@frontmcp/sdk 1.3.0 → 1.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -60
- package/agent/agent.scope.d.ts +164 -0
- package/agent/agent.scope.d.ts.map +1 -1
- package/app/instances/app.esm.instance.d.ts.map +1 -1
- package/app/instances/app.remote.instance.d.ts.map +1 -1
- package/auth/auth-ui/auth-ui.contract.d.ts +149 -0
- package/auth/auth-ui/auth-ui.contract.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.registry.d.ts +151 -0
- package/auth/auth-ui/auth-ui.registry.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.render.d.ts +49 -0
- package/auth/auth-ui/auth-ui.render.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.state.d.ts +62 -0
- package/auth/auth-ui/auth-ui.state.d.ts.map +1 -0
- package/auth/auth-ui/index.d.ts +24 -0
- package/auth/auth-ui/index.d.ts.map +1 -0
- package/auth/auth.registry.d.ts.map +1 -1
- package/auth/authorized-apps.utils.d.ts +51 -0
- package/auth/authorized-apps.utils.d.ts.map +1 -0
- package/auth/consent-tools.helper.d.ts +26 -0
- package/auth/consent-tools.helper.d.ts.map +1 -0
- package/auth/consent.utils.d.ts +62 -0
- package/auth/consent.utils.d.ts.map +1 -0
- package/auth/credentials/credentials.context-extension.d.ts +63 -0
- package/auth/credentials/credentials.context-extension.d.ts.map +1 -0
- package/auth/credentials/credentials.providers.d.ts +40 -0
- package/auth/credentials/credentials.providers.d.ts.map +1 -0
- package/auth/credentials/index.d.ts +3 -0
- package/auth/credentials/index.d.ts.map +1 -0
- package/auth/flows/auth.verify.flow.d.ts.map +1 -1
- package/auth/flows/oauth.auth-ui.flow.d.ts +53 -0
- package/auth/flows/oauth.auth-ui.flow.d.ts.map +1 -0
- package/auth/flows/oauth.authorize.flow.d.ts +51 -9
- package/auth/flows/oauth.authorize.flow.d.ts.map +1 -1
- package/auth/flows/oauth.callback.flow.d.ts +118 -5
- package/auth/flows/oauth.callback.flow.d.ts.map +1 -1
- package/auth/flows/oauth.connect.flow.d.ts +89 -0
- package/auth/flows/oauth.connect.flow.d.ts.map +1 -0
- package/auth/flows/oauth.provider-callback.flow.d.ts +34 -4
- package/auth/flows/oauth.provider-callback.flow.d.ts.map +1 -1
- package/auth/flows/oauth.register.flow.d.ts +16 -20
- package/auth/flows/oauth.register.flow.d.ts.map +1 -1
- package/auth/flows/oauth.token.flow.d.ts +2 -2
- package/auth/flows/oauth.token.flow.d.ts.map +1 -1
- package/auth/flows/oauth.userinfo.flow.d.ts +67 -0
- package/auth/flows/oauth.userinfo.flow.d.ts.map +1 -0
- package/auth/flows/session.verify.flow.d.ts +2 -2
- package/auth/flows/session.verify.flow.d.ts.map +1 -1
- package/auth/flows/well-known.jwks.flow.d.ts +3 -3
- package/auth/flows/well-known.oauth-authorization-server.flow.d.ts +3 -2
- package/auth/flows/well-known.oauth-authorization-server.flow.d.ts.map +1 -1
- package/auth/flows/well-known.prm.flow.d.ts +1 -1
- package/auth/flows/well-known.prm.flow.d.ts.map +1 -1
- package/auth/instances/instance.local-primary-auth.d.ts +226 -12
- package/auth/instances/instance.local-primary-auth.d.ts.map +1 -1
- package/auth/secure-store/index.d.ts +3 -0
- package/auth/secure-store/index.d.ts.map +1 -0
- package/auth/secure-store/secure-store.context-extension.d.ts +61 -0
- package/auth/secure-store/secure-store.context-extension.d.ts.map +1 -0
- package/auth/secure-store/secure-store.providers.d.ts +36 -0
- package/auth/secure-store/secure-store.providers.d.ts.map +1 -0
- package/common/decorators/agent.decorator.d.ts +32 -0
- package/common/decorators/agent.decorator.d.ts.map +1 -1
- package/common/decorators/app.decorator.d.ts.map +1 -1
- package/common/decorators/front-mcp.decorator.d.ts.map +1 -1
- package/common/decorators/skill.decorator.d.ts.map +1 -1
- package/common/decorators/tool.decorator.d.ts +44 -0
- package/common/decorators/tool.decorator.d.ts.map +1 -1
- package/common/entries/scope.entry.d.ts +7 -0
- package/common/entries/scope.entry.d.ts.map +1 -1
- package/common/entries/skill.entry.d.ts +22 -1
- package/common/entries/skill.entry.d.ts.map +1 -1
- package/common/entries/tool.entry.d.ts +17 -0
- package/common/entries/tool.entry.d.ts.map +1 -1
- package/common/interfaces/internal/primary-auth-provider.interface.d.ts +18 -0
- package/common/interfaces/internal/primary-auth-provider.interface.d.ts.map +1 -1
- package/common/interfaces/tool.interface.d.ts +26 -0
- package/common/interfaces/tool.interface.d.ts.map +1 -1
- package/common/metadata/app.metadata.d.ts +472 -0
- package/common/metadata/app.metadata.d.ts.map +1 -1
- package/common/metadata/front-mcp.metadata.d.ts +1773 -52
- package/common/metadata/front-mcp.metadata.d.ts.map +1 -1
- package/common/metadata/index.d.ts +1 -0
- package/common/metadata/index.d.ts.map +1 -1
- package/common/metadata/output-policy.d.ts +82 -0
- package/common/metadata/output-policy.d.ts.map +1 -0
- package/common/metadata/skill.metadata.d.ts +45 -1
- package/common/metadata/skill.metadata.d.ts.map +1 -1
- package/common/metadata/tool-ui.metadata.d.ts +1 -1
- package/common/metadata/tool-ui.metadata.d.ts.map +1 -1
- package/common/metadata/tool.metadata.d.ts +65 -0
- package/common/metadata/tool.metadata.d.ts.map +1 -1
- package/common/schemas/http-output.schema.d.ts +25 -25
- package/common/schemas/http-output.schema.d.ts.map +1 -1
- package/common/tokens/app.tokens.d.ts.map +1 -1
- package/common/tokens/front-mcp.tokens.d.ts.map +1 -1
- package/common/tokens/skill.tokens.d.ts +2 -0
- package/common/tokens/skill.tokens.d.ts.map +1 -1
- package/common/tokens/tool.tokens.d.ts +1 -0
- package/common/tokens/tool.tokens.d.ts.map +1 -1
- package/common/types/auth/session.types.d.ts +2 -2
- package/common/types/options/auth/index.d.ts +4 -4
- package/common/types/options/auth/index.d.ts.map +1 -1
- package/common/types/options/auth/interfaces.d.ts +1 -1
- package/common/types/options/auth/interfaces.d.ts.map +1 -1
- package/common/types/options/auth/orchestrated.schema.d.ts +1 -1
- package/common/types/options/auth/orchestrated.schema.d.ts.map +1 -1
