@kya-os/mcp-i-core 1.3.13 → 1.3.15

package/src/identity/idp-token-resolver.ts

@@ -1,181 +0,0 @@
-/**
- * IDP Token Resolver
- *
- * Resolves User DID to IDP access token (MH-7 requirement).
- * Handles token lookup, expiration checking, and automatic refresh.
- *
- * Updated for CRED-003: Returns full token data including usage metadata
- * to support credential providers with custom token usage patterns.
- *
- * @package @kya-os/mcp-i-core
- */
-
-import type { IdpTokens } from "@kya-os/contracts/config";
-import type { IIdpTokenStorage, IdpTokensWithMetadata } from "./idp-token-storage.interface.js";
-
-export interface IdpTokenResolverConfig {
-  /** Token storage implementation */
-  tokenStorage: IIdpTokenStorage;
-
-  /** OAuth service for token refresh */
-  oauthService: {
-    refreshToken(provider: string, refreshToken: string): Promise<IdpTokens | null>;
-  };
-
-  /** Optional logger callback for diagnostics */
-  logger?: (message: string, data?: unknown) => void;
-}
-
-/**
- * Service for resolving User DID to IDP access token
- *
- * MH-7 Requirement: resolveTokenFromDid(userDid: string): Promise<string>
- *
- * This service implements the core MH-7 functionality:
- * - Resolves User DID to IDP access token
- * - Handles token expiration and automatic refresh
- * - Supports multiple IDP providers
- */
-export class IdpTokenResolver {
-  private config: Required<Omit<IdpTokenResolverConfig, "logger">> & {
-    logger: (message: string, data?: unknown) => void;
-  };
-
-  constructor(config: IdpTokenResolverConfig) {
-    this.config = {
-      tokenStorage: config.tokenStorage,
-      oauthService: config.oauthService,
-      logger: config.logger || (() => {}),
-    };
-  }
-
-  /**
-   * Resolve User DID to IDP access token
-   *
-   * MH-7 Requirement: resolveTokenFromDid(userDid: string): Promise<string>
-   *
-   * Flow:
-   * 1. Look up token from storage
-   * 2. Check expiration
-   * 3. Auto-refresh if expired and refresh_token available
-   * 4. Update storage after refresh
-   * 5. Return access_token or null
-   *
-   * @param userDid - User DID to resolve
-   * @param provider - OAuth provider name (e.g., "github", "google")
-   * @param scopes - Required scopes for token
-   * @returns Access token or null if not found/expired
-   */
-  async resolveTokenFromDid(
-    userDid: string,
-    provider: string,
-    scopes: string[]
-  ): Promise<string | null> {
-    const tokenData = await this.resolveTokenDataFromDid(userDid, provider, scopes);
-    return tokenData?.access_token ?? null;
-  }
-
-  /**
-   * Resolve User DID to full IDP token data (CRED-003)
-   *
-   * Returns the full token data including usage metadata for credential providers.
-   * This allows ToolContextBuilder to construct appropriate headers based on
-   * tokenUsage (cookie/bearer/header) and cookieFormat.
-   *
-   * @param userDid - User DID to resolve
-   * @param provider - OAuth provider name or credential provider
-   * @param scopes - Required scopes for token
-   * @returns Full token data with metadata or null if not found/expired
-   */
-  async resolveTokenDataFromDid(
-    userDid: string,
-    provider: string,
-    scopes: string[]
-  ): Promise<IdpTokensWithMetadata | null> {
-    // 1. Look up token from storage
-    const storedToken = await this.config.tokenStorage.getToken(
-      userDid,
-      provider,
-      scopes
-    );
-
-    if (!storedToken) {
-      this.config.logger("[IdpTokenResolver] Token not found", {
-        userDid: userDid.substring(0, 20) + "...",
-        provider,
-        scopes,
-      });
-      return null;
-    }
-
-    // 2. Check expiration
-    const now = Date.now();
-    if (storedToken.expires_at < now) {
-      this.config.logger("[IdpTokenResolver] Token expired, attempting refresh", {
-        userDid: userDid.substring(0, 20) + "...",
-        provider,
-        expiresAt: new Date(storedToken.expires_at).toISOString(),
-        hasRefreshToken: !!storedToken.refresh_token,
-      });
-
-      // 3. Refresh if refresh_token available
-      // Note: Credential tokens don't support refresh - they require re-authentication
-      if (storedToken.refresh_token) {
-        const refreshed = await this.config.oauthService.refreshToken(
-          provider,
-          storedToken.refresh_token
-        );
-
-        if (refreshed) {
-          // 4. Update storage with new tokens, preserving usage metadata
-          const refreshedWithMetadata: IdpTokensWithMetadata = {
-            ...refreshed,
-            tokenUsage: storedToken.tokenUsage,
-            tokenHeader: storedToken.tokenHeader,
-            cookieFormat: storedToken.cookieFormat,
-            apiHeaders: storedToken.apiHeaders,
-          };
-
-          await this.config.tokenStorage.storeToken(
-            userDid,
-            provider,
-            scopes,
-            refreshedWithMetadata
-          );
-
-          this.config.logger("[IdpTokenResolver] Token refreshed successfully", {
-            userDid: userDid.substring(0, 20) + "...",
-            provider,
-            expiresAt: new Date(refreshed.expires_at).toISOString(),
-          });
-
-          // 5. Return new token data
-          return refreshedWithMetadata;
-        } else {
-          this.config.logger("[IdpTokenResolver] Token refresh failed", {
-            userDid: userDid.substring(0, 20) + "...",
-            provider,
-          });
-          return null;
-        }
-      } else {
-        this.config.logger("[IdpTokenResolver] Token expired and no refresh token", {
-          userDid: userDid.substring(0, 20) + "...",
-          provider,
-        });
-        return null;
-      }
-    }
-
-    // 4. Return valid token data
-    this.config.logger("[IdpTokenResolver] Token resolved successfully", {
-      userDid: userDid.substring(0, 20) + "...",
-      provider,
-      expiresAt: new Date(storedToken.expires_at).toISOString(),
-      tokenUsage: storedToken.tokenUsage,
-    });
-
-    return storedToken;
-  }
-}
-

package/src/identity/idp-token-storage.interface.ts

@@ -1,94 +0,0 @@
-/**
- * IDP Token Storage Interface
- *
- * Platform-agnostic interface for storing and retrieving IDP tokens.
- * Platform-specific implementations (Cloudflare KV, Node.js database, etc.)
- * implement this interface.
- *
- * Supports both OAuth tokens and credential-based session tokens (CRED-003).
- *
- * @package @kya-os/mcp-i-core
- */
-
-import type { IdpTokens } from "@kya-os/contracts/config";
-
-/**
- * Token usage metadata for credential providers (CRED-003)
- *
- * Specifies how the token should be used in subsequent API calls.
- */
-export interface TokenUsageMetadata {
-  /**
-   * How to use the token in requests
-   * - "cookie": Send as Cookie header
-   * - "bearer": Send as Authorization: Bearer xxx
-   * - "header": Send as custom header (specify tokenHeader)
-   */
-  tokenUsage?: "cookie" | "bearer" | "header";
-
-  /** Custom header name when tokenUsage is "header" */
-  tokenHeader?: string;
-
-  /**
-   * Cookie format template when tokenUsage is "cookie"
-   * Use {{token}} placeholder for the token value
-   * @example "CIX={{token}}; customerCookie={{token}}"
-   */
-  cookieFormat?: string;
-
-  /** Additional headers to include in API calls */
-  apiHeaders?: Record<string, string>;
-}
-
-/**
- * Extended IdpTokens with usage metadata (CRED-003)
- */
-export interface IdpTokensWithMetadata extends IdpTokens, TokenUsageMetadata {}
-
-/**
- * Interface for IDP token storage
- */
-export interface IIdpTokenStorage {
-  /**
-   * Store IDP tokens
-   *
-   * @param userDid - User DID to associate tokens with
-   * @param provider - OAuth provider name or credential provider
-   * @param scopes - Scopes granted for these tokens
-   * @param tokens - IDP tokens to store (may include usage metadata for credentials)
-   */
-  storeToken(
-    userDid: string,
-    provider: string,
-    scopes: string[],
-    tokens: IdpTokens | IdpTokensWithMetadata
-  ): Promise<void>;
-
-  /**
-   * Retrieve IDP tokens
-   *
-   * @param userDid - User DID to retrieve tokens for
-   * @param provider - OAuth provider name or credential provider
-   * @param scopes - Scopes to retrieve tokens for
-   * @returns IDP tokens with optional usage metadata or null if not found
-   */
-  getToken(
-    userDid: string,
-    provider: string,
-    scopes: string[]
-  ): Promise<IdpTokensWithMetadata | null>;
-
-  /**
-   * Delete IDP tokens
-   *
-   * @param userDid - User DID
-   * @param provider - OAuth provider name or credential provider
-   * @param scopes - Scopes
-   */
-  deleteToken(
-    userDid: string,
-    provider: string,
-    scopes: string[]
-  ): Promise<void>;
-}
-