@inkeep/agents-manage-api 0.1.1 → 0.1.6

package/dist/utils/auth-detection.js

@@ -1,149 +0,0 @@
-/**
- * Centralized authentication detection utilities for MCP tools
- */
-import { getLogger } from '../logger.js';
-const logger = getLogger('auth-detection');
-/**
- * Helper function to construct well-known OAuth endpoint URLs
- */
-const getWellKnownUrls = (baseUrl) => [
-    `${baseUrl}/.well-known/oauth-authorization-server`,
-    `${baseUrl}/.well-known/openid-configuration`,
-];
-/**
- * Helper function to validate OAuth metadata for PKCE support
- */
-const validateOAuthMetadata = (metadata) => {
-    return metadata.code_challenge_methods_supported?.includes('S256');
-};
-/**
- * Helper function to construct OAuthConfig from metadata
- */
-const buildOAuthConfig = (metadata) => ({
-    authorizationUrl: metadata.authorization_endpoint,
-    tokenUrl: metadata.token_endpoint,
-    registrationUrl: metadata.registration_endpoint,
-    supportsDynamicRegistration: !!metadata.registration_endpoint,
-});
-/**
- * Helper function to try OAuth discovery at well-known endpoints
- */
-const tryWellKnownEndpoints = async (baseUrl) => {
-    const wellKnownUrls = getWellKnownUrls(baseUrl);
-    for (const wellKnownUrl of wellKnownUrls) {
-        try {
-            const response = await fetch(wellKnownUrl);
-            if (response.ok) {
-                const metadata = await response.json();
-                if (validateOAuthMetadata(metadata)) {
-                    logger.debug({ baseUrl, wellKnownUrl }, 'OAuth 2.1/PKCE support detected');
-                    return buildOAuthConfig(metadata);
-                }
-            }
-        }
-        catch (error) {
-            logger.debug({ wellKnownUrl, error }, 'OAuth endpoint check failed');
-        }
-    }
-    return null;
-};
-/**
- * Check if a server supports OAuth 2.1/PKCE endpoints (simple boolean)
- */
-const checkForOAuthEndpoints = async (serverUrl) => {
-    const config = await discoverOAuthEndpoints(serverUrl);
-    return config !== null;
-};
-/**
- * Full OAuth endpoint discovery with complete configuration
- */
-export const discoverOAuthEndpoints = async (serverUrl) => {
-    try {
-        // 1. Try direct 401 response first
-        const response = await fetch(serverUrl, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({}),
-        });
-        if (response.status === 401) {
-            const wwwAuth = response.headers.get('WWW-Authenticate');
-            if (wwwAuth) {
-                // Parse Protected Resource Metadata URL from WWW-Authenticate header
-                const metadataMatch = wwwAuth.match(/as_uri="([^"]+)"/);
-                if (metadataMatch) {
-                    const metadataResponse = await fetch(metadataMatch[1]);
-                    if (metadataResponse.ok) {
-                        const metadata = await metadataResponse.json();
-                        if (metadata.authorization_servers?.length > 0) {
-                            return await tryWellKnownEndpoints(metadata.authorization_servers[0]);
-                        }
-                    }
-                }
-            }
-        }
-    }
-    catch (_error) {
-        // Continue to well-known endpoints
-    }
-    // 2. Try well-known endpoints
-    const url = new URL(serverUrl);
-    const baseUrl = `${url.protocol}//${url.host}`;
-    return await tryWellKnownEndpoints(baseUrl);
-};
-/**
- * Detect if OAuth 2.1/PKCE authentication is specifically required for a tool
- */
-export const detectAuthenticationRequired = async (tool, error) => {
-    const serverUrl = tool.config.mcp.server.url;
-    // 1. First, try OAuth 2.1/PKCE endpoint discovery (most reliable for our use case)
-    let hasOAuthEndpoints = false;
-    try {
-        hasOAuthEndpoints = await checkForOAuthEndpoints(serverUrl);
-        if (hasOAuthEndpoints) {
-            logger.info({ toolId: tool.id, serverUrl }, 'OAuth 2.1/PKCE support confirmed via endpoint discovery');
-            return true; // Server supports OAuth 2.1/PKCE, prioritize this
-        }
-    }
-    catch (discoveryError) {
-        logger.debug({ toolId: tool.id, discoveryError }, 'OAuth endpoint discovery failed');
-    }
-    // 2. Check for 401 with OAuth-specific WWW-Authenticate header
-    try {
-        const response = await fetch(serverUrl, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                jsonrpc: '2.0',
-                method: 'initialize',
-                id: 1,
-                params: { protocolVersion: '2024-11-05', capabilities: {} },
-            }),
-        });
-        // Check for 401 with OAuth-specific WWW-Authenticate header
-        if (response.status === 401) {
-            const wwwAuth = response.headers.get('WWW-Authenticate');
-            // Only return true for OAuth-specific auth schemes (not Basic, API Key, etc.)
-            if (wwwAuth &&
-                (wwwAuth.toLowerCase().includes('bearer') ||
-                    wwwAuth.toLowerCase().includes('oauth') ||
-                    wwwAuth.toLowerCase().includes('authorization_uri'))) {
-                logger.info({ toolId: tool.id, wwwAuth }, 'OAuth authentication detected via WWW-Authenticate header');
-                return true;
-            }
-        }
-    }
-    catch (fetchError) {
-        logger.debug({ toolId: tool.id, fetchError }, 'Direct fetch authentication check failed');
-    }
-    // 3. Check if 401 error message AND OAuth endpoints exist together
-    if (error.message.includes('401') || error.message.toLowerCase().includes('unauthorized')) {
-        if (hasOAuthEndpoints) {
-            logger.info({ toolId: tool.id, error: error.message }, 'OAuth required: 401 error + OAuth endpoints detected');
-            return true; // Only return true if BOTH 401 AND OAuth endpoints exist
-        }
-    }
-    // If none of the OAuth-specific checks pass, return false
-    // (This means we won't trigger OAuth flow for Basic Auth, API keys, etc.)
-    logger.debug({ toolId: tool.id, error: error.message }, 'No OAuth authentication requirement detected');
-    return false;
-};

package/dist/utils/oauth-service.d.ts

@@ -1,88 +0,0 @@
-/**
- * Centralized OAuth service for MCP tools
- * Handles the complete OAuth 2.1/PKCE flow for MCP tool authentication
- */
-import type { McpTool } from '@inkeep/agents-core';
-import { type OAuthConfig } from './auth-detection.js';
-/**
- * Retrieve and remove PKCE verifier
- */
-export declare function retrievePKCEVerifier(state: string): {
-    codeVerifier: string;
-    toolId: string;
-    tenantId: string;
-    projectId: string;
-    clientId: string;
-} | null;
-/**
- * OAuth client configuration
- */
-interface OAuthClientConfig {
-    defaultClientId?: string;
-    clientName?: string;
-    clientUri?: string;
-    logoUri?: string;
-    redirectBaseUrl?: string;
-}
-/**
- * OAuth flow initiation result
- */
-interface OAuthInitiationResult {
-    redirectUrl: string;
-    state: string;
-}
-/**
- * Token exchange result
- */
-interface TokenExchangeResult {
-    tokens: any;
-    oAuthConfig: OAuthConfig;
-}
-/**
- * OAuth service class that handles the complete OAuth flow
- */
-declare class OAuthService {
-    private defaultConfig;
-    constructor(config?: OAuthClientConfig);
-    /**
-     * Initiate OAuth flow for an MCP tool
-     */
-    initiateOAuthFlow(params: {
-        tool: McpTool;
-        tenantId: string;
-        projectId: string;
-        toolId: string;
-    }): Promise<OAuthInitiationResult>;
-    /**
-     * Exchange authorization code for access tokens
-     */
-    exchangeCodeForTokens(params: {
-        code: string;
-        codeVerifier: string;
-        clientId: string;
-        tool: McpTool;
-    }): Promise<TokenExchangeResult>;
-    /**
-     * Perform dynamic client registration
-     */
-    private performDynamicClientRegistration;
-    /**
-     * Build authorization URL
-     */
-    private buildAuthorizationUrl;
-    /**
-     * Exchange code using openid-client library
-     */
-    private exchangeWithOpenIdClient;
-    /**
-     * Internal PKCE generation
-     */
-    private generatePKCEInternal;
-    /**
-     * Manual token exchange fallback
-     */
-    private exchangeManually;
-}
-export declare const oauthService: OAuthService;
-export {};
-//# sourceMappingURL=oauth-service.d.ts.map

package/dist/utils/oauth-service.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-service.d.ts","sourceRoot":"","sources":["../../src/utils/oauth-service.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA0B,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAsC/E;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG;IACnD,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,IAAI,CAOP;AAED;;GAEG;AACH,UAAU,iBAAiB;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,UAAU,qBAAqB;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,UAAU,mBAAmB;IAC3B,MAAM,EAAE,GAAG,CAAC;IACZ,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED;;GAEG;AACH,cAAM,YAAY;IAChB,OAAO,CAAC,aAAa,CAA8B;gBAEvC,MAAM,GAAE,iBAAsB;IAe1C;;OAEG;IACG,iBAAiB,CAAC,MAAM,EAAE;QAC9B,IAAI,EAAE,OAAO,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA6ClC;;OAEG;IACG,qBAAqB,CAAC,MAAM,EAAE;QAClC,IAAI,EAAE,MAAM,CAAC;QACb,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,OAAO,CAAC;KACf,GAAG,OAAO,CAAC,mBAAmB,CAAC;IA2ChC;;OAEG;YACW,gCAAgC;IAiD9C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsB7B;;OAEG;YACW,wBAAwB;IAiCtC;;OAEG;YACW,oBAAoB;IAgBlC;;OAEG;YACW,gBAAgB;CA4C/B;AAGD,eAAO,MAAM,YAAY,cAAqB,CAAC"}

package/dist/utils/oauth-service.js

@@ -1,240 +0,0 @@
-/**
- * Centralized OAuth service for MCP tools
- * Handles the complete OAuth 2.1/PKCE flow for MCP tool authentication
- */
-import { getLogger } from '../logger.js';
-import { discoverOAuthEndpoints } from './auth-detection.js';
-const logger = getLogger('oauth-service');
-// PKCE storage (TODO: Use Redis or database in production)
-const pkceStore = new Map();
-/**
- * Store PKCE verifier for later use in token exchange
- */
-function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
-    pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
-    // Clean up after 10 minutes (OAuth flows should complete quickly)
-    setTimeout(() => {
-        pkceStore.delete(state);
-    }, 10 * 60 * 1000);
-}
-/**
- * Retrieve and remove PKCE verifier
- */
-export function retrievePKCEVerifier(state) {
-    const data = pkceStore.get(state);
-    if (data) {
-        pkceStore.delete(state); // One-time use
-        return data;
-    }
-    return null;
-}
-/**
- * OAuth service class that handles the complete OAuth flow
- */
-class OAuthService {
-    defaultConfig;
-    constructor(config = {}) {
-        this.defaultConfig = {
-            defaultClientId: config.defaultClientId || process.env.DEFAULT_OAUTH_CLIENT_ID || 'mcp-client',
-            clientName: config.clientName || process.env.OAUTH_CLIENT_NAME || 'Inkeep Agent Framework',
-            clientUri: config.clientUri || process.env.OAUTH_CLIENT_URI || 'https://inkeep.com',
-            logoUri: config.logoUri ||
-                process.env.OAUTH_CLIENT_LOGO_URI ||
-                'https://storage.googleapis.com/inkeep-static-assets/Favicon_gray_large.png',
-            redirectBaseUrl: config.redirectBaseUrl || process.env.OAUTH_REDIRECT_BASE_URL || 'http://localhost:3002',
-        };
-    }
-    /**
-     * Initiate OAuth flow for an MCP tool
-     */
-    async initiateOAuthFlow(params) {
-        const { tool, tenantId, projectId, toolId } = params;
-        // 1. Detect OAuth requirements
-        const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url);
-        if (!oAuthConfig) {
-            throw new Error('OAuth not supported by this server');
-        }
-        // 2. Generate PKCE parameters
-        const { codeVerifier, codeChallenge } = await this.generatePKCEInternal();
-        // 3. Handle dynamic client registration if supported
-        const redirectUri = `${this.defaultConfig.redirectBaseUrl}/oauth/callback`;
-        let clientId = this.defaultConfig.defaultClientId;
-        if (oAuthConfig.supportsDynamicRegistration && oAuthConfig.registrationUrl) {
-            clientId = await this.performDynamicClientRegistration(oAuthConfig.registrationUrl, redirectUri);
-        }
-        // 4. Build OAuth URL
-        const state = `tool_${toolId}`;
-        const authUrl = this.buildAuthorizationUrl({
-            oAuthConfig,
-            clientId,
-            redirectUri,
-            state,
-            codeChallenge,
-            resource: tool.config.mcp.server.url,
-        });
-        // 5. Store PKCE verifier for callback handling
-        storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
-        logger.info({ toolId, oAuthConfig, tenantId, projectId }, 'OAuth flow initiated successfully');
-        return {
-            redirectUrl: authUrl,
-            state,
-        };
-    }
-    /**
-     * Exchange authorization code for access tokens
-     */
-    async exchangeCodeForTokens(params) {
-        const { code, codeVerifier, clientId, tool } = params;
-        // Discover OAuth server endpoints from MCP server
-        const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url);
-        if (!oAuthConfig?.tokenUrl) {
-            throw new Error('Could not discover OAuth token endpoint');
-        }
-        const redirectUri = `${this.defaultConfig.redirectBaseUrl}/oauth/callback`;
-        let tokens;
-        try {
-            // Try openid-client first (more robust)
-            tokens = await this.exchangeWithOpenIdClient({
-                oAuthConfig,
-                clientId,
-                code,
-                codeVerifier,
-                redirectUri,
-            });
-            logger.info({ tokenType: tokens.token_type }, 'Token exchange successful with openid-client');
-        }
-        catch (error) {
-            logger.warn({ error: error instanceof Error ? error.message : error }, 'openid-client failed, falling back to manual token exchange');
-            // Fallback to manual token exchange
-            tokens = await this.exchangeManually({
-                oAuthConfig,
-                clientId,
-                code,
-                codeVerifier,
-                redirectUri,
-            });
-            logger.info({ tokenType: tokens.token_type }, 'Manual token exchange successful');
-        }
-        return { tokens, oAuthConfig };
-    }
-    /**
-     * Perform dynamic client registration
-     */
-    async performDynamicClientRegistration(registrationUrl, redirectUri) {
-        logger.info({ registrationUrl }, 'Attempting dynamic client registration');
-        try {
-            const registrationResponse = await fetch(registrationUrl, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    Accept: 'application/json',
-                },
-                body: JSON.stringify({
-                    client_name: this.defaultConfig.clientName,
-                    client_uri: this.defaultConfig.clientUri,
-                    logo_uri: this.defaultConfig.logoUri,
-                    redirect_uris: [redirectUri],
-                    grant_types: ['authorization_code'],
-                    response_types: ['code'],
-                    token_endpoint_auth_method: 'none', // PKCE only, no client secret
-                    application_type: 'native', // For PKCE flows
-                }),
-            });
-            if (registrationResponse.ok) {
-                const registration = await registrationResponse.json();
-                logger.info({ clientId: registration.client_id }, 'Dynamic client registration successful');
-                return registration.client_id;
-            }
-            else {
-                const errorText = await registrationResponse.text();
-                logger.warn({
-                    status: registrationResponse.status,
-                    errorText,
-                }, 'Dynamic client registration failed, using default client_id');
-            }
-        }
-        catch (regError) {
-            logger.warn({ error: regError }, 'Dynamic client registration error, using default client_id');
-        }
-        return this.defaultConfig.defaultClientId;
-    }
-    /**
-     * Build authorization URL
-     */
-    buildAuthorizationUrl(params) {
-        const { oAuthConfig, clientId, redirectUri, state, codeChallenge, resource } = params;
-        const authUrl = new URL(oAuthConfig.authorizationUrl);
-        authUrl.searchParams.set('response_type', 'code');
-        authUrl.searchParams.set('client_id', clientId);
-        authUrl.searchParams.set('redirect_uri', redirectUri);
-        authUrl.searchParams.set('state', state);
-        authUrl.searchParams.set('code_challenge', codeChallenge);
-        authUrl.searchParams.set('code_challenge_method', 'S256');
-        authUrl.searchParams.set('resource', resource); // Required by MCP spec
-        return authUrl.toString();
-    }
-    /**
-     * Exchange code using openid-client library
-     */
-    async exchangeWithOpenIdClient(params) {
-        const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-        // Import openid-client for proper OAuth handling
-        const oauth = await import('openid-client');
-        // Extract OAuth server base URL from token URL
-        const tokenUrl = new URL(oAuthConfig.tokenUrl);
-        const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
-        logger.info({ oauthServerUrl, clientId }, 'Attempting openid-client discovery');
-        const config = await oauth.discovery(new URL(oauthServerUrl), clientId, undefined // No client secret for PKCE
-        );
-        const callbackUrl = new URL(`${redirectUri}?${new URLSearchParams({ code, state: 'unused' }).toString()}`);
-        return await oauth.authorizationCodeGrant(config, callbackUrl, {
-            pkceCodeVerifier: codeVerifier,
-        });
-    }
-    /**
-     * Internal PKCE generation
-     */
-    async generatePKCEInternal() {
-        const codeVerifier = Buffer.from(Array.from(crypto.getRandomValues(new Uint8Array(32)))).toString('base64url');
-        const encoder = new TextEncoder();
-        const data = encoder.encode(codeVerifier);
-        const hash = await crypto.subtle.digest('SHA-256', data);
-        const codeChallenge = Buffer.from(hash).toString('base64url');
-        return { codeVerifier, codeChallenge };
-    }
-    /**
-     * Manual token exchange fallback
-     */
-    async exchangeManually(params) {
-        const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-        logger.info({ tokenUrl: oAuthConfig.tokenUrl }, 'Attempting manual token exchange');
-        const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-                Accept: 'application/json',
-            },
-            body: new URLSearchParams({
-                grant_type: 'authorization_code',
-                code,
-                redirect_uri: redirectUri,
-                client_id: clientId,
-                code_verifier: codeVerifier, // PKCE verification
-            }),
-        });
-        if (!tokenResponse.ok) {
-            const errorText = await tokenResponse.text();
-            logger.error({
-                status: tokenResponse.status,
-                statusText: tokenResponse.statusText,
-                ...(process.env.NODE_ENV === 'development' && { errorText }),
-                clientId,
-                tokenUrl: oAuthConfig.tokenUrl,
-            }, 'Token exchange failed');
-            throw new Error('Authentication failed. Please try again or contact support.');
-        }
-        return await tokenResponse.json();
-    }
-}
-// Default instance for convenience
-export const oauthService = new OAuthService();