@kya-os/mcp-i 0.1.0 → 1.2.1

package/dist/auth/oauth/providers/proxy-provider.js

@@ -0,0 +1,159 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProxyOAuthServerProvider = void 0;
+const memory_storage_1 = require("../storage/memory-storage");
+class ProxyOAuthServerProvider {
+    config;
+    storage;
+    constructor(config) {
+        this.config = config;
+        // fallback to memory storage
+        // ideally this would be used in a development environment, could be set with a flag
+        // since we are providing storage on Redis (to do) we may want to fallback to this in dev
+        // does not scale to prod tho, so we should be validating that we prevent that from happening
+        this.storage = config.storage || new memory_storage_1.MemoryOAuthStorage();
+    }
+    // Expose config for router access
+    get endpoints() {
+        return this.config.endpoints;
+    }
+    async verifyAccessToken(token) {
+        if (this.config.verifyAccessToken) {
+            return await this.config.verifyAccessToken(token);
+        }
+        // Fallback to storage lookup or external verification
+        const storedToken = await this.storage.tokens.getToken(token);
+        if (storedToken) {
+            return storedToken;
+        }
+        // If not found in storage, verify with external provider
+        return await this.verifyTokenWithProvider(token);
+    }
+    async authorize(params) {
+        const { client_id, redirect_uri, response_type, scope, state } = params;
+        // Let Auth0 handle all client validation - just build the authorization URL
+        const authUrl = new URL(this.config.endpoints.authorizationUrl);
+        authUrl.searchParams.set("response_type", response_type);
+        authUrl.searchParams.set("client_id", client_id);
+        authUrl.searchParams.set("redirect_uri", redirect_uri);
+        if (scope) {
+            authUrl.searchParams.set("scope", scope);
+        }
+        else if (this.config.defaultScopes) {
+            authUrl.searchParams.set("scope", this.config.defaultScopes.join(" "));
+        }
+        if (state) {
+            authUrl.searchParams.set("state", state);
+        }
+        return authUrl.toString();
+    }
+    async token(params) {
+        const { grant_type, client_id, client_secret, code, redirect_uri, refresh_token, } = params;
+        try {
+            // Forward token request to external provider (let Auth0 handle client validation)
+            const response = await fetch(this.config.endpoints.tokenUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Accept: "application/json",
+                },
+                body: new URLSearchParams({
+                    grant_type,
+                    client_id,
+                    ...(client_secret && { client_secret }),
+                    ...(code && { code }),
+                    ...(redirect_uri && { redirect_uri }),
+                    ...(refresh_token && { refresh_token }),
+                }),
+            });
+            const tokenData = await response.json();
+            if (!response.ok) {
+                throw this.createOAuthError(tokenData.error || "server_error", tokenData.error_description || "Token exchange failed");
+            }
+            // Store token in our storage if we have access_token
+            if (tokenData.access_token) {
+                const accessToken = {
+                    token: tokenData.access_token,
+                    clientId: client_id,
+                    scopes: tokenData.scope ? tokenData.scope.split(" ") : [],
+                    expiresAt: tokenData.expires_in
+                        ? new Date(Date.now() + tokenData.expires_in * 1000)
+                        : undefined,
+                    refreshToken: tokenData.refresh_token,
+                };
+                await this.storage.tokens.saveToken(accessToken);
+            }
+            return tokenData;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes("invalid_")) {
+                throw error;
+            }
+            throw this.createOAuthError("server_error", "Failed to exchange token");
+        }
+    }
+    async revoke(params) {
+        const { token, token_type_hint, client_id, client_secret } = params;
+        // Remove from our storage first
+        await this.storage.tokens.deleteToken(token);
+        // If external provider supports revocation, forward the request
+        if (this.config.endpoints.revocationUrl) {
+            try {
+                const response = await fetch(this.config.endpoints.revocationUrl, {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/x-www-form-urlencoded",
+                        Accept: "application/json",
+                    },
+                    body: new URLSearchParams({
+                        token,
+                        ...(token_type_hint && { token_type_hint }),
+                        ...(client_id && { client_id }),
+                        ...(client_secret && { client_secret }),
+                    }),
+                });
+                if (!response.ok) {
+                    console.warn("Failed to revoke token with external provider:", response.statusText);
+                }
+            }
+            catch (error) {
+                console.warn("Error revoking token with external provider:", error);
+            }
+        }
+    }
+    async verifyTokenWithProvider(token) {
+        // If external provider has a userinfo endpoint, we can use it to verify the token
+        if (this.config.endpoints.userInfoUrl) {
+            try {
+                const response = await fetch(this.config.endpoints.userInfoUrl, {
+                    headers: {
+                        Authorization: `Bearer ${token}`,
+                        Accept: "application/json",
+                    },
+                });
+                if (response.ok) {
+                    // Token is valid, create a basic AccessToken object
+                    return {
+                        token,
+                        clientId: "external", // We might not know the exact client ID
+                        scopes: [], // We might not know the exact scopes
+                    };
+                }
+            }
+            catch (error) {
+                console.warn("Error verifying token with external provider:", error);
+            }
+        }
+        throw this.createOAuthError("invalid_token", "Token verification failed");
+    }
+    createOAuthError(error, description) {
+        const oauthError = {
+            error,
+            error_description: description,
+        };
+        const errorObj = new Error(description || error);
+        errorObj.oauth = oauthError;
+        return errorObj;
+    }
+}
+exports.ProxyOAuthServerProvider = ProxyOAuthServerProvider;

