npm - @frontmcp/sdk - Versions diffs - 0.6.1 → 0.6.2 - Mend

@frontmcp/sdk 0.6.1 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1059) hide show

package/src/auth/flows/oauth.register.flow.js DELETED Viewed

@@ -1,201 +0,0 @@
-"use strict";
-/**
- * Dynamic Client Registration — POST /oauth/register
- *
- * Who calls: Developers/automation.
- *
- * Purpose: Let clients register programmatically (redirect URIs, grant types, etc.).
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DevClientRegistry = void 0;
-const tslib_1 = require("tslib");
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-const common_1 = require("../../common");
-const zod_1 = require("zod");
-const crypto_1 = require("crypto");
-const CLIENTS = new Map();
-/** Optional: export getters so other flows can validate client_id */
-exports.DevClientRegistry = {
-    get(client_id) {
-        return CLIENTS.get(client_id);
-    },
-    has(client_id) {
-        return CLIENTS.has(client_id);
-    }
-};
-const inputSchema = common_1.httpInputSchema;
-const outputSchema = common_1.HttpJsonSchema;
-const registrationRequestSchema = zod_1.z.object({
-    // RFC 7591-ish minimal set
-    redirect_uris: zod_1.z.array(zod_1.z.string().url()).min(1, "At least one redirect_uri is required"),
-    token_endpoint_auth_method: zod_1.z.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt", "tls_client_auth"])
-        .default("none"),
-    grant_types: zod_1.z.array(zod_1.z.enum(["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"]))
-        .default(["authorization_code"]),
-    response_types: zod_1.z.array(zod_1.z.enum(["code"])).default(["code"]),
-    client_name: zod_1.z.string().optional(),
-    scope: zod_1.z.string().optional(),
-}).passthrough();
-const stateSchema = zod_1.z.object({
-    body: registrationRequestSchema,
-    isDev: zod_1.z.boolean(),
-});
-const plan = {
-    pre: ['parseInput', 'validateInput'],
-    execute: ['registerClient', 'respondRegistration'],
-    post: ['validateOutput'],
-};
-const name = 'oauth:register';
-const Stage = (0, common_1.StageHookOf)(name);
-let OauthRegisterFlow = class OauthRegisterFlow extends common_1.FlowBase {
-    registered;
-    async parseInput() {
-        // Dev-only guard: hide the endpoint in production
-        const isDev = process.env['NODE_ENV'] !== 'production';
-        const { request } = this.rawInput;
-        const parsed = registrationRequestSchema.parse(request.body || {});
-        this.state.set({
-            body: parsed,
-            isDev,
-        });
-    }
-    async validateInput() {
-        if (!this.state.isDev) {
-            // Behave like the endpoint doesn't exist in prod
-            this.next();
-            return;
-        }
-        // Minimal sanity checks for common mistakes in dev
-        const { redirect_uris, token_endpoint_auth_method, grant_types, response_types } = this.state.required.body;
-        // Keep only supported combinations for the dummy server
-        if (!response_types.includes('code')) {
-            this.respond(common_1.httpRespond.json({
-                error: 'invalid_client_metadata',
-                error_description: 'Only response_types=["code"] is supported in dev.',
-            }, { status: 400 }));
-            return;
-        }
-        if (!grant_types.includes('authorization_code')) {
-            this.respond(common_1.httpRespond.json({
-                error: 'invalid_client_metadata',
-                error_description: 'grant_types must include "authorization_code" in dev.',
-            }, { status: 400 }));
-            return;
-        }
-        // Warn (soft) if confidential but no TLS/jwt (still allowed for local only)
-        if (token_endpoint_auth_method !== 'none' && token_endpoint_auth_method !== 'client_secret_post' && token_endpoint_auth_method !== 'client_secret_basic') {
-            this.respond(common_1.httpRespond.json({
-                error: 'invalid_client_metadata',
-                error_description: 'This dev server only supports "none", "client_secret_post", or "client_secret_basic".',
-            }, { status: 400 }));
-            return;
-        }
-        // Ensure localhost/https-ish redirects for dev
-        const bad = redirect_uris.find(u => !/^https?:\/\/(localhost|\d+\.\d+\.\d+\.\d+|127\.0\.0\.1)/.test(u));
-        if (bad) {
-            this.respond(common_1.httpRespond.json({
-                error: 'invalid_redirect_uri',
-                error_description: `Dev registration allows only localhost-style redirect_uris; got ${bad}`,
-            }, { status: 400 }));
-            return;
-        }
-    }
-    async registerClient() {
-        const now = Math.floor(Date.now() / 1000);
-        const { token_endpoint_auth_method, grant_types, response_types, redirect_uris, client_name, scope, } = this.state.required.body;
-        const client_id = (0, crypto_1.randomUUID)();
-        let client_secret;
-        if (token_endpoint_auth_method === 'client_secret_post' || token_endpoint_auth_method === 'client_secret_basic') {
-            client_secret = (0, crypto_1.randomBytes)(24).toString('base64url'); // short-lived dev secret
-        }
-        this.registered = {
-            client_id,
-            client_secret,
-            token_endpoint_auth_method,
-            grant_types,
-            response_types,
-            redirect_uris,
-            client_name,
-            scope,
-            created_at: now,
-            dev: true,
-        };
-        CLIENTS.set(client_id, this.registered);
-    }
-    async respondRegistration() {
-        const c = this.registered;
