@dataflint/mcp-server 1.0.14 → 1.0.17

package/dist/auth/auth-strategy-factory.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Authentication Strategy Factory
+ *
+ * Creates the appropriate authentication strategy based on configuration and environment.
+ *
+ * Strategy Priority (for MCP standalone server):
+ * 1. Service Account - M2M_SA_TOKEN_PATH env var → read JWT from file
+ * 2. Auth0 M2M - Secrets available → client credentials grant
+ * 3. Auth0 User - Interactive OAuth2/PKCE flow (fallback, returned as null)
+ *
+ * Note: VS Code Extension only uses Auth0 User flow directly (no factory needed).
+ */
+import { IAuthStrategy, AuthStrategyType, IAuthConfigProvider, IAuthLogger } from "./types";
+/**
+ * Result from strategy creation
+ */
+export interface StrategyResult {
+    /**
+     * The created strategy, or null if fallback to interactive OAuth is needed
+     */
+    strategy: IAuthStrategy | null;
+    /**
+     * The type of strategy created (or 'auth0_user' if null strategy)
+     */
+    strategyType: AuthStrategyType;
+}
+/**
+ * Factory for creating authentication strategies
+ *
+ * This factory determines the best authentication strategy based on:
+ * 1. Environment configuration (M2M_SA_TOKEN_PATH)
+ * 2. Available secrets (AWS Secrets Manager or local file)
+ * 3. Falls back to interactive OAuth if no M2M strategy is available
+ *
+ * @example
+ * ```typescript
+ * const factory = new AuthStrategyFactory(configService, logger);
+ * const { strategy, strategyType } = await factory.createStrategy();
+ *
+ * if (strategy) {
+ *   // Use M2M strategy (ServiceAccount or Auth0 M2M)
+ *   await strategy.initialize();
+ *   const token = await strategy.getToken();
+ * } else {
+ *   // Fall back to interactive Auth0 OAuth flow
+ *   const auth0Service = new Auth0Service(...);
+ *   await auth0Service.authenticate();
+ * }
+ * ```
+ */
+export declare class AuthStrategyFactory {
+    private configProvider;
+    private logger;
+    constructor(configProvider: IAuthConfigProvider, logger?: IAuthLogger);
+    createStrategy(): Promise<StrategyResult>;
+    private buildServiceAccountStrategy;
+    private buildAuth0M2MStrategy;
+    isM2MAvailable(): Promise<boolean>;
+}
+//# sourceMappingURL=auth-strategy-factory.d.ts.map

package/dist/auth/auth-strategy-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-strategy-factory.d.ts","sourceRoot":"","sources":["../../src/auth/auth-strategy-factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EACH,aAAa,EACb,gBAAgB,EAChB,mBAAmB,EACnB,WAAW,EAGd,MAAM,SAAS,CAAC;AAKjB;;GAEG;AACH,MAAM,WAAW,cAAc;IAC3B;;OAEG;IACH,QAAQ,EAAE,aAAa,GAAG,IAAI,CAAC;IAE/B;;OAEG;IACH,YAAY,EAAE,gBAAgB,CAAC;CAClC;AAYD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,mBAAmB;IAC5B,OAAO,CAAC,cAAc,CAAsB;IAC5C,OAAO,CAAC,MAAM,CAAc;gBAEhB,cAAc,EAAE,mBAAmB,EAAE,MAAM,CAAC,EAAE,WAAW;IAK/D,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC;IAiB/C,OAAO,CAAC,2BAA2B;YAcrB,qBAAqB;IAqC7B,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;CAc3C"}

package/dist/auth/auth-strategy-factory.js

@@ -0,0 +1,113 @@
+"use strict";
+/**
+ * Authentication Strategy Factory
+ *
+ * Creates the appropriate authentication strategy based on configuration and environment.
