npm - @lanonasis/oauth-client - Versions diffs - 1.2.6 → 1.2.7 - Mend

@lanonasis/oauth-client 1.2.6 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/{api-key-storage-web-DannE11B.d.cts → api-key-storage-web-J3W8nQi2.d.cts} +53 -1
package/dist/{api-key-storage-web-DannE11B.d.ts → api-key-storage-web-J3W8nQi2.d.ts} +53 -1
package/dist/browser.cjs +187 -0
package/dist/browser.d.cts +2 -2
package/dist/browser.d.ts +2 -2
package/dist/browser.mjs +187 -0
package/dist/index.cjs +187 -0
package/dist/index.d.cts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.mjs +187 -0
package/package.json +8 -3

package/dist/{api-key-storage-web-DannE11B.d.cts → api-key-storage-web-J3W8nQi2.d.cts} RENAMED Viewed

@@ -29,6 +29,42 @@ interface PKCEChallenge {
     codeVerifier: string;
     codeChallenge: string;
 }
+type AuthTokenType = 'api_key' | 'jwt' | 'oauth' | 'cli';
+interface AuthValidationResult {
+    valid: boolean;
+    type?: AuthTokenType;
+    userId?: string;
+    email?: string;
+    role?: string;
+    projectScope?: string;
+    permissions?: string[];
+    scope?: string | string[];
+    expiresAt?: string | null;
+    error?: string;
+    raw?: unknown;
+}
+interface AuthGatewayClientConfig {
+    authBaseUrl?: string;
+    clientId?: string;
+    projectScope?: string;
+}
+interface TokenExchangeOptions {
+    projectScope?: string;
+    platform?: string;
+}
+interface TokenExchangeResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type?: string;
+    user?: {
+        id: string;
+        email?: string;
+        role?: string;
+        project_scope?: string;
+    };
+    [key: string]: unknown;
+}
 declare abstract class BaseOAuthFlow {
     protected readonly clientId: string;
@@ -91,6 +127,22 @@ declare class TokenStorage implements TokenStorageAdapter {
     private getWebEncryptionKey;
 }
+declare class AuthGatewayClient {
+    private authBaseUrl;
+    private projectScope;
+    private flow;
+    constructor(config?: AuthGatewayClientConfig);
+    exchangeSupabaseToken(supabaseToken: string, options?: TokenExchangeOptions): Promise<TokenExchangeResponse>;
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    revokeToken(token: string, tokenType?: 'access_token' | 'refresh_token'): Promise<void>;
+    validateToken(token: string): Promise<AuthValidationResult>;
+    verifyApiKey(apiKey: string): Promise<AuthValidationResult>;
+    verifyToken(token: string): Promise<AuthValidationResult>;
+    introspectToken(token: string): Promise<AuthValidationResult>;
+    private normalizeTokenType;
+    private requestJson;
+}
 /**
  * Browser-only token storage that avoids Node/Electron dependencies.
  * Tokens are encrypted with Web Crypto and stored in localStorage.
@@ -205,4 +257,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
-export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, type TokenResponse as b, type DeviceCodeResponse as c, type AuthError as d, TokenStorage as e, type ApiKeyData as f, ApiKeyStorage as g };
+export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };

package/dist/{api-key-storage-web-DannE11B.d.ts → api-key-storage-web-J3W8nQi2.d.ts} RENAMED Viewed

@@ -29,6 +29,42 @@ interface PKCEChallenge {
     codeVerifier: string;
     codeChallenge: string;
 }
+type AuthTokenType = 'api_key' | 'jwt' | 'oauth' | 'cli';
+interface AuthValidationResult {
+    valid: boolean;
+    type?: AuthTokenType;
+    userId?: string;
+    email?: string;
+    role?: string;
+    projectScope?: string;
+    permissions?: string[];
+    scope?: string | string[];
+    expiresAt?: string | null;
+    error?: string;
+    raw?: unknown;
+}
+interface AuthGatewayClientConfig {
+    authBaseUrl?: string;
+    clientId?: string;
+    projectScope?: string;
+}
+interface TokenExchangeOptions {
+    projectScope?: string;
+    platform?: string;
+}
+interface TokenExchangeResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type?: string;
+    user?: {
+        id: string;
+        email?: string;
+        role?: string;
+        project_scope?: string;
+    };
+    [key: string]: unknown;
+}
 declare abstract class BaseOAuthFlow {
     protected readonly clientId: string;
@@ -91,6 +127,22 @@ declare class TokenStorage implements TokenStorageAdapter {
     private getWebEncryptionKey;
 }
+declare class AuthGatewayClient {
+    private authBaseUrl;
+    private projectScope;
+    private flow;
+    constructor(config?: AuthGatewayClientConfig);
+    exchangeSupabaseToken(supabaseToken: string, options?: TokenExchangeOptions): Promise<TokenExchangeResponse>;
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    revokeToken(token: string, tokenType?: 'access_token' | 'refresh_token'): Promise<void>;
+    validateToken(token: string): Promise<AuthValidationResult>;
+    verifyApiKey(apiKey: string): Promise<AuthValidationResult>;
+    verifyToken(token: string): Promise<AuthValidationResult>;
+    introspectToken(token: string): Promise<AuthValidationResult>;
+    private normalizeTokenType;
+    private requestJson;
+}
 /**
  * Browser-only token storage that avoids Node/Electron dependencies.
  * Tokens are encrypted with Web Crypto and stored in localStorage.
@@ -205,4 +257,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
-export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, type TokenResponse as b, type DeviceCodeResponse as c, type AuthError as d, TokenStorage as e, type ApiKeyData as f, ApiKeyStorage as g };
+export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };

package/dist/browser.cjs CHANGED Viewed

@@ -31,6 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var browser_exports = {};
 __export(browser_exports, {
   ApiKeyStorageWeb: () => ApiKeyStorageWeb,
+  AuthGatewayClient: () => AuthGatewayClient,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
@@ -662,6 +663,192 @@ var MCPClient = class {
   }
 };
+// src/client/auth-gateway-client.ts
+var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
+var GatewayOAuthFlow = class extends BaseOAuthFlow {
+  async authenticate() {
+    throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
+  }
+};
+var DEFAULT_AUTH_BASE_URL = "https://auth.lanonasis.com";
+var DEFAULT_CLIENT_ID = "lanonasis-cli";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+var API_KEY_PREFIXES = ["lano_", "pk_", "sk_"];
+var AuthGatewayClient = class {
+  constructor(config = {}) {
+    const baseUrl = config.authBaseUrl || DEFAULT_AUTH_BASE_URL;
+    this.authBaseUrl = baseUrl.replace(/\/+$/, "");
+    this.projectScope = config.projectScope || DEFAULT_PROJECT_SCOPE;
+    this.flow = new GatewayOAuthFlow({
+      clientId: config.clientId || DEFAULT_CLIENT_ID,
+      authBaseUrl: this.authBaseUrl
+    });
+  }
+  async exchangeSupabaseToken(supabaseToken, options = {}) {
+    const token = typeof supabaseToken === "string" ? supabaseToken.trim() : "";
+    if (!token) {
+      throw new Error("Supabase access token is required");
+    }
+    const projectScope = options.projectScope || this.projectScope;
+    const platform = options.platform || "web";
+    return this.requestJson("/v1/auth/token/exchange", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Project-Scope": projectScope
+      },
+      body: JSON.stringify({
+        project_scope: projectScope,
+        platform
+      })
+    });
+  }
+  async refreshToken(refreshToken) {
+    return this.flow.refreshToken(refreshToken);
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    return this.flow.revokeToken(token, tokenType);
+  }
+  async validateToken(token) {
+    const trimmed = typeof token === "string" ? token.trim() : "";
+    if (!trimmed) {
+      return { valid: false, error: "Token is required" };
+    }
+    if (API_KEY_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) {
+      return this.verifyApiKey(trimmed);
+    }
+    if (trimmed.startsWith("cli_") || trimmed.includes(".")) {
+      return this.verifyToken(trimmed);
+    }
+    return this.introspectToken(trimmed);
+  }
+  async verifyApiKey(apiKey) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-api-key", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": apiKey
+        }
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: "api_key",
+          error: data && (data.error || data.message) || "Invalid API key",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "api_key",
+        userId: data.userId,
+        projectScope: data.projectScope,
+        permissions: data.permissions || [],
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "api_key",
+        error: error?.message || "API key validation failed",
+        raw: error?.data
+      };
+    }
+  }
+  async verifyToken(token) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: data?.type ? this.normalizeTokenType(data.type) : "jwt",
+          error: data?.error || "Invalid token",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: data.type ? this.normalizeTokenType(data.type) : "jwt",
+        userId: data.user?.id,
+        email: data.user?.email,
+        role: data.user?.role,
+        expiresAt: data.expires_at || null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "jwt",
+        error: error?.message || "Token verification failed",
+        raw: error?.data
+      };
+    }
+  }
+  async introspectToken(token) {
+    try {
+      const data = await this.requestJson("/oauth/introspect", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.active !== true) {
+        return {
+          valid: false,
+          type: "oauth",
+          error: "Token is inactive",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "oauth",
+        userId: data.user_id || data.sub,
+        scope: data.scope,
+        expiresAt: data.exp ? new Date(data.exp * 1e3).toISOString() : null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "oauth",
+        error: error?.message || "Token introspection failed",
+        raw: error?.data
+      };
+    }
+  }
+  normalizeTokenType(type) {
+    if (type === "cli_token") return "cli";
+    if (type === "jwt") return "jwt";
+    return "jwt";
+  }
+  async requestJson(path, options) {
+    const response = await (0, import_cross_fetch4.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch (parseError) {
+        data = { raw: text };
+      }
+    }
+    if (!response.ok) {
+      const message = data?.message || data?.error || `Request failed (${response.status})`;
+      const error = new Error(message);
+      error.status = response.status;
+      error.data = data;
+      throw error;
+    }
+    return data;
+  }
+};
 // src/storage/api-key-storage-web.ts
 var ApiKeyStorageWeb = class {
   constructor() {

package/dist/browser.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DannE11B.cjs';
-export { A as ApiKeyStorageWeb, d as AuthError, B as BaseOAuthFlow, D as DesktopOAuthFlow, c as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, b as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-DannE11B.cjs';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
+export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/browser.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DannE11B.js';
-export { A as ApiKeyStorageWeb, d as AuthError, B as BaseOAuthFlow, D as DesktopOAuthFlow, c as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, b as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-DannE11B.js';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
+export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/browser.mjs CHANGED Viewed

