@lanonasis/oauth-client 1.2.8 → 2.0.3

package/dist/index.cjs

@@ -398,11 +398,15 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
    * @returns Response with success status and expiration time
    */
   async requestOTP(email) {
+    if (typeof email !== "string" || !email.trim()) {
+      throw new Error("Invalid email: a non-empty email address is required to request an OTP.");
+    }
+    const normalizedEmail = email.trim().toLowerCase();
     const response = await (0, import_cross_fetch3.default)(`${this.authBaseUrl}/v1/auth/otp/send`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        email: email.trim().toLowerCase(),
+        email: normalizedEmail,
         type: "email",
         // Explicitly request 6-digit code, not magic link
         platform: this.platform,
@@ -556,7 +560,19 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
     return emailRegex.test(email.trim());
   }
   /**
-   * Check if an OTP code is valid format (6 digits)
+   * Check if an OTP code is valid format (6 digits).
+   *
+   * This method:
+   * - Trims leading and trailing whitespace from the input before validating.
+   * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+   *   incorrect length will cause it to return `false`.
+   *
+   * Note: This method expects a string value. Passing `null`, `undefined`, or
+   * other non-string values will result in a runtime error when `.trim()` is
+   * called, rather than returning `false`.
+   *
+   * @param code - The OTP code to validate.
+   * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
    */
   static isValidOTPCode(code) {
     return /^\d{6}$/.test(code.trim());
@@ -645,13 +661,25 @@ var TokenStorage = class {
   constructor() {
     this.storageKey = "lanonasis_mcp_tokens";
     this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
-    if (this.isNode()) {
-      try {
-        this.keytar = require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to file storage");
-      }
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
+    }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
+    }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to file storage");
     }
+    return this.keytar;
   }
   async store(tokens) {
     const tokensWithTimestamp = {
@@ -660,8 +688,9 @@ var TokenStorage = class {
     };
     const tokenString = JSON.stringify(tokensWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
       } else {
         await this.storeToFile(tokenString);
       }
@@ -678,8 +707,9 @@ var TokenStorage = class {
     let tokenString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
-          tokenString = await this.keytar.getPassword("lanonasis-mcp", "tokens");
+        const keytar = await this.getKeytar();
+        if (keytar) {
+          tokenString = await keytar.getPassword("lanonasis-mcp", "tokens");
         }
         if (!tokenString) {
           tokenString = await this.retrieveFromFile();
@@ -703,8 +733,9 @@ var TokenStorage = class {
   }
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.deletePassword("lanonasis-mcp", "tokens");
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.deletePassword("lanonasis-mcp", "tokens");
       }
       await this.deleteFile();
     } else if (this.isElectron()) {
@@ -949,14 +980,26 @@ var ApiKeyStorage = class {
     this.storageKey = "lanonasis_api_key";
     this.legacyConfigKey = "lanonasis_legacy_api_key";
     this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
     this.migrationCompleted = false;
-    if (this.isNode()) {
-      try {
-        this.keytar = require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to encrypted file storage");
-      }
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
+    }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
     }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to encrypted file storage");
+    }
+    return this.keytar;
   }
   /**
    * Initialize and migrate from legacy storage if needed
@@ -976,9 +1019,10 @@ var ApiKeyStorage = class {
     };
     const keyString = JSON.stringify(dataWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
+          await keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
           return;
         } catch (error) {
           console.warn("Keytar storage failed, falling back to file:", error);
@@ -1001,9 +1045,10 @@ var ApiKeyStorage = class {
     let keyString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
+        const keytar = await this.getKeytar();
+        if (keytar) {
           try {
-            keyString = await this.keytar.getPassword("lanonasis-mcp", this.storageKey);
+            keyString = await keytar.getPassword("lanonasis-mcp", this.storageKey);
           } catch (error) {
             console.warn("Keytar retrieval failed, trying file:", error);
           }
@@ -1061,9 +1106,10 @@ var ApiKeyStorage = class {
    */
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.deletePassword("lanonasis-mcp", this.storageKey);
+          await keytar.deletePassword("lanonasis-mcp", this.storageKey);
         } catch (error) {
           console.warn("Keytar deletion failed:", error);
         }
@@ -1365,26 +1411,19 @@ var ApiKeyStorage = class {
     throw new Error("No base64 decoder available");
   }
   /**
-   * Normalize API keys to a SHA-256 hex digest.
-   * Accepts pre-hashed input and lowercases it to prevent double hashing.
+   * Normalize stored credentials without transforming their value.
+   *
+   * These secrets are stored in encrypted local storage/keychains and must remain
+   * usable for outbound authentication headers (for example X-API-Key or Bearer).
+   * Hashing here would make the original credential unrecoverable and break
+   * clients that need to send the raw key/token back to a remote service.
    */
   async normalizeApiKey(apiKey) {
     const value = apiKey?.trim();
     if (!value) {
       throw new Error("API key must be a non-empty string");
     }
-    if (/^[a-f0-9]{64}$/i.test(value)) {
-      return value.toLowerCase();
-    }
-    if (typeof globalThis !== "undefined" && globalThis.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(value);
-      const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", data);
-      const hashArray = Array.from(new Uint8Array(hashBuffer));
-      return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-    }
-    const nodeCrypto = await import("crypto");
-    return nodeCrypto.createHash("sha256").update(value).digest("hex");
+    return value;
   }
 };
 

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { B as BaseOAuthFlow, O as OAuthConfig, c as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
-export { l as ApiKeyData, m as ApiKeyStorage, b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, k as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
+import { B as BaseOAuthFlow, O as OAuthConfig, i as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.cjs';
+export { k as ApiKeyData, l as ApiKeyStorage, A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, m as TokenStorage, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.cjs';
 
 declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private pollInterval;
@@ -131,7 +131,19 @@ declare class MagicLinkFlow extends BaseOAuthFlow {
      */
     static isValidEmail(email: string): boolean;
     /**
-     * Check if an OTP code is valid format (6 digits)
+     * Check if an OTP code is valid format (6 digits).
+     *
+     * This method:
+     * - Trims leading and trailing whitespace from the input before validating.
+     * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+     *   incorrect length will cause it to return `false`.
+     *
+     * Note: This method expects a string value. Passing `null`, `undefined`, or
+     * other non-string values will result in a runtime error when `.trim()` is
+     * called, rather than returning `false`.
+     *
+     * @param code - The OTP code to validate.
+     * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
      */
     static isValidOTPCode(code: string): boolean;
 }

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { B as BaseOAuthFlow, O as OAuthConfig, c as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
-export { l as ApiKeyData, m as ApiKeyStorage, b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, k as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
+import { B as BaseOAuthFlow, O as OAuthConfig, i as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.js';
+export { k as ApiKeyData, l as ApiKeyStorage, A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, m as TokenStorage, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.js';
 
 declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private pollInterval;
@@ -131,7 +131,19 @@ declare class MagicLinkFlow extends BaseOAuthFlow {
      */
     static isValidEmail(email: string): boolean;
     /**
-     * Check if an OTP code is valid format (6 digits)
+     * Check if an OTP code is valid format (6 digits).
+     *
+     * This method:
+     * - Trims leading and trailing whitespace from the input before validating.
+     * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+     *   incorrect length will cause it to return `false`.
+     *
+     * Note: This method expects a string value. Passing `null`, `undefined`, or
+     * other non-string values will result in a runtime error when `.trim()` is
+     * called, rather than returning `false`.
+     *
+     * @param code - The OTP code to validate.
+     * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
      */
     static isValidOTPCode(code: string): boolean;
 }

