@robelest/convex-auth 0.0.4-preview.30 → 0.0.4-preview.32

package/dist/component/schema.js

@@ -52,7 +52,8 @@ var schema_default = defineSchema({
 	}).index("account_id", ["accountId"]).index("code", ["code"]),
 	AuthVerifier: defineTable({
 		sessionId: v.optional(v.id("Session")),
-		signature: v.optional(v.string())
+		signature: v.optional(v.string()),
+		expirationTime: v.optional(v.number())
 	}).index("signature", ["signature"]),
 	Passkey: defineTable({
 		userId: v.id("User"),

package/dist/core/index.d.ts

@@ -1,9 +1,9 @@
 import { AuthAuthorizationConfig, ConvexAuthConfig, Doc, KeyDoc, KeyScope, ScopeChecker, UserOrderBy, UserWhere } from "../server/types.js";
-import { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory, AuthContextResolver, OptionalAuthContext, UserDoc } from "../server/auth-context.js";
-import { ComponentCtx, ComponentReadCtx } from "../server/componentContext.js";
+import { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory, AuthContextResolver, OptionalAuthContext, UserDoc } from "../server/facade.js";
+import { ComponentCtx, ComponentReadCtx } from "../server/component/context.js";
 import { AuthProfile } from "../server/payloads.js";
 import "../component/index.js";
-import "../server/convexIdentity.js";
+import "../server/identity/convex.js";
 import * as convex_values0 from "convex/values";
 import * as convex_server0 from "convex/server";
 import * as fluent_convex0 from "fluent-convex";
@@ -31,6 +31,11 @@ import * as fluent_convex0 from "fluent-convex";
  * import { auth } from "./auth-core";
  * export const authQuery = customQuery(query, auth.ctx());
  * ```
+ *
+ * @param component - The Convex Auth component reference from `components.auth`.
+ * @param config - Optional auth configuration. Provider config is intentionally
+ *   omitted in this lightweight entrypoint.
+ * @returns The lightweight auth context facade.
  */
 declare function createAuthContext(component: ConvexAuthConfig["component"], config?: Omit<AuthConfig, "providers"> & {
   authorization?: AuthAuthorizationConfig;

package/dist/core/index.js

@@ -1,5 +1,5 @@
-import "../server/convexIdentity.js";
-import { createAuthContextFacade } from "../server/auth-context.js";
+import "../server/identity/convex.js";
+import { createAuthContextFacade } from "../server/facade.js";
 import { configDefaults } from "../server/config.js";
 import { createCoreDomains } from "../server/core.js";
 import { callModifyAccount } from "../server/mutations/account.js";
@@ -30,6 +30,11 @@ import { callRetrieveAccountWithCredentials } from "../server/mutations/retrieve
 * import { auth } from "./auth-core";
 * export const authQuery = customQuery(query, auth.ctx());
 * ```
+*
+* @param component - The Convex Auth component reference from `components.auth`.
+* @param config - Optional auth configuration. Provider config is intentionally
+*   omitted in this lightweight entrypoint.
+* @returns The lightweight auth context facade.
 */
 function createAuthContext(component, config) {
 	const fullConfig = configDefaults({

package/dist/expo/index.d.ts

@@ -0,0 +1,21 @@
+import { AuthApiRefs, ClientOptions, PlatformAuthClient } from "../client/core/types.js";
+import "../client/index.js";
+import * as AuthSession from "expo-auth-session";
+
+//#region src/expo/index.d.ts
+interface ExpoClientOptions<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs> extends ClientOptions<Api> {
+  authSession?: AuthSession.AuthSessionRedirectUriOptions & {
+    redirectUri?: string;
+    preferEphemeralSession?: boolean;
+  };
+}
+/**
+ * Create an Expo-configured auth client.
+ *
+ * Native Expo defaults include SecureStore persistence, auth session launch,
+ * and native passkey support. Web falls back to the browser entrypoint.
+ */
+declare function client<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs>(options: ExpoClientOptions<Api>): PlatformAuthClient<Api>;
+//#endregion
+export { type AuthApiRefs, type PlatformAuthClient as AuthClient, ExpoClientOptions, client };
+//# sourceMappingURL=index.d.ts.map

package/dist/expo/index.js

@@ -0,0 +1,148 @@
+import { LOG_LEVELS, logMessage } from "../shared/log.js";
+import { ClientAdapterFactoriesLive, ClientAdaptersLive } from "../client/services/adapters.js";
+import { ClientHttpLive } from "../client/services/http.js";
+import { resolveClientServices } from "../client/services/resolve.js";
+import { ClientRuntimeLive } from "../client/services/runtime.js";
+import { client as client$1 } from "../client/index.js";
+import { client as client$2 } from "../browser/index.js";
+import { createExpoPasskeyClient } from "./passkey.js";
+import { ConvexHttpClient } from "convex/browser";
+import * as AuthSession from "expo-auth-session";
+import * as SecureStore from "expo-secure-store";
+import * as WebBrowser from "expo-web-browser";
+
+//#region src/expo/index.ts
+/**
+* Expo-first auth client for `@robelest/convex-auth/expo`.
+*
+* This entrypoint wraps the framework-agnostic `client(...)` helper with
+* Expo-native defaults such as SecureStore-backed token persistence, auth
+* session launching, and native passkey support.
+*
+* OAuth in Expo uses direct mode only. Do not configure `proxyPath` for Expo
+* OAuth flows because the proxy flow depends on browser cookies and HTML
+* redirects.
+*
+* @module
+*/
+const secureStoreStorage = {
+	async getItem(key) {
+		return await SecureStore.getItemAsync(key);
+	},
+	async setItem(key, value) {
+		await SecureStore.setItemAsync(key, value);
+	},
+	async removeItem(key) {
+		await SecureStore.deleteItemAsync(key);
+	}
+};
+/**
+* Create an Expo-configured auth client.
+*
+* Native Expo defaults include SecureStore persistence, auth session launch,
+* and native passkey support. Web falls back to the browser entrypoint.
+*/
+function client(options) {
+	if (isWebRuntime()) return client$2(options);
+	const url = options.proxyPath === void 0 ? options.url ?? inferConvexUrl(options.convex) : void 0;
+	const services = resolveClientServices({
+		runtime: ClientRuntimeLive(mergeExpoRuntime(options.runtime)),
+		adapters: ClientAdaptersLive(options.adapters ?? {}),
+		adapterFactories: ClientAdapterFactoriesLive({
+			...options.adapterFactories,
+			passkey: options.adapterFactories?.passkey ?? ((deps) => createExpoPasskeyClient(deps))
+		}),
+		http: ClientHttpLive(options.proxyPath !== void 0 ? null : options.httpClient ?? (url ? new ConvexHttpClient(url) : null))
+	});
+	const redirectUri = resolveRedirectUri(options.authSession);
+	const baseClient = client$1({
+		...options,
+		storage: options.storage === void 0 && options.proxyPath !== void 0 ? null : options.storage,
+		runtime: services.runtime,
+		adapters: services.adapters,
+		adapterFactories: services.adapterFactories,
+		httpClient: services.httpClient
+	});
+	const initialize = async () => {
+		await baseClient.initialize();
+	};
+	const signIn = async (provider, ...args) => {
+		const params = args[0];
+		const nextParams = withRedirectTo(params, redirectUri);
+		const result = await baseClient.signIn(provider, nextParams);
+		if (result.kind !== "redirect") return result;
+		if (options.proxyPath !== void 0) throw new Error("Expo OAuth is not supported when `proxyPath` is set. Use direct mode with `api` and an Expo redirect URI.");
+		const authResult = await WebBrowser.openAuthSessionAsync(result.redirect.toString(), redirectUri, { preferEphemeralSession: options.authSession?.preferEphemeralSession });
+		if (authResult.type === "success") {
+			if ((await baseClient.completeOAuth(authResult.url)).handled) return { kind: "signedIn" };
+		}
+		return result;
+	};
+	const expoClient = {
+		get state() {
+			return baseClient.state;
+		},
+		initialize,
+		param: baseClient.param,
+		get invite() {
+			return baseClient.invite;
+		},
+		completeOAuth: baseClient.completeOAuth,
+		signIn,
+		signOut: baseClient.signOut,
+		onChange: baseClient.onChange,
+		destroy: baseClient.destroy,
+		..."totp" in baseClient ? { totp: baseClient.totp } : {},
+		..."device" in baseClient ? { device: baseClient.device } : {},
+		..."passkey" in baseClient ? { passkey: baseClient.passkey } : {}
+	};
+	initialize().catch((error) => {
+		logMessage("convex-auth/expo", LOG_LEVELS.ERROR, ["[convex-auth] Expo client initialization failed:", error]);
+	});
+	return expoClient;
+}
+function isWebRuntime() {
+	return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function mergeExpoRuntime(runtime) {
+	const defaults = {
+		environment: "client",
+		storage: secureStoreStorage
+	};
+	return {
+		...defaults,
+		...runtime,
+		environment: runtime?.environment ?? defaults.environment,
+		storage: runtime?.storage === void 0 ? defaults.storage : runtime.storage
+	};
+}
+function resolveRedirectUri(options) {
+	if (options?.redirectUri) return options.redirectUri;
+	return AuthSession.makeRedirectUri(options);
+}
+function withRedirectTo(params, redirectTo) {
+	if (params?.redirectTo !== void 0) return params;
+	return {
+		...params,
+		redirectTo
+	};
+}
+function inferConvexUrl(convex) {
+	if (!convex || typeof convex !== "object") return;
+	const candidate = convex;
+	try {
+		if (typeof candidate.url === "string") return candidate.url;
+	} catch {
+		return;
+	}
+	try {
+		const client = typeof candidate.client === "object" && candidate.client !== null ? candidate.client : void 0;
+		return typeof client?.url === "string" ? client.url : void 0;
+	} catch {
+		return;
+	}
+}
+
+//#endregion
+export { client };
+//# sourceMappingURL=index.js.map

package/dist/expo/passkey.js

@@ -0,0 +1,174 @@
+import { Passkey } from "react-native-passkey";
+
+//#region src/expo/passkey.ts
+function requireStringOption(value, name) {
+	if (typeof value !== "string" || value.length === 0) throw new Error(`Server did not return required passkey option \`${name}\``);
+	return value;
+}
+function toPublicKeyCredentialDescriptors(credentials) {
+	return (credentials ?? []).map((cred) => ({
+		type: cred.type ?? "public-key",
+		id: cred.id,
+		...cred.transports === void 0 ? null : { transports: cred.transports }
+	}));
+}
+function wrapNativePasskeyError(e, cancelMessage) {
+	if (e instanceof Error) {
+		if (e.message.includes("cancel") || e.message.includes("Cancel")) return new Error(cancelMessage);
+		return e;
+	}
+	const message = typeof e === "object" && e !== null && "message" in e ? String(e.message) : String(e);
+	if (message.includes("cancel") || message.includes("Cancel")) return new Error(cancelMessage);
+	return new Error(message);
+}
+/** @internal */
+function createExpoPasskeyClient(deps) {
+	const { proxy, convex, requireApiRefs, proxyFetch, setTokenAndMaybeWait } = deps;
+	const handleSignedInResult = async (result, flow) => {
+		if (result.kind !== "signedIn") return { kind: "started" };
+		return await setTokenAndMaybeWait(proxy ? {
+			shouldStore: false,
+			tokens: result.session === null ? null : { token: result.session.token },
+			waitForHandshake: true,
+			context: {
+				provider: "passkey",
+				flow
+			}
+		} : {
+			shouldStore: true,
+			tokens: result.session,
+			waitForHandshake: true,
+			context: {
+				provider: "passkey",
+				flow
+			}
+		}) ? { kind: "signedIn" } : { kind: "started" };
+	};
+	return {
+		isSupported: () => Passkey.isSupported(),
+		isAutofillSupported: async () => false,
+		register: async (opts) => {
+			const phase1Params = {
+				flow: "register",
+				email: opts?.email,
+				userName: opts?.userName,
+				userDisplayName: opts?.userDisplayName
+			};
+			let phase1Result;
+			if (proxy) phase1Result = await proxyFetch({
+				action: "auth:signIn",
+				args: {
+					provider: "passkey",
+					params: phase1Params
+				}
+			});
+			else phase1Result = await convex.action(requireApiRefs().signIn, {
+				provider: "passkey",
+				params: phase1Params
+			});
+			if (phase1Result.kind !== "passkeyOptions") throw new Error("Server did not return passkey registration options");
+			const options = phase1Result.options;
+			const createRequest = {
+				challenge: options.challenge,
+				rp: {
+					...options.rp,
+					id: requireStringOption(options.rp.id, "rp.id")
+				},
+				user: options.user,
+				pubKeyCredParams: options.pubKeyCredParams,
+				timeout: options.timeout,
+				attestation: options.attestation,
+				authenticatorSelection: options.authenticatorSelection,
+				excludeCredentials: toPublicKeyCredentialDescriptors(options.excludeCredentials)
+			};
+			let credential;
+			try {
+				credential = await Passkey.create(createRequest);
+			} catch (e) {
+				throw wrapNativePasskeyError(e, "Passkey registration was cancelled");
+			}
+			const phase2Params = {
+				flow: "verify",
+				clientDataJSON: credential.response.clientDataJSON,
+				attestationObject: credential.response.attestationObject,
+				transports: credential.response.transports,
+				passkeyName: opts?.name,
+				email: opts?.email
+			};
+			let phase2Result;
+			if (proxy) phase2Result = await proxyFetch({
+				action: "auth:signIn",
+				args: {
+					provider: "passkey",
+					params: phase2Params,
+					verifier: phase1Result.verifier
+				}
+			});
+			else phase2Result = await convex.action(requireApiRefs().signIn, {
+				provider: "passkey",
+				params: phase2Params,
+				verifier: phase1Result.verifier
+			});
+			return handleSignedInResult(phase2Result, "verify");
+		},
+		signIn: async (opts) => {
+			const phase1Params = {
+				flow: "signIn",
+				email: opts?.email
+			};
+			let phase1Result;
+			if (proxy) phase1Result = await proxyFetch({
+				action: "auth:signIn",
+				args: {
+					provider: "passkey",
+					params: phase1Params
+				}
+			});
+			else phase1Result = await convex.action(requireApiRefs().signIn, {
+				provider: "passkey",
+				params: phase1Params
+			});
+			if (phase1Result.kind !== "passkeyOptions") throw new Error("Server did not return passkey authentication options");
+			const options = phase1Result.options;
+			const getRequest = {
+				challenge: options.challenge,
+				timeout: options.timeout,
+				rpId: requireStringOption(options.rpId, "rpId"),
+				userVerification: options.userVerification,
+				allowCredentials: toPublicKeyCredentialDescriptors(options.allowCredentials)
+			};
+			let credential;
+			try {
+				credential = await Passkey.get(getRequest);
+			} catch (e) {
+				throw wrapNativePasskeyError(e, "Passkey authentication was cancelled");
+			}
+			const phase2Params = {
+				flow: "verify",
+				credentialId: credential.rawId ?? credential.id,
+				clientDataJSON: credential.response.clientDataJSON,
+				authenticatorData: credential.response.authenticatorData,
+				signature: credential.response.signature
+			};
+			let phase2Result;
+			if (proxy) phase2Result = await proxyFetch({
+				action: "auth:signIn",
+				args: {
+					provider: "passkey",
+					params: phase2Params,
+					verifier: phase1Result.verifier
+				}
+			});
+			else phase2Result = await convex.action(requireApiRefs().signIn, {
+				provider: "passkey",
+				params: phase2Params,
+				verifier: phase1Result.verifier
+			});
+			return handleSignedInResult(phase2Result, "verify");
+		}
+	};
+}
+
+//#endregion
+export { createExpoPasskeyClient };
+//# sourceMappingURL=passkey.js.map

package/dist/providers/apple.d.ts

@@ -27,7 +27,7 @@ interface AppleConfig {
   keyId: string;
   /** Apple private key PEM contents or bytes. */
   privateKey: string | Uint8Array;
-  /** Optional callback URL override. Defaults to `CUSTOM_AUTH_SITE_URL` or `CONVEX_SITE_URL` plus `/api/auth/callback/apple`. */
+  /** Optional callback URL override. Defaults to the auth site URL plus `/callback/apple`. */
   redirectUri?: string;
   /** Optional OAuth scopes. Defaults to `name email`. */
   scopes?: string[];

package/dist/providers/apple.js

@@ -1,5 +1,5 @@
-import { envOptionalString, readConfigSync } from "../server/env.js";
 import { createArcticOAuthClient, createOAuthProvider } from "../server/oauth/factory.js";
+import { defaultOAuthRedirectUri } from "./redirect.js";
 import { Apple } from "arctic";
 
 //#region src/providers/apple.ts
@@ -40,18 +40,16 @@ const DEFAULT_SCOPES = ["name", "email"];
 * ```
 */
 function apple(config) {
+	const privateKey = typeof config.privateKey === "string" ? config.privateKey : new TextDecoder().decode(config.privateKey);
+	const scopes = config.scopes ?? DEFAULT_SCOPES;
+	const createProvider = () => new Apple(config.clientId, config.teamId, config.keyId, new TextEncoder().encode(privateKey), config.redirectUri ?? defaultOAuthRedirectUri("apple"));
 	return createOAuthProvider({
 		id: "apple",
-		provider: createArcticOAuthClient(new Apple(config.clientId, config.teamId, config.keyId, typeof config.privateKey === "string" ? new TextEncoder().encode(config.privateKey) : config.privateKey, config.redirectUri ?? defaultRedirectUri("apple")), { pkce: "never" }),
-		scopes: config.scopes ?? DEFAULT_SCOPES,
+		provider: createArcticOAuthClient(createProvider, { pkce: "never" }),
+		scopes,
 		accountLinking: config.accountLinking
 	});
 }
-function defaultRedirectUri(providerId) {
-	const rootUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? readConfigSync(envOptionalString("CONVEX_SITE_URL"));
-	if (!rootUrl) throw new Error(`Missing CONVEX_SITE_URL while configuring ${providerId} OAuth provider. Set CONVEX_SITE_URL or pass redirectUri explicitly.`);
-	return `${rootUrl}/api/auth/callback/${providerId}`;
-}
 
 //#endregion
 export { apple };

package/dist/providers/custom.d.ts

@@ -50,7 +50,7 @@ interface CustomOAuthConfig {
   clientId: string;
   /** Optional OAuth client secret. */
   clientSecret?: string | null;
-  /** Optional callback URL override. Defaults to `CUSTOM_AUTH_SITE_URL` or `CONVEX_SITE_URL` plus `/api/auth/callback/<id>`. */
+  /** Optional callback URL override. Defaults to the auth site URL plus `/callback/<id>`. */
   redirectUri?: string;
   /** Optional default scopes requested during sign-in. */
   scopes?: string[];

package/dist/providers/custom.js

@@ -1,5 +1,5 @@
-import { envOptionalString, readConfigSync } from "../server/env.js";
 import { createOAuthProvider } from "../server/oauth/factory.js";
+import { defaultOAuthRedirectUri } from "./redirect.js";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { encodeBase64urlNoPadding } from "@oslojs/encoding";
 
@@ -12,11 +12,6 @@ import { encodeBase64urlNoPadding } from "@oslojs/encoding";
 *
 * @module
 */
-function defaultRedirectUri(providerId) {
-	const rootUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? readConfigSync(envOptionalString("CONVEX_SITE_URL"));
-	if (!rootUrl) throw new Error(`Missing CONVEX_SITE_URL while configuring ${providerId} OAuth provider. Set CONVEX_SITE_URL or pass redirectUri explicitly.`);
-	return `${rootUrl}/api/auth/callback/${providerId}`;
-}
 function joinScopes(scopes, separator = " ") {
 	return scopes.join(separator);
 }
@@ -24,14 +19,15 @@ function createCodeChallenge(codeVerifier) {
 	return encodeBase64urlNoPadding(sha256(new TextEncoder().encode(codeVerifier)));
 }
 function createRuntimeClient(config) {
