@robelest/convex-auth 0.0.4-preview.5 → 0.0.4-preview.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/dist/client/index.d.ts.map +1 -1
  2. package/dist/client/index.js +1 -10
  3. package/dist/client/index.js.map +1 -1
  4. package/dist/component/convex.config.d.ts +2 -2
  5. package/dist/component/convex.config.d.ts.map +1 -1
  6. package/dist/component/schema.d.ts +35 -35
  7. package/dist/component/server/implementation/tokens.js +4 -2
  8. package/dist/component/server/implementation/tokens.js.map +1 -1
  9. package/dist/server/auth.d.ts +50 -50
  10. package/dist/server/implementation/index.d.ts +12 -12
  11. package/dist/server/implementation/mutations/account.d.ts +8 -8
  12. package/dist/server/implementation/mutations/account.d.ts.map +1 -1
  13. package/dist/server/implementation/mutations/code.d.ts +12 -12
  14. package/dist/server/implementation/mutations/code.d.ts.map +1 -1
  15. package/dist/server/implementation/mutations/index.d.ts +103 -103
  16. package/dist/server/implementation/mutations/index.d.ts.map +1 -1
  17. package/dist/server/implementation/mutations/invalidate.d.ts +4 -4
  18. package/dist/server/implementation/mutations/invalidate.d.ts.map +1 -1
  19. package/dist/server/implementation/mutations/oauth.d.ts +8 -8
  20. package/dist/server/implementation/mutations/refresh.d.ts +3 -3
  21. package/dist/server/implementation/mutations/refresh.d.ts.map +1 -1
  22. package/dist/server/implementation/mutations/register.d.ts +11 -11
  23. package/dist/server/implementation/mutations/retrieve.d.ts +8 -8
  24. package/dist/server/implementation/mutations/signature.d.ts +4 -4
  25. package/dist/server/implementation/mutations/signin.d.ts +5 -5
  26. package/dist/server/implementation/mutations/signin.d.ts.map +1 -1
  27. package/dist/server/implementation/mutations/verify.d.ts +10 -10
  28. package/dist/server/implementation/tokens.d.ts.map +1 -1
  29. package/dist/server/implementation/tokens.js +4 -2
  30. package/dist/server/implementation/tokens.js.map +1 -1
  31. package/dist/server/providers.d.ts +8 -8
  32. package/dist/server/providers.d.ts.map +1 -1
  33. package/dist/server/version.d.ts +1 -1
  34. package/dist/server/version.js +1 -1
  35. package/dist/server/version.js.map +1 -1
  36. package/package.json +1 -1
  37. package/src/client/index.ts +3 -9
  38. package/src/server/implementation/tokens.ts +5 -1
  39. package/src/server/version.ts +1 -1
package/dist/client/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":[],"sources":["../../src/client/index.ts"],"mappings":";;;;;;AAU0B;;;;;;;UAWhB,eAAA;EACR,MAAA,CAAO,MAAA,OAAa,IAAA,QAAY,OAAA;EAChC,OAAA,CACE,UAAA,GAAa,IAAA;IACX,iBAAA;EAAA,MACI,OAAA,6BACN,QAAA,IAAY,eAAA;EAEd,SAAA;AAAA;;UAIe,OAAA;EACf,OAAA,CACE,GAAA,uCAC6B,OAAA;EAC/B,OAAA,CAAQ,GAAA,UAAa,KAAA,kBAAuB,OAAA;EAC5C,UAAA,CAAW,GAAA,kBAAqB,OAAA;AAAA;;;;;;;KActB,gBAAA;EAjBR,+DAmBF,UAAA,UAjBA;EAmBA,QAAA,UAnBqB;EAqBrB,eAAA,UApBA;EAsBA,uBAAA,UAtBgC;EAwBhC,SAAA,UAxBuC;EA0BvC,QAAA;AAAA;;;;;;;;;;KAYU,YAAA;EAAA,mEAEV,SAAA;EAEA,QAAA,GAAW,GAAA,EAFX;EAIA,YAAA,YAFW;EAIX,UAAA,GAAa,gBAAA,EAAb;EAEA,QAAA;AAAA;;KAIU,SAAA;EAAA,iEAEV,KAAA;EAEA,SAAA,WAFA;EAIA,eAAA;EAEA,KAAA;AAAA;;KAIU,aAAA;EAAa,iEAEvB,MAAA,EAAQ,eAAA;EAAA;;;;EAKR,GAAA;EALA;;;;;;;EAaA,OAAA,GAAU,OAAA,SAYV;EAVA,UAAA,IAAc,WAAA,oBAA+B,OAAA;EAkBxC;;AA6EP;;;;;;;EArFE,KAAA;EAylBW;;;;;;;EAjlBX,KAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA6Ec,MAAA,CAAO,OAAA,EAAS,aAAA;EAs5BxB,mDAwgBS,SAAA,EAtgBV;8BAtZc,IAAA,GACV,QAAA,GAAW,MAAA,SAAe,KAAA,MAChC,OAAA,CAAQ,YAAA;gCA0iBkB;kBAzTN,KAAA,EAAO,SAAA,4BA0TzB;;;;;;;;;;;;;;;+BAlM4B,OAAA;;;;;;;;;;;;;;;;;;;;;;;MAsC3B,IAAA;MACA,KAAA;MACA,QAAA;MACA,eAAA;IAAA,MAED,OAAA,CAAQ,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAsJA,KAAA;MAAgB,QAAA;IAAA,MACxB,OAAA,CAAQ,YAAA;EAAA;;;;;;;;;;;;;;MAwHA,IAAA;MAAe,WAAA;IAAA,MACvB,OAAA;MAAU,GAAA;MAAa,MAAA;MAAgB,QAAA;MAAkB,MAAA;IAAA;;;;;;;;;MA4B1D,IAAA;MACA,QAAA;MACA,MAAA;IAAA,MACE,OAAA;;;;;;;;;;;;;;MAkDmB,IAAA;MAAc,QAAA;IAAA,MAAqB,OAAA;EAAA;;;;;;;;;;;;;;;;;;;;;iBA0DvC,gBAAA,KAAmB,OAAA;;;;;;;;;;;;;;kCAqFJ,OAAA;EAAA"}
1
+ {"version":3,"file":"index.d.ts","names":[],"sources":["../../src/client/index.ts"],"mappings":";;;;;;AAU0B;;;;;;;UAWhB,eAAA;EACR,MAAA,CAAO,MAAA,OAAa,IAAA,QAAY,OAAA;EAChC,OAAA,CACE,UAAA,GAAa,IAAA;IACX,iBAAA;EAAA,MACI,OAAA,6BACN,QAAA,IAAY,eAAA;EAEd,SAAA;AAAA;;UAIe,OAAA;EACf,OAAA,CACE,GAAA,uCAC6B,OAAA;EAC/B,OAAA,CAAQ,GAAA,UAAa,KAAA,kBAAuB,OAAA;EAC5C,UAAA,CAAW,GAAA,kBAAqB,OAAA;AAAA;;;;;;;KActB,gBAAA;EAjBR,+DAmBF,UAAA,UAjBA;EAmBA,QAAA,UAnBqB;EAqBrB,eAAA,UApBA;EAsBA,uBAAA,UAtBgC;EAwBhC,SAAA,UAxBuC;EA0BvC,QAAA;AAAA;;;;;;;;;;KAYU,YAAA;EAAA,mEAEV,SAAA;EAEA,QAAA,GAAW,GAAA,EAFX;EAIA,YAAA,YAFW;EAIX,UAAA,GAAa,gBAAA,EAAb;EAEA,QAAA;AAAA;;KAIU,SAAA;EAAA,iEAEV,KAAA;EAEA,SAAA,WAFA;EAIA,eAAA;EAEA,KAAA;AAAA;;KAIU,aAAA;EAAa,iEAEvB,MAAA,EAAQ,eAAA;EAAA;;;;EAKR,GAAA;EALA;;;;;;;EAaA,OAAA,GAAU,OAAA,SAYV;EAVA,UAAA,IAAc,WAAA,oBAA+B,OAAA;EAkBxC;;AA6EP;;;;;;;EArFE,KAAA;EAmlBW;;;;;;;EA3kBX,KAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA6Ec,MAAA,CAAO,OAAA,EAAS,aAAA;EAg5BxB,mDAwgBS,SAAA,EAtgBV;8BAtZc,IAAA,GACV,QAAA,GAAW,MAAA,SAAe,KAAA,MAChC,OAAA,CAAQ,YAAA;gCA0iBkB;kBAzTN,KAAA,EAAO,SAAA,4BA0TzB;;;;;;;;;;;;;;;+BAlM4B,OAAA;;;;;;;;;;;;;;;;;;;;;;;MAsC3B,IAAA;MACA,KAAA;MACA,QAAA;MACA,eAAA;IAAA,MAED,OAAA,CAAQ,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAsJA,KAAA;MAAgB,QAAA;IAAA,MACxB,OAAA,CAAQ,YAAA;EAAA;;;;;;;;;;;;;;MAwHA,IAAA;MAAe,WAAA;IAAA,MACvB,OAAA;MAAU,GAAA;MAAa,MAAA;MAAgB,QAAA;MAAkB,MAAA;IAAA;;;;;;;;;MA4B1D,IAAA;MACA,QAAA;MACA,MAAA;IAAA,MACE,OAAA;;;;;;;;;;;;;;MAkDmB,IAAA;MAAc,QAAA;IAAA,MAAqB,OAAA;EAAA;;;;;;;;;;;;;;;;;;;;;iBA0DvC,gBAAA,KAAmB,OAAA;;;;;;;;;;;;;;kCAqFJ,OAAA;EAAA"}
package/dist/client/index.js CHANGED
@@ -143,16 +143,7 @@ function client(options) {
143
143
  authConfirmed = true;
144
144
  handshakePending = false;
145
145
  settleHandshakeWaiters(authEpoch, { type: "resolve" });
146
- } else {
147
- authConfirmed = false;
148
- if (token !== null && handshakePending) {
149
- handshakePending = false;
150
- settleHandshakeWaiters(authEpoch, {
151
- type: "reject",
152
- error: createHandshakeError("AUTH_HANDSHAKE_REJECTED", { reason: "convex_rejected" })
153
- });
154
- }
155
- }
146
+ } else authConfirmed = false;
156
147
  if (updateSnapshot()) notify();
157
148
  };
158
149
  const notify = () => {
package/dist/client/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["url","result","options"],"sources":["../../src/client/index.ts"],"sourcesContent":["import { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError, Value } from \"convex/values\";\nimport { AUTH_ERRORS } from \"../server/errors\";\n\n// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.\nexport {\n isAuthError,\n parseAuthError,\n AUTH_ERRORS,\n type AuthErrorCode,\n} from \"../server/errors\";\n\n/**\n * Structural interface for any Convex client.\n * Satisfied by `ConvexClient` (`convex/browser`),\n * `ConvexReactClient` (`convex/react`), and similar transports.\n *\n * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`\n * but not on the simplified `ConvexClient`. When available we call it\n * during sign-out for a clean deauthentication.\n */\ninterface ConvexTransport {\n action(action: any, args: any): Promise<any>;\n setAuth(\n fetchToken: (args: {\n forceRefreshToken: boolean;\n }) => Promise<string | null | undefined>,\n onChange?: (isAuthenticated: boolean) => void,\n ): void;\n clearAuth?(): void;\n}\n\n/** Pluggable key-value storage (defaults to `localStorage`). */\nexport interface Storage {\n getItem(\n key: string,\n ): string | null | undefined | Promise<string | null | undefined>;\n setItem(key: string, value: string): void | Promise<void>;\n removeItem(key: string): void | Promise<void>;\n}\n\ntype AuthSession = {\n token: string;\n refreshToken: string;\n};\n\n/**\n * Device code response returned when signing in with the `\"device\"` provider.\n *\n * The device displays the `userCode` (or `verificationUriComplete`) and\n * polls via `auth.device.poll()` until the user authorizes.\n */\nexport type DeviceCodeResult = {\n /** High-entropy device code used for polling (keep secret). */\n deviceCode: string;\n /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n userCode: string;\n /** Base verification URL (e.g. \"https://myapp.com/device\"). */\n verificationUri: string;\n /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */\n verificationUriComplete: string;\n /** Lifetime of the codes in seconds. */\n expiresIn: number;\n /** Minimum polling interval in seconds. */\n interval: number;\n};\n\n/**\n * Result of a `signIn` call.\n *\n * - `signingIn: true` — credentials were accepted and the user is authenticated.\n * - `redirect` — OAuth flow initiated; redirect the user to `redirect.toString()`.\n * - `totpRequired` — credentials valid but 2FA is needed; call `auth.totp.verify()`.\n * - `deviceCode` — device flow initiated; display the code and poll via `auth.device.poll()`.\n * - `verifier` — opaque string for multi-step flows (TOTP, passkey).\n */\nexport type SignInResult = {\n /** `true` when sign-in completed and the user is authenticated. */\n signingIn: boolean;\n /** OAuth redirect URL. Present when the provider requires a browser redirect. */\n redirect?: URL;\n /** `true` when the account has TOTP enabled and a code is required. */\n totpRequired?: boolean;\n /** Device code response for the device authorization flow (RFC 8628). */\n deviceCode?: DeviceCodeResult;\n /** Opaque verifier for multi-step flows (pass to `totp.verify` or passkey phase 2). */\n verifier?: string;\n};\n\n/** Reactive auth state snapshot returned by `auth.state` and `auth.onChange`. */\nexport type AuthState = {\n /** High-level auth phase for deterministic UI state handling. */\n phase: \"loading\" | \"handshake\" | \"authenticated\" | \"unauthenticated\";\n /** `true` during initial hydration before the first token is resolved. */\n isLoading: boolean;\n /** `true` only after Convex confirms authentication with the backend. */\n isAuthenticated: boolean;\n /** The raw JWT string, or `null` when not authenticated. */\n token: string | null;\n};\n\n/** Options for {@link client}. */\nexport type ClientOptions = {\n /** Any Convex client (`ConvexClient` or `ConvexReactClient`). */\n convex: ConvexTransport;\n /**\n * Convex deployment URL. Derived automatically from the client internals\n * when omitted — pass explicitly only if auto-detection fails.\n */\n url?: string;\n /**\n * Key-value storage for persisting tokens.\n *\n * - Defaults to `localStorage` in SPA mode.\n * - Defaults to `null` (in-memory only) when `proxy` is set,\n * since httpOnly cookies handle persistence.\n */\n storage?: Storage | null;\n /** Override how the URL bar is updated after OAuth code exchange. */\n replaceURL?: (relativeUrl: string) => void | Promise<void>;\n /**\n * SSR proxy endpoint (e.g. `\"/api/auth\"`).\n *\n * When set, `signIn`/`signOut`/token refresh POST to this URL\n * (with `credentials: \"include\"`) instead of calling Convex directly.\n * The server handles httpOnly cookies for token persistence.\n *\n * Pair with {@link ClientOptions.token} for flash-free SSR hydration.\n */\n proxy?: string;\n /**\n * JWT from server-side hydration.\n *\n * In proxy mode the server reads the JWT from an httpOnly cookie\n * and passes it to the client during SSR. This avoids a loading\n * flash on first render — the client is immediately authenticated.\n */\n token?: string | null;\n};\n\nconst VERIFIER_STORAGE_KEY = \"__convexAuthOAuthVerifier\";\nconst JWT_STORAGE_KEY = \"__convexAuthJWT\";\nconst REFRESH_TOKEN_STORAGE_KEY = \"__convexAuthRefreshToken\";\n\nconst RETRY_BACKOFF = [500, 2000];\nconst RETRY_JITTER = 100;\nconst AUTH_HANDSHAKE_TIMEOUT_MS = 5000;\n\ntype AuthHandshakeErrorCode =\n | \"AUTH_HANDSHAKE_TIMEOUT\"\n | \"AUTH_HANDSHAKE_REJECTED\";\n\ntype AuthFlowContext = {\n provider?: string;\n flow: string;\n};\n\ntype HandshakeWaiter = {\n epoch: number;\n context: AuthFlowContext;\n resolve: () => void;\n reject: (error: ConvexError<Value>) => void;\n timeoutId: ReturnType<typeof setTimeout>;\n};\n\n/**\n * Resolve the Convex deployment URL from the client.\n *\n * `ConvexReactClient` exposes `.url` directly.\n * `ConvexClient` exposes `.client.url` via `BaseConvexClient`.\n */\nfunction resolveUrl(convex: ConvexTransport, explicit?: string): string {\n if (explicit) return explicit;\n const c = convex as any;\n const url: unknown = c.url ?? c.client?.url;\n if (typeof url === \"string\") return url;\n throw new Error(\n \"Could not determine Convex deployment URL. Pass `url` explicitly.\",\n );\n}\n\n/**\n * Create a framework-agnostic auth client.\n *\n * Returns an object with `signIn`, `signOut`, `onChange`, `state`,\n * `passkey`, and `totp` — everything needed for client-side auth.\n *\n * ### SPA mode (default)\n *\n * ```ts\n * import { ConvexClient } from 'convex/browser';\n * import { client } from '@robelest/convex-auth/client';\n *\n * const convex = new ConvexClient(CONVEX_URL);\n * const auth = client({ convex });\n * ```\n *\n * ### SSR / proxy mode\n *\n * ```ts\n * const auth = client({\n * convex,\n * proxy: '/api/auth',\n * token: tokenFromServer, // JWT read from httpOnly cookie during SSR\n * });\n * ```\n *\n * In proxy mode all auth operations go through the proxy URL.\n * Tokens are stored in httpOnly cookies server-side — the client\n * holds the JWT in memory only.\n *\n * @param options - Client configuration. See {@link ClientOptions}.\n * @returns Auth client with `signIn`, `signOut`, `onChange`, `state`, `passkey`, and `totp`.\n */\nexport function client(options: ClientOptions) {\n const { convex, proxy } = options;\n\n // In proxy mode, default storage to null (cookies handle persistence).\n const storage =\n options.storage !== undefined\n ? options.storage\n : proxy\n ? null\n : typeof window === \"undefined\"\n ? null\n : window.localStorage;\n\n const replaceURL =\n options.replaceURL ??\n ((url: string) => {\n if (typeof window !== \"undefined\") {\n window.history.replaceState({}, \"\", url);\n }\n });\n\n const url = proxy ? undefined : resolveUrl(convex, options.url);\n const escapedNamespace = proxy\n ? proxy.replace(/[^a-zA-Z0-9]/g, \"\")\n : url!.replace(/[^a-zA-Z0-9]/g, \"\");\n const key = (name: string) => `${name}_${escapedNamespace}`;\n const subscribers = new Set<() => void>();\n let disposeStorageListener: (() => void) | null = null;\n\n // Unauthenticated HTTP client for code verification & OAuth exchange.\n // Only needed in SPA mode — proxy mode routes everything through the proxy.\n const httpClient = proxy ? null : new ConvexHttpClient(url!);\n\n // ---------------------------------------------------------------------------\n // State\n // ---------------------------------------------------------------------------\n\n // If a server-provided token was supplied (SSR hydration), treat it as\n // immediately authenticated to avoid a handshake-only loading screen.\n const serverToken =\n typeof options.token === \"string\" && options.token.trim().length > 0\n ? options.token\n : null;\n const hasServerToken = serverToken !== null;\n\n let token: string | null = serverToken;\n let isLoading = !hasServerToken;\n let authConfirmed = hasServerToken;\n let handshakePending = false;\n let authEpoch = 0;\n let destroyed = false;\n const handshakeWaiters = new Set<HandshakeWaiter>();\n let snapshot: AuthState = {\n phase: hasServerToken\n ? \"authenticated\"\n : isLoading\n ? \"loading\"\n : \"unauthenticated\",\n isLoading,\n isAuthenticated: hasServerToken,\n token,\n };\n let handlingCodeFlow = false;\n\n const createHandshakeError = (\n code: AuthHandshakeErrorCode,\n context: Record<string, unknown>,\n ) => {\n return new ConvexError({\n code,\n message: AUTH_ERRORS[code],\n ...context,\n } as Value);\n };\n\n const settleHandshakeWaiters = (\n epoch: number,\n outcome:\n | { type: \"resolve\" }\n | { type: \"reject\"; error: ConvexError<Value> },\n ) => {\n for (const waiter of Array.from(handshakeWaiters)) {\n if (waiter.epoch !== epoch) {\n continue;\n }\n clearTimeout(waiter.timeoutId);\n handshakeWaiters.delete(waiter);\n if (outcome.type === \"resolve\") {\n waiter.resolve();\n } else {\n waiter.reject(outcome.error);\n }\n }\n };\n\n const rejectObsoleteHandshakeWaiters = (activeEpoch: number) => {\n for (const waiter of Array.from(handshakeWaiters)) {\n if (waiter.epoch >= activeEpoch) {\n continue;\n }\n clearTimeout(waiter.timeoutId);\n handshakeWaiters.delete(waiter);\n waiter.reject(\n createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n ...waiter.context,\n reason: \"token_changed\",\n }),\n );\n }\n };\n\n const waitForAuthHandshake = async (context: AuthFlowContext) => {\n if (token === null) {\n return;\n }\n if (authConfirmed && !handshakePending) {\n return;\n }\n if (!handshakePending) {\n throw createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n ...context,\n reason: \"auth_rejected\",\n });\n }\n\n const epoch = authEpoch;\n await new Promise<void>((resolve, reject) => {\n const waiterRef: { current: HandshakeWaiter | null } = { current: null };\n const timeoutId = setTimeout(() => {\n if (waiterRef.current !