@frontmcp/auth 0.10.0 → 0.11.0

package/session/encrypted-authorization-vault.d.ts

@@ -0,0 +1,182 @@
+/**
+ * Encrypted Authorization Vault
+ *
+ * A vault implementation that encrypts all sensitive data using a key
+ * derived from the client's JWT authorization token.
+ *
+ * Security Properties:
+ * - Zero-knowledge storage: Server cannot decrypt credentials
+ * - Client-side key: Encryption key derived from JWT (client must present token)
+ * - Authenticated encryption: AES-256-GCM prevents tampering
+ * - Per-vault keys: Each vault has a unique encryption key
+ *
+ * Usage:
+ * ```typescript
+ * const vault = new EncryptedRedisVault(redis, encryption);
+ *
+ * // On each request, derive key from JWT and set context
+ * const key = encryption.deriveKeyFromToken(token, claims);
+ * vault.setEncryptionKey(key);
+ *
+ * // Now all operations automatically encrypt/decrypt
+ * await vault.addAppCredential(vaultId, credential);
+ * ```
+ */
+import { z } from 'zod';
+import { VaultEncryption } from './vault-encryption';
+import type { AuthorizationVault, AuthorizationVaultEntry, AppCredential, VaultConsentRecord, VaultFederatedRecord, PendingIncrementalAuth } from './authorization-vault';
+/**
+ * What we store in Redis - minimal metadata + encrypted blob
+ */
+export declare const redisVaultEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    userSub: z.ZodString;
+    userEmail: z.ZodOptional<z.ZodString>;
+    userName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    lastAccessAt: z.ZodNumber;
+    authorizedAppIds: z.ZodArray<z.ZodString>;
+    skippedAppIds: z.ZodArray<z.ZodString>;
+    pendingAuthIds: z.ZodArray<z.ZodString>;
+    encrypted: z.ZodObject<{
+        v: z.ZodLiteral<1>;
+        alg: z.ZodLiteral<"aes-256-gcm">;
+        iv: z.ZodString;
+        ct: z.ZodString;
+        tag: z.ZodString;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type RedisVaultEntry = z.infer<typeof redisVaultEntrySchema>;
+/**
+ * Encryption context for the current request
+ * Must be set before performing vault operations
+ */
+export interface EncryptionContext {
+    /** Encryption key derived from JWT */
+    key: Uint8Array;
+    /** Vault ID (from JWT jti claim) */
+    vaultId: string;
+}
+/**
+ * Redis vault with client-side encryption
+ *
+ * All sensitive data (tokens, credentials, consent, pending auths)
+ * is encrypted using a key derived from the client's JWT.
+ *
+ * Use `runWithContext()` to set encryption context for concurrent safety.
+ */
+export declare class EncryptedRedisVault implements AuthorizationVault {
+    private readonly redis;
+    private readonly encryption;
+    private readonly namespace;
+    constructor(redis: any, encryption: VaultEncryption, namespace?: string);
+    /**
+     * Run a callback with encryption context set for the current async scope.
+     * This is the recommended way to set encryption context as it is safe for
+     * concurrent requests (each request gets its own isolated context).
+     *
+     * @param context - Encryption context with key and vaultId
+     * @param fn - Async function to run with the context
+     * @returns The result of the callback
+     *
+     * @example
+     * ```typescript
+     * const result = await vault.runWithContext({ key, vaultId }, async () => {
+     *   await vault.get(id);
+     *   await vault.update(id, data);
+     *   return 'done';
+     * });
+     * ```
+     */
+    runWithContext<T>(context: EncryptionContext, fn: () => T | Promise<T>): T | Promise<T>;
+    /**
+     * Get current encryption key from AsyncLocalStorage.
+     */
+    private getKey;
+    /**
+     * Create Redis key from vault ID
+     */
+    private redisKey;
+    /**
+     * Create credential key from appId and providerId
+     */
+    private credentialKey;
+    /**
+     * Encrypt sensitive data
+     */
+    private encryptSensitive;
+    /**
+     * Decrypt sensitive data
+     */
+    private decryptSensitive;
+    /**
+     * Convert Redis entry to full vault entry (decrypts sensitive data)
+     */
+    private toVaultEntry;
+    /**
+     * Convert vault entry to Redis entry (encrypts sensitive data)
+     */
+    private toRedisEntry;
+    /**
+     * Save entry to Redis
+     */
+    private saveEntry;
+    /**
+     * Load entry from Redis
+     */
+    private loadEntry;
+    create(params: {
+        userSub: string;
+        userEmail?: string;
+        userName?: string;
+        clientId: string;
+        consent?: VaultConsentRecord;
+        federated?: VaultFederatedRecord;
+        authorizedAppIds?: string[];
+        skippedAppIds?: string[];
+    }): Promise<AuthorizationVaultEntry>;
+    get(id: string): Promise<AuthorizationVaultEntry | null>;
+    update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void>;
+    delete(id: string): Promise<void>;
+    updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void>;
+    authorizeApp(vaultId: string, appId: string): Promise<void>;
+    createPendingAuth(vaultId: string, params: {
+        appId: string;
+        toolId?: string;
+        authUrl: string;
+        requiredScopes?: string[];
+        elicitId?: string;
+        ttlMs?: number;
+    }): Promise<PendingIncrementalAuth>;
+    getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null>;
+    completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    isAppAuthorized(vaultId: string, appId: string): Promise<boolean>;
+    getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]>;
+    addAppCredential(vaultId: string, credential: AppCredential): Promise<void>;
+    removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void>;
+    getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]>;
+    getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null>;
+    getAllCredentials(vaultId: string, filterByConsent?: boolean): Promise<AppCredential[]>;
+    updateCredential(vaultId: string, appId: string, providerId: string, updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>): Promise<void>;
+    shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean>;
+    invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void>;
+    refreshOAuthCredential(vaultId: string, appId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    cleanup(): Promise<void>;
+}
+/**
+ * Create an encrypted vault with the given configuration
+ */
+export declare function createEncryptedVault(redis: any, config?: {
+    pepper?: string;
+    namespace?: string;
+}): {
+    vault: EncryptedRedisVault;
+    encryption: VaultEncryption;
+};
+//# sourceMappingURL=encrypted-authorization-vault.d.ts.map

package/session/encrypted-authorization-vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-authorization-vault.d.ts","sourceRoot":"","sources":["../../src/session/encrypted-authorization-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,OAAO,EAAE,eAAe,EAAuB,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EACV,kBAAkB,EAClB,uBAAuB,EACvB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,uBAAuB,CAAC;AAM/B;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;iBAuBhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMpE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,sCAAsC;IACtC,GAAG,EAAE,UAAU,CAAC;IAChB,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;CACjB;AAYD;;;;;;;GAOG;AACH,qBAAa,mBAAoB,YAAW,kBAAkB;IAG1D,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;gBAFT,KAAK,EAAE,GAAG,EACV,UAAU,EAAE,eAAe,EAC3B,SAAS,SAAW;IAGvC;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAC,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAIvF;;OAEG;IACH,OAAO,CAAC,MAAM;IASd;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;YACW,gBAAgB;IAI9B;;OAEG;YACW,gBAAgB;IAI9B;;OAEG;YACW,YAAY;IAoB1B;;OAEG;YACW,YAAY;IAuB1B;;OAEG;YACW,SAAS;IAKvB;;OAEG;YACW,SAAS;IAiBjB,MAAM,CAAC,MAAM,EAAE;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,kBAAkB,CAAC;QAC7B,SAAS,CAAC,EAAE,oBAAoB,CAAC;QACjC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAsB9B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAWxD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAU5E,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAS1E,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAY3D,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GACA,OAAO,CAAC,sBAAsB,CAAC;IA0B5B,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;IAe9F,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkB1E,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWxE,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAajE,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC;IA0BnE,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAa3E,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUtF,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAU3E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAQhG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,UAAQ,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAgBrF,gBAAgB,CACpB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,GAAG,UAAU,CAAC,CAAC,GAC3G,OAAO,CAAC,IAAI,CAAC;IAaV,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB3F,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvG,sBAAsB,CAC1B,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GACzE,OAAO,CAAC,IAAI,CAAC;IAwBV,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAK/B;AAMD;;GAEG;AACH,wBAAgB,oBAAoB,CAElC,KAAK,EAAE,GAAG,EACV,MAAM,GAAE;IACN,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACf,GACL;IAAE,KAAK,EAAE,mBAAmB,CAAC;IAAC,UAAU,EAAE,eAAe,CAAA;CAAE,CAK7D"}

package/session/federated-auth.session.d.ts

@@ -0,0 +1,252 @@
+/**
+ * Federated Auth Session
+ *
+ * Manages state during multi-provider OAuth flows where a user needs to
+ * authenticate with multiple upstream OAuth providers sequentially.
+ *
+ * Flow:
+ * 1. User selects providers on federated login page
+ * 2. System stores FederatedAuthSession with provider queue
+ * 3. User is redirected to first provider's OAuth authorize endpoint
+ * 4. After provider callback, tokens are stored and next provider is processed
+ * 5. When all providers complete, FrontMCP JWT is issued
+ */
+/**
+ * PKCE data for upstream provider OAuth flow
+ */
+export interface ProviderPkce {
+    /** Code verifier (used in token exchange) */
+    verifier: string;
+    /** Code challenge (sent to authorize endpoint) */
+    challenge: string;
+    /** Challenge method (always S256) */
+    method: 'S256';
+}
+/**
+ * Token data received from an upstream provider
+ */
+export interface ProviderTokens {
+    /** Access token */
+    accessToken: string;
+    /** Refresh token (if provided) */
+    refreshToken?: string;
+    /** Token expiration (epoch ms) */
+    expiresAt?: number;
+    /** Token type (usually 'Bearer') */
+    tokenType?: string;
+    /** Granted scopes */
+    scopes?: string[];
+    /** ID token (for OIDC providers) */
+    idToken?: string;
+}
+/**
+ * User info from an upstream provider
+ */
+export interface ProviderUserInfo {
+    /** Subject identifier from provider */
+    sub: string;
+    /** User email */
+    email?: string;
+    /** Display name */
+    name?: string;
+    /** Profile picture URL */
+    picture?: string;
+    /** Additional claims */
+    claims?: Record<string, unknown>;
+}
+/**
+ * Completed provider entry in the federated session
+ */
+export interface CompletedProvider {
+    /** Provider ID */
+    providerId: string;
+    /** OAuth tokens from the provider */
+    tokens: ProviderTokens;
+    /** User info from the provider */
+    userInfo?: ProviderUserInfo;
+    /** Timestamp when provider auth completed */
+    completedAt: number;
+}
+/**
+ * Federated Auth Session state
+ *
+ * Stored during multi-provider OAuth flow to track progress
+ */
+export interface FederatedAuthSession {
+    /** Unique session ID */
+    id: string;
+    /** Original pending auth ID (from /oauth/authorize request) */
+    pendingAuthId: string;
+    /** Client ID that initiated the auth flow */
+    clientId: string;
+    /** Redirect URI for final callback */
+    redirectUri: string;
+    /** Requested scopes for FrontMCP token */
+    scopes: string[];
+    /** Original state parameter from client */
+    state?: string;
+    /** Resource/audience for final token */
+    resource?: string;
+    /** User info (email, name) from initial login form */
+    userInfo: {
+        email?: string;
+        name?: string;
+        sub?: string;
+    };
+    /** PKCE challenge for final FrontMCP token exchange */
+    frontmcpPkce: {
+        challenge: string;
+        method: 'S256';
+    };
+    /** Queue of provider IDs remaining to auth */
+    providerQueue: string[];
+    /** Map of completed providers with their tokens */
+    completedProviders: Map<string, CompletedProvider>;
+    /** Providers that user declined/skipped */
+    skippedProviders: string[];
+    /** Currently active provider (being authenticated) */
+    currentProviderId?: string;
+    /** PKCE data for current provider's OAuth flow */
+    currentProviderPkce?: ProviderPkce;
+    /** State parameter for current provider's OAuth flow */
+    currentProviderState?: string;
+    /** Session creation timestamp */
+    createdAt: number;
+    /** Session expiration timestamp */
+    expiresAt: number;
+}
+/**
+ * Serializable version of FederatedAuthSession for storage
+ */
+export interface FederatedAuthSessionRecord {
+    id: string;
+    pendingAuthId: string;
+    clientId: string;
+    redirectUri: string;
+    scopes: string[];
+    state?: string;
+    resource?: string;
+    userInfo: {
+        email?: string;
+        name?: string;
+        sub?: string;
+    };
+    frontmcpPkce: {
+        challenge: string;
+        method: 'S256';
+    };
+    providerQueue: string[];
+    completedProviders: Array<[string, CompletedProvider]>;
+    skippedProviders: string[];
+    currentProviderId?: string;
+    currentProviderPkce?: ProviderPkce;
+    currentProviderState?: string;
+    createdAt: number;
+    expiresAt: number;
+}
+/**
+ * Federated Auth Session Store Interface
+ */
+export interface FederatedAuthSessionStore {
+    /** Store a federated auth session */
+    store(session: FederatedAuthSession): Promise<void>;
+    /** Get a federated auth session by ID */
+    get(id: string): Promise<FederatedAuthSession | null>;
+    /** Delete a federated auth session */
+    delete(id: string): Promise<void>;
+    /** Update a federated auth session */
+    update(session: FederatedAuthSession): Promise<void>;
+}
+/**
+ * Convert FederatedAuthSession to serializable record
+ */
+export declare function toSessionRecord(session: FederatedAuthSession): FederatedAuthSessionRecord;
+/**
+ * Convert serializable record back to FederatedAuthSession
+ */
+export declare function fromSessionRecord(record: FederatedAuthSessionRecord): FederatedAuthSession;
+/**
+ * Parameters for creating a federated auth session
+ */
+export interface FederatedAuthSessionCreateParams {
+    pendingAuthId: string;
+    clientId: string;
+    redirectUri: string;
+    scopes: string[];
+    state?: string;
+    resource?: string;
+    userInfo: {
+        email?: string;
+        name?: string;
+        sub?: string;
+    };
+    frontmcpPkce: {
+        challenge: string;
+        method: 'S256';
+    };
+    providerIds: string[];
+}
+/**
+ * In-Memory Federated Auth Session Store
+ *
+ * Development/testing implementation for federated auth session storage.
+ */
+export declare class InMemoryFederatedAuthSessionStore implements FederatedAuthSessionStore {
+    private readonly sessions;
+    /** Default TTL for sessions (15 minutes) */
+    private readonly sessionTtlMs;
+    /** Cleanup interval timer */
+    private cleanupTimer?;
+    constructor();
+    store(session: FederatedAuthSession): Promise<void>;
+    get(id: string): Promise<FederatedAuthSession | null>;
+    delete(id: string): Promise<void>;
+    update(session: FederatedAuthSession): Promise<void>;
+    /**
+     * Clean up expired sessions
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Stop the cleanup timer
+     */
+    dispose(): void;
+    /**
+     * Create a new federated auth session
+     */
+    createSession(params: FederatedAuthSessionCreateParams): FederatedAuthSession;
+    /**
+     * Get count (for testing/monitoring)
+     */
+    get size(): number;
+    /**
+     * Clear all sessions (for testing)
+     */
+    clear(): void;
+}
+/**
+ * Create a new federated auth session object
+ *
+ * This is a standalone factory function that creates a FederatedAuthSession
+ * without requiring a store instance. Use this for type-safe session creation.
+ *
+ * @param params Session parameters
+ * @param ttlMs Session TTL in milliseconds (default: 15 minutes)
+ */
+export declare function createFederatedAuthSession(params: FederatedAuthSessionCreateParams, ttlMs?: number): FederatedAuthSession;
+/**
+ * Helper to check if all providers have been authenticated
+ */
+export declare function isSessionComplete(session: FederatedAuthSession): boolean;
+/**
+ * Helper to get the next provider to authenticate
+ */
+export declare function getNextProvider(session: FederatedAuthSession): string | undefined;
+/**
+ * Helper to mark current provider as complete and move to next
+ */
+export declare function completeCurrentProvider(session: FederatedAuthSession, tokens: ProviderTokens, userInfo?: ProviderUserInfo): void;
+/**
+ * Helper to start authentication with next provider
+ */
+export declare function startNextProvider(session: FederatedAuthSession, pkce: ProviderPkce, state: string): string;
+//# sourceMappingURL=federated-auth.session.d.ts.map

package/session/federated-auth.session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"federated-auth.session.d.ts","sourceRoot":"","sources":["../../src/session/federated-auth.session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qBAAqB;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0BAA0B;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,MAAM,EAAE,cAAc,CAAC;IACvB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,wBAAwB;IACxB,EAAE,EAAE,MAAM,CAAC;IAEX,+DAA+D;IAC/D,aAAa,EAAE,MAAM,CAAC;IAEtB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IAEjB,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IAEpB,0CAA0C;IAC1C,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,sDAAsD;IACtD,QAAQ,EAAE;QACR,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IAEF,uDAAuD;IACvD,YAAY,EAAE;QACZ,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IAEF,8CAA8C;IAC9C,aAAa,EAAE,MAAM,EAAE,CAAC;IAExB,mDAAmD;IACnD,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAEnD,2CAA2C;IAC3C,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAE3B,sDAAsD;IACtD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,kDAAkD;IAClD,mBAAmB,CAAC,EAAE,YAAY,CAAC;IAEnC,wDAAwD;IACxD,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAE9B,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAElB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE;QACR,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IACF,YAAY,EAAE;QACZ,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACvD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,mBAAmB,CAAC,EAAE,YAAY,CAAC;IACnC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,qCAAqC;IACrC,KAAK,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpD,yCAAyC;IACzC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IAEtD,sCAAsC;IACtC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElC,sCAAsC;IACtC,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,oBAAoB,GAAG,0BAA0B,CAKzF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,0BAA0B,GAAG,oBAAoB,CAK1F;AAED;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1D,YAAY,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;;GAIG;AACH,qBAAa,iCAAkC,YAAW,yBAAyB;IACjF,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiD;IAE1E,4CAA4C;IAC5C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkB;IAE/C,6BAA6B;IAC7B,OAAO,CAAC,YAAY,CAAC,CAAiC;;IAahD,KAAK,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAKnD,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAerD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAK1D;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAS9B;;OAEG;IACH,OAAO,IAAI,IAAI;IAOf;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,gCAAgC,GAAG,oBAAoB;IAoB7E;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,gCAAgC,EACxC,KAAK,SAAiB,GACrB,oBAAoB,CAkBtB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAExE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,GAAG,SAAS,CAKjF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,oBAAoB,EAC7B,MAAM,EAAE,cAAc,EACtB,QAAQ,CAAC,EAAE,gBAAgB,GAC1B,IAAI,CAiBN;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAmB1G"}

package/session/index.d.ts

@@ -13,7 +13,27 @@ export { TokenVault } from './token.vault';
 export type { EncBlob, VaultKey } from './token.vault';
 export type { SecretRecord, TokenStore } from './token.store';
