@leanmcp/auth 0.4.2 → 0.4.4-alpha.6.6dae082

package/dist/storage/index.d.mts

@@ -0,0 +1,181 @@
+import { T as TokenStorage, O as OAuthTokens, C as ClientRegistration, S as StoredSession } from '../types-DMpGN530.mjs';
+export { i as isTokenExpired, w as withExpiresAt } from '../types-DMpGN530.mjs';
+
+/**
+ * In-memory token storage
+ *
+ * Fast, simple storage for development and short-lived sessions.
+ * Tokens are lost when the process exits.
+ */
+
+/**
+ * In-memory token storage implementation
+ *
+ * @example
+ * ```typescript
+ * const storage = new MemoryStorage();
+ * await storage.setTokens('https://mcp.example.com', tokens);
+ * ```
+ */
+declare class MemoryStorage implements TokenStorage {
+    private tokens;
+    private clients;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Check if an entry is expired
+     */
+    private isExpired;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+
+/**
+ * File-based token storage
+ *
+ * Persists tokens to a JSON file for survival across restarts.
+ * Optionally encrypts tokens for security.
+ */
+
+interface FileStorageOptions {
+    /** Path to the storage file */
+    filePath: string;
+    /** Optional encryption key (if omitted, data stored in plaintext) */
+    encryptionKey?: string;
+    /** Whether to pretty-print JSON (default: false) */
+    prettyPrint?: boolean;
+}
+/**
+ * File-based token storage with optional encryption
+ *
+ * @example
+ * ```typescript
+ * // Plaintext storage
+ * const storage = new FileStorage({ filePath: '~/.leanmcp/tokens.json' });
+ *
+ * // Encrypted storage
+ * const storage = new FileStorage({
+ *   filePath: '~/.leanmcp/tokens.enc',
+ *   encryptionKey: process.env.TOKEN_ENCRYPTION_KEY
+ * });
+ * ```
+ */
+declare class FileStorage implements TokenStorage {
+    private filePath;
+    private encryptionKey?;
+    private prettyPrint;
+    private cache;
+    private writePromise;
+    constructor(options: FileStorageOptions | string);
+    /**
+     * Expand ~ to home directory
+     */
+    private expandPath;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Encrypt data
+     */
+    private encrypt;
+    /**
+     * Decrypt data
+     */
+    private decrypt;
+    /**
+     * Read data from file
+     */
+    private readFile;
+    /**
+     * Write data to file (coalesced to avoid race conditions)
+     */
+    private writeFile;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+
+/**
+ * OS Keychain Token Storage
+ *
+ * Secure storage using the operating system's credential manager:
+ * - macOS: Keychain
+ * - Windows: Credential Vault
+ * - Linux: libsecret (GNOME Keyring, KWallet, etc.)
+ *
+ * Requires the optional 'keytar' peer dependency.
+ */
+
+/**
+ * Keychain storage options
+ */
+interface KeychainStorageOptions {
+    /** Custom service name (default: 'leanmcp-auth') */
+    serviceName?: string;
+}
+/**
+ * OS Keychain-based token storage
+ *
+ * Uses the operating system's secure credential storage for maximum security.
+ * Tokens are encrypted at rest by the OS.
+ *
+ * @example
+ * ```typescript
+ * import { KeychainStorage } from '@leanmcp/auth/storage';
+ *
+ * // Requires 'keytar' to be installed
+ * const storage = new KeychainStorage();
+ *
+ * await storage.setTokens('https://mcp.example.com', tokens);
+ * ```
+ */
+declare class KeychainStorage implements TokenStorage {
+    private serviceName;
+    private keytar;
+    private initPromise;
+    constructor(options?: KeychainStorageOptions);
+    /**
+     * Initialize keytar (lazy load)
+     */
+    private init;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Get account key for tokens
+     */
+    private getTokensAccount;
+    /**
+     * Get account key for client info
+     */
+    private getClientAccount;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+/**
+ * Check if keychain storage is available
+ */
+declare function isKeychainAvailable(): Promise<boolean>;
+
+export { ClientRegistration, FileStorage, KeychainStorage, type KeychainStorageOptions, MemoryStorage, OAuthTokens, StoredSession, TokenStorage, isKeychainAvailable };

package/dist/storage/index.d.ts

@@ -0,0 +1,181 @@
+import { T as TokenStorage, O as OAuthTokens, C as ClientRegistration, S as StoredSession } from '../types-DMpGN530.js';
+export { i as isTokenExpired, w as withExpiresAt } from '../types-DMpGN530.js';
+
+/**
+ * In-memory token storage
+ *
+ * Fast, simple storage for development and short-lived sessions.
+ * Tokens are lost when the process exits.
+ */
+
+/**
+ * In-memory token storage implementation
+ *
+ * @example
+ * ```typescript
+ * const storage = new MemoryStorage();
+ * await storage.setTokens('https://mcp.example.com', tokens);
+ * ```
+ */
+declare class MemoryStorage implements TokenStorage {
+    private tokens;
+    private clients;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Check if an entry is expired
+     */
+    private isExpired;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+
+/**
+ * File-based token storage
+ *
+ * Persists tokens to a JSON file for survival across restarts.
+ * Optionally encrypts tokens for security.
+ */
+
+interface FileStorageOptions {
+    /** Path to the storage file */
+    filePath: string;
+    /** Optional encryption key (if omitted, data stored in plaintext) */
+    encryptionKey?: string;
+    /** Whether to pretty-print JSON (default: false) */
+    prettyPrint?: boolean;
+}
+/**
+ * File-based token storage with optional encryption
+ *
+ * @example
+ * ```typescript
+ * // Plaintext storage
+ * const storage = new FileStorage({ filePath: '~/.leanmcp/tokens.json' });
+ *
+ * // Encrypted storage
+ * const storage = new FileStorage({
+ *   filePath: '~/.leanmcp/tokens.enc',
+ *   encryptionKey: process.env.TOKEN_ENCRYPTION_KEY
+ * });
+ * ```
+ */
+declare class FileStorage implements TokenStorage {
+    private filePath;
+    private encryptionKey?;
+    private prettyPrint;
+    private cache;
+    private writePromise;
+    constructor(options: FileStorageOptions | string);
+    /**
+     * Expand ~ to home directory
+     */
+    private expandPath;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Encrypt data
+     */
+    private encrypt;
+    /**
+     * Decrypt data
+     */
+    private decrypt;
+    /**
+     * Read data from file
+     */
+    private readFile;
+    /**
+     * Write data to file (coalesced to avoid race conditions)
+     */
+    private writeFile;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+
+/**
+ * OS Keychain Token Storage
+ *
+ * Secure storage using the operating system's credential manager:
+ * - macOS: Keychain
+ * - Windows: Credential Vault
+ * - Linux: libsecret (GNOME Keyring, KWallet, etc.)
+ *
+ * Requires the optional 'keytar' peer dependency.
+ */
+
+/**
+ * Keychain storage options
+ */
+interface KeychainStorageOptions {
+    /** Custom service name (default: 'leanmcp-auth') */
+    serviceName?: string;
+}
+/**
+ * OS Keychain-based token storage
+ *
+ * Uses the operating system's secure credential storage for maximum security.
+ * Tokens are encrypted at rest by the OS.
+ *
+ * @example
+ * ```typescript
+ * import { KeychainStorage } from '@leanmcp/auth/storage';
+ *
+ * // Requires 'keytar' to be installed
+ * const storage = new KeychainStorage();
+ *
+ * await storage.setTokens('https://mcp.example.com', tokens);
+ * ```
+ */
+declare class KeychainStorage implements TokenStorage {
+    private serviceName;
+    private keytar;
+    private initPromise;
+    constructor(options?: KeychainStorageOptions);
+    /**
+     * Initialize keytar (lazy load)
+     */
+    private init;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Get account key for tokens
+     */
+    private getTokensAccount;
+    /**
+     * Get account key for client info
+     */
+    private getClientAccount;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+/**
+ * Check if keychain storage is available
+ */
+declare function isKeychainAvailable(): Promise<boolean>;
+
+export { ClientRegistration, FileStorage, KeychainStorage, type KeychainStorageOptions, MemoryStorage, OAuthTokens, StoredSession, TokenStorage, isKeychainAvailable };

package/dist/storage/index.js

@@ -59,14 +59,14 @@ var MemoryStorage = class {
   tokens = /* @__PURE__ */ new Map();
   clients = /* @__PURE__ */ new Map();
   /**
-   * Normalize server URL for consistent key lookup
-   */
+  * Normalize server URL for consistent key lookup
+  */
   normalizeUrl(serverUrl) {
     return serverUrl.replace(/\/+$/, "").toLowerCase();
   }
   /**
-   * Check if an entry is expired
-   */
+  * Check if an entry is expired
+  */
   isExpired(entry) {
     if (!entry) return true;
     if (!entry.expiresAt) return false;
@@ -162,8 +162,8 @@ var FileStorage = class {
     }
   }
   /**
-   * Expand ~ to home directory
-   */
+  * Expand ~ to home directory
+  */
   expandPath(filePath) {
     if (filePath.startsWith("~")) {
       const home = process.env.HOME || process.env.USERPROFILE || "";
@@ -172,14 +172,14 @@ var FileStorage = class {
     return filePath;
   }
   /**
-   * Normalize server URL for consistent key lookup
-   */
+  * Normalize server URL for consistent key lookup
+  */
   normalizeUrl(serverUrl) {
     return serverUrl.replace(/\/+$/, "").toLowerCase();
   }
   /**
-   * Encrypt data
-   */
+  * Encrypt data
+  */
   encrypt(data) {
     if (!this.encryptionKey) return data;
     const iv = (0, import_crypto.randomBytes)(16);
@@ -190,8 +190,8 @@ var FileStorage = class {
     return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
   }
   /**
-   * Decrypt data
-   */
+  * Decrypt data
+  */
   decrypt(data) {
     if (!this.encryptionKey) return data;
     const [ivHex, authTagHex, encrypted] = data.split(":");
@@ -204,8 +204,8 @@ var FileStorage = class {
     return decrypted;
   }
   /**
-   * Read data from file
-   */
+  * Read data from file
+  */
   async readFile() {
     if (this.cache) return this.cache;
     try {
@@ -225,8 +225,8 @@ var FileStorage = class {
     }
   }
   /**
-   * Write data to file (coalesced to avoid race conditions)
-   */
+  * Write data to file (coalesced to avoid race conditions)
+  */
   async writeFile(data) {
     this.cache = data;
     if (this.writePromise) {
@@ -361,8 +361,8 @@ var KeychainStorage = class {
     this.serviceName = options.serviceName ?? SERVICE_NAME;
   }
   /**
-   * Initialize keytar (lazy load)
-   */
+  * Initialize keytar (lazy load)
+  */
   async init() {
     if (this.keytar) return;
     if (this.initPromise) {
@@ -379,20 +379,20 @@ var KeychainStorage = class {
     await this.initPromise;
   }
   /**
-   * Normalize server URL for consistent key lookup
-   */
+  * Normalize server URL for consistent key lookup
+  */
   normalizeUrl(serverUrl) {
     return serverUrl.replace(/\/+$/, "").toLowerCase();
   }
   /**
-   * Get account key for tokens
-   */
+  * Get account key for tokens
+  */
   getTokensAccount(serverUrl) {
     return `tokens:${this.normalizeUrl(serverUrl)}`;
   }
   /**
-   * Get account key for client info
-   */
+  * Get account key for client info
+  */
   getClientAccount(serverUrl) {
     return `client:${this.normalizeUrl(serverUrl)}`;
   }

package/dist/storage/index.mjs

@@ -2,7 +2,7 @@ import {
   MemoryStorage,
   isTokenExpired,
   withExpiresAt
-} from "../chunk-RGCCBQWG.mjs";
+} from "../chunk-MXTUNMHA.mjs";
 import {
   __name,
   __require
@@ -36,8 +36,8 @@ var FileStorage = class {
     }
   }
   /**
-   * Expand ~ to home directory
-   */
+  * Expand ~ to home directory
+  */
   expandPath(filePath) {
     if (filePath.startsWith("~")) {
       const home = process.env.HOME || process.env.USERPROFILE || "";
@@ -46,14 +46,14 @@ var FileStorage = class {
     return filePath;
   }
   /**
-   * Normalize server URL for consistent key lookup
-   */
+  * Normalize server URL for consistent key lookup
+  */
   normalizeUrl(serverUrl) {
     return serverUrl.replace(/\/+$/, "").toLowerCase();
   }
   /**
-   * Encrypt data
-   */
+  * Encrypt data
+  */
   encrypt(data) {
     if (!this.encryptionKey) return data;
     const iv = randomBytes(16);
@@ -64,8 +64,8 @@ var FileStorage = class {
     return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
   }
   /**
-   * Decrypt data
-   */
+  * Decrypt data
+  */
   decrypt(data) {
     if (!this.encryptionKey) return data;
     const [ivHex, authTagHex, encrypted] = data.split(":");
@@ -78,8 +78,8 @@ var FileStorage = class {
     return decrypted;
   }
   /**
-   * Read data from file
-   */
+  * Read data from file
+  */
   async readFile() {
     if (this.cache) return this.cache;
     try {
@@ -99,8 +99,8 @@ var FileStorage = class {
     }
   }
   /**
-   * Write data to file (coalesced to avoid race conditions)
-   */
+  * Write data to file (coalesced to avoid race conditions)
+  */
   async writeFile(data) {
     this.cache = data;
     if (this.writePromise) {
@@ -235,8 +235,8 @@ var KeychainStorage = class {
     this.serviceName = options.serviceName ?? SERVICE_NAME;
   }
   /**
-   * Initialize keytar (lazy load)
-   */
+  * Initialize keytar (lazy load)
+  */
   async init() {
     if (this.keytar) return;
     if (this.initPromise) {
@@ -253,20 +253,20 @@ var KeychainStorage = class {
     await this.initPromise;
   }
   /**
-   * Normalize server URL for consistent key lookup
-   */
+  * Normalize server URL for consistent key lookup
+  */
   normalizeUrl(serverUrl) {
     return serverUrl.replace(/\/+$/, "").toLowerCase();
   }
   /**
-   * Get account key for tokens
-   */
+  * Get account key for tokens
+  */
   getTokensAccount(serverUrl) {
     return `tokens:${this.normalizeUrl(serverUrl)}`;
   }
   /**
-   * Get account key for client info
-   */
+  * Get account key for client info
+  */
   getClientAccount(serverUrl) {
     return `client:${this.normalizeUrl(serverUrl)}`;
   }

package/dist/types-DMpGN530.d.mts

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };