@frontmcp/sdk 0.4.1 → 0.5.0

package/src/common/types/options/auth.options.js

@@ -1,53 +1,571 @@
 "use strict";
+// common/types/options/auth.options.ts
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.appAuthOptionsSchema = exports.authOptionsSchema = exports.localAuthOptionsSchema = exports.remoteAuthOptionsSchema = void 0;
+exports.appAuthOptionsSchema = exports.authOptionsSchema = exports.orchestratedAuthOptionsSchema = exports.orchestratedRemoteSchema = exports.orchestratedLocalSchema = exports.transparentAuthOptionsSchema = exports.publicAuthOptionsSchema = exports.transportConfigSchema = exports.incrementalAuthConfigSchema = exports.consentConfigSchema = exports.skippedAppBehaviorSchema = exports.tokenRefreshConfigSchema = exports.tokenStorageConfigSchema = exports.remoteProviderConfigSchema = exports.localSigningConfigSchema = exports.publicAccessConfigSchema = void 0;
+exports.parseAuthOptions = parseAuthOptions;
+exports.isPublicMode = isPublicMode;
+exports.isTransparentMode = isTransparentMode;
+exports.isOrchestratedMode = isOrchestratedMode;
+exports.isOrchestratedLocal = isOrchestratedLocal;
+exports.isOrchestratedRemote = isOrchestratedRemote;
+exports.allowsPublicAccess = allowsPublicAccess;
 const zod_1 = require("zod");
 const auth_1 = require("../auth");
-exports.remoteAuthOptionsSchema = zod_1.z.object({
-    type: zod_1.z.literal('remote'),
+const transport_session_types_1 = require("../../../auth/session/transport-session.types");
+// ============================================
+// SHARED SCHEMAS
+// ============================================
+/**
+ * Public access configuration for tools/prompts
+ */
+exports.publicAccessConfigSchema = zod_1.z.object({
+    /**
+     * Allow all tools or explicit whitelist
+     * @default 'all'
+     */
+    tools: zod_1.z.union([zod_1.z.literal('all'), zod_1.z.array(zod_1.z.string())]).default('all'),
+    /**
+     * Allow all prompts or explicit whitelist
+     * @default 'all'
+     */
+    prompts: zod_1.z.union([zod_1.z.literal('all'), zod_1.z.array(zod_1.z.string())]).default('all'),
+    /**
+     * Rate limit per IP per minute
+     * @default 60
+     */
+    rateLimit: zod_1.z.number().default(60),
+});
+/**
+ * Local signing configuration (for orchestrated local type)
+ */
+exports.localSigningConfigSchema = zod_1.z.object({
+    /**
+     * Private key for signing orchestrated tokens
+     * @default auto-generated
+     */
+    signKey: auth_1.jwkSchema.or(zod_1.z.instanceof(Uint8Array)).optional(),
+    /**
+     * JWKS for token verification
+     * @default auto-generated
+     */
+    jwks: auth_1.jsonWebKeySetSchema.optional(),
+    /**
+     * Issuer identifier for orchestrated tokens
+     * @default auto-derived from server URL
+     */
+    issuer: zod_1.z.string().optional(),
+});
+/**
+ * Remote OAuth provider configuration (for orchestrated remote and transparent)
+ */
+exports.remoteProviderConfigSchema = zod_1.z.object({
+    /**
+     * OAuth provider base URL
+     * @example 'https://auth.example.com'
+     */
+    provider: zod_1.z.string().url(),
+    /**
+     * Provider display name
+     */
+    name: zod_1.z.string().optional(),
+    /**
+     * Unique identifier for this provider
+     * @default derived from provider URL
+     */
     id: zod_1.z.string().optional(),
-    name: zod_1.z.string(),
-    baseUrl: zod_1.z.string(),
-    dcrEnabled: zod_1.z.boolean().optional(),
-    clientId: zod_1.z
-        .union([
-        zod_1.z.string(),
-        zod_1.z.function().args(zod_1.z.object({ clientId: zod_1.z.string() })).returns(zod_1.z.string())
-    ])
-        .optional(),
-    mode: zod_1.z.union([zod_1.z.literal('orchestrated'), zod_1.z.literal('transparent')]).optional(),
-    allowAnonymous: zod_1.z.boolean().optional(),
-    consent: zod_1.z.boolean().optional(),
+    /**
+     * Inline JWKS for offline token verification
+     * Falls back to fetching from provider's /.well-known/jwks.json
+     */
     jwks: auth_1.jsonWebKeySetSchema.optional(),
+    /**
+     * Custom JWKS URI if not at standard path
+     */
+    jwksUri: zod_1.z.string().url().optional(),
+    /**
+     * Client ID for this MCP server (for orchestrated mode)
+     */
+    clientId: zod_1.z.string().optional(),
+    /**
+     * Client secret (for confidential clients in orchestrated mode)
+     */
+    clientSecret: zod_1.z.string().optional(),
+    /**
+     * Scopes to request from the upstream provider
+     */
     scopes: zod_1.z.array(zod_1.z.string()).optional(),
-    grantTypes: zod_1.z.array(zod_1.z.union([zod_1.z.literal('authorization_code'), zod_1.z.literal('refresh_token')])).optional(),
-    authEndpoint: zod_1.z.string().optional(),
-    tokenEndpoint: zod_1.z.string().optional(),
-    registrationEndpoint: zod_1.z.string().optional(),
-    userInfoEndpoint: zod_1.z.string().optional(),
-    jwksUri: zod_1.z.string().optional(),
-});
-exports.localAuthOptionsSchema = zod_1.z.object({
-    type: zod_1.z.literal('local'),
-    id: zod_1.z.string(),
-    name: zod_1.z.string(),
-    scopes: zod_1.z.array(zod_1.z.string()).optional(),
-    grantTypes: zod_1.z.array(zod_1.z.union([zod_1.z.literal('authorization_code'), zod_1.z.literal('refresh_token')])).optional(),
-    allowAnonymous: zod_1.z.boolean().optional(),
-    consent: zod_1.z.boolean().optional(),
+    /**
+     * Enable Dynamic Client Registration (DCR)
+     * @default false
+     */
+    dcrEnabled: zod_1.z.boolean().default(false),
+    /**
+     * Authorization endpoint override
+     */
+    authEndpoint: zod_1.z.string().url().optional(),
+    /**
+     * Token endpoint override
+     */
+    tokenEndpoint: zod_1.z.string().url().optional(),
+    /**
+     * Registration endpoint override (for DCR)
+     */
+    registrationEndpoint: zod_1.z.string().url().optional(),
+    /**
+     * User info endpoint override
+     */
+    userInfoEndpoint: zod_1.z.string().url().optional(),
+});
+/**
+ * Token storage configuration for orchestrated mode
+ */
+exports.tokenStorageConfigSchema = zod_1.z.discriminatedUnion('type', [
+    zod_1.z.object({ type: zod_1.z.literal('memory') }),
+    zod_1.z.object({ type: zod_1.z.literal('redis'), config: transport_session_types_1.redisConfigSchema }),
+]);
+/**
+ * Token refresh configuration
+ */
+exports.tokenRefreshConfigSchema = zod_1.z.object({
+    /**
+     * Enable automatic token refresh
+     * @default true
+     */
+    enabled: zod_1.z.boolean().default(true),
+    /**
+     * Refresh token before expiry by this many seconds
+     * @default 60
+     */
+    skewSeconds: zod_1.z.number().default(60),
+});
+/**
+ * Behavior when a tool from a skipped (not yet authorized) app is called
+ */
+exports.skippedAppBehaviorSchema = zod_1.z.enum(['anonymous', 'require-auth']);
+/**
+ * Consent configuration for tool selection
+ * Allows users to choose which MCP tools to expose to the LLM
+ *
+ * Note: This schema is the canonical definition. It is duplicated in
+ * auth/consent/consent.types.ts for domain-specific use. Both schemas
+ * MUST be kept in sync. The duplication exists to avoid circular
+ * dependencies between common/ and auth/ modules.
+ */
+exports.consentConfigSchema = zod_1.z.object({
+    /**
+     * Enable consent flow for tool selection
+     * When enabled, users can choose which tools to expose to the LLM
+     * @default false
+     */
+    enabled: zod_1.z.boolean().default(false),
+    /**
+     * Group tools by app in the consent UI
+     * @default true
+     */
+    groupByApp: zod_1.z.boolean().default(true),
+    /**
+     * Show tool descriptions in consent UI
+     * @default true
+     */
+    showDescriptions: zod_1.z.boolean().default(true),
+    /**
+     * Allow selecting all tools at once
+     * @default true
+     */
+    allowSelectAll: zod_1.z.boolean().default(true),
+    /**
+     * Require at least one tool to be selected
+     * @default true
+     */
+    requireSelection: zod_1.z.boolean().default(true),
+    /**
+     * Custom message to display on consent page
+     */
+    customMessage: zod_1.z.string().optional(),
+    /**
+     * Remember consent for future sessions
+     * @default true
+     */
+    rememberConsent: zod_1.z.boolean().default(true),
+    /**
+     * Tools to exclude from consent (always available)
+     * Useful for essential tools that should always be accessible
+     */
+    excludedTools: zod_1.z.array(zod_1.z.string()).optional(),
+    /**
+     * Tools to always include in consent (pre-selected)
+     */
+    defaultSelectedTools: zod_1.z.array(zod_1.z.string()).optional(),
+});
+/**
+ * Progressive/Incremental authorization configuration
+ * Allows users to authorize apps one at a time after initial auth
+ */
+exports.incrementalAuthConfigSchema = zod_1.z.object({
+    /**
+     * Enable incremental (progressive) authorization
+     * When enabled, users can skip app authorizations during initial auth
+     * and authorize individual apps later when needed
+     * @default true
+     */
+    enabled: zod_1.z.boolean().default(true),
+    /**
+     * Behavior when a tool from a skipped app is called
+     * - 'anonymous': If app supports anonymous access, use it; otherwise require auth
+     * - 'require-auth': Always require authorization (return auth_url)
+     * @default 'anonymous'
+     */
+    skippedAppBehavior: exports.skippedAppBehaviorSchema.default('anonymous'),
+    /**
+     * Allow users to skip app authorization during initial auth flow
+     * @default true
+     */
+    allowSkip: zod_1.z.boolean().default(true),
+    /**
+     * Show all apps in a single authorization page (vs step-by-step)
+     * @default true
+     */
+    showAllAppsAtOnce: zod_1.z.boolean().default(true),
+});
+// ============================================
+// TRANSPORT CONFIG
+// Protocol enablement and behavior settings
+// ============================================
+/**
+ * Transport protocol configuration
+ * Controls which transport protocols are enabled and their behavior
+ */
+exports.transportConfigSchema = zod_1.z.object({
+    /**
+     * Enable legacy SSE transport (old HTTP+SSE protocol)
+     * @default false
+     */
+    enableLegacySSE: zod_1.z.boolean().default(false),
+    /**
+     * Enable SSE listener for server-initiated messages (GET /mcp with Accept: text/event-stream)
+     * @default true
+     */
+    enableSseListener: zod_1.z.boolean().default(true),
+    /**
+     * Enable streamable HTTP transport (POST with SSE response)
+     * @default true
+     */
+    enableStreamableHttp: zod_1.z.boolean().default(true),
+    /**
+     * Enable stateless HTTP mode (requests without session ID)
+     * When enabled, allows requests without prior initialize
+     * Uses shared singleton transport for anonymous, per-token singleton for authenticated
+     * @default false
+     */
+    enableStatelessHttp: zod_1.z.boolean().default(false),
+    /**
+     * Enable stateful HTTP transport (JSON-only responses)
+     * @default false
+     */
+    enableStatefulHttp: zod_1.z.boolean().default(false),
+    /**
+     * Require session ID for streamable HTTP (non-stateless mode)
+     * When false, streamable HTTP requests don't require prior initialize
+     * @default true
+     */
+    requireSessionForStreamable: zod_1.z.boolean().default(true),
+});
+// ============================================
+// PUBLIC MODE
+// No authentication required, anonymous access
+// ============================================
+exports.publicAuthOptionsSchema = zod_1.z.object({
+    mode: zod_1.z.literal('public'),
+    /**
+     * Issuer identifier for anonymous JWTs
+     * @default auto-derived from server URL
+     */
+    issuer: zod_1.z.string().optional(),
+    /**
+     * Anonymous session TTL in seconds
+     * @default 3600 (1 hour)
+     */
+    sessionTtl: zod_1.z.number().default(3600),
+    /**
+     * Scopes granted to anonymous sessions
+     * @default ['anonymous']
+     */
+    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
+    /**
+     * Tool/prompt access configuration for anonymous users
+     */
