@mcp-abap-adt/auth-stores 0.1.6 → 0.1.7

package/CHANGELOG.md

@@ -7,6 +7,48 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.7] - 2025-12-08
+
+### Added
+- **Broker Usage Tests**: Added comprehensive test suites for broker usage scenarios
+  - Tests verify stores work correctly when used as in `AuthBroker` (without `saveSession`)
+  - Tests cover `setConnectionConfig` and `setAuthorizationConfig` on empty stores
+  - Tests verify session creation and updates in broker flow scenarios
+  - Test files: `*SessionStore.broker.test.ts` for all store types
+
+### Changed
+- **Session Store Initialization**: File-based session stores now automatically create directory in constructor
+  - `AbapSessionStore`, `BtpSessionStore`, `XsuaaSessionStore` create directory if it doesn't exist
+  - Stores are ready to use immediately after construction
+  - Directory creation is logged at debug level
+- **Session Creation Logic**: Session stores now automatically create sessions when calling `setConnectionConfig` or `setAuthorizationConfig`
+  - No need to call `saveSession` first - stores handle session creation internally
+  - `setConnectionConfig` creates new session if none exists (requires `serviceUrl` for ABAP)
+  - `setAuthorizationConfig` creates new session if none exists (for BTP/XSUAA, `mcpUrl` is optional)
+  - For ABAP: `setAuthorizationConfig` requires existing `serviceUrl` (from `setConnectionConfig` or throws error)
+  - This matches how `AuthBroker` uses stores - stores are now fully ready after construction
+- **Token Validation**: Updated validation to allow empty string for `jwtToken` in BTP/XSUAA stores
+  - Empty token is allowed (can be set later via `setConnectionConfig`)
+  - Only `undefined` or `null` tokens are rejected
+  - This enables creating sessions with authorization config first, then adding connection config
+
+### Fixed
+- **getConnectionConfig**: Fixed to allow empty string tokens (not just non-empty strings)
+  - Returns `null` only if token is `undefined` or `null`
+  - Empty string tokens are valid (can be set later)
+- **setConnectionConfig Updates**: Fixed to preserve existing token when updating connection config
+  - Only updates `jwtToken` if `authorizationToken` is provided in config
+  - Preserves existing token if `authorizationToken` is `undefined`
+- **Safe Session Stores**: Fixed session creation in `setConnectionConfig` and `setAuthorizationConfig`
+  - Now saves directly to Map (internal format) instead of calling `saveSession` with wrong format
+  - This fixes issues where `mcpUrl`/`serviceUrl` was not being saved correctly
+- **loadXsuaaEnvFile**: Fixed to allow empty string for `jwtToken` (can be set later)
+  - Only rejects `undefined` or `null` tokens
+  - Empty string tokens are valid and can be set later via `setConnectionConfig`
+- **testLogger**: Fixed to not output by default in test environment
+  - Now requires explicit enable via `DEBUG_AUTH_STORES=true` or `DEBUG=true`
+  - No longer enables logging automatically when `NODE_ENV === 'test'`
+
 ## [0.1.6] - 2025-12-08
 
 ### Added

package/README.md

@@ -145,11 +145,12 @@ All stores accept a single directory path in the constructor:
 // Single directory path
 const store = new BtpServiceKeyStore('/path/to/service-keys');
 
-// Directory will be created automatically if it doesn't exist when saving files
-const sessionStore = new AbapSessionStore('/path/to/sessions');
-await sessionStore.saveSession('TRIAL', config); // Creates directory if needed
+// File-based session stores automatically create directory in constructor if it doesn't exist
+const sessionStore = new AbapSessionStore('/path/to/sessions'); // Directory created automatically
 ```
 
+**Note**: File-based session stores (`AbapSessionStore`, `BtpSessionStore`, `XsuaaSessionStore`) automatically create the directory in the constructor if it doesn't exist. Stores are ready to use immediately after construction.
