@leanmcp/auth 0.1.0 → 0.2.0

package/README.md

@@ -5,11 +5,12 @@ Authentication module for LeanMCP providing token-based authentication decorator
 ## Features
 
 - **@Authenticated decorator** - Protect MCP tools, prompts, and resources with token authentication
-- **Multi-provider support** - AWS Cognito (more providers coming soon)
+- **Multi-provider support** - AWS Cognito, Clerk, Auth0
 - **Method or class-level protection** - Apply to individual methods or entire services
 - **Automatic token validation** - Validates tokens before method execution
 - **Custom error handling** - Detailed error codes for different auth failures
 - **Type-safe** - Full TypeScript support with type inference
+- **OAuth & Session modes** - Support for both session-based and OAuth refresh token flows
 
 ## Installation
 
@@ -24,6 +25,16 @@ For AWS Cognito:
 npm install @aws-sdk/client-cognito-identity-provider axios jsonwebtoken jwk-to-pem
 ```
 
+For Clerk:
+```bash
+npm install axios jsonwebtoken jwk-to-pem
+```
+
+For Auth0:
+```bash
+npm install axios jsonwebtoken jwk-to-pem
+```
+
 ## Quick Start
 
 ### 1. Initialize Auth Provider
@@ -169,6 +180,17 @@ try {
 
 ## Supported Auth Providers
 
+### Provider Comparison
+
+| Feature | AWS Cognito | Clerk | Auth0 |
+|---------|-------------|-------|-------|
+| **JWT Verification** | ✅ JWKS | ✅ JWKS | ✅ JWKS |
+| **Refresh Tokens** | ✅ Yes | ✅ Yes (OAuth mode) | ✅ Yes |
+| **Session Mode** | ❌ No | ✅ Yes (default) | ❌ No |
+| **OAuth Mode** | ✅ Yes | ✅ Yes | ✅ Yes |
+| **User Data** | ✅ Yes | ✅ Yes | ✅ Yes |
+| **Setup Complexity** | Low | Low | Low |
+
 ### AWS Cognito
 
 ```typescript
@@ -185,10 +207,123 @@ await authProvider.init();
 - Token must be valid and not expired
 - Token must be issued by the configured User Pool
 
+**Environment Variables:**
+```bash
+AWS_REGION=us-east-1
+COGNITO_USER_POOL_ID=us-east-1_XXXXXXXXX
+COGNITO_CLIENT_ID=your-client-id
+```
+
+### Clerk
+
+Clerk supports both **Session Mode** (default) and **OAuth Mode** (with refresh tokens).
+
+#### Session Mode (Default)
+
+```typescript
+const authProvider = new AuthProvider('clerk', {
+  frontendApi: 'your-frontend-api.clerk.accounts.dev',
+  secretKey: 'sk_test_...'
+});
+await authProvider.init();
+```
+
+**Configuration:**
+- `frontendApi` - Your Clerk Frontend API domain
+- `secretKey` - Your Clerk Secret Key
+
+**Environment Variables:**
+```bash
+CLERK_FRONTEND_API=your-frontend-api.clerk.accounts.dev
+CLERK_SECRET_KEY=sk_test_...
+```
+
+#### OAuth Mode (Refresh Tokens)
+
+```typescript
+const authProvider = new AuthProvider('clerk', {
+  frontendApi: 'your-frontend-api.clerk.accounts.dev',
+  secretKey: 'sk_test_...',
+  clientId: 'your-oauth-client-id',
+  clientSecret: 'your-oauth-client-secret',
+  redirectUri: 'https://yourapp.com/callback'
+});
+await authProvider.init();
+
+// Refresh tokens when needed
+const newTokens = await authProvider.refreshToken(refreshToken);
+// Returns: { access_token, id_token, refresh_token }
+```
+
+**OAuth Configuration:**
+- `clientId` - OAuth Client ID from Clerk
+- `clientSecret` - OAuth Client Secret from Clerk
+- `redirectUri` - OAuth redirect URI
+
+**Token Requirements:**
+- JWT token from Clerk (ID token or session token)
+- Token must be valid and not expired
+- Token must be issued by your Clerk instance
+
+**User Data:**
+```typescript
+const user = await authProvider.getUser(idToken);
+// Returns: { sub, email, email_verified, first_name, last_name, attributes }
+```
+
+### Auth0
+
+```typescript
+const authProvider = new AuthProvider('auth0', {
+  domain: 'your-tenant.auth0.com',
+  clientId: 'your-client-id',
+  clientSecret: 'your-client-secret', // Optional for public clients
+  audience: 'https://your-api-identifier',
+  scopes: 'openid profile email offline_access' // Optional, defaults shown
+});
+await authProvider.init();
+
+// Refresh tokens when needed
+const newTokens = await authProvider.refreshToken(refreshToken);
+// Returns: { access_token, id_token, refresh_token, expires_in }
+```
+
+**Configuration:**
+- `domain` - Your Auth0 tenant domain (e.g., `your-tenant.auth0.com`)
+- `clientId` - Your Auth0 Application Client ID
+- `clientSecret` - Your Auth0 Application Client Secret (optional for public clients)
+- `audience` - Your API identifier (required for API access)
+- `scopes` - OAuth scopes (default: `openid profile email offline_access`)
+
+**Environment Variables:**
+```bash
+AUTH0_DOMAIN=your-tenant.auth0.com
+AUTH0_CLIENT_ID=your-client-id
+AUTH0_CLIENT_SECRET=your-client-secret
+AUTH0_AUDIENCE=https://your-api-identifier
+```
+
+**Token Requirements:**
+- JWT token from Auth0 (access token or ID token)
+- Token must be valid and not expired
+- Token must be issued by your Auth0 tenant
+- Token must have the correct audience
+
+**User Data:**
+```typescript
+const user = await authProvider.getUser(idToken);
+// Returns: { sub, email, email_verified, name, attributes }
+```
+
+**Error Handling:**
+Auth0 provider includes detailed error messages:
+- `Token has expired` - Token is expired
+- `Invalid token signature` - Token signature verification failed
+- `Malformed token` - Token format is invalid
+- `Invalid token issuer` - Token issuer doesn't match
+
 ### More Providers Coming Soon
 
-- Clerk
-- Auth0
 - Firebase Auth
 - Custom JWT providers
 
@@ -238,16 +373,32 @@ function getAuthProvider(target: any, propertyKey?: string): AuthProvider | unde
 
 ## Environment Variables
 
-For AWS Cognito:
+### AWS Cognito
 ```bash
 AWS_REGION=us-east-1
 COGNITO_USER_POOL_ID=us-east-1_XXXXXXXXX
 COGNITO_CLIENT_ID=your-client-id
 ```
 
-## Complete Example
+### Clerk (Session Mode)
+```bash
+CLERK_FRONTEND_API=your-frontend-api.clerk.accounts.dev
+CLERK_SECRET_KEY=sk_test_...
+```
+
+### Auth0
+```bash
+AUTH0_DOMAIN=your-tenant.auth0.com
+AUTH0_CLIENT_ID=your-client-id
+AUTH0_CLIENT_SECRET=your-client-secret
+AUTH0_AUDIENCE=https://your-api-identifier
+```
 
-See [examples/slack-with-auth](../../examples/slack-with-auth) for a complete working example with AWS Cognito.
+## Complete Examples
+
+### AWS Cognito Example
+
+See [examples/slack-with-auth](../../examples/slack-with-auth) for a complete working example.
 
 ```typescript
 import { createHTTPServer, MCPServer } from "@leanmcp/core";
@@ -280,6 +431,123 @@ const serverFactory = () => {
 await createHTTPServer(serverFactory, { port: 3000 });
 ```
 
+### Clerk Example
+
+```typescript
+import { createHTTPServer, MCPServer } from "@leanmcp/core";
+import { AuthProvider, Authenticated } from "@leanmcp/auth";
+
+// Initialize Clerk in Session Mode
+const authProvider = new AuthProvider('clerk', {
+  frontendApi: process.env.CLERK_FRONTEND_API,
+  secretKey: process.env.CLERK_SECRET_KEY
+});
+await authProvider.init();
+
+// Or initialize in OAuth Mode (with refresh tokens)
+const authProviderOAuth = new AuthProvider('clerk', {
+  frontendApi: process.env.CLERK_FRONTEND_API,
+  secretKey: process.env.CLERK_SECRET_KEY,
+  clientId: process.env.CLERK_CLIENT_ID,
+  clientSecret: process.env.CLERK_CLIENT_SECRET,
+  redirectUri: process.env.CLERK_REDIRECT_URI
+});
+await authProviderOAuth.init();
+
+@Authenticated(authProvider)
+class UserService {
+  @Tool({ description: 'Get user profile' })
+  async getProfile(input: { userId: string }) {
+    // Token is automatically validated
+    return { userId: input.userId, name: "John Doe" };
+  }
+}
+
+const serverFactory = () => {
+  const server = new MCPServer({ name: "clerk-server", version: "1.0.0" });
+  server.registerService(new UserService());
+  return server.getServer();
+};
+
+await createHTTPServer(serverFactory, { port: 3000 });
+```
+
+### Auth0 Example
+
+```typescript
+import { createHTTPServer, MCPServer } from "@leanmcp/core";
+import { AuthProvider, Authenticated } from "@leanmcp/auth";
+
+// Initialize Auth0
+const authProvider = new AuthProvider('auth0', {
+  domain: process.env.AUTH0_DOMAIN,
+  clientId: process.env.AUTH0_CLIENT_ID,
+  clientSecret: process.env.AUTH0_CLIENT_SECRET,
+  audience: process.env.AUTH0_AUDIENCE,
+  scopes: 'openid profile email offline_access'
+});
+await authProvider.init();
+
+@Authenticated(authProvider)
+class SecureAPIService {
+  @Tool({ description: 'Get sensitive data' })
+  async getSensitiveData(input: { dataId: string }) {
+    // Token is automatically validated
+    return { dataId: input.dataId, data: "Sensitive information" };
+  }
+  
+  @Tool({ description: 'Update user settings' })
+  async updateSettings(input: { settings: Record<string, any> }) {
+    return { success: true, settings: input.settings };
+  }
+}
+
+const serverFactory = () => {
+  const server = new MCPServer({ name: "auth0-server", version: "1.0.0" });
+  server.registerService(new SecureAPIService());
+  return server.getServer();
+};
+
+await createHTTPServer(serverFactory, { port: 3000 });
+```
+
+### Multi-Provider Example
+
+```typescript
+import { AuthProvider, Authenticated } from "@leanmcp/auth";
+
+// Initialize multiple providers
+const clerkAuth = new AuthProvider('clerk', {
+  frontendApi: process.env.CLERK_FRONTEND_API,
+  secretKey: process.env.CLERK_SECRET_KEY
+});
+await clerkAuth.init();
+
+const auth0Auth = new AuthProvider('auth0', {
+  domain: process.env.AUTH0_DOMAIN,
+  clientId: process.env.AUTH0_CLIENT_ID,
+  audience: process.env.AUTH0_AUDIENCE
+});
+await auth0Auth.init();
+
+// Use different providers for different services
+@Authenticated(clerkAuth)
+class UserService {
+  @Tool()
+  async getUserData(input: { userId: string }) {
+    return { userId: input.userId };
+  }
+}
+
+@Authenticated(auth0Auth)
+class AdminService {
+  @Tool()
+  async getAdminData(input: { adminId: string }) {
+    return { adminId: input.adminId };
+  }
+}
+```
+
 ## How It Works
 
