npm - @leanmcp/auth - Versions diffs - 0.3.1 → 0.4.0 - Mend

@leanmcp/auth 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/README.md +148 -661
package/dist/{auth0-54GZT2EI.mjs → auth0-UTD4QBG6.mjs} +4 -2
package/dist/chunk-LPEX4YW6.mjs +13 -0
package/dist/{chunk-EVD2TRPR.mjs → chunk-P4HFKA5R.mjs} +50 -21
package/dist/chunk-RGCCBQWG.mjs +113 -0
package/dist/chunk-ZOPKMOPV.mjs +53 -0
package/dist/{clerk-FR7ITM33.mjs → clerk-3SDKGD6C.mjs} +4 -2
package/dist/client/index.d.mts +499 -0
package/dist/client/index.d.ts +499 -0
package/dist/client/index.js +1039 -0
package/dist/client/index.mjs +869 -0
package/dist/{cognito-I6V5YNYM.mjs → cognito-QQT7LK2Y.mjs} +4 -2
package/dist/index.d.mts +11 -0
package/dist/index.d.ts +11 -0
package/dist/index.js +186 -15
package/dist/index.mjs +2 -1
package/dist/leanmcp-Y7TXNSTD.mjs +140 -0
package/dist/proxy/index.d.mts +376 -0
package/dist/proxy/index.d.ts +376 -0
package/dist/proxy/index.js +536 -0
package/dist/proxy/index.mjs +480 -0
package/dist/server/index.d.mts +496 -0
package/dist/server/index.d.ts +496 -0
package/dist/server/index.js +882 -0
package/dist/server/index.mjs +847 -0
package/dist/storage/index.d.mts +181 -0
package/dist/storage/index.d.ts +181 -0
package/dist/storage/index.js +499 -0
package/dist/storage/index.mjs +372 -0
package/dist/types-DMpGN530.d.mts +122 -0
package/dist/types-DMpGN530.d.ts +122 -0
package/package.json +45 -8

package/dist/client/index.js ADDED Viewed

@@ -0,0 +1,1039 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/client/index.ts
+var client_exports = {};
+__export(client_exports, {
+  OAuthClient: () => OAuthClient,
+  RefreshManager: () => RefreshManager,
+  clearMetadataCache: () => clearMetadataCache,
+  createRefreshManager: () => createRefreshManager,
+  discoverOAuthMetadata: () => discoverOAuthMetadata,
+  findAvailablePort: () => findAvailablePort,
+  generateCodeChallenge: () => generateCodeChallenge,
+  generateCodeVerifier: () => generateCodeVerifier,
+  generatePKCE: () => generatePKCE,
+  isValidCodeVerifier: () => isValidCodeVerifier,
+  serverSupports: () => serverSupports,
+  startCallbackServer: () => startCallbackServer,
+  validateMetadata: () => validateMetadata,
+  verifyPKCE: () => verifyPKCE
+});
+module.exports = __toCommonJS(client_exports);
+// src/client/pkce.ts
+var import_crypto = require("crypto");
+function generateCodeVerifier(length = 64) {
+  if (length < 43 || length > 128) {
+    throw new Error("PKCE code verifier must be between 43-128 characters");
+  }
+  const bytesNeeded = Math.ceil(length * 0.75);
+  const randomBuffer = (0, import_crypto.randomBytes)(bytesNeeded);
+  return randomBuffer.toString("base64url").slice(0, length);
+}
+__name(generateCodeVerifier, "generateCodeVerifier");
+function generateCodeChallenge(verifier) {
+  return (0, import_crypto.createHash)("sha256").update(verifier, "utf8").digest("base64url");
+}
+__name(generateCodeChallenge, "generateCodeChallenge");
+function generatePKCE(verifierLength = 64) {
+  const verifier = generateCodeVerifier(verifierLength);
+  const challenge = generateCodeChallenge(verifier);
+  return {
+    verifier,
+    challenge,
+    method: "S256"
+  };
+}
+__name(generatePKCE, "generatePKCE");
+function verifyPKCE(verifier, challenge, method = "S256") {
+  if (method === "plain") {
+    return verifier === challenge;
+  }
+  const expectedChallenge = generateCodeChallenge(verifier);
+  return expectedChallenge === challenge;
+}
+__name(verifyPKCE, "verifyPKCE");
+function isValidCodeVerifier(verifier) {
+  if (verifier.length < 43 || verifier.length > 128) {
+    return false;
+  }
+  const validPattern = /^[A-Za-z0-9\-._~]+$/;
+  return validPattern.test(verifier);
+}
+__name(isValidCodeVerifier, "isValidCodeVerifier");
+// src/client/callback-server.ts
+var import_http = require("http");
+var import_url = require("url");
+var DEFAULT_SUCCESS_HTML = `
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication Successful</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      color: white;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: rgba(255,255,255,0.1);
+      border-radius: 16px;
+      backdrop-filter: blur(10px);
+    }
+    .success-icon { font-size: 64px; margin-bottom: 20px; }
+    h1 { margin: 0 0 10px; font-size: 24px; }
+    p { margin: 0; opacity: 0.9; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="success-icon">\u2713</div>
+    <h1>Authentication Successful</h1>
+    <p>You can close this window and return to your application.</p>
+  </div>
+</body>
+</html>
+`;
+var DEFAULT_ERROR_HTML = `
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication Failed</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #e74c3c 0%, #c0392b 100%);
+      color: white;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: rgba(0,0,0,0.2);
+      border-radius: 16px;
+    }
+    .error-icon { font-size: 64px; margin-bottom: 20px; }
+    h1 { margin: 0 0 10px; font-size: 24px; }
+    p { margin: 0; opacity: 0.9; }
+    .details { margin-top: 20px; font-size: 14px; opacity: 0.7; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="error-icon">\u2717</div>
+    <h1>Authentication Failed</h1>
+    <p>{{ERROR_MESSAGE}}</p>
+    <p class="details">{{ERROR_DESCRIPTION}}</p>
+  </div>
+</body>
+</html>
+`;
+async function startCallbackServer(options = {}) {
+  const { port = 0, host = "127.0.0.1", path = "/callback", timeout = 5 * 60 * 1e3, successHtml = DEFAULT_SUCCESS_HTML, errorHtml = DEFAULT_ERROR_HTML } = options;
+  let resolveCallback;
+  let rejectCallback;
+  const callbackPromise = new Promise((resolve, reject) => {
+    resolveCallback = resolve;
+    rejectCallback = reject;
+  });
+  const server = (0, import_http.createServer)((req, res) => {
+    const url = new import_url.URL(req.url || "/", `http://${host}:${port}`);
+    if (url.pathname !== path) {
+      res.writeHead(404, {
+        "Content-Type": "text/plain"
+      });
+      res.end("Not Found");
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    const errorDescription = url.searchParams.get("error_description");
+    if (error) {
+      const html = errorHtml.replace("{{ERROR_MESSAGE}}", error).replace("{{ERROR_DESCRIPTION}}", errorDescription || "");
+      res.writeHead(400, {
+        "Content-Type": "text/html"
+      });
+      res.end(html);
+      rejectCallback(new Error(`OAuth error: ${error} - ${errorDescription || "No description"}`));
+      return;
+    }
+    if (!code) {
+      const html = errorHtml.replace("{{ERROR_MESSAGE}}", "Missing authorization code").replace("{{ERROR_DESCRIPTION}}", "The OAuth server did not return an authorization code.");
+      res.writeHead(400, {
+        "Content-Type": "text/html"
+      });
+      res.end(html);
+      rejectCallback(new Error("No authorization code received"));
+      return;
+    }
+    if (!state) {
+      const html = errorHtml.replace("{{ERROR_MESSAGE}}", "Missing state parameter").replace("{{ERROR_DESCRIPTION}}", "The OAuth server did not return the state parameter.");
+      res.writeHead(400, {
+        "Content-Type": "text/html"
+      });
+      res.end(html);
+      rejectCallback(new Error("No state parameter received"));
+      return;
+    }
+    res.writeHead(200, {
+      "Content-Type": "text/html"
+    });
+    res.end(successHtml);
+    resolveCallback({
+      code,
+      state
+    });
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.removeListener("error", reject);
+      resolve();
+    });
+  });
+  const actualPort = server.address().port;
+  const redirectUri = `http://${host}:${actualPort}${path}`;
+  const timeoutId = setTimeout(() => {
+    rejectCallback(new Error(`OAuth callback timed out after ${timeout / 1e3} seconds`));
+  }, timeout);
+  const shutdown = /* @__PURE__ */ __name(async () => {
+    clearTimeout(timeoutId);
+    return new Promise((resolve, reject) => {
+      server.close((err) => {
+        if (err) reject(err);
+        else resolve();
+      });
+    });
+  }, "shutdown");
+  return {
+    redirectUri,
+    port: actualPort,
+    waitForCallback: /* @__PURE__ */ __name(async () => {
+      try {
+        return await callbackPromise;
+      } finally {
+        await shutdown().catch(() => {
+        });
+      }
+    }, "waitForCallback"),
+    shutdown
+  };
+}
+__name(startCallbackServer, "startCallbackServer");
+async function findAvailablePort(preferredPort) {
+  return new Promise((resolve, reject) => {
+    const server = (0, import_http.createServer)();
+    server.once("error", reject);
+    server.listen(preferredPort || 0, "127.0.0.1", () => {
+      const port = server.address().port;
+      server.close(() => resolve(port));
+    });
+  });
+}
+__name(findAvailablePort, "findAvailablePort");
+// src/storage/types.ts
+function isTokenExpired(tokens, bufferSeconds = 60) {
+  if (!tokens.expires_at && !tokens.expires_in) {
+    return false;
+  }
+  const expiresAt = tokens.expires_at ?? Date.now() / 1e3 + (tokens.expires_in ?? 0);
+  const now = Date.now() / 1e3;
+  return expiresAt <= now + bufferSeconds;
+}
+__name(isTokenExpired, "isTokenExpired");
+function withExpiresAt(tokens) {
+  if (tokens.expires_at || !tokens.expires_in) {
+    return tokens;
+  }
+  return {
+    ...tokens,
+    expires_at: Math.floor(Date.now() / 1e3) + tokens.expires_in
+  };
+}
+__name(withExpiresAt, "withExpiresAt");
+// src/storage/memory.ts
+var MemoryStorage = class {
+  static {
+    __name(this, "MemoryStorage");
+  }
+  tokens = /* @__PURE__ */ new Map();
+  clients = /* @__PURE__ */ new Map();
+  /**
+   * Normalize server URL for consistent key lookup
+   */
+  normalizeUrl(serverUrl) {
+    return serverUrl.replace(/\/+$/, "").toLowerCase();
+  }
+  /**
+   * Check if an entry is expired
+   */
+  isExpired(entry) {
+    if (!entry) return true;
+    if (!entry.expiresAt) return false;
+    return Date.now() / 1e3 >= entry.expiresAt;
+  }
+  async getTokens(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const entry = this.tokens.get(key);
+    if (this.isExpired(entry)) {
+      this.tokens.delete(key);
+      return null;
+    }
+    return entry?.value ?? null;
+  }
+  async setTokens(serverUrl, tokens) {
+    const key = this.normalizeUrl(serverUrl);
+    const enrichedTokens = withExpiresAt(tokens);
+    this.tokens.set(key, {
+      value: enrichedTokens,
+      expiresAt: enrichedTokens.expires_at
+    });
+  }
+  async clearTokens(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    this.tokens.delete(key);
+  }
+  async getClientInfo(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const entry = this.clients.get(key);
+    if (this.isExpired(entry)) {
+      this.clients.delete(key);
+      return null;
+    }
+    return entry?.value ?? null;
+  }
+  async setClientInfo(serverUrl, info) {
+    const key = this.normalizeUrl(serverUrl);
+    this.clients.set(key, {
+      value: info,
+      expiresAt: info.client_secret_expires_at
+    });
+  }
+  async clearClientInfo(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    this.clients.delete(key);
+  }
+  async clearAll() {
+    this.tokens.clear();
+    this.clients.clear();
+  }
+  async getAllSessions() {
+    const sessions = [];
+    for (const [url, entry] of this.tokens.entries()) {
+      if (!this.isExpired(entry)) {
+        sessions.push({
+          serverUrl: url,
+          tokens: entry.value,
+          clientInfo: this.clients.get(url)?.value,
+          createdAt: Date.now(),
+          updatedAt: Date.now()
+        });
+      }
+    }
+    return sessions;
+  }
+};
+// src/client/oauth-client.ts
+var OAuthClient = class {
+  static {
+    __name(this, "OAuthClient");
+  }
+  serverUrl;
+  scopes;
+  clientName;
+  storage;
+  pkceEnabled;
+  autoRefresh;
+  refreshBuffer;
+  callbackPort;
+  timeout;
+  // OAuth endpoints
+  authorizationEndpoint;
+  tokenEndpoint;
+  registrationEndpoint;
+  // Pre-configured credentials
+  preConfiguredClientId;
+  preConfiguredClientSecret;
+  // Runtime state
+  pendingRefresh;
+  metadata;
+  constructor(options) {
+    this.serverUrl = options.serverUrl.replace(/\/+$/, "");
+    this.scopes = options.scopes ?? [];
+    this.clientName = options.clientName ?? "LeanMCP Client";
+    this.storage = options.storage ?? new MemoryStorage();
+    this.pkceEnabled = options.pkceEnabled ?? true;
+    this.autoRefresh = options.autoRefresh ?? true;
+    this.refreshBuffer = options.refreshBuffer ?? 60;
+    this.callbackPort = options.callbackPort;
+    this.timeout = options.timeout ?? 5 * 60 * 1e3;
+    this.authorizationEndpoint = options.authorizationEndpoint;
+    this.tokenEndpoint = options.tokenEndpoint;
+    this.registrationEndpoint = options.registrationEndpoint;
+    this.preConfiguredClientId = options.clientId;
+    this.preConfiguredClientSecret = options.clientSecret;
+  }
+  /**
+   * Discover OAuth metadata from .well-known endpoint
+   */
+  async discoverMetadata() {
+    if (this.metadata) return this.metadata;
+    const wellKnownUrl = `${this.serverUrl}/.well-known/oauth-authorization-server`;
+    try {
+      const response = await fetch(wellKnownUrl);
+      if (response.ok) {
+        this.metadata = await response.json();
+        return this.metadata;
+      }
+    } catch {
+    }
+    try {
+      const oidcUrl = `${this.serverUrl}/.well-known/openid-configuration`;
+      const response = await fetch(oidcUrl);
+      if (response.ok) {
+        this.metadata = await response.json();
+        return this.metadata;
+      }
+    } catch {
+    }
+    this.metadata = {
+      issuer: this.serverUrl,
+      authorization_endpoint: this.authorizationEndpoint || `${this.serverUrl}/authorize`,
+      token_endpoint: this.tokenEndpoint || `${this.serverUrl}/token`,
+      registration_endpoint: this.registrationEndpoint
+    };
+    return this.metadata;
+  }
+  /**
+   * Get or register OAuth client credentials
+   */
+  async getClientCredentials(redirectUri) {
+    if (this.preConfiguredClientId) {
+      return {
+        client_id: this.preConfiguredClientId,
+        client_secret: this.preConfiguredClientSecret
+      };
+    }
+    const stored = await this.storage.getClientInfo(this.serverUrl);
+    if (stored && (!stored.client_secret_expires_at || stored.client_secret_expires_at > Date.now() / 1e3)) {
+      return stored;
+    }
+    const metadata = await this.discoverMetadata();
+    if (!metadata.registration_endpoint) {
+      throw new Error("No client credentials configured and server does not support dynamic registration. Please provide clientId in OAuthClientOptions.");
+    }
+    const registrationPayload = {
+      client_name: this.clientName,
+      redirect_uris: [
+        redirectUri
+      ],
+      grant_types: [
+        "authorization_code",
+        "refresh_token"
+      ],
+      response_types: [
+        "code"
+      ],
+      scope: this.scopes.join(" ")
+    };
+    const response = await fetch(metadata.registration_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(registrationPayload)
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Client registration failed: ${error}`);
+    }
+    const registration = await response.json();
+    await this.storage.setClientInfo(this.serverUrl, registration);
+    return registration;
+  }
+  /**
+   * Start the browser-based OAuth flow
+   *
+   * Opens the user's browser to the authorization URL and waits for the callback.
+   *
+   * @returns OAuth tokens
+   */
+  async authenticate() {
+    const existing = await this.storage.getTokens(this.serverUrl);
+    if (existing && !isTokenExpired(existing, this.refreshBuffer)) {
+      return existing;
+    }
+    if (existing?.refresh_token) {
+      try {
+        return await this.refreshTokens();
+      } catch {
+      }
+    }
+    const callbackServer = await startCallbackServer({
+      port: this.callbackPort,
+      timeout: this.timeout
+    });
+    try {
+      const metadata = await this.discoverMetadata();
+      const clientCredentials = await this.getClientCredentials(callbackServer.redirectUri);
+      let pkce;
+      if (this.pkceEnabled) {
+        pkce = generatePKCE();
+      }
+      const state = crypto.randomUUID();
+      const authUrl = new URL(metadata.authorization_endpoint);
+      authUrl.searchParams.set("response_type", "code");
+      authUrl.searchParams.set("client_id", clientCredentials.client_id);
+      authUrl.searchParams.set("redirect_uri", callbackServer.redirectUri);
+      authUrl.searchParams.set("state", state);
+      if (this.scopes.length > 0) {
+        authUrl.searchParams.set("scope", this.scopes.join(" "));
+      }
+      if (pkce) {
+        authUrl.searchParams.set("code_challenge", pkce.challenge);
+        authUrl.searchParams.set("code_challenge_method", pkce.method);
+      }
+      const openBrowser = await this.openBrowser(authUrl.toString());
+      if (!openBrowser) {
+        console.log(`
+Please open this URL in your browser:
+${authUrl.toString()}
+`);
+      }
+      const result = await callbackServer.waitForCallback();
+      if (result.state !== state) {
+        throw new Error("State mismatch - possible CSRF attack");
+      }
+      const tokens = await this.exchangeCodeForTokens(result.code, callbackServer.redirectUri, clientCredentials, pkce?.verifier);
+      const enrichedTokens = withExpiresAt(tokens);
+      await this.storage.setTokens(this.serverUrl, enrichedTokens);
+      return enrichedTokens;
+    } finally {
+      await callbackServer.shutdown().catch(() => {
+      });
+    }
+  }
+  /**
+   * Open URL in browser
+   */
+  async openBrowser(url) {
+    try {
+      const open = require("open");
+      await open(url);
+      return true;
+    } catch {
+      try {
+        const { exec } = require("child_process");
+        const platform = process.platform;
+        if (platform === "darwin") {
+          exec(`open "${url}"`);
+        } else if (platform === "win32") {
+          exec(`start "" "${url}"`);
+        } else {
+          exec(`xdg-open "${url}"`);
+        }
+        return true;
+      } catch {
+        return false;
+      }
+    }
+  }
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCodeForTokens(code, redirectUri, credentials, codeVerifier) {
+    const metadata = await this.discoverMetadata();
+    const tokenPayload = {
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri,
+      client_id: credentials.client_id
+    };
+    if (credentials.client_secret) {
+      tokenPayload.client_secret = credentials.client_secret;
+    }
+    if (codeVerifier) {
+      tokenPayload.code_verifier = codeVerifier;
+    }
+    const response = await fetch(metadata.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams(tokenPayload)
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Token exchange failed: ${error}`);
+    }
+    return response.json();
+  }
+  /**
+   * Refresh the access token using the refresh token
+   */
+  async refreshTokens() {
+    if (this.pendingRefresh) {
+      return this.pendingRefresh;
+    }
+    this.pendingRefresh = this.doRefreshTokens();
+    try {
+      return await this.pendingRefresh;
+    } finally {
+      this.pendingRefresh = void 0;
+    }
+  }
+  async doRefreshTokens() {
+    const existing = await this.storage.getTokens(this.serverUrl);
+    if (!existing?.refresh_token) {
+      throw new Error("No refresh token available");
+    }
+    const metadata = await this.discoverMetadata();
+    const credentials = await this.getClientCredentials("");
+    const tokenPayload = {
+      grant_type: "refresh_token",
+      refresh_token: existing.refresh_token,
+      client_id: credentials.client_id
+    };
+    if (credentials.client_secret) {
+      tokenPayload.client_secret = credentials.client_secret;
+    }
+    const response = await fetch(metadata.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams(tokenPayload)
+    });
+    if (!response.ok) {
+      await this.storage.clearTokens(this.serverUrl);
+      throw new Error("Token refresh failed");
+    }
+    const tokens = await response.json();
+    if (!tokens.refresh_token && existing.refresh_token) {
+      tokens.refresh_token = existing.refresh_token;
+    }
+    const enrichedTokens = withExpiresAt(tokens);
+    await this.storage.setTokens(this.serverUrl, enrichedTokens);
+    return enrichedTokens;
+  }
+  /**
+   * Get a valid access token, refreshing if necessary
+   */
+  async getValidToken() {
+    let tokens = await this.storage.getTokens(this.serverUrl);
+    if (!tokens) {
+      throw new Error("Not authenticated. Call authenticate() first.");
+    }
+    if (this.autoRefresh && isTokenExpired(tokens, this.refreshBuffer)) {
+      if (tokens.refresh_token) {
+        tokens = await this.refreshTokens();
+      } else {
+        throw new Error("Token expired and no refresh token available. Re-authenticate required.");
+      }
+    }
+    return tokens.access_token;
+  }
+  /**
+   * Get current tokens (may be expired)
+   */
+  async getTokens() {
+    return this.storage.getTokens(this.serverUrl);
+  }
+  /**
+   * Check if we have valid (non-expired) tokens
+   */
+  async isAuthenticated() {
+    const tokens = await this.storage.getTokens(this.serverUrl);
+    if (!tokens) return false;
+    return !isTokenExpired(tokens, this.refreshBuffer) || !!tokens.refresh_token;
+  }
+  /**
+   * Clear stored tokens and log out
+   */
+  async logout() {
+    await this.storage.clearTokens(this.serverUrl);
+    await this.storage.clearClientInfo(this.serverUrl);
+  }
+  /**
+   * Create an auth handler for HTTP requests
+   *
+   * @example
+   * ```typescript
+   * const authHandler = client.asAuthHandler();
+   * const authedRequest = await authHandler(request);
+   * ```
+   */
+  asAuthHandler() {
+    return async (request) => {
+      const token = await this.getValidToken();
+      const headers = new Headers(request.headers);
+      headers.set("Authorization", `Bearer ${token}`);
+      return new Request(request.url, {
+        method: request.method,
+        headers,
+        body: request.body
+      });
+    };
+  }
+};
+// src/client/discovery.ts
+var metadataCache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 60 * 60 * 1e3;
+async function discoverOAuthMetadata(serverUrl, options = {}) {
+  const { timeout = 1e4, cache = true, fetch: customFetch = fetch } = options;
+  const normalizedUrl = serverUrl.replace(/\/+$/, "");
+  if (cache) {
+    const cached = metadataCache.get(normalizedUrl);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.metadata;
+    }
+  }
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  try {
+    const oauthUrl = `${normalizedUrl}/.well-known/oauth-authorization-server`;
+    try {
+      const response = await customFetch(oauthUrl, {
+        signal: controller.signal,
+        headers: {
+          "Accept": "application/json"
+        }
+      });
+      if (response.ok) {
+        const metadata = await response.json();
+        cacheMetadata(normalizedUrl, metadata, cache);
+        return metadata;
+      }
+    } catch {
+    }
+    const oidcUrl = `${normalizedUrl}/.well-known/openid-configuration`;
+    try {
+      const response = await customFetch(oidcUrl, {
+        signal: controller.signal,
+        headers: {
+          "Accept": "application/json"
+        }
+      });
+      if (response.ok) {
+        const metadata = await response.json();
+        cacheMetadata(normalizedUrl, metadata, cache);
+        return metadata;
+      }
+    } catch {
+    }
+    const fallbackMetadata = {
+      issuer: normalizedUrl,
+      authorization_endpoint: `${normalizedUrl}/authorize`,
+      token_endpoint: `${normalizedUrl}/token`
+    };
+    if (cache) {
+      metadataCache.set(normalizedUrl, {
+        metadata: fallbackMetadata,
+        expiresAt: Date.now() + 5 * 60 * 1e3
+      });
+    }
+    return fallbackMetadata;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+__name(discoverOAuthMetadata, "discoverOAuthMetadata");
+function cacheMetadata(url, metadata, shouldCache) {
+  if (shouldCache) {
+    metadataCache.set(url, {
+      metadata,
+      expiresAt: Date.now() + CACHE_TTL_MS
+    });
+  }
+}
+__name(cacheMetadata, "cacheMetadata");
+function clearMetadataCache(serverUrl) {
+  if (serverUrl) {
+    const normalizedUrl = serverUrl.replace(/\/+$/, "");
+    metadataCache.delete(normalizedUrl);
+  } else {
+    metadataCache.clear();
+  }
+}
+__name(clearMetadataCache, "clearMetadataCache");
+function serverSupports(metadata, feature) {
+  switch (feature) {
+    case "pkce":
+      return metadata.code_challenge_methods_supported?.includes("S256") ?? false;
+    case "refresh_token":
+      return metadata.grant_types_supported?.includes("refresh_token") ?? true;
+    // Assume supported if not specified
+    case "dynamic_registration":
+      return !!metadata.registration_endpoint;
+    case "revocation":
+      return !!metadata.revocation_endpoint;
+    default:
+      return false;
+  }
+}
+__name(serverSupports, "serverSupports");
+function validateMetadata(metadata) {
+  const errors = [];
+  if (!metadata.issuer) {
+    errors.push("Missing required field: issuer");
+  }
+  if (!metadata.authorization_endpoint) {
+    errors.push("Missing required field: authorization_endpoint");
+  }
+  if (!metadata.token_endpoint) {
+    errors.push("Missing required field: token_endpoint");
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+__name(validateMetadata, "validateMetadata");
+// src/client/refresh-manager.ts
+var RefreshManager = class {
+  static {
+    __name(this, "RefreshManager");
+  }
+  storage;
+  refreshFn;
+  serverUrl;
+  refreshBuffer;
+  checkInterval;
+  maxRetries;
+  retryDelay;
+  intervalId;
+  pendingRefresh;
+  retryCount = 0;
+  listeners = [];
+  isRunning = false;
+  constructor(options) {
+    this.storage = options.storage;
+    this.refreshFn = options.refreshFn;
+    this.serverUrl = options.serverUrl;
+    this.refreshBuffer = options.refreshBuffer ?? 300;
+    this.checkInterval = options.checkInterval ?? 6e4;
+    this.maxRetries = options.maxRetries ?? 3;
+    this.retryDelay = options.retryDelay ?? 5e3;
+  }
+  /**
+   * Start background refresh monitoring
+   */
+  start() {
+    if (this.isRunning) return;
+    this.isRunning = true;
+    this.checkAndRefresh();
+    this.intervalId = setInterval(() => {
+      this.checkAndRefresh();
+    }, this.checkInterval);
+  }
+  /**
+   * Stop background refresh monitoring
+   */
+  stop() {
+    this.isRunning = false;
+    if (this.intervalId) {
+      clearInterval(this.intervalId);
+      this.intervalId = void 0;
+    }
+  }
+  /**
+   * Register event listener
+   */
+  on(listener) {
+    this.listeners.push(listener);
+    return () => {
+      this.listeners = this.listeners.filter((l) => l !== listener);
+    };
+  }
+  /**
+   * Emit event to all listeners
+   */
+  emit(event) {
+    for (const listener of this.listeners) {
+      try {
