@robelest/convex-auth 0.0.4-preview.30 → 0.0.4-preview.32

package/dist/providers/password.d.ts

@@ -7,54 +7,39 @@ import { DocumentByName, GenericDataModel, WithoutSystemFields } from "convex/se
 /** Configuration for the {@link password} provider. */
 interface PasswordConfig<DataModel extends GenericDataModel> {
   /**
-   * Uniquely identifies the provider, allowing to use
-   * multiple different password providers.
+   * Uniquely identifies the provider, allowing multiple password providers.
    */
   id?: string;
   /**
-   * Perform checks on provided params and customize the user
-   * information stored after sign up, including email normalization.
+   * Perform checks on provided params and customize the user information
+   * stored after sign up, including email normalization.
    *
-   * Called for every flow ("signUp", "signIn", "reset",
-   * "reset-verification" and "email-verification").
+   * Called for every flow.
    */
-  profile?: (
-  /**
-   * The values passed to the `signIn` function.
-   */
-  params: Record<string, Value | undefined>,
-  /**
-   * Convex ActionCtx in case you want to read from or write to
-   * the database.
-   */
-  ctx: GenericActionCtxWithAuthConfig<DataModel>) => WithoutSystemFields<DocumentByName<DataModel, "User">> & {
+  profile?: (params: Record<string, Value | undefined>, ctx: GenericActionCtxWithAuthConfig<DataModel>) => WithoutSystemFields<DocumentByName<DataModel, "User">> & {
     email: string;
   };
   /**
-   * Performs custom validation on password provided during sign up or reset.
-   *
-   * Otherwise the default validation is used (password is not empty and
-   * at least 8 characters in length).
+   * Performs custom validation on a password during `signUp`, `verify`
+   * (when `newPassword` is set), and `change`.
    *
-   * If the provided password is invalid, implementations must throw an Error.
+   * Default: non-empty, length >= 8.
    *
-   * @param password the password supplied during "signUp" or
-   *                 "reset-verification" flows.
+   * Throw an `Error` to reject the password.
    */
   validatePasswordRequirements?: (password: string) => void;
   /**
-   * Provide hashing and verification functions if you want to control
-   * how passwords are hashed.
+   * Hashing and verification functions. Defaults to scrypt.
    */
   crypto?: CredentialsConfig["crypto"];
   /**
-   * An email provider used to require verification
-   * before password reset.
+   * Email provider for the `reset` flow. Issues OTPs that the `verify` flow
+   * accepts when `newPassword` is included.
    */
   reset?: EmailConfig | PasswordEmailProviderFactory;
   /**
-   * An email provider used to require verification
-   * before sign up / sign in.
+   * Email provider for post-signup email confirmation. Issues OTPs that the
+   * `verify` flow accepts when `newPassword` is omitted.
    */
   verify?: EmailConfig | PasswordEmailProviderFactory;
 }
@@ -62,24 +47,20 @@ type PasswordEmailProviderFactory = () => EmailConfig;
 /**
  * Email and password authentication provider.
  *
- * Passwords are by default hashed using scrypt.
- * You can customize the hashing via the `crypto` option.
+ * Passwords are hashed with scrypt by default. Customize via `crypto`.
  *
- * Email verification is not required unless you pass
- * an email provider to the `verify` option.
+ * Email verification is opt-in via the `verify` option. Password reset is
+ * opt-in via the `reset` option (typically the same email provider).
  *
  * @example
  * ```ts
- * import { password } from "@robelest/convex-auth/providers";
- *
  * password()
- * password({ verify: myEmailProvider })
+ * password({ verify: myEmailProvider, reset: myEmailProvider })
  * ```
  *
  * @typeParam DataModel - The Convex data model used by the auth context.
  * @param config - Password flow hooks and optional verification providers.
  * @returns A configured password provider for `createAuth`.
- * @throws {Error} During sign-in flows when required password params are missing or reset is not enabled.
  */
 declare function password<DataModel extends GenericDataModel = GenericDataModel>(config?: PasswordConfig<DataModel>): ConvexCredentialsConfig;
 //#endregion

package/dist/providers/password.js

@@ -1,4 +1,5 @@
-import { callCredentialsSignIn } from "../server/mutations/credentialsSignIn.js";
+import { getAuthenticatedUserIdOrNull } from "../server/identity.js";
+import { callCredentialsSignIn } from "../server/mutations/credentials/signin.js";
 import { credentials } from "./credentials.js";
 import { ConvexError } from "convex/values";
 import { scryptAsync } from "@noble/hashes/scrypt.js";
@@ -8,63 +9,57 @@ import { bytesToHex } from "@noble/hashes/utils.js";
 /**
 * Configure the password provider for email/password authentication.
 *
-* The password provider supports the following flows, determined
-* by the `flow` parameter:
+* Five flows, all single-word camelCase:
 *
-* - `"signUp"`: Create a new account with a password.
-* - `"signIn"`: Sign in with an existing account and password.
-* - `"reset"`: Request a password reset.
-* - `"reset-verification"`: Verify a password reset code and change password.
-* - `"email-verification"`: If email verification is enabled and `code` is
-*    included in params, verify an OTP.
+* - `signUp` — Create a new account.
+* - `signIn` — Sign in with email + password.
+* - `reset` — Kick off a forgot-password flow (issues an OTP via email).
+* - `verify` — Verify any pending email OTP. With `newPassword`, completes a
+*   `reset` flow and updates the password. Without `newPassword`, completes
+*   the post-signup email confirmation. The OTP scope is enforced server-side
+*   by the issuing email provider.
+* - `change` — Authenticated password change (requires `currentPassword`).
 *
 * ```ts
 * import { password } from "@robelest/convex-auth/providers";
 *
 * password()
+* password({ verify: myEmailProvider, reset: myEmailProvider })
 * ```
 *
 * @module
 */
-const PASSWORD_FLOW_TAG = {
-	signUp: "signUp",
-	signIn: "signIn",
-	reset: "reset",
-	"reset-verification": "resetVerification",
-	"email-verification": "emailVerification"
-};
+const PASSWORD_FLOWS = [
+	"signUp",
+	"signIn",
+	"reset",
+	"verify",
+	"change"
+];
 function decodePasswordFlow(flow) {
-	if (typeof flow !== "string") return {
+	if (typeof flow === "string" && PASSWORD_FLOWS.includes(flow)) return { tag: flow };
+	return {
 		tag: "invalid",
 		flow
 	};
-	const tag = PASSWORD_FLOW_TAG[flow];
-	return tag === void 0 ? {
-		tag: "invalid",
-		flow
-	} : { tag };
 }
 /**
 * Email and password authentication provider.
 *
-* Passwords are by default hashed using scrypt.
-* You can customize the hashing via the `crypto` option.
+* Passwords are hashed with scrypt by default. Customize via `crypto`.
 *
-* Email verification is not required unless you pass
-* an email provider to the `verify` option.
+* Email verification is opt-in via the `verify` option. Password reset is
+* opt-in via the `reset` option (typically the same email provider).
 *
 * @example
 * ```ts
-* import { password } from "@robelest/convex-auth/providers";
-*
 * password()
-* password({ verify: myEmailProvider })
+* password({ verify: myEmailProvider, reset: myEmailProvider })
 * ```
 *
 * @typeParam DataModel - The Convex data model used by the auth context.
 * @param config - Password flow hooks and optional verification providers.
 * @returns A configured password provider for `createAuth`.
-* @throws {Error} During sign-in flows when required password params are missing or reset is not enabled.
 */
 function password(config = {}) {
 	const provider = config.id ?? "password";
@@ -81,12 +76,10 @@ function password(config = {}) {
 				}
 				validateDefaultPasswordRequirements(password);
 			};
-			if (flowDispatch.tag === "signUp") validatePasswordRequirements(params.password);
-			else if (flowDispatch.tag === "resetVerification") validatePasswordRequirements(params.newPassword);
 			const profile = config.profile?.(params, ctx) ?? defaultProfile(params);
 			const { email } = profile;
-			const requirePasswordParam = (value, flow) => {
-				if (typeof value !== "string" || value.length === 0) throw new Error(`Missing \`password\` param for \`${flow}\` flow`);
+			const requireStringParam = (value, name, flow) => {
+				if (typeof value !== "string" || value.length === 0) throw new Error(`Missing \`${name}\` param for \`${flow}\` flow`);
 				return value;
 			};
 			const finalizeCredentialsResult = async (account, user) => {
@@ -100,88 +93,150 @@ function password(config = {}) {
 					hasTotp
 				};
 			};
-			if (flowDispatch.tag === "signUp") {
-				const secret = requirePasswordParam(params.password, "signUp");
-				const created = await ctx.auth.account.create(ctx, {
-					provider,
-					account: {
-						id: email,
-						secret
-					},
-					profile,
-					shouldLinkViaEmail: config.verify !== void 0,
-					shouldLinkViaPhone: false
-				});
-				return await finalizeCredentialsResult(created.account, created.user);
-			} else if (flowDispatch.tag === "signIn") {
-				const result = await callCredentialsSignIn(ctx, {
-					provider,
-					account: {
-						id: email,
-						secret: requirePasswordParam(params.password, "signIn")
-					},
-					generateTokens: true,
-					requireVerifiedEmail: verifyProvider !== void 0,
-					enforceTotp: true
-				});
-				if (result.kind === "invalidAccount" || result.kind === "invalidSecret") throw new Error("Invalid credentials");
-				if (result.kind === "tooManyAttempts") throw new ConvexError({
-					code: "RATE_LIMITED",
-					message: "Too many failed sign-in attempts. Please try again later."
-				});
-				if (result.kind === "emailVerificationRequired") return await ctx.auth.provider.signIn(ctx, verifyProvider, {
-					accountId: result.account._id,
-					params
-				});
-				const hasTotp = result.kind === "signedIn" ? result.user.hasTotp : true;
-				return {
-					userId: result.user._id,
-					hasTotp,
-					issuance: result.issuance
-				};
-			} else if (flowDispatch.tag === "reset") {
-				if (!resetProvider) throw new Error(`Password reset is not enabled for ${provider}`);
-				const { account } = await ctx.auth.account.get(ctx, {
-					provider,
-					account: { id: email }
-				});
-				return await ctx.auth.provider.signIn(ctx, resetProvider, {
-					accountId: account._id,
-					params
-				});
-			} else if (flowDispatch.tag === "resetVerification") {
-				if (!resetProvider) throw new Error(`Password reset is not enabled for ${provider}`);
-				if (params.newPassword === void 0) throw new Error("Missing `newPassword` param for `reset-verification` flow");
-				const result = await ctx.auth.provider.signIn(ctx, resetProvider, { params });
-				if (result === null) throw new Error("Invalid code");
-				const { userId, sessionId } = result;
-				const secret = params.newPassword;
-				await ctx.auth.account.update(ctx, {
-					provider,
-					account: {
-						id: email,
-						secret
+			switch (flowDispatch.tag) {
+				case "signUp": {
+					const secret = requireStringParam(params.password, "password", "signUp");
+					validatePasswordRequirements(secret);
+					const created = await ctx.auth.account.create(ctx, {
+						provider,
+						account: {
+							id: email,
+							secret
+						},
+						profile,
+						shouldLinkViaEmail: config.verify !== void 0,
+						shouldLinkViaPhone: false
+					});
+					return await finalizeCredentialsResult(created.account, created.user);
+				}
+				case "signIn": {
+					const result = await callCredentialsSignIn(ctx, {
+						provider,
+						account: {
+							id: email,
+							secret: requireStringParam(params.password, "password", "signIn")
+						},
+						generateTokens: true,
+						requireVerifiedEmail: verifyProvider !== void 0,
+						enforceTotp: true
+					});
+					if (result.kind === "invalidAccount" || result.kind === "invalidSecret") throw new Error("Invalid credentials");
+					if (result.kind === "tooManyAttempts") throw new ConvexError({
+						code: "RATE_LIMITED",
+						message: "Too many failed sign-in attempts. Please try again later."
+					});
+					if (result.kind === "emailVerificationRequired") return await ctx.auth.provider.signIn(ctx, verifyProvider, {
+						accountId: result.account._id,
+						params
+					});
+					const hasTotp = result.kind === "signedIn" ? result.user.hasTotp : true;
+					return {
+						userId: result.user._id,
+						hasTotp,
+						issuance: result.issuance
+					};
+				}
+				case "reset": {
+					if (!resetProvider) throw new Error(`Password reset is not enabled for ${provider}`);
+					const { account } = await ctx.auth.account.get(ctx, {
+						provider,
+						account: { id: email }
+					});
+					return await ctx.auth.provider.signIn(ctx, resetProvider, {
+						accountId: account._id,
+						params
+					});
+				}
+				case "verify": {
+					const newPassword = params.newPassword;
+					if (typeof newPassword === "string" && newPassword.length > 0) {
+						if (!resetProvider) throw new Error(`Password reset is not enabled for ${provider}`);
+						validatePasswordRequirements(newPassword);
+						const result = await ctx.auth.provider.signIn(ctx, resetProvider, { params });
+						if (result === null) throw new Error("Invalid code");
+						const { userId, sessionId } = result;
+						await ctx.auth.account.update(ctx, {
+							provider,
+							account: {
+								id: email,
+								secret: newPassword
+							}
+						});
+						await ctx.auth.session.invalidate(ctx, {
+							userId,
+							except: [sessionId]
+						});
+						await ctx.auth.config.callbacks?.after?.(ctx, {
+							kind: "passwordChanged",
+							userId,
+							flow: "reset"
+						});
+						return {
+							userId,
+							sessionId
+						};
 					}
-				});
-				await ctx.auth.session.invalidate(ctx, {
-					userId,
-					except: [sessionId]
-				});
-				return {
-					userId,
-					sessionId
-				};
-			} else if (flowDispatch.tag === "emailVerification") {
-				if (!verifyProvider) throw new Error(`Email verification is not enabled for ${provider}`);
-				const { account } = await ctx.auth.account.get(ctx, {
-					provider,
-					account: { id: email }
-				});
-				return await ctx.auth.provider.signIn(ctx, verifyProvider, {
-					accountId: account._id,
-					params
-				});
-			} else throw new Error("Missing `flow` param, it must be one of \"signUp\", \"signIn\", \"reset\", \"reset-verification\" or \"email-verification\"!");
+					if (!verifyProvider) throw new Error(`Email verification is not enabled for ${provider}`);
+					const { account } = await ctx.auth.account.get(ctx, {
+						provider,
+						account: { id: email }
+					});
+					return await ctx.auth.provider.signIn(ctx, verifyProvider, {
+						accountId: account._id,
+						params
+					});
+				}
+				case "change": {
+					const authedUserId = await getAuthenticatedUserIdOrNull(ctx);
+					if (authedUserId === null) throw new ConvexError({
+						code: "NOT_SIGNED_IN",
+						message: "Sign in first to change your password."
+					});
+					const currentPassword = requireStringParam(params.currentPassword, "currentPassword", "change");
+					const newPassword = requireStringParam(params.newPassword, "newPassword", "change");
+					validatePasswordRequirements(newPassword);
+					const result = await callCredentialsSignIn(ctx, {
+						provider,
+						account: {
+							id: email,
+							secret: currentPassword
+						},
+						generateTokens: true,
+						requireVerifiedEmail: false,
+						enforceTotp: false
+					});
+					if (result.kind === "invalidAccount" || result.kind === "invalidSecret") throw new Error("Invalid current password");
+					if (result.kind === "tooManyAttempts") throw new ConvexError({
+						code: "RATE_LIMITED",
+						message: "Too many failed attempts. Please try again later."
+					});
+					if (result.kind !== "signedIn") throw new Error(`Unexpected sign-in result: ${result.kind}`);
+					const verifiedUserId = result.user._id;
+					if (verifiedUserId !== authedUserId) throw new Error("Email does not match authenticated user");
+					await ctx.auth.account.update(ctx, {
+						provider,
+						account: {
+							id: email,
+							secret: newPassword
+						}
+					});
+					await ctx.auth.session.invalidate(ctx, {
+						userId: verifiedUserId,
+						except: [result.issuance.sessionId]
+					});
+					await ctx.auth.config.callbacks?.after?.(ctx, {
+						kind: "passwordChanged",
+						userId: verifiedUserId,
+						flow: "change"
+					});
+					return {
+						userId: verifiedUserId,
+						hasTotp: false,
+						issuance: result.issuance
+					};
+				}
+				default: throw new Error("Missing or invalid `flow` param. Expected one of: " + PASSWORD_FLOWS.join(", ") + ".");
+			}
 		},
 		crypto: config.crypto ?? {
 			async hashSecret(password) {

package/dist/providers/redirect.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/providers/redirect.js

@@ -0,0 +1,20 @@
+import { envOptionalString, readConfigSync } from "../server/env.js";
+
+//#region src/providers/redirect.ts
+function normalizeRoutePrefix(prefix) {
+	if (prefix === void 0 || prefix === "" || prefix === "/") return "";
+	return (prefix.startsWith("/") ? prefix : `/${prefix}`).replace(/\/$/, "");
+}
+/** @internal */
+function defaultOAuthRedirectUri(providerId) {
+	const customAuthSiteUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL"));
+	if (customAuthSiteUrl) return `${customAuthSiteUrl.replace(/\/$/, "")}/callback/${providerId}`;
+	const convexSiteUrl = readConfigSync(envOptionalString("CONVEX_SITE_URL"));
+	if (!convexSiteUrl) throw new Error(`Missing CONVEX_SITE_URL while configuring ${providerId} OAuth provider. Set CONVEX_SITE_URL or pass redirectUri explicitly.`);
+	const prefix = normalizeRoutePrefix(readConfigSync(envOptionalString("CONVEX_AUTH_HTTP_PREFIX")) ?? "/auth");
+	return `${convexSiteUrl.replace(/\/$/, "")}${prefix}/callback/${providerId}`;
+}
+
+//#endregion
+export { defaultOAuthRedirectUri };
+//# sourceMappingURL=redirect.js.map

package/dist/server/auth.d.ts

@@ -1,12 +1,10 @@
 import { AuthApiRefs } from "../client/core/types.js";
 import "../client/index.js";
 import { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, HasDeviceProvider, HasPasskeyProvider, HasSSO, HasTotpProvider } from "./types.js";
-import { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory as AuthContextFactory$1, AuthContextResolver as AuthContextResolver$1, InferAuth, OptionalAuthContext, UserDoc } from "./auth-context.js";
+import { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory, AuthContextResolver, InferAuth, OptionalAuthContext, UserDoc } from "./facade.js";
 import { Auth } from "./runtime.js";
 
 //#region src/server/auth.d.ts
-type AuthContextResolver = AuthContextResolver$1;
-type AuthContextFactory = AuthContextFactory$1;
 type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth>["auth"]["member"], "create" | "list" | "update" | "inspect" | "require"> & {
   create: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["create"]>[0], data: {
     groupId: string;
@@ -48,7 +46,7 @@ type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig |
  * The base auth API surface returned by {@link createAuth}.
  *
  * Provides core namespaces — `signIn`, `signOut`, `user`, `session`,
- * `member`, `invite`, `group`, `key`, and `http` — that are
+ * `member`, `invite`, `group`, `key`, and `request` — that are
  * always available regardless of which providers are configured.
  * Group SSO helpers under `group.sso` are added conditionally by
  * {@link AuthApi} when an SSO provider is present.
@@ -63,6 +61,7 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
   signIn: ReturnType<typeof Auth>["signIn"];
   signOut: ReturnType<typeof Auth>["signOut"];
   store: ReturnType<typeof Auth>["store"];
+  http: ReturnType<typeof Auth>["http"];
   user: ReturnType<typeof Auth>["auth"]["user"];
   session: ReturnType<typeof Auth>["auth"]["session"];
   provider: ReturnType<typeof Auth>["auth"]["provider"];
@@ -71,7 +70,7 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
   member: MemberApiWithAuthorization<TAuthorization>;
   invite: ReturnType<typeof Auth>["auth"]["invite"];
   key: ReturnType<typeof Auth>["auth"]["key"];
-  http: ReturnType<typeof Auth>["auth"]["http"];
+  request: ReturnType<typeof Auth>["auth"]["request"];
   /**
    * Resolve the current request's auth context. Framework-agnostic — use
    * this in fluent-convex middleware, custom wrappers, or anywhere you
@@ -84,8 +83,8 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
    * Pass `{ optional: true }` to get a null-shaped auth object instead.
    *
    * @param ctx - Convex query, mutation, or action context.
-   * @param config - Optional auth resolution config. Supports `optional`,
-   *   `resolve`, and `authResolve`.
+   * @param config - Optional auth resolution config. Supports `optional` and
+   *   `resolve`.
    * @returns The current auth context.
    *
    * @example fluent-convex middleware

