npm - @frontmcp/sdk - Versions diffs - 0.6.1 → 0.6.3 - Mend

@frontmcp/sdk 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1066) hide show

package/src/auth/session/transport-session.manager.js DELETED Viewed

@@ -1,298 +0,0 @@
-"use strict";
-// auth/session/transport-session.manager.ts
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TransportSessionManager = exports.InMemorySessionStore = void 0;
-const crypto_1 = require("crypto");
-const session_id_utils_1 = require("./utils/session-id.utils");
-const session_crypto_1 = require("./session.crypto");
-const authorization_class_1 = require("../authorization/authorization.class");
-const redis_session_store_1 = require("./redis-session.store");
-/**
- * In-memory session store implementation
- */
-class InMemorySessionStore {
-    sessions = new Map();
-    async get(sessionId) {
-        const stored = this.sessions.get(sessionId);
-        if (!stored)
-            return null;
-        // Check expiration
-        if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {
-            this.sessions.delete(sessionId);
-            return null;
-        }
-        // Update last accessed
-        stored.lastAccessedAt = Date.now();
-        return stored;
-    }
-    async set(sessionId, session, ttlMs) {
-        if (ttlMs) {
-            session.session.expiresAt = Date.now() + ttlMs;
-        }
-        this.sessions.set(sessionId, session);
-    }
-    async delete(sessionId) {
-        this.sessions.delete(sessionId);
-    }
-    async exists(sessionId) {
-        const stored = this.sessions.get(sessionId);
-        if (!stored)
-            return false;
-        // Check expiration
-        if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {
-            this.sessions.delete(sessionId);
-            return false;
-        }
-        return true;
-    }
-    allocId() {
-        return (0, crypto_1.randomUUID)();
-    }
-    /**
-     * Clean up expired sessions
-     */
-    cleanup() {
-        const now = Date.now();
-        let cleaned = 0;
-        for (const [id, stored] of this.sessions) {
-            if (stored.session.expiresAt && stored.session.expiresAt < now) {
-                this.sessions.delete(id);
-                cleaned++;
-            }
-        }
-        return cleaned;
-    }
-    /**
-     * Get count of active sessions
-     */
-    get size() {
-        return this.sessions.size;
-    }
-}
-exports.InMemorySessionStore = InMemorySessionStore;
-/**
- * Transport Session Manager
- *
- * Manages transport sessions independent of authorization.
- * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.
- *
- * Key concepts:
- * - Authorization = User identity + permissions (1 per user token)
- * - TransportSession = Protocol-specific connection (N per authorization)
- * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)
- */
-class TransportSessionManager {
-    store;
-    mode;
-    encryptionKey;
-    constructor(config) {
-        this.mode = config.mode;
-        if (config.mode === 'stateless') {
-            this.store = new InMemorySessionStore(); // Used only for allocation
-        }
-        else if (config.store === 'memory') {
-            this.store = new InMemorySessionStore();
-        }
-        else if (config.store === 'redis') {
-            // Instantiate Redis session store
-            this.store = new redis_session_store_1.RedisSessionStore(config.config);
-        }
-        else {
-            this.store = new InMemorySessionStore();
-        }
-        // Derive encryption key from secret or generate one
-        const secret = config.encryptionSecret || process.env['MCP_SESSION_SECRET'];
-        if (!secret) {
-            if (process.env['NODE_ENV'] === 'production') {
-                throw new Error('[TransportSessionManager] MCP_SESSION_SECRET or encryptionSecret is required in production. ' +
-                    'Set the MCP_SESSION_SECRET environment variable or provide encryptionSecret in config.');
-            }
-            // Development fallback - NOT secure for production
-            console.warn('[TransportSessionManager] Using machine ID as session encryption secret - NOT SECURE FOR PRODUCTION. ' +
-                'Set MCP_SESSION_SECRET or provide encryptionSecret in config.');
-        }
-        const effectiveSecret = secret || (0, authorization_class_1.getMachineId)();
-        this.encryptionKey = (0, session_crypto_1.hkdfSha256)(Buffer.from(effectiveSecret), Buffer.from('mcp-session-salt'), Buffer.from('transport-session'), 32);
-    }
-    /**
-     * Create a new transport session for an authorization
-     *
-     * @param authorizationId - The authorization this session belongs to
-     * @param protocol - Transport protocol (sse, streamable-http, etc.)
