npm - @mcp-z/oauth - Versions diffs - 1.0.0 - Mend

@mcp-z/oauth 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

package/LICENSE +21 -0
package/README.md +71 -0
package/dist/cjs/account-utils.d.cts +107 -0
package/dist/cjs/account-utils.d.ts +107 -0
package/dist/cjs/account-utils.js +481 -0
package/dist/cjs/account-utils.js.map +1 -0
package/dist/cjs/index.d.cts +19 -0
package/dist/cjs/index.d.ts +19 -0
package/dist/cjs/index.js +149 -0
package/dist/cjs/index.js.map +1 -0
package/dist/cjs/jwt-auth.d.cts +53 -0
package/dist/cjs/jwt-auth.d.ts +53 -0
package/dist/cjs/jwt-auth.js +417 -0
package/dist/cjs/jwt-auth.js.map +1 -0
package/dist/cjs/key-utils.d.cts +131 -0
package/dist/cjs/key-utils.d.ts +131 -0
package/dist/cjs/key-utils.js +421 -0
package/dist/cjs/key-utils.js.map +1 -0
package/dist/cjs/lib/account-server/index.d.cts +45 -0
package/dist/cjs/lib/account-server/index.d.ts +45 -0
package/dist/cjs/lib/account-server/index.js +67 -0
package/dist/cjs/lib/account-server/index.js.map +1 -0
package/dist/cjs/lib/account-server/loopback.d.cts +22 -0
package/dist/cjs/lib/account-server/loopback.d.ts +22 -0
package/dist/cjs/lib/account-server/loopback.js +778 -0
package/dist/cjs/lib/account-server/loopback.js.map +1 -0
package/dist/cjs/lib/account-server/me.d.cts +23 -0
package/dist/cjs/lib/account-server/me.d.ts +23 -0
package/dist/cjs/lib/account-server/me.js +412 -0
package/dist/cjs/lib/account-server/me.js.map +1 -0
package/dist/cjs/lib/account-server/shared-utils.d.cts +6 -0
package/dist/cjs/lib/account-server/shared-utils.d.ts +6 -0
package/dist/cjs/lib/account-server/shared-utils.js +235 -0
package/dist/cjs/lib/account-server/shared-utils.js.map +1 -0
package/dist/cjs/lib/account-server/stateless.d.cts +20 -0
package/dist/cjs/lib/account-server/stateless.d.ts +20 -0
package/dist/cjs/lib/account-server/stateless.js +32 -0
package/dist/cjs/lib/account-server/stateless.js.map +1 -0
package/dist/cjs/lib/account-server/types.d.cts +32 -0
package/dist/cjs/lib/account-server/types.d.ts +32 -0
package/dist/cjs/lib/account-server/types.js +7 -0
package/dist/cjs/lib/account-server/types.js.map +1 -0
package/dist/cjs/lib/dcr-types.d.cts +126 -0
package/dist/cjs/lib/dcr-types.d.ts +126 -0
package/dist/cjs/lib/dcr-types.js +12 -0
package/dist/cjs/lib/dcr-types.js.map +1 -0
package/dist/cjs/lib/rfc-metadata-types.d.cts +46 -0
package/dist/cjs/lib/rfc-metadata-types.d.ts +46 -0
package/dist/cjs/lib/rfc-metadata-types.js +8 -0
package/dist/cjs/lib/rfc-metadata-types.js.map +1 -0
package/dist/cjs/package.json +1 -0
package/dist/cjs/pkce.d.cts +36 -0
package/dist/cjs/pkce.d.ts +36 -0
package/dist/cjs/pkce.js +25 -0
package/dist/cjs/pkce.js.map +1 -0
package/dist/cjs/sanitizer.d.cts +37 -0
package/dist/cjs/sanitizer.d.ts +37 -0
package/dist/cjs/sanitizer.js +407 -0
package/dist/cjs/sanitizer.js.map +1 -0
package/dist/cjs/schemas/index.d.cts +36 -0
package/dist/cjs/schemas/index.d.ts +36 -0
package/dist/cjs/schemas/index.js +28 -0
package/dist/cjs/schemas/index.js.map +1 -0
package/dist/cjs/session-auth.d.cts +79 -0
package/dist/cjs/session-auth.d.ts +79 -0
package/dist/cjs/session-auth.js +354 -0
package/dist/cjs/session-auth.js.map +1 -0
package/dist/cjs/templates.d.cts +18 -0
package/dist/cjs/templates.d.ts +18 -0
package/dist/cjs/templates.js +38 -0
package/dist/cjs/templates.js.map +1 -0
package/dist/cjs/types.d.cts +343 -0
package/dist/cjs/types.d.ts +343 -0
package/dist/cjs/types.js +210 -0
package/dist/cjs/types.js.map +1 -0
package/dist/esm/account-utils.d.ts +107 -0
package/dist/esm/account-utils.js +179 -0
package/dist/esm/account-utils.js.map +1 -0
package/dist/esm/index.d.ts +19 -0
package/dist/esm/index.js +23 -0
package/dist/esm/index.js.map +1 -0
package/dist/esm/jwt-auth.d.ts +53 -0
package/dist/esm/jwt-auth.js +164 -0
package/dist/esm/jwt-auth.js.map +1 -0
package/dist/esm/key-utils.d.ts +131 -0
package/dist/esm/key-utils.js +143 -0
package/dist/esm/key-utils.js.map +1 -0
package/dist/esm/lib/account-server/index.d.ts +45 -0
package/dist/esm/lib/account-server/index.js +41 -0
package/dist/esm/lib/account-server/index.js.map +1 -0
package/dist/esm/lib/account-server/loopback.d.ts +22 -0
package/dist/esm/lib/account-server/loopback.js +372 -0
package/dist/esm/lib/account-server/loopback.js.map +1 -0
package/dist/esm/lib/account-server/me.d.ts +23 -0
package/dist/esm/lib/account-server/me.js +170 -0
package/dist/esm/lib/account-server/me.js.map +1 -0
package/dist/esm/lib/account-server/shared-utils.d.ts +6 -0
package/dist/esm/lib/account-server/shared-utils.js +24 -0
package/dist/esm/lib/account-server/shared-utils.js.map +1 -0
package/dist/esm/lib/account-server/stateless.d.ts +20 -0
package/dist/esm/lib/account-server/stateless.js +25 -0
package/dist/esm/lib/account-server/stateless.js.map +1 -0
package/dist/esm/lib/account-server/types.d.ts +32 -0
package/dist/esm/lib/account-server/types.js +6 -0
package/dist/esm/lib/account-server/types.js.map +1 -0
package/dist/esm/lib/dcr-types.d.ts +126 -0
package/dist/esm/lib/dcr-types.js +13 -0
package/dist/esm/lib/dcr-types.js.map +1 -0
package/dist/esm/lib/rfc-metadata-types.d.ts +46 -0
package/dist/esm/lib/rfc-metadata-types.js +7 -0
package/dist/esm/lib/rfc-metadata-types.js.map +1 -0
package/dist/esm/package.json +1 -0
package/dist/esm/pkce.d.ts +36 -0
package/dist/esm/pkce.js +33 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/sanitizer.d.ts +37 -0
package/dist/esm/sanitizer.js +256 -0
package/dist/esm/sanitizer.js.map +1 -0
package/dist/esm/schemas/index.d.ts +36 -0
package/dist/esm/schemas/index.js +19 -0
package/dist/esm/schemas/index.js.map +1 -0
package/dist/esm/session-auth.d.ts +79 -0
package/dist/esm/session-auth.js +141 -0