+
 ### Service Key Format
 
 **ABAP Service Key** (with nested `uaa` object):
@@ -355,12 +356,23 @@ Integration tests will skip if `test-config.yaml` is not configured or contains
 
 - All stores implement `IServiceKeyStore` or `ISessionStore` interfaces from `@mcp-abap-adt/auth-broker`
 - Stores accept a single directory path in constructor
-- File-based stores automatically create directories when saving
+- File-based session stores automatically create directories in constructor if they don't exist
+- Session stores automatically create sessions when calling `setConnectionConfig` or `setAuthorizationConfig` (no need to call `saveSession` first)
 - In-memory stores (`Safe*SessionStore`) don't persist data to disk
 
+### Session Store Behavior
+
+Session stores are designed to work seamlessly with `AuthBroker`:
+
+- **Ready after construction**: File-based stores create directory automatically, stores are ready to use immediately
+- **Automatic session creation**: Calling `setConnectionConfig` or `setAuthorizationConfig` on an empty store creates a new session
+- **ABAP stores**: Require `serviceUrl` when creating new session via `setConnectionConfig` or `setAuthorizationConfig`
+- **BTP/XSUAA stores**: `mcpUrl` is optional - can create session with authorization config first, then add connection config
+- **Token updates**: `setConnectionConfig` updates token if provided, preserves existing token if not provided
+
 ## Dependencies
 
-- `@mcp-abap-adt/auth-broker` (^0.1.6) - Interface definitions
+- `@mcp-abap-adt/interfaces` (^0.1.3) - Interface definitions (`IServiceKeyStore`, `ISessionStore`, `IConfig`, `IConnectionConfig`, `IAuthorizationConfig`, `ILogger`)
 - `dotenv` - Environment variable parsing
 
 ## License

package/dist/storage/xsuaa/xsuaaEnvLoader.js

@@ -65,8 +65,10 @@ async function loadXsuaaEnvFile(destination, directory, log) {
         log?.debug(`Parsed XSUAA env variables: ${Object.keys(parsed).filter(k => k.startsWith('XSUAA_')).join(', ')}`);
         // Extract required fields (XSUAA_* variables)
         const jwtToken = parsed[constants_1.XSUAA_CONNECTION_VARS.AUTHORIZATION_TOKEN];
-        log?.debug(`Extracted fields: hasJwtToken(${!!jwtToken})`);
-        if (!jwtToken) {
+        log?.debug(`Extracted fields: hasJwtToken(${jwtToken !== undefined && jwtToken !== null})`);
+        // Allow empty string for jwtToken (can be set later via setConnectionConfig)
+        // Only reject if jwtToken is undefined or null
+        if (jwtToken === undefined || jwtToken === null) {
             log?.warn(`XSUAA env file missing required field: jwtToken`);
             return null;
         }

package/dist/stores/abap/AbapSessionStore.d.ts

@@ -83,6 +83,7 @@ export declare class AbapSessionStore implements ISessionStore {
     /**
      * Set authorization configuration
      * Updates values needed for obtaining and refreshing tokens
+     * Creates new session if it doesn't exist
      * @param destination Destination name
      * @param config IAuthorizationConfig with values to set
      */
@@ -90,6 +91,7 @@ export declare class AbapSessionStore implements ISessionStore {
     /**
      * Set connection configuration
      * Updates values needed for connecting to services
+     * Creates new session if it doesn't exist
      * @param destination Destination name
      * @param config IConnectionConfig with values to set
      */

package/dist/stores/abap/AbapSessionStore.js

@@ -66,6 +66,11 @@ class AbapSessionStore {
     constructor(directory, log) {
         this.directory = directory;
         this.log = log;
+        // Ensure directory exists - create if it doesn't
+        if (!fs.existsSync(directory)) {
+            fs.mkdirSync(directory, { recursive: true });
+            this.log?.debug(`Created session directory: ${directory}`);
+        }
     }
     /**
      * Load session from file
@@ -252,13 +257,31 @@ class AbapSessionStore {
     /**
      * Set authorization configuration
      * Updates values needed for obtaining and refreshing tokens
+     * Creates new session if it doesn't exist
      * @param destination Destination name
      * @param config IAuthorizationConfig with values to set
      */
     async setAuthorizationConfig(destination, config) {
         const current = await this.loadRawSession(destination);
         if (!current) {
-            throw new Error(`No session found for destination "${destination}"`);
+            // Session doesn't exist - try to get serviceUrl from connection config
+            // For ABAP, we need sapUrl to create session
+            const connConfig = await this.getConnectionConfig(destination);