== null) {\n handshakeWaiters.delete(waiterRef.current);\n }\n reject(\n createHandshakeError(\"AUTH_HANDSHAKE_TIMEOUT\", {\n ...context,\n timeoutMs: AUTH_HANDSHAKE_TIMEOUT_MS,\n }),\n );\n }, AUTH_HANDSHAKE_TIMEOUT_MS);\n\n const waiter: HandshakeWaiter = {\n epoch,\n context,\n resolve,\n reject,\n timeoutId,\n };\n waiterRef.current = waiter;\n handshakeWaiters.add(waiter);\n });\n };\n\n const handleConvexAuthChange = (isAuthenticated: boolean) => {\n if (destroyed) {\n return;\n }\n\n if (isAuthenticated) {\n authConfirmed = true;\n handshakePending = false;\n settleHandshakeWaiters(authEpoch, { type: \"resolve\" });\n } else {\n authConfirmed = false;\n if (token !== null && handshakePending) {\n handshakePending = false;\n settleHandshakeWaiters(authEpoch, {\n type: \"reject\",\n error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n reason: \"convex_rejected\",\n }),\n });\n }\n }\n\n if (updateSnapshot()) {\n notify();\n }\n };\n\n const notify = () => {\n for (const cb of subscribers) cb();\n };\n\n const updateSnapshot = () => {\n let phase: AuthState[\"phase\"];\n if (token !== null && handshakePending) {\n phase = \"handshake\";\n } else if (isLoading) {\n phase = \"loading\";\n } else if (token !== null && authConfirmed) {\n phase = \"authenticated\";\n } else {\n phase = \"unauthenticated\";\n }\n\n const next: AuthState = {\n phase,\n isLoading: phase === \"loading\" || phase === \"handshake\",\n isAuthenticated: phase === \"authenticated\",\n token,\n };\n if (\n snapshot.phase === next.phase &&\n snapshot.isLoading === next.isLoading &&\n snapshot.isAuthenticated === next.isAuthenticated &&\n snapshot.token === next.token\n ) {\n return false;\n }\n snapshot = next;\n return true;\n };\n\n const finalizeLoadingState = () => {\n if (!isLoading) {\n return;\n }\n isLoading = false;\n if (updateSnapshot()) {\n notify();\n }\n };\n\n // ---------------------------------------------------------------------------\n // Storage helpers (SPA mode only)\n // ---------------------------------------------------------------------------\n\n const storageGet = async (name: string) => {\n if (!storage) {\n return null;\n }\n try {\n return (await storage.getItem(key(name))) ?? null;\n } catch (error) {\n console.error(`[convex-auth] Failed to read ${name} from storage:`, error);\n return null;\n }\n };\n const storageSet = async (name: string, value: string) => {\n if (!storage) {\n return;\n }\n try {\n await storage.setItem(key(name), value);\n } catch (error) {\n console.error(`[convex-auth] Failed to write ${name} to storage:`, error);\n }\n };\n const storageRemove = async (name: string) => {\n if (!storage) {\n return;\n }\n try {\n await storage.removeItem(key(name));\n } catch (error) {\n console.error(`[convex-auth] Failed to remove ${name} from storage:`, error);\n }\n };\n\n // ---------------------------------------------------------------------------\n // Token management\n // ---------------------------------------------------------------------------\n\n const bindConvexAuth = () => {\n convex.setAuth(fetchAccessToken, handleConvexAuthChange);\n };\n\n const setToken = async (\n args:\n | {\n shouldStore: true;\n tokens: AuthSession | null;\n requireHandshake?: boolean;\n resyncConvexAuth?: boolean;\n }\n | {\n shouldStore: false;\n tokens: { token: string } | null;\n requireHandshake?: boolean;\n resyncConvexAuth?: boolean;\n },\n ) => {\n const previousToken = token;\n\n if (args.tokens === null) {\n token = null;\n if (args.shouldStore) {\n await storageRemove(JWT_STORAGE_KEY);\n await storageRemove(REFRESH_TOKEN_STORAGE_KEY);\n }\n } else {\n token = args.tokens.token;\n if (args.shouldStore && \"refreshToken\" in args.tokens) {\n await storageSet(JWT_STORAGE_KEY, args.tokens.token);\n await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);\n }\n }\n\n if (token !== previousToken) {\n authEpoch += 1;\n rejectObsoleteHandshakeWaiters(authEpoch);\n }\n\n if (token === null) {\n authConfirmed = false;\n handshakePending = false;\n settleHandshakeWaiters(authEpoch, {\n type: \"reject\",\n error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n reason: \"token_cleared\",\n }),\n });\n } else {\n const shouldEnterHandshake =\n args.requireHandshake === true || !authConfirmed;\n if (shouldEnterHandshake) {\n authConfirmed = false;\n handshakePending = true;\n } else {\n handshakePending = false;\n }\n }\n\n const hadPendingLoad = isLoading;\n isLoading = false;\n const changed = updateSnapshot();\n if (args.resyncConvexAuth !== false) {\n bindConvexAuth();\n }\n if (hadPendingLoad || changed) {\n notify();\n }\n };\n\n const setTokenAndMaybeWait = async (\n args:\n | {\n shouldStore: true;\n tokens: AuthSession | null;\n waitForHandshake: boolean;\n context: AuthFlowContext;\n }\n | {\n shouldStore: false;\n tokens: { token: string } | null;\n waitForHandshake: boolean;\n context: AuthFlowContext;\n },\n ): Promise<boolean> => {\n const { waitForHandshake, context, ...tokenArgs } = args;\n await setToken({\n ...(tokenArgs as\n | { shouldStore: true; tokens: AuthSession | null }\n | { shouldStore: false; tokens: { token: string } | null }),\n requireHandshake: waitForHandshake,\n });\n if (tokenArgs.tokens === null) {\n return false;\n }\n if (waitForHandshake) {\n await waitForAuthHandshake(context);\n }\n return true;\n };\n\n // ---------------------------------------------------------------------------\n // Proxy fetch helper\n // ---------------------------------------------------------------------------\n\n const resolveProxyUrl = () => {\n const origin =\n typeof window !== \"undefined\" &&\n typeof window.location?.origin === \"string\"\n ? window.location.origin\n : typeof location !== \"undefined\" && typeof location.origin === \"string\"\n ? location.origin\n : null;\n if (origin !== null) {\n return new URL(proxy!, origin).toString();\n }\n try {\n return new URL(proxy!).toString();\n } catch {\n return proxy!;\n }\n };\n\n const isAbsoluteUrl = (value: string) => {\n try {\n new URL(value);\n return true;\n } catch {\n return false;\n }\n };\n\n const proxyFetch = async (body: Record<string, unknown>) => {\n const proxyUrl = resolveProxyUrl();\n if (typeof window === \"undefined\" && !isAbsoluteUrl(proxyUrl)) {\n throw new Error(\n `Cannot call relative proxy URL \\`${proxy!}\\` without a browser origin. ` +\n \"Pass an absolute proxy URL for server runtimes.\",\n );\n }\n\n const response = await fetch(proxyUrl, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n credentials: \"include\",\n body: JSON.stringify(body),\n });\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({} as Record<string, unknown>));\n // Reconstruct ConvexError when the proxy forwards structured auth error data.\n if (\n typeof errorBody === \"object\" &&\n errorBody !== null &&\n \"authError\" in errorBody &&\n typeof (errorBody as Record<string, unknown>).authError === \"object\"\n ) {\n throw new ConvexError((errorBody as Record<string, unknown>).authError as Value);\n }\n throw new Error(\n (errorBody as Record<string, unknown>).error as string ??\n `Proxy request failed: ${response.status}`,\n );\n }\n try {\n return await response.json();\n } catch {\n throw new Error(\"Proxy response was not valid JSON\");\n }\n };\n\n // ---------------------------------------------------------------------------\n // Code verification with retries (SPA mode only)\n // ---------------------------------------------------------------------------\n\n const verifyCode = async (\n args: { code: string; verifier?: string } | { refreshToken: string },\n ) => {\n let lastError: unknown;\n for (let retry = 0; retry <= RETRY_BACKOFF.length; retry++) {\n try {\n return await httpClient!.action(\n \"auth:signIn\" as any,\n \"code\" in args\n ? { params: { code: args.code }, verifier: args.verifier }\n : args,\n );\n } catch (e) {\n lastError = e;\n const isNetworkError =\n e instanceof TypeError ||\n (e instanceof Error &&\n /(network|fetch|load failed|failed to fetch)/i.test(\n e.message || \"\",\n ));\n if (!isNetworkError) break;\n if (retry >= RETRY_BACKOFF.length) {\n break;\n }\n const wait = RETRY_BACKOFF[retry]! + RETRY_JITTER * Math.random();\n await new Promise((resolve) => setTimeout(resolve, wait));\n }\n }\n throw lastError;\n };\n\n const verifyCodeAndSetToken = async (\n args: { code: string; verifier?: string } | { refreshToken: string },\n opts?: { resyncConvexAuth?: boolean },\n ) => {\n const { tokens } = await verifyCode(args);\n await setToken({\n shouldStore: true,\n tokens: (tokens as AuthSession | null) ?? null,\n resyncConvexAuth: opts?.resyncConvexAuth,\n });\n return tokens !== null;\n };\n\n // ---------------------------------------------------------------------------\n // signIn\n // ---------------------------------------------------------------------------\n\n /**\n * Sign in with a provider.\n *\n * @param provider - Provider ID (e.g. `\"email\"`, `\"password\"`, `\"google\"`).\n * Omit when exchanging an OAuth code (the code carries the provider info).\n * @param args - Provider-specific arguments. Pass a `Record<string, Value>`\n * or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.\n * @returns A {@link SignInResult} indicating the outcome.\n *\n * @example Email magic link\n * ```ts\n * await auth.signIn('email', { email: 'user@example.com' });\n * ```\n *\n * @example Password\n * ```ts\n * const result = await auth.signIn('password', { email, password, flow: 'signIn' });\n * if (result.totpRequired) {\n * await auth.totp.verify({ code: totpCode, verifier: result.verifier! });\n * }\n * ```\n *\n * @example OAuth (triggers redirect)\n * ```ts\n * await auth.signIn('google'); // redirects to Google\n * ```\n */\n const signIn = async (\n provider?: string,\n args?: FormData | Record<string, Value>,\n ): Promise<SignInResult> => {\n const params =\n args instanceof FormData\n ? Array.from(args.entries()).reduce(\n (acc, [k, v]) => {\n acc[k] = v as string;\n return acc;\n },\n {} as Record<string, string>,\n )\n : args ?? {};\n const flow =\n typeof params.flow === \"string\" && params.flow.length > 0\n ? params.flow\n : \"signIn\";\n\n if (proxy) {\n // Proxy mode: POST to the proxy endpoint.\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider, params },\n });\n if (result.redirect !== undefined) {\n const redirectUrl = new URL(result.redirect);\n // Verifier is stored server-side in an httpOnly cookie.\n if (typeof window !== \"undefined\") {\n window.location.href = redirectUrl.toString();\n }\n return { signingIn: false, redirect: redirectUrl };\n }\n if (result.totpRequired) {\n return { signingIn: false, totpRequired: true, verifier: result.verifier };\n }\n if (result.deviceCode !== undefined) {\n return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n }\n if (result.tokens !== undefined) {\n // Proxy returns { token, refreshToken: \"dummy\" }.\n // Store JWT in memory only — real refresh token is in httpOnly cookie.\n const signingIn = await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n result.tokens === null ? null : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider, flow },\n });\n return { signingIn };\n }\n return { signingIn: false };\n }\n\n // SPA mode: call Convex directly.\n const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;\n await storageRemove(VERIFIER_STORAGE_KEY);\n const result = await convex.action(\"auth:signIn\" as any, {\n provider,\n params,\n verifier,\n });\n if (result.redirect !== undefined) {\n const redirectUrl = new URL(result.redirect);\n await storageSet(VERIFIER_STORAGE_KEY, result.verifier!);\n if (typeof window !== \"undefined\") {\n window.location.href = redirectUrl.toString();\n }\n return { signingIn: false, redirect: redirectUrl };\n }\n if (result.totpRequired) {\n return { signingIn: false, totpRequired: true, verifier: result.verifier };\n }\n if (result.deviceCode !== undefined) {\n return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n }\n if (result.tokens !== undefined) {\n const signingIn = await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider, flow },\n });\n return { signingIn };\n }\n return { signingIn: false };\n };\n\n // ---------------------------------------------------------------------------\n // signOut\n // ---------------------------------------------------------------------------\n\n /**\n * Sign out the current user.\n *\n * Invalidates the server session and clears local token state.\n * Errors are silently caught — calling `signOut` on an already\n * signed-out user is a no-op.\n */\n const signOut = async () => {\n if (proxy) {\n try {\n await proxyFetch({ action: \"auth:signOut\", args: {} });\n } catch {\n // Already signed out is fine.\n }\n await setToken({ shouldStore: false, tokens: null });\n if (convex.clearAuth) convex.clearAuth();\n return;\n }\n\n // SPA mode.\n try {\n await convex.action(\"auth:signOut\" as any, {});\n } catch {\n // Already signed out is fine.\n }\n await setToken({ shouldStore: true, tokens: null });\n if (convex.clearAuth) convex.clearAuth();\n };\n\n // ---------------------------------------------------------------------------\n // fetchAccessToken — called by convex.setAuth()\n // ---------------------------------------------------------------------------\n\n const fetchAccessToken = async ({\n forceRefreshToken,\n }: {\n forceRefreshToken: boolean;\n }): Promise<string | null> => {\n if (!forceRefreshToken) return token;\n\n if (proxy) {\n // Proxy mode: POST to the proxy to refresh.\n // The proxy reads the real refresh token from the httpOnly cookie.\n const resolvedProxyUrl = resolveProxyUrl();\n if (\n typeof window === \"undefined\" &&\n !isAbsoluteUrl(resolvedProxyUrl)\n ) {\n finalizeLoadingState();\n return token;\n }\n\n const tokenBeforeRefresh = token;\n return await browserMutex(\"__convexAuthProxyRefresh\", async () => {\n // Another tab/call may have already refreshed.\n if (token !== tokenBeforeRefresh) return token;\n try {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { refreshToken: true },\n });\n if (result.tokens) {\n await setToken({\n shouldStore: false,\n tokens: { token: result.tokens.token },\n resyncConvexAuth: false,\n });\n } else {\n await setToken({\n shouldStore: false,\n tokens: null,\n resyncConvexAuth: false,\n });\n }\n } catch (error) {\n console.error(\"[convex-auth] Proxy refresh failed:\", error);\n if (token === null) {\n finalizeLoadingState();\n }\n }\n return token;\n });\n }\n\n // SPA mode: refresh via localStorage + httpClient.\n const tokenBeforeLockAcquisition = token;\n return await browserMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {\n const tokenAfterLockAcquisition = token;\n if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) {\n return tokenAfterLockAcquisition;\n }\n const refreshToken =\n (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;\n if (!refreshToken) {\n finalizeLoadingState();\n return null;\n }\n await verifyCodeAndSetToken(\n { refreshToken },\n { resyncConvexAuth: false },\n );\n return token;\n });\n };\n\n // ---------------------------------------------------------------------------\n // OAuth code flow (SPA mode only — server handles this in proxy mode)\n // ---------------------------------------------------------------------------\n\n const handleCodeFlow = async () => {\n if (typeof window === \"undefined\") return;\n if (handlingCodeFlow) return;\n const code = new URLSearchParams(window.location.search).get(\"code\");\n if (!code) return;\n handlingCodeFlow = true;\n try {\n await signIn(undefined, { code });\n const codeUrl = new URL(window.location.href);\n codeUrl.searchParams.delete(\"code\");\n await replaceURL(codeUrl.pathname + codeUrl.search + codeUrl.hash);\n } finally {\n handlingCodeFlow = false;\n }\n };\n\n // ---------------------------------------------------------------------------\n // Hydrate from storage (SPA mode only)\n // ---------------------------------------------------------------------------\n\n const hydrateFromStorage = async () => {\n const storedToken = (await storageGet(JWT_STORAGE_KEY)) ?? null;\n await setToken({\n shouldStore: false,\n tokens: storedToken === null ? null : { token: storedToken },\n });\n };\n\n // ---------------------------------------------------------------------------\n // Subscribe\n // ---------------------------------------------------------------------------\n\n /**\n * Subscribe to auth state changes. Invokes the callback immediately\n * with the current state, then again on every state transition.\n *\n * ```ts\n * const unsub = auth.onChange(setState);\n * ```\n *\n * @param cb - Callback receiving the latest {@link AuthState}.\n * @returns An unsubscribe function.