package/dist/esm/session-auth.js.map +1 -0
package/dist/esm/templates.d.ts +18 -0
package/dist/esm/templates.js +132 -0
package/dist/esm/templates.js.map +1 -0
package/dist/esm/types.d.ts +343 -0
package/dist/esm/types.js +34 -0
package/dist/esm/types.js.map +1 -0
package/package.json +82 -0

package/dist/esm/sanitizer.js ADDED Viewed

@@ -0,0 +1,256 @@
+/**
+ * Data sanitization utilities for secure logging.
+ * Redacts sensitive OAuth tokens, API keys, and credentials from log output.
+ *
+ * @example
+ * ```typescript
+ * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })
+ * // { accountId: 'test@example.com', access_token: 'secr****alue' }
+ *
+ * sanitizeForLogging('Processing token', { token: 'secret_value' })
+ * // { message: 'Processing token', meta: { token: 'secr****alue' } }
+ * ```
+ */ /** Regex patterns for sensitive data that should be redacted from logs */ const SENSITIVE_PATTERNS = [
+    // OAuth tokens, codes, and secrets
+    /access_token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /(access_token_[a-zA-Z0-9_]+)/gi,
+    /refresh_token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /client_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /id_token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /\bcode['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /\bstate['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /code_verifier['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /code_challenge['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /codeVerifier['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /codeChallenge['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /device_code['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /user_code['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /verification_uri['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /verification_uri_complete['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Provider credentials and identifiers
+    /app_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /appSecret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /tenant_id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /tenantId['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /client_id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /clientId['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /app_id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /appId['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /redirect_uri['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /redirectUri['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /subscription_key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /subscriptionKey['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Security secrets and keys
+    /webhook_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /webhookSecret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /signing_secret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /signingSecret['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /encryption_key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /encryptionKey['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /private_key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /privateKey['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /certificate['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /cert['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Authorization headers
+    /Authorization['":\s]*['"]\s*Bearer\s+([^'"]+)['"]/gi,
+    /authorization['":\s]*['"]\s*Bearer\s+([^'"]+)['"]/gi,
+    /Bearer\s+([A-Za-z0-9+/=\-_.]+)/gi,
+    /Authorization:\s*Bearer\s+([A-Za-z0-9+/=\-_.]+)/gi,
+    /[A-Z_]+_(SECRET|KEY|TOKEN|PASSWORD)['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Session and CSRF tokens
+    /\bnonce['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /session[_-]?id['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /csrf[_-]?token['":\s]*['"]\s*([^'"]+)['"]/gi,
+    // Other sensitive patterns
+    /"email"\s*:\s*"([^@"]{1,64}@[^."]{1,63}\.[a-z]{2,6})"/gi,
+    /api[_-]?key['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /password['":\s]*['"]\s*([^'"]+)['"]/gi,
+    /\b(ey[A-Za-z0-9+/=]+\.[A-Za-z0-9+/=]+\.[A-Za-z0-9+/=\-_]+)/g,
+    // Base64 secrets (split into length ranges for practical matching)
+    /\b([A-Za-z0-9+/]{60,200}={0,2})\b/g,
+    /\b([A-Za-z0-9+/]{201,1000}={0,2})\b/g,
+    /\b([A-Za-z0-9+/]{1001,5000}={0,2})\b/g,
+    // Connection identifiers
+    /connection[_-]?id['":\s]*['"]\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['"]/gi
+];
+/** Field names that should be redacted when found as object keys */ const SENSITIVE_FIELDS = new Set([
+    'access_token',
+    'accessToken',
+    'refresh_token',
+    'refreshToken',
+    'client_secret',
+    'clientSecret',
+    'id_token',
+    'idToken',
+    'code',
+    'authorization_code',
+    'authorizationCode',
+    'device_code',
+    'deviceCode',
+    'user_code',
+    'userCode',
+    'verification_uri',
+    'verificationUri',
+    'verification_uri_complete',
+    'verificationUriComplete',
+    'client_id',
+    'clientId',
+    'app_id',
+    'appId',
+    'app_secret',
+    'appSecret',
+    'tenant_id',
+    'tenantId',
+    'bot_id',
+    'botId',
+    'workspace_id',
+    'workspaceId',
+    'organization_id',
+    'organizationId',
+    'redirect_uri',
+    'redirectUri',
+    'audience',
+    'realm',
+    'domain',
+    'webhook_secret',
+    'webhookSecret',
+    'signing_secret',
+    'signingSecret',
+    'subscription_key',
+    'subscriptionKey',
+    'encryption_key',
+    'encryptionKey',
+    'private_key',
