@kya-os/mcp-i-cloudflare 1.6.17 → 1.6.18-canary.clientinfo.20251126121218

package/dist/utils/oauth-identity.js

@@ -0,0 +1,215 @@
+/**
+ * OAuth Identity Utilities
+ *
+ * Handles OAuth identity extraction and validation from HTTP requests.
+ * This module consolidates OAuth-related logic that was previously in the adapter.
+ */
+/**
+ * Extract OAuth identity from request cookies
+ *
+ * @param request - HTTP Request object
+ * @returns OAuthIdentity or null if not found/invalid
+ */
+export function extractOAuthIdentityFromRequest(request) {
+    try {
+        const cookieHeader = request.headers.get("Cookie");
+        if (!cookieHeader)
+            return null;
+        const cookies = cookieHeader.split("; ").map((c) => c.trim());
+        const oauthCookie = cookies.find((c) => c.startsWith("oauth_identity="));
+        if (!oauthCookie)
+            return null;
+        // Extract cookie value properly handling cases where value contains '='
+        // Find the first '=' which separates key from value, then take everything after it
+        const equalsIndex = oauthCookie.indexOf("=");
+        if (equalsIndex === -1)
+            return null;
+        const cookieValue = oauthCookie.substring(equalsIndex + 1);
+        const parsed = JSON.parse(decodeURIComponent(cookieValue));
+        // ✅ SECURITY: Validate OAuth identity format and content
+        const validationResult = validateOAuthIdentity(parsed);
+        if (!validationResult.valid) {
+            console.warn("[OAuth] ⚠️ OAuth identity validation failed:", validationResult.reason, { parsed });
+            return null;
+        }
+        return parsed;
+    }
+    catch (error) {
+        console.warn("[OAuth] Failed to extract OAuth identity from cookies:", error);
+    }
+    return null;
+}
+/**
+ * Validate OAuth identity format and content
+ *
+ * Ensures:
+ * - Provider is non-empty string (1-50 chars)
+ * - Subject is non-empty string (1-255 chars)
+ * - Provider matches expected format (alphanumeric, hyphens, underscores)
+ * - Subject matches expected format (non-empty, reasonable length)
+ *
+ * @param identity - Parsed OAuth identity object
+ * @returns Validation result
+ */
+export function validateOAuthIdentity(identity) {
+    // Check if identity is an object
+    if (!identity || typeof identity !== "object") {
+        return { valid: false, reason: "OAuth identity must be an object" };
+    }
+    const oauth = identity;
+    // Validate provider
+    if (!oauth.provider || typeof oauth.provider !== "string") {
+        return {
+            valid: false,
+            reason: "OAuth provider is required and must be a string",
+        };
+    }
+    const provider = oauth.provider.trim();
+    if (provider.length === 0) {
+        return { valid: false, reason: "OAuth provider cannot be empty" };
+    }
+    if (provider.length > 50) {
+        return {
+            valid: false,
+            reason: "OAuth provider must be 50 characters or less",
+        };
+    }
+    // Provider format: alphanumeric, hyphens, underscores, dots (e.g., "google", "microsoft", "github", "custom-provider")
+    const providerPattern = /^[a-zA-Z0-9._-]+$/;
+    if (!providerPattern.test(provider)) {
+        return {
+            valid: false,
+            reason: `OAuth provider must match pattern [a-zA-Z0-9._-]: "${provider}"`,
+        };
+    }
+    // Validate subject
+    if (!oauth.subject || typeof oauth.subject !== "string") {
+        return {
+            valid: false,
+            reason: "OAuth subject is required and must be a string",
+        };
+    }
+    const subject = oauth.subject.trim();
+    if (subject.length === 0) {
+        return { valid: false, reason: "OAuth subject cannot be empty" };
+    }
+    if (subject.length > 255) {
+        return {
+            valid: false,
+            reason: "OAuth subject must be 255 characters or less",
+        };
+    }
+    // Subject format: non-empty, reasonable characters (allows most Unicode, but prevents control chars)
+    // OAuth subjects can be numeric IDs, email-like strings, or other identifiers
+    const subjectPattern = /^[\S]+$/; // At least one non-whitespace character
+    if (!subjectPattern.test(subject)) {
+        return {
+            valid: false,
+            reason: `OAuth subject contains invalid characters: "${subject.substring(0, 20)}..."`,
+        };
+    }
+    // Validate optional email if present
+    if (oauth.email !== undefined) {
+        if (typeof oauth.email !== "string") {
+            return {
+                valid: false,
+                reason: "OAuth email must be a string if provided",
+            };
+        }
+        const email = oauth.email.trim();
+        if (email.length > 0) {
+            // Basic email format validation
+            const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+            if (!emailPattern.test(email)) {
+                return {
+                    valid: false,
+                    reason: `OAuth email format invalid: "${email}"`,
+                };
+            }
+            if (email.length > 255) {
+                return {
+                    valid: false,
+                    reason: "OAuth email must be 255 characters or less",
+                };
+            }
+        }
+    }
+    // Validate optional name if present
+    if (oauth.name !== undefined) {
+        if (typeof oauth.name !== "string") {
+            return {
+                valid: false,
+                reason: "OAuth name must be a string if provided",
+            };
+        }
+        if (oauth.name.length > 255) {
+            return {
+                valid: false,
+                reason: "OAuth name must be 255 characters or less",
+            };
+        }
+    }
+    return { valid: true };
+}
+/**
+ * Lookup User DID from OAuth identity mapping
+ *
+ * @param oauthIdentity OAuth identity to lookup
+ * @param delegationStorage KV namespace for storage
+ * @returns User DID or null if not found
+ */
+export async function lookupUserDidFromOAuth(oauthIdentity, delegationStorage) {
+    if (!delegationStorage || !oauthIdentity?.provider || !oauthIdentity?.subject) {
+        return null;
+    }
+    try {
+        const { STORAGE_KEYS } = await import("../constants/storage-keys");
+        const oauthKey = STORAGE_KEYS.oauthIdentity(oauthIdentity.provider, oauthIdentity.subject);
+        const userDid = await delegationStorage.get(oauthKey, "text");
+        if (userDid) {
+            console.log("[OAuth] ✅ Retrieved persistent userDid from OAuth mapping:", {
+                provider: oauthIdentity.provider,
+                userDid: userDid.slice(0, 20) + "...",
+            });
+        }
+        return userDid;
+    }
+    catch (error) {
+        console.warn("[OAuth] Failed to lookup userDid from OAuth mapping:", error);
+        return null;
+    }
+}
+/**
+ * Create a redacted OAuth identity for storage (PII protection)
+ *
+ * @param oauthIdentity Original OAuth identity
+ * @returns Redacted identity safe for storage
+ */
+export function redactOAuthIdentityForStorage(oauthIdentity) {
+    if (!oauthIdentity) {
+        return undefined;
+    }
+    return {
+        provider: oauthIdentity.provider,
+        subjectHash: oauthIdentity.subject.substring(0, 8), // Redact full subject
+        // Don't store email, name, or full subject for PII protection
+    };
+}
+/**
+ * Test if an OAuth cookie value is valid
+ * Helper function for testing and debugging
+ *
+ * @param cookieValue Encoded cookie value
+ * @returns true if valid OAuth identity, false otherwise
+ */
+export function isValidOAuthCookie(cookieValue) {
+    try {
+        const parsed = JSON.parse(decodeURIComponent(cookieValue));
+        const result = validateOAuthIdentity(parsed);
+        return result.valid;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=oauth-identity.js.map

