@leanmcp/auth 0.4.2 → 0.4.4-alpha.10.96d2437

package/dist/server/index.js

@@ -148,11 +148,11 @@ var DynamicClientRegistration = class {
     };
   }
   /**
-   * Register a new OAuth client (stateless)
-   * 
-   * @param request - Client registration request per RFC 7591
-   * @returns Client registration response with JWT credentials
-   */
+  * Register a new OAuth client (stateless)
+  *
+  * @param request - Client registration request per RFC 7591
+  * @returns Client registration response with JWT credentials
+  */
   register(request) {
     const now = Date.now();
     const nowSeconds = Math.floor(now / 1e3);
@@ -194,12 +194,12 @@ var DynamicClientRegistration = class {
     return response;
   }
   /**
-   * Validate client credentials (stateless)
-   * 
-   * @param clientId - Client ID (JWT with prefix)
-   * @param clientSecret - Client secret (optional for public clients)
-   * @returns Whether credentials are valid
-   */
+  * Validate client credentials (stateless)
+  *
+  * @param clientId - Client ID (JWT with prefix)
+  * @param clientSecret - Client secret (optional for public clients)
+  * @returns Whether credentials are valid
+  */
   validate(clientId, clientSecret) {
     try {
       const jwtWithoutPrefix = this.extractJWT(clientId);
@@ -216,8 +216,8 @@ var DynamicClientRegistration = class {
     }
   }
   /**
-   * Get a registered client by ID (stateless)
-   */
+  * Get a registered client by ID (stateless)
+  */
   getClient(clientId) {
     try {
       const jwtWithoutPrefix = this.extractJWT(clientId);
@@ -239,8 +239,8 @@ var DynamicClientRegistration = class {
     }
   }
   /**
-   * Validate redirect URI for a client
-   */
+  * Validate redirect URI for a client
+  */
   validateRedirectUri(clientId, redirectUri) {
     const client = this.getClient(clientId);
     if (!client) return false;
@@ -248,29 +248,29 @@ var DynamicClientRegistration = class {
     return client.redirect_uris.includes(redirectUri);
   }
   /**
-   * Delete a client (no-op in stateless mode)
-   * 
-   * In stateless mode, clients cannot be truly "deleted" because
-   * their credentials are self-contained. They will expire naturally
-   * or when the signing secret is rotated.
-   */
+  * Delete a client (no-op in stateless mode)
+  *
+  * In stateless mode, clients cannot be truly "deleted" because
+  * their credentials are self-contained. They will expire naturally
+  * or when the signing secret is rotated.
+  */
   delete(clientId) {
     return this.getClient(clientId) !== void 0;
   }
   /**
-   * List all registered clients (not supported in stateless mode)
-   */
+  * List all registered clients (not supported in stateless mode)
+  */
   listClients() {
     throw new Error("listClients() is not supported in stateless DCR mode");
   }
   /**
-   * Clear all clients (no-op in stateless mode)
-   */
+  * Clear all clients (no-op in stateless mode)
+  */
   clearAll() {
   }
   /**
-   * Extract JWT from prefixed client_id
-   */
+  * Extract JWT from prefixed client_id
+  */
   extractJWT(clientId) {
     if (!clientId.startsWith(this.options.clientIdPrefix)) {
       return null;
@@ -278,11 +278,11 @@ var DynamicClientRegistration = class {
     return clientId.slice(this.options.clientIdPrefix.length);
   }
   /**
-   * Derive client secret from client_id JWT
-   * 
-   * Uses HMAC to create a deterministic secret that can be
-   * validated without storage.
-   */
+  * Derive client secret from client_id JWT
+  *
+  * Uses HMAC to create a deterministic secret that can be
+  * validated without storage.
