@elnora-ai/mcp-server 0.2.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +27 -0
- package/dist/auth/clients-store.d.ts +1 -0
- package/dist/auth/clients-store.d.ts.map +1 -1
- package/dist/auth/clients-store.js +13 -1
- package/dist/auth/clients-store.js.map +1 -1
- package/dist/auth/provider.d.ts +2 -19
- package/dist/auth/provider.d.ts.map +1 -1
- package/dist/auth/provider.js +61 -19
- package/dist/auth/provider.js.map +1 -1
- package/dist/constants.d.ts +2 -3
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +18 -3
- package/dist/constants.js.map +1 -1
- package/dist/index.js +155 -24
- package/dist/index.js.map +1 -1
- package/dist/middleware/cors.js +1 -1
- package/dist/middleware/cors.js.map +1 -1
- package/dist/middleware/rate-limiter.d.ts.map +1 -1
- package/dist/middleware/rate-limiter.js +2 -1
- package/dist/middleware/rate-limiter.js.map +1 -1
- package/dist/middleware/tool-logging.d.ts +14 -0
- package/dist/middleware/tool-logging.d.ts.map +1 -1
- package/dist/middleware/tool-logging.js +49 -4
- package/dist/middleware/tool-logging.js.map +1 -1
- package/dist/server.d.ts +2 -2
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +29 -2
- package/dist/server.js.map +1 -1
- package/dist/services/elnora-api-client.d.ts +12 -18
- package/dist/services/elnora-api-client.d.ts.map +1 -1
- package/dist/services/elnora-api-client.js +34 -42
- package/dist/services/elnora-api-client.js.map +1 -1
- package/dist/services/error-handler.d.ts.map +1 -1
- package/dist/services/error-handler.js +5 -6
- package/dist/services/error-handler.js.map +1 -1
- package/dist/tools/account.d.ts +5 -0
- package/dist/tools/account.d.ts.map +1 -0
- package/dist/tools/account.js +70 -0
- package/dist/tools/account.js.map +1 -0
- package/dist/tools/api-keys.d.ts +5 -0
- package/dist/tools/api-keys.d.ts.map +1 -0
- package/dist/tools/api-keys.js +53 -0
- package/dist/tools/api-keys.js.map +1 -0
- package/dist/tools/audit.d.ts +5 -0
- package/dist/tools/audit.d.ts.map +1 -0
- package/dist/tools/audit.js +28 -0
- package/dist/tools/audit.js.map +1 -0
- package/dist/tools/feedback.d.ts +5 -0
- package/dist/tools/feedback.d.ts.map +1 -0
- package/dist/tools/feedback.js +23 -0
- package/dist/tools/feedback.js.map +1 -0
- package/dist/tools/files.d.ts.map +1 -1
- package/dist/tools/files.js +275 -17
- package/dist/tools/files.js.map +1 -1
- package/dist/tools/flags.d.ts +5 -0
- package/dist/tools/flags.d.ts.map +1 -0
- package/dist/tools/flags.js +36 -0
- package/dist/tools/flags.js.map +1 -0
- package/dist/tools/folders.d.ts +5 -0
- package/dist/tools/folders.d.ts.map +1 -0
- package/dist/tools/folders.js +90 -0
- package/dist/tools/folders.js.map +1 -0
- package/dist/tools/health.d.ts +5 -0
- package/dist/tools/health.d.ts.map +1 -0
- package/dist/tools/health.js +19 -0
- package/dist/tools/health.js.map +1 -0
- package/dist/tools/library.d.ts +5 -0
- package/dist/tools/library.d.ts.map +1 -0
- package/dist/tools/library.js +93 -0
- package/dist/tools/library.js.map +1 -0
- package/dist/tools/messages.d.ts.map +1 -1
- package/dist/tools/messages.js +3 -10
- package/dist/tools/messages.js.map +1 -1
- package/dist/tools/orgs.d.ts +5 -0
- package/dist/tools/orgs.d.ts.map +1 -0
- package/dist/tools/orgs.js +221 -0
- package/dist/tools/orgs.js.map +1 -0
- package/dist/tools/projects.d.ts +5 -0
- package/dist/tools/projects.d.ts.map +1 -0
- package/dist/tools/projects.js +177 -0
- package/dist/tools/projects.js.map +1 -0
- package/dist/tools/protocols.d.ts.map +1 -1
- package/dist/tools/protocols.js +9 -24
- package/dist/tools/protocols.js.map +1 -1
- package/dist/tools/scope-guard.d.ts +0 -8
- package/dist/tools/scope-guard.d.ts.map +1 -1
- package/dist/tools/scope-guard.js +85 -10
- package/dist/tools/scope-guard.js.map +1 -1
- package/dist/tools/search.d.ts +5 -0
- package/dist/tools/search.d.ts.map +1 -0
- package/dist/tools/search.js +60 -0
- package/dist/tools/search.js.map +1 -0
- package/dist/tools/tasks.d.ts.map +1 -1
- package/dist/tools/tasks.js +83 -29
- package/dist/tools/tasks.js.map +1 -1
- package/dist/tools/with-guard.d.ts.map +1 -1
- package/dist/tools/with-guard.js +21 -6
- package/dist/tools/with-guard.js.map +1 -1
- package/dist/types.d.ts +0 -43
- package/dist/types.d.ts.map +1 -1
- package/package.json +2 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,33 @@ All notable changes to the Elnora MCP Server will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/).
