@frontmcp/sdk 1.3.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -60
- package/agent/agent.scope.d.ts +164 -0
- package/agent/agent.scope.d.ts.map +1 -1
- package/app/instances/app.esm.instance.d.ts.map +1 -1
- package/app/instances/app.remote.instance.d.ts.map +1 -1
- package/auth/auth-ui/auth-ui.contract.d.ts +149 -0
- package/auth/auth-ui/auth-ui.contract.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.registry.d.ts +151 -0
- package/auth/auth-ui/auth-ui.registry.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.render.d.ts +49 -0
- package/auth/auth-ui/auth-ui.render.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.state.d.ts +62 -0
- package/auth/auth-ui/auth-ui.state.d.ts.map +1 -0
- package/auth/auth-ui/index.d.ts +24 -0
- package/auth/auth-ui/index.d.ts.map +1 -0
- package/auth/auth.registry.d.ts.map +1 -1
- package/auth/authorized-apps.utils.d.ts +51 -0
- package/auth/authorized-apps.utils.d.ts.map +1 -0
- package/auth/consent-tools.helper.d.ts +26 -0
- package/auth/consent-tools.helper.d.ts.map +1 -0
- package/auth/consent.utils.d.ts +62 -0
- package/auth/consent.utils.d.ts.map +1 -0
- package/auth/credentials/credentials.context-extension.d.ts +63 -0
- package/auth/credentials/credentials.context-extension.d.ts.map +1 -0
- package/auth/credentials/credentials.providers.d.ts +40 -0
- package/auth/credentials/credentials.providers.d.ts.map +1 -0
- package/auth/credentials/index.d.ts +3 -0
- package/auth/credentials/index.d.ts.map +1 -0
- package/auth/flows/auth.verify.flow.d.ts.map +1 -1
- package/auth/flows/oauth.auth-ui.flow.d.ts +53 -0
- package/auth/flows/oauth.auth-ui.flow.d.ts.map +1 -0
- package/auth/flows/oauth.authorize.flow.d.ts +51 -9
- package/auth/flows/oauth.authorize.flow.d.ts.map +1 -1
- package/auth/flows/oauth.callback.flow.d.ts +118 -5
- package/auth/flows/oauth.callback.flow.d.ts.map +1 -1
- package/auth/flows/oauth.connect.flow.d.ts +89 -0
- package/auth/flows/oauth.connect.flow.d.ts.map +1 -0
- package/auth/flows/oauth.provider-callback.flow.d.ts +34 -4
- package/auth/flows/oauth.provider-callback.flow.d.ts.map +1 -1
- package/auth/flows/oauth.register.flow.d.ts +16 -20
- package/auth/flows/oauth.register.flow.d.ts.map +1 -1
- package/auth/flows/oauth.token.flow.d.ts +2 -2
- package/auth/flows/oauth.token.flow.d.ts.map +1 -1
- package/auth/flows/oauth.userinfo.flow.d.ts +67 -0
- package/auth/flows/oauth.userinfo.flow.d.ts.map +1 -0
- package/auth/flows/session.verify.flow.d.ts +2 -2
- package/auth/flows/session.verify.flow.d.ts.map +1 -1
- package/auth/flows/well-known.jwks.flow.d.ts +3 -3
- package/auth/flows/well-known.oauth-authorization-server.flow.d.ts +3 -2
- package/auth/flows/well-known.oauth-authorization-server.flow.d.ts.map +1 -1
- package/auth/flows/well-known.prm.flow.d.ts +1 -1
- package/auth/flows/well-known.prm.flow.d.ts.map +1 -1
- package/auth/instances/instance.local-primary-auth.d.ts +226 -12
- package/auth/instances/instance.local-primary-auth.d.ts.map +1 -1
- package/auth/secure-store/index.d.ts +3 -0
- package/auth/secure-store/index.d.ts.map +1 -0
- package/auth/secure-store/secure-store.context-extension.d.ts +61 -0
- package/auth/secure-store/secure-store.context-extension.d.ts.map +1 -0
- package/auth/secure-store/secure-store.providers.d.ts +36 -0
- package/auth/secure-store/secure-store.providers.d.ts.map +1 -0
- package/common/decorators/agent.decorator.d.ts +32 -0
- package/common/decorators/agent.decorator.d.ts.map +1 -1
- package/common/decorators/app.decorator.d.ts.map +1 -1
- package/common/decorators/front-mcp.decorator.d.ts.map +1 -1
- package/common/decorators/skill.decorator.d.ts.map +1 -1
- package/common/decorators/tool.decorator.d.ts +44 -0
- package/common/decorators/tool.decorator.d.ts.map +1 -1
- package/common/entries/scope.entry.d.ts +7 -0
- package/common/entries/scope.entry.d.ts.map +1 -1
- package/common/entries/skill.entry.d.ts +22 -1
- package/common/entries/skill.entry.d.ts.map +1 -1
- package/common/entries/tool.entry.d.ts +17 -0
- package/common/entries/tool.entry.d.ts.map +1 -1
- package/common/interfaces/internal/primary-auth-provider.interface.d.ts +18 -0
- package/common/interfaces/internal/primary-auth-provider.interface.d.ts.map +1 -1
- package/common/interfaces/tool.interface.d.ts +26 -0
- package/common/interfaces/tool.interface.d.ts.map +1 -1
- package/common/metadata/app.metadata.d.ts +472 -0
- package/common/metadata/app.metadata.d.ts.map +1 -1
- package/common/metadata/front-mcp.metadata.d.ts +1773 -52
- package/common/metadata/front-mcp.metadata.d.ts.map +1 -1
- package/common/metadata/index.d.ts +1 -0
- package/common/metadata/index.d.ts.map +1 -1
- package/common/metadata/output-policy.d.ts +82 -0
- package/common/metadata/output-policy.d.ts.map +1 -0
- package/common/metadata/skill.metadata.d.ts +45 -1
- package/common/metadata/skill.metadata.d.ts.map +1 -1
- package/common/metadata/tool-ui.metadata.d.ts +1 -1
- package/common/metadata/tool-ui.metadata.d.ts.map +1 -1
- package/common/metadata/tool.metadata.d.ts +65 -0
- package/common/metadata/tool.metadata.d.ts.map +1 -1
- package/common/schemas/http-output.schema.d.ts +25 -25
- package/common/schemas/http-output.schema.d.ts.map +1 -1
- package/common/tokens/app.tokens.d.ts.map +1 -1
- package/common/tokens/front-mcp.tokens.d.ts.map +1 -1
- package/common/tokens/skill.tokens.d.ts +2 -0
- package/common/tokens/skill.tokens.d.ts.map +1 -1
- package/common/tokens/tool.tokens.d.ts +1 -0
- package/common/tokens/tool.tokens.d.ts.map +1 -1
- package/common/types/auth/session.types.d.ts +2 -2
- package/common/types/options/auth/index.d.ts +4 -4
- package/common/types/options/auth/index.d.ts.map +1 -1
- package/common/types/options/auth/interfaces.d.ts +1 -1
- package/common/types/options/auth/interfaces.d.ts.map +1 -1
- package/common/types/options/auth/orchestrated.schema.d.ts +1 -1
- package/common/types/options/auth/orchestrated.schema.d.ts.map +1 -1
- package/common/types/options/auth/shared.schemas.d.ts +2 -2
- package/common/types/options/auth/shared.schemas.d.ts.map +1 -1
- package/common/types/options/http/index.d.ts +1 -1
- package/common/types/options/http/index.d.ts.map +1 -1
- package/common/types/options/http/interfaces.d.ts +56 -1
- package/common/types/options/http/interfaces.d.ts.map +1 -1
- package/common/types/options/http/schema.d.ts +15 -0
- package/common/types/options/http/schema.d.ts.map +1 -1
- package/common/types/options/session/schema.d.ts +3 -3
- package/common/types/options/transport/schema.d.ts +1 -1
- package/common/utils/caller-dir.utils.d.ts +15 -0
- package/common/utils/caller-dir.utils.d.ts.map +1 -0
- package/common/utils/index.d.ts +1 -0
- package/common/utils/index.d.ts.map +1 -1
- package/errors/index.d.ts +3 -1
- package/errors/index.d.ts.map +1 -1
- package/errors/mcp.error.d.ts +36 -2
- package/errors/mcp.error.d.ts.map +1 -1
- package/errors/tool-credentials-required.error.d.ts +70 -0
- package/errors/tool-credentials-required.error.d.ts.map +1 -0
- package/esm/index.mjs +6551 -2688
- package/flows/flow.instance.d.ts.map +1 -1
- package/front-mcp/front-mcp.d.ts +52 -32
- package/front-mcp/front-mcp.d.ts.map +1 -1
- package/front-mcp/front-mcp.providers.d.ts +700 -8
- package/front-mcp/front-mcp.providers.d.ts.map +1 -1
- package/index.d.ts +29 -4
- package/index.d.ts.map +1 -1
- package/index.js +7138 -3307
- package/package.json +10 -11
- package/scope/flows/http.request.flow.d.ts +18 -1
- package/scope/flows/http.request.flow.d.ts.map +1 -1
- package/scope/optional-dependency.util.d.ts +39 -0
- package/scope/optional-dependency.util.d.ts.map +1 -0
- package/scope/scope.instance.d.ts +17 -0
- package/scope/scope.instance.d.ts.map +1 -1
- package/scope/scope.utils.d.ts.map +1 -1
- package/server/adapters/express.host.adapter.d.ts.map +1 -1
- package/server/custom-routes.helper.d.ts +81 -0
- package/server/custom-routes.helper.d.ts.map +1 -0
- package/skill/flows/http/llm-full-txt.flow.d.ts +1 -1
- package/skill/flows/http/llm-txt.flow.d.ts +1 -1
- package/skill/flows/http/skills-api.flow.d.ts +18 -1
- package/skill/flows/http/skills-api.flow.d.ts.map +1 -1
- package/skill/flows/load-skill.flow.d.ts +7 -0
- package/skill/flows/load-skill.flow.d.ts.map +1 -1
- package/skill/flows/search-skills.flow.d.ts +13 -0
- package/skill/flows/search-skills.flow.d.ts.map +1 -1
- package/skill/index.d.ts +1 -0
- package/skill/index.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-file.resource.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-index.resource.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-md.resource.d.ts.map +1 -1
- package/skill/sep-2640/sep-2640.per-skill.d.ts.map +1 -1
- package/skill/skill-authorities.helper.d.ts +100 -0
- package/skill/skill-authorities.helper.d.ts.map +1 -0
- package/skill/skill.instance.d.ts.map +1 -1
- package/skill/skill.registry.d.ts +34 -0
- package/skill/skill.registry.d.ts.map +1 -1
- package/task/helpers/cli-task-runner.d.ts.map +1 -1
- package/tool/flows/call-tool.flow.d.ts +26 -1
- package/tool/flows/call-tool.flow.d.ts.map +1 -1
- package/tool/flows/tool-credentials.gate.d.ts +31 -0
- package/tool/flows/tool-credentials.gate.d.ts.map +1 -0
- package/tool/flows/tools-list.flow.d.ts.map +1 -1
- package/tool/tool.instance.d.ts.map +1 -1
- package/tool/ui/index.d.ts +1 -1
- package/tool/ui/index.d.ts.map +1 -1
- package/tool/ui/ui-resource.handler.d.ts.map +1 -1
- package/tool/ui/ui-shared.d.ts +33 -1
- package/tool/ui/ui-shared.d.ts.map +1 -1
- package/transport/adapters/transport.local.adapter.d.ts.map +1 -1
- package/transport/flows/handle.sse.flow.d.ts +1 -1
- package/transport/flows/handle.streamable-http.flow.d.ts +58 -1
- package/transport/flows/handle.streamable-http.flow.d.ts.map +1 -1
- package/transport/mcp-handlers/call-tool-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/read-resource-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-list-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-load-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-search-request.handler.d.ts.map +1 -1
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
import { FlowBase, type FlowRunOptions } from '../../common';
|
|
2
|
+
declare const extraInputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
3
|
+
request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
4
|
+
response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
5
|
+
next: import("@frontmcp/lazy-zod").ZodOptional<import("zod").ZodFunction<import("zod/v4/core").$ZodFunctionArgs, import("zod/v4/core").$ZodFunctionOut>>;
|
|
6
|
+
}, import("zod/v4/core").$strip>;
|
|
7
|
+
declare const extraStateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
8
|
+
action: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
9
|
+
pendingAuthId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
10
|
+
csrf: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
11
|
+
payload: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnknown>>;
|
|
12
|
+
}, import("zod/v4/core").$strip>;
|
|
13
|
+
declare const extraOutputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
14
|
+
kind: import("@frontmcp/lazy-zod").ZodLiteral<"json">;
|
|
15
|
+
status: import("@frontmcp/lazy-zod").ZodNumber;
|
|
16
|
+
body: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodAny>, import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodAny>]>;
|
|
17
|
+
contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
|
|
18
|
+
headers: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>]>]>>>>;
|
|
19
|
+
cookies: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
|
|
20
|
+
name: import("@frontmcp/lazy-zod").ZodString;
|
|
21
|
+
value: import("@frontmcp/lazy-zod").ZodString;
|
|
22
|
+
path: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
|
|
23
