@robelest/convex-auth 0.0.4-preview.32 → 0.0.4-preview.34

package/dist/server/mutations/credentials/signin.js

@@ -64,13 +64,9 @@ async function credentialsSignInInner(ctx, args, getProviderOrThrow, config) {
 			}
 		};
 	}
-	let hasTotp = user.hasTotp;
-	if (enforceTotp && hasTotp === void 0) {
-		const memberResolveRef = config.component.public["totpGetVerifiedByUserId"];
-		hasTotp = await ctx.runQuery(memberResolveRef, { userId: existingAccount.userId }) !== null;
-		await db.users.patch(existingAccount.userId, { hasTotp });
-	}
-	const totpRequired = enforceTotp && hasTotp === true;
+	let hasTotp = false;
+	if (enforceTotp) hasTotp = await ctx.runQuery(config.component.factor.totp.get, { verifiedForUserId: existingAccount.userId }) !== null;
+	const totpRequired = enforceTotp && hasTotp;
 	const [issuance] = await Promise.all([issueSession(ctx, config, {
 		userId: existingAccount.userId,
 		generateTokens: generateTokens && !totpRequired

package/dist/server/mutations/oauth.js

@@ -5,6 +5,7 @@ import { AUTH_STORE_REF } from "./store/refs.js";
 import { upsertUserAndAccount } from "../users.js";
 import { getGroup, getGroupConnection } from "../contract.js";
 import { accountExtendValidator, payloadRecordValidator } from "../payloads.js";
+import { vProfileEmail } from "../../component/model.js";
 import { GROUP_OIDC_PROVIDER_PREFIX, GROUP_SAML_PROVIDER_PREFIX, isGroupProviderId } from "../sso/shared.js";
 import { createSyntheticOAuthMaterializedConfig } from "../sso/oidc.js";
 import { normalizeGroupConnectionPolicy, resolveProvisionedRoleIds } from "../sso/policy.js";
@@ -16,6 +17,7 @@ const userOAuthArgs = v.object({
 	provider: v.string(),
 	providerAccountId: v.string(),
 	profile: payloadRecordValidator,
+	emails: v.optional(v.array(vProfileEmail)),
 	signature: v.string(),
 	accountExtend: v.optional(accountExtendValidator)
 });
@@ -52,17 +54,17 @@ async function jitProvisionMembership(ctx, config, connectionPolicy, connection,
 		groups: Array.isArray(profile.groups) ? profile.groups : void 0,
 		roles: Array.isArray(profile.roles) ? profile.roles : void 0
 	});
-	const existingMembership = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
+	const existingMembership = await ctx.runQuery(config.component.group.member.get, {
 		userId,
 		groupId
 	});
-	if (existingMembership === null) await ctx.runMutation(config.component.public.memberAdd, {
+	if (existingMembership === null) await ctx.runMutation(config.component.group.member.create, {
 		groupId,
 		userId,
 		roleIds: provisionedRoleIds,
 		status: "active"
 	});
-	else if (provisionedRoleIds.length > 0) await ctx.runMutation(config.component.public.memberUpdate, {
+	else if (provisionedRoleIds.length > 0) await ctx.runMutation(config.component.group.member.update, {
 		memberId: existingMembership._id,
 		data: { roleIds: provisionedRoleIds }
 	});
@@ -75,10 +77,10 @@ async function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 	const connectionId = provider.startsWith(GROUP_OIDC_PROVIDER_PREFIX) ? provider.slice(GROUP_OIDC_PROVIDER_PREFIX.length) : provider.startsWith(GROUP_SAML_PROVIDER_PREFIX) ? provider.slice(GROUP_SAML_PROVIDER_PREFIX.length) : null;
 	const connectionProtocol = provider.startsWith(GROUP_OIDC_PROVIDER_PREFIX) ? "oidc" : provider.startsWith(GROUP_SAML_PROVIDER_PREFIX) ? "saml" : null;
 	const existingAccount = await db.accounts.get(provider, providerAccountId);
-	const connection = connectionId !== null ? await getGroupConnection(ctx, config.component.public, connectionId) : null;
-	const group = connection !== null ? await getGroup(ctx, config.component.public, connection.groupId) : null;
+	const connection = connectionId !== null ? await getGroupConnection(ctx, config.component.sso, connectionId) : null;
+	const group = connection !== null ? await getGroup(ctx, config.component.group, connection.groupId) : null;
 	const connectionPolicy = connection ? normalizeGroupConnectionPolicy(group?.policy) : null;
-	const existingScimIdentity = connectionId !== null && existingAccount === null && connectionPolicy?.provisioning.scimReuse.user === "externalId" ? await ctx.runQuery(config.component.public.groupConnectionScimIdentityGet, {
+	const existingScimIdentity = connectionId !== null && existingAccount === null && connectionPolicy?.provisioning.scimReuse.user === "externalId" ? await ctx.runQuery(config.component.sso.connection.scim.identity.get, {
 		connectionId,
 		resourceType: "user",
 		externalId: providerAccountId
@@ -110,6 +112,7 @@ async function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 		type: "oauth",
 		provider: isGroupProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: connectionProtocol === "oidc" ? connectionPolicy?.identity.accountLinking.oidc : connectionProtocol === "saml" ? connectionPolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
 		profile: profileForProvisioning,
+		emails: args.emails,
 		accountExtend: normalizeAccountExtend(provider, providerAccountId, accountExtend)
 	}, config, connectionPolicy?.provisioning.user ? {
 		existingUserId: existingScimIdentity?.userId,

package/dist/server/runtime.d.ts

@@ -4,7 +4,7 @@ import { AuthProfile, SignInParams } from "./payloads.js";
 import { HttpAuthContext, HttpAuthContextConfig, OptionalHttpAuthContext } from "./http.js";
 import { createGroupConnectionDomain } from "./sso/domain.js";
 import { GenericId } from "convex/values";
-import * as convex_server105 from "convex/server";
+import * as convex_server119 from "convex/server";
 import { GenericActionCtx, GenericDataModel, HttpRouter } from "convex/server";
 
 //#region src/server/runtime.d.ts
@@ -45,26 +45,51 @@ declare function Auth(config_: ConvexAuthConfig): {
         cursor?: string | null;
         orderBy?: UserOrderBy;
         order?: "asc" | "desc";
-      }) => Promise<any>;
+      }) => Promise<{
+        items: Doc<"User">[];
+        nextCursor: string | null;
+      }>;
       viewer: (ctx: ComponentReadCtx & {
-        auth: convex_server105.Auth;
+        auth: convex_server119.Auth;
       }) => Promise<Doc<"User"> | null>;
+      email: {
+        list: (ctx: ComponentReadCtx & {
+          auth: convex_server119.Auth;
+        }, opts?: {
+          userId?: string;
+        }) => Promise<Doc<"UserEmail">[]>;
+        add: (ctx: ComponentCtx & {
+          auth: convex_server119.Auth;
+        }, email: string, opts?: {
+          userId?: string;
+        }) => Promise<{
+          email: string;
+        }>;
+        remove: (ctx: ComponentCtx & {
+          auth: convex_server119.Auth;
+        }, email: string, opts?: {
+          userId?: string;
+        }) => Promise<{
+          email: string;
+        }>;
+        primary: {
+          (ctx: ComponentReadCtx & {
+            auth: convex_server119.Auth;
+          }, opts?: {
+            userId?: string;
+          }): Promise<Doc<"UserEmail"> | null>;
+          (ctx: ComponentCtx & {
+            auth: convex_server119.Auth;
+          }, email: string, opts?: {
+            userId?: string;
+          }): Promise<{
+            email: string;
+          }>;
+        };
+      };
       update: (ctx: ComponentCtx, userId: string, data: Record<string, unknown>) => Promise<{
         userId: string;
       }>;
-      setActiveGroup: (ctx: ComponentCtx, opts: {
-        userId: string;
-        groupId: string | null;
-      }) => Promise<{
-        userId: string;
-        groupId: null;
-      } | {
-        userId: string;
-        groupId: string;
-      }>;
-      getActiveGroup: (ctx: ComponentReadCtx, opts: {
-        userId: string;
-      }) => Promise<string | null>;
       delete: (ctx: ComponentCtx, userId: string, opts?: {
         cascade?: boolean;
       }) => Promise<{
@@ -79,10 +104,10 @@ declare function Auth(config_: ConvexAuthConfig): {
         userId: GenericId<"User">;
         except: GenericId<"Session">[];
       }>;
-      get: (ctx: ComponentReadCtx, sessionId: string) => Promise<any>;
+      get: (ctx: ComponentReadCtx, sessionId: string) => Promise<Doc<"Session"> | null>;
       list: (ctx: ComponentReadCtx, opts: {
         userId: string;
-      }) => Promise<any>;
+      }) => Promise<Doc<"Session">[]>;
     };
     account: {
       create: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: {
@@ -130,7 +155,7 @@ declare function Auth(config_: ConvexAuthConfig): {
       }>;
       listPasskeys: (ctx: ComponentReadCtx, opts: {
         userId: string;
-      }) => Promise<any>;
+      }) => Promise<Doc<"Passkey">[]>;
       renamePasskey: (ctx: ComponentCtx, passkeyId: string, name: string) => Promise<{
