@mcp-abap-adt/auth-broker 0.1.6 → 0.1.8

package/CHANGELOG.md

@@ -9,7 +9,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the complete list.
 
-## [0.1.6] - 2025-01-XX
+## [Unreleased]
+
+## [0.1.8] - 2024-12-04
+
+### Added
+- **Interfaces Package Integration**: Migrated to use `@mcp-abap-adt/interfaces` package for all interface definitions
+  - All interfaces now imported from shared package
+  - Backward compatibility maintained with type aliases
+  - Dependency on `@mcp-abap-adt/interfaces@^0.1.0` added
+  - Updated `@mcp-abap-adt/connection` dependency to `^0.1.14`
+
+### Changed
+- **Interface Renaming**: Interfaces renamed to follow `I` prefix convention:
+  - `TokenProviderResult` → `ITokenProviderResult` (type alias for backward compatibility)
+  - `TokenProviderOptions` → `ITokenProviderOptions` (type alias for backward compatibility)
+  - Old names still work via type aliases for backward compatibility
+- **AuthType Export**: `AuthType` now exported from `@mcp-abap-adt/interfaces` instead of local definition
+
+## [0.1.7] - 2025-12-04
+
+### Changed
+- **getToken() Fallback Chain** - Improved authentication reliability with multi-step fallback chain
+  - **Step 1**: Check if session exists and token is valid (returns immediately if valid)
+  - **Step 2**: Verify service key exists (throws error if missing)
+  - **Step 3**: Try refresh token authentication (via tokenProvider) if refresh token is available
+  - **Step 4**: Try UAA client_credentials authentication (via tokenProvider) if refresh token missing or failed
+  - **Step 5**: Try browser authentication (via tokenProvider) if UAA failed or parameters missing
+  - **Step 6**: Throw comprehensive error if all methods failed
+  - All authentication attempts use `ITokenProvider` interface (no direct implementation imports)
+  - Token validation is performed only when checking existing session (step 1)
+  - Tokens obtained through refresh/UAA/browser authentication are not validated before being saved
+  - Improved error messages with details about which authentication methods failed
+
+## [0.1.6] - 2025-12-04
 
 ### Changed
 - **Package Split** - Extracted store and provider implementations into separate packages

package/README.md

@@ -157,6 +157,108 @@ This package supports two types of BTP authentication:
 - **ABAP URL**: Required, from service key or YAML configuration
 - **Use Case**: Accessing ABAP systems in BTP with full permissions
 
+## Responsibilities and Design Principles
+
+### Core Development Principle
+
+**Interface-Only Communication**: This package follows a fundamental development principle: **all interactions with external dependencies happen ONLY through interfaces**. The code knows **NOTHING beyond what is defined in the interfaces**.
+
+This means:
+- Does not know about concrete implementation classes (e.g., `AbapSessionStore`, `BtpTokenProvider`)
+- Does not know about internal data structures or methods not defined in interfaces
+- Does not make assumptions about implementation behavior beyond interface contracts
+- Does not access properties or methods not explicitly defined in interfaces
+
+This principle ensures:
+- **Loose coupling**: `AuthBroker` is decoupled from concrete implementations
+- **Flexibility**: New implementations can be added without modifying `AuthBroker`
+- **Testability**: Easy to mock dependencies for testing
+- **Maintainability**: Changes to implementations don't affect `AuthBroker`
+
+### Package Responsibilities
+
+The `@mcp-abap-adt/auth-broker` package defines **interfaces** and provides **orchestration logic** for authentication. It does **not** implement concrete storage or token acquisition mechanisms - these are provided by separate packages (`@mcp-abap-adt/auth-stores`, `@mcp-abap-adt/auth-providers`).
+
+#### What AuthBroker Does
+
+- **Orchestrates authentication flows**: Coordinates token retrieval, validation, and refresh using provided stores and providers
+- **Manages token lifecycle**: Handles token caching, validation, and automatic refresh
+- **Works with interfaces only**: Uses `IServiceKeyStore`, `ISessionStore`, and `ITokenProvider` interfaces without knowing concrete implementations
+- **Delegates to providers**: Calls `tokenProvider.getConnectionConfig()` to obtain tokens and connection configuration
+- **Delegates to stores**: Uses `sessionStore.setConnectionConfig()` to save tokens and connection configuration
+
+#### What AuthBroker Does NOT Do
+
+- **Does NOT know about `serviceUrl`**: `AuthBroker` does not know whether a specific `ISessionStore` implementation requires `serviceUrl` or not. It simply passes the `IConnectionConfig` returned by `tokenProvider` to `sessionStore.setConnectionConfig()`
+- **Does NOT merge configurations**: `AuthBroker` does not merge `serviceUrl` from service keys with connection config from token providers. This is the responsibility of the consumer or the session store implementation
+- **Does NOT implement storage**: File I/O, parsing, and storage logic are handled by concrete store implementations from `@mcp-abap-adt/auth-stores`
+- **Does NOT implement token acquisition**: OAuth2 flows, refresh token logic, and client credentials are handled by concrete provider implementations from `@mcp-abap-adt/auth-providers`
+
+### Consumer Responsibilities
+
+The **consumer** (application using `AuthBroker`) is responsible for:
+
+1. **Selecting appropriate implementations**: Choose the correct `IServiceKeyStore`, `ISessionStore`, and `ITokenProvider` implementations based on the use case:
+   - **ABAP systems**: Use `AbapServiceKeyStore`, `AbapSessionStore` (or `SafeAbapSessionStore`), and `BtpTokenProvider`
+   - **BTP systems**: Use `AbapServiceKeyStore`, `BtpSessionStore` (or `SafeBtpSessionStore`), and `BtpTokenProvider`
+   - **XSUAA services**: Use `XsuaaServiceKeyStore`, `XsuaaSessionStore` (or `SafeXsuaaSessionStore`), and `XsuaaTokenProvider`
+
+2. **Ensuring complete configuration**: If a session store requires `serviceUrl` (e.g., `AbapSessionStore` requires `sapUrl`), the consumer must ensure that:
+   - The session is created with `serviceUrl` before calling `AuthBroker.getToken()`, OR
+   - The session store implementation handles `serviceUrl` retrieval internally (e.g., from `serviceKeyStore`)
+
+3. **Understanding store requirements**: Different session store implementations have different requirements:
+   - `AbapSessionStore`: Requires `sapUrl` (maps to `serviceUrl` in `IConnectionConfig`)
+   - `BtpSessionStore`: Does not require `serviceUrl` (uses `mcpUrl` instead)
+   - `XsuaaSessionStore`: Does not require `serviceUrl` (MCP URL is optional)
+
+### Store Responsibilities
+
+Concrete `ISessionStore` implementations are responsible for:
+
+- **Handling their own data format**: Each store knows its internal data format (e.g., `AbapSessionData`, `BtpBaseSessionData`)
+- **Converting between formats**: Converting between `IConfig`/`IConnectionConfig` and internal storage format
+- **Managing required fields**: If a store requires `serviceUrl` (e.g., `AbapSessionStore`), it should:
+  - Retrieve it from `serviceKeyStore` if not provided in `IConnectionConfig`, OR
+  - Use existing value from current session if available, OR
+  - Throw an error if neither is available (depending on implementation)
+
+### Provider Responsibilities
+
+Concrete `ITokenProvider` implementations are responsible for:
+
+- **Obtaining tokens**: Using OAuth2 flows, refresh tokens, or client credentials to obtain JWT tokens
+- **Returning connection config**: Returning `IConnectionConfig` with `authorizationToken` and optionally `serviceUrl` (if known)
+- **Not returning `serviceUrl` if unknown**: Providers like `BtpTokenProvider` may not return `serviceUrl` because they only handle token acquisition, not connection configuration
+
+### Design Principles
+
+1. **Interface-Only Communication** (Core Principle): All interactions with external dependencies happen **ONLY through interfaces**. The code knows **NOTHING beyond what is defined in the interfaces** (see [Core Development Principle](#core-development-principle) above)
+2. **Dependency Inversion Principle (DIP)**: `AuthBroker` depends on abstractions (`IServiceKeyStore`, `ISessionStore`, `ITokenProvider`), not concrete implementations
+3. **Single Responsibility**: Each component has a single, well-defined responsibility:
+   - `AuthBroker`: Orchestration and token lifecycle management
+   - `ISessionStore`: Session data storage and retrieval
+   - `ITokenProvider`: Token acquisition
+   - `IServiceKeyStore`: Service key storage and retrieval
+4. **Interface Segregation**: Interfaces are focused and minimal, containing only what's necessary for their specific purpose
+5. **Open/Closed Principle**: New store and provider implementations can be added without modifying `AuthBroker`
+
+### Example: Why AuthBroker Doesn't Handle `serviceUrl`
+
+Consider this scenario:
+- `BtpTokenProvider.getConnectionConfig()` returns `IConnectionConfig` with `authorizationToken` but **without** `serviceUrl` (because it only handles token acquisition)
+- `AbapSessionStore.setConnectionConfig()` requires `sapUrl` (which maps to `serviceUrl`)
+
+If `AuthBroker` tried to merge `serviceUrl` from `serviceKeyStore`, it would:
+1. Violate the DIP by knowing about specific store requirements
+2. Break the abstraction - `AuthBroker` shouldn't know that `AbapSessionStore` needs `serviceUrl`
+3. Create coupling between `AuthBroker` and concrete implementations
+
+Instead, the consumer or `AbapSessionStore` itself should handle this:
+- **Option 1**: Consumer retrieves `serviceUrl` from `serviceKeyStore` and ensures it's in the session before calling `AuthBroker.getToken()`
+- **Option 2**: `AbapSessionStore.setConnectionConfig()` retrieves `serviceUrl` from `serviceKeyStore` internally if not provided
+- **Option 3**: `AbapSessionStore.setConnectionConfig()` uses existing `sapUrl` from current session if available
+
 ## API
 
 ### `AuthBroker`
@@ -191,7 +293,15 @@ new AuthBroker(
 
 ##### `getToken(destination: string): Promise<string>`
 
-Gets authentication token for destination. Tries to load from `.env` file, validates it, and refreshes if needed.
+Gets authentication token for destination. Tries to load from session store, validates it, and refreshes if needed using a fallback chain:
+
+1. **Check session**: Load token from session store and validate it
+2. **Try refresh token**: If refresh token is available, attempt to refresh using it (via tokenProvider)
+3. **Try UAA (client_credentials)**: Attempt to get token using UAA credentials (via tokenProvider)
+4. **Try browser authentication**: Attempt browser-based OAuth2 flow using service key (via tokenProvider)
+5. **Throw error**: If all authentication methods failed
+
+**Note**: Token validation is performed only when checking existing session. Tokens obtained through refresh/UAA/browser authentication are not validated before being saved.
 
 ##### `refreshToken(destination: string): Promise<string>`
 

package/dist/AuthBroker.d.ts

@@ -31,10 +31,36 @@ export declare class AuthBroker {
     }, browser?: string, logger?: Logger);
     /**
      * Get authentication token for destination.
-     * Tries to load from session store, validates it, and refreshes if needed.
+     * Tries to load from session store, validates it, and refreshes if needed using a fallback chain.
+     *
+     * **Fallback Chain:**
+     * 1. **Check session**: Load token from session store and validate it
+     *    - If token is valid, return it immediately
+     *    - If token is invalid or missing, continue to next step
+     *
+     * 2. **Check service key**: Verify that service key exists
+     *    - If no service key found, throw error
+     *
+     * 3. **Try refresh token**: If refresh token is available in session, attempt to refresh using it (via tokenProvider)
+     *    - If successful, save new token to session and return it
+     *    - If failed, continue to next step
+     *
+     * 4. **Try UAA (client_credentials)**: Attempt to get token using UAA credentials (via tokenProvider)
+     *    - If UAA parameters are available and authentication succeeds, save token to session and return it
+     *    - If failed or parameters missing, continue to next step
+     *
+     * 5. **Try browser authentication**: Attempt browser-based OAuth2 flow using service key (via tokenProvider)
+     *    - If successful, save token and refresh token to session and return it
+     *    - If failed, continue to next step
+     *
+     * 6. **Throw error**: If all authentication methods failed, throw comprehensive error with details
+     *
+     * **Note**: Token validation is performed only when checking existing session (step 1).
+     * Tokens obtained through refresh/UAA/browser authentication are not validated before being saved.
+     *
      * @param destination Destination name (e.g., "TRIAL")
      * @returns Promise that resolves to JWT token string
-     * @throws Error if neither session data nor service key found
+     * @throws Error if neither session data nor service key found, or if all authentication methods failed
      */
     getToken(destination: string): Promise<string>;
     /**