-     * @param options - Additional session options
-     * @returns The created transport session
-     */
-    async createSession(authorizationId, protocol, options = {}) {
-        const sessionId = this.store.allocId();
-        const session = {
-            id: sessionId,
-            authorizationId,
-            protocol,
-            createdAt: Date.now(),
-            expiresAt: options.expiresAt,
-            nodeId: (0, authorization_class_1.getMachineId)(),
-            clientFingerprint: options.fingerprint,
-            transportState: options.transportState,
-        };
-        if (this.mode === 'stateful') {
-            // Store session in persistent store
-            const stored = {
-                session,
-                authorizationId,
-                tokens: options.tokens,
-                createdAt: Date.now(),
-                lastAccessedAt: Date.now(),
-            };
-            await this.store.set(sessionId, stored);
-        }
-        return session;
-    }
-    /**
-     * Get an existing session by ID
-     *
-     * @param sessionId - The session ID (encrypted JWT or UUID)
-     * @returns The session if found and valid, null otherwise
-     */
-    async getSession(sessionId) {
-        if (this.mode === 'stateless') {
-            // Decrypt session from JWT
-            return this.decryptSessionJwt(sessionId);
-        }
-        // Stateful: lookup in store
-        const stored = await this.store.get(sessionId);
-        return stored?.session ?? null;
-    }
-    /**
-     * Get stored session with tokens (for orchestrated mode)
-     */
-    async getStoredSession(sessionId) {
-        if (this.mode === 'stateless') {
-            // In stateless mode, we don't have stored sessions
-            return null;
-        }
-        return this.store.get(sessionId);
-    }
-    /**
-     * Update session state
-     */
-    async updateSession(sessionId, updates) {
-        if (this.mode === 'stateless') {
-            // Stateless sessions are immutable - caller should create new session JWT
-            return false;
-        }
-        const stored = await this.store.get(sessionId);
-        if (!stored)
-            return false;
-        if (updates.transportState) {
-            stored.session.transportState = updates.transportState;
-        }
-        if (updates.expiresAt) {
-            stored.session.expiresAt = updates.expiresAt;
-        }
-        stored.lastAccessedAt = Date.now();
-        await this.store.set(sessionId, stored);
-        return true;
-    }
-    /**
-     * Delete a session
-     */
-    async deleteSession(sessionId) {
-        if (this.mode === 'stateless') {
-            // Stateless sessions can't be revoked
-            return false;
-        }
-        const exists = await this.store.exists(sessionId);
-        if (exists) {
-            await this.store.delete(sessionId);
-        }
-        return exists;
-    }
-    /**
-     * Encode a session as an encrypted JWT for the Mcp-Session-Id header
-     *
-     * @param session - The transport session to encode
-     * @param additionalState - Additional encrypted state for stateless mode
-     * @returns Encrypted session JWT
-     */
-    encodeSessionJwt(session, additionalState) {
-        const payload = {
-            sid: session.id,
-            aid: session.authorizationId,
-            proto: session.protocol,
-            nid: session.nodeId,
-            iat: Math.floor(Date.now() / 1000),
-            exp: session.expiresAt ? Math.floor(session.expiresAt / 1000) : undefined,
-        };
-        if (this.mode === 'stateless' && additionalState) {
-            const statelessPayload = payload;
-            if (additionalState.state) {
-                const encrypted = (0, session_crypto_1.encryptAesGcm)(this.encryptionKey, JSON.stringify(additionalState.state));
-                statelessPayload.state = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;
-            }
-            if (additionalState.tokens) {
-                const encrypted = (0, session_crypto_1.encryptAesGcm)(this.encryptionKey, JSON.stringify(additionalState.tokens));
-                statelessPayload.tokens = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;
-            }
-        }
-        return (0, session_id_utils_1.encryptJson)(payload);
-    }
-    /**
-     * Decode an encrypted session JWT
-     *
-     * @param jwt - The encrypted session JWT
-     * @returns Decoded session or null if invalid
-     */
-    decryptSessionJwt(jwt) {
-        try {
-            // The encryptJson format is iv.tag.ct (base64url)
-            // We need to decrypt it using the same key
-            const parts = jwt.split('.');
-            if (parts.length !== 3)
-                return null;
-            const [ivB64, tagB64, ctB64] = parts;
-            const iv = Buffer.from(ivB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
-            const tag = Buffer.from(tagB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
-            const data = Buffer.from(ctB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
-            const decrypted = (0, session_crypto_1.decryptAesGcm)(this.encryptionKey, {
-                alg: 'A256GCM',
-                iv: iv.toString('base64url'),
-                tag: tag.toString('base64url'),
-                data: data.toString('base64url'),
-            });
-            const payload = JSON.parse(decrypted);
-            // Validate expiration
-            if (payload.exp && payload.exp * 1000 < Date.now()) {
-                return null;
-            }
-            return {
-                id: payload.sid,
-                authorizationId: payload.aid,
-                protocol: payload.proto,
-                createdAt: payload.iat * 1000,
-                expiresAt: payload.exp ? payload.exp * 1000 : undefined,
-                nodeId: payload.nid,
-            };
-        }
-        catch {
-            return null;
-        }
-    }
-    /**
-     * Check if a session exists and is valid
-     */
-    async sessionExists(sessionId) {
-        if (this.mode === 'stateless') {
-            const session = this.decryptSessionJwt(sessionId);
-            return session !== null;
-        }
-        return this.store.exists(sessionId);
-    }
-    /**
-     * Get the storage mode
-     */
-    get storageMode() {
-        return this.mode;
-    }
-}
-exports.TransportSessionManager = TransportSessionManager;
-//# sourceMappingURL=transport-session.manager.js.map

package/src/auth/session/transport-session.manager.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"transport-session.manager.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.manager.ts"],"names":[],"mappings":";AAAA,4CAA4C;;;AAE5C,mCAAoC;AAYpC,+DAAuD;AACvD,qDAA4E;AAC5E,8EAAoE;AACpE,+DAA0D;AAE1D;;GAEG;AACH,MAAa,oBAAoB;IACd,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE7D,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAAsB,EAAE,KAAc;QACjE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,OAAO,IAAA,mBAAU,GAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC/D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF;AAlED,oDAkEC;AAED;;;;;;;;;;GAUG;AACH,MAAa,uBAAuB;IACjB,KAAK,CAAe;IACpB,IAAI,CAA2B;IAC/B,aAAa,CAAS;IAEvC,YAAY,MAA4D;QACtE,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAExB,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC,CAAC,2BAA2B;QACtE,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;YACpC,kCAAkC;YAClC,IAAI,CAAC,KAAK,GAAG,IAAI,uCAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;QAED,oDAAoD;QACpD,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,CACb,8FAA8F;oBAC5F,wFAAwF,CAC3F,CAAC;YACJ,CAAC;YACD,mDAAmD;YACnD,OAAO,CAAC,IAAI,CACV,uGAAuG;gBACrG,+DAA+D,CAClE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,IAAI,IAAA,kCAAY,GAAE,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,IAAA,2BAAU,EAC7B,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,EAC5B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAC/B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAChC,EAAE,CACH,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,eAAuB,EACvB,QAA2B,EAC3B,UAKI,EAAE;QAEN,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEvC,MAAM,OAAO,GAAqB;YAChC,EAAE,EAAE,SAAS;YACb,eAAe;YACf,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,IAAA,kCAAY,GAAE;YACtB,iBAAiB,EAAE,OAAO,CAAC,WAAW;YACtC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,oCAAoC;YACpC,MAAM,MAAM,GAAkB;gBAC5B,OAAO;gBACP,eAAe;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE;aAC3B,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,2BAA2B;YAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAED,4BAA4B;QAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,OAAO,MAAM,EAAE,OAAO,IAAI,IAAI,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,mDAAmD;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,OAGC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,0EAA0E;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,MAAM,CAAC,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,sCAAsC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,gBAAgB,CACd,OAAyB,EACzB,eAGC;QAED,MAAM,OAAO,GAAsB;YACjC,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,EAAE,OAAO,CAAC,eAAe;YAC5B,KAAK,EAAE,OAAO,CAAC,QAAQ;YACvB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAClC,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1E,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,IAAI,eAAe,EAAE,CAAC;YACjD,MAAM,gBAAgB,GAAG,OAAqC,CAAC;YAE/D,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3F,gBAAgB,CAAC,KAAK,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YAChF,CAAC;YAED,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5F,gBAAgB,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACjF,CAAC;QACH,CAAC;QAED,OAAO,IAAA,8BAAW,EAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,GAAW;QACnC,IAAI,CAAC;YACH,kDAAkD;YAClD,2CAA2C;YAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;YACrC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAChF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAEhF,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE;gBAClD,GAAG,EAAE,SAAS;gBACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;aACjC,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;YAE3D,sBAAsB;YACtB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,OAAO,CAAC,GAAG;gBACf,eAAe,EAAE,OAAO,CAAC,GAAG;gBAC5B,QAAQ,EAAE,OAAO,CAAC,KAAK;gBACvB,SAAS,EAAE,OAAO,CAAC,GAAG,GAAG,IAAI;gBAC7B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBACvD,MAAM,EAAE,OAAO,CAAC,GAAG;aACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAClD,OAAO,OAAO,KAAK,IAAI,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AAzQD,0DAyQC","sourcesContent":["// auth/session/transport-session.manager.ts\n\nimport { randomUUID } from 'crypto';\nimport {\n TransportSession,\n TransportProtocol,\n SessionJwtPayload,\n StatelessSessionJwtPayload,\n StoredSession,\n SessionStore,\n SessionStorageConfig,\n TransportState,\n EncryptedBlob,\n} from './transport-session.types';\nimport { encryptJson } from './utils/session-id.utils';\nimport { encryptAesGcm, decryptAesGcm, hkdfSha256 } from './session.crypto';\nimport { getMachineId } from '../authorization/authorization.class';\nimport { RedisSessionStore } from './redis-session.store';\n\n/**\n * In-memory session store implementation\n */\nexport class InMemorySessionStore implements SessionStore {\n private readonly sessions = new Map<string, StoredSession>();\n\n async get(sessionId: string): Promise<StoredSession | null> {\n const stored = this.sessions.get(sessionId);\n if (!stored) return null;\n\n // Check expiration\n if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n this.sessions.delete(sessionId);\n return null;\n }\n\n // Update last accessed\n stored.lastAccessedAt = Date.now();\n return stored;\n }\n\n async set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void> {\n if (ttlMs) {\n session.session.expiresAt = Date.now() + ttlMs;\n }\n this.sessions.set(sessionId, session);\n }\n\n async delete(sessionId: string): Promise<void> {\n this.sessions.delete(sessionId);\n }\n\n async exists(sessionId: string): Promise<boolean> {\n const stored = this.sessions.get(sessionId);\n if (!stored) return false;\n\n // Check expiration\n if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n this.sessions.delete(sessionId);\n return false;\n }\n return true;\n }\n\n allocId(): string {\n return randomUUID();\n }\n\n /**\n * Clean up expired sessions\n */\n cleanup(): number {\n const now = Date.now();\n let cleaned = 0;\n for (const [id, stored] of this.sessions) {\n if (stored.session.expiresAt && stored.session.expiresAt < now) {\n this.sessions.delete(id);\n cleaned++;\n }\n }\n return cleaned;\n }\n\n /**\n * Get count of active sessions\n */\n get size(): number {\n return this.sessions.size;\n }\n}\n\n/**\n * Transport Session Manager\n *\n * Manages transport sessions independent of authorization.\n * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.\n *\n * Key concepts:\n * - Authorization = User identity + permissions (1 per user token)\n * - TransportSession = Protocol-specific connection (N per authorization)\n * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)\n */\nexport class TransportSessionManager {\n private readonly store: SessionStore;\n private readonly mode: 'stateless' | 'stateful';\n private readonly encryptionKey: Buffer;\n\n constructor(config: SessionStorageConfig & { encryptionSecret?: string }) {\n this.mode = config.mode;\n\n if (config.mode === 'stateless') {\n this.store = new InMemorySessionStore(); // Used only for allocation\n } else if (config.store === 'memory') {\n this.store = new InMemorySessionStore();\n } else if (config.store === 'redis') {\n // Instantiate Redis session store\n this.store = new RedisSessionStore(config.config);\n } else {\n this.store = new InMemorySessionStore();\n }\n\n // Derive encryption key from secret or generate one\n const secret = config.encryptionSecret || process.env['MCP_SESSION_SECRET'];\n if (!secret) {\n if (process.env['NODE_ENV'] === 'production') {\n throw new Error(\n '[TransportSessionManager] MCP_SESSION_SECRET or encryptionSecret is required in production. ' +\n 'Set the MCP_SESSION_SECRET environment variable or provide encryptionSecret in config.',\n );\n }\n // Development fallback - NOT secure for production\n console.warn(\n '[TransportSessionManager] Using machine ID as session encryption secret - NOT SECURE FOR PRODUCTION. ' +\n 'Set MCP_SESSION_SECRET or provide encryptionSecret in config.',\n );\n }\n const effectiveSecret = secret || getMachineId();\n this.encryptionKey = hkdfSha256(\n Buffer.from(effectiveSecret),\n Buffer.from('mcp-session-salt'),\n Buffer.from('transport-session'),\n 32,\n );\n }\n\n /**\n * Create a new transport session for an authorization\n *\n * @param authorizationId - The authorization this session belongs to\n * @param protocol - Transport protocol (sse, streamable-http, etc.)\n * @param options - Additional session options\n * @returns The created transport session\n */\n async createSession(\n authorizationId: string,\n protocol: TransportProtocol,\n options: {\n expiresAt?: number;\n fingerprint?: string;\n transportState?: TransportState;\n tokens?: Record<string, EncryptedBlob>;\n } = {},\n ): Promise<TransportSession> {\n const sessionId = this.store.allocId();\n\n const session: TransportSession = {\n id: sessionId,\n authorizationId,\n protocol,\n createdAt: Date.now(),\n expiresAt: options.expiresAt,\n nodeId: getMachineId(),\n clientFingerprint: options.fingerprint,\n transportState: options.transportState,\n };\n\n if (this.mode === 'stateful') {\n // Store session in persistent store\n const stored: StoredSession = {\n session,\n authorizationId,\n tokens: options.tokens,\n createdAt: Date.now(),\n lastAccessedAt: Date.now(),\n };\n await this.store.set(sessionId, stored);\n }\n\n return session;\n }\n\n /**\n * Get an existing session by ID\n *\n * @param sessionId - The session ID (encrypted JWT or UUID)\n * @returns The session if found and valid, null otherwise\n */\n async getSession(sessionId: string): Promise<TransportSession | null> {\n if (this.mode === 'stateless') {\n // Decrypt session from JWT\n return this.decryptSessionJwt(sessionId);\n }\n\n // Stateful: lookup in store\n const stored = await this.store.get(sessionId);\n return stored?.session ?? null;\n }\n\n /**\n * Get stored session with tokens (for orchestrated mode)\n */\n async getStoredSession(sessionId: string): Promise<StoredSession | null> {\n if (this.mode === 'stateless') {\n // In stateless mode, we don't have stored sessions\n return null;\n }\n return this.store.get(sessionId);\n }\n\n /**\n * Update session state\n */\n async updateSession(\n sessionId: string,\n updates: {\n transportState?: TransportState;\n expiresAt?: number;\n },\n ): Promise<boolean> {\n if (this.mode === 'stateless') {\n // Stateless sessions are immutable - caller should create new session JWT\n return false;\n }\n\n const stored = await this.store.get(sessionId);\n if (!stored) return false;\n\n if (updates.transportState) {\n stored.session.transportState = updates.transportState;\n }\n if (updates.expiresAt) {\n stored.session.expiresAt = updates.expiresAt;\n }\n stored.lastAccessedAt = Date.now();\n\n await this.store.set(sessionId, stored);\n return true;\n }\n\n /**\n * Delete a session\n */\n async deleteSession(sessionId: string): Promise<boolean> {\n if (this.mode === 'stateless') {\n // Stateless sessions can't be revoked\n return false;\n }\n\n const exists = await this.store.exists(sessionId);\n if (exists) {\n await this.store.delete(sessionId);\n }\n return exists;\n }\n\n /**\n * Encode a session as an encrypted JWT for the Mcp-Session-Id header\n *\n * @param session - The transport session to encode\n * @param additionalState - Additional encrypted state for stateless mode\n * @returns Encrypted session JWT\n */\n encodeSessionJwt(\n session: TransportSession,\n additionalState?: {\n state?: unknown;\n tokens?: Record<string, unknown>;\n },\n ): string {\n const payload: SessionJwtPayload = {\n sid: session.id,\n aid: session.authorizationId,\n proto: session.protocol,\n nid: session.nodeId,\n iat: Math.floor(Date.now() / 1000),\n exp: session.expiresAt ? Math.floor(session.expiresAt / 1000) : undefined,\n };\n\n if (this.mode === 'stateless' && additionalState) {\n const statelessPayload = payload as StatelessSessionJwtPayload;\n\n if (additionalState.state) {\n const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.state));\n statelessPayload.state = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n }\n\n if (additionalState.tokens) {\n const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.tokens));\n statelessPayload.tokens = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n }\n }\n\n return encryptJson(payload);\n }\n\n /**\n * Decode an encrypted session JWT\n *\n * @param jwt - The encrypted session JWT\n * @returns Decoded session or null if invalid\n */\n private decryptSessionJwt(jwt: string): TransportSession | null {\n try {\n // The encryptJson format is iv.tag.ct (base64url)\n // We need to decrypt it using the same key\n const parts = jwt.