@lobu/gateway 2.8.0

package/dist/auth/claude/oauth-module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-module.js","sourceRoot":"","sources":["../../../src/auth/claude/oauth-module.ts"],"names":[],"mappings":";;;AAAA,qCAA0C;AAE1C,kEAA6D;AAC7D,oEAAwD;AAExD,6EAG2C;AAG3C,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,qBAAqB,CAAC,CAAC;AAEnD;;;GAGG;AACH,MAAa,iBAAkB,SAAQ,yCAAkB;IAGvD,YACE,mBAAwC,EACxC,oBAA0C;QAE1C,KAAK,CACH;YACE,UAAU,EAAE,QAAQ;YACpB,mBAAmB,EAAE,QAAQ;YAC7B,eAAe,EACb,gEAAgE;YAClE,oBAAoB,EAAE,yBAAyB;YAC/C,iBAAiB,EAAE;gBACjB,mBAAmB;gBACnB,sBAAsB;gBACtB,yBAAyB;aAC1B;YACD,IAAI,EAAE,WAAW;YACjB,eAAe,EAAE,2BAA2B;YAC5C,iBAAiB,EAAE,oBAAoB;YACvC,QAAQ,EAAE,OAAO;YACjB,kBAAkB,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC;YACxC,kBAAkB,EAChB,yIAAyI;YAC3I,iBAAiB,EAAE,YAAY;YAC/B,kBAAkB,EAAE,iDAAiD;SACtE,EACD,mBAAmB,CACpB,CAAC;QACF,gCAAgC;QAChC,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;QAC3B,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAC;IACnD,CAAC;IAED,8CAA8C;IAErC,YAAY;QACnB,OAAO,CAAC,CAAC,CACP,IAAA,gCAAU,EAAC,sBAAsB,CAAC;YAClC,IAAA,gCAAU,EAAC,yBAAyB,CAAC,CACtC,CAAC;IACJ,CAAC;IAEQ,uBAAuB,CAC9B,OAA+B;QAE/B,IAAI,CAAC,OAAO,CAAC,iBAAiB,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,CAAC;YACnE,kEAAkE;YAClE,wEAAwE;YACxE,MAAM,YAAY,GAChB,IAAA,gCAAU,EAAC,sBAAsB,CAAC,IAAI,IAAA,gCAAU,EAAC,mBAAmB,CAAC,CAAC;YACxE,MAAM,gBAAgB,GAAG,IAAA,gCAAU,EAAC,yBAAyB,CAAC,CAAC;YAE/D,IAAI,YAAY,EAAE,CAAC;gBACjB,OAAO,CAAC,iBAAiB,GAAG,YAAY,CAAC;YAC3C,CAAC;iBAAM,IAAI,gBAAgB,EAAE,CAAC;gBAC5B,OAAO,CAAC,uBAAuB,GAAG,gBAAgB,CAAC;YACrD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEQ,KAAK,CAAC,YAAY,CACzB,OAAe,EACf,OAA+B;QAE/B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,cAAc,CAC3D,OAAO,EACP,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,UAAU,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,QAAQ,sBAAsB,OAAO,EAAE,CAAC,CAAC;YAC1E,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,OAAO,CAAC,uBAAuB,GAAG,OAAO,CAAC,UAAU,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC;YACjD,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,kDAAkD;QAElD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,mBAAmB;QACjB,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,CAAC,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,CAAC;YAChD,QAAQ,EAAE,SAAS;YACnB,UAAU,EAAE,WAAW;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,OAAe,EACf,MAAc;QAEd,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAE5C,MAAM,cAAc,GAClB,MAAM,IAAI,CAAC,oBAAoB,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;YAC5C,OAAO;YACP,MAAM;YACN,cAAc;SACf,CAAC,CAAC;QACH,MAAM,YAAY,GAChB,cAAc;YACd,OAAO,CAAC,GAAG,CAAC,mBAAmB;YAC/B,0BAA0B,CAAC;QAC7B,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAE/B,MAAM,SAAS,GAAG,CAAC,KAAa,EAAE,KAAa,EAAE,EAAE;YACjD,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO;YAC5B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACjC,CAAC,CAAC;QAEF,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QACxE,IAAI,YAAY,EAAE,CAAC;YACjB,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,YAAY,CAAC,CAAC;QACrE,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;YACpC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe,EAAE,WAAoB;QACxD,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,WAA+B,CAAC,CAAC;IAC5E,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAe;QACrC,MAAM,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,CACnD,OAAO,EACP,IAAI,CAAC,UAAU,CAChB,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAChC,OAAe,EACf,WAA6B;QAE7B,MAAM,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC;YAC3C,OAAO;YACP,QAAQ,EAAE,IAAI,CAAC,UAAU;YACzB,UAAU,EAAE,WAAW,CAAC,WAAW;YACnC,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,IAAA,8CAAsB,EAC3B,IAAI,CAAC,mBAAmB,EACxB,WAAW,CAAC,WAAW,CACxB;YACD,QAAQ,EAAE;gBACR,YAAY,EAAE,WAAW,CAAC,YAAY;gBACtC,SAAS,EAAE,WAAW,CAAC,SAAS;aACjC;YACD,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAwBO,KAAK,CAAC,iBAAiB,CAC7B,OAAe;QAEf,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,cAAc,CAC3D,OAAO,EACP,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,MAAM,UAAU,GACd,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,MAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;QACjE,MAAM,MAAM,GACV,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,MAAK,OAAO;YAC3B,CAAC,CAAC,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,UAAU;YACrB,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAExE,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,kBAAkB;YAC1B,mBAAmB,EAAE,YAAY;SAClC,CAAC;QACF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,aAAa,GAAG,UAAU,UAAU,EAAE,CAAC;QACjD,CAAC;aAAM,IAAI,