@askexenow/exe-os 0.9.280 → 0.9.281

package/dist/oauth-server-D7D4574D.js

@@ -0,0 +1,437 @@
+import "./chunk-MLKGABMK.js";
+
+// src/lib/oauth-server.ts
+import { createHash, randomBytes } from "crypto";
+import { existsSync, readFileSync } from "fs";
+import path from "path";
+import os from "os";
+var EXE_AI_DIR = process.env.EXE_OS_DIR ?? path.join(os.homedir(), ".exe-os");
+var ACCESS_TOKEN_TTL_MS = 60 * 60 * 1e3;
+var REFRESH_TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1e3;
+var AUTH_CODE_TTL_MS = 5 * 60 * 1e3;
+var MAX_CLIENTS = 100;
+var MAX_TOKENS = 500;
+var clients = /* @__PURE__ */ new Map();
+var authCodes = /* @__PURE__ */ new Map();
+var accessTokens = /* @__PURE__ */ new Map();
+var refreshTokens = /* @__PURE__ */ new Map();
+function generateId() {
+  return randomBytes(16).toString("hex");
+}
+function generateToken() {
+  return randomBytes(32).toString("hex");
+}
+function sha256(input) {
+  return createHash("sha256").update(input).digest("base64url");
+}
+function parseBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
+    req.on("error", reject);
+    setTimeout(() => reject(new Error("Body read timeout")), 5e3);
+  });
+}
+function parseUrlEncoded(body) {
+  const result = {};
+  for (const pair of body.split("&")) {
+    const [key, value] = pair.split("=");
+    if (key) result[decodeURIComponent(key)] = decodeURIComponent(value ?? "");
+  }
+  return result;
+}
+function jsonResponse(res, status, body) {
+  const json = JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "Cache-Control": "no-store",
+    "Pragma": "no-cache"
+  });
+  res.end(json);
+}
+function evictExpired(map) {
+  const now = Date.now();
+  for (const [key, val] of map) {
+    if (val.expires_at < now) map.delete(key);
+  }
+}
+function loadLicenseKey() {
+  const keyPath = path.join(EXE_AI_DIR, "license.key");
+  if (!existsSync(keyPath)) return null;
+  try {
+    const key = readFileSync(keyPath, "utf-8").trim();
+    return key.startsWith("exe_sk_") ? key : null;
+  } catch {
+    return null;
+  }
+}
+function handleProtectedResourceMetadata(res, port) {
+  jsonResponse(res, 200, {
+    resource: `http://127.0.0.1:${port}/mcp`,
+    authorization_servers: [`http://127.0.0.1:${port}`],
+    scopes_supported: ["mcp"],
+    bearer_methods_supported: ["header"],
+    resource_name: "exe-os"
+  });
+}
+function handleAuthServerMetadata(res, port) {
+  const base = `http://127.0.0.1:${port}`;
+  jsonResponse(res, 200, {
+    issuer: base,
+    authorization_endpoint: `${base}/authorize`,
+    token_endpoint: `${base}/token`,
+    registration_endpoint: `${base}/register`,
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    token_endpoint_auth_methods_supported: ["client_secret_post", "none"],
+    code_challenge_methods_supported: ["S256"],
+    scopes_supported: ["mcp"]
+  });
+}
+async function handleRegister(req, res) {
+  if (req.method !== "POST") {
+    jsonResponse(res, 405, { error: "method_not_allowed" });
+    return;
+  }
+  if (clients.size > MAX_CLIENTS) {
+    const oldest = [...clients.entries()].sort((a, b) => a[1].registered_at - b[1].registered_at);
+    for (let i = 0; i < oldest.length - MAX_CLIENTS / 2; i++) {
+      clients.delete(oldest[i][0]);
+    }
+  }
+  try {
+    const body = await parseBody(req);
+    const metadata = JSON.parse(body);
+    const clientId = generateId();
+    const clientSecret = metadata.token_endpoint_auth_method === "none" ? void 0 : generateToken();
+    const client = {
+      client_id: clientId,
+      client_secret: clientSecret,
+      redirect_uris: metadata.redirect_uris ?? [],
+      client_name: metadata.client_name,
+      registered_at: Date.now()
+    };
+    clients.set(clientId, client);
+    jsonResponse(res, 201, {
+      client_id: clientId,