|
+
domain: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
24
|
+
httpOnly: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
25
|
+
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
26
|
+
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
27
|
+
strict: "strict";
|
|
28
|
+
none: "none";
|
|
29
|
+
lax: "lax";
|
|
30
|
+
}>>;
|
|
31
|
+
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
32
|
+
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
33
|
+
}, import("zod/v4/core").$strip>>>>;
|
|
34
|
+
}, import("zod/v4/core").$strip>;
|
|
35
|
+
declare const extraPlan: {
|
|
36
|
+
readonly pre: ["parseInput"];
|
|
37
|
+
readonly execute: ["handleExtra"];
|
|
38
|
+
};
|
|
39
|
+
declare global {
|
|
40
|
+
interface ExtendFlows {
|
|
41
|
+
'oauth:auth-ui-extra': FlowRunOptions<OauthAuthUiExtraFlow, typeof extraPlan, typeof extraInputSchema, typeof extraOutputSchema, typeof extraStateSchema>;
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
declare const extraName: "oauth:auth-ui-extra";
|
|
45
|
+
export default class OauthAuthUiExtraFlow extends FlowBase<typeof extraName> {
|
|
46
|
+
private logger;
|
|
47
|
+
parseInput(): Promise<void>;
|
|
48
|
+
handleExtra(): Promise<void>;
|
|
49
|
+
/** Verify the extra's CSRF token against the pending record + registry. */
|
|
50
|
+
private verifyExtraCsrf;
|
|
51
|
+
}
|
|
52
|
+
export {};
|
|
53
|
+
//# sourceMappingURL=oauth.auth-ui.flow.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.auth-ui.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.auth-ui.flow.ts"],"names":[],"mappings":"AAyBA,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAQtB,QAAA,MAAM,gBAAgB;;;;gCAAkB,CAAC;AACzC,QAAA,MAAM,gBAAgB;;;;;gCAKpB,CAAC;AACH,QAAA,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEzC,QAAA,MAAM,SAAS;;;CAGsB,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,qBAAqB,EAAE,cAAc,CACnC,oBAAoB,EACpB,OAAO,SAAS,EAChB,OAAO,gBAAgB,EACvB,OAAO,iBAAiB,EACxB,OAAO,gBAAgB,CACxB,CAAC;KACH;CACF;AAED,QAAA,MAAM,SAAS,EAAG,qBAA8B,CAAC;AAcjD,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,QAAQ,CAAC,OAAO,SAAS,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAmD;IAG3D,UAAU;IA6BV,WAAW;IA2BjB,2EAA2E;YAC7D,eAAe;CAkB9B"}
|
|
@@ -49,6 +49,7 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
49
49
|
targetAppId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
50
50
|
targetToolId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
51
51
|
existingSessionId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
52
|
+
priorAuthorizedAppIds: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
52
53
|
requiresFederatedLogin: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
53
54
|
requiresConsent: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
54
55
|
isCimdClient: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
@@ -93,8 +94,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
93
94
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
94
95
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
95
96
|
strict: "strict";
|
|
96
|
-
lax: "lax";
|
|
97
97
|
none: "none";
|
|
98
|
+
lax: "lax";
|
|
98
99
|
}>>;
|
|
99
100
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
100
101
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -114,8 +115,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
114
115
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
115
116
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
116
117
|
strict: "strict";
|
|
117
|
-
lax: "lax";
|
|
118
118
|
none: "none";
|
|
119
|
+
lax: "lax";
|
|
119
120
|
}>>;
|
|
120
121
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
121
122
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -133,8 +134,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
133
134
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
134
135
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
135
136
|
strict: "strict";
|
|
136
|
-
lax: "lax";
|
|
137
137
|
none: "none";
|
|
138
|
+
lax: "lax";
|
|
138
139
|
}>>;
|
|
139
140
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
140
141
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -160,7 +161,47 @@ export default class OauthAuthorizeFlow extends FlowBase<typeof name> {
|
|
|
160
161
|
checkIfAuthorized(): Promise<void>;
|
|
161
162
|
prepareAuthorizationRequest(): Promise<void>;
|
|
162
163
|
buildAuthorizeOutput(): Promise<void>;
|
|
164
|
+
/**
|
|
165
|
+
* Render a custom `@AuthUi` slot when one is registered for this scope.
|
|
166
|
+
*
|
|
167
|
+
* Mints the per-pending-auth CSRF token (server-owned), persists it onto the
|
|
168
|
+
* pending authorization record (so the callback can verify it across nodes),
|
|
169
|
+
* builds the {@link AuthFlowState} via `buildState`, SSRs the registered
|
|
170
|
+
* component, and responds with the assembled page + CSP / anti-clickjacking
|
|
171
|
+
* headers. Returns `true` when it handled the slot (caller should `return`),
|
|
172
|
+
* `false` to fall through to the built-in page (no renderer / build failed).
|
|
173
|
+
*/
|
|
174
|
+
private tryRenderCustomSlot;
|
|
175
|
+
/**
|
|
176
|
+
* Remote mode (`mode: 'remote'`) auto-federation.
|
|
177
|
+
*
|
|
178
|
+
* Builds a federated auth session for the SINGLE mandatory upstream provider
|
|
179
|
+
* registered by {@link LocalPrimaryAuth.registerRemoteProvider}, starts it
|
|
180
|
+
* (fresh PKCE + state), persists the session, and redirects straight to the
|
|
181
|
+
* upstream IdP's authorization endpoint. This reuses the exact federated
|
|
182
|
+
* machinery the multi-provider local path uses (`/oauth/provider/:id/callback`
|
|
183
|
+
* then completes the exchange, stores upstream tokens, and mints the FrontMCP
|
|
184
|
+
* session token whose identity comes from the upstream user) — but skips the
|
|
185
|
+
* in-tree login page and the provider-selection page entirely.
