@mcp-z/oauth-google 1.0.3 → 1.0.4

package/dist/cjs/lib/dcr-router.js

@@ -309,6 +309,21 @@ function _ts_generator(thisArg, body) {
 function createDcrRouter(config) {
     var router = _express.default.Router();
     var store = config.store, issuerUrl = config.issuerUrl, baseUrl = config.baseUrl, scopesSupported = config.scopesSupported, clientConfig = config.clientConfig;
+    router.use('/mcp', function(req, res, next) {
+        var authHeader = req.headers.authorization || req.headers.Authorization;
+        var headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+        if (!headerValue || !headerValue.toLowerCase().startsWith('bearer ')) {
+            return res.status(401).set('WWW-Authenticate', 'Bearer resource_metadata="'.concat(baseUrl, '/.well-known/oauth-protected-resource"')).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32600,
+                    message: 'Missing Authorization header. DCR mode requires bearer token.'
+                },
+                id: null
+            });
+        }
+        return next();
+    });
     router.use(_express.default.json());
     router.use(_express.default.urlencoded({
         extended: true

package/dist/cjs/lib/dcr-router.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-google/src/lib/dcr-router.ts"],"sourcesContent":["/**\n * DCR Router - OAuth 2.0 Authorization Server\n *\n * Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n *\n * Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n */\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport * as dcrUtils from './dcr-utils.ts';\n\n/**\n * Configuration for DCR Router (self-hosted mode only)\n */\nexport interface DcrRouterConfig {\n  /** Single Keyv store for all DCR data */\n  store: Keyv;\n\n  /** Authorization Server issuer URL */\n  issuerUrl: string;\n\n  /** Base URL for OAuth endpoints */\n  baseUrl: string;\n\n  /** Supported OAuth scopes */\n  scopesSupported: string[];\n\n  /** OAuth client configuration for upstream provider */\n  clientConfig: OAuthClientConfig;\n}\n\n/**\n * Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n *\n * For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n *\n * @param config - Router configuration\n * @returns Express router with OAuth endpoints\n */\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n  const router = express.Router();\n  const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n  router.use(express.json());\n  router.use(express.urlencoded({ extended: true }));\n\n  /**\n   * OAuth Authorization Server Metadata (RFC 8414)\n   * GET /.well-known/oauth-authorization-server\n   */\n  router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n    const metadata: RFC8414Metadata = {\n      issuer: issuerUrl,\n      authorization_endpoint: `${baseUrl}/oauth/authorize`,\n      token_endpoint: `${baseUrl}/oauth/token`,\n      registration_endpoint: `${baseUrl}/oauth/register`,\n      revocation_endpoint: `${baseUrl}/oauth/revoke`,\n      scopes_supported: scopesSupported,\n      response_types_supported: ['code'],\n      grant_types_supported: ['authorization_code', 'refresh_token'],\n      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n      code_challenge_methods_supported: ['S256', 'plain'],\n      service_documentation: `${baseUrl}/docs`,\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Root)\n   * GET /.well-known/oauth-protected-resource\n   */\n  router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: baseUrl,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n   * GET /.well-known/oauth-protected-resource/mcp\n   */\n  router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: `${baseUrl}/mcp`,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * Dynamic Client Registration (RFC 7591)\n   * POST /oauth/register\n   */\n  router.post('/oauth/register', async (req: Request, res: Response) => {\n    try {\n      const registrationRequest = req.body;\n      const client = await dcrUtils.registerClient(store, registrationRequest);\n      res.status(201).json(client);\n    } catch (error) {\n      res.status(400).json({\n        error: 'invalid_client_metadata',\n        error_description: error instanceof Error ? error.message : 'Invalid registration request',\n      });\n    }\n  });\n\n  /**\n   * OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n   * GET /oauth/authorize\n   *\n   * Initiates Google OAuth flow, then generates DCR authorization code\n   */\n  router.get('/oauth/authorize', async (req: Request, res: Response) => {\n    const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n    if (response_type !== 'code') {\n      return res.status(400).json({\n        error: 'unsupported_response_type',\n        error_description: 'Only response_type=code is supported',\n      });\n    }\n\n    if (!client_id || typeof client_id !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'client_id is required',\n      });\n    }\n\n    if (!redirect_uri || typeof redirect_uri !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'redirect_uri is required',\n      });\n    }\n\n    const client = await dcrUtils.getClient(store, client_id);\n    if (!client) {\n      return res.status(400).json({\n        error: 'invalid_client',\n        error_description: 'Unknown client_id',\n      });\n    }\n\n    const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n    if (!isValidRedirect) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid redirect_uri',\n      });\n    }\n\n    const googleState = randomUUID();\n    const dcrRequestState = {\n      client_id,\n      redirect_uri,\n      scope: typeof scope === 'string' ? scope : '',\n      state: typeof state === 'string' ? state : undefined,\n      code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n      code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await store.set(`dcr:google-state:${googleState}`, dcrRequestState, 600000);\n\n    const googleAuthUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');\n    googleAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n    googleAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n    googleAuthUrl.searchParams.set('response_type', 'code');\n    googleAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n    googleAuthUrl.searchParams.set('state', googleState);\n    googleAuthUrl.searchParams.set('access_type', 'offline');\n    googleAuthUrl.searchParams.set('prompt', 'consent');\n\n    return res.redirect(googleAuthUrl.toString());\n  });\n\n  /**\n   * OAuth Callback Handler\n   * GET /oauth/callback\n   *\n   * Handles OAuth callback from Google, exchanges authorization code for tokens,\n   * and redirects back to client with DCR authorization code.\n   */\n  router.get('/oauth/callback', async (req: Request, res: Response) => {\n    const { code: googleCode, state: googleState, error } = req.query;\n\n    if (error) {\n      return res.status(400).json({\n        error: typeof error === 'string' ? error : 'access_denied',\n        error_description: 'Google OAuth authorization failed',\n      });\n    }\n\n    if (!googleCode || typeof googleCode !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing authorization code from Google',\n      });\n    }\n\n    if (!googleState || typeof googleState !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing state parameter',\n      });\n    }\n\n    const dcrRequestState = await store.get(`dcr:google-state:${googleState}`);\n    if (!dcrRequestState) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid or expired state parameter',\n      });\n    }\n\n    await store.delete(`dcr:google-state:${googleState}`);\n\n    if (Date.now() > dcrRequestState.expires_at) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'DCR request state expired',\n      });\n    }\n\n    const tokenUrl = 'https://oauth2.googleapis.com/token';\n    // Build token params - only include client_secret for confidential clients\n    // Public clients (Desktop apps) should NOT send client_secret at all\n    const tokenParamsObj: Record<string, string> = {\n      code: googleCode,\n      client_id: clientConfig.clientId,\n      redirect_uri: `${baseUrl}/oauth/callback`,\n      grant_type: 'authorization_code',\n    };\n    if (clientConfig.clientSecret) {\n      tokenParamsObj.client_secret = clientConfig.clientSecret;\n    }\n    const tokenParams = new URLSearchParams(tokenParamsObj);\n\n    const tokenResponse = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: tokenParams.toString(),\n    });\n\n    if (!tokenResponse.ok) {\n      const errorText = await tokenResponse.text();\n      return res.status(400).json({\n        error: 'server_error',\n        error_description: `Failed to exchange Google authorization code: ${errorText}`,\n      });\n    }\n\n    const tokenData = (await tokenResponse.json()) as {\n      access_token: string;\n      refresh_token?: string;\n      expires_in: number;\n      scope: string;\n    };\n\n    // Create provider tokens from Google response\n    const providerTokens: ProviderTokens = {\n      accessToken: tokenData.access_token,\n      ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n      expiresAt: Date.now() + tokenData.expires_in * 1000,\n      scope: tokenData.scope,\n    };\n\n    const dcrCode = randomUUID();\n    const authCode: AuthorizationCode = {\n      code: dcrCode,\n      client_id: dcrRequestState.client_id,\n      redirect_uri: dcrRequestState.redirect_uri,\n      scope: dcrRequestState.scope,\n      ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n      ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n      providerTokens,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n    const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n    clientRedirectUrl.searchParams.set('code', dcrCode);\n    if (dcrRequestState.state) {\n      clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n    }\n\n    return res.redirect(clientRedirectUrl.toString());\n  });\n\n  /**\n   * OAuth Token Endpoint (RFC 6749 Section 3.2)\n   * POST /oauth/token\n   */\n  router.post('/oauth/token', async (req: Request, res: Response) => {\n    let client_id = req.body.client_id;\n    let client_secret = req.body.client_secret;\n\n    const authHeader = req.headers.authorization;\n    if (authHeader && authHeader.startsWith('Basic ')) {\n      const base64Credentials = authHeader.substring(6);\n      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n      const [id, secret] = credentials.split(':');\n      client_id = id;\n      client_secret = secret;\n    }\n\n    const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n    if (!grant_type) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'grant_type is required',\n      });\n    }\n\n    if (grant_type === 'authorization_code') {\n      if (!code || !client_id || !redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'code, client_id, and redirect_uri are required',\n        });\n      }\n\n      // Validate client credentials\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const authCode = await dcrUtils.getAuthCode(store, code);\n      if (!authCode) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid or expired authorization code',\n        });\n      }\n\n      if (authCode.client_id !== client_id || authCode.redirect_uri !== redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code mismatch',\n        });\n      }\n\n      if (Date.now() > authCode.expires_at) {\n        await dcrUtils.deleteAuthCode(store, code);\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code expired',\n        });\n      }\n\n      if (authCode.code_challenge) {\n        if (!code_verifier) {\n          return res.status(400).json({\n            error: 'invalid_request',\n            error_description: 'code_verifier is required for PKCE',\n          });\n        }\n\n        const method = authCode.code_challenge_method ?? 'plain';\n        const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n        if (computedChallenge !== authCode.code_challenge) {\n          return res.status(400).json({\n            error: 'invalid_grant',\n            error_description: 'Invalid code_verifier',\n          });\n        }\n      }\n\n      await dcrUtils.deleteAuthCode(store, code);\n\n      const accessToken = randomUUID();\n      const refreshTokenValue = randomUUID();\n\n      const tokenData: AccessToken = {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 3600,\n        refresh_token: refreshTokenValue,\n        scope: authCode.scope,\n        client_id,\n        providerTokens: authCode.providerTokens,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, accessToken, tokenData);\n      await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n      await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n      return res.json({\n        access_token: tokenData.access_token,\n        token_type: tokenData.token_type,\n        expires_in: tokenData.expires_in,\n        refresh_token: tokenData.refresh_token,\n        scope: tokenData.scope,\n      });\n    }\n    if (grant_type === 'refresh_token') {\n      if (!refresh_token || !client_id) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'refresh_token and client_id are required',\n        });\n      }\n\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n      if (!tokenData || tokenData.client_id !== client_id) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid refresh token',\n        });\n      }\n\n      let refreshedProviderTokens = tokenData.providerTokens;\n      if (tokenData.providerTokens.refreshToken) {\n        try {\n          // Create DcrOAuthProvider instance to refresh Google tokens\n          const provider = new DcrOAuthProvider({\n            ...clientConfig,\n            scope: tokenData.scope,\n            verifyEndpoint: `${baseUrl}/oauth/verify`,\n            logger: {\n              info: console.log,\n              error: console.error,\n              warn: console.warn,\n              debug: () => {},\n            },\n          });\n\n          // Refresh the Google access token\n          refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n        } catch (error) {\n          // If refresh fails, continue with existing tokens (they may still be valid)\n          console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n        }\n      }\n\n      const newAccessToken = randomUUID();\n      const newTokenData: AccessToken = {\n        ...tokenData,\n        access_token: newAccessToken,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n      await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n      return res.json({\n        access_token: newTokenData.access_token,\n        token_type: newTokenData.token_type,\n        expires_in: newTokenData.expires_in,\n        scope: newTokenData.scope,\n      });\n    }\n    return res.status(400).json({\n      error: 'unsupported_grant_type',\n      error_description: 'Only authorization_code and refresh_token grants are supported',\n    });\n  });\n\n  /**\n   * OAuth Token Revocation (RFC 7009)\n   * POST /oauth/revoke\n   */\n  router.post('/oauth/revoke', async (req: Request, res: Response) => {\n    const { token, token_type_hint, client_id, client_secret } = req.body;\n\n    if (!token) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'token is required',\n      });\n    }\n\n    if (client_id && client_secret) {\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n    }\n\n    if (token_type_hint === 'refresh_token') {\n      await dcrUtils.deleteRefreshToken(store, token);\n    } else if (token_type_hint === 'access_token') {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    } else {\n      // No hint - try both\n      await dcrUtils.deleteRefreshToken(store, token);\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    }\n\n    return res.status(200).send();\n  });\n\n  /**\n   * Token Verification Endpoint\n   * GET /oauth/verify\n   *\n   * Validates bearer tokens for Resource Server.