@@ -629,6 +629,192 @@ var MCPClient = class {
   }
 };
+// src/client/auth-gateway-client.ts
+import fetch4 from "cross-fetch";
+var GatewayOAuthFlow = class extends BaseOAuthFlow {
+  async authenticate() {
+    throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
+  }
+};
+var DEFAULT_AUTH_BASE_URL = "https://auth.lanonasis.com";
+var DEFAULT_CLIENT_ID = "lanonasis-cli";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+var API_KEY_PREFIXES = ["lano_", "pk_", "sk_"];
+var AuthGatewayClient = class {
+  constructor(config = {}) {
+    const baseUrl = config.authBaseUrl || DEFAULT_AUTH_BASE_URL;
+    this.authBaseUrl = baseUrl.replace(/\/+$/, "");
+    this.projectScope = config.projectScope || DEFAULT_PROJECT_SCOPE;
+    this.flow = new GatewayOAuthFlow({
+      clientId: config.clientId || DEFAULT_CLIENT_ID,
+      authBaseUrl: this.authBaseUrl
+    });
+  }
+  async exchangeSupabaseToken(supabaseToken, options = {}) {
+    const token = typeof supabaseToken === "string" ? supabaseToken.trim() : "";
+    if (!token) {
+      throw new Error("Supabase access token is required");
+    }
+    const projectScope = options.projectScope || this.projectScope;
+    const platform = options.platform || "web";
+    return this.requestJson("/v1/auth/token/exchange", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Project-Scope": projectScope
+      },
+      body: JSON.stringify({
+        project_scope: projectScope,
+        platform
+      })
+    });
+  }
+  async refreshToken(refreshToken) {
+    return this.flow.refreshToken(refreshToken);
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    return this.flow.revokeToken(token, tokenType);
+  }
+  async validateToken(token) {
+    const trimmed = typeof token === "string" ? token.trim() : "";
+    if (!trimmed) {
+      return { valid: false, error: "Token is required" };
+    }
+    if (API_KEY_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) {
+      return this.verifyApiKey(trimmed);
+    }
+    if (trimmed.startsWith("cli_") || trimmed.includes(".")) {
+      return this.verifyToken(trimmed);
+    }
+    return this.introspectToken(trimmed);
+  }
+  async verifyApiKey(apiKey) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-api-key", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": apiKey
+        }
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: "api_key",
+          error: data && (data.error || data.message) || "Invalid API key",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "api_key",
+        userId: data.userId,
+        projectScope: data.projectScope,
+        permissions: data.permissions || [],
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "api_key",
+        error: error?.message || "API key validation failed",
+        raw: error?.data
+      };
+    }
+  }
+  async verifyToken(token) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: data?.type ? this.normalizeTokenType(data.type) : "jwt",
+          error: data?.error || "Invalid token",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: data.type ? this.normalizeTokenType(data.type) : "jwt",
+        userId: data.user?.id,
+        email: data.user?.email,
+        role: data.user?.role,
+        expiresAt: data.expires_at || null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "jwt",
+        error: error?.message || "Token verification failed",
+        raw: error?.data
+      };
+    }
+  }
+  async introspectToken(token) {
+    try {
+      const data = await this.requestJson("/oauth/introspect", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.active !== true) {
+        return {
+          valid: false,
+          type: "oauth",
+          error: "Token is inactive",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "oauth",
+        userId: data.user_id || data.sub,
+        scope: data.scope,
+        expiresAt: data.exp ? new Date(data.exp * 1e3).toISOString() : null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "oauth",
+        error: error?.message || "Token introspection failed",
+        raw: error?.data
+      };
+    }
+  }
+  normalizeTokenType(type) {
+    if (type === "cli_token") return "cli";
+    if (type === "jwt") return "jwt";
+    return "jwt";
+  }
+  async requestJson(path, options) {
+    const response = await fetch4(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch (parseError) {
+        data = { raw: text };
+      }
+    }
+    if (!response.ok) {
+      const message = data?.message || data?.error || `Request failed (${response.status})`;
+      const error = new Error(message);
+      error.status = response.status;
+      error.data = data;
+      throw error;
+    }
+    return data;
+  }
+};
 // src/storage/api-key-storage-web.ts
 var ApiKeyStorageWeb = class {
   constructor() {
@@ -760,6 +946,7 @@ var ApiKeyStorageWeb = class {
 };
 export {
   ApiKeyStorageWeb,
+  AuthGatewayClient,
   BaseOAuthFlow,
   DesktopOAuthFlow,
   MCPClient,

