@mcp-abap-adt/auth-stores 0.3.0 → 1.0.0

package/CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0] - 2026-02-10
+
+### Added
+- ABAP session stores now support SAML session cookies (stored as base64 in env files).
+- Exports: `SamlSessionStore` and `SafeSamlSessionStore` aliases for ABAP stores.
+- Tests for SAML cookie storage and connection config handling.
+
+### Fixed
+- Persist SAML session cookies in file-backed and in-memory ABAP session stores.
+
 ## [0.2.10] - 2025-12-25
 
 ### Changed

package/README.md

@@ -115,7 +115,13 @@ const safeSessionStore = new SafeBtpSessionStore('https://default.mcp.com', logg
 ### ABAP Stores (with sapUrl)
 
 ```typescript
-import { AbapServiceKeyStore, AbapSessionStore, SafeAbapSessionStore } from '@mcp-abap-adt/auth-stores';
+import {
+  AbapServiceKeyStore,
+  AbapSessionStore,
+  SafeAbapSessionStore,
+  SamlSessionStore,
+  SafeSamlSessionStore,
+} from '@mcp-abap-adt/auth-stores';
 
 // Service key store - reads ABAP service keys with nested uaa object
 const serviceKeyStore = new AbapServiceKeyStore('/path/to/service-keys');
@@ -125,6 +131,10 @@ const sessionStore = new AbapSessionStore('/path/to/sessions');
 
 // In-memory session store
 const safeSessionStore = new SafeAbapSessionStore();
+
+// SAML aliases (same behavior as ABAP stores)
+const samlSessionStore = new SamlSessionStore('/path/to/sessions');
+const safeSamlSessionStore = new SafeSamlSessionStore();
 ```
 
 ### XSUAA Stores
@@ -155,7 +165,7 @@ import { EnvFileSessionStore } from '@mcp-abap-adt/auth-stores';
 const store = new EnvFileSessionStore('/path/to/.env', logger);
 
 // Check the auth type from the file
-const authType = store.getAuthType(); // 'basic' | 'jwt' | null
+const authType = store.getAuthType(); // 'basic' | 'jwt' | 'saml' | null
 
 // Load session (works like other session stores)
 const config = await store.loadSession('default');
@@ -174,7 +184,7 @@ console.log(config?.authorizationToken, config?.refreshToken);
 SAP_URL=https://your-sap-system.com
 SAP_CLIENT=100
 
-# Auth type: 'basic' or 'jwt' (defaults to 'basic')
+# Auth type: 'basic', 'jwt', or 'saml' (defaults to 'basic')
 SAP_AUTH_TYPE=basic
 
 # Basic auth credentials
@@ -188,6 +198,10 @@ SAP_PASSWORD=your-password
 # SAP_UAA_URL=https://uaa.example.com
 # SAP_UAA_CLIENT_ID=client-id
 # SAP_UAA_CLIENT_SECRET=client-secret
+
+# OR SAML auth (session cookies, base64-encoded)
+# SAP_AUTH_TYPE=saml
+# SAP_SESSION_COOKIES_B64=base64-encoded-cookie-string
 ```
 
 **Important**: This store is **read-only** for the file. Token updates (e.g., refreshed JWT tokens) are stored in memory only and do not modify the original `.env` file.

