@mcp-z/oauth-microsoft 1.0.0
- package/LICENSE +21 -0
- package/README.md +98 -0
- package/dist/cjs/index.d.cts +16 -0
- package/dist/cjs/index.d.ts +16 -0
- package/dist/cjs/index.js +112 -0
- package/dist/cjs/index.js.map +1 -0
- package/dist/cjs/lib/dcr-router.d.cts +44 -0
- package/dist/cjs/lib/dcr-router.d.ts +44 -0
- package/dist/cjs/lib/dcr-router.js +1227 -0
- package/dist/cjs/lib/dcr-router.js.map +1 -0
- package/dist/cjs/lib/dcr-utils.d.cts +160 -0
- package/dist/cjs/lib/dcr-utils.d.ts +160 -0
- package/dist/cjs/lib/dcr-utils.js +860 -0
- package/dist/cjs/lib/dcr-utils.js.map +1 -0
- package/dist/cjs/lib/dcr-verify.d.cts +53 -0
- package/dist/cjs/lib/dcr-verify.d.ts +53 -0
- package/dist/cjs/lib/dcr-verify.js +193 -0
- package/dist/cjs/lib/dcr-verify.js.map +1 -0
- package/dist/cjs/lib/fetch-with-timeout.d.cts +14 -0
- package/dist/cjs/lib/fetch-with-timeout.d.ts +14 -0
- package/dist/cjs/lib/fetch-with-timeout.js +257 -0
- package/dist/cjs/lib/fetch-with-timeout.js.map +1 -0
- package/dist/cjs/lib/token-verifier.d.cts +44 -0
- package/dist/cjs/lib/token-verifier.d.ts +44 -0
- package/dist/cjs/lib/token-verifier.js +253 -0
- package/dist/cjs/lib/token-verifier.js.map +1 -0
- package/dist/cjs/package.json +1 -0
- package/dist/cjs/providers/dcr.d.cts +110 -0
- package/dist/cjs/providers/dcr.d.ts +110 -0
- package/dist/cjs/providers/dcr.js +600 -0
- package/dist/cjs/providers/dcr.js.map +1 -0
- package/dist/cjs/providers/device-code.d.cts +179 -0
- package/dist/cjs/providers/device-code.d.ts +179 -0
- package/dist/cjs/providers/device-code.js +896 -0
- package/dist/cjs/providers/device-code.js.map +1 -0
- package/dist/cjs/providers/loopback-oauth.d.cts +125 -0
- package/dist/cjs/providers/loopback-oauth.d.ts +125 -0
- package/dist/cjs/providers/loopback-oauth.js +1325 -0
- package/dist/cjs/providers/loopback-oauth.js.map +1 -0
- package/dist/cjs/schemas/index.d.cts +20 -0
- package/dist/cjs/schemas/index.d.ts +20 -0
- package/dist/cjs/schemas/index.js +37 -0
- package/dist/cjs/schemas/index.js.map +1 -0
- package/dist/cjs/setup/config.d.cts +113 -0
- package/dist/cjs/setup/config.d.ts +113 -0
- package/dist/cjs/setup/config.js +246 -0
- package/dist/cjs/setup/config.js.map +1 -0
- package/dist/cjs/types.d.cts +188 -0
- package/dist/cjs/types.d.ts +188 -0
- package/dist/cjs/types.js +18 -0
- package/dist/cjs/types.js.map +1 -0
- package/dist/esm/index.d.ts +16 -0
- package/dist/esm/index.js +16 -0
- package/dist/esm/index.js.map +1 -0
- package/dist/esm/lib/dcr-router.d.ts +44 -0
- package/dist/esm/lib/dcr-router.js +556 -0
- package/dist/esm/lib/dcr-router.js.map +1 -0
- package/dist/esm/lib/dcr-utils.d.ts +160 -0
- package/dist/esm/lib/dcr-utils.js +270 -0
- package/dist/esm/lib/dcr-utils.js.map +1 -0
- package/dist/esm/lib/dcr-verify.d.ts +53 -0
- package/dist/esm/lib/dcr-verify.js +53 -0
- package/dist/esm/lib/dcr-verify.js.map +1 -0
- package/dist/esm/lib/fetch-with-timeout.d.ts +14 -0
- package/dist/esm/lib/fetch-with-timeout.js +30 -0
- package/dist/esm/lib/fetch-with-timeout.js.map +1 -0
- package/dist/esm/lib/token-verifier.d.ts +44 -0
- package/dist/esm/lib/token-verifier.js +53 -0
- package/dist/esm/lib/token-verifier.js.map +1 -0
- package/dist/esm/package.json +1 -0
- package/dist/esm/providers/dcr.d.ts +110 -0
- package/dist/esm/providers/dcr.js +235 -0
- package/dist/esm/providers/dcr.js.map +1 -0
- package/dist/esm/providers/device-code.d.ts +179 -0
- package/dist/esm/providers/device-code.js +417 -0
- package/dist/esm/providers/device-code.js.map +1 -0
- package/dist/esm/providers/loopback-oauth.d.ts +125 -0
- package/dist/esm/providers/loopback-oauth.js +643 -0
- package/dist/esm/providers/loopback-oauth.js.map +1 -0
- package/dist/esm/schemas/index.d.ts +20 -0
- package/dist/esm/schemas/index.js +18 -0
- package/dist/esm/schemas/index.js.map +1 -0
- package/dist/esm/setup/config.d.ts +113 -0
- package/dist/esm/setup/config.js +268 -0
- package/dist/esm/setup/config.js.map +1 -0
- package/dist/esm/types.d.ts +188 -0
- package/dist/esm/types.js +8 -0
- package/dist/esm/types.js.map +1 -0
- package/package.json +87 -0
|
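--- a/package/dist/cjs/providers/dcr.js
+++ b/package/dist/cjs/providers/dcr.js
@@ -0,0 +1,600 @@
+/**
+* DCR Provider - Stateless Dynamic Client Registration Provider
+*
+* Implements stateless provider pattern where provider tokens are received from
+* token verification context rather than managed by the provider itself.
+*
+* Use case: MCP HTTP servers with DCR authentication where client manages tokens
+* and provider only handles Microsoft Graph API calls with provided credentials.
+*/ "use strict";
+Object.defineProperty(exports, "__esModule", {
+value: true
+});
+Object.defineProperty(exports, "DcrOAuthProvider", {
+enumerable: true,
+get: function() {
+return DcrOAuthProvider;
+}
+});
+var _types = require("@modelcontextprotocol/sdk/types.js");
+var _fetchwithtimeoutts = require("../lib/fetch-with-timeout.js");
+function _array_like_to_array(arr, len) {
+if (len == null || len > arr.length) len = arr.length;
+for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
+return arr2;
+}
+function _array_without_holes(arr) {
+if (Array.isArray(arr)) return _array_like_to_array(arr);
+}
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+try {
+var info = gen[key](arg);
+var value = info.value;
+} catch (error) {
+reject(error);
+return;
+}
+if (info.done) {
+resolve(value);
+} else {
+Promise.resolve(value).then(_next, _throw);
+}
+}
+function _async_to_generator(fn) {
+return function() {
+var self = this, args = arguments;
+return new Promise(function(resolve, reject) {
+var gen = fn.apply(self, args);
+function _next(value) {
+asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+}
+function _throw(err) {
+asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+}
+_next(undefined);
+});
+};
+}
+function _class_call_check(instance, Constructor) {
+if (!(instance instanceof Constructor)) {
+throw new TypeError("Cannot call a class as a function");
+}
+}
+function _define_property(obj, key, value) {
+if (key in obj) {
+Object.defineProperty(obj, key, {
+value: value,
+enumerable: true,
+configurable: true,
+writable: true
+});
+} else {
+obj[key] = value;
+}
+return obj;
+}
+function _instanceof(left, right) {
+if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+return !!right[Symbol.hasInstance](left);
+} else {
+return left instanceof right;
+}
+}
+function _iterable_to_array(iter) {
+if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
+}
+function _non_iterable_spread() {
+throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+function _object_spread(target) {
+for(var i = 1; i < arguments.length; i++){
+var source = arguments[i] != null ? arguments[i] : {};
+var ownKeys = Object.keys(source);
+if (typeof Object.getOwnPropertySymbols === "function") {
+ownKeys = ownKeys.concat(Object.getOwnPropertySymbols(source).filter(function(sym) {
+return Object.getOwnPropertyDescriptor(source, sym).enumerable;
+}));
+}
+ownKeys.forEach(function(key) {
+_define_property(target, key, source[key]);
+});
+}
+return target;
+}
+function ownKeys(object, enumerableOnly) {
+var keys = Object.keys(object);
+if (Object.getOwnPropertySymbols) {
+var symbols = Object.getOwnPropertySymbols(object);
+if (enumerableOnly) {
+symbols = symbols.filter(function(sym) {
+return Object.getOwnPropertyDescriptor(object, sym).enumerable;
+});
+}
+keys.push.apply(keys, symbols);
+}
+return keys;
+}
+function _object_spread_props(target, source) {
+source = source != null ? source : {};
+if (Object.getOwnPropertyDescriptors) {
+Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
+} else {
+ownKeys(Object(source)).forEach(function(key) {
+Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
+});
+}
+return target;
+}
+function _to_consumable_array(arr) {
+return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
+}
+function _type_of(obj) {
+"@swc/helpers - typeof";
+return obj && typeof Symbol !== "undefined" && obj.constructor === Symbol ? "symbol" : typeof obj;
+}
+function _unsupported_iterable_to_array(o, minLen) {
+if (!o) return;
+if (typeof o === "string") return _array_like_to_array(o, minLen);
+var n = Object.prototype.toString.call(o).slice(8, -1);
+if (n === "Object" && o.constructor) n = o.constructor.name;
+if (n === "Map" || n === "Set") return Array.from(n);
+if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+}
+function _ts_generator(thisArg, body) {
+var f, y, t, _ = {
+label: 0,
+sent: function() {
+if (t[0] & 1) throw t[1];
+return t[1];
+},
+trys: [],
+ops: []
+}, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype), d = Object.defineProperty;
+return d(g, "next", {
+value: verb(0)
+}), d(g, "throw", {
+value: verb(1)
+}), d(g, "return", {
+value: verb(2)
+}), typeof Symbol === "function" && d(g, Symbol.iterator, {
+value: function() {
+return this;
+}
+}), g;
+function verb(n) {
+return function(v) {
+return step([
+n,
+v
+]);
+};
+}
+function step(op) {
+if (f) throw new TypeError("Generator is already executing.");
+while(g && (g = 0, op[0] && (_ = 0)), _)try {
+if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+if (y = 0, t) op = [
+op[0] & 2,
+t.value
+];
+switch(op[0]){
+case 0:
+case 1:
+t = op;
+break;
+case 4:
+_.label++;
+return {
+value: op[1],
+done: false
+};
+case 5:
+_.label++;
+y = op[1];
+op = [
+0
+];
+continue;
+case 7:
+op = _.ops.pop();
+_.trys.pop();
+continue;
+default:
+if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+_ = 0;
+continue;
+}
+if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+_.label = op[1];
+break;
+}
+if (op[0] === 6 && _.label < t[1]) {
+_.label = t[1];
+t = op;
+break;
+}
+if (t && _.label < t[2]) {
+_.label = t[2];
+_.ops.push(op);
+break;
+}
+if (t[2]) _.ops.pop();
+_.trys.pop();
+continue;
+}
+op = body.call(thisArg, _);
+} catch (e) {
+op = [
+6,
+e
+];
+y = 0;
+} finally{
+f = t = 0;
+}
+if (op[0] & 5) throw op[1];
+return {
+value: op[0] ? op[1] : void 0,
+done: true
+};
+}
+}
+var DcrOAuthProvider = /*#__PURE__*/ function() {
+"use strict";
+function DcrOAuthProvider(config) {
+_class_call_check(this, DcrOAuthProvider);
+this.emailCache = new Map();
+this.config = config;
+}
+var _proto = DcrOAuthProvider.prototype;
+/**
+* Create Microsoft Graph auth provider from provider tokens
+*
+* This is the core stateless pattern - provider receives tokens from context
+* (token verification, HTTP request) and creates auth provider on-demand.
+*
+* @param tokens - Provider tokens (Microsoft access/refresh tokens)
+* @returns Microsoft Graph-compatible auth provider
+*/ _proto.toAuthProvider = function toAuthProvider(tokens) {
+var _this = this;
+// Capture tokens in closure for auth provider
+var currentTokens = _object_spread({}, tokens);
+return {
+getAccessToken: function() {
+return _async_to_generator(function() {
+var refreshedTokens, error;
+return _ts_generator(this, function(_state) {
+switch(_state.label){
+case 0:
+// Check if token is still valid
+if (this.isTokenValid(currentTokens)) {
+return [
+2,
+currentTokens.accessToken
+];
+}
+if (!currentTokens.refreshToken) return [
+3,
+4
+];
+_state.label = 1;
+case 1:
+_state.trys.push([
+1,
+3,
+,
+4
+]);
+return [
+4,
+this.refreshAccessToken(currentTokens.refreshToken)
+];
+case 2:
+refreshedTokens = _state.sent();
+currentTokens = refreshedTokens;
+return [
+2,
+currentTokens.accessToken
+];
+case 3:
+error = _state.sent();
+throw new Error("Token refresh failed: ".concat(_instanceof(error, Error) ? error.message : String(error)));
+case 4:
+// No refresh token - token expired and cannot refresh
+throw new Error('Access token expired and no refresh token available');
+}
+});
+}).call(_this);
+}
+};
+};
+/**
+* Check if token is still valid (with 1 minute buffer)
+*/ _proto.isTokenValid = function isTokenValid(tokens) {
+if (!tokens.expiresAt) return true; // No expiry = assume valid
+return Date.now() < tokens.expiresAt - 60000; // 1 minute buffer
+};
+/**
+* Refresh Microsoft access token using refresh token
+*
+* @param refreshToken - Microsoft refresh token
+* @returns New provider tokens
+*/ _proto.refreshAccessToken = function refreshAccessToken(refreshToken) {
+return _async_to_generator(function() {
+var _this_config, clientId, clientSecret, tenantId, scope, customTokenUrl, tokenUrl, params, body, response, errorText, tokenResponse;
+return _ts_generator(this, function(_state) {
+switch(_state.label){
+case 0:
+_this_config = this.config, clientId = _this_config.clientId, clientSecret = _this_config.clientSecret, tenantId = _this_config.tenantId, scope = _this_config.scope, customTokenUrl = _this_config.tokenUrl;
+tokenUrl = customTokenUrl !== null && customTokenUrl !== void 0 ? customTokenUrl : "https://login.microsoftonline.com/".concat(tenantId, "/oauth2/v2.0/token");
+params = {
+refresh_token: refreshToken,
+client_id: clientId,
+grant_type: 'refresh_token',
+scope: scope
+};
+// Only include client_secret for confidential clients
+if (clientSecret) {
+params.client_secret = clientSecret;
+}
+body = new URLSearchParams(params);
+return [
+4,
+(0, _fetchwithtimeoutts.fetchWithTimeout)(tokenUrl, {
+method: 'POST',
+headers: {
+'Content-Type': 'application/x-www-form-urlencoded'
+},
+body: body.toString()
+})
+];
+case 1:
+response = _state.sent();
+if (!!response.ok) return [
+3,
+3
+];
+return [
+4,
+response.text()
+];
+case 2:
+errorText = _state.sent();
+throw new Error("Token refresh failed: ".concat(response.status, " ").concat(errorText));
+case 3:
+return [
+4,
+response.json()
+];
+case 4:
+tokenResponse = _state.sent();
+return [
+2,
+_object_spread({
+accessToken: tokenResponse.access_token,
+refreshToken: refreshToken
+}, tokenResponse.expires_in !== undefined && {
+expiresAt: Date.now() + tokenResponse.expires_in * 1000
+}, tokenResponse.scope !== undefined && {
+scope: tokenResponse.scope
+})
+];
+}
+});
+}).call(this);
+};
+/**
+* Get user email from Microsoft Graph API (with caching)
+*
+* @param tokens - Provider tokens to use for API call
+* @returns User's email address
+*/ _proto.getUserEmail = function getUserEmail(tokens) {
+return _async_to_generator(function() {
+var _userInfo_mail, _tokens_expiresAt, cacheKey, cached, auth, accessToken, response, _, _1, _2, userInfo, email;
+return _ts_generator(this, function(_state) {
+switch(_state.label){
+case 0:
+cacheKey = tokens.accessToken;
+cached = this.emailCache.get(cacheKey);
+// Check cache (with same expiry as access token)
+if (cached && Date.now() < cached.expiresAt) {
+return [
+2,
+cached.email
+];
+}
+auth = this.toAuthProvider(tokens);
+return [
+4,
+auth.getAccessToken()
+];
+case 1:
+accessToken = _state.sent();
+return [
+4,
+(0, _fetchwithtimeoutts.fetchWithTimeout)('https://graph.microsoft.com/v1.0/me', {
+headers: {
+Authorization: "Bearer ".concat(accessToken)
+}
+})
+];
+case 2:
+response = _state.sent();
+if (!!response.ok) return [
+3,
+4
+];
+_ = Error.bind;
+_2 = (_1 = "Failed to get user info: ".concat(response.status, " ")).concat;
+return [
+4,
+response.text()
+];
+case 3:
+throw new (_.apply(Error, [
+void 0,
+_2.apply(_1, [
+_state.sent()
+])
+]));
+case 4:
+return [
+4,
+response.json()
+];
+case 5:
+userInfo = _state.sent();
+email = (_userInfo_mail = userInfo.mail) !== null && _userInfo_mail !== void 0 ? _userInfo_mail : userInfo.userPrincipalName;
+// Cache with token expiration (default 1 hour if not specified)
+this.emailCache.set(cacheKey, {
+email: email,
+expiresAt: (_tokens_expiresAt = tokens.expiresAt) !== null && _tokens_expiresAt !== void 0 ? _tokens_expiresAt : Date.now() + 3600000
+});
+return [
+2,
+email
+];
+}
+});
+}).call(this);
+};
+/**
+* Auth middleware for HTTP servers with DCR bearer auth
+* Validates bearer tokens and enriches extra with provider tokens
+*
+* Pattern:
+* ```typescript
+* const provider = new DcrOAuthProvider({ ..., verifyEndpoint: 'http://localhost:3000/oauth/verify' });
+* const middleware = provider.authMiddleware();
+* const tools = toolFactories.map(f => f()).map(middleware.withToolAuth);
+* const resources = resourceFactories.map(f => f()).map(middleware.withResourceAuth);
+* const prompts = promptFactories.map(f => f()).map(middleware.withPromptAuth);
+* ```
+*/ _proto.authMiddleware = function authMiddleware() {
+var _this = this;
+// Shared wrapper logic - extracts extra parameter from specified position
+// Generic T captures the actual module type; handler is cast from unknown to callable
+var wrapAtPosition = function(module, extraPosition) {
+var _this1 = _this;
+var originalHandler = module.handler;
+var wrappedHandler = function() {
+for(var _len = arguments.length, allArgs = new Array(_len), _key = 0; _key < _len; _key++){
+allArgs[_key] = arguments[_key];
+}
+return _async_to_generator(function() {
+var _extra_requestInfo, extra, bearerToken, _ref, authInfo, authHeader, headerValue, match, verifyResponse, verifyData, accountId, error, auth;
+return _ts_generator(this, function(_state) {
+switch(_state.label){
+case 0:
+// Extract extra from the correct position
+extra = allArgs[extraPosition];
+// Option 1: Token already verified by SDK's bearerAuth middleware
+if (extra.authInfo && _type_of(extra.authInfo) === 'object') {
+;
+// authInfo contains the validated token - extract it
+// The SDK's bearerAuth middleware already validated it, but we need the raw token for /oauth/verify
+// Check if authInfo has the token directly, otherwise extract from headers
+authInfo = extra.authInfo;
+bearerToken = (_ref = typeof authInfo.accessToken === 'string' ? authInfo.accessToken : undefined) !== null && _ref !== void 0 ? _ref : typeof authInfo.token === 'string' ? authInfo.token : undefined;
+}
+// Option 2: Extract from Authorization header
+if (!bearerToken && ((_extra_requestInfo = extra.requestInfo) === null || _extra_requestInfo === void 0 ? void 0 : _extra_requestInfo.headers)) {
+authHeader = extra.requestInfo.headers.authorization || extra.requestInfo.headers.Authorization;
+if (authHeader) {
+// Handle both string and string[] types
+headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+if (headerValue) {
+match = /^Bearer\s+(.+)$/i.exec(headerValue);
+if (match) {
+bearerToken = match[1];
+}
+}
+}
+}
+if (!bearerToken) {
+throw new _types.McpError(_types.ErrorCode.InvalidRequest, 'Missing Authorization header. DCR mode requires bearer token.');
+}
+return [
+4,
+(0, _fetchwithtimeoutts.fetchWithTimeout)(this.config.verifyEndpoint, {
+headers: {
+Authorization: "Bearer ".concat(bearerToken)
+}
+})
+];
+case 1:
+verifyResponse = _state.sent();
+if (!verifyResponse.ok) {
+throw new _types.McpError(_types.ErrorCode.InvalidRequest, "Token verification failed: ".concat(verifyResponse.status));
+}
+return [
+4,
+verifyResponse.json()
+];
+case 2:
+verifyData = _state.sent();
+_state.label = 3;
+case 3:
+_state.trys.push([
+3,
+5,
+,
+6
+]);
+return [
+4,
+this.getUserEmail(verifyData.providerTokens)
+];
+case 4:
+accountId = _state.sent();
+return [
+3,
+6
+];
+case 5:
+error = _state.sent();
+throw new _types.McpError(_types.ErrorCode.InternalError, "Failed to get user email for DCR authentication: ".concat(_instanceof(error, Error) ? error.message : String(error)));
+case 6:
+// Create auth provider from provider tokens
+auth = this.toAuthProvider(verifyData.providerTokens);
+// Inject authContext and logger into extra
+extra.authContext = {
+auth: auth,
+accountId: accountId
+};
+extra.logger = this.config.logger;
+return [
+4,
+originalHandler.apply(void 0, _to_consumable_array(allArgs))
+];
+case 7:
+// Call original handler with all args
+return [
+2,
+_state.sent()
+];
+}
+});
+}).call(_this1);
+};
+return _object_spread_props(_object_spread({}, module), {
+handler: wrappedHandler
+});
+};
+return {
+// Use structural constraints to avoid contravariance check on handler type.
+// wrapAtPosition is now generic and returns T directly.
+withToolAuth: function(module) {
+return wrapAtPosition(module, 1);
+},
+withResourceAuth: function(module) {
+return wrapAtPosition(module, 2);
+},
+withPromptAuth: function(module) {
+return wrapAtPosition(module, 0);
+}
+};
+};
+return DcrOAuthProvider;
+}();
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }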
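Review bot: `getUserEmail` keys `emailCache` on the raw `tokens.accessToken` and never removes entries, so a long-running server keeps every bearer token it has seen on the heap and the Map grows without bound; the test `if (cached && Date.now() < cached.expiresAt)` skips stale entries but leaves them in place. Keying the cache on a digest of the token and evicting on a failed expiry test, e.g. `if (cached) this.emailCache.delete(cacheKey);` before the Graph call, would bound both the memory and the lifetime of the secret. Separately, `refreshAccessToken` returns `refreshToken: refreshToken` and ignores any `refresh_token` in the token response, so a rotated refresh token is dropped; in the TypeScript source `refreshToken: tokenResponse.refresh_token ?? refreshToken` would keep it. The failure paths also copy the upstream response body into the thrown message (`"Token refresh failed: ".concat(response.status, " ").concat(errorText)`), and `authMiddleware` folds that message into the `McpError` it returns to the caller; logging the body through `config.logger` and returning only the status would keep identity-provider detail out of client-visible errors.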
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-microsoft/src/providers/dcr.ts"],"sourcesContent":["/**\n * DCR Provider - Stateless Dynamic Client Registration Provider\n *\n * Implements stateless provider pattern where provider tokens are received from\n * token verification context rather than managed by the provider itself.\n *\n * Use case: MCP HTTP servers with DCR authentication where client manages tokens\n * and provider only handles Microsoft Graph API calls with provided credentials.\n */\n\nimport type { ProviderTokens } from '@mcp-z/oauth';\nimport { ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';\nimport { fetchWithTimeout } from '../lib/fetch-with-timeout.ts';\nimport type { AuthContext, EnrichedExtra, Logger, MicrosoftAuthProvider } from '../types.ts';\n\n/**\n * DCR Provider configuration\n */\nexport interface DcrOAuthProviderConfig {\n /** Microsoft application client ID */\n clientId: string;\n\n /** Microsoft application client secret (optional for public clients) */\n clientSecret?: string;\n\n /** Azure AD tenant ID */\n tenantId: string;\n\n /** OAuth scopes */\n scope: string;\n\n /** Custom token endpoint URL (for testing, defaults to Microsoft OAuth endpoint) */\n tokenUrl?: string;\n\n /** DCR token verification endpoint URL (e.g., http://localhost:3000/oauth/verify) */\n verifyEndpoint: string;\n\n /** Logger for auth operations */\n logger: Logger;\n}\n\n/**\n * Microsoft Graph TokenResponse\n */\ninterface TokenResponse {\n access_token: string;\n refresh_token?: string;\n expires_in?: number;\n scope?: string;\n token_type?: string;\n}\n\n/**\n * DCR Provider - Stateless OAuth provider for Dynamic Client Registration\n *\n * Unlike LoopbackOAuthProvider which manages token storage, DcrOAuthProvider is stateless:\n * - Receives provider tokens from verification context (HTTP bearer auth)\n * - Creates auth providers on-demand from tokens\n * - Handles token refresh using Microsoft OAuth\n * - 
No token storage dependency\n *\n * Pattern:\n * ```typescript\n * const provider = new DcrOAuthProvider(config);\n * const auth = provider.toAuthProvider(providerTokens);\n * const accessToken = await auth.getAccessToken();\n * ```\n */\nexport class DcrOAuthProvider {\n private config: DcrOAuthProviderConfig;\n private emailCache = new Map<string, { email: string; expiresAt: number }>();\n\n constructor(config: DcrOAuthProviderConfig) {\n this.config = config;\n }\n\n /**\n * Create Microsoft Graph auth provider from provider tokens\n *\n * This is the core stateless pattern - provider receives tokens from context\n * (token verification, HTTP request) and creates auth provider on-demand.\n *\n * @param tokens - Provider tokens (Microsoft access/refresh tokens)\n * @returns Microsoft Graph-compatible auth provider\n */\n toAuthProvider(tokens: ProviderTokens): MicrosoftAuthProvider {\n // Capture tokens in closure for auth provider\n let currentTokens = { ...tokens };\n\n return {\n getAccessToken: async (): Promise<string> => {\n // Check if token is still valid\n if (this.isTokenValid(currentTokens)) {\n return currentTokens.accessToken;\n }\n\n // Token expired - try refresh if available\n if (currentTokens.refreshToken) {\n try {\n const refreshedTokens = await this.refreshAccessToken(currentTokens.refreshToken);\n currentTokens = refreshedTokens;\n return currentTokens.accessToken;\n } catch (error) {\n throw new Error(`Token refresh failed: ${error instanceof Error ? 
error.message : String(error)}`);\n }\n }\n\n // No refresh token - token expired and cannot refresh\n throw new Error('Access token expired and no refresh token available');\n },\n };\n }\n\n /**\n * Check if token is still valid (with 1 minute buffer)\n */\n private isTokenValid(tokens: ProviderTokens): boolean {\n if (!tokens.expiresAt) return true; // No expiry = assume valid\n return Date.now() < tokens.expiresAt - 60000; // 1 minute buffer\n }\n\n /**\n * Refresh Microsoft access token using refresh token\n *\n * @param refreshToken - Microsoft refresh token\n * @returns New provider tokens\n */\n async refreshAccessToken(refreshToken: string): Promise<ProviderTokens> {\n const { clientId, clientSecret, tenantId, scope, tokenUrl: customTokenUrl } = this.config;\n\n const tokenUrl = customTokenUrl ?? `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;\n const params: Record<string, string> = {\n refresh_token: refreshToken,\n client_id: clientId,\n grant_type: 'refresh_token',\n scope,\n };\n\n // Only include client_secret for confidential clients\n if (clientSecret) {\n params.client_secret = clientSecret;\n }\n\n const body = new URLSearchParams(params);\n\n const response = await fetchWithTimeout(tokenUrl, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n body: body.toString(),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`Token refresh failed: ${response.status} ${errorText}`);\n }\n\n const tokenResponse = (await response.json()) as TokenResponse;\n\n return {\n accessToken: tokenResponse.access_token,\n refreshToken: refreshToken, // Keep original refresh token\n ...(tokenResponse.expires_in !== undefined && { expiresAt: Date.now() + tokenResponse.expires_in * 1000 }),\n ...(tokenResponse.scope !== undefined && { scope: tokenResponse.scope }),\n };\n }\n\n /**\n * Get user email from Microsoft Graph API (with caching)\n *\n * @param tokens - 
Provider tokens to use for API call\n * @returns User's email address\n */\n async getUserEmail(tokens: ProviderTokens): Promise<string> {\n const cacheKey = tokens.accessToken;\n const cached = this.emailCache.get(cacheKey);\n\n // Check cache (with same expiry as access token)\n if (cached && Date.now() < cached.expiresAt) {\n return cached.email;\n }\n\n const auth = this.toAuthProvider(tokens);\n const accessToken = await auth.getAccessToken();\n\n const response = await fetchWithTimeout('https://graph.microsoft.com/v1.0/me', {\n headers: {\n Authorization: `Bearer ${accessToken}`,\n },\n });\n\n if (!response.ok) {\n throw new Error(`Failed to get user info: ${response.status} ${await response.text()}`);\n }\n\n const userInfo = (await response.json()) as { mail?: string; userPrincipalName: string };\n const email = userInfo.mail ?? userInfo.userPrincipalName;\n\n // Cache with token expiration (default 1 hour if not specified)\n this.emailCache.set(cacheKey, {\n email,\n expiresAt: tokens.expiresAt ?? 
Date.now() + 3600000,\n });\n\n return email;\n }\n\n /**\n * Auth middleware for HTTP servers with DCR bearer auth\n * Validates bearer tokens and enriches extra with provider tokens\n *\n * Pattern:\n * ```typescript\n * const provider = new DcrOAuthProvider({ ..., verifyEndpoint: 'http://localhost:3000/oauth/verify' });\n * const middleware = provider.authMiddleware();\n * const tools = toolFactories.map(f => f()).map(middleware.withToolAuth);\n * const resources = resourceFactories.map(f => f()).map(middleware.withResourceAuth);\n * const prompts = promptFactories.map(f => f()).map(middleware.withPromptAuth);\n * ```\n */\n authMiddleware() {\n // Shared wrapper logic - extracts extra parameter from specified position\n // Generic T captures the actual module type; handler is cast from unknown to callable\n const wrapAtPosition = <T extends { name: string; handler: unknown; [key: string]: unknown }>(module: T, extraPosition: number): T => {\n const originalHandler = module.handler as (...args: unknown[]) => Promise<unknown>;\n\n const wrappedHandler = async (...allArgs: unknown[]) => {\n // Extract extra from the correct position\n const extra = allArgs[extraPosition] as EnrichedExtra;\n\n // Extract DCR bearer token from SDK's authInfo (if present) or request headers\n let bearerToken: string | undefined;\n\n // Option 1: Token already verified by SDK's bearerAuth middleware\n if (extra.authInfo && typeof extra.authInfo === 'object') {\n // authInfo contains the validated token - extract it\n // The SDK's bearerAuth middleware already validated it, but we need the raw token for /oauth/verify\n // Check if authInfo has the token directly, otherwise extract from headers\n const authInfo = extra.authInfo as unknown as Record<string, unknown>;\n bearerToken = (typeof authInfo.accessToken === 'string' ? authInfo.accessToken : undefined) ?? (typeof authInfo.token === 'string' ? 
authInfo.token : undefined);\n }\n\n // Option 2: Extract from Authorization header\n if (!bearerToken && extra.requestInfo?.headers) {\n const authHeader = extra.requestInfo.headers.authorization || extra.requestInfo.headers.Authorization;\n if (authHeader) {\n // Handle both string and string[] types\n const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n if (headerValue) {\n const match = /^Bearer\\s+(.+)$/i.exec(headerValue);\n if (match) {\n bearerToken = match[1];\n }\n }\n }\n }\n\n if (!bearerToken) {\n throw new McpError(ErrorCode.InvalidRequest, 'Missing Authorization header. DCR mode requires bearer token.');\n }\n\n // Call /oauth/verify to validate DCR token and get provider tokens\n const verifyResponse = await fetchWithTimeout(this.config.verifyEndpoint, {\n headers: { Authorization: `Bearer ${bearerToken}` },\n });\n\n if (!verifyResponse.ok) {\n throw new McpError(ErrorCode.InvalidRequest, `Token verification failed: ${verifyResponse.status}`);\n }\n\n const verifyData = (await verifyResponse.json()) as {\n providerTokens: ProviderTokens;\n };\n\n // Fetch user email to use as accountId (with caching)\n let accountId: string;\n try {\n accountId = await this.getUserEmail(verifyData.providerTokens);\n } catch (error) {\n throw new McpError(ErrorCode.InternalError, `Failed to get user email for DCR authentication: ${error instanceof Error ? 
error.message : String(error)}`);\n }\n\n // Create auth provider from provider tokens\n const auth = this.toAuthProvider(verifyData.providerTokens);\n\n // Inject authContext and logger into extra\n (extra as { authContext?: AuthContext }).authContext = {\n auth,\n accountId, // User's email address\n };\n (extra as { logger?: unknown }).logger = this.config.logger;\n\n // Call original handler with all args\n return await originalHandler(...allArgs);\n };\n\n return {\n ...module,\n handler: wrappedHandler,\n } as T;\n };\n\n return {\n // Use structural constraints to avoid contravariance check on handler type.\n // wrapAtPosition is now generic and returns T directly.\n withToolAuth: <T extends { name: string; config: unknown; handler: unknown }>(module: T) => wrapAtPosition(module, 1),\n withResourceAuth: <T extends { name: string; template?: unknown; config?: unknown; handler: unknown }>(module: T) => wrapAtPosition(module, 2),\n withPromptAuth: <T extends { name: string; config: unknown; handler: unknown }>(module: T) => wrapAtPosition(module, 0),\n };\n 
}\n}\n"],"names":["DcrOAuthProvider","config","emailCache","Map","toAuthProvider","tokens","currentTokens","getAccessToken","refreshedTokens","error","isTokenValid","accessToken","refreshToken","refreshAccessToken","Error","message","String","expiresAt","Date","now","clientId","clientSecret","tenantId","scope","customTokenUrl","tokenUrl","params","body","response","errorText","tokenResponse","refresh_token","client_id","grant_type","client_secret","URLSearchParams","fetchWithTimeout","method","headers","toString","ok","text","status","json","access_token","expires_in","undefined","getUserEmail","userInfo","cacheKey","cached","auth","email","get","Authorization","mail","userPrincipalName","set","authMiddleware","wrapAtPosition","module","extraPosition","originalHandler","handler","wrappedHandler","allArgs","extra","bearerToken","authInfo","authHeader","headerValue","match","verifyResponse","verifyData","accountId","token","requestInfo","authorization","Array","isArray","exec","McpError","ErrorCode","InvalidRequest","verifyEndpoint","providerTokens","InternalError","authContext","logger","withToolAuth","withResourceAuth","withPromptAuth"],"mappings":"AAAA;;;;;;;;CAQC;;;;+BA4DYA;;;eAAAA;;;qBAzDuB;kCACH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwD1B,IAAA,AAAMA,iCAAN;;aAAMA,iBAICC,MAA8B;gCAJ/BD;aAEHE,aAAa,IAAIC;QAGvB,IAAI,CAACF,MAAM,GAAGA;;iBALLD;IAQX;;;;;;;;GAQC,GACDI,OAAAA,cA0BC,GA1BDA,SAAAA,eAAeC,MAAsB;;QACnC,8CAA8C;QAC9C,IAAIC,gBAAgB,mBAAKD;QAEzB,OAAO;YACLE,gBAAgB;;wBASJC,iBAGCC;;;;gCAXX,gCAAgC;gCAChC,IAAI,IAAI,CAACC,YAAY,CAACJ,gBAAgB;oCACpC;;wCAAOA,cAAcK,WAAW;;gCAClC;qCAGIL,cAAcM,YAAY,EAA1BN;;;;;;;;;;;;gCAEwB;;oCAAM,IAAI,CAACO,kBAAkB,CAACP,cAAcM,YAAY;;;gCAA1EJ,kBAAkB;gCACxBF,gBAAgBE;gCAChB;;oCAAOF,cAAcK,WAAW;;;gCACzBF;gCACP,MAAM,IAAIK,MAAM,AAAC,yBAA+E,OAAvDL,AAAK,YAALA,OAAiBK,SAAQL,MAAMM,
OAAO,GAAGC,OAAOP;;gCAI7F,sDAAsD;gCACtD,MAAM,IAAIK,MAAM;;;gBAClB;;QACF;IACF;IAEA;;GAEC,GACD,OAAQJ,YAGP,GAHD,SAAQA,aAAaL,MAAsB;QACzC,IAAI,CAACA,OAAOY,SAAS,EAAE,OAAO,MAAM,2BAA2B;QAC/D,OAAOC,KAAKC,GAAG,KAAKd,OAAOY,SAAS,GAAG,OAAO,kBAAkB;IAClE;IAEA;;;;;GAKC,GACD,OAAMJ,kBAuCL,GAvCD,SAAMA,mBAAmBD,YAAoB;;gBACmC,cAAtEQ,UAAUC,cAAcC,UAAUC,OAAiBC,gBAErDC,UACAC,QAYAC,MAEAC,UASEC,WAIFC;;;;wBA9BwE,eAAA,IAAI,CAAC7B,MAAM,EAAjFmB,WAAsE,aAAtEA,UAAUC,eAA4D,aAA5DA,cAAcC,WAA8C,aAA9CA,UAAUC,QAAoC,aAApCA,OAAiBC,iBAAmB,aAA7BC;wBAE3CA,WAAWD,2BAAAA,4BAAAA,iBAAkB,AAAC,qCAA6C,OAATF,UAAS;wBAC3EI,SAAiC;4BACrCK,eAAenB;4BACfoB,WAAWZ;4BACXa,YAAY;4BACZV,OAAAA;wBACF;wBAEA,sDAAsD;wBACtD,IAAIF,cAAc;4BAChBK,OAAOQ,aAAa,GAAGb;wBACzB;wBAEMM,OAAO,IAAIQ,gBAAgBT;wBAEhB;;4BAAMU,IAAAA,oCAAgB,EAACX,UAAU;gCAChDY,QAAQ;gCACRC,SAAS;oCACP,gBAAgB;gCAClB;gCACAX,MAAMA,KAAKY,QAAQ;4BACrB;;;wBANMX,WAAW;6BAQb,CAACA,SAASY,EAAE,EAAZ;;;;wBACgB;;4BAAMZ,SAASa,IAAI;;;wBAA/BZ,YAAY;wBAClB,MAAM,IAAIf,MAAM,AAAC,yBAA2Ce,OAAnBD,SAASc,MAAM,EAAC,KAAa,OAAVb;;wBAGvC;;4BAAMD,SAASe,IAAI;;;wBAApCb,gBAAiB;wBAEvB;;4BAAO;gCACLnB,aAAamB,cAAcc,YAAY;gCACvChC,cAAcA;+BACVkB,cAAce,UAAU,KAAKC,aAAa;gCAAE7B,WAAWC,KAAKC,GAAG,KAAKW,cAAce,UAAU,GAAG;4BAAK,GACpGf,cAAcP,KAAK,KAAKuB,aAAa;gCAAEvB,OAAOO,cAAcP,KAAK;4BAAC;;;;QAE1E;;IAEA;;;;;GAKC,GACD,OAAMwB,YAgCL,GAhCD,SAAMA,aAAa1C,MAAsB;;gBAuBzB2C,gBAKD3C,mBA3BP4C,UACAC,QAOAC,MACAxC,aAEAiB,qBAUAoB,UACAI;;;;wBAtBAH,WAAW5C,OAAOM,WAAW;wBAC7BuC,SAAS,IAAI,CAAChD,UAAU,CAACmD,GAAG,CAACJ;wBAEnC,iDAAiD;wBACjD,IAAIC,UAAUhC,KAAKC,GAAG,KAAK+B,OAAOjC,SAAS,EAAE;4BAC3C;;gCAAOiC,OAAOE,KAAK;;wBACrB;wBAEMD,OAAO,IAAI,CAAC/C,cAAc,CAACC;wBACb;;4BAAM8C,KAAK5C,cAAc;;;wBAAvCI,cAAc;wBAEH;;4BAAMyB,IAAAA,oCAAgB,EAAC,uCAAuC;gCAC7EE,SAAS;oCACPgB,eAAe,AAAC,UAAqB,OAAZ3C;gCAC3B;4BACF;;;wBAJMiB,WAAW;6BAMb,CAACA,SAASY,EAAE,EAAZ;;;;4BACQ1B;mCAAM,AAAC,4BAA8C,OAAnBc,SAASc,MAAM,EAAC,MAAyB;wBAAtB;;4BAAMd,SAASa,IAAI;;;wBAAlF,MAAM,IAAA,CAAA,EAAA,MAAI3B;;4BAAM;gCAA+C;;0BAAuB;;wBAGtE;;4BAAMc,SAASe,IAAI;;;wBAA/BK,WAAY;wBACZI,SAAQJ,iBAAAA,SAASO,IAAI,cAAbP,4BAA
AA,iBAAiBA,SAASQ,iBAAiB;wBAEzD,gEAAgE;wBAChE,IAAI,CAACtD,UAAU,CAACuD,GAAG,CAACR,UAAU;4BAC5BG,OAAAA;4BACAnC,SAAS,GAAEZ,oBAAAA,OAAOY,SAAS,cAAhBZ,+BAAAA,oBAAoBa,KAAKC,GAAG,KAAK;wBAC9C;wBAEA;;4BAAOiC;;;;QACT;;IAEA;;;;;;;;;;;;GAYC,GACDM,OAAAA,cAyFC,GAzFDA,SAAAA;;QACE,0EAA0E;QAC1E,sFAAsF;QACtF,IAAMC,iBAAiB,SAAuEC,QAAWC;;YACvG,IAAMC,kBAAkBF,OAAOG,OAAO;YAEtC,IAAMC,iBAAiB;iDAAUC;oBAAAA;;;wBAiBXC,oBAfdA,OAGFC,aAQa,MADTC,UAMAC,YAGEC,aAEEC,OAaNC,gBAQAC,YAKFC,WAGKjE,OAKH0C;;;;gCAxDN,0CAA0C;gCACpCe,QAAQD,OAAO,CAACJ,cAAc;gCAKpC,kEAAkE;gCAClE,IAAIK,MAAME,QAAQ,IAAI,SAAOF,MAAME,QAAQ,MAAK,UAAU;;oCACxD,qDAAqD;oCACrD,oGAAoG;oCACpG,2EAA2E;oCACrEA,WAAWF,MAAME,QAAQ;oCAC/BD,eAAe,OAAA,OAAOC,SAASzD,WAAW,KAAK,WAAWyD,SAASzD,WAAW,GAAGmC,uBAAlE,kBAAA,OAAiF,OAAOsB,SAASO,KAAK,KAAK,WAAWP,SAASO,KAAK,GAAG7B;gCACxJ;gCAEA,8CAA8C;gCAC9C,IAAI,CAACqB,iBAAeD,qBAAAA,MAAMU,WAAW,cAAjBV,yCAAAA,mBAAmB5B,OAAO,GAAE;oCACxC+B,aAAaH,MAAMU,WAAW,CAACtC,OAAO,CAACuC,aAAa,IAAIX,MAAMU,WAAW,CAACtC,OAAO,CAACgB,aAAa;oCACrG,IAAIe,YAAY;wCACd,wCAAwC;wCAClCC,cAAcQ,MAAMC,OAAO,CAACV,cAAcA,UAAU,CAAC,EAAE,GAAGA;wCAChE,IAAIC,aAAa;4CACTC,QAAQ,mBAAmBS,IAAI,CAACV;4CACtC,IAAIC,OAAO;gDACTJ,cAAcI,KAAK,CAAC,EAAE;4CACxB;wCACF;oCACF;gCACF;gCAEA,IAAI,CAACJ,aAAa;oCAChB,MAAM,IAAIc,eAAQ,CAACC,gBAAS,CAACC,cAAc,EAAE;gCAC/C;gCAGuB;;oCAAM/C,IAAAA,oCAAgB,EAAC,IAAI,CAACnC,MAAM,CAACmF,cAAc,EAAE;wCACxE9C,SAAS;4CAAEgB,eAAe,AAAC,UAAqB,OAAZa;wCAAc;oCACpD;;;gCAFMK,iBAAiB;gCAIvB,IAAI,CAACA,eAAehC,EAAE,EAAE;oCACtB,MAAM,IAAIyC,eAAQ,CAACC,gBAAS,CAACC,cAAc,EAAE,AAAC,8BAAmD,OAAtBX,eAAe9B,MAAM;gCAClG;gCAEoB;;oCAAM8B,eAAe7B,IAAI;;;gCAAvC8B,aAAc;;;;;;;;;gCAON;;oCAAM,IAAI,CAAC1B,YAAY,CAAC0B,WAAWY,cAAc;;;gCAA7DX,YAAY;;;;;;gCACLjE;gCACP,MAAM,IAAIwE,eAAQ,CAACC,gBAAS,CAACI,aAAa,EAAE,AAAC,oDAA0G,OAAvD7E,AAAK,YAALA,OAAiBK,SAAQL,MAAMM,OAAO,GAAGC,OAAOP;;gCAGlJ,4CAA4C;gCACtC0C,OAAO,IAAI,CAAC/C,cAAc,CAACqE,WAAWY,cAAc;gCAE1D,2CAA2C;gCAC1CnB,MAAwCqB,WAAW,GAAG;oCACrDpC,MAAAA;oCACAuB,WAAAA;gCACF;gCACCR,MAA+BsB,MAAM,GAAG,IAAI,CAACvF,MAAM,CAACuF,MAAM;gCAGpD;;oCAAM1B,sBAAAA,KAAAA,GAAgB
,qBAAGG;;;gCADhC,sCAAsC;gCACtC;;oCAAO;;;;gBACT;;YAEA,OAAO,wCACFL;gBACHG,SAASC;;QAEb;QAEA,OAAO;YACL,4EAA4E;YAC5E,wDAAwD;YACxDyB,cAAc,SAAgE7B;uBAAcD,eAAeC,QAAQ;;YACnH8B,kBAAkB,SAAqF9B;uBAAcD,eAAeC,QAAQ;;YAC5I+B,gBAAgB,SAAgE/B;uBAAcD,eAAeC,QAAQ;;QACvH;IACF;WAlPW5D"}
|