package/dist/index.cjs CHANGED Viewed

@@ -32,6 +32,7 @@ var index_exports = {};
 __export(index_exports, {
   ApiKeyStorage: () => ApiKeyStorage,
   ApiKeyStorageWeb: () => ApiKeyStorageWeb,
+  AuthGatewayClient: () => AuthGatewayClient,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
@@ -1791,3 +1792,189 @@ var MCPClient = class {
     return this.request("memory/delete", { id });
   }
 };
+// src/client/auth-gateway-client.ts
+var import_cross_fetch5 = __toESM(require("cross-fetch"), 1);
+var GatewayOAuthFlow = class extends BaseOAuthFlow {
+  async authenticate() {
+    throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
+  }
+};
+var DEFAULT_AUTH_BASE_URL = "https://auth.lanonasis.com";
+var DEFAULT_CLIENT_ID = "lanonasis-cli";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+var API_KEY_PREFIXES = ["lano_", "pk_", "sk_"];
+var AuthGatewayClient = class {
+  constructor(config = {}) {
+    const baseUrl = config.authBaseUrl || DEFAULT_AUTH_BASE_URL;
+    this.authBaseUrl = baseUrl.replace(/\/+$/, "");
+    this.projectScope = config.projectScope || DEFAULT_PROJECT_SCOPE;
+    this.flow = new GatewayOAuthFlow({
+      clientId: config.clientId || DEFAULT_CLIENT_ID,
+      authBaseUrl: this.authBaseUrl
+    });
+  }
+  async exchangeSupabaseToken(supabaseToken, options = {}) {
+    const token = typeof supabaseToken === "string" ? supabaseToken.trim() : "";
+    if (!token) {
+      throw new Error("Supabase access token is required");
+    }
+    const projectScope = options.projectScope || this.projectScope;
+    const platform = options.platform || "web";
+    return this.requestJson("/v1/auth/token/exchange", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Project-Scope": projectScope
+      },
+      body: JSON.stringify({
+        project_scope: projectScope,
+        platform
+      })
+    });
+  }
+  async refreshToken(refreshToken) {
+    return this.flow.refreshToken(refreshToken);
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    return this.flow.revokeToken(token, tokenType);
+  }
+  async validateToken(token) {
+    const trimmed = typeof token === "string" ? token.trim() : "";
+    if (!trimmed) {
+      return { valid: false, error: "Token is required" };
+    }
+    if (API_KEY_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) {
+      return this.verifyApiKey(trimmed);
+    }
+    if (trimmed.startsWith("cli_") || trimmed.includes(".")) {
+      return this.verifyToken(trimmed);
+    }
+    return this.introspectToken(trimmed);
+  }
+  async verifyApiKey(apiKey) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-api-key", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": apiKey
+        }
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: "api_key",
+          error: data && (data.error || data.message) || "Invalid API key",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "api_key",
+        userId: data.userId,
+        projectScope: data.projectScope,
+        permissions: data.permissions || [],
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "api_key",
+        error: error?.message || "API key validation failed",
+        raw: error?.data
+      };
+    }
+  }
+  async verifyToken(token) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: data?.type ? this.normalizeTokenType(data.type) : "jwt",
+          error: data?.error || "Invalid token",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: data.type ? this.normalizeTokenType(data.type) : "jwt",
+        userId: data.user?.id,
+        email: data.user?.email,
+        role: data.user?.role,
+        expiresAt: data.expires_at || null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "jwt",
+        error: error?.message || "Token verification failed",
+        raw: error?.data
+      };
+    }
+  }
+  async introspectToken(token) {
+    try {
+      const data = await this.requestJson("/oauth/introspect", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.active !== true) {
+        return {
+          valid: false,
+          type: "oauth",
+          error: "Token is inactive",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "oauth",
+        userId: data.user_id || data.sub,
+        scope: data.scope,
+        expiresAt: data.exp ? new Date(data.exp * 1e3).toISOString() : null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "oauth",
+        error: error?.message || "Token introspection failed",
+        raw: error?.data
+      };
+    }
+  }
+  normalizeTokenType(type) {
+    if (type === "cli_token") return "cli";
+    if (type === "jwt") return "jwt";
+    return "jwt";
+  }
+  async requestJson(path, options) {
+    const response = await (0, import_cross_fetch5.default)(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch (parseError) {
+        data = { raw: text };
+      }
+    }
+    if (!response.ok) {
+      const message = data?.message || data?.error || `Request failed (${response.status})`;
+      const error = new Error(message);
+      error.status = response.status;
+      error.data = data;
+      throw error;
+    }
+    return data;
+  }
+};

package/dist/index.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { B as BaseOAuthFlow, O as OAuthConfig, b as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-DannE11B.cjs';
-export { f as ApiKeyData, g as ApiKeyStorage, A as ApiKeyStorageWeb, d as AuthError, D as DesktopOAuthFlow, c as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, e as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-DannE11B.cjs';
+import { B as BaseOAuthFlow, O as OAuthConfig, c as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
+export { l as ApiKeyData, m as ApiKeyStorage, b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, k as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
 declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private pollInterval;

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { B as BaseOAuthFlow, O as OAuthConfig, b as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-DannE11B.js';
-export { f as ApiKeyData, g as ApiKeyStorage, A as ApiKeyStorageWeb, d as AuthError, D as DesktopOAuthFlow, c as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, e as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-DannE11B.js';
+import { B as BaseOAuthFlow, O as OAuthConfig, c as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
+export { l as ApiKeyData, m as ApiKeyStorage, b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, k as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
 declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private pollInterval;

package/dist/index.mjs CHANGED Viewed

@@ -1755,9 +1755,196 @@ var MCPClient = class {
     return this.request("memory/delete", { id });
   }
 };
+// src/client/auth-gateway-client.ts
+import fetch5 from "cross-fetch";
+var GatewayOAuthFlow = class extends BaseOAuthFlow {
+  async authenticate() {
+    throw new Error("Interactive authentication is not supported in AuthGatewayClient.");
+  }
+};
+var DEFAULT_AUTH_BASE_URL = "https://auth.lanonasis.com";
+var DEFAULT_CLIENT_ID = "lanonasis-cli";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+var API_KEY_PREFIXES = ["lano_", "pk_", "sk_"];
+var AuthGatewayClient = class {
+  constructor(config = {}) {
+    const baseUrl = config.authBaseUrl || DEFAULT_AUTH_BASE_URL;
+    this.authBaseUrl = baseUrl.replace(/\/+$/, "");
+    this.projectScope = config.projectScope || DEFAULT_PROJECT_SCOPE;
+    this.flow = new GatewayOAuthFlow({
+      clientId: config.clientId || DEFAULT_CLIENT_ID,
+      authBaseUrl: this.authBaseUrl
+    });
+  }
+  async exchangeSupabaseToken(supabaseToken, options = {}) {
+    const token = typeof supabaseToken === "string" ? supabaseToken.trim() : "";
+    if (!token) {
+      throw new Error("Supabase access token is required");
+    }
+    const projectScope = options.projectScope || this.projectScope;
+    const platform = options.platform || "web";
+    return this.requestJson("/v1/auth/token/exchange", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Project-Scope": projectScope
+      },
+      body: JSON.stringify({
+        project_scope: projectScope,
+        platform
+      })
+    });
+  }
+  async refreshToken(refreshToken) {
+    return this.flow.refreshToken(refreshToken);
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    return this.flow.revokeToken(token, tokenType);
+  }
+  async validateToken(token) {
+    const trimmed = typeof token === "string" ? token.trim() : "";
+    if (!trimmed) {
+      return { valid: false, error: "Token is required" };
+    }
+    if (API_KEY_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) {
+      return this.verifyApiKey(trimmed);
+    }
+    if (trimmed.startsWith("cli_") || trimmed.includes(".")) {
+      return this.verifyToken(trimmed);
+    }
+    return this.introspectToken(trimmed);
+  }
+  async verifyApiKey(apiKey) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-api-key", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": apiKey