+    'privateKey',
+    'certificate',
+    'cert',
+    'stripe-signature',
+    'x-hub-signature',
+    'x-hub-signature-256',
+    'x-slack-signature',
+    'x-mcp-z-webhook-secret',
+    'password',
+    'secret',
+    'token',
+    'authorization',
+    'credential',
+    'auth',
+    'verifier',
+    'challenge',
+    'code_verifier',
+    'codeVerifier',
+    'code_challenge',
+    'codeChallenge',
+    'nonce',
+    'session_id',
+    'sessionId',
+    'csrf_token',
+    'csrfToken',
+    'api_key',
+    'apiKey',
+    'state',
+    'connection_id',
+    'connectionId',
+    'gmail_connection_id',
+    'gmailConnectionId'
+]);
+function isAlreadySanitized(value) {
+    return value.includes('****') || value.includes('[REDACTED]') || value === '[REDACTED]';
+}
+function redactValue(value) {
+    if (isAlreadySanitized(value)) {
+        return value;
+    }
+    if (value.length <= 8) {
+        return '*'.repeat(value.length);
+    }
+    // Show first 4 and last 4 characters
+    return `${value.substring(0, 4)}****${value.substring(value.length - 4)}`;
+}
+export function sanitizeData(data) {
+    if (typeof data === 'string') {
+        if (isAlreadySanitized(data)) {
+            return data;
+        }
+        let sanitized = data;
+        for (const pattern of SENSITIVE_PATTERNS){
+            sanitized = sanitized.replace(pattern, (match, captured)=>{
+                if (typeof captured === 'string') {
+                    const redacted = redactValue(captured);
+                    return match.replace(captured, redacted);
+                }
+                return match;
+            });
+        }
+        return sanitized;
+    }
+    if (Array.isArray(data)) {
+        return data.map(sanitizeData);
+    }
+    if (data && typeof data === 'object') {
+        const sanitized = {};
+        for (const [key, value] of Object.entries(data)){
+            const lowerKey = key.toLowerCase();
+            if (SENSITIVE_FIELDS.has(lowerKey) || SENSITIVE_FIELDS.has(key)) {
+                if (typeof value === 'string') {
+                    sanitized[key] = redactValue(value);
+                } else {
+                    sanitized[key] = '[REDACTED]';
+                }
+            } else {
+                sanitized[key] = sanitizeData(value);
+            }
+        }
+        return sanitized;
+    }
+    return data;
+}
+/**
+ * Prevent log injection attacks by escaping control characters
+ * SECURITY: Critical for preventing CRLF injection (OWASP A03)
+ */ export function sanitizeLogMessage(message, maxLength = 50000) {
+    if (typeof message !== 'string') {
+        return String(message);
+    }
+    // Truncation protection - prevent log poisoning via huge payloads
+    let processedMessage = message;
+    if (processedMessage.length > maxLength) {
+        processedMessage = `${processedMessage.substring(0, maxLength)} [TRUNCATED]`;
+    }
+    return processedMessage.normalize('NFKC').replace(/\r\n|\r|\n/g, ' ').replace(/\t/g, ' ')// biome-ignore lint/suspicious/noControlCharactersInRegex: Security sanitization requires control character removal
+    .replace(/[\x00-\x1F\x7F-\x9F]/g, '').replace(/[\u200B-\u200D\uFEFF]/g, '') // Zero-width chars used for obfuscation
+    .trim();
+}
+/**
+ * Sanitize log message and metadata for safe logging
+ * Applies both CRLF protection and sensitive data redaction
+ *
+ * @param message - The log message to sanitize
+ * @param meta - Optional metadata object to sanitize
+ * @param enableDataSanitization - Whether to apply sensitive data redaction (default: true)
+ * @returns Sanitized message and metadata ready for logging
+ */ export function sanitizeForLogging(message, meta, enableDataSanitization = true) {
+    const cleanMessage = sanitizeLogMessage(message);
+    if (!enableDataSanitization) {
+        return {
+            message: cleanMessage,
+            meta: meta || {}
+        };
+    }
+    return {
+        message: sanitizeData(cleanMessage),
+        meta: sanitizeData(meta || {})
+    };
+}
+export function sanitizeForLoggingFormatter() {
+    return {
+        log: (obj)=>{
+            const message = obj.msg || obj.message || '';
+            const { message: clean, meta } = sanitizeForLogging(message, obj);
+            return {
+                ...meta,
+                msg: clean
+            };
+        }
+    };
+}

package/dist/esm/sanitizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/sanitizer.ts"],"sourcesContent":["/**\n * Data sanitization utilities for secure logging.\n * Redacts sensitive OAuth tokens, API keys, and credentials from log output.\n *\n * @example\n * ```typescript\n * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })\n * // { accountId: 'test@example.com', access_token: 'secr****alue' }\n *\n * sanitizeForLogging('Processing token', { token: 'secret_value' })\n * // { message: 'Processing token', meta: { token: 'secr****alue' } }\n * ```\n */\n\n/** Regex patterns for sensitive data that should be redacted from logs */\nconst SENSITIVE_PATTERNS = [\n // OAuth tokens, codes, and secrets\n /access_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /(access_token_[a-zA-Z0-9_]+)/gi,\n /refresh_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /client_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /id_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /\\bcode['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /\\bstate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /code_verifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /code_challenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /codeVerifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /codeChallenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /device_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /user_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /verification_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /verification_uri_complete['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n // Provider credentials and identifiers\n /app_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /appSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /tenant_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /tenantId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /client_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /clientId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /app_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /appId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /redirect_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /redirectUri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /subscription_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /subscriptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n // Security secrets and keys\n /webhook_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /webhookSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /signing_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /signingSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /encryption_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /encryptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /private_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /privateKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /certificate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /cert['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n // Authorization headers\n /Authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n /authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n /Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n /Authorization:\\s*Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n /[A-Z_]+_(SECRET|KEY|TOKEN|PASSWORD)['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n // Session and CSRF tokens\n /\\bnonce['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /session[_-]?id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /csrf[_-]?token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n // Other sensitive patterns\n /\"email\"\\s*:\\s*\"([^@\"]{1,64}@[^.\"]{1,63}\\.[a-z]{2,6})\"/gi,\n /api[_-]?key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /password['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n /\\b(ey[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=\\-_]+)/g,\n\n // Base64 secrets (split into length ranges for practical matching)\n /\\b([A-Za-z0-9+/]{60,200}={0,2})\\b/g,\n /\\b([A-Za-z0-9+/]{201,1000}={0,2})\\b/g,\n /\\b([A-Za-z0-9+/]{1001,5000}={0,2})\\b/g,\n\n // Connection identifiers\n /connection[_-]?id['\":\\s]*['\"]\\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]/gi,\n];\n\n/** Field names that should be redacted when found as object keys */\nconst SENSITIVE_FIELDS = new Set([\n 'access_token',\n 'accessToken',\n 'refresh_token',\n 'refreshToken',\n 'client_secret',\n 'clientSecret',\n 'id_token',\n 'idToken',\n 'code',\n 'authorization_code',\n 'authorizationCode',\n 'device_code',\n 'deviceCode',\n 'user_code',\n 'userCode',\n 'verification_uri',\n 'verificationUri',\n 'verification_uri_complete',\n 'verificationUriComplete',\n 'client_id',\n 'clientId',\n 'app_id',\n 'appId',\n 'app_secret',\n 'appSecret',\n 'tenant_id',\n 'tenantId',\n 'bot_id',\n 'botId',\n 'workspace_id',\n 'workspaceId',\n 'organization_id',\n 'organizationId',\n 'redirect_uri',\n 'redirectUri',\n 'audience',\n 'realm',\n 'domain',\n 'webhook_secret',\n 'webhookSecret',\n 'signing_secret',\n 'signingSecret',\n 'subscription_key',\n 'subscriptionKey',\n 'encryption_key',\n 'encryptionKey',\n 'private_key',\n 'privateKey',\n 'certificate',\n 'cert',\n 'stripe-signature',\n 'x-hub-signature',\n 'x-hub-signature-256',\n 'x-slack-signature',\n 'x-mcp-z-webhook-secret',\n 'password',\n 'secret',\n 'token',\n 'authorization',\n 'credential',\n 'auth',\n 'verifier',\n 'challenge',\n 'code_verifier',\n 'codeVerifier',\n 'code_challenge',\n 'codeChallenge',\n 'nonce',\n 'session_id',\n 'sessionId',\n 'csrf_token',\n 'csrfToken',\n 'api_key',\n 'apiKey',\n 'state',\n 'connection_id',\n 'connectionId',\n 'gmail_connection_id',\n 'gmailConnectionId',\n]);\n\nfunction isAlreadySanitized(value: string): boolean {\n return value.includes('****') || value.includes('[REDACTED]') || value === '[REDACTED]';\n}\n\nfunction redactValue(value: string): string {\n if (isAlreadySanitized(value)) {\n return value;\n }\n\n if (value.length <= 8) {\n return '*'.repeat(value.length);\n }\n\n // Show first 4 and last 4 characters\n return `${value.substring(0, 4)}****${value.substring(value.length - 4)}`;\n}\n\nexport function sanitizeData(data: unknown): unknown {\n if (typeof data === 'string') {\n if (isAlreadySanitized(data)) {\n return data;\n }\n\n let sanitized = data;\n for (const pattern of SENSITIVE_PATTERNS) {\n sanitized = sanitized.replace(pattern, (match, captured) => {\n if (typeof captured === 'string') {\n const redacted = redactValue(captured);\n return match.replace(captured, redacted);\n }\n return match;\n });\n }\n\n return sanitized;\n }\n\n if (Array.isArray(data)) {\n return data.map(sanitizeData);\n }\n\n if (data && typeof data === 'object') {\n const sanitized: Record<string, unknown> = {};\n\n for (const [key, value] of Object.entries(data)) {\n const lowerKey = key.toLowerCase();\n\n if (SENSITIVE_FIELDS.has(lowerKey) || SENSITIVE_FIELDS.has(key)) {\n if (typeof value === 'string') {\n sanitized[key] = redactValue(value);\n } else {\n sanitized[key] = '[REDACTED]';\n }\n } else {\n sanitized[key] = sanitizeData(value);\n }\n }\n\n return sanitized;\n }\n\n return data;\n}\n\n/**\n * Prevent log injection attacks by escaping control characters\n * SECURITY: Critical for preventing CRLF injection (OWASP A03)\n */\nexport function sanitizeLogMessage(message: string, maxLength = 50000): string {\n if (typeof message !== 'string') {\n return String(message);\n }\n\n // Truncation protection - prevent log poisoning via huge payloads\n let processedMessage = message;\n if (processedMessage.length > maxLength) {\n processedMessage = `${processedMessage.substring(0, maxLength)} [TRUNCATED]`;\n }\n\n return (\n processedMessage\n .normalize('NFKC')\n .replace(/\\r\\n|\\r|\\n/g, ' ')\n .replace(/\\t/g, ' ')\n // biome-ignore lint/suspicious/noControlCharactersInRegex: Security sanitization requires control character removal\n .replace(/[\\x00-\\x1F\\x7F-\\x9F]/g, '')\n .replace(/[\\u200B-\\u200D\\uFEFF]/g, '') // Zero-width chars used for obfuscation\n .trim()\n );\n}\n\n/**\n * Sanitize log message and metadata for safe logging\n * Applies both CRLF protection and sensitive data redaction\n *\n * @param message - The log message to sanitize\n * @param meta - Optional metadata object to sanitize\n * @param enableDataSanitization - Whether to apply sensitive data redaction (default: true)\n * @returns Sanitized message and metadata ready for logging\n */\nexport function sanitizeForLogging(message: string, meta?: Record<string, unknown>, enableDataSanitization = true): { message: string; meta: Record<string, unknown> } {\n const cleanMessage = sanitizeLogMessage(message);\n\n if (!enableDataSanitization) {\n return {\n message: cleanMessage,\n meta: meta || {},\n };\n }\n\n return {\n message: sanitizeData(cleanMessage) as string,\n meta: sanitizeData(meta || {}) as Record<string, unknown>,\n };\n}\n\nexport function sanitizeForLoggingFormatter() {\n return {\n log: (obj) => {\n const message = (obj.msg || obj.message || '') as string;\n const { message: clean, meta } = sanitizeForLogging(message, obj as Record<string, unknown>);\n return { ...meta, msg: clean };\n },\n };\n}\n"],"names":["SENSITIVE_PATTERNS","SENSITIVE_FIELDS","Set","isAlreadySanitized","value","includes","redactValue","length","repeat","substring","sanitizeData","data","sanitized","pattern","replace","match","captured","redacted","Array","isArray","map","key","Object","entries","lowerKey","toLowerCase","has","sanitizeLogMessage","message","maxLength","String","processedMessage","normalize","trim","sanitizeForLogging","meta","enableDataSanitization","cleanMessage","sanitizeForLoggingFormatter","log","obj","msg","clean"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GAED,wEAAwE,GACxE,MAAMA,qBAAqB;IACzB,mCAAmC;IACnC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,uCAAuC;IACvC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,4BAA4B;IAC5B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,wBAAwB;IACxB;IACA;IACA;IACA;IACA;IAEA,0BAA0B;IAC1B;IACA;IACA;IAEA,2BAA2B;IAC3B;IACA;IACA;IACA;IAEA,mEAAmE;IACnE;IACA;IACA;IAEA,yBAAyB;IACzB;CACD;AAED,kEAAkE,GAClE,MAAMC,mBAAmB,IAAIC,IAAI;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;CACD;AAED,SAASC,mBAAmBC,KAAa;IACvC,OAAOA,MAAMC,QAAQ,CAAC,WAAWD,MAAMC,QAAQ,CAAC,iBAAiBD,UAAU;AAC7E;AAEA,SAASE,YAAYF,KAAa;IAChC,IAAID,mBAAmBC,QAAQ;QAC7B,OAAOA;IACT;IAEA,IAAIA,MAAMG,MAAM,IAAI,GAAG;QACrB,OAAO,IAAIC,MAAM,CAACJ,MAAMG,MAAM;IAChC;IAEA,qCAAqC;IACrC,OAAO,GAAGH,MAAMK,SAAS,CAAC,GAAG,GAAG,IAAI,EAAEL,MAAMK,SAAS,CAACL,MAAMG,MAAM,GAAG,IAAI;AAC3E;AAEA,OAAO,SAASG,aAAaC,IAAa;IACxC,IAAI,OAAOA,SAAS,UAAU;QAC5B,IAAIR,mBAAmBQ,OAAO;YAC5B,OAAOA;QACT;QAEA,IAAIC,YAAYD;QAChB,KAAK,MAAME,WAAWb,mBAAoB;YACxCY,YAAYA,UAAUE,OAAO,CAACD,SAAS,CAACE,OAAOC;gBAC7C,IAAI,OAAOA,aAAa,UAAU;oBAChC,MAAMC,WAAWX,YAAYU;oBAC7B,OAAOD,MAAMD,OAAO,CAACE,UAAUC;gBACjC;gBACA,OAAOF;YACT;QACF;QAEA,OAAOH;IACT;IAEA,IAAIM,MAAMC,OAAO,CAACR,OAAO;QACvB,OAAOA,KAAKS,GAAG,CAACV;IAClB;IAEA,IAAIC,QAAQ,OAAOA,SAAS,UAAU;QACpC,MAAMC,YAAqC,CAAC;QAE5C,KAAK,MAAM,CAACS,KAAKjB,MAAM,IAAIkB,OAAOC,OAAO,CAACZ,MAAO;YAC/C,MAAMa,WAAWH,IAAII,WAAW;YAEhC,IAAIxB,iBAAiByB,GAAG,CAACF,aAAavB,iBAAiByB,GAAG,CAACL,MAAM;gBAC/D,IAAI,OAAOjB,UAAU,UAAU;oBAC7BQ,SAAS,CAACS,IAAI,GAAGf,YAAYF;gBAC/B,OAAO;oBACLQ,SAAS,CAACS,IAAI,GAAG;gBACnB;YACF,OAAO;gBACLT,SAAS,CAACS,IAAI,GAAGX,aAAaN;YAChC;QACF;QAEA,OAAOQ;IACT;IAEA,OAAOD;AACT;AAEA;;;CAGC,GACD,OAAO,SAASgB,mBAAmBC,OAAe,EAAEC,YAAY,KAAK;IACnE,IAAI,OAAOD,YAAY,UAAU;QAC/B,OAAOE,OAAOF;IAChB;IAEA,kEAAkE;IAClE,IAAIG,mBAAmBH;IACvB,IAAIG,iBAAiBxB,MAAM,GAAGsB,WAAW;QACvCE,mBAAmB,GAAGA,iBAAiBtB,SAAS,CAAC,GAAGoB,WAAW,YAAY,CAAC;IAC9E;IAEA,OACEE,iBACGC,SAAS,CAAC,QACVlB,OAAO,CAAC,eAAe,KACvBA,OAAO,CAAC,OAAO,IAChB,oHAAoH;KACnHA,OAAO,CAAC,yBAAyB,IACjCA,OAAO,CAAC,0BAA0B,IAAI,wCAAwC;KAC9EmB,IAAI;AAEX;AAEA;;;;;;;;CAQC,GACD,OAAO,SAASC,mBAAmBN,OAAe,EAAEO,IAA8B,EAAEC,yBAAyB,IAAI;IAC/G,MAAMC,eAAeV,mBAAmBC;IAExC,IAAI,CAACQ,wBAAwB;QAC3B,OAAO;YACLR,SAASS;YACTF,MAAMA,QAAQ,CAAC;QACjB;IACF;IAEA,OAAO;QACLP,SAASlB,aAAa2B;QACtBF,MAAMzB,aAAayB,QAAQ,CAAC;IAC9B;AACF;AAEA,OAAO,SAASG;IACd,OAAO;QACLC,KAAK,CAACC;YACJ,MAAMZ,UAAWY,IAAIC,GAAG,IAAID,IAAIZ,OAAO,IAAI;YAC3C,MAAM,EAAEA,SAASc,KAAK,EAAEP,IAAI,EAAE,GAAGD,mBAAmBN,SAASY;YAC7D,OAAO;gBAAE,GAAGL,IAAI;gBAAEM,KAAKC;YAAM;QAC/B;IACF;AACF"}

package/dist/esm/schemas/index.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * OAuth-specific schemas and response builders
+ *
+ * Provider-agnostic schemas and utilities for building OAuth auth_required responses.
+ * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.
+ */
+import { z } from 'zod';
+export type { z };
+/**
+ * Authentication required response type
+ */
+export interface AuthRequired {
+    type: 'auth_required';
+    provider: string;
+    message: string;
+    url: string;
+    flow?: string;
+    instructions: string;
+    user_code?: string;
+    expires_in?: number;
+    accountId?: string;
+}
+/**
+ * Zod schema for auth_required responses
+ */
+export declare const AuthRequiredSchema: z.ZodObject<{
+    type: z.ZodLiteral<"auth_required">;
+    provider: z.ZodString;
+    message: z.ZodString;
+    url: z.ZodString;
+    flow: z.ZodOptional<z.ZodString>;
+    instructions: z.ZodString;
+    user_code: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    accountId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;

package/dist/esm/schemas/index.js ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * OAuth-specific schemas and response builders
+ *
+ * Provider-agnostic schemas and utilities for building OAuth auth_required responses.
+ * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.
+ */ import { z } from 'zod';
+/**
+ * Zod schema for auth_required responses
+ */ export const AuthRequiredSchema = z.object({
+    type: z.literal('auth_required'),
+    provider: z.string().describe('OAuth provider name (e.g., "google", "microsoft")'),
+    message: z.string().describe('Human-readable message explaining why auth is needed'),
+    url: z.string().url().describe('Authentication URL to open in browser'),
+    flow: z.string().optional().describe('Authentication flow type (e.g., "auth_url", "device_code")'),
+    instructions: z.string().describe('Clear instructions for the user'),
+    user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),
+    expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),
+    accountId: z.string().optional().describe('Account identifier (email) that requires authentication')
+}).describe('Authentication required with clear actionable instructions for user');

package/dist/esm/schemas/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/schemas/index.ts"],"sourcesContent":["/**\n * OAuth-specific schemas and response builders\n *\n * Provider-agnostic schemas and utilities for building OAuth auth_required responses.\n * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.\n */\n\nimport { z } from 'zod';\n\n// Re-export z for use in middleware (MCP requires zod)\nexport type { z };\n\n/**\n * Authentication required response type\n */\nexport interface AuthRequired {\n type: 'auth_required';\n provider: string;\n message: string;\n url: string;\n flow?: string;\n instructions: string;\n user_code?: string;\n expires_in?: number;\n accountId?: string;\n}\n\n/**\n * Zod schema for auth_required responses\n */\nexport const AuthRequiredSchema = z\n .object({\n type: z.literal('auth_required'),\n provider: z.string().describe('OAuth provider name (e.g., \"google\", \"microsoft\")'),\n message: z.string().describe('Human-readable message explaining why auth is needed'),\n url: z.string().url().describe('Authentication URL to open in browser'),\n flow: z.string().optional().describe('Authentication flow type (e.g., \"auth_url\", \"device_code\")'),\n instructions: z.string().describe('Clear instructions for the user'),\n user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),\n expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),\n accountId: z.string().optional().describe('Account identifier (email) that requires authentication'),\n })\n .describe('Authentication required with clear actionable instructions for user');\n"],"names":["z","AuthRequiredSchema","object","type","literal","provider","string","describe","message","url","flow","optional","instructions","user_code","expires_in","number","accountId"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,CAAC,QAAQ,MAAM;AAoBxB;;CAEC,GACD,OAAO,MAAMC,qBAAqBD,EAC/BE,MAAM,CAAC;IACNC,MAAMH,EAAEI,OAAO,CAAC;IAChBC,UAAUL,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAC9BC,SAASR,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAC7BE,KAAKT,EAAEM,MAAM,GAAGG,GAAG,GAAGF,QAAQ,CAAC;IAC/BG,MAAMV,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IACrCK,cAAcZ,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAClCM,WAAWb,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IAC1CO,YAAYd,EAAEe,MAAM,GAAGJ,QAAQ,GAAGJ,QAAQ,CAAC;IAC3CS,WAAWhB,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;AAC5C,GACCA,QAAQ,CAAC,uEAAuE"}

package/dist/esm/session-auth.d.ts ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Session-based user authentication for multi-tenant deployments
+ *
+ * Extracts user ID from HTTP session cookies with HMAC signature verification.
+ * Compatible with Express/Connect session middleware patterns.
+ */
+import type { SessionUserAuthConfig, UserAuthProvider } from './types.js';
+/**
+ * Session-based user authentication provider
+ *
+ * Verifies signed session cookies and extracts user IDs.
+ * Use for multi-tenant deployments where users authenticate via web sessions.
+ *
+ * @example
+ * ```typescript
+ * // Multi-tenant server setup with session-based user authentication
+ * const userAuth = new SessionUserAuth({
+ *   sessionSecret: process.env.SESSION_SECRET!,
+ *   cookieName: 'app_session',
+ * });
+ *
+ * // Create OAuth adapters with session-based user identification
+ * const oauthAdapters = await createOAuthAdapters(
+ *   config.transport,
+ *   {
+ *     service: 'gmail',
+ *     clientId: process.env.GOOGLE_CLIENT_ID!,
+ *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ *     scope: GOOGLE_SCOPE,
+ *     auth: 'loopback-oauth',
+ *     headless: false,
+ *     redirectUri: undefined,
+ *   },
+ *   {
+ *     logger,
+ *     tokenStore,
+ *     userAuth, // Session-based user identification for multi-tenant deployments
+ *   }
+ * );
+ *
+ * // Use auth middleware with tools
+ * const { middleware: authMiddleware } = oauthAdapters;
+ * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+ * ```
+ */
+export declare class SessionUserAuth implements UserAuthProvider {
+    private readonly secret;
+    private readonly cookieName;
+    private readonly algorithm;
+    constructor(config: SessionUserAuthConfig);
+    /**
+     * Extract and verify user ID from session cookie
+     *
+     * @param req - HTTP request object with cookie header
+     * @returns User ID from verified session
+     * @throws Error if session missing, invalid, or expired
+     */
+    getUserId(req: unknown): Promise<string>;
+    /**
+     * Parse cookie from header string
+     */
+    private parseCookie;
+    /**
+     * Generate HMAC signature for session data
+     */
+    private sign;
+    /**
+     * Constant-time string comparison to prevent timing attacks
+     */
+    private constantTimeCompare;
+    /**
+     * Helper for creating session cookies (for testing/integration)
+     *
+     * @param userId - User ID to encode in session
+     * @param expiresInMs - Optional expiration time in milliseconds from now
+     * @returns Signed session cookie value
+     */
+    createSessionCookie(userId: string, expiresInMs?: number): string;
+}

package/dist/esm/session-auth.js ADDED Viewed

@@ -0,0 +1,141 @@
+/**
+ * Session-based user authentication for multi-tenant deployments
+ *
+ * Extracts user ID from HTTP session cookies with HMAC signature verification.