\n   * Returns AuthInfo with provider tokens for stateless DCR pattern.\n   */\n  router.get('/oauth/verify', async (req: Request, res: Response) => {\n    const authHeader = req.headers.authorization;\n\n    if (!authHeader || !authHeader.startsWith('Bearer ')) {\n      return res.status(401).json({\n        error: 'invalid_request',\n        error_description: 'Missing or invalid Authorization header',\n      });\n    }\n\n    const token = authHeader.substring(7);\n    const tokenData = await dcrUtils.getAccessToken(store, token);\n\n    if (!tokenData) {\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Unknown or expired access token',\n      });\n    }\n\n    const now = Date.now();\n    const expiresAt = tokenData.created_at + tokenData.expires_in * 1000;\n\n    if (now > expiresAt) {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Access token has expired',\n      });\n    }\n\n    const authInfo = {\n      token,\n      clientId: tokenData.client_id,\n      scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n      expiresAt,\n      providerTokens: tokenData.providerTokens,\n    };\n\n    return res.json(authInfo);\n  });\n\n  /**\n   * Debug endpoint to list registered clients (development only)\n   */\n  router.get('/debug/clients', async (_req: Request, res: Response) => {\n    const clients = await dcrUtils.listClients(store);\n    return res.json(clients);\n  });\n\n  return router;\n}\n"],"names":["createDcrRouter","config","router","express","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","json","urlencoded","extended","get","_req","res","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","req","registrationRequest","client","error","body","dcrUtils","registerClient","status","error_description","Error","message","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","isValidRedirect","googleState","dcrRequestState","googleAuthUrl","query","getClient","validateRedirectUri","randomUUID","undefined","created_at","Date","now","expires_at","set","URL","searchParams","clientId","redirect","toString","googleCode","tokenUrl","tokenParamsObj","tokenParams","tokenResponse","errorText","tokenData","providerTokens","dcrCode","authCode","clientRedirectUrl","code","delete","grant_type","clientSecret","client_secret","URLSearchParams","fetch","method","headers","ok","text","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","setAuthCode","authHeader","base64Credentials","credentials","id","secret","code_verifier","isValidClient","computedChallenge","refreshTokenValue","refreshedProviderTokens","provider","newAccessToken","newTokenData","authorization","startsWith","substring","Buffer","from","split","validateClient","getAuthCode","deleteAuthCode","createHash","update","digest","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","DcrOAuthProvider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","authInfo","getAccessToken","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC;;;;+BAwCeA;;;eAAAA;;;sBArCuB;8DAEnB;qBAEa;kEAEP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BnB,SAASA,gBAAgBC,MAAuB;IACrD,IAAMC,SAASC,gBAAO,CAACC,MAAM;IAC7B,IAAQC,QAA6DJ,OAA7DI,OAAOC,YAAsDL,OAAtDK,WAAWC,UAA2CN,OAA3CM,SAASC,kBAAkCP,OAAlCO,iBAAiBC,eAAiBR,OAAjBQ;IAEpDP,OAAOQ,GAAG,CAACP,gBAAO,CAACQ,IAAI;IACvBT,OAAOQ,GAAG,CAACP,gBAAO,CAACS,UAAU,CAAC;QAAEC,UAAU;IAAK;IAE/C;;;GAGC,GACDX,OAAOY,GAAG,CAAC,2CAA2C,SAACC,MAAeC;QACpE,IAAMC,WAA4B;YAChCC,QAAQZ;YACRa,wBAAwB,AAAC,GAAU,OAARZ,SAAQ;YACnCa,gBAAgB,AAAC,GAAU,OAARb,SAAQ;YAC3Bc,uBAAuB,AAAC,GAAU,OAARd,SAAQ;YAClCe,qBAAqB,AAAC,GAAU,OAARf,SAAQ;YAChCgB,kBAAkBf;YAClBgB,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,AAAC,GAAU,OAARrB,SAAQ;QACpC;QACAS,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAOY,GAAG,CAAC,yCAAyC,SAACC,MAAeC;QAClE,IAAMC,WAA4B;YAChCY,UAAUtB;YACVuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAOY,GAAG,CAAC,6CAA6C,SAACC,MAAeC;QACtE,IAAMC,WAA4B;YAChCY,UAAU,AAAC,GAAU,OAARtB,SAAQ;YACrBuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAO8B,IAAI,CAAC,mBAAmB,SAAOC,KAAcjB;;gBAE1CkB,qBACAC,QAECC;;;;;;;;;;wBAHDF,sBAAsBD,IAAII,IAAI;wBACrB;;4BAAMC,YAASC,cAAc,CAAClC,OAAO6B;;;wBAA9CC,SAAS;wBACfnB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAACwB;;;;;;wBACdC;wBACPpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;4BACnByB,OAAO;4BACPK,mBAAmBL,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG;wBAC9D;;;;;;;;;;;QAEJ;;IAEA;;;;;GAKC,GACDzC,OAAOY,GAAG,CAAC,oBAAoB,SAAOmB,KAAcjB;;gBACgEiB,YAA1GW,eAAeC,WAAWC,gCAAcC,yBAAYC,OAAYC,gBAAgBC,uBAuBlFf,QAQAgB,iBAQAC,aACAC,iBAaAC;;;;wBArD4GrB,aAAAA,IAAIsB,KAAK,EAAnHX,gBAA0GX,WAA1GW,eAAeC,YAA2FZ,WAA3FY,WAAWC,eAAgFb,WAAhFa,iCAAgFb,WAAlEc,OAAAA,sCAAQ,0CAA0Dd,WAAtDe,OAAAA,sCAAQ,uBAAIC,iBAA0ChB,WAA1CgB,gBAAgBC,wBAA0BjB,WAA1BiB;wBAExF,IAAIN,kBAAkB,QAAQ;4BAC5B;;gCAAO5B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACI,aAAa,OAAOA,cAAc,UAAU;4BAC/C;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACK,gBAAgB,OAAOA,iBAAiB,UAAU;4BACrD;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEe;;4BAAMH,YAASkB,SAAS,CAACnD,OAAOwC;;;wBAAzCV,SAAS;wBACf,IAAI,CAACA,QAAQ;4BACX;;gCAAOnB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEwB;;4BAAMH,YAASmB,mBAAmB,CAACpD,OAAOwC,WAAWC;;;wBAAvEK,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOnC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEMW,cAAcM,IAAAA,kBAAU;wBACxBL,kBAAkB;4BACtBR,WAAAA;4BACAC,cAAAA;4BACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;4BAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQW;4BAC3CV,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBU;4BACtET,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBS;4BAC3FC,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;wBAC3B;wBAEA;;4BAAMzD,MAAM2D,GAAG,CAAC,AAAC,oBAA+B,OAAZZ,cAAeC,iBAAiB;;;wBAApE;wBAEMC,gBAAgB,IAAIW,IAAI;wBAC9BX,cAAcY,YAAY,CAACF,GAAG,CAAC,aAAavD,aAAa0D,QAAQ;wBACjEb,cAAcY,YAAY,CAACF,GAAG,CAAC,gBAAgB,AAAC,GAAU,OAARzD,SAAQ;wBAC1D+C,cAAcY,YAAY,CAACF,GAAG,CAAC,iBAAiB;wBAChDV,cAAcY,YAAY,CAACF,GAAG,CAAC,SAAS,OAAOjB,UAAU,WAAWA,QAAQ;wBAC5EO,cAAcY,YAAY,CAACF,GAAG,CAAC,SAASZ;wBACxCE,cAAcY,YAAY,CAACF,GAAG,CAAC,eAAe;wBAC9CV,cAAcY,YAAY,CAACF,GAAG,CAAC,UAAU;wBAEzC;;4BAAOhD,IAAIoD,QAAQ,CAACd,cAAce,QAAQ;;;;QAC5C;;IAEA;;;;;;GAMC,GACDnE,OAAOY,GAAG,CAAC,mBAAmB,SAAOmB,KAAcjB;;gBACOiB,YAA1CqC,YAAmBlB,aAAahB,OAuBxCiB,iBAiBAkB,UAGAC,gBASAC,aAEAC,eAOEC,WAOFC,WAQAC,gBAOAC,SACAC,UAcAC;;;;wBAlGkD/C,aAAAA,IAAIsB,KAAK,EAAnDe,aAA0CrC,WAAhDgD,MAAyB7B,cAAuBnB,WAA9Be,OAAoBZ,QAAUH,WAAVG;wBAE9C,IAAIA,OAAO;4BACT;;gCAAOpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO,OAAOA,UAAU,WAAWA,QAAQ;oCAC3CK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAAC6B,cAAc,OAAOA,eAAe,UAAU;4BACjD;;gCAAOtD,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACW,eAAe,OAAOA,gBAAgB,UAAU;4BACnD;;gCAAOpC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEwB;;4BAAMpC,MAAMS,GAAG,CAAC,AAAC,oBAA+B,OAAZsC;;;wBAAtDC,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOrC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA;;4BAAMpC,MAAM6E,MAAM,CAAC,AAAC,oBAA+B,OAAZ9B;;;wBAAvC;wBAEA,IAAIS,KAAKC,GAAG,KAAKT,gBAAgBU,UAAU,EAAE;4BAC3C;;gCAAO/C,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEM8B,WAAW;wBACjB,2EAA2E;wBAC3E,qEAAqE;wBAC/DC,iBAAyC;4BAC7CS,MAAMX;4BACNzB,WAAWpC,aAAa0D,QAAQ;4BAChCrB,cAAc,AAAC,GAAU,OAARvC,SAAQ;4BACzB4E,YAAY;wBACd;wBACA,IAAI1E,aAAa2E,YAAY,EAAE;4BAC7BZ,eAAea,aAAa,GAAG5E,aAAa2E,YAAY;wBAC1D;wBACMX,cAAc,IAAIa,gBAAgBd;wBAElB;;4BAAMe,MAAMhB,UAAU;gCAC1CiB,QAAQ;gCACRC,SAAS;oCAAE,gBAAgB;gCAAoC;gCAC/DpD,MAAMoC,YAAYJ,QAAQ;4BAC5B;;;wBAJMK,gBAAgB;6BAMlB,CAACA,cAAcgB,EAAE,EAAjB;;;;wBACgB;;4BAAMhB,cAAciB,IAAI;;;wBAApChB,YAAY;wBAClB;;4BAAO3D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB,AAAC,iDAA0D,OAAVkC;4BACtE;;;wBAGiB;;4BAAMD,cAAc/D,IAAI;;;wBAArCiE,YAAa;wBAOnB,8CAA8C;wBACxCC,iBAAiC;4BACrCe,aAAahB,UAAUiB,YAAY;2BAC/BjB,UAAUkB,aAAa,IAAI;4BAAEC,cAAcnB,UAAUkB,aAAa;wBAAC;4BACvEE,WAAWnC,KAAKC,GAAG,KAAKc,UAAUqB,UAAU,GAAG;4BAC/ClD,OAAO6B,UAAU7B,KAAK;;wBAGlB+B,UAAUpB,IAAAA,kBAAU;wBACpBqB,WAA8B;4BAClCE,MAAMH;4BACNjC,WAAWQ,gBAAgBR,SAAS;4BACpCC,cAAcO,gBAAgBP,YAAY;4BAC1CC,OAAOM,gBAAgBN,KAAK;2BACxBM,gBAAgBJ,cAAc,IAAI;4BAAEA,gBAAgBI,gBAAgBJ,cAAc;wBAAC,GACnFI,gBAAgBH,qBAAqB,IAAI;4BAAEA,uBAAuBG,gBAAgBH,qBAAqB;wBAAC;4BAC5G2B,gBAAAA;4BACAjB,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;;wBAG3B;;4BAAMxB,YAAS4D,WAAW,CAAC7F,OAAOyE,SAASC;;;wBAA3C;wBAEMC,oBAAoB,IAAIf,IAAIZ,gBAAgBP,YAAY;wBAC9DkC,kBAAkBd,YAAY,CAACF,GAAG,CAAC,QAAQc;wBAC3C,IAAIzB,gBAAgBL,KAAK,EAAE;4BACzBgC,kBAAkBd,YAAY,CAACF,GAAG,CAAC,SAASX,gBAAgBL,KAAK;wBACnE;wBAEA;;4BAAOhC,IAAIoD,QAAQ,CAACY,kBAAkBX,QAAQ;;;;QAChD;;IAEA;;;GAGC,GACDnE,OAAO8B,IAAI,CAAC,gBAAgB,SAAOC,KAAcjB;;gBAC3C6B,WACAwC,eAEEc,YAEEC,mBACAC,aACeA,oBAAdC,IAAIC,QAK4DtE,WAAjEkD,YAAYF,MAAMnC,cAAcgD,eAAeU,eAkB/CC,eAQA1B,UA+BWA,iCAATS,QACAkB,mBAYFd,aACAe,mBAEA/B,WA+BA6B,gBAQA7B,YAQFgC,yBAIMC,UAcCzE,OAML0E,gBACAC;;;;wBA7JJlE,YAAYZ,IAAII,IAAI,CAACQ,SAAS;wBAC9BwC,gBAAgBpD,IAAII,IAAI,CAACgD,aAAa;wBAEpCc,aAAalE,IAAIwD,OAAO,CAACuB,aAAa;wBAC5C,IAAIb,cAAcA,WAAWc,UAAU,CAAC,WAAW;4BAC3Cb,oBAAoBD,WAAWe,SAAS,CAAC;4BACzCb,cAAcc,OAAOC,IAAI,CAAChB,mBAAmB,UAAU/B,QAAQ,CAAC;4BACjDgC,sCAAAA,YAAYgB,KAAK,CAAC,UAAhCf,KAAcD,uBAAVE,SAAUF;4BACrBxD,YAAYyD;4BACZjB,gBAAgBkB;wBAClB;wBAEyEtE,YAAAA,IAAII,IAAI,EAAzE8C,aAAiElD,UAAjEkD,YAAYF,OAAqDhD,UAArDgD,MAAMnC,eAA+Cb,UAA/Ca,cAAcgD,gBAAiC7D,UAAjC6D,eAAeU,gBAAkBvE,UAAlBuE;wBAEvD,IAAI,CAACrB,YAAY;4BACf;;gCAAOnE,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEI0C,CAAAA,eAAe,oBAAmB,GAAlCA;;;;wBACF,IAAI,CAACF,QAAQ,CAACpC,aAAa,CAACC,cAAc;4BACxC;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMH,YAASgF,cAAc,CAACjH,OAAOwC,WAAWwC,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFoB,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOzF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEiB;;4BAAMH,YAASiF,WAAW,CAAClH,OAAO4E;;;wBAA7CF,WAAW;wBACjB,IAAI,CAACA,UAAU;4BACb;;gCAAO/D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAIsC,SAASlC,SAAS,KAAKA,aAAakC,SAASjC,YAAY,KAAKA,cAAc;4BAC9E;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEIoB,CAAAA,KAAKC,GAAG,KAAKiB,SAAShB,UAAU,AAAD,GAA/BF;;;;wBACF;;4BAAMvB,YAASkF,cAAc,CAACnH,OAAO4E;;;wBAArC;wBACA;;4BAAOjE,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;wBAGF,IAAIsC,SAAS9B,cAAc,EAAE;;4BAC3B,IAAI,CAACuD,eAAe;gCAClB;;oCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;wCAC1ByB,OAAO;wCACPK,mBAAmB;oCACrB;;4BACF;4BAEM+C,UAAST,kCAAAA,SAAS7B,qBAAqB,cAA9B6B,6CAAAA,kCAAkC;4BAC3C2B,oBAAoBlB,WAAW,SAASiC,IAAAA,kBAAU,EAAC,UAAUC,MAAM,CAAClB,eAAemB,MAAM,CAAC,eAAenB;4BAE/G,IAAIE,sBAAsB3B,SAAS9B,cAAc,EAAE;gCACjD;;oCAAOjC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;wCAC1ByB,OAAO;wCACPK,mBAAmB;oCACrB;;4BACF;wBACF;wBAEA;;4BAAMH,YAASkF,cAAc,CAACnH,OAAO4E;;;wBAArC;wBAEMW,cAAclC,IAAAA,kBAAU;wBACxBiD,oBAAoBjD,IAAAA,kBAAU;wBAE9BkB,YAAyB;4BAC7BiB,cAAcD;4BACdgC,YAAY;4BACZ3B,YAAY;4BACZH,eAAea;4BACf5D,OAAOgC,SAAShC,KAAK;4BACrBF,WAAAA;4BACAgC,gBAAgBE,SAASF,cAAc;4BACvCjB,YAAYC,KAAKC,GAAG;wBACtB;wBAEA;;4BAAMxB,YAASuF,cAAc,CAACxH,OAAOuF,aAAahB;;;wBAAlD;wBACA;;4BAAMtC,YAASwF,eAAe,CAACzH,OAAOsG,mBAAmB/B;;;wBAAzD;wBACA;;4BAAMtC,YAASyF,iBAAiB,CAAC1H,OAAOuF,aAAab,SAASF,cAAc;;;wBAA5E;wBAEA;;4BAAO7D,IAAIL,IAAI,CAAC;gCACdkF,cAAcjB,UAAUiB,YAAY;gCACpC+B,YAAYhD,UAAUgD,UAAU;gCAChC3B,YAAYrB,UAAUqB,UAAU;gCAChCH,eAAelB,UAAUkB,aAAa;gCACtC/C,OAAO6B,UAAU7B,KAAK;4BACxB;;;6BAEEoC,CAAAA,eAAe,eAAc,GAA7BA;;;;wBACF,IAAI,CAACW,iBAAiB,CAACjD,WAAW;4BAChC;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEsB;;4BAAMH,YAASgF,cAAc,CAACjH,OAAOwC,WAAWwC,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFoB,iBAAgB;wBACtB,IAAI,CAACA,gBAAe;4BAClB;;gCAAOzF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEkB;;4BAAMH,YAAS0F,eAAe,CAAC3H,OAAOyF;;;wBAAlDlB,aAAY;wBAClB,IAAI,CAACA,cAAaA,WAAU/B,SAAS,KAAKA,WAAW;4BACnD;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEImE,0BAA0BhC,WAAUC,cAAc;6BAClDD,WAAUC,cAAc,CAACkB,YAAY,EAArCnB;;;;;;;;;;;;wBAEA,4DAA4D;wBACtDiC,WAAW,IAAIoB,uBAAgB,CAAC,wCACjCxH;4BACHsC,OAAO6B,WAAU7B,KAAK;4BACtBmF,gBAAgB,AAAC,GAAU,OAAR3H,SAAQ;4BAC3B4H,QAAQ;gCACNC,MAAMC,QAAQC,GAAG;gCACjBlG,OAAOiG,QAAQjG,KAAK;gCACpBmG,MAAMF,QAAQE,IAAI;gCAClBC,OAAO,YAAO;4BAChB;;wBAIwB;;4BAAM3B,SAAS4B,kBAAkB,CAAC7D,WAAUC,cAAc,CAACkB,YAAY;;;wBADjG,kCAAkC;wBAClCa,0BAA0B;;;;;;wBACnBxE;wBACP,4EAA4E;wBAC5EiG,QAAQE,IAAI,CAAC,yDAAyDnG,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG+F,OAAOtG;;;;;;wBAIpH0E,iBAAiBpD,IAAAA,kBAAU;wBAC3BqD,eAA4B,wCAC7BnC;4BACHiB,cAAciB;4BACdlD,YAAYC,KAAKC,GAAG;;wBAGtB;;4BAAMxB,YAASuF,cAAc,CAACxH,OAAOyG,gBAAgBC;;;wBAArD;wBACA;;4BAAMzE,YAASyF,iBAAiB,CAAC1H,OAAOyG,gBAAgBF;;;wBAAxD;wBAEA;;4BAAO5F,IAAIL,IAAI,CAAC;gCACdkF,cAAckB,aAAalB,YAAY;gCACvC+B,YAAYb,aAAaa,UAAU;gCACnC3B,YAAYc,aAAad,UAAU;gCACnClD,OAAOgE,aAAahE,KAAK;4BAC3B;;;wBAEF;;4BAAO/B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;;QACF;;IAEA;;;GAGC,GACDvC,OAAO8B,IAAI,CAAC,iBAAiB,SAAOC,KAAcjB;;gBACaiB,WAArD0G,OAAOC,iBAAiB/F,WAAWwC,eAUnCoB;;;;wBAVqDxE,YAAAA,IAAII,IAAI,EAA7DsG,QAAqD1G,UAArD0G,OAAOC,kBAA8C3G,UAA9C2G,iBAAiB/F,YAA6BZ,UAA7BY,WAAWwC,gBAAkBpD,UAAlBoD;wBAE3C,IAAI,CAACsD,OAAO;4BACV;;gCAAO3H,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEII,CAAAA,aAAawC,aAAY,GAAzBxC;;;;wBACoB;;4BAAMP,YAASgF,cAAc,CAACjH,OAAOwC,WAAWwC;;;wBAAhEoB,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOzF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;;;6BAGEmG,CAAAA,oBAAoB,eAAc,GAAlCA;;;;wBACF;;4BAAMtG,YAASuG,kBAAkB,CAACxI,OAAOsI;;;wBAAzC;;;;;;6BACSC,CAAAA,oBAAoB,cAAa,GAAjCA;;;;wBACT;;4BAAMtG,YAASwG,iBAAiB,CAACzI,OAAOsI;;;wBAAxC;wBACA;;4BAAMrG,YAASyG,oBAAoB,CAAC1I,OAAOsI;;;wBAA3C;;;;;;wBAEA,qBAAqB;wBACrB;;4BAAMrG,YAASuG,kBAAkB,CAACxI,OAAOsI;;;wBAAzC;wBACA;;4BAAMrG,YAASwG,iBAAiB,CAACzI,OAAOsI;;;wBAAxC;wBACA;;4BAAMrG,YAASyG,oBAAoB,CAAC1I,OAAOsI;;;wBAA3C;;;wBAGF;;4BAAO3H,IAAIwB,MAAM,CAAC,KAAKwG,IAAI;;;;QAC7B;;IAEA;;;;;;GAMC,GACD9I,OAAOY,GAAG,CAAC,iBAAiB,SAAOmB,KAAcjB;;gBACzCmF,YASAwC,OACA/D,WASAd,KACAkC,WAWAiD;;;;wBA/BA9C,aAAalE,IAAIwD,OAAO,CAACuB,aAAa;wBAE5C,IAAI,CAACb,cAAc,CAACA,WAAWc,UAAU,CAAC,YAAY;4BACpD;;gCAAOjG,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEMkG,QAAQxC,WAAWe,SAAS,CAAC;wBACjB;;4BAAM5E,YAAS4G,cAAc,CAAC7I,OAAOsI;;;wBAAjD/D,YAAY;wBAElB,IAAI,CAACA,WAAW;4BACd;;gCAAO5D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEMqB,MAAMD,KAAKC,GAAG;wBACdkC,YAAYpB,UAAUhB,UAAU,GAAGgB,UAAUqB,UAAU,GAAG;6BAE5DnC,CAAAA,MAAMkC,SAAQ,GAAdlC;;;;wBACF;;4BAAMxB,YAASwG,iBAAiB,CAACzI,OAAOsI;;;wBAAxC;wBACA;;4BAAMrG,YAASyG,oBAAoB,CAAC1I,OAAOsI;;;wBAA3C;wBACA;;4BAAO3H,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;wBAGIwG,WAAW;4BACfN,OAAAA;4BACAxE,UAAUS,UAAU/B,SAAS;4BAC7BsG,QAAQvE,UAAU7B,KAAK,GAAG6B,UAAU7B,KAAK,CAACsE,KAAK,CAAC;4BAChDrB,WAAAA;4BACAnB,gBAAgBD,UAAUC,cAAc;wBAC1C;wBAEA;;4BAAO7D,IAAIL,IAAI,CAACsI;;;;QAClB;;IAEA;;GAEC,GACD/I,OAAOY,GAAG,CAAC,kBAAkB,SAAOC,MAAeC;;gBAC3CoI;;;;wBAAU;;4BAAM9G,YAAS+G,WAAW,CAAChJ;;;wBAArC+I,UAAU;wBAChB;;4BAAOpI,IAAIL,IAAI,CAACyI;;;;QAClB;;IAEA,OAAOlJ;AACT"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-google/src/lib/dcr-router.ts"],"sourcesContent":["/**\n * DCR Router - OAuth 2.0 Authorization Server\n *\n * Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n *\n * Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n */\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport * as dcrUtils from './dcr-utils.ts';\n\n/**\n * Configuration for DCR Router (self-hosted