@frontmcp/sdk 0.4.1 → 0.5.0

package/src/auth/flows/oauth.token.flow.js

@@ -33,7 +33,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const tslib_1 = require("tslib");
 /**
  *
- * OAuth 2.0 Device Authorization Grant (“device code flow”)
+ * OAuth 2.0 Device Authorization Grant ("device code flow")
  * Who does what (at a glance)
  *
  * Device/TV/CLI (no browser)
@@ -43,101 +43,215 @@ const tslib_1 = require("tslib");
  * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
  *
  * Auth Server (you)
- * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
+ * Stores the device transaction and, after the user authenticates, marks it as approved so the device's /oauth/token polling succeeds.
  *
- * Endpoints you need (only two “new” ones)
+ * Endpoints you need (only two "new" ones)
  *
  * POST /oauth/device_authorization ✅ (device calls)
  *
  * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
  *
- * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
+ * GET /activate ➜ "UI handler" (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
  *
- * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
+ * GET /activate/callback ➜ "UI handler" (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic "All set" page)
  *
- * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
+ * That's it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
  */
 const common_1 = require("../../common");
 const zod_1 = require("zod");
 const crypto_1 = require("crypto");
 const inputSchema = common_1.httpInputSchema;
 // RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / "-" / "." / "_" / "~"
-const pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/; // TODO: move to shared regex utils
+const pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/;
 const authorizationCodeGrant = zod_1.z.object({
-    grant_type: zod_1.z.literal("authorization_code"),
+    grant_type: zod_1.z.literal('authorization_code'),
     /** Authorization code returned from the /authorize step */
-    code: zod_1.z.string().min(1, "code is required"),
+    code: zod_1.z.string().min(1, 'code is required'),
     /** Must exactly match the redirect URI used when obtaining the code */
     redirect_uri: zod_1.z.string().url(),
-    /** Public client identifier; UUID in your example */
-    client_id: zod_1.z.string().uuid(),
+    /** Public client identifier */
+    client_id: zod_1.z.string().min(1),
     /** PKCE verifier bound to the code */
-    code_verifier: zod_1.z.string().regex(pkceVerifierRegex, "code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'"),
-    /** Optional resource/audience (used by some providers like AAD v1) */
-    resource: zod_1.z.string().url().describe("FrontMcp scope url"),
+    code_verifier: zod_1.z
+        .string()
+        .regex(pkceVerifierRegex, "code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'"),
+});
+const refreshTokenGrant = zod_1.z.object({
+    grant_type: zod_1.z.literal('refresh_token'),
+    /** The refresh token */
+    refresh_token: zod_1.z.string().min(1, 'refresh_token is required'),
+    /** Public client identifier */
+    client_id: zod_1.z.string().min(1),
 });
 const anonymousGrant = zod_1.z.object({
-    grant_type: zod_1.z.literal("anonymous"),
-    /** Public client identifier; UUID in your example */
-    client_id: zod_1.z.string().uuid(),
+    grant_type: zod_1.z.literal('anonymous'),
+    /** Public client identifier */
+    client_id: zod_1.z.string().min(1),
     /** Target resource/audience is required for this custom flow */
-    resource: zod_1.z.string().url(),
+    resource: zod_1.z.string().url().optional(),
 });
+const tokenRequestSchema = zod_1.z.discriminatedUnion('grant_type', [
+    anonymousGrant,
+    authorizationCodeGrant,
+    refreshTokenGrant,
+]);
 const stateSchema = zod_1.z.object({
-    body: zod_1.z.discriminatedUnion('grant_type', [anonymousGrant, authorizationCodeGrant]),
-    isDefaultAuthProvider: zod_1.z.boolean().describe("If FrontMcp initialized without auth options"),
+    body: tokenRequestSchema.optional(),
+    grantType: zod_1.z.enum(['authorization_code', 'refresh_token', 'anonymous']).optional(),
+    isDefaultAuthProvider: zod_1.z.boolean().describe('If FrontMcp initialized without auth options'),
+    isOrchestrated: zod_1.z.boolean().describe('If auth mode is orchestrated'),
+    // Token response data
+    tokenResponse: zod_1.z
+        .object({
+        access_token: zod_1.z.string(),
+        token_type: zod_1.z.literal('Bearer'),
