@leanmcp/auth 0.3.2 → 0.4.0

package/dist/server/index.js

@@ -0,0 +1,882 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  DynamicClientRegistration: () => DynamicClientRegistration,
+  OAuthAuthorizationServer: () => OAuthAuthorizationServer,
+  TokenVerifier: () => TokenVerifier
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/server/authorization-server.ts
+var import_crypto3 = require("crypto");
+var import_express = __toESM(require("express"));
+
+// src/server/dcr.ts
+var import_crypto2 = require("crypto");
+
+// src/server/jwt-utils.ts
+var import_crypto = require("crypto");
+function encryptUpstreamToken(plaintext, secret) {
+  if (secret.length !== 32) {
+    throw new Error("Encryption secret must be 32 bytes (256 bits)");
+  }
+  const iv = (0, import_crypto.randomBytes)(12);
+  const cipher = (0, import_crypto.createCipheriv)("aes-256-gcm", secret, iv);
+  let ciphertext = cipher.update(plaintext, "utf8", "base64");
+  ciphertext += cipher.final("base64");
+  const tag = cipher.getAuthTag();
+  return {
+    ciphertext,
+    iv: iv.toString("base64"),
+    tag: tag.toString("base64")
+  };
+}
+__name(encryptUpstreamToken, "encryptUpstreamToken");
+function decryptUpstreamToken(encrypted, secret) {
+  if (secret.length !== 32) {
+    throw new Error("Encryption secret must be 32 bytes (256 bits)");
+  }
+  try {
+    const iv = Buffer.from(encrypted.iv, "base64");
+    const tag = Buffer.from(encrypted.tag, "base64");
+    const decipher = (0, import_crypto.createDecipheriv)("aes-256-gcm", secret, iv);
+    decipher.setAuthTag(tag);
+    let plaintext = decipher.update(encrypted.ciphertext, "base64", "utf8");
+    plaintext += decipher.final("utf8");
+    return plaintext;
+  } catch (error) {
+    throw new Error(`Failed to decrypt upstream token: ${error.message}`);
+  }
+}
+__name(decryptUpstreamToken, "decryptUpstreamToken");
+function signJWT(payload, secret) {
+  const header = {
+    alg: "HS256",
+    typ: "JWT"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const signatureInput = `${encodedHeader}.${encodedPayload}`;
+  const signature = (0, import_crypto.createHmac)("sha256", secret).update(signatureInput).digest("base64url");
+  return `${encodedHeader}.${encodedPayload}.${signature}`;
+}
+__name(signJWT, "signJWT");
+function verifyJWT(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const [encodedHeader, encodedPayload, signature] = parts;
+  const signatureInput = `${encodedHeader}.${encodedPayload}`;
+  const expectedSignature = (0, import_crypto.createHmac)("sha256", secret).update(signatureInput).digest("base64url");
+  if (signature !== expectedSignature) {
+    throw new Error("Invalid JWT signature");
+  }
+  const header = JSON.parse(base64UrlDecode(encodedHeader));
+  const payload = JSON.parse(base64UrlDecode(encodedPayload));
+  if (header.alg !== "HS256") {
+    throw new Error(`Unsupported algorithm: ${header.alg}`);
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp && now > payload.exp) {
+    throw new Error("JWT expired");
+  }
+  if (payload.iat && now < payload.iat) {
+    throw new Error("JWT not yet valid");
+  }
+  return payload;
+}
+__name(verifyJWT, "verifyJWT");
+function base64UrlEncode(str) {
+  return Buffer.from(str, "utf8").toString("base64url");
+}
+__name(base64UrlEncode, "base64UrlEncode");
+function base64UrlDecode(str) {
+  return Buffer.from(str, "base64url").toString("utf8");
+}
+__name(base64UrlDecode, "base64UrlDecode");
+function generateJTI() {
+  return (0, import_crypto.randomBytes)(16).toString("hex");
+}
+__name(generateJTI, "generateJTI");
+
+// src/server/dcr.ts
+var DynamicClientRegistration = class {
+  static {
+    __name(this, "DynamicClientRegistration");
+  }
+  options;
+  constructor(options) {
+    if (!options.signingSecret) {
+      throw new Error("signingSecret is required for stateless DCR");
+    }
+    this.options = {
+      clientIdPrefix: options.clientIdPrefix ?? "mcp_",
+      clientSecretLength: options.clientSecretLength ?? 32,
+      clientTTL: options.clientTTL ?? 0,
+      signingSecret: options.signingSecret
+    };
+  }