- package/common/types/options/auth/shared.schemas.d.ts +2 -2
- package/common/types/options/auth/shared.schemas.d.ts.map +1 -1
- package/common/types/options/http/index.d.ts +1 -1
- package/common/types/options/http/index.d.ts.map +1 -1
- package/common/types/options/http/interfaces.d.ts +56 -1
- package/common/types/options/http/interfaces.d.ts.map +1 -1
- package/common/types/options/http/schema.d.ts +15 -0
- package/common/types/options/http/schema.d.ts.map +1 -1
- package/common/types/options/session/schema.d.ts +3 -3
- package/common/types/options/transport/schema.d.ts +1 -1
- package/common/utils/caller-dir.utils.d.ts +15 -0
- package/common/utils/caller-dir.utils.d.ts.map +1 -0
- package/common/utils/index.d.ts +1 -0
- package/common/utils/index.d.ts.map +1 -1
- package/errors/index.d.ts +3 -1
- package/errors/index.d.ts.map +1 -1
- package/errors/mcp.error.d.ts +36 -2
- package/errors/mcp.error.d.ts.map +1 -1
- package/errors/tool-credentials-required.error.d.ts +70 -0
- package/errors/tool-credentials-required.error.d.ts.map +1 -0
- package/esm/index.mjs +6553 -2688
- package/flows/flow.instance.d.ts.map +1 -1
- package/front-mcp/front-mcp.d.ts +52 -32
- package/front-mcp/front-mcp.d.ts.map +1 -1
- package/front-mcp/front-mcp.providers.d.ts +700 -8
- package/front-mcp/front-mcp.providers.d.ts.map +1 -1
- package/index.d.ts +29 -4
- package/index.d.ts.map +1 -1
- package/index.js +7138 -3307
- package/package.json +28 -29
- package/scope/flows/http.request.flow.d.ts +18 -1
- package/scope/flows/http.request.flow.d.ts.map +1 -1
- package/scope/optional-dependency.util.d.ts +39 -0
- package/scope/optional-dependency.util.d.ts.map +1 -0
- package/scope/scope.instance.d.ts +17 -0
- package/scope/scope.instance.d.ts.map +1 -1
- package/scope/scope.utils.d.ts.map +1 -1
- package/server/adapters/express.host.adapter.d.ts.map +1 -1
- package/server/custom-routes.helper.d.ts +81 -0
- package/server/custom-routes.helper.d.ts.map +1 -0
- package/skill/flows/http/llm-full-txt.flow.d.ts +1 -1
- package/skill/flows/http/llm-txt.flow.d.ts +1 -1
- package/skill/flows/http/skills-api.flow.d.ts +18 -1
- package/skill/flows/http/skills-api.flow.d.ts.map +1 -1
- package/skill/flows/load-skill.flow.d.ts +7 -0
- package/skill/flows/load-skill.flow.d.ts.map +1 -1
- package/skill/flows/search-skills.flow.d.ts +13 -0
- package/skill/flows/search-skills.flow.d.ts.map +1 -1
- package/skill/index.d.ts +1 -0
- package/skill/index.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-file.resource.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-index.resource.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-md.resource.d.ts.map +1 -1
- package/skill/sep-2640/sep-2640.per-skill.d.ts.map +1 -1
- package/skill/skill-authorities.helper.d.ts +100 -0
- package/skill/skill-authorities.helper.d.ts.map +1 -0
- package/skill/skill.instance.d.ts.map +1 -1
- package/skill/skill.registry.d.ts +34 -0
- package/skill/skill.registry.d.ts.map +1 -1
- package/task/helpers/cli-task-runner.d.ts.map +1 -1
- package/tool/flows/call-tool.flow.d.ts +26 -1
- package/tool/flows/call-tool.flow.d.ts.map +1 -1
- package/tool/flows/tool-credentials.gate.d.ts +31 -0
- package/tool/flows/tool-credentials.gate.d.ts.map +1 -0
- package/tool/flows/tools-list.flow.d.ts.map +1 -1
- package/tool/tool.instance.d.ts.map +1 -1
- package/tool/ui/index.d.ts +1 -1
- package/tool/ui/index.d.ts.map +1 -1
- package/tool/ui/ui-resource.handler.d.ts.map +1 -1
- package/tool/ui/ui-shared.d.ts +33 -1
- package/tool/ui/ui-shared.d.ts.map +1 -1
- package/transport/adapters/transport.local.adapter.d.ts.map +1 -1
- package/transport/flows/handle.sse.flow.d.ts +1 -1
- package/transport/flows/handle.streamable-http.flow.d.ts +58 -1
- package/transport/flows/handle.streamable-http.flow.d.ts.map +1 -1
- package/transport/mcp-handlers/call-tool-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/read-resource-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-list-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-load-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-search-request.handler.d.ts.map +1 -1
|
@@ -0,0 +1,151 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Auth-UI Registry (#469 — slot→file map + name→handler map).
|
|
3
|
+
*
|
|
4
|
+
* Built per OAuth scope from the scope's resolved auth options:
|
|
5
|
+
* - `auth.ui` — a {@link AuthSlot} → relative `.tsx`/`.jsx` PATH map, and
|
|
6
|
+
* - `auth.extras` — an extra-name → server HANDLER function map.
|
|
7
|
+
*
|
|
8
|
+
* It resolves each slot's file against the scope's captured source directory
|
|
9
|
+
* (the `@FrontMcp`/`@App` `__sourceDir`; absolute paths pass through) and owns
|
|
10
|
+
* the cross-cutting SERVER-side concerns the client contract delegates to the
|
|
11
|
+
* server:
|
|
12
|
+
* - CSRF minting + verifying (per pending-auth id),
|
|
13
|
+
* - the per-(pending-auth, extra) ACCUMULATOR that backs `useAddedItems(name)`,
|
|
14
|
+
* - the per-slot {@link AuthUiFileSource} the page builder transpiles.
|
|
15
|
+
*
|
|
16
|
+
* The auth pages render ENTIRELY in the browser from a server-side single-file
|
|
17
|
+
* TRANSFORM routed through `@frontmcp/uipack`'s pluggable `renderComponent`: the
|
|
18
|
+
* slot's `.tsx` is transpiled with esbuild `transformSync` (deps stay external)
|
|
19
|
+
* and inlined as a `<script type="module">`, with react / react-dom /
|
|
20
|
+
* `@frontmcp/ui/auth` loaded from esm.sh via an import-map. The server NEVER
|
|
21
|
+
* imports, bundles, or evaluates the component — no IIFE bundle, no served `.js`.
|
|
22
|
+
*
|
|
23
|
+
* When NO file is registered for a slot, the flows fall back to the built-in
|
|
24
|
+
* HTML pages unchanged (the no-config default). No PII is stored — the
|
|
25
|
+
* accumulator holds whatever items the developer's extra handler accepted
|
|
26
|
+
* (their responsibility), keyed by opaque pending-auth id.
