@inkeep/agents-core 0.0.0-dev-20250910233133

package/dist/utils/auth-detection.js

@@ -0,0 +1,148 @@
+/**
+ * Centralized authentication detection utilities for MCP tools
+ */
+/**
+ * Helper function to construct well-known OAuth endpoint URLs
+ */
+const getWellKnownUrls = (baseUrl) => [
+    `${baseUrl}/.well-known/oauth-authorization-server`,
+    `${baseUrl}/.well-known/openid-configuration`,
+];
+/**
+ * Helper function to validate OAuth metadata for PKCE support
+ */
+const validateOAuthMetadata = (metadata) => {
+    return metadata.code_challenge_methods_supported?.includes('S256');
+};
+/**
+ * Helper function to construct OAuthConfig from metadata
+ */
+const buildOAuthConfig = (metadata) => ({
+    authorizationUrl: metadata.authorization_endpoint,
+    tokenUrl: metadata.token_endpoint,
+    registrationUrl: metadata.registration_endpoint,
+    supportsDynamicRegistration: !!metadata.registration_endpoint,
+});
+/**
+ * Helper function to try OAuth discovery at well-known endpoints
+ */
+const tryWellKnownEndpoints = async (baseUrl, logger) => {
+    const wellKnownUrls = getWellKnownUrls(baseUrl);
+    for (const wellKnownUrl of wellKnownUrls) {
+        try {
+            const response = await fetch(wellKnownUrl);
+            if (response.ok) {
+                const metadata = await response.json();
+                if (validateOAuthMetadata(metadata)) {
+                    logger?.debug({ baseUrl, wellKnownUrl }, 'OAuth 2.1/PKCE support detected');
+                    return buildOAuthConfig(metadata);
+                }
+            }
+        }
+        catch (error) {
+            logger?.debug({ wellKnownUrl, error }, 'OAuth endpoint check failed');
+        }
+    }
+    return null;
+};
+/**
+ * Check if a server supports OAuth 2.1/PKCE endpoints (simple boolean)
+ */
+const checkForOAuthEndpoints = async (serverUrl, logger) => {
+    const config = await discoverOAuthEndpoints(serverUrl, logger);
+    return config !== null;
+};
+/**
+ * Full OAuth endpoint discovery with complete configuration
+ */
+export const discoverOAuthEndpoints = async (serverUrl, logger) => {
+    try {
+        // 1. Try direct 401 response first
+        const response = await fetch(serverUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({}),
+        });
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get('WWW-Authenticate');
+            if (wwwAuth) {
+                // Parse Protected Resource Metadata URL from WWW-Authenticate header
+                const metadataMatch = wwwAuth.match(/as_uri="([^"]+)"/);
+                if (metadataMatch) {
+                    const metadataResponse = await fetch(metadataMatch[1]);
+                    if (metadataResponse.ok) {
+                        const metadata = (await metadataResponse.json());
+                        if (metadata.authorization_servers?.length > 0) {
+                            return await tryWellKnownEndpoints(metadata.authorization_servers[0], logger);
+                        }
+                    }
+                }
+            }
+        }
+    }
+    catch (_error) {
+        // Continue to well-known endpoints
+    }
+    // 2. Try well-known endpoints
+    const url = new URL(serverUrl);
+    const baseUrl = `${url.protocol}//${url.host}`;
+    return await tryWellKnownEndpoints(baseUrl, logger);
+};
+/**
+ * Detect if OAuth 2.1/PKCE authentication is specifically required for a tool
+ */
+export const detectAuthenticationRequired = async (tool, error, logger) => {
+    const serverUrl = tool.config.mcp.server.url;
+    // 1. First, try OAuth 2.1/PKCE endpoint discovery (most reliable for our use case)
+    let hasOAuthEndpoints = false;
+    try {
+        hasOAuthEndpoints = await checkForOAuthEndpoints(serverUrl);
+        if (hasOAuthEndpoints) {
+            logger?.info({ toolId: tool.id, serverUrl }, 'OAuth 2.1/PKCE support confirmed via endpoint discovery');
+            return true; // Server supports OAuth 2.1/PKCE, prioritize this
+        }
+    }
+    catch (discoveryError) {
+        logger?.debug({ toolId: tool.id, discoveryError }, 'OAuth endpoint discovery failed');
+    }
+    // 2. Check for 401 with OAuth-specific WWW-Authenticate header
+    try {
+        const response = await fetch(serverUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                jsonrpc: '2.0',
+                method: 'initialize',
+                id: 1,
+                params: { protocolVersion: '2024-11-05', capabilities: {} },
+            }),
+        });
+        // Check for 401 with OAuth-specific WWW-Authenticate header
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get('WWW-Authenticate');
+            // Only return true for OAuth-specific auth schemes (not Basic, API Key, etc.)
+            if (wwwAuth &&
+                (wwwAuth.toLowerCase().includes('bearer') ||
+                    wwwAuth.toLowerCase().includes('oauth') ||
+                    wwwAuth.toLowerCase().includes('authorization_uri'))) {
+                logger?.info({ toolId: tool.id, wwwAuth }, 'OAuth authentication detected via WWW-Authenticate header');
+                return true;
+            }
+        }
+    }
+    catch (fetchError) {
+        logger?.debug({ toolId: tool.id, fetchError }, 'Direct fetch authentication check failed');
+    }
+    // 3. Check if 401 error message AND OAuth endpoints exist together
+    if (error.message.includes('401') || error.message.toLowerCase().includes('unauthorized')) {
+        if (hasOAuthEndpoints) {
+            logger?.info({ toolId: tool.id, error: error.message }, 'OAuth required: 401 error + OAuth endpoints detected');
+            return true; // Only return true if BOTH 401 AND OAuth endpoints exist
+        }
+    }
+    // If none of the OAuth-specific checks pass, return false
+    // (This means we won't trigger OAuth flow for Basic Auth, API keys, etc.)
+    logger?.debug({ toolId: tool.id, error: error.message }, 'No OAuth authentication requirement detected');
+    return false;
+};
+//# sourceMappingURL=auth-detection.js.map

package/dist/utils/auth-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-detection.js","sourceRoot":"","sources":["../../src/utils/auth-detection.ts"],"names":[],"mappings":"AAAA;;GAEG;AAeH;;GAEG;AACH,MAAM,gBAAgB,GAAG,CAAC,OAAe,EAAY,EAAE,CAAC;IACtD,GAAG,OAAO,yCAAyC;IACnD,GAAG,OAAO,mCAAmC;CAC9C,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAG,CAAC,QAAa,EAAW,EAAE;IACvD,OAAO,QAAQ,CAAC,gCAAgC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AACrE,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAG,CAAC,QAAa,EAAe,EAAE,CAAC,CAAC;IACxD,gBAAgB,EAAE,QAAQ,CAAC,sBAAsB;IACjD,QAAQ,EAAE,QAAQ,CAAC,cAAc;IACjC,eAAe,EAAE,QAAQ,CAAC,qBAAqB;IAC/C,2BAA2B,EAAE,CAAC,CAAC,QAAQ,CAAC,qBAAqB;CAC9D,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,qBAAqB,GAAG,KAAK,EACjC,OAAe,EACf,MAAe,EACc,EAAE;IAC/B,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAEhD,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3C,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACvC,IAAI,qBAAqB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACpC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,iCAAiC,CAAC,CAAC;oBAC5E,OAAO,gBAAgB,CAAC,QAAQ,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,EAAE,KAAK,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,EAAE,6BAA6B,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG,KAAK,EAAE,SAAiB,EAAE,MAAe,EAAoB,EAAE;IAC5F,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC/D,OAAO,MAAM,KAAK,IAAI,CAAC;AACzB,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EACzC,SAAiB,EACjB,MAAe,EACc,EAAE;IAC/B,IAAI,CAAC;QACH,mCAAmC;QACnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACtC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;SACzB,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACzD,IAAI,OAAO,EAAE,CAAC;gBACZ,qEAAqE;gBACrE,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;gBACxD,IAAI,aAAa,EAAE,CAAC;oBAClB,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;oBACvD,IAAI,gBAAgB,CAAC,EAAE,EAAE,CAAC;wBACxB,MAAM,QAAQ,GAAG,CAAC,MAAM,gBAAgB,CAAC,IAAI,EAAE,CAAQ,CAAC;wBACxD,IAAI,QAAQ,CAAC,qBAAqB,EAAE,MAAM,GAAG,CAAC,EAAE,CAAC;4BAC/C,OAAO,MAAM,qBAAqB,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;wBAChF,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,MAAM,EAAE,CAAC;QAChB,mCAAmC;IACrC,CAAC;IAED,8BAA8B;IAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;IAE/C,OAAO,MAAM,qBAAqB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACtD,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,EAC/C,IAAa,EACb,KAAY,EACZ,MAAe,EACG,EAAE;IACpB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;IAE7C,mFAAmF;IACnF,IAAI,iBAAiB,GAAG,KAAK,CAAC;IAC9B,IAAI,CAAC;QACH,iBAAiB,GAAG,MAAM,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC5D,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,EAAE,IAAI,CACV,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,EAC9B,yDAAyD,CAC1D,CAAC;YACF,OAAO,IAAI,CAAC,CAAC,kDAAkD;QACjE,CAAC;IACH,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,cAAc,EAAE,EAAE,iCAAiC,CAAC,CAAC;IACxF,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACtC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,YAAY;gBACpB,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,EAAE,eAAe,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,EAAE;aAC5D,CAAC;SACH,CAAC,CAAC;QAEH,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACzD,8EAA8E;YAC9E,IACE,OAAO;gBACP,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBACvC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;oBACvC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,EACtD,CAAC;gBACD,MAAM,EAAE,IAAI,CACV,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,EAC5B,2DAA2D,CAC5D,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,UAAU,EAAE,CAAC;QACpB,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,0CAA0C,CAAC,CAAC;IAC7F,CAAC;IAED,mEAAmE;IACnE,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1F,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,EAAE,IAAI,CACV,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,EACzC,sDAAsD,CACvD,CAAC;YACF,OAAO,IAAI,CAAC,CAAC,yDAAyD;QACxE,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,0EAA0E;IAC1E,MAAM,EAAE,KAAK,CACX,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,EACzC,8CAA8C,CAC/C,CAAC;IACF,OAAO,KAAK,CAAC;AACf,CAAC,CAAC"}

package/dist/utils/credential-store-utils.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Get a lookup key for a credential store from retrieval params
+ * @param retrievalParams - The retrieval params for the credential store
+ * @param credentialStoreType - The type of credential store
+ * @returns A lookup key for the credential store, used to call <CredentialStore>.get()
+ */
+export declare function getCredentialStoreLookupKeyFromRetrievalParams({ retrievalParams, credentialStoreType, }: {
+    retrievalParams: Record<string, unknown>;
+    credentialStoreType: string;
+}): string | null;
+//# sourceMappingURL=credential-store-utils.d.ts.map

package/dist/utils/credential-store-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store-utils.d.ts","sourceRoot":"","sources":["../../src/utils/credential-store-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,8CAA8C,CAAC,EAC7D,eAAe,EACf,mBAAmB,GACpB,EAAE;IACD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,mBAAmB,EAAE,MAAM,CAAC;CAC7B,GAAG,MAAM,GAAG,IAAI,CAahB"}

package/dist/utils/credential-store-utils.js

@@ -0,0 +1,19 @@
+/**
+ * Get a lookup key for a credential store from retrieval params
+ * @param retrievalParams - The retrieval params for the credential store
+ * @param credentialStoreType - The type of credential store
+ * @returns A lookup key for the credential store, used to call <CredentialStore>.get()
+ */
+export function getCredentialStoreLookupKeyFromRetrievalParams({ retrievalParams, credentialStoreType, }) {
+    if (retrievalParams.key) {
+        return retrievalParams.key;
+    }
+    if (credentialStoreType === 'nango') {
+        return JSON.stringify({
+            connectionId: retrievalParams.connectionId,
+            providerConfigKey: retrievalParams.providerConfigKey,
+        });
+    }
+    return null;
+}
+//# sourceMappingURL=credential-store-utils.js.map

package/dist/utils/credential-store-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store-utils.js","sourceRoot":"","sources":["../../src/utils/credential-store-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,8CAA8C,CAAC,EAC7D,eAAe,EACf,mBAAmB,GAIpB;IACC,IAAI,eAAe,CAAC,GAAG,EAAE,CAAC;QACxB,OAAO,eAAe,CAAC,GAAa,CAAC;IACvC,CAAC;IAED,IAAI,mBAAmB,KAAK,OAAO,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,YAAY,EAAE,eAAe,CAAC,YAAY;YAC1C,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;SACrD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}