-        // Minimal RFC 7591-ish response
-        // (intentionally omitting registration_access_token/registration_client_uri for simplicity in dev)
-        this.respond(common_1.httpRespond.json({
-            client_id: c.client_id,
-            ...(c.client_secret ? { client_secret: c.client_secret } : {}),
-            client_id_issued_at: c.created_at,
-            client_secret_expires_at: c.client_secret ? 0 : 0, // 0 = does not expire (dev)
-            token_endpoint_auth_method: c.token_endpoint_auth_method,
-            grant_types: c.grant_types,
-            response_types: c.response_types,
-            redirect_uris: c.redirect_uris,
-            ...(c.client_name ? { client_name: c.client_name } : {}),
-            ...(c.scope ? { scope: c.scope } : {}),
-        }));
-    }
-    async validateOutput() {
-        // no-op; httpRespond.json enforces shape
-    }
-};
-tslib_1.__decorate([
-    Stage('parseInput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthRegisterFlow.prototype, "parseInput", null);
-tslib_1.__decorate([
-    Stage('validateInput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthRegisterFlow.prototype, "validateInput", null);
-tslib_1.__decorate([
-    Stage('registerClient'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthRegisterFlow.prototype, "registerClient", null);
-tslib_1.__decorate([
-    Stage('respondRegistration'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthRegisterFlow.prototype, "respondRegistration", null);
-tslib_1.__decorate([
-    Stage('validateOutput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthRegisterFlow.prototype, "validateOutput", null);
-OauthRegisterFlow = tslib_1.__decorate([
-    (0, common_1.Flow)({
-        name,
-        plan,
-        inputSchema,
-        outputSchema,
-        access: 'public',
-        middleware: {
-            method: 'POST',
-            path: '/oauth/register',
-        },
-    })
-], OauthRegisterFlow);
-exports.default = OauthRegisterFlow;
-//# sourceMappingURL=oauth.register.flow.js.map

package/src/auth/flows/oauth.register.flow.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"oauth.register.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/oauth.register.flow.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;AAEH;;;;;;;;;;;GAWG;AAGH,yCAMsB;AACtB,6BAAsB;AACtB,mCAA+C;AAgB/C,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;AAEpD,qEAAqE;AACxD,QAAA,iBAAiB,GAAG;IAC/B,GAAG,CAAC,SAAiB;QACnB,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IACD,GAAG,CAAC,SAAiB;QACnB,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;CACF,CAAC;AAEF,MAAM,WAAW,GAAG,wBAAe,CAAC;AACpC,MAAM,YAAY,GAAG,uBAAc,CAAC;AAEpC,MAAM,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IACzC,2BAA2B;IAC3B,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,uCAAuC,CAAC;IACxF,0BAA0B,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,CAAC;SAC5H,OAAO,CAAC,MAAM,CAAC;IAClB,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,eAAe,EAAE,8CAA8C,CAAC,CAAC,CAAC;SAClH,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAClC,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;IAC3D,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC,WAAW,EAAE,CAAA;AAEhB,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,yBAAyB;IAC/B,KAAK,EAAE,OAAC,CAAC,OAAO,EAAE;CACnB,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACpC,OAAO,EAAE,CAAC,gBAAgB,EAAE,qBAAqB,CAAC;IAClD,IAAI,EAAE,CAAC,gBAAgB,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,gBAAyB,CAAC;AACvC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,iBAAiB,GAAvB,MAAM,iBAAkB,SAAQ,iBAAqB;IAE1D,UAAU,CAAoB;IAGhC,AAAN,KAAK,CAAC,UAAU;QACd,kDAAkD;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAC;QAEvD,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAChC,MAAM,MAAM,GAAG,yBAAyB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,IAAI,EAAE,MAAM;YACZ,KAAK;SACN,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACtB,iDAAiD;YACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO;QACT,CAAC;QAED,mDAAmD;QACnD,MAAM,EAAC,aAAa,EAAE,0BAA0B,EAAE,WAAW,EAAE,cAAc,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAE1G,wDAAwD;QACxD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,mDAAmD;aACvE,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,uDAAuD;aAC3E,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,4EAA4E;QAC5E,IAAI,0BAA0B,KAAK,MAAM,IAAI,0BAA0B,KAAK,oBAAoB,IAAI,0BAA0B,KAAK,qBAAqB,EAAE,CAAC;YACzJ,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,uFAAuF;aAC3G,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,yDAAyD,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACxG,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE,sBAAsB;gBAC7B,iBAAiB,EAAE,mEAAmE,GAAG,EAAE;aAC5F,EAAE,EAAC,MAAM,EAAE,GAAG,EAAC,CAAC,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,EACJ,0BAA0B,EAC1B,WAAW,EACX,cAAc,EACd,aAAa,EACb,WAAW,EACX,KAAK,GACN,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAE7B,MAAM,SAAS,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC/B,IAAI,aAAiC,CAAC;QAEtC,IAAI,0BAA0B,KAAK,oBAAoB,IAAI,0BAA0B,KAAK,qBAAqB,EAAE,CAAC;YAChH,aAAa,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,yBAAyB;QAClF,CAAC;QAED,IAAI,CAAC,UAAU,GAAG;YAChB,SAAS;YACT,aAAa;YACb,0BAA0B;YAC1B,WAAW;YACX,cAAc;YACd,aAAa;YACb,WAAW;YACX,KAAK;YACL,UAAU,EAAE,GAAG;YACf,GAAG,EAAE,IAAI;SACV,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAGK,AAAN,KAAK,CAAC,mBAAmB;QACvB,MAAM,CAAC,GAAG,IAAI,CAAC,UAAW,CAAC;QAC3B,gCAAgC;QAChC,mGAAmG;QACnG,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC;YAC5B,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,EAAC,aAAa,EAAE,CAAC,CAAC,aAAa,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,mBAAmB,EAAE,CAAC,CAAC,UAAU;YACjC,wBAAwB,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,4BAA4B;YAC/E,0BAA0B,EAAE,CAAC,CAAC,0BAA0B;YACxD,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,cAAc,EAAE,CAAC,CAAC,cAAc;YAChC,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAC,WAAW,EAAE,CAAC,CAAC,WAAW,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,CAAC,CAAC,KAAK,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SACrC,CAAC,CAAC,CAAC;IACN,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,yCAAyC;IAC3C,CAAC;CACF,CAAA;AAtHO;IADL,KAAK,CAAC,YAAY,CAAC;;;;mDAWnB;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;sDA8CtB;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;uDAiCvB;AAGK;IADL,KAAK,CAAC,qBAAqB,CAAC;;;;4DAiB5B;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;uDAGvB;AA1HkB,iBAAiB;IAXrC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,iBAAiB;SACxB;KACF,CAAC;GACmB,iBAAiB,CA2HrC;kBA3HoB,iBAAiB","sourcesContent":["/**\n * Dynamic Client Registration — POST /oauth/register\n *\n * Who calls: Developers/automation.\n *\n * Purpose: Let clients register programmatically (redirect URIs, grant types, etc.).\n */\n\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n\nimport {\n Flow, FlowBase, FlowPlan,\n FlowRunOptions,\n httpInputSchema, HttpJsonSchema,\n httpRespond,\n StageHookOf\n} from \"../../common\";\nimport {z} from \"zod\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\n/** Simple in-memory registry (dev only) */\ntype RegisteredClient = {\n client_id: string;\n client_secret?: string;\n token_endpoint_auth_method: \"none\" | \"client_secret_basic\" | \"client_secret_post\" | \"private_key_jwt\" | \"tls_client_auth\";\n grant_types: string[];\n response_types: string[];\n redirect_uris: string[];\n client_name?: string;\n scope?: string;\n created_at: number; // seconds since epoch\n dev: boolean;\n};\n\nconst CLIENTS = new Map<string, RegisteredClient>();\n\n/** Optional: export getters so other flows can validate client_id */\nexport const DevClientRegistry = {\n get(client_id: string) {\n return CLIENTS.get(client_id);\n },\n has(client_id: string) {\n return CLIENTS.has(client_id);\n }\n};\n\nconst inputSchema = httpInputSchema;\nconst outputSchema = HttpJsonSchema;\n\nconst registrationRequestSchema = z.object({\n // RFC 7591-ish minimal set\n redirect_uris: z.array(z.string().url()).min(1, \"At least one redirect_uri is required\"),\n token_endpoint_auth_method: z.enum([\"none\", \"client_secret_basic\", \"client_secret_post\", \"private_key_jwt\", \"tls_client_auth\"])\n .default(\"none\"),\n grant_types: z.array(z.enum([\"authorization_code\", \"refresh_token\", \"urn:ietf:params:oauth:grant-type:device_code\"]))\n .default([\"authorization_code\"]),\n response_types: z.array(z.enum([\"code\"])).default([\"code\"]),\n client_name: z.string().optional(),\n scope: z.string().optional(),\n}).passthrough()\n\nconst stateSchema = z.object({\n body: registrationRequestSchema,\n isDev: z.boolean(),\n});\n\nconst plan = {\n pre: ['parseInput', 'validateInput'],\n execute: ['registerClient', 'respondRegistration'],\n post: ['validateOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n interface ExtendFlows {\n 'oauth:register': FlowRunOptions<\n OauthRegisterFlow,\n typeof plan,\n typeof inputSchema,\n typeof outputSchema,\n typeof stateSchema\n >;\n }\n}\n\nconst name = 'oauth:register' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n name,\n plan,\n inputSchema,\n outputSchema,\n access: 'public',\n middleware: {\n method: 'POST',\n path: '/oauth/register',\n },\n})\nexport default class OauthRegisterFlow extends FlowBase<typeof name> {\n\n private registered?: RegisteredClient;\n\n @Stage('parseInput')\n async parseInput() {\n // Dev-only guard: hide the endpoint in production\n const isDev = process.env['NODE_ENV'] !== 'production';\n\n const {request} = this.rawInput;\n const parsed = registrationRequestSchema.parse(request.body || {});\n this.state.set({\n body: parsed,\n isDev,\n });\n }\n\n @Stage('validateInput')\n async validateInput() {\n if (!this.state.isDev) {\n // Behave like the endpoint doesn't exist in prod\n this.next();\n return;\n }\n\n // Minimal sanity checks for common mistakes in dev\n const {redirect_uris, token_endpoint_auth_method, grant_types, response_types} = this.state.required.body;\n\n // Keep only supported combinations for the dummy server\n if (!response_types.includes('code')) {\n this.respond(httpRespond.json({\n error: 'invalid_client_metadata',\n error_description: 'Only response_types=[\"code\"] is supported in dev.',\n }, {status: 400}));\n return;\n }\n\n if (!grant_types.includes('authorization_code')) {\n this.respond(httpRespond.json({\n error: 'invalid_client_metadata',\n error_description: 'grant_types must include \"authorization_code\" in dev.',\n }, {status: 400}));\n return;\n }\n\n // Warn (soft) if confidential but no TLS/jwt (still allowed for local only)\n if (token_endpoint_auth_method !== 'none' && token_endpoint_auth_method !== 'client_secret_post' && token_endpoint_auth_method !== 'client_secret_basic') {\n this.respond(httpRespond.json({\n error: 'invalid_client_metadata',\n error_description: 'This dev server only supports \"none\", \"client_secret_post\", or \"client_secret_basic\".',\n }, {status: 400}));\n return;\n }\n\n // Ensure localhost/https-ish redirects for dev\n const bad = redirect_uris.find(u => !/^https?:\\/\\/(localhost|\\d+\\.\\d+\\.\\d+\\.