|
|
27
|
+
*
|
|
28
|
+
* @packageDocumentation
|
|
29
|
+
*/
|
|
30
|
+
import { type AuthExtraHandler } from '@frontmcp/auth';
|
|
31
|
+
import { type FrontMcpLogger } from '../../common';
|
|
32
|
+
import { type AuthSlot, type AuthUiFileSource } from './auth-ui.contract';
|
|
33
|
+
/**
|
|
34
|
+
* The JSON returned to the client from an extra submit. Mirrors the client
|
|
35
|
+
* `AuthExtraResult` shape — `addedItems` here is the FULL accumulator MAP keyed
|
|
36
|
+
* by extra name (not the handler's per-call new-items list).
|
|
37
|
+
*/
|
|
38
|
+
export interface AuthExtraRunResult {
|
|
39
|
+
ok: boolean;
|
|
40
|
+
error?: string;
|
|
41
|
+
addedItems?: Record<string, unknown[]>;
|
|
42
|
+
sideEffects?: Record<string, unknown>;
|
|
43
|
+
}
|
|
44
|
+
/**
|
|
45
|
+
* Registry of custom auth-UI slot files + extra handlers for a scope.
|
|
46
|
+
*/
|
|
47
|
+
export declare class AuthUiRegistry {
|
|
48
|
+
private readonly slots;
|
|
49
|
+
private readonly extras;
|
|
50
|
+
private readonly pending;
|
|
51
|
+
private readonly logger?;
|
|
52
|
+
/**
|
|
53
|
+
* Optional per-specifier resolver overrides applied when building the page's
|
|
54
|
+
* import-map (e.g. mapping `@frontmcp/ui/auth` to a locally-served ESM URL in
|
|
55
|
+
* dev / offline, where it isn't on esm.sh).
|
|
56
|
+
*/
|
|
57
|
+
private resolverOverrides?;
|
|
58
|
+
constructor(logger?: FrontMcpLogger);
|
|
59
|
+
/**
|
|
60
|
+
* Register the `auth.ui` slot→file map. Each relative path is resolved against
|
|
61
|
+
* `sourceDir` (the declaring `@FrontMcp`/`@App` directory); absolute paths pass
|
|
62
|
+
* through. Later registrations for the same slot win (so a scope can override a
|
|
63
|
+
* server-level default).
|
|
64
|
+
*/
|
|
65
|
+
registerAuthUiMap(map: Partial<Record<AuthSlot, string>> | undefined, sourceDir: string): void;
|
|
66
|
+
/**
|
|
67
|
+
* Register the `auth.extras` name→handler map. Each value must be a function
|
|
68
|
+
* `(input, ctx) => AuthExtraResult | Promise<AuthExtraResult>`.
|
|
69
|
+
*/
|
|
70
|
+
registerAuthExtrasMap(map: Record<string, AuthExtraHandler> | undefined): void;
|
|
71
|
+
/**
|
|
72
|
+
* Set per-specifier import-map overrides for the page builder. Use in dev /
|
|
73
|
+
* offline to point `@frontmcp/ui/auth` (not on esm.sh in a monorepo) at a
|
|
74
|
+
* locally-served ESM URL.
|
|
75
|
+
*/
|
|
76
|
+
setResolverOverrides(overrides: Record<string, string> | undefined): void;
|
|
77
|
+
/** The configured import-map overrides (undefined when none). */
|
|
78
|
+
getResolverOverrides(): Record<string, string> | undefined;
|
|
79
|
+
/** Whether any custom slot file is registered. */
|
|
80
|
+
hasAny(): boolean;
|
|
81
|
+
/** Whether a custom file is registered for `slot`. */
|
|
82
|
+
hasSlot(slot: AuthSlot): boolean;
|
|
83
|
+
/** Whether any extra handler is registered. */
|
|
84
|
+
hasExtras(): boolean;
|
|
85
|
+
/**
|
|
86
|
+
* The file-based source for a slot, or `undefined` when the slot is
|
|
87
|
+
* unregistered or previously failed to build (error cached). Used by the page
|
|
88
|
+
* builder to transpile the `.tsx` server-side.
|
|
89
|
+
*/
|
|
90
|
+
getSlotSource(slot: AuthSlot): AuthUiFileSource | undefined;
|
|
91
|
+
/**
|
|
92
|
+
* Whether a slot can be rendered — i.e. a file is registered for it (and it
|
|
93
|
+
* hasn't recorded a build error). Used by the page assembler to decide between
|
|
94
|
+
* the custom page and the built-in fallback.
|
|
95
|
+
*/
|
|
96
|
+
canRenderSlot(slot: AuthSlot): boolean;
|
|
97
|
+
/**
|
|
98
|
+
* Record a transform/build error for a slot so a broken file isn't
|
|
99
|
+
* re-transpiled on every request (the slot then falls back to the built-in
|
|
100
|
+
* page). Called by the page builder when the transform throws.
|
|
101
|
+
*/
|
|
102
|
+
recordSlotError(slot: AuthSlot, message: string): void;
|
|
103
|
+
/**
|
|
104
|
+
* Mint (or reuse) the CSRF token for a pending-auth id and return it. The
|
|
105
|
+
* token is stored server-side and echoed into {@link AuthFlowState.csrfToken}.
|
|
106
|
+
*/
|
|
107
|
+
mintCsrf(pendingAuthId: string): string;
|
|
108
|
+
/**
|
|
109
|
+
* Look up a pending-ui entry, enforcing the TTL at read time: an expired entry
|
|
110
|
+
* is deleted and treated as absent. This guarantees a stale token can never
|
|
111
|
+
* validate even if no prune-triggering write happened after it expired.
|
|
112
|
+
*/
|
|
113
|
+
private getActivePending;
|
|
114
|
+
/**
|
|
115
|
+
* Verify a submitted CSRF token against the minted one for this pending-auth.
|
|
116
|
+
* Returns false on any mismatch / unknown / expired pending id (caller rejects 400).
|
|
117
|
+
*/
|
|
118
|
+
verifyCsrf(pendingAuthId: string | undefined, submitted: string | undefined): boolean;
|
|
119
|
+
/**
|
|
120
|
+
* Current accumulators for a pending-auth id (empty when none yet). Returns a
|
|
121
|
+
* DEEP copy — each array is cloned — so callers (e.g. an extra handler reading
|
|
122
|
+
* `ctx.current`) can never mutate the internal accumulator by reference.
|
|
123
|
+
*/
|
|
124
|
+
getAddedItems(pendingAuthId: string | undefined): Record<string, unknown[]>;
|
|
125
|
+
/** Append accepted items to an extra's accumulator and return the full map. */
|
|
126
|
+
appendItems(pendingAuthId: string, extraName: string, items: unknown[]): Record<string, unknown[]>;
|
|
127
|
+
private ensurePending;
|
|
128
|
+
private pruneExpired;
|
|
129
|
+
/** Whether a handler is registered for `name`. */
|
|
130
|
+
hasExtra(name: string): boolean;
|
|
131
|
+
/**
|
|
132
|
+
* Route an extra submission to its registered handler. Persists accepted items
|
|
133
|
+
* into the per-pending-auth accumulator and returns the full result including
|
|
134
|
+
* the updated `addedItems` map (so the client refreshes without a reload).