+            const sapUrl = connConfig?.serviceUrl;
+            if (!sapUrl) {
+                throw new Error(`Cannot set authorization config for destination "${destination}": session does not exist and serviceUrl is required for ABAP sessions. Call setConnectionConfig first.`);
+            }
+            this.log?.debug(`Creating new session for ${destination} via setAuthorizationConfig: sapUrl(${sapUrl.substring(0, 40)}...)`);
+            const newSession = {
+                sapUrl,
+                jwtToken: connConfig?.authorizationToken || '', // Use token from connection config if available
+                uaaUrl: config.uaaUrl,
+                uaaClientId: config.uaaClientId,
+                uaaClientSecret: config.uaaClientSecret,
+                refreshToken: config.refreshToken,
+            };
+            await this.saveSession(destination, newSession);
+            return;
         }
         // Update authorization fields
         const updated = {
@@ -273,13 +296,28 @@ class AbapSessionStore {
     /**
      * Set connection configuration
      * Updates values needed for connecting to services
+     * Creates new session if it doesn't exist
      * @param destination Destination name
      * @param config IConnectionConfig with values to set
      */
     async setConnectionConfig(destination, config) {
         const current = await this.loadRawSession(destination);
         if (!current) {
-            throw new Error(`No session found for destination "${destination}"`);
+            // Session doesn't exist - create new one
+            // For ABAP, serviceUrl is required
+            if (!config.serviceUrl) {
+                throw new Error(`Cannot create session for destination "${destination}": serviceUrl is required for ABAP sessions`);
+            }
+            this.log?.debug(`Creating new session for ${destination} via setConnectionConfig: serviceUrl(${config.serviceUrl.substring(0, 40)}...), token(${config.authorizationToken?.length || 0} chars)`);
+            const newSession = {
+                sapUrl: config.serviceUrl,
+                jwtToken: config.authorizationToken || '',
+                sapClient: config.sapClient,
+                language: config.language,
+            };
+            await this.saveSession(destination, newSession);
+            this.log?.info(`Session created for ${destination}: serviceUrl(${config.serviceUrl.substring(0, 40)}...), token(${config.authorizationToken?.length || 0} chars)`);
+            return;
         }
         // Update connection fields
         const updated = {

package/dist/stores/abap/SafeAbapSessionStore.d.ts

@@ -22,7 +22,6 @@ export declare class SafeAbapSessionStore implements ISessionStore {
     private loadRawSession;
     private validateSessionConfig;
     private convertToInternalFormat;
-    private isValidSessionConfig;
     loadSession(destination: string): Promise<IConfig | null>;
     saveSession(destination: string, config: IConfig): Promise<void>;
     deleteSession(destination: string): Promise<void>;

package/dist/stores/abap/SafeAbapSessionStore.js

@@ -58,13 +58,6 @@ class SafeAbapSessionStore {
         };
         return internal;
     }
-    isValidSessionConfig(config) {
-        if (!config || typeof config !== 'object')
-            return false;
-        const obj = config;
-        // Accept both IConfig format (serviceUrl, authorizationToken) and internal format (sapUrl, jwtToken)
-        return (('serviceUrl' in obj || 'sapUrl' in obj) && ('authorizationToken' in obj || 'jwtToken' in obj));
-    }
     async loadSession(destination) {
         this.log?.debug(`Loading session for destination: ${destination}`);
         const authConfig = await this.getAuthorizationConfig(destination);
@@ -96,7 +89,7 @@ class SafeAbapSessionStore {
     }
     async getConnectionConfig(destination) {
         const sessionConfig = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(sessionConfig)) {
+        if (!sessionConfig) {
             return null;
         }
         if (!sessionConfig.jwtToken || !sessionConfig.sapUrl) {
@@ -111,8 +104,23 @@ class SafeAbapSessionStore {
     }
     async setConnectionConfig(destination, config) {
         const current = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(current)) {
-            throw new Error(`No ABAP session found for destination "${destination}"`);
+        if (!current) {
+            // Session doesn't exist - create new one
+            // For ABAP, serviceUrl is required
+            if (!config.serviceUrl) {
+                throw new Error(`Cannot create session for destination "${destination}": serviceUrl is required for ABAP sessions`);
