@datalayer/agent-runtimes 0.0.7 → 0.0.8

package/lib/identity/dcr.js

@@ -0,0 +1,282 @@
+/*
+ * Copyright (c) 2025-2026 Datalayer, Inc.
+ * Distributed under the terms of the Modified BSD License.
+ */
+/**
+ * Well-known paths for OAuth discovery
+ */
+const WELL_KNOWN_PATHS = [
+    '/.well-known/oauth-authorization-server',
+    '/.well-known/openid-configuration',
+];
+/**
+ * Storage key for DCR clients
+ */
+const DCR_STORAGE_KEY = 'agent-runtimes:dcr-clients';
+/**
+ * Discover OAuth authorization server metadata
+ *
+ * @param issuerUrl - The issuer URL (e.g., https://accounts.google.com)
+ * @returns Authorization server metadata or null if not found
+ */
+export async function discoverAuthorizationServer(issuerUrl) {
+    const baseUrl = issuerUrl.replace(/\/$/, '');
+    for (const path of WELL_KNOWN_PATHS) {
+        try {
+            const response = await fetch(`${baseUrl}${path}`, {
+                headers: {
+                    Accept: 'application/json',
+                },
+            });
+            if (response.ok) {
+                const metadata = await response.json();
+                return metadata;
+            }
+        }
+        catch {
+            // Try next path
+            continue;
+        }
+    }
+    return null;
+}
+/**
+ * Check if an authorization server supports Dynamic Client Registration
+ *
+ * @param metadata - Authorization server metadata
+ * @returns True if DCR is supported
+ */
+export function supportsDCR(metadata) {
+    return !!metadata.registration_endpoint;
+}
+/**
+ * Register a new OAuth client dynamically
+ *
+ * @param registrationEndpoint - The DCR endpoint URL
+ * @param request - Client registration request
+ * @param accessToken - Optional access token (for protected registration endpoints)
+ * @returns Client registration response
+ * @throws Error if registration fails
+ */
+export async function registerClient(registrationEndpoint, request, accessToken) {
+    const headers = {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+    };
+    if (accessToken) {
+        headers['Authorization'] = `Bearer ${accessToken}`;
+    }
+    const response = await fetch(registrationEndpoint, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(request),
+    });
+    const data = await response.json();
+    if (!response.ok) {
+        const error = data;
+        throw new Error(`DCR registration failed: ${error.error}${error.error_description ? ` - ${error.error_description}` : ''}`);
+    }
+    return data;
+}
+/**
+ * Update an existing client registration
+ *
+ * @param registrationClientUri - The client configuration endpoint
+ * @param registrationAccessToken - The registration access token
+ * @param updates - Fields to update
+ * @returns Updated client registration
+ */
+export async function updateClientRegistration(registrationClientUri, registrationAccessToken, updates) {
+    const response = await fetch(registrationClientUri, {
+        method: 'PUT',
+        headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+            Authorization: `Bearer ${registrationAccessToken}`,
+        },
+        body: JSON.stringify(updates),
+    });
+    const data = await response.json();
+    if (!response.ok) {
+        const error = data;
+        throw new Error(`DCR update failed: ${error.error}${error.error_description ? ` - ${error.error_description}` : ''}`);
+    }
+    return data;
+}
+/**
+ * Delete a client registration
+ *
+ * @param registrationClientUri - The client configuration endpoint
+ * @param registrationAccessToken - The registration access token
+ */
+export async function deleteClientRegistration(registrationClientUri, registrationAccessToken) {
+    const response = await fetch(registrationClientUri, {
+        method: 'DELETE',
+        headers: {
+            Authorization: `Bearer ${registrationAccessToken}`,
+        },
+    });
+    if (!response.ok && response.status !== 204) {
+        throw new Error(`DCR delete failed: ${response.status} ${response.statusText}`);
+    }
+}
+/**
+ * Get or create a dynamic client for an OAuth provider
+ *
+ * This is the main entry point for DCR. It:
+ * 1. Checks if we already have a registered client for this issuer
+ * 2. If not, discovers the authorization server metadata
+ * 3. If DCR is supported, registers a new client
+ * 4. Stores the client for future use
+ *
+ * @param issuerUrl - The OAuth provider's issuer URL
+ * @param options - Registration options
