@leanmcp/auth 0.1.0

package/dist/chunk-YC7GFXAO.mjs

@@ -0,0 +1,193 @@
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/index.ts
+import "reflect-metadata";
+
+// src/decorators.ts
+import "reflect-metadata";
+var AuthenticationError = class extends Error {
+  static {
+    __name(this, "AuthenticationError");
+  }
+  code;
+  constructor(message, code) {
+    super(message), this.code = code;
+    this.name = "AuthenticationError";
+  }
+};
+function Authenticated(authProvider) {
+  return function(target, propertyKey, descriptor) {
+    if (!propertyKey && !descriptor) {
+      Reflect.defineMetadata("auth:provider", authProvider, target);
+      Reflect.defineMetadata("auth:required", true, target);
+      const prototype = target.prototype;
+      const methodNames = Object.getOwnPropertyNames(prototype).filter((name) => name !== "constructor" && typeof prototype[name] === "function");
+      for (const methodName of methodNames) {
+        const originalDescriptor = Object.getOwnPropertyDescriptor(prototype, methodName);
+        if (originalDescriptor && typeof originalDescriptor.value === "function") {
+          const originalMethod = originalDescriptor.value;
+          Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
+          Reflect.defineMetadata("auth:required", true, originalMethod);
+          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider);
+          copyMetadata(originalMethod, prototype[methodName]);
+        }
+      }
+      return target;
+    }
+    if (descriptor && typeof descriptor.value === "function") {
+      const originalMethod = descriptor.value;
+      Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
+      Reflect.defineMetadata("auth:required", true, originalMethod);
+      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider);
+      copyMetadata(originalMethod, descriptor.value);
+      return descriptor;
+    }
+    throw new Error("@Authenticated can only be applied to classes or methods");
+  };
+}
+__name(Authenticated, "Authenticated");
+function createAuthenticatedMethod(originalMethod, authProvider) {
+  return async function(...args) {
+    const firstArg = args[0];
+    let token;
+    let cleanedArgs = args;
+    if (firstArg && typeof firstArg === "object") {
+      token = firstArg.token;
+      const { token: _, ...restArgs } = firstArg;
+      cleanedArgs = [
+        restArgs,
+        ...args.slice(1)
+      ];
+    }
+    if (!token) {
+      throw new AuthenticationError("Authentication required. Please provide a valid token in the request.", "MISSING_TOKEN");
+    }
+    try {
+      const isValid = await authProvider.verifyToken(token);
+      if (!isValid) {
+        throw new AuthenticationError("Invalid or expired token. Please authenticate again.", "INVALID_TOKEN");
+      }
+    } catch (error) {
+      if (error instanceof AuthenticationError) {
+        throw error;
+      }
+      throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
+    }
+    return originalMethod.apply(this, cleanedArgs);
+  };
+}
+__name(createAuthenticatedMethod, "createAuthenticatedMethod");
+function copyMetadata(source, target) {
+  const metadataKeys = Reflect.getMetadataKeys(source);
+  for (const key of metadataKeys) {
+    const value = Reflect.getMetadata(key, source);
+    Reflect.defineMetadata(key, value, target);
+  }
+  const designKeys = [
+    "design:type",
+    "design:paramtypes",
+    "design:returntype"
+  ];
+  for (const key of designKeys) {
+    const value = Reflect.getMetadata(key, source);
+    if (value !== void 0) {
+      Reflect.defineMetadata(key, value, target);
+    }
+  }
+}
+__name(copyMetadata, "copyMetadata");
+function isAuthenticationRequired(target) {
+  return Reflect.getMetadata("auth:required", target) === true;
+}
+__name(isAuthenticationRequired, "isAuthenticationRequired");
+function getAuthProvider(target) {
+  return Reflect.getMetadata("auth:provider", target);
+}
+__name(getAuthProvider, "getAuthProvider");
+
+// src/index.ts
+var AuthProviderBase = class {
+  static {
+    __name(this, "AuthProviderBase");
+  }
+};
+var AuthProvider = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthProvider");
+  }
+  providerInstance = null;
+  providerType;
+  config;
+  constructor(provider, config) {
+    super();
+    this.providerType = provider.toLowerCase();
+    this.config = config;
+  }
+  /**
+  * Initialize the selected auth provider
+  */
+  async init(config) {
+    const finalConfig = config || this.config;
+    switch (this.providerType) {
+      case "cognito": {
+        const { AuthCognito } = await import("./cognito-GBSAAMZI.mjs");
+        this.providerInstance = new AuthCognito();
+        await this.providerInstance.init(finalConfig);
+        break;
+      }
+      // Add more providers here in the future
+      // case 'clerk': {
+      //   const { AuthClerk } = await import('./providers/clerk');
+      //   this.providerInstance = new AuthClerk();
+      //   await this.providerInstance.init(finalConfig);
+      //   break;
+      // }
+      default:
+        throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
+    }
+  }
+  /**
+  * Refresh an authentication token
+  */
+  async refreshToken(refreshToken, username) {
+    if (!this.providerInstance) {
+      throw new Error("AuthProvider not initialized. Call init() first.");
+    }
+    return this.providerInstance.refreshToken(refreshToken, username);
+  }
+  /**
+  * Verify if a token is valid
+  */
+  async verifyToken(token) {
+    if (!this.providerInstance) {
+      throw new Error("AuthProvider not initialized. Call init() first.");
+    }
+    return this.providerInstance.verifyToken(token);
+  }
+  /**
+  * Get user information from a token
+  */
+  async getUser(token) {
+    if (!this.providerInstance) {
+      throw new Error("AuthProvider not initialized. Call init() first.");
+    }
+    return this.providerInstance.getUser(token);
+  }
+  /**
+  * Get the provider type
+  */
+  getProviderType() {
+    return this.providerType;
+  }
+};
+
+export {
+  __name,
+  AuthenticationError,
+  Authenticated,
+  isAuthenticationRequired,
+  getAuthProvider,
+  AuthProviderBase,
+  AuthProvider
+};

