@mcp-z/oauth-google 1.0.0

package/dist/cjs/providers/loopback-oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/providers/loopback-oauth.ts"],"sourcesContent":["/**\n * Loopback OAuth Implementation (RFC 8252)\n *\n * Implements OAuth 2.0 Authorization Code Flow with PKCE using loopback interface redirection.\n * Uses ephemeral local server with OS-assigned port (RFC 8252 Section 8.3).\n */\n\nimport { addAccount, generatePKCE, getActiveAccount, getErrorTemplate, getSuccessTemplate, getToken, listAccountIds, type OAuth2TokenStorageProvider, setAccountInfo, setActiveAccount, setToken } from '@mcp-z/oauth';\nimport { OAuth2Client } from 'google-auth-library';\nimport * as http from 'http';\nimport open from 'open';\nimport { type AuthContext, type AuthFlowDescriptor, AuthRequiredError, type CachedToken, type EnrichedExtra, type LoopbackOAuthConfig } from '../types.ts';\n\ninterface TokenResponse {\n  access_token: string;\n  refresh_token?: string;\n  expires_in?: number;\n  scope?: string;\n  token_type?: string;\n}\n\n/**\n * Loopback OAuth Client (RFC 8252 Section 7.3)\n *\n * Implements OAuth 2.0 Authorization Code Flow with PKCE for native applications\n * using loopback interface redirection. Manages ephemeral OAuth flows and token persistence\n * with Keyv for key-based token storage using compound keys.\n *\n * Token key format: {accountId}:{service}:token (e.g., \"user@example.com:gmail:token\")\n */\nexport class LoopbackOAuthProvider implements OAuth2TokenStorageProvider {\n  private config: LoopbackOAuthConfig;\n\n  constructor(config: LoopbackOAuthConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Get access token from Keyv using compound key\n   *\n   * @param accountId - Account identifier (email address). Required for loopback OAuth.\n   * @returns Access token for API requests\n   */\n  async getAccessToken(accountId?: string): Promise<string> {\n    const { logger, service, tokenStore } = this.config;\n\n    // Use active account if no accountId specified\n    const effectiveAccountId = accountId ?? (await getActiveAccount(tokenStore, { service }));\n\n    // If we have an accountId, try to use existing token\n    if (effectiveAccountId) {\n      logger.debug('Getting access token', { service, accountId: effectiveAccountId });\n\n      // Check Keyv for token using new key format\n      const storedToken = await getToken<CachedToken>(tokenStore, { accountId: effectiveAccountId, service });\n\n      if (storedToken && this.isTokenValid(storedToken)) {\n        logger.debug('Using stored access token', { accountId: effectiveAccountId });\n        return storedToken.accessToken;\n      }\n\n      // If stored token expired but has refresh token, try refresh\n      if (storedToken?.refreshToken) {\n        try {\n          logger.info('Refreshing expired access token', { accountId: effectiveAccountId });\n          const refreshedToken = await this.refreshAccessToken(storedToken.refreshToken);\n          await setToken(tokenStore, { accountId: effectiveAccountId, service }, refreshedToken);\n          return refreshedToken.accessToken;\n        } catch (error) {\n          logger.info('Token refresh failed, starting new OAuth flow', {\n            accountId: effectiveAccountId,\n            error: error instanceof Error ? error.message : String(error),\n          });\n          // Fall through to new OAuth flow\n        }\n      }\n    }\n\n    // No valid token or no account - check if we can start OAuth flow\n    const { headless } = this.config;\n    if (headless) {\n      // In headless mode (production), cannot start OAuth flow\n      // Throw AuthRequiredError with auth_url descriptor for MCP tool response\n      const { clientId, scope } = this.config;\n\n      // Incremental OAuth detection: Check if other accounts exist\n      const existingAccounts = await this.getExistingAccounts();\n      const hasOtherAccounts = effectiveAccountId ? existingAccounts.length > 0 && !existingAccounts.includes(effectiveAccountId) : existingAccounts.length > 0;\n\n      // Build informational OAuth URL for headless mode\n      // Note: No redirect_uri included - user must use account-add tool which starts proper ephemeral server\n      const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');\n      authUrl.searchParams.set('client_id', clientId);\n      authUrl.searchParams.set('response_type', 'code');\n      authUrl.searchParams.set('scope', scope);\n      authUrl.searchParams.set('access_type', 'offline');\n      authUrl.searchParams.set('prompt', 'consent');\n\n      let hint: string;\n      if (hasOtherAccounts) {\n        hint = `Existing ${service} accounts found. Use account-list to view, account-switch to change account, or account-add to add new account`;\n      } else if (effectiveAccountId) {\n        hint = `Use account-add to authenticate ${effectiveAccountId}`;\n      } else {\n        hint = 'Use account-add to authenticate interactively';\n      }\n\n      const baseDescriptor = {\n        kind: 'auth_url' as const,\n        provider: 'google',\n        url: authUrl.toString(),\n        hint,\n      };\n\n      const descriptor: AuthFlowDescriptor & { accountId?: string } = effectiveAccountId ? { ...baseDescriptor, accountId: effectiveAccountId } : baseDescriptor;\n\n      throw new AuthRequiredError(descriptor);\n    }\n\n    // Interactive mode - start ephemeral OAuth flow\n    logger.info('Starting ephemeral OAuth flow', { service, headless });\n    const { token, email } = await this.performEphemeralOAuthFlow();\n\n    // Store token with email as accountId\n    await setToken(tokenStore, { accountId: email, service }, token);\n\n    // Register account in account management system\n    await addAccount(tokenStore, { service, accountId: email });\n\n    // Set as active account so subsequent getAccessToken() calls find it\n    await setActiveAccount(tokenStore, { service, accountId: email });\n\n    // Store account metadata (email, added timestamp)\n    await setAccountInfo(\n      tokenStore,\n      { service, accountId: email },\n      {\n        email,\n        addedAt: new Date().toISOString(),\n      }\n    );\n\n    logger.info('OAuth flow completed', { service, accountId: email });\n\n    return token.accessToken;\n  }\n\n  /**\n   * Convert to googleapis-compatible OAuth2Client\n   *\n   * @param accountId - Account identifier for multi-account support (e.g., 'user@example.com')\n   * @returns OAuth2Client configured for the specified account\n   */\n  toAuth(accountId?: string): OAuth2Client {\n    const { clientId, clientSecret } = this.config;\n    const client = new OAuth2Client({\n      clientId,\n      ...(clientSecret && { clientSecret }),\n    });\n\n    // @ts-expect-error - Override protected method to inject fresh token\n    client.getRequestMetadataAsync = async (_url?: string) => {\n      // Get token from FileAuthAdapter (not from client to avoid recursion)\n      const token = await this.getAccessToken(accountId);\n\n      // Update client credentials for googleapis compatibility\n      client.credentials = {\n        access_token: token,\n        token_type: 'Bearer',\n      };\n\n      // Return headers as Map (required by authclient.js addUserProjectAndAuthHeaders)\n      const headers = new Map<string, string>();\n      headers.set('authorization', `Bearer ${token}`);\n      return { headers };\n    };\n\n    return client;\n  }\n\n  /**\n   * Authenticate new account with OAuth flow\n   * Triggers account selection, stores token, registers account\n   *\n   * @returns Email address of newly authenticated account\n   * @throws Error in headless mode (cannot open browser for OAuth)\n   */\n  async authenticateNewAccount(): Promise<string> {\n    const { logger, headless, service, tokenStore } = this.config;\n\n    if (headless) {\n      throw new Error('Cannot authenticate new account in headless mode - interactive OAuth required');\n    }\n\n    logger.info('Starting new account authentication', { service });\n\n    // Trigger OAuth with account selection\n    const { token, email } = await this.performEphemeralOAuthFlow();\n\n    // Store token\n    await setToken(tokenStore, { accountId: email, service }, token);\n\n    // Register account\n    await addAccount(tokenStore, { service, accountId: email });\n\n    // Set as active account\n    await setActiveAccount(tokenStore, { service, accountId: email });\n\n    // Store account metadata\n    await setAccountInfo(\n      tokenStore,\n      { service, accountId: email },\n      {\n        email,\n        addedAt: new Date().toISOString(),\n      }\n    );\n\n    logger.info('New account authenticated', { service, email });\n    return email;\n  }\n\n  /**\n   * Get user email from Google's userinfo endpoint (pure query)\n   * Used to query email for existing authenticated account\n   *\n   * @param accountId - Account identifier to get email for\n   * @returns User's email address\n   */\n  async getUserEmail(accountId?: string): Promise<string> {\n    // Get token for existing account\n    const token = await this.getAccessToken(accountId);\n\n    // Fetch email from Google userinfo\n    const response = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {\n      headers: {\n        Authorization: `Bearer ${token}`,\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(`Failed to get user info: ${response.status} ${await response.text()}`);\n    }\n\n    const userInfo = (await response.json()) as { email: string };\n    return userInfo.email;\n  }\n\n  /**\n   * Check for existing accounts in token storage (incremental OAuth detection)\n   *\n   * Uses key-utils helper for forward compatibility with key format changes.\n   *\n   * @returns Array of account IDs that have tokens for this service\n   */\n  private async getExistingAccounts(): Promise<string[]> {\n    const { service, tokenStore } = this.config;\n    return listAccountIds(tokenStore, service);\n  }\n\n  private isTokenValid(token: CachedToken): boolean {\n    if (!token.expiresAt) return true; // No expiry = assume valid\n    return Date.now() < token.expiresAt - 60000; // 1 minute buffer\n  }\n\n  /**\n   * Fetch user email from Google OAuth2 userinfo endpoint\n   * Called during OAuth flow to get email for accountId\n   *\n   * @param accessToken - Fresh access token from OAuth exchange\n   * @returns User's email address\n   */\n  private async fetchUserEmailFromToken(accessToken: string): Promise<string> {\n    const { logger } = this.config;\n\n    const response = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {\n      headers: {\n        Authorization: `Bearer ${accessToken}`,\n      },\n    });\n\n    if (!response.ok) {\n      const errorText = await response.text();\n      throw new Error(`Failed to fetch user email: HTTP ${response.status} - ${errorText}`);\n    }\n\n    const userInfo = (await response.json()) as { email: string };\n    const email = userInfo.email;\n\n    logger.debug('Fetched user email from Google userinfo API', { email });\n    return email;\n  }\n\n  private async performEphemeralOAuthFlow(): Promise<{ token: CachedToken; email: string }> {\n    const { clientId, scope, headless, logger, redirectUri: configRedirectUri } = this.config;\n\n    // Parse redirectUri if provided to extract host, protocol, port, and path\n    let targetHost = 'localhost'; // Default: localhost (match registered redirect URI)\n    let targetPort = 0; // Default: OS-assigned ephemeral port\n    let targetProtocol = 'http:'; // Default: http\n    let callbackPath = '/callback'; // Default callback path\n    let useConfiguredUri = false;\n\n    if (configRedirectUri) {\n      try {\n        const parsed = new URL(configRedirectUri);\n\n        // Use configured redirect URI as-is for production deployments\n        targetHost = parsed.hostname;\n        targetProtocol = parsed.protocol;\n\n        // Extract port from URL (use default ports if not specified)\n        if (parsed.port) {\n          targetPort = Number.parseInt(parsed.port, 10);\n        } else {\n          targetPort = parsed.protocol === 'https:' ? 