@kadoa/mcp 0.3.6-rc.1 → 0.3.6-rc.2

package/dist/index.js

@@ -53948,6 +53948,14 @@ function generatePKCE() {
   const challenge = createHash2("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
+function jwtClaims(jwt2) {
+  try {
+    const payload = JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
+    return { email: payload.email, sub: payload.sub };
+  } catch {
+    return {};
+  }
+}
 async function exchangeSupabaseCode(code, codeVerifier) {
   const supabaseUrl = process.env.SUPABASE_URL;
   if (!supabaseUrl)
@@ -54203,6 +54211,8 @@ class KadoaOAuthProvider {
       clientId: entry.clientId
     });
     authCodes.delete(authorizationCode);
+    const claims = jwtClaims(entry.supabaseJwt);
+    console.log(`[AUTH] LOGIN: tokens issued (email=${claims.email}, team=${entry.teamId}, token=${accessToken.slice(0, 12)}..., ttl=${ACCESS_TOKEN_TTL}s, active_sessions=${accessTokens.size})`);
     return {
       access_token: accessToken,
       token_type: "bearer",
@@ -54212,8 +54222,10 @@ class KadoaOAuthProvider {
   }
   async exchangeRefreshToken(_client, refreshToken) {
     const entry = refreshTokens.get(refreshToken);
-    if (!entry)
+    if (!entry) {
+      console.error(`[AUTH] REFRESH_FAIL: unknown refresh token (token=${refreshToken.slice(0, 12)}..., active_sessions=${refreshTokens.size})`);
       throw new Error("Unknown refresh token");
+    }
     refreshTokens.delete(refreshToken);
     let { supabaseJwt, supabaseRefreshToken } = entry;
     try {
@@ -54231,9 +54243,18 @@ class KadoaOAuthProvider {
           const data = await res.json();
           supabaseJwt = data.access_token;
           supabaseRefreshToken = data.refresh_token;
+          const newClaims = jwtClaims(supabaseJwt);
+          console.log(`[AUTH] REFRESH_OK: Supabase JWT refreshed (email=${newClaims.email}, team=${entry.teamId})`);
+        } else {
+          const body = await res.text().catch(() => "");
+          const claims = jwtClaims(entry.supabaseJwt);
+          console.error(`[AUTH] REFRESH_WARN: Supabase refresh failed HTTP ${res.status} (email=${claims.email}, team=${entry.teamId}): ${body.slice(0, 200)}`);
         }
       }
-    } catch {}
+    } catch (err) {
+      const claims = jwtClaims(entry.supabaseJwt);
+      console.error(`[AUTH] REFRESH_WARN: Supabase refresh threw (email=${claims.email}, team=${entry.teamId}):`, err);
+    }
     const newAccessToken = randomToken();
     const newRefreshToken = randomToken();
     const expiresAt = Date.now() + ACCESS_TOKEN_TTL * 1000;
@@ -54268,9 +54289,14 @@ class KadoaOAuthProvider {
       };
     }
     const entry = accessTokens.get(token);
-    if (!entry)
+    if (!entry) {
+      console.error(`[AUTH] VERIFY_FAIL: unknown token (token=${token.slice(0, 12)}..., active_sessions=${accessTokens.size})`);
       throw new Error("Unknown access token");
+    }
     if (entry.expiresAt < Date.now()) {
+      const expiredAgo = Math.round((Date.now() - entry.expiresAt) / 1000);
+      const claims = jwtClaims(entry.supabaseJwt);
+      console.error(`[AUTH] VERIFY_FAIL: token expired ${expiredAgo}s ago (email=${claims.email}, team=${entry.teamId}, token=${token.slice(0, 12)}...)`);
       accessTokens.delete(token);
       throw new Error("Access token expired");
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kadoa/mcp",
-  "version": "0.3.6-rc.1",
+  "version": "0.3.6-rc.2",
   "description": "Kadoa MCP Server — manage workflows from Claude Desktop, Cursor, and other MCP clients",
   "type": "module",
   "main": "dist/index.js",