npm - @frontmcp/sdk - Versions diffs - 0.6.0 → 0.6.2 - Mend

@frontmcp/sdk 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1053) hide show

package/src/auth/flows/well-known.prm.flow.js DELETED Viewed

@@ -1,106 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const tslib_1 = require("tslib");
-// auth/flows/well-known.prm.flow.ts
-require("reflect-metadata");
-const zod_1 = require("zod");
-const common_1 = require("../../common");
-const inputSchema = common_1.httpInputSchema;
-const stateSchema = zod_1.z.object({
-    resource: zod_1.z.string().min(1),
-    baseUrl: zod_1.z.string().min(1),
-    scopesSupported: zod_1.z.array(zod_1.z.string()).default(['openid', 'profile', 'email']),
-    isOrchestrated: zod_1.z.boolean(),
-});
-const outputSchema = common_1.HttpJsonSchema.extend({
-    body: zod_1.z
-        .object({
-        resource: zod_1.z.string().min(1),
-        authorization_servers: zod_1.z.array(zod_1.z.string().min(1)).min(1),
-        scopes_supported: zod_1.z.array(zod_1.z.string()).default(['openid', 'profile', 'email']),
-        bearer_methods_supported: zod_1.z.array(zod_1.z.string()).default(['header']),
-    })
-        .passthrough(),
-});
-const plan = {
-    pre: ['parseInput'],
-    execute: ['collectData'],
-    post: ['validateOutput'],
-};
-const name = 'well-known.oauth-protected-resource';
-const Stage = (0, common_1.StageHookOf)(name);
-let WellKnownPrmFlow = class WellKnownPrmFlow extends common_1.FlowBase {
-    static canActivate(request, scope) {
-        return (0, common_1.makeWellKnownPaths)('oauth-protected-resource', scope.entryPath, scope.routeBase).has(request.path);
-    }
-    async parseInput() {
-        const { request } = this.rawInput;
-        const scope = this.scope;
-        if (!request)
-            throw new Error('Request is undefined');
-        const resource = (0, common_1.computeResource)(request, scope.entryPath, scope.routeBase);
-        const baseUrl = (0, common_1.getRequestBaseUrl)(request, scope.entryPath);
-        this.state.set(stateSchema.parse({
-            resource,
-            baseUrl,
-            scopesSupported: ['openid', 'profile', 'email'],
-            isOrchestrated: false, //scope.orchestrated,// TODO: fix
-        }));
-    }
-    async collectData() {
-        const { resource, baseUrl, scopesSupported, isOrchestrated } = this.state.required;
-        if (isOrchestrated) {
-            this.respond({
-                kind: 'json',
-                contentType: 'application/json; charset=utf-8',
-                status: 200,
-                body: {
-                    resource,
-                    authorization_servers: [baseUrl],
-                    scopes_supported: scopesSupported,
-                    bearer_methods_supported: ['header'],
-                },
-            });
-            return;
-        }
-        const issuer = this.scope.auth.issuer;
-        // Transparent scope
-        this.respond({
-            kind: 'json',
-            status: 200,
-            contentType: 'application/json; charset=utf-8',
-            body: {
-                resource,
-                authorization_servers: [issuer],
-                scopes_supported: scopesSupported,
-                bearer_methods_supported: ['header'],
-            },
-        });
-    }
-};
-tslib_1.__decorate([
-    Stage('parseInput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], WellKnownPrmFlow.prototype, "parseInput", null);
-tslib_1.__decorate([
-    Stage('collectData'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], WellKnownPrmFlow.prototype, "collectData", null);
-WellKnownPrmFlow = tslib_1.__decorate([
-    (0, common_1.Flow)({
-        name,
-        plan,
-        inputSchema,
-        outputSchema,
-        access: 'public',
-        middleware: {
-            method: 'GET',
-        },
-    })
-], WellKnownPrmFlow);
-exports.default = WellKnownPrmFlow;
-//# sourceMappingURL=well-known.prm.flow.js.map

package/src/auth/flows/well-known.prm.flow.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"well-known.prm.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/well-known.prm.flow.ts"],"names":[],"mappings":";;;AAAA,oCAAoC;AACpC,4BAA0B;AAC1B,6BAAwB;AACxB,yCAasB;AAEtB,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC5E,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE;CAC5B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,uBAAc,CAAC,MAAM,CAAC;IACzC,IAAI,EAAE,OAAC;SACJ,MAAM,CAAC;QACN,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,qBAAqB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxD,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7E,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC;KAClE,CAAC;SACD,WAAW,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,CAAC;IACnB,OAAO,EAAE,CAAC,aAAa,CAAC;IACxB,IAAI,EAAE,CAAC,gBAAgB,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,qCAA8C,CAAC;AAC5D,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAYjB,IAAM,gBAAgB,GAAtB,MAAM,gBAAiB,SAAQ,iBAAqB;IACjE,MAAM,CAAC,WAAW,CAAC,OAAsB,EAAE,KAAiB;QAC1D,OAAO,IAAA,2BAAkB,EAAC,0BAA0B,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5G,CAAC;IAGK,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAEtD,MAAM,QAAQ,GAAG,IAAA,wBAAe,EAAC,OAAO,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC5E,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC5D,IAAI,CAAC,KAAK,CAAC,GAAG,CACZ,WAAW,CAAC,KAAK,CAAC;YAChB,QAAQ;YACR,OAAO;YACP,eAAe,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAC/C,cAAc,EAAE,KAAK,EAAE,iCAAiC;SACzD,CAAC,CACH,CAAC;IACJ,CAAC;IAE2B,AAAN,KAAK,CAAC,WAAW;QACrC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAEnF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,MAAM;gBACZ,WAAW,EAAE,iCAAiC;gBAC9C,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE;oBACJ,QAAQ;oBACR,qBAAqB,EAAE,CAAC,OAAO,CAAC;oBAChC,gBAAgB,EAAE,eAAe;oBACjC,wBAAwB,EAAE,CAAC,QAAQ,CAAC;iBACrC;aACF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;QACtC,oBAAoB;QACpB,IAAI,CAAC,OAAO,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,GAAG;YACX,WAAW,EAAE,iCAAiC;YAC9C,IAAI,EAAE;gBACJ,QAAQ;gBACR,qBAAqB,EAAE,CAAC,MAAM,CAAC;gBAC/B,gBAAgB,EAAE,eAAe;gBACjC,wBAAwB,EAAE,CAAC,QAAQ,CAAC;aACrC;SACF,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AAhDO;IADL,KAAK,CAAC,YAAY,CAAC;;;;kDAgBnB;AAE2B;IAA3B,KAAK,CAAC,aAAa,CAAC;;;;mDA8BpB;AArDkB,gBAAgB;IAVpC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,KAAK;SACd;KACF,CAAC;GACmB,gBAAgB,CAsDpC;kBAtDoB,gBAAgB","sourcesContent":["// auth/flows/well-known.prm.flow.ts\nimport 'reflect-metadata';\nimport { z } from 'zod';\nimport {\n Flow,\n FlowBase,\n FlowPlan,\n FlowRunOptions,\n httpInputSchema,\n HttpJsonSchema,\n ScopeEntry,\n ServerRequest,\n StageHookOf,\n computeResource,\n getRequestBaseUrl,\n makeWellKnownPaths,\n} from '../../common';\n\nconst inputSchema = httpInputSchema;\n\nconst stateSchema = z.object({\n resource: z.string().min(1),\n baseUrl: z.string().min(1),\n scopesSupported: z.array(z.string()).default(['openid', 'profile', 'email']),\n isOrchestrated: z.boolean(),\n});\n\nconst outputSchema = HttpJsonSchema.extend({\n body: z\n .object({\n resource: z.string().min(1),\n authorization_servers: z.array(z.string().min(1)).min(1),\n scopes_supported: z.array(z.string()).default(['openid', 'profile', 'email']),\n bearer_methods_supported: z.array(z.string()).default(['header']),\n })\n .passthrough(),\n});\n\nconst plan = {\n pre: ['parseInput'],\n execute: ['collectData'],\n post: ['validateOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n interface ExtendFlows {\n 'well-known.oauth-protected-resource': FlowRunOptions<\n WellKnownPrmFlow,\n typeof plan,\n typeof inputSchema,\n typeof outputSchema,\n typeof stateSchema\n >;\n }\n}\n\nconst name = 'well-known.oauth-protected-resource' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n name,\n plan,\n inputSchema,\n outputSchema,\n access: 'public',\n middleware: {\n method: 'GET',\n },\n})\nexport default class WellKnownPrmFlow extends FlowBase<typeof name> {\n static canActivate(request: ServerRequest, scope: ScopeEntry) {\n return makeWellKnownPaths('oauth-protected-resource', scope.entryPath, scope.routeBase).has(request.path);\n }\n\n @Stage('parseInput')\n async parseInput() {\n const { request } = this.rawInput;\n const scope = this.scope;\n if (!request) throw new Error('Request is undefined');\n\n const resource = computeResource(request, scope.entryPath, scope.routeBase);\n const baseUrl = getRequestBaseUrl(request, scope.entryPath);\n this.state.set(\n stateSchema.parse({\n resource,\n baseUrl,\n scopesSupported: ['openid', 'profile', 'email'],\n isOrchestrated: false, //scope.orchestrated,// TODO: fix\n }),\n );\n }\n\n @Stage('collectData') async collectData() {\n const { resource, baseUrl, scopesSupported, isOrchestrated } = this.state.required;\n\n if (isOrchestrated) {\n this.respond({\n kind: 'json',\n contentType: 'application/json; charset=utf-8',\n status: 200,\n body: {\n resource,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n },\n });\n return;\n }\n const issuer = this.scope.auth.issuer;\n // Transparent scope\n this.respond({\n kind: 'json',\n status: 200,\n contentType: 'application/json; charset=utf-8',\n body: {\n resource,\n authorization_servers: [issuer],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n },\n });\n }\n}\n"]}

package/src/auth/instances/instance.local-primary-auth.js DELETED Viewed

@@ -1,308 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.LocalPrimaryAuth = void 0;
-const tslib_1 = require("tslib");
-const jose_1 = require("jose");
-const crypto_1 = require("crypto");
-const common_1 = require("../../common");
-const auth_options_1 = require("../../common/types/options/auth.options");
-const well_known_prm_flow_1 = tslib_1.__importDefault(require("../flows/well-known.prm.flow"));
-const well_known_oauth_authorization_server_flow_1 = tslib_1.__importDefault(require("../flows/well-known.oauth-authorization-server.flow"));
-const well_known_jwks_flow_1 = tslib_1.__importDefault(require("../flows/well-known.jwks.flow"));
-const session_verify_flow_1 = tslib_1.__importDefault(require("../flows/session.verify.flow"));
-const oauth_authorize_flow_1 = tslib_1.__importDefault(require("../flows/oauth.authorize.flow"));
-const oauth_register_flow_1 = tslib_1.__importDefault(require("../flows/oauth.register.flow"));
-const oauth_token_flow_1 = tslib_1.__importDefault(require("../flows/oauth.token.flow"));
-const oauth_callback_flow_1 = tslib_1.__importDefault(require("../flows/oauth.callback.flow"));
-const jwks_1 = require("../jwks");
-const authorization_store_1 = require("../session/authorization.store");
-const DEFAULT_NO_AUTH_SECRET = (0, crypto_1.randomBytes)(32);
-class LocalPrimaryAuth extends common_1.FrontMcpAuth {
-    scope;
-    providers;
-    host;
-    port;
-    issuer;
-    keys = [];
-    secret;
-    logger;
-    authorizationStore;
-    jwks = new jwks_1.JwksService();
-    /** Default access token TTL (1 hour) */
-    accessTokenTtlSeconds = 3600;
-    /** Default refresh token TTL (30 days) */
-    refreshTokenTtlSeconds = 30 * 24 * 3600;
-    /**
-     * Get the authorization store as InMemoryAuthorizationStore with type guard.
-     * This ensures type safety when using InMemory-specific methods.