+        listener(event);
+      } catch {
+      }
+    }
+  }
+  /**
+   * Check token and refresh if needed
+   */
+  async checkAndRefresh() {
+    if (this.pendingRefresh) return;
+    try {
+      const tokens = await this.storage.getTokens(this.serverUrl);
+      if (!tokens) return;
+      if (!isTokenExpired(tokens, this.refreshBuffer)) {
+        this.retryCount = 0;
+        return;
+      }
+      if (!tokens.refresh_token) {
+        this.emit({
+          type: "token_expired",
+          serverUrl: this.serverUrl
+        });
+        return;
+      }
+      await this.performRefresh(tokens.refresh_token);
+    } catch (error) {
+      console.error("[RefreshManager] Error checking tokens:", error);
+    }
+  }
+  /**
+   * Perform token refresh with retry logic
+   */
+  async performRefresh(refreshToken) {
+    this.emit({
+      type: "refresh_started",
+      serverUrl: this.serverUrl
+    });
+    this.pendingRefresh = this.doRefresh(refreshToken);
+    try {
+      const tokens = await this.pendingRefresh;
+      this.retryCount = 0;
+      this.emit({
+        type: "refresh_success",
+        serverUrl: this.serverUrl,
+        tokens
+      });
+    } catch (error) {
+      this.emit({
+        type: "refresh_failed",
+        serverUrl: this.serverUrl,
+        error: error instanceof Error ? error : new Error(String(error))
+      });
+      if (this.retryCount < this.maxRetries) {
+        this.retryCount++;
+        setTimeout(() => {
+          this.checkAndRefresh();
+        }, this.retryDelay * this.retryCount);
+      }
+    } finally {
+      this.pendingRefresh = void 0;
+    }
+  }
+  /**
+   * Actually perform the refresh
+   */
+  async doRefresh(refreshToken) {
+    const newTokens = await this.refreshFn(refreshToken);
+    const enrichedTokens = withExpiresAt(newTokens);
+    if (!enrichedTokens.refresh_token) {
+      enrichedTokens.refresh_token = refreshToken;
+    }
+    await this.storage.setTokens(this.serverUrl, enrichedTokens);
+    return enrichedTokens;
+  }
+  /**
+   * Force an immediate refresh
+   */
+  async forceRefresh() {
+    const tokens = await this.storage.getTokens(this.serverUrl);
+    if (!tokens?.refresh_token) {
+      throw new Error("No refresh token available");
+    }
+    if (this.pendingRefresh) {
+      return this.pendingRefresh;
+    }
+    this.pendingRefresh = this.doRefresh(tokens.refresh_token);
+    try {
+      const newTokens = await this.pendingRefresh;
+      this.emit({
+        type: "refresh_success",
+        serverUrl: this.serverUrl,
+        tokens: newTokens
+      });
+      return newTokens;
+    } finally {
+      this.pendingRefresh = void 0;
+    }
+  }
+  /**
+   * Get current running state
+   */
+  get running() {
+    return this.isRunning;
+  }
+};
+function createRefreshManager(storage, serverUrl, tokenEndpoint, clientId, clientSecret) {
+  return new RefreshManager({
+    storage,
+    serverUrl,
+    refreshFn: /* @__PURE__ */ __name(async (refreshToken) => {
+      const payload = {
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: clientId
+      };
+      if (clientSecret) {
+        payload.client_secret = clientSecret;
+      }
+      const response = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams(payload)
+      });
+      if (!response.ok) {
+        throw new Error(`Token refresh failed: ${response.status}`);
+      }
+      return response.json();
+    }, "refreshFn")
+  });
+}
+__name(createRefreshManager, "createRefreshManager");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  OAuthClient,
+  RefreshManager,
+  clearMetadataCache,
+  createRefreshManager,
+  discoverOAuthMetadata,
+  findAvailablePort,
+  generateCodeChallenge,
+  generateCodeVerifier,
+  generatePKCE,
+  isValidCodeVerifier,
+  serverSupports,
+  startCallbackServer,
+  validateMetadata,
+  verifyPKCE
+});