package/dist/server/auth.js

@@ -1,4 +1,4 @@
-import { createAuthContextCustomization, createAuthContextFacade, createPublicAuthContext } from "./auth-context.js";
+import { createAuthContextFacade } from "./facade.js";
 import { Auth } from "./runtime.js";
 import { ConvexError } from "convex/values";
 
@@ -133,6 +133,7 @@ function createAuth(component, config) {
 		signIn: authResult.signIn,
 		signOut: authResult.signOut,
 		store: authResult.store,
+		http: authResult.http,
 		user: authResult.auth.user,
 		session: authResult.auth.session,
 		provider: authResult.auth.provider,
@@ -144,7 +145,7 @@ function createAuth(component, config) {
 		member: authResult.auth.member,
 		invite: authResult.auth.invite,
 		key: authResult.auth.key,
-		http: authResult.auth.http,
+		request: authResult.auth.request,
 		...createAuthContextFacade(authResult.auth)
 	};
 }

package/dist/server/{ctxCache.js → cache/context.js}

@@ -1,4 +1,4 @@
-//#region src/server/ctxCache.ts
+//#region src/server/cache/context.ts
 /**
 * Per-execution cache for Convex auth component reads.
 *
@@ -91,4 +91,4 @@ function invalidateCtxCache(ctx, keyPrefix) {
 
 //#endregion
 export { cached, ctxCacheHas, invalidateCtxCache };
-//# sourceMappingURL=ctxCache.js.map
+//# sourceMappingURL=context.js.map

package/dist/server/{componentContext.d.ts → component/context.d.ts}

@@ -1,6 +1,6 @@
 import { GenericDataModel, GenericMutationCtx, GenericQueryCtx } from "convex/server";
 
-//#region src/server/componentContext.d.ts
+//#region src/server/component/context.d.ts
 type ComponentReadCtx = {
   runQuery: GenericQueryCtx<GenericDataModel>["runQuery"];
 };
@@ -9,4 +9,4 @@ type ComponentCtx = ComponentReadCtx & {
 };
 //#endregion
 export { ComponentCtx, ComponentReadCtx };
-//# sourceMappingURL=componentContext.d.ts.map
+//# sourceMappingURL=context.d.ts.map

package/dist/server/context.js

@@ -6,14 +6,7 @@ async function getSessionUserId(ctx) {
 	return await getAuthenticatedUserIdOrNull(ctx);
 }
 /** @internal */
-async function getAuthContextForUser(auth, ctx, userId, opts) {
-	if (opts?.group === false) return {
-		userId,
-		user: await auth.user.get(ctx, userId),
-		groupId: null,
-		role: null,
-		grants: []
-	};
+async function getAuthContextForUser(auth, ctx, userId) {
 	const [user, groupId] = await Promise.all([auth.user.get(ctx, userId), auth.user.getActiveGroup(ctx, { userId })]);
 	let role = null;
 	let grants = [];
@@ -36,10 +29,10 @@ async function getAuthContextForUser(auth, ctx, userId, opts) {
 	};
 }
 /** @internal */
-async function getAuthContext(auth, ctx, opts) {
+async function getAuthContext(auth, ctx) {
 	const userId = await getSessionUserId(ctx);
 	if (userId === null) return null;
-	return await getAuthContextForUser(auth, ctx, userId, opts);
+	return await getAuthContextForUser(auth, ctx, userId);
 }
 /** @internal */
 function createUnauthenticatedAuthContext() {