@leanmcp/auth 0.4.2 → 0.4.4-alpha.6.6dae082

package/dist/index.d.mts

@@ -0,0 +1,181 @@
+/**
+ * Shared types for @leanmcp/auth
+ */
+/**
+ * Options for the Authenticated decorator
+ */
+interface AuthenticatedOptions {
+    /**
+     * Whether to fetch and attach user information to authUser variable
+     * @default true
+     */
+    getUser?: boolean;
+    /**
+     * Project ID for fetching user environment variables.
+     * Required when @RequireEnv is used on the method or class.
+     * Used to scope user secrets to a specific project.
+     */
+    projectId?: string;
+}
+
+/**
+ * Global authUser type declaration
+ * This makes authUser available in @Authenticated methods without explicit declaration
+ */
+declare global {
+    /**
+     * Authenticated user object automatically available in @Authenticated methods
+     *
+     * Implemented as a getter that reads from AsyncLocalStorage for concurrency safety.
+     * Each request has its own isolated context - 100% safe for concurrent requests.
+     */
+    const authUser: any;
+}
+/**
+ * Get the current authenticated user from the async context
+ * This is safe for concurrent requests as each request has its own context
+ */
+declare function getAuthUser(): any;
+/**
+ * Authentication error class for better error handling
+ */
+declare class AuthenticationError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Decorator to protect MCP tools, prompts, resources, or entire services with authentication
+ *
+ * CONCURRENCY SAFE: Uses AsyncLocalStorage to ensure each request has its own isolated
+ * authUser context, preventing race conditions in high-concurrency scenarios.
+ *
+ * Usage:
+ *
+ * 1. Protect individual methods with automatic user info:
+ * ```typescript
+ * @Tool({ description: 'Analyze sentiment' })
+ * @Authenticated(authProvider, { getUser: true })
+ * async analyzeSentiment(args: AnalyzeSentimentInput): Promise<AnalyzeSentimentOutput> {
+ *   // authUser is automatically available in method scope
+ *   console.log('User:', authUser);
+ *   console.log('User ID:', authUser.sub);
+ * }
+ * ```
+ *
+ * 2. Protect without fetching user info:
+ * ```typescript
+ * @Tool({ description: 'Public tool' })
+ * @Authenticated(authProvider, { getUser: false })
+ * async publicTool(args: PublicToolInput): Promise<PublicToolOutput> {
+ *   // Only verifies token, doesn't fetch user info
+ * }
+ * ```
+ *
+ * 3. Protect entire service (all tools/prompts/resources):
+ * ```typescript
+ * @Authenticated(authProvider)
+ * export class SentimentAnalysisService {
+ *   @Tool({ description: 'Analyze sentiment' })
+ *   async analyzeSentiment(args: AnalyzeSentimentInput) {
+ *     // All methods in this service require authentication
+ *     // authUser is automatically available in all methods
+ *     console.log('User:', authUser);
+ *   }
+ * }
+ * ```
+ *
+ * The decorator expects authentication token in the MCP request _meta field:
+ * ```json
+ * {
+ *   "method": "tools/call",
+ *   "params": {
+ *     "name": "toolName",
+ *     "arguments": { ...businessData },
+ *     "_meta": {
+ *       "authorization": {
+ *         "type": "bearer",
+ *         "token": "your-jwt-token"
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * @param authProvider - Instance of AuthProviderBase to use for token verification
+ * @param options - Optional configuration for authentication behavior
+ */
+declare function Authenticated(authProvider: AuthProviderBase, options?: AuthenticatedOptions): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
+/**
+ * Check if a method or class requires authentication
+ */
+declare function isAuthenticationRequired(target: any): boolean;
+/**
+ * Get the auth provider for a method or class
+ */
+declare function getAuthProvider(target: any): AuthProviderBase | undefined;
+
+/**
+ * @leanmcp/auth - Authentication Module
+ *
+ * This module provides a base class for implementing authentication providers for MCP tools.
+ * Extend AuthProviderBase to integrate with different auth providers (Clerk, Stripe, Firebase, etc.)
+ */
+/**
+ * Base class for authentication providers
+ * Extend this class to implement integrations with different auth providers
+ */
+declare abstract class AuthProviderBase {
+    /**
+     * Initialize the auth provider with configuration
+     */
+    abstract init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    abstract refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    abstract verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    abstract getUser(token: string): Promise<any>;
+}
+/**
+ * Unified AuthProvider class that dynamically selects the appropriate auth provider
+ * based on the provider parameter
+ */
+declare class AuthProvider extends AuthProviderBase {
+    private providerInstance;
+    private providerType;
+    private config;
+    constructor(provider: string, config?: any);
+    /**
+     * Initialize the selected auth provider
+     */
+    init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    getUser(token: string): Promise<any>;
+    /**
+     * Get user secrets for a project (LeanMCP provider only)
+     * Other providers will return empty object
+     */
+    getUserSecrets(token: string, projectId: string): Promise<Record<string, string>>;
+    /**
+     * Get the provider type
+     */
+    getProviderType(): string;
+}
+
+export { AuthProvider, AuthProviderBase, Authenticated, type AuthenticatedOptions, AuthenticationError, getAuthProvider, getAuthUser, isAuthenticationRequired };

package/dist/index.d.ts

@@ -0,0 +1,181 @@
+/**
+ * Shared types for @leanmcp/auth
+ */
+/**
+ * Options for the Authenticated decorator
+ */
+interface AuthenticatedOptions {
+    /**
+     * Whether to fetch and attach user information to authUser variable
+     * @default true
+     */
+    getUser?: boolean;
+    /**
+     * Project ID for fetching user environment variables.
+     * Required when @RequireEnv is used on the method or class.
+     * Used to scope user secrets to a specific project.
+     */
+    projectId?: string;
+}
+
+/**
+ * Global authUser type declaration
+ * This makes authUser available in @Authenticated methods without explicit declaration
+ */
+declare global {
+    /**
+     * Authenticated user object automatically available in @Authenticated methods
+     *
+     * Implemented as a getter that reads from AsyncLocalStorage for concurrency safety.
+     * Each request has its own isolated context - 100% safe for concurrent requests.
+     */
+    const authUser: any;
+}
+/**
+ * Get the current authenticated user from the async context
+ * This is safe for concurrent requests as each request has its own context
+ */
+declare function getAuthUser(): any;
+/**
+ * Authentication error class for better error handling
+ */
+declare class AuthenticationError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Decorator to protect MCP tools, prompts, resources, or entire services with authentication
+ *
+ * CONCURRENCY SAFE: Uses AsyncLocalStorage to ensure each request has its own isolated
+ * authUser context, preventing race conditions in high-concurrency scenarios.
+ *
+ * Usage:
+ *
+ * 1. Protect individual methods with automatic user info:
+ * ```typescript
+ * @Tool({ description: 'Analyze sentiment' })
+ * @Authenticated(authProvider, { getUser: true })
+ * async analyzeSentiment(args: AnalyzeSentimentInput): Promise<AnalyzeSentimentOutput> {
+ *   // authUser is automatically available in method scope
+ *   console.log('User:', authUser);
+ *   console.log('User ID:', authUser.sub);
+ * }
+ * ```
+ *
+ * 2. Protect without fetching user info:
+ * ```typescript
+ * @Tool({ description: 'Public tool' })
+ * @Authenticated(authProvider, { getUser: false })
+ * async publicTool(args: PublicToolInput): Promise<PublicToolOutput> {
+ *   // Only verifies token, doesn't fetch user info
+ * }
+ * ```
+ *
+ * 3. Protect entire service (all tools/prompts/resources):
+ * ```typescript
+ * @Authenticated(authProvider)
+ * export class SentimentAnalysisService {
+ *   @Tool({ description: 'Analyze sentiment' })
+ *   async analyzeSentiment(args: AnalyzeSentimentInput) {
+ *     // All methods in this service require authentication
+ *     // authUser is automatically available in all methods
+ *     console.log('User:', authUser);
+ *   }
+ * }
+ * ```
+ *
+ * The decorator expects authentication token in the MCP request _meta field:
+ * ```json
+ * {
+ *   "method": "tools/call",
+ *   "params": {
+ *     "name": "toolName",
+ *     "arguments": { ...businessData },
+ *     "_meta": {
+ *       "authorization": {
+ *         "type": "bearer",
+ *         "token": "your-jwt-token"
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * @param authProvider - Instance of AuthProviderBase to use for token verification
+ * @param options - Optional configuration for authentication behavior
+ */
+declare function Authenticated(authProvider: AuthProviderBase, options?: AuthenticatedOptions): (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => any;
+/**
+ * Check if a method or class requires authentication
+ */
+declare function isAuthenticationRequired(target: any): boolean;
+/**
+ * Get the auth provider for a method or class
+ */
+declare function getAuthProvider(target: any): AuthProviderBase | undefined;
+
+/**
+ * @leanmcp/auth - Authentication Module
+ *
+ * This module provides a base class for implementing authentication providers for MCP tools.
+ * Extend AuthProviderBase to integrate with different auth providers (Clerk, Stripe, Firebase, etc.)
+ */
+/**
+ * Base class for authentication providers
+ * Extend this class to implement integrations with different auth providers
+ */
+declare abstract class AuthProviderBase {
+    /**
+     * Initialize the auth provider with configuration
+     */
+    abstract init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    abstract refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    abstract verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    abstract getUser(token: string): Promise<any>;
+}
+/**
+ * Unified AuthProvider class that dynamically selects the appropriate auth provider
+ * based on the provider parameter
+ */
+declare class AuthProvider extends AuthProviderBase {
+    private providerInstance;
+    private providerType;
+    private config;
+    constructor(provider: string, config?: any);
+    /**
+     * Initialize the selected auth provider
+     */
+    init(config?: any): Promise<void>;
+    /**
+     * Refresh an authentication token
+     */
+    refreshToken(refreshToken: string, username?: string): Promise<any>;
+    /**
+     * Verify if a token is valid
+     */
+    verifyToken(token: string): Promise<boolean>;
+    /**
+     * Get user information from a token
+     */
+    getUser(token: string): Promise<any>;
+    /**
+     * Get user secrets for a project (LeanMCP provider only)
+     * Other providers will return empty object
+     */
+    getUserSecrets(token: string, projectId: string): Promise<Record<string, string>>;
+    /**
+     * Get the provider type
+     */
+    getProviderType(): string;
+}
+
+export { AuthProvider, AuthProviderBase, Authenticated, type AuthenticatedOptions, AuthenticationError, getAuthProvider, getAuthUser, isAuthenticationRequired };

package/dist/index.js

@@ -669,13 +669,13 @@ var init_leanmcp = __esm({
         };
       }
       /**
-       * Fetch user-specific environment variables for a project
-       * Uses the user's UID and project ID to retrieve their stored secrets
-       * 
-       * @param token - User's auth token
-       * @param projectId - Project ID to scope the secrets
-       * @returns Record of environment variables
-       */
+      * Fetch user-specific environment variables for a project
+      * Uses the user's UID and project ID to retrieve their stored secrets
+      *
+      * @param token - User's auth token
+      * @param projectId - Project ID to scope the secrets
+      * @returns Record of environment variables
+      */
       async getUserSecrets(token, projectId) {
         if (!this.apiKey) {
           console.warn("[LeanMCP] API key not configured - cannot fetch user secrets. Set LEANMCP_API_KEY environment variable or pass apiKey in config.");
@@ -685,7 +685,7 @@ var init_leanmcp = __esm({
         try {
           const { data } = await import_axios4.default.get(url, {
             headers: {
-              "Authorization": `Bearer ${token}`,
+              Authorization: `Bearer ${token}`,
               "x-api-key": this.apiKey
             }
           });

package/dist/index.mjs

@@ -6,7 +6,7 @@ import {
   getAuthProvider,
   getAuthUser,
   isAuthenticationRequired
-} from "./chunk-P4HFKA5R.mjs";
+} from "./chunk-ZJYMG6ZM.mjs";
 import "./chunk-LPEX4YW6.mjs";
 export {
   AuthProvider,

package/dist/{leanmcp-Y7TXNSTD.mjs → leanmcp-73RUGZ2B.mjs}

@@ -1,6 +1,6 @@
 import {
   AuthProviderBase
-} from "./chunk-P4HFKA5R.mjs";
+} from "./chunk-ZJYMG6ZM.mjs";
 import {
   __name
 } from "./chunk-LPEX4YW6.mjs";
@@ -108,13 +108,13 @@ var AuthLeanmcp = class extends AuthProviderBase {
     };
   }
   /**
-   * Fetch user-specific environment variables for a project
-   * Uses the user's UID and project ID to retrieve their stored secrets
-   * 
-   * @param token - User's auth token
-   * @param projectId - Project ID to scope the secrets
-   * @returns Record of environment variables
-   */
+  * Fetch user-specific environment variables for a project
+  * Uses the user's UID and project ID to retrieve their stored secrets
+  *
+  * @param token - User's auth token
+  * @param projectId - Project ID to scope the secrets
+  * @returns Record of environment variables
+  */
   async getUserSecrets(token, projectId) {
     if (!this.apiKey) {
       console.warn("[LeanMCP] API key not configured - cannot fetch user secrets. Set LEANMCP_API_KEY environment variable or pass apiKey in config.");
@@ -124,7 +124,7 @@ var AuthLeanmcp = class extends AuthProviderBase {
     try {
       const { data } = await axios.get(url, {
         headers: {
-          "Authorization": `Bearer ${token}`,
+          Authorization: `Bearer ${token}`,
           "x-api-key": this.apiKey
         }
       });