@leanmcp/auth 0.3.1 → 0.4.0

package/dist/{cognito-I6V5YNYM.mjs → cognito-QQT7LK2Y.mjs}

@@ -1,7 +1,9 @@
 import {
-  AuthProviderBase,
+  AuthProviderBase
+} from "./chunk-P4HFKA5R.mjs";
+import {
   __name
-} from "./chunk-EVD2TRPR.mjs";
+} from "./chunk-LPEX4YW6.mjs";
 
 // src/providers/cognito.ts
 import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";

package/dist/index.d.mts

@@ -10,6 +10,12 @@ interface AuthenticatedOptions {
      * @default true
      */
     getUser?: boolean;
+    /**
+     * Project ID for fetching user environment variables.
+     * Required when @RequireEnv is used on the method or class.
+     * Used to scope user secrets to a specific project.
+     */
+    projectId?: string;
 }
 
 /**
@@ -161,6 +167,11 @@ declare class AuthProvider extends AuthProviderBase {
      * Get user information from a token
      */
     getUser(token: string): Promise<any>;
+    /**
+     * Get user secrets for a project (LeanMCP provider only)
+     * Other providers will return empty object
+     */
+    getUserSecrets(token: string, projectId: string): Promise<Record<string, string>>;
     /**
      * Get the provider type
      */

package/dist/index.d.ts

@@ -10,6 +10,12 @@ interface AuthenticatedOptions {
      * @default true
      */
     getUser?: boolean;
+    /**
+     * Project ID for fetching user environment variables.
+     * Required when @RequireEnv is used on the method or class.
+     * Used to scope user secrets to a specific project.
+     */
+    projectId?: string;
 }
 
 /**
@@ -161,6 +167,11 @@ declare class AuthProvider extends AuthProviderBase {
      * Get user information from a token
      */
     getUser(token: string): Promise<any>;
+    /**
+     * Get user secrets for a project (LeanMCP provider only)
+     * Other providers will return empty object
+     */
+    getUserSecrets(token: string, projectId: string): Promise<Record<string, string>>;
     /**
      * Get the provider type
      */

package/dist/index.js

@@ -89,29 +89,39 @@ function createAuthenticatedMethod(originalMethod, authProvider, options) {
       }
       throw new AuthenticationError(`Token verification failed: ${error instanceof Error ? error.message : String(error)}`, "VERIFICATION_FAILED");
     }
+    let user = void 0;
     if (options.getUser !== false) {
       try {
-        const user = await authProvider.getUser(token);
-        return await authUserStorage.run(user, async () => {
-          return await originalMethod.apply(this, [
-            args
-          ]);
-        });
+        user = await authProvider.getUser(token);
       } catch (error) {
         console.warn("Failed to fetch user information:", error);
-        return await authUserStorage.run(void 0, async () => {
+      }
+    }
+    let userSecrets = {};
+    if (options.projectId) {
+      try {
+        if ("getUserSecrets" in authProvider && typeof authProvider.getUserSecrets === "function") {
+          userSecrets = await authProvider.getUserSecrets(token, options.projectId);
+        } else {
+          console.warn('[Auth] Auth provider does not support user secrets. Only the LeanMCP provider supports @RequireEnv and getEnv(). Use: new AuthProvider("leanmcp", { apiKey: "..." })');
+        }
+      } catch (error) {
+        console.warn("[Auth] Failed to fetch user secrets:", error instanceof Error ? error.message : error);
+      }
+    }
+    return await authUserStorage.run(user, async () => {
+      if (options.projectId) {
+        const { runWithEnv } = await import("@leanmcp/env-injection");
+        return await runWithEnv(userSecrets, async () => {
           return await originalMethod.apply(this, [
             args
           ]);
         });
       }
-    } else {
-      return await authUserStorage.run(void 0, async () => {
-        return await originalMethod.apply(this, [
-          args
-        ]);
-      });
-    }
+      return await originalMethod.apply(this, [
+        args
+      ]);
+    });
   };
 }
 function copyMetadata(source, target) {
@@ -547,6 +557,148 @@ var init_clerk = __esm({
   }
 });
 
+// src/providers/leanmcp.ts
+var leanmcp_exports = {};
+__export(leanmcp_exports, {
+  AuthLeanmcp: () => AuthLeanmcp
+});
+var import_axios4, import_jsonwebtoken4, AuthLeanmcp;
+var init_leanmcp = __esm({
+  "src/providers/leanmcp.ts"() {
+    "use strict";
+    import_axios4 = __toESM(require("axios"));
+    import_jsonwebtoken4 = __toESM(require("jsonwebtoken"));
+    init_index();
+    AuthLeanmcp = class extends AuthProviderBase {
+      static {
+        __name(this, "AuthLeanmcp");
+      }
+      authUrl = "https://auth.leanmcp.com";
+      orchestrationApiUrl = "https://api.leanmcp.com";
+      apiKey;
+      async init(config) {
+        this.authUrl = config?.authUrl || process.env.LEANMCP_AUTH_URL || "https://auth.leanmcp.com";
+        this.orchestrationApiUrl = config?.orchestrationApiUrl || process.env.LEANMCP_ORCHESTRATION_API_URL || "https://qaapi.leanmcp.com";
+        this.apiKey = config?.apiKey || process.env.LEANMCP_API_KEY;
+      }
+      async refreshToken(refreshToken) {
+        const url = `${this.authUrl}/api/refresh`;
+        try {
+          const { data } = await import_axios4.default.post(url, {
+            refresh_token: refreshToken
+          }, {
+            headers: {
+              "Content-Type": "application/json"
+            }
+          });
+          return data;
+        } catch (error) {
+          if (import_axios4.default.isAxiosError(error) && error.response) {
+            throw new Error(`Failed to refresh token: ${error.response.data.error?.message || error.response.data.error || "Unknown error"}`);
+          }
+          throw error;
+        }
+      }
+      async verifyToken(token) {
+        if (this.apiKey) {
+          const url2 = `${this.orchestrationApiUrl}/public/auth/verify-user`;
+          try {
+            await import_axios4.default.post(url2, {
+              token
+            }, {
+              headers: {
+                "Content-Type": "application/json",
+                "x-api-key": this.apiKey
+              }
+            });
+            return true;
+          } catch (error) {
+            console.error("Failed to verify token:", error);
+            return false;
+          }
+        }
+        const url = `${this.authUrl}/api/verify`;
+        try {
+          const { data } = await import_axios4.default.post(url, {
+            token
+          }, {
+            headers: {
+              "Content-Type": "application/json"
+            }
+          });
+          return data.valid;
+        } catch (error) {
+          return false;
+        }
+      }
+      async getUser(token) {
+        if (this.apiKey) {
+          const url = `${this.orchestrationApiUrl}/public/auth/verify-user`;
+          try {
+            const { data } = await import_axios4.default.post(url, {
+              token
+            }, {
+              headers: {
+                "Content-Type": "application/json",
+                "x-api-key": this.apiKey
+              }
+            });
+            return {
+              uid: data.uid,
+              email: data.email,
+              email_verified: data.emailVerified,
+              name: data.name,
+              picture: data.picture,
+              type: "firebase"
+            };
+          } catch (error) {
+            console.error("Failed to verify user token via Orchestration API:", error.response?.data || error.message);
+            throw new Error("Invalid user token or API key");
+          }
+        }
+        const decoded = import_jsonwebtoken4.default.decode(token);
+        if (!decoded) throw new Error("Invalid ID token");
+        return {
+          uid: decoded.user_id || decoded.sub,
+          email: decoded.email,
+          email_verified: decoded.email_verified,
+          name: decoded.name || decoded.displayName,
+          picture: decoded.picture || decoded.photoURL,
+          attributes: decoded,
+          type: "jwt"
+        };
+      }
+      /**
+       * Fetch user-specific environment variables for a project
+       * Uses the user's UID and project ID to retrieve their stored secrets
+       * 
+       * @param token - User's auth token
+       * @param projectId - Project ID to scope the secrets
+       * @returns Record of environment variables
+       */
+      async getUserSecrets(token, projectId) {
+        if (!this.apiKey) {
+          console.warn("[LeanMCP] API key not configured - cannot fetch user secrets. Set LEANMCP_API_KEY environment variable or pass apiKey in config.");
+          return {};
+        }
+        const url = `${this.orchestrationApiUrl}/public/secrets/user/${projectId}`;
+        try {
+          const { data } = await import_axios4.default.get(url, {
+            headers: {
+              "Authorization": `Bearer ${token}`,
+              "x-api-key": this.apiKey
+            }
+          });
+          return data.secrets || {};
+        } catch (error) {
+          console.warn("[LeanMCP] Failed to fetch user secrets:", error.response?.status || error.message);
+          return {};
+        }
+      }
+    };
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -605,8 +757,14 @@ var init_index = __esm({
             await this.providerInstance.init(finalConfig);
             break;
           }
+          case "leanmcp": {
+            const { AuthLeanmcp: AuthLeanmcp2 } = await Promise.resolve().then(() => (init_leanmcp(), leanmcp_exports));
+            this.providerInstance = new AuthLeanmcp2();
+            await this.providerInstance.init(finalConfig);
+            break;
+          }
           default:
-            throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito`);
+            throw new Error(`Unsupported auth provider: ${this.providerType}. Supported providers: cognito, auth0, clerk, leanmcp`);
         }
       }
       /**
@@ -637,6 +795,19 @@ var init_index = __esm({
         return this.providerInstance.getUser(token);
       }
       /**
+      * Get user secrets for a project (LeanMCP provider only)
+      * Other providers will return empty object
+      */
+      async getUserSecrets(token, projectId) {
+        if (!this.providerInstance) {
+          throw new Error("AuthProvider not initialized. Call init() first.");
+        }
+        if ("getUserSecrets" in this.providerInstance && typeof this.providerInstance.getUserSecrets === "function") {
+          return this.providerInstance.getUserSecrets(token, projectId);
+        }
+        return {};
+      }
+      /**
       * Get the provider type
       */
       getProviderType() {