+        }
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: "api_key",
+          error: data && (data.error || data.message) || "Invalid API key",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "api_key",
+        userId: data.userId,
+        projectScope: data.projectScope,
+        permissions: data.permissions || [],
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "api_key",
+        error: error?.message || "API key validation failed",
+        raw: error?.data
+      };
+    }
+  }
+  async verifyToken(token) {
+    try {
+      const data = await this.requestJson("/v1/auth/verify-token", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.valid === false) {
+        return {
+          valid: false,
+          type: data?.type ? this.normalizeTokenType(data.type) : "jwt",
+          error: data?.error || "Invalid token",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: data.type ? this.normalizeTokenType(data.type) : "jwt",
+        userId: data.user?.id,
+        email: data.user?.email,
+        role: data.user?.role,
+        expiresAt: data.expires_at || null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "jwt",
+        error: error?.message || "Token verification failed",
+        raw: error?.data
+      };
+    }
+  }
+  async introspectToken(token) {
+    try {
+      const data = await this.requestJson("/oauth/introspect", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token })
+      });
+      if (!data || data.active !== true) {
+        return {
+          valid: false,
+          type: "oauth",
+          error: "Token is inactive",
+          raw: data
+        };
+      }
+      return {
+        valid: true,
+        type: "oauth",
+        userId: data.user_id || data.sub,
+        scope: data.scope,
+        expiresAt: data.exp ? new Date(data.exp * 1e3).toISOString() : null,
+        raw: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        type: "oauth",
+        error: error?.message || "Token introspection failed",
+        raw: error?.data
+      };
+    }
+  }
+  normalizeTokenType(type) {
+    if (type === "cli_token") return "cli";
+    if (type === "jwt") return "jwt";
+    return "jwt";
+  }
+  async requestJson(path, options) {
+    const response = await fetch5(`${this.authBaseUrl}${path.startsWith("/") ? path : `/${path}`}`, options);
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch (parseError) {
+        data = { raw: text };
+      }
+    }
+    if (!response.ok) {
+      const message = data?.message || data?.error || `Request failed (${response.status})`;
+      const error = new Error(message);
+      error.status = response.status;
+      error.data = data;
+      throw error;
+    }
+    return data;
+  }
+};
 export {
   ApiKeyStorage,
   ApiKeyStorageWeb,
+  AuthGatewayClient,
   BaseOAuthFlow,
   DesktopOAuthFlow,
   MCPClient,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/oauth-client",
-  "version": "1.2.6",
+  "version": "1.2.7",
   "type": "module",
   "description": "OAuth and API Key authentication client for Lan Onasis MCP integration",
   "license": "MIT",
@@ -38,7 +38,9 @@
   "scripts": {
     "build": "tsup --config tsup.config.ts",
     "dev": "tsup --watch --config tsup.config.ts",
-    "test": "bun test",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
     "lint": "eslint src"
   },
   "keywords": [
@@ -52,6 +54,7 @@
   ],
   "dependencies": {
     "cross-fetch": "^4.0.0",
+    "eventsource": "^2.0.2",
     "keytar": "^7.9.0",
     "open": "^9.1.0"
   },
@@ -59,11 +62,13 @@
     "@eslint/js": "^9.17.0",
     "@types/eventsource": "^3.0.0",
     "@types/node": "^20.0.0",
+    "@vitest/coverage-v8": "^2.0.0",
     "eslint": "^9.17.0",
     "globals": "^16.4.0",
     "tsup": "^8.5.0",
     "typescript": "^5.3.3",
-    "typescript-eslint": "^8.18.1"
+    "typescript-eslint": "^8.18.1",
+    "vitest": "^2.0.0"
   },
   "peerDependencies": {
     "@supabase/supabase-js": "^2.0.0"