@frontmcp/sdk 0.2.5 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +81 -99
- package/package.json +24 -2
- package/src/adapter/adapter.instance.d.ts +11 -0
- package/src/adapter/adapter.instance.js +65 -0
- package/src/adapter/adapter.instance.js.map +1 -0
- package/src/adapter/adapter.regsitry.d.ts +13 -0
- package/src/adapter/adapter.regsitry.js +54 -0
- package/src/adapter/adapter.regsitry.js.map +1 -0
- package/src/adapter/adapter.utils.d.ts +10 -0
- package/src/adapter/adapter.utils.js +83 -0
- package/src/adapter/adapter.utils.js.map +1 -0
- package/src/app/app.registry.d.ts +12 -0
- package/src/app/app.registry.js +64 -0
- package/src/app/app.registry.js.map +1 -0
- package/src/app/app.utils.d.ts +15 -0
- package/src/app/app.utils.js +58 -0
- package/src/app/app.utils.js.map +1 -0
- package/src/app/instances/app.local.instance.d.ts +25 -0
- package/src/app/instances/app.local.instance.js +70 -0
- package/src/app/instances/app.local.instance.js.map +1 -0
- package/src/app/instances/app.remote.instance.d.ts +13 -0
- package/src/app/instances/app.remote.instance.js +36 -0
- package/src/app/instances/app.remote.instance.js.map +1 -0
- package/src/app/instances/index.d.ts +2 -0
- package/src/app/instances/index.js +6 -0
- package/src/app/instances/index.js.map +1 -0
- package/src/auth/auth.registry.d.ts +13 -0
- package/src/auth/auth.registry.js +81 -0
- package/src/auth/auth.registry.js.map +1 -0
- package/src/auth/auth.utils.d.ts +10 -0
- package/src/auth/auth.utils.js +85 -0
- package/src/auth/auth.utils.js.map +1 -0
- package/src/auth/flows/oauth.authorize.flow.d.ts +231 -0
- package/src/auth/flows/oauth.authorize.flow.js +154 -0
- package/src/auth/flows/oauth.authorize.flow.js.map +1 -0
- package/src/auth/flows/oauth.register.flow.d.ts +202 -0
- package/src/auth/flows/oauth.register.flow.js +201 -0
- package/src/auth/flows/oauth.register.flow.js.map +1 -0
- package/src/auth/flows/oauth.token.flow.d.ts +242 -0
- package/src/auth/flows/oauth.token.flow.js +181 -0
- package/src/auth/flows/oauth.token.flow.js.map +1 -0
- package/src/auth/flows/session.verify.flow.d.ts +404 -0
- package/src/auth/flows/session.verify.flow.js +205 -0
- package/src/auth/flows/session.verify.flow.js.map +1 -0
- package/src/auth/flows/well-known.jwks.flow.d.ts +261 -0
- package/src/auth/flows/well-known.jwks.flow.js +82 -0
- package/src/auth/flows/well-known.jwks.flow.js.map +1 -0
- package/src/auth/flows/well-known.oauth-authorization-server.flow.d.ts +282 -0
- package/src/auth/flows/well-known.oauth-authorization-server.flow.js +123 -0
- package/src/auth/flows/well-known.oauth-authorization-server.flow.js.map +1 -0
- package/src/auth/flows/well-known.prm.flow.d.ts +159 -0
- package/src/auth/flows/well-known.prm.flow.js +107 -0
- package/src/auth/flows/well-known.prm.flow.js.map +1 -0
- package/src/auth/instances/instance.local-primary-auth.d.ts +20 -0
- package/src/auth/instances/instance.local-primary-auth.js +78 -0
- package/src/auth/instances/instance.local-primary-auth.js.map +1 -0
- package/src/auth/instances/instance.remote-primary-auth.d.ts +15 -0
- package/src/auth/instances/instance.remote-primary-auth.js +49 -0
- package/src/auth/instances/instance.remote-primary-auth.js.map +1 -0
- package/src/auth/jwks/index.d.ts +2 -0
- package/src/auth/jwks/index.js +6 -0
- package/src/auth/jwks/index.js.map +1 -0
- package/src/auth/jwks/jwks.service.d.ts +41 -0
- package/src/auth/jwks/jwks.service.js +234 -0
- package/src/auth/jwks/jwks.service.js.map +1 -0
- package/src/auth/jwks/jwks.types.d.ts +25 -0
- package/src/auth/jwks/jwks.types.js +3 -0
- package/src/auth/jwks/jwks.types.js.map +1 -0
- package/src/auth/jwks/jwks.utils.d.ts +4 -0
- package/src/auth/jwks/jwks.utils.js +32 -0
- package/src/auth/jwks/jwks.utils.js.map +1 -0
- package/src/auth/oauth/flows/oauth.authorize.flow.d.ts +31 -0
- package/src/auth/oauth/flows/oauth.authorize.flow.js +33 -0
- package/src/auth/oauth/flows/oauth.authorize.flow.js.map +1 -0
- package/src/auth/oauth/flows/oauth.device-authorization.flow.d.ts +46 -0
- package/src/auth/oauth/flows/oauth.device-authorization.flow.js +48 -0
- package/src/auth/oauth/flows/oauth.device-authorization.flow.js.map +1 -0
- package/src/auth/oauth/flows/oauth.introspect.flow.d.ts +26 -0
- package/src/auth/oauth/flows/oauth.introspect.flow.js +28 -0
- package/src/auth/oauth/flows/oauth.introspect.flow.js.map +1 -0
- package/src/auth/oauth/flows/oauth.par.flow.d.ts +27 -0
- package/src/auth/oauth/flows/oauth.par.flow.js +29 -0
- package/src/auth/oauth/flows/oauth.par.flow.js.map +1 -0
- package/src/auth/oauth/flows/oauth.revoke.flow.d.ts +25 -0
- package/src/auth/oauth/flows/oauth.revoke.flow.js +27 -0
- package/src/auth/oauth/flows/oauth.revoke.flow.js.map +1 -0
- package/src/auth/oauth/flows/oauth.token.flow.d.ts +57 -0
- package/src/auth/oauth/flows/oauth.token.flow.js +59 -0
- package/src/auth/oauth/flows/oauth.token.flow.js.map +1 -0
- package/src/auth/oauth/flows/oauth.userinfo.flow.d.ts +22 -0
- package/src/auth/oauth/flows/oauth.userinfo.flow.js +24 -0
- package/src/auth/oauth/flows/oauth.userinfo.flow.js.map +1 -0
- package/src/auth/oauth/flows/oidc.logout.flow.d.ts +18 -0
- package/src/auth/oauth/flows/oidc.logout.flow.js +20 -0
- package/src/auth/oauth/flows/oidc.logout.flow.js.map +1 -0
- package/src/auth/path.utils.d.ts +20 -0
- package/src/auth/path.utils.js +71 -0
- package/src/auth/path.utils.js.map +1 -0
- package/src/auth/session/index.d.ts +4 -0
- package/src/auth/session/index.js +10 -0
- package/src/auth/session/index.js.map +1 -0
- package/src/auth/session/record/session.base.d.ts +103 -0
- package/src/auth/session/record/session.base.js +123 -0
- package/src/auth/session/record/session.base.js.map +1 -0
- package/src/auth/session/record/session.stateful.d.ts +20 -0
- package/src/auth/session/record/session.stateful.js +55 -0
- package/src/auth/session/record/session.stateful.js.map +1 -0
- package/src/auth/session/record/session.stateless.d.ts +17 -0
- package/src/auth/session/record/session.stateless.js +30 -0
- package/src/auth/session/record/session.stateless.js.map +1 -0
- package/src/auth/session/record/session.transparent.d.ts +17 -0
- package/src/auth/session/record/session.transparent.js +22 -0
- package/src/auth/session/record/session.transparent.js.map +1 -0
- package/src/auth/session/session.crypto.d.ts +7 -0
- package/src/auth/session/session.crypto.js +47 -0
- package/src/auth/session/session.crypto.js.map +1 -0
- package/src/auth/session/session.schema.d.ts +5 -0
- package/src/auth/session/session.schema.js +13 -0
- package/src/auth/session/session.schema.js.map +1 -0
- package/src/auth/session/session.service.d.ts +17 -0
- package/src/auth/session/session.service.js +111 -0
- package/src/auth/session/session.service.js.map +1 -0
- package/src/auth/session/session.transport.d.ts +4 -0
- package/src/auth/session/session.transport.js +20 -0
- package/src/auth/session/session.transport.js.map +1 -0
- package/src/auth/session/session.types.d.ts +65 -0
- package/src/auth/session/session.types.js +4 -0
- package/src/auth/session/session.types.js.map +1 -0
- package/src/auth/session/token.refresh.d.ts +60 -0
- package/src/auth/session/token.refresh.js +63 -0
- package/src/auth/session/token.refresh.js.map +1 -0
- package/src/auth/session/token.store.d.ts +35 -0
- package/src/auth/session/token.store.js +53 -0
- package/src/auth/session/token.store.js.map +1 -0
- package/src/auth/session/token.vault.d.ts +26 -0
- package/src/auth/session/token.vault.js +54 -0
- package/src/auth/session/token.vault.js.map +1 -0
- package/src/auth/session/utils/auth-token.utils.d.ts +11 -0
- package/src/auth/session/utils/auth-token.utils.js +57 -0
- package/src/auth/session/utils/auth-token.utils.js.map +1 -0
- package/src/auth/session/utils/session-id.utils.d.ts +17 -0
- package/src/auth/session/utils/session-id.utils.js +129 -0
- package/src/auth/session/utils/session-id.utils.js.map +1 -0
- package/src/auth/session/utils/tiny-ttl-cache.d.ts +7 -0
- package/src/auth/session/utils/tiny-ttl-cache.js +26 -0
- package/src/auth/session/utils/tiny-ttl-cache.js.map +1 -0
- package/src/common/common.schema.d.ts +29 -0
- package/src/common/common.schema.js +35 -0
- package/src/common/common.schema.js.map +1 -0
- package/src/common/constants.d.ts +2 -0
- package/src/common/constants.js +8 -0
- package/src/common/constants.js.map +1 -0
- package/src/common/decorators/adapter.decorator.js.map +1 -0
- package/src/common/decorators/app.decorator.js.map +1 -0
- package/src/common/decorators/auth-provider.decorator.js.map +1 -0
- package/src/common/decorators/flow.decorator.js.map +1 -0
- package/src/common/decorators/front-mcp.decorator.js +40 -0
- package/src/common/decorators/front-mcp.decorator.js.map +1 -0
- package/src/common/decorators/hook.decorator.js.map +1 -0
- package/src/common/decorators/index.js.map +1 -0
- package/src/common/decorators/logger.decorator.js.map +1 -0
- package/src/common/decorators/plugin.decorator.js.map +1 -0
- package/src/common/decorators/prompt.decorator.js.map +1 -0
- package/src/common/decorators/provider.decorator.js.map +1 -0
- package/src/common/decorators/resource.decorator.js.map +1 -0
- package/src/common/decorators/tool.decorator.d.ts +42 -0
- package/src/common/decorators/tool.decorator.js +46 -0
- package/src/common/decorators/tool.decorator.js.map +1 -0
- package/src/common/decorators-old/async-with.decorator.d.ts +10 -0
- package/src/common/decorators-old/async-with.decorator.js +24 -0
- package/src/common/decorators-old/async-with.decorator.js.map +1 -0
- package/src/common/decorators-old/auth-hook.decorator.js.map +1 -0
- package/src/common/decorators-old/session-hook.decorator.js.map +1 -0
- package/src/common/dynamic/dynamic.adapter.js.map +1 -0
- package/src/common/dynamic/dynamic.plugin.js.map +1 -0
- package/src/common/dynamic/dynamic.utils.d.ts +3 -0
- package/src/common/dynamic/dynamic.utils.js.map +1 -0
- package/src/common/dynamic/index.js.map +1 -0
- package/src/common/entries/adapter.entry.js.map +1 -0
- package/src/common/entries/app.entry.d.ts +13 -0
- package/src/common/entries/app.entry.js.map +1 -0
- package/src/common/entries/auth-provider.entry.js.map +1 -0
- package/src/common/entries/base.entry.js.map +1 -0
- package/src/common/entries/flow.entry.js.map +1 -0
- package/src/common/entries/hook.entry.js.map +1 -0
- package/src/common/entries/index.js.map +1 -0
- package/src/common/entries/logger.entry.js.map +1 -0
- package/src/common/entries/plugin.entry.js.map +1 -0
- package/src/common/entries/prompt.entry.js.map +1 -0
- package/src/common/entries/provider.entry.js.map +1 -0
- package/src/common/entries/resource.entry.js.map +1 -0
- package/src/common/entries/scope.entry.d.ts +19 -0
- package/src/common/entries/scope.entry.js +14 -0
- package/src/common/entries/scope.entry.js.map +1 -0
- package/src/common/entries/tool.entry.js.map +1 -0
- package/src/common/index.d.ts +17 -0
- package/src/common/index.js +21 -0
- package/src/common/index.js.map +1 -0
- package/src/common/interfaces/adapter.interface.js.map +1 -0
- package/src/common/interfaces/app.interface.js.map +1 -0
- package/src/common/interfaces/auth-hook.interface.js.map +1 -0
- package/src/common/interfaces/auth-provider.interface.js.map +1 -0
- package/src/common/interfaces/base.interface.js.map +1 -0
- package/src/common/interfaces/flow.interface.d.ts +41 -0
- package/src/common/interfaces/flow.interface.js.map +1 -0
- package/src/common/interfaces/front-mcp.interface.js.map +1 -0
- package/src/common/interfaces/hook.interface.js.map +1 -0
- package/src/common/interfaces/index.js.map +1 -0
- package/src/common/interfaces/internal/flow.utils.d.ts +23 -0
- package/src/common/interfaces/internal/flow.utils.js.map +1 -0
- package/src/common/interfaces/internal/index.js.map +1 -0
- package/src/common/interfaces/internal/primary-auth-provider.interface.d.ts +24 -0
- package/src/common/interfaces/internal/primary-auth-provider.interface.js.map +1 -0
- package/src/common/interfaces/internal/registry.interface.d.ts +95 -0
- package/src/common/interfaces/internal/registry.interface.js.map +1 -0
- package/src/common/interfaces/logger.interface.js.map +1 -0
- package/src/common/interfaces/plugin.interface.js.map +1 -0
- package/src/common/interfaces/prompt.interface.js.map +1 -0
- package/src/common/interfaces/provider.interface.js.map +1 -0
- package/src/common/interfaces/resource.interface.js.map +1 -0
- package/src/common/interfaces/scope.interface.js.map +1 -0
- package/src/common/interfaces/server.interface.js.map +1 -0
- package/src/common/interfaces/session-hook.interface.js.map +1 -0
- package/src/common/interfaces/tool-hook.interface.js.map +1 -0