|
|
7
7
|
|
|
8
|
+
## [0.4.0](https://github.com/Elnora-AI/elnora-mcp-server/compare/mcp-server-v0.3.0...mcp-server-v0.4.0) (2026-03-06)
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
### Features
|
|
12
|
+
|
|
13
|
+
* add API key auth, expand tool coverage, and harden security ([#11](https://github.com/Elnora-AI/elnora-mcp-server/issues/11)) ([3d51d39](https://github.com/Elnora-AI/elnora-mcp-server/commit/3d51d393b800f80f2489a5d49223015948f5b559))
|
|
14
|
+
|
|
15
|
+
## [0.3.0](https://github.com/Elnora-AI/elnora-mcp-server/compare/mcp-server-v0.2.0...mcp-server-v0.3.0) (2026-03-05)
|
|
16
|
+
|
|
17
|
+
|
|
18
|
+
### Features
|
|
19
|
+
|
|
20
|
+
* add release-please for automatic changelog and npm publishing ([#9](https://github.com/Elnora-AI/elnora-mcp-server/issues/9)) ([3812bc2](https://github.com/Elnora-AI/elnora-mcp-server/commit/3812bc22cdfb832710d947895209b98aba178570))
|
|
21
|
+
* **auth:** OAuth 2.1 proxy AS with SDK v1.27 ([#5](https://github.com/Elnora-AI/elnora-mcp-server/issues/5)) ([4151229](https://github.com/Elnora-AI/elnora-mcp-server/commit/41512290fa1c1690adeb08a32040c78fd712e175))
|
|
22
|
+
* initial release of Elnora MCP Server ([a9a17f9](https://github.com/Elnora-AI/elnora-mcp-server/commit/a9a17f90a127aec7c98f62d43549a33a60ce893e))
|
|
23
|
+
* prepare for MCP Registry registration ([#2](https://github.com/Elnora-AI/elnora-mcp-server/issues/2)) ([3ecf8fc](https://github.com/Elnora-AI/elnora-mcp-server/commit/3ecf8fc803b1b7dba4333faf5eca44766cc70c6a))
|
|
24
|
+
|
|
25
|
+
|
|
26
|
+
### Bug Fixes
|
|
27
|
+
|
|
28
|
+
* **ci:** re-add --provenance flag now that repo is public ([9da065b](https://github.com/Elnora-AI/elnora-mcp-server/commit/9da065bbd52859bd969f00c8604d596e2a889976))
|
|
29
|
+
* **ci:** remove --provenance flag for private repo npm publish ([325d405](https://github.com/Elnora-AI/elnora-mcp-server/commit/325d4051ae19a760d0a84bcd3cf321ea8e802b30))
|
|
30
|
+
* **ci:** skip CodeQL on private repos ([abdf017](https://github.com/Elnora-AI/elnora-mcp-server/commit/abdf017fb229c84a7f07c5d1a3e235c5ad7f1d93))
|
|
31
|
+
* **docs:** correct MCP transport type in client setup instructions ([#4](https://github.com/Elnora-AI/elnora-mcp-server/issues/4)) ([191128a](https://github.com/Elnora-AI/elnora-mcp-server/commit/191128a0d609b2199520145bc8f0d2e7415d3ee0))
|
|
32
|
+
* raise limits for real-world usage, add MCP spec-compliant 405 handlers ([#6](https://github.com/Elnora-AI/elnora-mcp-server/issues/6)) ([05c393c](https://github.com/Elnora-AI/elnora-mcp-server/commit/05c393cd7ce3c6a09962572dfb97e349b643806d))
|
|
33
|
+
* use correct transport type key in server.json remotes ([#3](https://github.com/Elnora-AI/elnora-mcp-server/issues/3)) ([518fc62](https://github.com/Elnora-AI/elnora-mcp-server/commit/518fc62093cfa294950c8b1a0abc450aca6b4a49))
|
|
34
|
+
|
|
8
35
|
## [Unreleased]
|
|
9
36
|
|
|
10
37
|
## [0.1.0] - 2026-02-27
|
|
@@ -7,6 +7,7 @@ import { OAuthClientInformationFull } from "@modelcontextprotocol/sdk/shared/aut
|
|
|
7
7
|
*/
|
|
8
8
|
export declare class InMemoryClientsStore implements OAuthRegisteredClientsStore {
|
|
9
9
|
private clients;
|
|
10
|
+
constructor();
|
|
10
11
|
getClient(clientId: string): OAuthClientInformationFull | undefined;
|
|
11
12
|
registerClient(client: Omit<OAuthClientInformationFull, "client_id" | "client_id_issued_at">): OAuthClientInformationFull;
|
|
12
13
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"clients-store.d.ts","sourceRoot":"","sources":["../../src/auth/clients-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAGtF;;;;GAIG;AACH,qBAAa,oBAAqB,YAAW,2BAA2B;IACtE,OAAO,CAAC,OAAO,CAAiD
|
|
1
|
+
{"version":3,"file":"clients-store.d.ts","sourceRoot":"","sources":["../../src/auth/clients-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAGtF;;;;GAIG;AACH,qBAAa,oBAAqB,YAAW,2BAA2B;IACtE,OAAO,CAAC,OAAO,CAAiD;;IAchE,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,0BAA0B,GAAG,SAAS;IAanE,cAAc,CACZ,MAAM,EAAE,IAAI,CAAC,0BAA0B,EAAE,WAAW,GAAG,qBAAqB,CAAC,GAC5E,0BAA0B;CAgB9B"}
|
|
@@ -7,12 +7,24 @@ import { CLIENT_SECRET_TTL_SECONDS } from "../constants.js";
|
|
|
7
7
|
*/
|
|
8
8
|
export class InMemoryClientsStore {
|
|
9
9
|
clients = new Map();
|
|
10
|
+
constructor() {
|
|
11
|
+
// Periodically evict expired clients to prevent unbounded memory growth
|
|
12
|
+
setInterval(() => {
|
|
13
|
+
const now = Math.floor(Date.now() / 1000);
|
|
14
|
+
for (const [id, client] of this.clients) {
|
|
15
|
+
if (client.client_secret_expires_at && client.client_secret_expires_at < now) {
|
|
16
|
+
this.clients.delete(id);
|
|
17
|
+
}
|
|
18
|
+
}
|
|
19
|
+
}, CLIENT_SECRET_TTL_SECONDS * 1000 / 10).unref(); // Run ~every 9 days
|
|
20
|
+
}
|
|
10
21
|
getClient(clientId) {
|
|
11
22
|
const client = this.clients.get(clientId);
|
|
12
23
|
if (!client)
|
|
13
24
|
return undefined;
|
|
14
|
-
// Check secret expiration
|
|
25
|
+
// Check secret expiration
|
|
15
26
|
if (client.client_secret_expires_at && client.client_secret_expires_at < Math.floor(Date.now() / 1000)) {
|
|
27
|
+
this.clients.delete(clientId);
|
|
16
28
|
return undefined;
|
|
17
29
|
}
|
|
18
30
|
return client;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"clients-store.js","sourceRoot":"","sources":["../../src/auth/clients-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAGjC,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D;;;;GAIG;AACH,MAAM,OAAO,oBAAoB;IACvB,OAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;IAEhE,SAAS,CAAC,QAAgB;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAE9B,
|
|
1
|
+
{"version":3,"file":"clients-store.js","sourceRoot":"","sources":["../../src/auth/clients-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAGjC,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D;;;;GAIG;AACH,MAAM,OAAO,oBAAoB;IACvB,OAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;IAEhE;QACE,wEAAwE;QACxE,WAAW,CAAC,GAAG,EAAE;YACf,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACxC,IAAI,MAAM,CAAC,wBAAwB,IAAI,MAAM,CAAC,wBAAwB,GAAG,GAAG,EAAE,CAAC;oBAC7E,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC,EAAE,yBAAyB,GAAG,IAAI,GAAG,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,oBAAoB;IACzE,CAAC;IAED,SAAS,CAAC,QAAgB;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAE9B,0BAA0B;QAC1B,IAAI,MAAM,CAAC,wBAAwB,IAAI,MAAM,CAAC,wBAAwB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YACvG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,cAAc,CACZ,MAA6E;QAE7E,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACrC,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,MAAM,UAAU,GAA+B;YAC7C,GAAG,MAAM;YACT,SAAS,EAAE,QAAQ;YACnB,mBAAmB,EAAE,GAAG;YACxB,aAAa,EAAE,YAAY;YAC3B,wBAAwB,EAAE,GAAG,GAAG,yBAAyB;SAC1D,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC;IACpB,CAAC;CACF"}
|
package/dist/auth/provider.d.ts
CHANGED
|
@@ -4,29 +4,12 @@ import { OAuthRegisteredClientsStore } from "@modelcontextprotocol/sdk/server/au
|
|
|
4
4
|
import { OAuthClientInformationFull, OAuthTokens, OAuthTokenRevocationRequest } from "@modelcontextprotocol/sdk/shared/auth.js";
|
|
5
5
|
import { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
|
|
6
6
|
import { ElnoraConfig } from "../types.js";
|
|
7
|
-
/**
|
|
8
|
-
* OAuth 2.1 provider that proxies to the Elnora platform auth system.
|
|
9
|
-
*
|
|
10
|
-
* Flow:
|
|
11
|
-
* 1. MCP client calls /authorize → provider redirects to Elnora platform login
|
|
12
|
-
* 2. User authenticates on platform → platform redirects back with platform auth code
|
|
13
|
-
* 3. MCP server exchanges platform code for platform token
|
|
14
|
-
* 4. MCP server issues its own access + refresh tokens, mapped to the platform token
|
|
15
|
-
* 5. On token validation, the provider checks its own token store and validates
|
|
16
|
-
* the underlying platform token hasn't been revoked
|
|
17
|
-
*
|
|
18
|
-
* CoSAI controls:
|
|
19
|
-
* - MCP-T1: PKCE S256 mandatory (handled by SDK)
|
|
20
|
-
* - MCP-T1: No token passthrough — MCP tokens are separate from platform tokens
|
|
21
|
-
* - MCP-T7: Short-lived access tokens (1h), refresh token rotation
|
|
22
|
-
* - MCP-T9: Audience binding via resource parameter
|
|
23
|
-
* - MCP-T12: Auth event logging
|
|
24
|
-
*/
|
|
25
7
|
export declare class ElnoraOAuthProvider implements OAuthServerProvider {
|
|
26
8
|
private _clientsStore;
|
|
27
9
|
private authSessions;
|
|
28
10
|
private tokenRecords;
|
|
29
11
|
private refreshTokenIndex;
|
|
12
|
+
private validationCache;
|
|
30
13
|
private config;
|
|
31
14
|
constructor(config: ElnoraConfig);
|
|
32
15
|
get clientsStore(): OAuthRegisteredClientsStore;
|
|
@@ -37,7 +20,7 @@ export declare class ElnoraOAuthProvider implements OAuthServerProvider {
|
|
|
37
20
|
*/
|
|
38
21
|
authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
|
|
39
22
|
challengeForAuthorizationCode(_client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
|
|
40
|
-
exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string,
|
|
23
|
+
exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string, redirectUri?: string, resource?: URL): Promise<OAuthTokens>;
|
|
41
24
|
exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: URL): Promise<OAuthTokens>;
|
|
42
25
|
verifyAccessToken(token: string): Promise<AuthInfo>;
|
|
43
26
|