-     */
-    getInMemoryStore() {
-        if (!(this.authorizationStore instanceof authorization_store_1.InMemoryAuthorizationStore)) {
-            throw new Error('LocalPrimaryAuth requires InMemoryAuthorizationStore for record creation methods');
-        }
-        return this.authorizationStore;
-    }
-    constructor(scope, providers, options) {
-        super(options);
-        this.scope = scope;
-        this.providers = providers;
-        this.logger = this.providers.getActiveScope().logger.child('LocalPrimaryAuth');
-        this.port = this.providers.getActiveScope().metadata.http?.port ?? 3001;
-        this.host = 'localhost';
-        this.issuer = this.deriveIssuer(options);
-        if (process.env['JWT_SECRET']) {
-            this.secret = new TextEncoder().encode(process.env['JWT_SECRET']);
-        }
-        else {
-            this.logger.warn('JWT_SECRET is not set, using default secret');
-            this.secret = DEFAULT_NO_AUTH_SECRET;
-        }
-        // Initialize authorization store (in-memory for now, Redis later)
-        this.authorizationStore = new authorization_store_1.InMemoryAuthorizationStore();
-        this.ready = this.initialize();
-    }
-    /**
-     * Derive issuer from options
-     */
-    deriveIssuer(options) {
-        const basePath = `http://${this.host}:${this.port}${this.scope.fullPath}`;
-        if ((0, auth_options_1.isPublicMode)(options)) {
-            return options.issuer ?? basePath;
-        }
-        if ((0, auth_options_1.isOrchestratedMode)(options)) {
-            if ((0, auth_options_1.isOrchestratedLocal)(options)) {
-                return options.local?.issuer ?? basePath;
-            }
-            else {
-                // Orchestrated remote
-                return options.local?.issuer ?? basePath;
-            }
-        }
-        return basePath;
-    }
-    async signAnonymousJwt() {
-        const sub = (0, crypto_1.randomUUID)();
-        return new jose_1.SignJWT({ sub, role: 'user', anonymous: true })
-            .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-            .setIssuedAt()
-            .setIssuer(this.issuer)
-            .setExpirationTime('1d')
-            .sign(this.secret);
-    }
-    /**
-     * Sign an access token for an authenticated user
-     */
-    async signAccessToken(user, scopes, audience, consentMetadata) {
-        const claims = {
-            sub: user.sub,
-            scope: scopes.join(' '),
-        };
-        if (user.email)
-            claims['email'] = user.email;
-        if (user.name)
-            claims['name'] = user.name;
-        if (user.picture)
-            claims['picture'] = user.picture;
-        if (user.roles)
-            claims['roles'] = user.roles;
-        // Add consent metadata if present
-        if (consentMetadata) {
-            if (consentMetadata.consentEnabled) {
-                claims['consent'] = {
-                    enabled: true,
-                    selectedTools: consentMetadata.selectedToolIds ?? [],
-                };
-            }
-            if (consentMetadata.federatedLoginUsed) {
-                claims['federated'] = {
-                    enabled: true,
-                    selectedProviders: consentMetadata.selectedProviderIds ?? [],
-                    skippedProviders: consentMetadata.skippedProviderIds ?? [],
-                };
-            }
-        }
-        const jwt = new jose_1.SignJWT(claims)
-            .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-            .setIssuedAt()
-            .setIssuer(this.issuer)
-            .setExpirationTime(`${this.accessTokenTtlSeconds}s`)
-            .setJti((0, crypto_1.randomUUID)());
-        if (audience) {
-            jwt.setAudience(audience);
-        }
-        return jwt.sign(this.secret);
-    }
-    /**
-     * Exchange an authorization code for tokens
-     */
-    async exchangeCode(code, clientId, redirectUri, codeVerifier) {
-        // Get the authorization code record
-        const codeRecord = await this.authorizationStore.getAuthorizationCode(code);
-        if (!codeRecord) {
-            this.logger.warn(`Authorization code not found or expired: ${code.substring(0, 8)}...`);
-            return {
-                error: 'invalid_grant',
-                error_description: 'Authorization code is invalid or expired',
-            };
-        }
-        // Verify code hasn't been used (single-use)
-        if (codeRecord.used) {
-            this.logger.warn(`Authorization code already used: ${code.substring(0, 8)}...`);
-            // Security: If a code is reused, revoke all tokens from this code
-            await this.authorizationStore.deleteAuthorizationCode(code);
-            return {
-                error: 'invalid_grant',
-                error_description: 'Authorization code has already been used',
-            };
-        }
-        // Verify client_id matches
-        if (codeRecord.clientId !== clientId) {
-            this.logger.warn(`Client ID mismatch: expected ${codeRecord.clientId}, got ${clientId}`);
-            return {
-                error: 'invalid_grant',
-                error_description: 'Client ID does not match',
-            };
-        }
-        // Verify redirect_uri matches
-        if (codeRecord.redirectUri !== redirectUri) {
-            this.logger.warn(`Redirect URI mismatch`);
-            return {
-                error: 'invalid_grant',
-                error_description: 'Redirect URI does not match',
-            };
-        }
-        // Verify PKCE
-        if (!(0, authorization_store_1.verifyPkce)(codeVerifier, codeRecord.pkce)) {
-            this.logger.warn(`PKCE verification failed`);
-            return {
-                error: 'invalid_grant',
-                error_description: 'PKCE verification failed',
-            };
-        }
-        // Mark code as used
-        await this.authorizationStore.markCodeUsed(code);
-        // Generate tokens
-        const user = {
-            sub: codeRecord.userSub,
-            email: codeRecord.userEmail,
-            name: codeRecord.userName,
-        };
-        // Build consent metadata from code record
-        const consentMetadata = codeRecord.consentEnabled || codeRecord.federatedLoginUsed