+            }
+            this.log?.debug(`Creating new session for ${destination} via setConnectionConfig: serviceUrl(${config.serviceUrl.substring(0, 40)}...), token(${config.authorizationToken?.length || 0} chars)`);
+            const newSession = {
+                sapUrl: config.serviceUrl,
+                jwtToken: config.authorizationToken || '',
+                sapClient: config.sapClient,
+                language: config.language,
+            };
+            // Save directly to Map (internal format)
+            this.sessions.set(destination, newSession);
+            this.log?.info(`Session created for ${destination}: serviceUrl(${config.serviceUrl.substring(0, 40)}...), token(${config.authorizationToken?.length || 0} chars)`);
+            return;
         }
         const updated = {
             ...current,
@@ -121,11 +129,12 @@ class SafeAbapSessionStore {
             sapClient: config.sapClient !== undefined ? config.sapClient : current.sapClient,
             language: config.language !== undefined ? config.language : current.language,
         };
-        await this.saveSession(destination, updated);
+        // Save directly to Map (internal format)
+        this.sessions.set(destination, updated);
     }
     async getAuthorizationConfig(destination) {
         const sessionConfig = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(sessionConfig)) {
+        if (!sessionConfig) {
             return null;
         }
         if (!sessionConfig.uaaUrl || !sessionConfig.uaaClientId || !sessionConfig.uaaClientSecret) {
@@ -140,8 +149,26 @@ class SafeAbapSessionStore {
     }
     async setAuthorizationConfig(destination, config) {
         const current = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(current)) {
-            throw new Error(`No ABAP session found for destination "${destination}"`);
+        if (!current) {
+            // Session doesn't exist - try to get serviceUrl from connection config
+            // For ABAP, we need sapUrl to create session
+            const connConfig = await this.getConnectionConfig(destination);
+            const sapUrl = connConfig?.serviceUrl;
+            if (!sapUrl) {
+                throw new Error(`Cannot set authorization config for destination "${destination}": session does not exist and serviceUrl is required for ABAP sessions. Call setConnectionConfig first.`);
+            }
+            this.log?.debug(`Creating new session for ${destination} via setAuthorizationConfig: sapUrl(${sapUrl.substring(0, 40)}...)`);
+            const newSession = {
+                sapUrl,
+                jwtToken: connConfig?.authorizationToken || '', // Use token from connection config if available
+                uaaUrl: config.uaaUrl,
+                uaaClientId: config.uaaClientId,
+                uaaClientSecret: config.uaaClientSecret,
+                refreshToken: config.refreshToken,
+            };
+            // Save directly to Map (internal format)
+            this.sessions.set(destination, newSession);
+            return;
         }
         const updated = {
             ...current,
@@ -150,7 +177,8 @@ class SafeAbapSessionStore {
             uaaClientSecret: config.uaaClientSecret,
             refreshToken: config.refreshToken || current.refreshToken,
         };
-        await this.saveSession(destination, updated);
+        // Save directly to Map (internal format)
+        this.sessions.set(destination, updated);
     }
 }
 exports.SafeAbapSessionStore = SafeAbapSessionStore;

package/dist/stores/btp/BtpSessionStore.js

@@ -64,6 +64,11 @@ class BtpSessionStore {
     constructor(directory, log) {
         this.directory = directory;
         this.log = log;
+        // Ensure directory exists - create if it doesn't
+        if (!fs.existsSync(directory)) {
+            fs.mkdirSync(directory, { recursive: true });
+            this.log?.debug(`Created session directory: ${directory}`);
+        }
     }
     /**
      * Load session from file
@@ -117,7 +122,8 @@ class BtpSessionStore {
             throw new Error('BtpSessionStore can only store base BTP sessions (without abapUrl)');
         }
         // Validate required fields
-        if (!config.jwtToken) {
+        // Allow empty string for jwtToken (can be set later via setConnectionConfig)
+        if (config.jwtToken === undefined || config.jwtToken === null) {
             throw new Error('Base BTP session config missing required field: jwtToken');
         }
         // Extract destination from file path
@@ -242,7 +248,8 @@ class BtpSessionStore {
             this.log?.debug(`Connection config not found for ${destination}`);
             return null;
         }
-        if (!sessionConfig.jwtToken) {
+        // Return null if jwtToken is undefined or null (but allow empty string)
+        if (sessionConfig.jwtToken === undefined || sessionConfig.jwtToken === null) {
             this.log?.warn(`Connection config for ${destination} missing required field: jwtToken`);
             return null;
         }
@@ -261,7 +268,19 @@ class BtpSessionStore {
     async setAuthorizationConfig(destination, config) {
         const current = await this.loadRawSession(destination);
         if (!current) {
-            throw new Error(`No session found for destination "${destination}"`);
+            // Session doesn't exist - create new one
+            // For BTP, mcpUrl is optional, so we can create session without it
+            this.log?.debug(`Creating new session for ${destination} via setAuthorizationConfig`);
+            const newSession = {
+                mcpUrl: undefined, // Will be set when connection config is set
+                jwtToken: '', // Will be set when connection config is set
+                uaaUrl: config.uaaUrl,
+                uaaClientId: config.uaaClientId,
+                uaaClientSecret: config.uaaClientSecret,
+                refreshToken: config.refreshToken,
+            };
+            await this.saveSession(destination, newSession);
+            return;
         }
         // Update authorization fields
         const updated = {
@@ -282,13 +301,22 @@ class BtpSessionStore {
     async setConnectionConfig(destination, config) {
         const current = await this.loadRawSession(destination);
         if (!current) {
-            throw new Error(`No session found for destination "${destination}"`);
+            // Session doesn't exist - create new one
+            // For BTP, mcpUrl is optional
+            this.log?.debug(`Creating new session for ${destination} via setConnectionConfig: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            const newSession = {
+                mcpUrl: config.serviceUrl,
+                jwtToken: config.authorizationToken || '',
+            };
+            await this.saveSession(destination, newSession);
+            this.log?.info(`Session created for ${destination}: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            return;
         }
         // Update connection fields
         const updated = {
             ...current,
             mcpUrl: config.serviceUrl !== undefined ? config.serviceUrl : current.mcpUrl,
-            jwtToken: config.authorizationToken,
+            jwtToken: config.authorizationToken !== undefined ? config.authorizationToken : current.jwtToken,
         };
         await this.saveSession(destination, updated);
     }

package/dist/stores/btp/SafeBtpSessionStore.d.ts

@@ -22,7 +22,6 @@ export declare class SafeBtpSessionStore implements ISessionStore {
     private loadRawSession;
     private validateSessionConfig;
     private convertToInternalFormat;
-    private isValidSessionConfig;
     loadSession(destination: string): Promise<IConfig | null>;
     saveSession(destination: string, config: IConfig): Promise<void>;
     deleteSession(destination: string): Promise<void>;

package/dist/stores/btp/SafeBtpSessionStore.js

@@ -40,7 +40,10 @@ class SafeBtpSessionStore {
             throw new Error('SafeBtpSessionStore can only store base BTP sessions (without abapUrl)');
         }
         // Accept IConfig format (has authorizationToken) or internal format (has jwtToken)
-        if (!obj.authorizationToken && !obj.jwtToken) {
+        // Allow empty string for token (can be set later via setConnectionConfig)
+        const hasToken = (obj.authorizationToken !== undefined && obj.authorizationToken !== null) ||
+            (obj.jwtToken !== undefined && obj.jwtToken !== null);
+        if (!hasToken) {
             throw new Error('Base BTP session config missing required field: authorizationToken or jwtToken');
         }
     }
@@ -60,14 +63,6 @@ class SafeBtpSessionStore {
         };
         return internal;
     }
-    isValidSessionConfig(config) {
-        if (!config || typeof config !== 'object')
-            return false;
-        const obj = config;
-        // Accept both IConfig format (authorizationToken) and internal format (jwtToken)
-        // Reject ABAP (sapUrl) and BTP with abapUrl
-        return (('authorizationToken' in obj || 'jwtToken' in obj) && !('sapUrl' in obj) && !('abapUrl' in obj));
-    }
     async loadSession(destination) {
         this.log?.debug(`Loading session for destination: ${destination}`);
         const authConfig = await this.getAuthorizationConfig(destination);
@@ -99,10 +94,11 @@ class SafeBtpSessionStore {
     }
     async getConnectionConfig(destination) {
         const sessionConfig = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(sessionConfig)) {
+        if (!sessionConfig) {
             return null;
         }
-        if (!sessionConfig.jwtToken) {
+        // Return null if jwtToken is undefined or null (but allow empty string)
+        if (sessionConfig.jwtToken === undefined || sessionConfig.jwtToken === null) {
             return null;
         }
         return {
@@ -112,19 +108,30 @@ class SafeBtpSessionStore {
     }
     async setConnectionConfig(destination, config) {
         const current = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(current)) {
-            throw new Error(`No base BTP session found for destination "${destination}"`);
+        if (!current) {
+            // Session doesn't exist - create new one
+            // For BTP, mcpUrl is optional
+            this.log?.debug(`Creating new session for ${destination} via setConnectionConfig: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            const newSession = {
+                mcpUrl: config.serviceUrl,
+                jwtToken: config.authorizationToken || '',
+            };
+            // Save directly to Map (internal format)
+            this.sessions.set(destination, newSession);
+            this.log?.info(`Session created for ${destination}: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            return;
         }
         const updated = {
             ...current,
             mcpUrl: config.serviceUrl !== undefined ? config.serviceUrl : current.mcpUrl,
-            jwtToken: config.authorizationToken,
+            jwtToken: config.authorizationToken !== undefined ? config.authorizationToken : current.jwtToken,
         };
-        await this.saveSession(destination, updated);
+        // Save directly to Map (internal format)
+        this.sessions.set(destination, updated);
     }
     async getAuthorizationConfig(destination) {
         const sessionConfig = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(sessionConfig)) {
+        if (!sessionConfig) {
             return null;
         }
         if (!sessionConfig.uaaUrl || !sessionConfig.uaaClientId || !sessionConfig.uaaClientSecret) {
@@ -139,8 +146,21 @@ class SafeBtpSessionStore {
     }
     async setAuthorizationConfig(destination, config) {
         const current = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(current)) {
-            throw new Error(`No base BTP session found for destination "${destination}"`);
+        if (!current) {
+            // Session doesn't exist - create new one
+            // For BTP, mcpUrl is optional, so we can create session without it
+            this.log?.debug(`Creating new session for ${destination} via setAuthorizationConfig`);
+            const newSession = {
+                mcpUrl: undefined, // Will be set when connection config is set
+                jwtToken: '', // Will be set when connection config is set
+                uaaUrl: config.uaaUrl,
+                uaaClientId: config.uaaClientId,
+                uaaClientSecret: config.uaaClientSecret,
+                refreshToken: config.refreshToken,
+            };
+            // Save directly to Map (internal format)
+            this.sessions.set(destination, newSession);
+            return;
         }
         const updated = {
             ...current,
@@ -149,7 +169,8 @@ class SafeBtpSessionStore {
             uaaClientSecret: config.uaaClientSecret,
             refreshToken: config.refreshToken || current.refreshToken,
         };
-        await this.saveSession(destination, updated);
+        // Save directly to Map (internal format)
+        this.sessions.set(destination, updated);
     }
 }
 exports.SafeBtpSessionStore = SafeBtpSessionStore;

package/dist/stores/xsuaa/SafeXsuaaSessionStore.d.ts

@@ -22,7 +22,6 @@ export declare class SafeXsuaaSessionStore implements ISessionStore {
     private loadRawSession;
     private validateSessionConfig;
     private convertToInternalFormat;
-    private isValidSessionConfig;
     loadSession(destination: string): Promise<IConfig | null>;
     saveSession(destination: string, config: IConfig): Promise<void>;
     deleteSession(destination: string): Promise<void>;

package/dist/stores/xsuaa/SafeXsuaaSessionStore.js

@@ -40,7 +40,10 @@ class SafeXsuaaSessionStore {
             throw new Error('SafeXsuaaSessionStore can only store XSUAA sessions');
         }
         // Accept IConfig format (has authorizationToken) or internal format (has jwtToken)
