@leanmcp/auth 0.1.1 → 0.3.0

package/dist/index.js

@@ -32,11 +32,19 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/decorators.ts
-function Authenticated(authProvider) {
+function getAuthUser() {
+  return authUserStorage.getStore();
+}
+function Authenticated(authProvider, options) {
+  const authOptions = {
+    getUser: true,
+    ...options
+  };
   return function(target, propertyKey, descriptor) {
     if (!propertyKey && !descriptor) {
       Reflect.defineMetadata("auth:provider", authProvider, target);
       Reflect.defineMetadata("auth:required", true, target);
+      Reflect.defineMetadata("auth:options", authOptions, target);
       const prototype = target.prototype;
       const methodNames = Object.getOwnPropertyNames(prototype).filter((name) => name !== "constructor" && typeof prototype[name] === "function");
       for (const methodName of methodNames) {
@@ -45,7 +53,8 @@ function Authenticated(authProvider) {
           const originalMethod = originalDescriptor.value;
           Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
           Reflect.defineMetadata("auth:required", true, originalMethod);
-          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider);
+          Reflect.defineMetadata("auth:options", authOptions, originalMethod);
+          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider, authOptions);
           copyMetadata(originalMethod, prototype[methodName]);
         }
       }
@@ -55,14 +64,15 @@ function Authenticated(authProvider) {
       const originalMethod = descriptor.value;
       Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
       Reflect.defineMetadata("auth:required", true, originalMethod);
-      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider);
+      Reflect.defineMetadata("auth:options", authOptions, originalMethod);
+      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider, authOptions);
       copyMetadata(originalMethod, descriptor.value);
       return descriptor;
     }
     throw new Error("@Authenticated can only be applied to classes or methods");
   };
 }
-function createAuthenticatedMethod(originalMethod, authProvider) {
+function createAuthenticatedMethod(originalMethod, authProvider, options) {
   return async function(args, meta) {
     const token = meta?.authorization?.token;
     if (!token) {
@@ -79,9 +89,29 @@ function createAuthenticatedMethod(originalMethod, authProvider) {
       }
       throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
     }
-    return originalMethod.apply(this, [
-      args
-    ]);
+    if (options.getUser !== false) {
+      try {
+        const user = await authProvider.getUser(token);
+        return await authUserStorage.run(user, async () => {
+          return await originalMethod.apply(this, [
+            args
+          ]);
+        });
+      } catch (error) {
+        console.warn("Failed to fetch user information:", error);
+        return await authUserStorage.run(void 0, async () => {
+          return await originalMethod.apply(this, [
+            args
+          ]);
+        });
+      }
+    } else {
+      return await authUserStorage.run(void 0, async () => {
+        return await originalMethod.apply(this, [
+          args
+        ]);
+      });
+    }
   };
 }
 function copyMetadata(source, target) {
@@ -108,11 +138,23 @@ function isAuthenticationRequired(target) {
 function getAuthProvider(target) {
   return Reflect.getMetadata("auth:provider", target);
 }
-var import_reflect_metadata, AuthenticationError;
+var import_reflect_metadata, import_async_hooks, authUserStorage, AuthenticationError;
 var init_decorators = __esm({
   "src/decorators.ts"() {
     "use strict";
     import_reflect_metadata = require("reflect-metadata");
+    import_async_hooks = require("async_hooks");
+    authUserStorage = new import_async_hooks.AsyncLocalStorage();
+    __name(getAuthUser, "getAuthUser");
+    if (typeof globalThis !== "undefined" && !Object.getOwnPropertyDescriptor(globalThis, "authUser")) {
+      Object.defineProperty(globalThis, "authUser", {
+        get() {
+          return authUserStorage.getStore();
+        },
+        configurable: true,
+        enumerable: false
+      });
+    }
     AuthenticationError = class extends Error {
       static {
         __name(this, "AuthenticationError");
@@ -280,6 +322,231 @@ var init_cognito = __esm({
   }
 });
 
+// src/providers/auth0.ts
+var auth0_exports = {};
+__export(auth0_exports, {
+  AuthAuth0: () => AuthAuth0
+});
+var import_axios2, import_jsonwebtoken2, import_jwk_to_pem2, AuthAuth0;
+var init_auth0 = __esm({
+  "src/providers/auth0.ts"() {
+    "use strict";
+    import_axios2 = __toESM(require("axios"));
+    import_jsonwebtoken2 = __toESM(require("jsonwebtoken"));
+    import_jwk_to_pem2 = __toESM(require("jwk-to-pem"));
+    init_index();
+    AuthAuth0 = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthAuth0");
+      }
+      domain = "";
+      clientId = "";
+      clientSecret = "";
+      audience = "";
+      scopes = "openid profile email offline_access";
+      jwksCache = null;
+      async init(config) {
+        this.domain = config?.domain || process.env.AUTH0_DOMAIN || "";
+        this.clientId = config?.clientId || process.env.AUTH0_CLIENT_ID || "";
+        this.clientSecret = config?.clientSecret || process.env.AUTH0_CLIENT_SECRET || "";
+        this.audience = config?.audience || process.env.AUTH0_AUDIENCE || "";
+        this.scopes = config?.scopes || this.scopes;
+        if (!this.domain || !this.clientId || !this.audience) {
+          throw new Error("Auth0 config missing: domain, clientId, and audience are required");
+        }
+      }
+      async refreshToken(refreshToken) {
+        const url = `https://${this.domain}/oauth/token`;
+        const payload = {
+          grant_type: "refresh_token",
+          client_id: this.clientId,
+          refresh_token: refreshToken,
+          audience: this.audience,
+          scope: this.scopes
+        };
+        if (this.clientSecret) {
+          payload.client_secret = this.clientSecret;
+        }
+        const { data } = await import_axios2.default.post(url, payload, {
+          headers: {
+            "Content-Type": "application/json"
+          }
+        });
+        return data;
+      }
+      async verifyToken(token) {
+        try {
+          await this.verifyJwt(token);
+          return true;
+        } catch (error) {
+          if (error instanceof Error) {
+            if (error.message.includes("jwt expired")) throw new Error("Token has expired");
+            if (error.message.includes("invalid signature")) throw new Error("Invalid token signature");
+            if (error.message.includes("jwt malformed")) throw new Error("Malformed token");
+            if (error.message.includes("invalid issuer")) throw new Error("Invalid token issuer");
+            throw error;
+          }
+          return false;
+        }
+      }
+      async getUser(idToken) {
+        const decoded = import_jsonwebtoken2.default.decode(idToken);
+        if (!decoded) throw new Error("Invalid ID token");
+        return {
+          sub: decoded.sub,
+          email: decoded.email,
+          email_verified: decoded.email_verified,
+          name: decoded.name,
+          attributes: decoded
+        };
+      }
+      async fetchJWKS() {
+        if (!this.jwksCache) {
+          const jwksUri = `https://${this.domain}/.well-known/jwks.json`;
+          const { data } = await import_axios2.default.get(jwksUri);
+          this.jwksCache = data.keys;
+        }
+        return this.jwksCache;
+      }
+      async verifyJwt(token) {
+        const decoded = import_jsonwebtoken2.default.decode(token, {
+          complete: true
+        });
+        if (!decoded) throw new Error("Invalid token");
+        const jwks = await this.fetchJWKS();
+        const key = jwks.find((k) => k.kid === decoded.header.kid);
+        if (!key) throw new Error("Signing key not found in JWKS");
+        const pem = (0, import_jwk_to_pem2.default)(key);
+        return import_jsonwebtoken2.default.verify(token, pem, {
+          algorithms: [
+            "RS256"
+          ],
+          issuer: `https://${this.domain}/`
+        });
+      }
+    };
+  }
+});
+
+// src/providers/clerk.ts
+var clerk_exports = {};
+__export(clerk_exports, {
+  AuthClerk: () => AuthClerk
+});
+var import_axios3, import_jsonwebtoken3, import_jwk_to_pem3, AuthClerk;
+var init_clerk = __esm({
+  "src/providers/clerk.ts"() {
+    "use strict";
+    import_axios3 = __toESM(require("axios"));
+    import_jsonwebtoken3 = __toESM(require("jsonwebtoken"));
+    import_jwk_to_pem3 = __toESM(require("jwk-to-pem"));
+    init_index();
+    AuthClerk = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthClerk");
+      }
+      clerkFrontendApi = "";
+      clerkSecretKey = "";
+      clerkJWKSUrl = "";
+      clerkIssuer = "";
+      jwksCache = null;
+      mode = "session";
+      oauthTokenUrl = "";
+      clientId;
+      clientSecret;
+      redirectUri;
+      /**
+      * Initialize Clerk Auth Provider
+      */
+      async init(config) {
+        this.clerkFrontendApi = config?.frontendApi || process.env.CLERK_FRONTEND_API || "";
+        this.clerkSecretKey = config?.secretKey || process.env.CLERK_SECRET_KEY || "";
+        if (!this.clerkFrontendApi || !this.clerkSecretKey) {
+          throw new Error("Missing Clerk configuration: frontendApi and secretKey are required");
+        }
+        this.clerkIssuer = `https://${this.clerkFrontendApi}`;
+        this.clerkJWKSUrl = `${this.clerkIssuer}/.well-known/jwks.json`;
+        if (config?.clientId && config?.clientSecret && config?.redirectUri) {
+          this.mode = "oauth";
+          this.clientId = config.clientId;
+          this.clientSecret = config.clientSecret;
+          this.redirectUri = config.redirectUri;
+          this.oauthTokenUrl = `${this.clerkIssuer}/oauth/token`;
+        }
+      }
+      /**
+      * Refresh tokens (OAuth mode only)
+      */
+      async refreshToken(refreshToken) {
+        if (this.mode !== "oauth") {
+          throw new Error("Clerk is in Session Mode: refresh tokens are not supported. Enable OAuth mode.");
+        }
+        const payload = {
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          client_id: this.clientId,
+          client_secret: this.clientSecret,
+          redirect_uri: this.redirectUri
+        };
+        const { data } = await import_axios3.default.post(this.oauthTokenUrl, payload, {
+          headers: {
+            "Content-Type": "application/json"
+          }
+        });
+        return data;
+      }
+      /**
+      * Verify JWT using JWKS
+      */
+      async verifyToken(token) {
+        await this.verifyJwt(token);
+        return true;
+      }
+      /**
+      * Extract user data from ID token
+      */
+      async getUser(idToken) {
+        const decoded = import_jsonwebtoken3.default.decode(idToken);
+        if (!decoded) throw new Error("Invalid ID token");
+        return {
+          sub: decoded.sub,
+          email: decoded.email,
+          email_verified: decoded.email_verified,
+          first_name: decoded.given_name,
+          last_name: decoded.family_name,
+          attributes: decoded
+        };
+      }
+      /**
+      * JWT verification using JWKS
+      */
+      async verifyJwt(token) {
+        const decoded = import_jsonwebtoken3.default.decode(token, {
+          complete: true
+        });
+        if (!decoded) throw new Error("Invalid token");
+        const jwks = await this.fetchJWKS();
+        const key = jwks.find((k) => k.kid === decoded.header.kid);
+        if (!key) throw new Error("Signing key not found in JWKS");
+        const pem = (0, import_jwk_to_pem3.default)(key);
+        return import_jsonwebtoken3.default.verify(token, pem, {
+          algorithms: [
+            "RS256"
+          ],
+          issuer: this.clerkIssuer
+        });
+      }
+      async fetchJWKS() {
+        if (!this.jwksCache) {
+          const { data } = await import_axios3.default.get(this.clerkJWKSUrl);
+          this.jwksCache = data.keys;
+        }
+        return this.jwksCache;
+      }
+    };
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -288,6 +555,7 @@ __export(index_exports, {
   Authenticated: () => Authenticated,
   AuthenticationError: () => AuthenticationError,
   getAuthProvider: () => getAuthProvider,
+  getAuthUser: () => getAuthUser,
   isAuthenticationRequired: () => isAuthenticationRequired
 });
 module.exports = __toCommonJS(index_exports);
@@ -325,13 +593,18 @@ var init_index = __esm({
             await this.providerInstance.init(finalConfig);
             break;
           }
-          // Add more providers here in the future
-          // case 'clerk': {
-          //   const { AuthClerk } = await import('./providers/clerk');
-          //   this.providerInstance = new AuthClerk();
-          //   await this.providerInstance.init(finalConfig);
-          //   break;
-          // }
+          case "auth0": {
+            const { AuthAuth0: AuthAuth02 } = await Promise.resolve().then(() => (init_auth0(), auth0_exports));
+            this.providerInstance = new AuthAuth02();
+            await this.providerInstance.init(finalConfig);
+            break;
+          }
+          case "clerk": {
+            const { AuthClerk: AuthClerk2 } = await Promise.resolve().then(() => (init_clerk(), clerk_exports));
+            this.providerInstance = new AuthClerk2();
+            await this.providerInstance.init(finalConfig);
+            break;
+          }
           default:
             throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
         }
@@ -380,5 +653,6 @@ init_index();
   Authenticated,
   AuthenticationError,
   getAuthProvider,
+  getAuthUser,
   isAuthenticationRequired
 });

package/dist/index.mjs

@@ -4,13 +4,15 @@ import {
   Authenticated,
   AuthenticationError,
   getAuthProvider,
+  getAuthUser,
   isAuthenticationRequired
-} from "./chunk-NALGJYQB.mjs";
+} from "./chunk-EVD2TRPR.mjs";
 export {
   AuthProvider,
   AuthProviderBase,
   Authenticated,
   AuthenticationError,
   getAuthProvider,
+  getAuthUser,
   isAuthenticationRequired
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@leanmcp/auth",
-  "version": "0.1.1",
+  "version": "0.3.0",
   "description": "Authentication and identity module supporting multiple providers",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/dist/chunk-YC7GFXAO.mjs

@@ -1,193 +0,0 @@
-var __defProp = Object.defineProperty;
-var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-
-// src/index.ts
-import "reflect-metadata";
-
-// src/decorators.ts
-import "reflect-metadata";
-var AuthenticationError = class extends Error {
-  static {
-    __name(this, "AuthenticationError");
-  }
-  code;
-  constructor(message, code) {
-    super(message), this.code = code;
-    this.name = "AuthenticationError";
-  }
-};
-function Authenticated(authProvider) {
-  return function(target, propertyKey, descriptor) {
-    if (!propertyKey && !descriptor) {
-      Reflect.defineMetadata("auth:provider", authProvider, target);
-      Reflect.defineMetadata("auth:required", true, target);
-      const prototype = target.prototype;
-      const methodNames = Object.getOwnPropertyNames(prototype).filter((name) => name !== "constructor" && typeof prototype[name] === "function");
-      for (const methodName of methodNames) {
-        const originalDescriptor = Object.getOwnPropertyDescriptor(prototype, methodName);
-        if (originalDescriptor && typeof originalDescriptor.value === "function") {
-          const originalMethod = originalDescriptor.value;
-          Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
-          Reflect.defineMetadata("auth:required", true, originalMethod);
-          prototype[methodName] = createAuthenticatedMethod(originalMethod, authProvider);
-          copyMetadata(originalMethod, prototype[methodName]);
-        }
-      }
-      return target;
-    }
-    if (descriptor && typeof descriptor.value === "function") {
-      const originalMethod = descriptor.value;
-      Reflect.defineMetadata("auth:provider", authProvider, originalMethod);
-      Reflect.defineMetadata("auth:required", true, originalMethod);
-      descriptor.value = createAuthenticatedMethod(originalMethod, authProvider);
-      copyMetadata(originalMethod, descriptor.value);
-      return descriptor;
-    }
-    throw new Error("@Authenticated can only be applied to classes or methods");
-  };
-}
-__name(Authenticated, "Authenticated");
-function createAuthenticatedMethod(originalMethod, authProvider) {
-  return async function(...args) {
-    const firstArg = args[0];
-    let token;
-    let cleanedArgs = args;
-    if (firstArg && typeof firstArg === "object") {
-      token = firstArg.token;
-      const { token: _, ...restArgs } = firstArg;
-      cleanedArgs = [
-        restArgs,
-        ...args.slice(1)
-      ];
-    }
-    if (!token) {
-      throw new AuthenticationError("Authentication required. Please provide a valid token in the request.", "MISSING_TOKEN");
-    }
-    try {
-      const isValid = await authProvider.verifyToken(token);
-      if (!isValid) {
-        throw new AuthenticationError("Invalid or expired token. Please authenticate again.", "INVALID_TOKEN");
-      }
-    } catch (error) {
-      if (error instanceof AuthenticationError) {
-        throw error;
-      }
-      throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
-    }
-    return originalMethod.apply(this, cleanedArgs);
-  };
-}
-__name(createAuthenticatedMethod, "createAuthenticatedMethod");
-function copyMetadata(source, target) {
-  const metadataKeys = Reflect.getMetadataKeys(source);
-  for (const key of metadataKeys) {
-    const value = Reflect.getMetadata(key, source);
-    Reflect.defineMetadata(key, value, target);
-  }
-  const designKeys = [
-    "design:type",
-    "design:paramtypes",
-    "design:returntype"
-  ];
-  for (const key of designKeys) {
-    const value = Reflect.getMetadata(key, source);
-    if (value !== void 0) {
-      Reflect.defineMetadata(key, value, target);
-    }
-  }
-}
-__name(copyMetadata, "copyMetadata");
-function isAuthenticationRequired(target) {
-  return Reflect.getMetadata("auth:required", target) === true;
-}
-__name(isAuthenticationRequired, "isAuthenticationRequired");
-function getAuthProvider(target) {
-  return Reflect.getMetadata("auth:provider", target);
-}
-__name(getAuthProvider, "getAuthProvider");
-
-// src/index.ts
-var AuthProviderBase = class {
-  static {
-    __name(this, "AuthProviderBase");
-  }
-};
-var AuthProvider = class extends AuthProviderBase {
-  static {
-    __name(this, "AuthProvider");
-  }
-  providerInstance = null;
-  providerType;
-  config;
-  constructor(provider, config) {
-    super();
-    this.providerType = provider.toLowerCase();
-    this.config = config;
-  }
-  /**
-  * Initialize the selected auth provider
-  */
-  async init(config) {
-    const finalConfig = config || this.config;
-    switch (this.providerType) {
-      case "cognito": {
-        const { AuthCognito } = await import("./cognito-GBSAAMZI.mjs");
-        this.providerInstance = new AuthCognito();
-        await this.providerInstance.init(finalConfig);
-        break;
-      }
-      // Add more providers here in the future
-      // case 'clerk': {
-      //   const { AuthClerk } = await import('./providers/clerk');
-      //   this.providerInstance = new AuthClerk();
-      //   await this.providerInstance.init(finalConfig);
-      //   break;
-      // }
-      default:
-        throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
-    }
-  }
-  /**
-  * Refresh an authentication token
-  */
-  async refreshToken(refreshToken, username) {
-    if (!this.providerInstance) {
-      throw new Error("AuthProvider not initialized. Call init() first.");
-    }
-    return this.providerInstance.refreshToken(refreshToken, username);
-  }
-  /**
-  * Verify if a token is valid
-  */
-  async verifyToken(token) {
-    if (!this.providerInstance) {
-      throw new Error("AuthProvider not initialized. Call init() first.");
-    }
-    return this.providerInstance.verifyToken(token);
-  }
-  /**
-  * Get user information from a token
-  */
-  async getUser(token) {
-    if (!this.providerInstance) {
-      throw new Error("AuthProvider not initialized. Call init() first.");
-    }
-    return this.providerInstance.getUser(token);
-  }
-  /**
-  * Get the provider type
-  */
-  getProviderType() {
-    return this.providerType;
-  }
-};
-
-export {
-  __name,
-  AuthenticationError,
-  Authenticated,
-  isAuthenticationRequired,
-  getAuthProvider,
-  AuthProviderBase,
-  AuthProvider
-};