@leanmcp/auth 0.1.1 → 0.3.0

package/dist/auth0-54GZT2EI.mjs

@@ -0,0 +1,102 @@
+import {
+  AuthProviderBase,
+  __name
+} from "./chunk-EVD2TRPR.mjs";
+
+// src/providers/auth0.ts
+import axios from "axios";
+import jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+var AuthAuth0 = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthAuth0");
+  }
+  domain = "";
+  clientId = "";
+  clientSecret = "";
+  audience = "";
+  scopes = "openid profile email offline_access";
+  jwksCache = null;
+  async init(config) {
+    this.domain = config?.domain || process.env.AUTH0_DOMAIN || "";
+    this.clientId = config?.clientId || process.env.AUTH0_CLIENT_ID || "";
+    this.clientSecret = config?.clientSecret || process.env.AUTH0_CLIENT_SECRET || "";
+    this.audience = config?.audience || process.env.AUTH0_AUDIENCE || "";
+    this.scopes = config?.scopes || this.scopes;
+    if (!this.domain || !this.clientId || !this.audience) {
+      throw new Error("Auth0 config missing: domain, clientId, and audience are required");
+    }
+  }
+  async refreshToken(refreshToken) {
+    const url = `https://${this.domain}/oauth/token`;
+    const payload = {
+      grant_type: "refresh_token",
+      client_id: this.clientId,
+      refresh_token: refreshToken,
+      audience: this.audience,
+      scope: this.scopes
+    };
+    if (this.clientSecret) {
+      payload.client_secret = this.clientSecret;
+    }
+    const { data } = await axios.post(url, payload, {
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+    return data;
+  }
+  async verifyToken(token) {
+    try {
+      await this.verifyJwt(token);
+      return true;
+    } catch (error) {
+      if (error instanceof Error) {
+        if (error.message.includes("jwt expired")) throw new Error("Token has expired");
+        if (error.message.includes("invalid signature")) throw new Error("Invalid token signature");
+        if (error.message.includes("jwt malformed")) throw new Error("Malformed token");
+        if (error.message.includes("invalid issuer")) throw new Error("Invalid token issuer");
+        throw error;
+      }
+      return false;
+    }
+  }
+  async getUser(idToken) {
+    const decoded = jwt.decode(idToken);
+    if (!decoded) throw new Error("Invalid ID token");
+    return {
+      sub: decoded.sub,
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      name: decoded.name,
+      attributes: decoded
+    };
+  }
+  async fetchJWKS() {
+    if (!this.jwksCache) {
+      const jwksUri = `https://${this.domain}/.well-known/jwks.json`;
+      const { data } = await axios.get(jwksUri);
+      this.jwksCache = data.keys;
+    }
+    return this.jwksCache;
+  }
+  async verifyJwt(token) {
+    const decoded = jwt.decode(token, {
+      complete: true
+    });
+    if (!decoded) throw new Error("Invalid token");
+    const jwks = await this.fetchJWKS();
+    const key = jwks.find((k) => k.kid === decoded.header.kid);
+    if (!key) throw new Error("Signing key not found in JWKS");
+    const pem = jwkToPem(key);
+    return jwt.verify(token, pem, {
+      algorithms: [
+        "RS256"
+      ],
+      issuer: `https://${this.domain}/`
+    });
+  }
+};
+export {
+  AuthAuth0
+};

package/dist/{chunk-NALGJYQB.mjs → chunk-EVD2TRPR.mjs}

@@ -6,6 +6,21 @@ import "reflect-metadata";
 
 // src/decorators.ts
 import "reflect-metadata";
+import { AsyncLocalStorage } from "async_hooks";
+var authUserStorage = new AsyncLocalStorage();
+function getAuthUser() {
+  return authUserStorage.getStore();
+}
+__name(getAuthUser, "getAuthUser");
+if (typeof globalThis !== "undefined" && !Object.getOwnPropertyDescriptor(globalThis, "authUser")) {
+  Object.defineProperty(globalThis, "authUser", {
+    get() {
+      return authUserStorage.getStore();
+    },
+    configurable: true,
+    enumerable: false
+  });
+}
 var AuthenticationError = class extends Error {
   static {
     __name(this, "AuthenticationError");
@@ -16,11 +31,16 @@ var AuthenticationError = class extends Error {
     this.name = "AuthenticationError";
   }
 };
-function Authenticated(authProvider) {
+function Authenticated(authProvider, options) {
+  const authOptions = {
+    getUser: true,
+    ...options
+  };
   return function(target, propertyKey, descriptor) {
     if (!propertyKey && !descriptor) {
       Reflect.defineMetadata("auth:provider", authProvider, target);
       Reflect.defineMetadata("auth:required", true, target);
+      Reflect.defineMetadata("auth:options", authOptions, target);
       const prototype = target.prototype;
       const methodNames = Object.getOwnPropertyNames(prototype).filter((name) => name !== "constructor" && typeof prototype[name] === "function");
       for (const methodName of methodNames) {
@@ -29,7 +49,8 @@ function Authenticated(authProvider) {
           const originalMethod = originalDescriptor.value;
           Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
           Reflect.defineMetadata("auth:required", true, originalMethod);
-          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider);
+          Reflect.defineMetadata("auth:options", authOptions, originalMethod);
+          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider, authOptions);
           copyMetadata(originalMethod, prototype[methodName]);
         }
       }
@@ -39,7 +60,8 @@ function Authenticated(authProvider) {
       const originalMethod = descriptor.value;
       Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
       Reflect.defineMetadata("auth:required", true, originalMethod);
-      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider);
+      Reflect.defineMetadata("auth:options", authOptions, originalMethod);
+      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider, authOptions);
       copyMetadata(originalMethod, descriptor.value);
       return descriptor;
     }
@@ -47,7 +69,7 @@ function Authenticated(authProvider) {
   };
 }
 __name(Authenticated, "Authenticated");
-function createAuthenticatedMethod(originalMethod, authProvider) {
+function createAuthenticatedMethod(originalMethod, authProvider, options) {
   return async function(args, meta) {
     const token = meta?.authorization?.token;
     if (!token) {
@@ -64,9 +86,29 @@ function createAuthenticatedMethod(originalMethod, authProvider) {
       }
       throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
     }
-    return originalMethod.apply(this, [
-      args
-    ]);
+    if (options.getUser !== false) {
+      try {
+        const user = await authProvider.getUser(token);
+        return await authUserStorage.run(user, async () => {
+          return await originalMethod.apply(this, [
+            args
+          ]);
+        });
+      } catch (error) {
+        console.warn("Failed to fetch user information:", error);
+        return await authUserStorage.run(void 0, async () => {
+          return await originalMethod.apply(this, [
+            args
+          ]);
+        });
+      }
+    } else {
+      return await authUserStorage.run(void 0, async () => {
+        return await originalMethod.apply(this, [
+          args
+        ]);
+      });
+    }
   };
 }
 __name(createAuthenticatedMethod, "createAuthenticatedMethod");
@@ -123,18 +165,23 @@ var AuthProvider = class extends AuthProviderBase {
     const finalConfig = config || this.config;
     switch (this.providerType) {
       case "cognito": {
-        const { AuthCognito } = await import("./cognito-VCVS77OX.mjs");
+        const { AuthCognito } = await import("./cognito-I6V5YNYM.mjs");
         this.providerInstance = new AuthCognito();
         await this.providerInstance.init(finalConfig);
         break;
       }
-      // Add more providers here in the future
-      // case 'clerk': {
-      //   const { AuthClerk } = await import('./providers/clerk');
-      //   this.providerInstance = new AuthClerk();
-      //   await this.providerInstance.init(finalConfig);
-      //   break;
-      // }
+      case "auth0": {
+        const { AuthAuth0 } = await import("./auth0-54GZT2EI.mjs");
+        this.providerInstance = new AuthAuth0();
+        await this.providerInstance.init(finalConfig);
+        break;
+      }
+      case "clerk": {
+        const { AuthClerk } = await import("./clerk-FR7ITM33.mjs");
+        this.providerInstance = new AuthClerk();
+        await this.providerInstance.init(finalConfig);
+        break;
+      }
       default:
         throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
     }
@@ -176,6 +223,7 @@ var AuthProvider = class extends AuthProviderBase {
 
 export {
   __name,
+  getAuthUser,
   AuthenticationError,
   Authenticated,
   isAuthenticationRequired,

package/dist/clerk-FR7ITM33.mjs

@@ -0,0 +1,115 @@
+import {
+  AuthProviderBase,
+  __name
+} from "./chunk-EVD2TRPR.mjs";
+
+// src/providers/clerk.ts
+import axios from "axios";
+import jwt from "jsonwebtoken";
+import jwkToPem from "jwk-to-pem";
+var AuthClerk = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthClerk");
+  }
+  clerkFrontendApi = "";
+  clerkSecretKey = "";
+  clerkJWKSUrl = "";
+  clerkIssuer = "";
+  jwksCache = null;
+  mode = "session";
+  oauthTokenUrl = "";
+  clientId;
+  clientSecret;
+  redirectUri;
+  /**
+  * Initialize Clerk Auth Provider
+  */
+  async init(config) {
+    this.clerkFrontendApi = config?.frontendApi || process.env.CLERK_FRONTEND_API || "";
+    this.clerkSecretKey = config?.secretKey || process.env.CLERK_SECRET_KEY || "";
+    if (!this.clerkFrontendApi || !this.clerkSecretKey) {
+      throw new Error("Missing Clerk configuration: frontendApi and secretKey are required");
+    }
+    this.clerkIssuer = `https://${this.clerkFrontendApi}`;
+    this.clerkJWKSUrl = `${this.clerkIssuer}/.well-known/jwks.json`;
+    if (config?.clientId && config?.clientSecret && config?.redirectUri) {
+      this.mode = "oauth";
+      this.clientId = config.clientId;
+      this.clientSecret = config.clientSecret;
+      this.redirectUri = config.redirectUri;
+      this.oauthTokenUrl = `${this.clerkIssuer}/oauth/token`;
+    }
+  }
+  /**
+  * Refresh tokens (OAuth mode only)
+  */
+  async refreshToken(refreshToken) {
+    if (this.mode !== "oauth") {
+      throw new Error("Clerk is in Session Mode: refresh tokens are not supported. Enable OAuth mode.");
+    }
+    const payload = {
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: this.clientId,
+      client_secret: this.clientSecret,
+      redirect_uri: this.redirectUri
+    };
+    const { data } = await axios.post(this.oauthTokenUrl, payload, {
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+    return data;
+  }
+  /**
+  * Verify JWT using JWKS
+  */
+  async verifyToken(token) {
+    await this.verifyJwt(token);
+    return true;
+  }
+  /**
+  * Extract user data from ID token
+  */
+  async getUser(idToken) {
+    const decoded = jwt.decode(idToken);
+    if (!decoded) throw new Error("Invalid ID token");
+    return {
+      sub: decoded.sub,
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      first_name: decoded.given_name,
+      last_name: decoded.family_name,
+      attributes: decoded
+    };
+  }
+  /**
+  * JWT verification using JWKS
+  */
+  async verifyJwt(token) {
+    const decoded = jwt.decode(token, {
+      complete: true
+    });
+    if (!decoded) throw new Error("Invalid token");
+    const jwks = await this.fetchJWKS();
+    const key = jwks.find((k) => k.kid === decoded.header.kid);
+    if (!key) throw new Error("Signing key not found in JWKS");
+    const pem = jwkToPem(key);
+    return jwt.verify(token, pem, {
+      algorithms: [
+        "RS256"
+      ],
+      issuer: this.clerkIssuer
+    });
+  }
+  async fetchJWKS() {
+    if (!this.jwksCache) {
+      const { data } = await axios.get(this.clerkJWKSUrl);
+      this.jwksCache = data.keys;
+    }
+    return this.jwksCache;
+  }
+};
+export {
+  AuthClerk
+};

package/dist/{cognito-GBSAAMZI.mjs → cognito-I6V5YNYM.mjs}

@@ -1,7 +1,7 @@
 import {
   AuthProviderBase,
   __name
-} from "./chunk-YC7GFXAO.mjs";
+} from "./chunk-EVD2TRPR.mjs";
 
 // src/providers/cognito.ts
 import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";

package/dist/index.d.mts

@@ -1,3 +1,35 @@
+/**
+ * Shared types for @leanmcp/auth
+ */
+/**
+ * Options for the Authenticated decorator
+ */
+interface AuthenticatedOptions {
+    /**
+     * Whether to fetch and attach user information to authUser variable
+     * @default true
+     */
+    getUser?: boolean;
+}
+
+/**
+ * Global authUser type declaration
+ * This makes authUser available in @Authenticated methods without explicit declaration
+ */
+declare global {
+    /**
+     * Authenticated user object automatically available in @Authenticated methods
+     *
+     * Implemented as a getter that reads from AsyncLocalStorage for concurrency safety.
+     * Each request has its own isolated context - 100% safe for concurrent requests.
+     */
+    const authUser: any;
+}
+/**
+ * Get the current authenticated user from the async context
+ * This is safe for concurrent requests as each request has its own context
+ */
+declare function getAuthUser(): any;
 /**
  * Authentication error class for better error handling
  */
@@ -8,24 +40,40 @@ declare class AuthenticationError extends Error {
 /**
  * Decorator to protect MCP tools, prompts, resources, or entire services with authentication
  *
+ * CONCURRENCY SAFE: Uses AsyncLocalStorage to ensure each request has its own isolated
+ * authUser context, preventing race conditions in high-concurrency scenarios.
+ *
  * Usage:
  *
- * 1. Protect individual methods:
+ * 1. Protect individual methods with automatic user info:
  * ```typescript
  * @Tool({ description: 'Analyze sentiment' })
- * @Authenticated(authProvider)
+ * @Authenticated(authProvider, { getUser: true })
  * async analyzeSentiment(args: AnalyzeSentimentInput): Promise<AnalyzeSentimentOutput> {
- *   // This method requires authentication
+ *   // authUser is automatically available in method scope
+ *   console.log('User:', authUser);
+ *   console.log('User ID:', authUser.sub);
+ * }
+ * ```
+ *
+ * 2. Protect without fetching user info:
+ * ```typescript
+ * @Tool({ description: 'Public tool' })
+ * @Authenticated(authProvider, { getUser: false })
+ * async publicTool(args: PublicToolInput): Promise<PublicToolOutput> {
+ *   // Only verifies token, doesn't fetch user info
  * }
  * ```
  *
- * 2. Protect entire service (all tools/prompts/resources):
+ * 3. Protect entire service (all tools/prompts/resources):
  * ```typescript
  * @Authenticated(authProvider)
  * export class SentimentAnalysisService {
  *   @Tool({ description: 'Analyze sentiment' })
  *   async analyzeSentiment(args: AnalyzeSentimentInput) {
  *     // All methods in this service require authentication
+ *     // authUser is automatically available in all methods
+ *     console.log('User:', authUser);
  *   }
  * }
  * ```
@@ -48,8 +96,9 @@ declare class AuthenticationError extends Error {
  * ```
  *
  * @param authProvider - Instance of AuthProviderBase to use for token verification
+ * @param options - Optional configuration for authentication behavior
  */
-declare function Authenticated(authProvider: AuthProviderBase): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
+declare function Authenticated(authProvider: AuthProviderBase, options?: AuthenticatedOptions): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
 /**
  * Check if a method or class requires authentication
  */
@@ -118,4 +167,4 @@ declare class AuthProvider extends AuthProviderBase {
     getProviderType(): string;
 }
 
-export { AuthProvider, AuthProviderBase, Authenticated, AuthenticationError, getAuthProvider, isAuthenticationRequired };
+export { AuthProvider, AuthProviderBase, Authenticated, type AuthenticatedOptions, AuthenticationError, getAuthProvider, getAuthUser, isAuthenticationRequired };

package/dist/index.d.ts

@@ -1,3 +1,35 @@
+/**
+ * Shared types for @leanmcp/auth
+ */
+/**
+ * Options for the Authenticated decorator
+ */
+interface AuthenticatedOptions {
+    /**
+     * Whether to fetch and attach user information to authUser variable
+     * @default true
+     */
+    getUser?: boolean;
+}
+
+/**
+ * Global authUser type declaration
+ * This makes authUser available in @Authenticated methods without explicit declaration
+ */
+declare global {
+    /**
+     * Authenticated user object automatically available in @Authenticated methods
+     *
+     * Implemented as a getter that reads from AsyncLocalStorage for concurrency safety.
+     * Each request has its own isolated context - 100% safe for concurrent requests.
+     */
+    const authUser: any;
+}
+/**
+ * Get the current authenticated user from the async context
+ * This is safe for concurrent requests as each request has its own context
+ */
+declare function getAuthUser(): any;
 /**
  * Authentication error class for better error handling
  */
@@ -8,24 +40,40 @@ declare class AuthenticationError extends Error {
 /**
  * Decorator to protect MCP tools, prompts, resources, or entire services with authentication
  *
+ * CONCURRENCY SAFE: Uses AsyncLocalStorage to ensure each request has its own isolated
+ * authUser context, preventing race conditions in high-concurrency scenarios.
+ *
  * Usage:
  *
- * 1. Protect individual methods:
+ * 1. Protect individual methods with automatic user info:
  * ```typescript
  * @Tool({ description: 'Analyze sentiment' })
- * @Authenticated(authProvider)
+ * @Authenticated(authProvider, { getUser: true })
  * async analyzeSentiment(args: AnalyzeSentimentInput): Promise<AnalyzeSentimentOutput> {
- *   // This method requires authentication
+ *   // authUser is automatically available in method scope
+ *   console.log('User:', authUser);
+ *   console.log('User ID:', authUser.sub);
+ * }
+ * ```
+ *
+ * 2. Protect without fetching user info:
+ * ```typescript
+ * @Tool({ description: 'Public tool' })
+ * @Authenticated(authProvider, { getUser: false })
+ * async publicTool(args: PublicToolInput): Promise<PublicToolOutput> {
+ *   // Only verifies token, doesn't fetch user info
  * }
  * ```
  *
- * 2. Protect entire service (all tools/prompts/resources):
+ * 3. Protect entire service (all tools/prompts/resources):
  * ```typescript
  * @Authenticated(authProvider)
  * export class SentimentAnalysisService {
  *   @Tool({ description: 'Analyze sentiment' })
  *   async analyzeSentiment(args: AnalyzeSentimentInput) {
  *     // All methods in this service require authentication
+ *     // authUser is automatically available in all methods
+ *     console.log('User:', authUser);
  *   }
  * }
  * ```
@@ -48,8 +96,9 @@ declare class AuthenticationError extends Error {
  * ```
  *
  * @param authProvider - Instance of AuthProviderBase to use for token verification
+ * @param options - Optional configuration for authentication behavior
  */
-declare function Authenticated(authProvider: AuthProviderBase): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
+declare function Authenticated(authProvider: AuthProviderBase, options?: AuthenticatedOptions): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
 /**
  * Check if a method or class requires authentication
  */
@@ -118,4 +167,4 @@ declare class AuthProvider extends AuthProviderBase {
     getProviderType(): string;
 }
 
-export { AuthProvider, AuthProviderBase, Authenticated, AuthenticationError, getAuthProvider, isAuthenticationRequired };
+export { AuthProvider, AuthProviderBase, Authenticated, type AuthenticatedOptions, AuthenticationError, getAuthProvider, getAuthUser, isAuthenticationRequired };