+      client_secret: clientSecret,
+      client_id_issued_at: Math.floor(Date.now() / 1e3),
+      redirect_uris: client.redirect_uris,
+      client_name: client.client_name,
+      token_endpoint_auth_method: clientSecret ? "client_secret_post" : "none",
+      grant_types: metadata.grant_types ?? ["authorization_code", "refresh_token"],
+      response_types: metadata.response_types ?? ["code"]
+    });
+  } catch {
+    jsonResponse(res, 400, { error: "invalid_client_metadata" });
+  }
+}
+async function handleAuthorize(req, res, url) {
+  const clientId = url.searchParams.get("client_id");
+  const redirectUri = url.searchParams.get("redirect_uri");
+  const responseType = url.searchParams.get("response_type");
+  const codeChallenge = url.searchParams.get("code_challenge");
+  const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+  const state = url.searchParams.get("state");
+  const scope = url.searchParams.get("scope");
+  if (!clientId || !redirectUri || responseType !== "code" || !codeChallenge) {
+    jsonResponse(res, 400, { error: "invalid_request", error_description: "Missing required OAuth parameters" });
+    return;
+  }
+  const client = clients.get(clientId);
+  if (!client) {
+    jsonResponse(res, 400, { error: "invalid_client", error_description: "Unknown client_id" });
+    return;
+  }
+  if (req.method === "POST") {
+    const body = await parseBody(req);
+    const params = parseUrlEncoded(body);
+    const licenseKey = params.license_key;
+    if (!licenseKey || !licenseKey.startsWith("exe_sk_")) {
+      serveAuthForm(res, url, "Invalid license key. Must start with exe_sk_");
+      return;
+    }
+    let licensePlan = "free";
+    let licenseEmail = "";
+    try {
+      const { validateLicense } = await import("./lib/license.js");
+      const license = await validateLicense(licenseKey);
+      if (!license.valid) {
+        serveAuthForm(res, url, "License key is invalid or expired.");
+        return;
+      }
+      licensePlan = license.plan;
+      licenseEmail = license.email ?? "";
+    } catch {
+      serveAuthForm(res, url, "Could not validate license. Check your internet connection.");
+      return;
+    }
+    return issueAuthCode(res, {
+      clientId,
+      redirectUri,
+      codeChallenge,
+      codeChallengeMethod: codeChallengeMethod ?? "S256",
+      state,
+      scope,
+      licensePlan,
+      licenseEmail
+    });
+  }
+  const existingKey = loadLicenseKey();
+  if (existingKey) {
+    let licensePlan = "free";
+    let licenseEmail = "";
+    try {
+      const { checkLicense } = await import("./lib/license.js");
+      const license = await checkLicense();
+      if (license.valid) {
+        licensePlan = license.plan;
+        licenseEmail = license.email ?? "";
+        return issueAuthCode(res, {
+          clientId,
+          redirectUri,
+          codeChallenge,
+          codeChallengeMethod: codeChallengeMethod ?? "S256",
+          state,
+          scope,
+          licensePlan,
+          licenseEmail
+        });
+      }
+    } catch {
+    }
+  }
+  serveAuthForm(res, url, null);
+}
+function issueAuthCode(res, params) {
+  evictExpired(authCodes);
+  const code = generateToken();
+  authCodes.set(code, {
+    code,
+    client_id: params.clientId,
+    redirect_uri: params.redirectUri,
+    code_challenge: params.codeChallenge,
+    code_challenge_method: params.codeChallengeMethod,
+    state: params.state ?? void 0,
+    scope: params.scope ?? void 0,
+    license_plan: params.licensePlan,
+    license_email: params.licenseEmail,
+    expires_at: Date.now() + AUTH_CODE_TTL_MS,
+    used: false
+  });
+  const redirectUrl = new URL(params.redirectUri);
+  redirectUrl.searchParams.set("code", code);
