@robelest/convex-auth 0.0.4-preview.31 → 0.0.4-preview.32

package/dist/component/convex.config.d.ts

@@ -1,7 +1,7 @@
-import * as convex_server4 from "convex/server";
+import * as convex_server0 from "convex/server";
 
 //#region src/component/convex.config.d.ts
-declare const component: convex_server4.ComponentDefinition<any>;
+declare const component: convex_server0.ComponentDefinition<any>;
 //#endregion
 export { component as default };
 //# sourceMappingURL=convex.config.d.ts.map

package/dist/component/model.d.ts

@@ -13,8 +13,8 @@ declare const vApiKeyDoc: convex_values440.VObject<{
     lastAttemptTime: number;
   } | undefined;
   metadata?: any;
-  _creationTime: number;
   name: string;
+  _creationTime: number;
   revoked: boolean;
   userId: convex_values440.GenericId<"User">;
   prefix: string;
@@ -61,7 +61,7 @@ declare const vApiKeyDoc: convex_values440.VObject<{
   metadata: convex_values440.VAny<any, "optional", string>;
   _id: convex_values440.VId<convex_values440.GenericId<"ApiKey">, "required">;
   _creationTime: convex_values440.VFloat64<number, "required">;
-}, "required", "_creationTime" | "name" | "revoked" | "lastUsedAt" | "expiresAt" | "userId" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "createdAt" | "metadata" | "_id" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime" | `metadata.${string}`>;
+}, "required", "name" | "_creationTime" | "revoked" | "lastUsedAt" | "expiresAt" | "userId" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "createdAt" | "metadata" | "_id" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime" | `metadata.${string}`>;
 //#endregion
 export { vApiKeyDoc };
 //# sourceMappingURL=model.d.ts.map

package/dist/component/schema.d.ts

@@ -17,9 +17,9 @@ declare const _default: convex_server80.SchemaDefinition<{
   User: convex_server80.TableDefinition<convex_values50.VObject<{
     name?: string | undefined;
     email?: string | undefined;
+    image?: string | undefined;
     phone?: string | undefined;
     extend?: any;
-    image?: string | undefined;
     emailVerificationTime?: number | undefined;
     phoneVerificationTime?: number | undefined;
     isAnonymous?: boolean | undefined;
@@ -34,7 +34,7 @@ declare const _default: convex_server80.SchemaDefinition<{
     isAnonymous: convex_values50.VBoolean<boolean | undefined, "optional">;
     hasTotp: convex_values50.VBoolean<boolean | undefined, "optional">;
     extend: convex_values50.VAny<any, "optional", string>;
-  }, "required", "name" | "email" | "phone" | "extend" | "image" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | "hasTotp" | `extend.${string}`>, {
+  }, "required", "name" | "email" | "image" | "phone" | "extend" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | "hasTotp" | `extend.${string}`>, {
     email: ["email", "_creationTime"];
     email_verified: ["email", "emailVerificationTime", "_creationTime"];
     phone: ["phone", "_creationTime"];
@@ -60,9 +60,9 @@ declare const _default: convex_server80.SchemaDefinition<{
    * A user can have multiple accounts linked.
    */
   Account: convex_server80.TableDefinition<convex_values50.VObject<{
+    emailVerified?: string | undefined;
     extend?: any;
     secret?: string | undefined;
-    emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
     userId: convex_values50.GenericId<"User">;
     provider: string;
@@ -75,7 +75,7 @@ declare const _default: convex_server80.SchemaDefinition<{
     emailVerified: convex_values50.VString<string | undefined, "optional">;
     phoneVerified: convex_values50.VString<string | undefined, "optional">;
     extend: convex_values50.VAny<any, "optional", string>;
-  }, "required", "userId" | "extend" | `extend.${string}` | "provider" | "providerAccountId" | "secret" | "emailVerified" | "phoneVerified">, {
+  }, "required", "emailVerified" | "userId" | "extend" | `extend.${string}` | "provider" | "providerAccountId" | "secret" | "phoneVerified">, {
     user_id_provider: ["userId", "provider", "_creationTime"];
     provider_account_id: ["provider", "providerAccountId", "_creationTime"];
   }, {}, {}>;
@@ -121,7 +121,7 @@ declare const _default: convex_server80.SchemaDefinition<{
     verifier: convex_values50.VString<string | undefined, "optional">;
     emailVerified: convex_values50.VString<string | undefined, "optional">;
     phoneVerified: convex_values50.VString<string | undefined, "optional">;
-  }, "required", "expirationTime" | "provider" | "emailVerified" | "phoneVerified" | "accountId" | "code" | "verifier">, {
+  }, "required", "emailVerified" | "expirationTime" | "provider" | "phoneVerified" | "accountId" | "code" | "verifier">, {
     account_id: ["accountId", "_creationTime"];
     code: ["code", "_creationTime"];
   }, {}, {}>;

package/dist/server/http.js

@@ -262,26 +262,37 @@ function addOpenIdRoutes(http, deps) {
 		})
 	});
 }
-/**
-* Register `/.well-known/webauthn` on the Convex backend.
-*
-* Useful when the WebAuthn RP ID matches the `CONVEX_SITE_URL` host. Apps
-* whose RP ID is the frontend domain should host this endpoint themselves
-* (see {@link generateWebAuthnConfig} from `@robelest/convex-auth/server`).
-*
-* Returns 404 when no alternative origins are configured (no
-* `WEBAUTHN_ALT_ORIGINS` and no `SECONDARY_URL`).
-*/
-function addWebAuthnRoute(http, deps) {
-	const routeBase = deps.routeBase ?? "";
-	http.route({
-		path: `${routeBase}/.well-known/webauthn`,
+/** Register root `/.well-known/*` app discovery routes on an HTTP router. */
+function addWellKnownRoutes(http, deps) {
+	for (const route of [
+		{
+			endpoint: "apple-app-site-association",
+			path: "/.well-known/apple-app-site-association"
+		},
+		{
+			endpoint: "assetlinks.json",
+			path: "/.well-known/assetlinks.json"
+		},
+		{
+			endpoint: "webauthn",
+			path: "/.well-known/webauthn"
+		},
+		{
+			endpoint: "change-password",
+			path: "/.well-known/change-password"
+		},
+		{
+			endpoint: "security.txt",
+			path: "/.well-known/security.txt"
+		}
+	]) http.route({
+		path: route.path,
 		method: "GET",
 		handler: httpActionGeneric(async () => {
-			const result = deps.getResponse();
+			const result = deps.getResponse(route.endpoint);
 			if (result === null) return new Response(null, { status: 404 });
 			return new Response(result.body, {
-				status: 200,
+				status: result.status,
 				headers: result.headers
 			});
 		})
@@ -392,5 +403,5 @@ function addSSORoutes(http, deps) {
 }
 
 //#endregion
-export { addAuthRoutes, addOpenIdRoutes, addSSORoutes, addWebAuthnRoute, convertErrorsToResponse, createHttpAction, createHttpContext, createHttpRoute, getCookies };
+export { addAuthRoutes, addOpenIdRoutes, addSSORoutes, addWellKnownRoutes, convertErrorsToResponse, createHttpAction, createHttpContext, createHttpRoute, getCookies };
 //# sourceMappingURL=http.js.map