+ * Compatible with Express/Connect session middleware patterns.
+ */ import { createHmac, timingSafeEqual } from 'crypto';
+/**
+ * Session-based user authentication provider
+ *
+ * Verifies signed session cookies and extracts user IDs.
+ * Use for multi-tenant deployments where users authenticate via web sessions.
+ *
+ * @example
+ * ```typescript
+ * // Multi-tenant server setup with session-based user authentication
+ * const userAuth = new SessionUserAuth({
+ *   sessionSecret: process.env.SESSION_SECRET!,
+ *   cookieName: 'app_session',
+ * });
+ *
+ * // Create OAuth adapters with session-based user identification
+ * const oauthAdapters = await createOAuthAdapters(
+ *   config.transport,
+ *   {
+ *     service: 'gmail',
+ *     clientId: process.env.GOOGLE_CLIENT_ID!,
+ *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ *     scope: GOOGLE_SCOPE,
+ *     auth: 'loopback-oauth',
+ *     headless: false,
+ *     redirectUri: undefined,
+ *   },
+ *   {
+ *     logger,
+ *     tokenStore,
+ *     userAuth, // Session-based user identification for multi-tenant deployments
+ *   }
+ * );
+ *
+ * // Use auth middleware with tools
+ * const { middleware: authMiddleware } = oauthAdapters;
+ * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+ * ```
+ */ export class SessionUserAuth {
+    /**
+   * Extract and verify user ID from session cookie
+   *
+   * @param req - HTTP request object with cookie header
+   * @returns User ID from verified session
+   * @throws Error if session missing, invalid, or expired
+   */ async getUserId(req) {
+        var _httpReq_headers;
+        const httpReq = req;
+        const cookieHeader = (_httpReq_headers = httpReq.headers) === null || _httpReq_headers === void 0 ? void 0 : _httpReq_headers.cookie;
+        if (!cookieHeader) {
+            throw new Error('SessionUserAuth: No cookie header found');
+        }
+        const sessionCookie = this.parseCookie(cookieHeader, this.cookieName);
+        if (!sessionCookie) {
+            throw new Error(`SessionUserAuth: Session cookie '${this.cookieName}' not found`);
+        }
+        // Format: base64(data).signature
+        const parts = sessionCookie.split('.');
+        if (parts.length !== 2) {
+            throw new Error('SessionUserAuth: Invalid session format (expected data.signature)');
+        }
+        const [dataB64, signature] = parts;
+        const expectedSignature = this.sign(dataB64);
+        if (!this.constantTimeCompare(signature, expectedSignature)) {
+            throw new Error('SessionUserAuth: Invalid session signature');
+        }
+        let sessionData;
+        try {
+            const dataJson = Buffer.from(dataB64, 'base64').toString('utf8');
+            sessionData = JSON.parse(dataJson);
+        } catch  {
+            throw new Error('SessionUserAuth: Invalid session data encoding');
+        }
+        if (sessionData.exp !== undefined && Date.now() > sessionData.exp) {
+            throw new Error('SessionUserAuth: Session expired');
+        }
+        if (!sessionData.userId || typeof sessionData.userId !== 'string') {
+            throw new Error('SessionUserAuth: Session missing userId field');
+        }
+        return sessionData.userId;
+    }
+    /**
+   * Parse cookie from header string
+   */ parseCookie(cookieHeader, name) {
+        const cookies = cookieHeader.split(';');
+        for (const cookie of cookies){
+            const [key, ...valueParts] = cookie.trim().split('=');
+            if (key === name) {
+                return valueParts.join('='); // Handle values with = in them
+            }
+        }
+        return null;
+    }
+    /**
+   * Generate HMAC signature for session data
+   */ sign(data) {
+        return createHmac(this.algorithm, this.secret).update(data).digest('hex');
+    }
+    /**
+   * Constant-time string comparison to prevent timing attacks
+   */ constantTimeCompare(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+        const bufA = Buffer.from(a);
+        const bufB = Buffer.from(b);
+        return timingSafeEqual(bufA, bufB);
+    }
+    /**
+   * Helper for creating session cookies (for testing/integration)
+   *
+   * @param userId - User ID to encode in session
+   * @param expiresInMs - Optional expiration time in milliseconds from now
+   * @returns Signed session cookie value
+   */ createSessionCookie(userId, expiresInMs) {
+        const sessionData = {
+            userId,
+            ...expiresInMs !== undefined && {
+                exp: Date.now() + expiresInMs
+            }
+        };
+        const dataJson = JSON.stringify(sessionData);
+        const dataB64 = Buffer.from(dataJson).toString('base64');
+        const signature = this.sign(dataB64);
+        return `${dataB64}.${signature}`;
+    }
+    constructor(config){
+        var _config_cookieName, _config_algorithm;
+        if (!config.sessionSecret || config.sessionSecret.length < 32) {
+            throw new Error('SessionUserAuth: sessionSecret must be at least 32 characters');
+        }
+        this.secret = config.sessionSecret;
+        this.cookieName = (_config_cookieName = config.cookieName) !== null && _config_cookieName !== void 0 ? _config_cookieName : 'session';
+        this.algorithm = (_config_algorithm = config.algorithm) !== null && _config_algorithm !== void 0 ? _config_algorithm : 'sha256';
+    }
+}