|
|
135
|
+
* Returns `{ ok:false }` when no handler is registered for `name`.
|
|
136
|
+
*
|
|
137
|
+
* Note: the returned `addedItems` is the FULL accumulator MAP (keyed by extra
|
|
138
|
+
* name) — the client `AuthExtraResult` shape — not the handler's per-call
|
|
139
|
+
* `addedItems` (which is the list of NEW items).
|
|
140
|
+
*/
|
|
141
|
+
runExtra(name: string, pendingAuthId: string | undefined, input: Record<string, unknown>): Promise<AuthExtraRunResult>;
|
|
142
|
+
/**
|
|
143
|
+
* Validate every registered slot's source at startup (mirroring tool-ui's
|
|
144
|
+
* `compileUIWidgets`): a missing / non-`.tsx` file is caught lazily at first
|
|
145
|
+
* render and cached as an error so the slot falls back to the built-in page
|
|
146
|
+
* instead of failing the request. This is just a cheap preflight log; it never
|
|
147
|
+
* throws — a broken component must not take the server down.
|
|
148
|
+
*/
|
|
149
|
+
warmup(): Promise<void>;
|
|
150
|
+
}
|
|
151
|
+
//# sourceMappingURL=auth-ui.registry.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-ui.registry.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/auth-ui.registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAyB,KAAK,gBAAgB,EAAwB,MAAM,gBAAgB,CAAC;AAGpG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,KAAK,QAAQ,EAAE,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAK1E;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,OAAO,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAqBD;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;IAC9D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyC;IACjE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAiB;IACzC;;;;OAIG;IACH,OAAO,CAAC,iBAAiB,CAAC,CAAyB;gBAEvC,MAAM,CAAC,EAAE,cAAc;IAInC;;;;;OAKG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,GAAG,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAc9F;;;OAGG;IACH,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,GAAG,SAAS,GAAG,IAAI;IAW9E;;;;OAIG;IACH,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,GAAG,IAAI;IAIzE,iEAAiE;IACjE,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS;IAI1D,kDAAkD;IAClD,MAAM,IAAI,OAAO;IAIjB,sDAAsD;IACtD,OAAO,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO;IAIhC,+CAA+C;IAC/C,SAAS,IAAI,OAAO;IAQpB;;;;OAIG;IACH,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,gBAAgB,GAAG,SAAS;IAM3D;;;;OAIG;IACH,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO;IAItC;;;;OAIG;IACH,eAAe,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAYtD;;;OAGG;IACH,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IASvC;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;;OAGG;IACH,UAAU,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO;IAWrF;;;;OAIG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;IAO3E,+EAA+E;IAC/E,WAAW,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;IAOlG,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,YAAY;IAWpB,kDAAkD;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI/B;;;;;;;;;OASG;IACG,QAAQ,CACZ,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,OAAO,CAAC,kBAAkB,CAAC;IAqC9B;;;;;;OAMG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ9B"}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
import { AUTH_MOUNT_ID, type AuthFlowState, type AuthSlot } from './auth-ui.contract';
|
|
2
|
+
import { type AuthUiRegistry } from './auth-ui.registry';
|
|
3
|
+
/**
|
|
4
|
+
* The mount id the client renders into. Re-exported from the server-owned
|
|
5
|
+
* contract so the shell and (via the wire contract) the `@frontmcp/ui/auth`
|
|
6
|
+
* client mount agree on a single value.
|
|
7
|
+
*/
|
|
8
|
+
export { AUTH_MOUNT_ID };
|
|
9
|
+
/** Path the auth extra submissions POST to (action discriminates the extra). */
|
|
10
|
+
export declare function authUiExtraPath(fullPath: string): string;
|
|
11
|
+
/**
|
|
12
|
+
* The Content-Security-Policy for an auth-UI page.
|
|
13
|
+
*
|
|
14
|
+
* Allows `https://esm.sh` for module scripts + connections + styles (the
|
|
15
|
+
* import-map resolves every dependency there) and `'unsafe-inline'` for scripts
|
|
16
|
+
* (only the server-controlled, JSON-escaped state `<script>` is inline; never
|
|
17
|
+
* user input). It does NOT include `'unsafe-eval'` — the TSX→JS transform is
|
|
18
|
+
* done server-side, so the browser never evals source. Framing is denied to
|
|
19
|
+
* prevent clickjacking of the login / consent form.
|
|
20
|
+
*/
|
|
21
|
+
export declare const AUTH_UI_CSP: string;
|
|
22
|
+
/**
|
|
23
|
+
* Build the auth security headers for an auth-UI page (CSP + anti-clickjacking).
|
|
24
|
+
*
|
|
25
|
+
* @param csp - Override the CSP value (defaults to {@link AUTH_UI_CSP}).
|
|
26
|
+
*/
|
|
27
|
+
export declare function authUiPageHeaders(csp?: string): Record<string, string>;
|
|
28
|
+
/** Convenience wrapper used by the OAuth flows. Same as `authUiPageHeaders()`. */
|
|
29
|
+
export declare function authUiSecurityHeaders(): Record<string, string>;
|
|
30
|
+
/**
|
|
31
|
+
* Build the complete auth-UI HTML page for a slot.
|
|
32
|
+
*
|
|
33
|
+
* Returns `undefined` when the registry has no file for the slot — the caller
|
|
34
|
+
* then renders the built-in page (defaults preserved). On a transform/read
|
|
35
|
+
* failure the error is cached on the registry (so a broken file isn't
|
|
36
|
+
* re-transpiled every request) and `undefined` is returned (fallback).
|
|
37
|
+
*/
|
|
38
|
+
export declare function buildAuthUiPage(options: {
|
|
39
|
+
registry: AuthUiRegistry;
|
|
40
|
+
slot: AuthSlot;
|
|
41
|
+
state: AuthFlowState;
|
|
42
|
+
fullPath: string;
|
|
43
|
+
/** Page <title> (defaults to a slot-appropriate label). */
|
|
44
|
+
title?: string;
|
|
45
|
+
}): {
|
|
46
|
+
html: string;
|
|
47
|
+
headers: Record<string, string>;
|
|
48
|
+
} | undefined;
|
|
49
|
+
//# sourceMappingURL=auth-ui.render.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-ui.render.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/auth-ui.render.ts"],"names":[],"mappings":"AA+CA,OAAO,EAAwB,aAAa,EAAE,KAAK,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC5G,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEzD;;;;GAIG;AACH,OAAO,EAAE,aAAa,EAAE,CAAC;AAEzB,gFAAgF;AAChF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,QASZ,CAAC;AAEb;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,MAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAOnF;AAED,kFAAkF;AAClF,wBAAgB,qBAAqB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAE9D;AAiBD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE;IACvC,QAAQ,EAAE,cAAc,CAAC;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,SAAS,CAwChE"}
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Per-slot {@link AuthFlowState} builders (#469, stage 2).