\\d+|127\\.0\\.0\\.1)/.test(u));\n if (bad) {\n this.respond(httpRespond.json({\n error: 'invalid_redirect_uri',\n error_description: `Dev registration allows only localhost-style redirect_uris; got ${bad}`,\n }, {status: 400}));\n return;\n }\n }\n\n @Stage('registerClient')\n async registerClient() {\n const now = Math.floor(Date.now() / 1000);\n const {\n token_endpoint_auth_method,\n grant_types,\n response_types,\n redirect_uris,\n client_name,\n scope,\n } = this.state.required.body;\n\n const client_id = randomUUID();\n let client_secret: string | undefined;\n\n if (token_endpoint_auth_method === 'client_secret_post' || token_endpoint_auth_method === 'client_secret_basic') {\n client_secret = randomBytes(24).toString('base64url'); // short-lived dev secret\n }\n\n this.registered = {\n client_id,\n client_secret,\n token_endpoint_auth_method,\n grant_types,\n response_types,\n redirect_uris,\n client_name,\n scope,\n created_at: now,\n dev: true,\n };\n\n CLIENTS.set(client_id, this.registered);\n }\n\n @Stage('respondRegistration')\n async respondRegistration() {\n const c = this.registered!;\n // Minimal RFC 7591-ish response\n // (intentionally omitting registration_access_token/registration_client_uri for simplicity in dev)\n this.respond(httpRespond.json({\n client_id: c.client_id,\n ...(c.client_secret ? {client_secret: c.client_secret} : {}),\n client_id_issued_at: c.created_at,\n client_secret_expires_at: c.client_secret ? 0 : 0, // 0 = does not expire (dev)\n token_endpoint_auth_method: c.token_endpoint_auth_method,\n grant_types: c.grant_types,\n response_types: c.response_types,\n redirect_uris: c.redirect_uris,\n ...(c.client_name ? {client_name: c.client_name} : {}),\n ...(c.scope ? {scope: c.scope} : {}),\n }));\n }\n\n @Stage('validateOutput')\n async validateOutput() {\n // no-op; httpRespond.json enforces shape\n }\n}"]}

package/src/auth/flows/oauth.token.flow.js DELETED Viewed

@@ -1,319 +0,0 @@
-"use strict";
-/**
- * Token Endpoint — POST /oauth/token
- *
- * Who calls: Client (server-to-server).
- *
- * When: After getting the code (or for refresh).
- *
- * Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.
- */
-/**
- * Typical parameter shapes
- *
- * /oauth/token (POST, application/x-www-form-urlencoded)
- *
- * For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier
- *
- * For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-const tslib_1 = require("tslib");
-/**
- *
- * OAuth 2.0 Device Authorization Grant ("device code flow")
- * Who does what (at a glance)
- *
- * Device/TV/CLI (no browser)
- * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
- *
- * User (on phone/laptop browser)
- * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
- *
- * Auth Server (you)
- * Stores the device transaction and, after the user authenticates, marks it as approved so the device's /oauth/token polling succeeds.
- *
- * Endpoints you need (only two "new" ones)
- *
- * POST /oauth/device_authorization ✅ (device calls)
- *
- * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
- *
- * GET /activate ➜ "UI handler" (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
- *
- * GET /activate/callback ➜ "UI handler" (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic "All set" page)
- *
- * That's it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
- */
-const common_1 = require("../../common");
-const zod_1 = require("zod");
-const crypto_1 = require("crypto");
-const inputSchema = common_1.httpInputSchema;
-// RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / "-" / "." / "_" / "~"
-const pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/;
-const authorizationCodeGrant = zod_1.z.object({
-    grant_type: zod_1.z.literal('authorization_code'),
-    /** Authorization code returned from the /authorize step */
-    code: zod_1.z.string().min(1, 'code is required'),
-    /** Must exactly match the redirect URI used when obtaining the code */
-    redirect_uri: zod_1.z.string().url(),
-    /** Public client identifier */
-    client_id: zod_1.z.string().min(1),
-    /** PKCE verifier bound to the code */
-    code_verifier: zod_1.z
-        .string()
-        .regex(pkceVerifierRegex, "code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'"),
-});
-const refreshTokenGrant = zod_1.z.object({
-    grant_type: zod_1.z.literal('refresh_token'),
-    /** The refresh token */
-    refresh_token: zod_1.z.string().min(1, 'refresh_token is required'),
-    /** Public client identifier */
-    client_id: zod_1.z.string().min(1),
-});
-const anonymousGrant = zod_1.z.object({
-    grant_type: zod_1.z.literal('anonymous'),
-    /** Public client identifier */
-    client_id: zod_1.z.string().min(1),
-    /** Target resource/audience is required for this custom flow */
-    resource: zod_1.z.string().url().optional(),
-});
-const tokenRequestSchema = zod_1.z.discriminatedUnion('grant_type', [
-    anonymousGrant,
-    authorizationCodeGrant,
-    refreshTokenGrant,
-]);
-const stateSchema = zod_1.z.object({
-    body: tokenRequestSchema.optional(),
-    grantType: zod_1.z.enum(['authorization_code', 'refresh_token', 'anonymous']).optional(),
-    isDefaultAuthProvider: zod_1.z.boolean().describe('If FrontMcp initialized without auth options'),
-    isOrchestrated: zod_1.z.boolean().describe('If auth mode is orchestrated'),
-    // Token response data
-    tokenResponse: zod_1.z
-        .object({
-        access_token: zod_1.z.string(),
-        token_type: zod_1.z.literal('Bearer'),
-        expires_in: zod_1.z.number(),
-        refresh_token: zod_1.z.string().optional(),
-        scope: zod_1.z.string().optional(),
-    })
-        .optional(),
-    // Error data
-    error: zod_1.z.string().optional(),
-    errorDescription: zod_1.z.string().optional(),
-});
-const outputSchema = common_1.HttpJsonSchema;
-const plan = {
-    pre: ['parseInput', 'validateInput'],
-    execute: ['handleAuthorizationCodeGrant', 'handleRefreshTokenGrant', 'handleAnonymousGrant', 'buildTokenResponse'],
-    post: ['validateOutput'],
-};
-const name = 'oauth:token';
-const Stage = (0, common_1.StageHookOf)(name);
-let OauthTokenFlow = class OauthTokenFlow extends common_1.FlowBase {
-    logger = this.scope.logger.child('OauthTokenFlow');
-    async parseInput() {
-        const { metadata } = this.scope;
-        const { request } = this.rawInput;
-        // Determine if we're using default (anonymous) auth or orchestrated
-        const isDefaultAuthProvider = !metadata.auth;
-        const isOrchestrated = !isDefaultAuthProvider;
-        try {
-            const body = tokenRequestSchema.parse(request.body);
-            this.state.set({
-                isDefaultAuthProvider,
-                isOrchestrated,
-                body,
-                grantType: body.grant_type,
-            });
-        }
-        catch (err) {
-            this.logger.warn('Invalid token request body', err);
-            this.state.set({
-                isDefaultAuthProvider,
-                isOrchestrated,
-                error: 'invalid_request',
-                errorDescription: 'Invalid request body',
-            });
-        }
-    }
-    async validateInput() {
-        const { error, errorDescription } = this.state;
-        if (error) {
-            this.respond(common_1.httpRespond.json({
-                error,
-                error_description: errorDescription,
-            }, { status: 400 }));
-        }
-    }
-    async handleAuthorizationCodeGrant() {
-        const { body, isDefaultAuthProvider } = this.state.required;
-        if (body?.grant_type !== 'authorization_code')
-            return;
-        // For default auth provider with "anonymous" code, just issue anonymous tokens
-        if (isDefaultAuthProvider && body.code === 'anonymous') {
-            const localAuth = this.scope.auth;
-            const accessToken = await localAuth.signAnonymousJwt();
-            this.state.set('tokenResponse', {
-                access_token: accessToken,
-                token_type: 'Bearer',
-                expires_in: 86400,
-                refresh_token: (0, crypto_1.randomUUID)(),
-            });
-            return;
-        }
-        // Real authorization code exchange
-        const localAuth = this.scope.auth;
-        const result = await localAuth.exchangeCode(body.code, body.client_id, body.redirect_uri, body.code_verifier);
-        if ('error' in result) {
-            this.logger.warn(`Code exchange failed: ${result.error}`);
-            this.respond(common_1.httpRespond.json({
-                error: result.error,
-                error_description: result.error_description,
-            }, { status: 400 }));
-            return;
-        }
-        this.state.set('tokenResponse', {
-            access_token: result.access_token,
-            token_type: result.token_type,
-            expires_in: result.expires_in,
-            refresh_token: result.refresh_token,
-            scope: result.scope,
-        });
-    }
-    async handleRefreshTokenGrant() {
-        const { body, isDefaultAuthProvider } = this.state.required;
-        if (body?.grant_type !== 'refresh_token')
-            return;
-        // For default auth provider, just issue new anonymous tokens
-        if (isDefaultAuthProvider) {
-            const localAuth = this.scope.auth;
-            const accessToken = await localAuth.signAnonymousJwt();
-            this.state.set('tokenResponse', {
-                access_token: accessToken,
-                token_type: 'Bearer',
-                expires_in: 86400,
-                refresh_token: (0, crypto_1.randomUUID)(),
-            });
-            return;
-        }
-        // Real refresh token exchange
-        const localAuth = this.scope.auth;
-        const result = await localAuth.refreshAccessToken(body.refresh_token, body.client_id);
-        if ('error' in result) {
-            this.logger.warn(`Refresh token failed: ${result.error}`);
-            this.respond(common_1.httpRespond.json({
-                error: result.error,
-                error_description: result.error_description,
-            }, { status: 400 }));
-            return;
-        }
-        this.state.set('tokenResponse', {
-            access_token: result.access_token,
-            token_type: result.token_type,
-            expires_in: result.expires_in,
-            refresh_token: result.refresh_token,
-            scope: result.scope,
-        });
-    }
-    async handleAnonymousGrant() {
-        const localAuth = this.scope.auth;
-        const accessToken = await localAuth.signAnonymousJwt();
-        this.state.set('tokenResponse', {
-            access_token: accessToken,
-            token_type: 'Bearer',
-            expires_in: 86400,
-            refresh_token: (0, crypto_1.randomUUID)(),
-        });
-    }
-    async buildTokenResponse() {
-        const { tokenResponse } = this.state;
-        if (!tokenResponse) {
-            this.respond(common_1.httpRespond.json({
-                error: 'server_error',
-                error_description: 'Failed to generate tokens',
-            }, { status: 500 }));
-            return;
-        }
-        this.logger.info('Token response generated successfully');
-        this.respond(common_1.httpRespond.json(tokenResponse));
-    }
-    async validateOutput() {
-        // Schema handles output validation
-    }
-};
-tslib_1.__decorate([
-    Stage('parseInput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "parseInput", null);
-tslib_1.__decorate([
-    Stage('validateInput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "validateInput", null);
-tslib_1.__decorate([
-    Stage('handleAuthorizationCodeGrant', {
-        filter: ({ state }) => state.grantType === 'authorization_code',
-    }),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "handleAuthorizationCodeGrant", null);
-tslib_1.__decorate([
-    Stage('handleRefreshTokenGrant', {
-        filter: ({ state }) => state.grantType === 'refresh_token',
-    }),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "handleRefreshTokenGrant", null);
-tslib_1.__decorate([
-    Stage('handleAnonymousGrant', {
-        filter: ({ state }) => state.grantType === 'anonymous',
-    }),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "handleAnonymousGrant", null);
-tslib_1.__decorate([
-    Stage('buildTokenResponse'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "buildTokenResponse", null);
-tslib_1.__decorate([
-    Stage('validateOutput'),
-    tslib_1.__metadata("design:type", Function),
-    tslib_1.__metadata("design:paramtypes", []),
-    tslib_1.__metadata("design:returntype", Promise)
-], OauthTokenFlow.prototype, "validateOutput", null);
-OauthTokenFlow = tslib_1.__decorate([
-    (0, common_1.Flow)({
-        name,
-        plan,
-        inputSchema,
-        outputSchema,
-        access: 'public',
-        middleware: {
-            method: 'POST',
-            path: '/oauth/token',
-        },
-    })
-], OauthTokenFlow);
-exports.default = OauthTokenFlow;
-//# sourceMappingURL=oauth.token.flow.js.map

package/src/auth/flows/oauth.token.flow.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"oauth.token.flow.js","sourceRoot":"","sources":["../../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;;;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,yCASsB;AACtB,6BAAwB;AACxB,mCAAoC;AAGpC,MAAM,WAAW,GAAG,wBAAe,CAAC;AAEpC,0FAA0F;AAC1F,MAAM,iBAAiB,GAAG,2BAA2B,CAAC;AAEtD,MAAM,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IACtC,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC3C,2DAA2D;IAC3D,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,kBAAkB,CAAC;IAC3C,uEAAuE;IACvE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC9B,+BAA+B;IAC/B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,sCAAsC;IACtC,aAAa,EAAE,OAAC;SACb,MAAM,EAAE;SACR,KAAK,CAAC,iBAAiB,EAAE,2EAA2E,CAAC;CACzG,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACjC,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IACtC,wBAAwB;IACxB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,2BAA2B,CAAC;IAC7D,+BAA+B;IAC/B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9B,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAClC,+BAA+B;IAC/B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,gEAAgE;IAChE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,OAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE;IAC5D,cAAc;IACd,sBAAsB;IACtB,iBAAiB;CAClB,CAAC,CAAC;AAIH,MAAM,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACnC,SAAS,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClF,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;IAC3F,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,8BAA8B,CAAC;IACpE,sBAAsB;IACtB,aAAa,EAAE,OAAC;SACb,MAAM,CAAC;QACN,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC/B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;QACtB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACpC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC7B,CAAC;SACD,QAAQ,EAAE;IACb,aAAa;IACb,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACxC,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,uBAAc,CAAC;AAEpC,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACpC,OAAO,EAAE,CAAC,8BAA8B,EAAE,yBAAyB,EAAE,sBAAsB,EAAE,oBAAoB,CAAC;IAClH,IAAI,EAAE,CAAC,gBAAgB,CAAC;CACW,CAAC;AActC,MAAM,IAAI,GAAG,aAAsB,CAAC;AACpC,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAajB,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,iBAAqB;IACvD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAGrD,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAChC,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,oEAAoE;QACpE,MAAM,qBAAqB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAC7C,MAAM,cAAc,GAAG,CAAC,qBAAqB,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;gBACb,qBAAqB;gBACrB,cAAc;gBACd,IAAI;gBACJ,SAAS,EAAE,IAAI,CAAC,UAAU;aAC3B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;gBACb,qBAAqB;gBACrB,cAAc;gBACd,KAAK,EAAE,iBAAiB;gBACxB,gBAAgB,EAAE,sBAAsB;aACzC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,EAAE,KAAK,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK;gBACL,iBAAiB,EAAE,gBAAgB;aACpC,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,4BAA4B;QAChC,MAAM,EAAE,IAAI,EAAE,qBAAqB,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE5D,IAAI,IAAI,EAAE,UAAU,KAAK,oBAAoB;YAAE,OAAO;QAEtD,+EAA+E;QAC/E,IAAI,qBAAqB,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACvD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;YACtD,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAEvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;gBAC9B,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,KAAK;gBACjB,aAAa,EAAE,IAAA,mBAAU,GAAE;aAC5B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,mCAAmC;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAE9G,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;aAC5C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;YAC9B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAKK,AAAN,KAAK,CAAC,uBAAuB;QAC3B,MAAM,EAAE,IAAI,EAAE,qBAAqB,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE5D,IAAI,IAAI,EAAE,UAAU,KAAK,eAAe;YAAE,OAAO;QAEjD,6DAA6D;QAC7D,IAAI,qBAAqB,EAAE,CAAC;YAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;YACtD,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAEvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;gBAC9B,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,KAAK;gBACjB,aAAa,EAAE,IAAA,mBAAU,GAAE;aAC5B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEtF,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;aAC5C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;YAC9B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAKK,AAAN,KAAK,CAAC,oBAAoB;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAwB,CAAC;QACtD,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;QAEvD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,EAAE;YAC9B,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,KAAK;YACjB,aAAa,EAAE,IAAA,mBAAU,GAAE;SAC5B,CAAC,CAAC;IACL,CAAC;IAGK,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAErC,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,IAAI,CACd;gBACE,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,2BAA2B;aAC/C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;IAChD,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc;QAClB,mCAAmC;IACrC,CAAC;CACF,CAAA;AAtLO;IADL,KAAK,CAAC,YAAY,CAAC;;;;gDA0BnB;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;mDAetB;AAKK;IAHL,KAAK,CAAC,8BAA8B,EAAE;QACrC,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,oBAAoB;KAChE,CAAC;;;;kEA6CD;AAKK;IAHL,KAAK,CAAC,yBAAyB,EAAE;QAChC,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,eAAe;KAC3D,CAAC;;;;6DA6CD;AAKK;IAHL,KAAK,CAAC,sBAAsB,EAAE;QAC7B,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,WAAW;KACvD,CAAC;;;;0DAWD;AAGK;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;wDAmB3B;AAGK;IADL,KAAK,CAAC,gBAAgB,CAAC;;;;oDAGvB;AAzLkB,cAAc;IAXlC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,YAAY;QACZ,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,cAAc;SACrB;KACF,CAAC;GACmB,cAAc,CA0LlC;kBA1LoB,cAAc","sourcesContent":["/**\n * Token Endpoint — POST /oauth/token\n *\n * Who calls: Client (server-to-server).\n *\n * When: After getting the code (or for refresh).\n *\n * Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.\n */\n/**\n * Typical parameter shapes\n *\n * /oauth/token (POST, application/x-www-form-urlencoded)\n *\n * For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier\n *\n * For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)\n */\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n/**\n *\n * OAuth 2.0 Device Authorization Grant (\"device code flow\")\n * Who does what (at a glance)\n *\n * Device/TV/CLI (no browser)\n * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.\n *\n * User (on phone/laptop browser)\n * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.\n *\n * Auth Server (you)\n * Stores the device transaction and, after the user authenticates, marks it as approved so the device's /oauth/token polling succeeds.\n *\n * Endpoints you need (only two \"new\" ones)\n *\n * POST /oauth/device_authorization ✅ (device calls)\n *\n * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)\n *\n * GET /activate ➜ \"UI handler\" (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)\n *\n * GET /activate/callback ➜ \"UI handler\" (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic \"All set\" page)\n *\n * That's it. No pages with complex consent screens are required; reuse your normal /oauth/authorize\n */\n\nimport {\n Flow,\n FlowBase,\n FlowPlan,\n FlowRunOptions,\n httpInputSchema,\n HttpJsonSchema,\n httpRespond,\n StageHookOf,\n} from '../../common';\nimport { z } from 'zod';\nimport { randomUUID } from 'crypto';\nimport { LocalPrimaryAuth, TokenResponse } from '../instances/instance.local-primary-auth';\n\nconst inputSchema = httpInputSchema;\n\n// RFC 7636 PKCE: code_verifier is 43–128 chars from ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nconst pkceVerifierRegex = /^[A-Za-z0-9_.~-]{43,128}$/;\n\nconst authorizationCodeGrant = z.object({\n grant_type: z.literal('authorization_code'),\n /** Authorization code returned from the /authorize step */\n code: z.string().min(1, 'code is required'),\n /** Must exactly match the redirect URI used when obtaining the code */\n redirect_uri: z.string().url(),\n /** Public client identifier */\n client_id: z.string().min(1),\n /** PKCE verifier bound to the code */\n code_verifier: z\n .string()\n .regex(pkceVerifierRegex, \"code_verifier must be 43–128 chars of A–Z, a–z, 0–9, '-', '.', '_' or '~'\"),\n});\n\nconst refreshTokenGrant = z.object({\n grant_type: z.literal('refresh_token'),\n /** The refresh token */\n refresh_token: z.string().min(1, 'refresh_token is required'),\n /** Public client identifier */\n client_id: z.string().min(1),\n});\n\nconst anonymousGrant = z.object({\n grant_type: z.literal('anonymous'),\n /** Public client identifier */\n client_id: z.string().min(1),\n /** Target resource/audience is required for this custom flow */\n resource: z.string().url().optional(),\n});\n\nconst tokenRequestSchema = z.discriminatedUnion('grant_type', [\n anonymousGrant,\n authorizationCodeGrant,\n refreshTokenGrant,\n]);\n\ntype TokenRequest = z.infer<typeof tokenRequestSchema>;\n\nconst stateSchema = z.object({\n body: tokenRequestSchema.optional(),\n grantType: z.enum(['authorization_code', 'refresh_token', 'anonymous']).optional(),\n isDefaultAuthProvider: z.boolean().describe('If FrontMcp initialized without auth options'),\n isOrchestrated: z.boolean().describe('If auth mode is orchestrated'),\n // Token response data\n tokenResponse: z\n .object({\n access_token: z.string(),\n token_type: z.literal('Bearer'),\n expires_in: z.number(),\n refresh_token: z.string().optional(),\n scope: z.string().optional(),\n })\n .optional(),\n // Error data\n error: z.string().optional(),\n errorDescription: z.string().optional(),\n});\n\nconst outputSchema = HttpJsonSchema;\n\nconst plan = {\n pre: ['parseInput', 'validateInput'],\n execute: ['handleAuthorizationCodeGrant', 'handleRefreshTokenGrant', 'handleAnonymousGrant', 'buildTokenResponse'],\n post: ['validateOutput'],\n} as const satisfies FlowPlan<string>;\n\ndeclare global {\n interface ExtendFlows {\n 'oauth:token': FlowRunOptions<\n OauthTokenFlow,\n typeof plan,\n typeof inputSchema,\n typeof outputSchema,\n typeof stateSchema\n >;\n }\n}\n\nconst name = 'oauth:token' as const;\nconst Stage = StageHookOf(name);\n\n@Flow({\n name,\n plan,\n inputSchema,\n outputSchema,\n access: 'public',\n middleware: {\n method: 'POST',\n path: '/oauth/token',\n },\n})\nexport default class OauthTokenFlow extends FlowBase<typeof name> {\n private logger = this.scope.logger.child('OauthTokenFlow');\n\n @Stage('parseInput')\n async parseInput() {\n const { metadata } = this.scope;\n const { request } = this.rawInput;\n\n // Determine if we're using default (anonymous) auth or orchestrated\n const isDefaultAuthProvider = !metadata.auth;\n const isOrchestrated = !isDefaultAuthProvider;\n\n try {\n const body = tokenRequestSchema.parse(request.body);\n this.state.set({\n isDefaultAuthProvider,\n isOrchestrated,\n body,\n grantType: body.grant_type,\n });\n } catch (err) {\n this.logger.warn('Invalid token request body', err);\n this.state.set({\n isDefaultAuthProvider,\n isOrchestrated,\n error: 'invalid_request',\n errorDescription: 'Invalid request body',\n });\n }\n }\n\n @Stage('validateInput')\n async validateInput() {\n const { error, errorDescription } = this.state;\n\n if (error) {\n this.respond(\n httpRespond.json(\n {\n error,\n error_description: errorDescription,\n },\n { status: 400 },\n ),\n );\n }\n }\n\n @Stage('handleAuthorizationCodeGrant', {\n filter: ({ state }) => state.grantType === 'authorization_code',\n })\n async handleAuthorizationCodeGrant() {\n const { body, isDefaultAuthProvider } = this.state.required;\n\n if (body?.grant_type !== 'authorization_code') return;\n\n // For default auth provider with \"anonymous\" code, just issue anonymous tokens\n if (isDefaultAuthProvider && body.code === 'anonymous') {\n const localAuth = this.scope.auth as LocalPrimaryAuth;\n const accessToken = await localAuth.signAnonymousJwt();\n\n this.state.set('tokenResponse', {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 86400,\n refresh_token: randomUUID(),\n });\n return;\n }\n\n // Real authorization code exchange\n const localAuth = this.scope.auth as LocalPrimaryAuth;\n const result = await localAuth.exchangeCode(body.code, body.client_id, body.redirect_uri, body.code_verifier);\n\n if ('error' in result) {\n this.logger.warn(`Code exchange failed: ${result.error}`);\n this.respond(\n httpRespond.json(\n {\n error: result.error,\n error_description: result.error_description,\n },\n { status: 400 },\n ),\n );\n return;\n }\n\n this.state.set('tokenResponse', {\n access_token: result.access_token,\n token_type: result.token_type,\n expires_in: result.expires_in,\n refresh_token: result.refresh_token,\n scope: result.scope,\n });\n }\n\n @Stage('handleRefreshTokenGrant', {\n filter: ({ state }) => state.grantType === 'refresh_token',\n })\n async handleRefreshTokenGrant() {\n const { body, isDefaultAuthProvider } = this.state.required;\n\n if (body?.grant_type !== 'refresh_token') return;\n\n // For default auth provider, just issue new anonymous tokens\n if (isDefaultAuthProvider) {\n const localAuth = this.scope.auth as LocalPrimaryAuth;\n const accessToken = await localAuth.signAnonymousJwt();\n\n this.state.set('tokenResponse', {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 86400,\n refresh_token: randomUUID(),\n });\n return;\n }\n\n // Real refresh token exchange\n const localAuth = this.scope.auth as LocalPrimaryAuth;\n const result = await localAuth.refreshAccessToken(body.refresh_token, body.client_id);\n\n if ('error' in result) {\n this.logger.warn(`Refresh token failed: ${result.error}`);\n this.respond(\n httpRespond.json(\n {\n error: result.error,\n error_description: result.error_description,\n },\n { status: 400 },\n ),\n );\n return;\n }\n\n this.state.set('tokenResponse', {\n access_token: result.access_token,\n token_type: result.token_type,\n expires_in: result.expires_in,\n refresh_token: result.refresh_token,\n scope: result.scope,\n });\n }\n\n @Stage('handleAnonymousGrant', {\n filter: ({ state }) => state.grantType === 'anonymous',\n })\n async handleAnonymousGrant() {\n const localAuth = this.scope.auth as LocalPrimaryAuth;\n const accessToken = await localAuth.signAnonymousJwt();\n\n this.state.set('tokenResponse', {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 86400,\n refresh_token: randomUUID(),\n });\n }\n\n @Stage('buildTokenResponse')\n async buildTokenResponse() {\n const { tokenResponse } = this.state;\n\n if (!tokenResponse) {\n this.respond(\n httpRespond.json(\n {\n error: 'server_error',\n error_description: 'Failed to generate tokens',\n },\n { status: 500 },\n ),\n );\n return;\n }\n\n this.logger.info('Token response generated successfully');\n this.respond(httpRespond.json(tokenResponse));\n }\n\n @Stage('validateOutput')\n async validateOutput() {\n // Schema handles output validation\n }\n}\n"]}