@leanmcp/auth 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,121 @@
+/**
+ * Authentication error class for better error handling
+ */
+declare class AuthenticationError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Decorator to protect MCP tools, prompts, resources, or entire services with authentication
+ *
+ * Usage:
+ *
+ * 1. Protect individual methods:
+ * ```typescript
+ * @Tool({ description: 'Analyze sentiment' })
+ * @Authenticated(authProvider)
+ * async analyzeSentiment(args: AnalyzeSentimentInput): Promise<AnalyzeSentimentOutput> {
+ *   // This method requires authentication
+ * }
+ * ```
+ *
+ * 2. Protect entire service (all tools/prompts/resources):
+ * ```typescript
+ * @Authenticated(authProvider)
+ * export class SentimentAnalysisService {
+ *   @Tool({ description: 'Analyze sentiment' })
+ *   async analyzeSentiment(args: AnalyzeSentimentInput) {
+ *     // All methods in this service require authentication
+ *   }
+ * }
+ * ```
+ *
+ * The decorator expects authentication token in the MCP request _meta field:
+ * ```json
+ * {
+ *   "method": "tools/call",
+ *   "params": {
+ *     "name": "toolName",
+ *     "arguments": { ...businessData },
+ *     "_meta": {
+ *       "authorization": {
+ *         "type": "bearer",
+ *         "token": "your-jwt-token"
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * @param authProvider - Instance of AuthProviderBase to use for token verification
+ */
+declare function Authenticated(authProvider: AuthProviderBase): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
+/**
+ * Check if a method or class requires authentication
+ */
+declare function isAuthenticationRequired(target: any): boolean;
+/**
+ * Get the auth provider for a method or class
+ */
+declare function getAuthProvider(target: any): AuthProviderBase | undefined;
+
+/**
+ * @leanmcp/auth - Authentication Module
+ *
+ * This module provides a base class for implementing authentication providers for MCP tools.
+ * Extend AuthProviderBase to integrate with different auth providers (Clerk, Stripe, Firebase, etc.)
+ */
+/**
+ * Base class for authentication providers
+ * Extend this class to implement integrations with different auth providers
+ */
+declare abstract class AuthProviderBase {
+    /**
+     * Initialize the auth provider with configuration
+     */
+    abstract init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    abstract refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    abstract verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    abstract getUser(token: string): Promise<any>;
+}
+/**
+ * Unified AuthProvider class that dynamically selects the appropriate auth provider
+ * based on the provider parameter
+ */
+declare class AuthProvider extends AuthProviderBase {
+    private providerInstance;
+    private providerType;
+    private config;
+    constructor(provider: string, config?: any);
+    /**
+     * Initialize the selected auth provider
+     */
+    init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    getUser(token: string): Promise<any>;
+    /**
+     * Get the provider type
+     */
+    getProviderType(): string;
+}
+
+export { AuthProvider, AuthProviderBase, Authenticated, AuthenticationError, getAuthProvider, isAuthenticationRequired };

package/dist/index.js

@@ -0,0 +1,384 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/decorators.ts
+function Authenticated(authProvider) {
+  return function(target, propertyKey, descriptor) {
+    if (!propertyKey && !descriptor) {
+      Reflect.defineMetadata("auth:provider", authProvider, target);
+      Reflect.defineMetadata("auth:required", true, target);
+      const prototype = target.prototype;
+      const methodNames = Object.getOwnPropertyNames(prototype).filter((name) => name !== "constructor" && typeof prototype[name] === "function");
+      for (const methodName of methodNames) {
+        const originalDescriptor = Object.getOwnPropertyDescriptor(prototype, methodName);
+        if (originalDescriptor && typeof originalDescriptor.value === "function") {
+          const originalMethod = originalDescriptor.value;
+          Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
+          Reflect.defineMetadata("auth:required", true, originalMethod);
+          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider);
+          copyMetadata(originalMethod, prototype[methodName]);
+        }
+      }