|
|
3
|
+
*
|
|
4
|
+
* Each builder maps the values an OAuth flow ALREADY computes for its built-in
|
|
5
|
+
* page (the same inputs fed to `renderLocalLoginPage` / `buildToolConsentPage` /
|
|
6
|
+
* `buildFederatedLoginPage` / `buildIncrementalAuthPage`) into the stage-1
|
|
7
|
+
* contract shape, plus the server-owned `csrfToken`, `submitUrl`, `extraUrl`,
|
|
8
|
+
* and accumulated `addedItems`. No PII is added — identity the user types is
|
|
9
|
+
* carried by the developer's own form fields, never serialized here.
|
|
10
|
+
*
|
|
11
|
+
* @packageDocumentation
|
|
12
|
+
*/
|
|
13
|
+
import { type AuthFlowState, type AuthProvider, type AuthTool } from './auth-ui.contract';
|
|
14
|
+
/** Common server-owned fields every interactive slot needs. */
|
|
15
|
+
interface SlotCommon {
|
|
16
|
+
pendingAuthId: string;
|
|
17
|
+
/** The scope's `${fullPath}/oauth/callback` submit target. */
|
|
18
|
+
submitUrl: string;
|
|
19
|
+
/** The `${fullPath}/oauth/ui/extra` endpoint for `@AuthExtra` submits. */
|
|
20
|
+
extraUrl: string;
|
|
21
|
+
/** Minted CSRF token for this pending auth. */
|
|
22
|
+
csrfToken: string;
|
|
23
|
+
/** Server-side accumulators for this pending auth (keyed by extra name). */
|
|
24
|
+
addedItems?: Record<string, unknown[]>;
|
|
25
|
+
}
|
|
26
|
+
/** Build the `login` slot state. */
|
|
27
|
+
export declare function buildLoginState(common: SlotCommon, data: {
|
|
28
|
+
clientId: string;
|
|
29
|
+
clientName?: string;
|
|
30
|
+
scopes: string[];
|
|
31
|
+
redirectUri: string;
|
|
32
|
+
logoUri?: string;
|
|
33
|
+
}): AuthFlowState;
|
|
34
|
+
/** Build the `consent` slot state. */
|
|
35
|
+
export declare function buildConsentState(common: SlotCommon, data: {
|
|
36
|
+
clientId: string;
|
|
37
|
+
clientName?: string;
|
|
38
|
+
tools: AuthTool[];
|
|
39
|
+
redirectUri?: string;
|
|
40
|
+
}): AuthFlowState;
|
|
41
|
+
/** Build the `federated` slot state. */
|
|
42
|
+
export declare function buildFederatedState(common: SlotCommon, data: {
|
|
43
|
+
clientId: string;
|
|
44
|
+
clientName?: string;
|
|
45
|
+
providers: AuthProvider[];
|
|
46
|
+
redirectUri: string;
|
|
47
|
+
}): AuthFlowState;
|
|
48
|
+
/** Build the `incremental` slot state. */
|
|
49
|
+
export declare function buildIncrementalState(common: SlotCommon, data: {
|
|
50
|
+
appId: string;
|
|
51
|
+
appName: string;
|
|
52
|
+
appDescription?: string;
|
|
53
|
+
toolId?: string;
|
|
54
|
+
redirectUri: string;
|
|
55
|
+
}): AuthFlowState;
|
|
56
|
+
/** Build the `error` slot state (may have no pending auth yet). */
|
|
57
|
+
export declare function buildErrorState(data: {
|
|
58
|
+
error: string;
|
|
59
|
+
pendingAuthId?: string;
|
|
60
|
+
}): AuthFlowState;
|
|
61
|
+
export {};
|
|
62
|
+
//# sourceMappingURL=auth-ui.state.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-ui.state.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/auth-ui.state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAoB,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,KAAK,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE5G,+DAA+D;AAC/D,UAAU,UAAU;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,CAAC;IAClB,0EAA0E;IAC1E,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;CACxC;AAED,oCAAoC;AACpC,wBAAgB,eAAe,CAC7B,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GACvG,aAAa,CAcf;AAED,sCAAsC;AACtC,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GACvF,aAAa,CAaf;AAED,wCAAwC;AACxC,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,YAAY,EAAE,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GAC9F,aAAa,CAef;AAED,0CAA0C;AAC1C,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACtG,aAAa,CAiBf;AAED,mEAAmE;AACnE,wBAAgB,eAAe,CAAC,IAAI,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,aAAa,CAM9F"}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Custom authorization-UI wiring (#469 — slot→file map + name→handler map).
|
|
3
|
+
*
|
|
4
|
+
* For each OAuth flow slot the server TRANSFORMS the developer's registered
|
|
5
|
+
* `.tsx` ONCE (esbuild `transformSync`, single file — deps stay external) via
|
|
6
|
+
* `@frontmcp/uipack`'s pluggable `renderComponent`, inlines it as a `<script
|
|
7
|
+
* type="module">`, and loads react / react-dom / `@frontmcp/ui/auth` from esm.sh
|
|
8
|
+
* via an import-map. `@frontmcp/ui/auth`'s `mountAuthPage` renders the component
|
|
9
|
+
* client-side into the empty `#frontmcp-auth-root` mount, honoring the
|
|
10
|
+
* framework-free `@frontmcp/ui/auth` contract (the server holds a matching,
|
|
11
|
+
* server-owned write-shape in `auth-ui.contract.ts`). There is NO bundling and
|
|
12
|
+
* the server never imports or evaluates the component, nor `@frontmcp/ui`.
|
|
13
|
+
*
|
|
14
|
+
* Registration is the `auth.ui` / `auth.extras` maps on the auth config — there
|
|
15
|
+
* is no decorator and no class. See `@frontmcp/auth`'s `AuthUiMap` /
|
|
16
|
+
* `AuthExtraHandler`.
