@dataflint/mcp-server 1.0.14 → 1.0.17

package/dist/auth/service-account-service.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Service Account Authentication Service
+ *
+ * Provides authentication using a pre-generated JWT token read from a file.
+ * This is typically used for M2M (machine-to-machine) scenarios where a service
+ * account token is mounted as a file (e.g., in Kubernetes).
+ *
+ * The token is expected to be a valid JWT with an 'exp' claim.
+ */
+import { IAuthStrategy, AuthStrategyType, AuthUserInfo, IAuthLogger } from "./types";
+/**
+ * Service Account authentication strategy
+ *
+ * Reads a JWT token from a file path and manages token caching and expiration.
+ *
+ * @example
+ * ```typescript
+ * const service = new ServiceAccountService(
+ *   '/var/run/secrets/dataflint/token',
+ *   'tenant-123',
+ *   logger
+ * );
+ *
+ * await service.initialize();
+ * const token = await service.getToken();
+ * ```
+ */
+export declare class ServiceAccountService implements IAuthStrategy {
+    private tokenPath;
+    private tenantId;
+    private tokenCache;
+    private logger;
+    constructor(tokenPath: string, tenantId?: string, logger?: IAuthLogger);
+    /**
+     * Get the strategy type identifier
+     */
+    getType(): AuthStrategyType;
+    /**
+     * Initialize the service account strategy
+     * Validates that the token file exists and is readable
+     */
+    initialize(): Promise<void>;
+    /**
+     * Get a valid access token, reading from file if cache is expired
+     */
+    getToken(): Promise<string>;
+    /**
+     * Force refresh the token by clearing cache and re-reading from file
+     */
+    refreshToken(): Promise<void>;
+    /**
+     * Check if currently authenticated (token file exists and is valid)
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Get user information for the service account
+     * Returns synthetic user info since service accounts don't have traditional user profiles
+     */
+    getUserInfo(): Promise<AuthUserInfo>;
+    /**
+     * Get the tenant ID associated with this service account
+     */
+    getTenantId(): string | undefined;
+    /**
+     * Read the token from the file system
+     */
+    private readTokenFromFile;
+    /**
+     * Validate the token format and cache it with expiration
+     */
+    private validateAndCacheToken;
+    /**
+     * Extract expiration time from JWT payload
+     */
+    private extractExpiration;
+}
+//# sourceMappingURL=service-account-service.d.ts.map

package/dist/auth/service-account-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-account-service.d.ts","sourceRoot":"","sources":["../../src/auth/service-account-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EACH,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACd,MAAM,SAAS,CAAC;AAiBjB;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,qBAAsB,YAAW,aAAa;IACvD,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,QAAQ,CAAqB;IACrC,OAAO,CAAC,UAAU,CAAgC;IAClD,OAAO,CAAC,MAAM,CAAc;gBAEhB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW;IAMtE;;OAEG;IACH,OAAO,IAAI,gBAAgB;IAI3B;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBjC;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAgBjC;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAOnC;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IASzC;;;OAGG;IACG,WAAW,IAAI,OAAO,CAAC,YAAY,CAAC;IAQ1C;;OAEG;IACH,WAAW,IAAI,MAAM,GAAG,SAAS;IAIjC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiC7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAuB5B"}

package/dist/auth/service-account-service.js

@@ -0,0 +1,209 @@
+"use strict";
+/**
+ * Service Account Authentication Service
+ *
+ * Provides authentication using a pre-generated JWT token read from a file.
+ * This is typically used for M2M (machine-to-machine) scenarios where a service
+ * account token is mounted as a file (e.g., in Kubernetes).
+ *
+ * The token is expected to be a valid JWT with an 'exp' claim.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServiceAccountService = void 0;
+const fs = __importStar(require("fs"));
+const types_1 = require("./types");
+/**
+ * Default no-op logger for when no logger is provided
+ */
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * Service Account authentication strategy
+ *
+ * Reads a JWT token from a file path and manages token caching and expiration.
+ *
+ * @example
+ * ```typescript
+ * const service = new ServiceAccountService(
+ *   '/var/run/secrets/dataflint/token',
+ *   'tenant-123',
+ *   logger
+ * );
+ *
+ * await service.initialize();
+ * const token = await service.getToken();
+ * ```
+ */
+class ServiceAccountService {
+    tokenPath;
+    tenantId;
+    tokenCache = null;
+    logger;
+    constructor(tokenPath, tenantId, logger) {
+        this.tokenPath = tokenPath;
+        this.tenantId = tenantId;
+        this.logger = logger || noopLogger;
+    }
+    /**
+     * Get the strategy type identifier
+     */
+    getType() {
+        return types_1.AuthStrategyType.SERVICE_ACCOUNT;
+    }
+    /**
+     * Initialize the service account strategy
+     * Validates that the token file exists and is readable
+     */
+    async initialize() {
+        this.logger.info(`Initializing ServiceAccountService with token path: ${this.tokenPath}`);
+        if (!fs.existsSync(this.tokenPath)) {
+            throw new Error(`Service account token file not found: ${this.tokenPath}`);
+        }
+        // Pre-load and validate the token
+        await this.getToken();
+        this.logger.info("ServiceAccountService initialized successfully");
+    }
+    /**
+     * Get a valid access token, reading from file if cache is expired
+     */
+    async getToken() {
+        const now = Date.now();
+        // Check if we have a valid cached token (with 5-minute buffer)
+        const bufferMs = 5 * 60 * 1000;
+        if (this.tokenCache && now < this.tokenCache.expiresAt - bufferMs) {
+            this.logger.debug("Using cached service account token");
+            return this.tokenCache.token;
+        }
+        const rawToken = this.readTokenFromFile();
+        this.validateAndCacheToken(rawToken);
+        return this.tokenCache.token;
+    }
+    /**
+     * Force refresh the token by clearing cache and re-reading from file
+     */
+    async refreshToken() {
+        this.logger.info("Refreshing service account token...");
+        this.tokenCache = null;
+        await this.getToken();
+        this.logger.info("Service account token refreshed");
+    }
+    /**
+     * Check if currently authenticated (token file exists and is valid)
+     */
+    async isAuthenticated() {
+        try {
+            await this.getToken();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Get user information for the service account
+     * Returns synthetic user info since service accounts don't have traditional user profiles
+     */
+    async getUserInfo() {
+        return {
+            sub: "m2m-service-account",
+            name: "M2M Service Account",
+            ...(this.tenantId && { tenant_id: this.tenantId }),
+        };
+    }
+    /**
+     * Get the tenant ID associated with this service account
+     */
+    getTenantId() {
+        return this.tenantId;
+    }
+    /**
+     * Read the token from the file system
+     */
+    readTokenFromFile() {
+        return fs.readFileSync(this.tokenPath, "utf8");
+    }
+    /**
+     * Validate the token format and cache it with expiration
+     */
+    validateAndCacheToken(rawToken) {
+        const token = rawToken.trim();
+        if (!token) {
+            throw new Error("Service account token is empty");
+        }
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            throw new Error(`Invalid JWT format: expected 3 parts, got ${parts.length}`);
+        }
+        const expiresAt = this.extractExpiration(token);
+        const now = Date.now();
+        const expiresIn = Math.floor((expiresAt - now) / 1000);
+        // Check if token is already expired
+        if (expiresAt <= now) {
+            throw new Error("Service account token is expired");
+        }
+        this.logger.info(`Service account token loaded${this.tenantId ? ` for tenant ${this.tenantId}` : ""}: expires in ${expiresIn}s (${new Date(expiresAt).toISOString()})`);
+        this.tokenCache = {
+            token,
+            expiresAt,
+        };
+    }
+    /**
+     * Extract expiration time from JWT payload
+     */
+    extractExpiration(token) {
+        const parts = token.split(".");
+        try {
+            const payload = parts[1];
+            const decoded = Buffer.from(payload, "base64url").toString("utf8");
+            const parsed = JSON.parse(decoded);
+            if (typeof parsed.exp === "number") {
+                return parsed.exp * 1000;
+            }
+            this.logger.warn("JWT missing 'exp' field, using fallback expiration");
+            return Date.now() + 300000; // 5 minutes fallback
+        }
+        catch (error) {
+            this.logger.warn(`Failed to parse JWT expiration: ${error}, using fallback expiration`);
+            return Date.now() + 300000; // 5 minutes fallback
+        }
+    }
+}
+exports.ServiceAccountService = ServiceAccountService;
+//# sourceMappingURL=service-account-service.js.map

package/dist/auth/service-account-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-account-service.js","sourceRoot":"","sources":["../../src/auth/service-account-service.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,mCAKiB;AAOjB;;GAEG;AACH,MAAM,UAAU,GAAgB;IAC5B,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAClB,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,qBAAqB;IACtB,SAAS,CAAS;IAClB,QAAQ,CAAqB;IAC7B,UAAU,GAA2B,IAAI,CAAC;IAC1C,MAAM,CAAc;IAE5B,YAAY,SAAiB,EAAE,QAAiB,EAAE,MAAoB;QAClE,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,UAAU,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,OAAO;QACH,OAAO,wBAAgB,CAAC,eAAe,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU;QACZ,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,uDAAuD,IAAI,CAAC,SAAS,EAAE,CAC1E,CAAC;QAEF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACX,yCAAyC,IAAI,CAAC,SAAS,EAAE,CAC5D,CAAC;QACN,CAAC;QAED,kCAAkC;QAClC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IACvE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACV,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,+DAA+D;QAC/D,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAC/B,IAAI,IAAI,CAAC,UAAU,IAAI,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,GAAG,QAAQ,EAAE,CAAC;YAChE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QACjC,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC1C,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAErC,OAAO,IAAI,CAAC,UAAW,CAAC,KAAK,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QACd,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe;QACjB,IAAI,CAAC;YACD,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACb,OAAO;YACH,GAAG,EAAE,qBAAqB;YAC1B,IAAI,EAAE,qBAAqB;YAC3B,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;SACrD,CAAC;IACN,CAAC;IAED;;OAEG;IACH,WAAW;QACP,OAAO,IAAI,CAAC,QAAQ,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,iBAAiB;QACrB,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,qBAAqB,CAAC,QAAgB;QAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE9B,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CACX,6CAA6C,KAAK,CAAC,MAAM,EAAE,CAC9D,CAAC;QACN,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAEvD,oCAAoC;QACpC,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,+BAA+B,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,gBAAgB,SAAS,MAAM,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,GAAG,CACxJ,CAAC;QAEF,IAAI,CAAC,UAAU,GAAG;YACd,KAAK;YACL,SAAS;SACZ,CAAC;IACN,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,KAAa;QACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/B,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAEnC,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACjC,OAAO,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;YAC7B,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,oDAAoD,CACvD,CAAC;YACF,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC,qBAAqB;QACrD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,mCAAmC,KAAK,6BAA6B,CACxE,CAAC;YACF,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC,qBAAqB;QACrD,CAAC;IACL,CAAC;CACJ;AAxKD,sDAwKC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,140 @@
+/**
+ * Auth types and interfaces for DataFlint authentication
+ *
+ * This module defines the core interfaces used across all authentication strategies:
+ * - Service Account (M2M token from file)
+ * - Auth0 M2M (client credentials grant)
+ * - Auth0 User (interactive OAuth2/PKCE flow)
+ */
+/**
+ * Basic authentication configuration for Auth0
+ */
+export interface AuthConfig {
+    domain: string;
+    clientId: string;
+    scope: string;
+    audience: string;
+}
+/**
+ * Result from a successful authentication
+ */
+export interface AuthResult {
+    accessToken: string;
+    idToken?: string;
+    refreshToken?: string;
+    expiresAt?: Date;
+    userInfo?: unknown;
+}
+/**
+ * Credentials required for Auth0 M2M (client credentials) authentication
+ */
+export interface Auth0M2MCredentials {
+    client_id: string;
+    client_secret: string;
+    audience: string;
+    domain: string;
+}
+/**
+ * Authentication strategy types
+ */
+export declare enum AuthStrategyType {
+    SERVICE_ACCOUNT = "service_account",
+    AUTH0_M2M = "auth0_m2m",
+    AUTH0_USER = "auth0_user"
+}
+/**
+ * M2M authentication mode types
+ */
+export declare enum M2MType {
+    NONE = "none",
+    SERVICE_ACCOUNT = "service_account",
+    AUTH0_M2M = "auth0_m2m"
+}
+/**
+ * M2M authentication mode - single source of truth for M2M detection
+ */
+export type M2MMode = {
+    type: M2MType.NONE;
+} | {
+    type: M2MType.SERVICE_ACCOUNT;
+    tokenPath: string;
+    tenantId?: string;
+} | {
+    type: M2MType.AUTH0_M2M;
+    secretName: string;
+    tenantId?: string;
+};
+/**
+ * User information returned from authentication
+ */
+export interface AuthUserInfo {
+    sub: string;
+    name: string;
+    tenant_id?: string;
+}
+/**
+ * Common interface for all authentication strategies
+ *
+ * Implementations:
+ * - ServiceAccountService: Reads JWT from file path
+ * - Auth0M2MService: Uses client credentials grant
+ * - Auth0Service: Uses interactive OAuth2/PKCE flow
+ */
+export interface IAuthStrategy {
+    /**
+     * Get the type of this authentication strategy
+     */
+    getType(): AuthStrategyType;
+    /**
+     * Initialize the authentication strategy (e.g., discover issuer, validate credentials)
+     */
+    initialize(): Promise<void>;
+    /**
+     * Get a valid access token, refreshing if necessary
+     */
+    getToken(): Promise<string>;
+    /**
+     * Force refresh the token
+     */
+    refreshToken(): Promise<void>;
+    /**
+     * Check if currently authenticated with a valid token
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Get user information for the current authentication
+     */
+    getUserInfo(): Promise<AuthUserInfo>;
+    /**
+     * Get the tenant ID associated with this authentication (if any)
+     */
+    getTenantId(): string | undefined;
+}
+/**
+ * Configuration provider interface for authentication
+ */
+export interface IAuthConfigProvider {
+    getAuthConfig(): AuthConfig;
+    getM2MMode(): M2MMode;
+    getTenantId(): string | undefined;
+    getEnvironment(): string;
+    getServerUrl(): string;
+}
+/**
+ * Logger interface for authentication services
+ */
+export interface IAuthLogger {
+    info(message: string): void;
+    warn(message: string): void;
+    error(message: string, error?: unknown): void;
+    debug(message: string): void;
+}
+/**
+ * Handler for opening URLs (used for OAuth2 browser-based flow)
+ */
+export type OpenUrlHandler = (url: string) => Promise<void>;
+/**
+ * Provider function for AuthConfig
+ */
+export type ConfigProvider = () => AuthConfig;
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;GAEG;AACH,MAAM,WAAW,UAAU;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,oBAAY,gBAAgB;IACxB,eAAe,oBAAoB;IACnC,SAAS,cAAc;IACvB,UAAU,eAAe;CAC5B;AAED;;GAEG;AACH,oBAAY,OAAO;IACf,IAAI,SAAS;IACb,eAAe,oBAAoB;IACnC,SAAS,cAAc;CAC1B;AAED;;GAEG;AACH,MAAM,MAAM,OAAO,GACb;IAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAA;CAAE,GACtB;IAAE,IAAI,EAAE,OAAO,CAAC,eAAe,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GACvE;IAAE,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzE;;GAEG;AACH,MAAM,WAAW,YAAY;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,aAAa;IAC1B;;OAEG;IACH,OAAO,IAAI,gBAAgB,CAAC;IAE5B;;OAEG;IACH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5B;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAE5B;;OAEG;IACH,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9B;;OAEG;IACH,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpC;;OAEG;IACH,WAAW,IAAI,OAAO,CAAC,YAAY,CAAC,CAAC;IAErC;;OAEG;IACH,WAAW,IAAI,MAAM,GAAG,SAAS,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,aAAa,IAAI,UAAU,CAAC;IAC5B,UAAU,IAAI,OAAO,CAAC;IACtB,WAAW,IAAI,MAAM,GAAG,SAAS,CAAC;IAClC,cAAc,IAAI,MAAM,CAAC;IACzB,YAAY,IAAI,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9C,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC"}

package/dist/auth/types.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * Auth types and interfaces for DataFlint authentication
+ *
+ * This module defines the core interfaces used across all authentication strategies:
+ * - Service Account (M2M token from file)
+ * - Auth0 M2M (client credentials grant)
+ * - Auth0 User (interactive OAuth2/PKCE flow)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.M2MType = exports.AuthStrategyType = void 0;
+/**
+ * Authentication strategy types
+ */
+var AuthStrategyType;
+(function (AuthStrategyType) {
+    AuthStrategyType["SERVICE_ACCOUNT"] = "service_account";
+    AuthStrategyType["AUTH0_M2M"] = "auth0_m2m";
+    AuthStrategyType["AUTH0_USER"] = "auth0_user";
+})(AuthStrategyType || (exports.AuthStrategyType = AuthStrategyType = {}));
+/**
+ * M2M authentication mode types
+ */
+var M2MType;
+(function (M2MType) {
+    M2MType["NONE"] = "none";
+    M2MType["SERVICE_ACCOUNT"] = "service_account";
+    M2MType["AUTH0_M2M"] = "auth0_m2m";
+})(M2MType || (exports.M2MType = M2MType = {}));
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAiCH;;GAEG;AACH,IAAY,gBAIX;AAJD,WAAY,gBAAgB;IACxB,uDAAmC,CAAA;IACnC,2CAAuB,CAAA;IACvB,6CAAyB,CAAA;AAC7B,CAAC,EAJW,gBAAgB,gCAAhB,gBAAgB,QAI3B;AAED;;GAEG;AACH,IAAY,OAIX;AAJD,WAAY,OAAO;IACf,wBAAa,CAAA;IACb,8CAAmC,CAAA;IACnC,kCAAuB,CAAA;AAC3B,CAAC,EAJW,OAAO,uBAAP,OAAO,QAIlB"}

package/dist/auth.d.ts

@@ -0,0 +1,47 @@
+import { OpenUrlHandler, ConfigProvider } from "./types";
+export interface AuthResult {
+    accessToken: string;
+    idToken?: string;
+    refreshToken?: string;
+    expiresAt?: Date;
+    userInfo?: any;
+}
+export declare class Auth0Service {
+    private config;
+    private redirectUri;
+    private callbackPort;
+    private client;
+    private issuer;
+    private initialized;
+    private openUrlHandler;
+    constructor(openUrlHandler: OpenUrlHandler, configProvider: ConfigProvider, callbackPort?: number);
+    /**
+     * Initialize the Auth0 client by discovering the issuer metadata
+     */
+    initialize(): Promise<void>;
+    /**
+     * Start the authentication flow
+     */
+    authenticate(): Promise<AuthResult>;
+    /**
+     * Get user information using the access token
+     */
+    getUserInfo(accessToken: string): Promise<any>;
+    /**
+     * Refresh the access token using refresh token
+     */
+    refreshToken(refreshToken: string): Promise<AuthResult>;
+    /**
+     * Process token set and return structured result
+     */
+    private processTokenSet;
+    /**
+     * Check if a token is expired
+     */
+    isTokenExpired(authResult: AuthResult): boolean;
+    /**
+     * Logout (revoke tokens if supported)
+     */
+    logout(accessToken: string): Promise<void>;
+}
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAc,cAAc,EAAE,MAAM,SAAS,CAAC;AASrE,MAAM,WAAW,UAAU;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;CAClB;AAED,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,cAAc,CAAiB;gBAGnC,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,cAAc,EAC9B,YAAY,GAAE,MAAc;IAgBhC;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA6DjC;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;IAoHzC;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAsBpD;;OAEG;IACG,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAqB7D;;OAEG;IACH,OAAO,CAAC,eAAe;IA4BvB;;OAEG;IACH,cAAc,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO;IA6B/C;;OAEG;IACG,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAenD"}