-            ? {
-                selectedToolIds: codeRecord.selectedToolIds,
-                selectedProviderIds: codeRecord.selectedProviderIds,
-                skippedProviderIds: codeRecord.skippedProviderIds,
-                consentEnabled: codeRecord.consentEnabled,
-                federatedLoginUsed: codeRecord.federatedLoginUsed,
-            }
-            : undefined;
-        const accessToken = await this.signAccessToken(user, codeRecord.scopes, codeRecord.resource, consentMetadata);
-        // Create refresh token
-        const refreshTokenRecord = this.getInMemoryStore().createRefreshTokenRecord({
-            clientId,
-            userSub: user.sub,
-            scopes: codeRecord.scopes,
-            resource: codeRecord.resource,
-        });
-        await this.authorizationStore.storeRefreshToken(refreshTokenRecord);
-        this.logger.info(`Tokens issued for user: ${user.sub}`);
-        return {
-            access_token: accessToken,
-            token_type: 'Bearer',
-            expires_in: this.accessTokenTtlSeconds,
-            refresh_token: refreshTokenRecord.token,
-            scope: codeRecord.scopes.join(' '),
-        };
-    }
-    /**
-     * Refresh an access token using a refresh token
-     */
-    async refreshAccessToken(refreshToken, clientId) {
-        const tokenRecord = await this.authorizationStore.getRefreshToken(refreshToken);
-        if (!tokenRecord) {
-            this.logger.warn('Refresh token not found or expired');
-            return {
-                error: 'invalid_grant',
-                error_description: 'Refresh token is invalid or expired',
-            };
-        }
-        if (tokenRecord.clientId !== clientId) {
-            this.logger.warn('Client ID mismatch on refresh');
-            return {
-                error: 'invalid_grant',
-                error_description: 'Client ID does not match',
-            };
-        }
-        // Generate new access token
-        const user = { sub: tokenRecord.userSub };
-        const accessToken = await this.signAccessToken(user, tokenRecord.scopes, tokenRecord.resource);
-        // Rotate refresh token
-        const newRefreshRecord = this.getInMemoryStore().createRefreshTokenRecord({
-            clientId,
-            userSub: tokenRecord.userSub,
-            scopes: tokenRecord.scopes,
-            resource: tokenRecord.resource,
-        });
-        await this.authorizationStore.rotateRefreshToken(refreshToken, newRefreshRecord);
-        this.logger.info(`Tokens refreshed for user: ${user.sub}`);
-        return {
-            access_token: accessToken,
-            token_type: 'Bearer',
-            expires_in: this.accessTokenTtlSeconds,
-            refresh_token: newRefreshRecord.token,
-            scope: tokenRecord.scopes.join(' '),
-        };
-    }
-    /**
-     * Create an authorization code for a user (called after login)
-     */
-    async createAuthorizationCode(params) {
-        const store = this.getInMemoryStore();
-        const codeRecord = store.createCodeRecord({
-            clientId: params.clientId,
-            redirectUri: params.redirectUri,
-            scopes: params.scopes,
-            pkce: { challenge: params.codeChallenge, method: 'S256' },
-            userSub: params.userSub,
-            userEmail: params.userEmail,
-            userName: params.userName,
-            state: params.state,
-            resource: params.resource,
-            // Consent and Federated Login Data
-            selectedToolIds: params.selectedToolIds,
-            selectedProviderIds: params.selectedProviderIds,
-            skippedProviderIds: params.skippedProviderIds,
-            consentEnabled: params.consentEnabled,
-            federatedLoginUsed: params.federatedLoginUsed,
-        });
-        await this.authorizationStore.storeAuthorizationCode(codeRecord);
-        this.logger.info(`Authorization code created for user: ${params.userSub}`);
-        return codeRecord.code;
-    }
-    async initialize() {
-        // TODO: create separated jwk service for local/remote auth options
-        this.providers.injectProvider({
-            value: this.jwks,
-            metadata: {
-                scope: common_1.ProviderScope.GLOBAL,
-                name: 'auth:jwk-service',
-            },
-            provide: jwks_1.JwksService,
-        });
-        await this.registerAuthFlows();
-        return Promise.resolve();
-    }
-    fetch(input, init) {
-        return fetch(input, init);
-    }
-    validate(request) {
-        return Promise.resolve();
-    }
-    async registerAuthFlows() {
-        const scope = this.providers.getActiveScope();
-        await scope.registryFlows(well_known_prm_flow_1.default /** /.well-known/oauth-protected-resource */, well_known_oauth_authorization_server_flow_1.default /** /.well-known/oauth-authorization-server */, well_known_jwks_flow_1.default /** /.well-known/jwks.json */, session_verify_flow_1.default /** Session verification flow */, oauth_authorize_flow_1.default /** GET /oauth/authorize */, oauth_token_flow_1.default /** POST /oauth/token */, oauth_callback_flow_1.default /** GET /oauth/callback - login callback */, oauth_register_flow_1.default /** POST /oauth/register */);
-    }
-}
-exports.LocalPrimaryAuth = LocalPrimaryAuth;
-//# sourceMappingURL=instance.local-primary-auth.js.map

package/src/auth/instances/instance.local-primary-auth.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"instance.local-primary-auth.js","sourceRoot":"","sources":["../../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":";;;;AAAA,+BAA+B;AAE/B,mCAAiD;AACjD,yCAA2G;AAC3G,0EAOiD;AAEjD,+FAA4D;AAC5D,6IAAkF;AAClF,iGAA8D;AAC9D,+FAA6D;AAC7D,iGAA+D;AAC/D,+FAA6D;AAC7D,yFAAuD;AACvD,+FAA6D;AAC7D,kCAAsC;AACtC,wEAKwC;AAOxC,MAAM,sBAAsB,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC;AAmC/C,MAAa,gBAAiB,SAAQ,qBAAqC;IA0BrD;IAA2B;IAzBtC,IAAI,CAAS;IACb,IAAI,CAAS;IACb,MAAM,CAAS;IACf,IAAI,GAAU,EAAE,CAAC;IACjB,MAAM,CAAa;IACnB,MAAM,CAAiB;IACvB,kBAAkB,CAAqB;IACxC,IAAI,GAAG,IAAI,kBAAW,EAAE,CAAC;IAEjC,wCAAwC;IACvB,qBAAqB,GAAG,IAAI,CAAC;IAC9C,0CAA0C;IACzB,sBAAsB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzD;;;OAGG;IACK,gBAAgB;QACtB,IAAI,CAAC,CAAC,IAAI,CAAC,kBAAkB,YAAY,gDAA0B,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CAAC,kFAAkF,CAAC,CAAC;QACtG,CAAC;QACD,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED,YAAoB,KAAiB,EAAU,SAA2B,EAAE,OAAgC;QAC1G,KAAK,CAAC,OAAO,CAAC,CAAC;QADG,UAAK,GAAL,KAAK,CAAY;QAAU,cAAS,GAAT,SAAS,CAAkB;QAExE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC/E,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;QACxE,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;YAChE,IAAI,CAAC,MAAM,GAAG,sBAAsB,CAAC;QACvC,CAAC;QAED,kEAAkE;QAClE,IAAI,CAAC,kBAAkB,GAAG,IAAI,gDAA0B,EAAE,CAAC;QAE3D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,OAAgC;QACnD,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QAE1E,IAAI,IAAA,2BAAY,EAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC;QACpC,CAAC;QAED,IAAI,IAAA,iCAAkB,EAAC,OAAO,CAAC,EAAE,CAAC;YAChC,IAAI,IAAA,kCAAmB,EAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,OAAO,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,QAAQ,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,sBAAsB;gBACtB,OAAO,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,QAAQ,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,MAAM,GAAG,GAAG,IAAA,mBAAU,GAAE,CAAC;QACzB,OAAO,IAAI,cAAO,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;aACvD,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,WAAW,EAAE;aACb,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;aACtB,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,IAAc,EACd,MAAgB,EAChB,QAAiB,EACjB,eAAiC;QAEjC,MAAM,MAAM,GAA4B;YACtC,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAC7C,IAAI,IAAI,CAAC,IAAI;YAAE,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC;QAC1C,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;QACnD,IAAI,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAE7C,kCAAkC;QAClC,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,eAAe,CAAC,cAAc,EAAE,CAAC;gBACnC,MAAM,CAAC,SAAS,CAAC,GAAG;oBAClB,OAAO,EAAE,IAAI;oBACb,aAAa,EAAE,eAAe,CAAC,eAAe,IAAI,EAAE;iBACrD,CAAC;YACJ,CAAC;YACD,IAAI,eAAe,CAAC,kBAAkB,EAAE,CAAC;gBACvC,MAAM,CAAC,WAAW,CAAC,GAAG;oBACpB,OAAO,EAAE,IAAI;oBACb,iBAAiB,EAAE,eAAe,CAAC,mBAAmB,IAAI,EAAE;oBAC5D,gBAAgB,EAAE,eAAe,CAAC,kBAAkB,IAAI,EAAE;iBAC3D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,cAAO,CAAC,MAAM,CAAC;aAC5B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,WAAW,EAAE;aACb,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;aACtB,iBAAiB,CAAC,GAAG,IAAI,CAAC,qBAAqB,GAAG,CAAC;aACnD,MAAM,CAAC,IAAA,mBAAU,GAAE,CAAC,CAAC;QAExB,IAAI,QAAQ,EAAE,CAAC;YACb,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;QAED,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,IAAY,EACZ,QAAgB,EAChB,WAAmB,EACnB,YAAoB;QAEpB,oCAAoC;QACpC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAE5E,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4CAA4C,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxF,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0CAA0C;aAC9D,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YAChF,kEAAkE;YAClE,MAAM,IAAI,CAAC,kBAAkB,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC;YAC5D,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0CAA0C;aAC9D,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,UAAU,CAAC,QAAQ,SAAS,QAAQ,EAAE,CAAC,CAAC;YACzF,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0BAA0B;aAC9C,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,UAAU,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YAC1C,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,6BAA6B;aACjD,CAAC;QACJ,CAAC;QAED,cAAc;QACd,IAAI,CAAC,IAAA,gCAAU,EAAC,YAAY,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC7C,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0BAA0B;aAC9C,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAEjD,kBAAkB;QAClB,MAAM,IAAI,GAAa;YACrB,GAAG,EAAE,UAAU,CAAC,OAAO;YACvB,KAAK,EAAE,UAAU,CAAC,SAAS;YAC3B,IAAI,EAAE,UAAU,CAAC,QAAQ;SAC1B,CAAC;QAEF,0CAA0C;QAC1C,MAAM,eAAe,GACnB,UAAU,CAAC,cAAc,IAAI,UAAU,CAAC,kBAAkB;YACxD,CAAC,CAAC;gBACE,eAAe,EAAE,UAAU,CAAC,eAAe;gBAC3C,mBAAmB,EAAE,UAAU,CAAC,mBAAmB;gBACnD,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;gBACjD,cAAc,EAAE,UAAU,CAAC,cAAc;gBACzC,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;aAClD;YACH,CAAC,CAAC,SAAS,CAAC;QAEhB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAE9G,uBAAuB;QACvB,MAAM,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,wBAAwB,CAAC;YAC1E,QAAQ;YACR,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,QAAQ,EAAE,UAAU,CAAC,QAAQ;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAEpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2BAA2B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAExD,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,qBAAqB;YACtC,aAAa,EAAE,kBAAkB,CAAC,KAAK;YACvC,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACnC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CACtB,YAAoB,EACpB,QAAgB;QAEhB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QAEhF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACvD,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;QACJ,CAAC;QAED,IAAI,WAAW,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0BAA0B;aAC9C,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,MAAM,IAAI,GAAa,EAAE,GAAG,EAAE,WAAW,CAAC,OAAO,EAAE,CAAC;QACpD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE/F,uBAAuB;QACvB,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,wBAAwB,CAAC;YACxE,QAAQ;YACR,OAAO,EAAE,WAAW,CAAC,OAAO;YAC5B,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,QAAQ,EAAE,WAAW,CAAC,QAAQ;SAC/B,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QAEjF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAE3D,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,qBAAqB;YACtC,aAAa,EAAE,gBAAgB,CAAC,KAAK;YACrC,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAgB7B;QACC,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,KAAK,CAAC,gBAAgB,CAAC;YACxC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE;YACzD,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,mCAAmC;YACnC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;YAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,kBAAkB,CAAC,sBAAsB,CAAC,UAAU,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAE3E,OAAO,UAAU,CAAC,IAAI,CAAC;IACzB,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,mEAAmE;QACnE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;YAC5B,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,QAAQ,EAAE;gBACR,KAAK,EAAE,sBAAa,CAAC,MAAM;gBAC3B,IAAI,EAAE,kBAAkB;aACzB;YACD,OAAO,EAAE,kBAAW;SACrB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEQ,KAAK,CAAC,KAAwB,EAAE,IAAkB;QACzD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEQ,QAAQ,CAAC,OAAsB;QACtC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;QAC9C,MAAM,KAAK,CAAC,aAAa,CACvB,6BAAgB,CAAC,4CAA4C,EAC7D,oDAAe,CAAC,8CAA8C,EAC9D,8BAAiB,CAAC,6BAA6B,EAC/C,6BAAiB,CAAC,gCAAgC,EAElD,8BAAkB,CAAC,2BAA2B,EAC9C,0BAAc,CAAC,wBAAwB,EACvC,6BAAiB,CAAC,2CAA2C,EAC7D,6BAAiB,CAAC,2BAA2B,CAC9C,CAAC;IACJ,CAAC;CACF;AA1WD,4CA0WC","sourcesContent":["import { SignJWT } from 'jose';\nimport { URL } from 'url';\nimport { randomBytes, randomUUID } from 'crypto';\nimport { FrontMcpAuth, FrontMcpLogger, ProviderScope, ScopeEntry, ServerRequest, JWK } from '../../common';\nimport {\n PublicAuthOptions,\n OrchestratedLocalOptions,\n OrchestratedRemoteOptions,\n isPublicMode,\n isOrchestratedMode,\n isOrchestratedLocal,\n} from '../../common/types/options/auth.options';\nimport ProviderRegistry from '../../provider/provider.registry';\nimport WellKnownPrmFlow from '../flows/well-known.prm.flow';\nimport WellKnownAsFlow from '../flows/well-known.oauth-authorization-server.flow';\nimport WellKnownJwksFlow from '../flows/well-known.jwks.flow';\nimport SessionVerifyFlow from '../flows/session.verify.flow';\nimport OauthAuthorizeFlow from '../flows/oauth.authorize.flow';\nimport OauthRegisterFlow from '../flows/oauth.register.flow';\nimport OauthTokenFlow from '../flows/oauth.token.flow';\nimport OauthCallbackFlow from '../flows/oauth.callback.flow';\nimport { JwksService } from '../jwks';\nimport {\n AuthorizationStore,\n InMemoryAuthorizationStore,\n AuthorizationCodeRecord,\n verifyPkce,\n} from '../session/authorization.store';\n\n/**\n * Options type for LocalPrimaryAuth - can be public, orchestrated local, or orchestrated remote\n */\nexport type LocalPrimaryAuthOptions = PublicAuthOptions | OrchestratedLocalOptions | OrchestratedRemoteOptions;\n\nconst DEFAULT_NO_AUTH_SECRET = randomBytes(32);\n\n/**\n * User information for JWT claims\n */\nexport interface UserInfo {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n roles?: string[];\n}\n\n/**\n * Token response from the token endpoint\n */\nexport interface TokenResponse {\n access_token: string;\n token_type: 'Bearer';\n expires_in: number;\n refresh_token?: string;\n scope?: string;\n}\n\n/**\n * Consent and federated login metadata for JWT claims\n */\nexport interface ConsentMetadata {\n selectedToolIds?: string[];\n selectedProviderIds?: string[];\n skippedProviderIds?: string[];\n consentEnabled?: boolean;\n federatedLoginUsed?: boolean;\n}\n\nexport class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptions> {\n readonly host: string;\n readonly port: number;\n readonly issuer: string;\n readonly keys: JWK[] = [];\n readonly secret: Uint8Array;\n readonly logger: FrontMcpLogger;\n readonly authorizationStore: AuthorizationStore;\n private jwks = new JwksService();\n\n /** Default access token TTL (1 hour) */\n private readonly accessTokenTtlSeconds = 3600;\n /** Default refresh token TTL (30 days) */\n private readonly refreshTokenTtlSeconds = 30 * 24 * 3600;\n\n /**\n * Get the authorization store as InMemoryAuthorizationStore with type guard.\n * This ensures type safety when using InMemory-specific methods.\n */\n private getInMemoryStore(): InMemoryAuthorizationStore {\n if (!(this.authorizationStore instanceof InMemoryAuthorizationStore)) {\n throw new Error('LocalPrimaryAuth requires InMemoryAuthorizationStore for record creation methods');\n }\n return this.authorizationStore;\n }\n\n constructor(private scope: ScopeEntry, private providers: ProviderRegistry, options: LocalPrimaryAuthOptions) {\n super(options);\n this.logger = this.providers.getActiveScope().logger.child('LocalPrimaryAuth');\n this.port = this.providers.getActiveScope().metadata.http?.port ?? 3001;\n this.host = 'localhost';\n this.issuer = this.deriveIssuer(options);\n\n if (process.env['JWT_SECRET']) {\n this.secret = new TextEncoder().encode(process.env['JWT_SECRET']);\n } else {\n this.logger.warn('JWT_SECRET is not set, using default secret');\n this.secret = DEFAULT_NO_AUTH_SECRET;\n }\n\n // Initialize authorization store (in-memory for now, Redis later)\n this.authorizationStore = new InMemoryAuthorizationStore();\n\n this.ready = this.initialize();\n }\n\n /**\n * Derive issuer from options\n */\n private deriveIssuer(options: LocalPrimaryAuthOptions): string {\n const basePath = `http://${this.host}:${this.port}${this.scope.fullPath}`;\n\n if (isPublicMode(options)) {\n return options.issuer ?? basePath;\n }\n\n if (isOrchestratedMode(options)) {\n if (isOrchestratedLocal(options)) {\n return options.local?.issuer ?? basePath;\n } else {\n // Orchestrated remote\n return options.local?.issuer ?? basePath;\n }\n }\n\n return basePath;\n }\n\n async signAnonymousJwt() {\n const sub = randomUUID();\n return new SignJWT({ sub, role: 'user', anonymous: true })\n .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })\n .setIssuedAt()\n .setIssuer(this.issuer)\n .setExpirationTime('1d')\n .sign(this.secret);\n }\n\n /**\n * Sign an access token for an authenticated user\n */\n async signAccessToken(\n user: UserInfo,\n scopes: string[],\n audience?: string,\n consentMetadata?: ConsentMetadata,\n ): Promise<string> {\n const claims: Record<string, unknown> = {\n sub: user.sub,\n scope: scopes.join(' '),\n };\n\n if (user.email) claims['email'] = user.email;\n if (user.name) claims['name'] = user.name;\n if (user.picture) claims['picture'] = user.picture;\n if (user.roles) claims['roles'] = user.roles;\n\n // Add consent metadata if present\n if (consentMetadata) {\n if (consentMetadata.consentEnabled) {\n claims['consent'] = {\n enabled: true,\n selectedTools: consentMetadata.selectedToolIds ?? [],\n };\n }\n if (consentMetadata.federatedLoginUsed) {\n claims['federated'] = {\n enabled: true,\n selectedProviders: consentMetadata.selectedProviderIds ?? [],\n skippedProviders: consentMetadata.skippedProviderIds ?? [],\n };\n }\n }\n\n const jwt = new SignJWT(claims)\n .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })\n .setIssuedAt()\n .setIssuer(this.issuer)\n .setExpirationTime(`${this.accessTokenTtlSeconds}s`)\n .setJti(randomUUID());\n\n if (audience) {\n jwt.setAudience(audience);\n }\n\n return jwt.sign(this.secret);\n }\n\n /**\n * Exchange an authorization code for tokens\n */\n async exchangeCode(\n code: string,\n clientId: string,\n redirectUri: string,\n codeVerifier: string,\n ): Promise<TokenResponse | { error: string; error_description: string }> {\n // Get the authorization code record\n const codeRecord = await this.authorizationStore.getAuthorizationCode(code);\n\n if (!codeRecord) {\n this.logger.warn(`Authorization code not found or expired: ${code.substring(0, 8)}...`);\n return {\n error: 'invalid_grant',\n error_description: 'Authorization code is invalid or expired',\n };\n }\n\n // Verify code hasn't been used (single-use)\n if (codeRecord.used) {\n this.logger.warn(`Authorization code already used: ${code.substring(0, 8)}...`);\n // Security: If a code is reused, revoke all tokens from this code\n await this.authorizationStore.deleteAuthorizationCode(code);\n return {\n error: 'invalid_grant',\n error_description: 'Authorization code has already been used',\n };\n }\n\n // Verify client_id matches\n if (codeRecord.clientId !== clientId) {\n this.logger.warn(`Client ID mismatch: expected ${codeRecord.clientId}, got ${clientId}`);\n return {\n error: 'invalid_grant',\n error_description: 'Client ID does not match',\n };\n }\n\n // Verify redirect_uri matches\n if (codeRecord.redirectUri !== redirectUri) {\n this.logger.warn(`Redirect URI mismatch`);\n return {\n error: 'invalid_grant',\n error_description: 'Redirect URI does not match',\n };\n }\n\n // Verify PKCE\n if (!verifyPkce(codeVerifier, codeRecord.pkce)) {\n this.logger.warn(`PKCE verification failed`);\n return {\n error: 'invalid_grant',\n error_description: 'PKCE verification failed',\n };\n }\n\n // Mark code as used\n await this.authorizationStore.markCodeUsed(code);\n\n // Generate tokens\n const user: UserInfo = {\n sub: codeRecord.userSub,\n email: codeRecord.userEmail,\n name: codeRecord.userName,\n };\n\n // Build consent metadata from code record\n const consentMetadata: ConsentMetadata | undefined =\n codeRecord.consentEnabled || codeRecord.federatedLoginUsed\n ? {\n selectedToolIds: codeRecord.selectedToolIds,\n selectedProviderIds: codeRecord.selectedProviderIds,\n skippedProviderIds: codeRecord.skippedProviderIds,\n consentEnabled: codeRecord.consentEnabled,\n federatedLoginUsed: codeRecord.federatedLoginUsed,\n }\n : undefined;\n\n const accessToken = await this.signAccessToken(user, codeRecord.scopes, codeRecord.resource, consentMetadata);\n\n // Create refresh token\n const refreshTokenRecord = this.getInMemoryStore().createRefreshTokenRecord({\n clientId,\n userSub: user.sub,\n scopes: codeRecord.scopes,\n resource: codeRecord.resource,\n });\n await this.authorizationStore.storeRefreshToken(refreshTokenRecord);\n\n this.logger.info(`Tokens issued for user: ${user.sub}`);\n\n return {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: this.accessTokenTtlSeconds,\n refresh_token: refreshTokenRecord.token,\n scope: codeRecord.scopes.join(' '),\n };\n }\n\n /**\n * Refresh an access token using a refresh token\n */\n async refreshAccessToken(\n refreshToken: string,\n clientId: string,\n ): Promise<TokenResponse | { error: string; error_description: string }> {\n const tokenRecord = await this.authorizationStore.getRefreshToken(refreshToken);\n\n if (!tokenRecord) {\n this.logger.warn('Refresh token not found or expired');\n return {\n error: 'invalid_grant',\n error_description: 'Refresh token is invalid or expired',\n };\n }\n\n if (tokenRecord.clientId !== clientId) {\n this.logger.warn('Client ID mismatch on refresh');\n return {\n error: 'invalid_grant',\n error_description: 'Client ID does not match',\n };\n }\n\n // Generate new access token\n const user: UserInfo = { sub: tokenRecord.userSub };\n const accessToken = await this.signAccessToken(user, tokenRecord.scopes, tokenRecord.resource);\n\n // Rotate refresh token\n const newRefreshRecord = this.getInMemoryStore().createRefreshTokenRecord({\n clientId,\n userSub: tokenRecord.userSub,\n scopes: tokenRecord.scopes,\n resource: tokenRecord.resource,\n });\n await this.authorizationStore.rotateRefreshToken(refreshToken, newRefreshRecord);\n\n this.logger.info(`Tokens refreshed for user: ${user.sub}`);\n\n return {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: this.accessTokenTtlSeconds,\n refresh_token: newRefreshRecord.token,\n scope: tokenRecord.scopes.join(' '),\n };\n }\n\n /**\n * Create an authorization code for a user (called after login)\n */\n async createAuthorizationCode(params: {\n clientId: string;\n redirectUri: string;\n scopes: string[];\n codeChallenge: string;\n userSub: string;\n userEmail?: string;\n userName?: string;\n state?: string;\n resource?: string;\n // Consent and Federated Login Data\n selectedToolIds?: string[];\n selectedProviderIds?: string[];\n skippedProviderIds?: string[];\n consentEnabled?: boolean;\n federatedLoginUsed?: boolean;\n }): Promise<string> {\n const store = this.getInMemoryStore();\n const codeRecord = store.createCodeRecord({\n clientId: params.clientId,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n pkce: { challenge: params.codeChallenge, method: 'S256' },\n userSub: params.userSub,\n userEmail: params.userEmail,\n userName: params.userName,\n state: params.state,\n resource: params.resource,\n // Consent and Federated Login Data\n selectedToolIds: params.selectedToolIds,\n selectedProviderIds: params.selectedProviderIds,\n skippedProviderIds: params.skippedProviderIds,\n consentEnabled: params.consentEnabled,\n federatedLoginUsed: params.federatedLoginUsed,\n });\n\n await this.authorizationStore.storeAuthorizationCode(codeRecord);\n this.logger.info(`Authorization code created for user: ${params.userSub}`);\n\n return codeRecord.code;\n }\n\n protected async initialize(): Promise<void> {\n // TODO: create separated jwk service for local/remote auth options\n this.providers.injectProvider({\n value: this.jwks,\n metadata: {\n scope: ProviderScope.GLOBAL,\n name: 'auth:jwk-service',\n },\n provide: JwksService,\n });\n\n await this.registerAuthFlows();\n\n return Promise.resolve();\n }\n\n override fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {\n return fetch(input, init);\n }\n\n override validate(request: ServerRequest): Promise<void> {\n return Promise.resolve();\n }\n\n private async registerAuthFlows() {\n const scope = this.providers.getActiveScope();\n await scope.registryFlows(\n WellKnownPrmFlow /** /.well-known/oauth-protected-resource */,\n WellKnownAsFlow /** /.well-known/oauth-authorization-server */,\n WellKnownJwksFlow /** /.well-known/jwks.json */,\n SessionVerifyFlow /** Session verification flow */,\n\n OauthAuthorizeFlow /** GET /oauth/authorize */,\n OauthTokenFlow /** POST /oauth/token */,\n OauthCallbackFlow /** GET /oauth/callback - login callback */,\n OauthRegisterFlow /** POST /oauth/register */,\n );\n }\n}\n"]}