\n */\n const onChange = (cb: (state: AuthState) => void): (() => void) => {\n cb(snapshot);\n const wrapped = () => cb(snapshot);\n subscribers.add(wrapped);\n return () => {\n subscribers.delete(wrapped);\n };\n };\n\n // ---------------------------------------------------------------------------\n // Initialization\n // ---------------------------------------------------------------------------\n\n // Cross-tab sync via storage events (SPA mode only).\n if (!proxy && typeof window !== \"undefined\") {\n const registryKey = key(JWT_STORAGE_KEY);\n const registry = getStorageListenerRegistry();\n const existingListener = registry[registryKey];\n if (existingListener !== undefined) {\n window.removeEventListener(\"storage\", existingListener);\n }\n\n const onStorage = (event: StorageEvent) => {\n void (async () => {\n if (event.key !== key(JWT_STORAGE_KEY)) return;\n await setToken({\n shouldStore: false,\n tokens:\n event.newValue === null ? null : { token: event.newValue },\n });\n })();\n };\n window.addEventListener(\"storage\", onStorage);\n registry[registryKey] = onStorage;\n disposeStorageListener = () => {\n if (registry[registryKey] === onStorage) {\n delete registry[registryKey];\n }\n window.removeEventListener(\"storage\", onStorage);\n };\n }\n\n // Auto-wire: feed our tokens into the Convex client so\n // queries and mutations are automatically authenticated.\n bindConvexAuth();\n\n // Auto-hydrate and handle code flow.\n if (typeof window !== \"undefined\") {\n if (proxy) {\n // Proxy mode: eagerly resolve auth once on startup so routes that only\n // read auth state (and do not issue Convex queries yet) don't stay in\n // the initial loading phase.\n if (!hasServerToken) {\n void fetchAccessToken({ forceRefreshToken: true }).catch(\n (error: unknown) => {\n console.error(\"[convex-auth] Proxy token refresh failed:\", error);\n },\n );\n }\n } else {\n // SPA mode: hydrate from localStorage, then handle OAuth code flow.\n void (async () => {\n try {\n await hydrateFromStorage();\n await handleCodeFlow();\n } catch (error: unknown) {\n console.error(\"[convex-auth] Client initialization failed:\", error);\n await setToken({ shouldStore: false, tokens: null });\n }\n })();\n }\n }\n\n // ---------------------------------------------------------------------------\n // Passkey helpers\n // ---------------------------------------------------------------------------\n\n /**\n * Base64url encode/decode helpers for the WebAuthn credential API.\n * These run client-side only (browser context).\n */\n const base64urlEncode = (buffer: ArrayBuffer): string => {\n const bytes = new Uint8Array(buffer);\n let binary = \"\";\n for (let i = 0; i < bytes.byteLength; i++) {\n binary += String.fromCharCode(bytes[i]!);\n }\n return btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n };\n\n const base64urlDecode = (str: string): Uint8Array => {\n const padded = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const binary = atob(padded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n };\n\n const passkey = {\n /**\n * Check if WebAuthn passkeys are supported in the current environment.\n */\n isSupported: (): boolean => {\n return (\n typeof window !== \"undefined\" &&\n typeof window.PublicKeyCredential !== \"undefined\"\n );\n },\n\n /**\n * Check if conditional UI (autofill-assisted passkey sign-in) is supported.\n *\n * ```ts\n * if (await auth.passkey.isAutofillSupported()) {\n * auth.passkey.authenticate({ autofill: true });\n * }\n * ```\n */\n isAutofillSupported: async (): Promise<boolean> => {\n if (typeof window === \"undefined\") return false;\n if (typeof window.PublicKeyCredential === \"undefined\") return false;\n if (\n typeof (\n window.PublicKeyCredential as any\n ).isConditionalMediationAvailable !== \"function\"\n ) {\n return false;\n }\n return (\n window.PublicKeyCredential as any\n ).isConditionalMediationAvailable();\n },\n\n /**\n * Register a new passkey for the current or new user.\n *\n * Performs the full two-round-trip WebAuthn registration ceremony:\n * 1. Requests creation options from the server (challenge, RP info)\n * 2. Calls `navigator.credentials.create()` with the options\n * 3. Sends the attestation back to the server for verification\n * 4. Server creates user + account + passkey records and returns tokens\n *\n * Works in both SPA and proxy (SSR) modes.\n *\n * ```ts\n * await auth.passkey.register({ name: \"MacBook Touch ID\" });\n * ```\n *\n * @param opts.name - Friendly name for this passkey\n * @param opts.email - Email to associate with the new account\n * @param opts.userName - Username for the credential (defaults to email)\n * @param opts.userDisplayName - Display name for the credential\n * @returns `{ signingIn: true }` on success\n */\n register: async (\n opts?: {\n name?: string;\n email?: string;\n userName?: string;\n userDisplayName?: string;\n },\n ): Promise<SignInResult> => {\n const phase1Params = {\n flow: \"register-options\",\n email: opts?.email,\n userName: opts?.userName,\n userDisplayName: opts?.userDisplayName,\n };\n\n // Phase 1: Get registration options from server\n let phase1Result: any;\n if (proxy) {\n phase1Result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"passkey\", params: phase1Params },\n });\n } else {\n phase1Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase1Params,\n });\n }\n\n if (!phase1Result.options) {\n throw new Error(\"Server did not return passkey registration options\");\n }\n\n const options = phase1Result.options;\n\n // Convert base64url strings to ArrayBuffers for the credential API\n const createOptions: CredentialCreationOptions = {\n publicKey: {\n rp: options.rp,\n user: {\n id: base64urlDecode(options.user.id).buffer as ArrayBuffer,\n name: options.user.name,\n displayName: options.user.displayName,\n },\n challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n pubKeyCredParams: options.pubKeyCredParams,\n timeout: options.timeout,\n attestation: options.attestation,\n authenticatorSelection: options.authenticatorSelection,\n excludeCredentials: (options.excludeCredentials ?? []).map(\n (cred: any) => ({\n type: cred.type ?? \"public-key\",\n id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n transports: cred.transports,\n }),\n ),\n },\n };\n\n // Phase 2: Create credential via browser API\n const credential = (await navigator.credentials.create(\n createOptions,\n )) as PublicKeyCredential | null;\n if (!credential) {\n throw new Error(\"Passkey registration was cancelled\");\n }\n\n const response =\n credential.response as AuthenticatorAttestationResponse;\n\n // Extract transports if available\n const transports =\n typeof response.getTransports === \"function\"\n ? response.getTransports()\n : undefined;\n\n const phase2Params = {\n flow: \"register-verify\",\n clientDataJSON: base64urlEncode(response.clientDataJSON),\n attestationObject: base64urlEncode(response.attestationObject),\n transports,\n passkeyName: opts?.name,\n email: opts?.email,\n };\n\n // Phase 3: Send attestation to server for verification\n let phase2Result: any;\n if (proxy) {\n // In proxy mode the verifier is stored in an httpOnly cookie by the proxy.\n // We pass it back explicitly so the proxy can forward it to Convex.\n phase2Result = await proxyFetch({\n action: \"auth:signIn\",\n args: {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n },\n });\n } else {\n phase2Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n });\n }\n\n if (phase2Result.tokens) {\n if (proxy) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n phase2Result.tokens === null\n ? null\n : { token: phase2Result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"register-verify\" },\n });\n } else {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: phase2Result.tokens as AuthSession,\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"register-verify\" },\n });\n }\n return { signingIn: true };\n }\n return { signingIn: false };\n },\n\n /**\n * Authenticate with an existing passkey.\n *\n * Performs the full two-round-trip WebAuthn authentication ceremony:\n * 1. Requests assertion options from the server (challenge, allowed credentials)\n * 2. Calls `navigator.credentials.get()` with the options\n * 3. Sends the assertion back to the server for signature verification\n * 4. Server verifies signature, updates counter, creates session, returns tokens\n *\n * Works in both SPA and proxy (SSR) modes.\n *\n * ```ts\n * // Discoverable credential (no email needed)\n * await auth.passkey.authenticate();\n *\n * // Scoped to a specific user's credentials\n * await auth.passkey.authenticate({ email: \"user@example.com\" });\n *\n * // Autofill-assisted (conditional UI)\n * await auth.passkey.authenticate({ autofill: true });\n * ```\n *\n * @param opts.email - Scope to credentials for this email's user\n * @param opts.autofill - Use conditional mediation (autofill UI)\n * @returns `{ signingIn: true }` on success\n */\n authenticate: async (\n opts?: { email?: string; autofill?: boolean },\n ): Promise<SignInResult> => {\n const phase1Params = {\n flow: \"auth-options\",\n email: opts?.email,\n };\n\n // Phase 1: Get assertion options from server\n let phase1Result: any;\n if (proxy) {\n phase1Result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"passkey\", params: phase1Params },\n });\n } else {\n phase1Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase1Params,\n });\n }\n\n if (!phase1Result.options) {\n throw new Error(\"Server did not return passkey authentication options\");\n }\n\n const options = phase1Result.options;\n\n // Convert base64url strings to ArrayBuffers for the credential API\n const getOptions: CredentialRequestOptions = {\n publicKey: {\n challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n timeout: options.timeout,\n rpId: options.rpId,\n userVerification: options.userVerification,\n allowCredentials: (options.allowCredentials ?? []).map(\n (cred: any) => ({\n type: cred.type ?? \"public-key\",\n id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n transports: cred.transports,\n }),\n ),\n },\n ...(opts?.autofill ? { mediation: \"conditional\" as any } : {}),\n };\n\n // Phase 2: Get credential via browser API\n const credential = (await navigator.credentials.get(\n getOptions,\n )) as PublicKeyCredential | null;\n if (!credential) {\n throw new Error(\"Passkey authentication was cancelled\");\n }\n\n const response =\n credential.response as AuthenticatorAssertionResponse;\n\n const phase2Params = {\n flow: \"auth-verify\",\n credentialId: base64urlEncode(credential.rawId),\n clientDataJSON: base64urlEncode(response.clientDataJSON),\n authenticatorData: base64urlEncode(response.authenticatorData),\n signature: base64urlEncode(response.signature),\n };\n\n // Phase 3: Send assertion to server for verification\n let phase2Result: any;\n if (proxy) {\n phase2Result = await proxyFetch({\n action: \"auth:signIn\",\n args: {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n },\n });\n } else {\n phase2Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n });\n }\n\n if (phase2Result.tokens) {\n if (proxy) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n phase2Result.tokens === null\n ? null\n : { token: phase2Result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"auth-verify\" },\n });\n } else {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: phase2Result.tokens as AuthSession,\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"auth-verify\" },\n });\n }\n return { signingIn: true };\n }\n return { signingIn: false };\n },\n };\n\n const totp = {\n /**\n * Start TOTP enrollment. Must be authenticated.\n *\n * Returns a URI for QR code display and a base32 secret for manual entry.\n *\n * ```ts\n * const setup = await auth.totp.setup();\n * // Display QR code from setup.uri\n * // Or show setup.secret for manual entry\n * ```\n */\n setup: async (\n opts?: { name?: string; accountName?: string },\n ): Promise<{ uri: string; secret: string; verifier: string; totpId: string }> => {\n const params: Record<string, any> = { flow: \"setup\" };\n if (opts?.name) params.name = opts.name;\n if (opts?.accountName) params.accountName = opts.accountName;\n\n if (proxy) {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"totp\", params },\n });\n return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n }\n\n const result = await convex.action(\"auth:signIn\" as any, {\n provider: \"totp\",\n params,\n });\n return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n },\n\n /**\n * Complete TOTP enrollment by verifying the first code from the authenticator app.\n *\n * ```ts\n * await auth.totp.confirm({ code: \"123456\", verifier: setup.verifier, totpId: setup.totpId });\n * ```\n */\n confirm: async (opts: {\n code: string;\n verifier: string;\n totpId: string;\n }): Promise<void> => {\n const params: Record<string, any> = {\n flow: \"confirm\",\n code: opts.code,\n totpId: opts.totpId,\n };\n\n if (proxy) {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"totp\", params, verifier: opts.verifier },\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens: result.tokens === null ? null : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"confirm\" },\n });\n }\n return;\n }\n\n const result = await convex.action(\"auth:signIn\" as any, {\n provider: \"totp\",\n params,\n verifier: opts.verifier,\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"confirm\" },\n });\n }\n },\n\n /**\n * Complete 2FA verification during sign-in.\n *\n * Called after a credentials sign-in returns `totpRequired: true`.\n *\n * ```ts\n * const result = await auth.signIn(\"password\", { email, password });\n * if (result.totpRequired) {\n * await auth.totp.verify({ code: \"123456\", verifier: result.verifier! });\n * }\n * ```\n */\n verify: async (opts: { code: string; verifier: string }): Promise<void> => {\n const params: Record<string, any> = {\n flow: \"verify\",\n code: opts.code,\n };\n\n if (proxy) {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"totp\", params, verifier: opts.verifier },\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens: result.tokens === null ? null : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"verify\" },\n });\n }\n return;\n }\n\n const result = await convex.action(\"auth:signIn\" as any, {\n provider: \"totp\",\n params,\n verifier: opts.verifier,\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"verify\" },\n });\n }\n },\n };\n\n const device = {\n /**\n * Poll for device authorization status.\n *\n * The device calls this repeatedly (respecting `interval`) after\n * initiating a device flow via `signIn(\"device\")`. Returns when\n * the user authorizes, or throws on timeout/denial.\n *\n * ```ts\n * const result = await auth.signIn(\"device\");\n * const { deviceCode } = result;\n * // Display deviceCode.userCode to the user, then poll:\n * await auth.device.poll(deviceCode);\n * // User is now signed in\n * ```\n *\n * @param code - The {@link DeviceCodeResult} from `signIn(\"device\")`.\n * @returns Resolves when the device is authorized and tokens are stored.\n * @throws When the code expires, is denied, or polling encounters an error.\n */\n poll: async (code: DeviceCodeResult): Promise<void> => {\n const intervalMs = code.interval * 1000;\n const expiresAt = Date.now() + code.expiresIn * 1000;\n\n while (Date.now() < expiresAt) {\n await new Promise((resolve) => setTimeout(resolve, intervalMs));\n\n try {\n let result: any;\n const params: Record<string, any> = {\n flow: \"poll\",\n deviceCode: code.deviceCode,\n };\n\n if (proxy) {\n result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"device\", params },\n });\n } else {\n result = await convex.action(\"auth:signIn\" as any, {\n provider: \"device\",\n params,\n });\n }\n\n // Authorized — tokens received\n if (result.tokens) {\n if (proxy) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n result.tokens === null\n ? null\n : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"device\", flow: \"poll\" },\n });\n } else {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider: \"device\", flow: \"poll\" },\n });\n }\n return;\n }\n } catch (e: unknown) {\n // Handle expected polling errors\n if (e instanceof ConvexError) {\n const data = e.data as Record<string, unknown>;\n const code_ = data?.code as string | undefined;\n if (code_ === \"DEVICE_AUTHORIZATION_PENDING\") {\n continue; // Keep polling\n }\n if (code_ === \"DEVICE_SLOW_DOWN\") {\n // Back off by adding one interval\n await new Promise((resolve) =>\n setTimeout(resolve, intervalMs),\n );\n continue;\n }\n }\n // Non-recoverable error — rethrow\n throw e;\n }\n }\n\n throw new Error(\"Device authorization timed out.\");\n },\n\n /**\n * Authorize a device from the verification page.\n *\n * Called by an authenticated user on the verification page after\n * they enter the user code displayed on the device.\n *\n * ```ts\n * // On the /device verification page:\n * await auth.device.verify(userCode);\n * ```\n *\n * @param userCode - The user code entered by the user (e.g. \"WDJB-MJHT\").\n */\n verify: async (userCode: string): Promise<void> => {\n const params: Record<string, any> = {\n flow: \"verify\",\n userCode,\n };\n\n if (proxy) {\n await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"device\", params },\n });\n } else {\n await convex.action(\"auth:signIn\" as any, {\n provider: \"device\",\n params,\n });\n }\n },\n };\n\n return {\n /** Current auth state snapshot. */\n get state(): AuthState {\n return snapshot;\n },\n /** Sign in with a provider. See {@link SignInResult} for return shape. */\n signIn,\n /** Sign out and clear all token state. */\n signOut,\n /** Subscribe to auth state changes. Returns an unsubscribe function. */\n onChange,\n /** Passkey (WebAuthn) authentication helpers. */\n passkey,\n /** TOTP two-factor authentication helpers. */\n totp,\n /** Device authorization (RFC 8628) helpers. */\n device,\n /** Remove global listeners when disposing this client instance. */\n destroy: () => {\n destroyed = true;\n settleHandshakeWaiters(authEpoch, {\n type: \"reject\",\n error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n reason: \"destroyed\",\n }),\n });\n disposeStorageListener?.();\n subscribers.clear();\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// Browser mutex — ensures only one tab refreshes a token at a time.\n// ---------------------------------------------------------------------------\n\nasync function browserMutex<T>(\n key: string,\n callback: () => Promise<T>,\n): Promise<T> {\n const lockManager = (globalThis as any)?.navigator?.locks;\n return lockManager !== undefined\n ? await lockManager.request(key, callback)\n : await manualMutex(key, callback);\n}\n\nfunction getStorageListenerRegistry(): Record<string, (event: StorageEvent) => void> {\n const globalAny = globalThis as any;\n if (globalAny.__convexAuthStorageListeners === undefined) {\n globalAny.__convexAuthStorageListeners = {} as Record<\n string,\n (event: StorageEvent) => void\n >;\n }\n return globalAny.__convexAuthStorageListeners as Record<\n string,\n (event: StorageEvent) => void\n >;\n}\n\nfunction getManualMutexTails(): Record<string, Promise<void>> {\n const globalAny = globalThis as any;\n if (globalAny.__convexAuthMutexTails === undefined) {\n globalAny.__convexAuthMutexTails = {} as Record<string, Promise<void>>;\n }\n return globalAny.__convexAuthMutexTails as Record<string, Promise<void>>;\n}\n\nasync function manualMutex<T>(\n key: string,\n callback: () => Promise<T>,\n): Promise<T> {\n const mutexTails = getManualMutexTails();\n const previousTail = mutexTails[key] ?? Promise.resolve();\n\n let releaseCurrent: (() => void) | undefined;\n const currentTail = new Promise<void>((resolve) => {\n releaseCurrent = resolve;\n });\n\n mutexTails[key] = previousTail.then(\n () => currentTail,\n () => currentTail,\n );\n\n try {\n await previousTail;\n return await callback();\n } finally {\n releaseCurrent?.();\n if (mutexTails[key] === currentTail) {\n delete mutexTails[key];\n }\n }\n}\n"],"mappings":";;;;;AA4IA,MAAM,uBAAuB;AAC7B,MAAM,kBAAkB;AACxB,MAAM,4BAA4B;AAElC,MAAM,gBAAgB,CAAC,KAAK,IAAK;AACjC,MAAM,eAAe;AACrB,MAAM,4BAA4B;;;;;;;AAyBlC,SAAS,WAAW,QAAyB,UAA2B;AACtE,KAAI,SAAU,QAAO;CACrB,MAAM,IAAI;CACV,MAAM,MAAe,EAAE,OAAO,EAAE,QAAQ;AACxC,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,OAAM,IAAI,MACR,oEACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCH,SAAgB,OAAO,SAAwB;CAC7C,MAAM,EAAE,QAAQ,UAAU;CAG1B,MAAM,UACJ,QAAQ,YAAY,SAChB,QAAQ,UACR,QACE,OACA,OAAO,WAAW,cAChB,OACA,OAAO;CAEjB,MAAM,aACJ,QAAQ,gBACN,UAAgB;AAChB,MAAI,OAAO,WAAW,YACpB,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAIA,MAAI;;CAI9C,MAAM,MAAM,QAAQ,SAAY,WAAW,QAAQ,QAAQ,IAAI;CAC/D,MAAM,mBAAmB,QACrB,MAAM,QAAQ,iBAAiB,GAAG,GAClC,IAAK,QAAQ,iBAAiB,GAAG;CACrC,MAAM,OAAO,SAAiB,GAAG,KAAK,GAAG;CACzC,MAAM,8BAAc,IAAI,KAAiB;CACzC,IAAI,yBAA8C;CAIlD,MAAM,aAAa,QAAQ,OAAO,IAAI,iBAAiB,IAAK;CAQ5D,MAAM,cACJ,OAAO,QAAQ,UAAU,YAAY,QAAQ,MAAM,MAAM,CAAC,SAAS,IAC/D,QAAQ,QACR;CACN,MAAM,iBAAiB,gBAAgB;CAEvC,IAAI,QAAuB;CAC3B,IAAI,YAAY,CAAC;CACjB,IAAI,gBAAgB;CACpB,IAAI,mBAAmB;CACvB,IAAI,YAAY;CAChB,IAAI,YAAY;CAChB,MAAM,mCAAmB,IAAI,KAAsB;CACnD,IAAI,WAAsB;EACxB,OAAO,iBACH,kBACA,YACE,YACA;EACN;EACA,iBAAiB;EACjB;EACD;CACD,IAAI,mBAAmB;CAEvB,MAAM,wBACJ,MACA,YACG;AACH,SAAO,IAAI,YAAY;GACrB;GACA,SAAS,YAAY;GACrB,GAAG;GACJ,CAAU;;CAGb,MAAM,0BACJ,OACA,YAGG;AACH,OAAK,MAAM,UAAU,MAAM,KAAK,iBAAiB,EAAE;AACjD,OAAI,OAAO,UAAU,MACnB;AAEF,gBAAa,OAAO,UAAU;AAC9B,oBAAiB,OAAO,OAAO;AAC/B,OAAI,QAAQ,SAAS,UACnB,QAAO,SAAS;OAEhB,QAAO,OAAO,QAAQ,MAAM;;;CAKlC,MAAM,kCAAkC,gBAAwB;AAC9D,OAAK,MAAM,UAAU,MAAM,KAAK,iBAAiB,EAAE;AACjD,OAAI,OAAO,SAAS,YAClB;AAEF,gBAAa,OAAO,UAAU;AAC9B,oBAAiB,OAAO,OAAO;AAC/B,UAAO,OACL,qBAAqB,2BAA2B;IAC9C,GAAG,OAAO;IACV,QAAQ;IACT,CAAC,CACH;;;CAIL,MAAM,uBAAuB,OAAO,YAA6B;AAC/D,MAAI,UAAU,KACZ;AAEF,MAAI,iBAAiB,CAAC,iBACpB;AAEF,MAAI,CAAC,iBACH,OAAM,qBAAqB,2BAA2B;GACpD,GAAG;GACH,QAAQ;GACT,CAAC;EAGJ,MAAM,QAAQ;AACd,QAAM,IAAI,SAAe,SAAS,WAAW;GAC3C,MAAM,YAAiD,EAAE,SAAS,MAAM;GAaxE,MAAM,SAA0B;IAC9B;IACA;IACA;IACA;IACA,WAjBgB,iBAAiB;AACjC,SAAI,UAAU,YAAY,KACxB,kBAAiB,OAAO,UAAU,QAAQ;AAE5C,YACE,qBAAqB,0BAA0B;MAC7C,GAAG;MACH,WAAW;MACZ,CAAC,CACH;OACA,0BAA0B;IAQ5B;AACD,aAAU,UAAU;AACpB,oBAAiB,IAAI,OAAO;IAC5B;;CAGJ,MAAM,0BAA0B,oBAA6B;AAC3D,MAAI,UACF;AAGF,MAAI,iBAAiB;AACnB,mBAAgB;AAChB,sBAAmB;AACnB,0BAAuB,WAAW,EAAE,MAAM,WAAW,CAAC;SACjD;AACL,mBAAgB;AAChB,OAAI,UAAU,QAAQ,kBAAkB;AACtC,uBAAmB;AACnB,2BAAuB,WAAW;KAChC,MAAM;KACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,mBACT,CAAC;KACH,CAAC;;;AAIN,MAAI,gBAAgB,CAClB,SAAQ;;CAIZ,MAAM,eAAe;AACnB,OAAK,MAAM,MAAM,YAAa,KAAI;;CAGpC,MAAM,uBAAuB;EAC3B,IAAI;AACJ,MAAI,UAAU,QAAQ,iBACpB,SAAQ;WACC,UACT,SAAQ;WACC,UAAU,QAAQ,cAC3B,SAAQ;MAER,SAAQ;EAGV,MAAM,OAAkB;GACtB;GACA,WAAW,UAAU,aAAa,UAAU;GAC5C,iBAAiB,UAAU;GAC3B;GACD;AACD,MACE,SAAS,UAAU,KAAK,SACxB,SAAS,cAAc,KAAK,aAC5B,SAAS,oBAAoB,KAAK,mBAClC,SAAS,UAAU,KAAK,MAExB,QAAO;AAET,aAAW;AACX,SAAO;;CAGT,MAAM,6BAA6B;AACjC,MAAI,CAAC,UACH;AAEF,cAAY;AACZ,MAAI,gBAAgB,CAClB,SAAQ;;CAQZ,MAAM,aAAa,OAAO,SAAiB;AACzC,MAAI,CAAC,QACH,QAAO;AAET,MAAI;AACF,UAAQ,MAAM,QAAQ,QAAQ,IAAI,KAAK,CAAC,IAAK;WACtC,OAAO;AACd,WAAQ,MAAM,gCAAgC,KAAK,iBAAiB,MAAM;AAC1E,UAAO;;;CAGX,MAAM,aAAa,OAAO,MAAc,UAAkB;AACxD,MAAI,CAAC,QACH;AAEF,MAAI;AACF,SAAM,QAAQ,QAAQ,IAAI,KAAK,EAAE,MAAM;WAChC,OAAO;AACd,WAAQ,MAAM,iCAAiC,KAAK,eAAe,MAAM;;;CAG7E,MAAM,gBAAgB,OAAO,SAAiB;AAC5C,MAAI,CAAC,QACH;AAEF,MAAI;AACF,SAAM,QAAQ,WAAW,IAAI,KAAK,CAAC;WAC5B,OAAO;AACd,WAAQ,MAAM,kCAAkC,KAAK,iBAAiB,MAAM;;;CAQhF,MAAM,uBAAuB;AAC3B,SAAO,QAAQ,kBAAkB,uBAAuB;;CAG1D,MAAM,WAAW,OACf,SAaG;EACH,MAAM,gBAAgB;AAEtB,MAAI,KAAK,WAAW,MAAM;AACxB,WAAQ;AACR,OAAI,KAAK,aAAa;AACpB,UAAM,cAAc,gBAAgB;AACpC,UAAM,cAAc,0BAA0B;;SAE3C;AACL,WAAQ,KAAK,OAAO;AACpB,OAAI,KAAK,eAAe,kBAAkB,KAAK,QAAQ;AACrD,UAAM,WAAW,iBAAiB,KAAK,OAAO,MAAM;AACpD,UAAM,WAAW,2BAA2B,KAAK,OAAO,aAAa;;;AAIzE,MAAI,UAAU,eAAe;AAC3B,gBAAa;AACb,kCAA+B,UAAU;;AAG3C,MAAI,UAAU,MAAM;AAClB,mBAAgB;AAChB,sBAAmB;AACnB,0BAAuB,WAAW;IAChC,MAAM;IACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,iBACT,CAAC;IACH,CAAC;aAGA,KAAK,qBAAqB,QAAQ,CAAC,eACX;AACxB,mBAAgB;AAChB,sBAAmB;QAEnB,oBAAmB;EAIvB,MAAM,iBAAiB;AACvB,cAAY;EACZ,MAAM,UAAU,gBAAgB;AAChC,MAAI,KAAK,qBAAqB,MAC5B,iBAAgB;AAElB,MAAI,kBAAkB,QACpB,SAAQ;;CAIZ,MAAM,uBAAuB,OAC3B,SAaqB;EACrB,MAAM,EAAE,kBAAkB,SAAS,GAAG,cAAc;AACpD,QAAM,SAAS;GACb,GAAI;GAGJ,kBAAkB;GACnB,CAAC;AACF,MAAI,UAAU,WAAW,KACvB,QAAO;AAET,MAAI,iBACF,OAAM,qBAAqB,QAAQ;AAErC,SAAO;;CAOT,MAAM,wBAAwB;EAC5B,MAAM,SACJ,OAAO,WAAW,eAClB,OAAO,OAAO,UAAU,WAAW,WAC/B,OAAO,SAAS,SAChB,OAAO,aAAa,eAAe,OAAO,SAAS,WAAW,WAC5D,SAAS,SACT;AACR,MAAI,WAAW,KACb,QAAO,IAAI,IAAI,OAAQ,OAAO,CAAC,UAAU;AAE3C,MAAI;AACF,UAAO,IAAI,IAAI,MAAO,CAAC,UAAU;UAC3B;AACN,UAAO;;;CAIX,MAAM,iBAAiB,UAAkB;AACvC,MAAI;AACF,OAAI,IAAI,MAAM;AACd,UAAO;UACD;AACN,UAAO;;;CAIX,MAAM,aAAa,OAAO,SAAkC;EAC1D,MAAM,WAAW,iBAAiB;AAClC,MAAI,OAAO,WAAW,eAAe,CAAC,cAAc,SAAS,CAC3D,OAAM,IAAI,MACR,oCAAoC,MAAO,8EAE5C;EAGH,MAAM,WAAW,MAAM,MAAM,UAAU;GACrC,QAAQ;GACR,SAAS,EAAE,gBAAgB,oBAAoB;GAC/C,aAAa;GACb,MAAM,KAAK,UAAU,KAAK;GAC3B,CAAC;AACF,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAA6B;AAEpF,OACE,OAAO,cAAc,YACrB,cAAc,QACd,eAAe,aACf,OAAQ,UAAsC,cAAc,SAE5D,OAAM,IAAI,YAAa,UAAsC,UAAmB;AAElF,SAAM,IAAI,MACP,UAAsC,SACrC,yBAAyB,SAAS,SACrC;;AAEH,MAAI;AACF,UAAO,MAAM,SAAS,MAAM;UACtB;AACN,SAAM,IAAI,MAAM,oCAAoC;;;CAQxD,MAAM,aAAa,OACjB,SACG;EACH,IAAI;AACJ,OAAK,IAAI,QAAQ,GAAG,SAAS,cAAc,QAAQ,QACjD,KAAI;AACF,UAAO,MAAM,WAAY,OACvB,eACA,UAAU,OACN;IAAE,QAAQ,EAAE,MAAM,KAAK,MAAM;IAAE,UAAU,KAAK;IAAU,GACxD,KACL;WACM,GAAG;AACV,eAAY;AAOZ,OAAI,EALF,aAAa,aACZ,aAAa,SACZ,+CAA+C,KAC7C,EAAE,WAAW,GACd,EACgB;AACrB,OAAI,SAAS,cAAc,OACzB;GAEF,MAAM,OAAO,cAAc,SAAU,eAAe,KAAK,QAAQ;AACjE,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,KAAK,CAAC;;AAG7D,QAAM;;CAGR,MAAM,wBAAwB,OAC5B,MACA,SACG;EACH,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK;AACzC,QAAM,SAAS;GACb,aAAa;GACb,QAAS,UAAiC;GAC1C,kBAAkB,MAAM;GACzB,CAAC;AACF,SAAO,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCpB,MAAM,SAAS,OACb,UACA,SAC0B;EAC1B,MAAM,SACJ,gBAAgB,WACZ,MAAM,KAAK,KAAK,SAAS,CAAC,CAAC,QACxB,KAAK,CAAC,GAAG,OAAO;AACf,OAAI,KAAK;AACT,UAAO;KAET,EAAE,CACH,GACD,QAAQ,EAAE;EAChB,MAAM,OACJ,OAAO,OAAO,SAAS,YAAY,OAAO,KAAK,SAAS,IACpD,OAAO,OACP;AAEN,MAAI,OAAO;GAET,MAAMC,WAAS,MAAM,WAAW;IAC9B,QAAQ;IACR,MAAM;KAAE;KAAU;KAAQ;IAC3B,CAAC;AACF,OAAIA,SAAO,aAAa,QAAW;IACjC,MAAM,cAAc,IAAI,IAAIA,SAAO,SAAS;AAE5C,QAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,WAAO;KAAE,WAAW;KAAO,UAAU;KAAa;;AAEpD,OAAIA,SAAO,aACT,QAAO;IAAE,WAAW;IAAO,cAAc;IAAM,UAAUA,SAAO;IAAU;AAE5E,OAAIA,SAAO,eAAe,OACxB,QAAO;IAAE,WAAW;IAAO,YAAYA,SAAO;IAAgC;AAEhF,OAAIA,SAAO,WAAW,OAUpB,QAAO,EAAE,WAPS,MAAM,qBAAqB;IAC3C,aAAa;IACb,QACEA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;IAChE,kBAAkB;IAClB,SAAS;KAAE;KAAU;KAAM;IAC5B,CAAC,EACkB;AAEtB,UAAO,EAAE,WAAW,OAAO;;EAI7B,MAAM,WAAY,MAAM,WAAW,qBAAqB,IAAK;AAC7D,QAAM,cAAc,qBAAqB;EACzC,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;GACvD;GACA;GACA;GACD,CAAC;AACF,MAAI,OAAO,aAAa,QAAW;GACjC,MAAM,cAAc,IAAI,IAAI,OAAO,SAAS;AAC5C,SAAM,WAAW,sBAAsB,OAAO,SAAU;AACxD,OAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,UAAO;IAAE,WAAW;IAAO,UAAU;IAAa;;AAEpD,MAAI,OAAO,aACT,QAAO;GAAE,WAAW;GAAO,cAAc;GAAM,UAAU,OAAO;GAAU;AAE5E,MAAI,OAAO,eAAe,OACxB,QAAO;GAAE,WAAW;GAAO,YAAY,OAAO;GAAgC;AAEhF,MAAI,OAAO,WAAW,OAOpB,QAAO,EAAE,WANS,MAAM,qBAAqB;GAC3C,aAAa;GACb,QAAS,OAAO,UAAiC;GACjD,kBAAkB;GAClB,SAAS;IAAE;IAAU;IAAM;GAC5B,CAAC,EACkB;AAEtB,SAAO,EAAE,WAAW,OAAO;;;;;;;;;CAc7B,MAAM,UAAU,YAAY;AAC1B,MAAI,OAAO;AACT,OAAI;AACF,UAAM,WAAW;KAAE,QAAQ;KAAgB,MAAM,EAAE;KAAE,CAAC;WAChD;AAGR,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;AACpD,OAAI,OAAO,UAAW,QAAO,WAAW;AACxC;;AAIF,MAAI;AACF,SAAM,OAAO,OAAO,gBAAuB,EAAE,CAAC;UACxC;AAGR,QAAM,SAAS;GAAE,aAAa;GAAM,QAAQ;GAAM,CAAC;AACnD,MAAI,OAAO,UAAW,QAAO,WAAW;;CAO1C,MAAM,mBAAmB,OAAO,EAC9B,wBAG4B;AAC5B,MAAI,CAAC,kBAAmB,QAAO;AAE/B,MAAI,OAAO;GAGT,MAAM,mBAAmB,iBAAiB;AAC1C,OACE,OAAO,WAAW,eAClB,CAAC,cAAc,iBAAiB,EAChC;AACA,0BAAsB;AACtB,WAAO;;GAGT,MAAM,qBAAqB;AAC3B,UAAO,MAAM,aAAa,4BAA4B,YAAY;AAEhE,QAAI,UAAU,mBAAoB,QAAO;AACzC,QAAI;KACF,MAAM,SAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM,EAAE,cAAc,MAAM;MAC7B,CAAC;AACF,SAAI,OAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,EAAE,OAAO,OAAO,OAAO,OAAO;MACtC,kBAAkB;MACnB,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ;MACR,kBAAkB;MACnB,CAAC;aAEG,OAAO;AACd,aAAQ,MAAM,uCAAuC,MAAM;AAC3D,SAAI,UAAU,KACZ,uBAAsB;;AAG1B,WAAO;KACP;;EAIJ,MAAM,6BAA6B;AACnC,SAAO,MAAM,aAAa,2BAA2B,YAAY;GAC/D,MAAM,4BAA4B;AAClC,OAAI,8BAA8B,2BAChC,QAAO;GAET,MAAM,eACH,MAAM,WAAW,0BAA0B,IAAK;AACnD,OAAI,CAAC,cAAc;AACjB,0BAAsB;AACtB,WAAO;;AAET,SAAM,sBACJ,EAAE,cAAc,EAChB,EAAE,kBAAkB,OAAO,CAC5B;AACD,UAAO;IACP;;CAOJ,MAAM,iBAAiB,YAAY;AACjC,MAAI,OAAO,WAAW,YAAa;AACnC,MAAI,iBAAkB;EACtB,MAAM,OAAO,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,OAAO;AACpE,MAAI,CAAC,KAAM;AACX,qBAAmB;AACnB,MAAI;AACF,SAAM,OAAO,QAAW,EAAE,MAAM,CAAC;GACjC,MAAM,UAAU,IAAI,IAAI,OAAO,SAAS,KAAK;AAC7C,WAAQ,aAAa,OAAO,OAAO;AACnC,SAAM,WAAW,QAAQ,WAAW,QAAQ,SAAS,QAAQ,KAAK;YAC1D;AACR,sBAAmB;;;CAQvB,MAAM,qBAAqB,YAAY;EACrC,MAAM,cAAe,MAAM,WAAW,gBAAgB,IAAK;AAC3D,QAAM,SAAS;GACb,aAAa;GACb,QAAQ,gBAAgB,OAAO,OAAO,EAAE,OAAO,aAAa;GAC7D,CAAC;;;;;;;;;;;;;CAkBJ,MAAM,YAAY,OAAiD;AACjE,KAAG,SAAS;EACZ,MAAM,gBAAgB,GAAG,SAAS;AAClC,cAAY,IAAI,QAAQ;AACxB,eAAa;AACX,eAAY,OAAO,QAAQ;;;AAS/B,KAAI,CAAC,SAAS,OAAO,WAAW,aAAa;EAC3C,MAAM,cAAc,IAAI,gBAAgB;EACxC,MAAM,WAAW,4BAA4B;EAC7C,MAAM,mBAAmB,SAAS;AAClC,MAAI,qBAAqB,OACvB,QAAO,oBAAoB,WAAW,iBAAiB;EAGzD,MAAM,aAAa,UAAwB;AACzC,IAAM,YAAY;AAChB,QAAI,MAAM,QAAQ,IAAI,gBAAgB,CAAE;AACxC,UAAM,SAAS;KACb,aAAa;KACb,QACE,MAAM,aAAa,OAAO,OAAO,EAAE,OAAO,MAAM,UAAU;KAC7D,CAAC;OACA;;AAEN,SAAO,iBAAiB,WAAW,UAAU;AAC7C,WAAS,eAAe;AACxB,iCAA+B;AAC7B,OAAI,SAAS,iBAAiB,UAC5B,QAAO,SAAS;AAElB,UAAO,oBAAoB,WAAW,UAAU;;;AAMpD,iBAAgB;AAGhB,KAAI,OAAO,WAAW,YACpB,KAAI,OAIF;MAAI,CAAC,eACH,CAAK,iBAAiB,EAAE,mBAAmB,MAAM,CAAC,CAAC,OAChD,UAAmB;AAClB,WAAQ,MAAM,6CAA6C,MAAM;IAEpE;OAIH,EAAM,YAAY;AAChB,MAAI;AACF,SAAM,oBAAoB;AAC1B,SAAM,gBAAgB;WACf,OAAgB;AACvB,WAAQ,MAAM,+CAA+C,MAAM;AACnE,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;;KAEpD;;;;;CAYR,MAAM,mBAAmB,WAAgC;EACvD,MAAM,QAAQ,IAAI,WAAW,OAAO;EACpC,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,IACpC,WAAU,OAAO,aAAa,MAAM,GAAI;AAE1C,SAAO,KAAK,OAAO,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,GAAG;;CAGhF,MAAM,mBAAmB,QAA4B;EACnD,MAAM,SAAS,IAAI,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;EACxD,MAAM,SAAS,KAAK,OAAO;EAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,OAAM,KAAK,OAAO,WAAW,EAAE;AAEjC,SAAO;;AAskBT,QAAO;EAEL,IAAI,QAAmB;AACrB,UAAO;;EAGT;EAEA;EAEA;EAEA,SA/kBc;GAId,mBAA4B;AAC1B,WACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB;;GAa1C,qBAAqB,YAA8B;AACjD,QAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAI,OAAO,OAAO,wBAAwB,YAAa,QAAO;AAC9D,QACE,OACE,OAAO,oBACP,oCAAoC,WAEtC,QAAO;AAET,WACE,OAAO,oBACP,iCAAiC;;GAwBrC,UAAU,OACR,SAM0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACb,UAAU,MAAM;KAChB,iBAAiB,MAAM;KACxB;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,qDAAqD;IAGvE,MAAMC,YAAU,aAAa;IAG7B,MAAM,gBAA2C,EAC/C,WAAW;KACT,IAAIA,UAAQ;KACZ,MAAM;MACJ,IAAI,gBAAgBA,UAAQ,KAAK,GAAG,CAAC;MACrC,MAAMA,UAAQ,KAAK;MACnB,aAAaA,UAAQ,KAAK;MAC3B;KACD,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;KAC9C,kBAAkBA,UAAQ;KAC1B,SAASA,UAAQ;KACjB,aAAaA,UAAQ;KACrB,wBAAwBA,UAAQ;KAChC,qBAAqBA,UAAQ,sBAAsB,EAAE,EAAE,KACpD,UAAe;MACd,MAAM,KAAK,QAAQ;MACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;MAC7B,YAAY,KAAK;MAClB,EACF;KACF,EACF;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,OAC9C,cACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,qCAAqC;IAGvD,MAAM,WACJ,WAAW;IAGb,MAAM,aACJ,OAAO,SAAS,kBAAkB,aAC9B,SAAS,eAAe,GACxB;IAEN,MAAM,eAAe;KACnB,MAAM;KACN,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D;KACA,aAAa,MAAM;KACnB,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MAGF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,qBAAqB;MACzB,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC1C,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAmB;MAC1D,CAAC;SAEF,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQ,aAAa;MACrB,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAmB;MAC1D,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GA6B7B,cAAc,OACZ,SAC0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,uDAAuD;IAGzE,MAAMA,YAAU,aAAa;IAG7B,MAAM,aAAuC;KAC3C,WAAW;MACT,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;MAC9C,SAASA,UAAQ;MACjB,MAAMA,UAAQ;MACd,kBAAkBA,UAAQ;MAC1B,mBAAmBA,UAAQ,oBAAoB,EAAE,EAAE,KAChD,UAAe;OACd,MAAM,KAAK,QAAQ;OACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;OAC7B,YAAY,KAAK;OAClB,EACF;MACF;KACD,GAAI,MAAM,WAAW,EAAE,WAAW,eAAsB,GAAG,EAAE;KAC9D;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,IAC9C,WACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,uCAAuC;IAGzD,MAAM,WACJ,WAAW;IAEb,MAAM,eAAe;KACnB,MAAM;KACN,cAAc,gBAAgB,WAAW,MAAM;KAC/C,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D,WAAW,gBAAgB,SAAS,UAAU;KAC/C;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,qBAAqB;MACzB,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC1C,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAe;MACtD,CAAC;SAEF,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQ,aAAa;MACrB,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAe;MACtD,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GAE9B;EAkRC,MAhRW;GAYX,OAAO,OACL,SAC+E;IAC/E,MAAM,SAA8B,EAAE,MAAM,SAAS;AACrD,QAAI,MAAM,KAAM,QAAO,OAAO,KAAK;AACnC,QAAI,MAAM,YAAa,QAAO,cAAc,KAAK;AAEjD,QAAI,OAAO;KACT,MAAMD,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ;MACnC,CAAC;AACF,YAAO;MAAE,KAAKA,SAAO,UAAU;MAAK,QAAQA,SAAO,UAAU;MAAQ,UAAUA,SAAO;MAAU,QAAQA,SAAO,UAAU;MAAQ;;IAGnI,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACD,CAAC;AACF,WAAO;KAAE,KAAK,OAAO,UAAU;KAAK,QAAQ,OAAO,UAAU;KAAQ,UAAU,OAAO;KAAU,QAAQ,OAAO,UAAU;KAAQ;;GAUnI,SAAS,OAAO,SAIK;IACnB,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACX,QAAQ,KAAK;KACd;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACtE,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAQ,MAAM;OAAW;MAC/C,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,qBAAqB;KACzB,aAAa;KACb,QAAS,OAAO,UAAiC;KACjD,kBAAkB;KAClB,SAAS;MAAE,UAAU;MAAQ,MAAM;MAAW;KAC/C,CAAC;;GAgBN,QAAQ,OAAO,SAA4D;IACzE,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACZ;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACtE,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAQ,MAAM;OAAU;MAC9C,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,qBAAqB;KACzB,aAAa;KACb,QAAS,OAAO,UAAiC;KACjD,kBAAkB;KAClB,SAAS;MAAE,UAAU;MAAQ,MAAM;MAAU;KAC9C,CAAC;;GAGP;EA+IC,QA7Ia;GAoBb,MAAM,OAAO,SAA0C;IACrD,MAAM,aAAa,KAAK,WAAW;IACnC,MAAM,YAAY,KAAK,KAAK,GAAG,KAAK,YAAY;AAEhD,WAAO,KAAK,KAAK,GAAG,WAAW;AAC7B,WAAM,IAAI,SAAS,YAAY,WAAW,SAAS,WAAW,CAAC;AAE/D,SAAI;MACF,IAAI;MACJ,MAAM,SAA8B;OAClC,MAAM;OACN,YAAY,KAAK;OAClB;AAED,UAAI,MACF,UAAS,MAAM,WAAW;OACxB,QAAQ;OACR,MAAM;QAAE,UAAU;QAAU;QAAQ;OACrC,CAAC;UAEF,UAAS,MAAM,OAAO,OAAO,eAAsB;OACjD,UAAU;OACV;OACD,CAAC;AAIJ,UAAI,OAAO,QAAQ;AACjB,WAAI,MACF,OAAM,qBAAqB;QACzB,aAAa;QACb,QACE,OAAO,WAAW,OACd,OACA,EAAE,OAAO,OAAO,OAAO,OAAO;QACpC,kBAAkB;QAClB,SAAS;SAAE,UAAU;SAAU,MAAM;SAAQ;QAC9C,CAAC;WAEF,OAAM,qBAAqB;QACzB,aAAa;QACb,QAAS,OAAO,UAAiC;QACjD,kBAAkB;QAClB,SAAS;SAAE,UAAU;SAAU,MAAM;SAAQ;QAC9C,CAAC;AAEJ;;cAEK,GAAY;AAEnB,UAAI,aAAa,aAAa;OAE5B,MAAM,QADO,EAAE,MACK;AACpB,WAAI,UAAU,+BACZ;AAEF,WAAI,UAAU,oBAAoB;AAEhC,cAAM,IAAI,SAAS,YACjB,WAAW,SAAS,WAAW,CAChC;AACD;;;AAIJ,YAAM;;;AAIV,UAAM,IAAI,MAAM,kCAAkC;;GAgBpD,QAAQ,OAAO,aAAoC;IACjD,MAAM,SAA8B;KAClC,MAAM;KACN;KACD;AAED,QAAI,MACF,OAAM,WAAW;KACf,QAAQ;KACR,MAAM;MAAE,UAAU;MAAU;MAAQ;KACrC,CAAC;QAEF,OAAM,OAAO,OAAO,eAAsB;KACxC,UAAU;KACV;KACD,CAAC;;GAGP;EAoBC,eAAe;AACb,eAAY;AACZ,0BAAuB,WAAW;IAChC,MAAM;IACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,aACT,CAAC;IACH,CAAC;AACF,6BAA0B;AAC1B,eAAY,OAAO;;EAEtB;;AAOH,eAAe,aACb,KACA,UACY;CACZ,MAAM,cAAe,YAAoB,WAAW;AACpD,QAAO,gBAAgB,SACnB,MAAM,YAAY,QAAQ,KAAK,SAAS,GACxC,MAAM,YAAY,KAAK,SAAS;;AAGtC,SAAS,6BAA4E;CACnF,MAAM,YAAY;AAClB,KAAI,UAAU,iCAAiC,OAC7C,WAAU,+BAA+B,EAAE;AAK7C,QAAO,UAAU;;AAMnB,SAAS,sBAAqD;CAC5D,MAAM,YAAY;AAClB,KAAI,UAAU,2BAA2B,OACvC,WAAU,yBAAyB,EAAE;AAEvC,QAAO,UAAU;;AAGnB,eAAe,YACb,KACA,UACY;CACZ,MAAM,aAAa,qBAAqB;CACxC,MAAM,eAAe,WAAW,QAAQ,QAAQ,SAAS;CAEzD,IAAI;CACJ,MAAM,cAAc,IAAI,SAAe,YAAY;AACjD,mBAAiB;GACjB;AAEF,YAAW,OAAO,aAAa,WACvB,mBACA,YACP;AAED,KAAI;AACF,QAAM;AACN,SAAO,MAAM,UAAU;WACf;AACR,oBAAkB;AAClB,MAAI,WAAW,SAAS,YACtB,QAAO,WAAW"}
1
+ {"version":3,"file":"index.js","names":["url","result","options"],"sources":["../../src/client/index.ts"],"sourcesContent":["import { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError, Value } from \"convex/values\";\nimport { AUTH_ERRORS } from \"../server/errors\";\n\n// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.\nexport {\n isAuthError,\n parseAuthError,\n AUTH_ERRORS,\n type AuthErrorCode,\n} from \"../server/errors\";\n\n/**\n * Structural interface for any Convex client.\n * Satisfied by `ConvexClient` (`convex/browser`),\n * `ConvexReactClient` (`convex/react`), and similar transports.\n *\n * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`\n * but not on the simplified `ConvexClient`. When available we call it\n * during sign-out for a clean deauthentication.\n */\ninterface ConvexTransport {\n action(action: any, args: any): Promise<any>;\n setAuth(\n fetchToken: (args: {\n forceRefreshToken: boolean;\n }) => Promise<string | null | undefined>,\n onChange?: (isAuthenticated: boolean) => void,\n ): void;\n clearAuth?(): void;\n}\n\n/** Pluggable key-value storage (defaults to `localStorage`). */\nexport interface Storage {\n getItem(\n key: string,\n ): string | null | undefined | Promise<string | null | undefined>;\n setItem(key: string, value: string): void | Promise<void>;\n removeItem(key: string): void | Promise<void>;\n}\n\ntype AuthSession = {\n token: string;\n refreshToken: string;\n};\n\n/**\n * Device code response returned when signing in with the `\"device\"` provider.\n *\n * The device displays the `userCode` (or `verificationUriComplete`) and\n * polls via `auth.device.poll()` until the user authorizes.\n */\nexport type DeviceCodeResult = {\n /** High-entropy device code used for polling (keep secret). */\n deviceCode: string;\n /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n userCode: string;\n /** Base verification URL (e.g. \"https://myapp.com/device\"). */\n verificationUri: string;\n /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */\n verificationUriComplete: string;\n /** Lifetime of the codes in seconds. */\n expiresIn: number;\n /** Minimum polling interval in seconds. */\n interval: number;\n};\n\n/**\n * Result of a `signIn` call.\n *\n * - `signingIn: true` — credentials were accepted and the user is authenticated.\n * - `redirect` — OAuth flow initiated; redirect the user to `redirect.toString()`.\n * - `totpRequired` — credentials valid but 2FA is needed; call `auth.totp.verify()`.\n * - `deviceCode` — device flow initiated; display the code and poll via `auth.device.poll()`.\n * - `verifier` — opaque string for multi-step flows (TOTP, passkey).\n */\nexport type SignInResult = {\n /** `true` when sign-in completed and the user is authenticated. */\n signingIn: boolean;\n /** OAuth redirect URL. Present when the provider requires a browser redirect. */\n redirect?: URL;\n /** `true` when the account has TOTP enabled and a code is required. */\n totpRequired?: boolean;\n /** Device code response for the device authorization flow (RFC 8628). */\n deviceCode?: DeviceCodeResult;\n /** Opaque verifier for multi-step flows (pass to `totp.verify` or passkey phase 2). */\n verifier?: string;\n};\n\n/** Reactive auth state snapshot returned by `auth.state` and `auth.onChange`. */\nexport type AuthState = {\n /** High-level auth phase for deterministic UI state handling. */\n phase: \"loading\" | \"handshake\" | \"authenticated\" | \"unauthenticated\";\n /** `true` during initial hydration before the first token is resolved. */\n isLoading: boolean;\n /** `true` only after Convex confirms authentication with the backend. */\n isAuthenticated: boolean;\n /** The raw JWT string, or `null` when not authenticated. */\n token: string | null;\n};\n\n/** Options for {@link client}. */\nexport type ClientOptions = {\n /** Any Convex client (`ConvexClient` or `ConvexReactClient`). */\n convex: ConvexTransport;\n /**\n * Convex deployment URL. Derived automatically from the client internals\n * when omitted — pass explicitly only if auto-detection fails.\n */\n url?: string;\n /**\n * Key-value storage for persisting tokens.\n *\n * - Defaults to `localStorage` in SPA mode.\n * - Defaults to `null` (in-memory only) when `proxy` is set,\n * since httpOnly cookies handle persistence.\n */\n storage?: Storage | null;\n /** Override how the URL bar is updated after OAuth code exchange. */\n replaceURL?: (relativeUrl: string) => void | Promise<void>;\n /**\n * SSR proxy endpoint (e.g. `\"/api/auth\"`).\n *\n * When set, `signIn`/`signOut`/token refresh POST to this URL\n * (with `credentials: \"include\"`) instead of calling Convex directly.\n * The server handles httpOnly cookies for token persistence.\n *\n * Pair with {@link ClientOptions.token} for flash-free SSR hydration.\n */\n proxy?: string;\n /**\n * JWT from server-side hydration.\n *\n * In proxy mode the server reads the JWT from an httpOnly cookie\n * and passes it to the client during SSR. This avoids a loading\n * flash on first render — the client is immediately authenticated.\n */\n token?: string | null;\n};\n\nconst VERIFIER_STORAGE_KEY = \"__convexAuthOAuthVerifier\";\nconst JWT_STORAGE_KEY = \"__convexAuthJWT\";\nconst REFRESH_TOKEN_STORAGE_KEY = \"__convexAuthRefreshToken\";\n\nconst RETRY_BACKOFF = [500, 2000];\nconst RETRY_JITTER = 100;\nconst AUTH_HANDSHAKE_TIMEOUT_MS = 5000;\n\ntype AuthHandshakeErrorCode =\n | \"AUTH_HANDSHAKE_TIMEOUT\"\n | \"AUTH_HANDSHAKE_REJECTED\";\n\ntype AuthFlowContext = {\n provider?: string;\n flow: string;\n};\n\ntype HandshakeWaiter = {\n epoch: number;\n context: AuthFlowContext;\n resolve: () => void;\n reject: (error: ConvexError<Value>) => void;\n timeoutId: ReturnType<typeof setTimeout>;\n};\n\n/**\n * Resolve the Convex deployment URL from the client.\n *\n * `ConvexReactClient` exposes `.url` directly.\n * `ConvexClient` exposes `.client.url` via `BaseConvexClient`.\n */\nfunction resolveUrl(convex: ConvexTransport, explicit?: string): string {\n if (explicit) return explicit;\n const c = convex as any;\n const url: unknown = c.url ?? c.client?.url;\n if (typeof url === \"string\") return url;\n throw new Error(\n \"Could not determine Convex deployment URL. Pass `url` explicitly.\",\n );\n}\n\n/**\n * Create a framework-agnostic auth client.\n *\n * Returns an object with `signIn`, `signOut`, `onChange`, `state`,\n * `passkey`, and `totp` — everything needed for client-side auth.\n *\n * ### SPA mode (default)\n *\n * ```ts\n * import { ConvexClient } from 'convex/browser';\n * import { client } from '@robelest/convex-auth/client';\n *\n * const convex = new ConvexClient(CONVEX_URL);\n * const auth = client({ convex });\n * ```\n *\n * ### SSR / proxy mode\n *\n * ```ts\n * const auth = client({\n * convex,\n * proxy: '/api/auth',\n * token: tokenFromServer, // JWT read from httpOnly cookie during SSR\n * });\n * ```\n *\n * In proxy mode all auth operations go through the proxy URL.\n * Tokens are stored in httpOnly cookies server-side — the client\n * holds the JWT in memory only.\n *\n * @param options - Client configuration. See {@link ClientOptions}.\n * @returns Auth client with `signIn`, `signOut`, `onChange`, `state`, `passkey`, and `totp`.\n */\nexport function client(options: ClientOptions) {\n const { convex, proxy } = options;\n\n // In proxy mode, default storage to null (cookies handle persistence).\n const storage =\n options.storage !== undefined\n ? options.storage\n : proxy\n ? null\n : typeof window === \"undefined\"\n ? null\n : window.localStorage;\n\n const replaceURL =\n options.replaceURL ??\n ((url: string) => {\n if (typeof window !== \"undefined\") {\n window.history.replaceState({}, \"\", url);\n }\n });\n\n const url = proxy ? undefined : resolveUrl(convex, options.url);\n const escapedNamespace = proxy\n ? proxy.replace(/[^a-zA-Z0-9]/g, \"\")\n : url!.replace(/[^a-zA-Z0-9]/g, \"\");\n const key = (name: string) => `${name}_${escapedNamespace}`;\n const subscribers = new Set<() => void>();\n let disposeStorageListener: (() => void) | null = null;\n\n // Unauthenticated HTTP client for code verification & OAuth exchange.\n // Only needed in SPA mode — proxy mode routes everything through the proxy.\n const httpClient = proxy ? null : new ConvexHttpClient(url!);\n\n // ---------------------------------------------------------------------------\n // State\n // ---------------------------------------------------------------------------\n\n // If a server-provided token was supplied (SSR hydration), treat it as\n // immediately authenticated to avoid a handshake-only loading screen.\n const serverToken =\n typeof options.token === \"string\" && options.token.trim().length > 0\n ? options.token\n : null;\n const hasServerToken = serverToken !== null;\n\n let token: string | null = serverToken;\n let isLoading = !hasServerToken;\n let authConfirmed = hasServerToken;\n let handshakePending = false;\n let authEpoch = 0;\n let destroyed = false;\n const handshakeWaiters = new Set<HandshakeWaiter>();\n let snapshot: AuthState = {\n phase: hasServerToken\n ? \"authenticated\"\n : isLoading\n ? \"loading\"\n : \"unauthenticated\",\n isLoading,\n isAuthenticated: hasServerToken,\n token,\n };\n let handlingCodeFlow = false;\n\n const createHandshakeError = (\n code: AuthHandshakeErrorCode,\n context: Record<string, unknown>,\n ) => {\n return new ConvexError({\n code,\n message: AUTH_ERRORS[code],\n ...context,\n } as Value);\n };\n\n const settleHandshakeWaiters = (\n epoch: number,\n outcome:\n | { type: \"resolve\" }\n | { type: \"reject\"; error: ConvexError<Value> },\n ) => {\n for (const waiter of Array.from(handshakeWaiters)) {\n if (waiter.epoch !== epoch) {\n continue;\n }\n clearTimeout(waiter.timeoutId);\n handshakeWaiters.delete(waiter);\n if (outcome.type === \"resolve\") {\n waiter.resolve();\n } else {\n waiter.reject(outcome.error);\n }\n }\n };\n\n const rejectObsoleteHandshakeWaiters = (activeEpoch: number) => {\n for (const waiter of Array.from(handshakeWaiters)) {\n if (waiter.epoch >= activeEpoch) {\n continue;\n }\n clearTimeout(waiter.timeoutId);\n handshakeWaiters.delete(waiter);\n waiter.reject(\n createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n ...waiter.context,\n reason: \"token_changed\",\n }),\n );\n }\n };\n\n const waitForAuthHandshake = async (context: AuthFlowContext) => {\n if (token === null) {\n return;\n }\n if (authConfirmed && !handshakePending) {\n return;\n }\n if (!handshakePending) {\n throw createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n ...context,\n reason: \"auth_rejected\",\n });\n }\n\n const epoch = authEpoch;\n await new Promise<void>((resolve, reject) => {\n const waiterRef: { current: HandshakeWaiter | null } = { current: null };\n const timeoutId = setTimeout(() => {\n if (waiterRef.current !== null) {\n handshakeWaiters.delete(waiterRef.current);\n }\n reject(\n createHandshakeError(\"AUTH_HANDSHAKE_TIMEOUT\", {\n ...context,\n timeoutMs: AUTH_HANDSHAKE_TIMEOUT_MS,\n }),\n );\n }, AUTH_HANDSHAKE_TIMEOUT_MS);\n\n const waiter: HandshakeWaiter = {\n epoch,\n context,\n resolve,\n reject,\n timeoutId,\n };\n waiterRef.current = waiter;\n handshakeWaiters.add(waiter);\n });\n };\n\n const handleConvexAuthChange = (isAuthenticated: boolean) => {\n if (destroyed) {\n return;\n }\n\n if (isAuthenticated) {\n authConfirmed = true;\n handshakePending = false;\n settleHandshakeWaiters(authEpoch, { type: \"resolve\" });\n } else {\n authConfirmed = false;\n // Do not reject immediately while a handshake is pending.\n // Convex can transiently emit `false` while reauth is still in flight,\n // and a subsequent `true` confirms the same session.\n }\n\n if (updateSnapshot()) {\n notify();\n }\n };\n\n const notify = () => {\n for (const cb of subscribers) cb();\n };\n\n const updateSnapshot = () => {\n let phase: AuthState[\"phase\"];\n if (token !== null && handshakePending) {\n phase = \"handshake\";\n } else if (isLoading) {\n phase = \"loading\";\n } else if (token !== null && authConfirmed) {\n phase = \"authenticated\";\n } else {\n phase = \"unauthenticated\";\n }\n\n const next: AuthState = {\n phase,\n isLoading: phase === \"loading\" || phase === \"handshake\",\n isAuthenticated: phase === \"authenticated\",\n token,\n };\n if (\n snapshot.phase === next.phase &&\n snapshot.isLoading === next.isLoading &&\n snapshot.isAuthenticated === next.isAuthenticated &&\n snapshot.token === next.token\n ) {\n return false;\n }\n snapshot = next;\n return true;\n };\n\n const finalizeLoadingState = () => {\n if (!isLoading) {\n return;\n }\n isLoading = false;\n if (updateSnapshot()) {\n notify();\n }\n };\n\n // ---------------------------------------------------------------------------\n // Storage helpers (SPA mode only)\n // ---------------------------------------------------------------------------\n\n const storageGet = async (name: string) => {\n if (!storage) {\n return null;\n }\n try {\n return (await storage.getItem(key(name))) ?? null;\n } catch (error) {\n console.error(`[convex-auth] Failed to read ${name} from storage:`, error);\n return null;\n }\n };\n const storageSet = async (name: string, value: string) => {\n if (!storage) {\n return;\n }\n try {\n await storage.setItem(key(name), value);\n } catch (error) {\n console.error(`[convex-auth] Failed to write ${name} to storage:`, error);\n }\n };\n const storageRemove = async (name: string) => {\n if (!storage) {\n return;\n }\n try {\n await storage.removeItem(key(name));\n } catch (error) {\n console.error(`[convex-auth] Failed to remove ${name} from storage:`, error);\n }\n };\n\n // ---------------------------------------------------------------------------\n // Token management\n // ---------------------------------------------------------------------------\n\n const bindConvexAuth = () => {\n convex.setAuth(fetchAccessToken, handleConvexAuthChange);\n };\n\n const setToken = async (\n args:\n | {\n shouldStore: true;\n tokens: AuthSession | null;\n requireHandshake?: boolean;\n resyncConvexAuth?: boolean;\n }\n | {\n shouldStore: false;\n tokens: { token: string } | null;\n requireHandshake?: boolean;\n resyncConvexAuth?: boolean;\n },\n ) => {\n const previousToken = token;\n\n if (args.tokens === null) {\n token = null;\n if (args.shouldStore) {\n await storageRemove(JWT_STORAGE_KEY);\n await storageRemove(REFRESH_TOKEN_STORAGE_KEY);\n }\n } else {\n token = args.tokens.token;\n if (args.shouldStore && \"refreshToken\" in args.tokens) {\n await storageSet(JWT_STORAGE_KEY, args.tokens.token);\n await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);\n }\n }\n\n if (token !== previousToken) {\n authEpoch += 1;\n rejectObsoleteHandshakeWaiters(authEpoch);\n }\n\n if (token === null) {\n authConfirmed = false;\n handshakePending = false;\n settleHandshakeWaiters(authEpoch, {\n type: \"reject\",\n error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n reason: \"token_cleared\",\n }),\n });\n } else {\n const shouldEnterHandshake =\n args.requireHandshake === true || !authConfirmed;\n if (shouldEnterHandshake) {\n authConfirmed = false;\n handshakePending = true;\n } else {\n handshakePending = false;\n }\n }\n\n const hadPendingLoad = isLoading;\n isLoading = false;\n const changed = updateSnapshot();\n if (args.resyncConvexAuth !== false) {\n bindConvexAuth();\n }\n if (hadPendingLoad || changed) {\n notify();\n }\n };\n\n const setTokenAndMaybeWait = async (\n args:\n | {\n shouldStore: true;\n tokens: AuthSession | null;\n waitForHandshake: boolean;\n context: AuthFlowContext;\n }\n | {\n shouldStore: false;\n tokens: { token: string } | null;\n waitForHandshake: boolean;\n context: AuthFlowContext;\n },\n ): Promise<boolean> => {\n const { waitForHandshake, context, ...tokenArgs } = args;\n await setToken({\n ...(tokenArgs as\n | { shouldStore: true; tokens: AuthSession | null }\n | { shouldStore: false; tokens: { token: string } | null }),\n requireHandshake: waitForHandshake,\n });\n if (tokenArgs.tokens === null) {\n return false;\n }\n if (waitForHandshake) {\n await waitForAuthHandshake(context);\n }\n return true;\n };\n\n // ---------------------------------------------------------------------------\n // Proxy fetch helper\n // ---------------------------------------------------------------------------\n\n const resolveProxyUrl = () => {\n const origin =\n typeof window !== \"undefined\" &&\n typeof window.location?.origin === \"string\"\n ? window.location.origin\n : typeof location !== \"undefined\" && typeof location.origin === \"string\"\n ? location.origin\n : null;\n if (origin !== null) {\n return new URL(proxy!, origin).toString();\n }\n try {\n return new URL(proxy!).toString();\n } catch {\n return proxy!;\n }\n };\n\n const isAbsoluteUrl = (value: string) => {\n try {\n new URL(value);\n return true;\n } catch {\n return false;\n }\n };\n\n const proxyFetch = async (body: Record<string, unknown>) => {\n const proxyUrl = resolveProxyUrl();\n if (typeof window === \"undefined\" && !isAbsoluteUrl(proxyUrl)) {\n throw new Error(\n `Cannot call relative proxy URL \\`${proxy!}\\` without a browser origin. ` +\n \"Pass an absolute proxy URL for server runtimes.\",\n );\n }\n\n const response = await fetch(proxyUrl, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n credentials: \"include\",\n body: JSON.stringify(body),\n });\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({} as Record<string, unknown>));\n // Reconstruct ConvexError when the proxy forwards structured auth error data.\n if (\n typeof errorBody === \"object\" &&\n errorBody !== null &&\n \"authError\" in errorBody &&\n typeof (errorBody as Record<string, unknown>).authError === \"object\"\n ) {\n throw new ConvexError((errorBody as Record<string, unknown>).authError as Value);\n }\n throw new Error(\n (errorBody as Record<string, unknown>).error as string ??\n `Proxy request failed: ${response.status}`,\n );\n }\n try {\n return await response.json();\n } catch {\n throw new Error(\"Proxy response was not valid JSON\");\n }\n };\n\n // ---------------------------------------------------------------------------\n // Code verification with retries (SPA mode only)\n // ---------------------------------------------------------------------------\n\n const verifyCode = async (\n args: { code: string; verifier?: string } | { refreshToken: string },\n ) => {\n let lastError: unknown;\n for (let retry = 0; retry <= RETRY_BACKOFF.length; retry++) {\n try {\n return await httpClient!.action(\n \"auth:signIn\" as any,\n \"code\" in args\n ? { params: { code: args.code }, verifier: args.verifier }\n : args,\n );\n } catch (e) {\n lastError = e;\n const isNetworkError =\n e instanceof TypeError ||\n (e instanceof Error &&\n /(network|fetch|load failed|failed to fetch)/i.test(\n e.message || \"\",\n ));\n if (!isNetworkError) break;\n if (retry >= RETRY_BACKOFF.length) {\n break;\n }\n const wait = RETRY_BACKOFF[retry]! + RETRY_JITTER * Math.random();\n await new Promise((resolve) => setTimeout(resolve, wait));\n }\n }\n throw lastError;\n };\n\n const verifyCodeAndSetToken = async (\n args: { code: string; verifier?: string } | { refreshToken: string },\n opts?: { resyncConvexAuth?: boolean },\n ) => {\n const { tokens } = await verifyCode(args);\n await setToken({\n shouldStore: true,\n tokens: (tokens as AuthSession | null) ?? null,\n resyncConvexAuth: opts?.resyncConvexAuth,\n });\n return tokens !== null;\n };\n\n // ---------------------------------------------------------------------------\n // signIn\n // ---------------------------------------------------------------------------\n\n /**\n * Sign in with a provider.\n *\n * @param provider - Provider ID (e.g. `\"email\"`, `\"password\"`, `\"google\"`).\n * Omit when exchanging an OAuth code (the code carries the provider info).\n * @param args - Provider-specific arguments. Pass a `Record<string, Value>`\n * or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.\n * @returns A {@link SignInResult} indicating the outcome.\n *\n * @example Email magic link\n * ```ts\n * await auth.signIn('email', { email: 'user@example.com' });\n * ```\n *\n * @example Password\n * ```ts\n * const result = await auth.signIn('password', { email, password, flow: 'signIn' });\n * if (result.totpRequired) {\n * await auth.totp.verify({ code: totpCode, verifier: result.verifier! });\n * }\n * ```\n *\n * @example OAuth (triggers redirect)\n * ```ts\n * await auth.signIn('google'); // redirects to Google\n * ```\n */\n const signIn = async (\n provider?: string,\n args?: FormData | Record<string, Value>,\n ): Promise<SignInResult> => {\n const params =\n args instanceof FormData\n ? Array.from(args.entries()).reduce(\n (acc, [k, v]) => {\n acc[k] = v as string;\n return acc;\n },\n {} as Record<string, string>,\n )\n : args ?? {};\n const flow =\n typeof params.flow === \"string\" && params.flow.length > 0\n ? params.flow\n : \"signIn\";\n\n if (proxy) {\n // Proxy mode: POST to the proxy endpoint.\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider, params },\n });\n if (result.redirect !== undefined) {\n const redirectUrl = new URL(result.redirect);\n // Verifier is stored server-side in an httpOnly cookie.\n if (typeof window !== \"undefined\") {\n window.location.href = redirectUrl.toString();\n }\n return { signingIn: false, redirect: redirectUrl };\n }\n if (result.totpRequired) {\n return { signingIn: false, totpRequired: true, verifier: result.verifier };\n }\n if (result.deviceCode !== undefined) {\n return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n }\n if (result.tokens !== undefined) {\n // Proxy returns { token, refreshToken: \"dummy\" }.\n // Store JWT in memory only — real refresh token is in httpOnly cookie.\n const signingIn = await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n result.tokens === null ? null : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider, flow },\n });\n return { signingIn };\n }\n return { signingIn: false };\n }\n\n // SPA mode: call Convex directly.\n const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;\n await storageRemove(VERIFIER_STORAGE_KEY);\n const result = await convex.action(\"auth:signIn\" as any, {\n provider,\n params,\n verifier,\n });\n if (result.redirect !== undefined) {\n const redirectUrl = new URL(result.redirect);\n await storageSet(VERIFIER_STORAGE_KEY, result.verifier!);\n if (typeof window !== \"undefined\") {\n window.location.href = redirectUrl.toString();\n }\n return { signingIn: false, redirect: redirectUrl };\n }\n if (result.totpRequired) {\n return { signingIn: false, totpRequired: true, verifier: result.verifier };\n }\n if (result.deviceCode !== undefined) {\n return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };\n }\n if (result.tokens !== undefined) {\n const signingIn = await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider, flow },\n });\n return { signingIn };\n }\n return { signingIn: false };\n };\n\n // ---------------------------------------------------------------------------\n // signOut\n // ---------------------------------------------------------------------------\n\n /**\n * Sign out the current user.\n *\n * Invalidates the server session and clears local token state.\n * Errors are silently caught — calling `signOut` on an already\n * signed-out user is a no-op.\n */\n const signOut = async () => {\n if (proxy) {\n try {\n await proxyFetch({ action: \"auth:signOut\", args: {} });\n } catch {\n // Already signed out is fine.\n }\n await setToken({ shouldStore: false, tokens: null });\n if (convex.clearAuth) convex.clearAuth();\n return;\n }\n\n // SPA mode.\n try {\n await convex.action(\"auth:signOut\" as any, {});\n } catch {\n // Already signed out is fine.\n }\n await setToken({ shouldStore: true, tokens: null });\n if (convex.clearAuth) convex.clearAuth();\n };\n\n // ---------------------------------------------------------------------------\n // fetchAccessToken — called by convex.setAuth()\n // ---------------------------------------------------------------------------\n\n const fetchAccessToken = async ({\n forceRefreshToken,\n }: {\n forceRefreshToken: boolean;\n }): Promise<string | null> => {\n if (!forceRefreshToken) return token;\n\n if (proxy) {\n // Proxy mode: POST to the proxy to refresh.\n // The proxy reads the real refresh token from the httpOnly cookie.\n const resolvedProxyUrl = resolveProxyUrl();\n if (\n typeof window === \"undefined\" &&\n !isAbsoluteUrl(resolvedProxyUrl)\n ) {\n finalizeLoadingState();\n return token;\n }\n\n const tokenBeforeRefresh = token;\n return await browserMutex(\"__convexAuthProxyRefresh\", async () => {\n // Another tab/call may have already refreshed.\n if (token !== tokenBeforeRefresh) return token;\n try {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { refreshToken: true },\n });\n if (result.tokens) {\n await setToken({\n shouldStore: false,\n tokens: { token: result.tokens.token },\n resyncConvexAuth: false,\n });\n } else {\n await setToken({\n shouldStore: false,\n tokens: null,\n resyncConvexAuth: false,\n });\n }\n } catch (error) {\n console.error(\"[convex-auth] Proxy refresh failed:\", error);\n if (token === null) {\n finalizeLoadingState();\n }\n }\n return token;\n });\n }\n\n // SPA mode: refresh via localStorage + httpClient.\n const tokenBeforeLockAcquisition = token;\n return await browserMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {\n const tokenAfterLockAcquisition = token;\n if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) {\n return tokenAfterLockAcquisition;\n }\n const refreshToken =\n (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;\n if (!refreshToken) {\n finalizeLoadingState();\n return null;\n }\n await verifyCodeAndSetToken(\n { refreshToken },\n { resyncConvexAuth: false },\n );\n return token;\n });\n };\n\n // ---------------------------------------------------------------------------\n // OAuth code flow (SPA mode only — server handles this in proxy mode)\n // ---------------------------------------------------------------------------\n\n const handleCodeFlow = async () => {\n if (typeof window === \"undefined\") return;\n if (handlingCodeFlow) return;\n const code = new URLSearchParams(window.location.search).get(\"code\");\n if (!code) return;\n handlingCodeFlow = true;\n try {\n await signIn(undefined, { code });\n const codeUrl = new URL(window.location.href);\n codeUrl.searchParams.delete(\"code\");\n await replaceURL(codeUrl.pathname + codeUrl.search + codeUrl.hash);\n } finally {\n handlingCodeFlow = false;\n }\n };\n\n // ---------------------------------------------------------------------------\n // Hydrate from storage (SPA mode only)\n // ---------------------------------------------------------------------------\n\n const hydrateFromStorage = async () => {\n const storedToken = (await storageGet(JWT_STORAGE_KEY)) ?? null;\n await setToken({\n shouldStore: false,\n tokens: storedToken === null ? null : { token: storedToken },\n });\n };\n\n // ---------------------------------------------------------------------------\n // Subscribe\n // ---------------------------------------------------------------------------\n\n /**\n * Subscribe to auth state changes. Invokes the callback immediately\n * with the current state, then again on every state transition.\n *\n * ```ts\n * const unsub = auth.onChange(setState);\n * ```\n *\n * @param cb - Callback receiving the latest {@link AuthState}.\n * @returns An unsubscribe function.\n */\n const onChange = (cb: (state: AuthState) => void): (() => void) => {\n cb(snapshot);\n const wrapped = () => cb(snapshot);\n subscribers.add(wrapped);\n return () => {\n subscribers.delete(wrapped);\n };\n };\n\n // ---------------------------------------------------------------------------\n // Initialization\n // ---------------------------------------------------------------------------\n\n // Cross-tab sync via storage events (SPA mode only).\n if (!proxy && typeof window !== \"undefined\") {\n const registryKey = key(JWT_STORAGE_KEY);\n const registry = getStorageListenerRegistry();\n const existingListener = registry[registryKey];\n if (existingListener !== undefined) {\n window.removeEventListener(\"storage\", existingListener);\n }\n\n const onStorage = (event: StorageEvent) => {\n void (async () => {\n if (event.key !== key(JWT_STORAGE_KEY)) return;\n await setToken({\n shouldStore: false,\n tokens:\n event.newValue === null ? null : { token: event.newValue },\n });\n })();\n };\n window.addEventListener(\"storage\", onStorage);\n registry[registryKey] = onStorage;\n disposeStorageListener = () => {\n if (registry[registryKey] === onStorage) {\n delete registry[registryKey];\n }\n window.removeEventListener(\"storage\", onStorage);\n };\n }\n\n // Auto-wire: feed our tokens into the Convex client so\n // queries and mutations are automatically authenticated.\n bindConvexAuth();\n\n // Auto-hydrate and handle code flow.\n if (typeof window !== \"undefined\") {\n if (proxy) {\n // Proxy mode: eagerly resolve auth once on startup so routes that only\n // read auth state (and do not issue Convex queries yet) don't stay in\n // the initial loading phase.\n if (!hasServerToken) {\n void fetchAccessToken({ forceRefreshToken: true }).catch(\n (error: unknown) => {\n console.error(\"[convex-auth] Proxy token refresh failed:\", error);\n },\n );\n }\n } else {\n // SPA mode: hydrate from localStorage, then handle OAuth code flow.\n void (async () => {\n try {\n await hydrateFromStorage();\n await handleCodeFlow();\n } catch (error: unknown) {\n console.error(\"[convex-auth] Client initialization failed:\", error);\n await setToken({ shouldStore: false, tokens: null });\n }\n })();\n }\n }\n\n // ---------------------------------------------------------------------------\n // Passkey helpers\n // ---------------------------------------------------------------------------\n\n /**\n * Base64url encode/decode helpers for the WebAuthn credential API.\n * These run client-side only (browser context).\n */\n const base64urlEncode = (buffer: ArrayBuffer): string => {\n const bytes = new Uint8Array(buffer);\n let binary = \"\";\n for (let i = 0; i < bytes.byteLength; i++) {\n binary += String.fromCharCode(bytes[i]!);\n }\n return btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n };\n\n const base64urlDecode = (str: string): Uint8Array => {\n const padded = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const binary = atob(padded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n };\n\n const passkey = {\n /**\n * Check if WebAuthn passkeys are supported in the current environment.\n */\n isSupported: (): boolean => {\n return (\n typeof window !== \"undefined\" &&\n typeof window.PublicKeyCredential !== \"undefined\"\n );\n },\n\n /**\n * Check if conditional UI (autofill-assisted passkey sign-in) is supported.\n *\n * ```ts\n * if (await auth.passkey.isAutofillSupported()) {\n * auth.passkey.authenticate({ autofill: true });\n * }\n * ```\n */\n isAutofillSupported: async (): Promise<boolean> => {\n if (typeof window === \"undefined\") return false;\n if (typeof window.PublicKeyCredential === \"undefined\") return false;\n if (\n typeof (\n window.PublicKeyCredential as any\n ).isConditionalMediationAvailable !== \"function\"\n ) {\n return false;\n }\n return (\n window.PublicKeyCredential as any\n ).isConditionalMediationAvailable();\n },\n\n /**\n * Register a new passkey for the current or new user.\n *\n * Performs the full two-round-trip WebAuthn registration ceremony:\n * 1. Requests creation options from the server (challenge, RP info)\n * 2. Calls `navigator.credentials.create()` with the options\n * 3. Sends the attestation back to the server for verification\n * 4. Server creates user + account + passkey records and returns tokens\n *\n * Works in both SPA and proxy (SSR) modes.\n *\n * ```ts\n * await auth.passkey.register({ name: \"MacBook Touch ID\" });\n * ```\n *\n * @param opts.name - Friendly name for this passkey\n * @param opts.email - Email to associate with the new account\n * @param opts.userName - Username for the credential (defaults to email)\n * @param opts.userDisplayName - Display name for the credential\n * @returns `{ signingIn: true }` on success\n */\n register: async (\n opts?: {\n name?: string;\n email?: string;\n userName?: string;\n userDisplayName?: string;\n },\n ): Promise<SignInResult> => {\n const phase1Params = {\n flow: \"register-options\",\n email: opts?.email,\n userName: opts?.userName,\n userDisplayName: opts?.userDisplayName,\n };\n\n // Phase 1: Get registration options from server\n let phase1Result: any;\n if (proxy) {\n phase1Result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"passkey\", params: phase1Params },\n });\n } else {\n phase1Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase1Params,\n });\n }\n\n if (!phase1Result.options) {\n throw new Error(\"Server did not return passkey registration options\");\n }\n\n const options = phase1Result.options;\n\n // Convert base64url strings to ArrayBuffers for the credential API\n const createOptions: CredentialCreationOptions = {\n publicKey: {\n rp: options.rp,\n user: {\n id: base64urlDecode(options.user.id).buffer as ArrayBuffer,\n name: options.user.name,\n displayName: options.user.displayName,\n },\n challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n pubKeyCredParams: options.pubKeyCredParams,\n timeout: options.timeout,\n attestation: options.attestation,\n authenticatorSelection: options.authenticatorSelection,\n excludeCredentials: (options.excludeCredentials ?? []).map(\n (cred: any) => ({\n type: cred.type ?? \"public-key\",\n id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n transports: cred.transports,\n }),\n ),\n },\n };\n\n // Phase 2: Create credential via browser API\n const credential = (await navigator.credentials.create(\n createOptions,\n )) as PublicKeyCredential | null;\n if (!credential) {\n throw new Error(\"Passkey registration was cancelled\");\n }\n\n const response =\n credential.response as AuthenticatorAttestationResponse;\n\n // Extract transports if available\n const transports =\n typeof response.getTransports === \"function\"\n ? response.getTransports()\n : undefined;\n\n const phase2Params = {\n flow: \"register-verify\",\n clientDataJSON: base64urlEncode(response.clientDataJSON),\n attestationObject: base64urlEncode(response.attestationObject),\n transports,\n passkeyName: opts?.name,\n email: opts?.email,\n };\n\n // Phase 3: Send attestation to server for verification\n let phase2Result: any;\n if (proxy) {\n // In proxy mode the verifier is stored in an httpOnly cookie by the proxy.\n // We pass it back explicitly so the proxy can forward it to Convex.\n phase2Result = await proxyFetch({\n action: \"auth:signIn\",\n args: {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n },\n });\n } else {\n phase2Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n });\n }\n\n if (phase2Result.tokens) {\n if (proxy) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n phase2Result.tokens === null\n ? null\n : { token: phase2Result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"register-verify\" },\n });\n } else {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: phase2Result.tokens as AuthSession,\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"register-verify\" },\n });\n }\n return { signingIn: true };\n }\n return { signingIn: false };\n },\n\n /**\n * Authenticate with an existing passkey.\n *\n * Performs the full two-round-trip WebAuthn authentication ceremony:\n * 1. Requests assertion options from the server (challenge, allowed credentials)\n * 2. Calls `navigator.credentials.get()` with the options\n * 3. Sends the assertion back to the server for signature verification\n * 4. Server verifies signature, updates counter, creates session, returns tokens\n *\n * Works in both SPA and proxy (SSR) modes.\n *\n * ```ts\n * // Discoverable credential (no email needed)\n * await auth.passkey.authenticate();\n *\n * // Scoped to a specific user's credentials\n * await auth.passkey.authenticate({ email: \"user@example.com\" });\n *\n * // Autofill-assisted (conditional UI)\n * await auth.passkey.authenticate({ autofill: true });\n * ```\n *\n * @param opts.email - Scope to credentials for this email's user\n * @param opts.autofill - Use conditional mediation (autofill UI)\n * @returns `{ signingIn: true }` on success\n */\n authenticate: async (\n opts?: { email?: string; autofill?: boolean },\n ): Promise<SignInResult> => {\n const phase1Params = {\n flow: \"auth-options\",\n email: opts?.email,\n };\n\n // Phase 1: Get assertion options from server\n let phase1Result: any;\n if (proxy) {\n phase1Result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"passkey\", params: phase1Params },\n });\n } else {\n phase1Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase1Params,\n });\n }\n\n if (!phase1Result.options) {\n throw new Error(\"Server did not return passkey authentication options\");\n }\n\n const options = phase1Result.options;\n\n // Convert base64url strings to ArrayBuffers for the credential API\n const getOptions: CredentialRequestOptions = {\n publicKey: {\n challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,\n timeout: options.timeout,\n rpId: options.rpId,\n userVerification: options.userVerification,\n allowCredentials: (options.allowCredentials ?? []).map(\n (cred: any) => ({\n type: cred.type ?? \"public-key\",\n id: base64urlDecode(cred.id).buffer as ArrayBuffer,\n transports: cred.transports,\n }),\n ),\n },\n ...(opts?.autofill ? { mediation: \"conditional\" as any } : {}),\n };\n\n // Phase 2: Get credential via browser API\n const credential = (await navigator.credentials.get(\n getOptions,\n )) as PublicKeyCredential | null;\n if (!credential) {\n throw new Error(\"Passkey authentication was cancelled\");\n }\n\n const response =\n credential.response as AuthenticatorAssertionResponse;\n\n const phase2Params = {\n flow: \"auth-verify\",\n credentialId: base64urlEncode(credential.rawId),\n clientDataJSON: base64urlEncode(response.clientDataJSON),\n authenticatorData: base64urlEncode(response.authenticatorData),\n signature: base64urlEncode(response.signature),\n };\n\n // Phase 3: Send assertion to server for verification\n let phase2Result: any;\n if (proxy) {\n phase2Result = await proxyFetch({\n action: \"auth:signIn\",\n args: {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n },\n });\n } else {\n phase2Result = await convex.action(\"auth:signIn\" as any, {\n provider: \"passkey\",\n params: phase2Params,\n verifier: phase1Result.verifier,\n });\n }\n\n if (phase2Result.tokens) {\n if (proxy) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n phase2Result.tokens === null\n ? null\n : { token: phase2Result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"auth-verify\" },\n });\n } else {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: phase2Result.tokens as AuthSession,\n waitForHandshake: true,\n context: { provider: \"passkey\", flow: \"auth-verify\" },\n });\n }\n return { signingIn: true };\n }\n return { signingIn: false };\n },\n };\n\n const totp = {\n /**\n * Start TOTP enrollment. Must be authenticated.\n *\n * Returns a URI for QR code display and a base32 secret for manual entry.\n *\n * ```ts\n * const setup = await auth.totp.setup();\n * // Display QR code from setup.uri\n * // Or show setup.secret for manual entry\n * ```\n */\n setup: async (\n opts?: { name?: string; accountName?: string },\n ): Promise<{ uri: string; secret: string; verifier: string; totpId: string }> => {\n const params: Record<string, any> = { flow: \"setup\" };\n if (opts?.name) params.name = opts.name;\n if (opts?.accountName) params.accountName = opts.accountName;\n\n if (proxy) {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"totp\", params },\n });\n return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n }\n\n const result = await convex.action(\"auth:signIn\" as any, {\n provider: \"totp\",\n params,\n });\n return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };\n },\n\n /**\n * Complete TOTP enrollment by verifying the first code from the authenticator app.\n *\n * ```ts\n * await auth.totp.confirm({ code: \"123456\", verifier: setup.verifier, totpId: setup.totpId });\n * ```\n */\n confirm: async (opts: {\n code: string;\n verifier: string;\n totpId: string;\n }): Promise<void> => {\n const params: Record<string, any> = {\n flow: \"confirm\",\n code: opts.code,\n totpId: opts.totpId,\n };\n\n if (proxy) {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"totp\", params, verifier: opts.verifier },\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens: result.tokens === null ? null : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"confirm\" },\n });\n }\n return;\n }\n\n const result = await convex.action(\"auth:signIn\" as any, {\n provider: \"totp\",\n params,\n verifier: opts.verifier,\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"confirm\" },\n });\n }\n },\n\n /**\n * Complete 2FA verification during sign-in.\n *\n * Called after a credentials sign-in returns `totpRequired: true`.\n *\n * ```ts\n * const result = await auth.signIn(\"password\", { email, password });\n * if (result.totpRequired) {\n * await auth.totp.verify({ code: \"123456\", verifier: result.verifier! });\n * }\n * ```\n */\n verify: async (opts: { code: string; verifier: string }): Promise<void> => {\n const params: Record<string, any> = {\n flow: \"verify\",\n code: opts.code,\n };\n\n if (proxy) {\n const result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"totp\", params, verifier: opts.verifier },\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens: result.tokens === null ? null : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"verify\" },\n });\n }\n return;\n }\n\n const result = await convex.action(\"auth:signIn\" as any, {\n provider: \"totp\",\n params,\n verifier: opts.verifier,\n });\n if (result.tokens) {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider: \"totp\", flow: \"verify\" },\n });\n }\n },\n };\n\n const device = {\n /**\n * Poll for device authorization status.\n *\n * The device calls this repeatedly (respecting `interval`) after\n * initiating a device flow via `signIn(\"device\")`. Returns when\n * the user authorizes, or throws on timeout/denial.\n *\n * ```ts\n * const result = await auth.signIn(\"device\");\n * const { deviceCode } = result;\n * // Display deviceCode.userCode to the user, then poll:\n * await auth.device.poll(deviceCode);\n * // User is now signed in\n * ```\n *\n * @param code - The {@link DeviceCodeResult} from `signIn(\"device\")`.\n * @returns Resolves when the device is authorized and tokens are stored.\n * @throws When the code expires, is denied, or polling encounters an error.\n */\n poll: async (code: DeviceCodeResult): Promise<void> => {\n const intervalMs = code.interval * 1000;\n const expiresAt = Date.now() + code.expiresIn * 1000;\n\n while (Date.now() < expiresAt) {\n await new Promise((resolve) => setTimeout(resolve, intervalMs));\n\n try {\n let result: any;\n const params: Record<string, any> = {\n flow: \"poll\",\n deviceCode: code.deviceCode,\n };\n\n if (proxy) {\n result = await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"device\", params },\n });\n } else {\n result = await convex.action(\"auth:signIn\" as any, {\n provider: \"device\",\n params,\n });\n }\n\n // Authorized — tokens received\n if (result.tokens) {\n if (proxy) {\n await setTokenAndMaybeWait({\n shouldStore: false,\n tokens:\n result.tokens === null\n ? null\n : { token: result.tokens.token },\n waitForHandshake: true,\n context: { provider: \"device\", flow: \"poll\" },\n });\n } else {\n await setTokenAndMaybeWait({\n shouldStore: true,\n tokens: (result.tokens as AuthSession | null) ?? null,\n waitForHandshake: true,\n context: { provider: \"device\", flow: \"poll\" },\n });\n }\n return;\n }\n } catch (e: unknown) {\n // Handle expected polling errors\n if (e instanceof ConvexError) {\n const data = e.data as Record<string, unknown>;\n const code_ = data?.code as string | undefined;\n if (code_ === \"DEVICE_AUTHORIZATION_PENDING\") {\n continue; // Keep polling\n }\n if (code_ === \"DEVICE_SLOW_DOWN\") {\n // Back off by adding one interval\n await new Promise((resolve) =>\n setTimeout(resolve, intervalMs),\n );\n continue;\n }\n }\n // Non-recoverable error — rethrow\n throw e;\n }\n }\n\n throw new Error(\"Device authorization timed out.\");\n },\n\n /**\n * Authorize a device from the verification page.\n *\n * Called by an authenticated user on the verification page after\n * they enter the user code displayed on the device.\n *\n * ```ts\n * // On the /device verification page:\n * await auth.device.verify(userCode);\n * ```\n *\n * @param userCode - The user code entered by the user (e.g. \"WDJB-MJHT\").\n */\n verify: async (userCode: string): Promise<void> => {\n const params: Record<string, any> = {\n flow: \"verify\",\n userCode,\n };\n\n if (proxy) {\n await proxyFetch({\n action: \"auth:signIn\",\n args: { provider: \"device\", params },\n });\n } else {\n await convex.action(\"auth:signIn\" as any, {\n provider: \"device\",\n params,\n });\n }\n },\n };\n\n return {\n /** Current auth state snapshot. */\n get state(): AuthState {\n return snapshot;\n },\n /** Sign in with a provider. See {@link SignInResult} for return shape. */\n signIn,\n /** Sign out and clear all token state. */\n signOut,\n /** Subscribe to auth state changes. Returns an unsubscribe function. */\n onChange,\n /** Passkey (WebAuthn) authentication helpers. */\n passkey,\n /** TOTP two-factor authentication helpers. */\n totp,\n /** Device authorization (RFC 8628) helpers. */\n device,\n /** Remove global listeners when disposing this client instance. */\n destroy: () => {\n destroyed = true;\n settleHandshakeWaiters(authEpoch, {\n type: \"reject\",\n error: createHandshakeError(\"AUTH_HANDSHAKE_REJECTED\", {\n reason: \"destroyed\",\n }),\n });\n disposeStorageListener?.();\n subscribers.clear();\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// Browser mutex — ensures only one tab refreshes a token at a time.\n// ---------------------------------------------------------------------------\n\nasync function browserMutex<T>(\n key: string,\n callback: () => Promise<T>,\n): Promise<T> {\n const lockManager = (globalThis as any)?.navigator?.locks;\n return lockManager !== undefined\n ? await lockManager.request(key, callback)\n : await manualMutex(key, callback);\n}\n\nfunction getStorageListenerRegistry(): Record<string, (event: StorageEvent) => void> {\n const globalAny = globalThis as any;\n if (globalAny.__convexAuthStorageListeners === undefined) {\n globalAny.__convexAuthStorageListeners = {} as Record<\n string,\n (event: StorageEvent) => void\n >;\n }\n return globalAny.__convexAuthStorageListeners as Record<\n string,\n (event: StorageEvent) => void\n >;\n}\n\nfunction getManualMutexTails(): Record<string, Promise<void>> {\n const globalAny = globalThis as any;\n if (globalAny.__convexAuthMutexTails === undefined) {\n globalAny.__convexAuthMutexTails = {} as Record<string, Promise<void>>;\n }\n return globalAny.__convexAuthMutexTails as Record<string, Promise<void>>;\n}\n\nasync function manualMutex<T>(\n key: string,\n callback: () => Promise<T>,\n): Promise<T> {\n const mutexTails = getManualMutexTails();\n const previousTail = mutexTails[key] ?? Promise.resolve();\n\n let releaseCurrent: (() => void) | undefined;\n const currentTail = new Promise<void>((resolve) => {\n releaseCurrent = resolve;\n });\n\n mutexTails[key] = previousTail.then(\n () => currentTail,\n () => currentTail,\n );\n\n try {\n await previousTail;\n return await callback();\n } finally {\n releaseCurrent?.();\n if (mutexTails[key] === currentTail) {\n delete mutexTails[key];\n }\n }\n}\n"],"mappings":";;;;;AA4IA,MAAM,uBAAuB;AAC7B,MAAM,kBAAkB;AACxB,MAAM,4BAA4B;AAElC,MAAM,gBAAgB,CAAC,KAAK,IAAK;AACjC,MAAM,eAAe;AACrB,MAAM,4BAA4B;;;;;;;AAyBlC,SAAS,WAAW,QAAyB,UAA2B;AACtE,KAAI,SAAU,QAAO;CACrB,MAAM,IAAI;CACV,MAAM,MAAe,EAAE,OAAO,EAAE,QAAQ;AACxC,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,OAAM,IAAI,MACR,oEACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCH,SAAgB,OAAO,SAAwB;CAC7C,MAAM,EAAE,QAAQ,UAAU;CAG1B,MAAM,UACJ,QAAQ,YAAY,SAChB,QAAQ,UACR,QACE,OACA,OAAO,WAAW,cAChB,OACA,OAAO;CAEjB,MAAM,aACJ,QAAQ,gBACN,UAAgB;AAChB,MAAI,OAAO,WAAW,YACpB,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAIA,MAAI;;CAI9C,MAAM,MAAM,QAAQ,SAAY,WAAW,QAAQ,QAAQ,IAAI;CAC/D,MAAM,mBAAmB,QACrB,MAAM,QAAQ,iBAAiB,GAAG,GAClC,IAAK,QAAQ,iBAAiB,GAAG;CACrC,MAAM,OAAO,SAAiB,GAAG,KAAK,GAAG;CACzC,MAAM,8BAAc,IAAI,KAAiB;CACzC,IAAI,yBAA8C;CAIlD,MAAM,aAAa,QAAQ,OAAO,IAAI,iBAAiB,IAAK;CAQ5D,MAAM,cACJ,OAAO,QAAQ,UAAU,YAAY,QAAQ,MAAM,MAAM,CAAC,SAAS,IAC/D,QAAQ,QACR;CACN,MAAM,iBAAiB,gBAAgB;CAEvC,IAAI,QAAuB;CAC3B,IAAI,YAAY,CAAC;CACjB,IAAI,gBAAgB;CACpB,IAAI,mBAAmB;CACvB,IAAI,YAAY;CAChB,IAAI,YAAY;CAChB,MAAM,mCAAmB,IAAI,KAAsB;CACnD,IAAI,WAAsB;EACxB,OAAO,iBACH,kBACA,YACE,YACA;EACN;EACA,iBAAiB;EACjB;EACD;CACD,IAAI,mBAAmB;CAEvB,MAAM,wBACJ,MACA,YACG;AACH,SAAO,IAAI,YAAY;GACrB;GACA,SAAS,YAAY;GACrB,GAAG;GACJ,CAAU;;CAGb,MAAM,0BACJ,OACA,YAGG;AACH,OAAK,MAAM,UAAU,MAAM,KAAK,iBAAiB,EAAE;AACjD,OAAI,OAAO,UAAU,MACnB;AAEF,gBAAa,OAAO,UAAU;AAC9B,oBAAiB,OAAO,OAAO;AAC/B,OAAI,QAAQ,SAAS,UACnB,QAAO,SAAS;OAEhB,QAAO,OAAO,QAAQ,MAAM;;;CAKlC,MAAM,kCAAkC,gBAAwB;AAC9D,OAAK,MAAM,UAAU,MAAM,KAAK,iBAAiB,EAAE;AACjD,OAAI,OAAO,SAAS,YAClB;AAEF,gBAAa,OAAO,UAAU;AAC9B,oBAAiB,OAAO,OAAO;AAC/B,UAAO,OACL,qBAAqB,2BAA2B;IAC9C,GAAG,OAAO;IACV,QAAQ;IACT,CAAC,CACH;;;CAIL,MAAM,uBAAuB,OAAO,YAA6B;AAC/D,MAAI,UAAU,KACZ;AAEF,MAAI,iBAAiB,CAAC,iBACpB;AAEF,MAAI,CAAC,iBACH,OAAM,qBAAqB,2BAA2B;GACpD,GAAG;GACH,QAAQ;GACT,CAAC;EAGJ,MAAM,QAAQ;AACd,QAAM,IAAI,SAAe,SAAS,WAAW;GAC3C,MAAM,YAAiD,EAAE,SAAS,MAAM;GAaxE,MAAM,SAA0B;IAC9B;IACA;IACA;IACA;IACA,WAjBgB,iBAAiB;AACjC,SAAI,UAAU,YAAY,KACxB,kBAAiB,OAAO,UAAU,QAAQ;AAE5C,YACE,qBAAqB,0BAA0B;MAC7C,GAAG;MACH,WAAW;MACZ,CAAC,CACH;OACA,0BAA0B;IAQ5B;AACD,aAAU,UAAU;AACpB,oBAAiB,IAAI,OAAO;IAC5B;;CAGJ,MAAM,0BAA0B,oBAA6B;AAC3D,MAAI,UACF;AAGF,MAAI,iBAAiB;AACnB,mBAAgB;AAChB,sBAAmB;AACnB,0BAAuB,WAAW,EAAE,MAAM,WAAW,CAAC;QAEtD,iBAAgB;AAMlB,MAAI,gBAAgB,CAClB,SAAQ;;CAIZ,MAAM,eAAe;AACnB,OAAK,MAAM,MAAM,YAAa,KAAI;;CAGpC,MAAM,uBAAuB;EAC3B,IAAI;AACJ,MAAI,UAAU,QAAQ,iBACpB,SAAQ;WACC,UACT,SAAQ;WACC,UAAU,QAAQ,cAC3B,SAAQ;MAER,SAAQ;EAGV,MAAM,OAAkB;GACtB;GACA,WAAW,UAAU,aAAa,UAAU;GAC5C,iBAAiB,UAAU;GAC3B;GACD;AACD,MACE,SAAS,UAAU,KAAK,SACxB,SAAS,cAAc,KAAK,aAC5B,SAAS,oBAAoB,KAAK,mBAClC,SAAS,UAAU,KAAK,MAExB,QAAO;AAET,aAAW;AACX,SAAO;;CAGT,MAAM,6BAA6B;AACjC,MAAI,CAAC,UACH;AAEF,cAAY;AACZ,MAAI,gBAAgB,CAClB,SAAQ;;CAQZ,MAAM,aAAa,OAAO,SAAiB;AACzC,MAAI,CAAC,QACH,QAAO;AAET,MAAI;AACF,UAAQ,MAAM,QAAQ,QAAQ,IAAI,KAAK,CAAC,IAAK;WACtC,OAAO;AACd,WAAQ,MAAM,gCAAgC,KAAK,iBAAiB,MAAM;AAC1E,UAAO;;;CAGX,MAAM,aAAa,OAAO,MAAc,UAAkB;AACxD,MAAI,CAAC,QACH;AAEF,MAAI;AACF,SAAM,QAAQ,QAAQ,IAAI,KAAK,EAAE,MAAM;WAChC,OAAO;AACd,WAAQ,MAAM,iCAAiC,KAAK,eAAe,MAAM;;;CAG7E,MAAM,gBAAgB,OAAO,SAAiB;AAC5C,MAAI,CAAC,QACH;AAEF,MAAI;AACF,SAAM,QAAQ,WAAW,IAAI,KAAK,CAAC;WAC5B,OAAO;AACd,WAAQ,MAAM,kCAAkC,KAAK,iBAAiB,MAAM;;;CAQhF,MAAM,uBAAuB;AAC3B,SAAO,QAAQ,kBAAkB,uBAAuB;;CAG1D,MAAM,WAAW,OACf,SAaG;EACH,MAAM,gBAAgB;AAEtB,MAAI,KAAK,WAAW,MAAM;AACxB,WAAQ;AACR,OAAI,KAAK,aAAa;AACpB,UAAM,cAAc,gBAAgB;AACpC,UAAM,cAAc,0BAA0B;;SAE3C;AACL,WAAQ,KAAK,OAAO;AACpB,OAAI,KAAK,eAAe,kBAAkB,KAAK,QAAQ;AACrD,UAAM,WAAW,iBAAiB,KAAK,OAAO,MAAM;AACpD,UAAM,WAAW,2BAA2B,KAAK,OAAO,aAAa;;;AAIzE,MAAI,UAAU,eAAe;AAC3B,gBAAa;AACb,kCAA+B,UAAU;;AAG3C,MAAI,UAAU,MAAM;AAClB,mBAAgB;AAChB,sBAAmB;AACnB,0BAAuB,WAAW;IAChC,MAAM;IACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,iBACT,CAAC;IACH,CAAC;aAGA,KAAK,qBAAqB,QAAQ,CAAC,eACX;AACxB,mBAAgB;AAChB,sBAAmB;QAEnB,oBAAmB;EAIvB,MAAM,iBAAiB;AACvB,cAAY;EACZ,MAAM,UAAU,gBAAgB;AAChC,MAAI,KAAK,qBAAqB,MAC5B,iBAAgB;AAElB,MAAI,kBAAkB,QACpB,SAAQ;;CAIZ,MAAM,uBAAuB,OAC3B,SAaqB;EACrB,MAAM,EAAE,kBAAkB,SAAS,GAAG,cAAc;AACpD,QAAM,SAAS;GACb,GAAI;GAGJ,kBAAkB;GACnB,CAAC;AACF,MAAI,UAAU,WAAW,KACvB,QAAO;AAET,MAAI,iBACF,OAAM,qBAAqB,QAAQ;AAErC,SAAO;;CAOT,MAAM,wBAAwB;EAC5B,MAAM,SACJ,OAAO,WAAW,eAClB,OAAO,OAAO,UAAU,WAAW,WAC/B,OAAO,SAAS,SAChB,OAAO,aAAa,eAAe,OAAO,SAAS,WAAW,WAC5D,SAAS,SACT;AACR,MAAI,WAAW,KACb,QAAO,IAAI,IAAI,OAAQ,OAAO,CAAC,UAAU;AAE3C,MAAI;AACF,UAAO,IAAI,IAAI,MAAO,CAAC,UAAU;UAC3B;AACN,UAAO;;;CAIX,MAAM,iBAAiB,UAAkB;AACvC,MAAI;AACF,OAAI,IAAI,MAAM;AACd,UAAO;UACD;AACN,UAAO;;;CAIX,MAAM,aAAa,OAAO,SAAkC;EAC1D,MAAM,WAAW,iBAAiB;AAClC,MAAI,OAAO,WAAW,eAAe,CAAC,cAAc,SAAS,CAC3D,OAAM,IAAI,MACR,oCAAoC,MAAO,8EAE5C;EAGH,MAAM,WAAW,MAAM,MAAM,UAAU;GACrC,QAAQ;GACR,SAAS,EAAE,gBAAgB,oBAAoB;GAC/C,aAAa;GACb,MAAM,KAAK,UAAU,KAAK;GAC3B,CAAC;AACF,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAA6B;AAEpF,OACE,OAAO,cAAc,YACrB,cAAc,QACd,eAAe,aACf,OAAQ,UAAsC,cAAc,SAE5D,OAAM,IAAI,YAAa,UAAsC,UAAmB;AAElF,SAAM,IAAI,MACP,UAAsC,SACrC,yBAAyB,SAAS,SACrC;;AAEH,MAAI;AACF,UAAO,MAAM,SAAS,MAAM;UACtB;AACN,SAAM,IAAI,MAAM,oCAAoC;;;CAQxD,MAAM,aAAa,OACjB,SACG;EACH,IAAI;AACJ,OAAK,IAAI,QAAQ,GAAG,SAAS,cAAc,QAAQ,QACjD,KAAI;AACF,UAAO,MAAM,WAAY,OACvB,eACA,UAAU,OACN;IAAE,QAAQ,EAAE,MAAM,KAAK,MAAM;IAAE,UAAU,KAAK;IAAU,GACxD,KACL;WACM,GAAG;AACV,eAAY;AAOZ,OAAI,EALF,aAAa,aACZ,aAAa,SACZ,+CAA+C,KAC7C,EAAE,WAAW,GACd,EACgB;AACrB,OAAI,SAAS,cAAc,OACzB;GAEF,MAAM,OAAO,cAAc,SAAU,eAAe,KAAK,QAAQ;AACjE,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,KAAK,CAAC;;AAG7D,QAAM;;CAGR,MAAM,wBAAwB,OAC5B,MACA,SACG;EACH,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK;AACzC,QAAM,SAAS;GACb,aAAa;GACb,QAAS,UAAiC;GAC1C,kBAAkB,MAAM;GACzB,CAAC;AACF,SAAO,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCpB,MAAM,SAAS,OACb,UACA,SAC0B;EAC1B,MAAM,SACJ,gBAAgB,WACZ,MAAM,KAAK,KAAK,SAAS,CAAC,CAAC,QACxB,KAAK,CAAC,GAAG,OAAO;AACf,OAAI,KAAK;AACT,UAAO;KAET,EAAE,CACH,GACD,QAAQ,EAAE;EAChB,MAAM,OACJ,OAAO,OAAO,SAAS,YAAY,OAAO,KAAK,SAAS,IACpD,OAAO,OACP;AAEN,MAAI,OAAO;GAET,MAAMC,WAAS,MAAM,WAAW;IAC9B,QAAQ;IACR,MAAM;KAAE;KAAU;KAAQ;IAC3B,CAAC;AACF,OAAIA,SAAO,aAAa,QAAW;IACjC,MAAM,cAAc,IAAI,IAAIA,SAAO,SAAS;AAE5C,QAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,WAAO;KAAE,WAAW;KAAO,UAAU;KAAa;;AAEpD,OAAIA,SAAO,aACT,QAAO;IAAE,WAAW;IAAO,cAAc;IAAM,UAAUA,SAAO;IAAU;AAE5E,OAAIA,SAAO,eAAe,OACxB,QAAO;IAAE,WAAW;IAAO,YAAYA,SAAO;IAAgC;AAEhF,OAAIA,SAAO,WAAW,OAUpB,QAAO,EAAE,WAPS,MAAM,qBAAqB;IAC3C,aAAa;IACb,QACEA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;IAChE,kBAAkB;IAClB,SAAS;KAAE;KAAU;KAAM;IAC5B,CAAC,EACkB;AAEtB,UAAO,EAAE,WAAW,OAAO;;EAI7B,MAAM,WAAY,MAAM,WAAW,qBAAqB,IAAK;AAC7D,QAAM,cAAc,qBAAqB;EACzC,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;GACvD;GACA;GACA;GACD,CAAC;AACF,MAAI,OAAO,aAAa,QAAW;GACjC,MAAM,cAAc,IAAI,IAAI,OAAO,SAAS;AAC5C,SAAM,WAAW,sBAAsB,OAAO,SAAU;AACxD,OAAI,OAAO,WAAW,YACpB,QAAO,SAAS,OAAO,YAAY,UAAU;AAE/C,UAAO;IAAE,WAAW;IAAO,UAAU;IAAa;;AAEpD,MAAI,OAAO,aACT,QAAO;GAAE,WAAW;GAAO,cAAc;GAAM,UAAU,OAAO;GAAU;AAE5E,MAAI,OAAO,eAAe,OACxB,QAAO;GAAE,WAAW;GAAO,YAAY,OAAO;GAAgC;AAEhF,MAAI,OAAO,WAAW,OAOpB,QAAO,EAAE,WANS,MAAM,qBAAqB;GAC3C,aAAa;GACb,QAAS,OAAO,UAAiC;GACjD,kBAAkB;GAClB,SAAS;IAAE;IAAU;IAAM;GAC5B,CAAC,EACkB;AAEtB,SAAO,EAAE,WAAW,OAAO;;;;;;;;;CAc7B,MAAM,UAAU,YAAY;AAC1B,MAAI,OAAO;AACT,OAAI;AACF,UAAM,WAAW;KAAE,QAAQ;KAAgB,MAAM,EAAE;KAAE,CAAC;WAChD;AAGR,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;AACpD,OAAI,OAAO,UAAW,QAAO,WAAW;AACxC;;AAIF,MAAI;AACF,SAAM,OAAO,OAAO,gBAAuB,EAAE,CAAC;UACxC;AAGR,QAAM,SAAS;GAAE,aAAa;GAAM,QAAQ;GAAM,CAAC;AACnD,MAAI,OAAO,UAAW,QAAO,WAAW;;CAO1C,MAAM,mBAAmB,OAAO,EAC9B,wBAG4B;AAC5B,MAAI,CAAC,kBAAmB,QAAO;AAE/B,MAAI,OAAO;GAGT,MAAM,mBAAmB,iBAAiB;AAC1C,OACE,OAAO,WAAW,eAClB,CAAC,cAAc,iBAAiB,EAChC;AACA,0BAAsB;AACtB,WAAO;;GAGT,MAAM,qBAAqB;AAC3B,UAAO,MAAM,aAAa,4BAA4B,YAAY;AAEhE,QAAI,UAAU,mBAAoB,QAAO;AACzC,QAAI;KACF,MAAM,SAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM,EAAE,cAAc,MAAM;MAC7B,CAAC;AACF,SAAI,OAAO,OACT,OAAM,SAAS;MACb,aAAa;MACb,QAAQ,EAAE,OAAO,OAAO,OAAO,OAAO;MACtC,kBAAkB;MACnB,CAAC;SAEF,OAAM,SAAS;MACb,aAAa;MACb,QAAQ;MACR,kBAAkB;MACnB,CAAC;aAEG,OAAO;AACd,aAAQ,MAAM,uCAAuC,MAAM;AAC3D,SAAI,UAAU,KACZ,uBAAsB;;AAG1B,WAAO;KACP;;EAIJ,MAAM,6BAA6B;AACnC,SAAO,MAAM,aAAa,2BAA2B,YAAY;GAC/D,MAAM,4BAA4B;AAClC,OAAI,8BAA8B,2BAChC,QAAO;GAET,MAAM,eACH,MAAM,WAAW,0BAA0B,IAAK;AACnD,OAAI,CAAC,cAAc;AACjB,0BAAsB;AACtB,WAAO;;AAET,SAAM,sBACJ,EAAE,cAAc,EAChB,EAAE,kBAAkB,OAAO,CAC5B;AACD,UAAO;IACP;;CAOJ,MAAM,iBAAiB,YAAY;AACjC,MAAI,OAAO,WAAW,YAAa;AACnC,MAAI,iBAAkB;EACtB,MAAM,OAAO,IAAI,gBAAgB,OAAO,SAAS,OAAO,CAAC,IAAI,OAAO;AACpE,MAAI,CAAC,KAAM;AACX,qBAAmB;AACnB,MAAI;AACF,SAAM,OAAO,QAAW,EAAE,MAAM,CAAC;GACjC,MAAM,UAAU,IAAI,IAAI,OAAO,SAAS,KAAK;AAC7C,WAAQ,aAAa,OAAO,OAAO;AACnC,SAAM,WAAW,QAAQ,WAAW,QAAQ,SAAS,QAAQ,KAAK;YAC1D;AACR,sBAAmB;;;CAQvB,MAAM,qBAAqB,YAAY;EACrC,MAAM,cAAe,MAAM,WAAW,gBAAgB,IAAK;AAC3D,QAAM,SAAS;GACb,aAAa;GACb,QAAQ,gBAAgB,OAAO,OAAO,EAAE,OAAO,aAAa;GAC7D,CAAC;;;;;;;;;;;;;CAkBJ,MAAM,YAAY,OAAiD;AACjE,KAAG,SAAS;EACZ,MAAM,gBAAgB,GAAG,SAAS;AAClC,cAAY,IAAI,QAAQ;AACxB,eAAa;AACX,eAAY,OAAO,QAAQ;;;AAS/B,KAAI,CAAC,SAAS,OAAO,WAAW,aAAa;EAC3C,MAAM,cAAc,IAAI,gBAAgB;EACxC,MAAM,WAAW,4BAA4B;EAC7C,MAAM,mBAAmB,SAAS;AAClC,MAAI,qBAAqB,OACvB,QAAO,oBAAoB,WAAW,iBAAiB;EAGzD,MAAM,aAAa,UAAwB;AACzC,IAAM,YAAY;AAChB,QAAI,MAAM,QAAQ,IAAI,gBAAgB,CAAE;AACxC,UAAM,SAAS;KACb,aAAa;KACb,QACE,MAAM,aAAa,OAAO,OAAO,EAAE,OAAO,MAAM,UAAU;KAC7D,CAAC;OACA;;AAEN,SAAO,iBAAiB,WAAW,UAAU;AAC7C,WAAS,eAAe;AACxB,iCAA+B;AAC7B,OAAI,SAAS,iBAAiB,UAC5B,QAAO,SAAS;AAElB,UAAO,oBAAoB,WAAW,UAAU;;;AAMpD,iBAAgB;AAGhB,KAAI,OAAO,WAAW,YACpB,KAAI,OAIF;MAAI,CAAC,eACH,CAAK,iBAAiB,EAAE,mBAAmB,MAAM,CAAC,CAAC,OAChD,UAAmB;AAClB,WAAQ,MAAM,6CAA6C,MAAM;IAEpE;OAIH,EAAM,YAAY;AAChB,MAAI;AACF,SAAM,oBAAoB;AAC1B,SAAM,gBAAgB;WACf,OAAgB;AACvB,WAAQ,MAAM,+CAA+C,MAAM;AACnE,SAAM,SAAS;IAAE,aAAa;IAAO,QAAQ;IAAM,CAAC;;KAEpD;;;;;CAYR,MAAM,mBAAmB,WAAgC;EACvD,MAAM,QAAQ,IAAI,WAAW,OAAO;EACpC,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,IACpC,WAAU,OAAO,aAAa,MAAM,GAAI;AAE1C,SAAO,KAAK,OAAO,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,GAAG;;CAGhF,MAAM,mBAAmB,QAA4B;EACnD,MAAM,SAAS,IAAI,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;EACxD,MAAM,SAAS,KAAK,OAAO;EAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,OAAM,KAAK,OAAO,WAAW,EAAE;AAEjC,SAAO;;AAskBT,QAAO;EAEL,IAAI,QAAmB;AACrB,UAAO;;EAGT;EAEA;EAEA;EAEA,SA/kBc;GAId,mBAA4B;AAC1B,WACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB;;GAa1C,qBAAqB,YAA8B;AACjD,QAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAI,OAAO,OAAO,wBAAwB,YAAa,QAAO;AAC9D,QACE,OACE,OAAO,oBACP,oCAAoC,WAEtC,QAAO;AAET,WACE,OAAO,oBACP,iCAAiC;;GAwBrC,UAAU,OACR,SAM0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACb,UAAU,MAAM;KAChB,iBAAiB,MAAM;KACxB;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,qDAAqD;IAGvE,MAAMC,YAAU,aAAa;IAG7B,MAAM,gBAA2C,EAC/C,WAAW;KACT,IAAIA,UAAQ;KACZ,MAAM;MACJ,IAAI,gBAAgBA,UAAQ,KAAK,GAAG,CAAC;MACrC,MAAMA,UAAQ,KAAK;MACnB,aAAaA,UAAQ,KAAK;MAC3B;KACD,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;KAC9C,kBAAkBA,UAAQ;KAC1B,SAASA,UAAQ;KACjB,aAAaA,UAAQ;KACrB,wBAAwBA,UAAQ;KAChC,qBAAqBA,UAAQ,sBAAsB,EAAE,EAAE,KACpD,UAAe;MACd,MAAM,KAAK,QAAQ;MACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;MAC7B,YAAY,KAAK;MAClB,EACF;KACF,EACF;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,OAC9C,cACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,qCAAqC;IAGvD,MAAM,WACJ,WAAW;IAGb,MAAM,aACJ,OAAO,SAAS,kBAAkB,aAC9B,SAAS,eAAe,GACxB;IAEN,MAAM,eAAe;KACnB,MAAM;KACN,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D;KACA,aAAa,MAAM;KACnB,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MAGF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,qBAAqB;MACzB,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC1C,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAmB;MAC1D,CAAC;SAEF,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQ,aAAa;MACrB,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAmB;MAC1D,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GA6B7B,cAAc,OACZ,SAC0B;IAC1B,MAAM,eAAe;KACnB,MAAM;KACN,OAAO,MAAM;KACd;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MAAE,UAAU;MAAW,QAAQ;MAAc;KACpD,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACT,CAAC;AAGJ,QAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,uDAAuD;IAGzE,MAAMA,YAAU,aAAa;IAG7B,MAAM,aAAuC;KAC3C,WAAW;MACT,WAAW,gBAAgBA,UAAQ,UAAU,CAAC;MAC9C,SAASA,UAAQ;MACjB,MAAMA,UAAQ;MACd,kBAAkBA,UAAQ;MAC1B,mBAAmBA,UAAQ,oBAAoB,EAAE,EAAE,KAChD,UAAe;OACd,MAAM,KAAK,QAAQ;OACnB,IAAI,gBAAgB,KAAK,GAAG,CAAC;OAC7B,YAAY,KAAK;OAClB,EACF;MACF;KACD,GAAI,MAAM,WAAW,EAAE,WAAW,eAAsB,GAAG,EAAE;KAC9D;IAGD,MAAM,aAAc,MAAM,UAAU,YAAY,IAC9C,WACD;AACD,QAAI,CAAC,WACH,OAAM,IAAI,MAAM,uCAAuC;IAGzD,MAAM,WACJ,WAAW;IAEb,MAAM,eAAe;KACnB,MAAM;KACN,cAAc,gBAAgB,WAAW,MAAM;KAC/C,gBAAgB,gBAAgB,SAAS,eAAe;KACxD,mBAAmB,gBAAgB,SAAS,kBAAkB;KAC9D,WAAW,gBAAgB,SAAS,UAAU;KAC/C;IAGD,IAAI;AACJ,QAAI,MACF,gBAAe,MAAM,WAAW;KAC9B,QAAQ;KACR,MAAM;MACJ,UAAU;MACV,QAAQ;MACR,UAAU,aAAa;MACxB;KACF,CAAC;QAEF,gBAAe,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV,QAAQ;KACR,UAAU,aAAa;KACxB,CAAC;AAGJ,QAAI,aAAa,QAAQ;AACvB,SAAI,MACF,OAAM,qBAAqB;MACzB,aAAa;MACb,QACE,aAAa,WAAW,OACpB,OACA,EAAE,OAAO,aAAa,OAAO,OAAO;MAC1C,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAe;MACtD,CAAC;SAEF,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQ,aAAa;MACrB,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAW,MAAM;OAAe;MACtD,CAAC;AAEJ,YAAO,EAAE,WAAW,MAAM;;AAE5B,WAAO,EAAE,WAAW,OAAO;;GAE9B;EAkRC,MAhRW;GAYX,OAAO,OACL,SAC+E;IAC/E,MAAM,SAA8B,EAAE,MAAM,SAAS;AACrD,QAAI,MAAM,KAAM,QAAO,OAAO,KAAK;AACnC,QAAI,MAAM,YAAa,QAAO,cAAc,KAAK;AAEjD,QAAI,OAAO;KACT,MAAMD,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ;MACnC,CAAC;AACF,YAAO;MAAE,KAAKA,SAAO,UAAU;MAAK,QAAQA,SAAO,UAAU;MAAQ,UAAUA,SAAO;MAAU,QAAQA,SAAO,UAAU;MAAQ;;IAGnI,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACD,CAAC;AACF,WAAO;KAAE,KAAK,OAAO,UAAU;KAAK,QAAQ,OAAO,UAAU;KAAQ,UAAU,OAAO;KAAU,QAAQ,OAAO,UAAU;KAAQ;;GAUnI,SAAS,OAAO,SAIK;IACnB,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACX,QAAQ,KAAK;KACd;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACtE,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAQ,MAAM;OAAW;MAC/C,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,qBAAqB;KACzB,aAAa;KACb,QAAS,OAAO,UAAiC;KACjD,kBAAkB;KAClB,SAAS;MAAE,UAAU;MAAQ,MAAM;MAAW;KAC/C,CAAC;;GAgBN,QAAQ,OAAO,SAA4D;IACzE,MAAM,SAA8B;KAClC,MAAM;KACN,MAAM,KAAK;KACZ;AAED,QAAI,OAAO;KACT,MAAMA,WAAS,MAAM,WAAW;MAC9B,QAAQ;MACR,MAAM;OAAE,UAAU;OAAQ;OAAQ,UAAU,KAAK;OAAU;MAC5D,CAAC;AACF,SAAIA,SAAO,OACT,OAAM,qBAAqB;MACzB,aAAa;MACb,QAAQA,SAAO,WAAW,OAAO,OAAO,EAAE,OAAOA,SAAO,OAAO,OAAO;MACtE,kBAAkB;MAClB,SAAS;OAAE,UAAU;OAAQ,MAAM;OAAU;MAC9C,CAAC;AAEJ;;IAGF,MAAM,SAAS,MAAM,OAAO,OAAO,eAAsB;KACvD,UAAU;KACV;KACA,UAAU,KAAK;KAChB,CAAC;AACF,QAAI,OAAO,OACT,OAAM,qBAAqB;KACzB,aAAa;KACb,QAAS,OAAO,UAAiC;KACjD,kBAAkB;KAClB,SAAS;MAAE,UAAU;MAAQ,MAAM;MAAU;KAC9C,CAAC;;GAGP;EA+IC,QA7Ia;GAoBb,MAAM,OAAO,SAA0C;IACrD,MAAM,aAAa,KAAK,WAAW;IACnC,MAAM,YAAY,KAAK,KAAK,GAAG,KAAK,YAAY;AAEhD,WAAO,KAAK,KAAK,GAAG,WAAW;AAC7B,WAAM,IAAI,SAAS,YAAY,WAAW,SAAS,WAAW,CAAC;AAE/D,SAAI;MACF,IAAI;MACJ,MAAM,SAA8B;OAClC,MAAM;OACN,YAAY,KAAK;OAClB;AAED,UAAI,MACF,UAAS,MAAM,WAAW;OACxB,QAAQ;OACR,MAAM;QAAE,UAAU;QAAU;QAAQ;OACrC,CAAC;UAEF,UAAS,MAAM,OAAO,OAAO,eAAsB;OACjD,UAAU;OACV;OACD,CAAC;AAIJ,UAAI,OAAO,QAAQ;AACjB,WAAI,MACF,OAAM,qBAAqB;QACzB,aAAa;QACb,QACE,OAAO,WAAW,OACd,OACA,EAAE,OAAO,OAAO,OAAO,OAAO;QACpC,kBAAkB;QAClB,SAAS;SAAE,UAAU;SAAU,MAAM;SAAQ;QAC9C,CAAC;WAEF,OAAM,qBAAqB;QACzB,aAAa;QACb,QAAS,OAAO,UAAiC;QACjD,kBAAkB;QAClB,SAAS;SAAE,UAAU;SAAU,MAAM;SAAQ;QAC9C,CAAC;AAEJ;;cAEK,GAAY;AAEnB,UAAI,aAAa,aAAa;OAE5B,MAAM,QADO,EAAE,MACK;AACpB,WAAI,UAAU,+BACZ;AAEF,WAAI,UAAU,oBAAoB;AAEhC,cAAM,IAAI,SAAS,YACjB,WAAW,SAAS,WAAW,CAChC;AACD;;;AAIJ,YAAM;;;AAIV,UAAM,IAAI,MAAM,kCAAkC;;GAgBpD,QAAQ,OAAO,aAAoC;IACjD,MAAM,SAA8B;KAClC,MAAM;KACN;KACD;AAED,QAAI,MACF,OAAM,WAAW;KACf,QAAQ;KACR,MAAM;MAAE,UAAU;MAAU;MAAQ;KACrC,CAAC;QAEF,OAAM,OAAO,OAAO,eAAsB;KACxC,UAAU;KACV;KACD,CAAC;;GAGP;EAoBC,eAAe;AACb,eAAY;AACZ,0BAAuB,WAAW;IAChC,MAAM;IACN,OAAO,qBAAqB,2BAA2B,EACrD,QAAQ,aACT,CAAC;IACH,CAAC;AACF,6BAA0B;AAC1B,eAAY,OAAO;;EAEtB;;AAOH,eAAe,aACb,KACA,UACY;CACZ,MAAM,cAAe,YAAoB,WAAW;AACpD,QAAO,gBAAgB,SACnB,MAAM,YAAY,QAAQ,KAAK,SAAS,GACxC,MAAM,YAAY,KAAK,SAAS;;AAGtC,SAAS,6BAA4E;CACnF,MAAM,YAAY;AAClB,KAAI,UAAU,iCAAiC,OAC7C,WAAU,+BAA+B,EAAE;AAK7C,QAAO,UAAU;;AAMnB,SAAS,sBAAqD;CAC5D,MAAM,YAAY;AAClB,KAAI,UAAU,2BAA2B,OACvC,WAAU,yBAAyB,EAAE;AAEvC,QAAO,UAAU;;AAGnB,eAAe,YACb,KACA,UACY;CACZ,MAAM,aAAa,qBAAqB;CACxC,MAAM,eAAe,WAAW,QAAQ,QAAQ,SAAS;CAEzD,IAAI;CACJ,MAAM,cAAc,IAAI,SAAe,YAAY;AACjD,mBAAiB;GACjB;AAEF,YAAW,OAAO,aAAa,WACvB,mBACA,YACP;AAED,KAAI;AACF,QAAM;AACN,SAAO,MAAM,UAAU;WACf;AACR,oBAAkB;AAClB,MAAI,WAAW,SAAS,YACtB,QAAO,WAAW"}
package/dist/component/convex.config.d.ts CHANGED
@@ -1,7 +1,7 @@
1
- import * as convex_server15 from "convex/server";
1
+ import * as convex_server0 from "convex/server";
2
2
 
3
3
  //#region src/component/convex.config.d.ts
4
- declare const component: convex_server15.ComponentDefinition<any>;
4
+ declare const component: convex_server0.ComponentDefinition<any>;
5
5
  //#endregion
6
6
  export { component as default };
7
7
  //# sourceMappingURL=convex.config.d.ts.map
package/dist/component/convex.config.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"convex.config.d.ts","names":[],"sources":["../../src/component/convex.config.ts"],"mappings":";;;cAEM,SAAA,EAAmC,eAAA,CAA1B,mBAAA"}
1
+ {"version":3,"file":"convex.config.d.ts","names":[],"sources":["../../src/component/convex.config.ts"],"mappings":";;;cAEM,SAAA,EAAmC,cAAA,CAA1B,mBAAA"}