@leanmcp/auth 0.3.1 → 0.4.0

package/dist/proxy/index.js

@@ -0,0 +1,536 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/proxy/index.ts
+var proxy_exports = {};
+__export(proxy_exports, {
+  OAuthProxy: () => OAuthProxy,
+  azureProvider: () => azureProvider,
+  customProvider: () => customProvider,
+  discordProvider: () => discordProvider,
+  githubProvider: () => githubProvider,
+  gitlabProvider: () => gitlabProvider,
+  googleProvider: () => googleProvider,
+  slackProvider: () => slackProvider
+});
+module.exports = __toCommonJS(proxy_exports);
+
+// src/proxy/providers.ts
+function googleProvider(options) {
+  return {
+    id: "google",
+    name: "Google",
+    authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenEndpoint: "https://oauth2.googleapis.com/token",
+    userInfoEndpoint: "https://www.googleapis.com/oauth2/v3/userinfo",
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    scopes: options.scopes ?? [
+      "openid",
+      "email",
+      "profile"
+    ],
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: true,
+    authorizationParams: {
+      access_type: "offline",
+      prompt: "consent"
+    }
+  };
+}
+__name(googleProvider, "googleProvider");
+function githubProvider(options) {
+  return {
+    id: "github",
+    name: "GitHub",
+    authorizationEndpoint: "https://github.com/login/oauth/authorize",
+    tokenEndpoint: "https://github.com/login/oauth/access_token",
+    userInfoEndpoint: "https://api.github.com/user",
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    scopes: options.scopes ?? [
+      "read:user",
+      "user:email"
+    ],
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: false
+  };
+}
+__name(githubProvider, "githubProvider");
+function azureProvider(options) {
+  const tenantId = options.tenantId ?? "common";
+  return {
+    id: "azure",
+    name: "Microsoft",
+    authorizationEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`,
+    tokenEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
+    userInfoEndpoint: "https://graph.microsoft.com/oidc/userinfo",
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    scopes: options.scopes ?? [
+      "openid",
+      "email",
+      "profile",
+      "offline_access"
+    ],
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: true
+  };
+}
+__name(azureProvider, "azureProvider");
+function gitlabProvider(options) {
+  const baseUrl = options.baseUrl ?? "https://gitlab.com";
+  return {
+    id: "gitlab",
+    name: "GitLab",
+    authorizationEndpoint: `${baseUrl}/oauth/authorize`,
+    tokenEndpoint: `${baseUrl}/oauth/token`,
+    userInfoEndpoint: `${baseUrl}/api/v4/user`,
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    scopes: options.scopes ?? [
+      "openid",
+      "read_user",
+      "email"
+    ],
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: true
+  };
+}
+__name(gitlabProvider, "gitlabProvider");
+function slackProvider(options) {
+  return {
+    id: "slack",
+    name: "Slack",
+    authorizationEndpoint: "https://slack.com/oauth/v2/authorize",
+    tokenEndpoint: "https://slack.com/api/oauth.v2.access",
+    userInfoEndpoint: "https://slack.com/api/users.identity",
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    scopes: options.scopes ?? [
+      "openid",
+      "email",
+      "profile"
+    ],
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: false
+  };
+}
+__name(slackProvider, "slackProvider");
+function discordProvider(options) {
+  return {
+    id: "discord",
+    name: "Discord",
+    authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
+    tokenEndpoint: "https://discord.com/api/oauth2/token",
+    userInfoEndpoint: "https://discord.com/api/users/@me",
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    scopes: options.scopes ?? [
+      "identify",
+      "email"
+    ],
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: true
+  };
+}
+__name(discordProvider, "discordProvider");
+function customProvider(config) {
+  return {
+    tokenEndpointAuthMethod: "client_secret_post",
+    supportsPkce: false,
+    ...config
+  };
+}
+__name(customProvider, "customProvider");
+
+// src/proxy/oauth-proxy.ts
+var import_crypto2 = require("crypto");
+
+// src/client/pkce.ts
+var import_crypto = require("crypto");
+function generateCodeVerifier(length = 64) {
+  if (length < 43 || length > 128) {
+    throw new Error("PKCE code verifier must be between 43-128 characters");
+  }
+  const bytesNeeded = Math.ceil(length * 0.75);
+  const randomBuffer = (0, import_crypto.randomBytes)(bytesNeeded);
+  return randomBuffer.toString("base64url").slice(0, length);
+}
+__name(generateCodeVerifier, "generateCodeVerifier");
+function generateCodeChallenge(verifier) {
+  return (0, import_crypto.createHash)("sha256").update(verifier, "utf8").digest("base64url");
+}
+__name(generateCodeChallenge, "generateCodeChallenge");
+function generatePKCE(verifierLength = 64) {
+  const verifier = generateCodeVerifier(verifierLength);
+  const challenge = generateCodeChallenge(verifier);
+  return {
+    verifier,
+    challenge,
+    method: "S256"
+  };
+}
+__name(generatePKCE, "generatePKCE");
+
+// src/proxy/oauth-proxy.ts
+var defaultTokenMapper = /* @__PURE__ */ __name(async (externalTokens, userInfo) => {
+  return {
+    access_token: externalTokens.access_token,
+    token_type: externalTokens.token_type,
+    expires_in: externalTokens.expires_in,
+    refresh_token: externalTokens.refresh_token,
+    user_id: userInfo.sub
+  };
+}, "defaultTokenMapper");
+var pendingRequests = /* @__PURE__ */ new Map();
+var REQUEST_TTL_MS = 10 * 60 * 1e3;
+function cleanupExpiredRequests() {
+  const now = Date.now();
+  for (const [key, request] of pendingRequests.entries()) {
+    if (now - request.createdAt > REQUEST_TTL_MS) {
+      pendingRequests.delete(key);
+    }
+  }
+}
+__name(cleanupExpiredRequests, "cleanupExpiredRequests");
+setInterval(cleanupExpiredRequests, 60 * 1e3);
+var OAuthProxy = class {
+  static {
+    __name(this, "OAuthProxy");
+  }
+  config;
+  providersMap;
+  constructor(config) {
+    this.config = {
+      authorizePath: "/authorize",
+      tokenPath: "/token",
+      callbackPath: "/callback",
+      tokenMapper: defaultTokenMapper,
+      forwardPkce: true,
+      ...config
+    };
+    this.providersMap = /* @__PURE__ */ new Map();
+    for (const provider of config.providers) {
+      this.providersMap.set(provider.id, provider);
+    }
+  }
+  /**
+   * Get configured providers
+   */
+  getProviders() {
+    return this.config.providers;
+  }
+  /**
+   * Get a provider by ID
+   */
+  getProvider(id) {
+    return this.providersMap.get(id);
+  }
+  /**
+   * Generate state parameter with signature
+   */
+  generateState() {
+    const nonce = (0, import_crypto2.randomUUID)();
+    const signature = (0, import_crypto2.createHmac)("sha256", this.config.sessionSecret).update(nonce).digest("hex").substring(0, 8);
+    return `${nonce}.${signature}`;
+  }
+  /**
+   * Verify state parameter signature
+   */
+  verifyState(state) {
+    const [nonce, signature] = state.split(".");
+    if (!nonce || !signature) return false;
+    const expectedSignature = (0, import_crypto2.createHmac)("sha256", this.config.sessionSecret).update(nonce).digest("hex").substring(0, 8);
+    return signature === expectedSignature;
+  }
+  /**
+   * Handle authorization request
+   * 
+   * Redirects the user to the external provider's authorization page.
+   * 
+   * @param params - Request parameters
+   * @returns URL to redirect the user to
+   */
+  handleAuthorize(params) {
+    const provider = this.providersMap.get(params.provider);
+    if (!provider) {
+      throw new Error(`Unknown provider: ${params.provider}`);
+    }
+    const proxyState = this.generateState();
+    let codeVerifier;
+    let codeChallenge;
+    if (provider.supportsPkce && this.config.forwardPkce) {
+      const pkce = generatePKCE();
+      codeVerifier = pkce.verifier;
+      codeChallenge = pkce.challenge;
+    }
+    const pendingRequest = {
+      providerId: params.provider,
+      clientRedirectUri: params.redirect_uri,
+      clientState: params.state,
+      codeVerifier,
+      proxyState,
+      createdAt: Date.now()
+    };
+    pendingRequests.set(proxyState, pendingRequest);
+    const callbackUrl = `${this.config.baseUrl}${this.config.callbackPath}`;
+    const authUrl = new URL(provider.authorizationEndpoint);
+    authUrl.searchParams.set("client_id", provider.clientId);
+    authUrl.searchParams.set("redirect_uri", callbackUrl);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("state", proxyState);
+    const scopes = params.scope?.split(" ") ?? provider.scopes;
+    authUrl.searchParams.set("scope", scopes.join(" "));
+    if (codeChallenge) {
+      authUrl.searchParams.set("code_challenge", codeChallenge);
+      authUrl.searchParams.set("code_challenge_method", "S256");
+    }
+    if (provider.authorizationParams) {
+      for (const [key, value] of Object.entries(provider.authorizationParams)) {
+        authUrl.searchParams.set(key, value);
+      }
+    }
+    return authUrl.toString();
+  }
+  /**
+   * Handle callback from external provider
+   * 
+   * Exchanges the authorization code for tokens and maps them.
+   * 
+   * @param params - Callback query parameters
+   * @returns Result with redirect URI and tokens
+   */
+  async handleCallback(params) {
+    const { code, state, error, error_description } = params;
+    if (error) {
+      const pendingRequest2 = state ? pendingRequests.get(state) : void 0;
+      pendingRequests.delete(state ?? "");
+      const redirectUri2 = new URL(pendingRequest2?.clientRedirectUri ?? "/");
+      redirectUri2.searchParams.set("error", error);
+      if (error_description) {
+        redirectUri2.searchParams.set("error_description", error_description);
+      }
+      if (pendingRequest2?.clientState) {
+        redirectUri2.searchParams.set("state", pendingRequest2.clientState);
+      }
+      return {
+        redirectUri: redirectUri2.toString(),
+        error
+      };
+    }
+    if (!state || !this.verifyState(state)) {
+      throw new Error("Invalid or missing state parameter");
+    }
+    const pendingRequest = pendingRequests.get(state);
+    if (!pendingRequest) {
+      throw new Error("State not found - authorization request expired");
+    }
+    pendingRequests.delete(state);
+    if (!code) {
+      throw new Error("Missing authorization code");
+    }
+    const provider = this.providersMap.get(pendingRequest.providerId);
+    if (!provider) {
+      throw new Error(`Provider not found: ${pendingRequest.providerId}`);
+    }
+    const callbackUrl = `${this.config.baseUrl}${this.config.callbackPath}`;
+    const externalTokens = await this.exchangeCodeForTokens(provider, code, callbackUrl, pendingRequest.codeVerifier);
+    let userInfo = {
+      sub: "unknown"
+    };
+    if (provider.userInfoEndpoint) {
+      userInfo = await this.fetchUserInfo(provider, externalTokens.access_token);
+    }
+    const mappedTokens = await this.config.tokenMapper(externalTokens, userInfo, provider);
+    const redirectUri = new URL(pendingRequest.clientRedirectUri);
+    const internalCode = this.generateInternalCode(mappedTokens);
+    redirectUri.searchParams.set("code", internalCode);
+    if (pendingRequest.clientState) {
+      redirectUri.searchParams.set("state", pendingRequest.clientState);
+    }
+    return {
+      redirectUri: redirectUri.toString(),
+      tokens: mappedTokens
+    };
+  }
+  /**
+   * Exchange authorization code for tokens with external provider
+   */
+  async exchangeCodeForTokens(provider, code, redirectUri, codeVerifier) {
+    const tokenPayload = {
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri,
+      client_id: provider.clientId
+    };
+    if (provider.tokenEndpointAuthMethod === "client_secret_post") {
+      tokenPayload.client_secret = provider.clientSecret;
+    }
+    if (codeVerifier) {
+      tokenPayload.code_verifier = codeVerifier;
+    }
+    if (provider.tokenParams) {
+      for (const [key, value] of Object.entries(provider.tokenParams)) {
+        tokenPayload[key] = value;
+      }
+    }
+    const headers = {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "Accept": "application/json"
+    };
+    if (provider.tokenEndpointAuthMethod === "client_secret_basic") {
+      const credentials = Buffer.from(`${provider.clientId}:${provider.clientSecret}`).toString("base64");
+      headers["Authorization"] = `Basic ${credentials}`;
+    }
+    const response = await fetch(provider.tokenEndpoint, {
+      method: "POST",
+      headers,
+      body: new URLSearchParams(tokenPayload)
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Token exchange failed: ${response.status} - ${errorText}`);
+    }
+    return response.json();
+  }
+  /**
+   * Fetch user info from external provider
+   */
+  async fetchUserInfo(provider, accessToken) {
+    if (!provider.userInfoEndpoint) {
+      return {
+        sub: "unknown"
+      };
+    }
+    const response = await fetch(provider.userInfoEndpoint, {
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Accept": "application/json"
+      }
+    });
+    if (!response.ok) {
+      console.warn(`Failed to fetch user info: ${response.status}`);
+      return {
+        sub: "unknown"
+      };
+    }
+    const data = await response.json();
+    return {
+      sub: data.sub ?? data.id ?? data.user_id ?? "unknown",
+      email: data.email,
+      email_verified: data.email_verified ?? data.verified_email,
+      name: data.name ?? data.login ?? data.display_name,
+      picture: data.picture ?? data.avatar_url ?? data.avatar,
+      raw: data
+    };
+  }
+  /**
+   * Generate an internal authorization code for the mapped tokens
+   * This code can be exchanged via the token endpoint
+   */
+  generateInternalCode(tokens) {
+    const code = (0, import_crypto2.randomUUID)();
+    const signature = (0, import_crypto2.createHmac)("sha256", this.config.sessionSecret).update(code).update(JSON.stringify(tokens)).digest("hex").substring(0, 16);
+    const fullCode = `${code}.${signature}`;
+    pendingRequests.set(fullCode, {
+      providerId: "_internal",
+      clientRedirectUri: "",
+      proxyState: fullCode,
+      createdAt: Date.now(),
+      // @ts-expect-error - storing tokens in pending request
+      _tokens: tokens
+    });
+    setTimeout(() => pendingRequests.delete(fullCode), 5 * 60 * 1e3);
+    return fullCode;
+  }
+  /**
+   * Handle token request (exchange internal code for tokens)
+   */
+  async handleToken(params) {
+    const { grant_type, code, refresh_token } = params;
+    if (grant_type === "authorization_code") {
+      if (!code) {
+        throw new Error("Missing code parameter");
+      }
+      const pending = pendingRequests.get(code);
+      if (!pending || !pending._tokens) {
+        throw new Error("Invalid or expired code");
+      }
+      pendingRequests.delete(code);
+      return pending._tokens;
+    }
+    if (grant_type === "refresh_token") {
+      if (!refresh_token) {
+        throw new Error("Missing refresh_token parameter");
+      }
+      throw new Error("Refresh token grant not implemented - use external provider directly");
+    }
+    throw new Error(`Unsupported grant_type: ${grant_type}`);
+  }
+  /**
+   * Express/Connect middleware factory
+   */
+  createMiddleware() {
+    return {
+      authorize: /* @__PURE__ */ __name((req, res) => {
+        try {
+          const url = this.handleAuthorize(req.query);
+          res.redirect(url);
+        } catch (error) {
+          res.status(400).json({
+            error: error.message
+          });
+        }
+      }, "authorize"),
+      callback: /* @__PURE__ */ __name(async (req, res) => {
+        try {
+          const result = await this.handleCallback(req.query);
+          res.redirect(result.redirectUri);
+        } catch (error) {
+          res.status(400).json({
+            error: error.message
+          });
+        }
+      }, "callback"),
+      token: /* @__PURE__ */ __name(async (req, res) => {
+        try {
+          const tokens = await this.handleToken(req.body);
+          res.json(tokens);
+        } catch (error) {
+          res.status(400).json({
+            error: error.message
+          });
+        }
+      }, "token")
+    };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  OAuthProxy,
+  azureProvider,
+  customProvider,
+  discordProvider,
+  githubProvider,
+  gitlabProvider,
+  googleProvider,
+  slackProvider
+});