revokeToken(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7G,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EACL,0BAA0B,EAC1B,WAAW,EACX,2BAA2B,EAC5B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAE1E,OAAO,EAAE,YAAY,EAAqC,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7G,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EACL,0BAA0B,EAC1B,WAAW,EACX,2BAA2B,EAC5B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAE1E,OAAO,EAAE,YAAY,EAAqC,MAAM,aAAa,CAAC;AA8B9E,qBAAa,mBAAoB,YAAW,mBAAmB;IAC7D,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,YAAY,CAA2C;IAC/D,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,iBAAiB,CAA6B;IACtD,OAAO,CAAC,eAAe,CAA6B;IACpD,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,EAAE,YAAY;IAKhC,IAAI,YAAY,IAAI,2BAA2B,CAE9C;IAED;;;;OAIG;IACG,SAAS,CAAC,MAAM,EAAE,0BAA0B,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IA2BxG,6BAA6B,CACjC,OAAO,EAAE,0BAA0B,EACnC,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,MAAM,CAAC;IAQZ,yBAAyB,CAC7B,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,EACzB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IA8CjB,oBAAoB,CACxB,MAAM,EAAE,0BAA0B,EAClC,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,MAAM,EAAE,EACjB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAsCjB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAgEnD,WAAW,CACf,MAAM,EAAE,0BAA0B,EAClC,OAAO,EAAE,2BAA2B,GACnC,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;OAGG;IACH,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAYnE;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAc7C,OAAO,CAAC,WAAW;CAyCpB"}
|
package/dist/auth/provider.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import crypto from "node:crypto";
|
|
2
2
|
import axios from "axios";
|
|
3
3
|
import { InMemoryClientsStore } from "./clients-store.js";
|
|
4
|
+
import { logAuthEvent } from "../middleware/tool-logging.js";
|
|
4
5
|
import { ACCESS_TOKEN_TTL_SECONDS, REFRESH_TOKEN_TTL_SECONDS, AUTH_CODE_TTL_SECONDS, REQUEST_TIMEOUT_MS, } from "../constants.js";
|
|
5
6
|
/**
|
|
6
7
|
* OAuth 2.1 provider that proxies to the Elnora platform auth system.
|
|
@@ -20,11 +21,14 @@ import { ACCESS_TOKEN_TTL_SECONDS, REFRESH_TOKEN_TTL_SECONDS, AUTH_CODE_TTL_SECO
|
|
|
20
21
|
* - MCP-T9: Audience binding via resource parameter
|
|
21
22
|
* - MCP-T12: Auth event logging
|
|
22
23
|
*/
|
|
24
|
+
/** TTL for platform token validation cache (seconds) */
|
|
25
|
+
const VALIDATION_CACHE_TTL_SECONDS = 30;
|
|
23
26
|
export class ElnoraOAuthProvider {
|
|
24
27
|
_clientsStore;
|
|
25
28
|
authSessions = new Map();
|
|
26
29
|
tokenRecords = new Map();
|
|
27
30
|
refreshTokenIndex = new Map(); // refreshToken -> accessToken
|
|
31
|
+
validationCache = new Map(); // accessToken -> validatedAt (epoch seconds)
|
|
28
32
|
config;
|
|
29
33
|
constructor(config) {
|
|
30
34
|
this.config = config;
|
|
@@ -50,14 +54,14 @@ export class ElnoraOAuthProvider {
|
|
|
50
54
|
resource: params.resource?.toString(),
|
|
51
55
|
createdAt: Date.now(),
|
|
52
56
|
});
|
|
53
|
-
// Schedule cleanup of expired sessions
|
|
54
|
-
setTimeout(() => this.authSessions.delete(authCode), AUTH_CODE_TTL_SECONDS * 1000);
|
|
57
|
+
// Schedule cleanup of expired sessions (unref so timer doesn't pin process)
|
|
58
|
+
setTimeout(() => this.authSessions.delete(authCode), AUTH_CODE_TTL_SECONDS * 1000).unref();
|
|
55
59
|
// Redirect to Elnora platform login
|
|
56
60
|
const loginUrl = new URL(this.config.loginUrl);
|
|
57
61
|
loginUrl.searchParams.set("mcp_code", authCode);
|
|
58
62
|
loginUrl.searchParams.set("redirect_uri", `${this.config.publicUrl}/oauth/callback`);
|
|
59
63
|
loginUrl.searchParams.set("client_id", this.config.platformClientId);
|
|
60
|
-
|
|
64
|
+
logAuthEvent("authorize_redirect", client.client_id);
|
|
61
65
|
res.redirect(loginUrl.toString());
|
|
62
66
|
}
|
|
63
67
|
async challengeForAuthorizationCode(_client, authorizationCode) {
|
|
@@ -67,7 +71,7 @@ export class ElnoraOAuthProvider {
|
|
|
67
71
|
}
|
|
68
72
|
return session.codeChallenge;
|
|
69
73
|
}
|
|
70
|
-
async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier,
|
|
74
|
+
async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, redirectUri, resource) {
|
|
71
75
|
const session = this.authSessions.get(authorizationCode);
|
|
72
76
|
if (!session) {
|
|
73
77
|
throw new Error("Invalid or expired authorization code");
|
|
@@ -75,21 +79,29 @@ export class ElnoraOAuthProvider {
|
|
|
75
79
|
if (session.clientId !== client.client_id) {
|
|
76
80
|
throw new Error("Authorization code was not issued to this client");
|
|
77
81
|
}
|
|
82
|
+
// Validate redirect_uri matches the one from the authorization request (RFC 6749 §4.1.3)
|
|
83
|
+
if (redirectUri && redirectUri !== session.redirectUri) {
|
|
84
|
+
logAuthEvent("redirect_uri_mismatch", client.client_id);
|
|
85
|
+
throw new Error("redirect_uri does not match the authorization request");
|
|
86
|
+
}
|
|
78
87
|
// Delete the auth code — single use only
|
|
79
88
|
this.authSessions.delete(authorizationCode);
|
|
89
|
+
if (!session.platformCode) {
|
|
90
|
+
throw new Error("Platform authentication not completed — user must authenticate on the platform first");
|
|
91
|
+
}
|
|
80
92
|
// Exchange with Elnora platform for a platform token
|
|
81
93
|
let platformToken;
|
|
82
94
|
try {
|
|
83
95
|
const response = await axios.post(this.config.tokenExchangeUrl, {
|
|
84
96
|
grant_type: "authorization_code",
|
|
85
|
-
code: session.platformCode
|
|
97
|
+
code: session.platformCode,
|
|
86
98
|
client_id: this.config.platformClientId,
|
|
87
99
|
client_secret: this.config.platformClientSecret,
|
|
88
100
|
}, { timeout: REQUEST_TIMEOUT_MS });
|
|
89
101
|
platformToken = response.data.access_token;
|
|
90
102
|
}
|
|
91
103
|
catch (error) {
|
|
92
|
-
|
|
104
|
+
logAuthEvent("platform_token_exchange_failed", client.client_id, { error: String(error) });
|
|
93
105
|
throw new Error("Failed to exchange authorization code with platform");
|
|
94
106
|
}
|
|
95
107
|
// Issue MCP tokens (separate from platform token — CoSAI MCP-T1)
|
|
@@ -104,10 +116,21 @@ export class ElnoraOAuthProvider {
|
|
|
104
116
|
if (!record || record.clientId !== client.client_id) {
|
|
105
117
|
throw new Error("Invalid refresh token");
|
|
106
118
|
}
|
|
119
|
+
// Validate scope subset constraint (OAuth 2.1: refresh MUST NOT escalate scopes)
|
|
120
|
+
if (scopes && scopes.length > 0) {
|
|
121
|
+
const escalated = scopes.filter((s) => !record.scopes.includes(s));
|
|
122
|
+
if (escalated.length > 0) {
|
|
123
|
+
throw new Error(`Scope escalation not allowed. Requested scopes not in original grant: ${escalated.join(", ")}`);
|
|
124
|
+
}
|
|
125
|
+
}
|
|
107
126
|
// Rotate: delete old tokens
|
|
108
127
|
this.tokenRecords.delete(accessTokenKey);
|
|
109
128
|
this.refreshTokenIndex.delete(refreshToken);
|
|
110
|
-
|
|
129
|
+
this.validationCache.delete(accessTokenKey);
|
|
130
|
+
logAuthEvent("refresh_token_rotation", client.client_id, {
|
|
131
|
+
previousScopes: record.scopes,
|
|
132
|
+
requestedScopes: scopes || record.scopes,
|
|
133
|
+
});
|
|
111
134
|
// Issue new tokens with the same platform token
|
|
112
135
|
return this.issueTokens(client.client_id, scopes || record.scopes, record.platformToken, resource?.toString() || record.resource);
|
|
113
136
|
}
|
|
@@ -118,23 +141,45 @@ export class ElnoraOAuthProvider {
|
|
|
118
141
|
}
|
|
119
142
|
if (record.expiresAt < Math.floor(Date.now() / 1000)) {
|
|
120
143
|
this.tokenRecords.delete(token);
|
|
144
|
+
this.validationCache.delete(token);
|
|
121
145
|
throw new Error("Access token expired");
|
|
122
146
|
}
|
|
147
|
+
// Check validation cache — skip platform round-trip if recently validated
|
|
148
|
+
const now = Math.floor(Date.now() / 1000);
|
|
149
|
+
const cachedAt = this.validationCache.get(token);
|
|
150
|
+
if (cachedAt && (now - cachedAt) < VALIDATION_CACHE_TTL_SECONDS) {
|
|
151
|
+
return {
|
|
152
|
+
token,
|
|
153
|
+
clientId: record.clientId,
|
|
154
|
+
scopes: record.scopes,
|
|
155
|
+
expiresAt: record.expiresAt,
|
|
156
|
+
resource: record.resource ? new URL(record.resource) : undefined,
|
|
157
|
+
extra: { platformToken: record.platformToken },
|
|
158
|
+
};
|
|
159
|
+
}
|
|
123
160
|
// Validate platform token is still valid
|
|
124
161
|
try {
|
|
125
162
|
const validation = await axios.post(this.config.tokenValidationUrl, { token: record.platformToken }, { timeout: REQUEST_TIMEOUT_MS });
|
|
126
163
|
if (!validation.data.valid) {
|
|
127
164
|
this.tokenRecords.delete(token);
|
|
165
|
+
this.validationCache.delete(token);
|
|
128
166
|
throw new Error("Underlying platform token revoked");
|
|
129
167
|
}
|
|
168
|
+
// Cache successful validation
|
|
169
|
+
this.validationCache.set(token, Math.floor(Date.now() / 1000));
|
|
130
170
|
}
|
|
131
171
|
catch (error) {
|
|
172
|
+
// Re-throw our own revocation errors (from the valid:false check above)
|
|
173
|
+
if (error instanceof Error && error.message === "Underlying platform token revoked") {
|
|
174
|
+
throw error;
|
|
175
|
+
}
|
|
132
176
|
if (axios.isAxiosError(error) && error.response?.status === 401) {
|
|
133
177
|
this.tokenRecords.delete(token);
|
|
178
|
+
this.validationCache.delete(token);
|
|
134
179
|
throw new Error("Underlying platform token revoked");
|
|
135
180
|
}
|
|
136
181
|
// Network errors — don't invalidate, just log
|
|
137
|
-
|
|
182
|
+
logAuthEvent("platform_validation_network_error", record.clientId, { error: String(error) });
|
|
138
183
|
}
|
|
139
184
|
return {
|
|
140
185
|
token,
|
|