package/dist/AuthBroker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAiB,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC/G,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,eAAe,CAAmB;IAC1C,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IAEtC;;;;;;;;;;OAUG;gBAED,MAAM,EAAE;QAAE,eAAe,EAAE,gBAAgB,CAAC;QAAC,YAAY,EAAE,aAAa,CAAC;QAAC,aAAa,EAAE,cAAc,CAAA;KAAE,EACzG,OAAO,CAAC,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM;IASjB;;;;;;OAMG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwDpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuCxD;;;;OAIG;IACG,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAWvF;;;;OAIG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;CAWlF"}
+{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAiB,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC/G,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,eAAe,CAAmB;IAC1C,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IAEtC;;;;;;;;;;OAUG;gBAED,MAAM,EAAE;QAAE,eAAe,EAAE,gBAAgB,CAAC;QAAC,YAAY,EAAE,aAAa,CAAC;QAAC,aAAa,EAAE,cAAc,CAAA;KAAE,EACzG,OAAO,CAAC,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM;IASjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmIpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuCxD;;;;OAIG;IACG,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAWvF;;;;OAIG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;CAWlF"}

package/dist/AuthBroker.js

@@ -34,13 +34,39 @@ class AuthBroker {
     }
     /**
      * Get authentication token for destination.
-     * Tries to load from session store, validates it, and refreshes if needed.
+     * Tries to load from session store, validates it, and refreshes if needed using a fallback chain.
+     *
+     * **Fallback Chain:**
+     * 1. **Check session**: Load token from session store and validate it
+     *    - If token is valid, return it immediately
+     *    - If token is invalid or missing, continue to next step
+     *
+     * 2. **Check service key**: Verify that service key exists
+     *    - If no service key found, throw error
+     *
+     * 3. **Try refresh token**: If refresh token is available in session, attempt to refresh using it (via tokenProvider)
+     *    - If successful, save new token to session and return it
+     *    - If failed, continue to next step
+     *
+     * 4. **Try UAA (client_credentials)**: Attempt to get token using UAA credentials (via tokenProvider)
+     *    - If UAA parameters are available and authentication succeeds, save token to session and return it
+     *    - If failed or parameters missing, continue to next step
+     *
+     * 5. **Try browser authentication**: Attempt browser-based OAuth2 flow using service key (via tokenProvider)
+     *    - If successful, save token and refresh token to session and return it
+     *    - If failed, continue to next step
+     *
+     * 6. **Throw error**: If all authentication methods failed, throw comprehensive error with details
+     *
+     * **Note**: Token validation is performed only when checking existing session (step 1).
+     * Tokens obtained through refresh/UAA/browser authentication are not validated before being saved.
+     *
      * @param destination Destination name (e.g., "TRIAL")
      * @returns Promise that resolves to JWT token string
-     * @throws Error if neither session data nor service key found
+     * @throws Error if neither session data nor service key found, or if all authentication methods failed
      */
     async getToken(destination) {
-        // Load connection config from session store
+        // Step 1: Check if session exists and token is valid
         const connConfig = await this.sessionStore.getConnectionConfig(destination);
         if (connConfig?.authorizationToken) {
             // Validate token if provider supports validation and we have service URL
@@ -55,7 +81,7 @@ class AuthBroker {
                 return connConfig.authorizationToken;
             }
         }
-        // Token not found or expired, check if we have service key
+        // Step 2: No valid session, check if we have service key
         const serviceKey = await this.serviceKeyStore.getServiceKey(destination);
         if (!serviceKey) {
             // No service key and no valid token
@@ -67,24 +93,92 @@ class AuthBroker {
         if (!authConfig) {
             throw new Error(`Service key for destination "${destination}" does not contain UAA credentials`);
         }
-        // Get refresh token from session
+        // Get refresh token from session (if exists)
         const sessionAuthConfig = await this.sessionStore.getAuthorizationConfig(destination);
-        const authConfigWithRefresh = { ...authConfig, refreshToken: sessionAuthConfig?.refreshToken || authConfig.refreshToken };
-        // Get connection config with token from provider
-        const tokenResult = await this.tokenProvider.getConnectionConfig(authConfigWithRefresh, {
-            browser: this.browser,
-            logger: this.logger,
-        });
-        // Update session with new token
-        await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
-        // Update authorization config with new refresh token if available
-        if (tokenResult.refreshToken) {
-            await this.sessionStore.setAuthorizationConfig(destination, {
-                ...authConfig,
-                refreshToken: tokenResult.refreshToken,
+        const refreshToken = sessionAuthConfig?.refreshToken || authConfig.refreshToken;
+        let tokenResult;
+        let lastError = null;
+        // Step 3: Try to refresh using refresh token (if available) via tokenProvider
+        if (refreshToken) {
+            try {
+                this.logger.debug(`Attempting to refresh token using refresh token for destination "${destination}"...`);
+                const authConfigWithRefresh = { ...authConfig, refreshToken };
+                tokenResult = await this.tokenProvider.getConnectionConfig(authConfigWithRefresh, {
+                    browser: this.browser,
+                    logger: this.logger,
+                });
+                this.logger.debug(`Token refreshed successfully using refresh token for destination "${destination}"`);
+                // Update session with new token
+                await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
+                if (tokenResult.refreshToken) {
+                    await this.sessionStore.setAuthorizationConfig(destination, {
+                        ...authConfig,
+                        refreshToken: tokenResult.refreshToken,
+                    });
+                }
+                return tokenResult.connectionConfig.authorizationToken;
+            }
+            catch (error) {
+                lastError = error;
+                this.logger.debug(`Token refresh failed for destination "${destination}": ${error.message}. Trying without refresh token...`);
+                // Continue to next step
+            }
+        }
+        // Step 4: Try UAA (client_credentials) via tokenProvider (without refresh token)
+        // TokenProvider should try client_credentials if refresh token is not provided
+        try {
+            this.logger.debug(`Attempting to get token using UAA (client_credentials) for destination "${destination}"...`);
+            const authConfigWithoutRefresh = { ...authConfig, refreshToken: undefined };
+            tokenResult = await this.tokenProvider.getConnectionConfig(authConfigWithoutRefresh, {
+                browser: this.browser,
+                logger: this.logger,
+            });
+            this.logger.debug(`Token obtained successfully using UAA for destination "${destination}"`);
+            // Update session with new token
+            await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
+            if (tokenResult.refreshToken) {
+                await this.sessionStore.setAuthorizationConfig(destination, {
+                    ...authConfig,
+                    refreshToken: tokenResult.refreshToken,
+                });
+            }
+            return tokenResult.connectionConfig.authorizationToken;
+        }
+        catch (error) {
+            lastError = error;
+            this.logger.debug(`UAA authentication failed for destination "${destination}": ${error.message}. Trying browser authentication...`);
+            // Continue to next step
+        }
+        // Step 5: Try browser authentication via tokenProvider (should be last resort)
+        // TokenProvider should use browser auth if refresh token and client_credentials don't work
+        try {
+            this.logger.debug(`Starting browser authentication flow for destination "${destination}"...`);
+            const authConfigForBrowser = { ...authConfig, refreshToken: undefined };
+            tokenResult = await this.tokenProvider.getConnectionConfig(authConfigForBrowser, {
+                browser: this.browser,
+                logger: this.logger,
             });
+            this.logger.debug(`Token obtained successfully using browser authentication for destination "${destination}"`);
+            // Update session with new token
+            await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
+            if (tokenResult.refreshToken) {
+                await this.sessionStore.setAuthorizationConfig(destination, {
+                    ...authConfig,
+                    refreshToken: tokenResult.refreshToken,
+                });
+            }
+            return tokenResult.connectionConfig.authorizationToken;
+        }
+        catch (error) {
+            lastError = error;
+            // Step 6: All methods failed - throw error
+            const errorMessage = `All authentication methods failed for destination "${destination}". ` +
+                `Refresh token: ${refreshToken ? 'failed' : 'not available'}. ` +
+                `UAA: ${authConfig.uaaUrl && authConfig.uaaClientId && authConfig.uaaClientSecret ? 'failed' : 'parameters missing'}. ` +
+                `Browser authentication: failed (${error.message})`;
+            this.logger.error(errorMessage);
+            throw new Error(errorMessage);
         }
-        return tokenResult.connectionConfig.authorizationToken;
     }
     /**
      * Force refresh token for destination using service key.

