@lovable.dev/mcp-js 0.5.0

package/dist/protocols/oauth-metadata.cjs

@@ -0,0 +1,390 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/protocols/oauth-metadata.ts
+var oauth_metadata_exports = {};
+__export(oauth_metadata_exports, {
+  createOAuthProtectedResourceMetadataHandler: () => createOAuthProtectedResourceMetadataHandler
+});
+module.exports = __toCommonJS(oauth_metadata_exports);
+
+// src/core/http.ts
+var JSON_HEADERS = { "Content-Type": "application/json" };
+function headResponse(response) {
+  return new Response(null, { status: response.status, statusText: response.statusText, headers: response.headers });
+}
+function methodNotAllowed(allow) {
+  return new Response(JSON.stringify({ error: "method not allowed" }), {
+    status: 405,
+    headers: { ...JSON_HEADERS, Allow: allow }
+  });
+}
+
+// src/core/promise.ts
+function cachedPromise(load) {
+  let settled = false;
+  let value;
+  return async () => {
+    if (settled)
+      return value;
+    const loaded = await load();
+    settled = true;
+    value = loaded;
+    return loaded;
+  };
+}
+
+// src/core/url.ts
+function trimTrailingSlash(value) {
+  return value.replace(/\/+$/, "");
+}
+function isLocalHTTPHost(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+}
+function urlSafetyProblem(url) {
+  const isAllowedHTTP = url.protocol === "http:" && isLocalHTTPHost(url.hostname);
+  if (url.protocol !== "https:" && !isAllowedHTTP) {
+    return "must use https://, except localhost development URLs";
+  }
+  if (url.username || url.password) {
+    return "must not include credentials";
+  }
+  if (url.search || url.hash) {
+    return "must not include query or fragment";
+  }
+  return void 0;
+}
+
+// src/core/validation.ts
+function parseSafeUrl(subject, raw, ErrorClass = Error) {
+  let url;
+  try {
+    url = new URL(raw);
+  } catch {
+    throw new ErrorClass(`${subject} must be an absolute URL`);
+  }
+  const problem = urlSafetyProblem(url);
+  if (problem) {
+    throw new ErrorClass(`${subject} ${problem}`);
+  }
+  return url;
+}
+
+// src/auth/discovery.ts
+var OAuthConfigurationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "OAuthConfigurationError";
+  }
+};
+var METADATA_FETCH_TIMEOUT_MS = 5e3;
+function issuerPath(url) {
+  const path = trimTrailingSlash(url.pathname);
+  return path === "" ? void 0 : path;
+}
+function pathInsertedOAuthMetadataUrls(url, path) {
+  return [
+    `${url.origin}/.well-known/oauth-authorization-server${path}`,
+    `${url.origin}/.well-known/openid-configuration${path}`
+  ];
+}
+function oauthMetadataUrlsForIssuer(issuer) {
+  const normalizedIssuer = trimTrailingSlash(issuer);
+  const url = new URL(normalizedIssuer);
+  const path = issuerPath(url);
+  if (!path) {
+    return [
+      `${normalizedIssuer}/.well-known/oauth-authorization-server`,
+      `${normalizedIssuer}/.well-known/openid-configuration`
+    ];
+  }
+  return [...pathInsertedOAuthMetadataUrls(url, path), `${normalizedIssuer}/.well-known/openid-configuration`];
+}
+async function fetchFirstValidOAuthServerMetadata(metadataUrls, expectedIssuer) {
+  const errors = [];
+  for (const url of metadataUrls) {
+    try {
+      return await fetchOAuthServerMetadata(url, expectedIssuer);
+    } catch (err) {
+      errors.push(`${url}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  throw new Error(`failed to discover OAuth server metadata (${errors.join("; ")})`);
+}
+async function fetchOAuthServerMetadata(url, expectedIssuer) {
+  const response = await fetch(url, { signal: AbortSignal.timeout(METADATA_FETCH_TIMEOUT_MS), redirect: "error" });
+  if (!response.ok) {
+    throw new Error(String(response.status));
+  }
+  const json = await response.json();
+  if (typeof json.issuer !== "string") {
+    throw new Error("missing issuer");
+  }
+  parseSafeUrl("discovered issuer", json.issuer);
+  if (trimTrailingSlash(json.issuer) !== expectedIssuer) {
+    throw new Error("issuer mismatch");
+  }
+  if (typeof json.jwks_uri !== "string") {
+    throw new Error("missing jwks_uri");
+  }
+  parseSafeUrl("discovered jwks_uri", json.jwks_uri);
+  return { issuer: json.issuer, jwks_uri: json.jwks_uri };
+}
+async function fetchIssuerOAuthServerMetadata(issuer) {
+  try {
+    return await fetchFirstValidOAuthServerMetadata(oauthMetadataUrlsForIssuer(issuer), issuer);
+  } catch (err) {
+    throw new OAuthConfigurationError(