@@ -152,7 +197,8 @@ export class ElnoraOAuthProvider {
|
|
|
152
197
|
if (record && record.clientId === client.client_id) {
|
|
153
198
|
this.refreshTokenIndex.delete(record.refreshToken);
|
|
154
199
|
this.tokenRecords.delete(token);
|
|
155
|
-
|
|
200
|
+
this.validationCache.delete(token);
|
|
201
|
+
logAuthEvent("access_token_revoked", client.client_id);
|
|
156
202
|
return;
|
|
157
203
|
}
|
|
158
204
|
// Check if it's a refresh token
|
|
@@ -161,8 +207,9 @@ export class ElnoraOAuthProvider {
|
|
|
161
207
|
const rec = this.tokenRecords.get(accessTokenKey);
|
|
162
208
|
if (rec && rec.clientId === client.client_id) {
|
|
163
209
|
this.tokenRecords.delete(accessTokenKey);
|
|
210
|
+
this.validationCache.delete(accessTokenKey);
|
|
164
211
|
this.refreshTokenIndex.delete(token);
|
|
165
|
-
|
|
212
|
+
logAuthEvent("refresh_token_revoked", client.client_id);
|
|
166
213
|
}
|
|
167
214
|
}
|
|
168
215
|
}
|
|
@@ -177,13 +224,7 @@ export class ElnoraOAuthProvider {
|
|
|
177
224
|
}
|
|
178
225
|
// Store the platform code for later exchange
|
|
179
226
|
session.platformCode = platformCode;
|
|
180
|
-
|
|
181
|
-
const redirectUrl = new URL(session.redirectUri);
|
|
182
|
-
redirectUrl.searchParams.set("code", mcpCode);
|
|
183
|
-
if (session.state) {
|
|
184
|
-
redirectUrl.searchParams.set("state", session.state);
|
|
185
|
-
}
|
|
186
|
-
console.error(`[auth] platform callback: completing auth for client ${session.clientId}`);
|
|
227
|
+
logAuthEvent("platform_callback_completed", session.clientId);
|
|
187
228
|
}
|
|
188
229
|
/**
|
|
189
230
|
* Get redirect URL for MCP client after platform callback.
|
|
@@ -221,8 +262,9 @@ export class ElnoraOAuthProvider {
|
|
|
221
262
|
setTimeout(() => {
|
|
222
263
|
this.tokenRecords.delete(accessToken);
|
|
223
264
|
this.refreshTokenIndex.delete(refreshToken);
|
|
224
|
-
|
|
225
|
-
|
|
265
|
+
this.validationCache.delete(accessToken);
|
|
266
|
+
}, cleanupMs).unref();
|
|
267
|
+
logAuthEvent("tokens_issued", clientId, { expiresAt: new Date((now + ACCESS_TOKEN_TTL_SECONDS) * 1000).toISOString() });
|
|
226
268
|
return {
|
|
227
269
|
access_token: accessToken,
|
|
228
270
|
token_type: "Bearer",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,KAAK,MAAM,OAAO,CAAC;AAS1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AAEzB;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,mBAAmB;IACtB,aAAa,CAAuB;IACpC,YAAY,GAAG,IAAI,GAAG,EAAgC,CAAC;IACvD,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,iBAAiB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,8BAA8B;IAC7E,MAAM,CAAe;IAE7B,YAAY,MAAoB;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAClD,CAAC;IAED,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,SAAS,CAAC,MAAkC,EAAE,MAA2B,EAAE,GAAa;QAC5F,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAE9D,mCAAmC;QACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE;YAC9B,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;YAC3B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE;YACrC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,
|
|
1
|
+
{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/auth/provider.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,KAAK,MAAM,OAAO,CAAC;AAS1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AAEzB;;;;;;;;;;;;;;;;;GAiBG;AACH,wDAAwD;AACxD,MAAM,4BAA4B,GAAG,EAAE,CAAC;AAExC,MAAM,OAAO,mBAAmB;IACtB,aAAa,CAAuB;IACpC,YAAY,GAAG,IAAI,GAAG,EAAgC,CAAC;IACvD,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,iBAAiB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,8BAA8B;IAC7E,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,6CAA6C;IAC1F,MAAM,CAAe;IAE7B,YAAY,MAAoB;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAClD,CAAC;IAED,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,SAAS,CAAC,MAAkC,EAAE,MAA2B,EAAE,GAAa;QAC5F,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAE9D,mCAAmC;QACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE;YAC9B,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;YAC3B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE;YACrC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,4EAA4E;QAC5E,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,qBAAqB,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;QAE3F,oCAAoC;QACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC/C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAChD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,iBAAiB,CAAC,CAAC;QACrF,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAErE,YAAY,CAAC,oBAAoB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QACrD,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,6BAA6B,CACjC,OAAmC,EACnC,iBAAyB;QAEzB,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,OAAO,CAAC,aAAa,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,yBAAyB,CAC7B,MAAkC,EAClC,iBAAyB,EACzB,aAAsB,EACtB,WAAoB,EACpB,QAAc;QAEd,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,yFAAyF;QACzF,IAAI,WAAW,IAAI,WAAW,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;YACvD,YAAY,CAAC,uBAAuB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAE5C,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;QAC1G,CAAC;QAED,qDAAqD;QACrD,IAAI,aAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAC/B,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAC5B;gBACE,UAAU,EAAE,oBAAoB;gBAChC,IAAI,EAAE,OAAO,CAAC,YAAY;gBAC1B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBACvC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB;aAChD,EACD,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAChC,CAAC;YACF,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC;QAC7C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,gCAAgC,EAAE,MAAM,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC3F,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QAED,iEAAiE;QACjE,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjG,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAkC,EAClC,YAAoB,EACpB,MAAiB,EACjB,QAAc;QAEd,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,iFAAiF;QACjF,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACnE,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,yEAAyE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACnH,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACzC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC5C,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAE5C,YAAY,CAAC,wBAAwB,EAAE,MAAM,CAAC,SAAS,EAAE;YACvD,cAAc,EAAE,MAAM,CAAC,MAAM;YAC7B,eAAe,EAAE,MAAM,IAAI,MAAM,CAAC,MAAM;SACzC,CAAC,CAAC;QAEH,gDAAgD;QAChD,OAAO,IAAI,CAAC,WAAW,CACrB,MAAM,CAAC,SAAS,EAChB,MAAM,IAAI,MAAM,CAAC,MAAM,EACvB,MAAM,CAAC,aAAa,EACpB,QAAQ,EAAE,QAAQ,EAAE,IAAI,MAAM,CAAC,QAAQ,CACxC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,0EAA0E;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,QAAQ,IAAI,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,4BAA4B,EAAE,CAAC;YAChE,OAAO;gBACL,KAAK;gBACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;gBAChE,KAAK,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE;aAC/C,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,IAAI,CACjC,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAC9B,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,EAAE,EAC/B,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAChC,CAAC;YACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC3B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YACD,8BAA8B;YAC9B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;QACjE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wEAAwE;YACxE,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,KAAK,mCAAmC,EAAE,CAAC;gBACpF,MAAM,KAAK,CAAC;YACd,CAAC;YACD,IAAI,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,MAAM,KAAK,GAAG,EAAE,CAAC;gBAChE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YACD,8CAA8C;YAC9C,YAAY,CAAC,mCAAmC,EAAE,MAAM,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;YAChE,KAAK,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE;SAC/C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAkC,EAClC,OAAoC;QAEpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAE5B,gCAAgC;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACnD,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACnD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,YAAY,CAAC,sBAAsB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzD,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAClD,IAAI,GAAG,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC7C,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;gBACzC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;gBAC5C,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACrC,YAAY,CAAC,uBAAuB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,sBAAsB,CAAC,OAAe,EAAE,YAAoB;QAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,6CAA6C;QAC7C,OAAO,CAAC,YAAY,GAAG,YAAY,CAAC;QAEpC,YAAY,CAAC,6BAA6B,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChE,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,OAAe;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC9C,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,WAAW,CAAC,QAAQ,EAAE,CAAC;IAChC,CAAC;IAEO,WAAW,CACjB,QAAgB,EAChB,MAAgB,EAChB,aAAqB,EACrB,QAAiB;QAEjB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAgB;YAC1B,WAAW;YACX,YAAY;YACZ,aAAa;YACb,QAAQ;YACR,MAAM;YACN,QAAQ;YACR,SAAS,EAAE,GAAG,GAAG,wBAAwB;YACzC,SAAS,EAAE,GAAG;SACf,CAAC;QAEF,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAEtD,8FAA8F;QAC9F,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,yBAAyB,GAAG,IAAI,EAAE,aAAa,CAAC,CAAC;QAC5E,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACtC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC5C,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC3C,CAAC,EAAE,SAAS,CAAC,CAAC,KAAK,EAAE,CAAC;QAEtB,YAAY,CAAC,eAAe,EAAE,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,GAAG,GAAG,wBAAwB,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAExH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,wBAAwB;YACpC,aAAa,EAAE,YAAY;SAC5B,CAAC;IACJ,CAAC;CACF"}
