@leanmcp/core 0.3.12 → 0.3.13

package/dist/index.js

@@ -41,6 +41,9 @@ function Tool(options = {}) {
     if (options.inputClass) {
       Reflect.defineMetadata("tool:inputClass", options.inputClass, descriptor.value);
     }
+    if (options.securitySchemes) {
+      Reflect.defineMetadata("tool:securitySchemes", options.securitySchemes, descriptor.value);
+    }
   };
 }
 function Prompt(options = {}) {
@@ -551,7 +554,8 @@ async function createHTTPServer(serverInput, options) {
       logging: serverOptions.logging,
       sessionTimeout: serverOptions.sessionTimeout,
       stateless: serverOptions.stateless,
-      dashboard: serverOptions.dashboard
+      dashboard: serverOptions.dashboard,
+      auth: serverOptions.auth
     };
   }
   const [express, { StreamableHTTPServerTransport }, cors] = await Promise.all([
@@ -713,6 +717,73 @@ async function createHTTPServer(serverInput, options) {
       uptime: process.uptime()
     });
   });
+  app.get("/.well-known/oauth-protected-resource", (req, res) => {
+    const host = req.headers.host || "localhost";
+    const protocol = req.headers["x-forwarded-proto"] || "http";
+    const resource = httpOptions.auth?.resource || `${protocol}://${host}`;
+    const authServers = httpOptions.auth?.authorizationServers || [
+      resource
+    ];
+    res.json({
+      resource,
+      authorization_servers: authServers,
+      scopes_supported: httpOptions.auth?.scopesSupported || [],
+      resource_documentation: httpOptions.auth?.documentationUrl
+    });
+  });
+  if (httpOptions.auth?.enableOAuthServer && httpOptions.auth?.oauthServerOptions) {
+    const authOpts = httpOptions.auth.oauthServerOptions;
+    app.get("/.well-known/oauth-authorization-server", (req, res) => {
+      const host = req.headers.host || "localhost";
+      const protocol = req.headers["x-forwarded-proto"] || "http";
+      const issuer = httpOptions.auth?.resource || `${protocol}://${host}`;
+      res.json({
+        issuer,
+        authorization_endpoint: `${issuer}/oauth/authorize`,
+        token_endpoint: `${issuer}/oauth/token`,
+        registration_endpoint: `${issuer}/oauth/register`,
+        scopes_supported: httpOptions.auth?.scopesSupported || [],
+        response_types_supported: [
+          "code"
+        ],
+        grant_types_supported: [
+          "authorization_code",
+          "refresh_token"
+        ],
+        code_challenge_methods_supported: [
+          "S256"
+        ],
+        token_endpoint_auth_methods_supported: [
+          "client_secret_post",
+          "client_secret_basic",
+          "none"
+        ]
+      });
+    });
+    (async () => {
+      try {
+        const authServerModule = await import(
+          /* webpackIgnore: true */
+          "@leanmcp/auth/server"
+        );
+        const { OAuthAuthorizationServer } = authServerModule;
+        const authServer = new OAuthAuthorizationServer({
+          issuer: httpOptions.auth?.resource || `http://localhost:${basePort}`,
+          sessionSecret: authOpts.sessionSecret,
+          jwtSigningSecret: authOpts.jwtSigningSecret,
+          jwtEncryptionSecret: authOpts.jwtEncryptionSecret,
+          tokenTTL: authOpts.tokenTTL,
+          upstreamProvider: authOpts.upstreamProvider,
+          scopesSupported: httpOptions.auth?.scopesSupported,
+          enableDCR: true
+        });
+        app.use(authServer.getRouter());
+        logger.info("OAuth authorization server mounted");
+      } catch (e) {
+        logger.warn("OAuth server requested but @leanmcp/auth/server not available");
+      }
+    })();
+  }
   const handleMCPRequestStateful = /* @__PURE__ */ __name(async (req, res) => {
     const sessionId = req.headers["mcp-session-id"];
     let transport;
@@ -728,6 +799,17 @@ async function createHTTPServer(serverInput, options) {
       logMessage += ` (session: ${sessionId.substring(0, 8)}...)`;
     }
     logger.info(logMessage);
+    logger.info(logMessage);
+    if (req.headers.authorization) {
+      if (!req.body.params) req.body.params = {};
+      if (!req.body.params._meta) req.body.params._meta = {};
+      const authHeader = req.headers.authorization;
+      if (authHeader.startsWith("Bearer ")) {
+        req.body.params._meta.authToken = authHeader.substring(7);
+      } else {
+        req.body.params._meta.authToken = authHeader;
+      }
+    }
     try {
       if (sessionId && transports[sessionId]) {
         transport = transports[sessionId];
@@ -784,7 +866,18 @@ async function createHTTPServer(serverInput, options) {
     if (params?.name) logMessage += ` [${params.name}]`;
     else if (params?.uri) logMessage += ` [${params.uri}]`;
     logger.info(logMessage);
+    logger.info(logMessage);
     try {
+      if (req.headers.authorization) {
+        if (!req.body.params) req.body.params = {};
+        if (!req.body.params._meta) req.body.params._meta = {};
+        const authHeader = req.headers.authorization;
+        if (authHeader.startsWith("Bearer ")) {
+          req.body.params._meta.authToken = authHeader.substring(7);
+        } else {
+          req.body.params._meta.authToken = authHeader;
+        }
+      }
       const freshServer = await statelessServerFactory();
       if (freshServer && typeof freshServer.waitForInit === "function") {
         await freshServer.waitForInit();
@@ -941,6 +1034,56 @@ var init_http_server = __esm({
   }
 });
 
+// src/auth-helpers.ts
+function createAuthError(message, options) {
+  const error = options.error || "invalid_token";
+  const errorDescription = options.errorDescription || message;
+  const wwwAuth = `Bearer resource_metadata="${options.resourceMetadataUrl}", error="${error}", error_description="${errorDescription}"`;
+  return {
+    content: [
+      {
+        type: "text",
+        text: message
+      }
+    ],
+    _meta: {
+      "mcp/www_authenticate": [
+        wwwAuth
+      ]
+    },
+    isError: true
+  };
+}
+function isAuthError(result) {
+  if (!result || typeof result !== "object") return false;
+  const r = result;
+  return r.isError === true && r._meta !== void 0 && typeof r._meta === "object" && r._meta !== null && "mcp/www_authenticate" in r._meta;
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+function createProtectedResourceMetadata(options) {
+  return {
+    resource: options.resource,
+    authorization_servers: options.authorizationServers || [
+      options.resource
+    ],
+    scopes_supported: options.scopesSupported,
+    resource_documentation: options.documentationUrl
+  };
+}
+var init_auth_helpers = __esm({
+  "src/auth-helpers.ts"() {
+    "use strict";
+    __name(createAuthError, "createAuthError");
+    __name(isAuthError, "isAuthError");
+    __name(extractBearerToken, "extractBearerToken");
+    __name(createProtectedResourceMetadata, "createProtectedResourceMetadata");
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -960,10 +1103,14 @@ __export(index_exports, {
   UserEnvs: () => UserEnvs,
   classToJsonSchema: () => classToJsonSchema,
   classToJsonSchemaWithConstraints: () => classToJsonSchemaWithConstraints,
+  createAuthError: () => createAuthError,
   createHTTPServer: () => createHTTPServer,
+  createProtectedResourceMetadata: () => createProtectedResourceMetadata,
   defaultLogger: () => defaultLogger,
+  extractBearerToken: () => extractBearerToken,
   getDecoratedMethods: () => getDecoratedMethods,
   getMethodMetadata: () => getMethodMetadata,
+  isAuthError: () => isAuthError,
   startMCPServer: () => startMCPServer,
   validateNonEmpty: () => validateNonEmpty,
   validatePath: () => validatePath,
@@ -993,6 +1140,7 @@ var init_index = __esm({
     init_http_server();