mode only)\n */\nexport interface DcrRouterConfig {\n  /** Single Keyv store for all DCR data */\n  store: Keyv;\n\n  /** Authorization Server issuer URL */\n  issuerUrl: string;\n\n  /** Base URL for OAuth endpoints */\n  baseUrl: string;\n\n  /** Supported OAuth scopes */\n  scopesSupported: string[];\n\n  /** OAuth client configuration for upstream provider */\n  clientConfig: OAuthClientConfig;\n}\n\n/**\n * Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n *\n * For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n *\n * @param config - Router configuration\n * @returns Express router with OAuth endpoints\n */\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n  const router = express.Router();\n  const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n  router.use('/mcp', (req: Request, res: Response, next) => {\n    const authHeader = req.headers.authorization || req.headers.Authorization;\n    const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n\n    if (!headerValue || !headerValue.toLowerCase().startsWith('bearer ')) {\n      return res\n        .status(401)\n        .set('WWW-Authenticate', `Bearer resource_metadata=\"${baseUrl}/.well-known/oauth-protected-resource\"`)\n        .json({\n          jsonrpc: '2.0',\n          error: {\n            code: -32600,\n            message: 'Missing Authorization header. DCR mode requires bearer token.',\n          },\n          id: null,\n        });\n    }\n\n    return next();\n  });\n\n  router.use(express.json());\n  router.use(express.urlencoded({ extended: true }));\n\n  /**\n   * OAuth Authorization Server Metadata (RFC 8414)\n   * GET /.well-known/oauth-authorization-server\n   */\n  router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n    const metadata: RFC8414Metadata = {\n      issuer: issuerUrl,\n      authorization_endpoint: `${baseUrl}/oauth/authorize`,\n      token_endpoint: `${baseUrl}/oauth/token`,\n      registration_endpoint: `${baseUrl}/oauth/register`,\n      revocation_endpoint: `${baseUrl}/oauth/revoke`,\n      scopes_supported: scopesSupported,\n      response_types_supported: ['code'],\n      grant_types_supported: ['authorization_code', 'refresh_token'],\n      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n      code_challenge_methods_supported: ['S256', 'plain'],\n      service_documentation: `${baseUrl}/docs`,\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Root)\n   * GET /.well-known/oauth-protected-resource\n   */\n  router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: baseUrl,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n   * GET /.well-known/oauth-protected-resource/mcp\n   */\n  router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: `${baseUrl}/mcp`,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * Dynamic Client Registration (RFC 7591)\n   * POST /oauth/register\n   */\n  router.post('/oauth/register', async (req: Request, res: Response) => {\n    try {\n      const registrationRequest = req.body;\n      const client = await dcrUtils.registerClient(store, registrationRequest);\n      res.status(201).json(client);\n    } catch (error) {\n      res.status(400).json({\n        error: 'invalid_client_metadata',\n        error_description: error instanceof Error ? error.message : 'Invalid registration request',\n      });\n    }\n  });\n\n  /**\n   * OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n   * GET /oauth/authorize\n   *\n   * Initiates Google OAuth flow, then generates DCR authorization code\n   */\n  router.get('/oauth/authorize', async (req: Request, res: Response) => {\n    const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n    if (response_type !== 'code') {\n      return res.status(400).json({\n        error: 'unsupported_response_type',\n        error_description: 'Only response_type=code is supported',\n      });\n    }\n\n    if (!client_id || typeof client_id !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'client_id is required',\n      });\n    }\n\n    if (!redirect_uri || typeof redirect_uri !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'redirect_uri is required',\n      });\n    }\n\n    const client = await dcrUtils.getClient(store, client_id);\n    if (!client) {\n      return res.status(400).json({\n        error: 'invalid_client',\n        error_description: 'Unknown client_id',\n      });\n    }\n\n    const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n    if (!isValidRedirect) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid redirect_uri',\n      });\n    }\n\n    const googleState = randomUUID();\n    const dcrRequestState = {\n      client_id,\n      redirect_uri,\n      scope: typeof scope === 'string' ? scope : '',\n      state: typeof state === 'string' ? state : undefined,\n      code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n      code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await store.set(`dcr:google-state:${googleState}`, dcrRequestState, 600000);\n\n    const googleAuthUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');\n    googleAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n    googleAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n    googleAuthUrl.searchParams.set('response_type', 'code');\n    googleAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n    googleAuthUrl.searchParams.set('state', googleState);\n    googleAuthUrl.searchParams.set('access_type', 'offline');\n    googleAuthUrl.searchParams.set('prompt', 'consent');\n\n    return res.redirect(googleAuthUrl.toString());\n  });\n\n  /**\n   * OAuth Callback Handler\n   * GET /oauth/callback\n   *\n   * Handles OAuth callback from Google, exchanges authorization code for tokens,\n   * and redirects back to client with DCR authorization code.\n   */\n  router.get('/oauth/callback', async (req: Request, res: Response) => {\n    const { code: googleCode, state: googleState, error } = req.query;\n\n    if (error) {\n      return res.status(400).json({\n        error: typeof error === 'string' ? error : 'access_denied',\n        error_description: 'Google OAuth authorization failed',\n      });\n    }\n\n    if (!googleCode || typeof googleCode !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing authorization code from Google',\n      });\n    }\n\n    if (!googleState || typeof googleState !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing state parameter',\n      });\n    }\n\n    const dcrRequestState = await store.get(`dcr:google-state:${googleState}`);\n    if (!dcrRequestState) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid or expired state parameter',\n      });\n    }\n\n    await store.delete(`dcr:google-state:${googleState}`);\n\n    if (Date.now() > dcrRequestState.expires_at) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'DCR request state expired',\n      });\n    }\n\n    const tokenUrl = 'https://oauth2.googleapis.com/token';\n    // Build token params - only include client_secret for confidential clients\n    // Public clients (Desktop apps) should NOT send client_secret at all\n    const tokenParamsObj: Record<string, string> = {\n      code: googleCode,\n      client_id: clientConfig.clientId,\n      redirect_uri: `${baseUrl}/oauth/callback`,\n      grant_type: 'authorization_code',\n    };\n    if (clientConfig.clientSecret) {\n      tokenParamsObj.client_secret = clientConfig.clientSecret;\n    }\n    const tokenParams = new URLSearchParams(tokenParamsObj);\n\n    const tokenResponse = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: tokenParams.toString(),\n    });\n\n    if (!tokenResponse.ok) {\n      const errorText = await tokenResponse.text();\n      return res.status(400).json({\n        error: 'server_error',\n        error_description: `Failed to exchange Google authorization code: ${errorText}`,\n      });\n    }\n\n    const tokenData = (await tokenResponse.json()) as {\n      access_token: string;\n      refresh_token?: string;\n      expires_in: number;\n      scope: string;\n    };\n\n    // Create provider tokens from Google response\n    const providerTokens: ProviderTokens = {\n      accessToken: tokenData.access_token,\n      ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n      expiresAt: Date.now() + tokenData.expires_in * 1000,\n      scope: tokenData.scope,\n    };\n\n    const dcrCode = randomUUID();\n    const authCode: AuthorizationCode = {\n      code: dcrCode,\n      client_id: dcrRequestState.client_id,\n      redirect_uri: dcrRequestState.redirect_uri,\n      scope: dcrRequestState.scope,\n      ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n      ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n      providerTokens,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n    const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n    clientRedirectUrl.searchParams.set('code', dcrCode);\n    if (dcrRequestState.state) {\n      clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n    }\n\n    return res.redirect(clientRedirectUrl.toString());\n  });\n\n  /**\n   * OAuth Token Endpoint (RFC 6749 Section 3.2)\n   * POST /oauth/token\n   */\n  router.post('/oauth/token', async (req: Request, res: Response) => {\n    let client_id = req.body.client_id;\n    let client_secret = req.body.client_secret;\n\n    const authHeader = req.headers.authorization;\n    if (authHeader && authHeader.startsWith('Basic ')) {\n      const base64Credentials = authHeader.substring(6);\n      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n      const [id, secret] = credentials.split(':');\n      client_id = id;\n      client_secret = secret;\n    }\n\n    const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n    if (!grant_type) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'grant_type is required',\n      });\n    }\n\n    if (grant_type === 'authorization_code') {\n      if (!code || !client_id || !redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'code, client_id, and redirect_uri are required',\n        });\n      }\n\n      // Validate client credentials\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const authCode = await dcrUtils.getAuthCode(store, code);\n      if (!authCode) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid or expired authorization code',\n        });\n      }\n\n      if (authCode.client_id !== client_id || authCode.redirect_uri !== redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code mismatch',\n        });\n      }\n\n      if (Date.now() > authCode.expires_at) {\n        await dcrUtils.deleteAuthCode(store, code);\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code expired',\n        });\n      }\n\n      if (authCode.code_challenge) {\n        if (!code_verifier) {\n          return res.status(400).json({\n            error: 'invalid_request',\n            error_description: 'code_verifier is required for PKCE',\n          });\n        }\n\n        const method = authCode.code_challenge_method ?? 'plain';\n        const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n        if (computedChallenge !== authCode.code_challenge) {\n          return res.status(400).json({\n            error: 'invalid_grant',\n            error_description: 'Invalid code_verifier',\n          });\n        }\n      }\n\n      await dcrUtils.deleteAuthCode(store, code);\n\n      const accessToken = randomUUID();\n      const refreshTokenValue = randomUUID();\n\n      const tokenData: AccessToken = {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 3600,\n        refresh_token: refreshTokenValue,\n        scope: authCode.scope,\n        client_id,\n        providerTokens: authCode.providerTokens,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, accessToken, tokenData);\n      await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n      await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n      return res.json({\n        access_token: tokenData.access_token,\n        token_type: tokenData.token_type,\n        expires_in: tokenData.expires_in,\n        refresh_token: tokenData.refresh_token,\n        scope: tokenData.scope,\n      });\n    }\n    if (grant_type === 'refresh_token') {\n      if (!refresh_token || !client_id) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'refresh_token and client_id are required',\n        });\n      }\n\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n      if (!tokenData || tokenData.client_id !== client_id) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid refresh token',\n        });\n      }\n\n      let refreshedProviderTokens = tokenData.providerTokens;\n      if (tokenData.providerTokens.refreshToken) {\n        try {\n          // Create DcrOAuthProvider instance to refresh Google tokens\n          const provider = new DcrOAuthProvider({\n            ...clientConfig,\n            scope: tokenData.scope,\n            verifyEndpoint: `${baseUrl}/oauth/verify`,\n            logger: {\n              info: console.log,\n              error: console.error,\n              warn: console.warn,\n              debug: () => {},\n            },\n          });\n\n          // Refresh the Google access token\n          refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n        } catch (error) {\n          // If refresh fails, continue with existing tokens (they may still be valid)\n          console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n        }\n      }\n\n      const newAccessToken = randomUUID();\n      const newTokenData: AccessToken = {\n        ...tokenData,\n        access_token: newAccessToken,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n      await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n      return res.json({\n        access_token: newTokenData.access_token,\n        token_type: newTokenData.token_type,\n        expires_in: newTokenData.expires_in,\n        scope: newTokenData.scope,\n      });\n    }\n    return res.status(400).json({\n      error: 'unsupported_grant_type',\n      error_description: 'Only authorization_code and refresh_token grants are supported',\n    });\n  });\n\n  /**\n   * OAuth Token Revocation (RFC 7009)\n   * POST /oauth/revoke\n   */\n  router.post('/oauth/revoke', async (req: Request, res: Response) => {\n    const { token, token_type_hint, client_id, client_secret } = req.body;\n\n    if (!token) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'token is required',\n      });\n    }\n\n    if (client_id && client_secret) {\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n    }\n\n    if (token_type_hint === 'refresh_token') {\n      await dcrUtils.deleteRefreshToken(store, token);\n    } else if (token_type_hint === 'access_token') {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    } else {\n      // No hint - try both\n      await dcrUtils.deleteRefreshToken(store, token);\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    }\n\n    return res.status(200).send();\n  });\n\n  /**\n   * Token Verification Endpoint\n   * GET /oauth/verify\n   *\n   * Validates bearer tokens for Resource Server.\n   * Returns AuthInfo with provider tokens for stateless DCR pattern.\n   */\n  router.get('/oauth/verify', async (req: Request, res: Response) => {\n    const authHeader = req.headers.authorization;\n\n    if (!authHeader || !authHeader.startsWith('Bearer ')) {\n      return res.status(401).json({\n        error: 'invalid_request',\n        error_description: 'Missing or invalid Authorization header',\n      });\n    }\n\n    const token = authHeader.substring(7);\n    const tokenData = await dcrUtils.getAccessToken(store, token);\n\n    if (!tokenData) {\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Unknown or expired access token',\n      });\n    }\n\n    const now = Date.now();\n    const expiresAt = tokenData.created_at + tokenData.expires_in * 1000;\n\n    if (now > expiresAt) {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Access token has expired',\n      });\n    }\n\n    const authInfo = {\n      token,\n      clientId: tokenData.client_id,\n      scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n      expiresAt,\n      providerTokens: tokenData.providerTokens,\n    };\n\n    return res.json(authInfo);\n  });\n\n  /**\n   * Debug endpoint to list registered clients (development only)\n   */\n  router.get('/debug/clients', async (_req: Request, res: Response) => {\n    const clients = await dcrUtils.listClients(store);\n    return res.json(clients);\n  });\n\n  return router;\n}\n"],"names":["createDcrRouter","config","router","express","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","req","res","next","authHeader","headers","authorization","Authorization","headerValue","Array","isArray","toLowerCase","startsWith","status","set","json","jsonrpc","error","code","message","id","urlencoded","extended","get","_req","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","registrationRequest","client","body","dcrUtils","registerClient","error_description","Error","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","isValidRedirect","googleState","dcrRequestState","googleAuthUrl","query","getClient","validateRedirectUri","randomUUID","undefined","created_at","Date","now","expires_at","URL","searchParams","clientId","redirect","toString","googleCode","tokenUrl","tokenParamsObj","tokenParams","tokenResponse","errorText","tokenData","providerTokens","dcrCode","authCode","clientRedirectUrl","delete","grant_type","clientSecret","client_secret","URLSearchParams","fetch","method","ok","text","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","setAuthCode","base64Credentials","credentials","secret","code_verifier","isValidClient","computedChallenge","refreshTokenValue","refreshedProviderTokens","provider","newAccessToken","newTokenData","substring","Buffer","from","split","validateClient","getAuthCode","deleteAuthCode","createHash","update","digest","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","DcrOAuthProvider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","authInfo","getAccessToken","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC;;;;+BAwCeA;;;eAAAA;;;sBArCuB;8DAEnB;qBAEa;kEAEP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BnB,SAASA,gBAAgBC,MAAuB;IACrD,IAAMC,SAASC,gBAAO,CAACC,MAAM;IAC7B,IAAQC,QAA6DJ,OAA7DI,OAAOC,YAAsDL,OAAtDK,WAAWC,UAA2CN,OAA3CM,SAASC,kBAAkCP,OAAlCO,iBAAiBC,eAAiBR,OAAjBQ;IAEpDP,OAAOQ,GAAG,CAAC,QAAQ,SAACC,KAAcC,KAAeC;QAC/C,IAAMC,aAAaH,IAAII,OAAO,CAACC,aAAa,IAAIL,IAAII,OAAO,CAACE,aAAa;QACzE,IAAMC,cAAcC,MAAMC,OAAO,CAACN,cAAcA,UAAU,CAAC,EAAE,GAAGA;QAEhE,IAAI,CAACI,eAAe,CAACA,YAAYG,WAAW,GAAGC,UAAU,CAAC,YAAY;YACpE,OAAOV,IACJW,MAAM,CAAC,KACPC,GAAG,CAAC,oBAAoB,AAAC,6BAAoC,OAARjB,SAAQ,2CAC7DkB,IAAI,CAAC;gBACJC,SAAS;gBACTC,OAAO;oBACLC,MAAM,CAAC;oBACPC,SAAS;gBACX;gBACAC,IAAI;YACN;QACJ;QAEA,OAAOjB;IACT;IAEAX,OAAOQ,GAAG,CAACP,gBAAO,CAACsB,IAAI;IACvBvB,OAAOQ,GAAG,CAACP,gBAAO,CAAC4B,UAAU,CAAC;QAAEC,UAAU;IAAK;IAE/C;;;GAGC,GACD9B,OAAO+B,GAAG,CAAC,2CAA2C,SAACC,MAAetB;QACpE,IAAMuB,WAA4B;YAChCC,QAAQ9B;YACR+B,wBAAwB,AAAC,GAAU,OAAR9B,SAAQ;YACnC+B,gBAAgB,AAAC,GAAU,OAAR/B,SAAQ;YAC3BgC,uBAAuB,AAAC,GAAU,OAARhC,SAAQ;YAClCiC,qBAAqB,AAAC,GAAU,OAARjC,SAAQ;YAChCkC,kBAAkBjC;YAClBkC,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,AAAC,GAAU,OAARvC,SAAQ;QACpC;QACAK,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDjC,OAAO+B,GAAG,CAAC,yCAAyC,SAACC,MAAetB;QAClE,IAAMuB,WAA4B;YAChCY,UAAUxC;YACVyC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDjC,OAAO+B,GAAG,CAAC,6CAA6C,SAACC,MAAetB;QACtE,IAAMuB,WAA4B;YAChCY,UAAU,AAAC,GAAU,OAARxC,SAAQ;YACrByC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDjC,OAAOgD,IAAI,CAAC,mBAAmB,SAAOvC,KAAcC;;gBAE1CuC,qBACAC,QAECzB;;;;;;;;;;wBAHDwB,sBAAsBxC,IAAI0C,IAAI;wBACrB;;4BAAMC,YAASC,cAAc,CAAClD,OAAO8C;;;wBAA9CC,SAAS;wBACfxC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC2B;;;;;;wBACdzB;wBACPf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;4BACnBE,OAAO;4BACP6B,mBAAmB7B,AAAK,YAALA,OAAiB8B,SAAQ9B,MAAME,OAAO,GAAG;wBAC9D;;;;;;;;;;;QAEJ;;IAEA;;;;;GAKC,GACD3B,OAAO+B,GAAG,CAAC,oBAAoB,SAAOtB,KAAcC;;gBACgED,YAA1G+C,eAAeC,WAAWC,gCAAcC,yBAAYC,OAAYC,gBAAgBC,uBAuBlFZ,QAQAa,iBAQAC,aACAC,iBAaAC;;;;wBArD4GzD,aAAAA,IAAI0D,KAAK,EAAnHX,gBAA0G/C,WAA1G+C,eAAeC,YAA2FhD,WAA3FgD,WAAWC,eAAgFjD,WAAhFiD,iCAAgFjD,WAAlEkD,OAAAA,sCAAQ,0CAA0DlD,WAAtDmD,OAAAA,sCAAQ,uBAAIC,iBAA0CpD,WAA1CoD,gBAAgBC,wBAA0BrD,WAA1BqD;wBAExF,IAAIN,kBAAkB,QAAQ;4BAC5B;;gCAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACG,aAAa,OAAOA,cAAc,UAAU;4BAC/C;;gCAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACI,gBAAgB,OAAOA,iBAAiB,UAAU;4BACrD;;gCAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEe;;4BAAMF,YAASgB,SAAS,CAACjE,OAAOsD;;;wBAAzCP,SAAS;wBACf,IAAI,CAACA,QAAQ;4BACX;;gCAAOxC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEwB;;4BAAMF,YAASiB,mBAAmB,CAAClE,OAAOsD,WAAWC;;;wBAAvEK,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOrD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEMU,cAAcM,IAAAA,kBAAU;wBACxBL,kBAAkB;4BACtBR,WAAAA;4BACAC,cAAAA;4BACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;4BAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQW;4BAC3CV,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBU;4BACtET,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBS;4BAC3FC,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;wBAC3B;wBAEA;;4BAAMvE,MAAMmB,GAAG,CAAC,AAAC,oBAA+B,OAAZ0C,cAAeC,iBAAiB;;;wBAApE;wBAEMC,gBAAgB,IAAIU,IAAI;wBAC9BV,cAAcW,YAAY,CAACvD,GAAG,CAAC,aAAaf,aAAauE,QAAQ;wBACjEZ,cAAcW,YAAY,CAACvD,GAAG,CAAC,gBAAgB,AAAC,GAAU,OAARjB,SAAQ;wBAC1D6D,cAAcW,YAAY,CAACvD,GAAG,CAAC,iBAAiB;wBAChD4C,cAAcW,YAAY,CAACvD,GAAG,CAAC,SAAS,OAAOqC,UAAU,WAAWA,QAAQ;wBAC5EO,cAAcW,YAAY,CAACvD,GAAG,CAAC,SAAS0C;wBACxCE,cAAcW,YAAY,CAACvD,GAAG,CAAC,eAAe;wBAC9C4C,cAAcW,YAAY,CAACvD,GAAG,CAAC,UAAU;wBAEzC;;4BAAOZ,IAAIqE,QAAQ,CAACb,cAAcc,QAAQ;;;;QAC5C;;IAEA;;;;;;GAMC,GACDhF,OAAO+B,GAAG,CAAC,mBAAmB,SAAOtB,KAAcC;;gBACOD,YAA1CwE,YAAmBjB,aAAavC,OAuBxCwC,iBAiBAiB,UAGAC,gBASAC,aAEAC,eAOEC,WAOFC,WAQAC,gBAOAC,SACAC,UAcAC;;;;wBAlGkDlF,aAAAA,IAAI0D,KAAK,EAAnDc,aAA0CxE,WAAhDiB,MAAyBsC,cAAuBvD,WAA9BmD,OAAoBnC,QAAUhB,WAAVgB;wBAE9C,IAAIA,OAAO;4BACT;;gCAAOf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO,OAAOA,UAAU,WAAWA,QAAQ;oCAC3C6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAAC2B,cAAc,OAAOA,eAAe,UAAU;4BACjD;;gCAAOvE,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACU,eAAe,OAAOA,gBAAgB,UAAU;4BACnD;;gCAAOtD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEwB;;4BAAMnD,MAAM4B,GAAG,CAAC,AAAC,oBAA+B,OAAZiC;;;wBAAtDC,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOvD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA;;4BAAMnD,MAAMyF,MAAM,CAAC,AAAC,oBAA+B,OAAZ5B;;;wBAAvC;wBAEA,IAAIS,KAAKC,GAAG,KAAKT,gBAAgBU,UAAU,EAAE;4BAC3C;;gCAAOjE,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEM4B,WAAW;wBACjB,2EAA2E;wBAC3E,qEAAqE;wBAC/DC,iBAAyC;4BAC7CzD,MAAMuD;4BACNxB,WAAWlD,aAAauE,QAAQ;4BAChCpB,cAAc,AAAC,GAAU,OAARrD,SAAQ;4BACzBwF,YAAY;wBACd;wBACA,IAAItF,aAAauF,YAAY,EAAE;4BAC7BX,eAAeY,aAAa,GAAGxF,aAAauF,YAAY;wBAC1D;wBACMV,cAAc,IAAIY,gBAAgBb;wBAElB;;4BAAMc,MAAMf,UAAU;gCAC1CgB,QAAQ;gCACRrF,SAAS;oCAAE,gBAAgB;gCAAoC;gCAC/DsC,MAAMiC,YAAYJ,QAAQ;4BAC5B;;;wBAJMK,gBAAgB;6BAMlB,CAACA,cAAcc,EAAE,EAAjB;;;;wBACgB;;4BAAMd,cAAce,IAAI;;;wBAApCd,YAAY;wBAClB;;4BAAO5E,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB,AAAC,iDAA0D,OAAVgC;4BACtE;;;wBAGiB;;4BAAMD,cAAc9D,IAAI;;;wBAArCgE,YAAa;wBAOnB,8CAA8C;wBACxCC,iBAAiC;4BACrCa,aAAad,UAAUe,YAAY;2BAC/Bf,UAAUgB,aAAa,IAAI;4BAAEC,cAAcjB,UAAUgB,aAAa;wBAAC;4BACvEE,WAAWhC,KAAKC,GAAG,KAAKa,UAAUmB,UAAU,GAAG;4BAC/C/C,OAAO4B,UAAU5B,KAAK;;wBAGlB8B,UAAUnB,IAAAA,kBAAU;wBACpBoB,WAA8B;4BAClChE,MAAM+D;4BACNhC,WAAWQ,gBAAgBR,SAAS;4BACpCC,cAAcO,gBAAgBP,YAAY;4BAC1CC,OAAOM,gBAAgBN,KAAK;2BACxBM,gBAAgBJ,cAAc,IAAI;4BAAEA,gBAAgBI,gBAAgBJ,cAAc;wBAAC,GACnFI,gBAAgBH,qBAAqB,IAAI;4BAAEA,uBAAuBG,gBAAgBH,qBAAqB;wBAAC;4BAC5G0B,gBAAAA;4BACAhB,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;;wBAG3B;;4BAAMtB,YAASuD,WAAW,CAACxG,OAAOsF,SAASC;;;wBAA3C;wBAEMC,oBAAoB,IAAIf,IAAIX,gBAAgBP,YAAY;wBAC9DiC,kBAAkBd,YAAY,CAACvD,GAAG,CAAC,QAAQmE;wBAC3C,IAAIxB,gBAAgBL,KAAK,EAAE;4BACzB+B,kBAAkBd,YAAY,CAACvD,GAAG,CAAC,SAAS2C,gBAAgBL,KAAK;wBACnE;wBAEA;;4BAAOlD,IAAIqE,QAAQ,CAACY,kBAAkBX,QAAQ;;;;QAChD;;IAEA;;;GAGC,GACDhF,OAAOgD,IAAI,CAAC,gBAAgB,SAAOvC,KAAcC;;gBAC3C+C,WACAsC,eAEEnF,YAEEgG,mBACAC,aACeA,oBAAdjF,IAAIkF,QAK4DrG,WAAjEoF,YAAYnE,MAAMgC,cAAc6C,eAAeQ,eAkB/CC,eAQAtB,UA+BWA,iCAATQ,QACAe,mBAYFZ,aACAa,mBAEA3B,WA+BAyB,gBAQAzB,YAQF4B,yBAIMC,UAcC3F,OAML4F,gBACAC;;;;wBA7JJ7D,YAAYhD,IAAI0C,IAAI,CAACM,SAAS;wBAC9BsC,gBAAgBtF,IAAI0C,IAAI,CAAC4C,aAAa;wBAEpCnF,aAAaH,IAAII,OAAO,CAACC,aAAa;wBAC5C,IAAIF,cAAcA,WAAWQ,UAAU,CAAC,WAAW;4BAC3CwF,oBAAoBhG,WAAW2G,SAAS,CAAC;4BACzCV,cAAcW,OAAOC,IAAI,CAACb,mBAAmB,UAAU5B,QAAQ,CAAC;4BACjD6B,sCAAAA,YAAYa,KAAK,CAAC,UAAhC9F,KAAciF,uBAAVC,SAAUD;4BACrBpD,YAAY7B;4BACZmE,gBAAgBe;wBAClB;wBAEyErG,YAAAA,IAAI0C,IAAI,EAAzE0C,aAAiEpF,UAAjEoF,YAAYnE,OAAqDjB,UAArDiB,MAAMgC,eAA+CjD,UAA/CiD,cAAc6C,gBAAiC9F,UAAjC8F,eAAeQ,gBAAkBtG,UAAlBsG;wBAEvD,IAAI,CAAClB,YAAY;4BACf;;gCAAOnF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;6BAEIuC,CAAAA,eAAe,oBAAmB,GAAlCA;;;;wBACF,IAAI,CAACnE,QAAQ,CAAC+B,aAAa,CAACC,cAAc;4BACxC;;gCAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMF,YAASuE,cAAc,CAACxH,OAAOsD,WAAWsC,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFiB,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOtG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEiB;;4BAAMF,YAASwE,WAAW,CAACzH,OAAOuB;;;wBAA7CgE,WAAW;wBACjB,IAAI,CAACA,UAAU;4BACb;;gCAAOhF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAIoC,SAASjC,SAAS,KAAKA,aAAaiC,SAAShC,YAAY,KAAKA,cAAc;4BAC9E;;gCAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;6BAEImB,CAAAA,KAAKC,GAAG,KAAKgB,SAASf,UAAU,AAAD,GAA/BF;;;;wBACF;;4BAAMrB,YAASyE,cAAc,CAAC1H,OAAOuB;;;wBAArC;wBACA;;4BAAOhB,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB;4BACrB;;;wBAGF,IAAIoC,SAAS7B,cAAc,EAAE;;4BAC3B,IAAI,CAACkD,eAAe;gCAClB;;oCAAOrG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wCAC1BE,OAAO;wCACP6B,mBAAmB;oCACrB;;4BACF;4BAEM4C,UAASR,kCAAAA,SAAS5B,qBAAqB,cAA9B4B,6CAAAA,kCAAkC;4BAC3CuB,oBAAoBf,WAAW,SAAS4B,IAAAA,kBAAU,EAAC,UAAUC,MAAM,CAAChB,eAAeiB,MAAM,CAAC,eAAejB;4BAE/G,IAAIE,sBAAsBvB,SAAS7B,cAAc,EAAE;gCACjD;;oCAAOnD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wCAC1BE,OAAO;wCACP6B,mBAAmB;oCACrB;;4BACF;wBACF;wBAEA;;4BAAMF,YAASyE,cAAc,CAAC1H,OAAOuB;;;wBAArC;wBAEM2E,cAAc/B,IAAAA,kBAAU;wBACxB4C,oBAAoB5C,IAAAA,kBAAU;wBAE9BiB,YAAyB;4BAC7Be,cAAcD;4BACd4B,YAAY;4BACZvB,YAAY;4BACZH,eAAeW;4BACfvD,OAAO+B,SAAS/B,KAAK;4BACrBF,WAAAA;4BACA+B,gBAAgBE,SAASF,cAAc;4BACvChB,YAAYC,KAAKC,GAAG;wBACtB;wBAEA;;4BAAMtB,YAAS8E,cAAc,CAAC/H,OAAOkG,aAAad;;;wBAAlD;wBACA;;4BAAMnC,YAAS+E,eAAe,CAAChI,OAAO+G,mBAAmB3B;;;wBAAzD;wBACA;;4BAAMnC,YAASgF,iBAAiB,CAACjI,OAAOkG,aAAaX,SAASF,cAAc;;;wBAA5E;wBAEA;;4BAAO9E,IAAIa,IAAI,CAAC;gCACd+E,cAAcf,UAAUe,YAAY;gCACpC2B,YAAY1C,UAAU0C,UAAU;gCAChCvB,YAAYnB,UAAUmB,UAAU;gCAChCH,eAAehB,UAAUgB,aAAa;gCACtC5C,OAAO4B,UAAU5B,KAAK;4BACxB;;;6BAEEkC,CAAAA,eAAe,eAAc,GAA7BA;;;;wBACF,IAAI,CAACU,iBAAiB,CAAC9C,WAAW;4BAChC;;gCAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEsB;;4BAAMF,YAASuE,cAAc,CAACxH,OAAOsD,WAAWsC,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFiB,iBAAgB;wBACtB,IAAI,CAACA,gBAAe;4BAClB;;gCAAOtG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEkB;;4BAAMF,YAASiF,eAAe,CAAClI,OAAOoG;;;wBAAlDhB,aAAY;wBAClB,IAAI,CAACA,cAAaA,WAAU9B,SAAS,KAAKA,WAAW;4BACnD;;gCAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEI6D,0BAA0B5B,WAAUC,cAAc;6BAClDD,WAAUC,cAAc,CAACgB,YAAY,EAArCjB;;;;;;;;;;;;wBAEA,4DAA4D;wBACtD6B,WAAW,IAAIkB,uBAAgB,CAAC,wCACjC/H;4BACHoD,OAAO4B,WAAU5B,KAAK;4BACtB4E,gBAAgB,AAAC,GAAU,OAARlI,SAAQ;4BAC3BmI,QAAQ;gCACNC,MAAMC,QAAQC,GAAG;gCACjBlH,OAAOiH,QAAQjH,KAAK;gCACpBmH,MAAMF,QAAQE,IAAI;gCAClBC,OAAO,YAAO;4BAChB;;wBAIwB;;4BAAMzB,SAAS0B,kBAAkB,CAACvD,WAAUC,cAAc,CAACgB,YAAY;;;wBADjG,kCAAkC;wBAClCW,0BAA0B;;;;;;wBACnB1F;wBACP,4EAA4E;wBAC5EiH,QAAQE,IAAI,CAAC,yDAAyDnH,AAAK,YAALA,OAAiB8B,SAAQ9B,MAAME,OAAO,GAAGoH,OAAOtH;;;;;;wBAIpH4F,iBAAiB/C,IAAAA,kBAAU;wBAC3BgD,eAA4B,wCAC7B/B;4BACHe,cAAce;4BACd7C,YAAYC,KAAKC,GAAG;;wBAGtB;;4BAAMtB,YAAS8E,cAAc,CAAC/H,OAAOkH,gBAAgBC;;;wBAArD;wBACA;;4BAAMlE,YAASgF,iBAAiB,CAACjI,OAAOkH,gBAAgBF;;;wBAAxD;wBAEA;;4BAAOzG,IAAIa,IAAI,CAAC;gCACd+E,cAAcgB,aAAahB,YAAY;gCACvC2B,YAAYX,aAAaW,UAAU;gCACnCvB,YAAYY,aAAaZ,UAAU;gCACnC/C,OAAO2D,aAAa3D,KAAK;4BAC3B;;;wBAEF;;4BAAOjD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB;4BACrB;;;;QACF;;IAEA;;;GAGC,GACDtD,OAAOgD,IAAI,CAAC,iBAAiB,SAAOvC,KAAcC;;gBACaD,WAArDuI,OAAOC,iBAAiBxF,WAAWsC,eAUnCiB;;;;wBAVqDvG,YAAAA,IAAI0C,IAAI,EAA7D6F,QAAqDvI,UAArDuI,OAAOC,kBAA8CxI,UAA9CwI,iBAAiBxF,YAA6BhD,UAA7BgD,WAAWsC,gBAAkBtF,UAAlBsF;wBAE3C,IAAI,CAACiD,OAAO;4BACV;;gCAAOtI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;6BAEIG,CAAAA,aAAasC,aAAY,GAAzBtC;;;;wBACoB;;4BAAML,YAASuE,cAAc,CAACxH,OAAOsD,WAAWsC;;;wBAAhEiB,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOtG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;;;6BAGE2F,CAAAA,oBAAoB,eAAc,GAAlCA;;;;wBACF;;4BAAM7F,YAAS8F,kBAAkB,CAAC/I,OAAO6I;;;wBAAzC;;;;;;6BACSC,CAAAA,oBAAoB,cAAa,GAAjCA;;;;wBACT;;4BAAM7F,YAAS+F,iBAAiB,CAAChJ,OAAO6I;;;wBAAxC;wBACA;;4BAAM5F,YAASgG,oBAAoB,CAACjJ,OAAO6I;;;wBAA3C;;;;;;wBAEA,qBAAqB;wBACrB;;4BAAM5F,YAAS8F,kBAAkB,CAAC/I,OAAO6I;;;wBAAzC;wBACA;;4BAAM5F,YAAS+F,iBAAiB,CAAChJ,OAAO6I;;;wBAAxC;wBACA;;4BAAM5F,YAASgG,oBAAoB,CAACjJ,OAAO6I;;;wBAA3C;;;wBAGF;;4BAAOtI,IAAIW,MAAM,CAAC,KAAKgI,IAAI;;;;QAC7B;;IAEA;;;;;;GAMC,GACDrJ,OAAO+B,GAAG,CAAC,iBAAiB,SAAOtB,KAAcC;;gBACzCE,YASAoI,OACAzD,WASAb,KACA+B,WAWA6C;;;;wBA/BA1I,aAAaH,IAAII,OAAO,CAACC,aAAa;wBAE5C,IAAI,CAACF,cAAc,CAACA,WAAWQ,UAAU,CAAC,YAAY;4BACpD;;gCAAOV,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEM0F,QAAQpI,WAAW2G,SAAS,CAAC;wBACjB;;4BAAMnE,YAASmG,cAAc,CAACpJ,OAAO6I;;;wBAAjDzD,YAAY;wBAElB,IAAI,CAACA,WAAW;4BACd;;gCAAO7E,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEMoB,MAAMD,KAAKC,GAAG;wBACd+B,YAAYlB,UAAUf,UAAU,GAAGe,UAAUmB,UAAU,GAAG;6BAE5DhC,CAAAA,MAAM+B,SAAQ,GAAd/B;;;;wBACF;;4BAAMtB,YAAS+F,iBAAiB,CAAChJ,OAAO6I;;;wBAAxC;wBACA;;4BAAM5F,YAASgG,oBAAoB,CAACjJ,OAAO6I;;;wBAA3C;wBACA;;4BAAOtI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB;4BACrB;;;wBAGIgG,WAAW;4BACfN,OAAAA;4BACAlE,UAAUS,UAAU9B,SAAS;4BAC7B+F,QAAQjE,UAAU5B,KAAK,GAAG4B,UAAU5B,KAAK,CAAC+D,KAAK,CAAC;4BAChDjB,WAAAA;4BACAjB,gBAAgBD,UAAUC,cAAc;wBAC1C;wBAEA;;4BAAO9E,IAAIa,IAAI,CAAC+H;;;;QAClB;;IAEA;;GAEC,GACDtJ,OAAO+B,GAAG,CAAC,kBAAkB,SAAOC,MAAetB;;gBAC3C+I;;;;wBAAU;;4BAAMrG,YAASsG,WAAW,CAACvJ;;;wBAArCsJ,UAAU;wBAChB;;4BAAO/I,IAAIa,IAAI,CAACkI;;;;QAClB;;IAEA,OAAOzJ;AACT"}

package/dist/esm/lib/dcr-router.js

@@ -28,6 +28,21 @@ import * as dcrUtils from './dcr-utils.js';
  */ export function createDcrRouter(config) {
     const router = express.Router();
     const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;
+    router.use('/mcp', (req, res, next)=>{
+        const authHeader = req.headers.authorization || req.headers.Authorization;
+        const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+        if (!headerValue || !headerValue.toLowerCase().startsWith('bearer ')) {
+            return res.status(401).set('WWW-Authenticate', `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32600,
+                    message: 'Missing Authorization header. DCR mode requires bearer token.'
+                },
+                id: null
+            });
+        }
+        return next();
+    });
     router.use(express.json());
     router.use(express.urlencoded({
         extended: true

package/dist/esm/lib/dcr-router.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-google/src/lib/dcr-router.ts"],"sourcesContent":["/**\n * DCR Router - OAuth 2.0 Authorization Server\n *\n * Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n *\n * Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n */\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport * as dcrUtils from './dcr-utils.ts';\n\n/**\n * Configuration for DCR Router (self-hosted mode only)\n */\nexport interface DcrRouterConfig {\n  /** Single Keyv store for all DCR data */\n  store: Keyv;\n\n  /** Authorization Server issuer URL */\n  issuerUrl: string;\n\n  /** Base URL for OAuth endpoints */\n  baseUrl: string;\n\n  /** Supported OAuth scopes */\n  scopesSupported: string[];\n\n  /** OAuth client configuration for upstream provider */\n  clientConfig: OAuthClientConfig;\n}\n\n/**\n * Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n *\n * For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n *\n * @param config - Router configuration\n * @returns Express router with OAuth endpoints\n */\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n  const router = express.Router();\n  const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n  router.use(express.json());\n  router.use(express.urlencoded({ extended: true }));\n\n  /**\n   * OAuth Authorization Server Metadata (RFC 8414)\n   * GET /.well-known/oauth-authorization-server\n   */\n  router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n    const metadata: RFC8414Metadata = {\n      issuer: issuerUrl,\n      authorization_endpoint: `${baseUrl}/oauth/authorize`,\n      token_endpoint: `${baseUrl}/oauth/token`,\n      registration_endpoint: `${baseUrl}/oauth/register`,\n      revocation_endpoint: `${baseUrl}/oauth/revoke`,\n      scopes_supported: scopesSupported,\n      response_types_supported: ['code'],\n      grant_types_supported: ['authorization_code', 'refresh_token'],\n      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n      code_challenge_methods_supported: ['S256', 'plain'],\n      service_documentation: `${baseUrl}/docs`,\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Root)\n   * GET /.well-known/oauth-protected-resource\n   */\n  router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: baseUrl,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n   * GET /.well-known/oauth-protected-resource/mcp\n   */\n  router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: `${baseUrl}/mcp`,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * Dynamic Client Registration (RFC 7591)\n   * POST /oauth/register\n   */\n  router.post('/oauth/register', async (req: Request, res: Response) => {\n    try {\n      const registrationRequest = req.body;\n      const client = await dcrUtils.registerClient(store, registrationRequest);\n      res.status(201).json(client);\n    } catch (error) {\n      res.status(400).json({\n        error: 'invalid_client_metadata',\n        error_description: error instanceof Error ? error.message : 'Invalid registration request',\n      });\n    }\n  });\n\n  /**\n   * OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n   * GET /oauth/authorize\n   *\n   * Initiates Google OAuth flow, then generates DCR authorization code\n   */\n  router.get('/oauth/authorize', async (req: Request, res: Response) => {\n    const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n    if (response_type !== 'code') {\n      return res.status(400).json({\n        error: 'unsupported_response_type',\n        error_description: 'Only response_type=code is supported',\n      });\n    }\n\n    if (!client_id || typeof client_id !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'client_id is required',\n      });\n    }\n\n    if (!redirect_uri || typeof redirect_uri !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'redirect_uri is required',\n      });\n    }\n\n    const client = await dcrUtils.getClient(store, client_id);\n    if (!client) {\n      return res.status(400).json({\n        error: 'invalid_client',\n        error_description: 'Unknown client_id',\n      });\n    }\n\n    const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n    if (!isValidRedirect) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid redirect_uri',\n      });\n    }\n\n    const googleState = randomUUID();\n    const dcrRequestState = {\n      client_id,\n      redirect_uri,\n      scope: typeof scope === 'string' ? scope : '',\n      state: typeof state === 'string' ? state : undefined,\n      code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n      code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await store.set(`dcr:google-state:${googleState}`, dcrRequestState, 600000);\n\n    const googleAuthUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');\n    googleAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n    googleAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n    googleAuthUrl.searchParams.set('response_type', 'code');\n    googleAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n    googleAuthUrl.searchParams.set('state', googleState);\n    googleAuthUrl.searchParams.set('access_type', 'offline');\n    googleAuthUrl.searchParams.set('prompt', 'consent');\n\n    return res.redirect(googleAuthUrl.toString());\n  });\n\n  /**\n   * OAuth Callback Handler\n   * GET /oauth/callback\n   *\n   * Handles OAuth callback from Google, exchanges authorization code for tokens,\n   * and redirects back to client with DCR authorization code.\n   */\n  router.get('/oauth/callback', async (req: Request, res: Response) => {\n    const { code: googleCode, state: googleState, error } = req.query;\n\n    if (error) {\n      return res.status(400).json({\n        error: typeof error === 'string' ? error : 'access_denied',\n        error_description: 'Google OAuth authorization failed',\n      });\n    }\n\n    if (!googleCode || typeof googleCode !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing authorization code from Google',\n      });\n    }\n\n    if (!googleState || typeof googleState !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing state parameter',\n      });\n    }\n\n    const dcrRequestState = await store.get(`dcr:google-state:${googleState}`);\n    if (!dcrRequestState) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid or expired state parameter',\n      });\n    }\n\n    await store.delete(`dcr:google-state:${googleState}`);\n\n    if (Date.now() > dcrRequestState.expires_at) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'DCR request state expired',\n      });\n    }\n\n    const tokenUrl = 'https://oauth2.googleapis.com/token';\n    // Build token params - only include client_secret for confidential clients\n    // Public clients (Desktop apps) should NOT send client_secret at all\n    const tokenParamsObj: Record<string, string> = {\n      code: googleCode,\n      client_id: clientConfig.clientId,\n      redirect_uri: `${baseUrl}/oauth/callback`,\n      grant_type: 'authorization_code',\n    };\n    if (clientConfig.clientSecret) {\n      tokenParamsObj.client_secret = clientConfig.clientSecret;\n    }\n    const tokenParams = new URLSearchParams(tokenParamsObj);\n\n    const tokenResponse = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: tokenParams.toString(),\n    });\n\n    if (!tokenResponse.ok) {\n      const errorText = await tokenResponse.text();\n      return res.status(400).json({\n        error: 'server_error',\n        error_description: `Failed to exchange Google authorization code: ${errorText}`,\n      });\n    }\n\n    const tokenData = (await tokenResponse.json()) as {\n      access_token: string;\n      refresh_token?: string;\n      expires_in: number;\n      scope: string;\n    };\n\n    // Create provider tokens from Google response\n    const providerTokens: ProviderTokens = {\n      accessToken: tokenData.access_token,\n      ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n      expiresAt: Date.now() + tokenData.expires_in * 1000,\n      scope: tokenData.scope,\n    };\n\n    const dcrCode = randomUUID();\n    const authCode: AuthorizationCode = {\n      code: dcrCode,\n      client_id: dcrRequestState.client_id,\n      redirect_uri: dcrRequestState.redirect_uri,\n      scope: dcrRequestState.scope,\n      ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n      ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n      providerTokens,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n    const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n    clientRedirectUrl.searchParams.set('code', dcrCode);\n    if (dcrRequestState.state) {\n      clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n    }\n\n    return res.redirect(clientRedirectUrl.toString());\n  });\n\n  /**\n   * OAuth Token Endpoint (RFC 6749 Section 3.2)\n   * POST /oauth/token\n   */\n  router.post('/oauth/token', async (req: Request, res: Response) => {\n    let client_id = req.body.client_id;\n    let client_secret = req.body.client_secret;\n\n    const authHeader = req.headers.authorization;\n    if (authHeader && authHeader.startsWith('Basic ')) {\n      const base64Credentials = authHeader.substring(6);\n      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n      const [id, secret] = credentials.split(':');\n      client_id = id;\n      client_secret = secret;\n    }\n\n    const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n    if (!grant_type) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'grant_type is required',\n      });\n    }\n\n    if (grant_type === 'authorization_code') {\n      if (!code || !client_id || !redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'code, client_id, and redirect_uri are required',\n        });\n      }\n\n      // Validate client credentials\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const authCode = await dcrUtils.getAuthCode(store, code);\n      if (!authCode) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid or expired authorization code',\n        });\n      }\n\n      if (authCode.client_id !== client_id || authCode.redirect_uri !== redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code mismatch',\n        });\n      }\n\n      if (Date.now() > authCode.expires_at) {\n        await dcrUtils.deleteAuthCode(store, code);\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code expired',\n        });\n      }\n\n      if (authCode.code_challenge) {\n        if (!code_verifier) {\n          return res.status(400).json({\n            error: 'invalid_request',\n            error_description: 'code_verifier is required for PKCE',\n          });\n        }\n\n        const method = authCode.code_challenge_method ?? 'plain';\n        const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n        if (computedChallenge !== authCode.code_challenge) {\n          return res.status(400).json({\n            error: 'invalid_grant',\n            error_description: 'Invalid code_verifier',\n          });\n        }\n      }\n\n      await dcrUtils.deleteAuthCode(store, code);\n\n      const accessToken = randomUUID();\n      const refreshTokenValue = randomUUID();\n\n      const tokenData: AccessToken = {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 3600,\n        refresh_token: refreshTokenValue,\n        scope: authCode.scope,\n        client_id,\n        providerTokens: authCode.providerTokens,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, accessToken, tokenData);\n      await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n      await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n      return res.json({\n        access_token: tokenData.access_token,\n        token_type: tokenData.token_type,\n        expires_in: tokenData.expires_in,\n        refresh_token: tokenData.refresh_token,\n        scope: tokenData.scope,\n      });\n    }\n    if (grant_type === 'refresh_token') {\n      if (!refresh_token || !client_id) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'refresh_token and client_id are required',\n        });\n      }\n\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n      if (!tokenData || tokenData.client_id !== client_id) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid refresh token',\n        });\n      }\n\n      let refreshedProviderTokens = tokenData.providerTokens;\n      if (tokenData.providerTokens.refreshToken) {\n        try {\n          // Create DcrOAuthProvider instance to refresh Google tokens\n          const provider = new DcrOAuthProvider({\n            ...clientConfig,\n            scope: tokenData.scope,\n            verifyEndpoint: `${baseUrl}/oauth/verify`,\n            logger: {\n              info: console.log,\n              error: console.error,\n              warn: console.warn,\n              debug: () => {},\n            },\n          });\n\n          // Refresh the Google access token\n          refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n        } catch (error) {\n          // If refresh fails, continue with existing tokens (they may still be valid)\n          console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n        }\n      }\n\n      const newAccessToken = randomUUID();\n      const newTokenData: AccessToken = {\n        ...tokenData,\n        access_token: newAccessToken,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n      await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n      return res.json({\n        access_token: newTokenData.access_token,\n        token_type: newTokenData.token_type,\n        expires_in: newTokenData.expires_in,\n        scope: newTokenData.scope,\n      });\n    }\n    return res.status(400).json({\n      error: 'unsupported_grant_type',\n      error_description: 'Only authorization_code and refresh_token grants are supported',\n    });\n  });\n\n  /**\n   * OAuth Token Revocation (RFC 7009)\n   * POST /oauth/revoke\n   */\n  router.post('/oauth/revoke', async (req: Request, res: Response) => {\n    const { token, token_type_hint, client_id, client_secret } = req.body;\n\n    if (!token) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'token is required',\n      });\n    }\n\n    if (client_id && client_secret) {\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n    }\n\n    if (token_type_hint === 'refresh_token') {\n      await dcrUtils.deleteRefreshToken(store, token);\n    } else if (token_type_hint === 'access_token') {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    } else {\n      // No hint - try both\n      await dcrUtils.deleteRefreshToken(store, token);\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    }\n\n    return res.status(200).send();\n  });\n\n  /**\n   * Token Verification Endpoint\n   * GET /oauth/verify\n   *\n   * Validates bearer tokens for Resource Server.\n   * Returns AuthInfo with provider tokens for stateless DCR pattern.