|
|
186
|
+
*
|
|
187
|
+
* No identity is collected in-tree: the federated session is created with an
|
|
188
|
+
* EMPTY `userInfo` so the minted token's `sub`/`email`/`name` derive solely
|
|
189
|
+
* from the upstream provider (see the provider-callback flow).
|
|
190
|
+
*/
|
|
191
|
+
private startRemoteFederation;
|
|
163
192
|
validateOutput(): Promise<void>;
|
|
193
|
+
/**
|
|
194
|
+
* Enforce the local-AS DCR allowlists (#462) at authorize time. Returns a
|
|
195
|
+
* human-readable rejection reason, or `undefined` when the request is allowed
|
|
196
|
+
* (including when no allowlist is configured, or the auth instance does not
|
|
197
|
+
* expose a DCR registry — e.g. non-local modes).
|
|
198
|
+
*
|
|
199
|
+
* - `allowedRedirectUris`: applies to ALL clients (CIMD or not) as an
|
|
200
|
+
* open-redirect / lateral-movement guard.
|
|
201
|
+
* - `allowedClientIds`: applies only to non-CIMD client ids; CIMD URLs are
|
|
202
|
+
* validated by the CIMD layer instead.
|
|
203
|
+
*/
|
|
204
|
+
private checkDcrAllowlist;
|
|
164
205
|
/**
|
|
165
206
|
* Format Zod errors into human-readable strings
|
|
166
207
|
*/
|
|
@@ -170,7 +211,13 @@ export default class OauthAuthorizeFlow extends FlowBase<typeof name> {
|
|
|
170
211
|
*/
|
|
171
212
|
private respondWithError;
|
|
172
213
|
/**
|
|
173
|
-
* Render
|
|
214
|
+
* Render the local login page.
|
|
215
|
+
*
|
|
216
|
+
* Honors `auth.login` (Checkpoint 3a): a `login.render` override yields full
|
|
217
|
+
* custom HTML, `login.fields` extends the built-in form, and otherwise the
|
|
218
|
+
* unchanged default email/name page is rendered. Rendering is delegated to
|
|
219
|
+
* the shared `renderLocalLoginPage` helper so the authorize flow and the
|
|
220
|
+
* callback error re-render stay in sync.
|
|
174
221
|
*/
|
|
175
222
|
private renderLoginPage;
|
|
176
223
|
/**
|
|
@@ -181,11 +228,6 @@ export default class OauthAuthorizeFlow extends FlowBase<typeof name> {
|
|
|
181
228
|
* Render federated login page for multiple auth providers using HTMX templates
|
|
182
229
|
*/
|
|
183
230
|
private renderFederatedLoginPage;
|
|
184
|
-
/**
|
|
185
|
-
* Render consent page for tool selection
|
|
186
|
-
* This is a placeholder - in production, use Juris/Svelte for the UI
|
|
187
|
-
*/
|
|
188
|
-
private renderConsentPage;
|
|
189
231
|
/**
|
|
190
232
|
* Render an error page
|
|
191
233
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.authorize.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.authorize.flow.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"oauth.authorize.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.authorize.flow.ts"],"names":[],"mappings":"AAkCA,OAAO,EAAE,CAAC,EAAiB,MAAM,oBAAoB,CAAC;AAGtD,OAAO,EAGL,QAAQ,EAWR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAwEtB;;GAEG;AACH,QAAA,MAAM,2BAA2B;;;;;;;;;gCAS/B,CAAC;AAEH;;GAEG;AACH,QAAA,MAAM,+BAA+B;;;gCAGnC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAMxF,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAgCf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAIhB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAQ2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,iBAAiB,EAAE,cAAc,CAC/B,kBAAkB,EAClB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,iBAA0B,CAAC;AAkCxC,MAAM,CAAC,OAAO,OAAO,kBAAmB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACnE,OAAO,CAAC,MAAM,CAAiD;IAGzD,UAAU;IAmFV,aAAa;IAuHb,iBAAiB;IAOjB,2BAA2B;IAoH3B,oBAAoB;IAiL1B;;;;;;;;;OASG;YACW,mBAAmB;IA4CjC;;;;;;;;;;;;;;;OAeG;YACW,qBAAqB;IAsE7B,cAAc;IAIpB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,iBAAiB;IAkBzB;;OAEG;IACH,OAAO,CAAC,eAAe;IAOvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAuBxB;;;;;;;;OAQG;IACH,OAAO,CAAC,eAAe;IA+BvB;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAyBjC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA2BhC;;OAEG;IACH,OAAO,CAAC,eAAe;CAyCxB"}
|
|
@@ -29,16 +29,27 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
29
29
|
resource: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
30
30
|
authorizationCode: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
31
31
|
userSub: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
32
|
+
loginFields: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodString>>;
|
|
33
|
+
customClaims: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnknown>>;
|
|
34
|
+
credentials: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
|
|
35
|
+
key: import("@frontmcp/lazy-zod").ZodString;
|
|
36
|
+
secret: import("@frontmcp/lazy-zod").ZodString;
|
|
37
|
+
metadata: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnknown>>;
|
|
38
|
+
}, import("zod/v4/core").$strip>>>;
|
|
32
39
|
isIncremental: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
33
40
|
targetAppId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
34
41
|
targetToolId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
35
42
|
existingSessionId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
36
43
|
existingAuthorizationId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
44
|
+
priorAuthorizedAppIds: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
45
|
+
authorizedAppIds: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
37
46
|
isFederated: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
38
47
|
selectedProviders: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
39
48
|
skippedProviders: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
40
49
|
consentEnabled: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
41
50
|
selectedTools: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
51
|
+
consentSubmitted: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
52
|
+
csrf: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
42
53
|
}, import("zod/v4/core").$strip>;
|
|
43
54
|
declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{
|
|
44
55
|
kind: import("@frontmcp/lazy-zod").ZodLiteral<"redirect">;
|
|
@@ -54,8 +65,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
54
65
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
55
66
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
56
67
|
strict: "strict";
|
|
57
|
-
lax: "lax";
|
|
58
68
|
none: "none";
|
|
69
|
+
lax: "lax";
|
|
59
70
|
}>>;
|
|
60
71
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
61
72
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -73,8 +84,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
73
84
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
74
85
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
75
86
|
strict: "strict";
|
|
76
|
-
lax: "lax";
|
|
77
87
|
none: "none";
|
|
88
|
+
lax: "lax";
|
|
78
89
|
}>>;
|
|
79
90
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
80
91
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -97,9 +108,33 @@ export default class OauthCallbackFlow extends FlowBase<typeof name> {
|
|
|
97
108
|
parseInput(): Promise<void>;
|
|
98
109
|
validatePendingAuth(): Promise<void>;
|
|
99
110
|
/**
|
|
100
|
-
*
|
|
101
|
-
*
|
|
102
|
-
*
|
|
111
|
+
* Compute the progressive/incremental authorization grant for the minted
|
|
112
|
+
* token (the `authorized_apps` claim).
|
|
113
|
+
*
|
|
114
|
+
* EXPANSION model (claim-based, enforceable — mirrors how consent/federated
|
|
115
|
+
* grants already work in this codebase): the authorized-app set lives in the
|
|
116
|
+
* minted token's `authorized_apps` claim, which `checkToolAuthorization`
|
|
117
|
+
* enforces. Both the initial login and an incremental authorize mint a token
|
|
118
|
+
* via the normal code exchange; the difference is the computed grant:
|
|
119
|
+
*
|
|
120
|
+
* - INITIAL login: grant = the apps the client requested via `apps=`
|
|
121
|
+
* (`priorAuthorizedAppIds`); if none requested, grant ALL scope apps (a
|
|
122
|
+
* plain login keeps working for everything).
|
|
123
|
+
* - INCREMENTAL authorize (`mode=incremental&app=B`): grant = the prior apps
|
|
124
|
+
* (carried forward via `apps=`) UNION the newly-authorized `targetAppId`.
|
|
125
|
+
* So after authorizing app B, a `tools/call` on B's tool succeeds while app
|
|
126
|
+
* A keeps working — WITHOUT re-authorizing A.
|
|
127
|
+
*
|
|
128
|
+
* This stage ONLY emits a grant when `incrementalAuth.enabled` is true for an
|
|
129
|
+
* orchestrated scope. When incremental auth is disabled or the scope is not
|
|
130
|
+
* orchestrated, it leaves `authorizedAppIds` undefined → NO `authorized_apps`
|
|
131
|
+
* claim is minted → NO app-level gating (the historical allow-all behavior is
|
|
132
|
+
* preserved exactly). Federated logins mint their token in the provider
|
|
133
|
+
* callback flow, so this stage is a no-op for them.
|
|
134
|
+
*
|
|
135
|
+
* Unknown app ids (not present in the scope) are dropped so a client can never
|
|
136
|
+
* forge a grant to a non-existent app; app-level gating is per-real-app, so a
|
|
137
|
+
* bogus id is harmless anyway.
|
|
103
138
|
*/
|
|
104
139
|
handleIncrementalAuth(): Promise<void>;
|
|
105
140
|
/**
|
|
@@ -112,6 +147,84 @@ export default class OauthCallbackFlow extends FlowBase<typeof name> {
|
|
|
112
147
|
handleFederatedAuth(): Promise<void>;
|
|
113
148
|
createAuthorizationCode(): Promise<void>;
|
|
114
149
|
redirectToClient(): Promise<void>;
|
|
150
|
+
/**
|
|
151
|
+
* Reserved OAuth/flow control params that must never be treated as custom
|
|
152
|
+
* login fields when collecting input for a custom `authenticate` verifier.
|
|
153
|
+
*/
|
|
154
|
+
private static readonly RESERVED_LOGIN_PARAMS;
|
|
155
|
+
/**
|
|
156
|
+
* Collect submitted login-field values (built-in `email`/`name` plus any
|
|
157
|
+
* custom `login.fields`) from the GET query and a urlencoded POST body.
|
|
158
|
+
* Reserved OAuth/flow control params are excluded so they cannot be forwarded
|
|
159
|
+
* to the verifier as if they were login fields. Only string values are kept.
|
|
160
|
+
*/
|
|
161
|
+
/**
|
|
162
|
+
* Defensively read a single param from a urlencoded POST body (some adapters
|
|
163
|
+
* parse the body into `request.body`). The consent form uses a GET round-trip
|
|
164
|
+
* (mirroring the federated page) so query params are the primary source; this
|
|
165
|
+
* is a fallback for adapters that route a POST body instead. Multi-valued
|
|
166
|
+
* keys keep all values so checkbox groups (`tools`) survive a POST.
|
|
167
|
+
*/
|
|
168
|
+
private readBodyParam;
|
|
169
|
+
private collectLoginFields;
|
|
170
|
+
/**
|
|
171
|
+
* Build the {@link AuthenticateContext} from the flow scope and invoke the
|
|
172
|
+
* configured verifier. Verifier exceptions are caught and converted to a
|
|
173
|
+
* generic failure so a throwing verifier never produces a 500.
|
|
174
|
+
*/
|
|
175
|
+
private runAuthenticate;
|
|
176
|
+
/**
|
|
177
|
+
* Outbound fetch handed to the verifier. Routes through the auth instance's
|
|
178
|
+
* `fetch` when available (so tests / adapters can intercept it), else the
|
|
179
|
+
* global fetch.
|
|
180
|
+
*/
|
|
181
|
+
private contextFetch;
|
|
182
|
+
/**
|
|
183
|
+
* Resolve a human-readable client name for the verifier context. Uses the
|
|
184
|
+
* CIMD `client_name` when the client_id is a CIMD URL and resolvable; falls
|
|
185
|
+
* back to the raw client_id.
|
|
186
|
+
*/
|
|
187
|
+
private resolveClientName;
|
|
188
|
+
/**
|
|
189
|
+
* Derive a subject from the configured login subject strategy.
|
|
190
|
+
*
|
|
191
|
+
* - `per-account`: hash the value of `login.subject.fromField` into a stable
|
|
192
|
+
* subject (same account → same `sub`).
|
|
193
|
+
* - otherwise (`per-session` / unset): return undefined so the caller falls
|
|
194
|
+
* back to the anonymous subject.
|
|
195
|
+
*/
|
|
196
|
+
private deriveSubjectFromStrategy;
|
|
197
|
+
/**
|
|
198
|
+
* Re-render the local login page after a failed authenticate(), surfacing the
|
|
199
|
+
* verifier's message (and pre-selecting `retryField`). Submitted values are
|
|
200
|
+
* preserved on the form so the user does not have to re-enter everything.
|
|
201
|
+
*/
|
|
202
|
+
private renderLoginRetryPage;
|
|
203
|
+
/**
|
|
204
|
+
* Render a custom `@AuthUi({ slot: 'consent' })` page when one is registered.
