@assetlab/mcp-server 1.19.6 → 1.20.0

package/dist/oauth.js

@@ -1,16 +1,16 @@
 /**
- * Minimal OAuth 2.0 Authorization Server for Claude.ai MCP integration.
+ * OAuth 2.0 Authorization Server for AssetLab MCP.
  *
- * Implements just enough of OAuth 2.0 + PKCE to satisfy Claude.ai's connector flow:
- *   1. Dynamic client registration (RFC 7591)
- *   2. Authorization endpoint (shows "paste your API key" page)
- *   3. Token endpoint (exchanges auth code for access token)
+ * Implements the subset of OAuth 2.0 + PKCE + RFC 7591/7592 needed to satisfy
+ * MCP connectors (Claude.ai, ChatGPT):
+ *   - /oauth/register   POST   — dynamic client registration with KV-backed allow-list
+ *   - /oauth/register/{id} DELETE — authenticated client deletion
+ *   - /authorize        GET    — consent page (validates client + redirect_uri)
+ *   - /authorize        POST   — issues an encrypted authorization code
+ *   - /token            POST   — code/refresh exchange (PKCE S256 mandatory)
  *
- * The user's AssetLab API key becomes the OAuth access_token, so the existing
- * MCP handler works unchanged (it reads Bearer token from Authorization header).
- *
- * Authorization codes are encrypted with AES-GCM using OAUTH_SECRET — fully
- * stateless, no KV or Durable Objects needed.
+ * The user's AssetLab API key is still returned as the OAuth access_token
+ * (P0 hardening keeps this; the opaque-token swap is tracked as P1).
  */
 // ── Helpers ──────────────────────────────────────────────────────────────────
 function base64url(buf) {
@@ -50,27 +50,161 @@ async function decrypt(code, secret) {
     const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
     return new TextDecoder().decode(decrypted);
 }
+async function sha256Hex(s) {
+    const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(s));
+    return Array.from(new Uint8Array(buf))
+        .map(b => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+function safeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    return diff === 0;
+}
+// Opaque access tokens are prefixed so the Worker can distinguish them from
+// legacy API-key-as-Bearer requests (which start with al_live_ / al_test_).
+const ACCESS_TOKEN_PREFIX = 'mcp_at_';
+const ACCESS_TOKEN_TTL_SECONDS = 86_400; // 24h — matches the `expires_in` in /token response
+// ── KV helpers ───────────────────────────────────────────────────────────────
+const CLIENT_KEY = (id) => `oauth_client:${id}`;
+const TOKEN_KEY = (hash) => `oauth_token:${hash}`;
+const CONSUMED_CODE_KEY = (hash) => `consumed_code:${hash}`;
+async function getClient(kv, id) {
+    if (!id)
+        return null;
+    const raw = await kv.get(CLIENT_KEY(id));
+    if (!raw)
+        return null;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function putClient(kv, client) {
+    await kv.put(CLIENT_KEY(client.client_id), JSON.stringify(client));
+}
+async function deleteClient(kv, id) {
+    await kv.delete(CLIENT_KEY(id));
+}
+async function mintAccessToken(kv, apiKey, scope, clientId) {
+    const bytes = crypto.getRandomValues(new Uint8Array(32));
+    const token = ACCESS_TOKEN_PREFIX + base64url(bytes);
+    const hash = await sha256Hex(token);
+    const record = {
+        api_key: apiKey,
+        scope,
+        client_id: clientId,
+        created_at: Date.now(),
+    };
+    await kv.put(TOKEN_KEY(hash), JSON.stringify(record), {
+        expirationTtl: ACCESS_TOKEN_TTL_SECONDS,
+    });
+    return token;
+}
+/**
+ * Resolve a Bearer token presented to the MCP transport. Called once per
+ * incoming request from the Worker.
+ *
+ * - `mcp_at_*` tokens are looked up in KV. Miss → `null` (Worker returns 401).
+ * - Legacy `al_live_*` / `al_test_*` tokens (issued before opaque-token swap
+ *   or used by direct CLI integrations) pass through unchanged so the API
+ *   gateway can validate them.
+ * - Anything else is rejected (`null`) — the API gateway shouldn't see garbage.
+ */
+export async function resolveAccessToken(kv, token) {
+    if (!token)
+        return null;
+    if (token.startsWith(ACCESS_TOKEN_PREFIX)) {
+        const hash = await sha256Hex(token);
+        const raw = await kv.get(TOKEN_KEY(hash));
+        if (!raw)
+            return null;
+        try {
+            const rec = JSON.parse(raw);
+            return { apiKey: rec.api_key, scope: rec.scope, clientId: rec.client_id };
+        }
+        catch {
+            return null;
+        }
+    }
+    if (token.startsWith('al_live_') || token.startsWith('al_test_')) {
+        // Legacy passthrough — API gateway validates. Grace path for pre-swap sessions.
+        return { apiKey: token };
+    }
+    return null;
+}
+async function deleteAccessToken(kv, token) {
+    if (!token.startsWith(ACCESS_TOKEN_PREFIX))
+        return;
+    const hash = await sha256Hex(token);
+    await kv.delete(TOKEN_KEY(hash));
+}
+// ── Redirect URI validation ──────────────────────────────────────────────────
+//
+// RFC 8252 §7.3: allow loopback http for native apps; everything else must be
+// https. Reject anything that could exfiltrate the auth code via a non-HTTP
+// transport (javascript:, data:, file:, ws://, etc.).
+function isValidRedirectUri(uri) {
+    if (typeof uri !== 'string' || uri.length > 2000)
+        return false;
+    let parsed;
+    try {
+        parsed = new URL(uri);
+    }
+    catch {
+        return false;
+    }
+    if (parsed.protocol === 'https:')
+        return true;
+    if (parsed.protocol === 'http:') {
+        return (parsed.hostname === 'localhost' ||
+            parsed.hostname === '127.0.0.1' ||
+            parsed.hostname === '[::1]');
+    }
+    return false;
+}
 // ── CORS ─────────────────────────────────────────────────────────────────────
-const CORS = {
-    'Access-Control-Allow-Origin': '*',
-    'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-    'Access-Control-Allow-Headers': 'Authorization, Content-Type, MCP-Protocol-Version, Accept',
-};
-function json(body, status = 200, extra = {}) {
+const ALLOWED_ORIGINS = new Set([
+    'https://claude.ai',
+    'https://chat.openai.com',
+    'https://chatgpt.com',
+]);
+export function corsHeaders(request) {
+    const origin = request.headers.get('origin') ?? '';
+    if (!ALLOWED_ORIGINS.has(origin))
+        return {};
+    return {
+        'Access-Control-Allow-Origin': origin,
+        'Access-Control-Allow-Credentials': 'true',
+        Vary: 'Origin',
+        'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
+        'Access-Control-Allow-Headers': 'Authorization, Content-Type, MCP-Protocol-Version, Accept',
+    };
+}
+function json(body, status = 200, extra = {}, corsFor) {
     return new Response(JSON.stringify(body), {
         status,
-        headers: { 'Content-Type': 'application/json', ...CORS, ...extra },
+        headers: {
+            'Content-Type': 'application/json',
+            ...(corsFor ? corsHeaders(corsFor) : {}),
+            ...extra,
+        },
     });
 }
 // ── Discovery endpoints ─────────────────────────────────────────────────────
-export function protectedResourceMetadata(origin) {
+export function protectedResourceMetadata(origin, request) {
     const resource = origin.endsWith('/') ? origin : `${origin}/`;
     return json({
         resource,
         authorization_servers: [origin],
-    });
+    }, 200, {}, request);
 }
-export function authServerMetadata(origin) {
+export function authServerMetadata(origin, request) {
     return json({
         issuer: origin,
         authorization_endpoint: `${origin}/authorize`,
@@ -81,211 +215,196 @@ export function authServerMetadata(origin) {
         scopes_supported: ['claudeai', 'mcp'],
         code_challenge_methods_supported: ['S256'],
         token_endpoint_auth_methods_supported: ['none'],
-    });
+    }, 200, {}, request);
 }
 // ── Dynamic client registration (RFC 7591) ──────────────────────────────────
-export async function handleRegister(request) {
-    const body = await request.json();
+export async function handleRegister(request, kv) {
+    let body;
+    try {
+        body = (await request.json());
+    }
+    catch {
+        return json({ error: 'invalid_client_metadata', error_description: 'Body must be valid JSON' }, 400);
+    }
+    const uris = body.redirect_uris;
+    if (!Array.isArray(uris) || uris.length === 0) {
+        return json({
+            error: 'invalid_redirect_uri',
+            error_description: 'redirect_uris must be a non-empty array',
+        }, 400);
+    }
+    if (uris.length > 10) {
+        return json({ error: 'invalid_redirect_uri', error_description: 'Too many redirect_uris (max 10)' }, 400);
+    }
+    for (const u of uris) {
+        if (!isValidRedirectUri(u)) {
+            return json({
+                error: 'invalid_redirect_uri',
+                error_description: 'All redirect_uris must use https:// (http:// is only allowed for localhost loopback)',
+            }, 400);
+        }
+    }
+    const name = typeof body.client_name === 'string' && body.client_name.trim().length > 0
+        ? body.client_name.trim().slice(0, 200)
+        : 'MCP Client';
+    // Scope is stored as-is (≤200 chars). The /authorize and /token endpoints
+    // intersect requested scope with the supported set at issue time.
+    const rawScope = typeof body.scope === 'string' && body.scope.length <= 200 ? body.scope : 'mcp';
     const clientId = crypto.randomUUID();
+    const regTokenBytes = crypto.getRandomValues(new Uint8Array(32));
+    const regToken = base64url(regTokenBytes);
+    const regTokenHash = await sha256Hex(regToken);
+    const client = {
+        client_id: clientId,
+        client_name: name,
+        redirect_uris: uris,
+        scope: rawScope,
+        registration_access_token_hash: regTokenHash,
+        created_at: Date.now(),
+    };
+    await putClient(kv, client);
+    const origin = new URL(request.url).origin;
     return json({
         client_id: clientId,
-        client_name: body.client_name ?? 'Claude.ai',
-        redirect_uris: body.redirect_uris ?? [],
-        grant_types: body.grant_types ?? ['authorization_code'],
-        response_types: body.response_types ?? ['code'],
+        client_name: name,
+        redirect_uris: uris,
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
         token_endpoint_auth_method: 'none',
+        scope: rawScope,
+        registration_access_token: regToken,
+        registration_client_uri: `${origin}/oauth/register/${clientId}`,
     }, 201);
 }
+// ── Authenticated client deletion (RFC 7592) ────────────────────────────────
+export async function handleDelete(request, kv, clientId) {
+    const auth = request.headers.get('Authorization') ?? '';
+    if (!auth.startsWith('Bearer ')) {
+        return json({ error: 'invalid_token', error_description: 'Registration access token required' }, 401, { 'WWW-Authenticate': 'Bearer' });
+    }
+    const token = auth.slice(7).trim();
+    const client = await getClient(kv, clientId);
+    // Return 401 (not 404) for unknown client_ids so we don't leak which IDs exist.
+    if (!token || !client) {
+        return json({ error: 'invalid_token', error_description: 'Invalid registration access token' }, 401);
+    }
+    const providedHash = await sha256Hex(token);
+    if (!safeEqual(providedHash, client.registration_access_token_hash)) {
+        return json({ error: 'invalid_token', error_description: 'Invalid registration access token' }, 401);
+    }
+    await deleteClient(kv, clientId);
+    return new Response(null, { status: 204 });
+}
 // ── Authorization endpoint ──────────────────────────────────────────────────
-export function handleAuthorizeGet(request) {
+export async function handleAuthorizeGet(request, kv) {
     const url = new URL(request.url);
-    const state = url.searchParams.get('state') ?? '';
+    const clientId = url.searchParams.get('client_id') ?? '';
     const redirectUri = url.searchParams.get('redirect_uri') ?? '';
+    const responseType = url.searchParams.get('response_type') ?? 'code';
     const codeChallenge = url.searchParams.get('code_challenge') ?? '';
-    const clientId = url.searchParams.get('client_id') ?? '';
+    const codeChallengeMethod = url.searchParams.get('code_challenge_method') ?? '';
     const scope = url.searchParams.get('scope') ?? '';
-    const html = `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8"/>
-  <meta name="viewport" content="width=device-width, initial-scale=1"/>
-  <title>Connect to AssetLab</title>
-  <link rel="preconnect" href="https://fonts.googleapis.com"/>
-  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin/>
-  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600&family=Lexend:wght@400;500;600&display=swap" rel="stylesheet"/>
-  <style>
-    *{margin:0;padding:0;box-sizing:border-box}
-    body{font-family:'Inter',system-ui,sans-serif;background:rgb(3,6,22);color:#fff;
-         min-height:100vh;display:flex;flex-direction:column;align-items:center;
-         justify-content:center;padding:1rem;position:relative;overflow:hidden}
-    /* base grid - white, faded on edges */
-    .grid-base{position:fixed;inset:0;pointer-events:none;z-index:0;opacity:.04;
-      background-image:linear-gradient(rgba(255,255,255,.4) 1px,transparent 1px),
-                        linear-gradient(90deg,rgba(255,255,255,.4) 1px,transparent 1px);
-      background-size:60px 60px;
-      -webkit-mask-image:radial-gradient(ellipse 60% 60% at 50% 50%,black 0%,transparent 100%);
-      mask-image:radial-gradient(ellipse 60% 60% at 50% 50%,black 0%,transparent 100%)}
-    /* mouse hover glow on grid */
-    .grid-glow{position:fixed;inset:0;pointer-events:none;z-index:0;
-      background-image:linear-gradient(rgba(106,208,157,.3) 1px,transparent 1px),
-                        linear-gradient(90deg,rgba(106,208,157,.3) 1px,transparent 1px);
-      background-size:60px 60px;transition:opacity .3s;
-      -webkit-mask-image:radial-gradient(circle 120px at 0px 0px,black 0%,transparent 100%);
-      mask-image:radial-gradient(circle 120px at 0px 0px,black 0%,transparent 100%)}
-    .logo{display:flex;align-items:center;gap:.625rem;margin-bottom:2rem;position:relative;z-index:1}
-    .logo svg{width:48px;height:48px}
-    .logo-text{font-family:'Lexend',sans-serif;font-size:1.5rem;font-weight:500;letter-spacing:-.025em}
-    .logo-text .lab{color:#45c28b}
-    .card{background:transparent;backdrop-filter:blur(4px);border-radius:1rem;
-          border:1px solid rgba(255,255,255,.2);max-width:420px;width:100%;
-          padding:2rem;position:relative;z-index:1}
-    h1{font-family:'Lexend',sans-serif;font-size:1.25rem;font-weight:500;margin-bottom:.25rem;
-       letter-spacing:-.025em}
-    .sub{color:#d1d5db;font-size:.875rem;margin-bottom:1.5rem}
-    label{display:flex;align-items:center;gap:.5rem;color:#e5e7eb;font-weight:500;
-          font-size:.875rem;margin-bottom:.375rem}
-    label svg{width:16px;height:16px;color:#9ca3af;flex-shrink:0}
-    input[type="password"]{width:100%;padding:.625rem .75rem;background:transparent;
-          border:1px solid rgba(255,255,255,.2);border-radius:.5rem;font-size:.875rem;
-          font-family:'JetBrains Mono',monospace;color:#fff;outline:none;transition:border-color .15s,box-shadow .15s}
-    input[type="password"]::placeholder{color:#6b7280}
-    input[type="password"]:focus{border-color:rgb(106,208,157);
-          box-shadow:0 0 0 3px rgba(106,208,157,.15)}
-    .help{color:#6b7280;font-size:.75rem;margin-top:.375rem}
-    button{width:100%;margin-top:1.25rem;padding:.625rem;
-           background:rgb(106,208,157);color:rgb(3,6,22);border:none;border-radius:.5rem;
-           font-family:'Inter',sans-serif;font-size:.875rem;font-weight:600;cursor:pointer;
-           transition:background .15s}
-    button:hover{background:rgb(86,188,137)}
-    button:disabled{background:#4b5563;color:#9ca3af;cursor:not-allowed}
-    .footer{text-align:center;margin-top:1rem;font-size:.75rem;color:#6b7280}
-    /* subtle glow behind card */
-    .glow{position:fixed;width:400px;height:400px;border-radius:50%;
-          background:radial-gradient(circle,rgba(106,208,157,.08),transparent 70%);
-          top:50%;left:50%;transform:translate(-50%,-50%);pointer-events:none;z-index:0}
-  </style>
-</head>
-<body>
-  <div class="grid-base"></div>
-  <div class="grid-glow" id="gridGlow"></div>
-  <div class="glow"></div>
-  <div class="logo">
-    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 292.3 292.3">
-      <g transform="translate(95.414,86.487)">
-        <circle fill="#45c28b" cx="-74.77" cy="-51.34" r="20"/>
-        <circle fill="#45c28b" cx="-74.53" cy="1.19" r="20"/>
-        <circle fill="#45c28b" cx="-22.24" cy="-28.91" r="20"/>
-        <circle fill="#fbd04e" cx="-74.67" cy="56.37" r="20"/>
-        <circle fill="#fbd04e" cx="-74.58" cy="120.34" r="20"/>
-        <circle fill="#fbd04e" cx="-74.49" cy="172.05" r="20"/>
-        <circle fill="#fbd04e" cx="-23.77" cy="26.56" r="20"/>
-        <circle fill="#fbd04e" cx="22.72" cy="-7.36" r="15"/>
-        <circle fill="#fbd04e" cx="-21.38" cy="89.52" r="17"/>
-        <circle fill="#fbd04e" cx="30.77" cy="51.30" r="20"/>
-        <circle fill="#fbd04e" cx="-21.89" cy="159.66" r="17"/>
-        <circle fill="#fbd04e" cx="22.92" cy="173.41" r="15"/>
-        <circle fill="#fbd04e" cx="35.15" cy="119.00" r="20"/>
-        <circle fill="#fbd04e" cx="79.51" cy="79.64" r="15"/>
-        <circle fill="#f78265" cx="72.59" cy="161.68" r="20"/>
-        <circle fill="#f78265" cx="110.66" cy="131.00" r="12"/>
-        <circle fill="#f78265" cx="121.37" cy="86.82" r="12"/>
-        <circle fill="#f78265" cx="155.50" cy="110.89" r="15"/>
-        <circle fill="#f78265" cx="136.27" cy="172.43" r="15"/>
-        <circle fill="#f78265" cx="182.53" cy="154.52" r="15"/>
-      </g>
-    </svg>
-    <span class="logo-text">Asset<span class="lab">Lab</span></span>
-  </div>
-  <div class="card">
-    <h1>Connect to AssetLab</h1>
-    <p class="sub">Claude.ai wants to access your AssetLab workspace via MCP.</p>
-    <form method="POST" action="/authorize" id="form">
-      <input type="hidden" name="state" value="${escapeHtml(state)}"/>
-      <input type="hidden" name="redirect_uri" value="${escapeHtml(redirectUri)}"/>
-      <input type="hidden" name="code_challenge" value="${escapeHtml(codeChallenge)}"/>
-      <input type="hidden" name="client_id" value="${escapeHtml(clientId)}"/>
-      <input type="hidden" name="scope" value="${escapeHtml(scope)}"/>
-      <label for="api_key">
-        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="m21 2-2 2m-7.61 7.61a5.5 5.5 0 1 1-7.778 7.778 5.5 5.5 0 0 1 7.777-7.777zm0 0L15.5 7.5m0 0 3 3L22 7l-3-3m-3.5 3.5L19 4"/></svg>
-        API Key
-      </label>
-      <input type="password" id="api_key" name="api_key" placeholder="al_live_..." required
-             pattern="al_(live|test)_.+" title="Must start with al_live_ or al_test_"/>
-      <p class="help">Find this in AssetLab → Settings → API Keys</p>
-      <button type="submit" id="btn">Authorize</button>
-    </form>
-    <p class="footer">Your key is sent directly to AssetLab and never stored by this server.</p>
-  </div>
-  <script>
-    document.getElementById('form').addEventListener('submit',()=>{
-      document.getElementById('btn').disabled=true;
-      document.getElementById('btn').textContent='Connecting…';
-    });
-    (function(){
-      var g=document.getElementById('gridGlow');
-      document.addEventListener('mousemove',function(e){
-        var m='radial-gradient(circle 120px at '+e.clientX+'px '+e.clientY+'px,black 0%,transparent 100%)';
-        g.style.webkitMaskImage=m;g.style.maskImage=m;
-      });
-    })();
-  </script>
-</body>
-</html>`;
-    return new Response(html, {
-        status: 200,
-        headers: { 'Content-Type': 'text/html; charset=utf-8', ...CORS },
+    const state = url.searchParams.get('state') ?? '';
+    if (responseType !== 'code') {
+        return errorPage(`Unsupported response_type "${responseType}". Only the authorization code flow is supported.`, 400);
+    }
+    if (!codeChallenge || codeChallengeMethod !== 'S256') {
+        return errorPage('This server requires PKCE: code_challenge and code_challenge_method=S256 are mandatory.', 400);
+    }
+    if (!clientId) {
+        return errorPage('Missing client_id.', 400);
+    }
+    const client = await getClient(kv, clientId);
+    if (!client) {
+        return errorPage('Unknown client_id. Re-register the application and try again.', 400);
+    }
+    if (!redirectUri || !client.redirect_uris.includes(redirectUri)) {
+        return errorPage('redirect_uri does not match any URI registered for this client.', 400);
+    }
+    let redirectHost = '';
+    try {
+        redirectHost = new URL(redirectUri).host;
+    }
+    catch {
+        redirectHost = '';
+    }
+    return renderConsentPage({
+        clientName: client.client_name,
+        redirectHost,
+        state,
+        redirectUri,
+        codeChallenge,
+        clientId,
+        scope,
     });
 }
-export async function handleAuthorizePost(request, secret) {
+export async function handleAuthorizePost(request, env) {
     const form = await request.formData();
     const apiKey = form.get('api_key')?.trim();
-    const state = form.get('state');
-    const redirectUri = form.get('redirect_uri');
-    const codeChallenge = form.get('code_challenge');
+    const state = form.get('state') ?? '';
+    const redirectUri = form.get('redirect_uri') ?? '';
+    const codeChallenge = form.get('code_challenge') ?? '';
+    const clientId = form.get('client_id') ?? '';
     const scope = form.get('scope') ?? '';
-    console.log('[authorize POST]', JSON.stringify({ hasApiKey: !!apiKey, state, redirectUri, codeChallenge, scope }));
-    if (!apiKey || !redirectUri) {
-        return json({ error: 'missing_parameters' }, 400);
+    if (!apiKey)
+        return errorPage('API key is required.', 400);
+    if (!clientId)
+        return errorPage('Missing client_id.', 400);
+    if (!codeChallenge)
+        return errorPage('Missing PKCE code_challenge.', 400);
+    // Re-validate against KV — guards against tampering with hidden form fields.
+    const client = await getClient(env.OAUTH_CLIENTS, clientId);
+    if (!client)
+        return errorPage('Unknown client_id.', 400);
+    if (!redirectUri || !client.redirect_uris.includes(redirectUri)) {
+        return errorPage('redirect_uri does not match any URI registered for this client.', 400);
     }
     const payload = {
         apiKey,
         codeChallenge,
         redirectUri,
         scope,
+        clientId,
         exp: Date.now() + 600_000, // 10 minutes
     };
-    const code = await encrypt(JSON.stringify(payload), secret);
+    const code = await encrypt(JSON.stringify(payload), env.OAUTH_SECRET);
     const target = new URL(redirectUri);
     target.searchParams.set('code', code);
     if (state)
         target.searchParams.set('state', state);
-    console.log('[authorize POST] redirecting to', target.toString().slice(0, 100));
     return Response.redirect(target.toString(), 302);
 }
 // ── Token endpoint ──────────────────────────────────────────────────────────
-async function issueTokens(apiKey, scope, secret) {
-    const refreshPayload = { apiKey, scope: scope || 'mcp', type: 'refresh' };
-    const refreshToken = await encrypt(JSON.stringify(refreshPayload), secret);
+async function issueTokens(apiKey, scope, clientId, env) {
+    const effectiveScope = scope || 'mcp';
+    const accessToken = await mintAccessToken(env.OAUTH_CLIENTS, apiKey, effectiveScope, clientId);
+    const refreshPayload = {
+        apiKey,
+        scope: effectiveScope,
+        clientId,
+        type: 'refresh',
+    };
+    const refreshToken = await encrypt(JSON.stringify(refreshPayload), env.OAUTH_SECRET);
     return json({
-        access_token: apiKey,
+        access_token: accessToken,
         token_type: 'Bearer',
-        expires_in: 86400,
-        scope: scope || 'mcp',
+        expires_in: ACCESS_TOKEN_TTL_SECONDS,
+        scope: effectiveScope,
         refresh_token: refreshToken,
     });
 }
-export async function handleToken(request, secret) {
+export async function handleToken(request, env) {
     let params;
     const ct = request.headers.get('Content-Type') ?? '';
     if (ct.includes('application/json')) {
-        const body = await request.json();
+        const body = (await request.json());
         params = new URLSearchParams(body);
     }
     else {
         params = new URLSearchParams(await request.text());
     }
     const grantType = params.get('grant_type');
-    console.log('[token]', JSON.stringify({ grantType, contentType: ct }));
+    const requestClientId = params.get('client_id') ?? '';
     // ── Refresh token grant ──────────────────────────────────────────────────
     if (grantType === 'refresh_token') {
         const refreshToken = params.get('refresh_token');
@@ -294,7 +413,7 @@ export async function handleToken(request, secret) {
         }
         let payload;
         try {
-            payload = JSON.parse(await decrypt(refreshToken, secret));
+            payload = JSON.parse(await decrypt(refreshToken, env.OAUTH_SECRET));
         }
         catch (err) {
             console.log('[token] refresh decrypt failed:', err instanceof Error ? err.message : err);
@@ -303,55 +422,279 @@ export async function handleToken(request, secret) {
         if (payload.type !== 'refresh') {
             return json({ error: 'invalid_grant', error_description: 'Invalid refresh token' }, 400);
         }
-        console.log('[token] refresh success, issuing new tokens');
-        return issueTokens(payload.apiKey, payload.scope, secret);
+        // Refresh tokens minted before this rewrite have no clientId — accept them
+        // so existing Claude.ai / ChatGPT sessions survive the deploy. New tokens
+        // always carry clientId and are validated against KV.
