@frontmcp/sdk 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (226) hide show
  1. package/README.md +3 -3
  2. package/package.json +8 -19
  3. package/src/adapter/adapter.instance.js +5 -0
  4. package/src/adapter/adapter.instance.js.map +1 -1
  5. package/src/auth/authorization/authorization.class.d.ts +1 -4
  6. package/src/auth/authorization/authorization.class.js +6 -13
  7. package/src/auth/authorization/authorization.class.js.map +1 -1
  8. package/src/auth/flows/session.verify.flow.d.ts +1 -0
  9. package/src/auth/flows/session.verify.flow.js +11 -1
  10. package/src/auth/flows/session.verify.flow.js.map +1 -1
  11. package/src/auth/flows/well-known.jwks.flow.js +2 -2
  12. package/src/auth/flows/well-known.jwks.flow.js.map +1 -1
  13. package/src/auth/jwks/dev-key-persistence.d.ts +63 -0
  14. package/src/auth/jwks/dev-key-persistence.js +219 -0
  15. package/src/auth/jwks/dev-key-persistence.js.map +1 -0
  16. package/src/auth/jwks/index.d.ts +1 -0
  17. package/src/auth/jwks/index.js +1 -0
  18. package/src/auth/jwks/index.js.map +1 -1
  19. package/src/auth/jwks/jwks.service.d.ts +7 -4
  20. package/src/auth/jwks/jwks.service.js +81 -12
  21. package/src/auth/jwks/jwks.service.js.map +1 -1
  22. package/src/auth/jwks/jwks.types.d.ts +7 -0
  23. package/src/auth/jwks/jwks.types.js.map +1 -1
  24. package/src/auth/machine-id.d.ts +5 -0
  25. package/src/auth/machine-id.js +32 -0
  26. package/src/auth/machine-id.js.map +1 -0
  27. package/src/auth/session/index.d.ts +1 -0
  28. package/src/auth/session/index.js +3 -1
  29. package/src/auth/session/index.js.map +1 -1
  30. package/src/auth/session/record/session.base.js +5 -3
  31. package/src/auth/session/record/session.base.js.map +1 -1
  32. package/src/auth/session/record/session.stateless.d.ts +2 -2
  33. package/src/auth/session/record/session.stateless.js +5 -3
  34. package/src/auth/session/record/session.stateless.js.map +1 -1
  35. package/src/auth/session/redis-session.store.d.ts +64 -0
  36. package/src/auth/session/redis-session.store.js +204 -0
  37. package/src/auth/session/redis-session.store.js.map +1 -0
  38. package/src/auth/session/session.service.d.ts +0 -2
  39. package/src/auth/session/session.service.js +1 -7
  40. package/src/auth/session/session.service.js.map +1 -1
  41. package/src/auth/session/transport-session.manager.js +3 -5
  42. package/src/auth/session/transport-session.manager.js.map +1 -1
  43. package/src/auth/session/transport-session.types.d.ts +4 -0
  44. package/src/auth/session/transport-session.types.js +4 -3
  45. package/src/auth/session/transport-session.types.js.map +1 -1
  46. package/src/auth/session/utils/session-id.utils.d.ts +12 -1
  47. package/src/auth/session/utils/session-id.utils.js +48 -9
  48. package/src/auth/session/utils/session-id.utils.js.map +1 -1
  49. package/src/auth/ui/base-layout.d.ts +0 -8
  50. package/src/auth/ui/base-layout.js +1 -14
  51. package/src/auth/ui/base-layout.js.map +1 -1
  52. package/src/auth/ui/index.d.ts +3 -4
  53. package/src/auth/ui/index.js +10 -11
  54. package/src/auth/ui/index.js.map +1 -1
  55. package/src/auth/ui/{htmx-templates.d.ts → templates.d.ts} +5 -6
  56. package/src/auth/ui/{htmx-templates.js → templates.js} +8 -15
  57. package/src/auth/ui/templates.js.map +1 -0
  58. package/src/common/decorators/decorator-utils.js.map +1 -1
  59. package/src/common/decorators/front-mcp.decorator.js +28 -2
  60. package/src/common/decorators/front-mcp.decorator.js.map +1 -1
  61. package/src/common/index.d.ts +0 -1
  62. package/src/common/index.js +0 -1
  63. package/src/common/index.js.map +1 -1
  64. package/src/common/interfaces/adapter.interface.d.ts +6 -0
  65. package/src/common/interfaces/adapter.interface.js.map +1 -1
  66. package/src/common/interfaces/execution-context.interface.d.ts +52 -3
  67. package/src/common/interfaces/execution-context.interface.js +88 -3
  68. package/src/common/interfaces/execution-context.interface.js.map +1 -1
  69. package/src/common/interfaces/flow.interface.d.ts +13 -0
  70. package/src/common/interfaces/flow.interface.js +24 -0
  71. package/src/common/interfaces/flow.interface.js.map +1 -1
  72. package/src/common/interfaces/server.interface.d.ts +9 -0
  73. package/src/common/interfaces/server.interface.js.map +1 -1
  74. package/src/common/metadata/app.metadata.d.ts +108 -0
  75. package/src/common/metadata/front-mcp.metadata.d.ts +659 -2
  76. package/src/common/metadata/front-mcp.metadata.js +3 -1
  77. package/src/common/metadata/front-mcp.metadata.js.map +1 -1
  78. package/src/common/metadata/provider.metadata.d.ts +14 -0
  79. package/src/common/metadata/provider.metadata.js +18 -2
  80. package/src/common/metadata/provider.metadata.js.map +1 -1
  81. package/src/common/metadata/tool.metadata.d.ts +33 -1
  82. package/src/common/metadata/tool.metadata.js.map +1 -1
  83. package/src/common/migrate/auth-transport.migrate.d.ts +62 -0
  84. package/src/common/migrate/auth-transport.migrate.js +140 -0
  85. package/src/common/migrate/auth-transport.migrate.js.map +1 -0
  86. package/src/common/migrate/index.d.ts +1 -0
  87. package/src/common/migrate/index.js +6 -0
  88. package/src/common/migrate/index.js.map +1 -0
  89. package/src/common/schemas/http-output.schema.d.ts +10 -2
  90. package/src/common/schemas/index.d.ts +1 -0
  91. package/src/common/schemas/index.js +1 -0
  92. package/src/common/schemas/index.js.map +1 -1
  93. package/src/common/schemas/session-header.schema.d.ts +16 -0
  94. package/src/common/schemas/session-header.schema.js +42 -0
  95. package/src/common/schemas/session-header.schema.js.map +1 -0
  96. package/src/common/tokens/front-mcp.tokens.js +3 -1
  97. package/src/common/tokens/front-mcp.tokens.js.map +1 -1
  98. package/src/common/types/options/auth.options.d.ts +233 -3
  99. package/src/common/types/options/auth.options.js +29 -40
  100. package/src/common/types/options/auth.options.js.map +1 -1
  101. package/src/common/types/options/index.d.ts +2 -0
  102. package/src/common/types/options/index.js +2 -0
  103. package/src/common/types/options/index.js.map +1 -1
  104. package/src/common/types/options/redis.options.d.ts +22 -0
  105. package/src/common/types/options/redis.options.js +45 -0
  106. package/src/common/types/options/redis.options.js.map +1 -0
  107. package/src/common/types/options/transport.options.d.ts +84 -0
  108. package/src/common/types/options/transport.options.js +121 -0
  109. package/src/common/types/options/transport.options.js.map +1 -0
  110. package/src/completion/flows/complete.flow.d.ts +17 -2
  111. package/src/context/frontmcp-context-storage.d.ts +94 -0
  112. package/src/context/frontmcp-context-storage.js +183 -0
  113. package/src/context/frontmcp-context-storage.js.map +1 -0
  114. package/src/context/frontmcp-context.d.ts +269 -0
  115. package/src/context/frontmcp-context.js +360 -0
  116. package/src/context/frontmcp-context.js.map +1 -0
  117. package/src/context/frontmcp-context.provider.d.ts +43 -0
  118. package/src/context/frontmcp-context.provider.js +61 -0
  119. package/src/context/frontmcp-context.provider.js.map +1 -0
  120. package/src/context/index.d.ts +34 -0
  121. package/src/context/index.js +64 -0
  122. package/src/context/index.js.map +1 -0
  123. package/src/context/request-context-storage.d.ts +89 -0
  124. package/src/context/request-context-storage.js +183 -0
  125. package/src/context/request-context-storage.js.map +1 -0
  126. package/src/context/request-context.d.ts +184 -0
  127. package/src/context/request-context.js +209 -0
  128. package/src/context/request-context.js.map +1 -0
  129. package/src/context/request-context.provider.d.ts +37 -0
  130. package/src/context/request-context.provider.js +51 -0
  131. package/src/context/request-context.provider.js.map +1 -0
  132. package/src/context/session-key.provider.d.ts +45 -0
  133. package/src/context/session-key.provider.js +65 -0
  134. package/src/context/session-key.provider.js.map +1 -0
  135. package/src/context/trace-context.d.ts +43 -0
  136. package/src/context/trace-context.js +142 -0
  137. package/src/context/trace-context.js.map +1 -0
  138. package/src/errors/index.d.ts +1 -1
  139. package/src/errors/index.js +3 -1
  140. package/src/errors/index.js.map +1 -1
  141. package/src/errors/mcp.error.d.ts +7 -0
  142. package/src/errors/mcp.error.js +11 -1
  143. package/src/errors/mcp.error.js.map +1 -1
  144. package/src/flows/flow.instance.d.ts +16 -0
  145. package/src/flows/flow.instance.js +166 -80
  146. package/src/flows/flow.instance.js.map +1 -1
  147. package/src/flows/flow.registry.d.ts +5 -0
  148. package/src/flows/flow.registry.js +45 -3
  149. package/src/flows/flow.registry.js.map +1 -1
  150. package/src/front-mcp/front-mcp.d.ts +12 -0
  151. package/src/front-mcp/front-mcp.js +22 -3
  152. package/src/front-mcp/front-mcp.js.map +1 -1
  153. package/src/front-mcp/front-mcp.providers.d.ts +266 -1
  154. package/src/front-mcp/front-mcp.providers.js +2 -1
  155. package/src/front-mcp/front-mcp.providers.js.map +1 -1
  156. package/src/front-mcp/serverless-handler.d.ts +28 -0
  157. package/src/front-mcp/serverless-handler.js +61 -0
  158. package/src/front-mcp/serverless-handler.js.map +1 -0
  159. package/src/hooks/hooks.utils.d.ts +1 -1
  160. package/src/hooks/hooks.utils.js +10 -3
  161. package/src/hooks/hooks.utils.js.map +1 -1
  162. package/src/index.d.ts +8 -4
  163. package/src/index.js +20 -1
  164. package/src/index.js.map +1 -1
  165. package/src/logger/instances/instance.logger.js +0 -1
  166. package/src/logger/instances/instance.logger.js.map +1 -1
  167. package/src/logging/flows/set-level.flow.d.ts +17 -2
  168. package/src/notification/notification.service.js +5 -1
  169. package/src/notification/notification.service.js.map +1 -1
  170. package/src/prompt/flows/get-prompt.flow.d.ts +97 -2
  171. package/src/prompt/flows/prompts-list.flow.d.ts +12 -1
  172. package/src/provider/provider.registry.d.ts +97 -5
  173. package/src/provider/provider.registry.js +306 -9
  174. package/src/provider/provider.registry.js.map +1 -1
  175. package/src/provider/provider.types.d.ts +21 -3
  176. package/src/provider/provider.types.js.map +1 -1
  177. package/src/resource/flows/read-resource.flow.d.ts +22 -3
  178. package/src/resource/flows/resource-templates-list.flow.d.ts +20 -1
  179. package/src/resource/flows/resources-list.flow.d.ts +20 -1
  180. package/src/resource/flows/subscribe-resource.flow.d.ts +17 -2
  181. package/src/resource/flows/unsubscribe-resource.flow.d.ts +17 -2
  182. package/src/scope/flows/http.request.flow.js +43 -7
  183. package/src/scope/flows/http.request.flow.js.map +1 -1
  184. package/src/scope/scope.instance.js +12 -5
  185. package/src/scope/scope.instance.js.map +1 -1
  186. package/src/server/adapters/base.host.adapter.d.ts +9 -0
  187. package/src/server/adapters/base.host.adapter.js.map +1 -1
  188. package/src/server/adapters/express.host.adapter.d.ts +12 -0
  189. package/src/server/adapters/express.host.adapter.js +21 -1
  190. package/src/server/adapters/express.host.adapter.js.map +1 -1
  191. package/src/server/server.instance.d.ts +3 -0
  192. package/src/server/server.instance.js +14 -7
  193. package/src/server/server.instance.js.map +1 -1
  194. package/src/tool/flows/call-tool.flow.d.ts +118 -13
  195. package/src/tool/flows/call-tool.flow.js +240 -194
  196. package/src/tool/flows/call-tool.flow.js.map +1 -1
  197. package/src/tool/flows/tools-list.flow.d.ts +25 -11
  198. package/src/tool/flows/tools-list.flow.js +82 -31
  199. package/src/tool/flows/tools-list.flow.js.map +1 -1
  200. package/src/tool/tool.instance.d.ts +1 -4
  201. package/src/transport/adapters/transport.streamable-http.adapter.js +1 -0
  202. package/src/transport/adapters/transport.streamable-http.adapter.js.map +1 -1
  203. package/src/transport/flows/handle.sse.flow.js +9 -2
  204. package/src/transport/flows/handle.sse.flow.js.map +1 -1
  205. package/src/transport/flows/handle.streamable-http.flow.js +63 -6
  206. package/src/transport/flows/handle.streamable-http.flow.js.map +1 -1
  207. package/src/transport/mcp-handlers/complete-request.handler.d.ts +27 -1
  208. package/src/transport/mcp-handlers/get-prompt-request.handler.d.ts +52 -1
  209. package/src/transport/mcp-handlers/index.d.ts +413 -7
  210. package/src/transport/mcp-handlers/initialize-request.handler.js +12 -2
  211. package/src/transport/mcp-handlers/initialize-request.handler.js.map +1 -1
  212. package/src/transport/mcp-handlers/list-prompts-request.handler.d.ts +27 -1
  213. package/src/transport/mcp-handlers/list-resource-templates-request.handler.d.ts +32 -1
  214. package/src/transport/mcp-handlers/list-resources-request.handler.d.ts +32 -1
  215. package/src/transport/mcp-handlers/list-tools-request.handler.d.ts +30 -1
  216. package/src/transport/mcp-handlers/logging-set-level-request.handler.d.ts +20 -0
  217. package/src/transport/mcp-handlers/read-resource-request.handler.d.ts +27 -1
  218. package/src/transport/mcp-handlers/subscribe-request.handler.d.ts +20 -0
  219. package/src/transport/mcp-handlers/unsubscribe-request.handler.d.ts +20 -0
  220. package/src/transport/transport.registry.d.ts +68 -4
  221. package/src/transport/transport.registry.js +313 -11
  222. package/src/transport/transport.registry.js.map +1 -1
  223. package/src/auth/ui/htmx-templates.js.map +0 -1
  224. package/src/common/providers/session.provider.d.ts +0 -13
  225. package/src/common/providers/session.provider.js +0 -27
  226. package/src/common/providers/session.provider.js.map +0 -1
package/src/auth/session/transport-session.manager.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"transport-session.manager.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.manager.ts"],"names":[],"mappings":";AAAA,4CAA4C;;;AAE5C,mCAAoC;AAYpC,+DAAuD;AACvD,qDAA4E;AAC5E,8EAAoE;AAEpE;;GAEG;AACH,MAAa,oBAAoB;IACd,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE7D,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAAsB,EAAE,KAAc;QACjE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,OAAO,IAAA,mBAAU,GAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC/D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF;AAlED,oDAkEC;AAED;;;;;;;;;;GAUG;AACH,MAAa,uBAAuB;IACjB,KAAK,CAAe;IACpB,IAAI,CAA2B;IAC/B,aAAa,CAAS;IAEvC,YAAY,MAA4D;QACtE,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAExB,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC,CAAC,2BAA2B;QACtE,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;YACpC,yCAAyC;YACzC,kCAAkC;YAClC,oCAAoC;YACpC,OAAO,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;YAChH,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;QAED,oDAAoD;QACpD,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,CACb,8FAA8F;oBAC5F,wFAAwF,CAC3F,CAAC;YACJ,CAAC;YACD,mDAAmD;YACnD,OAAO,CAAC,IAAI,CACV,uGAAuG;gBACrG,+DAA+D,CAClE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,IAAI,IAAA,kCAAY,GAAE,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,IAAA,2BAAU,EAC7B,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,EAC5B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAC/B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAChC,EAAE,CACH,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,eAAuB,EACvB,QAA2B,EAC3B,UAKI,EAAE;QAEN,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEvC,MAAM,OAAO,GAAqB;YAChC,EAAE,EAAE,SAAS;YACb,eAAe;YACf,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,IAAA,kCAAY,GAAE;YACtB,iBAAiB,EAAE,OAAO,CAAC,WAAW;YACtC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,oCAAoC;YACpC,MAAM,MAAM,GAAkB;gBAC5B,OAAO;gBACP,eAAe;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE;aAC3B,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,2BAA2B;YAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAED,4BAA4B;QAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,OAAO,MAAM,EAAE,OAAO,IAAI,IAAI,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,mDAAmD;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,OAGC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,0EAA0E;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,MAAM,CAAC,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,sCAAsC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,gBAAgB,CACd,OAAyB,EACzB,eAGC;QAED,MAAM,OAAO,GAAsB;YACjC,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,EAAE,OAAO,CAAC,eAAe;YAC5B,KAAK,EAAE,OAAO,CAAC,QAAQ;YACvB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAClC,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1E,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,IAAI,eAAe,EAAE,CAAC;YACjD,MAAM,gBAAgB,GAAG,OAAqC,CAAC;YAE/D,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3F,gBAAgB,CAAC,KAAK,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YAChF,CAAC;YAED,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5F,gBAAgB,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACjF,CAAC;QACH,CAAC;QAED,OAAO,IAAA,8BAAW,EAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,GAAW;QACnC,IAAI,CAAC;YACH,kDAAkD;YAClD,2CAA2C;YAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;YACrC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAChF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAEhF,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE;gBAClD,GAAG,EAAE,SAAS;gBACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;aACjC,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;YAE3D,sBAAsB;YACtB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,OAAO,CAAC,GAAG;gBACf,eAAe,EAAE,OAAO,CAAC,GAAG;gBAC5B,QAAQ,EAAE,OAAO,CAAC,KAAK;gBACvB,SAAS,EAAE,OAAO,CAAC,GAAG,GAAG,IAAI;gBAC7B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBACvD,MAAM,EAAE,OAAO,CAAC,GAAG;aACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAClD,OAAO,OAAO,KAAK,IAAI,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AA5QD,0DA4QC","sourcesContent":["// auth/session/transport-session.manager.ts\n\nimport { randomUUID } from 'crypto';\nimport {\n TransportSession,\n TransportProtocol,\n SessionJwtPayload,\n StatelessSessionJwtPayload,\n StoredSession,\n SessionStore,\n SessionStorageConfig,\n TransportState,\n EncryptedBlob,\n} from './transport-session.types';\nimport { encryptJson } from './utils/session-id.utils';\nimport { encryptAesGcm, decryptAesGcm, hkdfSha256 } from './session.crypto';\nimport { getMachineId } from '../authorization/authorization.class';\n\n/**\n * In-memory session store implementation\n */\nexport class InMemorySessionStore implements SessionStore {\n private readonly sessions = new Map<string, StoredSession>();\n\n async get(sessionId: string): Promise<StoredSession | null> {\n const stored = this.sessions.get(sessionId);\n if (!stored) return null;\n\n // Check expiration\n if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n this.sessions.delete(sessionId);\n return null;\n }\n\n // Update last accessed\n stored.lastAccessedAt = Date.now();\n return stored;\n }\n\n async set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void> {\n if (ttlMs) {\n session.session.expiresAt = Date.now() + ttlMs;\n }\n this.sessions.set(sessionId, session);\n }\n\n async delete(sessionId: string): Promise<void> {\n this.sessions.delete(sessionId);\n }\n\n async exists(sessionId: string): Promise<boolean> {\n const stored = this.sessions.get(sessionId);\n if (!stored) return false;\n\n // Check expiration\n if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n this.sessions.delete(sessionId);\n return false;\n }\n return true;\n }\n\n allocId(): string {\n return randomUUID();\n }\n\n /**\n * Clean up expired sessions\n */\n cleanup(): number {\n const now = Date.now();\n let cleaned = 0;\n for (const [id, stored] of this.sessions) {\n if (stored.session.expiresAt && stored.session.expiresAt < now) {\n this.sessions.delete(id);\n cleaned++;\n }\n }\n return cleaned;\n }\n\n /**\n * Get count of active sessions\n */\n get size(): number {\n return this.sessions.size;\n }\n}\n\n/**\n * Transport Session Manager\n *\n * Manages transport sessions independent of authorization.\n * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.\n *\n * Key concepts:\n * - Authorization = User identity + permissions (1 per user token)\n * - TransportSession = Protocol-specific connection (N per authorization)\n * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)\n */\nexport class TransportSessionManager {\n private readonly store: SessionStore;\n private readonly mode: 'stateless' | 'stateful';\n private readonly encryptionKey: Buffer;\n\n constructor(config: SessionStorageConfig & { encryptionSecret?: string }) {\n this.mode = config.mode;\n\n if (config.mode === 'stateless') {\n this.store = new InMemorySessionStore(); // Used only for allocation\n } else if (config.store === 'memory') {\n this.store = new InMemorySessionStore();\n } else if (config.store === 'redis') {\n // Redis store would be instantiated here\n // For now, fall back to in-memory\n // TODO: Implement RedisSessionStore\n console.warn('[TransportSessionManager] Redis store requested but not implemented - falling back to in-memory');\n this.store = new InMemorySessionStore();\n } else {\n this.store = new InMemorySessionStore();\n }\n\n // Derive encryption key from secret or generate one\n const secret = config.encryptionSecret || process.env['MCP_SESSION_SECRET'];\n if (!secret) {\n if (process.env['NODE_ENV'] === 'production') {\n throw new Error(\n '[TransportSessionManager] MCP_SESSION_SECRET or encryptionSecret is required in production. ' +\n 'Set the MCP_SESSION_SECRET environment variable or provide encryptionSecret in config.',\n );\n }\n // Development fallback - NOT secure for production\n console.warn(\n '[TransportSessionManager] Using machine ID as session encryption secret - NOT SECURE FOR PRODUCTION. ' +\n 'Set MCP_SESSION_SECRET or provide encryptionSecret in config.',\n );\n }\n const effectiveSecret = secret || getMachineId();\n this.encryptionKey = hkdfSha256(\n Buffer.from(effectiveSecret),\n Buffer.from('mcp-session-salt'),\n Buffer.from('transport-session'),\n 32,\n );\n }\n\n /**\n * Create a new transport session for an authorization\n *\n * @param authorizationId - The authorization this session belongs to\n * @param protocol - Transport protocol (sse, streamable-http, etc.)\n * @param options - Additional session options\n * @returns The created transport session\n */\n async createSession(\n authorizationId: string,\n protocol: TransportProtocol,\n options: {\n expiresAt?: number;\n fingerprint?: string;\n transportState?: TransportState;\n tokens?: Record<string, EncryptedBlob>;\n } = {},\n ): Promise<TransportSession> {\n const sessionId = this.store.allocId();\n\n const session: TransportSession = {\n id: sessionId,\n authorizationId,\n protocol,\n createdAt: Date.now(),\n expiresAt: options.expiresAt,\n nodeId: getMachineId(),\n clientFingerprint: options.fingerprint,\n transportState: options.transportState,\n };\n\n if (this.mode === 'stateful') {\n // Store session in persistent store\n const stored: StoredSession = {\n session,\n authorizationId,\n tokens: options.tokens,\n createdAt: Date.now(),\n lastAccessedAt: Date.now(),\n };\n await this.store.set(sessionId, stored);\n }\n\n return session;\n }\n\n /**\n * Get an existing session by ID\n *\n * @param sessionId - The session ID (encrypted JWT or UUID)\n * @returns The session if found and valid, null otherwise\n */\n async getSession(sessionId: string): Promise<TransportSession | null> {\n if (this.mode === 'stateless') {\n // Decrypt session from JWT\n return this.decryptSessionJwt(sessionId);\n }\n\n // Stateful: lookup in store\n const stored = await this.store.get(sessionId);\n return stored?.session ?? null;\n }\n\n /**\n * Get stored session with tokens (for orchestrated mode)\n */\n async getStoredSession(sessionId: string): Promise<StoredSession | null> {\n if (this.mode === 'stateless') {\n // In stateless mode, we don't have stored sessions\n return null;\n }\n return this.store.get(sessionId);\n }\n\n /**\n * Update session state\n */\n async updateSession(\n sessionId: string,\n updates: {\n transportState?: TransportState;\n expiresAt?: number;\n },\n ): Promise<boolean> {\n if (this.mode === 'stateless') {\n // Stateless sessions are immutable - caller should create new session JWT\n return false;\n }\n\n const stored = await this.store.get(sessionId);\n if (!stored) return false;\n\n if (updates.transportState) {\n stored.session.transportState = updates.transportState;\n }\n if (updates.expiresAt) {\n stored.session.expiresAt = updates.expiresAt;\n }\n stored.lastAccessedAt = Date.now();\n\n await this.store.set(sessionId, stored);\n return true;\n }\n\n /**\n * Delete a session\n */\n async deleteSession(sessionId: string): Promise<boolean> {\n if (this.mode === 'stateless') {\n // Stateless sessions can't be revoked\n return false;\n }\n\n const exists = await this.store.exists(sessionId);\n if (exists) {\n await this.store.delete(sessionId);\n }\n return exists;\n }\n\n /**\n * Encode a session as an encrypted JWT for the Mcp-Session-Id header\n *\n * @param session - The transport session to encode\n * @param additionalState - Additional encrypted state for stateless mode\n * @returns Encrypted session JWT\n */\n encodeSessionJwt(\n session: TransportSession,\n additionalState?: {\n state?: unknown;\n tokens?: Record<string, unknown>;\n },\n ): string {\n const payload: SessionJwtPayload = {\n sid: session.id,\n aid: session.authorizationId,\n proto: session.protocol,\n nid: session.nodeId,\n iat: Math.floor(Date.now() / 1000),\n exp: session.expiresAt ? Math.floor(session.expiresAt / 1000) : undefined,\n };\n\n if (this.mode === 'stateless' && additionalState) {\n const statelessPayload = payload as StatelessSessionJwtPayload;\n\n if (additionalState.state) {\n const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.state));\n statelessPayload.state = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n }\n\n if (additionalState.tokens) {\n const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.tokens));\n statelessPayload.tokens = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n }\n }\n\n return encryptJson(payload);\n }\n\n /**\n * Decode an encrypted session JWT\n *\n * @param jwt - The encrypted session JWT\n * @returns Decoded session or null if invalid\n */\n private decryptSessionJwt(jwt: string): TransportSession | null {\n try {\n // The encryptJson format is iv.tag.ct (base64url)\n // We need to decrypt it using the same key\n const parts = jwt.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n const iv = Buffer.from(ivB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n const tag = Buffer.from(tagB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n const data = Buffer.from(ctB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n\n const decrypted = decryptAesGcm(this.encryptionKey, {\n alg: 'A256GCM',\n iv: iv.toString('base64url'),\n tag: tag.toString('base64url'),\n data: data.toString('base64url'),\n });\n\n const payload = JSON.parse(decrypted) as SessionJwtPayload;\n\n // Validate expiration\n if (payload.exp && payload.exp * 1000 < Date.now()) {\n return null;\n }\n\n return {\n id: payload.sid,\n authorizationId: payload.aid,\n protocol: payload.proto,\n createdAt: payload.iat * 1000,\n expiresAt: payload.exp ? payload.exp * 1000 : undefined,\n nodeId: payload.nid,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * Check if a session exists and is valid\n */\n async sessionExists(sessionId: string): Promise<boolean> {\n if (this.mode === 'stateless') {\n const session = this.decryptSessionJwt(sessionId);\n return session !== null;\n }\n return this.store.exists(sessionId);\n }\n\n /**\n * Get the storage mode\n */\n get storageMode(): 'stateless' | 'stateful' {\n return this.mode;\n }\n}\n"]}
1
+ {"version":3,"file":"transport-session.manager.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.manager.ts"],"names":[],"mappings":";AAAA,4CAA4C;;;AAE5C,mCAAoC;AAYpC,+DAAuD;AACvD,qDAA4E;AAC5E,8EAAoE;AACpE,+DAA0D;AAE1D;;GAEG;AACH,MAAa,oBAAoB;IACd,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE7D,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAAsB,EAAE,KAAc;QACjE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,OAAO,IAAA,mBAAU,GAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC/D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF;AAlED,oDAkEC;AAED;;;;;;;;;;GAUG;AACH,MAAa,uBAAuB;IACjB,KAAK,CAAe;IACpB,IAAI,CAA2B;IAC/B,aAAa,CAAS;IAEvC,YAAY,MAA4D;QACtE,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAExB,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC,CAAC,2BAA2B;QACtE,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;YACpC,kCAAkC;YAClC,IAAI,CAAC,KAAK,GAAG,IAAI,uCAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;QAED,oDAAoD;QACpD,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,CACb,8FAA8F;oBAC5F,wFAAwF,CAC3F,CAAC;YACJ,CAAC;YACD,mDAAmD;YACnD,OAAO,CAAC,IAAI,CACV,uGAAuG;gBACrG,+DAA+D,CAClE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,IAAI,IAAA,kCAAY,GAAE,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,IAAA,2BAAU,EAC7B,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,EAC5B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAC/B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAChC,EAAE,CACH,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,eAAuB,EACvB,QAA2B,EAC3B,UAKI,EAAE;QAEN,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEvC,MAAM,OAAO,GAAqB;YAChC,EAAE,EAAE,SAAS;YACb,eAAe;YACf,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,IAAA,kCAAY,GAAE;YACtB,iBAAiB,EAAE,OAAO,CAAC,WAAW;YACtC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,oCAAoC;YACpC,MAAM,MAAM,GAAkB;gBAC5B,OAAO;gBACP,eAAe;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE;aAC3B,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,2BAA2B;YAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAED,4BAA4B;QAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,OAAO,MAAM,EAAE,OAAO,IAAI,IAAI,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,mDAAmD;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,OAGC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,0EAA0E;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,MAAM,CAAC,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,sCAAsC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,gBAAgB,CACd,OAAyB,EACzB,eAGC;QAED,MAAM,OAAO,GAAsB;YACjC,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,EAAE,OAAO,CAAC,eAAe;YAC5B,KAAK,EAAE,OAAO,CAAC,QAAQ;YACvB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAClC,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1E,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,IAAI,eAAe,EAAE,CAAC;YACjD,MAAM,gBAAgB,GAAG,OAAqC,CAAC;YAE/D,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3F,gBAAgB,CAAC,KAAK,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YAChF,CAAC;YAED,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5F,gBAAgB,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACjF,CAAC;QACH,CAAC;QAED,OAAO,IAAA,8BAAW,EAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,GAAW;QACnC,IAAI,CAAC;YACH,kDAAkD;YAClD,2CAA2C;YAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;YACrC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAChF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAEhF,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE;gBAClD,GAAG,EAAE,SAAS;gBACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;aACjC,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;YAE3D,sBAAsB;YACtB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,OAAO,CAAC,GAAG;gBACf,eAAe,EAAE,OAAO,CAAC,GAAG;gBAC5B,QAAQ,EAAE,OAAO,CAAC,KAAK;gBACvB,SAAS,EAAE,OAAO,CAAC,GAAG,GAAG,IAAI;gBAC7B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBACvD,MAAM,EAAE,OAAO,CAAC,GAAG;aACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAClD,OAAO,OAAO,KAAK,IAAI,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AAzQD,0DAyQC","sourcesContent":["// auth/session/transport-session.manager.ts\n\nimport { randomUUID } from 'crypto';\nimport {\n TransportSession,\n TransportProtocol,\n SessionJwtPayload,\n StatelessSessionJwtPayload,\n StoredSession,\n SessionStore,\n SessionStorageConfig,\n TransportState,\n EncryptedBlob,\n} from './transport-session.types';\nimport { encryptJson } from './utils/session-id.utils';\nimport { encryptAesGcm, decryptAesGcm, hkdfSha256 } from './session.crypto';\nimport { getMachineId } from '../authorization/authorization.class';\nimport { RedisSessionStore } from './redis-session.store';\n\n/**\n * In-memory session store implementation\n */\nexport class InMemorySessionStore implements SessionStore {\n private readonly sessions = new Map<string, StoredSession>();\n\n async get(sessionId: string): Promise<StoredSession | null> {\n const stored = this.sessions.get(sessionId);\n if (!stored) return null;\n\n // Check expiration\n if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n this.sessions.delete(sessionId);\n return null;\n }\n\n // Update last accessed\n stored.lastAccessedAt = Date.now();\n return stored;\n }\n\n async set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void> {\n if (ttlMs) {\n session.session.expiresAt = Date.now() + ttlMs;\n }\n this.sessions.set(sessionId, session);\n }\n\n async delete(sessionId: string): Promise<void> {\n this.sessions.delete(sessionId);\n }\n\n async exists(sessionId: string): Promise<boolean> {\n const stored = this.sessions.get(sessionId);\n if (!stored) return false;\n\n // Check expiration\n if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n this.sessions.delete(sessionId);\n return false;\n }\n return true;\n }\n\n allocId(): string {\n return randomUUID();\n }\n\n /**\n * Clean up expired sessions\n */\n cleanup(): number {\n const now = Date.now();\n let cleaned = 0;\n for (const [id, stored] of this.sessions) {\n if (stored.session.expiresAt && stored.session.expiresAt < now) {\n this.sessions.delete(id);\n cleaned++;\n }\n }\n return cleaned;\n }\n\n /**\n * Get count of active sessions\n */\n get size(): number {\n return this.sessions.size;\n }\n}\n\n/**\n * Transport Session Manager\n *\n * Manages transport sessions independent of authorization.