@robelest/convex-auth 0.0.4-preview.30 → 0.0.4-preview.32

package/dist/server/mounts.d.ts

@@ -1,5 +1,4 @@
-import { AuthAuthorizationConfig, GroupConnectionDeprovisionMode, GroupConnectionPolicy } from "./types.js";
-import { AuditEventRecord, ConnectionDomainRecord, GroupConnectionDomainLookupRecord, GroupConnectionListResult, GroupConnectionRecord, ScimConfigRecord } from "./contract.js";
+import { AuthAuthorizationConfig, GroupConnectionPolicy } from "./types.js";
 import { AuthApi } from "./auth.js";
 import * as convex_server6 from "convex/server";
 
@@ -227,10 +226,41 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
       }>>;
       get: convex_server6.RegisteredQuery<"public", {
         connectionId: string;
-      }, Promise<GroupConnectionRecord | null>>;
+      }, Promise<{
+        _id: string;
+        _creationTime: number;
+        groupId: string;
+        slug?: string;
+        name?: string;
+        protocol: "oidc" | "saml";
+        status: "draft" | "active" | "disabled";
+        config?: unknown;
+        extend?: unknown;
+      } | null>>;
       getByDomain: convex_server6.RegisteredQuery<"public", {
         domain: string;
-      }, Promise<GroupConnectionDomainLookupRecord | null>>;
+      }, Promise<{
+        connection: {
+          _id: string;
+          _creationTime: number;
+          groupId: string;
+          slug?: string;
+          name?: string;
+          protocol: "oidc" | "saml";
+          status: "draft" | "active" | "disabled";
+          config?: unknown;
+          extend?: unknown;
+        } | null;
+        domain: {
+          _id: string;
+          _creationTime: number;
+          connectionId: string;
+          groupId: string;
+          domain: string;
+          isPrimary: boolean;
+          verifiedAt?: number;
+        } | null;
+      } | null>>;
       list: convex_server6.RegisteredQuery<"public", {
         limit?: number | undefined;
         where?: {
@@ -241,7 +271,20 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
         cursor?: string | null | undefined;
         orderBy?: string | undefined;
         order?: "asc" | "desc" | undefined;
-      }, Promise<GroupConnectionListResult>>;
+      }, Promise<{
+        items: {
+          _id: string;
+          _creationTime: number;
+          groupId: string;
+          slug?: string;
+          name?: string;
+          protocol: "oidc" | "saml";
+          status: "draft" | "active" | "disabled";
+          config?: unknown;
+          extend?: unknown;
+        }[];
+        nextCursor: string | null;
+      }>>;
       update: convex_server6.RegisteredMutation<"public", {
         connectionId: string;
         data: {
@@ -280,14 +323,22 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
             configured: boolean;
             ready: boolean;
             basePath: string | null;
-            deprovisionMode: GroupConnectionDeprovisionMode;
+            deprovisionMode: "soft" | "hard";
           };
         };
       }>>;
       domain: {
         list: convex_server6.RegisteredQuery<"public", {
           connectionId: string;
-        }, Promise<ConnectionDomainRecord[]>>;
+        }, Promise<{
+          _id: string;
+          _creationTime: number;
+          connectionId: string;
+          groupId: string;
+          domain: string;
+          isPrimary: boolean;
+          verifiedAt?: number;
+        }[]>>;
         status: convex_server6.RegisteredQuery<"public", {
           connectionId: string;
         }, Promise<{
@@ -610,7 +661,22 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
         groupId?: string | undefined;
         connectionId?: string | undefined;
         limit?: number | undefined;
-      }, Promise<AuditEventRecord[]>>;
+      }, Promise<{
+        _id: string;
+        _creationTime: number;
+        connectionId?: string;
+        groupId: string;
+        eventType: string;
+        actorType: string;
+        actorId?: string;
+        subjectType: string;
+        subjectId?: string;
+        status: string;
+        occurredAt: number;
+        requestId?: string;
+        ip?: string;
+        metadata?: Record<string, unknown>;
+      }[]>>;
     };
     webhook: {
       delivery: {
@@ -769,7 +835,17 @@ declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined
       connectionId: string;
       configured: boolean;
       ready: boolean;
-      config: ScimConfigRecord | null;
+      config: {
+        _id: string;
+        _creationTime: number;
+        connectionId: string;
+        groupId: string;
+        status: string;
+        basePath: string;
+        tokenHash: string;
+        lastRotatedAt?: number;
+        extend?: unknown;
+      } | null;
       checks: {
         name: string;
         ok: boolean;
@@ -806,7 +882,7 @@ declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined
       ok: boolean;
       connectionId: string;
       basePath: string;
-      deprovisionMode: GroupConnectionDeprovisionMode;
+      deprovisionMode: "soft" | "hard";
       capabilities: {
         users: boolean;
         groups: boolean;
@@ -876,10 +952,41 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
   }>>;
   getConnection: convex_server6.RegisteredQuery<"public", {
     connectionId: string;
-  }, Promise<GroupConnectionRecord | null>>;
+  }, Promise<{
+    _id: string;
+    _creationTime: number;
+    groupId: string;
+    slug?: string;
+    name?: string;
+    protocol: "oidc" | "saml";
+    status: "draft" | "active" | "disabled";
+    config?: unknown;
+    extend?: unknown;
+  } | null>>;
   getConnectionByDomain: convex_server6.RegisteredQuery<"public", {
     domain: string;
-  }, Promise<GroupConnectionDomainLookupRecord | null>>;
+  }, Promise<{
+    connection: {
+      _id: string;
+      _creationTime: number;
+      groupId: string;
+      slug?: string;
+      name?: string;
+      protocol: "oidc" | "saml";
+      status: "draft" | "active" | "disabled";
+      config?: unknown;
+      extend?: unknown;
+    } | null;
+    domain: {
+      _id: string;
+      _creationTime: number;
+      connectionId: string;
+      groupId: string;
+      domain: string;
+      isPrimary: boolean;
+      verifiedAt?: number;
+    } | null;
+  } | null>>;
   listConnections: convex_server6.RegisteredQuery<"public", {
     limit?: number | undefined;
     where?: {
@@ -890,7 +997,20 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
     cursor?: string | null | undefined;
     orderBy?: string | undefined;
     order?: "asc" | "desc" | undefined;
-  }, Promise<GroupConnectionListResult>>;
+  }, Promise<{
+    items: {
+      _id: string;
+      _creationTime: number;
+      groupId: string;
+      slug?: string;
+      name?: string;
+      protocol: "oidc" | "saml";
+      status: "draft" | "active" | "disabled";
+      config?: unknown;
+      extend?: unknown;
+    }[];
+    nextCursor: string | null;
+  }>>;
   updateConnection: convex_server6.RegisteredMutation<"public", {
     connectionId: string;
     data: {
@@ -929,13 +1049,21 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
         configured: boolean;
         ready: boolean;
         basePath: string | null;
-        deprovisionMode: GroupConnectionDeprovisionMode;
+        deprovisionMode: "soft" | "hard";
       };
     };
   }>>;
   listDomains: convex_server6.RegisteredQuery<"public", {
     connectionId: string;
-  }, Promise<ConnectionDomainRecord[]>>;
+  }, Promise<{
+    _id: string;
+    _creationTime: number;
+    connectionId: string;
+    groupId: string;
+    domain: string;
+    isPrimary: boolean;
+    verifiedAt?: number;
+  }[]>>;
   getDomainStatus: convex_server6.RegisteredQuery<"public", {
     connectionId: string;
   }, Promise<{
@@ -1247,7 +1375,22 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
     groupId?: string | undefined;
     connectionId?: string | undefined;
     limit?: number | undefined;
-  }, Promise<AuditEventRecord[]>>;
+  }, Promise<{
+    _id: string;
+    _creationTime: number;
+    connectionId?: string;
+    groupId: string;
+    eventType: string;
+    actorType: string;
+    actorId?: string;
+    subjectType: string;
+    subjectId?: string;
+    status: string;
+    occurredAt: number;
+    requestId?: string;
+    ip?: string;
+    metadata?: Record<string, unknown>;
+  }[]>>;
   createWebhookEndpoint: convex_server6.RegisteredMutation<"public", {
     createdByUserId?: string | undefined;
     secret: string;
@@ -1341,7 +1484,17 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
     connectionId: string;
     configured: boolean;
     ready: boolean;
-    config: ScimConfigRecord | null;
+    config: {
+      _id: string;
+      _creationTime: number;
+      connectionId: string;
+      groupId: string;
+      status: string;
+      basePath: string;
+      tokenHash: string;
+      lastRotatedAt?: number;
+      extend?: unknown;
+    } | null;
     checks: {
       name: string;
       ok: boolean;
@@ -1378,7 +1531,7 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
     ok: boolean;
     connectionId: string;
     basePath: string;
-    deprovisionMode: GroupConnectionDeprovisionMode;
+    deprovisionMode: "soft" | "hard";
     capabilities: {
       users: boolean;
       groups: boolean;

package/dist/server/mutations/code.js

@@ -54,10 +54,16 @@ async function generateUniqueVerificationCode(ctx, accountId, provider, code, ex
 	const db = authDb(ctx, config);
 	const existingCode = await db.verificationCodes.getByAccountId(accountId);
 	if (existingCode !== null) await db.verificationCodes.delete(existingCode._id);
+	const hashedCode = await sha256(code);
+	const conflictingCode = await db.verificationCodes.getByCode(hashedCode);
+	if (conflictingCode !== null && conflictingCode.accountId !== accountId) throw new ConvexError({
+		code: "VERIFICATION_CODE_COLLISION",
+		message: "Generated verification code conflicts with another pending sign-in."
+	});
 	await db.verificationCodes.create({
 		accountId,
 		provider,
-		code: await sha256(code),
+		code: hashedCode,
 		expirationTime,
 		emailVerified: email,
 		phoneVerified: phone

package/dist/server/mutations/{credentialsSignIn.js → credentials/signin.js}

@@ -1,14 +1,14 @@
-import { LOG_LEVELS } from "../../shared/log.js";
-import { verify } from "../crypto.js";
-import { authDb } from "../db.js";
-import { log, maybeRedact } from "../log.js";
-import { AUTH_STORE_REF } from "./store/refs.js";
-import { withSpan } from "../utils/span.js";
-import { issueSession } from "../sessions.js";
-import { getSignInRateLimitState, isStateRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../limits.js";
+import { LOG_LEVELS } from "../../../shared/log.js";
+import { verify } from "../../crypto.js";
+import { authDb } from "../../db.js";
+import { log, maybeRedact } from "../../log.js";
+import { AUTH_STORE_REF } from "../store/refs.js";
+import { withSpan } from "../../utils/span.js";
+import { issueSession } from "../../sessions.js";
+import { getSignInRateLimitState, isStateRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../../limits.js";
 import { v } from "convex/values";
 
-//#region src/server/mutations/credentialsSignIn.ts
+//#region src/server/mutations/credentials/signin.ts
 const credentialsSignInArgs = v.object({
 	provider: v.string(),
 	account: v.object({
@@ -111,4 +111,4 @@ const callCredentialsSignIn = async (ctx, args) => {
 
 //#endregion
 export { callCredentialsSignIn, credentialsSignInArgs, credentialsSignInImpl };
-//# sourceMappingURL=credentialsSignIn.js.map
+//# sourceMappingURL=signin.js.map

package/dist/server/mutations/index.js

@@ -1,6 +1,6 @@
 import { callModifyAccount } from "./account.js";
 import { callCreateVerificationCode } from "./code.js";
-import { callCredentialsSignIn } from "./credentialsSignIn.js";
+import { callCredentialsSignIn } from "./credentials/signin.js";
 import { callInvalidateSessions } from "./invalidate.js";
 import { callUserOAuth } from "./oauth.js";
 import { callRefreshSession } from "./refresh.js";

package/dist/server/mutations/invalidate.js

@@ -22,7 +22,17 @@ async function invalidateSessionsImpl(ctx, args, config) {
 	const exceptSet = new Set(except ?? []);
 	const typedUserId = userId;
 	const sessions = await authDb(ctx, config).sessions.listByUser(typedUserId);
-	await Promise.all(sessions.map((session) => exceptSet.has(session._id) ? Promise.resolve() : deleteSession(ctx, session, config)));
+	const deleted = [];
+	await Promise.all(sessions.map(async (session) => {
+		if (exceptSet.has(session._id)) return;
+		await deleteSession(ctx, session, config);
+		deleted.push(session._id);
+	}));
+	if (deleted.length > 0) await config.callbacks?.after?.(ctx, {
+		kind: "sessionsInvalidated",
+		userId: typedUserId,
+		sessionIds: deleted
+	});
 }
 
 //#endregion

package/dist/server/mutations/oauth.js

@@ -43,6 +43,30 @@ function normalizeAccountExtend(provider, providerAccountId, accountExtend) {
 		}
 	};
 }
+async function jitProvisionMembership(ctx, config, connectionPolicy, connection, userId, profile) {
+	if (connectionPolicy?.provisioning.jit.mode !== "createUserAndMembership") return;
+	const groupId = connection?.groupId;
+	if (!groupId) return;
+	const provisionedRoleIds = resolveProvisionedRoleIds({
+		policy: connectionPolicy,
+		groups: Array.isArray(profile.groups) ? profile.groups : void 0,
+		roles: Array.isArray(profile.roles) ? profile.roles : void 0
+	});
+	const existingMembership = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
+		userId,
+		groupId
+	});
+	if (existingMembership === null) await ctx.runMutation(config.component.public.memberAdd, {
+		groupId,
+		userId,
+		roleIds: provisionedRoleIds,
+		status: "active"
+	});
+	else if (provisionedRoleIds.length > 0) await ctx.runMutation(config.component.public.memberUpdate, {
+		memberId: existingMembership._id,
+		data: { roleIds: provisionedRoleIds }
+	});
+}
 async function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 	log("DEBUG", "userOAuthImpl args:", args);
 	const { profile, provider, providerAccountId, signature, accountExtend } = args;
@@ -92,36 +116,10 @@ async function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 		provisioningUser: connectionPolicy.provisioning.user,
 		source: "login"
 	} : existingScimIdentity?.userId ? { existingUserId: existingScimIdentity.userId } : void 0);
-	if (connectionId !== null && connectionPolicy?.provisioning.jit.mode === "createUserAndMembership") {
-		const userId = (await db.accounts.getById(accountId))?.userId;
-		if (userId) {
-			const groupId = connection?.groupId;
-			if (groupId) {
-				const provisionedRoleIds = resolveProvisionedRoleIds({
-					policy: connectionPolicy,
-					groups: Array.isArray(typedProfile.groups) ? typedProfile.groups : void 0,
-					roles: Array.isArray(typedProfile.roles) ? typedProfile.roles : void 0
-				});
-				const existingMembership = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
-					userId,
-					groupId
-				});
-				if (existingMembership === null) await ctx.runMutation(config.component.public.memberAdd, {
-					groupId,
-					userId,
-					roleIds: provisionedRoleIds,
-					status: "active"
-				});
-				else if (provisionedRoleIds.length > 0) await ctx.runMutation(config.component.public.memberUpdate, {
-					memberId: existingMembership._id,
-					data: { roleIds: provisionedRoleIds }
-				});
-			}
-		}
-	}
 	if (connectionId !== null) {
 		const userId = (await db.accounts.getById(accountId))?.userId;
 		if (userId) {
+			await jitProvisionMembership(ctx, config, connectionPolicy, connection, userId, typedProfile);
 			if (config.sso?.hooks?.afterProvision) await config.sso.hooks.afterProvision({
 				protocol: connectionProtocol ?? "oidc",
 				connectionId,

package/dist/server/mutations/signin.js

@@ -33,6 +33,12 @@ async function signInImpl(ctx, args, config) {
 				sessionId: issuance.sessionId
 			})
 		});
+		await config.callbacks?.after?.(ctx, {
+			kind: "signedIn",
+			userId: issuance.userId,
+			sessionId: issuance.sessionId,
+			provider: "session"
+		});
 		return issuance;
 	});
 }

package/dist/server/mutations/signout.js

@@ -26,6 +26,11 @@ async function signOutImpl(ctx, config) {
 				sessionId: session._id
 			})
 		});
+		await config.callbacks?.after?.(ctx, {
+			kind: "signedOut",
+			userId: session.userId,
+			sessionId: session._id
+		});
 		return {
 			userId: session.userId,
 			sessionId: session._id

package/dist/server/mutations/store.js

@@ -2,7 +2,7 @@ import { LOG_LEVELS } from "../../shared/log.js";
 import { log } from "../log.js";
 import { modifyAccountArgs, modifyAccountImpl } from "./account.js";
 import { createVerificationCodeArgs, createVerificationCodeImpl } from "./code.js";
-import { credentialsSignInArgs, credentialsSignInImpl } from "./credentialsSignIn.js";
+import { credentialsSignInArgs, credentialsSignInImpl } from "./credentials/signin.js";
 import { invalidateSessionsArgs, invalidateSessionsImpl } from "./invalidate.js";
 import { userOAuthArgs, userOAuthImpl } from "./oauth.js";
 import { refreshSessionArgs } from "./refresh.js";

package/dist/server/oauth/factory.js

@@ -13,19 +13,27 @@ function normalizeTokens(tokens) {
 	};
 }
 function createArcticOAuthClient(provider, options) {
-	const pkce = options?.pkce ?? (provider.createAuthorizationURL.length >= 3 ? "required" : "never");
+	const getProvider = () => typeof provider === "function" ? provider() : provider;
+	const pkce = options?.pkce ?? (getProvider().createAuthorizationURL.length >= 3 ? "required" : "never");
 	return {
 		pkce,
 		createAuthorizationURL({ state, codeVerifier, scopes, nonce }) {
-			const url = pkce === "required" ? provider.createAuthorizationURL(state, codeVerifier, scopes) : provider.createAuthorizationURL(state, scopes);
+			const provider$1 = getProvider();
+			const url = pkce !== "never" ? provider$1.createAuthorizationURL(state, codeVerifier, scopes) : provider$1.createAuthorizationURL(state, scopes);
 			if (nonce !== void 0) url.searchParams.set("nonce", nonce);
 			return url;
 		},
 		async validateAuthorizationCode({ code, codeVerifier }) {
-			return normalizeTokens(pkce === "required" ? await provider.validateAuthorizationCode(code, codeVerifier) : await provider.validateAuthorizationCode(code));
+			const provider$1 = getProvider();
+			return normalizeTokens(pkce !== "never" ? await provider$1.validateAuthorizationCode(code, codeVerifier) : await provider$1.validateAuthorizationCode(code));
 		}
 	};
 }
+/**
+* Materialize a validated OAuth provider definition for internal auth runtime use.
+*
+* @internal
+*/
 function createOAuthProvider(config) {
 	if (!config.provider || typeof config.provider.createAuthorizationURL !== "function" || typeof config.provider.validateAuthorizationCode !== "function") throw new Error(`OAuth provider "${config.id}" must expose createAuthorizationURL() and validateAuthorizationCode().`);
 	return {