npm - @frontmcp/sdk - Versions diffs - 0.6.0 → 0.6.2 - Mend

@frontmcp/sdk 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1053) hide show

package/src/auth/flows/auth.verify.flow.js DELETED Viewed

@@ -1,379 +0,0 @@
-"use strict";
-// auth/flows/auth.verify.flow.ts
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.authVerifyOutputSchema = void 0;
-const tslib_1 = require("tslib");
-const common_1 = require("../../common");
-require("reflect-metadata");
-const zod_1 = require("zod");
-const auth_token_utils_1 = require("../session/utils/auth-token.utils");
-const jwks_1 = require("../jwks");
-const utils_1 = require("../utils");
-const authorization_1 = require("../authorization");
-const authorization_2 = require("../authorization");
-// Input schema
-const inputSchema = common_1.httpRequestInputSchema;
-// State schema for the flow
-const stateSchema = zod_1.z.object({
-    baseUrl: zod_1.z.string().min(1),
-    authorizationHeader: zod_1.z.string().optional(),
-    token: zod_1.z.string().optional(),
-    sessionIdHeader: zod_1.z.string().optional(),
-    prmUrl: zod_1.z.string(),
-    wwwAuthenticateHeader: zod_1.z.string(),
-    authMode: zod_1.z.enum(['public', 'transparent', 'orchestrated']).optional(),
-    jwtPayload: zod_1.z.object({}).passthrough().optional(),
-    user: authorization_2.authUserSchema.optional(),
-});
-// Output schemas
-const UnauthorizedSchema = zod_1.z
-    .object({
-    kind: zod_1.z.literal('unauthorized'),
-    wwwAuthenticateHeader: zod_1.z.string().describe('WWW-Authenticate header per RFC 9728'),
-    reason: zod_1.z.string().optional().describe('Human-readable reason for rejection'),
-})
-    .describe('401 Unauthorized response');
-const AuthorizedSchema = zod_1.z
-    .object({
-    kind: zod_1.z.literal('authorized'),
-    authorization: zod_1.z.custom().describe('Authorization object'),
-    llmContext: authorization_2.llmSafeAuthContextSchema.optional().describe('LLM-safe context (no tokens)'),
-})
-    .describe('Authorized response with Authorization object');
-exports.authVerifyOutputSchema = zod_1.z.union([UnauthorizedSchema, AuthorizedSchema]);
-// Flow plan
-const plan = {
-    pre: ['parseInput', 'determineAuthMode', 'handlePublicMode', 'requireAuthorizationHeader', 'verifyToken'],
-    execute: ['buildAuthorization'],
-};
-const name = 'auth:verify';
-const Stage = (0, common_1.StageHookOf)(name);
-/**
- * Auth Verify Flow
- *
- * New authorization verification flow that supports the three auth modes:
- * - public: Auto-generate anonymous authorization
- * - transparent: Pass-through OAuth tokens from upstream provider
- * - orchestrated: Local auth server with secure token storage
- *
- * This flow creates Authorization objects instead of legacy Session objects.
- */
-let AuthVerifyFlow = class AuthVerifyFlow extends common_1.FlowBase {
-    logger = this.scope.logger.child('AuthVerifyFlow');
-    /**
-     * Parse request headers and build WWW-Authenticate header
-     */
-    async parseInput() {
-        const { request } = this.rawInput;
-        const entryPath = (0, common_1.normalizeEntryPrefix)(this.scope.entryPath);
-        const routeBase = (0, common_1.normalizeScopeBase)(this.scope.routeBase);
-        const baseUrl = (0, common_1.getRequestBaseUrl)(request, entryPath);
-        // Extract headers
-        const authorizationHeader = request.headers?.['authorization'] ?? undefined;
-        const sessionIdHeader = request.headers?.['mcp-session-id'] ??
-            request.query['sessionId'] ??
-            undefined;
-        // Build PRM URL and WWW-Authenticate header
-        const prmUrl = (0, utils_1.buildPrmUrl)(baseUrl, entryPath, routeBase);
-        const wwwAuthenticateHeader = (0, utils_1.buildUnauthorizedHeader)(prmUrl);
-        const token = (0, auth_token_utils_1.extractBearerToken)(authorizationHeader);
-        this.state.set({
-            baseUrl,
-            authorizationHeader,
-            token,
-            sessionIdHeader,
-            prmUrl,
-            wwwAuthenticateHeader,
-        });
-    }
-    /**
-     * Determine which auth mode to use based on scope configuration
-     */
-    async determineAuthMode() {
-        const authOptions = this.scope.auth?.options;
-        // Determine auth mode from options
-        let authMode = 'public'; // default
-        if (authOptions && 'mode' in authOptions) {
-            authMode = authOptions.mode;
-        }
-        this.logger.debug(`Auth mode determined: ${authMode}`);
-        this.state.set('authMode', authMode);
-    }
-    /**
-     * Handle public mode - create anonymous authorization without requiring a token
-     */
-    async handlePublicMode() {
-        const authOptions = this.scope.auth?.options;
-        // Create anonymous authorization
-        const publicAccess = authOptions?.['publicAccess'];
-        const authorization = authorization_1.PublicAuthorization.create({
-            scopes: authOptions?.['anonymousScopes'] ?? ['anonymous'],
-            ttlMs: this.parseTtl(authOptions?.['sessionTtl']),
-            issuer: authOptions?.['issuer'] ?? this.state.required.baseUrl,
-            allowedTools: publicAccess?.['tools'] ?? 'all',
-            allowedPrompts: publicAccess?.['prompts'] ?? 'all',
-        });
-        this.logger.info(`Created anonymous authorization: ${authorization.id}`);
-        this.respond({
-            kind: 'authorized',
-            authorization,
-        });
-    }
-    /**
-     * Require authorization header for non-public modes
-     */
-    async requireAuthorizationHeader() {
-        this.logger.warn('No authorization header provided');
-        this.respond({
-            kind: 'unauthorized',
-            wwwAuthenticateHeader: this.state.required.wwwAuthenticateHeader,
-            reason: 'No authorization header provided',
-        });
-    }
-    /**
-     * Verify the JWT token
-     */
-    async verifyToken() {
-        const jwks = this.get(jwks_1.JwksService);
-        const token = this.state.required.token;
-        const authMode = this.state.required.authMode;
-        const { baseUrl, prmUrl } = this.state.required;
-        // Non-JWT tokens are not supported
-        if (!(0, auth_token_utils_1.isJwt)(token)) {
-            this.logger.warn('Token is not a JWT');
-            this.respond({
-                kind: 'unauthorized',
-                wwwAuthenticateHeader: (0, utils_1.buildInvalidTokenHeader)(prmUrl, 'Token is not a valid JWT'),
-                reason: 'Token is not a valid JWT',
-            });
-            return;
-        }
-        // Verify based on auth mode
-        let verifyResult;
-        if (authMode === 'orchestrated') {
-            // Orchestrated: verify against local keys
-            verifyResult = await jwks.verifyGatewayToken(token, baseUrl);
-        }
-        else {
-            // Transparent: verify against upstream provider
-            const authOptions = this.scope.auth?.options;
-            const issuerUrl = this.scope.auth?.issuer;
-            if (!issuerUrl) {
-                this.logger.warn('No issuer URL configured for transparent mode');
-                this.respond({
-                    kind: 'unauthorized',
-                    wwwAuthenticateHeader: (0, utils_1.buildInvalidTokenHeader)(prmUrl, 'Server misconfiguration'),
-                    reason: 'No issuer URL configured',
-                });
-                return;
-            }
-            const providerRefs = [
-                {
-                    id: authOptions?.['id'] ?? 'default',
-                    issuerUrl,
-                    jwks: authOptions?.['jwks'],
-                    jwksUri: authOptions?.['jwksUri'],
-                },
-            ];
-            verifyResult = await jwks.verifyTransparentToken(token, providerRefs);
-        }
-        if (!verifyResult.ok) {
-            this.logger.warn(`Token verification failed: ${verifyResult.error}`);
-            this.respond({
-                kind: 'unauthorized',
-                wwwAuthenticateHeader: (0, utils_1.buildInvalidTokenHeader)(prmUrl, verifyResult.error),
-                reason: verifyResult.error ?? 'Token verification failed',
-            });
-            return;
-        }
-        // Validate audience
-        const authOptionsForAudience = this.scope.auth?.options;
-        const expectedAudience = authOptionsForAudience?.['expectedAudience'] ??
-            (0, utils_1.deriveExpectedAudience)(baseUrl);
-        const expectedAudienceArray = Array.isArray(expectedAudience) ? expectedAudience : [expectedAudience];
-        const audResult = (0, utils_1.validateAudience)(verifyResult.payload?.aud, {
-            expectedAudiences: expectedAudienceArray,
-            allowNoAudience: true, // Some tokens may not have audience
-        });
-        if (!audResult.valid) {
-            this.logger.warn(`Audience validation failed: ${audResult.error}`);
-            this.respond({
-                kind: 'unauthorized',
-                wwwAuthenticateHeader: (0, utils_1.buildInvalidTokenHeader)(prmUrl, audResult.error),
-                reason: audResult.error,
-            });
-            return;
-        }
-        // Check required scopes
-        const requiredScopes = authOptionsForAudience?.['requiredScopes'] ?? [];
-        if (requiredScopes.length > 0) {
-            const tokenScopes = this.parseScopes(verifyResult.payload?.scope);
-            const hasAllScopes = requiredScopes.every((s) => tokenScopes.includes(s));
-            if (!hasAllScopes) {
-                this.logger.warn(`Insufficient scopes. Required: ${requiredScopes.join(', ')}`);
-                this.respond({
-                    kind: 'unauthorized',
-                    wwwAuthenticateHeader: (0, utils_1.buildInsufficientScopeHeader)(prmUrl, requiredScopes),
-                    reason: `Missing required scopes: ${requiredScopes.join(', ')}`,
-                });
-                return;
-            }
-        }
-        // Store verified payload and user
-        const user = (0, auth_token_utils_1.deriveTypedUser)(verifyResult.payload ?? {});
-        this.state.set({
-            jwtPayload: verifyResult.payload,
-            user,
-        });
-    }
-    /**
-     * Build the Authorization object based on auth mode
-     */
-    async buildAuthorization() {
-        const { token, jwtPayload, user, authMode, baseUrl } = this.state.required;
-        if (!user) {
-            this.respond({
-                kind: 'unauthorized',
-                wwwAuthenticateHeader: this.state.required.wwwAuthenticateHeader,
-                reason: 'Failed to derive user from token',
-            });
-            return;
-        }
-        let authorization;
-        if (authMode === 'transparent') {
-            // Transparent mode: pass-through token
-            const authOptions = this.scope.auth?.options;
-            // jwtPayload has been verified and should contain sub from the upstream token
-            const payload = jwtPayload;
-            authorization = authorization_1.TransparentAuthorization.fromVerifiedToken({
-                token,
-                payload,
-                providerId: this.scope.auth?.id ?? 'default',
-                providerName: authOptions?.['name'],
-            });
-        }
-        else if (authMode === 'orchestrated') {
-            // Orchestrated mode: local auth server
-            // TODO: Retrieve token store from scope configuration
-            authorization = authorization_1.OrchestratedAuthorization.create({
-                token,
-                user: {
-                    sub: user.sub ?? 'unknown',
-                    name: user.name,
-                    email: user.email,
-                    picture: user.picture,
-                },
-                scopes: this.parseScopes(jwtPayload?.['scope']),
-                claims: jwtPayload,
-                expiresAt: jwtPayload?.['exp'] ? jwtPayload['exp'] * 1000 : undefined,
-                primaryProviderId: this.scope.auth?.id ?? 'default',
-                // tokenStore will be injected by scope
-            });
-        }
-        else {
-            // Public mode with token (authenticated public)
-            authorization = authorization_1.PublicAuthorization.create({
-                scopes: this.parseScopes(jwtPayload?.['scope']) || ['anonymous'],
-                ttlMs: jwtPayload?.['exp'] ? jwtPayload['exp'] * 1000 - Date.now() : 3600000,
-                issuer: baseUrl,
-            });
-        }
-        this.logger.info(`Authorization created: ${authorization.id} (mode: ${authMode})`);
-        this.respond({
-            kind: 'authorized',
-            authorization,
-        });
-    }
-    /**
-     * Parse TTL from string or number
-     */
-    parseTtl(ttl) {
-        if (!ttl)
-            return 3600000; // 1 hour default
-        if (typeof ttl === 'number')
-            return ttl * 1000; // Assume seconds
-        // Parse duration string (e.g., '1h', '30m', '1d')
-        const match = ttl.match(/^(\d+)(s|m|h|d)$/);
-        if (!match)
-            return 3600000;
-        const [, value, unit] = match;
-        const num = parseInt(value, 10);
-        switch (unit) {
-            case 's':
-                return num * 1000;
-            case 'm':
-                return num * 60 * 1000;
-            case 'h':
-                return num * 60 * 60 * 1000;
-            case 'd':
-                return num * 24 * 60 * 60 * 1000;
-            default:
-                return 3600000;
-        }
-    }
-    /**
-     * Parse scopes from JWT claim
-     */
-    parseScopes(scope) {
-        if (!scope)
-            return [];
-        if (Array.isArray(scope))
-            return scope.map(String);
-        if (typeof scope === 'string')
-            return scope.split(/\s+/).filter(Boolean);
-        return [];
-    }
-};
-tslib_1.__decorate([
-    Stage('parseInput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], AuthVerifyFlow.prototype, "parseInput", null);
-tslib_1.__decorate([
-    Stage('determineAuthMode'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], AuthVerifyFlow.prototype, "determineAuthMode", null);
-tslib_1.__decorate([
-    Stage('handlePublicMode', {
-        filter: ({ state }) => state.authMode === 'public' && !state.token,
-    }),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], AuthVerifyFlow.prototype, "handlePublicMode", null);
-tslib_1.__decorate([
-    Stage('requireAuthorizationHeader', {
-        filter: ({ state }) => state.authMode !== 'public' && !state.authorizationHeader,
-    }),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], AuthVerifyFlow.prototype, "requireAuthorizationHeader", null);
-tslib_1.__decorate([
-    Stage('verifyToken', {
-        filter: ({ state }) => !!state.token,
-    }),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], AuthVerifyFlow.prototype, "verifyToken", null);
-tslib_1.__decorate([
-    Stage('buildAuthorization'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], AuthVerifyFlow.prototype, "buildAuthorization", null);
-AuthVerifyFlow = tslib_1.__decorate([
-    (0, common_1.Flow)({
-        name,
-        plan,
-        inputSchema,
-        outputSchema: exports.authVerifyOutputSchema,
-        access: 'authorized',
-    })
-], AuthVerifyFlow);
-exports.default = AuthVerifyFlow;
-//# sourceMappingURL=auth.verify.flow.js.map

package/src/auth/flows/auth.verify.flow.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"auth.verify.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/auth.verify.flow.ts"],"names":[],"mappings":";AAAA,iCAAiC;;;;AAEjC,yCAWsB;AACtB,4BAA0B;AAC1B,6BAAwB;AACxB,wEAA+F;AAC/F,kCAAuE;AAEvE,oCAOkB;AAClB,oDAM0B;AAC1B,oDAA4E;AAE5E,eAAe;AACf,MAAM,WAAW,GAAG,+BAAsB,CAAC;AAE3C,4BAA4B;AAC5B,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1C,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE;IACjC,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE;IACtE,UAAU,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACjD,IAAI,EAAE,8BAAc,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH,iBAAiB;AACjB,MAAM,kBAAkB,GAAG,OAAC;KACzB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IAClF,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;CAC9E,CAAC;KACD,QAAQ,CAAC,2BAA2B,CAAC,CAAC;AAEzC,MAAM,gBAAgB,GAAG,OAAC;KACvB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7B,aAAa,EAAE,OAAC,CAAC,MAAM,EAAiB,CAAC,QAAQ,CAAC,sBAAsB,CAAC;IACzE,UAAU,EAAE,wCAAwB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,8BAA8B,CAAC;CACzF,CAAC;KACD,QAAQ,CAAC,+CAA+C,CAAC,CAAC;AAEhD,QAAA,sBAAsB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAItF,YAAY;AACZ,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,4BAA4B,EAAE,aAAa,CAAC;IACzG,OAAO,EAAE,CAAC,oBAAoB,CAAC;CACI,CAAC;AAetC,MAAM,IAAI,GAAG,aAAsB,CAAC;AACpC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAEhC;;;;;;;;;GASG;AAQY,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,iBAAqB;IACvD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAE3D;;OAEG;IAEG,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,SAAS,GAAG,IAAA,6BAAoB,EAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,IAAA,2BAAkB,EAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAEtD,kBAAkB;QAClB,MAAM,mBAAmB,GAAI,OAAO,CAAC,OAAO,EAAE,CAAC,eAAe,CAAwB,IAAI,SAAS,CAAC;QACpG,MAAM,eAAe,GAClB,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAwB;YAC1D,OAAO,CAAC,KAAK,CAAC,WAAW,CAAwB;YAClD,SAAS,CAAC;QAEZ,4CAA4C;QAC5C,MAAM,MAAM,GAAG,IAAA,mBAAW,EAAC,OAAO,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,qBAAqB,GAAG,IAAA,+BAAuB,EAAC,MAAM,CAAC,CAAC;QAE9D,MAAM,KAAK,GAAG,IAAA,qCAAkB,EAAC,mBAAmB,CAAC,CAAC;QAEtD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,OAAO;YACP,mBAAmB;YACnB,KAAK;YACL,eAAe;YACf,MAAM;YACN,qBAAqB;SACtB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IAEG,AAAN,KAAK,CAAC,iBAAiB;QACrB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC;QAE7C,mCAAmC;QACnC,IAAI,QAAQ,GAAa,QAAQ,CAAC,CAAC,UAAU;QAE7C,IAAI,WAAW,IAAI,MAAM,IAAI,WAAW,EAAE,CAAC;YACzC,QAAQ,GAAG,WAAW,CAAC,IAAgB,CAAC;QAC1C,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IAIG,AAAN,KAAK,CAAC,gBAAgB;QACpB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAA8C,CAAC;QAEpF,iCAAiC;QACjC,MAAM,YAAY,GAAG,WAAW,EAAE,CAAC,cAAc,CAAwC,CAAC;QAC1F,MAAM,aAAa,GAAG,mCAAmB,CAAC,MAAM,