@leanmcp/auth 0.3.1 → 0.4.0

package/dist/storage/index.mjs

@@ -0,0 +1,372 @@
+import {
+  MemoryStorage,
+  isTokenExpired,
+  withExpiresAt
+} from "../chunk-RGCCBQWG.mjs";
+import {
+  __name,
+  __require
+} from "../chunk-LPEX4YW6.mjs";
+
+// src/storage/file.ts
+import { promises as fs } from "fs";
+import { dirname } from "path";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+var CURRENT_VERSION = 1;
+var ALGORITHM = "aes-256-gcm";
+var FileStorage = class {
+  static {
+    __name(this, "FileStorage");
+  }
+  filePath;
+  encryptionKey;
+  prettyPrint;
+  cache = null;
+  writePromise = null;
+  constructor(options) {
+    if (typeof options === "string") {
+      this.filePath = this.expandPath(options);
+      this.prettyPrint = false;
+    } else {
+      this.filePath = this.expandPath(options.filePath);
+      this.prettyPrint = options.prettyPrint ?? false;
+      if (options.encryptionKey) {
+        this.encryptionKey = scryptSync(options.encryptionKey, "leanmcp-salt", 32);
+      }
+    }
+  }
+  /**
+   * Expand ~ to home directory
+   */
+  expandPath(filePath) {
+    if (filePath.startsWith("~")) {
+      const home = process.env.HOME || process.env.USERPROFILE || "";
+      return filePath.replace("~", home);
+    }
+    return filePath;
+  }
+  /**
+   * Normalize server URL for consistent key lookup
+   */
+  normalizeUrl(serverUrl) {
+    return serverUrl.replace(/\/+$/, "").toLowerCase();
+  }
+  /**
+   * Encrypt data
+   */
+  encrypt(data) {
+    if (!this.encryptionKey) return data;
+    const iv = randomBytes(16);
+    const cipher = createCipheriv(ALGORITHM, this.encryptionKey, iv);
+    let encrypted = cipher.update(data, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+  }
+  /**
+   * Decrypt data
+   */
+  decrypt(data) {
+    if (!this.encryptionKey) return data;
+    const [ivHex, authTagHex, encrypted] = data.split(":");
+    const iv = Buffer.from(ivHex, "hex");
+    const authTag = Buffer.from(authTagHex, "hex");
+    const decipher = createDecipheriv(ALGORITHM, this.encryptionKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  }
+  /**
+   * Read data from file
+   */
+  async readFile() {
+    if (this.cache) return this.cache;
+    try {
+      const raw = await fs.readFile(this.filePath, "utf8");
+      const decrypted = this.decrypt(raw);
+      this.cache = JSON.parse(decrypted);
+      return this.cache;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        this.cache = {
+          version: CURRENT_VERSION,
+          sessions: {}
+        };
+        return this.cache;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Write data to file (coalesced to avoid race conditions)
+   */
+  async writeFile(data) {
+    this.cache = data;
+    if (this.writePromise) {
+      return this.writePromise;
+    }
+    this.writePromise = (async () => {
+      try {
+        await fs.mkdir(dirname(this.filePath), {
+          recursive: true
+        });
+        const json = this.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
+        const encrypted = this.encrypt(json);
+        await fs.writeFile(this.filePath, encrypted, "utf8");
+      } finally {
+        this.writePromise = null;
+      }
+    })();
+    return this.writePromise;
+  }
+  async getTokens(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const session = data.sessions[key];
+    if (!session) return null;
+    if (isTokenExpired(session.tokens)) {
+      return session.tokens;
+    }
+    return session.tokens;
+  }
+  async setTokens(serverUrl, tokens) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const now = Date.now();
+    const existing = data.sessions[key];
+    data.sessions[key] = {
+      tokens: withExpiresAt(tokens),
+      clientInfo: existing?.clientInfo,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    };
+    await this.writeFile(data);
+  }
+  async clearTokens(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const session = data.sessions[key];
+    if (session) {
+      if (session.clientInfo) {
+        data.sessions[key] = {
+          tokens: {
+            access_token: "",
+            token_type: "bearer"
+          },
+          clientInfo: session.clientInfo,
+          createdAt: session.createdAt,
+          updatedAt: Date.now()
+        };
+      } else {
+        const { [key]: _, ...remaining } = data.sessions;
+        data.sessions = remaining;
+      }
+    }
+    await this.writeFile(data);
+  }
+  async getClientInfo(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    return data.sessions[key]?.clientInfo ?? null;
+  }
+  async setClientInfo(serverUrl, info) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const now = Date.now();
+    const existing = data.sessions[key];
+    data.sessions[key] = {
+      tokens: existing?.tokens ?? {
+        access_token: "",
+        token_type: "bearer"
+      },
+      clientInfo: info,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    };
+    await this.writeFile(data);
+  }
+  async clearClientInfo(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const session = data.sessions[key];
+    if (session) {
+      if (session.tokens?.access_token) {
+        data.sessions[key] = {
+          tokens: session.tokens,
+          createdAt: session.createdAt,
+          updatedAt: Date.now()
+        };
+      } else {
+        const { [key]: _, ...remaining } = data.sessions;
+        data.sessions = remaining;
+      }
+    }
+    await this.writeFile(data);
+  }
+  async clearAll() {
+    await this.writeFile({
+      version: CURRENT_VERSION,
+      sessions: {}
+    });
+  }
+  async getAllSessions() {
+    const data = await this.readFile();
+    return Object.entries(data.sessions).map(([url, session]) => ({
+      serverUrl: url,
+      tokens: session.tokens,
+      clientInfo: session.clientInfo,
+      createdAt: session.createdAt,
+      updatedAt: session.updatedAt
+    }));
+  }
+};
+
+// src/storage/keychain.ts
+var SERVICE_NAME = "leanmcp-auth";
+var KeychainStorage = class {
+  static {
+    __name(this, "KeychainStorage");
+  }
+  serviceName;
+  keytar = null;
+  initPromise = null;
+  constructor(options = {}) {
+    this.serviceName = options.serviceName ?? SERVICE_NAME;
+  }
+  /**
+   * Initialize keytar (lazy load)
+   */
+  async init() {
+    if (this.keytar) return;
+    if (this.initPromise) {
+      await this.initPromise;
+      return;
+    }
+    this.initPromise = (async () => {
+      try {
+        this.keytar = __require("keytar");
+      } catch (error) {
+        throw new Error('KeychainStorage requires the "keytar" package. Install it with: npm install keytar');
+      }
+    })();
+    await this.initPromise;
+  }
+  /**
+   * Normalize server URL for consistent key lookup
+   */
+  normalizeUrl(serverUrl) {
+    return serverUrl.replace(/\/+$/, "").toLowerCase();
+  }
+  /**
+   * Get account key for tokens
+   */
+  getTokensAccount(serverUrl) {
+    return `tokens:${this.normalizeUrl(serverUrl)}`;
+  }
+  /**
+   * Get account key for client info
+   */
+  getClientAccount(serverUrl) {
+    return `client:${this.normalizeUrl(serverUrl)}`;
+  }
+  async getTokens(serverUrl) {
+    await this.init();
+    const account = this.getTokensAccount(serverUrl);
+    const stored = await this.keytar.getPassword(this.serviceName, account);
+    if (!stored) return null;
+    try {
+      return JSON.parse(stored);
+    } catch {
+      return null;
+    }
+  }
+  async setTokens(serverUrl, tokens) {
+    await this.init();
+    const account = this.getTokensAccount(serverUrl);
+    const enrichedTokens = withExpiresAt(tokens);
+    await this.keytar.setPassword(this.serviceName, account, JSON.stringify(enrichedTokens));
+  }
+  async clearTokens(serverUrl) {
+    await this.init();
+    const account = this.getTokensAccount(serverUrl);
+    await this.keytar.deletePassword(this.serviceName, account);
+  }
+  async getClientInfo(serverUrl) {
+    await this.init();
+    const account = this.getClientAccount(serverUrl);
+    const stored = await this.keytar.getPassword(this.serviceName, account);
+    if (!stored) return null;
+    try {
+      return JSON.parse(stored);
+    } catch {
+      return null;
+    }
+  }
+  async setClientInfo(serverUrl, info) {
+    await this.init();
+    const account = this.getClientAccount(serverUrl);
+    await this.keytar.setPassword(this.serviceName, account, JSON.stringify(info));
+  }
+  async clearClientInfo(serverUrl) {
+    await this.init();
+    const account = this.getClientAccount(serverUrl);
+    await this.keytar.deletePassword(this.serviceName, account);
+  }
+  async clearAll() {
+    await this.init();
+    const credentials = await this.keytar.findCredentials(this.serviceName);
+    for (const cred of credentials) {
+      await this.keytar.deletePassword(this.serviceName, cred.account);
+    }
+  }
+  async getAllSessions() {
+    await this.init();
+    const credentials = await this.keytar.findCredentials(this.serviceName);
+    const sessions = [];
+    const tokensMap = /* @__PURE__ */ new Map();
+    const clientMap = /* @__PURE__ */ new Map();
+    for (const cred of credentials) {
+      if (cred.account.startsWith("tokens:")) {
+        const url = cred.account.replace("tokens:", "");
+        try {
+          tokensMap.set(url, JSON.parse(cred.password));
+        } catch {
+        }
+      } else if (cred.account.startsWith("client:")) {
+        const url = cred.account.replace("client:", "");
+        try {
+          clientMap.set(url, JSON.parse(cred.password));
+        } catch {
+        }
+      }
+    }
+    for (const [url, tokens] of tokensMap) {
+      sessions.push({
+        serverUrl: url,
+        tokens,
+        clientInfo: clientMap.get(url),
+        createdAt: Date.now(),
+        updatedAt: Date.now()
+      });
+    }
+    return sessions;
+  }
+};
+async function isKeychainAvailable() {
+  try {
+    __require("keytar");
+    return true;
+  } catch {
+    return false;
+  }
+}
+__name(isKeychainAvailable, "isKeychainAvailable");
+export {
+  FileStorage,
+  KeychainStorage,
+  MemoryStorage,
+  isKeychainAvailable,
+  isTokenExpired,
+  withExpiresAt
+};

package/dist/types-DMpGN530.d.mts

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };

package/dist/types-DMpGN530.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };