npm - @mcp-z/oauth-microsoft - Versions diffs - 1.0.3 → 1.0.5 - Mend

@mcp-z/oauth-microsoft 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/cjs/lib/dcr-router.js +15 -0
package/dist/cjs/lib/dcr-router.js.map +1 -1
package/dist/cjs/lib/dcr-utils.js +7 -4
package/dist/cjs/lib/dcr-utils.js.map +1 -1
package/dist/esm/lib/dcr-router.js +15 -0
package/dist/esm/lib/dcr-router.js.map +1 -1
package/dist/esm/lib/dcr-utils.js +7 -4
package/dist/esm/lib/dcr-utils.js.map +1 -1
package/package.json +10 -11

package/dist/cjs/lib/dcr-router.js CHANGED Viewed

@@ -309,6 +309,21 @@ function _ts_generator(thisArg, body) {
 function createDcrRouter(config) {
     var router = _express.default.Router();
     var store = config.store, issuerUrl = config.issuerUrl, baseUrl = config.baseUrl, scopesSupported = config.scopesSupported, clientConfig = config.clientConfig;
+    router.use('/mcp', function(req, res, next) {
+        var authHeader = req.headers.authorization || req.headers.Authorization;
+        var headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+        if (!headerValue || !headerValue.toLowerCase().startsWith('bearer ')) {
+            return res.status(401).set('WWW-Authenticate', 'Bearer resource_metadata="'.concat(baseUrl, '/.well-known/oauth-protected-resource"')).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32600,
+                    message: 'Missing Authorization header. DCR mode requires bearer token.'
+                },
+                id: null
+            });
+        }
+        return next();
+    });
     // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)
     router.use(_express.default.json()); // For /oauth/register (application/json)
     router.use(_express.default.urlencoded({

package/dist/cjs/lib/dcr-router.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-router.ts"],"sourcesContent":["/*\n DCR Router - OAuth 2.0 Authorization Server\n \n Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n \n Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n /\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport as dcrUtils from './dcr-utils.ts';\n\n/*\n Configuration for DCR Router (self-hosted mode only)\n /\nexport interface DcrRouterConfig {\n /* Single Keyv store for all DCR data /\n store: Keyv;\n\n /* Authorization Server issuer URL /\n issuerUrl: string;\n\n /* Base URL for OAuth endpoints /\n baseUrl: string;\n\n /* Supported OAuth scopes /\n scopesSupported: string[];\n\n /* OAuth client configuration for upstream provider /\n clientConfig: OAuthClientConfig;\n}\n\n/\n Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n \n For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n \n @param config - Router configuration\n * @returns Express router with OAuth endpoints\n /\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n const router = express.Router();\n const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)\n router.use(express.json()); // For /oauth/register (application/json)\n router.use(express.urlencoded({ extended: true })); // For /oauth/token (application/x-www-form-urlencoded)\n\n /\n OAuth Authorization Server Metadata (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n /\n router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n const metadata: RFC8414Metadata = {\n issuer: issuerUrl,\n authorization_endpoint: `${baseUrl}/oauth/authorize`,\n token_endpoint: `${baseUrl}/oauth/token`,\n registration_endpoint: `${baseUrl}/oauth/register`,\n revocation_endpoint: `${baseUrl}/oauth/revoke`,\n scopes_supported: scopesSupported,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n code_challenge_methods_supported: ['S256', 'plain'],\n service_documentation: `${baseUrl}/docs`,\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Root)\n * GET /.well-known/oauth-protected-resource\n /\n router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: baseUrl,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n * GET /.well-known/oauth-protected-resource/mcp\n /\n router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: `${baseUrl}/mcp`,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n Dynamic Client Registration (RFC 7591)\n * POST /oauth/register\n /\n router.post('/oauth/register', async (req: Request, res: Response) => {\n try {\n const registrationRequest = req.body;\n\n // Register the client\n const client = await dcrUtils.registerClient(store, registrationRequest);\n\n // Return client information (RFC 7591 Section 3.2.1)\n res.status(201).json(client);\n } catch (error) {\n res.status(400).json({\n error: 'invalid_client_metadata',\n error_description: error instanceof Error ? error.message : 'Invalid registration request',\n });\n }\n });\n\n /\n OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n * GET /oauth/authorize\n \n Initiates Microsoft OAuth flow, then generates DCR authorization code\n /\n router.get('/oauth/authorize', async (req: Request, res: Response) => {\n const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n // Validate required parameters\n if (response_type !== 'code') {\n return res.status(400).json({\n error: 'unsupported_response_type',\n error_description: 'Only response_type=code is supported',\n });\n }\n\n if (!client_id \|\| typeof client_id !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'client_id is required',\n });\n }\n\n if (!redirect_uri \|\| typeof redirect_uri !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'redirect_uri is required',\n });\n }\n\n // Validate client\n const client = await dcrUtils.getClient(store, client_id);\n if (!client) {\n return res.status(400).json({\n error: 'invalid_client',\n error_description: 'Unknown client_id',\n });\n }\n\n // Validate redirect_uri\n const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n if (!isValidRedirect) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid redirect_uri',\n });\n }\n\n // Store DCR request state for Microsoft OAuth callback\n const msState = randomUUID();\n const dcrRequestState = {\n client_id,\n redirect_uri,\n scope: typeof scope === 'string' ? scope : '',\n state: typeof state === 'string' ? state : undefined,\n code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await store.set(`dcr:ms-state:${msState}`, dcrRequestState, 600000); // 10 min TTL\n\n // Build Microsoft authorization URL\n const msAuthUrl = new URL(`https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/authorize`);\n msAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n msAuthUrl.searchParams.set('response_type', 'code');\n msAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n msAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n msAuthUrl.searchParams.set('state', msState);\n msAuthUrl.searchParams.set('response_mode', 'query');\n\n // Redirect user to Microsoft for authorization\n return res.redirect(msAuthUrl.toString());\n });\n\n /\n OAuth Callback Handler\n * GET /oauth/callback\n \n Handles callback from Microsoft after user authorization\n /\n router.get('/oauth/callback', async (req: Request, res: Response) => {\n const { code: msCode, state: msState, error, error_description } = req.query;\n\n // Handle Microsoft OAuth errors\n if (error) {\n return res.status(400).json({\n error,\n error_description: error_description \|\| 'Microsoft OAuth authorization failed',\n });\n }\n\n if (!msCode \|\| typeof msCode !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Authorization code is required',\n });\n }\n\n if (!msState \|\| typeof msState !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'State parameter is required',\n });\n }\n\n // Retrieve original DCR request state\n const dcrRequestState = await store.get(`dcr:ms-state:${msState}`);\n if (!dcrRequestState) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid or expired state parameter',\n });\n }\n\n // Delete state (one-time use)\n await store.delete(`dcr:ms-state:${msState}`);\n\n // Exchange Microsoft authorization code for tokens\n try {\n const tokenUrl = `https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/token`;\n const tokenParams = new URLSearchParams({\n grant_type: 'authorization_code',\n code: msCode,\n client_id: clientConfig.clientId,\n redirect_uri: `${baseUrl}/oauth/callback`,\n scope: dcrRequestState.scope,\n });\n\n // Add client_secret if available (confidential client)\n if (clientConfig.clientSecret) {\n tokenParams.set('client_secret', clientConfig.clientSecret);\n }\n\n const tokenResponse = await fetch(tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: tokenParams.toString(),\n });\n\n if (!tokenResponse.ok) {\n const errorData = (await tokenResponse.json()) as { error?: string; error_description?: string };\n throw new Error(`Microsoft token exchange failed: ${errorData.error_description \|\| errorData.error}`);\n }\n\n const tokenData = (await tokenResponse.json()) as {\n access_token: string;\n refresh_token?: string;\n expires_in: number;\n scope: string;\n };\n\n // Create provider tokens from Microsoft response\n const providerTokens: ProviderTokens = {\n accessToken: tokenData.access_token,\n ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n expiresAt: Date.now() + tokenData.expires_in 1000,\n scope: tokenData.scope,\n };\n\n // Generate DCR authorization code with real provider tokens\n const dcrCode = randomUUID();\n const authCode: AuthorizationCode = {\n code: dcrCode,\n client_id: dcrRequestState.client_id,\n redirect_uri: dcrRequestState.redirect_uri,\n scope: dcrRequestState.scope,\n ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n providerTokens,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n // Redirect back to MCP client with DCR authorization code\n const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n clientRedirectUrl.searchParams.set('code', dcrCode);\n if (dcrRequestState.state) {\n clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n }\n\n return res.redirect(clientRedirectUrl.toString());\n } catch (error) {\n return res.status(500).json({\n error: 'server_error',\n error_description: error instanceof Error ? error.message : 'Failed to exchange authorization code',\n });\n }\n });\n\n /*\n OAuth Token Endpoint (RFC 6749 Section 3.2)\n * POST /oauth/token\n /\n router.post('/oauth/token', async (req: Request, res: Response) => {\n // Extract client credentials from either body or Basic Auth header\n let client_id = req.body.client_id;\n let client_secret = req.body.client_secret;\n\n // Support client_secret_basic authentication (RFC 6749 Section 2.3.1)\n const authHeader = req.headers.authorization;\n if (authHeader && authHeader.startsWith('Basic ')) {\n const base64Credentials = authHeader.substring(6);\n const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n const [id, secret] = credentials.split(':');\n client_id = id;\n client_secret = secret;\n }\n\n const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n // Validate grant_type\n if (!grant_type) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'grant_type is required',\n });\n }\n\n if (grant_type === 'authorization_code') {\n // Authorization Code Grant\n if (!code \|\| !client_id \|\| !redirect_uri) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code, client_id, and redirect_uri are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get authorization code\n const authCode = await dcrUtils.getAuthCode(store, code);\n if (!authCode) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid or expired authorization code',\n });\n }\n\n // Validate authorization code\n if (authCode.client_id !== client_id \|\| authCode.redirect_uri !== redirect_uri) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code mismatch',\n });\n }\n\n if (Date.now() > authCode.expires_at) {\n await dcrUtils.deleteAuthCode(store, code);\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code expired',\n });\n }\n\n // Validate PKCE if used\n if (authCode.code_challenge) {\n if (!code_verifier) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code_verifier is required for PKCE',\n });\n }\n\n // Validate code_verifier against code_challenge\n const method = authCode.code_challenge_method ?? 'plain';\n const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n if (computedChallenge !== authCode.code_challenge) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid code_verifier',\n });\n }\n }\n\n // Delete authorization code (one-time use)\n await dcrUtils.deleteAuthCode(store, code);\n\n // Generate DCR access token\n const accessToken = randomUUID();\n const refreshTokenValue = randomUUID();\n\n const tokenData: AccessToken = {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 3600,\n refresh_token: refreshTokenValue,\n scope: authCode.scope,\n client_id,\n providerTokens: authCode.providerTokens,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, accessToken, tokenData);\n await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n\n // Store provider tokens indexed by DCR access token\n await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n // Return token response\n return res.json({\n access_token: tokenData.access_token,\n token_type: tokenData.token_type,\n expires_in: tokenData.expires_in,\n refresh_token: tokenData.refresh_token,\n scope: tokenData.scope,\n });\n }\n if (grant_type === 'refresh_token') {\n // Refresh Token Grant\n if (!refresh_token \|\| !client_id) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'refresh_token and client_id are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get refresh token\n const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n if (!tokenData \|\| tokenData.client_id !== client_id) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid refresh token',\n });\n }\n\n // Refresh provider tokens if available\n let refreshedProviderTokens = tokenData.providerTokens;\n if (tokenData.providerTokens.refreshToken) {\n try {\n // Create DcrOAuthProvider instance to refresh Microsoft tokens\n const provider = new DcrOAuthProvider({\n clientId: clientConfig.clientId,\n ...(clientConfig.clientSecret && { clientSecret: clientConfig.clientSecret }),\n tenantId: clientConfig.tenantId ?? 'common',\n scope: tokenData.scope,\n verifyEndpoint: `${baseUrl}/oauth/verify`,\n logger: {\n info: console.log,\n error: console.error,\n warn: console.warn,\n debug: () => {},\n },\n });\n\n // Refresh the Microsoft access token\n refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n } catch (error) {\n // If refresh fails, continue with existing tokens (they may still be valid)\n console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n }\n }\n\n // Generate new DCR access token\n const newAccessToken = randomUUID();\n const newTokenData: AccessToken = {\n ...tokenData,\n access_token: newAccessToken,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n\n // Store refreshed provider tokens indexed by new DCR access token\n await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n return res.json({\n access_token: newTokenData.access_token,\n token_type: newTokenData.token_type,\n expires_in: newTokenData.expires_in,\n scope: newTokenData.scope,\n });\n }\n return res.status(400).json({\n error: 'unsupported_grant_type',\n error_description: 'Only authorization_code and refresh_token grants are supported',\n });\n });\n\n /\n OAuth Token Revocation (RFC 7009)\n * POST /oauth/revoke\n /\n router.post('/oauth/revoke', async (req: Request, res: Response) => {\n const { token, token_type_hint, client_id, client_secret } = req.body;\n\n if (!token) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'token is required',\n });\n }\n\n // Validate client if credentials provided\n if (client_id && client_secret) {\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n }\n\n // Revoke the token\n if (token_type_hint === 'refresh_token') {\n await dcrUtils.deleteRefreshToken(store, token);\n } else if (token_type_hint === 'access_token') {\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n } else {\n // No hint - try both\n await dcrUtils.deleteRefreshToken(store, token);\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n }\n\n // RFC 7009: Return 200 even if token not found\n return res.status(200).send();\n });\n\n /\n Token Verification Endpoint\n * GET /oauth/verify\n \n Validates bearer tokens for Resource Server.\n * Returns AuthInfo with provider tokens for stateless DCR pattern.\n /\n router.get('/oauth/verify', async (req: Request, res: Response) => {\n // Extract bearer token from Authorization header\n const authHeader = req.headers.authorization;\n\n if (!authHeader \|\| !authHeader.startsWith('Bearer ')) {\n return res.status(401).json({\n error: 'invalid_request',\n error_description: 'Missing or invalid Authorization header',\n });\n }\n\n const token = authHeader.substring(7); // Remove 'Bearer ' prefix\n\n // Validate token exists in access tokens store\n const tokenData = await dcrUtils.getAccessToken(store, token);\n\n if (!tokenData) {\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Unknown or expired access token',\n });\n }\n\n // Check if token is expired\n const now = Date.now();\n const expiresAt = tokenData.created_at + tokenData.expires_in 1000;\n\n if (now > expiresAt) {\n // Remove expired token\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Access token has expired',\n });\n }\n\n // Return AuthInfo with provider tokens for stateless DCR\n const authInfo = {\n token,\n clientId: tokenData.client_id,\n scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n expiresAt,\n providerTokens: tokenData.providerTokens,\n };\n\n return res.json(authInfo);\n });\n\n /*\n Debug endpoint to list registered clients (development only)\n */\n router.get('/debug/clients', async (_req: Request, res: Response) => {\n const clients = await dcrUtils.listClients(store);\n res.json(clients);\n });\n\n return router;\n}\n"],"names":["createDcrRouter","config","router","express","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","json","urlencoded","extended","get","_req","res","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","req","registrationRequest","client","error","body","dcrUtils","registerClient","status","error_description","Error","message","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","isValidRedirect","msState","dcrRequestState","msAuthUrl","query","getClient","validateRedirectUri","randomUUID","undefined","created_at","Date","now","expires_at","set","URL","tenantId","searchParams","clientId","redirect","toString","msCode","tokenUrl","tokenParams","tokenResponse","errorData","tokenData","providerTokens","dcrCode","authCode","clientRedirectUrl","code","delete","URLSearchParams","grant_type","clientSecret","fetch","method","headers","ok","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","setAuthCode","client_secret","authHeader","base64Credentials","credentials","id","secret","code_verifier","isValidClient","computedChallenge","refreshTokenValue","refreshedProviderTokens","provider","newAccessToken","newTokenData","authorization","startsWith","substring","Buffer","from","split","validateClient","getAuthCode","deleteAuthCode","createHash","update","digest","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","DcrOAuthProvider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","authInfo","getAccessToken","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC;;;;+BAwCeA;;;eAAAA;;;sBArCuB;8DAEnB;qBAEa;kEAEP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BnB,SAASA,gBAAgBC,MAAuB;IACrD,IAAMC,SAASC,gBAAO,CAACC,MAAM;IAC7B,IAAQC,QAA6DJ,OAA7DI,OAAOC,YAAsDL,OAAtDK,WAAWC,UAA2CN,OAA3CM,SAASC,kBAAkCP,OAAlCO,iBAAiBC,eAAiBR,OAAjBQ;IAEpD,+DAA+D;IAC/DP,OAAOQ,GAAG,CAACP,gBAAO,CAACQ,IAAI,KAAK,yCAAyC;IACrET,OAAOQ,GAAG,CAACP,gBAAO,CAACS,UAAU,CAAC;QAAEC,UAAU;IAAK,KAAK,uDAAuD;IAE3G;;;GAGC,GACDX,OAAOY,GAAG,CAAC,2CAA2C,SAACC,MAAeC;QACpE,IAAMC,WAA4B;YAChCC,QAAQZ;YACRa,wBAAwB,AAAC,GAAU,OAARZ,SAAQ;YACnCa,gBAAgB,AAAC,GAAU,OAARb,SAAQ;YAC3Bc,uBAAuB,AAAC,GAAU,OAARd,SAAQ;YAClCe,qBAAqB,AAAC,GAAU,OAARf,SAAQ;YAChCgB,kBAAkBf;YAClBgB,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,AAAC,GAAU,OAARrB,SAAQ;QACpC;QACAS,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAOY,GAAG,CAAC,yCAAyC,SAACC,MAAeC;QAClE,IAAMC,WAA4B;YAChCY,UAAUtB;YACVuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAOY,GAAG,CAAC,6CAA6C,SAACC,MAAeC;QACtE,IAAMC,WAA4B;YAChCY,UAAU,AAAC,GAAU,OAARtB,SAAQ;YACrBuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDf,OAAO8B,IAAI,CAAC,mBAAmB,SAAOC,KAAcjB;;gBAE1CkB,qBAGAC,QAICC;;;;;;;;;;wBAPDF,sBAAsBD,IAAII,IAAI;wBAGrB;;4BAAMC,YAASC,cAAc,CAAClC,OAAO6B;;;wBAA9CC,SAAS;wBAEf,qDAAqD;wBACrDnB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAACwB;;;;;;wBACdC;wBACPpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;4BACnByB,OAAO;4BACPK,mBAAmBL,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG;wBAC9D;;;;;;;;;;;QAEJ;;IAEA;;;;;GAKC,GACDzC,OAAOY,GAAG,CAAC,oBAAoB,SAAOmB,KAAcjB;;gBACgEiB,YAA1GW,eAAeC,WAAWC,gCAAcC,yBAAYC,OAAYC,gBAAgBC,uBAyBlFf,QASAgB,iBASAC,SACAC,iBAcAC;;;;wBA1D4GrB,aAAAA,IAAIsB,KAAK,EAAnHX,gBAA0GX,WAA1GW,eAAeC,YAA2FZ,WAA3FY,WAAWC,eAAgFb,WAAhFa,iCAAgFb,WAAlEc,OAAAA,sCAAQ,0CAA0Dd,WAAtDe,OAAAA,sCAAQ,uBAAIC,iBAA0ChB,WAA1CgB,gBAAgBC,wBAA0BjB,WAA1BiB;wBAExF,+BAA+B;wBAC/B,IAAIN,kBAAkB,QAAQ;4BAC5B;;gCAAO5B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACI,aAAa,OAAOA,cAAc,UAAU;4BAC/C;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACK,gBAAgB,OAAOA,iBAAiB,UAAU;4BACrD;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGe;;4BAAMH,YAASkB,SAAS,CAACnD,OAAOwC;;;wBAAzCV,SAAS;wBACf,IAAI,CAACA,QAAQ;4BACX;;gCAAOnB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGwB;;4BAAMH,YAASmB,mBAAmB,CAACpD,OAAOwC,WAAWC;;;wBAAvEK,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOnC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,uDAAuD;wBACjDW,UAAUM,IAAAA,kBAAU;wBACpBL,kBAAkB;4BACtBR,WAAAA;4BACAC,cAAAA;4BACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;4BAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQW;4BAC3CV,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBU;4BACtET,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBS;4BAC3FC,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;wBAC3B;wBAEA;;4BAAMzD,MAAM2D,GAAG,CAAC,AAAC,gBAAuB,OAARZ,UAAWC,iBAAiB;;;wBAA5D,eAAqE,aAAa;wBAElF,oCAAoC;wBAC9BC,YAAY,IAAIW,IAAI,AAAC,qCAAsE,OAAlCxD,aAAayD,QAAQ,IAAI,UAAS;wBACjGZ,UAAUa,YAAY,CAACH,GAAG,CAAC,aAAavD,aAAa2D,QAAQ;wBAC7Dd,UAAUa,YAAY,CAACH,GAAG,CAAC,iBAAiB;wBAC5CV,UAAUa,YAAY,CAACH,GAAG,CAAC,gBAAgB,AAAC,GAAU,OAARzD,SAAQ;wBACtD+C,UAAUa,YAAY,CAACH,GAAG,CAAC,SAAS,OAAOjB,UAAU,WAAWA,QAAQ;wBACxEO,UAAUa,YAAY,CAACH,GAAG,CAAC,SAASZ;wBACpCE,UAAUa,YAAY,CAACH,GAAG,CAAC,iBAAiB;wBAE5C,+CAA+C;wBAC/C;;4BAAOhD,IAAIqD,QAAQ,CAACf,UAAUgB,QAAQ;;;;QACxC;;IAEA;;;;;GAKC,GACDpE,OAAOY,GAAG,CAAC,mBAAmB,SAAOmB,KAAcjB;;gBACkBiB,YAArDsC,QAAenB,SAAShB,SAAOK,mBAyBvCY,iBAaEmB,UACAC,aAaAC,eAOEC,WAIFC,WAQAC,gBAQAC,SACAC,UAeAC,mBAOC5C;;;;wBAtG0DH,aAAAA,IAAIsB,KAAK,EAA9DgB,SAAqDtC,WAA3DgD,MAAqB7B,UAAsCnB,WAA7Ce,OAAgBZ,UAA6BH,WAA7BG,OAAOK,oBAAsBR,WAAtBQ;wBAE7C,gCAAgC;wBAChC,IAAIL,SAAO;4BACT;;gCAAOpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAAA;oCACAK,mBAAmBA,qBAAqB;gCAC1C;;wBACF;wBAEA,IAAI,CAAC8B,UAAU,OAAOA,WAAW,UAAU;4BACzC;;gCAAOvD,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACW,WAAW,OAAOA,YAAY,UAAU;4BAC3C;;gCAAOpC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGwB;;4BAAMpC,MAAMS,GAAG,CAAC,AAAC,gBAAuB,OAARsC;;;wBAAlDC,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOrC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,8BAA8B;wBAC9B;;4BAAMpC,MAAM6E,MAAM,CAAC,AAAC,gBAAuB,OAAR9B;;;wBAAnC;;;;;;;;;wBAIQoB,WAAW,AAAC,qCAAsE,OAAlC/D,aAAayD,QAAQ,IAAI,UAAS;wBAClFO,cAAc,IAAIU,gBAAgB;4BACtCC,YAAY;4BACZH,MAAMV;4BACN1B,WAAWpC,aAAa2D,QAAQ;4BAChCtB,cAAc,AAAC,GAAU,OAARvC,SAAQ;4BACzBwC,OAAOM,gBAAgBN,KAAK;wBAC9B;wBAEA,uDAAuD;wBACvD,IAAItC,aAAa4E,YAAY,EAAE;4BAC7BZ,YAAYT,GAAG,CAAC,iBAAiBvD,aAAa4E,YAAY;wBAC5D;wBAEsB;;4BAAMC,MAAMd,UAAU;gCAC1Ce,QAAQ;gCACRC,SAAS;oCAAE,gBAAgB;gCAAoC;gCAC/DnD,MAAMoC,YAAYH,QAAQ;4BAC5B;;;wBAJMI,gBAAgB;6BAMlB,CAACA,cAAce,EAAE,EAAjB;;;;wBACiB;;4BAAMf,cAAc/D,IAAI;;;wBAArCgE,YAAa;wBACnB,MAAM,IAAIjC,MAAM,AAAC,oCAAkF,OAA/CiC,UAAUlC,iBAAiB,IAAIkC,UAAUvC,KAAK;;wBAGjF;;4BAAMsC,cAAc/D,IAAI;;;wBAArCiE,YAAa;wBAOnB,iDAAiD;wBAC3CC,iBAAiC;4BACrCa,aAAad,UAAUe,YAAY;2BAC/Bf,UAAUgB,aAAa,IAAI;4BAAEC,cAAcjB,UAAUgB,aAAa;wBAAC;4BACvEE,WAAWjC,KAAKC,GAAG,KAAKc,UAAUmB,UAAU,GAAG;4BAC/ChD,OAAO6B,UAAU7B,KAAK;;wBAGxB,4DAA4D;wBACtD+B,UAAUpB,IAAAA,kBAAU;wBACpBqB,WAA8B;4BAClCE,MAAMH;4BACNjC,WAAWQ,gBAAgBR,SAAS;4BACpCC,cAAcO,gBAAgBP,YAAY;4BAC1CC,OAAOM,gBAAgBN,KAAK;2BACxBM,gBAAgBJ,cAAc,IAAI;4BAAEA,gBAAgBI,gBAAgBJ,cAAc;wBAAC,GACnFI,gBAAgBH,qBAAqB,IAAI;4BAAEA,uBAAuBG,gBAAgBH,qBAAqB;wBAAC;4BAC5G2B,gBAAAA;4BACAjB,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;;wBAG3B;;4BAAMxB,YAAS0D,WAAW,CAAC3F,OAAOyE,SAASC;;;wBAA3C;wBAEA,0DAA0D;wBACpDC,oBAAoB,IAAIf,IAAIZ,gBAAgBP,YAAY;wBAC9DkC,kBAAkBb,YAAY,CAACH,GAAG,CAAC,QAAQc;wBAC3C,IAAIzB,gBAAgBL,KAAK,EAAE;4BACzBgC,kBAAkBb,YAAY,CAACH,GAAG,CAAC,SAASX,gBAAgBL,KAAK;wBACnE;wBAEA;;4BAAOhC,IAAIqD,QAAQ,CAACW,kBAAkBV,QAAQ;;;wBACvClC;wBACP;;4BAAOpB,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmBL,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG;4BAC9D;;;;;;;;QAEJ;;IAEA;;;GAGC,GACDzC,OAAO8B,IAAI,CAAC,gBAAgB,SAAOC,KAAcjB;;gBAE3C6B,WACAoD,eAGEC,YAEEC,mBACAC,aACeA,oBAAdC,IAAIC,QAK4DrE,WAAjEmD,YAAYH,MAAMnC,cAAc8C,eAAeW,eAoB/CC,eASAzB,UAkCWA,iCAATQ,QACAkB,mBAcFf,aACAgB,mBAEA9B,WAoCA4B,gBASA5B,YASF+B,yBAOYlG,wBAHNmG,UAgBCxE,OAOLyE,gBACAC;;;;wBAjLR,mEAAmE;wBAC/DjE,YAAYZ,IAAII,IAAI,CAACQ,SAAS;wBAC9BoD,gBAAgBhE,IAAII,IAAI,CAAC4D,aAAa;wBAE1C,sEAAsE;wBAChEC,aAAajE,IAAIuD,OAAO,CAACuB,aAAa;wBAC5C,IAAIb,cAAcA,WAAWc,UAAU,CAAC,WAAW;4BAC3Cb,oBAAoBD,WAAWe,SAAS,CAAC;4BACzCb,cAAcc,OAAOC,IAAI,CAAChB,mBAAmB,UAAU7B,QAAQ,CAAC;4BACjD8B,sCAAAA,YAAYgB,KAAK,CAAC,UAAhCf,KAAcD,uBAAVE,SAAUF;4BACrBvD,YAAYwD;4BACZJ,gBAAgBK;wBAClB;wBAEyErE,YAAAA,IAAII,IAAI,EAAzE+C,aAAiEnD,UAAjEmD,YAAYH,OAAqDhD,UAArDgD,MAAMnC,eAA+Cb,UAA/Ca,cAAc8C,gBAAiC3D,UAAjC2D,eAAeW,gBAAkBtE,UAAlBsE;wBAEvD,sBAAsB;wBACtB,IAAI,CAACnB,YAAY;4BACf;;gCAAOpE,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEI2C,CAAAA,eAAe,oBAAmB,GAAlCA;;;;wBACF,2BAA2B;wBAC3B,IAAI,CAACH,QAAQ,CAACpC,aAAa,CAACC,cAAc;4BACxC;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMH,YAAS+E,cAAc,CAAChH,OAAOwC,WAAWoD,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFO,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGiB;;4BAAMH,YAASgF,WAAW,CAACjH,OAAO4E;;;wBAA7CF,WAAW;wBACjB,IAAI,CAACA,UAAU;4BACb;;gCAAO/D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,8BAA8B;wBAC9B,IAAIsC,SAASlC,SAAS,KAAKA,aAAakC,SAASjC,YAAY,KAAKA,cAAc;4BAC9E;;gCAAO9B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAEIoB,CAAAA,KAAKC,GAAG,KAAKiB,SAAShB,UAAU,AAAD,GAA/BF;;;;wBACF;;4BAAMvB,YAASiF,cAAc,CAAClH,OAAO4E;;;wBAArC;wBACA;;4BAAOjE,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;wBAGF,wBAAwB;wBACxB,IAAIsC,SAAS9B,cAAc,EAAE;;4BAC3B,IAAI,CAACsD,eAAe;gCAClB;;oCAAOvF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;wCAC1ByB,OAAO;wCACPK,mBAAmB;oCACrB;;4BACF;4BAEA,gDAAgD;4BAC1C8C,UAASR,kCAAAA,SAAS7B,qBAAqB,cAA9B6B,6CAAAA,kCAAkC;4BAC3C0B,oBAAoBlB,WAAW,SAASiC,IAAAA,kBAAU,EAAC,UAAUC,MAAM,CAAClB,eAAemB,MAAM,CAAC,eAAenB;4BAE/G,IAAIE,sBAAsB1B,SAAS9B,cAAc,EAAE;gCACjD;;oCAAOjC,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;wCAC1ByB,OAAO;wCACPK,mBAAmB;oCACrB;;4BACF;wBACF;wBAEA,2CAA2C;wBAC3C;;4BAAMH,YAASiF,cAAc,CAAClH,OAAO4E;;;wBAArC;wBAEA,4BAA4B;wBACtBS,cAAchC,IAAAA,kBAAU;wBACxBgD,oBAAoBhD,IAAAA,kBAAU;wBAE9BkB,YAAyB;4BAC7Be,cAAcD;4BACdiC,YAAY;4BACZ5B,YAAY;4BACZH,eAAec;4BACf3D,OAAOgC,SAAShC,KAAK;4BACrBF,WAAAA;4BACAgC,gBAAgBE,SAASF,cAAc;4BACvCjB,YAAYC,KAAKC,GAAG;wBACtB;wBAEA;;4BAAMxB,YAASsF,cAAc,CAACvH,OAAOqF,aAAad;;;wBAAlD;wBACA;;4BAAMtC,YAASuF,eAAe,CAACxH,OAAOqG,mBAAmB9B;;;wBAAzD;wBAEA,oDAAoD;wBACpD;;4BAAMtC,YAASwF,iBAAiB,CAACzH,OAAOqF,aAAaX,SAASF,cAAc;;;wBAA5E;wBAEA,wBAAwB;wBACxB;;4BAAO7D,IAAIL,IAAI,CAAC;gCACdgF,cAAcf,UAAUe,YAAY;gCACpCgC,YAAY/C,UAAU+C,UAAU;gCAChC5B,YAAYnB,UAAUmB,UAAU;gCAChCH,eAAehB,UAAUgB,aAAa;gCACtC7C,OAAO6B,UAAU7B,KAAK;4BACxB;;;6BAEEqC,CAAAA,eAAe,eAAc,GAA7BA;;;;wBACF,sBAAsB;wBACtB,IAAI,CAACQ,iBAAiB,CAAC/C,WAAW;4BAChC;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMH,YAAS+E,cAAc,CAAChH,OAAOwC,WAAWoD,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFO,iBAAgB;wBACtB,IAAI,CAACA,gBAAe;4BAClB;;gCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAGkB;;4BAAMH,YAASyF,eAAe,CAAC1H,OAAOuF;;;wBAAlDhB,aAAY;wBAClB,IAAI,CAACA,cAAaA,WAAU/B,SAAS,KAAKA,WAAW;4BACnD;;gCAAO7B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,uCAAuC;wBACnCkE,0BAA0B/B,WAAUC,cAAc;6BAClDD,WAAUC,cAAc,CAACgB,YAAY,EAArCjB;;;;;;;;;;;;wBAEA,+DAA+D;wBACzDgC,WAAW,IAAIoB,uBAAgB,CAAC;4BACpC5D,UAAU3D,aAAa2D,QAAQ;2BAC3B3D,aAAa4E,YAAY,IAAI;4BAAEA,cAAc5E,aAAa4E,YAAY;wBAAC;4BAC3EnB,QAAQ,GAAEzD,yBAAAA,aAAayD,QAAQ,cAArBzD,oCAAAA,yBAAyB;4BACnCsC,OAAO6B,WAAU7B,KAAK;4BACtBkF,gBAAgB,AAAC,GAAU,OAAR1H,SAAQ;4BAC3B2H,QAAQ;gCACNC,MAAMC,QAAQC,GAAG;gCACjBjG,OAAOgG,QAAQhG,KAAK;gCACpBkG,MAAMF,QAAQE,IAAI;gCAClBC,OAAO,YAAO;4BAChB;;wBAIwB;;4BAAM3B,SAAS4B,kBAAkB,CAAC5D,WAAUC,cAAc,CAACgB,YAAY;;;wBADjG,qCAAqC;wBACrCc,0BAA0B;;;;;;wBACnBvE;wBACP,4EAA4E;wBAC5EgG,QAAQE,IAAI,CAAC,yDAAyDlG,AAAK,YAALA,OAAiBM,SAAQN,MAAMO,OAAO,GAAG8F,OAAOrG;;;;;;wBAI1H,gCAAgC;wBAC1ByE,iBAAiBnD,IAAAA,kBAAU;wBAC3BoD,eAA4B,wCAC7BlC;4BACHe,cAAckB;4BACdjD,YAAYC,KAAKC,GAAG;;wBAGtB;;4BAAMxB,YAASsF,cAAc,CAACvH,OAAOwG,gBAAgBC;;;wBAArD;wBAEA,kEAAkE;wBAClE;;4BAAMxE,YAASwF,iBAAiB,CAACzH,OAAOwG,gBAAgBF;;;wBAAxD;wBAEA;;4BAAO3F,IAAIL,IAAI,CAAC;gCACdgF,cAAcmB,aAAanB,YAAY;gCACvCgC,YAAYb,aAAaa,UAAU;gCACnC5B,YAAYe,aAAaf,UAAU;gCACnChD,OAAO+D,aAAa/D,KAAK;4BAC3B;;;wBAEF;;4BAAO/B,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;;QACF;;IAEA;;;GAGC,GACDvC,OAAO8B,IAAI,CAAC,iBAAiB,SAAOC,KAAcjB;;gBACaiB,WAArDyG,OAAOC,iBAAiB9F,WAAWoD,eAWnCO;;;;wBAXqDvE,YAAAA,IAAII,IAAI,EAA7DqG,QAAqDzG,UAArDyG,OAAOC,kBAA8C1G,UAA9C0G,iBAAiB9F,YAA6BZ,UAA7BY,WAAWoD,gBAAkBhE,UAAlBgE;wBAE3C,IAAI,CAACyC,OAAO;4BACV;;gCAAO1H,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;6BAGII,CAAAA,aAAaoD,aAAY,GAAzBpD;;;;wBACoB;;4BAAMP,YAAS+E,cAAc,CAAChH,OAAOwC,WAAWoD;;;wBAAhEO,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOxF,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;;;6BAIEkG,CAAAA,oBAAoB,eAAc,GAAlCA;;;;wBACF;;4BAAMrG,YAASsG,kBAAkB,CAACvI,OAAOqI;;;wBAAzC;;;;;;6BACSC,CAAAA,oBAAoB,cAAa,GAAjCA;;;;wBACT;;4BAAMrG,YAASuG,iBAAiB,CAACxI,OAAOqI;;;wBAAxC;wBACA;;4BAAMpG,YAASwG,oBAAoB,CAACzI,OAAOqI;;;wBAA3C;;;;;;wBAEA,qBAAqB;wBACrB;;4BAAMpG,YAASsG,kBAAkB,CAACvI,OAAOqI;;;wBAAzC;wBACA;;4BAAMpG,YAASuG,iBAAiB,CAACxI,OAAOqI;;;wBAAxC;wBACA;;4BAAMpG,YAASwG,oBAAoB,CAACzI,OAAOqI;;;wBAA3C;;;wBAGF,+CAA+C;wBAC/C;;4BAAO1H,IAAIwB,MAAM,CAAC,KAAKuG,IAAI;;;;QAC7B;;IAEA;;;;;;GAMC,GACD7I,OAAOY,GAAG,CAAC,iBAAiB,SAAOmB,KAAcjB;;gBAEzCkF,YASAwC,OAGA9D,WAUAd,KACAgC,WAaAkD;;;;wBArCN,iDAAiD;wBAC3C9C,aAAajE,IAAIuD,OAAO,CAACuB,aAAa;wBAE5C,IAAI,CAACb,cAAc,CAACA,WAAWc,UAAU,CAAC,YAAY;4BACpD;;gCAAOhG,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEMiG,QAAQxC,WAAWe,SAAS,CAAC,IAAI,0BAA0B;wBAG/C;;4BAAM3E,YAAS2G,cAAc,CAAC5I,OAAOqI;;;wBAAjD9D,YAAY;wBAElB,IAAI,CAACA,WAAW;4BACd;;gCAAO5D,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;oCAC1ByB,OAAO;oCACPK,mBAAmB;gCACrB;;wBACF;wBAEA,4BAA4B;wBACtBqB,MAAMD,KAAKC,GAAG;wBACdgC,YAAYlB,UAAUhB,UAAU,GAAGgB,UAAUmB,UAAU,GAAG;6BAE5DjC,CAAAA,MAAMgC,SAAQ,GAAdhC;;;;wBACF,uBAAuB;wBACvB;;4BAAMxB,YAASuG,iBAAiB,CAACxI,OAAOqI;;;wBAAxC;wBACA;;4BAAMpG,YAASwG,oBAAoB,CAACzI,OAAOqI;;;wBAA3C;wBACA;;4BAAO1H,IAAIwB,MAAM,CAAC,KAAK7B,IAAI,CAAC;gCAC1ByB,OAAO;gCACPK,mBAAmB;4BACrB;;;wBAGF,yDAAyD;wBACnDuG,WAAW;4BACfN,OAAAA;4BACAtE,UAAUQ,UAAU/B,SAAS;4BAC7BqG,QAAQtE,UAAU7B,KAAK,GAAG6B,UAAU7B,KAAK,CAACqE,KAAK,CAAC;4BAChDtB,WAAAA;4BACAjB,gBAAgBD,UAAUC,cAAc;wBAC1C;wBAEA;;4BAAO7D,IAAIL,IAAI,CAACqI;;;;QAClB;;IAEA;;GAEC,GACD9I,OAAOY,GAAG,CAAC,kBAAkB,SAAOC,MAAeC;;gBAC3CmI;;;;wBAAU;;4BAAM7G,YAAS8G,WAAW,CAAC/I;;;wBAArC8I,UAAU;wBAChBnI,IAAIL,IAAI,CAACwI;;;;;;QACX;;IAEA,OAAOjJ;AACT"}
1	+ {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-router.ts"],"sourcesContent":["/*\n DCR Router - OAuth 2.0 Authorization Server\n \n Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n \n Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n /\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport as dcrUtils from './dcr-utils.ts';\n\n/*\n Configuration for DCR Router (self-hosted mode only)\n /\nexport interface DcrRouterConfig {\n /* Single Keyv store for all DCR data /\n store: Keyv;\n\n /* Authorization Server issuer URL /\n issuerUrl: string;\n\n /* Base URL for OAuth endpoints /\n baseUrl: string;\n\n /* Supported OAuth scopes /\n scopesSupported: string[];\n\n /* OAuth client configuration for upstream provider /\n clientConfig: OAuthClientConfig;\n}\n\n/\n Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n \n For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n \n @param config - Router configuration\n * @returns Express router with OAuth endpoints\n /\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n const router = express.Router();\n const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n router.use('/mcp', (req: Request, res: Response, next) => {\n const authHeader = req.headers.authorization \|\| req.headers.Authorization;\n const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n\n if (!headerValue \|\| !headerValue.toLowerCase().startsWith('bearer ')) {\n return res\n .status(401)\n .set('WWW-Authenticate', `Bearer resource_metadata=\"${baseUrl}/.well-known/oauth-protected-resource\"`)\n .json({\n jsonrpc: '2.0',\n error: {\n code: -32600,\n message: 'Missing Authorization header. DCR mode requires bearer token.',\n },\n id: null,\n });\n }\n\n return next();\n });\n\n // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)\n router.use(express.json()); // For /oauth/register (application/json)\n router.use(express.urlencoded({ extended: true })); // For /oauth/token (application/x-www-form-urlencoded)\n\n /\n OAuth Authorization Server Metadata (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n /\n router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n const metadata: RFC8414Metadata = {\n issuer: issuerUrl,\n authorization_endpoint: `${baseUrl}/oauth/authorize`,\n token_endpoint: `${baseUrl}/oauth/token`,\n registration_endpoint: `${baseUrl}/oauth/register`,\n revocation_endpoint: `${baseUrl}/oauth/revoke`,\n scopes_supported: scopesSupported,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n code_challenge_methods_supported: ['S256', 'plain'],\n service_documentation: `${baseUrl}/docs`,\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Root)\n * GET /.well-known/oauth-protected-resource\n /\n router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: baseUrl,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n * GET /.well-known/oauth-protected-resource/mcp\n /\n router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: `${baseUrl}/mcp`,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n Dynamic Client Registration (RFC 7591)\n * POST /oauth/register\n /\n router.post('/oauth/register', async (req: Request, res: Response) => {\n try {\n const registrationRequest = req.body;\n\n // Register the client\n const client = await dcrUtils.registerClient(store, registrationRequest);\n\n // Return client information (RFC 7591 Section 3.2.1)\n res.status(201).json(client);\n } catch (error) {\n res.status(400).json({\n error: 'invalid_client_metadata',\n error_description: error instanceof Error ? error.message : 'Invalid registration request',\n });\n }\n });\n\n /\n OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n * GET /oauth/authorize\n \n Initiates Microsoft OAuth flow, then generates DCR authorization code\n /\n router.get('/oauth/authorize', async (req: Request, res: Response) => {\n const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n // Validate required parameters\n if (response_type !== 'code') {\n return res.status(400).json({\n error: 'unsupported_response_type',\n error_description: 'Only response_type=code is supported',\n });\n }\n\n if (!client_id \|\| typeof client_id !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'client_id is required',\n });\n }\n\n if (!redirect_uri \|\| typeof redirect_uri !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'redirect_uri is required',\n });\n }\n\n // Validate client\n const client = await dcrUtils.getClient(store, client_id);\n if (!client) {\n return res.status(400).json({\n error: 'invalid_client',\n error_description: 'Unknown client_id',\n });\n }\n\n // Validate redirect_uri\n const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n if (!isValidRedirect) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid redirect_uri',\n });\n }\n\n // Store DCR request state for Microsoft OAuth callback\n const msState = randomUUID();\n const dcrRequestState = {\n client_id,\n redirect_uri,\n scope: typeof scope === 'string' ? scope : '',\n state: typeof state === 'string' ? state : undefined,\n code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await store.set(`dcr:ms-state:${msState}`, dcrRequestState, 600000); // 10 min TTL\n\n // Build Microsoft authorization URL\n const msAuthUrl = new URL(`https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/authorize`);\n msAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n msAuthUrl.searchParams.set('response_type', 'code');\n msAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n msAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n msAuthUrl.searchParams.set('state', msState);\n msAuthUrl.searchParams.set('response_mode', 'query');\n\n // Redirect user to Microsoft for authorization\n return res.redirect(msAuthUrl.toString());\n });\n\n /\n OAuth Callback Handler\n * GET /oauth/callback\n \n Handles callback from Microsoft after user authorization\n /\n router.get('/oauth/callback', async (req: Request, res: Response) => {\n const { code: msCode, state: msState, error, error_description } = req.query;\n\n // Handle Microsoft OAuth errors\n if (error) {\n return res.status(400).json({\n error,\n error_description: error_description \|\| 'Microsoft OAuth authorization failed',\n });\n }\n\n if (!msCode \|\| typeof msCode !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Authorization code is required',\n });\n }\n\n if (!msState \|\| typeof msState !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'State parameter is required',\n });\n }\n\n // Retrieve original DCR request state\n const dcrRequestState = await store.get(`dcr:ms-state:${msState}`);\n if (!dcrRequestState) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid or expired state parameter',\n });\n }\n\n // Delete state (one-time use)\n await store.delete(`dcr:ms-state:${msState}`);\n\n // Exchange Microsoft authorization code for tokens\n try {\n const tokenUrl = `https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/token`;\n const tokenParams = new URLSearchParams({\n grant_type: 'authorization_code',\n code: msCode,\n client_id: clientConfig.clientId,\n redirect_uri: `${baseUrl}/oauth/callback`,\n scope: dcrRequestState.scope,\n });\n\n // Add client_secret if available (confidential client)\n if (clientConfig.clientSecret) {\n tokenParams.set('client_secret', clientConfig.clientSecret);\n }\n\n const tokenResponse = await fetch(tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: tokenParams.toString(),\n });\n\n if (!tokenResponse.ok) {\n const errorData = (await tokenResponse.json()) as { error?: string; error_description?: string };\n throw new Error(`Microsoft token exchange failed: ${errorData.error_description \|\| errorData.error}`);\n }\n\n const tokenData = (await tokenResponse.json()) as {\n access_token: string;\n refresh_token?: string;\n expires_in: number;\n scope: string;\n };\n\n // Create provider tokens from Microsoft response\n const providerTokens: ProviderTokens = {\n accessToken: tokenData.access_token,\n ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n expiresAt: Date.now() + tokenData.expires_in 1000,\n scope: tokenData.scope,\n };\n\n // Generate DCR authorization code with real provider tokens\n const dcrCode = randomUUID();\n const authCode: AuthorizationCode = {\n code: dcrCode,\n client_id: dcrRequestState.client_id,\n redirect_uri: dcrRequestState.redirect_uri,\n scope: dcrRequestState.scope,\n ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n providerTokens,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n // Redirect back to MCP client with DCR authorization code\n const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n clientRedirectUrl.searchParams.set('code', dcrCode);\n if (dcrRequestState.state) {\n clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n }\n\n return res.redirect(clientRedirectUrl.toString());\n } catch (error) {\n return res.status(500).json({\n error: 'server_error',\n error_description: error instanceof Error ? error.message : 'Failed to exchange authorization code',\n });\n }\n });\n\n /*\n OAuth Token Endpoint (RFC 6749 Section 3.2)\n * POST /oauth/token\n /\n router.post('/oauth/token', async (req: Request, res: Response) => {\n // Extract client credentials from either body or Basic Auth header\n let client_id = req.body.client_id;\n let client_secret = req.body.client_secret;\n\n // Support client_secret_basic authentication (RFC 6749 Section 2.3.1)\n const authHeader = req.headers.authorization;\n if (authHeader && authHeader.startsWith('Basic ')) {\n const base64Credentials = authHeader.substring(6);\n const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n const [id, secret] = credentials.split(':');\n client_id = id;\n client_secret = secret;\n }\n\n const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n // Validate grant_type\n if (!grant_type) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'grant_type is required',\n });\n }\n\n if (grant_type === 'authorization_code') {\n // Authorization Code Grant\n if (!code \|\| !client_id \|\| !redirect_uri) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code, client_id, and redirect_uri are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get authorization code\n const authCode = await dcrUtils.getAuthCode(store, code);\n if (!authCode) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid or expired authorization code',\n });\n }\n\n // Validate authorization code\n if (authCode.client_id !== client_id \|\| authCode.redirect_uri !== redirect_uri) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code mismatch',\n });\n }\n\n if (Date.now() > authCode.expires_at) {\n await dcrUtils.deleteAuthCode(store, code);\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code expired',\n });\n }\n\n // Validate PKCE if used\n if (authCode.code_challenge) {\n if (!code_verifier) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code_verifier is required for PKCE',\n });\n }\n\n // Validate code_verifier against code_challenge\n const method = authCode.code_challenge_method ?? 'plain';\n const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n if (computedChallenge !== authCode.code_challenge) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid code_verifier',\n });\n }\n }\n\n // Delete authorization code (one-time use)\n await dcrUtils.deleteAuthCode(store, code);\n\n // Generate DCR access token\n const accessToken = randomUUID();\n const refreshTokenValue = randomUUID();\n\n const tokenData: AccessToken = {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 3600,\n refresh_token: refreshTokenValue,\n scope: authCode.scope,\n client_id,\n providerTokens: authCode.providerTokens,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, accessToken, tokenData);\n await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n\n // Store provider tokens indexed by DCR access token\n await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n // Return token response\n return res.json({\n access_token: tokenData.access_token,\n token_type: tokenData.token_type,\n expires_in: tokenData.expires_in,\n refresh_token: tokenData.refresh_token,\n scope: tokenData.scope,\n });\n }\n if (grant_type === 'refresh_token') {\n // Refresh Token Grant\n if (!refresh_token \|\| !client_id) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'refresh_token and client_id are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get refresh token\n const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n if (!tokenData \|\| tokenData.client_id !== client_id) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid refresh token',\n });\n }\n\n // Refresh provider tokens if available\n let refreshedProviderTokens = tokenData.providerTokens;\n if (tokenData.providerTokens.refreshToken) {\n try {\n // Create DcrOAuthProvider instance to refresh Microsoft tokens\n const provider = new DcrOAuthProvider({\n clientId: clientConfig.clientId,\n ...(clientConfig.clientSecret && { clientSecret: clientConfig.clientSecret }),\n tenantId: clientConfig.tenantId ?? 'common',\n scope: tokenData.scope,\n verifyEndpoint: `${baseUrl}/oauth/verify`,\n logger: {\n info: console.log,\n error: console.error,\n warn: console.warn,\n debug: () => {},\n },\n });\n\n // Refresh the Microsoft access token\n refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n } catch (error) {\n // If refresh fails, continue with existing tokens (they may still be valid)\n console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n }\n }\n\n // Generate new DCR access token\n const newAccessToken = randomUUID();\n const newTokenData: AccessToken = {\n ...tokenData,\n access_token: newAccessToken,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n\n // Store refreshed provider tokens indexed by new DCR access token\n await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n return res.json({\n access_token: newTokenData.access_token,\n token_type: newTokenData.token_type,\n expires_in: newTokenData.expires_in,\n scope: newTokenData.scope,\n });\n }\n return res.status(400).json({\n error: 'unsupported_grant_type',\n error_description: 'Only authorization_code and refresh_token grants are supported',\n });\n });\n\n /\n OAuth Token Revocation (RFC 7009)\n * POST /oauth/revoke\n /\n router.post('/oauth/revoke', async (req: Request, res: Response) => {\n const { token, token_type_hint, client_id, client_secret } = req.body;\n\n if (!token) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'token is required',\n });\n }\n\n // Validate client if credentials provided\n if (client_id && client_secret) {\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n }\n\n // Revoke the token\n if (token_type_hint === 'refresh_token') {\n await dcrUtils.deleteRefreshToken(store, token);\n } else if (token_type_hint === 'access_token') {\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n } else {\n // No hint - try both\n await dcrUtils.deleteRefreshToken(store, token);\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n }\n\n // RFC 7009: Return 200 even if token not found\n return res.status(200).send();\n });\n\n /\n Token Verification Endpoint\n * GET /oauth/verify\n \n Validates bearer tokens for Resource Server.\n * Returns AuthInfo with provider tokens for stateless DCR pattern.\n /\n router.get('/oauth/verify', async (req: Request, res: Response) => {\n // Extract bearer token from Authorization header\n const authHeader = req.headers.authorization;\n\n if (!authHeader \|\| !authHeader.startsWith('Bearer ')) {\n return res.status(401).json({\n error: 'invalid_request',\n error_description: 'Missing or invalid Authorization header',\n });\n }\n\n const token = authHeader.substring(7); // Remove 'Bearer ' prefix\n\n // Validate token exists in access tokens store\n const tokenData = await dcrUtils.getAccessToken(store, token);\n\n if (!tokenData) {\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Unknown or expired access token',\n });\n }\n\n // Check if token is expired\n const now = Date.now();\n const expiresAt = tokenData.created_at + tokenData.expires_in 1000;\n\n if (now > expiresAt) {\n // Remove expired token\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Access token has expired',\n });\n }\n\n // Return AuthInfo with provider tokens for stateless DCR\n const authInfo = {\n token,\n clientId: tokenData.client_id,\n scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n expiresAt,\n providerTokens: tokenData.providerTokens,\n };\n\n return res.json(authInfo);\n });\n\n /*\n Debug endpoint to list registered clients (development only)\n */\n router.get('/debug/clients', async (_req: Request, res: Response) => {\n const clients = await dcrUtils.listClients(store);\n res.json(clients);\n });\n\n return router;\n}\n"],"names":["createDcrRouter","config","router","express","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","req","res","next","authHeader","headers","authorization","Authorization","headerValue","Array","isArray","toLowerCase","startsWith","status","set","json","jsonrpc","error","code","message","id","urlencoded","extended","get","_req","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","registrationRequest","client","body","dcrUtils","registerClient","error_description","Error","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","isValidRedirect","msState","dcrRequestState","msAuthUrl","query","getClient","validateRedirectUri","randomUUID","undefined","created_at","Date","now","expires_at","URL","tenantId","searchParams","clientId","redirect","toString","msCode","tokenUrl","tokenParams","tokenResponse","errorData","tokenData","providerTokens","dcrCode","authCode","clientRedirectUrl","delete","URLSearchParams","grant_type","clientSecret","fetch","method","ok","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","setAuthCode","client_secret","base64Credentials","credentials","secret","code_verifier","isValidClient","computedChallenge","refreshTokenValue","refreshedProviderTokens","provider","newAccessToken","newTokenData","substring","Buffer","from","split","validateClient","getAuthCode","deleteAuthCode","createHash","update","digest","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","DcrOAuthProvider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","authInfo","getAccessToken","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC;;;;+BAwCeA;;;eAAAA;;;sBArCuB;8DAEnB;qBAEa;kEAEP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BnB,SAASA,gBAAgBC,MAAuB;IACrD,IAAMC,SAASC,gBAAO,CAACC,MAAM;IAC7B,IAAQC,QAA6DJ,OAA7DI,OAAOC,YAAsDL,OAAtDK,WAAWC,UAA2CN,OAA3CM,SAASC,kBAAkCP,OAAlCO,iBAAiBC,eAAiBR,OAAjBQ;IAEpDP,OAAOQ,GAAG,CAAC,QAAQ,SAACC,KAAcC,KAAeC;QAC/C,IAAMC,aAAaH,IAAII,OAAO,CAACC,aAAa,IAAIL,IAAII,OAAO,CAACE,aAAa;QACzE,IAAMC,cAAcC,MAAMC,OAAO,CAACN,cAAcA,UAAU,CAAC,EAAE,GAAGA;QAEhE,IAAI,CAACI,eAAe,CAACA,YAAYG,WAAW,GAAGC,UAAU,CAAC,YAAY;YACpE,OAAOV,IACJW,MAAM,CAAC,KACPC,GAAG,CAAC,oBAAoB,AAAC,6BAAoC,OAARjB,SAAQ,2CAC7DkB,IAAI,CAAC;gBACJC,SAAS;gBACTC,OAAO;oBACLC,MAAM,CAAC;oBACPC,SAAS;gBACX;gBACAC,IAAI;YACN;QACJ;QAEA,OAAOjB;IACT;IAEA,+DAA+D;IAC/DX,OAAOQ,GAAG,CAACP,gBAAO,CAACsB,IAAI,KAAK,yCAAyC;IACrEvB,OAAOQ,GAAG,CAACP,gBAAO,CAAC4B,UAAU,CAAC;QAAEC,UAAU;IAAK,KAAK,uDAAuD;IAE3G;;;GAGC,GACD9B,OAAO+B,GAAG,CAAC,2CAA2C,SAACC,MAAetB;QACpE,IAAMuB,WAA4B;YAChCC,QAAQ9B;YACR+B,wBAAwB,AAAC,GAAU,OAAR9B,SAAQ;YACnC+B,gBAAgB,AAAC,GAAU,OAAR/B,SAAQ;YAC3BgC,uBAAuB,AAAC,GAAU,OAARhC,SAAQ;YAClCiC,qBAAqB,AAAC,GAAU,OAARjC,SAAQ;YAChCkC,kBAAkBjC;YAClBkC,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,AAAC,GAAU,OAARvC,SAAQ;QACpC;QACAK,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDjC,OAAO+B,GAAG,CAAC,yCAAyC,SAACC,MAAetB;QAClE,IAAMuB,WAA4B;YAChCY,UAAUxC;YACVyC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDjC,OAAO+B,GAAG,CAAC,6CAA6C,SAACC,MAAetB;QACtE,IAAMuB,WAA4B;YAChCY,UAAU,AAAC,GAAU,OAARxC,SAAQ;YACrByC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDjC,OAAOgD,IAAI,CAAC,mBAAmB,SAAOvC,KAAcC;;gBAE1CuC,qBAGAC,QAICzB;;;;;;;;;;wBAPDwB,sBAAsBxC,IAAI0C,IAAI;wBAGrB;;4BAAMC,YAASC,cAAc,CAAClD,OAAO8C;;;wBAA9CC,SAAS;wBAEf,qDAAqD;wBACrDxC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC2B;;;;;;wBACdzB;wBACPf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;4BACnBE,OAAO;4BACP6B,mBAAmB7B,AAAK,YAALA,OAAiB8B,SAAQ9B,MAAME,OAAO,GAAG;wBAC9D;;;;;;;;;;;QAEJ;;IAEA;;;;;GAKC,GACD3B,OAAO+B,GAAG,CAAC,oBAAoB,SAAOtB,KAAcC;;gBACgED,YAA1G+C,eAAeC,WAAWC,gCAAcC,yBAAYC,OAAYC,gBAAgBC,uBAyBlFZ,QASAa,iBASAC,SACAC,iBAcAC;;;;wBA1D4GzD,aAAAA,IAAI0D,KAAK,EAAnHX,gBAA0G/C,WAA1G+C,eAAeC,YAA2FhD,WAA3FgD,WAAWC,eAAgFjD,WAAhFiD,iCAAgFjD,WAAlEkD,OAAAA,sCAAQ,0CAA0DlD,WAAtDmD,OAAAA,sCAAQ,uBAAIC,iBAA0CpD,WAA1CoD,gBAAgBC,wBAA0BrD,WAA1BqD;wBAExF,+BAA+B;wBAC/B,IAAIN,kBAAkB,QAAQ;4BAC5B;;gCAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACG,aAAa,OAAOA,cAAc,UAAU;4BAC/C;;gCAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACI,gBAAgB,OAAOA,iBAAiB,UAAU;4BACrD;;gCAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGe;;4BAAMF,YAASgB,SAAS,CAACjE,OAAOsD;;;wBAAzCP,SAAS;wBACf,IAAI,CAACA,QAAQ;4BACX;;gCAAOxC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGwB;;4BAAMF,YAASiB,mBAAmB,CAAClE,OAAOsD,WAAWC;;;wBAAvEK,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOrD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,uDAAuD;wBACjDU,UAAUM,IAAAA,kBAAU;wBACpBL,kBAAkB;4BACtBR,WAAAA;4BACAC,cAAAA;4BACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;4BAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQW;4BAC3CV,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBU;4BACtET,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBS;4BAC3FC,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;wBAC3B;wBAEA;;4BAAMvE,MAAMmB,GAAG,CAAC,AAAC,gBAAuB,OAAR0C,UAAWC,iBAAiB;;;wBAA5D,eAAqE,aAAa;wBAElF,oCAAoC;wBAC9BC,YAAY,IAAIU,IAAI,AAAC,qCAAsE,OAAlCrE,aAAasE,QAAQ,IAAI,UAAS;wBACjGX,UAAUY,YAAY,CAACxD,GAAG,CAAC,aAAaf,aAAawE,QAAQ;wBAC7Db,UAAUY,YAAY,CAACxD,GAAG,CAAC,iBAAiB;wBAC5C4C,UAAUY,YAAY,CAACxD,GAAG,CAAC,gBAAgB,AAAC,GAAU,OAARjB,SAAQ;wBACtD6D,UAAUY,YAAY,CAACxD,GAAG,CAAC,SAAS,OAAOqC,UAAU,WAAWA,QAAQ;wBACxEO,UAAUY,YAAY,CAACxD,GAAG,CAAC,SAAS0C;wBACpCE,UAAUY,YAAY,CAACxD,GAAG,CAAC,iBAAiB;wBAE5C,+CAA+C;wBAC/C;;4BAAOZ,IAAIsE,QAAQ,CAACd,UAAUe,QAAQ;;;;QACxC;;IAEA;;;;;GAKC,GACDjF,OAAO+B,GAAG,CAAC,mBAAmB,SAAOtB,KAAcC;;gBACkBD,YAArDyE,QAAelB,SAASvC,SAAO6B,mBAyBvCW,iBAaEkB,UACAC,aAaAC,eAOEC,WAIFC,WAQAC,gBAQAC,SACAC,UAeAC,mBAOClE;;;;wBAtG0DhB,aAAAA,IAAI0D,KAAK,EAA9De,SAAqDzE,WAA3DiB,MAAqBsC,UAAsCvD,WAA7CmD,OAAgBnC,UAA6BhB,WAA7BgB,OAAO6B,oBAAsB7C,WAAtB6C;wBAE7C,gCAAgC;wBAChC,IAAI7B,SAAO;4BACT;;gCAAOf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAAA;oCACA6B,mBAAmBA,qBAAqB;gCAC1C;;wBACF;wBAEA,IAAI,CAAC4B,UAAU,OAAOA,WAAW,UAAU;4BACzC;;gCAAOxE,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,IAAI,CAACU,WAAW,OAAOA,YAAY,UAAU;4BAC3C;;gCAAOtD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGwB;;4BAAMnD,MAAM4B,GAAG,CAAC,AAAC,gBAAuB,OAARiC;;;wBAAlDC,kBAAkB;wBACxB,IAAI,CAACA,iBAAiB;4BACpB;;gCAAOvD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,8BAA8B;wBAC9B;;4BAAMnD,MAAMyF,MAAM,CAAC,AAAC,gBAAuB,OAAR5B;;;wBAAnC;;;;;;;;;wBAIQmB,WAAW,AAAC,qCAAsE,OAAlC5E,aAAasE,QAAQ,IAAI,UAAS;wBAClFO,cAAc,IAAIS,gBAAgB;4BACtCC,YAAY;4BACZpE,MAAMwD;4BACNzB,WAAWlD,aAAawE,QAAQ;4BAChCrB,cAAc,AAAC,GAAU,OAARrD,SAAQ;4BACzBsD,OAAOM,gBAAgBN,KAAK;wBAC9B;wBAEA,uDAAuD;wBACvD,IAAIpD,aAAawF,YAAY,EAAE;4BAC7BX,YAAY9D,GAAG,CAAC,iBAAiBf,aAAawF,YAAY;wBAC5D;wBAEsB;;4BAAMC,MAAMb,UAAU;gCAC1Cc,QAAQ;gCACRpF,SAAS;oCAAE,gBAAgB;gCAAoC;gCAC/DsC,MAAMiC,YAAYH,QAAQ;4BAC5B;;;wBAJMI,gBAAgB;6BAMlB,CAACA,cAAca,EAAE,EAAjB;;;;wBACiB;;4BAAMb,cAAc9D,IAAI;;;wBAArC+D,YAAa;wBACnB,MAAM,IAAI/B,MAAM,AAAC,oCAAkF,OAA/C+B,UAAUhC,iBAAiB,IAAIgC,UAAU7D,KAAK;;wBAGjF;;4BAAM4D,cAAc9D,IAAI;;;wBAArCgE,YAAa;wBAOnB,iDAAiD;wBAC3CC,iBAAiC;4BACrCW,aAAaZ,UAAUa,YAAY;2BAC/Bb,UAAUc,aAAa,IAAI;4BAAEC,cAAcf,UAAUc,aAAa;wBAAC;4BACvEE,WAAW9B,KAAKC,GAAG,KAAKa,UAAUiB,UAAU,GAAG;4BAC/C7C,OAAO4B,UAAU5B,KAAK;;wBAGxB,4DAA4D;wBACtD8B,UAAUnB,IAAAA,kBAAU;wBACpBoB,WAA8B;4BAClChE,MAAM+D;4BACNhC,WAAWQ,gBAAgBR,SAAS;4BACpCC,cAAcO,gBAAgBP,YAAY;4BAC1CC,OAAOM,gBAAgBN,KAAK;2BACxBM,gBAAgBJ,cAAc,IAAI;4BAAEA,gBAAgBI,gBAAgBJ,cAAc;wBAAC,GACnFI,gBAAgBH,qBAAqB,IAAI;4BAAEA,uBAAuBG,gBAAgBH,qBAAqB;wBAAC;4BAC5G0B,gBAAAA;4BACAhB,YAAYC,KAAKC,GAAG;4BACpBC,YAAYF,KAAKC,GAAG,KAAK;;wBAG3B;;4BAAMtB,YAASqD,WAAW,CAACtG,OAAOsF,SAASC;;;wBAA3C;wBAEA,0DAA0D;wBACpDC,oBAAoB,IAAIf,IAAIX,gBAAgBP,YAAY;wBAC9DiC,kBAAkBb,YAAY,CAACxD,GAAG,CAAC,QAAQmE;wBAC3C,IAAIxB,gBAAgBL,KAAK,EAAE;4BACzB+B,kBAAkBb,YAAY,CAACxD,GAAG,CAAC,SAAS2C,gBAAgBL,KAAK;wBACnE;wBAEA;;4BAAOlD,IAAIsE,QAAQ,CAACW,kBAAkBV,QAAQ;;;wBACvCxD;wBACP;;4BAAOf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB7B,AAAK,YAALA,OAAiB8B,SAAQ9B,MAAME,OAAO,GAAG;4BAC9D;;;;;;;;QAEJ;;IAEA;;;GAGC,GACD3B,OAAOgD,IAAI,CAAC,gBAAgB,SAAOvC,KAAcC;;gBAE3C+C,WACAiD,eAGE9F,YAEE+F,mBACAC,aACeA,oBAAdhF,IAAIiF,QAK4DpG,WAAjEqF,YAAYpE,MAAMgC,cAAc2C,eAAeS,eAoB/CC,eASArB,UAkCWA,iCAATO,QACAe,mBAcFb,aACAc,mBAEA1B,WAoCAwB,gBASAxB,YASF2B,yBAOY3G,wBAHN4G,UAgBC1F,OAOL2F,gBACAC;;;;wBAjLR,mEAAmE;wBAC/D5D,YAAYhD,IAAI0C,IAAI,CAACM,SAAS;wBAC9BiD,gBAAgBjG,IAAI0C,IAAI,CAACuD,aAAa;wBAE1C,sEAAsE;wBAChE9F,aAAaH,IAAII,OAAO,CAACC,aAAa;wBAC5C,IAAIF,cAAcA,WAAWQ,UAAU,CAAC,WAAW;4BAC3CuF,oBAAoB/F,WAAW0G,SAAS,CAAC;4BACzCV,cAAcW,OAAOC,IAAI,CAACb,mBAAmB,UAAU1B,QAAQ,CAAC;4BACjD2B,sCAAAA,YAAYa,KAAK,CAAC,UAAhC7F,KAAcgF,uBAAVC,SAAUD;4BACrBnD,YAAY7B;4BACZ8E,gBAAgBG;wBAClB;wBAEyEpG,YAAAA,IAAI0C,IAAI,EAAzE2C,aAAiErF,UAAjEqF,YAAYpE,OAAqDjB,UAArDiB,MAAMgC,eAA+CjD,UAA/CiD,cAAc2C,gBAAiC5F,UAAjC4F,eAAeS,gBAAkBrG,UAAlBqG;wBAEvD,sBAAsB;wBACtB,IAAI,CAAChB,YAAY;4BACf;;gCAAOpF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;6BAEIwC,CAAAA,eAAe,oBAAmB,GAAlCA;;;;wBACF,2BAA2B;wBAC3B,IAAI,CAACpE,QAAQ,CAAC+B,aAAa,CAACC,cAAc;4BACxC;;gCAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMF,YAASsE,cAAc,CAACvH,OAAOsD,WAAWiD,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFK,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOrG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGiB;;4BAAMF,YAASuE,WAAW,CAACxH,OAAOuB;;;wBAA7CgE,WAAW;wBACjB,IAAI,CAACA,UAAU;4BACb;;gCAAOhF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,8BAA8B;wBAC9B,IAAIoC,SAASjC,SAAS,KAAKA,aAAaiC,SAAShC,YAAY,KAAKA,cAAc;4BAC9E;;gCAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;6BAEImB,CAAAA,KAAKC,GAAG,KAAKgB,SAASf,UAAU,AAAD,GAA/BF;;;;wBACF;;4BAAMrB,YAASwE,cAAc,CAACzH,OAAOuB;;;wBAArC;wBACA;;4BAAOhB,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB;4BACrB;;;wBAGF,wBAAwB;wBACxB,IAAIoC,SAAS7B,cAAc,EAAE;;4BAC3B,IAAI,CAACiD,eAAe;gCAClB;;oCAAOpG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wCAC1BE,OAAO;wCACP6B,mBAAmB;oCACrB;;4BACF;4BAEA,gDAAgD;4BAC1C2C,UAASP,kCAAAA,SAAS5B,qBAAqB,cAA9B4B,6CAAAA,kCAAkC;4BAC3CsB,oBAAoBf,WAAW,SAAS4B,IAAAA,kBAAU,EAAC,UAAUC,MAAM,CAAChB,eAAeiB,MAAM,CAAC,eAAejB;4BAE/G,IAAIE,sBAAsBtB,SAAS7B,cAAc,EAAE;gCACjD;;oCAAOnD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wCAC1BE,OAAO;wCACP6B,mBAAmB;oCACrB;;4BACF;wBACF;wBAEA,2CAA2C;wBAC3C;;4BAAMF,YAASwE,cAAc,CAACzH,OAAOuB;;;wBAArC;wBAEA,4BAA4B;wBACtByE,cAAc7B,IAAAA,kBAAU;wBACxB2C,oBAAoB3C,IAAAA,kBAAU;wBAE9BiB,YAAyB;4BAC7Ba,cAAcD;4BACd6B,YAAY;4BACZxB,YAAY;4BACZH,eAAeY;4BACftD,OAAO+B,SAAS/B,KAAK;4BACrBF,WAAAA;4BACA+B,gBAAgBE,SAASF,cAAc;4BACvChB,YAAYC,KAAKC,GAAG;wBACtB;wBAEA;;4BAAMtB,YAAS6E,cAAc,CAAC9H,OAAOgG,aAAaZ;;;wBAAlD;wBACA;;4BAAMnC,YAAS8E,eAAe,CAAC/H,OAAO8G,mBAAmB1B;;;wBAAzD;wBAEA,oDAAoD;wBACpD;;4BAAMnC,YAAS+E,iBAAiB,CAAChI,OAAOgG,aAAaT,SAASF,cAAc;;;wBAA5E;wBAEA,wBAAwB;wBACxB;;4BAAO9E,IAAIa,IAAI,CAAC;gCACd6E,cAAcb,UAAUa,YAAY;gCACpC4B,YAAYzC,UAAUyC,UAAU;gCAChCxB,YAAYjB,UAAUiB,UAAU;gCAChCH,eAAed,UAAUc,aAAa;gCACtC1C,OAAO4B,UAAU5B,KAAK;4BACxB;;;6BAEEmC,CAAAA,eAAe,eAAc,GAA7BA;;;;wBACF,sBAAsB;wBACtB,IAAI,CAACO,iBAAiB,CAAC5C,WAAW;4BAChC;;gCAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGsB;;4BAAMF,YAASsE,cAAc,CAACvH,OAAOsD,WAAWiD,0BAAAA,2BAAAA,gBAAiB;;;wBAAjFK,iBAAgB;wBACtB,IAAI,CAACA,gBAAe;4BAClB;;gCAAOrG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAGkB;;4BAAMF,YAASgF,eAAe,CAACjI,OAAOkG;;;wBAAlDd,aAAY;wBAClB,IAAI,CAACA,cAAaA,WAAU9B,SAAS,KAAKA,WAAW;4BACnD;;gCAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,uCAAuC;wBACnC4D,0BAA0B3B,WAAUC,cAAc;6BAClDD,WAAUC,cAAc,CAACc,YAAY,EAArCf;;;;;;;;;;;;wBAEA,+DAA+D;wBACzD4B,WAAW,IAAIkB,uBAAgB,CAAC;4BACpCtD,UAAUxE,aAAawE,QAAQ;2BAC3BxE,aAAawF,YAAY,IAAI;4BAAEA,cAAcxF,aAAawF,YAAY;wBAAC;4BAC3ElB,QAAQ,GAAEtE,yBAAAA,aAAasE,QAAQ,cAArBtE,oCAAAA,yBAAyB;4BACnCoD,OAAO4B,WAAU5B,KAAK;4BACtB2E,gBAAgB,AAAC,GAAU,OAARjI,SAAQ;4BAC3BkI,QAAQ;gCACNC,MAAMC,QAAQC,GAAG;gCACjBjH,OAAOgH,QAAQhH,KAAK;gCACpBkH,MAAMF,QAAQE,IAAI;gCAClBC,OAAO,YAAO;4BAChB;;wBAIwB;;4BAAMzB,SAAS0B,kBAAkB,CAACtD,WAAUC,cAAc,CAACc,YAAY;;;wBADjG,qCAAqC;wBACrCY,0BAA0B;;;;;;wBACnBzF;wBACP,4EAA4E;wBAC5EgH,QAAQE,IAAI,CAAC,yDAAyDlH,AAAK,YAALA,OAAiB8B,SAAQ9B,MAAME,OAAO,GAAGmH,OAAOrH;;;;;;wBAI1H,gCAAgC;wBAC1B2F,iBAAiB9C,IAAAA,kBAAU;wBAC3B+C,eAA4B,wCAC7B9B;4BACHa,cAAcgB;4BACd5C,YAAYC,KAAKC,GAAG;;wBAGtB;;4BAAMtB,YAAS6E,cAAc,CAAC9H,OAAOiH,gBAAgBC;;;wBAArD;wBAEA,kEAAkE;wBAClE;;4BAAMjE,YAAS+E,iBAAiB,CAAChI,OAAOiH,gBAAgBF;;;wBAAxD;wBAEA;;4BAAOxG,IAAIa,IAAI,CAAC;gCACd6E,cAAciB,aAAajB,YAAY;gCACvC4B,YAAYX,aAAaW,UAAU;gCACnCxB,YAAYa,aAAab,UAAU;gCACnC7C,OAAO0D,aAAa1D,KAAK;4BAC3B;;;wBAEF;;4BAAOjD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB;4BACrB;;;;QACF;;IAEA;;;GAGC,GACDtD,OAAOgD,IAAI,CAAC,iBAAiB,SAAOvC,KAAcC;;gBACaD,WAArDsI,OAAOC,iBAAiBvF,WAAWiD,eAWnCK;;;;wBAXqDtG,YAAAA,IAAI0C,IAAI,EAA7D4F,QAAqDtI,UAArDsI,OAAOC,kBAA8CvI,UAA9CuI,iBAAiBvF,YAA6BhD,UAA7BgD,WAAWiD,gBAAkBjG,UAAlBiG;wBAE3C,IAAI,CAACqC,OAAO;4BACV;;gCAAOrI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;6BAGIG,CAAAA,aAAaiD,aAAY,GAAzBjD;;;;wBACoB;;4BAAML,YAASsE,cAAc,CAACvH,OAAOsD,WAAWiD;;;wBAAhEK,gBAAgB;wBACtB,IAAI,CAACA,eAAe;4BAClB;;gCAAOrG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;;;6BAIE0F,CAAAA,oBAAoB,eAAc,GAAlCA;;;;wBACF;;4BAAM5F,YAAS6F,kBAAkB,CAAC9I,OAAO4I;;;wBAAzC;;;;;;6BACSC,CAAAA,oBAAoB,cAAa,GAAjCA;;;;wBACT;;4BAAM5F,YAAS8F,iBAAiB,CAAC/I,OAAO4I;;;wBAAxC;wBACA;;4BAAM3F,YAAS+F,oBAAoB,CAAChJ,OAAO4I;;;wBAA3C;;;;;;wBAEA,qBAAqB;wBACrB;;4BAAM3F,YAAS6F,kBAAkB,CAAC9I,OAAO4I;;;wBAAzC;wBACA;;4BAAM3F,YAAS8F,iBAAiB,CAAC/I,OAAO4I;;;wBAAxC;wBACA;;4BAAM3F,YAAS+F,oBAAoB,CAAChJ,OAAO4I;;;wBAA3C;;;wBAGF,+CAA+C;wBAC/C;;4BAAOrI,IAAIW,MAAM,CAAC,KAAK+H,IAAI;;;;QAC7B;;IAEA;;;;;;GAMC,GACDpJ,OAAO+B,GAAG,CAAC,iBAAiB,SAAOtB,KAAcC;;gBAEzCE,YASAmI,OAGAxD,WAUAb,KACA6B,WAaA8C;;;;wBArCN,iDAAiD;wBAC3CzI,aAAaH,IAAII,OAAO,CAACC,aAAa;wBAE5C,IAAI,CAACF,cAAc,CAACA,WAAWQ,UAAU,CAAC,YAAY;4BACpD;;gCAAOV,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEMyF,QAAQnI,WAAW0G,SAAS,CAAC,IAAI,0BAA0B;wBAG/C;;4BAAMlE,YAASkG,cAAc,CAACnJ,OAAO4I;;;wBAAjDxD,YAAY;wBAElB,IAAI,CAACA,WAAW;4BACd;;gCAAO7E,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oCAC1BE,OAAO;oCACP6B,mBAAmB;gCACrB;;wBACF;wBAEA,4BAA4B;wBACtBoB,MAAMD,KAAKC,GAAG;wBACd6B,YAAYhB,UAAUf,UAAU,GAAGe,UAAUiB,UAAU,GAAG;6BAE5D9B,CAAAA,MAAM6B,SAAQ,GAAd7B;;;;wBACF,uBAAuB;wBACvB;;4BAAMtB,YAAS8F,iBAAiB,CAAC/I,OAAO4I;;;wBAAxC;wBACA;;4BAAM3F,YAAS+F,oBAAoB,CAAChJ,OAAO4I;;;wBAA3C;wBACA;;4BAAOrI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gCAC1BE,OAAO;gCACP6B,mBAAmB;4BACrB;;;wBAGF,yDAAyD;wBACnD+F,WAAW;4BACfN,OAAAA;4BACAhE,UAAUQ,UAAU9B,SAAS;4BAC7B8F,QAAQhE,UAAU5B,KAAK,GAAG4B,UAAU5B,KAAK,CAAC8D,KAAK,CAAC;4BAChDlB,WAAAA;4BACAf,gBAAgBD,UAAUC,cAAc;wBAC1C;wBAEA;;4BAAO9E,IAAIa,IAAI,CAAC8H;;;;QAClB;;IAEA;;GAEC,GACDrJ,OAAO+B,GAAG,CAAC,kBAAkB,SAAOC,MAAetB;;gBAC3C8I;;;;wBAAU;;4BAAMpG,YAASqG,WAAW,CAACtJ;;;wBAArCqJ,UAAU;wBAChB9I,IAAIa,IAAI,CAACiI;;;;;;QACX;;IAEA,OAAOxJ;AACT"}

package/dist/cjs/lib/dcr-utils.js CHANGED Viewed

@@ -380,6 +380,9 @@ function _ts_generator(thisArg, body) {
         };
     }
 }
+var TEN_MINUTES_MS = 10 * 60 * 1000;
+var ONE_HOUR_MS = 60 * 60 * 1000;
+var THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;
 function registerClient(store, metadata) {
     return _async_to_generator(function() {
         var _metadata_grant_types, _metadata_response_types, _metadata_token_endpoint_auth_method, client_id, client_secret, grant_types, response_types, client, created_at, clientInfo;
@@ -648,7 +651,7 @@ function setProviderTokens(store, dcrToken, tokens) {
                 case 0:
                     return [
                         4,
-                        store.set("dcr:provider:".concat(dcrToken), tokens)
+                        store.set("dcr:provider:".concat(dcrToken), tokens, ONE_HOUR_MS)
                     ];
                 case 1:
                     _state.sent();
@@ -702,7 +705,7 @@ function setAuthCode(store, code, authCode) {
                 case 0:
                     return [
                         4,
-                        store.set("dcr:authcode:".concat(code), authCode)
+                        store.set("dcr:authcode:".concat(code), authCode, TEN_MINUTES_MS)
                     ];
                 case 1:
                     _state.sent();
@@ -756,7 +759,7 @@ function setAccessToken(store, token, tokenData) {
                 case 0:
                     return [
                         4,
-                        store.set("dcr:access:".concat(token), tokenData)
+                        store.set("dcr:access:".concat(token), tokenData, ONE_HOUR_MS)
                     ];
                 case 1:
                     _state.sent();
@@ -810,7 +813,7 @@ function setRefreshToken(store, token, tokenData) {
                 case 0:
                     return [
                         4,
-                        store.set("dcr:refresh:".concat(token), tokenData)
+                        store.set("dcr:refresh:".concat(token), tokenData, THIRTY_DAYS_MS)
                     ];
                 case 1:
                     _state.sent();

package/dist/cjs/lib/dcr-utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-utils.ts"],"sourcesContent":["/*\n DCR Storage Utilities\n \n Keyv-based storage utilities for Dynamic Client Registration.\n * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.\n \n Key Patterns:\n * - dcr:client:{clientId} -> RegisteredClient\n * - dcr:provider:{dcrToken} -> ProviderTokens\n * - dcr:authcode:{code} -> AuthorizationCode\n * - dcr:access:{token} -> AccessToken\n * - dcr:refresh:{token} -> AccessToken\n /\n\nimport type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';\nimport { randomUUID } from 'crypto';\nimport type { Keyv } from 'keyv';\nimport type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.ts';\n\n// ============================================================================\n// Client Operations\n// ============================================================================\n\n/\n Register a new OAuth client (RFC 7591 Section 3.1)\n \n @param store - Keyv store for all DCR data\n * @param metadata - Client registration metadata\n * @returns Registered client with credentials\n * @throws Error if validation fails\n /\nexport async function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation> {\n // Validate redirect URIs (required per RFC 7591)\n if (!metadata.redirect_uris \|\| metadata.redirect_uris.length === 0) {\n throw new Error('redirect_uris is required');\n }\n\n // Generate client credentials\n const client_id = `dcr_${randomUUID()}`;\n const client_secret = randomUUID();\n\n // Default grant types and response types per RFC 7591 Section 2\n const grant_types = metadata.grant_types ?? ['authorization_code', 'refresh_token'];\n const response_types = metadata.response_types ?? ['code'];\n\n // Build registered client - only include optional fields if they have values\n const client: RegisteredClient = {\n client_id,\n client_secret,\n client_id_issued_at: Math.floor(Date.now() / 1000),\n client_secret_expires_at: 0, // Never expires\n redirect_uris: metadata.redirect_uris,\n token_endpoint_auth_method: metadata.token_endpoint_auth_method ?? 'client_secret_basic',\n grant_types,\n response_types,\n ...(metadata.client_name !== undefined && { client_name: metadata.client_name }),\n ...(metadata.client_uri !== undefined && { client_uri: metadata.client_uri }),\n ...(metadata.logo_uri !== undefined && { logo_uri: metadata.logo_uri }),\n ...(metadata.scope !== undefined && { scope: metadata.scope }),\n ...(metadata.contacts !== undefined && { contacts: metadata.contacts }),\n ...(metadata.tos_uri !== undefined && { tos_uri: metadata.tos_uri }),\n ...(metadata.policy_uri !== undefined && { policy_uri: metadata.policy_uri }),\n ...(metadata.jwks_uri !== undefined && { jwks_uri: metadata.jwks_uri }),\n ...(metadata.jwks !== undefined && { jwks: metadata.jwks }),\n ...(metadata.software_id !== undefined && { software_id: metadata.software_id }),\n ...(metadata.software_version !== undefined && { software_version: metadata.software_version }),\n created_at: Date.now(),\n };\n\n // Store client\n await store.set(`dcr:client:${client_id}`, client);\n\n // Return client information (excluding internal created_at)\n const { created_at, ...clientInfo } = client;\n return clientInfo;\n}\n\n/\n Get a registered client by ID\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @returns Registered client or undefined if not found\n /\nexport async function getClient(store: Keyv, clientId: string): Promise<RegisteredClient \| undefined> {\n return await store.get(`dcr:client:${clientId}`);\n}\n\n/\n Validate client credentials\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param clientSecret - Client secret\n * @returns True if credentials are valid\n /\nexport async function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client) return false;\n return client.client_secret === clientSecret;\n}\n\n/\n Validate redirect URI for a client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param redirectUri - Redirect URI to validate\n * @returns True if redirect URI is registered\n /\nexport async function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client \|\| !client.redirect_uris) return false;\n return client.redirect_uris.includes(redirectUri);\n}\n\n/\n List all registered clients (for debugging)\n \n Note: This method uses Keyv's iterator which may not be available on all storage adapters.\n * For production use, consider maintaining a separate index of client IDs.\n \n @param store - Keyv store for all DCR data\n * @returns Array of all registered clients\n /\nexport async function listClients(store: Keyv): Promise<RegisteredClient[]> {\n const clients: RegisteredClient[] = [];\n\n // Check if iterator is available on the store\n if (store.iterator) {\n // Use iterator with namespace to iterate through dcr:client: keys\n const iterator = store.iterator('dcr:client:');\n for await (const [_key, value] of iterator) {\n if (value !== undefined) {\n clients.push(value as RegisteredClient);\n }\n }\n }\n\n return clients;\n}\n\n/\n Delete a registered client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n /\nexport async function deleteClient(store: Keyv, clientId: string): Promise<void> {\n await store.delete(`dcr:client:${clientId}`);\n}\n\n// ============================================================================\n// Provider Token Operations\n// ============================================================================\n\n/\n Store provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token (used as key)\n * @param tokens - Microsoft provider tokens (access, refresh, expiry)\n /\nexport async function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void> {\n await store.set(`dcr:provider:${dcrToken}`, tokens);\n}\n\n/\n Retrieve provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n * @returns Provider tokens or undefined if not found\n /\nexport async function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens \| undefined> {\n return await store.get(`dcr:provider:${dcrToken}`);\n}\n\n/\n Delete provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n /\nexport async function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void> {\n await store.delete(`dcr:provider:${dcrToken}`);\n}\n\n// ============================================================================\n// Authorization Code Operations\n// ============================================================================\n\n/\n Store an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @param authCode - Authorization code data\n /\nexport async function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void> {\n await store.set(`dcr:authcode:${code}`, authCode);\n}\n\n/\n Get an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @returns Authorization code data or undefined if not found\n /\nexport async function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode \| undefined> {\n return await store.get(`dcr:authcode:${code}`);\n}\n\n/\n Delete an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n /\nexport async function deleteAuthCode(store: Keyv, code: string): Promise<void> {\n await store.delete(`dcr:authcode:${code}`);\n}\n\n// ============================================================================\n// Access Token Operations\n// ============================================================================\n\n/\n Store an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @param tokenData - Access token data\n /\nexport async function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:access:${token}`, tokenData);\n}\n\n/\n Get an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @returns Access token data or undefined if not found\n /\nexport async function getAccessToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:access:${token}`);\n}\n\n/\n Delete an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n /\nexport async function deleteAccessToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:access:${token}`);\n}\n\n// ============================================================================\n// Refresh Token Operations\n// ============================================================================\n\n/\n Store a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @param tokenData - Access token data (contains refresh token context)\n /\nexport async function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:refresh:${token}`, tokenData);\n}\n\n/\n Get a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @returns Access token data or undefined if not found\n /\nexport async function getRefreshToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:refresh:${token}`);\n}\n\n/\n Delete a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n */\nexport async function deleteRefreshToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:refresh:${token}`);\n}\n"],"names":["deleteAccessToken","deleteAuthCode","deleteClient","deleteProviderTokens","deleteRefreshToken","getAccessToken","getAuthCode","getClient","getProviderTokens","getRefreshToken","listClients","registerClient","setAccessToken","setAuthCode","setProviderTokens","setRefreshToken","validateClient","validateRedirectUri","store","metadata","client_id","client_secret","grant_types","response_types","client","created_at","clientInfo","redirect_uris","length","Error","randomUUID","client_id_issued_at","Math","floor","Date","now","client_secret_expires_at","token_endpoint_auth_method","client_name","undefined","client_uri","logo_uri","scope","contacts","tos_uri","policy_uri","jwks_uri","jwks","software_id","software_version","set","clientId","get","clientSecret","redirectUri","includes","clients","iterator","_key","value","push","delete","dcrToken","tokens","code","authCode","token","tokenData"],"mappings":"AAAA;;;;;;;;;;;;CAYC;;;;;;;;;;;QAoPqBA;eAAAA;;QApCAC;eAAAA;;QAxEAC;eAAAA;;QAoCAC;eAAAA;;QA4GAC;eAAAA;;QA9CAC;eAAAA;;QApCAC;eAAAA;;QA9HAC;eAAAA;;QA0FAC;eAAAA;;QA4GAC;eAAAA;;QA7JAC;eAAAA;;QA9FAC;eAAAA;;QA4MAC;eAAAA;;QApCAC;eAAAA;;QApCAC;eAAAA;;QA4GAC;eAAAA;;QA/KAC;eAAAA;;QAcAC;eAAAA;;;sBA/FK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgBpB,SAAeN,eAAeO,KAAW,EAAEC,QAA2B;;YAWvDA,uBACGA,0BASOA,sCAdxBC,WACAC,eAGAC,aACAC,gBAGAC,QA2BEC,YAAeC;;;;oBAzCvB,iDAAiD;oBACjD,IAAI,CAACP,SAASQ,aAAa,IAAIR,SAASQ,aAAa,CAACC,MAAM,KAAK,GAAG;wBAClE,MAAM,IAAIC,MAAM;oBAClB;oBAEA,8BAA8B;oBACxBT,YAAY,AAAC,OAAmB,OAAbU,IAAAA,kBAAU;oBAC7BT,gBAAgBS,IAAAA,kBAAU;oBAEhC,gEAAgE;oBAC1DR,eAAcH,wBAAAA,SAASG,WAAW,cAApBH,mCAAAA;wBAAyB;wBAAsB;;oBAC7DI,kBAAiBJ,2BAAAA,SAASI,cAAc,cAAvBJ,sCAAAA;wBAA4B;;oBAEnD,6EAA6E;oBACvEK,SAA2B;wBAC/BJ,WAAAA;wBACAC,eAAAA;wBACAU,qBAAqBC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;wBAC7CC,0BAA0B;wBAC1BT,eAAeR,SAASQ,aAAa;wBACrCU,0BAA0B,GAAElB,uCAAAA,SAASkB,0BAA0B,cAAnClB,kDAAAA,uCAAuC;wBACnEG,aAAAA;wBACAC,gBAAAA;uBACIJ,SAASmB,WAAW,KAAKC,aAAa;wBAAED,aAAanB,SAASmB,WAAW;oBAAC,GAC1EnB,SAASqB,UAAU,KAAKD,aAAa;wBAAEC,YAAYrB,SAASqB,UAAU;oBAAC,GACvErB,SAASsB,QAAQ,KAAKF,aAAa;wBAAEE,UAAUtB,SAASsB,QAAQ;oBAAC,GACjEtB,SAASuB,KAAK,KAAKH,aAAa;wBAAEG,OAAOvB,SAASuB,KAAK;oBAAC,GACxDvB,SAASwB,QAAQ,KAAKJ,aAAa;wBAAEI,UAAUxB,SAASwB,QAAQ;oBAAC,GACjExB,SAASyB,OAAO,KAAKL,aAAa;wBAAEK,SAASzB,SAASyB,OAAO;oBAAC,GAC9DzB,SAAS0B,UAAU,KAAKN,aAAa;wBAAEM,YAAY1B,SAAS0B,UAAU;oBAAC,GACvE1B,SAAS2B,QAAQ,KAAKP,aAAa;wBAAEO,UAAU3B,SAAS2B,QAAQ;oBAAC,GACjE3B,SAAS4B,IAAI,KAAKR,aAAa;wBAAEQ,MAAM5B,SAAS4B,IAAI;oBAAC,GACrD5B,SAAS6B,WAAW,KAAKT,aAAa;wBAAES,aAAa7B,SAAS6B,WAAW;oBAAC,GAC1E7B,SAAS8B,gBAAgB,KAAKV,aAAa;wBAAEU,kBAAkB9B,SAAS8B,gBAAgB;oBAAC;wBAC7FxB,YAAYS,KAAKC,GAAG;;oBAGtB,eAAe;oBACf;;wBAAMjB,MAAMgC,GAAG,CAAC,AAAC,cAAuB,OAAV9B,YAAaI;;;oBAA3C;oBAEA,4DAA4D;oBACpDC,aAA8BD,OAA9BC,YAAeC,wCAAeF;;;oBACtC;;wBAAOE;;;;IACT;;AASO,SAAenB,UAAUW,KAAW,EAAEiC,QAAgB;;;;;oBACpD;;wBAAMjC,MAAMkC,GAAG,CAAC,AAAC,cAAsB,OAATD;;;oBAArC;;wBAAO;;;;IACT;;AAUO,SAAenC,eAAeE,KAAW,EAAEiC,QAAgB,EAAEE,YAAoB;;YAChF7B;;;;oBAAS;;wBAAMjB,UAAUW,OAAOiC;;;oBAAhC3B,SAAS;oBACf,IAAI,CAACA,QAAQ;;wBAAO;;oBACpB;;wBAAOA,OAAOH,aAAa,KAAKgC;;;;IAClC;;AAUO,SAAepC,oBAAoBC,KAAW,EAAEiC,QAAgB,EAAEG,WAAmB;;YACpF9B;;;;oBAAS;;wBAAMjB,UAAUW,OAAOiC;;;oBAAhC3B,SAAS;oBACf,IAAI,CAACA,UAAU,CAACA,OAAOG,aAAa,EAAE;;wBAAO;;oBAC7C;;wBAAOH,OAAOG,aAAa,CAAC4B,QAAQ,CAACD;;;;IACvC;;AAWO,SAAe5C,YAAYQ,KAAW;;YACrCsC,SAKEC,2GACYC,MAAMC;;;;oBANpBH;yBAGFtC,MAAMuC,QAAQ,EAAdvC;;;;oBACF,kEAAkE;oBAC5DuC,WAAWvC,MAAMuC,QAAQ,CAAC;;;;;;;;;;gDACEA;;;;;;;;;;;;;2DAAhBC,mBAAMC;oBACtB,IAAIA,UAAUpB,WAAW;wBACvBiB,QAAQI,IAAI,CAACD;oBACf;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oBAIJ;;wBAAOH;;;;IACT;;AAQO,SAAetD,aAAagB,KAAW,EAAEiC,QAAgB;;;;;oBAC9D;;wBAAMjC,MAAM2C,MAAM,CAAC,AAAC,cAAsB,OAATV;;;oBAAjC;;;;;;IACF;;AAaO,SAAerC,kBAAkBI,KAAW,EAAE4C,QAAgB,EAAEC,MAAsB;;;;;oBAC3F;;wBAAM7C,MAAMgC,GAAG,CAAC,AAAC,gBAAwB,OAATY,WAAYC;;;oBAA5C;;;;;;IACF;;AASO,SAAevD,kBAAkBU,KAAW,EAAE4C,QAAgB;;;;;oBAC5D;;wBAAM5C,MAAMkC,GAAG,CAAC,AAAC,gBAAwB,OAATU;;;oBAAvC;;wBAAO;;;;IACT;;AAQO,SAAe3D,qBAAqBe,KAAW,EAAE4C,QAAgB;;;;;oBACtE;;wBAAM5C,MAAM2C,MAAM,CAAC,AAAC,gBAAwB,OAATC;;;oBAAnC;;;;;;IACF;;AAaO,SAAejD,YAAYK,KAAW,EAAE8C,IAAY,EAAEC,QAA2B;;;;;oBACtF;;wBAAM/C,MAAMgC,GAAG,CAAC,AAAC,gBAAoB,OAALc,OAAQC;;;oBAAxC;;;;;;IACF;;AASO,SAAe3D,YAAYY,KAAW,EAAE8C,IAAY;;;;;oBAClD;;wBAAM9C,MAAMkC,GAAG,CAAC,AAAC,gBAAoB,OAALY;;;oBAAvC;;wBAAO;;;;IACT;;AAQO,SAAe/D,eAAeiB,KAAW,EAAE8C,IAAY;;;;;oBAC5D;;wBAAM9C,MAAM2C,MAAM,CAAC,AAAC,gBAAoB,OAALG;;;oBAAnC;;;;;;IACF;;AAaO,SAAepD,eAAeM,KAAW,EAAEgD,KAAa,EAAEC,SAAsB;;;;;oBACrF;;wBAAMjD,MAAMgC,GAAG,CAAC,AAAC,cAAmB,OAANgB,QAASC;;;oBAAvC;;;;;;IACF;;AASO,SAAe9D,eAAea,KAAW,EAAEgD,KAAa;;;;;oBACtD;;wBAAMhD,MAAMkC,GAAG,CAAC,AAAC,cAAmB,OAANc;;;oBAArC;;wBAAO;;;;IACT;;AAQO,SAAelE,kBAAkBkB,KAAW,EAAEgD,KAAa;;;;;oBAChE;;wBAAMhD,MAAM2C,MAAM,CAAC,AAAC,cAAmB,OAANK;;;oBAAjC;;;;;;IACF;;AAaO,SAAenD,gBAAgBG,KAAW,EAAEgD,KAAa,EAAEC,SAAsB;;;;;oBACtF;;wBAAMjD,MAAMgC,GAAG,CAAC,AAAC,eAAoB,OAANgB,QAASC;;;oBAAxC;;;;;;IACF;;AASO,SAAe1D,gBAAgBS,KAAW,EAAEgD,KAAa;;;;;oBACvD;;wBAAMhD,MAAMkC,GAAG,CAAC,AAAC,eAAoB,OAANc;;;oBAAtC;;wBAAO;;;;IACT;;AAQO,SAAe9D,mBAAmBc,KAAW,EAAEgD,KAAa;;;;;oBACjE;;wBAAMhD,MAAM2C,MAAM,CAAC,AAAC,eAAoB,OAANK;;;oBAAlC;;;;;;IACF"}
1	+ {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-utils.ts"],"sourcesContent":["/*\n DCR Storage Utilities\n \n Keyv-based storage utilities for Dynamic Client Registration.\n * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.\n \n Key Patterns:\n * - dcr:client:{clientId} -> RegisteredClient\n * - dcr:provider:{dcrToken} -> ProviderTokens\n * - dcr:authcode:{code} -> AuthorizationCode\n * - dcr:access:{token} -> AccessToken\n * - dcr:refresh:{token} -> AccessToken\n /\n\nimport type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';\nimport { randomUUID } from 'crypto';\nimport type { Keyv } from 'keyv';\nimport type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.ts';\n\nconst TEN_MINUTES_MS = 10 60 * 1000;\nconst ONE_HOUR_MS = 60 * 60 * 1000;\nconst THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;\n\n// ============================================================================\n// Client Operations\n// ============================================================================\n\n/*\n Register a new OAuth client (RFC 7591 Section 3.1)\n \n @param store - Keyv store for all DCR data\n * @param metadata - Client registration metadata\n * @returns Registered client with credentials\n * @throws Error if validation fails\n /\nexport async function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation> {\n // Validate redirect URIs (required per RFC 7591)\n if (!metadata.redirect_uris \|\| metadata.redirect_uris.length === 0) {\n throw new Error('redirect_uris is required');\n }\n\n // Generate client credentials\n const client_id = `dcr_${randomUUID()}`;\n const client_secret = randomUUID();\n\n // Default grant types and response types per RFC 7591 Section 2\n const grant_types = metadata.grant_types ?? ['authorization_code', 'refresh_token'];\n const response_types = metadata.response_types ?? ['code'];\n\n // Build registered client - only include optional fields if they have values\n const client: RegisteredClient = {\n client_id,\n client_secret,\n client_id_issued_at: Math.floor(Date.now() / 1000),\n client_secret_expires_at: 0, // Never expires\n redirect_uris: metadata.redirect_uris,\n token_endpoint_auth_method: metadata.token_endpoint_auth_method ?? 'client_secret_basic',\n grant_types,\n response_types,\n ...(metadata.client_name !== undefined && { client_name: metadata.client_name }),\n ...(metadata.client_uri !== undefined && { client_uri: metadata.client_uri }),\n ...(metadata.logo_uri !== undefined && { logo_uri: metadata.logo_uri }),\n ...(metadata.scope !== undefined && { scope: metadata.scope }),\n ...(metadata.contacts !== undefined && { contacts: metadata.contacts }),\n ...(metadata.tos_uri !== undefined && { tos_uri: metadata.tos_uri }),\n ...(metadata.policy_uri !== undefined && { policy_uri: metadata.policy_uri }),\n ...(metadata.jwks_uri !== undefined && { jwks_uri: metadata.jwks_uri }),\n ...(metadata.jwks !== undefined && { jwks: metadata.jwks }),\n ...(metadata.software_id !== undefined && { software_id: metadata.software_id }),\n ...(metadata.software_version !== undefined && { software_version: metadata.software_version }),\n created_at: Date.now(),\n };\n\n // Store client\n await store.set(`dcr:client:${client_id}`, client);\n\n // Return client information (excluding internal created_at)\n const { created_at, ...clientInfo } = client;\n return clientInfo;\n}\n\n/\n Get a registered client by ID\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @returns Registered client or undefined if not found\n /\nexport async function getClient(store: Keyv, clientId: string): Promise<RegisteredClient \| undefined> {\n return await store.get(`dcr:client:${clientId}`);\n}\n\n/\n Validate client credentials\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param clientSecret - Client secret\n * @returns True if credentials are valid\n /\nexport async function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client) return false;\n return client.client_secret === clientSecret;\n}\n\n/\n Validate redirect URI for a client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param redirectUri - Redirect URI to validate\n * @returns True if redirect URI is registered\n /\nexport async function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client \|\| !client.redirect_uris) return false;\n return client.redirect_uris.includes(redirectUri);\n}\n\n/\n List all registered clients (for debugging)\n \n Note: This method uses Keyv's iterator which may not be available on all storage adapters.\n * For production use, consider maintaining a separate index of client IDs.\n \n @param store - Keyv store for all DCR data\n * @returns Array of all registered clients\n /\nexport async function listClients(store: Keyv): Promise<RegisteredClient[]> {\n const clients: RegisteredClient[] = [];\n\n // Check if iterator is available on the store\n if (store.iterator) {\n // Use iterator with namespace to iterate through dcr:client: keys\n const iterator = store.iterator('dcr:client:');\n for await (const [_key, value] of iterator) {\n if (value !== undefined) {\n clients.push(value as RegisteredClient);\n }\n }\n }\n\n return clients;\n}\n\n/\n Delete a registered client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n /\nexport async function deleteClient(store: Keyv, clientId: string): Promise<void> {\n await store.delete(`dcr:client:${clientId}`);\n}\n\n// ============================================================================\n// Provider Token Operations\n// ============================================================================\n\n/\n Store provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token (used as key)\n * @param tokens - Microsoft provider tokens (access, refresh, expiry)\n /\nexport async function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void> {\n await store.set(`dcr:provider:${dcrToken}`, tokens, ONE_HOUR_MS);\n}\n\n/\n Retrieve provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n * @returns Provider tokens or undefined if not found\n /\nexport async function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens \| undefined> {\n return await store.get(`dcr:provider:${dcrToken}`);\n}\n\n/\n Delete provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n /\nexport async function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void> {\n await store.delete(`dcr:provider:${dcrToken}`);\n}\n\n// ============================================================================\n// Authorization Code Operations\n// ============================================================================\n\n/\n Store an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @param authCode - Authorization code data\n /\nexport async function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void> {\n await store.set(`dcr:authcode:${code}`, authCode, TEN_MINUTES_MS);\n}\n\n/\n Get an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @returns Authorization code data or undefined if not found\n /\nexport async function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode \| undefined> {\n return await store.get(`dcr:authcode:${code}`);\n}\n\n/\n Delete an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n /\nexport async function deleteAuthCode(store: Keyv, code: string): Promise<void> {\n await store.delete(`dcr:authcode:${code}`);\n}\n\n// ============================================================================\n// Access Token Operations\n// ============================================================================\n\n/\n Store an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @param tokenData - Access token data\n /\nexport async function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:access:${token}`, tokenData, ONE_HOUR_MS);\n}\n\n/\n Get an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @returns Access token data or undefined if not found\n /\nexport async function getAccessToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:access:${token}`);\n}\n\n/\n Delete an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n /\nexport async function deleteAccessToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:access:${token}`);\n}\n\n// ============================================================================\n// Refresh Token Operations\n// ============================================================================\n\n/\n Store a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @param tokenData - Access token data (contains refresh token context)\n /\nexport async function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:refresh:${token}`, tokenData, THIRTY_DAYS_MS);\n}\n\n/\n Get a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @returns Access token data or undefined if not found\n /\nexport async function getRefreshToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:refresh:${token}`);\n}\n\n/\n Delete a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n */\nexport async function deleteRefreshToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:refresh:${token}`);\n}\n"],"names":["deleteAccessToken","deleteAuthCode","deleteClient","deleteProviderTokens","deleteRefreshToken","getAccessToken","getAuthCode","getClient","getProviderTokens","getRefreshToken","listClients","registerClient","setAccessToken","setAuthCode","setProviderTokens","setRefreshToken","validateClient","validateRedirectUri","TEN_MINUTES_MS","ONE_HOUR_MS","THIRTY_DAYS_MS","store","metadata","client_id","client_secret","grant_types","response_types","client","created_at","clientInfo","redirect_uris","length","Error","randomUUID","client_id_issued_at","Math","floor","Date","now","client_secret_expires_at","token_endpoint_auth_method","client_name","undefined","client_uri","logo_uri","scope","contacts","tos_uri","policy_uri","jwks_uri","jwks","software_id","software_version","set","clientId","get","clientSecret","redirectUri","includes","clients","iterator","_key","value","push","delete","dcrToken","tokens","code","authCode","token","tokenData"],"mappings":"AAAA;;;;;;;;;;;;CAYC;;;;;;;;;;;QAwPqBA;eAAAA;;QApCAC;eAAAA;;QAxEAC;eAAAA;;QAoCAC;eAAAA;;QA4GAC;eAAAA;;QA9CAC;eAAAA;;QApCAC;eAAAA;;QA9HAC;eAAAA;;QA0FAC;eAAAA;;QA4GAC;eAAAA;;QA7JAC;eAAAA;;QA9FAC;eAAAA;;QA4MAC;eAAAA;;QApCAC;eAAAA;;QApCAC;eAAAA;;QA4GAC;eAAAA;;QA/KAC;eAAAA;;QAcAC;eAAAA;;;sBAnGK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAI3B,IAAMC,iBAAiB,KAAK,KAAK;AACjC,IAAMC,cAAc,KAAK,KAAK;AAC9B,IAAMC,iBAAiB,KAAK,KAAK,KAAK,KAAK;AAcpC,SAAeT,eAAeU,KAAW,EAAEC,QAA2B;;YAWvDA,uBACGA,0BASOA,sCAdxBC,WACAC,eAGAC,aACAC,gBAGAC,QA2BEC,YAAeC;;;;oBAzCvB,iDAAiD;oBACjD,IAAI,CAACP,SAASQ,aAAa,IAAIR,SAASQ,aAAa,CAACC,MAAM,KAAK,GAAG;wBAClE,MAAM,IAAIC,MAAM;oBAClB;oBAEA,8BAA8B;oBACxBT,YAAY,AAAC,OAAmB,OAAbU,IAAAA,kBAAU;oBAC7BT,gBAAgBS,IAAAA,kBAAU;oBAEhC,gEAAgE;oBAC1DR,eAAcH,wBAAAA,SAASG,WAAW,cAApBH,mCAAAA;wBAAyB;wBAAsB;;oBAC7DI,kBAAiBJ,2BAAAA,SAASI,cAAc,cAAvBJ,sCAAAA;wBAA4B;;oBAEnD,6EAA6E;oBACvEK,SAA2B;wBAC/BJ,WAAAA;wBACAC,eAAAA;wBACAU,qBAAqBC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;wBAC7CC,0BAA0B;wBAC1BT,eAAeR,SAASQ,aAAa;wBACrCU,0BAA0B,GAAElB,uCAAAA,SAASkB,0BAA0B,cAAnClB,kDAAAA,uCAAuC;wBACnEG,aAAAA;wBACAC,gBAAAA;uBACIJ,SAASmB,WAAW,KAAKC,aAAa;wBAAED,aAAanB,SAASmB,WAAW;oBAAC,GAC1EnB,SAASqB,UAAU,KAAKD,aAAa;wBAAEC,YAAYrB,SAASqB,UAAU;oBAAC,GACvErB,SAASsB,QAAQ,KAAKF,aAAa;wBAAEE,UAAUtB,SAASsB,QAAQ;oBAAC,GACjEtB,SAASuB,KAAK,KAAKH,aAAa;wBAAEG,OAAOvB,SAASuB,KAAK;oBAAC,GACxDvB,SAASwB,QAAQ,KAAKJ,aAAa;wBAAEI,UAAUxB,SAASwB,QAAQ;oBAAC,GACjExB,SAASyB,OAAO,KAAKL,aAAa;wBAAEK,SAASzB,SAASyB,OAAO;oBAAC,GAC9DzB,SAAS0B,UAAU,KAAKN,aAAa;wBAAEM,YAAY1B,SAAS0B,UAAU;oBAAC,GACvE1B,SAAS2B,QAAQ,KAAKP,aAAa;wBAAEO,UAAU3B,SAAS2B,QAAQ;oBAAC,GACjE3B,SAAS4B,IAAI,KAAKR,aAAa;wBAAEQ,MAAM5B,SAAS4B,IAAI;oBAAC,GACrD5B,SAAS6B,WAAW,KAAKT,aAAa;wBAAES,aAAa7B,SAAS6B,WAAW;oBAAC,GAC1E7B,SAAS8B,gBAAgB,KAAKV,aAAa;wBAAEU,kBAAkB9B,SAAS8B,gBAAgB;oBAAC;wBAC7FxB,YAAYS,KAAKC,GAAG;;oBAGtB,eAAe;oBACf;;wBAAMjB,MAAMgC,GAAG,CAAC,AAAC,cAAuB,OAAV9B,YAAaI;;;oBAA3C;oBAEA,4DAA4D;oBACpDC,aAA8BD,OAA9BC,YAAeC,wCAAeF;;;oBACtC;;wBAAOE;;;;IACT;;AASO,SAAetB,UAAUc,KAAW,EAAEiC,QAAgB;;;;;oBACpD;;wBAAMjC,MAAMkC,GAAG,CAAC,AAAC,cAAsB,OAATD;;;oBAArC;;wBAAO;;;;IACT;;AAUO,SAAetC,eAAeK,KAAW,EAAEiC,QAAgB,EAAEE,YAAoB;;YAChF7B;;;;oBAAS;;wBAAMpB,UAAUc,OAAOiC;;;oBAAhC3B,SAAS;oBACf,IAAI,CAACA,QAAQ;;wBAAO;;oBACpB;;wBAAOA,OAAOH,aAAa,KAAKgC;;;;IAClC;;AAUO,SAAevC,oBAAoBI,KAAW,EAAEiC,QAAgB,EAAEG,WAAmB;;YACpF9B;;;;oBAAS;;wBAAMpB,UAAUc,OAAOiC;;;oBAAhC3B,SAAS;oBACf,IAAI,CAACA,UAAU,CAACA,OAAOG,aAAa,EAAE;;wBAAO;;oBAC7C;;wBAAOH,OAAOG,aAAa,CAAC4B,QAAQ,CAACD;;;;IACvC;;AAWO,SAAe/C,YAAYW,KAAW;;YACrCsC,SAKEC,2GACYC,MAAMC;;;;oBANpBH;yBAGFtC,MAAMuC,QAAQ,EAAdvC;;;;oBACF,kEAAkE;oBAC5DuC,WAAWvC,MAAMuC,QAAQ,CAAC;;;;;;;;;;gDACEA;;;;;;;;;;;;;2DAAhBC,mBAAMC;oBACtB,IAAIA,UAAUpB,WAAW;wBACvBiB,QAAQI,IAAI,CAACD;oBACf;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oBAIJ;;wBAAOH;;;;IACT;;AAQO,SAAezD,aAAamB,KAAW,EAAEiC,QAAgB;;;;;oBAC9D;;wBAAMjC,MAAM2C,MAAM,CAAC,AAAC,cAAsB,OAATV;;;oBAAjC;;;;;;IACF;;AAaO,SAAexC,kBAAkBO,KAAW,EAAE4C,QAAgB,EAAEC,MAAsB;;;;;oBAC3F;;wBAAM7C,MAAMgC,GAAG,CAAC,AAAC,gBAAwB,OAATY,WAAYC,QAAQ/C;;;oBAApD;;;;;;IACF;;AASO,SAAeX,kBAAkBa,KAAW,EAAE4C,QAAgB;;;;;oBAC5D;;wBAAM5C,MAAMkC,GAAG,CAAC,AAAC,gBAAwB,OAATU;;;oBAAvC;;wBAAO;;;;IACT;;AAQO,SAAe9D,qBAAqBkB,KAAW,EAAE4C,QAAgB;;;;;oBACtE;;wBAAM5C,MAAM2C,MAAM,CAAC,AAAC,gBAAwB,OAATC;;;oBAAnC;;;;;;IACF;;AAaO,SAAepD,YAAYQ,KAAW,EAAE8C,IAAY,EAAEC,QAA2B;;;;;oBACtF;;wBAAM/C,MAAMgC,GAAG,CAAC,AAAC,gBAAoB,OAALc,OAAQC,UAAUlD;;;oBAAlD;;;;;;IACF;;AASO,SAAeZ,YAAYe,KAAW,EAAE8C,IAAY;;;;;oBAClD;;wBAAM9C,MAAMkC,GAAG,CAAC,AAAC,gBAAoB,OAALY;;;oBAAvC;;wBAAO;;;;IACT;;AAQO,SAAelE,eAAeoB,KAAW,EAAE8C,IAAY;;;;;oBAC5D;;wBAAM9C,MAAM2C,MAAM,CAAC,AAAC,gBAAoB,OAALG;;;oBAAnC;;;;;;IACF;;AAaO,SAAevD,eAAeS,KAAW,EAAEgD,KAAa,EAAEC,SAAsB;;;;;oBACrF;;wBAAMjD,MAAMgC,GAAG,CAAC,AAAC,cAAmB,OAANgB,QAASC,WAAWnD;;;oBAAlD;;;;;;IACF;;AASO,SAAed,eAAegB,KAAW,EAAEgD,KAAa;;;;;oBACtD;;wBAAMhD,MAAMkC,GAAG,CAAC,AAAC,cAAmB,OAANc;;;oBAArC;;wBAAO;;;;IACT;;AAQO,SAAerE,kBAAkBqB,KAAW,EAAEgD,KAAa;;;;;oBAChE;;wBAAMhD,MAAM2C,MAAM,CAAC,AAAC,cAAmB,OAANK;;;oBAAjC;;;;;;IACF;;AAaO,SAAetD,gBAAgBM,KAAW,EAAEgD,KAAa,EAAEC,SAAsB;;;;;oBACtF;;wBAAMjD,MAAMgC,GAAG,CAAC,AAAC,eAAoB,OAANgB,QAASC,WAAWlD;;;oBAAnD;;;;;;IACF;;AASO,SAAeX,gBAAgBY,KAAW,EAAEgD,KAAa;;;;;oBACvD;;wBAAMhD,MAAMkC,GAAG,CAAC,AAAC,eAAoB,OAANc;;;oBAAtC;;wBAAO;;;;IACT;;AAQO,SAAejE,mBAAmBiB,KAAW,EAAEgD,KAAa;;;;;oBACjE;;wBAAMhD,MAAM2C,MAAM,CAAC,AAAC,eAAoB,OAANK;;;oBAAlC;;;;;;IACF"}

package/dist/esm/lib/dcr-router.js CHANGED Viewed

@@ -28,6 +28,21 @@ import * as dcrUtils from './dcr-utils.js';
  */ export function createDcrRouter(config) {
     const router = express.Router();
     const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;
+    router.use('/mcp', (req, res, next)=>{
+        const authHeader = req.headers.authorization || req.headers.Authorization;
+        const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+        if (!headerValue || !headerValue.toLowerCase().startsWith('bearer ')) {
+            return res.status(401).set('WWW-Authenticate', `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32600,
+                    message: 'Missing Authorization header. DCR mode requires bearer token.'
+                },
+                id: null
+            });
+        }
+        return next();
+    });
     // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)
     router.use(express.json()); // For /oauth/register (application/json)
     router.use(express.urlencoded({

package/dist/esm/lib/dcr-router.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-router.ts"],"sourcesContent":["/*\n DCR Router - OAuth 2.0 Authorization Server\n \n Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n \n Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n /\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport as dcrUtils from './dcr-utils.ts';\n\n/*\n Configuration for DCR Router (self-hosted mode only)\n /\nexport interface DcrRouterConfig {\n /* Single Keyv store for all DCR data /\n store: Keyv;\n\n /* Authorization Server issuer URL /\n issuerUrl: string;\n\n /* Base URL for OAuth endpoints /\n baseUrl: string;\n\n /* Supported OAuth scopes /\n scopesSupported: string[];\n\n /* OAuth client configuration for upstream provider /\n clientConfig: OAuthClientConfig;\n}\n\n/\n Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n \n For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n \n @param config - Router configuration\n * @returns Express router with OAuth endpoints\n /\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n const router = express.Router();\n const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)\n router.use(express.json()); // For /oauth/register (application/json)\n router.use(express.urlencoded({ extended: true })); // For /oauth/token (application/x-www-form-urlencoded)\n\n /\n OAuth Authorization Server Metadata (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n /\n router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n const metadata: RFC8414Metadata = {\n issuer: issuerUrl,\n authorization_endpoint: `${baseUrl}/oauth/authorize`,\n token_endpoint: `${baseUrl}/oauth/token`,\n registration_endpoint: `${baseUrl}/oauth/register`,\n revocation_endpoint: `${baseUrl}/oauth/revoke`,\n scopes_supported: scopesSupported,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n code_challenge_methods_supported: ['S256', 'plain'],\n service_documentation: `${baseUrl}/docs`,\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Root)\n * GET /.well-known/oauth-protected-resource\n /\n router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: baseUrl,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n * GET /.well-known/oauth-protected-resource/mcp\n /\n router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: `${baseUrl}/mcp`,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n Dynamic Client Registration (RFC 7591)\n * POST /oauth/register\n /\n router.post('/oauth/register', async (req: Request, res: Response) => {\n try {\n const registrationRequest = req.body;\n\n // Register the client\n const client = await dcrUtils.registerClient(store, registrationRequest);\n\n // Return client information (RFC 7591 Section 3.2.1)\n res.status(201).json(client);\n } catch (error) {\n res.status(400).json({\n error: 'invalid_client_metadata',\n error_description: error instanceof Error ? error.message : 'Invalid registration request',\n });\n }\n });\n\n /\n OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n * GET /oauth/authorize\n \n Initiates Microsoft OAuth flow, then generates DCR authorization code\n /\n router.get('/oauth/authorize', async (req: Request, res: Response) => {\n const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n // Validate required parameters\n if (response_type !== 'code') {\n return res.status(400).json({\n error: 'unsupported_response_type',\n error_description: 'Only response_type=code is supported',\n });\n }\n\n if (!client_id \|\| typeof client_id !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'client_id is required',\n });\n }\n\n if (!redirect_uri \|\| typeof redirect_uri !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'redirect_uri is required',\n });\n }\n\n // Validate client\n const client = await dcrUtils.getClient(store, client_id);\n if (!client) {\n return res.status(400).json({\n error: 'invalid_client',\n error_description: 'Unknown client_id',\n });\n }\n\n // Validate redirect_uri\n const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n if (!isValidRedirect) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid redirect_uri',\n });\n }\n\n // Store DCR request state for Microsoft OAuth callback\n const msState = randomUUID();\n const dcrRequestState = {\n client_id,\n redirect_uri,\n scope: typeof scope === 'string' ? scope : '',\n state: typeof state === 'string' ? state : undefined,\n code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await store.set(`dcr:ms-state:${msState}`, dcrRequestState, 600000); // 10 min TTL\n\n // Build Microsoft authorization URL\n const msAuthUrl = new URL(`https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/authorize`);\n msAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n msAuthUrl.searchParams.set('response_type', 'code');\n msAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n msAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n msAuthUrl.searchParams.set('state', msState);\n msAuthUrl.searchParams.set('response_mode', 'query');\n\n // Redirect user to Microsoft for authorization\n return res.redirect(msAuthUrl.toString());\n });\n\n /\n OAuth Callback Handler\n * GET /oauth/callback\n \n Handles callback from Microsoft after user authorization\n /\n router.get('/oauth/callback', async (req: Request, res: Response) => {\n const { code: msCode, state: msState, error, error_description } = req.query;\n\n // Handle Microsoft OAuth errors\n if (error) {\n return res.status(400).json({\n error,\n error_description: error_description \|\| 'Microsoft OAuth authorization failed',\n });\n }\n\n if (!msCode \|\| typeof msCode !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Authorization code is required',\n });\n }\n\n if (!msState \|\| typeof msState !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'State parameter is required',\n });\n }\n\n // Retrieve original DCR request state\n const dcrRequestState = await store.get(`dcr:ms-state:${msState}`);\n if (!dcrRequestState) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid or expired state parameter',\n });\n }\n\n // Delete state (one-time use)\n await store.delete(`dcr:ms-state:${msState}`);\n\n // Exchange Microsoft authorization code for tokens\n try {\n const tokenUrl = `https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/token`;\n const tokenParams = new URLSearchParams({\n grant_type: 'authorization_code',\n code: msCode,\n client_id: clientConfig.clientId,\n redirect_uri: `${baseUrl}/oauth/callback`,\n scope: dcrRequestState.scope,\n });\n\n // Add client_secret if available (confidential client)\n if (clientConfig.clientSecret) {\n tokenParams.set('client_secret', clientConfig.clientSecret);\n }\n\n const tokenResponse = await fetch(tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: tokenParams.toString(),\n });\n\n if (!tokenResponse.ok) {\n const errorData = (await tokenResponse.json()) as { error?: string; error_description?: string };\n throw new Error(`Microsoft token exchange failed: ${errorData.error_description \|\| errorData.error}`);\n }\n\n const tokenData = (await tokenResponse.json()) as {\n access_token: string;\n refresh_token?: string;\n expires_in: number;\n scope: string;\n };\n\n // Create provider tokens from Microsoft response\n const providerTokens: ProviderTokens = {\n accessToken: tokenData.access_token,\n ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n expiresAt: Date.now() + tokenData.expires_in 1000,\n scope: tokenData.scope,\n };\n\n // Generate DCR authorization code with real provider tokens\n const dcrCode = randomUUID();\n const authCode: AuthorizationCode = {\n code: dcrCode,\n client_id: dcrRequestState.client_id,\n redirect_uri: dcrRequestState.redirect_uri,\n scope: dcrRequestState.scope,\n ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n providerTokens,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n // Redirect back to MCP client with DCR authorization code\n const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n clientRedirectUrl.searchParams.set('code', dcrCode);\n if (dcrRequestState.state) {\n clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n }\n\n return res.redirect(clientRedirectUrl.toString());\n } catch (error) {\n return res.status(500).json({\n error: 'server_error',\n error_description: error instanceof Error ? error.message : 'Failed to exchange authorization code',\n });\n }\n });\n\n /*\n OAuth Token Endpoint (RFC 6749 Section 3.2)\n * POST /oauth/token\n /\n router.post('/oauth/token', async (req: Request, res: Response) => {\n // Extract client credentials from either body or Basic Auth header\n let client_id = req.body.client_id;\n let client_secret = req.body.client_secret;\n\n // Support client_secret_basic authentication (RFC 6749 Section 2.3.1)\n const authHeader = req.headers.authorization;\n if (authHeader && authHeader.startsWith('Basic ')) {\n const base64Credentials = authHeader.substring(6);\n const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n const [id, secret] = credentials.split(':');\n client_id = id;\n client_secret = secret;\n }\n\n const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n // Validate grant_type\n if (!grant_type) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'grant_type is required',\n });\n }\n\n if (grant_type === 'authorization_code') {\n // Authorization Code Grant\n if (!code \|\| !client_id \|\| !redirect_uri) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code, client_id, and redirect_uri are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get authorization code\n const authCode = await dcrUtils.getAuthCode(store, code);\n if (!authCode) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid or expired authorization code',\n });\n }\n\n // Validate authorization code\n if (authCode.client_id !== client_id \|\| authCode.redirect_uri !== redirect_uri) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code mismatch',\n });\n }\n\n if (Date.now() > authCode.expires_at) {\n await dcrUtils.deleteAuthCode(store, code);\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code expired',\n });\n }\n\n // Validate PKCE if used\n if (authCode.code_challenge) {\n if (!code_verifier) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code_verifier is required for PKCE',\n });\n }\n\n // Validate code_verifier against code_challenge\n const method = authCode.code_challenge_method ?? 'plain';\n const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n if (computedChallenge !== authCode.code_challenge) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid code_verifier',\n });\n }\n }\n\n // Delete authorization code (one-time use)\n await dcrUtils.deleteAuthCode(store, code);\n\n // Generate DCR access token\n const accessToken = randomUUID();\n const refreshTokenValue = randomUUID();\n\n const tokenData: AccessToken = {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 3600,\n refresh_token: refreshTokenValue,\n scope: authCode.scope,\n client_id,\n providerTokens: authCode.providerTokens,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, accessToken, tokenData);\n await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n\n // Store provider tokens indexed by DCR access token\n await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n // Return token response\n return res.json({\n access_token: tokenData.access_token,\n token_type: tokenData.token_type,\n expires_in: tokenData.expires_in,\n refresh_token: tokenData.refresh_token,\n scope: tokenData.scope,\n });\n }\n if (grant_type === 'refresh_token') {\n // Refresh Token Grant\n if (!refresh_token \|\| !client_id) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'refresh_token and client_id are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get refresh token\n const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n if (!tokenData \|\| tokenData.client_id !== client_id) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid refresh token',\n });\n }\n\n // Refresh provider tokens if available\n let refreshedProviderTokens = tokenData.providerTokens;\n if (tokenData.providerTokens.refreshToken) {\n try {\n // Create DcrOAuthProvider instance to refresh Microsoft tokens\n const provider = new DcrOAuthProvider({\n clientId: clientConfig.clientId,\n ...(clientConfig.clientSecret && { clientSecret: clientConfig.clientSecret }),\n tenantId: clientConfig.tenantId ?? 'common',\n scope: tokenData.scope,\n verifyEndpoint: `${baseUrl}/oauth/verify`,\n logger: {\n info: console.log,\n error: console.error,\n warn: console.warn,\n debug: () => {},\n },\n });\n\n // Refresh the Microsoft access token\n refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n } catch (error) {\n // If refresh fails, continue with existing tokens (they may still be valid)\n console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n }\n }\n\n // Generate new DCR access token\n const newAccessToken = randomUUID();\n const newTokenData: AccessToken = {\n ...tokenData,\n access_token: newAccessToken,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n\n // Store refreshed provider tokens indexed by new DCR access token\n await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n return res.json({\n access_token: newTokenData.access_token,\n token_type: newTokenData.token_type,\n expires_in: newTokenData.expires_in,\n scope: newTokenData.scope,\n });\n }\n return res.status(400).json({\n error: 'unsupported_grant_type',\n error_description: 'Only authorization_code and refresh_token grants are supported',\n });\n });\n\n /\n OAuth Token Revocation (RFC 7009)\n * POST /oauth/revoke\n /\n router.post('/oauth/revoke', async (req: Request, res: Response) => {\n const { token, token_type_hint, client_id, client_secret } = req.body;\n\n if (!token) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'token is required',\n });\n }\n\n // Validate client if credentials provided\n if (client_id && client_secret) {\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n }\n\n // Revoke the token\n if (token_type_hint === 'refresh_token') {\n await dcrUtils.deleteRefreshToken(store, token);\n } else if (token_type_hint === 'access_token') {\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n } else {\n // No hint - try both\n await dcrUtils.deleteRefreshToken(store, token);\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n }\n\n // RFC 7009: Return 200 even if token not found\n return res.status(200).send();\n });\n\n /\n Token Verification Endpoint\n * GET /oauth/verify\n \n Validates bearer tokens for Resource Server.\n * Returns AuthInfo with provider tokens for stateless DCR pattern.\n /\n router.get('/oauth/verify', async (req: Request, res: Response) => {\n // Extract bearer token from Authorization header\n const authHeader = req.headers.authorization;\n\n if (!authHeader \|\| !authHeader.startsWith('Bearer ')) {\n return res.status(401).json({\n error: 'invalid_request',\n error_description: 'Missing or invalid Authorization header',\n });\n }\n\n const token = authHeader.substring(7); // Remove 'Bearer ' prefix\n\n // Validate token exists in access tokens store\n const tokenData = await dcrUtils.getAccessToken(store, token);\n\n if (!tokenData) {\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Unknown or expired access token',\n });\n }\n\n // Check if token is expired\n const now = Date.now();\n const expiresAt = tokenData.created_at + tokenData.expires_in 1000;\n\n if (now > expiresAt) {\n // Remove expired token\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Access token has expired',\n });\n }\n\n // Return AuthInfo with provider tokens for stateless DCR\n const authInfo = {\n token,\n clientId: tokenData.client_id,\n scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n expiresAt,\n providerTokens: tokenData.providerTokens,\n };\n\n return res.json(authInfo);\n });\n\n /*\n Debug endpoint to list registered clients (development only)\n */\n router.get('/debug/clients', async (_req: Request, res: Response) => {\n const clients = await dcrUtils.listClients(store);\n res.json(clients);\n });\n\n return router;\n}\n"],"names":["createHash","randomUUID","express","DcrOAuthProvider","dcrUtils","createDcrRouter","config","router","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","json","urlencoded","extended","get","_req","res","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","req","registrationRequest","body","client","registerClient","status","error","error_description","Error","message","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","query","getClient","isValidRedirect","validateRedirectUri","msState","dcrRequestState","undefined","created_at","Date","now","expires_at","set","msAuthUrl","URL","tenantId","searchParams","clientId","redirect","toString","code","msCode","delete","tokenUrl","tokenParams","URLSearchParams","grant_type","clientSecret","tokenResponse","fetch","method","headers","ok","errorData","tokenData","providerTokens","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","dcrCode","authCode","setAuthCode","clientRedirectUrl","client_secret","authHeader","authorization","startsWith","base64Credentials","substring","credentials","Buffer","from","id","secret","split","code_verifier","isValidClient","validateClient","getAuthCode","deleteAuthCode","computedChallenge","update","digest","refreshTokenValue","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","refreshedProviderTokens","provider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","newAccessToken","newTokenData","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","getAccessToken","authInfo","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC,GAGD,SAASA,UAAU,EAAEC,UAAU,QAAQ,SAAS;AAEhD,OAAOC,aAAa,UAAU;AAE9B,SAASC,gBAAgB,QAAQ,sBAAsB;AAEvD,YAAYC,cAAc,iBAAiB;AAsB3C;;;;;;;;CAQC,GACD,OAAO,SAASC,gBAAgBC,MAAuB;IACrD,MAAMC,SAASL,QAAQM,MAAM;IAC7B,MAAM,EAAEC,KAAK,EAAEC,SAAS,EAAEC,OAAO,EAAEC,eAAe,EAAEC,YAAY,EAAE,GAAGP;IAErE,+DAA+D;IAC/DC,OAAOO,GAAG,CAACZ,QAAQa,IAAI,KAAK,yCAAyC;IACrER,OAAOO,GAAG,CAACZ,QAAQc,UAAU,CAAC;QAAEC,UAAU;IAAK,KAAK,uDAAuD;IAE3G;;;GAGC,GACDV,OAAOW,GAAG,CAAC,2CAA2C,CAACC,MAAeC;QACpE,MAAMC,WAA4B;YAChCC,QAAQZ;YACRa,wBAAwB,GAAGZ,QAAQ,gBAAgB,CAAC;YACpDa,gBAAgB,GAAGb,QAAQ,YAAY,CAAC;YACxCc,uBAAuB,GAAGd,QAAQ,eAAe,CAAC;YAClDe,qBAAqB,GAAGf,QAAQ,aAAa,CAAC;YAC9CgB,kBAAkBf;YAClBgB,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,GAAGrB,QAAQ,KAAK,CAAC;QAC1C;QACAS,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDd,OAAOW,GAAG,CAAC,yCAAyC,CAACC,MAAeC;QAClE,MAAMC,WAA4B;YAChCY,UAAUtB;YACVuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDd,OAAOW,GAAG,CAAC,6CAA6C,CAACC,MAAeC;QACtE,MAAMC,WAA4B;YAChCY,UAAU,GAAGtB,QAAQ,IAAI,CAAC;YAC1BuB,uBAAuB;gBAACvB;aAAQ;YAChCgB,kBAAkBf;YAClBuB,0BAA0B;gBAAC;aAAS;QACtC;QACAf,IAAIL,IAAI,CAACM;IACX;IAEA;;;GAGC,GACDd,OAAO6B,IAAI,CAAC,mBAAmB,OAAOC,KAAcjB;QAClD,IAAI;YACF,MAAMkB,sBAAsBD,IAAIE,IAAI;YAEpC,sBAAsB;YACtB,MAAMC,SAAS,MAAMpC,SAASqC,cAAc,CAAChC,OAAO6B;YAEpD,qDAAqD;YACrDlB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAACyB;QACvB,EAAE,OAAOG,OAAO;YACdvB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBACnB4B,OAAO;gBACPC,mBAAmBD,iBAAiBE,QAAQF,MAAMG,OAAO,GAAG;YAC9D;QACF;IACF;IAEA;;;;;GAKC,GACDvC,OAAOW,GAAG,CAAC,oBAAoB,OAAOmB,KAAcjB;QAClD,MAAM,EAAE2B,aAAa,EAAEC,SAAS,EAAEC,YAAY,EAAEC,QAAQ,EAAE,EAAEC,QAAQ,EAAE,EAAEC,cAAc,EAAEC,qBAAqB,EAAE,GAAGhB,IAAIiB,KAAK;QAE3H,+BAA+B;QAC/B,IAAIP,kBAAkB,QAAQ;YAC5B,OAAO3B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACI,aAAa,OAAOA,cAAc,UAAU;YAC/C,OAAO5B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACK,gBAAgB,OAAOA,iBAAiB,UAAU;YACrD,OAAO7B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,kBAAkB;QAClB,MAAMJ,SAAS,MAAMpC,SAASmD,SAAS,CAAC9C,OAAOuC;QAC/C,IAAI,CAACR,QAAQ;YACX,OAAOpB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,wBAAwB;QACxB,MAAMY,kBAAkB,MAAMpD,SAASqD,mBAAmB,CAAChD,OAAOuC,WAAWC;QAC7E,IAAI,CAACO,iBAAiB;YACpB,OAAOpC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,uDAAuD;QACvD,MAAMc,UAAUzD;QAChB,MAAM0D,kBAAkB;YACtBX;YACAC;YACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;YAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQS;YAC3CR,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBQ;YACtEP,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBO;YAC3FC,YAAYC,KAAKC,GAAG;YACpBC,YAAYF,KAAKC,GAAG,KAAK;QAC3B;QAEA,MAAMtD,MAAMwD,GAAG,CAAC,CAAC,aAAa,EAAEP,SAAS,EAAEC,iBAAiB,SAAS,aAAa;QAElF,oCAAoC;QACpC,MAAMO,YAAY,IAAIC,IAAI,CAAC,kCAAkC,EAAEtD,aAAauD,QAAQ,IAAI,SAAS,sBAAsB,CAAC;QACxHF,UAAUG,YAAY,CAACJ,GAAG,CAAC,aAAapD,aAAayD,QAAQ;QAC7DJ,UAAUG,YAAY,CAACJ,GAAG,CAAC,iBAAiB;QAC5CC,UAAUG,YAAY,CAACJ,GAAG,CAAC,gBAAgB,GAAGtD,QAAQ,eAAe,CAAC;QACtEuD,UAAUG,YAAY,CAACJ,GAAG,CAAC,SAAS,OAAOf,UAAU,WAAWA,QAAQ;QACxEgB,UAAUG,YAAY,CAACJ,GAAG,CAAC,SAASP;QACpCQ,UAAUG,YAAY,CAACJ,GAAG,CAAC,iBAAiB;QAE5C,+CAA+C;QAC/C,OAAO7C,IAAImD,QAAQ,CAACL,UAAUM,QAAQ;IACxC;IAEA;;;;;GAKC,GACDjE,OAAOW,GAAG,CAAC,mBAAmB,OAAOmB,KAAcjB;QACjD,MAAM,EAAEqD,MAAMC,MAAM,EAAEvB,OAAOO,OAAO,EAAEf,KAAK,EAAEC,iBAAiB,EAAE,GAAGP,IAAIiB,KAAK;QAE5E,gCAAgC;QAChC,IAAIX,OAAO;YACT,OAAOvB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B;gBACAC,mBAAmBA,qBAAqB;YAC1C;QACF;QAEA,IAAI,CAAC8B,UAAU,OAAOA,WAAW,UAAU;YACzC,OAAOtD,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACc,WAAW,OAAOA,YAAY,UAAU;YAC3C,OAAOtC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,sCAAsC;QACtC,MAAMe,kBAAkB,MAAMlD,MAAMS,GAAG,CAAC,CAAC,aAAa,EAAEwC,SAAS;QACjE,IAAI,CAACC,iBAAiB;YACpB,OAAOvC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,8BAA8B;QAC9B,MAAMnC,MAAMkE,MAAM,CAAC,CAAC,aAAa,EAAEjB,SAAS;QAE5C,mDAAmD;QACnD,IAAI;YACF,MAAMkB,WAAW,CAAC,kCAAkC,EAAE/D,aAAauD,QAAQ,IAAI,SAAS,kBAAkB,CAAC;YAC3G,MAAMS,cAAc,IAAIC,gBAAgB;gBACtCC,YAAY;gBACZN,MAAMC;gBACN1B,WAAWnC,aAAayD,QAAQ;gBAChCrB,cAAc,GAAGtC,QAAQ,eAAe,CAAC;gBACzCuC,OAAOS,gBAAgBT,KAAK;YAC9B;YAEA,uDAAuD;YACvD,IAAIrC,aAAamE,YAAY,EAAE;gBAC7BH,YAAYZ,GAAG,CAAC,iBAAiBpD,aAAamE,YAAY;YAC5D;YAEA,MAAMC,gBAAgB,MAAMC,MAAMN,UAAU;gBAC1CO,QAAQ;gBACRC,SAAS;oBAAE,gBAAgB;gBAAoC;gBAC/D7C,MAAMsC,YAAYL,QAAQ;YAC5B;YAEA,IAAI,CAACS,cAAcI,EAAE,EAAE;gBACrB,MAAMC,YAAa,MAAML,cAAclE,IAAI;gBAC3C,MAAM,IAAI8B,MAAM,CAAC,iCAAiC,EAAEyC,UAAU1C,iBAAiB,IAAI0C,UAAU3C,KAAK,EAAE;YACtG;YAEA,MAAM4C,YAAa,MAAMN,cAAclE,IAAI;YAO3C,iDAAiD;YACjD,MAAMyE,iBAAiC;gBACrCC,aAAaF,UAAUG,YAAY;gBACnC,GAAIH,UAAUI,aAAa,IAAI;oBAAEC,cAAcL,UAAUI,aAAa;gBAAC,CAAC;gBACxEE,WAAW/B,KAAKC,GAAG,KAAKwB,UAAUO,UAAU,GAAG;gBAC/C5C,OAAOqC,UAAUrC,KAAK;YACxB;YAEA,4DAA4D;YAC5D,MAAM6C,UAAU9F;YAChB,MAAM+F,WAA8B;gBAClCvB,MAAMsB;gBACN/C,WAAWW,gBAAgBX,SAAS;gBACpCC,cAAcU,gBAAgBV,YAAY;gBAC1CC,OAAOS,gBAAgBT,KAAK;gBAC5B,GAAIS,gBAAgBP,cAAc,IAAI;oBAAEA,gBAAgBO,gBAAgBP,cAAc;gBAAC,CAAC;gBACxF,GAAIO,gBAAgBN,qBAAqB,IAAI;oBAAEA,uBAAuBM,gBAAgBN,qBAAqB;gBAAC,CAAC;gBAC7GmC;gBACA3B,YAAYC,KAAKC,GAAG;gBACpBC,YAAYF,KAAKC,GAAG,KAAK;YAC3B;YAEA,MAAM3D,SAAS6F,WAAW,CAACxF,OAAOsF,SAASC;YAE3C,0DAA0D;YAC1D,MAAME,oBAAoB,IAAI/B,IAAIR,gBAAgBV,YAAY;YAC9DiD,kBAAkB7B,YAAY,CAACJ,GAAG,CAAC,QAAQ8B;YAC3C,IAAIpC,gBAAgBR,KAAK,EAAE;gBACzB+C,kBAAkB7B,YAAY,CAACJ,GAAG,CAAC,SAASN,gBAAgBR,KAAK;YACnE;YAEA,OAAO/B,IAAImD,QAAQ,CAAC2B,kBAAkB1B,QAAQ;QAChD,EAAE,OAAO7B,OAAO;YACd,OAAOvB,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmBD,iBAAiBE,QAAQF,MAAMG,OAAO,GAAG;YAC9D;QACF;IACF;IAEA;;;GAGC,GACDvC,OAAO6B,IAAI,CAAC,gBAAgB,OAAOC,KAAcjB;QAC/C,mEAAmE;QACnE,IAAI4B,YAAYX,IAAIE,IAAI,CAACS,SAAS;QAClC,IAAImD,gBAAgB9D,IAAIE,IAAI,CAAC4D,aAAa;QAE1C,sEAAsE;QACtE,MAAMC,aAAa/D,IAAI+C,OAAO,CAACiB,aAAa;QAC5C,IAAID,cAAcA,WAAWE,UAAU,CAAC,WAAW;YACjD,MAAMC,oBAAoBH,WAAWI,SAAS,CAAC;YAC/C,MAAMC,cAAcC,OAAOC,IAAI,CAACJ,mBAAmB,UAAU/B,QAAQ,CAAC;YACtE,MAAM,CAACoC,IAAIC,OAAO,GAAGJ,YAAYK,KAAK,CAAC;YACvC9D,YAAY4D;YACZT,gBAAgBU;QAClB;QAEA,MAAM,EAAE9B,UAAU,EAAEN,IAAI,EAAExB,YAAY,EAAE0C,aAAa,EAAEoB,aAAa,EAAE,GAAG1E,IAAIE,IAAI;QAEjF,sBAAsB;QACtB,IAAI,CAACwC,YAAY;YACf,OAAO3D,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,IAAImC,eAAe,sBAAsB;YACvC,2BAA2B;YAC3B,IAAI,CAACN,QAAQ,CAACzB,aAAa,CAACC,cAAc;gBACxC,OAAO7B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,MAAMoE,gBAAgB,MAAM5G,SAAS6G,cAAc,CAACxG,OAAOuC,WAAWmD,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAACa,eAAe;gBAClB,OAAO5F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,yBAAyB;YACzB,MAAMoD,WAAW,MAAM5F,SAAS8G,WAAW,CAACzG,OAAOgE;YACnD,IAAI,CAACuB,UAAU;gBACb,OAAO5E,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,IAAIoD,SAAShD,SAAS,KAAKA,aAAagD,SAAS/C,YAAY,KAAKA,cAAc;gBAC9E,OAAO7B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,IAAIkB,KAAKC,GAAG,KAAKiC,SAAShC,UAAU,EAAE;gBACpC,MAAM5D,SAAS+G,cAAc,CAAC1G,OAAOgE;gBACrC,OAAOrD,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,wBAAwB;YACxB,IAAIoD,SAAS5C,cAAc,EAAE;oBASZ4C;gBARf,IAAI,CAACe,eAAe;oBAClB,OAAO3F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;wBAC1B4B,OAAO;wBACPC,mBAAmB;oBACrB;gBACF;gBAEA,gDAAgD;gBAChD,MAAMuC,UAASa,kCAAAA,SAAS3C,qBAAqB,cAA9B2C,6CAAAA,kCAAkC;gBACjD,MAAMoB,oBAAoBjC,WAAW,SAASnF,WAAW,UAAUqH,MAAM,CAACN,eAAeO,MAAM,CAAC,eAAeP;gBAE/G,IAAIK,sBAAsBpB,SAAS5C,cAAc,EAAE;oBACjD,OAAOhC,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;wBAC1B4B,OAAO;wBACPC,mBAAmB;oBACrB;gBACF;YACF;YAEA,2CAA2C;YAC3C,MAAMxC,SAAS+G,cAAc,CAAC1G,OAAOgE;YAErC,4BAA4B;YAC5B,MAAMgB,cAAcxF;YACpB,MAAMsH,oBAAoBtH;YAE1B,MAAMsF,YAAyB;gBAC7BG,cAAcD;gBACd+B,YAAY;gBACZ1B,YAAY;gBACZH,eAAe4B;gBACfrE,OAAO8C,SAAS9C,KAAK;gBACrBF;gBACAwC,gBAAgBQ,SAASR,cAAc;gBACvC3B,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAM3D,SAASqH,cAAc,CAAChH,OAAOgF,aAAaF;YAClD,MAAMnF,SAASsH,eAAe,CAACjH,OAAO8G,mBAAmBhC;YAEzD,oDAAoD;YACpD,MAAMnF,SAASuH,iBAAiB,CAAClH,OAAOgF,aAAaO,SAASR,cAAc;YAE5E,wBAAwB;YACxB,OAAOpE,IAAIL,IAAI,CAAC;gBACd2E,cAAcH,UAAUG,YAAY;gBACpC8B,YAAYjC,UAAUiC,UAAU;gBAChC1B,YAAYP,UAAUO,UAAU;gBAChCH,eAAeJ,UAAUI,aAAa;gBACtCzC,OAAOqC,UAAUrC,KAAK;YACxB;QACF;QACA,IAAI6B,eAAe,iBAAiB;YAClC,sBAAsB;YACtB,IAAI,CAACY,iBAAiB,CAAC3C,WAAW;gBAChC,OAAO5B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,MAAMoE,gBAAgB,MAAM5G,SAAS6G,cAAc,CAACxG,OAAOuC,WAAWmD,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAACa,eAAe;gBAClB,OAAO5F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,oBAAoB;YACpB,MAAM2C,YAAY,MAAMnF,SAASwH,eAAe,CAACnH,OAAOkF;YACxD,IAAI,CAACJ,aAAaA,UAAUvC,SAAS,KAAKA,WAAW;gBACnD,OAAO5B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;YAEA,uCAAuC;YACvC,IAAIiF,0BAA0BtC,UAAUC,cAAc;YACtD,IAAID,UAAUC,cAAc,CAACI,YAAY,EAAE;gBACzC,IAAI;wBAKU/E;oBAJZ,+DAA+D;oBAC/D,MAAMiH,WAAW,IAAI3H,iBAAiB;wBACpCmE,UAAUzD,aAAayD,QAAQ;wBAC/B,GAAIzD,aAAamE,YAAY,IAAI;4BAAEA,cAAcnE,aAAamE,YAAY;wBAAC,CAAC;wBAC5EZ,QAAQ,GAAEvD,yBAAAA,aAAauD,QAAQ,cAArBvD,oCAAAA,yBAAyB;wBACnCqC,OAAOqC,UAAUrC,KAAK;wBACtB6E,gBAAgB,GAAGpH,QAAQ,aAAa,CAAC;wBACzCqH,QAAQ;4BACNC,MAAMC,QAAQC,GAAG;4BACjBxF,OAAOuF,QAAQvF,KAAK;4BACpByF,MAAMF,QAAQE,IAAI;4BAClBC,OAAO,KAAO;wBAChB;oBACF;oBAEA,qCAAqC;oBACrCR,0BAA0B,MAAMC,SAASQ,kBAAkB,CAAC/C,UAAUC,cAAc,CAACI,YAAY;gBACnG,EAAE,OAAOjD,OAAO;oBACd,4EAA4E;oBAC5EuF,QAAQE,IAAI,CAAC,yDAAyDzF,iBAAiBE,QAAQF,MAAMG,OAAO,GAAGyF,OAAO5F;gBACxH;YACF;YAEA,gCAAgC;YAChC,MAAM6F,iBAAiBvI;YACvB,MAAMwI,eAA4B;gBAChC,GAAGlD,SAAS;gBACZG,cAAc8C;gBACd3E,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAM3D,SAASqH,cAAc,CAAChH,OAAO+H,gBAAgBC;YAErD,kEAAkE;YAClE,MAAMrI,SAASuH,iBAAiB,CAAClH,OAAO+H,gBAAgBX;YAExD,OAAOzG,IAAIL,IAAI,CAAC;gBACd2E,cAAc+C,aAAa/C,YAAY;gBACvC8B,YAAYiB,aAAajB,UAAU;gBACnC1B,YAAY2C,aAAa3C,UAAU;gBACnC5C,OAAOuF,aAAavF,KAAK;YAC3B;QACF;QACA,OAAO9B,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;YAC1B4B,OAAO;YACPC,mBAAmB;QACrB;IACF;IAEA;;;GAGC,GACDrC,OAAO6B,IAAI,CAAC,iBAAiB,OAAOC,KAAcjB;QAChD,MAAM,EAAEsH,KAAK,EAAEC,eAAe,EAAE3F,SAAS,EAAEmD,aAAa,EAAE,GAAG9D,IAAIE,IAAI;QAErE,IAAI,CAACmG,OAAO;YACV,OAAOtH,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,0CAA0C;QAC1C,IAAII,aAAamD,eAAe;YAC9B,MAAMa,gBAAgB,MAAM5G,SAAS6G,cAAc,CAACxG,OAAOuC,WAAWmD;YACtE,IAAI,CAACa,eAAe;gBAClB,OAAO5F,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;oBAC1B4B,OAAO;oBACPC,mBAAmB;gBACrB;YACF;QACF;QAEA,mBAAmB;QACnB,IAAI+F,oBAAoB,iBAAiB;YACvC,MAAMvI,SAASwI,kBAAkB,CAACnI,OAAOiI;QAC3C,OAAO,IAAIC,oBAAoB,gBAAgB;YAC7C,MAAMvI,SAASyI,iBAAiB,CAACpI,OAAOiI;YACxC,MAAMtI,SAAS0I,oBAAoB,CAACrI,OAAOiI;QAC7C,OAAO;YACL,qBAAqB;YACrB,MAAMtI,SAASwI,kBAAkB,CAACnI,OAAOiI;YACzC,MAAMtI,SAASyI,iBAAiB,CAACpI,OAAOiI;YACxC,MAAMtI,SAAS0I,oBAAoB,CAACrI,OAAOiI;QAC7C;QAEA,+CAA+C;QAC/C,OAAOtH,IAAIsB,MAAM,CAAC,KAAKqG,IAAI;IAC7B;IAEA;;;;;;GAMC,GACDxI,OAAOW,GAAG,CAAC,iBAAiB,OAAOmB,KAAcjB;QAC/C,iDAAiD;QACjD,MAAMgF,aAAa/D,IAAI+C,OAAO,CAACiB,aAAa;QAE5C,IAAI,CAACD,cAAc,CAACA,WAAWE,UAAU,CAAC,YAAY;YACpD,OAAOlF,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,MAAM8F,QAAQtC,WAAWI,SAAS,CAAC,IAAI,0BAA0B;QAEjE,+CAA+C;QAC/C,MAAMjB,YAAY,MAAMnF,SAAS4I,cAAc,CAACvI,OAAOiI;QAEvD,IAAI,CAACnD,WAAW;YACd,OAAOnE,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,4BAA4B;QAC5B,MAAMmB,MAAMD,KAAKC,GAAG;QACpB,MAAM8B,YAAYN,UAAU1B,UAAU,GAAG0B,UAAUO,UAAU,GAAG;QAEhE,IAAI/B,MAAM8B,WAAW;YACnB,uBAAuB;YACvB,MAAMzF,SAASyI,iBAAiB,CAACpI,OAAOiI;YACxC,MAAMtI,SAAS0I,oBAAoB,CAACrI,OAAOiI;YAC3C,OAAOtH,IAAIsB,MAAM,CAAC,KAAK3B,IAAI,CAAC;gBAC1B4B,OAAO;gBACPC,mBAAmB;YACrB;QACF;QAEA,yDAAyD;QACzD,MAAMqG,WAAW;YACfP;YACApE,UAAUiB,UAAUvC,SAAS;YAC7BkG,QAAQ3D,UAAUrC,KAAK,GAAGqC,UAAUrC,KAAK,CAAC4D,KAAK,CAAC,OAAO,EAAE;YACzDjB;YACAL,gBAAgBD,UAAUC,cAAc;QAC1C;QAEA,OAAOpE,IAAIL,IAAI,CAACkI;IAClB;IAEA;;GAEC,GACD1I,OAAOW,GAAG,CAAC,kBAAkB,OAAOC,MAAeC;QACjD,MAAM+H,UAAU,MAAM/I,SAASgJ,WAAW,CAAC3I;QAC3CW,IAAIL,IAAI,CAACoI;IACX;IAEA,OAAO5I;AACT"}
1	+ {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-router.ts"],"sourcesContent":["/*\n DCR Router - OAuth 2.0 Authorization Server\n \n Implements OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)\n * and OAuth 2.0 Authorization Server endpoints (RFC 6749, RFC 8414, RFC 9728).\n \n Endpoints:\n * - GET /.well-known/oauth-authorization-server (RFC 8414 metadata)\n * - GET /.well-known/oauth-protected-resource (RFC 9728 metadata - root)\n * - GET /.well-known/oauth-protected-resource/mcp (RFC 9728 metadata - sub-path)\n * - POST /oauth/register (RFC 7591 client registration)\n * - GET /oauth/authorize (RFC 6749 authorization endpoint)\n * - POST /oauth/token (RFC 6749 token endpoint)\n * - POST /oauth/revoke (RFC 7009 token revocation)\n * - GET /oauth/verify (token verification for Resource Server)\n /\n\nimport type { ProviderTokens, RFC8414Metadata, RFC9728Metadata } from '@mcp-z/oauth';\nimport { createHash, randomUUID } from 'crypto';\nimport type { Request, Response } from 'express';\nimport express from 'express';\nimport type { Keyv } from 'keyv';\nimport { DcrOAuthProvider } from '../providers/dcr.ts';\nimport type { AccessToken, AuthorizationCode, OAuthClientConfig } from '../types.ts';\nimport as dcrUtils from './dcr-utils.ts';\n\n/*\n Configuration for DCR Router (self-hosted mode only)\n /\nexport interface DcrRouterConfig {\n /* Single Keyv store for all DCR data /\n store: Keyv;\n\n /* Authorization Server issuer URL /\n issuerUrl: string;\n\n /* Base URL for OAuth endpoints /\n baseUrl: string;\n\n /* Supported OAuth scopes /\n scopesSupported: string[];\n\n /* OAuth client configuration for upstream provider /\n clientConfig: OAuthClientConfig;\n}\n\n/\n Create DCR Router with OAuth 2.0 endpoints (self-hosted mode)\n \n For external mode (Auth0/Stitch), don't call this function - no router needed.\n * The server code should check DcrConfig.mode and only call this for 'self-hosted'.\n \n @param config - Router configuration\n * @returns Express router with OAuth endpoints\n /\nexport function createDcrRouter(config: DcrRouterConfig): express.Router {\n const router = express.Router();\n const { store, issuerUrl, baseUrl, scopesSupported, clientConfig } = config;\n\n router.use('/mcp', (req: Request, res: Response, next) => {\n const authHeader = req.headers.authorization \|\| req.headers.Authorization;\n const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n\n if (!headerValue \|\| !headerValue.toLowerCase().startsWith('bearer ')) {\n return res\n .status(401)\n .set('WWW-Authenticate', `Bearer resource_metadata=\"${baseUrl}/.well-known/oauth-protected-resource\"`)\n .json({\n jsonrpc: '2.0',\n error: {\n code: -32600,\n message: 'Missing Authorization header. DCR mode requires bearer token.',\n },\n id: null,\n });\n }\n\n return next();\n });\n\n // Apply required middleware for OAuth 2.0 endpoints (RFC 6749)\n router.use(express.json()); // For /oauth/register (application/json)\n router.use(express.urlencoded({ extended: true })); // For /oauth/token (application/x-www-form-urlencoded)\n\n /\n OAuth Authorization Server Metadata (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n /\n router.get('/.well-known/oauth-authorization-server', (_req: Request, res: Response) => {\n const metadata: RFC8414Metadata = {\n issuer: issuerUrl,\n authorization_endpoint: `${baseUrl}/oauth/authorize`,\n token_endpoint: `${baseUrl}/oauth/token`,\n registration_endpoint: `${baseUrl}/oauth/register`,\n revocation_endpoint: `${baseUrl}/oauth/revoke`,\n scopes_supported: scopesSupported,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],\n code_challenge_methods_supported: ['S256', 'plain'],\n service_documentation: `${baseUrl}/docs`,\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Root)\n * GET /.well-known/oauth-protected-resource\n /\n router.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: baseUrl,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n OAuth Protected Resource Metadata (RFC 9728 - Sub-path /mcp)\n * GET /.well-known/oauth-protected-resource/mcp\n /\n router.get('/.well-known/oauth-protected-resource/mcp', (_req: Request, res: Response) => {\n const metadata: RFC9728Metadata = {\n resource: `${baseUrl}/mcp`,\n authorization_servers: [baseUrl],\n scopes_supported: scopesSupported,\n bearer_methods_supported: ['header'],\n };\n res.json(metadata);\n });\n\n /\n Dynamic Client Registration (RFC 7591)\n * POST /oauth/register\n /\n router.post('/oauth/register', async (req: Request, res: Response) => {\n try {\n const registrationRequest = req.body;\n\n // Register the client\n const client = await dcrUtils.registerClient(store, registrationRequest);\n\n // Return client information (RFC 7591 Section 3.2.1)\n res.status(201).json(client);\n } catch (error) {\n res.status(400).json({\n error: 'invalid_client_metadata',\n error_description: error instanceof Error ? error.message : 'Invalid registration request',\n });\n }\n });\n\n /\n OAuth Authorization Endpoint (RFC 6749 Section 3.1)\n * GET /oauth/authorize\n \n Initiates Microsoft OAuth flow, then generates DCR authorization code\n /\n router.get('/oauth/authorize', async (req: Request, res: Response) => {\n const { response_type, client_id, redirect_uri, scope = '', state = '', code_challenge, code_challenge_method } = req.query;\n\n // Validate required parameters\n if (response_type !== 'code') {\n return res.status(400).json({\n error: 'unsupported_response_type',\n error_description: 'Only response_type=code is supported',\n });\n }\n\n if (!client_id \|\| typeof client_id !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'client_id is required',\n });\n }\n\n if (!redirect_uri \|\| typeof redirect_uri !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'redirect_uri is required',\n });\n }\n\n // Validate client\n const client = await dcrUtils.getClient(store, client_id);\n if (!client) {\n return res.status(400).json({\n error: 'invalid_client',\n error_description: 'Unknown client_id',\n });\n }\n\n // Validate redirect_uri\n const isValidRedirect = await dcrUtils.validateRedirectUri(store, client_id, redirect_uri);\n if (!isValidRedirect) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid redirect_uri',\n });\n }\n\n // Store DCR request state for Microsoft OAuth callback\n const msState = randomUUID();\n const dcrRequestState = {\n client_id,\n redirect_uri,\n scope: typeof scope === 'string' ? scope : '',\n state: typeof state === 'string' ? state : undefined,\n code_challenge: typeof code_challenge === 'string' ? code_challenge : undefined,\n code_challenge_method: typeof code_challenge_method === 'string' ? code_challenge_method : undefined,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await store.set(`dcr:ms-state:${msState}`, dcrRequestState, 600000); // 10 min TTL\n\n // Build Microsoft authorization URL\n const msAuthUrl = new URL(`https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/authorize`);\n msAuthUrl.searchParams.set('client_id', clientConfig.clientId);\n msAuthUrl.searchParams.set('response_type', 'code');\n msAuthUrl.searchParams.set('redirect_uri', `${baseUrl}/oauth/callback`);\n msAuthUrl.searchParams.set('scope', typeof scope === 'string' ? scope : '');\n msAuthUrl.searchParams.set('state', msState);\n msAuthUrl.searchParams.set('response_mode', 'query');\n\n // Redirect user to Microsoft for authorization\n return res.redirect(msAuthUrl.toString());\n });\n\n /\n OAuth Callback Handler\n * GET /oauth/callback\n \n Handles callback from Microsoft after user authorization\n /\n router.get('/oauth/callback', async (req: Request, res: Response) => {\n const { code: msCode, state: msState, error, error_description } = req.query;\n\n // Handle Microsoft OAuth errors\n if (error) {\n return res.status(400).json({\n error,\n error_description: error_description \|\| 'Microsoft OAuth authorization failed',\n });\n }\n\n if (!msCode \|\| typeof msCode !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Authorization code is required',\n });\n }\n\n if (!msState \|\| typeof msState !== 'string') {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'State parameter is required',\n });\n }\n\n // Retrieve original DCR request state\n const dcrRequestState = await store.get(`dcr:ms-state:${msState}`);\n if (!dcrRequestState) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'Invalid or expired state parameter',\n });\n }\n\n // Delete state (one-time use)\n await store.delete(`dcr:ms-state:${msState}`);\n\n // Exchange Microsoft authorization code for tokens\n try {\n const tokenUrl = `https://login.microsoftonline.com/${clientConfig.tenantId \|\| 'common'}/oauth2/v2.0/token`;\n const tokenParams = new URLSearchParams({\n grant_type: 'authorization_code',\n code: msCode,\n client_id: clientConfig.clientId,\n redirect_uri: `${baseUrl}/oauth/callback`,\n scope: dcrRequestState.scope,\n });\n\n // Add client_secret if available (confidential client)\n if (clientConfig.clientSecret) {\n tokenParams.set('client_secret', clientConfig.clientSecret);\n }\n\n const tokenResponse = await fetch(tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: tokenParams.toString(),\n });\n\n if (!tokenResponse.ok) {\n const errorData = (await tokenResponse.json()) as { error?: string; error_description?: string };\n throw new Error(`Microsoft token exchange failed: ${errorData.error_description \|\| errorData.error}`);\n }\n\n const tokenData = (await tokenResponse.json()) as {\n access_token: string;\n refresh_token?: string;\n expires_in: number;\n scope: string;\n };\n\n // Create provider tokens from Microsoft response\n const providerTokens: ProviderTokens = {\n accessToken: tokenData.access_token,\n ...(tokenData.refresh_token && { refreshToken: tokenData.refresh_token }),\n expiresAt: Date.now() + tokenData.expires_in 1000,\n scope: tokenData.scope,\n };\n\n // Generate DCR authorization code with real provider tokens\n const dcrCode = randomUUID();\n const authCode: AuthorizationCode = {\n code: dcrCode,\n client_id: dcrRequestState.client_id,\n redirect_uri: dcrRequestState.redirect_uri,\n scope: dcrRequestState.scope,\n ...(dcrRequestState.code_challenge && { code_challenge: dcrRequestState.code_challenge }),\n ...(dcrRequestState.code_challenge_method && { code_challenge_method: dcrRequestState.code_challenge_method }),\n providerTokens,\n created_at: Date.now(),\n expires_at: Date.now() + 600000, // 10 minutes\n };\n\n await dcrUtils.setAuthCode(store, dcrCode, authCode);\n\n // Redirect back to MCP client with DCR authorization code\n const clientRedirectUrl = new URL(dcrRequestState.redirect_uri);\n clientRedirectUrl.searchParams.set('code', dcrCode);\n if (dcrRequestState.state) {\n clientRedirectUrl.searchParams.set('state', dcrRequestState.state);\n }\n\n return res.redirect(clientRedirectUrl.toString());\n } catch (error) {\n return res.status(500).json({\n error: 'server_error',\n error_description: error instanceof Error ? error.message : 'Failed to exchange authorization code',\n });\n }\n });\n\n /*\n OAuth Token Endpoint (RFC 6749 Section 3.2)\n * POST /oauth/token\n /\n router.post('/oauth/token', async (req: Request, res: Response) => {\n // Extract client credentials from either body or Basic Auth header\n let client_id = req.body.client_id;\n let client_secret = req.body.client_secret;\n\n // Support client_secret_basic authentication (RFC 6749 Section 2.3.1)\n const authHeader = req.headers.authorization;\n if (authHeader && authHeader.startsWith('Basic ')) {\n const base64Credentials = authHeader.substring(6);\n const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');\n const [id, secret] = credentials.split(':');\n client_id = id;\n client_secret = secret;\n }\n\n const { grant_type, code, redirect_uri, refresh_token, code_verifier } = req.body;\n\n // Validate grant_type\n if (!grant_type) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'grant_type is required',\n });\n }\n\n if (grant_type === 'authorization_code') {\n // Authorization Code Grant\n if (!code \|\| !client_id \|\| !redirect_uri) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code, client_id, and redirect_uri are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get authorization code\n const authCode = await dcrUtils.getAuthCode(store, code);\n if (!authCode) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid or expired authorization code',\n });\n }\n\n // Validate authorization code\n if (authCode.client_id !== client_id \|\| authCode.redirect_uri !== redirect_uri) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code mismatch',\n });\n }\n\n if (Date.now() > authCode.expires_at) {\n await dcrUtils.deleteAuthCode(store, code);\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Authorization code expired',\n });\n }\n\n // Validate PKCE if used\n if (authCode.code_challenge) {\n if (!code_verifier) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'code_verifier is required for PKCE',\n });\n }\n\n // Validate code_verifier against code_challenge\n const method = authCode.code_challenge_method ?? 'plain';\n const computedChallenge = method === 'S256' ? createHash('sha256').update(code_verifier).digest('base64url') : code_verifier;\n\n if (computedChallenge !== authCode.code_challenge) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid code_verifier',\n });\n }\n }\n\n // Delete authorization code (one-time use)\n await dcrUtils.deleteAuthCode(store, code);\n\n // Generate DCR access token\n const accessToken = randomUUID();\n const refreshTokenValue = randomUUID();\n\n const tokenData: AccessToken = {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: 3600,\n refresh_token: refreshTokenValue,\n scope: authCode.scope,\n client_id,\n providerTokens: authCode.providerTokens,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, accessToken, tokenData);\n await dcrUtils.setRefreshToken(store, refreshTokenValue, tokenData);\n\n // Store provider tokens indexed by DCR access token\n await dcrUtils.setProviderTokens(store, accessToken, authCode.providerTokens);\n\n // Return token response\n return res.json({\n access_token: tokenData.access_token,\n token_type: tokenData.token_type,\n expires_in: tokenData.expires_in,\n refresh_token: tokenData.refresh_token,\n scope: tokenData.scope,\n });\n }\n if (grant_type === 'refresh_token') {\n // Refresh Token Grant\n if (!refresh_token \|\| !client_id) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'refresh_token and client_id are required',\n });\n }\n\n // Validate client credentials\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret ?? '');\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n\n // Get refresh token\n const tokenData = await dcrUtils.getRefreshToken(store, refresh_token);\n if (!tokenData \|\| tokenData.client_id !== client_id) {\n return res.status(400).json({\n error: 'invalid_grant',\n error_description: 'Invalid refresh token',\n });\n }\n\n // Refresh provider tokens if available\n let refreshedProviderTokens = tokenData.providerTokens;\n if (tokenData.providerTokens.refreshToken) {\n try {\n // Create DcrOAuthProvider instance to refresh Microsoft tokens\n const provider = new DcrOAuthProvider({\n clientId: clientConfig.clientId,\n ...(clientConfig.clientSecret && { clientSecret: clientConfig.clientSecret }),\n tenantId: clientConfig.tenantId ?? 'common',\n scope: tokenData.scope,\n verifyEndpoint: `${baseUrl}/oauth/verify`,\n logger: {\n info: console.log,\n error: console.error,\n warn: console.warn,\n debug: () => {},\n },\n });\n\n // Refresh the Microsoft access token\n refreshedProviderTokens = await provider.refreshAccessToken(tokenData.providerTokens.refreshToken);\n } catch (error) {\n // If refresh fails, continue with existing tokens (they may still be valid)\n console.warn('Provider token refresh failed, using existing tokens:', error instanceof Error ? error.message : String(error));\n }\n }\n\n // Generate new DCR access token\n const newAccessToken = randomUUID();\n const newTokenData: AccessToken = {\n ...tokenData,\n access_token: newAccessToken,\n created_at: Date.now(),\n };\n\n await dcrUtils.setAccessToken(store, newAccessToken, newTokenData);\n\n // Store refreshed provider tokens indexed by new DCR access token\n await dcrUtils.setProviderTokens(store, newAccessToken, refreshedProviderTokens);\n\n return res.json({\n access_token: newTokenData.access_token,\n token_type: newTokenData.token_type,\n expires_in: newTokenData.expires_in,\n scope: newTokenData.scope,\n });\n }\n return res.status(400).json({\n error: 'unsupported_grant_type',\n error_description: 'Only authorization_code and refresh_token grants are supported',\n });\n });\n\n /\n OAuth Token Revocation (RFC 7009)\n * POST /oauth/revoke\n /\n router.post('/oauth/revoke', async (req: Request, res: Response) => {\n const { token, token_type_hint, client_id, client_secret } = req.body;\n\n if (!token) {\n return res.status(400).json({\n error: 'invalid_request',\n error_description: 'token is required',\n });\n }\n\n // Validate client if credentials provided\n if (client_id && client_secret) {\n const isValidClient = await dcrUtils.validateClient(store, client_id, client_secret);\n if (!isValidClient) {\n return res.status(401).json({\n error: 'invalid_client',\n error_description: 'Invalid client credentials',\n });\n }\n }\n\n // Revoke the token\n if (token_type_hint === 'refresh_token') {\n await dcrUtils.deleteRefreshToken(store, token);\n } else if (token_type_hint === 'access_token') {\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n } else {\n // No hint - try both\n await dcrUtils.deleteRefreshToken(store, token);\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n }\n\n // RFC 7009: Return 200 even if token not found\n return res.status(200).send();\n });\n\n /\n Token Verification Endpoint\n * GET /oauth/verify\n \n Validates bearer tokens for Resource Server.\n * Returns AuthInfo with provider tokens for stateless DCR pattern.\n /\n router.get('/oauth/verify', async (req: Request, res: Response) => {\n // Extract bearer token from Authorization header\n const authHeader = req.headers.authorization;\n\n if (!authHeader \|\| !authHeader.startsWith('Bearer ')) {\n return res.status(401).json({\n error: 'invalid_request',\n error_description: 'Missing or invalid Authorization header',\n });\n }\n\n const token = authHeader.substring(7); // Remove 'Bearer ' prefix\n\n // Validate token exists in access tokens store\n const tokenData = await dcrUtils.getAccessToken(store, token);\n\n if (!tokenData) {\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Unknown or expired access token',\n });\n }\n\n // Check if token is expired\n const now = Date.now();\n const expiresAt = tokenData.created_at + tokenData.expires_in 1000;\n\n if (now > expiresAt) {\n // Remove expired token\n await dcrUtils.deleteAccessToken(store, token);\n await dcrUtils.deleteProviderTokens(store, token);\n return res.status(401).json({\n error: 'invalid_token',\n error_description: 'Access token has expired',\n });\n }\n\n // Return AuthInfo with provider tokens for stateless DCR\n const authInfo = {\n token,\n clientId: tokenData.client_id,\n scopes: tokenData.scope ? tokenData.scope.split(' ') : [],\n expiresAt,\n providerTokens: tokenData.providerTokens,\n };\n\n return res.json(authInfo);\n });\n\n /*\n Debug endpoint to list registered clients (development only)\n */\n router.get('/debug/clients', async (_req: Request, res: Response) => {\n const clients = await dcrUtils.listClients(store);\n res.json(clients);\n });\n\n return router;\n}\n"],"names":["createHash","randomUUID","express","DcrOAuthProvider","dcrUtils","createDcrRouter","config","router","Router","store","issuerUrl","baseUrl","scopesSupported","clientConfig","use","req","res","next","authHeader","headers","authorization","Authorization","headerValue","Array","isArray","toLowerCase","startsWith","status","set","json","jsonrpc","error","code","message","id","urlencoded","extended","get","_req","metadata","issuer","authorization_endpoint","token_endpoint","registration_endpoint","revocation_endpoint","scopes_supported","response_types_supported","grant_types_supported","token_endpoint_auth_methods_supported","code_challenge_methods_supported","service_documentation","resource","authorization_servers","bearer_methods_supported","post","registrationRequest","body","client","registerClient","error_description","Error","response_type","client_id","redirect_uri","scope","state","code_challenge","code_challenge_method","query","getClient","isValidRedirect","validateRedirectUri","msState","dcrRequestState","undefined","created_at","Date","now","expires_at","msAuthUrl","URL","tenantId","searchParams","clientId","redirect","toString","msCode","delete","tokenUrl","tokenParams","URLSearchParams","grant_type","clientSecret","tokenResponse","fetch","method","ok","errorData","tokenData","providerTokens","accessToken","access_token","refresh_token","refreshToken","expiresAt","expires_in","dcrCode","authCode","setAuthCode","clientRedirectUrl","client_secret","base64Credentials","substring","credentials","Buffer","from","secret","split","code_verifier","isValidClient","validateClient","getAuthCode","deleteAuthCode","computedChallenge","update","digest","refreshTokenValue","token_type","setAccessToken","setRefreshToken","setProviderTokens","getRefreshToken","refreshedProviderTokens","provider","verifyEndpoint","logger","info","console","log","warn","debug","refreshAccessToken","String","newAccessToken","newTokenData","token","token_type_hint","deleteRefreshToken","deleteAccessToken","deleteProviderTokens","send","getAccessToken","authInfo","scopes","clients","listClients"],"mappings":"AAAA;;;;;;;;;;;;;;;CAeC,GAGD,SAASA,UAAU,EAAEC,UAAU,QAAQ,SAAS;AAEhD,OAAOC,aAAa,UAAU;AAE9B,SAASC,gBAAgB,QAAQ,sBAAsB;AAEvD,YAAYC,cAAc,iBAAiB;AAsB3C;;;;;;;;CAQC,GACD,OAAO,SAASC,gBAAgBC,MAAuB;IACrD,MAAMC,SAASL,QAAQM,MAAM;IAC7B,MAAM,EAAEC,KAAK,EAAEC,SAAS,EAAEC,OAAO,EAAEC,eAAe,EAAEC,YAAY,EAAE,GAAGP;IAErEC,OAAOO,GAAG,CAAC,QAAQ,CAACC,KAAcC,KAAeC;QAC/C,MAAMC,aAAaH,IAAII,OAAO,CAACC,aAAa,IAAIL,IAAII,OAAO,CAACE,aAAa;QACzE,MAAMC,cAAcC,MAAMC,OAAO,CAACN,cAAcA,UAAU,CAAC,EAAE,GAAGA;QAEhE,IAAI,CAACI,eAAe,CAACA,YAAYG,WAAW,GAAGC,UAAU,CAAC,YAAY;YACpE,OAAOV,IACJW,MAAM,CAAC,KACPC,GAAG,CAAC,oBAAoB,CAAC,0BAA0B,EAAEjB,QAAQ,sCAAsC,CAAC,EACpGkB,IAAI,CAAC;gBACJC,SAAS;gBACTC,OAAO;oBACLC,MAAM,CAAC;oBACPC,SAAS;gBACX;gBACAC,IAAI;YACN;QACJ;QAEA,OAAOjB;IACT;IAEA,+DAA+D;IAC/DV,OAAOO,GAAG,CAACZ,QAAQ2B,IAAI,KAAK,yCAAyC;IACrEtB,OAAOO,GAAG,CAACZ,QAAQiC,UAAU,CAAC;QAAEC,UAAU;IAAK,KAAK,uDAAuD;IAE3G;;;GAGC,GACD7B,OAAO8B,GAAG,CAAC,2CAA2C,CAACC,MAAetB;QACpE,MAAMuB,WAA4B;YAChCC,QAAQ9B;YACR+B,wBAAwB,GAAG9B,QAAQ,gBAAgB,CAAC;YACpD+B,gBAAgB,GAAG/B,QAAQ,YAAY,CAAC;YACxCgC,uBAAuB,GAAGhC,QAAQ,eAAe,CAAC;YAClDiC,qBAAqB,GAAGjC,QAAQ,aAAa,CAAC;YAC9CkC,kBAAkBjC;YAClBkC,0BAA0B;gBAAC;aAAO;YAClCC,uBAAuB;gBAAC;gBAAsB;aAAgB;YAC9DC,uCAAuC;gBAAC;gBAAuB;aAAqB;YACpFC,kCAAkC;gBAAC;gBAAQ;aAAQ;YACnDC,uBAAuB,GAAGvC,QAAQ,KAAK,CAAC;QAC1C;QACAK,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDhC,OAAO8B,GAAG,CAAC,yCAAyC,CAACC,MAAetB;QAClE,MAAMuB,WAA4B;YAChCY,UAAUxC;YACVyC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDhC,OAAO8B,GAAG,CAAC,6CAA6C,CAACC,MAAetB;QACtE,MAAMuB,WAA4B;YAChCY,UAAU,GAAGxC,QAAQ,IAAI,CAAC;YAC1ByC,uBAAuB;gBAACzC;aAAQ;YAChCkC,kBAAkBjC;YAClByC,0BAA0B;gBAAC;aAAS;QACtC;QACArC,IAAIa,IAAI,CAACU;IACX;IAEA;;;GAGC,GACDhC,OAAO+C,IAAI,CAAC,mBAAmB,OAAOvC,KAAcC;QAClD,IAAI;YACF,MAAMuC,sBAAsBxC,IAAIyC,IAAI;YAEpC,sBAAsB;YACtB,MAAMC,SAAS,MAAMrD,SAASsD,cAAc,CAACjD,OAAO8C;YAEpD,qDAAqD;YACrDvC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC4B;QACvB,EAAE,OAAO1B,OAAO;YACdf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBACnBE,OAAO;gBACP4B,mBAAmB5B,iBAAiB6B,QAAQ7B,MAAME,OAAO,GAAG;YAC9D;QACF;IACF;IAEA;;;;;GAKC,GACD1B,OAAO8B,GAAG,CAAC,oBAAoB,OAAOtB,KAAcC;QAClD,MAAM,EAAE6C,aAAa,EAAEC,SAAS,EAAEC,YAAY,EAAEC,QAAQ,EAAE,EAAEC,QAAQ,EAAE,EAAEC,cAAc,EAAEC,qBAAqB,EAAE,GAAGpD,IAAIqD,KAAK;QAE3H,+BAA+B;QAC/B,IAAIP,kBAAkB,QAAQ;YAC5B,OAAO7C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACG,aAAa,OAAOA,cAAc,UAAU;YAC/C,OAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACI,gBAAgB,OAAOA,iBAAiB,UAAU;YACrD,OAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,kBAAkB;QAClB,MAAMF,SAAS,MAAMrD,SAASiE,SAAS,CAAC5D,OAAOqD;QAC/C,IAAI,CAACL,QAAQ;YACX,OAAOzC,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,wBAAwB;QACxB,MAAMW,kBAAkB,MAAMlE,SAASmE,mBAAmB,CAAC9D,OAAOqD,WAAWC;QAC7E,IAAI,CAACO,iBAAiB;YACpB,OAAOtD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,uDAAuD;QACvD,MAAMa,UAAUvE;QAChB,MAAMwE,kBAAkB;YACtBX;YACAC;YACAC,OAAO,OAAOA,UAAU,WAAWA,QAAQ;YAC3CC,OAAO,OAAOA,UAAU,WAAWA,QAAQS;YAC3CR,gBAAgB,OAAOA,mBAAmB,WAAWA,iBAAiBQ;YACtEP,uBAAuB,OAAOA,0BAA0B,WAAWA,wBAAwBO;YAC3FC,YAAYC,KAAKC,GAAG;YACpBC,YAAYF,KAAKC,GAAG,KAAK;QAC3B;QAEA,MAAMpE,MAAMmB,GAAG,CAAC,CAAC,aAAa,EAAE4C,SAAS,EAAEC,iBAAiB,SAAS,aAAa;QAElF,oCAAoC;QACpC,MAAMM,YAAY,IAAIC,IAAI,CAAC,kCAAkC,EAAEnE,aAAaoE,QAAQ,IAAI,SAAS,sBAAsB,CAAC;QACxHF,UAAUG,YAAY,CAACtD,GAAG,CAAC,aAAaf,aAAasE,QAAQ;QAC7DJ,UAAUG,YAAY,CAACtD,GAAG,CAAC,iBAAiB;QAC5CmD,UAAUG,YAAY,CAACtD,GAAG,CAAC,gBAAgB,GAAGjB,QAAQ,eAAe,CAAC;QACtEoE,UAAUG,YAAY,CAACtD,GAAG,CAAC,SAAS,OAAOoC,UAAU,WAAWA,QAAQ;QACxEe,UAAUG,YAAY,CAACtD,GAAG,CAAC,SAAS4C;QACpCO,UAAUG,YAAY,CAACtD,GAAG,CAAC,iBAAiB;QAE5C,+CAA+C;QAC/C,OAAOZ,IAAIoE,QAAQ,CAACL,UAAUM,QAAQ;IACxC;IAEA;;;;;GAKC,GACD9E,OAAO8B,GAAG,CAAC,mBAAmB,OAAOtB,KAAcC;QACjD,MAAM,EAAEgB,MAAMsD,MAAM,EAAErB,OAAOO,OAAO,EAAEzC,KAAK,EAAE4B,iBAAiB,EAAE,GAAG5C,IAAIqD,KAAK;QAE5E,gCAAgC;QAChC,IAAIrC,OAAO;YACT,OAAOf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE;gBACA4B,mBAAmBA,qBAAqB;YAC1C;QACF;QAEA,IAAI,CAAC2B,UAAU,OAAOA,WAAW,UAAU;YACzC,OAAOtE,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAI,CAACa,WAAW,OAAOA,YAAY,UAAU;YAC3C,OAAOxD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,sCAAsC;QACtC,MAAMc,kBAAkB,MAAMhE,MAAM4B,GAAG,CAAC,CAAC,aAAa,EAAEmC,SAAS;QACjE,IAAI,CAACC,iBAAiB;YACpB,OAAOzD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,8BAA8B;QAC9B,MAAMlD,MAAM8E,MAAM,CAAC,CAAC,aAAa,EAAEf,SAAS;QAE5C,mDAAmD;QACnD,IAAI;YACF,MAAMgB,WAAW,CAAC,kCAAkC,EAAE3E,aAAaoE,QAAQ,IAAI,SAAS,kBAAkB,CAAC;YAC3G,MAAMQ,cAAc,IAAIC,gBAAgB;gBACtCC,YAAY;gBACZ3D,MAAMsD;gBACNxB,WAAWjD,aAAasE,QAAQ;gBAChCpB,cAAc,GAAGpD,QAAQ,eAAe,CAAC;gBACzCqD,OAAOS,gBAAgBT,KAAK;YAC9B;YAEA,uDAAuD;YACvD,IAAInD,aAAa+E,YAAY,EAAE;gBAC7BH,YAAY7D,GAAG,CAAC,iBAAiBf,aAAa+E,YAAY;YAC5D;YAEA,MAAMC,gBAAgB,MAAMC,MAAMN,UAAU;gBAC1CO,QAAQ;gBACR5E,SAAS;oBAAE,gBAAgB;gBAAoC;gBAC/DqC,MAAMiC,YAAYJ,QAAQ;YAC5B;YAEA,IAAI,CAACQ,cAAcG,EAAE,EAAE;gBACrB,MAAMC,YAAa,MAAMJ,cAAchE,IAAI;gBAC3C,MAAM,IAAI+B,MAAM,CAAC,iCAAiC,EAAEqC,UAAUtC,iBAAiB,IAAIsC,UAAUlE,KAAK,EAAE;YACtG;YAEA,MAAMmE,YAAa,MAAML,cAAchE,IAAI;YAO3C,iDAAiD;YACjD,MAAMsE,iBAAiC;gBACrCC,aAAaF,UAAUG,YAAY;gBACnC,GAAIH,UAAUI,aAAa,IAAI;oBAAEC,cAAcL,UAAUI,aAAa;gBAAC,CAAC;gBACxEE,WAAW5B,KAAKC,GAAG,KAAKqB,UAAUO,UAAU,GAAG;gBAC/CzC,OAAOkC,UAAUlC,KAAK;YACxB;YAEA,4DAA4D;YAC5D,MAAM0C,UAAUzG;YAChB,MAAM0G,WAA8B;gBAClC3E,MAAM0E;gBACN5C,WAAWW,gBAAgBX,SAAS;gBACpCC,cAAcU,gBAAgBV,YAAY;gBAC1CC,OAAOS,gBAAgBT,KAAK;gBAC5B,GAAIS,gBAAgBP,cAAc,IAAI;oBAAEA,gBAAgBO,gBAAgBP,cAAc;gBAAC,CAAC;gBACxF,GAAIO,gBAAgBN,qBAAqB,IAAI;oBAAEA,uBAAuBM,gBAAgBN,qBAAqB;gBAAC,CAAC;gBAC7GgC;gBACAxB,YAAYC,KAAKC,GAAG;gBACpBC,YAAYF,KAAKC,GAAG,KAAK;YAC3B;YAEA,MAAMzE,SAASwG,WAAW,CAACnG,OAAOiG,SAASC;YAE3C,0DAA0D;YAC1D,MAAME,oBAAoB,IAAI7B,IAAIP,gBAAgBV,YAAY;YAC9D8C,kBAAkB3B,YAAY,CAACtD,GAAG,CAAC,QAAQ8E;YAC3C,IAAIjC,gBAAgBR,KAAK,EAAE;gBACzB4C,kBAAkB3B,YAAY,CAACtD,GAAG,CAAC,SAAS6C,gBAAgBR,KAAK;YACnE;YAEA,OAAOjD,IAAIoE,QAAQ,CAACyB,kBAAkBxB,QAAQ;QAChD,EAAE,OAAOtD,OAAO;YACd,OAAOf,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB5B,iBAAiB6B,QAAQ7B,MAAME,OAAO,GAAG;YAC9D;QACF;IACF;IAEA;;;GAGC,GACD1B,OAAO+C,IAAI,CAAC,gBAAgB,OAAOvC,KAAcC;QAC/C,mEAAmE;QACnE,IAAI8C,YAAY/C,IAAIyC,IAAI,CAACM,SAAS;QAClC,IAAIgD,gBAAgB/F,IAAIyC,IAAI,CAACsD,aAAa;QAE1C,sEAAsE;QACtE,MAAM5F,aAAaH,IAAII,OAAO,CAACC,aAAa;QAC5C,IAAIF,cAAcA,WAAWQ,UAAU,CAAC,WAAW;YACjD,MAAMqF,oBAAoB7F,WAAW8F,SAAS,CAAC;YAC/C,MAAMC,cAAcC,OAAOC,IAAI,CAACJ,mBAAmB,UAAU1B,QAAQ,CAAC;YACtE,MAAM,CAACnD,IAAIkF,OAAO,GAAGH,YAAYI,KAAK,CAAC;YACvCvD,YAAY5B;YACZ4E,gBAAgBM;QAClB;QAEA,MAAM,EAAEzB,UAAU,EAAE3D,IAAI,EAAE+B,YAAY,EAAEuC,aAAa,EAAEgB,aAAa,EAAE,GAAGvG,IAAIyC,IAAI;QAEjF,sBAAsB;QACtB,IAAI,CAACmC,YAAY;YACf,OAAO3E,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,IAAIgC,eAAe,sBAAsB;YACvC,2BAA2B;YAC3B,IAAI,CAAC3D,QAAQ,CAAC8B,aAAa,CAACC,cAAc;gBACxC,OAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,MAAM4D,gBAAgB,MAAMnH,SAASoH,cAAc,CAAC/G,OAAOqD,WAAWgD,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAACS,eAAe;gBAClB,OAAOvG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,yBAAyB;YACzB,MAAMgD,WAAW,MAAMvG,SAASqH,WAAW,CAAChH,OAAOuB;YACnD,IAAI,CAAC2E,UAAU;gBACb,OAAO3F,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,IAAIgD,SAAS7C,SAAS,KAAKA,aAAa6C,SAAS5C,YAAY,KAAKA,cAAc;gBAC9E,OAAO/C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,IAAIiB,KAAKC,GAAG,KAAK8B,SAAS7B,UAAU,EAAE;gBACpC,MAAM1E,SAASsH,cAAc,CAACjH,OAAOuB;gBACrC,OAAOhB,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,wBAAwB;YACxB,IAAIgD,SAASzC,cAAc,EAAE;oBASZyC;gBARf,IAAI,CAACW,eAAe;oBAClB,OAAOtG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wBAC1BE,OAAO;wBACP4B,mBAAmB;oBACrB;gBACF;gBAEA,gDAAgD;gBAChD,MAAMoC,UAASY,kCAAAA,SAASxC,qBAAqB,cAA9BwC,6CAAAA,kCAAkC;gBACjD,MAAMgB,oBAAoB5B,WAAW,SAAS/F,WAAW,UAAU4H,MAAM,CAACN,eAAeO,MAAM,CAAC,eAAeP;gBAE/G,IAAIK,sBAAsBhB,SAASzC,cAAc,EAAE;oBACjD,OAAOlD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;wBAC1BE,OAAO;wBACP4B,mBAAmB;oBACrB;gBACF;YACF;YAEA,2CAA2C;YAC3C,MAAMvD,SAASsH,cAAc,CAACjH,OAAOuB;YAErC,4BAA4B;YAC5B,MAAMoE,cAAcnG;YACpB,MAAM6H,oBAAoB7H;YAE1B,MAAMiG,YAAyB;gBAC7BG,cAAcD;gBACd2B,YAAY;gBACZtB,YAAY;gBACZH,eAAewB;gBACf9D,OAAO2C,SAAS3C,KAAK;gBACrBF;gBACAqC,gBAAgBQ,SAASR,cAAc;gBACvCxB,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAMzE,SAAS4H,cAAc,CAACvH,OAAO2F,aAAaF;YAClD,MAAM9F,SAAS6H,eAAe,CAACxH,OAAOqH,mBAAmB5B;YAEzD,oDAAoD;YACpD,MAAM9F,SAAS8H,iBAAiB,CAACzH,OAAO2F,aAAaO,SAASR,cAAc;YAE5E,wBAAwB;YACxB,OAAOnF,IAAIa,IAAI,CAAC;gBACdwE,cAAcH,UAAUG,YAAY;gBACpC0B,YAAY7B,UAAU6B,UAAU;gBAChCtB,YAAYP,UAAUO,UAAU;gBAChCH,eAAeJ,UAAUI,aAAa;gBACtCtC,OAAOkC,UAAUlC,KAAK;YACxB;QACF;QACA,IAAI2B,eAAe,iBAAiB;YAClC,sBAAsB;YACtB,IAAI,CAACW,iBAAiB,CAACxC,WAAW;gBAChC,OAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,8BAA8B;YAC9B,MAAM4D,gBAAgB,MAAMnH,SAASoH,cAAc,CAAC/G,OAAOqD,WAAWgD,0BAAAA,2BAAAA,gBAAiB;YACvF,IAAI,CAACS,eAAe;gBAClB,OAAOvG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,oBAAoB;YACpB,MAAMuC,YAAY,MAAM9F,SAAS+H,eAAe,CAAC1H,OAAO6F;YACxD,IAAI,CAACJ,aAAaA,UAAUpC,SAAS,KAAKA,WAAW;gBACnD,OAAO9C,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;YAEA,uCAAuC;YACvC,IAAIyE,0BAA0BlC,UAAUC,cAAc;YACtD,IAAID,UAAUC,cAAc,CAACI,YAAY,EAAE;gBACzC,IAAI;wBAKU1F;oBAJZ,+DAA+D;oBAC/D,MAAMwH,WAAW,IAAIlI,iBAAiB;wBACpCgF,UAAUtE,aAAasE,QAAQ;wBAC/B,GAAItE,aAAa+E,YAAY,IAAI;4BAAEA,cAAc/E,aAAa+E,YAAY;wBAAC,CAAC;wBAC5EX,QAAQ,GAAEpE,yBAAAA,aAAaoE,QAAQ,cAArBpE,oCAAAA,yBAAyB;wBACnCmD,OAAOkC,UAAUlC,KAAK;wBACtBsE,gBAAgB,GAAG3H,QAAQ,aAAa,CAAC;wBACzC4H,QAAQ;4BACNC,MAAMC,QAAQC,GAAG;4BACjB3G,OAAO0G,QAAQ1G,KAAK;4BACpB4G,MAAMF,QAAQE,IAAI;4BAClBC,OAAO,KAAO;wBAChB;oBACF;oBAEA,qCAAqC;oBACrCR,0BAA0B,MAAMC,SAASQ,kBAAkB,CAAC3C,UAAUC,cAAc,CAACI,YAAY;gBACnG,EAAE,OAAOxE,OAAO;oBACd,4EAA4E;oBAC5E0G,QAAQE,IAAI,CAAC,yDAAyD5G,iBAAiB6B,QAAQ7B,MAAME,OAAO,GAAG6G,OAAO/G;gBACxH;YACF;YAEA,gCAAgC;YAChC,MAAMgH,iBAAiB9I;YACvB,MAAM+I,eAA4B;gBAChC,GAAG9C,SAAS;gBACZG,cAAc0C;gBACdpE,YAAYC,KAAKC,GAAG;YACtB;YAEA,MAAMzE,SAAS4H,cAAc,CAACvH,OAAOsI,gBAAgBC;YAErD,kEAAkE;YAClE,MAAM5I,SAAS8H,iBAAiB,CAACzH,OAAOsI,gBAAgBX;YAExD,OAAOpH,IAAIa,IAAI,CAAC;gBACdwE,cAAc2C,aAAa3C,YAAY;gBACvC0B,YAAYiB,aAAajB,UAAU;gBACnCtB,YAAYuC,aAAavC,UAAU;gBACnCzC,OAAOgF,aAAahF,KAAK;YAC3B;QACF;QACA,OAAOhD,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;YAC1BE,OAAO;YACP4B,mBAAmB;QACrB;IACF;IAEA;;;GAGC,GACDpD,OAAO+C,IAAI,CAAC,iBAAiB,OAAOvC,KAAcC;QAChD,MAAM,EAAEiI,KAAK,EAAEC,eAAe,EAAEpF,SAAS,EAAEgD,aAAa,EAAE,GAAG/F,IAAIyC,IAAI;QAErE,IAAI,CAACyF,OAAO;YACV,OAAOjI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,0CAA0C;QAC1C,IAAIG,aAAagD,eAAe;YAC9B,MAAMS,gBAAgB,MAAMnH,SAASoH,cAAc,CAAC/G,OAAOqD,WAAWgD;YACtE,IAAI,CAACS,eAAe;gBAClB,OAAOvG,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;oBAC1BE,OAAO;oBACP4B,mBAAmB;gBACrB;YACF;QACF;QAEA,mBAAmB;QACnB,IAAIuF,oBAAoB,iBAAiB;YACvC,MAAM9I,SAAS+I,kBAAkB,CAAC1I,OAAOwI;QAC3C,OAAO,IAAIC,oBAAoB,gBAAgB;YAC7C,MAAM9I,SAASgJ,iBAAiB,CAAC3I,OAAOwI;YACxC,MAAM7I,SAASiJ,oBAAoB,CAAC5I,OAAOwI;QAC7C,OAAO;YACL,qBAAqB;YACrB,MAAM7I,SAAS+I,kBAAkB,CAAC1I,OAAOwI;YACzC,MAAM7I,SAASgJ,iBAAiB,CAAC3I,OAAOwI;YACxC,MAAM7I,SAASiJ,oBAAoB,CAAC5I,OAAOwI;QAC7C;QAEA,+CAA+C;QAC/C,OAAOjI,IAAIW,MAAM,CAAC,KAAK2H,IAAI;IAC7B;IAEA;;;;;;GAMC,GACD/I,OAAO8B,GAAG,CAAC,iBAAiB,OAAOtB,KAAcC;QAC/C,iDAAiD;QACjD,MAAME,aAAaH,IAAII,OAAO,CAACC,aAAa;QAE5C,IAAI,CAACF,cAAc,CAACA,WAAWQ,UAAU,CAAC,YAAY;YACpD,OAAOV,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,MAAMsF,QAAQ/H,WAAW8F,SAAS,CAAC,IAAI,0BAA0B;QAEjE,+CAA+C;QAC/C,MAAMd,YAAY,MAAM9F,SAASmJ,cAAc,CAAC9I,OAAOwI;QAEvD,IAAI,CAAC/C,WAAW;YACd,OAAOlF,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,4BAA4B;QAC5B,MAAMkB,MAAMD,KAAKC,GAAG;QACpB,MAAM2B,YAAYN,UAAUvB,UAAU,GAAGuB,UAAUO,UAAU,GAAG;QAEhE,IAAI5B,MAAM2B,WAAW;YACnB,uBAAuB;YACvB,MAAMpG,SAASgJ,iBAAiB,CAAC3I,OAAOwI;YACxC,MAAM7I,SAASiJ,oBAAoB,CAAC5I,OAAOwI;YAC3C,OAAOjI,IAAIW,MAAM,CAAC,KAAKE,IAAI,CAAC;gBAC1BE,OAAO;gBACP4B,mBAAmB;YACrB;QACF;QAEA,yDAAyD;QACzD,MAAM6F,WAAW;YACfP;YACA9D,UAAUe,UAAUpC,SAAS;YAC7B2F,QAAQvD,UAAUlC,KAAK,GAAGkC,UAAUlC,KAAK,CAACqD,KAAK,CAAC,OAAO,EAAE;YACzDb;YACAL,gBAAgBD,UAAUC,cAAc;QAC1C;QAEA,OAAOnF,IAAIa,IAAI,CAAC2H;IAClB;IAEA;;GAEC,GACDjJ,OAAO8B,GAAG,CAAC,kBAAkB,OAAOC,MAAetB;QACjD,MAAM0I,UAAU,MAAMtJ,SAASuJ,WAAW,CAAClJ;QAC3CO,IAAIa,IAAI,CAAC6H;IACX;IAEA,OAAOnJ;AACT"}

package/dist/esm/lib/dcr-utils.js CHANGED Viewed

@@ -11,6 +11,9 @@
  * - dcr:access:{token} -> AccessToken
  * - dcr:refresh:{token} -> AccessToken
  */ import { randomUUID } from 'crypto';
+const TEN_MINUTES_MS = 10 * 60 * 1000;
+const ONE_HOUR_MS = 60 * 60 * 1000;
+const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;
 // ============================================================================
 // Client Operations
 // ============================================================================
@@ -162,7 +165,7 @@
  * @param dcrToken - DCR-issued access token (used as key)
  * @param tokens - Microsoft provider tokens (access, refresh, expiry)
  */ export async function setProviderTokens(store, dcrToken, tokens) {
-    await store.set(`dcr:provider:${dcrToken}`, tokens);
+    await store.set(`dcr:provider:${dcrToken}`, tokens, ONE_HOUR_MS);
 }
 /**
  * Retrieve provider tokens for a DCR access token
@@ -191,7 +194,7 @@
  * @param code - Authorization code
  * @param authCode - Authorization code data
  */ export async function setAuthCode(store, code, authCode) {
-    await store.set(`dcr:authcode:${code}`, authCode);
+    await store.set(`dcr:authcode:${code}`, authCode, TEN_MINUTES_MS);
 }
 /**
  * Get an authorization code
@@ -220,7 +223,7 @@
  * @param token - Access token
  * @param tokenData - Access token data
  */ export async function setAccessToken(store, token, tokenData) {
-    await store.set(`dcr:access:${token}`, tokenData);
+    await store.set(`dcr:access:${token}`, tokenData, ONE_HOUR_MS);
 }
 /**
  * Get an access token
@@ -249,7 +252,7 @@
  * @param token - Refresh token
  * @param tokenData - Access token data (contains refresh token context)
  */ export async function setRefreshToken(store, token, tokenData) {
-    await store.set(`dcr:refresh:${token}`, tokenData);
+    await store.set(`dcr:refresh:${token}`, tokenData, THIRTY_DAYS_MS);
 }
 /**
  * Get a refresh token

package/dist/esm/lib/dcr-utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-utils.ts"],"sourcesContent":["/*\n DCR Storage Utilities\n \n Keyv-based storage utilities for Dynamic Client Registration.\n * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.\n \n Key Patterns:\n * - dcr:client:{clientId} -> RegisteredClient\n * - dcr:provider:{dcrToken} -> ProviderTokens\n * - dcr:authcode:{code} -> AuthorizationCode\n * - dcr:access:{token} -> AccessToken\n * - dcr:refresh:{token} -> AccessToken\n /\n\nimport type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';\nimport { randomUUID } from 'crypto';\nimport type { Keyv } from 'keyv';\nimport type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.ts';\n\n// ============================================================================\n// Client Operations\n// ============================================================================\n\n/\n Register a new OAuth client (RFC 7591 Section 3.1)\n \n @param store - Keyv store for all DCR data\n * @param metadata - Client registration metadata\n * @returns Registered client with credentials\n * @throws Error if validation fails\n /\nexport async function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation> {\n // Validate redirect URIs (required per RFC 7591)\n if (!metadata.redirect_uris \|\| metadata.redirect_uris.length === 0) {\n throw new Error('redirect_uris is required');\n }\n\n // Generate client credentials\n const client_id = `dcr_${randomUUID()}`;\n const client_secret = randomUUID();\n\n // Default grant types and response types per RFC 7591 Section 2\n const grant_types = metadata.grant_types ?? ['authorization_code', 'refresh_token'];\n const response_types = metadata.response_types ?? ['code'];\n\n // Build registered client - only include optional fields if they have values\n const client: RegisteredClient = {\n client_id,\n client_secret,\n client_id_issued_at: Math.floor(Date.now() / 1000),\n client_secret_expires_at: 0, // Never expires\n redirect_uris: metadata.redirect_uris,\n token_endpoint_auth_method: metadata.token_endpoint_auth_method ?? 'client_secret_basic',\n grant_types,\n response_types,\n ...(metadata.client_name !== undefined && { client_name: metadata.client_name }),\n ...(metadata.client_uri !== undefined && { client_uri: metadata.client_uri }),\n ...(metadata.logo_uri !== undefined && { logo_uri: metadata.logo_uri }),\n ...(metadata.scope !== undefined && { scope: metadata.scope }),\n ...(metadata.contacts !== undefined && { contacts: metadata.contacts }),\n ...(metadata.tos_uri !== undefined && { tos_uri: metadata.tos_uri }),\n ...(metadata.policy_uri !== undefined && { policy_uri: metadata.policy_uri }),\n ...(metadata.jwks_uri !== undefined && { jwks_uri: metadata.jwks_uri }),\n ...(metadata.jwks !== undefined && { jwks: metadata.jwks }),\n ...(metadata.software_id !== undefined && { software_id: metadata.software_id }),\n ...(metadata.software_version !== undefined && { software_version: metadata.software_version }),\n created_at: Date.now(),\n };\n\n // Store client\n await store.set(`dcr:client:${client_id}`, client);\n\n // Return client information (excluding internal created_at)\n const { created_at, ...clientInfo } = client;\n return clientInfo;\n}\n\n/\n Get a registered client by ID\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @returns Registered client or undefined if not found\n /\nexport async function getClient(store: Keyv, clientId: string): Promise<RegisteredClient \| undefined> {\n return await store.get(`dcr:client:${clientId}`);\n}\n\n/\n Validate client credentials\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param clientSecret - Client secret\n * @returns True if credentials are valid\n /\nexport async function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client) return false;\n return client.client_secret === clientSecret;\n}\n\n/\n Validate redirect URI for a client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param redirectUri - Redirect URI to validate\n * @returns True if redirect URI is registered\n /\nexport async function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client \|\| !client.redirect_uris) return false;\n return client.redirect_uris.includes(redirectUri);\n}\n\n/\n List all registered clients (for debugging)\n \n Note: This method uses Keyv's iterator which may not be available on all storage adapters.\n * For production use, consider maintaining a separate index of client IDs.\n \n @param store - Keyv store for all DCR data\n * @returns Array of all registered clients\n /\nexport async function listClients(store: Keyv): Promise<RegisteredClient[]> {\n const clients: RegisteredClient[] = [];\n\n // Check if iterator is available on the store\n if (store.iterator) {\n // Use iterator with namespace to iterate through dcr:client: keys\n const iterator = store.iterator('dcr:client:');\n for await (const [_key, value] of iterator) {\n if (value !