@mcp-z/client 1.0.0

package/dist/cjs/dcr/dcr-authenticator.js

@@ -0,0 +1,655 @@
+/**
+ * DCR Authenticator
+ * Consolidates DCR and OAuth flow logic for MCP HTTP servers
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "DcrAuthenticator", {
+    enumerable: true,
+    get: function() {
+        return DcrAuthenticator;
+    }
+});
+var _nodepath = /*#__PURE__*/ _interop_require_default(require("node:path"));
+var _fs = /*#__PURE__*/ _interop_require_wildcard(require("fs"));
+var _keyv = /*#__PURE__*/ _interop_require_default(require("keyv"));
+var _keyvfile = require("keyv-file");
+var _interactiveoauthflowts = require("../auth/interactive-oauth-flow.js");
+var _loggerts = require("../utils/logger.js");
+var _dynamicclientregistrarts = require("./dynamic-client-registrar.js");
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+    try {
+        var info = gen[key](arg);
+        var value = info.value;
+    } catch (error) {
+        reject(error);
+        return;
+    }
+    if (info.done) {
+        resolve(value);
+    } else {
+        Promise.resolve(value).then(_next, _throw);
+    }
+}
+function _async_to_generator(fn) {
+    return function() {
+        var self = this, args = arguments;
+        return new Promise(function(resolve, reject) {
+            var gen = fn.apply(self, args);
+            function _next(value) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+            }
+            function _throw(err) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+            }
+            _next(undefined);
+        });
+    };
+}
+function _class_call_check(instance, Constructor) {
+    if (!(instance instanceof Constructor)) {
+        throw new TypeError("Cannot call a class as a function");
+    }
+}
+function _instanceof(left, right) {
+    if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+        return !!right[Symbol.hasInstance](left);
+    } else {
+        return left instanceof right;
+    }
+}
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+function _getRequireWildcardCache(nodeInterop) {
+    if (typeof WeakMap !== "function") return null;
+    var cacheBabelInterop = new WeakMap();
+    var cacheNodeInterop = new WeakMap();
+    return (_getRequireWildcardCache = function(nodeInterop) {
+        return nodeInterop ? cacheNodeInterop : cacheBabelInterop;
+    })(nodeInterop);
+}
+function _interop_require_wildcard(obj, nodeInterop) {
+    if (!nodeInterop && obj && obj.__esModule) {
+        return obj;
+    }
+    if (obj === null || typeof obj !== "object" && typeof obj !== "function") {
+        return {
+            default: obj
+        };
+    }
+    var cache = _getRequireWildcardCache(nodeInterop);
+    if (cache && cache.has(obj)) {
+        return cache.get(obj);
+    }
+    var newObj = {
+        __proto__: null
+    };
+    var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor;
+    for(var key in obj){
+        if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) {
+            var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null;
+            if (desc && (desc.get || desc.set)) {
+                Object.defineProperty(newObj, key, desc);
+            } else {
+                newObj[key] = obj[key];
+            }
+        }
+    }
+    newObj.default = obj;
+    if (cache) {
+        cache.set(obj, newObj);
+    }
+    return newObj;
+}
+function _ts_generator(thisArg, body) {
+    var f, y, t, _ = {
+        label: 0,
+        sent: function() {
+            if (t[0] & 1) throw t[1];
+            return t[1];
+        },
+        trys: [],
+        ops: []
+    }, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype), d = Object.defineProperty;
+    return d(g, "next", {
+        value: verb(0)
+    }), d(g, "throw", {
+        value: verb(1)
+    }), d(g, "return", {
+        value: verb(2)
+    }), typeof Symbol === "function" && d(g, Symbol.iterator, {
+        value: function() {
+            return this;
+        }
+    }), g;
+    function verb(n) {
+        return function(v) {
+            return step([
+                n,
+                v
+            ]);
+        };
+    }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while(g && (g = 0, op[0] && (_ = 0)), _)try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [
+                op[0] & 2,
+                t.value
+            ];
+            switch(op[0]){
+                case 0:
+                case 1:
+                    t = op;
+                    break;
+                case 4:
+                    _.label++;
+                    return {
+                        value: op[1],
+                        done: false
+                    };
+                case 5:
+                    _.label++;
+                    y = op[1];
+                    op = [
+                        0
+                    ];
+                    continue;
+                case 7:
+                    op = _.ops.pop();
+                    _.trys.pop();
+                    continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+                        _ = 0;
+                        continue;
+                    }
+                    if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+                        _.label = op[1];
+                        break;
+                    }
+                    if (op[0] === 6 && _.label < t[1]) {
+                        _.label = t[1];
+                        t = op;
+                        break;
+                    }
+                    if (t && _.label < t[2]) {
+                        _.label = t[2];
+                        _.ops.push(op);
+                        break;
+                    }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop();
+                    continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) {
+            op = [
+                6,
+                e
+            ];
+            y = 0;
+        } finally{
+            f = t = 0;
+        }
+        if (op[0] & 5) throw op[1];
+        return {
+            value: op[0] ? op[1] : void 0,
+            done: true
+        };
+    }
+}
+/**
+ * Buffer time before token expiry to trigger proactive refresh (5 minutes)
+ */ var REFRESH_BUFFER_MS = 5 * 60 * 1000;
+var DcrAuthenticator = /*#__PURE__*/ function() {
+    "use strict";
+    function DcrAuthenticator(options) {
+        _class_call_check(this, DcrAuthenticator);
+        var _options_logger;
+        if (options.tokenStore) {
+            this.tokenStore = options.tokenStore;
+        } else {
+            // Default CLI store in .mcp-z directory (per-project)
+            var storePath = _nodepath.default.join(process.cwd(), '.mcp-z', 'tokens.json');
+            // Ensure directory exists before creating store
+            _fs.mkdirSync(_nodepath.default.dirname(storePath), {
+                recursive: true
+            });
+            this.tokenStore = new _keyv.default({
+                store: new _keyvfile.KeyvFile({
+                    filename: storePath
+                })
+            });
+        }
+        this.dcrClient = new _dynamicclientregistrarts.DynamicClientRegistrar();
+        this.oauthFlow = new _interactiveoauthflowts.InteractiveOAuthFlow();
+        this.headless = options.headless || false;
+        this.redirectUri = options.redirectUri;
+        this.logger = (_options_logger = options.logger) !== null && _options_logger !== void 0 ? _options_logger : _loggerts.logger;
+    }
+    var _proto = DcrAuthenticator.prototype;
+    /**
+   * Detect if server is self-hosted DCR (vs external OAuth provider)
+   * Self-hosted servers have their own OAuth endpoints and manage token storage
+   */ _proto.detectSelfHostedMode = function detectSelfHostedMode(baseUrl) {
+        return _async_to_generator(function() {
+            return _ts_generator(this, function(_state) {
+                try {
+                    // Self-hosted DCR servers typically run their own OAuth server
+                    // Check if this is a self-hosted instance by testing OAuth metadata
+                    // For now, assume self-hosted if baseUrl matches common localhost patterns
+                    // TODO: Implement proper self-hosted detection logic
+                    return [
+                        2,
+                        baseUrl.includes('localhost') || baseUrl.includes('127.0.0.1')
+                    ];
+                } catch (_error) {
+                    return [
+                        2,
+                        false
+                    ]; // Assume external mode if detection fails
+                }
+                return [
+                    2
+                ];
+            });
+        })();
+    };
+    /**
+   * Ensure server is authenticated, performing DCR and OAuth if needed
+   * Proactively refreshes tokens if they're within 5 minutes of expiry
+   *
+   * @param baseUrl - Base URL of the server (e.g., https://example.com)
+   * @param capabilities - Auth capabilities from .well-known endpoint
+   * @returns Valid token set ready to use
+   *
+   * @throws Error if authentication fails
+   *
+   * @example
+   * const authenticator = new DcrAuthenticator({ redirectUri: 'http://localhost:3000/callback' });
+   * const tokens = await authenticator.ensureAuthenticated(
+   *   'https://example.com',
+   *   capabilities
+   * );
+   */ _proto.ensureAuthenticated = function ensureAuthenticated(baseUrl, capabilities) {
+        return _async_to_generator(function() {
+            var isSelfHosted;
+            return _ts_generator(this, function(_state) {
+                switch(_state.label){
+                    case 0:
+                        return [
+                            4,
+                            this.detectSelfHostedMode(baseUrl)
+                        ];
+                    case 1:
+                        isSelfHosted = _state.sent();
+                        if (isSelfHosted) {
+                            return [
+                                2,
+                                this.ensureAuthenticatedSelfHosted(baseUrl, capabilities)
+                            ];
+                        }
+                        return [
+                            2,
+                            this.ensureAuthenticatedExternal(baseUrl, capabilities)
+                        ];
+                }
+            });
+        }).call(this);
+    };
+    /**
+   * Handle authentication for self-hosted DCR servers
+   * Self-hosted servers manage their own token storage via /oauth/verify