\n * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.\n *\n * Key concepts:\n * - Authorization = User identity + permissions (1 per user token)\n * - TransportSession = Protocol-specific connection (N per authorization)\n * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)\n */\nexport class TransportSessionManager {\n private readonly store: SessionStore;\n private readonly mode: 'stateless' | 'stateful';\n private readonly encryptionKey: Buffer;\n\n constructor(config: SessionStorageConfig & { encryptionSecret?: string }) {\n this.mode = config.mode;\n\n if (config.mode === 'stateless') {\n this.store = new InMemorySessionStore(); // Used only for allocation\n } else if (config.store === 'memory') {\n this.store = new InMemorySessionStore();\n } else if (config.store === 'redis') {\n // Instantiate Redis session store\n this.store = new RedisSessionStore(config.config);\n } else {\n this.store = new InMemorySessionStore();\n }\n\n // Derive encryption key from secret or generate one\n const secret = config.encryptionSecret || process.env['MCP_SESSION_SECRET'];\n if (!secret) {\n if (process.env['NODE_ENV'] === 'production') {\n throw new Error(\n '[TransportSessionManager] MCP_SESSION_SECRET or encryptionSecret is required in production. ' +\n 'Set the MCP_SESSION_SECRET environment variable or provide encryptionSecret in config.',\n );\n }\n // Development fallback - NOT secure for production\n console.warn(\n '[TransportSessionManager] Using machine ID as session encryption secret - NOT SECURE FOR PRODUCTION. ' +\n 'Set MCP_SESSION_SECRET or provide encryptionSecret in config.',\n );\n }\n const effectiveSecret = secret || getMachineId();\n this.encryptionKey = hkdfSha256(\n Buffer.from(effectiveSecret),\n Buffer.from('mcp-session-salt'),\n Buffer.from('transport-session'),\n 32,\n );\n }\n\n /**\n * Create a new transport session for an authorization\n *\n * @param authorizationId - The authorization this session belongs to\n * @param protocol - Transport protocol (sse, streamable-http, etc.)\n * @param options - Additional session options\n * @returns The created transport session\n */\n async createSession(\n authorizationId: string,\n protocol: TransportProtocol,\n options: {\n expiresAt?: number;\n fingerprint?: string;\n transportState?: TransportState;\n tokens?: Record<string, EncryptedBlob>;\n } = {},\n ): Promise<TransportSession> {\n const sessionId = this.store.allocId();\n\n const session: TransportSession = {\n id: sessionId,\n authorizationId,\n protocol,\n createdAt: Date.now(),\n expiresAt: options.expiresAt,\n nodeId: getMachineId(),\n clientFingerprint: options.fingerprint,\n transportState: options.transportState,\n };\n\n if (this.mode === 'stateful') {\n // Store session in persistent store\n const stored: StoredSession = {\n session,\n authorizationId,\n tokens: options.tokens,\n createdAt: Date.now(),\n lastAccessedAt: Date.now(),\n };\n await this.store.set(sessionId, stored);\n }\n\n return session;\n }\n\n /**\n * Get an existing session by ID\n *\n * @param sessionId - The session ID (encrypted JWT or UUID)\n * @returns The session if found and valid, null otherwise\n */\n async getSession(sessionId: string): Promise<TransportSession | null> {\n if (this.mode === 'stateless') {\n // Decrypt session from JWT\n return this.decryptSessionJwt(sessionId);\n }\n\n // Stateful: lookup in store\n const stored = await this.store.get(sessionId);\n return stored?.session ?? null;\n }\n\n /**\n * Get stored session with tokens (for orchestrated mode)\n */\n async getStoredSession(sessionId: string): Promise<StoredSession | null> {\n if (this.mode === 'stateless') {\n // In stateless mode, we don't have stored sessions\n return null;\n }\n return this.store.get(sessionId);\n }\n\n /**\n * Update session state\n */\n async updateSession(\n sessionId: string,\n updates: {\n transportState?: TransportState;\n expiresAt?: number;\n },\n ): Promise<boolean> {\n if (this.mode === 'stateless') {\n // Stateless sessions are immutable - caller should create new session JWT\n return false;\n }\n\n const stored = await this.store.get(sessionId);\n if (!stored) return false;\n\n if (updates.transportState) {\n stored.session.transportState = updates.transportState;\n }\n if (updates.expiresAt) {\n stored.session.expiresAt = updates.expiresAt;\n }\n stored.lastAccessedAt = Date.now();\n\n await this.store.set(sessionId, stored);\n return true;\n }\n\n /**\n * Delete a session\n */\n async deleteSession(sessionId: string): Promise<boolean> {\n if (this.mode === 'stateless') {\n // Stateless sessions can't be revoked\n return false;\n }\n\n const exists = await this.store.exists(sessionId);\n if (exists) {\n await this.store.delete(sessionId);\n }\n return exists;\n }\n\n /**\n * Encode a session as an encrypted JWT for the Mcp-Session-Id header\n *\n * @param session - The transport session to encode\n * @param additionalState - Additional encrypted state for stateless mode\n * @returns Encrypted session JWT\n */\n encodeSessionJwt(\n session: TransportSession,\n additionalState?: {\n state?: unknown;\n tokens?: Record<string, unknown>;\n },\n ): string {\n const payload: SessionJwtPayload = {\n sid: session.id,\n aid: session.authorizationId,\n proto: session.protocol,\n nid: session.nodeId,\n iat: Math.floor(Date.now() / 1000),\n exp: session.expiresAt ? Math.floor(session.expiresAt / 1000) : undefined,\n };\n\n if (this.mode === 'stateless' && additionalState) {\n const statelessPayload = payload as StatelessSessionJwtPayload;\n\n if (additionalState.state) {\n const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.state));\n statelessPayload.state = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n }\n\n if (additionalState.tokens) {\n const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.tokens));\n statelessPayload.tokens = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n }\n }\n\n return encryptJson(payload);\n }\n\n /**\n * Decode an encrypted session JWT\n *\n * @param jwt - The encrypted session JWT\n * @returns Decoded session or null if invalid\n */\n private decryptSessionJwt(jwt: string): TransportSession | null {\n try {\n // The encryptJson format is iv.tag.ct (base64url)\n // We need to decrypt it using the same key\n const parts = jwt.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n const iv = Buffer.from(ivB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n const tag = Buffer.from(tagB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n const data = Buffer.from(ctB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n\n const decrypted = decryptAesGcm(this.encryptionKey, {\n alg: 'A256GCM',\n iv: iv.toString('base64url'),\n tag: tag.toString('base64url'),\n data: data.toString('base64url'),\n });\n\n const payload = JSON.parse(decrypted) as SessionJwtPayload;\n\n // Validate expiration\n if (payload.exp && payload.exp * 1000 < Date.now()) {\n return null;\n }\n\n return {\n id: payload.sid,\n authorizationId: payload.aid,\n protocol: payload.proto,\n createdAt: payload.iat * 1000,\n expiresAt: payload.exp ? payload.exp * 1000 : undefined,\n nodeId: payload.nid,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * Check if a session exists and is valid\n */\n async sessionExists(sessionId: string): Promise<boolean> {\n if (this.mode === 'stateless') {\n const session = this.decryptSessionJwt(sessionId);\n return session !== null;\n }\n return this.store.exists(sessionId);\n }\n\n /**\n * Get the storage mode\n */\n get storageMode(): 'stateless' | 'stateful' {\n return this.mode;\n }\n}\n"]}
package/src/auth/session/transport-session.types.d.ts CHANGED
@@ -203,6 +203,8 @@ export interface RedisConfig {
203
203
  db?: number;
204
204
  tls?: boolean;
205
205
  keyPrefix?: string;
206
+ /** Default TTL in milliseconds for session extension on access (sliding expiration) */
207
+ defaultTtlMs?: number;
206
208
  }
207
209
  export declare const transportProtocolSchema: z.ZodEnum<{
208
210
  "legacy-sse": "legacy-sse";
@@ -437,6 +439,7 @@ export declare const redisConfigSchema: z.ZodObject<{
437
439
  db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
438
440
  tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
439
441
  keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
442
+ defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
440
443
  }, z.core.$strip>;
441
444
  export declare const sessionStorageConfigSchema: z.ZodUnion<readonly [z.ZodObject<{
442
445
  mode: z.ZodLiteral<"stateless">;
@@ -453,5 +456,6 @@ export declare const sessionStorageConfigSchema: z.ZodUnion<readonly [z.ZodObjec
453
456
  db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
454
457
  tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
455
458
  keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
459
+ defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
456
460
  }, z.core.$strip>;
457
461
  }, z.core.$strip>]>;
package/src/auth/session/transport-session.types.js CHANGED
@@ -88,12 +88,13 @@ exports.storedSessionSchema = zod_1.z.object({
88
88
  lastAccessedAt: zod_1.z.number(),
89
89
  });
90
90
  exports.redisConfigSchema = zod_1.z.object({
91
- host: zod_1.z.string(),
92
- port: zod_1.z.number().optional().default(6379),
91
+ host: zod_1.z.string().min(1),
92
+ port: zod_1.z.number().int().positive().optional().default(6379),
93
93
  password: zod_1.z.string().optional(),
94
- db: zod_1.z.number().optional().default(0),
94
+ db: zod_1.z.number().int().nonnegative().optional().default(0),
95
95
  tls: zod_1.z.boolean().optional().default(false),
96
96
  keyPrefix: zod_1.z.string().optional().default('mcp:session:'),
97
+ defaultTtlMs: zod_1.z.number().int().positive().optional().default(3600000), // 1 hour default
97
98
  });
98
99
  // Stateful storage options (discriminated by store type)
99
100
  const statefulStorageSchema = zod_1.z.discriminatedUnion('store', [
package/src/auth/session/transport-session.types.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"transport-session.types.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.types.ts"],"names":[],"mappings":";AAAA,0CAA0C;;;AAE1C,6BAAwB;AAyOxB,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,YAAY;IACZ,KAAK;IACL,iBAAiB;IACjB,eAAe;IACf,gBAAgB;CACjB,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACtB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEU,QAAA,kCAAkC,GAAG,OAAC,CAAC,MAAM,CAAC;IACzD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAChD,CAAC,CAAC;AAEU,QAAA,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IACvD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEU,QAAA,iCAAiC,GAAG,OAAC,CAAC,MAAM,CAAC;IACxD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC/D,+BAAuB;IACvB,0CAAkC;IAClC,wCAAgC;IAChC,yCAAiC;IACjC,qCAA6B;CAC9B,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,QAAQ,EAAE,+BAAuB;IACjC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,cAAc,EAAE,4BAAoB,CAAC,QAAQ,EAAE;CAChD,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,+BAAuB;IAC9B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEU,QAAA,gCAAgC,GAAG,+BAAuB,CAAC,MAAM,CAAC;IAC7E,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,8BAAsB;IAC/B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,2BAAmB,CAAC,CAAC,QAAQ,EAAE;IAC5D,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE;CAC3B,CAAC,CAAC;AAEU,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACzC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACpC,GAAG,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC1C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;CACzD,CAAC,CAAC;AAEH,yDAAyD;AACzD,MAAM,qBAAqB,GAAG,OAAC,CAAC,kBAAkB,CAAC,OAAO,EAAE;IAC1D,OAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACxC,OAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,yBAAiB,EAAE,CAAC;CACnE,CAAC,CAAC;AAEH,mEAAmE;AACnE,iCAAiC;AACpB,QAAA,0BAA0B,GAAG,OAAC,CAAC,KAAK,CAAC;IAChD,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;IAC1C,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACjF,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;CAClF,CAAC,CAAC","sourcesContent":["// auth/session/transport-session.types.ts\n\nimport { z } from 'zod';\n\n/**\n * Transport protocol types supported by MCP\n * These are the actual transport protocols for sessions (excludes 'delete-session' action)\n */\nexport type TransportProtocol = 'legacy-sse' | 'sse' | 'streamable-http' | 'stateful-http' | 'stateless-http';\n\n/**\n * Session storage mode for distributed systems\n */\nexport type SessionStorageMode = 'stateless' | 'stateful';\n\n/**\n * TransportSession represents a single client connection.\n * Multiple sessions can share the same authorization.\n * Each session is bound to a specific transport protocol.\n */\nexport interface TransportSession {\n /** Unique session ID (encrypted JWT or UUID) */\n id: string;\n\n /** Reference to the authorization this session uses */\n authorizationId: string;\n\n /** Transport protocol for this session */\n protocol: TransportProtocol;\n\n /** Session creation timestamp (epoch ms) */\n createdAt: number;\n\n /** Session expiration (epoch ms, independent of auth expiration) */\n expiresAt?: number;\n\n /** Node ID for distributed systems */\n nodeId: string;\n\n /** Client fingerprint for rate limiting/tracking */\n clientFingerprint?: string;\n\n /** Transport-specific state */\n transportState?: TransportState;\n}\n\n/**\n * Transport-specific state that varies by protocol\n */\nexport type TransportState =\n | SseTransportState\n | StreamableHttpTransportState\n | StatefulHttpTransportState\n | StatelessHttpTransportState\n | LegacySseTransportState;\n\n/**\n * SSE (Server-Sent Events) transport state\n */\nexport interface SseTransportState {\n type: 'sse';\n /** Last event ID for reconnection (per SSE spec) */\n lastEventId?: string;\n /** Connection keep-alive timestamp */\n lastPing?: number;\n /** Connection state */\n connectionState?: 'connecting' | 'open' | 'closed';\n}\n\n/**\n * Streamable HTTP transport state\n */\nexport interface StreamableHttpTransportState {\n type: 'streamable-http';\n /** Request sequence number */\n requestSeq: number;\n /** Active stream ID if streaming */\n activeStreamId?: string;\n /** Pending request IDs */\n pendingRequests?: string[];\n}\n\n/**\n * Stateful HTTP transport state\n */\nexport interface StatefulHttpTransportState {\n type: 'stateful-http';\n /** Request sequence number */\n requestSeq: number;\n /** Pending responses awaiting delivery */\n pendingResponses?: string[];\n /** Last activity timestamp */\n lastActivity?: number;\n}\n\n/**\n * Stateless HTTP transport state\n */\nexport interface StatelessHttpTransportState {\n type: 'stateless-http';\n /** Request count for rate limiting */\n requestCount: number;\n /** Window start for rate limiting */\n windowStart?: number;\n}\n\n/**\n * Legacy SSE transport state (for backwards compatibility)\n */\nexport interface LegacySseTransportState {\n type: 'legacy-sse';\n /** Message endpoint path */\n messagePath: string;\n /** Last event ID */\n lastEventId?: string;\n /** Connection state */\n connectionState?: 'connecting' | 'open' | 'closed';\n}\n\n/**\n * Session JWT payload - encodes both auth ref and transport context\n * This is the structure encrypted in the mcp-session-id header\n */\nexport interface SessionJwtPayload {\n /** Session ID (UUID) */\n sid: string;\n /** Authorization ID (token signature fingerprint) */\n aid: string;\n /** Transport protocol */\n proto: TransportProtocol;\n /** Node ID (for distributed systems) */\n nid: string;\n /** Issued at (epoch seconds) */\n iat: number;\n /** Expiration (epoch seconds) */\n exp?: number;\n}\n\n/**\n * Extended session JWT payload for stateless mode\n * Includes encrypted state and tokens\n */\nexport interface StatelessSessionJwtPayload extends SessionJwtPayload {\n /** Encrypted transport state (AES-256-GCM) */\n state?: string;\n /** Encrypted provider tokens (AES-256-GCM, for orchestrated mode) */\n tokens?: string;\n}\n\n/**\n * Stored session record (for stateful mode in Redis/memory)\n */\nexport interface StoredSession {\n /** The transport session data */\n session: TransportSession;\n /** Authorization ID reference */\n authorizationId: string;\n /** Encrypted provider tokens (for orchestrated mode) */\n tokens?: Record<string, EncryptedBlob>;\n /** Creation timestamp */\n createdAt: number;\n /** Last accessed timestamp */\n lastAccessedAt: number;\n}\n\n/**\n * Encrypted blob structure (AES-256-GCM)\n */\nexport interface EncryptedBlob {\n /** Algorithm identifier */\n alg: 'A256GCM';\n /** Key ID (for rotation) */\n kid?: string;\n /** Initialization vector (base64url) */\n iv: string;\n /** Authentication tag (base64url) */\n tag: string;\n /** Ciphertext (base64url) */\n data: string;\n /** Expiration hint (epoch seconds) */\n exp?: number;\n /** Additional metadata */\n meta?: Record<string, unknown>;\n}\n\n/**\n * Session store interface for stateful sessions\n */\nexport interface SessionStore {\n /**\n * Get a stored session by ID\n */\n get(sessionId: string): Promise<StoredSession | null>;\n\n /**\n * Store a session with optional TTL\n */\n set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void>;\n\n /**\n * Delete a session\n */\n delete(sessionId: string): Promise<void>;\n\n /**\n * Check if a session exists\n */\n exists(sessionId: string): Promise<boolean>;\n\n /**\n * Allocate a new session ID\n */\n allocId(): string;\n}\n\n/**\n * Session storage configuration\n */\nexport type SessionStorageConfig =\n | { mode: 'stateless' }\n | { mode: 'stateful'; store: 'memory' }\n | { mode: 'stateful'; store: 'redis'; config: RedisConfig };\n\n/**\n * Redis configuration\n */\nexport interface RedisConfig {\n host: string;\n port?: number;\n password?: string;\n db?: number;\n tls?: boolean;\n keyPrefix?: string;\n}\n\n// ============================================\n// Zod Schemas\n// ============================================\n\nexport const transportProtocolSchema = z.enum([\n 'legacy-sse',\n 'sse',\n 'streamable-http',\n 'stateful-http',\n 'stateless-http',\n]);\n\nexport const sseTransportStateSchema = z.object({\n type: z.literal('sse'),\n lastEventId: z.string().optional(),\n lastPing: z.number().optional(),\n connectionState: z.enum(['connecting', 'open', 'closed']).optional(),\n});\n\nexport const streamableHttpTransportStateSchema = z.object({\n type: z.literal('streamable-http'),\n requestSeq: z.number(),\n activeStreamId: z.string().optional(),\n pendingRequests: z.array(z.string()).optional(),\n});\n\nexport const statefulHttpTransportStateSchema = z.object({\n type: z.literal('stateful-http'),\n requestSeq: z.number(),\n pendingResponses: z.array(z.string()).optional(),\n lastActivity: z.number().optional(),\n});\n\nexport const statelessHttpTransportStateSchema = z.object({\n type: z.literal('stateless-http'),\n requestCount: z.number(),\n windowStart: z.number().optional(),\n});\n\nexport const legacySseTransportStateSchema = z.object({\n type: z.literal('legacy-sse'),\n messagePath: z.string(),\n lastEventId: z.string().optional(),\n connectionState: z.enum(['connecting', 'open', 'closed']).optional(),\n});\n\nexport const transportStateSchema = z.discriminatedUnion('type', [\n sseTransportStateSchema,\n streamableHttpTransportStateSchema,\n statefulHttpTransportStateSchema,\n statelessHttpTransportStateSchema,\n legacySseTransportStateSchema,\n]);\n\nexport const transportSessionSchema = z.object({\n id: z.string(),\n authorizationId: z.string(),\n protocol: transportProtocolSchema,\n createdAt: z.number(),\n expiresAt: z.number().optional(),\n nodeId: z.string(),\n clientFingerprint: z.string().optional(),\n transportState: transportStateSchema.optional(),\n});\n\nexport const sessionJwtPayloadSchema = z.object({\n sid: z.string(),\n aid: z.string(),\n proto: transportProtocolSchema,\n nid: z.string(),\n iat: z.number(),\n exp: z.number().optional(),\n});\n\nexport const statelessSessionJwtPayloadSchema = sessionJwtPayloadSchema.extend({\n state: z.string().optional(),\n tokens: z.string().optional(),\n});\n\nexport const encryptedBlobSchema = z.object({\n alg: z.literal('A256GCM'),\n kid: z.string().optional(),\n iv: z.string(),\n tag: z.string(),\n data: z.string(),\n exp: z.number().optional(),\n meta: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const storedSessionSchema = z.object({\n session: transportSessionSchema,\n authorizationId: z.string(),\n tokens: z.record(z.string(), encryptedBlobSchema).optional(),\n createdAt: z.number(),\n lastAccessedAt: z.number(),\n});\n\nexport const redisConfigSchema = z.object({\n host: z.string(),\n port: z.number().optional().default(6379),\n password: z.string().optional(),\n db: z.number().optional().default(0),\n tls: z.boolean().optional().default(false),\n keyPrefix: z.string().optional().default('mcp:session:'),\n});\n\n// Stateful storage options (discriminated by store type)\nconst statefulStorageSchema = z.discriminatedUnion('store', [\n z.object({ store: z.literal('memory') }),\n z.object({ store: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n// Session storage config using union instead of discriminatedUnion\n// to avoid duplicate mode values\nexport const sessionStorageConfigSchema = z.union([\n z.object({ mode: z.literal('stateless') }),\n z.object({ mode: z.literal('stateful') }).merge(statefulStorageSchema.options[0]),\n z.object({ mode: z.literal('stateful') }).merge(statefulStorageSchema.options[1]),\n]);\n"]}
1
+ {"version":3,"file":"transport-session.types.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.types.ts"],"names":[],"mappings":";AAAA,0CAA0C;;;AAE1C,6BAAwB;AA2OxB,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,YAAY;IACZ,KAAK;IACL,iBAAiB;IACjB,eAAe;IACf,gBAAgB;CACjB,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACtB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEU,QAAA,kCAAkC,GAAG,OAAC,CAAC,MAAM,CAAC;IACzD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAChD,CAAC,CAAC;AAEU,QAAA,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IACvD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEU,QAAA,iCAAiC,GAAG,OAAC,CAAC,MAAM,CAAC;IACxD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC/D,+BAAuB;IACvB,0CAAkC;IAClC,wCAAgC;IAChC,yCAAiC;IACjC,qCAA6B;CAC9B,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,QAAQ,EAAE,+BAAuB;IACjC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,cAAc,EAAE,4BAAoB,CAAC,QAAQ,EAAE;CAChD,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,+BAAuB;IAC9B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEU,QAAA,gCAAgC,GAAG,+BAAuB,CAAC,MAAM,CAAC;IAC7E,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,8BAAsB;IAC/B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,2BAAmB,CAAC,CAAC,QAAQ,EAAE;IAC5D,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE;CAC3B,CAAC,CAAC;AAEU,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC1D,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,GAAG,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC1C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;IACxD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,iBAAiB;CACzF,CAAC,CAAC;AAEH,yDAAyD;AACzD,MAAM,qBAAqB,GAAG,OAAC,CAAC,kBAAkB,CAAC,OAAO,EAAE;IAC1D,OAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACxC,OAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,yBAAiB,EAAE,CAAC;CACnE,CAAC,CAAC;AAEH,mEAAmE;AACnE,iCAAiC;AACpB,QAAA,0BAA0B,GAAG,OAAC,CAAC,KAAK,CAAC;IAChD,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;IAC1C,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACjF,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;CAClF,CAAC,CAAC","sourcesContent":["// auth/session/transport-session.types.ts\n\nimport { z } from 'zod';\n\n/**\n * Transport protocol types supported by MCP\n * These are the actual transport protocols for sessions (excludes 'delete-session' action)\n */\nexport type TransportProtocol = 'legacy-sse' | 'sse' | 'streamable-http' | 'stateful-http' | 'stateless-http';\n\n/**\n * Session storage mode for distributed systems\n */\nexport type SessionStorageMode = 'stateless' | 'stateful';\n\n/**\n * TransportSession represents a single client connection.\n * Multiple sessions can share the same authorization.\n * Each session is bound to a specific transport protocol.\n */\nexport interface TransportSession {\n /** Unique session ID (encrypted JWT or UUID) */\n id: string;\n\n /** Reference to the authorization this session uses */\n authorizationId: string;\n\n /** Transport protocol for this session */\n protocol: TransportProtocol;\n\n /** Session creation timestamp (epoch ms) */\n createdAt: number;\n\n /** Session expiration (epoch ms, independent of auth expiration) */\n expiresAt?: number;\n\n /** Node ID for distributed systems */\n nodeId: string;\n\n /** Client fingerprint for rate limiting/tracking */\n clientFingerprint?: string;\n\n /** Transport-specific state */\n transportState?: TransportState;\n}\n\n/**\n * Transport-specific state that varies by protocol\n */\nexport type TransportState =\n | SseTransportState\n | StreamableHttpTransportState\n | StatefulHttpTransportState\n | StatelessHttpTransportState\n | LegacySseTransportState;\n\n/**\n * SSE (Server-Sent Events) transport state\n */\nexport interface SseTransportState {\n type: 'sse';\n /** Last event ID for reconnection (per SSE spec) */\n lastEventId?: string;\n /** Connection keep-alive timestamp */\n lastPing?: number;\n /** Connection state */\n connectionState?: 'connecting' | 'open' | 'closed';\n}\n\n/**\n * Streamable HTTP transport state\n */\nexport interface StreamableHttpTransportState {\n type: 'streamable-http';\n /** Request sequence number */\n requestSeq: number;\n /** Active stream ID if streaming */\n activeStreamId?: string;\n /** Pending request IDs */\n pendingRequests?: string[];\n}\n\n/**\n * Stateful HTTP transport state\n */\nexport interface StatefulHttpTransportState {\n type: 'stateful-http';\n /** Request sequence number */\n requestSeq: number;\n /** Pending responses awaiting delivery */\n pendingResponses?: string[];\n /** Last activity timestamp */\n lastActivity?: number;\n}\n\n/**\n * Stateless HTTP transport state\n */\nexport interface StatelessHttpTransportState {\n type: 'stateless-http';\n /** Request count for rate limiting */\n requestCount: number;\n /** Window start for rate limiting */\n windowStart?: number;\n}\n\n/**\n * Legacy SSE transport state (for backwards compatibility)\n */\nexport interface LegacySseTransportState {\n type: 'legacy-sse';\n /** Message endpoint path */\n messagePath: string;\n /** Last event ID */\n lastEventId?: string;\n /** Connection state */\n connectionState?: 'connecting' | 'open' | 'closed';\n}\n\n/**\n * Session JWT payload - encodes both auth ref and transport context\n * This is the structure encrypted in the mcp-session-id header\n */\nexport interface SessionJwtPayload {\n /** Session ID (UUID) */\n sid: string;\n /** Authorization ID (token signature fingerprint) */\n aid: string;\n /** Transport protocol */\n proto: TransportProtocol;\n /** Node ID (for distributed systems) */\n nid: string;\n /** Issued at (epoch seconds) */\n iat: number;\n /** Expiration (epoch seconds) */\n exp?: number;\n}\n\n/**\n * Extended session JWT payload for stateless mode\n * Includes encrypted state and tokens\n */\nexport interface StatelessSessionJwtPayload extends SessionJwtPayload {\n /** Encrypted transport state (AES-256-GCM) */\n state?: string;\n /** Encrypted provider tokens (AES-256-GCM, for orchestrated mode) */\n tokens?: string;\n}\n\n/**\n * Stored session record (for stateful mode in Redis/memory)\n */\nexport interface StoredSession {\n /** The transport session data */\n session: TransportSession;\n /** Authorization ID reference */\n authorizationId: string;\n /** Encrypted provider tokens (for orchestrated mode) */\n tokens?: Record<string, EncryptedBlob>;\n /** Creation timestamp */\n createdAt: number;\n /** Last accessed timestamp */\n lastAccessedAt: number;\n}\n\n/**\n * Encrypted blob structure (AES-256-GCM)\n */\nexport interface EncryptedBlob {\n /** Algorithm identifier */\n alg: 'A256GCM';\n /** Key ID (for rotation) */\n kid?: string;\n /** Initialization vector (base64url) */\n iv: string;\n /** Authentication tag (base64url) */\n tag: string;\n /** Ciphertext (base64url) */\n data: string;\n /** Expiration hint (epoch seconds) */\n exp?: number;\n /** Additional metadata */\n meta?: Record<string, unknown>;\n}\n\n/**\n * Session store interface for stateful sessions\n */\nexport interface SessionStore {\n /**\n * Get a stored session by ID\n */\n get(sessionId: string): Promise<StoredSession | null>;\n\n /**\n * Store a session with optional TTL\n */\n set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void>;\n\n /**\n * Delete a session\n */\n delete(sessionId: string): Promise<void>;\n\n /**\n * Check if a session exists\n */\n exists(sessionId: string): Promise<boolean>;\n\n /**\n * Allocate a new session ID\n */\n allocId(): string;\n}\n\n/**\n * Session storage configuration\n */\nexport type SessionStorageConfig =\n | { mode: 'stateless' }\n | { mode: 'stateful'; store: 'memory' }\n | { mode: 'stateful'; store: 'redis'; config: RedisConfig };\n\n/**\n * Redis configuration\n */\nexport interface RedisConfig {\n host: string;\n port?: number;\n password?: string;\n db?: number;\n tls?: boolean;\n keyPrefix?: string;\n /** Default TTL in milliseconds for session extension on access (sliding expiration) */\n defaultTtlMs?: number;\n}\n\n// ============================================\n// Zod Schemas\n// ============================================\n\nexport const transportProtocolSchema = z.enum([\n 'legacy-sse',\n 'sse',\n 'streamable-http',\n 'stateful-http',\n 'stateless-http',\n]);\n\nexport const sseTransportStateSchema = z.object({\n type: z.literal('sse'),\n lastEventId: z.string().optional(),\n lastPing: z.number().optional(),\n connectionState: z.enum(['connecting', 'open', 'closed']).optional(),\n});\n\nexport const streamableHttpTransportStateSchema = z.object({\n type: z.literal('streamable-http'),\n requestSeq: z.number(),\n activeStreamId: z.string().optional(),\n pendingRequests: z.array(z.string()).optional(),\n});\n\nexport const statefulHttpTransportStateSchema = z.object({\n type: z.literal('stateful-http'),\n requestSeq: z.number(),\n pendingResponses: z.array(z.string()).optional(),\n lastActivity: z.number().optional(),\n});\n\nexport const statelessHttpTransportStateSchema = z.object({\n type: z.literal('stateless-http'),\n requestCount: z.number(),\n windowStart: z.number().optional(),\n});\n\nexport const legacySseTransportStateSchema = z.object({\n type: z.literal('legacy-sse'),\n messagePath: z.string(),\n lastEventId: z.string().optional(),\n connectionState: z.enum(['connecting', 'open', 'closed']).optional(),\n});\n\nexport const transportStateSchema = z.discriminatedUnion('type', [\n sseTransportStateSchema,\n streamableHttpTransportStateSchema,\n statefulHttpTransportStateSchema,\n statelessHttpTransportStateSchema,\n legacySseTransportStateSchema,\n]);\n\nexport const transportSessionSchema = z.object({\n id: z.string(),\n authorizationId: z.string(),\n protocol: transportProtocolSchema,\n createdAt: z.number(),\n expiresAt: z.number().optional(),\n nodeId: z.string(),\n clientFingerprint: z.string().optional(),\n transportState: transportStateSchema.optional(),\n});\n\nexport const sessionJwtPayloadSchema = z.object({\n sid: z.string(),\n aid: z.string(),\n proto: transportProtocolSchema,\n nid: z.string(),\n iat: z.number(),\n exp: z.number().optional(),\n});\n\nexport const statelessSessionJwtPayloadSchema = sessionJwtPayloadSchema.extend({\n state: z.string().optional(),\n tokens: z.string().optional(),\n});\n\nexport const encryptedBlobSchema = z.object({\n alg: z.literal('A256GCM'),\n kid: z.string().optional(),\n iv: z.string(),\n tag: z.string(),\n data: z.string(),\n exp: z.number().optional(),\n meta: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const storedSessionSchema = z.object({\n session: transportSessionSchema,\n authorizationId: z.string(),\n tokens: z.record(z.string(), encryptedBlobSchema).optional(),\n createdAt: z.number(),\n lastAccessedAt: z.number(),\n});\n\nexport const redisConfigSchema = z.object({\n host: z.string().min(1),\n port: z.number().int().positive().optional().default(6379),\n password: z.string().optional(),\n db: z.number().int().nonnegative().optional().default(0),\n tls: z.boolean().optional().default(false),\n keyPrefix: z.string().optional().default('mcp:session:'),\n defaultTtlMs: z.number().int().positive().optional().default(3600000), // 1 hour default\n});\n\n// Stateful storage options (discriminated by store type)\nconst statefulStorageSchema = z.discriminatedUnion('store', [\n z.object({ store: z.literal('memory') }),\n z.object({ store: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n// Session storage config using union instead of discriminatedUnion\n// to avoid duplicate mode values\nexport const sessionStorageConfigSchema = z.union([\n z.object({ mode: z.literal('stateless') }),\n z.object({ mode: z.literal('stateful') }).merge(statefulStorageSchema.options[0]),\n z.object({ mode: z.literal('stateful') }).merge(statefulStorageSchema.options[1]),\n]);\n"]}
package/src/auth/session/utils/session-id.utils.d.ts CHANGED
@@ -3,7 +3,8 @@ import type { PlatformDetectionConfig } from '../../../common/types/options/sess
3
3
  export declare function encryptJson(obj: unknown): string;
4
4
  /**
5
5
  * Decrypt a public session ID without signature verification.
6
- * Public sessions use authSig: 'public' and isPublic: true
6
+ * Public sessions use authSig: 'public' and isPublic: true.
7
+ * First checks the cache for potentially updated payload (e.g., platformType).
7
8
  */
8
9
  export declare function decryptPublicSession(sessionId: string): SessionIdPayload | null;
9
10
  /**
@@ -27,3 +28,13 @@ export declare function createSessionId(protocol: TransportProtocolType, token:
27
28
  };
28
29
  export declare function generateSessionCookie(sessionId: string, ttlInMinutes?: number): string;
29
30
  export declare function extractSessionFromCookie(cookie?: string): string | undefined;
31
+ /**
32
+ * Update a cached session payload with new data.
33
+ * This is used to persist changes like platformType detection that happen
34
+ * after the initial session creation.
35
+ *
36
+ * @param sessionId - The session ID to update
37
+ * @param updates - Partial payload updates to merge
38
+ * @returns true if the session was found and updated, false otherwise
39
+ */
40
+ export declare function updateSessionPayload(sessionId: string, updates: Partial<SessionIdPayload>): boolean;
package/src/auth/session/utils/session-id.utils.js CHANGED
@@ -6,21 +6,19 @@ exports.parseSessionHeader = parseSessionHeader;
6
6
  exports.createSessionId = createSessionId;
7
7
  exports.generateSessionCookie = generateSessionCookie;
8
8
  exports.extractSessionFromCookie = extractSessionFromCookie;
9
+ exports.updateSessionPayload = updateSessionPayload;
9
10
  // auth/session/utils/session-id.utils.ts
10
11
  const crypto_1 = require("crypto");
11
12
  const tiny_ttl_cache_1 = require("./tiny-ttl-cache");
12
13
  const auth_token_utils_1 = require("./auth-token.utils");
13
14
  const notification_service_1 = require("../../../notification/notification.service");
15
+ const machine_id_1 = require("../../machine-id");
14
16
  // 5s TTL cache for decrypted headers
15
17
  const cache = new tiny_ttl_cache_1.TinyTtlCache(5000);
16
- // Single-process machine id generated at server launch
17
- const MACHINE_ID = (() => {
18
- // Prefer an injected env (stable across restarts) if you have one; else random per launch:
19
- return process.env['MACHINE_ID'] || (0, crypto_1.randomUUID)(); // TODO: move to gateway config module
20
- })();
21
18
  // Symmetric key derived from secret or machine id (stable for the process)
19
+ // Uses getMachineId() from authorization module as single source of truth
22
20
  function getKey() {
23
- const base = process.env['MCP_SESSION_SECRET'] || MACHINE_ID; // TODO: move to gateway config module
21
+ const base = process.env['MCP_SESSION_SECRET'] || (0, machine_id_1.getMachineId)();
24
22
  return (0, crypto_1.createHash)('sha256').update(base).digest(); // 32 bytes
25
23
  }
26
24
  function b64urlEncode(buf) {
@@ -87,11 +85,23 @@ function decryptSessionId(sessionId, sig) {
87
85
  }
88
86
  /**
89
87
  * Decrypt a public session ID without signature verification.
90
- * Public sessions use authSig: 'public' and isPublic: true
88
+ * Public sessions use authSig: 'public' and isPublic: true.
89
+ * First checks the cache for potentially updated payload (e.g., platformType).
91
90
  */
92
91
  function decryptPublicSession(sessionId) {
92
+ // Check cache first - may have updated fields like platformType
93
+ const cached = cache.get(sessionId);
94
+ if (cached && isValidPublicSessionPayload(cached)) {
95
+ return cached;
96
+ }
97
+ // Fall back to decrypting from the encrypted session ID
93
98
  const dec = safeDecrypt(sessionId);
94
- return isValidPublicSessionPayload(dec) ? dec : null;
99
+ if (isValidPublicSessionPayload(dec)) {
100
+ // Cache the decrypted payload for future requests
101
+ cache.set(sessionId, dec);
102
+ return dec;
103
+ }
104
+ return null;
95
105
  }
96
106
  /**
97
107
  * Safe wrapper around decryptSessionJson that catches crypto/parse errors.
@@ -154,7 +164,7 @@ function createSessionId(protocol, token, options) {
154
164
  }
155
165
  }
156
166
  const payload = {
157
- nodeId: MACHINE_ID,
167
+ nodeId: (0, machine_id_1.getMachineId)(),
158
168
  authSig,
159
169
  uuid: (0, crypto_1.randomUUID)(),
160
170
  iat: nowSec(),
@@ -175,4 +185,33 @@ function extractSessionFromCookie(cookie) {
175
185
  const m = cookie.match(/(^|;)\s*mcp_session_id\s*=\s*([^;]*)/);
176
186
  return m ? m[2] : undefined;
177
187
  }
188
+ /**
189
+ * Update a cached session payload with new data.
190
+ * This is used to persist changes like platformType detection that happen
191
+ * after the initial session creation.
192
+ *
193
+ * @param sessionId - The session ID to update
194
+ * @param updates - Partial payload updates to merge
195
+ * @returns true if the session was found and updated, false otherwise
196
+ */
197
+ function updateSessionPayload(sessionId, updates) {
198
+ const existing = cache.get(sessionId);
199
+ if (existing) {
200
+ // Merge updates into existing payload
201
+ Object.assign(existing, updates);
202
+ // Re-set to refresh TTL
203
+ cache.set(sessionId, existing);
204
+ return true;
205
+ }
206
+ // Try to decrypt and update if not in cache
207
+ const decrypted = safeDecrypt(sessionId);
208
+ if (isValidSessionPayload(decrypted, decrypted?.authSig || '') ||
209
+ isValidPublicSessionPayload(decrypted)) {
210
+ const payload = decrypted;
211
+ Object.assign(payload, updates);
212
+ cache.set(sessionId, payload);
213
+ return true;
214
+ }
215
+ return false;
216
+ }
178
217
  //# sourceMappingURL=session-id.utils.js.map
package/src/auth/session/utils/session-id.utils.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session-id.utils.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":";;AAiCA,kCASC;AAyDD,oDAGC;AAsBD,gDAmCC;AASD,0CAwBC;AAED,sDAGC;AAED,4DAIC;AA3MD,yCAAyC;AACzC,mCAA+F;AAC/F,qDAAgD;AAEhD,yDAAkE;AAClE,qFAAyF;AAGzF,qCAAqC;AACrC,MAAM,KAAK,GAAG,IAAI,6BAAY,CAA2B,IAAI,CAAC,CAAC;AAE/D,uDAAuD;AACvD,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE;IACvB,2FAA2F;IAC3F,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,IAAA,mBAAU,GAAE,CAAC,CAAC,sCAAsC;AAC1F,CAAC,CAAC,EAAE,CAAC;AAEL,2EAA2E;AAC3E,SAAS,MAAM;IACb,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,UAAU,CAAC,CAAC,sCAAsC;IACpG,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW;AAChE,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1F,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,WAAW,CAAC,GAAY;IACtC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAChD,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,yCAAyC;IACzC,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;IACrC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAE7C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAE/B,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY,EAAE,GAAW;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,CACrB,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,GAAY;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,IAAI,CACvB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB,EAAE,GAAW;IACtD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,SAAiB;IACpD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,2BAA2B,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,SAAiB;IACpC,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,MAAM;IACb,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAChC,aAAiC,EACjC,KAAa;IAEb,MAAM,cAAc,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;gBACtC,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YAChD,CAAC;YACD,wCAAwC;QAC1C,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,GAAuB,EAAE,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;IACjB,kBAAkB;IAElB,yCAAyC;IACzC,wBAAwB;IACxB,6BAA6B;IAC7B,wBAAwB;IACxB,mBAAmB;IACnB,KAAK;IACL,uCAAuC;IACvC,6CAA6C;IAC7C,8BAA8B;IAC9B,oCAAoC;IACpC,sDAAsD;AACxD,CAAC;AASD,SAAgB,eAAe,CAAC,QAA+B,EAAE,KAAa,EAAE,OAA8B;IAC5G,MAAM,OAAO,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAEpD,sEAAsE;IACtE,IAAI,YAAwC,CAAC;IAC7C,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,YAAY,GAAG,IAAA,kDAA2B,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;QAC/F,+CAA+C;QAC/C,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,YAAY,GAAG,SAAS,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB;QAChC,MAAM,EAAE,UAAU;QAClB,OAAO;QACP,IAAI,EAAE,IAAA,mBAAU,GAAE;QAClB,GAAG,EAAE,MAAM,EAAE;QACb,QAAQ;QACR,YAAY;KACb,CAAC;IACF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACvB,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACzB,CAAC;AAED,SAAgB,qBAAqB,CAAC,SAAiB,EAAE,YAAY,GAAG,EAAE,GAAG,EAAE;IAC7E,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,OAAO,kBAAkB,SAAS,qBAAqB,OAAO,0BAA0B,CAAC;AAC3F,CAAC;AAED,SAAgB,wBAAwB,CAAC,MAAe;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC/D,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9B,CAAC","sourcesContent":["// auth/session/utils/session-id.utils.ts\nimport { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';\nimport { TinyTtlCache } from './tiny-ttl-cache';\nimport { SessionIdPayload, TransportProtocolType, AIPlatformType } from '../../../common';\nimport { getTokenSignatureFingerprint } from './auth-token.utils';\nimport { detectPlatformFromUserAgent } from '../../../notification/notification.service';\nimport type { PlatformDetectionConfig } from '../../../common/types/options/session.options';\n\n// 5s TTL cache for decrypted headers\nconst cache = new TinyTtlCache<string, SessionIdPayload>(5000);\n\n// Single-process machine id generated at server launch\nconst MACHINE_ID = (() => {\n // Prefer an injected env (stable across restarts) if you have one; else random per launch:\n return process.env['MACHINE_ID'] || randomUUID(); // TODO: move to gateway config module\n})();\n\n// Symmetric key derived from secret or machine id (stable for the process)\nfunction getKey(): Buffer {\n const base = process.env['MCP_SESSION_SECRET'] || MACHINE_ID; // TODO: move to gateway config module\n return createHash('sha256').update(base).digest(); // 32 bytes\n}\n\nfunction b64urlEncode(buf: Buffer): string {\n return buf.toString('base64').replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/g, '');\n}\n\nfunction b64urlDecode(s: string): Buffer {\n const pad = 4 - (s.length % 4);\n const base64 = s.replace(/-/g, '+').replace(/_/g, '/') + (pad < 4 ? '='.repeat(pad) : '');\n return Buffer.from(base64, 'base64');\n}\n\nexport function encryptJson(obj: unknown): string {\n const key = getKey();\n const iv = randomBytes(12); // AES-GCM 96-bit IV\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n const pt = Buffer.from(JSON.stringify(obj), 'utf8');\n const ct = Buffer.concat([cipher.update(pt), cipher.final()]);\n const tag = cipher.getAuthTag();\n // Pack iv.tag.ct as base64url(iv.tag.ct)\n return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;\n}\n\n/**\n * Low-level decryption that returns the raw JSON payload or null.\n * Handles all crypto/parsing failures by returning null.\n */\nfunction decryptSessionJson(sessionId: string): unknown {\n const parts = sessionId.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n if (!ivB64 || !tagB64 || !ctB64) return null;\n\n const key = getKey();\n const iv = b64urlDecode(ivB64);\n const tag = b64urlDecode(tagB64);\n const ct = b64urlDecode(ctB64);\n\n const decipher = createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n const pt = Buffer.concat([decipher.update(ct), decipher.final()]);\n return JSON.parse(pt.toString('utf8'));\n}\n\nfunction isValidSessionPayload(dec: unknown, sig: string): dec is SessionIdPayload {\n if (typeof dec !== 'object' || dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n typeof d['authSig'] === 'string' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['authSig'] === sig\n );\n}\n\nfunction isValidPublicSessionPayload(dec: unknown): dec is SessionIdPayload {\n if (typeof dec !== 'object' || dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n d['authSig'] === 'public' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['isPublic'] === true\n );\n}\n\nfunction decryptSessionId(sessionId: string, sig: string): SessionIdPayload | null {\n const dec = safeDecrypt(sessionId);\n return isValidSessionPayload(dec, sig) ? dec : null;\n}\n\n/**\n * Decrypt a public session ID without signature verification.\n * Public sessions use authSig: 'public' and isPublic: true\n */\nexport function decryptPublicSession(sessionId: string): SessionIdPayload | null {\n const dec = safeDecrypt(sessionId);\n return isValidPublicSessionPayload(dec) ? dec : null;\n}\n\n/**\n * Safe wrapper around decryptSessionJson that catches crypto/parse errors.\n */\nfunction safeDecrypt(sessionId: string): unknown {\n try {\n return decryptSessionJson(sessionId);\n } catch {\n return null;\n }\n}\n\nfunction nowSec(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/**\n * Validates an existing session header OR creates a fresh one.\n * - Valid: nodeId matches local, authSig matches current Authorization\n * - On any mismatch/decrypt error → generate new\n */\nexport function parseSessionHeader(\n sessionHeader: string | undefined,\n token: string,\n): { id: string; payload: SessionIdPayload } | undefined {\n const currentAuthSig = getTokenSignatureFingerprint(token);\n if (sessionHeader) {\n const cached = cache.get(sessionHeader);\n if (cached) {\n if (cached.authSig === currentAuthSig) {\n return { id: sessionHeader, payload: cached };\n }\n // fallthrough to regenerate if mismatch\n }\n\n const dec = decryptSessionId(sessionHeader, currentAuthSig);\n if (dec) {\n cache.set(sessionHeader, dec);\n return { id: sessionHeader, payload: dec as SessionIdPayload };\n }\n }\n\n return undefined;\n // // Create fresh\n\n // const decodedSse: SessionIdPayload = {\n // nodeId: MACHINE_ID,\n // authSig: currentAuthSig,\n // uuid: randomUUID(),\n // iat: nowSec(),\n // };\n // const header = encryptJson(decoded);\n // const headerSse = encryptJson(decodedSse);\n // cache.set(header, decoded);\n // cache.set(headerSse, decodedSse);\n // return { header, decoded, headerSse, isNew: true };\n}\n\nexport interface CreateSessionOptions {\n /** User-Agent header for pre-initialize platform detection */\n userAgent?: string;\n /** Platform detection configuration from scope */\n platformDetectionConfig?: PlatformDetectionConfig;\n}\n\nexport function createSessionId(protocol: TransportProtocolType, token: string, options?: CreateSessionOptions) {\n const authSig = getTokenSignatureFingerprint(token);\n\n // Detect platform from user-agent if provided (before MCP initialize)\n let platformType: AIPlatformType | undefined;\n if (options?.userAgent) {\n platformType = detectPlatformFromUserAgent(options.userAgent, options.platformDetectionConfig);\n // Only set if we detected something meaningful\n if (platformType === 'unknown') {\n platformType = undefined;\n }\n }\n\n const payload: SessionIdPayload = {\n nodeId: MACHINE_ID,\n authSig,\n uuid: randomUUID(),\n iat: nowSec(),\n protocol,\n platformType,\n };\n const id = encryptJson(payload);\n cache.set(id, payload);\n return { id, payload };\n}\n\nexport function generateSessionCookie(sessionId: string, ttlInMinutes = 60 * 24): string {\n const expires = new Date(Date.now() + ttlInMinutes * 60 * 1000).toUTCString();\n return `mcp_session_id=${sessionId}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;\n}\n\nexport function extractSessionFromCookie(cookie?: string): string | undefined {\n if (!cookie) return undefined;\n const m = cookie.match(/(^|;)\\s*mcp_session_id\\s*=\\s*([^;]*)/);\n return m ? m[2] : undefined;\n}\n"]}