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n const iv = Buffer.from(ivB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n const tag = Buffer.from(tagB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n const data = Buffer.from(ctB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n\n const decrypted = decryptAesGcm(this.encryptionKey, {\n alg: 'A256GCM',\n iv: iv.toString('base64url'),\n tag: tag.toString('base64url'),\n data: data.toString('base64url'),\n });\n\n const payload = JSON.parse(decrypted) as SessionJwtPayload;\n\n // Validate expiration\n if (payload.exp && payload.exp * 1000 < Date.now()) {\n return null;\n }\n\n return {\n id: payload.sid,\n authorizationId: payload.aid,\n protocol: payload.proto,\n createdAt: payload.iat * 1000,\n expiresAt: payload.exp ? payload.exp * 1000 : undefined,\n nodeId: payload.nid,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * Check if a session exists and is valid\n */\n async sessionExists(sessionId: string): Promise<boolean> {\n if (this.mode === 'stateless') {\n const session = this.decryptSessionJwt(sessionId);\n return session !== null;\n }\n return this.store.exists(sessionId);\n }\n\n /**\n * Get the storage mode\n */\n get storageMode(): 'stateless' | 'stateful' {\n return this.mode;\n }\n}\n"]}

package/src/auth/session/transport-session.types.js DELETED Viewed

@@ -1,111 +0,0 @@
-"use strict";
-// auth/session/transport-session.types.ts
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sessionStorageConfigSchema = exports.redisConfigSchema = exports.storedSessionSchema = exports.encryptedBlobSchema = exports.statelessSessionJwtPayloadSchema = exports.sessionJwtPayloadSchema = exports.transportSessionSchema = exports.transportStateSchema = exports.legacySseTransportStateSchema = exports.statelessHttpTransportStateSchema = exports.statefulHttpTransportStateSchema = exports.streamableHttpTransportStateSchema = exports.sseTransportStateSchema = exports.transportProtocolSchema = void 0;
-const zod_1 = require("zod");
-// ============================================
-// Zod Schemas
-// ============================================
-exports.transportProtocolSchema = zod_1.z.enum([
-    'legacy-sse',
-    'sse',
-    'streamable-http',
-    'stateful-http',
-    'stateless-http',
-]);
-exports.sseTransportStateSchema = zod_1.z.object({
-    type: zod_1.z.literal('sse'),
-    lastEventId: zod_1.z.string().optional(),
-    lastPing: zod_1.z.number().optional(),
-    connectionState: zod_1.z.enum(['connecting', 'open', 'closed']).optional(),
-});
-exports.streamableHttpTransportStateSchema = zod_1.z.object({
-    type: zod_1.z.literal('streamable-http'),
-    requestSeq: zod_1.z.number(),
-    activeStreamId: zod_1.z.string().optional(),
-    pendingRequests: zod_1.z.array(zod_1.z.string()).optional(),
-});
-exports.statefulHttpTransportStateSchema = zod_1.z.object({
-    type: zod_1.z.literal('stateful-http'),
-    requestSeq: zod_1.z.number(),
-    pendingResponses: zod_1.z.array(zod_1.z.string()).optional(),
-    lastActivity: zod_1.z.number().optional(),
-});
-exports.statelessHttpTransportStateSchema = zod_1.z.object({
-    type: zod_1.z.literal('stateless-http'),
-    requestCount: zod_1.z.number(),
-    windowStart: zod_1.z.number().optional(),
-});
-exports.legacySseTransportStateSchema = zod_1.z.object({
-    type: zod_1.z.literal('legacy-sse'),
-    messagePath: zod_1.z.string(),
-    lastEventId: zod_1.z.string().optional(),
-    connectionState: zod_1.z.enum(['connecting', 'open', 'closed']).optional(),
-});
-exports.transportStateSchema = zod_1.z.discriminatedUnion('type', [
-    exports.sseTransportStateSchema,
-    exports.streamableHttpTransportStateSchema,
-    exports.statefulHttpTransportStateSchema,
-    exports.statelessHttpTransportStateSchema,
-    exports.legacySseTransportStateSchema,
-]);
-exports.transportSessionSchema = zod_1.z.object({
-    id: zod_1.z.string(),
-    authorizationId: zod_1.z.string(),
-    protocol: exports.transportProtocolSchema,
-    createdAt: zod_1.z.number(),
-    expiresAt: zod_1.z.number().optional(),
-    nodeId: zod_1.z.string(),
-    clientFingerprint: zod_1.z.string().optional(),
-    transportState: exports.transportStateSchema.optional(),
-});
-exports.sessionJwtPayloadSchema = zod_1.z.object({
-    sid: zod_1.z.string(),
-    aid: zod_1.z.string(),
-    proto: exports.transportProtocolSchema,
-    nid: zod_1.z.string(),
-    iat: zod_1.z.number(),
-    exp: zod_1.z.number().optional(),
-});
-exports.statelessSessionJwtPayloadSchema = exports.sessionJwtPayloadSchema.extend({
-    state: zod_1.z.string().optional(),
-    tokens: zod_1.z.string().optional(),
-});
-exports.encryptedBlobSchema = zod_1.z.object({
-    alg: zod_1.z.literal('A256GCM'),
-    kid: zod_1.z.string().optional(),
-    iv: zod_1.z.string(),
-    tag: zod_1.z.string(),
-    data: zod_1.z.string(),
-    exp: zod_1.z.number().optional(),
-    meta: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
-});
-exports.storedSessionSchema = zod_1.z.object({
-    session: exports.transportSessionSchema,
-    authorizationId: zod_1.z.string(),
-    tokens: zod_1.z.record(zod_1.z.string(), exports.encryptedBlobSchema).optional(),
-    createdAt: zod_1.z.number(),
-    lastAccessedAt: zod_1.z.number(),
-});
-exports.redisConfigSchema = zod_1.z.object({
-    host: zod_1.z.string().min(1),
-    port: zod_1.z.number().int().positive().optional().default(6379),
-    password: zod_1.z.string().optional(),
-    db: zod_1.z.number().int().nonnegative().optional().default(0),
-    tls: zod_1.z.boolean().optional().default(false),
-    keyPrefix: zod_1.z.string().optional().default('mcp:session:'),
-    defaultTtlMs: zod_1.z.number().int().positive().optional().default(3600000), // 1 hour default
-});
-// Stateful storage options (discriminated by store type)
-const statefulStorageSchema = zod_1.z.discriminatedUnion('store', [
-    zod_1.z.object({ store: zod_1.z.literal('memory') }),
-    zod_1.z.object({ store: zod_1.z.literal('redis'), config: exports.redisConfigSchema }),
-]);
-// Session storage config using union instead of discriminatedUnion
-// to avoid duplicate mode values
-exports.sessionStorageConfigSchema = zod_1.z.union([
-    zod_1.z.object({ mode: zod_1.z.literal('stateless') }),
-    zod_1.z.object({ mode: zod_1.z.literal('stateful') }).merge(statefulStorageSchema.options[0]),