443 : 80;\n        }\n\n        // Extract path (default to /callback if URL has no path or just '/')\n        if (parsed.pathname && parsed.pathname !== '/') {\n          callbackPath = parsed.pathname;\n        }\n\n        useConfiguredUri = true;\n\n        logger.debug('Using configured redirect URI', {\n          host: targetHost,\n          protocol: targetProtocol,\n          port: targetPort,\n          path: callbackPath,\n          redirectUri: configRedirectUri,\n        });\n      } catch (error) {\n        logger.warn('Failed to parse redirectUri, using ephemeral defaults', {\n          redirectUri: configRedirectUri,\n          error: error instanceof Error ? error.message : String(error),\n        });\n        // Continue with defaults (127.0.0.1, port 0, http, /callback)\n      }\n    }\n\n    return new Promise((resolve, reject) => {\n      // Generate PKCE challenge\n      const { verifier: codeVerifier, challenge: codeChallenge } = generatePKCE();\n\n      let server: http.Server | null = null;\n      let serverPort: number;\n      let finalRedirectUri: string; // Will be set in server.listen callback\n\n      // Create ephemeral server with OS-assigned port (RFC 8252)\n      server = http.createServer(async (req, res) => {\n        if (!req.url) {\n          res.writeHead(400, { 'Content-Type': 'text/html' });\n          res.end(getErrorTemplate('Invalid request'));\n          server?.close();\n          reject(new Error('Invalid request: missing URL'));\n          return;\n        }\n        const url = new URL(req.url, `http://127.0.0.1:${serverPort}`);\n\n        if (url.pathname === callbackPath) {\n          const code = url.searchParams.get('code');\n          const error = url.searchParams.get('error');\n\n          if (error) {\n            res.writeHead(400, { 'Content-Type': 'text/html' });\n            res.end(getErrorTemplate(error));\n            server?.close();\n            reject(new Error(`OAuth error: ${error}`));\n            return;\n          }\n\n          if (!code) {\n            res.writeHead(400, { 'Content-Type': 'text/html' });\n            res.end(getErrorTemplate('No authorization code received'));\n            server?.close();\n            reject(new Error('No authorization code received'));\n            return;\n          }\n\n          try {\n            // Exchange code for token (must use same redirect_uri as in authorization request)\n            const tokenResponse = await this.exchangeCodeForToken(code, codeVerifier, finalRedirectUri);\n\n            // Build cached token\n            const cachedToken: CachedToken = {\n              accessToken: tokenResponse.access_token,\n              ...(tokenResponse.refresh_token !== undefined && { refreshToken: tokenResponse.refresh_token }),\n              ...(tokenResponse.expires_in !== undefined && { expiresAt: Date.now() + tokenResponse.expires_in * 1000 }),\n              ...(tokenResponse.scope !== undefined && { scope: tokenResponse.scope }),\n            };\n\n            // Fetch user email immediately using the new access token\n            const email = await this.fetchUserEmailFromToken(tokenResponse.access_token);\n\n            res.writeHead(200, { 'Content-Type': 'text/html' });\n            res.end(getSuccessTemplate());\n            server?.close();\n            resolve({ token: cachedToken, email });\n          } catch (exchangeError) {\n            logger.error('Token exchange failed', { error: exchangeError instanceof Error ? exchangeError.message : String(exchangeError) });\n            res.writeHead(500, { 'Content-Type': 'text/html' });\n            res.end(getErrorTemplate('Token exchange failed'));\n            server?.close();\n            reject(exchangeError);\n          }\n        } else {\n          res.writeHead(404, { 'Content-Type': 'text/plain' });\n          res.end('Not Found');\n        }\n      });\n\n      // Listen on targetPort (0 for OS assignment, or custom port from redirectUri)\n      server.listen(targetPort, targetHost, () => {\n        const address = server?.address();\n        if (!address || typeof address === 'string') {\n          server?.close();\n          reject(new Error('Failed to start ephemeral server'));\n          return;\n        }\n\n        serverPort = address.port;\n\n        // Construct final redirect URI\n        if (useConfiguredUri && configRedirectUri) {\n          // Use configured redirect URI as-is for production\n          finalRedirectUri = configRedirectUri;\n        } else {\n          // Construct ephemeral redirect URI with actual server port\n          finalRedirectUri = `${targetProtocol}//${targetHost}:${serverPort}${callbackPath}`;\n        }\n\n        // Build auth URL\n        const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');\n        authUrl.searchParams.set('client_id', clientId);\n        authUrl.searchParams.set('redirect_uri', finalRedirectUri);\n        authUrl.searchParams.set('response_type', 'code');\n        authUrl.searchParams.set('scope', scope);\n        authUrl.searchParams.set('access_type', 'offline');\n        authUrl.searchParams.set('prompt', 'consent');\n        authUrl.searchParams.set('code_challenge', codeChallenge);\n        authUrl.searchParams.set('code_challenge_method', 'S256');\n\n        logger.info('Ephemeral OAuth server started', { port: serverPort, headless });\n\n        if (headless) {\n          // Headless mode: Print auth URL to stderr (stdout is MCP protocol)\n          console.error('\\n🔐 OAuth Authorization Required');\n          console.error('📋 Please visit this URL in your browser:\\n');\n          console.error(`   ${authUrl.toString()}\\n`);\n          console.error('⏳ Waiting for authorization...\\n');\n        } else {\n          // Interactive mode: Open browser automatically\n          logger.info('Opening browser for OAuth authorization');\n          open(authUrl.toString()).catch((error: Error) => {\n            logger.info('Failed to open browser automatically', { error: error.message });\n            console.error('\\n🔐 OAuth Authorization Required');\n            console.error(`   ${authUrl.toString()}\\n`);\n          });\n        }\n      });\n\n      // Timeout after 5 minutes\n      setTimeout(\n        () => {\n          if (server) {\n            server.close();\n            reject(new Error('OAuth flow timed out after 5 minutes'));\n          }\n        },\n        5 * 60 * 1000\n      );\n    });\n  }\n\n  private async exchangeCodeForToken(code: string, codeVerifier: string, redirectUri: string): Promise<TokenResponse> {\n    const { clientId, clientSecret } = this.config;\n\n    const tokenUrl = 'https://oauth2.googleapis.com/token';\n    const params: Record<string, string> = {\n      code,\n      client_id: clientId,\n      redirect_uri: redirectUri,\n      grant_type: 'authorization_code',\n      code_verifier: codeVerifier,\n    };\n    if (clientSecret) {\n      params.client_secret = clientSecret;\n    }\n    const body = new URLSearchParams(params);\n\n    const response = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      body: body.toString(),\n    });\n\n    if (!response.ok) {\n      const errorText = await response.text();\n      throw new Error(`Token exchange failed: ${response.status} ${errorText}`);\n    }\n\n    return (await response.json()) as TokenResponse;\n  }\n\n  private async refreshAccessToken(refreshToken: string): Promise<CachedToken> {\n    const { clientId, clientSecret } = this.config;\n\n    const tokenUrl = 'https://oauth2.googleapis.com/token';\n    const params: Record<string, string> = {\n      refresh_token: refreshToken,\n      client_id: clientId,\n      grant_type: 'refresh_token',\n    };\n    if (clientSecret) {\n      params.client_secret = clientSecret;\n    }\n    const body = new URLSearchParams(params);\n\n    const response = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      body: body.toString(),\n    });\n\n    if (!response.ok) {\n      const errorText = await response.text();\n      throw new Error(`Token refresh failed: ${response.status} ${errorText}`);\n    }\n\n    const tokenResponse = (await response.json()) as TokenResponse;\n\n    return {\n      accessToken: tokenResponse.access_token,\n      refreshToken: refreshToken, // Keep original refresh token\n      ...(tokenResponse.expires_in !== undefined && { expiresAt: Date.now() + tokenResponse.expires_in * 1000 }),\n      ...(tokenResponse.scope !== undefined && { scope: tokenResponse.scope }),\n    };\n  }\n\n  /**\n   * Create authentication middleware for MCP tools, resources, and prompts\n   *\n   * Returns position-aware middleware wrappers that enrich handlers with authentication context.\n   * The middleware handles token retrieval, refresh, and AuthRequiredError automatically.\n   *\n   * Single-user middleware for desktop/CLI apps where ONE user runs the entire process:\n   * - Desktop applications (Claude Desktop)\n   * - CLI tools (Gmail CLI)\n   * - Personal automation scripts\n   *\n   * All requests use token lookups based on the active account or account override.\n   *\n   * @returns Object with withToolAuth, withResourceAuth, withPromptAuth methods\n   *\n   * @example\n   * ```typescript\n   * const loopback = new LoopbackOAuthProvider({ service: 'gmail', ... });\n   * const authMiddleware = loopback.authMiddleware();\n   * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n   * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);\n   * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);\n   * ```\n   */\n  authMiddleware() {\n    const { service, tokenStore, logger } = this.config;\n\n    // Shared wrapper logic - extracts extra parameter from specified position\n    // Generic T captures the actual module type; handler is cast from unknown to callable\n    const wrapAtPosition = <T extends { name: string; handler: unknown; [key: string]: unknown }>(module: T, extraPosition: number): T => {\n      const operation = module.name;\n      const originalHandler = module.handler as (...args: unknown[]) => Promise<unknown>;\n\n      const wrappedHandler = async (...allArgs: unknown[]) => {\n        // Extract extra from the correct position\n        const extra = allArgs[extraPosition] as EnrichedExtra;\n\n        try {\n          // Check for backchannel override via _meta.accountId\n          let accountId: string | undefined;\n          try {\n            accountId = (extra as { _meta?: { accountId?: string } })._meta?.accountId ?? (await getActiveAccount(tokenStore, { service }));\n          } catch (error) {\n            if (error instanceof Error && ((error as { code?: string }).code === 'REQUIRES_AUTHENTICATION' || error.name === 'AccountManagerError')) {\n              accountId = undefined;\n            } else {\n              throw error;\n            }\n          }\n\n          // Eagerly validate token exists or trigger OAuth flow\n          await this.getAccessToken(accountId);\n\n          // After OAuth flow completes, get the actual accountId (email) that was set\n          const effectiveAccountId = accountId ?? (await getActiveAccount(tokenStore, { service }));\n          if (!effectiveAccountId) {\n            throw new Error(`No account found after OAuth flow for service ${service}`);\n          }\n\n          const auth = this.toAuth(effectiveAccountId);\n\n          // Inject authContext and logger into extra\n          (extra as { authContext?: AuthContext }).authContext = {\n            auth,\n            accountId: effectiveAccountId,\n          };\n          (extra as { logger?: unknown }).logger = logger;\n\n          // Call original handler with all args\n          return await originalHandler(...allArgs);\n        } catch (error) {\n          if (error instanceof AuthRequiredError) {\n            logger.info('Authentication required', {\n              service,\n              tool: operation,\n              descriptor: error.descriptor,\n            });\n            // Return auth_required response wrapped in { result } to match tool outputSchema pattern\n            // Tools define outputSchema: z.object({ result: discriminatedUnion(...) }) where auth_required is a branch\n            const authRequiredResponse = {\n              type: 'auth_required' as const,\n              provider: service,\n              message: `Authentication required for ${operation}. Please authenticate with ${service}.`,\n              url: error.descriptor.kind === 'auth_url' ? error.descriptor.url : undefined,\n            };\n\n            return {\n              content: [\n                {\n                  type: 'text' as const,\n                  text: JSON.stringify({ result: authRequiredResponse }),\n                },\n              ],\n              structuredContent: { result: authRequiredResponse },\n            };\n          }\n          throw error;\n        }\n      };\n\n      return {\n        ...module,\n        handler: wrappedHandler,\n      } as T;\n    };\n\n    return {\n      withToolAuth: <T extends { name: string; config: unknown; handler: unknown }>(module: T) => wrapAtPosition(module, 1),\n      withResourceAuth: <T extends { name: string; template?: unknown; config?: unknown; handler: unknown }>(module: T) => wrapAtPosition(module, 2),\n      withPromptAuth: <T extends { name: string; config: unknown; handler: unknown }>(module: T) => wrapAtPosition(module, 0),\n    };\n  }\n}\n\n/**\n * Create a loopback OAuth client for Google services\n * Works for both stdio and HTTP transports\n */\nexport function createGoogleFileAuth(config: LoopbackOAuthConfig): OAuth2TokenStorageProvider {\n  return new LoopbackOAuthProvider(config);\n}\n"],"names":["LoopbackOAuthProvider","createGoogleFileAuth","config","getAccessToken","accountId","logger","service","tokenStore","effectiveAccountId","storedToken","refreshedToken","error","headless","clientId","scope","existingAccounts","hasOtherAccounts","authUrl","hint","baseDescriptor","descriptor","token","email","getActiveAccount","debug","getToken","isTokenValid","accessToken","refreshToken","info","refreshAccessToken","setToken","Error","message","String","getExistingAccounts","length","includes","URL","searchParams","set","kind","provider","url","toString","AuthRequiredError","performEphemeralOAuthFlow","addAccount","setActiveAccount","setAccountInfo","addedAt","Date","toISOString","toAuth","clientSecret","client","OAuth2Client","getRequestMetadataAsync","_url","headers","credentials","access_token","token_type","Map","authenticateNewAccount","getUserEmail","response","userInfo","fetch","Authorization","ok","status","text","json","listAccountIds","expiresAt","now","fetchUserEmailFromToken","errorText","configRedirectUri","targetHost","targetPort","targetProtocol","callbackPath","useConfiguredUri","parsed","redirectUri","hostname","protocol","port","Number","parseInt","pathname","host","path","warn","Promise","resolve","reject","generatePKCE","verifier","codeVerifier","challenge","codeChallenge","server","serverPort","finalRedirectUri","http","createServer","req","res","code","tokenResponse","cachedToken","exchangeError","writeHead","end","getErrorTemplate","close","get","exchangeCodeForToken","refresh_token","undefined","expires_in","getSuccessTemplate","listen","address","console","open","catch","setTimeout","tokenUrl","params","body","client_id","redirect_uri","grant_type","code_verifier","client_secret","URLSearchParams","method","authMiddleware","wrapAtPosition","module","extraPosition","operation","name","originalHandler","handler","wrappedHandler","allArgs","extra","auth","authRequiredResponse","_meta","authContext","tool","type","content","JSON","stringify","result","structuredContent","withToolAuth","withResourceAuth","withPromptAuth"],"mappings":"AAAA;;;;;CAKC;;;;;;;;;;;QAyBYA;eAAAA;;QAwnBGC;eAAAA;;;qBA/oBwL;iCAC3K;4DACP;2DACL;uBAC4H;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmBtI,IAAA,AAAMD,sCAAN;;aAAMA,sBAGCE,MAA2B;gCAH5BF;QAIT,IAAI,CAACE,MAAM,GAAGA;;iBAJLF;IAOX;;;;;GAKC,GACD,OAAMG,cAsGL,GAtGD,SAAMA,eAAeC,SAAkB;;gBACG,cAAhCC,QAAQC,SAASC,YAGnBC,0BAOEC,aAWIC,gBAGCC,OAWLC,UAIsB,eAApBC,UAAUC,OAGZC,kBACAC,kBAIAC,SAOFC,MASEC,gBAOAC,YAOiB,MAAjBC,OAAOC;;;;wBA7EyB,eAAA,IAAI,CAACpB,MAAM,EAA3CG,SAAgC,aAAhCA,QAAQC,UAAwB,aAAxBA,SAASC,aAAe,aAAfA;8BAGEH,sBAAAA;;;;+BAAAA;;;;;;wBAAc;;4BAAMmB,IAAAA,uBAAgB,EAAChB,YAAY;gCAAED,SAAAA;4BAAQ;;;+BAA7C;;;wBAAnCE;6BAGFA,oBAAAA;;;;wBACFH,OAAOmB,KAAK,CAAC,wBAAwB;4BAAElB,SAAAA;4BAASF,WAAWI;wBAAmB;wBAG1D;;4BAAMiB,IAAAA,eAAQ,EAAclB,YAAY;gCAAEH,WAAWI;gCAAoBF,SAAAA;4BAAQ;;;wBAA/FG,cAAc;wBAEpB,IAAIA,eAAe,IAAI,CAACiB,YAAY,CAACjB,cAAc;4BACjDJ,OAAOmB,KAAK,CAAC,6BAA6B;gCAAEpB,WAAWI;4BAAmB;4BAC1E;;gCAAOC,YAAYkB,WAAW;;wBAChC;8BAGIlB,wBAAAA,kCAAAA,YAAamB,YAAY;;;;;;;;;;;;wBAEzBvB,OAAOwB,IAAI,CAAC,mCAAmC;4BAAEzB,WAAWI;wBAAmB;wBACxD;;4BAAM,IAAI,CAACsB,kBAAkB,CAACrB,YAAYmB,YAAY;;;wBAAvElB,iBAAiB;wBACvB;;4BAAMqB,IAAAA,eAAQ,EAACxB,YAAY;gCAAEH,WAAWI;gCAAoBF,SAAAA;4BAAQ,GAAGI;;;wBAAvE;wBACA;;4BAAOA,eAAeiB,WAAW;;;wBAC1BhB;wBACPN,OAAOwB,IAAI,CAAC,iDAAiD;4BAC3DzB,WAAWI;4BACXG,OAAOA,AAAK,YAALA,OAAiBqB,SAAQrB,MAAMsB,OAAO,GAAGC,OAAOvB;wBACzD;;;;;;wBAMN,kEAAkE;wBAC1DC,WAAa,IAAI,CAACV,MAAM,CAAxBU;6BACJA,UAAAA;;;;wBACF,yDAAyD;wBACzD,yEAAyE;wBAC7C,gBAAA,IAAI,CAACV,MAAM,EAA/BW,WAAoB,cAApBA,UAAUC,QAAU,cAAVA;wBAGO;;4BAAM,IAAI,CAACqB,mBAAmB;;;wBAAjDpB,mBAAmB;wBACnBC,mBAAmBR,qBAAqBO,iBAAiBqB,MAAM,GAAG,KAAK,CAACrB,iBAAiBsB,QAAQ,CAAC7B,sBAAsBO,iBAAiBqB,MAAM,GAAG;wBAExJ,kDAAkD;wBAClD,uGAAuG;wBACjGnB,UAAU,IAAIqB,IAAI;wBACxBrB,QAAQsB,YAAY,CAACC,GAAG,CAAC,aAAa3B;wBACtCI,QAAQsB,YAAY,CAACC,GAAG,CAAC,iBAAiB;wBAC1CvB,QAAQsB,YAAY,CAACC,GAAG,CAAC,SAAS1B;wBAClCG,QAAQsB,YAAY,CAACC,GAAG,CAAC,eAAe;wBACxCvB,QAAQsB,YAAY,CAACC,GAAG,CAAC,UAAU;wBAGnC,IAAIxB,kBAAkB;4BACpBE,OAAO,AAAC,YAAmB,OAARZ,SAAQ;wBAC7B,OAAO,IAAIE,oBAAoB;4BAC7BU,OAAO,AAAC,mCAAqD,OAAnBV;wBAC5C,OAAO;4BACLU,OAAO;wBACT;wBAEMC,iBAAiB;4BACrBsB,MAAM;4BACNC,UAAU;4BACVC,KAAK1B,QAAQ2B,QAAQ;4BACrB1B,MAAAA;wBACF;wBAEME,aAA0DZ,qBAAqB,wCAAKW;4BAAgBf,WAAWI;6BAAuBW;wBAE5I,MAAM,IAAI0B,0BAAiB,CAACzB;;wBAG9B,gDAAgD;wBAChDf,OAAOwB,IAAI,CAAC,iCAAiC;4BAAEvB,SAAAA;4BAASM,UAAAA;wBAAS;wBACxC;;4BAAM,IAAI,CAACkC,yBAAyB;;;wBAApC,OAAA,eAAjBzB,QAAiB,KAAjBA,OAAOC,QAAU,KAAVA;wBAEf,sCAAsC;wBACtC;;4BAAMS,IAAAA,eAAQ,EAACxB,YAAY;gCAAEH,WAAWkB;gCAAOhB,SAAAA;4BAAQ,GAAGe;;;wBAA1D;wBAEA,gDAAgD;wBAChD;;4BAAM0B,IAAAA,iBAAU,EAACxC,YAAY;gCAAED,SAAAA;gCAASF,WAAWkB;4BAAM;;;wBAAzD;wBAEA,qEAAqE;wBACrE;;4BAAM0B,IAAAA,uBAAgB,EAACzC,YAAY;gCAAED,SAAAA;gCAASF,WAAWkB;4BAAM;;;wBAA/D;wBAEA,kDAAkD;wBAClD;;4BAAM2B,IAAAA,qBAAc,EAClB1C,YACA;gCAAED,SAAAA;gCAASF,WAAWkB;4BAAM,GAC5B;gCACEA,OAAAA;gCACA4B,SAAS,IAAIC,OAAOC,WAAW;4BACjC;;;wBANF;wBASA/C,OAAOwB,IAAI,CAAC,wBAAwB;4BAAEvB,SAAAA;4BAASF,WAAWkB;wBAAM;wBAEhE;;4BAAOD,MAAMM,WAAW;;;;QAC1B;;IAEA;;;;;GAKC,GACD0B,OAAAA,MAyBC,GAzBDA,SAAAA,OAAOjD,SAAkB;;QACvB,IAAmC,eAAA,IAAI,CAACF,MAAM,EAAtCW,WAA2B,aAA3BA,UAAUyC,eAAiB,aAAjBA;QAClB,IAAMC,SAAS,IAAIC,+BAAY,CAAC;YAC9B3C,UAAAA;WACIyC,gBAAgB;YAAEA,cAAAA;QAAa;QAGrC,qEAAqE;QACrEC,OAAOE,uBAAuB,GAAG,SAAOC;;oBAEhCrC,OASAsC;;;;4BATQ;;gCAAM,IAAI,CAACxD,cAAc,CAACC;;;4BAAlCiB,QAAQ;4BAEd,yDAAyD;4BACzDkC,OAAOK,WAAW,GAAG;gCACnBC,cAAcxC;gCACdyC,YAAY;4BACd;4BAEA,iFAAiF;4BAC3EH,UAAU,IAAII;4BACpBJ,QAAQnB,GAAG,CAAC,iBAAiB,AAAC,UAAe,OAANnB;4BACvC;;gCAAO;oCAAEsC,SAAAA;gCAAQ;;;;YACnB;;QAEA,OAAOJ;IACT;IAEA;;;;;;GAMC,GACD,OAAMS,sBAiCL,GAjCD,SAAMA;;gBAC8C,cAA1C3D,QAAQO,UAAUN,SAASC,YASV,MAAjBc,OAAOC;;;;wBATmC,eAAA,IAAI,CAACpB,MAAM,EAArDG,SAA0C,aAA1CA,QAAQO,WAAkC,aAAlCA,UAAUN,UAAwB,aAAxBA,SAASC,aAAe,aAAfA;wBAEnC,IAAIK,UAAU;4BACZ,MAAM,IAAIoB,MAAM;wBAClB;wBAEA3B,OAAOwB,IAAI,CAAC,uCAAuC;4BAAEvB,SAAAA;wBAAQ;wBAGpC;;4BAAM,IAAI,CAACwC,yBAAyB;;;wBAApC,OAAA,eAAjBzB,QAAiB,KAAjBA,OAAOC,QAAU,KAAVA;wBAEf,cAAc;wBACd;;4BAAMS,IAAAA,eAAQ,EAACxB,YAAY;gCAAEH,WAAWkB;gCAAOhB,SAAAA;4BAAQ,GAAGe;;;wBAA1D;wBAEA,mBAAmB;wBACnB;;4BAAM0B,IAAAA,iBAAU,EAACxC,YAAY;gCAAED,SAAAA;gCAASF,WAAWkB;4BAAM;;;wBAAzD;wBAEA,wBAAwB;wBACxB;;4BAAM0B,IAAAA,uBAAgB,EAACzC,YAAY;gCAAED,SAAAA;gCAASF,WAAWkB;4BAAM;;;wBAA/D;wBAEA,yBAAyB;wBACzB;;4BAAM2B,IAAAA,qBAAc,EAClB1C,YACA;gCAAED,SAAAA;gCAASF,WAAWkB;4BAAM,GAC5B;gCACEA,OAAAA;gCACA4B,SAAS,IAAIC,OAAOC,WAAW;4BACjC;;;wBANF;wBASA/C,OAAOwB,IAAI,CAAC,6BAA6B;4BAAEvB,SAAAA;4BAASgB,OAAAA;wBAAM;wBAC1D;;4BAAOA;;;;QACT;;IAEA;;;;;;GAMC,GACD,OAAM2C,YAiBL,GAjBD,SAAMA,aAAa7D,SAAkB;;gBAE7BiB,OAGA6C,qBAUAC;;;;wBAbQ;;4BAAM,IAAI,CAAChE,cAAc,CAACC;;;wBAAlCiB,QAAQ;wBAGG;;4BAAM+C,MAAM,iDAAiD;gCAC5ET,SAAS;oCACPU,eAAe,AAAC,UAAe,OAANhD;gCAC3B;4BACF;;;wBAJM6C,WAAW;6BAMb,CAACA,SAASI,EAAE,EAAZ;;;;4BACQtC;mCAAM,AAAC,4BAA8C,OAAnBkC,SAASK,MAAM,EAAC,MAAyB;wBAAtB;;4BAAML,SAASM,IAAI;;;wBAAlF,MAAM,IAAA,CAAA,EAAA,MAAIxC;;4BAAM;gCAA+C;;0BAAuB;;wBAGtE;;4BAAMkC,SAASO,IAAI;;;wBAA/BN,WAAY;wBAClB;;4BAAOA,SAAS7C,KAAK;;;;QACvB;;IAEA;;;;;;GAMC,GACD,OAAca,mBAGb,GAHD,SAAcA;;gBACoB,cAAxB7B,SAASC;;gBAAe,eAAA,IAAI,CAACL,MAAM,EAAnCI,UAAwB,aAAxBA,SAASC,aAAe,aAAfA;gBACjB;;oBAAOmE,IAAAA,qBAAc,EAACnE,YAAYD;;;QACpC;;IAEA,OAAQoB,YAGP,GAHD,SAAQA,aAAaL,KAAkB;QACrC,IAAI,CAACA,MAAMsD,SAAS,EAAE,OAAO,MAAM,2BAA2B;QAC9D,OAAOxB,KAAKyB,GAAG,KAAKvD,MAAMsD,SAAS,GAAG,OAAO,kBAAkB;IACjE;IAEA;;;;;;GAMC,GACD,OAAcE,uBAmBb,GAnBD,SAAcA,wBAAwBlD,WAAmB;;gBAC/CtB,QAEF6D,UAOEY,WAIFX,UACA7C;;;;wBAdEjB,SAAW,IAAI,CAACH,MAAM,CAAtBG;wBAES;;4BAAM+D,MAAM,iDAAiD;gCAC5ET,SAAS;oCACPU,eAAe,AAAC,UAAqB,OAAZ1C;gCAC3B;4BACF;;;wBAJMuC,WAAW;6BAMb,CAACA,SAASI,EAAE,EAAZ;;;;wBACgB;;4BAAMJ,SAASM,IAAI;;;wBAA/BM,YAAY;wBAClB,MAAM,IAAI9C,MAAM,AAAC,oCAAwD8C,OAArBZ,SAASK,MAAM,EAAC,OAAe,OAAVO;;wBAGzD;;4BAAMZ,SAASO,IAAI;;;wBAA/BN,WAAY;wBACZ7C,QAAQ6C,SAAS7C,KAAK;wBAE5BjB,OAAOmB,KAAK,CAAC,+CAA+C;4BAAEF,OAAAA;wBAAM;wBACpE;;4BAAOA;;;;QACT;;IAEA,OAAcwB,yBAoLb,GApLD,SAAcA;;uBACkE,cAAtEjC,UAAUC,OAAOF,UAAUP,QAAqB0E,mBAGpDC,YACAC,YACAC,gBACAC,cACAC,kBAIMC;;;gBAXoE,eAAA,IAAI,CAACnF,MAAM,EAAjFW,WAAsE,aAAtEA,UAAUC,QAA4D,aAA5DA,OAAOF,WAAqD,aAArDA,UAAUP,SAA2C,aAA3CA,QAAqB0E,oBAAsB,aAAnCO;gBAE3C,0EAA0E;gBACtEN,aAAa,aAAa,qDAAqD;gBAC/EC,aAAa,GAAG,sCAAsC;gBACtDC,iBAAiB,SAAS,gBAAgB;gBAC1CC,eAAe,aAAa,wBAAwB;gBACpDC,mBAAmB;gBAEvB,IAAIL,mBAAmB;oBACrB,IAAI;wBACIM,SAAS,IAAI/C,IAAIyC;wBAEvB,+DAA+D;wBAC/DC,aAAaK,OAAOE,QAAQ;wBAC5BL,iBAAiBG,OAAOG,QAAQ;wBAEhC,6DAA6D;wBAC7D,IAAIH,OAAOI,IAAI,EAAE;4BACfR,aAAaS,OAAOC,QAAQ,CAACN,OAAOI,IAAI,EAAE;wBAC5C,OAAO;4BACLR,aAAaI,OAAOG,QAAQ,KAAK,WAAW,MAAM;wBACpD;wBAEA,qEAAqE;wBACrE,IAAIH,OAAOO,QAAQ,IAAIP,OAAOO,QAAQ,KAAK,KAAK;4BAC9CT,eAAeE,OAAOO,QAAQ;wBAChC;wBAEAR,mBAAmB;wBAEnB/E,OAAOmB,KAAK,CAAC,iCAAiC;4BAC5CqE,MAAMb;4BACNQ,UAAUN;4BACVO,MAAMR;4BACNa,MAAMX;4BACNG,aAAaP;wBACf;oBACF,EAAE,OAAOpE,OAAO;wBACdN,OAAO0F,IAAI,CAAC,yDAAyD;4BACnET,aAAaP;4BACbpE,OAAOA,AAAK,YAALA,OAAiBqB,SAAQrB,MAAMsB,OAAO,GAAGC,OAAOvB;wBACzD;oBACA,8DAA8D;oBAChE;gBACF;gBAEA;;oBAAO,IAAIqF,QAAQ,SAACC,SAASC;wBAC3B,0BAA0B;wBAC1B,IAA6DC,gBAAAA,IAAAA,mBAAY,KAAjEC,AAAUC,eAA2CF,cAArDC,UAAwBE,AAAWC,gBAAkBJ,cAA7BG;wBAEhC,IAAIE,SAA6B;wBACjC,IAAIC;wBACJ,IAAIC,kBAA0B,wCAAwC;wBAEtE,2DAA2D;wBAC3DF,SAASG,MAAKC,YAAY,CAAC,SAAOC,KAAKC;;oCAQ/BnE,KAGEoE,MACApG,SAoBEqG,eAGAC,aAQA3F,OAMC4F;;;;4CAhDX,IAAI,CAACL,IAAIlE,GAAG,EAAE;gDACZmE,IAAIK,SAAS,CAAC,KAAK;oDAAE,gBAAgB;gDAAY;gDACjDL,IAAIM,GAAG,CAACC,IAAAA,uBAAgB,EAAC;gDACzBb,mBAAAA,6BAAAA,OAAQc,KAAK;gDACbpB,OAAO,IAAIlE,MAAM;gDACjB;;;4CACF;4CACMW,MAAM,IAAIL,IAAIuE,IAAIlE,GAAG,EAAE,AAAC,oBAA8B,OAAX8D;iDAE7C9D,CAAAA,IAAIiD,QAAQ,KAAKT,YAAW,GAA5BxC;;;;4CACIoE,OAAOpE,IAAIJ,YAAY,CAACgF,GAAG,CAAC;4CAC5B5G,UAAQgC,IAAIJ,YAAY,CAACgF,GAAG,CAAC;4CAEnC,IAAI5G,SAAO;gDACTmG,IAAIK,SAAS,CAAC,KAAK;oDAAE,gBAAgB;gDAAY;gDACjDL,IAAIM,GAAG,CAACC,IAAAA,uBAAgB,EAAC1G;gDACzB6F,mBAAAA,6BAAAA,OAAQc,KAAK;gDACbpB,OAAO,IAAIlE,MAAM,AAAC,gBAAqB,OAANrB;gDACjC;;;4CACF;4CAEA,IAAI,CAACoG,MAAM;gDACTD,IAAIK,SAAS,CAAC,KAAK;oDAAE,gBAAgB;gDAAY;gDACjDL,IAAIM,GAAG,CAACC,IAAAA,uBAAgB,EAAC;gDACzBb,mBAAAA,6BAAAA,OAAQc,KAAK;gDACbpB,OAAO,IAAIlE,MAAM;gDACjB;;;4CACF;;;;;;;;;4CAIwB;;gDAAM,IAAI,CAACwF,oBAAoB,CAACT,MAAMV,cAAcK;;;4CAApEM,gBAAgB;4CAEtB,qBAAqB;4CACfC,cAA2B;gDAC/BtF,aAAaqF,cAAcnD,YAAY;+CACnCmD,cAAcS,aAAa,KAAKC,aAAa;gDAAE9F,cAAcoF,cAAcS,aAAa;4CAAC,GACzFT,cAAcW,UAAU,KAAKD,aAAa;gDAAE/C,WAAWxB,KAAKyB,GAAG,KAAKoC,cAAcW,UAAU,GAAG;4CAAK,GACpGX,cAAclG,KAAK,KAAK4G,aAAa;gDAAE5G,OAAOkG,cAAclG,KAAK;4CAAC;4CAI1D;;gDAAM,IAAI,CAAC+D,uBAAuB,CAACmC,cAAcnD,YAAY;;;4CAArEvC,QAAQ;4CAEdwF,IAAIK,SAAS,CAAC,KAAK;gDAAE,gBAAgB;4CAAY;4CACjDL,IAAIM,GAAG,CAACQ,IAAAA,yBAAkB;4CAC1BpB,mBAAAA,6BAAAA,OAAQc,KAAK;4CACbrB,QAAQ;gDAAE5E,OAAO4F;gDAAa3F,OAAAA;4CAAM;