CAAC;YAC/C,MAAM,EAAG,WAAW,EAAE,CAAC,iBAAiB,CAA0B,IAAI,CAAC,WAAW,CAAC;YACnF,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,YAAY,CAAgC,CAAC;YAChF,MAAM,EAAG,WAAW,EAAE,CAAC,QAAQ,CAAwB,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO;YACtF,YAAY,EAAG,YAAY,EAAE,CAAC,OAAO,CAAkC,IAAI,KAAK;YAChF,cAAc,EAAG,YAAY,EAAE,CAAC,SAAS,CAAkC,IAAI,KAAK;SACrF,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,aAAa,CAAC,EAAE,EAAE,CAAC,CAAC;QAEzE,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,YAAY;YAClB,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IAIG,AAAN,KAAK,CAAC,0BAA0B;QAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,cAAc;YACpB,qBAAqB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,qBAAqB;YAChE,MAAM,EAAE,kCAAkC;SAC3C,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IAIG,AAAN,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAW,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC9C,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAEhD,mCAAmC;QACnC,IAAI,CAAC,IAAA,wBAAK,EAAC,KAAK,CAAC,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;YACvC,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,qBAAqB,EAAE,IAAA,+BAAuB,EAAC,MAAM,EAAE,0BAA0B,CAAC;gBAClF,MAAM,EAAE,0BAA0B;aACnC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,4BAA4B;QAC5B,IAAI,YAA0B,CAAC;QAE/B,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;YAChC,0CAA0C;YAC1C,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,gDAAgD;YAChD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAA8C,CAAC;YACpF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC;YAC1C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;gBAClE,IAAI,CAAC,OAAO,CAAC;oBACX,IAAI,EAAE,cAAc;oBACpB,qBAAqB,EAAE,IAAA,+BAAuB,EAAC,MAAM,EAAE,yBAAyB,CAAC;oBACjF,MAAM,EAAE,0BAA0B;iBACnC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,MAAM,YAAY,GAAwB;gBACxC;oBACE,EAAE,EAAG,WAAW,EAAE,CAAC,IAAI,CAAwB,IAAI,SAAS;oBAC5D,SAAS;oBACT,IAAI,EAAE,WAAW,EAAE,CAAC,MAAM,CAA8B;oBACxD,OAAO,EAAE,WAAW,EAAE,CAAC,SAAS,CAAuB;iBACxD;aACF,CAAC;YACF,YAAY,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;YACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;YACrE,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,qBAAqB,EAAE,IAAA,+BAAuB,EAAC,MAAM,EAAE,YAAY,CAAC,KAAK,CAAC;gBAC1E,MAAM,EAAE,YAAY,CAAC,KAAK,IAAI,2BAA2B;aAC1D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oBAAoB;QACpB,MAAM,sBAAsB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAA8C,CAAC;QAC/F,MAAM,gBAAgB,GACnB,sBAAsB,EAAE,CAAC,kBAAkB,CAAmC;YAC/E,IAAA,8BAAsB,EAAC,OAAO,CAAC,CAAC;QAClC,MAAM,qBAAqB,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;QAEtG,MAAM,SAAS,GAAG,IAAA,wBAAgB,EAAC,YAAY,CAAC,OAAO,EAAE,GAAoC,EAAE;YAC7F,iBAAiB,EAAE,qBAAqB;YACxC,eAAe,EAAE,IAAI,EAAE,oCAAoC;SAC5D,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;YACnE,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,qBAAqB,EAAE,IAAA,+BAAuB,EAAC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC;gBACvE,MAAM,EAAE,SAAS,CAAC,KAAK;aACxB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,MAAM,cAAc,GAAI,sBAAsB,EAAE,CAAC,gBAAgB,CAA0B,IAAI,EAAE,CAAC;QAClG,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAClE,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAElF,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAChF,IAAI,CAAC,OAAO,CAAC;oBACX,IAAI,EAAE,cAAc;oBACpB,qBAAqB,EAAE,IAAA,oCAA4B,EAAC,MAAM,EAAE,cAAc,CAAC;oBAC3E,MAAM,EAAE,4BAA4B,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAChE,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,IAAI,GAAG,IAAA,kCAAe,EAAC,YAAY,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,UAAU,EAAE,YAAY,CAAC,OAAO;YAChC,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IAEG,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE3E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,qBAAqB,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,qBAAqB;gBAChE,MAAM,EAAE,kCAAkC;aAC3C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,aAA4B,CAAC;QAEjC,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;YAC/B,uCAAuC;YACvC,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAA8C,CAAC;YACpF,8EAA8E;YAC9E,MAAM,OAAO,GAAG,UAAwC,CAAC;YACzD,aAAa,GAAG,wCAAwB,CAAC,iBAAiB,CAAC;gBACzD,KAAK;gBACL,OAAO;gBACP,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,SAAS;gBAC5C,YAAY,EAAE,WAAW,EAAE,CAAC,MAAM,CAAuB;aAC1D,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;YACvC,uCAAuC;YACvC,sDAAsD;YACtD,aAAa,GAAG,yCAAyB,CAAC,MAAM,CAAC;gBAC/C,KAAK;gBACL,IAAI,EAAE;oBACJ,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,SAAS;oBAC1B,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB;gBACD,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC;gBAC/C,MAAM,EAAE,UAAU;gBAClB,SAAS,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,UAAU,CAAC,KAAK,CAAY,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBACjF,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,SAAS;gBACnD,uCAAuC;aACxC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,gDAAgD;YAChD,aAAa,GAAG,mCAAmB,CAAC,MAAM,CAAC;gBACzC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC;gBAChE,KAAK,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,UAAU,CAAC,KAAK,CAAY,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO;gBACxF,MAAM,EAAE,OAAO;aAChB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0BAA0B,aAAa,CAAC,EAAE,WAAW,QAAQ,GAAG,CAAC,CAAC;QAEnF,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,YAAY;YAClB,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,QAAQ,CAAC,GAAqB;QACpC,IAAI,CAAC,GAAG;YAAE,OAAO,OAAO,CAAC,CAAC,iBAAiB;QAE3C,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAAG,GAAG,IAAI,CAAC,CAAC,iBAAiB;QAEjE,kDAAkD;QAClD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,OAAO,CAAC;QAE3B,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;QAC9B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAEhC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG;gBACN,OAAO,GAAG,GAAG,IAAI,CAAC;YACpB,KAAK,GAAG;gBACN,OAAO,GAAG,GAAG,EAAE,GAAG,IAAI,CAAC;YACzB,KAAK,GAAG;gBACN,OAAO,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YAC9B,KAAK,GAAG;gBACN,OAAO,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YACnC;gBACE,OAAO,OAAO,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,KAAc;QAChC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnD,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzE,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAA;AA5SO;IADL,KAAK,CAAC,YAAY,CAAC;;;;gDA4BnB;AAMK;IADL,KAAK,CAAC,mBAAmB,CAAC;;;;uDAa1B;AAQK;IAHL,KAAK,CAAC,kBAAkB,EAAE;QACzB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,KAAK;KACnE,CAAC;;;;sDAoBD;AAQK;IAHL,KAAK,CAAC,4BAA4B,EAAE;QACnC,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,mBAAmB;KACjF,CAAC;;;;gEAQD;AAQK;IAHL,KAAK,CAAC,aAAa,EAAE;QACpB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK;KACrC,CAAC;;;;iDAuGD;AAMK;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;wDA0D3B;AA3QkB,cAAc;IAPlC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY,EAAE,8BAAsB;QACpC,MAAM,EAAE,YAAY;KACrB,CAAC;GACmB,cAAc,CAmTlC;kBAnToB,cAAc","sourcesContent":["// auth/flows/auth.verify.flow.ts\n\nimport {\n Flow,\n FlowBase,\n FlowRunOptions,\n StageHookOf,\n httpRequestInputSchema,\n getRequestBaseUrl,\n normalizeEntryPrefix,\n normalizeScopeBase,\n FlowPlan,\n AuthMode,\n} from '../../common';\nimport 'reflect-metadata';\nimport { z } from 'zod';\nimport { deriveTypedUser, extractBearerToken, isJwt } from '../session/utils/auth-token.utils';\nimport { JwksService, ProviderVerifyRef, VerifyResult } from '../jwks';\nimport type { JSONWebKeySet } from 'jose';\nimport {\n buildPrmUrl,\n buildUnauthorizedHeader,\n buildInvalidTokenHeader,\n buildInsufficientScopeHeader,\n validateAudience,\n deriveExpectedAudience,\n} from '../utils';\nimport {\n PublicAuthorization,\n TransparentAuthorization,\n OrchestratedAuthorization,\n Authorization,\n TransparentVerifiedPayload,\n} from '../authorization';\nimport { authUserSchema, llmSafeAuthContextSchema } from '../authorization';\n\n// Input schema\nconst inputSchema = httpRequestInputSchema;\n\n// State schema for the flow\nconst stateSchema = z.object({\n baseUrl: z.string().min(1),\n authorizationHeader: z.string().optional(),\n token: z.string().optional(),\n sessionIdHeader: z.string().optional(),\n prmUrl: z.string(),\n wwwAuthenticateHeader: z.string(),\n authMode: z.enum(['public', 'transparent', 'orchestrated']).optional(),\n jwtPayload: z.object({}).passthrough().optional(),\n user: authUserSchema.optional(),\n});\n\n// Output schemas\nconst UnauthorizedSchema = z\n .object({\n kind: z.literal('unauthorized'),\n wwwAuthenticateHeader: z.string().describe('WWW-Authenticate header per RFC 9728'),\n reason: z.string().optional().describe('Human-readable reason for rejection'),\n })\n .describe('401 Unauthorized response');\n\nconst AuthorizedSchema = z\n .object({\n kind: z.literal('authorized'),\n authorization: z.custom<Authorization>().describe('Authorization object'),\n llmContext: llmSafeAuthContextSchema.optional().describe('LLM-safe context (no tokens)'),\n })\n .describe('Authorized response with Authorization object');\n\nexport const authVerifyOutputSchema = z.union([UnauthorizedSchema, AuthorizedSchema]);\n\nexport type AuthVerifyOutput = z.infer<typeof authVerifyOutputSchema>;\n\n// Flow plan\nconst plan = {\n pre: ['parseInput', 'determineAuthMode', 'handlePublicMode', 'requireAuthorizationHeader', 'verifyToken'],\n execute: ['buildAuthorization'],\n} as const satisfies FlowPlan<string>;\n\n// Declare flow types\ndeclare global {\n interface ExtendFlows {\n 'auth:verify': FlowRunOptions<\n AuthVerifyFlow,\n typeof plan,\n typeof inputSchema,\n typeof authVerifyOutputSchema,\n typeof stateSchema\n >;\n }\n}\n\nconst name = 'auth:verify' as const;\nconst Stage = StageHookOf(name);\n\n/**\n * Auth Verify Flow\n *\n * New authorization verification flow that supports the three auth modes:\n * - public: Auto-generate anonymous authorization\n * - transparent: Pass-through OAuth tokens from upstream provider\n * - orchestrated: Local auth server with secure token storage\n *\n * This flow creates Authorization objects instead of legacy Session objects.