 1. **Request arrives** with `_meta.authorization.token`
@@ -304,6 +572,85 @@ await createHTTPServer(serverFactory, { port: 3000 });
 5. **Log authentication failures** - Monitor for suspicious activity
 6. **Use environment variables** - Never hardcode credentials
 7. **Use _meta for auth** - Don't include tokens in business arguments
+8. **Choose the right mode** - Use Session mode for simpler setups, OAuth mode for refresh tokens
+9. **Test token expiration** - Ensure your app handles expired tokens gracefully
+10. **Monitor JWKS cache** - Providers cache JWKS keys for performance
+
+## Quick Reference
+
+### Initialization Patterns
+
+```typescript
+// AWS Cognito
+const cognito = new AuthProvider('cognito', {
+  region: 'us-east-1',
+  userPoolId: 'us-east-1_XXX',
+  clientId: 'xxx'
+});
+
+// Clerk (Session Mode)
+const clerk = new AuthProvider('clerk', {
+  frontendApi: 'xxx.clerk.accounts.dev',
+  secretKey: 'sk_test_xxx'
+});
+
+// Clerk (OAuth Mode)
+const clerkOAuth = new AuthProvider('clerk', {
+  frontendApi: 'xxx.clerk.accounts.dev',
+  secretKey: 'sk_test_xxx',
+  clientId: 'xxx',
+  clientSecret: 'xxx',
+  redirectUri: 'https://app.com/callback'
+});
+
+// Auth0
+const auth0 = new AuthProvider('auth0', {
+  domain: 'tenant.auth0.com',
+  clientId: 'xxx',
+  clientSecret: 'xxx',
+  audience: 'https://api-identifier'
+});
+```
+
+### Common Operations
+
+```typescript
+// Initialize
+await authProvider.init();
+
+// Verify token
+const isValid = await authProvider.verifyToken(token);
+
+// Refresh token (OAuth/Auth0 only)
+const newTokens = await authProvider.refreshToken(refreshToken);
+
+// Get user data
+const user = await authProvider.getUser(idToken);
+
+// Get provider type
+const type = authProvider.getProviderType(); // 'cognito' | 'clerk' | 'auth0'
+```
+
+### Decorator Usage
+
+```typescript
+// Protect single method
+@Authenticated(authProvider)
+async myMethod(input: { data: string }) { }
+
+// Protect entire class
+@Authenticated(authProvider)
+class MyService {
+  @Tool() async method1() { }
+  @Tool() async method2() { }
+}
+
+// Check if authentication required
+const required = isAuthenticationRequired(target, 'methodName');
+
+// Get auth provider for method
+const provider = getAuthProvider(target, 'methodName');
+```
 
 ## License
 

package/dist/auth0-A25F3NOH.mjs

@@ -0,0 +1,102 @@
+import {
+  AuthProviderBase,
+  __name
+} from "./chunk-KKO5VLFX.mjs";
+
+// src/providers/auth0.ts
+import axios from "axios";
+import jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+var AuthAuth0 = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthAuth0");
+  }
+  domain = "";
+  clientId = "";
+  clientSecret = "";
+  audience = "";
+  scopes = "openid profile email offline_access";
+  jwksCache = null;
+  async init(config) {
+    this.domain = config?.domain || process.env.AUTH0_DOMAIN || "";
+    this.clientId = config?.clientId || process.env.AUTH0_CLIENT_ID || "";
+    this.clientSecret = config?.clientSecret || process.env.AUTH0_CLIENT_SECRET || "";
+    this.audience = config?.audience || process.env.AUTH0_AUDIENCE || "";
+    this.scopes = config?.scopes || this.scopes;
+    if (!this.domain || !this.clientId || !this.audience) {
+      throw new Error("Auth0 config missing: domain, clientId, and audience are required");
+    }
+  }
+  async refreshToken(refreshToken) {
+    const url = `https://${this.domain}/oauth/token`;
+    const payload = {
+      grant_type: "refresh_token",
+      client_id: this.clientId,
+      refresh_token: refreshToken,
+      audience: this.audience,
+      scope: this.scopes
+    };
+    if (this.clientSecret) {
+      payload.client_secret = this.clientSecret;
+    }
+    const { data } = await axios.post(url, payload, {
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+    return data;
+  }
+  async verifyToken(token) {
+    try {
+      await this.verifyJwt(token);
+      return true;
+    } catch (error) {
+      if (error instanceof Error) {
+        if (error.message.includes("jwt expired")) throw new Error("Token has expired");
+        if (error.message.includes("invalid signature")) throw new Error("Invalid token signature");
+        if (error.message.includes("jwt malformed")) throw new Error("Malformed token");
+        if (error.message.includes("invalid issuer")) throw new Error("Invalid token issuer");
+        throw error;
+      }
+      return false;
+    }
+  }
+  async getUser(idToken) {
+    const decoded = jwt.decode(idToken);
+    if (!decoded) throw new Error("Invalid ID token");
+    return {
+      sub: decoded.sub,
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      name: decoded.name,
+      attributes: decoded
+    };
+  }
+  async fetchJWKS() {
+    if (!this.jwksCache) {
+      const jwksUri = `https://${this.domain}/.well-known/jwks.json`;
+      const { data } = await axios.get(jwksUri);
+      this.jwksCache = data.keys;
+    }
+    return this.jwksCache;
+  }
+  async verifyJwt(token) {
+    const decoded = jwt.decode(token, {
+      complete: true
+    });
+    if (!decoded) throw new Error("Invalid token");
+    const jwks = await this.fetchJWKS();
+    const key = jwks.find((k) => k.kid === decoded.header.kid);
+    if (!key) throw new Error("Signing key not found in JWKS");
+    const pem = jwkToPem(key);
+    return jwt.verify(token, pem, {
+      algorithms: [
+        "RS256"
+      ],
+      issuer: `https://${this.domain}/`
+    });
+  }
+};
+export {
+  AuthAuth0
+};

package/dist/{chunk-NALGJYQB.mjs → chunk-KKO5VLFX.mjs}

@@ -123,18 +123,23 @@ var AuthProvider = class extends AuthProviderBase {
     const finalConfig = config || this.config;
     switch (this.providerType) {
       case "cognito": {
-        const { AuthCognito } = await import("./cognito-VCVS77OX.mjs");
+        const { AuthCognito } = await import("./cognito-2RRSLFKI.mjs");
         this.providerInstance = new AuthCognito();
         await this.providerInstance.init(finalConfig);
         break;
       }
-      // Add more providers here in the future
-      // case 'clerk': {
-      //   const { AuthClerk } = await import('./providers/clerk');
-      //   this.providerInstance = new AuthClerk();
-      //   await this.providerInstance.init(finalConfig);
-      //   break;
-      // }
+      case "auth0": {
+        const { AuthAuth0 } = await import("./auth0-A25F3NOH.mjs");
+        this.providerInstance = new AuthAuth0();
+        await this.providerInstance.init(finalConfig);
+        break;
+      }
+      case "clerk": {
+        const { AuthClerk } = await import("./clerk-XNMGPYSN.mjs");
+        this.providerInstance = new AuthClerk();
+        await this.providerInstance.init(finalConfig);
+        break;
+      }
       default:
         throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
     }

package/dist/clerk-XNMGPYSN.mjs

@@ -0,0 +1,115 @@
+import {
+  AuthProviderBase,
+  __name
+} from "./chunk-KKO5VLFX.mjs";
+
+// src/providers/clerk.ts
+import axios from "axios";
+import jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+var AuthClerk = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthClerk");
+  }
+  clerkFrontendApi = "";
+  clerkSecretKey = "";
+  clerkJWKSUrl = "";
+  clerkIssuer = "";
+  jwksCache = null;
+  mode = "session";
+  oauthTokenUrl = "";
+  clientId;
+  clientSecret;
+  redirectUri;
+  /**
+  * Initialize Clerk Auth Provider
+  */
+  async init(config) {
+    this.clerkFrontendApi = config?.frontendApi || process.env.CLERK_FRONTEND_API || "";
+    this.clerkSecretKey = config?.secretKey || process.env.CLERK_SECRET_KEY || "";
+    if (!this.clerkFrontendApi || !this.clerkSecretKey) {
+      throw new Error("Missing Clerk configuration: frontendApi and secretKey are required");
+    }
+    this.clerkIssuer = `https://${this.clerkFrontendApi}`;
+    this.clerkJWKSUrl = `${this.clerkIssuer}/.well-known/jwks.json`;
+    if (config?.clientId && config?.clientSecret && config?.redirectUri) {
+      this.mode = "oauth";
+      this.clientId = config.clientId;
+      this.clientSecret = config.clientSecret;
+      this.redirectUri = config.redirectUri;
+      this.oauthTokenUrl = `${this.clerkIssuer}/oauth/token`;
+    }
+  }
+  /**
+  * Refresh tokens (OAuth mode only)
+  */
+  async refreshToken(refreshToken) {
+    if (this.mode !== "oauth") {
+      throw new Error("Clerk is in Session Mode: refresh tokens are not supported. Enable OAuth mode.");
+    }
+    const payload = {
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: this.clientId,
+      client_secret: this.clientSecret,
+      redirect_uri: this.redirectUri
+    };
+    const { data } = await axios.post(this.oauthTokenUrl, payload, {
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+    return data;
+  }
+  /**
+  * Verify JWT using JWKS
+  */
+  async verifyToken(token) {
+    await this.verifyJwt(token);
+    return true;
+  }
+  /**
+  * Extract user data from ID token
+  */
+  async getUser(idToken) {
+    const decoded = jwt.decode(idToken);
+    if (!decoded) throw new Error("Invalid ID token");
+    return {
+      sub: decoded.sub,
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      first_name: decoded.given_name,
+      last_name: decoded.family_name,
+      attributes: decoded
+    };
+  }
+  /**
+  * JWT verification using JWKS
+  */
+  async verifyJwt(token) {
+    const decoded = jwt.decode(token, {
+      complete: true
+    });
+    if (!decoded) throw new Error("Invalid token");
+    const jwks = await this.fetchJWKS();
+    const key = jwks.find((k) => k.kid === decoded.header.kid);
+    if (!key) throw new Error("Signing key not found in JWKS");
+    const pem = jwkToPem(key);
+    return jwt.verify(token, pem, {
+      algorithms: [
+        "RS256"
+      ],
+      issuer: this.clerkIssuer
+    });
+  }
+  async fetchJWKS() {
+    if (!this.jwksCache) {
+      const { data } = await axios.get(this.clerkJWKSUrl);
+      this.jwksCache = data.keys;
+    }
+    return this.jwksCache;
+  }
+};
+export {
+  AuthClerk
+};

package/dist/{cognito-GBSAAMZI.mjs → cognito-2RRSLFKI.mjs}

@@ -1,7 +1,7 @@
 import {
   AuthProviderBase,
   __name
-} from "./chunk-YC7GFXAO.mjs";
+} from "./chunk-KKO5VLFX.mjs";
 
 // src/providers/cognito.ts
 import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";

package/dist/index.js

@@ -280,6 +280,231 @@ var init_cognito = __esm({
   }
 });
 
+// src/providers/auth0.ts
+var auth0_exports = {};
+__export(auth0_exports, {
+  AuthAuth0: () => AuthAuth0
+});
+var import_axios2, import_jsonwebtoken2, import_jwk_to_pem2, AuthAuth0;
+var init_auth0 = __esm({
+  "src/providers/auth0.ts"() {
+    "use strict";
+    import_axios2 = __toESM(require("axios"));
+    import_jsonwebtoken2 = __toESM(require("jsonwebtoken"));
+    import_jwk_to_pem2 = __toESM(require("jwk-to-pem"));
+    init_index();
+    AuthAuth0 = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthAuth0");
+      }
+      domain = "";
+      clientId = "";
+      clientSecret = "";
+      audience = "";
+      scopes = "openid profile email offline_access";
+      jwksCache = null;
+      async init(config) {
+        this.domain = config?.domain || process.env.AUTH0_DOMAIN || "";
+        this.clientId = config?.clientId || process.env.AUTH0_CLIENT_ID || "";
+        this.clientSecret = config?.clientSecret || process.env.AUTH0_CLIENT_SECRET || "";
+        this.audience = config?.audience || process.env.AUTH0_AUDIENCE || "";
+        this.scopes = config?.scopes || this.scopes;
+        if (!this.domain || !this.clientId || !this.audience) {
+          throw new Error("Auth0 config missing: domain, clientId, and audience are required");
+        }
+      }
+      async refreshToken(refreshToken) {
+        const url = `https://${this.domain}/oauth/token`;
+        const payload = {
+          grant_type: "refresh_token",
+          client_id: this.clientId,
+          refresh_token: refreshToken,
+          audience: this.audience,
+          scope: this.scopes
+        };
+        if (this.clientSecret) {
+          payload.client_secret = this.clientSecret;
+        }
+        const { data } = await import_axios2.default.post(url, payload, {
+          headers: {
+            "Content-Type": "application/json"
+          }
+        });
+        return data;
+      }
+      async verifyToken(token) {
+        try {
+          await this.verifyJwt(token);
+          return true;
+        } catch (error) {
+          if (error instanceof Error) {
+            if (error.message.includes("jwt expired")) throw new Error("Token has expired");
+            if (error.message.includes("invalid signature")) throw new Error("Invalid token signature");
+            if (error.message.includes("jwt malformed")) throw new Error("Malformed token");
+            if (error.message.includes("invalid issuer")) throw new Error("Invalid token issuer");
+            throw error;
+          }
+          return false;
+        }
+      }
+      async getUser(idToken) {
+        const decoded = import_jsonwebtoken2.default.decode(idToken);
+        if (!decoded) throw new Error("Invalid ID token");
+        return {
+          sub: decoded.sub,
+          email: decoded.email,
+          email_verified: decoded.email_verified,
+          name: decoded.name,
+          attributes: decoded
+        };
+      }
+      async fetchJWKS() {
+        if (!this.jwksCache) {
+          const jwksUri = `https://${this.domain}/.well-known/jwks.json`;
+          const { data } = await import_axios2.default.get(jwksUri);
+          this.jwksCache = data.keys;
+        }
+        return this.jwksCache;
+      }
+      async verifyJwt(token) {
+        const decoded = import_jsonwebtoken2.default.decode(token, {
+          complete: true
+        });
+        if (!decoded) throw new Error("Invalid token");
+        const jwks = await this.fetchJWKS();
+        const key = jwks.find((k) => k.kid === decoded.header.kid);
+        if (!key) throw new Error("Signing key not found in JWKS");
+        const pem = (0, import_jwk_to_pem2.default)(key);
+        return import_jsonwebtoken2.default.verify(token, pem, {
+          algorithms: [
+            "RS256"
+          ],
+          issuer: `https://${this.domain}/`
+        });
+      }
+    };
+  }
+});
+
+// src/providers/clerk.ts
+var clerk_exports = {};
+__export(clerk_exports, {
+  AuthClerk: () => AuthClerk
+});
+var import_axios3, import_jsonwebtoken3, import_jwk_to_pem3, AuthClerk;
+var init_clerk = __esm({
+  "src/providers/clerk.ts"() {
+    "use strict";
+    import_axios3 = __toESM(require("axios"));
+    import_jsonwebtoken3 = __toESM(require("jsonwebtoken"));
+    import_jwk_to_pem3 = __toESM(require("jwk-to-pem"));
+    init_index();
+    AuthClerk = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthClerk");
+      }
+      clerkFrontendApi = "";
+      clerkSecretKey = "";
+      clerkJWKSUrl = "";
+      clerkIssuer = "";
+      jwksCache = null;
+      mode = "session";
+      oauthTokenUrl = "";
+      clientId;
+      clientSecret;
+      redirectUri;
+      /**
+      * Initialize Clerk Auth Provider
+      */
+      async init(config) {
+        this.clerkFrontendApi = config?.frontendApi || process.env.CLERK_FRONTEND_API || "";
+        this.clerkSecretKey = config?.secretKey || process.env.CLERK_SECRET_KEY || "";
+        if (!this.clerkFrontendApi || !this.clerkSecretKey) {
+          throw new Error("Missing Clerk configuration: frontendApi and secretKey are required");
+        }
+        this.clerkIssuer = `https://${this.clerkFrontendApi}`;
+        this.clerkJWKSUrl = `${this.clerkIssuer}/.well-known/jwks.json`;
+        if (config?.clientId && config?.clientSecret && config?.redirectUri) {
+          this.mode = "oauth";
+          this.clientId = config.clientId;
+          this.clientSecret = config.clientSecret;
+          this.redirectUri = config.redirectUri;
+          this.oauthTokenUrl = `${this.clerkIssuer}/oauth/token`;
+        }
+      }
+      /**
+      * Refresh tokens (OAuth mode only)
+      */
+      async refreshToken(refreshToken) {
+        if (this.mode !== "oauth") {
+          throw new Error("Clerk is in Session Mode: refresh tokens are not supported. Enable OAuth mode.");
+        }
+        const payload = {
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          client_id: this.clientId,
+          client_secret: this.clientSecret,
+          redirect_uri: this.redirectUri
+        };
+        const { data } = await import_axios3.default.post(this.oauthTokenUrl, payload, {
+          headers: {
+            "Content-Type": "application/json"
+          }
+        });
+        return data;
+      }
+      /**
+      * Verify JWT using JWKS
+      */
+      async verifyToken(token) {
+        await this.verifyJwt(token);
+        return true;
+      }
+      /**
+      * Extract user data from ID token
+      */
+      async getUser(idToken) {
+        const decoded = import_jsonwebtoken3.default.decode(idToken);
+        if (!decoded) throw new Error("Invalid ID token");
+        return {
+          sub: decoded.sub,
+          email: decoded.email,
+          email_verified: decoded.email_verified,
+          first_name: decoded.given_name,
+          last_name: decoded.family_name,
+          attributes: decoded
+        };
+      }
+      /**
+      * JWT verification using JWKS
+      */
+      async verifyJwt(token) {
+        const decoded = import_jsonwebtoken3.default.decode(token, {
+          complete: true
+        });
+        if (!decoded) throw new Error("Invalid token");
+        const jwks = await this.fetchJWKS();
+        const key = jwks.find((k) => k.kid === decoded.header.kid);
+        if (!key) throw new Error("Signing key not found in JWKS");
+        const pem = (0, import_jwk_to_pem3.default)(key);
+        return import_jsonwebtoken3.default.verify(token, pem, {
+          algorithms: [
+            "RS256"
+          ],
+          issuer: this.clerkIssuer
+        });
+      }
+      async fetchJWKS() {
+        if (!this.jwksCache) {
+          const { data } = await import_axios3.default.get(this.clerkJWKSUrl);
+          this.jwksCache = data.keys;
+        }
+        return this.jwksCache;
+      }
+    };
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -325,13 +550,18 @@ var init_index = __esm({
             await this.providerInstance.init(finalConfig);
             break;
           }
-          // Add more providers here in the future
-          // case 'clerk': {
-          //   const { AuthClerk } = await import('./providers/clerk');
-          //   this.providerInstance = new AuthClerk();
-          //   await this.providerInstance.init(finalConfig);
-          //   break;
-          // }
+          case "auth0": {
+            const { AuthAuth0: AuthAuth02 } = await Promise.resolve().then(() => (init_auth0(), auth0_exports));
+            this.providerInstance = new AuthAuth02();
+            await this.providerInstance.init(finalConfig);
+            break;
+          }
+          case "clerk": {
+            const { AuthClerk: AuthClerk2 } = await Promise.resolve().then(() => (init_clerk(), clerk_exports));
+            this.providerInstance = new AuthClerk2();
+            await this.providerInstance.init(finalConfig);
+            break;
+          }
           default:
             throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
         }

package/dist/index.mjs

@@ -5,7 +5,7 @@ import {
   AuthenticationError,
   getAuthProvider,
   isAuthenticationRequired
-} from "./chunk-NALGJYQB.mjs";
+} from "./chunk-KKO5VLFX.mjs";
 export {
   AuthProvider,
   AuthProviderBase,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@leanmcp/auth",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Authentication and identity module supporting multiple providers",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -24,7 +24,7 @@
     "test:watch": "jest --watch"
   },
   "dependencies": {
-    "@leanmcp/core": "^0.1.0",
+    "@leanmcp/core": "^0.2.0",
     "reflect-metadata": "^0.2.1"
   },
   "devDependencies": {
@@ -32,7 +32,9 @@
     "@types/jsonwebtoken": "^9.0.10",
     "@types/jwk-to-pem": "^2.0.3",
     "@types/node": "^20.0.0",
-    "dotenv": "^17.2.3"
+    "dotenv": "^17.2.3",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.0"
   },
   "peerDependencies": {
     "@aws-sdk/client-cognito-identity-provider": "^3.0.0",

package/dist/chunk-YC7GFXAO.mjs

@@ -1,193 +0,0 @@
-var __defProp = Object.defineProperty;
-var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-
-// src/index.ts
-import "reflect-metadata";
-
-// src/decorators.ts
-import "reflect-metadata";
-var AuthenticationError = class extends Error {
-  static {
-    __name(this, "AuthenticationError");
-  }
-  code;
-  constructor(message, code) {
-    super(message), this.code = code;
-    this.name = "AuthenticationError";
-  }
-};
-function Authenticated(authProvider) {
-  return function(target, propertyKey, descriptor) {
-    if (!propertyKey && !descriptor) {
-      Reflect.defineMetadata("auth:provider", authProvider, target);
-      Reflect.defineMetadata("auth:required", true, target);
-      const prototype = target.prototype;
-      const methodNames = Object.getOwnPropertyNames(prototype).filter((name) => name !== "constructor" && typeof prototype[name] === "function");
-      for (const methodName of methodNames) {
-        const originalDescriptor = Object.getOwnPropertyDescriptor(prototype, methodName);
-        if (originalDescriptor && typeof originalDescriptor.value === "function") {
-          const originalMethod = originalDescriptor.value;
-          Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
-          Reflect.defineMetadata("auth:required", true, originalMethod);
-          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider);
-          copyMetadata(originalMethod, prototype[methodName]);
-        }
-      }
-      return target;
-    }
-    if (descriptor && typeof descriptor.value === "function") {
-      const originalMethod = descriptor.value;
-      Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
-      Reflect.defineMetadata("auth:required", true, originalMethod);
-      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider);
-      copyMetadata(originalMethod, descriptor.value);
-      return descriptor;
-    }
-    throw new Error("@Authenticated can only be applied to classes or methods");
-  };
-}
-__name(Authenticated, "Authenticated");
-function createAuthenticatedMethod(originalMethod, authProvider) {
-  return async function(...args) {
-    const firstArg = args[0];
-    let token;
-    let cleanedArgs = args;
-    if (firstArg && typeof firstArg === "object") {
-      token = firstArg.token;
-      const { token: _, ...restArgs } = firstArg;
-      cleanedArgs = [
-        restArgs,
-        ...args.slice(1)
-      ];
-    }
-    if (!token) {
-      throw new AuthenticationError("Authentication required. Please provide a valid token in the request.", "MISSING_TOKEN");
-    }
-    try {
-      const isValid = await authProvider.verifyToken(token);
-      if (!isValid) {
-        throw new AuthenticationError("Invalid or expired token. Please authenticate again.", "INVALID_TOKEN");
-      }
-    } catch (error) {
-      if (error instanceof AuthenticationError) {
-        throw error;
-      }
-      throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
-    }
-    return originalMethod.apply(this, cleanedArgs);
-  };
-}
-__name(createAuthenticatedMethod, "createAuthenticatedMethod");
-function copyMetadata(source, target) {
-  const metadataKeys = Reflect.getMetadataKeys(source);
-  for (const key of metadataKeys) {
-    const value = Reflect.getMetadata(key, source);
-    Reflect.defineMetadata(key, value, target);
-  }
-  const designKeys = [
-    "design:type",
-    "design:paramtypes",
-    "design:returntype"
-  ];
-  for (const key of designKeys) {
-    const value = Reflect.getMetadata(key, source);
-    if (value !== void 0) {
-      Reflect.defineMetadata(key, value, target);
-    }
-  }
-}
-__name(copyMetadata, "copyMetadata");
-function isAuthenticationRequired(target) {
-  return Reflect.getMetadata("auth:required", target) === true;
-}
-__name(isAuthenticationRequired, "isAuthenticationRequired");
-function getAuthProvider(target) {
-  return Reflect.getMetadata("auth:provider", target);
-}
-__name(getAuthProvider, "getAuthProvider");
-
-// src/index.ts
-var AuthProviderBase = class {
-  static {
-    __name(this, "AuthProviderBase");
-  }
-};
-var AuthProvider = class extends AuthProviderBase {
-  static {
-    __name(this, "AuthProvider");
-  }
-  providerInstance = null;
-  providerType;
-  config;
-  constructor(provider, config) {
-    super();
-    this.providerType = provider.toLowerCase();
-    this.config = config;
-  }
-  /**
-  * Initialize the selected auth provider
-  */
-  async init(config) {
-    const finalConfig = config || this.config;
-    switch (this.providerType) {
-      case "cognito": {
-        const { AuthCognito } = await import("./cognito-GBSAAMZI.mjs");
-        this.providerInstance = new AuthCognito();
-        await this.providerInstance.init(finalConfig);
-        break;
-      }
-      // Add more providers here in the future
-      // case 'clerk': {
-      //   const { AuthClerk } = await import('./providers/clerk');
-      //   this.providerInstance = new AuthClerk();
-      //   await this.providerInstance.init(finalConfig);
-      //   break;
-      // }
-      default:
-        throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
-    }
-  }
-  /**
-  * Refresh an authentication token
-  */
-  async refreshToken(refreshToken, username) {
-    if (!this.providerInstance) {
-      throw new Error("AuthProvider not initialized. Call init() first.");
-    }
-    return this.providerInstance.refreshToken(refreshToken, username);
-  }
-  /**
-  * Verify if a token is valid
-  */
-  async verifyToken(token) {
-    if (!this.providerInstance) {
-      throw new Error("AuthProvider not initialized. Call init() first.");
-    }
-    return this.providerInstance.verifyToken(token);
-  }
-  /**
-  * Get user information from a token
-  */
-  async getUser(token) {
-    if (!this.providerInstance) {
-      throw new Error("AuthProvider not initialized. Call init() first.");
-    }
-    return this.providerInstance.getUser(token);
-  }
-  /**
-  * Get the provider type
-  */
-  getProviderType() {
-    return this.providerType;
-  }
-};
-
-export {
-  __name,
-  AuthenticationError,
-  Authenticated,
-  isAuthenticationRequired,
-  getAuthProvider,
-  AuthProviderBase,
-  AuthProvider
-};

package/dist/cognito-VCVS77OX.mjs

@@ -1,145 +0,0 @@
-import {
-  AuthProviderBase,
-  __name
-} from "./chunk-NALGJYQB.mjs";
-
-// src/providers/cognito.ts
-import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";
-import { createHmac } from "crypto";
-import axios from "axios";
-import jwt from "jsonwebtoken";
-import jwkToPem from "jwk-to-pem";
-var AuthCognito = class extends AuthProviderBase {
-  static {
-    __name(this, "AuthCognito");
-  }
-  cognito = null;
-  region = "";
-  userPoolId = "";
-  clientId = "";
-  clientSecret = "";
-  jwksCache = null;
-  /**
-  * Initialize the Cognito client with configuration
-  */
-  async init(config) {
-    this.region = config?.region || process.env.AWS_REGION || "";
-    this.userPoolId = config?.userPoolId || process.env.COGNITO_USER_POOL_ID || "";
-    this.clientId = config?.clientId || process.env.COGNITO_CLIENT_ID || "";
-    this.clientSecret = config?.clientSecret || process.env.COGNITO_CLIENT_SECRET || "";
-    if (!this.region || !this.userPoolId || !this.clientId) {
-      throw new Error("Missing required Cognito configuration: region, userPoolId, and clientId are required");
-    }
-    this.cognito = new CognitoIdentityProviderClient({
-      region: this.region
-    });
-  }
-  /**
-  * Refresh access tokens using a refresh token
-  */
-  async refreshToken(refreshToken, username) {
-    if (!this.cognito) {
-      throw new Error("CognitoAuth not initialized. Call init() first.");
-    }
-    const authParameters = {
-      REFRESH_TOKEN: refreshToken
-    };
-    if (this.clientSecret) {
-      const usernameForHash = username;
-      const secretHash = this.calculateSecretHash(usernameForHash);
-      authParameters.SECRET_HASH = secretHash;
-    }
-    const command = new InitiateAuthCommand({
-      AuthFlow: "REFRESH_TOKEN_AUTH",
-      ClientId: this.clientId,
-      AuthParameters: authParameters
-    });
-    return await this.cognito.send(command);
-  }
-  /**
-  * Verify a Cognito JWT token using JWKS
-  */
-  async verifyToken(token) {
-    try {
-      await this.verifyJwt(token);
-      return true;
-    } catch (error) {
-      if (error instanceof Error) {
-        if (error.message.includes("jwt expired")) {
-          throw new Error("Token has expired");
-        } else if (error.message.includes("invalid signature")) {
-          throw new Error("Invalid token signature");
-        } else if (error.message.includes("jwt malformed")) {
-          throw new Error("Malformed token");
-        } else if (error.message.includes("invalid issuer")) {
-          throw new Error("Invalid token issuer");
-        }
-        throw error;
-      }
-      return false;
-    }
-  }
-  /**
-  * Get user information from an ID token
-  */
-  async getUser(idToken) {
-    const decoded = jwt.decode(idToken);
-    if (!decoded) {
-      throw new Error("Invalid ID token");
-    }
-    return {
-      username: decoded["cognito:username"],
-      email: decoded.email,
-      email_verified: decoded.email_verified,
-      sub: decoded.sub,
-      attributes: decoded
-    };
-  }
-  /**
-  * Fetch JWKS from Cognito (cached)
-  */
-  async fetchJWKS() {
-    if (!this.jwksCache) {
-      const jwksUri = `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}/.well-known/jwks.json`;
-      const { data } = await axios.get(jwksUri);
-      this.jwksCache = data.keys;
-    }
-    return this.jwksCache;
-  }
-  /**
-  * Verify JWT token using JWKS
-  */
-  async verifyJwt(token) {
-    const decoded = jwt.decode(token, {
-      complete: true
-    });
-    if (!decoded) {
-      throw new Error("Invalid token");
-    }
-    const jwks = await this.fetchJWKS();
-    const key = jwks.find((k) => k.kid === decoded.header.kid);
-    if (!key) {
-      throw new Error("Signing key not found in JWKS");
-    }
-    const pem = jwkToPem(key);
-    return jwt.verify(token, pem, {
-      algorithms: [
-        "RS256"
-      ],
-      issuer: `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}`
-    });
-  }
-  /**
-  * Calculate SECRET_HASH for Cognito authentication
-  * SECRET_HASH = Base64(HMAC_SHA256(username + clientId, clientSecret))
-  */
-  calculateSecretHash(username) {
-    const message = username + this.clientId;
-    const hmac = createHmac("sha256", this.clientSecret);
-    hmac.update(message);
-    return hmac.digest("base64");
-  }
-};
-export {
-  AuthCognito
-};