@frontmcp/auth 0.8.1 → 0.10.0

package/README.md

@@ -1,11 +1,85 @@
-# auth
+# @frontmcp/auth
 
-This library was generated with [Nx](https://nx.dev).
+Authentication, session management, and credential vault for FrontMCP servers.
 
-## Building
+[![NPM](https://img.shields.io/npm/v/@frontmcp/auth.svg)](https://www.npmjs.com/package/@frontmcp/auth)
 
-Run `nx build auth` to build the library.
+## Install
 
-## Running unit tests
+```bash
+npm install @frontmcp/auth
+```
 
-Run `nx test auth` to execute the unit tests via [Jest](https://jestjs.io).
+> Typically consumed via `@frontmcp/sdk` — direct installation is only needed for advanced use cases.
+
+## Features
+
+- **Remote OAuth** — delegate authentication to an external IdP with optional DCR ([docs][docs-remote])
+- **Local OAuth** — built-in token issuance with configurable sign keys ([docs][docs-local])
+- **JWKS validation** — JSON Web Key Set discovery and token verification ([docs][docs-jwks])
+- **OAuth stores** — session, token, and authorization code persistence (memory, Redis, Vercel KV) ([docs][docs-stores])
+- **Credential vault** — encrypted storage for secrets and API keys ([docs][docs-vault])
+- **PKCE** — Proof Key for Code Exchange (RFC 7636) built on `@frontmcp/utils` crypto ([docs][docs-pkce])
+- **CIMD** — Client Instance Machine Detection for session continuity ([docs][docs-cimd])
+- **Auth UI templates** — consent, login, and error pages ([docs][docs-ui])
+- **Audience validation** — per-app audience and scope enforcement ([docs][docs-audience])
+- **Token vault** — secure token exchange and refresh management ([docs][docs-token-vault])
+
+## Quick Example
+
+```ts
+import { FrontMcp, App } from '@frontmcp/sdk';
+
+@FrontMcp({
+  info: { name: 'Secure Server', version: '1.0.0' },
+  apps: [MyApp],
+  auth: {
+    type: 'remote',
+    name: 'my-idp',
+    baseUrl: 'https://idp.example.com',
+  },
+})
+export default class Server {}
+```
+
+> Full guide: [Authentication Overview][docs-overview]
+
+## Docs
+
+| Topic             | Link                                           |
+| ----------------- | ---------------------------------------------- |
+| Overview          | [Authentication Overview][docs-overview]       |
+| Remote OAuth      | [Remote OAuth][docs-remote]                    |
+| Local OAuth       | [Local OAuth][docs-local]                      |
+| JWKS              | [JWKS Validation][docs-jwks]                   |
+| Session stores    | [Session Stores][docs-stores]                  |
+| Credential vault  | [Credential Vault][docs-vault]                 |
+| PKCE              | [PKCE][docs-pkce]                              |
+| CIMD              | [Client Instance Machine Detection][docs-cimd] |
+| Auth UI           | [Auth UI Templates][docs-ui]                   |
+| Audience & scopes | [Audience Validation][docs-audience]           |
+| Token vault       | [Token Vault][docs-token-vault]                |
+
+## Related Packages
+
+- [`@frontmcp/sdk`](../sdk) — core framework (imports auth internally)
+- [`@frontmcp/utils`](../utils) — crypto primitives used by PKCE and vault
+- [`@frontmcp/ui`](../ui) — consent and login page components
+
+## License
+
+Apache-2.0 — see [LICENSE](../../LICENSE).
+
+<!-- links -->
+
+[docs-overview]: https://docs.agentfront.dev/frontmcp/authentication/overview
+[docs-remote]: https://docs.agentfront.dev/frontmcp/authentication/remote
+[docs-local]: https://docs.agentfront.dev/frontmcp/authentication/local
+[docs-jwks]: https://docs.agentfront.dev/frontmcp/authentication/jwks
+[docs-stores]: https://docs.agentfront.dev/frontmcp/authentication/session-stores
+[docs-vault]: https://docs.agentfront.dev/frontmcp/authentication/credential-vault
+[docs-pkce]: https://docs.agentfront.dev/frontmcp/authentication/pkce
+[docs-cimd]: https://docs.agentfront.dev/frontmcp/authentication/cimd
+[docs-ui]: https://docs.agentfront.dev/frontmcp/authentication/auth-ui
+[docs-audience]: https://docs.agentfront.dev/frontmcp/authentication/audience
+[docs-token-vault]: https://docs.agentfront.dev/frontmcp/authentication/token-vault

package/esm/index.mjs

@@ -219,7 +219,12 @@ import { bytesToHex, randomBytes, rsaVerify, createKeyPersistence } from "@front
 