- package/src/common/interfaces/tool.interface.js.map +1 -0
- package/src/common/metadata/adapter.metadata.js.map +1 -0
- package/src/common/metadata/app.metadata.d.ts +872 -0
- package/src/common/metadata/app.metadata.js.map +1 -0
- package/src/common/metadata/auth-provider.metadata.js.map +1 -0
- package/src/common/metadata/flow.metadata.d.ts +77 -0
- package/src/common/metadata/flow.metadata.js.map +1 -0
- package/src/common/metadata/front-mcp.metadata.d.ts +1144 -0
- package/src/common/metadata/front-mcp.metadata.js.map +1 -0
- package/src/common/metadata/hook.metadata.js.map +1 -0
- package/src/common/metadata/index.js.map +1 -0
- package/src/common/metadata/logger.metadata.js.map +1 -0
- package/src/common/metadata/plugin.metadata.js.map +1 -0
- package/src/common/metadata/prompt.metadata.js.map +1 -0
- package/src/common/metadata/provider.metadata.js.map +1 -0
- package/src/common/metadata/resource.metadata.js.map +1 -0
- package/src/common/metadata/tool.metadata.d.ts +178 -0
- package/src/common/metadata/tool.metadata.js.map +1 -0
- package/src/common/providers/session.provider.js.map +1 -0
- package/src/common/records/adapter.record.js.map +1 -0
- package/src/common/records/app.record.js.map +1 -0
- package/src/common/records/auth-provider.record.js.map +1 -0
- package/src/common/records/flow.record.js.map +1 -0
- package/src/common/records/hook.record.js.map +1 -0
- package/src/common/records/index.js.map +1 -0
- package/src/common/records/logger.record.d.ts +11 -0
- package/src/common/records/logger.record.js.map +1 -0
- package/src/common/records/plugin.record.js.map +1 -0
- package/src/common/records/prompt.record.js.map +1 -0
- package/src/common/records/provider.record.js.map +1 -0
- package/src/common/records/resource.record.js.map +1 -0
- package/src/common/records/scope.record.d.ts +18 -0
- package/src/common/records/scope.record.js.map +1 -0
- package/src/common/records/tool.record.js.map +1 -0
- package/src/common/schemas/annotated-class.schema.js.map +1 -0
- package/src/common/schemas/http-input.schema.js.map +1 -0
- package/src/common/schemas/http-output.schema.d.ts +2011 -0
- package/src/common/schemas/http-output.schema.js.map +1 -0
- package/src/common/schemas/index.js.map +1 -0
- package/src/common/tokens/adapter.tokens.js.map +1 -0
- package/src/common/tokens/app.tokens.js.map +1 -0
- package/src/common/tokens/auth-provider.tokens.js.map +1 -0
- package/src/common/tokens/base.tokens.js.map +1 -0
- package/src/common/tokens/flow-hook.tokens.js.map +1 -0
- package/src/common/tokens/flow.tokens.js.map +1 -0
- package/src/common/tokens/front-mcp.tokens.js.map +1 -0
- package/src/common/tokens/index.js.map +1 -0
- package/src/common/tokens/logger.tokens.js.map +1 -0
- package/src/common/tokens/plugin.tokens.js.map +1 -0
- package/src/common/tokens/prompt.tokens.js.map +1 -0
- package/src/common/tokens/provider.tokens.js.map +1 -0
- package/src/common/tokens/resource.tokens.js.map +1 -0
- package/src/common/tokens/server.tokens.js.map +1 -0
- package/src/common/tokens/tool.tokens.js.map +1 -0
- package/src/common/types/auth/index.js.map +1 -0
- package/src/common/types/auth/jwt.types.js.map +1 -0
- package/src/common/types/auth/session.types.d.ts +263 -0
- package/src/common/types/auth/session.types.js.map +1 -0
- package/src/common/types/common.types.js.map +1 -0
- package/src/common/types/index.js.map +1 -0
- package/src/common/types/options/auth.options.d.ts +513 -0
- package/src/common/types/options/auth.options.js.map +1 -0
- package/src/common/types/options/http.options.js.map +1 -0
- package/src/common/types/options/index.js.map +1 -0
- package/src/common/types/options/logging.options.d.ts +39 -0
- package/src/common/types/options/logging.options.js.map +1 -0
- package/src/common/types/options/server-info.options.d.ts +48 -0
- package/src/common/types/options/server-info.options.js.map +1 -0
- package/src/common/types/options/session.options.d.ts +67 -0
- package/src/common/types/options/session.options.js.map +1 -0
- package/src/common/utils/decide-request-intent.utils.d.ts +79 -0
- package/src/common/utils/decide-request-intent.utils.js.map +1 -0
- package/src/common/utils/index.js.map +1 -0
- package/src/common/utils/path.utils.d.ts +20 -0
- package/src/common/utils/path.utils.js.map +1 -0
- package/src/exceptions/mcp-exceptions/session-missing.exception.d.ts +3 -0
- package/src/exceptions/mcp-exceptions/session-missing.exception.js +11 -0
- package/src/exceptions/mcp-exceptions/session-missing.exception.js.map +1 -0
- package/src/exceptions/mcp-exceptions/unsupported-client-version.exception.d.ts +5 -0
- package/src/exceptions/mcp-exceptions/unsupported-client-version.exception.js +15 -0
- package/src/exceptions/mcp-exceptions/unsupported-client-version.exception.js.map +1 -0
- package/src/flows/flow.instance.d.ts +16 -0
- package/src/flows/flow.instance.js +332 -0
- package/src/flows/flow.instance.js.map +1 -0
- package/src/flows/flow.registry.d.ts +14 -0
- package/src/flows/flow.registry.js +79 -0
- package/src/flows/flow.registry.js.map +1 -0
- package/src/flows/flow.stages.d.ts +12 -0
- package/src/flows/flow.stages.js +110 -0
- package/src/flows/flow.stages.js.map +1 -0
- package/src/flows/flow.utils.d.ts +8 -0
- package/src/flows/flow.utils.js +36 -0
- package/src/flows/flow.utils.js.map +1 -0
- package/src/front-mcp/front-mcp.d.ts +12 -0
- package/src/front-mcp/front-mcp.js +44 -0
- package/src/front-mcp/front-mcp.js.map +1 -0
- package/src/front-mcp/front-mcp.providers.d.ts +198 -0
- package/src/front-mcp/front-mcp.providers.js +30 -0
- package/src/front-mcp/front-mcp.providers.js.map +1 -0
- package/src/front-mcp/front-mcp.tokens.d.ts +2 -0
- package/src/front-mcp/front-mcp.tokens.js +5 -0
- package/src/front-mcp/front-mcp.tokens.js.map +1 -0
- package/src/front-mcp/index.d.ts +1 -0
- package/src/front-mcp/index.js +5 -0
- package/src/front-mcp/index.js.map +1 -0
- package/src/hooks/hook.instance.d.ts +7 -0
- package/src/hooks/hook.instance.js +23 -0
- package/src/hooks/hook.instance.js.map +1 -0
- package/src/hooks/hook.registry.d.ts +34 -0
- package/src/hooks/hook.registry.js +138 -0
- package/src/hooks/hook.registry.js.map +1 -0
- package/src/hooks/hooks.utils.d.ts +3 -0
- package/src/hooks/hooks.utils.js +27 -0
- package/src/hooks/hooks.utils.js.map +1 -0
- package/src/index.d.ts +21 -18
- package/src/index.js +9 -18
- package/src/index.js.map +1 -1
- package/src/logger/instances/instance.console-logger.d.ts +10 -0
- package/src/logger/instances/instance.console-logger.js +75 -0
- package/src/logger/instances/instance.console-logger.js.map +1 -0
- package/src/logger/instances/instance.logger.d.ts +24 -0
- package/src/logger/instances/instance.logger.js +77 -0
- package/src/logger/instances/instance.logger.js.map +1 -0
- package/src/logger/logger.registry.d.ts +13 -0
- package/src/logger/logger.registry.js +91 -0
- package/src/logger/logger.registry.js.map +1 -0
- package/src/logger/logger.tokens.d.ts +1 -0
- package/src/logger/logger.tokens.js +3 -0
- package/src/logger/logger.tokens.js.map +1 -0
- package/src/logger/logger.types.d.ts +10 -0
- package/src/logger/logger.types.js +8 -0
- package/src/logger/logger.types.js.map +1 -0
- package/src/logger/logger.utils.d.ts +15 -0
- package/src/logger/logger.utils.js +42 -0
- package/src/logger/logger.utils.js.map +1 -0
- package/src/plugin/plugin.registry.d.ts +24 -0
- package/src/plugin/plugin.registry.js +137 -0
- package/src/plugin/plugin.registry.js.map +1 -0
- package/src/plugin/plugin.utils.d.ts +10 -0
- package/src/plugin/plugin.utils.js +88 -0
- package/src/plugin/plugin.utils.js.map +1 -0
- package/src/prompt/prompt.registry.d.ts +16 -0
- package/src/prompt/prompt.registry.js +34 -0
- package/src/prompt/prompt.registry.js.map +1 -0
- package/src/provider/provider.registry.d.ts +75 -0
- package/src/provider/provider.registry.js +679 -0
- package/src/provider/provider.registry.js.map +1 -0
- package/src/provider/provider.types.d.ts +9 -0
- package/src/provider/provider.types.js +3 -0
- package/src/provider/provider.types.js.map +1 -0
- package/src/provider/provider.utils.d.ts +13 -0
- package/src/provider/provider.utils.js +103 -0
- package/src/provider/provider.utils.js.map +1 -0
- package/src/regsitry/index.d.ts +1 -0
- package/src/regsitry/index.js +5 -0
- package/src/regsitry/index.js.map +1 -0
- package/src/regsitry/registry.base.d.ts +25 -0
- package/src/regsitry/registry.base.js +32 -0
- package/src/regsitry/registry.base.js.map +1 -0
- package/src/resource/resource.registry.d.ts +15 -0
- package/src/resource/resource.registry.js +31 -0
- package/src/resource/resource.registry.js.map +1 -0
- package/src/scope/flows/http.request.flow.d.ts +384 -0
- package/src/scope/flows/http.request.flow.js +210 -0
- package/src/scope/flows/http.request.flow.js.map +1 -0
- package/src/scope/index.d.ts +1 -0
- package/src/scope/index.js +6 -0
- package/src/scope/index.js.map +1 -0
- package/src/scope/scope.instance.d.ts +35 -0
- package/src/scope/scope.instance.js +126 -0
- package/src/scope/scope.instance.js.map +1 -0
- package/src/scope/scope.registry.d.ts +10 -0
- package/src/scope/scope.registry.js +94 -0
- package/src/scope/scope.registry.js.map +1 -0
- package/src/scope/scope.utils.d.ts +13 -0
- package/src/scope/scope.utils.js +61 -0
- package/src/scope/scope.utils.js.map +1 -0
- package/src/server/adapters/base.host.adapter.d.ts +7 -0
- package/src/server/adapters/base.host.adapter.js +8 -0
- package/src/server/adapters/base.host.adapter.js.map +1 -0
- package/src/server/adapters/express.host.adapter.d.ts +12 -0
- package/src/server/adapters/express.host.adapter.js +50 -0
- package/src/server/adapters/express.host.adapter.js.map +1 -0
- package/src/server/server.instance.d.ts +12 -0
- package/src/server/server.instance.js +47 -0
- package/src/server/server.instance.js.map +1 -0
- package/src/server/server.types.d.ts +24 -0
- package/src/server/server.types.js +3 -0
- package/src/server/server.types.js.map +1 -0
- package/src/server/server.validation.d.ts +2 -0
- package/src/server/server.validation.js +192 -0
- package/src/server/server.validation.js.map +1 -0
- package/src/store/adapters/store.base.adapter.d.ts +21 -0
- package/src/store/adapters/store.base.adapter.js +16 -0
- package/src/store/adapters/store.base.adapter.js.map +1 -0
- package/src/store/adapters/store.memory.adapter.d.ts +26 -0
- package/src/store/adapters/store.memory.adapter.js +87 -0
- package/src/store/adapters/store.memory.adapter.js.map +1 -0
- package/src/store/adapters/store.redis.adapter.d.ts +33 -0
- package/src/store/adapters/store.redis.adapter.js +104 -0
- package/src/store/adapters/store.redis.adapter.js.map +1 -0
- package/src/store/index.d.ts +8 -0
- package/src/store/index.js +12 -0
- package/src/store/index.js.map +1 -0
- package/src/store/store.helpers.d.ts +9 -0
- package/src/store/store.helpers.js +67 -0
- package/src/store/store.helpers.js.map +1 -0
- package/src/store/store.registry.d.ts +13 -0
- package/src/store/store.registry.js +37 -0
- package/src/store/store.registry.js.map +1 -0
- package/src/store/store.tokens.d.ts +3 -0
- package/src/store/store.tokens.js +7 -0
- package/src/store/store.tokens.js.map +1 -0
- package/src/store/store.types.d.ts +64 -0
- package/src/store/store.types.js +11 -0
- package/src/store/store.types.js.map +1 -0
- package/src/store/store.utils.d.ts +8 -0
- package/src/store/store.utils.js +18 -0
- package/src/store/store.utils.js.map +1 -0
- package/src/tool/flows/call-tool.flow.d.ts +875 -0
- package/src/tool/flows/call-tool.flow.js +249 -0
- package/src/tool/flows/call-tool.flow.js.map +1 -0
- package/src/tool/flows/tools-list.flow.d.ts +771 -0
- package/src/tool/flows/tools-list.flow.js +149 -0
- package/src/tool/flows/tools-list.flow.js.map +1 -0
- package/src/tool/tool.events.d.ts +17 -0
- package/src/tool/tool.events.js +16 -0
- package/src/tool/tool.events.js.map +1 -0
- package/src/tool/tool.instance.d.ts +15 -0
- package/src/tool/tool.instance.js +68 -0
- package/src/tool/tool.instance.js.map +1 -0
- package/src/tool/tool.registry.d.ts +72 -0
- package/src/tool/tool.registry.js +339 -0
- package/src/tool/tool.registry.js.map +1 -0
- package/src/tool/tool.types.d.ts +25 -0
- package/src/tool/tool.types.js +10 -0
- package/src/tool/tool.types.js.map +1 -0
- package/src/tool/tool.utils.d.ts +20 -0
- package/src/tool/tool.utils.js +157 -0
- package/src/tool/tool.utils.js.map +1 -0
- package/src/transport/adapters/transport.local.adapter.d.ts +41 -0
- package/src/transport/adapters/transport.local.adapter.js +127 -0
- package/src/transport/adapters/transport.local.adapter.js.map +1 -0
- package/src/transport/adapters/transport.sse.adapter.d.ts +14 -0
- package/src/transport/adapters/transport.sse.adapter.js +64 -0
