@decocms/runtime 1.2.6 → 1.2.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/runtime",
-  "version": "1.2.6",
+  "version": "1.2.8",
   "type": "module",
   "scripts": {
     "check": "tsc --noEmit",
@@ -31,6 +31,11 @@
   "engines": {
     "node": ">=24.0.0"
   },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/decocms/mesh.git",
+    "directory": "packages/runtime"
+  },
   "publishConfig": {
     "access": "public"
   }

package/scripts/generate-json-schema.ts

@@ -1,11 +1,16 @@
 // heavily inspired by https://github.com/cloudflare/workers-sdk/blob/main/packages/wrangler/scripts/generate-json-schema.ts
 import { writeFileSync } from "node:fs";
-import { join } from "node:path";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
 import { createGenerator } from "ts-json-schema-generator";
 import type { Config, Schema } from "ts-json-schema-generator";
 
+// Use standard ESM __dirname pattern for cross-runtime compatibility
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
 const config: Config = {
-  path: join(import.meta.dirname!, "../src/wrangler.ts"),
+  path: join(__dirname, "../src/wrangler.ts"),
+  tsconfig: join(__dirname, "../tsconfig.json"),
   type: "WranglerConfig",
   skipTypeCheck: true,
 };
@@ -19,6 +24,6 @@ const schema = applyFormattingRules(
 );
 
 writeFileSync(
-  join(import.meta.dirname!, "../config-schema.json"),
+  join(__dirname, "../config-schema.json"),
   JSON.stringify(schema, null, 2),
 );

package/src/bindings.ts

@@ -108,6 +108,12 @@ export const proxyConnectionForId = (
     headers ??= {};
     headers.cookie = ctx.cookie;
   }
+
+  if (ctx.token) {
+    headers ??= {};
+    headers["x-mesh-token"] = ctx.token;
+  }
+
   return {
     type: "HTTP",
     url: new URL(`/mcp/${connectionId}`, ctx.meshUrl).href,

package/src/oauth.ts

@@ -285,24 +285,41 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
   const handleToken = async (req: Request): Promise<Response> => {
     try {
       const contentType = req.headers.get("content-type") ?? "";
-      let body: Record<string, string>;
+      let body: Record<string, unknown>;
 
       if (contentType.includes("application/x-www-form-urlencoded")) {
         const formData = await req.formData();
-        body = Object.fromEntries(formData.entries()) as Record<string, string>;
+        body = Object.fromEntries(formData.entries());
       } else {
-        body = await req.json();
+        const jsonBody = await req.json();
+        if (
+          typeof jsonBody !== "object" ||
+          jsonBody === null ||
+          Array.isArray(jsonBody)
+        ) {
+          return Response.json(
+            {
+              error: "invalid_request",
+              error_description: "Request body must be a JSON object",
+            },
+            { status: 400 },
+          );
+        }
+        body = jsonBody as Record<string, unknown>;
       }
 
+      // Extract and validate OAuth parameters
+      // Per RFC 6749, all parameters should be strings, but we validate at runtime
       const { code, code_verifier, grant_type, refresh_token } = body;
 
       // Handle refresh_token grant type
       if (grant_type === "refresh_token") {
-        if (!refresh_token) {
+        if (typeof refresh_token !== "string" || !refresh_token) {
           return Response.json(
             {
               error: "invalid_request",
-              error_description: "refresh_token is required",
+              error_description:
+                "refresh_token is required and must be a string",
             },
             { status: 400 },
           );
@@ -356,9 +373,12 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
         );
       }
 
-      if (!code) {
+      if (typeof code !== "string" || !code) {
         return Response.json(
-          { error: "invalid_request", error_description: "code is required" },
+          {
+            error: "invalid_request",
+            error_description: "code is required and must be a string",
+          },
           { status: 400 },
         );
       }
@@ -377,11 +397,11 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
 
       // Verify PKCE if code challenge was provided
       if (payload.codeChallenge) {
-        if (!code_verifier) {
+        if (typeof code_verifier !== "string" || !code_verifier) {
           return Response.json(
             {
               error: "invalid_grant",
-              error_description: "code_verifier required",
+              error_description: "code_verifier required and must be a string",
             },
             { status: 400 },
           );

package/src/tools.ts

@@ -345,39 +345,70 @@ export interface OnChangeCallback<TState> {
   scopes: string[];
 }
 
+/**
+ * OAuth 2.0 Token Exchange Parameters
+ * Parameters passed to exchangeCode() for token retrieval
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
+ */
 export interface OAuthParams {
+  /** REQUIRED - The authorization code received from the authorization server */
   code: string;
+  /** OPTIONAL - PKCE code verifier (RFC 7636) */
   code_verifier?: string;
+  /** OPTIONAL - Code challenge method: S256 (SHA-256) or plain */
   code_challenge_method?: "S256" | "plain";
   /**
-   * The redirect_uri used in the authorization request (without state/extra params).
-   * This is the clean callback URL that should be used for token exchange.
+   * OPTIONAL - The redirect_uri used in the authorization request
+   * MUST be identical if included in the authorization request
    */
   redirect_uri?: string;
 }
 
+/**
+ * OAuth 2.0 Token Response
+ * Response from the authorization server's token endpoint
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
 export interface OAuthTokenResponse {
+  /** REQUIRED - The access token issued by the authorization server */
   access_token: string;
+  /** REQUIRED - Type of token (usually "Bearer" per RFC 6750) */
   token_type: string;
+  /** RECOMMENDED - Lifetime in seconds of the access token */
   expires_in?: number;
+  /** OPTIONAL - Used to obtain new access tokens (if applicable) */
   refresh_token?: string;
+  /** OPTIONAL - Scope of the access token (if different from requested) */
   scope?: string;
+  /** Additional provider-specific fields */
   [key: string]: unknown;
 }
 
 /**
- * OAuth client for dynamic client registration (RFC7591)
+ * OAuth 2.0 Client Metadata (Dynamic Client Registration)
+ * @see https://datatracker.ietf.org/doc/html/rfc7591#section-2
+ * @see https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
  */
 export interface OAuthClient {
+  /** REQUIRED - OAuth 2.0 client identifier string */
   client_id: string;
+  /** OPTIONAL - OAuth 2.0 client secret string (confidential clients) */
   client_secret?: string;
+  /** OPTIONAL - Human-readable name of the client */
   client_name?: string;
+  /** REQUIRED - Array of redirect URIs for use in redirect-based flows */
   redirect_uris: string[];
+  /** OPTIONAL - Array of OAuth 2.0 grant types (e.g., "authorization_code", "refresh_token") */
   grant_types?: string[];
+  /** OPTIONAL - Array of response types (e.g., "code", "token") */
   response_types?: string[];
+  /** OPTIONAL - Authentication method for the token endpoint (e.g., "client_secret_basic", "none") */
   token_endpoint_auth_method?: string;
+  /** OPTIONAL - Space-separated list of scope values */
   scope?: string;
+  /** OPTIONAL - Time at which the client identifier was issued (Unix timestamp) */
   client_id_issued_at?: number;
+  /** OPTIONAL - Time at which the client secret expires (Unix timestamp, 0 = never) */
   client_secret_expires_at?: number;
 }