@leanmcp/auth 0.4.3 → 0.4.4-alpha.8.f4673cd

package/dist/proxy/index.js

@@ -233,28 +233,28 @@ var OAuthProxy = class {
     }
   }
   /**
-   * Get configured providers
-   */
+  * Get configured providers
+  */
   getProviders() {
     return this.config.providers;
   }
   /**
-   * Get a provider by ID
-   */
+  * Get a provider by ID
+  */
   getProvider(id) {
     return this.providersMap.get(id);
   }
   /**
-   * Generate state parameter with signature
-   */
+  * Generate state parameter with signature
+  */
   generateState() {
     const nonce = (0, import_crypto2.randomUUID)();
     const signature = (0, import_crypto2.createHmac)("sha256", this.config.sessionSecret).update(nonce).digest("hex").substring(0, 8);
     return `${nonce}.${signature}`;
   }
   /**
-   * Verify state parameter signature
-   */
+  * Verify state parameter signature
+  */
   verifyState(state) {
     const [nonce, signature] = state.split(".");
     if (!nonce || !signature) return false;
@@ -262,13 +262,13 @@ var OAuthProxy = class {
     return signature === expectedSignature;
   }
   /**
-   * Handle authorization request
-   * 
-   * Redirects the user to the external provider's authorization page.
-   * 
-   * @param params - Request parameters
-   * @returns URL to redirect the user to
-   */
+  * Handle authorization request
+  *
+  * Redirects the user to the external provider's authorization page.
+  *
+  * @param params - Request parameters
+  * @returns URL to redirect the user to
+  */
   handleAuthorize(params) {
     const provider = this.providersMap.get(params.provider);
     if (!provider) {
@@ -311,13 +311,13 @@ var OAuthProxy = class {
     return authUrl.toString();
   }
   /**
-   * Handle callback from external provider
-   * 
-   * Exchanges the authorization code for tokens and maps them.
-   * 
-   * @param params - Callback query parameters
-   * @returns Result with redirect URI and tokens
-   */
+  * Handle callback from external provider
+  *
+  * Exchanges the authorization code for tokens and maps them.
+  *
+  * @param params - Callback query parameters
+  * @returns Result with redirect URI and tokens
+  */
   async handleCallback(params) {
     const { code, state, error, error_description } = params;
     if (error) {
@@ -372,8 +372,8 @@ var OAuthProxy = class {
     };
   }
   /**
-   * Exchange authorization code for tokens with external provider
-   */
+  * Exchange authorization code for tokens with external provider
+  */
   async exchangeCodeForTokens(provider, code, redirectUri, codeVerifier) {
     const tokenPayload = {
       grant_type: "authorization_code",
@@ -394,7 +394,7 @@ var OAuthProxy = class {
     }
     const headers = {
       "Content-Type": "application/x-www-form-urlencoded",
-      "Accept": "application/json"
+      Accept: "application/json"
     };
     if (provider.tokenEndpointAuthMethod === "client_secret_basic") {
       const credentials = Buffer.from(`${provider.clientId}:${provider.clientSecret}`).toString("base64");
@@ -412,8 +412,8 @@ var OAuthProxy = class {
     return response.json();
   }
   /**
-   * Fetch user info from external provider
-   */
+  * Fetch user info from external provider
+  */
   async fetchUserInfo(provider, accessToken) {
     if (!provider.userInfoEndpoint) {
       return {
@@ -422,8 +422,8 @@ var OAuthProxy = class {
     }
     const response = await fetch(provider.userInfoEndpoint, {
       headers: {
-        "Authorization": `Bearer ${accessToken}`,
-        "Accept": "application/json"
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
       }
     });
     if (!response.ok) {
@@ -443,9 +443,9 @@ var OAuthProxy = class {
     };
   }
   /**
-   * Generate an internal authorization code for the mapped tokens
-   * This code can be exchanged via the token endpoint
-   */
+  * Generate an internal authorization code for the mapped tokens
+  * This code can be exchanged via the token endpoint
+  */
   generateInternalCode(tokens) {
     const code = (0, import_crypto2.randomUUID)();
     const signature = (0, import_crypto2.createHmac)("sha256", this.config.sessionSecret).update(code).update(JSON.stringify(tokens)).digest("hex").substring(0, 16);
@@ -462,8 +462,8 @@ var OAuthProxy = class {
     return fullCode;
   }
   /**
-   * Handle token request (exchange internal code for tokens)
-   */
+  * Handle token request (exchange internal code for tokens)
+  */
   async handleToken(params) {
     const { grant_type, code, refresh_token } = params;
     if (grant_type === "authorization_code") {
@@ -486,8 +486,8 @@ var OAuthProxy = class {
     throw new Error(`Unsupported grant_type: ${grant_type}`);
   }
   /**
-   * Express/Connect middleware factory
-   */
+  * Express/Connect middleware factory
+  */
   createMiddleware() {
     return {
       authorize: /* @__PURE__ */ __name((req, res) => {

package/dist/proxy/index.mjs

@@ -178,28 +178,28 @@ var OAuthProxy = class {
     }
   }
   /**
-   * Get configured providers
-   */
+  * Get configured providers
+  */
   getProviders() {
     return this.config.providers;
   }
   /**
-   * Get a provider by ID
-   */
+  * Get a provider by ID
+  */
   getProvider(id) {
     return this.providersMap.get(id);
   }
   /**
-   * Generate state parameter with signature
-   */
+  * Generate state parameter with signature
+  */
   generateState() {
     const nonce = randomUUID();
     const signature = createHmac("sha256", this.config.sessionSecret).update(nonce).digest("hex").substring(0, 8);
     return `${nonce}.${signature}`;
   }
   /**
-   * Verify state parameter signature
-   */
+  * Verify state parameter signature
+  */
   verifyState(state) {
     const [nonce, signature] = state.split(".");
     if (!nonce || !signature) return false;
@@ -207,13 +207,13 @@ var OAuthProxy = class {
     return signature === expectedSignature;
   }
   /**
-   * Handle authorization request
-   * 
-   * Redirects the user to the external provider's authorization page.
-   * 
-   * @param params - Request parameters
-   * @returns URL to redirect the user to
-   */
+  * Handle authorization request
+  *
+  * Redirects the user to the external provider's authorization page.
+  *
+  * @param params - Request parameters
+  * @returns URL to redirect the user to
+  */
   handleAuthorize(params) {
     const provider = this.providersMap.get(params.provider);
     if (!provider) {
@@ -256,13 +256,13 @@ var OAuthProxy = class {
     return authUrl.toString();
   }
   /**
-   * Handle callback from external provider
-   * 
-   * Exchanges the authorization code for tokens and maps them.
-   * 
-   * @param params - Callback query parameters
-   * @returns Result with redirect URI and tokens
-   */
+  * Handle callback from external provider
+  *
+  * Exchanges the authorization code for tokens and maps them.
+  *
+  * @param params - Callback query parameters
+  * @returns Result with redirect URI and tokens
+  */
   async handleCallback(params) {
     const { code, state, error, error_description } = params;
     if (error) {
@@ -317,8 +317,8 @@ var OAuthProxy = class {
     };
   }
   /**
-   * Exchange authorization code for tokens with external provider
-   */
+  * Exchange authorization code for tokens with external provider
+  */
   async exchangeCodeForTokens(provider, code, redirectUri, codeVerifier) {
     const tokenPayload = {
       grant_type: "authorization_code",
@@ -339,7 +339,7 @@ var OAuthProxy = class {
     }
     const headers = {
       "Content-Type": "application/x-www-form-urlencoded",
-      "Accept": "application/json"
+      Accept: "application/json"
     };
     if (provider.tokenEndpointAuthMethod === "client_secret_basic") {
       const credentials = Buffer.from(`${provider.clientId}:${provider.clientSecret}`).toString("base64");
@@ -357,8 +357,8 @@ var OAuthProxy = class {
     return response.json();
   }
   /**
-   * Fetch user info from external provider
-   */
+  * Fetch user info from external provider
+  */
   async fetchUserInfo(provider, accessToken) {
     if (!provider.userInfoEndpoint) {
       return {
@@ -367,8 +367,8 @@ var OAuthProxy = class {
     }
     const response = await fetch(provider.userInfoEndpoint, {
       headers: {
-        "Authorization": `Bearer ${accessToken}`,
-        "Accept": "application/json"
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
       }
     });
     if (!response.ok) {
@@ -388,9 +388,9 @@ var OAuthProxy = class {
     };
   }
   /**
-   * Generate an internal authorization code for the mapped tokens
-   * This code can be exchanged via the token endpoint
-   */
+  * Generate an internal authorization code for the mapped tokens
+  * This code can be exchanged via the token endpoint
+  */
   generateInternalCode(tokens) {
     const code = randomUUID();
     const signature = createHmac("sha256", this.config.sessionSecret).update(code).update(JSON.stringify(tokens)).digest("hex").substring(0, 16);
@@ -407,8 +407,8 @@ var OAuthProxy = class {
     return fullCode;
   }
   /**
-   * Handle token request (exchange internal code for tokens)
-   */
+  * Handle token request (exchange internal code for tokens)
+  */
   async handleToken(params) {
     const { grant_type, code, refresh_token } = params;
     if (grant_type === "authorization_code") {
@@ -431,8 +431,8 @@ var OAuthProxy = class {
     throw new Error(`Unsupported grant_type: ${grant_type}`);
   }
   /**
-   * Express/Connect middleware factory
-   */
+  * Express/Connect middleware factory
+  */
   createMiddleware() {
     return {
       authorize: /* @__PURE__ */ __name((req, res) => {

package/dist/server/index.js

@@ -148,11 +148,11 @@ var DynamicClientRegistration = class {
     };
   }
   /**
-   * Register a new OAuth client (stateless)
-   * 
-   * @param request - Client registration request per RFC 7591
-   * @returns Client registration response with JWT credentials
-   */
+  * Register a new OAuth client (stateless)
+  *
+  * @param request - Client registration request per RFC 7591
+  * @returns Client registration response with JWT credentials
+  */
   register(request) {
     const now = Date.now();
     const nowSeconds = Math.floor(now / 1e3);
@@ -194,12 +194,12 @@ var DynamicClientRegistration = class {
     return response;
   }
   /**
-   * Validate client credentials (stateless)
-   * 
-   * @param clientId - Client ID (JWT with prefix)
-   * @param clientSecret - Client secret (optional for public clients)
-   * @returns Whether credentials are valid
-   */
+  * Validate client credentials (stateless)
+  *
+  * @param clientId - Client ID (JWT with prefix)
+  * @param clientSecret - Client secret (optional for public clients)
+  * @returns Whether credentials are valid
+  */
   validate(clientId, clientSecret) {
     try {
       const jwtWithoutPrefix = this.extractJWT(clientId);
@@ -216,8 +216,8 @@ var DynamicClientRegistration = class {
     }
   }
   /**
-   * Get a registered client by ID (stateless)
-   */
+  * Get a registered client by ID (stateless)
+  */
   getClient(clientId) {
     try {
       const jwtWithoutPrefix = this.extractJWT(clientId);
@@ -239,8 +239,8 @@ var DynamicClientRegistration = class {
     }
   }
   /**
-   * Validate redirect URI for a client
-   */
+  * Validate redirect URI for a client
+  */
   validateRedirectUri(clientId, redirectUri) {
     const client = this.getClient(clientId);
     if (!client) return false;
@@ -248,29 +248,29 @@ var DynamicClientRegistration = class {
     return client.redirect_uris.includes(redirectUri);
   }
   /**
-   * Delete a client (no-op in stateless mode)
-   * 
-   * In stateless mode, clients cannot be truly "deleted" because
-   * their credentials are self-contained. They will expire naturally
-   * or when the signing secret is rotated.
-   */
+  * Delete a client (no-op in stateless mode)
+  *
+  * In stateless mode, clients cannot be truly "deleted" because
+  * their credentials are self-contained. They will expire naturally
+  * or when the signing secret is rotated.
+  */
   delete(clientId) {
     return this.getClient(clientId) !== void 0;
   }
   /**
-   * List all registered clients (not supported in stateless mode)
-   */
+  * List all registered clients (not supported in stateless mode)
+  */
   listClients() {
     throw new Error("listClients() is not supported in stateless DCR mode");
   }
   /**
-   * Clear all clients (no-op in stateless mode)
-   */
+  * Clear all clients (no-op in stateless mode)
+  */
   clearAll() {
   }
   /**
-   * Extract JWT from prefixed client_id
-   */
+  * Extract JWT from prefixed client_id
+  */
   extractJWT(clientId) {
     if (!clientId.startsWith(this.options.clientIdPrefix)) {
       return null;
@@ -278,11 +278,11 @@ var DynamicClientRegistration = class {
     return clientId.slice(this.options.clientIdPrefix.length);
   }
   /**
-   * Derive client secret from client_id JWT
-   * 
-   * Uses HMAC to create a deterministic secret that can be
-   * validated without storage.
-   */
+  * Derive client secret from client_id JWT
+  *
+  * Uses HMAC to create a deterministic secret that can be
+  * validated without storage.
+  */
   deriveClientSecret(clientIdJWT) {
     const { createHmac: createHmac3 } = require("crypto");
     return createHmac3("sha256", this.options.signingSecret).update(clientIdJWT).digest("hex");
@@ -331,16 +331,16 @@ var OAuthAuthorizationServer = class {
     });
   }
   /**
-   * Generate state parameter with HMAC signature
-   */
+  * Generate state parameter with HMAC signature
+  */
   generateState() {
     const nonce = (0, import_crypto3.randomUUID)();
     const signature = (0, import_crypto3.createHmac)("sha256", this.options.sessionSecret).update(nonce).digest("hex").substring(0, 8);
     return `${nonce}.${signature}`;
   }
   /**
-   * Verify state parameter signature
-   */
+  * Verify state parameter signature
+  */
   verifyState(state) {
     const [nonce, signature] = state.split(".");
     if (!nonce || !signature) return false;
@@ -348,14 +348,14 @@ var OAuthAuthorizationServer = class {
     return signature === expectedSignature;
   }
   /**
-   * Generate an authorization code
-   */
+  * Generate an authorization code
+  */
   generateAuthCode() {
     return (0, import_crypto3.randomBytes)(32).toString("hex");
   }
   /**
-   * Generate JWT access token with encrypted upstream credentials
-   */
+  * Generate JWT access token with encrypted upstream credentials
+  */
   generateAccessToken(claims, upstreamToken) {
     const now = Math.floor(Date.now() / 1e3);
     const jwtSigningSecret = this.options.jwtSigningSecret || this.options.sessionSecret;
@@ -382,8 +382,8 @@ var OAuthAuthorizationServer = class {
     return signJWT(payload, jwtSigningSecret);
   }
   /**
-   * Get authorization server metadata (RFC 8414)
-   */
+  * Get authorization server metadata (RFC 8414)
+  */
   getMetadata() {
     const issuer = this.options.issuer;
     return {
@@ -410,8 +410,8 @@ var OAuthAuthorizationServer = class {
     };
   }
   /**
-   * Get Express router with all OAuth endpoints
-   */
+  * Get Express router with all OAuth endpoints
+  */
   getRouter() {
     const router = import_express.default.Router();
     router.get("/.well-known/oauth-authorization-server", (_req, res) => {
@@ -444,8 +444,8 @@ var OAuthAuthorizationServer = class {
     return router;
   }
   /**
-   * Handle authorization request
-   */
+  * Handle authorization request
+  */
   handleAuthorize(req, res) {
     const { response_type, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, resource } = req.query;
     if (response_type !== "code") {
@@ -514,8 +514,8 @@ var OAuthAuthorizationServer = class {
     res.redirect(authUrl.toString());
   }
   /**
-   * Handle callback from upstream provider
-   */
+  * Handle callback from upstream provider
+  */
   async handleCallback(req, res) {
     const { code, state, error, error_description } = req.query;
     if (error) {
@@ -567,7 +567,7 @@ var OAuthAuthorizationServer = class {
       const tokenResponse = await fetch(upstream.tokenEndpoint, {
         method: "POST",
         headers: {
-          "Accept": "application/json",
+          Accept: "application/json",
           "Content-Type": "application/x-www-form-urlencoded"
         },
         body: new URLSearchParams({
@@ -587,8 +587,8 @@ var OAuthAuthorizationServer = class {
       if (upstream.userInfoEndpoint && upstreamTokens.access_token) {
         const userInfoResponse = await fetch(upstream.userInfoEndpoint, {
           headers: {
-            "Authorization": `Bearer ${upstreamTokens.access_token}`,
-            "Accept": "application/json"
+            Authorization: `Bearer ${upstreamTokens.access_token}`,
+            Accept: "application/json"
           }
         });
         if (userInfoResponse.ok) {
@@ -625,8 +625,8 @@ var OAuthAuthorizationServer = class {
     }
   }
   /**
-   * Handle token request
-   */
+  * Handle token request
+  */
   async handleToken(req, res) {
     const { grant_type, code, redirect_uri, client_id, client_secret, code_verifier } = req.body;
     let clientId = client_id;
@@ -672,8 +672,8 @@ var OAuthAuthorizationServer = class {
     }
   }
   /**
-   * Handle authorization code grant
-   */
+  * Handle authorization code grant
+  */
   async handleAuthCodeGrant(res, clientId, code, redirectUri, codeVerifier) {
     if (!code) {
       res.status(400).json({
@@ -776,11 +776,11 @@ var TokenVerifier = class {
     };
   }
   /**
-   * Verify a JWT access token
-   * 
-   * @param token - The JWT access token to verify
-   * @returns Verification result with claims and decrypted upstream token if valid
-   */
+  * Verify a JWT access token
+  *
+  * @param token - The JWT access token to verify
+  * @returns Verification result with claims and decrypted upstream token if valid
+  */
   async verify(token) {
     if (!token) {
       return {
@@ -843,13 +843,13 @@ var TokenVerifier = class {
     }
   }
   /**
-   * Generate WWW-Authenticate header for 401 responses
-   * 
-   * Per RFC 9728, this should include the resource_metadata URL
-   * 
-   * @param options - Header options
-   * @returns WWW-Authenticate header value
-   */
+  * Generate WWW-Authenticate header for 401 responses
+  *
+  * Per RFC 9728, this should include the resource_metadata URL
+  *
+  * @param options - Header options
+  * @returns WWW-Authenticate header value
+  */
   static getWWWAuthenticateHeader(options) {
     const parts = [
       `Bearer resource_metadata="${options.resourceMetadataUrl}"`
@@ -866,8 +866,8 @@ var TokenVerifier = class {
     return parts.join(", ");
   }
   /**
-   * Check if token has required scopes
-   */
+  * Check if token has required scopes
+  */
   hasScopes(claims, requiredScopes) {
     if (requiredScopes.length === 0) return true;
     const tokenScopes = typeof claims.scope === "string" ? claims.scope.split(" ") : claims.scope || [];