@frontmcp/sdk 0.4.1 → 0.5.0

package/src/auth/flows/session.verify.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.verify.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/session.verify.flow.ts"],"names":[],"mappings":";;;;AAAA,oCAAoC;AACpC,yCAMsB;AACtB,4BAA0B;AAC1B,6BAAsB;AACtB,8CAA0F;AAC1F,wEAI2C;AAC3C,kCAAqE;AACrE,wEAAqE;AAGrE,MAAM,WAAW,GAAG,+BAAsB,CAAC;AAE3C,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1C,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,mBAAmB;IAC3D,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,6BAA6B;IACrE,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,UAAU,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACjD,IAAI,EAAE,wBAAe,CAAC,QAAQ,EAAE;IAChC,OAAO,EAAE,wBAAe,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,OAAC;KACzB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;CAC9E,CAAC;KACD,QAAQ,CAAC,mFAAmF,CAAC,CAAC;AAEjG,MAAM,gBAAgB,GAAG,OAAC;KACvB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7B,aAAa,EAAE,4BAAmB,CAAC,QAAQ,CAAC,8CAA8C,CAAC;CAC5F,CAAC;KACD,QAAQ,CAAC,gCAAgC,CAAC,CAAC;AAGjC,QAAA,yBAAyB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAEzF,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,4BAA4B,EAAE,aAAa,CAAC;IAChE,OAAO,EAAE,CAAC,YAAY,EAAE,oBAAoB,EAAE,uBAAuB,CAAC;CACnC,CAAC;AActC,MAAM,IAAI,GAAG,gBAAyB,CAAC;AACvC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AASjB,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,iBAAqB;IAI5D,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAChC,MAAM,SAAS,GAAG,IAAA,iCAAoB,EAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,IAAA,+BAAkB,EAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAA,8BAAiB,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAEtD,MAAM,mBAAmB,GAAI,OAAO,CAAC,OAAO,EAAE,CAAC,eAAe,CAAwB,IAAI,SAAS,CAAC;QACpG,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QACtF,MAAM,kBAAkB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QACrF,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAuB,CAAC;QAExE,MAAM,eAAe,GAAG,kBAAkB,IAAI,cAAc,IAAI,SAAS,CAAC;QAC1E,MAAM,eAAe,GAAG,mBAAmB;YACzC,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,eAAe;gBACf,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc;oBACd,CAAC,CAAC,KAAK;oBACP,CAAC,CAAC,SAAS,CAAC;QAElB,MAAM,KAAK,GAAG,IAAA,qCAAkB,EAAC,mBAAmB,CAAC,CAAC;QAEtD,MAAM,eAAe,GAAG,wCAAwC,SAAS,GAAG,SAAS,EAAE,CAAC;QACxF,MAAM,iBAAiB,GAAG,6BAA6B,OAAO,GAAG,eAAe,GAAG,CAAC;QAEpF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,OAAO;YACP,mBAAmB;YACnB,KAAK;YACL,eAAe;YACf,eAAe;YACf,eAAe;YACf,iBAAiB;SAClB,CAAC,CAAC;IACL,CAAC;IAKK,AAAN,KAAK,CAAC,+BAA+B;QACnC,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,cAAc;YACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;SACzD,CAAC,CAAC;IACL,CAAC;IAGD;;;;;;;OAOG;IAEG,AAAN,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAW,CAAC,CAAC,CAAC,sBAAsB;QAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QAExC,IAAI,CAAC,IAAA,wBAAK,EAAC,KAAK,CAAC,EAAE,CAAC;YAClB,wFAAwF;YACxF,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;aACzD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oFAAoF;QACpF,IAAI,MAA6B,CAAC;QAClC,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC,YAAY;YAC1D,MAAM,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAEvE,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAA4B,CAAC;YAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;YACtC,MAAM,YAAY,GAAwB;gBACxC;oBACE,EAAE,EAAE,OAAO,CAAC,EAAE,IAAI,SAAS;oBAC3B,SAAS,EAAE,MAAM;oBACjB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,OAAO,CAAC,OAAO;iBACzB;aACF,CAAC;YACF,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;QAE5B,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;YACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAC,UAAU,EAAE,MAAM,CAAC,OAAO,EAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QACD,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,cAAc;YACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;SACzD,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAA,kCAAe,EAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;IAChF,CAAC;IAED;;;;;OAKG;IAEG,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAC,eAAe,EAAE,QAAQ,EAAE,EAAC,KAAK,EAAC,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAExD,MAAM,OAAO,GAAG,IAAA,qCAAkB,EAAC,eAAe,EAAE,KAAK,CAAC,CAAC;QAC3D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,qBAAqB;QACzB,MAAM,EACJ,QAAQ,EAAE,EAAC,KAAK,EAAE,IAAI,EAAC,EACvB,OAAO,GACR,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE;gBACb,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR;SACF,CAAC,CAAC;IACL,CAAC;CAEF,CAAA;AAzIO;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAmCnB;AAKK;IAHL,KAAK,CAAC,4BAA4B,EAAE;QACnC,MAAM,EAAE,CAAC,EAAC,KAAK,EAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,mBAAmB;KAChD,CAAC;;;;wEAMD;AAYK;IADL,KAAK,CAAC,aAAa,CAAC;;;;oDA0CpB;AAGK;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAGnB;AASK;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;2DAQ3B;AAGK;IADL,KAAK,CAAC,uBAAuB,CAAC;;;;8DAe9B;AA3IkB,iBAAiB;IAPrC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY,EAAE,iCAAyB;QACvC,MAAM,EAAE,YAAY;KACrB,CAAC;GACmB,iBAAiB,CA6IrC;kBA7IoB,iBAAiB","sourcesContent":["// auth/flows/session.verify.flow.ts\nimport {\n  authorizationSchema,\n  Flow, FlowBase,\n  FlowRunOptions,\n  StageHookOf, userClaimSchema,\n  RemoteAuthOptions, sessionIdSchema, httpRequestInputSchema, FlowPlan,\n} from '../../common';\nimport 'reflect-metadata';\nimport {z} from 'zod';\nimport {getRequestBaseUrl, normalizeEntryPrefix, normalizeScopeBase} from '../path.utils';\nimport {\n  deriveTypedUser,\n  extractBearerToken,\n  isJwt,\n} from '../session/utils/auth-token.utils';\nimport {JwksService, ProviderVerifyRef, VerifyResult} from '../jwks';\nimport {parseSessionHeader} from '../session/utils/session-id.utils';\n\n\nconst inputSchema = httpRequestInputSchema;\n\nconst stateSchema = z.object({\n  baseUrl: z.string().min(1),\n  authorizationHeader: z.string().optional(),\n  token: z.string().optional(),\n  sessionIdHeader: z.string().optional(), // 'mcp-session-id'\n  sessionProtocol: z.string().optional(), // 'sse/http/streamable-http'\n  prmMetadataPath: z.string().optional(),\n  prmMetadataHeader: z.string().optional(),\n  jwtPayload: z.object({}).passthrough().optional(),\n  user: userClaimSchema.optional(),\n  session: sessionIdSchema.optional(),\n});\n\nconst UnauthorizedSchema = z\n  .object({\n    kind: z.literal('unauthorized'),\n    prmMetadataHeader: z.string().describe('Path to protected resource metadata'),\n  })\n  .describe('401 Unauthorized with \\'WWW-Authenticate\\' header for requesting authentication\\'');\n\nconst AuthorizedSchema = z\n  .object({\n    kind: z.literal('authorized'),\n    authorization: authorizationSchema.describe('Session information if session id is present'),\n  })\n  .describe('Authorized session information');\n\n\nexport const sessionVerifyOutputSchema = z.union([UnauthorizedSchema, AuthorizedSchema]);\n\nconst plan = {\n  pre: ['parseInput', 'requireAuthorizationHeader', 'verifyIfJwt'],\n  execute: ['deriveUser', 'parseSessionHeader', 'buildAuthorizedOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n  interface ExtendFlows {\n    'session:verify': FlowRunOptions<\n      SessionVerifyFlow,\n      typeof plan,\n      typeof inputSchema,\n      typeof sessionVerifyOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\nconst name = 'session:verify' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n  name,\n  plan,\n  inputSchema,\n  outputSchema: sessionVerifyOutputSchema,\n  access: 'authorized',\n})\nexport default class SessionVerifyFlow extends FlowBase<typeof name> {\n\n\n  @Stage('parseInput')\n  async parseInput() {\n    const {request} = this.rawInput;\n    const entryPath = normalizeEntryPrefix(this.scope.entryPath);\n    const routeBase = normalizeScopeBase(this.scope.routeBase);\n    const baseUrl = getRequestBaseUrl(request, entryPath);\n\n    const authorizationHeader = (request.headers?.['authorization'] as string | undefined) ?? undefined;\n    const httpTransportHeader = request.headers?.['http-transport'] as string | undefined;\n    const sessionIdRawHeader = request.headers?.['mcp-session-id'] as string | undefined;\n    const sessionIdQuery = request.query['sessionId'] as string | undefined;\n\n    const sessionIdHeader = sessionIdRawHeader ?? sessionIdQuery ?? undefined;\n    const sessionProtocol = httpTransportHeader\n      ? 'http'\n      : sessionIdHeader\n        ? 'streamable-http'\n        : sessionIdQuery\n          ? 'sse'\n          : undefined;\n\n    const token = extractBearerToken(authorizationHeader);\n\n    const prmMetadataPath = `/.well-known/oauth-protected-resource${entryPath}${routeBase}`;\n    const prmMetadataHeader = `Bearer resource_metadata=\"${baseUrl}${prmMetadataPath}\"`;\n\n    this.state.set({\n      baseUrl,\n      authorizationHeader,\n      token,\n      sessionIdHeader,\n      sessionProtocol,\n      prmMetadataPath,\n      prmMetadataHeader,\n    });\n  }\n\n  @Stage('requireAuthorizationHeader', {\n    filter: ({state}) => !state.authorizationHeader,\n  })\n  async requireAuthorizationOrChallenge() {\n    this.respond({\n      kind: 'unauthorized',\n      prmMetadataHeader: this.state.required.prmMetadataHeader,\n    });\n  }\n\n\n  /**\n   * If Authorization is a JWT:\n   *  - Attempt verification against any known / cached public keys we have (gateway/local)\n   *  - If verification fails → 401\n   *  - If verification ok → capture payload\n   * If NOT a JWT:\n   *  - we do NOT attempt verification, just pass the raw token through\n   */\n  @Stage('verifyIfJwt')\n  async verifyIfJwt() {\n    const jwks = this.get(JwksService); // TODO: fix providers\n    const token = this.state.required.token;\n\n    if (!isJwt(token)) {\n      // Non-JWT tokens are passed through; user will be mostly empty (the best effort later).\n      this.respond({\n        kind: 'unauthorized',\n        prmMetadataHeader: this.state.required.prmMetadataHeader,\n      });\n      return;\n    }\n\n    // Best-effort verification using locally known keys (gateway/local provider cache).\n    let verify: Promise<VerifyResult>;\n    if (this.scope.auth.options.type === 'local') { // TODO: fix\n      verify = jwks.verifyGatewayToken(token, this.state.required.baseUrl);\n\n    } else {\n      const primary = this.scope.auth.options as RemoteAuthOptions;\n      const issuer = this.scope.auth.issuer;\n      const providerRefs: ProviderVerifyRef[] = [\n        {\n          id: primary.id ?? 'default',\n          issuerUrl: issuer,\n          jwks: primary.jwks,\n          jwksUri: primary.jwksUri,\n        },\n      ];\n      verify = jwks.verifyTransparentToken(token, providerRefs);\n    }\n    const result = await verify;\n\n    if (result.ok) {\n      this.state.set({jwtPayload: result.payload});\n      return;\n    }\n    this.respond({\n      kind: 'unauthorized',\n      prmMetadataHeader: this.state.required.prmMetadataHeader,\n    });\n  }\n\n  @Stage('deriveUser')\n  async deriveUser() {\n    this.state.set('user', deriveTypedUser(this.state.required.jwtPayload ?? {}));\n  }\n\n  /**\n   * Parse the session header (mcp-session-id)\n   * - If session id is present, validate it\n   * - If valid, capture the session info\n   * - If NOT valid, ignore (no session)\n   */\n  @Stage('parseSessionHeader')\n  async parseSessionHeader() {\n    const {sessionIdHeader, required: {token}} = this.state;\n\n    const session = parseSessionHeader(sessionIdHeader, token);\n    if (session) {\n      this.state.set('session', session);\n    }\n  }\n\n  @Stage('buildAuthorizedOutput')\n  async buildAuthorizedOutput() {\n    const {\n      required: {token, user},\n      session,\n    } = this.state;\n\n    this.respond({\n      kind: 'authorized',\n      authorization: {\n        token,\n        user,\n        session,\n      },\n    });\n  }\n\n}\n"]}
+{"version":3,"file":"session.verify.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/session.verify.flow.ts"],"names":[],"mappings":";;;;AAAA,oCAAoC;AACpC,yCAiBsB;AACtB,4BAA0B;AAC1B,6BAAwB;AACxB,wEAA+F;AAC/F,kCAAuE;AACvE,wEAA0G;AAC1G,oDAAgD;AAEhD,MAAM,WAAW,GAAG,+BAAsB,CAAC;AAE3C,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1C,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,mBAAmB;IAC3D,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,6BAA6B;IACrE,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,UAAU,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACjD,IAAI,EAAE,wBAAe,CAAC,QAAQ,EAAE;IAChC,OAAO,EAAE,wBAAe,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,OAAC;KACzB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;CAC9E,CAAC;KACD,QAAQ,CAAC,+EAA+E,CAAC,CAAC;AAE7F,MAAM,gBAAgB,GAAG,OAAC;KACvB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7B,aAAa,EAAE,4BAAmB,CAAC,QAAQ,CAAC,8CAA8C,CAAC;CAC5F,CAAC;KACD,QAAQ,CAAC,gCAAgC,CAAC,CAAC;AAEjC,QAAA,yBAAyB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAEzF,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,kBAAkB,EAAE,4BAA4B,EAAE,aAAa,CAAC;IACpF,OAAO,EAAE,CAAC,YAAY,EAAE,oBAAoB,EAAE,uBAAuB,CAAC;CACnC,CAAC;AActC,MAAM,IAAI,GAAG,gBAAyB,CAAC;AACvC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AASjB,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,iBAAqB;IAE5D,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,SAAS,GAAG,IAAA,6BAAoB,EAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,IAAA,2BAAkB,EAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAEtD,MAAM,mBAAmB,GAAI,OAAO,CAAC,OAAO,EAAE,CAAC,eAAe,CAAwB,IAAI,SAAS,CAAC;QACpG,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QACtF,MAAM,kBAAkB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QACrF,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAuB,CAAC;QAExE,MAAM,eAAe,GAAG,kBAAkB,IAAI,cAAc,IAAI,SAAS,CAAC;QAC1E,oFAAoF;QACpF,6FAA6F;QAC7F,MAAM,eAAe,GAAG,mBAAmB;YACzC,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,kBAAkB;gBACpB,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc;oBAChB,CAAC,CAAC,KAAK;oBACP,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,KAAK,GAAG,IAAA,qCAAkB,EAAC,mBAAmB,CAAC,CAAC;QAEtD,MAAM,eAAe,GAAG,wCAAwC,SAAS,GAAG,SAAS,EAAE,CAAC;QACxF,MAAM,iBAAiB,GAAG,6BAA6B,OAAO,GAAG,eAAe,GAAG,CAAC;QAEpF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,OAAO;YACP,mBAAmB;YACnB,KAAK;YACL,eAAe;YACf,eAAe;YACf,eAAe;YACf,iBAAiB;SAClB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IAEG,AAAN,KAAK,CAAC,gBAAgB;QACpB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC;QAE7C,uFAAuF;QACvF,IAAI,CAAC,WAAW,IAAI,CAAC,IAAA,qBAAY,EAAC,WAAW,CAAC,EAAE,CAAC;YAC/C,OAAO;QACT,CAAC;QAED,kEAAkE;QAClE,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC;QACnD,MAAM,SAAS,GAAG,IAAA,4BAAY,GAAE,CAAC;QAEjC,2EAA2E;QAC3E,0EAA0E;QAC1E,+CAA+C;QAC/C,IAAI,eAAe,EAAE,CAAC;YACpB,oFAAoF;YACpF,MAAM,eAAe,GAAG,IAAA,uCAAoB,EAAC,eAAe,CAAC,CAAC;YAE9D,2DAA2D;YAC3D,MAAM,IAAI,GAAG,eAAe;gBAC1B,CAAC,CAAC,EAAE,GAAG,EAAE,QAAQ,eAAe,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE;gBACjF,CAAC,CAAC,EAAE,GAAG,EAAE,QAAQ,MAAM,CAAC,UAAU,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;YAE7E,mEAAmE;YACnE,kFAAkF;YAClF,6EAA6E;YAC7E,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,YAAY;gBAClB,aAAa,EAAE;oBACb,KAAK,EAAE,EAAE;oBACT,IAAI;oBACJ,OAAO,EAAE;wBACP,EAAE,EAAE,eAAe,EAAE,6CAA6C;wBAClE,OAAO,EAAE,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;qBAC/F;iBACF;aACF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8DAA8D;QAC9D,mFAAmF;QACnF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,EAAE,GAAG,EAAE,QAAQ,MAAM,CAAC,UAAU,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACtF,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEjC,sEAAsE;QACtE,MAAM,OAAO,GAAG;YACd,IAAI;YACJ,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,QAAQ;YACjB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC;YAC3B,QAAQ,EAAE,IAAI;SACf,CAAC;QAEF,MAAM,SAAS,GAAG,IAAA,8BAAW,EAAC,OAAO,CAAC,CAAC;QAEvC,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE;gBACb,KAAK,EAAE,EAAE;gBACT,IAAI;gBACJ,OAAO,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE;aACpC;SACF,CAAC,CAAC;IACL,CAAC;IAKK,AAAN,KAAK,CAAC,+BAA+B;QACnC,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,cAAc;YACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;SACzD,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IAEG,AAAN,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAW,CAAC,CAAC,CAAC,sBAAsB;QAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QAExC,IAAI,CAAC,IAAA,wBAAK,EAAC,KAAK,CAAC,EAAE,CAAC;YAClB,kEAAkE;YAClE,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;aACzD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oFAAoF;QACpF,0EAA0E;QAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QAC7B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;aACzD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,MAA6B,CAAC;QAClC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC;QAEjC,+EAA+E;QAC/E,IAAI,IAAA,0BAAiB,EAAC,WAAW,CAAC,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,WAAqC,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC3B,MAAM,YAAY,GAAwB;gBACxC;oBACE,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,SAAS;oBAClC,SAAS,EAAE,MAAM;oBACjB,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;oBACzB,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO;iBAChC;aACF,CAAC;YACF,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,kEAAkE;YAClE,MAAM,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;QAE5B,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;YACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,cAAc;YACpB,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB;SACzD,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAA,kCAAe,EAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;IAChF,CAAC;IAED;;;;;OAKG;IAEG,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EACJ,eAAe,EACf,QAAQ,EAAE,EAAE,KAAK,EAAE,GACpB,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,MAAM,OAAO,GAAG,IAAA,qCAAkB,EAAC,eAAe,EAAE,KAAK,CAAC,CAAC;QAC3D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,qBAAqB;QACzB,MAAM,EACJ,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EACzB,OAAO,GACR,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE;gBACb,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR;SACF,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AA3OO;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAqCnB;AAWK;IADL,KAAK,CAAC,kBAAkB,CAAC;;;;yDAuEzB;AAKK;IAHL,KAAK,CAAC,4BAA4B,EAAE;QACnC,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,mBAAmB;KAClD,CAAC;;;;wEAMD;AAWK;IADL,KAAK,CAAC,aAAa,CAAC;;;;oDAwDpB;AAGK;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAGnB;AASK;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;2DAW3B;AAGK;IADL,KAAK,CAAC,uBAAuB,CAAC;;;;8DAe9B;AA5OkB,iBAAiB;IAPrC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY,EAAE,iCAAyB;QACvC,MAAM,EAAE,YAAY;KACrB,CAAC;GACmB,iBAAiB,CA6OrC;kBA7OoB,iBAAiB","sourcesContent":["// auth/flows/session.verify.flow.ts\nimport {\n  authorizationSchema,\n  Flow,\n  FlowBase,\n  FlowRunOptions,\n  StageHookOf,\n  userClaimSchema,\n  sessionIdSchema,\n  httpRequestInputSchema,\n  FlowPlan,\n  AuthOptions,\n  isTransparentMode,\n  isPublicMode,\n  TransparentAuthOptions,\n  getRequestBaseUrl,\n  normalizeEntryPrefix,\n  normalizeScopeBase,\n} from '../../common';\nimport 'reflect-metadata';\nimport { z } from 'zod';\nimport { deriveTypedUser, extractBearerToken, isJwt } from '../session/utils/auth-token.utils';\nimport { JwksService, ProviderVerifyRef, VerifyResult } from '../jwks';\nimport { parseSessionHeader, encryptJson, decryptPublicSession } from '../session/utils/session-id.utils';\nimport { getMachineId } from '../authorization';\n\nconst inputSchema = httpRequestInputSchema;\n\nconst stateSchema = z.object({\n  baseUrl: z.string().min(1),\n  authorizationHeader: z.string().optional(),\n  token: z.string().optional(),\n  sessionIdHeader: z.string().optional(), // 'mcp-session-id'\n  sessionProtocol: z.string().optional(), // 'sse/http/streamable-http'\n  prmMetadataPath: z.string().optional(),\n  prmMetadataHeader: z.string().optional(),\n  jwtPayload: z.object({}).passthrough().optional(),\n  user: userClaimSchema.optional(),\n  session: sessionIdSchema.optional(),\n});\n\nconst UnauthorizedSchema = z\n  .object({\n    kind: z.literal('unauthorized'),\n    prmMetadataHeader: z.string().describe('Path to protected resource metadata'),\n  })\n  .describe(\"401 Unauthorized with 'WWW-Authenticate' header for requesting authentication\");\n\nconst AuthorizedSchema = z\n  .object({\n    kind: z.literal('authorized'),\n    authorization: authorizationSchema.describe('Session information if session id is present'),\n  })\n  .describe('Authorized session information');\n\nexport const sessionVerifyOutputSchema = z.union([UnauthorizedSchema, AuthorizedSchema]);\n\nconst plan = {\n  pre: ['parseInput', 'handlePublicMode', 'requireAuthorizationHeader', 'verifyIfJwt'],\n  execute: ['deriveUser', 'parseSessionHeader', 'buildAuthorizedOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n  interface ExtendFlows {\n    'session:verify': FlowRunOptions<\n      SessionVerifyFlow,\n      typeof plan,\n      typeof inputSchema,\n      typeof sessionVerifyOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\nconst name = 'session:verify' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n  name,\n  plan,\n  inputSchema,\n  outputSchema: sessionVerifyOutputSchema,\n  access: 'authorized',\n})\nexport default class SessionVerifyFlow extends FlowBase<typeof name> {\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n    const entryPath = normalizeEntryPrefix(this.scope.entryPath);\n    const routeBase = normalizeScopeBase(this.scope.routeBase);\n    const baseUrl = getRequestBaseUrl(request, entryPath);\n\n    const authorizationHeader = (request.headers?.['authorization'] as string | undefined) ?? undefined;\n    const httpTransportHeader = request.headers?.['http-transport'] as string | undefined;\n    const sessionIdRawHeader = request.headers?.['mcp-session-id'] as string | undefined;\n    const sessionIdQuery = request.query['sessionId'] as string | undefined;\n\n    const sessionIdHeader = sessionIdRawHeader ?? sessionIdQuery ?? undefined;\n    // Use sessionIdRawHeader (not sessionIdHeader) to distinguish header vs query param\n    // sessionIdHeader is the merged value, but we need to know the source for protocol selection\n    const sessionProtocol = httpTransportHeader\n      ? 'http'\n      : sessionIdRawHeader\n      ? 'streamable-http'\n      : sessionIdQuery\n      ? 'sse'\n      : undefined;\n\n    const token = extractBearerToken(authorizationHeader);\n\n    const prmMetadataPath = `/.well-known/oauth-protected-resource${entryPath}${routeBase}`;\n    const prmMetadataHeader = `Bearer resource_metadata=\"${baseUrl}${prmMetadataPath}\"`;\n\n    this.state.set({\n      baseUrl,\n      authorizationHeader,\n      token,\n      sessionIdHeader,\n      sessionProtocol,\n      prmMetadataPath,\n      prmMetadataHeader,\n    });\n  }\n\n  /**\n   * Handle public mode - allow anonymous access without requiring authorization\n   * In public mode, we create an anonymous authorization with a stateful session\n   * but NO token. This allows public docs/CI to work without Authorization header.\n   *\n   * CRITICAL: When client sends mcp-session-id header, we MUST use that exact ID\n   * for transport registry lookup. Creating a new session ID would cause mismatch.\n   */\n  @Stage('handlePublicMode')\n  async handlePublicMode() {\n    const authOptions = this.scope.auth?.options;\n\n    // Skip if not public mode or if authorization header is present (authenticated public)\n    if (!authOptions || !isPublicMode(authOptions)) {\n      return;\n    }\n\n    // If token is present, let the normal verification flow handle it\n    if (this.state.token) {\n      return;\n    }\n\n    const sessionIdHeader = this.state.sessionIdHeader;\n    const machineId = getMachineId();\n\n    // CRITICAL: If client sent session ID, ALWAYS use it for transport lookup.\n    // The transport registry uses this ID as the key. Creating a different ID\n    // would cause \"session not initialized\" error.\n    if (sessionIdHeader) {\n      // Try to decrypt/validate for payload extraction (optional - for nodeId validation)\n      const existingPayload = decryptPublicSession(sessionIdHeader);\n\n      // Determine user based on whether we could extract payload\n      const user = existingPayload\n        ? { sub: `anon:${existingPayload.iat * 1000}`, iss: 'public', name: 'Anonymous' }\n        : { sub: `anon:${crypto.randomUUID()}`, iss: 'public', name: 'Anonymous' };\n\n      // ALWAYS use client's session ID, regardless of validation result.\n      // If payload is valid and nodeId matches, include payload for protocol detection.\n      // If validation failed, transport layer will handle the error appropriately.