;;;;;4CAC7B4F;4CACP7G,OAAOM,KAAK,CAAC,yBAAyB;gDAAEA,OAAOuG,AAAa,YAAbA,eAAyBlF,SAAQkF,cAAcjF,OAAO,GAAGC,OAAOgF;4CAAe;4CAC9HJ,IAAIK,SAAS,CAAC,KAAK;gDAAE,gBAAgB;4CAAY;4CACjDL,IAAIM,GAAG,CAACC,IAAAA,uBAAgB,EAAC;4CACzBb,mBAAAA,6BAAAA,OAAQc,KAAK;4CACbpB,OAAOgB;;;;;;;;;;;4CAGTJ,IAAIK,SAAS,CAAC,KAAK;gDAAE,gBAAgB;4CAAa;4CAClDL,IAAIM,GAAG,CAAC;;;;;;;;4BAEZ;;wBAEA,8EAA8E;wBAC9EZ,OAAOqB,MAAM,CAAC5C,YAAYD,YAAY;4BACpC,IAAM8C,UAAUtB,mBAAAA,6BAAAA,OAAQsB,OAAO;4BAC/B,IAAI,CAACA,WAAW,OAAOA,YAAY,UAAU;gCAC3CtB,mBAAAA,6BAAAA,OAAQc,KAAK;gCACbpB,OAAO,IAAIlE,MAAM;gCACjB;4BACF;4BAEAyE,aAAaqB,QAAQrC,IAAI;4BAEzB,+BAA+B;4BAC/B,IAAIL,oBAAoBL,mBAAmB;gCACzC,mDAAmD;gCACnD2B,mBAAmB3B;4BACrB,OAAO;gCACL,2DAA2D;gCAC3D2B,mBAAmB,AAAC,GAAqB1B,OAAnBE,gBAAe,MAAkBuB,OAAdzB,YAAW,KAAgBG,OAAbsB,YAA0B,OAAbtB;4BACtE;4BAEA,iBAAiB;4BACjB,IAAMlE,UAAU,IAAIqB,IAAI;4BACxBrB,QAAQsB,YAAY,CAACC,GAAG,CAAC,aAAa3B;4BACtCI,QAAQsB,YAAY,CAACC,GAAG,CAAC,gBAAgBkE;4BACzCzF,QAAQsB,YAAY,CAACC,GAAG,CAAC,iBAAiB;4BAC1CvB,QAAQsB,YAAY,CAACC,GAAG,CAAC,SAAS1B;4BAClCG,QAAQsB,YAAY,CAACC,GAAG,CAAC,eAAe;4BACxCvB,QAAQsB,YAAY,CAACC,GAAG,CAAC,UAAU;4BACnCvB,QAAQsB,YAAY,CAACC,GAAG,CAAC,kBAAkB+D;4BAC3CtF,QAAQsB,YAAY,CAACC,GAAG,CAAC,yBAAyB;4BAElDnC,OAAOwB,IAAI,CAAC,kCAAkC;gCAAE4D,MAAMgB;gCAAY7F,UAAAA;4BAAS;4BAE3E,IAAIA,UAAU;gCACZ,mEAAmE;gCACnEmH,QAAQpH,KAAK,CAAC;gCACdoH,QAAQpH,KAAK,CAAC;gCACdoH,QAAQpH,KAAK,CAAC,AAAC,MAAwB,OAAnBM,QAAQ2B,QAAQ,IAAG;gCACvCmF,QAAQpH,KAAK,CAAC;4BAChB,OAAO;gCACL,+CAA+C;gCAC/CN,OAAOwB,IAAI,CAAC;gCACZmG,IAAAA,aAAI,EAAC/G,QAAQ2B,QAAQ,IAAIqF,KAAK,CAAC,SAACtH;oCAC9BN,OAAOwB,IAAI,CAAC,wCAAwC;wCAAElB,OAAOA,MAAMsB,OAAO;oCAAC;oCAC3E8F,QAAQpH,KAAK,CAAC;oCACdoH,QAAQpH,KAAK,CAAC,AAAC,MAAwB,OAAnBM,QAAQ2B,QAAQ,IAAG;gCACzC;4BACF;wBACF;wBAEA,0BAA0B;wBAC1BsF,WACE;4BACE,IAAI1B,QAAQ;gCACVA,OAAOc,KAAK;gCACZpB,OAAO,IAAIlE,MAAM;4BACnB;wBACF,GACA,IAAI,KAAK;oBAEb;;;QACF;;IAEA,OAAcwF,oBA8Bb,GA9BD,SAAcA,qBAAqBT,IAAY,EAAEV,YAAoB,EAAEf,WAAmB;;gBACrD,cAA3BzE,UAAUyC,cAEZ6E,UACAC,QAUAC,MAEAnE,UASEY;;;;wBAxB2B,eAAA,IAAI,CAAC5E,MAAM,EAAtCW,WAA2B,aAA3BA,UAAUyC,eAAiB,aAAjBA;wBAEZ6E,WAAW;wBACXC,SAAiC;4BACrCrB,MAAAA;4BACAuB,WAAWzH;4BACX0H,cAAcjD;4BACdkD,YAAY;4BACZC,eAAepC;wBACjB;wBACA,IAAI/C,cAAc;4BAChB8E,OAAOM,aAAa,GAAGpF;wBACzB;wBACM+E,OAAO,IAAIM,gBAAgBP;wBAEhB;;4BAAMhE,MAAM+D,UAAU;gCACrCS,QAAQ;gCACRjF,SAAS;oCACP,gBAAgB;gCAClB;gCACA0E,MAAMA,KAAKzF,QAAQ;4BACrB;;;wBANMsB,WAAW;6BAQb,CAACA,SAASI,EAAE,EAAZ;;;;wBACgB;;4BAAMJ,SAASM,IAAI;;;wBAA/BM,YAAY;wBAClB,MAAM,IAAI9C,MAAM,AAAC,0BAA4C8C,OAAnBZ,SAASK,MAAM,EAAC,KAAa,OAAVO;;wBAGvD;;4BAAMZ,SAASO,IAAI;;;wBAA3B;;4BAAQ;;;;QACV;;IAEA,OAAc3C,kBAmCb,GAnCD,SAAcA,mBAAmBF,YAAoB;;gBAChB,cAA3Bf,UAAUyC,cAEZ6E,UACAC,QAQAC,MAEAnE,UASEY,WAIFkC;;;;wBA1B6B,eAAA,IAAI,CAAC9G,MAAM,EAAtCW,WAA2B,aAA3BA,UAAUyC,eAAiB,aAAjBA;wBAEZ6E,WAAW;wBACXC,SAAiC;4BACrCX,eAAe7F;4BACf0G,WAAWzH;4BACX2H,YAAY;wBACd;wBACA,IAAIlF,cAAc;4BAChB8E,OAAOM,aAAa,GAAGpF;wBACzB;wBACM+E,OAAO,IAAIM,gBAAgBP;wBAEhB;;4BAAMhE,MAAM+D,UAAU;gCACrCS,QAAQ;gCACRjF,SAAS;oCACP,gBAAgB;gCAClB;gCACA0E,MAAMA,KAAKzF,QAAQ;4BACrB;;;wBANMsB,WAAW;6BAQb,CAACA,SAASI,EAAE,EAAZ;;;;wBACgB;;4BAAMJ,SAASM,IAAI;;;wBAA/BM,YAAY;wBAClB,MAAM,IAAI9C,MAAM,AAAC,yBAA2C8C,OAAnBZ,SAASK,MAAM,EAAC,KAAa,OAAVO;;wBAGvC;;4BAAMZ,SAASO,IAAI;;;wBAApCuC,gBAAiB;wBAEvB;;4BAAO;gCACLrF,aAAaqF,cAAcnD,YAAY;gCACvCjC,cAAcA;+BACVoF,cAAcW,UAAU,KAAKD,aAAa;gCAAE/C,WAAWxB,KAAKyB,GAAG,KAAKoC,cAAcW,UAAU,GAAG;4BAAK,GACpGX,cAAclG,KAAK,KAAK4G,aAAa;gCAAE5G,OAAOkG,cAAclG,KAAK;4BAAC;;;;QAE1E;;IAEA;;;;;;;;;;;;;;;;;;;;;;;GAuBC,GACD+H,OAAAA,cAuFC,GAvFDA,SAAAA;;QACE,IAAwC,eAAA,IAAI,CAAC3I,MAAM,EAA3CI,UAAgC,aAAhCA,SAASC,aAAuB,aAAvBA,YAAYF,SAAW,aAAXA;QAE7B,0EAA0E;QAC1E,sFAAsF;QACtF,IAAMyI,iBAAiB,SAAuEC,QAAWC;;YACvG,IAAMC,YAAYF,OAAOG,IAAI;YAC7B,IAAMC,kBAAkBJ,OAAOK,OAAO;YAEtC,IAAMC,iBAAiB;iDAAUC;oBAAAA;;;wBAEzBC,OAIAnJ,iBAEU,oBACLO,OAYHH,2BAKAgJ,MAWC7I,QASC8I;;;;gCA7CV,0CAA0C;gCACpCF,QAAQD,OAAO,CAACN,cAAc;;;;;;;;;;;;;;;;;+CAMpB,eAAA,AAACO,MAA6CG,KAAK,cAAnD,mCAAA,aAAqDtJ,SAAS;;;;;;;;;;gCAAK;;oCAAMmB,IAAAA,uBAAgB,EAAChB,YAAY;wCAAED,SAAAA;oCAAQ;;;uCAA7C;;;gCAA/EF;;;;;;gCACOO;gCACP,IAAIA,AAAK,YAALA,OAAiBqB,UAAU,CAAA,AAACrB,MAA4BoG,IAAI,KAAK,6BAA6BpG,MAAMuI,IAAI,KAAK,qBAAoB,GAAI;oCACvI9I,YAAYsH;gCACd,OAAO;oCACL,MAAM/G;gCACR;;;;;;gCAGF,sDAAsD;gCACtD;;oCAAM,IAAI,CAACR,cAAc,CAACC;;;gCAA1B;sCAG2BA,sBAAAA;;;;wCAAAA;;;;;;gCAAc;;oCAAMmB,IAAAA,uBAAgB,EAAChB,YAAY;wCAAED,SAAAA;oCAAQ;;;wCAA7C;;;gCAAnCE;gCACN,IAAI,CAACA,oBAAoB;oCACvB,MAAM,IAAIwB,MAAM,AAAC,iDAAwD,OAAR1B;gCACnE;gCAEMkJ,OAAO,IAAI,CAACnG,MAAM,CAAC7C;gCAEzB,2CAA2C;gCAC1C+I,MAAwCI,WAAW,GAAG;oCACrDH,MAAAA;oCACApJ,WAAWI;gCACb;gCACC+I,MAA+BlJ,MAAM,GAAGA;gCAGlC;;oCAAM8I,sBAAAA,KAAAA,GAAgB,qBAAGG;;;gCADhC,sCAAsC;gCACtC;;oCAAO;;;gCACA3I;gCACP,IAAIA,AAAK,YAALA,QAAiBkC,0BAAiB,GAAE;oCACtCxC,OAAOwB,IAAI,CAAC,2BAA2B;wCACrCvB,SAAAA;wCACAsJ,MAAMX;wCACN7H,YAAYT,OAAMS,UAAU;oCAC9B;oCACA,yFAAyF;oCACzF,2GAA2G;oCACrGqI,uBAAuB;wCAC3BI,MAAM;wCACNnH,UAAUpC;wCACV2B,SAAS,AAAC,+BAAqE3B,OAAvC2I,WAAU,+BAAqC,OAAR3I,SAAQ;wCACvFqC,KAAKhC,OAAMS,UAAU,CAACqB,IAAI,KAAK,aAAa9B,OAAMS,UAAU,CAACuB,GAAG,GAAG+E;oCACrE;oCAEA;;wCAAO;4CACLoC,OAAO;gDACL;oDACED,MAAM;oDACNrF,MAAMuF,KAAKC,SAAS,CAAC;wDAAEC,QAAQR;oDAAqB;gDACtD;;4CAEFS,mBAAmB;gDAAED,QAAQR;4CAAqB;wCACpD;;gCACF;gCACA,MAAM9I;;;;;;;gBAEV;;YAEA,OAAO,wCACFoI;gBACHK,SAASC;;QAEb;QAEA,OAAO;YACLc,cAAc,SAAgEpB;uBAAcD,eAAeC,QAAQ;;YACnHqB,kBAAkB,SAAqFrB;uBAAcD,eAAeC,QAAQ;;YAC5IsB,gBAAgB,SAAgEtB;uBAAcD,eAAeC,QAAQ;;QACvH;IACF;WAjnBW/I;;AAwnBN,SAASC,qBAAqBC,MAA2B;IAC9D,OAAO,IAAIF,sBAAsBE;AACnC"}

package/dist/cjs/providers/service-account.d.cts

@@ -0,0 +1,131 @@
+import { OAuth2Client } from 'google-auth-library';
+import type { Logger, OAuth2TokenStorageProvider } from '../types.js';
+/**
+ * Service Account Provider Configuration
+ */
+export interface ServiceAccountConfig {
+    /** Path to Google Cloud service account JSON key file */
+    keyFilePath: string;
+    /** OAuth scopes to request (e.g., ['https://www.googleapis.com/auth/gmail.readonly']) */
+    scopes: string[];
+    /** Logger for auth operations */
+    logger: Logger;
+}
+/**
+ * ServiceAccountProvider implements OAuth2TokenStorageProvider using Google Service Accounts
+ * with JWT-based (2-legged OAuth) authentication.
+ *
+ * This provider:
+ * - Loads service account key file from disk
+ * - Generates self-signed JWTs using RS256 algorithm
+ * - Exchanges JWTs for access tokens at Google's token endpoint
+ * - Does NOT store tokens (regenerates on each request)
+ * - Provides single static identity (no account management)
+ *
+ * @example
+ * ```typescript
+ * const provider = new ServiceAccountProvider({
+ *   keyFilePath: '/path/to/service-account-key.json',
+ *   scopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ * });
+ *
+ * // Get authenticated OAuth2Client for googleapis
+ * const auth = provider.toAuth('default');
+ * const drive = google.drive({ version: 'v3', auth });
+ * ```
+ */
+export declare class ServiceAccountProvider implements OAuth2TokenStorageProvider {
+    private config;
+    private keyFilePath;
+    private scopes;
+    private keyData?;
+    private cachedToken?;
+    constructor(config: ServiceAccountConfig);
+    /**
+     * Load and parse service account key file from disk
+     * Validates structure and caches for subsequent calls
+     */
+    private loadKeyFile;
+    /**
+     * Validate service account key file structure
+     * Ensures all required fields are present and correctly typed
+     */
+    private validateKeyFile;
+    /**
+     * Generate signed JWT (JSON Web Token) for service account authentication
+     * Uses RS256 algorithm with private key from key file
+     */
+    private generateJWT;
+    /**
+     * Exchange signed JWT for access token at Google OAuth endpoint
+     * POST to https://oauth2.googleapis.com/token with grant_type=jwt-bearer
+     */
+    private exchangeJWT;
+    /**
+     * Get access token for Google APIs
+     * Generates fresh JWT and exchanges for access token on each call
+     *
+     * Note: accountId parameter is ignored for service accounts (service account is single static identity)
+     */
+    getAccessToken(_accountId?: string): Promise<string>;
+    /**
+     * Get OAuth2Client with service account credentials for googleapis
+     * This is the CRITICAL method that servers use to get authenticated API clients
+     *
+     * Service account ONLY works with accountId='service-account' (single static identity)
+     *
+      @param accountId - Account identifier (must be 'service-account' or undefined)
+     * @returns OAuth2Client instance with access token credentials set
+     */
+    toAuth(accountId?: string): OAuth2Client;
+    /**
+     * Get service account email address
+     * Used for account registration and display
+     *
+     * Note: accountId parameter is ignored for service accounts
+     * @returns Service account email from key file (e.g., "service-account@project.iam.gserviceaccount.com")
+     */
+    getUserEmail(_accountId?: string): Promise<string>;
+    /**
+     * Create middleware wrapper for single-user authentication
+     * This is the CRITICAL method that integrates service account auth into MCP servers
+     *
+     * Middleware wraps tool, resource, and prompt handlers and injects authContext into extra parameter.
+     * Handlers receive OAuth2Client via extra.authContext.auth for API calls.
+     *
+     * @returns Object with withToolAuth, withResourceAuth, withPromptAuth methods
+     *
+     * @example
+     * ```typescript
+     * // Server registration
+     * const authMiddleware = provider.authMiddleware();
+     * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+     * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);
+     * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);
+     *
+     * // Tool handler receives auth
+     * async function handler({ id }: In, extra: EnrichedExtra) {
+     *   // extra.authContext.auth is OAuth2Client (from middleware)
+     *   const gmail = google.gmail({ version: 'v1', auth: extra.authContext.auth });
+     * }
+     * ```
+     */
+    authMiddleware(): {
+        withToolAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withResourceAuth: <T extends {
+            name: string;
+            template?: unknown;
+            config?: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withPromptAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+    };
+}

package/dist/cjs/providers/service-account.d.ts

@@ -0,0 +1,131 @@
+import { OAuth2Client } from 'google-auth-library';
+import type { Logger, OAuth2TokenStorageProvider } from '../types.js';
+/**
+ * Service Account Provider Configuration
+ */
+export interface ServiceAccountConfig {
+    /** Path to Google Cloud service account JSON key file */
+    keyFilePath: string;
+    /** OAuth scopes to request (e.g., ['https://www.googleapis.com/auth/gmail.readonly']) */
+    scopes: string[];
+    /** Logger for auth operations */
+    logger: Logger;
+}
+/**
+ * ServiceAccountProvider implements OAuth2TokenStorageProvider using Google Service Accounts
+ * with JWT-based (2-legged OAuth) authentication.
+ *
+ * This provider:
+ * - Loads service account key file from disk
+ * - Generates self-signed JWTs using RS256 algorithm
+ * - Exchanges JWTs for access tokens at Google's token endpoint
+ * - Does NOT store tokens (regenerates on each request)
+ * - Provides single static identity (no account management)
+ *
+ * @example
+ * ```typescript
+ * const provider = new ServiceAccountProvider({
+ *   keyFilePath: '/path/to/service-account-key.json',
+ *   scopes: ['https://www.googleapis.com/auth/drive.readonly'],
+ * });
+ *
+ * // Get authenticated OAuth2Client for googleapis
+ * const auth = provider.toAuth('default');
+ * const drive = google.drive({ version: 'v3', auth });
+ * ```
+ */
+export declare class ServiceAccountProvider implements OAuth2TokenStorageProvider {
+    private config;
+    private keyFilePath;
+    private scopes;
+    private keyData?;
+    private cachedToken?;
+    constructor(config: ServiceAccountConfig);
+    /**
+     * Load and parse service account key file from disk
+     * Validates structure and caches for subsequent calls
+     */
+    private loadKeyFile;
+    /**
+     * Validate service account key file structure
+     * Ensures all required fields are present and correctly typed
+     */
+    private validateKeyFile;
+    /**
+     * Generate signed JWT (JSON Web Token) for service account authentication
+     * Uses RS256 algorithm with private key from key file
+     */
+    private generateJWT;
+    /**
+     * Exchange signed JWT for access token at Google OAuth endpoint
+     * POST to https://oauth2.googleapis.com/token with grant_type=jwt-bearer
+     */
+    private exchangeJWT;
+    /**
+     * Get access token for Google APIs
+     * Generates fresh JWT and exchanges for access token on each call
+     *
+     * Note: accountId parameter is ignored for service accounts (service account is single static identity)
+     */
+    getAccessToken(_accountId?: string): Promise<string>;
+    /**
+     * Get OAuth2Client with service account credentials for googleapis
+     * This is the CRITICAL method that servers use to get authenticated API clients
+     *
+     * Service account ONLY works with accountId='service-account' (single static identity)
+     *
+      @param accountId - Account identifier (must be 'service-account' or undefined)
+     * @returns OAuth2Client instance with access token credentials set
+     */
+    toAuth(accountId?: string): OAuth2Client;
+    /**
+     * Get service account email address
+     * Used for account registration and display
+     *
+     * Note: accountId parameter is ignored for service accounts
+     * @returns Service account email from key file (e.g., "service-account@project.iam.gserviceaccount.com")
+     */
+    getUserEmail(_accountId?: string): Promise<string>;
+    /**
+     * Create middleware wrapper for single-user authentication
+     * This is the CRITICAL method that integrates service account auth into MCP servers
+     *
+     * Middleware wraps tool, resource, and prompt handlers and injects authContext into extra parameter.
+     * Handlers receive OAuth2Client via extra.authContext.auth for API calls.
+     *
+     * @returns Object with withToolAuth, withResourceAuth, withPromptAuth methods
+     *
+     * @example
+     * ```typescript
+     * // Server registration
+     * const authMiddleware = provider.authMiddleware();
+     * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+     * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);
+     * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);
+     *
+     * // Tool handler receives auth
+     * async function handler({ id }: In, extra: EnrichedExtra) {
+     *   // extra.authContext.auth is OAuth2Client (from middleware)
+     *   const gmail = google.gmail({ version: 'v1', auth: extra.authContext.auth });
+     * }
+     * ```
+     */
+    authMiddleware(): {
+        withToolAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withResourceAuth: <T extends {
+            name: string;
+            template?: unknown;
+            config?: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withPromptAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+    };
+}