+  if (params.state) redirectUrl.searchParams.set("state", params.state);
+  res.writeHead(302, { Location: redirectUrl.toString() });
+  res.end();
+}
+function serveAuthForm(res, url, errorMsg) {
+  const error = errorMsg ? `<p style="color:#ef4444;margin-bottom:16px">${errorMsg}</p>` : "";
+  const html = `<!DOCTYPE html>
+<html>
+<head>
+  <title>Exe OS \u2014 License Authorization</title>
+  <meta charset="utf-8">
+  <style>
+    body { font-family: -apple-system, system-ui, sans-serif; background: #0F0E1A; color: #E0E0E0; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; }
+    .card { background: #1A1A2E; border: 1px solid #2A2A3E; border-radius: 12px; padding: 32px; max-width: 420px; width: 100%; }
+    h1 { color: #F5D76E; font-size: 20px; margin: 0 0 8px; }
+    p { color: #888; font-size: 14px; line-height: 1.5; margin: 0 0 20px; }
+    label { display: block; color: #AAA; font-size: 13px; margin-bottom: 6px; }
+    input { width: 100%; padding: 10px 12px; background: #0F0E1A; border: 1px solid #2A2A3E; border-radius: 6px; color: #E0E0E0; font-size: 14px; box-sizing: border-box; }
+    input:focus { border-color: #F5D76E; outline: none; }
+    button { width: 100%; padding: 10px; background: #F5D76E; color: #0F0E1A; border: none; border-radius: 6px; font-size: 14px; font-weight: 600; cursor: pointer; margin-top: 16px; }
+    button:hover { background: #E5C75E; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Exe OS</h1>
+    <p>Enter your license key to authorize MCP access.</p>
+    ${error}
+    <form method="POST" action="/authorize?${url.searchParams.toString()}">
+      <label for="license_key">License Key</label>
+      <input type="text" id="license_key" name="license_key" placeholder="exe_sk_..." autofocus required>
+      <button type="submit">Authorize</button>
+    </form>
+  </div>
+</body>
+</html>`;
+  res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+  res.end(html);
+}
+async function handleToken(req, res) {
+  if (req.method !== "POST") {
+    jsonResponse(res, 405, { error: "method_not_allowed" });
+    return;
+  }
+  const body = await parseBody(req);
+  let params;
+  const contentType = req.headers["content-type"] ?? "";
+  if (contentType.includes("application/json")) {
+    try {
+      params = JSON.parse(body);
+    } catch {
+      jsonResponse(res, 400, { error: "invalid_request" });
+      return;
+    }
+  } else {
+    params = parseUrlEncoded(body);
+  }
+  const grantType = params.grant_type;
+  if (grantType === "authorization_code") {
+    return handleAuthCodeExchange(params, res);
+  } else if (grantType === "refresh_token") {
+    return handleRefreshToken(params, res);
+  } else {
+    jsonResponse(res, 400, { error: "unsupported_grant_type" });
+  }
+}
+function handleAuthCodeExchange(params, res) {
+  const code = params.code;
+  const codeVerifier = params.code_verifier;
+  const clientId = params.client_id;
+  if (!code || !codeVerifier || !clientId) {
+    jsonResponse(res, 400, { error: "invalid_request", error_description: "Missing code, code_verifier, or client_id" });
+    return;
+  }
+  evictExpired(authCodes);
+  const authCode = authCodes.get(code);
+  if (!authCode) {
+    jsonResponse(res, 400, { error: "invalid_grant", error_description: "Unknown or expired authorization code" });
+    return;
+  }
+  if (authCode.used) {
+    authCodes.delete(code);
+    jsonResponse(res, 400, { error: "invalid_grant", error_description: "Authorization code already used" });
+    return;
+  }
+  if (authCode.client_id !== clientId) {
+    jsonResponse(res, 400, { error: "invalid_grant", error_description: "Client ID mismatch" });
+    return;
+  }
+  const expectedChallenge = sha256(codeVerifier);
+  if (expectedChallenge !== authCode.code_challenge) {
+    jsonResponse(res, 400, { error: "invalid_grant", error_description: "PKCE verification failed" });
+    return;
+  }
+  authCode.used = true;
+  evictExpired(accessTokens);
+  evictExpired(refreshTokens);
+  if (accessTokens.size > MAX_TOKENS) {
+    const oldest = [...accessTokens.entries()].sort((a, b) => a[1].expires_at - b[1].expires_at);
+    for (let i = 0; i < oldest.length - MAX_TOKENS / 2; i++) {
+      accessTokens.delete(oldest[i][0]);
+    }
+  }
+  const accessToken = generateToken();
+  const refreshToken = generateToken();
+  accessTokens.set(accessToken, {
+    token: accessToken,
+    client_id: clientId,
+    scope: authCode.scope ?? "mcp",
+    license_plan: authCode.license_plan,
+    license_email: authCode.license_email,
+    expires_at: Date.now() + ACCESS_TOKEN_TTL_MS
+  });
+  refreshTokens.set(refreshToken, {
+    token: refreshToken,
+    client_id: clientId,
+    scope: authCode.scope ?? "mcp",
+    license_plan: authCode.license_plan,
+    license_email: authCode.license_email,
+    expires_at: Date.now() + REFRESH_TOKEN_TTL_MS
+  });
+  jsonResponse(res, 200, {
+    access_token: accessToken,
+    token_type: "Bearer",
+    expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1e3),
+    refresh_token: refreshToken,
+    scope: authCode.scope ?? "mcp"
+  });
+}
+function handleRefreshToken(params, res) {
+  const token = params.refresh_token;
+  const clientId = params.client_id;
+  if (!token) {
+    jsonResponse(res, 400, { error: "invalid_request", error_description: "Missing refresh_token" });
+    return;
+  }
+  evictExpired(refreshTokens);
+  const rt = refreshTokens.get(token);
+  if (!rt) {
+    jsonResponse(res, 400, { error: "invalid_grant", error_description: "Unknown or expired refresh token" });
+    return;
+  }
+  if (clientId && rt.client_id !== clientId) {
+    jsonResponse(res, 400, { error: "invalid_grant", error_description: "Client ID mismatch" });
+    return;
+  }
+  refreshTokens.delete(token);
+  const newAccessToken = generateToken();
+  const newRefreshToken = generateToken();
+  accessTokens.set(newAccessToken, {
+    token: newAccessToken,
+    client_id: rt.client_id,
+    scope: rt.scope,
+    license_plan: rt.license_plan,
+    license_email: rt.license_email,
+    expires_at: Date.now() + ACCESS_TOKEN_TTL_MS
+  });
+  refreshTokens.set(newRefreshToken, {
+    token: newRefreshToken,
+    client_id: rt.client_id,
+    scope: rt.scope,
+    license_plan: rt.license_plan,
+    license_email: rt.license_email,
+    expires_at: Date.now() + REFRESH_TOKEN_TTL_MS
+  });
+  jsonResponse(res, 200, {
+    access_token: newAccessToken,
+    token_type: "Bearer",
+    expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1e3),
+    refresh_token: newRefreshToken,
+    scope: rt.scope
+  });
+}
+function verifyAccessToken(token) {
+  evictExpired(accessTokens);
+  const at = accessTokens.get(token);
+  if (!at) return { valid: false };
+  return {
+    valid: true,
+    client_id: at.client_id,
+    scope: at.scope,
+    license_plan: at.license_plan,
+    license_email: at.license_email
+  };
+}
+async function handleOAuthRoute(req, res, url, port) {
+  const p = url.pathname;
+  if (p === "/.well-known/oauth-protected-resource" || p === "/.well-known/oauth-protected-resource/mcp") {
+    handleProtectedResourceMetadata(res, port);
+    return true;
+  }
+  if (p === "/.well-known/oauth-authorization-server") {
+    handleAuthServerMetadata(res, port);
+    return true;
+  }
+  if (p === "/register") {
+    await handleRegister(req, res);
+    return true;
+  }
+  if (p === "/authorize") {
+    await handleAuthorize(req, res, url);
+    return true;
+  }
+  if (p === "/token") {
+    await handleToken(req, res);
+    return true;
+  }
+  return false;
+}
+export {
+  handleOAuthRoute,
+  verifyAccessToken
+};