@robelest/convex-auth 0.0.4-preview.30 → 0.0.4-preview.32

package/dist/server/contract.d.ts

@@ -1,76 +1,7 @@
 import "./types.js";
-import "./componentContext.js";
+import "./component/context.js";
 
 //#region src/server/contract.d.ts
-type GroupConnectionRecord = {
-  _id: string;
-  _creationTime: number;
-  groupId: string;
-  slug?: string;
-  name?: string;
-  protocol: "oidc" | "saml";
-  status: "draft" | "active" | "disabled";
-  config?: unknown;
-  extend?: unknown;
-};
-type GroupConnectionDomainLookupRecord = {
-  connection: GroupConnectionRecord | null;
-  domain: ConnectionDomainRecord | null;
-};
-type GroupConnectionListResult = {
-  items: GroupConnectionRecord[];
-  nextCursor: string | null;
-};
-type ConnectionDomainRecord = {
-  _id: string;
-  _creationTime: number;
-  connectionId: string;
-  groupId: string;
-  domain: string;
-  isPrimary: boolean;
-  verifiedAt?: number;
-};
-type ScimConfigRecord = {
-  _id: string;
-  _creationTime: number;
-  connectionId: string;
-  groupId: string;
-  status: string;
-  basePath: string;
-  tokenHash: string;
-  lastRotatedAt?: number;
-  extend?: unknown;
-};
-type WebhookEndpointRecord = {
-  _id: string;
-  _creationTime: number;
-  connectionId: string;
-  groupId: string;
-  url: string;
-  status: string;
-  secretHash: string;
-  subscriptions: string[];
-  createdByUserId?: string;
-  lastSuccessAt?: number;
-  lastFailureAt?: number;
-  failureCount: number;
-  extend?: unknown;
-};
-type WebhookDeliveryRecord = {
-  _id: string;
-  _creationTime: number;
-  connectionId: string;
-  endpointId: string;
-  auditEventId?: string;
-  eventType: string;
-  status: string;
-  attemptCount: number;
-  nextAttemptAt: number;
-  lastAttemptAt?: number;
-  lastResponseStatus?: number;
-  lastError?: string;
-  payload: unknown;
-};
 type ScimIdentityRecord = {
   _id: string;
   _creationTime: number;
@@ -84,22 +15,6 @@ type ScimIdentityRecord = {
   raw?: Record<string, unknown>;
   lastProvisionedAt?: number;
 };
-type AuditEventRecord = {
-  _id: string;
-  _creationTime: number;
-  connectionId?: string;
-  groupId: string;
-  eventType: string;
-  actorType: string;
-  actorId?: string;
-  subjectType: string;
-  subjectId?: string;
-  status: string;
-  occurredAt: number;
-  requestId?: string;
-  ip?: string;
-  metadata?: Record<string, unknown>;
-};
 //#endregion
-export { AuditEventRecord, ConnectionDomainRecord, GroupConnectionDomainLookupRecord, GroupConnectionListResult, GroupConnectionRecord, ScimConfigRecord, ScimIdentityRecord, WebhookDeliveryRecord, WebhookEndpointRecord };
+export { ScimIdentityRecord };
 //# sourceMappingURL=contract.d.ts.map

package/dist/server/contract.js

@@ -1,4 +1,4 @@
-import { cached, invalidateCtxCache } from "./ctxCache.js";
+import { cached, invalidateCtxCache } from "./cache/context.js";
 
 //#region src/server/contract.ts
 const query = (ctx, ref, args) => ctx.runQuery(ref, args);