+ * @returns The dynamic client information
+ * @throws Error if DCR is not supported or registration fails
+ */
+export async function getOrCreateDynamicClient(issuerUrl, options) {
+    const normalizedIssuer = issuerUrl.replace(/\/$/, '');
+    // Check for existing client
+    if (!options.forceNew) {
+        const existingClient = loadDynamicClient(normalizedIssuer);
+        if (existingClient) {
+            // Check if client secret has expired
+            if (existingClient.clientSecretExpiresAt &&
+                existingClient.clientSecretExpiresAt > 0 &&
+                existingClient.clientSecretExpiresAt * 1000 < Date.now()) {
+                console.log('[DCR] Client secret expired, re-registering');
+            }
+            else {
+                return existingClient;
+            }
+        }
+    }
+    // Discover authorization server
+    const metadata = await discoverAuthorizationServer(normalizedIssuer);
+    if (!metadata) {
+        throw new Error(`Could not discover authorization server at ${normalizedIssuer}`);
+    }
+    // Check for DCR support
+    if (!supportsDCR(metadata)) {
+        throw new Error(`Authorization server at ${normalizedIssuer} does not support Dynamic Client Registration`);
+    }
+    // Build registration request
+    const request = {
+        redirect_uris: options.redirectUris,
+        client_name: options.clientName || 'Agent Runtimes Client',
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        token_endpoint_auth_method: 'none', // Public client (PKCE)
+    };
+    if (options.scopes?.length) {
+        request.scope = options.scopes.join(' ');
+    }
+    // Register client
+    const registrationResponse = await registerClient(metadata.registration_endpoint, request, options.initialAccessToken);
+    // Build dynamic client object
+    const dynamicClient = {
+        issuer: normalizedIssuer,
+        clientId: registrationResponse.client_id,
+        clientSecret: registrationResponse.client_secret,
+        clientSecretExpiresAt: registrationResponse.client_secret_expires_at,
+        registrationAccessToken: registrationResponse.registration_access_token,
+        registrationClientUri: registrationResponse.registration_client_uri,
+        registeredAt: Date.now(),
+        redirectUris: options.redirectUris,
+        scopes: options.scopes || [],
+        serverMetadata: metadata,
+    };
+    // Store for future use
+    saveDynamicClient(dynamicClient);
+    return dynamicClient;
+}
+/**
+ * Load a dynamic client from storage
+ */
+export function loadDynamicClient(issuer) {
+    try {
+        const stored = localStorage.getItem(DCR_STORAGE_KEY);
+        if (!stored)
+            return null;
+        const clients = JSON.parse(stored);
+        return clients[issuer] || null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Save a dynamic client to storage
+ */
+export function saveDynamicClient(client) {
+    try {
+        const stored = localStorage.getItem(DCR_STORAGE_KEY);
+        const clients = stored ? JSON.parse(stored) : {};
+        clients[client.issuer] = client;
+        localStorage.setItem(DCR_STORAGE_KEY, JSON.stringify(clients));
+    }
+    catch (error) {
+        console.error('[DCR] Failed to save client:', error);
+    }
+}
+/**
+ * Remove a dynamic client from storage
+ */
+export function removeDynamicClient(issuer) {
+    try {
+        const stored = localStorage.getItem(DCR_STORAGE_KEY);
+        if (!stored)
+            return;
+        const clients = JSON.parse(stored);
+        delete clients[issuer];
+        localStorage.setItem(DCR_STORAGE_KEY, JSON.stringify(clients));
+    }
+    catch {
+        // Ignore storage errors
+    }
+}
+/**
+ * Get all stored dynamic clients
+ */
+export function getAllDynamicClients() {
+    try {
+        const stored = localStorage.getItem(DCR_STORAGE_KEY);
+        if (!stored)
+            return [];
+        const clients = JSON.parse(stored);
+        return Object.values(clients);
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Clear all stored dynamic clients
+ */
+export function clearAllDynamicClients() {
+    try {
+        localStorage.removeItem(DCR_STORAGE_KEY);
+    }
+    catch {
+        // Ignore storage errors
+    }
+}
+/**
+ * Build OAuth provider config from a dynamic client
+ *
+ * This converts a DynamicClient into an OAuthProviderConfig that can be
+ * used with the rest of the identity system.
+ */
+export function dynamicClientToProviderConfig(client, displayName) {
+    return {
+        provider: client.issuer,
+        displayName: displayName || new URL(client.issuer).hostname,
+        clientId: client.clientId,
+        authorizationUrl: client.serverMetadata.authorization_endpoint,
+        tokenUrl: client.serverMetadata.token_endpoint,
+        userInfoUrl: client.serverMetadata.userinfo_endpoint,
+        revocationUrl: client.serverMetadata.revocation_endpoint,
+        defaultScopes: client.scopes,
+        redirectUri: client.redirectUris[0],
+    };
+}

package/lib/identity/identityStore.d.ts

@@ -0,0 +1,72 @@
+import type { Identity, IdentityStore, AuthorizationRequest } from './types';
+/**
+ * Create the identity store
+ */
+export declare const useIdentityStore: import("zustand").UseBoundStore<Omit<Omit<Omit<import("zustand").StoreApi<IdentityStore>, "setState"> & {
+    setState<A extends string | {
+        type: string;
+    }>(partial: IdentityStore | Partial<IdentityStore> | ((state: IdentityStore) => IdentityStore | Partial<IdentityStore>), replace?: boolean | undefined, action?: A | undefined): void;
+}, "subscribe"> & {
+    subscribe: {
+        (listener: (selectedState: IdentityStore, previousSelectedState: IdentityStore) => void): () => void;
+        <U>(selector: (state: IdentityStore) => U, listener: (selectedState: U, previousSelectedState: U) => void, options?: {
+            equalityFn?: ((a: U, b: U) => boolean) | undefined;
+            fireImmediately?: boolean;
+        } | undefined): () => void;
+    };
+}, "persist"> & {
+    persist: {
+        setOptions: (options: Partial<import("zustand/middleware").PersistOptions<IdentityStore, any>>) => void;
+        clearStorage: () => void;
+        rehydrate: () => Promise<void> | void;
+        hasHydrated: () => boolean;
+        onHydrate: (fn: (state: IdentityStore) => void) => () => void;
+        onFinishHydration: (fn: (state: IdentityStore) => void) => () => void;
+        getOptions: () => Partial<import("zustand/middleware").PersistOptions<IdentityStore, any>>;
+    };
+}>;
+/**
+ * Get all connected identities
+ */
+export declare function useConnectedIdentities(): Identity[];
+/**
+ * Get connected provider names
+ */
+export declare function useConnectedProviders(): string[];
+/**
+ * Get identity for a specific provider
+ */
+export declare function useIdentity(provider: string): Identity | undefined;
+/**
+ * Check if a provider is connected
+ */
+export declare function useIsProviderConnected(provider: string): boolean;
+/**
+ * Get pending authorization
+ */
+export declare function usePendingAuthorization(): AuthorizationRequest | null;
+/**
+ * Get identity loading state
+ */
+export declare function useIdentityLoading(): boolean;
+/**
+ * Get identity error
+ */
+export declare function useIdentityError(): Error | null;
+/**
+ * Configure built-in providers with client IDs
+ */
+export declare function configureBuiltinProviders(options: {
+    github?: {
+        clientId: string;
+        redirectUri: string;
+    };
+    google?: {
+        clientId: string;
+        redirectUri: string;
+    };
+    kaggle?: {
+        clientId: string;
+        redirectUri: string;
+    };
+}): void;