@frontmcp/sdk 0.6.0 → 0.6.2
This diff shows the content of publicly available package versions that have been released to one of the supported registries. It is provided for informational purposes only and reflects the changes between package versions as they appear in their respective public registries.
- package/{src/auth → auth}/instances/instance.local-primary-auth.d.ts +1 -1
- package/{src/auth → auth}/instances/instance.remote-primary-auth.d.ts +1 -1
- package/{src/auth → auth}/session/index.d.ts +1 -0
- package/auth/session/vercel-kv-session.store.d.ts +96 -0
- package/{src/common → common}/interfaces/internal/primary-auth-provider.interface.d.ts +1 -4
- package/{src/common → common}/metadata/front-mcp.metadata.d.ts +1779 -67
- package/{src/common → common}/metadata/prompt.metadata.d.ts +4 -0
- package/{src/common → common}/metadata/resource.metadata.d.ts +8 -0
- package/{src/common → common}/metadata/tool-ui.metadata.d.ts +2 -2
- package/{src/common → common}/metadata/tool.metadata.d.ts +4 -0
- package/{src/common → common}/schemas/http-output.schema.d.ts +24 -6
- package/common/types/options/auth/app-auth.schema.d.ts +275 -0
- package/common/types/options/auth/auth.interfaces.d.ts +461 -0
- package/common/types/options/auth/auth.schema.d.ts +284 -0
- package/common/types/options/auth/auth.utils.d.ts +32 -0
- package/common/types/options/auth/index.d.ts +16 -0
- package/common/types/options/auth/orchestrated.schema.d.ts +381 -0
- package/common/types/options/auth/public.schema.d.ts +42 -0
- package/common/types/options/auth/shared.schemas.d.ts +120 -0
- package/common/types/options/auth/transparent.schema.d.ts +56 -0
- package/common/types/options/auth/transport.deprecated.d.ts +63 -0
- package/{src/common → common}/types/options/index.d.ts +1 -1
- package/common/types/options/redis.options.d.ts +190 -0
- package/{src/common → common}/types/options/server-info.options.d.ts +4 -0
- package/{src/common → common}/types/options/transport.options.d.ts +74 -5
- package/{src/common → common}/utils/decide-request-intent.utils.d.ts +6 -7
- package/common/utils/global-config.utils.d.ts +36 -0
- package/{src/common → common}/utils/index.d.ts +1 -0
- package/{src/completion → completion}/flows/complete.flow.d.ts +6 -8
- package/{src/errors → errors}/index.d.ts +1 -1
- package/{src/errors → errors}/mcp.error.d.ts +9 -0
- package/esm/index.mjs +22664 -0
- package/esm/mcp-apps/index.mjs +723 -0
- package/esm/package.json +81 -0
- package/{src/front-mcp → front-mcp}/front-mcp.providers.d.ts +246 -38
- package/front-mcp/index.d.ts +2 -0
- package/{src/index.d.ts → index.d.ts} +1 -1
- package/index.js +22957 -0
- package/logger/logger.tokens.d.ts +1 -0
- package/{src/logging → logging}/flows/set-level.flow.d.ts +6 -8
- package/mcp-apps/index.js +799 -0
- package/package.json +37 -17
- package/{src/prompt → prompt}/flows/get-prompt.flow.d.ts +14 -8
- package/{src/prompt → prompt}/flows/prompts-list.flow.d.ts +8 -7
- package/{src/resource → resource}/flows/read-resource.flow.d.ts +8 -9
- package/{src/resource → resource}/flows/resource-templates-list.flow.d.ts +8 -7
- package/{src/resource → resource}/flows/resources-list.flow.d.ts +8 -7
- package/{src/resource → resource}/flows/subscribe-resource.flow.d.ts +6 -8
- package/{src/resource → resource}/flows/unsubscribe-resource.flow.d.ts +6 -8
- package/store/adapters/store.vercel-kv.adapter.d.ts +86 -0
- package/{src/store → store}/index.d.ts +2 -0
- package/store/store.factory.d.ts +86 -0
- package/{src/tool → tool}/flows/call-tool.flow.d.ts +18 -9
- package/{src/tool → tool}/flows/tools-list.flow.d.ts +9 -8
- package/{src/tool → tool}/ui/index.d.ts +4 -4
- package/{src/tool → tool}/ui/platform-adapters.d.ts +2 -2
- package/{src/tool → tool}/ui/template-helpers.d.ts +5 -7
- package/{src/tool → tool}/ui/ui-resource.handler.d.ts +1 -1
- package/{src/transport → transport}/mcp-handlers/complete-request.handler.d.ts +4 -15
- package/{src/transport → transport}/mcp-handlers/get-prompt-request.handler.d.ts +5 -15
- package/{src/transport → transport}/mcp-handlers/index.d.ts +67 -195
- package/{src/transport → transport}/mcp-handlers/list-prompts-request.handler.d.ts +5 -15
- package/{src/transport → transport}/mcp-handlers/list-resource-templates-request.handler.d.ts +5 -15
- package/{src/transport → transport}/mcp-handlers/list-resources-request.handler.d.ts +5 -15
- package/{src/transport → transport}/mcp-handlers/list-tools-request.handler.d.ts +5 -15
- package/{src/transport → transport}/mcp-handlers/logging-set-level-request.handler.d.ts +3 -14
- package/{src/transport → transport}/mcp-handlers/read-resource-request.handler.d.ts +4 -15
- package/{src/transport → transport}/mcp-handlers/subscribe-request.handler.d.ts +3 -14
- package/{src/transport → transport}/mcp-handlers/unsubscribe-request.handler.d.ts +3 -14
- package/{src/transport → transport}/transport.registry.d.ts +5 -1
- package/README.md +0 -460
- package/src/adapter/adapter.instance.js +0 -70
- package/src/adapter/adapter.instance.js.map +0 -1
- package/src/adapter/adapter.regsitry.js +0 -54
- package/src/adapter/adapter.regsitry.js.map +0 -1
- package/src/adapter/adapter.utils.js +0 -83
- package/src/adapter/adapter.utils.js.map +0 -1
- package/src/app/app.registry.js +0 -66
- package/src/app/app.registry.js.map +0 -1
- package/src/app/app.utils.js +0 -58
- package/src/app/app.utils.js.map +0 -1
- package/src/app/instances/app.local.instance.js +0 -67
- package/src/app/instances/app.local.instance.js.map +0 -1
- package/src/app/instances/app.remote.instance.js +0 -36
- package/src/app/instances/app.remote.instance.js.map +0 -1
- package/src/app/instances/index.js +0 -6
- package/src/app/instances/index.js.map +0 -1
- package/src/auth/auth.registry.js +0 -219
- package/src/auth/auth.registry.js.map +0 -1
- package/src/auth/auth.utils.js +0 -84
- package/src/auth/auth.utils.js.map +0 -1
- package/src/auth/authorization/authorization.class.js +0 -217
- package/src/auth/authorization/authorization.class.js.map +0 -1
- package/src/auth/authorization/authorization.types.js +0 -79
- package/src/auth/authorization/authorization.types.js.map +0 -1
- package/src/auth/authorization/index.js +0 -19
- package/src/auth/authorization/index.js.map +0 -1
- package/src/auth/authorization/orchestrated.authorization.js +0 -306
- package/src/auth/authorization/orchestrated.authorization.js.map +0 -1
- package/src/auth/authorization/public.authorization.js +0 -132
- package/src/auth/authorization/public.authorization.js.map +0 -1
- package/src/auth/authorization/transparent.authorization.js +0 -147
- package/src/auth/authorization/transparent.authorization.js.map +0 -1
- package/src/auth/consent/consent.types.js +0 -119
- package/src/auth/consent/consent.types.js.map +0 -1
- package/src/auth/consent/index.js +0 -13
- package/src/auth/consent/index.js.map +0 -1
- package/src/auth/detection/auth-provider-detection.js +0 -230
- package/src/auth/detection/auth-provider-detection.js.map +0 -1
- package/src/auth/detection/index.js +0 -15
- package/src/auth/detection/index.js.map +0 -1
- package/src/auth/flows/auth.verify.flow.js +0 -379
- package/src/auth/flows/auth.verify.flow.js.map +0 -1
- package/src/auth/flows/oauth.authorize.flow.js +0 -822
- package/src/auth/flows/oauth.authorize.flow.js.map +0 -1
- package/src/auth/flows/oauth.callback.flow.js +0 -357
- package/src/auth/flows/oauth.callback.flow.js.map +0 -1
- package/src/auth/flows/oauth.register.flow.js +0 -201
- package/src/auth/flows/oauth.register.flow.js.map +0 -1
- package/src/auth/flows/oauth.token.flow.js +0 -319
- package/src/auth/flows/oauth.token.flow.js.map +0 -1
- package/src/auth/flows/session.verify.flow.js +0 -304
- package/src/auth/flows/session.verify.flow.js.map +0 -1
- package/src/auth/flows/well-known.jwks.flow.js +0 -89
- package/src/auth/flows/well-known.jwks.flow.js.map +0 -1
- package/src/auth/flows/well-known.oauth-authorization-server.flow.js +0 -122
- package/src/auth/flows/well-known.oauth-authorization-server.flow.js.map +0 -1
- package/src/auth/flows/well-known.prm.flow.js +0 -106
- package/src/auth/flows/well-known.prm.flow.js.map +0 -1
- package/src/auth/instances/instance.local-primary-auth.js +0 -308
- package/src/auth/instances/instance.local-primary-auth.js.map +0 -1
- package/src/auth/instances/instance.remote-primary-auth.js +0 -49
- package/src/auth/instances/instance.remote-primary-auth.js.map +0 -1
- package/src/auth/jwks/dev-key-persistence.js +0 -219
- package/src/auth/jwks/dev-key-persistence.js.map +0 -1
- package/src/auth/jwks/index.js +0 -7
- package/src/auth/jwks/index.js.map +0 -1
- package/src/auth/jwks/jwks.service.js +0 -303
- package/src/auth/jwks/jwks.service.js.map +0 -1
- package/src/auth/jwks/jwks.types.js +0 -3
- package/src/auth/jwks/jwks.types.js.map +0 -1
- package/src/auth/jwks/jwks.utils.js +0 -32
- package/src/auth/jwks/jwks.utils.js.map +0 -1
- package/src/auth/machine-id.js +0 -32
- package/src/auth/machine-id.js.map +0 -1
- package/src/auth/oauth/flows/oauth.authorize.flow.js +0 -33
- package/src/auth/oauth/flows/oauth.authorize.flow.js.map +0 -1
- package/src/auth/oauth/flows/oauth.device-authorization.flow.js +0 -48
- package/src/auth/oauth/flows/oauth.device-authorization.flow.js.map +0 -1
- package/src/auth/oauth/flows/oauth.introspect.flow.js +0 -28
- package/src/auth/oauth/flows/oauth.introspect.flow.js.map +0 -1
- package/src/auth/oauth/flows/oauth.par.flow.js +0 -29
- package/src/auth/oauth/flows/oauth.par.flow.js.map +0 -1
- package/src/auth/oauth/flows/oauth.revoke.flow.js +0 -27
- package/src/auth/oauth/flows/oauth.revoke.flow.js.map +0 -1
- package/src/auth/oauth/flows/oauth.token.flow.js +0 -59
- package/src/auth/oauth/flows/oauth.token.flow.js.map +0 -1
- package/src/auth/oauth/flows/oauth.userinfo.flow.js +0 -24
- package/src/auth/oauth/flows/oauth.userinfo.flow.js.map +0 -1
- package/src/auth/oauth/flows/oidc.logout.flow.js +0 -20
- package/src/auth/oauth/flows/oidc.logout.flow.js.map +0 -1
- package/src/auth/session/authorization-vault.js +0 -817
- package/src/auth/session/authorization-vault.js.map +0 -1
- package/src/auth/session/authorization.store.js +0 -323
- package/src/auth/session/authorization.store.js.map +0 -1
- package/src/auth/session/encrypted-authorization-vault.js +0 -493
- package/src/auth/session/encrypted-authorization-vault.js.map +0 -1
- package/src/auth/session/index.js +0 -16
- package/src/auth/session/index.js.map +0 -1
- package/src/auth/session/record/session.base.js +0 -125
- package/src/auth/session/record/session.base.js.map +0 -1
- package/src/auth/session/record/session.stateful.js +0 -55
- package/src/auth/session/record/session.stateful.js.map +0 -1
- package/src/auth/session/record/session.stateless.js +0 -32
- package/src/auth/session/record/session.stateless.js.map +0 -1
- package/src/auth/session/record/session.transparent.js +0 -22
- package/src/auth/session/record/session.transparent.js.map +0 -1
- package/src/auth/session/redis-session.store.js +0 -204
- package/src/auth/session/redis-session.store.js.map +0 -1
- package/src/auth/session/session.crypto.js +0 -47
- package/src/auth/session/session.crypto.js.map +0 -1
- package/src/auth/session/session.schema.js +0 -13
- package/src/auth/session/session.schema.js.map +0 -1
- package/src/auth/session/session.service.js +0 -105
- package/src/auth/session/session.service.js.map +0 -1
- package/src/auth/session/session.transport.js +0 -20
- package/src/auth/session/session.transport.js.map +0 -1
- package/src/auth/session/session.types.js +0 -4
- package/src/auth/session/session.types.js.map +0 -1
- package/src/auth/session/token.refresh.js +0 -63
- package/src/auth/session/token.refresh.js.map +0 -1
- package/src/auth/session/token.store.js +0 -53
- package/src/auth/session/token.store.js.map +0 -1
- package/src/auth/session/token.vault.js +0 -54
- package/src/auth/session/token.vault.js.map +0 -1
- package/src/auth/session/transport-session.manager.js +0 -298
- package/src/auth/session/transport-session.manager.js.map +0 -1
- package/src/auth/session/transport-session.types.js +0 -111
- package/src/auth/session/transport-session.types.js.map +0 -1
- package/src/auth/session/utils/auth-token.utils.js +0 -57
- package/src/auth/session/utils/auth-token.utils.js.map +0 -1
- package/src/auth/session/utils/session-id.utils.js +0 -217
- package/src/auth/session/utils/session-id.utils.js.map +0 -1
- package/src/auth/session/utils/tiny-ttl-cache.js +0 -26
- package/src/auth/session/utils/tiny-ttl-cache.js.map +0 -1
- package/src/auth/session/vault-encryption.js +0 -263
- package/src/auth/session/vault-encryption.js.map +0 -1
- package/src/auth/ui/base-layout.js +0 -279
- package/src/auth/ui/base-layout.js.map +0 -1
- package/src/auth/ui/index.js +0 -34
- package/src/auth/ui/index.js.map +0 -1
- package/src/auth/ui/templates.js +0 -426
- package/src/auth/ui/templates.js.map +0 -1
- package/src/auth/utils/audience.validator.js +0 -196
- package/src/auth/utils/audience.validator.js.map +0 -1
- package/src/auth/utils/index.js +0 -7
- package/src/auth/utils/index.js.map +0 -1
- package/src/auth/utils/www-authenticate.utils.js +0 -183
- package/src/auth/utils/www-authenticate.utils.js.map +0 -1
- package/src/common/common.schema.js +0 -35
- package/src/common/common.schema.js.map +0 -1
- package/src/common/constants.js +0 -13
- package/src/common/constants.js.map +0 -1
- package/src/common/decorators/adapter.decorator.js +0 -20
- package/src/common/decorators/adapter.decorator.js.map +0 -1
- package/src/common/decorators/app.decorator.js +0 -44
- package/src/common/decorators/app.decorator.js.map +0 -1
- package/src/common/decorators/auth-provider.decorator.js +0 -20
- package/src/common/decorators/auth-provider.decorator.js.map +0 -1
- package/src/common/decorators/decorator-utils.js +0 -195
- package/src/common/decorators/decorator-utils.js.map +0 -1
- package/src/common/decorators/flow.decorator.js +0 -19
- package/src/common/decorators/flow.decorator.js.map +0 -1
- package/src/common/decorators/front-mcp.decorator.js +0 -67
- package/src/common/decorators/front-mcp.decorator.js.map +0 -1
- package/src/common/decorators/hook.decorator.js +0 -178
- package/src/common/decorators/hook.decorator.js.map +0 -1
- package/src/common/decorators/index.js +0 -16
- package/src/common/decorators/index.js.map +0 -1
- package/src/common/decorators/logger.decorator.js +0 -20
- package/src/common/decorators/logger.decorator.js.map +0 -1
- package/src/common/decorators/plugin.decorator.js +0 -39
- package/src/common/decorators/plugin.decorator.js.map +0 -1
- package/src/common/decorators/prompt.decorator.js +0 -38
- package/src/common/decorators/prompt.decorator.js.map +0 -1
- package/src/common/decorators/provider.decorator.js +0 -20
- package/src/common/decorators/provider.decorator.js.map +0 -1
- package/src/common/decorators/resource.decorator.js +0 -94
- package/src/common/decorators/resource.decorator.js.map +0 -1
- package/src/common/decorators/tool.decorator.js +0 -45
- package/src/common/decorators/tool.decorator.js.map +0 -1
- package/src/common/dynamic/dynamic.adapter.js +0 -28
- package/src/common/dynamic/dynamic.adapter.js.map +0 -1
- package/src/common/dynamic/dynamic.plugin.js +0 -42
- package/src/common/dynamic/dynamic.plugin.js.map +0 -1
- package/src/common/dynamic/dynamic.utils.js +0 -27
- package/src/common/dynamic/dynamic.utils.js.map +0 -1
- package/src/common/dynamic/index.js +0 -6
- package/src/common/dynamic/index.js.map +0 -1
- package/src/common/entries/adapter.entry.js +0 -8
- package/src/common/entries/adapter.entry.js.map +0 -1
- package/src/common/entries/app.entry.js +0 -9
- package/src/common/entries/app.entry.js.map +0 -1
- package/src/common/entries/auth-provider.entry.js +0 -8
- package/src/common/entries/auth-provider.entry.js.map +0 -1
- package/src/common/entries/base.entry.js +0 -17
- package/src/common/entries/base.entry.js.map +0 -1
- package/src/common/entries/flow.entry.js +0 -21
- package/src/common/entries/flow.entry.js.map +0 -1
- package/src/common/entries/hook.entry.js +0 -20
- package/src/common/entries/hook.entry.js.map +0 -1
- package/src/common/entries/index.js +0 -17
- package/src/common/entries/index.js.map +0 -1
- package/src/common/entries/logger.entry.js +0 -8
- package/src/common/entries/logger.entry.js.map +0 -1
- package/src/common/entries/plugin.entry.js +0 -8
- package/src/common/entries/plugin.entry.js.map +0 -1
- package/src/common/entries/prompt.entry.js +0 -18
- package/src/common/entries/prompt.entry.js.map +0 -1
- package/src/common/entries/provider.entry.js +0 -8
- package/src/common/entries/provider.entry.js.map +0 -1
- package/src/common/entries/resource.entry.js +0 -35
- package/src/common/entries/resource.entry.js.map +0 -1
- package/src/common/entries/scope.entry.js +0 -14
- package/src/common/entries/scope.entry.js.map +0 -1
- package/src/common/entries/tool.entry.js +0 -31
- package/src/common/entries/tool.entry.js.map +0 -1
- package/src/common/flow/flow.utils.js +0 -96
- package/src/common/flow/flow.utils.js.map +0 -1
- package/src/common/index.js +0 -20
- package/src/common/index.js.map +0 -1
- package/src/common/interfaces/adapter.interface.js +0 -3
- package/src/common/interfaces/adapter.interface.js.map +0 -1
- package/src/common/interfaces/app.interface.js +0 -3
- package/src/common/interfaces/app.interface.js.map +0 -1
- package/src/common/interfaces/auth-hook.interface.js +0 -135
- package/src/common/interfaces/auth-hook.interface.js.map +0 -1
- package/src/common/interfaces/auth-provider.interface.js +0 -18
- package/src/common/interfaces/auth-provider.interface.js.map +0 -1
- package/src/common/interfaces/base.interface.js +0 -3
- package/src/common/interfaces/base.interface.js.map +0 -1
- package/src/common/interfaces/execution-context.interface.js +0 -166
- package/src/common/interfaces/execution-context.interface.js.map +0 -1
- package/src/common/interfaces/flow.interface.js +0 -95
- package/src/common/interfaces/flow.interface.js.map +0 -1
- package/src/common/interfaces/front-mcp.interface.js +0 -3
- package/src/common/interfaces/front-mcp.interface.js.map +0 -1
- package/src/common/interfaces/hook.interface.js +0 -3
- package/src/common/interfaces/hook.interface.js.map +0 -1
- package/src/common/interfaces/index.js +0 -21
- package/src/common/interfaces/index.js.map +0 -1
- package/src/common/interfaces/internal/flow.utils.js +0 -83
- package/src/common/interfaces/internal/flow.utils.js.map +0 -1
- package/src/common/interfaces/internal/index.js +0 -7
- package/src/common/interfaces/internal/index.js.map +0 -1
- package/src/common/interfaces/internal/primary-auth-provider.interface.js +0 -81
- package/src/common/interfaces/internal/primary-auth-provider.interface.js.map +0 -1
- package/src/common/interfaces/internal/registry.interface.js +0 -3
- package/src/common/interfaces/internal/registry.interface.js.map +0 -1
- package/src/common/interfaces/logger.interface.js +0 -10
- package/src/common/interfaces/logger.interface.js.map +0 -1
- package/src/common/interfaces/plugin.interface.js +0 -3
- package/src/common/interfaces/plugin.interface.js.map +0 -1
- package/src/common/interfaces/prompt.interface.js +0 -81
- package/src/common/interfaces/prompt.interface.js.map +0 -1
- package/src/common/interfaces/provider.interface.js +0 -18
- package/src/common/interfaces/provider.interface.js.map +0 -1
- package/src/common/interfaces/resource.interface.js +0 -56
- package/src/common/interfaces/resource.interface.js.map +0 -1
- package/src/common/interfaces/scope.interface.js +0 -3
- package/src/common/interfaces/scope.interface.js.map +0 -1
- package/src/common/interfaces/server.interface.js +0 -18
- package/src/common/interfaces/server.interface.js.map +0 -1
- package/src/common/interfaces/session-hook.interface.js +0 -140
- package/src/common/interfaces/session-hook.interface.js.map +0 -1
- package/src/common/interfaces/tool-hook.interface.js +0 -92
- package/src/common/interfaces/tool-hook.interface.js.map +0 -1
- package/src/common/interfaces/tool.interface.js +0 -117
- package/src/common/interfaces/tool.interface.js.map +0 -1
- package/src/common/metadata/adapter.metadata.js +0 -10
- package/src/common/metadata/adapter.metadata.js.map +0 -1
- package/src/common/metadata/app.metadata.js +0 -30
- package/src/common/metadata/app.metadata.js.map +0 -1
- package/src/common/metadata/auth-provider.metadata.js +0 -19
- package/src/common/metadata/auth-provider.metadata.js.map +0 -1
- package/src/common/metadata/flow.metadata.js +0 -15
- package/src/common/metadata/flow.metadata.js.map +0 -1
- package/src/common/metadata/front-mcp.metadata.js +0 -29
- package/src/common/metadata/front-mcp.metadata.js.map +0 -1
- package/src/common/metadata/hook.metadata.js +0 -3
- package/src/common/metadata/hook.metadata.js.map +0 -1
- package/src/common/metadata/index.js +0 -17
- package/src/common/metadata/index.js.map +0 -1
- package/src/common/metadata/logger.metadata.js +0 -10
- package/src/common/metadata/logger.metadata.js.map +0 -1
- package/src/common/metadata/plugin.metadata.js +0 -18
- package/src/common/metadata/plugin.metadata.js.map +0 -1
- package/src/common/metadata/prompt.metadata.js +0 -27
- package/src/common/metadata/prompt.metadata.js.map +0 -1
- package/src/common/metadata/provider.metadata.js +0 -36
- package/src/common/metadata/provider.metadata.js.map +0 -1
- package/src/common/metadata/resource.metadata.js +0 -31
- package/src/common/metadata/resource.metadata.js.map +0 -1
- package/src/common/metadata/tool-ui.metadata.js +0 -12
- package/src/common/metadata/tool-ui.metadata.js.map +0 -1
- package/src/common/metadata/tool.metadata.js +0 -55
- package/src/common/metadata/tool.metadata.js.map +0 -1
- package/src/common/migrate/auth-transport.migrate.js +0 -140
- package/src/common/migrate/auth-transport.migrate.js.map +0 -1
- package/src/common/migrate/index.js +0 -6
- package/src/common/migrate/index.js.map +0 -1
- package/src/common/providers/base-config.provider.js +0 -128
- package/src/common/providers/base-config.provider.js.map +0 -1
- package/src/common/records/adapter.record.js +0 -11
- package/src/common/records/adapter.record.js.map +0 -1
- package/src/common/records/app.record.js +0 -9
- package/src/common/records/app.record.js.map +0 -1
- package/src/common/records/auth-provider.record.js +0 -12
- package/src/common/records/auth-provider.record.js.map +0 -1
- package/src/common/records/flow.record.js +0 -8
- package/src/common/records/flow.record.js.map +0 -1
- package/src/common/records/hook.record.js +0 -8
- package/src/common/records/hook.record.js.map +0 -1
- package/src/common/records/index.js +0 -16
- package/src/common/records/index.js.map +0 -1
- package/src/common/records/logger.record.js +0 -8
- package/src/common/records/logger.record.js.map +0 -1
- package/src/common/records/plugin.record.js +0 -11
- package/src/common/records/plugin.record.js.map +0 -1
- package/src/common/records/prompt.record.js +0 -9
- package/src/common/records/prompt.record.js.map +0 -1
- package/src/common/records/provider.record.js +0 -14
- package/src/common/records/provider.record.js.map +0 -1
- package/src/common/records/resource.record.js +0 -20
- package/src/common/records/resource.record.js.map +0 -1
- package/src/common/records/scope.record.js +0 -9
- package/src/common/records/scope.record.js.map +0 -1
- package/src/common/records/tool.record.js +0 -9
- package/src/common/records/tool.record.js.map +0 -1
- package/src/common/schemas/annotated-class.schema.js +0 -109
- package/src/common/schemas/annotated-class.schema.js.map +0 -1
- package/src/common/schemas/http-input.schema.js +0 -13
- package/src/common/schemas/http-input.schema.js.map +0 -1
- package/src/common/schemas/http-output.schema.js +0 -321
- package/src/common/schemas/http-output.schema.js.map +0 -1
- package/src/common/schemas/index.js +0 -8
- package/src/common/schemas/index.js.map +0 -1
- package/src/common/schemas/session-header.schema.js +0 -42
- package/src/common/schemas/session-header.schema.js.map +0 -1
- package/src/common/tokens/adapter.tokens.js +0 -11
- package/src/common/tokens/adapter.tokens.js.map +0 -1
- package/src/common/tokens/app.tokens.js +0 -30
- package/src/common/tokens/app.tokens.js.map +0 -1
- package/src/common/tokens/auth-provider.tokens.js +0 -12
- package/src/common/tokens/auth-provider.tokens.js.map +0 -1
- package/src/common/tokens/base.tokens.js +0 -9
- package/src/common/tokens/base.tokens.js.map +0 -1
- package/src/common/tokens/flow-hook.tokens.js +0 -9
- package/src/common/tokens/flow-hook.tokens.js.map +0 -1
- package/src/common/tokens/flow.tokens.js +0 -16
- package/src/common/tokens/flow.tokens.js.map +0 -1
- package/src/common/tokens/front-mcp.tokens.js +0 -24
- package/src/common/tokens/front-mcp.tokens.js.map +0 -1
- package/src/common/tokens/index.js +0 -17
- package/src/common/tokens/index.js.map +0 -1
- package/src/common/tokens/logger.tokens.js +0 -11
- package/src/common/tokens/logger.tokens.js.map +0 -1
- package/src/common/tokens/plugin.tokens.js +0 -18
- package/src/common/tokens/plugin.tokens.js.map +0 -1
- package/src/common/tokens/prompt.tokens.js +0 -14
- package/src/common/tokens/prompt.tokens.js.map +0 -1
- package/src/common/tokens/provider.tokens.js +0 -12
- package/src/common/tokens/provider.tokens.js.map +0 -1
- package/src/common/tokens/resource.tokens.js +0 -28
- package/src/common/tokens/resource.tokens.js.map +0 -1
- package/src/common/tokens/server.tokens.js +0 -11
- package/src/common/tokens/server.tokens.js.map +0 -1
- package/src/common/tokens/tool.tokens.js +0 -21
- package/src/common/tokens/tool.tokens.js.map +0 -1
- package/src/common/types/auth/index.js +0 -6
- package/src/common/types/auth/index.js.map +0 -1
- package/src/common/types/auth/jwt.types.js +0 -36
- package/src/common/types/auth/jwt.types.js.map +0 -1
- package/src/common/types/auth/session.types.js +0 -53
- package/src/common/types/auth/session.types.js.map +0 -1
- package/src/common/types/common.types.js +0 -3
- package/src/common/types/common.types.js.map +0 -1
- package/src/common/types/index.js +0 -7
- package/src/common/types/index.js.map +0 -1
- package/src/common/types/options/auth.options.d.ts +0 -1266
- package/src/common/types/options/auth.options.js +0 -560
- package/src/common/types/options/auth.options.js.map +0 -1
- package/src/common/types/options/http.options.js +0 -10
- package/src/common/types/options/http.options.js.map +0 -1
- package/src/common/types/options/index.js +0 -11
- package/src/common/types/options/index.js.map +0 -1
- package/src/common/types/options/logging.options.js +0 -33
- package/src/common/types/options/logging.options.js.map +0 -1
- package/src/common/types/options/redis.options.d.ts +0 -22
- package/src/common/types/options/redis.options.js +0 -45
- package/src/common/types/options/redis.options.js.map +0 -1
- package/src/common/types/options/server-info.options.js +0 -13
- package/src/common/types/options/server-info.options.js.map +0 -1
- package/src/common/types/options/session.options.js +0 -32
- package/src/common/types/options/session.options.js.map +0 -1
- package/src/common/types/options/transport.options.js +0 -121
- package/src/common/types/options/transport.options.js.map +0 -1
- package/src/common/utils/decide-request-intent.utils.js +0 -391
- package/src/common/utils/decide-request-intent.utils.js.map +0 -1
- package/src/common/utils/index.js +0 -6
- package/src/common/utils/index.js.map +0 -1
- package/src/common/utils/path.utils.js +0 -66
- package/src/common/utils/path.utils.js.map +0 -1
- package/src/completion/flows/complete.flow.js +0 -199
- package/src/completion/flows/complete.flow.js.map +0 -1
- package/src/context/frontmcp-context-storage.js +0 -183
- package/src/context/frontmcp-context-storage.js.map +0 -1
- package/src/context/frontmcp-context.js +0 -360
- package/src/context/frontmcp-context.js.map +0 -1
- package/src/context/frontmcp-context.provider.js +0 -61
- package/src/context/frontmcp-context.provider.js.map +0 -1
- package/src/context/index.js +0 -64
- package/src/context/index.js.map +0 -1
- package/src/context/request-context-storage.js +0 -183
- package/src/context/request-context-storage.js.map +0 -1
- package/src/context/request-context.js +0 -209
- package/src/context/request-context.js.map +0 -1
- package/src/context/request-context.provider.js +0 -51
- package/src/context/request-context.provider.js.map +0 -1
- package/src/context/session-key.provider.js +0 -65
- package/src/context/session-key.provider.js.map +0 -1
- package/src/context/trace-context.js +0 -142
- package/src/context/trace-context.js.map +0 -1
- package/src/errors/authorization-required.error.js +0 -274
- package/src/errors/authorization-required.error.js.map +0 -1
- package/src/errors/error-handler.js +0 -107
- package/src/errors/error-handler.js.map +0 -1
- package/src/errors/index.js +0 -44
- package/src/errors/index.js.map +0 -1
- package/src/errors/mcp.error.js +0 -398
- package/src/errors/mcp.error.js.map +0 -1
- package/src/exceptions/mcp-exceptions/session-missing.exception.js +0 -11
- package/src/exceptions/mcp-exceptions/session-missing.exception.js.map +0 -1
- package/src/exceptions/mcp-exceptions/unsupported-client-version.exception.js +0 -15
- package/src/exceptions/mcp-exceptions/unsupported-client-version.exception.js.map +0 -1
- package/src/flows/flow.instance.js +0 -420
- package/src/flows/flow.instance.js.map +0 -1
- package/src/flows/flow.registry.js +0 -121
- package/src/flows/flow.registry.js.map +0 -1
- package/src/flows/flow.stages.js +0 -113
- package/src/flows/flow.stages.js.map +0 -1
- package/src/flows/flow.utils.js +0 -36
- package/src/flows/flow.utils.js.map +0 -1
- package/src/front-mcp/front-mcp.js +0 -63
- package/src/front-mcp/front-mcp.js.map +0 -1
- package/src/front-mcp/front-mcp.providers.js +0 -29
- package/src/front-mcp/front-mcp.providers.js.map +0 -1
- package/src/front-mcp/front-mcp.tokens.js +0 -5
- package/src/front-mcp/front-mcp.tokens.js.map +0 -1
- package/src/front-mcp/index.d.ts +0 -1
- package/src/front-mcp/index.js +0 -5
- package/src/front-mcp/index.js.map +0 -1
- package/src/front-mcp/serverless-handler.js +0 -61
- package/src/front-mcp/serverless-handler.js.map +0 -1
- package/src/hooks/hook.instance.js +0 -26
- package/src/hooks/hook.instance.js.map +0 -1
- package/src/hooks/hook.registry.js +0 -152
- package/src/hooks/hook.registry.js.map +0 -1
- package/src/hooks/hooks.utils.js +0 -34
- package/src/hooks/hooks.utils.js.map +0 -1
- package/src/index.js +0 -36
- package/src/index.js.map +0 -1
- package/src/logger/instances/instance.console-logger.js +0 -75
- package/src/logger/instances/instance.console-logger.js.map +0 -1
- package/src/logger/instances/instance.logger.js +0 -77
- package/src/logger/instances/instance.logger.js.map +0 -1
- package/src/logger/logger.registry.js +0 -96
- package/src/logger/logger.registry.js.map +0 -1
- package/src/logger/logger.tokens.js +0 -3
- package/src/logger/logger.tokens.js.map +0 -1
- package/src/logger/logger.types.js +0 -8
- package/src/logger/logger.types.js.map +0 -1
- package/src/logger/logger.utils.js +0 -42
- package/src/logger/logger.utils.js.map +0 -1
- package/src/logging/flows/set-level.flow.js +0 -108
- package/src/logging/flows/set-level.flow.js.map +0 -1
- package/src/mcp-apps/csp.js +0 -267
- package/src/mcp-apps/csp.js.map +0 -1
- package/src/mcp-apps/index.js +0 -91
- package/src/mcp-apps/index.js.map +0 -1
- package/src/mcp-apps/schemas.js +0 -345
- package/src/mcp-apps/schemas.js.map +0 -1
- package/src/mcp-apps/template.js +0 -419
- package/src/mcp-apps/template.js.map +0 -1
- package/src/mcp-apps/types.js +0 -59
- package/src/mcp-apps/types.js.map +0 -1
- package/src/notification/index.js +0 -13
- package/src/notification/index.js.map +0 -1
- package/src/notification/notification.service.js +0 -731
- package/src/notification/notification.service.js.map +0 -1
- package/src/plugin/plugin.registry.js +0 -152
- package/src/plugin/plugin.registry.js.map +0 -1
- package/src/plugin/plugin.utils.js +0 -88
- package/src/plugin/plugin.utils.js.map +0 -1
- package/src/prompt/flows/get-prompt.flow.js +0 -214
- package/src/prompt/flows/get-prompt.flow.js.map +0 -1
- package/src/prompt/flows/prompts-list.flow.js +0 -176
- package/src/prompt/flows/prompts-list.flow.js.map +0 -1
- package/src/prompt/index.js +0 -17
- package/src/prompt/index.js.map +0 -1
- package/src/prompt/prompt.events.js +0 -25
- package/src/prompt/prompt.events.js.map +0 -1
- package/src/prompt/prompt.instance.js +0 -120
- package/src/prompt/prompt.instance.js.map +0 -1
- package/src/prompt/prompt.registry.js +0 -380
- package/src/prompt/prompt.registry.js.map +0 -1
- package/src/prompt/prompt.types.js +0 -11
- package/src/prompt/prompt.types.js.map +0 -1
- package/src/prompt/prompt.utils.js +0 -136
- package/src/prompt/prompt.utils.js.map +0 -1
- package/src/provider/provider.registry.js +0 -868
- package/src/provider/provider.registry.js.map +0 -1
- package/src/provider/provider.types.js +0 -3
- package/src/provider/provider.types.js.map +0 -1
- package/src/provider/provider.utils.js +0 -103
- package/src/provider/provider.utils.js.map +0 -1
- package/src/regsitry/index.js +0 -5
- package/src/regsitry/index.js.map +0 -1
- package/src/regsitry/registry.base.js +0 -32
- package/src/regsitry/registry.base.js.map +0 -1
- package/src/resource/flows/read-resource.flow.js +0 -270
- package/src/resource/flows/read-resource.flow.js.map +0 -1
- package/src/resource/flows/resource-templates-list.flow.js +0 -191
- package/src/resource/flows/resource-templates-list.flow.js.map +0 -1
- package/src/resource/flows/resources-list.flow.js +0 -196
- package/src/resource/flows/resources-list.flow.js.map +0 -1
- package/src/resource/flows/subscribe-resource.flow.js +0 -123
- package/src/resource/flows/subscribe-resource.flow.js.map +0 -1
- package/src/resource/flows/unsubscribe-resource.flow.js +0 -107
- package/src/resource/flows/unsubscribe-resource.flow.js.map +0 -1
- package/src/resource/index.js +0 -20
- package/src/resource/index.js.map +0 -1
- package/src/resource/resource.events.js +0 -17
- package/src/resource/resource.events.js.map +0 -1
- package/src/resource/resource.instance.js +0 -163
- package/src/resource/resource.instance.js.map +0 -1
- package/src/resource/resource.registry.js +0 -468
- package/src/resource/resource.registry.js.map +0 -1
- package/src/resource/resource.types.js +0 -11
- package/src/resource/resource.types.js.map +0 -1
- package/src/resource/resource.utils.js +0 -151
- package/src/resource/resource.utils.js.map +0 -1
- package/src/scope/flows/http.request.flow.js +0 -474
- package/src/scope/flows/http.request.flow.js.map +0 -1
- package/src/scope/index.js +0 -6
- package/src/scope/index.js.map +0 -1
- package/src/scope/scope.instance.js +0 -263
- package/src/scope/scope.instance.js.map +0 -1
- package/src/scope/scope.registry.js +0 -94
- package/src/scope/scope.registry.js.map +0 -1
- package/src/scope/scope.utils.js +0 -61
- package/src/scope/scope.utils.js.map +0 -1
- package/src/server/adapters/base.host.adapter.js +0 -8
- package/src/server/adapters/base.host.adapter.js.map +0 -1
- package/src/server/adapters/express.host.adapter.js +0 -70
- package/src/server/adapters/express.host.adapter.js.map +0 -1
- package/src/server/server.instance.js +0 -54
- package/src/server/server.instance.js.map +0 -1
- package/src/server/server.types.js +0 -3
- package/src/server/server.types.js.map +0 -1
- package/src/server/server.validation.js +0 -192
- package/src/server/server.validation.js.map +0 -1
- package/src/store/adapters/store.base.adapter.js +0 -16
- package/src/store/adapters/store.base.adapter.js.map +0 -1
- package/src/store/adapters/store.memory.adapter.js +0 -89
- package/src/store/adapters/store.memory.adapter.js.map +0 -1
- package/src/store/adapters/store.redis.adapter.js +0 -104
- package/src/store/adapters/store.redis.adapter.js.map +0 -1
- package/src/store/index.js +0 -12
- package/src/store/index.js.map +0 -1
- package/src/store/store.helpers.js +0 -67
- package/src/store/store.helpers.js.map +0 -1
- package/src/store/store.registry.js +0 -37
- package/src/store/store.registry.js.map +0 -1
- package/src/store/store.tokens.js +0 -7
- package/src/store/store.tokens.js.map +0 -1
- package/src/store/store.types.js +0 -11
- package/src/store/store.types.js.map +0 -1
- package/src/store/store.utils.js +0 -18
- package/src/store/store.utils.js.map +0 -1
- package/src/tool/flows/call-tool.flow.js +0 -616
- package/src/tool/flows/call-tool.flow.js.map +0 -1
- package/src/tool/flows/tools-list.flow.js +0 -328
- package/src/tool/flows/tools-list.flow.js.map +0 -1
- package/src/tool/tool.events.js +0 -16
- package/src/tool/tool.events.js.map +0 -1
- package/src/tool/tool.instance.js +0 -117
- package/src/tool/tool.instance.js.map +0 -1
- package/src/tool/tool.registry.js +0 -353
- package/src/tool/tool.registry.js.map +0 -1
- package/src/tool/tool.types.js +0 -10
- package/src/tool/tool.types.js.map +0 -1
- package/src/tool/tool.utils.js +0 -366
- package/src/tool/tool.utils.js.map +0 -1
- package/src/tool/ui/index.js +0 -63
- package/src/tool/ui/index.js.map +0 -1
- package/src/tool/ui/platform-adapters.js +0 -18
- package/src/tool/ui/platform-adapters.js.map +0 -1
- package/src/tool/ui/template-helpers.js +0 -112
- package/src/tool/ui/template-helpers.js.map +0 -1
- package/src/tool/ui/ui-resource-template.js +0 -64
- package/src/tool/ui/ui-resource-template.js.map +0 -1
- package/src/tool/ui/ui-resource.handler.js +0 -129
- package/src/tool/ui/ui-resource.handler.js.map +0 -1
- package/src/transport/adapters/transport.local.adapter.js +0 -148
- package/src/transport/adapters/transport.local.adapter.js.map +0 -1
- package/src/transport/adapters/transport.sse.adapter.js +0 -65
- package/src/transport/adapters/transport.sse.adapter.js.map +0 -1
- package/src/transport/adapters/transport.streamable-http.adapter.js +0 -112
- package/src/transport/adapters/transport.streamable-http.adapter.js.map +0 -1
- package/src/transport/flows/handle.sse.flow.js +0 -197
- package/src/transport/flows/handle.sse.flow.js.map +0 -1
- package/src/transport/flows/handle.stateless-http.flow.js +0 -102
- package/src/transport/flows/handle.stateless-http.flow.js.map +0 -1
- package/src/transport/flows/handle.streamable-http.flow.js +0 -315
- package/src/transport/flows/handle.streamable-http.flow.js.map +0 -1
- package/src/transport/legacy/legacy.sse.tranporter.js +0 -185
- package/src/transport/legacy/legacy.sse.tranporter.js.map +0 -1
- package/src/transport/mcp-handlers/Initialized-notification.hanlder.js +0 -14
- package/src/transport/mcp-handlers/Initialized-notification.hanlder.js.map +0 -1
- package/src/transport/mcp-handlers/call-tool-request.handler.js +0 -46
- package/src/transport/mcp-handlers/call-tool-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/complete-request.handler.js +0 -11
- package/src/transport/mcp-handlers/complete-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/get-prompt-request.handler.js +0 -11
- package/src/transport/mcp-handlers/get-prompt-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/index.js +0 -57
- package/src/transport/mcp-handlers/index.js.map +0 -1
- package/src/transport/mcp-handlers/initialize-request.handler.js +0 -109
- package/src/transport/mcp-handlers/initialize-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/list-prompts-request.handler.js +0 -11
- package/src/transport/mcp-handlers/list-prompts-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/list-resource-templates-request.handler.js +0 -12
- package/src/transport/mcp-handlers/list-resource-templates-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/list-resources-request.handler.js +0 -12
- package/src/transport/mcp-handlers/list-resources-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/list-tools-request.handler.js +0 -11
- package/src/transport/mcp-handlers/list-tools-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/logging-set-level-request.handler.js +0 -34
- package/src/transport/mcp-handlers/logging-set-level-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/mcp-handlers.types.js +0 -3
- package/src/transport/mcp-handlers/mcp-handlers.types.js.map +0 -1
- package/src/transport/mcp-handlers/read-resource-request.handler.js +0 -12
- package/src/transport/mcp-handlers/read-resource-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js +0 -26
- package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js.map +0 -1
- package/src/transport/mcp-handlers/subscribe-request.handler.js +0 -34
- package/src/transport/mcp-handlers/subscribe-request.handler.js.map +0 -1
- package/src/transport/mcp-handlers/unsubscribe-request.handler.js +0 -34
- package/src/transport/mcp-handlers/unsubscribe-request.handler.js.map +0 -1
- package/src/transport/transport.error.js +0 -25
- package/src/transport/transport.error.js.map +0 -1
- package/src/transport/transport.event-store.js +0 -36
- package/src/transport/transport.event-store.js.map +0 -1
- package/src/transport/transport.local.js +0 -71
- package/src/transport/transport.local.js.map +0 -1
- package/src/transport/transport.registry.js +0 -523
- package/src/transport/transport.registry.js.map +0 -1
- package/src/transport/transport.remote.js +0 -31
- package/src/transport/transport.remote.js.map +0 -1
- package/src/transport/transport.types.js +0 -3
- package/src/transport/transport.types.js.map +0 -1
- package/src/types/drinen-hooks.types.js +0 -3
- package/src/types/drinen-hooks.types.js.map +0 -1
- package/src/types/invoke.type.js +0 -34
- package/src/types/invoke.type.js.map +0 -1
- package/src/types/token.types.js +0 -3
- package/src/types/token.types.js.map +0 -1
- package/src/utils/content.utils.js +0 -194
- package/src/utils/content.utils.js.map +0 -1
- package/src/utils/index.js +0 -55
- package/src/utils/index.js.map +0 -1
- package/src/utils/lineage.utils.js +0 -82
- package/src/utils/lineage.utils.js.map +0 -1
- package/src/utils/metadata.utils.js +0 -26
- package/src/utils/metadata.utils.js.map +0 -1
- package/src/utils/naming.utils.js +0 -136
- package/src/utils/naming.utils.js.map +0 -1
- package/src/utils/server.utils.js +0 -59
- package/src/utils/server.utils.js.map +0 -1
- package/src/utils/string.utils.js +0 -10
- package/src/utils/string.utils.js.map +0 -1
- package/src/utils/token.utils.js +0 -65
- package/src/utils/token.utils.js.map +0 -1
- package/src/utils/types.utils.js +0 -3
- package/src/utils/types.utils.js.map +0 -1
- package/src/utils/uri-template.utils.js +0 -113
- package/src/utils/uri-template.utils.js.map +0 -1
- package/src/utils/uri-validation.utils.js +0 -76
- package/src/utils/uri-validation.utils.js.map +0 -1
- package/{src/adapter → adapter}/adapter.instance.d.ts +0 -0
- package/{src/adapter → adapter}/adapter.regsitry.d.ts +0 -0
- package/{src/adapter → adapter}/adapter.utils.d.ts +0 -0
- package/{src/app → app}/app.registry.d.ts +0 -0
- package/{src/app → app}/app.utils.d.ts +0 -0
- package/{src/app → app}/instances/app.local.instance.d.ts +0 -0
- package/{src/app → app}/instances/app.remote.instance.d.ts +0 -0
- package/{src/app → app}/instances/index.d.ts +0 -0
- package/{src/auth → auth}/auth.registry.d.ts +0 -0
- package/{src/auth → auth}/auth.utils.d.ts +0 -0
- package/{src/auth → auth}/authorization/authorization.class.d.ts +0 -0
- package/{src/auth → auth}/authorization/authorization.types.d.ts +0 -0
- package/{src/auth → auth}/authorization/index.d.ts +0 -0
- package/{src/auth → auth}/authorization/orchestrated.authorization.d.ts +0 -0
- package/{src/auth → auth}/authorization/public.authorization.d.ts +0 -0
- package/{src/auth → auth}/authorization/transparent.authorization.d.ts +0 -0
- package/{src/auth → auth}/consent/consent.types.d.ts +0 -0
- package/{src/auth → auth}/consent/index.d.ts +0 -0
- package/{src/auth → auth}/detection/auth-provider-detection.d.ts +0 -0
- package/{src/auth → auth}/detection/index.d.ts +0 -0
- package/{src/auth → auth}/flows/auth.verify.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/oauth.authorize.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/oauth.callback.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/oauth.register.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/oauth.token.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/session.verify.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/well-known.jwks.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/well-known.oauth-authorization-server.flow.d.ts +0 -0
- package/{src/auth → auth}/flows/well-known.prm.flow.d.ts +0 -0
- package/{src/auth → auth}/jwks/dev-key-persistence.d.ts +0 -0
- package/{src/auth → auth}/jwks/index.d.ts +0 -0
- package/{src/auth → auth}/jwks/jwks.service.d.ts +0 -0
- package/{src/auth → auth}/jwks/jwks.types.d.ts +0 -0
- package/{src/auth → auth}/jwks/jwks.utils.d.ts +0 -0
- package/{src/auth → auth}/machine-id.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.authorize.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.device-authorization.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.introspect.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.par.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.revoke.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.token.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oauth.userinfo.flow.d.ts +0 -0
- package/{src/auth → auth}/oauth/flows/oidc.logout.flow.d.ts +0 -0
- package/{src/auth → auth}/session/authorization-vault.d.ts +0 -0
- package/{src/auth → auth}/session/authorization.store.d.ts +0 -0
- package/{src/auth → auth}/session/encrypted-authorization-vault.d.ts +0 -0
- package/{src/auth → auth}/session/record/session.base.d.ts +0 -0
- package/{src/auth → auth}/session/record/session.stateful.d.ts +0 -0
- package/{src/auth → auth}/session/record/session.stateless.d.ts +0 -0
- package/{src/auth → auth}/session/record/session.transparent.d.ts +0 -0
- package/{src/auth → auth}/session/redis-session.store.d.ts +0 -0
- package/{src/auth → auth}/session/session.crypto.d.ts +0 -0
- package/{src/auth → auth}/session/session.schema.d.ts +0 -0
- package/{src/auth → auth}/session/session.service.d.ts +0 -0
- package/{src/auth → auth}/session/session.transport.d.ts +0 -0
- package/{src/auth → auth}/session/session.types.d.ts +0 -0
- package/{src/auth → auth}/session/token.refresh.d.ts +0 -0
- package/{src/auth → auth}/session/token.store.d.ts +0 -0
- package/{src/auth → auth}/session/token.vault.d.ts +0 -0
- package/{src/auth → auth}/session/transport-session.manager.d.ts +0 -0
- package/{src/auth → auth}/session/transport-session.types.d.ts +0 -0
- package/{src/auth → auth}/session/utils/auth-token.utils.d.ts +0 -0
- package/{src/auth → auth}/session/utils/session-id.utils.d.ts +0 -0
- package/{src/auth → auth}/session/utils/tiny-ttl-cache.d.ts +0 -0
- package/{src/auth → auth}/session/vault-encryption.d.ts +0 -0
- package/{src/auth → auth}/ui/base-layout.d.ts +0 -0
- package/{src/auth → auth}/ui/index.d.ts +0 -0
- package/{src/auth → auth}/ui/templates.d.ts +0 -0
- package/{src/auth → auth}/utils/audience.validator.d.ts +0 -0
- package/{src/auth → auth}/utils/index.d.ts +0 -0
- package/{src/auth → auth}/utils/www-authenticate.utils.d.ts +0 -0
- package/{src/common → common}/common.schema.d.ts +0 -0
- package/{src/common → common}/constants.d.ts +0 -0
- package/{src/common → common}/decorators/adapter.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/app.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/auth-provider.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/decorator-utils.d.ts +0 -0
- package/{src/common → common}/decorators/flow.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/front-mcp.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/hook.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/index.d.ts +0 -0
- package/{src/common → common}/decorators/logger.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/plugin.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/prompt.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/provider.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/resource.decorator.d.ts +0 -0
- package/{src/common → common}/decorators/tool.decorator.d.ts +0 -0
- package/{src/common → common}/dynamic/dynamic.adapter.d.ts +0 -0
- package/{src/common → common}/dynamic/dynamic.plugin.d.ts +0 -0
- package/{src/common → common}/dynamic/dynamic.utils.d.ts +0 -0
- package/{src/common → common}/dynamic/index.d.ts +0 -0
- package/{src/common → common}/entries/adapter.entry.d.ts +0 -0
- package/{src/common → common}/entries/app.entry.d.ts +0 -0
- package/{src/common → common}/entries/auth-provider.entry.d.ts +0 -0
- package/{src/common → common}/entries/base.entry.d.ts +0 -0
- package/{src/common → common}/entries/flow.entry.d.ts +0 -0
- package/{src/common → common}/entries/hook.entry.d.ts +0 -0
- package/{src/common → common}/entries/index.d.ts +0 -0
- package/{src/common → common}/entries/logger.entry.d.ts +0 -0
- package/{src/common → common}/entries/plugin.entry.d.ts +0 -0
- package/{src/common → common}/entries/prompt.entry.d.ts +0 -0
- package/{src/common → common}/entries/provider.entry.d.ts +0 -0
- package/{src/common → common}/entries/resource.entry.d.ts +0 -0
- package/{src/common → common}/entries/scope.entry.d.ts +0 -0
- package/{src/common → common}/entries/tool.entry.d.ts +0 -0
- package/{src/common → common}/flow/flow.utils.d.ts +0 -0
- package/{src/common → common}/index.d.ts +0 -0
- package/{src/common → common}/interfaces/adapter.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/app.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/auth-hook.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/auth-provider.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/base.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/execution-context.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/flow.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/front-mcp.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/hook.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/index.d.ts +0 -0
- package/{src/common → common}/interfaces/internal/flow.utils.d.ts +0 -0
- package/{src/common → common}/interfaces/internal/index.d.ts +0 -0
- package/{src/common → common}/interfaces/internal/registry.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/logger.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/plugin.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/prompt.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/provider.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/resource.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/scope.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/server.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/session-hook.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/tool-hook.interface.d.ts +0 -0
- package/{src/common → common}/interfaces/tool.interface.d.ts +0 -0
- package/{src/common → common}/metadata/adapter.metadata.d.ts +0 -0
- package/{src/common → common}/metadata/app.metadata.d.ts +42 -42
- /package/{src/common → common}/metadata/auth-provider.metadata.d.ts +0 -0
- /package/{src/common → common}/metadata/flow.metadata.d.ts +0 -0
- /package/{src/common → common}/metadata/hook.metadata.d.ts +0 -0
- /package/{src/common → common}/metadata/index.d.ts +0 -0
- /package/{src/common → common}/metadata/logger.metadata.d.ts +0 -0
- /package/{src/common → common}/metadata/plugin.metadata.d.ts +0 -0
- /package/{src/common → common}/metadata/provider.metadata.d.ts +0 -0
- /package/{src/common → common}/migrate/auth-transport.migrate.d.ts +0 -0
- /package/{src/common → common}/migrate/index.d.ts +0 -0
- /package/{src/common → common}/providers/base-config.provider.d.ts +0 -0
- /package/{src/common → common}/records/adapter.record.d.ts +0 -0
- /package/{src/common → common}/records/app.record.d.ts +0 -0
- /package/{src/common → common}/records/auth-provider.record.d.ts +0 -0
- /package/{src/common → common}/records/flow.record.d.ts +0 -0
- /package/{src/common → common}/records/hook.record.d.ts +0 -0
- /package/{src/common → common}/records/index.d.ts +0 -0
- /package/{src/common → common}/records/logger.record.d.ts +0 -0
- /package/{src/common → common}/records/plugin.record.d.ts +0 -0
- /package/{src/common → common}/records/prompt.record.d.ts +0 -0
- /package/{src/common → common}/records/provider.record.d.ts +0 -0
- /package/{src/common → common}/records/resource.record.d.ts +0 -0
- /package/{src/common → common}/records/scope.record.d.ts +0 -0
- /package/{src/common → common}/records/tool.record.d.ts +0 -0
- /package/{src/common → common}/schemas/annotated-class.schema.d.ts +0 -0
- /package/{src/common → common}/schemas/http-input.schema.d.ts +0 -0
- /package/{src/common → common}/schemas/index.d.ts +0 -0
- /package/{src/common → common}/schemas/session-header.schema.d.ts +0 -0
- /package/{src/common → common}/tokens/adapter.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/app.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/auth-provider.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/base.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/flow-hook.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/flow.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/front-mcp.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/index.d.ts +0 -0
- /package/{src/common → common}/tokens/logger.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/plugin.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/prompt.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/provider.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/resource.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/server.tokens.d.ts +0 -0
- /package/{src/common → common}/tokens/tool.tokens.d.ts +0 -0
- /package/{src/common → common}/types/auth/index.d.ts +0 -0
- /package/{src/common → common}/types/auth/jwt.types.d.ts +0 -0
- /package/{src/common → common}/types/auth/session.types.d.ts +0 -0
- /package/{src/common → common}/types/common.types.d.ts +0 -0
- /package/{src/common → common}/types/index.d.ts +0 -0
- /package/{src/logger/logger.tokens.d.ts → common/types/options/auth/auth.typecheck.d.ts} +0 -0
- /package/{src/common → common}/types/options/http.options.d.ts +0 -0
- /package/{src/common → common}/types/options/logging.options.d.ts +0 -0
- /package/{src/common → common}/types/options/session.options.d.ts +0 -0
- /package/{src/common → common}/utils/path.utils.d.ts +0 -0
- /package/{src/context → context}/frontmcp-context-storage.d.ts +0 -0
- /package/{src/context → context}/frontmcp-context.d.ts +0 -0
- /package/{src/context → context}/frontmcp-context.provider.d.ts +0 -0
- /package/{src/context → context}/index.d.ts +0 -0
- /package/{src/context → context}/request-context-storage.d.ts +0 -0
- /package/{src/context → context}/request-context.d.ts +0 -0
- /package/{src/context → context}/request-context.provider.d.ts +0 -0
- /package/{src/context → context}/session-key.provider.d.ts +0 -0
- /package/{src/context → context}/trace-context.d.ts +0 -0
- /package/{src/errors → errors}/authorization-required.error.d.ts +0 -0
- /package/{src/errors → errors}/error-handler.d.ts +0 -0
- /package/{src/exceptions → exceptions}/mcp-exceptions/session-missing.exception.d.ts +0 -0
- /package/{src/exceptions → exceptions}/mcp-exceptions/unsupported-client-version.exception.d.ts +0 -0
- /package/{src/flows → flows}/flow.instance.d.ts +0 -0
- /package/{src/flows → flows}/flow.registry.d.ts +0 -0
- /package/{src/flows → flows}/flow.stages.d.ts +0 -0
- /package/{src/flows → flows}/flow.utils.d.ts +0 -0
- /package/{src/front-mcp → front-mcp}/front-mcp.d.ts +0 -0
- /package/{src/front-mcp → front-mcp}/front-mcp.tokens.d.ts +0 -0
- /package/{src/front-mcp → front-mcp}/serverless-handler.d.ts +0 -0
- /package/{src/hooks → hooks}/hook.instance.d.ts +0 -0
- /package/{src/hooks → hooks}/hook.registry.d.ts +0 -0
- /package/{src/hooks → hooks}/hooks.utils.d.ts +0 -0
- /package/{src/logger → logger}/instances/instance.console-logger.d.ts +0 -0
- /package/{src/logger → logger}/instances/instance.logger.d.ts +0 -0
- /package/{src/logger → logger}/logger.registry.d.ts +0 -0
- /package/{src/logger → logger}/logger.types.d.ts +0 -0
- /package/{src/logger → logger}/logger.utils.d.ts +0 -0
- /package/{src/mcp-apps → mcp-apps}/csp.d.ts +0 -0
- /package/{src/mcp-apps → mcp-apps}/index.d.ts +0 -0
- /package/{src/mcp-apps → mcp-apps}/schemas.d.ts +0 -0
- /package/{src/mcp-apps → mcp-apps}/template.d.ts +0 -0
- /package/{src/mcp-apps → mcp-apps}/types.d.ts +0 -0
- /package/{src/notification → notification}/index.d.ts +0 -0
- /package/{src/notification → notification}/notification.service.d.ts +0 -0
- /package/{src/plugin → plugin}/plugin.registry.d.ts +0 -0
- /package/{src/plugin → plugin}/plugin.utils.d.ts +0 -0
- /package/{src/prompt → prompt}/index.d.ts +0 -0
- /package/{src/prompt → prompt}/prompt.events.d.ts +0 -0
- /package/{src/prompt → prompt}/prompt.instance.d.ts +0 -0
- /package/{src/prompt → prompt}/prompt.registry.d.ts +0 -0
- /package/{src/prompt → prompt}/prompt.types.d.ts +0 -0
- /package/{src/prompt → prompt}/prompt.utils.d.ts +0 -0
- /package/{src/provider → provider}/provider.registry.d.ts +0 -0
- /package/{src/provider → provider}/provider.types.d.ts +0 -0
- /package/{src/provider → provider}/provider.utils.d.ts +0 -0
- /package/{src/regsitry → regsitry}/index.d.ts +0 -0
- /package/{src/regsitry → regsitry}/registry.base.d.ts +0 -0
- /package/{src/resource → resource}/index.d.ts +0 -0
- /package/{src/resource → resource}/resource.events.d.ts +0 -0
- /package/{src/resource → resource}/resource.instance.d.ts +0 -0
- /package/{src/resource → resource}/resource.registry.d.ts +0 -0
- /package/{src/resource → resource}/resource.types.d.ts +0 -0
- /package/{src/resource → resource}/resource.utils.d.ts +0 -0
- /package/{src/scope → scope}/flows/http.request.flow.d.ts +0 -0
- /package/{src/scope → scope}/index.d.ts +0 -0
- /package/{src/scope → scope}/scope.instance.d.ts +0 -0
- /package/{src/scope → scope}/scope.registry.d.ts +0 -0
- /package/{src/scope → scope}/scope.utils.d.ts +0 -0
- /package/{src/server → server}/adapters/base.host.adapter.d.ts +0 -0
- /package/{src/server → server}/adapters/express.host.adapter.d.ts +0 -0
- /package/{src/server → server}/server.instance.d.ts +0 -0
- /package/{src/server → server}/server.types.d.ts +0 -0
- /package/{src/server → server}/server.validation.d.ts +0 -0
- /package/{src/store → store}/adapters/store.base.adapter.d.ts +0 -0
- /package/{src/store → store}/adapters/store.memory.adapter.d.ts +0 -0
- /package/{src/store → store}/adapters/store.redis.adapter.d.ts +0 -0
- /package/{src/store → store}/store.helpers.d.ts +0 -0
- /package/{src/store → store}/store.registry.d.ts +0 -0
- /package/{src/store → store}/store.tokens.d.ts +0 -0
- /package/{src/store → store}/store.types.d.ts +0 -0
- /package/{src/store → store}/store.utils.d.ts +0 -0
- /package/{src/tool → tool}/tool.events.d.ts +0 -0
- /package/{src/tool → tool}/tool.instance.d.ts +0 -0
- /package/{src/tool → tool}/tool.registry.d.ts +0 -0
- /package/{src/tool → tool}/tool.types.d.ts +0 -0
- /package/{src/tool → tool}/tool.utils.d.ts +0 -0
- /package/{src/tool → tool}/ui/ui-resource-template.d.ts +0 -0
- /package/{src/transport → transport}/adapters/transport.local.adapter.d.ts +0 -0
- /package/{src/transport → transport}/adapters/transport.sse.adapter.d.ts +0 -0
- /package/{src/transport → transport}/adapters/transport.streamable-http.adapter.d.ts +0 -0
- /package/{src/transport → transport}/flows/handle.sse.flow.d.ts +0 -0
- /package/{src/transport → transport}/flows/handle.stateless-http.flow.d.ts +0 -0
- /package/{src/transport → transport}/flows/handle.streamable-http.flow.d.ts +0 -0
- /package/{src/transport → transport}/legacy/legacy.sse.tranporter.d.ts +0 -0
- /package/{src/transport → transport}/mcp-handlers/Initialized-notification.hanlder.d.ts +0 -0
- /package/{src/transport → transport}/mcp-handlers/call-tool-request.handler.d.ts +0 -0
- /package/{src/transport → transport}/mcp-handlers/initialize-request.handler.d.ts +0 -0
- /package/{src/transport → transport}/mcp-handlers/mcp-handlers.types.d.ts +0 -0
- /package/{src/transport → transport}/mcp-handlers/roots-list-changed-notification.handler.d.ts +0 -0
- /package/{src/transport → transport}/transport.error.d.ts +0 -0
- /package/{src/transport → transport}/transport.event-store.d.ts +0 -0
- /package/{src/transport → transport}/transport.local.d.ts +0 -0
- /package/{src/transport → transport}/transport.remote.d.ts +0 -0
- /package/{src/transport → transport}/transport.types.d.ts +0 -0
- /package/{src/types → types}/drinen-hooks.types.d.ts +0 -0
- /package/{src/types → types}/invoke.type.d.ts +0 -0
- /package/{src/types → types}/token.types.d.ts +0 -0
- /package/{src/utils → utils}/content.utils.d.ts +0 -0
- /package/{src/utils → utils}/index.d.ts +0 -0
- /package/{src/utils → utils}/lineage.utils.d.ts +0 -0
- /package/{src/utils → utils}/metadata.utils.d.ts +0 -0
- /package/{src/utils → utils}/naming.utils.d.ts +0 -0
- /package/{src/utils → utils}/server.utils.d.ts +0 -0
- /package/{src/utils → utils}/string.utils.d.ts +0 -0
- /package/{src/utils → utils}/token.utils.d.ts +0 -0
- /package/{src/utils → utils}/types.utils.d.ts +0 -0
- /package/{src/utils → utils}/uri-template.utils.d.ts +0 -0
- /package/{src/utils → utils}/uri-validation.utils.d.ts +0 -0
|
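--- a/package/src/auth/session/utils/session-id.utils.js
+++ /dev/null
@@ -1,217 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.encryptJson = encryptJson;
-exports.decryptPublicSession = decryptPublicSession;
-exports.parseSessionHeader = parseSessionHeader;
-exports.createSessionId = createSessionId;
-exports.generateSessionCookie = generateSessionCookie;
-exports.extractSessionFromCookie = extractSessionFromCookie;
-exports.updateSessionPayload = updateSessionPayload;
-// auth/session/utils/session-id.utils.ts
-const crypto_1 = require("crypto");
-const tiny_ttl_cache_1 = require("./tiny-ttl-cache");
-const auth_token_utils_1 = require("./auth-token.utils");
-const notification_service_1 = require("../../../notification/notification.service");
-const machine_id_1 = require("../../machine-id");
-// 5s TTL cache for decrypted headers
-const cache = new tiny_ttl_cache_1.TinyTtlCache(5000);
-// Symmetric key derived from secret or machine id (stable for the process)
-// Uses getMachineId() from authorization module as single source of truth
-function getKey() {
-const base = process.env['MCP_SESSION_SECRET'] || (0, machine_id_1.getMachineId)();
-return (0, crypto_1.createHash)('sha256').update(base).digest(); // 32 bytes
-}
-function b64urlEncode(buf) {
-return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
-}
-function b64urlDecode(s) {
-const pad = 4 - (s.length % 4);
-const base64 = s.replace(/-/g, '+').replace(/_/g, '/') + (pad < 4 ? '='.repeat(pad) : '');
-return Buffer.from(base64, 'base64');
-}
-function encryptJson(obj) {
-const key = getKey();
-const iv = (0, crypto_1.randomBytes)(12); // AES-GCM 96-bit IV
-const cipher = (0, crypto_1.createCipheriv)('aes-256-gcm', key, iv);
-const pt = Buffer.from(JSON.stringify(obj), 'utf8');
-const ct = Buffer.concat([cipher.update(pt), cipher.final()]);
-const tag = cipher.getAuthTag();
-// Pack iv.tag.ct as base64url(iv.tag.ct)
-return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;
-}
-/**
-* Low-level decryption that returns the raw JSON payload or null.
-* Handles all crypto/parsing failures by returning null.
-*/
-function decryptSessionJson(sessionId) {
-const parts = sessionId.split('.');
-if (parts.length !== 3)
-return null;
-const [ivB64, tagB64, ctB64] = parts;
-if (!ivB64 || !tagB64 || !ctB64)
-return null;
-const key = getKey();
-const iv = b64urlDecode(ivB64);
-const tag = b64urlDecode(tagB64);
-const ct = b64urlDecode(ctB64);
-const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', key, iv);
-decipher.setAuthTag(tag);
-const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
-return JSON.parse(pt.toString('utf8'));
-}
-function isValidSessionPayload(dec, sig) {
-if (typeof dec !== 'object' || dec === null)
-return false;
-const d = dec;
-return (typeof d['nodeId'] === 'string' &&
-typeof d['authSig'] === 'string' &&
-typeof d['uuid'] === 'string' &&
-typeof d['iat'] === 'number' &&
-d['authSig'] === sig);
-}
-function isValidPublicSessionPayload(dec) {
-if (typeof dec !== 'object' || dec === null)
-return false;
-const d = dec;
-return (typeof d['nodeId'] === 'string' &&
-d['authSig'] === 'public' &&
-typeof d['uuid'] === 'string' &&
-typeof d['iat'] === 'number' &&
-d['isPublic'] === true);
-}
-function decryptSessionId(sessionId, sig) {
-const dec = safeDecrypt(sessionId);
-return isValidSessionPayload(dec, sig) ? dec : null;
-}
-/**
-* Decrypt a public session ID without signature verification.
-* Public sessions use authSig: 'public' and isPublic: true.
-* First checks the cache for potentially updated payload (e.g., platformType).
-*/
-function decryptPublicSession(sessionId) {
-// Check cache first - may have updated fields like platformType
-const cached = cache.get(sessionId);
-if (cached && isValidPublicSessionPayload(cached)) {
-return cached;
-}
-// Fall back to decrypting from the encrypted session ID
-const dec = safeDecrypt(sessionId);
-if (isValidPublicSessionPayload(dec)) {
-// Cache the decrypted payload for future requests
-cache.set(sessionId, dec);
-return dec;
-}
-return null;
-}
-/**
-* Safe wrapper around decryptSessionJson that catches crypto/parse errors.
-*/
-function safeDecrypt(sessionId) {
-try {
-return decryptSessionJson(sessionId);
-}
-catch {
-return null;
-}
-}
-function nowSec() {
-return Math.floor(Date.now() / 1000);
-}
-/**
-* Validates an existing session header OR creates a fresh one.
-* - Valid: nodeId matches local, authSig matches current Authorization
-* - On any mismatch/decrypt error → generate new
-*/
-function parseSessionHeader(sessionHeader, token) {
-const currentAuthSig = (0, auth_token_utils_1.getTokenSignatureFingerprint)(token);
-if (sessionHeader) {
-const cached = cache.get(sessionHeader);
-if (cached) {
-if (cached.authSig === currentAuthSig) {
-return { id: sessionHeader, payload: cached };
-}
-// fallthrough to regenerate if mismatch
-}
-const dec = decryptSessionId(sessionHeader, currentAuthSig);
-if (dec) {
-cache.set(sessionHeader, dec);
-return { id: sessionHeader, payload: dec };
-}
-}
-return undefined;
-// // Create fresh
-// const decodedSse: SessionIdPayload = {
-// nodeId: MACHINE_ID,
-// authSig: currentAuthSig,
-// uuid: randomUUID(),
-// iat: nowSec(),
-// };
-// const header = encryptJson(decoded);
-// const headerSse = encryptJson(decodedSse);
-// cache.set(header, decoded);
-// cache.set(headerSse, decodedSse);
-// return { header, decoded, headerSse, isNew: true };
-}
-function createSessionId(protocol, token, options) {
-const authSig = (0, auth_token_utils_1.getTokenSignatureFingerprint)(token);
-// Detect platform from user-agent if provided (before MCP initialize)
-let platformType;
-if (options?.userAgent) {
-platformType = (0, notification_service_1.detectPlatformFromUserAgent)(options.userAgent, options.platformDetectionConfig);
-// Only set if we detected something meaningful
-if (platformType === 'unknown') {
-platformType = undefined;
-}
-}
-const payload = {
-nodeId: (0, machine_id_1.getMachineId)(),
-authSig,
-uuid: (0, crypto_1.randomUUID)(),
-iat: nowSec(),
-protocol,
-platformType,
-};
-const id = encryptJson(payload);
-cache.set(id, payload);
-return { id, payload };
-}
-function generateSessionCookie(sessionId, ttlInMinutes = 60 * 24) {
-const expires = new Date(Date.now() + ttlInMinutes * 60 * 1000).toUTCString();
-return `mcp_session_id=${sessionId}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;
-}
-function extractSessionFromCookie(cookie) {
-if (!cookie)
-return undefined;
-const m = cookie.match(/(^|;)\s*mcp_session_id\s*=\s*([^;]*)/);
-return m ? m[2] : undefined;
-}
-/**
-* Update a cached session payload with new data.
-* This is used to persist changes like platformType detection that happen
-* after the initial session creation.
-*
-* @param sessionId - The session ID to update
-* @param updates - Partial payload updates to merge
-* @returns true if the session was found and updated, false otherwise
-*/
-function updateSessionPayload(sessionId, updates) {
-const existing = cache.get(sessionId);
-if (existing) {
-// Merge updates into existing payload
-Object.assign(existing, updates);
-// Re-set to refresh TTL
-cache.set(sessionId, existing);
-return true;
-}
-// Try to decrypt and update if not in cache
-const decrypted = safeDecrypt(sessionId);
-if (isValidSessionPayload(decrypted, decrypted?.authSig || '') ||
-isValidPublicSessionPayload(decrypted)) {
-const payload = decrypted;
-Object.assign(payload, updates);
-cache.set(sessionId, payload);
-return true;
-}
-return false;
-}
-//# sourceMappingURL=session-id.utils.js.map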
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"session-id.utils.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":";;AA6BA,kCASC;AA0DD,oDAeC;AAsBD,gDAmCC;AASD,0CAwBC;AAED,sDAGC;AAED,4DAIC;AAWD,oDAuBC;AAtPD,yCAAyC;AACzC,mCAA+F;AAC/F,qDAAgD;AAEhD,yDAAkE;AAClE,qFAAyF;AAEzF,iDAAgD;AAEhD,qCAAqC;AACrC,MAAM,KAAK,GAAG,IAAI,6BAAY,CAA2B,IAAI,CAAC,CAAC;AAE/D,2EAA2E;AAC3E,0EAA0E;AAC1E,SAAS,MAAM;IACb,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAA,yBAAY,GAAE,CAAC;IACjE,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW;AAChE,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1F,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,WAAW,CAAC,GAAY;IACtC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAChD,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,yCAAyC;IACzC,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;IACrC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI
,CAAC;IAE7C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAE/B,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY,EAAE,GAAW;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,CACrB,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,GAAY;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,IAAI,CACvB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB,EAAE,GAAW;IACtD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,SAAiB;IACpD,gEAAgE;IAChE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,MAAM,IAAI,2BAA2B,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wDAAwD;IACxD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,2BAA2B,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,kDAAkD;QAClD,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,GAAuB,CAAC,CAAC;QAC9C,OAAO,GAAuB,CAAC;IACjC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,SAAiB;IACpC,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,MAAM;IA
Cb,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAChC,aAAiC,EACjC,KAAa;IAEb,MAAM,cAAc,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;gBACtC,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YAChD,CAAC;YACD,wCAAwC;QAC1C,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,GAAuB,EAAE,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;IACjB,kBAAkB;IAElB,yCAAyC;IACzC,wBAAwB;IACxB,6BAA6B;IAC7B,wBAAwB;IACxB,mBAAmB;IACnB,KAAK;IACL,uCAAuC;IACvC,6CAA6C;IAC7C,8BAA8B;IAC9B,oCAAoC;IACpC,sDAAsD;AACxD,CAAC;AASD,SAAgB,eAAe,CAAC,QAA+B,EAAE,KAAa,EAAE,OAA8B;IAC5G,MAAM,OAAO,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAEpD,sEAAsE;IACtE,IAAI,YAAwC,CAAC;IAC7C,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,YAAY,GAAG,IAAA,kDAA2B,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;QAC/F,+CAA+C;QAC/C,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,YAAY,GAAG,SAAS,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB;QAChC,MAAM,EAAE,IAAA,yBAAY,GAAE;QACtB,OAAO;QACP,IAAI,EAAE,IAAA,mBAAU,GAAE;QAClB,GAAG,EAAE,MAAM,EAAE;QACb,QAAQ;QACR,YAAY;KACb,CAAC;IACF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACvB,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACzB,CAAC;AAED,SAAgB,qBAAqB,CAAC,SAAiB,EAAE,YAAY,GAAG,EAAE,GAAG,EAAE;IAC7E,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,OAAO,kBAAkB,SAAS,qBAAqB,OAAO,0BAA0B,CAAC;AAC3F,CAAC;AAED,SAAgB,wBAAwB,CAAC,MAAe;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC/D,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9B,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,oBAAoB,CAAC,SAAiB,EAAE,OAAkC;IACxF,MAAM,QAAQ,GAAG
,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,QAAQ,EAAE,CAAC;QACb,sCAAsC;QACtC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjC,wBAAwB;QACxB,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4CAA4C;IAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,IACE,qBAAqB,CAAC,SAAS,EAAG,SAA8B,EAAE,OAAO,IAAI,EAAE,CAAC;QAChF,2BAA2B,CAAC,SAAS,CAAC,EACtC,CAAC;QACD,MAAM,OAAO,GAAG,SAA6B,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// auth/session/utils/session-id.utils.ts\nimport { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';\nimport { TinyTtlCache } from './tiny-ttl-cache';\nimport { SessionIdPayload, TransportProtocolType, AIPlatformType } from '../../../common';\nimport { getTokenSignatureFingerprint } from './auth-token.utils';\nimport { detectPlatformFromUserAgent } from '../../../notification/notification.service';\nimport type { PlatformDetectionConfig } from '../../../common/types/options/session.options';\nimport { getMachineId } from '../../machine-id';\n\n// 5s TTL cache for decrypted headers\nconst cache = new TinyTtlCache<string, SessionIdPayload>(5000);\n\n// Symmetric key derived from secret or machine id (stable for the process)\n// Uses getMachineId() from authorization module as single source of truth\nfunction getKey(): Buffer {\n const base = process.env['MCP_SESSION_SECRET'] || getMachineId();\n return createHash('sha256').update(base).digest(); // 32 bytes\n}\n\nfunction b64urlEncode(buf: Buffer): string {\n return buf.toString('base64').replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/g, '');\n}\n\nfunction b64urlDecode(s: string): Buffer {\n const pad = 4 - (s.length % 4);\n const base64 = s.replace(/-/g, '+').replace(/_/g, '/') + (pad < 4 ? 
'='.repeat(pad) : '');\n return Buffer.from(base64, 'base64');\n}\n\nexport function encryptJson(obj: unknown): string {\n const key = getKey();\n const iv = randomBytes(12); // AES-GCM 96-bit IV\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n const pt = Buffer.from(JSON.stringify(obj), 'utf8');\n const ct = Buffer.concat([cipher.update(pt), cipher.final()]);\n const tag = cipher.getAuthTag();\n // Pack iv.tag.ct as base64url(iv.tag.ct)\n return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;\n}\n\n/**\n * Low-level decryption that returns the raw JSON payload or null.\n * Handles all crypto/parsing failures by returning null.\n */\nfunction decryptSessionJson(sessionId: string): unknown {\n const parts = sessionId.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n if (!ivB64 || !tagB64 || !ctB64) return null;\n\n const key = getKey();\n const iv = b64urlDecode(ivB64);\n const tag = b64urlDecode(tagB64);\n const ct = b64urlDecode(ctB64);\n\n const decipher = createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n const pt = Buffer.concat([decipher.update(ct), decipher.final()]);\n return JSON.parse(pt.toString('utf8'));\n}\n\nfunction isValidSessionPayload(dec: unknown, sig: string): dec is SessionIdPayload {\n if (typeof dec !== 'object' || dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n typeof d['authSig'] === 'string' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['authSig'] === sig\n );\n}\n\nfunction isValidPublicSessionPayload(dec: unknown): dec is SessionIdPayload {\n if (typeof dec !== 'object' || dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n d['authSig'] === 'public' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['isPublic'] === true\n );\n}\n\nfunction 
decryptSessionId(sessionId: string, sig: string): SessionIdPayload | null {\n const dec = safeDecrypt(sessionId);\n return isValidSessionPayload(dec, sig) ? dec : null;\n}\n\n/**\n * Decrypt a public session ID without signature verification.\n * Public sessions use authSig: 'public' and isPublic: true.\n * First checks the cache for potentially updated payload (e.g., platformType).\n */\nexport function decryptPublicSession(sessionId: string): SessionIdPayload | null {\n // Check cache first - may have updated fields like platformType\n const cached = cache.get(sessionId);\n if (cached && isValidPublicSessionPayload(cached)) {\n return cached;\n }\n\n // Fall back to decrypting from the encrypted session ID\n const dec = safeDecrypt(sessionId);\n if (isValidPublicSessionPayload(dec)) {\n // Cache the decrypted payload for future requests\n cache.set(sessionId, dec as SessionIdPayload);\n return dec as SessionIdPayload;\n }\n return null;\n}\n\n/**\n * Safe wrapper around decryptSessionJson that catches crypto/parse errors.\n */\nfunction safeDecrypt(sessionId: string): unknown {\n try {\n return decryptSessionJson(sessionId);\n } catch {\n return null;\n }\n}\n\nfunction nowSec(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/**\n * Validates an existing session header OR creates a fresh one.\n * - Valid: nodeId matches local, authSig matches current Authorization\n * - On any mismatch/decrypt error → generate new\n */\nexport function parseSessionHeader(\n sessionHeader: string | undefined,\n token: string,\n): { id: string; payload: SessionIdPayload } | undefined {\n const currentAuthSig = getTokenSignatureFingerprint(token);\n if (sessionHeader) {\n const cached = cache.get(sessionHeader);\n if (cached) {\n if (cached.authSig === currentAuthSig) {\n return { id: sessionHeader, payload: cached };\n }\n // fallthrough to regenerate if mismatch\n }\n\n const dec = decryptSessionId(sessionHeader, currentAuthSig);\n if (dec) {\n cache.set(sessionHeader, 
dec);\n return { id: sessionHeader, payload: dec as SessionIdPayload };\n }\n }\n\n return undefined;\n // // Create fresh\n\n // const decodedSse: SessionIdPayload = {\n // nodeId: MACHINE_ID,\n // authSig: currentAuthSig,\n // uuid: randomUUID(),\n // iat: nowSec(),\n // };\n // const header = encryptJson(decoded);\n // const headerSse = encryptJson(decodedSse);\n // cache.set(header, decoded);\n // cache.set(headerSse, decodedSse);\n // return { header, decoded, headerSse, isNew: true };\n}\n\nexport interface CreateSessionOptions {\n /** User-Agent header for pre-initialize platform detection */\n userAgent?: string;\n /** Platform detection configuration from scope */\n platformDetectionConfig?: PlatformDetectionConfig;\n}\n\nexport function createSessionId(protocol: TransportProtocolType, token: string, options?: CreateSessionOptions) {\n const authSig = getTokenSignatureFingerprint(token);\n\n // Detect platform from user-agent if provided (before MCP initialize)\n let platformType: AIPlatformType | undefined;\n if (options?.userAgent) {\n platformType = detectPlatformFromUserAgent(options.userAgent, options.platformDetectionConfig);\n // Only set if we detected something meaningful\n if (platformType === 'unknown') {\n platformType = undefined;\n }\n }\n\n const payload: SessionIdPayload = {\n nodeId: getMachineId(),\n authSig,\n uuid: randomUUID(),\n iat: nowSec(),\n protocol,\n platformType,\n };\n const id = encryptJson(payload);\n cache.set(id, payload);\n return { id, payload };\n}\n\nexport function generateSessionCookie(sessionId: string, ttlInMinutes = 60 * 24): string {\n const expires = new Date(Date.now() + ttlInMinutes * 60 * 1000).toUTCString();\n return `mcp_session_id=${sessionId}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;\n}\n\nexport function extractSessionFromCookie(cookie?: string): string | undefined {\n if (!cookie) return undefined;\n const m = cookie.match(/(^|;)\\s*mcp_session_id\\s*=\\s*([^;]*)/);\n return m ? 
m[2] : undefined;\n}\n\n/**\n * Update a cached session payload with new data.\n * This is used to persist changes like platformType detection that happen\n * after the initial session creation.\n *\n * @param sessionId - The session ID to update\n * @param updates - Partial payload updates to merge\n * @returns true if the session was found and updated, false otherwise\n */\nexport function updateSessionPayload(sessionId: string, updates: Partial<SessionIdPayload>): boolean {\n const existing = cache.get(sessionId);\n if (existing) {\n // Merge updates into existing payload\n Object.assign(existing, updates);\n // Re-set to refresh TTL\n cache.set(sessionId, existing);\n return true;\n }\n\n // Try to decrypt and update if not in cache\n const decrypted = safeDecrypt(sessionId);\n if (\n isValidSessionPayload(decrypted, (decrypted as SessionIdPayload)?.authSig || '') ||\n isValidPublicSessionPayload(decrypted)\n ) {\n const payload = decrypted as SessionIdPayload;\n Object.assign(payload, updates);\n cache.set(sessionId, payload);\n return true;\n }\n\n return false;\n}\n"]}
|
|
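--- a/package/src/auth/session/utils/tiny-ttl-cache.js
+++ /dev/null
@@ -1,26 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TinyTtlCache = void 0;
-// auth/session/utils/tiny-ttl-cache.ts
-class TinyTtlCache {
-ttlMs;
-map = new Map();
-constructor(ttlMs) {
-this.ttlMs = ttlMs;
-}
-get(k) {
-const hit = this.map.get(k);
-if (!hit)
-return undefined;
-if (hit.exp < Date.now()) {
-this.map.delete(k);
-return undefined;
-}
-return hit.v;
-}
-set(k, v) {
-this.map.set(k, { v, exp: Date.now() + this.ttlMs });
-}
-}
-exports.TinyTtlCache = TinyTtlCache;
-//# sourceMappingURL=tiny-ttl-cache.js.map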
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"tiny-ttl-cache.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/tiny-ttl-cache.ts"],"names":[],"mappings":";;;AAAA,uCAAuC;AACvC,MAAa,YAAY;IAEM;IADrB,GAAG,GAAG,IAAI,GAAG,EAA4B,CAAC;IAClD,YAA6B,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAE9C,GAAG,CAAC,CAAI;QACN,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,IAAI,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACnB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,GAAG,CAAC,CAAC,CAAC;IACf,CAAC;IAED,GAAG,CAAC,CAAI,EAAE,CAAI;QACZ,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACvD,CAAC;CACF;AAjBD,oCAiBC","sourcesContent":["// auth/session/utils/tiny-ttl-cache.ts\nexport class TinyTtlCache<K, V> {\n private map = new Map<K, { v: V; exp: number }>();\n constructor(private readonly ttlMs: number) {}\n\n get(k: K): V | undefined {\n const hit = this.map.get(k);\n if (!hit) return undefined;\n if (hit.exp < Date.now()) {\n this.map.delete(k);\n return undefined;\n }\n return hit.v;\n }\n\n set(k: K, v: V) {\n this.map.set(k, { v, exp: Date.now() + this.ttlMs });\n }\n}\n"]}
|
|
@@ -1,263 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Vault Encryption
|
|
4
|
-
*
|
|
5
|
-
* Client-side key derivation for zero-knowledge credential storage.
|
|
6
|
-
*
|
|
7
|
-
* Security Model:
|
|
8
|
-
* - The JWT authorization token contains a unique `jti` (JWT ID) claim
|
|
9
|
-
* - A secret portion of the token (or a derived key) is used as the encryption key
|
|
10
|
-
* - The server stores encrypted blobs in Redis but CANNOT decrypt them
|
|
11
|
-
* - Only the client presenting the valid JWT can decrypt their vault
|
|
12
|
-
*
|
|
13
|
-
* Key Derivation:
|
|
14
|
-
* - Input: JWT token (after signature verification)
|
|
15
|
-
* - Extract: jti + a secret claim (e.g., `vaultKey` or derived from signature)
|
|
16
|
-
* - Derive: HKDF-SHA256 to produce AES-256 key
|
|
17
|
-
*
|
|
18
|
-
* Encryption:
|
|
19
|
-
* - Algorithm: AES-256-GCM (authenticated encryption)
|
|
20
|
-
* - IV: Random 12 bytes per encryption (stored with ciphertext)
|
|
21
|
-
* - Auth Tag: 16 bytes (ensures integrity)
|
|
22
|
-
*/
|
|
23
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
24
|
-
exports.encryptedVaultEntrySchema = exports.VaultEncryption = exports.encryptedDataSchema = void 0;
|
|
25
|
-
const node_crypto_1 = require("node:crypto");
|
|
26
|
-
const zod_1 = require("zod");
|
|
27
|
-
// ============================================
|
|
28
|
-
// Types and Schemas
|
|
29
|
-
// ============================================
|
|
30
|
-
/**
|
|
31
|
-
* Encrypted data format stored in Redis
|
|
32
|
-
*/
|
|
33
|
-
exports.encryptedDataSchema = zod_1.z.object({
|
|
34
|
-
/** Version for future algorithm changes */
|
|
35
|
-
v: zod_1.z.literal(1),
|
|
36
|
-
/** Algorithm identifier */
|
|
37
|
-
alg: zod_1.z.literal('aes-256-gcm'),
|
|
38
|
-
/** Initialization vector (base64) */
|
|
39
|
-
iv: zod_1.z.string(),
|
|
40
|
-
/** Ciphertext (base64) */
|
|
41
|
-
ct: zod_1.z.string(),
|
|
42
|
-
/** Authentication tag (base64) */
|
|
43
|
-
tag: zod_1.z.string(),
|
|
44
|
-
});
|
|
45
|
-
// ============================================
|
|
46
|
-
// Vault Encryption Class
|
|
47
|
-
// ============================================
|
|
48
|
-
/**
|
|
49
|
-
* VaultEncryption handles encryption/decryption of vault credentials
|
|
50
|
-
* using keys derived from the client's JWT authorization token.
|
|
51
|
-
*
|
|
52
|
-
* @example
|
|
53
|
-
* ```typescript
|
|
54
|
-
* const encryption = new VaultEncryption({ pepper: process.env.VAULT_PEPPER });
|
|
55
|
-
*
|
|
56
|
-
* // After JWT verification, derive the encryption key
|
|
57
|
-
* const key = encryption.deriveKey(jwtClaims);
|
|
58
|
-
*
|
|
59
|
-
* // Encrypt credentials before storing
|
|
60
|
-
* const encrypted = encryption.encrypt(JSON.stringify(credentials), key);
|
|
61
|
-
*
|
|
62
|
-
* // Decrypt when reading
|
|
63
|
-
* const decrypted = encryption.decrypt(encrypted, key);
|
|
64
|
-
* const credentials = JSON.parse(decrypted);
|
|
65
|
-
* ```
|
|
66
|
-
*/
|
|
67
|
-
class VaultEncryption {
|
|
68
|
-
pepper;
|
|
69
|
-
hkdfInfo;
|
|
70
|
-
constructor(config = {}) {
|
|
71
|
-
// Convert pepper to buffer, use empty if not provided
|
|
72
|
-
this.pepper = Buffer.from(config.pepper ?? '', 'utf8');
|
|
73
|
-
this.hkdfInfo = Buffer.from(config.hkdfInfo ?? 'frontmcp-vault-v1', 'utf8');
|
|
74
|
-
}
|
|
75
|
-
/**
|
|
76
|
-
* Derive an encryption key from JWT claims
|
|
77
|
-
*
|
|
78
|
-
* The key derivation uses HKDF-like construction:
|
|
79
|
-
* 1. Combine jti + vaultKey + sub + iat + pepper
|
|
80
|
-
* 2. Apply HMAC-SHA256 to derive a 256-bit key
|
|
81
|
-
*
|
|
82
|
-
* @param claims - JWT claims containing key material
|
|
83
|
-
* @returns 32-byte encryption key
|
|
84
|
-
*/
|
|
85
|
-
deriveKey(claims) {
|
|
86
|
-
// Build the input key material (IKM)
|
|
87
|
-
// Using multiple claims ensures the key is unique per token
|
|
88
|
-
const ikm = Buffer.concat([
|
|
89
|
-
Buffer.from(claims.jti, 'utf8'),
|
|
90
|
-
Buffer.from(claims.vaultKey ?? '', 'utf8'),
|
|
91
|
-
Buffer.from(claims.sub, 'utf8'),
|
|
92
|
-
Buffer.from(claims.iat.toString(), 'utf8'),
|
|
93
|
-
this.pepper,
|
|
94
|
-
]);
|
|
95
|
-
// HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)
|
|
96
|
-
// Using hkdfInfo as salt for domain separation
|
|
97
|
-
const prk = (0, node_crypto_1.createHmac)('sha256', this.hkdfInfo).update(ikm).digest();
|
|
98
|
-
// HKDF-Expand: OKM = HMAC-SHA256(PRK, info || 0x01)
|
|
99
|
-
// We only need 32 bytes, so single iteration is sufficient
|
|
100
|
-
const okm = (0, node_crypto_1.createHmac)('sha256', prk)
|
|
101
|
-
.update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))
|
|
102
|
-
.digest();
|
|
103
|
-
return okm;
|
|
104
|
-
}
|
|
105
|
-
/**
|
|
106
|
-
* Derive a key directly from the raw JWT token string
|
|
107
|
-
*
|
|
108
|
-
* This is useful when you want to derive the key from the token
|
|
109
|
-
* before or without fully parsing the claims. Uses the token's
|
|
110
|
-
* signature portion as additional entropy.
|
|
111
|
-
*
|
|
112
|
-
* @param token - The raw JWT token string
|
|
113
|
-
* @param claims - Parsed JWT claims
|
|
114
|
-
* @returns 32-byte encryption key
|
|
115
|
-
*/
|
|
116
|
-
deriveKeyFromToken(token, claims) {
|
|
117
|
-
// Extract signature from JWT (last part after final dot)
|
|
118
|
-
const parts = token.split('.');
|
|
119
|
-
const signature = parts[2] ?? '';
|
|
120
|
-
// Include signature in key derivation for additional entropy
|
|
121
|
-
const ikm = Buffer.concat([
|
|
122
|
-
Buffer.from(claims.jti, 'utf8'),
|
|
123
|
-
Buffer.from(claims.vaultKey ?? '', 'utf8'),
|
|
124
|
-
Buffer.from(claims.sub, 'utf8'),
|
|
125
|
-
Buffer.from(claims.iat.toString(), 'utf8'),
|
|
126
|
-
Buffer.from(signature, 'utf8'),
|
|
127
|
-
this.pepper,
|
|
128
|
-
]);
|
|
129
|
-
const prk = (0, node_crypto_1.createHmac)('sha256', this.hkdfInfo).update(ikm).digest();
|
|
130
|
-
const okm = (0, node_crypto_1.createHmac)('sha256', prk)
|
|
131
|
-
.update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))
|
|
132
|
-
.digest();
|
|
133
|
-
return okm;
|
|
134
|
-
}
|
|
135
|
-
/**
|
|
136
|
-
* Encrypt plaintext data using AES-256-GCM
|
|
137
|
-
*
|
|
138
|
-
* @param plaintext - Data to encrypt (typically JSON string)
|
|
139
|
-
* @param key - 32-byte encryption key from deriveKey()
|
|
140
|
-
* @returns Encrypted data object (safe to store in Redis)
|
|
141
|
-
*/
|
|
142
|
-
encrypt(plaintext, key) {
|
|
143
|
-
if (key.length !== 32) {
|
|
144
|
-
throw new Error('Encryption key must be 32 bytes');
|
|
145
|
-
}
|
|
146
|
-
// Generate random 12-byte IV (recommended for GCM)
|
|
147
|
-
const iv = (0, node_crypto_1.randomBytes)(12);
|
|
148
|
-
// Create cipher
|
|
149
|
-
const cipher = (0, node_crypto_1.createCipheriv)('aes-256-gcm', key, iv);
|
|
150
|
-
// Encrypt
|
|
151
|
-
const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
|
|
152
|
-
// Get authentication tag
|
|
153
|
-
const tag = cipher.getAuthTag();
|
|
154
|
-
return {
|
|
155
|
-
v: 1,
|
|
156
|
-
alg: 'aes-256-gcm',
|
|
157
|
-
iv: iv.toString('base64'),
|
|
158
|
-
ct: ciphertext.toString('base64'),
|
|
159
|
-
tag: tag.toString('base64'),
|
|
160
|
-
};
|
|
161
|
-
}
|
|
162
|
-
/**
|
|
163
|
-
* Decrypt encrypted data using AES-256-GCM
|
|
164
|
-
*
|
|
165
|
-
* @param encrypted - Encrypted data object from encrypt()
|
|
166
|
-
* @param key - 32-byte encryption key from deriveKey()
|
|
167
|
-
* @returns Decrypted plaintext
|
|
168
|
-
* @throws Error if decryption fails (wrong key, tampered data, etc.)
|
|
169
|
-
*/
|
|
170
|
-
decrypt(encrypted, key) {
|
|
171
|
-
if (key.length !== 32) {
|
|
172
|
-
throw new Error('Encryption key must be 32 bytes');
|
|
173
|
-
}
|
|
174
|
-
// Validate encrypted data format
|
|
175
|
-
const parsed = exports.encryptedDataSchema.safeParse(encrypted);
|
|
176
|
-
if (!parsed.success) {
|
|
177
|
-
throw new Error('Invalid encrypted data format');
|
|
178
|
-
}
|
|
179
|
-
const { iv, ct, tag } = parsed.data;
|
|
180
|
-
// Decode from base64
|
|
181
|
-
const ivBuffer = Buffer.from(iv, 'base64');
|
|
182
|
-
const ciphertext = Buffer.from(ct, 'base64');
|
|
183
|
-
const tagBuffer = Buffer.from(tag, 'base64');
|
|
184
|
-
// Create decipher
|
|
185
|
-
const decipher = (0, node_crypto_1.createDecipheriv)('aes-256-gcm', key, ivBuffer);
|
|
186
|
-
decipher.setAuthTag(tagBuffer);
|
|
187
|
-
// Decrypt
|
|
188
|
-
try {
|
|
189
|
-
const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
|
|
190
|
-
return plaintext.toString('utf8');
|
|
191
|
-
}
|
|
192
|
-
catch (error) {
|
|
193
|
-
// GCM authentication failed - wrong key or tampered data
|
|
194
|
-
throw new Error('Decryption failed: invalid key or corrupted data');
|
|
195
|
-
}
|
|
196
|
-
}
|
|
197
|
-
/**
|
|
198
|
-
* Encrypt a JavaScript object (serializes to JSON first)
|
|
199
|
-
*
|
|
200
|
-
* @param data - Object to encrypt
|
|
201
|
-
* @param key - Encryption key
|
|
202
|
-
* @returns Encrypted data
|
|
203
|
-
*/
|
|
204
|
-
encryptObject(data, key) {
|
|
205
|
-
return this.encrypt(JSON.stringify(data), key);
|
|
206
|
-
}
|
|
207
|
-
/**
|
|
208
|
-
* Decrypt and parse a JavaScript object
|
|
209
|
-
*
|
|
210
|
-
* @param encrypted - Encrypted data
|
|
211
|
-
* @param key - Encryption key
|
|
212
|
-
* @returns Decrypted and parsed object
|
|
213
|
-
*/
|
|
214
|
-
decryptObject(encrypted, key) {
|
|
215
|
-
const plaintext = this.decrypt(encrypted, key);
|
|
216
|
-
return JSON.parse(plaintext);
|
|
217
|
-
}
|
|
218
|
-
/**
|
|
219
|
-
* Check if data is in encrypted format
|
|
220
|
-
*
|
|
221
|
-
* @param data - Data to check
|
|
222
|
-
* @returns True if data appears to be encrypted
|
|
223
|
-
*/
|
|
224
|
-
isEncrypted(data) {
|
|
225
|
-
return exports.encryptedDataSchema.safeParse(data).success;
|
|
226
|
-
}
|
|
227
|
-
}
|
|
228
|
-
exports.VaultEncryption = VaultEncryption;
|
|
229
|
-
// ============================================
|
|
230
|
-
// Encrypted Vault Entry Schema
|
|
231
|
-
// ============================================
|
|
232
|
-
/**
|
|
233
|
-
* Vault entry with encrypted credentials
|
|
234
|
-
*
|
|
235
|
-
* The structure separates:
|
|
236
|
-
* - Metadata (unencrypted): id, userSub, timestamps, app lists
|
|
237
|
-
* - Sensitive data (encrypted): provider tokens, app credentials
|
|
238
|
-
*/
|
|
239
|
-
exports.encryptedVaultEntrySchema = zod_1.z.object({
|
|
240
|
-
/** Vault ID (maps to JWT jti claim) */
|
|
241
|
-
id: zod_1.z.string(),
|
|
242
|
-
/** User subject identifier */
|
|
243
|
-
userSub: zod_1.z.string(),
|
|
244
|
-
/** User email (unencrypted for display) */
|
|
245
|
-
userEmail: zod_1.z.string().optional(),
|
|
246
|
-
/** User name (unencrypted for display) */
|
|
247
|
-
userName: zod_1.z.string().optional(),
|
|
248
|
-
/** Client ID that created this session */
|
|
249
|
-
clientId: zod_1.z.string(),
|
|
250
|
-
/** Creation timestamp */
|
|
251
|
-
createdAt: zod_1.z.number(),
|
|
252
|
-
/** Last access timestamp */
|
|
253
|
-
lastAccessAt: zod_1.z.number(),
|
|
254
|
-
/** Encrypted sensitive data (provider tokens, credentials, consent) */
|
|
255
|
-
encryptedData: exports.encryptedDataSchema,
|
|
256
|
-
/** Apps that are fully authorized (unencrypted for quick lookup) */
|
|
257
|
-
authorizedAppIds: zod_1.z.array(zod_1.z.string()),
|
|
258
|
-
/** Apps that were skipped (unencrypted for quick lookup) */
|
|
259
|
-
skippedAppIds: zod_1.z.array(zod_1.z.string()),
|
|
260
|
-
/** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */
|
|
261
|
-
pendingAuthIds: zod_1.z.array(zod_1.z.string()).default([]),
|
|
262
|
-
});
|
|
263
|
-
//# sourceMappingURL=vault-encryption.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"vault-encryption.js","sourceRoot":"","sources":["../../../../src/auth/session/vault-encryption.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;;;AAEH,6CAAwF;AACxF,6BAAwB;AAExB,+CAA+C;AAC/C,oBAAoB;AACpB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,2CAA2C;IAC3C,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACf,2BAA2B;IAC3B,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7B,qCAAqC;IACrC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,0BAA0B;IAC1B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,kCAAkC;IAClC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;CAChB,CAAC,CAAC;AAmCH,+CAA+C;AAC/C,yBAAyB;AACzB,+CAA+C;AAE/C;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAa,eAAe;IACT,MAAM,CAAS;IACf,QAAQ,CAAS;IAElC,YAAY,SAAgC,EAAE;QAC5C,sDAAsD;QACtD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,mBAAmB,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAED;;;;;;;;;OASG;IACH,SAAS,CAAC,MAAgC;QACxC,qCAAqC;QACrC,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,MAAM,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,CAAC;YAC1C,IAAI,CAAC,MAAM;SACZ,CAAC,CAAC;QAEH,6CAA6C;QAC7C,+CAA+C;QAC/C,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QAErE,oDAAoD;QACpD,2DAA2D;QAC3D,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,GAAG,CAAC;aAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3D,MAAM,EAAE,CAAC;QAEZ,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,KAAa,EAAE,MAAgC;QAChE,yDAAyD;QACzD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEjC,6DAA6D;QAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAA
I,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,MAAM,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC;YAC9B,IAAI,CAAC,MAAM;SACZ,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QACrE,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,GAAG,CAAC;aAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3D,MAAM,EAAE,CAAC;QAEZ,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;;OAMG;IACH,OAAO,CAAC,SAAiB,EAAE,GAAW;QACpC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,mDAAmD;QACnD,MAAM,EAAE,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC;QAE3B,gBAAgB;QAChB,MAAM,MAAM,GAAG,IAAA,4BAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAEtD,UAAU;QACV,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAErF,yBAAyB;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEhC,OAAO;YACL,CAAC,EAAE,CAAC;YACJ,GAAG,EAAE,aAAa;YAClB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzB,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC5B,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,OAAO,CAAC,SAAwB,EAAE,GAAW;QAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,iCAAiC;QACjC,MAAM,MAAM,GAAG,2BAAmB,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC;QAEpC,qBAAqB;QACrB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAE7C,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAA,8BAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAChE,QAAQ,CAAC,UAAU,CAAC,SAAS
,CAAC,CAAC;QAE/B,UAAU;QACV,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yDAAyD;YACzD,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAI,IAAO,EAAE,GAAW;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAI,SAAwB,EAAE,GAAW;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAM,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,IAAa;QACvB,OAAO,2BAAmB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;IACrD,CAAC;CACF;AAxLD,0CAwLC;AAED,+CAA+C;AAC/C,+BAA+B;AAC/B,+CAA+C;AAE/C;;;;;;GAMG;AACU,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,uCAAuC;IACvC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,8BAA8B;IAC9B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,2CAA2C;IAC3C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,0CAA0C;IAC1C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,0CAA0C;IAC1C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,yBAAyB;IACzB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,uEAAuE;IACvE,aAAa,EAAE,2BAAmB;IAClC,oEAAoE;IACpE,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,4DAA4D;IAC5D,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAClC,uEAAuE;IACvE,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAChD,CAAC,CAAC","sourcesContent":["/**\n * Vault Encryption\n *\n * Client-side key derivation for zero-knowledge credential storage.\n *\n * Security Model:\n * - The JWT authorization token contains a unique `jti` (JWT ID) claim\n * - A secret portion of the token (or a derived key) is used as the encryption key\n * - The server stores encrypted blobs in Redis but CANNOT decrypt them\n * - Only the client presenting the valid JWT can decrypt their vault\n *\n * Key Derivation:\n * - Input: JWT token 
(after signature verification)\n * - Extract: jti + a secret claim (e.g., `vaultKey` or derived from signature)\n * - Derive: HKDF-SHA256 to produce AES-256 key\n *\n * Encryption:\n * - Algorithm: AES-256-GCM (authenticated encryption)\n * - IV: Random 12 bytes per encryption (stored with ciphertext)\n * - Auth Tag: 16 bytes (ensures integrity)\n */\n\nimport { createCipheriv, createDecipheriv, randomBytes, createHmac } from 'node:crypto';\nimport { z } from 'zod';\n\n// ============================================\n// Types and Schemas\n// ============================================\n\n/**\n * Encrypted data format stored in Redis\n */\nexport const encryptedDataSchema = z.object({\n /** Version for future algorithm changes */\n v: z.literal(1),\n /** Algorithm identifier */\n alg: z.literal('aes-256-gcm'),\n /** Initialization vector (base64) */\n iv: z.string(),\n /** Ciphertext (base64) */\n ct: z.string(),\n /** Authentication tag (base64) */\n tag: z.string(),\n});\n\nexport type EncryptedData = z.infer<typeof encryptedDataSchema>;\n\n/**\n * JWT claims required for key derivation\n */\nexport interface VaultKeyDerivationClaims {\n /** JWT ID - unique identifier for this token/vault */\n jti: string;\n /** Vault key material - secret claim added during token generation */\n vaultKey?: string;\n /** Subject - user identifier */\n sub: string;\n /** Issued at timestamp */\n iat: number;\n}\n\n/**\n * Vault encryption configuration\n */\nexport interface VaultEncryptionConfig {\n /**\n * Server-side pepper added to key derivation\n * This adds defense-in-depth: even with a stolen JWT,\n * attacker needs the pepper to derive the key\n */\n pepper?: string;\n /**\n * Key derivation info string for HKDF\n * Allows domain separation between different uses\n */\n hkdfInfo?: string;\n}\n\n// ============================================\n// Vault Encryption Class\n// ============================================\n\n/**\n * VaultEncryption handles encryption/decryption 
of vault credentials\n * using keys derived from the client's JWT authorization token.\n *\n * @example\n * ```typescript\n * const encryption = new VaultEncryption({ pepper: process.env.VAULT_PEPPER });\n *\n * // After JWT verification, derive the encryption key\n * const key = encryption.deriveKey(jwtClaims);\n *\n * // Encrypt credentials before storing\n * const encrypted = encryption.encrypt(JSON.stringify(credentials), key);\n *\n * // Decrypt when reading\n * const decrypted = encryption.decrypt(encrypted, key);\n * const credentials = JSON.parse(decrypted);\n * ```\n */\nexport class VaultEncryption {\n private readonly pepper: Buffer;\n private readonly hkdfInfo: Buffer;\n\n constructor(config: VaultEncryptionConfig = {}) {\n // Convert pepper to buffer, use empty if not provided\n this.pepper = Buffer.from(config.pepper ?? '', 'utf8');\n this.hkdfInfo = Buffer.from(config.hkdfInfo ?? 'frontmcp-vault-v1', 'utf8');\n }\n\n /**\n * Derive an encryption key from JWT claims\n *\n * The key derivation uses HKDF-like construction:\n * 1. Combine jti + vaultKey + sub + iat + pepper\n * 2. Apply HMAC-SHA256 to derive a 256-bit key\n *\n * @param claims - JWT claims containing key material\n * @returns 32-byte encryption key\n */\n deriveKey(claims: VaultKeyDerivationClaims): Buffer {\n // Build the input key material (IKM)\n // Using multiple claims ensures the key is unique per token\n const ikm = Buffer.concat([\n Buffer.from(claims.jti, 'utf8'),\n Buffer.from(claims.vaultKey ?? 
'', 'utf8'),\n Buffer.from(claims.sub, 'utf8'),\n Buffer.from(claims.iat.toString(), 'utf8'),\n this.pepper,\n ]);\n\n // HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)\n // Using hkdfInfo as salt for domain separation\n const prk = createHmac('sha256', this.hkdfInfo).update(ikm).digest();\n\n // HKDF-Expand: OKM = HMAC-SHA256(PRK, info || 0x01)\n // We only need 32 bytes, so single iteration is sufficient\n const okm = createHmac('sha256', prk)\n .update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))\n .digest();\n\n return okm;\n }\n\n /**\n * Derive a key directly from the raw JWT token string\n *\n * This is useful when you want to derive the key from the token\n * before or without fully parsing the claims. Uses the token's\n * signature portion as additional entropy.\n *\n * @param token - The raw JWT token string\n * @param claims - Parsed JWT claims\n * @returns 32-byte encryption key\n */\n deriveKeyFromToken(token: string, claims: VaultKeyDerivationClaims): Buffer {\n // Extract signature from JWT (last part after final dot)\n const parts = token.split('.');\n const signature = parts[2] ?? '';\n\n // Include signature in key derivation for additional entropy\n const ikm = Buffer.concat([\n Buffer.from(claims.jti, 'utf8'),\n Buffer.from(claims.vaultKey ?? 
'', 'utf8'),\n Buffer.from(claims.sub, 'utf8'),\n Buffer.from(claims.iat.toString(), 'utf8'),\n Buffer.from(signature, 'utf8'),\n this.pepper,\n ]);\n\n const prk = createHmac('sha256', this.hkdfInfo).update(ikm).digest();\n const okm = createHmac('sha256', prk)\n .update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))\n .digest();\n\n return okm;\n }\n\n /**\n * Encrypt plaintext data using AES-256-GCM\n *\n * @param plaintext - Data to encrypt (typically JSON string)\n * @param key - 32-byte encryption key from deriveKey()\n * @returns Encrypted data object (safe to store in Redis)\n */\n encrypt(plaintext: string, key: Buffer): EncryptedData {\n if (key.length !== 32) {\n throw new Error('Encryption key must be 32 bytes');\n }\n\n // Generate random 12-byte IV (recommended for GCM)\n const iv = randomBytes(12);\n\n // Create cipher\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n\n // Encrypt\n const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n\n // Get authentication tag\n const tag = cipher.getAuthTag();\n\n return {\n v: 1,\n alg: 'aes-256-gcm',\n iv: iv.toString('base64'),\n ct: ciphertext.toString('base64'),\n tag: tag.toString('base64'),\n };\n }\n\n /**\n * Decrypt encrypted data using AES-256-GCM\n *\n * @param encrypted - Encrypted data object from encrypt()\n * @param key - 32-byte encryption key from deriveKey()\n * @returns Decrypted plaintext\n * @throws Error if decryption fails (wrong key, tampered data, etc.)\n */\n decrypt(encrypted: EncryptedData, key: Buffer): string {\n if (key.length !== 32) {\n throw new Error('Encryption key must be 32 bytes');\n }\n\n // Validate encrypted data format\n const parsed = encryptedDataSchema.safeParse(encrypted);\n if (!parsed.success) {\n throw new Error('Invalid encrypted data format');\n }\n\n const { iv, ct, tag } = parsed.data;\n\n // Decode from base64\n const ivBuffer = Buffer.from(iv, 'base64');\n const ciphertext = Buffer.from(ct, 'base64');\n const 
tagBuffer = Buffer.from(tag, 'base64');\n\n // Create decipher\n const decipher = createDecipheriv('aes-256-gcm', key, ivBuffer);\n decipher.setAuthTag(tagBuffer);\n\n // Decrypt\n try {\n const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n\n return plaintext.toString('utf8');\n } catch (error) {\n // GCM authentication failed - wrong key or tampered data\n throw new Error('Decryption failed: invalid key or corrupted data');\n }\n }\n\n /**\n * Encrypt a JavaScript object (serializes to JSON first)\n *\n * @param data - Object to encrypt\n * @param key - Encryption key\n * @returns Encrypted data\n */\n encryptObject<T>(data: T, key: Buffer): EncryptedData {\n return this.encrypt(JSON.stringify(data), key);\n }\n\n /**\n * Decrypt and parse a JavaScript object\n *\n * @param encrypted - Encrypted data\n * @param key - Encryption key\n * @returns Decrypted and parsed object\n */\n decryptObject<T>(encrypted: EncryptedData, key: Buffer): T {\n const plaintext = this.decrypt(encrypted, key);\n return JSON.parse(plaintext) as T;\n }\n\n /**\n * Check if data is in encrypted format\n *\n * @param data - Data to check\n * @returns True if data appears to be encrypted\n */\n isEncrypted(data: unknown): data is EncryptedData {\n return encryptedDataSchema.safeParse(data).success;\n }\n}\n\n// ============================================\n// Encrypted Vault Entry Schema\n// ============================================\n\n/**\n * Vault entry with encrypted credentials\n *\n * The structure separates:\n * - Metadata (unencrypted): id, userSub, timestamps, app lists\n * - Sensitive data (encrypted): provider tokens, app credentials\n */\nexport const encryptedVaultEntrySchema = z.object({\n /** Vault ID (maps to JWT jti claim) */\n id: z.string(),\n /** User subject identifier */\n userSub: z.string(),\n /** User email (unencrypted for display) */\n userEmail: z.string().optional(),\n /** User name (unencrypted for display) */\n userName: 
z.string().optional(),\n /** Client ID that created this session */\n clientId: z.string(),\n /** Creation timestamp */\n createdAt: z.number(),\n /** Last access timestamp */\n lastAccessAt: z.number(),\n /** Encrypted sensitive data (provider tokens, credentials, consent) */\n encryptedData: encryptedDataSchema,\n /** Apps that are fully authorized (unencrypted for quick lookup) */\n authorizedAppIds: z.array(z.string()),\n /** Apps that were skipped (unencrypted for quick lookup) */\n skippedAppIds: z.array(z.string()),\n /** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */\n pendingAuthIds: z.array(z.string()).default([]),\n});\n\nexport type EncryptedVaultEntry = z.infer<typeof encryptedVaultEntrySchema>;\n\n/**\n * Sensitive data that gets encrypted\n */\nexport interface VaultSensitiveData {\n /** App credentials */\n appCredentials: Record<string, unknown>;\n /** Consent record */\n consent?: unknown;\n /** Federated login record */\n federated?: unknown;\n /** Pending auth details (URLs, scopes, etc.) */\n pendingAuths: unknown[];\n}\n"]}
|