+ *
+ * Strategy Priority (for MCP standalone server):
+ * 1. Service Account - M2M_SA_TOKEN_PATH env var → read JWT from file
+ * 2. Auth0 M2M - Secrets available → client credentials grant
+ * 3. Auth0 User - Interactive OAuth2/PKCE flow (fallback, returned as null)
+ *
+ * Note: VS Code Extension only uses Auth0 User flow directly (no factory needed).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthStrategyFactory = void 0;
+const types_1 = require("./types");
+const service_account_service_1 = require("./service-account-service");
+const auth0_m2m_service_1 = require("./auth0-m2m-service");
+const secrets_1 = require("./secrets");
+/**
+ * Default no-op logger
+ */
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * Factory for creating authentication strategies
+ *
+ * This factory determines the best authentication strategy based on:
+ * 1. Environment configuration (M2M_SA_TOKEN_PATH)
+ * 2. Available secrets (AWS Secrets Manager or local file)
+ * 3. Falls back to interactive OAuth if no M2M strategy is available
+ *
+ * @example
+ * ```typescript
+ * const factory = new AuthStrategyFactory(configService, logger);
+ * const { strategy, strategyType } = await factory.createStrategy();
+ *
+ * if (strategy) {
+ *   // Use M2M strategy (ServiceAccount or Auth0 M2M)
+ *   await strategy.initialize();
+ *   const token = await strategy.getToken();
+ * } else {
+ *   // Fall back to interactive Auth0 OAuth flow
+ *   const auth0Service = new Auth0Service(...);
+ *   await auth0Service.authenticate();
+ * }
+ * ```
+ */
+class AuthStrategyFactory {
+    configProvider;
+    logger;
+    constructor(configProvider, logger) {
+        this.configProvider = configProvider;
+        this.logger = logger || noopLogger;
+    }
+    async createStrategy() {
+        const m2mMode = this.configProvider.getM2MMode();
+        switch (m2mMode.type) {
+            case types_1.M2MType.SERVICE_ACCOUNT:
+                return this.buildServiceAccountStrategy(m2mMode);
+            case types_1.M2MType.AUTH0_M2M:
+                return await this.buildAuth0M2MStrategy(m2mMode);
+            default:
+                this.logger.info("Using interactive OAuth flow");
+                return {
+                    strategy: null,
+                    strategyType: types_1.AuthStrategyType.AUTH0_USER,
+                };
+        }
+    }
+    buildServiceAccountStrategy(mode) {
+        this.logger.info(`Service Account mode: ${mode.tokenPath}`);
+        return {
+            strategy: new service_account_service_1.ServiceAccountService(mode.tokenPath, mode.tenantId, this.logger),
+            strategyType: types_1.AuthStrategyType.SERVICE_ACCOUNT,
+        };
+    }
+    async buildAuth0M2MStrategy(mode) {
+        const secretsProvider = new secrets_1.SecretsProvider(this.configProvider.getEnvironment(), this.logger);
+        if (!(await secretsProvider.isAvailable())) {
+            throw new Error(`Auth0 M2M mode requires a secrets provider. ` +
+                `M2M_AUTH0_SECRET_NAME is set to "${mode.secretName}" but no secrets provider is available. ` +
+                `Ensure AWS credentials are configured or use Service Account mode instead.`);
+        }
+        const credentials = await secretsProvider.loadAuth0M2MCredentials(mode.secretName);
+        if (!credentials) {
+            throw new Error(`Auth0 M2M credentials not found: "${mode.secretName}". ` +
+                `Ensure the secret exists and contains valid Auth0 M2M credentials.`);
+        }
+        this.logger.info(`Auth0 M2M mode: ${mode.secretName}`);
+        return {
+            strategy: new auth0_m2m_service_1.Auth0M2MService(credentials, mode.tenantId, this.logger),
+            strategyType: types_1.AuthStrategyType.AUTH0_M2M,
+        };
+    }
+    async isM2MAvailable() {
+        const mode = this.configProvider.getM2MMode();
+        if (mode.type === types_1.M2MType.SERVICE_ACCOUNT) {
+            return true;
+        }
+        if (mode.type === types_1.M2MType.AUTH0_M2M) {
+            const secretsProvider = new secrets_1.SecretsProvider(this.configProvider.getEnvironment(), this.logger);
+            return secretsProvider.isAvailable();
+        }
+        return false;
+    }
+}
+exports.AuthStrategyFactory = AuthStrategyFactory;
+//# sourceMappingURL=auth-strategy-factory.js.map

package/dist/auth/auth-strategy-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-strategy-factory.js","sourceRoot":"","sources":["../../src/auth/auth-strategy-factory.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAEH,mCAOiB;AACjB,uEAAkE;AAClE,2DAAsD;AACtD,uCAA4C;AAiB5C;;GAEG;AACH,MAAM,UAAU,GAAgB;IAC5B,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAClB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAa,mBAAmB;IACpB,cAAc,CAAsB;IACpC,MAAM,CAAc;IAE5B,YAAY,cAAmC,EAAE,MAAoB;QACjE,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,UAAU,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,cAAc;QAChB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,CAAC;QAEjD,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,eAAO,CAAC,eAAe;gBACxB,OAAO,IAAI,CAAC,2BAA2B,CAAC,OAAO,CAAC,CAAC;YACrD,KAAK,eAAO,CAAC,SAAS;gBAClB,OAAO,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;YACrD;gBACI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;gBACjD,OAAO;oBACH,QAAQ,EAAE,IAAI;oBACd,YAAY,EAAE,wBAAgB,CAAC,UAAU;iBAC5C,CAAC;QACV,CAAC;IACL,CAAC;IAEO,2BAA2B,CAC/B,IAAyD;QAEzD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5D,OAAO;YACH,QAAQ,EAAE,IAAI,+CAAqB,CAC/B,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,MAAM,CACd;YACD,YAAY,EAAE,wBAAgB,CAAC,eAAe;SACjD,CAAC;IACN,CAAC;IAEO,KAAK,CAAC,qBAAqB,CAC/B,IAAmD;QAEnD,MAAM,eAAe,GAAG,IAAI,yBAAe,CACvC,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,EACpC,IAAI,CAAC,MAAM,CACd,CAAC;QAEF,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACX,8CAA8C;gBAC1C,oCAAoC,IAAI,CAAC,UAAU,0CAA0C;gBAC7F,4EAA4E,CACnF,CAAC;QACN,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,uBAAuB,CAC7D,IAAI,CAAC,UAAU,CAClB,CAAC;QACF,IAAI,CAAC,WAAW,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,qCAAqC,IAAI,CAAC,UAAU,KAAK;gBACrD,oEAAoE,CAC3E,CAAC;QACN,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACvD,OAAO;YACH,QAAQ,EAAE,IAAI,mCAAe,CACzB,WAAW,EACX,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,MAAM,CACd;YACD,YAAY,EAAE,wBAAgB,CAAC,SAAS;SAC3C,CAAC;IACN,CAAC;IAED,KAAK,CAAC,cAAc;QAChB,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,CAAC;QAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,eAAO,CAAC,eAAe,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,KAAK,eAAO,CAAC,SAAS,EAAE,CAAC;YAClC,MAAM,eAAe,GAAG,IAAI,yBAAe,CACvC,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,EACpC,IAAI,CAAC,MAAM,CACd,CAAC;YACF,OAAO,eAAe,CAAC,WAAW,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;CACJ;AA3FD,kDA2FC"}

package/dist/auth/auth0-m2m-service.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Auth0 Machine-to-Machine (M2M) Authentication Service
+ *
+ * Provides authentication using Auth0's client credentials grant.
+ * This is used for server-to-server communication where no user interaction is needed.
+ *
+ * The service automatically caches tokens and refreshes them before expiration.
+ */
+import { IAuthStrategy, AuthStrategyType, AuthUserInfo, Auth0M2MCredentials, IAuthLogger } from "./types";
+/**
+ * Auth0 M2M authentication strategy using client credentials grant
+ *
+ * @example
+ * ```typescript
+ * const credentials: Auth0M2MCredentials = {
+ *   client_id: 'my-client-id',
+ *   client_secret: 'my-client-secret',
+ *   domain: 'https://my-tenant.auth0.com',
+ *   audience: 'https://api.example.com',
+ * };
+ *
+ * const service = new Auth0M2MService(credentials, 'tenant-123', logger);
+ * await service.initialize();
+ * const token = await service.getToken();
+ * ```
+ */
+export declare class Auth0M2MService implements IAuthStrategy {
+    private credentials;
+    private tenantId;
+    private tokenCache;
+    private logger;
+    private initialized;
+    /**
+     * Token expiry buffer in milliseconds (5 minutes)
+     * Tokens will be refreshed this long before actual expiration
+     */
+    private static readonly EXPIRY_BUFFER_MS;
+    constructor(credentials: Auth0M2MCredentials, tenantId?: string, logger?: IAuthLogger);
+    /**
+     * Get the strategy type identifier
+     */
+    getType(): AuthStrategyType;
+    /**
+     * Initialize the M2M service
+     * Validates credentials format and performs initial token fetch
+     */
+    initialize(): Promise<void>;
+    /**
+     * Get a valid access token, fetching a new one if cache is expired
+     */
+    getToken(): Promise<string>;
+    /**
+     * Force refresh the token by clearing cache and fetching a new one
+     */
+    refreshToken(): Promise<void>;
+    /**
+     * Check if currently authenticated (credentials are valid)
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Get user information for the M2M client
+     * Returns synthetic user info since M2M clients don't have traditional user profiles
+     */
+    getUserInfo(): Promise<AuthUserInfo>;
+    /**
+     * Get the tenant ID associated with this M2M client
+     */
+    getTenantId(): string | undefined;
+    /**
+     * Fetch a new token from Auth0 using client credentials grant
+     */
+    private fetchNewToken;
+}
+//# sourceMappingURL=auth0-m2m-service.d.ts.map

package/dist/auth/auth0-m2m-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0-m2m-service.d.ts","sourceRoot":"","sources":["../../src/auth/auth0-m2m-service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACH,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,mBAAmB,EACnB,WAAW,EACd,MAAM,SAAS,CAAC;AA2BjB;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,eAAgB,YAAW,aAAa;IACjD,OAAO,CAAC,WAAW,CAAsB;IACzC,OAAO,CAAC,QAAQ,CAAqB;IACrC,OAAO,CAAC,UAAU,CAAgC;IAClD,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,WAAW,CAAS;IAE5B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAiB;gBAGrD,WAAW,EAAE,mBAAmB,EAChC,QAAQ,CAAC,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,WAAW;IAaxB;;OAEG;IACH,OAAO,IAAI,gBAAgB;IAI3B;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA4BjC;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAoBjC;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAOnC;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IASzC;;;OAGG;IACG,WAAW,IAAI,OAAO,CAAC,YAAY,CAAC;IAS1C;;OAEG;IACH,WAAW,IAAI,MAAM,GAAG,SAAS;IAIjC;;OAEG;YACW,aAAa;CAgE9B"}

package/dist/auth/auth0-m2m-service.js

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * Auth0 Machine-to-Machine (M2M) Authentication Service
+ *
+ * Provides authentication using Auth0's client credentials grant.
+ * This is used for server-to-server communication where no user interaction is needed.