+      `OAuth issuer discovery failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function createOAuthDiscoveryResolver(auth) {
+  const configuredIssuer = trimTrailingSlash(auth.issuer);
+  const oauthServerMetadata = cachedPromise(() => fetchIssuerOAuthServerMetadata(configuredIssuer));
+  return {
+    resolveIssuer: async () => configuredIssuer,
+    resolveJwksUri: async () => auth.jwksUri ?? (await oauthServerMetadata()).jwks_uri
+  };
+}
+
+// src/auth/resource.ts
+function resolveProtectedResource(auth, request, options) {
+  if (auth.resource)
+    return trimTrailingSlash(auth.resource);
+  const path = resolveResourcePath(options.resourcePath, request);
+  const resourceURL = new URL(path, request.url);
+  resourceURL.search = "";
+  resourceURL.hash = "";
+  return trimTrailingSlash(resourceURL.toString());
+}
+function assertResourcePathShape(resourcePath) {
+  if (!resourcePath.startsWith("/") || resourcePath.startsWith("//") || resourcePath.includes("\\") || /(^|\/)\.\.(\/|$)/.test(resourcePath)) {
+    throw new Error(
+      `@lovable.dev/mcp-js: resourcePath must be an absolute path beginning with "/" without ".." segments or backslashes (got ${JSON.stringify(resourcePath)})`
+    );
+  }
+}
+function resolveResourcePath(resourcePath, request) {
+  if (resourcePath === void 0)
+    return new URL(request.url).pathname;
+  assertResourcePathShape(resourcePath);
+  return resourcePath;
+}
+
+// src/auth/verifier.ts
+var import_jose = require("jose");
+
+// src/auth/claims.ts
+function readString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function splitScopes(value) {
+  if (typeof value === "string")
+    return value.split(/\s+/).filter(Boolean);
+  if (Array.isArray(value))
+    return value.filter((entry) => typeof entry === "string" && entry.length > 0);
+  return [];
+}
+function stringClaim(claims, name) {
+  return readString(claims[name]);
+}
+
+// src/auth/verifier.ts
+var DEFAULT_JWT_ALGORITHMS = ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"];
+var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+var OAuthTokenError = class extends Error {
+  constructor(status, oauthError, message) {
+    super(message);
+    this.status = status;
+    this.oauthError = oauthError;
+    this.name = "OAuthTokenError";
+  }
+};
+function resolveAcceptedAudiences(auth, resource) {
+  return auth.acceptedAudiences ?? [resource];
+}
+function isJwksFetchFailure(err) {
+  if (err instanceof import_jose.errors.JWKSTimeout || err instanceof import_jose.errors.JWKSInvalid)
+    return true;
+  if (!(err instanceof import_jose.errors.JOSEError))
+    return err instanceof Error;
+  return err.code === "ERR_JOSE_GENERIC";
+}
+async function verifyJwtClaims(token, keySet, issuer, audience, auth) {
+  try {
+    const { payload } = await (0, import_jose.jwtVerify)(token, keySet, {
+      // `issuer` is trimmed of any trailing slash; accept both forms so a token whose
+      // `iss` carries the slash the AS publishes still verifies.
+      issuer: [issuer, `${issuer}/`],
+      audience: [...audience],
+      algorithms: auth.algorithms ? [...auth.algorithms] : DEFAULT_JWT_ALGORITHMS,
+      requiredClaims: ["sub", "exp"],
+      clockTolerance: auth.clockToleranceSeconds ?? DEFAULT_CLOCK_TOLERANCE_SECONDS
+    });
+    return payload;
+  } catch (err) {
+    if (isJwksFetchFailure(err)) {
+      throw new OAuthConfigurationError(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    throw err;
+  }
+}
+function assertNonEmptySubject(claims) {
+  const sub = claims["sub"];
+  if (typeof sub !== "string" || sub.trim() === "") {
+    throw new OAuthTokenError(401, "invalid_token", "token subject claim must be a non-empty string");
+  }
+}
+function assertOAuthClientClaim(auth, clientId) {
+  if (auth.requireOAuthClientClaim !== false && !clientId) {
+    throw new OAuthTokenError(401, "invalid_token", "OAuth client claim is required");
+  }
+}
+function makeBearer(token) {
+  return Object.defineProperty({}, "token", { value: token, enumerable: false });
+}
+function buildMcpAuthContext(args) {
+  const { claims } = args;
+  return {
+    type: "oauth",
+    principal: {
+      claims,
+      issuer: args.issuer,
+      resource: args.resource,
+      acceptedAudiences: args.acceptedAudiences,
+      scopes: splitScopes(claims.scope),
+      sub: stringClaim(claims, "sub"),
+      email: stringClaim(claims, "email"),
+      clientId: stringClaim(claims, "client_id") ?? stringClaim(claims, "azp")
+    },
+    bearer: makeBearer(args.token)