+      return target;
+    }
+    if (descriptor && typeof descriptor.value === "function") {
+      const originalMethod = descriptor.value;
+      Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
+      Reflect.defineMetadata("auth:required", true, originalMethod);
+      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider);
+      copyMetadata(originalMethod, descriptor.value);
+      return descriptor;
+    }
+    throw new Error("@Authenticated can only be applied to classes or methods");
+  };
+}
+function createAuthenticatedMethod(originalMethod, authProvider) {
+  return async function(args, meta) {
+    const token = meta?.authorization?.token;
+    if (!token) {
+      throw new AuthenticationError("Authentication required. Please provide a valid token in _meta.authorization.token", "MISSING_TOKEN");
+    }
+    try {
+      const isValid = await authProvider.verifyToken(token);
+      if (!isValid) {
+        throw new AuthenticationError("Invalid or expired token. Please authenticate again.", "INVALID_TOKEN");
+      }
+    } catch (error) {
+      if (error instanceof AuthenticationError) {
+        throw error;
+      }
+      throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
+    }
+    return originalMethod.apply(this, [
+      args
+    ]);
+  };
+}
+function copyMetadata(source, target) {
+  const metadataKeys = Reflect.getMetadataKeys(source);
+  for (const key of metadataKeys) {
+    const value = Reflect.getMetadata(key, source);
+    Reflect.defineMetadata(key, value, target);
+  }
+  const designKeys = [
+    "design:type",
+    "design:paramtypes",
+    "design:returntype"
+  ];
+  for (const key of designKeys) {
+    const value = Reflect.getMetadata(key, source);
+    if (value !== void 0) {
+      Reflect.defineMetadata(key, value, target);
+    }
+  }
+}
+function isAuthenticationRequired(target) {
+  return Reflect.getMetadata("auth:required", target) === true;
+}
+function getAuthProvider(target) {
+  return Reflect.getMetadata("auth:provider", target);
+}
+var import_reflect_metadata, AuthenticationError;
+var init_decorators = __esm({
+  "src/decorators.ts"() {
+    "use strict";
+    import_reflect_metadata = require("reflect-metadata");
+    AuthenticationError = class extends Error {
+      static {
+        __name(this, "AuthenticationError");
+      }
+      code;
+      constructor(message, code) {
+        super(message), this.code = code;
+        this.name = "AuthenticationError";
+      }
+    };
+    __name(Authenticated, "Authenticated");
+    __name(createAuthenticatedMethod, "createAuthenticatedMethod");
+    __name(copyMetadata, "copyMetadata");
+    __name(isAuthenticationRequired, "isAuthenticationRequired");
+    __name(getAuthProvider, "getAuthProvider");
+  }
+});
+
+// src/providers/cognito.ts
+var cognito_exports = {};
+__export(cognito_exports, {
+  AuthCognito: () => AuthCognito
+});
+var import_client_cognito_identity_provider, import_crypto, import_axios, import_jsonwebtoken, import_jwk_to_pem, AuthCognito;
+var init_cognito = __esm({
+  "src/providers/cognito.ts"() {
+    "use strict";
+    import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
+    import_crypto = require("crypto");
+    import_axios = __toESM(require("axios"));
+    import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+    import_jwk_to_pem = __toESM(require("jwk-to-pem"));
+    init_index();
+    AuthCognito = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthCognito");
+      }
+      cognito = null;
+      region = "";
+      userPoolId = "";
+      clientId = "";
+      clientSecret = "";
+      jwksCache = null;
+      /**
+      * Initialize the Cognito client with configuration
+      */
+      async init(config) {
+        this.region = config?.region || process.env.AWS_REGION || "";
+        this.userPoolId = config?.userPoolId || process.env.COGNITO_USER_POOL_ID || "";
+        this.clientId = config?.clientId || process.env.COGNITO_CLIENT_ID || "";
+        this.clientSecret = config?.clientSecret || process.env.COGNITO_CLIENT_SECRET || "";
+        if (!this.region || !this.userPoolId || !this.clientId) {
+          throw new Error("Missing required Cognito configuration: region, userPoolId, and clientId are required");
+        }
+        this.cognito = new import_client_cognito_identity_provider.CognitoIdentityProviderClient({
+          region: this.region
+        });
+      }
+      /**
