@mcp-z/oauth 1.0.0

package/dist/cjs/session-auth.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Session-based user authentication for multi-tenant deployments
+ *
+ * Extracts user ID from HTTP session cookies with HMAC signature verification.
+ * Compatible with Express/Connect session middleware patterns.
+ */
+import type { SessionUserAuthConfig, UserAuthProvider } from './types.js';
+/**
+ * Session-based user authentication provider
+ *
+ * Verifies signed session cookies and extracts user IDs.
+ * Use for multi-tenant deployments where users authenticate via web sessions.
+ *
+ * @example
+ * ```typescript
+ * // Multi-tenant server setup with session-based user authentication
+ * const userAuth = new SessionUserAuth({
+ *   sessionSecret: process.env.SESSION_SECRET!,
+ *   cookieName: 'app_session',
+ * });
+ *
+ * // Create OAuth adapters with session-based user identification
+ * const oauthAdapters = await createOAuthAdapters(
+ *   config.transport,
+ *   {
+ *     service: 'gmail',
+ *     clientId: process.env.GOOGLE_CLIENT_ID!,
+ *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ *     scope: GOOGLE_SCOPE,
+ *     auth: 'loopback-oauth',
+ *     headless: false,
+ *     redirectUri: undefined,
+ *   },
+ *   {
+ *     logger,
+ *     tokenStore,
+ *     userAuth, // Session-based user identification for multi-tenant deployments
+ *   }
+ * );
+ *
+ * // Use auth middleware with tools
+ * const { middleware: authMiddleware } = oauthAdapters;
+ * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+ * ```
+ */
+export declare class SessionUserAuth implements UserAuthProvider {
+    private readonly secret;
+    private readonly cookieName;
+    private readonly algorithm;
+    constructor(config: SessionUserAuthConfig);
+    /**
+     * Extract and verify user ID from session cookie
+     *
+     * @param req - HTTP request object with cookie header
+     * @returns User ID from verified session
+     * @throws Error if session missing, invalid, or expired
+     */
+    getUserId(req: unknown): Promise<string>;
+    /**
+     * Parse cookie from header string
+     */
+    private parseCookie;
+    /**
+     * Generate HMAC signature for session data
+     */
+    private sign;
+    /**
+     * Constant-time string comparison to prevent timing attacks
+     */
+    private constantTimeCompare;
+    /**
+     * Helper for creating session cookies (for testing/integration)
+     *
+     * @param userId - User ID to encode in session
+     * @param expiresInMs - Optional expiration time in milliseconds from now
+     * @returns Signed session cookie value
+     */
+    createSessionCookie(userId: string, expiresInMs?: number): string;
+}

package/dist/cjs/session-auth.js

@@ -0,0 +1,354 @@
+/**
+ * Session-based user authentication for multi-tenant deployments
+ *
+ * Extracts user ID from HTTP session cookies with HMAC signature verification.
+ * Compatible with Express/Connect session middleware patterns.
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "SessionUserAuth", {
+    enumerable: true,
+    get: function() {
+        return SessionUserAuth;
+    }
+});
+var _crypto = require("crypto");
+function _array_like_to_array(arr, len) {
+    if (len == null || len > arr.length) len = arr.length;
+    for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
+    return arr2;
+}
+function _array_with_holes(arr) {
+    if (Array.isArray(arr)) return arr;
+}
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+    try {
+        var info = gen[key](arg);
+        var value = info.value;
+    } catch (error) {
+        reject(error);
+        return;
+    }
+    if (info.done) {
+        resolve(value);
+    } else {
+        Promise.resolve(value).then(_next, _throw);
+    }
+}
+function _async_to_generator(fn) {
+    return function() {
+        var self = this, args = arguments;
+        return new Promise(function(resolve, reject) {
+            var gen = fn.apply(self, args);
+            function _next(value) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+            }
+            function _throw(err) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+            }
+            _next(undefined);
+        });
+    };
+}
+function _class_call_check(instance, Constructor) {
+    if (!(instance instanceof Constructor)) {
+        throw new TypeError("Cannot call a class as a function");
+    }
+}
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _iterable_to_array(iter) {
+    if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
+}
+function _iterable_to_array_limit(arr, i) {
+    var _i = arr == null ? null : typeof Symbol !== "undefined" && arr[Symbol.iterator] || arr["@@iterator"];
+    if (_i == null) return;
+    var _arr = [];
+    var _n = true;
+    var _d = false;
+    var _s, _e;
+    try {
+        for(_i = _i.call(arr); !(_n = (_s = _i.next()).done); _n = true){
+            _arr.push(_s.value);
+            if (i && _arr.length === i) break;
+        }
+    } catch (err) {
+        _d = true;
+        _e = err;
+    } finally{
+        try {
+            if (!_n && _i["return"] != null) _i["return"]();
+        } finally{
+            if (_d) throw _e;
+        }
+    }
+    return _arr;
+}
+function _non_iterable_rest() {
+    throw new TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+function _object_spread(target) {
+    for(var i = 1; i < arguments.length; i++){
+        var source = arguments[i] != null ? arguments[i] : {};
+        var ownKeys = Object.keys(source);
+        if (typeof Object.getOwnPropertySymbols === "function") {
+            ownKeys = ownKeys.concat(Object.getOwnPropertySymbols(source).filter(function(sym) {
+                return Object.getOwnPropertyDescriptor(source, sym).enumerable;
+            }));
+        }
+        ownKeys.forEach(function(key) {
+            _define_property(target, key, source[key]);
+        });
+    }
+    return target;
+}
+function _sliced_to_array(arr, i) {
+    return _array_with_holes(arr) || _iterable_to_array_limit(arr, i) || _unsupported_iterable_to_array(arr, i) || _non_iterable_rest();
+}
+function _to_array(arr) {
+    return _array_with_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_rest();
+}
+function _unsupported_iterable_to_array(o, minLen) {
+    if (!o) return;
+    if (typeof o === "string") return _array_like_to_array(o, minLen);
+    var n = Object.prototype.toString.call(o).slice(8, -1);
+    if (n === "Object" && o.constructor) n = o.constructor.name;
+    if (n === "Map" || n === "Set") return Array.from(n);
+    if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+}
+function _ts_generator(thisArg, body) {
+    var f, y, t, _ = {
+        label: 0,
+        sent: function() {
+            if (t[0] & 1) throw t[1];
+            return t[1];
+        },
+        trys: [],
+        ops: []
+    }, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype), d = Object.defineProperty;
+    return d(g, "next", {
+        value: verb(0)
+    }), d(g, "throw", {
+        value: verb(1)
+    }), d(g, "return", {
+        value: verb(2)
+    }), typeof Symbol === "function" && d(g, Symbol.iterator, {
+        value: function() {
+            return this;
+        }
+    }), g;
+    function verb(n) {
+        return function(v) {
+            return step([
+                n,
+                v
+            ]);
+        };
+    }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while(g && (g = 0, op[0] && (_ = 0)), _)try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [
+                op[0] & 2,
+                t.value
+            ];
+            switch(op[0]){
+                case 0:
+                case 1:
+                    t = op;
+                    break;
+                case 4:
+                    _.label++;
+                    return {
+                        value: op[1],
+                        done: false
+                    };
+                case 5:
+                    _.label++;
+                    y = op[1];
+                    op = [
+                        0
+                    ];
+                    continue;
+                case 7:
+                    op = _.ops.pop();
+                    _.trys.pop();
+                    continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+                        _ = 0;
+                        continue;
+                    }
+                    if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+                        _.label = op[1];
+                        break;
+                    }
+                    if (op[0] === 6 && _.label < t[1]) {
+                        _.label = t[1];
+                        t = op;
+                        break;
+                    }
+                    if (t && _.label < t[2]) {
+                        _.label = t[2];
+                        _.ops.push(op);
+                        break;
+                    }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop();
+                    continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) {
+            op = [
+                6,
+                e
+            ];
+            y = 0;
+        } finally{
+            f = t = 0;
+        }
+        if (op[0] & 5) throw op[1];
+        return {
+            value: op[0] ? op[1] : void 0,
+            done: true
+        };
+    }
+}
+var SessionUserAuth = /*#__PURE__*/ function() {
+    "use strict";
+    function SessionUserAuth(config) {
+        _class_call_check(this, SessionUserAuth);
+        var _config_cookieName, _config_algorithm;
+        if (!config.sessionSecret || config.sessionSecret.length < 32) {
+            throw new Error('SessionUserAuth: sessionSecret must be at least 32 characters');
+        }
+        this.secret = config.sessionSecret;
+        this.cookieName = (_config_cookieName = config.cookieName) !== null && _config_cookieName !== void 0 ? _config_cookieName : 'session';
+        this.algorithm = (_config_algorithm = config.algorithm) !== null && _config_algorithm !== void 0 ? _config_algorithm : 'sha256';
+    }
+    var _proto = SessionUserAuth.prototype;
+    /**
+   * Extract and verify user ID from session cookie
+   *
+   * @param req - HTTP request object with cookie header
+   * @returns User ID from verified session
+   * @throws Error if session missing, invalid, or expired
+   */ _proto.getUserId = function getUserId(req) {
+        return _async_to_generator(function() {
+            var _httpReq_headers, httpReq, cookieHeader, sessionCookie, parts, _parts, dataB64, signature, expectedSignature, sessionData, dataJson;
+            return _ts_generator(this, function(_state) {
+                httpReq = req;
+                cookieHeader = (_httpReq_headers = httpReq.headers) === null || _httpReq_headers === void 0 ? void 0 : _httpReq_headers.cookie;
+                if (!cookieHeader) {
+                    throw new Error('SessionUserAuth: No cookie header found');
+                }
+                sessionCookie = this.parseCookie(cookieHeader, this.cookieName);
+                if (!sessionCookie) {
+                    throw new Error("SessionUserAuth: Session cookie '".concat(this.cookieName, "' not found"));
+                }
+                // Format: base64(data).signature
+                parts = sessionCookie.split('.');
+                if (parts.length !== 2) {
+                    throw new Error('SessionUserAuth: Invalid session format (expected data.signature)');
+                }
+                _parts = _sliced_to_array(parts, 2), dataB64 = _parts[0], signature = _parts[1];
+                expectedSignature = this.sign(dataB64);
+                if (!this.constantTimeCompare(signature, expectedSignature)) {
+                    throw new Error('SessionUserAuth: Invalid session signature');
+                }
+                try {
+                    dataJson = Buffer.from(dataB64, 'base64').toString('utf8');
+                    sessionData = JSON.parse(dataJson);
+                } catch (unused) {
+                    throw new Error('SessionUserAuth: Invalid session data encoding');
+                }
+                if (sessionData.exp !== undefined && Date.now() > sessionData.exp) {
+                    throw new Error('SessionUserAuth: Session expired');
+                }
+                if (!sessionData.userId || typeof sessionData.userId !== 'string') {
+                    throw new Error('SessionUserAuth: Session missing userId field');
+                }
+                return [
+                    2,
+                    sessionData.userId
+                ];
+            });
+        }).call(this);
+    };
+    /**
+   * Parse cookie from header string
+   */ _proto.parseCookie = function parseCookie(cookieHeader, name) {
+        var cookies = cookieHeader.split(';');
+        var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+        try {
+            for(var _iterator = cookies[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+                var cookie = _step.value;
+                var _cookie_trim_split = _to_array(cookie.trim().split('=')), key = _cookie_trim_split[0], valueParts = _cookie_trim_split.slice(1);
+                if (key === name) {
+                    return valueParts.join('='); // Handle values with = in them
+                }
+            }
+        } catch (err) {
+            _didIteratorError = true;
+            _iteratorError = err;
+        } finally{
+            try {
+                if (!_iteratorNormalCompletion && _iterator.return != null) {
+                    _iterator.return();
+                }
+            } finally{
+                if (_didIteratorError) {
+                    throw _iteratorError;
+                }
+            }
+        }
+        return null;
+    };
+    /**
+   * Generate HMAC signature for session data
+   */ _proto.sign = function sign(data) {
+        return (0, _crypto.createHmac)(this.algorithm, this.secret).update(data).digest('hex');
+    };
+    /**
+   * Constant-time string comparison to prevent timing attacks
+   */ _proto.constantTimeCompare = function constantTimeCompare(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+        var bufA = Buffer.from(a);
+        var bufB = Buffer.from(b);
+        return (0, _crypto.timingSafeEqual)(bufA, bufB);
+    };
+    /**
+   * Helper for creating session cookies (for testing/integration)
+   *
+   * @param userId - User ID to encode in session
+   * @param expiresInMs - Optional expiration time in milliseconds from now
+   * @returns Signed session cookie value
+   */ _proto.createSessionCookie = function createSessionCookie(userId, expiresInMs) {
+        var sessionData = _object_spread({
+            userId: userId
+        }, expiresInMs !== undefined && {
+            exp: Date.now() + expiresInMs
+        });
+        var dataJson = JSON.stringify(sessionData);
+        var dataB64 = Buffer.from(dataJson).toString('base64');
+        var signature = this.sign(dataB64);
+        return "".concat(dataB64, ".").concat(signature);
+    };
+    return SessionUserAuth;
+}();
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/session-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/session-auth.ts"],"sourcesContent":["/**\n * Session-based user authentication for multi-tenant deployments\n *\n * Extracts user ID from HTTP session cookies with HMAC signature verification.\n * Compatible with Express/Connect session middleware patterns.\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\nimport type { SessionUserAuthConfig, UserAuthProvider } from './types.ts';\n\n/**\n * HTTP request interface (subset needed for session auth)\n */\ninterface HttpRequest {\n  headers?: {\n    cookie?: string;\n  };\n}\n\n/**\n * Session cookie structure\n */\ninterface SessionData {\n  userId: string;\n  exp?: number; // Optional expiration timestamp (ms)\n}\n\n/**\n * Session-based user authentication provider\n *\n * Verifies signed session cookies and extracts user IDs.\n * Use for multi-tenant deployments where users authenticate via web sessions.\n *\n * @example\n * ```typescript\n * // Multi-tenant server setup with session-based user authentication\n * const userAuth = new SessionUserAuth({\n *   sessionSecret: process.env.SESSION_SECRET!,\n *   cookieName: 'app_session',\n * });\n *\n * // Create OAuth adapters with session-based user identification\n * const oauthAdapters = await createOAuthAdapters(\n *   config.transport,\n *   {\n *     service: 'gmail',\n *     clientId: process.env.GOOGLE_CLIENT_ID!,\n *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n *     scope: GOOGLE_SCOPE,\n *     auth: 'loopback-oauth',\n *     headless: false,\n *     redirectUri: undefined,\n *   },\n *   {\n *     logger,\n *     tokenStore,\n *     userAuth, // Session-based user identification for multi-tenant deployments\n *   }\n * );\n *\n * // Use auth middleware with tools\n * const { middleware: authMiddleware } = oauthAdapters;\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * ```\n */\nexport class SessionUserAuth implements UserAuthProvider {\n  private readonly secret: string;\n  private readonly cookieName: string;\n  private readonly algorithm: 'sha256' | 'sha512';\n\n  constructor(config: SessionUserAuthConfig) {\n    if (!config.sessionSecret || config.sessionSecret.length < 32) {\n      throw new Error('SessionUserAuth: sessionSecret must be at least 32 characters');\n    }\n\n    this.secret = config.sessionSecret;\n    this.cookieName = config.cookieName ?? 'session';\n    this.algorithm = config.algorithm ?? 'sha256';\n  }\n\n  /**\n   * Extract and verify user ID from session cookie\n   *\n   * @param req - HTTP request object with cookie header\n   * @returns User ID from verified session\n   * @throws Error if session missing, invalid, or expired\n   */\n  async getUserId(req: unknown): Promise<string> {\n    const httpReq = req as HttpRequest;\n\n    const cookieHeader = httpReq.headers?.cookie;\n    if (!cookieHeader) {\n      throw new Error('SessionUserAuth: No cookie header found');\n    }\n\n    const sessionCookie = this.parseCookie(cookieHeader, this.cookieName);\n    if (!sessionCookie) {\n      throw new Error(`SessionUserAuth: Session cookie '${this.cookieName}' not found`);\n    }\n\n    // Format: base64(data).signature\n    const parts = sessionCookie.split('.');\n    if (parts.length !== 2) {\n      throw new Error('SessionUserAuth: Invalid session format (expected data.signature)');\n    }\n\n    const [dataB64, signature] = parts as [string, string];\n\n    const expectedSignature = this.sign(dataB64);\n    if (!this.constantTimeCompare(signature, expectedSignature)) {\n      throw new Error('SessionUserAuth: Invalid session signature');\n    }\n\n    let sessionData: SessionData;\n    try {\n      const dataJson = Buffer.from(dataB64, 'base64').toString('utf8');\n      sessionData = JSON.parse(dataJson) as SessionData;\n    } catch {\n      throw new Error('SessionUserAuth: Invalid session data encoding');\n    }\n\n    if (sessionData.exp !== undefined && Date.now() > sessionData.exp) {\n      throw new Error('SessionUserAuth: Session expired');\n    }\n\n    if (!sessionData.userId || typeof sessionData.userId !== 'string') {\n      throw new Error('SessionUserAuth: Session missing userId field');\n    }\n\n    return sessionData.userId;\n  }\n\n  /**\n   * Parse cookie from header string\n   */\n  private parseCookie(cookieHeader: string, name: string): string | null {\n    const cookies = cookieHeader.split(';');\n    for (const cookie of cookies) {\n      const [key, ...valueParts] = cookie.trim().split('=');\n      if (key === name) {\n        return valueParts.join('='); // Handle values with = in them\n      }\n    }\n    return null;\n  }\n\n  /**\n   * Generate HMAC signature for session data\n   */\n  private sign(data: string): string {\n    return createHmac(this.algorithm, this.secret).update(data).digest('hex');\n  }\n\n  /**\n   * Constant-time string comparison to prevent timing attacks\n   */\n  private constantTimeCompare(a: string, b: string): boolean {\n    if (a.length !== b.length) {\n      return false;\n    }\n\n    const bufA = Buffer.from(a);\n    const bufB = Buffer.from(b);\n\n    return timingSafeEqual(bufA, bufB);\n  }\n\n  /**\n   * Helper for creating session cookies (for testing/integration)\n   *\n   * @param userId - User ID to encode in session\n   * @param expiresInMs - Optional expiration time in milliseconds from now\n   * @returns Signed session cookie value\n   */\n  createSessionCookie(userId: string, expiresInMs?: number): string {\n    const sessionData: SessionData = {\n      userId,\n      ...(expiresInMs !== undefined && { exp: Date.now() + expiresInMs }),\n    };\n\n    const dataJson = JSON.stringify(sessionData);\n    const dataB64 = Buffer.from(dataJson).toString('base64');\n    const signature = this.sign(dataB64);\n\n    return `${dataB64}.${signature}`;\n  }\n}\n"],"names":["SessionUserAuth","config","sessionSecret","length","Error","secret","cookieName","algorithm","getUserId","req","httpReq","cookieHeader","sessionCookie","parts","dataB64","signature","expectedSignature","sessionData","dataJson","headers","cookie","parseCookie","split","sign","constantTimeCompare","Buffer","from","toString","JSON","parse","exp","undefined","Date","now","userId","name","cookies","trim","key","valueParts","join","data","createHmac","update","digest","a","b","bufA","bufB","timingSafeEqual","createSessionCookie","expiresInMs","stringify"],"mappings":"AAAA;;;;;CAKC;;;;+BA4DYA;;;eAAAA;;;sBA1D+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DrC,IAAA,AAAMA,gCAAN;;aAAMA,gBAKCC,MAA6B;gCAL9BD;YAWSC,oBACDA;QANjB,IAAI,CAACA,OAAOC,aAAa,IAAID,OAAOC,aAAa,CAACC,MAAM,GAAG,IAAI;YAC7D,MAAM,IAAIC,MAAM;QAClB;QAEA,IAAI,CAACC,MAAM,GAAGJ,OAAOC,aAAa;QAClC,IAAI,CAACI,UAAU,IAAGL,qBAAAA,OAAOK,UAAU,cAAjBL,gCAAAA,qBAAqB;QACvC,IAAI,CAACM,SAAS,IAAGN,oBAAAA,OAAOM,SAAS,cAAhBN,+BAAAA,oBAAoB;;iBAZ5BD;IAeX;;;;;;GAMC,GACD,OAAMQ,SA2CL,GA3CD,SAAMA,UAAUC,GAAY;;gBAGLC,kBAFfA,SAEAC,cAKAC,eAMAC,OAKuBA,QAAtBC,SAASC,WAEVC,mBAKFC,aAEIC;;gBA3BFR,UAAUD;gBAEVE,gBAAeD,mBAAAA,QAAQS,OAAO,cAAfT,uCAAAA,iBAAiBU,MAAM;gBAC5C,IAAI,CAACT,cAAc;oBACjB,MAAM,IAAIP,MAAM;gBAClB;gBAEMQ,gBAAgB,IAAI,CAACS,WAAW,CAACV,cAAc,IAAI,CAACL,UAAU;gBACpE,IAAI,CAACM,eAAe;oBAClB,MAAM,IAAIR,MAAM,AAAC,oCAAmD,OAAhB,IAAI,CAACE,UAAU,EAAC;gBACtE;gBAEA,iCAAiC;gBAC3BO,QAAQD,cAAcU,KAAK,CAAC;gBAClC,IAAIT,MAAMV,MAAM,KAAK,GAAG;oBACtB,MAAM,IAAIC,MAAM;gBAClB;gBAE6BS,0BAAAA,WAAtBC,UAAsBD,WAAbE,YAAaF;gBAEvBG,oBAAoB,IAAI,CAACO,IAAI,CAACT;gBACpC,IAAI,CAAC,IAAI,CAACU,mBAAmB,CAACT,WAAWC,oBAAoB;oBAC3D,MAAM,IAAIZ,MAAM;gBAClB;gBAGA,IAAI;oBACIc,WAAWO,OAAOC,IAAI,CAACZ,SAAS,UAAUa,QAAQ,CAAC;oBACzDV,cAAcW,KAAKC,KAAK,CAACX;gBAC3B,EAAE,eAAM;oBACN,MAAM,IAAId,MAAM;gBAClB;gBAEA,IAAIa,YAAYa,GAAG,KAAKC,aAAaC,KAAKC,GAAG,KAAKhB,YAAYa,GAAG,EAAE;oBACjE,MAAM,IAAI1B,MAAM;gBAClB;gBAEA,IAAI,CAACa,YAAYiB,MAAM,IAAI,OAAOjB,YAAYiB,MAAM,KAAK,UAAU;oBACjE,MAAM,IAAI9B,MAAM;gBAClB;gBAEA;;oBAAOa,YAAYiB,MAAM;;;QAC3B;;IAEA;;GAEC,GACD,OAAQb,WASP,GATD,SAAQA,YAAYV,YAAoB,EAAEwB,IAAY;QACpD,IAAMC,UAAUzB,aAAaW,KAAK,CAAC;YAC9B,kCAAA,2BAAA;;YAAL,QAAK,YAAgBc,4BAAhB,SAAA,6BAAA,QAAA,yBAAA,iCAAyB;gBAAzB,IAAMhB,SAAN;gBACH,IAA6BA,+BAAAA,OAAOiB,IAAI,GAAGf,KAAK,CAAC,OAA1CgB,MAAsBlB,uBAAjB,AAAGmB,aAAcnB,yBAAjB;gBACZ,IAAIkB,QAAQH,MAAM;oBAChB,OAAOI,WAAWC,IAAI,CAAC,MAAM,+BAA+B;gBAC9D;YACF;;YALK;YAAA;;;qBAAA,6BAAA;oBAAA;;;oBAAA;0BAAA;;;;QAML,OAAO;IACT;IAEA;;GAEC,GACD,OAAQjB,IAEP,GAFD,SAAQA,KAAKkB,IAAY;QACvB,OAAOC,IAAAA,kBAAU,EAAC,IAAI,CAACnC,SAAS,EAAE,IAAI,CAACF,MAAM,EAAEsC,MAAM,CAACF,MAAMG,MAAM,CAAC;IACrE;IAEA;;GAEC,GACD,OAAQpB,mBASP,GATD,SAAQA,oBAAoBqB,CAAS,EAAEC,CAAS;QAC9C,IAAID,EAAE1C,MAAM,KAAK2C,EAAE3C,MAAM,EAAE;YACzB,OAAO;QACT;QAEA,IAAM4C,OAAOtB,OAAOC,IAAI,CAACmB;QACzB,IAAMG,OAAOvB,OAAOC,IAAI,CAACoB;QAEzB,OAAOG,IAAAA,uBAAe,EAACF,MAAMC;IAC/B;IAEA;;;;;;GAMC,GACDE,OAAAA,mBAWC,GAXDA,SAAAA,oBAAoBhB,MAAc,EAAEiB,WAAoB;QACtD,IAAMlC,cAA2B;YAC/BiB,QAAAA;WACIiB,gBAAgBpB,aAAa;YAAED,KAAKE,KAAKC,GAAG,KAAKkB;QAAY;QAGnE,IAAMjC,WAAWU,KAAKwB,SAAS,CAACnC;QAChC,IAAMH,UAAUW,OAAOC,IAAI,CAACR,UAAUS,QAAQ,CAAC;QAC/C,IAAMZ,YAAY,IAAI,CAACQ,IAAI,CAACT;QAE5B,OAAO,AAAC,GAAaC,OAAXD,SAAQ,KAAa,OAAVC;IACvB;WAxHWf"}

package/dist/cjs/templates.d.cts

@@ -0,0 +1,18 @@
+/**
+ * HTML templates for OAuth callback pages
+ *
+ * These templates are shown in the browser after OAuth authorization
+ * for loopback OAuth flows (RFC 8252).
+ */
+/**
+ * HTML template for successful OAuth authorization
+ */
+export declare function getSuccessTemplate(): string;
+/**
+ * HTML template for OAuth error
+ */
+export declare function getErrorTemplate(error: string): string;
+/**
+ * Escape HTML special characters to prevent XSS
+ */
+export declare function escapeHtml(unsafe: string): string;

package/dist/cjs/templates.d.ts

@@ -0,0 +1,18 @@
+/**
+ * HTML templates for OAuth callback pages
+ *
+ * These templates are shown in the browser after OAuth authorization
+ * for loopback OAuth flows (RFC 8252).
+ */
+/**
+ * HTML template for successful OAuth authorization
+ */
+export declare function getSuccessTemplate(): string;
+/**
+ * HTML template for OAuth error
+ */
+export declare function getErrorTemplate(error: string): string;
+/**
+ * Escape HTML special characters to prevent XSS
+ */
+export declare function escapeHtml(unsafe: string): string;

package/dist/cjs/templates.js

@@ -0,0 +1,38 @@
+/**
+ * HTML templates for OAuth callback pages
+ *
+ * These templates are shown in the browser after OAuth authorization
+ * for loopback OAuth flows (RFC 8252).
+ */ /**
+ * HTML template for successful OAuth authorization
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get escapeHtml () {
+        return escapeHtml;
+    },
+    get getErrorTemplate () {
+        return getErrorTemplate;
+    },
+    get getSuccessTemplate () {
+        return getSuccessTemplate;
+    }
+});
+function getSuccessTemplate() {
+    return '\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset="utf-8">\n  <title>Authorization Successful</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #e8ebf7 0%, #ede9f2 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class="container">\n    <div class="icon">✅</div>\n    <h1>Authorization Successful!</h1>\n    <p>You can close this window and return to your terminal.</p>\n  </div>\n  <script>\n    // Auto-close after 3 seconds\n    setTimeout(() => {\n      window.close();\n    }, 3000);\n  </script>\n</body>\n</html>\n  '.trim();
+}
+function getErrorTemplate(error) {
+    return '\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset="utf-8">\n  <title>Authorization Failed</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #fce9f7 0%, #faebed 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .error {\n      background: #fed7d7;\n      color: #9b2c2c;\n      padding: 0.75rem;\n      border-radius: 0.5rem;\n      margin-top: 1rem;\n      font-family: monospace;\n      font-size: 0.875rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class="container">\n    <div class="icon">❌</div>\n    <h1>Authorization Failed</h1>\n    <p>Please try again from your terminal.</p>\n    <div class="error">'.concat(escapeHtml(error), "</div>\n  </div>\n</body>\n</html>\n  ").trim();
+}
+function escapeHtml(unsafe) {
+    return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
+}
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/templates.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/templates.ts"],"sourcesContent":["/**\n * HTML templates for OAuth callback pages\n *\n * These templates are shown in the browser after OAuth authorization\n * for loopback OAuth flows (RFC 8252).\n */\n\n/**\n * HTML template for successful OAuth authorization\n */\nexport function getSuccessTemplate(): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Successful</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #e8ebf7 0%, #ede9f2 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">✅</div>\n    <h1>Authorization Successful!</h1>\n    <p>You can close this window and return to your terminal.</p>\n  </div>\n  <script>\n    // Auto-close after 3 seconds\n    setTimeout(() => {\n      window.close();\n    }, 3000);\n  </script>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * HTML template for OAuth error\n */\nexport function getErrorTemplate(error: string): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Failed</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #fce9f7 0%, #faebed 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .error {\n      background: #fed7d7;\n      color: #9b2c2c;\n      padding: 0.75rem;\n      border-radius: 0.5rem;\n      margin-top: 1rem;\n      font-family: monospace;\n      font-size: 0.875rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">❌</div>\n    <h1>Authorization Failed</h1>\n    <p>Please try again from your terminal.</p>\n    <div class=\"error\">${escapeHtml(error)}</div>\n  </div>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * Escape HTML special characters to prevent XSS\n */\nexport function escapeHtml(unsafe: string): string {\n  return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/\"/g, '&quot;').replace(/'/g, '&#039;');\n}\n"],"names":["escapeHtml","getErrorTemplate","getSuccessTemplate","trim","error","unsafe","replace"],"mappings":"AAAA;;;;;CAKC,GAED;;CAEC;;;;;;;;;;;QA+HeA;eAAAA;;QAjEAC;eAAAA;;QA7DAC;eAAAA;;;AAAT,SAASA;IACd,OAAO,yuCAsDLC,IAAI;AACR;AAKO,SAASF,iBAAiBG,KAAa;IAC5C,OAAO,AAAC,gyCAsDiC,OAAlBJ,WAAWI,QAAO,0CAIvCD,IAAI;AACR;AAKO,SAASH,WAAWK,MAAc;IACvC,OAAOA,OAAOC,OAAO,CAAC,MAAM,SAASA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,UAAUA,OAAO,CAAC,MAAM;AACzH"}