package/dist/index.d.ts

@@ -7,4 +7,5 @@ export type { IAuthorizationConfig, IConnectionConfig, IServiceKeyStore, ISessio
 export type { IConfig } from './types';
 export type { ITokenProvider, TokenProviderOptions, TokenProviderResult } from './providers';
 export type { Logger } from '@mcp-abap-adt/logger';
+export type { AuthType } from '@mcp-abap-adt/interfaces';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,YAAY,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpH,YAAY,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAEvC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAE7F,YAAY,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,YAAY,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpH,YAAY,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAEvC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAE7F,YAAY,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAEnD,YAAY,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/providers/ITokenProvider.d.ts

@@ -6,44 +6,8 @@
  * - XSUAA: client_credentials grant type (no browser)
  * - BTP/ABAP: browser-based OAuth2 or refresh token
  */
-import { IAuthorizationConfig, IConnectionConfig } from '../stores/interfaces';
-/**
- * Result from token provider
- */
-export interface TokenProviderResult {
-    /** Connection configuration with authorization token */
-    connectionConfig: IConnectionConfig;
-    /** Refresh token (optional, for BTP/ABAP) */
-    refreshToken?: string;
-}
-/**
- * Interface for token providers
- *
- * Takes authorization configuration and returns connection configuration with token.
- */
-export interface ITokenProvider {
-    /**
-     * Get connection configuration with token from authorization configuration
-     * @param authConfig Authorization configuration (UAA credentials, optional refresh token)
-     * @param options Optional provider-specific options (e.g., browser type for BTP)
-     * @returns Promise that resolves to connection configuration with authorization token and optional refresh token
-     */
-    getConnectionConfig(authConfig: IAuthorizationConfig, options?: TokenProviderOptions): Promise<TokenProviderResult>;
-    /**
-     * Validate JWT token by testing connection to service
-     * @param token JWT token to validate
-     * @param serviceUrl Service URL (optional, for services that require URL validation)
-     * @returns Promise that resolves to true if token is valid, false otherwise
-     */
-    validateToken?(token: string, serviceUrl?: string): Promise<boolean>;
-}
-/**
- * Options for token providers
- */
-export interface TokenProviderOptions {
-    /** Browser type for browser-based authentication (chrome, edge, firefox, system, none) */
-    browser?: string;
-    /** Logger instance for logging */
-    logger?: import('@mcp-abap-adt/logger').Logger;
-}
+import type { IAuthorizationConfig, IConnectionConfig, ITokenProvider, ITokenProviderResult, ITokenProviderOptions } from '@mcp-abap-adt/interfaces';
+export type { ITokenProvider, IAuthorizationConfig, IConnectionConfig, };
+export type TokenProviderResult = ITokenProviderResult;
+export type TokenProviderOptions = ITokenProviderOptions;
 //# sourceMappingURL=ITokenProvider.d.ts.map