+   */ _proto.ensureAuthenticatedSelfHosted = function ensureAuthenticatedSelfHosted(baseUrl, capabilities) {
+        return _async_to_generator(function() {
+            var dcrTokenKey, tokens, verifyUrl, verifyResponse, verifyData, _error, port, client, flowOptions, verifyUrl1, verifyResponse1, verifyData1, error;
+            return _ts_generator(this, function(_state) {
+                switch(_state.label){
+                    case 0:
+                        dcrTokenKey = "dcr-tokens:".concat(baseUrl);
+                        return [
+                            4,
+                            this.tokenStore.get(dcrTokenKey)
+                        ];
+                    case 1:
+                        tokens = _state.sent();
+                        if (!tokens) return [
+                            3,
+                            9
+                        ];
+                        _state.label = 2;
+                    case 2:
+                        _state.trys.push([
+                            2,
+                            6,
+                            ,
+                            7
+                        ]);
+                        verifyUrl = "".concat(baseUrl, "/oauth/verify");
+                        return [
+                            4,
+                            fetch(verifyUrl, {
+                                headers: {
+                                    Authorization: "Bearer ".concat(tokens.accessToken),
+                                    Connection: 'close'
+                                }
+                            })
+                        ];
+                    case 3:
+                        verifyResponse = _state.sent();
+                        if (!verifyResponse.ok) return [
+                            3,
+                            5
+                        ];
+                        return [
+                            4,
+                            verifyResponse.json()
+                        ];
+                    case 4:
+                        verifyData = _state.sent();
+                        if (verifyData.token === tokens.accessToken) {
+                            // Token is still valid with the self-hosted server
+                            return [
+                                2,
+                                tokens
+                            ];
+                        }
+                        _state.label = 5;
+                    case 5:
+                        return [
+                            3,
+                            7
+                        ];
+                    case 6:
+                        _error = _state.sent();
+                        return [
+                            3,
+                            7
+                        ];
+                    case 7:
+                        // Token is expired or invalid
+                        return [
+                            4,
+                            this.tokenStore.delete(dcrTokenKey)
+                        ];
+                    case 8:
+                        _state.sent();
+                        tokens = undefined;
+                        _state.label = 9;
+                    case 9:
+                        // 3. No valid tokens - perform full DCR + OAuth flow
+                        if (!capabilities.registrationEndpoint || !capabilities.authorizationEndpoint || !capabilities.tokenEndpoint) {
+                            throw new Error('Server does not provide required OAuth endpoints');
+                        }
+                        this.logger.debug('🔐 No valid tokens found, starting self-hosted DCR authentication...');
+                        // Extract port from pre-resolved redirectUri
+                        port = parseInt(new URL(this.redirectUri).port, 10) || (this.redirectUri.startsWith('https:') ? 443 : 80);
+                        // Register OAuth client via DCR
+                        this.logger.debug('📝 Registering OAuth client with self-hosted server...');
+                        return [
+                            4,
+                            this.dcrClient.registerClient(capabilities.registrationEndpoint, {
+                                redirectUri: this.redirectUri
+                            })
+                        ];
+                    case 10:
+                        client = _state.sent();
+                        // Perform OAuth authorization flow with PKCE (RFC 7636)
+                        flowOptions = {
+                            port: port,
+                            headless: this.headless,
+                            redirectUri: this.redirectUri,
+                            pkce: true,
+                            logger: this.logger
+                        };
+                        if (capabilities.scopes) {
+                            flowOptions.scopes = capabilities.scopes;
+                        }
+                        return [
+                            4,
+                            this.oauthFlow.performAuthFlow(capabilities.authorizationEndpoint, capabilities.tokenEndpoint, client.clientId, client.clientSecret, flowOptions)
+                        ];
+                    case 11:
+                        tokens = _state.sent();
+                        _state.label = 12;
+                    case 12:
+                        _state.trys.push([
+                            12,
+                            15,
+                            ,
+                            16
+                        ]);
+                        verifyUrl1 = "".concat(baseUrl, "/oauth/verify");
+                        return [
+                            4,
+                            fetch(verifyUrl1, {
+                                headers: {
+                                    Authorization: "Bearer ".concat(tokens.accessToken),
+                                    Connection: 'close'
+                                }
+                            })
+                        ];
+                    case 13:
+                        verifyResponse1 = _state.sent();
+                        if (!verifyResponse1.ok) {
+                            throw new Error("DCR token verification failed after authentication: ".concat(verifyResponse1.status));
+                        }
+                        return [
+                            4,
+                            verifyResponse1.json()
+                        ];
+                    case 14:
+                        verifyData1 = _state.sent();
+                        if (verifyData1.token !== tokens.accessToken) {
+                            throw new Error('DCR server returned different token in verification');
+                        }
+                        this.logger.debug('✅ DCR token verified with self-hosted server');
+                        return [
+                            3,
+                            16
+                        ];
+                    case 15:
+                        error = _state.sent();
+                        this.logger.error('❌ DCR token verification failed:', _instanceof(error, Error) ? error.message : String(error));
+                        throw new Error('Self-hosted DCR authentication completed but token verification failed');
+                    case 16:
+                        // Save tokens for future use
+                        return [
+                            4,
+                            this.tokenStore.set(dcrTokenKey, tokens)
+                        ];
+                    case 17:
+                        _state.sent();
+                        this.logger.debug('✅ Self-hosted DCR authentication successful, tokens saved');
+                        return [
+                            2,
+                            tokens
+                        ];
+                }
+            });
+        }).call(this);
+    };
+    /**
+   * Handle authentication for external OAuth providers (original implementation)
+   */ _proto.ensureAuthenticatedExternal = function ensureAuthenticatedExternal(baseUrl, capabilities) {
+        return _async_to_generator(function() {
+            var tokenKey, tokens, _error, port, client, flowOptions;
+            return _ts_generator(this, function(_state) {
+                switch(_state.label){
+                    case 0:
+                        tokenKey = "tokens:".concat(baseUrl);
+                        return [
+                            4,
+                            this.tokenStore.get(tokenKey)
+                        ];
+                    case 1:
+                        tokens = _state.sent();
+                        if (!tokens) return [
+                            3,
+                            8
+                        ];
+                        if (!(tokens.expiresAt < Date.now() + REFRESH_BUFFER_MS)) return [
+                            3,
+                            7
+                        ];
+                        this.logger.debug('🔄 Refreshing access token...');
+                        _state.label = 2;
+                    case 2:
+                        _state.trys.push([
+                            2,
+                            5,
+                            ,
+                            7
+                        ]);
+                        return [
+                            4,
+                            this.refreshTokens(tokens, capabilities.tokenEndpoint)
+                        ];
+                    case 3:
+                        tokens = _state.sent();
+                        return [
+                            4,
+                            this.tokenStore.set(tokenKey, tokens)
+                        ];
+                    case 4:
+                        _state.sent();
+                        this.logger.debug('✅ Token refreshed successfully');
+                        return [
+                            3,
+                            7
+                        ];
+                    case 5:
+                        _error = _state.sent();
+                        // Refresh failed - clear tokens and re-authenticate
+                        this.logger.warn('⚠️  Token refresh failed, re-authenticating...');
+                        return [
+                            4,
+                            this.tokenStore.delete(tokenKey)
+                        ];
+                    case 6:
+                        _state.sent();
+                        tokens = undefined;
+                        return [
+                            3,
+                            7
+                        ];
+                    case 7:
+                        if (tokens) {
+                            return [
+                                2,
+                                tokens
+                            ];
+                        }
+                        _state.label = 8;
+                    case 8:
+                        // 3. No valid tokens - perform DCR + OAuth flow
+                        if (!capabilities.registrationEndpoint || !capabilities.authorizationEndpoint || !capabilities.tokenEndpoint) {
+                            throw new Error('Server does not provide required OAuth endpoints');
+                        }
+                        this.logger.debug('🔐 No valid tokens found, starting external OAuth authentication...');
+                        // Extract port from pre-resolved redirectUri
+                        port = parseInt(new URL(this.redirectUri).port, 10) || (this.redirectUri.startsWith('https:') ? 443 : 80);
+                        // Register OAuth client via DCR
+                        this.logger.debug('📝 Registering OAuth client...');
+                        return [
+                            4,
+                            this.dcrClient.registerClient(capabilities.registrationEndpoint, {
+                                redirectUri: this.redirectUri
+                            })
+                        ];
+                    case 9:
+                        client = _state.sent();
+                        // Perform OAuth authorization flow with PKCE (RFC 7636)
+                        flowOptions = {
+                            port: port,
+                            headless: this.headless,
+                            redirectUri: this.redirectUri,
+                            pkce: true,
+                            logger: this.logger
+                        };
+                        if (capabilities.scopes) {
+                            flowOptions.scopes = capabilities.scopes;
+                        }
+                        return [
+                            4,
+                            this.oauthFlow.performAuthFlow(capabilities.authorizationEndpoint, capabilities.tokenEndpoint, client.clientId, client.clientSecret, flowOptions)
+                        ];
+                    case 10:
+                        tokens = _state.sent();
+                        // Save tokens for future use
+                        return [
+                            4,
+                            this.tokenStore.set(tokenKey, tokens)
+                        ];
+                    case 11:
+                        _state.sent();
+                        this.logger.debug('✅ Authentication successful, tokens saved');
+                        return [
+                            2,
+                            tokens
+                        ];
+                }
+            });
+        }).call(this);
+    };
+    /**
+   * Refresh access token using refresh token
+   */ _proto.refreshTokens = function refreshTokens(tokens, tokenEndpoint) {
+        return _async_to_generator(function() {
+            return _ts_generator(this, function(_state) {
+                switch(_state.label){
+                    case 0:
+                        if (!tokenEndpoint) {
+                            throw new Error('Token endpoint not available for refresh');
+                        }
+                        if (!tokens.refreshToken) {
+                            throw new Error('No refresh token available');
+                        }
+                        if (!tokens.clientId || !tokens.clientSecret) {
+                            throw new Error('Client credentials not available for refresh');
+                        }
+                        return [
+                            4,
+                            this.oauthFlow.refreshTokens(tokenEndpoint, tokens.refreshToken, tokens.clientId, tokens.clientSecret)
+                        ];
+                    case 1:
+                        return [
+                            2,
+                            _state.sent()
+                        ];
+                }
+            });
+        }).call(this);
+    };
+    /**
+   * Delete stored tokens for a server
+   */ _proto.deleteTokens = function deleteTokens(baseUrl) {
+        return _async_to_generator(function() {
+            var tokenKey;
+            return _ts_generator(this, function(_state) {
+                switch(_state.label){
+                    case 0:
+                        tokenKey = "tokens:".concat(baseUrl);
+                        return [
+                            4,
+                            this.tokenStore.delete(tokenKey)
+                        ];
+                    case 1:
+                        _state.sent();
+                        this.logger.debug("\uD83D\uDDD1️  Deleted tokens for ".concat(baseUrl));
+                        return [
+                            2
+                        ];
+                }
+            });
+        }).call(this);
+    };
+    return DcrAuthenticator;
+}();
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }