@robelest/convex-auth 0.0.4-preview.32 → 0.0.4-preview.34

package/dist/server/db.js

@@ -4,85 +4,93 @@ function authDb(ctx, config) {
 	const component = config.component;
 	return {
 		users: {
-			getById: (userId) => ctx.runQuery(component.public.userGetById, { userId }),
-			findByVerifiedEmail: (email) => ctx.runQuery(component.public.userFindByVerifiedEmail, { email }),
-			findByVerifiedPhone: (phone) => ctx.runQuery(component.public.userFindByVerifiedPhone, { phone }),
-			insert: (data) => ctx.runMutation(component.public.userInsert, { data }),
-			patch: (userId, data) => ctx.runMutation(component.public.userPatch, {
+			getById: (userId) => ctx.runQuery(component.user.get, { id: userId }),
+			findByVerifiedEmail: (email) => ctx.runQuery(component.user.get, { verifiedEmail: email }),
+			findByVerifiedPhone: (phone) => ctx.runQuery(component.user.get, { verifiedPhone: phone }),
+			insert: (data) => ctx.runMutation(component.user.create, { data }),
+			patch: (userId, data) => ctx.runMutation(component.user.update, {
 				userId,
 				data
 			}),
-			upsert: (userId, data) => ctx.runMutation(component.public.userUpsert, {
+			upsert: (userId, data) => ctx.runMutation(component.user.upsert, {
 				userId,
 				data
 			})
 		},
+		emails: {
+			upsert: (args) => ctx.runMutation(component.user.email.upsert, args),
+			listByUser: (userId) => ctx.runQuery(component.user.email.list, { userId }),
+			findVerified: (email, connectionId) => ctx.runQuery(component.user.email.owner, {
+				email,
+				connectionId
+			})
+		},
 		accounts: {
-			get: (provider, providerAccountId) => ctx.runQuery(component.public.accountGet, {
+			get: (provider, providerAccountId) => ctx.runQuery(component.account.get, {
 				provider,
 				providerAccountId
 			}),
-			getById: (accountId) => ctx.runQuery(component.public.accountGetById, { accountId }),
-			create: (args) => ctx.runMutation(component.public.accountInsert, args),
-			patch: (accountId, data) => ctx.runMutation(component.public.accountPatch, {
+			getById: (accountId) => ctx.runQuery(component.account.get, { id: accountId }),
+			create: (args) => ctx.runMutation(component.account.create, args),
+			patch: (accountId, data) => ctx.runMutation(component.account.update, {
 				accountId,
 				data
 			}),
-			delete: (accountId) => ctx.runMutation(component.public.accountDelete, { accountId })
+			delete: (accountId) => ctx.runMutation(component.account.delete, { accountId })
 		},
 		sessions: {
-			create: (userId, expirationTime) => ctx.runMutation(component.public.sessionCreate, {
+			create: (userId, expirationTime) => ctx.runMutation(component.session.create, {
 				userId,
 				expirationTime
 			}),
-			issue: (args) => ctx.runMutation(component.public.sessionIssue, args),
-			getById: (sessionId) => ctx.runQuery(component.public.sessionGetById, { sessionId }),
-			delete: (sessionId) => ctx.runMutation(component.public.sessionDelete, { sessionId }),
-			listByUser: (userId) => ctx.runQuery(component.public.sessionListByUser, { userId })
+			issue: (args) => ctx.runMutation(component.session.issue, args),
+			getById: (sessionId) => ctx.runQuery(component.session.get, { sessionId }),
+			delete: (sessionId) => ctx.runMutation(component.session.delete, { sessionId }),
+			listByUser: (userId) => ctx.runQuery(component.session.list, { userId })
 		},
 		verifiers: {
-			create: (sessionId, signature) => ctx.runMutation(component.public.verifierCreate, {
+			create: (sessionId, signature) => ctx.runMutation(component.token.pkce.create, {
 				sessionId,
 				signature
 			}),
-			getById: (verifierId) => ctx.runQuery(component.public.verifierGetById, { verifierId }),
-			getBySignature: (signature) => ctx.runQuery(component.public.verifierGetBySignature, { signature }),
-			patch: (verifierId, data) => ctx.runMutation(component.public.verifierPatch, {
+			getById: (verifierId) => ctx.runQuery(component.token.pkce.get, { id: verifierId }),
+			getBySignature: (signature) => ctx.runQuery(component.token.pkce.get, { signature }),
+			patch: (verifierId, data) => ctx.runMutation(component.token.pkce.update, {
 				verifierId,
 				data
 			}),
-			delete: (verifierId) => ctx.runMutation(component.public.verifierDelete, { verifierId })
+			delete: (verifierId) => ctx.runMutation(component.token.pkce.delete, { verifierId })
 		},
 		verificationCodes: {
-			getByAccountId: (accountId) => ctx.runQuery(component.public.verificationCodeGetByAccountId, { accountId }),
-			getByCode: (code) => ctx.runQuery(component.public.verificationCodeGetByCode, { code }),
-			create: (args) => ctx.runMutation(component.public.verificationCodeCreate, args),
-			delete: (verificationCodeId) => ctx.runMutation(component.public.verificationCodeDelete, { verificationCodeId })
+			getByAccountId: (accountId) => ctx.runQuery(component.token.verification.get, { accountId }),
+			getByCode: (code) => ctx.runQuery(component.token.verification.get, { code }),
+			create: (args) => ctx.runMutation(component.token.verification.create, args),
+			delete: (verificationCodeId) => ctx.runMutation(component.token.verification.delete, { verificationCodeId })
 		},
 		refreshTokens: {
-			create: (args) => ctx.runMutation(component.public.refreshTokenCreate, args),
-			exchange: (args) => ctx.runMutation(component.public.refreshTokenExchange, args),
-			getById: (refreshTokenId) => ctx.runQuery(component.public.refreshTokenGetById, { refreshTokenId }),
-			patch: (refreshTokenId, data) => ctx.runMutation(component.public.refreshTokenPatch, {
+			create: (args) => ctx.runMutation(component.token.refresh.create, args),
+			exchange: (args) => ctx.runMutation(component.token.refresh.exchange, args),
+			getById: (refreshTokenId) => ctx.runQuery(component.token.refresh.get, { id: refreshTokenId }),
+			patch: (refreshTokenId, data) => ctx.runMutation(component.token.refresh.update, {
 				refreshTokenId,
 				data
 			}),
-			getChildren: (sessionId, parentRefreshTokenId) => ctx.runQuery(component.public.refreshTokenGetChildren, {
+			getChildren: (sessionId, parentRefreshTokenId) => ctx.runQuery(component.token.refresh.listChildren, {
 				sessionId,
 				parentRefreshTokenId
 			}),
-			listBySession: (sessionId) => ctx.runQuery(component.public.refreshTokenListBySession, { sessionId }),
-			deleteAll: (sessionId) => ctx.runMutation(component.public.refreshTokenDeleteAll, { sessionId }),
-			getActive: (sessionId) => ctx.runQuery(component.public.refreshTokenGetActive, { sessionId })
+			listBySession: (sessionId) => ctx.runQuery(component.token.refresh.list, { sessionId }),
+			deleteAll: (sessionId) => ctx.runMutation(component.token.refresh.delete, { sessionId }),
+			getActive: (sessionId) => ctx.runQuery(component.token.refresh.get, { activeForSession: sessionId })
 		},
 		rateLimits: {
-			get: (identifier) => ctx.runQuery(component.public.rateLimitGet, { identifier }),
-			create: (args) => ctx.runMutation(component.public.rateLimitCreate, args),
-			patch: (rateLimitId, data) => ctx.runMutation(component.public.rateLimitPatch, {
+			get: (identifier) => ctx.runQuery(component.rateLimit.get, { identifier }),
+			create: (args) => ctx.runMutation(component.rateLimit.create, args),
+			patch: (rateLimitId, data) => ctx.runMutation(component.rateLimit.update, {
 				rateLimitId,
 				data
 			}),
-			delete: (rateLimitId) => ctx.runMutation(component.public.rateLimitDelete, { rateLimitId })
+			delete: (rateLimitId) => ctx.runMutation(component.rateLimit.delete, { rateLimitId })
 		}
 	};
 }

package/dist/server/facade.d.ts

@@ -52,6 +52,25 @@ type AuthContext = {
   groupId: string | null; /** The user's primary role in the active group, or `null`. */
   role: string | null; /** Resolved grant strings from the user's role definitions. */
   grants: string[];
+  /**
+   * Assert the current user holds the given grant(s); throws
+   * `ConvexError({ code: "MISSING_GRANTS" })` otherwise. Pass a
+   * group-owned document as the second argument to also assert the
+   * record belongs to the active group (`code: "FORBIDDEN"` if not).
+   *
+   * For a boolean check, read `grants` directly:
+   * `ctx.auth.grants.includes("issues.read")`.
+   *
+   * @example
+   * ```ts
+   * ctx.auth.require("members.manage");
+   * ctx.auth.require(["issues.edit", "issues.move"]);
+   * ctx.auth.require("issues.edit", issueDoc); // group-scoped
+   * ```
+   */
+  require: (grant: string | readonly string[], doc?: {
+    groupId?: unknown;
+  }) => void;
 };
 /**
  * Nullable auth context returned by `auth.context(ctx, { optional: true })`
@@ -78,6 +97,15 @@ type OptionalAuthContext = {
   groupId: string | null; /** The user's primary role in the active group, or `null`. */
   role: string | null; /** Resolved grant strings for the active membership, or `[]`. */
   grants: string[];
+  /**
+   * Assert the current user holds the given grant(s); throws when
+   * missing (or, with a group-owned `doc`, when it is not in the active
+   * group). When unauthenticated this always throws. For a boolean
+   * check read `grants` directly.
+   */
+  require: (grant: string | readonly string[], doc?: {
+    groupId?: unknown;
+  }) => void;
 };
 type AuthContextBase = {
   getUserIdentity: () => Promise<UserIdentity | null>;
@@ -139,6 +167,17 @@ type AuthContextConfig<TResolve extends Record<string, unknown> = Record<string,
    * of throwing `NOT_SIGNED_IN`.
    */
   optional?: boolean;
+  /**
+   * Enforce grant(s) inline — equivalent to calling `ctx.auth.require(...)`
+   * at the top of every handler built with this customization. Throws
+   * `ConvexError({ code: "MISSING_GRANTS" })` when missing.
+   */
+  require?: string | readonly string[];
+  /**
+   * Require an active group; throws `ConvexError({ code: "NO_ACTIVE_GROUP" })`
+   * when the resolved context has no `groupId`. Reuses the `active` concept.
+   */
+  active?: true;
   /**
    * Attach additional derived fields to the auth context after the base auth
    * context is resolved.

package/dist/server/facade.js

@@ -19,6 +19,20 @@ function assertAuthResolverContext(ctx) {
 /**
 * Resolve the public auth context for a Convex handler context.
 *
+* Enforce the `require` / `active` builder options against a resolved
+* context. Reuses `ctx.auth.require` for grants so behavior is identical
+* to an inline call.
+*
+* @internal
+*/
+function enforceAuthRequirements(resolved, config) {
+	if (config?.active === true && resolved.groupId === null) throw new ConvexError({
+		code: "NO_ACTIVE_GROUP",
+		message: "An active group is required."
+	});
+	if (config?.require !== void 0) resolved.require(config.require);
+}
+/**
 * This low-level helper underpins `auth.context(...)`.
 */
 async function createPublicAuthContext(auth, ctx, config) {
@@ -27,6 +41,7 @@ async function createPublicAuthContext(auth, ctx, config) {
 		if (config?.optional !== true) throw createNotSignedInError();
 		return createUnauthenticatedAuthContext();
 	}
+	enforceAuthRequirements(resolved, config);
 	const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
 	return {
 		...resolved,
@@ -55,6 +70,7 @@ function createAuthContextCustomization(auth, config) {
 					args: {}
 				};
 			}
+			enforceAuthRequirements(resolved, config);
 			const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
 			return {
 				ctx: { auth: {

package/dist/server/index.d.ts

@@ -1,9 +1,11 @@
-import { AfterCtx, AuthCallbackContext, AuthCallbackProfile, AuthCallbacks, AuthEvent, BeforeCtx, BeforeEvent, BeforeResult } from "./types.js";
+import { vGroupDoc, vGroupInviteDoc, vGroupMemberDoc, vPaginated, vUserDoc, vUserEmailDoc } from "../component/model.js";
+import { AfterCtx, AuthCallbackContext, AuthCallbackProfile, AuthCallbacks, AuthDataModel, AuthEvent, BeforeCtx, BeforeEvent, BeforeResult, Doc, GenericDoc } from "./types.js";
 import { AuthConfig, AuthContext, AuthContextConfig, InferAuth, OptionalAuthContext, UserDoc } from "./facade.js";
+import "./identity/convex.js";
 import { WellKnownEndpoint, WellKnownOptions, WellKnownResponse, wellKnown } from "./wellknown.js";
 import { HttpAuthContext, HttpAuthContextConfig, OptionalHttpAuthContext } from "./http.js";
+import { AuthExtendValidators, AuthValidators, Group, Membership, Viewer, buildAuthValidators } from "./validators.js";
 import { AuthApi, AuthApiBase, ConvexAuthResult, InferClientApi, createAuth } from "./auth.js";
-import "./identity/convex.js";
 import { CreateAuthGroupSsoOptions, GroupSsoAccessHandler, GroupSsoAccessInput, GroupSsoAccessPermissions, GroupSsoPermission, GroupSsoResolvedAccessHandler, createAuthGroupSso, scim, sso } from "./mounts.js";
 import { AuthCookie, AuthCookieConfig, AuthCookies, RefreshResult, ServerOptions, authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./prefetch.js";
-export { type AfterCtx, type AuthApi, type AuthApiBase, type AuthCallbackContext, type AuthCallbackProfile, type AuthCallbacks, type AuthConfig, type AuthContext, type AuthContextConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, type AuthEvent, type BeforeCtx, type BeforeEvent, type BeforeResult, type ConvexAuthResult, type CreateAuthGroupSsoOptions, type GroupSsoAccessHandler, type GroupSsoAccessInput, type GroupSsoAccessPermissions, type GroupSsoPermission, type GroupSsoResolvedAccessHandler, type HttpAuthContext, type HttpAuthContextConfig, type InferAuth, type InferClientApi, type OptionalAuthContext, type OptionalHttpAuthContext, type RefreshResult, type ServerOptions, type UserDoc, type WellKnownEndpoint, type WellKnownOptions, type WellKnownResponse, authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, wellKnown };
+export { type AfterCtx, type AuthApi, type AuthApiBase, type AuthCallbackContext, type AuthCallbackProfile, type AuthCallbacks, type AuthConfig, type AuthContext, type AuthContextConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, type AuthDataModel, type AuthEvent, type AuthExtendValidators, type AuthValidators, type BeforeCtx, type BeforeEvent, type BeforeResult, type ConvexAuthResult, type CreateAuthGroupSsoOptions, type Doc, type GenericDoc, type Group, type GroupSsoAccessHandler, type GroupSsoAccessInput, type GroupSsoAccessPermissions, type GroupSsoPermission, type GroupSsoResolvedAccessHandler, type HttpAuthContext, type HttpAuthContextConfig, type InferAuth, type InferClientApi, type Membership, type OptionalAuthContext, type OptionalHttpAuthContext, type RefreshResult, type ServerOptions, type UserDoc, type Viewer, type WellKnownEndpoint, type WellKnownOptions, type WellKnownResponse, authCookieNames, buildAuthValidators, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, vGroupDoc, vGroupInviteDoc, vGroupMemberDoc, vPaginated, vUserDoc, vUserEmailDoc, wellKnown };

package/dist/server/index.js

@@ -1,7 +1,9 @@
 import "./identity/convex.js";
+import { vGroupDoc, vGroupInviteDoc, vGroupMemberDoc, vPaginated, vUserDoc, vUserEmailDoc } from "../component/model.js";
 import { wellKnown } from "./wellknown.js";
+import { buildAuthValidators } from "./validators.js";
 import { createAuth } from "./auth.js";
 import { createAuthGroupSso, scim, sso } from "./mounts.js";
 import { authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./prefetch.js";
 
-export { authCookieNames, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, wellKnown };
+export { authCookieNames, buildAuthValidators, createAuth, createAuthGroupSso, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies, vGroupDoc, vGroupInviteDoc, vGroupMemberDoc, vPaginated, vUserDoc, vUserEmailDoc, wellKnown };