@robelest/convex-auth 0.0.4-preview.32 → 0.0.4-preview.34

package/dist/model.js

@@ -0,0 +1,391 @@
+import { v } from "convex/values";
+
+//#region src/component/model.ts
+const TABLES = {
+	User: "User",
+	UserEmail: "UserEmail",
+	Session: "Session",
+	Account: "Account",
+	AuthVerifier: "AuthVerifier",
+	VerificationCode: "VerificationCode",
+	RefreshToken: "RefreshToken",
+	Passkey: "Passkey",
+	TotpFactor: "TotpFactor",
+	RateLimit: "RateLimit",
+	Group: "Group",
+	GroupTag: "GroupTag",
+	GroupMember: "GroupMember",
+	GroupInvite: "GroupInvite",
+	GroupConnection: "GroupConnection",
+	GroupConnectionDomain: "GroupConnectionDomain",
+	GroupConnectionDomainVerification: "GroupConnectionDomainVerification",
+	GroupConnectionSecret: "GroupConnectionSecret",
+	GroupConnectionScimConfig: "GroupConnectionScimConfig",
+	GroupConnectionScimIdentity: "GroupConnectionScimIdentity",
+	GroupAuditEvent: "GroupAuditEvent",
+	GroupWebhookEndpoint: "GroupWebhookEndpoint",
+	GroupWebhookDelivery: "GroupWebhookDelivery",
+	ApiKey: "ApiKey",
+	DeviceCode: "DeviceCode"
+};
+const vTag = v.object({
+	key: v.string(),
+	value: v.string()
+});
+const vPaginated = (item) => v.object({
+	items: v.array(item),
+	nextCursor: v.union(v.string(), v.null())
+});
+const vInviteStatus = v.union(v.literal("pending"), v.literal("accepted"), v.literal("revoked"), v.literal("expired"));
+const vDeviceStatus = v.union(v.literal("pending"), v.literal("authorized"), v.literal("denied"));
+const vGroupConnectionAccountLinkingPolicy = v.union(v.literal("verifiedEmail"), v.literal("none"), v.literal("sameConnection"));
+const vGroupConnectionScimReuseUserPolicy = v.union(v.literal("externalId"), v.literal("none"));
+const vGroupConnectionJitProvisioningMode = v.union(v.literal("off"), v.literal("createUser"), v.literal("createUserAndMembership"));
+const vGroupConnectionDeprovisionMode = v.union(v.literal("soft"), v.literal("hard"));
+const vGroupConnectionProfileUpdateMode = v.union(v.literal("never"), v.literal("missing"), v.literal("always"));
+const vGroupConnectionProvisioningAuthority = v.union(v.literal("app"), v.literal("sso"), v.literal("scim"));
+const vGroupConnectionGroupSyncMode = v.union(v.literal("ignore"), v.literal("sync"));
+const vGroupConnectionRoleSyncMode = v.union(v.literal("ignore"), v.literal("map"));
+const vGroupConnectionStatus = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
+const vGroupConnectionProtocol = v.union(v.literal("oidc"), v.literal("saml"));
+const vGroupConnectionPolicy = v.object({
+	version: v.literal(1),
+	identity: v.object({ accountLinking: v.object({
+		oidc: vGroupConnectionAccountLinkingPolicy,
+		saml: vGroupConnectionAccountLinkingPolicy
+	}) }),
+	provisioning: v.object({
+		user: v.object({
+			createOnSignIn: v.boolean(),
+			updateProfileOnLogin: vGroupConnectionProfileUpdateMode,
+			updateProfileFromScim: vGroupConnectionProfileUpdateMode,
+			authority: vGroupConnectionProvisioningAuthority
+		}),
+		scimReuse: v.object({ user: vGroupConnectionScimReuseUserPolicy }),
+		jit: v.object({
+			mode: vGroupConnectionJitProvisioningMode,
+			defaultRole: v.optional(v.string()),
+			defaultRoleIds: v.optional(v.array(v.string()))
+		}),
+		deprovision: v.object({ mode: vGroupConnectionDeprovisionMode }),
+		groups: v.object({
+			mode: vGroupConnectionGroupSyncMode,
+			source: v.literal("protocol"),
+			mapping: v.optional(v.record(v.string(), v.array(v.string())))
+		}),
+		roles: v.object({
+			mode: vGroupConnectionRoleSyncMode,
+			source: v.literal("protocol"),
+			mapping: v.optional(v.record(v.string(), v.array(v.string())))
+		})
+	}),
+	extend: v.optional(v.any())
+});
+const vScimStatus = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
+const vScimResourceType = v.union(v.literal("user"), v.literal("group"));
+const vAuditActorType = v.union(v.literal("user"), v.literal("system"), v.literal("scim"), v.literal("api_key"), v.literal("webhook"));
+const vAuditStatus = v.union(v.literal("success"), v.literal("failure"));
+const vWebhookEndpointStatus = v.union(v.literal("active"), v.literal("disabled"));
+const vWebhookDeliveryStatus = v.union(v.literal("pending"), v.literal("processing"), v.literal("delivered"), v.literal("failed"));
+const vInviteTokenAcceptStatus = v.union(v.literal("accepted"), v.literal("already_accepted"));
+const vMembershipStatus = v.union(v.literal("joined"), v.literal("already_joined"), v.literal("not_applicable"));
+const vApiKeyScope = v.object({
+	resource: v.string(),
+	actions: v.array(v.string())
+});
+const vApiKeyRateLimit = v.object({
+	maxRequests: v.number(),
+	windowMs: v.number()
+});
+const vApiKeyRateLimitState = v.object({
+	attemptsLeft: v.number(),
+	lastAttemptTime: v.number()
+});
+const vGroupConnectionSecretKind = v.union(v.literal("oidc_client_secret"));
+function vDocMeta(tableName) {
+	return {
+		_id: v.id(tableName),
+		_creationTime: v.number()
+	};
+}
+const vUserDoc = v.object({
+	...vDocMeta(TABLES.User),
+	name: v.optional(v.string()),
+	image: v.optional(v.string()),
+	email: v.optional(v.string()),
+	emailVerificationTime: v.optional(v.number()),
+	phone: v.optional(v.string()),
+	phoneVerificationTime: v.optional(v.number()),
+	isAnonymous: v.optional(v.boolean()),
+	lastActiveGroup: v.optional(v.id(TABLES.Group)),
+	extend: v.optional(v.any())
+});
+const vUserEmailSource = v.union(v.literal("password"), v.literal("oauth"), v.literal("oidc"), v.literal("saml"), v.literal("scim"));
+const vProfileEmail = v.object({
+	email: v.string(),
+	primary: v.optional(v.boolean()),
+	verified: v.optional(v.boolean())
+});
+const vUserEmailDoc = v.object({
+	...vDocMeta(TABLES.UserEmail),
+	userId: v.id(TABLES.User),
+	email: v.string(),
+	verificationTime: v.optional(v.number()),
+	isPrimary: v.boolean(),
+	source: vUserEmailSource,
+	accountId: v.optional(v.id(TABLES.Account)),
+	provider: v.optional(v.string()),
+	connectionId: v.optional(v.id(TABLES.GroupConnection))
+});
+const vSessionDoc = v.object({
+	...vDocMeta(TABLES.Session),
+	userId: v.id(TABLES.User),
+	expirationTime: v.number()
+});
+const vAccountDoc = v.object({
+	...vDocMeta(TABLES.Account),
+	userId: v.id(TABLES.User),
+	provider: v.string(),
+	providerAccountId: v.string(),
+	secret: v.optional(v.string()),
+	emailVerified: v.optional(v.string()),
+	phoneVerified: v.optional(v.string()),
+	extend: v.optional(v.any())
+});
+const vAuthVerifierDoc = v.object({
+	...vDocMeta(TABLES.AuthVerifier),
+	sessionId: v.optional(v.id(TABLES.Session)),
+	signature: v.optional(v.string()),
+	expirationTime: v.optional(v.number())
+});
+const vVerificationCodeDoc = v.object({
+	...vDocMeta(TABLES.VerificationCode),
+	accountId: v.id(TABLES.Account),
+	provider: v.string(),
+	code: v.string(),
+	expirationTime: v.number(),
+	verifier: v.optional(v.string()),
+	emailVerified: v.optional(v.string()),
+	phoneVerified: v.optional(v.string())
+});
+const vRefreshTokenDoc = v.object({
+	...vDocMeta(TABLES.RefreshToken),
+	sessionId: v.id(TABLES.Session),
+	expirationTime: v.number(),
+	firstUsedTime: v.optional(v.number()),
+	parentRefreshTokenId: v.optional(v.id(TABLES.RefreshToken))
+});
+const vPasskeyDoc = v.object({
+	...vDocMeta(TABLES.Passkey),
+	userId: v.id(TABLES.User),
+	credentialId: v.string(),
+	publicKey: v.bytes(),
+	algorithm: v.number(),
+	counter: v.number(),
+	transports: v.optional(v.array(v.string())),
+	deviceType: v.string(),
+	backedUp: v.boolean(),
+	name: v.optional(v.string()),
+	createdAt: v.number(),
+	lastUsedAt: v.optional(v.number())
+});
+const vTotpFactorDoc = v.object({
+	...vDocMeta(TABLES.TotpFactor),
+	userId: v.id(TABLES.User),
+	secret: v.bytes(),
+	digits: v.number(),
+	period: v.number(),
+	verified: v.boolean(),
+	name: v.optional(v.string()),
+	createdAt: v.number(),
+	lastUsedAt: v.optional(v.number())
+});
+const vRateLimitDoc = v.object({
+	...vDocMeta(TABLES.RateLimit),
+	identifier: v.string(),
+	last_attempt_time: v.number(),
+	attempts_left: v.number()
+});
+const vGroupDoc = v.object({
+	...vDocMeta(TABLES.Group),
+	name: v.string(),
+	slug: v.optional(v.string()),
+	type: v.optional(v.string()),
+	parentGroupId: v.optional(v.id(TABLES.Group)),
+	rootGroupId: v.optional(v.id(TABLES.Group)),
+	isRoot: v.optional(v.boolean()),
+	tags: v.optional(v.array(vTag)),
+	policy: v.optional(vGroupConnectionPolicy),
+	extend: v.optional(v.any())
+});
+const vGroupMemberDoc = v.object({
+	...vDocMeta(TABLES.GroupMember),
+	groupId: v.id(TABLES.Group),
+	userId: v.id(TABLES.User),
+	role: v.optional(v.string()),
+	roleIds: v.optional(v.array(v.string())),
+	status: v.optional(v.string()),
+	extend: v.optional(v.any())
+});
+const vGroupInviteDoc = v.object({
+	...vDocMeta(TABLES.GroupInvite),
+	groupId: v.optional(v.id(TABLES.Group)),
+	invitedByUserId: v.optional(v.id(TABLES.User)),
+	email: v.optional(v.string()),
+	tokenHash: v.string(),
+	role: v.optional(v.string()),
+	roleIds: v.optional(v.array(v.string())),
+	status: vInviteStatus,
+	expiresTime: v.optional(v.number()),
+	acceptedByUserId: v.optional(v.id(TABLES.User)),
+	acceptedTime: v.optional(v.number()),
+	extend: v.optional(v.any())
+});
+const vApiKeyDoc = v.object({
+	...vDocMeta(TABLES.ApiKey),
+	userId: v.id(TABLES.User),
+	prefix: v.string(),
+	hashedKey: v.string(),
+	name: v.string(),
+	scopes: v.array(vApiKeyScope),
+	rateLimit: v.optional(vApiKeyRateLimit),
+	rateLimitState: v.optional(vApiKeyRateLimitState),
+	expiresAt: v.optional(v.number()),
+	lastUsedAt: v.optional(v.number()),
+	createdAt: v.number(),
+	revoked: v.boolean(),
+	metadata: v.optional(v.any())
+});
+const vDeviceCodeDoc = v.object({
+	...vDocMeta(TABLES.DeviceCode),
+	deviceCodeHash: v.string(),
+	userCode: v.string(),
+	expiresAt: v.number(),
+	interval: v.number(),
+	status: vDeviceStatus,
+	userId: v.optional(v.id(TABLES.User)),
+	sessionId: v.optional(v.id(TABLES.Session)),
+	lastPolledAt: v.optional(v.number())
+});
+const vGroupConnectionDoc = v.object({
+	...vDocMeta(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	slug: v.optional(v.string()),
+	name: v.optional(v.string()),
+	protocol: vGroupConnectionProtocol,
+	status: vGroupConnectionStatus,
+	config: v.optional(v.any()),
+	extend: v.optional(v.any())
+});
+const vGroupConnectionDomainDoc = v.object({
+	...vDocMeta(TABLES.GroupConnectionDomain),
+	connectionId: v.id(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	domain: v.string(),
+	isPrimary: v.boolean(),
+	verifiedAt: v.optional(v.number())
+});
+const vGroupConnectionDomainVerificationDoc = v.object({
+	...vDocMeta(TABLES.GroupConnectionDomainVerification),
+	connectionId: v.id(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	domainId: v.id(TABLES.GroupConnectionDomain),
+	domain: v.string(),
+	recordName: v.string(),
+	token: v.string(),
+	tokenHash: v.string(),
+	requestedAt: v.number(),
+	expiresAt: v.number()
+});
+const vGroupConnectionSecretDoc = v.object({
+	...vDocMeta(TABLES.GroupConnectionSecret),
+	connectionId: v.id(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	kind: vGroupConnectionSecretKind,
+	ciphertext: v.string(),
+	updatedAt: v.number()
+});
+const vGroupConnectionScimConfigDoc = v.object({
+	...vDocMeta(TABLES.GroupConnectionScimConfig),
+	connectionId: v.id(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	status: vScimStatus,
+	basePath: v.string(),
+	tokenHash: v.string(),
+	lastRotatedAt: v.optional(v.number()),
+	extend: v.optional(v.any())
+});
+const vGroupConnectionScimIdentityDoc = v.object({
+	...vDocMeta(TABLES.GroupConnectionScimIdentity),
+	connectionId: v.id(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	resourceType: vScimResourceType,
+	externalId: v.string(),
+	userId: v.optional(v.id(TABLES.User)),
+	mappedGroupId: v.optional(v.id(TABLES.Group)),
+	lastProvisionedAt: v.optional(v.number()),
+	active: v.optional(v.boolean()),
+	raw: v.optional(v.any())
+});
+const vGroupAuditEventDoc = v.object({
+	...vDocMeta(TABLES.GroupAuditEvent),
+	connectionId: v.optional(v.id(TABLES.GroupConnection)),
+	groupId: v.id(TABLES.Group),
+	eventType: v.string(),
+	actorType: vAuditActorType,
+	actorId: v.optional(v.string()),
+	subjectType: v.string(),
+	subjectId: v.optional(v.string()),
+	status: vAuditStatus,
+	occurredAt: v.number(),
+	requestId: v.optional(v.string()),
+	ip: v.optional(v.string()),
+	metadata: v.optional(v.any())
+});
+const vGroupWebhookEndpointDoc = v.object({
+	...vDocMeta(TABLES.GroupWebhookEndpoint),
+	connectionId: v.id(TABLES.GroupConnection),
+	groupId: v.id(TABLES.Group),
+	url: v.string(),
+	status: vWebhookEndpointStatus,
+	secretHash: v.string(),
+	subscriptions: v.array(v.string()),
+	createdByUserId: v.optional(v.id(TABLES.User)),
+	lastSuccessAt: v.optional(v.number()),
+	lastFailureAt: v.optional(v.number()),
+	failureCount: v.number(),
+	extend: v.optional(v.any())
+});
+const vGroupWebhookDeliveryDoc = v.object({
+	...vDocMeta(TABLES.GroupWebhookDelivery),
+	connectionId: v.id(TABLES.GroupConnection),
+	endpointId: v.id(TABLES.GroupWebhookEndpoint),
+	auditEventId: v.optional(v.id(TABLES.GroupAuditEvent)),
+	eventType: v.string(),
+	status: vWebhookDeliveryStatus,
+	attemptCount: v.number(),
+	nextAttemptAt: v.number(),
+	lastAttemptAt: v.optional(v.number()),
+	lastResponseStatus: v.optional(v.number()),
+	lastError: v.optional(v.string()),
+	payload: v.any()
+});
+const vRateLimitResult = v.object({
+	...vDocMeta(TABLES.RateLimit),
+	identifier: v.string(),
+	last_attempt_time: v.number(),
+	attempts_left: v.number(),
+	attemptsLeft: v.number(),
+	lastAttemptTime: v.number()
+});
+const vInviteRedeemResult = v.object({
+	inviteId: v.id(TABLES.GroupInvite),
+	groupId: v.union(v.id(TABLES.Group), v.null()),
+	memberId: v.optional(v.id(TABLES.GroupMember)),
+	inviteStatus: vInviteTokenAcceptStatus,
+	membershipStatus: vMembershipStatus
+});
+
+//#endregion
+export { vGroupDoc, vGroupInviteDoc, vGroupMemberDoc, vPaginated, vProfileEmail, vUserDoc, vUserEmailDoc };
+//# sourceMappingURL=model.js.map

package/dist/providers/credentials.d.ts

@@ -16,7 +16,7 @@ interface CredentialsConfig<DataModel extends GenericDataModel = GenericDataMode
     userId: GenericId<"User">;
     sessionId?: GenericId<"Session">;
     /**
-     * TOTP step-up hint. `false` skips the `totpGetVerifiedByUserId` query;
+     * TOTP step-up hint. `false` skips the verified-TOTP lookup;
      * `true`/`undefined` falls back to it.
      */
     hasTotp?: boolean;

package/dist/providers/github.js

@@ -56,9 +56,15 @@ function github(config) {
 			const emails = await emailResponse.json();
 			const primaryEmail = emails.find((email) => email.primary)?.email ?? emails.find((email) => email.verified)?.email ?? user.email ?? void 0;
 			const verifiedEmail = emails.find((email) => email.primary)?.verified ?? emails.find((email) => email.verified)?.verified ?? false;
+			const allEmails = emails.filter((e) => typeof e.email === "string").map((e) => ({
+				email: e.email,
+				primary: e.primary === true,
+				verified: e.verified === true
+			}));
 			return {
 				id: String(user.id),
 				email: typeof primaryEmail === "string" ? primaryEmail : void 0,
+				emails: allEmails.length > 0 ? allEmails : void 0,
 				emailVerified: verifiedEmail,
 				name: typeof user.name === "string" ? user.name : void 0,
 				image: typeof user.avatar_url === "string" ? user.avatar_url : void 0

package/dist/providers/password.js

@@ -87,10 +87,9 @@ function password(config = {}) {
 					accountId: account._id,
 					params
 				});
-				const hasTotp = user.hasTotp;
 				return {
 					userId: user._id,
-					hasTotp
+					hasTotp: false
 				};
 			};
 			switch (flowDispatch.tag) {

package/dist/server/auth.d.ts

@@ -3,6 +3,7 @@ import "../client/index.js";
 import { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, HasDeviceProvider, HasPasskeyProvider, HasSSO, HasTotpProvider } from "./types.js";
 import { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory, AuthContextResolver, InferAuth, OptionalAuthContext, UserDoc } from "./facade.js";
 import { Auth } from "./runtime.js";
+import { AuthExtendValidators, AuthValidators } from "./validators.js";
 
 //#region src/server/auth.d.ts
 type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth>["auth"]["member"], "create" | "list" | "update" | "inspect" | "require"> & {
@@ -57,7 +58,57 @@ type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig |
  * @typeParam TAuthorization - The authorization config, used to narrow
  *   role IDs and grant strings on the `member` API.
  */
-type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = undefined> = {
+type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TExtend extends AuthExtendValidators = {}> = {
+  /**
+   * Convex `returns:` validators for the auth read surface.
+   *
+   * Set these as a function's `returns:` so client-side `useQuery`
+   * inference flows end-to-end without hand-rolled validators or DTO
+   * mappers. The `extend` field of each document carries the shape
+   * supplied via `createAuth({ extend: { ... } })`.
+   *
+   * Available validators:
+   * - `v.user` / `v.group` / `v.member` — single documents (extend-aware).
+   * - `v.invite` — a single group invite document.
+   * - `v.viewer` — `User | null`, for a current-user query.
+   * - `v.list(item)` — wraps an item validator in `{ items, nextCursor }`.
+   *
+   * Compose these for richer reads — e.g. a current user plus their
+   * memberships and groups — using the existing `auth.user.viewer`,
+   * `auth.member.list`, and `auth.group.get` facade methods.
+   *
+   * @example
+   * ```ts
+   * export const viewer = authQuery({
+   *   returns: auth.v.viewer,
+   *   handler: (ctx) => ctx.auth.user.viewer(ctx),
+   * });
+   *
+   * export const groups = authQuery({
+   *   returns: v.union(
+   *     v.object({
+   *       ...auth.v.user.fields,
+   *       memberships: v.array(auth.v.member),
+   *       groups: v.array(auth.v.group),
+   *     }),
+   *     v.null(),
+   *   ),
+   *   handler: async (ctx) => {
+   *     const me = await ctx.auth.user.viewer(ctx);
+   *     if (me === null) return null;
+   *     const { items: memberships } = await ctx.auth.member.list(ctx, {
+   *       where: { userId: me._id },
+   *     });
+   *     const groups = await ctx.auth.group.get(
+   *       ctx,
+   *       memberships.map((m) => m.groupId),
+   *     );
+   *     return { ...me, memberships, groups };
+   *   },
+   * });
+   * ```
+   */
+  v: AuthValidators<TExtend>;
   signIn: ReturnType<typeof Auth>["signIn"];
   signOut: ReturnType<typeof Auth>["signOut"];
   store: ReturnType<typeof Auth>["store"];
@@ -69,7 +120,8 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
   group: ReturnType<typeof Auth>["auth"]["group"];
   member: MemberApiWithAuthorization<TAuthorization>;
   invite: ReturnType<typeof Auth>["auth"]["invite"];
-  key: ReturnType<typeof Auth>["auth"]["key"];
+  key: ReturnType<typeof Auth>["auth"]["key"]; /** Current user's active-group selection (`get` / `set` / `clear`). */
+  active: ReturnType<typeof Auth>["auth"]["active"];
   request: ReturnType<typeof Auth>["auth"]["request"];
   /**
    * Resolve the current request's auth context. Framework-agnostic — use
@@ -244,8 +296,8 @@ type PublicGroupSsoApi = {
  * @typeParam TAuthorization - The authorization config, forwarded to
  *   {@link AuthApiBase} for typed role IDs and grant strings.
  */
-type AuthApi<TAuthorization extends AuthAuthorizationConfig | undefined = undefined> = AuthApiBase<TAuthorization> & {
-  group: AuthApiBase<TAuthorization>["group"] & {
+type AuthApi<TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TExtend extends AuthExtendValidators = {}> = AuthApiBase<TAuthorization, TExtend> & {
+  group: AuthApiBase<TAuthorization, TExtend>["group"] & {
     sso: PublicGroupSsoApi;
   };
 };
@@ -264,7 +316,7 @@ type AuthApi<TAuthorization extends AuthAuthorizationConfig | undefined = undefi
  * @typeParam P - The tuple of provider configs passed to `createAuth`.
  * @typeParam TAuthorization - Optional authorization config for typed roles/grants.
  */
-type ConvexAuthResult<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined> = HasSSO<P> extends true ? AuthApi<TAuthorization> : AuthApiBase<TAuthorization>;
+type ConvexAuthResult<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TExtend extends AuthExtendValidators = {}> = HasSSO<P> extends true ? AuthApi<TAuthorization, TExtend> : AuthApiBase<TAuthorization, TExtend>;
 /**
  * Infer the typed `AuthApiRefs` for the client SDK from a `createAuth` call.
  *
@@ -309,10 +361,24 @@ type InferClientApi<T> = T extends ConvexAuthResult<infer P> ? AuthApiRefs<HasPa
  *
  * @see {@link AuthContextConfig}
  */
-declare function createAuth<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(component: ConvexAuthConfig["component"], config: Omit<AuthConfig, "providers" | "authorization"> & {
+declare function createAuth<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TExtend extends AuthExtendValidators = {}>(component: ConvexAuthConfig["component"], config: Omit<AuthConfig, "providers" | "authorization"> & {
   providers: P;
   authorization?: TAuthorization;
-}): ConvexAuthResult<P, TAuthorization>;
+  /**
+   * Validators for the `extend` field of each table. Drives both the
+   * inferred type of `auth.v.*` (so `viewer.extend.<field>` is typed)
+   * and runtime validation of consumer return shapes.
+   *
+   * @example
+   * ```ts
+   * createAuth(components.auth, {
+   *   providers: [password()],
+   *   extend: { User: v.object({ stripeCustomerId: v.optional(v.string()) }) },
+   * });
+   * ```
+   */
+  extend?: TExtend;
+}): ConvexAuthResult<P, TAuthorization, TExtend>;
 //#endregion
 export { AuthApi, AuthApiBase, ConvexAuthResult, InferClientApi, createAuth };
 //# sourceMappingURL=auth.d.ts.map

package/dist/server/auth.js

@@ -1,5 +1,6 @@
 import { createAuthContextFacade } from "./facade.js";
 import { Auth } from "./runtime.js";
+import { buildAuthValidators } from "./validators.js";
 import { ConvexError } from "convex/values";
 
 //#region src/server/auth.ts
@@ -81,7 +82,7 @@ function createAuth(component, config) {
 				domain: nextDomain.domain,
 				isPrimary: Boolean(nextDomain.isPrimary)
 			});
-			if (current?.verifiedAt !== void 0) await ctx.runMutation(component.public.groupConnectionDomainVerify, {
+			if (current?.verifiedAt !== void 0) await ctx.runMutation(component.sso.connection.domain.verify, {
 				domainId,
 				verifiedAt: current.verifiedAt
 			});
@@ -130,6 +131,7 @@ function createAuth(component, config) {
 		}
 	};
 	return {
+		v: buildAuthValidators(config.extend ?? {}),
 		signIn: authResult.signIn,
 		signOut: authResult.signOut,
 		store: authResult.store,
@@ -145,6 +147,7 @@ function createAuth(component, config) {
 		member: authResult.auth.member,
 		invite: authResult.auth.invite,
 		key: authResult.auth.key,
+		active: authResult.auth.active,
 		request: authResult.auth.request,
 		...createAuthContextFacade(authResult.auth)
 	};

package/dist/server/context.js

@@ -1,13 +1,38 @@
 import { getAuthenticatedUserIdOrNull } from "./identity.js";
+import { ConvexError } from "convex/values";
 
 //#region src/server/context.ts
 /** @internal */
 async function getSessionUserId(ctx) {
 	return await getAuthenticatedUserIdOrNull(ctx);
 }
+/**
+* Build the `ctx.auth.require` grant guard from the resolved grants and
+* active group. `require(grant)` throws when a grant is missing;
+* `require(grant, doc)` additionally asserts the group-owned `doc` belongs
+* to the active group. Reuses `member.require`'s `MISSING_GRANTS` code.
+*
+* @internal
+*/
+function makeRequire(groupId, grants) {
+	return (grant, doc) => {
+		if ((Array.isArray(grant) ? grant : [grant]).filter((g) => !grants.includes(g)).length > 0) throw new ConvexError({
+			code: "MISSING_GRANTS",
+			message: "User is missing required grants."
+		});
+		if (doc !== void 0) {
+			const docGroupId = doc.groupId;
+			if (groupId === null || String(docGroupId) !== groupId) throw new ConvexError({
+				code: "FORBIDDEN",
+				message: "Record is not in the active group."
+			});
+		}
+	};
+}
 /** @internal */
 async function getAuthContextForUser(auth, ctx, userId) {
-	const [user, groupId] = await Promise.all([auth.user.get(ctx, userId), auth.user.getActiveGroup(ctx, { userId })]);
+	const [user, activeGroup] = await Promise.all([auth.user.get(ctx, userId), auth.active.get(ctx, { userId })]);
+	const groupId = activeGroup?.groupId ?? null;
 	let role = null;
 	let grants = [];
 	if (groupId) {
@@ -25,7 +50,8 @@ async function getAuthContextForUser(auth, ctx, userId) {
 		user,
 		groupId,
 		role,
-		grants
+		grants,
+		require: makeRequire(groupId, grants)
 	};
 }
 /** @internal */
@@ -41,7 +67,8 @@ function createUnauthenticatedAuthContext() {
 		user: null,
 		groupId: null,
 		role: null,
-		grants: []
+		grants: [],
+		require: makeRequire(null, [])
 	};
 }