|
|
205
|
+
*
|
|
206
|
+
* Mints + persists the per-pending-auth CSRF token (reusing any token a prior
|
|
207
|
+
* custom page already set on the record, so a consent re-render keeps the same
|
|
208
|
+
* token), builds the consent {@link AuthFlowState} from the SAME tool
|
|
209
|
+
* projection the built-in screen uses, SSRs the component, and responds with
|
|
210
|
+
* the assembled page + CSP headers. Returns `true` when handled.
|
|
211
|
+
*/
|
|
212
|
+
private tryRenderCustomConsent;
|
|
213
|
+
/**
|
|
214
|
+
* Render the tool-consent screen.
|
|
215
|
+
*
|
|
216
|
+
* The form GETs back to `/oauth/callback` carrying `pending_auth_id`,
|
|
217
|
+
* `consent_submitted=1`, the resolved identity (`email`/`name` + any custom
|
|
218
|
+
* `login.fields`), and the chosen `tools=` checkboxes — so the resubmit
|
|
219
|
+
* re-derives the SAME subject and proceeds to mint.
|
|
220
|
+
*
|
|
221
|
+
* Honors the `auth.consent` flags: `groupByApp`, `showDescriptions`,
|
|
222
|
+
* `customMessage`, `allowSelectAll`, `requireSelection`, `defaultSelectedTools`
|
|
223
|
+
* (pre-checked), and `excludedTools` (filtered out of the offered set by
|
|
224
|
+
* {@link projectConsentTools}). `error` re-renders the screen with a banner
|
|
225
|
+
* (used for an empty `requireSelection` submit).
|
|
226
|
+
*/
|
|
227
|
+
private renderConsentScreen;
|
|
115
228
|
/**
|
|
116
229
|
* Generate a stable user sub from email
|
|
117
230
|
* In production, this would be the user's ID from the database
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;
|
|
1
|
+
{"version":3,"file":"oauth.callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAgBH,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAKtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA2Df,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAgD,CAAC;AAEnE,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAcvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,MAAM,CAAgD;IAGxD,UAAU;IA6EV,mBAAmB;IAoXzB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IAEG,qBAAqB;IA2D3B;;;;;;OAMG;IAEG,mBAAmB;IAiInB,uBAAuB;IA2GvB,gBAAgB;IAyCtB;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAoB1C;IAEH;;;;;OAKG;IACH;;;;;;OAMG;IACH,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,kBAAkB;IAsB1B;;;;OAIG;YACW,eAAe;IAgC7B;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAQpB;;;;OAIG;YACW,iBAAiB;IAoB/B;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;;;OAIG;IACH,OAAO,CAAC,oBAAoB;IAmB5B;;;;;;;;OAQG;YACW,sBAAsB;IA0EpC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,mBAAmB;IA8D3B;;;OAGG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,eAAe;CAqDxB"}
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OAuth Connect Endpoint — GET|POST /oauth/connect (Checkpoint 3b)
|
|
3
|
+
*
|
|
4
|
+
* Mid-session add-credential flow reached via a FRAMEWORK-SIGNED resume URL that
|
|
5
|
+
* `this.credentials.requireConnect({ key })` hands back when a credential is not
|
|
6
|
+
* connected.
|
|
7
|
+
*
|
|
8
|
+
* - GET /oauth/connect?token=… → verify the signed token, render a single
|
|
9
|
+
* add-credential field (reusing the 3a `login.fields` render surface).
|
|
10
|
+
* - POST /oauth/connect → re-verify the token, re-invoke the
|
|
11
|
+
* configured `authenticate({ fields, resume: { sub, key, context } })`
|
|
12
|
+
* verifier, and ADDITIVELY store the returned credential into the user's
|
|
13
|
+
* EXISTING vault. Refuses when there is no live vault (never mints a new one)
|
|
14
|
+
* so a stale link cannot resurrect a rotated-away session.
|
|
15
|
+
*
|
|
16
|
+
* This is auth-internal: it lives on the existing OAuth flow surface (registered
|
|
17
|
+
* by LocalPrimaryAuth), not via the public custom-route feature.
|
|
18
|
+
*/
|
|
19
|
+
import { FlowBase, type FlowRunOptions } from '../../common';
|
|
20
|
+
declare const inputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
21
|
+
request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
22
|
+
response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
23
|
+
next: import("@frontmcp/lazy-zod").ZodOptional<import("zod").ZodFunction<import("zod/v4/core").$ZodFunctionArgs, import("zod/v4/core").$ZodFunctionOut>>;
|
|
24
|
+
}, import("zod/v4/core").$strip>;
|
|
25
|
+
declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
26
|
+
method: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
27
|
+
token: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
28
|
+
fields: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodString>>;
|
|
29
|
+
}, import("zod/v4/core").$strip>;
|
|
30
|
+
declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
31
|
+
status: import("@frontmcp/lazy-zod").ZodNumber;
|
|
32
|
+
body: import("@frontmcp/lazy-zod").ZodString;
|
|
33
|
+
headers: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>]>]>>>>;
|
|
34
|
+
cookies: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
|
|
35
|
+
name: import("@frontmcp/lazy-zod").ZodString;
|
|
36
|
+
value: import("@frontmcp/lazy-zod").ZodString;
|
|
37
|
+
path: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
|
|
38
|
+
domain: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
39
|
+
httpOnly: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
40
|
+
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
41
|
+
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
42
|
+
strict: "strict";
|
|
43
|
+
none: "none";
|
|
44
|
+
lax: "lax";
|
|
45
|
+
}>>;
|
|
46
|
+
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
47
|
+
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
48
|
+
}, import("zod/v4/core").$strip>>>>;
|
|
49
|
+
kind: import("@frontmcp/lazy-zod").ZodLiteral<"html">;
|
|
50
|
+
contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodLiteral<"text/html; charset=utf-8">>;
|
|
51
|
+
}, import("zod/v4/core").$strip>;
|
|
52
|
+
declare const plan: {
|
|
53
|
+
readonly pre: ["parseInput"];
|
|
54
|
+
readonly execute: ["handleConnect"];
|
|
55
|
+
};
|
|
56
|
+
declare global {
|
|
57
|
+
interface ExtendFlows {
|
|
58
|
+
'oauth:connect': FlowRunOptions<OauthConnectFlow, typeof plan, typeof inputSchema, typeof outputSchema, typeof stateSchema>;
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
declare const name: "oauth:connect";
|
|
62
|
+
export default class OauthConnectFlow extends FlowBase<typeof name> {
|
|
63
|
+
private logger;
|
|
64
|
+
parseInput(): Promise<void>;
|
|
65
|
+
handleConnect(): Promise<void>;
|
|
66
|
+
/** Verify the signed resume token against the server secret (constant-time + expiry). */
|
|
67
|
+
private verifyToken;
|
|
68
|
+
/** Resolve the single credential field to render from `login.fields` (first field), or a default. */
|
|
69
|
+
private resolveConnectField;
|
|
70
|
+
/** Render the single-field connect page (reusing the login field renderer). */
|
|
71
|
+
private renderConnectPage;
|
|
72
|
+
/**
|
|
73
|
+
* Build the {@link AuthenticateContext} and invoke the verifier with the resume
|
|
74
|
+
* context. A throwing verifier is converted into a clean failure.