-        if (!obj.authorizationToken && !obj.jwtToken) {
+        // Allow empty string for token (can be set later via setConnectionConfig)
+        const hasToken = (obj.authorizationToken !== undefined && obj.authorizationToken !== null) ||
+            (obj.jwtToken !== undefined && obj.jwtToken !== null);
+        if (!hasToken) {
             throw new Error('XSUAA session config missing required field: authorizationToken or jwtToken');
         }
     }
@@ -60,14 +63,6 @@ class SafeXsuaaSessionStore {
         };
         return internal;
     }
-    isValidSessionConfig(config) {
-        if (!config || typeof config !== 'object')
-            return false;
-        const obj = config;
-        // Accept both IConfig format (authorizationToken) and internal format (jwtToken)
-        // Reject ABAP (sapUrl) and BTP with abapUrl
-        return (('authorizationToken' in obj || 'jwtToken' in obj) && !('sapUrl' in obj) && !('abapUrl' in obj));
-    }
     async loadSession(destination) {
         this.log?.debug(`Loading session for destination: ${destination}`);
         const authConfig = await this.getAuthorizationConfig(destination);
@@ -99,10 +94,11 @@ class SafeXsuaaSessionStore {
     }
     async getConnectionConfig(destination) {
         const sessionConfig = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(sessionConfig)) {
+        if (!sessionConfig) {
             return null;
         }
-        if (!sessionConfig.jwtToken) {
+        // Return null if jwtToken is undefined or null (but allow empty string)
+        if (sessionConfig.jwtToken === undefined || sessionConfig.jwtToken === null) {
             return null;
         }
         return {
@@ -112,19 +108,30 @@ class SafeXsuaaSessionStore {
     }
     async setConnectionConfig(destination, config) {
         const current = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(current)) {
-            throw new Error(`No XSUAA session found for destination "${destination}"`);
+        if (!current) {
+            // Session doesn't exist - create new one
+            // For XSUAA, mcpUrl is optional
+            this.log?.debug(`Creating new session for ${destination} via setConnectionConfig: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            const newSession = {
+                mcpUrl: config.serviceUrl,
+                jwtToken: config.authorizationToken || '',
+            };
+            // Save directly to Map (internal format)
+            this.sessions.set(destination, newSession);
+            this.log?.info(`Session created for ${destination}: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            return;
         }
         const updated = {
             ...current,
             mcpUrl: config.serviceUrl !== undefined ? config.serviceUrl : current.mcpUrl,
-            jwtToken: config.authorizationToken,
+            jwtToken: config.authorizationToken !== undefined ? config.authorizationToken : current.jwtToken,
         };
-        await this.saveSession(destination, updated);
+        // Save directly to Map (internal format)
+        this.sessions.set(destination, updated);
     }
     async getAuthorizationConfig(destination) {
         const sessionConfig = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(sessionConfig)) {
+        if (!sessionConfig) {
             return null;
         }
         if (!sessionConfig.uaaUrl || !sessionConfig.uaaClientId || !sessionConfig.uaaClientSecret) {
@@ -139,8 +146,21 @@ class SafeXsuaaSessionStore {
     }
     async setAuthorizationConfig(destination, config) {
         const current = this.loadRawSession(destination);
-        if (!this.isValidSessionConfig(current)) {
-            throw new Error(`No XSUAA session found for destination "${destination}"`);
+        if (!current) {
+            // Session doesn't exist - create new one
+            // For XSUAA, mcpUrl is optional, so we can create session without it
+            this.log?.debug(`Creating new session for ${destination} via setAuthorizationConfig`);
+            const newSession = {
+                mcpUrl: undefined, // Will be set when connection config is set
+                jwtToken: '', // Will be set when connection config is set
+                uaaUrl: config.uaaUrl,
+                uaaClientId: config.uaaClientId,
+                uaaClientSecret: config.uaaClientSecret,
+                refreshToken: config.refreshToken,
+            };
+            // Save directly to Map (internal format)
+            this.sessions.set(destination, newSession);
+            return;
         }
         const updated = {