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,WAAW,CAAC,GAAG,MAAM,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,OAAO,iBAAiB,CAAC,eAAe,CAAC;QAC3C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;YAClE,OAAO;SACR,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,CAAC,IAAI,CACT,EAAE,KAAK,EAAE,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,OAAO,EAAE,OAAO,EAAE,EAChC,iCAAiC,CAClC,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CACT;gBACE,OAAO;gBACP,MAAM,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM;gBACxB,QAAQ,EAAE,CAAC,CAAC,UAAU;gBACtB,SAAS,EAAE,CAAC,CAAC,MAAM;aACpB,EACD,2DAA2D,CAC5D,CAAC;YACF,OAAO,iBAAiB,CAAC,eAAe,CAAC;QAC3C,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEvD,CAAC;QAEF,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;aAChC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;;YACZ,MAAM,EAAE,GAAG,MAAA,IAAI,CAAC,EAAE,0CAAE,IAAI,EAAE,CAAC;YAC3B,IAAI,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAC;YACrB,OAAO;gBACL,EAAE;gBACF,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,EAAE;gBACrC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,OAAO;aAC3B,CAAC;QACJ,CAAC,CAAC;aACD,MAAM,CACL,CAAC,IAAI,EAA8D,EAAE,CACnE,OAAO,CAAC,IAAI,CAAC,CAChB,CAAC;QAEJ,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,eAAe,CAAC;IACxE,CAAC;;AArQH,8CAsQC;AA7FyB,iCAAe,GAIlC;IACH;QACE,EAAE,EAAE,0BAA0B;QAC9B,YAAY,EAAE,iBAAiB;QAC/B,IAAI,EAAE,OAAO;KACd;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,YAAY,EAAE,eAAe;QAC7B,IAAI,EAAE,OAAO;KACd;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,YAAY,EAAE,kBAAkB;QAChC,IAAI,EAAE,OAAO;KACd;CACF,CAAC"}

package/dist/auth/cli/token-service.d.ts

@@ -0,0 +1,35 @@
+import type Redis from "ioredis";
+export interface CliTokenIdentity {
+    userId: string;
+    email?: string;
+    name?: string;
+}
+export interface CliIssuedTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+    user: CliTokenIdentity;
+}
+export interface CliAccessTokenIdentity extends CliTokenIdentity {
+    sessionId: string;
+    expiresAt: number;
+}
+export declare class CliTokenService {
+    private readonly redis;
+    constructor(redis: Redis);
+    issueTokens(identity: CliTokenIdentity): Promise<CliIssuedTokens>;
+    refreshTokens(refreshToken: string): Promise<CliIssuedTokens | null>;
+    verifyAccessToken(accessToken: string): Promise<CliAccessTokenIdentity | null>;
+    revokeSessionByRefreshToken(refreshToken: string): Promise<void>;
+    private buildIssuedTokens;
+    private createSessionRecord;
+    private saveSession;
+    private getSession;
+    private deleteSession;
+    private parseAccessToken;
+    private parseRefreshToken;
+    private parseToken;
+    private getSessionKey;
+    private generateId;
+}
+//# sourceMappingURL=token-service.d.ts.map

package/dist/auth/cli/token-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.d.ts","sourceRoot":"","sources":["../../../src/auth/cli/token-service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AAmCjC,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,gBAAgB,CAAC;CACxB;AAED,MAAM,WAAW,sBAAuB,SAAQ,gBAAgB;IAC9D,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,KAAK;IAEnC,WAAW,CAAC,QAAQ,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAMjE,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAkCpE,iBAAiB,CACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;IA+BnC,2BAA2B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQtE,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,mBAAmB;YAab,WAAW;YAYX,UAAU;YAiBV,aAAa;IAI3B,OAAO,CAAC,gBAAgB;IAIxB,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,UAAU;IAkBlB,OAAO,CAAC,aAAa;IAIrB,OAAO,CAAC,UAAU;CAGnB"}

package/dist/auth/cli/token-service.js

@@ -0,0 +1,171 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CliTokenService = void 0;
+const node_crypto_1 = require("node:crypto");
+const core_1 = require("@lobu/core");
+const logger = (0, core_1.createLogger)("cli-token-service");
+const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000;
+const REFRESH_TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+class CliTokenService {
+    constructor(redis) {
+        this.redis = redis;
+    }
+    async issueTokens(identity) {
+        const session = this.createSessionRecord(identity);
+        await this.saveSession(session);
+        return this.buildIssuedTokens(session);
+    }
+    async refreshTokens(refreshToken) {
+        const payload = this.parseRefreshToken(refreshToken);
+        if (!payload) {
+            return null;
+        }
+        const session = await this.getSession(payload.sessionId);
+        if (!session) {
+            logger.warn("CLI refresh rejected: session not found", {
+                sessionId: payload.sessionId,
+            });
+            return null;
+        }
+        if (session.refreshTokenId !== payload.refreshTokenId) {
+            logger.warn("CLI refresh rejected: token rotation mismatch", {
+                sessionId: payload.sessionId,
+            });
+            return null;
+        }
+        if (session.expiresAt <= Date.now()) {
+            logger.warn("CLI refresh rejected: session expired", {
+                sessionId: payload.sessionId,
+            });
+            await this.deleteSession(session.sessionId);
+            return null;
+        }
+        session.refreshTokenId = this.generateId();
+        await this.saveSession(session);
+        return this.buildIssuedTokens(session);
+    }
+    async verifyAccessToken(accessToken) {
+        const payload = this.parseAccessToken(accessToken);
+        if (!payload) {
+            return null;
+        }
+        const session = await this.getSession(payload.sessionId);
+        if (!session) {
+            logger.warn("CLI access token rejected: session not found", {
+                sessionId: payload.sessionId,
+            });
+            return null;
+        }
+        if (session.expiresAt <= Date.now()) {
+            logger.warn("CLI access token rejected: session expired", {
+                sessionId: payload.sessionId,
+            });
+            await this.deleteSession(session.sessionId);
+            return null;
+        }
+        return {
+            sessionId: session.sessionId,
+            userId: session.userId,
+            email: session.email,
+            name: session.name,
+            expiresAt: payload.exp,
+        };
+    }
+    async revokeSessionByRefreshToken(refreshToken) {
+        const payload = this.parseRefreshToken(refreshToken);
+        if (!payload) {
+            return;
+        }
+        await this.deleteSession(payload.sessionId);
+    }
+    buildIssuedTokens(session) {
+        const accessPayload = {
+            type: "cli-access",
+            sessionId: session.sessionId,
+            userId: session.userId,
+            email: session.email,
+            name: session.name,
+            iat: Date.now(),
+            exp: Date.now() + ACCESS_TOKEN_TTL_MS,
+        };
+        const refreshPayload = {
+            type: "cli-refresh",
+            sessionId: session.sessionId,
+            refreshTokenId: session.refreshTokenId,
+            iat: Date.now(),
+            exp: session.expiresAt,
+        };
+        return {
+            accessToken: (0, core_1.encrypt)(JSON.stringify(accessPayload)),
+            refreshToken: (0, core_1.encrypt)(JSON.stringify(refreshPayload)),
+            expiresAt: accessPayload.exp,
+            user: {
+                userId: session.userId,
+                email: session.email,
+                name: session.name,
+            },
+        };
+    }
+    createSessionRecord(identity) {
+        const now = Date.now();
+        return {
+            sessionId: this.generateId(),
+            userId: identity.userId,
+            email: identity.email,
+            name: identity.name,
+            refreshTokenId: this.generateId(),
+            createdAt: now,
+            expiresAt: now + REFRESH_TOKEN_TTL_MS,
+        };
+    }
+    async saveSession(session) {
+        const ttlSeconds = Math.max(1, Math.ceil((session.expiresAt - Date.now()) / 1000));
+        await this.redis.setex(this.getSessionKey(session.sessionId), ttlSeconds, JSON.stringify(session));
+    }
+    async getSession(sessionId) {
+        const raw = await this.redis.get(this.getSessionKey(sessionId));
+        if (!raw) {
+            return null;
+        }
+        try {
+            return JSON.parse(raw);
+        }
+        catch (error) {
+            logger.error("Failed to parse CLI session", { sessionId, error });
+            await this.deleteSession(sessionId);
+            return null;
+        }
+    }
+    async deleteSession(sessionId) {
+        await this.redis.del(this.getSessionKey(sessionId));
+    }
+    parseAccessToken(token) {
+        return this.parseToken(token, "cli-access");
+    }
+    parseRefreshToken(token) {
+        return this.parseToken(token, "cli-refresh");
+    }
+    parseToken(token, expectedType) {
+        try {
+            const payload = JSON.parse((0, core_1.decrypt)(token));
+            if (payload.type !== expectedType) {
+                return null;
+            }
+            if (typeof payload.exp !== "number" || payload.exp <= Date.now()) {
+                return null;
+            }
+            return payload;
+        }
+        catch (_a) {
+            return null;
+        }
+    }
+    getSessionKey(sessionId) {
+        return `cli:auth:session:${sessionId}`;
+    }
+    generateId() {
+        return (0, node_crypto_1.randomBytes)(24).toString("base64url");
+    }
+}
+exports.CliTokenService = CliTokenService;
+//# sourceMappingURL=token-service.js.map

package/dist/auth/cli/token-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.js","sourceRoot":"","sources":["../../../src/auth/cli/token-service.ts"],"names":[],"mappings":";;;AAAA,6CAA0C;AAC1C,qCAA4D;AAG5D,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,mBAAmB,CAAC,CAAC;AAEjD,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAC3C,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAgDtD,MAAa,eAAe;IAC1B,YAA6B,KAAY;QAAZ,UAAK,GAAL,KAAK,CAAO;IAAG,CAAC;IAE7C,KAAK,CAAC,WAAW,CAAC,QAA0B;QAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QACnD,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,YAAoB;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBACrD,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,CAAC,cAAc,KAAK,OAAO,CAAC,cAAc,EAAE,CAAC;YACtD,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;gBAC3D,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,uCAAuC,EAAE;gBACnD,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC3C,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,WAAmB;QAEnB,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,8CAA8C,EAAE;gBAC1D,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE;gBACxD,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO;YACL,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS,EAAE,OAAO,CAAC,GAAG;SACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,2BAA2B,CAAC,YAAoB;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IAEO,iBAAiB,CAAC,OAAyB;QACjD,MAAM,aAAa,GAA0B;YAC3C,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;YACf,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,mBAAmB;SACtC,CAAC;QACF,MAAM,cAAc,GAA2B;YAC7C,IAAI,EAAE,aAAa;YACnB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;YACf,GAAG,EAAE,OAAO,CAAC,SAAS;SACvB,CAAC;QAEF,OAAO;YACL,WAAW,EAAE,IAAA,cAAO,EAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;YACnD,YAAY,EAAE,IAAA,cAAO,EAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;YACrD,SAAS,EAAE,aAAa,CAAC,GAAG;YAC5B,IAAI,EAAE;gBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB;SACF,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,QAA0B;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE;YAC5B,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE;YACjC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,oBAAoB;SACtC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,OAAyB;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CACzB,CAAC,EACD,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CACnD,CAAC;QACF,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACpB,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,EACrC,UAAU,EACV,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CACxB,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,SAAiB;QAEjB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QAC7C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,SAAiB;QAC3C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,OAAO,IAAI,CAAC,UAAU,CAAwB,KAAK,EAAE,YAAY,CAAC,CAAC;IACrE,CAAC;IAEO,iBAAiB,CAAC,KAAa;QACrC,OAAO,IAAI,CAAC,UAAU,CAAyB,KAAK,EAAE,aAAa,CAAC,CAAC;IACvE,CAAC;IAEO,UAAU,CAChB,KAAa,EACb,YAAoB;QAEpB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,cAAO,EAAC,KAAK,CAAC,CAAM,CAAC;YAChD,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,WAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,SAAiB;QACrC,OAAO,oBAAoB,SAAS,EAAE,CAAC;IACzC,CAAC;IAEO,UAAU;QAChB,OAAO,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;CACF;AAjMD,0CAiMC"}

package/dist/auth/external/client.d.ts

@@ -0,0 +1,65 @@
+import type { OAuthCredentials } from "../oauth/credentials";
+import { type DeviceAuthorizationStartResult } from "./device-code-client";
+export interface ExternalAuthConfig {
+    issuerUrl: string;
+    clientId?: string;
+    clientSecret?: string;
+    authorizeUrl?: string;
+    tokenUrl?: string;
+    userinfoUrl?: string;
+    deviceAuthorizationUrl?: string;
+    redirectUri: string;
+    /** Additional redirect URIs to register (e.g. PUBLIC_GATEWAY_URL alongside localhost) */
+    additionalRedirectUris?: string[];
+    scope?: string;
+    cacheStore?: {
+        get: (key: string) => Promise<string | null>;
+        set: (key: string, value: string, ttlSeconds: number) => Promise<void>;
+    };
+}
+interface UserInfoResponse {
+    sub: string;
+    email: string;
+    name?: string;
+}
+export interface ExternalAuthCapabilities {
+    browser: boolean;
+    device: boolean;
+}
+export type ExternalDeviceAuthorizationPollResult = {
+    status: "pending";
+    interval?: number;
+} | {
+    status: "error";
+    error: string;
+    errorCode?: string;
+} | {
+    status: "complete";
+    credentials: OAuthCredentials;
+    user?: UserInfoResponse;
+};
+export declare class ExternalAuthClient {
+    private readonly config;
+    private discoveryCache;
+    constructor(config: ExternalAuthConfig);
+    generateCodeVerifier(): string;
+    buildAuthUrl(state: string, codeVerifier: string, redirectUri?: string): Promise<string>;
+    exchangeCodeForToken(code: string, codeVerifier: string, redirectUri?: string): Promise<OAuthCredentials>;
+    fetchUserInfo(accessToken: string): Promise<UserInfoResponse>;
+    getCapabilities(): Promise<ExternalAuthCapabilities>;
+    startDeviceAuthorization(): Promise<DeviceAuthorizationStartResult>;
+    pollDeviceAuthorization(deviceAuthId: string, intervalSeconds?: number): Promise<ExternalDeviceAuthorizationPollResult>;
+    static isConfigured(): boolean;
+    static fromEnv(publicGatewayUrl: string, cacheStore?: ExternalAuthConfig["cacheStore"]): ExternalAuthClient | null;
+    private resolveConfig;
+    private buildOAuthClient;
+    private buildDeviceCodeClient;
+    private discoverMetadata;
+    private getDiscoveryUrls;
+    private getDynamicClientCredentials;
+    private getCachedClientCredentials;
+    private cacheClientCredentials;
+    private selectTokenEndpointAuthMethod;
+}
+export {};
+//# sourceMappingURL=client.d.ts.map

package/dist/auth/external/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/auth/external/client.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,EAEL,KAAK,8BAA8B,EAEpC,MAAM,sBAAsB,CAAC;AAO9B,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QAC7C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACxE,CAAC;CACH;AAaD,UAAU,gBAAgB;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AA2BD,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,MAAM,qCAAqC,GAC7C;IACE,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACD;IACE,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACD;IACE,MAAM,EAAE,UAAU,CAAC;IACnB,WAAW,EAAE,gBAAgB,CAAC;IAC9B,IAAI,CAAC,EAAE,gBAAgB,CAAC;CACzB,CAAC;AAEN,qBAAa,kBAAkB;IAMjB,OAAO,CAAC,QAAQ,CAAC,MAAM;IALnC,OAAO,CAAC,cAAc,CAGN;gBAEa,MAAM,EAAE,kBAAkB;IAEvD,oBAAoB,IAAI,MAAM;IAIxB,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,MAAM,EACpB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC;IAeZ,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IAetB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA8B7D,eAAe,IAAI,OAAO,CAAC,wBAAwB,CAAC;IAQpD,wBAAwB,IAAI,OAAO,CAAC,8BAA8B,CAAC;IA2BnE,uBAAuB,CAC3B,YAAY,EAAE,MAAM,EACpB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,qCAAqC,CAAC;IAwBjD,MAAM,CAAC,YAAY,IAAI,OAAO;IAI9B,MAAM,CAAC,OAAO,CACZ,gBAAgB,EAAE,MAAM,EACxB,UAAU,CAAC,EAAE,kBAAkB,CAAC,YAAY,CAAC,GAC5C,kBAAkB,GAAG,IAAI;YAuBd,aAAa;IAwC3B,OAAO,CAAC,gBAAgB;IAoBxB,OAAO,CAAC,qBAAqB;YAaf,gBAAgB;IAgD9B,OAAO,CAAC,gBAAgB;YAiBV,2BAA2B;YA6E3B,0BAA0B;YAiB1B,sBAAsB;IA2BpC,OAAO,CAAC,6BAA6B;CA+BtC"}

package/dist/auth/external/client.js

@@ -0,0 +1,348 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExternalAuthClient = void 0;
+const node_crypto_1 = require("node:crypto");
+const core_1 = require("@lobu/core");
+const client_1 = require("../oauth/client");
+const device_code_client_1 = require("./device-code-client");
+const logger = (0, core_1.createLogger)("external-auth-client");
+const EXTERNAL_AUTH_CACHE_KEY = "external:auth:client:v3";
+const DISCOVERY_CACHE_TTL_MS = 5 * 60 * 1000;
+const DEFAULT_SCOPE = "profile:read";
+class ExternalAuthClient {
+    constructor(config) {
+        this.config = config;
+        this.discoveryCache = null;
+    }
+    generateCodeVerifier() {
+        return (0, node_crypto_1.randomBytes)(32).toString("base64url");
+    }
+    async buildAuthUrl(state, codeVerifier, redirectUri) {
+        const resolved = await this.resolveConfig();
+        if (!resolved.authUrl || !resolved.tokenUrl) {
+            throw new Error("External auth: authorization and token URLs are required for browser login");
+        }
+        return this.buildOAuthClient(resolved).buildAuthUrl(state, codeVerifier, redirectUri);
+    }
+    async exchangeCodeForToken(code, codeVerifier, redirectUri) {
+        const resolved = await this.resolveConfig();
+        if (!resolved.authUrl || !resolved.tokenUrl) {
+            throw new Error("External auth: authorization and token URLs are required for browser login");
+        }
+        return this.buildOAuthClient(resolved).exchangeCodeForToken(code, codeVerifier, redirectUri);
+    }
+    async fetchUserInfo(accessToken) {
+        const resolved = await this.resolveConfig();
+        if (!resolved.userinfoUrl) {
+            throw new Error("External auth: userinfo endpoint not available (expose it via OIDC discovery)");
+        }
+        const response = await fetch(resolved.userinfoUrl, {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                Accept: "application/json",
+            },
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new Error(`Failed to fetch user info: ${response.status} ${errorText}`);
+        }
+        const data = (await response.json());
+        logger.info("Fetched external auth user info", {
+            sub: data.sub,
+            email: data.email,
+        });
+        return data;
+    }
+    async getCapabilities() {
+        const resolved = await this.resolveConfig();
+        return {
+            browser: !!(resolved.authUrl && resolved.tokenUrl),
+            device: !!(resolved.deviceAuthorizationUrl && resolved.tokenUrl),
+        };
+    }
+    async startDeviceAuthorization() {
+        const resolved = await this.resolveConfig();
+        if (!resolved.deviceAuthorizationUrl || !resolved.tokenUrl) {
+            throw new Error("External auth: device authorization is not supported");
+        }
+        try {
+            return await this.buildDeviceCodeClient(resolved).requestDeviceCode();
+        }
+        catch (error) {
+            if (this.config.clientId &&
+                error instanceof Error &&
+                error.message.includes("invalid_client")) {
+                logger.warn("Static external auth client was rejected for device flow, retrying with dynamic registration");
+                const dynamicResolved = await this.resolveConfig({
+                    forceDynamicClient: true,
+                });
+                return this.buildDeviceCodeClient(dynamicResolved).requestDeviceCode();
+            }
+            throw error;
+        }
+    }
+    async pollDeviceAuthorization(deviceAuthId, intervalSeconds) {
+        const resolved = await this.resolveConfig();
+        if (!resolved.deviceAuthorizationUrl || !resolved.tokenUrl) {
+            throw new Error("External auth: device authorization is not supported");
+        }
+        const result = await this.buildDeviceCodeClient(resolved).pollForToken(deviceAuthId, intervalSeconds);
+        if (result.status !== "complete") {
+            return result;
+        }
+        const user = resolved.userinfoUrl
+            ? await this.fetchUserInfo(result.credentials.accessToken)
+            : undefined;
+        return Object.assign(Object.assign({}, result), { user });
+    }
+    static isConfigured() {
+        return !!process.env.MEMORY_URL;
+    }
+    static fromEnv(publicGatewayUrl, cacheStore) {
+        const authMcpUrl = process.env.MEMORY_URL;
+        if (!authMcpUrl)
+            return null;
+        const issuerUrl = authMcpUrl.replace(/\/+$/, "");
+        const callbackPath = "/connect/oauth/callback";
+        // Register redirect URIs for both the configured public URL and localhost
+        // so OAuth works regardless of how the user accesses the gateway
+        const redirectUri = `${publicGatewayUrl}${callbackPath}`;
+        const additionalRedirectUris = [
+            `http://localhost:8080${callbackPath}`,
+        ].filter((uri) => uri !== redirectUri);
+        return new ExternalAuthClient({
+            issuerUrl,
+            redirectUri,
+            additionalRedirectUris,
+            scope: DEFAULT_SCOPE,
+            cacheStore,
+        });
+    }
+    async resolveConfig(options) {
+        const metadata = await this.discoverMetadata();
+        const dynamicCredentials = await this.getDynamicClientCredentials(metadata, {
+            forceRegistration: options === null || options === void 0 ? void 0 : options.forceDynamicClient,
+        });
+        const clientId = (dynamicCredentials === null || dynamicCredentials === void 0 ? void 0 : dynamicCredentials.client_id) || this.config.clientId;
+        const clientSecret = (dynamicCredentials === null || dynamicCredentials === void 0 ? void 0 : dynamicCredentials.client_secret) || this.config.clientSecret;
+        if (!clientId) {
+            throw new Error("External auth: client registration failed and no static client ID is configured");
+        }
+        const authMethods = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported;
+        const tokenEndpointAuthMethod = (dynamicCredentials === null || dynamicCredentials === void 0 ? void 0 : dynamicCredentials.token_endpoint_auth_method) ||
+            this.selectTokenEndpointAuthMethod(authMethods, clientSecret);
+        return {
+            clientId,
+            clientSecret,
+            authUrl: this.config.authorizeUrl || (metadata === null || metadata === void 0 ? void 0 : metadata.authorization_endpoint),
+            tokenUrl: this.config.tokenUrl || (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint),
+            userinfoUrl: this.config.userinfoUrl || (metadata === null || metadata === void 0 ? void 0 : metadata.userinfo_endpoint),
+            deviceAuthorizationUrl: this.config.deviceAuthorizationUrl ||
+                (metadata === null || metadata === void 0 ? void 0 : metadata.device_authorization_endpoint),
+            grantTypesSupported: (metadata === null || metadata === void 0 ? void 0 : metadata.grant_types_supported) || [],
+            tokenEndpointAuthMethod,
+        };
+    }
+    buildOAuthClient(resolved) {
+        const providerConfig = {
+            id: "external-auth",
+            name: "External Auth",
+            clientId: resolved.clientId,
+            clientSecret: resolved.clientSecret,
+            authUrl: resolved.authUrl,
+            tokenUrl: resolved.tokenUrl,
+            redirectUri: this.config.redirectUri,
+            scope: this.config.scope || DEFAULT_SCOPE,
+            usePKCE: true,
+            responseType: "code",
+            grantType: "authorization_code",
+            tokenEndpointAuthMethod: resolved.tokenEndpointAuthMethod,
+            requireRefreshToken: false,
+        };
+        return new client_1.OAuthClient(providerConfig);
+    }
+    buildDeviceCodeClient(resolved) {
+        return new device_code_client_1.GenericDeviceCodeClient({
+            clientId: resolved.clientId,
+            clientSecret: resolved.clientSecret,
+            tokenUrl: resolved.tokenUrl,
+            deviceAuthorizationUrl: resolved.deviceAuthorizationUrl,
+            scope: this.config.scope || DEFAULT_SCOPE,
+            tokenEndpointAuthMethod: resolved.tokenEndpointAuthMethod,
+        });
+    }
+    async discoverMetadata() {
+        if (this.discoveryCache &&
+            Date.now() - this.discoveryCache.resolvedAt < DISCOVERY_CACHE_TTL_MS) {
+            return this.discoveryCache.metadata;
+        }
+        const discoveryUrls = this.getDiscoveryUrls();
+        for (const wellKnownUrl of discoveryUrls) {
+            try {
+                logger.info(`Discovering external auth endpoints from ${wellKnownUrl}`);
+                const response = await fetch(wellKnownUrl);
+                if (!response.ok) {
+                    logger.warn(`Failed to fetch external auth metadata from ${wellKnownUrl}: ${response.status}`);
+                    continue;
+                }
+                const metadata = (await response.json());
+                logger.info("Discovered external auth endpoints", {
+                    discoveryUrl: wellKnownUrl,
+                    authUrl: this.config.authorizeUrl || metadata.authorization_endpoint,
+                    tokenUrl: this.config.tokenUrl || metadata.token_endpoint,
+                    userinfoUrl: this.config.userinfoUrl || metadata.userinfo_endpoint || null,
+                    deviceAuthorizationUrl: this.config.deviceAuthorizationUrl ||
+                        metadata.device_authorization_endpoint ||
+                        null,
+                    registrationEndpoint: metadata.registration_endpoint || null,
+                });
+                this.discoveryCache = { metadata, resolvedAt: Date.now() };
+                return metadata;
+            }
+            catch (error) {
+                logger.warn("Failed to discover external auth endpoints", {
+                    discoveryUrl: wellKnownUrl,
+                    error,
+                });
+            }
+        }
+        this.discoveryCache = { metadata: null, resolvedAt: Date.now() };
+        return null;
+    }
+    getDiscoveryUrls() {
+        const trimmedIssuerUrl = this.config.issuerUrl.replace(/\/+$/, "");
+        const candidates = [`${trimmedIssuerUrl}/.well-known/openid-configuration`];
+        try {
+            const origin = new URL(trimmedIssuerUrl).origin;
+            const rootDiscoveryUrl = `${origin}/.well-known/openid-configuration`;
+            if (!candidates.includes(rootDiscoveryUrl)) {
+                candidates.push(rootDiscoveryUrl);
+            }
+        }
+        catch (_a) {
+            // Ignore invalid issuer URLs here; fetch will surface the real error.
+        }
+        return candidates;
+    }
+    async getDynamicClientCredentials(metadata, options) {
+        var _a;
+        if (!(options === null || options === void 0 ? void 0 : options.forceRegistration)) {
+            const cached = await this.getCachedClientCredentials();
+            if (cached) {
+                return cached;
+            }
+        }
+        if (!(metadata === null || metadata === void 0 ? void 0 : metadata.registration_endpoint)) {
+            return null;
+        }
+        if (!(options === null || options === void 0 ? void 0 : options.forceRegistration) && this.config.clientId) {
+            return null;
+        }
+        try {
+            const requestedAuthMethod = this.selectTokenEndpointAuthMethod(metadata.token_endpoint_auth_methods_supported, undefined);
+            const supportsDeviceGrant = !!metadata.device_authorization_endpoint ||
+                ((_a = metadata.grant_types_supported) === null || _a === void 0 ? void 0 : _a.includes(device_code_client_1.DEVICE_CODE_GRANT_TYPE));
+            logger.info("Registering external auth client dynamically", {
+                registrationEndpoint: metadata.registration_endpoint,
+                requestedAuthMethod,
+                supportsDeviceGrant,
+            });
+            const response = await fetch(metadata.registration_endpoint, {
+                method: "POST",
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify({
+                    client_name: "Lobu CLI and Settings",
+                    redirect_uris: [
+                        this.config.redirectUri,
+                        ...(this.config.additionalRedirectUris || []),
+                    ].filter((v, i, a) => a.indexOf(v) === i),
+                    grant_types: supportsDeviceGrant
+                        ? ["authorization_code", "refresh_token", device_code_client_1.DEVICE_CODE_GRANT_TYPE]
+                        : ["authorization_code", "refresh_token"],
+                    response_types: ["code"],
+                    token_endpoint_auth_method: requestedAuthMethod,
+                }),
+            });
+            if (!response.ok) {
+                const errorText = await response.text();
+                logger.warn("External auth client registration failed", {
+                    status: response.status,
+                    errorText,
+                });
+                return null;
+            }
+            const credentials = (await response.json());
+            await this.cacheClientCredentials(credentials);
+            logger.info("External auth client registered", {
+                clientId: credentials.client_id,
+                tokenEndpointAuthMethod: credentials.token_endpoint_auth_method || requestedAuthMethod,
+            });
+            return credentials;
+        }
+        catch (error) {
+            logger.warn("External auth client registration failed", { error });
+            return null;
+        }
+    }
+    async getCachedClientCredentials() {
+        if (!this.config.cacheStore) {
+            return null;
+        }
+        try {
+            const raw = await this.config.cacheStore.get(EXTERNAL_AUTH_CACHE_KEY);
+            if (!raw) {
+                return null;
+            }
+            return JSON.parse(raw);
+        }
+        catch (error) {
+            logger.warn("Failed to load cached external auth client", { error });
+            return null;
+        }
+    }
+    async cacheClientCredentials(credentials) {
+        if (!this.config.cacheStore) {
+            return;
+        }
+        const ttlSeconds = credentials.client_secret_expires_at &&
+            credentials.client_secret_expires_at > 0
+            ? Math.max(60, Math.floor(credentials.client_secret_expires_at - Date.now() / 1000))
+            : 7 * 24 * 60 * 60;
+        try {
+            await this.config.cacheStore.set(EXTERNAL_AUTH_CACHE_KEY, JSON.stringify(credentials), ttlSeconds);
+        }
+        catch (error) {
+            logger.warn("Failed to cache external auth client", { error });
+        }
+    }
+    selectTokenEndpointAuthMethod(supportedMethods, clientSecret) {
+        const methods = new Set(supportedMethods || []);
+        if (!clientSecret) {
+            if (methods.size === 0 || methods.has("none")) {
+                return "none";
+            }
+            if (methods.has("client_secret_post")) {
+                return "client_secret_post";
+            }
+            if (methods.has("client_secret_basic")) {
+                return "client_secret_basic";
+            }
+            return "none";
+        }
+        if (methods.has("client_secret_post")) {
+            return "client_secret_post";
+        }
+        if (methods.has("client_secret_basic")) {
+            return "client_secret_basic";
+        }
+        if (methods.has("none")) {
+            return "none";
+        }
+        return "client_secret_post";
+    }
+}
+exports.ExternalAuthClient = ExternalAuthClient;
+//# sourceMappingURL=client.js.map