|
|
17
|
+
*
|
|
18
|
+
* @packageDocumentation
|
|
19
|
+
*/
|
|
20
|
+
export { AUTH_FLOW_GLOBAL_KEY, type AuthFlowState, type AuthSlot, type AuthProvider, type AuthTool, type AuthExtraResult, type AuthUiFileSource, } from './auth-ui.contract';
|
|
21
|
+
export { AuthUiRegistry, type AuthExtraRunResult } from './auth-ui.registry';
|
|
22
|
+
export { AUTH_MOUNT_ID, AUTH_UI_CSP, authUiExtraPath, authUiPageHeaders, authUiSecurityHeaders, buildAuthUiPage, } from './auth-ui.render';
|
|
23
|
+
export { buildLoginState, buildConsentState, buildFederatedState, buildIncrementalState, buildErrorState, } from './auth-ui.state';
|
|
24
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EACL,oBAAoB,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,KAAK,YAAY,EACjB,KAAK,QAAQ,EACb,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7E,OAAO,EACL,aAAa,EACb,WAAW,EACX,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,GAChB,MAAM,iBAAiB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.registry.d.ts","sourceRoot":"","sources":["../../src/auth/auth.registry.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAyC,KAAK,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAGzG,OAAO,EAEL,YAAY,EASZ,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAGlB,KAAK,UAAU,EAChB,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,gBAAgB,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAa5E,qBAAa,YAAa,SAAQ,gBAAgB,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;IAC3G,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAe;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAc;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IAEtC;;OAEG;IACH,QAAQ,CAAC,SAAS,EAAE,2BAA2B,CAAC;IAEhD;;OAEG;IACH,QAAQ,CAAC,qBAAqB,EAAE,OAAO,CAAC;gBAGtC,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EAC3B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,aAAa,EACpB,YAAY,CAAC,EAAE,gBAAgB;IA6CjC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAmB1B;;OAEG;IACH,OAAO,CAAC,cAAc;IA0BtB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsB7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;
|
|
1
|
+
{"version":3,"file":"auth.registry.d.ts","sourceRoot":"","sources":["../../src/auth/auth.registry.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAyC,KAAK,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAGzG,OAAO,EAEL,YAAY,EASZ,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAGlB,KAAK,UAAU,EAChB,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,gBAAgB,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAa5E,qBAAa,YAAa,SAAQ,gBAAgB,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;IAC3G,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAe;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAc;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IAEtC;;OAEG;IACH,QAAQ,CAAC,SAAS,EAAE,2BAA2B,CAAC;IAEhD;;OAEG;IACH,QAAQ,CAAC,qBAAqB,EAAE,OAAO,CAAC;gBAGtC,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EAC3B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,aAAa,EACpB,YAAY,CAAC,EAAE,gBAAgB;IA6CjC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAmB1B;;OAEG;IACH,OAAO,CAAC,cAAc;IA0BtB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsB7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;cA4BN,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,GAAG,sBAAsB,CAAC,kBAAkB,CAAC;IAgBjG,SAAS,CAAC,UAAU;cAqBJ,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAO3C,UAAU,IAAI,YAAY;IAO1B,gBAAgB,IAAI,iBAAiB,EAAE;CAGxC"}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Progressive/Incremental authorization support.
|
|
3
|
+
*
|
|
4
|
+
* The set of app IDs a verified token may use lives in the `authorized_apps`
|
|
5
|
+
* claim embedded by {@link LocalPrimaryAuth.signAccessToken}. That claim is ONLY
|
|
6
|
+
* present when `incrementalAuth` is enabled for the scope — its ABSENCE is
|
|
7
|
+
* meaningful: no app-level gating (the historical allow-all behavior is
|
|
8
|
+
* preserved). When present, `checkToolAuthorization` enforces that the tool's
|
|
9
|
+
* parent app is a member of the set, and an incremental authorize for a new app
|
|
10
|
+
* mints a fresh token whose claim is the UNION of the prior apps plus the newly
|
|
11
|
+
* authorized one.
|
|
12
|
+
*
|
|
13
|
+
* This mirrors the consent claim model (see `consent.utils.ts`): the grant is
|
|
14
|
+
* carried in verified JWT claims and re-minted via the OAuth code exchange, so
|
|
15
|
+
* it is genuinely enforced rather than tracked in dormant server state.
|
|
16
|
+
*/
|
|
17
|
+
/**
|
|
18
|
+
* Minimal `authInfo` projection this helper reads from. The HTTP request flow
|
|
19
|
+
* nests the verified user under `extra.user` (claims spread in via
|
|
20
|
+
* `deriveTypedUser`, so `authorized_apps` is present there); other transports
|
|
21
|
+
* may carry the user at the top level. The verified bearer `token` is the
|
|
22
|
+
* last-resort source — decoding it requires NO re-verification because the
|
|
23
|
+
* token already passed `session:verify` before any tool call runs.
|
|
24
|
+
*/
|
|
25
|
+
interface AuthorizedAppsAuthInfoLike {
|
|
26
|
+
token?: string;
|
|
27
|
+
user?: unknown;
|
|
28
|
+
extra?: unknown;
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Extract the authorized-app-id set from a verified `authInfo`.
|
|
32
|
+
*
|
|
33
|
+
* Returns:
|
|
34
|
+
* - a `Set<string>` of authorized app ids when the token carries an
|
|
35
|
+
* `authorized_apps` claim (the runtime enforcement set), or
|
|
36
|
+
* - `undefined` when there is NO such claim — the caller MUST treat this as
|
|
37
|
+
* "allow" so the default (incremental-disabled) behavior is preserved.
|
|
38
|
+
*
|
|
39
|
+
* Resolution order (first hit wins): `extra.user.authorized_apps`
|
|
40
|
+
* → `extra.authorized_apps` → `user.authorized_apps` → decode `token`. All
|
|
41
|
+
* sources are equivalent (they derive from the same verified claims); the
|
|
42
|
+
* fallbacks just make enforcement transport-agnostic.
|
|
43
|
+
*
|
|
44
|
+
* Security: this reads ALREADY-VERIFIED claims. The token decode path uses a
|
|
45
|
+
* no-verify payload decode purely to recover the claim that some transports
|
|
46
|
+
* drop from the projected `authInfo`; signature trust was established upstream
|
|
47
|
+
* in `auth:verify` / `session:verify`.
|
|
48
|
+
*/
|
|
49
|
+
export declare function getAuthorizedAppIds(authInfo: AuthorizedAppsAuthInfoLike | undefined): Set<string> | undefined;
|
|
50
|
+
export {};
|
|
51
|
+
//# sourceMappingURL=authorized-apps.utils.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authorized-apps.utils.d.ts","sourceRoot":"","sources":["../../src/auth/authorized-apps.utils.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;GAeG;AAEH;;;;;;;GAOG;AACH,UAAU,0BAA0B;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAoBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,0BAA0B,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,SAAS,CAW7G"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
import { type ToolCard } from '@frontmcp/auth';
|
|
2
|
+
import { type ScopeEntry } from '../common';
|
|
3
|
+
/**
|
|
4
|
+
* Result of projecting the scope's tools into a consent-ready shape.
|
|
5
|
+
*/
|
|
6
|
+
export interface ConsentToolProjection {
|
|
7
|
+
/** Tool cards for the consent screen, with `excludedTools` removed. */
|
|
8
|
+
toolCards: ToolCard[];
|
|
9
|
+
/**
|
|
10
|
+
* The offerable tool ids (effective runtime ids), with `excludedTools`
|
|
11
|
+
* removed. This is what the consent screen offers and what a submitted
|
|
12
|
+
* selection is validated against.
|
|
13
|
+
*/
|
|
14
|
+
availableToolIds: string[];
|
|
15
|
+
}
|
|
16
|
+
/**
|
|
17
|
+
* Project the scope's tools into consent cards + available ids, applying the
|
|
18
|
+
* `excludedTools` filter (excluded tools are NEVER offered and NEVER required,
|
|
19
|
+
* because they are always available regardless of consent).
|
|
20
|
+
*
|
|
21
|
+
* Used by BOTH the authorize flow (to seed `pendingAuth.consent.availableToolIds`)
|
|
22
|
+
* and the callback flow (to render the consent screen + validate a submission),
|
|
23
|
+
* so the two surfaces can never drift.
|
|
24
|
+
*/
|
|
25
|
+
export declare function projectConsentTools(scope: ScopeEntry, excludedTools?: string[]): ConsentToolProjection;
|
|
26
|
+
//# sourceMappingURL=consent-tools.helper.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"consent-tools.helper.d.ts","sourceRoot":"","sources":["../../src/auth/consent-tools.helper.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,uEAAuE;IACvE,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB;;;;OAIG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAiBD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE,aAAa,CAAC,EAAE,MAAM,EAAE,GAAG,qBAAqB,CA+BtG"}
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shape of the `consent` claim embedded in a FrontMCP-minted access token by
|
|
3
|
+
* {@link LocalPrimaryAuth.signAccessToken}:
|
|
4
|
+
*
|
|
5
|
+
* ```json
|
|
6
|
+
* { "consent": { "enabled": true, "selectedTools": ["app:tool", ...] } }
|
|
7
|
+
* ```
|
|
8
|
+
*
|
|
9
|
+
* Only present when consent mode was enabled for the authorization that minted
|
|
10
|
+
* the token. Its ABSENCE is meaningful: consent disabled ⇒ no enforcement.
|
|
11
|
+
*/
|
|
12
|
+
export interface ConsentClaim {
|
|
13
|
+
enabled?: boolean;
|
|
14
|
+
selectedTools?: string[];
|
|
15
|
+
}
|
|
16
|
+
/**
|
|
17
|
+
* Minimal `authInfo` projection this helper reads from. The HTTP request flow
|
|
18
|
+
* nests the verified user under `extra.user` (claims spread in via
|
|
19
|
+
* `deriveTypedUser`, so `consent` is present there); other transports may carry
|
|
20
|
+
* the user at the top level. The verified bearer `token` is the last-resort
|
|
21
|
+
* source — decoding it requires NO re-verification because the token already
|
|
22
|
+
* passed `session:verify` before any tool call runs.
|
|
23
|
+
*/
|
|
24
|
+
interface ConsentAuthInfoLike {
|
|
25
|
+
token?: string;
|
|
26
|
+
user?: unknown;
|
|
27
|
+
extra?: unknown;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Extract the consented tool-id set from a verified `authInfo`.
|
|
31
|
+
*
|
|
32
|
+
* Returns:
|
|
33
|
+
* - a `Set<string>` of selected tool ids when the token carries an ENABLED
|
|
34
|
+
* `consent` claim (the runtime enforcement set), or
|
|
35
|
+
* - `undefined` when there is NO consent metadata — the caller MUST treat this
|
|
36
|
+
* as "allow" so the default (consent-disabled) behavior is preserved.
|
|
37
|
+
*
|
|
38
|
+
* Resolution order (first hit wins): `extra.user.consent` → `extra.consent`
|
|
39
|
+
* → `user.consent` → decode `token`. All sources are equivalent (they derive
|
|
40
|
+
* from the same verified claims); the fallbacks just make enforcement
|
|
41
|
+
* transport-agnostic.
|
|
42
|
+
*
|
|
43
|
+
* Security: this reads ALREADY-VERIFIED claims. The token decode path uses a
|
|
44
|
+
* no-verify payload decode purely to recover the `consent` claim that some
|
|
45
|
+
* transports drop from the projected `authInfo`; signature trust was
|
|
46
|
+
* established upstream in `auth:verify` / `session:verify`.
|
|
47
|
+
*/
|
|
48
|
+
export declare function getConsentedToolIds(authInfo: ConsentAuthInfoLike | undefined): Set<string> | undefined;
|
|
49
|
+
/**
|
|
50
|
+
* Test whether a tool id is permitted by the consent set returned from
|
|
51
|
+
* {@link getConsentedToolIds}.
|
|
52
|
+
*
|
|
53
|
+
* - `consented === undefined` (no consent metadata) ⇒ always allowed.
|
|
54
|
+
* - otherwise the tool id must be a member of the set.
|
|
55
|
+
*
|
|
56
|
+
* `toolIds` accepts the tool's candidate identifiers (e.g. `fullName` and bare
|
|
57
|
+
* `name`); the tool is allowed if ANY of them was consented, matching the
|
|
58
|
+
* available-tool ids surfaced on the consent screen.
|
|
59
|
+
*/
|
|
60
|
+
export declare function isToolConsented(consented: Set<string> | undefined, ...toolIds: Array<string | undefined>): boolean;
|
|
61
|
+
export {};
|
|
62
|
+
//# sourceMappingURL=consent.utils.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"consent.utils.d.ts","sourceRoot":"","sources":["../../src/auth/consent.utils.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;GAUG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;;;;;;GAOG;AACH,UAAU,mBAAmB;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IAIf,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAsBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,mBAAmB,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,SAAS,CAatG;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,SAAS,EAAE,GAAG,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,SAAS,CAAC,GAAG,OAAO,CAGlH"}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Credentials Context Extension (Checkpoint 3b)
|
|
3
|
+
*
|
|
4
|
+
* Module augmentation + context-extension configuration that adds
|
|
5
|
+
* `this.credentials` to ExecutionContextBase, mirroring `this.authProviders`
|
|
6
|
+
* and `this.orchestration`.
|
|
7
|
+
*
|
|
8
|
+
* `this.credentials` exposes the per-session, encrypted {@link CredentialsAccessor}
|
|
9
|
+
* so tools can read credentials a local `authenticate()` verifier persisted, and
|
|
10
|
+
* ask the agent to connect a missing credential mid-session via a
|
|
11
|
+
* framework-signed resume URL.
|
|
12
|
+
*/
|
|
13
|
+
import { type CredentialsAccessor } from '@frontmcp/auth';
|
|
14
|
+
import type { ContextExtension } from '../../common/metadata/plugin.metadata';
|
|
15
|
+
declare module '../../common/interfaces/execution-context.interface' {
|
|
16
|
+
interface ExecutionContextBase {
|
|
17
|
+
/**
|
|
18
|
+
* Access per-session credentials persisted by a local `authenticate()`
|
|
19
|
+
* verifier (Checkpoint 3b). Only available in `local`/`remote` auth modes.
|
|
20
|
+
*
|
|
21
|
+
* @example
|
|
22
|
+
* ```typescript
|
|
23
|
+
* @Tool({ name: 'call_acme' })
|
|
24
|
+
* class CallAcmeTool extends ToolContext {
|
|
25
|
+
* async execute(input: Input): Promise<Output> {
|
|
26
|
+
* // Read a stored credential for the current session's subject
|
|
27
|
+
* const cred = await this.credentials.get('acme');
|
|
28
|
+
* if (!cred) {
|
|
29
|
+
* // Ask the user to connect it mid-session via a signed resume URL
|
|
30
|
+
* const res = await this.credentials.requireConnect({ key: 'acme' });
|
|
31
|
+
* if (!res.connected) {
|
|
32
|
+
* return { needsConnect: res.resumeUrl };
|
|
33
|
+
* }
|
|
34
|
+
* }
|
|
35
|
+
* // use cred.secret / cred.metadata …
|
|
36
|
+
* }
|
|
37
|
+
* }
|
|
38
|
+
* ```
|
|
39
|
+
*/
|
|
40
|
+
readonly credentials: CredentialsAccessor;
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
/**
|
|
44
|
+
* Context extension configuration for `this.credentials`. Registers the lazy
|
|
45
|
+
* getter on ExecutionContextBase.prototype; resolves {@link CREDENTIALS_ACCESSOR}
|
|
46
|
+
* from the request scope.
|
|
47
|
+
*/
|
|
48
|
+
export declare const credentialsContextExtension: ContextExtension;
|
|
49
|
+
/**
|
|
50
|
+
* Get the {@link CredentialsAccessor} from a context. Throws via the DI layer
|
|
51
|
+
* when not configured (see {@link credentialsContextExtension.errorMessage}).
|
|
52
|
+
*/
|
|
53
|
+
export declare function getCredentials(ctx: {
|
|
54
|
+
get: <T>(token: unknown) => T;
|
|
55
|
+
}): CredentialsAccessor;
|
|
56
|
+
/**
|
|
57
|
+
* Try to get the {@link CredentialsAccessor}; returns undefined when not
|
|
58
|
+
* available (graceful degradation).
|
|
59
|
+
*/
|
|
60
|
+
export declare function tryGetCredentials(ctx: {
|
|
61
|
+
tryGet: <T>(token: unknown) => T | undefined;
|
|
62
|
+
}): CredentialsAccessor | undefined;
|
|
63
|
+
//# sourceMappingURL=credentials.context-extension.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.context-extension.d.ts","sourceRoot":"","sources":["../../../src/auth/credentials/credentials.context-extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAwB,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAEhF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAM9E,OAAO,QAAQ,qDAAqD,CAAC;IACnE,UAAU,oBAAoB;QAC5B;;;;;;;;;;;;;;;;;;;;;;WAsBG;QACH,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;KAC3C;CACF;AAMD;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,EAAE,gBAMzC,CAAC;AAMF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE;IAAE,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,CAAA;CAAE,GAAG,mBAAmB,CAE1F;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE;IACrC,MAAM,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;CAC9C,GAAG,mBAAmB,GAAG,SAAS,CAElC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Credentials DI Providers (Checkpoint 3b)
|
|
3
|
+
*
|
|
4
|
+
* Registers the per-request {@link CredentialsAccessor} (`this.credentials`).
|
|
5
|
+
* The vault itself is a GLOBAL singleton owned by LocalPrimaryAuth; the accessor
|
|
6
|
+
* is CONTEXT-scoped because it must resolve the CURRENT request's authenticated
|
|
7
|
+
* subject (from {@link FrontMcpContext}) before reading the vault.
|
|
8
|
+
*/
|
|
9
|
+
import { type SessionCredentialVault } from '@frontmcp/auth';
|
|
10
|
+
import { type Token } from '@frontmcp/di';
|
|
11
|
+
import { type ProviderType } from '../../common';
|
|
12
|
+
import { type FrontMcpContext } from '../../context/frontmcp-context';
|
|
13
|
+
/**
|
|
14
|
+
* GLOBAL DI token for the per-session credential vault singleton. Provided by
|
|
15
|
+
* LocalPrimaryAuth once its storage backend is initialized.
|
|
16
|
+
*/
|
|
17
|
+
export declare const SESSION_CREDENTIAL_VAULT: Token<SessionCredentialVault>;
|
|
18
|
+
/**
|
|
19
|
+
* Resolve the authenticated subject for the current request from the verified
|
|
20
|
+
* auth info. The HTTP request flow stores the verified JWT user under
|
|
21
|
+
* `authInfo.extra.user`; the JWT `sub` is the credential-vault key. Anonymous
|
|
22
|
+
* sessions (`sub` empty or `anon:` prefixed) yield undefined so no credentials
|
|
23
|
+
* are exposed.
|
|
24
|
+
*/
|
|
25
|
+
export declare function resolveRequestSub(ctx: FrontMcpContext): string | undefined;
|
|
26
|
+
/**
|
|
27
|
+
* Build the DI providers that back `this.credentials`.
|
|
28
|
+
*
|
|
29
|
+
* @param vault - the GLOBAL credential vault singleton.
|
|
30
|
+
* @param signingSecret - server HMAC secret used to sign resume tokens.
|
|
31
|
+
* @param basePath - auth scope base path used to build resume URLs.
|
|
32
|
+
* @param resumeTtlMs - optional resume-token TTL override.
|
|
33
|
+
*/
|
|
34
|
+
export declare function createCredentialsProviders(opts: {
|
|
35
|
+
vault: SessionCredentialVault;
|
|
36
|
+
signingSecret: string;
|
|
37
|
+
basePath: string;
|
|
38
|
+
resumeTtlMs?: number;
|
|
39
|
+
}): ProviderType[];
|
|
40
|
+
//# sourceMappingURL=credentials.providers.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.providers.d.ts","sourceRoot":"","sources":["../../../src/auth/credentials/credentials.providers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAiD,KAAK,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAC5G,OAAO,EAAiB,KAAK,KAAK,EAAE,MAAM,cAAc,CAAC;AAEzD,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAGtE;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAEhC,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAEnC;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,GAAG,SAAS,CAO1E;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE;IAC/C,KAAK,EAAE,sBAAsB,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GAAG,YAAY,EAAE,CA6BjB"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/credentials/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAGlH,OAAO,EAAE,2BAA2B,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/auth.verify.flow.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAiBL,KAAK,aAAa,EAMnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAKvC,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAG3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;gCAUf,CAAC;AA2BH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAEvG,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAGtE,QAAA,MAAM,IAAI;;;CAU2B,CAAC;AAGtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,sBAAsB,EAC7B,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAGpC;;;;;;;;;GASG;AAQH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAE3D;;OAEG;IAEG,UAAU;IA6BhB;;OAEG;IAEG,iBAAiB;IAcvB;;OAEG;IAIG,gBAAgB;IAqBtB;;;OAGG;IAQG,uBAAuB;IAsB7B;;OAEG;IAWG,0BAA0B;IAShC;;OAEG;IAIG,WAAW;
|
|
1
|
+
{"version":3,"file":"auth.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/auth.verify.flow.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAiBL,KAAK,aAAa,EAMnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAKvC,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAG3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;gCAUf,CAAC;AA2BH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAEvG,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAGtE,QAAA,MAAM,IAAI;;;CAU2B,CAAC;AAGtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,sBAAsB,EAC7B,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAGpC;;;;;;;;;GASG;AAQH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAE3D;;OAEG;IAEG,UAAU;IA6BhB;;OAEG;IAEG,iBAAiB;IAcvB;;OAEG;IAIG,gBAAgB;IAqBtB;;;OAGG;IAQG,uBAAuB;IAsB7B;;OAEG;IAWG,0BAA0B;IAShC;;OAEG;IAIG,WAAW;IAoHjB;;OAEG;IAEG,kBAAkB;IA8FxB;;OAEG;IACH,OAAO,CAAC,QAAQ;IA0BhB;;OAEG;IACH,OAAO,CAAC,WAAW;CAMpB"}
|