package/dist/index.d.ts

@@ -8,8 +8,8 @@ export { FileNotFoundError, InvalidConfigError, ParseError, StorageError, StoreE
 export { loadServiceKey } from './loaders/abap/serviceKeyLoader';
 export { loadXSUAAServiceKey } from './loaders/xsuaa/xsuaaServiceKeyLoader';
 export { AbapServiceKeyStore } from './stores/abap/AbapServiceKeyStore';
-export { AbapSessionStore } from './stores/abap/AbapSessionStore';
-export { SafeAbapSessionStore } from './stores/abap/SafeAbapSessionStore';
+export { AbapSessionStore, AbapSessionStore as SamlSessionStore, } from './stores/abap/AbapSessionStore';
+export { SafeAbapSessionStore, SafeAbapSessionStore as SafeSamlSessionStore, } from './stores/abap/SafeAbapSessionStore';
 export { EnvFileSessionStore } from './stores/env/EnvFileSessionStore';
 export { SafeXsuaaSessionStore, SafeXsuaaSessionStore as SafeBtpSessionStore, } from './stores/xsuaa/SafeXsuaaSessionStore';
 export { XsuaaServiceKeyStore, XsuaaServiceKeyStore as BtpServiceKeyStore, } from './stores/xsuaa/XsuaaServiceKeyStore';

package/dist/index.js

@@ -6,7 +6,7 @@
  * Provides ABAP and XSUAA store implementations
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveSearchPaths = exports.findFileInPaths = exports.JsonFileHandler = exports.EnvFileHandler = exports.XSUAA_CONNECTION_VARS = exports.XSUAA_AUTHORIZATION_VARS = exports.BTP_CONNECTION_VARS = exports.BTP_AUTHORIZATION_VARS = exports.ABAP_CONNECTION_VARS = exports.ABAP_AUTHORIZATION_VARS = exports.BtpSessionStore = exports.XsuaaSessionStore = exports.BtpServiceKeyStore = exports.XsuaaServiceKeyStore = exports.SafeBtpSessionStore = exports.SafeXsuaaSessionStore = exports.EnvFileSessionStore = exports.SafeAbapSessionStore = exports.AbapSessionStore = exports.AbapServiceKeyStore = exports.loadXSUAAServiceKey = exports.loadServiceKey = exports.StoreError = exports.StorageError = exports.ParseError = exports.InvalidConfigError = exports.FileNotFoundError = void 0;
+exports.resolveSearchPaths = exports.findFileInPaths = exports.JsonFileHandler = exports.EnvFileHandler = exports.XSUAA_CONNECTION_VARS = exports.XSUAA_AUTHORIZATION_VARS = exports.BTP_CONNECTION_VARS = exports.BTP_AUTHORIZATION_VARS = exports.ABAP_CONNECTION_VARS = exports.ABAP_AUTHORIZATION_VARS = exports.BtpSessionStore = exports.XsuaaSessionStore = exports.BtpServiceKeyStore = exports.XsuaaServiceKeyStore = exports.SafeBtpSessionStore = exports.SafeXsuaaSessionStore = exports.EnvFileSessionStore = exports.SafeSamlSessionStore = exports.SafeAbapSessionStore = exports.SamlSessionStore = exports.AbapSessionStore = exports.AbapServiceKeyStore = exports.loadXSUAAServiceKey = exports.loadServiceKey = exports.StoreError = exports.StorageError = exports.ParseError = exports.InvalidConfigError = exports.FileNotFoundError = void 0;
 // Error classes
 var StoreErrors_1 = require("./errors/StoreErrors");
 Object.defineProperty(exports, "FileNotFoundError", { enumerable: true, get: function () { return StoreErrors_1.FileNotFoundError; } });
@@ -24,8 +24,10 @@ Object.defineProperty(exports, "AbapServiceKeyStore", { enumerable: true, get: f
 // ABAP stores (with sapUrl)
 var AbapSessionStore_1 = require("./stores/abap/AbapSessionStore");
 Object.defineProperty(exports, "AbapSessionStore", { enumerable: true, get: function () { return AbapSessionStore_1.AbapSessionStore; } });
+Object.defineProperty(exports, "SamlSessionStore", { enumerable: true, get: function () { return AbapSessionStore_1.AbapSessionStore; } });
 var SafeAbapSessionStore_1 = require("./stores/abap/SafeAbapSessionStore");
 Object.defineProperty(exports, "SafeAbapSessionStore", { enumerable: true, get: function () { return SafeAbapSessionStore_1.SafeAbapSessionStore; } });
