@mcp-z/oauth-google 1.0.0

package/dist/esm/lib/dcr-utils.d.ts

@@ -0,0 +1,160 @@
+/**
+ * DCR Storage Utilities
+ *
+ * Keyv-based storage utilities for Dynamic Client Registration.
+ * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.
+ *
+ * Key Patterns:
+ * - dcr:client:{clientId} -> RegisteredClient
+ * - dcr:provider:{dcrToken} -> ProviderTokens
+ * - dcr:authcode:{code} -> AuthorizationCode
+ * - dcr:access:{token} -> AccessToken
+ * - dcr:refresh:{token} -> AccessToken
+ */
+import type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';
+import type { Keyv } from 'keyv';
+import type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.js';
+/**
+ * Register a new OAuth client (RFC 7591 Section 3.1)
+ *
+ * @param store - Keyv store for all DCR data
+ * @param metadata - Client registration metadata
+ * @returns Registered client with credentials
+ * @throws Error if validation fails
+ */
+export declare function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation>;
+/**
+ * Get a registered client by ID
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @returns Registered client or undefined if not found
+ */
+export declare function getClient(store: Keyv, clientId: string): Promise<RegisteredClient | undefined>;
+/**
+ * Validate client credentials
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param clientSecret - Client secret
+ * @returns True if credentials are valid
+ */
+export declare function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean>;
+/**
+ * Validate redirect URI for a client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param redirectUri - Redirect URI to validate
+ * @returns True if redirect URI is registered
+ */
+export declare function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean>;
+/**
+ * List all registered clients (for debugging)
+ *
+ * Note: This method uses Keyv's iterator which may not be available on all storage adapters.
+ * For production use, consider maintaining a separate index of client IDs.
+ *
+ * @param store - Keyv store for all DCR data
+ * @returns Array of all registered clients
+ */
+export declare function listClients(store: Keyv): Promise<RegisteredClient[]>;
+/**
+ * Delete a registered client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ */
+export declare function deleteClient(store: Keyv, clientId: string): Promise<void>;
+/**
+ * Store provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token (used as key)
+ * @param tokens - Google provider tokens (access, refresh, expiry)
+ */
+export declare function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void>;
+/**
+ * Retrieve provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ * @returns Provider tokens or undefined if not found
+ */
+export declare function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens | undefined>;
+/**
+ * Delete provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ */
+export declare function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void>;
+/**
+ * Store an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @param authCode - Authorization code data
+ */
+export declare function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void>;
+/**
+ * Get an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @returns Authorization code data or undefined if not found
+ */
+export declare function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode | undefined>;
+/**
+ * Delete an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ */
+export declare function deleteAuthCode(store: Keyv, code: string): Promise<void>;
+/**
+ * Store an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @param tokenData - Access token data
+ */
+export declare function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void>;
+/**
+ * Get an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @returns Access token data or undefined if not found
+ */
+export declare function getAccessToken(store: Keyv, token: string): Promise<AccessToken | undefined>;
+/**
+ * Delete an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ */
+export declare function deleteAccessToken(store: Keyv, token: string): Promise<void>;
+/**
+ * Store a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @param tokenData - Access token data (contains refresh token context)
+ */
+export declare function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void>;
+/**
+ * Get a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @returns Access token data or undefined if not found
+ */
+export declare function getRefreshToken(store: Keyv, token: string): Promise<AccessToken | undefined>;
+/**
+ * Delete a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ */
+export declare function deleteRefreshToken(store: Keyv, token: string): Promise<void>;

package/dist/esm/lib/dcr-utils.js

@@ -0,0 +1,270 @@
+/**
+ * DCR Storage Utilities
+ *
+ * Keyv-based storage utilities for Dynamic Client Registration.
+ * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.