\n      this.respond({\n        kind: 'authorized',\n        authorization: {\n          token: '',\n          user,\n          session: {\n            id: sessionIdHeader, // ← CRITICAL: Always use client's session ID\n            payload: existingPayload && existingPayload.nodeId === machineId ? existingPayload : undefined,\n          },\n        },\n      });\n      return;\n    }\n\n    // No session header → create new session (initialize request)\n    // For new sessions, don't pre-determine protocol. Let transport handler detect it.\n    const now = Date.now();\n    const user = { sub: `anon:${crypto.randomUUID()}`, iss: 'public', name: 'Anonymous' };\n    const uuid = crypto.randomUUID();\n\n    // Create a valid session payload matching the SessionIdPayload schema\n    const payload = {\n      uuid,\n      nodeId: machineId,\n      authSig: 'public',\n      iat: Math.floor(now / 1000),\n      isPublic: true,\n    };\n\n    const sessionId = encryptJson(payload);\n\n    this.respond({\n      kind: 'authorized',\n      authorization: {\n        token: '',\n        user,\n        session: { id: sessionId, payload },\n      },\n    });\n  }\n\n  @Stage('requireAuthorizationHeader', {\n    filter: ({ state }) => !state.authorizationHeader,\n  })\n  async requireAuthorizationOrChallenge() {\n    this.respond({\n      kind: 'unauthorized',\n      prmMetadataHeader: this.state.required.prmMetadataHeader,\n    });\n  }\n\n  /**\n   * If Authorization is a JWT:\n   *  - Attempt verification against any known / cached public keys we have (gateway/local)\n   *  - If verification fails → 401\n   *  - If verification ok → capture payload\n   * If NOT a JWT:\n   *  - we do NOT attempt verification, just pass the raw token through\n   */\n  @Stage('verifyIfJwt')\n  async verifyIfJwt() {\n    const jwks = this.get(JwksService); // TODO: fix providers\n    const token = this.state.required.token;\n\n    if (!isJwt(token)) {\n      // Non-JWT tokens are not supported - require JWT for verification\n      this.respond({\n        kind: 'unauthorized',\n        prmMetadataHeader: this.state.required.prmMetadataHeader,\n      });\n      return;\n    }\n\n    // Best-effort verification using locally known keys (gateway/local provider cache).\n    // Add defensive null check for this.scope.auth (consistent with line 130)\n    const auth = this.scope.auth;\n    if (!auth) {\n      this.respond({\n        kind: 'unauthorized',\n        prmMetadataHeader: this.state.required.prmMetadataHeader,\n      });\n      return;\n    }\n\n    let verify: Promise<VerifyResult>;\n    const authOptions = auth.options;\n\n    // Transparent mode uses remote provider's keys, all other modes use local keys\n    if (isTransparentMode(authOptions)) {\n      const primary = authOptions as TransparentAuthOptions;\n      const issuer = auth.issuer;\n      const providerRefs: ProviderVerifyRef[] = [\n        {\n          id: primary.remote.id ?? 'default',\n          issuerUrl: issuer,\n          jwks: primary.remote.jwks,\n          jwksUri: primary.remote.jwksUri,\n        },\n      ];\n      verify = jwks.verifyTransparentToken(token, providerRefs);\n    } else {\n      // Public or orchestrated mode - verify against local gateway keys\n      verify = jwks.verifyGatewayToken(token, this.state.required.baseUrl);\n    }\n\n    const result = await verify;\n\n    if (result.ok) {\n      this.state.set({ jwtPayload: result.payload });\n      return;\n    }\n    this.respond({\n      kind: 'unauthorized',\n      prmMetadataHeader: this.state.required.prmMetadataHeader,\n    });\n  }\n\n  @Stage('deriveUser')\n  async deriveUser() {\n    this.state.set('user', deriveTypedUser(this.state.required.jwtPayload ?? {}));\n  }\n\n  /**\n   * Parse the session header (mcp-session-id)\n   * - If session id is present, validate it\n   * - If valid, capture the session info\n   * - If NOT valid, ignore (no session)\n   */\n  @Stage('parseSessionHeader')\n  async parseSessionHeader() {\n    const {\n      sessionIdHeader,\n      required: { token },\n    } = this.state;\n\n    const session = parseSessionHeader(sessionIdHeader, token);\n    if (session) {\n      this.state.set('session', session);\n    }\n  }\n\n  @Stage('buildAuthorizedOutput')\n  async buildAuthorizedOutput() {\n    const {\n      required: { token, user },\n      session,\n    } = this.state;\n\n    this.respond({\n      kind: 'authorized',\n      authorization: {\n        token,\n        user,\n        session,\n      },\n    });\n  }\n}\n"]}

package/src/auth/flows/well-known.jwks.flow.d.ts

@@ -2,40 +2,19 @@ import { FlowBase, FlowRunOptions, ScopeEntry, ServerRequest } from '../../commo
 import 'reflect-metadata';
 import { z } from 'zod';
 declare const inputSchema: z.ZodObject<{
-    request: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>;
-    response: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>;
-    next: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
-}, "strip", z.ZodTypeAny, {
-    request: {} & {
-        [k: string]: unknown;
-    };
-    response: {} & {
-        [k: string]: unknown;
-    };
-    next?: ((...args: unknown[]) => unknown) | undefined;
-}, {
-    request: {} & {
-        [k: string]: unknown;
-    };
-    response: {} & {
-        [k: string]: unknown;
-    };
-    next?: ((...args: unknown[]) => unknown) | undefined;
-}>;
+    request: z.ZodObject<{}, z.core.$loose>;
+    response: z.ZodObject<{}, z.core.$loose>;
+    next: z.ZodOptional<z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>>;
+}, z.core.$strip>;
 declare const stateSchema: z.ZodObject<{
     isOrchestrated: z.ZodBoolean;
-}, "strip", z.ZodTypeAny, {
-    isOrchestrated: boolean;
-}, {
-    isOrchestrated: boolean;
-}>;
-declare const outputSchema: z.ZodUnion<[z.ZodObject<{
+}, z.core.$strip>;
+declare const outputSchema: z.ZodUnion<readonly [z.ZodObject<{
     kind: z.ZodLiteral<"json">;
-    status: z.ZodEffects<z.ZodNumber, number, number>;
-    body: z.ZodUnion<[z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>, z.ZodArray<z.ZodAny, "many">, z.ZodRecord<z.ZodString, z.ZodAny>]>;
+    status: z.ZodNumber;
+    body: z.ZodUnion<readonly [z.ZodObject<{}, z.core.$loose>, z.ZodArray<z.ZodAny>, z.ZodRecord<z.ZodString, z.ZodAny>]>;
     contentType: z.ZodDefault<z.ZodString>;
-} & {
-    headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>]>>>>;
+    headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>]>>>>;
     cookies: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
         name: z.ZodString;
         value: z.ZodString;
@@ -43,71 +22,20 @@ declare const outputSchema: z.ZodUnion<[z.ZodObject<{
         domain: z.ZodOptional<z.ZodString>;
         httpOnly: z.ZodDefault<z.ZodBoolean>;
         secure: z.ZodOptional<z.ZodBoolean>;
-        sameSite: z.ZodOptional<z.ZodEnum<["lax", "strict", "none"]>>;
+        sameSite: z.ZodOptional<z.ZodEnum<{
+            lax: "lax";
+            strict: "strict";
+            none: "none";
+        }>>;
         maxAge: z.ZodOptional<z.ZodNumber>;
         expires: z.ZodOptional<z.ZodDate>;
-    }, "strip", z.ZodTypeAny, {
-        value: string;
-        path: string;
-        name: string;
-        httpOnly: boolean;
-        domain?: string | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }, {
-        value: string;
-        name: string;
-        path?: string | undefined;
-        domain?: string | undefined;
-        httpOnly?: boolean | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }>, "many">>>;
-}, "strip", z.ZodTypeAny, {
-    status: number;
-    kind: "json";
-    body: any[] | z.objectOutputType<{}, z.ZodTypeAny, "passthrough"> | Record<string, any>;
-    contentType: string;
-    headers?: Record<string, string | string[]> | undefined;
-    cookies?: {
-        value: string;
-        path: string;
-        name: string;
-        httpOnly: boolean;
-        domain?: string | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }[] | undefined;
-}, {
-    status: number;
-    kind: "json";
-    body: any[] | z.objectInputType<{}, z.ZodTypeAny, "passthrough"> | Record<string, any>;
-    headers?: Record<string, string | string[]> | undefined;
-    cookies?: {
-        value: string;
-        name: string;
-        path?: string | undefined;
-        domain?: string | undefined;
-        httpOnly?: boolean | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }[] | undefined;
-    contentType?: string | undefined;
-}>, z.ZodObject<{
+    }, z.core.$strip>>>>;
+}, z.core.$strip>, z.ZodObject<{
     kind: z.ZodLiteral<"text">;
-    status: z.ZodEffects<z.ZodNumber, number, number>;
+    status: z.ZodNumber;
     body: z.ZodString;
     contentType: z.ZodDefault<z.ZodString>;
-} & {
-    headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>]>>>>;
+    headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>]>>>>;
     cookies: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
         name: z.ZodString;
         value: z.ZodString;
@@ -115,70 +43,19 @@ declare const outputSchema: z.ZodUnion<[z.ZodObject<{
         domain: z.ZodOptional<z.ZodString>;
         httpOnly: z.ZodDefault<z.ZodBoolean>;
         secure: z.ZodOptional<z.ZodBoolean>;
-        sameSite: z.ZodOptional<z.ZodEnum<["lax", "strict", "none"]>>;
+        sameSite: z.ZodOptional<z.ZodEnum<{
+            lax: "lax";
+            strict: "strict";
+            none: "none";
+        }>>;
         maxAge: z.ZodOptional<z.ZodNumber>;
         expires: z.ZodOptional<z.ZodDate>;
-    }, "strip", z.ZodTypeAny, {
-        value: string;
-        path: string;
-        name: string;
-        httpOnly: boolean;
-        domain?: string | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }, {
-        value: string;
-        name: string;
-        path?: string | undefined;
-        domain?: string | undefined;
-        httpOnly?: boolean | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }>, "many">>>;
-}, "strip", z.ZodTypeAny, {
-    status: number;
-    kind: "text";
-    body: string;
-    contentType: string;
-    headers?: Record<string, string | string[]> | undefined;
-    cookies?: {
-        value: string;
-        path: string;
-        name: string;
-        httpOnly: boolean;
-        domain?: string | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }[] | undefined;
-}, {
-    status: number;
-    kind: "text";
-    body: string;
-    headers?: Record<string, string | string[]> | undefined;
-    cookies?: {
-        value: string;
-        name: string;
-        path?: string | undefined;
-        domain?: string | undefined;
-        httpOnly?: boolean | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }[] | undefined;
-    contentType?: string | undefined;
-}>, z.ZodObject<{
+    }, z.core.$strip>>>>;
+}, z.core.$strip>, z.ZodObject<{
     kind: z.ZodLiteral<"redirect">;
-    status: z.ZodDefault<z.ZodType<301 | 302 | 303 | 307 | 308, z.ZodTypeDef, 301 | 302 | 303 | 307 | 308>>;
+    status: z.ZodDefault<z.ZodType<301 | 302 | 303 | 307 | 308, unknown, z.core.$ZodTypeInternals<301 | 302 | 303 | 307 | 308, unknown>>>;
     location: z.ZodString;
-} & {
-    headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>]>>>>;
+    headers: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>]>>>>;
     cookies: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
         name: z.ZodString;
         value: z.ZodString;
@@ -186,63 +63,15 @@ declare const outputSchema: z.ZodUnion<[z.ZodObject<{
         domain: z.ZodOptional<z.ZodString>;
         httpOnly: z.ZodDefault<z.ZodBoolean>;
         secure: z.ZodOptional<z.ZodBoolean>;
-        sameSite: z.ZodOptional<z.ZodEnum<["lax", "strict", "none"]>>;
+        sameSite: z.ZodOptional<z.ZodEnum<{
+            lax: "lax";
+            strict: "strict";
+            none: "none";
+        }>>;
         maxAge: z.ZodOptional<z.ZodNumber>;
         expires: z.ZodOptional<z.ZodDate>;
-    }, "strip", z.ZodTypeAny, {
-        value: string;
-        path: string;
-        name: string;
-        httpOnly: boolean;
-        domain?: string | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }, {
-        value: string;
-        name: string;
-        path?: string | undefined;
-        domain?: string | undefined;
-        httpOnly?: boolean | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }>, "many">>>;
-}, "strip", z.ZodTypeAny, {
-    status: 301 | 302 | 303 | 307 | 308;
-    kind: "redirect";
-    location: string;
-    headers?: Record<string, string | string[]> | undefined;
-    cookies?: {
-        value: string;
-        path: string;
-        name: string;
-        httpOnly: boolean;
-        domain?: string | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }[] | undefined;
-}, {
-    kind: "redirect";
-    location: string;
-    status?: 301 | 302 | 303 | 307 | 308 | undefined;
-    headers?: Record<string, string | string[]> | undefined;
-    cookies?: {
-        value: string;
-        name: string;
-        path?: string | undefined;
-        domain?: string | undefined;
-        httpOnly?: boolean | undefined;
-        secure?: boolean | undefined;
-        sameSite?: "strict" | "lax" | "none" | undefined;
-        maxAge?: number | undefined;
-        expires?: Date | undefined;
-    }[] | undefined;
-}>]>;
+    }, z.core.$strip>>>>;
+}, z.core.$strip>]>;
 declare const plan: {
     readonly pre: ["parseInput", "validateInput"];
     readonly execute: ["collectData"];

package/src/auth/flows/well-known.jwks.flow.js

@@ -5,7 +5,6 @@ const tslib_1 = require("tslib");
 const common_1 = require("../../common");
 require("reflect-metadata");
 const zod_1 = require("zod");
-const path_utils_1 = require("../path.utils");
 const jwks_1 = require("../jwks");
 const inputSchema = common_1.httpInputSchema;
 const stateSchema = zod_1.z.object({
@@ -20,7 +19,7 @@ const name = 'well-known.jwks';
 const Stage = (0, common_1.StageHookOf)(name);
 let WellKnownJwksFlow = class WellKnownJwksFlow extends common_1.FlowBase {
     static canActivate(request, scope) {
-        return (0, path_utils_1.makeWellKnownPaths)('jwks.json', scope.entryPath, scope.routeBase).has(request.path);
+        return (0, common_1.makeWellKnownPaths)('jwks.json', scope.entryPath, scope.routeBase).has(request.path);
     }
     async parseInput() {
         this.state.set({
@@ -39,18 +38,26 @@ let WellKnownJwksFlow = class WellKnownJwksFlow extends common_1.FlowBase {
             this.respond(common_1.httpRespond.json(keysDoc));
             return;
         }
-        const primary = this.scope.auth.options;
-        if (primary) {
-            if (primary.jwks && primary.jwks.keys.length) {
-                this.respond(common_1.httpRespond.json(primary.jwks));
+        const options = this.scope.auth.options;
+        if (options && (0, common_1.isTransparentMode)(options)) {
+            // Transparent mode - use remote provider's JWKS
+            if (options.remote.jwks && options.remote.jwks.keys.length) {
+                this.respond(common_1.httpRespond.json(options.remote.jwks));
             }
             else {
-                const location = primary.jwksUri ?? `${primary.baseUrl}/.well-known/jwks.json`;
+                const location = options.remote.jwksUri ?? `${options.remote.provider}/.well-known/jwks.json`;
                 this.respond(common_1.httpRespond.redirect(location));
             }
         }
         else {
-            this.respond(common_1.httpRespond.notFound());
+            // Public or orchestrated mode - serve local JWKS
+            const keysDoc = jwksSvc.getPublicJwks();
+            if (keysDoc?.keys && Array.isArray(keysDoc.keys)) {
+                this.respond(common_1.httpRespond.json(keysDoc));
+            }
+            else {
+                this.respond(common_1.httpRespond.notFound());
+            }
         }
     }
 };

package/src/auth/flows/well-known.jwks.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"well-known.jwks.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/well-known.jwks.flow.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AACrC,yCAIsB;AACtB,4BAA0B;AAC1B,6BAAsB;AACtB,8CAAiD;AACjD,kCAAoC;AAGpC,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE;CAC5B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,uBAAc,EAAE,uBAAc,EAAE,2BAAkB,CAAC,CAAC,CAAC;AAEnF,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACpC,OAAO,EAAE,CAAC,aAAa,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,iBAA0B,CAAC;AACxC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,iBAAqB;IAClE,MAAM,CAAC,WAAW,CAAC,OAAsB,EAAE,KAAiB;QAC1D,OAAO,IAAA,+BAAkB,EAAC,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,CAAC;IAGK,AAAN,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,cAAc,EAAE,KAAK,EAAE,gCAAgC;SACxD,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,WAAW;QACf,MAAM,EAAC,cAAc,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAW,CAAC,CAAC;QAEtC,wCAAwC;QACxC,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;YACxC,IAAI,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACxC,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAA4B,CAAC;QAC7D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC7C,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,IAAI,GAAG,OAAO,CAAC,OAAO,wBAAwB,CAAC;gBAC/E,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;CACF,CAAA;AAjCO;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAKnB;AAGK;IADL,KAAK,CAAC,aAAa,CAAC;;;;oDA0BpB;AAtCkB,iBAAiB;IAVrC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,KAAK;SACd;KACF,CAAC;GACmB,iBAAiB,CAuCrC;kBAvCoB,iBAAiB","sourcesContent":["// auth/flows/well-known.jwks.flow.ts\nimport {\n  Flow, FlowBase, FlowPlan,\n  FlowRunOptions, httpInputSchema, HttpJsonSchema, HttpRedirectSchema, httpRespond, HttpTextSchema,\n  RemoteAuthOptions, ScopeEntry, ServerRequest, StageHookOf,\n} from '../../common';\nimport 'reflect-metadata';\nimport {z} from 'zod';\nimport {makeWellKnownPaths} from '../path.utils';\nimport {JwksService} from '../jwks';\n\n\nconst inputSchema = httpInputSchema;\n\nconst stateSchema = z.object({\n  isOrchestrated: z.boolean(),\n});\n\nconst outputSchema = z.union([HttpJsonSchema, HttpTextSchema, HttpRedirectSchema]);\n\nconst plan = {\n  pre: ['parseInput', 'validateInput'],\n  execute: ['collectData'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n  interface ExtendFlows {\n    'well-known.jwks': FlowRunOptions<\n      WellKnownJwksFlow,\n      typeof plan,\n      typeof inputSchema,\n      typeof outputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\nconst name = 'well-known.jwks' as const;\nconst Stage = StageHookOf(name);\n\n\n@Flow({\n  name,\n  plan,\n  inputSchema,\n  outputSchema,\n  access: 'public',\n  middleware: {\n    method: 'GET',\n  },\n})\nexport default class WellKnownJwksFlow extends FlowBase<typeof name> {\n  static canActivate(request: ServerRequest, scope: ScopeEntry) {\n    return makeWellKnownPaths('jwks.json', scope.entryPath, scope.routeBase).has(request.path);\n  }\n\n  @Stage('parseInput')\n  async parseInput() {\n    this.state.set({\n      isOrchestrated: false, // scope.orchestrated, TODO: fix\n    });\n  }\n\n  @Stage('collectData')\n  async collectData() {\n    const {isOrchestrated} = this.state.required;\n    const jwksSvc = this.get(JwksService);\n\n    // Orchestrated gateway → serve own JWKS\n    if (isOrchestrated) {\n      const keysDoc = jwksSvc.getPublicJwks();\n      if (!keysDoc?.keys || !Array.isArray(keysDoc.keys)) {\n        throw new Error('orchestrator jwks not available');\n      }\n      this.respond(httpRespond.json(keysDoc));\n      return;\n    }\n\n    const primary = this.scope.auth.options as RemoteAuthOptions;\n    if (primary) {\n      if (primary.jwks && primary.jwks.keys.length) {\n        this.respond(httpRespond.json(primary.jwks));\n      } else {\n        const location = primary.jwksUri ?? `${primary.baseUrl}/.well-known/jwks.json`;\n        this.respond(httpRespond.redirect(location));\n      }\n    } else {\n      this.respond(httpRespond.notFound());\n    }\n  }\n}\n"]}
+{"version":3,"file":"well-known.jwks.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/well-known.jwks.flow.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AACrC,yCAesB;AACtB,4BAA0B;AAC1B,6BAAwB;AACxB,kCAAsC;AAEtC,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE;CAC5B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,uBAAc,EAAE,uBAAc,EAAE,2BAAkB,CAAC,CAAC,CAAC;AAEnF,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACpC,OAAO,EAAE,CAAC,aAAa,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,iBAA0B,CAAC;AACxC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAYjB,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,iBAAqB;IAClE,MAAM,CAAC,WAAW,CAAC,OAAsB,EAAE,KAAiB;QAC1D,OAAO,IAAA,2BAAkB,EAAC,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,CAAC;IAGK,AAAN,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,cAAc,EAAE,KAAK,EAAE,gCAAgC;SACxD,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,WAAW;QACf,MAAM,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAW,CAAC,CAAC;QAEtC,wCAAwC;QACxC,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;YACxC,IAAI,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACxC,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;QACxC,IAAI,OAAO,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,gDAAgD;YAChD,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC3D,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;YACtD,CAAC;iBAAM,CAAC;gBACN,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,wBAAwB,CAAC;gBAC9F,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;YACxC,IAAI,OAAO,EAAE,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjD,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAA;AAxCO;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAKnB;AAGK;IADL,KAAK,CAAC,aAAa,CAAC;;;;oDAiCpB;AA7CkB,iBAAiB;IAVrC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,KAAK;SACd;KACF,CAAC;GACmB,iBAAiB,CA8CrC;kBA9CoB,iBAAiB","sourcesContent":["// auth/flows/well-known.jwks.flow.ts\nimport {\n  Flow,\n  FlowBase,\n  FlowPlan,\n  FlowRunOptions,\n  httpInputSchema,\n  HttpJsonSchema,\n  HttpRedirectSchema,\n  httpRespond,\n  HttpTextSchema,\n  ScopeEntry,\n  ServerRequest,\n  StageHookOf,\n  isTransparentMode,\n  makeWellKnownPaths,\n} from '../../common';\nimport 'reflect-metadata';\nimport { z } from 'zod';\nimport { JwksService } from '../jwks';\n\nconst inputSchema = httpInputSchema;\n\nconst stateSchema = z.object({\n  isOrchestrated: z.boolean(),\n});\n\nconst outputSchema = z.union([HttpJsonSchema, HttpTextSchema, HttpRedirectSchema]);\n\nconst plan = {\n  pre: ['parseInput', 'validateInput'],\n  execute: ['collectData'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n  interface ExtendFlows {\n    'well-known.jwks': FlowRunOptions<\n      WellKnownJwksFlow,\n      typeof plan,\n      typeof inputSchema,\n      typeof outputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\nconst name = 'well-known.jwks' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n  name,\n  plan,\n  inputSchema,\n  outputSchema,\n  access: 'public',\n  middleware: {\n    method: 'GET',\n  },\n})\nexport default class WellKnownJwksFlow extends FlowBase<typeof name> {\n  static canActivate(request: ServerRequest, scope: ScopeEntry) {\n    return makeWellKnownPaths('jwks.json', scope.entryPath, scope.routeBase).has(request.path);\n  }\n\n  @Stage('parseInput')\n  async parseInput() {\n    this.state.set({\n      isOrchestrated: false, // scope.orchestrated, TODO: fix\n    });\n  }\n\n  @Stage('collectData')\n  async collectData() {\n    const { isOrchestrated } = this.state.required;\n    const jwksSvc = this.get(JwksService);\n\n    // Orchestrated gateway → serve own JWKS\n    if (isOrchestrated) {\n      const keysDoc = jwksSvc.getPublicJwks();\n      if (!keysDoc?.keys || !Array.isArray(keysDoc.keys)) {\n        throw new Error('orchestrator jwks not available');\n      }\n      this.respond(httpRespond.json(keysDoc));\n      return;\n    }\n\n    const options = this.scope.auth.options;\n    if (options && isTransparentMode(options)) {\n      // Transparent mode - use remote provider's JWKS\n      if (options.remote.jwks && options.remote.jwks.keys.length) {\n        this.respond(httpRespond.json(options.remote.jwks));\n      } else {\n        const location = options.remote.jwksUri ?? `${options.remote.provider}/.well-known/jwks.json`;\n        this.respond(httpRespond.redirect(location));\n      }\n    } else {\n      // Public or orchestrated mode - serve local JWKS\n      const keysDoc = jwksSvc.getPublicJwks();\n      if (keysDoc?.keys && Array.isArray(keysDoc.keys)) {\n        this.respond(httpRespond.json(keysDoc));\n      } else {\n        this.respond(httpRespond.notFound());\n      }\n    }\n  }\n}\n"]}