-	const redirectUri = config.redirectUri ?? defaultRedirectUri(config.id);
 	const authorization = config.authorization;
 	const token = config.token;
 	const pkce = authorization.pkce ?? "required";
 	const scopes = [...config.scopes ?? []];
+	const getRedirectUri = () => config.redirectUri ?? defaultOAuthRedirectUri(config.id);
 	return {
 		pkce,
 		createAuthorizationURL({ state, codeVerifier, scopes: requestedScopes, nonce }) {
+			const redirectUri = getRedirectUri();
 			const url = new URL(authorization.url);
 			const nextScopes = requestedScopes.length > 0 ? requestedScopes : scopes;
 			url.searchParams.set("response_type", "code");
@@ -48,6 +44,7 @@ function createRuntimeClient(config) {
 			return url;
 		},
 		async validateAuthorizationCode({ code, codeVerifier }) {
+			const redirectUri = getRedirectUri();
 			const body = new URLSearchParams();
 			body.set("grant_type", "authorization_code");
 			body.set("code", code);

package/dist/providers/github.d.ts

@@ -21,7 +21,7 @@ interface GitHubConfig {
   clientId: string;
   /** OAuth app client secret from GitHub. */
   clientSecret: string;
-  /** Optional callback URL override. Defaults to `CUSTOM_AUTH_SITE_URL` or `CONVEX_SITE_URL` plus `/api/auth/callback/github`. */
+  /** Optional callback URL override. Defaults to the auth site URL plus `/callback/github`. */
   redirectUri?: string;
   /** Optional OAuth scopes. Defaults to `user:email`. */
   scopes?: string[];

package/dist/providers/github.js

@@ -1,5 +1,5 @@
-import { envOptionalString, readConfigSync } from "../server/env.js";
 import { createArcticOAuthClient, createOAuthProvider } from "../server/oauth/factory.js";
+import { defaultOAuthRedirectUri } from "./redirect.js";
 import { GitHub } from "arctic";
 
 //#region src/providers/github.ts
@@ -39,10 +39,12 @@ const DEFAULT_SCOPES = ["user:email"];
 * ```
 */
 function github(config) {
+	const scopes = config.scopes ?? DEFAULT_SCOPES;
+	const createProvider = () => new GitHub(config.clientId, config.clientSecret, config.redirectUri ?? defaultOAuthRedirectUri("github"));
 	return createOAuthProvider({
 		id: "github",
-		provider: createArcticOAuthClient(new GitHub(config.clientId, config.clientSecret, config.redirectUri ?? defaultRedirectUri("github")), { pkce: "never" }),
-		scopes: config.scopes ?? DEFAULT_SCOPES,
+		provider: createArcticOAuthClient(createProvider, { pkce: "never" }),
+		scopes,
 		accountLinking: config.accountLinking,
 		profile: async (tokens) => {
 			if (!tokens.accessToken) throw new Error("GitHub OAuth response is missing access_token.");
@@ -64,11 +66,6 @@ function github(config) {
 		}
 	});
 }
-function defaultRedirectUri(providerId) {
-	const rootUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? readConfigSync(envOptionalString("CONVEX_SITE_URL"));
-	if (!rootUrl) throw new Error(`Missing CONVEX_SITE_URL while configuring ${providerId} OAuth provider. Set CONVEX_SITE_URL or pass redirectUri explicitly.`);
-	return `${rootUrl}/api/auth/callback/${providerId}`;
-}
 
 //#endregion
 export { github };

package/dist/providers/google.d.ts

@@ -21,7 +21,7 @@ interface GoogleConfig {
   clientId: string;
   /** OAuth client secret from the Google Cloud console. */
   clientSecret: string;
-  /** Optional callback URL override. Defaults to `CUSTOM_AUTH_SITE_URL` or `CONVEX_SITE_URL` plus `/api/auth/callback/google`. */
+  /** Optional callback URL override. Defaults to the auth site URL plus `/callback/google`. */
   redirectUri?: string;
   /** Optional OAuth scopes. Defaults to `openid profile email`. */
   scopes?: string[];

package/dist/providers/google.js

@@ -1,5 +1,5 @@
-import { envOptionalString, readConfigSync } from "../server/env.js";
 import { createArcticOAuthClient, createOAuthProvider } from "../server/oauth/factory.js";
+import { defaultOAuthRedirectUri } from "./redirect.js";
 import { Google } from "arctic";
 
 //#region src/providers/google.ts
@@ -43,18 +43,15 @@ const DEFAULT_SCOPES = [
 * ```
 */
 function google(config) {
+	const scopes = config.scopes ?? DEFAULT_SCOPES;
+	const createProvider = () => new Google(config.clientId, config.clientSecret, config.redirectUri ?? defaultOAuthRedirectUri("google"));
 	return createOAuthProvider({
 		id: "google",
-		provider: createArcticOAuthClient(new Google(config.clientId, config.clientSecret, config.redirectUri ?? defaultRedirectUri("google")), { pkce: "required" }),
-		scopes: config.scopes ?? DEFAULT_SCOPES,
+		provider: createArcticOAuthClient(createProvider, { pkce: "required" }),
+		scopes,
 		accountLinking: config.accountLinking
 	});
 }
-function defaultRedirectUri(providerId) {
-	const rootUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? readConfigSync(envOptionalString("CONVEX_SITE_URL"));
-	if (!rootUrl) throw new Error(`Missing CONVEX_SITE_URL while configuring ${providerId} OAuth provider. Set CONVEX_SITE_URL or pass redirectUri explicitly.`);
-	return `${rootUrl}/api/auth/callback/${providerId}`;
-}
 
 //#endregion
 export { google };

package/dist/providers/microsoft.d.ts

@@ -24,7 +24,7 @@ interface MicrosoftConfig {
   clientId: string;
   /** OAuth client secret for confidential clients, when required. */
   clientSecret?: string | null;
-  /** Optional callback URL override. Defaults to `CUSTOM_AUTH_SITE_URL` or `CONVEX_SITE_URL` plus `/api/auth/callback/microsoft`. */
+  /** Optional callback URL override. Defaults to the auth site URL plus `/callback/microsoft`. */
   redirectUri?: string;
   /** Optional OAuth scopes. Defaults to `openid profile email`. */
   scopes?: string[];

package/dist/providers/microsoft.js

@@ -1,5 +1,5 @@
-import { envOptionalString, readConfigSync } from "../server/env.js";
 import { createArcticOAuthClient, createOAuthProvider } from "../server/oauth/factory.js";
+import { defaultOAuthRedirectUri } from "./redirect.js";
 import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
 import { MicrosoftEntraId } from "arctic";
 
@@ -45,13 +45,14 @@ const DEFAULT_SCOPES = [
 * ```
 */
 function microsoft(config) {
-	const provider = new MicrosoftEntraId(config.tenant, config.clientId, config.clientSecret ?? null, config.redirectUri ?? defaultRedirectUri("microsoft"));
+	const scopes = config.scopes ?? DEFAULT_SCOPES;
+	const createProvider = () => new MicrosoftEntraId(config.tenant, config.clientId, config.clientSecret ?? null, config.redirectUri ?? defaultOAuthRedirectUri("microsoft"));
 	const issuer = `https://login.microsoftonline.com/${config.tenant}/v2.0`;
 	const jwks = createRemoteJWKSet(new URL(`${issuer}/discovery/v2.0/keys`));
 	return createOAuthProvider({
 		id: "microsoft",
-		provider: createArcticOAuthClient(provider, { pkce: "required" }),
-		scopes: config.scopes ?? DEFAULT_SCOPES,
+		provider: createArcticOAuthClient(createProvider, { pkce: "required" }),
+		scopes,
 		nonce: true,
 		accountLinking: config.accountLinking,
 		validateTokens: async (tokens, ctx) => {
@@ -90,11 +91,6 @@ function microsoft(config) {
 		}
 	});
 }
-function defaultRedirectUri(providerId) {
-	const rootUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? readConfigSync(envOptionalString("CONVEX_SITE_URL"));
-	if (!rootUrl) throw new Error(`Missing CONVEX_SITE_URL while configuring ${providerId} OAuth provider. Set CONVEX_SITE_URL or pass redirectUri explicitly.`);
-	return `${rootUrl}/api/auth/callback/${providerId}`;
-}
 
 //#endregion
 export { microsoft };