package/dist/providers/ITokenProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ITokenProvider.d.ts","sourceRoot":"","sources":["../../src/providers/ITokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE/E;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,wDAAwD;IACxD,gBAAgB,EAAE,iBAAiB,CAAC;IACpC,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,mBAAmB,CACjB,UAAU,EAAE,oBAAoB,EAChC,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEhC;;;;;OAKG;IACH,aAAa,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,MAAM,CAAC,EAAE,OAAO,sBAAsB,EAAE,MAAM,CAAC;CAChD"}
+{"version":3,"file":"ITokenProvider.d.ts","sourceRoot":"","sources":["../../src/providers/ITokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,iBAAiB,GAClB,CAAC;AACF,MAAM,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;AACvD,MAAM,MAAM,oBAAoB,GAAG,qBAAqB,CAAC"}

package/dist/stores/interfaces.d.ts

@@ -1,117 +1,9 @@
 /**
  * Storage interfaces for AuthBroker
  *
- * All interfaces are defined here. Types (type aliases) are in types.ts.
+ * All interfaces are imported from @mcp-abap-adt/interfaces package.
+ * Type aliases (type) are in types.ts.
  */
-import type { IConfig } from '../types';
-/**
- * Authorization configuration - values needed for obtaining and refreshing tokens
- * Returned by stores with actual values (not file paths)
- */
-export interface IAuthorizationConfig {
-    /** UAA URL for token refresh */
-    uaaUrl: string;
-    /** UAA client ID */
-    uaaClientId: string;
-    /** UAA client secret */
-    uaaClientSecret: string;
-    /** Refresh token for token renewal (optional) */
-    refreshToken?: string;
-}
-/**
- * Connection configuration - values needed for connecting to services
- * Returned by stores with actual values (not file paths)
- */
-export interface IConnectionConfig {
-    /** Service URL (SAP/ABAP/MCP URL) - undefined for XSUAA if not provided */
-    serviceUrl?: string;
-    /** Authorization token (JWT token) */
-    authorizationToken: string;
-    /** SAP client number (optional, for ABAP/BTP) */
-    sapClient?: string;
-    /** Language (optional, for ABAP/BTP) */
-    language?: string;
-}
-/**
- * Interface for storing and retrieving service keys
- *
- * Service keys contain UAA credentials and connection URLs.
- */
-export interface IServiceKeyStore {
-    /**
-     * Get raw service key for destination
-     * @param destination Destination name (e.g., "TRIAL")
-     * @returns Service key object (implementation-specific) or null if not found
-     */
-    getServiceKey(destination: string): Promise<IConfig | null>;
-    /**
-     * Get authorization configuration from service key
-     * Returns values needed for obtaining and refreshing tokens
-     * @param destination Destination name (e.g., "TRIAL")
-     * @returns IAuthorizationConfig with actual values or null if not found
-     */
-    getAuthorizationConfig(destination: string): Promise<IAuthorizationConfig | null>;
-    /**
-     * Get connection configuration from service key
-     * Returns values needed for connecting to services
-     * @param destination Destination name (e.g., "TRIAL")
-     * @returns IConnectionConfig with actual values or null if not found
-     */
-    getConnectionConfig(destination: string): Promise<IConnectionConfig | null>;
-}
-/**
- * Interface for session stores - stores and retrieves session data
- *
- * Session stores handle loading, saving, and managing session data (tokens, configuration).
- */
-export interface ISessionStore {
-    /**
-     * Load session configuration for destination
-     * Returns optional composition of IAuthorizationConfig and IConnectionConfig
-     * Can contain either authorization config, or connection config, or both
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     * @returns IConfig with actual values or null if not found
-     */
-    loadSession(destination: string): Promise<IConfig | null>;
-    /**
-     * Save session configuration for destination
-     * Accepts IConfig (optional composition) or internal representation (for backward compatibility)
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     * @param config IConfig or internal session configuration to save
-     */
-    saveSession(destination: string, config: IConfig | unknown): Promise<void>;
-    /**
-     * Delete session for destination (optional)
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     */
-    deleteSession?(destination: string): Promise<void>;
-    /**
-     * Get authorization configuration with actual values (not file paths)
-     * Returns values needed for obtaining and refreshing tokens
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     * @returns IAuthorizationConfig with actual values or null if not found
-     */
-    getAuthorizationConfig(destination: string): Promise<IAuthorizationConfig | null>;
-    /**
-     * Get connection configuration with actual values (not file paths)
-     * Returns values needed for connecting to services
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     * @returns IConnectionConfig with actual values or null if not found
-     */
-    getConnectionConfig(destination: string): Promise<IConnectionConfig | null>;
-    /**
-     * Set authorization configuration
-     * Updates values needed for obtaining and refreshing tokens
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     * @param config IAuthorizationConfig with values to set
-     */
-    setAuthorizationConfig(destination: string, config: IAuthorizationConfig): Promise<void>;
-    /**
-     * Set connection configuration
-     * Updates values needed for connecting to services
-     * @param destination Destination name (e.g., "TRIAL" or "mcp")
-     * @param config IConnectionConfig with values to set
-     */
-    setConnectionConfig(destination: string, config: IConnectionConfig): Promise<void>;
-}
+import type { IAuthorizationConfig, IConnectionConfig, IServiceKeyStore, ISessionStore } from '@mcp-abap-adt/interfaces';
+export type { IAuthorizationConfig, IConnectionConfig, IServiceKeyStore, ISessionStore, };
 //# sourceMappingURL=interfaces.d.ts.map

package/dist/stores/interfaces.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../src/stores/interfaces.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAExC;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,iDAAiD;IACjD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAE5D;;;;;OAKG;IACH,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IAElF;;;;;OAKG;IACH,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;CAC7E;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAE1D;;;;;OAKG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3E;;;OAGG;IACH,aAAa,CAAC,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD;;;;;OAKG;IACH,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IAElF;;;;;OAKG;IACH,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;IAE5E;;;;;OAKG;IACH,sBAAsB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzF;;;;;OAKG;IACH,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF"}
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../src/stores/interfaces.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EAEd,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,GACd,CAAC"}

package/dist/stores/interfaces.js

@@ -2,6 +2,7 @@
 /**
  * Storage interfaces for AuthBroker
  *
- * All interfaces are defined here. Types (type aliases) are in types.ts.
+ * All interfaces are imported from @mcp-abap-adt/interfaces package.
+ * Type aliases (type) are in types.ts.
  */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types.d.ts

@@ -1,13 +1,8 @@
 /**
  * Type definitions for auth-broker package
  *
- * Type aliases (type) are defined here. Interfaces are in stores/interfaces.ts.
+ * Type aliases (type) are defined here. Interfaces are imported from @mcp-abap-adt/interfaces.
  */
-import type { IAuthorizationConfig, IConnectionConfig } from './stores/interfaces';
-/**
- * Configuration - optional composition of authorization and connection configuration
- * Can contain either authorization config, or connection config, or both
- */
-export type IConfig = Partial<IAuthorizationConfig> & Partial<IConnectionConfig>;
-export type { IAuthorizationConfig, IConnectionConfig, IServiceKeyStore, ISessionStore, } from './stores/interfaces';
+import type { IAuthorizationConfig, IConnectionConfig, IConfig, IServiceKeyStore, ISessionStore } from '@mcp-abap-adt/interfaces';
+export type { IConfig, IAuthorizationConfig, IConnectionConfig, IServiceKeyStore, ISessionStore, };
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAEnF;;;GAGG;AACH,MAAM,MAAM,OAAO,GAAG,OAAO,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAGjF,YAAY,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,GACd,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,OAAO,EACP,gBAAgB,EAChB,aAAa,EACd,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EACV,OAAO,EACP,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,GACd,CAAC"}

package/dist/types.js

@@ -2,6 +2,6 @@
 /**
  * Type definitions for auth-broker package
  *
- * Type aliases (type) are defined here. Interfaces are in stores/interfaces.ts.
+ * Type aliases (type) are defined here. Interfaces are imported from @mcp-abap-adt/interfaces.
  */
 Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-broker",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "JWT authentication broker for MCP ABAP ADT - manages tokens based on destination headers",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -51,7 +51,8 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@mcp-abap-adt/connection": "^0.1.13",
+    "@mcp-abap-adt/connection": "^0.1.14",
+    "@mcp-abap-adt/interfaces": "^0.1.0",
     "@mcp-abap-adt/logger": "^0.1.0"
   },
   "devDependencies": {