package/dist/cognito-GBSAAMZI.mjs

@@ -0,0 +1,145 @@
+import {
+  AuthProviderBase,
+  __name
+} from "./chunk-YC7GFXAO.mjs";
+
+// src/providers/cognito.ts
+import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { createHmac } from "crypto";
+import axios from "axios";
+import jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+var AuthCognito = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthCognito");
+  }
+  cognito = null;
+  region = "";
+  userPoolId = "";
+  clientId = "";
+  clientSecret = "";
+  jwksCache = null;
+  /**
+  * Initialize the Cognito client with configuration
+  */
+  async init(config) {
+    this.region = config?.region || process.env.AWS_REGION || "";
+    this.userPoolId = config?.userPoolId || process.env.COGNITO_USER_POOL_ID || "";
+    this.clientId = config?.clientId || process.env.COGNITO_CLIENT_ID || "";
+    this.clientSecret = config?.clientSecret || process.env.COGNITO_CLIENT_SECRET || "";
+    if (!this.region || !this.userPoolId || !this.clientId) {
+      throw new Error("Missing required Cognito configuration: region, userPoolId, and clientId are required");
+    }
+    this.cognito = new CognitoIdentityProviderClient({
+      region: this.region
+    });
+  }
+  /**
+  * Refresh access tokens using a refresh token
+  */
+  async refreshToken(refreshToken, username) {
+    if (!this.cognito) {
+      throw new Error("CognitoAuth not initialized. Call init() first.");
+    }
+    const authParameters = {
+      REFRESH_TOKEN: refreshToken
+    };
+    if (this.clientSecret) {
+      const usernameForHash = username;
+      const secretHash = this.calculateSecretHash(usernameForHash);
+      authParameters.SECRET_HASH = secretHash;
+    }
+    const command = new InitiateAuthCommand({
+      AuthFlow: "REFRESH_TOKEN_AUTH",
+      ClientId: this.clientId,
+      AuthParameters: authParameters
+    });
+    return await this.cognito.send(command);
+  }
+  /**
+  * Verify a Cognito JWT token using JWKS
+  */
+  async verifyToken(token) {
+    try {
+      await this.verifyJwt(token);
+      return true;
+    } catch (error) {
+      if (error instanceof Error) {
+        if (error.message.includes("jwt expired")) {
+          throw new Error("Token has expired");
+        } else if (error.message.includes("invalid signature")) {
+          throw new Error("Invalid token signature");
+        } else if (error.message.includes("jwt malformed")) {
+          throw new Error("Malformed token");
+        } else if (error.message.includes("invalid issuer")) {
+          throw new Error("Invalid token issuer");
+        }
+        throw error;
+      }
+      return false;
+    }
+  }
+  /**
+  * Get user information from an ID token
+  */
+  async getUser(idToken) {
+    const decoded = jwt.decode(idToken);
+    if (!decoded) {
+      throw new Error("Invalid ID token");
+    }
+    return {
+      username: decoded["cognito:username"],
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      sub: decoded.sub,
+      attributes: decoded
+    };
+  }
+  /**
+  * Fetch JWKS from Cognito (cached)
+  */
+  async fetchJWKS() {
+    if (!this.jwksCache) {
+      const jwksUri = `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}/.well-known/jwks.json`;
+      const { data } = await axios.get(jwksUri);
+      this.jwksCache = data.keys;
+    }
+    return this.jwksCache;
+  }
+  /**
+  * Verify JWT token using JWKS
+  */
+  async verifyJwt(token) {
+    const decoded = jwt.decode(token, {
+      complete: true
+    });
+    if (!decoded) {
+      throw new Error("Invalid token");
+    }
+    const jwks = await this.fetchJWKS();
+    const key = jwks.find((k) => k.kid === decoded.header.kid);
+    if (!key) {
+      throw new Error("Signing key not found in JWKS");
+    }
+    const pem = jwkToPem(key);
+    return jwt.verify(token, pem, {
+      algorithms: [
+        "RS256"
+      ],
+      issuer: `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}`
+    });
+  }
+  /**
+  * Calculate SECRET_HASH for Cognito authentication
+  * SECRET_HASH = Base64(HMAC_SHA256(username + clientId, clientSecret))
+  */
+  calculateSecretHash(username) {
+    const message = username + this.clientId;
+    const hmac = createHmac("sha256", this.clientSecret);
+    hmac.update(message);
+    return hmac.digest("base64");
+  }
+};
+export {
+  AuthCognito
+};

