@datalayer/agent-runtimes 0.0.5 → 0.0.8

package/lib/identity/OAuthCallback.js

@@ -0,0 +1,223 @@
+import { jsx as _jsx, Fragment as _Fragment, jsxs as _jsxs } from "react/jsx-runtime";
+/*
+ * Copyright (c) 2025-2026 Datalayer, Inc.
+ * Distributed under the terms of the Modified BSD License.
+ */
+import { useEffect, useState } from 'react';
+import { Box, Text, Spinner, Flash, Button } from '@primer/react';
+import { CheckCircleFillIcon, AlertIcon, XCircleIcon, } from '@primer/octicons-react';
+import { useIdentityStore } from './identityStore';
+/**
+ * OAuth callback handler component.
+ *
+ * This component should be rendered on the OAuth callback URL (e.g., /oauth/callback).
+ * It handles the authorization code exchange and token storage.
+ *
+ * @example
+ * // For redirect flow - mount at /oauth/callback
+ * <Route path="/oauth/callback" element={<OAuthCallback redirectUrl="/" />} />
+ *
+ * @example
+ * // For popup flow - mount at /oauth/callback
+ * <Route path="/oauth/callback" element={<OAuthCallback autoClose />} />
+ */
+export const OAuthCallback = ({ successMessage = 'Account connected successfully!', errorMessagePrefix = 'Failed to connect account', autoClose, autoCloseDelay = 1500, onSuccess, onError, redirectUrl, showCloseButton = true, }) => {
+    const [status, setStatus] = useState('processing');
+    const [error, setError] = useState(null);
+    const [provider, setProvider] = useState(null);
+    const [storeHydrated, setStoreHydrated] = useState(false);
+    const completeAuthorization = useIdentityStore(state => state.completeAuthorization);
+    const pendingAuth = useIdentityStore(state => state.pendingAuthorization);
+    // Detect if we're in a popup
+    const isPopup = window.opener !== null;
+    // Determine auto-close behavior
+    const shouldAutoClose = autoClose ?? isPopup;
+    // Wait for Zustand store to hydrate from localStorage
+    useEffect(() => {
+        // Check if store has rehydrated by checking for any data or with a small delay
+        const checkHydration = () => {
+            // Give zustand-persist time to hydrate from localStorage
+            const stored = localStorage.getItem('agent-runtimes-identity');
+            if (stored) {
+                // Store exists - give it a moment to hydrate
+                setTimeout(() => setStoreHydrated(true), 50);
+            }
+            else {
+                // No stored data, proceed immediately
+                setStoreHydrated(true);
+            }
+        };
+        checkHydration();
+    }, []);
+    useEffect(() => {
+        // Wait for store to hydrate before processing callback
+        if (!storeHydrated)
+            return;
+        const handleCallback = async () => {
+            const urlParams = new URLSearchParams(window.location.search);
+            const code = urlParams.get('code');
+            const state = urlParams.get('state');
+            const errorParam = urlParams.get('error');
+            const errorDescription = urlParams.get('error_description');
+            // Handle OAuth error response
+            if (errorParam) {
+                const errorMsg = errorDescription || errorParam;
+                setError(errorMsg);
+                setStatus('error');
+                onError?.(new Error(errorMsg));
+                return;
+            }
+            // Validate required parameters
+            if (!code || !state) {
+                const errorMsg = 'Missing authorization code or state parameter';
+                setError(errorMsg);
+                setStatus('error');
+                onError?.(new Error(errorMsg));
+                return;
+            }
+            // Validate state matches pending authorization
+            if (!pendingAuth || pendingAuth.state !== state) {
+                const errorMsg = 'Invalid state parameter - possible CSRF attack';
+                setError(errorMsg);
+                setStatus('error');
+                onError?.(new Error(errorMsg));
+                return;
+            }
+            setProvider(pendingAuth.provider);
+            try {
+                // Complete the authorization - this returns the identity
+                const identity = await completeAuthorization({
+                    code,
+                    state,
+                });
+                setStatus('success');
+                onSuccess?.(pendingAuth.provider);
+                // Handle popup flow - notify parent and close
+                if (isPopup && window.opener) {
+                    // Small delay to ensure localStorage is fully written by Zustand persist
+                    // before notifying the parent window
+                    setTimeout(() => {
+                        console.log('[OAuthCallback] Posting success message to parent with identity');
+                        // Post message to parent window - include identity so parent doesn't need to read from localStorage
+                        window.opener.postMessage({
+                            type: 'oauth-callback-success',
+                            provider: pendingAuth.provider,
+                            identity: identity,
+                        }, window.location.origin);
+                        if (shouldAutoClose) {
+                            setTimeout(() => {
+                                window.close();
+                            }, autoCloseDelay);
+                        }
+                    }, 50);
+                }
+                // Handle redirect flow
+                else if (redirectUrl) {
+                    if (shouldAutoClose) {
+                        setTimeout(() => {
+                            window.location.href = redirectUrl;
+                        }, autoCloseDelay);
+                    }
+                }
+            }
+            catch (err) {
+                const errorMsg = err instanceof Error ? err.message : 'Unknown error occurred';
+                setError(errorMsg);
+                setStatus('error');
+                onError?.(err instanceof Error ? err : new Error(errorMsg));
+                // Notify popup parent of error
+                if (isPopup && window.opener) {
+                    window.opener.postMessage({
+                        type: 'oauth-callback-error',
+                        error: errorMsg,
+                        provider: pendingAuth.provider,
+                    }, window.location.origin);
+                }
+            }
+        };
+        handleCallback();
+    }, [
+        storeHydrated,
+        completeAuthorization,
+        pendingAuth,
+        onSuccess,
+        onError,
+        shouldAutoClose,
+        autoCloseDelay,
+        redirectUrl,
+        isPopup,
+    ]);
+    const handleClose = () => {
+        if (isPopup) {
+            window.close();
+        }
+        else if (redirectUrl) {
+            window.location.href = redirectUrl;
+        }
+    };
+    return (_jsx(Box, { sx: {
+            display: 'flex',
+            flexDirection: 'column',
+            alignItems: 'center',
+            justifyContent: 'center',
+            minHeight: '100vh',
+            padding: 4,
+            backgroundColor: 'canvas.default',
+        }, children: _jsxs(Box, { sx: {
+                maxWidth: 400,
+                width: '100%',
+                padding: 4,
+                borderRadius: 2,
+                border: '1px solid',
+                borderColor: 'border.default',
+                backgroundColor: 'canvas.subtle',
+                textAlign: 'center',
+            }, children: [status === 'processing' && (_jsxs(_Fragment, { children: [_jsx(Spinner, { size: "large" }), _jsx(Text, { sx: {
+                                display: 'block',
+                                marginTop: 3,
+                                fontSize: 2,
+                                fontWeight: 'bold',
+                            }, children: "Connecting your account..." }), _jsx(Text, { sx: { display: 'block', marginTop: 2, color: 'fg.muted' }, children: "Please wait while we complete the authorization." })] })), status === 'success' && (_jsxs(_Fragment, { children: [_jsx(Box, { sx: {
+                                width: 64,
+                                height: 64,
+                                borderRadius: '50%',
+                                backgroundColor: 'success.subtle',
+                                display: 'flex',
+                                alignItems: 'center',
+                                justifyContent: 'center',
+                                margin: '0 auto',
+                            }, children: _jsx(Box, { sx: { color: 'success.fg' }, children: _jsx(CheckCircleFillIcon, { size: 32 }) }) }), _jsx(Text, { sx: {
+                                display: 'block',
+                                marginTop: 3,
+                                fontSize: 2,
+                                fontWeight: 'bold',
+                                color: 'success.fg',
+                            }, children: successMessage }), provider && (_jsxs(Text, { sx: { display: 'block', marginTop: 2, color: 'fg.muted' }, children: ["Your ", provider, " account has been connected."] })), shouldAutoClose && (_jsx(Text, { sx: {
+                                display: 'block',
+                                marginTop: 3,
+                                fontSize: 0,
+                                color: 'fg.muted',
+                            }, children: isPopup
+                                ? 'This window will close automatically...'
+                                : 'Redirecting...' })), showCloseButton && !shouldAutoClose && (_jsx(Button, { variant: "primary", onClick: handleClose, sx: { marginTop: 3 }, children: isPopup ? 'Close' : 'Continue' }))] })), status === 'error' && (_jsxs(_Fragment, { children: [_jsx(Box, { sx: {
+                                width: 64,
+                                height: 64,
+                                borderRadius: '50%',
+                                backgroundColor: 'danger.subtle',
+                                display: 'flex',
+                                alignItems: 'center',
+                                justifyContent: 'center',
+                                margin: '0 auto',
+                            }, children: _jsx(Box, { sx: { color: 'danger.fg' }, children: _jsx(XCircleIcon, { size: 32 }) }) }), _jsx(Text, { sx: {
+                                display: 'block',
+                                marginTop: 3,
+                                fontSize: 2,
+                                fontWeight: 'bold',
+                                color: 'danger.fg',
+                            }, children: "Connection Failed" }), _jsxs(Flash, { variant: "danger", sx: { marginTop: 3, textAlign: 'left' }, children: [_jsx(Box, { as: "span", sx: {
+                                        mr: 2,
+                                        display: 'inline-flex',
+                                        verticalAlign: 'text-bottom',
+                                    }, children: _jsx(AlertIcon, { size: 16 }) }), errorMessagePrefix, ": ", error] }), showCloseButton && (_jsx(Button, { variant: "danger", onClick: handleClose, sx: { marginTop: 3 }, children: isPopup ? 'Close' : 'Go Back' }))] }))] }) }));
+};
+export default OAuthCallback;

package/lib/identity/dcr.d.ts

@@ -0,0 +1,257 @@
+/**
+ * Dynamic Client Registration (DCR) for OAuth 2.1
+ *
+ * Implements RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol
+ * https://oauth.net/2/dynamic-client-registration/
+ *
+ * DCR allows OAuth clients to register themselves dynamically without
+ * manual setup, which is essential for AI agents that need to connect
+ * to OAuth providers discovered at runtime.
+ *
+ * @module identity/dcr
+ */
+/**
+ * OAuth 2.0 Authorization Server Metadata
+ * Based on RFC 8414
+ */
+export interface AuthorizationServerMetadata {
+    /** The authorization server's issuer identifier */
+    issuer: string;
+    /** URL of the authorization endpoint */
+    authorization_endpoint: string;
+    /** URL of the token endpoint */
+    token_endpoint: string;
+    /** URL of the registration endpoint (for DCR) */
+    registration_endpoint?: string;
+    /** URL of the token revocation endpoint */
+    revocation_endpoint?: string;
+    /** URL of the userinfo endpoint (OpenID Connect) */
+    userinfo_endpoint?: string;
+    /** URL of the JWKS endpoint */
+    jwks_uri?: string;
+    /** Supported response types */
+    response_types_supported: string[];
+    /** Supported grant types */
+    grant_types_supported?: string[];
+    /** Supported scopes */
+    scopes_supported?: string[];
+    /** Supported token endpoint auth methods */
+    token_endpoint_auth_methods_supported?: string[];
+    /** Supported code challenge methods (PKCE) */
+    code_challenge_methods_supported?: string[];
+    /** Additional metadata */
+    [key: string]: unknown;
+}
+/**
+ * Client registration request per RFC 7591
+ */
+export interface ClientRegistrationRequest {
+    /** Array of redirection URI strings */
+    redirect_uris: string[];
+    /** Requested authentication method for the token endpoint */
+    token_endpoint_auth_method?: 'none' | 'client_secret_basic' | 'client_secret_post' | 'private_key_jwt';
+    /** Array of grant types the client will use */
+    grant_types?: string[];
+    /** Array of response types the client will use */
+    response_types?: string[];
+    /** Human-readable name of the client */
+    client_name?: string;
+    /** URL of the client's home page */
+    client_uri?: string;
+    /** URL of the client's logo */
+    logo_uri?: string;
+    /** Space-separated list of scope values */
+    scope?: string;
+    /** Array of email addresses of people responsible for this client */
+    contacts?: string[];
+    /** URL of the terms of service */
+    tos_uri?: string;
+    /** URL of the privacy policy */
+    policy_uri?: string;
+    /** URL of the JWKS for the client (for private_key_jwt) */
+    jwks_uri?: string;
+    /** JWKS document (inline, alternative to jwks_uri) */
+    jwks?: {
+        keys: unknown[];
+    };
+    /** Software identifier (for software statement) */
+    software_id?: string;
+    /** Software version */
+    software_version?: string;
+    /** Software statement JWT */
+    software_statement?: string;
+    /** Additional registration parameters */
+    [key: string]: unknown;
+}
+/**
+ * Client registration response per RFC 7591
+ */
+export interface ClientRegistrationResponse {
+    /** OAuth 2.0 client identifier */
+    client_id: string;
+    /** OAuth 2.0 client secret (if confidential client) */
+    client_secret?: string;
+    /** Time at which the client identifier was issued (Unix timestamp) */
+    client_id_issued_at?: number;
+    /** Time at which the client secret will expire (Unix timestamp, 0 = never) */
+    client_secret_expires_at?: number;
+    /** Registration access token (for client configuration endpoint) */
+    registration_access_token?: string;
+    /** Location of the client configuration endpoint */
+    registration_client_uri?: string;
+    /** All other fields from the registration request echoed back */
+    redirect_uris: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    jwks?: {
+        keys: unknown[];
+    };
+    software_id?: string;
+    software_version?: string;
+}
+/**
+ * DCR error response per RFC 7591
+ */
+export interface ClientRegistrationError {
+    /** Error code */
+    error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;
+    /** Human-readable error description */
+    error_description?: string;
+}
+/**
+ * Stored DCR client information
+ */
+export interface DynamicClient {
+    /** Provider/issuer identifier */
+    issuer: string;
+    /** Registered client ID */
+    clientId: string;
+    /** Registered client secret (if any) */
+    clientSecret?: string;
+    /** Client secret expiration (if any) */
+    clientSecretExpiresAt?: number;
+    /** Registration access token (for updates) */
+    registrationAccessToken?: string;
+    /** Registration client URI (for updates) */
+    registrationClientUri?: string;
+    /** Registration timestamp */
+    registeredAt: number;
+    /** Configured redirect URIs */
+    redirectUris: string[];
+    /** Granted scopes */
+    scopes: string[];
+    /** Server metadata */
+    serverMetadata: AuthorizationServerMetadata;
+}
+/**
+ * Discover OAuth authorization server metadata
+ *
+ * @param issuerUrl - The issuer URL (e.g., https://accounts.google.com)
+ * @returns Authorization server metadata or null if not found
+ */
+export declare function discoverAuthorizationServer(issuerUrl: string): Promise<AuthorizationServerMetadata | null>;
+/**
+ * Check if an authorization server supports Dynamic Client Registration
+ *
+ * @param metadata - Authorization server metadata
+ * @returns True if DCR is supported
+ */
+export declare function supportsDCR(metadata: AuthorizationServerMetadata): boolean;
+/**
+ * Register a new OAuth client dynamically
+ *
+ * @param registrationEndpoint - The DCR endpoint URL
+ * @param request - Client registration request
+ * @param accessToken - Optional access token (for protected registration endpoints)
+ * @returns Client registration response
+ * @throws Error if registration fails
+ */
+export declare function registerClient(registrationEndpoint: string, request: ClientRegistrationRequest, accessToken?: string): Promise<ClientRegistrationResponse>;
+/**
+ * Update an existing client registration
+ *
+ * @param registrationClientUri - The client configuration endpoint
+ * @param registrationAccessToken - The registration access token
+ * @param updates - Fields to update
+ * @returns Updated client registration
+ */
+export declare function updateClientRegistration(registrationClientUri: string, registrationAccessToken: string, updates: Partial<ClientRegistrationRequest>): Promise<ClientRegistrationResponse>;
+/**
+ * Delete a client registration
+ *
+ * @param registrationClientUri - The client configuration endpoint
+ * @param registrationAccessToken - The registration access token
+ */
+export declare function deleteClientRegistration(registrationClientUri: string, registrationAccessToken: string): Promise<void>;
+/**
+ * Get or create a dynamic client for an OAuth provider
+ *
+ * This is the main entry point for DCR. It:
+ * 1. Checks if we already have a registered client for this issuer
+ * 2. If not, discovers the authorization server metadata
+ * 3. If DCR is supported, registers a new client
+ * 4. Stores the client for future use
+ *
+ * @param issuerUrl - The OAuth provider's issuer URL
+ * @param options - Registration options
+ * @returns The dynamic client information
+ * @throws Error if DCR is not supported or registration fails
+ */
+export declare function getOrCreateDynamicClient(issuerUrl: string, options: {
+    /** Application name */
+    clientName?: string;
+    /** Redirect URIs */
+    redirectUris: string[];
+    /** Requested scopes */
+    scopes?: string[];
+    /** Force re-registration even if client exists */
+    forceNew?: boolean;
+    /** Optional initial access token for protected endpoints */
+    initialAccessToken?: string;
+}): Promise<DynamicClient>;
+/**
+ * Load a dynamic client from storage
+ */
+export declare function loadDynamicClient(issuer: string): DynamicClient | null;
+/**
+ * Save a dynamic client to storage
+ */
+export declare function saveDynamicClient(client: DynamicClient): void;
+/**
+ * Remove a dynamic client from storage
+ */
+export declare function removeDynamicClient(issuer: string): void;
+/**
+ * Get all stored dynamic clients
+ */
+export declare function getAllDynamicClients(): DynamicClient[];
+/**
+ * Clear all stored dynamic clients
+ */
+export declare function clearAllDynamicClients(): void;
+/**
+ * Build OAuth provider config from a dynamic client
+ *
+ * This converts a DynamicClient into an OAuthProviderConfig that can be
+ * used with the rest of the identity system.
+ */
+export declare function dynamicClientToProviderConfig(client: DynamicClient, displayName?: string): {
+    provider: string;
+    displayName: string;
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    userInfoUrl?: string;
+    revocationUrl?: string;
+    defaultScopes: string[];
+    redirectUri: string;
+};