+  /**
+   * Register a new OAuth client (stateless)
+   * 
+   * @param request - Client registration request per RFC 7591
+   * @returns Client registration response with JWT credentials
+   */
+  register(request) {
+    const now = Date.now();
+    const nowSeconds = Math.floor(now / 1e3);
+    const expiresAt = this.options.clientTTL > 0 ? now + this.options.clientTTL * 1e3 : void 0;
+    const expSeconds = expiresAt ? Math.floor(expiresAt / 1e3) : 0;
+    const authMethod = request.token_endpoint_auth_method ?? "client_secret_post";
+    const credentialPayload = {
+      sub: (0, import_crypto2.randomUUID)(),
+      iss: "leanmcp-dcr",
+      aud: "leanmcp-oauth",
+      iat: nowSeconds,
+      exp: expSeconds || void 0,
+      redirect_uris: request.redirect_uris ?? [],
+      grant_types: request.grant_types ?? [
+        "authorization_code"
+      ],
+      response_types: request.response_types ?? [
+        "code"
+      ],
+      client_name: request.client_name,
+      token_endpoint_auth_method: authMethod
+    };
+    const clientIdJWT = signJWT(credentialPayload, this.options.signingSecret);
+    const clientId = `${this.options.clientIdPrefix}${clientIdJWT}`;
+    const response = {
+      client_id: clientId,
+      client_id_issued_at: nowSeconds
+    };
+    if (authMethod !== "none") {
+      const clientSecret = this.deriveClientSecret(clientIdJWT);
+      response.client_secret = clientSecret;
+      response.client_secret_expires_at = expSeconds;
+    }
+    if (request.redirect_uris) response.redirect_uris = request.redirect_uris;
+    if (request.grant_types) response.grant_types = request.grant_types;
+    if (request.response_types) response.response_types = request.response_types;
+    if (request.client_name) response.client_name = request.client_name;
+    if (authMethod) response.token_endpoint_auth_method = authMethod;
+    return response;
+  }
+  /**
+   * Validate client credentials (stateless)
+   * 
+   * @param clientId - Client ID (JWT with prefix)
+   * @param clientSecret - Client secret (optional for public clients)
+   * @returns Whether credentials are valid
+   */
+  validate(clientId, clientSecret) {
+    try {
+      const jwtWithoutPrefix = this.extractJWT(clientId);
+      if (!jwtWithoutPrefix) return false;
+      const payload = verifyJWT(jwtWithoutPrefix, this.options.signingSecret);
+      if (payload.token_endpoint_auth_method && payload.token_endpoint_auth_method !== "none") {
+        if (!clientSecret) return false;
+        const expectedSecret = this.deriveClientSecret(jwtWithoutPrefix);
+        return clientSecret === expectedSecret;
+      }
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  /**
+   * Get a registered client by ID (stateless)
+   */
+  getClient(clientId) {
+    try {
+      const jwtWithoutPrefix = this.extractJWT(clientId);
+      if (!jwtWithoutPrefix) return void 0;
+      const payload = verifyJWT(jwtWithoutPrefix, this.options.signingSecret);
+      return {
+        client_id: clientId,
+        client_secret: payload.token_endpoint_auth_method !== "none" ? this.deriveClientSecret(jwtWithoutPrefix) : void 0,
+        redirect_uris: payload.redirect_uris,
+        grant_types: payload.grant_types,
+        response_types: payload.response_types,
+        client_name: payload.client_name,
+        token_endpoint_auth_method: payload.token_endpoint_auth_method,
+        created_at: payload.iat * 1e3,
+        expires_at: payload.exp ? payload.exp * 1e3 : void 0
+      };
+    } catch (error) {
+      return void 0;
+    }
+  }
+  /**
+   * Validate redirect URI for a client
+   */
+  validateRedirectUri(clientId, redirectUri) {
+    const client = this.getClient(clientId);
+    if (!client) return false;
+    if (client.redirect_uris.length === 0) return true;
+    return client.redirect_uris.includes(redirectUri);
+  }
+  /**
+   * Delete a client (no-op in stateless mode)
+   * 
+   * In stateless mode, clients cannot be truly "deleted" because
+   * their credentials are self-contained. They will expire naturally
+   * or when the signing secret is rotated.