+        if (payload.clientId) {
+            const client = await getClient(env.OAUTH_CLIENTS, payload.clientId);
+            if (!client) {
+                return json({ error: 'invalid_grant', error_description: 'Client no longer registered' }, 400);
+            }
+        }
+        return issueTokens(payload.apiKey, payload.scope, payload.clientId, env);
     }
     // ── Authorization code grant ─────────────────────────────────────────────
+    if (grantType && grantType !== 'authorization_code') {
+        return json({
+            error: 'unsupported_grant_type',
+            error_description: `Unsupported grant_type "${grantType}"`,
+        }, 400);
+    }
     const code = params.get('code');
     const codeVerifier = params.get('code_verifier');
-    const redirectUri = params.get('redirect_uri');
-    console.log('[token]', JSON.stringify({
-        hasCode: !!code, hasVerifier: !!codeVerifier, redirectUri,
-    }));
+    const redirectUri = params.get('redirect_uri') ?? '';
     if (!code)
         return json({ error: 'invalid_request', error_description: 'Missing code' }, 400);
+    if (!codeVerifier) {
+        return json({ error: 'invalid_request', error_description: 'Missing code_verifier (PKCE is required)' }, 400);
+    }
+    // F-017 — RFC 6749 §3.2.1: public clients MUST send client_id on /token.
+    if (!requestClientId) {
+        return json({ error: 'invalid_request', error_description: 'Missing client_id' }, 400);
+    }
     let payload;
     try {
-        payload = JSON.parse(await decrypt(code, secret));
+        payload = JSON.parse(await decrypt(code, env.OAUTH_SECRET));
     }
     catch (err) {
         console.log('[token] decrypt failed:', err instanceof Error ? err.message : err);
         return json({ error: 'invalid_grant', error_description: 'Invalid or expired code' }, 400);
     }
-    console.log('[token] decrypted payload:', JSON.stringify({
-        hasApiKey: !!payload.apiKey,
-        codeChallenge: payload.codeChallenge,
-        redirectUri: payload.redirectUri,
-        exp: payload.exp,
-        now: Date.now(),
-    }));
     if (Date.now() > payload.exp) {
-        console.log('[token] code expired');
         return json({ error: 'invalid_grant', error_description: 'Code expired' }, 400);
     }
     if (redirectUri && payload.redirectUri !== redirectUri) {
-        console.log('[token] redirect URI mismatch:', payload.redirectUri, '!=', redirectUri);
         return json({ error: 'invalid_grant', error_description: 'Redirect URI mismatch' }, 400);
     }
-    // Verify PKCE
-    if (payload.codeChallenge && codeVerifier) {
-        const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
-        const expected = base64url(digest);
-        console.log('[token] PKCE check:', expected, '===', payload.codeChallenge, '→', expected === payload.codeChallenge);
-        if (expected !== payload.codeChallenge) {
-            return json({ error: 'invalid_grant', error_description: 'PKCE verification failed' }, 400);
+    if (requestClientId !== payload.clientId) {
+        return json({ error: 'invalid_client', error_description: 'client_id mismatch' }, 400);
+    }
+    // F-015 — RFC 6749 §4.1.2: authorization codes MUST be single-use. Hash of
+    // the raw code (not the code itself) is stored so the KV value isn't a
+    // credential. Sentinel TTL matches the code's remaining lifetime.
+    const codeHash = await sha256Hex(code);
+    if (await env.OAUTH_CLIENTS.get(CONSUMED_CODE_KEY(codeHash))) {
+        return json({ error: 'invalid_grant', error_description: 'Authorization code already used' }, 400);
+    }
+    const client = await getClient(env.OAUTH_CLIENTS, payload.clientId);
+    if (!client) {
+        return json({ error: 'invalid_client', error_description: 'Unknown client' }, 401);
+    }
+    if (!client.redirect_uris.includes(payload.redirectUri)) {
+        return json({ error: 'invalid_grant', error_description: 'Redirect URI no longer registered' }, 400);
+    }
+    // PKCE verification — mandatory.
+    const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
+    const expected = base64url(digest);
+    if (!safeEqual(expected, payload.codeChallenge)) {
+        return json({ error: 'invalid_grant', error_description: 'PKCE verification failed' }, 400);
+    }
+    // Mark code consumed before issuing tokens. KV expirationTtl is in seconds
+    // and clamped at 60s minimum by Cloudflare.
+    const remainingTtl = Math.max(60, Math.ceil((payload.exp - Date.now()) / 1000));
+    await env.OAUTH_CLIENTS.put(CONSUMED_CODE_KEY(codeHash), '1', {
+        expirationTtl: remainingTtl,
+    });
+    return issueTokens(payload.apiKey, payload.scope, payload.clientId, env);
+}
+// ── Token revocation (RFC 7009) ─────────────────────────────────────────────
+/**
+ * POST /oauth/revoke — revoke an opaque access token.
+ *
+ * Refresh tokens are encrypted blobs (not KV-backed), so per-token refresh
+ * revocation is not supported in this iteration; rotating the underlying
+ * AssetLab API key in Settings is the way to fully terminate a session.
+ *
+ * Per RFC 7009 §2.2 we return 200 for unknown tokens too — clients shouldn't
+ * be able to probe token validity via this endpoint.
+ */
+export async function handleRevoke(request, env) {
+    let params;
+    const ct = request.headers.get('Content-Type') ?? '';
+    try {
+        if (ct.includes('application/json')) {
+            const body = (await request.json());
+            params = new URLSearchParams(body);
+        }
+        else {
+            params = new URLSearchParams(await request.text());
         }
     }
-    console.log('[token] success, returning access_token with refresh_token');
-    return issueTokens(payload.apiKey, payload.scope, secret);
+    catch {
+        return json({ error: 'invalid_request', error_description: 'Malformed body' }, 400);
+    }
+    const token = params.get('token') ?? '';
+    if (!token) {
+        return json({ error: 'invalid_request', error_description: 'Missing token' }, 400);
+    }
+    // Best-effort: only opaque access tokens are revocable here. The 200 is
+    // returned regardless to avoid leaking which tokens exist.
+    if (token.startsWith(ACCESS_TOKEN_PREFIX)) {
+        await deleteAccessToken(env.OAUTH_CLIENTS, token);
+    }
+    return new Response(null, { status: 200 });
+}
+function renderConsentPage(data) {
+    const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8"/>
+  <meta name="viewport" content="width=device-width, initial-scale=1"/>
+  <title>Connect to AssetLab</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com"/>
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin/>
+  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600&family=Lexend:wght@400;500;600&display=swap" rel="stylesheet"/>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{font-family:'Inter',system-ui,sans-serif;background:rgb(3,6,22);color:#fff;
+         min-height:100vh;display:flex;flex-direction:column;align-items:center;
+         justify-content:center;padding:1rem;position:relative;overflow:hidden}
+    .grid-base{position:fixed;inset:0;pointer-events:none;z-index:0;opacity:.04;
+      background-image:linear-gradient(rgba(255,255,255,.4) 1px,transparent 1px),
+                        linear-gradient(90deg,rgba(255,255,255,.4) 1px,transparent 1px);
+      background-size:60px 60px;
+      -webkit-mask-image:radial-gradient(ellipse 60% 60% at 50% 50%,black 0%,transparent 100%);
+      mask-image:radial-gradient(ellipse 60% 60% at 50% 50%,black 0%,transparent 100%)}
+    .grid-glow{position:fixed;inset:0;pointer-events:none;z-index:0;
+      background-image:linear-gradient(rgba(106,208,157,.3) 1px,transparent 1px),
+                        linear-gradient(90deg,rgba(106,208,157,.3) 1px,transparent 1px);
+      background-size:60px 60px;transition:opacity .3s;
+      -webkit-mask-image:radial-gradient(circle 120px at 0px 0px,black 0%,transparent 100%);
+      mask-image:radial-gradient(circle 120px at 0px 0px,black 0%,transparent 100%)}
+    .logo{display:flex;align-items:center;gap:.625rem;margin-bottom:2rem;position:relative;z-index:1}
+    .logo svg{width:48px;height:48px}
+    .logo-text{font-family:'Lexend',sans-serif;font-size:1.5rem;font-weight:500;letter-spacing:-.025em}
+    .logo-text .lab{color:#45c28b}
+    .card{background:transparent;backdrop-filter:blur(4px);border-radius:1rem;
+          border:1px solid rgba(255,255,255,.2);max-width:420px;width:100%;
+          padding:2rem;position:relative;z-index:1}
+    h1{font-family:'Lexend',sans-serif;font-size:1.25rem;font-weight:500;margin-bottom:.25rem;
+       letter-spacing:-.025em}
+    .sub{color:#d1d5db;font-size:.875rem;margin-bottom:1.5rem}
+    .sub strong{color:#fff;font-weight:600}
+    label{display:flex;align-items:center;gap:.5rem;color:#e5e7eb;font-weight:500;
+          font-size:.875rem;margin-bottom:.375rem}
+    label svg{width:16px;height:16px;color:#9ca3af;flex-shrink:0}
+    input[type="password"]{width:100%;padding:.625rem .75rem;background:transparent;
+          border:1px solid rgba(255,255,255,.2);border-radius:.5rem;font-size:.875rem;
+          font-family:'JetBrains Mono',monospace;color:#fff;outline:none;transition:border-color .15s,box-shadow .15s}
+    input[type="password"]::placeholder{color:#6b7280}
+    input[type="password"]:focus{border-color:rgb(106,208,157);
+          box-shadow:0 0 0 3px rgba(106,208,157,.15)}
+    .help{color:#6b7280;font-size:.75rem;margin-top:.375rem}
+    button{width:100%;margin-top:1.25rem;padding:.625rem;
+           background:rgb(106,208,157);color:rgb(3,6,22);border:none;border-radius:.5rem;
+           font-family:'Inter',sans-serif;font-size:.875rem;font-weight:600;cursor:pointer;
+           transition:background .15s}
+    button:hover{background:rgb(86,188,137)}
+    button:disabled{background:#4b5563;color:#9ca3af;cursor:not-allowed}
+    .footer{text-align:center;margin-top:1rem;font-size:.75rem;color:#6b7280}
+    .footer .host{color:#9ca3af;font-family:'JetBrains Mono',monospace}
+    .glow{position:fixed;width:400px;height:400px;border-radius:50%;
+          background:radial-gradient(circle,rgba(106,208,157,.08),transparent 70%);
+          top:50%;left:50%;transform:translate(-50%,-50%);pointer-events:none;z-index:0}
+  </style>
+</head>
+<body>
+  <div class="grid-base"></div>
+  <div class="grid-glow" id="gridGlow"></div>
+  <div class="glow"></div>
+  <div class="logo">
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 292.3 292.3">
+      <g transform="translate(95.414,86.487)">
+        <circle fill="#45c28b" cx="-74.77" cy="-51.34" r="20"/>
+        <circle fill="#45c28b" cx="-74.53" cy="1.19" r="20"/>
+        <circle fill="#45c28b" cx="-22.24" cy="-28.91" r="20"/>
+        <circle fill="#fbd04e" cx="-74.67" cy="56.37" r="20"/>
+        <circle fill="#fbd04e" cx="-74.58" cy="120.34" r="20"/>
+        <circle fill="#fbd04e" cx="-74.49" cy="172.05" r="20"/>
+        <circle fill="#fbd04e" cx="-23.77" cy="26.56" r="20"/>
+        <circle fill="#fbd04e" cx="22.72" cy="-7.36" r="15"/>
+        <circle fill="#fbd04e" cx="-21.38" cy="89.52" r="17"/>
+        <circle fill="#fbd04e" cx="30.77" cy="51.30" r="20"/>
+        <circle fill="#fbd04e" cx="-21.89" cy="159.66" r="17"/>
+        <circle fill="#fbd04e" cx="22.92" cy="173.41" r="15"/>
+        <circle fill="#fbd04e" cx="35.15" cy="119.00" r="20"/>
+        <circle fill="#fbd04e" cx="79.51" cy="79.64" r="15"/>
+        <circle fill="#f78265" cx="72.59" cy="161.68" r="20"/>
+        <circle fill="#f78265" cx="110.66" cy="131.00" r="12"/>
+        <circle fill="#f78265" cx="121.37" cy="86.82" r="12"/>
+        <circle fill="#f78265" cx="155.50" cy="110.89" r="15"/>
+        <circle fill="#f78265" cx="136.27" cy="172.43" r="15"/>
+        <circle fill="#f78265" cx="182.53" cy="154.52" r="15"/>
+      </g>
+    </svg>
+    <span class="logo-text">Asset<span class="lab">Lab</span></span>
+  </div>
+  <div class="card">
+    <h1>Connect to AssetLab</h1>
+    <p class="sub"><strong>${escapeHtml(data.clientName)}</strong> wants to access your AssetLab workspace via MCP.</p>
+    <form method="POST" action="/authorize" id="form">
+      <input type="hidden" name="state" value="${escapeHtml(data.state)}"/>
+      <input type="hidden" name="redirect_uri" value="${escapeHtml(data.redirectUri)}"/>
+      <input type="hidden" name="code_challenge" value="${escapeHtml(data.codeChallenge)}"/>
+      <input type="hidden" name="client_id" value="${escapeHtml(data.clientId)}"/>
+      <input type="hidden" name="scope" value="${escapeHtml(data.scope)}"/>
+      <label for="api_key">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="m21 2-2 2m-7.61 7.61a5.5 5.5 0 1 1-7.778 7.778 5.5 5.5 0 0 1 7.777-7.777zm0 0L15.5 7.5m0 0 3 3L22 7l-3-3m-3.5 3.5L19 4"/></svg>
+        API Key
+      </label>
+      <input type="password" id="api_key" name="api_key" placeholder="al_live_..." required
+             pattern="al_(live|test)_.+" title="Must start with al_live_ or al_test_"/>
+      <p class="help">Find this in AssetLab → Settings → API Keys</p>
+      <button type="submit" id="btn">Authorize</button>
+    </form>
+    <p class="footer">After authorizing you'll be redirected to <span class="host">${escapeHtml(data.redirectHost)}</span>.</p>
+  </div>
+  <script>
+    document.getElementById('form').addEventListener('submit',()=>{
+      document.getElementById('btn').disabled=true;
+      document.getElementById('btn').textContent='Connecting\u2026';
+    });
+    (function(){
+      var g=document.getElementById('gridGlow');
+      document.addEventListener('mousemove',function(e){
+        var m='radial-gradient(circle 120px at '+e.clientX+'px '+e.clientY+'px,black 0%,transparent 100%)';
+        g.style.webkitMaskImage=m;g.style.maskImage=m;
+      });
+    })();
+  </script>
+</body>
+</html>`;
+    return new Response(html, {
+        status: 200,
+        headers: {
+            'Content-Type': 'text/html; charset=utf-8',
+            'X-Frame-Options': 'DENY',
+            'Content-Security-Policy': "frame-ancestors 'none'",
+        },
+    });
+}
+function errorPage(message, status = 400) {
+    const html = `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width, initial-scale=1"/>
+<title>Authorization error</title>
+<style>body{font-family:system-ui,-apple-system,sans-serif;background:rgb(3,6,22);color:#fff;
+display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;
+padding:1rem;text-align:center}.card{border:1px solid rgba(255,255,255,.2);border-radius:1rem;
+padding:2rem;max-width:480px}h1{font-size:1.25rem;margin-bottom:.5rem;color:#f78265;font-weight:500}
+p{color:#d1d5db;font-size:.875rem;line-height:1.5}</style></head>
+<body><div class="card"><h1>Authorization failed</h1><p>${escapeHtml(message)}</p></div></body></html>`;
+    return new Response(html, {
+        status,
+        headers: {
+            'Content-Type': 'text/html; charset=utf-8',
+            'X-Frame-Options': 'DENY',
+            'Content-Security-Policy': "frame-ancestors 'none'",
+        },
+    });
 }
 // ── Utility ─────────────────────────────────────────────────────────────────
 function escapeHtml(s) {
-    return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+    return s
+        .replace(/&/g, '&amp;')
+        .replace(/"/g, '&quot;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
 }
 //# sourceMappingURL=oauth.js.map