package/src/auth/instances/instance.remote-primary-auth.js DELETED Viewed

@@ -1,49 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RemotePrimaryAuth = void 0;
-const tslib_1 = require("tslib");
-const common_1 = require("../../common");
-const jwks_1 = require("../jwks");
-const well_known_prm_flow_1 = tslib_1.__importDefault(require("../flows/well-known.prm.flow"));
-const well_known_oauth_authorization_server_flow_1 = tslib_1.__importDefault(require("../flows/well-known.oauth-authorization-server.flow"));
-const well_known_jwks_flow_1 = tslib_1.__importDefault(require("../flows/well-known.jwks.flow"));
-const session_verify_flow_1 = tslib_1.__importDefault(require("../flows/session.verify.flow"));
-class RemotePrimaryAuth extends common_1.FrontMcpAuth {
-    scope;
-    providers;
-    ready;
-    jwks = new jwks_1.JwksService();
-    constructor(scope, providers, options) {
-        super(options);
-        this.scope = scope;
-        this.providers = providers;
-        this.ready = this.initialize();
-    }
-    fetch(input, init) {
-        return fetch(input, init);
-    }
-    validate(request) {
-        return Promise.resolve();
-    }
-    get issuer() {
-        return this.options.remote.provider;
-    }
-    async initialize() {
-        const scope = this.providers.getActiveScope();
-        this.providers.injectProvider({
-            value: this.jwks,
-            metadata: {
-                scope: common_1.ProviderScope.GLOBAL,
-                name: 'auth:jwk-service',
-            },
-            provide: jwks_1.JwksService,
-        });
-        await this.registerAuthFlows(scope);
-        return Promise.resolve();
-    }
-    async registerAuthFlows(scope) {
-        await scope.registryFlows(well_known_prm_flow_1.default /** /.well-known/oauth-protected-resource */, well_known_oauth_authorization_server_flow_1.default /** /.well-known/oauth-authorization-server */, well_known_jwks_flow_1.default /** /.well-known/jwks.json */, session_verify_flow_1.default /** Session verification flow */);
-    }
-}
-exports.RemotePrimaryAuth = RemotePrimaryAuth;
-//# sourceMappingURL=instance.remote-primary-auth.js.map

package/src/auth/instances/instance.remote-primary-auth.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"instance.remote-primary-auth.js","sourceRoot":"","sources":["../../../../src/auth/instances/instance.remote-primary-auth.ts"],"names":[],"mappings":";;;;AAAA,yCAAsF;AAItF,kCAAsC;AACtC,+FAA4D;AAC5D,6IAAkF;AAClF,iGAA8D;AAC9D,+FAA6D;AAG7D,MAAa,iBAAkB,SAAQ,qBAAoC;IAKtD;IACA;IALV,KAAK,CAAgB;IACtB,IAAI,GAAG,IAAI,kBAAW,EAAE,CAAC;IAEjC,YACmB,KAAiB,EACjB,SAA2B,EAC5C,OAA+B;QAE/B,KAAK,CAAC,OAAO,CAAC,CAAC;QAJE,UAAK,GAAL,KAAK,CAAY;QACjB,cAAS,GAAT,SAAS,CAAkB;QAI5C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACjC,CAAC;IAEQ,KAAK,CAAC,KAAwB,EAAE,IAAkB;QACzD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEQ,QAAQ,CAAC,OAAsB;QACtC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACtC,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;QAE9C,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;YAC5B,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,QAAQ,EAAE;gBACR,KAAK,EAAE,sBAAa,CAAC,MAAM;gBAC3B,IAAI,EAAE,kBAAkB;aACzB;YACD,OAAO,EAAE,kBAAW;SACrB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACpC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,KAAY;QAC1C,MAAM,KAAK,CAAC,aAAa,CACvB,6BAAgB,CAAC,4CAA4C,EAC7D,oDAAe,CAAC,8CAA8C,EAC9D,8BAAiB,CAAC,6BAA6B,EAC/C,6BAAiB,CAAC,gCAAgC,CACnD,CAAC;IACJ,CAAC;CACF;AAjDD,8CAiDC","sourcesContent":["import { FrontMcpAuth, ProviderScope, ScopeEntry, ServerRequest } from '../../common';\nimport { TransparentAuthOptions } from '../../common/types/options/auth.options';\nimport { URL } from 'url';\nimport ProviderRegistry from '../../provider/provider.registry';\nimport { JwksService } from '../jwks';\nimport WellKnownPrmFlow from '../flows/well-known.prm.flow';\nimport WellKnownAsFlow from '../flows/well-known.oauth-authorization-server.flow';\nimport WellKnownJwksFlow from '../flows/well-known.jwks.flow';\nimport SessionVerifyFlow from '../flows/session.verify.flow';\nimport { Scope } from '../../scope';\n\nexport class RemotePrimaryAuth extends FrontMcpAuth<TransparentAuthOptions> {\n override ready: Promise<void>;\n private jwks = new JwksService();\n\n constructor(\n private readonly scope: ScopeEntry,\n private readonly providers: ProviderRegistry,\n options: TransparentAuthOptions,\n ) {\n super(options);\n this.ready = this.initialize();\n }\n\n override fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {\n return fetch(input, init);\n }\n\n override validate(request: ServerRequest): Promise<void> {\n return Promise.resolve();\n }\n\n get issuer(): string {\n return this.options.remote.provider;\n }\n\n protected async initialize() {\n const scope = this.providers.getActiveScope();\n\n this.providers.injectProvider({\n value: this.jwks,\n metadata: {\n scope: ProviderScope.GLOBAL,\n name: 'auth:jwk-service',\n },\n provide: JwksService,\n });\n\n await this.registerAuthFlows(scope);\n return Promise.resolve();\n }\n\n private async registerAuthFlows(scope: Scope) {\n await scope.registryFlows(\n WellKnownPrmFlow /** /.well-known/oauth-protected-resource */,\n WellKnownAsFlow /** /.well-known/oauth-authorization-server */,\n WellKnownJwksFlow /** /.well-known/jwks.json */,\n SessionVerifyFlow /** Session verification flow */,\n );\n }\n}\n"]}