package/dist/index.mjs

@@ -359,11 +359,15 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
    * @returns Response with success status and expiration time
    */
   async requestOTP(email) {
+    if (typeof email !== "string" || !email.trim()) {
+      throw new Error("Invalid email: a non-empty email address is required to request an OTP.");
+    }
+    const normalizedEmail = email.trim().toLowerCase();
     const response = await fetch3(`${this.authBaseUrl}/v1/auth/otp/send`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        email: email.trim().toLowerCase(),
+        email: normalizedEmail,
         type: "email",
         // Explicitly request 6-digit code, not magic link
         platform: this.platform,
@@ -517,7 +521,19 @@ var MagicLinkFlow = class extends BaseOAuthFlow {
     return emailRegex.test(email.trim());
   }
   /**
-   * Check if an OTP code is valid format (6 digits)
+   * Check if an OTP code is valid format (6 digits).
+   *
+   * This method:
+   * - Trims leading and trailing whitespace from the input before validating.
+   * - Requires exactly 6 numeric digits (0–9); any non-numeric characters or
+   *   incorrect length will cause it to return `false`.
+   *
+   * Note: This method expects a string value. Passing `null`, `undefined`, or
+   * other non-string values will result in a runtime error when `.trim()` is
+   * called, rather than returning `false`.
+   *
+   * @param code - The OTP code to validate.
+   * @returns `true` if the trimmed code consists of exactly 6 digits, otherwise `false`.
    */
   static isValidOTPCode(code) {
     return /^\d{6}$/.test(code.trim());
@@ -606,13 +622,25 @@ var TokenStorage = class {
   constructor() {
     this.storageKey = "lanonasis_mcp_tokens";
     this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
-    if (this.isNode()) {
-      try {
-        this.keytar = __require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to file storage");
-      }
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
+    }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
+    }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to file storage");
     }
+    return this.keytar;
   }
   async store(tokens) {
     const tokensWithTimestamp = {
@@ -621,8 +649,9 @@ var TokenStorage = class {
     };
     const tokenString = JSON.stringify(tokensWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
       } else {
         await this.storeToFile(tokenString);
       }
@@ -639,8 +668,9 @@ var TokenStorage = class {
     let tokenString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
-          tokenString = await this.keytar.getPassword("lanonasis-mcp", "tokens");
+        const keytar = await this.getKeytar();
+        if (keytar) {
+          tokenString = await keytar.getPassword("lanonasis-mcp", "tokens");
         }
         if (!tokenString) {
           tokenString = await this.retrieveFromFile();
@@ -664,8 +694,9 @@ var TokenStorage = class {
   }
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.deletePassword("lanonasis-mcp", "tokens");
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.deletePassword("lanonasis-mcp", "tokens");
       }
       await this.deleteFile();
     } else if (this.isElectron()) {
@@ -910,14 +941,26 @@ var ApiKeyStorage = class {
     this.storageKey = "lanonasis_api_key";
     this.legacyConfigKey = "lanonasis_legacy_api_key";
     this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
     this.migrationCompleted = false;
-    if (this.isNode()) {
-      try {
-        this.keytar = __require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to encrypted file storage");
-      }
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
+    }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
     }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to encrypted file storage");
+    }
+    return this.keytar;
   }
   /**
    * Initialize and migrate from legacy storage if needed
@@ -937,9 +980,10 @@ var ApiKeyStorage = class {
     };
     const keyString = JSON.stringify(dataWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
+          await keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
           return;
         } catch (error) {
           console.warn("Keytar storage failed, falling back to file:", error);
@@ -962,9 +1006,10 @@ var ApiKeyStorage = class {
     let keyString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
+        const keytar = await this.getKeytar();
+        if (keytar) {
           try {
-            keyString = await this.keytar.getPassword("lanonasis-mcp", this.storageKey);
+            keyString = await keytar.getPassword("lanonasis-mcp", this.storageKey);
           } catch (error) {
             console.warn("Keytar retrieval failed, trying file:", error);
           }
@@ -1022,9 +1067,10 @@ var ApiKeyStorage = class {
    */
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.deletePassword("lanonasis-mcp", this.storageKey);
+          await keytar.deletePassword("lanonasis-mcp", this.storageKey);
         } catch (error) {
           console.warn("Keytar deletion failed:", error);
         }
@@ -1326,26 +1372,19 @@ var ApiKeyStorage = class {
     throw new Error("No base64 decoder available");
   }
   /**
-   * Normalize API keys to a SHA-256 hex digest.
-   * Accepts pre-hashed input and lowercases it to prevent double hashing.
+   * Normalize stored credentials without transforming their value.
+   *
+   * These secrets are stored in encrypted local storage/keychains and must remain
+   * usable for outbound authentication headers (for example X-API-Key or Bearer).
+   * Hashing here would make the original credential unrecoverable and break
+   * clients that need to send the raw key/token back to a remote service.
    */
   async normalizeApiKey(apiKey) {
     const value = apiKey?.trim();
     if (!value) {
       throw new Error("API key must be a non-empty string");
     }
-    if (/^[a-f0-9]{64}$/i.test(value)) {
-      return value.toLowerCase();
-    }
-    if (typeof globalThis !== "undefined" && globalThis.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(value);
-      const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", data);
-      const hashArray = Array.from(new Uint8Array(hashBuffer));
-      return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-    }
-    const nodeCrypto = await import("crypto");
-    return nodeCrypto.createHash("sha256").update(value).digest("hex");
+    return value;
   }
 };