package/dist/index.mjs

@@ -6,7 +6,8 @@ import {
   getAuthProvider,
   getAuthUser,
   isAuthenticationRequired
-} from "./chunk-EVD2TRPR.mjs";
+} from "./chunk-P4HFKA5R.mjs";
+import "./chunk-LPEX4YW6.mjs";
 export {
   AuthProvider,
   AuthProviderBase,

package/dist/leanmcp-Y7TXNSTD.mjs

@@ -0,0 +1,140 @@
+import {
+  AuthProviderBase
+} from "./chunk-P4HFKA5R.mjs";
+import {
+  __name
+} from "./chunk-LPEX4YW6.mjs";
+
+// src/providers/leanmcp.ts
+import axios from "axios";
+import jwt from "jsonwebtoken";
+var AuthLeanmcp = class extends AuthProviderBase {
+  static {
+    __name(this, "AuthLeanmcp");
+  }
+  authUrl = "https://auth.leanmcp.com";
+  orchestrationApiUrl = "https://api.leanmcp.com";
+  apiKey;
+  async init(config) {
+    this.authUrl = config?.authUrl || process.env.LEANMCP_AUTH_URL || "https://auth.leanmcp.com";
+    this.orchestrationApiUrl = config?.orchestrationApiUrl || process.env.LEANMCP_ORCHESTRATION_API_URL || "https://qaapi.leanmcp.com";
+    this.apiKey = config?.apiKey || process.env.LEANMCP_API_KEY;
+  }
+  async refreshToken(refreshToken) {
+    const url = `${this.authUrl}/api/refresh`;
+    try {
+      const { data } = await axios.post(url, {
+        refresh_token: refreshToken
+      }, {
+        headers: {
+          "Content-Type": "application/json"
+        }
+      });
+      return data;
+    } catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        throw new Error(`Failed to refresh token: ${error.response.data.error?.message || error.response.data.error || "Unknown error"}`);
+      }
+      throw error;
+    }
+  }
+  async verifyToken(token) {
+    if (this.apiKey) {
+      const url2 = `${this.orchestrationApiUrl}/public/auth/verify-user`;
+      try {
+        await axios.post(url2, {
+          token
+        }, {
+          headers: {
+            "Content-Type": "application/json",
+            "x-api-key": this.apiKey
+          }
+        });
+        return true;
+      } catch (error) {
+        console.error("Failed to verify token:", error);
+        return false;
+      }
+    }
+    const url = `${this.authUrl}/api/verify`;
+    try {
+      const { data } = await axios.post(url, {
+        token
+      }, {
+        headers: {
+          "Content-Type": "application/json"
+        }
+      });
+      return data.valid;
+    } catch (error) {
+      return false;
+    }
+  }
+  async getUser(token) {
+    if (this.apiKey) {
+      const url = `${this.orchestrationApiUrl}/public/auth/verify-user`;
+      try {
+        const { data } = await axios.post(url, {
+          token
+        }, {
+          headers: {
+            "Content-Type": "application/json",
+            "x-api-key": this.apiKey
+          }
+        });
+        return {
+          uid: data.uid,
+          email: data.email,
+          email_verified: data.emailVerified,
+          name: data.name,
+          picture: data.picture,
+          type: "firebase"
+        };
+      } catch (error) {
+        console.error("Failed to verify user token via Orchestration API:", error.response?.data || error.message);
+        throw new Error("Invalid user token or API key");
+      }
+    }
+    const decoded = jwt.decode(token);
+    if (!decoded) throw new Error("Invalid ID token");
+    return {
+      uid: decoded.user_id || decoded.sub,
+      email: decoded.email,
+      email_verified: decoded.email_verified,
+      name: decoded.name || decoded.displayName,
+      picture: decoded.picture || decoded.photoURL,
+      attributes: decoded,
+      type: "jwt"
+    };
+  }
+  /**
+   * Fetch user-specific environment variables for a project
+   * Uses the user's UID and project ID to retrieve their stored secrets
+   * 
+   * @param token - User's auth token
+   * @param projectId - Project ID to scope the secrets
+   * @returns Record of environment variables
+   */
+  async getUserSecrets(token, projectId) {
+    if (!this.apiKey) {
+      console.warn("[LeanMCP] API key not configured - cannot fetch user secrets. Set LEANMCP_API_KEY environment variable or pass apiKey in config.");
+      return {};
+    }
+    const url = `${this.orchestrationApiUrl}/public/secrets/user/${projectId}`;
+    try {
+      const { data } = await axios.get(url, {
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "x-api-key": this.apiKey
+        }
+      });
+      return data.secrets || {};
+    } catch (error) {
+      console.warn("[LeanMCP] Failed to fetch user secrets:", error.response?.status || error.message);
+      return {};
+    }
+  }
+};
+export {
+  AuthLeanmcp
+};