erquhart (Collaborator) commented Dec 4, 2025

The authorize field in a custom Email provider config can be skipped unintentionally as it isn't required in types. Not providing an authorize function must be allowed to support "magic link" auth. This change:

  • Makes the field required, but still accepts an explicit undefined so the opt-out is more clear.
  • Adds an explanatory docstring

Unrelated maintenance:

  • adds release scripts

Summary by CodeRabbit

  • Chores
    • Added new release management scripts for pre-release versioning and publishing workflows.
    • Streamlined prepublish build process to focus on compilation only.
    • Updated build automation tool dependencies.
    • Clarified API type definitions for email configuration parameters.


authorize can still be undefined, it just has to be
explicitly set as unintentionally skipping it can
lead to vulnerabilities
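
The typing change described in this PR, modelled as an added example (not code from the PR or from Convex Auth). `Authorize`, `EmailConfigBefore`, `EmailConfigAfter` and `verify` are hypothetical, simplified stand-ins, and the sample addresses are constructed.

```typescript
// Simplified, hypothetical model of the change; not Convex Auth's own types.
type Params = { email?: string };
type Account = { email: string };
type Authorize = (params: Params, account: Account) => void;

// Before: optional key, so forgetting it type-checks without complaint.
interface EmailConfigBefore { id: string; authorize?: Authorize }
// After: the key must be written out, but undefined is a legal value.
interface EmailConfigAfter { id: string; authorize: Authorize | undefined }

// Compiles: nothing signals that the check was left out by accident.
const accidental: EmailConfigBefore = { id: "otp" };

// @ts-expect-error 'authorize' is missing, so the same omission is now rejected.
const rejected: EmailConfigAfter = { id: "otp" };

// Magic link: the opt-out is visible in the config and in code review.
const magicLink: EmailConfigAfter = { id: "magic-link", authorize: undefined };

// Short code: bind the token to the address it was issued for.
const otp: EmailConfigAfter = {
  id: "otp",
  authorize: (params, account) => {
    if (params.email !== account.email) throw new Error("email mismatch");
  },
};

// Hypothetical verification step: runs authorize only when one is configured.
function verify(
  config: EmailConfigBefore | EmailConfigAfter,
  params: Params,
  account: Account,
): boolean {
  try {
    config.authorize?.(params, account);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample: token issued for a@example.com, submitted with another address.
const issuedFor: Account = { email: "a@example.com" };
const mismatched: Params = { email: "b@example.com" };
```

With the optional typing, `verify(accidental, mismatched, issuedFor)` accepts the mismatched address because no check was ever configured; the required typing turns that omission into a compile error while `authorize: undefined` remains available for magic links.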

coderabbitai bot commented Dec 4, 2025

Walkthrough

Changes across configuration and type definitions: .gitignore now excludes tgz files, package.json restructures release scripts and renames npm-run-all to npm-run-all2, and EmailConfig.authorize field signature changes from optional method to union type with undefined.

Changes

Cohort / File(s) and Summary:

  • Build & Release Configuration (package.json): Modified prepublishOnly script from composite lint/build/test:once to build-only. Added new scripts: preversion, alpha, release, version for expanded release workflows. Renamed devDependency npm-run-all to npm-run-all2.
  • Type Definitions (src/server/types.ts): Updated EmailConfig.authorize field from optional method (authorize?) to union type explicitly including undefined (authorize: (...) | undefined). Expanded inline documentation with additional guidance and verification example.
  • Project Ignore Rules (.gitignore): Added *.tgz pattern to ignore compiled archive files.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify npm-run-all2 migration: ensure all dependent scripts and CI workflows function correctly with the renamed package
  • Confirm new release scripts (preversion, alpha, release, version) are properly sequenced and documented
  • Validate authorize field type change: check that existing usages and implementations remain compatible with the union type signature

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately captures the main change: converting the authorize field from optional to required in EmailConfig, which is the primary goal of this pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
package.json (1)

40-45: Release/test scripts are coherent; consider pinning prettier for the version step

The new preversion, alpha, and release scripts give you a clear, test-gated release flow, and simplifying prepublishOnly to just build is reasonable if you standardize on those commands.

One small portability nit: the version script assumes a prettier binary is on PATH, but it isn’t declared in this package’s devDependencies. To avoid surprises on fresh clones, consider adding Prettier here or calling it via npx prettier.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 2734225 and 7375b71.

⛔ Files ignored due to path filters (4)
  • package-lock.json is excluded by !**/package-lock.json
  • test-nextjs/package-lock.json is excluded by !**/package-lock.json
  • test-router/package-lock.json is excluded by !**/package-lock.json
  • test/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .gitignore (1 hunks)
  • package.json (2 hunks)
  • src/server/types.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
src/server/types.ts (1)
src/server/convex_types.ts (1)
  • GenericDoc (15-21)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: lint
  • GitHub Check: test
🔇 Additional comments (3)
.gitignore (1)

43-45: Ignoring test artifacts and package tarballs looks good

Keeping test-results/ ignored and adding *.tgz will prevent local test output and npm pack artifacts from being committed; no issues from a tooling or DX standpoint.

src/server/types.ts (1)

253-284: EmailConfig.authorize typing and docs align with the stated goal

Making authorize required on EmailConfig while allowing undefined matches the intent of always having an explicit choice (OTP vs magic link), and the inline example does a nice job of showing how to bind the token to the original email. No functional or typing issues stand out here.

package.json (1)

109-109: npm-run-all2 devDependency matches the new preversion usage

Adding npm-run-all2 and using run-p in preversion is consistent; just ensure this is the intended fork and that its CLI behavior matches the old npm-run-all expectations (especially around parallel failure handling).

erquhart (Collaborator, Author) commented Dec 4, 2025

This change is at odds with Convex Auth's general support for Auth.js providers, as they don't include an authorize function. Putting this in draft for now.

@erquhart erquhart marked this pull request as draft December 4, 2025 22:57