     init_logger();
     init_validation();
+    init_auth_helpers();
     init_decorators();
     init_schema_generator();
     init_logger();
@@ -2010,10 +2158,14 @@ init_index();
   UserEnvs,
   classToJsonSchema,
   classToJsonSchemaWithConstraints,
+  createAuthError,
   createHTTPServer,
+  createProtectedResourceMetadata,
   defaultLogger,
+  extractBearerToken,
   getDecoratedMethods,
   getMethodMetadata,
+  isAuthError,
   startMCPServer,
   validateNonEmpty,
   validatePath,

package/dist/index.mjs

@@ -22,6 +22,9 @@ function Tool(options = {}) {
     if (options.inputClass) {
       Reflect.defineMetadata("tool:inputClass", options.inputClass, descriptor.value);
     }
+    if (options.securitySchemes) {
+      Reflect.defineMetadata("tool:securitySchemes", options.securitySchemes, descriptor.value);
+    }
   };
 }
 __name(Tool, "Tool");
@@ -513,7 +516,8 @@ async function createHTTPServer(serverInput, options) {
       logging: serverOptions.logging,
       sessionTimeout: serverOptions.sessionTimeout,
       stateless: serverOptions.stateless,
-      dashboard: serverOptions.dashboard
+      dashboard: serverOptions.dashboard,
+      auth: serverOptions.auth
     };
   }
   const [express, { StreamableHTTPServerTransport }, cors] = await Promise.all([
@@ -675,6 +679,73 @@ async function createHTTPServer(serverInput, options) {
       uptime: process.uptime()
     });
   });
+  app.get("/.well-known/oauth-protected-resource", (req, res) => {
+    const host = req.headers.host || "localhost";
+    const protocol = req.headers["x-forwarded-proto"] || "http";
+    const resource = httpOptions.auth?.resource || `${protocol}://${host}`;
+    const authServers = httpOptions.auth?.authorizationServers || [
+      resource
+    ];
+    res.json({
+      resource,
+      authorization_servers: authServers,
+      scopes_supported: httpOptions.auth?.scopesSupported || [],
+      resource_documentation: httpOptions.auth?.documentationUrl
+    });
+  });
+  if (httpOptions.auth?.enableOAuthServer && httpOptions.auth?.oauthServerOptions) {
+    const authOpts = httpOptions.auth.oauthServerOptions;
+    app.get("/.well-known/oauth-authorization-server", (req, res) => {
+      const host = req.headers.host || "localhost";
+      const protocol = req.headers["x-forwarded-proto"] || "http";
+      const issuer = httpOptions.auth?.resource || `${protocol}://${host}`;
+      res.json({
+        issuer,
+        authorization_endpoint: `${issuer}/oauth/authorize`,
+        token_endpoint: `${issuer}/oauth/token`,
+        registration_endpoint: `${issuer}/oauth/register`,
+        scopes_supported: httpOptions.auth?.scopesSupported || [],
+        response_types_supported: [
+          "code"
+        ],
+        grant_types_supported: [
+          "authorization_code",
+          "refresh_token"
+        ],
+        code_challenge_methods_supported: [
+          "S256"
+        ],
+        token_endpoint_auth_methods_supported: [
+          "client_secret_post",
+          "client_secret_basic",
+          "none"
+        ]
+      });
+    });
+    (async () => {
+      try {
+        const authServerModule = await import(
+          /* webpackIgnore: true */
+          "@leanmcp/auth/server"
+        );
+        const { OAuthAuthorizationServer } = authServerModule;
+        const authServer = new OAuthAuthorizationServer({
+          issuer: httpOptions.auth?.resource || `http://localhost:${basePort}`,
+          sessionSecret: authOpts.sessionSecret,
+          jwtSigningSecret: authOpts.jwtSigningSecret,
+          jwtEncryptionSecret: authOpts.jwtEncryptionSecret,
+          tokenTTL: authOpts.tokenTTL,
+          upstreamProvider: authOpts.upstreamProvider,
+          scopesSupported: httpOptions.auth?.scopesSupported,
+          enableDCR: true
+        });
+        app.use(authServer.getRouter());
+        logger.info("OAuth authorization server mounted");
+      } catch (e) {
+        logger.warn("OAuth server requested but @leanmcp/auth/server not available");
+      }
+    })();
+  }
   const handleMCPRequestStateful = /* @__PURE__ */ __name(async (req, res) => {
     const sessionId = req.headers["mcp-session-id"];
     let transport;
@@ -690,6 +761,17 @@ async function createHTTPServer(serverInput, options) {
       logMessage += ` (session: ${sessionId.substring(0, 8)}...)`;
     }
     logger.info(logMessage);
+    logger.info(logMessage);
+    if (req.headers.authorization) {
+      if (!req.body.params) req.body.params = {};
+      if (!req.body.params._meta) req.body.params._meta = {};
+      const authHeader = req.headers.authorization;
+      if (authHeader.startsWith("Bearer ")) {
+        req.body.params._meta.authToken = authHeader.substring(7);
+      } else {
+        req.body.params._meta.authToken = authHeader;
+      }
+    }
     try {
       if (sessionId && transports[sessionId]) {
         transport = transports[sessionId];
@@ -746,7 +828,18 @@ async function createHTTPServer(serverInput, options) {
     if (params?.name) logMessage += ` [${params.name}]`;
     else if (params?.uri) logMessage += ` [${params.uri}]`;
     logger.info(logMessage);
+    logger.info(logMessage);
     try {
+      if (req.headers.authorization) {
+        if (!req.body.params) req.body.params = {};
+        if (!req.body.params._meta) req.body.params._meta = {};
+        const authHeader = req.headers.authorization;
+        if (authHeader.startsWith("Bearer ")) {
+          req.body.params._meta.authToken = authHeader.substring(7);
+        } else {
+          req.body.params._meta.authToken = authHeader;
+        }
+      }
       const freshServer = await statelessServerFactory();
       if (freshServer && typeof freshServer.waitForInit === "function") {
         await freshServer.waitForInit();
@@ -892,6 +985,51 @@ async function createHTTPServer(serverInput, options) {
 }
 __name(createHTTPServer, "createHTTPServer");
 
+// src/auth-helpers.ts
+function createAuthError(message, options) {
+  const error = options.error || "invalid_token";
+  const errorDescription = options.errorDescription || message;
+  const wwwAuth = `Bearer resource_metadata="${options.resourceMetadataUrl}", error="${error}", error_description="${errorDescription}"`;
+  return {
+    content: [
+      {
+        type: "text",
+        text: message
+      }
+    ],
+    _meta: {
+      "mcp/www_authenticate": [
+        wwwAuth
+      ]
+    },
+    isError: true
+  };
+}
+__name(createAuthError, "createAuthError");
+function isAuthError(result) {
+  if (!result || typeof result !== "object") return false;
+  const r = result;
+  return r.isError === true && r._meta !== void 0 && typeof r._meta === "object" && r._meta !== null && "mcp/www_authenticate" in r._meta;
+}
+__name(isAuthError, "isAuthError");
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+__name(extractBearerToken, "extractBearerToken");
+function createProtectedResourceMetadata(options) {
+  return {
+    resource: options.resource,
+    authorization_servers: options.authorizationServers || [
+      options.resource
+    ],
+    scopes_supported: options.scopesSupported,
+    resource_documentation: options.documentationUrl
+  };
+}
+__name(createProtectedResourceMetadata, "createProtectedResourceMetadata");
+
 // src/index.ts
 var ajv = new Ajv();
 var MCPServer = class {
@@ -1908,10 +2046,14 @@ export {
   UserEnvs,
   classToJsonSchema,
   classToJsonSchemaWithConstraints,
+  createAuthError,
   createHTTPServer,
+  createProtectedResourceMetadata,
   defaultLogger,
+  extractBearerToken,
   getDecoratedMethods,
   getMethodMetadata,
+  isAuthError,
   startMCPServer,
   validateNonEmpty,
   validatePath,