\n   */\n  router.get('/oauth/verify', async (req: Request, res: Response) => {\n    const authHeader = req.headers.authorization;\n\n    if (!authHeader || !authHeader.startsWith('Bearer ')) {\n      return res.status(401).json({\n        error: 'invalid_request',\n        error_description: 'Missing or invalid Authorization header',\n      });\n    }\n\n    const token = authHeader.substring(7);\n    const tokenData = await dcrUtils.getAccessToken(store, token);\n\n    if (!tokenData) {\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Unknown or expired access token',\n      });\n    }\n\n    const now = Date.now();\n    const expiresAt = tokenData.created_at + tokenData.expires_in * 1000;\n\n    if (now > expiresAt) {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Access token has expired',\n      });\n    }\n\n    const authInfo = {\n      token,\n      clientId: tokenData.client_id,\n      scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n      expiresAt,\n      providerTokens: tokenData.providerTokens,\n    };\n\n    return res.json(authInfo);\n  });\n\n  /**\n   * Debug endpoint to list registered clients (development only)\n   */\n  router.get('/debug/clients', async (_req: Request, res: Response) => {\n    const clients = await dcrUtils.listClients(store);\n    return res.json(clients);\n  });\n\n  return router;\n}\n"],"names":["createHash","randomUUID","express","DcrOAuthProvider","dcrUtils","createDcrRouter","config","router","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","json","urlencoded","extended","get","_req","res","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","req","registrationRequest","body","client","registerClient","status","error","error_description","Error","message","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","query","getClient","isValidRedirect","validateRedirectUri","googleState","dcrRequestState","undefined","created_at","Date","now","expires_at","set","googleAuthUrl","URL","searchParams","clientId","redirect","toString","code","googleCode","delete","tokenUrl","tokenParamsObj","grant_type","clientSecret","client_secret","tokenParams","URLSearchParams","tokenResponse","fetch","method","headers","ok","errorText","text","tokenData","providerTokens","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","dcrCode","authCode","setAuthCode","clientRedirectUrl","authHeader","authorization","startsWith","base64Credentials","substring","credentials","Buffer","from","id","secret","split","code_verifier","isValidClient","validateClient","getAuthCode","deleteAuthCode","computedChallenge","update","digest","refreshTokenValue","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","refreshedProviderTokens","provider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","newAccessToken","newTokenData","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","getAccessToken","authInfo","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC,GAGD,SAASA,UAAU,EAAEC,UAAU,QAAQ,SAAS;AAEhD,OAAOC,aAAa,UAAU;AAE9B,SAASC,gBAAgB,QAAQ,sBAAsB;AAEvD,YAAYC,cAAc,iBAAiB;AAsB3C;;;;;;;;CAQC,GACD,OAAO,SAASC,gBAAgBC,MAAuB;IACrD,MAAMC,SAASL,QAAQM,MAAM;IAC7B,MAAM,EAAEC,KAAK,EAAEC,SAAS,EAAEC,OAAO,EAAEC,eAAe,EAAEC,YAAY,EAAE,GAAGP;IAErEC,OAAOO,GAAG,CAACZ,QAAQa,IAAI;IACvBR,OAAOO,GAAG,CAACZ,QAAQc,UAAU,CAAC;QAAEC,UAAU;IAAK;IAE/C;;;GAGC,GACDV,OAAOW,GAAG,CAAC,2CAA2C,CAACC,MAAeC;QACpE,MAAMC,WAA4B;YAChCC,QAAQZ;YACRa,wBAAwB,GAAGZ,QAAQ,gBAAgB,CAAC;YACpDa,gBAAgB,GAAGb,QAAQ,YAAY,CAAC;YACxCc,uBAAuB,GAAGd,QAAQ,eAAe,CAAC;YAClDe,qBAAqB,GAAGf,QAAQ,aAAa,CAAC;YAC9CgB,kBAAkBf;YAClBgB,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,GAAGrB,QAAQ,KAAK,CAAC;QAC1C;QACAS,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDd,OAAOW,GAAG,CAAC,yCAAyC,CAACC,MAAeC;QAClE,MAAMC,WAA4B;YAChCY,UAAUtB;YACVuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDd,OAAOW,GAAG,CAAC,6CAA6C,CAACC,MAAeC;QACtE,MAAMC,WAA4B;YAChCY,UAAU,GAAGtB,QAAQ,IAAI,CAAC;YAC1BuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDd,OAAO6B,IAAI,CAAC,mBAAmB,OAAOC,KAAcjB;QAClD,IAAI;YACF,MAAMkB,sBAAsBD,IAAIE,IAAI;YACpC,MAAMC,SAAS,MAAMpC,SAASqC,cAAc,CAAChC,OAAO6B;YACpDlB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAACyB;QACvB,EAAE,OAAOG,OAAO;YACdvB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBACnB4B,OAAO;gBACPC,mBAAmBD,iBAAiBE,QAAQF,MAAMG,OAAO,GAAG;YAC9D;QACF;IACF;IAEA;;;;;GAKC,GACDvC,OAAOW,GAAG,CAAC,oBAAoB,OAAOmB,KAAcjB;QAClD,MAAM,EAAE2B,aAAa,EAAEC,SAAS,EAAEC,YAAY,EAAEC,QAAQ,EAAE,EAAEC,QAAQ,EAAE,EAAEC,cAAc,EAAEC,qBAAqB,EAAE,GAAGhB,IAAIiB,KAAK;QAE3H,IAAIP,kBAAkB,QAAQ;YAC5B,OAAO3B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACI,aAAa,OAAOA,cAAc,UAAU;YAC/C,OAAO5B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACK,gBAAgB,OAAOA,iBAAiB,UAAU;YACrD,OAAO7B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMJ,SAAS,MAAMpC,SAASmD,SAAS,CAAC9C,OAAOuC;QAC/C,IAAI,CAACR,QAAQ;YACX,OAAOpB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMY,kBAAkB,MAAMpD,SAASqD,mBAAmB,CAAChD,OAAOuC,WAAWC;QAC7E,IAAI,CAACO,iBAAiB;YACpB,OAAOpC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMc,cAAczD;QACpB,MAAM0D,kBAAkB;YACtBX;YACAC;YACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;YAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQS;YAC3CR,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBQ;YACtEP,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBO;YAC3FC,YAAYC,KAAKC,GAAG;YACpBC,YAAYF,KAAKC,GAAG,KAAK;QAC3B;QAEA,MAAMtD,MAAMwD,GAAG,CAAC,CAAC,iBAAiB,EAAEP,aAAa,EAAEC,iBAAiB;QAEpE,MAAMO,gBAAgB,IAAIC,IAAI;QAC9BD,cAAcE,YAAY,CAACH,GAAG,CAAC,aAAapD,aAAawD,QAAQ;QACjEH,cAAcE,YAAY,CAACH,GAAG,CAAC,gBAAgB,GAAGtD,QAAQ,eAAe,CAAC;QAC1EuD,cAAcE,YAAY,CAACH,GAAG,CAAC,iBAAiB;QAChDC,cAAcE,YAAY,CAACH,GAAG,CAAC,SAAS,OAAOf,UAAU,WAAWA,QAAQ;QAC5EgB,cAAcE,YAAY,CAACH,GAAG,CAAC,SAASP;QACxCQ,cAAcE,YAAY,CAACH,GAAG,CAAC,eAAe;QAC9CC,cAAcE,YAAY,CAACH,GAAG,CAAC,UAAU;QAEzC,OAAO7C,IAAIkD,QAAQ,CAACJ,cAAcK,QAAQ;IAC5C;IAEA;;;;;;GAMC,GACDhE,OAAOW,GAAG,CAAC,mBAAmB,OAAOmB,KAAcjB;QACjD,MAAM,EAAEoD,MAAMC,UAAU,EAAEtB,OAAOO,WAAW,EAAEf,KAAK,EAAE,GAAGN,IAAIiB,KAAK;QAEjE,IAAIX,OAAO;YACT,OAAOvB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO,OAAOA,UAAU,WAAWA,QAAQ;gBAC3CC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAAC6B,cAAc,OAAOA,eAAe,UAAU;YACjD,OAAOrD,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACc,eAAe,OAAOA,gBAAgB,UAAU;YACnD,OAAOtC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMe,kBAAkB,MAAMlD,MAAMS,GAAG,CAAC,CAAC,iBAAiB,EAAEwC,aAAa;QACzE,IAAI,CAACC,iBAAiB;YACpB,OAAOvC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMnC,MAAMiE,MAAM,CAAC,CAAC,iBAAiB,EAAEhB,aAAa;QAEpD,IAAII,KAAKC,GAAG,KAAKJ,gBAAgBK,UAAU,EAAE;YAC3C,OAAO5C,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAM+B,WAAW;QACjB,2EAA2E;QAC3E,qEAAqE;QACrE,MAAMC,iBAAyC;YAC7CJ,MAAMC;YACNzB,WAAWnC,aAAawD,QAAQ;YAChCpB,cAAc,GAAGtC,QAAQ,eAAe,CAAC;YACzCkE,YAAY;QACd;QACA,IAAIhE,aAAaiE,YAAY,EAAE;YAC7BF,eAAeG,aAAa,GAAGlE,aAAaiE,YAAY;QAC1D;QACA,MAAME,cAAc,IAAIC,gBAAgBL;QAExC,MAAMM,gBAAgB,MAAMC,MAAMR,UAAU;YAC1CS,QAAQ;YACRC,SAAS;gBAAE,gBAAgB;YAAoC;YAC/D9C,MAAMyC,YAAYT,QAAQ;QAC5B;QAEA,IAAI,CAACW,cAAcI,EAAE,EAAE;YACrB,MAAMC,YAAY,MAAML,cAAcM,IAAI;YAC1C,OAAOpE,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB,CAAC,8CAA8C,EAAE2C,WAAW;YACjF;QACF;QAEA,MAAME,YAAa,MAAMP,cAAcnE,IAAI;QAO3C,8CAA8C;QAC9C,MAAM2E,iBAAiC;YACrCC,aAAaF,UAAUG,YAAY;YACnC,GAAIH,UAAUI,aAAa,IAAI;gBAAEC,cAAcL,UAAUI,aAAa;YAAC,CAAC;YACxEE,WAAWjC,KAAKC,GAAG,KAAK0B,UAAUO,UAAU,GAAG;YAC/C9C,OAAOuC,UAAUvC,KAAK;QACxB;QAEA,MAAM+C,UAAUhG;QAChB,MAAMiG,WAA8B;YAClC1B,MAAMyB;YACNjD,WAAWW,gBAAgBX,SAAS;YACpCC,cAAcU,gBAAgBV,YAAY;YAC1CC,OAAOS,gBAAgBT,KAAK;YAC5B,GAAIS,gBAAgBP,cAAc,IAAI;gBAAEA,gBAAgBO,gBAAgBP,cAAc;YAAC,CAAC;YACxF,GAAIO,gBAAgBN,qBAAqB,IAAI;gBAAEA,uBAAuBM,gBAAgBN,qBAAqB;YAAC,CAAC;YAC7GqC;YACA7B,YAAYC,KAAKC,GAAG;YACpBC,YAAYF,KAAKC,GAAG,KAAK;QAC3B;QAEA,MAAM3D,SAAS+F,WAAW,CAAC1F,OAAOwF,SAASC;QAE3C,MAAME,oBAAoB,IAAIjC,IAAIR,gBAAgBV,YAAY;QAC9DmD,kBAAkBhC,YAAY,CAACH,GAAG,CAAC,QAAQgC;QAC3C,IAAItC,gBAAgBR,KAAK,EAAE;YACzBiD,kBAAkBhC,YAAY,CAACH,GAAG,CAAC,SAASN,gBAAgBR,KAAK;QACnE;QAEA,OAAO/B,IAAIkD,QAAQ,CAAC8B,kBAAkB7B,QAAQ;IAChD;IAEA;;;GAGC,GACDhE,OAAO6B,IAAI,CAAC,gBAAgB,OAAOC,KAAcjB;QAC/C,IAAI4B,YAAYX,IAAIE,IAAI,CAACS,SAAS;QAClC,IAAI+B,gBAAgB1C,IAAIE,IAAI,CAACwC,aAAa;QAE1C,MAAMsB,aAAahE,IAAIgD,OAAO,CAACiB,aAAa;QAC5C,IAAID,cAAcA,WAAWE,UAAU,CAAC,WAAW;YACjD,MAAMC,oBAAoBH,WAAWI,SAAS,CAAC;YAC/C,MAAMC,cAAcC,OAAOC,IAAI,CAACJ,mBAAmB,UAAUjC,QAAQ,CAAC;YACtE,MAAM,CAACsC,IAAIC,OAAO,GAAGJ,YAAYK,KAAK,CAAC;YACvC/D,YAAY6D;YACZ9B,gBAAgB+B;QAClB;QAEA,MAAM,EAAEjC,UAAU,EAAEL,IAAI,EAAEvB,YAAY,EAAE4C,aAAa,EAAEmB,aAAa,EAAE,GAAG3E,IAAIE,IAAI;QAEjF,IAAI,CAACsC,YAAY;YACf,OAAOzD,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAIiC,eAAe,sBAAsB;YACvC,IAAI,CAACL,QAAQ,CAACxB,aAAa,CAACC,cAAc;gBACxC,OAAO7B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,MAAMqE,gBAAgB,MAAM7G,SAAS8G,cAAc,CAACzG,OAAOuC,WAAW+B,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAACkC,eAAe;gBAClB,OAAO7F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,MAAMsD,WAAW,MAAM9F,SAAS+G,WAAW,CAAC1G,OAAO+D;YACnD,IAAI,CAAC0B,UAAU;gBACb,OAAO9E,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,IAAIsD,SAASlD,SAAS,KAAKA,aAAakD,SAASjD,YAAY,KAAKA,cAAc;gBAC9E,OAAO7B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,IAAIkB,KAAKC,GAAG,KAAKmC,SAASlC,UAAU,EAAE;gBACpC,MAAM5D,SAASgH,cAAc,CAAC3G,OAAO+D;gBACrC,OAAOpD,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,IAAIsD,SAAS9C,cAAc,EAAE;oBAQZ8C;gBAPf,IAAI,CAACc,eAAe;oBAClB,OAAO5F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;wBAC1B4B,OAAO;wBACPC,mBAAmB;oBACrB;gBACF;gBAEA,MAAMwC,UAASc,kCAAAA,SAAS7C,qBAAqB,cAA9B6C,6CAAAA,kCAAkC;gBACjD,MAAMmB,oBAAoBjC,WAAW,SAASpF,WAAW,UAAUsH,MAAM,CAACN,eAAeO,MAAM,CAAC,eAAeP;gBAE/G,IAAIK,sBAAsBnB,SAAS9C,cAAc,EAAE;oBACjD,OAAOhC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;wBAC1B4B,OAAO;wBACPC,mBAAmB;oBACrB;gBACF;YACF;YAEA,MAAMxC,SAASgH,cAAc,CAAC3G,OAAO+D;YAErC,MAAMmB,cAAc1F;YACpB,MAAMuH,oBAAoBvH;YAE1B,MAAMwF,YAAyB;gBAC7BG,cAAcD;gBACd8B,YAAY;gBACZzB,YAAY;gBACZH,eAAe2B;gBACftE,OAAOgD,SAAShD,KAAK;gBACrBF;gBACA0C,gBAAgBQ,SAASR,cAAc;gBACvC7B,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAM3D,SAASsH,cAAc,CAACjH,OAAOkF,aAAaF;YAClD,MAAMrF,SAASuH,eAAe,CAAClH,OAAO+G,mBAAmB/B;YACzD,MAAMrF,SAASwH,iBAAiB,CAACnH,OAAOkF,aAAaO,SAASR,cAAc;YAE5E,OAAOtE,IAAIL,IAAI,CAAC;gBACd6E,cAAcH,UAAUG,YAAY;gBACpC6B,YAAYhC,UAAUgC,UAAU;gBAChCzB,YAAYP,UAAUO,UAAU;gBAChCH,eAAeJ,UAAUI,aAAa;gBACtC3C,OAAOuC,UAAUvC,KAAK;YACxB;QACF;QACA,IAAI2B,eAAe,iBAAiB;YAClC,IAAI,CAACgB,iBAAiB,CAAC7C,WAAW;gBAChC,OAAO5B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,MAAMqE,gBAAgB,MAAM7G,SAAS8G,cAAc,CAACzG,OAAOuC,WAAW+B,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAACkC,eAAe;gBAClB,OAAO7F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,MAAM6C,YAAY,MAAMrF,SAASyH,eAAe,CAACpH,OAAOoF;YACxD,IAAI,CAACJ,aAAaA,UAAUzC,SAAS,KAAKA,WAAW;gBACnD,OAAO5B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,IAAIkF,0BAA0BrC,UAAUC,cAAc;YACtD,IAAID,UAAUC,cAAc,CAACI,YAAY,EAAE;gBACzC,IAAI;oBACF,4DAA4D;oBAC5D,MAAMiC,WAAW,IAAI5H,iBAAiB;wBACpC,GAAGU,YAAY;wBACfqC,OAAOuC,UAAUvC,KAAK;wBACtB8E,gBAAgB,GAAGrH,QAAQ,aAAa,CAAC;wBACzCsH,QAAQ;4BACNC,MAAMC,QAAQC,GAAG;4BACjBzF,OAAOwF,QAAQxF,KAAK;4BACpB0F,MAAMF,QAAQE,IAAI;4BAClBC,OAAO,KAAO;wBAChB;oBACF;oBAEA,kCAAkC;oBAClCR,0BAA0B,MAAMC,SAASQ,kBAAkB,CAAC9C,UAAUC,cAAc,CAACI,YAAY;gBACnG,EAAE,OAAOnD,OAAO;oBACd,4EAA4E;oBAC5EwF,QAAQE,IAAI,CAAC,yDAAyD1F,iBAAiBE,QAAQF,MAAMG,OAAO,GAAG0F,OAAO7F;gBACxH;YACF;YAEA,MAAM8F,iBAAiBxI;YACvB,MAAMyI,eAA4B;gBAChC,GAAGjD,SAAS;gBACZG,cAAc6C;gBACd5E,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAM3D,SAASsH,cAAc,CAACjH,OAAOgI,gBAAgBC;YACrD,MAAMtI,SAASwH,iBAAiB,CAACnH,OAAOgI,gBAAgBX;YAExD,OAAO1G,IAAIL,IAAI,CAAC;gBACd6E,cAAc8C,aAAa9C,YAAY;gBACvC6B,YAAYiB,aAAajB,UAAU;gBACnCzB,YAAY0C,aAAa1C,UAAU;gBACnC9C,OAAOwF,aAAaxF,KAAK;YAC3B;QACF;QACA,OAAO9B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;YAC1B4B,OAAO;YACPC,mBAAmB;QACrB;IACF;IAEA;;;GAGC,GACDrC,OAAO6B,IAAI,CAAC,iBAAiB,OAAOC,KAAcjB;QAChD,MAAM,EAAEuH,KAAK,EAAEC,eAAe,EAAE5F,SAAS,EAAE+B,aAAa,EAAE,GAAG1C,IAAIE,IAAI;QAErE,IAAI,CAACoG,OAAO;YACV,OAAOvH,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAII,aAAa+B,eAAe;YAC9B,MAAMkC,gBAAgB,MAAM7G,SAAS8G,cAAc,CAACzG,OAAOuC,WAAW+B;YACtE,IAAI,CAACkC,eAAe;gBAClB,OAAO7F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;QACF;QAEA,IAAIgG,oBAAoB,iBAAiB;YACvC,MAAMxI,SAASyI,kBAAkB,CAACpI,OAAOkI;QAC3C,OAAO,IAAIC,oBAAoB,gBAAgB;YAC7C,MAAMxI,SAAS0I,iBAAiB,CAACrI,OAAOkI;YACxC,MAAMvI,SAAS2I,oBAAoB,CAACtI,OAAOkI;QAC7C,OAAO;YACL,qBAAqB;YACrB,MAAMvI,SAASyI,kBAAkB,CAACpI,OAAOkI;YACzC,MAAMvI,SAAS0I,iBAAiB,CAACrI,OAAOkI;YACxC,MAAMvI,SAAS2I,oBAAoB,CAACtI,OAAOkI;QAC7C;QAEA,OAAOvH,IAAIsB,MAAM,CAAC,KAAKsG,IAAI;IAC7B;IAEA;;;;;;GAMC,GACDzI,OAAOW,GAAG,CAAC,iBAAiB,OAAOmB,KAAcjB;QAC/C,MAAMiF,aAAahE,IAAIgD,OAAO,CAACiB,aAAa;QAE5C,IAAI,CAACD,cAAc,CAACA,WAAWE,UAAU,CAAC,YAAY;YACpD,OAAOnF,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAM+F,QAAQtC,WAAWI,SAAS,CAAC;QACnC,MAAMhB,YAAY,MAAMrF,SAAS6I,cAAc,CAACxI,OAAOkI;QAEvD,IAAI,CAAClD,WAAW;YACd,OAAOrE,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMmB,MAAMD,KAAKC,GAAG;QACpB,MAAMgC,YAAYN,UAAU5B,UAAU,GAAG4B,UAAUO,UAAU,GAAG;QAEhE,IAAIjC,MAAMgC,WAAW;YACnB,MAAM3F,SAAS0I,iBAAiB,CAACrI,OAAOkI;YACxC,MAAMvI,SAAS2I,oBAAoB,CAACtI,OAAOkI;YAC3C,OAAOvH,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAMsG,WAAW;YACfP;YACAtE,UAAUoB,UAAUzC,SAAS;YAC7BmG,QAAQ1D,UAAUvC,KAAK,GAAGuC,UAAUvC,KAAK,CAAC6D,KAAK,CAAC,OAAO,EAAE;YACzDhB;YACAL,gBAAgBD,UAAUC,cAAc;QAC1C;QAEA,OAAOtE,IAAIL,IAAI,CAACmI;IAClB;IAEA;;GAEC,GACD3I,OAAOW,GAAG,CAAC,kBAAkB,OAAOC,MAAeC;QACjD,MAAMgI,UAAU,MAAMhJ,SAASiJ,WAAW,CAAC5I;QAC3C,OAAOW,IAAIL,IAAI,CAACqI;IAClB;IAEA,OAAO7I;AACT"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-google/src/lib/dcr-router.ts"],"sourcesContent":["/**\n * DCR Router - OAuth 2.0 Authorization Server\n *\n * Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n *\n * Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n */\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport * as dcrUtils from './dcr-utils.ts';\n\n/**\n * Configuration for DCR Router (self-hosted mode only)\n */\nexport interface DcrRouterConfig {\n  /** Single Keyv store for all DCR data */\n  store: Keyv;\n\n  /** Authorization Server issuer URL */\n  issuerUrl: string;\n\n  /** Base URL for OAuth endpoints */\n  baseUrl: string;\n\n  /** Supported OAuth scopes */\n  scopesSupported: string[];\n\n  /** OAuth client configuration for upstream provider */\n  clientConfig: OAuthClientConfig;\n}\n\n/**\n * Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n *\n * For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n *\n * @param config - Router configuration\n * @returns Express router with OAuth endpoints\n */\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n  const router = express.Router();\n  const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n  router.use('/mcp', (req: Request, res: Response, next) => {\n    const authHeader = req.headers.authorization || req.headers.Authorization;\n    const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n\n    if (!headerValue || !headerValue.toLowerCase().startsWith('bearer ')) {\n      return res\n        .status(401)\n        .set('WWW-Authenticate', `Bearer resource_metadata=\"${baseUrl}/.well-known/oauth-protected-resource\"`)\n        .json({\n          jsonrpc: '2.0',\n          error: {\n            code: -32600,\n            message: 'Missing Authorization header. DCR mode requires bearer token.',\n          },\n          id: null,\n        });\n    }\n\n    return next();\n  });\n\n  router.use(express.json());\n  router.use(express.urlencoded({ extended: true }));\n\n  /**\n   * OAuth Authorization Server Metadata (RFC 8414)\n   * GET /.well-known/oauth-authorization-server\n   */\n  router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n    const metadata: RFC8414Metadata = {\n      issuer: issuerUrl,\n      authorization_endpoint: `${baseUrl}/oauth/authorize`,\n      token_endpoint: `${baseUrl}/oauth/token`,\n      registration_endpoint: `${baseUrl}/oauth/register`,\n      revocation_endpoint: `${baseUrl}/oauth/revoke`,\n      scopes_supported: scopesSupported,\n      response_types_supported: ['code'],\n      grant_types_supported: ['authorization_code', 'refresh_token'],\n      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n      code_challenge_methods_supported: ['S256', 'plain'],\n      service_documentation: `${baseUrl}/docs`,\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Root)\n   * GET /.well-known/oauth-protected-resource\n   */\n  router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: baseUrl,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n   * GET /.well-known/oauth-protected-resource/mcp\n   */\n  router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n    const metadata: RFC9728Metadata = {\n      resource: `${baseUrl}/mcp`,\n      authorization_servers: [baseUrl],\n      scopes_supported: scopesSupported,\n      bearer_methods_supported: ['header'],\n    };\n    res.json(metadata);\n  });\n\n  /**\n   * Dynamic Client Registration (RFC 7591)\n   * POST /oauth/register\n   */\n  router.post('/oauth/register', async (req: Request, res: Response) => {\n    try {\n      const registrationRequest = req.body;\n      const client = await dcrUtils.registerClient(store, registrationRequest);\n      res.status(201).json(client);\n    } catch (error) {\n      res.status(400).json({\n        error: 'invalid_client_metadata',\n        error_description: error instanceof Error ? error.message : 'Invalid registration request',\n      });\n    }\n  });\n\n  /**\n   * OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n   * GET /oauth/authorize\n   *\n   * Initiates Google OAuth flow, then generates DCR authorization code\n   */\n  router.get('/oauth/authorize', async (req: Request, res: Response) => {\n    const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n    if (response_type !== 'code') {\n      return res.status(400).json({\n        error: 'unsupported_response_type',\n        error_description: 'Only response_type=code is supported',\n      });\n    }\n\n    if (!client_id || typeof client_id !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'client_id is required',\n      });\n    }\n\n    if (!redirect_uri || typeof redirect_uri !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'redirect_uri is required',\n      });\n    }\n\n    const client = await dcrUtils.getClient(store, client_id);\n    if (!client) {\n      return res.status(400).json({\n        error: 'invalid_client',\n        error_description: 'Unknown client_id',\n      });\n    }\n\n    const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n    if (!isValidRedirect) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid redirect_uri',\n      });\n    }\n\n    const googleState = randomUUID();\n    const dcrRequestState = {\n      client_id,\n      redirect_uri,\n      scope: typeof scope === 'string' ? scope : '',\n      state: typeof state === 'string' ? state : undefined,\n      code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n      code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await store.set(`dcr:google-state:${googleState}`, dcrRequestState, 600000);\n\n    const googleAuthUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');\n    googleAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n    googleAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n    googleAuthUrl.searchParams.set('response_type', 'code');\n    googleAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n    googleAuthUrl.searchParams.set('state', googleState);\n    googleAuthUrl.searchParams.set('access_type', 'offline');\n    googleAuthUrl.searchParams.set('prompt', 'consent');\n\n    return res.redirect(googleAuthUrl.toString());\n  });\n\n  /**\n   * OAuth Callback Handler\n   * GET /oauth/callback\n   *\n   * Handles OAuth callback from Google, exchanges authorization code for tokens,\n   * and redirects back to client with DCR authorization code.\n   */\n  router.get('/oauth/callback', async (req: Request, res: Response) => {\n    const { code: googleCode, state: googleState, error } = req.query;\n\n    if (error) {\n      return res.status(400).json({\n        error: typeof error === 'string' ? error : 'access_denied',\n        error_description: 'Google OAuth authorization failed',\n      });\n    }\n\n    if (!googleCode || typeof googleCode !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing authorization code from Google',\n      });\n    }\n\n    if (!googleState || typeof googleState !== 'string') {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Missing state parameter',\n      });\n    }\n\n    const dcrRequestState = await store.get(`dcr:google-state:${googleState}`);\n    if (!dcrRequestState) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'Invalid or expired state parameter',\n      });\n    }\n\n    await store.delete(`dcr:google-state:${googleState}`);\n\n    if (Date.now() > dcrRequestState.expires_at) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'DCR request state expired',\n      });\n    }\n\n    const tokenUrl = 'https://oauth2.googleapis.com/token';\n    // Build token params - only include client_secret for confidential clients\n    // Public clients (Desktop apps) should NOT send client_secret at all\n    const tokenParamsObj: Record<string, string> = {\n      code: googleCode,\n      client_id: clientConfig.clientId,\n      redirect_uri: `${baseUrl}/oauth/callback`,\n      grant_type: 'authorization_code',\n    };\n    if (clientConfig.clientSecret) {\n      tokenParamsObj.client_secret = clientConfig.clientSecret;\n    }\n    const tokenParams = new URLSearchParams(tokenParamsObj);\n\n    const tokenResponse = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: tokenParams.toString(),\n    });\n\n    if (!tokenResponse.ok) {\n      const errorText = await tokenResponse.text();\n      return res.status(400).json({\n        error: 'server_error',\n        error_description: `Failed to exchange Google authorization code: ${errorText}`,\n      });\n    }\n\n    const tokenData = (await tokenResponse.json()) as {\n      access_token: string;\n      refresh_token?: string;\n      expires_in: number;\n      scope: string;\n    };\n\n    // Create provider tokens from Google response\n    const providerTokens: ProviderTokens = {\n      accessToken: tokenData.access_token,\n      ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n      expiresAt: Date.now() + tokenData.expires_in * 1000,\n      scope: tokenData.scope,\n    };\n\n    const dcrCode = randomUUID();\n    const authCode: AuthorizationCode = {\n      code: dcrCode,\n      client_id: dcrRequestState.client_id,\n      redirect_uri: dcrRequestState.redirect_uri,\n      scope: dcrRequestState.scope,\n      ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n      ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n      providerTokens,\n      created_at: Date.now(),\n      expires_at: Date.now() + 600000, // 10 minutes\n    };\n\n    await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n    const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n    clientRedirectUrl.searchParams.set('code', dcrCode);\n    if (dcrRequestState.state) {\n      clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n    }\n\n    return res.redirect(clientRedirectUrl.toString());\n  });\n\n  /**\n   * OAuth Token Endpoint (RFC 6749 Section 3.2)\n   * POST /oauth/token\n   */\n  router.post('/oauth/token', async (req: Request, res: Response) => {\n    let client_id = req.body.client_id;\n    let client_secret = req.body.client_secret;\n\n    const authHeader = req.headers.authorization;\n    if (authHeader && authHeader.startsWith('Basic ')) {\n      const base64Credentials = authHeader.substring(6);\n      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n      const [id, secret] = credentials.split(':');\n      client_id = id;\n      client_secret = secret;\n    }\n\n    const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n    if (!grant_type) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'grant_type is required',\n      });\n    }\n\n    if (grant_type === 'authorization_code') {\n      if (!code || !client_id || !redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'code, client_id, and redirect_uri are required',\n        });\n      }\n\n      // Validate client credentials\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const authCode = await dcrUtils.getAuthCode(store, code);\n      if (!authCode) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid or expired authorization code',\n        });\n      }\n\n      if (authCode.client_id !== client_id || authCode.redirect_uri !== redirect_uri) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code mismatch',\n        });\n      }\n\n      if (Date.now() > authCode.expires_at) {\n        await dcrUtils.deleteAuthCode(store, code);\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Authorization code expired',\n        });\n      }\n\n      if (authCode.code_challenge) {\n        if (!code_verifier) {\n          return res.status(400).json({\n            error: 'invalid_request',\n            error_description: 'code_verifier is required for PKCE',\n          });\n        }\n\n        const method = authCode.code_challenge_method ?? 'plain';\n        const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n        if (computedChallenge !== authCode.code_challenge) {\n          return res.status(400).json({\n            error: 'invalid_grant',\n            error_description: 'Invalid code_verifier',\n          });\n        }\n      }\n\n      await dcrUtils.deleteAuthCode(store, code);\n\n      const accessToken = randomUUID();\n      const refreshTokenValue = randomUUID();\n\n      const tokenData: AccessToken = {\n        access_token: accessToken,\n        token_type: 'Bearer',\n        expires_in: 3600,\n        refresh_token: refreshTokenValue,\n        scope: authCode.scope,\n        client_id,\n        providerTokens: authCode.providerTokens,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, accessToken, tokenData);\n      await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n      await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n      return res.json({\n        access_token: tokenData.access_token,\n        token_type: tokenData.token_type,\n        expires_in: tokenData.expires_in,\n        refresh_token: tokenData.refresh_token,\n        scope: tokenData.scope,\n      });\n    }\n    if (grant_type === 'refresh_token') {\n      if (!refresh_token || !client_id) {\n        return res.status(400).json({\n          error: 'invalid_request',\n          error_description: 'refresh_token and client_id are required',\n        });\n      }\n\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n\n      const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n      if (!tokenData || tokenData.client_id !== client_id) {\n        return res.status(400).json({\n          error: 'invalid_grant',\n          error_description: 'Invalid refresh token',\n        });\n      }\n\n      let refreshedProviderTokens = tokenData.providerTokens;\n      if (tokenData.providerTokens.refreshToken) {\n        try {\n          // Create DcrOAuthProvider instance to refresh Google tokens\n          const provider = new DcrOAuthProvider({\n            ...clientConfig,\n            scope: tokenData.scope,\n            verifyEndpoint: `${baseUrl}/oauth/verify`,\n            logger: {\n              info: console.log,\n              error: console.error,\n              warn: console.warn,\n              debug: () => {},\n            },\n          });\n\n          // Refresh the Google access token\n          refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n        } catch (error) {\n          // If refresh fails, continue with existing tokens (they may still be valid)\n          console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n        }\n      }\n\n      const newAccessToken = randomUUID();\n      const newTokenData: AccessToken = {\n        ...tokenData,\n        access_token: newAccessToken,\n        created_at: Date.now(),\n      };\n\n      await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n      await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n      return res.json({\n        access_token: newTokenData.access_token,\n        token_type: newTokenData.token_type,\n        expires_in: newTokenData.expires_in,\n        scope: newTokenData.scope,\n      });\n    }\n    return res.status(400).json({\n      error: 'unsupported_grant_type',\n      error_description: 'Only authorization_code and refresh_token grants are supported',\n    });\n  });\n\n  /**\n   * OAuth Token Revocation (RFC 7009)\n   * POST /oauth/revoke\n   */\n  router.post('/oauth/revoke', async (req: Request, res: Response) => {\n    const { token, token_type_hint, client_id, client_secret } = req.body;\n\n    if (!token) {\n      return res.status(400).json({\n        error: 'invalid_request',\n        error_description: 'token is required',\n      });\n    }\n\n    if (client_id && client_secret) {\n      const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n      if (!isValidClient) {\n        return res.status(401).json({\n          error: 'invalid_client',\n          error_description: 'Invalid client credentials',\n        });\n      }\n    }\n\n    if (token_type_hint === 'refresh_token') {\n      await dcrUtils.deleteRefreshToken(store, token);\n    } else if (token_type_hint === 'access_token') {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    } else {\n      // No hint - try both\n      await dcrUtils.deleteRefreshToken(store, token);\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n    }\n\n    return res.status(200).send();\n  });\n\n  /**\n   * Token Verification Endpoint\n   * GET /oauth/verify\n   *\n   * Validates bearer tokens for Resource Server.\n   * Returns AuthInfo with provider tokens for stateless DCR pattern.\n   */\n  router.get('/oauth/verify', async (req: Request, res: Response) => {\n    const authHeader = req.headers.authorization;\n\n    if (!authHeader || !authHeader.startsWith('Bearer ')) {\n      return res.status(401).json({\n        error: 'invalid_request',\n        error_description: 'Missing or invalid Authorization header',\n      });\n    }\n\n    const token = authHeader.substring(7);\n    const tokenData = await dcrUtils.getAccessToken(store, token);\n\n    if (!tokenData) {\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Unknown or expired access token',\n      });\n    }\n\n    const now = Date.now();\n    const expiresAt = tokenData.created_at + tokenData.expires_in * 1000;\n\n    if (now > expiresAt) {\n      await dcrUtils.deleteAccessToken(store, token);\n      await dcrUtils.deleteProviderTokens(store, token);\n      return res.status(401).json({\n        error: 'invalid_token',\n        error_description: 'Access token has expired',\n      });\n    }\n\n    const authInfo = {\n      token,\n      clientId: tokenData.client_id,\n      scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n      expiresAt,\n      providerTokens: tokenData.providerTokens,\n    };\n\n    return res.json(authInfo);\n  });\n\n  /**\n   * Debug endpoint to list registered clients (development only)\n   */\n  router.get('/debug/clients', async (_req: Request, res: Response) => {\n    const clients = await dcrUtils.listClients(store);\n    return res.json(clients);\n  });\n\n  return router;\n}\n"],"names":["createHash","randomUUID","express","DcrOAuthProvider","dcrUtils","createDcrRouter","config","router","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","req","res","next","authHeader","headers","authorization","Authorization","headerValue","Array","isArray","toLowerCase","startsWith","status","set","json","jsonrpc","error","code","message","id","urlencoded","extended","get","_req","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","registrationRequest","body","client","registerClient","error_description","Error","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","query","getClient","isValidRedirect","validateRedirectUri","googleState","dcrRequestState","undefined","created_at","Date","now","expires_at","googleAuthUrl","URL","searchParams","clientId","redirect","toString","googleCode","delete","tokenUrl","tokenParamsObj","grant_type","clientSecret","client_secret","tokenParams","URLSearchParams","tokenResponse","fetch","method","ok","errorText","text","tokenData","providerTokens","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","dcrCode","authCode","setAuthCode","clientRedirectUrl","base64Credentials","substring","credentials","Buffer","from","secret","split","code_verifier","isValidClient","validateClient","getAuthCode","deleteAuthCode","computedChallenge","update","digest","refreshTokenValue","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","refreshedProviderTokens","provider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","newAccessToken","newTokenData","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","getAccessToken","authInfo","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC,GAGD,SAASA,UAAU,EAAEC,UAAU,QAAQ,SAAS;AAEhD,OAAOC,aAAa,UAAU;AAE9B,SAASC,gBAAgB,QAAQ,sBAAsB;AAEvD,YAAYC,cAAc,iBAAiB;AAsB3C;;;;;;;;CAQC,GACD,OAAO,SAASC,gBAAgBC,MAAuB;IACrD,MAAMC,SAASL,QAAQM,MAAM;IAC7B,MAAM,EAAEC,KAAK,EAAEC,SAAS,EAAEC,OAAO,EAAEC,eAAe,EAAEC,YAAY,EAAE,GAAGP;IAErEC,OAAOO,GAAG,CAAC,QAAQ,CAACC,KAAcC,KAAeC;QAC/C,MAAMC,aAAaH,IAAII,OAAO,CAACC,aAAa,IAAIL,IAAII,OAAO,CAACE,aAAa;QACzE,MAAMC,cAAcC,MAAMC,OAAO,CAACN,cAAcA,UAAU,CAAC,EAAE,GAAGA;QAEhE,IAAI,CAACI,eAAe,CAACA,YAAYG,WAAW,GAAGC,UAAU,CAAC,YAAY;YACpE,OAAOV,IACJW,MAAM,CAAC,KACPC,GAAG,CAAC,oBAAoB,CAAC,0BAA0B,EAAEjB,QAAQ,sCAAsC,CAAC,EACpGkB,IAAI,CAAC;gBACJC,SAAS;gBACTC,OAAO;oBACLC,MAAM,CAAC;oBACPC,SAAS;gBACX;gBACAC,IAAI;YACN;QACJ;QAEA,OAAOjB;IACT;IAEAV,OAAOO,GAAG,CAACZ,QAAQ2B,IAAI;IACvBtB,OAAOO,GAAG,CAACZ,QAAQiC,UAAU,CAAC;QAAEC,UAAU;IAAK;IAE/C;;;GAGC,GACD7B,OAAO8B,GAAG,CAAC,2CAA2C,CAACC,MAAetB;QACpE,MAAMuB,WAA4B;YAChCC,QAAQ9B;YACR+B,wBAAwB,GAAG9B,QAAQ,gBAAgB,CAAC;YACpD+B,gBAAgB,GAAG/B,QAAQ,YAAY,CAAC;YACxCgC,uBAAuB,GAAGhC,QAAQ,eAAe,CAAC;YAClDiC,qBAAqB,GAAGjC,QAAQ,aAAa,CAAC;YAC9CkC,kBAAkBjC;YAClBkC,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,GAAGvC,QAAQ,KAAK,CAAC;QAC1C;QACAK,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDhC,OAAO8B,GAAG,CAAC,yCAAyC,CAACC,MAAetB;QAClE,MAAMuB,WAA4B;YAChCY,UAAUxC;YACVyC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDhC,OAAO8B,GAAG,CAAC,6CAA6C,CAACC,MAAetB;QACtE,MAAMuB,WAA4B;YAChCY,UAAU,GAAGxC,QAAQ,IAAI,CAAC;YAC1ByC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDhC,OAAO+C,IAAI,CAAC,mBAAmB,OAAOvC,KAAcC;QAClD,IAAI;YACF,MAAMuC,sBAAsBxC,IAAIyC,IAAI;YACpC,MAAMC,SAAS,MAAMrD,SAASsD,cAAc,CAACjD,OAAO8C;YACpDvC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC4B;QACvB,EAAE,OAAO1B,OAAO;YACdf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBACnBE,OAAO;gBACP4B,mBAAmB5B,iBAAiB6B,QAAQ7B,MAAME,OAAO,GAAG;YAC9D;QACF;IACF;IAEA;;;;;GAKC,GACD1B,OAAO8B,GAAG,CAAC,oBAAoB,OAAOtB,KAAcC;QAClD,MAAM,EAAE6C,aAAa,EAAEC,SAAS,EAAEC,YAAY,EAAEC,QAAQ,EAAE,EAAEC,QAAQ,EAAE,EAAEC,cAAc,EAAEC,qBAAqB,EAAE,GAAGpD,IAAIqD,KAAK;QAE3H,IAAIP,kBAAkB,QAAQ;YAC5B,OAAO7C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACG,aAAa,OAAOA,cAAc,UAAU;YAC/C,OAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACI,gBAAgB,OAAOA,iBAAiB,UAAU;YACrD,OAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMF,SAAS,MAAMrD,SAASiE,SAAS,CAAC5D,OAAOqD;QAC/C,IAAI,CAACL,QAAQ;YACX,OAAOzC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMW,kBAAkB,MAAMlE,SAASmE,mBAAmB,CAAC9D,OAAOqD,WAAWC;QAC7E,IAAI,CAACO,iBAAiB;YACpB,OAAOtD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMa,cAAcvE;QACpB,MAAMwE,kBAAkB;YACtBX;YACAC;YACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;YAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQS;YAC3CR,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBQ;YACtEP,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBO;YAC3FC,YAAYC,KAAKC,GAAG;YACpBC,YAAYF,KAAKC,GAAG,KAAK;QAC3B;QAEA,MAAMpE,MAAMmB,GAAG,CAAC,CAAC,iBAAiB,EAAE4C,aAAa,EAAEC,iBAAiB;QAEpE,MAAMM,gBAAgB,IAAIC,IAAI;QAC9BD,cAAcE,YAAY,CAACrD,GAAG,CAAC,aAAaf,aAAaqE,QAAQ;QACjEH,cAAcE,YAAY,CAACrD,GAAG,CAAC,gBAAgB,GAAGjB,QAAQ,eAAe,CAAC;QAC1EoE,cAAcE,YAAY,CAACrD,GAAG,CAAC,iBAAiB;QAChDmD,cAAcE,YAAY,CAACrD,GAAG,CAAC,SAAS,OAAOoC,UAAU,WAAWA,QAAQ;QAC5Ee,cAAcE,YAAY,CAACrD,GAAG,CAAC,SAAS4C;QACxCO,cAAcE,YAAY,CAACrD,GAAG,CAAC,eAAe;QAC9CmD,cAAcE,YAAY,CAACrD,GAAG,CAAC,UAAU;QAEzC,OAAOZ,IAAImE,QAAQ,CAACJ,cAAcK,QAAQ;IAC5C;IAEA;;;;;;GAMC,GACD7E,OAAO8B,GAAG,CAAC,mBAAmB,OAAOtB,KAAcC;QACjD,MAAM,EAAEgB,MAAMqD,UAAU,EAAEpB,OAAOO,WAAW,EAAEzC,KAAK,EAAE,GAAGhB,IAAIqD,KAAK;QAEjE,IAAIrC,OAAO;YACT,OAAOf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO,OAAOA,UAAU,WAAWA,QAAQ;gBAC3C4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAAC0B,cAAc,OAAOA,eAAe,UAAU;YACjD,OAAOrE,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACa,eAAe,OAAOA,gBAAgB,UAAU;YACnD,OAAOxD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMc,kBAAkB,MAAMhE,MAAM4B,GAAG,CAAC,CAAC,iBAAiB,EAAEmC,aAAa;QACzE,IAAI,CAACC,iBAAiB;YACpB,OAAOzD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMlD,MAAM6E,MAAM,CAAC,CAAC,iBAAiB,EAAEd,aAAa;QAEpD,IAAII,KAAKC,GAAG,KAAKJ,gBAAgBK,UAAU,EAAE;YAC3C,OAAO9D,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAM4B,WAAW;QACjB,2EAA2E;QAC3E,qEAAqE;QACrE,MAAMC,iBAAyC;YAC7CxD,MAAMqD;YACNvB,WAAWjD,aAAaqE,QAAQ;YAChCnB,cAAc,GAAGpD,QAAQ,eAAe,CAAC;YACzC8E,YAAY;QACd;QACA,IAAI5E,aAAa6E,YAAY,EAAE;YAC7BF,eAAeG,aAAa,GAAG9E,aAAa6E,YAAY;QAC1D;QACA,MAAME,cAAc,IAAIC,gBAAgBL;QAExC,MAAMM,gBAAgB,MAAMC,MAAMR,UAAU;YAC1CS,QAAQ;YACR7E,SAAS;gBAAE,gBAAgB;YAAoC;YAC/DqC,MAAMoC,YAAYR,QAAQ;QAC5B;QAEA,IAAI,CAACU,cAAcG,EAAE,EAAE;YACrB,MAAMC,YAAY,MAAMJ,cAAcK,IAAI;YAC1C,OAAOnF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB,CAAC,8CAA8C,EAAEuC,WAAW;YACjF;QACF;QAEA,MAAME,YAAa,MAAMN,cAAcjE,IAAI;QAO3C,8CAA8C;QAC9C,MAAMwE,iBAAiC;YACrCC,aAAaF,UAAUG,YAAY;YACnC,GAAIH,UAAUI,aAAa,IAAI;gBAAEC,cAAcL,UAAUI,aAAa;YAAC,CAAC;YACxEE,WAAW9B,KAAKC,GAAG,KAAKuB,UAAUO,UAAU,GAAG;YAC/C3C,OAAOoC,UAAUpC,KAAK;QACxB;QAEA,MAAM4C,UAAU3G;QAChB,MAAM4G,WAA8B;YAClC7E,MAAM4E;YACN9C,WAAWW,gBAAgBX,SAAS;YACpCC,cAAcU,gBAAgBV,YAAY;YAC1CC,OAAOS,gBAAgBT,KAAK;YAC5B,GAAIS,gBAAgBP,cAAc,IAAI;gBAAEA,gBAAgBO,gBAAgBP,cAAc;YAAC,CAAC;YACxF,GAAIO,gBAAgBN,qBAAqB,IAAI;gBAAEA,uBAAuBM,gBAAgBN,qBAAqB;YAAC,CAAC;YAC7GkC;YACA1B,YAAYC,KAAKC,GAAG;YACpBC,YAAYF,KAAKC,GAAG,KAAK;QAC3B;QAEA,MAAMzE,SAAS0G,WAAW,CAACrG,OAAOmG,SAASC;QAE3C,MAAME,oBAAoB,IAAI/B,IAAIP,gBAAgBV,YAAY;QAC9DgD,kBAAkB9B,YAAY,CAACrD,GAAG,CAAC,QAAQgF;QAC3C,IAAInC,gBAAgBR,KAAK,EAAE;YACzB8C,kBAAkB9B,YAAY,CAACrD,GAAG,CAAC,SAAS6C,gBAAgBR,KAAK;QACnE;QAEA,OAAOjD,IAAImE,QAAQ,CAAC4B,kBAAkB3B,QAAQ;IAChD;IAEA;;;GAGC,GACD7E,OAAO+C,IAAI,CAAC,gBAAgB,OAAOvC,KAAcC;QAC/C,IAAI8C,YAAY/C,IAAIyC,IAAI,CAACM,SAAS;QAClC,IAAI6B,gBAAgB5E,IAAIyC,IAAI,CAACmC,aAAa;QAE1C,MAAMzE,aAAaH,IAAII,OAAO,CAACC,aAAa;QAC5C,IAAIF,cAAcA,WAAWQ,UAAU,CAAC,WAAW;YACjD,MAAMsF,oBAAoB9F,WAAW+F,SAAS,CAAC;YAC/C,MAAMC,cAAcC,OAAOC,IAAI,CAACJ,mBAAmB,UAAU5B,QAAQ,CAAC;YACtE,MAAM,CAAClD,IAAImF,OAAO,GAAGH,YAAYI,KAAK,CAAC;YACvCxD,YAAY5B;YACZyD,gBAAgB0B;QAClB;QAEA,MAAM,EAAE5B,UAAU,EAAEzD,IAAI,EAAE+B,YAAY,EAAEyC,aAAa,EAAEe,aAAa,EAAE,GAAGxG,IAAIyC,IAAI;QAEjF,IAAI,CAACiC,YAAY;YACf,OAAOzE,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI8B,eAAe,sBAAsB;YACvC,IAAI,CAACzD,QAAQ,CAAC8B,aAAa,CAACC,cAAc;gBACxC,OAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,MAAM6D,gBAAgB,MAAMpH,SAASqH,cAAc,CAAChH,OAAOqD,WAAW6B,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAAC6B,eAAe;gBAClB,OAAOxG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,MAAMkD,WAAW,MAAMzG,SAASsH,WAAW,CAACjH,OAAOuB;YACnD,IAAI,CAAC6E,UAAU;gBACb,OAAO7F,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,IAAIkD,SAAS/C,SAAS,KAAKA,aAAa+C,SAAS9C,YAAY,KAAKA,cAAc;gBAC9E,OAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,IAAIiB,KAAKC,GAAG,KAAKgC,SAAS/B,UAAU,EAAE;gBACpC,MAAM1E,SAASuH,cAAc,CAAClH,OAAOuB;gBACrC,OAAOhB,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,IAAIkD,SAAS3C,cAAc,EAAE;oBAQZ2C;gBAPf,IAAI,CAACU,eAAe;oBAClB,OAAOvG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wBAC1BE,OAAO;wBACP4B,mBAAmB;oBACrB;gBACF;gBAEA,MAAMqC,UAASa,kCAAAA,SAAS1C,qBAAqB,cAA9B0C,6CAAAA,kCAAkC;gBACjD,MAAMe,oBAAoB5B,WAAW,SAAShG,WAAW,UAAU6H,MAAM,CAACN,eAAeO,MAAM,CAAC,eAAeP;gBAE/G,IAAIK,sBAAsBf,SAAS3C,cAAc,EAAE;oBACjD,OAAOlD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wBAC1BE,OAAO;wBACP4B,mBAAmB;oBACrB;gBACF;YACF;YAEA,MAAMvD,SAASuH,cAAc,CAAClH,OAAOuB;YAErC,MAAMsE,cAAcrG;YACpB,MAAM8H,oBAAoB9H;YAE1B,MAAMmG,YAAyB;gBAC7BG,cAAcD;gBACd0B,YAAY;gBACZrB,YAAY;gBACZH,eAAeuB;gBACf/D,OAAO6C,SAAS7C,KAAK;gBACrBF;gBACAuC,gBAAgBQ,SAASR,cAAc;gBACvC1B,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAMzE,SAAS6H,cAAc,CAACxH,OAAO6F,aAAaF;YAClD,MAAMhG,SAAS8H,eAAe,CAACzH,OAAOsH,mBAAmB3B;YACzD,MAAMhG,SAAS+H,iBAAiB,CAAC1H,OAAO6F,aAAaO,SAASR,cAAc;YAE5E,OAAOrF,IAAIa,IAAI,CAAC;gBACd0E,cAAcH,UAAUG,YAAY;gBACpCyB,YAAY5B,UAAU4B,UAAU;gBAChCrB,YAAYP,UAAUO,UAAU;gBAChCH,eAAeJ,UAAUI,aAAa;gBACtCxC,OAAOoC,UAAUpC,KAAK;YACxB;QACF;QACA,IAAIyB,eAAe,iBAAiB;YAClC,IAAI,CAACe,iBAAiB,CAAC1C,WAAW;gBAChC,OAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,MAAM6D,gBAAgB,MAAMpH,SAASqH,cAAc,CAAChH,OAAOqD,WAAW6B,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAAC6B,eAAe;gBAClB,OAAOxG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,MAAMyC,YAAY,MAAMhG,SAASgI,eAAe,CAAC3H,OAAO+F;YACxD,IAAI,CAACJ,aAAaA,UAAUtC,SAAS,KAAKA,WAAW;gBACnD,OAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,IAAI0E,0BAA0BjC,UAAUC,cAAc;YACtD,IAAID,UAAUC,cAAc,CAACI,YAAY,EAAE;gBACzC,IAAI;oBACF,4DAA4D;oBAC5D,MAAM6B,WAAW,IAAInI,iBAAiB;wBACpC,GAAGU,YAAY;wBACfmD,OAAOoC,UAAUpC,KAAK;wBACtBuE,gBAAgB,GAAG5H,QAAQ,aAAa,CAAC;wBACzC6H,QAAQ;4BACNC,MAAMC,QAAQC,GAAG;4BACjB5G,OAAO2G,QAAQ3G,KAAK;4BACpB6G,MAAMF,QAAQE,IAAI;4BAClBC,OAAO,KAAO;wBAChB;oBACF;oBAEA,kCAAkC;oBAClCR,0BAA0B,MAAMC,SAASQ,kBAAkB,CAAC1C,UAAUC,cAAc,CAACI,YAAY;gBACnG,EAAE,OAAO1E,OAAO;oBACd,4EAA4E;oBAC5E2G,QAAQE,IAAI,CAAC,yDAAyD7G,iBAAiB6B,QAAQ7B,MAAME,OAAO,GAAG8G,OAAOhH;gBACxH;YACF;YAEA,MAAMiH,iBAAiB/I;YACvB,MAAMgJ,eAA4B;gBAChC,GAAG7C,SAAS;gBACZG,cAAcyC;gBACdrE,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAMzE,SAAS6H,cAAc,CAACxH,OAAOuI,gBAAgBC;YACrD,MAAM7I,SAAS+H,iBAAiB,CAAC1H,OAAOuI,gBAAgBX;YAExD,OAAOrH,IAAIa,IAAI,CAAC;gBACd0E,cAAc0C,aAAa1C,YAAY;gBACvCyB,YAAYiB,aAAajB,UAAU;gBACnCrB,YAAYsC,aAAatC,UAAU;gBACnC3C,OAAOiF,aAAajF,KAAK;YAC3B;QACF;QACA,OAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;YAC1BE,OAAO;YACP4B,mBAAmB;QACrB;IACF;IAEA;;;GAGC,GACDpD,OAAO+C,IAAI,CAAC,iBAAiB,OAAOvC,KAAcC;QAChD,MAAM,EAAEkI,KAAK,EAAEC,eAAe,EAAErF,SAAS,EAAE6B,aAAa,EAAE,GAAG5E,IAAIyC,IAAI;QAErE,IAAI,CAAC0F,OAAO;YACV,OAAOlI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAIG,aAAa6B,eAAe;YAC9B,MAAM6B,gBAAgB,MAAMpH,SAASqH,cAAc,CAAChH,OAAOqD,WAAW6B;YACtE,IAAI,CAAC6B,eAAe;gBAClB,OAAOxG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;QACF;QAEA,IAAIwF,oBAAoB,iBAAiB;YACvC,MAAM/I,SAASgJ,kBAAkB,CAAC3I,OAAOyI;QAC3C,OAAO,IAAIC,oBAAoB,gBAAgB;YAC7C,MAAM/I,SAASiJ,iBAAiB,CAAC5I,OAAOyI;YACxC,MAAM9I,SAASkJ,oBAAoB,CAAC7I,OAAOyI;QAC7C,OAAO;YACL,qBAAqB;YACrB,MAAM9I,SAASgJ,kBAAkB,CAAC3I,OAAOyI;YACzC,MAAM9I,SAASiJ,iBAAiB,CAAC5I,OAAOyI;YACxC,MAAM9I,SAASkJ,oBAAoB,CAAC7I,OAAOyI;QAC7C;QAEA,OAAOlI,IAAIW,MAAM,CAAC,KAAK4H,IAAI;IAC7B;IAEA;;;;;;GAMC,GACDhJ,OAAO8B,GAAG,CAAC,iBAAiB,OAAOtB,KAAcC;QAC/C,MAAME,aAAaH,IAAII,OAAO,CAACC,aAAa;QAE5C,IAAI,CAACF,cAAc,CAACA,WAAWQ,UAAU,CAAC,YAAY;YACpD,OAAOV,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMuF,QAAQhI,WAAW+F,SAAS,CAAC;QACnC,MAAMb,YAAY,MAAMhG,SAASoJ,cAAc,CAAC/I,OAAOyI;QAEvD,IAAI,CAAC9C,WAAW;YACd,OAAOpF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMkB,MAAMD,KAAKC,GAAG;QACpB,MAAM6B,YAAYN,UAAUzB,UAAU,GAAGyB,UAAUO,UAAU,GAAG;QAEhE,IAAI9B,MAAM6B,WAAW;YACnB,MAAMtG,SAASiJ,iBAAiB,CAAC5I,OAAOyI;YACxC,MAAM9I,SAASkJ,oBAAoB,CAAC7I,OAAOyI;YAC3C,OAAOlI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAM8F,WAAW;YACfP;YACAhE,UAAUkB,UAAUtC,SAAS;YAC7B4F,QAAQtD,UAAUpC,KAAK,GAAGoC,UAAUpC,KAAK,CAACsD,KAAK,CAAC,OAAO,EAAE;YACzDZ;YACAL,gBAAgBD,UAAUC,cAAc;QAC1C;QAEA,OAAOrF,IAAIa,IAAI,CAAC4H;IAClB;IAEA;;GAEC,GACDlJ,OAAO8B,GAAG,CAAC,kBAAkB,OAAOC,MAAetB;QACjD,MAAM2I,UAAU,MAAMvJ,SAASwJ,WAAW,CAACnJ;QAC3C,OAAOO,IAAIa,IAAI,CAAC8H;IAClB;IAEA,OAAOpJ;AACT"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-z/oauth-google",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "OAuth 2.0 client for Google APIs with multi-account support, PKCE security, and swappable storage backends",
   "keywords": [
     "oauth2",
@@ -52,29 +52,29 @@
     "version": "tsds version"
   },
   "dependencies": {
-    "@mcp-z/oauth": "^1.0.0",
-    "express": "^5.0.0",
-    "google-auth-library": "^10.0.0",
-    "jose": "^6.0.0",
+    "@mcp-z/oauth": "^1.0.1",
+    "express": "^5.2.1",
+    "google-auth-library": "^10.5.0",
+    "jose": "^6.1.3",
     "open": "^11.0.0",
-    "zod": "^4.0.0"
+    "zod": "^4.3.4"
   },
   "devDependencies": {
-    "@mcp-z/client": "^1.0.0",
-    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@mcp-z/client": "^1.0.4",
+    "@modelcontextprotocol/sdk": "^1.25.1",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.6",
     "@types/mocha": "^10.0.10",
-    "@types/node": "^25.0.2",
-    "cors": "^2.0.0",
+    "@types/node": "^25.0.3",
+    "cors": "^2.8.5",
     "dotenv": "^17.2.3",
     "get-port": "^7.1.0",
     "googleapis": "^169.0.0",
     "keyv": "^5.5.5",
     "keyv-file": "^5.3.3",
-    "node-version-use": "^2.1.6",
-    "ts-dev-stack": "^1.21.3",
-    "tsds-config": "^1.0.0",
+    "node-version-use": "^2.4.7",
+    "ts-dev-stack": "^1.22.1",
+    "tsds-config": "^1.0.4",
     "typescript": "^5.9.3"
   },
   "peerDependencies": {