package/dist/server/cookies.js

@@ -10,6 +10,30 @@ const SHARED_COOKIE_OPTIONS = {
 	path: "/",
 	partitioned: true
 };
+/** Encode a redirectTo URL into the OAuth state parameter. */
+function encodeOAuthState(state, redirectTo) {
+	if (redirectTo === null) return state;
+	const json = JSON.stringify({
+		s: state,
+		r: redirectTo
+	});
+	return btoa(json).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/** Decode an OAuth state parameter, extracting the original state and redirectTo. */
+function decodeOAuthState(encoded) {
+	try {
+		const padded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+		const json = JSON.parse(atob(padded));
+		if (typeof json === "object" && json !== null && typeof json.s === "string") return {
+			state: json.s,
+			redirectTo: typeof json.r === "string" ? json.r : null
+		};
+	} catch {}
+	return {
+		state: encoded,
+		redirectTo: null
+	};
+}
 const REDIRECT_MAX_AGE = 900;
 /** @internal */
 function redirectToParamCookie(providerId, redirectTo) {
@@ -44,5 +68,5 @@ function redirectToParamCookieName(providerId) {
 }
 
 //#endregion
-export { SHARED_COOKIE_OPTIONS, redirectToParamCookie, useRedirectToParam };
+export { SHARED_COOKIE_OPTIONS, decodeOAuthState, encodeOAuthState, redirectToParamCookie, useRedirectToParam };
 //# sourceMappingURL=cookies.js.map

package/dist/server/core.js

@@ -1,5 +1,5 @@
 import { getSessionUserId } from "./context.js";
-import { cached, ctxCacheHas, invalidateCtxCache } from "./ctxCache.js";
+import { cached, ctxCacheHas, invalidateCtxCache } from "./cache/context.js";
 import { generateRandomString, sha256 } from "./random.js";
 import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "./keys.js";
 import { ConvexError } from "convex/values";

package/dist/server/errors.js

@@ -2,6 +2,29 @@ import { AuthFlowError } from "../shared/errors.js";
 import { ConvexError } from "convex/values";
 
 //#region src/server/errors.ts
+/**
+* Internal signal carrying a non-`signedIn` flow result up through a
+* credentials authorize callback.
+*
+* `ctx.auth.provider.signIn` re-enters the canonical sign-in flow so a
+* credentials provider (e.g. password.ts) can hand off to a verify/reset
+* email provider, an OAuth redirect, or a device-code flow. Those handlers
+* resolve to results like `{ kind: "started" }` or `{ kind: "redirect" }`,
+* which the credentials runner has no shape to return — its `authorize`
+* contract is `{ userId, ... } | null`. Throwing a `FlowSignal` lets the
+* runner unwrap it and forward the carried result unchanged to the outer
+* signIn action.
+*
+* @internal
+*/
+var FlowSignal = class extends Error {
+	result;
+	constructor(result) {
+		super(`FlowSignal:${result.kind}`);
+		this.name = "FlowSignal";
+		this.result = result;
+	}
+};
 /** @internal */
 const toConvexError = (error) => {
 	if (error instanceof ConvexError) return error;
@@ -16,5 +39,5 @@ const toConvexError = (error) => {
 };
 
 //#endregion
-export { toConvexError };
+export { FlowSignal, toConvexError };
 //# sourceMappingURL=errors.js.map

package/dist/server/{auth-context.d.ts → facade.d.ts}

@@ -2,7 +2,7 @@ import { ConvexAuthConfig, Doc } from "./types.js";
 import { GenericId } from "convex/values";
 import { UserIdentity } from "convex/server";
 