+        expires_in: zod_1.z.number(),
+        refresh_token: zod_1.z.string().optional(),
+        scope: zod_1.z.string().optional(),
+    })
+        .optional(),
+    // Error data
+    error: zod_1.z.string().optional(),
+    errorDescription: zod_1.z.string().optional(),
 });
 const outputSchema = common_1.HttpJsonSchema;
 const plan = {
-    pre: [
-        'parseInput',
-        'validateInput',
-    ],
-    execute: [
-        'generateJWT',
-        'buildAuthorizeOutput'
-    ],
-    post: [
-        'validateOutput',
-    ],
+    pre: ['parseInput', 'validateInput'],
+    execute: ['handleAuthorizationCodeGrant', 'handleRefreshTokenGrant', 'handleAnonymousGrant', 'buildTokenResponse'],
+    post: ['validateOutput'],
 };
 const name = 'oauth:token';
 const Stage = (0, common_1.StageHookOf)(name);
 let OauthTokenFlow = class OauthTokenFlow extends common_1.FlowBase {
+    logger = this.scope.logger.child('OauthTokenFlow');
     async parseInput() {
         const { metadata } = this.scope;
         const { request } = this.rawInput;
-        if (!metadata.auth) {
-            const isDefaultAuthProvider = true;
-            this.state.set(stateSchema.parse({
-                isDefaultAuthProvider, //
-                body: request.body,
-            }));
+        // Determine if we're using default (anonymous) auth or orchestrated
+        const isDefaultAuthProvider = !metadata.auth;
+        const isOrchestrated = !isDefaultAuthProvider;
+        try {
+            const body = tokenRequestSchema.parse(request.body);
+            this.state.set({
+                isDefaultAuthProvider,
+                isOrchestrated,
+                body,
+                grantType: body.grant_type,
+            });
         }
-        else {
-            // TODO:
-            //  support local/remote proxy auth provider
-            //  the call next only if scope isn't orchestrated
-            this.next();
+        catch (err) {
+            this.logger.warn('Invalid token request body', err);
+            this.state.set({
+                isDefaultAuthProvider,
+                isOrchestrated,
+                error: 'invalid_request',
+                errorDescription: 'Invalid request body',
+            });
         }
     }
     async validateInput() {
+        const { error, errorDescription } = this.state;
+        if (error) {
+            this.respond(common_1.httpRespond.json({
+                error,
+                error_description: errorDescription,
+            }, { status: 400 }));
+        }
+    }
+    async handleAuthorizationCodeGrant() {
+        const { body, isDefaultAuthProvider } = this.state.required;
+        if (body?.grant_type !== 'authorization_code')
+            return;
+        // For default auth provider with "anonymous" code, just issue anonymous tokens
+        if (isDefaultAuthProvider && body.code === 'anonymous') {
+            const localAuth = this.scope.auth;
+            const accessToken = await localAuth.signAnonymousJwt();
+            this.state.set('tokenResponse', {
+                access_token: accessToken,
+                token_type: 'Bearer',
+                expires_in: 86400,
+                refresh_token: (0, crypto_1.randomUUID)(),
+            });
+            return;
+        }
+        // Real authorization code exchange
         const localAuth = this.scope.auth;
-        const access_token = await localAuth.signAnonymousJwt();
-        const refresh_token = (0, crypto_1.randomUUID)();
-        this.respond(common_1.httpRespond.json({
-            access_token,
+        const result = await localAuth.exchangeCode(body.code, body.client_id, body.redirect_uri, body.code_verifier);
+        if ('error' in result) {
+            this.logger.warn(`Code exchange failed: ${result.error}`);
+            this.respond(common_1.httpRespond.json({
+                error: result.error,
+                error_description: result.error_description,
+            }, { status: 400 }));
+            return;
+        }
+        this.state.set('tokenResponse', {
+            access_token: result.access_token,
+            token_type: result.token_type,
+            expires_in: result.expires_in,
+            refresh_token: result.refresh_token,
+            scope: result.scope,
+        });
+    }
+    async handleRefreshTokenGrant() {
+        const { body, isDefaultAuthProvider } = this.state.required;
+        if (body?.grant_type !== 'refresh_token')
+            return;
+        // For default auth provider, just issue new anonymous tokens
+        if (isDefaultAuthProvider) {
+            const localAuth = this.scope.auth;
+            const accessToken = await localAuth.signAnonymousJwt();
+            this.state.set('tokenResponse', {
+                access_token: accessToken,
+                token_type: 'Bearer',
+                expires_in: 86400,
+                refresh_token: (0, crypto_1.randomUUID)(),
+            });
+            return;
+        }
+        // Real refresh token exchange
+        const localAuth = this.scope.auth;
+        const result = await localAuth.refreshAccessToken(body.refresh_token, body.client_id);
+        if ('error' in result) {
+            this.logger.warn(`Refresh token failed: ${result.error}`);
+            this.respond(common_1.httpRespond.json({
+                error: result.error,
+                error_description: result.error_description,
+            }, { status: 400 }));
+            return;
+        }
+        this.state.set('tokenResponse', {
+            access_token: result.access_token,
+            token_type: result.token_type,
+            expires_in: result.expires_in,
+            refresh_token: result.refresh_token,
+            scope: result.scope,
+        });
+    }
+    async handleAnonymousGrant() {
+        const localAuth = this.scope.auth;
+        const accessToken = await localAuth.signAnonymousJwt();
+        this.state.set('tokenResponse', {
+            access_token: accessToken,
             token_type: 'Bearer',
-            expires_in: 86500,
-            refresh_token,
-        }));
-        // TBD
+            expires_in: 86400,
+            refresh_token: (0, crypto_1.randomUUID)(),
+        });
     }
-    async buildAuthorizeOutput() {
-        // TBD
+    async buildTokenResponse() {
+        const { tokenResponse } = this.state;
+        if (!tokenResponse) {
+            this.respond(common_1.httpRespond.json({
+                error: 'server_error',
+                error_description: 'Failed to generate tokens',
+            }, { status: 500 }));
+            return;
+        }
+        this.logger.info('Token response generated successfully');
+        this.respond(common_1.httpRespond.json(tokenResponse));
     }
     async validateOutput() {
-        // TBD
+        // Schema handles output validation
     }
 };
 tslib_1.__decorate([
@@ -153,11 +267,35 @@ tslib_1.__decorate([
     tslib_1.__metadata("design:returntype", Promise)
 ], OauthTokenFlow.prototype, "validateInput", null);
 tslib_1.__decorate([
-    Stage('buildAuthorizeOutput'),
+    Stage('handleAuthorizationCodeGrant', {
+        filter: ({ state }) => state.grantType === 'authorization_code',
+    }),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], OauthTokenFlow.prototype, "handleAuthorizationCodeGrant", null);
+tslib_1.__decorate([
+    Stage('handleRefreshTokenGrant', {
+        filter: ({ state }) => state.grantType === 'refresh_token',
+    }),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], OauthTokenFlow.prototype, "handleRefreshTokenGrant", null);
+tslib_1.__decorate([
+    Stage('handleAnonymousGrant', {
+        filter: ({ state }) => state.grantType === 'anonymous',
+    }),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], OauthTokenFlow.prototype, "handleAnonymousGrant", null);
+tslib_1.__decorate([
+    Stage('buildTokenResponse'),
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "buildAuthorizeOutput", null);
+], OauthTokenFlow.prototype, "buildTokenResponse", null);
 tslib_1.__decorate([
     Stage('validateOutput'),
     tslib_1.__metadata("design:type", Function),

package/src/auth/flows/oauth.token.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.token.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;;;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,yCAMsB;AACtB,6BAAsB;AACtB,mCAAkC;AAIlC,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,0FAA0F;AAC1F,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,CAAC,mCAAmC;AAC1F,MAAM,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IACtC,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC3C,2DAA2D;IAC3D,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,kBAAkB,CAAC;IAC3C,uEAAuE;IACvE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC9B,qDAAqD;IACrD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC5B,sCAAsC;IACtC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,iBAAiB,EAAE,2EAA2E,CAAE;IAChI,sEAAsE;IACtE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;CAC1D,CAAC,CAAC;AACH,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9B,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAClC,qDAAqD;IACrD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC5B,gEAAgE;IAChE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,OAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE,CAAC,cAAc,EAAE,sBAAsB,CAAC,CAAC;IAClF,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;CAC5F,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,uBAAc,CAAC;AAGpC,MAAM,IAAI,GAAG;IACX,GAAG,EAAE;QACH,YAAY;QACZ,eAAe;KAChB;IACD,OAAO,EAAE;QACP,aAAa;QACb,sBAAsB;KACvB;IACD,IAAI,EAAE;QACJ,gBAAgB;KACjB;CACkC,CAAC;AActC,MAAM,IAAI,GAAG,aAAsB,CAAC;AACpC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,iBAAqB;IAGzD,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAC,QAAQ,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAC9B,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAGhC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,qBAAqB,GAAG,IAAI,CAAA;YAClC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC;gBAC/B,qBAAqB,EAAE,EAAE;gBACzB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC,CAAA;QACL,CAAC;aAAM,CAAC;YACN,QAAQ;YACR,4CAA4C;YAC5C,kDAAkD;YAClD,IAAI,CAAC,IAAI,EAAE,CAAA;QACb,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QAEjB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAA;QACvD,MAAM,aAAa,GAAG,IAAA,mBAAU,GAAE,CAAA;QAClC,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;YAC5B,YAAY;YACZ,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,KAAK;YACjB,aAAa;SACd,CAAC,CAAC,CAAA;QAEH,MAAM;IACR,CAAC;IAIK,AAAN,KAAK,CAAC,oBAAoB;QACxB,MAAM;IACR,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,MAAM;IACR,CAAC;CACF,CAAA;AA7CO;IADL,KAAK,CAAC,YAAY,CAAC;;;;gDAkBnB;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;mDActB;AAIK;IADL,KAAK,CAAC,sBAAsB,CAAC;;;;0DAG7B;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;oDAGvB;AA/CkB,cAAc;IAXlC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,cAAc;SACrB;KACF,CAAC;GACmB,cAAc,CAgDlC;kBAhDoB,cAAc","sourcesContent":["/**\n * Token Endpoint — POST /oauth/token\n *\n * Who calls: Client (server-to-server).\n *\n * When: After getting the code (or for refresh).\n *\n * Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.\n */\n/**\n * Typical parameter shapes\n *\n * /oauth/token (POST, application/x-www-form-urlencoded)\n *\n * For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier\n *\n * For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)\n */\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n/**\n *\n * OAuth 2.0 Device Authorization Grant (“device code flow”)\n * Who does what (at a glance)\n *\n * Device/TV/CLI (no browser)\n * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.\n *\n * User (on phone/laptop browser)\n * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.\n *\n * Auth Server (you)\n * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.\n *\n * Endpoints you need (only two “new” ones)\n *\n * POST /oauth/device_authorization ✅ (device calls)\n *\n * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)\n *\n * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)\n *\n * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)\n *\n * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize\n */\n\nimport {\n  Flow, FlowBase, FlowPlan,\n  FlowRunOptions,\n  httpInputSchema, HttpJsonSchema,\n  httpRespond,\n  StageHookOf\n} from \"../../common\";\nimport {z} from \"zod\";\nimport {randomUUID} from \"crypto\";\nimport {LocalPrimaryAuth} from \"../instances/instance.local-primary-auth\";\n\n\nconst inputSchema = httpInputSchema;\n\n// RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nconst pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/; // TODO: move to shared regex utils\nconst authorizationCodeGrant = z.object({\n  grant_type: z.literal(\"authorization_code\"),\n  /** Authorization code returned from the /authorize step */\n  code: z.string().min(1, \"code is required\"),\n  /** Must exactly match the redirect URI used when obtaining the code */\n  redirect_uri: z.string().url(),\n  /** Public client identifier; UUID in your example */\n  client_id: z.string().uuid(),\n  /** PKCE verifier bound to the code */\n  code_verifier: z.string().regex(pkceVerifierRegex, \"code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'\",),\n  /** Optional resource/audience (used by some providers like AAD v1) */\n  resource: z.string().url().describe(\"FrontMcp scope url\"),\n});\nconst anonymousGrant = z.object({\n  grant_type: z.literal(\"anonymous\"),\n  /** Public client identifier; UUID in your example */\n  client_id: z.string().uuid(),\n  /** Target resource/audience is required for this custom flow */\n  resource: z.string().url(),\n});\n\nconst stateSchema = z.object({\n  body: z.discriminatedUnion('grant_type', [anonymousGrant, authorizationCodeGrant]),\n  isDefaultAuthProvider: z.boolean().describe(\"If FrontMcp initialized without auth options\"),\n});\n\nconst outputSchema = HttpJsonSchema;\n\n\nconst plan = {\n  pre: [\n    'parseInput',\n    'validateInput',\n  ],\n  execute: [\n    'generateJWT',\n    'buildAuthorizeOutput'\n  ],\n  post: [\n    'validateOutput',\n  ],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n  interface ExtendFlows {\n    'oauth:token': FlowRunOptions<\n      OauthTokenFlow,\n      typeof plan,\n      typeof inputSchema,\n      typeof outputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\nconst name = 'oauth:token' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n  name,\n  plan,\n  inputSchema,\n  outputSchema,\n  access: 'public',\n  middleware: {\n    method: 'POST',\n    path: '/oauth/token',\n  },\n})\nexport default class OauthTokenFlow extends FlowBase<typeof name> {\n\n  @Stage('parseInput')\n  async parseInput() {\n    const {metadata} = this.scope;\n    const {request} = this.rawInput;\n\n\n    if (!metadata.auth) {\n      const isDefaultAuthProvider = true\n      this.state.set(stateSchema.parse({\n        isDefaultAuthProvider, //\n        body: request.body,\n      }))\n    } else {\n      // TODO:\n      //  support local/remote proxy auth provider\n      //  the call next only if scope isn't orchestrated\n      this.next()\n    }\n  }\n\n  @Stage('validateInput')\n  async validateInput() {\n\n    const localAuth = this.scope.auth as LocalPrimaryAuth;\n    const access_token = await localAuth.signAnonymousJwt()\n    const refresh_token = randomUUID()\n    this.respond(httpRespond.json({\n      access_token,\n      token_type: 'Bearer',\n      expires_in: 86500,\n      refresh_token,\n    }))\n\n    // TBD\n  }\n\n\n  @Stage('buildAuthorizeOutput')\n  async buildAuthorizeOutput() {\n    // TBD\n  }\n\n  @Stage('validateOutput')\n  async validateOutput() {\n    // TBD\n  }\n}"]}
+{"version":3,"file":"oauth.token.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;;;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,yCASsB;AACtB,6BAAwB;AACxB,mCAAoC;AAGpC,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,0FAA0F;AAC1F,MAAM,iBAAiB,GAAG,2BAA2B,CAAC;AAEtD,MAAM,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IACtC,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC3C,2DAA2D;IAC3D,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,kBAAkB,CAAC;IAC3C,uEAAuE;IACvE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC9B,+BAA+B;IAC/B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,sCAAsC;IACtC,aAAa,EAAE,OAAC;SACb,MAAM,EAAE;SACR,KAAK,CAAC,iBAAiB,EAAE,2EAA2E,CAAC;CACzG,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACjC,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IACtC,wBAAwB;IACxB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,2BAA2B,CAAC;IAC7D,+BAA+B;IAC/B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9B,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAClC,+BAA+B;IAC/B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,gEAAgE;IAChE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,OAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE;IAC5D,cAAc;IACd,sBAAsB;IACtB,iBAAiB;CAClB,CAAC,CAAC;AAIH,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACnC,SAAS,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClF,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;IAC3F,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,8BAA8B,CAAC;IACpE,sBAAsB;IACtB,aAAa,EAAE,OAAC;SACb,MAAM,CAAC;QACN,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC/B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;QACtB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACpC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC7B,CAAC;SACD,QAAQ,EAAE;IACb,aAAa;IACb,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACxC,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,uBAAc,CAAC;AAEpC,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACpC,OAAO,EAAE,CAAC,8BAA8B,EAAE,yBAAyB,EAAE,sBAAsB,EAAE,oBAAoB,CAAC;IAClH,IAAI,EAAE,CAAC,gBAAgB,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,aAAsB,CAAC;AACpC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,iBAAqB;IACvD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAGrD,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAChC,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,oEAAoE;QACpE,MAAM,qBAAqB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAC7C,MAAM,cAAc,GAAG,CAAC,qBAAqB,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;gBACb,qBAAqB;gBACrB,cAAc;gBACd,IAAI;gBACJ,SAAS,EAAE,IAAI,CAAC,UAAU;aAC3B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;gBACb,qBAAqB;gBACrB,cAAc;gBACd,KAAK,EAAE,iBAAiB;gBACxB,gBAAgB,EAAE,sBAAsB;aACzC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,EAAE,KAAK,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK;gBACL,iBAAiB,EAAE,gBAAgB;aACpC,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,4BAA4B;QAChC,MAAM,EAAE,IAAI,EAAE,qBAAqB,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE5D,IAAI,IAAI,EAAE,UAAU,KAAK,oBAAoB;YAAE,OAAO;QAEtD,+EAA+E;QAC/E,IAAI,qBAAqB,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACvD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;YACtD,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAEvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;gBAC9B,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,KAAK;gBACjB,aAAa,EAAE,IAAA,mBAAU,GAAE;aAC5B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,mCAAmC;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAE9G,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;aAC5C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;YAC9B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAKK,AAAN,KAAK,CAAC,uBAAuB;QAC3B,MAAM,EAAE,IAAI,EAAE,qBAAqB,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE5D,IAAI,IAAI,EAAE,UAAU,KAAK,eAAe;YAAE,OAAO;QAEjD,6DAA6D;QAC7D,IAAI,qBAAqB,EAAE,CAAC;YAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;YACtD,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAEvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;gBAC9B,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,KAAK;gBACjB,aAAa,EAAE,IAAA,mBAAU,GAAE;aAC5B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEtF,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;aAC5C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;YAC9B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAKK,AAAN,KAAK,CAAC,oBAAoB;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;QAEvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;YAC9B,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,KAAK;YACjB,aAAa,EAAE,IAAA,mBAAU,GAAE;SAC5B,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAErC,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,2BAA2B;aAC/C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;IAChD,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,mCAAmC;IACrC,CAAC;CACF,CAAA;AAtLO;IADL,KAAK,CAAC,YAAY,CAAC;;;;gDA0BnB;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;mDAetB;AAKK;IAHL,KAAK,CAAC,8BAA8B,EAAE;QACrC,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,oBAAoB;KAChE,CAAC;;;;kEA6CD;AAKK;IAHL,KAAK,CAAC,yBAAyB,EAAE;QAChC,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,eAAe;KAC3D,CAAC;;;;6DA6CD;AAKK;IAHL,KAAK,CAAC,sBAAsB,EAAE;QAC7B,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,WAAW;KACvD,CAAC;;;;0DAWD;AAGK;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;wDAmB3B;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;oDAGvB;AAzLkB,cAAc;IAXlC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,cAAc;SACrB;KACF,CAAC;GACmB,cAAc,CA0LlC;kBA1LoB,cAAc","sourcesContent":["/**\n * Token Endpoint — POST /oauth/token\n *\n * Who calls: Client (server-to-server).\n *\n * When: After getting the code (or for refresh).\n *\n * Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.\n */\n/**\n * Typical parameter shapes\n *\n * /oauth/token (POST, application/x-www-form-urlencoded)\n *\n * For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier\n *\n * For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)\n */\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n/**\n *\n * OAuth 2.0 Device Authorization Grant (\"device code flow\")\n * Who does what (at a glance)\n *\n * Device/TV/CLI (no browser)\n * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.\n *\n * User (on phone/laptop browser)\n * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.\n *\n * Auth Server (you)\n * Stores the device transaction and, after the user authenticates, marks it as approved so the device's /oauth/token polling succeeds.