@mcp-z/oauth 1.0.0

package/dist/cjs/sanitizer.js

@@ -0,0 +1,407 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get sanitizeData () {
+        return sanitizeData;
+    },
+    get sanitizeForLogging () {
+        return sanitizeForLogging;
+    },
+    get sanitizeForLoggingFormatter () {
+        return sanitizeForLoggingFormatter;
+    },
+    get sanitizeLogMessage () {
+        return sanitizeLogMessage;
+    }
+});
+function _array_like_to_array(arr, len) {
+    if (len == null || len > arr.length) len = arr.length;
+    for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
+    return arr2;
+}
+function _array_with_holes(arr) {
+    if (Array.isArray(arr)) return arr;
+}
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _iterable_to_array_limit(arr, i) {
+    var _i = arr == null ? null : typeof Symbol !== "undefined" && arr[Symbol.iterator] || arr["@@iterator"];
+    if (_i == null) return;
+    var _arr = [];
+    var _n = true;
+    var _d = false;
+    var _s, _e;
+    try {
+        for(_i = _i.call(arr); !(_n = (_s = _i.next()).done); _n = true){
+            _arr.push(_s.value);
+            if (i && _arr.length === i) break;
+        }
+    } catch (err) {
+        _d = true;
+        _e = err;
+    } finally{
+        try {
+            if (!_n && _i["return"] != null) _i["return"]();
+        } finally{
+            if (_d) throw _e;
+        }
+    }
+    return _arr;
+}
+function _non_iterable_rest() {
+    throw new TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+function _object_spread(target) {
+    for(var i = 1; i < arguments.length; i++){
+        var source = arguments[i] != null ? arguments[i] : {};
+        var ownKeys = Object.keys(source);
+        if (typeof Object.getOwnPropertySymbols === "function") {
+            ownKeys = ownKeys.concat(Object.getOwnPropertySymbols(source).filter(function(sym) {
+                return Object.getOwnPropertyDescriptor(source, sym).enumerable;
+            }));
+        }
+        ownKeys.forEach(function(key) {
+            _define_property(target, key, source[key]);
+        });
+    }
+    return target;
+}
+function ownKeys(object, enumerableOnly) {
+    var keys = Object.keys(object);
+    if (Object.getOwnPropertySymbols) {
+        var symbols = Object.getOwnPropertySymbols(object);
+        if (enumerableOnly) {
+            symbols = symbols.filter(function(sym) {
+                return Object.getOwnPropertyDescriptor(object, sym).enumerable;
+            });
+        }
+        keys.push.apply(keys, symbols);
+    }
+    return keys;
+}
+function _object_spread_props(target, source) {
+    source = source != null ? source : {};
+    if (Object.getOwnPropertyDescriptors) {
+        Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
+    } else {
+        ownKeys(Object(source)).forEach(function(key) {
+            Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
+        });
+    }
+    return target;
+}
+function _sliced_to_array(arr, i) {
+    return _array_with_holes(arr) || _iterable_to_array_limit(arr, i) || _unsupported_iterable_to_array(arr, i) || _non_iterable_rest();
+}
+function _type_of(obj) {
+    "@swc/helpers - typeof";
+    return obj && typeof Symbol !== "undefined" && obj.constructor === Symbol ? "symbol" : typeof obj;
+}
+function _unsupported_iterable_to_array(o, minLen) {
+    if (!o) return;
+    if (typeof o === "string") return _array_like_to_array(o, minLen);
+    var n = Object.prototype.toString.call(o).slice(8, -1);
+    if (n === "Object" && o.constructor) n = o.constructor.name;
+    if (n === "Map" || n === "Set") return Array.from(n);
+    if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+}
+/**
+ * Data sanitization utilities for secure logging.
+ * Redacts sensitive OAuth tokens, API keys, and credentials from log output.
+ *
+ * @example
+ * ```typescript
+ * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })
+ * // { accountId: 'test@example.com', access_token: 'secr****alue' }
+ *
+ * sanitizeForLogging('Processing token', { token: 'secret_value' })
+ * // { message: 'Processing token', meta: { token: 'secr****alue' } }
+ * ```
+ */ /** Regex patterns for sensitive data that should be redacted from logs */ var SENSITIVE_PATTERNS = [
+    // OAuth tokens, codes, and secrets
+    /access_token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /(access_token_[a-zA-Z0-9_]+)/gi,
+    /refresh_token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /client_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /id_token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /\bcode['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /\bstate['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /code_verifier['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /code_challenge['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /codeVerifier['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /codeChallenge['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /device_code['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /user_code['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /verification_uri['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /verification_uri_complete['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Provider credentials and identifiers
+    /app_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /appSecret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /tenant_id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /tenantId['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /client_id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /clientId['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /app_id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /appId['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /redirect_uri['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /redirectUri['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /subscription_key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /subscriptionKey['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Security secrets and keys
+    /webhook_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /webhookSecret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /signing_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /signingSecret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /encryption_key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /encryptionKey['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /private_key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /privateKey['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /certificate['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /cert['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Authorization headers
+    /Authorization['":\s]*['"]\s*Bearer\s+([^'"]+)['"]/gi,
+    /authorization['":\s]*['"]\s*Bearer\s+([^'"]+)['"]/gi,
+    /Bearer\s+([A-Za-z0-9+/=\-_.]+)/gi,
+    /Authorization:\s*Bearer\s+([A-Za-z0-9+/=\-_.]+)/gi,
+    /[A-Z_]+_(SECRET|KEY|TOKEN|PASSWORD)['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Session and CSRF tokens
+    /\bnonce['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /session[_-]?id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /csrf[_-]?token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Other sensitive patterns
+    /"email"\s*:\s*"([^@"]{1,64}@[^."]{1,63}\.[a-z]{2,6})"/gi,
+    /api[_-]?key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /password['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /\b(ey[A-Za-z0-9+/=]+\.[A-Za-z0-9+/=]+\.[A-Za-z0-9+/=\-_]+)/g,
+    // Base64 secrets (split into length ranges for practical matching)
+    /\b([A-Za-z0-9+/]{60,200}={0,2})\b/g,
+    /\b([A-Za-z0-9+/]{201,1000}={0,2})\b/g,
+    /\b([A-Za-z0-9+/]{1001,5000}={0,2})\b/g,
+    // Connection identifiers
+    /connection[_-]?id['":\s]*['"]\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['"]/gi
+];
+/** Field names that should be redacted when found as object keys */ var SENSITIVE_FIELDS = new Set([
+    'access_token',
+    'accessToken',
+    'refresh_token',
+    'refreshToken',
+    'client_secret',
+    'clientSecret',
+    'id_token',
+    'idToken',
+    'code',
+    'authorization_code',
+    'authorizationCode',
+    'device_code',
+    'deviceCode',
+    'user_code',
+    'userCode',
+    'verification_uri',
+    'verificationUri',
+    'verification_uri_complete',
+    'verificationUriComplete',
+    'client_id',
+    'clientId',
+    'app_id',
+    'appId',
+    'app_secret',
+    'appSecret',
+    'tenant_id',
+    'tenantId',
+    'bot_id',
+    'botId',
+    'workspace_id',
+    'workspaceId',
+    'organization_id',
+    'organizationId',
+    'redirect_uri',
+    'redirectUri',
+    'audience',
+    'realm',
+    'domain',
+    'webhook_secret',
+    'webhookSecret',
+    'signing_secret',
+    'signingSecret',
+    'subscription_key',
+    'subscriptionKey',
+    'encryption_key',
+    'encryptionKey',
+    'private_key',
+    'privateKey',
+    'certificate',
+    'cert',
+    'stripe-signature',
+    'x-hub-signature',
+    'x-hub-signature-256',
+    'x-slack-signature',
+    'x-mcp-z-webhook-secret',
+    'password',
+    'secret',
+    'token',
+    'authorization',
+    'credential',
+    'auth',
+    'verifier',
+    'challenge',
+    'code_verifier',
+    'codeVerifier',
+    'code_challenge',
+    'codeChallenge',
+    'nonce',
+    'session_id',
+    'sessionId',
+    'csrf_token',
+    'csrfToken',
+    'api_key',
+    'apiKey',
+    'state',
+    'connection_id',
+    'connectionId',
+    'gmail_connection_id',
+    'gmailConnectionId'
+]);
+function isAlreadySanitized(value) {
+    return value.includes('****') || value.includes('[REDACTED]') || value === '[REDACTED]';
+}
+function redactValue(value) {
+    if (isAlreadySanitized(value)) {
+        return value;
+    }
+    if (value.length <= 8) {
+        return '*'.repeat(value.length);
+    }
+    // Show first 4 and last 4 characters
+    return "".concat(value.substring(0, 4), "****").concat(value.substring(value.length - 4));
+}
+function sanitizeData(data) {
+    if (typeof data === 'string') {
+        if (isAlreadySanitized(data)) {
+            return data;
+        }
+        var sanitized = data;
+        var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+        try {
+            for(var _iterator = SENSITIVE_PATTERNS[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+                var pattern = _step.value;
+                sanitized = sanitized.replace(pattern, function(match, captured) {
+                    if (typeof captured === 'string') {
+                        var redacted = redactValue(captured);
+                        return match.replace(captured, redacted);
+                    }
+                    return match;
+                });
+            }
+        } catch (err) {
+            _didIteratorError = true;
+            _iteratorError = err;
+        } finally{
+            try {
+                if (!_iteratorNormalCompletion && _iterator.return != null) {
+                    _iterator.return();
+                }
+            } finally{
+                if (_didIteratorError) {
+                    throw _iteratorError;
+                }
+            }
+        }
+        return sanitized;
+    }
+    if (Array.isArray(data)) {
+        return data.map(sanitizeData);
+    }
+    if (data && (typeof data === "undefined" ? "undefined" : _type_of(data)) === 'object') {
+        var sanitized1 = {};
+        var _iteratorNormalCompletion1 = true, _didIteratorError1 = false, _iteratorError1 = undefined;
+        try {
+            for(var _iterator1 = Object.entries(data)[Symbol.iterator](), _step1; !(_iteratorNormalCompletion1 = (_step1 = _iterator1.next()).done); _iteratorNormalCompletion1 = true){
+                var _step_value = _sliced_to_array(_step1.value, 2), key = _step_value[0], value = _step_value[1];
+                var lowerKey = key.toLowerCase();
+                if (SENSITIVE_FIELDS.has(lowerKey) || SENSITIVE_FIELDS.has(key)) {
+                    if (typeof value === 'string') {
+                        sanitized1[key] = redactValue(value);
+                    } else {
+                        sanitized1[key] = '[REDACTED]';
+                    }
+                } else {
+                    sanitized1[key] = sanitizeData(value);
+                }
+            }
+        } catch (err) {
+            _didIteratorError1 = true;
+            _iteratorError1 = err;
+        } finally{
+            try {
+                if (!_iteratorNormalCompletion1 && _iterator1.return != null) {
+                    _iterator1.return();
+                }
+            } finally{
+                if (_didIteratorError1) {
+                    throw _iteratorError1;
+                }
+            }
+        }
+        return sanitized1;
+    }
+    return data;
+}
+function sanitizeLogMessage(message) {
+    var maxLength = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : 50000;
+    if (typeof message !== 'string') {
+        return String(message);
+    }
+    // Truncation protection - prevent log poisoning via huge payloads
+    var processedMessage = message;
+    if (processedMessage.length > maxLength) {
+        processedMessage = "".concat(processedMessage.substring(0, maxLength), " [TRUNCATED]");
+    }
+    return processedMessage.normalize('NFKC').replace(/\r\n|\r|\n/g, ' ').replace(/\t/g, ' ')// biome-ignore lint/suspicious/noControlCharactersInRegex: Security sanitization requires control character removal
+    .replace(/[\x00-\x1F\x7F-\x9F]/g, '').replace(/[\u200B-\u200D\uFEFF]/g, '') // Zero-width chars used for obfuscation
+    .trim();
+}
+function sanitizeForLogging(message, meta) {
+    var enableDataSanitization = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : true;
+    var cleanMessage = sanitizeLogMessage(message);
+    if (!enableDataSanitization) {
+        return {
+            message: cleanMessage,
+            meta: meta || {}
+        };
+    }
+    return {
+        message: sanitizeData(cleanMessage),
+        meta: sanitizeData(meta || {})
+    };
+}
+function sanitizeForLoggingFormatter() {
+    return {
+        log: function(obj) {
+            var message = obj.msg || obj.message || '';
+            var _sanitizeForLogging = sanitizeForLogging(message, obj), clean = _sanitizeForLogging.message, meta = _sanitizeForLogging.meta;
+            return _object_spread_props(_object_spread({}, meta), {
+                msg: clean
+            });
+        }
+    };
+}
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/sanitizer.ts"],"sourcesContent":["/**\n * Data sanitization utilities for secure logging.\n * Redacts sensitive OAuth tokens, API keys, and credentials from log output.\n *\n * @example\n * ```typescript\n * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })\n * // { accountId: 'test@example.com', access_token: 'secr****alue' }\n *\n * sanitizeForLogging('Processing token', { token: 'secret_value' })\n * // { message: 'Processing token', meta: { token: 'secr****alue' } }\n * ```\n */\n\n/** Regex patterns for sensitive data that should be redacted from logs */\nconst SENSITIVE_PATTERNS = [\n  // OAuth tokens, codes, and secrets\n  /access_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /(access_token_[a-zA-Z0-9_]+)/gi,\n  /refresh_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /client_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /id_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\bcode['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\bstate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /code_verifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /code_challenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /codeVerifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /codeChallenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /device_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /user_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /verification_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /verification_uri_complete['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Provider credentials and identifiers\n  /app_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /appSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /tenant_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /tenantId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /client_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /clientId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /app_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /appId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /redirect_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /redirectUri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /subscription_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /subscriptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Security secrets and keys\n  /webhook_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /webhookSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /signing_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /signingSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /encryption_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /encryptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /private_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /privateKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /certificate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /cert['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Authorization headers\n  /Authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n  /authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n  /Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n  /Authorization:\\s*Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n  /[A-Z_]+_(SECRET|KEY|TOKEN|PASSWORD)['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Session and CSRF tokens\n  /\\bnonce['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /session[_-]?id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /csrf[_-]?token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Other sensitive patterns\n  /\"email\"\\s*:\\s*\"([^@\"]{1,64}@[^.\"]{1,63}\\.[a-z]{2,6})\"/gi,\n  /api[_-]?key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /password['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\b(ey[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=\\-_]+)/g,\n\n  // Base64 secrets (split into length ranges for practical matching)\n  /\\b([A-Za-z0-9+/]{60,200}={0,2})\\b/g,\n  /\\b([A-Za-z0-9+/]{201,1000}={0,2})\\b/g,\n  /\\b([A-Za-z0-9+/]{1001,5000}={0,2})\\b/g,\n\n  // Connection identifiers\n  /connection[_-]?id['\":\\s]*['\"]\\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]/gi,\n];\n\n/** Field names that should be redacted when found as object keys */\nconst SENSITIVE_FIELDS = new Set([\n  'access_token',\n  'accessToken',\n  'refresh_token',\n  'refreshToken',\n  'client_secret',\n  'clientSecret',\n  'id_token',\n  'idToken',\n  'code',\n  'authorization_code',\n  'authorizationCode',\n  'device_code',\n  'deviceCode',\n  'user_code',\n  'userCode',\n  'verification_uri',\n  'verificationUri',\n  'verification_uri_complete',\n  'verificationUriComplete',\n  'client_id',\n  'clientId',\n  'app_id',\n  'appId',\n  'app_secret',\n  'appSecret',\n  'tenant_id',\n  'tenantId',\n  'bot_id',\n  'botId',\n  'workspace_id',\n  'workspaceId',\n  'organization_id',\n  'organizationId',\n  'redirect_uri',\n  'redirectUri',\n  'audience',\n  'realm',\n  'domain',\n  'webhook_secret',\n  'webhookSecret',\n  'signing_secret',\n  'signingSecret',\n  'subscription_key',\n  'subscriptionKey',\n  'encryption_key',\n  'encryptionKey',\n  'private_key',\n  'privateKey',\n  'certificate',\n  'cert',\n  'stripe-signature',\n  'x-hub-signature',\n  'x-hub-signature-256',\n  'x-slack-signature',\n  'x-mcp-z-webhook-secret',\n  'password',\n  'secret',\n  'token',\n  'authorization',\n  'credential',\n  'auth',\n  'verifier',\n  'challenge',\n  'code_verifier',\n  'codeVerifier',\n  'code_challenge',\n  'codeChallenge',\n  'nonce',\n  'session_id',\n  'sessionId',\n  'csrf_token',\n  'csrfToken',\n  'api_key',\n  'apiKey',\n  'state',\n  'connection_id',\n  'connectionId',\n  'gmail_connection_id',\n  'gmailConnectionId',\n]);\n\nfunction isAlreadySanitized(value: string): boolean {\n  return value.includes('****') || value.includes('[REDACTED]') || value === '[REDACTED]';\n}\n\nfunction redactValue(value: string): string {\n  if (isAlreadySanitized(value)) {\n    return value;\n  }\n\n  if (value.length <= 8) {\n    return '*'.repeat(value.length);\n  }\n\n  // Show first 4 and last 4 characters\n  return `${value.substring(0, 4)}****${value.substring(value.length - 4)}`;\n}\n\nexport function sanitizeData(data: unknown): unknown {\n  if (typeof data === 'string') {\n    if (isAlreadySanitized(data)) {\n      return data;\n    }\n\n    let sanitized = data;\n    for (const pattern of SENSITIVE_PATTERNS) {\n      sanitized = sanitized.replace(pattern, (match, captured) => {\n        if (typeof captured === 'string') {\n          const redacted = redactValue(captured);\n          return match.replace(captured, redacted);\n        }\n        return match;\n      });\n    }\n\n    return sanitized;\n  }\n\n  if (Array.isArray(data)) {\n    return data.map(sanitizeData);\n  }\n\n  if (data && typeof data === 'object') {\n    const sanitized: Record<string, unknown> = {};\n\n    for (const [key, value] of Object.entries(data)) {\n      const lowerKey = key.toLowerCase();\n\n      if (SENSITIVE_FIELDS.has(lowerKey) || SENSITIVE_FIELDS.has(key)) {\n        if (typeof value === 'string') {\n          sanitized[key] = redactValue(value);\n        } else {\n          sanitized[key] = '[REDACTED]';\n        }\n      } else {\n        sanitized[key] = sanitizeData(value);\n      }\n    }\n\n    return sanitized;\n  }\n\n  return data;\n}\n\n/**\n * Prevent log injection attacks by escaping control characters\n * SECURITY: Critical for preventing CRLF injection (OWASP A03)\n */\nexport function sanitizeLogMessage(message: string, maxLength = 50000): string {\n  if (typeof message !== 'string') {\n    return String(message);\n  }\n\n  // Truncation protection - prevent log poisoning via huge payloads\n  let processedMessage = message;\n  if (processedMessage.length > maxLength) {\n    processedMessage = `${processedMessage.substring(0, maxLength)} [TRUNCATED]`;\n  }\n\n  return (\n    processedMessage\n      .normalize('NFKC')\n      .replace(/\\r\\n|\\r|\\n/g, ' ')\n      .replace(/\\t/g, ' ')\n      // biome-ignore lint/suspicious/noControlCharactersInRegex: Security sanitization requires control character removal\n      .replace(/[\\x00-\\x1F\\x7F-\\x9F]/g, '')\n      .replace(/[\\u200B-\\u200D\\uFEFF]/g, '') // Zero-width chars used for obfuscation\n      .trim()\n  );\n}\n\n/**\n * Sanitize log message and metadata for safe logging\n * Applies both CRLF protection and sensitive data redaction\n *\n * @param message - The log message to sanitize\n * @param meta - Optional metadata object to sanitize\n * @param enableDataSanitization - Whether to apply sensitive data redaction (default: true)\n * @returns Sanitized message and metadata ready for logging\n */\nexport function sanitizeForLogging(message: string, meta?: Record<string, unknown>, enableDataSanitization = true): { message: string; meta: Record<string, unknown> } {\n  const cleanMessage = sanitizeLogMessage(message);\n\n  if (!enableDataSanitization) {\n    return {\n      message: cleanMessage,\n      meta: meta || {},\n    };\n  }\n\n  return {\n    message: sanitizeData(cleanMessage) as string,\n    meta: sanitizeData(meta || {}) as Record<string, unknown>,\n  };\n}\n\nexport function sanitizeForLoggingFormatter() {\n  return {\n    log: (obj) => {\n      const message = (obj.msg || obj.message || '') as string;\n      const { message: clean, meta } = sanitizeForLogging(message, obj as Record<string, unknown>);\n      return { ...meta, msg: clean };\n    },\n  };\n}\n"],"names":["sanitizeData","sanitizeForLogging","sanitizeForLoggingFormatter","sanitizeLogMessage","SENSITIVE_PATTERNS","SENSITIVE_FIELDS","Set","isAlreadySanitized","value","includes","redactValue","length","repeat","substring","data","sanitized","pattern","replace","match","captured","redacted","Array","isArray","map","Object","entries","key","lowerKey","toLowerCase","has","message","maxLength","String","processedMessage","normalize","trim","meta","enableDataSanitization","cleanMessage","log","obj","msg","clean"],"mappings":";;;;;;;;;;;QA0LgBA;eAAAA;;QAmFAC;eAAAA;;QAgBAC;eAAAA;;QAhDAC;eAAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA7OhB;;;;;;;;;;;;CAYC,GAED,wEAAwE,GACxE,IAAMC,qBAAqB;IACzB,mCAAmC;IACnC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,uCAAuC;IACvC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,4BAA4B;IAC5B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,wBAAwB;IACxB;IACA;IACA;IACA;IACA;IAEA,0BAA0B;IAC1B;IACA;IACA;IAEA,2BAA2B;IAC3B;IACA;IACA;IACA;IAEA,mEAAmE;IACnE;IACA;IACA;IAEA,yBAAyB;IACzB;CACD;AAED,kEAAkE,GAClE,IAAMC,mBAAmB,IAAIC,IAAI;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;CACD;AAED,SAASC,mBAAmBC,KAAa;IACvC,OAAOA,MAAMC,QAAQ,CAAC,WAAWD,MAAMC,QAAQ,CAAC,iBAAiBD,UAAU;AAC7E;AAEA,SAASE,YAAYF,KAAa;IAChC,IAAID,mBAAmBC,QAAQ;QAC7B,OAAOA;IACT;IAEA,IAAIA,MAAMG,MAAM,IAAI,GAAG;QACrB,OAAO,IAAIC,MAAM,CAACJ,MAAMG,MAAM;IAChC;IAEA,qCAAqC;IACrC,OAAO,AAAC,GAA8BH,OAA5BA,MAAMK,SAAS,CAAC,GAAG,IAAG,QAAwC,OAAlCL,MAAMK,SAAS,CAACL,MAAMG,MAAM,GAAG;AACvE;AAEO,SAASX,aAAac,IAAa;IACxC,IAAI,OAAOA,SAAS,UAAU;QAC5B,IAAIP,mBAAmBO,OAAO;YAC5B,OAAOA;QACT;QAEA,IAAIC,YAAYD;YACX,kCAAA,2BAAA;;YAAL,QAAK,YAAiBV,uCAAjB,SAAA,6BAAA,QAAA,yBAAA,iCAAqC;gBAArC,IAAMY,UAAN;gBACHD,YAAYA,UAAUE,OAAO,CAACD,SAAS,SAACE,OAAOC;oBAC7C,IAAI,OAAOA,aAAa,UAAU;wBAChC,IAAMC,WAAWV,YAAYS;wBAC7B,OAAOD,MAAMD,OAAO,CAACE,UAAUC;oBACjC;oBACA,OAAOF;gBACT;YACF;;YARK;YAAA;;;qBAAA,6BAAA;oBAAA;;;oBAAA;0BAAA;;;;QAUL,OAAOH;IACT;IAEA,IAAIM,MAAMC,OAAO,CAACR,OAAO;QACvB,OAAOA,KAAKS,GAAG,CAACvB;IAClB;IAEA,IAAIc,QAAQ,CAAA,OAAOA,qCAAP,SAAOA,KAAG,MAAM,UAAU;QACpC,IAAMC,aAAqC,CAAC;YAEvC,mCAAA,4BAAA;;YAAL,QAAK,aAAsBS,OAAOC,OAAO,CAACX,0BAArC,UAAA,8BAAA,SAAA,0BAAA,kCAA4C;gBAA5C,mCAAA,kBAAOY,sBAAKlB;gBACf,IAAMmB,WAAWD,IAAIE,WAAW;gBAEhC,IAAIvB,iBAAiBwB,GAAG,CAACF,aAAatB,iBAAiBwB,GAAG,CAACH,MAAM;oBAC/D,IAAI,OAAOlB,UAAU,UAAU;wBAC7BO,UAAS,CAACW,IAAI,GAAGhB,YAAYF;oBAC/B,OAAO;wBACLO,UAAS,CAACW,IAAI,GAAG;oBACnB;gBACF,OAAO;oBACLX,UAAS,CAACW,IAAI,GAAG1B,aAAaQ;gBAChC;YACF;;YAZK;YAAA;;;qBAAA,8BAAA;oBAAA;;;oBAAA;0BAAA;;;;QAcL,OAAOO;IACT;IAEA,OAAOD;AACT;AAMO,SAASX,mBAAmB2B,OAAe;QAAEC,YAAAA,iEAAY;IAC9D,IAAI,OAAOD,YAAY,UAAU;QAC/B,OAAOE,OAAOF;IAChB;IAEA,kEAAkE;IAClE,IAAIG,mBAAmBH;IACvB,IAAIG,iBAAiBtB,MAAM,GAAGoB,WAAW;QACvCE,mBAAmB,AAAC,GAA2C,OAAzCA,iBAAiBpB,SAAS,CAAC,GAAGkB,YAAW;IACjE;IAEA,OACEE,iBACGC,SAAS,CAAC,QACVjB,OAAO,CAAC,eAAe,KACvBA,OAAO,CAAC,OAAO,IAChB,oHAAoH;KACnHA,OAAO,CAAC,yBAAyB,IACjCA,OAAO,CAAC,0BAA0B,IAAI,wCAAwC;KAC9EkB,IAAI;AAEX;AAWO,SAASlC,mBAAmB6B,OAAe,EAAEM,IAA8B;QAAEC,yBAAAA,iEAAyB;IAC3G,IAAMC,eAAenC,mBAAmB2B;IAExC,IAAI,CAACO,wBAAwB;QAC3B,OAAO;YACLP,SAASQ;YACTF,MAAMA,QAAQ,CAAC;QACjB;IACF;IAEA,OAAO;QACLN,SAAS9B,aAAasC;QACtBF,MAAMpC,aAAaoC,QAAQ,CAAC;IAC9B;AACF;AAEO,SAASlC;IACd,OAAO;QACLqC,KAAK,SAACC;YACJ,IAAMV,UAAWU,IAAIC,GAAG,IAAID,IAAIV,OAAO,IAAI;YAC3C,IAAiC7B,sBAAAA,mBAAmB6B,SAASU,MAArDV,AAASY,QAAgBzC,oBAAzB6B,SAAgBM,OAASnC,oBAATmC;YACxB,OAAO,wCAAKA;gBAAMK,KAAKC;;QACzB;IACF;AACF"}

package/dist/cjs/schemas/index.d.cts

@@ -0,0 +1,36 @@
+/**
+ * OAuth-specific schemas and response builders
+ *
+ * Provider-agnostic schemas and utilities for building OAuth auth_required responses.
+ * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.
+ */
+import { z } from 'zod';
+export type { z };
+/**
+ * Authentication required response type
+ */
+export interface AuthRequired {
+    type: 'auth_required';
+    provider: string;
+    message: string;
+    url: string;
+    flow?: string;
+    instructions: string;
+    user_code?: string;
+    expires_in?: number;
+    accountId?: string;
+}
+/**
+ * Zod schema for auth_required responses
+ */
+export declare const AuthRequiredSchema: z.ZodObject<{
+    type: z.ZodLiteral<"auth_required">;
+    provider: z.ZodString;
+    message: z.ZodString;
+    url: z.ZodString;
+    flow: z.ZodOptional<z.ZodString>;
+    instructions: z.ZodString;
+    user_code: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    accountId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;

package/dist/cjs/schemas/index.d.ts

@@ -0,0 +1,36 @@
+/**
+ * OAuth-specific schemas and response builders
+ *
+ * Provider-agnostic schemas and utilities for building OAuth auth_required responses.
+ * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.
+ */
+import { z } from 'zod';
+export type { z };
+/**
+ * Authentication required response type
+ */
+export interface AuthRequired {
+    type: 'auth_required';
+    provider: string;
+    message: string;
+    url: string;
+    flow?: string;
+    instructions: string;
+    user_code?: string;
+    expires_in?: number;
+    accountId?: string;
+}
+/**
+ * Zod schema for auth_required responses
+ */
+export declare const AuthRequiredSchema: z.ZodObject<{
+    type: z.ZodLiteral<"auth_required">;
+    provider: z.ZodString;
+    message: z.ZodString;
+    url: z.ZodString;
+    flow: z.ZodOptional<z.ZodString>;
+    instructions: z.ZodString;
+    user_code: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    accountId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;

package/dist/cjs/schemas/index.js

@@ -0,0 +1,28 @@
+/**
+ * OAuth-specific schemas and response builders
+ *
+ * Provider-agnostic schemas and utilities for building OAuth auth_required responses.
+ * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "AuthRequiredSchema", {
+    enumerable: true,
+    get: function() {
+        return AuthRequiredSchema;
+    }
+});
+var _zod = require("zod");
+var AuthRequiredSchema = _zod.z.object({
+    type: _zod.z.literal('auth_required'),
+    provider: _zod.z.string().describe('OAuth provider name (e.g., "google", "microsoft")'),
+    message: _zod.z.string().describe('Human-readable message explaining why auth is needed'),
+    url: _zod.z.string().url().describe('Authentication URL to open in browser'),
+    flow: _zod.z.string().optional().describe('Authentication flow type (e.g., "auth_url", "device_code")'),
+    instructions: _zod.z.string().describe('Clear instructions for the user'),
+    user_code: _zod.z.string().optional().describe('Code user must enter at verification URL (device flows only)'),
+    expires_in: _zod.z.number().optional().describe('Seconds until code expires (device flows only)'),
+    accountId: _zod.z.string().optional().describe('Account identifier (email) that requires authentication')
+}).describe('Authentication required with clear actionable instructions for user');
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/schemas/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/schemas/index.ts"],"sourcesContent":["/**\n * OAuth-specific schemas and response builders\n *\n * Provider-agnostic schemas and utilities for building OAuth auth_required responses.\n * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.\n */\n\nimport { z } from 'zod';\n\n// Re-export z for use in middleware (MCP requires zod)\nexport type { z };\n\n/**\n * Authentication required response type\n */\nexport interface AuthRequired {\n  type: 'auth_required';\n  provider: string;\n  message: string;\n  url: string;\n  flow?: string;\n  instructions: string;\n  user_code?: string;\n  expires_in?: number;\n  accountId?: string;\n}\n\n/**\n * Zod schema for auth_required responses\n */\nexport const AuthRequiredSchema = z\n  .object({\n    type: z.literal('auth_required'),\n    provider: z.string().describe('OAuth provider name (e.g., \"google\", \"microsoft\")'),\n    message: z.string().describe('Human-readable message explaining why auth is needed'),\n    url: z.string().url().describe('Authentication URL to open in browser'),\n    flow: z.string().optional().describe('Authentication flow type (e.g., \"auth_url\", \"device_code\")'),\n    instructions: z.string().describe('Clear instructions for the user'),\n    user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),\n    expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),\n    accountId: z.string().optional().describe('Account identifier (email) that requires authentication'),\n  })\n  .describe('Authentication required with clear actionable instructions for user');\n"],"names":["AuthRequiredSchema","z","object","type","literal","provider","string","describe","message","url","flow","optional","instructions","user_code","expires_in","number","accountId"],"mappings":"AAAA;;;;;CAKC;;;;+BAyBYA;;;eAAAA;;;mBAvBK;AAuBX,IAAMA,qBAAqBC,MAAC,CAChCC,MAAM,CAAC;IACNC,MAAMF,MAAC,CAACG,OAAO,CAAC;IAChBC,UAAUJ,MAAC,CAACK,MAAM,GAAGC,QAAQ,CAAC;IAC9BC,SAASP,MAAC,CAACK,MAAM,GAAGC,QAAQ,CAAC;IAC7BE,KAAKR,MAAC,CAACK,MAAM,GAAGG,GAAG,GAAGF,QAAQ,CAAC;IAC/BG,MAAMT,MAAC,CAACK,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IACrCK,cAAcX,MAAC,CAACK,MAAM,GAAGC,QAAQ,CAAC;IAClCM,WAAWZ,MAAC,CAACK,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IAC1CO,YAAYb,MAAC,CAACc,MAAM,GAAGJ,QAAQ,GAAGJ,QAAQ,CAAC;IAC3CS,WAAWf,MAAC,CAACK,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;AAC5C,GACCA,QAAQ,CAAC"}

package/dist/cjs/session-auth.d.cts

@@ -0,0 +1,79 @@
+/**
+ * Session-based user authentication for multi-tenant deployments
+ *
+ * Extracts user ID from HTTP session cookies with HMAC signature verification.
+ * Compatible with Express/Connect session middleware patterns.
+ */
+import type { SessionUserAuthConfig, UserAuthProvider } from './types.js';
+/**
+ * Session-based user authentication provider
+ *
+ * Verifies signed session cookies and extracts user IDs.
+ * Use for multi-tenant deployments where users authenticate via web sessions.
+ *
+ * @example
+ * ```typescript
+ * // Multi-tenant server setup with session-based user authentication
+ * const userAuth = new SessionUserAuth({
+ *   sessionSecret: process.env.SESSION_SECRET!,
+ *   cookieName: 'app_session',
+ * });
+ *
+ * // Create OAuth adapters with session-based user identification
+ * const oauthAdapters = await createOAuthAdapters(
+ *   config.transport,
+ *   {
+ *     service: 'gmail',
+ *     clientId: process.env.GOOGLE_CLIENT_ID!,
+ *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ *     scope: GOOGLE_SCOPE,
+ *     auth: 'loopback-oauth',
+ *     headless: false,
+ *     redirectUri: undefined,
+ *   },
+ *   {
+ *     logger,
+ *     tokenStore,
+ *     userAuth, // Session-based user identification for multi-tenant deployments
+ *   }
+ * );
+ *
+ * // Use auth middleware with tools
+ * const { middleware: authMiddleware } = oauthAdapters;
+ * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+ * ```
+ */
+export declare class SessionUserAuth implements UserAuthProvider {
+    private readonly secret;
+    private readonly cookieName;
+    private readonly algorithm;
+    constructor(config: SessionUserAuthConfig);
+    /**
+     * Extract and verify user ID from session cookie
+     *
+     * @param req - HTTP request object with cookie header
+     * @returns User ID from verified session
+     * @throws Error if session missing, invalid, or expired
+     */
+    getUserId(req: unknown): Promise<string>;
+    /**
+     * Parse cookie from header string
+     */
+    private parseCookie;
+    /**
+     * Generate HMAC signature for session data
+     */
+    private sign;
+    /**
+     * Constant-time string comparison to prevent timing attacks
+     */
+    private constantTimeCompare;
+    /**
+     * Helper for creating session cookies (for testing/integration)
+     *
+     * @param userId - User ID to encode in session
+     * @param expiresInMs - Optional expiration time in milliseconds from now
+     * @returns Signed session cookie value
+     */
+    createSessionCookie(userId: string, expiresInMs?: number): string;
+}