@keycardai/oauth 0.10.0 → 0.11.0
- package/dist/cjs/server/webIdentity.d.ts +2 -1
- package/dist/cjs/server/webIdentity.d.ts.map +1 -1
- package/dist/cjs/server/webIdentity.js +22 -2
- package/dist/cjs/server/webIdentity.js.map +1 -1
- package/dist/esm/server/webIdentity.d.ts +2 -1
- package/dist/esm/server/webIdentity.d.ts.map +1 -1
- package/dist/esm/server/webIdentity.js +22 -2
- package/dist/esm/server/webIdentity.js.map +1 -1
- package/package.json +1 -1
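--- a/package/dist/cjs/server/webIdentity.d.ts
+++ b/package/dist/cjs/server/webIdentity.d.ts
@@ -13,7 +13,8 @@ export interface WebIdentityOptions {
 * RFC 7523 private_key_jwt client assertion credential provider.
 *
 * Generates and persists an RSA key pair using the supplied storage
-* implementation (default: `FilePrivateKeyStorage("./
+* implementation (default: `FilePrivateKeyStorage("./server_keys")`, falling
+* back to `./mcp_keys` when that directory already exists).
 * On each token exchange the private key signs a client assertion JWT
 * that the authorization server verifies instead of a shared secret.
 *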
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAqBzD,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,WAAY,YAAW,qBAAqB;;gBAI3C,OAAO,GAAE,kBAAuB;IAiBtC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAOhC,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC;IAchC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE;IAIpD,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CAGpD"}
|
|
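--- a/package/dist/cjs/server/webIdentity.js
+++ b/package/dist/cjs/server/webIdentity.js
@@ -13,12 +13,32 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 var _WebIdentity_keyManager, _WebIdentity_bootstrapPromise;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.WebIdentity = void 0;
+const node_fs_1 = require("node:fs");
 const privateKey_js_1 = require("./privateKey.js");
+const DEFAULT_STORAGE_DIR = "./server_keys";
+const LEGACY_STORAGE_DIR = "./mcp_keys";
+/**
+* Prefer `./server_keys`. Fall back to the pre-extraction `./mcp_keys` when it
+* exists and `./server_keys` does not, so a deployment that relied on the
+* implicit default keeps its keys after upgrade.
+*/
+function resolveDefaultStorageDir() {
+try {
+if (!(0, node_fs_1.existsSync)(DEFAULT_STORAGE_DIR) && (0, node_fs_1.existsSync)(LEGACY_STORAGE_DIR)) {
+return LEGACY_STORAGE_DIR;
+}
+}
+catch {
+// ignore filesystem probe errors; use the default
+}
+return DEFAULT_STORAGE_DIR;
+}
 /**
 * RFC 7523 private_key_jwt client assertion credential provider.
 *
 * Generates and persists an RSA key pair using the supplied storage
-* implementation (default: `FilePrivateKeyStorage("./
+* implementation (default: `FilePrivateKeyStorage("./server_keys")`, falling
+* back to `./mcp_keys` when that directory already exists).
 * On each token exchange the private key signs a client assertion JWT
 * that the authorization server verifies instead of a shared secret.
 *
@@ -30,7 +50,7 @@ class WebIdentity {
 _WebIdentity_keyManager.set(this, void 0);
 _WebIdentity_bootstrapPromise.set(this, void 0);
 const storage = options.storage ??
-new privateKey_js_1.FilePrivateKeyStorage(options.storageDir ??
+new privateKey_js_1.FilePrivateKeyStorage(options.storageDir ?? resolveDefaultStorageDir());
 let keyId = options.keyId;
 if (!keyId && options.serverName) {
 keyId = options.serverName.replace(/[^a-zA-Z0-9\-_]/g, "_");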
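Review bot: In `resolveDefaultStorageDir` the legacy fallback fires for any filesystem entry named `./mcp_keys`, because `existsSync` also returns true for a regular file or a symlink to one, while the new JSDoc and the `.d.ts` comment promise the fallback only "when that directory already exists"; a directory check matches the documented contract, e.g. `if (!(0, node_fs_1.existsSync)(DEFAULT_STORAGE_DIR) && (0, node_fs_1.statSync)(LEGACY_STORAGE_DIR, { throwIfNoEntry: false })?.isDirectory()) {`. With two constant string arguments `existsSync` does not throw, so the surrounding `try/catch` is currently dead code; it becomes meaningful once `statSync` is used (EACCES and similar still throw), so keep it and make the comment say so: `// statSync can still fail (e.g. permissions); treat any probe error as "no legacy dir"`. Both candidate paths are relative and therefore resolved against `process.cwd()` at construction time, so which directory ends up holding the RSA signing key depends on where the process is launched; the constructor's JSDoc should state that `storageDir` and the defaults resolve relative to the working directory, so operators can pin an absolute path in hardened deployments. The ESM build in the later hunk (`@@ -10,12 +10,32 @@`) contains the identical code and needs the same change, which belongs in `src/server/webIdentity.ts` rather than the compiled `dist/` output.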
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,qCAAqC;AAGrC,mDAA2E;AAK3E,MAAM,mBAAmB,GAAG,eAAe,CAAC;AAC5C,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAExC;;;;GAIG;AACH,SAAS,wBAAwB;IAC/B,IAAI,CAAC;QACH,IAAI,CAAC,IAAA,oBAAU,EAAC,mBAAmB,CAAC,IAAI,IAAA,oBAAU,EAAC,kBAAkB,CAAC,EAAE,CAAC;YACvE,OAAO,kBAAkB,CAAC;QAC5B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kDAAkD;IACpD,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAUD;;;;;;;;;;;GAWG;AACH,MAAa,WAAW;IAItB,YAAY,UAA8B,EAAE;QAH5C,0CAA+B;QAC/B,gDAAkC;QAGhC,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;YACf,IAAI,qCAAqB,CAAC,OAAO,CAAC,UAAU,IAAI,wBAAwB,EAAE,CAAC,CAAC;QAE9E,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACjC,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,uBAAA,IAAI,2BAAe,IAAI,iCAAiB,CAAC;YACvC,OAAO;YACP,KAAK;YACL,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,MAAA,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,uBAAA,IAAI,qCAAkB,EAAE,CAAC;YAC5B,uBAAA,IAAI,iCAAqB,uBAAA,IAAI,+BAAY,CAAC,iBAAiB,EAAE,MAAA,CAAC;QAChE,CAAC;QACD,OAAO,uBAAA,IAAI,qCAAkB,CAAC;IAChC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB,EAChB,OAAuE;QAEvE,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,OAAO,EAAE,QAAQ,EAAE,kBAAkB,IAAI,uBAAA,IAAI,+BAAY,CAAC,WAAW,EAAE,CAAC;QACvF,MAAM,QAAQ,GAAG,OAAO,EAAE,aAAa,IAAI,MAAM,CAAC;QAClD,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,+BAAY,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvF,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe;SAChB,CAAC;IACJ,CAAC;IAED,aAAa;QACX,OAAO,uBAAA,IAAI,+BAAY,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,OAAO,uBAAA,IAAI,+BAAY,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAC9D,CAAC;CACF;AAzDD,kCAyDC"}
|
|
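--- a/package/dist/esm/server/webIdentity.d.ts
+++ b/package/dist/esm/server/webIdentity.d.ts
@@ -13,7 +13,8 @@ export interface WebIdentityOptions {
 * RFC 7523 private_key_jwt client assertion credential provider.
 *
 * Generates and persists an RSA key pair using the supplied storage
-* implementation (default: `FilePrivateKeyStorage("./
+* implementation (default: `FilePrivateKeyStorage("./server_keys")`, falling
+* back to `./mcp_keys` when that directory already exists).
 * On each token exchange the private key signs a client assertion JWT
 * that the authorization server verifies instead of a shared secret.
 *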
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAqBzD,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,WAAY,YAAW,qBAAqB;;gBAI3C,OAAO,GAAE,kBAAuB;IAiBtC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAOhC,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC;IAchC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE;IAIpD,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CAGpD"}
|
|
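--- a/package/dist/esm/server/webIdentity.js
+++ b/package/dist/esm/server/webIdentity.js
@@ -10,12 +10,32 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
 var _WebIdentity_keyManager, _WebIdentity_bootstrapPromise;
+import { existsSync } from "node:fs";
 import { PrivateKeyManager, FilePrivateKeyStorage } from "./privateKey.js";
+const DEFAULT_STORAGE_DIR = "./server_keys";
+const LEGACY_STORAGE_DIR = "./mcp_keys";
+/**
+* Prefer `./server_keys`. Fall back to the pre-extraction `./mcp_keys` when it
+* exists and `./server_keys` does not, so a deployment that relied on the
+* implicit default keeps its keys after upgrade.
+*/
+function resolveDefaultStorageDir() {
+try {
+if (!existsSync(DEFAULT_STORAGE_DIR) && existsSync(LEGACY_STORAGE_DIR)) {
+return LEGACY_STORAGE_DIR;
+}
+}
+catch {
+// ignore filesystem probe errors; use the default
+}
+return DEFAULT_STORAGE_DIR;
+}
 /**
 * RFC 7523 private_key_jwt client assertion credential provider.
 *
 * Generates and persists an RSA key pair using the supplied storage
-* implementation (default: `FilePrivateKeyStorage("./
+* implementation (default: `FilePrivateKeyStorage("./server_keys")`, falling
+* back to `./mcp_keys` when that directory already exists).
 * On each token exchange the private key signs a client assertion JWT
 * that the authorization server verifies instead of a shared secret.
 *
@@ -27,7 +47,7 @@ export class WebIdentity {
 _WebIdentity_keyManager.set(this, void 0);
 _WebIdentity_bootstrapPromise.set(this, void 0);
 const storage = options.storage ??
-new FilePrivateKeyStorage(options.storageDir ??
+new FilePrivateKeyStorage(options.storageDir ?? resolveDefaultStorageDir());
 let keyId = options.keyId;
 if (!keyId && options.serverName) {
 keyId = options.serverName.replace(/[^a-zA-Z0-9\-_]/g, "_");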
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAK3E,MAAM,mBAAmB,GAAG,eAAe,CAAC;AAC5C,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAExC;;;;GAIG;AACH,SAAS,wBAAwB;IAC/B,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACvE,OAAO,kBAAkB,CAAC;QAC5B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kDAAkD;IACpD,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAUD;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,WAAW;IAItB,YAAY,UAA8B,EAAE;QAH5C,0CAA+B;QAC/B,gDAAkC;QAGhC,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;YACf,IAAI,qBAAqB,CAAC,OAAO,CAAC,UAAU,IAAI,wBAAwB,EAAE,CAAC,CAAC;QAE9E,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACjC,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,uBAAA,IAAI,2BAAe,IAAI,iBAAiB,CAAC;YACvC,OAAO;YACP,KAAK;YACL,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,MAAA,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,uBAAA,IAAI,qCAAkB,EAAE,CAAC;YAC5B,uBAAA,IAAI,iCAAqB,uBAAA,IAAI,+BAAY,CAAC,iBAAiB,EAAE,MAAA,CAAC;QAChE,CAAC;QACD,OAAO,uBAAA,IAAI,qCAAkB,CAAC;IAChC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB,EAChB,OAAuE;QAEvE,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,OAAO,EAAE,QAAQ,EAAE,kBAAkB,IAAI,uBAAA,IAAI,+BAAY,CAAC,WAAW,EAAE,CAAC;QACvF,MAAM,QAAQ,GAAG,OAAO,EAAE,aAAa,IAAI,MAAM,CAAC;QAClD,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,+BAAY,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvF,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe;SAChB,CAAC;IACJ,CAAC;IAED,aAAa;QACX,OAAO,uBAAA,IAAI,+BAAY,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,OAAO,uBAAA,IAAI,+BAAY,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAC9D,CAAC;CACF"}
|
package/package.json
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.11.0",
|
|
4
4
|
"description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|