-    zod_1.z.object({ mode: zod_1.z.literal('stateful') }).merge(statefulStorageSchema.options[1]),
-]);
-//# sourceMappingURL=transport-session.types.js.map

package/src/auth/session/transport-session.types.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"transport-session.types.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.types.ts"],"names":[],"mappings":";AAAA,0CAA0C;;;AAE1C,6BAAwB;AA2OxB,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,YAAY;IACZ,KAAK;IACL,iBAAiB;IACjB,eAAe;IACf,gBAAgB;CACjB,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACtB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEU,QAAA,kCAAkC,GAAG,OAAC,CAAC,MAAM,CAAC;IACzD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAChD,CAAC,CAAC;AAEU,QAAA,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IACvD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;IACtB,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEU,QAAA,iCAAiC,GAAG,OAAC,CAAC,MAAM,CAAC;IACxD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC/D,+BAAuB;IACvB,0CAAkC;IAClC,wCAAgC;IAChC,yCAAiC;IACjC,qCAA6B;CAC9B,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,QAAQ,EAAE,+BAAuB;IACjC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,cAAc,EAAE,4BAAoB,CAAC,QAAQ,EAAE;CAChD,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,+BAAuB;IAC9B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEU,QAAA,gCAAgC,GAAG,+BAAuB,CAAC,MAAM,CAAC;IAC7E,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,8BAAsB;IAC/B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,2BAAmB,CAAC,CAAC,QAAQ,EAAE;IAC5D,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE;CAC3B,CAAC,CAAC;AAEU,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC1D,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,GAAG,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC1C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;IACxD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,iBAAiB;CACzF,CAAC,CAAC;AAEH,yDAAyD;AACzD,MAAM,qBAAqB,GAAG,OAAC,CAAC,kBAAkB,CAAC,OAAO,EAAE;IAC1D,OAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACxC,OAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,yBAAiB,EAAE,CAAC;CACnE,CAAC,CAAC;AAEH,mEAAmE;AACnE,iCAAiC;AACpB,QAAA,0BAA0B,GAAG,OAAC,CAAC,KAAK,CAAC;IAChD,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;IAC1C,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACjF,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;CAClF,CAAC,CAAC","sourcesContent":["// auth/session/transport-session.types.ts\n\nimport { z } from 'zod';\n\n/**\n * Transport protocol types supported by MCP\n * These are the actual transport protocols for sessions (excludes 'delete-session' action)\n */\nexport type TransportProtocol = 'legacy-sse' | 'sse' | 'streamable-http' | 'stateful-http' | 'stateless-http';\n\n/**\n * Session storage mode for distributed systems\n */\nexport type SessionStorageMode = 'stateless' | 'stateful';\n\n/**\n * TransportSession represents a single client connection.\n * Multiple sessions can share the same authorization.\n * Each session is bound to a specific transport protocol.\n */\nexport interface TransportSession {\n /** Unique session ID (encrypted JWT or UUID) */\n id: string;\n\n /** Reference to the authorization this session uses */\n authorizationId: string;\n\n /** Transport protocol for this session */\n protocol: TransportProtocol;\n\n /** Session creation timestamp (epoch ms) */\n createdAt: number;\n\n /** Session expiration (epoch ms, independent of auth expiration) */\n expiresAt?: number;\n\n /** Node ID for distributed systems */\n nodeId: string;\n\n /** Client fingerprint for rate limiting/tracking */\n clientFingerprint?: string;\n\n /** Transport-specific state */\n transportState?: TransportState;\n}\n\n/**\n * Transport-specific state that varies by protocol\n */\nexport type TransportState =\n | SseTransportState\n | StreamableHttpTransportState\n | StatefulHttpTransportState\n | StatelessHttpTransportState\n | LegacySseTransportState;\n\n/**\n * SSE (Server-Sent Events) transport state\n */\nexport interface SseTransportState {\n type: 'sse';\n /** Last event ID for reconnection (per SSE spec) */\n lastEventId?: string;\n /** Connection keep-alive timestamp */\n lastPing?: number;\n /** Connection state */\n connectionState?: 'connecting' | 'open' | 'closed';\n}\n\n/**\n * Streamable HTTP transport state\n */\nexport interface StreamableHttpTransportState {\n type: 'streamable-http';\n /** Request sequence number */\n requestSeq: number;\n /** Active stream ID if streaming */\n activeStreamId?: string;\n /** Pending request IDs */\n pendingRequests?: string[];\n}\n\n/**\n * Stateful HTTP transport state\n */\nexport interface StatefulHttpTransportState {\n type: 'stateful-http';\n /** Request sequence number */\n requestSeq: number;\n /** Pending responses awaiting delivery */\n pendingResponses?: string[];\n /** Last activity timestamp */\n lastActivity?: number;\n}\n\n/**\n * Stateless HTTP transport state\n */\nexport interface StatelessHttpTransportState {\n type: 'stateless-http';\n /** Request count for rate limiting */\n requestCount: number;\n /** Window start for rate limiting */\n windowStart?: number;\n}\n\n/**\n * Legacy SSE transport state (for backwards compatibility)\n */\nexport interface LegacySseTransportState {\n type: 'legacy-sse';\n /** Message endpoint path */\n messagePath: string;\n /** Last event ID */\n lastEventId?: string;\n /** Connection state */\n connectionState?: 'connecting' | 'open' | 'closed';\n}\n\n/**\n * Session JWT payload - encodes both auth ref and transport context\n * This is the structure encrypted in the mcp-session-id header\n */\nexport interface SessionJwtPayload {\n /** Session ID (UUID) */\n sid: string;\n /** Authorization ID (token signature fingerprint) */\n aid: string;\n /** Transport protocol */\n proto: TransportProtocol;\n /** Node ID (for distributed systems) */\n nid: string;\n /** Issued at (epoch seconds) */\n iat: number;\n /** Expiration (epoch seconds) */\n exp?: number;\n}\n\n/**\n * Extended session JWT payload for stateless mode\n * Includes encrypted state and tokens\n */\nexport interface StatelessSessionJwtPayload extends SessionJwtPayload {\n /** Encrypted transport state (AES-256-GCM) */\n state?: string;\n /** Encrypted provider tokens (AES-256-GCM, for orchestrated mode) */\n tokens?: string;\n}\n\n/**\n * Stored session record (for stateful mode in Redis/memory)\n */\nexport interface StoredSession {\n /** The transport session data */\n session: TransportSession;\n /** Authorization ID reference */\n authorizationId: string;\n /** Encrypted provider tokens (for orchestrated mode) */\n tokens?: Record<string, EncryptedBlob>;\n /** Creation timestamp */\n createdAt: number;\n /** Last accessed timestamp */\n lastAccessedAt: number;\n}\n\n/**\n * Encrypted blob structure (AES-256-GCM)\n */\nexport interface EncryptedBlob {\n /** Algorithm identifier */\n alg: 'A256GCM';\n /** Key ID (for rotation) */\n kid?: string;\n /** Initialization vector (base64url) */\n iv: string;\n /** Authentication tag (base64url) */\n tag: string;\n /** Ciphertext (base64url) */\n data: string;\n /** Expiration hint (epoch seconds) */\n exp?: number;\n /** Additional metadata */\n meta?: Record<string, unknown>;\n}\n\n/**\n * Session store interface for stateful sessions\n */\nexport interface SessionStore {\n /**\n * Get a stored session by ID\n */\n get(sessionId: string): Promise<StoredSession | null>;\n\n /**\n * Store a session with optional TTL\n */\n set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void>;\n\n /**\n * Delete a session\n */\n delete(sessionId: string): Promise<void>;\n\n /**\n * Check if a session exists\n */\n exists(sessionId: string): Promise<boolean>;\n\n /**\n * Allocate a new session ID\n */\n allocId(): string;\n}\n\n/**\n * Session storage configuration\n */\nexport type SessionStorageConfig =\n | { mode: 'stateless' }\n | { mode: 'stateful'; store: 'memory' }\n | { mode: 'stateful'; store: 'redis'; config: RedisConfig };\n\n/**\n * Redis configuration\n */\nexport interface RedisConfig {\n host: string;\n port?: number;\n password?: string;\n db?: number;\n tls?: boolean;\n keyPrefix?: string;\n /** Default TTL in milliseconds for session extension on access (sliding expiration) */\n defaultTtlMs?: number;\n}\n\n// ============================================\n// Zod Schemas\n// ============================================\n\nexport const transportProtocolSchema = z.enum([\n 'legacy-sse',\n 'sse',\n 'streamable-http',\n 'stateful-http',\n 'stateless-http',\n]);\n\nexport const sseTransportStateSchema = z.object({\n type: z.literal('sse'),\n lastEventId: z.string().optional(),\n lastPing: z.number().optional(),\n connectionState: z.enum(['connecting', 'open', 'closed']).optional(),\n});\n\nexport const streamableHttpTransportStateSchema = z.object({\n type: z.literal('streamable-http'),\n requestSeq: z.number(),\n activeStreamId: z.string().optional(),\n pendingRequests: z.array(z.string()).optional(),\n});\n\nexport const statefulHttpTransportStateSchema = z.object({\n type: z.literal('stateful-http'),\n requestSeq: z.number(),\n pendingResponses: z.array(z.string()).optional(),\n lastActivity: z.number().optional(),\n});\n\nexport const statelessHttpTransportStateSchema = z.object({\n type: z.literal('stateless-http'),\n requestCount: z.number(),\n windowStart: z.number().optional(),\n});\n\nexport const legacySseTransportStateSchema = z.object({\n type: z.literal('legacy-sse'),\n messagePath: z.string(),\n lastEventId: z.string().optional(),\n connectionState: z.enum(['connecting', 'open', 'closed']).optional(),\n});\n\nexport const transportStateSchema = z.discriminatedUnion('type', [\n sseTransportStateSchema,\n streamableHttpTransportStateSchema,\n statefulHttpTransportStateSchema,\n statelessHttpTransportStateSchema,\n legacySseTransportStateSchema,\n]);\n\nexport const transportSessionSchema = z.object({\n id: z.string(),\n authorizationId: z.string(),\n protocol: transportProtocolSchema,\n createdAt: z.number(),\n expiresAt: z.number().optional(),\n nodeId: z.string(),\n clientFingerprint: z.string().optional(),\n transportState: transportStateSchema.optional(),\n});\n\nexport const sessionJwtPayloadSchema = z.object({\n sid: z.string(),\n aid: z.string(),\n proto: transportProtocolSchema,\n nid: z.string(),\n iat: z.number(),\n exp: z.number().optional(),\n});\n\nexport const statelessSessionJwtPayloadSchema = sessionJwtPayloadSchema.extend({\n state: z.string().optional(),\n tokens: z.string().optional(),\n});\n\nexport const encryptedBlobSchema = z.object({\n alg: z.literal('A256GCM'),\n kid: z.string().optional(),\n iv: z.string(),\n tag: z.string(),\n data: z.string(),\n exp: z.number().optional(),\n meta: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const storedSessionSchema = z.object({\n session: transportSessionSchema,\n authorizationId: z.string(),\n tokens: z.record(z.string(), encryptedBlobSchema).optional(),\n createdAt: z.number(),\n lastAccessedAt: z.number(),\n});\n\nexport const redisConfigSchema = z.object({\n host: z.string().min(1),\n port: z.number().int().positive().optional().default(6379),\n password: z.string().optional(),\n db: z.number().int().nonnegative().optional().default(0),\n tls: z.boolean().optional().default(false),\n keyPrefix: z.string().optional().default('mcp:session:'),\n defaultTtlMs: z.number().int().positive().optional().default(3600000), // 1 hour default\n});\n\n// Stateful storage options (discriminated by store type)\nconst statefulStorageSchema = z.discriminatedUnion('store', [\n z.object({ store: z.literal('memory') }),\n z.object({ store: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n// Session storage config using union instead of discriminatedUnion\n// to avoid duplicate mode values\nexport const sessionStorageConfigSchema = z.union([\n z.object({ mode: z.literal('stateless') }),\n z.object({ mode: z.literal('stateful') }).merge(statefulStorageSchema.options[0]),\n z.object({ mode: z.literal('stateful') }).merge(statefulStorageSchema.options[1]),\n]);\n"]}

package/src/auth/session/utils/auth-token.utils.js DELETED Viewed

@@ -1,57 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isJwt = isJwt;
-exports.getTokenSignatureFingerprint = getTokenSignatureFingerprint;
-exports.deriveTypedUser = deriveTypedUser;
-exports.extractBearerToken = extractBearerToken;
-function isJwt(token) {
-    if (!token)
-        return false;
-    return token.split('.').length === 3;
-}
-/**
- * If the token is a JWT, returns the raw signature segment (3rd part) as base64url.
- * Otherwise, returns a stable SHA-256(base64url) fingerprint of the whole token,
- * so we can still bind a session id to "this Authorization" deterministically.
- */
-function getTokenSignatureFingerprint(token) {
-    if (isJwt(token)) {
-        return token.split('.')[2];
-    }
-    const crypto = require('crypto');
-    const digest = crypto.createHash('sha256').update(token).digest('base64');
-    return digest.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
-}
-/** Safely extracts a claim value if it matches the expected type */
-function extractClaimValue(claims, key, validator) {
-    const value = claims[key];
-    return validator(value) ? value : undefined;
-}
-/** Type guards for claim validation */
-const isString = (value) => typeof value === 'string';
-const isNumber = (value) => typeof value === 'number';
-const isStringOrStringArray = (value) => typeof value === 'string' || Array.isArray(value);
-/** Best-effort typed user derivation from claims */
-function deriveTypedUser(claims) {
-    return {
-        ...claims,
-        iss: extractClaimValue(claims, 'iss', isString),
-        sid: extractClaimValue(claims, 'sid', isString),
-        sub: extractClaimValue(claims, 'sub', isString),
-        exp: extractClaimValue(claims, 'exp', isNumber),
-        iat: extractClaimValue(claims, 'iat', isNumber),
-        aud: extractClaimValue(claims, 'aud', isStringOrStringArray),
-        email: extractClaimValue(claims, 'email', isString),
-        preferred_username: extractClaimValue(claims, 'preferred_username', isString),
-        username: extractClaimValue(claims, 'username', isString),
-        name: extractClaimValue(claims, 'name', isString),
-        picture: extractClaimValue(claims, 'picture', isString),
-    };
-}
-function extractBearerToken(header) {
-    if (!header)
-        return undefined;
-    const m = header.match(/^\s*Bearer\s+(.+)\s*$/i);
-    return m ? m[1].trim() : undefined;
-}
-//# sourceMappingURL=auth-token.utils.js.map

package/src/auth/session/utils/auth-token.utils.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"auth-token.utils.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/auth-token.utils.ts"],"names":[],"mappings":";;AAGA,sBAGC;AAOD,oEAOC;AAmBD,0CAeC;AAED,gDAIC;AAzDD,SAAgB,KAAK,CAAC,KAAyB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAgB,4BAA4B,CAAC,KAAa;IACxD,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACjB,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IAC9B,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAA4B,CAAC;IAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC1E,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,oEAAoE;AACpE,SAAS,iBAAiB,CACxB,MAA2B,EAC3B,GAAW,EACX,SAAqC;IAErC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1B,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9C,CAAC;AAED,uCAAuC;AACvC,MAAM,QAAQ,GAAG,CAAC,KAAU,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;AAC5E,MAAM,QAAQ,GAAG,CAAC,KAAU,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;AAC5E,MAAM,qBAAqB,GAAG,CAAC,KAAU,EAA8B,EAAE,CACvE,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAEpD,oDAAoD;AACpD,SAAgB,eAAe,CAAC,MAA2B;IACzD,OAAO;QACL,GAAG,MAAM;QACT,GAAG,EAAE,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAE;QAChD,GAAG,EAAE,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC;QAC/C,GAAG,EAAE,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAE;QAChD,GAAG,EAAE,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC;QAC/C,GAAG,EAAE,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC;QAC/C,GAAG,EAAE,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,qBAAqB,CAAC;QAC5D,KAAK,EAAE,iBAAiB,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC;QACnD,kBAAkB,EAAE,iBAAiB,CAAC,MAAM,EAAE,oBAAoB,EAAE,QAAQ,CAAC;QAC7E,QAAQ,EAAE,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC;QACzD,IAAI,EAAE,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC;QACjD,OAAO,EAAE,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAAe;IAChD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;IACjD,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACrC,CAAC","sourcesContent":["// auth/session/utils/auth-token.utils.ts\nimport { UserClaim } from '../../../common';\n\nexport function isJwt(token: string | undefined): boolean {\n if (!token) return false;\n return token.split('.').length === 3;\n}\n\n/**\n * If the token is a JWT, returns the raw signature segment (3rd part) as base64url.\n * Otherwise, returns a stable SHA-256(base64url) fingerprint of the whole token,\n * so we can still bind a session id to \"this Authorization\" deterministically.\n */\nexport function getTokenSignatureFingerprint(token: string): string {\n if (isJwt(token)) {\n return token.split('.')[2]!;\n }\n const crypto = require('crypto') as typeof import('crypto');\n const digest = crypto.createHash('sha256').update(token).digest('base64');\n return digest.replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/g, '');\n}\n\n/** Safely extracts a claim value if it matches the expected type */\nfunction extractClaimValue<T>(\n claims: Record<string, any>,\n key: string,\n validator: (value: any) => value is T,\n): T | undefined {\n const value = claims[key];\n return validator(value) ? value : undefined;\n}\n\n/** Type guards for claim validation */\nconst isString = (value: any): value is string => typeof value === 'string';\nconst isNumber = (value: any): value is number => typeof value === 'number';\nconst isStringOrStringArray = (value: any): value is string | string[] =>\n typeof value === 'string' || Array.isArray(value);\n\n/** Best-effort typed user derivation from claims */\nexport function deriveTypedUser(claims: Record<string, any>): UserClaim {\n return {\n ...claims,\n iss: extractClaimValue(claims, 'iss', isString)!,\n sid: extractClaimValue(claims, 'sid', isString),\n sub: extractClaimValue(claims, 'sub', isString)!,\n exp: extractClaimValue(claims, 'exp', isNumber),\n iat: extractClaimValue(claims, 'iat', isNumber),\n aud: extractClaimValue(claims, 'aud', isStringOrStringArray),\n email: extractClaimValue(claims, 'email', isString),\n preferred_username: extractClaimValue(claims, 'preferred_username', isString),\n username: extractClaimValue(claims, 'username', isString),\n name: extractClaimValue(claims, 'name', isString),\n picture: extractClaimValue(claims, 'picture', isString),\n };\n}\n\nexport function extractBearerToken(header?: string): string | undefined {\n if (!header) return undefined;\n const m = header.match(/^\\s*Bearer\\s+(.+)\\s*$/i);\n return m ? m[1].trim() : undefined;\n}\n"]}