package/dist/cognito-VCVS77OX.mjs

@@ -0,0 +1,145 @@
+import {
+  AuthProviderBase,
+  __name
+} from "./chunk-NALGJYQB.mjs";
+
+// src/providers/cognito.ts
+import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { createHmac } from "crypto";
+import axios from "axios";
+import jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+var AuthCognito = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthCognito");
+  }
+  cognito = null;
+  region = "";
+  userPoolId = "";
+  clientId = "";
+  clientSecret = "";
+  jwksCache = null;
+  /**
+  * Initialize the Cognito client with configuration
+  */
+  async init(config) {
+    this.region = config?.region || process.env.AWS_REGION || "";
+    this.userPoolId = config?.userPoolId || process.env.COGNITO_USER_POOL_ID || "";
+    this.clientId = config?.clientId || process.env.COGNITO_CLIENT_ID || "";
+    this.clientSecret = config?.clientSecret || process.env.COGNITO_CLIENT_SECRET || "";
+    if (!this.region || !this.userPoolId || !this.clientId) {
+      throw new Error("Missing required Cognito configuration: region, userPoolId, and clientId are required");
+    }
+    this.cognito = new CognitoIdentityProviderClient({
+      region: this.region
+    });
+  }
+  /**
+  * Refresh access tokens using a refresh token
+  */
+  async refreshToken(refreshToken, username) {
+    if (!this.cognito) {
+      throw new Error("CognitoAuth not initialized. Call init() first.");
+    }
+    const authParameters = {
+      REFRESH_TOKEN: refreshToken
+    };
+    if (this.clientSecret) {
+      const usernameForHash = username;
+      const secretHash = this.calculateSecretHash(usernameForHash);
+      authParameters.SECRET_HASH = secretHash;
+    }
+    const command = new InitiateAuthCommand({
+      AuthFlow: "REFRESH_TOKEN_AUTH",
+      ClientId: this.clientId,
+      AuthParameters: authParameters
+    });
+    return await this.cognito.send(command);
+  }
+  /**
+  * Verify a Cognito JWT token using JWKS
+  */
+  async verifyToken(token) {
+    try {
+      await this.verifyJwt(token);
+      return true;
+    } catch (error) {
+      if (error instanceof Error) {
+        if (error.message.includes("jwt expired")) {
+          throw new Error("Token has expired");
+        } else if (error.message.includes("invalid signature")) {
+          throw new Error("Invalid token signature");
+        } else if (error.message.includes("jwt malformed")) {
+          throw new Error("Malformed token");
+        } else if (error.message.includes("invalid issuer")) {
+          throw new Error("Invalid token issuer");
+        }
+        throw error;
+      }
+      return false;
+    }
+  }
+  /**
+  * Get user information from an ID token
+  */
+  async getUser(idToken) {
+    const decoded = jwt.decode(idToken);
+    if (!decoded) {
+      throw new Error("Invalid ID token");
+    }
+    return {
+      username: decoded["cognito:username"],
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      sub: decoded.sub,
+      attributes: decoded
+    };
+  }
+  /**
+  * Fetch JWKS from Cognito (cached)
+  */
+  async fetchJWKS() {
+    if (!this.jwksCache) {
+      const jwksUri = `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}/.well-known/jwks.json`;
+      const { data } = await axios.get(jwksUri);
+      this.jwksCache = data.keys;
+    }
+    return this.jwksCache;
+  }
+  /**
+  * Verify JWT token using JWKS
+  */
+  async verifyJwt(token) {
+    const decoded = jwt.decode(token, {
+      complete: true
+    });
+    if (!decoded) {
+      throw new Error("Invalid token");
+    }
+    const jwks = await this.fetchJWKS();
+    const key = jwks.find((k) => k.kid === decoded.header.kid);
+    if (!key) {
+      throw new Error("Signing key not found in JWKS");
+    }
+    const pem = jwkToPem(key);
+    return jwt.verify(token, pem, {
+      algorithms: [
+        "RS256"
+      ],
+      issuer: `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}`
+    });
+  }
+  /**
+  * Calculate SECRET_HASH for Cognito authentication
+  * SECRET_HASH = Base64(HMAC_SHA256(username + clientId, clientSecret))
+  */
+  calculateSecretHash(username) {
+    const message = username + this.clientId;
+    const hmac = createHmac("sha256", this.clientSecret);
+    hmac.update(message);
+    return hmac.digest("base64");
+  }
+};
+export {
+  AuthCognito
+};

package/dist/index.d.mts

@@ -0,0 +1,121 @@
+/**
+ * Authentication error class for better error handling
+ */
+declare class AuthenticationError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Decorator to protect MCP tools, prompts, resources, or entire services with authentication
+ *
+ * Usage:
+ *
+ * 1. Protect individual methods:
+ * ```typescript
+ * @Tool({ description: 'Analyze sentiment' })
+ * @Authenticated(authProvider)
+ * async analyzeSentiment(args: AnalyzeSentimentInput): Promise<AnalyzeSentimentOutput> {
+ *   // This method requires authentication
+ * }
+ * ```
+ *
+ * 2. Protect entire service (all tools/prompts/resources):
+ * ```typescript
+ * @Authenticated(authProvider)
+ * export class SentimentAnalysisService {
+ *   @Tool({ description: 'Analyze sentiment' })
+ *   async analyzeSentiment(args: AnalyzeSentimentInput) {
+ *     // All methods in this service require authentication
+ *   }
+ * }
+ * ```
+ *
+ * The decorator expects authentication token in the MCP request _meta field:
+ * ```json
+ * {
+ *   "method": "tools/call",
+ *   "params": {
+ *     "name": "toolName",
+ *     "arguments": { ...businessData },
+ *     "_meta": {
+ *       "authorization": {
+ *         "type": "bearer",
+ *         "token": "your-jwt-token"
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * @param authProvider - Instance of AuthProviderBase to use for token verification
+ */
+declare function Authenticated(authProvider: AuthProviderBase): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
+/**
+ * Check if a method or class requires authentication
+ */
+declare function isAuthenticationRequired(target: any): boolean;
+/**
+ * Get the auth provider for a method or class
+ */
+declare function getAuthProvider(target: any): AuthProviderBase | undefined;
+
+/**
+ * @leanmcp/auth - Authentication Module
+ *
+ * This module provides a base class for implementing authentication providers for MCP tools.
+ * Extend AuthProviderBase to integrate with different auth providers (Clerk, Stripe, Firebase, etc.)
+ */
+/**
+ * Base class for authentication providers
+ * Extend this class to implement integrations with different auth providers
+ */
+declare abstract class AuthProviderBase {
+    /**
+     * Initialize the auth provider with configuration
+     */
+    abstract init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    abstract refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    abstract verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    abstract getUser(token: string): Promise<any>;
+}
+/**
+ * Unified AuthProvider class that dynamically selects the appropriate auth provider
+ * based on the provider parameter
+ */
+declare class AuthProvider extends AuthProviderBase {
+    private providerInstance;
+    private providerType;
+    private config;
+    constructor(provider: string, config?: any);
+    /**
+     * Initialize the selected auth provider
+     */
+    init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    getUser(token: string): Promise<any>;
+    /**
+     * Get the provider type
+     */
+    getProviderType(): string;
+}
+
+export { AuthProvider, AuthProviderBase, Authenticated, AuthenticationError, getAuthProvider, isAuthenticationRequired };