 export { hkdfSha256, encryptValue, decryptValue, encryptAesGcm, decryptAesGcm, type EncryptedBlob, } from '@frontmcp/utils';
-export { TinyTtlCache } from './utils';
+export { transportProtocolSchema, sseTransportStateSchema, streamableHttpTransportStateSchema, statefulHttpTransportStateSchema, statelessHttpTransportStateSchema, legacySseTransportStateSchema, transportStateSchema, transportSessionSchema, sessionJwtPayloadSchema, encryptedBlobSchema, storedSessionSchema, redisConfigSchema, } from './transport-session.types';
+export type { TransportProtocol, SessionStorageMode, TransportSession, TransportState, SseTransportState, StreamableHttpTransportState, StatefulHttpTransportState, StatelessHttpTransportState, LegacySseTransportState, SessionJwtPayload, StatelessSessionJwtPayload, StoredSession, EncryptedBlob as TransportEncryptedBlob, SessionStore, SessionStorageConfig, RedisConfig, SessionSecurityConfig, } from './transport-session.types';
+export type { SessionMode, ProviderEmbedMode, EncBlob as SessionEncBlob, ProviderSnapshot, CreateSessionArgs, } from './session.types';
+export { signSession, verifySession, isSignedSession, verifyOrParseSession } from './session-crypto';
+export type { SignedSession, SessionSigningConfig } from './session-crypto';
+export { SessionRateLimiter, defaultSessionRateLimiter } from './session-rate-limiter';
+export type { SessionRateLimiterConfig, RateLimitResult } from './session-rate-limiter';
+export { TransportIdGenerator } from './session.transport';
+export { isJwt, getTokenSignatureFingerprint, deriveTypedUser, extractBearerToken, getKey, encryptJson, decryptSessionJson, safeDecrypt, resetCachedKey, TinyTtlCache, } from './utils';
 export { TypedStorage, EncryptedTypedStorage, EncryptedStorageError, StorageTokenStore, StorageAuthorizationVault, InMemoryAuthorizationVault, } from './storage';
 export type { TypedStorageOptions, TypedSetOptions, TypedSetEntry, EncryptedTypedStorageOptions, EncryptedSetOptions, EncryptedSetEntry, EncryptionKey, StoredEncryptedBlob, ClientKeyBinding, StorageTokenStoreOptions, StorageAuthorizationVaultOptions, InMemoryAuthorizationVaultOptions, } from './storage';
+export { RedisSessionStore } from './redis-session.store';
+export type { RedisSessionStoreConfig } from './redis-session.store';
+export { VercelKvSessionStore } from './vercel-kv-session.store';
+export type { VercelKvSessionConfig } from './vercel-kv-session.store';
+export { InMemoryOrchestratedTokenStore } from './orchestrated-token.store';
+export type { InMemoryOrchestratedTokenStoreOptions } from './orchestrated-token.store';
+export { InMemoryFederatedAuthSessionStore, toSessionRecord, fromSessionRecord, createFederatedAuthSession, isSessionComplete, getNextProvider, completeCurrentProvider, startNextProvider, } from './federated-auth.session';
+export type { ProviderPkce, ProviderTokens, ProviderUserInfo, CompletedProvider, FederatedAuthSession, FederatedAuthSessionRecord, FederatedAuthSessionStore, FederatedAuthSessionCreateParams, } from './federated-auth.session';
+export { redisVaultEntrySchema, EncryptedRedisVault, createEncryptedVault } from './encrypted-authorization-vault';
+export type { RedisVaultEntry, EncryptionContext } from './encrypted-authorization-vault';
+export { toEpochSeconds, isSoonExpiring, isSoonExpiringProvider, tryJwtExp } from './token.refresh';
+export type { TokenRefreshCtx, TokenRefreshResult, TokenRefresher } from './token.refresh';
 //# sourceMappingURL=index.d.ts.map

package/session/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAEL,0BAA0B,EAC1B,uBAAuB,EAEvB,UAAU,EACV,qBAAqB,EAErB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAEV,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,kBAAkB,EAClB,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,0BAA0B,EAC1B,oBAAoB,EACpB,sBAAsB,EACtB,sBAAsB,EACtB,8BAA8B,EAC9B,yBAAyB,EACzB,gBAAgB,EAEhB,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,wBAAwB,EACxB,mBAAmB,EACnB,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrG,YAAY,EACV,aAAa,EACb,wBAAwB,EACxB,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGvD,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAG9D,OAAO,EACL,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,KAAK,aAAa,GACnB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGvC,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,mBAAmB,EACnB,eAAe,EACf,aAAa,EACb,4BAA4B,EAC5B,mBAAmB,EACnB,iBAAiB,EACjB,aAAa,EACb,mBAAmB,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,gCAAgC,EAChC,iCAAiC,GAClC,MAAM,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAEL,0BAA0B,EAC1B,uBAAuB,EAEvB,UAAU,EACV,qBAAqB,EAErB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAEV,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,kBAAkB,EAClB,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,0BAA0B,EAC1B,oBAAoB,EACpB,sBAAsB,EACtB,sBAAsB,EACtB,8BAA8B,EAC9B,yBAAyB,EACzB,gBAAgB,EAEhB,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,wBAAwB,EACxB,mBAAmB,EACnB,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrG,YAAY,EACV,aAAa,EACb,wBAAwB,EACxB,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGvD,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAG9D,OAAO,EACL,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,KAAK,aAAa,GACnB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,uBAAuB,EACvB,uBAAuB,EACvB,kCAAkC,EAClC,gCAAgC,EAChC,iCAAiC,EACjC,6BAA6B,EAC7B,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACV,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,uBAAuB,EACvB,iBAAiB,EACjB,0BAA0B,EAC1B,aAAa,EACb,aAAa,IAAI,sBAAsB,EACvC,YAAY,EACZ,oBAAoB,EACpB,WAAW,EACX,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AAGnC,YAAY,EACV,WAAW,EACX,iBAAiB,EACjB,OAAO,IAAI,cAAc,EACzB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACrG,YAAY,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAG5E,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AACvF,YAAY,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAGxF,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EACL,KAAK,EACL,4BAA4B,EAC5B,eAAe,EACf,kBAAkB,EAClB,MAAM,EACN,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,cAAc,EACd,YAAY,GACb,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,mBAAmB,EACnB,eAAe,EACf,aAAa,EACb,4BAA4B,EAC5B,mBAAmB,EACnB,iBAAiB,EACjB,aAAa,EACb,mBAAmB,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,gCAAgC,EAChC,iCAAiC,GAClC,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,YAAY,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAGrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,YAAY,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,8BAA8B,EAAE,MAAM,4BAA4B,CAAC;AAC5E,YAAY,EAAE,qCAAqC,EAAE,MAAM,4BAA4B,CAAC;AAGxF,OAAO,EACL,iCAAiC,EACjC,eAAe,EACf,iBAAiB,EACjB,0BAA0B,EAC1B,iBAAiB,EACjB,eAAe,EACf,uBAAuB,EACvB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,EACpB,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AACnH,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAG1F,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,sBAAsB,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACpG,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC"}

package/session/orchestrated-token.store.d.ts

@@ -0,0 +1,155 @@
+/**
+ * Orchestrated Token Store
+ *
+ * Token store implementations for OrchestratedAuthorization.
+ * These stores manage upstream provider tokens (access + refresh) indexed
+ * by authorization ID and provider ID.
+ *
+ * Key differences from the low-level TokenStore in @frontmcp/auth:
+ * - Uses composite keys (authorizationId + providerId)
+ * - Handles access/refresh tokens as separate entries
+ * - Returns decrypted strings directly (encryption is handled internally)
+ */
+import type { TokenStore } from '../authorization/orchestrated.authorization';
+/**
+ * Options for InMemoryOrchestratedTokenStore
+ */
+export interface InMemoryOrchestratedTokenStoreOptions {
+    /**
+     * Encryption key for token storage. If not provided, tokens are stored in plain text.
+     * For production, always provide an encryption key.
+     */
+    encryptionKey?: Uint8Array;
+    /**
+     * Default TTL in milliseconds for token records.
+     * If not set and token has no expiresAt, records persist until explicitly deleted.
+     * @default undefined (no automatic expiration)
+     */
+    defaultTtlMs?: number;
+    /**
+     * Interval for cleanup of expired tokens (ms).
+     * @default 60000 (1 minute)
+     */
+    cleanupIntervalMs?: number;
+}
+/**
+ * In-Memory Orchestrated Token Store
+ *
+ * Development/testing implementation for storing upstream provider tokens.
+ * Supports optional encryption for tokens at rest.
+ *
+ * For production, use a persistent store backed by Redis or similar.
+ *
+ * @example
+ * ```typescript
+ * import { InMemoryOrchestratedTokenStore } from '@frontmcp/auth';
+ *
+ * // Without encryption (dev only)
+ * const store = new InMemoryOrchestratedTokenStore();
+ *
+ * // With encryption (recommended)
+ * const key = randomBytes(32);
+ * const store = new InMemoryOrchestratedTokenStore({ encryptionKey: key });
+ *
+ * // Store tokens
+ * await store.storeTokens('auth-123', 'github', {
+ *   accessToken: 'gho_xxxx',
+ *   refreshToken: 'ghr_yyyy',
+ *   expiresAt: Date.now() + 3600000,
+ * });
+ *
+ * // Retrieve tokens
+ * const accessToken = await store.getAccessToken('auth-123', 'github');
+ * ```
+ */
+export declare class InMemoryOrchestratedTokenStore implements TokenStore {
+    /** Token storage: Map<compositeKey, ProviderTokenRecord> */
+    private readonly tokens;
+    /** Encryption key for secure storage */
+    private readonly encryptionKey?;
+    /** Derived keys cache for HKDF */
+    private readonly derivedKeys;
+    /** Cleanup interval timer */
+    private cleanupTimer?;
+    /** Default TTL for records */
+    private readonly defaultTtlMs?;
+    constructor(options?: InMemoryOrchestratedTokenStoreOptions);
+    /**
+     * Build composite key from authorizationId and providerId
+     */
+    private buildKey;
+    /**
+     * Derive encryption key for a specific composite key using HKDF
+     */
+    private deriveKeyForRecord;
+    /**
+     * Encrypt a token record
+     */
+    private encryptRecord;
+    /**
+     * Decrypt a token record
+     */
+    private decryptRecord;
+    /**
+     * Get raw record (handles encryption if enabled)
+     */
+    private getRecord;
+    /**
+     * Retrieve decrypted access token for a provider
+     */
+    getAccessToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Retrieve decrypted refresh token for a provider
+     */
+    getRefreshToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Store tokens for a provider
+     */
+    storeTokens(authorizationId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    /**
+     * Delete tokens for a provider
+     */
+    deleteTokens(authorizationId: string, providerId: string): Promise<void>;
+    /**
+     * Check if tokens exist for a provider
+     */
+    hasTokens(authorizationId: string, providerId: string): Promise<boolean>;
+    /**
+     * Delete all tokens for an authorization
+     */
+    deleteAllForAuthorization(authorizationId: string): Promise<void>;
+    /**
+     * Get all provider IDs for an authorization
+     */
+    getProviderIds(authorizationId: string): Promise<string[]>;
+    /**
+     * Clean up expired tokens
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Stop the cleanup timer
+     */
+    dispose(): void;
+    /**
+     * Get total number of stored token records (for testing/monitoring)
+     */
+    get size(): number;
+    /**
+     * Clear all tokens (for testing)
+     */
+    clear(): void;
+    /**
+     * Migrate tokens from one authorization ID to another.
+     * Used when tokens are stored with a pending ID during federated auth
+     * and need to be accessible under the real authorization ID.
+     *
+     * @param fromAuthId - Source authorization ID (e.g., "pending:abc123")
+     * @param toAuthId - Target authorization ID (e.g., "def456")
+     */
+    migrateTokens(fromAuthId: string, toAuthId: string): Promise<void>;
+}
+//# sourceMappingURL=orchestrated-token.store.d.ts.map

package/session/orchestrated-token.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrated-token.store.d.ts","sourceRoot":"","sources":["../../src/session/orchestrated-token.store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6CAA6C,CAAC;AAe9E;;GAEG;AACH,MAAM,WAAW,qCAAqC;IACpD;;;OAGG;IACH,aAAa,CAAC,EAAE,UAAU,CAAC;IAE3B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBAAa,8BAA+B,YAAW,UAAU;IAC/D,4DAA4D;IAC5D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmD;IAE1E,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAa;IAE5C,kCAAkC;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAiC;IAE7D,6BAA6B;IAC7B,OAAO,CAAC,YAAY,CAAC,CAAiC;IAEtD,8BAA8B;IAC9B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAS;gBAE3B,OAAO,GAAE,qCAA0C;IAgB/D;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;YACW,kBAAkB;IAqBhC;;OAEG;YACW,aAAa;IAe3B;;OAEG;YACW,aAAa;IAa3B;;OAEG;YACW,SAAS;IAqCvB;;OAEG;IACG,cAAc,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKzF;;OAEG;IACG,eAAe,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAK1F;;OAEG;IACG,WAAW,CACf,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC;IAsBhB;;OAEG;IACG,YAAY,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM9E;;OAEG;IACG,SAAS,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9E;;OAEG;IACG,yBAAyB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUvE;;OAEG;IACG,cAAc,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBhE;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAgC9B;;OAEG;IACH,OAAO,IAAI,IAAI;IAOf;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,KAAK,IAAI,IAAI;IAKb;;;;;;;OAOG;IACG,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CA0CzE"}