+ *
+ * The service automatically caches tokens and refreshes them before expiration.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Auth0M2MService = void 0;
+const types_1 = require("./types");
+/**
+ * Default no-op logger for when no logger is provided
+ */
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * Auth0 M2M authentication strategy using client credentials grant
+ *
+ * @example
+ * ```typescript
+ * const credentials: Auth0M2MCredentials = {
+ *   client_id: 'my-client-id',
+ *   client_secret: 'my-client-secret',
+ *   domain: 'https://my-tenant.auth0.com',
+ *   audience: 'https://api.example.com',
+ * };
+ *
+ * const service = new Auth0M2MService(credentials, 'tenant-123', logger);
+ * await service.initialize();
+ * const token = await service.getToken();
+ * ```
+ */
+class Auth0M2MService {
+    credentials;
+    tenantId;
+    tokenCache = null;
+    logger;
+    initialized = false;
+    /**
+     * Token expiry buffer in milliseconds (5 minutes)
+     * Tokens will be refreshed this long before actual expiration
+     */
+    static EXPIRY_BUFFER_MS = 5 * 60 * 1000;
+    constructor(credentials, tenantId, logger) {
+        this.credentials = credentials;
+        this.tenantId = tenantId;
+        this.logger = logger || noopLogger;
+        // Security: only log partial client_id
+        const clientIdPrefix = credentials.client_id.substring(0, 8);
+        this.logger.info(`Auth0M2MService created for client: ${clientIdPrefix}...`);
+    }
+    /**
+     * Get the strategy type identifier
+     */
+    getType() {
+        return types_1.AuthStrategyType.AUTH0_M2M;
+    }
+    /**
+     * Initialize the M2M service
+     * Validates credentials format and performs initial token fetch
+     */
+    async initialize() {
+        if (this.initialized) {
+            this.logger.debug("Auth0M2MService already initialized");
+            return;
+        }
+        this.logger.info("Initializing Auth0M2MService...");
+        // Validate credentials
+        if (!this.credentials.client_id || !this.credentials.client_secret) {
+            throw new Error("M2M credentials missing client_id or client_secret");
+        }
+        if (!this.credentials.domain) {
+            throw new Error("M2M credentials missing domain");
+        }
+        if (!this.credentials.audience) {
+            throw new Error("M2M credentials missing audience");
+        }
+        // Perform initial token fetch to validate credentials
+        await this.fetchNewToken();
+        this.initialized = true;
+        this.logger.info("Auth0M2MService initialized successfully");
+    }
+    /**
+     * Get a valid access token, fetching a new one if cache is expired
+     */
+    async getToken() {
+        const now = Date.now();
+        // Check if we have a valid cached token (with buffer)
+        if (this.tokenCache &&
+            now < this.tokenCache.expiresAt - Auth0M2MService.EXPIRY_BUFFER_MS) {
+            this.logger.debug("Using cached M2M token");
+            return this.tokenCache.accessToken;
+        }
+        this.logger.info("M2M token expired or not cached, fetching new token...");
+        await this.fetchNewToken();
+        return this.tokenCache.accessToken;
+    }
+    /**
+     * Force refresh the token by clearing cache and fetching a new one
+     */
+    async refreshToken() {
+        this.logger.info("Force refreshing M2M token...");
+        this.tokenCache = null;
+        await this.fetchNewToken();
+        this.logger.info("M2M token refreshed");
+    }
+    /**
+     * Check if currently authenticated (credentials are valid)
+     */
+    async isAuthenticated() {
+        try {
+            await this.getToken();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Get user information for the M2M client
+     * Returns synthetic user info since M2M clients don't have traditional user profiles
+     */
+    async getUserInfo() {
+        const clientIdPrefix = this.credentials.client_id.substring(0, 8);
+        return {
+            sub: `m2m-client-${clientIdPrefix}`,
+            name: "M2M Client",
+            ...(this.tenantId && { tenant_id: this.tenantId }),
+        };
+    }
+    /**
+     * Get the tenant ID associated with this M2M client
+     */
+    getTenantId() {
+        return this.tenantId;
+    }
+    /**
+     * Fetch a new token from Auth0 using client credentials grant
+     */
+    async fetchNewToken() {
+        const domain = this.credentials.domain.startsWith("http")
+            ? this.credentials.domain
+            : `https://${this.credentials.domain}`;
+        const tokenUrl = `${domain.replace(/\/$/, "")}/oauth/token`;
+        this.logger.debug(`Fetching M2M token from: ${tokenUrl}`);
+        const requestBody = {
+            grant_type: "client_credentials",
+            client_id: this.credentials.client_id,
+            client_secret: this.credentials.client_secret,
+            audience: this.credentials.audience,
+        };
+        try {
+            const response = await fetch(tokenUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify(requestBody),
+            });
+            if (!response.ok) {
+                this.logger.error(`M2M token request failed: ${response.status}`);
+                throw new Error(`Auth0 M2M token request failed with status ${response.status}`);
+            }
+            const tokenResponse = (await response.json());
+            if (!tokenResponse.access_token) {
+                throw new Error("Auth0 response missing access_token");
+            }
+            const expiresIn = tokenResponse.expires_in || 3600; // Default to 1 hour
+            const expiresAt = Date.now() + expiresIn * 1000;
+            this.tokenCache = {
+                accessToken: tokenResponse.access_token,
+                expiresAt,
+            };
+            const expiresInMinutes = Math.floor(expiresIn / 60);
+            this.logger.info(`M2M token obtained${this.tenantId ? ` for tenant ${this.tenantId}` : ""}: expires in ${expiresInMinutes} minutes`);
+        }
+        catch (error) {
+            // Clear cache on error
+            this.tokenCache = null;
+            if (error instanceof Error) {
+                this.logger.error("Failed to fetch M2M token", error);
+                throw error;
+            }
+            throw new Error(`Failed to fetch M2M token: ${error}`);
+        }
+    }
+}
+exports.Auth0M2MService = Auth0M2MService;
+//# sourceMappingURL=auth0-m2m-service.js.map

package/dist/auth/auth0-m2m-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0-m2m-service.js","sourceRoot":"","sources":["../../src/auth/auth0-m2m-service.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,mCAMiB;AAOjB;;GAEG;AACH,MAAM,UAAU,GAAgB;IAC5B,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAClB,CAAC;AAYF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,eAAe;IAChB,WAAW,CAAsB;IACjC,QAAQ,CAAqB;IAC7B,UAAU,GAA2B,IAAI,CAAC;IAC1C,MAAM,CAAc;IACpB,WAAW,GAAG,KAAK,CAAC;IAE5B;;;OAGG;IACK,MAAM,CAAU,gBAAgB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzD,YACI,WAAgC,EAChC,QAAiB,EACjB,MAAoB;QAEpB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,UAAU,CAAC;QAEnC,uCAAuC;QACvC,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,uCAAuC,cAAc,KAAK,CAC7D,CAAC;IACN,CAAC;IAED;;OAEG;IACH,OAAO;QACH,OAAO,wBAAgB,CAAC,SAAS,CAAC;IACtC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU;QACZ,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;YACzD,OAAO;QACX,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QAEpD,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;YACjE,MAAM,IAAI,KAAK,CACX,oDAAoD,CACvD,CAAC;QACN,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACxD,CAAC;QAED,sDAAsD;QACtD,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAE3B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACV,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,sDAAsD;QACtD,IACI,IAAI,CAAC,UAAU;YACf,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,gBAAgB,EACpE,CAAC;YACC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QACvC,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,wDAAwD,CAC3D,CAAC;QACF,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAE3B,OAAO,IAAI,CAAC,UAAW,CAAC,WAAW,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QACd,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe;QACjB,IAAI,CAAC;YACD,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACb,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAClE,OAAO;YACH,GAAG,EAAE,cAAc,cAAc,EAAE;YACnC,IAAI,EAAE,YAAY;YAClB,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;SACrD,CAAC;IACN,CAAC;IAED;;OAEG;IACH,WAAW;QACP,OAAO,IAAI,CAAC,QAAQ,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;YACrD,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM;YACzB,CAAC,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;QAE3C,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QAE5D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QAE1D,MAAM,WAAW,GAAG;YAChB,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;YACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;YAC7C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;SACtC,CAAC;QAEF,IAAI,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBACnC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;iBACrC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;aACpC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CACjD,CAAC;gBACF,MAAM,IAAI,KAAK,CACX,8CAA8C,QAAQ,CAAC,MAAM,EAAE,CAClE,CAAC;YACN,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAuB,CAAC;YAEpE,IAAI,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,SAAS,GAAG,aAAa,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,oBAAoB;YACxE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;YAEhD,IAAI,CAAC,UAAU,GAAG;gBACd,WAAW,EAAE,aAAa,CAAC,YAAY;gBACvC,SAAS;aACZ,CAAC;YAEF,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;YACpD,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,qBAAqB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,gBAAgB,gBAAgB,UAAU,CACrH,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,uBAAuB;YACvB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;YAEvB,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;gBACtD,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,MAAM,IAAI,KAAK,CAAC,8BAA8B,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC;IACL,CAAC;;AAvML,0CAwMC"}

package/dist/auth/auth0-service.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Auth0 OAuth2/PKCE Authentication Service
+ *
+ * Provides interactive browser-based authentication using Auth0 with PKCE flow.
+ * This is the primary authentication method for user-facing applications.
+ */
+import { AuthResult, OpenUrlHandler, ConfigProvider, IAuthLogger } from "./types";
+/**
+ * Auth0 service for interactive OAuth2/PKCE authentication
+ *
+ * @example
+ * ```typescript
+ * const auth0Service = new Auth0Service(
+ *   async (url) => { await open(url); },
+ *   () => configService.getAuthConfig(),
+ *   logger
+ * );
+ *
+ * await auth0Service.initialize();
+ * const result = await auth0Service.authenticate();
+ * console.log('Access Token:', result.accessToken);
+ * ```
+ */
+export declare class Auth0Service {
+    private config;
+    private redirectUri;
+    private callbackPort;
+    private client;
+    private issuer;
+    private initialized;
+    private openUrlHandler;
+    private logger;
+    constructor(openUrlHandler: OpenUrlHandler, configProvider: ConfigProvider, logger?: IAuthLogger, callbackPort?: number);
+    /**
+     * Initialize the Auth0 client by discovering the issuer metadata
+     */
+    initialize(): Promise<void>;
+    /**
+     * Start the authentication flow
+     */
+    authenticate(): Promise<AuthResult>;
+    /**
+     * Get user information using the access token
+     */
+    getUserInfo(accessToken: string): Promise<unknown>;
+    /**
+     * Refresh the access token using refresh token
+     */
+    refreshToken(refreshToken: string): Promise<AuthResult>;
+    /**
+     * Process token set and return structured result
+     */
+    private processTokenSet;
+    /**
+     * Check if a token is expired
+     */
+    isTokenExpired(authResult: AuthResult): boolean;
+    /**
+     * Logout (revoke tokens if supported)
+     */
+    logout(accessToken: string): Promise<void>;
+}
+export type { AuthResult };
+//# sourceMappingURL=auth0-service.d.ts.map

package/dist/auth/auth0-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0-service.d.ts","sourceRoot":"","sources":["../../src/auth/auth0-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,EAEH,UAAU,EACV,cAAc,EACd,cAAc,EACd,WAAW,EACd,MAAM,SAAS,CAAC;AAkBjB;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,MAAM,CAAc;gBAGxB,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,cAAc,EAC9B,MAAM,CAAC,EAAE,WAAW,EACpB,YAAY,GAAE,MAAc;IAehC;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA6DjC;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;IAkHzC;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAoBxD;;OAEG;IACG,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAmB7D;;OAEG;IACH,OAAO,CAAC,eAAe;IA+BvB;;OAEG;IACH,cAAc,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO;IA2B/C;;OAEG;IACG,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAanD;AAGD,YAAY,EAAE,UAAU,EAAE,CAAC"}