\n */\n@Flow({\n name,\n plan,\n inputSchema,\n outputSchema: authVerifyOutputSchema,\n access: 'authorized',\n})\nexport default class AuthVerifyFlow extends FlowBase<typeof name> {\n private logger = this.scope.logger.child('AuthVerifyFlow');\n\n /**\n * Parse request headers and build WWW-Authenticate header\n */\n @Stage('parseInput')\n async parseInput() {\n const { request } = this.rawInput;\n const entryPath = normalizeEntryPrefix(this.scope.entryPath);\n const routeBase = normalizeScopeBase(this.scope.routeBase);\n const baseUrl = getRequestBaseUrl(request, entryPath);\n\n // Extract headers\n const authorizationHeader = (request.headers?.['authorization'] as string | undefined) ?? undefined;\n const sessionIdHeader =\n (request.headers?.['mcp-session-id'] as string | undefined) ??\n (request.query['sessionId'] as string | undefined) ??\n undefined;\n\n // Build PRM URL and WWW-Authenticate header\n const prmUrl = buildPrmUrl(baseUrl, entryPath, routeBase);\n const wwwAuthenticateHeader = buildUnauthorizedHeader(prmUrl);\n\n const token = extractBearerToken(authorizationHeader);\n\n this.state.set({\n baseUrl,\n authorizationHeader,\n token,\n sessionIdHeader,\n prmUrl,\n wwwAuthenticateHeader,\n });\n }\n\n /**\n * Determine which auth mode to use based on scope configuration\n */\n @Stage('determineAuthMode')\n async determineAuthMode() {\n const authOptions = this.scope.auth?.options;\n\n // Determine auth mode from options\n let authMode: AuthMode = 'public'; // default\n\n if (authOptions && 'mode' in authOptions) {\n authMode = authOptions.mode as AuthMode;\n }\n\n this.logger.debug(`Auth mode determined: ${authMode}`);\n this.state.set('authMode', authMode);\n }\n\n /**\n * Handle public mode - create anonymous authorization without requiring a token\n */\n @Stage('handlePublicMode', {\n filter: ({ state }) => state.authMode === 'public' && !state.token,\n })\n async handlePublicMode() {\n const authOptions = this.scope.auth?.options as Record<string, unknown> | undefined;\n\n // Create anonymous authorization\n const publicAccess = authOptions?.['publicAccess'] as Record<string, unknown> | undefined;\n const authorization = PublicAuthorization.create({\n scopes: (authOptions?.['anonymousScopes'] as string[] | undefined) ?? ['anonymous'],\n ttlMs: this.parseTtl(authOptions?.['sessionTtl'] as string | number | undefined),\n issuer: (authOptions?.['issuer'] as string | undefined) ?? this.state.required.baseUrl,\n allowedTools: (publicAccess?.['tools'] as string[] | 'all' | undefined) ?? 'all',\n allowedPrompts: (publicAccess?.['prompts'] as string[] | 'all' | undefined) ?? 'all',\n });\n\n this.logger.info(`Created anonymous authorization: ${authorization.id}`);\n\n this.respond({\n kind: 'authorized',\n authorization,\n });\n }\n\n /**\n * Require authorization header for non-public modes\n */\n @Stage('requireAuthorizationHeader', {\n filter: ({ state }) => state.authMode !== 'public' && !state.authorizationHeader,\n })\n async requireAuthorizationHeader() {\n this.logger.warn('No authorization header provided');\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: this.state.required.wwwAuthenticateHeader,\n reason: 'No authorization header provided',\n });\n }\n\n /**\n * Verify the JWT token\n */\n @Stage('verifyToken', {\n filter: ({ state }) => !!state.token,\n })\n async verifyToken() {\n const jwks = this.get(JwksService);\n const token = this.state.required.token;\n const authMode = this.state.required.authMode;\n const { baseUrl, prmUrl } = this.state.required;\n\n // Non-JWT tokens are not supported\n if (!isJwt(token)) {\n this.logger.warn('Token is not a JWT');\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: buildInvalidTokenHeader(prmUrl, 'Token is not a valid JWT'),\n reason: 'Token is not a valid JWT',\n });\n return;\n }\n\n // Verify based on auth mode\n let verifyResult: VerifyResult;\n\n if (authMode === 'orchestrated') {\n // Orchestrated: verify against local keys\n verifyResult = await jwks.verifyGatewayToken(token, baseUrl);\n } else {\n // Transparent: verify against upstream provider\n const authOptions = this.scope.auth?.options as Record<string, unknown> | undefined;\n const issuerUrl = this.scope.auth?.issuer;\n if (!issuerUrl) {\n this.logger.warn('No issuer URL configured for transparent mode');\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: buildInvalidTokenHeader(prmUrl, 'Server misconfiguration'),\n reason: 'No issuer URL configured',\n });\n return;\n }\n const providerRefs: ProviderVerifyRef[] = [\n {\n id: (authOptions?.['id'] as string | undefined) ?? 'default',\n issuerUrl,\n jwks: authOptions?.['jwks'] as JSONWebKeySet | undefined,\n jwksUri: authOptions?.['jwksUri'] as string | undefined,\n },\n ];\n verifyResult = await jwks.verifyTransparentToken(token, providerRefs);\n }\n\n if (!verifyResult.ok) {\n this.logger.warn(`Token verification failed: ${verifyResult.error}`);\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: buildInvalidTokenHeader(prmUrl, verifyResult.error),\n reason: verifyResult.error ?? 'Token verification failed',\n });\n return;\n }\n\n // Validate audience\n const authOptionsForAudience = this.scope.auth?.options as Record<string, unknown> | undefined;\n const expectedAudience =\n (authOptionsForAudience?.['expectedAudience'] as string | string[] | undefined) ??\n deriveExpectedAudience(baseUrl);\n const expectedAudienceArray = Array.isArray(expectedAudience) ? expectedAudience : [expectedAudience];\n\n const audResult = validateAudience(verifyResult.payload?.aud as string | string[] | undefined, {\n expectedAudiences: expectedAudienceArray,\n allowNoAudience: true, // Some tokens may not have audience\n });\n\n if (!audResult.valid) {\n this.logger.warn(`Audience validation failed: ${audResult.error}`);\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: buildInvalidTokenHeader(prmUrl, audResult.error),\n reason: audResult.error,\n });\n return;\n }\n\n // Check required scopes\n const requiredScopes = (authOptionsForAudience?.['requiredScopes'] as string[] | undefined) ?? [];\n if (requiredScopes.length > 0) {\n const tokenScopes = this.parseScopes(verifyResult.payload?.scope);\n const hasAllScopes = requiredScopes.every((s: string) => tokenScopes.includes(s));\n\n if (!hasAllScopes) {\n this.logger.warn(`Insufficient scopes. Required: ${requiredScopes.join(', ')}`);\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: buildInsufficientScopeHeader(prmUrl, requiredScopes),\n reason: `Missing required scopes: ${requiredScopes.join(', ')}`,\n });\n return;\n }\n }\n\n // Store verified payload and user\n const user = deriveTypedUser(verifyResult.payload ?? {});\n this.state.set({\n jwtPayload: verifyResult.payload,\n user,\n });\n }\n\n /**\n * Build the Authorization object based on auth mode\n */\n @Stage('buildAuthorization')\n async buildAuthorization() {\n const { token, jwtPayload, user, authMode, baseUrl } = this.state.required;\n\n if (!user) {\n this.respond({\n kind: 'unauthorized',\n wwwAuthenticateHeader: this.state.required.wwwAuthenticateHeader,\n reason: 'Failed to derive user from token',\n });\n return;\n }\n\n let authorization: Authorization;\n\n if (authMode === 'transparent') {\n // Transparent mode: pass-through token\n const authOptions = this.scope.auth?.options as Record<string, unknown> | undefined;\n // jwtPayload has been verified and should contain sub from the upstream token\n const payload = jwtPayload as TransparentVerifiedPayload;\n authorization = TransparentAuthorization.fromVerifiedToken({\n token,\n payload,\n providerId: this.scope.auth?.id ?? 'default',\n providerName: authOptions?.['name'] as string | undefined,\n });\n } else if (authMode === 'orchestrated') {\n // Orchestrated mode: local auth server\n // TODO: Retrieve token store from scope configuration\n authorization = OrchestratedAuthorization.create({\n token,\n user: {\n sub: user.sub ?? 'unknown',\n name: user.name,\n email: user.email,\n picture: user.picture,\n },\n scopes: this.parseScopes(jwtPayload?.['scope']),\n claims: jwtPayload,\n expiresAt: jwtPayload?.['exp'] ? (jwtPayload['exp'] as number) * 1000 : undefined,\n primaryProviderId: this.scope.auth?.id ?? 'default',\n // tokenStore will be injected by scope\n });\n } else {\n // Public mode with token (authenticated public)\n authorization = PublicAuthorization.create({\n scopes: this.parseScopes(jwtPayload?.['scope']) || ['anonymous'],\n ttlMs: jwtPayload?.['exp'] ? (jwtPayload['exp'] as number) * 1000 - Date.now() : 3600000,\n issuer: baseUrl,\n });\n }\n\n this.logger.info(`Authorization created: ${authorization.id} (mode: ${authMode})`);\n\n this.respond({\n kind: 'authorized',\n authorization,\n });\n }\n\n /**\n * Parse TTL from string or number\n */\n private parseTtl(ttl?: string | number): number {\n if (!ttl) return 3600000; // 1 hour default\n\n if (typeof ttl === 'number') return ttl * 1000; // Assume seconds\n\n // Parse duration string (e.g., '1h', '30m', '1d')\n const match = ttl.match(/^(\\d+)(s|m|h|d)$/);\n if (!match) return 3600000;\n\n const [, value, unit] = match;\n const num = parseInt(value, 10);\n\n switch (unit) {\n case 's':\n return num * 1000;\n case 'm':\n return num * 60 * 1000;\n case 'h':\n return num * 60 * 60 * 1000;\n case 'd':\n return num * 24 * 60 * 60 * 1000;\n default:\n return 3600000;\n }\n }\n\n /**\n * Parse scopes from JWT claim\n */\n private parseScopes(scope: unknown): string[] {\n if (!scope) return [];\n if (Array.isArray(scope)) return scope.map(String);\n if (typeof scope === 'string') return scope.split(/\\s+/).filter(Boolean);\n return [];\n }\n}\n"]}