1
+ {"version":3,"file":"session-id.utils.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":";;AA6BA,kCASC;AA0DD,oDAeC;AAsBD,gDAmCC;AASD,0CAwBC;AAED,sDAGC;AAED,4DAIC;AAWD,oDAuBC;AAtPD,yCAAyC;AACzC,mCAA+F;AAC/F,qDAAgD;AAEhD,yDAAkE;AAClE,qFAAyF;AAEzF,iDAAgD;AAEhD,qCAAqC;AACrC,MAAM,KAAK,GAAG,IAAI,6BAAY,CAA2B,IAAI,CAAC,CAAC;AAE/D,2EAA2E;AAC3E,0EAA0E;AAC1E,SAAS,MAAM;IACb,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAA,yBAAY,GAAE,CAAC;IACjE,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW;AAChE,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1F,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,WAAW,CAAC,GAAY;IACtC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAChD,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,yCAAyC;IACzC,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;IACrC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAE7C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAE/B,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY,EAAE,GAAW;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,CACrB,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,GAAY;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,IAAI,CACvB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB,EAAE,GAAW;IACtD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,SAAiB;IACpD,gEAAgE;IAChE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,MAAM,IAAI,2BAA2B,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wDAAwD;IACxD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,2BAA2B,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,kDAAkD;QAClD,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,GAAuB,CAAC,CAAC;QAC9C,OAAO,GAAuB,CAAC;IACjC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,SAAiB;IACpC,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,MAAM;IACb,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAChC,aAAiC,EACjC,KAAa;IAEb,MAAM,cAAc,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;gBACtC,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YAChD,CAAC;YACD,wCAAwC;QAC1C,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,GAAuB,EAAE,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;IACjB,kBAAkB;IAElB,yCAAyC;IACzC,wBAAwB;IACxB,6BAA6B;IAC7B,wBAAwB;IACxB,mBAAmB;IACnB,KAAK;IACL,uCAAuC;IACvC,6CAA6C;IAC7C,8BAA8B;IAC9B,oCAAoC;IACpC,sDAAsD;AACxD,CAAC;AASD,SAAgB,eAAe,CAAC,QAA+B,EAAE,KAAa,EAAE,OAA8B;IAC5G,MAAM,OAAO,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAEpD,sEAAsE;IACtE,IAAI,YAAwC,CAAC;IAC7C,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,YAAY,GAAG,IAAA,kDAA2B,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;QAC/F,+CAA+C;QAC/C,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,YAAY,GAAG,SAAS,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB;QAChC,MAAM,EAAE,IAAA,yBAAY,GAAE;QACtB,OAAO;QACP,IAAI,EAAE,IAAA,mBAAU,GAAE;QAClB,GAAG,EAAE,MAAM,EAAE;QACb,QAAQ;QACR,YAAY;KACb,CAAC;IACF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACvB,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACzB,CAAC;AAED,SAAgB,qBAAqB,CAAC,SAAiB,EAAE,YAAY,GAAG,EAAE,GAAG,EAAE;IAC7E,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,OAAO,kBAAkB,SAAS,qBAAqB,OAAO,0BAA0B,CAAC;AAC3F,CAAC;AAED,SAAgB,wBAAwB,CAAC,MAAe;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC/D,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9B,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,oBAAoB,CAAC,SAAiB,EAAE,OAAkC;IACxF,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,QAAQ,EAAE,CAAC;QACb,sCAAsC;QACtC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjC,wBAAwB;QACxB,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4CAA4C;IAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,IACE,qBAAqB,CAAC,SAAS,EAAG,SAA8B,EAAE,OAAO,IAAI,EAAE,CAAC;QAChF,2BAA2B,CAAC,SAAS,CAAC,EACtC,CAAC;QACD,MAAM,OAAO,GAAG,SAA6B,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// auth/session/utils/session-id.utils.ts\nimport { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';\nimport { TinyTtlCache } from './tiny-ttl-cache';\nimport { SessionIdPayload, TransportProtocolType, AIPlatformType } from '../../../common';\nimport { getTokenSignatureFingerprint } from './auth-token.utils';\nimport { detectPlatformFromUserAgent } from '../../../notification/notification.service';\nimport type { PlatformDetectionConfig } from '../../../common/types/options/session.options';\nimport { getMachineId } from '../../machine-id';\n\n// 5s TTL cache for decrypted headers\nconst cache = new TinyTtlCache<string, SessionIdPayload>(5000);\n\n// Symmetric key derived from secret or machine id (stable for the process)\n// Uses getMachineId() from authorization module as single source of truth\nfunction getKey(): Buffer {\n const base = process.env['MCP_SESSION_SECRET'] || getMachineId();\n return createHash('sha256').update(base).digest(); // 32 bytes\n}\n\nfunction b64urlEncode(buf: Buffer): string {\n return buf.toString('base64').replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/g, '');\n}\n\nfunction b64urlDecode(s: string): Buffer {\n const pad = 4 - (s.length % 4);\n const base64 = s.replace(/-/g, '+').replace(/_/g, '/') + (pad < 4 ? '='.repeat(pad) : '');\n return Buffer.from(base64, 'base64');\n}\n\nexport function encryptJson(obj: unknown): string {\n const key = getKey();\n const iv = randomBytes(12); // AES-GCM 96-bit IV\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n const pt = Buffer.from(JSON.stringify(obj), 'utf8');\n const ct = Buffer.concat([cipher.update(pt), cipher.final()]);\n const tag = cipher.getAuthTag();\n // Pack iv.tag.ct as base64url(iv.tag.ct)\n return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;\n}\n\n/**\n * Low-level decryption that returns the raw JSON payload or null.\n * Handles all crypto/parsing failures by returning null.\n */\nfunction decryptSessionJson(sessionId: string): unknown {\n const parts = sessionId.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n if (!ivB64 || !tagB64 || !ctB64) return null;\n\n const key = getKey();\n const iv = b64urlDecode(ivB64);\n const tag = b64urlDecode(tagB64);\n const ct = b64urlDecode(ctB64);\n\n const decipher = createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n const pt = Buffer.concat([decipher.update(ct), decipher.final()]);\n return JSON.parse(pt.toString('utf8'));\n}\n\nfunction isValidSessionPayload(dec: unknown, sig: string): dec is SessionIdPayload {\n if (typeof dec !== 'object' || dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n typeof d['authSig'] === 'string' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['authSig'] === sig\n );\n}\n\nfunction isValidPublicSessionPayload(dec: unknown): dec is SessionIdPayload {\n if (typeof dec !== 'object' || dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n d['authSig'] === 'public' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['isPublic'] === true\n );\n}\n\nfunction decryptSessionId(sessionId: string, sig: string): SessionIdPayload | null {\n const dec = safeDecrypt(sessionId);\n return isValidSessionPayload(dec, sig) ? dec : null;\n}\n\n/**\n * Decrypt a public session ID without signature verification.\n * Public sessions use authSig: 'public' and isPublic: true.\n * First checks the cache for potentially updated payload (e.g., platformType).\n */\nexport function decryptPublicSession(sessionId: string): SessionIdPayload | null {\n // Check cache first - may have updated fields like platformType\n const cached = cache.get(sessionId);\n if (cached && isValidPublicSessionPayload(cached)) {\n return cached;\n }\n\n // Fall back to decrypting from the encrypted session ID\n const dec = safeDecrypt(sessionId);\n if (isValidPublicSessionPayload(dec)) {\n // Cache the decrypted payload for future requests\n cache.set(sessionId, dec as SessionIdPayload);\n return dec as SessionIdPayload;\n }\n return null;\n}\n\n/**\n * Safe wrapper around decryptSessionJson that catches crypto/parse errors.\n */\nfunction safeDecrypt(sessionId: string): unknown {\n try {\n return decryptSessionJson(sessionId);\n } catch {\n return null;\n }\n}\n\nfunction nowSec(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/**\n * Validates an existing session header OR creates a fresh one.\n * - Valid: nodeId matches local, authSig matches current Authorization\n * - On any mismatch/decrypt error → generate new\n */\nexport function parseSessionHeader(\n sessionHeader: string | undefined,\n token: string,\n): { id: string; payload: SessionIdPayload } | undefined {\n const currentAuthSig = getTokenSignatureFingerprint(token);\n if (sessionHeader) {\n const cached = cache.get(sessionHeader);\n if (cached) {\n if (cached.authSig === currentAuthSig) {\n return { id: sessionHeader, payload: cached };\n }\n // fallthrough to regenerate if mismatch\n }\n\n const dec = decryptSessionId(sessionHeader, currentAuthSig);\n if (dec) {\n cache.set(sessionHeader, dec);\n return { id: sessionHeader, payload: dec as SessionIdPayload };\n }\n }\n\n return undefined;\n // // Create fresh\n\n // const decodedSse: SessionIdPayload = {\n // nodeId: MACHINE_ID,\n // authSig: currentAuthSig,\n // uuid: randomUUID(),\n // iat: nowSec(),\n // };\n // const header = encryptJson(decoded);\n // const headerSse = encryptJson(decodedSse);\n // cache.set(header, decoded);\n // cache.set(headerSse, decodedSse);\n // return { header, decoded, headerSse, isNew: true };\n}\n\nexport interface CreateSessionOptions {\n /** User-Agent header for pre-initialize platform detection */\n userAgent?: string;\n /** Platform detection configuration from scope */\n platformDetectionConfig?: PlatformDetectionConfig;\n}\n\nexport function createSessionId(protocol: TransportProtocolType, token: string, options?: CreateSessionOptions) {\n const authSig = getTokenSignatureFingerprint(token);\n\n // Detect platform from user-agent if provided (before MCP initialize)\n let platformType: AIPlatformType | undefined;\n if (options?.userAgent) {\n platformType = detectPlatformFromUserAgent(options.userAgent, options.platformDetectionConfig);\n // Only set if we detected something meaningful\n if (platformType === 'unknown') {\n platformType = undefined;\n }\n }\n\n const payload: SessionIdPayload = {\n nodeId: getMachineId(),\n authSig,\n uuid: randomUUID(),\n iat: nowSec(),\n protocol,\n platformType,\n };\n const id = encryptJson(payload);\n cache.set(id, payload);\n return { id, payload };\n}\n\nexport function generateSessionCookie(sessionId: string, ttlInMinutes = 60 * 24): string {\n const expires = new Date(Date.now() + ttlInMinutes * 60 * 1000).toUTCString();\n return `mcp_session_id=${sessionId}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;\n}\n\nexport function extractSessionFromCookie(cookie?: string): string | undefined {\n if (!cookie) return undefined;\n const m = cookie.match(/(^|;)\\s*mcp_session_id\\s*=\\s*([^;]*)/);\n return m ? m[2] : undefined;\n}\n\n/**\n * Update a cached session payload with new data.\n * This is used to persist changes like platformType detection that happen\n * after the initial session creation.\n *\n * @param sessionId - The session ID to update\n * @param updates - Partial payload updates to merge\n * @returns true if the session was found and updated, false otherwise\n */\nexport function updateSessionPayload(sessionId: string, updates: Partial<SessionIdPayload>): boolean {\n const existing = cache.get(sessionId);\n if (existing) {\n // Merge updates into existing payload\n Object.assign(existing, updates);\n // Re-set to refresh TTL\n cache.set(sessionId, existing);\n return true;\n }\n\n // Try to decrypt and update if not in cache\n const decrypted = safeDecrypt(sessionId);\n if (\n isValidSessionPayload(decrypted, (decrypted as SessionIdPayload)?.authSig || '') ||\n isValidPublicSessionPayload(decrypted)\n ) {\n const payload = decrypted as SessionIdPayload;\n Object.assign(payload, updates);\n cache.set(sessionId, payload);\n return true;\n }\n\n return false;\n}\n"]}
package/src/auth/ui/base-layout.d.ts CHANGED
@@ -3,7 +3,6 @@
3
3
  *
4
4
  * Provides a consistent HTML shell with all CDN resources pre-configured:
5
5
  * - Tailwind CSS v4 (Browser CDN) - Utility-first CSS framework with @theme support
6
- * - HTMX (CDN) - Progressive enhancement for interactivity
7
6
  * - Google Fonts (Inter) - Modern UI typography
8
7
  *
9
8
  * No build step required - all resources loaded from CDN at runtime.
@@ -31,11 +30,6 @@
31
30
  export declare const CDN: {
32
31
  /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */
33
32
  readonly tailwind: "https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4";
34
- /** HTMX - lightweight JS for AJAX, CSS Transitions, WebSockets */
35
- readonly htmx: {
36
- readonly url: "https://unpkg.com/htmx.org@1.9.10";
37
- readonly integrity: "sha384-D1Kt99CQMDuVetoL1lrYwg5t+9QdHe7NLX/SoJYkXDFfX37iInKRy5xLSi8nO7UC";
38
- };
39
33
  /** Google Fonts - Inter for modern UI */
40
34
  readonly fonts: {
41
35
  readonly preconnect: readonly ["https://fonts.googleapis.com", "https://fonts.gstatic.com"];
@@ -103,8 +97,6 @@ export interface BaseLayoutOptions {
103
97
  title: string;
104
98
  /** Optional description for meta tag */
105
99
  description?: string;
106
- /** Include HTMX script (default: true) */
107
- includeHtmx?: boolean;
108
100
  /** Include Tailwind CSS (default: true) */
109
101
  includeTailwind?: boolean;
110
102
  /** Include Google Fonts (default: true) */
package/src/auth/ui/base-layout.js CHANGED
@@ -4,7 +4,6 @@
4
4
  *
5
5
  * Provides a consistent HTML shell with all CDN resources pre-configured:
6
6
  * - Tailwind CSS v4 (Browser CDN) - Utility-first CSS framework with @theme support
7
- * - HTMX (CDN) - Progressive enhancement for interactivity
8
7
  * - Google Fonts (Inter) - Modern UI typography
9
8
  *
10
9
  * No build step required - all resources loaded from CDN at runtime.
@@ -43,11 +42,6 @@ exports.extraWideLayout = extraWideLayout;
43
42
  exports.CDN = {
44
43
  /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */
45
44
  tailwind: 'https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4',
46
- /** HTMX - lightweight JS for AJAX, CSS Transitions, WebSockets */
47
- htmx: {
48
- url: 'https://unpkg.com/htmx.org@1.9.10',
49
- integrity: 'sha384-D1Kt99CQMDuVetoL1lrYwg5t+9QdHe7NLX/SoJYkXDFfX37iInKRy5xLSi8nO7UC',
50
- },
51
45
  /** Google Fonts - Inter for modern UI */
52
46
  fonts: {
53
47
  preconnect: ['https://fonts.googleapis.com', 'https://fonts.gstatic.com'],
@@ -145,7 +139,7 @@ function buildThemeCss(theme) {
145
139
  * ```
146
140
  */
147
141
  function baseLayout(content, options) {
148
- const { title, description, includeHtmx = true, includeTailwind = true, includeFonts = true, headExtra = '', bodyClass = 'bg-gray-50 min-h-screen font-sans antialiased', theme, } = options;
142
+ const { title, description, includeTailwind = true, includeFonts = true, headExtra = '', bodyClass = 'bg-gray-50 min-h-screen font-sans antialiased', theme, } = options;
149
143
  // Merge theme with defaults
150
144
  const mergedTheme = {
151
145
  colors: { ...exports.DEFAULT_THEME.colors, ...theme?.colors },
@@ -173,10 +167,6 @@ function baseLayout(content, options) {
173
167
  ${customCss}
174
168
  </style>`
175
169
  : '';
176
- // Build HTMX script
177
- const htmxScript = includeHtmx
178
- ? `<script src="${exports.CDN.htmx.url}" integrity="${exports.CDN.htmx.integrity}" crossorigin="anonymous"></script>`
179
- : '';
180
170
  // Build meta description
181
171
  const metaDescription = description ? `<meta name="description" content="${escapeHtml(description)}">` : '';
182
172
  return `<!DOCTYPE html>
@@ -193,9 +183,6 @@ function baseLayout(content, options) {
193
183
 
194
184
  <!-- Tailwind CSS v4 Browser CDN with @theme support -->
195
185
  ${tailwindBlock}
196
-
197
- <!-- HTMX CDN - progressive enhancement (~14KB gzipped) -->
198
- ${htmxScript}
199
186
  ${headExtra}
200
187
  </head>
201
188
  <body class="${escapeHtml(bodyClass)}">
package/src/auth/ui/base-layout.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"base-layout.js","sourceRoot":"","sources":["../../../../src/auth/ui/base-layout.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;;AAoJH,gCAQC;AA0DD,gCA2EC;AAsBD,oCAqBC;AAgBD,gDAYC;AAKD,gCASC;AAKD,0CASC;AAlYD,+CAA+C;AAC/C,oBAAoB;AACpB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,GAAG,GAAG;IACjB,oFAAoF;IACpF,QAAQ,EAAE,qDAAqD;IAE/D,kEAAkE;IAClE,IAAI,EAAE;QACJ,GAAG,EAAE,mCAAmC;QACxC,SAAS,EAAE,yEAAyE;KACrF;IAED,yCAAyC;IACzC,KAAK,EAAE;QACL,UAAU,EAAE,CAAC,8BAA8B,EAAE,2BAA2B,CAAC;QACzE,UAAU,EAAE,kFAAkF;KAC/F;CACO,CAAC;AA0DX;;GAEG;AACU,QAAA,aAAa,GAAgB;IACxC,MAAM,EAAE;QACN,OAAO,EAAE,SAAS,EAAE,WAAW;QAC/B,cAAc,EAAE,SAAS,EAAE,WAAW;QACtC,SAAS,EAAE,SAAS,EAAE,aAAa;QACnC,MAAM,EAAE,SAAS,EAAE,WAAW;QAC9B,OAAO,EAAE,SAAS,EAAE,YAAY;QAChC,OAAO,EAAE,SAAS,EAAE,YAAY;QAChC,MAAM,EAAE,SAAS,EAAE,UAAU;KAC9B;IACD,KAAK,EAAE;QACL,IAAI,EAAE,qFAAqF;KAC5F;CACF,CAAC;AAmCF,+CAA+C;AAC/C,oBAAoB;AACpB,+CAA+C;AAE/C;;;;;;;;;;GAUG;AACH,SAAgB,UAAU,CAAC,GAAW;IACpC,OAAO,GAAG;SACP,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,KAAkB;IACvC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,sBAAsB;IACtB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YACxD,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,KAAK,KAAK,GAAG,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACvD,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,IAAI,CAAC,UAAU,GAAG,KAAK,KAAK,GAAG,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC;AAED,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,UAAU,CAAC,OAAe,EAAE,OAA0B;IACpE,MAAM,EACJ,KAAK,EACL,WAAW,EACX,WAAW,GAAG,IAAI,EAClB,eAAe,GAAG,IAAI,EACtB,YAAY,GAAG,IAAI,EACnB,SAAS,GAAG,EAAE,EACd,SAAS,GAAG,+CAA+C,EAC3D,KAAK,GACN,GAAG,OAAO,CAAC;IAEZ,4BAA4B;IAC5B,MAAM,WAAW,GAAgB;QAC/B,MAAM,EAAE,EAAE,GAAG,qBAAa,CAAC,MAAM,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE;QACrD,KAAK,EAAE,EAAE,GAAG,qBAAa,CAAC,KAAK,EAAE,GAAG,KAAK,EAAE,KAAK,EAAE;QAClD,UAAU,EAAE,KAAK,EAAE,UAAU;QAC7B,SAAS,EAAE,KAAK,EAAE,SAAS;KAC5B,CAAC;IAEF,8BAA8B;IAC9B,MAAM,cAAc,GAAG,YAAY;QACjC,CAAC,CAAC,WAAG,CAAC,KAAK,CAAC,UAAU;aACjB,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,gCAAgC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;aACtF,IAAI,CAAC,MAAM,CAAC;QACjB,CAAC,CAAC,EAAE,CAAC;IAEP,wBAAwB;IACxB,MAAM,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,eAAe,WAAG,CAAC,KAAK,CAAC,UAAU,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;IAEpG,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC;IAE9C,MAAM,aAAa,GAAG,eAAe;QACnC,CAAC,CAAC,gBAAgB,WAAG,CAAC,QAAQ;;;QAG1B,QAAQ;;MAEV,SAAS;WACJ;QACP,CAAC,CAAC,EAAE,CAAC;IAEP,oBAAoB;IACpB,MAAM,UAAU,GAAG,WAAW;QAC5B,CAAC,CAAC,gBAAgB,WAAG,CAAC,IAAI,CAAC,GAAG,gBAAgB,WAAG,CAAC,IAAI,CAAC,SAAS,qCAAqC;QACrG,CAAC,CAAC,EAAE,CAAC;IAEP,yBAAyB;IACzB,MAAM,eAAe,GAAG,WAAW,CAAC,CAAC,CAAC,qCAAqC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAE5G,OAAO;;;;;WAKE,UAAU,CAAC,KAAK,CAAC;IACxB,eAAe;;;IAGf,cAAc;IACd,cAAc;;;IAGd,aAAa;;;IAGb,UAAU;IACV,SAAS;;eAEE,UAAU,CAAC,SAAS,CAAC;IAChC,OAAO;;QAEH,CAAC;AACT,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,YAAY,CAC1B,cAA0C;IAE1C,OAAO,CAAC,OAAe,EAAE,OAA0B,EAAE,EAAE;QACrD,oBAAoB;QACpB,MAAM,WAAW,GACf,cAAc,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK;YACnC,CAAC,CAAC;gBACE,MAAM,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE;gBACrE,KAAK,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE;gBAClE,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,UAAU,IAAI,cAAc,CAAC,KAAK,EAAE,UAAU;gBACzE,SAAS,EAAE,OAAO,CAAC,KAAK,EAAE,SAAS,IAAI,cAAc,CAAC,KAAK,EAAE,SAAS;aACvE;YACH,CAAC,CAAC,SAAS,CAAC;QAEhB,OAAO,UAAU,CAAC,OAAO,EAAE;YACzB,GAAG,cAAc;YACjB,GAAG,OAAO;YACV,KAAK,EAAE,WAAW;SACnB,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,+CAA+C;AAC/C,yBAAyB;AACzB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,UAAU,GAAG,YAAY,CAAC;IACrC,SAAS,EAAE,+CAA+C;CAC3D,CAAC,CAAC;AAEH;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAe,EAAE,OAA0B;IAC5E,MAAM,cAAc,GAAG;;;QAGjB,OAAO;;SAEN,CAAC;IAER,OAAO,UAAU,CAAC,cAAc,EAAE;QAChC,GAAG,OAAO;QACV,SAAS,EAAE,gFAAgF;KAC5F,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,OAAe,EAAE,OAA0B;IACpE,MAAM,cAAc,GAAG;;;QAGjB,OAAO;;SAEN,CAAC;IAER,OAAO,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,OAAe,EAAE,OAA0B;IACzE,MAAM,cAAc,GAAG;;;QAGjB,OAAO;;SAEN,CAAC;IAER,OAAO,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC","sourcesContent":["/**\n * Base Layout for Server-Rendered Pages\n *\n * Provides a consistent HTML shell with all CDN resources pre-configured:\n * - Tailwind CSS v4 (Browser CDN) - Utility-first CSS framework with @theme support\n * - HTMX (CDN) - Progressive enhancement for interactivity\n * - Google Fonts (Inter) - Modern UI typography\n *\n * No build step required - all resources loaded from CDN at runtime.\n *\n * @example\n * ```typescript\n * // Basic usage\n * const html = baseLayout('<div>content</div>', { title: 'Page' });\n *\n * // With custom theme\n * const html = baseLayout('<div>content</div>', {\n * title: 'Page',\n * theme: {\n * colors: {\n * primary: '#3b82f6',\n * 'primary-dark': '#2563eb',\n * },\n * },\n * });\n * ```\n */\n\n// ============================================\n// CDN Configuration\n// ============================================\n\n/**\n * CDN URLs and versions - centralized for easy updates\n */\nexport const CDN = {\n /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */\n tailwind: 'https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4',\n\n /** HTMX - lightweight JS for AJAX, CSS Transitions, WebSockets */\n htmx: {\n url: 'https://unpkg.com/htmx.org@1.9.10',\n integrity: 'sha384-D1Kt99CQMDuVetoL1lrYwg5t+9QdHe7NLX/SoJYkXDFfX37iInKRy5xLSi8nO7UC',\n },\n\n /** Google Fonts - Inter for modern UI */\n fonts: {\n preconnect: ['https://fonts.googleapis.com', 'https://fonts.gstatic.com'],\n stylesheet: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap',\n },\n} as const;\n\n// ============================================\n// Theme Configuration\n// ============================================\n\n/**\n * Theme color configuration\n * Keys become CSS custom properties: --color-{key}\n */\nexport interface ThemeColors {\n /** Primary brand color */\n primary?: string;\n /** Darker primary for hover states */\n 'primary-dark'?: string;\n /** Secondary brand color */\n secondary?: string;\n /** Accent color for highlights */\n accent?: string;\n /** Success state color */\n success?: string;\n /** Warning state color */\n warning?: string;\n /** Error/danger state color */\n danger?: string;\n /** Custom colors (any additional colors) */\n [key: string]: string | undefined;\n}\n\n/**\n * Theme font configuration\n * Keys become CSS custom properties: --font-{key}\n */\nexport interface ThemeFonts {\n /** Sans-serif font family */\n sans?: string;\n /** Serif font family */\n serif?: string;\n /** Monospace font family */\n mono?: string;\n /** Custom fonts */\n [key: string]: string | undefined;\n}\n\n/**\n * Complete theme configuration for FrontMCP UI\n */\nexport interface ThemeConfig {\n /** Custom colors */\n colors?: ThemeColors;\n /** Custom fonts */\n fonts?: ThemeFonts;\n /** Additional custom CSS variables (raw @theme content) */\n customVars?: string;\n /** Additional custom CSS (outside @theme) */\n customCss?: string;\n}\n\n/**\n * Default theme with FrontMCP branding\n */\nexport const DEFAULT_THEME: ThemeConfig = {\n colors: {\n primary: '#3b82f6', // blue-500\n 'primary-dark': '#2563eb', // blue-600\n secondary: '#8b5cf6', // violet-500\n accent: '#06b6d4', // cyan-500\n success: '#22c55e', // green-500\n warning: '#f59e0b', // amber-500\n danger: '#ef4444', // red-500\n },\n fonts: {\n sans: 'Inter, system-ui, -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, sans-serif',\n },\n};\n\n// ============================================\n// Layout Options\n// ============================================\n\n/**\n * Options for the base layout\n */\nexport interface BaseLayoutOptions {\n /** Page title (will be suffixed with \" - FrontMCP\") */\n title: string;\n\n /** Optional description for meta tag */\n description?: string;\n\n /** Include HTMX script (default: true) */\n includeHtmx?: boolean;\n\n /** Include Tailwind CSS (default: true) */\n includeTailwind?: boolean;\n\n /** Include Google Fonts (default: true) */\n includeFonts?: boolean;\n\n /** Additional head content (scripts, styles, meta tags) */\n headExtra?: string;\n\n /** Body classes (default: 'bg-gray-50 min-h-screen font-sans antialiased') */\n bodyClass?: string;\n\n /** Theme configuration - colors, fonts, and custom CSS */\n theme?: ThemeConfig;\n}\n\n// ============================================\n// Utility Functions\n// ============================================\n\n/**\n * Escape HTML special characters to prevent XSS\n * Per OWASP guidelines, escapes: & < > \" ' /\n *\n * @param str - The string to escape\n * @returns The escaped string safe for HTML content and attributes\n *\n * @example\n * escapeHtml('<script>alert(\"xss\")</script>')\n * // => '&lt;script&gt;alert(&quot;xss&quot;)&lt;&#x2F;script&gt;'\n */\nexport function escapeHtml(str: string): string {\n return str\n .replace(/&/g, '&amp;')\n .replace(/</g, '&lt;')\n .replace(/>/g, '&gt;')\n .replace(/\"/g, '&quot;')\n .replace(/'/g, '&#39;')\n .replace(/\\//g, '&#x2F;');\n}\n\n/**\n * Build the @theme CSS block from theme configuration\n */\nfunction buildThemeCss(theme: ThemeConfig): string {\n const lines: string[] = [];\n\n // Add color variables\n if (theme.colors) {\n for (const [key, value] of Object.entries(theme.colors)) {\n if (value) {\n lines.push(`--color-${key}: ${value};`);\n }\n }\n }\n\n // Add font variables\n if (theme.fonts) {\n for (const [key, value] of Object.entries(theme.fonts)) {\n if (value) {\n lines.push(`--font-${key}: ${value};`);\n }\n }\n }\n\n // Add custom variables\n if (theme.customVars) {\n lines.push(theme.customVars);\n }\n\n return lines.join('\\n ');\n}\n\n// ============================================\n// Layout Builder\n// ============================================\n\n/**\n * Build the complete HTML document with CDN resources\n *\n * @param content - The page content (HTML string)\n * @param options - Layout configuration options\n * @returns Complete HTML document string\n *\n * @example\n * ```typescript\n * const html = baseLayout('<div>My content</div>', {\n * title: 'Sign In',\n * description: 'Sign in to your account',\n * theme: {\n * colors: {\n * primary: '#ff6b6b',\n * },\n * },\n * });\n * ```\n */\nexport function baseLayout(content: string, options: BaseLayoutOptions): string {\n const {\n title,\n description,\n includeHtmx = true,\n includeTailwind = true,\n includeFonts = true,\n headExtra = '',\n bodyClass = 'bg-gray-50 min-h-screen font-sans antialiased',\n theme,\n } = options;\n\n // Merge theme with defaults\n const mergedTheme: ThemeConfig = {\n colors: { ...DEFAULT_THEME.colors, ...theme?.colors },\n fonts: { ...DEFAULT_THEME.fonts, ...theme?.fonts },\n customVars: theme?.customVars,\n customCss: theme?.customCss,\n };\n\n // Build font preconnect links\n const fontPreconnect = includeFonts\n ? CDN.fonts.preconnect\n .map((url, i) => `<link rel=\"preconnect\" href=\"${url}\"${i > 0 ? ' crossorigin' : ''}>`)\n .join('\\n ')\n : '';\n\n // Build font stylesheet\n const fontStylesheet = includeFonts ? `<link href=\"${CDN.fonts.stylesheet}\" rel=\"stylesheet\">` : '';\n\n // Build Tailwind v4 script and theme styles\n const themeCss = buildThemeCss(mergedTheme);\n const customCss = mergedTheme.customCss || '';\n\n const tailwindBlock = includeTailwind\n ? `<script src=\"${CDN.tailwind}\"></script>\n <style type=\"text/tailwindcss\">\n @theme {\n ${themeCss}\n }\n ${customCss}\n </style>`\n : '';\n\n // Build HTMX script\n const htmxScript = includeHtmx\n ? `<script src=\"${CDN.htmx.url}\" integrity=\"${CDN.htmx.integrity}\" crossorigin=\"anonymous\"></script>`\n : '';\n\n // Build meta description\n const metaDescription = description ? `<meta name=\"description\" content=\"${escapeHtml(description)}\">` : '';\n\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>${escapeHtml(title)} - FrontMCP</title>\n ${metaDescription}\n\n <!-- Google Fonts CDN - Inter (modern UI font) -->\n ${fontPreconnect}\n ${fontStylesheet}\n\n <!-- Tailwind CSS v4 Browser CDN with @theme support -->\n ${tailwindBlock}\n\n <!-- HTMX CDN - progressive enhancement (~14KB gzipped) -->\n ${htmxScript}\n ${headExtra}\n</head>\n<body class=\"${escapeHtml(bodyClass)}\">\n ${content}\n</body>\n</html>`;\n}\n\n/**\n * Create a layout wrapper function with preset options\n *\n * @param defaultOptions - Default options to apply to all pages\n * @returns A function that wraps content with the layout\n *\n * @example\n * ```typescript\n * const brandedLayout = createLayout({\n * theme: {\n * colors: {\n * primary: '#ff6b6b',\n * 'primary-dark': '#ee5a5a',\n * },\n * },\n * });\n *\n * const html = brandedLayout('<div>Content</div>', { title: 'Page' });\n * ```\n */\nexport function createLayout(\n defaultOptions: Partial<BaseLayoutOptions>,\n): (content: string, options: BaseLayoutOptions) => string {\n return (content: string, options: BaseLayoutOptions) => {\n // Deep merge themes\n const mergedTheme: ThemeConfig | undefined =\n defaultOptions.theme || options.theme\n ? {\n colors: { ...defaultOptions.theme?.colors, ...options.theme?.colors },\n fonts: { ...defaultOptions.theme?.fonts, ...options.theme?.fonts },\n customVars: options.theme?.customVars ?? defaultOptions.theme?.customVars,\n customCss: options.theme?.customCss ?? defaultOptions.theme?.customCss,\n }\n : undefined;\n\n return baseLayout(content, {\n ...defaultOptions,\n ...options,\n theme: mergedTheme,\n });\n };\n}\n\n// ============================================\n// Pre-configured Layouts\n// ============================================\n\n/**\n * Default auth layout with standard styling\n */\nexport const authLayout = createLayout({\n bodyClass: 'bg-gray-50 min-h-screen font-sans antialiased',\n});\n\n/**\n * Centered card layout for login/auth pages\n */\nexport function centeredCardLayout(content: string, options: BaseLayoutOptions): string {\n const wrappedContent = `\n <div class=\"min-h-screen flex items-center justify-center p-4\">\n <div class=\"w-full max-w-md\">\n ${content}\n </div>\n </div>`;\n\n return baseLayout(wrappedContent, {\n ...options,\n bodyClass: 'bg-gradient-to-br from-primary to-secondary min-h-screen font-sans antialiased',\n });\n}\n\n/**\n * Wide layout for consent/selection pages\n */\nexport function wideLayout(content: string, options: BaseLayoutOptions): string {\n const wrappedContent = `\n <div class=\"min-h-screen py-8 px-4\">\n <div class=\"max-w-2xl mx-auto\">\n ${content}\n </div>\n </div>`;\n\n return baseLayout(wrappedContent, options);\n}\n\n/**\n * Extra wide layout for tool selection pages\n */\nexport function extraWideLayout(content: string, options: BaseLayoutOptions): string {\n const wrappedContent = `\n <div class=\"min-h-screen py-8 px-4\">\n <div class=\"max-w-3xl mx-auto\">\n ${content}\n </div>\n </div>`;\n\n return baseLayout(wrappedContent, options);\n}\n"]}
1
+ {"version":3,"file":"base-layout.js","sourceRoot":"","sources":["../../../../src/auth/ui/base-layout.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;;;AA2IH,gCAQC;AA0DD,gCAkEC;AAsBD,oCAqBC;AAgBD,gDAYC;AAKD,gCASC;AAKD,0CASC;AAhXD,+CAA+C;AAC/C,oBAAoB;AACpB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,GAAG,GAAG;IACjB,oFAAoF;IACpF,QAAQ,EAAE,qDAAqD;IAE/D,yCAAyC;IACzC,KAAK,EAAE;QACL,UAAU,EAAE,CAAC,8BAA8B,EAAE,2BAA2B,CAAC;QACzE,UAAU,EAAE,kFAAkF;KAC/F;CACO,CAAC;AA0DX;;GAEG;AACU,QAAA,aAAa,GAAgB;IACxC,MAAM,EAAE;QACN,OAAO,EAAE,SAAS,EAAE,WAAW;QAC/B,cAAc,EAAE,SAAS,EAAE,WAAW;QACtC,SAAS,EAAE,SAAS,EAAE,aAAa;QACnC,MAAM,EAAE,SAAS,EAAE,WAAW;QAC9B,OAAO,EAAE,SAAS,EAAE,YAAY;QAChC,OAAO,EAAE,SAAS,EAAE,YAAY;QAChC,MAAM,EAAE,SAAS,EAAE,UAAU;KAC9B;IACD,KAAK,EAAE;QACL,IAAI,EAAE,qFAAqF;KAC5F;CACF,CAAC;AAgCF,+CAA+C;AAC/C,oBAAoB;AACpB,+CAA+C;AAE/C;;;;;;;;;;GAUG;AACH,SAAgB,UAAU,CAAC,GAAW;IACpC,OAAO,GAAG;SACP,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,KAAkB;IACvC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,sBAAsB;IACtB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YACxD,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,KAAK,KAAK,GAAG,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACvD,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,IAAI,CAAC,UAAU,GAAG,KAAK,KAAK,GAAG,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC;AAED,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,UAAU,CAAC,OAAe,EAAE,OAA0B;IACpE,MAAM,EACJ,KAAK,EACL,WAAW,EACX,eAAe,GAAG,IAAI,EACtB,YAAY,GAAG,IAAI,EACnB,SAAS,GAAG,EAAE,EACd,SAAS,GAAG,+CAA+C,EAC3D,KAAK,GACN,GAAG,OAAO,CAAC;IAEZ,4BAA4B;IAC5B,MAAM,WAAW,GAAgB;QAC/B,MAAM,EAAE,EAAE,GAAG,qBAAa,CAAC,MAAM,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE;QACrD,KAAK,EAAE,EAAE,GAAG,qBAAa,CAAC,KAAK,EAAE,GAAG,KAAK,EAAE,KAAK,EAAE;QAClD,UAAU,EAAE,KAAK,EAAE,UAAU;QAC7B,SAAS,EAAE,KAAK,EAAE,SAAS;KAC5B,CAAC;IAEF,8BAA8B;IAC9B,MAAM,cAAc,GAAG,YAAY;QACjC,CAAC,CAAC,WAAG,CAAC,KAAK,CAAC,UAAU;aACjB,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,gCAAgC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;aACtF,IAAI,CAAC,MAAM,CAAC;QACjB,CAAC,CAAC,EAAE,CAAC;IAEP,wBAAwB;IACxB,MAAM,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,eAAe,WAAG,CAAC,KAAK,CAAC,UAAU,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;IAEpG,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC;IAE9C,MAAM,aAAa,GAAG,eAAe;QACnC,CAAC,CAAC,gBAAgB,WAAG,CAAC,QAAQ;;;QAG1B,QAAQ;;MAEV,SAAS;WACJ;QACP,CAAC,CAAC,EAAE,CAAC;IAEP,yBAAyB;IACzB,MAAM,eAAe,GAAG,WAAW,CAAC,CAAC,CAAC,qCAAqC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAE5G,OAAO;;;;;WAKE,UAAU,CAAC,KAAK,CAAC;IACxB,eAAe;;;IAGf,cAAc;IACd,cAAc;;;IAGd,aAAa;IACb,SAAS;;eAEE,UAAU,CAAC,SAAS,CAAC;IAChC,OAAO;;QAEH,CAAC;AACT,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,YAAY,CAC1B,cAA0C;IAE1C,OAAO,CAAC,OAAe,EAAE,OAA0B,EAAE,EAAE;QACrD,oBAAoB;QACpB,MAAM,WAAW,GACf,cAAc,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK;YACnC,CAAC,CAAC;gBACE,MAAM,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE;gBACrE,KAAK,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE;gBAClE,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,UAAU,IAAI,cAAc,CAAC,KAAK,EAAE,UAAU;gBACzE,SAAS,EAAE,OAAO,CAAC,KAAK,EAAE,SAAS,IAAI,cAAc,CAAC,KAAK,EAAE,SAAS;aACvE;YACH,CAAC,CAAC,SAAS,CAAC;QAEhB,OAAO,UAAU,CAAC,OAAO,EAAE;YACzB,GAAG,cAAc;YACjB,GAAG,OAAO;YACV,KAAK,EAAE,WAAW;SACnB,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,+CAA+C;AAC/C,yBAAyB;AACzB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,UAAU,GAAG,YAAY,CAAC;IACrC,SAAS,EAAE,+CAA+C;CAC3D,CAAC,CAAC;AAEH;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAe,EAAE,OAA0B;IAC5E,MAAM,cAAc,GAAG;;;QAGjB,OAAO;;SAEN,CAAC;IAER,OAAO,UAAU,CAAC,cAAc,EAAE;QAChC,GAAG,OAAO;QACV,SAAS,EAAE,gFAAgF;KAC5F,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,OAAe,EAAE,OAA0B;IACpE,MAAM,cAAc,GAAG;;;QAGjB,OAAO;;SAEN,CAAC;IAER,OAAO,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,OAAe,EAAE,OAA0B;IACzE,MAAM,cAAc,GAAG;;;QAGjB,OAAO;;SAEN,CAAC;IAER,OAAO,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC","sourcesContent":["/**\n * Base Layout for Server-Rendered Pages\n *\n * Provides a consistent HTML shell with all CDN resources pre-configured:\n * - Tailwind CSS v4 (Browser CDN) - Utility-first CSS framework with @theme support\n * - Google Fonts (Inter) - Modern UI typography\n *\n * No build step required - all resources loaded from CDN at runtime.\n *\n * @example\n * ```typescript\n * // Basic usage\n * const html = baseLayout('<div>content</div>', { title: 'Page' });\n *\n * // With custom theme\n * const html = baseLayout('<div>content</div>', {\n * title: 'Page',\n * theme: {\n * colors: {\n * primary: '#3b82f6',\n * 'primary-dark': '#2563eb',\n * },\n * },\n * });\n * ```\n */\n\n// ============================================\n// CDN Configuration\n// ============================================\n\n/**\n * CDN URLs and versions - centralized for easy updates\n */\nexport const CDN = {\n /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */\n tailwind: 'https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4',\n\n /** Google Fonts - Inter for modern UI */\n fonts: {\n preconnect: ['https://fonts.googleapis.com', 'https://fonts.gstatic.com'],\n stylesheet: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap',\n },\n} as const;\n\n// ============================================\n// Theme Configuration\n// ============================================\n\n/**\n * Theme color configuration\n * Keys become CSS custom properties: --color-{key}\n */\nexport interface ThemeColors {\n /** Primary brand color */\n primary?: string;\n /** Darker primary for hover states */\n 'primary-dark'?: string;\n /** Secondary brand color */\n secondary?: string;\n /** Accent color for highlights */\n accent?: string;\n /** Success state color */\n success?: string;\n /** Warning state color */\n warning?: string;\n /** Error/danger state color */\n danger?: string;\n /** Custom colors (any additional colors) */\n [key: string]: string | undefined;\n}\n\n/**\n * Theme font configuration\n * Keys become CSS custom properties: --font-{key}\n */\nexport interface ThemeFonts {\n /** Sans-serif font family */\n sans?: string;\n /** Serif font family */\n serif?: string;\n /** Monospace font family */\n mono?: string;\n /** Custom fonts */\n [key: string]: string | undefined;\n}\n\n/**\n * Complete theme configuration for FrontMCP UI\n */\nexport interface ThemeConfig {\n /** Custom colors */\n colors?: ThemeColors;\n /** Custom fonts */\n fonts?: ThemeFonts;\n /** Additional custom CSS variables (raw @theme content) */\n customVars?: string;\n /** Additional custom CSS (outside @theme) */\n customCss?: string;\n}\n\n/**\n * Default theme with FrontMCP branding\n */\nexport const DEFAULT_THEME: ThemeConfig = {\n colors: {\n primary: '#3b82f6', // blue-500\n 'primary-dark': '#2563eb', // blue-600\n secondary: '#8b5cf6', // violet-500\n accent: '#06b6d4', // cyan-500\n success: '#22c55e', // green-500\n warning: '#f59e0b', // amber-500\n danger: '#ef4444', // red-500\n },\n fonts: {\n sans: 'Inter, system-ui, -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, sans-serif',\n },\n};\n\n// ============================================\n// Layout Options\n// ============================================\n\n/**\n * Options for the base layout\n */\nexport interface BaseLayoutOptions {\n /** Page title (will be suffixed with \" - FrontMCP\") */\n title: string;\n\n /** Optional description for meta tag */\n description?: string;\n\n /** Include Tailwind CSS (default: true) */\n includeTailwind?: boolean;\n\n /** Include Google Fonts (default: true) */\n includeFonts?: boolean;\n\n /** Additional head content (scripts, styles, meta tags) */\n headExtra?: string;\n\n /** Body classes (default: 'bg-gray-50 min-h-screen font-sans antialiased') */\n bodyClass?: string;\n\n /** Theme configuration - colors, fonts, and custom CSS */\n theme?: ThemeConfig;\n}\n\n// ============================================\n// Utility Functions\n// ============================================\n\n/**\n * Escape HTML special characters to prevent XSS\n * Per OWASP guidelines, escapes: & < > \" ' /\n *\n * @param str - The string to escape\n * @returns The escaped string safe for HTML content and attributes\n *\n * @example\n * escapeHtml('<script>alert(\"xss\")</script>')\n * // => '&lt;script&gt;alert(&quot;xss&quot;)&lt;&#x2F;script&gt;'\n */\nexport function escapeHtml(str: string): string {\n return str\n .replace(/&/g, '&amp;')\n .replace(/</g, '&lt;')\n .replace(/>/g, '&gt;')\n .replace(/\"/g, '&quot;')\n .replace(/'/g, '&#39;')\n .replace(/\\//g, '&#x2F;');\n}\n\n/**\n * Build the @theme CSS block from theme configuration\n */\nfunction buildThemeCss(theme: ThemeConfig): string {\n const lines: string[] = [];\n\n // Add color variables\n if (theme.colors) {\n for (const [key, value] of Object.entries(theme.colors)) {\n if (value) {\n lines.push(`--color-${key}: ${value};`);\n }\n }\n }\n\n // Add font variables\n if (theme.fonts) {\n for (const [key, value] of Object.entries(theme.fonts)) {\n if (value) {\n lines.push(`--font-${key}: ${value};`);\n }\n }\n }\n\n // Add custom variables\n if (theme.customVars) {\n lines.push(theme.customVars);\n }\n\n return lines.join('\\n ');\n}\n\n// ============================================\n// Layout Builder\n// ============================================\n\n/**\n * Build the complete HTML document with CDN resources\n *\n * @param content - The page content (HTML string)\n * @param options - Layout configuration options\n * @returns Complete HTML document string\n *\n * @example\n * ```typescript\n * const html = baseLayout('<div>My content</div>', {\n * title: 'Sign In',\n * description: 'Sign in to your account',\n * theme: {\n * colors: {\n * primary: '#ff6b6b',\n * },\n * },\n * });\n * ```\n */\nexport function baseLayout(content: string, options: BaseLayoutOptions): string {\n const {\n title,\n description,\n includeTailwind = true,\n includeFonts = true,\n headExtra = '',\n bodyClass = 'bg-gray-50 min-h-screen font-sans antialiased',\n theme,\n } = options;\n\n // Merge theme with defaults\n const mergedTheme: ThemeConfig = {\n colors: { ...DEFAULT_THEME.colors, ...theme?.colors },\n fonts: { ...DEFAULT_THEME.fonts, ...theme?.fonts },\n customVars: theme?.customVars,\n customCss: theme?.customCss,\n };\n\n // Build font preconnect links\n const fontPreconnect = includeFonts\n ? CDN.fonts.preconnect\n .map((url, i) => `<link rel=\"preconnect\" href=\"${url}\"${i > 0 ? ' crossorigin' : ''}>`)\n .join('\\n ')\n : '';\n\n // Build font stylesheet\n const fontStylesheet = includeFonts ? `<link href=\"${CDN.fonts.stylesheet}\" rel=\"stylesheet\">` : '';\n\n // Build Tailwind v4 script and theme styles\n const themeCss = buildThemeCss(mergedTheme);\n const customCss = mergedTheme.customCss || '';\n\n const tailwindBlock = includeTailwind\n ? `<script src=\"${CDN.tailwind}\"></script>\n <style type=\"text/tailwindcss\">\n @theme {\n ${themeCss}\n }\n ${customCss}\n </style>`\n : '';\n\n // Build meta description\n const metaDescription = description ? `<meta name=\"description\" content=\"${escapeHtml(description)}\">` : '';\n\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>${escapeHtml(title)} - FrontMCP</title>\n ${metaDescription}\n\n <!-- Google Fonts CDN - Inter (modern UI font) -->\n ${fontPreconnect}\n ${fontStylesheet}\n\n <!-- Tailwind CSS v4 Browser CDN with @theme support -->\n ${tailwindBlock}\n ${headExtra}\n</head>\n<body class=\"${escapeHtml(bodyClass)}\">\n ${content}\n</body>\n</html>`;\n}\n\n/**\n * Create a layout wrapper function with preset options\n *\n * @param defaultOptions - Default options to apply to all pages\n * @returns A function that wraps content with the layout\n *\n * @example\n * ```typescript\n * const brandedLayout = createLayout({\n * theme: {\n * colors: {\n * primary: '#ff6b6b',\n * 'primary-dark': '#ee5a5a',\n * },\n * },\n * });\n *\n * const html = brandedLayout('<div>Content</div>', { title: 'Page' });\n * ```\n */\nexport function createLayout(\n defaultOptions: Partial<BaseLayoutOptions>,\n): (content: string, options: BaseLayoutOptions) => string {\n return (content: string, options: BaseLayoutOptions) => {\n // Deep merge themes\n const mergedTheme: ThemeConfig | undefined =\n defaultOptions.theme || options.theme\n ? {\n colors: { ...defaultOptions.theme?.colors, ...options.theme?.colors },\n fonts: { ...defaultOptions.theme?.fonts, ...options.theme?.fonts },\n customVars: options.theme?.customVars ?? defaultOptions.theme?.customVars,\n customCss: options.theme?.customCss ?? defaultOptions.theme?.customCss,\n }\n : undefined;\n\n return baseLayout(content, {\n ...defaultOptions,\n ...options,\n theme: mergedTheme,\n });\n };\n}\n\n// ============================================\n// Pre-configured Layouts\n// ============================================\n\n/**\n * Default auth layout with standard styling\n */\nexport const authLayout = createLayout({\n bodyClass: 'bg-gray-50 min-h-screen font-sans antialiased',\n});\n\n/**\n * Centered card layout for login/auth pages\n */\nexport function centeredCardLayout(content: string, options: BaseLayoutOptions): string {\n const wrappedContent = `\n <div class=\"min-h-screen flex items-center justify-center p-4\">\n <div class=\"w-full max-w-md\">\n ${content}\n </div>\n </div>`;\n\n return baseLayout(wrappedContent, {\n ...options,\n bodyClass: 'bg-gradient-to-br from-primary to-secondary min-h-screen font-sans antialiased',\n });\n}\n\n/**\n * Wide layout for consent/selection pages\n */\nexport function wideLayout(content: string, options: BaseLayoutOptions): string {\n const wrappedContent = `\n <div class=\"min-h-screen py-8 px-4\">\n <div class=\"max-w-2xl mx-auto\">\n ${content}\n </div>\n </div>`;\n\n return baseLayout(wrappedContent, options);\n}\n\n/**\n * Extra wide layout for tool selection pages\n */\nexport function extraWideLayout(content: string, options: BaseLayoutOptions): string {\n const wrappedContent = `\n <div class=\"min-h-screen py-8 px-4\">\n <div class=\"max-w-3xl mx-auto\">\n ${content}\n </div>\n </div>`;\n\n return baseLayout(wrappedContent, options);\n}\n"]}
package/src/auth/ui/index.d.ts CHANGED
@@ -1,11 +1,10 @@
1
1
  /**
2
2
  * Auth UI Module
3
3
  *
4
- * Server-rendered UI templates for OAuth flows using HTMX
5
- * with Tailwind CSS (CDN) and Google Fonts.
4
+ * Server-rendered UI templates for OAuth flows with Tailwind CSS (CDN)
5
+ * and Google Fonts.
6
6
  *
7
7
  * No build step required - all rendering is done at runtime.
8
- * HTMX provides progressive enhancement for interactivity (~14KB).
9
8
  */
10
9
  export { CDN, DEFAULT_THEME, type ThemeColors, type ThemeFonts, type ThemeConfig, type BaseLayoutOptions, baseLayout, createLayout, authLayout, centeredCardLayout, wideLayout, extraWideLayout, escapeHtml, } from './base-layout';
11
- export { type AppAuthCard, type ProviderCard, type ToolCard, buildConsentPage, buildIncrementalAuthPage, buildFederatedLoginPage, buildToolConsentPage, buildLoginPage, buildErrorPage, renderToHtml, } from './htmx-templates';
10
+ export { type AppAuthCard, type ProviderCard, type ToolCard, buildConsentPage, buildIncrementalAuthPage, buildFederatedLoginPage, buildToolConsentPage, buildLoginPage, buildErrorPage, renderToHtml, } from './templates';