@mcp-z/oauth-microsoft 1.0.0 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -0
- package/dist/cjs/index.d.cts +2 -1
- package/dist/cjs/index.d.ts +2 -1
- package/dist/cjs/index.js +4 -0
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/lib/dcr-router.js.map +1 -1
- package/dist/cjs/lib/dcr-utils.js.map +1 -1
- package/dist/cjs/lib/dcr-verify.js.map +1 -1
- package/dist/cjs/lib/fetch-with-timeout.js.map +1 -1
- package/dist/cjs/lib/loopback-router.d.cts +8 -0
- package/dist/cjs/lib/loopback-router.d.ts +8 -0
- package/dist/cjs/lib/loopback-router.js +219 -0
- package/dist/cjs/lib/loopback-router.js.map +1 -0
- package/dist/cjs/lib/token-verifier.js.map +1 -1
- package/dist/cjs/providers/dcr.js.map +1 -1
- package/dist/cjs/providers/device-code.js.map +1 -1
- package/dist/cjs/providers/loopback-oauth.d.cts +93 -18
- package/dist/cjs/providers/loopback-oauth.d.ts +93 -18
- package/dist/cjs/providers/loopback-oauth.js +877 -491
- package/dist/cjs/providers/loopback-oauth.js.map +1 -1
- package/dist/cjs/schemas/index.js +1 -1
- package/dist/cjs/schemas/index.js.map +1 -1
- package/dist/cjs/setup/config.d.cts +4 -1
- package/dist/cjs/setup/config.d.ts +4 -1
- package/dist/cjs/setup/config.js +7 -4
- package/dist/cjs/setup/config.js.map +1 -1
- package/dist/cjs/types.js.map +1 -1
- package/dist/esm/index.d.ts +2 -1
- package/dist/esm/index.js +1 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/lib/dcr-router.js.map +1 -1
- package/dist/esm/lib/dcr-utils.js.map +1 -1
- package/dist/esm/lib/dcr-verify.js.map +1 -1
- package/dist/esm/lib/fetch-with-timeout.js.map +1 -1
- package/dist/esm/lib/loopback-router.d.ts +8 -0
- package/dist/esm/lib/loopback-router.js +32 -0
- package/dist/esm/lib/loopback-router.js.map +1 -0
- package/dist/esm/lib/token-verifier.js.map +1 -1
- package/dist/esm/providers/dcr.js.map +1 -1
- package/dist/esm/providers/device-code.js +2 -2
- package/dist/esm/providers/device-code.js.map +1 -1
- package/dist/esm/providers/loopback-oauth.d.ts +93 -18
- package/dist/esm/providers/loopback-oauth.js +470 -289
- package/dist/esm/providers/loopback-oauth.js.map +1 -1
- package/dist/esm/schemas/index.js +1 -1
- package/dist/esm/schemas/index.js.map +1 -1
- package/dist/esm/setup/config.d.ts +4 -1
- package/dist/esm/setup/config.js +7 -4
- package/dist/esm/setup/config.js.map +1 -1
- package/dist/esm/types.js.map +1 -1
- package/package.json +1 -1
|
@@ -13,9 +13,19 @@
|
|
|
13
13
|
* 5. Handle callback, exchange code for token
|
|
14
14
|
* 6. Cache token to storage
|
|
15
15
|
* 7. Close ephemeral server
|
|
16
|
+
*
|
|
17
|
+
* CHANGE (2026-01-03):
|
|
18
|
+
* - Non-headless mode now opens the auth URL AND blocks (polls) until tokens are available,
|
|
19
|
+
* for BOTH redirectUri (persistent) and ephemeral (loopback) modes.
|
|
20
|
+
* - Ephemeral flow no longer calls `open()` itself. Instead it:
|
|
21
|
+
* 1) starts the loopback callback server
|
|
22
|
+
* 2) throws AuthRequiredError(auth_url)
|
|
23
|
+
* - Middleware catches AuthRequiredError(auth_url):
|
|
24
|
+
* - if not headless: open(url) once + poll pending state until callback completes (or timeout)
|
|
25
|
+
* - then retries token acquisition and injects authContext in the SAME tool call.
