npm - @frontmcp/auth - Versions diffs - 0.11.2 → 0.11.3 - Mend

@frontmcp/auth 0.11.2 → 0.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/authorization/authorization.class.d.ts +4 -0
package/authorization/authorization.class.d.ts.map +1 -1
package/esm/index.mjs +44 -6
package/esm/package.json +4 -4
package/index.js +43 -5
package/package.json +4 -4

package/authorization/authorization.class.d.ts CHANGED Viewed

@@ -113,6 +113,10 @@ export declare abstract class AuthorizationBase implements Authorization {
      * Convert to LLM-safe context (no tokens exposed)
      */
     toLLMSafeContext(session: TransportSession): LLMSafeAuthContext;
+    /**
+     * Check if a base64url segment decodes to a JWT-like header (contains "alg").
+     */
+    private static isJwtHeader;
     /**
      * Validate that no tokens are leaked in data
      * Throws if JWT pattern detected

package/authorization/authorization.class.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authorization.class.d.ts","sourceRoot":"","sources":["../../src/authorization/authorization.class.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,aAAa,EACb,sBAAsB,EACtB,gBAAgB,EAChB,cAAc,EACd,QAAQ,EACR,kBAAkB,EAClB,QAAQ,EACT,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAqB,MAAM,oCAAoC,CAAC;AACjH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAMjE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C;;;GAGG;AACH,8BAAsB,iBAAkB,YAAW,aAAa;;IAC9D,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACjC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC/D,QAAQ,CAAC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACzD,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC7D,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAEvC,uDAAuD;IACvD,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAKlC,yBAAyB;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B,SAAS,aAAa,GAAG,EAAE,sBAAsB;IAsBjD;;;;OAIG;IACH,sBAAsB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,gBAAgB;IAiB3F;;OAEG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIpE;;OAEG;IACH,cAAc,IAAI,gBAAgB,EAAE;IAIpC;;OAEG;IACH,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAEvD;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIhC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO;IAIvC;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO;IAItC;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAItC;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;OAIG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIvC;;;;;OAKG;IACH,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM;IAI7D;;OAEG;IACH,SAAS,IAAI,OAAO;IAKpB;;;OAGG;IACH,eAAe,IAAI,MAAM,GAAG,SAAS;IAKrC;;;OAGG;IACH,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,MAAM;IAY/C;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,gBAAgB,GAAG,kBAAkB;IAgB/D;;;OAGG;IACH,MAAM,CAAC,sBAAsB,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;~~CAcnD~~"}
1	+ {"version":3,"file":"authorization.class.d.ts","sourceRoot":"","sources":["../../src/authorization/authorization.class.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,aAAa,EACb,sBAAsB,EACtB,gBAAgB,EAChB,cAAc,EACd,QAAQ,EACR,kBAAkB,EAClB,QAAQ,EACT,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAqB,MAAM,oCAAoC,CAAC;AACjH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAMjE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C;;;GAGG;AACH,8BAAsB,iBAAkB,YAAW,aAAa;;IAC9D,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACjC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC/D,QAAQ,CAAC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACzD,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC7D,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAEvC,uDAAuD;IACvD,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAKlC,yBAAyB;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B,SAAS,aAAa,GAAG,EAAE,sBAAsB;IAsBjD;;;;OAIG;IACH,sBAAsB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,gBAAgB;IAiB3F;;OAEG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIpE;;OAEG;IACH,cAAc,IAAI,gBAAgB,EAAE;IAIpC;;OAEG;IACH,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAEvD;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIhC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO;IAIvC;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO;IAItC;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAItC;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;OAIG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIvC;;;;;OAKG;IACH,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM;IAI7D;;OAEG;IACH,SAAS,IAAI,OAAO;IAKpB;;;OAGG;IACH,eAAe,IAAI,MAAM,GAAG,SAAS;IAKrC;;;OAGG;IACH,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,MAAM;IAY/C;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,gBAAgB,GAAG,kBAAkB;IAgB/D;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAW1B;;;OAGG;IACH,MAAM,CAAC,sBAAsB,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;CAiDnD"}

package/esm/index.mjs CHANGED Viewed

@@ -2560,8 +2560,8 @@ function deriveTypedUser(claims) {
 }
 function extractBearerToken(header) {
   if (!header) return void 0;
-  const m = header.match(/^\s*Bearer\s+(.+)\s*$/i);
-  return m ? m[1].trim() : void 0;
+  const m = header.match(/^\s*Bearer\s+(\S+)\s*$/i);
+  return m ? m[1] : void 0;
 }
 // libs/auth/src/session/utils/session-crypto.utils.ts
@@ -4471,8 +4471,8 @@ var progressiveAuthStateSchema = z7.object({
 });
 // libs/auth/src/authorization/authorization.class.ts
-import { randomUUID as randomUUID10 } from "@frontmcp/utils";
-var AuthorizationBase = class {
+import { randomUUID as randomUUID10, base64urlDecode as base64urlDecode4 } from "@frontmcp/utils";
+var AuthorizationBase = class _AuthorizationBase {
   id;
   isAnonymous;
   user;
@@ -4651,14 +4651,52 @@ var AuthorizationBase = class {
       authorizedPromptIds: this.authorizedPromptIds
     };
   }
+  /**
+   * Check if a base64url segment decodes to a JWT-like header (contains "alg").
+   */
+  static isJwtHeader(segment) {
+    try {
+      const bytes = base64urlDecode4(segment);
+      const text = new TextDecoder().decode(bytes);
+      const parsed = JSON.parse(text);
+      return typeof parsed === "object" && parsed !== null && typeof parsed.alg === "string";
+    } catch {
+      return false;
+    }
+  }
   /**
    * Validate that no tokens are leaked in data
    * Throws if JWT pattern detected
    */
   static validateNoTokenLeakage(data) {
     const json = JSON.stringify(data);
-    if (/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/.test(json)) {
-      throw new TokenLeakDetectedError("JWT pattern detected in LLM context data");
+    const B64URL = /^[A-Za-z0-9_-]+$/;
+    const MIN_SEG = 2;
+    let dotIdx = json.indexOf(".");
+    while (dotIdx !== -1) {
+      let seg1Start = dotIdx;
+      while (seg1Start > 0 && /[A-Za-z0-9_-]/.test(json[seg1Start - 1])) seg1Start--;
+      const seg1Len = dotIdx - seg1Start;
+      if (seg1Len >= MIN_SEG) {
+        let seg2End = dotIdx + 1;
+        while (seg2End < json.length && /[A-Za-z0-9_-]/.test(json[seg2End])) seg2End++;
+        const seg2Len = seg2End - (dotIdx + 1);
+        if (seg2Len >= MIN_SEG && seg2End < json.length && json[seg2End] === ".") {
+          const dot2 = seg2End;
+          let seg3End = dot2 + 1;
+          while (seg3End < json.length && /[A-Za-z0-9_-]/.test(json[seg3End])) seg3End++;
+          const seg3Len = seg3End - (dot2 + 1);
+          if (seg3Len >= MIN_SEG) {
+            const seg1 = json.substring(seg1Start, dotIdx);
+            const seg2 = json.substring(dotIdx + 1, dot2);
+            const seg3 = json.substring(dot2 + 1, seg3End);
+            if (B64URL.test(seg1) && B64URL.test(seg2) && B64URL.test(seg3) && _AuthorizationBase.isJwtHeader(seg1)) {
+              throw new TokenLeakDetectedError("JWT pattern detected in LLM context data");
+            }
+          }
+        }
+      }
+      dotIdx = json.indexOf(".", dotIdx + 1);
     }
     const sensitiveFields = ["access_token", "refresh_token", "id_token", "tokenEnc", "secretRefId"];
     for (const field of sensitiveFields) {

package/esm/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/auth",
-  "version": "0.11.2",
+  "version": "0.11.3",
   "description": "FrontMCP Auth - Authentication, session management, and credential vault",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",
@@ -50,7 +50,7 @@
     "zod": "^4.0.0",
     "ioredis": "^5.0.0",
     "@vercel/kv": "^3.0.0",
-    "@frontmcp/storage-sqlite": "0.11.2"
+    "@frontmcp/storage-sqlite": "0.11.3"
   },
   "peerDependenciesMeta": {
     "ioredis": {
@@ -64,8 +64,8 @@
     }
   },
   "dependencies": {
-    "@frontmcp/utils": "0.11.2",
-    "@frontmcp/di": "0.11.2",
+    "@frontmcp/utils": "0.11.3",
+    "@frontmcp/di": "0.11.3",
     "jose": "^6.0.0"
   },
   "devDependencies": {

package/index.js CHANGED Viewed

@@ -2810,8 +2810,8 @@ function deriveTypedUser(claims) {
 }
 function extractBearerToken(header) {
   if (!header) return void 0;
-  const m = header.match(/^\s*Bearer\s+(.+)\s*$/i);
-  return m ? m[1].trim() : void 0;
+  const m = header.match(/^\s*Bearer\s+(\S+)\s*$/i);
+  return m ? m[1] : void 0;
 }
 // libs/auth/src/session/utils/session-crypto.utils.ts
@@ -4722,7 +4722,7 @@ var progressiveAuthStateSchema = import_zod7.z.object({
 // libs/auth/src/authorization/authorization.class.ts
 var import_utils27 = require("@frontmcp/utils");
-var AuthorizationBase = class {
+var AuthorizationBase = class _AuthorizationBase {
   id;
   isAnonymous;
   user;
@@ -4901,14 +4901,52 @@ var AuthorizationBase = class {
       authorizedPromptIds: this.authorizedPromptIds
     };
   }
+  /**
+   * Check if a base64url segment decodes to a JWT-like header (contains "alg").
+   */
+  static isJwtHeader(segment) {
+    try {
+      const bytes = (0, import_utils27.base64urlDecode)(segment);
+      const text = new TextDecoder().decode(bytes);
+      const parsed = JSON.parse(text);
+      return typeof parsed === "object" && parsed !== null && typeof parsed.alg === "string";
+    } catch {
+      return false;
+    }
+  }
   /**
    * Validate that no tokens are leaked in data
    * Throws if JWT pattern detected
    */
   static validateNoTokenLeakage(data) {
     const json = JSON.stringify(data);
-    if (/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/.test(json)) {
-      throw new TokenLeakDetectedError("JWT pattern detected in LLM context data");
+    const B64URL = /^[A-Za-z0-9_-]+$/;
+    const MIN_SEG = 2;
+    let dotIdx = json.indexOf(".");
+    while (dotIdx !== -1) {
+      let seg1Start = dotIdx;
+      while (seg1Start > 0 && /[A-Za-z0-9_-]/.test(json[seg1Start - 1])) seg1Start--;
+      const seg1Len = dotIdx - seg1Start;
+      if (seg1Len >= MIN_SEG) {
+        let seg2End = dotIdx + 1;
+        while (seg2End < json.length && /[A-Za-z0-9_-]/.test(json[seg2End])) seg2End++;
+        const seg2Len = seg2End - (dotIdx + 1);
+        if (seg2Len >= MIN_SEG && seg2End < json.length && json[seg2End] === ".") {
+          const dot2 = seg2End;
+          let seg3End = dot2 + 1;
+          while (seg3End < json.length && /[A-Za-z0-9_-]/.test(json[seg3End])) seg3End++;
+          const seg3Len = seg3End - (dot2 + 1);
+          if (seg3Len >= MIN_SEG) {
+            const seg1 = json.substring(seg1Start, dotIdx);
+            const seg2 = json.substring(dotIdx + 1, dot2);
+            const seg3 = json.substring(dot2 + 1, seg3End);
+            if (B64URL.test(seg1) && B64URL.test(seg2) && B64URL.test(seg3) && _AuthorizationBase.isJwtHeader(seg1)) {
+              throw new TokenLeakDetectedError("JWT pattern detected in LLM context data");
+            }
+          }
+        }
+      }
+      dotIdx = json.indexOf(".", dotIdx + 1);
     }
     const sensitiveFields = ["access_token", "refresh_token", "id_token", "tokenEnc", "secretRefId"];
     for (const field of sensitiveFields) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/auth",
-  "version": "0.11.2",
+  "version": "0.11.3",
   "description": "FrontMCP Auth - Authentication, session management, and credential vault",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",
@@ -50,7 +50,7 @@
     "zod": "^4.0.0",
     "ioredis": "^5.0.0",
     "@vercel/kv": "^3.0.0",
-    "@frontmcp/storage-sqlite": "0.11.2"
+    "@frontmcp/storage-sqlite": "0.11.3"
   },
   "peerDependenciesMeta": {
     "ioredis": {
@@ -64,8 +64,8 @@
     }
   },
   "dependencies": {
-    "@frontmcp/utils": "0.11.2",
-    "@frontmcp/di": "0.11.2",
+    "@frontmcp/utils": "0.11.3",
+    "@frontmcp/di": "0.11.3",
     "jose": "^6.0.0"
   },
   "devDependencies": {