+Object.defineProperty(exports, "SafeSamlSessionStore", { enumerable: true, get: function () { return SafeAbapSessionStore_1.SafeAbapSessionStore; } });
 // Env file stores (for --env=path scenarios)
 var EnvFileSessionStore_1 = require("./stores/env/EnvFileSessionStore");
 Object.defineProperty(exports, "EnvFileSessionStore", { enumerable: true, get: function () { return EnvFileSessionStore_1.EnvFileSessionStore; } });

package/dist/storage/abap/envLoader.d.ts

@@ -6,9 +6,10 @@ interface EnvConfig {
     sapUrl: string;
     sapClient?: string;
     jwtToken?: string;
+    sessionCookies?: string;
     username?: string;
     password?: string;
-    authType?: 'basic' | 'jwt';
+    authType?: 'basic' | 'jwt' | 'saml';
     refreshToken?: string;
     uaaUrl?: string;
     uaaClientId?: string;

package/dist/storage/abap/envLoader.js

@@ -65,6 +65,7 @@ async function loadEnvFile(destination, directory, log) {
         // Extract required fields
         const sapUrl = parsed[constants_1.ABAP_CONNECTION_VARS.SERVICE_URL];
         const jwtToken = parsed[constants_1.ABAP_CONNECTION_VARS.AUTHORIZATION_TOKEN];
+        const sessionCookiesB64 = parsed[constants_1.ABAP_CONNECTION_VARS.SESSION_COOKIES_B64];
         const username = parsed[constants_1.ABAP_CONNECTION_VARS.USERNAME];
         const password = parsed[constants_1.ABAP_CONNECTION_VARS.PASSWORD];
         log?.debug(`Extracted fields: hasSapUrl(${!!sapUrl}), hasJwtToken(${jwtToken !== undefined && jwtToken !== null}), hasUsername(${!!username}), hasPassword(${!!password})`);
@@ -76,14 +77,19 @@ async function loadEnvFile(destination, directory, log) {
         // Determine auth type: if username/password present and no jwtToken, use basic auth
         // If jwtToken present, use JWT auth
         // If neither is present, it's OK - auth can be set later (e.g., via setAuthorizationConfig)
+        const hasSamlCookies = !!(sessionCookiesB64 && sessionCookiesB64.trim() !== '');
         const isBasicAuth = !!(username && password) && (!jwtToken || jwtToken.trim() === '');
         const isJwtAuth = !!(jwtToken && jwtToken.trim() !== '');
-        const _hasNoAuth = !isBasicAuth && !isJwtAuth;
+        const _hasNoAuth = !isBasicAuth && !isJwtAuth && !hasSamlCookies;
         const config = {
             sapUrl: sapUrl.trim(),
         };
         // Set authentication fields based on type
-        if (isBasicAuth) {
+        if (hasSamlCookies) {
+            config.sessionCookies = Buffer.from(sessionCookiesB64, 'base64').toString('utf8');
+            config.authType = 'saml';
+        }
+        else if (isBasicAuth) {
             config.username = username.trim();
             config.password = password.trim();
             config.authType = 'basic';
@@ -121,7 +127,9 @@ async function loadEnvFile(destination, directory, log) {
         const tokenLength = config.jwtToken?.length || 0;
         const authInfo = config.authType === 'basic'
             ? `basic auth (username: ${config.username})`
-            : `JWT token(${tokenLength} chars)`;
+            : config.authType === 'saml'
+                ? `SAML session cookies(${config.sessionCookies?.length || 0} chars)`
+                : `JWT token(${tokenLength} chars)`;
         log?.info(`Env config loaded from ${envFilePath}: sapUrl(${config.sapUrl.substring(0, 50)}...), ${authInfo}, hasRefreshToken(${!!config.refreshToken}), hasUaaUrl(${!!config.uaaUrl})`);
         return config;
     }

package/dist/storage/abap/tokenStorage.d.ts

@@ -6,9 +6,10 @@ interface EnvConfig {
     sapUrl: string;
     sapClient?: string;
     jwtToken?: string;
+    sessionCookies?: string;
     username?: string;
     password?: string;
-    authType?: 'basic' | 'jwt';
+    authType?: 'basic' | 'jwt' | 'saml';
     refreshToken?: string;
     uaaUrl?: string;
     uaaClientId?: string;

package/dist/storage/abap/tokenStorage.js

@@ -54,9 +54,10 @@ async function saveTokenToEnv(destination, savePath, config, log) {
     log?.debug(`Saving token to env file: ${envFilePath}`);
     const tokenLength = config.jwtToken?.length || 0;
     const hasBasicAuth = !!(config.username && config.password);
+    const hasSamlCookies = !!config.sessionCookies;
     const formattedToken = (0, formatting_1.formatToken)(config.jwtToken);
     const formattedRefreshToken = (0, formatting_1.formatToken)(config.refreshToken);
-    log?.debug(`Config to save: hasSapUrl(${!!config.sapUrl}), token(${tokenLength} chars${formattedToken ? `, ${formattedToken}` : ''}), hasBasicAuth(${hasBasicAuth}), refreshToken(${formattedRefreshToken || 'none'}), hasUaaUrl(${!!config.uaaUrl})`);
+    log?.debug(`Config to save: hasSapUrl(${!!config.sapUrl}), token(${tokenLength} chars${formattedToken ? `, ${formattedToken}` : ''}), hasBasicAuth(${hasBasicAuth}), hasSamlCookies(${hasSamlCookies}), refreshToken(${formattedRefreshToken || 'none'}), hasUaaUrl(${!!config.uaaUrl})`);
     // Ensure directory exists
     if (!fs.existsSync(savePath)) {
         log?.debug(`Creating directory: ${savePath}`);
@@ -90,8 +91,15 @@ async function saveTokenToEnv(destination, savePath, config, log) {
     // Update with new values
     // sapUrl is required - always save it
     existingVars.set(constants_1.ABAP_CONNECTION_VARS.SERVICE_URL, config.sapUrl);
-    // Handle authentication: JWT or basic auth
-    if (config.username && config.password) {
+    // Handle authentication: SAML cookies, JWT, or basic auth
+    if (config.sessionCookies) {
+        const cookiesB64 = Buffer.from(config.sessionCookies, 'utf8').toString('base64');
+        existingVars.set(constants_1.ABAP_CONNECTION_VARS.SESSION_COOKIES_B64, cookiesB64);
+        existingVars.set(constants_1.ABAP_CONNECTION_VARS.AUTHORIZATION_TOKEN, '');
+        existingVars.delete(constants_1.ABAP_CONNECTION_VARS.USERNAME);
+        existingVars.delete(constants_1.ABAP_CONNECTION_VARS.PASSWORD);
+    }
+    else if (config.username && config.password) {
         // Basic auth - save username/password
         existingVars.set(constants_1.ABAP_CONNECTION_VARS.USERNAME, config.username);
         existingVars.set(constants_1.ABAP_CONNECTION_VARS.PASSWORD, config.password);
@@ -99,6 +107,7 @@ async function saveTokenToEnv(destination, savePath, config, log) {
         if (config.jwtToken) {
             existingVars.set(constants_1.ABAP_CONNECTION_VARS.AUTHORIZATION_TOKEN, '');
         }
+        existingVars.delete(constants_1.ABAP_CONNECTION_VARS.SESSION_COOKIES_B64);
     }
     else if (config.jwtToken) {
         // JWT auth - save token
@@ -106,6 +115,7 @@ async function saveTokenToEnv(destination, savePath, config, log) {
         // Clear username/password if JWT auth is used
         existingVars.delete(constants_1.ABAP_CONNECTION_VARS.USERNAME);
         existingVars.delete(constants_1.ABAP_CONNECTION_VARS.PASSWORD);
+        existingVars.delete(constants_1.ABAP_CONNECTION_VARS.SESSION_COOKIES_B64);
     }
     if (config.sapClient) {
         existingVars.set(constants_1.ABAP_CONNECTION_VARS.SAP_CLIENT, config.sapClient);

package/dist/stores/abap/AbapSessionStore.js

@@ -104,8 +104,13 @@ class AbapSessionStore {
             sapClient: obj.sapClient,
             language: obj.language,
         };
-        // Handle authentication: JWT or basic auth
-        if (obj.username && obj.password) {
+        // Handle authentication: SAML cookies, basic auth, or JWT auth
+        if (obj.sessionCookies) {
+            result.sessionCookies = obj.sessionCookies;
+            result.authType = 'saml';
+            result.jwtToken = '';
+        }
+        else if (obj.username && obj.password) {
             // Basic auth
             result.username = obj.username;
             result.password = obj.password;
@@ -141,6 +146,7 @@ class AbapSessionStore {
         await (0, tokenStorage_1.saveTokenToEnv)(destination, savePath, {
             sapUrl: abapConfig.sapUrl,
             jwtToken: abapConfig.jwtToken,
+            sessionCookies: abapConfig.sessionCookies,
             username: abapConfig.username,
             password: abapConfig.password,
             authType: abapConfig.authType,
@@ -216,6 +222,9 @@ class AbapSessionStore {
         if (rawSession.jwtToken !== undefined) {
             result.authorizationToken = rawSession.jwtToken;
         }
+        if (rawSession.sessionCookies !== undefined) {
+            result.sessionCookies = rawSession.sessionCookies;
+        }
         // Basic auth fields (if present)
         if (rawSession.username) {
             result.username = rawSession.username;
@@ -317,6 +326,21 @@ class AbapSessionStore {
             this.log?.warn(`Connection config for ${destination} missing required field: sapUrl`);
             return null;
         }
+        // SAML auth: session cookies
+        if (sessionConfig.authType === 'saml' || sessionConfig.sessionCookies) {
+            if (!sessionConfig.sessionCookies) {
+                this.log?.warn(`Connection config for ${destination} missing required field for SAML auth: sessionCookies`);
+                return null;
+            }
+            this.log?.debug(`Connection config loaded for ${destination} (SAML auth): cookies(${sessionConfig.sessionCookies.length} chars), sapUrl(${sessionConfig.sapUrl.substring(0, 40)}...)`);
+            return {
+                serviceUrl: sessionConfig.sapUrl,
+                sessionCookies: sessionConfig.sessionCookies,
+                authType: 'saml',
+                sapClient: sessionConfig.sapClient,
+                language: sessionConfig.language,
+            };
+        }
         // Check for basic auth: if username/password present and no jwtToken, use basic auth
         const isBasicAuth = sessionConfig.authType === 'basic' ||
             (!sessionConfig.jwtToken &&
@@ -448,6 +472,7 @@ class AbapSessionStore {
             const newSession = {
                 serviceUrl: serviceUrl,
                 authorizationToken: config.authorizationToken || '',
+                sessionCookies: config.sessionCookies,
                 sapClient: config.sapClient,
                 language: config.language,
             };
@@ -460,6 +485,9 @@ class AbapSessionStore {
         const updated = {
             serviceUrl: config.serviceUrl || current.sapUrl,
             authorizationToken: config.authorizationToken,
+            sessionCookies: config.sessionCookies !== undefined
+                ? config.sessionCookies
+                : current.sessionCookies,
             sapClient: config.sapClient !== undefined ? config.sapClient : current.sapClient,
             language: config.language !== undefined ? config.language : current.language,
             uaaUrl: current.uaaUrl,

package/dist/stores/abap/SafeAbapSessionStore.js

@@ -84,6 +84,9 @@ class SafeAbapSessionStore {
         if (rawSession.jwtToken !== undefined) {
             result.authorizationToken = rawSession.jwtToken;
         }
+        if (rawSession.sessionCookies !== undefined) {
+            result.sessionCookies = rawSession.sessionCookies;
+        }
         if (rawSession.sapClient) {
             result.sapClient = rawSession.sapClient;
         }
@@ -141,6 +144,21 @@ class SafeAbapSessionStore {
             this.log?.warn(`Connection config for ${destination} missing required field: sapUrl`);
             return null;
         }
+        // SAML auth: session cookies
+        if (sessionConfig.authType === 'saml' || sessionConfig.sessionCookies) {
+            if (!sessionConfig.sessionCookies) {
+                this.log?.warn(`Connection config for ${destination} missing required field for SAML auth: sessionCookies`);
+                return null;
+            }
+            this.log?.debug(`Connection config loaded for ${destination} (SAML auth): cookies(${sessionConfig.sessionCookies.length} chars), sapUrl(${sessionConfig.sapUrl.substring(0, 40)}...)`);
+            return {
+                serviceUrl: sessionConfig.sapUrl,
+                sessionCookies: sessionConfig.sessionCookies,
+                authType: 'saml',
+                sapClient: sessionConfig.sapClient,
+                language: sessionConfig.language,
+            };
+        }
         // Check for basic auth: if username/password present and no jwtToken, use basic auth
         const isBasicAuth = sessionConfig.authType === 'basic' ||
             (!sessionConfig.jwtToken &&
@@ -189,6 +207,7 @@ class SafeAbapSessionStore {
             const newSession = {
                 sapUrl: serviceUrl,
                 jwtToken: config.authorizationToken,
+                sessionCookies: config.sessionCookies,
                 username: config.username,
                 password: config.password,
                 authType: config.authType,
@@ -205,6 +224,9 @@ class SafeAbapSessionStore {
             ...current,
             sapUrl: config.serviceUrl || current.sapUrl,
             jwtToken: config.authorizationToken || current.jwtToken || '',
+            sessionCookies: config.sessionCookies !== undefined
+                ? config.sessionCookies
+                : current.sessionCookies,
             username: config.username !== undefined ? config.username : current.username,
             password: config.password !== undefined ? config.password : current.password,
             authType: config.authType !== undefined ? config.authType : current.authType,

package/dist/utils/constants.d.ts

@@ -48,6 +48,8 @@ export declare const ABAP_CONNECTION_VARS: {
     readonly SERVICE_URL: "SAP_URL";
     /** Authorization token (JWT token) */
     readonly AUTHORIZATION_TOKEN: "SAP_JWT_TOKEN";
+    /** Session cookies (base64-encoded) */
+    readonly SESSION_COOKIES_B64: "SAP_SESSION_COOKIES_B64";
     /** Username for basic authentication (on-premise systems) */
     readonly USERNAME: "SAP_USERNAME";
     /** Password for basic authentication (on-premise systems) */

package/dist/utils/constants.js

@@ -51,6 +51,8 @@ exports.ABAP_CONNECTION_VARS = {
     SERVICE_URL: 'SAP_URL',
     /** Authorization token (JWT token) */
     AUTHORIZATION_TOKEN: 'SAP_JWT_TOKEN',
+    /** Session cookies (base64-encoded) */
+    SESSION_COOKIES_B64: 'SAP_SESSION_COOKIES_B64',
     /** Username for basic authentication (on-premise systems) */
     USERNAME: 'SAP_USERNAME',
     /** Password for basic authentication (on-premise systems) */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-stores",
-  "version": "0.3.0",
+  "version": "1.0.0",
   "description": "Stores for MCP ABAP ADT auth-broker - BTP, ABAP, and XSUAA implementations",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -53,7 +53,7 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@mcp-abap-adt/interfaces": "^0.2.14",
+    "@mcp-abap-adt/interfaces": "^2.3.0",
     "dotenv": "^17.2.1"
   },
   "devDependencies": {