@mcp-abap-adt/auth-broker 0.1.1 → 0.1.2

package/CHANGELOG.md

@@ -9,6 +9,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the complete list.
 
+## [0.1.2] - 2025-11-30
+
+### Added
+- **Storage Interfaces** - New interfaces for custom storage implementations
+  - `ServiceKeyStore` interface - for reading service keys
+  - `SessionStore` interface - for reading/writing session data (tokens, configuration)
+  - `FileServiceKeyStore` - default file-based implementation for service keys
+  - `FileSessionStore` - default file-based implementation for sessions
+- **Dependency Injection Support** - AuthBroker now accepts custom stores via constructor
+  - Can provide custom `ServiceKeyStore` and `SessionStore` implementations
+  - Default to file-based stores if not provided (backward compatible)
+  - Enables custom storage backends (database, cloud, etc.) without creating new packages
+  - New API: constructor accepts object with `serviceKeyStore` and `sessionStore` properties
+  - Backward compatible: still accepts `searchPaths` as first parameter (string/array)
+
+### Technical Details
+- Storage abstraction allows consumers to provide custom implementations
+- No breaking changes - existing code continues to work
+- File-based stores remain the default implementation
+
 ## [0.1.1] - 2025-11-30
 
 ### Added

package/dist/AuthBroker.d.ts

@@ -2,6 +2,7 @@
  * Main AuthBroker class for managing JWT tokens based on destinations
  */
 import { Logger } from './logger';
+import { ServiceKeyStore, SessionStore } from './stores/interfaces';
 /**
  * AuthBroker manages JWT authentication tokens for destinations
  */
@@ -9,26 +10,33 @@ export declare class AuthBroker {
     private searchPaths;
     private browser;
     private logger;
+    private serviceKeyStore;
+    private sessionStore;
     /**
      * Create a new AuthBroker instance
-     * @param searchPaths Optional search paths for .env and .json files.
-     *                    Can be a single path (string) or array of paths.
-     *                    Priority:
-     *                    1. Constructor parameter (highest)
-     *                    2. AUTH_BROKER_PATH environment variable (colon/semicolon-separated)
-     *                    3. Current working directory (lowest)
+     * @param searchPathsOrStores Optional search paths for .env and .json files (backward compatibility),
+     *                            OR object with custom stores.
+     *                            If string/array: creates default file-based stores with these paths.
+     *                            If object: uses provided stores (searchPaths ignored).
+     *                            Priority for searchPaths:
+     *                            1. Constructor parameter (highest)
+     *                            2. AUTH_BROKER_PATH environment variable (colon/semicolon-separated)
+     *                            3. Current working directory (lowest)
      * @param browser Optional browser name for authentication (chrome, edge, firefox, system, none).
      *                Default: 'system' (system default browser).
      *                Use 'none' to print URL instead of opening browser.
      * @param logger Optional logger instance. If not provided, uses default logger.
      */
-    constructor(searchPaths?: string | string[], browser?: string, logger?: Logger);
+    constructor(searchPathsOrStores?: string | string[] | {
+        serviceKeyStore?: ServiceKeyStore;
+        sessionStore?: SessionStore;
+    }, browser?: string, logger?: Logger);
     /**
      * Get authentication token for destination.
-     * Tries to load from .env file, validates it, and refreshes if needed.
+     * Tries to load from session store, validates it, and refreshes if needed.
      * @param destination Destination name (e.g., "TRIAL")
      * @returns Promise that resolves to JWT token string
-     * @throws Error if neither .env file nor service key found
+     * @throws Error if neither session data nor service key found
      */
     getToken(destination: string): Promise<string>;
     /**
@@ -38,24 +46,18 @@ export declare class AuthBroker {
      * @returns Promise that resolves to new JWT token string
      */
     refreshToken(destination: string): Promise<string>;
+    /**
+     * Internal refresh token implementation
+     * @private
+     */
+    private refreshTokenInternal;
     /**
      * Get SAP URL for destination.
-     * Tries to load from .env file first, then from service key.
+     * Tries to load from session store first, then from service key store.
      * @param destination Destination name (e.g., "TRIAL")
      * @returns Promise that resolves to SAP URL string, or undefined if not found
      */
     getSapUrl(destination: string): Promise<string | undefined>;
-    /**
-     * Save token to {destination}.env file
-     * Creates .env file similar to sap-abap-auth utility format
-     * @private
-     */
-    private saveTokenToEnv;
-    /**
-     * Get token expiry information from JWT token
-     * @private
-     */
-    private getTokenExpiry;
     /**
      * Clear cached token for specific destination
      * @param destination Destination name
@@ -65,5 +67,10 @@ export declare class AuthBroker {
      * Clear all cached tokens
      */
     clearAllCache(): void;
+    /**
+     * Get search paths for error messages (from file stores if available)
+     * @private
+     */
+    private getSearchPathsForError;
 }
 //# sourceMappingURL=AuthBroker.d.ts.map

package/dist/AuthBroker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH,OAAO,EAAE,MAAM,EAAiB,MAAM,UAAU,CAAC;AAIjD;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,WAAW,CAAW;IAC9B,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAS;IAEvB;;;;;;;;;;;;OAYG;gBACS,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM;IAM9E;;;;;;OAMG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKxD;;;;;OAKG;IACG,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAgBjE;;;;OAIG;YACW,cAAc;IA6E5B;;;OAGG;IACH,OAAO,CAAC,cAAc;IAyCtB;;;OAGG;IACH,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAIrC;;OAEG;IACH,aAAa,IAAI,IAAI;CAGtB"}
+{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAQH,OAAO,EAAE,MAAM,EAAiB,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGpE;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,WAAW,CAAW;IAC9B,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,YAAY,CAAe;IAEnC;;;;;;;;;;;;;;OAcG;gBAED,mBAAmB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG;QAAE,eAAe,CAAC,EAAE,eAAe,CAAC;QAAC,YAAY,CAAC,EAAE,YAAY,CAAA;KAAE,EAC5G,OAAO,CAAC,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM;IAmBjB;;;;;;OAMG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgDpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmBxD;;;OAGG;YACW,oBAAoB;IAuDlC;;;;;OAKG;IACG,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAiBjE;;;OAGG;IACH,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAIrC;;OAEG;IACH,aAAa,IAAI,IAAI;IAIrB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;CAW/B"}

package/dist/AuthBroker.js

@@ -2,50 +2,15 @@
 /**
  * Main AuthBroker class for managing JWT tokens based on destinations
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthBroker = void 0;
-const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
-const envLoader_1 = require("./envLoader");
-const serviceKeyLoader_1 = require("./serviceKeyLoader");
+const tokenValidator_1 = require("./tokenValidator");
+const tokenRefresher_1 = require("./tokenRefresher");
+const browserAuth_1 = require("./browserAuth");
 const cache_1 = require("./cache");
 const pathResolver_1 = require("./pathResolver");
 const logger_1 = require("./logger");
-const refreshToken_1 = require("./refreshToken");
-const getToken_1 = require("./getToken");
+const stores_1 = require("./stores");
 /**
  * AuthBroker manages JWT authentication tokens for destinations
  */
@@ -53,34 +18,88 @@ class AuthBroker {
     searchPaths;
     browser;
     logger;
+    serviceKeyStore;
+    sessionStore;
     /**
      * Create a new AuthBroker instance
-     * @param searchPaths Optional search paths for .env and .json files.
-     *                    Can be a single path (string) or array of paths.
-     *                    Priority:
-     *                    1. Constructor parameter (highest)
-     *                    2. AUTH_BROKER_PATH environment variable (colon/semicolon-separated)
-     *                    3. Current working directory (lowest)
+     * @param searchPathsOrStores Optional search paths for .env and .json files (backward compatibility),
+     *                            OR object with custom stores.
+     *                            If string/array: creates default file-based stores with these paths.
+     *                            If object: uses provided stores (searchPaths ignored).
+     *                            Priority for searchPaths:
+     *                            1. Constructor parameter (highest)
+     *                            2. AUTH_BROKER_PATH environment variable (colon/semicolon-separated)
+     *                            3. Current working directory (lowest)
      * @param browser Optional browser name for authentication (chrome, edge, firefox, system, none).
      *                Default: 'system' (system default browser).
      *                Use 'none' to print URL instead of opening browser.
      * @param logger Optional logger instance. If not provided, uses default logger.
      */
-    constructor(searchPaths, browser, logger) {
-        this.searchPaths = (0, pathResolver_1.resolveSearchPaths)(searchPaths);
+    constructor(searchPathsOrStores, browser, logger) {
+        // Handle backward compatibility: if first param is string/array, treat as searchPaths
+        if (typeof searchPathsOrStores === 'string' || Array.isArray(searchPathsOrStores) || searchPathsOrStores === undefined) {
+            this.searchPaths = (0, pathResolver_1.resolveSearchPaths)(searchPathsOrStores);
+            // Create default file-based stores
+            this.serviceKeyStore = new stores_1.FileServiceKeyStore(this.searchPaths);
+            this.sessionStore = new stores_1.FileSessionStore(this.searchPaths);
+        }
+        else {
+            // New API: stores provided
+            this.searchPaths = (0, pathResolver_1.resolveSearchPaths)(undefined); // Still resolve for backward compatibility in internal functions
+            this.serviceKeyStore = searchPathsOrStores.serviceKeyStore || new stores_1.FileServiceKeyStore();
+            this.sessionStore = searchPathsOrStores.sessionStore || new stores_1.FileSessionStore();
+        }
         this.browser = browser || 'system';
         this.logger = logger || logger_1.defaultLogger;
     }
     /**
      * Get authentication token for destination.
-     * Tries to load from .env file, validates it, and refreshes if needed.
+     * Tries to load from session store, validates it, and refreshes if needed.
      * @param destination Destination name (e.g., "TRIAL")
      * @returns Promise that resolves to JWT token string
-     * @throws Error if neither .env file nor service key found
+     * @throws Error if neither session data nor service key found
      */
     async getToken(destination) {
-        // Use getToken function with logger
-        return (0, getToken_1.getToken)(destination, this.searchPaths, this.logger);
+        // Check cache first
+        const cachedToken = (0, cache_1.getCachedToken)(destination);
+        if (cachedToken) {
+            // Validate cached token
+            const envConfig = await this.sessionStore.loadSession(destination);
+            if (envConfig) {
+                const isValid = await (0, tokenValidator_1.validateToken)(cachedToken, envConfig.sapUrl);
+                if (isValid) {
+                    return cachedToken;
+                }
+                // Token expired, remove from cache
+            }
+        }
+        // Load from session store
+        const envConfig = await this.sessionStore.loadSession(destination);
+        if (envConfig && envConfig.jwtToken) {
+            // Validate token
+            const isValid = await (0, tokenValidator_1.validateToken)(envConfig.jwtToken, envConfig.sapUrl);
+            if (isValid) {
+                (0, cache_1.setCachedToken)(destination, envConfig.jwtToken);
+                return envConfig.jwtToken;
+            }
+        }
+        // Token not found or expired, check if we have service key for browser auth
+        const serviceKey = await this.serviceKeyStore.getServiceKey(destination);
+        if (!serviceKey) {
+            // No service key and no valid token - throw error with helpful message
+            const searchPaths = this.getSearchPathsForError();
+            const searchedPaths = searchPaths.map(p => `  - ${p}`).join('\n');
+            throw new Error(`No authentication found for destination "${destination}". ` +
+                `Neither ${destination}.env file nor ${destination}.json service key found.\n` +
+                `Please create one of:\n` +
+                `  - ${destination}.env (with SAP_JWT_TOKEN)\n` +
+                `  - ${destination}.json (service key)\n` +
+                `Searched in:\n${searchedPaths}`);
+        }
+        // Try to refresh (will use browser auth if no refresh token)
+        const newToken = await this.refreshTokenInternal(destination, serviceKey, envConfig);
+        (0, cache_1.setCachedToken)(destination, newToken);
+        return newToken;
     }
     /**
      * Force refresh token for destination using service key.
@@ -89,139 +108,81 @@ class AuthBroker {
      * @returns Promise that resolves to new JWT token string
      */
     async refreshToken(destination) {
-        // Use refreshToken function with logger and browser
-        return (0, refreshToken_1.refreshToken)(destination, this.searchPaths, this.logger);
-    }
-    /**
-     * Get SAP URL for destination.
-     * Tries to load from .env file first, then from service key.
-     * @param destination Destination name (e.g., "TRIAL")
-     * @returns Promise that resolves to SAP URL string, or undefined if not found
-     */
-    async getSapUrl(destination) {
-        // Try to load from .env file first
-        const envConfig = await (0, envLoader_1.loadEnvFile)(destination, this.searchPaths);
-        if (envConfig?.sapUrl) {
-            return envConfig.sapUrl;
-        }
-        // Try service key
-        const serviceKey = await (0, serviceKeyLoader_1.loadServiceKey)(destination, this.searchPaths);
-        if (serviceKey) {
-            return serviceKey.url || serviceKey.abap?.url || serviceKey.sap_url;
+        // Load service key
+        const serviceKey = await this.serviceKeyStore.getServiceKey(destination);
+        if (!serviceKey) {
+            const searchPaths = this.getSearchPathsForError();
+            const searchedPaths = searchPaths.map(p => `  - ${p}`).join('\n');
+            throw new Error(`Service key file not found for destination "${destination}".\n` +
+                `Please create file: ${destination}.json\n` +
+                `Searched in:\n${searchedPaths}`);
         }
-        return undefined;
+        // Load existing session (for refresh token)
+        const envConfig = await this.sessionStore.loadSession(destination);
+        return this.refreshTokenInternal(destination, serviceKey, envConfig);
     }
     /**
-     * Save token to {destination}.env file
-     * Creates .env file similar to sap-abap-auth utility format
+     * Internal refresh token implementation
      * @private
      */
-    async saveTokenToEnv(destination, savePath, config) {
-        // Ensure directory exists
-        if (!fs.existsSync(savePath)) {
-            fs.mkdirSync(savePath, { recursive: true });
+    async refreshTokenInternal(destination, serviceKey, envConfig) {
+        // Extract UAA configuration
+        const { url: uaaUrl, clientid: clientId, clientsecret: clientSecret } = serviceKey.uaa;
+        if (!uaaUrl || !clientId || !clientSecret) {
+            throw new Error(`Invalid service key for destination "${destination}". ` +
+                `Missing required UAA fields: url, clientid, clientsecret`);
         }
-        const envFilePath = path.join(savePath, `${destination}.env`);
-        const tempFilePath = `${envFilePath}.tmp`;
-        // Write to temporary file first (atomic write)
-        // Format similar to sap-abap-auth utility - always create fresh file
-        const envLines = [];
-        // Add token expiry information if we can decode JWT
-        const jwtExpiry = this.getTokenExpiry(config.jwtToken);
-        const refreshExpiry = config.refreshToken ? this.getTokenExpiry(config.refreshToken) : null;
-        if (jwtExpiry || refreshExpiry) {
-            envLines.push('# Token Expiry Information (auto-generated)');
-            if (jwtExpiry) {
-                envLines.push(`# JWT Token expires: ${jwtExpiry.readableDate} (UTC)`);
-                envLines.push(`# JWT Token expires at: ${jwtExpiry.dateString}`);
-            }
-            else {
-                envLines.push('# JWT Token expiry: Unable to determine (token may not be a standard JWT)');
-            }
-            if (refreshExpiry) {
-                envLines.push(`# Refresh Token expires: ${refreshExpiry.readableDate} (UTC)`);
-                envLines.push(`# Refresh Token expires at: ${refreshExpiry.dateString}`);
-            }
-            else if (config.refreshToken) {
-                envLines.push('# Refresh Token expiry: Unable to determine (token may not be a standard JWT)');
-            }
-            envLines.push('');
-        }
-        // Write JWT auth parameters (similar to sap-abap-auth format)
-        // Required fields
-        envLines.push(`SAP_URL=${config.sapUrl}`);
-        if (config.sapClient) {
-            envLines.push(`SAP_CLIENT=${config.sapClient}`);
-        }
-        if (config.language) {
-            envLines.push(`SAP_LANGUAGE=${config.language}`);
+        // Validate SAP URL early (before starting browser auth or refresh)
+        const sapUrl = serviceKey.url || serviceKey.abap?.url || serviceKey.sap_url;
+        if (!sapUrl) {
+            throw new Error(`Service key for destination "${destination}" does not contain SAP URL. ` +
+                `Expected field: url, abap.url, or sap_url`);
         }
-        envLines.push('TLS_REJECT_UNAUTHORIZED=0');
-        envLines.push('SAP_AUTH_TYPE=jwt');
-        envLines.push(`SAP_JWT_TOKEN=${config.jwtToken}`);
-        if (config.refreshToken) {
-            envLines.push(`SAP_REFRESH_TOKEN=${config.refreshToken}`);
+        // Try to load existing refresh token from session store
+        let refreshTokenValue = envConfig?.refreshToken;
+        let result;
+        // If no refresh token, start browser authentication flow
+        if (!refreshTokenValue) {
+            this.logger.debug(`No refresh token found for destination "${destination}". Starting browser authentication...`);
+            result = await (0, browserAuth_1.startBrowserAuth)(serviceKey, this.browser || 'system', this.logger);
         }
-        if (config.uaaUrl) {
-            envLines.push(`SAP_UAA_URL=${config.uaaUrl}`);
+        else {
+            // Refresh token using refresh token
+            result = await (0, tokenRefresher_1.refreshJwtToken)(refreshTokenValue, uaaUrl, clientId, clientSecret);
         }
-        if (config.uaaClientId) {
-            envLines.push(`SAP_UAA_CLIENT_ID=${config.uaaClientId}`);
-        }
-        if (config.uaaClientSecret) {
-            envLines.push(`SAP_UAA_CLIENT_SECRET=${config.uaaClientSecret}`);
-        }
-        envLines.push('');
-        envLines.push('# For JWT authentication');
-        envLines.push('# SAP_USERNAME=your_username');
-        envLines.push('# SAP_PASSWORD=your_password');
-        const envContent = envLines.join('\n') + '\n';
-        // Write to temp file
-        fs.writeFileSync(tempFilePath, envContent, 'utf8');
-        // Atomic rename
-        fs.renameSync(tempFilePath, envFilePath);
+        // Save new token to session store
+        await this.sessionStore.saveSession(destination, {
+            sapUrl,
+            jwtToken: result.accessToken,
+            refreshToken: result.refreshToken || refreshTokenValue,
+            uaaUrl,
+            uaaClientId: clientId,
+            uaaClientSecret: clientSecret,
+            sapClient: envConfig?.sapClient,
+            language: envConfig?.language,
+        });
+        // Update cache with new token
+        (0, cache_1.setCachedToken)(destination, result.accessToken);
+        return result.accessToken;
     }
     /**
-     * Get token expiry information from JWT token
-     * @private
+     * Get SAP URL for destination.
+     * Tries to load from session store first, then from service key store.
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns Promise that resolves to SAP URL string, or undefined if not found
      */
-    getTokenExpiry(token) {
-        try {
-            // JWT tokens have format: header.payload.signature
-            const parts = token.split('.');
-            if (parts.length !== 3) {
-                return null;
-            }
-            // Decode payload (base64url)
-            const payload = parts[1];
-            // Add padding if needed
-            const padded = payload + '='.repeat((4 - payload.length % 4) % 4);
-            const decoded = Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
-            const parsed = JSON.parse(decoded);
-            // Check for exp claim
-            if (parsed.exp) {
-                const expiryDate = new Date(parsed.exp * 1000);
-                const readableDate = expiryDate.toLocaleString('en-US', {
-                    weekday: 'long',
-                    year: 'numeric',
-                    month: 'long',
-                    day: 'numeric',
-                    hour: '2-digit',
-                    minute: '2-digit',
-                    second: '2-digit',
-                    timeZone: 'UTC',
-                    timeZoneName: 'short',
-                });
-                return {
-                    dateString: expiryDate.toISOString(),
-                    readableDate: readableDate,
-                };
-            }
-            return null;
+    async getSapUrl(destination) {
+        // Try to load from session store first
+        const envConfig = await this.sessionStore.loadSession(destination);
+        if (envConfig?.sapUrl) {
+            return envConfig.sapUrl;
         }
-        catch {
-            return null;
+        // Try service key store
+        const serviceKey = await this.serviceKeyStore.getServiceKey(destination);
+        if (serviceKey) {
+            return serviceKey.url || serviceKey.abap?.url || serviceKey.sap_url;
         }
+        return undefined;
     }
     /**
      * Clear cached token for specific destination
@@ -236,5 +197,20 @@ class AuthBroker {
     clearAllCache() {
         (0, cache_1.clearAllCache)();
     }
+    /**
+     * Get search paths for error messages (from file stores if available)
+     * @private
+     */
+    getSearchPathsForError() {
+        // Try to get search paths from file stores
+        if (this.serviceKeyStore instanceof stores_1.FileServiceKeyStore) {
+            return this.serviceKeyStore.getSearchPaths();
+        }
+        if (this.sessionStore instanceof stores_1.FileSessionStore) {
+            return this.sessionStore.getSearchPaths();
+        }
+        // Fallback to stored searchPaths (for backward compatibility)
+        return this.searchPaths;
+    }
 }
 exports.AuthBroker = AuthBroker;

package/dist/index.d.ts

@@ -5,4 +5,6 @@
 export { AuthBroker } from './AuthBroker';
 export type { EnvConfig, ServiceKey } from './types';
 export { resolveSearchPaths, findFileInPaths } from './pathResolver';
+export { ServiceKeyStore, SessionStore } from './stores/interfaces';
+export { FileServiceKeyStore, FileSessionStore } from './stores';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGrE,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -4,9 +4,12 @@
  * JWT authentication broker for MCP ABAP ADT server
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.findFileInPaths = exports.resolveSearchPaths = exports.AuthBroker = void 0;
+exports.FileSessionStore = exports.FileServiceKeyStore = exports.findFileInPaths = exports.resolveSearchPaths = exports.AuthBroker = void 0;
 var AuthBroker_1 = require("./AuthBroker");
 Object.defineProperty(exports, "AuthBroker", { enumerable: true, get: function () { return AuthBroker_1.AuthBroker; } });
 var pathResolver_1 = require("./pathResolver");
 Object.defineProperty(exports, "resolveSearchPaths", { enumerable: true, get: function () { return pathResolver_1.resolveSearchPaths; } });
 Object.defineProperty(exports, "findFileInPaths", { enumerable: true, get: function () { return pathResolver_1.findFileInPaths; } });
+var stores_1 = require("./stores");
+Object.defineProperty(exports, "FileServiceKeyStore", { enumerable: true, get: function () { return stores_1.FileServiceKeyStore; } });
+Object.defineProperty(exports, "FileSessionStore", { enumerable: true, get: function () { return stores_1.FileSessionStore; } });

package/dist/stores/FileServiceKeyStore.d.ts

@@ -0,0 +1,38 @@
+/**
+ * File-based implementation of ServiceKeyStore
+ *
+ * Reads service keys from {destination}.json files in search paths.
+ */
+import { ServiceKeyStore } from './interfaces';
+import { ServiceKey } from '../types';
+/**
+ * File-based service key store implementation
+ *
+ * Searches for {destination}.json files in configured search paths.
+ * Search paths priority:
+ * 1. Constructor parameter (highest)
+ * 2. AUTH_BROKER_PATH environment variable
+ * 3. Current working directory (lowest)
+ */
+export declare class FileServiceKeyStore implements ServiceKeyStore {
+    private searchPaths;
+    /**
+     * Create a new FileServiceKeyStore instance
+     * @param searchPaths Optional search paths for .json files.
+     *                    Can be a single path (string) or array of paths.
+     *                    If not provided, uses AUTH_BROKER_PATH env var or current working directory.
+     */
+    constructor(searchPaths?: string | string[]);
+    /**
+     * Get service key for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns ServiceKey object or null if not found
+     */
+    getServiceKey(destination: string): Promise<ServiceKey | null>;
+    /**
+     * Get search paths (for error messages)
+     * @returns Array of search paths
+     */
+    getSearchPaths(): string[];
+}
+//# sourceMappingURL=FileServiceKeyStore.d.ts.map

package/dist/stores/FileServiceKeyStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileServiceKeyStore.d.ts","sourceRoot":"","sources":["../../src/stores/FileServiceKeyStore.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAItC;;;;;;;;GAQG;AACH,qBAAa,mBAAoB,YAAW,eAAe;IACzD,OAAO,CAAC,WAAW,CAAW;IAE9B;;;;;OAKG;gBACS,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;IAI3C;;;;OAIG;IACG,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAIpE;;;OAGG;IACH,cAAc,IAAI,MAAM,EAAE;CAG3B"}

package/dist/stores/FileServiceKeyStore.js

@@ -0,0 +1,47 @@
+"use strict";
+/**
+ * File-based implementation of ServiceKeyStore
+ *
+ * Reads service keys from {destination}.json files in search paths.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileServiceKeyStore = void 0;
+const serviceKeyLoader_1 = require("../serviceKeyLoader");
+const pathResolver_1 = require("../pathResolver");
+/**
+ * File-based service key store implementation
+ *
+ * Searches for {destination}.json files in configured search paths.
+ * Search paths priority:
+ * 1. Constructor parameter (highest)
+ * 2. AUTH_BROKER_PATH environment variable
+ * 3. Current working directory (lowest)
+ */
+class FileServiceKeyStore {
+    searchPaths;
+    /**
+     * Create a new FileServiceKeyStore instance
+     * @param searchPaths Optional search paths for .json files.
+     *                    Can be a single path (string) or array of paths.
+     *                    If not provided, uses AUTH_BROKER_PATH env var or current working directory.
+     */
+    constructor(searchPaths) {
+        this.searchPaths = (0, pathResolver_1.resolveSearchPaths)(searchPaths);
+    }
+    /**
+     * Get service key for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns ServiceKey object or null if not found
+     */
+    async getServiceKey(destination) {
+        return (0, serviceKeyLoader_1.loadServiceKey)(destination, this.searchPaths);
+    }
+    /**
+     * Get search paths (for error messages)
+     * @returns Array of search paths
+     */
+    getSearchPaths() {
+        return [...this.searchPaths];
+    }
+}
+exports.FileServiceKeyStore = FileServiceKeyStore;

package/dist/stores/FileSessionStore.d.ts

@@ -0,0 +1,50 @@
+/**
+ * File-based implementation of SessionStore
+ *
+ * Reads/writes session data from/to {destination}.env files in search paths.
+ */
+import { SessionStore } from './interfaces';
+import { EnvConfig } from '../types';
+/**
+ * File-based session store implementation
+ *
+ * Searches for {destination}.env files in configured search paths.
+ * Writes to first search path (highest priority).
+ * Search paths priority:
+ * 1. Constructor parameter (highest)
+ * 2. AUTH_BROKER_PATH environment variable
+ * 3. Current working directory (lowest)
+ */
+export declare class FileSessionStore implements SessionStore {
+    private searchPaths;
+    /**
+     * Create a new FileSessionStore instance
+     * @param searchPaths Optional search paths for .env files.
+     *                    Can be a single path (string) or array of paths.
+     *                    If not provided, uses AUTH_BROKER_PATH env var or current working directory.
+     */
+    constructor(searchPaths?: string | string[]);
+    /**
+     * Load session configuration for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns EnvConfig object or null if not found
+     */
+    loadSession(destination: string): Promise<EnvConfig | null>;
+    /**
+     * Save session configuration for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @param config Session configuration to save
+     */
+    saveSession(destination: string, config: EnvConfig): Promise<void>;
+    /**
+     * Delete session for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     */
+    deleteSession(destination: string): Promise<void>;
+    /**
+     * Get search paths (for error messages)
+     * @returns Array of search paths
+     */
+    getSearchPaths(): string[];
+}
+//# sourceMappingURL=FileSessionStore.d.ts.map

package/dist/stores/FileSessionStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileSessionStore.d.ts","sourceRoot":"","sources":["../../src/stores/FileSessionStore.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAKrC;;;;;;;;;GASG;AACH,qBAAa,gBAAiB,YAAW,YAAY;IACnD,OAAO,CAAC,WAAW,CAAW;IAE9B;;;;;OAKG;gBACS,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;IAI3C;;;;OAIG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAIjE;;;;OAIG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBxE;;;OAGG;IACG,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYvD;;;OAGG;IACH,cAAc,IAAI,MAAM,EAAE;CAG3B"}

package/dist/stores/FileSessionStore.js

@@ -0,0 +1,116 @@
+"use strict";
+/**
+ * File-based implementation of SessionStore
+ *
+ * Reads/writes session data from/to {destination}.env files in search paths.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileSessionStore = void 0;
+const envLoader_1 = require("../envLoader");
+const tokenStorage_1 = require("../tokenStorage");
+const pathResolver_1 = require("../pathResolver");
+/**
+ * File-based session store implementation
+ *
+ * Searches for {destination}.env files in configured search paths.
+ * Writes to first search path (highest priority).
+ * Search paths priority:
+ * 1. Constructor parameter (highest)
+ * 2. AUTH_BROKER_PATH environment variable
+ * 3. Current working directory (lowest)
+ */
+class FileSessionStore {
+    searchPaths;
+    /**
+     * Create a new FileSessionStore instance
+     * @param searchPaths Optional search paths for .env files.
+     *                    Can be a single path (string) or array of paths.
+     *                    If not provided, uses AUTH_BROKER_PATH env var or current working directory.
+     */
+    constructor(searchPaths) {
+        this.searchPaths = (0, pathResolver_1.resolveSearchPaths)(searchPaths);
+    }
+    /**
+     * Load session configuration for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns EnvConfig object or null if not found
+     */
+    async loadSession(destination) {
+        return (0, envLoader_1.loadEnvFile)(destination, this.searchPaths);
+    }
+    /**
+     * Save session configuration for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @param config Session configuration to save
+     */
+    async saveSession(destination, config) {
+        // Save to first search path (highest priority)
+        const savePath = this.searchPaths[0];
+        // Convert EnvConfig to format expected by saveTokenToEnv
+        await (0, tokenStorage_1.saveTokenToEnv)(destination, savePath, {
+            sapUrl: config.sapUrl,
+            jwtToken: config.jwtToken,
+            refreshToken: config.refreshToken,
+            uaaUrl: config.uaaUrl,
+            uaaClientId: config.uaaClientId,
+            uaaClientSecret: config.uaaClientSecret,
+            sapClient: config.sapClient,
+            language: config.language,
+        });
+    }
+    /**
+     * Delete session for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     */
+    async deleteSession(destination) {
+        // Find .env file in search paths
+        const fileName = `${destination}.env`;
+        const { findFileInPaths } = await Promise.resolve().then(() => __importStar(require('../pathResolver')));
+        const fs = await Promise.resolve().then(() => __importStar(require('fs')));
+        const envFilePath = findFileInPaths(fileName, this.searchPaths);
+        if (envFilePath && fs.existsSync(envFilePath)) {
+            fs.unlinkSync(envFilePath);
+        }
+    }
+    /**
+     * Get search paths (for error messages)
+     * @returns Array of search paths
+     */
+    getSearchPaths() {
+        return [...this.searchPaths];
+    }
+}
+exports.FileSessionStore = FileSessionStore;

package/dist/stores/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Storage implementations for AuthBroker
+ */
+export { ServiceKeyStore, SessionStore } from './interfaces';
+export { FileServiceKeyStore } from './FileServiceKeyStore';
+export { FileSessionStore } from './FileSessionStore';
+//# sourceMappingURL=index.d.ts.map

package/dist/stores/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/stores/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/stores/index.js

@@ -0,0 +1,10 @@
+"use strict";
+/**
+ * Storage implementations for AuthBroker
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileSessionStore = exports.FileServiceKeyStore = void 0;
+var FileServiceKeyStore_1 = require("./FileServiceKeyStore");
+Object.defineProperty(exports, "FileServiceKeyStore", { enumerable: true, get: function () { return FileServiceKeyStore_1.FileServiceKeyStore; } });
+var FileSessionStore_1 = require("./FileSessionStore");
+Object.defineProperty(exports, "FileSessionStore", { enumerable: true, get: function () { return FileSessionStore_1.FileSessionStore; } });

package/dist/stores/interfaces.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Storage interfaces for AuthBroker
+ *
+ * These interfaces allow consumers to provide custom storage implementations
+ * for service keys and session data (tokens, configuration).
+ */
+import { ServiceKey, EnvConfig } from '../types';
+/**
+ * Interface for storing and retrieving service keys
+ *
+ * Service keys contain UAA credentials and SAP URL for a destination.
+ * Default implementation: FileServiceKeyStore (reads from {destination}.json files)
+ */
+export interface ServiceKeyStore {
+    /**
+     * Get service key for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns ServiceKey object or null if not found
+     */
+    getServiceKey(destination: string): Promise<ServiceKey | null>;
+}
+/**
+ * Interface for storing and retrieving session data (tokens, configuration)
+ *
+ * Session data contains JWT tokens, refresh tokens, UAA config, and SAP URL.
+ * Default implementation: FileSessionStore (reads/writes {destination}.env files)
+ */
+export interface SessionStore {
+    /**
+     * Load session configuration for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @returns EnvConfig object or null if not found
+     */
+    loadSession(destination: string): Promise<EnvConfig | null>;
+    /**
+     * Save session configuration for destination
+     * @param destination Destination name (e.g., "TRIAL")
+     * @param config Session configuration to save
+     */
+    saveSession(destination: string, config: EnvConfig): Promise<void>;
+    /**
+     * Delete session for destination (optional)
+     * @param destination Destination name (e.g., "TRIAL")
+     */
+    deleteSession?(destination: string): Promise<void>;
+}
+//# sourceMappingURL=interfaces.d.ts.map

package/dist/stores/interfaces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../src/stores/interfaces.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAEjD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B;;;;OAIG;IACH,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;CAChE;AAED;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;OAIG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAE5D;;;;OAIG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnE;;;OAGG;IACH,aAAa,CAAC,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpD"}

package/dist/stores/interfaces.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Storage interfaces for AuthBroker
+ *
+ * These interfaces allow consumers to provide custom storage implementations
+ * for service keys and session data (tokens, configuration).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-broker",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "JWT authentication broker for MCP ABAP ADT - manages tokens based on destination headers",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",