         passkeyId: string;
       }>;
@@ -139,7 +164,7 @@ declare function Auth(config_: ConvexAuthConfig): {
       }>;
       listTotps: (ctx: ComponentReadCtx, opts: {
         userId: string;
-      }) => Promise<any>;
+      }) => Promise<Doc<"TotpFactor">[]>;
       deleteTotp: (ctx: ComponentCtx, totpId: string) => Promise<{
         totpId: string;
       }>;
@@ -170,6 +195,17 @@ declare function Auth(config_: ConvexAuthConfig): {
       get: {
         (ctx: ComponentReadCtx, groupId: string): Promise<Doc<"Group"> | null>;
         (ctx: ComponentReadCtx, groupIds: readonly string[]): Promise<Array<Doc<"Group"> | null>>;
+        (ctx: ComponentReadCtx, selector: {
+          slug: string;
+        }): Promise<Doc<"Group"> | null>;
+        (ctx: ComponentReadCtx, groupId: string, opts: {
+          tree: true;
+        }): Promise<{
+          current: Doc<"Group">;
+          parent: Doc<"Group"> | null;
+          children: Array<Doc<"Group">>;
+          ancestors: Array<Doc<"Group">>;
+        } | null>;
       };
       list: (ctx: ComponentReadCtx, opts?: {
         where?: {
@@ -191,7 +227,10 @@ declare function Auth(config_: ConvexAuthConfig): {
         cursor?: string | null;
         orderBy?: "_creationTime" | "name" | "slug" | "type";
         order?: "asc" | "desc";
-      }) => Promise<any>;
+      }) => Promise<{
+        items: Doc<"Group">[];
+        nextCursor: string | null;
+      }>;
       update: (ctx: ComponentCtx, groupId: string, data: Record<string, unknown>) => Promise<{
         groupId: string;
       }>;
@@ -201,13 +240,7 @@ declare function Auth(config_: ConvexAuthConfig): {
       ancestors: (ctx: ComponentReadCtx, opts: {
         groupId: string;
         maxDepth?: number;
-        includeSelf /**
-                     * Action called by the client to invalidate the current session.
-                     */?
-        /**
-        * Action called by the client to invalidate the current session.
-        */
-        : boolean;
+        includeSelf?: boolean;
       }) => Promise<{
         ancestors: Array<Exclude<Doc<"Group"> | null, null>>;
         cycleDetected: boolean;
@@ -224,8 +257,8 @@ declare function Auth(config_: ConvexAuthConfig): {
       }) => Promise<{
         memberId: string;
       }>;
-      get: (ctx: ComponentReadCtx, memberId: string) => Promise<any>;
-      list: (ctx: ComponentReadCtx, opts?: {
+      get: (ctx: ComponentReadCtx, memberId: string) => Promise<Doc<"GroupMember"> | null>;
+      list: <O extends {
         where?: {
           groupId?: string;
           userId?: string;
@@ -236,7 +269,33 @@ declare function Auth(config_: ConvexAuthConfig): {
         cursor?: string | null;
         orderBy?: "_creationTime" | "status";
         order?: "asc" | "desc";
-      }) => Promise<any>;
+        withGroup?: true;
+        withGrants?: true;
+      } | undefined = undefined>(ctx: ComponentReadCtx, opts?: O) => Promise<{
+        items: ({
+          _id: GenericId<"GroupMember">;
+          _creationTime: number;
+          extend?: any;
+          role?: string | undefined;
+          roleIds?: string[] | undefined;
+          status?: string | undefined;
+          groupId: GenericId<"Group">;
+          userId: GenericId<"User">;
+        } & {
+          _id: GenericId<"GroupMember">;
+          _creationTime: number;
+        } & (NonNullable<O> extends infer T_2 ? T_2 extends NonNullable<O> ? T_2 extends {
+          withGroup: true;
+        } ? {
+          group: Doc<"Group"> | null;
+        } : unknown : never : never) & (NonNullable<O> extends infer T_3 ? T_3 extends NonNullable<O> ? T_3 extends {
+          withGrants: true;
+        } ? {
+          roleIds: string[];
+          grants: string[];
+        } : unknown : never : never))[];
+        nextCursor: string | null;
+      }>;
       delete: (ctx: ComponentCtx, memberId: string) => Promise<{
         memberId: string;
       }>;
@@ -315,13 +374,19 @@ declare function Auth(config_: ConvexAuthConfig): {
         inviteId: string;
         token: string;
       }>;
-      get: (ctx: ComponentReadCtx, inviteId: string) => Promise<any>;
+      get: (ctx: ComponentReadCtx, inviteId: string) => Promise<Doc<"GroupInvite"> | null>;
       token: {
-        get: (ctx: ComponentReadCtx, token: string) => Promise<any>;
+        get: (ctx: ComponentReadCtx, token: string) => Promise<Doc<"GroupInvite"> | null>;
         accept: (ctx: ComponentCtx, args: {
           token: string;
           acceptedByUserId: string;
-        }) => Promise<any>;
+        }) => Promise<{
+          inviteId: string;
+          groupId: string | null;
+          memberId?: string;
+          inviteStatus: string;
+          membershipStatus: string;
+        }>;
       };
       list: (ctx: ComponentReadCtx, opts?: {
         where?: {
@@ -337,7 +402,10 @@ declare function Auth(config_: ConvexAuthConfig): {
         cursor?: string | null;
         orderBy?: "_creationTime" | "status" | "email" | "expiresTime" | "acceptedTime";
         order?: "asc" | "desc";
-      }) => Promise<any>;
+      }) => Promise<{
+        items: Doc<"GroupInvite">[];
+        nextCursor: string | null;
+      }>;
       accept: (ctx: ComponentCtx, inviteId: string, acceptedByUserId?: string) => Promise<{
         inviteId: string;
         acceptedByUserId: string | null;
@@ -377,7 +445,10 @@ declare function Auth(config_: ConvexAuthConfig): {
         cursor?: string | null;
         orderBy?: "_creationTime" | "name" | "lastUsedAt" | "expiresAt" | "revoked";
         order?: "asc" | "desc";
-      }) => Promise<any>;
+      }) => Promise<{
+        items: Doc<"ApiKey">[];
+        nextCursor: string | null;
+      }>;
       get: (ctx: ComponentReadCtx, keyId: string) => Promise<KeyDoc | null>;
       update: (ctx: ComponentCtx, keyId: string, data: {
         name?: string;
@@ -403,6 +474,31 @@ declare function Auth(config_: ConvexAuthConfig): {
         secret: string;
       }>;
     };
+    active: {
+      get: (ctx: ComponentReadCtx & {
+        auth: convex_server119.Auth;
+      }, opts?: {
+        userId?: string;
+      }) => Promise<{
+        groupId: string;
+        group: Doc<"Group"> | null;
+        membership: Doc<"GroupMember">;
+      } | null>;
+      set: (ctx: ComponentCtx & {
+        auth: convex_server119.Auth;
+      }, groupId: string, opts?: {
+        userId?: string;
+      }) => Promise<{
+        groupId: string;
+      }>;
+      clear: (ctx: ComponentCtx & {
+        auth: convex_server119.Auth;
+      }, opts?: {
+        userId?: string;
+      }) => Promise<{
+        groupId: null;
+      }>;
+    };
   } & {
     sso: ReturnType<typeof createGroupConnectionDomain>;
   } & {
@@ -476,22 +572,22 @@ declare function Auth(config_: ConvexAuthConfig): {
       context: {
         <TResolve extends Record<string, unknown> = Record<string, never>, TCtx extends {
           auth: {
-            getUserIdentity: () => Promise<convex_server105.UserIdentity | null>;
