npm - @leanmcp/auth - Versions diffs - 0.4.2 → 0.4.4 - Mend

@leanmcp/auth 0.4.2 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +1 -0
package/dist/client/index.d.mts +499 -0
package/dist/client/index.d.ts +499 -0
package/dist/index.d.mts +181 -0
package/dist/index.d.ts +181 -0
package/dist/proxy/index.d.mts +376 -0
package/dist/proxy/index.d.ts +376 -0
package/dist/server/index.d.mts +496 -0
package/dist/server/index.d.ts +496 -0
package/dist/storage/index.d.mts +181 -0
package/dist/storage/index.d.ts +181 -0
package/dist/types-DMpGN530.d.mts +122 -0
package/dist/types-DMpGN530.d.ts +122 -0
package/package.json +2 -1

package/dist/storage/index.d.ts ADDED Viewed

@@ -0,0 +1,181 @@
+import { T as TokenStorage, O as OAuthTokens, C as ClientRegistration, S as StoredSession } from '../types-DMpGN530.js';
+export { i as isTokenExpired, w as withExpiresAt } from '../types-DMpGN530.js';
+/**
+ * In-memory token storage
+ *
+ * Fast, simple storage for development and short-lived sessions.
+ * Tokens are lost when the process exits.
+ */
+/**
+ * In-memory token storage implementation
+ *
+ * @example
+ * ```typescript
+ * const storage = new MemoryStorage();
+ * await storage.setTokens('https://mcp.example.com', tokens);
+ * ```
+ */
+declare class MemoryStorage implements TokenStorage {
+    private tokens;
+    private clients;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Check if an entry is expired
+     */
+    private isExpired;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+/**
+ * File-based token storage
+ *
+ * Persists tokens to a JSON file for survival across restarts.
+ * Optionally encrypts tokens for security.
+ */
+interface FileStorageOptions {
+    /** Path to the storage file */
+    filePath: string;
+    /** Optional encryption key (if omitted, data stored in plaintext) */
+    encryptionKey?: string;
+    /** Whether to pretty-print JSON (default: false) */
+    prettyPrint?: boolean;
+}
+/**
+ * File-based token storage with optional encryption
+ *
+ * @example
+ * ```typescript
+ * // Plaintext storage
+ * const storage = new FileStorage({ filePath: '~/.leanmcp/tokens.json' });
+ *
+ * // Encrypted storage
+ * const storage = new FileStorage({
+ *   filePath: '~/.leanmcp/tokens.enc',
+ *   encryptionKey: process.env.TOKEN_ENCRYPTION_KEY
+ * });
+ * ```
+ */
+declare class FileStorage implements TokenStorage {
+    private filePath;
+    private encryptionKey?;
+    private prettyPrint;
+    private cache;
+    private writePromise;
+    constructor(options: FileStorageOptions | string);
+    /**
+     * Expand ~ to home directory
+     */
+    private expandPath;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Encrypt data
+     */
+    private encrypt;
+    /**
+     * Decrypt data
+     */
+    private decrypt;
+    /**
+     * Read data from file
+     */
+    private readFile;
+    /**
+     * Write data to file (coalesced to avoid race conditions)
+     */
+    private writeFile;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+/**
+ * OS Keychain Token Storage
+ *
+ * Secure storage using the operating system's credential manager:
+ * - macOS: Keychain
+ * - Windows: Credential Vault
+ * - Linux: libsecret (GNOME Keyring, KWallet, etc.)
+ *
+ * Requires the optional 'keytar' peer dependency.
+ */
+/**
+ * Keychain storage options
+ */
+interface KeychainStorageOptions {
+    /** Custom service name (default: 'leanmcp-auth') */
+    serviceName?: string;
+}
+/**
+ * OS Keychain-based token storage
+ *
+ * Uses the operating system's secure credential storage for maximum security.
+ * Tokens are encrypted at rest by the OS.
+ *
+ * @example
+ * ```typescript
+ * import { KeychainStorage } from '@leanmcp/auth/storage';
+ *
+ * // Requires 'keytar' to be installed
+ * const storage = new KeychainStorage();
+ *
+ * await storage.setTokens('https://mcp.example.com', tokens);
+ * ```
+ */
+declare class KeychainStorage implements TokenStorage {
+    private serviceName;
+    private keytar;
+    private initPromise;
+    constructor(options?: KeychainStorageOptions);
+    /**
+     * Initialize keytar (lazy load)
+     */
+    private init;
+    /**
+     * Normalize server URL for consistent key lookup
+     */
+    private normalizeUrl;
+    /**
+     * Get account key for tokens
+     */
+    private getTokensAccount;
+    /**
+     * Get account key for client info
+     */
+    private getClientAccount;
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serverUrl: string): Promise<void>;
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    clearClientInfo(serverUrl: string): Promise<void>;
+    clearAll(): Promise<void>;
+    getAllSessions(): Promise<StoredSession[]>;
+}
+/**
+ * Check if keychain storage is available
+ */
+declare function isKeychainAvailable(): Promise<boolean>;
+export { ClientRegistration, FileStorage, KeychainStorage, type KeychainStorageOptions, MemoryStorage, OAuthTokens, StoredSession, TokenStorage, isKeychainAvailable };

package/dist/types-DMpGN530.d.mts ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };

package/dist/types-DMpGN530.d.ts ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * Token Storage Types
+ *
+ * Defines interfaces for storing OAuth tokens across different backends
+ * (memory, file, keychain, browser localStorage, etc.)
+ */
+/**
+ * OAuth 2.0/2.1 token response
+ */
+interface OAuthTokens {
+    /** The access token issued by the authorization server */
+    access_token: string;
+    /** Token type (usually "Bearer") */
+    token_type: string;
+    /** Lifetime in seconds of the access token */
+    expires_in?: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token (OpenID Connect) */
+    id_token?: string;
+    /** Scope granted by the authorization server */
+    scope?: string;
+    /** Computed: Unix timestamp when token expires */
+    expires_at?: number;
+}
+/**
+ * OAuth client registration information
+ * Used for Dynamic Client Registration (RFC 7591)
+ */
+interface ClientRegistration {
+    /** OAuth client identifier */
+    client_id: string;
+    /** OAuth client secret (for confidential clients) */
+    client_secret?: string;
+    /** Unix timestamp when client secret expires */
+    client_secret_expires_at?: number;
+    /** Token for accessing registration endpoint */
+    registration_access_token?: string;
+    /** Client metadata from registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Stored session combining tokens and client info
+ */
+interface StoredSession {
+    /** Server URL this session is for */
+    serverUrl: string;
+    /** OAuth tokens */
+    tokens: OAuthTokens;
+    /** Client registration info (if dynamic registration used) */
+    clientInfo?: ClientRegistration;
+    /** Unix timestamp when session was created */
+    createdAt: number;
+    /** Unix timestamp when session was last updated */
+    updatedAt: number;
+}
+/**
+ * Token storage interface
+ *
+ * Implement this interface to create custom storage backends.
+ * All operations should be async to support various backends.
+ */
+interface TokenStorage {
+    /**
+     * Get stored tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Tokens if found, null otherwise
+     */
+    getTokens(serverUrl: string): Promise<OAuthTokens | null>;
+    /**
+     * Store tokens for a server
+     * @param serverUrl - The MCP server URL
+     * @param tokens - OAuth tokens to store
+     */
+    setTokens(serverUrl: string, tokens: OAuthTokens): Promise<void>;
+    /**
+     * Clear tokens for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearTokens(serverUrl: string): Promise<void>;
+    /**
+     * Get stored client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @returns Client info if found, null otherwise
+     */
+    getClientInfo(serverUrl: string): Promise<ClientRegistration | null>;
+    /**
+     * Store client registration for a server
+     * @param serverUrl - The MCP server URL
+     * @param info - Client registration info
+     */
+    setClientInfo(serverUrl: string, info: ClientRegistration): Promise<void>;
+    /**
+     * Clear client registration for a server
+     * @param serverUrl - The MCP server URL
+     */
+    clearClientInfo(serverUrl: string): Promise<void>;
+    /**
+     * Clear all stored data
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Get all stored sessions (optional)
+     * @returns Array of stored sessions
+     */
+    getAllSessions?(): Promise<StoredSession[]>;
+}
+/**
+ * Check if tokens are expired or about to expire
+ * @param tokens - OAuth tokens to check
+ * @param bufferSeconds - Seconds before expiry to consider expired (default: 60)
+ * @returns True if tokens are expired or will expire within buffer
+ */
+declare function isTokenExpired(tokens: OAuthTokens, bufferSeconds?: number): boolean;
+/**
+ * Compute expires_at from expires_in if not present
+ * @param tokens - OAuth tokens to enhance
+ * @returns Tokens with expires_at computed
+ */
+declare function withExpiresAt(tokens: OAuthTokens): OAuthTokens;
+export { type ClientRegistration as C, type OAuthTokens as O, type StoredSession as S, type TokenStorage as T, isTokenExpired as i, withExpiresAt as w };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@leanmcp/auth",
-  "version": "0.4.2",
+  "version": "0.4.4",
   "description": "Authentication and identity module with OAuth 2.1 client, token storage, and multiple providers",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -48,6 +48,7 @@
     "reflect-metadata": "^0.2.1"
   },
   "devDependencies": {
+    "@leanmcp/env-injection": "^0.1.0",
     "@types/jest": "^29.5.0",
     "@types/jsonwebtoken": "^9.0.10",
     "@types/jwk-to-pem": "^2.0.3",