package/dist/server/index.d.ts

@@ -1,9 +1,9 @@
 import { AfterCtx, AuthCallbackContext, AuthCallbackProfile, AuthCallbacks, AuthEvent, BeforeCtx, BeforeEvent, BeforeResult } from "./types.js";
 import { AuthConfig, AuthContext, AuthContextConfig, InferAuth, OptionalAuthContext, UserDoc } from "./facade.js";
+import { WellKnownEndpoint, WellKnownOptions, WellKnownResponse, wellKnown } from "./wellknown.js";
 import { HttpAuthContext, HttpAuthContextConfig, OptionalHttpAuthContext } from "./http.js";
 import { AuthApi, AuthApiBase, ConvexAuthResult, InferClientApi, createAuth } from "./auth.js";
 import "./identity/convex.js";
 import { CreateAuthGroupSsoOptions, GroupSsoAccessHandler, GroupSsoAccessInput, GroupSsoAccessPermissions, GroupSsoPermission, GroupSsoResolvedAccessHandler, createAuthGroupSso, scim, sso } from "./mounts.js";
 import { AuthCookie, AuthCookieConfig, AuthCookies, RefreshResult, ServerOptions, authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./prefetch.js";
-import { WellKnownResponse, generateAppleAppSiteAssociation, generateAssetLinks, generateChangePasswordRedirect, generateSecurityTxt, generateWebAuthnConfig } from "./wellknown.js";
-export { type AfterCtx, type AuthApi, type AuthApiBase, type AuthCallbackContext, type AuthCallbackProfile, type AuthCallbacks, type AuthConfig, type AuthContext, type AuthContextConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, type AuthEvent, type BeforeCtx, type BeforeEvent, type BeforeResult, type ConvexAuthResult, type CreateAuthGroupSsoOptions, type GroupSsoAccessHandler, type GroupSsoAccessInput, type GroupSsoAccessPermissions, type GroupSsoPermission, type GroupSsoResolvedAccessHandler, type HttpAuthContext, type HttpAuthContextConfig, type InferAuth, type InferClientApi, type OptionalAuthContext, type OptionalHttpAuthContext, type RefreshResult, type ServerOptions, type UserDoc, type WellKnownResponse, authCookieNames, createAuth, createAuthGroupSso, generateAppleAppSiteAssociation, generateAssetLinks, generateChangePasswordRedirect, generateSecurityTxt, generateWebAuthnConfig, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
+export { type AfterCtx, type AuthApi, type AuthApiBase, type AuthCallbackContext, type AuthCallbackProfile, type AuthCallbacks, type AuthConfig, type AuthContext, type AuthContextConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, type AuthEvent, type BeforeCtx, type BeforeEvent, type BeforeResult, type ConvexAuthResult, type CreateAuthGroupSsoOptions, type GroupSsoAccessHandler, type GroupSsoAccessInput, type GroupSsoAccessPermissions, type GroupSsoPermission, type GroupSsoResolvedAccessHandler, type HttpAuthContext, type HttpAuthContextConfig, type InferAuth, type InferClientApi, type OptionalAuthContext, type OptionalHttpAuthContext, type RefreshResult, type ServerOptions, type UserDoc, type WellKnownEndpoint, type WellKnownOptions, type WellKnownResponse, authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, wellKnown };

package/dist/server/index.js

@@ -1,7 +1,7 @@
 import "./identity/convex.js";
-import { generateAppleAppSiteAssociation, generateAssetLinks, generateChangePasswordRedirect, generateSecurityTxt, generateWebAuthnConfig } from "./wellknown.js";
+import { wellKnown } from "./wellknown.js";
 import { createAuth } from "./auth.js";
 import { createAuthGroupSso, scim, sso } from "./mounts.js";
 import { authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./prefetch.js";
 
-export { authCookieNames, createAuth, createAuthGroupSso, generateAppleAppSiteAssociation, generateAssetLinks, generateChangePasswordRedirect, generateSecurityTxt, generateWebAuthnConfig, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
+export { authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, wellKnown };

package/dist/server/mounts.d.ts

@@ -443,8 +443,8 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
           mapping?: {
             name?: string | undefined;
             email?: string | undefined;
-            image?: string | undefined;
             emailVerified?: string | undefined;
+            image?: string | undefined;
             groups?: string | undefined;
             roles?: string | undefined;
             subject?: string | undefined;
@@ -772,7 +772,6 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
 declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TRequirement = unknown>(auth: Pick<AuthApi<TAuthorization>, "context" | "group">, options?: CreateAuthGroupSsoOptions<TRequirement>): {
   admin: {
     configure: convex_server6.RegisteredMutation<"public", {
-      status?: "draft" | "active" | "disabled" | undefined;
       profile?: {
         mapping?: {
           name?: string | undefined;
@@ -788,6 +787,7 @@ declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined
         } | undefined;
         extraFields?: Record<string, string> | undefined;
       } | undefined;
+      status?: "draft" | "active" | "disabled" | undefined;
       security?: {
         maxRequestSize?: number | undefined;
       } | undefined;
@@ -1163,8 +1163,8 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
       mapping?: {
         name?: string | undefined;
         email?: string | undefined;
-        image?: string | undefined;
         emailVerified?: string | undefined;
+        image?: string | undefined;
         groups?: string | undefined;
         roles?: string | undefined;
         subject?: string | undefined;
@@ -1421,7 +1421,6 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
     endpointId: string;
   }>>;
   configureScim: convex_server6.RegisteredMutation<"public", {
-    status?: "draft" | "active" | "disabled" | undefined;
     profile?: {
       mapping?: {
         name?: string | undefined;
@@ -1437,6 +1436,7 @@ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConf
       } | undefined;
       extraFields?: Record<string, string> | undefined;
     } | undefined;
+    status?: "draft" | "active" | "disabled" | undefined;
     security?: {
       maxRequestSize?: number | undefined;
     } | undefined;

package/dist/server/runtime.d.ts

@@ -201,7 +201,13 @@ declare function Auth(config_: ConvexAuthConfig): {
       ancestors: (ctx: ComponentReadCtx, opts: {
         groupId: string;
         maxDepth?: number;
-        includeSelf?: boolean;
+        includeSelf /**
+                     * Action called by the client to invalidate the current session.
+                     */?
+        /**
+        * Action called by the client to invalidate the current session.
+        */
+        : boolean;
       }) => Promise<{
         ancestors: Array<Exclude<Doc<"Group"> | null, null>>;
         cycleDetected: boolean;
@@ -413,10 +419,13 @@ declare function Auth(config_: ConvexAuthConfig): {
        *
        * The following routes are handled always:
        *
-       * - `/.well-known/openid-configuration`
-       * - `/.well-known/jwks.json`
-       * - `/.well-known/webauthn` (returns 404 unless `WEBAUTHN_ALT_ORIGINS` or
-       *   `SECONDARY_URL` is set)
+       * - `/.well-known/apple-app-site-association`
+       * - `/.well-known/assetlinks.json`
+       * - `/.well-known/webauthn`
+       * - `/.well-known/change-password`
+       * - `/.well-known/security.txt`
+       * - `<prefix>/.well-known/openid-configuration`
+       * - `<prefix>/.well-known/jwks.json`
        *
        * The following routes are handled if OAuth is configured:
        *
@@ -620,11 +629,11 @@ declare function Auth(config_: ConvexAuthConfig): {
           sessionIndex?: string | undefined;
         } | undefined;
       } | undefined;
+      profile: Record<string, string | number | boolean | (string | number | boolean | null)[] | Record<string, string | number | boolean | (string | number | boolean | null)[] | null> | null>;
       type: "userOAuth";
       provider: string;
       providerAccountId: string;
       signature: string;
-      profile: Record<string, string | number | boolean | (string | number | boolean | null)[] | Record<string, string | number | boolean | (string | number | boolean | null)[] | null> | null>;
     } | {
       email?: string | undefined;
       phone?: string | undefined;
@@ -637,9 +646,9 @@ declare function Auth(config_: ConvexAuthConfig): {
     } | {
       shouldLinkViaEmail?: boolean | undefined;
       shouldLinkViaPhone?: boolean | undefined;
+      profile: Record<string, string | number | boolean | (string | number | boolean | null)[] | Record<string, string | number | boolean | (string | number | boolean | null)[] | null> | null>;
       type: "createAccountFromCredentials";
       provider: string;
-      profile: Record<string, string | number | boolean | (string | number | boolean | null)[] | Record<string, string | number | boolean | (string | number | boolean | null)[] | null> | null>;
       account: {
         secret?: string | undefined;
         id: string;

package/dist/server/runtime.js

@@ -16,8 +16,8 @@ import { storeArgs, storeImpl } from "./mutations/store.js";
 import { siteUrlsFromEnv } from "./url.js";
 import { decodeOAuthState, encodeOAuthState } from "./cookies.js";
 import { FlowSignal } from "./errors.js";
-import { addAuthRoutes, addOpenIdRoutes, addWebAuthnRoute, convertErrorsToResponse, createHttpAction, createHttpContext, createHttpRoute, getCookies } from "./http.js";
-import { generateWebAuthnConfig } from "./wellknown.js";
+import { addAuthRoutes, addOpenIdRoutes, addWellKnownRoutes, convertErrorsToResponse, createHttpAction, createHttpContext, createHttpRoute, getCookies } from "./http.js";
+import { wellKnown } from "./wellknown.js";
 import { createOAuthAuthorizationURL, handleOAuthCallback } from "./oauth/runtime.js";
 import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
 import { encryptSecret } from "./secret.js";
@@ -174,13 +174,7 @@ function Auth(config_) {
 			getIssuer: () => authSiteUrl,
 			getJwks: () => requireEnv("JWKS")
 		});
-		addWebAuthnRoute(protocolHttp, { getResponse: () => {
-			const r = generateWebAuthnConfig();
-			return r === null ? null : {
-				body: r.body,
-				headers: r.headers
-			};
-		} });
+		addWellKnownRoutes(protocolHttp, { getResponse: (endpoint) => wellKnown(endpoint) });
 		addGroupHttpRuntime({
 			http: protocolHttp,
 			hasSSO,
@@ -287,16 +281,7 @@ function Auth(config_) {
 				getIssuer: authSiteUrl,
 				getJwks: () => requireEnv("JWKS")
 			});
-			addWebAuthnRoute(http$1, {
-				routeBase: routePrefix,
-				getResponse: () => {
-					const r = generateWebAuthnConfig();
-					return r === null ? null : {
-						body: r.body,
-						headers: r.headers
-					};
-				}
-			});
+			addWellKnownRoutes(http$1, { getResponse: (endpoint) => wellKnown(endpoint) });
 			addGroupHttpRuntime({
 				http: http$1,
 				hasSSO,

package/dist/server/wellknown.d.ts

@@ -1,130 +1,75 @@
 //#region src/server/wellknown.d.ts
 /**
- * Content generators for cross-platform `.well-known` endpoints.
+ * Content generator for cross-platform `.well-known` endpoints.
  *
- * These helpers produce the exact response shape expected by Apple, Google,
- * browsers, and password managers. Each helper reads convention env vars but
- * accepts explicit overrides; if neither is set, it returns `null` so the
- * caller can serve a 404.
+ * The helper produces the exact response shape expected by Apple, Google,
+ * browsers, and password managers. It reads convention env vars but accepts
+ * explicit overrides; if an endpoint is not configured, it returns `null` so
+ * the caller can serve a 404.
  *
- * The library serves `/.well-known/openid-configuration` and `/.well-known/jwks.json`
- * from the Convex backend (`CONVEX_SITE_URL`). The endpoints in this module
- * must be served from the WebAuthn RP ID host (typically `SITE_URL` — the
- * frontend domain), so they're shipped as framework-agnostic generators that
- * apps wire into their own route handlers (SvelteKit `+server.ts`, Next.js
- * route handlers, Cloudflare Workers, Express, etc.). One exception:
- * `generateWebAuthnConfig` can also be served from Convex via
- * {@link addWebAuthnRoute} when RP ID equals `CONVEX_SITE_URL` host.
+ * These endpoints must be reachable from the public app/RP ID origin at root
+ * `/.well-known/*`. `auth.http()` serves them from Convex; apps using a
+ * separate frontend domain should route those root paths to Convex or adapt
+ * this helper in their framework route handlers.
  *
  * @module
  */
-/** Uniform shape returned by every generator. Adapt to any framework. */
+/** Uniform shape returned by the well-known helper. Adapt to any framework. */
 type WellKnownResponse = {
   status: number;
   headers: Record<string, string>;
   body: string;
 };
+type WellKnownEndpoint = "apple-app-site-association" | "assetlinks.json" | "webauthn" | "security.txt" | "change-password";
+type WellKnownOptions = {
+  /** Options for `/.well-known/apple-app-site-association`. */appleAppSiteAssociation?: {
+    /** Override `IOS_APP_IDS`; e.g., `["ABC123DEF.com.example.app"]`. */appIds?: string[]; /** Override `IOS_APPLINK_PATHS`; default `["/auth/*", "/callback/*"]`. */
+    applinkPaths?: string[];
+  }; /** Options for `/.well-known/assetlinks.json`. */
+  assetLinks?: {
+    apps?: Array<{
+      packageName: string;
+      sha256Fingerprints: string[];
+    }>;
+  }; /** Options for `/.well-known/webauthn`. */
+  webAuthn?: {
+    /** Override `WEBAUTHN_ALT_ORIGINS`. */origins?: string[];
+  }; /** Options for `/.well-known/security.txt`. */
+  securityTxt?: {
+    /** Override `SECURITY_CONTACT`. Should be a `mailto:` or `https:` URI. */contact?: string; /** Override `SECURITY_TXT_EXPIRES_DAYS`. Default 365 days from now. */
+    expiresInDays?: number; /** RFC 5646 language tags, e.g., `["en"]`. */
+    preferredLanguages?: string[]; /** Optional canonical URL of the security.txt file (for signed copies). */
+    canonical?: string; /** Optional public key URL for encrypted reports. */
+    encryption?: string; /** Optional acknowledgments URL. */
+    acknowledgments?: string; /** Optional policy URL. */
+    policy?: string; /** Optional hiring URL. */
+    hiring?: string;
+  }; /** Options for `/.well-known/change-password`. */
+  changePassword?: {
+    /** Override `CHANGE_PASSWORD_URL`. */targetUrl?: string;
+  };
+};
 /**
- * Generate `/.well-known/apple-app-site-association` (AASA) content.
- *
- * Required for native iOS passkeys (`webcredentials`), Universal Links
- * (`applinks`), and Sign in with Apple. Apple's CDN fetches this file from
- * the WebAuthn RP ID host on app install/update; the file MUST be served as
- * `application/json` at the exact path with no `.json` extension and no
- * redirects.
+ * Generate a standard `/.well-known/*` response.
  *
- * Reads {@link IOS_APP_IDS} (comma-separated `TEAMID.bundle.id` entries) and
- * {@link IOS_APPLINK_PATHS} (comma-separated path patterns, default `/auth/*,/callback/*`).
+ * @param endpoint The well-known endpoint name, without the `/.well-known/` prefix.
+ * @param options Optional explicit configuration. When omitted, the helper reads
+ * convention environment variables for the selected endpoint.
+ * @returns A framework-neutral response descriptor, or `null` when the endpoint
+ * is not configured.
  *
- * @example Hosting in SvelteKit
+ * @example
  * ```ts
- * // src/routes/.well-known/apple-app-site-association/+server.ts
- * import { generateAppleAppSiteAssociation } from "@robelest/convex-auth/server";
+ * import { wellKnown } from "@robelest/convex-auth/server";
+ *
  * export const GET = () => {
- *   const r = generateAppleAppSiteAssociation();
- *   if (!r) return new Response(null, { status: 404 });
+ *   const r = wellKnown("assetlinks.json");
+ *   if (r === null) return new Response(null, { status: 404 });
  *   return new Response(r.body, { status: r.status, headers: r.headers });
  * };
  * ```
  */
-declare function generateAppleAppSiteAssociation(opts?: {
-  /** Override `IOS_APP_IDS`; e.g., `["ABC123DEF.com.example.app"]`. */appIds?: string[]; /** Override `IOS_APPLINK_PATHS`; default `["/auth/*", "/callback/*"]`. */
-  applinkPaths?: string[];
-}): WellKnownResponse | null;
-/**
- * Generate `/.well-known/assetlinks.json` content for Android.
- *
- * Required for Android Credential Manager to surface passkeys for the app,
- * and for App Link verification (`autoVerify="true"` intent filters). Google
- * fetches this file from the WebAuthn RP ID host.
- *
- * Reads {@link ANDROID_APP_LINKS} in the format
- * `package1:FP1:FP2;package2:FP1:FP2` where each fingerprint is a colon-
- * separated SHA-256 hex string. Use `;` between apps and `:` to separate
- * package name from fingerprints (and fingerprints share the standard
- * `AA:BB:CC:...` colon format — split on `:`, the first segment is the
- * package, the rest is the fingerprint reassembled).
- *
- * For programmatic config, prefer the `apps` option which avoids parsing.
- *
- * @example Direct config
- * ```ts
- * generateAssetLinks({
- *   apps: [{
- *     packageName: "com.example.app",
- *     sha256Fingerprints: ["AA:BB:CC:..."],
- *   }],
- * });
- * ```
- */
-declare function generateAssetLinks(opts?: {
-  apps?: Array<{
-    packageName: string;
-    sha256Fingerprints: string[];
-  }>;
-}): WellKnownResponse | null;
-/**
- * Generate `/.well-known/webauthn` content (W3C WebAuthn Level 3).
- *
- * Declares alternative origins permitted to use this RP ID. Lets a passkey
- * registered at `app.example.com` work on `staging.example.com`, browser
- * extensions, or wrapped native webviews.
- *
- * Reads {@link WEBAUTHN_ALT_ORIGINS}; falls back to `SECONDARY_URL` parsed
- * from the existing site URL convention.
- */
-declare function generateWebAuthnConfig(opts?: {
-  /** Override `WEBAUTHN_ALT_ORIGINS`. */origins?: string[];
-}): WellKnownResponse | null;
-/**
- * Generate `/.well-known/security.txt` content (RFC 9116).
- *
- * Plain-text contact info for security researchers. Reads {@link SECURITY_CONTACT}
- * (e.g., `mailto:security@example.com` or `https://example.com/security`) and
- * optional {@link SECURITY_TXT_EXPIRES_DAYS} (default 365).
- */
-declare function generateSecurityTxt(opts?: {
-  /** Override `SECURITY_CONTACT`. Should be a `mailto:` or `https:` URI. */contact?: string; /** Override `SECURITY_TXT_EXPIRES_DAYS`. Default 365 days from now. */
-  expiresInDays?: number; /** RFC 5646 language tags, e.g., `["en"]`. */
-  preferredLanguages?: string[]; /** Optional canonical URL of the security.txt file (for signed copies). */
-  canonical?: string; /** Optional public key URL for encrypted reports. */
-  encryption?: string; /** Optional acknowledgments URL. */
-  acknowledgments?: string; /** Optional policy URL. */
-  policy?: string; /** Optional hiring URL. */
-  hiring?: string;
-}): WellKnownResponse | null;
-/**
- * Generate a 302 redirect for `/.well-known/change-password` (RFC 8615).
- *
- * Password managers (1Password, iCloud Keychain, Bitwarden, Chrome) deep-link
- * here when the user picks "Change password". The route should redirect to
- * the actual change-password UI in your app.
- *
- * Reads {@link CHANGE_PASSWORD_URL}.
- */
-declare function generateChangePasswordRedirect(opts?: {
-  /** Override `CHANGE_PASSWORD_URL`. */targetUrl?: string;
-}): WellKnownResponse | null;
+declare function wellKnown(endpoint: WellKnownEndpoint, options?: WellKnownOptions): WellKnownResponse | null;
 //#endregion
-export { WellKnownResponse, generateAppleAppSiteAssociation, generateAssetLinks, generateChangePasswordRedirect, generateSecurityTxt, generateWebAuthnConfig };
+export { WellKnownEndpoint, WellKnownOptions, WellKnownResponse, wellKnown };
 //# sourceMappingURL=wellknown.d.ts.map

package/dist/server/wellknown.js

@@ -3,21 +3,17 @@ import { normalizeUrl } from "./url.js";
 
 //#region src/server/wellknown.ts
 /**
-* Content generators for cross-platform `.well-known` endpoints.
+* Content generator for cross-platform `.well-known` endpoints.
 *
-* These helpers produce the exact response shape expected by Apple, Google,
-* browsers, and password managers. Each helper reads convention env vars but
-* accepts explicit overrides; if neither is set, it returns `null` so the
-* caller can serve a 404.
+* The helper produces the exact response shape expected by Apple, Google,
+* browsers, and password managers. It reads convention env vars but accepts
+* explicit overrides; if an endpoint is not configured, it returns `null` so
+* the caller can serve a 404.
 *
-* The library serves `/.well-known/openid-configuration` and `/.well-known/jwks.json`
-* from the Convex backend (`CONVEX_SITE_URL`). The endpoints in this module
-* must be served from the WebAuthn RP ID host (typically `SITE_URL` — the
-* frontend domain), so they're shipped as framework-agnostic generators that
-* apps wire into their own route handlers (SvelteKit `+server.ts`, Next.js
-* route handlers, Cloudflare Workers, Express, etc.). One exception:
-* `generateWebAuthnConfig` can also be served from Convex via
-* {@link addWebAuthnRoute} when RP ID equals `CONVEX_SITE_URL` host.
+* These endpoints must be reachable from the public app/RP ID origin at root
+* `/.well-known/*`. `auth.http()` serves them from Convex; apps using a
+* separate frontend domain should route those root paths to Convex or adapt
+* this helper in their framework route handlers.
 *
 * @module
 */
@@ -36,30 +32,7 @@ function ok(body, contentType) {
 		body
 	};
 }
-/**
-* Generate `/.well-known/apple-app-site-association` (AASA) content.
-*
-* Required for native iOS passkeys (`webcredentials`), Universal Links
-* (`applinks`), and Sign in with Apple. Apple's CDN fetches this file from
-* the WebAuthn RP ID host on app install/update; the file MUST be served as
-* `application/json` at the exact path with no `.json` extension and no
-* redirects.
-*
-* Reads {@link IOS_APP_IDS} (comma-separated `TEAMID.bundle.id` entries) and
-* {@link IOS_APPLINK_PATHS} (comma-separated path patterns, default `/auth/*,/callback/*`).
-*
-* @example Hosting in SvelteKit
-* ```ts
-* // src/routes/.well-known/apple-app-site-association/+server.ts
-* import { generateAppleAppSiteAssociation } from "@robelest/convex-auth/server";
-* export const GET = () => {
-*   const r = generateAppleAppSiteAssociation();
-*   if (!r) return new Response(null, { status: 404 });
-*   return new Response(r.body, { status: r.status, headers: r.headers });
-* };
-* ```
-*/
-function generateAppleAppSiteAssociation(opts) {
+function appleAppSiteAssociationResponse(opts) {
 	const appIds = opts?.appIds ?? parseList(envOptionalString("IOS_APP_IDS"));
 	if (appIds.length === 0) return null;
 	const applinkPaths = opts?.applinkPaths ?? parseList(envOptionalString("IOS_APPLINK_PATHS"));
@@ -90,15 +63,15 @@ function generateAppleAppSiteAssociation(opts) {
 *
 * @example Direct config
 * ```ts
-* generateAssetLinks({
+* wellKnown("assetlinks.json", { assetLinks: {
 *   apps: [{
 *     packageName: "com.example.app",
 *     sha256Fingerprints: ["AA:BB:CC:..."],
 *   }],
-* });
+* }});
 * ```
 */
-function generateAssetLinks(opts) {
+function assetLinksResponse(opts) {
 	const apps = opts?.apps ?? parseAndroidAppLinksEnv(envOptionalString("ANDROID_APP_LINKS"));
 	if (apps.length === 0) return null;
 	return ok(JSON.stringify(apps.map((app) => ({
@@ -138,7 +111,7 @@ function parseAndroidAppLinksEnv(raw) {
 * Reads {@link WEBAUTHN_ALT_ORIGINS}; falls back to `SECONDARY_URL` parsed
 * from the existing site URL convention.
 */
-function generateWebAuthnConfig(opts) {
+function webAuthnResponse(opts) {
 	const explicit = opts?.origins;
 	const fromEnv = parseList(envOptionalString("WEBAUTHN_ALT_ORIGINS"));
 	const fromSecondary = parseList(envOptionalString("SECONDARY_URL")).map(normalizeUrl);
@@ -153,7 +126,7 @@ function generateWebAuthnConfig(opts) {
 * (e.g., `mailto:security@example.com` or `https://example.com/security`) and
 * optional {@link SECURITY_TXT_EXPIRES_DAYS} (default 365).
 */
-function generateSecurityTxt(opts) {
+function securityTxtResponse(opts) {
 	const contact = opts?.contact ?? envOptionalString("SECURITY_CONTACT");
 	if (contact === void 0 || contact.length === 0) return null;
 	const days = opts?.expiresInDays ?? envOptionalNumber("SECURITY_TXT_EXPIRES_DAYS") ?? 365;
@@ -177,7 +150,7 @@ function generateSecurityTxt(opts) {
 *
 * Reads {@link CHANGE_PASSWORD_URL}.
 */
-function generateChangePasswordRedirect(opts) {
+function changePasswordResponse(opts) {
 	const target = opts?.targetUrl ?? envOptionalString("CHANGE_PASSWORD_URL");
 	if (target === void 0 || target.length === 0) return null;
 	return {
@@ -189,7 +162,37 @@ function generateChangePasswordRedirect(opts) {
 		body: ""
 	};
 }
+/**
+* Generate a standard `/.well-known/*` response.
+*
+* @param endpoint The well-known endpoint name, without the `/.well-known/` prefix.
+* @param options Optional explicit configuration. When omitted, the helper reads
+* convention environment variables for the selected endpoint.
+* @returns A framework-neutral response descriptor, or `null` when the endpoint
+* is not configured.
+*
+* @example
+* ```ts
+* import { wellKnown } from "@robelest/convex-auth/server";
+*
+* export const GET = () => {
+*   const r = wellKnown("assetlinks.json");
+*   if (r === null) return new Response(null, { status: 404 });
+*   return new Response(r.body, { status: r.status, headers: r.headers });
+* };
+* ```
+*/
+function wellKnown(endpoint, options) {
+	switch (endpoint) {
+		case "apple-app-site-association": return appleAppSiteAssociationResponse(options?.appleAppSiteAssociation);
+		case "assetlinks.json": return assetLinksResponse(options?.assetLinks);
+		case "webauthn": return webAuthnResponse(options?.webAuthn);
+		case "security.txt": return securityTxtResponse(options?.securityTxt);
+		case "change-password": return changePasswordResponse(options?.changePassword);
+	}
+	return endpoint;
+}
 
 //#endregion
-export { generateAppleAppSiteAssociation, generateAssetLinks, generateChangePasswordRedirect, generateSecurityTxt, generateWebAuthnConfig };
+export { wellKnown };
 //# sourceMappingURL=wellknown.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@robelest/convex-auth",
-  "version": "0.0.4-preview.31",
+  "version": "0.0.4-preview.32",
   "description": "Authentication for Convex",
   "keywords": [
     "auth",