+            getUserIdentity: () => Promise<convex_server119.UserIdentity | null>;
           };
         } & ComponentReadCtx = {
           auth: {
-            getUserIdentity: () => Promise<convex_server105.UserIdentity | null>;
+            getUserIdentity: () => Promise<convex_server119.UserIdentity | null>;
           };
         } & ComponentReadCtx>(ctx: TCtx, request: Request, config: HttpAuthContextConfig<TResolve, TCtx> & {
           optional: true;
         }): Promise<OptionalHttpAuthContext & TResolve>;
         <TResolve extends Record<string, unknown> = Record<string, never>, TCtx extends {
           auth: {
-            getUserIdentity: () => Promise<convex_server105.UserIdentity | null>;
+            getUserIdentity: () => Promise<convex_server119.UserIdentity | null>;
           };
         } & ComponentReadCtx = {
           auth: {
-            getUserIdentity: () => Promise<convex_server105.UserIdentity | null>;
+            getUserIdentity: () => Promise<convex_server119.UserIdentity | null>;
           };
         } & ComponentReadCtx>(ctx: TCtx, request: Request, config?: HttpAuthContextConfig<TResolve, TCtx>): Promise<HttpAuthContext & TResolve>;
       };
@@ -525,7 +621,7 @@ declare function Auth(config_: ConvexAuthConfig): {
           action: string;
         };
         cors?: CorsConfig;
-      }) => convex_server105.PublicHttpAction;
+      }) => convex_server119.PublicHttpAction;
       /**
        * Register a Bearer-authenticated route **and** its OPTIONS preflight
        * in a single call.
@@ -571,7 +667,7 @@ declare function Auth(config_: ConvexAuthConfig): {
    *
    * Also used for refreshing the session.
    */
-  signIn: convex_server105.RegisteredAction<"public", {
+  signIn: convex_server119.RegisteredAction<"public", {
     provider?: string | undefined;
     verifier?: string | undefined;
     params?: Record<string, string | number | boolean | (string | number | boolean | null)[] | Record<string, string | number | boolean | (string | number | boolean | null)[] | null> | null> | undefined;
@@ -581,12 +677,12 @@ declare function Auth(config_: ConvexAuthConfig): {
   /**
    * Action called by the client to invalidate the current session.
    */
-  signOut: convex_server105.RegisteredAction<"public", {}, Promise<void>>;
+  signOut: convex_server119.RegisteredAction<"public", {}, Promise<void>>;
   /**
    * Internal mutation used by the library to read and write
    * to the database during signin and signout.
    */
-  store: convex_server105.RegisteredMutation<"internal", {
+  store: convex_server119.RegisteredMutation<"internal", {
     args: {
       sessionId?: string | undefined;
       type: "signIn";
@@ -609,9 +705,14 @@ declare function Auth(config_: ConvexAuthConfig): {
       type: "verifier";
     } | {
       type: "verifierSignature";
-      verifier: string;
       signature: string;
+      verifier: string;
     } | {
+      emails?: {
+        primary?: boolean | undefined;
+        verified?: boolean | undefined;
+        email: string;
+      }[] | undefined;
       accountExtend?: {
         identity?: {
           type?: string | undefined;
@@ -639,8 +740,8 @@ declare function Auth(config_: ConvexAuthConfig): {
       phone?: string | undefined;
       accountId?: string | undefined;
       type: "createVerificationCode";
-      expirationTime: number;
       provider: string;
+      expirationTime: number;
       code: string;
       allowExtraProviders: boolean;
     } | {

package/dist/server/runtime.js

@@ -244,13 +244,14 @@ function Auth(config_) {
 				try {
 					const result = await handleOAuthCallback(providerId, provider, Object.fromEntries(params.entries()), cookies);
 					const oauthCookies = result.cookies;
-					const { id: profileId, ...profileData } = result.profile;
+					const { id: profileId, emails: profileEmails, ...profileData } = result.profile;
 					const { signature } = result;
 					const { redirectTo: stateRedirectTo } = decodeOAuthState(params.get("state") ?? "");
 					const redirUrl = setURLSearchParam(await redirectAbsoluteUrl(ctx, config, { redirectTo: stateRedirectTo ?? void 0 }), "code", await callUserOAuth(ctx, {
 						provider: providerId,
 						providerAccountId: profileId,
 						profile: profileData,
+						emails: profileEmails,
 						signature
 					}));
 					const redirHeaders = new Headers({ Location: redirUrl });
@@ -351,13 +352,14 @@ function Auth(config_) {
 					try {
 						const result = await handleOAuthCallback(providerId, provider, Object.fromEntries(params.entries()), cookies);
 						const oauthCookies = result.cookies;
-						const { id: profileId, ...profileData } = result.profile;
+						const { id: profileId, emails: profileEmails, ...profileData } = result.profile;
 						const { signature } = result;
 						const { redirectTo: stateRedirectTo } = decodeOAuthState(params.get("state") ?? "");
 						const redirUrl = setURLSearchParam(await redirectAbsoluteUrl(ctx, config, { redirectTo: stateRedirectTo ?? void 0 }), "code", await callUserOAuth(ctx, {
 							provider: providerId,
 							providerAccountId: profileId,
 							profile: profileData,
+							emails: profileEmails,
 							signature
 						}));
 						const redirHeaders = new Headers({ Location: redirUrl });
@@ -414,12 +416,12 @@ function Auth(config_) {
 	});
 	const http = Object.assign((options) => request.router(options), httpDelegate);
 	const accountUnlink = async (ctx, args) => {
-		const accountDoc = await ctx.runQuery(config.component.public.accountGetById, { accountId: args.accountId });
+		const accountDoc = await ctx.runQuery(config.component.account.get, { id: args.accountId });
 		if (accountDoc === null) throw convexError({
 			code: "ACCOUNT_NOT_FOUND",
 			message: "Account not found."
 		});
-		await ctx.runMutation(config.component.public.accountDelete, { accountId: args.accountId });
+		await ctx.runMutation(config.component.account.delete, { accountId: args.accountId });
 		const userId = accountDoc.userId;
 		const provider = accountDoc.provider;
 		await config.callbacks?.after?.(ctx, {
@@ -435,12 +437,12 @@ function Auth(config_) {
 		};
 	};
 	const passkeyDelete = async (ctx, args) => {
-		const passkeyDoc = await ctx.runQuery(config.component.public.passkeyGetById, { passkeyId: args.passkeyId });
+		const passkeyDoc = await ctx.runQuery(config.component.factor.passkey.get, { id: args.passkeyId });
 		if (passkeyDoc === null) throw convexError({
 			code: "PASSKEY_NOT_FOUND",
 			message: "Passkey not found."
 		});
-		await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId: args.passkeyId });
+		await ctx.runMutation(config.component.factor.passkey.delete, { passkeyId: args.passkeyId });
 		const userId = passkeyDoc.userId;
 		await config.callbacks?.after?.(ctx, {
 			kind: "passkeyRemoved",
@@ -453,12 +455,12 @@ function Auth(config_) {
 		};
 	};
 	const totpDelete = async (ctx, args) => {
-		const totpDoc = await ctx.runQuery(config.component.public.totpGetById, { totpId: args.totpId });
+		const totpDoc = await ctx.runQuery(config.component.factor.totp.get, { id: args.totpId });
 		if (totpDoc === null) throw convexError({
 			code: "TOTP_NOT_FOUND",
 			message: "TOTP factor not found."
 		});
-		await ctx.runMutation(config.component.public.totpDelete, { totpId: args.totpId });
+		await ctx.runMutation(config.component.factor.totp.delete, { totpId: args.totpId });
 		const userId = totpDoc.userId;
 		await config.callbacks?.after?.(ctx, {
 			kind: "totpRemoved",

package/dist/server/services/group.js

@@ -12,7 +12,7 @@ function createGroupService(deps) {
 	const connectionNotFoundError = "Connection not found.";
 	const getPolicyFromGroup = (group) => normalizeGroupConnectionPolicy(group.policy);
 	const getGroupConnectionSecret$1 = async (ctx, connectionId, kind) => {
-		return await getGroupConnectionSecret(ctx, config.component.public, {
+		return await getGroupConnectionSecret(ctx, config.component.sso, {
 			connectionId,
 			kind
 		});
@@ -24,7 +24,7 @@ function createGroupService(deps) {
 	* merge, so doing them sequentially was costing 30–60ms per OIDC lookup.
 	*/
 	const resolveOidcConfigWithSecret = async (ctx, connectionId, preloadedConnection) => {
-		const [connection, secret] = await Promise.all([preloadedConnection !== void 0 ? Promise.resolve(preloadedConnection) : getGroupConnection(ctx, config.component.public, connectionId), getGroupConnectionSecret$1(ctx, connectionId, "oidc_client_secret")]);
+		const [connection, secret] = await Promise.all([preloadedConnection !== void 0 ? Promise.resolve(preloadedConnection) : getGroupConnection(ctx, config.component.sso, connectionId), getGroupConnectionSecret$1(ctx, connectionId, "oidc_client_secret")]);
 		if (!connection) throw convexError({
 			code: "INVALID_PARAMETERS",
 			message: connectionNotFoundError
@@ -42,7 +42,7 @@ function createGroupService(deps) {
 		};
 	};
 	const loadGroupPolicyOrThrow = async (ctx, groupId) => {
-		const group = await getGroup(ctx, config.component.public, groupId);
+		const group = await getGroup(ctx, config.component.group, groupId);
 		if (!group) throw convexError({
 			code: "INVALID_PARAMETERS",
 			message: "Group not found."
@@ -50,7 +50,7 @@ function createGroupService(deps) {
 		return getPolicyFromGroup(group);
 	};
 	const loadConnectionOrThrow = async (ctx, connectionId) => {
-		const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+		const connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 		if (!connection) throw convexError({
 			code: "INVALID_PARAMETERS",
 			message: connectionNotFoundError
@@ -143,17 +143,17 @@ function createGroupService(deps) {
 	};
 	const recordGroupAuditEvent = async (ctx, data) => {
 		const { ok, ...rest } = data;
-		return await ctx.runMutation(config.component.public.groupAuditEventCreate, {
+		return await ctx.runMutation(config.component.sso.audit.create, {
 			...rest,
 			status: ok ? "success" : "failure",
 			occurredAt: Date.now()
 		});
 	};
 	const emitGroupWebhookDeliveries = async (ctx, data) => {
-		const endpoints = await listWebhookEndpoints(ctx, config.component.public, data.connectionId);
+		const endpoints = await listWebhookEndpoints(ctx, config.component.sso, data.connectionId);
 		for (const endpoint of endpoints) {
 			if (endpoint.status !== "active" || !endpoint.subscriptions.includes(data.eventType)) continue;
-			await ctx.runMutation(config.component.public.groupWebhookDeliveryEnqueue, {
+			await ctx.runMutation(config.component.sso.webhook.delivery.create, {
 				connectionId: data.connectionId,
 				endpointId: endpoint._id,
 				auditEventId: data.auditEventId,
@@ -171,13 +171,13 @@ function createGroupService(deps) {
 		});
 		const token = authHeader.slice(7);
 		const parsedPath = parseScimPath(new URL(request.url).pathname);
-		const scimConfig = await getScimConfigByConnection(ctx, config.component.public, parsedPath.connectionId);
+		const scimConfig = await getScimConfigByConnection(ctx, config.component.sso, parsedPath.connectionId);
 		const tokenHash = await sha256(token);
 		if (!scimConfig || scimConfig.status !== "active" || !scimConfig.tokenHash || !constantTimeEqualHex(tokenHash, scimConfig.tokenHash)) throw convexError({
 			code: "INVALID_API_KEY",
 			message: "Invalid SCIM token."
 		});
-		const connection = await getGroupConnection(ctx, config.component.public, scimConfig.connectionId);
+		const connection = await getGroupConnection(ctx, config.component.sso, scimConfig.connectionId);
 		if (connection === null) throw convexError({
 			code: "INVALID_PARAMETERS",
 			message: connectionNotFoundError

package/dist/server/sso/domain.d.ts

@@ -448,7 +448,7 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
       loginHint?: string;
     }) => Promise<{
       connectionId: string;
-      protocol: "oidc" | "saml";
+      protocol: "saml" | "oidc";
       providerId: string;
       signInPath: string;
       callbackPath: string;