|
package/dist/constants.d.ts
CHANGED
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
export declare const CHARACTER_LIMIT = 100000;
|
|
2
|
-
export declare const DEFAULT_PAGE_SIZE = 50;
|
|
3
|
-
export declare const MAX_PAGE_SIZE = 100;
|
|
4
2
|
export declare const REQUEST_TIMEOUT_MS = 30000;
|
|
5
3
|
export declare const LONG_REQUEST_TIMEOUT_MS = 120000;
|
|
6
4
|
export declare const ACCESS_TOKEN_TTL_SECONDS = 3600;
|
|
7
5
|
export declare const REFRESH_TOKEN_TTL_SECONDS: number;
|
|
8
6
|
export declare const AUTH_CODE_TTL_SECONDS = 300;
|
|
9
7
|
export declare const CLIENT_SECRET_TTL_SECONDS: number;
|
|
10
|
-
export declare const SUPPORTED_SCOPES: readonly ["tasks:read", "tasks:write", "files:read", "files:write", "messages:read", "messages:write"];
|
|
8
|
+
export declare const SUPPORTED_SCOPES: readonly ["tasks:read", "tasks:write", "files:read", "files:write", "messages:read", "messages:write", "projects:read", "projects:write", "search:read", "orgs:read", "orgs:write", "folders:read", "folders:write", "library:read", "library:write", "api-keys:read", "api-keys:write", "audit:read", "account:read", "account:write", "feedback:write"];
|
|
9
|
+
export declare const ALL_SCOPES: string[];
|
|
11
10
|
//# sourceMappingURL=constants.d.ts.map
|
package/dist/constants.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,SAAU,CAAC;AACvC,eAAO,MAAM,
|
|
1
|
+
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,SAAU,CAAC;AACvC,eAAO,MAAM,kBAAkB,QAAS,CAAC;AACzC,eAAO,MAAM,uBAAuB,SAAU,CAAC;AAG/C,eAAO,MAAM,wBAAwB,OAAO,CAAC;AAC7C,eAAO,MAAM,yBAAyB,QAAiB,CAAC;AACxD,eAAO,MAAM,qBAAqB,MAAM,CAAC;AACzC,eAAO,MAAM,yBAAyB,QAAiB,CAAC;AAGxD,eAAO,MAAM,gBAAgB,2VAsBnB,CAAC;AAGX,eAAO,MAAM,UAAU,EAA4B,MAAM,EAAE,CAAC"}
|
package/dist/constants.js
CHANGED
|
@@ -1,6 +1,4 @@
|
|
|
1
1
|
export const CHARACTER_LIMIT = 100_000;
|
|
2
|
-
export const DEFAULT_PAGE_SIZE = 50;
|
|
3
|
-
export const MAX_PAGE_SIZE = 100;
|
|
4
2
|
export const REQUEST_TIMEOUT_MS = 30_000;
|
|
5
3
|
export const LONG_REQUEST_TIMEOUT_MS = 120_000;
|
|
6
4
|
// Auth constants
|
|
@@ -8,7 +6,7 @@ export const ACCESS_TOKEN_TTL_SECONDS = 3600; // 1 hour
|
|
|
8
6
|
export const REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 3600; // 30 days
|
|
9
7
|
export const AUTH_CODE_TTL_SECONDS = 300; // 5 minutes
|
|
10
8
|
export const CLIENT_SECRET_TTL_SECONDS = 90 * 24 * 3600; // 90 days
|
|
11
|
-
// MCP scopes
|
|
9
|
+
// MCP scopes — all supported scopes for OAuth clients
|
|
12
10
|
export const SUPPORTED_SCOPES = [
|
|
13
11
|
"tasks:read",
|
|
14
12
|
"tasks:write",
|
|
@@ -16,5 +14,22 @@ export const SUPPORTED_SCOPES = [
|
|
|
16
14
|
"files:write",
|
|
17
15
|
"messages:read",
|
|
18
16
|
"messages:write",
|
|
17
|
+
"projects:read",
|
|
18
|
+
"projects:write",
|
|
19
|
+
"search:read",
|
|
20
|
+
"orgs:read",
|
|
21
|
+
"orgs:write",
|
|
22
|
+
"folders:read",
|
|
23
|
+
"folders:write",
|
|
24
|
+
"library:read",
|
|
25
|
+
"library:write",
|
|
26
|
+
"api-keys:read",
|
|
27
|
+
"api-keys:write",
|
|
28
|
+
"audit:read",
|
|
29
|
+
"account:read",
|
|
30
|
+
"account:write",
|
|
31
|
+
"feedback:write",
|
|
19
32
|
];
|
|
33
|
+
// All scopes — used for API key auth (API keys get full access)
|
|
34
|
+
export const ALL_SCOPES = [...SUPPORTED_SCOPES];
|
|
20
35
|
//# sourceMappingURL=constants.js.map
|
package/dist/constants.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,eAAe,GAAG,OAAO,CAAC;AACvC,MAAM,CAAC,MAAM,
|
|
1
|
+
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,eAAe,GAAG,OAAO,CAAC;AACvC,MAAM,CAAC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AACzC,MAAM,CAAC,MAAM,uBAAuB,GAAG,OAAO,CAAC;AAE/C,iBAAiB;AACjB,MAAM,CAAC,MAAM,wBAAwB,GAAG,IAAI,CAAC,CAAC,SAAS;AACvD,MAAM,CAAC,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AACnE,MAAM,CAAC,MAAM,qBAAqB,GAAG,GAAG,CAAC,CAAC,YAAY;AACtD,MAAM,CAAC,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAEnE,sDAAsD;AACtD,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,aAAa;IACb,WAAW;IACX,YAAY;IACZ,cAAc;IACd,eAAe;IACf,cAAc;IACd,eAAe;IACf,eAAe;IACf,gBAAgB;IAChB,YAAY;IACZ,cAAc;IACd,eAAe;IACf,gBAAgB;CACR,CAAC;AAEX,gEAAgE;AAChE,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,GAAG,gBAAgB,CAAa,CAAC"}
|