 // libs/auth/src/jwks/jwks.utils.ts
 function trimSlash(s) {
-  return (s ?? "").replace(/\/+$/, "");
+  const str = s ?? "";
+  let end = str.length;
+  while (end > 0 && str[end - 1] === "/") {
+    end--;
+  }
+  return str.slice(0, end);
 }
 function normalizeIssuer(u) {
   return trimSlash(String(u ?? ""));
@@ -2627,10 +2632,8 @@ function parseWwwAuthenticate(header) {
     return result;
   }
   const paramString = header.substring(6).trim();
-  const paramRegex = /(\w+)="([^"\\]*(?:\\.[^"\\]*)*)"/g;
-  let match;
-  while ((match = paramRegex.exec(paramString)) !== null) {
-    const [, key, value] = match;
+  const params = parseQuotedParams(paramString);
+  for (const [key, value] of params) {
     const unescapedValue = unescapeQuotedString(value);
     switch (key.toLowerCase()) {
       case "resource_metadata":
@@ -2655,6 +2658,54 @@ function parseWwwAuthenticate(header) {
   }
   return result;
 }
+function parseQuotedParams(input) {
+  const result = [];
+  let i = 0;
+  const len = input.length;
+  while (i < len) {
+    while (i < len && (input[i] === " " || input[i] === "," || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len) break;
+    const keyStart = i;
+    while (i < len && /\w/.test(input[i])) {
+      i++;
+    }
+    const key = input.slice(keyStart, i);
+    if (!key) break;
+    while (i < len && (input[i] === " " || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len || input[i] !== "=") {
+      while (i < len && input[i] !== ",") i++;
+      continue;
+    }
+    i++;
+    while (i < len && (input[i] === " " || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len || input[i] !== '"') {
+      while (i < len && input[i] !== ",") i++;
+      continue;
+    }
+    i++;
+    let value = "";
+    while (i < len && input[i] !== '"') {
+      if (input[i] === "\\" && i + 1 < len) {
+        value += input[i + 1];
+        i += 2;
+      } else {
+        value += input[i];
+        i++;
+      }
+    }
+    if (i < len && input[i] === '"') {
+      i++;
+    }
+    result.push([key, value]);
+  }
+  return result;
+}
 function escapeQuotedString(value) {
   return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
 }
@@ -2664,7 +2715,11 @@ function unescapeQuotedString(value) {
 function normalizePathSegment(path2) {
   if (!path2 || path2 === "/") return "";
   const normalized = path2.startsWith("/") ? path2 : `/${path2}`;
-  return normalized.replace(/\/+$/, "");
+  let end = normalized.length;
+  while (end > 0 && normalized[end - 1] === "/") {
+    end--;
+  }
+  return normalized.slice(0, end);
 }
 
 // libs/auth/src/utils/audience.validator.ts

package/esm/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/auth",
-  "version": "0.8.1",
+  "version": "0.10.0",
   "description": "FrontMCP Auth - Authentication, session management, and credential vault",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",
@@ -50,7 +50,7 @@
     "zod": "^4.0.0"
   },
   "dependencies": {
-    "@frontmcp/utils": "0.8.1",
+    "@frontmcp/utils": "0.10.0",
     "jose": "^6.0.0"
   },
   "devDependencies": {

package/index.js

@@ -361,7 +361,12 @@ var import_utils = require("@frontmcp/utils");
 
 // libs/auth/src/jwks/jwks.utils.ts
 function trimSlash(s) {
-  return (s ?? "").replace(/\/+$/, "");
+  const str = s ?? "";
+  let end = str.length;
+  while (end > 0 && str[end - 1] === "/") {
+    end--;
+  }
+  return str.slice(0, end);
 }
 function normalizeIssuer(u) {
   return trimSlash(String(u ?? ""));
@@ -2756,10 +2761,8 @@ function parseWwwAuthenticate(header) {
     return result;
   }
   const paramString = header.substring(6).trim();
-  const paramRegex = /(\w+)="([^"\\]*(?:\\.[^"\\]*)*)"/g;
-  let match;
-  while ((match = paramRegex.exec(paramString)) !== null) {
-    const [, key, value] = match;
+  const params = parseQuotedParams(paramString);
+  for (const [key, value] of params) {
     const unescapedValue = unescapeQuotedString(value);
     switch (key.toLowerCase()) {
       case "resource_metadata":
@@ -2784,6 +2787,54 @@ function parseWwwAuthenticate(header) {
   }
   return result;
 }
+function parseQuotedParams(input) {
+  const result = [];
+  let i = 0;
+  const len = input.length;
+  while (i < len) {
+    while (i < len && (input[i] === " " || input[i] === "," || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len) break;
+    const keyStart = i;
+    while (i < len && /\w/.test(input[i])) {
+      i++;
+    }
+    const key = input.slice(keyStart, i);
+    if (!key) break;
+    while (i < len && (input[i] === " " || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len || input[i] !== "=") {
+      while (i < len && input[i] !== ",") i++;
+      continue;
+    }
+    i++;
+    while (i < len && (input[i] === " " || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len || input[i] !== '"') {
+      while (i < len && input[i] !== ",") i++;
+      continue;
+    }
+    i++;
+    let value = "";
+    while (i < len && input[i] !== '"') {
+      if (input[i] === "\\" && i + 1 < len) {
+        value += input[i + 1];
+        i += 2;
+      } else {
+        value += input[i];
+        i++;
+      }
+    }
+    if (i < len && input[i] === '"') {
+      i++;
+    }
+    result.push([key, value]);
+  }
+  return result;
+}
 function escapeQuotedString(value) {
   return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
 }
@@ -2793,7 +2844,11 @@ function unescapeQuotedString(value) {
 function normalizePathSegment(path2) {
   if (!path2 || path2 === "/") return "";
   const normalized = path2.startsWith("/") ? path2 : `/${path2}`;
-  return normalized.replace(/\/+$/, "");
+  let end = normalized.length;
+  while (end > 0 && normalized[end - 1] === "/") {
+    end--;
+  }
+  return normalized.slice(0, end);
 }
 
 // libs/auth/src/utils/audience.validator.ts

package/jwks/jwks.utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwks.utils.d.ts","sourceRoot":"","sources":["../../src/jwks/jwks.utils.ts"],"names":[],"mappings":"AAAA,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,UAElC;AACD,wBAAgB,eAAe,CAAC,CAAC,CAAC,EAAE,MAAM,UAEzC;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAgBxF"}
+{"version":3,"file":"jwks.utils.d.ts","sourceRoot":"","sources":["../../src/jwks/jwks.utils.ts"],"names":[],"mappings":"AAAA,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,UAQlC;AACD,wBAAgB,eAAe,CAAC,CAAC,CAAC,EAAE,MAAM,UAEzC;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAgBxF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/auth",
-  "version": "0.8.1",
+  "version": "0.10.0",
   "description": "FrontMCP Auth - Authentication, session management, and credential vault",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",
@@ -50,7 +50,7 @@
     "zod": "^4.0.0"
   },
   "dependencies": {
-    "@frontmcp/utils": "0.8.1",
+    "@frontmcp/utils": "0.10.0",
     "jose": "^6.0.0"
   },
   "devDependencies": {

package/utils/www-authenticate.utils.d.ts

@@ -91,6 +91,8 @@ export declare function buildInvalidRequestHeader(prmUrl: string, description?:
 /**
  * Parse a WWW-Authenticate header value
  *
+ * Uses character-by-character parsing to avoid ReDoS vulnerabilities.
+ *
  * @param header - The WWW-Authenticate header value
  * @returns Parsed header options
  */

package/utils/www-authenticate.utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"www-authenticate.utils.d.ts","sourceRoot":"","sources":["../../src/utils/www-authenticate.utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG,eAAe,GAAG,oBAAoB,CAAC;AAEzF;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,sBAA2B,GAAG,MAAM,CAwCjF;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAIzF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAI9D;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAMpF;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAOnH;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAMtF;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,sBAAsB,CAwC3E"}
+{"version":3,"file":"www-authenticate.utils.d.ts","sourceRoot":"","sources":["../../src/utils/www-authenticate.utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG,eAAe,GAAG,oBAAoB,CAAC;AAEzF;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,sBAA2B,GAAG,MAAM,CAwCjF;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAIzF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAI9D;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAMpF;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAOnH;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAMtF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,sBAAsB,CAsC3E"}