package/dist/auth/oauth/router.d.ts

@@ -0,0 +1,4 @@
+import { Router, Request, Response, NextFunction } from "express";
+import { OAuthRouterConfig } from "./types";
+export declare function createOAuthRouter(config: OAuthRouterConfig): Router;
+export declare function createOAuthMiddleware(provider: any): (req: Request, res: Response, next: NextFunction) => Promise<void>;

package/dist/auth/oauth/router.js

@@ -0,0 +1,294 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOAuthRouter = createOAuthRouter;
+exports.createOAuthMiddleware = createOAuthMiddleware;
+const express_1 = require("express");
+function createOAuthRouter(config) {
+    const router = (0, express_1.Router)();
+    const { provider, issuerUrl, baseUrl, serviceDocumentationUrl, pathPrefix = "/oauth2", } = config;
+    router.use((req, res, next) => {
+        // to do check: cors config from ts file is overriding and failing to add headers
+        res.setHeader("Access-Control-Allow-Origin", "*");
+        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+        res.setHeader("Access-Control-Allow-Headers", 
+        // should also pass the mcp-protocol-version header
+        // probably only that one since the rest can be set from the config side
+        "Content-Type, Authorization, Accept, mcp-protocol-version");
+        res.setHeader("Access-Control-Expose-Headers", "Content-Type");
+        if (req.method === "OPTIONS") {
+            res.sendStatus(200);
+            return;
+        }
+        next();
+    });
+    // OAuth 2.0 Protected Resource Metadata (RFC 9728)
+    router.get("/.well-known/oauth-protected-resource", async (req, res) => {
+        try {
+            const baseUrlStr = baseUrl.toString().replace(/\/$/, ""); // Remove trailing slash - formatting issues lol
+            // thinking of maybe removing the path prefix?
+            const metadata = {
+                resource: baseUrlStr,
+                authorization_servers: [issuerUrl.toString()],
+                bearer_methods_supported: ["header", "body"],
+                resource_documentation: serviceDocumentationUrl?.toString(),
+                introspection_endpoint: `${baseUrlStr}${pathPrefix}/introspect`,
+                revocation_endpoint: `${baseUrlStr}${pathPrefix}/revoke`,
+            };
+            res.json(metadata);
+        }
+        catch (error) {
+            console.error("Error in protected resource metadata endpoint:", error);
+            res.status(500).json({
+                error: "server_error",
+                error_description: "Internal server error",
+            });
+        }
+    });
+    // OAuth 2.0 Discovery endpoint - authorization server metadata RFC 8414
+    // maybe serve all the config as customizable? for example for scopes etc
+    router.get("/.well-known/oauth-authorization-server", async (req, res) => {
+        try {
+            const discovery = {
+                issuer: issuerUrl.toString(),
+                authorization_endpoint: provider.endpoints.authorizationUrl,
+                token_endpoint: provider.endpoints.tokenUrl,
+                revocation_endpoint: provider.endpoints.revocationUrl,
+                response_types_supported: ["code"],
+                grant_types_supported: ["authorization_code", "refresh_token"],
+                token_endpoint_auth_methods_supported: [
+                    "client_secret_post",
+                    "client_secret_basic",
+                ],
+                scopes_supported: ["openid", "profile", "email"],
+                // PKCE support (RFC 7636) - S256 mandatory for security
+                code_challenge_methods_supported: ["S256"],
+                // DCR is mandatory - all clients must register
+                // this is what MCP recommends doing to handle the entire OAuth flow
+                // cause we're not supporting manually setting up the client
+                registration_endpoint: `${baseUrl.toString().replace(/\/$/, "")}${pathPrefix}/register`,
+                ...(serviceDocumentationUrl && {
+                    service_documentation: serviceDocumentationUrl.toString(),
+                }),
+            };
+            res.json(discovery);
+        }
+        catch (error) {
+            console.error("Error in discovery endpoint:", error);
+            res.status(500).json({
+                error: "server_error",
+                error_description: "Internal server error",
+            });
+        }
+    });
+    // following endpoints we're redirecting to the external authorization server
+    router.get(`${pathPrefix}/authorize`, async (req, res) => {
+        try {
+            const params = {
+                response_type: req.query.response_type,
+                client_id: req.query.client_id,
+                redirect_uri: req.query.redirect_uri,
+                scope: req.query.scope,
+                state: req.query.state,
+                // PKCE parameters (RFC 7636)
+                code_challenge: req.query.code_challenge,
+                code_challenge_method: req.query.code_challenge_method,
+            };
+            if (!params.response_type || !params.client_id || !params.redirect_uri) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing required parameters",
+                });
+                return;
+            }
+            // PKCE params validation
+            if (!params.code_challenge || !params.code_challenge_method) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "PKCE parameters (code_challenge, code_challenge_method) are required",
+                });
+                return;
+            }
+            // only allow S256 method
+            if (params.code_challenge_method !== "S256") {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Only S256 code challenge method is supported",
+                });
+                return;
+            }
+            // let the provider handle the authorization
+            const authUrl = await provider.authorize(params);
+            res.redirect(authUrl);
+        }
+        catch (error) {
+            console.error("Error in authorize endpoint:", error);
+            const oauthError = extractOAuthError(error);
+            res.status(400).json(oauthError);
+        }
+    });
+    router.post(`${pathPrefix}/token`, async (req, res) => {
+        try {
+            const params = {
+                grant_type: req.body.grant_type,
+                client_id: req.body.client_id,
+                client_secret: req.body.client_secret,
+                code: req.body.code,
+                redirect_uri: req.body.redirect_uri,
+                refresh_token: req.body.refresh_token,
+                // PKCE parameter (RFC 7636)
+                code_verifier: req.body.code_verifier,
+            };
+            if (!params.grant_type || !params.client_id) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing required parameters",
+                });
+                return;
+            }
+            // PKCE is mandatory for authorization_code grant
+            if (params.grant_type === "authorization_code" && !params.code_verifier) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "code_verifier is required for authorization_code grant (PKCE)",
+                });
+                return;
+            }
+            const tokenResponse = await provider.token(params);
+            res.json(tokenResponse);
+        }
+        catch (error) {
+            console.error("Error in token endpoint:", error);
+            const oauthError = extractOAuthError(error);
+            res.status(400).json(oauthError);
+        }
+    });
+    router.post(`${pathPrefix}/revoke`, async (req, res) => {
+        try {
+            const params = {
+                token: req.body.token,
+                token_type_hint: req.body.token_type_hint,
+                client_id: req.body.client_id,
+                client_secret: req.body.client_secret,
+            };
+            if (!params.token) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing token parameter",
+                });
+                return;
+            }
+            await provider.revoke(params);
+            res.status(200).end();
+        }
+        catch (error) {
+            console.error("Error in revoke endpoint:", error);
+            const oauthError = extractOAuthError(error);
+            res.status(400).json(oauthError);
+        }
+    });
+    router.post(`${pathPrefix}/introspect`, async (req, res) => {
+        try {
+            const token = req.body.token;
+            if (!token) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing token parameter",
+                });
+                return;
+            }
+            const accessToken = await provider.verifyAccessToken(token);
+            res.json({
+                active: true,
+                client_id: accessToken.clientId,
+                scope: accessToken.scopes.join(" "),
+                exp: accessToken.expiresAt
+                    ? Math.floor(accessToken.expiresAt.getTime() / 1000)
+                    : undefined,
+            });
+        }
+        catch (error) {
+            console.error("Error in introspect endpoint:", error);
+            // return active: false for invalid tokens
+            res.json({ active: false });
+        }
+    });
+    router.all(`${pathPrefix}/register`, async (req, res) => {
+        try {
+            if (req.method === "GET") {
+                // redirect to the external provider's registration page
+                res.redirect(provider.endpoints.registerUrl);
+                return;
+            }
+            // proxy to the external provider's registration page
+            const response = await fetch(provider.endpoints.registerUrl, {
+                method: req.method,
+                headers: {
+                    "Content-Type": "application/json",
+                    Accept: "application/json",
+                    ...(req.headers["user-agent"] && {
+                        "User-Agent": req.headers["user-agent"],
+                    }),
+                },
+                body: JSON.stringify(req.body),
+            });
+            const registrationData = await response.json();
+            res.status(response.status).json(registrationData);
+        }
+        catch (error) {
+            console.error("Error in registration endpoint:", error);
+            res.status(500).json({
+                error: "server_error",
+                error_description: "Failed to register client",
+            });
+        }
+    });
+    return router;
+}
+// create middleware for protecting routes
+function createOAuthMiddleware(provider) {
+    return async (req, res, next) => {
+        try {
+            const authHeader = req.header("Authorization");
+            if (!authHeader || !authHeader.startsWith("Bearer ")) {
+                res.status(401).json({
+                    error: "invalid_token",
+                    error_description: "Missing or malformed Authorization header",
+                });
+                return;
+            }
+            const token = authHeader.slice("Bearer ".length).trim();
+            if (!token) {
+                res.status(401).json({
+                    error: "invalid_token",
+                    error_description: "Missing access token",
+                });
+                return;
+            }
+            const accessToken = await provider.verifyAccessToken(token);
+            req.oauth = {
+                token: accessToken.token,
+                clientId: accessToken.clientId,
+                scopes: accessToken.scopes,
+                expiresAt: accessToken.expiresAt,
+            };
+            next();
+        }
+        catch (error) {
+            console.error("Error in OAuth middleware:", error);
+            res.status(401).json({
+                error: "invalid_token",
+                error_description: "Invalid or expired token",
+            });
+        }
+    };
+}
+// helper function to extract OAuth errors pretty self explanatory
+function extractOAuthError(error) {
+    if (error && error.oauth) {
+        return error.oauth;
+    }
+    return {
+        error: "server_error",
+        error_description: error?.message || "Internal server error",
+    };
+}

package/dist/auth/oauth/storage/memory-storage.d.ts

@@ -0,0 +1,12 @@
+import { OAuthStorage, TokenStorage, AccessToken } from "../types";
+export declare class MemoryTokenStorage implements TokenStorage {
+    tokens: Map<string, AccessToken>;
+    getToken(token: string): Promise<AccessToken | null>;
+    saveToken(token: AccessToken): Promise<void>;
+    deleteToken(token: string): Promise<void>;
+    deleteTokensByClient(clientId: string): Promise<void>;
+}
+export declare class MemoryOAuthStorage implements OAuthStorage {
+    tokens: TokenStorage;
+    constructor();
+}

package/dist/auth/oauth/storage/memory-storage.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryOAuthStorage = exports.MemoryTokenStorage = void 0;
+// Module-level storage map that persists across instances (SINGLETON PATTERN)
+const tokensMap = new Map();
+class MemoryTokenStorage {
+    // same, module level map
+    tokens = tokensMap;
+    async getToken(token) {
+        const accessToken = tokensMap.get(token);
+        if (accessToken &&
+            accessToken.expiresAt &&
+            accessToken.expiresAt < new Date()) {
+            tokensMap.delete(token);
+            return null;
+        }
+        return accessToken || null;
+    }
+    async saveToken(token) {
+        tokensMap.set(token.token, token);
+    }
+    async deleteToken(token) {
+        tokensMap.delete(token);
+    }
+    async deleteTokensByClient(clientId) {
+        for (const [tokenValue, tokenData] of tokensMap.entries()) {
+            if (tokenData.clientId === clientId) {
+                tokensMap.delete(tokenValue);
+            }
+        }
+    }
+}
+exports.MemoryTokenStorage = MemoryTokenStorage;
+class MemoryOAuthStorage {
+    tokens;
+    constructor() {
+        this.tokens = new MemoryTokenStorage();
+    }
+}
+exports.MemoryOAuthStorage = MemoryOAuthStorage;

package/dist/auth/oauth/types.d.ts

@@ -0,0 +1,112 @@
+export interface OAuthClient {
+    client_id: string;
+    client_secret?: string;
+    redirect_uris: string[];
+    grant_types?: string[];
+    response_types?: string[];
+    scopes?: string[];
+}
+export interface AccessToken {
+    token: string;
+    clientId: string;
+    scopes: string[];
+    expiresAt?: Date;
+    refreshToken?: string;
+}
+export interface OAuthEndpoints {
+    authorizationUrl: string;
+    tokenUrl: string;
+    revocationUrl?: string;
+    userInfoUrl?: string;
+    registerUrl: string;
+}
+export interface OAuthError {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+}
+export interface OAuthStorage {
+    tokens: TokenStorage;
+}
+export interface TokenStorage {
+    getToken(token: string): Promise<AccessToken | null>;
+    saveToken(token: AccessToken): Promise<void>;
+    deleteToken(token: string): Promise<void>;
+    deleteTokensByClient(clientId: string): Promise<void>;
+}
+export interface ProxyOAuthProviderConfig {
+    endpoints: OAuthEndpoints;
+    storage?: OAuthStorage;
+    verifyAccessToken?: (token: string) => Promise<AccessToken>;
+    issuerUrl?: string;
+    defaultScopes?: string[];
+}
+export interface OAuthRouterConfig {
+    provider: ProxyOAuthServerProvider;
+    issuerUrl: URL;
+    baseUrl: URL;
+    serviceDocumentationUrl?: URL;
+    pathPrefix?: string;
+}
+export interface ProxyOAuthServerProvider {
+    verifyAccessToken(token: string): Promise<AccessToken>;
+    authorize(params: AuthorizeParams): Promise<string>;
+    token(params: TokenParams): Promise<TokenResponse>;
+    revoke(params: RevokeParams): Promise<void>;
+    readonly endpoints: OAuthEndpoints;
+}
+export interface AuthorizeParams {
+    response_type: string;
+    client_id: string;
+    redirect_uri: string;
+    scope?: string;
+    state?: string;
+    code_challenge: string;
+    code_challenge_method: string;
+}
+export interface TokenParams {
+    grant_type: string;
+    client_id: string;
+    client_secret?: string;
+    code?: string;
+    redirect_uri?: string;
+    refresh_token?: string;
+    code_verifier?: string;
+}
+export interface RevokeParams {
+    token: string;
+    token_type_hint?: string;
+    client_id?: string;
+    client_secret?: string;
+}
+export interface OAuthConfigOptions {
+    endpoints: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        revocationUrl?: string;
+        userInfoUrl?: string;
+        registerUrl: string;
+    };
+    issuerUrl: string;
+    baseUrl: string;
+    serviceDocumentationUrl?: string;
+    pathPrefix?: string;
+    defaultScopes?: string[];
+}
+export interface OAuthProxyConfig {
+    endpoints: OAuthEndpoints;
+    issuerUrl: string;
+    baseUrl: string;
+    serviceDocumentationUrl?: string;
+    pathPrefix?: string;
+    storage?: OAuthStorage;
+    verifyAccessToken?: (token: string) => Promise<any>;
+    defaultScopes?: string[];
+}

package/dist/auth/oauth/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cache/__tests__/cloudflare-kv-nonce-cache.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for Cloudflare KV Nonce Cache
+ */
+export {};