+      * Refresh access tokens using a refresh token
+      */
+      async refreshToken(refreshToken, username) {
+        if (!this.cognito) {
+          throw new Error("CognitoAuth not initialized. Call init() first.");
+        }
+        const authParameters = {
+          REFRESH_TOKEN: refreshToken
+        };
+        if (this.clientSecret) {
+          const usernameForHash = username;
+          const secretHash = this.calculateSecretHash(usernameForHash);
+          authParameters.SECRET_HASH = secretHash;
+        }
+        const command = new import_client_cognito_identity_provider.InitiateAuthCommand({
+          AuthFlow: "REFRESH_TOKEN_AUTH",
+          ClientId: this.clientId,
+          AuthParameters: authParameters
+        });
+        return await this.cognito.send(command);
+      }
+      /**
+      * Verify a Cognito JWT token using JWKS
+      */
+      async verifyToken(token) {
+        try {
+          await this.verifyJwt(token);
+          return true;
+        } catch (error) {
+          if (error instanceof Error) {
+            if (error.message.includes("jwt expired")) {
+              throw new Error("Token has expired");
+            } else if (error.message.includes("invalid signature")) {
+              throw new Error("Invalid token signature");
+            } else if (error.message.includes("jwt malformed")) {
+              throw new Error("Malformed token");
+            } else if (error.message.includes("invalid issuer")) {
+              throw new Error("Invalid token issuer");
+            }
+            throw error;
+          }
+          return false;
+        }
+      }
+      /**
+      * Get user information from an ID token
+      */
+      async getUser(idToken) {
+        const decoded = import_jsonwebtoken.default.decode(idToken);
+        if (!decoded) {
+          throw new Error("Invalid ID token");
+        }
+        return {
+          username: decoded["cognito:username"],
+          email: decoded.email,
+          email_verified: decoded.email_verified,
+          sub: decoded.sub,
+          attributes: decoded
+        };
+      }
+      /**
+      * Fetch JWKS from Cognito (cached)
+      */
+      async fetchJWKS() {
+        if (!this.jwksCache) {
+          const jwksUri = `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}/.well-known/jwks.json`;
+          const { data } = await import_axios.default.get(jwksUri);
+          this.jwksCache = data.keys;
+        }
+        return this.jwksCache;
+      }
+      /**
+      * Verify JWT token using JWKS
+      */
+      async verifyJwt(token) {
+        const decoded = import_jsonwebtoken.default.decode(token, {
+          complete: true
+        });
+        if (!decoded) {
+          throw new Error("Invalid token");
+        }
+        const jwks = await this.fetchJWKS();
+        const key = jwks.find((k) => k.kid === decoded.header.kid);
+        if (!key) {
+          throw new Error("Signing key not found in JWKS");
+        }
+        const pem = (0, import_jwk_to_pem.default)(key);
+        return import_jsonwebtoken.default.verify(token, pem, {
+          algorithms: [
+            "RS256"
+          ],
+          issuer: `https://cognito-idp.${this.region}.amazonaws.com/${this.userPoolId}`
+        });
+      }
+      /**
+      * Calculate SECRET_HASH for Cognito authentication
+      * SECRET_HASH = Base64(HMAC_SHA256(username + clientId, clientSecret))
+      */
+      calculateSecretHash(username) {
+        const message = username + this.clientId;
+        const hmac = (0, import_crypto.createHmac)("sha256", this.clientSecret);
+        hmac.update(message);
+        return hmac.digest("base64");
+      }
+    };
+  }
+});
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AuthProvider: () => AuthProvider,
+  AuthProviderBase: () => AuthProviderBase,
+  Authenticated: () => Authenticated,
+  AuthenticationError: () => AuthenticationError,
+  getAuthProvider: () => getAuthProvider,
+  isAuthenticationRequired: () => isAuthenticationRequired
+});
+module.exports = __toCommonJS(index_exports);
+var import_reflect_metadata2, AuthProviderBase, AuthProvider;
+var init_index = __esm({
+  "src/index.ts"() {
+    import_reflect_metadata2 = require("reflect-metadata");
+    init_decorators();
+    AuthProviderBase = class {
+      static {
+        __name(this, "AuthProviderBase");
+      }
+    };
+    AuthProvider = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthProvider");
+      }
+      providerInstance = null;
+      providerType;
+      config;
+      constructor(provider, config) {
+        super();
+        this.providerType = provider.toLowerCase();
+        this.config = config;
+      }
+      /**
+      * Initialize the selected auth provider
+      */
+      async init(config) {
+        const finalConfig = config || this.config;
+        switch (this.providerType) {
+          case "cognito": {
+            const { AuthCognito: AuthCognito2 } = await Promise.resolve().then(() => (init_cognito(), cognito_exports));
+            this.providerInstance = new AuthCognito2();
+            await this.providerInstance.init(finalConfig);
+            break;
+          }
+          // Add more providers here in the future
+          // case 'clerk': {
+          //   const { AuthClerk } = await import('./providers/clerk');
+          //   this.providerInstance = new AuthClerk();
+          //   await this.providerInstance.init(finalConfig);
+          //   break;
+          // }
+          default:
+            throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
+        }
+      }
+      /**
+      * Refresh an authentication token
+      */
+      async refreshToken(refreshToken, username) {
+        if (!this.providerInstance) {
+          throw new Error("AuthProvider not initialized. Call init() first.");
+        }
+        return this.providerInstance.refreshToken(refreshToken, username);
+      }
+      /**
+      * Verify if a token is valid
+      */
+      async verifyToken(token) {
+        if (!this.providerInstance) {
+          throw new Error("AuthProvider not initialized. Call init() first.");
+        }
+        return this.providerInstance.verifyToken(token);
+      }
+      /**
+      * Get user information from a token
+      */
+      async getUser(token) {
+        if (!this.providerInstance) {
+          throw new Error("AuthProvider not initialized. Call init() first.");
+        }
+        return this.providerInstance.getUser(token);
+      }
+      /**
+      * Get the provider type
+      */
+      getProviderType() {
+        return this.providerType;
+      }
+    };
+  }
+});
+init_index();
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthProvider,
+  AuthProviderBase,
+  Authenticated,
+  AuthenticationError,
+  getAuthProvider,
+  isAuthenticationRequired
+});

package/dist/index.mjs

@@ -0,0 +1,16 @@
+import {
+  AuthProvider,
+  AuthProviderBase,
+  Authenticated,
+  AuthenticationError,
+  getAuthProvider,
+  isAuthenticationRequired
+} from "./chunk-NALGJYQB.mjs";
+export {
+  AuthProvider,
+  AuthProviderBase,
+  Authenticated,
+  AuthenticationError,
+  getAuthProvider,
+  isAuthenticationRequired
+};

package/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "@leanmcp/auth",
+  "version": "0.1.0",
+  "description": "Authentication and identity module supporting multiple providers",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.js",
+      "import": "./dist/index.mjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --dts",
+    "dev": "tsup src/index.ts --format esm,cjs --dts --watch",
+    "test": "jest --passWithNoTests",
+    "test:watch": "jest --watch"
+  },
+  "dependencies": {
+    "@leanmcp/core": "^0.1.0",
+    "reflect-metadata": "^0.2.1"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/jwk-to-pem": "^2.0.3",
+    "@types/node": "^20.0.0",
+    "dotenv": "^17.2.3"
+  },
+  "peerDependencies": {
+    "@aws-sdk/client-cognito-identity-provider": "^3.0.0",
+    "axios": "^1.0.0",
+    "jsonwebtoken": "^9.0.0",
+    "jwk-to-pem": "^2.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@aws-sdk/client-cognito-identity-provider": {
+      "optional": true
+    },
+    "axios": {
+      "optional": true
+    },
+    "jsonwebtoken": {
+      "optional": true
+    },
+    "jwk-to-pem": {
+      "optional": true
+    }
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/LeanMCP/leanmcp-sdk.git",
+    "directory": "packages/auth"
+  },
+  "homepage": "https://github.com/LeanMCP/leanmcp-sdk#readme",
+  "bugs": {
+    "url": "https://github.com/LeanMCP/leanmcp-sdk/issues"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "typescript",
+    "decorators",
+    "authentication",
+    "auth",
+    "cognito",
+    "jwt"
+  ],
+  "author": "LeanMCP <admin@leanmcp.com>",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  }
+}