== undefined) {\n clients.push(value as RegisteredClient);\n }\n }\n }\n\n return clients;\n}\n\n/\n Delete a registered client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n /\nexport async function deleteClient(store: Keyv, clientId: string): Promise<void> {\n await store.delete(`dcr:client:${clientId}`);\n}\n\n// ============================================================================\n// Provider Token Operations\n// ============================================================================\n\n/\n Store provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token (used as key)\n * @param tokens - Microsoft provider tokens (access, refresh, expiry)\n /\nexport async function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void> {\n await store.set(`dcr:provider:${dcrToken}`, tokens);\n}\n\n/\n Retrieve provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n * @returns Provider tokens or undefined if not found\n /\nexport async function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens \| undefined> {\n return await store.get(`dcr:provider:${dcrToken}`);\n}\n\n/\n Delete provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n /\nexport async function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void> {\n await store.delete(`dcr:provider:${dcrToken}`);\n}\n\n// ============================================================================\n// Authorization Code Operations\n// ============================================================================\n\n/\n Store an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @param authCode - Authorization code data\n /\nexport async function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void> {\n await store.set(`dcr:authcode:${code}`, authCode);\n}\n\n/\n Get an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @returns Authorization code data or undefined if not found\n /\nexport async function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode \| undefined> {\n return await store.get(`dcr:authcode:${code}`);\n}\n\n/\n Delete an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n /\nexport async function deleteAuthCode(store: Keyv, code: string): Promise<void> {\n await store.delete(`dcr:authcode:${code}`);\n}\n\n// ============================================================================\n// Access Token Operations\n// ============================================================================\n\n/\n Store an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @param tokenData - Access token data\n /\nexport async function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:access:${token}`, tokenData);\n}\n\n/\n Get an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @returns Access token data or undefined if not found\n /\nexport async function getAccessToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:access:${token}`);\n}\n\n/\n Delete an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n /\nexport async function deleteAccessToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:access:${token}`);\n}\n\n// ============================================================================\n// Refresh Token Operations\n// ============================================================================\n\n/\n Store a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @param tokenData - Access token data (contains refresh token context)\n /\nexport async function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:refresh:${token}`, tokenData);\n}\n\n/\n Get a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @returns Access token data or undefined if not found\n /\nexport async function getRefreshToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:refresh:${token}`);\n}\n\n/\n Delete a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n */\nexport async function deleteRefreshToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:refresh:${token}`);\n}\n"],"names":["randomUUID","registerClient","store","metadata","redirect_uris","length","Error","client_id","client_secret","grant_types","response_types","client","client_id_issued_at","Math","floor","Date","now","client_secret_expires_at","token_endpoint_auth_method","client_name","undefined","client_uri","logo_uri","scope","contacts","tos_uri","policy_uri","jwks_uri","jwks","software_id","software_version","created_at","set","clientInfo","getClient","clientId","get","validateClient","clientSecret","validateRedirectUri","redirectUri","includes","listClients","clients","iterator","_key","value","push","deleteClient","delete","setProviderTokens","dcrToken","tokens","getProviderTokens","deleteProviderTokens","setAuthCode","code","authCode","getAuthCode","deleteAuthCode","setAccessToken","token","tokenData","getAccessToken","deleteAccessToken","setRefreshToken","getRefreshToken","deleteRefreshToken"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GAGD,SAASA,UAAU,QAAQ,SAAS;AAIpC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;CAOC,GACD,OAAO,eAAeC,eAAeC,KAAW,EAAEC,QAA2B;QAWvDA,uBACGA,0BASOA;IApB9B,iDAAiD;IACjD,IAAI,CAACA,SAASC,aAAa,IAAID,SAASC,aAAa,CAACC,MAAM,KAAK,GAAG;QAClE,MAAM,IAAIC,MAAM;IAClB;IAEA,8BAA8B;IAC9B,MAAMC,YAAY,CAAC,IAAI,EAAEP,cAAc;IACvC,MAAMQ,gBAAgBR;IAEtB,gEAAgE;IAChE,MAAMS,eAAcN,wBAAAA,SAASM,WAAW,cAApBN,mCAAAA,wBAAwB;QAAC;QAAsB;KAAgB;IACnF,MAAMO,kBAAiBP,2BAAAA,SAASO,cAAc,cAAvBP,sCAAAA,2BAA2B;QAAC;KAAO;IAE1D,6EAA6E;IAC7E,MAAMQ,SAA2B;QAC/BJ;QACAC;QACAI,qBAAqBC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;QAC7CC,0BAA0B;QAC1Bb,eAAeD,SAASC,aAAa;QACrCc,0BAA0B,GAAEf,uCAAAA,SAASe,0BAA0B,cAAnCf,kDAAAA,uCAAuC;QACnEM;QACAC;QACA,GAAIP,SAASgB,WAAW,KAAKC,aAAa;YAAED,aAAahB,SAASgB,WAAW;QAAC,CAAC;QAC/E,GAAIhB,SAASkB,UAAU,KAAKD,aAAa;YAAEC,YAAYlB,SAASkB,UAAU;QAAC,CAAC;QAC5E,GAAIlB,SAASmB,QAAQ,KAAKF,aAAa;YAAEE,UAAUnB,SAASmB,QAAQ;QAAC,CAAC;QACtE,GAAInB,SAASoB,KAAK,KAAKH,aAAa;YAAEG,OAAOpB,SAASoB,KAAK;QAAC,CAAC;QAC7D,GAAIpB,SAASqB,QAAQ,KAAKJ,aAAa;YAAEI,UAAUrB,SAASqB,QAAQ;QAAC,CAAC;QACtE,GAAIrB,SAASsB,OAAO,KAAKL,aAAa;YAAEK,SAAStB,SAASsB,OAAO;QAAC,CAAC;QACnE,GAAItB,SAASuB,UAAU,KAAKN,aAAa;YAAEM,YAAYvB,SAASuB,UAAU;QAAC,CAAC;QAC5E,GAAIvB,SAASwB,QAAQ,KAAKP,aAAa;YAAEO,UAAUxB,SAASwB,QAAQ;QAAC,CAAC;QACtE,GAAIxB,SAASyB,IAAI,KAAKR,aAAa;YAAEQ,MAAMzB,SAASyB,IAAI;QAAC,CAAC;QAC1D,GAAIzB,SAAS0B,WAAW,KAAKT,aAAa;YAAES,aAAa1B,SAAS0B,WAAW;QAAC,CAAC;QAC/E,GAAI1B,SAAS2B,gBAAgB,KAAKV,aAAa;YAAEU,kBAAkB3B,SAAS2B,gBAAgB;QAAC,CAAC;QAC9FC,YAAYhB,KAAKC,GAAG;IACtB;IAEA,eAAe;IACf,MAAMd,MAAM8B,GAAG,CAAC,CAAC,WAAW,EAAEzB,WAAW,EAAEI;IAE3C,4DAA4D;IAC5D,MAAM,EAAEoB,UAAU,EAAE,GAAGE,YAAY,GAAGtB;IACtC,OAAOsB;AACT;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,UAAUhC,KAAW,EAAEiC,QAAgB;IAC3D,OAAO,MAAMjC,MAAMkC,GAAG,CAAC,CAAC,WAAW,EAAED,UAAU;AACjD;AAEA;;;;;;;CAOC,GACD,OAAO,eAAeE,eAAenC,KAAW,EAAEiC,QAAgB,EAAEG,YAAoB;IACtF,MAAM3B,SAAS,MAAMuB,UAAUhC,OAAOiC;IACtC,IAAI,CAACxB,QAAQ,OAAO;IACpB,OAAOA,OAAOH,aAAa,KAAK8B;AAClC;AAEA;;;;;;;CAOC,GACD,OAAO,eAAeC,oBAAoBrC,KAAW,EAAEiC,QAAgB,EAAEK,WAAmB;IAC1F,MAAM7B,SAAS,MAAMuB,UAAUhC,OAAOiC;IACtC,IAAI,CAACxB,UAAU,CAACA,OAAOP,aAAa,EAAE,OAAO;IAC7C,OAAOO,OAAOP,aAAa,CAACqC,QAAQ,CAACD;AACvC;AAEA;;;;;;;;CAQC,GACD,OAAO,eAAeE,YAAYxC,KAAW;IAC3C,MAAMyC,UAA8B,EAAE;IAEtC,8CAA8C;IAC9C,IAAIzC,MAAM0C,QAAQ,EAAE;QAClB,kEAAkE;QAClE,MAAMA,WAAW1C,MAAM0C,QAAQ,CAAC;QAChC,WAAW,MAAM,CAACC,MAAMC,MAAM,IAAIF,SAAU;YAC1C,IAAIE,UAAU1B,WAAW;gBACvBuB,QAAQI,IAAI,CAACD;YACf;QACF;IACF;IAEA,OAAOH;AACT;AAEA;;;;;CAKC,GACD,OAAO,eAAeK,aAAa9C,KAAW,EAAEiC,QAAgB;IAC9D,MAAMjC,MAAM+C,MAAM,CAAC,CAAC,WAAW,EAAEd,UAAU;AAC7C;AAEA,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAee,kBAAkBhD,KAAW,EAAEiD,QAAgB,EAAEC,MAAsB;IAC3F,MAAMlD,MAAM8B,GAAG,CAAC,CAAC,aAAa,EAAEmB,UAAU,EAAEC;AAC9C;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,kBAAkBnD,KAAW,EAAEiD,QAAgB;IACnE,OAAO,MAAMjD,MAAMkC,GAAG,CAAC,CAAC,aAAa,EAAEe,UAAU;AACnD;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,qBAAqBpD,KAAW,EAAEiD,QAAgB;IACtE,MAAMjD,MAAM+C,MAAM,CAAC,CAAC,aAAa,EAAEE,UAAU;AAC/C;AAEA,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,YAAYrD,KAAW,EAAEsD,IAAY,EAAEC,QAA2B;IACtF,MAAMvD,MAAM8B,GAAG,CAAC,CAAC,aAAa,EAAEwB,MAAM,EAAEC;AAC1C;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,YAAYxD,KAAW,EAAEsD,IAAY;IACzD,OAAO,MAAMtD,MAAMkC,GAAG,CAAC,CAAC,aAAa,EAAEoB,MAAM;AAC/C;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,eAAezD,KAAW,EAAEsD,IAAY;IAC5D,MAAMtD,MAAM+C,MAAM,CAAC,CAAC,aAAa,EAAEO,MAAM;AAC3C;AAEA,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,eAAe1D,KAAW,EAAE2D,KAAa,EAAEC,SAAsB;IACrF,MAAM5D,MAAM8B,GAAG,CAAC,CAAC,WAAW,EAAE6B,OAAO,EAAEC;AACzC;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,eAAe7D,KAAW,EAAE2D,KAAa;IAC7D,OAAO,MAAM3D,MAAMkC,GAAG,CAAC,CAAC,WAAW,EAAEyB,OAAO;AAC9C;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,kBAAkB9D,KAAW,EAAE2D,KAAa;IAChE,MAAM3D,MAAM+C,MAAM,CAAC,CAAC,WAAW,EAAEY,OAAO;AAC1C;AAEA,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,gBAAgB/D,KAAW,EAAE2D,KAAa,EAAEC,SAAsB;IACtF,MAAM5D,MAAM8B,GAAG,CAAC,CAAC,YAAY,EAAE6B,OAAO,EAAEC;AAC1C;AAEA;;;;;;CAMC,GACD,OAAO,eAAeI,gBAAgBhE,KAAW,EAAE2D,KAAa;IAC9D,OAAO,MAAM3D,MAAMkC,GAAG,CAAC,CAAC,YAAY,EAAEyB,OAAO;AAC/C;AAEA;;;;;CAKC,GACD,OAAO,eAAeM,mBAAmBjE,KAAW,EAAE2D,KAAa;IACjE,MAAM3D,MAAM+C,MAAM,CAAC,CAAC,YAAY,EAAEY,OAAO;AAC3C"}
1	+ {"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth-microsoft/src/lib/dcr-utils.ts"],"sourcesContent":["/*\n DCR Storage Utilities\n \n Keyv-based storage utilities for Dynamic Client Registration.\n * Follows @mcp-z/oauth pattern: single Keyv store with compound keys.\n \n Key Patterns:\n * - dcr:client:{clientId} -> RegisteredClient\n * - dcr:provider:{dcrToken} -> ProviderTokens\n * - dcr:authcode:{code} -> AuthorizationCode\n * - dcr:access:{token} -> AccessToken\n * - dcr:refresh:{token} -> AccessToken\n /\n\nimport type { DcrClientInformation, DcrClientMetadata, ProviderTokens } from '@mcp-z/oauth';\nimport { randomUUID } from 'crypto';\nimport type { Keyv } from 'keyv';\nimport type { AccessToken, AuthorizationCode, RegisteredClient } from '../types.ts';\n\nconst TEN_MINUTES_MS = 10 60 * 1000;\nconst ONE_HOUR_MS = 60 * 60 * 1000;\nconst THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;\n\n// ============================================================================\n// Client Operations\n// ============================================================================\n\n/*\n Register a new OAuth client (RFC 7591 Section 3.1)\n \n @param store - Keyv store for all DCR data\n * @param metadata - Client registration metadata\n * @returns Registered client with credentials\n * @throws Error if validation fails\n /\nexport async function registerClient(store: Keyv, metadata: DcrClientMetadata): Promise<DcrClientInformation> {\n // Validate redirect URIs (required per RFC 7591)\n if (!metadata.redirect_uris \|\| metadata.redirect_uris.length === 0) {\n throw new Error('redirect_uris is required');\n }\n\n // Generate client credentials\n const client_id = `dcr_${randomUUID()}`;\n const client_secret = randomUUID();\n\n // Default grant types and response types per RFC 7591 Section 2\n const grant_types = metadata.grant_types ?? ['authorization_code', 'refresh_token'];\n const response_types = metadata.response_types ?? ['code'];\n\n // Build registered client - only include optional fields if they have values\n const client: RegisteredClient = {\n client_id,\n client_secret,\n client_id_issued_at: Math.floor(Date.now() / 1000),\n client_secret_expires_at: 0, // Never expires\n redirect_uris: metadata.redirect_uris,\n token_endpoint_auth_method: metadata.token_endpoint_auth_method ?? 'client_secret_basic',\n grant_types,\n response_types,\n ...(metadata.client_name !== undefined && { client_name: metadata.client_name }),\n ...(metadata.client_uri !== undefined && { client_uri: metadata.client_uri }),\n ...(metadata.logo_uri !== undefined && { logo_uri: metadata.logo_uri }),\n ...(metadata.scope !== undefined && { scope: metadata.scope }),\n ...(metadata.contacts !== undefined && { contacts: metadata.contacts }),\n ...(metadata.tos_uri !== undefined && { tos_uri: metadata.tos_uri }),\n ...(metadata.policy_uri !== undefined && { policy_uri: metadata.policy_uri }),\n ...(metadata.jwks_uri !== undefined && { jwks_uri: metadata.jwks_uri }),\n ...(metadata.jwks !== undefined && { jwks: metadata.jwks }),\n ...(metadata.software_id !== undefined && { software_id: metadata.software_id }),\n ...(metadata.software_version !== undefined && { software_version: metadata.software_version }),\n created_at: Date.now(),\n };\n\n // Store client\n await store.set(`dcr:client:${client_id}`, client);\n\n // Return client information (excluding internal created_at)\n const { created_at, ...clientInfo } = client;\n return clientInfo;\n}\n\n/\n Get a registered client by ID\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @returns Registered client or undefined if not found\n /\nexport async function getClient(store: Keyv, clientId: string): Promise<RegisteredClient \| undefined> {\n return await store.get(`dcr:client:${clientId}`);\n}\n\n/\n Validate client credentials\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param clientSecret - Client secret\n * @returns True if credentials are valid\n /\nexport async function validateClient(store: Keyv, clientId: string, clientSecret: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client) return false;\n return client.client_secret === clientSecret;\n}\n\n/\n Validate redirect URI for a client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n * @param redirectUri - Redirect URI to validate\n * @returns True if redirect URI is registered\n /\nexport async function validateRedirectUri(store: Keyv, clientId: string, redirectUri: string): Promise<boolean> {\n const client = await getClient(store, clientId);\n if (!client \|\| !client.redirect_uris) return false;\n return client.redirect_uris.includes(redirectUri);\n}\n\n/\n List all registered clients (for debugging)\n \n Note: This method uses Keyv's iterator which may not be available on all storage adapters.\n * For production use, consider maintaining a separate index of client IDs.\n \n @param store - Keyv store for all DCR data\n * @returns Array of all registered clients\n /\nexport async function listClients(store: Keyv): Promise<RegisteredClient[]> {\n const clients: RegisteredClient[] = [];\n\n // Check if iterator is available on the store\n if (store.iterator) {\n // Use iterator with namespace to iterate through dcr:client: keys\n const iterator = store.iterator('dcr:client:');\n for await (const [_key, value] of iterator) {\n if (value !== undefined) {\n clients.push(value as RegisteredClient);\n }\n }\n }\n\n return clients;\n}\n\n/\n Delete a registered client\n \n @param store - Keyv store for all DCR data\n * @param clientId - Client identifier\n /\nexport async function deleteClient(store: Keyv, clientId: string): Promise<void> {\n await store.delete(`dcr:client:${clientId}`);\n}\n\n// ============================================================================\n// Provider Token Operations\n// ============================================================================\n\n/\n Store provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token (used as key)\n * @param tokens - Microsoft provider tokens (access, refresh, expiry)\n /\nexport async function setProviderTokens(store: Keyv, dcrToken: string, tokens: ProviderTokens): Promise<void> {\n await store.set(`dcr:provider:${dcrToken}`, tokens, ONE_HOUR_MS);\n}\n\n/\n Retrieve provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n * @returns Provider tokens or undefined if not found\n /\nexport async function getProviderTokens(store: Keyv, dcrToken: string): Promise<ProviderTokens \| undefined> {\n return await store.get(`dcr:provider:${dcrToken}`);\n}\n\n/\n Delete provider tokens for a DCR access token\n \n @param store - Keyv store for all DCR data\n * @param dcrToken - DCR-issued access token\n /\nexport async function deleteProviderTokens(store: Keyv, dcrToken: string): Promise<void> {\n await store.delete(`dcr:provider:${dcrToken}`);\n}\n\n// ============================================================================\n// Authorization Code Operations\n// ============================================================================\n\n/\n Store an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @param authCode - Authorization code data\n /\nexport async function setAuthCode(store: Keyv, code: string, authCode: AuthorizationCode): Promise<void> {\n await store.set(`dcr:authcode:${code}`, authCode, TEN_MINUTES_MS);\n}\n\n/\n Get an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n * @returns Authorization code data or undefined if not found\n /\nexport async function getAuthCode(store: Keyv, code: string): Promise<AuthorizationCode \| undefined> {\n return await store.get(`dcr:authcode:${code}`);\n}\n\n/\n Delete an authorization code\n \n @param store - Keyv store for all DCR data\n * @param code - Authorization code\n /\nexport async function deleteAuthCode(store: Keyv, code: string): Promise<void> {\n await store.delete(`dcr:authcode:${code}`);\n}\n\n// ============================================================================\n// Access Token Operations\n// ============================================================================\n\n/\n Store an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @param tokenData - Access token data\n /\nexport async function setAccessToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:access:${token}`, tokenData, ONE_HOUR_MS);\n}\n\n/\n Get an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n * @returns Access token data or undefined if not found\n /\nexport async function getAccessToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:access:${token}`);\n}\n\n/\n Delete an access token\n \n @param store - Keyv store for all DCR data\n * @param token - Access token\n /\nexport async function deleteAccessToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:access:${token}`);\n}\n\n// ============================================================================\n// Refresh Token Operations\n// ============================================================================\n\n/\n Store a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @param tokenData - Access token data (contains refresh token context)\n /\nexport async function setRefreshToken(store: Keyv, token: string, tokenData: AccessToken): Promise<void> {\n await store.set(`dcr:refresh:${token}`, tokenData, THIRTY_DAYS_MS);\n}\n\n/\n Get a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n * @returns Access token data or undefined if not found\n /\nexport async function getRefreshToken(store: Keyv, token: string): Promise<AccessToken \| undefined> {\n return await store.get(`dcr:refresh:${token}`);\n}\n\n/\n Delete a refresh token\n \n @param store - Keyv store for all DCR data\n * @param token - Refresh token\n */\nexport async function deleteRefreshToken(store: Keyv, token: string): Promise<void> {\n await store.delete(`dcr:refresh:${token}`);\n}\n"],"names":["randomUUID","TEN_MINUTES_MS","ONE_HOUR_MS","THIRTY_DAYS_MS","registerClient","store","metadata","redirect_uris","length","Error","client_id","client_secret","grant_types","response_types","client","client_id_issued_at","Math","floor","Date","now","client_secret_expires_at","token_endpoint_auth_method","client_name","undefined","client_uri","logo_uri","scope","contacts","tos_uri","policy_uri","jwks_uri","jwks","software_id","software_version","created_at","set","clientInfo","getClient","clientId","get","validateClient","clientSecret","validateRedirectUri","redirectUri","includes","listClients","clients","iterator","_key","value","push","deleteClient","delete","setProviderTokens","dcrToken","tokens","getProviderTokens","deleteProviderTokens","setAuthCode","code","authCode","getAuthCode","deleteAuthCode","setAccessToken","token","tokenData","getAccessToken","deleteAccessToken","setRefreshToken","getRefreshToken","deleteRefreshToken"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GAGD,SAASA,UAAU,QAAQ,SAAS;AAIpC,MAAMC,iBAAiB,KAAK,KAAK;AACjC,MAAMC,cAAc,KAAK,KAAK;AAC9B,MAAMC,iBAAiB,KAAK,KAAK,KAAK,KAAK;AAE3C,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;CAOC,GACD,OAAO,eAAeC,eAAeC,KAAW,EAAEC,QAA2B;QAWvDA,uBACGA,0BASOA;IApB9B,iDAAiD;IACjD,IAAI,CAACA,SAASC,aAAa,IAAID,SAASC,aAAa,CAACC,MAAM,KAAK,GAAG;QAClE,MAAM,IAAIC,MAAM;IAClB;IAEA,8BAA8B;IAC9B,MAAMC,YAAY,CAAC,IAAI,EAAEV,cAAc;IACvC,MAAMW,gBAAgBX;IAEtB,gEAAgE;IAChE,MAAMY,eAAcN,wBAAAA,SAASM,WAAW,cAApBN,mCAAAA,wBAAwB;QAAC;QAAsB;KAAgB;IACnF,MAAMO,kBAAiBP,2BAAAA,SAASO,cAAc,cAAvBP,sCAAAA,2BAA2B;QAAC;KAAO;IAE1D,6EAA6E;IAC7E,MAAMQ,SAA2B;QAC/BJ;QACAC;QACAI,qBAAqBC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;QAC7CC,0BAA0B;QAC1Bb,eAAeD,SAASC,aAAa;QACrCc,0BAA0B,GAAEf,uCAAAA,SAASe,0BAA0B,cAAnCf,kDAAAA,uCAAuC;QACnEM;QACAC;QACA,GAAIP,SAASgB,WAAW,KAAKC,aAAa;YAAED,aAAahB,SAASgB,WAAW;QAAC,CAAC;QAC/E,GAAIhB,SAASkB,UAAU,KAAKD,aAAa;YAAEC,YAAYlB,SAASkB,UAAU;QAAC,CAAC;QAC5E,GAAIlB,SAASmB,QAAQ,KAAKF,aAAa;YAAEE,UAAUnB,SAASmB,QAAQ;QAAC,CAAC;QACtE,GAAInB,SAASoB,KAAK,KAAKH,aAAa;YAAEG,OAAOpB,SAASoB,KAAK;QAAC,CAAC;QAC7D,GAAIpB,SAASqB,QAAQ,KAAKJ,aAAa;YAAEI,UAAUrB,SAASqB,QAAQ;QAAC,CAAC;QACtE,GAAIrB,SAASsB,OAAO,KAAKL,aAAa;YAAEK,SAAStB,SAASsB,OAAO;QAAC,CAAC;QACnE,GAAItB,SAASuB,UAAU,KAAKN,aAAa;YAAEM,YAAYvB,SAASuB,UAAU;QAAC,CAAC;QAC5E,GAAIvB,SAASwB,QAAQ,KAAKP,aAAa;YAAEO,UAAUxB,SAASwB,QAAQ;QAAC,CAAC;QACtE,GAAIxB,SAASyB,IAAI,KAAKR,aAAa;YAAEQ,MAAMzB,SAASyB,IAAI;QAAC,CAAC;QAC1D,GAAIzB,SAAS0B,WAAW,KAAKT,aAAa;YAAES,aAAa1B,SAAS0B,WAAW;QAAC,CAAC;QAC/E,GAAI1B,SAAS2B,gBAAgB,KAAKV,aAAa;YAAEU,kBAAkB3B,SAAS2B,gBAAgB;QAAC,CAAC;QAC9FC,YAAYhB,KAAKC,GAAG;IACtB;IAEA,eAAe;IACf,MAAMd,MAAM8B,GAAG,CAAC,CAAC,WAAW,EAAEzB,WAAW,EAAEI;IAE3C,4DAA4D;IAC5D,MAAM,EAAEoB,UAAU,EAAE,GAAGE,YAAY,GAAGtB;IACtC,OAAOsB;AACT;AAEA;;;;;;CAMC,GACD,OAAO,eAAeC,UAAUhC,KAAW,EAAEiC,QAAgB;IAC3D,OAAO,MAAMjC,MAAMkC,GAAG,CAAC,CAAC,WAAW,EAAED,UAAU;AACjD;AAEA;;;;;;;CAOC,GACD,OAAO,eAAeE,eAAenC,KAAW,EAAEiC,QAAgB,EAAEG,YAAoB;IACtF,MAAM3B,SAAS,MAAMuB,UAAUhC,OAAOiC;IACtC,IAAI,CAACxB,QAAQ,OAAO;IACpB,OAAOA,OAAOH,aAAa,KAAK8B;AAClC;AAEA;;;;;;;CAOC,GACD,OAAO,eAAeC,oBAAoBrC,KAAW,EAAEiC,QAAgB,EAAEK,WAAmB;IAC1F,MAAM7B,SAAS,MAAMuB,UAAUhC,OAAOiC;IACtC,IAAI,CAACxB,UAAU,CAACA,OAAOP,aAAa,EAAE,OAAO;IAC7C,OAAOO,OAAOP,aAAa,CAACqC,QAAQ,CAACD;AACvC;AAEA;;;;;;;;CAQC,GACD,OAAO,eAAeE,YAAYxC,KAAW;IAC3C,MAAMyC,UAA8B,EAAE;IAEtC,8CAA8C;IAC9C,IAAIzC,MAAM0C,QAAQ,EAAE;QAClB,kEAAkE;QAClE,MAAMA,WAAW1C,MAAM0C,QAAQ,CAAC;QAChC,WAAW,MAAM,CAACC,MAAMC,MAAM,IAAIF,SAAU;YAC1C,IAAIE,UAAU1B,WAAW;gBACvBuB,QAAQI,IAAI,CAACD;YACf;QACF;IACF;IAEA,OAAOH;AACT;AAEA;;;;;CAKC,GACD,OAAO,eAAeK,aAAa9C,KAAW,EAAEiC,QAAgB;IAC9D,MAAMjC,MAAM+C,MAAM,CAAC,CAAC,WAAW,EAAEd,UAAU;AAC7C;AAEA,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAee,kBAAkBhD,KAAW,EAAEiD,QAAgB,EAAEC,MAAsB;IAC3F,MAAMlD,MAAM8B,GAAG,CAAC,CAAC,aAAa,EAAEmB,UAAU,EAAEC,QAAQrD;AACtD;AAEA;;;;;;CAMC,GACD,OAAO,eAAesD,kBAAkBnD,KAAW,EAAEiD,QAAgB;IACnE,OAAO,MAAMjD,MAAMkC,GAAG,CAAC,CAAC,aAAa,EAAEe,UAAU;AACnD;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,qBAAqBpD,KAAW,EAAEiD,QAAgB;IACtE,MAAMjD,MAAM+C,MAAM,CAAC,CAAC,aAAa,EAAEE,UAAU;AAC/C;AAEA,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,YAAYrD,KAAW,EAAEsD,IAAY,EAAEC,QAA2B;IACtF,MAAMvD,MAAM8B,GAAG,CAAC,CAAC,aAAa,EAAEwB,MAAM,EAAEC,UAAU3D;AACpD;AAEA;;;;;;CAMC,GACD,OAAO,eAAe4D,YAAYxD,KAAW,EAAEsD,IAAY;IACzD,OAAO,MAAMtD,MAAMkC,GAAG,CAAC,CAAC,aAAa,EAAEoB,MAAM;AAC/C;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,eAAezD,KAAW,EAAEsD,IAAY;IAC5D,MAAMtD,MAAM+C,MAAM,CAAC,CAAC,aAAa,EAAEO,MAAM;AAC3C;AAEA,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,eAAe1D,KAAW,EAAE2D,KAAa,EAAEC,SAAsB;IACrF,MAAM5D,MAAM8B,GAAG,CAAC,CAAC,WAAW,EAAE6B,OAAO,EAAEC,WAAW/D;AACpD;AAEA;;;;;;CAMC,GACD,OAAO,eAAegE,eAAe7D,KAAW,EAAE2D,KAAa;IAC7D,OAAO,MAAM3D,MAAMkC,GAAG,CAAC,CAAC,WAAW,EAAEyB,OAAO;AAC9C;AAEA;;;;;CAKC,GACD,OAAO,eAAeG,kBAAkB9D,KAAW,EAAE2D,KAAa;IAChE,MAAM3D,MAAM+C,MAAM,CAAC,CAAC,WAAW,EAAEY,OAAO;AAC1C;AAEA,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;;;;CAMC,GACD,OAAO,eAAeI,gBAAgB/D,KAAW,EAAE2D,KAAa,EAAEC,SAAsB;IACtF,MAAM5D,MAAM8B,GAAG,CAAC,CAAC,YAAY,EAAE6B,OAAO,EAAEC,WAAW9D;AACrD;AAEA;;;;;;CAMC,GACD,OAAO,eAAekE,gBAAgBhE,KAAW,EAAE2D,KAAa;IAC9D,OAAO,MAAM3D,MAAMkC,GAAG,CAAC,CAAC,YAAY,EAAEyB,OAAO;AAC/C;AAEA;;;;;CAKC,GACD,OAAO,eAAeM,mBAAmBjE,KAAW,EAAE2D,KAAa;IACjE,MAAM3D,MAAM+C,MAAM,CAAC,CAAC,YAAY,EAAEY,OAAO;AAC3C"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-z/oauth-microsoft",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "OAuth 2.0 client for Microsoft Graph with multi-account support, PKCE security, and swappable storage backends",
   "keywords": [
     "oauth2",
@@ -58,25 +58,24 @@
     "zod": "^4.0.0"
   },
   "devDependencies": {
-    "@mcp-z/client": "^1.0.0",
-    "@microsoft/microsoft-graph-client": "^3.0.7",
+    "@mcp-z/client": "^1.0.5",
+    "@microsoft/microsoft-graph-client": "^3.0.0",
     "@modelcontextprotocol/sdk": "^1.0.0",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.6",
     "@types/mocha": "^10.0.10",
-    "@types/node": "^25.0.2",
+    "@types/node": "^25.0.3",
     "cors": "^2.0.0",
     "dotenv": "^17.2.3",
     "get-port": "^7.1.0",
-    "keyv": "^5.5.5",
-    "keyv-file": "^5.3.3",
-    "node-version-use": "^2.1.6",
-    "ts-dev-stack": "^1.21.3",
-    "tsds-config": "^1.0.0",
-    "typescript": "^5.9.3"
+    "keyv": "^5.0.0",
+    "keyv-file": "^5.0.0",
+    "node-version-use": "^2.4.7",
+    "ts-dev-stack": "^1.22.1",
+    "tsds-config": "^1.0.4"
   },
   "peerDependencies": {
-    "keyv": "^5.5.5"
+    "keyv": "^5.0.0"
   },
   "engines": {
     "node": ">=24"