             ...current,
@@ -149,7 +169,8 @@ class SafeXsuaaSessionStore {
             uaaClientSecret: config.uaaClientSecret,
             refreshToken: config.refreshToken || current.refreshToken,
         };
-        await this.saveSession(destination, updated);
+        // Save directly to Map (internal format)
+        this.sessions.set(destination, updated);
     }
 }
 exports.SafeXsuaaSessionStore = SafeXsuaaSessionStore;

package/dist/stores/xsuaa/XsuaaSessionStore.js

@@ -64,6 +64,11 @@ class XsuaaSessionStore {
     constructor(directory, log) {
         this.directory = directory;
         this.log = log;
+        // Ensure directory exists - create if it doesn't
+        if (!fs.existsSync(directory)) {
+            fs.mkdirSync(directory, { recursive: true });
+            this.log?.debug(`Created session directory: ${directory}`);
+        }
     }
     /**
      * Get file name for destination
@@ -125,7 +130,8 @@ class XsuaaSessionStore {
             throw new Error('XsuaaSessionStore can only store XSUAA sessions');
         }
         // Validate required fields
-        if (!config.jwtToken) {
+        // Allow empty string for jwtToken (can be set later via setConnectionConfig)
+        if (config.jwtToken === undefined || config.jwtToken === null) {
             throw new Error('XSUAA session config missing required field: jwtToken');
         }
         // Extract destination from file path
@@ -219,7 +225,8 @@ class XsuaaSessionStore {
             this.log?.debug(`Connection config not found for ${destination}`);
             return null;
         }
-        if (!sessionConfig.jwtToken) {
+        // Return null if jwtToken is undefined or null (but allow empty string)
+        if (sessionConfig.jwtToken === undefined || sessionConfig.jwtToken === null) {
             this.log?.warn(`Connection config for ${destination} missing required field: jwtToken`);
             return null;
         }
@@ -232,13 +239,22 @@ class XsuaaSessionStore {
     async setConnectionConfig(destination, config) {
         const current = await this.loadRawSession(destination);
         if (!current) {
-            throw new Error(`No session found for destination "${destination}"`);
+            // Session doesn't exist - create new one
+            // For XSUAA, mcpUrl is optional
+            this.log?.debug(`Creating new session for ${destination} via setConnectionConfig: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            const newSession = {
+                mcpUrl: config.serviceUrl,
+                jwtToken: config.authorizationToken || '',
+            };
+            await this.saveSession(destination, newSession);
+            this.log?.info(`Session created for ${destination}: mcpUrl(${config.serviceUrl ? config.serviceUrl.substring(0, 40) + '...' : 'none'}), token(${config.authorizationToken?.length || 0} chars)`);
+            return;
         }
         // Update connection fields
         const updated = {
             ...current,
             mcpUrl: config.serviceUrl !== undefined ? config.serviceUrl : current.mcpUrl,
-            jwtToken: config.authorizationToken,
+            jwtToken: config.authorizationToken !== undefined ? config.authorizationToken : current.jwtToken,
         };
         await this.saveSession(destination, updated);
     }
@@ -263,7 +279,19 @@ class XsuaaSessionStore {
     async setAuthorizationConfig(destination, config) {
         const current = await this.loadRawSession(destination);
         if (!current) {
-            throw new Error(`No session found for destination "${destination}"`);
+            // Session doesn't exist - create new one
+            // For XSUAA, mcpUrl is optional, so we can create session without it
+            this.log?.debug(`Creating new session for ${destination} via setAuthorizationConfig`);
+            const newSession = {
+                mcpUrl: undefined, // Will be set when connection config is set
+                jwtToken: '', // Will be set when connection config is set
+                uaaUrl: config.uaaUrl,
+                uaaClientId: config.uaaClientId,
+                uaaClientSecret: config.uaaClientSecret,
+                refreshToken: config.refreshToken,
+            };
+            await this.saveSession(destination, newSession);
+            return;
         }
         // Update authorization fields
         const updated = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-stores",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Stores for MCP ABAP ADT auth-broker - BTP, ABAP, and XSUAA implementations",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",