|
|
75
|
+
*/
|
|
76
|
+
private runAuthenticate;
|
|
77
|
+
/** Outbound fetch handed to the verifier (routes through the auth instance when available). */
|
|
78
|
+
private contextFetch;
|
|
79
|
+
/** Fire a `notifications/resources/updated` to connected sessions (best-effort). */
|
|
80
|
+
private notifyResourcesUpdated;
|
|
81
|
+
/** Parse a urlencoded/JSON POST body into a flat record. */
|
|
82
|
+
private coerceBody;
|
|
83
|
+
/** Collect submitted credential field values from query + body (excluding reserved params). */
|
|
84
|
+
private collectFields;
|
|
85
|
+
/** Render a small error page (escaped). */
|
|
86
|
+
private renderError;
|
|
87
|
+
}
|
|
88
|
+
export {};
|
|
89
|
+
//# sourceMappingURL=oauth.connect.flow.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.connect.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.connect.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAgBH,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;gCAOf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,eAAe,EAAE,cAAc,CAC7B,gBAAgB,EAChB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,eAAwB,CAAC;AAiBtC,MAAM,CAAC,OAAO,OAAO,gBAAiB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACjE,OAAO,CAAC,MAAM,CAA+C;IAGvD,UAAU;IAeV,aAAa;IAwHnB,yFAAyF;IACzF,OAAO,CAAC,WAAW;IAKnB,qGAAqG;IACrG,OAAO,CAAC,mBAAmB;IAW3B,+EAA+E;IAC/E,OAAO,CAAC,iBAAiB;IAoBzB;;;OAGG;YACW,eAAe;IA4B7B,+FAA+F;IAC/F,OAAO,CAAC,YAAY;IAQpB,oFAAoF;IACpF,OAAO,CAAC,sBAAsB;IAiB9B,4DAA4D;IAC5D,OAAO,CAAC,UAAU;IAyBlB,+FAA+F;IAC/F,OAAO,CAAC,aAAa;IAerB,2CAA2C;IAC3C,OAAO,CAAC,WAAW;CAQpB"}
|
|
@@ -34,6 +34,9 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
34
34
|
federatedSession: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodUnknown>;
|
|
35
35
|
providerTokens: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodUnknown>;
|
|
36
36
|
providerUserInfo: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodUnknown>;
|
|
37
|
+
consentSessionId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
38
|
+
consentSubmitted: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
39
|
+
selectedTools: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
37
40
|
}, import("zod/v4/core").$strip>;
|
|
38
41
|
declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{
|
|
39
42
|
kind: import("@frontmcp/lazy-zod").ZodLiteral<"redirect">;
|
|
@@ -49,8 +52,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
49
52
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
50
53
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
51
54
|
strict: "strict";
|
|
52
|
-
lax: "lax";
|
|
53
55
|
none: "none";
|
|
56
|
+
lax: "lax";
|
|
54
57
|
}>>;
|
|
55
58
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
56
59
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -68,8 +71,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
68
71
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
69
72
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
70
73
|
strict: "strict";
|
|
71
|
-
lax: "lax";
|
|
72
74
|
none: "none";
|
|
75
|
+
lax: "lax";
|
|
73
76
|
}>>;
|
|
74
77
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
75
78
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -78,7 +81,7 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
78
81
|
contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodLiteral<"text/html; charset=utf-8">>;
|
|
79
82
|
}, import("zod/v4/core").$strip>]>;
|
|
80
83
|
declare const plan: {
|
|
81
|
-
readonly pre: ["parseInput", "loadFederatedSession", "validateProviderCallback"];
|
|
84
|
+
readonly pre: ["parseInput", "handleConsentSubmission", "loadFederatedSession", "validateProviderCallback"];
|
|
82
85
|
readonly execute: ["exchangeProviderCode", "storeProviderTokens", "handleNextProviderOrComplete"];
|
|
83
86
|
};
|
|
84
87
|
declare global {
|
|
@@ -95,15 +98,42 @@ export default class OauthProviderCallbackFlow extends FlowBase<typeof name> {
|
|
|
95
98
|
*/
|
|
96
99
|
private getLocalAuth;
|
|
97
100
|
parseInput(): Promise<void>;
|
|
101
|
+
/**
|
|
102
|
+
* Handle a consent-screen submission for a federated login.
|
|
103
|
+
*
|
|
104
|
+
* Federated logins complete (mint the code) here, AFTER all providers are
|
|
105
|
+
* linked. When consent mode is enabled, {@link completeFederatedAuth} first
|
|
106
|
+
* renders the consent screen, which GETs back to this endpoint with
|
|
107
|
+
* `consent_session=<sessionId>` + `tools=`. This stage loads that still alive
|
|
108
|
+
* session, applies the selection (validating + `requireSelection`), and
|
|
109
|
+
* completes the mint — short-circuiting the provider-code path entirely.
|
|
110
|
+
*/
|
|
111
|
+
handleConsentSubmission(): Promise<void>;
|
|
98
112
|
loadFederatedSession(): Promise<void>;
|
|
99
113
|
validateProviderCallback(): Promise<void>;
|
|
100
114
|
exchangeProviderCode(): Promise<void>;
|
|
101
115
|
storeProviderTokens(): Promise<void>;
|
|
102
116
|
handleNextProviderOrComplete(): Promise<void>;
|
|
103
117
|
/**
|
|
104
|
-
* Complete the federated auth flow and issue FrontMCP JWT
|
|
118
|
+
* Complete the federated auth flow and issue FrontMCP JWT.
|
|
119
|
+
*
|
|
120
|
+
* When consent mode is enabled this runs in two passes:
|
|
121
|
+
* 1. First reach (no `consent.consentSubmitted`): render the consent screen,
|
|
122
|
+
* which GETs back to this endpoint with `consent_session` + `tools=`. The
|
|
123
|
+
* federated session is kept ALIVE for the round-trip.
