@equinor/fusion-framework-module-msal-node 0.1.0

package/dist/types/AuthConfigurator.interface.d.ts

@@ -0,0 +1,153 @@
+import type { PublicClientApplication } from '@azure/msal-node';
+import type { IAuthProvider } from './AuthProvider.interface.js';
+/**
+ * Represents the configuration for authentication in "token only" mode.
+ *
+ * @property mode - Specifies the authentication mode as 'token_only'.
+ * @property accessToken - The authentication token to be used.
+ * @property parent - An optional reference to a parent authentication provider.
+ */
+type AuthConfigTokenMode = {
+    mode: 'token_only';
+    accessToken: string;
+    client?: never;
+    server?: never;
+    parent?: IAuthProvider;
+};
+/**
+ * Configuration type for silent authentication mode.
+ *
+ * @property mode - Specifies the authentication mode as 'silent'.
+ * @property client - An instance of `PublicClientApplication` used for authentication.
+ * @property parent - An optional parent `IAuthProvider` instance for delegation.
+ */
+type AuthConfigSilentMode = {
+    mode: 'silent';
+    client: PublicClientApplication;
+    server?: never;
+    accessToken?: never;
+    parent?: IAuthProvider;
+};
+/**
+ * Configuration type for the interactive authentication mode.
+ *
+ * @property mode - Specifies the authentication mode as 'interactive'.
+ * @property client - An instance of `PublicClientApplication` used for authentication.
+ * @property server - Configuration for the local server used during the interactive authentication process.
+ * @property server.port - The port number on which the local server will run.
+ * @property server.onOpen - An optional callback function that is invoked with the authentication URL when the server starts.
+ * @property parent - An optional parent `IAuthProvider` instance for delegation or chaining of authentication providers.
+ */
+type AuthConfigInteractiveMode = {
+    mode: 'interactive';
+    client: PublicClientApplication;
+    server: {
+        port: number;
+        onOpen?: (url: string) => void;
+    };
+    accessToken?: never;
+    parent?: IAuthProvider;
+};
+/**
+ * Represents the configuration options for authentication.
+ *
+ * This type is a union of three different authentication modes:
+ * - `AuthConfigInteractiveMode`: Configuration for interactive authentication.
+ * - `AuthConfigSilentMode`: Configuration for silent authentication.
+ * - `AuthConfigTokenMode`: Configuration for token-based authentication.
+ */
+export type AuthConfig = AuthConfigInteractiveMode | AuthConfigSilentMode | AuthConfigTokenMode;
+/**
+ * Interface for configuring authentication settings for the MSAL Node module.
+ *
+ * This interface is intended for both consumers (users integrating authentication into their Fusion Framework Node.js applications)
+ * and future maintainers or developers extending or refactoring the module.
+ *
+ * Each method allows for fine-grained control over the authentication setup, supporting multiple authentication modes:
+ * - `token_only`: Use a pre-obtained access token (e.g., for CI/CD or automation).
+ * - `silent`: Use MSAL's silent authentication with a configured client (for background services or cached tokens).
+ * - `interactive`: Use MSAL's interactive authentication, typically for CLI tools or development, with a local server for browser-based login.
+ *
+ * Consumers should use the provided methods to configure the module according to their use case.
+ * Maintainers should ensure that new authentication flows or configuration options are exposed via this interface for consistency.
+ *
+ * @example
+ * // --- Interactive mode (browser login, local server) ---
+ * ```ts
+ * builder.setMode('interactive');
+ * builder.setClientConfig('your-tenant-id', 'your-client-id');
+ * builder.setServerPort(3000);
+ * builder.setServerOnOpen((url) => {
+ *   console.log(`Please navigate to: ${url}`);
+ * });
+ * ```
+ *
+ * // --- Silent mode (background, cached/refresh tokens) ---
+ * ```ts
+ * builder.setMode('silent');
+ * builder.setClientConfig('your-tenant-id', 'your-client-id');
+ * ```
+ *
+ * // --- Token only mode (pre-obtained token, CI/CD) ---
+ * ```ts
+ * builder.setMode('token_only');
+ * builder.setAccessToken('your-access-token');
+ */
+export interface IAuthConfigurator {
+    /**
+     * Sets the authentication mode for the module.
+     *
+     * @param mode - The authentication mode to use: 'token_only', 'silent', or 'interactive'.
+     *
+     * Consumers: Call this first to define the overall authentication strategy.
+     * Maintainers: Add new modes here if supporting additional auth flows.
+     */
+    setMode(mode: AuthConfig['mode']): void;
+    /**
+     * Sets the MSAL client instance for authentication.
+     *
+     * @param client - The MSAL PublicClientApplication instance to use for authentication.
+     *
+     * Consumers: Use this to provide a custom MSAL client if needed.
+     * Maintainers: Ensure compatibility with MSAL updates and custom client options.
+     */
+    setClient(client: AuthConfig['client']): void;
+    /**
+     * Configures the MSAL client using tenant and client IDs.
+     *
+     * @param tenantId - Azure AD tenant ID.
+     * @param clientId - Azure AD client/application ID.
+     *
+     * Consumers: Use this for quick setup without manually creating a client instance.
+     * Maintainers: Update this if the client configuration contract changes.
+     */
+    setClientConfig(tenantId: string, clientId: string): void;
+    /**
+     * Sets the port for the local server (used in interactive mode for auth callbacks).
+     *
+     * @param port - The port number for the local HTTP server.
+     *
+     * Consumers: Use this to avoid port conflicts or customize the callback endpoint.
+     * Maintainers: Ensure this is respected in server setup logic.
+     */
+    setServerPort(port: number): void;
+    /**
+     * Sets a callback to be invoked when the local server opens (interactive mode).
+     *
+     * @param onOpen - Callback receiving the server URL when ready, or undefined to disable.
+     *
+     * Consumers: Use this to display or log the login URL for users.
+     * Maintainers: Update this if the server startup flow changes.
+     */
+    setServerOnOpen(onOpen: ((url: string) => void) | undefined): void;
+    /**
+     * Sets a pre-obtained access token for token_only mode.
+     *
+     * @param token - The access token to use for authentication.
+     *
+     * Consumers: Use this for automation or CI/CD scenarios.
+     * Maintainers: Ensure this is securely handled and not mixed with other modes.
+     */
+    setAccessToken(token: string): void;
+}
+export {};

package/dist/types/AuthProvider.d.ts

@@ -0,0 +1,81 @@
+import type { AccountInfo, AuthenticationResult, PublicClientApplication } from '@azure/msal-node';
+import type { IAuthProvider } from './AuthProvider.interface.js';
+/**
+ * Implementation of the authentication provider for the Fusion MSAL Node module.
+ *
+ * Implements {@link IAuthProvider} and provides methods for managing authentication
+ * and token acquisition using the MSAL (Microsoft Authentication Library) for Node.js.
+ *
+ * This implementation assumes the user is already logged in and does not support
+ * triggering interactive login or logout flows. The `login` method will always throw, and `logout`
+ * only clears the token cache.
+ *
+ * @see AuthProviderInteractive For interactive login/logout support (user-driven authentication flows).
+ * @see AuthProviderTokenOnly For scenarios where a pre-obtained token is used (automation, CI/CD, etc).
+ *
+ * Developers extending this class can add support for additional authentication flows or modify token
+ * acquisition logic. Ensure that any changes remain consistent with the interface contract.
+ */
+export declare class AuthProvider implements IAuthProvider {
+    protected _client: PublicClientApplication;
+    constructor(_client: PublicClientApplication);
+    /**
+     * Retrieves the first account from the list of all accounts available in the MSAL client.
+     *
+     * @returns A promise that resolves to the first `AccountInfo` object if available, or `null` if no accounts exist.
+     */
+    getAccount(): Promise<AccountInfo | null>;
+    /**
+     * Acquires an access token for the specified scopes.
+     *
+     * @param options - An object containing the options for acquiring the token.
+     * @param options.scopes - An array of strings representing the scopes for which the access token is requested.
+     * @returns A promise that resolves to the acquired access token as a string.
+     * @throws An error if the token acquisition process fails.
+     */
+    acquireAccessToken(options: {
+        scopes: string[];
+    }): Promise<string>;
+    /**
+     * Initiates the login process with the specified options.
+     *
+     * @param _options - An object containing the scopes required for authentication.
+     * @returns A promise that resolves to an `AuthenticationResult` upon successful login.
+     * @throws `AuthServerError` - Always throws this error as login is not supported in this implementation.
+     *
+     * @remarks
+     * This method is not supported and is intended to be overridden by `AuthProviderInteractive`.
+     */
+    login(_options: {
+        scopes: string[];
+    }): Promise<AuthenticationResult>;
+    /**
+     * Logs out the user by clearing the token cache and removing all accounts.
+     *
+     * This method retrieves all accounts from the token cache and removes them
+     * individually. Afterward, it clears the entire cache to ensure no residual
+     * authentication data remains.
+     *
+     * @returns A promise that resolves when the logout process is complete.
+     */
+    logout(): Promise<void>;
+    /**
+     * Acquires an authentication token for the specified scopes.
+     *
+     * This method first attempts to acquire a token silently using the accounts
+     * available in the token cache. If no accounts are found and interactive login
+     * is allowed, it initiates an interactive login flow. If interactive login is
+     * not allowed and no accounts are found, an error is thrown.
+     *
+     * @param scopes - An array of strings representing the scopes for which the token is requested.
+     * @param options - Optional parameters for token acquisition.
+     * @param options.interactive - A boolean indicating whether interactive login is allowed
+     *                               if no accounts are found in the cache. Defaults to `false`.
+     * @returns A promise that resolves to an `AuthenticationResult` containing the acquired token.
+     * @throws {@link NoAccountsError} If no accounts are found in the cache and interactive login is not allowed.
+     * @throws {@link SilentTokenAcquisitionError} If an error occurs during silent token acquisition.
+     */
+    acquireToken(options: {
+        scopes: string[];
+    }): Promise<AuthenticationResult>;
+}

package/dist/types/AuthProvider.interface.d.ts

@@ -0,0 +1,55 @@
+import type { AuthenticationResult } from '@azure/msal-node';
+/**
+ * Interface for authentication providers in the Fusion MSAL Node module.
+ *
+ * Provides a unified API for authentication operations, including acquiring access tokens.
+ * The actual behavior of each method depends on the configured authentication mode (interactive, silent, or token-only).
+ *
+ * When accessing `appModules.msal.auth`, you will interact with this interface to:
+ * - Acquire Azure AD access tokens for specified scopes
+ *
+ * All methods are asynchronous and return Promises. See method documentation for details.
+ *
+ * @remarks
+ * This provider assumes the user is already logged in. To support login and logout operations, the module must be configured in interactive mode. In other modes, `login` and `logout` are present for compatibility but will be no-ops or throw if called.
+ *
+ * @see IAuthProviderInteractive for interactive login/logout support
+ */
+export interface IAuthProvider {
+    /**
+     * This method is present for compatibility but will never trigger a user login flow unless interactive mode is configured.
+     *
+     * @param options - An object specifying the required scopes for authentication.
+     * @returns A Promise that will always reject or be a no-op, depending on implementation.
+     *
+     * @remarks
+     * This method is not supported and should not be used to initiate login unless interactive mode is enabled.
+     */
+    login(options: {
+        scopes: string[];
+    }): Promise<AuthenticationResult>;
+    /**
+     * This method is present for compatibility but will never trigger a user logout flow unless interactive mode is configured.
+     *
+     * @returns A Promise that will always resolve immediately or be a no-op, depending on implementation.
+     *
+     * @remarks
+     * This method is not supported and should not be used to initiate logout unless interactive mode is enabled.
+     */
+    logout(): Promise<void>;
+    /**
+     * Acquires an access token for the specified scopes.
+     *
+     * @param options - An object specifying the required scopes and an optional `interactive` flag.
+     *   - `scopes`: The scopes for which the token is requested.
+     *   - `interactive`: If true, may trigger an interactive login if silent acquisition fails (not supported unless interactive mode is enabled).
+     * @returns A Promise that resolves to a string representing the acquired access token.
+     *
+     * @remarks
+     * This is the primary method for obtaining tokens for API calls or resource access.
+     */
+    acquireAccessToken(options: {
+        scopes: string[];
+        interactive?: boolean;
+    }): Promise<string>;
+}

package/dist/types/AuthProviderInteractive.d.ts

@@ -0,0 +1,73 @@
+import { type AuthenticationResult, type PublicClientApplication } from '@azure/msal-node';
+import { AuthProvider } from './AuthProvider.js';
+/**
+ * Options for configuring the interactive authentication provider.
+ *
+ * @property server - Configuration for the local server used to handle authentication callbacks.
+ *   @property port - The port number on which the local server will listen for authentication responses.
+ *   @property onOpen - Optional callback invoked with the authentication URL when the server is ready (e.g., to display or log the URL).
+ *
+ * Used when constructing an instance of {@link AuthProviderInteractive} to enable browser-based login flows.
+ */
+type AuthProviderOptions = {
+    server: {
+        port: number;
+        onOpen?: (url: string) => void;
+    };
+};
+/**
+ * Implementation of an interactive authentication provider for the Fusion MSAL Node module.
+ *
+ * Extends {@link AuthProvider} to support user-driven authentication flows using the authorization code flow with PKCE.
+ * This class opens the user's default browser for authentication and handles the response via a local server.
+ *
+ * This implementation is intended for scenarios where interactive login is required, such as CLI tools or development utilities.
+ *
+ * Developers extending this provider can customize the interactive flow, server handling, or PKCE logic as needed.
+ * Ensure that any changes remain consistent with the expected interface and security best practices.
+ *
+ * @see AuthProvider for non-interactive (silent) authentication flows.
+ * @see AuthProviderTokenOnly for token-only scenarios.
+ */
+export declare class AuthProviderInteractive extends AuthProvider {
+    #private;
+    constructor(client: PublicClientApplication, options: AuthProviderOptions);
+    /**
+     * Initiates the login process using the authorization code flow with PKCE.
+     *
+     * This method generates a PKCE code verifier and challenge to enhance security
+     * and prevent authorization code interception attacks. It constructs an
+     * authorization code URL, opens the default browser for user authentication,
+     * and starts a local server to handle the authentication response.
+     *
+     * @param scopes - An array of scopes that specify the permissions being requested.
+     * @returns A promise that resolves to an `AuthenticationResult` containing the
+     *          authentication details upon successful login.
+     *
+     * @throws Will throw an error if the PKCE code generation, browser opening, or
+     *         authentication server setup fails.
+     */
+    login(options: {
+        scopes: string[];
+    }): Promise<AuthenticationResult>;
+    /**
+     * Acquires an authentication token for the specified scopes.
+     *
+     * This method first attempts to acquire a token silently using the accounts
+     * available in the token cache. If no accounts are found and interactive login
+     * is allowed, it initiates an interactive login flow. If interactive login is
+     * not allowed and no accounts are found, an error is thrown.
+     *
+     * @param scopes - An array of strings representing the scopes for which the token is requested.
+     * @param options - Optional parameters for token acquisition.
+     * @param options.interactive - A boolean indicating whether interactive login is allowed
+     *                               if no accounts are found in the cache. Defaults to `false`.
+     * @returns A promise that resolves to an `AuthenticationResult` containing the acquired token.
+     * @throws {@link NoAccountsError} If no accounts are found in the cache and interactive login is not allowed.
+     * @throws {@link SilentTokenAcquisitionError} If an error occurs during silent token acquisition.
+     */
+    acquireToken(options: {
+        scopes: string[];
+    }): Promise<AuthenticationResult>;
+}
+export {};

package/dist/types/AuthTokenProvider.d.ts

@@ -0,0 +1,43 @@
+import type { AuthenticationResult } from '@azure/msal-node';
+import type { IAuthProvider } from './AuthProvider.interface.js';
+/**
+ * Implementation of an authentication provider that supplies a static, pre-obtained access token.
+ *
+ * This class implements {@link IAuthProvider} and is intended for scenarios where authentication
+ * is handled externally and a token is provided directly (e.g., CI/CD pipelines, automation, or service accounts).
+ *
+ * Login and logout operations are not supported and will always throw errors if called.
+ *
+ * @see AuthProvider for silent authentication using cached accounts and MSAL flows.
+ * @see AuthProviderInteractive for interactive, user-driven authentication flows.
+ */
+export declare class AuthTokenProvider implements IAuthProvider {
+    #private;
+    constructor(token: string);
+    /**
+     * Not supported in token-only mode. Always throws an error if called.
+     *
+     * This provider is designed for scenarios where authentication is handled externally
+     * and a static token is supplied. Login flows are not possible in this context.
+     *
+     * @throws Error Always throws to indicate login is not supported.
+     */
+    login(): Promise<AuthenticationResult>;
+    /**
+     * Not supported in token-only mode. Always throws an error if called.
+     *
+     * Since this provider does not manage user sessions or accounts, logout is not applicable.
+     *
+     * @throws Error Always throws to indicate logout is not supported.
+     */
+    logout(): Promise<void>;
+    /**
+     * Returns the pre-obtained access token supplied to the provider.
+     *
+     * This is the only supported operation for this provider. No token refresh or acquisition logic is performed.
+     *
+     * @returns The static access token as a string.
+     */
+    acquireAccessToken(): Promise<string>;
+}
+export default AuthTokenProvider;

package/dist/types/create-auth-cache.d.ts

@@ -0,0 +1,32 @@
+import { PersistenceCachePlugin, type IPersistence } from '@azure/msal-node-extensions';
+/**
+ * Creates a persistence cache for storing authentication data securely on disk.
+ *
+ * The cache is encrypted and scoped to the current user for security. It is uniquely identified
+ * by the provided tenant and client IDs, and is associated with the 'fusion-framework' service.
+ *
+ * @param tenantId - The Azure AD tenant ID used to identify the cache.
+ * @param clientId - The Azure AD client/application ID used to identify the cache.
+ * @returns A promise that resolves to the created persistence cache instance.
+ */
+export declare const createPersistenceCache: (tenantId: string, clientId: string) => Promise<IPersistence>;
+/**
+ * Clears the persistence cache for a specific tenant and client.
+ *
+ * Deletes the cache file and all associated authentication data for the given tenant and client IDs.
+ *
+ * @param tenantId - The Azure AD tenant ID.
+ * @param clientId - The Azure AD client/application ID.
+ * @returns A promise that resolves when the cache has been successfully cleared.
+ */
+export declare const clearPersistenceCache: (tenantId: string, clientId: string) => Promise<void>;
+/**
+ * Creates a `PersistenceCachePlugin` instance for use with MSAL, using the provided tenant and client IDs.
+ *
+ * This plugin enables MSAL to use the secure persistence cache for token storage.
+ *
+ * @param tenantId - The Azure AD tenant ID.
+ * @param clientId - The Azure AD client/application ID.
+ * @returns A promise that resolves to an instance of `PersistenceCachePlugin`.
+ */
+export declare const createPersistenceCachePlugin: (tenantId: string, clientId: string) => Promise<PersistenceCachePlugin>;

package/dist/types/create-auth-client.d.ts

@@ -0,0 +1,24 @@
+import { PublicClientApplication } from '@azure/msal-node';
+/**
+ * Creates and configures a new MSAL PublicClientApplication instance for Azure AD authentication.
+ *
+ * This function sets up the client with the specified tenant and client IDs, and attaches a secure
+ * persistence cache plugin for storing authentication tokens on disk. The resulting client can be used
+ * for both silent and interactive authentication flows, depending on how it is integrated.
+ *
+ * @param tenantId - The Azure Active Directory tenant ID (directory identifier).
+ * @param clientId - The client/application ID registered in Azure AD.
+ * @returns A Promise that resolves to a configured instance of `PublicClientApplication`.
+ *
+ * @remarks
+ * The returned client uses a secure, user-scoped cache for token storage. This is recommended for CLI tools,
+ * background services, and other Node.js applications that require persistent authentication.
+ *
+ * @example
+ * ```typescript
+ * const client = await createAuthClient('your-tenant-id', 'your-client-id');
+ * // Use the client with MSAL APIs for authentication flows
+ * ```
+ */
+export declare const createAuthClient: (tenantId: string, clientId: string) => Promise<PublicClientApplication>;
+export default createAuthClient;

package/dist/types/create-auth-server.d.ts

@@ -0,0 +1,34 @@
+import type { AuthenticationResult, PublicClientApplication } from '@azure/msal-node';
+/**
+ * Creates a temporary HTTP server to handle the OAuth 2.0 authorization code flow for interactive authentication.
+ *
+ * This function is used in interactive authentication scenarios to listen for the authorization code
+ * returned by Azure AD after the user authenticates in the browser. It exchanges the code for an access token
+ * using the provided `PublicClientApplication` instance. The server automatically shuts down after a successful
+ * authentication, error, or timeout.
+ *
+ * @param client - The MSAL `PublicClientApplication` instance used to acquire tokens.
+ * @param scopes - An array of scopes for which the token is requested.
+ * @param options - Configuration for the authentication server.
+ *   @param options.port - The port on which the server will listen for the authentication response.
+ *   @param options.codeVerifier - The PKCE code verifier used for enhanced security (optional).
+ *   @param options.timeout - Timeout in milliseconds before the server shuts down if no response is received (default: 5 minutes).
+ *
+ * @returns A promise that resolves with the `AuthenticationResult` upon successful authentication,
+ * or rejects with an error if authentication fails or times out.
+ *
+ * @throws {@link AuthServerError} If no authorization code is received or if token acquisition fails.
+ * @throws {@link AuthServerTimeoutError} If the server times out before receiving a response.
+ *
+ * @example
+ * ```typescript
+ * const result = await createAuthServer(client, ['user.read'], { port: 3000, codeVerifier });
+ * console.log(result.accessToken);
+ * ```
+ */
+export declare const createAuthServer: (client: PublicClientApplication, scopes: string[], options: {
+    port: number;
+    codeVerifier?: string;
+    timeout?: number;
+}) => Promise<AuthenticationResult>;
+export default createAuthServer;

package/dist/types/enable-module.d.ts

@@ -0,0 +1,24 @@
+import type { IModuleConfigurator, IModulesConfigurator } from '@equinor/fusion-framework-module';
+import { type MsalNodeModule } from './module';
+/**
+ * Enables the MSAL Node module by registering its configuration with the provided modules configurator.
+ *
+ * This function should be called to add the MSAL Node authentication module to a Fusion Framework application.
+ * It accepts a configurator instance and a configuration function, which is used to define the module's behavior and settings.
+ *
+ * @param configurator - The modules configurator instance used to register the MSAL Node module.
+ * @param configure - A configuration function for customizing the module (e.g., setting client ID, tenant ID, mode).
+ *
+ * @see IAuthProvider for the authentication provider interface exposed by the module.
+ * @see IAuthConfigurator for the configuration builder interface used in the configure callback.
+ *
+ * @example
+ * ```typescript
+ * enableModule(configurator, (builder) => {
+ *   builder.setMode('interactive');
+ *   builder.setClientConfig('your-tenant-id', 'your-client-id');
+ * });
+ * ```
+ */
+export declare const enableModule: (configurator: IModulesConfigurator<any, any>, configure: IModuleConfigurator<MsalNodeModule>["configure"]) => void;
+export default enableModule;

package/dist/types/error.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Error thrown when no accounts are available for an operation that requires one.
+ *
+ * Typically used when attempting to acquire a token or perform an action that requires
+ * a user account, but none are found in the MSAL cache.
+ *
+ * @param message - Description of the error.
+ * @param options - Optional error options, including a cause for error chaining.
+ */
+export declare class NoAccountsError extends Error {
+    static readonly Name: string;
+    constructor(message: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * Error thrown when silent token acquisition fails.
+ *
+ * This error is used when MSAL cannot acquire a token silently, often due to missing
+ * credentials, expired tokens, or lack of a valid session.
+ *
+ * @param message - Description of the error.
+ * @param options - Optional error options, including a cause for error chaining.
+ */
+export declare class SilentTokenAcquisitionError extends Error {
+    static readonly Name: string;
+    constructor(message: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * Error representing a failure or issue in the authentication server flow.
+ *
+ * Used to signal problems during the OAuth 2.0 authorization code flow, such as
+ * missing codes, invalid requests, or token exchange failures. Supports error chaining.
+ *
+ * @param message - Description of the error.
+ * @param options - Optional error options, including a cause for error chaining.
+ */
+export declare class AuthServerError extends Error {
+    static readonly Name: string;
+    constructor(message: string, options?: {
+        cause?: Error;
+    });
+}
+/**
+ * Error thrown when the authentication server times out waiting for a response.
+ *
+ * Extends {@link AuthServerError} to provide additional context for timeout scenarios.
+ *
+ * @param message - Description of the error.
+ * @param options - Optional error options, including a cause for error chaining.
+ */
+export declare class AuthServerTimeoutError extends AuthServerError {
+    static readonly Name: string;
+    constructor(message: string, options?: {
+        cause?: Error;
+    });
+}

package/dist/types/index.d.ts

@@ -0,0 +1,5 @@
+export { AuthProvider } from './AuthProvider.js';
+export type { IAuthProvider } from './AuthProvider.interface.js';
+export type { IAuthConfigurator, AuthConfig } from './AuthConfigurator.interface.js';
+export { module as authModule, type MsalNodeModule } from './module.js';
+export { enableModule as enableAuthModule } from './enable-module.js';

package/dist/types/module.d.ts

@@ -0,0 +1,24 @@
+import type { Module } from '@equinor/fusion-framework-module';
+import { AuthConfigurator } from './AuthConfigurator';
+import type { IAuthProvider } from './AuthProvider.interface';
+/**
+ * MSAL Node authentication module for the Fusion Framework.
+ *
+ * This module provides authentication capabilities for Node.js applications using Microsoft's MSAL library.
+ * It supports multiple authentication modes: token-only, interactive (browser-based), and silent (cached credentials).
+ *
+ * The module exposes a unified provider interface for acquiring tokens and managing authentication state.
+ *
+ * - In `token_only` mode, a static access token is used (see {@link AuthTokenProvider}).
+ * - In `interactive` mode, the user is prompted via a local server and browser (see {@link AuthProviderInteractive}).
+ * - In all other cases, silent authentication is attempted using cached credentials (see {@link AuthProvider}).
+ *
+ * @see AuthProvider
+ * @see AuthProviderInteractive
+ * @see AuthTokenProvider
+ * @see IAuthProvider
+ * @see AuthConfigurator
+ */
+export type MsalNodeModule = Module<'auth', IAuthProvider, AuthConfigurator>;
+export declare const module: MsalNodeModule;
+export default module;

package/dist/types/version.d.ts

@@ -0,0 +1 @@
+export declare const version = "0.1.0";

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@equinor/fusion-framework-module-msal-node",
+  "version": "0.1.0",
+  "description": "Fusion Framework module for secure Azure AD authentication in Node.js using MSAL. Supports interactive, silent, and token-only authentication modes with encrypted token storage.",
+  "main": "dist/esm/index.js",
+  "types": "dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "types": "./dist/types/index.d.ts"
+    },
+    "./error": {
+      "import": "./dist/esm/error.js",
+      "types": "./dist/types/error.d.ts"
+    }
+  },
+  "keywords": [
+    "msal",
+    "msal-node",
+    "node",
+    "auth",
+    "authentication"
+  ],
+  "author": "",
+  "license": "ISC",
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/equinor/fusion-framework.git",
+    "directory": "packages/modules/msal-node"
+  },
+  "dependencies": {
+    "@azure/msal-node": "^3.5.1",
+    "@azure/msal-node-extensions": "^1.5.11",
+    "open": "^10.1.1",
+    "@equinor/fusion-framework-module": "^4.4.2"
+  },
+  "devDependencies": {
+    "typescript": "^5.8.2"
+  },
+  "scripts": {
+    "build": "tsc -b"
+  }
+}