@leanmcp/auth 0.3.2 → 0.4.0

package/dist/storage/index.mjs

@@ -0,0 +1,372 @@
+import {
+  MemoryStorage,
+  isTokenExpired,
+  withExpiresAt
+} from "../chunk-RGCCBQWG.mjs";
+import {
+  __name,
+  __require
+} from "../chunk-LPEX4YW6.mjs";
+
+// src/storage/file.ts
+import { promises as fs } from "fs";
+import { dirname } from "path";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+var CURRENT_VERSION = 1;
+var ALGORITHM = "aes-256-gcm";
+var FileStorage = class {
+  static {
+    __name(this, "FileStorage");
+  }
+  filePath;
+  encryptionKey;
+  prettyPrint;
+  cache = null;
+  writePromise = null;
+  constructor(options) {
+    if (typeof options === "string") {
+      this.filePath = this.expandPath(options);
+      this.prettyPrint = false;
+    } else {
+      this.filePath = this.expandPath(options.filePath);
+      this.prettyPrint = options.prettyPrint ?? false;
+      if (options.encryptionKey) {
+        this.encryptionKey = scryptSync(options.encryptionKey, "leanmcp-salt", 32);
+      }
+    }
+  }
+  /**
+   * Expand ~ to home directory
+   */
+  expandPath(filePath) {
+    if (filePath.startsWith("~")) {
+      const home = process.env.HOME || process.env.USERPROFILE || "";
+      return filePath.replace("~", home);
+    }
+    return filePath;
+  }
+  /**
+   * Normalize server URL for consistent key lookup
+   */
+  normalizeUrl(serverUrl) {
+    return serverUrl.replace(/\/+$/, "").toLowerCase();
+  }
+  /**
+   * Encrypt data
+   */
+  encrypt(data) {
+    if (!this.encryptionKey) return data;
+    const iv = randomBytes(16);
+    const cipher = createCipheriv(ALGORITHM, this.encryptionKey, iv);
+    let encrypted = cipher.update(data, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+  }
+  /**
+   * Decrypt data
+   */
+  decrypt(data) {
+    if (!this.encryptionKey) return data;
+    const [ivHex, authTagHex, encrypted] = data.split(":");
+    const iv = Buffer.from(ivHex, "hex");
+    const authTag = Buffer.from(authTagHex, "hex");
+    const decipher = createDecipheriv(ALGORITHM, this.encryptionKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  }
+  /**
+   * Read data from file
+   */
+  async readFile() {
+    if (this.cache) return this.cache;
+    try {
+      const raw = await fs.readFile(this.filePath, "utf8");
+      const decrypted = this.decrypt(raw);
+      this.cache = JSON.parse(decrypted);
+      return this.cache;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        this.cache = {
+          version: CURRENT_VERSION,
+          sessions: {}
+        };
+        return this.cache;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Write data to file (coalesced to avoid race conditions)
+   */
+  async writeFile(data) {
+    this.cache = data;
+    if (this.writePromise) {
+      return this.writePromise;
+    }
+    this.writePromise = (async () => {
+      try {
+        await fs.mkdir(dirname(this.filePath), {
+          recursive: true
+        });
+        const json = this.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
+        const encrypted = this.encrypt(json);
+        await fs.writeFile(this.filePath, encrypted, "utf8");
+      } finally {
+        this.writePromise = null;
+      }
+    })();
+    return this.writePromise;
+  }
+  async getTokens(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const session = data.sessions[key];
+    if (!session) return null;
+    if (isTokenExpired(session.tokens)) {
+      return session.tokens;
+    }
+    return session.tokens;
+  }
+  async setTokens(serverUrl, tokens) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const now = Date.now();
+    const existing = data.sessions[key];
+    data.sessions[key] = {
+      tokens: withExpiresAt(tokens),
+      clientInfo: existing?.clientInfo,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    };
+    await this.writeFile(data);
+  }
+  async clearTokens(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const session = data.sessions[key];
+    if (session) {
+      if (session.clientInfo) {
+        data.sessions[key] = {
+          tokens: {
+            access_token: "",
+            token_type: "bearer"
+          },
+          clientInfo: session.clientInfo,
+          createdAt: session.createdAt,
+          updatedAt: Date.now()
+        };
+      } else {
+        const { [key]: _, ...remaining } = data.sessions;
+        data.sessions = remaining;
+      }
+    }
+    await this.writeFile(data);
+  }
+  async getClientInfo(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    return data.sessions[key]?.clientInfo ?? null;
+  }
+  async setClientInfo(serverUrl, info) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const now = Date.now();
+    const existing = data.sessions[key];
+    data.sessions[key] = {
+      tokens: existing?.tokens ?? {
+        access_token: "",
+        token_type: "bearer"
+      },
+      clientInfo: info,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    };
+    await this.writeFile(data);
+  }
+  async clearClientInfo(serverUrl) {
+    const key = this.normalizeUrl(serverUrl);
+    const data = await this.readFile();
+    const session = data.sessions[key];
+    if (session) {
+      if (session.tokens?.access_token) {
+        data.sessions[key] = {
+          tokens: session.tokens,
+          createdAt: session.createdAt,
+          updatedAt: Date.now()
+        };
+      } else {
+        const { [key]: _, ...remaining } = data.sessions;
+        data.sessions = remaining;
+      }
+    }
+    await this.writeFile(data);
+  }
+  async clearAll() {
+    await this.writeFile({
+      version: CURRENT_VERSION,
+      sessions: {}
+    });
+  }
+  async getAllSessions() {
+    const data = await this.readFile();
+    return Object.entries(data.sessions).map(([url, session]) => ({
+      serverUrl: url,
+      tokens: session.tokens,
+      clientInfo: session.clientInfo,
+      createdAt: session.createdAt,
+      updatedAt: session.updatedAt
+    }));
+  }
+};
+
+// src/storage/keychain.ts
+var SERVICE_NAME = "leanmcp-auth";
+var KeychainStorage = class {
+  static {
+    __name(this, "KeychainStorage");
+  }
+  serviceName;
+  keytar = null;
+  initPromise = null;
+  constructor(options = {}) {
+    this.serviceName = options.serviceName ?? SERVICE_NAME;
+  }
+  /**
+   * Initialize keytar (lazy load)
+   */
+  async init() {
+    if (this.keytar) return;
+    if (this.initPromise) {
+      await this.initPromise;
+      return;
+    }
+    this.initPromise = (async () => {
+      try {
+        this.keytar = __require("keytar");
+      } catch (error) {
+        throw new Error('KeychainStorage requires the "keytar" package. Install it with: npm install keytar');
+      }
+    })();
+    await this.initPromise;
+  }
+  /**
+   * Normalize server URL for consistent key lookup
+   */
+  normalizeUrl(serverUrl) {
+    return serverUrl.replace(/\/+$/, "").toLowerCase();
+  }
+  /**
+   * Get account key for tokens
+   */
+  getTokensAccount(serverUrl) {
+    return `tokens:${this.normalizeUrl(serverUrl)}`;
+  }
+  /**
+   * Get account key for client info
+   */
+  getClientAccount(serverUrl) {
+    return `client:${this.normalizeUrl(serverUrl)}`;
+  }
+  async getTokens(serverUrl) {
+    await this.init();
+    const account = this.getTokensAccount(serverUrl);
+    const stored = await this.keytar.getPassword(this.serviceName, account);
+    if (!stored) return null;
+    try {
+      return JSON.parse(stored);
+    } catch {
+      return null;
+    }
+  }
+  async setTokens(serverUrl, tokens) {
+    await this.init();
+    const account = this.getTokensAccount(serverUrl);
+    const enrichedTokens = withExpiresAt(tokens);
+    await this.keytar.setPassword(this.serviceName, account, JSON.stringify(enrichedTokens));
+  }
+  async clearTokens(serverUrl) {
+    await this.init();
+    const account = this.getTokensAccount(serverUrl);
+    await this.keytar.deletePassword(this.serviceName, account);
+  }
+  async getClientInfo(serverUrl) {
+    await this.init();
+    const account = this.getClientAccount(serverUrl);
+    const stored = await this.keytar.getPassword(this.serviceName, account);
+    if (!stored) return null;
+    try {
+      return JSON.parse(stored);
+    } catch {
+      return null;
+    }
+  }
+  async setClientInfo(serverUrl, info) {
+    await this.init();
+    const account = this.getClientAccount(serverUrl);
+    await this.keytar.setPassword(this.serviceName, account, JSON.stringify(info));
+  }
+  async clearClientInfo(serverUrl) {
+    await this.init();
+    const account = this.getClientAccount(serverUrl);
+    await this.keytar.deletePassword(this.serviceName, account);
+  }
+  async clearAll() {
+    await this.init();
+    const credentials = await this.keytar.findCredentials(this.serviceName);
+    for (const cred of credentials) {
+      await this.keytar.deletePassword(this.serviceName, cred.account);
+    }
+  }
+  async getAllSessions() {
+    await this.init();
+    const credentials = await this.keytar.findCredentials(this.serviceName);
+    const sessions = [];
+    const tokensMap = /* @__PURE__ */ new Map();
+    const clientMap = /* @__PURE__ */ new Map();
+    for (const cred of credentials) {
+      if (cred.account.startsWith("tokens:")) {
+        const url = cred.account.replace("tokens:", "");
+        try {
+          tokensMap.set(url, JSON.parse(cred.password));
+        } catch {
+        }
+      } else if (cred.account.startsWith("client:")) {
+        const url = cred.account.replace("client:", "");
+        try {
+          clientMap.set(url, JSON.parse(cred.password));
+        } catch {
+        }
+      }
+    }
+    for (const [url, tokens] of tokensMap) {
+      sessions.push({
+        serverUrl: url,
+        tokens,
+        clientInfo: clientMap.get(url),
+        createdAt: Date.now(),
+        updatedAt: Date.now()
+      });
+    }
+    return sessions;
+  }
+};
+async function isKeychainAvailable() {
+  try {
+    __require("keytar");
+    return true;
+  } catch {
+    return false;
+  }
+}
+__name(isKeychainAvailable, "isKeychainAvailable");
+export {
+  FileStorage,
+  KeychainStorage,
+  MemoryStorage,
+  isKeychainAvailable,
+  isTokenExpired,
+  withExpiresAt
+};

package/dist/types-DMpGN530.d.mts

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };

package/dist/types-DMpGN530.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@leanmcp/auth",
-  "version": "0.3.2",
-  "description": "Authentication and identity module supporting multiple providers",
+  "version": "0.4.0",
+  "description": "Authentication and identity module with OAuth 2.1 client, token storage, and multiple providers",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
   "types": "dist/index.d.ts",
@@ -10,6 +10,26 @@
       "types": "./dist/index.d.ts",
       "require": "./dist/index.js",
       "import": "./dist/index.mjs"
+    },
+    "./client": {
+      "types": "./dist/client/index.d.ts",
+      "require": "./dist/client/index.js",
+      "import": "./dist/client/index.mjs"
+    },
+    "./storage": {
+      "types": "./dist/storage/index.d.ts",
+      "require": "./dist/storage/index.js",
+      "import": "./dist/storage/index.mjs"
+    },
+    "./proxy": {
+      "types": "./dist/proxy/index.d.ts",
+      "require": "./dist/proxy/index.js",
+      "import": "./dist/proxy/index.mjs"
+    },
+    "./server": {
+      "types": "./dist/server/index.d.ts",
+      "require": "./dist/server/index.js",
+      "import": "./dist/server/index.mjs"
     }
   },
   "files": [
@@ -18,8 +38,8 @@
     "LICENSE"
   ],
   "scripts": {
-    "build": "tsup src/index.ts --format esm,cjs --dts",
-    "dev": "tsup src/index.ts --format esm,cjs --dts --watch",
+    "build": "tsup src/index.ts src/client/index.ts src/storage/index.ts src/proxy/index.ts src/server/index.ts --format esm,cjs --dts",
+    "dev": "tsup src/index.ts src/client/index.ts src/storage/index.ts src/proxy/index.ts src/server/index.ts --format esm,cjs --dts --watch",
     "test": "jest --passWithNoTests",
     "test:watch": "jest --watch"
   },
@@ -34,14 +54,18 @@
     "@types/node": "^20.0.0",
     "dotenv": "^17.2.3",
     "jest": "^29.7.0",
-    "ts-jest": "^29.1.0"
+    "ts-jest": "^29.1.0",
+    "express": "^5.0.0"
   },
   "peerDependencies": {
     "@aws-sdk/client-cognito-identity-provider": "^3.0.0",
     "@leanmcp/env-injection": "^0.1.0",
     "axios": "^1.0.0",
     "jsonwebtoken": "^9.0.0",
-    "jwk-to-pem": "^2.0.0"
+    "jwk-to-pem": "^2.0.0",
+    "keytar": "^7.0.0",
+    "open": "^10.0.0",
+    "express": "^5.0.0"
   },
   "peerDependenciesMeta": {
     "@aws-sdk/client-cognito-identity-provider": {
@@ -58,6 +82,12 @@
     },
     "jwk-to-pem": {
       "optional": true
+    },
+    "keytar": {
+      "optional": true
+    },
+    "open": {
+      "optional": true
     }
   },
   "repository": {
@@ -77,7 +107,10 @@
     "authentication",
     "auth",
     "cognito",
-    "jwt"
+    "jwt",
+    "oauth",
+    "pkce",
+    "oauth2"
   ],
   "author": "LeanMCP <admin@leanmcp.com>",
   "license": "MIT",