|
|
124
|
+
* 2. Resubmit (`consent.consentSubmitted` true): validate the selection
|
|
125
|
+
* (honoring `requireSelection`) and mint the code with the consented set.
|
|
126
|
+
*
|
|
127
|
+
* With consent disabled, it mints immediately (historical behavior).
|
|
105
128
|
*/
|
|
106
129
|
private completeFederatedAuth;
|
|
130
|
+
/**
|
|
131
|
+
* Render the federated consent screen. The form GETs back to this provider
|
|
132
|
+
* callback endpoint with `consent_session=<sessionId>` + the chosen `tools=`
|
|
133
|
+
* (and `consent_submitted=1`), so {@link handleConsentSubmission} completes
|
|
134
|
+
* the mint. Honors the same `auth.consent` flags as the non-federated path.
|
|
135
|
+
*/
|
|
136
|
+
private renderConsentScreen;
|
|
107
137
|
/**
|
|
108
138
|
* Generate a deterministic user sub from email
|
|
109
139
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.provider-callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.provider-callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;
|
|
1
|
+
{"version":3,"file":"oauth.provider-callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.provider-callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAeH,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAKtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;gCAmBf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAgD,CAAC;AAEnE,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,yBAAyB,EAAE,cAAc,CACvC,yBAAyB,EACzB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,yBAAkC,CAAC;AAchD,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAwD;IAEtE;;;OAGG;IACH,OAAO,CAAC,YAAY;IASd,UAAU;IAoChB;;;;;;;;;OASG;IAEG,uBAAuB;IAyCvB,oBAAoB;IAkEpB,wBAAwB;IAmDxB,oBAAoB;IA0EpB,mBAAmB;IAoEnB,4BAA4B;IAkElC;;;;;;;;;;;OAWG;YACW,qBAAqB;IAkKnC;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;OAEG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,eAAe;IAqDvB,OAAO,CAAC,kBAAkB;CAO3B"}
|
|
@@ -4,26 +4,20 @@
|
|
|
4
4
|
* Who calls: Developers/automation.
|
|
5
5
|
*
|
|
6
6
|
* Purpose: Let clients register programmatically (redirect URIs, grant types, etc.).
|
|
7
|
+
*
|
|
8
|
+
* Control surface (#462): the LOCAL Authorization Server's DCR is governed by
|
|
9
|
+
* the declarative `auth.dcr` block. When `dcr` is omitted the historical
|
|
10
|
+
* behavior is preserved exactly — registration is enabled in development and
|
|
11
|
+
* disabled in production (via `isProduction()`), with no allowlist and no
|
|
12
|
+
* initial access token. When configured, this flow enforces:
|
|
13
|
+
* - `dcr.enabled === false` → 404 (behave as if the endpoint does not exist)
|
|
14
|
+
* - `dcr.initialAccessToken` → require `Authorization: Bearer <token>` (401)
|
|
15
|
+
* - `dcr.allowedClientIds` → registrations are pinned to an allowed id (400)
|
|
16
|
+
* - `dcr.allowedRedirectUris` → reject unlisted redirect_uris (400)
|
|
17
|
+
* Registered clients are stored on the per-instance {@link DcrClientRegistry}
|
|
18
|
+
* (LocalPrimaryAuth), so the authorize/token flows can validate them.
|
|
7
19
|
*/
|
|
8
20
|
import { FlowBase, type FlowRunOptions } from '../../common';
|
|
9
|
-
/** Simple in-memory registry (dev only) */
|
|
10
|
-
type RegisteredClient = {
|
|
11
|
-
client_id: string;
|
|
12
|
-
client_secret?: string;
|
|
13
|
-
token_endpoint_auth_method: 'none' | 'client_secret_basic' | 'client_secret_post' | 'private_key_jwt' | 'tls_client_auth';
|
|
14
|
-
grant_types: string[];
|
|
15
|
-
response_types: string[];
|
|
16
|
-
redirect_uris: string[];
|
|
17
|
-
client_name?: string;
|
|
18
|
-
scope?: string;
|
|
19
|
-
created_at: number;
|
|
20
|
-
dev: boolean;
|
|
21
|
-
};
|
|
22
|
-
/** Optional: export getters so other flows can validate client_id */
|
|
23
|
-
export declare const DevClientRegistry: {
|
|
24
|
-
get(client_id: string): RegisteredClient | undefined;
|
|
25
|
-
has(client_id: string): boolean;
|
|
26
|
-
};
|
|
27
21
|
declare const inputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
28
22
|
request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
29
23
|
response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
@@ -44,8 +38,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
44
38
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
45
39
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
46
40
|
strict: "strict";
|
|
47
|
-
lax: "lax";
|
|
48
41
|
none: "none";
|
|
42
|
+
lax: "lax";
|
|
49
43
|
}>>;
|
|
50
44
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
51
45
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -72,7 +66,7 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
72
66
|
client_name: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
73
67
|
scope: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
74
68
|
}, import("zod/v4/core").$loose>;
|
|
75
|
-
|
|
69
|
+
dcrEnabled: import("@frontmcp/lazy-zod").ZodBoolean;
|
|
76
70
|
}, import("zod/v4/core").$strip>;
|
|
77
71
|
declare const plan: {
|
|
78
72
|
readonly pre: ["parseInput", "validateInput"];
|
|
@@ -87,6 +81,8 @@ declare global {
|
|
|
87
81
|
declare const name: "oauth:register";
|
|
88
82
|
export default class OauthRegisterFlow extends FlowBase<typeof name> {
|
|
89
83
|
private registered?;
|
|
84
|
+
/** The local AS primary auth, which owns the DCR client registry (#462). */
|
|
85
|
+
private get localAuth();
|
|
90
86
|
parseInput(): Promise<void>;
|
|
91
87
|
validateInput(): Promise<void>;
|
|
92
88
|
registerClient(): Promise<void>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.register.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.register.flow.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"oauth.register.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.register.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAmBH,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AACpC,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAkBpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;gCAIf,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAsBvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,UAAU,CAAC,CAAmB;IAEtC,4EAA4E;IAC5E,OAAO,KAAK,SAAS,GAEpB;IAGK,UAAU;IAeV,aAAa;IAyIb,cAAc;IA6Bd,mBAAmB;IA8BnB,cAAc;CAGrB"}
|