- package/src/transport/adapters/transport.sse.adapter.js.map +1 -0
- package/src/transport/adapters/transport.streamable-http.adapter.d.ts +13 -0
- package/src/transport/adapters/transport.streamable-http.adapter.js +65 -0
- package/src/transport/adapters/transport.streamable-http.adapter.js.map +1 -0
- package/src/transport/flows/handle.sse.flow.d.ts +92 -0
- package/src/transport/flows/handle.sse.flow.js +129 -0
- package/src/transport/flows/handle.sse.flow.js.map +1 -0
- package/src/transport/flows/handle.streamable-http.flow.d.ts +93 -0
- package/src/transport/flows/handle.streamable-http.flow.js +125 -0
- package/src/transport/flows/handle.streamable-http.flow.js.map +1 -0
- package/src/transport/legacy/legacy.sse.tranporter.d.ts +75 -0
- package/src/transport/legacy/legacy.sse.tranporter.js +170 -0
- package/src/transport/legacy/legacy.sse.tranporter.js.map +1 -0
- package/src/transport/mcp-handlers/Initialized-notification.hanlder.d.ts +3 -0
- package/src/transport/mcp-handlers/Initialized-notification.hanlder.js +14 -0
- package/src/transport/mcp-handlers/Initialized-notification.hanlder.js.map +1 -0
- package/src/transport/mcp-handlers/call-tool-request.handler.d.ts +3 -0
- package/src/transport/mcp-handlers/call-tool-request.handler.js +15 -0
- package/src/transport/mcp-handlers/call-tool-request.handler.js.map +1 -0
- package/src/transport/mcp-handlers/index.d.ts +521 -0
- package/src/transport/mcp-handlers/index.js +20 -0
- package/src/transport/mcp-handlers/index.js.map +1 -0
- package/src/transport/mcp-handlers/initialize-request.handler.d.ts +3 -0
- package/src/transport/mcp-handlers/initialize-request.handler.js +33 -0
- package/src/transport/mcp-handlers/initialize-request.handler.js.map +1 -0
- package/src/transport/mcp-handlers/list-tools-request.handler.d.ts +285 -0
- package/src/transport/mcp-handlers/list-tools-request.handler.js +11 -0
- package/src/transport/mcp-handlers/list-tools-request.handler.js.map +1 -0
- package/src/transport/mcp-handlers/mcp-handlers.types.d.ts +37 -0
- package/src/transport/mcp-handlers/mcp-handlers.types.js +3 -0
- package/src/transport/mcp-handlers/mcp-handlers.types.js.map +1 -0
- package/src/transport/transport.error.d.ts +4 -0
- package/src/transport/transport.error.js +25 -0
- package/src/transport/transport.error.js.map +1 -0
- package/src/transport/transport.event-store.d.ts +10 -0
- package/src/transport/transport.event-store.js +36 -0
- package/src/transport/transport.event-store.js.map +1 -0
- package/src/transport/transport.local.d.ts +17 -0
- package/src/transport/transport.local.js +65 -0
- package/src/transport/transport.local.js.map +1 -0
- package/src/transport/transport.registry.d.ts +23 -0
- package/src/transport/transport.registry.js +138 -0
- package/src/transport/transport.registry.js.map +1 -0
- package/src/transport/transport.remote.d.ts +15 -0
- package/src/transport/transport.remote.js +31 -0
- package/src/transport/transport.remote.js.map +1 -0
- package/src/transport/transport.types.d.ts +54 -0
- package/src/transport/transport.types.js +3 -0
- package/src/transport/transport.types.js.map +1 -0
- package/src/types/drinen-hooks.types.d.ts +20 -0
- package/src/types/drinen-hooks.types.js +3 -0
- package/src/types/drinen-hooks.types.js.map +1 -0
- package/src/types/invoke.type.d.ts +15 -0
- package/src/types/invoke.type.js +34 -0
- package/src/types/invoke.type.js.map +1 -0
- package/src/types/token.types.d.ts +1 -0
- package/src/types/token.types.js +3 -0
- package/src/types/token.types.js.map +1 -0
- package/src/utils/metadata.utils.d.ts +5 -0
- package/src/utils/metadata.utils.js +26 -0
- package/src/utils/metadata.utils.js.map +1 -0
- package/src/utils/server.utils.d.ts +19 -0
- package/src/utils/server.utils.js +59 -0
- package/src/utils/server.utils.js.map +1 -0
- package/src/utils/string.utils.d.ts +1 -0
- package/src/utils/string.utils.js +10 -0
- package/src/utils/string.utils.js.map +1 -0
- package/src/utils/token.utils.d.ts +11 -0
- package/src/utils/token.utils.js +65 -0
- package/src/utils/token.utils.js.map +1 -0
- package/src/utils/types.utils.d.ts +7 -0
- package/src/utils/types.utils.js +3 -0
- package/src/utils/types.utils.js.map +1 -0
- package/src/constants.d.ts +0 -30
- package/src/constants.js +0 -36
- package/src/constants.js.map +0 -1
- package/src/decorators/adapter.decorator.js.map +0 -1
- package/src/decorators/app.decorator.js.map +0 -1
- package/src/decorators/auth-provider.decorator.js.map +0 -1
- package/src/decorators/flow.decorator.js.map +0 -1
- package/src/decorators/front-mcp.decorator.js +0 -40
- package/src/decorators/front-mcp.decorator.js.map +0 -1
- package/src/decorators/hook.decorator.js.map +0 -1
- package/src/decorators/index.js.map +0 -1
- package/src/decorators/logger.decorator.js.map +0 -1
- package/src/decorators/plugin.decorator.js.map +0 -1
- package/src/decorators/prompt.decorator.js.map +0 -1
- package/src/decorators/provider.decorator.js.map +0 -1
- package/src/decorators/resource.decorator.js.map +0 -1
- package/src/decorators/tool.decorator.d.ts +0 -42
- package/src/decorators/tool.decorator.js +0 -45
- package/src/decorators/tool.decorator.js.map +0 -1
- package/src/decorators-old/async-with.decorator.d.ts +0 -9
- package/src/decorators-old/async-with.decorator.js +0 -23
- package/src/decorators-old/async-with.decorator.js.map +0 -1
- package/src/decorators-old/auth-hook.decorator.js.map +0 -1
- package/src/decorators-old/session-hook.decorator.js.map +0 -1
- package/src/decorators-old/tool-hook.decorator.d.ts +0 -14
- package/src/decorators-old/tool-hook.decorator.js +0 -27
- package/src/decorators-old/tool-hook.decorator.js.map +0 -1
- package/src/dynamic/dynamic.adapter.js.map +0 -1
- package/src/dynamic/dynamic.plugin.js.map +0 -1
- package/src/dynamic/dynamic.utils.d.ts +0 -3
- package/src/dynamic/dynamic.utils.js.map +0 -1
- package/src/dynamic/index.js.map +0 -1
- package/src/entries/adapter.entry.js.map +0 -1
- package/src/entries/app.entry.d.ts +0 -13
- package/src/entries/app.entry.js.map +0 -1
- package/src/entries/auth-provider.entry.js.map +0 -1
- package/src/entries/base.entry.js.map +0 -1
- package/src/entries/flow.entry.js.map +0 -1
- package/src/entries/hook.entry.js.map +0 -1
- package/src/entries/index.js.map +0 -1
- package/src/entries/logger.entry.js.map +0 -1
- package/src/entries/plugin.entry.js.map +0 -1
- package/src/entries/prompt.entry.js.map +0 -1
- package/src/entries/provider.entry.js.map +0 -1
- package/src/entries/resource.entry.js.map +0 -1
- package/src/entries/scope.entry.d.ts +0 -18
- package/src/entries/scope.entry.js +0 -8
- package/src/entries/scope.entry.js.map +0 -1
- package/src/entries/tool.entry.js.map +0 -1
- package/src/interfaces/adapter.interface.js.map +0 -1
- package/src/interfaces/app.interface.js.map +0 -1
- package/src/interfaces/auth-hook.interface.js.map +0 -1
- package/src/interfaces/auth-provider.interface.js.map +0 -1
- package/src/interfaces/base.interface.js.map +0 -1
- package/src/interfaces/flow.interface.d.ts +0 -41
- package/src/interfaces/flow.interface.js.map +0 -1
- package/src/interfaces/front-mcp.interface.js.map +0 -1
- package/src/interfaces/hook.interface.js.map +0 -1
- package/src/interfaces/index.js.map +0 -1
- package/src/interfaces/internal/flow.utils.d.ts +0 -24
- package/src/interfaces/internal/flow.utils.js.map +0 -1
- package/src/interfaces/internal/index.js.map +0 -1
- package/src/interfaces/internal/primary-auth-provider.interface.d.ts +0 -24
- package/src/interfaces/internal/primary-auth-provider.interface.js.map +0 -1
- package/src/interfaces/internal/registry.interface.d.ts +0 -97
- package/src/interfaces/internal/registry.interface.js.map +0 -1
- package/src/interfaces/logger.interface.js.map +0 -1
- package/src/interfaces/plugin.interface.js.map +0 -1
- package/src/interfaces/prompt.interface.js.map +0 -1
- package/src/interfaces/provider.interface.js.map +0 -1
- package/src/interfaces/resource.interface.js.map +0 -1
- package/src/interfaces/scope.interface.js.map +0 -1
- package/src/interfaces/server.interface.js.map +0 -1
- package/src/interfaces/session-hook.interface.js.map +0 -1
- package/src/interfaces/tool-hook.interface.js.map +0 -1
- package/src/interfaces/tool.interface.js.map +0 -1
- package/src/metadata/adapter.metadata.js.map +0 -1
- package/src/metadata/app.metadata.d.ts +0 -872
- package/src/metadata/app.metadata.js.map +0 -1
- package/src/metadata/auth-provider.metadata.js.map +0 -1
- package/src/metadata/flow.metadata.d.ts +0 -77
- package/src/metadata/flow.metadata.js.map +0 -1
- package/src/metadata/front-mcp.metadata.d.ts +0 -1144
- package/src/metadata/front-mcp.metadata.js.map +0 -1
- package/src/metadata/hook.metadata.js.map +0 -1
- package/src/metadata/index.js.map +0 -1
- package/src/metadata/logger.metadata.js.map +0 -1
- package/src/metadata/plugin.metadata.js.map +0 -1
- package/src/metadata/prompt.metadata.js.map +0 -1
- package/src/metadata/provider.metadata.js.map +0 -1
- package/src/metadata/resource.metadata.js.map +0 -1
- package/src/metadata/tool.metadata.d.ts +0 -178
- package/src/metadata/tool.metadata.js.map +0 -1
- package/src/providers/session.provider.js.map +0 -1
- package/src/records/adapter.record.js.map +0 -1
- package/src/records/app.record.js.map +0 -1
- package/src/records/auth-provider.record.js.map +0 -1
- package/src/records/flow.record.js.map +0 -1
- package/src/records/hook.record.js.map +0 -1
- package/src/records/index.js.map +0 -1
- package/src/records/logger.record.d.ts +0 -11
- package/src/records/logger.record.js.map +0 -1
- package/src/records/plugin.record.js.map +0 -1
- package/src/records/prompt.record.js.map +0 -1
- package/src/records/provider.record.js.map +0 -1
- package/src/records/resource.record.js.map +0 -1
- package/src/records/scope.record.d.ts +0 -18
- package/src/records/scope.record.js.map +0 -1
- package/src/records/tool.record.js.map +0 -1
- package/src/schemas/annotated-class.schema.js.map +0 -1
- package/src/schemas/http-input.schema.js.map +0 -1
- package/src/schemas/http-output.schema.d.ts +0 -2011
- package/src/schemas/http-output.schema.js.map +0 -1
- package/src/schemas/index.js.map +0 -1
- package/src/tokens/adapter.tokens.js.map +0 -1
- package/src/tokens/app.tokens.js.map +0 -1
- package/src/tokens/auth-provider.tokens.js.map +0 -1
- package/src/tokens/base.tokens.js.map +0 -1
- package/src/tokens/flow-hook.tokens.js.map +0 -1
- package/src/tokens/flow.tokens.js.map +0 -1
- package/src/tokens/front-mcp.tokens.js.map +0 -1
- package/src/tokens/index.js.map +0 -1
- package/src/tokens/logger.tokens.js.map +0 -1
- package/src/tokens/plugin.tokens.js.map +0 -1
- package/src/tokens/prompt.tokens.js.map +0 -1
- package/src/tokens/provider.tokens.js.map +0 -1
- package/src/tokens/resource.tokens.js.map +0 -1
- package/src/tokens/server.tokens.js.map +0 -1
- package/src/tokens/tool.tokens.js.map +0 -1
- package/src/types/auth/index.js.map +0 -1
- package/src/types/auth/jwt.types.js.map +0 -1
- package/src/types/auth/session.types.d.ts +0 -263
- package/src/types/auth/session.types.js.map +0 -1
- package/src/types/common.types.js.map +0 -1
- package/src/types/index.js.map +0 -1
- package/src/types/options/auth.options.d.ts +0 -513
- package/src/types/options/auth.options.js.map +0 -1
- package/src/types/options/http.options.js.map +0 -1
- package/src/types/options/index.js.map +0 -1
- package/src/types/options/logging.options.d.ts +0 -39
- package/src/types/options/logging.options.js.map +0 -1
- package/src/types/options/server-info.options.d.ts +0 -48
- package/src/types/options/server-info.options.js.map +0 -1
- package/src/types/options/session.options.d.ts +0 -67
- package/src/types/options/session.options.js.map +0 -1
- package/src/utils/decide-request-intent.utils.d.ts +0 -79
- package/src/utils/decide-request-intent.utils.js.map +0 -1
- package/src/utils/index.js.map +0 -1
- package/src/utils/path.utils.d.ts +0 -20
- package/src/utils/path.utils.js.map +0 -1
- /package/src/{decorators → common/decorators}/adapter.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/adapter.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/app.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/app.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/auth-provider.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/auth-provider.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/flow.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/flow.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/front-mcp.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/hook.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/hook.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/index.d.ts +0 -0
- /package/src/{decorators → common/decorators}/index.js +0 -0
- /package/src/{decorators → common/decorators}/logger.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/logger.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/plugin.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/plugin.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/prompt.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/prompt.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/provider.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/provider.decorator.js +0 -0
- /package/src/{decorators → common/decorators}/resource.decorator.d.ts +0 -0
- /package/src/{decorators → common/decorators}/resource.decorator.js +0 -0
- /package/src/{decorators-old → common/decorators-old}/auth-hook.decorator.d.ts +0 -0
- /package/src/{decorators-old → common/decorators-old}/auth-hook.decorator.js +0 -0
- /package/src/{decorators-old → common/decorators-old}/session-hook.decorator.d.ts +0 -0
- /package/src/{decorators-old → common/decorators-old}/session-hook.decorator.js +0 -0
- /package/src/{dynamic → common/dynamic}/dynamic.adapter.d.ts +0 -0
- /package/src/{dynamic → common/dynamic}/dynamic.adapter.js +0 -0
- /package/src/{dynamic → common/dynamic}/dynamic.plugin.d.ts +0 -0
- /package/src/{dynamic → common/dynamic}/dynamic.plugin.js +0 -0
- /package/src/{dynamic → common/dynamic}/dynamic.utils.js +0 -0
- /package/src/{dynamic → common/dynamic}/index.d.ts +0 -0
- /package/src/{dynamic → common/dynamic}/index.js +0 -0
- /package/src/{entries → common/entries}/adapter.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/adapter.entry.js +0 -0
- /package/src/{entries → common/entries}/app.entry.js +0 -0
- /package/src/{entries → common/entries}/auth-provider.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/auth-provider.entry.js +0 -0
- /package/src/{entries → common/entries}/base.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/base.entry.js +0 -0
- /package/src/{entries → common/entries}/flow.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/flow.entry.js +0 -0
- /package/src/{entries → common/entries}/hook.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/hook.entry.js +0 -0
- /package/src/{entries → common/entries}/index.d.ts +0 -0
- /package/src/{entries → common/entries}/index.js +0 -0
- /package/src/{entries → common/entries}/logger.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/logger.entry.js +0 -0
- /package/src/{entries → common/entries}/plugin.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/plugin.entry.js +0 -0
- /package/src/{entries → common/entries}/prompt.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/prompt.entry.js +0 -0
- /package/src/{entries → common/entries}/provider.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/provider.entry.js +0 -0
- /package/src/{entries → common/entries}/resource.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/resource.entry.js +0 -0
- /package/src/{entries → common/entries}/tool.entry.d.ts +0 -0
- /package/src/{entries → common/entries}/tool.entry.js +0 -0
- /package/src/{interfaces → common/interfaces}/adapter.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/adapter.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/app.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/app.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/auth-hook.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/auth-hook.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/auth-provider.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/auth-provider.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/base.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/base.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/flow.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/front-mcp.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/front-mcp.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/hook.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/hook.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/index.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/index.js +0 -0
- /package/src/{interfaces → common/interfaces}/internal/flow.utils.js +0 -0
- /package/src/{interfaces → common/interfaces}/internal/index.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/internal/index.js +0 -0
- /package/src/{interfaces → common/interfaces}/internal/primary-auth-provider.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/internal/registry.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/logger.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/logger.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/plugin.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/plugin.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/prompt.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/prompt.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/provider.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/provider.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/resource.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/resource.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/scope.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/scope.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/server.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/server.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/session-hook.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/session-hook.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/tool-hook.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/tool-hook.interface.js +0 -0
- /package/src/{interfaces → common/interfaces}/tool.interface.d.ts +0 -0
- /package/src/{interfaces → common/interfaces}/tool.interface.js +0 -0
- /package/src/{metadata → common/metadata}/adapter.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/adapter.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/app.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/auth-provider.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/auth-provider.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/flow.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/front-mcp.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/hook.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/hook.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/index.d.ts +0 -0
- /package/src/{metadata → common/metadata}/index.js +0 -0
- /package/src/{metadata → common/metadata}/logger.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/logger.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/plugin.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/plugin.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/prompt.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/prompt.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/provider.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/provider.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/resource.metadata.d.ts +0 -0
- /package/src/{metadata → common/metadata}/resource.metadata.js +0 -0
- /package/src/{metadata → common/metadata}/tool.metadata.js +0 -0
- /package/src/{providers → common/providers}/session.provider.d.ts +0 -0
- /package/src/{providers → common/providers}/session.provider.js +0 -0
- /package/src/{records → common/records}/adapter.record.d.ts +0 -0
- /package/src/{records → common/records}/adapter.record.js +0 -0
- /package/src/{records → common/records}/app.record.d.ts +0 -0
- /package/src/{records → common/records}/app.record.js +0 -0
- /package/src/{records → common/records}/auth-provider.record.d.ts +0 -0
- /package/src/{records → common/records}/auth-provider.record.js +0 -0
- /package/src/{records → common/records}/flow.record.d.ts +0 -0
- /package/src/{records → common/records}/flow.record.js +0 -0
- /package/src/{records → common/records}/hook.record.d.ts +0 -0
- /package/src/{records → common/records}/hook.record.js +0 -0
- /package/src/{records → common/records}/index.d.ts +0 -0
- /package/src/{records → common/records}/index.js +0 -0
- /package/src/{records → common/records}/logger.record.js +0 -0
- /package/src/{records → common/records}/plugin.record.d.ts +0 -0
- /package/src/{records → common/records}/plugin.record.js +0 -0
- /package/src/{records → common/records}/prompt.record.d.ts +0 -0
- /package/src/{records → common/records}/prompt.record.js +0 -0
- /package/src/{records → common/records}/provider.record.d.ts +0 -0
- /package/src/{records → common/records}/provider.record.js +0 -0
- /package/src/{records → common/records}/resource.record.d.ts +0 -0
- /package/src/{records → common/records}/resource.record.js +0 -0
- /package/src/{records → common/records}/scope.record.js +0 -0
- /package/src/{records → common/records}/tool.record.d.ts +0 -0
- /package/src/{records → common/records}/tool.record.js +0 -0
- /package/src/{schemas → common/schemas}/annotated-class.schema.d.ts +0 -0
- /package/src/{schemas → common/schemas}/annotated-class.schema.js +0 -0
- /package/src/{schemas → common/schemas}/http-input.schema.d.ts +0 -0
- /package/src/{schemas → common/schemas}/http-input.schema.js +0 -0
- /package/src/{schemas → common/schemas}/http-output.schema.js +0 -0
- /package/src/{schemas → common/schemas}/index.d.ts +0 -0
- /package/src/{schemas → common/schemas}/index.js +0 -0
- /package/src/{tokens → common/tokens}/adapter.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/adapter.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/app.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/app.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/auth-provider.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/auth-provider.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/base.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/base.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/flow-hook.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/flow-hook.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/flow.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/flow.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/front-mcp.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/front-mcp.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/index.d.ts +0 -0
- /package/src/{tokens → common/tokens}/index.js +0 -0
- /package/src/{tokens → common/tokens}/logger.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/logger.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/plugin.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/plugin.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/prompt.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/prompt.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/provider.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/provider.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/resource.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/resource.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/server.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/server.tokens.js +0 -0
- /package/src/{tokens → common/tokens}/tool.tokens.d.ts +0 -0
- /package/src/{tokens → common/tokens}/tool.tokens.js +0 -0
- /package/src/{types → common/types}/auth/index.d.ts +0 -0
- /package/src/{types → common/types}/auth/index.js +0 -0
- /package/src/{types → common/types}/auth/jwt.types.d.ts +0 -0
- /package/src/{types → common/types}/auth/jwt.types.js +0 -0
- /package/src/{types → common/types}/auth/session.types.js +0 -0
- /package/src/{types → common/types}/common.types.d.ts +0 -0
- /package/src/{types → common/types}/common.types.js +0 -0
- /package/src/{types → common/types}/index.d.ts +0 -0
- /package/src/{types → common/types}/index.js +0 -0
- /package/src/{types → common/types}/options/auth.options.js +0 -0
- /package/src/{types → common/types}/options/http.options.d.ts +0 -0
- /package/src/{types → common/types}/options/http.options.js +0 -0
- /package/src/{types → common/types}/options/index.d.ts +0 -0
- /package/src/{types → common/types}/options/index.js +0 -0
- /package/src/{types → common/types}/options/logging.options.js +0 -0
- /package/src/{types → common/types}/options/server-info.options.js +0 -0
- /package/src/{types → common/types}/options/session.options.js +0 -0
- /package/src/{utils → common/utils}/decide-request-intent.utils.js +0 -0
- /package/src/{utils → common/utils}/index.d.ts +0 -0
- /package/src/{utils → common/utils}/index.js +0 -0
- /package/src/{utils → common/utils}/path.utils.js +0 -0
|
@@ -0,0 +1,201 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Dynamic Client Registration — POST /oauth/register
|
|
4
|
+
*
|
|
5
|
+
* Who calls: Developers/automation.
|
|
6
|
+
*
|
|
7
|
+
* Purpose: Let clients register programmatically (redirect URIs, grant types, etc.).
|
|
8
|
+
*/
|
|
9
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
+
exports.DevClientRegistry = void 0;
|
|
11
|
+
const tslib_1 = require("tslib");
|
|
12
|
+
/**
|
|
13
|
+
* Quick checklist (security & correctness)
|
|
14
|
+
* - PKCE (S256) required for public clients (and basically for all).
|
|
15
|
+
* - Use authorization code grant only (no implicit/hybrid).
|
|
16
|
+
* - Rotate refresh tokens and bind them to client + user + scopes.
|
|
17
|
+
* - Prefer private_key_jwt or mTLS for confidential clients.
|
|
18
|
+
* - PAR + JAR recommended for higher security.
|
|
19
|
+
* - Consider DPoP (proof-of-possession) to reduce token replay.
|
|
20
|
+
* - Keep codes very short-lived (e.g., ≤60 s) and single-use.
|
|
21
|
+
* - Publish discovery and JWKS, rotate keys safely.
|
|
22
|
+
* - Decide JWT vs opaque access tokens; provide introspection if opaque.
|
|
23
|
+
*/
|
|
24
|
+
const common_1 = require("../../common");
|
|
25
|
+
const zod_1 = require("zod");
|
|
26
|
+
const crypto_1 = require("crypto");
|
|
27
|
+
const CLIENTS = new Map();
|
|
28
|
+
/** Optional: export getters so other flows can validate client_id */
|
|
29
|
+
exports.DevClientRegistry = {
|
|
30
|
+
get(client_id) {
|
|
31
|
+
return CLIENTS.get(client_id);
|
|
32
|
+
},
|
|
33
|
+
has(client_id) {
|
|
34
|
+
return CLIENTS.has(client_id);
|
|
35
|
+
}
|
|
36
|
+
};
|
|
37
|
+
const inputSchema = common_1.httpInputSchema;
|
|
38
|
+
const outputSchema = common_1.HttpJsonSchema;
|
|
39
|
+
const registrationRequestSchema = zod_1.z.object({
|
|
40
|
+
// RFC 7591-ish minimal set
|
|
41
|
+
redirect_uris: zod_1.z.array(zod_1.z.string().url()).min(1, "At least one redirect_uri is required"),
|
|
42
|
+
token_endpoint_auth_method: zod_1.z.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt", "tls_client_auth"])
|
|
43
|
+
.default("none"),
|
|
44
|
+
grant_types: zod_1.z.array(zod_1.z.enum(["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"]))
|
|
45
|
+
.default(["authorization_code"]),
|
|
46
|
+
response_types: zod_1.z.array(zod_1.z.enum(["code"])).default(["code"]),
|
|
47
|
+
client_name: zod_1.z.string().optional(),
|
|
48
|
+
scope: zod_1.z.string().optional(),
|
|
49
|
+
}).passthrough();
|
|
50
|
+
const stateSchema = zod_1.z.object({
|
|
51
|
+
body: registrationRequestSchema,
|
|
52
|
+
isDev: zod_1.z.boolean(),
|
|
53
|
+
});
|
|
54
|
+
const plan = {
|
|
55
|
+
pre: ['parseInput', 'validateInput'],
|
|
56
|
+
execute: ['registerClient', 'respondRegistration'],
|
|
57
|
+
post: ['validateOutput'],
|
|
58
|
+
};
|
|
59
|
+
const name = 'oauth:register';
|
|
60
|
+
const Stage = (0, common_1.StageHookOf)(name);
|
|
61
|
+
let OauthRegisterFlow = class OauthRegisterFlow extends common_1.FlowBase {
|
|
62
|
+
registered;
|
|
63
|
+
async parseInput() {
|
|
64
|
+
// Dev-only guard: hide the endpoint in production
|
|
65
|
+
const isDev = process.env['NODE_ENV'] !== 'production';
|
|
66
|
+
const { request } = this.rawInput;
|
|
67
|
+
const parsed = registrationRequestSchema.parse(request.body || {});
|
|
68
|
+
this.state.set({
|
|
69
|
+
body: parsed,
|
|
70
|
+
isDev,
|
|
71
|
+
});
|
|
72
|
+
}
|
|
73
|
+
async validateInput() {
|
|
74
|
+
if (!this.state.isDev) {
|
|
75
|
+
// Behave like the endpoint doesn't exist in prod
|
|
76
|
+
this.next();
|
|
77
|
+
return;
|
|
78
|
+
}
|
|
79
|
+
// Minimal sanity checks for common mistakes in dev
|
|
80
|
+
const { redirect_uris, token_endpoint_auth_method, grant_types, response_types } = this.state.required.body;
|
|
81
|
+
// Keep only supported combinations for the dummy server
|
|
82
|
+
if (!response_types.includes('code')) {
|
|
83
|
+
this.respond(common_1.httpRespond.json({
|
|
84
|
+
error: 'invalid_client_metadata',
|
|
85
|
+
error_description: 'Only response_types=["code"] is supported in dev.',
|
|
86
|
+
}, { status: 400 }));
|
|
87
|
+
return;
|
|
88
|
+
}
|
|
89
|
+
if (!grant_types.includes('authorization_code')) {
|
|
90
|
+
this.respond(common_1.httpRespond.json({
|
|
91
|
+
error: 'invalid_client_metadata',
|
|
92
|
+
error_description: 'grant_types must include "authorization_code" in dev.',
|
|
93
|
+
}, { status: 400 }));
|
|
94
|
+
return;
|
|
95
|
+
}
|
|
96
|
+
// Warn (soft) if confidential but no TLS/jwt (still allowed for local only)
|
|
97
|
+
if (token_endpoint_auth_method !== 'none' && token_endpoint_auth_method !== 'client_secret_post' && token_endpoint_auth_method !== 'client_secret_basic') {
|
|
98
|
+
this.respond(common_1.httpRespond.json({
|
|
99
|
+
error: 'invalid_client_metadata',
|
|
100
|
+
error_description: 'This dev server only supports "none", "client_secret_post", or "client_secret_basic".',
|
|
101
|
+
}, { status: 400 }));
|
|
102
|
+
return;
|
|
103
|
+
}
|
|
104
|
+
// Ensure localhost/https-ish redirects for dev
|
|
105
|
+
const bad = redirect_uris.find(u => !/^https?:\/\/(localhost|\d+\.\d+\.\d+\.\d+|127\.0\.0\.1)/.test(u));
|
|
106
|
+
if (bad) {
|
|
107
|
+
this.respond(common_1.httpRespond.json({
|
|
108
|
+
error: 'invalid_redirect_uri',
|
|
109
|
+
error_description: `Dev registration allows only localhost-style redirect_uris; got ${bad}`,
|
|
110
|
+
}, { status: 400 }));
|
|
111
|
+
return;
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
async registerClient() {
|
|
115
|
+
const now = Math.floor(Date.now() / 1000);
|
|
116
|
+
const { token_endpoint_auth_method, grant_types, response_types, redirect_uris, client_name, scope, } = this.state.required.body;
|
|
117
|
+
const client_id = (0, crypto_1.randomUUID)();
|
|
118
|
+
let client_secret;
|
|
119
|
+
if (token_endpoint_auth_method === 'client_secret_post' || token_endpoint_auth_method === 'client_secret_basic') {
|
|
120
|
+
client_secret = (0, crypto_1.randomBytes)(24).toString('base64url'); // short-lived dev secret
|
|
121
|
+
}
|
|
122
|
+
this.registered = {
|
|
123
|
+
client_id,
|
|
124
|
+
client_secret,
|
|
125
|
+
token_endpoint_auth_method,
|
|
126
|
+
grant_types,
|
|
127
|
+
response_types,
|
|
128
|
+
redirect_uris,
|
|
129
|
+
client_name,
|
|
130
|
+
scope,
|
|
131
|
+
created_at: now,
|
|
132
|
+
dev: true,
|
|
133
|
+
};
|
|
134
|
+
CLIENTS.set(client_id, this.registered);
|
|
135
|
+
}
|
|
136
|
+
async respondRegistration() {
|
|
137
|
+
const c = this.registered;
|
|
138
|
+
// Minimal RFC 7591-ish response
|
|
139
|
+
// (intentionally omitting registration_access_token/registration_client_uri for simplicity in dev)
|
|
140
|
+
this.respond(common_1.httpRespond.json({
|
|
141
|
+
client_id: c.client_id,
|
|
142
|
+
...(c.client_secret ? { client_secret: c.client_secret } : {}),
|
|
143
|
+
client_id_issued_at: c.created_at,
|
|
144
|
+
client_secret_expires_at: c.client_secret ? 0 : 0, // 0 = does not expire (dev)
|
|
145
|
+
token_endpoint_auth_method: c.token_endpoint_auth_method,
|
|
146
|
+
grant_types: c.grant_types,
|
|
147
|
+
response_types: c.response_types,
|
|
148
|
+
redirect_uris: c.redirect_uris,
|
|
149
|
+
...(c.client_name ? { client_name: c.client_name } : {}),
|
|
150
|
+
...(c.scope ? { scope: c.scope } : {}),
|
|
151
|
+
}));
|
|
152
|
+
}
|
|
153
|
+
async validateOutput() {
|
|
154
|
+
// no-op; httpRespond.json enforces shape
|
|
155
|
+
}
|
|
156
|
+
};
|
|
157
|
+
tslib_1.__decorate([
|
|
158
|
+
Stage('parseInput'),
|
|
159
|
+
tslib_1.__metadata("design:type", Function),
|
|
160
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
161
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
162
|
+
], OauthRegisterFlow.prototype, "parseInput", null);
|
|
163
|
+
tslib_1.__decorate([
|
|
164
|
+
Stage('validateInput'),
|
|
165
|
+
tslib_1.__metadata("design:type", Function),
|
|
166
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
167
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
168
|
+
], OauthRegisterFlow.prototype, "validateInput", null);
|
|
169
|
+
tslib_1.__decorate([
|
|
170
|
+
Stage('registerClient'),
|
|
171
|
+
tslib_1.__metadata("design:type", Function),
|
|
172
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
173
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
174
|
+
], OauthRegisterFlow.prototype, "registerClient", null);
|
|
175
|
+
tslib_1.__decorate([
|
|
176
|
+
Stage('respondRegistration'),
|
|
177
|
+
tslib_1.__metadata("design:type", Function),
|
|
178
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
179
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
180
|
+
], OauthRegisterFlow.prototype, "respondRegistration", null);
|
|
181
|
+
tslib_1.__decorate([
|
|
182
|
+
Stage('validateOutput'),
|
|
183
|
+
tslib_1.__metadata("design:type", Function),
|
|
184
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
185
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
186
|
+
], OauthRegisterFlow.prototype, "validateOutput", null);
|
|
187
|
+
OauthRegisterFlow = tslib_1.__decorate([
|
|
188
|
+
(0, common_1.Flow)({
|
|
189
|
+
name,
|
|
190
|
+
plan,
|
|
191
|
+
inputSchema,
|
|
192
|
+
outputSchema,
|
|
193
|
+
access: 'public',
|
|
194
|
+
middleware: {
|
|
195
|
+
method: 'POST',
|
|
196
|
+
path: '/oauth/register',
|
|
197
|
+
},
|
|
198
|
+
})
|
|
199
|
+
], OauthRegisterFlow);
|
|
200
|
+
exports.default = OauthRegisterFlow;
|
|
201
|
+
//# sourceMappingURL=oauth.register.flow.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.register.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/oauth.register.flow.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;AAEH;;;;;;;;;;;GAWG;AAGH,yCAMsB;AACtB,6BAAsB;AACtB,mCAA+C;AAgB/C,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;AAEpD,qEAAqE;AACxD,QAAA,iBAAiB,GAAG;IAC/B,GAAG,CAAC,SAAiB;QACnB,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IACD,GAAG,CAAC,SAAiB;QACnB,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;CACF,CAAC;AAEF,MAAM,WAAW,GAAG,wBAAe,CAAC;AACpC,MAAM,YAAY,GAAG,uBAAc,CAAC;AAEpC,MAAM,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IACzC,2BAA2B;IAC3B,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,uCAAuC,CAAC;IACxF,0BAA0B,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,CAAC;SAC5H,OAAO,CAAC,MAAM,CAAC;IAClB,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,eAAe,EAAE,8CAA8C,CAAC,CAAC,CAAC;SAClH,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAClC,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;IAC3D,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC,WAAW,EAAE,CAAA;AAEhB,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,yBAAyB;IAC/B,KAAK,EAAE,OAAC,CAAC,OAAO,EAAE;CACnB,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACpC,OAAO,EAAE,CAAC,gBAAgB,EAAE,qBAAqB,CAAC;IAClD,IAAI,EAAE,CAAC,gBAAgB,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,gBAAyB,CAAC;AACvC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,iBAAqB;IAE1D,UAAU,CAAoB;IAGhC,AAAN,KAAK,CAAC,UAAU;QACd,kDAAkD;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAC;QAEvD,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAChC,MAAM,MAAM,GAAG,yBAAyB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,IAAI,EAAE,MAAM;YACZ,KAAK;SACN,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACtB,iDAAiD;YACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO;QACT,CAAC;QAED,mDAAmD;QACnD,MAAM,EAAC,aAAa,EAAE,0BAA0B,EAAE,WAAW,EAAE,cAAc,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAE1G,wDAAwD;QACxD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,mDAAmD;aACvE,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,uDAAuD;aAC3E,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,4EAA4E;QAC5E,IAAI,0BAA0B,KAAK,MAAM,IAAI,0BAA0B,KAAK,oBAAoB,IAAI,0BAA0B,KAAK,qBAAqB,EAAE,CAAC;YACzJ,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,uFAAuF;aAC3G,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,yDAAyD,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACxG,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,sBAAsB;gBAC7B,iBAAiB,EAAE,mEAAmE,GAAG,EAAE;aAC5F,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,EACJ,0BAA0B,EAC1B,WAAW,EACX,cAAc,EACd,aAAa,EACb,WAAW,EACX,KAAK,GACN,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAE7B,MAAM,SAAS,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC/B,IAAI,aAAiC,CAAC;QAEtC,IAAI,0BAA0B,KAAK,oBAAoB,IAAI,0BAA0B,KAAK,qBAAqB,EAAE,CAAC;YAChH,aAAa,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,yBAAyB;QAClF,CAAC;QAED,IAAI,CAAC,UAAU,GAAG;YAChB,SAAS;YACT,aAAa;YACb,0BAA0B;YAC1B,WAAW;YACX,cAAc;YACd,aAAa;YACb,WAAW;YACX,KAAK;YACL,UAAU,EAAE,GAAG;YACf,GAAG,EAAE,IAAI;SACV,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAGK,AAAN,KAAK,CAAC,mBAAmB;QACvB,MAAM,CAAC,GAAG,IAAI,CAAC,UAAW,CAAC;QAC3B,gCAAgC;QAChC,mGAAmG;QACnG,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;YAC5B,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,EAAC,aAAa,EAAE,CAAC,CAAC,aAAa,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,mBAAmB,EAAE,CAAC,CAAC,UAAU;YACjC,wBAAwB,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,4BAA4B;YAC/E,0BAA0B,EAAE,CAAC,CAAC,0BAA0B;YACxD,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,cAAc,EAAE,CAAC,CAAC,cAAc;YAChC,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAC,WAAW,EAAE,CAAC,CAAC,WAAW,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,CAAC,CAAC,KAAK,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SACrC,CAAC,CAAC,CAAC;IACN,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,yCAAyC;IAC3C,CAAC;CACF,CAAA;AAtHO;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAWnB;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;sDA8CtB;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;uDAiCvB;AAGK;IADL,KAAK,CAAC,qBAAqB,CAAC;;;;4DAiB5B;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;uDAGvB;AA1HkB,iBAAiB;IAXrC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,iBAAiB;SACxB;KACF,CAAC;GACmB,iBAAiB,CA2HrC;kBA3HoB,iBAAiB","sourcesContent":["/**\n * Dynamic Client Registration — POST /oauth/register\n *\n * Who calls: Developers/automation.\n *\n * Purpose: Let clients register programmatically (redirect URIs, grant types, etc.).\n */\n\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n\nimport {\n Flow, FlowBase, FlowPlan,\n FlowRunOptions,\n httpInputSchema, HttpJsonSchema,\n httpRespond,\n StageHookOf\n} from \"../../common\";\nimport {z} from \"zod\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\n/** Simple in-memory registry (dev only) */\ntype RegisteredClient = {\n client_id: string;\n client_secret?: string;\n token_endpoint_auth_method: \"none\" | \"client_secret_basic\" | \"client_secret_post\" | \"private_key_jwt\" | \"tls_client_auth\";\n grant_types: string[];\n response_types: string[];\n redirect_uris: string[];\n client_name?: string;\n scope?: string;\n created_at: number; // seconds since epoch\n dev: boolean;\n};\n\nconst CLIENTS = new Map<string, RegisteredClient>();\n\n/** Optional: export getters so other flows can validate client_id */\nexport const DevClientRegistry = {\n get(client_id: string) {\n return CLIENTS.get(client_id);\n },\n has(client_id: string) {\n return CLIENTS.has(client_id);\n }\n};\n\nconst inputSchema = httpInputSchema;\nconst outputSchema = HttpJsonSchema;\n\nconst registrationRequestSchema = z.object({\n // RFC 7591-ish minimal set\n redirect_uris: z.array(z.string().url()).min(1, \"At least one redirect_uri is required\"),\n token_endpoint_auth_method: z.enum([\"none\", \"client_secret_basic\", \"client_secret_post\", \"private_key_jwt\", \"tls_client_auth\"])\n .default(\"none\"),\n grant_types: z.array(z.enum([\"authorization_code\", \"refresh_token\", \"urn:ietf:params:oauth:grant-type:device_code\"]))\n .default([\"authorization_code\"]),\n response_types: z.array(z.enum([\"code\"])).default([\"code\"]),\n client_name: z.string().optional(),\n scope: z.string().optional(),\n}).passthrough()\n\nconst stateSchema = z.object({\n body: registrationRequestSchema,\n isDev: z.boolean(),\n});\n\nconst plan = {\n pre: ['parseInput', 'validateInput'],\n execute: ['registerClient', 'respondRegistration'],\n post: ['validateOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n interface ExtendFlows {\n 'oauth:register': FlowRunOptions<\n OauthRegisterFlow,\n typeof plan,\n typeof inputSchema,\n typeof outputSchema,\n typeof stateSchema\n >;\n }\n}\n\nconst name = 'oauth:register' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n name,\n plan,\n inputSchema,\n outputSchema,\n access: 'public',\n middleware: {\n method: 'POST',\n path: '/oauth/register',\n },\n})\nexport default class OauthRegisterFlow extends FlowBase<typeof name> {\n\n private registered?: RegisteredClient;\n\n @Stage('parseInput')\n async parseInput() {\n // Dev-only guard: hide the endpoint in production\n const isDev = process.env['NODE_ENV'] !== 'production';\n\n const {request} = this.rawInput;\n const parsed = registrationRequestSchema.parse(request.body || {});\n this.state.set({\n body: parsed,\n isDev,\n });\n }\n\n @Stage('validateInput')\n async validateInput() {\n if (!this.state.isDev) {\n // Behave like the endpoint doesn't exist in prod\n this.next();\n return;\n }\n\n // Minimal sanity checks for common mistakes in dev\n const {redirect_uris, token_endpoint_auth_method, grant_types, response_types} = this.state.required.body;\n\n // Keep only supported combinations for the dummy server\n if (!response_types.includes('code')) {\n this.respond(httpRespond.json({\n error: 'invalid_client_metadata',\n error_description: 'Only response_types=[\"code\"] is supported in dev.',\n }, {status: 400}));\n return;\n }\n\n if (!grant_types.includes('authorization_code')) {\n this.respond(httpRespond.json({\n error: 'invalid_client_metadata',\n error_description: 'grant_types must include \"authorization_code\" in dev.',\n }, {status: 400}));\n return;\n }\n\n // Warn (soft) if confidential but no TLS/jwt (still allowed for local only)\n if (token_endpoint_auth_method !== 'none' && token_endpoint_auth_method !== 'client_secret_post' && token_endpoint_auth_method !== 'client_secret_basic') {\n this.respond(httpRespond.json({\n error: 'invalid_client_metadata',\n error_description: 'This dev server only supports \"none\", \"client_secret_post\", or \"client_secret_basic\".',\n }, {status: 400}));\n return;\n }\n\n // Ensure localhost/https-ish redirects for dev\n const bad = redirect_uris.find(u => !/^https?:\\/\\/(localhost|\\d+\\.\\d+\\.\\d+\\.\\d+|127\\.0\\.0\\.1)/.test(u));\n if (bad) {\n this.respond(httpRespond.json({\n error: 'invalid_redirect_uri',\n error_description: `Dev registration allows only localhost-style redirect_uris; got ${bad}`,\n }, {status: 400}));\n return;\n }\n }\n\n @Stage('registerClient')\n async registerClient() {\n const now = Math.floor(Date.now() / 1000);\n const {\n token_endpoint_auth_method,\n grant_types,\n response_types,\n redirect_uris,\n client_name,\n scope,\n } = this.state.required.body;\n\n const client_id = randomUUID();\n let client_secret: string | undefined;\n\n if (token_endpoint_auth_method === 'client_secret_post' || token_endpoint_auth_method === 'client_secret_basic') {\n client_secret = randomBytes(24).toString('base64url'); // short-lived dev secret\n }\n\n this.registered = {\n client_id,\n client_secret,\n token_endpoint_auth_method,\n grant_types,\n response_types,\n redirect_uris,\n client_name,\n scope,\n created_at: now,\n dev: true,\n };\n\n CLIENTS.set(client_id, this.registered);\n }\n\n @Stage('respondRegistration')\n async respondRegistration() {\n const c = this.registered!;\n // Minimal RFC 7591-ish response\n // (intentionally omitting registration_access_token/registration_client_uri for simplicity in dev)\n this.respond(httpRespond.json({\n client_id: c.client_id,\n ...(c.client_secret ? {client_secret: c.client_secret} : {}),\n client_id_issued_at: c.created_at,\n client_secret_expires_at: c.client_secret ? 0 : 0, // 0 = does not expire (dev)\n token_endpoint_auth_method: c.token_endpoint_auth_method,\n grant_types: c.grant_types,\n response_types: c.response_types,\n redirect_uris: c.redirect_uris,\n ...(c.client_name ? {client_name: c.client_name} : {}),\n ...(c.scope ? {scope: c.scope} : {}),\n }));\n }\n\n @Stage('validateOutput')\n async validateOutput() {\n // no-op; httpRespond.json enforces shape\n }\n}"]}
|
|
@@ -0,0 +1,242 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Token Endpoint — POST /oauth/token
|
|
3
|
+
*
|
|
4
|
+
* Who calls: Client (server-to-server).
|
|
5
|
+
*
|
|
6
|
+
* When: After getting the code (or for refresh).
|
|
7
|
+
*
|
|
8
|
+
* Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.
|
|
9
|
+
*/
|
|
10
|
+
/**
|
|
11
|
+
* Typical parameter shapes
|
|
12
|
+
*
|
|
13
|
+
* /oauth/token (POST, application/x-www-form-urlencoded)
|
|
14
|
+
*
|
|
15
|
+
* For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier
|
|
16
|
+
*
|
|
17
|
+
* For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)
|
|
18
|
+
*/
|
|
19
|
+
/**
|
|
20
|
+
* Quick checklist (security & correctness)
|
|
21
|
+
* - PKCE (S256) required for public clients (and basically for all).
|
|
22
|
+
* - Use authorization code grant only (no implicit/hybrid).
|
|
23
|
+
* - Rotate refresh tokens and bind them to client + user + scopes.
|
|
24
|
+
* - Prefer private_key_jwt or mTLS for confidential clients.
|
|
25
|
+
* - PAR + JAR recommended for higher security.
|
|
26
|
+
* - Consider DPoP (proof-of-possession) to reduce token replay.
|
|
27
|
+
* - Keep codes very short-lived (e.g., ≤60 s) and single-use.
|
|
28
|
+
* - Publish discovery and JWKS, rotate keys safely.
|
|
29
|
+
* - Decide JWT vs opaque access tokens; provide introspection if opaque.
|
|
30
|
+
*/
|
|
31
|
+
/**
|
|
32
|
+
*
|
|
33
|
+
* OAuth 2.0 Device Authorization Grant (“device code flow”)
|
|
34
|
+
* Who does what (at a glance)
|
|
35
|
+
*
|
|
36
|
+
* Device/TV/CLI (no browser)
|
|
37
|
+
* Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
|
|
38
|
+
*
|
|
39
|
+
* User (on phone/laptop browser)
|
|
40
|
+
* Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
|
|
41
|
+
*
|
|
42
|
+
* Auth Server (you)
|
|
43
|
+
* Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
|
|
44
|
+
*
|
|
45
|
+
* Endpoints you need (only two “new” ones)
|
|
46
|
+
*
|
|
47
|
+
* POST /oauth/device_authorization ✅ (device calls)
|
|
48
|
+
*
|
|
49
|
+
* POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
|
|
50
|
+
*
|
|
51
|
+
* GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
|
|
52
|
+
*
|
|
53
|
+
* GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
|
|
54
|
+
*
|
|
55
|
+
* That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
|
|
56
|
+
*/
|
|
57
|
+
import { FlowBase, FlowRunOptions } from "../../common";
|
|
58
|
+
import { z } from "zod";
|
|
59
|
+
declare const inputSchema: z.ZodObject<{
|
|
60
|
+
request: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>;
|
|
61
|
+
response: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>;
|
|
62
|
+
next: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
|
|
63
|
+
}, "strip", z.ZodTypeAny, {
|
|
64
|
+
request: {} & {
|
|
65
|
+
[k: string]: unknown;
|
|
66
|
+
};
|
|
67
|
+
response: {} & {
|
|
68
|
+
[k: string]: unknown;
|
|
69
|
+
};
|
|
70
|
+
next?: ((...args: unknown[]) => unknown) | undefined;
|
|
71
|
+
}, {
|
|
72
|
+
request: {} & {
|
|
73
|
+
[k: string]: unknown;
|
|
74
|
+
};
|
|
75
|
+
response: {} & {
|
|
76
|
+
[k: string]: unknown;
|
|
77
|
+
};
|
|
78
|
+
next?: ((...args: unknown[]) => unknown) | undefined;
|
|
79
|
+
}>;
|
|
80
|
+
declare const stateSchema: z.ZodObject<{
|
|
81
|
+
body: z.ZodDiscriminatedUnion<"grant_type", [z.ZodObject<{
|
|
82
|
+
grant_type: z.ZodLiteral<"anonymous">;
|
|
83
|
+
/** Public client identifier; UUID in your example */
|
|
84
|
+
client_id: z.ZodString;
|
|
85
|
+
/** Target resource/audience is required for this custom flow */
|
|
86
|
+
resource: z.ZodString;
|
|
87
|
+
}, "strip", z.ZodTypeAny, {
|
|
88
|
+
resource: string;
|
|
89
|
+
grant_type: "anonymous";
|
|
90
|
+
client_id: string;
|
|
91
|
+
}, {
|
|
92
|
+
resource: string;
|
|
93
|
+
grant_type: "anonymous";
|
|
94
|
+
client_id: string;
|
|
95
|
+
}>, z.ZodObject<{
|
|
96
|
+
grant_type: z.ZodLiteral<"authorization_code">;
|
|
97
|
+
/** Authorization code returned from the /authorize step */
|
|
98
|
+
code: z.ZodString;
|
|
99
|
+
/** Must exactly match the redirect URI used when obtaining the code */
|
|
100
|
+
redirect_uri: z.ZodString;
|
|
101
|
+
/** Public client identifier; UUID in your example */
|
|
102
|
+
client_id: z.ZodString;
|
|
103
|
+
/** PKCE verifier bound to the code */
|
|
104
|
+
code_verifier: z.ZodString;
|
|
105
|
+
/** Optional resource/audience (used by some providers like AAD v1) */
|
|
106
|
+
resource: z.ZodString;
|
|
107
|
+
}, "strip", z.ZodTypeAny, {
|
|
108
|
+
code: string;
|
|
109
|
+
resource: string;
|
|
110
|
+
grant_type: "authorization_code";
|
|
111
|
+
client_id: string;
|
|
112
|
+
redirect_uri: string;
|
|
113
|
+
code_verifier: string;
|
|
114
|
+
}, {
|
|
115
|
+
code: string;
|
|
116
|
+
resource: string;
|
|
117
|
+
grant_type: "authorization_code";
|
|
118
|
+
client_id: string;
|
|
119
|
+
redirect_uri: string;
|
|
120
|
+
code_verifier: string;
|
|
121
|
+
}>]>;
|
|
122
|
+
isDefaultAuthProvider: z.ZodBoolean;
|
|
123
|
+
}, "strip", z.ZodTypeAny, {
|
|
124
|
+
body: {
|
|
125
|
+
resource: string;
|
|
126
|
+
grant_type: "anonymous";
|
|
127
|
+
client_id: string;
|
|
128
|
+
} | {
|
|
129
|
+
code: string;
|
|
130
|
+
resource: string;
|
|
131
|
+
grant_type: "authorization_code";
|
|
132
|
+
client_id: string;
|
|
133
|
+
redirect_uri: string;
|
|
134
|
+
code_verifier: string;
|
|
135
|
+
};
|
|
136
|
+
isDefaultAuthProvider: boolean;
|
|
137
|
+
}, {
|
|
138
|
+
body: {
|
|
139
|
+
resource: string;
|
|
140
|
+
grant_type: "anonymous";
|
|
141
|
+
client_id: string;
|
|
142
|
+
} | {
|
|
143
|
+
code: string;
|
|
144
|
+
resource: string;
|
|
145
|
+
grant_type: "authorization_code";
|
|
146
|
+
client_id: string;
|
|
147
|
+
redirect_uri: string;
|
|
148
|
+
code_verifier: string;
|
|
149
|
+
};
|
|
150
|
+
isDefaultAuthProvider: boolean;
|
|
151
|
+
}>;
|
|
152
|
+
declare const outputSchema: z.ZodObject<{
|
|
153
|
+
kind: z.ZodLiteral<"json">;
|
|
154
|
+
status: z.ZodEffects<z.ZodNumber, number, number>;
|
|
155
|
+
body: z.ZodUnion<[z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>, z.ZodArray<z.ZodAny, "many">, z.ZodRecord<z.ZodString, z.ZodAny>]>;
|
|
156
|
+
contentType: z.ZodDefault<z.ZodString>;
|
|
157
|
+
} & {
|
|
158
|
+
headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>]>>>>;
|
|
159
|
+
cookies: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
160
|
+
name: z.ZodString;
|
|
161
|
+
value: z.ZodString;
|
|
162
|
+
path: z.ZodDefault<z.ZodString>;
|
|
163
|
+
domain: z.ZodOptional<z.ZodString>;
|
|
164
|
+
httpOnly: z.ZodDefault<z.ZodBoolean>;
|
|
165
|
+
secure: z.ZodOptional<z.ZodBoolean>;
|
|
166
|
+
sameSite: z.ZodOptional<z.ZodEnum<["lax", "strict", "none"]>>;
|
|
167
|
+
maxAge: z.ZodOptional<z.ZodNumber>;
|
|
168
|
+
expires: z.ZodOptional<z.ZodDate>;
|
|
169
|
+
}, "strip", z.ZodTypeAny, {
|
|
170
|
+
value: string;
|
|
171
|
+
path: string;
|
|
172
|
+
name: string;
|
|
173
|
+
httpOnly: boolean;
|
|
174
|
+
domain?: string | undefined;
|
|
175
|
+
secure?: boolean | undefined;
|
|
176
|
+
sameSite?: "lax" | "strict" | "none" | undefined;
|
|
177
|
+
maxAge?: number | undefined;
|
|
178
|
+
expires?: Date | undefined;
|
|
179
|
+
}, {
|
|
180
|
+
value: string;
|
|
181
|
+
name: string;
|
|
182
|
+
path?: string | undefined;
|
|
183
|
+
domain?: string | undefined;
|
|
184
|
+
httpOnly?: boolean | undefined;
|
|
185
|
+
secure?: boolean | undefined;
|
|
186
|
+
sameSite?: "lax" | "strict" | "none" | undefined;
|
|
187
|
+
maxAge?: number | undefined;
|
|
188
|
+
expires?: Date | undefined;
|
|
189
|
+
}>, "many">>>;
|
|
190
|
+
}, "strip", z.ZodTypeAny, {
|
|
191
|
+
status: number;
|
|
192
|
+
kind: "json";
|
|
193
|
+
body: any[] | z.objectOutputType<{}, z.ZodTypeAny, "passthrough"> | Record<string, any>;
|
|
194
|
+
contentType: string;
|
|
195
|
+
headers?: Record<string, string | string[]> | undefined;
|
|
196
|
+
cookies?: {
|
|
197
|
+
value: string;
|
|
198
|
+
path: string;
|
|
199
|
+
name: string;
|
|
200
|
+
httpOnly: boolean;
|
|
201
|
+
domain?: string | undefined;
|
|
202
|
+
secure?: boolean | undefined;
|
|
203
|
+
sameSite?: "lax" | "strict" | "none" | undefined;
|
|
204
|
+
maxAge?: number | undefined;
|
|
205
|
+
expires?: Date | undefined;
|
|
206
|
+
}[] | undefined;
|
|
207
|
+
}, {
|
|
208
|
+
status: number;
|
|
209
|
+
kind: "json";
|
|
210
|
+
body: any[] | z.objectInputType<{}, z.ZodTypeAny, "passthrough"> | Record<string, any>;
|
|
211
|
+
headers?: Record<string, string | string[]> | undefined;
|
|
212
|
+
cookies?: {
|
|
213
|
+
value: string;
|
|
214
|
+
name: string;
|
|
215
|
+
path?: string | undefined;
|
|
216
|
+
domain?: string | undefined;
|
|
217
|
+
httpOnly?: boolean | undefined;
|
|
218
|
+
secure?: boolean | undefined;
|
|
219
|
+
sameSite?: "lax" | "strict" | "none" | undefined;
|
|
220
|
+
maxAge?: number | undefined;
|
|
221
|
+
expires?: Date | undefined;
|
|
222
|
+
}[] | undefined;
|
|
223
|
+
contentType?: string | undefined;
|
|
224
|
+
}>;
|
|
225
|
+
declare const plan: {
|
|
226
|
+
readonly pre: ["parseInput", "validateInput"];
|
|
227
|
+
readonly execute: ["generateJWT", "buildAuthorizeOutput"];
|
|
228
|
+
readonly post: ["validateOutput"];
|
|
229
|
+
};
|
|
230
|
+
declare global {
|
|
231
|
+
interface ExtendFlows {
|
|
232
|
+
'oauth:token': FlowRunOptions<OauthTokenFlow, typeof plan, typeof inputSchema, typeof outputSchema, typeof stateSchema>;
|
|
233
|
+
}
|
|
234
|
+
}
|
|
235
|
+
declare const name: "oauth:token";
|
|
236
|
+
export default class OauthTokenFlow extends FlowBase<typeof name> {
|
|
237
|
+
parseInput(): Promise<void>;
|
|
238
|
+
validateInput(): Promise<void>;
|
|
239
|
+
buildAuthorizeOutput(): Promise<void>;
|
|
240
|
+
validateOutput(): Promise<void>;
|
|
241
|
+
}
|
|
242
|
+
export {};
|
|
@@ -0,0 +1,181 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Token Endpoint — POST /oauth/token
|
|
4
|
+
*
|
|
5
|
+
* Who calls: Client (server-to-server).
|
|
6
|
+
*
|
|
7
|
+
* When: After getting the code (or for refresh).
|
|
8
|
+
*
|
|
9
|
+
* Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.
|
|
10
|
+
*/
|
|
11
|
+
/**
|
|
12
|
+
* Typical parameter shapes
|
|
13
|
+
*
|
|
14
|
+
* /oauth/token (POST, application/x-www-form-urlencoded)
|
|
15
|
+
*
|
|
16
|
+
* For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier
|
|
17
|
+
*
|
|
18
|
+
* For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)
|
|
19
|
+
*/
|
|
20
|
+
/**
|
|
21
|
+
* Quick checklist (security & correctness)
|
|
22
|
+
* - PKCE (S256) required for public clients (and basically for all).
|
|
23
|
+
* - Use authorization code grant only (no implicit/hybrid).
|
|
24
|
+
* - Rotate refresh tokens and bind them to client + user + scopes.
|
|
25
|
+
* - Prefer private_key_jwt or mTLS for confidential clients.
|
|
26
|
+
* - PAR + JAR recommended for higher security.
|
|
27
|
+
* - Consider DPoP (proof-of-possession) to reduce token replay.
|
|
28
|
+
* - Keep codes very short-lived (e.g., ≤60 s) and single-use.
|
|
29
|
+
* - Publish discovery and JWKS, rotate keys safely.
|
|
30
|
+
* - Decide JWT vs opaque access tokens; provide introspection if opaque.
|
|
31
|
+
*/
|
|
32
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
33
|
+
const tslib_1 = require("tslib");
|
|
34
|
+
/**
|
|
35
|
+
*
|
|
36
|
+
* OAuth 2.0 Device Authorization Grant (“device code flow”)
|
|
37
|
+
* Who does what (at a glance)
|
|
38
|
+
*
|
|
39
|
+
* Device/TV/CLI (no browser)
|
|
40
|
+
* Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
|
|
41
|
+
*
|
|
42
|
+
* User (on phone/laptop browser)
|
|
43
|
+
* Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
|
|
44
|
+
*
|
|
45
|
+
* Auth Server (you)
|
|
46
|
+
* Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
|
|
47
|
+
*
|
|
48
|
+
* Endpoints you need (only two “new” ones)
|
|
49
|
+
*
|
|
50
|
+
* POST /oauth/device_authorization ✅ (device calls)
|
|
51
|
+
*
|
|
52
|
+
* POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
|
|
53
|
+
*
|
|
54
|
+
* GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
|
|
55
|
+
*
|
|
56
|
+
* GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
|
|
57
|
+
*
|
|
58
|
+
* That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
|
|
59
|
+
*/
|
|
60
|
+
const common_1 = require("../../common");
|
|
61
|
+
const zod_1 = require("zod");
|
|
62
|
+
const crypto_1 = require("crypto");
|
|
63
|
+
const inputSchema = common_1.httpInputSchema;
|
|
64
|
+
// RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / "-" / "." / "_" / "~"
|
|
65
|
+
const pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/; // TODO: move to shared regex utils
|
|
66
|
+
const authorizationCodeGrant = zod_1.z.object({
|
|
67
|
+
grant_type: zod_1.z.literal("authorization_code"),
|
|
68
|
+
/** Authorization code returned from the /authorize step */
|
|
69
|
+
code: zod_1.z.string().min(1, "code is required"),
|
|
70
|
+
/** Must exactly match the redirect URI used when obtaining the code */
|
|
71
|
+
redirect_uri: zod_1.z.string().url(),
|
|
72
|
+
/** Public client identifier; UUID in your example */
|
|
73
|
+
client_id: zod_1.z.string().uuid(),
|
|
74
|
+
/** PKCE verifier bound to the code */
|
|
75
|
+
code_verifier: zod_1.z.string().regex(pkceVerifierRegex, "code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'"),
|
|
76
|
+
/** Optional resource/audience (used by some providers like AAD v1) */
|
|
77
|
+
resource: zod_1.z.string().url().describe("FrontMcp scope url"),
|
|
78
|
+
});
|
|
79
|
+
const anonymousGrant = zod_1.z.object({
|
|
80
|
+
grant_type: zod_1.z.literal("anonymous"),
|
|
81
|
+
/** Public client identifier; UUID in your example */
|
|
82
|
+
client_id: zod_1.z.string().uuid(),
|
|
83
|
+
/** Target resource/audience is required for this custom flow */
|
|
84
|
+
resource: zod_1.z.string().url(),
|
|
85
|
+
});
|
|
86
|
+
const stateSchema = zod_1.z.object({
|
|
87
|
+
body: zod_1.z.discriminatedUnion('grant_type', [anonymousGrant, authorizationCodeGrant]),
|
|
88
|
+
isDefaultAuthProvider: zod_1.z.boolean().describe("If FrontMcp initialized without auth options"),
|
|
89
|
+
});
|
|
90
|
+
const outputSchema = common_1.HttpJsonSchema;
|
|
91
|
+
const plan = {
|
|
92
|
+
pre: [
|
|
93
|
+
'parseInput',
|
|
94
|
+
'validateInput',
|
|
95
|
+
],
|
|
96
|
+
execute: [
|
|
97
|
+
'generateJWT',
|
|
98
|
+
'buildAuthorizeOutput'
|
|
99
|
+
],
|
|
100
|
+
post: [
|
|
101
|
+
'validateOutput',
|
|
102
|
+
],
|
|
103
|
+
};
|
|
104
|
+
const name = 'oauth:token';
|
|
105
|
+
const Stage = (0, common_1.StageHookOf)(name);
|
|
106
|
+
let OauthTokenFlow = class OauthTokenFlow extends common_1.FlowBase {
|
|
107
|
+
async parseInput() {
|
|
108
|
+
const { metadata } = this.scope;
|
|
109
|
+
const { request } = this.rawInput;
|
|
110
|
+
if (!metadata.auth) {
|
|
111
|
+
const isDefaultAuthProvider = true;
|
|
112
|
+
this.state.set(stateSchema.parse({
|
|
113
|
+
isDefaultAuthProvider, //
|
|
114
|
+
body: request.body,
|
|
115
|
+
}));
|
|
116
|
+
}
|
|
117
|
+
else {
|
|
118
|
+
// TODO:
|
|
119
|
+
// support local/remote proxy auth provider
|
|
120
|
+
// the call next only if scope isn't orchestrated
|
|
121
|
+
this.next();
|
|
122
|
+
}
|
|
123
|
+
}
|
|
124
|
+
async validateInput() {
|
|
125
|
+
const localAuth = this.scope.auth;
|
|
126
|
+
const access_token = await localAuth.signAnonymousJwt();
|
|
127
|
+
const refresh_token = (0, crypto_1.randomUUID)();
|
|
128
|
+
this.respond(common_1.httpRespond.json({
|
|
129
|
+
access_token,
|
|
130
|
+
token_type: 'Bearer',
|
|
131
|
+
expires_in: 86500,
|
|
132
|
+
refresh_token,
|
|
133
|
+
}));
|
|
134
|
+
// TBD
|
|
135
|
+
}
|
|
136
|
+
async buildAuthorizeOutput() {
|
|
137
|
+
// TBD
|
|
138
|
+
}
|
|
139
|
+
async validateOutput() {
|
|
140
|
+
// TBD
|
|
141
|
+
}
|
|
142
|
+
};
|
|
143
|
+
tslib_1.__decorate([
|
|
144
|
+
Stage('parseInput'),
|
|
145
|
+
tslib_1.__metadata("design:type", Function),
|
|
146
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
147
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
148
|
+
], OauthTokenFlow.prototype, "parseInput", null);
|
|
149
|
+
tslib_1.__decorate([
|
|
150
|
+
Stage('validateInput'),
|
|
151
|
+
tslib_1.__metadata("design:type", Function),
|
|
152
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
153
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
154
|
+
], OauthTokenFlow.prototype, "validateInput", null);
|
|
155
|
+
tslib_1.__decorate([
|
|
156
|
+
Stage('buildAuthorizeOutput'),
|
|
157
|
+
tslib_1.__metadata("design:type", Function),
|
|
158
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
159
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
160
|
+
], OauthTokenFlow.prototype, "buildAuthorizeOutput", null);
|
|
161
|
+
tslib_1.__decorate([
|
|
162
|
+
Stage('validateOutput'),
|
|
163
|
+
tslib_1.__metadata("design:type", Function),
|
|
164
|
+
tslib_1.__metadata("design:paramtypes", []),
|
|
165
|
+
tslib_1.__metadata("design:returntype", Promise)
|
|
166
|
+
], OauthTokenFlow.prototype, "validateOutput", null);
|
|
167
|
+
OauthTokenFlow = tslib_1.__decorate([
|
|
168
|
+
(0, common_1.Flow)({
|
|
169
|
+
name,
|
|
170
|
+
plan,
|
|
171
|
+
inputSchema,
|
|
172
|
+
outputSchema,
|
|
173
|
+
access: 'public',
|
|
174
|
+
middleware: {
|
|
175
|
+
method: 'POST',
|
|
176
|
+
path: '/oauth/token',
|
|
177
|
+
},
|
|
178
|
+
})
|
|
179
|
+
], OauthTokenFlow);
|
|
180
|
+
exports.default = OauthTokenFlow;
|
|
181
|
+
//# sourceMappingURL=oauth.token.flow.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.token.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;;;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,yCAMsB;AACtB,6BAAsB;AACtB,mCAAkC;AAIlC,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,0FAA0F;AAC1F,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,CAAC,mCAAmC;AAC1F,MAAM,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IACtC,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC3C,2DAA2D;IAC3D,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,kBAAkB,CAAC;IAC3C,uEAAuE;IACvE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC9B,qDAAqD;IACrD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC5B,sCAAsC;IACtC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,iBAAiB,EAAE,2EAA2E,CAAE;IAChI,sEAAsE;IACtE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;CAC1D,CAAC,CAAC;AACH,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9B,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAClC,qDAAqD;IACrD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC5B,gEAAgE;IAChE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,OAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE,CAAC,cAAc,EAAE,sBAAsB,CAAC,CAAC;IAClF,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;CAC5F,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,uBAAc,CAAC;AAGpC,MAAM,IAAI,GAAG;IACX,GAAG,EAAE;QACH,YAAY;QACZ,eAAe;KAChB;IACD,OAAO,EAAE;QACP,aAAa;QACb,sBAAsB;KACvB;IACD,IAAI,EAAE;QACJ,gBAAgB;KACjB;CACkC,CAAC;AActC,MAAM,IAAI,GAAG,aAAsB,CAAC;AACpC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,iBAAqB;IAGzD,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAC,QAAQ,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAC9B,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAGhC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,qBAAqB,GAAG,IAAI,CAAA;YAClC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC;gBAC/B,qBAAqB,EAAE,EAAE;gBACzB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC,CAAA;QACL,CAAC;aAAM,CAAC;YACN,QAAQ;YACR,4CAA4C;YAC5C,kDAAkD;YAClD,IAAI,CAAC,IAAI,EAAE,CAAA;QACb,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QAEjB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAA;QACvD,MAAM,aAAa,GAAG,IAAA,mBAAU,GAAE,CAAA;QAClC,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;YAC5B,YAAY;YACZ,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,KAAK;YACjB,aAAa;SACd,CAAC,CAAC,CAAA;QAEH,MAAM;IACR,CAAC;IAIK,AAAN,KAAK,CAAC,oBAAoB;QACxB,MAAM;IACR,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,MAAM;IACR,CAAC;CACF,CAAA;AA7CO;IADL,KAAK,CAAC,YAAY,CAAC;;;;gDAkBnB;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;mDActB;AAIK;IADL,KAAK,CAAC,sBAAsB,CAAC;;;;0DAG7B;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;oDAGvB;AA/CkB,cAAc;IAXlC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,cAAc;SACrB;KACF,CAAC;GACmB,cAAc,CAgDlC;kBAhDoB,cAAc","sourcesContent":["/**\n * Token Endpoint — POST /oauth/token\n *\n * Who calls: Client (server-to-server).\n *\n * When: After getting the code (or for refresh).\n *\n * Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.\n */\n/**\n * Typical parameter shapes\n *\n * /oauth/token (POST, application/x-www-form-urlencoded)\n *\n * For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier\n *\n * For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)\n */\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n/**\n *\n * OAuth 2.0 Device Authorization Grant (“device code flow”)\n * Who does what (at a glance)\n *\n * Device/TV/CLI (no browser)\n * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.\n *\n * User (on phone/laptop browser)\n * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.\n *\n * Auth Server (you)\n * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.\n *\n * Endpoints you need (only two “new” ones)\n *\n * POST /oauth/device_authorization ✅ (device calls)\n *\n * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)\n *\n * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)\n *\n * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)\n *\n * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize\n */\n\nimport {\n Flow, FlowBase, FlowPlan,\n FlowRunOptions,\n httpInputSchema, HttpJsonSchema,\n httpRespond,\n StageHookOf\n} from \"../../common\";\nimport {z} from \"zod\";\nimport {randomUUID} from \"crypto\";\nimport {LocalPrimaryAuth} from \"../instances/instance.local-primary-auth\";\n\n\nconst inputSchema = httpInputSchema;\n\n// RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nconst pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/; // TODO: move to shared regex utils\nconst authorizationCodeGrant = z.object({\n grant_type: z.literal(\"authorization_code\"),\n /** Authorization code returned from the /authorize step */\n code: z.string().min(1, \"code is required\"),\n /** Must exactly match the redirect URI used when obtaining the code */\n redirect_uri: z.string().url(),\n /** Public client identifier; UUID in your example */\n client_id: z.string().uuid(),\n /** PKCE verifier bound to the code */\n code_verifier: z.string().regex(pkceVerifierRegex, \"code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'\",),\n /** Optional resource/audience (used by some providers like AAD v1) */\n resource: z.string().url().describe(\"FrontMcp scope url\"),\n});\nconst anonymousGrant = z.object({\n grant_type: z.literal(\"anonymous\"),\n /** Public client identifier; UUID in your example */\n client_id: z.string().uuid(),\n /** Target resource/audience is required for this custom flow */\n resource: z.string().url(),\n});\n\nconst stateSchema = z.object({\n body: z.discriminatedUnion('grant_type', [anonymousGrant, authorizationCodeGrant]),\n isDefaultAuthProvider: z.boolean().describe(\"If FrontMcp initialized without auth options\"),\n});\n\nconst outputSchema = HttpJsonSchema;\n\n\nconst plan = {\n pre: [\n 'parseInput',\n 'validateInput',\n ],\n execute: [\n 'generateJWT',\n 'buildAuthorizeOutput'\n ],\n post: [\n 'validateOutput',\n ],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n interface ExtendFlows {\n 'oauth:token': FlowRunOptions<\n OauthTokenFlow,\n typeof plan,\n typeof inputSchema,\n typeof outputSchema,\n typeof stateSchema\n >;\n }\n}\n\nconst name = 'oauth:token' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n name,\n plan,\n inputSchema,\n outputSchema,\n access: 'public',\n middleware: {\n method: 'POST',\n path: '/oauth/token',\n },\n})\nexport default class OauthTokenFlow extends FlowBase<typeof name> {\n\n @Stage('parseInput')\n async parseInput() {\n const {metadata} = this.scope;\n const {request} = this.rawInput;\n\n\n if (!metadata.auth) {\n const isDefaultAuthProvider = true\n this.state.set(stateSchema.parse({\n isDefaultAuthProvider, //\n body: request.body,\n }))\n } else {\n // TODO:\n // support local/remote proxy auth provider\n // the call next only if scope isn't orchestrated\n this.next()\n }\n }\n\n @Stage('validateInput')\n async validateInput() {\n\n const localAuth = this.scope.auth as LocalPrimaryAuth;\n const access_token = await localAuth.signAnonymousJwt()\n const refresh_token = randomUUID()\n this.respond(httpRespond.json({\n access_token,\n token_type: 'Bearer',\n expires_in: 86500,\n refresh_token,\n }))\n\n // TBD\n }\n\n\n @Stage('buildAuthorizeOutput')\n async buildAuthorizeOutput() {\n // TBD\n }\n\n @Stage('validateOutput')\n async validateOutput() {\n // TBD\n }\n}"]}
|