+    publicAccess: exports.publicAccessConfigSchema.optional(),
+    /**
+     * JWKS for token verification
+     * @default auto-generated
+     */
     jwks: auth_1.jsonWebKeySetSchema.optional(),
+    /**
+     * Private key for signing anonymous tokens
+     * @default auto-generated
+     */
     signKey: auth_1.jwkSchema.or(zod_1.z.instanceof(Uint8Array)).optional(),
+    /**
+     * Transport protocol configuration
+     * Controls which transports are enabled and their behavior
+     */
+    transport: exports.transportConfigSchema.optional(),
 });
-exports.authOptionsSchema = zod_1.z.discriminatedUnion('type', [
-    exports.remoteAuthOptionsSchema,
-    exports.localAuthOptionsSchema,
+// ============================================
+// TRANSPARENT MODE
+// Pass-through OAuth tokens from remote provider
+// ============================================
+exports.transparentAuthOptionsSchema = zod_1.z.object({
+    mode: zod_1.z.literal('transparent'),
+    /**
+     * Remote OAuth provider configuration (required)
+     */
+    remote: exports.remoteProviderConfigSchema,
+    /**
+     * Expected token audience
+     * If not set, defaults to the resource URL
+     */
+    expectedAudience: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
+    /**
+     * Required scopes for access
+     * Empty array means any valid token is accepted
+     * @default []
+     */
+    requiredScopes: zod_1.z.array(zod_1.z.string()).default([]),
+    /**
+     * Allow anonymous fallback when no token is provided
+     * @default false
+     */
+    allowAnonymous: zod_1.z.boolean().default(false),
+    /**
+     * Scopes granted to anonymous sessions (when allowAnonymous=true)
+     * @default ['anonymous']
+     */
+    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
+    /**
+     * Public access config for anonymous users (when allowAnonymous=true)
+     */
+    publicAccess: exports.publicAccessConfigSchema.optional(),
+    /**
+     * Transport protocol configuration
+     * Controls which transports are enabled and their behavior
+     */
+    transport: exports.transportConfigSchema.optional(),
+});
+// ============================================
+// ORCHESTRATED MODE
+// Local auth server that can proxy to remote or be fully local
+// ============================================
+/**
+ * Orchestrated mode with local authentication only
+ */
+exports.orchestratedLocalSchema = zod_1.z.object({
+    mode: zod_1.z.literal('orchestrated'),
+    type: zod_1.z.literal('local'),
+    /**
+     * Local signing configuration
+     */
+    local: exports.localSigningConfigSchema.optional(),
+    /**
+     * Token storage configuration
+     * @default { type: 'memory' }
+     */
+    tokenStorage: exports.tokenStorageConfigSchema.default({ type: 'memory' }),
+    /**
+     * Session storage mode
+     * - 'stateful': Store sessions in Redis/memory, JWT contains only reference
+     * - 'stateless': All state encrypted in JWT
+     * @default 'stateful'
+     */
+    sessionMode: zod_1.z.enum(['stateful', 'stateless']).default('stateful'),
+    /**
+     * Allow default public access for unauthenticated requests
+     * When true: all tools are public by default, only tools marked with scopes require auth
+     * When false: all tools require authentication by default
+     * @default false
+     */
+    allowDefaultPublic: zod_1.z.boolean().default(false),
+    /**
+     * Scopes granted to anonymous sessions (when allowDefaultPublic=true)
+     * @default ['anonymous']
+     */
+    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
+    /**
+     * Public access config (when allowDefaultPublic=true)
+     */
+    publicAccess: exports.publicAccessConfigSchema.optional(),
+    /**
+     * Consent flow configuration for tool selection
+     * Allows users to choose which MCP tools to expose to the LLM
+     * @default { enabled: false }
+     */
+    consent: exports.consentConfigSchema.optional(),
+    /**
+     * Token refresh settings
+     */
+    refresh: exports.tokenRefreshConfigSchema.optional(),
+    /**
+     * Expected token audience for validation
+     */
+    expectedAudience: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
+    /**
+     * Incremental (progressive) authorization configuration
+     * Allows users to skip app authorizations initially and authorize later
+     * @default { enabled: true, skippedAppBehavior: 'anonymous' }
+     */
+    incrementalAuth: exports.incrementalAuthConfigSchema.optional(),
+    /**
+     * Transport protocol configuration
+     * Controls which transports are enabled and their behavior
+     */
+    transport: exports.transportConfigSchema.optional(),
+});
+/**
+ * Orchestrated mode with remote OAuth provider
+ */
+exports.orchestratedRemoteSchema = zod_1.z.object({
+    mode: zod_1.z.literal('orchestrated'),
+    type: zod_1.z.literal('remote'),
+    /**
+     * Remote OAuth provider configuration (required for remote type)
+     */
+    remote: exports.remoteProviderConfigSchema,
+    /**
+     * Local signing configuration (for issuing local tokens after upstream auth)
+     */
+    local: exports.localSigningConfigSchema.optional(),
+    /**
+     * Token storage configuration
+     * @default { type: 'memory' }
+     */
+    tokenStorage: exports.tokenStorageConfigSchema.default({ type: 'memory' }),
+    /**
+     * Session storage mode
+     * - 'stateful': Store sessions in Redis/memory, JWT contains only reference
+     * - 'stateless': All state encrypted in JWT
+     * @default 'stateful'
+     */
+    sessionMode: zod_1.z.enum(['stateful', 'stateless']).default('stateful'),
+    /**
+     * Allow default public access for unauthenticated requests
+     * When true: all tools are public by default, only tools marked with scopes require auth
+     * When false: all tools require authentication by default
+     * @default false
+     */
+    allowDefaultPublic: zod_1.z.boolean().default(false),
+    /**
+     * Scopes granted to anonymous sessions (when allowDefaultPublic=true)
+     * @default ['anonymous']
+     */
+    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
+    /**
+     * Public access config (when allowDefaultPublic=true)
+     */
+    publicAccess: exports.publicAccessConfigSchema.optional(),
+    /**
+     * Consent flow configuration for tool selection
+     * Allows users to choose which MCP tools to expose to the LLM
+     * @default { enabled: false }
+     */
+    consent: exports.consentConfigSchema.optional(),
+    /**
+     * Token refresh settings
+     */
+    refresh: exports.tokenRefreshConfigSchema.optional(),
+    /**
+     * Expected token audience for validation
+     */
+    expectedAudience: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
+    /**
+     * Incremental (progressive) authorization configuration
+     * Allows users to skip app authorizations initially and authorize later
+     * @default { enabled: true, skippedAppBehavior: 'anonymous' }
+     */
+    incrementalAuth: exports.incrementalAuthConfigSchema.optional(),
+    /**
+     * Transport protocol configuration
+     * Controls which transports are enabled and their behavior
+     */
+    transport: exports.transportConfigSchema.optional(),
+});
+// Combined orchestrated schema
+exports.orchestratedAuthOptionsSchema = zod_1.z.discriminatedUnion('type', [
+    exports.orchestratedLocalSchema,
+    exports.orchestratedRemoteSchema,
+]);
+// ============================================
+// UNIFIED AUTH OPTIONS
+// ============================================
+/**
+ * Main auth options schema - discriminated by 'mode'
+ *
+ * Uses z.union because we have nested discriminators (orchestrated has 'type')
+ */
+exports.authOptionsSchema = zod_1.z.union([
+    exports.publicAuthOptionsSchema,
+    exports.transparentAuthOptionsSchema,
+    exports.orchestratedLocalSchema,
+    exports.orchestratedRemoteSchema,
 ]);
 const standaloneOptionSchema = {
     standalone: zod_1.z.boolean().optional(),
     excludeFromParent: zod_1.z.boolean().optional(),
 };
-exports.appAuthOptionsSchema = zod_1.z.discriminatedUnion('type', [
-    exports.remoteAuthOptionsSchema.extend(standaloneOptionSchema),
-    exports.localAuthOptionsSchema.extend(standaloneOptionSchema),
+exports.appAuthOptionsSchema = zod_1.z.union([
+    exports.publicAuthOptionsSchema.extend(standaloneOptionSchema),
+    exports.transparentAuthOptionsSchema.extend(standaloneOptionSchema),
+    exports.orchestratedLocalSchema.extend(standaloneOptionSchema),
+    exports.orchestratedRemoteSchema.extend(standaloneOptionSchema),
 ]);
+// ============================================
+// HELPER FUNCTIONS
+// ============================================
+/**
+ * Parse and validate auth options with defaults
+ */
+function parseAuthOptions(input) {
+    return exports.authOptionsSchema.parse(input);
+}
+/**
+ * Check if options are public mode
+ */
+function isPublicMode(options) {
+    return options.mode === 'public';
+}
+/**
+ * Check if options are transparent mode
+ */
+function isTransparentMode(options) {
+    return options.mode === 'transparent';
+}
+/**
+ * Check if options are orchestrated mode
+ */
+function isOrchestratedMode(options) {
+    return options.mode === 'orchestrated';
+}
+/**
+ * Check if orchestrated options are local type
+ */
+function isOrchestratedLocal(options) {
+    return options.type === 'local';
+}
+/**
+ * Check if orchestrated options are remote type
+ */
+function isOrchestratedRemote(options) {
+    return options.type === 'remote';
+}
+/**
+ * Check if options allow public/anonymous access
+ */
+function allowsPublicAccess(options) {
+    if (options.mode === 'public')
+        return true;
+    if (options.mode === 'transparent')
+        return options.allowAnonymous;
+    if (options.mode === 'orchestrated')
+        return options.allowDefaultPublic;
+    return false;
+}
 //# sourceMappingURL=auth.options.js.map