+   */
+  delete(clientId) {
+    return this.getClient(clientId) !== void 0;
+  }
+  /**
+   * List all registered clients (not supported in stateless mode)
+   */
+  listClients() {
+    throw new Error("listClients() is not supported in stateless DCR mode");
+  }
+  /**
+   * Clear all clients (no-op in stateless mode)
+   */
+  clearAll() {
+  }
+  /**
+   * Extract JWT from prefixed client_id
+   */
+  extractJWT(clientId) {
+    if (!clientId.startsWith(this.options.clientIdPrefix)) {
+      return null;
+    }
+    return clientId.slice(this.options.clientIdPrefix.length);
+  }
+  /**
+   * Derive client secret from client_id JWT
+   * 
+   * Uses HMAC to create a deterministic secret that can be
+   * validated without storage.
+   */
+  deriveClientSecret(clientIdJWT) {
+    const { createHmac: createHmac3 } = require("crypto");
+    return createHmac3("sha256", this.options.signingSecret).update(clientIdJWT).digest("hex");
+  }
+};
+
+// src/server/authorization-server.ts
+var pendingAuthRequests = /* @__PURE__ */ new Map();
+var pendingTokenExchanges = /* @__PURE__ */ new Map();
+var CLEANUP_INTERVAL_MS = 60 * 1e3;
+var REQUEST_TTL_MS = 10 * 60 * 1e3;
+function cleanupExpiredRequests() {
+  const now = Date.now();
+  for (const [key, request] of pendingAuthRequests.entries()) {
+    if (now - request.createdAt > REQUEST_TTL_MS) {
+      pendingAuthRequests.delete(key);
+    }
+  }
+  for (const [key, exchange] of pendingTokenExchanges.entries()) {
+    if (now - exchange.createdAt > REQUEST_TTL_MS) {
+      pendingTokenExchanges.delete(key);
+    }
+  }
+}
+__name(cleanupExpiredRequests, "cleanupExpiredRequests");
+setInterval(cleanupExpiredRequests, CLEANUP_INTERVAL_MS);
+var OAuthAuthorizationServer = class {
+  static {
+    __name(this, "OAuthAuthorizationServer");
+  }
+  options;
+  dcr;
+  constructor(options) {
+    this.options = {
+      enableDCR: true,
+      tokenTTL: 3600,
+      refreshTokenTTL: 2592e3,
+      ...options
+    };
+    const jwtSigningSecret = this.options.jwtSigningSecret || this.options.sessionSecret;
+    this.dcr = new DynamicClientRegistration({
+      clientIdPrefix: "mcp_",
+      clientSecretLength: 32,
+      clientTTL: 0,
+      signingSecret: jwtSigningSecret
+    });
+  }
+  /**
+   * Generate state parameter with HMAC signature
+   */
+  generateState() {
+    const nonce = (0, import_crypto3.randomUUID)();
+    const signature = (0, import_crypto3.createHmac)("sha256", this.options.sessionSecret).update(nonce).digest("hex").substring(0, 8);
+    return `${nonce}.${signature}`;
+  }
+  /**
+   * Verify state parameter signature
+   */
+  verifyState(state) {
+    const [nonce, signature] = state.split(".");
+    if (!nonce || !signature) return false;
+    const expectedSignature = (0, import_crypto3.createHmac)("sha256", this.options.sessionSecret).update(nonce).digest("hex").substring(0, 8);
+    return signature === expectedSignature;
+  }
+  /**
+   * Generate an authorization code
+   */
+  generateAuthCode() {
+    return (0, import_crypto3.randomBytes)(32).toString("hex");
+  }
+  /**
+   * Generate JWT access token with encrypted upstream credentials
+   */
+  generateAccessToken(claims, upstreamToken) {
+    const now = Math.floor(Date.now() / 1e3);
+    const jwtSigningSecret = this.options.jwtSigningSecret || this.options.sessionSecret;
+    const jwtEncryptionSecret = this.options.jwtEncryptionSecret || Buffer.from(this.options.sessionSecret.padEnd(32, "0").slice(0, 32));
+    let encryptedUpstreamToken;
+    if (upstreamToken) {
+      encryptedUpstreamToken = encryptUpstreamToken(upstreamToken, jwtEncryptionSecret);
+    }
+    const payload = {
+      sub: claims.sub || "unknown",
+      iss: this.options.issuer,
+      aud: claims.aud || this.options.issuer,
+      iat: now,
+      exp: now + (this.options.tokenTTL || 3600),
+      jti: generateJTI(),
+      scope: claims.scope,
+      client_id: claims.client_id,
+      name: claims.name,
+      email: claims.email,
+      picture: claims.picture,
+      upstream_provider: claims.upstream_provider,
+      upstream_token: encryptedUpstreamToken
+    };
+    return signJWT(payload, jwtSigningSecret);
+  }
+  /**
+   * Get authorization server metadata (RFC 8414)
+   */
+  getMetadata() {
+    const issuer = this.options.issuer;
+    return {
+      issuer,
+      authorization_endpoint: `${issuer}/oauth/authorize`,
+      token_endpoint: `${issuer}/oauth/token`,
+      registration_endpoint: this.options.enableDCR ? `${issuer}/oauth/register` : void 0,
+      scopes_supported: this.options.scopesSupported || [],
+      response_types_supported: [
+        "code"
+      ],
+      grant_types_supported: [
+        "authorization_code",
+        "refresh_token"
+      ],
+      code_challenge_methods_supported: [
+        "S256"
+      ],
+      token_endpoint_auth_methods_supported: [
+        "client_secret_post",
+        "client_secret_basic",
+        "none"
+      ]
+    };
+  }
+  /**
+   * Get Express router with all OAuth endpoints
+   */
+  getRouter() {
+    const router = import_express.default.Router();
+    router.get("/.well-known/oauth-authorization-server", (_req, res) => {
+      res.json(this.getMetadata());
+    });
+    if (this.options.enableDCR) {
+      router.post("/oauth/register", import_express.default.json(), (req, res) => {
+        try {
+          const response = this.dcr.register(req.body);
+          res.status(201).json(response);
+        } catch (error) {
+          res.status(400).json({
+            error: "invalid_client_metadata",
+            error_description: error.message
+          });
+        }
+      });
+    }
+    router.get("/oauth/authorize", (req, res) => {
+      this.handleAuthorize(req, res);
+    });
+    router.get("/oauth/callback", async (req, res) => {
+      await this.handleCallback(req, res);
+    });
+    router.post("/oauth/token", import_express.default.urlencoded({
+      extended: true
+    }), async (req, res) => {
+      await this.handleToken(req, res);
+    });
+    return router;
+  }
+  /**
+   * Handle authorization request
+   */
+  handleAuthorize(req, res) {
+    const { response_type, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, resource } = req.query;
+    if (response_type !== "code") {
+      res.status(400).json({
+        error: "unsupported_response_type",
+        error_description: 'Only "code" response type is supported'
+      });
+      return;
+    }
+    if (!client_id) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "client_id is required"
+      });
+      return;
+    }
+    const client = this.dcr.getClient(client_id);
+    if (!client) {
+      res.status(400).json({
+        error: "invalid_client",
+        error_description: "Unknown client_id"
+      });
+      return;
+    }
+    if (redirect_uri && !this.dcr.validateRedirectUri(client_id, redirect_uri)) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "Invalid redirect_uri"
+      });
+      return;
+    }
+    if (!code_challenge || code_challenge_method !== "S256") {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "PKCE with S256 is required"
+      });
+      return;
+    }
+    if (!this.options.upstreamProvider) {
+      res.status(500).json({
+        error: "server_error",
+        error_description: "No upstream provider configured"
+      });
+      return;
+    }
+    const proxyState = this.generateState();
+    const pendingRequest = {
+      clientId: client_id,
+      redirectUri: redirect_uri || client.redirect_uris[0],
+      scope: scope || "",
+      state,
+      codeChallenge: code_challenge,
+      codeChallengeMethod: code_challenge_method,
+      resource,
+      proxyState,
+      createdAt: Date.now()
+    };
+    pendingAuthRequests.set(proxyState, pendingRequest);
+    const upstream = this.options.upstreamProvider;
+    const authUrl = new URL(upstream.authorizationEndpoint);
+    authUrl.searchParams.set("client_id", upstream.clientId);
+    authUrl.searchParams.set("redirect_uri", `${this.options.issuer}/oauth/callback`);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("state", proxyState);
+    authUrl.searchParams.set("scope", upstream.scopes?.join(" ") || scope || "");
+    res.redirect(authUrl.toString());
+  }
+  /**
+   * Handle callback from upstream provider
+   */
+  async handleCallback(req, res) {
+    const { code, state, error, error_description } = req.query;
+    if (error) {
+      const pending2 = state ? pendingAuthRequests.get(state) : void 0;
+      pendingAuthRequests.delete(state || "");
+      if (pending2) {
+        const redirectUri = new URL(pending2.redirectUri);
+        redirectUri.searchParams.set("error", error);
+        if (error_description) {
+          redirectUri.searchParams.set("error_description", error_description);
+        }
+        if (pending2.state) {
+          redirectUri.searchParams.set("state", pending2.state);
+        }
+        res.redirect(redirectUri.toString());
+      } else {
+        res.status(400).json({
+          error,
+          error_description
+        });
+      }
+      return;
+    }
+    if (!state || !this.verifyState(state)) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "Invalid state parameter"
+      });
+      return;
+    }
+    const pending = pendingAuthRequests.get(state);
+    if (!pending) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "State not found - request may have expired"
+      });
+      return;
+    }
+    pendingAuthRequests.delete(state);
+    if (!code) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "Missing authorization code"
+      });
+      return;
+    }
+    try {
+      const upstream = this.options.upstreamProvider;
+      const tokenResponse = await fetch(upstream.tokenEndpoint, {
+        method: "POST",
+        headers: {
+          "Accept": "application/json",
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          redirect_uri: `${this.options.issuer}/oauth/callback`,
+          client_id: upstream.clientId,
+          client_secret: upstream.clientSecret
+        })
+      });
+      if (!tokenResponse.ok) {
+        const errorBody = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${errorBody}`);
+      }
+      const upstreamTokens = await tokenResponse.json();
+      let userInfo = {};
+      if (upstream.userInfoEndpoint && upstreamTokens.access_token) {
+        const userInfoResponse = await fetch(upstream.userInfoEndpoint, {
+          headers: {
+            "Authorization": `Bearer ${upstreamTokens.access_token}`,
+            "Accept": "application/json"
+          }
+        });
+        if (userInfoResponse.ok) {
+          userInfo = await userInfoResponse.json();
+        }
+      }
+      const authCode = this.generateAuthCode();
+      pendingTokenExchanges.set(authCode, {
+        clientId: pending.clientId,
+        redirectUri: pending.redirectUri,
+        scope: pending.scope,
+        resource: pending.resource,
+        upstreamTokens,
+        userInfo,
+        createdAt: Date.now(),
+        codeChallenge: pending.codeChallenge,
+        codeChallengeMethod: pending.codeChallengeMethod
+      });
+      const redirectUri = new URL(pending.redirectUri);
+      redirectUri.searchParams.set("code", authCode);
+      if (pending.state) {
+        redirectUri.searchParams.set("state", pending.state);
+      }
+      res.redirect(redirectUri.toString());
+    } catch (error2) {
+      console.error("Auth callback error:", error2);
+      const redirectUri = new URL(pending.redirectUri);
+      redirectUri.searchParams.set("error", "server_error");
+      redirectUri.searchParams.set("error_description", error2.message);
+      if (pending.state) {
+        redirectUri.searchParams.set("state", pending.state);
+      }
+      res.redirect(redirectUri.toString());
+    }
+  }
+  /**
+   * Handle token request
+   */
+  async handleToken(req, res) {
+    const { grant_type, code, redirect_uri, client_id, client_secret, code_verifier } = req.body;
+    let clientId = client_id;
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Basic ")) {
+      const credentials = Buffer.from(authHeader.slice(6), "base64").toString();
+      const [basicClientId, basicSecret] = credentials.split(":");
+      clientId = basicClientId;
+      if (!this.dcr.validate(clientId, basicSecret)) {
+        res.status(401).json({
+          error: "invalid_client",
+          error_description: "Invalid client credentials"
+        });
+        return;
+      }
+    } else if (client_id) {
+      if (!this.dcr.validate(client_id, client_secret)) {
+        res.status(401).json({
+          error: "invalid_client",
+          error_description: "Invalid client credentials"
+        });
+        return;
+      }
+    } else {
+      res.status(401).json({
+        error: "invalid_client",
+        error_description: "Client authentication required"
+      });
+      return;
+    }
+    if (grant_type === "authorization_code") {
+      await this.handleAuthCodeGrant(res, clientId, code, redirect_uri, code_verifier);
+    } else if (grant_type === "refresh_token") {
+      res.status(400).json({
+        error: "unsupported_grant_type",
+        error_description: "Refresh token grant not yet implemented"
+      });
+    } else {
+      res.status(400).json({
+        error: "unsupported_grant_type",
+        error_description: `Grant type "${grant_type}" not supported`
+      });
+    }
+  }
+  /**
+   * Handle authorization code grant
+   */
+  async handleAuthCodeGrant(res, clientId, code, redirectUri, codeVerifier) {
+    if (!code) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "Missing authorization code"
+      });
+      return;
+    }
+    const pending = pendingTokenExchanges.get(code);
+    if (!pending) {
+      res.status(400).json({
+        error: "invalid_grant",
+        error_description: "Invalid or expired authorization code"
+      });
+      return;
+    }
+    pendingTokenExchanges.delete(code);
+    if (pending.clientId !== clientId) {
+      res.status(400).json({
+        error: "invalid_grant",
+        error_description: "Client mismatch"
+      });
+      return;
+    }
+    if (redirectUri && pending.redirectUri !== redirectUri) {
+      res.status(400).json({
+        error: "invalid_grant",
+        error_description: "Redirect URI mismatch"
+      });
+      return;
+    }
+    if (pending.codeChallenge) {
+      if (!codeVerifier) {
+        res.status(400).json({
+          error: "invalid_request",
+          error_description: "Missing code_verifier"
+        });
+        return;
+      }
+      if (pending.codeChallengeMethod === "S256") {
+        const calculatedChallenge = (0, import_crypto3.createHash)("sha256").update(codeVerifier).digest("base64url");
+        if (calculatedChallenge !== pending.codeChallenge) {
+          res.status(400).json({
+            error: "invalid_grant",
+            error_description: "PKCE verification failed"
+          });
+          return;
+        }
+      } else {
+        res.status(400).json({
+          error: "invalid_request",
+          error_description: "Unsupported PKCE method"
+        });
+        return;
+      }
+    }
+    let tokens = pending.upstreamTokens;
+    if (this.options.tokenMapper) {
+      tokens = await this.options.tokenMapper(pending.upstreamTokens, pending.userInfo);
+    }
+    const userId = pending.userInfo.id || pending.userInfo.sub || pending.userInfo.login || "unknown";
+    const accessToken = this.generateAccessToken({
+      sub: userId,
+      aud: pending.resource || this.options.issuer,
+      scope: pending.scope,
+      client_id: clientId,
+      // Include upstream user info
+      name: pending.userInfo.name,
+      email: pending.userInfo.email,
+      picture: pending.userInfo.avatar_url || pending.userInfo.picture,
+      upstream_provider: this.options.upstreamProvider?.id
+    }, tokens.access_token);
+    res.json({
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: this.options.tokenTTL || 3600,
+      scope: pending.scope,
+      // Include upstream refresh token if available
+      refresh_token: tokens.refresh_token
+    });
+  }
+};
+
+// src/server/token-verifier.ts
+var TokenVerifier = class {
+  static {
+    __name(this, "TokenVerifier");
+  }
+  options;
+  constructor(options) {
+    if (!options.secret) {
+      throw new Error("JWT signing secret is required");
+    }
+    this.options = {
+      audience: options.audience,
+      issuer: options.issuer,
+      secret: options.secret,
+      clockTolerance: options.clockTolerance ?? 60,
+      encryptionSecret: options.encryptionSecret
+    };
+  }
+  /**
+   * Verify a JWT access token
+   * 
+   * @param token - The JWT access token to verify
+   * @returns Verification result with claims and decrypted upstream token if valid
+   */
+  async verify(token) {
+    if (!token) {
+      return {
+        valid: false,
+        error: "No token provided",
+        errorCode: "invalid_token"
+      };
+    }
+    try {
+      const payload = verifyJWT(token, this.options.secret);
+      if (this.options.issuer && payload.iss !== this.options.issuer) {
+        return {
+          valid: false,
+          error: `Invalid issuer: expected ${this.options.issuer}, got ${payload.iss}`,
+          errorCode: "invalid_token"
+        };
+      }
+      if (this.options.audience) {
+        const audiences = Array.isArray(payload.aud) ? payload.aud : [
+          payload.aud
+        ];
+        if (!audiences.includes(this.options.audience)) {
+          return {
+            valid: false,
+            error: `Invalid audience: expected ${this.options.audience}`,
+            errorCode: "invalid_token"
+          };
+        }
+      }
+      let upstreamToken;
+      if (payload.upstream_token && this.options.encryptionSecret) {
+        try {
+          upstreamToken = decryptUpstreamToken(payload.upstream_token, this.options.encryptionSecret);
+        } catch (error) {
+          return {
+            valid: false,
+            error: `Failed to decrypt upstream token: ${error.message}`,
+            errorCode: "invalid_token"
+          };
+        }
+      }
+      return {
+        valid: true,
+        claims: payload,
+        upstreamToken
+      };
+    } catch (error) {
+      if (error.message.includes("expired")) {
+        return {
+          valid: false,
+          error: error.message,
+          errorCode: "expired_token"
+        };
+      }
+      return {
+        valid: false,
+        error: error.message,
+        errorCode: "invalid_token"
+      };
+    }
+  }
+  /**
+   * Generate WWW-Authenticate header for 401 responses
+   * 
+   * Per RFC 9728, this should include the resource_metadata URL
+   * 
+   * @param options - Header options
+   * @returns WWW-Authenticate header value
+   */
+  static getWWWAuthenticateHeader(options) {
+    const parts = [
+      `Bearer resource_metadata="${options.resourceMetadataUrl}"`
+    ];
+    if (options.error) {
+      parts.push(`error="${options.error}"`);
+    }
+    if (options.errorDescription) {
+      parts.push(`error_description="${options.errorDescription}"`);
+    }
+    if (options.scope) {
+      parts.push(`scope="${options.scope}"`);
+    }
+    return parts.join(", ");
+  }
+  /**
+   * Check if token has required scopes
+   */
+  hasScopes(claims, requiredScopes) {
+    if (requiredScopes.length === 0) return true;
+    const tokenScopes = typeof claims.scope === "string" ? claims.scope.split(" ") : claims.scope || [];
+    return requiredScopes.every((scope) => tokenScopes.includes(scope));
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DynamicClientRegistration,
+  OAuthAuthorizationServer,
+  TokenVerifier
+});