npm - @dotdo/oauth - Versions diffs - 0.1.0 - Mend

@dotdo/oauth 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,171 @@
+# @dotdo/oauth
+OAuth 2.1 authorization server for MCP (Model Context Protocol) compatibility.
+## The Problem
+You're building an MCP server. Claude and ChatGPT need to authenticate. But OAuth 2.1 is new, the docs are scattered, and you've spent hours debugging `.well-known` endpoints and CORS headers.
+## The Solution
+```typescript
+import { createOAuth21Server, MemoryOAuthStorage } from '@dotdo/oauth'
+const oauth = createOAuth21Server({
+  issuer: 'https://your-mcp.do',
+  storage: new MemoryOAuthStorage(),
+  upstream: {
+    provider: 'workos',
+    apiKey: process.env.WORKOS_API_KEY,
+    clientId: process.env.WORKOS_CLIENT_ID,
+  },
+})
+// Mount it. Done.
+app.route('/', oauth)
+```
+Your MCP server now speaks OAuth 2.1. Claude can connect.
+## What This Does
+This package creates a **federated OAuth 2.1 server**:
+- It's an OAuth **SERVER** to MCP clients (Claude, ChatGPT)
+- It's an OAuth **CLIENT** to your identity provider (WorkOS, Auth0)
+```
+┌─────────────────┐      ┌──────────────────┐      ┌─────────────┐
+│  Claude/ChatGPT │ ───> │  Your MCP Server │ ───> │   WorkOS    │
+│  (OAuth Client) │      │ (OAuth Server +  │      │  (Upstream) │
+│                 │ <─── │   OAuth Client)  │ <─── │             │
+└─────────────────┘      └──────────────────┘      └─────────────┘
+```
+## Endpoints
+Once mounted, your server provides:
+| Endpoint | Purpose |
+|----------|---------|
+| `/.well-known/oauth-authorization-server` | Server metadata (RFC 8414) |
+| `/.well-known/oauth-protected-resource` | Resource metadata |
+| `/authorize` | Authorization endpoint |
+| `/token` | Token endpoint |
+| `/register` | Dynamic client registration |
+| `/revoke` | Token revocation |
+## Features
+- **OAuth 2.1 compliant** - PKCE required, S256 only
+- **MCP compatible** - Works with Claude, ChatGPT, and other MCP clients
+- **Federated auth** - Delegates to WorkOS, Auth0, or custom providers
+- **Storage agnostic** - Bring your own storage backend
+- **Zero dependencies** on `oauth.do` or `@dotdo/do` - this is the leaf package
+## Storage
+The package provides `MemoryOAuthStorage` for testing. For production, implement the `OAuthStorage` interface:
+```typescript
+import type { OAuthStorage } from '@dotdo/oauth'
+class MyStorage implements OAuthStorage {
+  async getUser(id: string) { /* ... */ }
+  async saveUser(user: OAuthUser) { /* ... */ }
+  async getClient(clientId: string) { /* ... */ }
+  // ... other methods
+}
+```
+If you're using `@dotdo/do`, it provides `DOAuthStorage` that implements this interface using Durable Object SQLite storage.
