npm - @mcp-z/oauth - Versions diffs - 1.0.0 - Mend

@mcp-z/oauth 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

package/LICENSE +21 -0
package/README.md +71 -0
package/dist/cjs/account-utils.d.cts +107 -0
package/dist/cjs/account-utils.d.ts +107 -0
package/dist/cjs/account-utils.js +481 -0
package/dist/cjs/account-utils.js.map +1 -0
package/dist/cjs/index.d.cts +19 -0
package/dist/cjs/index.d.ts +19 -0
package/dist/cjs/index.js +149 -0
package/dist/cjs/index.js.map +1 -0
package/dist/cjs/jwt-auth.d.cts +53 -0
package/dist/cjs/jwt-auth.d.ts +53 -0
package/dist/cjs/jwt-auth.js +417 -0
package/dist/cjs/jwt-auth.js.map +1 -0
package/dist/cjs/key-utils.d.cts +131 -0
package/dist/cjs/key-utils.d.ts +131 -0
package/dist/cjs/key-utils.js +421 -0
package/dist/cjs/key-utils.js.map +1 -0
package/dist/cjs/lib/account-server/index.d.cts +45 -0
package/dist/cjs/lib/account-server/index.d.ts +45 -0
package/dist/cjs/lib/account-server/index.js +67 -0
package/dist/cjs/lib/account-server/index.js.map +1 -0
package/dist/cjs/lib/account-server/loopback.d.cts +22 -0
package/dist/cjs/lib/account-server/loopback.d.ts +22 -0
package/dist/cjs/lib/account-server/loopback.js +778 -0
package/dist/cjs/lib/account-server/loopback.js.map +1 -0
package/dist/cjs/lib/account-server/me.d.cts +23 -0
package/dist/cjs/lib/account-server/me.d.ts +23 -0
package/dist/cjs/lib/account-server/me.js +412 -0
package/dist/cjs/lib/account-server/me.js.map +1 -0
package/dist/cjs/lib/account-server/shared-utils.d.cts +6 -0
package/dist/cjs/lib/account-server/shared-utils.d.ts +6 -0
package/dist/cjs/lib/account-server/shared-utils.js +235 -0
package/dist/cjs/lib/account-server/shared-utils.js.map +1 -0
package/dist/cjs/lib/account-server/stateless.d.cts +20 -0
package/dist/cjs/lib/account-server/stateless.d.ts +20 -0
package/dist/cjs/lib/account-server/stateless.js +32 -0
package/dist/cjs/lib/account-server/stateless.js.map +1 -0
package/dist/cjs/lib/account-server/types.d.cts +32 -0
package/dist/cjs/lib/account-server/types.d.ts +32 -0
package/dist/cjs/lib/account-server/types.js +7 -0
package/dist/cjs/lib/account-server/types.js.map +1 -0
package/dist/cjs/lib/dcr-types.d.cts +126 -0
package/dist/cjs/lib/dcr-types.d.ts +126 -0
package/dist/cjs/lib/dcr-types.js +12 -0
package/dist/cjs/lib/dcr-types.js.map +1 -0
package/dist/cjs/lib/rfc-metadata-types.d.cts +46 -0
package/dist/cjs/lib/rfc-metadata-types.d.ts +46 -0
package/dist/cjs/lib/rfc-metadata-types.js +8 -0
package/dist/cjs/lib/rfc-metadata-types.js.map +1 -0
package/dist/cjs/package.json +1 -0
package/dist/cjs/pkce.d.cts +36 -0
package/dist/cjs/pkce.d.ts +36 -0
package/dist/cjs/pkce.js +25 -0
package/dist/cjs/pkce.js.map +1 -0
package/dist/cjs/sanitizer.d.cts +37 -0
package/dist/cjs/sanitizer.d.ts +37 -0
package/dist/cjs/sanitizer.js +407 -0
package/dist/cjs/sanitizer.js.map +1 -0
package/dist/cjs/schemas/index.d.cts +36 -0
package/dist/cjs/schemas/index.d.ts +36 -0
package/dist/cjs/schemas/index.js +28 -0
package/dist/cjs/schemas/index.js.map +1 -0
package/dist/cjs/session-auth.d.cts +79 -0
package/dist/cjs/session-auth.d.ts +79 -0
package/dist/cjs/session-auth.js +354 -0
package/dist/cjs/session-auth.js.map +1 -0
package/dist/cjs/templates.d.cts +18 -0
package/dist/cjs/templates.d.ts +18 -0
package/dist/cjs/templates.js +38 -0
package/dist/cjs/templates.js.map +1 -0
package/dist/cjs/types.d.cts +343 -0
package/dist/cjs/types.d.ts +343 -0
package/dist/cjs/types.js +210 -0
package/dist/cjs/types.js.map +1 -0
package/dist/esm/account-utils.d.ts +107 -0
package/dist/esm/account-utils.js +179 -0
package/dist/esm/account-utils.js.map +1 -0
package/dist/esm/index.d.ts +19 -0
package/dist/esm/index.js +23 -0
package/dist/esm/index.js.map +1 -0
package/dist/esm/jwt-auth.d.ts +53 -0
package/dist/esm/jwt-auth.js +164 -0
package/dist/esm/jwt-auth.js.map +1 -0
package/dist/esm/key-utils.d.ts +131 -0
package/dist/esm/key-utils.js +143 -0
package/dist/esm/key-utils.js.map +1 -0
package/dist/esm/lib/account-server/index.d.ts +45 -0
package/dist/esm/lib/account-server/index.js +41 -0
package/dist/esm/lib/account-server/index.js.map +1 -0
package/dist/esm/lib/account-server/loopback.d.ts +22 -0
package/dist/esm/lib/account-server/loopback.js +372 -0
package/dist/esm/lib/account-server/loopback.js.map +1 -0
package/dist/esm/lib/account-server/me.d.ts +23 -0
package/dist/esm/lib/account-server/me.js +170 -0
package/dist/esm/lib/account-server/me.js.map +1 -0
package/dist/esm/lib/account-server/shared-utils.d.ts +6 -0
package/dist/esm/lib/account-server/shared-utils.js +24 -0
package/dist/esm/lib/account-server/shared-utils.js.map +1 -0
package/dist/esm/lib/account-server/stateless.d.ts +20 -0
package/dist/esm/lib/account-server/stateless.js +25 -0
package/dist/esm/lib/account-server/stateless.js.map +1 -0
package/dist/esm/lib/account-server/types.d.ts +32 -0
package/dist/esm/lib/account-server/types.js +6 -0
package/dist/esm/lib/account-server/types.js.map +1 -0
package/dist/esm/lib/dcr-types.d.ts +126 -0
package/dist/esm/lib/dcr-types.js +13 -0
package/dist/esm/lib/dcr-types.js.map +1 -0
package/dist/esm/lib/rfc-metadata-types.d.ts +46 -0
package/dist/esm/lib/rfc-metadata-types.js +7 -0
package/dist/esm/lib/rfc-metadata-types.js.map +1 -0
package/dist/esm/package.json +1 -0
package/dist/esm/pkce.d.ts +36 -0
package/dist/esm/pkce.js +33 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/sanitizer.d.ts +37 -0
package/dist/esm/sanitizer.js +256 -0
package/dist/esm/sanitizer.js.map +1 -0
package/dist/esm/schemas/index.d.ts +36 -0
package/dist/esm/schemas/index.js +19 -0
package/dist/esm/schemas/index.js.map +1 -0
package/dist/esm/session-auth.d.ts +79 -0
package/dist/esm/session-auth.js +141 -0
package/dist/esm/session-auth.js.map +1 -0
package/dist/esm/templates.d.ts +18 -0
package/dist/esm/templates.js +132 -0
package/dist/esm/templates.js.map +1 -0
package/dist/esm/types.d.ts +343 -0
package/dist/esm/types.js +34 -0
package/dist/esm/types.js.map +1 -0
package/package.json +82 -0