\n *\n * Endpoints you need (only two \"new\" ones)\n *\n * POST /oauth/device_authorization ✅ (device calls)\n *\n * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)\n *\n * GET /activate ➜ \"UI handler\" (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)\n *\n * GET /activate/callback ➜ \"UI handler\" (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic \"All set\" page)\n *\n * That's it. No pages with complex consent screens are required; reuse your normal /oauth/authorize\n */\n\nimport {\n  Flow,\n  FlowBase,\n  FlowPlan,\n  FlowRunOptions,\n  httpInputSchema,\n  HttpJsonSchema,\n  httpRespond,\n  StageHookOf,\n} from '../../common';\nimport { z } from 'zod';\nimport { randomUUID } from 'crypto';\nimport { LocalPrimaryAuth, TokenResponse } from '../instances/instance.local-primary-auth';\n\nconst inputSchema = httpInputSchema;\n\n// RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nconst pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/;\n\nconst authorizationCodeGrant = z.object({\n  grant_type: z.literal('authorization_code'),\n  /** Authorization code returned from the /authorize step */\n  code: z.string().min(1, 'code is required'),\n  /** Must exactly match the redirect URI used when obtaining the code */\n  redirect_uri: z.string().url(),\n  /** Public client identifier */\n  client_id: z.string().min(1),\n  /** PKCE verifier bound to the code */\n  code_verifier: z\n    .string()\n    .regex(pkceVerifierRegex, \"code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'\"),\n});\n\nconst refreshTokenGrant = z.object({\n  grant_type: z.literal('refresh_token'),\n  /** The refresh token */\n  refresh_token: z.string().min(1, 'refresh_token is required'),\n  /** Public client identifier */\n  client_id: z.string().min(1),\n});\n\nconst anonymousGrant = z.object({\n  grant_type: z.literal('anonymous'),\n  /** Public client identifier */\n  client_id: z.string().min(1),\n  /** Target resource/audience is required for this custom flow */\n  resource: z.string().url().optional(),\n});\n\nconst tokenRequestSchema = z.discriminatedUnion('grant_type', [\n  anonymousGrant,\n  authorizationCodeGrant,\n  refreshTokenGrant,\n]);\n\ntype TokenRequest = z.infer<typeof tokenRequestSchema>;\n\nconst stateSchema = z.object({\n  body: tokenRequestSchema.optional(),\n  grantType: z.enum(['authorization_code', 'refresh_token', 'anonymous']).optional(),\n  isDefaultAuthProvider: z.boolean().describe('If FrontMcp initialized without auth options'),\n  isOrchestrated: z.boolean().describe('If auth mode is orchestrated'),\n  // Token response data\n  tokenResponse: z\n    .object({\n      access_token: z.string(),\n      token_type: z.literal('Bearer'),\n      expires_in: z.number(),\n      refresh_token: z.string().optional(),\n      scope: z.string().optional(),\n    })\n    .optional(),\n  // Error data\n  error: z.string().optional(),\n  errorDescription: z.string().optional(),\n});\n\nconst outputSchema = HttpJsonSchema;\n\nconst plan = {\n  pre: ['parseInput', 'validateInput'],\n  execute: ['handleAuthorizationCodeGrant', 'handleRefreshTokenGrant', 'handleAnonymousGrant', 'buildTokenResponse'],\n  post: ['validateOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n  interface ExtendFlows {\n    'oauth:token': FlowRunOptions<\n      OauthTokenFlow,\n      typeof plan,\n      typeof inputSchema,\n      typeof outputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\nconst name = 'oauth:token' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n  name,\n  plan,\n  inputSchema,\n  outputSchema,\n  access: 'public',\n  middleware: {\n    method: 'POST',\n    path: '/oauth/token',\n  },\n})\nexport default class OauthTokenFlow extends FlowBase<typeof name> {\n  private logger = this.scope.logger.child('OauthTokenFlow');\n\n  @Stage('parseInput')\n  async parseInput() {\n    const { metadata } = this.scope;\n    const { request } = this.rawInput;\n\n    // Determine if we're using default (anonymous) auth or orchestrated\n    const isDefaultAuthProvider = !metadata.auth;\n    const isOrchestrated = !isDefaultAuthProvider;\n\n    try {\n      const body = tokenRequestSchema.parse(request.body);\n      this.state.set({\n        isDefaultAuthProvider,\n        isOrchestrated,\n        body,\n        grantType: body.grant_type,\n      });\n    } catch (err) {\n      this.logger.warn('Invalid token request body', err);\n      this.state.set({\n        isDefaultAuthProvider,\n        isOrchestrated,\n        error: 'invalid_request',\n        errorDescription: 'Invalid request body',\n      });\n    }\n  }\n\n  @Stage('validateInput')\n  async validateInput() {\n    const { error, errorDescription } = this.state;\n\n    if (error) {\n      this.respond(\n        httpRespond.json(\n          {\n            error,\n            error_description: errorDescription,\n          },\n          { status: 400 },\n        ),\n      );\n    }\n  }\n\n  @Stage('handleAuthorizationCodeGrant', {\n    filter: ({ state }) => state.grantType === 'authorization_code',\n  })\n  async handleAuthorizationCodeGrant() {\n    const { body, isDefaultAuthProvider } = this.state.required;\n\n    if (body?.grant_type !== 'authorization_code') return;\n\n    // For default auth provider with \"anonymous\" code, just issue anonymous tokens\n    if (isDefaultAuthProvider && body.code === 'anonymous') {\n      const localAuth = this.scope.auth as LocalPrimaryAuth;\n      const accessToken = await localAuth.signAnonymousJwt();\n\n      this.state.set('tokenResponse', {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 86400,\n        refresh_token: randomUUID(),\n      });\n      return;\n    }\n\n    // Real authorization code exchange\n    const localAuth = this.scope.auth as LocalPrimaryAuth;\n    const result = await localAuth.exchangeCode(body.code, body.client_id, body.redirect_uri, body.code_verifier);\n\n    if ('error' in result) {\n      this.logger.warn(`Code exchange failed: ${result.error}`);\n      this.respond(\n        httpRespond.json(\n          {\n            error: result.error,\n            error_description: result.error_description,\n          },\n          { status: 400 },\n        ),\n      );\n      return;\n    }\n\n    this.state.set('tokenResponse', {\n      access_token: result.access_token,\n      token_type: result.token_type,\n      expires_in: result.expires_in,\n      refresh_token: result.refresh_token,\n      scope: result.scope,\n    });\n  }\n\n  @Stage('handleRefreshTokenGrant', {\n    filter: ({ state }) => state.grantType === 'refresh_token',\n  })\n  async handleRefreshTokenGrant() {\n    const { body, isDefaultAuthProvider } = this.state.required;\n\n    if (body?.grant_type !== 'refresh_token') return;\n\n    // For default auth provider, just issue new anonymous tokens\n    if (isDefaultAuthProvider) {\n      const localAuth = this.scope.auth as LocalPrimaryAuth;\n      const accessToken = await localAuth.signAnonymousJwt();\n\n      this.state.set('tokenResponse', {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 86400,\n        refresh_token: randomUUID(),\n      });\n      return;\n    }\n\n    // Real refresh token exchange\n    const localAuth = this.scope.auth as LocalPrimaryAuth;\n    const result = await localAuth.refreshAccessToken(body.refresh_token, body.client_id);\n\n    if ('error' in result) {\n      this.logger.warn(`Refresh token failed: ${result.error}`);\n      this.respond(\n        httpRespond.json(\n          {\n            error: result.error,\n            error_description: result.error_description,\n          },\n          { status: 400 },\n        ),\n      );\n      return;\n    }\n\n    this.state.set('tokenResponse', {\n      access_token: result.access_token,\n      token_type: result.token_type,\n      expires_in: result.expires_in,\n      refresh_token: result.refresh_token,\n      scope: result.scope,\n    });\n  }\n\n  @Stage('handleAnonymousGrant', {\n    filter: ({ state }) => state.grantType === 'anonymous',\n  })\n  async handleAnonymousGrant() {\n    const localAuth = this.scope.auth as LocalPrimaryAuth;\n    const accessToken = await localAuth.signAnonymousJwt();\n\n    this.state.set('tokenResponse', {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 86400,\n      refresh_token: randomUUID(),\n    });\n  }\n\n  @Stage('buildTokenResponse')\n  async buildTokenResponse() {\n    const { tokenResponse } = this.state;\n\n    if (!tokenResponse) {\n      this.respond(\n        httpRespond.json(\n          {\n            error: 'server_error',\n            error_description: 'Failed to generate tokens',\n          },\n          { status: 500 },\n        ),\n      );\n      return;\n    }\n\n    this.logger.info('Token response generated successfully');\n    this.respond(httpRespond.json(tokenResponse));\n  }\n\n  @Stage('validateOutput')\n  async validateOutput() {\n    // Schema handles output validation\n  }\n}\n"]}