+## Configuration
+```typescript
+createOAuth21Server({
+  // Required
+  issuer: 'https://your-domain.com',      // Your server's URL
+  storage: new MemoryOAuthStorage(),       // Storage backend
+  upstream: {                              // Identity provider
+    provider: 'workos',
+    apiKey: 'sk_...',
+    clientId: 'client_...',
+  },
+  // Optional
+  scopes: ['openid', 'profile', 'email'],  // Supported scopes
+  accessTokenTtl: 3600,                    // 1 hour (default)
+  refreshTokenTtl: 2592000,                // 30 days (default)
+  authCodeTtl: 600,                        // 10 minutes (default)
+  enableDynamicRegistration: true,         // Allow client registration
+  debug: false,                            // Debug logging
+  // Callbacks
+  onUserAuthenticated: async (user) => {
+    console.log('User logged in:', user.email)
+  },
+})
+```
+## Upstream Providers
+### WorkOS
+```typescript
+upstream: {
+  provider: 'workos',
+  apiKey: process.env.WORKOS_API_KEY,
+  clientId: process.env.WORKOS_CLIENT_ID,
+}
+```
+### Custom Provider
+```typescript
+upstream: {
+  provider: 'custom',
+  apiKey: 'your-client-secret',
+  clientId: 'your-client-id',
+  authorizationEndpoint: 'https://auth.example.com/authorize',
+  tokenEndpoint: 'https://auth.example.com/token',
+}
+```
+## PKCE Utilities
+The package also exports PKCE utilities:
+```typescript
+import { generatePkce, verifyCodeChallenge } from '@dotdo/oauth/pkce'
+// Generate PKCE pair
+const { verifier, challenge } = await generatePkce()
+// Verify during token exchange
+const valid = await verifyCodeChallenge(verifier, challenge, 'S256')
+```
+## Architecture
+This package is the **leaf** in the dependency chain:
+```
+@dotdo/oauth (this package - pure OAuth 2.1, storage interface)
+     ↓
+@dotdo/do (depends on @dotdo/oauth, implements DOAuthStorage)
+     ↓
+oauth.do (depends on @dotdo/do for storage)
+     ↓
+dotdo (depends on oauth.do for auth)
+```
+Each layer adds capabilities:
+- **@dotdo/oauth** - OAuth 2.1 primitives, abstract storage interface
+- **@dotdo/do** - Concrete storage using Durable Object SQLite
+- **oauth.do** - High-level auth SDK with session management
+- **dotdo** - Full framework with auth built-in
+## License
+MIT

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * @dotdo/oauth - OAuth 2.1 Server for MCP
+ *
+ * A minimal OAuth 2.1 authorization server implementation designed for
+ * Model Context Protocol (MCP) compatibility with Claude, ChatGPT, and other AI clients.
+ *
+ * This package is the "leaf" in the dependency tree - it has no dependencies on
+ * oauth.do or @dotdo/do, allowing them to depend on it without circular dependencies.
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { createOAuth21Server, MemoryOAuthStorage } from '@dotdo/oauth'
+ *
+ * const server = createOAuth21Server({
+ *   issuer: 'https://mcp.do',
+ *   storage: new MemoryOAuthStorage(),
+ *   upstream: {
+ *     provider: 'workos',
+ *     apiKey: env.WORKOS_API_KEY,
+ *     clientId: env.WORKOS_CLIENT_ID,
+ *   },
+ * })
+ *
+ * // Mount on Hono app
+ * app.route('/', server)
+ * ```
+ *
+ * @example With DO storage (provided by @dotdo/do)
+ * ```typescript
+ * import { createOAuth21Server } from '@dotdo/oauth'
+ * import { DOAuthStorage } from '@dotdo/do/oauth'
+ *
+ * const server = createOAuth21Server({
+ *   issuer: 'https://mcp.do',
+ *   storage: new DOAuthStorage(digitalObject),
+ *   upstream: { ... },
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+export { createOAuth21Server } from './server';
+export type { OAuth21ServerConfig } from './server';
+export { MemoryOAuthStorage } from './storage';
+export type { OAuthStorage, ListOptions } from './storage';
+export { generateCodeVerifier, generateCodeChallenge, verifyCodeChallenge, generatePkce, generateState, generateToken, generateAuthorizationCode, hashClientSecret, verifyClientSecret, base64UrlEncode, base64UrlDecode, constantTimeEqual, } from './pkce';
+export type { OAuthUser, OAuthOrganization, OAuthClient, OAuthAuthorizationCode, OAuthAccessToken, OAuthRefreshToken, OAuthGrant, OAuthServerMetadata, OAuthResourceMetadata, TokenResponse, OAuthError, UpstreamOAuthConfig, } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAC9C,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAG1D,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,QAAQ,CAAA;AAGf,YAAY,EACV,SAAS,EACT,iBAAiB,EACjB,WAAW,EACX,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,mBAAmB,EACnB,qBAAqB,EACrB,aAAa,EACb,UAAU,EACV,mBAAmB,GACpB,MAAM,SAAS,CAAA"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * @dotdo/oauth - OAuth 2.1 Server for MCP
+ *
+ * A minimal OAuth 2.1 authorization server implementation designed for
+ * Model Context Protocol (MCP) compatibility with Claude, ChatGPT, and other AI clients.
+ *
+ * This package is the "leaf" in the dependency tree - it has no dependencies on
+ * oauth.do or @dotdo/do, allowing them to depend on it without circular dependencies.
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { createOAuth21Server, MemoryOAuthStorage } from '@dotdo/oauth'
+ *
+ * const server = createOAuth21Server({
+ *   issuer: 'https://mcp.do',
+ *   storage: new MemoryOAuthStorage(),
+ *   upstream: {
+ *     provider: 'workos',
+ *     apiKey: env.WORKOS_API_KEY,
+ *     clientId: env.WORKOS_CLIENT_ID,
+ *   },
+ * })
+ *
+ * // Mount on Hono app
+ * app.route('/', server)
+ * ```
+ *
+ * @example With DO storage (provided by @dotdo/do)
+ * ```typescript
+ * import { createOAuth21Server } from '@dotdo/oauth'
+ * import { DOAuthStorage } from '@dotdo/do/oauth'
+ *
+ * const server = createOAuth21Server({
+ *   issuer: 'https://mcp.do',
+ *   storage: new DOAuthStorage(digitalObject),
+ *   upstream: { ... },
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+// Server
+export { createOAuth21Server } from './server';
+// Storage
+export { MemoryOAuthStorage } from './storage';
+// PKCE
+export { generateCodeVerifier, generateCodeChallenge, verifyCodeChallenge, generatePkce, generateState, generateToken, generateAuthorizationCode, hashClientSecret, verifyClientSecret, base64UrlEncode, base64UrlDecode, constantTimeEqual, } from './pkce';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,SAAS;AACT,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAG9C,UAAU;AACV,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAG9C,OAAO;AACP,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,QAAQ,CAAA"}

package/dist/pkce.d.ts ADDED Viewed

@@ -0,0 +1,103 @@
+/**
+ * @dotdo/oauth - PKCE (Proof Key for Code Exchange) utilities
+ *
+ * OAuth 2.1 requires PKCE for all authorization code flows.
+ * Only S256 is supported (plain is deprecated in OAuth 2.1).
+ */
+/**
+ * Generate a cryptographically random code verifier
+ *
+ * Per RFC 7636, the verifier must be:
+ * - Between 43 and 128 characters long
+ * - Using only unreserved URI characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
+ *
+ * @param length - Length of the verifier (default: 64)
+ * @returns Random code verifier string
+ */
+export declare function generateCodeVerifier(length?: number): string;
+/**
+ * Generate a code challenge from a code verifier using S256 method
+ *
+ * S256: BASE64URL(SHA256(code_verifier))
+ *
+ * @param verifier - The code verifier
+ * @returns Base64URL-encoded SHA-256 hash of the verifier
+ */
+export declare function generateCodeChallenge(verifier: string): Promise<string>;
+/**
+ * Verify a code verifier against a code challenge
+ *
+ * @param verifier - The code verifier from the token request
+ * @param challenge - The code challenge from the authorization request
+ * @param method - The challenge method (must be 'S256' for OAuth 2.1)
+ * @returns True if the verifier matches the challenge
+ */
+export declare function verifyCodeChallenge(verifier: string, challenge: string, method?: string): Promise<boolean>;
+/**
+ * Generate a PKCE pair (verifier and challenge)
+ *
+ * @param length - Length of the verifier (default: 64)
+ * @returns Object with verifier and challenge
+ */
+export declare function generatePkce(length?: number): Promise<{
+    verifier: string;
+    challenge: string;
+}>;
+/**
+ * Base64URL encode an ArrayBuffer
+ *
+ * @param buffer - The buffer to encode
+ * @returns Base64URL-encoded string (no padding)
+ */
+export declare function base64UrlEncode(buffer: ArrayBuffer): string;
+/**
+ * Base64URL decode a string to ArrayBuffer
+ *
+ * @param str - Base64URL-encoded string
+ * @returns Decoded ArrayBuffer
+ */
+export declare function base64UrlDecode(str: string): ArrayBuffer;
+/**
+ * Constant-time string comparison to prevent timing attacks
+ *
+ * @param a - First string
+ * @param b - Second string
+ * @returns True if strings are equal
+ */
+export declare function constantTimeEqual(a: string, b: string): boolean;
+/**
+ * Generate a random state parameter for CSRF protection
+ *
+ * @param length - Length of the state (default: 32)
+ * @returns Random state string
+ */
+export declare function generateState(length?: number): string;
+/**
+ * Generate a random token (for access tokens, refresh tokens, etc.)
+ *
+ * @param length - Length of the token (default: 32)
+ * @returns Random token string
+ */
+export declare function generateToken(length?: number): string;
+/**
+ * Generate a unique authorization code
+ *
+ * @returns Random authorization code
+ */
+export declare function generateAuthorizationCode(): string;
+/**
+ * Hash a client secret for storage
+ *
+ * @param secret - The client secret to hash
+ * @returns SHA-256 hash of the secret
+ */
+export declare function hashClientSecret(secret: string): Promise<string>;
+/**
+ * Verify a client secret against a hash
+ *
+ * @param secret - The client secret to verify
+ * @param hash - The stored hash
+ * @returns True if the secret matches the hash
+ */
+export declare function verifyClientSecret(secret: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/pkce.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../src/pkce.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAehE;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK7E;AAED;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,MAAe,GACtB,OAAO,CAAC,OAAO,CAAC,CAQlB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,MAAM,GAAE,MAAW,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAIxG;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAU3D;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAWxD;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAW/D;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAWzD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAWzD;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,CAElD;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGvF"}

package/dist/pkce.js ADDED Viewed

@@ -0,0 +1,186 @@
+/**
+ * @dotdo/oauth - PKCE (Proof Key for Code Exchange) utilities
+ *
+ * OAuth 2.1 requires PKCE for all authorization code flows.
+ * Only S256 is supported (plain is deprecated in OAuth 2.1).
+ */
+/**
+ * Generate a cryptographically random code verifier
+ *
+ * Per RFC 7636, the verifier must be:
+ * - Between 43 and 128 characters long
+ * - Using only unreserved URI characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
+ *
+ * @param length - Length of the verifier (default: 64)
+ * @returns Random code verifier string
+ */
+export function generateCodeVerifier(length = 64) {
+    if (length < 43 || length > 128) {
+        throw new Error('Code verifier length must be between 43 and 128 characters');
+    }
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+    const randomValues = new Uint8Array(length);
+    crypto.getRandomValues(randomValues);
+    let verifier = '';
+    for (let i = 0; i < length; i++) {
+        verifier += chars[randomValues[i] % chars.length];
+    }
+    return verifier;
+}
+/**
+ * Generate a code challenge from a code verifier using S256 method
+ *
+ * S256: BASE64URL(SHA256(code_verifier))
+ *
+ * @param verifier - The code verifier
+ * @returns Base64URL-encoded SHA-256 hash of the verifier
+ */
+export async function generateCodeChallenge(verifier) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    return base64UrlEncode(hashBuffer);
+}
+/**
+ * Verify a code verifier against a code challenge
+ *
+ * @param verifier - The code verifier from the token request
+ * @param challenge - The code challenge from the authorization request
+ * @param method - The challenge method (must be 'S256' for OAuth 2.1)
+ * @returns True if the verifier matches the challenge
+ */
+export async function verifyCodeChallenge(verifier, challenge, method = 'S256') {
+    if (method !== 'S256') {
+        // OAuth 2.1 only supports S256
+        return false;
+    }
+    const expectedChallenge = await generateCodeChallenge(verifier);
+    return constantTimeEqual(expectedChallenge, challenge);
+}
+/**
+ * Generate a PKCE pair (verifier and challenge)
+ *
+ * @param length - Length of the verifier (default: 64)
+ * @returns Object with verifier and challenge
+ */
+export async function generatePkce(length = 64) {
+    const verifier = generateCodeVerifier(length);
+    const challenge = await generateCodeChallenge(verifier);
+    return { verifier, challenge };
+}
+/**
+ * Base64URL encode an ArrayBuffer
+ *
+ * @param buffer - The buffer to encode
+ * @returns Base64URL-encoded string (no padding)
+ */
+export function base64UrlEncode(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+/**
+ * Base64URL decode a string to ArrayBuffer
+ *
+ * @param str - Base64URL-encoded string
+ * @returns Decoded ArrayBuffer
+ */
+export function base64UrlDecode(str) {
+    // Add padding if needed
+    const padded = str + '='.repeat((4 - (str.length % 4)) % 4);
+    // Convert from base64url to base64
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+}
+/**
+ * Constant-time string comparison to prevent timing attacks
+ *
+ * @param a - First string
+ * @param b - Second string
+ * @returns True if strings are equal
+ */
+export function constantTimeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+/**
+ * Generate a random state parameter for CSRF protection
+ *
+ * @param length - Length of the state (default: 32)
+ * @returns Random state string
+ */
+export function generateState(length = 32) {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    const randomValues = new Uint8Array(length);
+    crypto.getRandomValues(randomValues);
+    let state = '';
+    for (let i = 0; i < length; i++) {
+        state += chars[randomValues[i] % chars.length];
+    }
+    return state;
+}
+/**
+ * Generate a random token (for access tokens, refresh tokens, etc.)
+ *
+ * @param length - Length of the token (default: 32)
+ * @returns Random token string
+ */
+export function generateToken(length = 32) {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    const randomValues = new Uint8Array(length);
+    crypto.getRandomValues(randomValues);
+    let token = '';
+    for (let i = 0; i < length; i++) {
+        token += chars[randomValues[i] % chars.length];
+    }
+    return token;
+}
+/**
+ * Generate a unique authorization code
+ *
+ * @returns Random authorization code
+ */
+export function generateAuthorizationCode() {
+    return generateToken(48);
+}
+/**
+ * Hash a client secret for storage
+ *
+ * @param secret - The client secret to hash
+ * @returns SHA-256 hash of the secret
+ */
+export async function hashClientSecret(secret) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(secret);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    return base64UrlEncode(hashBuffer);
+}
+/**
+ * Verify a client secret against a hash
+ *
+ * @param secret - The client secret to verify
+ * @param hash - The stored hash
+ * @returns True if the secret matches the hash
+ */
+export async function verifyClientSecret(secret, hash) {
+    const expectedHash = await hashClientSecret(secret);
+    return constantTimeEqual(expectedHash, hash);
+}
+//# sourceMappingURL=pkce.js.map

package/dist/pkce.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce.js","sourceRoot":"","sources":["../src/pkce.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB,EAAE;IACtD,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,KAAK,GAAG,oEAAoE,CAAA;IAClF,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC3C,MAAM,CAAC,eAAe,CAAC,YAAY,CAAC,CAAA;IAEpC,IAAI,QAAQ,GAAG,EAAE,CAAA;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,QAAQ,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,CAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;IACpD,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,QAAgB;IAC1D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC9D,OAAO,eAAe,CAAC,UAAU,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,SAAiB,EACjB,SAAiB,MAAM;IAEvB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,+BAA+B;QAC/B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,iBAAiB,GAAG,MAAM,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IAC/D,OAAO,iBAAiB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAA;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE;IACpD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IACvD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAA;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,MAAmB;IACjD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC;SAChB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AACvB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,wBAAwB;IACxB,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;IAC3D,mCAAmC;IACnC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAA;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAA;AACrB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7C,CAAC;IAED,OAAO,MAAM,KAAK,CAAC,CAAA;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE;IAC/C,MAAM,KAAK,GAAG,gEAAgE,CAAA;IAC9E,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC3C,MAAM,CAAC,eAAe,CAAC,YAAY,CAAC,CAAA;IAEpC,IAAI,KAAK,GAAG,EAAE,CAAA;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,KAAK,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,CAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;IACjD,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE;IAC/C,MAAM,KAAK,GAAG,gEAAgE,CAAA;IAC9E,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC3C,MAAM,CAAC,eAAe,CAAC,YAAY,CAAC,CAAA;IAEpC,IAAI,KAAK,GAAG,EAAE,CAAA;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,KAAK,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,CAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;IACjD,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO,aAAa,CAAC,EAAE,CAAC,CAAA;AAC1B,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAAc;IACnD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC9D,OAAO,eAAe,CAAC,UAAU,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc,EAAE,IAAY;IACnE,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAA;IACnD,OAAO,iBAAiB,CAAC,YAAY,EAAE,IAAI,CAAC,CAAA;AAC9C,CAAC"}

package/dist/server.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+/**
+ * @dotdo/oauth - OAuth 2.1 Server Implementation
+ *
+ * Creates a Hono app that implements OAuth 2.1 authorization server endpoints:
+ * - /.well-known/oauth-authorization-server (RFC 8414)
+ * - /.well-known/oauth-protected-resource (draft-ietf-oauth-resource-metadata)
+ * - /authorize (authorization endpoint)
+ * - /callback (upstream OAuth callback)
+ * - /token (token endpoint)
+ * - /register (dynamic client registration - RFC 7591)
+ * - /revoke (token revocation - RFC 7009)
+ *
+ * This server acts as a federated OAuth 2.1 server:
+ * - It is an OAuth SERVER to downstream clients (Claude, ChatGPT, etc.)
+ * - It is an OAuth CLIENT to upstream providers (WorkOS, Auth0, etc.)
+ */
+import { Hono } from 'hono';
+import type { OAuthStorage } from './storage';
+import type { OAuthUser, UpstreamOAuthConfig } from './types';
+/**
+ * Configuration for the OAuth 2.1 server
+ */
+export interface OAuth21ServerConfig {
+    /** Server issuer URL (e.g., https://mcp.do) */
+    issuer: string;
+    /** Storage backend for users, clients, tokens */
+    storage: OAuthStorage;
+    /** Upstream OAuth provider configuration */
+    upstream: UpstreamOAuthConfig;
+    /** Supported scopes */
+    scopes?: string[];
+    /** Access token lifetime in seconds (default: 3600) */
+    accessTokenTtl?: number;
+    /** Refresh token lifetime in seconds (default: 2592000 = 30 days) */
+    refreshTokenTtl?: number;
+    /** Authorization code lifetime in seconds (default: 600 = 10 minutes) */
+    authCodeTtl?: number;
+    /** Enable dynamic client registration */
+    enableDynamicRegistration?: boolean;
+    /** Callback after successful user authentication */
+    onUserAuthenticated?: (user: OAuthUser) => void | Promise<void>;
+    /** Enable debug logging */
+    debug?: boolean;
+}
+/**
+ * Create an OAuth 2.1 server as a Hono app
+ *
+ * @example
+ * ```typescript
+ * import { createOAuth21Server, MemoryOAuthStorage } from '@dotdo/oauth'
+ *
+ * const oauthServer = createOAuth21Server({
+ *   issuer: 'https://mcp.do',
+ *   storage: new MemoryOAuthStorage(),
+ *   upstream: {
+ *     provider: 'workos',
+ *     apiKey: env.WORKOS_API_KEY,
+ *     clientId: env.WORKOS_CLIENT_ID,
+ *   },
+ * })
+ *
+ * // Mount on your main app
+ * app.route('/', oauthServer)
+ * ```
+ */
+export declare function createOAuth21Server(config: OAuth21ServerConfig): Hono;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAE3B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AAC7C,OAAO,KAAK,EAIV,SAAS,EAGT,mBAAmB,EACpB,MAAM,SAAS,CAAA;AAShB;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,iDAAiD;IACjD,OAAO,EAAE,YAAY,CAAA;IACrB,4CAA4C;IAC5C,QAAQ,EAAE,mBAAmB,CAAA;IAC7B,uBAAuB;IACvB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,uDAAuD;IACvD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,yEAAyE;IACzE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,yCAAyC;IACzC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,oDAAoD;IACpD,mBAAmB,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/D,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAA;CAChB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,mBAAmB,GAAG,IAAI,CAuXrE"}