+ *
+ * Key Patterns:
+ * - dcr:client:{clientId} -> RegisteredClient
+ * - dcr:provider:{dcrToken} -> ProviderTokens
+ * - dcr:authcode:{code} -> AuthorizationCode
+ * - dcr:access:{token} -> AccessToken
+ * - dcr:refresh:{token} -> AccessToken
+ */ import { randomUUID } from 'crypto';
+// ============================================================================
+// Client Operations
+// ============================================================================
+/**
+ * Register a new OAuth client (RFC 7591 Section 3.1)
+ *
+ * @param store - Keyv store for all DCR data
+ * @param metadata - Client registration metadata
+ * @returns Registered client with credentials
+ * @throws Error if validation fails
+ */ export async function registerClient(store, metadata) {
+    var _metadata_grant_types, _metadata_response_types, _metadata_token_endpoint_auth_method;
+    // Validate redirect URIs (required per RFC 7591)
+    if (!metadata.redirect_uris || metadata.redirect_uris.length === 0) {
+        throw new Error('redirect_uris is required');
+    }
+    // Generate client credentials
+    const client_id = `dcr_${randomUUID()}`;
+    const client_secret = randomUUID();
+    // Default grant types and response types per RFC 7591 Section 2
+    const grant_types = (_metadata_grant_types = metadata.grant_types) !== null && _metadata_grant_types !== void 0 ? _metadata_grant_types : [
+        'authorization_code',
+        'refresh_token'
+    ];
+    const response_types = (_metadata_response_types = metadata.response_types) !== null && _metadata_response_types !== void 0 ? _metadata_response_types : [
+        'code'
+    ];
+    // Build registered client - only include optional fields if they have values
+    const client = {
+        client_id,
+        client_secret,
+        client_id_issued_at: Math.floor(Date.now() / 1000),
+        client_secret_expires_at: 0,
+        redirect_uris: metadata.redirect_uris,
+        token_endpoint_auth_method: (_metadata_token_endpoint_auth_method = metadata.token_endpoint_auth_method) !== null && _metadata_token_endpoint_auth_method !== void 0 ? _metadata_token_endpoint_auth_method : 'client_secret_basic',
+        grant_types,
+        response_types,
+        ...metadata.client_name !== undefined && {
+            client_name: metadata.client_name
+        },
+        ...metadata.client_uri !== undefined && {
+            client_uri: metadata.client_uri
+        },
+        ...metadata.logo_uri !== undefined && {
+            logo_uri: metadata.logo_uri
+        },
+        ...metadata.scope !== undefined && {
+            scope: metadata.scope
+        },
+        ...metadata.contacts !== undefined && {
+            contacts: metadata.contacts
+        },
+        ...metadata.tos_uri !== undefined && {
+            tos_uri: metadata.tos_uri
+        },
+        ...metadata.policy_uri !== undefined && {
+            policy_uri: metadata.policy_uri
+        },
+        ...metadata.jwks_uri !== undefined && {
+            jwks_uri: metadata.jwks_uri
+        },
+        ...metadata.jwks !== undefined && {
+            jwks: metadata.jwks
+        },
+        ...metadata.software_id !== undefined && {
+            software_id: metadata.software_id
+        },
+        ...metadata.software_version !== undefined && {
+            software_version: metadata.software_version
+        },
+        created_at: Date.now()
+    };
+    // Store client
+    await store.set(`dcr:client:${client_id}`, client);
+    // Return client information (excluding internal created_at)
+    const { created_at, ...clientInfo } = client;
+    return clientInfo;
+}
+/**
+ * Get a registered client by ID
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @returns Registered client or undefined if not found
+ */ export async function getClient(store, clientId) {
+    return await store.get(`dcr:client:${clientId}`);
+}
+/**
+ * Validate client credentials
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param clientSecret - Client secret
+ * @returns True if credentials are valid
+ */ export async function validateClient(store, clientId, clientSecret) {
+    const client = await getClient(store, clientId);
+    if (!client) return false;
+    return client.client_secret === clientSecret;
+}
+/**
+ * Validate redirect URI for a client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ * @param redirectUri - Redirect URI to validate
+ * @returns True if redirect URI is registered
+ */ export async function validateRedirectUri(store, clientId, redirectUri) {
+    const client = await getClient(store, clientId);
+    if (!client || !client.redirect_uris) return false;
+    return client.redirect_uris.includes(redirectUri);
+}
+/**
+ * List all registered clients (for debugging)
+ *
+ * Note: This method uses Keyv's iterator which may not be available on all storage adapters.
+ * For production use, consider maintaining a separate index of client IDs.
+ *
+ * @param store - Keyv store for all DCR data
+ * @returns Array of all registered clients
+ */ export async function listClients(store) {
+    const clients = [];
+    // Check if iterator is available on the store
+    if (store.iterator) {
+        // Use iterator with namespace to iterate through dcr:client: keys
+        const iterator = store.iterator('dcr:client:');
+        for await (const [_key, value] of iterator){
+            if (value !== undefined) {
+                clients.push(value);
+            }
+        }
+    }
+    return clients;
+}
+/**
+ * Delete a registered client
+ *
+ * @param store - Keyv store for all DCR data
+ * @param clientId - Client identifier
+ */ export async function deleteClient(store, clientId) {
+    await store.delete(`dcr:client:${clientId}`);
+}
+// ============================================================================
+// Provider Token Operations
+// ============================================================================
+/**
+ * Store provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token (used as key)
+ * @param tokens - Google provider tokens (access, refresh, expiry)
+ */ export async function setProviderTokens(store, dcrToken, tokens) {
+    await store.set(`dcr:provider:${dcrToken}`, tokens);
+}
+/**
+ * Retrieve provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ * @returns Provider tokens or undefined if not found
+ */ export async function getProviderTokens(store, dcrToken) {
+    return await store.get(`dcr:provider:${dcrToken}`);
+}
+/**
+ * Delete provider tokens for a DCR access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param dcrToken - DCR-issued access token
+ */ export async function deleteProviderTokens(store, dcrToken) {
+    await store.delete(`dcr:provider:${dcrToken}`);
+}
+// ============================================================================
+// Authorization Code Operations
+// ============================================================================
+/**
+ * Store an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @param authCode - Authorization code data
+ */ export async function setAuthCode(store, code, authCode) {
+    await store.set(`dcr:authcode:${code}`, authCode);
+}
+/**
+ * Get an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ * @returns Authorization code data or undefined if not found
+ */ export async function getAuthCode(store, code) {
+    return await store.get(`dcr:authcode:${code}`);
+}
+/**
+ * Delete an authorization code
+ *
+ * @param store - Keyv store for all DCR data
+ * @param code - Authorization code
+ */ export async function deleteAuthCode(store, code) {
+    await store.delete(`dcr:authcode:${code}`);
+}
+// ============================================================================
+// Access Token Operations
+// ============================================================================
+/**
+ * Store an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @param tokenData - Access token data
+ */ export async function setAccessToken(store, token, tokenData) {
+    await store.set(`dcr:access:${token}`, tokenData);
+}
+/**
+ * Get an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ * @returns Access token data or undefined if not found
+ */ export async function getAccessToken(store, token) {
+    return await store.get(`dcr:access:${token}`);
+}
+/**
+ * Delete an access token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Access token
+ */ export async function deleteAccessToken(store, token) {
+    await store.delete(`dcr:access:${token}`);
+}
+// ============================================================================
+// Refresh Token Operations
+// ============================================================================
+/**
+ * Store a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @param tokenData - Access token data (contains refresh token context)
+ */ export async function setRefreshToken(store, token, tokenData) {
+    await store.set(`dcr:refresh:${token}`, tokenData);
+}
+/**
+ * Get a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ * @returns Access token data or undefined if not found
+ */ export async function getRefreshToken(store, token) {
+    return await store.get(`dcr:refresh:${token}`);
+}
+/**
+ * Delete a refresh token
+ *
+ * @param store - Keyv store for all DCR data
+ * @param token - Refresh token
+ */ export async function deleteRefreshToken(store, token) {
+    await store.delete(`dcr:refresh:${token}`);
+}

package/dist/esm/lib/dcr-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/lib/dcr-utils.ts"],"sourcesContent":["/**\n * DCR Storage Utilities\n *\n * Keyv-based storage utilities for Dynamic Client Registration.\n * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.\n *\n * Key Patterns:\n * - dcr:client:{clientId} -> RegisteredClient\n * - dcr:provider:{dcrToken} -> ProviderTokens\n * - dcr:authcode:{code} -> AuthorizationCode\n * - dcr:access:{token} -> AccessToken\n * - dcr:refresh:{token} -> AccessToken\n */\n\nimport type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';\nimport { randomUUID } from 'crypto';\nimport type { Keyv } from 'keyv';\nimport type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.ts';\n\n// ============================================================================\n// Client Operations\n// ============================================================================\n\n/**\n * Register a new OAuth client (RFC 7591 Section 3.1)\n *\n * @param store - Keyv store for all DCR data\n * @param metadata - Client registration metadata\n * @returns Registered client with credentials\n * @throws Error if validation fails\n */\nexport async function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation> {\n  // Validate redirect URIs (required per RFC 7591)\n  if (!metadata.redirect_uris || metadata.redirect_uris.length === 0) {\n    throw new Error('redirect_uris is required');\n  }\n\n  // Generate client credentials\n  const client_id = `dcr_${randomUUID()}`;\n  const client_secret = randomUUID();\n\n  // Default grant types and response types per RFC 7591 Section 2\n  const grant_types = metadata.grant_types ?? ['authorization_code', 'refresh_token'];\n  const response_types = metadata.response_types ?? ['code'];\n\n  // Build registered client - only include optional fields if they have values\n  const client: RegisteredClient = {\n    client_id,\n    client_secret,\n    client_id_issued_at: Math.floor(Date.now() / 1000),\n    client_secret_expires_at: 0, // Never expires\n    redirect_uris: metadata.redirect_uris,\n    token_endpoint_auth_method: metadata.token_endpoint_auth_method ?? 'client_secret_basic',\n    grant_types,\n    response_types,\n    ...(metadata.client_name !== undefined && { client_name: metadata.client_name }),\n    ...(metadata.client_uri !== undefined && { client_uri: metadata.client_uri }),\n    ...(metadata.logo_uri !== undefined && { logo_uri: metadata.logo_uri }),\n    ...(metadata.scope !== undefined && { scope: metadata.scope }),\n    ...(metadata.contacts !== undefined && { contacts: metadata.contacts }),\n    ...(metadata.tos_uri !== undefined && { tos_uri: metadata.tos_uri }),\n    ...(metadata.policy_uri !== undefined && { policy_uri: metadata.policy_uri }),\n    ...(metadata.jwks_uri !== undefined && { jwks_uri: metadata.jwks_uri }),\n    ...(metadata.jwks !== undefined && { jwks: metadata.jwks }),\n    ...(metadata.software_id !== undefined && { software_id: metadata.software_id }),\n    ...(metadata.software_version !== undefined && { software_version: metadata.software_version }),\n    created_at: Date.now(),\n  };\n\n  // Store client\n  await store.set(`dcr:client:${client_id}`, client);\n\n  // Return client information (excluding internal created_at)\n  const { created_at, ...clientInfo } = client;\n  return clientInfo;\n}\n\n/**\n * Get a registered client by ID\n *\n * @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @returns Registered client or undefined if not found\n */\nexport async function getClient(store: Keyv, clientId: string): Promise<RegisteredClient | undefined> {\n  return await store.get(`dcr:client:${clientId}`);\n}\n\n/**\n * Validate client credentials\n *\n * @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param clientSecret - Client secret\n * @returns True if credentials are valid\n */\nexport async function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean> {\n  const client = await getClient(store, clientId);\n  if (!client) return false;\n  return client.client_secret === clientSecret;\n}\n\n/**\n * Validate redirect URI for a client\n *\n * @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param redirectUri - Redirect URI to validate\n * @returns True if redirect URI is registered\n */\nexport async function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean> {\n  const client = await getClient(store, clientId);\n  if (!client || !client.redirect_uris) return false;\n  return client.redirect_uris.includes(redirectUri);\n}\n\n/**\n * List all registered clients (for debugging)\n *\n * Note: This method uses Keyv's iterator which may not be available on all storage adapters.\n * For production use, consider maintaining a separate index of client IDs.\n *\n * @param store - Keyv store for all DCR data\n * @returns Array of all registered clients\n */\nexport async function listClients(store: Keyv): Promise<RegisteredClient[]> {\n  const clients: RegisteredClient[] = [];\n\n  // Check if iterator is available on the store\n  if (store.iterator) {\n    // Use iterator with namespace to iterate through dcr:client: keys\n    const iterator = store.iterator('dcr:client:');\n    for await (const [_key, value] of iterator) {\n      if (value !== undefined) {\n        clients.push(value as RegisteredClient);\n      }\n    }\n  }\n\n  return clients;\n}\n\n/**\n * Delete a registered client\n *\n * @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n */\nexport async function deleteClient(store: Keyv, clientId: string): Promise<void> {\n  await store.delete(`dcr:client:${clientId}`);\n}\n\n// ============================================================================\n// Provider Token Operations\n// ============================================================================\n\n/**\n * Store provider tokens for a DCR access token\n *\n * @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token (used as key)\n * @param tokens - Google provider tokens (access, refresh, expiry)\n */\nexport async function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void> {\n  await store.set(`dcr:provider:${dcrToken}`, tokens);\n}\n\n/**\n * Retrieve provider tokens for a DCR access token\n *\n * @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n * @returns Provider tokens or undefined if not found\n */\nexport async function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens | undefined> {\n  return await store.get(`dcr:provider:${dcrToken}`);\n}\n\n/**\n * Delete provider tokens for a DCR access token\n *\n * @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n */\nexport async function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void> {\n  await store.delete(`dcr:provider:${dcrToken}`);\n}\n\n// ============================================================================\n// Authorization Code Operations\n// ============================================================================\n\n/**\n * Store an authorization code\n *\n * @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @param authCode - Authorization code data\n */\nexport async function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void> {\n  await store.set(`dcr:authcode:${code}`, authCode);\n}\n\n/**\n * Get an authorization code\n *\n * @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @returns Authorization code data or undefined if not found\n */\nexport async function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode | undefined> {\n  return await store.get(`dcr:authcode:${code}`);\n}\n\n/**\n * Delete an authorization code\n *\n * @param store - Keyv store for all DCR data\n * @param code - Authorization code\n */\nexport async function deleteAuthCode(store: Keyv, code: string): Promise<void> {\n  await store.delete(`dcr:authcode:${code}`);\n}\n\n// ============================================================================\n// Access Token Operations\n// ============================================================================\n\n/**\n * Store an access token\n *\n * @param store - Keyv store for all DCR data\n * @param token - Access token\n * @param tokenData - Access token data\n */\nexport async function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n  await store.set(`dcr:access:${token}`, tokenData);\n}\n\n/**\n * Get an access token\n *\n * @param store - Keyv store for all DCR data\n * @param token - Access token\n * @returns Access token data or undefined if not found\n */\nexport async function getAccessToken(store: Keyv, token: string): Promise<AccessToken | undefined> {\n  return await store.get(`dcr:access:${token}`);\n}\n\n/**\n * Delete an access token\n *\n * @param store - Keyv store for all DCR data\n * @param token - Access token\n */\nexport async function deleteAccessToken(store: Keyv, token: string): Promise<void> {\n  await store.delete(`dcr:access:${token}`);\n}\n\n// ============================================================================\n// Refresh Token Operations\n// ============================================================================\n\n/**\n * Store a refresh token\n *\n * @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @param tokenData - Access token data (contains refresh token context)\n */\nexport async function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n  await store.set(`dcr:refresh:${token}`, tokenData);\n}\n\n/**\n * Get a refresh token\n *\n * @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @returns Access token data or undefined if not found\n */\nexport async function getRefreshToken(store: Keyv, token: string): Promise<AccessToken | undefined> {\n  return await store.get(`dcr:refresh:${token}`);\n}\n\n/**\n * Delete a refresh token\n *\n * @param store - Keyv store for all DCR data\n * @param token - Refresh token\n */\nexport async function deleteRefreshToken(store: Keyv, token: string): Promise<void> {\n  await store.delete(`dcr:refresh:${token}`);\n}\n"],"names":["randomUUID","registerClient","store","metadata","redirect_uris","length","Error","client_id","client_secret","grant_types","response_types","client","client_id_issued_at","Math","floor","Date","now","client_secret_expires_at","token_endpoint_auth_method","client_name","undefined","client_uri","logo_uri","scope","contacts","tos_uri","policy_uri","jwks_uri","jwks","software_id","software_version","created_at","set","clientInfo","getClient","clientId","get","validateClient","clientSecret","validateRedirectUri","redirectUri","includes","listClients","clients","iterator","_key","value","push","deleteClient","delete","setProviderTokens","dcrToken","tokens","getProviderTokens","deleteProviderTokens","setAuthCode","code","authCode","getAuthCode","deleteAuthCode","setAccessToken","token","tokenData","getAccessToken","deleteAccessToken","setRefreshToken","getRefreshToken","deleteRefreshToken"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GAGD,SAASA,UAAU,QAAQ,SAAS;AAIpC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;CAOC,GACD,OAAO,eAAeC,eAAeC,KAAW,EAAEC,QAA2B;QAWvDA,uBACGA,0BASOA;IApB9B,iDAAiD;IACjD,IAAI,CAACA,SAASC,aAAa,IAAID,SAASC,aAAa,CAACC,MAAM,KAAK,GAAG;QAClE,MAAM,IAAIC,MAAM;IAClB;IAEA,8BAA8B;IAC9B,MAAMC,YAAY,CAAC,IAAI,EAAEP,cAAc;IACvC,MAAMQ,gBAAgBR;IAEtB,gEAAgE;IAChE,MAAMS,eAAcN,wBAAAA,SAASM,WAAW,cAApBN,mCAAAA,wBAAwB;QAAC;QAAsB;KAAgB;IACnF,MAAMO,kBAAiBP,2BAAAA,SAASO,cAAc,cAAvBP,sCAAAA,2BAA2B;QAAC;KAAO;IAE1D,6EAA6E;IAC7E,MAAMQ,SAA2B;QAC/BJ;QACAC;QACAI,qBAAqBC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;QAC7CC,0BAA0B;QAC1Bb,eAAeD,SAASC,aAAa;QACrCc,0BAA0B,GAAEf,uCAAAA,SAASe,0BAA0B,cAAnCf,kDAAAA,uCAAuC;QACnEM;QACAC;QACA,GAAIP,SAASgB,WAAW,KAAKC,aAAa;YAAED,aAAahB,SAASgB,WAAW;QAAC,CAAC;QAC/E,GAAIhB,SAASkB,UAAU,KAAKD,aAAa;YAAEC,YAAYlB,SAASkB,UAAU;QAAC,CAAC;QAC5E,GAAIlB,SAASmB,QAAQ,KAAKF,aAAa;YAAEE,UAAUnB,SAASmB,QAAQ;QAAC,CAAC;QACtE,GAAInB,SAASoB,KAAK,KAAKH,aAAa;YAAEG,OAAOpB,SAASoB,KAAK;QAAC,CAAC;QAC7D,GAAIpB,SAASqB,QAAQ,KAAKJ,aAAa;YAAEI,UAAUrB,SAASqB,QAAQ;QAAC,CAAC;QACtE,GAAIrB,SAASsB,OAAO,KAAKL,aAAa;YAAEK,SAAStB,SAASsB,OAAO;QAAC,CAAC;QACnE,GAAItB,SAASuB,UAAU,KAAKN,aAAa;YAAEM,YAAYvB,SAASuB,UAAU;QAAC,CAAC;QAC5E,GAAIvB,SAASwB,QAAQ,KAAKP,aAAa;YAAEO,UAAUxB,SAASwB,QAAQ;QAAC,CAAC;QACtE,GAAIxB,SAASyB,IAAI,KAAKR,aAAa;YAAEQ,MAAMzB,SAASyB,IAAI;QAAC,CAAC;QAC1D,GAAIzB,SAAS0B,WAAW,KAAKT,aAAa;YAAES,aAAa1B,SAAS0B,WAAW;QAAC,CAAC;QAC/E,GAAI1B,SAAS2B,gBAAgB,KAAKV,aAAa;YAAEU,kBAAkB3B,SAAS2B,gBAAgB;QAAC,CAAC;QAC9FC,YAAYhB,KAAKC,GAAG;IACtB;IAEA,eAAe;IACf,MAAMd,MAAM8B,GAAG,CAAC,CAAC,WAAW,EAAEzB,WAAW,EAAEI;IAE3C,4DAA4D;IAC5D,MAAM,EAAEoB,UAAU,EAAE,GAAGE,YAAY,GAAGtB;IACtC,OAAOsB;AACT;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,UAAUhC,KAAW,EAAEiC,QAAgB;IAC3D,OAAO,MAAMjC,MAAMkC,GAAG,CAAC,CAAC,WAAW,EAAED,UAAU;AACjD;AAEA;;;;;;;CAOC,GACD,OAAO,eAAeE,eAAenC,KAAW,EAAEiC,QAAgB,EAAEG,YAAoB;IACtF,MAAM3B,SAAS,MAAMuB,UAAUhC,OAAOiC;IACtC,IAAI,CAACxB,QAAQ,OAAO;IACpB,OAAOA,OAAOH,aAAa,KAAK8B;AAClC;AAEA;;;;;;;CAOC,GACD,OAAO,eAAeC,oBAAoBrC,KAAW,EAAEiC,QAAgB,EAAEK,WAAmB;IAC1F,MAAM7B,SAAS,MAAMuB,UAAUhC,OAAOiC;IACtC,IAAI,CAACxB,UAAU,CAACA,OAAOP,aAAa,EAAE,OAAO;IAC7C,OAAOO,OAAOP,aAAa,CAACqC,QAAQ,CAACD;AACvC;AAEA;;;;;;;;CAQC,GACD,OAAO,eAAeE,YAAYxC,KAAW;IAC3C,MAAMyC,UAA8B,EAAE;IAEtC,8CAA8C;IAC9C,IAAIzC,MAAM0C,QAAQ,EAAE;QAClB,kEAAkE;QAClE,MAAMA,WAAW1C,MAAM0C,QAAQ,CAAC;QAChC,WAAW,MAAM,CAACC,MAAMC,MAAM,IAAIF,SAAU;YAC1C,IAAIE,UAAU1B,WAAW;gBACvBuB,QAAQI,IAAI,CAACD;YACf;QACF;IACF;IAEA,OAAOH;AACT;AAEA;;;;;CAKC,GACD,OAAO,eAAeK,aAAa9C,KAAW,EAAEiC,QAAgB;IAC9D,MAAMjC,MAAM+C,MAAM,CAAC,CAAC,WAAW,EAAEd,UAAU;AAC7C;AAEA,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAee,kBAAkBhD,KAAW,EAAEiD,QAAgB,EAAEC,MAAsB;IAC3F,MAAMlD,MAAM8B,GAAG,CAAC,CAAC,aAAa,EAAEmB,UAAU,EAAEC;AAC9C;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,kBAAkBnD,KAAW,EAAEiD,QAAgB;IACnE,OAAO,MAAMjD,MAAMkC,GAAG,CAAC,CAAC,aAAa,EAAEe,UAAU;AACnD;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,qBAAqBpD,KAAW,EAAEiD,QAAgB;IACtE,MAAMjD,MAAM+C,MAAM,CAAC,CAAC,aAAa,EAAEE,UAAU;AAC/C;AAEA,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,YAAYrD,KAAW,EAAEsD,IAAY,EAAEC,QAA2B;IACtF,MAAMvD,MAAM8B,GAAG,CAAC,CAAC,aAAa,EAAEwB,MAAM,EAAEC;AAC1C;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,YAAYxD,KAAW,EAAEsD,IAAY;IACzD,OAAO,MAAMtD,MAAMkC,GAAG,CAAC,CAAC,aAAa,EAAEoB,MAAM;AAC/C;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,eAAezD,KAAW,EAAEsD,IAAY;IAC5D,MAAMtD,MAAM+C,MAAM,CAAC,CAAC,aAAa,EAAEO,MAAM;AAC3C;AAEA,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,eAAe1D,KAAW,EAAE2D,KAAa,EAAEC,SAAsB;IACrF,MAAM5D,MAAM8B,GAAG,CAAC,CAAC,WAAW,EAAE6B,OAAO,EAAEC;AACzC;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,eAAe7D,KAAW,EAAE2D,KAAa;IAC7D,OAAO,MAAM3D,MAAMkC,GAAG,CAAC,CAAC,WAAW,EAAEyB,OAAO;AAC9C;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,kBAAkB9D,KAAW,EAAE2D,KAAa;IAChE,MAAM3D,MAAM+C,MAAM,CAAC,CAAC,WAAW,EAAEY,OAAO;AAC1C;AAEA,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,gBAAgB/D,KAAW,EAAE2D,KAAa,EAAEC,SAAsB;IACtF,MAAM5D,MAAM8B,GAAG,CAAC,CAAC,YAAY,EAAE6B,OAAO,EAAEC;AAC1C;AAEA;;;;;;CAMC,GACD,OAAO,eAAeI,gBAAgBhE,KAAW,EAAE2D,KAAa;IAC9D,OAAO,MAAM3D,MAAMkC,GAAG,CAAC,CAAC,YAAY,EAAEyB,OAAO;AAC/C;AAEA;;;;;CAKC,GACD,OAAO,eAAeM,mBAAmBjE,KAAW,EAAE2D,KAAa;IACjE,MAAM3D,MAAM+C,MAAM,CAAC,CAAC,YAAY,EAAEY,OAAO;AAC3C"}

package/dist/esm/lib/dcr-verify.d.ts

@@ -0,0 +1,53 @@
+/**
+ * DCR Token Verification Utilities
+ *
+ * Provides token verification for both self-hosted and external DCR modes:
+ * - Self-hosted: Verifies tokens against local DCR router (/oauth/verify)
+ * - External: Verifies tokens against Auth0/Stitch verification endpoint
+ */
+import type { ProviderTokens } from '@mcp-z/oauth';
+/**
+ * Verification result from DCR authorization server
+ */
+export interface VerificationResult {
+    /** Bearer token that was verified */
+    token: string;
+    /** Client ID associated with the token */
+    clientId: string;
+    /** OAuth scopes granted to the token */
+    scopes: string[];
+    /** Token expiration timestamp (milliseconds since epoch) */
+    expiresAt: number;
+    /** Provider tokens (Google access/refresh tokens) */
+    providerTokens: ProviderTokens;
+}
+/**
+ * Verify bearer token against DCR authorization server
+ *
+ * Supports both self-hosted and external DCR modes by calling the
+ * /oauth/verify endpoint (or equivalent external URL).
+ *
+ * @param bearerToken - Bearer token to verify (without "Bearer " prefix)
+ * @param verifyUrl - Verification endpoint URL (self-hosted or external)
+ * @returns Verification result with provider tokens
+ * @throws Error if verification fails
+ *
+ * @example Self-hosted mode
+ * ```typescript
+ * const result = await verifyBearerToken(
+ *   token,
+ *   'http://localhost:3456/oauth/verify'
+ * );
+ * const auth = provider.toAuth(result.providerTokens);
+ * ```
+ *
+ * @example External mode (Auth0/Stitch)
+ * ```typescript
+ * const result = await verifyBearerToken(
+ *   token,
+ *   'https://auth.example.com/oauth/verify'
+ * );
+ * const auth = provider.toAuth(result.providerTokens);
+ * ```
+ */
+export declare function verifyBearerToken(bearerToken: string, verifyUrl: string): Promise<VerificationResult>;

package/dist/esm/lib/dcr-verify.js

@@ -0,0 +1,53 @@
+/**
+ * DCR Token Verification Utilities
+ *
+ * Provides token verification for both self-hosted and external DCR modes:
+ * - Self-hosted: Verifies tokens against local DCR router (/oauth/verify)
+ * - External: Verifies tokens against Auth0/Stitch verification endpoint
+ */ import { fetchWithTimeout } from './fetch-with-timeout.js';
+/**
+ * Verify bearer token against DCR authorization server
+ *
+ * Supports both self-hosted and external DCR modes by calling the
+ * /oauth/verify endpoint (or equivalent external URL).
+ *
+ * @param bearerToken - Bearer token to verify (without "Bearer " prefix)
+ * @param verifyUrl - Verification endpoint URL (self-hosted or external)
+ * @returns Verification result with provider tokens
+ * @throws Error if verification fails
+ *
+ * @example Self-hosted mode
+ * ```typescript
+ * const result = await verifyBearerToken(
+ *   token,
+ *   'http://localhost:3456/oauth/verify'
+ * );
+ * const auth = provider.toAuth(result.providerTokens);
+ * ```
+ *
+ * @example External mode (Auth0/Stitch)
+ * ```typescript
+ * const result = await verifyBearerToken(
+ *   token,
+ *   'https://auth.example.com/oauth/verify'
+ * );
+ * const auth = provider.toAuth(result.providerTokens);
+ * ```
+ */ export async function verifyBearerToken(bearerToken, verifyUrl) {
+    const response = await fetchWithTimeout(verifyUrl, {
+        method: 'GET',
+        headers: {
+            Authorization: `Bearer ${bearerToken}`
+        }
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Token verification failed: ${response.status} ${errorText}`);
+    }
+    const result = await response.json();
+    // Validate required fields
+    if (!result.providerTokens || !result.providerTokens.accessToken) {
+        throw new Error('Verification response missing required provider tokens');
+    }
+    return result;
+}

package/dist/esm/lib/dcr-verify.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/lib/dcr-verify.ts"],"sourcesContent":["/**\n * DCR Token Verification Utilities\n *\n * Provides token verification for both self-hosted and external DCR modes:\n * - Self-hosted: Verifies tokens against local DCR router (/oauth/verify)\n * - External: Verifies tokens against Auth0/Stitch verification endpoint\n */\n\nimport type { ProviderTokens } from '@mcp-z/oauth';\nimport { fetchWithTimeout } from './fetch-with-timeout.ts';\n\n/**\n * Verification result from DCR authorization server\n */\nexport interface VerificationResult {\n  /** Bearer token that was verified */\n  token: string;\n  /** Client ID associated with the token */\n  clientId: string;\n  /** OAuth scopes granted to the token */\n  scopes: string[];\n  /** Token expiration timestamp (milliseconds since epoch) */\n  expiresAt: number;\n  /** Provider tokens (Google access/refresh tokens) */\n  providerTokens: ProviderTokens;\n}\n\n/**\n * Verify bearer token against DCR authorization server\n *\n * Supports both self-hosted and external DCR modes by calling the\n * /oauth/verify endpoint (or equivalent external URL).\n *\n * @param bearerToken - Bearer token to verify (without \"Bearer \" prefix)\n * @param verifyUrl - Verification endpoint URL (self-hosted or external)\n * @returns Verification result with provider tokens\n * @throws Error if verification fails\n *\n * @example Self-hosted mode\n * ```typescript\n * const result = await verifyBearerToken(\n *   token,\n *   'http://localhost:3456/oauth/verify'\n * );\n * const auth = provider.toAuth(result.providerTokens);\n * ```\n *\n * @example External mode (Auth0/Stitch)\n * ```typescript\n * const result = await verifyBearerToken(\n *   token,\n *   'https://auth.example.com/oauth/verify'\n * );\n * const auth = provider.toAuth(result.providerTokens);\n * ```\n */\nexport async function verifyBearerToken(bearerToken: string, verifyUrl: string): Promise<VerificationResult> {\n  const response = await fetchWithTimeout(verifyUrl, {\n    method: 'GET',\n    headers: {\n      Authorization: `Bearer ${bearerToken}`,\n    },\n  });\n\n  if (!response.ok) {\n    const errorText = await response.text();\n    throw new Error(`Token verification failed: ${response.status} ${errorText}`);\n  }\n\n  const result = (await response.json()) as VerificationResult;\n\n  // Validate required fields\n  if (!result.providerTokens || !result.providerTokens.accessToken) {\n    throw new Error('Verification response missing required provider tokens');\n  }\n\n  return result;\n}\n"],"names":["fetchWithTimeout","verifyBearerToken","bearerToken","verifyUrl","response","method","headers","Authorization","ok","errorText","text","Error","status","result","json","providerTokens","accessToken"],"mappings":"AAAA;;;;;;CAMC,GAGD,SAASA,gBAAgB,QAAQ,0BAA0B;AAkB3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BC,GACD,OAAO,eAAeC,kBAAkBC,WAAmB,EAAEC,SAAiB;IAC5E,MAAMC,WAAW,MAAMJ,iBAAiBG,WAAW;QACjDE,QAAQ;QACRC,SAAS;YACPC,eAAe,CAAC,OAAO,EAAEL,aAAa;QACxC;IACF;IAEA,IAAI,CAACE,SAASI,EAAE,EAAE;QAChB,MAAMC,YAAY,MAAML,SAASM,IAAI;QACrC,MAAM,IAAIC,MAAM,CAAC,2BAA2B,EAAEP,SAASQ,MAAM,CAAC,CAAC,EAAEH,WAAW;IAC9E;IAEA,MAAMI,SAAU,MAAMT,SAASU,IAAI;IAEnC,2BAA2B;IAC3B,IAAI,CAACD,OAAOE,cAAc,IAAI,CAACF,OAAOE,cAAc,CAACC,WAAW,EAAE;QAChE,MAAM,IAAIL,MAAM;IAClB;IAEA,OAAOE;AACT"}

package/dist/esm/lib/fetch-with-timeout.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Fetch with timeout to prevent hanging requests
+ *
+ * This utility wraps the native fetch API with an AbortController to ensure
+ * requests don't hang indefinitely. This is critical for OAuth token operations
+ * where expired tokens might cause Google's servers to hang or respond slowly.
+ *
+ * @param url - URL to fetch
+ * @param options - Fetch options
+ * @param timeoutMs - Timeout in milliseconds (default: 30000)
+ * @returns Fetch response
+ * @throws Error if request times out
+ */
+export declare function fetchWithTimeout(url: string, options?: RequestInit, timeoutMs?: number): Promise<Response>;

package/dist/esm/lib/fetch-with-timeout.js

@@ -0,0 +1,30 @@
+/**
+ * Fetch with timeout to prevent hanging requests
+ *
+ * This utility wraps the native fetch API with an AbortController to ensure
+ * requests don't hang indefinitely. This is critical for OAuth token operations
+ * where expired tokens might cause Google's servers to hang or respond slowly.
+ *
+ * @param url - URL to fetch
+ * @param options - Fetch options
+ * @param timeoutMs - Timeout in milliseconds (default: 30000)
+ * @returns Fetch response
+ * @throws Error if request times out
+ */ export async function fetchWithTimeout(url, options, timeoutMs = 30000) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(()=>controller.abort(), timeoutMs);
+    try {
+        const response = await fetch(url, {
+            ...options,
+            signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        return response;
+    } catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof Error && error.name === 'AbortError') {
+            throw new Error(`Request timeout after ${timeoutMs}ms`);
+        }
+        throw error;
+    }
+}

package/dist/esm/lib/fetch-with-timeout.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/lib/fetch-with-timeout.ts"],"sourcesContent":["/**\n * Fetch with timeout to prevent hanging requests\n *\n * This utility wraps the native fetch API with an AbortController to ensure\n * requests don't hang indefinitely. This is critical for OAuth token operations\n * where expired tokens might cause Google's servers to hang or respond slowly.\n *\n * @param url - URL to fetch\n * @param options - Fetch options\n * @param timeoutMs - Timeout in milliseconds (default: 30000)\n * @returns Fetch response\n * @throws Error if request times out\n */\nexport async function fetchWithTimeout(url: string, options?: RequestInit, timeoutMs = 30000): Promise<Response> {\n  const controller = new AbortController();\n  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);\n\n  try {\n    const response = await fetch(url, {\n      ...options,\n      signal: controller.signal,\n    });\n    clearTimeout(timeoutId);\n    return response;\n  } catch (error) {\n    clearTimeout(timeoutId);\n    if (error instanceof Error && error.name === 'AbortError') {\n      throw new Error(`Request timeout after ${timeoutMs}ms`);\n    }\n    throw error;\n  }\n}\n"],"names":["fetchWithTimeout","url","options","timeoutMs","controller","AbortController","timeoutId","setTimeout","abort","response","fetch","signal","clearTimeout","error","Error","name"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GACD,OAAO,eAAeA,iBAAiBC,GAAW,EAAEC,OAAqB,EAAEC,YAAY,KAAK;IAC1F,MAAMC,aAAa,IAAIC;IACvB,MAAMC,YAAYC,WAAW,IAAMH,WAAWI,KAAK,IAAIL;IAEvD,IAAI;QACF,MAAMM,WAAW,MAAMC,MAAMT,KAAK;YAChC,GAAGC,OAAO;YACVS,QAAQP,WAAWO,MAAM;QAC3B;QACAC,aAAaN;QACb,OAAOG;IACT,EAAE,OAAOI,OAAO;QACdD,aAAaN;QACb,IAAIO,iBAAiBC,SAASD,MAAME,IAAI,KAAK,cAAc;YACzD,MAAM,IAAID,MAAM,CAAC,sBAAsB,EAAEX,UAAU,EAAE,CAAC;QACxD;QACA,MAAMU;IACR;AACF"}