@robelest/convex-auth 0.0.4-preview.32 → 0.0.4-preview.34

package/dist/server/sso/domain.js

@@ -74,18 +74,18 @@ function createGroupConnectionDomain(deps) {
 		connection: {
 			create: async (ctx, data) => {
 				return {
-					connectionId: await createGroupConnection(ctx, config.component.public, data),
+					connectionId: await createGroupConnection(ctx, config.component.sso, data),
 					groupId: data.groupId
 				};
 			},
 			get: async (ctx, connectionId) => {
-				return await getGroupConnection(ctx, config.component.public, connectionId);
+				return await getGroupConnection(ctx, config.component.sso, connectionId);
 			},
 			getByDomain: async (ctx, domain) => {
-				return await getGroupConnectionByDomain(ctx, config.component.public, normalizeDomain(domain));
+				return await getGroupConnectionByDomain(ctx, config.component.sso, normalizeDomain(domain));
 			},
 			list: async (ctx, opts) => {
-				return await listGroupConnections(ctx, config.component.public, {
+				return await listGroupConnections(ctx, config.component.sso, {
 					where: opts?.where,
 					limit: opts?.limit,
 					cursor: opts?.cursor,
@@ -94,18 +94,18 @@ function createGroupConnectionDomain(deps) {
 				});
 			},
 			update: async (ctx, connectionId, data) => {
-				await updateGroupConnection(ctx, config.component.public, {
+				await updateGroupConnection(ctx, config.component.sso, {
 					connectionId,
 					data
 				});
 				return { connectionId };
 			},
 			delete: async (ctx, connectionId) => {
-				await deleteGroupConnection(ctx, config.component.public, connectionId);
+				await deleteGroupConnection(ctx, config.component.sso, connectionId);
 				return { connectionId };
 			},
 			status: async (ctx, connectionId) => {
-				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				const connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 				if (!connection) throw convexError({
 					code: "INVALID_PARAMETERS",
 					message: connectionNotFoundError
@@ -114,8 +114,8 @@ function createGroupConnectionDomain(deps) {
 				const oidcConfig = getOidcConfig(connection.config);
 				const oidcSecret = await getGroupConnectionSecret(ctx, connection._id, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
 				const samlConfig = getSamlConfig(connection.config);
-				const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
-				const domains = await listConnectionDomains(ctx, config.component.public, connectionId);
+				const scimConfig = await getScimConfigByConnection(ctx, config.component.sso, connectionId);
+				const domains = await listConnectionDomains(ctx, config.component.sso, connectionId);
 				const oidcReady = oidcConfig?.enabled === true && typeof oidcConfig?.client?.id === "string" && oidcConfig.client.id.length > 0 && oidcSecret !== null && (typeof oidcConfig?.discovery?.issuer === "string" || typeof oidcConfig?.discovery?.discoveryUrl === "string");
 				const samlReady = samlConfig?.enabled === true && typeof samlConfig?.idp?.entityId === "string";
 				const scimReady = scimConfig?.status === "active";
@@ -149,21 +149,21 @@ function createGroupConnectionDomain(deps) {
 		},
 		domain: {
 			add: async (ctx, data) => {
-				return await addConnectionDomain(ctx, config.component.public, {
+				return await addConnectionDomain(ctx, config.component.sso, {
 					...data,
 					domain: normalizeDomain(data.domain)
 				});
 			},
 			list: async (ctx, connectionId) => {
-				return await listConnectionDomains(ctx, config.component.public, connectionId);
+				return await listConnectionDomains(ctx, config.component.sso, connectionId);
 			},
 			validate: async (ctx, connectionId) => {
-				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				const connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 				if (connection === null) throw convexError({
 					code: "INVALID_PARAMETERS",
 					message: connectionNotFoundError
 				});
-				const domains = await listConnectionDomains(ctx, config.component.public, connectionId);
+				const domains = await listConnectionDomains(ctx, config.component.sso, connectionId);
 				const primaryDomains = domains.filter((domain) => domain.isPrimary);
 				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
 				const warnings = [];
@@ -184,7 +184,7 @@ function createGroupConnectionDomain(deps) {
 				};
 			},
 			status: async (ctx, connectionId) => {
-				const [connection, domains] = await Promise.all([getGroupConnection(ctx, config.component.public, connectionId), listConnectionDomains(ctx, config.component.public, connectionId)]);
+				const [connection, domains] = await Promise.all([getGroupConnection(ctx, config.component.sso, connectionId), listConnectionDomains(ctx, config.component.sso, connectionId)]);
 				if (connection === null) throw convexError({
 					code: "INVALID_PARAMETERS",
 					message: connectionNotFoundError
@@ -192,7 +192,7 @@ function createGroupConnectionDomain(deps) {
 				const primaryDomain = domains.find((domain) => domain.isPrimary) ?? null;
 				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
 				const pendingChallenges = (await Promise.all(domains.map(async (domain) => {
-					const verification = await getConnectionDomainVerification(ctx, config.component.public, domain._id);
+					const verification = await getConnectionDomainVerification(ctx, config.component.sso, domain._id);
 					if (!verification || verification.expiresAt < Date.now()) return null;
 					return {
 						domain: domain.domain,
@@ -245,13 +245,13 @@ function createGroupConnectionDomain(deps) {
 				};
 			},
 			remove: async (ctx, domainId) => {
-				await deleteConnectionDomain(ctx, config.component.public, domainId);
+				await deleteConnectionDomain(ctx, config.component.sso, domainId);
 			},
 			verification: {
 				request: async (ctx, args) => {
 					const connection = await loadConnectionOrThrow(ctx, args.connectionId);
 					const normalizedDomain = normalizeDomain(args.domain);
-					const domain = (await listConnectionDomains(ctx, config.component.public, connection._id)).find((entry) => entry.domain === normalizedDomain);
+					const domain = (await listConnectionDomains(ctx, config.component.sso, connection._id)).find((entry) => entry.domain === normalizedDomain);
 					if (!domain) throw convexError({
 						code: "INVALID_PARAMETERS",
 						message: "Domain is not attached to this connection."
@@ -261,7 +261,7 @@ function createGroupConnectionDomain(deps) {
 					const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
 					const tokenHash = await sha256(token);
 					const recordName = getDomainVerificationRecordName(normalizedDomain);
-					await upsertConnectionDomainVerification(ctx, config.component.public, {
+					await upsertConnectionDomainVerification(ctx, config.component.sso, {
 						connectionId: connection._id,
 						groupId: connection.groupId,
 						domainId: domain._id,
@@ -301,7 +301,7 @@ function createGroupConnectionDomain(deps) {
 				confirm: async (ctx, args) => {
 					const connection = await loadConnectionOrThrow(ctx, args.connectionId);
 					const normalizedDomain = normalizeDomain(args.domain);
-					const domain = (await listConnectionDomains(ctx, config.component.public, connection._id)).find((entry) => entry.domain === normalizedDomain);
+					const domain = (await listConnectionDomains(ctx, config.component.sso, connection._id)).find((entry) => entry.domain === normalizedDomain);
 					if (!domain) throw convexError({
 						code: "INVALID_PARAMETERS",
 						message: "Domain is not attached to this connection."
@@ -316,7 +316,7 @@ function createGroupConnectionDomain(deps) {
 							message: "Domain is already verified."
 						}]
 					};
-					const verification = await getConnectionDomainVerification(ctx, config.component.public, domain._id);
+					const verification = await getConnectionDomainVerification(ctx, config.component.sso, domain._id);
 					const checks = [];
 					if (!verification) {
 						checks.push({
@@ -335,7 +335,7 @@ function createGroupConnectionDomain(deps) {
 						ok: true
 					});
 					if (verification.expiresAt < Date.now()) {
-						await deleteConnectionDomainVerification(ctx, config.component.public, domain._id);
+						await deleteConnectionDomainVerification(ctx, config.component.sso, domain._id);
 						checks.push({
 							name: "challenge_active",
 							ok: false,
@@ -377,7 +377,7 @@ function createGroupConnectionDomain(deps) {
 						checks
 					};
 					const verifiedAt = Date.now();
-					await verifyConnectionDomain(ctx, config.component.public, {
+					await verifyConnectionDomain(ctx, config.component.sso, {
 						domainId: domain._id,
 						verifiedAt
 					});
@@ -407,7 +407,7 @@ function createGroupConnectionDomain(deps) {
 			configure: async (ctx, data) => {
 				let connection;
 				try {
-					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+					connection = await getGroupConnection(ctx, config.component.sso, data.connectionId);
 				} catch {
 					throw convexError({
 						code: "INTERNAL_ERROR",
@@ -493,7 +493,7 @@ function createGroupConnectionDomain(deps) {
 					hasMetadataXml: typeof nextSamlConfig?.idp?.metadataXml === "string"
 				});
 				try {
-					await updateGroupConnection(ctx, config.component.public, {
+					await updateGroupConnection(ctx, config.component.sso, {
 						connectionId: connection._id,
 						data: {
 							status: "active",
@@ -507,7 +507,7 @@ function createGroupConnectionDomain(deps) {
 					});
 				}
 				if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) try {
-					await addConnectionDomain(ctx, config.component.public, {
+					await addConnectionDomain(ctx, config.component.sso, {
 						connectionId: connection._id,
 						groupId: connection.groupId,
 						domain,
@@ -547,7 +547,7 @@ function createGroupConnectionDomain(deps) {
 			refresh: async (ctx, data) => {
 				let connection;
 				try {
-					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+					connection = await getGroupConnection(ctx, config.component.sso, data.connectionId);
 				} catch {
 					throw convexError({
 						code: "INTERNAL_ERROR",
@@ -606,7 +606,7 @@ function createGroupConnectionDomain(deps) {
 					security: samlConfig.security
 				});
 				try {
-					await updateGroupConnection(ctx, config.component.public, {
+					await updateGroupConnection(ctx, config.component.sso, {
 						connectionId: connection._id,
 						data: {
 							status: connection.status,
@@ -644,7 +644,7 @@ function createGroupConnectionDomain(deps) {
 			get: async (ctx, connectionId) => {
 				let connection;
 				try {
-					connection = await getGroupConnection(ctx, config.component.public, connectionId);
+					connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 				} catch {
 					throw convexError({
 						code: "INTERNAL_ERROR",
@@ -658,7 +658,7 @@ function createGroupConnectionDomain(deps) {
 				return getSamlConfig(connection.config);
 			},
 			status: (ctx, connectionId) => {
-				return getGroupConnection(ctx, config.component.public, connectionId).then((connection) => {
+				return getGroupConnection(ctx, config.component.sso, connectionId).then((connection) => {
 					if (!connection) throw convexError({
 						code: "INVALID_PARAMETERS",
 						message: connectionNotFoundError
@@ -679,7 +679,7 @@ function createGroupConnectionDomain(deps) {
 				});
 			},
 			metadata: async (ctx, opts) => {
-				const connection = await getGroupConnection(ctx, config.component.public, opts.connectionId);
+				const connection = await getGroupConnection(ctx, config.component.sso, opts.connectionId);
 				if (!connection) throw convexError({
 					code: "INVALID_PARAMETERS",
 					message: "Connection not found."
@@ -700,7 +700,7 @@ function createGroupConnectionDomain(deps) {
 			},
 			validate: async (ctx, connectionId) => {
 				const checks = [];
-				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				const connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 				if (!connection) return {
 					ok: false,
 					connectionId,
@@ -804,7 +804,7 @@ function createGroupConnectionDomain(deps) {
 				});
 				let connection;
 				try {
-					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+					connection = await getGroupConnection(ctx, config.component.sso, data.connectionId);
 				} catch {
 					throw convexError({
 						code: "INTERNAL_ERROR",
@@ -850,7 +850,7 @@ function createGroupConnectionDomain(deps) {
 					}
 				});
 				try {
-					await updateGroupConnection(ctx, config.component.public, {
+					await updateGroupConnection(ctx, config.component.sso, {
 						connectionId: data.connectionId,
 						data: { config: nextConfig }
 					});
@@ -871,7 +871,7 @@ function createGroupConnectionDomain(deps) {
 						});
 					}
 					try {
-						await upsertGroupConnectionSecret(ctx, config.component.public, {
+						await upsertGroupConnectionSecret(ctx, config.component.sso, {
 							connectionId: data.connectionId,
 							groupId: connection.groupId,
 							kind: GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND,
@@ -922,7 +922,7 @@ function createGroupConnectionDomain(deps) {
 			get: async (ctx, connectionId) => {
 				let connection;
 				try {
-					connection = await getGroupConnection(ctx, config.component.public, connectionId);
+					connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 				} catch {
 					throw convexError({
 						code: "INTERNAL_ERROR",
@@ -945,7 +945,7 @@ function createGroupConnectionDomain(deps) {
 				return withOidcSecretState(getPublicOidcConfig(connection.config), secret !== null);
 			},
 			status: (ctx, connectionId) => {
-				return Promise.all([getGroupConnection(ctx, config.component.public, connectionId), getGroupConnectionSecret(ctx, connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND)]).then(([connection, secret]) => {
+				return Promise.all([getGroupConnection(ctx, config.component.sso, connectionId), getGroupConnectionSecret(ctx, connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND)]).then(([connection, secret]) => {
 					if (!connection) throw convexError({
 						code: "INVALID_PARAMETERS",
 						message: connectionNotFoundError
@@ -980,7 +980,7 @@ function createGroupConnectionDomain(deps) {
 				let connection;
 				if (data.connectionId !== void 0) {
 					try {
-						connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+						connection = await getGroupConnection(ctx, config.component.sso, data.connectionId);
 					} catch {
 						throw convexError({
 							code: "INTERNAL_ERROR",
@@ -994,7 +994,7 @@ function createGroupConnectionDomain(deps) {
 				} else if (data.domain !== void 0 || data.email !== void 0) {
 					let result;
 					try {
-						result = await getGroupConnectionByDomain(ctx, config.component.public, normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? ""));
+						result = await getGroupConnectionByDomain(ctx, config.component.sso, normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? ""));
 					} catch {
 						throw convexError({
 							code: "INTERNAL_ERROR",
@@ -1066,7 +1066,7 @@ function createGroupConnectionDomain(deps) {
 			},
 			validate: async (ctx, connectionId) => {
 				const checks = [];
-				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				const connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 				if (!connection) return {
 					ok: false,
 					connectionId,
@@ -1162,7 +1162,7 @@ function createGroupConnectionDomain(deps) {
 				return await recordGroupAuditEvent(ctx, data);
 			},
 			list: async (ctx, data) => {
-				return await listAuditEvents(ctx, config.component.public, data);
+				return await listAuditEvents(ctx, config.component.sso, data);
 			}
 		},
 		webhook

package/dist/server/sso/http.js

@@ -349,7 +349,7 @@ function addGroupHttpRuntime(deps) {
 					where: { groupId: state$1.connection.groupId },
 					limit: 100
 				});
-				const identities = await listScimIdentitiesByConnection(state$1.ctx, config.component.public, state$1.connection._id);
+				const identities = await listScimIdentitiesByConnection(state$1.ctx, config.component.sso, state$1.connection._id);
 				const identityByUserId = new Map(identities.filter((identity) => typeof identity.userId === "string").map((identity) => [identity.userId, identity]));
 				const users = (await Promise.all(members.items.map(async (member) => {
 					const user = await auth.user.get(state$1.ctx, member.userId);
@@ -414,7 +414,7 @@ function addGroupHttpRuntime(deps) {
 					profile: extracted
 				}) ?? extracted;
 				const externalId = provisionProfile.externalId;
-				const existingIdentity = externalId ? await getScimIdentity(state$1.ctx, config.component.public, {
+				const existingIdentity = externalId ? await getScimIdentity(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					resourceType: "user",
 					externalId
@@ -426,7 +426,7 @@ function addGroupHttpRuntime(deps) {
 					groups: provisionProfile.groups,
 					roles: provisionProfile.roles
 				});
-				const userId = existingUser?._id ? existingUser._id : await insertUser(state$1.ctx, config.component.public, {
+				const userId = existingUser?._id ? existingUser._id : await insertUser(state$1.ctx, config.component.user, {
 					name: provisionProfile.name,
 					...typeof provisionProfile.firstName === "string" ? { firstName: provisionProfile.firstName } : {},
 					...typeof provisionProfile.lastName === "string" ? { lastName: provisionProfile.lastName } : {},
@@ -438,7 +438,7 @@ function addGroupHttpRuntime(deps) {
 				});
 				if (created && externalId) {
 					const providerId = state$1.connection.protocol === "oidc" ? groupOidcProviderId(state$1.connection._id) : groupSamlProviderId(state$1.connection._id);
-					await insertAccount(state$1.ctx, config.component.public, {
+					await insertAccount(state$1.ctx, config.component.account, {
 						userId,
 						provider: providerId,
 						providerAccountId: externalId
@@ -461,7 +461,7 @@ function addGroupHttpRuntime(deps) {
 						policy: state$1.policy.provisioning.user,
 						source: "scim"
 					});
-					if (Object.keys(patchData).length > 0) await patchUser(state$1.ctx, config.component.public, {
+					if (Object.keys(patchData).length > 0) await patchUser(state$1.ctx, config.component.user, {
 						userId,
 						data: patchData
 					});
@@ -477,7 +477,7 @@ function addGroupHttpRuntime(deps) {
 					roleIds: provisionedRoleIds,
 					status: provisionProfile.active === false ? "inactive" : "active"
 				});
-				if (externalId) await upsertScimIdentity(state$1.ctx, config.component.public, {
+				if (externalId) await upsertScimIdentity(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					groupId: state$1.connection.groupId,
 					resourceType: "user",
@@ -510,7 +510,7 @@ function addGroupHttpRuntime(deps) {
 				const userId = state$1.parsedPath.resourceId;
 				const existingUser = await auth.user.get(state$1.ctx, userId);
 				if (!existingUser) return scimError(404, "notFound", "User not found.");
-				const existingIdentity = await getScimIdentityByConnectionAndUser(state$1.ctx, config.component.public, {
+				const existingIdentity = await getScimIdentityByConnectionAndUser(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					userId
 				});
@@ -593,7 +593,7 @@ function addGroupHttpRuntime(deps) {
 					policy: state$1.policy.provisioning.user,
 					source: "scim"
 				});
-				if (Object.keys(nextPatchData).length > 0) await patchUser(state$1.ctx, config.component.public, {
+				if (Object.keys(nextPatchData).length > 0) await patchUser(state$1.ctx, config.component.user, {
 					userId,
 					data: nextPatchData
 				});
@@ -606,7 +606,7 @@ function addGroupHttpRuntime(deps) {
 					}),
 					status: provisionProfile.active === false || nextActive === false ? "inactive" : "active"
 				});
-				await upsertScimIdentity(state$1.ctx, config.component.public, {
+				await upsertScimIdentity(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					groupId: state$1.connection.groupId,
 					resourceType: "user",
@@ -637,7 +637,7 @@ function addGroupHttpRuntime(deps) {
 				const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
 				if (missing) return missing;
 				const userId = state$1.parsedPath.resourceId;
-				const identity = await getScimIdentityByConnectionAndUser(state$1.ctx, config.component.public, {
+				const identity = await getScimIdentityByConnectionAndUser(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					userId
 				});
@@ -647,8 +647,8 @@ function addGroupHttpRuntime(deps) {
 					userId
 				});
 				if (resolution.membership) await auth.member.delete(state$1.ctx, resolution.membership._id);
-				if (state$1.policy.provisioning.deprovision.mode === "hard") await deleteScimIdentity(state$1.ctx, config.component.public, identity._id);
-				else await upsertScimIdentity(state$1.ctx, config.component.public, {
+				if (state$1.policy.provisioning.deprovision.mode === "hard") await deleteScimIdentity(state$1.ctx, config.component.sso, identity._id);
+				else await upsertScimIdentity(state$1.ctx, config.component.sso, {
 					connectionId: identity.connectionId,
 					groupId: identity.groupId,
 					resourceType: identity.resourceType,
@@ -667,7 +667,7 @@ function addGroupHttpRuntime(deps) {
 					where: { parentGroupId: state$1.connection.groupId },
 					limit: 100
 				});
-				const identities = await listScimIdentitiesByConnection(state$1.ctx, config.component.public, state$1.connection._id);
+				const identities = await listScimIdentitiesByConnection(state$1.ctx, config.component.sso, state$1.connection._id);
 				const identityByGroupId = new Map(identities.filter((identity) => typeof identity.mappedGroupId === "string").map((identity) => [identity.mappedGroupId, identity]));
 				const groups = await Promise.all(groupsList.items.map(async (group) => {
 					const typedGroup = group;
@@ -727,7 +727,7 @@ function addGroupHttpRuntime(deps) {
 			const handleGroupsPost = async (state$1) => {
 				const body = await readScimJson(state$1.request);
 				const externalId = typeof body.externalId === "string" ? body.externalId : void 0;
-				const existingIdentity = externalId ? await getScimIdentity(state$1.ctx, config.component.public, {
+				const existingIdentity = externalId ? await getScimIdentity(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					resourceType: "group",
 					externalId
@@ -760,7 +760,7 @@ function addGroupHttpRuntime(deps) {
 						})).items.map((member) => ({ value: member.userId }))
 					}), 200, { Location: location$1 });
 				}
-				await upsertScimIdentity(state$1.ctx, config.component.public, {
+				await upsertScimIdentity(state$1.ctx, config.component.sso, {
 					connectionId: state$1.connection._id,
 					groupId: state$1.connection.groupId,
 					resourceType: "group",
@@ -810,7 +810,7 @@ function addGroupHttpRuntime(deps) {
 				const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
 				if (missing) return missing;
 				const groupId = state$1.parsedPath.resourceId;
-				const identity = await getScimIdentityByMappedGroup(state$1.ctx, config.component.public, groupId);
+				const identity = await getScimIdentityByMappedGroup(state$1.ctx, config.component.sso, groupId);
 				if (!identity || identity.connectionId !== state$1.connection._id) return scimError(404, "notFound", "Group not found.");
 				const body = await readScimJson(state$1.request);
 				const operations = Array.isArray(body.Operations) ? body.Operations : unsupportedScimPatch();
@@ -906,10 +906,10 @@ function addGroupHttpRuntime(deps) {
 				const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
 				if (missing) return missing;
 				const groupId = state$1.parsedPath.resourceId;
-				const identity = await getScimIdentityByMappedGroup(state$1.ctx, config.component.public, groupId);
+				const identity = await getScimIdentityByMappedGroup(state$1.ctx, config.component.sso, groupId);
 				if (!identity || identity.connectionId !== state$1.connection._id) return scimError(404, "notFound", "Group not found.");
 				await auth.group.delete(state$1.ctx, groupId);
-				await deleteScimIdentity(state$1.ctx, config.component.public, identity._id);
+				await deleteScimIdentity(state$1.ctx, config.component.sso, identity._id);
 				await state$1.recordScimEvent("group.sso.scim.group.deleted", true, "group", groupId);
 				return new Response(null, { status: 204 });
 			};

package/dist/server/sso/oidc.js

@@ -313,7 +313,7 @@ function createSyntheticOAuthMaterializedConfig(providerId, options) {
 		type: "oauth",
 		provider: null,
 		scopes: [],
-		accountLinking: options?.accountLinking ?? "verifiedEmail"
+		accountLinking: options?.accountLinking ?? "sameConnection"
 	};
 }
 /** @internal */

package/dist/server/sso/policies.js

@@ -11,13 +11,13 @@ function createGroupPolicyDomain(deps) {
 			return await loadGroupPolicyOrThrow(ctx, groupId);
 		},
 		update: async (ctx, groupId, patch) => {
-			const group = await getGroup(ctx, config.component.public, groupId);
+			const group = await getGroup(ctx, config.component.group, groupId);
 			if (!group) throw convexError({
 				code: "INVALID_PARAMETERS",
 				message: "Group not found."
 			});
 			const policy = patchGroupConnectionPolicy(group.policy, patch);
-			await ctx.runMutation(config.component.public.groupUpdate, {
+			await ctx.runMutation(config.component.group.update, {
 				groupId,
 				data: { policy }
 			});
@@ -33,7 +33,7 @@ function createGroupPolicyDomain(deps) {
 			return policy;
 		},
 		validate: async (ctx, groupId) => {
-			if (!await getGroup(ctx, config.component.public, groupId)) return {
+			if (!await getGroup(ctx, config.component.group, groupId)) return {
 				ok: false,
 				groupId,
 				checks: [{

package/dist/server/sso/policy.js

@@ -4,8 +4,8 @@ import { asRecord } from "./shared.js";
 const DEFAULT_GROUP_CONNECTION_POLICY = {
 	version: 1,
 	identity: { accountLinking: {
-		oidc: "verifiedEmail",
-		saml: "verifiedEmail"
+		oidc: "sameConnection",
+		saml: "sameConnection"
 	} },
 	provisioning: {
 		user: {
@@ -56,8 +56,16 @@ function normalizeGroupConnectionPolicy(policy) {
 	return {
 		version: 1,
 		identity: { accountLinking: {
-			oidc: oneOf(accountLinking.oidc, ["none"], d.identity.accountLinking.oidc),
-			saml: oneOf(accountLinking.saml, ["none"], d.identity.accountLinking.saml)
+			oidc: oneOf(accountLinking.oidc, [
+				"none",
+				"verifiedEmail",
+				"sameConnection"
+			], d.identity.accountLinking.oidc),
+			saml: oneOf(accountLinking.saml, [
+				"none",
+				"verifiedEmail",
+				"sameConnection"
+			], d.identity.accountLinking.saml)
 		} },
 		provisioning: {
 			user: {

package/dist/server/sso/provision.js

@@ -11,7 +11,7 @@ function createGroupScimDomain(deps) {
 	const getScimBasePath = (connectionId) => `${requireEnv("CONVEX_SITE_URL")}/connections/${connectionId}/scim/v2`;
 	const validateScim = async (ctx, connectionId) => {
 		const checks = [];
-		const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+		const connection = await getGroupConnection(ctx, config.component.sso, connectionId);
 		if (!connection) return {
 			ok: false,
 			connectionId,
@@ -22,7 +22,7 @@ function createGroupScimDomain(deps) {
 			}]
 		};
 		const policy = await loadGroupPolicyOrThrow(ctx, connection.groupId);
-		const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
+		const scimConfig = await getScimConfigByConnection(ctx, config.component.sso, connectionId);
 		const hasConfig = scimConfig !== null && scimConfig !== void 0;
 		checks.push({
 			name: "scim_config_exists",
@@ -87,7 +87,7 @@ function createGroupScimDomain(deps) {
 	};
 	return {
 		configure: async (ctx, data) => {
-			const connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+			const connection = await getGroupConnection(ctx, config.component.sso, data.connectionId);
 			if (connection === null) throw convexError({
 				code: "INVALID_PARAMETERS",
 				message: "Connection not found."
@@ -95,7 +95,7 @@ function createGroupScimDomain(deps) {
 			const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
 			const tokenHash = await sha256(rawToken);
 			const basePath = getScimBasePath(connection._id);
-			const configId = await upsertScimConfig(ctx, config.component.public, {
+			const configId = await upsertScimConfig(ctx, config.component.sso, {
 				connectionId: connection._id,
 				groupId: connection.groupId,
 				status: data.status ?? "active",
@@ -133,7 +133,7 @@ function createGroupScimDomain(deps) {
 			};
 		},
 		get: async (ctx, connectionId) => {
-			const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
+			const scimConfig = await getScimConfigByConnection(ctx, config.component.sso, connectionId);
 			if (!scimConfig) return null;
 			const shape = getScimConfigShape(scimConfig);
 			return {
@@ -143,7 +143,7 @@ function createGroupScimDomain(deps) {
 			};
 		},
 		status: async (ctx, connectionId) => {
-			const currentConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
+			const currentConfig = await getScimConfigByConnection(ctx, config.component.sso, connectionId);
 			const result = await validateScim(ctx, connectionId);
 			return {
 				connectionId,
@@ -155,17 +155,17 @@ function createGroupScimDomain(deps) {
 			};
 		},
 		getConfigByToken: async (ctx, token) => {
-			return await getScimConfigByTokenHash(ctx, config.component.public, await sha256(token));
+			return await getScimConfigByTokenHash(ctx, config.component.sso, await sha256(token));
 		},
 		validate: async (ctx, connectionId) => {
 			return await validateScim(ctx, connectionId);
 		},
 		identity: {
 			get: async (ctx, data) => {
-				return await getScimIdentity(ctx, config.component.public, data);
+				return await getScimIdentity(ctx, config.component.sso, data);
 			},
 			upsert: async (ctx, data) => {
-				return await upsertScimIdentity(ctx, config.component.public, {
+				return await upsertScimIdentity(ctx, config.component.sso, {
 					...data,
 					lastProvisionedAt: Date.now()
 				});

package/dist/server/sso/validators.js

@@ -6,8 +6,8 @@ const groupConnectionStatusValidator = v.union(v.literal("draft"), v.literal("ac
 /** @internal Structured validator for mounted group policy patch payloads. */
 const groupPolicyPatchValidator = v.object({
 	identity: v.optional(v.object({ accountLinking: v.optional(v.object({
-		oidc: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none"))),
-		saml: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none")))
+		oidc: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none"), v.literal("sameConnection"))),
+		saml: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none"), v.literal("sameConnection")))
 	})) })),
 	provisioning: v.optional(v.object({
 		user: v.optional(v.object({