package/dist/utils/oauth-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-identity.js","sourceRoot":"","sources":["../../src/utils/oauth-identity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,OAAgB;IAC9D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACzE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,wEAAwE;QACxE,mFAAmF;QACnF,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,WAAW,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAE3D,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,gBAAgB,CAAC,MAAM,EACvB,EAAE,MAAM,EAAE,CACX,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAuB,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,wDAAwD,EACxD,KAAK,CACN,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAiB;IACrD,iCAAiC;IACjC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,KAAK,GAAG,QAAmC,CAAC;IAElD,oBAAoB;IACpB,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,iDAAiD;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACpE,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,8CAA8C;SACvD,CAAC;IACJ,CAAC;IAED,uHAAuH;IACvH,MAAM,eAAe,GAAG,mBAAmB,CAAC;IAC5C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,sDAAsD,QAAQ,GAAG;SAC1E,CAAC;IACJ,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxD,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,gDAAgD;SACzD,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,8CAA8C;SACvD,CAAC;IACJ,CAAC;IAED,qGAAqG;IACrG,8EAA8E;IAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,wCAAwC;IAC1E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,+CAA+C,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;SACtF,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0CAA0C;aACnD,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,gCAAgC;YAChC,MAAM,YAAY,GAAG,4BAA4B,CAAC;YAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,gCAAgC,KAAK,GAAG;iBACjD,CAAC;YACJ,CAAC;YAED,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,4CAA4C;iBACrD,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,yCAAyC;aAClD,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,2CAA2C;aACpD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAA4B,EAC5B,iBAAsB;IAEtB,IAAI,CAAC,iBAAiB,IAAI,CAAC,aAAa,EAAE,QAAQ,IAAI,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC;QAC9E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,aAAa,CACzC,aAAa,CAAC,QAAQ,EACtB,aAAa,CAAC,OAAO,CACtB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CACT,4DAA4D,EAC5D;gBACE,QAAQ,EAAE,aAAa,CAAC,QAAQ;gBAChC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;aACtC,CACF,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,sDAAsD,EACtD,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,6BAA6B,CAAC,aAAmC;IAC/E,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,aAAa,CAAC,QAAQ;QAChC,WAAW,EAAE,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,sBAAsB;QAC1E,8DAA8D;KAC/D,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAmB;IACpD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i-cloudflare",
-  "version": "1.6.17",
+  "version": "1.6.18-canary.clientinfo.20251126121218",
   "description": "Cloudflare Workers adapter for MCP-I framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -18,7 +18,7 @@
   },
   "dependencies": {
     "@kya-os/contracts": "^1.6.1",
-    "@kya-os/mcp-i-core": "^1.3.6",
+    "@kya-os/mcp-i-core": "^1.3.7",
     "@modelcontextprotocol/sdk": "^1.19.1",
     "agents": "^0.2.21",
     "base-x": "^5.0.0",