package/dist/esm/lib/account-server/shared-utils.js ADDED Viewed

@@ -0,0 +1,24 @@
+import { getAccountInfo, getLinkedAccounts } from '../../account-utils.js';
+/**
+ * Find account ID by email or alias lookup.
+ * Returns accountId if found, otherwise null.
+ */ export async function findAccountByEmailOrAlias(store, service, emailOrAlias) {
+    const linkedAccountIds = await getLinkedAccounts(store, {
+        service
+    });
+    // Try exact email match first
+    if (linkedAccountIds.includes(emailOrAlias)) {
+        return emailOrAlias;
+    }
+    // Search by alias
+    for (const accountId of linkedAccountIds){
+        const info = await getAccountInfo(store, {
+            accountId,
+            service
+        });
+        if ((info === null || info === void 0 ? void 0 : info.alias) === emailOrAlias) {
+            return accountId;
+        }
+    }
+    return null;
+}

package/dist/esm/lib/account-server/shared-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/shared-utils.ts"],"sourcesContent":["import type { Keyv } from 'keyv';\nimport { getAccountInfo, getLinkedAccounts } from '../../account-utils.ts';\n\n/**\n * Find account ID by email or alias lookup.\n * Returns accountId if found, otherwise null.\n */\nexport async function findAccountByEmailOrAlias(store: Keyv, service: string, emailOrAlias: string): Promise<string | null> {\n const linkedAccountIds = await getLinkedAccounts(store, { service });\n\n // Try exact email match first\n if (linkedAccountIds.includes(emailOrAlias)) {\n return emailOrAlias;\n }\n\n // Search by alias\n for (const accountId of linkedAccountIds) {\n const info = await getAccountInfo(store, { accountId, service });\n if (info?.alias === emailOrAlias) {\n return accountId;\n }\n }\n\n return null;\n}\n"],"names":["getAccountInfo","getLinkedAccounts","findAccountByEmailOrAlias","store","service","emailOrAlias","linkedAccountIds","includes","accountId","info","alias"],"mappings":"AACA,SAASA,cAAc,EAAEC,iBAAiB,QAAQ,yBAAyB;AAE3E;;;CAGC,GACD,OAAO,eAAeC,0BAA0BC,KAAW,EAAEC,OAAe,EAAEC,YAAoB;IAChG,MAAMC,mBAAmB,MAAML,kBAAkBE,OAAO;QAAEC;IAAQ;IAElE,8BAA8B;IAC9B,IAAIE,iBAAiBC,QAAQ,CAACF,eAAe;QAC3C,OAAOA;IACT;IAEA,kBAAkB;IAClB,KAAK,MAAMG,aAAaF,iBAAkB;QACxC,MAAMG,OAAO,MAAMT,eAAeG,OAAO;YAAEK;YAAWJ;QAAQ;QAC9D,IAAIK,CAAAA,iBAAAA,2BAAAA,KAAMC,KAAK,MAAKL,cAAc;YAChC,OAAOG;QACT;IACF;IAEA,OAAO;AACT"}

package/dist/esm/lib/account-server/stateless.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Stateless tool set for MCP OAuth mode (DCR).
+ *
+ * Use this when authentication is managed by the MCP client.
+ * Tokens are provided per-request and not stored by the server.
+ *
+ * Tools:
+ * - {service}-account-me: Show current user identity from bearer token
+ */
+import type { McpPrompt, McpTool } from '../../types.js';
+import type { AccountStatelessConfig } from './types.js';
+/**
+ * Create stateless mode tools.
+ * MCP client manages authentication. Server provides user identity from bearer token.
+ * Returns 1 tool: account-me.
+ */
+export declare function createStateless(config: AccountStatelessConfig): {
+    tools: McpTool[];
+    prompts: McpPrompt[];
+};

package/dist/esm/lib/account-server/stateless.js ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Stateless tool set for MCP OAuth mode (DCR).
+ *
+ * Use this when authentication is managed by the MCP client.
+ * Tokens are provided per-request and not stored by the server.
+ *
+ * Tools:
+ * - {service}-account-me: Show current user identity from bearer token
+ */ import { createAccountMe } from './me.js';
+/**
+ * Create stateless mode tools.
+ * MCP client manages authentication. Server provides user identity from bearer token.
+ * Returns 1 tool: account-me.
+ */ export function createStateless(config) {
+    const { service } = config;
+    // Create account-me tool for stateless mode
+    const meTools = createAccountMe({
+        service,
+        mode: 'stateless'
+    });
+    return {
+        tools: meTools.tools,
+        prompts: []
+    };
+}

package/dist/esm/lib/account-server/stateless.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/stateless.ts"],"sourcesContent":["/**\n * Stateless tool set for MCP OAuth mode (DCR).\n *\n * Use this when authentication is managed by the MCP client.\n * Tokens are provided per-request and not stored by the server.\n *\n * Tools:\n * - {service}-account-me: Show current user identity from bearer token\n */\n\nimport type { McpPrompt, McpTool } from '../../types.ts';\nimport { createAccountMe } from './me.ts';\nimport type { AccountStatelessConfig } from './types.ts';\n\n/**\n * Create stateless mode tools.\n * MCP client manages authentication. Server provides user identity from bearer token.\n * Returns 1 tool: account-me.\n */\nexport function createStateless(config: AccountStatelessConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n const { service } = config;\n\n // Create account-me tool for stateless mode\n const meTools = createAccountMe({ service, mode: 'stateless' });\n\n return { tools: meTools.tools, prompts: [] };\n}\n"],"names":["createAccountMe","createStateless","config","service","meTools","mode","tools","prompts"],"mappings":"AAAA;;;;;;;;CAQC,GAGD,SAASA,eAAe,QAAQ,UAAU;AAG1C;;;;CAIC,GACD,OAAO,SAASC,gBAAgBC,MAA8B;IAC5D,MAAM,EAAEC,OAAO,EAAE,GAAGD;IAEpB,4CAA4C;IAC5C,MAAME,UAAUJ,gBAAgB;QAAEG;QAASE,MAAM;IAAY;IAE7D,OAAO;QAAEC,OAAOF,QAAQE,KAAK;QAAEC,SAAS,EAAE;IAAC;AAC7C"}

package/dist/esm/lib/account-server/types.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Configuration types for account tool factories.
+ */
+import type { Keyv } from 'keyv';
+import type { AuthEmailProvider, Logger } from '../../types.js';
+/**
+ * Configuration for loopback OAuth account management.
+ * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).
+ */
+export interface AccountLoopbackConfig {
+    service: string;
+    store: Keyv;
+    logger: Logger;
+    auth: AuthEmailProvider;
+}
+/**
+ * Configuration for stateless mode.
+ * MCP client manages authentication. Server provides read-only status.
+ */
+export interface AccountStatelessConfig {
+    service: string;
+}
+/**
+ * Configuration for account-me tool.
+ * Works across all auth modes: loopback, stateless, device code, service account.
+ */
+export interface AccountMeConfig {
+    service: string;
+    store?: Keyv;
+    logger?: Logger;
+    mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';
+}

package/dist/esm/lib/account-server/types.js ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Configuration types for account tool factories.
+ */ /**
+ * Configuration for account-me tool.
+ * Works across all auth modes: loopback, stateless, device code, service account.
+ */ export { };

package/dist/esm/lib/account-server/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/types.ts"],"sourcesContent":["/**\n * Configuration types for account tool factories.\n */\n\nimport type { Keyv } from 'keyv';\nimport type { AuthEmailProvider, Logger } from '../../types.ts';\n\n/**\n * Configuration for loopback OAuth account management.\n * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).\n */\nexport interface AccountLoopbackConfig {\n service: string;\n store: Keyv;\n logger: Logger;\n auth: AuthEmailProvider;\n}\n\n/**\n * Configuration for stateless mode.\n * MCP client manages authentication. Server provides read-only status.\n */\nexport interface AccountStatelessConfig {\n service: string;\n}\n\n/**\n * Configuration for account-me tool.\n * Works across all auth modes: loopback, stateless, device code, service account.\n */\nexport interface AccountMeConfig {\n service: string;\n store?: Keyv;\n logger?: Logger;\n mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';\n}\n"],"names":[],"mappings":"AAAA;;CAEC,GAwBD;;;CAGC,GACD,WAKC"}

package/dist/esm/lib/dcr-types.d.ts ADDED Viewed

@@ -0,0 +1,126 @@
+/**
+ * Dynamic Client Registration (DCR) types per RFC 7591
+ *
+ * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.
+ * Used by providers to register clients dynamically with authorization servers.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */
+import type { Logger } from '../types.js';
+/**
+ * Client metadata for dynamic registration request (RFC 7591 Section 2)
+ *
+ * All fields are optional per RFC 7591. Authorization server may have
+ * required fields or default values based on policy.
+ */
+export interface DcrClientMetadata {
+    /** Array of redirection URI strings for redirect-based flows */
+    redirect_uris?: string[];
+    /** Client authentication method for token endpoint */
+    token_endpoint_auth_method?: 'none' | 'client_secret_post' | 'client_secret_basic';
+    /** OAuth 2.0 grant types the client may use */
+    grant_types?: string[];
+    /** OAuth 2.0 response types the client may use */
+    response_types?: string[];
+    /** Human-readable client name */
+    client_name?: string;
+    /** URL providing information about the client */
+    client_uri?: string;
+    /** URL referencing a logo for the client */
+    logo_uri?: string;
+    /** Space-separated list of scope values */
+    scope?: string;
+    /** Array of contact strings (typically email addresses) */
+    contacts?: string[];
+    /** URL pointing to terms of service document */
+    tos_uri?: string;
+    /** URL pointing to privacy policy document */
+    policy_uri?: string;
+    /** URL referencing the client's JSON Web Key Set */
+    jwks_uri?: string;
+    /** Client's JSON Web Key Set document value */
+    jwks?: object;
+    /** Unique identifier for the client software */
+    software_id?: string;
+    /** Version identifier for the client software */
+    software_version?: string;
+    /** JWT containing client metadata claims (signed software statement) */
+    software_statement?: string;
+}
+/**
+ * Client information response from successful registration (RFC 7591 Section 3.2.1)
+ *
+ * Authorization server returns client credentials and echoes/modifies metadata.
+ * client_id is always returned, client_secret is optional for public clients.
+ */
+export interface DcrClientInformation {
+    /** REQUIRED: OAuth 2.0 client identifier string */
+    client_id: string;
+    /** OPTIONAL: OAuth 2.0 client secret (omitted for public clients) */
+    client_secret?: string;
+    /** OPTIONAL: Timestamp of client ID issuance (seconds since Unix epoch) */
+    client_id_issued_at?: number;
+    /**
+     * REQUIRED if client_secret issued: Expiration timestamp (seconds since epoch)
+     * Value of 0 indicates the secret does not expire
+     */
+    client_secret_expires_at?: number;
+    redirect_uris?: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    jwks?: object;
+    software_id?: string;
+    software_version?: string;
+}
+/**
+ * Provider tokens for stateless DCR pattern
+ *
+ * In stateless mode, DCR provider receives provider credentials from context
+ * rather than managing token storage. Used for MCP server deployments where
+ * client manages all tokens.
+ */
+export interface ProviderTokens {
+    /** OAuth 2.0 access token for provider API calls */
+    accessToken: string;
+    /** Optional refresh token for token renewal */
+    refreshToken?: string;
+    /** Token expiration timestamp (seconds since Unix epoch) */
+    expiresAt?: number;
+    /** Space-separated list of granted scopes */
+    scope?: string;
+}
+/**
+ * Configuration for DCR provider initialization
+ *
+ * Minimal config for creating DCR provider instances. Additional provider-specific
+ * config (client IDs, secrets, redirect URIs) handled by concrete implementations.
+ */
+export interface DcrConfig {
+    /** Authorization server's registration endpoint URL */
+    registrationEndpoint: string;
+    /** Client metadata to register with authorization server */
+    metadata: DcrClientMetadata;
+    /** Optional logger for DCR operations */
+    logger?: Logger;
+}
+/**
+ * DCR error response per RFC 7591 Section 3.2.2
+ *
+ * Authorization server returns HTTP 400 with error details when
+ * registration fails due to invalid metadata or policy violations.
+ */
+export interface DcrErrorResponse {
+    /** REQUIRED: Single ASCII error code string */
+    error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;
+    /** OPTIONAL: Human-readable ASCII description */
+    error_description?: string;
+}

package/dist/esm/lib/dcr-types.js ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * Dynamic Client Registration (DCR) types per RFC 7591
+ *
+ * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.
+ * Used by providers to register clients dynamically with authorization servers.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */ /**
+ * DCR error response per RFC 7591 Section 3.2.2
+ *
+ * Authorization server returns HTTP 400 with error details when
+ * registration fails due to invalid metadata or policy violations.
+ */ export { };

package/dist/esm/lib/dcr-types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/dcr-types.ts"],"sourcesContent":["/**\n * Dynamic Client Registration (DCR) types per RFC 7591\n *\n * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.\n * Used by providers to register clients dynamically with authorization servers.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc7591\n */\n\nimport type { Logger } from '../types.ts';\n\n/**\n * Client metadata for dynamic registration request (RFC 7591 Section 2)\n *\n * All fields are optional per RFC 7591. Authorization server may have\n * required fields or default values based on policy.\n */\nexport interface DcrClientMetadata {\n /** Array of redirection URI strings for redirect-based flows */\n redirect_uris?: string[];\n\n /** Client authentication method for token endpoint */\n token_endpoint_auth_method?: 'none' | 'client_secret_post' | 'client_secret_basic';\n\n /** OAuth 2.0 grant types the client may use */\n grant_types?: string[];\n\n /** OAuth 2.0 response types the client may use */\n response_types?: string[];\n\n /** Human-readable client name */\n client_name?: string;\n\n /** URL providing information about the client */\n client_uri?: string;\n\n /** URL referencing a logo for the client */\n logo_uri?: string;\n\n /** Space-separated list of scope values */\n scope?: string;\n\n /** Array of contact strings (typically email addresses) */\n contacts?: string[];\n\n /** URL pointing to terms of service document */\n tos_uri?: string;\n\n /** URL pointing to privacy policy document */\n policy_uri?: string;\n\n /** URL referencing the client's JSON Web Key Set */\n jwks_uri?: string;\n\n /** Client's JSON Web Key Set document value */\n jwks?: object;\n\n /** Unique identifier for the client software */\n software_id?: string;\n\n /** Version identifier for the client software */\n software_version?: string;\n\n /** JWT containing client metadata claims (signed software statement) */\n software_statement?: string;\n}\n\n/**\n * Client information response from successful registration (RFC 7591 Section 3.2.1)\n *\n * Authorization server returns client credentials and echoes/modifies metadata.\n * client_id is always returned, client_secret is optional for public clients.\n */\nexport interface DcrClientInformation {\n /** REQUIRED: OAuth 2.0 client identifier string */\n client_id: string;\n\n /** OPTIONAL: OAuth 2.0 client secret (omitted for public clients) */\n client_secret?: string;\n\n /** OPTIONAL: Timestamp of client ID issuance (seconds since Unix epoch) */\n client_id_issued_at?: number;\n\n /**\n * REQUIRED if client_secret issued: Expiration timestamp (seconds since epoch)\n * Value of 0 indicates the secret does not expire\n */\n client_secret_expires_at?: number;\n\n // All registered metadata fields (echoed or server-modified)\n redirect_uris?: string[];\n token_endpoint_auth_method?: string;\n grant_types?: string[];\n response_types?: string[];\n client_name?: string;\n client_uri?: string;\n logo_uri?: string;\n scope?: string;\n contacts?: string[];\n tos_uri?: string;\n policy_uri?: string;\n jwks_uri?: string;\n jwks?: object;\n software_id?: string;\n software_version?: string;\n}\n\n/**\n * Provider tokens for stateless DCR pattern\n *\n * In stateless mode, DCR provider receives provider credentials from context\n * rather than managing token storage. Used for MCP server deployments where\n * client manages all tokens.\n */\nexport interface ProviderTokens {\n /** OAuth 2.0 access token for provider API calls */\n accessToken: string;\n\n /** Optional refresh token for token renewal */\n refreshToken?: string;\n\n /** Token expiration timestamp (seconds since Unix epoch) */\n expiresAt?: number;\n\n /** Space-separated list of granted scopes */\n scope?: string;\n}\n\n/**\n * Configuration for DCR provider initialization\n *\n * Minimal config for creating DCR provider instances. Additional provider-specific\n * config (client IDs, secrets, redirect URIs) handled by concrete implementations.\n */\nexport interface DcrConfig {\n /** Authorization server's registration endpoint URL */\n registrationEndpoint: string;\n\n /** Client metadata to register with authorization server */\n metadata: DcrClientMetadata;\n\n /** Optional logger for DCR operations */\n logger?: Logger;\n}\n\n/**\n * DCR error response per RFC 7591 Section 3.2.2\n *\n * Authorization server returns HTTP 400 with error details when\n * registration fails due to invalid metadata or policy violations.\n */\nexport interface DcrErrorResponse {\n /** REQUIRED: Single ASCII error code string */\n error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;\n\n /** OPTIONAL: Human-readable ASCII description */\n error_description?: string;\n}\n"],"names":[],"mappings":"AAAA;;;;;;;CAOC,GA0ID;;;;;CAKC,GACD,WAMC"}

package/dist/esm/lib/rfc-metadata-types.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * RFC 8414 Authorization Server Metadata
+ * @see https://www.rfc-editor.org/rfc/rfc8414.html
+ */
+export interface RFC8414Metadata {
+    /** Authorization server issuer URL */
+    issuer: string;
+    /** OAuth 2.0 authorization endpoint */
+    authorization_endpoint: string;
+    /** OAuth 2.0 token endpoint */
+    token_endpoint: string;
+    /** Dynamic Client Registration endpoint (RFC 7591) */
+    registration_endpoint: string;
+    /** Optional: Token revocation endpoint */
+    revocation_endpoint?: string;
+    /** Optional: Supported OAuth scopes */
+    scopes_supported?: string[];
+    /** Optional: Supported response types */
+    response_types_supported?: string[];
+    /** Optional: Supported grant types */
+    grant_types_supported?: string[];
+    /** Optional: Supported token endpoint auth methods */
+    token_endpoint_auth_methods_supported?: string[];
+    /** Optional: Supported PKCE code challenge methods (RFC 7636) */
+    code_challenge_methods_supported?: string[];
+    /** Optional: Service documentation URL */
+    service_documentation?: string;
+    /** Allow additional provider-specific fields */
+    [key: string]: unknown;
+}
+/**
+ * RFC 9728 Protected Resource Metadata
+ * @see https://www.rfc-editor.org/rfc/rfc9728.html
+ */
+export interface RFC9728Metadata {
+    /** Protected resource URL */
+    resource: string;
+    /** List of authorization servers that can issue tokens for this resource */
+    authorization_servers: string[];
+    /** OAuth scopes supported by this resource */
+    scopes_supported: string[];
+    /** Methods for providing bearer tokens (typically ['header']) */
+    bearer_methods_supported: string[];
+    /** Allow additional provider-specific fields */
+    [key: string]: unknown;
+}

package/dist/esm/lib/rfc-metadata-types.js ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * RFC 8414 Authorization Server Metadata
+ * @see https://www.rfc-editor.org/rfc/rfc8414.html
+ */ /**
+ * RFC 9728 Protected Resource Metadata
+ * @see https://www.rfc-editor.org/rfc/rfc9728.html
+ */ export { };

package/dist/esm/lib/rfc-metadata-types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/rfc-metadata-types.ts"],"sourcesContent":["/**\n * RFC 8414 Authorization Server Metadata\n * @see https://www.rfc-editor.org/rfc/rfc8414.html\n */\nexport interface RFC8414Metadata {\n /** Authorization server issuer URL */\n issuer: string;\n /** OAuth 2.0 authorization endpoint */\n authorization_endpoint: string;\n /** OAuth 2.0 token endpoint */\n token_endpoint: string;\n /** Dynamic Client Registration endpoint (RFC 7591) */\n registration_endpoint: string;\n /** Optional: Token revocation endpoint */\n revocation_endpoint?: string;\n /** Optional: Supported OAuth scopes */\n scopes_supported?: string[];\n /** Optional: Supported response types */\n response_types_supported?: string[];\n /** Optional: Supported grant types */\n grant_types_supported?: string[];\n /** Optional: Supported token endpoint auth methods */\n token_endpoint_auth_methods_supported?: string[];\n /** Optional: Supported PKCE code challenge methods (RFC 7636) */\n code_challenge_methods_supported?: string[];\n /** Optional: Service documentation URL */\n service_documentation?: string;\n /** Allow additional provider-specific fields */\n [key: string]: unknown;\n}\n\n/**\n * RFC 9728 Protected Resource Metadata\n * @see https://www.rfc-editor.org/rfc/rfc9728.html\n */\nexport interface RFC9728Metadata {\n /** Protected resource URL */\n resource: string;\n /** List of authorization servers that can issue tokens for this resource */\n authorization_servers: string[];\n /** OAuth scopes supported by this resource */\n scopes_supported: string[];\n /** Methods for providing bearer tokens (typically ['header']) */\n bearer_methods_supported: string[];\n /** Allow additional provider-specific fields */\n [key: string]: unknown;\n}\n"],"names":[],"mappings":"AAAA;;;CAGC,GA4BD;;;CAGC,GACD,WAWC"}

package/dist/esm/package.json ADDED Viewed

	@@ -0,0 +1 @@
1	+ { "type": "module" }

package/dist/esm/pkce.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities for OAuth 2.0
+ *
+ * Implements RFC 7636 PKCE extension for public OAuth clients.
+ * Generates cryptographically secure code verifier and challenge.
+ */
+/**
+ * PKCE code verifier and challenge pair
+ */
+export interface PKCEPair {
+    /** Code verifier - random string sent to token endpoint */
+    verifier: string;
+    /** Code challenge - SHA256 hash of verifier sent to authorization endpoint */
+    challenge: string;
+}
+/**
+ * Generate PKCE code verifier and challenge pair
+ *
+ * Uses SHA-256 hashing (S256 method) as recommended by RFC 7636.
+ * Code verifier is 32 random bytes base64url-encoded (43 characters).
+ *
+ * @returns PKCE pair with verifier and challenge
+ *
+ * @example
+ * ```typescript
+ * const { verifier, challenge } = generatePKCE();
+ *
+ * // Use challenge in authorization URL
+ * authUrl.searchParams.set('code_challenge', challenge);
+ * authUrl.searchParams.set('code_challenge_method', 'S256');
+ *
+ * // Later, use verifier in token exchange
+ * tokenParams.code_verifier = verifier;
+ * ```
+ */
+export declare function generatePKCE(): PKCEPair;

package/dist/esm/pkce.js ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities for OAuth 2.0
+ *
+ * Implements RFC 7636 PKCE extension for public OAuth clients.
+ * Generates cryptographically secure code verifier and challenge.
+ */ import { createHash, randomBytes } from 'crypto';
+/**
+ * Generate PKCE code verifier and challenge pair
+ *
+ * Uses SHA-256 hashing (S256 method) as recommended by RFC 7636.
+ * Code verifier is 32 random bytes base64url-encoded (43 characters).
+ *
+ * @returns PKCE pair with verifier and challenge
+ *
+ * @example
+ * ```typescript
+ * const { verifier, challenge } = generatePKCE();
+ *
+ * // Use challenge in authorization URL
+ * authUrl.searchParams.set('code_challenge', challenge);
+ * authUrl.searchParams.set('code_challenge_method', 'S256');
+ *
+ * // Later, use verifier in token exchange
+ * tokenParams.code_verifier = verifier;
+ * ```
+ */ export function generatePKCE() {
+    const verifier = randomBytes(32).toString('base64url');
+    const challenge = createHash('sha256').update(verifier).digest('base64url');
+    return {
+        verifier,
+        challenge
+    };
+}

package/dist/esm/pkce.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/pkce.ts"],"sourcesContent":["/**\n * PKCE (Proof Key for Code Exchange) utilities for OAuth 2.0\n *\n * Implements RFC 7636 PKCE extension for public OAuth clients.\n * Generates cryptographically secure code verifier and challenge.\n */\n\nimport { createHash, randomBytes } from 'crypto';\n\n/**\n * PKCE code verifier and challenge pair\n */\nexport interface PKCEPair {\n /** Code verifier - random string sent to token endpoint */\n verifier: string;\n /** Code challenge - SHA256 hash of verifier sent to authorization endpoint */\n challenge: string;\n}\n\n/**\n * Generate PKCE code verifier and challenge pair\n *\n * Uses SHA-256 hashing (S256 method) as recommended by RFC 7636.\n * Code verifier is 32 random bytes base64url-encoded (43 characters).\n *\n * @returns PKCE pair with verifier and challenge\n *\n * @example\n * ```typescript\n * const { verifier, challenge } = generatePKCE();\n *\n * // Use challenge in authorization URL\n * authUrl.searchParams.set('code_challenge', challenge);\n * authUrl.searchParams.set('code_challenge_method', 'S256');\n *\n * // Later, use verifier in token exchange\n * tokenParams.code_verifier = verifier;\n * ```\n */\nexport function generatePKCE(): PKCEPair {\n const verifier = randomBytes(32).toString('base64url');\n const challenge = createHash('sha256').update(verifier).digest('base64url');\n\n return {\n verifier,\n challenge,\n };\n}\n"],"names":["createHash","randomBytes","generatePKCE","verifier","toString","challenge","update","digest"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,UAAU,EAAEC,WAAW,QAAQ,SAAS;AAYjD;;;;;;;;;;;;;;;;;;;CAmBC,GACD,OAAO,SAASC;IACd,MAAMC,WAAWF,YAAY,IAAIG,QAAQ,CAAC;IAC1C,MAAMC,YAAYL,WAAW,UAAUM,MAAM,CAACH,UAAUI,MAAM,CAAC;IAE/D,OAAO;QACLJ;QACAE;IACF;AACF"}

package/dist/esm/sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Data sanitization utilities for secure logging.
+ * Redacts sensitive OAuth tokens, API keys, and credentials from log output.
+ *
+ * @example
+ * ```typescript
+ * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })
+ * // { accountId: 'test@example.com', access_token: 'secr****alue' }
+ *
+ * sanitizeForLogging('Processing token', { token: 'secret_value' })
+ * // { message: 'Processing token', meta: { token: 'secr****alue' } }
+ * ```
+ */
+export declare function sanitizeData(data: unknown): unknown;
+/**
+ * Prevent log injection attacks by escaping control characters
+ * SECURITY: Critical for preventing CRLF injection (OWASP A03)
+ */
+export declare function sanitizeLogMessage(message: string, maxLength?: number): string;
+/**
+ * Sanitize log message and metadata for safe logging
+ * Applies both CRLF protection and sensitive data redaction
+ *
+ * @param message - The log message to sanitize
+ * @param meta - Optional metadata object to sanitize
+ * @param enableDataSanitization - Whether to apply sensitive data redaction (default: true)
+ * @returns Sanitized message and metadata ready for logging
+ */
+export declare function sanitizeForLogging(message: string, meta?: Record<string, unknown>, enableDataSanitization?: boolean): {
+    message: string;
+    meta: Record<string, unknown>;
+};
+export declare function sanitizeForLoggingFormatter(): {
+    log: (obj: any) => {
+        msg: string;
+    };
+};