+  */
   deriveClientSecret(clientIdJWT) {
     const { createHmac: createHmac3 } = require("crypto");
     return createHmac3("sha256", this.options.signingSecret).update(clientIdJWT).digest("hex");
@@ -331,16 +331,16 @@ var OAuthAuthorizationServer = class {
     });
   }
   /**
-   * Generate state parameter with HMAC signature
-   */
+  * Generate state parameter with HMAC signature
+  */
   generateState() {
     const nonce = (0, import_crypto3.randomUUID)();
     const signature = (0, import_crypto3.createHmac)("sha256", this.options.sessionSecret).update(nonce).digest("hex").substring(0, 8);
     return `${nonce}.${signature}`;
   }
   /**
-   * Verify state parameter signature
-   */
+  * Verify state parameter signature
+  */
   verifyState(state) {
     const [nonce, signature] = state.split(".");
     if (!nonce || !signature) return false;
@@ -348,14 +348,14 @@ var OAuthAuthorizationServer = class {
     return signature === expectedSignature;
   }
   /**
-   * Generate an authorization code
-   */
+  * Generate an authorization code
+  */
   generateAuthCode() {
     return (0, import_crypto3.randomBytes)(32).toString("hex");
   }
   /**
-   * Generate JWT access token with encrypted upstream credentials
-   */
+  * Generate JWT access token with encrypted upstream credentials
+  */
   generateAccessToken(claims, upstreamToken) {
     const now = Math.floor(Date.now() / 1e3);
     const jwtSigningSecret = this.options.jwtSigningSecret || this.options.sessionSecret;
@@ -382,8 +382,8 @@ var OAuthAuthorizationServer = class {
     return signJWT(payload, jwtSigningSecret);
   }
   /**
-   * Get authorization server metadata (RFC 8414)
-   */
+  * Get authorization server metadata (RFC 8414)
+  */
   getMetadata() {
     const issuer = this.options.issuer;
     return {
@@ -410,8 +410,8 @@ var OAuthAuthorizationServer = class {
     };
   }
   /**
-   * Get Express router with all OAuth endpoints
-   */
+  * Get Express router with all OAuth endpoints
+  */
   getRouter() {
     const router = import_express.default.Router();
     router.get("/.well-known/oauth-authorization-server", (_req, res) => {
@@ -444,8 +444,8 @@ var OAuthAuthorizationServer = class {
     return router;
   }
   /**
-   * Handle authorization request
-   */
+  * Handle authorization request
+  */
   handleAuthorize(req, res) {
     const { response_type, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, resource } = req.query;
     if (response_type !== "code") {
@@ -514,8 +514,8 @@ var OAuthAuthorizationServer = class {
     res.redirect(authUrl.toString());
   }
   /**
-   * Handle callback from upstream provider
-   */
+  * Handle callback from upstream provider
+  */
   async handleCallback(req, res) {
     const { code, state, error, error_description } = req.query;
     if (error) {
@@ -567,7 +567,7 @@ var OAuthAuthorizationServer = class {
       const tokenResponse = await fetch(upstream.tokenEndpoint, {
         method: "POST",
         headers: {
-          "Accept": "application/json",
+          Accept: "application/json",
           "Content-Type": "application/x-www-form-urlencoded"
         },
         body: new URLSearchParams({
@@ -587,8 +587,8 @@ var OAuthAuthorizationServer = class {
       if (upstream.userInfoEndpoint && upstreamTokens.access_token) {
         const userInfoResponse = await fetch(upstream.userInfoEndpoint, {
           headers: {
-            "Authorization": `Bearer ${upstreamTokens.access_token}`,
-            "Accept": "application/json"
+            Authorization: `Bearer ${upstreamTokens.access_token}`,
+            Accept: "application/json"
           }
         });
         if (userInfoResponse.ok) {
@@ -625,8 +625,8 @@ var OAuthAuthorizationServer = class {
     }
   }
   /**
-   * Handle token request
-   */
+  * Handle token request
+  */
   async handleToken(req, res) {
     const { grant_type, code, redirect_uri, client_id, client_secret, code_verifier } = req.body;
     let clientId = client_id;
@@ -672,8 +672,8 @@ var OAuthAuthorizationServer = class {
     }
   }
   /**
-   * Handle authorization code grant
-   */
+  * Handle authorization code grant
+  */
   async handleAuthCodeGrant(res, clientId, code, redirectUri, codeVerifier) {
     if (!code) {
       res.status(400).json({
@@ -776,11 +776,11 @@ var TokenVerifier = class {
     };
   }
   /**
-   * Verify a JWT access token
-   * 
-   * @param token - The JWT access token to verify
-   * @returns Verification result with claims and decrypted upstream token if valid
-   */
+  * Verify a JWT access token
+  *
+  * @param token - The JWT access token to verify
+  * @returns Verification result with claims and decrypted upstream token if valid
+  */
   async verify(token) {
     if (!token) {
       return {
@@ -843,13 +843,13 @@ var TokenVerifier = class {
     }
   }
   /**
-   * Generate WWW-Authenticate header for 401 responses
-   * 
-   * Per RFC 9728, this should include the resource_metadata URL
-   * 
-   * @param options - Header options
-   * @returns WWW-Authenticate header value
-   */
+  * Generate WWW-Authenticate header for 401 responses
+  *
+  * Per RFC 9728, this should include the resource_metadata URL
+  *
+  * @param options - Header options
+  * @returns WWW-Authenticate header value
+  */
   static getWWWAuthenticateHeader(options) {
     const parts = [
       `Bearer resource_metadata="${options.resourceMetadataUrl}"`
@@ -866,8 +866,8 @@ var TokenVerifier = class {
     return parts.join(", ");
   }
   /**
-   * Check if token has required scopes
-   */
+  * Check if token has required scopes
+  */
   hasScopes(claims, requiredScopes) {
     if (requiredScopes.length === 0) return true;
     const tokenScopes = typeof claims.scope === "string" ? claims.scope.split(" ") : claims.scope || [];

package/dist/server/index.mjs

@@ -114,11 +114,11 @@ var DynamicClientRegistration = class {
     };
   }
   /**
-   * Register a new OAuth client (stateless)
-   * 
-   * @param request - Client registration request per RFC 7591
-   * @returns Client registration response with JWT credentials
-   */
+  * Register a new OAuth client (stateless)
+  *
+  * @param request - Client registration request per RFC 7591
+  * @returns Client registration response with JWT credentials
+  */
   register(request) {
     const now = Date.now();
     const nowSeconds = Math.floor(now / 1e3);
@@ -160,12 +160,12 @@ var DynamicClientRegistration = class {
     return response;
   }
   /**
-   * Validate client credentials (stateless)
-   * 
-   * @param clientId - Client ID (JWT with prefix)
-   * @param clientSecret - Client secret (optional for public clients)
-   * @returns Whether credentials are valid
-   */
+  * Validate client credentials (stateless)
+  *
+  * @param clientId - Client ID (JWT with prefix)
+  * @param clientSecret - Client secret (optional for public clients)
+  * @returns Whether credentials are valid
+  */
   validate(clientId, clientSecret) {
     try {
       const jwtWithoutPrefix = this.extractJWT(clientId);
@@ -182,8 +182,8 @@ var DynamicClientRegistration = class {
     }
   }
   /**
-   * Get a registered client by ID (stateless)
-   */
+  * Get a registered client by ID (stateless)
+  */
   getClient(clientId) {
     try {
       const jwtWithoutPrefix = this.extractJWT(clientId);
@@ -205,8 +205,8 @@ var DynamicClientRegistration = class {
     }
   }
   /**
-   * Validate redirect URI for a client
-   */
+  * Validate redirect URI for a client
+  */
   validateRedirectUri(clientId, redirectUri) {
     const client = this.getClient(clientId);
     if (!client) return false;
@@ -214,29 +214,29 @@ var DynamicClientRegistration = class {
     return client.redirect_uris.includes(redirectUri);
   }
   /**
-   * Delete a client (no-op in stateless mode)
-   * 
-   * In stateless mode, clients cannot be truly "deleted" because
-   * their credentials are self-contained. They will expire naturally
-   * or when the signing secret is rotated.
-   */
+  * Delete a client (no-op in stateless mode)
+  *
+  * In stateless mode, clients cannot be truly "deleted" because
+  * their credentials are self-contained. They will expire naturally
+  * or when the signing secret is rotated.
+  */
   delete(clientId) {
     return this.getClient(clientId) !== void 0;
   }
   /**
-   * List all registered clients (not supported in stateless mode)
-   */
+  * List all registered clients (not supported in stateless mode)
+  */
   listClients() {
     throw new Error("listClients() is not supported in stateless DCR mode");
   }
   /**
-   * Clear all clients (no-op in stateless mode)
-   */
+  * Clear all clients (no-op in stateless mode)
+  */
   clearAll() {
   }
   /**
-   * Extract JWT from prefixed client_id
-   */
+  * Extract JWT from prefixed client_id
+  */
   extractJWT(clientId) {
     if (!clientId.startsWith(this.options.clientIdPrefix)) {
       return null;
@@ -244,11 +244,11 @@ var DynamicClientRegistration = class {
     return clientId.slice(this.options.clientIdPrefix.length);
   }
   /**
-   * Derive client secret from client_id JWT
-   * 
-   * Uses HMAC to create a deterministic secret that can be
-   * validated without storage.
-   */
+  * Derive client secret from client_id JWT
+  *
+  * Uses HMAC to create a deterministic secret that can be
+  * validated without storage.
+  */
   deriveClientSecret(clientIdJWT) {
     const { createHmac: createHmac3 } = __require("crypto");
     return createHmac3("sha256", this.options.signingSecret).update(clientIdJWT).digest("hex");
@@ -297,16 +297,16 @@ var OAuthAuthorizationServer = class {
     });
   }
   /**
-   * Generate state parameter with HMAC signature
-   */
+  * Generate state parameter with HMAC signature
+  */
   generateState() {
     const nonce = randomUUID2();
     const signature = createHmac2("sha256", this.options.sessionSecret).update(nonce).digest("hex").substring(0, 8);
     return `${nonce}.${signature}`;
   }
   /**
-   * Verify state parameter signature
-   */
+  * Verify state parameter signature
+  */
   verifyState(state) {
     const [nonce, signature] = state.split(".");
     if (!nonce || !signature) return false;
@@ -314,14 +314,14 @@ var OAuthAuthorizationServer = class {
     return signature === expectedSignature;
   }
   /**
-   * Generate an authorization code
-   */
+  * Generate an authorization code
+  */
   generateAuthCode() {
     return randomBytes2(32).toString("hex");
   }
   /**
-   * Generate JWT access token with encrypted upstream credentials
-   */
+  * Generate JWT access token with encrypted upstream credentials
+  */
   generateAccessToken(claims, upstreamToken) {
     const now = Math.floor(Date.now() / 1e3);
     const jwtSigningSecret = this.options.jwtSigningSecret || this.options.sessionSecret;
@@ -348,8 +348,8 @@ var OAuthAuthorizationServer = class {
     return signJWT(payload, jwtSigningSecret);
   }
   /**
-   * Get authorization server metadata (RFC 8414)
-   */
+  * Get authorization server metadata (RFC 8414)
+  */
   getMetadata() {
     const issuer = this.options.issuer;
     return {
@@ -376,8 +376,8 @@ var OAuthAuthorizationServer = class {
     };
   }
   /**
-   * Get Express router with all OAuth endpoints
-   */
+  * Get Express router with all OAuth endpoints
+  */
   getRouter() {
     const router = express.Router();
     router.get("/.well-known/oauth-authorization-server", (_req, res) => {
@@ -410,8 +410,8 @@ var OAuthAuthorizationServer = class {
     return router;
   }
   /**
-   * Handle authorization request
-   */
+  * Handle authorization request
+  */
   handleAuthorize(req, res) {
     const { response_type, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, resource } = req.query;
     if (response_type !== "code") {
@@ -480,8 +480,8 @@ var OAuthAuthorizationServer = class {
     res.redirect(authUrl.toString());
   }
   /**
-   * Handle callback from upstream provider
-   */
+  * Handle callback from upstream provider
+  */
   async handleCallback(req, res) {
     const { code, state, error, error_description } = req.query;
     if (error) {
@@ -533,7 +533,7 @@ var OAuthAuthorizationServer = class {
       const tokenResponse = await fetch(upstream.tokenEndpoint, {
         method: "POST",
         headers: {
-          "Accept": "application/json",
+          Accept: "application/json",
           "Content-Type": "application/x-www-form-urlencoded"
         },
         body: new URLSearchParams({
@@ -553,8 +553,8 @@ var OAuthAuthorizationServer = class {
       if (upstream.userInfoEndpoint && upstreamTokens.access_token) {
         const userInfoResponse = await fetch(upstream.userInfoEndpoint, {
           headers: {
-            "Authorization": `Bearer ${upstreamTokens.access_token}`,
-            "Accept": "application/json"
+            Authorization: `Bearer ${upstreamTokens.access_token}`,
+            Accept: "application/json"
           }
         });
         if (userInfoResponse.ok) {
@@ -591,8 +591,8 @@ var OAuthAuthorizationServer = class {
     }
   }
   /**
-   * Handle token request
-   */
+  * Handle token request
+  */
   async handleToken(req, res) {
     const { grant_type, code, redirect_uri, client_id, client_secret, code_verifier } = req.body;
     let clientId = client_id;
@@ -638,8 +638,8 @@ var OAuthAuthorizationServer = class {
     }
   }
   /**
-   * Handle authorization code grant
-   */
+  * Handle authorization code grant
+  */
   async handleAuthCodeGrant(res, clientId, code, redirectUri, codeVerifier) {
     if (!code) {
       res.status(400).json({
@@ -742,11 +742,11 @@ var TokenVerifier = class {
     };
   }
   /**
-   * Verify a JWT access token
-   * 
-   * @param token - The JWT access token to verify
-   * @returns Verification result with claims and decrypted upstream token if valid
-   */
+  * Verify a JWT access token
+  *
+  * @param token - The JWT access token to verify
+  * @returns Verification result with claims and decrypted upstream token if valid
+  */
   async verify(token) {
     if (!token) {
       return {
@@ -809,13 +809,13 @@ var TokenVerifier = class {
     }
   }
   /**
-   * Generate WWW-Authenticate header for 401 responses
-   * 
-   * Per RFC 9728, this should include the resource_metadata URL
-   * 
-   * @param options - Header options
-   * @returns WWW-Authenticate header value
-   */
+  * Generate WWW-Authenticate header for 401 responses
+  *
+  * Per RFC 9728, this should include the resource_metadata URL
+  *
+  * @param options - Header options
+  * @returns WWW-Authenticate header value
+  */
   static getWWWAuthenticateHeader(options) {
     const parts = [
       `Bearer resource_metadata="${options.resourceMetadataUrl}"`
@@ -832,8 +832,8 @@ var TokenVerifier = class {
     return parts.join(", ");
   }
   /**
-   * Check if token has required scopes
-   */
+  * Check if token has required scopes
+  */
   hasScopes(claims, requiredScopes) {
     if (requiredScopes.length === 0) return true;
     const tokenScopes = typeof claims.scope === "string" ? claims.scope.split(" ") : claims.scope || [];