|
|
16
26
|
*/
|
|
17
27
|
import { type OAuth2TokenStorageProvider } from '@mcp-z/oauth';
|
|
18
|
-
import { type LoopbackOAuthConfig } from '../types.js';
|
|
28
|
+
import { type CachedToken, type LoopbackOAuthConfig } from '../types.js';
|
|
19
29
|
/**
|
|
20
30
|
* Loopback OAuth Client (RFC 8252 Section 7.3)
|
|
21
31
|
*
|
|
@@ -27,6 +37,7 @@ import { type LoopbackOAuthConfig } from '../types.js';
|
|
|
27
37
|
*/
|
|
28
38
|
export declare class LoopbackOAuthProvider implements OAuth2TokenStorageProvider {
|
|
29
39
|
private config;
|
|
40
|
+
private openedStates;
|
|
30
41
|
constructor(config: LoopbackOAuthConfig);
|
|
31
42
|
/**
|
|
32
43
|
* Get access token from Keyv using compound key
|
|
@@ -44,14 +55,6 @@ export declare class LoopbackOAuthProvider implements OAuth2TokenStorageProvider
|
|
|
44
55
|
toAuthProvider(accountId?: string): {
|
|
45
56
|
getAccessToken: () => Promise<string>;
|
|
46
57
|
};
|
|
47
|
-
/**
|
|
48
|
-
* Authenticate new account with OAuth flow
|
|
49
|
-
* Triggers account selection, stores token, registers account
|
|
50
|
-
*
|
|
51
|
-
* @returns Email address of newly authenticated account
|
|
52
|
-
* @throws Error in headless mode (cannot open browser for OAuth)
|
|
53
|
-
*/
|
|
54
|
-
authenticateNewAccount(): Promise<string>;
|
|
55
58
|
/**
|
|
56
59
|
* Get user email from Microsoft Graph API (pure query)
|
|
57
60
|
* Used to query email for existing authenticated account
|
|
@@ -60,14 +63,6 @@ export declare class LoopbackOAuthProvider implements OAuth2TokenStorageProvider
|
|
|
60
63
|
* @returns User's email address
|
|
61
64
|
*/
|
|
62
65
|
getUserEmail(accountId?: string): Promise<string>;
|
|
63
|
-
/**
|
|
64
|
-
* Check for existing accounts in token storage (incremental OAuth detection)
|
|
65
|
-
*
|
|
66
|
-
* Uses key-utils helper for forward compatibility with key format changes.
|
|
67
|
-
*
|
|
68
|
-
* @returns Array of account IDs that have tokens for this service
|
|
69
|
-
*/
|
|
70
|
-
private getExistingAccounts;
|
|
71
66
|
private isTokenValid;
|
|
72
67
|
/**
|
|
73
68
|
* Fetch user email from Microsoft Graph using access token
|
|
@@ -77,9 +72,89 @@ export declare class LoopbackOAuthProvider implements OAuth2TokenStorageProvider
|
|
|
77
72
|
* @returns User's email address (mail field or userPrincipalName fallback)
|
|
78
73
|
*/
|
|
79
74
|
private fetchUserEmailFromToken;
|
|
80
|
-
|
|
75
|
+
/**
|
|
76
|
+
* Build Microsoft OAuth authorization URL with the "most parameters" baseline.
|
|
77
|
+
* This is shared by BOTH persistent (redirectUri) and ephemeral (loopback) modes.
|
|
78
|
+
*/
|
|
79
|
+
private buildAuthUrl;
|
|
80
|
+
/**
|
|
81
|
+
* Create a cached token + email from an authorization code.
|
|
82
|
+
* This is the shared callback handler for BOTH persistent and ephemeral modes.
|
|
83
|
+
*/
|
|
84
|
+
private handleAuthorizationCode;
|
|
85
|
+
/**
|
|
86
|
+
* Store token + account metadata. Shared by BOTH persistent and ephemeral modes.
|
|
87
|
+
*/
|
|
88
|
+
private persistAuthResult;
|
|
89
|
+
/**
|
|
90
|
+
* Pending auth (PKCE verifier) key format.
|
|
91
|
+
*/
|
|
92
|
+
private pendingKey;
|
|
93
|
+
/**
|
|
94
|
+
* Store PKCE verifier for callback (5 minute TTL).
|
|
95
|
+
* Shared by BOTH persistent and ephemeral modes.
|
|
96
|
+
*/
|
|
97
|
+
private createPendingAuth;
|
|
98
|
+
/**
|
|
99
|
+
* Load and validate pending auth state (5 minute TTL).
|
|
100
|
+
* Shared by BOTH persistent and ephemeral modes.
|
|
101
|
+
*/
|
|
102
|
+
private readAndValidatePendingAuth;
|
|
103
|
+
/**
|
|
104
|
+
* Mark pending auth as completed (used by middleware polling).
|
|
105
|
+
*/
|
|
106
|
+
private markPendingComplete;
|
|
107
|
+
/**
|
|
108
|
+
* Clean up pending auth state.
|
|
109
|
+
*/
|
|
110
|
+
private deletePendingAuth;
|
|
111
|
+
/**
|
|
112
|
+
* Wait until pending auth is marked completed (or timeout).
|
|
113
|
+
* Used by middleware after opening auth URL in non-headless mode.
|
|
114
|
+
*/
|
|
115
|
+
private waitForOAuthCompletion;
|
|
116
|
+
/**
|
|
117
|
+
* Process an OAuth callback using shared state validation + token exchange + persistence.
|
|
118
|
+
* Used by BOTH:
|
|
119
|
+
* - ephemeral loopback server callback handler
|
|
120
|
+
* - persistent redirectUri callback handler
|
|
121
|
+
*
|
|
122
|
+
* IMPORTANT CHANGE:
|
|
123
|
+
* - We do NOT delete pending state here anymore.
|
|
124
|
+
* - We mark it completed so middleware can poll and then clean it up.
|
|
125
|
+
*/
|
|
126
|
+
private processOAuthCallback;
|
|
127
|
+
/**
|
|
128
|
+
* Loopback OAuth server helper (RFC 8252 Section 7.3)
|
|
129
|
+
*
|
|
130
|
+
* Implements ephemeral local server with OS-assigned port (RFC 8252 Section 8.3).
|
|
131
|
+
* Shared callback handling uses:
|
|
132
|
+
* - the same authUrl builder as redirectUri mode
|
|
133
|
+
* - the same pending PKCE verifier storage as redirectUri mode
|
|
134
|
+
* - the same callback processor as redirectUri mode
|
|
135
|
+
*/
|
|
136
|
+
private createOAuthCallbackServer;
|
|
137
|
+
/**
|
|
138
|
+
* Starts the ephemeral loopback server and returns an AuthRequiredError(auth_url).
|
|
139
|
+
* Middleware will open+poll and then retry in the same call.
|
|
140
|
+
*/
|
|
141
|
+
private startEphemeralOAuthFlow;
|
|
81
142
|
private exchangeCodeForToken;
|
|
82
143
|
private refreshAccessToken;
|
|
144
|
+
/**
|
|
145
|
+
* Handle OAuth callback from persistent endpoint.
|
|
146
|
+
* Used by HTTP servers with configured redirectUri.
|
|
147
|
+
*
|
|
148
|
+
* @param params - OAuth callback parameters
|
|
149
|
+
* @returns Email and cached token
|
|
150
|
+
*/
|
|
151
|
+
handleOAuthCallback(params: {
|
|
152
|
+
code: string;
|
|
153
|
+
state?: string;
|
|
154
|
+
}): Promise<{
|
|
155
|
+
email: string;
|
|
156
|
+
token: CachedToken;
|
|
157
|
+
}>;
|
|
83
158
|
/**
|
|
84
159
|
* Create auth middleware for single-user context (single active account per service)
|
|
85
160
|
*
|