+  };
+}
+function createOAuthTokenVerifier(auth, discovery) {
+  const loadRemoteJwksKeySet = cachedPromise(
+    () => discovery.resolveJwksUri().then((jwksURI) => (0, import_jose.createRemoteJWKSet)(new URL(jwksURI)))
+  );
+  return async (token, request, options) => {
+    const resource = resolveProtectedResource(auth, request, options);
+    const issuer = await discovery.resolveIssuer();
+    const acceptedAudiences = resolveAcceptedAudiences(auth, resource);
+    const claims = await verifyJwtClaims(token, await loadRemoteJwksKeySet(), issuer, acceptedAudiences, auth);
+    assertNonEmptySubject(claims);
+    const context = buildMcpAuthContext({ token, claims, issuer, resource, acceptedAudiences });
+    assertOAuthClientClaim(auth, context.principal.clientId);
+    return context;
+  };
+}
+
+// src/auth/authorize.ts
+function oauthConfigurationErrorResponse() {
+  return new Response(JSON.stringify({ error: "oauth configuration error" }), {
+    status: 500,
+    headers: { ...JSON_HEADERS, "Cache-Control": "no-store" }
+  });
+}
+function getOAuthRuntime(mcp, options = {}) {
+  if (options.resourcePath !== void 0)
+    assertResourcePathShape(options.resourcePath);
+  const stableOptions = { resourcePath: options.resourcePath };
+  const auth = mcp.auth?.type === "oauth" ? mcp.auth : void 0;
+  if (!auth)
+    return { kind: "unconfigured", options: stableOptions };
+  const discovery = createOAuthDiscoveryResolver(auth);
+  return {
+    kind: "configured",
+    auth,
+    discovery,
+    verify: createOAuthTokenVerifier(auth, discovery),
+    options: stableOptions
+  };
+}
+
+// src/protocols/oauth-metadata.ts
+var CORS_ORIGIN = { "Access-Control-Allow-Origin": "*" };
+function withCors(response) {
+  response.headers.set("Access-Control-Allow-Origin", "*");
+  return response;
+}
+function notFound() {
+  return new Response(JSON.stringify({ error: "not found" }), {
+    status: 404,
+    // `no-store` so a 404 (OAuth unconfigured) isn't heuristically cached and
+    // then served past a later deploy that enables OAuth and starts returning 200.
+    headers: { ...JSON_HEADERS, ...CORS_ORIGIN, "Cache-Control": "no-store" }
+  });
+}
+async function buildProtectedResourceMetadata(mcp, auth, request, options, discovery) {
+  const issuer = await discovery.resolveIssuer();
+  const body = {
+    resource: resolveProtectedResource(auth, request, options),
+    authorization_servers: [issuer],
+    bearer_methods_supported: ["header"],
+    resource_name: auth.resourceName ?? mcp.title,
+    resource_documentation: auth.resourceDocumentation
+  };
+  if (auth.requiredScopes && auth.requiredScopes.length > 0)
+    body.scopes_supported = auth.requiredScopes;
+  return body;
+}
+function createOAuthProtectedResourceMetadataHandler(mcp, options = {}) {
+  const runtime = getOAuthRuntime(mcp, options);
+  if (runtime.kind === "configured" && runtime.auth.protectedResourceMetadataUrl === void 0 && runtime.auth.resource === void 0 && runtime.options.resourcePath === void 0) {
+    throw new Error(
+      `@lovable.dev/mcp-js: auth.resource or a resourcePath is required so the protected-resource metadata doesn't advertise the well-known URL as the resource`
+    );
+  }
+  return async (request) => {
+    if (runtime.kind !== "configured" || runtime.auth.protectedResourceMetadataUrl !== void 0)
+      return notFound();
+    if (request.method === "OPTIONS") {
+      return new Response(null, {
+        status: 204,
+        headers: { ...CORS_ORIGIN, "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS" }
+      });
+    }
+    if (request.method !== "GET" && request.method !== "HEAD")
+      return withCors(methodNotAllowed("GET, HEAD, OPTIONS"));
+    const headers = {
+      ...JSON_HEADERS,
+      ...CORS_ORIGIN,
+      "Cache-Control": "public, max-age=300",
+      Vary: "Host"
+    };
+    try {
+      const metadata = await buildProtectedResourceMetadata(
+        mcp,
+        runtime.auth,
+        request,
+        runtime.options,
+        runtime.discovery
+      );
+      const response = Response.json(metadata, { headers });
+      return request.method === "HEAD" ? headResponse(response) : response;
+    } catch {
+      const response = withCors(oauthConfigurationErrorResponse());
+      return request.method === "HEAD" ? headResponse(response) : response;
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createOAuthProtectedResourceMetadataHandler
+});

package/dist/protocols/oauth-metadata.d.cts

@@ -0,0 +1,8 @@
+import { M as McpRuntimeOptions } from '../authorize-DpTEIFvs.js';
+import { d as McpDefinition } from '../types-zMlr1mOK.js';
+import 'zod';
+
+type OAuthProtectedResourceMetadataHandler = (request: Request) => Promise<Response>;
+declare function createOAuthProtectedResourceMetadataHandler(mcp: McpDefinition, options?: McpRuntimeOptions): OAuthProtectedResourceMetadataHandler;
+
+export { type OAuthProtectedResourceMetadataHandler, createOAuthProtectedResourceMetadataHandler };

package/dist/protocols/oauth-metadata.d.ts

@@ -0,0 +1,8 @@
+import { M as McpRuntimeOptions } from '../authorize-DpTEIFvs.js';
+import { d as McpDefinition } from '../types-zMlr1mOK.js';
+import 'zod';
+
+type OAuthProtectedResourceMetadataHandler = (request: Request) => Promise<Response>;
+declare function createOAuthProtectedResourceMetadataHandler(mcp: McpDefinition, options?: McpRuntimeOptions): OAuthProtectedResourceMetadataHandler;
+
+export { type OAuthProtectedResourceMetadataHandler, createOAuthProtectedResourceMetadataHandler };

package/dist/protocols/oauth-metadata.js

@@ -0,0 +1,9 @@
+import {
+  createOAuthProtectedResourceMetadataHandler
+} from "../chunk-DDF63QWG.js";
+import "../chunk-XEDRJFAR.js";
+import "../chunk-QA3FWDUV.js";
+import "../chunk-6DXGZZA4.js";
+export {
+  createOAuthProtectedResourceMetadataHandler
+};