-//#region src/server/auth-context.d.ts
+//#region src/server/facade.d.ts
 /**
  * Config for auth setup. Extends the standard auth config
  * minus `component` (which is passed as the first constructor argument).
@@ -139,23 +139,6 @@ type AuthContextConfig<TResolve extends Record<string, unknown> = Record<string,
    * of throwing `NOT_SIGNED_IN`.
    */
   optional?: boolean;
-  /**
-   * Resolve the active group + membership when building `ctx.auth`.
-   *
-   * The full resolver fires three sequential component reads on every
-   * call: `user.get`, `user.getActiveGroup`, `member.inspect`. For
-   * handlers that only need `userId` / `user` (e.g. `account:listPasskeys`,
-   * profile reads, self-service settings), the second and third reads are
-   * pure overhead.
-   *
-   * Set `group: false` to skip them. `ctx.auth.groupId`, `ctx.auth.role`,
-   * and `ctx.auth.grants` come back as `null` / `[]` without any
-   * component round-trip. Saves ~10–30ms per auth-gated call on the
-   * lightweight path.
-   *
-   * @defaultValue true
-   */
-  group?: boolean;
   /**
    * Attach additional derived fields to the auth context after the base auth
    * context is resolved.
@@ -163,31 +146,6 @@ type AuthContextConfig<TResolve extends Record<string, unknown> = Record<string,
    * This callback runs only when an authenticated user context is available.
    */
   resolve?: (ctx: TCtx, user: UserDoc, auth: AuthContext) => Promise<TResolve> | TResolve;
-  /**
-   * Override or wrap the base auth resolution used by {@link createAuth().ctx}.
-   *
-   * Return `undefined` to fall back to the built-in resolver,
-   * `null` for an explicit unauthenticated state, or an
-   * {@link AuthContext} object to provide a pre-resolved auth state.
-   * This is useful for tests, proxy auth, impersonation flows, or any
-   * environment that needs to inject auth without depending on the standard
-   * Convex auth tables.
-   *
-   * @param ctx - The Convex function context.
-   * @param fallback - The built-in auth resolver used by {@link createAuth().ctx}.
-   * @returns Resolved auth state, `null`, or `undefined` to use the fallback.
-   *
-   * @example
-   * ```ts
-   * const authCtx = auth.ctx({
-   *   authResolve: async (ctx, fallback) => {
-   *     const injected = getInjectedAuth(ctx);
-   *     return injected ?? (await fallback());
-   *   },
-   * });
-   * ```
-   */
-  authResolve?: (ctx: TCtx, fallback: () => Promise<AuthContext | null>) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;
 };
 /**
  * Extract the resolved `auth` context type from an `auth.ctx()` customization.
@@ -217,5 +175,5 @@ type InferAuth<T extends {
   input: (...args: never[]) => CustomFunctionInputResult<Record<string, unknown>>;
 }> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
 //#endregion
-export { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory, AuthContextResolver, InferAuth, OptionalAuthContext, UserDoc };
-//# sourceMappingURL=auth-context.d.ts.map
+export { AuthConfig, AuthContext, AuthContextConfig, type AuthContextFactory, type AuthContextResolver, InferAuth, OptionalAuthContext, UserDoc };
+//# sourceMappingURL=facade.d.ts.map

package/dist/server/{auth-context.js → facade.js}

@@ -1,11 +1,9 @@
 import { createUnauthenticatedAuthContext, getAuthContext } from "./context.js";
 import { ConvexError } from "convex/values";
 
-//#region src/server/auth-context.ts
-async function resolveConfiguredAuthContext(auth, ctx, config) {
-	const fallback = () => getAuthContext(auth, ctx, { group: config?.group !== false });
-	const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
-	return authOverride === void 0 ? await fallback() : authOverride;
+//#region src/server/facade.ts
+async function resolveConfiguredAuthContext(auth, ctx, _config) {
+	return await getAuthContext(auth, ctx);
 }
 function createNotSignedInError() {
 	return new ConvexError({
@@ -13,6 +11,7 @@ function createNotSignedInError() {
 		message: "Authentication required."
 	});
 }
+/** @internal */
 function assertAuthResolverContext(ctx) {
 	const candidate = ctx;
 	if (candidate === null || typeof candidate !== "object" || candidate.auth === void 0 || candidate.auth === null || typeof candidate.auth !== "object" || typeof candidate.auth.getUserIdentity !== "function" || typeof candidate.runQuery !== "function") throw new TypeError("auth.context(ctx) requires a Convex function context with auth.getUserIdentity() and runQuery().");
@@ -20,8 +19,7 @@ function assertAuthResolverContext(ctx) {
 /**
 * Resolve the public auth context for a Convex handler context.
 *
-* This low-level helper underpins `auth.context(...)` and remains exported for
-* compatibility with existing consumers using the server entrypoint.
+* This low-level helper underpins `auth.context(...)`.
 */
 async function createPublicAuthContext(auth, ctx, config) {
 	const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
@@ -38,8 +36,7 @@ async function createPublicAuthContext(auth, ctx, config) {
 /**
 * Create a convex-helpers customization that injects `ctx.auth`.
 *
-* This low-level helper underpins `auth.ctx(...)` and remains exported for
-* compatibility with existing consumers using the server entrypoint.
+* This low-level helper underpins `auth.ctx(...)`.
 */
 function createAuthContextCustomization(auth, config) {
 	return {
@@ -71,8 +68,10 @@ function createAuthContextCustomization(auth, config) {
 	};
 }
 /**
-* Build the shared public auth-context facade used by both `createAuth()` and
+* Build the shared public auth context facade used by both `createAuth()` and
 * `createAuthContext()`.
+*
+* @internal
 */
 function createAuthContextFacade(auth) {
 	return {
@@ -85,5 +84,5 @@ function createAuthContextFacade(auth) {
 }
 
 //#endregion
-export { createAuthContextCustomization, createAuthContextFacade, createPublicAuthContext };
-//# sourceMappingURL=auth-context.js.map
+export { createAuthContextFacade };
+//# sourceMappingURL=facade.js.map

package/dist/server/http.d.ts

@@ -1,6 +1,6 @@
 import { HttpKeyContext } from "./types.js";
-import { AuthContext, OptionalAuthContext, UserDoc } from "./auth-context.js";
-import { ComponentReadCtx } from "./componentContext.js";
+import { AuthContext, OptionalAuthContext, UserDoc } from "./facade.js";
+import { ComponentReadCtx } from "./component/context.js";
 import "./auth.js";
 import { GenericActionCtx, GenericDataModel, HttpRouter, UserIdentity } from "convex/server";
 
@@ -12,7 +12,7 @@ type HttpIdentityCtx = {
 };
 type HttpContextCtx = HttpIdentityCtx & ComponentReadCtx;
 /**
- * Auth context returned by `auth.http.context(ctx, request)`.
+ * Auth context returned by `auth.request.context(ctx, request)`.
  *
  * This resolves raw HTTP authentication in two steps:
  * 1. session auth from `ctx.auth.getUserIdentity()`
@@ -24,7 +24,7 @@ type HttpContextCtx = HttpIdentityCtx & ComponentReadCtx;
  *
  * @example
  * ```ts
- * const authContext = await auth.http.context(ctx, request);
+ * const authContext = await auth.request.context(ctx, request);
  * if (authContext.source === "key") {
  *   console.log(authContext.key.keyId);
  * }
@@ -39,7 +39,7 @@ type HttpAuthContext = (AuthContext & {
 });
 /**
  * Nullable HTTP auth context returned by
- * `auth.http.context(ctx, request, { optional: true })`.
+ * `auth.request.context(ctx, request, { optional: true })`.
  *
  * This preserves a stable auth-shaped object for raw `httpAction` handlers
  * that allow anonymous callers.
@@ -49,7 +49,7 @@ type OptionalHttpAuthContext = (OptionalAuthContext & {
   key: null;
 }) | HttpAuthContext;
 /**
- * Configuration for {@link createAuth().http.context}.
+ * Configuration for {@link createAuth().request.context}.
  *
  * This mirrors {@link AuthContextConfig} for raw HTTP handlers and adds support
  * for enriching mixed session/API-key auth results.
@@ -59,7 +59,7 @@ type OptionalHttpAuthContext = (OptionalAuthContext & {
  *
  * @example
  * ```ts
- * const authContext = await auth.http.context(ctx, request, {
+ * const authContext = await auth.request.context(ctx, request, {
  *   resolve: async (_ctx, user, authState) => ({
  *     email: user.email,
  *     isMachineRequest: authState.source === "key",

package/dist/server/http.js

@@ -54,7 +54,7 @@ async function resolveHttpAuthContext(auth, ctx, request) {
 }
 /**
 * @internal
-* Create the implementation behind `auth.http.context(...)`.
+* Create the implementation behind `auth.request.context(...)`.
 */
 function createHttpContext(auth) {
 	return (async (ctx, request, config) => {
@@ -230,8 +230,9 @@ function parseConnectionRuntimeRoute(pathname, routeBase) {
 }
 function addOpenIdRoutes(http, deps) {
 	const cacheControl = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+	const routeBase = deps.routeBase ?? "";
 	http.route({
-		path: "/.well-known/openid-configuration",
+		path: `${routeBase}/.well-known/openid-configuration`,
 		method: "GET",
 		handler: httpActionGeneric(async () => {
 			const issuer = deps.getIssuer();
@@ -248,7 +249,7 @@ function addOpenIdRoutes(http, deps) {
 		})
 	});
 	http.route({
-		path: "/.well-known/jwks.json",
+		path: `${routeBase}/.well-known/jwks.json`,
 		method: "GET",
 		handler: httpActionGeneric(async () => {
 			return new Response(deps.getJwks(), {
@@ -261,20 +262,58 @@ function addOpenIdRoutes(http, deps) {
 		})
 	});
 }
+/** Register root `/.well-known/*` app discovery routes on an HTTP router. */
+function addWellKnownRoutes(http, deps) {
+	for (const route of [
+		{
+			endpoint: "apple-app-site-association",
+			path: "/.well-known/apple-app-site-association"
+		},
+		{
+			endpoint: "assetlinks.json",
+			path: "/.well-known/assetlinks.json"
+		},
+		{
+			endpoint: "webauthn",
+			path: "/.well-known/webauthn"
+		},
+		{
+			endpoint: "change-password",
+			path: "/.well-known/change-password"
+		},
+		{
+			endpoint: "security.txt",
+			path: "/.well-known/security.txt"
+		}
+	]) http.route({
+		path: route.path,
+		method: "GET",
+		handler: httpActionGeneric(async () => {
+			const result = deps.getResponse(route.endpoint);
+			if (result === null) return new Response(null, { status: 404 });
+			return new Response(result.body, {
+				status: result.status,
+				headers: result.headers
+			});
+		})
+	});
+}
 function addAuthRoutes(http, deps) {
+	const routeBase = deps.routeBase ?? "/api/auth";
+	const routePrefix = routeBase === "" ? "" : routeBase;
 	http.route({
-		pathPrefix: "/api/auth/signin/",
+		pathPrefix: `${routePrefix}/signin/`,
 		method: "GET",
 		handler: httpActionGeneric(deps.handleSignIn)
 	});
 	const callbackHandler = httpActionGeneric(deps.handleCallback);
 	http.route({
-		pathPrefix: "/api/auth/callback/",
+		pathPrefix: `${routePrefix}/callback/`,
 		method: "GET",
 		handler: callbackHandler
 	});
 	http.route({
-		pathPrefix: "/api/auth/callback/",
+		pathPrefix: `${routePrefix}/callback/`,
 		method: "POST",
 		handler: callbackHandler
 	});
@@ -332,6 +371,7 @@ function addSSORoutes(http, deps) {
 				if (route.rest[0] === "acs") return await deps.handleSamlAcs(ctx, request, route);
 				if (route.rest[0] === "slo") return await deps.handleSamlSlo(ctx, request, route);
 			}
+			if (route?.protocol === "oidc" && route.rest.length === 1 && route.rest[0] === "callback") return await deps.handleOidcCallback(ctx, request, route);
 			if (route?.protocol === "scim" && route.rest[0] === "v2") return await deps.handleScimRequest(ctx, request);
 			throw new ConvexError({
 				code: "INVALID_PARAMETERS",
@@ -363,5 +403,5 @@ function addSSORoutes(http, deps) {
 }
 
 //#endregion
-export { addAuthRoutes, addOpenIdRoutes, addSSORoutes, convertErrorsToResponse, createHttpAction, createHttpContext, createHttpRoute, getCookies };
+export { addAuthRoutes, addOpenIdRoutes, addSSORoutes, addWellKnownRoutes, convertErrorsToResponse, createHttpAction, createHttpContext, createHttpRoute, getCookies };
 //# sourceMappingURL=http.js.map

package/dist/server/{convexIdentity.d.ts → identity/convex.d.ts}

@@ -1,6 +1,6 @@
 import { GenericId } from "convex/values";
 
-//#region src/server/convexIdentity.d.ts
+//#region src/server/identity/convex.d.ts
 declare module "convex/server" {
   interface UserIdentity {
     /**
@@ -11,5 +11,5 @@ declare module "convex/server" {
      */
     readonly sid?: GenericId<"Session">;
   }
-} //# sourceMappingURL=convexIdentity.d.ts.map
-//# sourceMappingURL=convexIdentity.d.ts.map
+} //# sourceMappingURL=convex.d.ts.map
+//# sourceMappingURL=convex.d.ts.map

package/dist/server/index.d.ts

@@ -1,7 +1,9 @@
-import { AuthConfig, AuthContext, AuthContextConfig, InferAuth, OptionalAuthContext, UserDoc } from "./auth-context.js";
+import { AfterCtx, AuthCallbackContext, AuthCallbackProfile, AuthCallbacks, AuthEvent, BeforeCtx, BeforeEvent, BeforeResult } from "./types.js";
+import { AuthConfig, AuthContext, AuthContextConfig, InferAuth, OptionalAuthContext, UserDoc } from "./facade.js";
+import { WellKnownEndpoint, WellKnownOptions, WellKnownResponse, wellKnown } from "./wellknown.js";
 import { HttpAuthContext, HttpAuthContextConfig, OptionalHttpAuthContext } from "./http.js";
 import { AuthApi, AuthApiBase, ConvexAuthResult, InferClientApi, createAuth } from "./auth.js";
-import "./convexIdentity.js";
+import "./identity/convex.js";
 import { CreateAuthGroupSsoOptions, GroupSsoAccessHandler, GroupSsoAccessInput, GroupSsoAccessPermissions, GroupSsoPermission, GroupSsoResolvedAccessHandler, createAuthGroupSso, scim, sso } from "./mounts.js";
 import { AuthCookie, AuthCookieConfig, AuthCookies, RefreshResult, ServerOptions, authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./prefetch.js";
-export { type AuthApi, type AuthApiBase, type AuthConfig, type AuthContext, type AuthContextConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, type ConvexAuthResult, type CreateAuthGroupSsoOptions, type GroupSsoAccessHandler, type GroupSsoAccessInput, type GroupSsoAccessPermissions, type GroupSsoPermission, type GroupSsoResolvedAccessHandler, type HttpAuthContext, type HttpAuthContextConfig, type InferAuth, type InferClientApi, type OptionalAuthContext, type OptionalHttpAuthContext, type RefreshResult, type ServerOptions, type UserDoc, authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
+export { type AfterCtx, type AuthApi, type AuthApiBase, type AuthCallbackContext, type AuthCallbackProfile, type AuthCallbacks, type AuthConfig, type AuthContext, type AuthContextConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, type AuthEvent, type BeforeCtx, type BeforeEvent, type BeforeResult, type ConvexAuthResult, type CreateAuthGroupSsoOptions, type GroupSsoAccessHandler, type GroupSsoAccessInput, type GroupSsoAccessPermissions, type GroupSsoPermission, type GroupSsoResolvedAccessHandler, type HttpAuthContext, type HttpAuthContextConfig, type InferAuth, type InferClientApi, type OptionalAuthContext, type OptionalHttpAuthContext, type RefreshResult, type ServerOptions, type UserDoc, type WellKnownEndpoint, type WellKnownOptions, type WellKnownResponse, authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, wellKnown };

package/dist/server/index.js

@@ -1,6 +1,7 @@
-import "./convexIdentity.js";
+import "./identity/convex.js";
+import { wellKnown } from "./wellknown.js";
 import { createAuth } from "./auth.js";
 import { createAuthGroupSso, scim, sso } from "./mounts.js";
 import { authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./prefetch.js";
 
-export { authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
+export { authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, wellKnown };