package/dist/esm/session-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/session-auth.ts"],"sourcesContent":["/**\n * Session-based user authentication for multi-tenant deployments\n *\n * Extracts user ID from HTTP session cookies with HMAC signature verification.\n * Compatible with Express/Connect session middleware patterns.\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\nimport type { SessionUserAuthConfig, UserAuthProvider } from './types.ts';\n\n/**\n * HTTP request interface (subset needed for session auth)\n */\ninterface HttpRequest {\n headers?: {\n cookie?: string;\n };\n}\n\n/**\n * Session cookie structure\n */\ninterface SessionData {\n userId: string;\n exp?: number; // Optional expiration timestamp (ms)\n}\n\n/**\n * Session-based user authentication provider\n *\n * Verifies signed session cookies and extracts user IDs.\n * Use for multi-tenant deployments where users authenticate via web sessions.\n *\n * @example\n * ```typescript\n * // Multi-tenant server setup with session-based user authentication\n * const userAuth = new SessionUserAuth({\n * sessionSecret: process.env.SESSION_SECRET!,\n * cookieName: 'app_session',\n * });\n *\n * // Create OAuth adapters with session-based user identification\n * const oauthAdapters = await createOAuthAdapters(\n * config.transport,\n * {\n * service: 'gmail',\n * clientId: process.env.GOOGLE_CLIENT_ID!,\n * clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n * scope: GOOGLE_SCOPE,\n * auth: 'loopback-oauth',\n * headless: false,\n * redirectUri: undefined,\n * },\n * {\n * logger,\n * tokenStore,\n * userAuth, // Session-based user identification for multi-tenant deployments\n * }\n * );\n *\n * // Use auth middleware with tools\n * const { middleware: authMiddleware } = oauthAdapters;\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * ```\n */\nexport class SessionUserAuth implements UserAuthProvider {\n private readonly secret: string;\n private readonly cookieName: string;\n private readonly algorithm: 'sha256' | 'sha512';\n\n constructor(config: SessionUserAuthConfig) {\n if (!config.sessionSecret || config.sessionSecret.length < 32) {\n throw new Error('SessionUserAuth: sessionSecret must be at least 32 characters');\n }\n\n this.secret = config.sessionSecret;\n this.cookieName = config.cookieName ?? 'session';\n this.algorithm = config.algorithm ?? 'sha256';\n }\n\n /**\n * Extract and verify user ID from session cookie\n *\n * @param req - HTTP request object with cookie header\n * @returns User ID from verified session\n * @throws Error if session missing, invalid, or expired\n */\n async getUserId(req: unknown): Promise<string> {\n const httpReq = req as HttpRequest;\n\n const cookieHeader = httpReq.headers?.cookie;\n if (!cookieHeader) {\n throw new Error('SessionUserAuth: No cookie header found');\n }\n\n const sessionCookie = this.parseCookie(cookieHeader, this.cookieName);\n if (!sessionCookie) {\n throw new Error(`SessionUserAuth: Session cookie '${this.cookieName}' not found`);\n }\n\n // Format: base64(data).signature\n const parts = sessionCookie.split('.');\n if (parts.length !== 2) {\n throw new Error('SessionUserAuth: Invalid session format (expected data.signature)');\n }\n\n const [dataB64, signature] = parts as [string, string];\n\n const expectedSignature = this.sign(dataB64);\n if (!this.constantTimeCompare(signature, expectedSignature)) {\n throw new Error('SessionUserAuth: Invalid session signature');\n }\n\n let sessionData: SessionData;\n try {\n const dataJson = Buffer.from(dataB64, 'base64').toString('utf8');\n sessionData = JSON.parse(dataJson) as SessionData;\n } catch {\n throw new Error('SessionUserAuth: Invalid session data encoding');\n }\n\n if (sessionData.exp !== undefined && Date.now() > sessionData.exp) {\n throw new Error('SessionUserAuth: Session expired');\n }\n\n if (!sessionData.userId || typeof sessionData.userId !== 'string') {\n throw new Error('SessionUserAuth: Session missing userId field');\n }\n\n return sessionData.userId;\n }\n\n /**\n * Parse cookie from header string\n */\n private parseCookie(cookieHeader: string, name: string): string | null {\n const cookies = cookieHeader.split(';');\n for (const cookie of cookies) {\n const [key, ...valueParts] = cookie.trim().split('=');\n if (key === name) {\n return valueParts.join('='); // Handle values with = in them\n }\n }\n return null;\n }\n\n /**\n * Generate HMAC signature for session data\n */\n private sign(data: string): string {\n return createHmac(this.algorithm, this.secret).update(data).digest('hex');\n }\n\n /**\n * Constant-time string comparison to prevent timing attacks\n */\n private constantTimeCompare(a: string, b: string): boolean {\n if (a.length !== b.length) {\n return false;\n }\n\n const bufA = Buffer.from(a);\n const bufB = Buffer.from(b);\n\n return timingSafeEqual(bufA, bufB);\n }\n\n /**\n * Helper for creating session cookies (for testing/integration)\n *\n * @param userId - User ID to encode in session\n * @param expiresInMs - Optional expiration time in milliseconds from now\n * @returns Signed session cookie value\n */\n createSessionCookie(userId: string, expiresInMs?: number): string {\n const sessionData: SessionData = {\n userId,\n ...(expiresInMs !== undefined && { exp: Date.now() + expiresInMs }),\n };\n\n const dataJson = JSON.stringify(sessionData);\n const dataB64 = Buffer.from(dataJson).toString('base64');\n const signature = this.sign(dataB64);\n\n return `${dataB64}.${signature}`;\n }\n}\n"],"names":["createHmac","timingSafeEqual","SessionUserAuth","getUserId","req","httpReq","cookieHeader","headers","cookie","Error","sessionCookie","parseCookie","cookieName","parts","split","length","dataB64","signature","expectedSignature","sign","constantTimeCompare","sessionData","dataJson","Buffer","from","toString","JSON","parse","exp","undefined","Date","now","userId","name","cookies","key","valueParts","trim","join","data","algorithm","secret","update","digest","a","b","bufA","bufB","createSessionCookie","expiresInMs","stringify","config","sessionSecret"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,UAAU,EAAEC,eAAe,QAAQ,SAAS;AAoBrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCC,GACD,OAAO,MAAMC;IAeX;;;;;;GAMC,GACD,MAAMC,UAAUC,GAAY,EAAmB;YAGxBC;QAFrB,MAAMA,UAAUD;QAEhB,MAAME,gBAAeD,mBAAAA,QAAQE,OAAO,cAAfF,uCAAAA,iBAAiBG,MAAM;QAC5C,IAAI,CAACF,cAAc;YACjB,MAAM,IAAIG,MAAM;QAClB;QAEA,MAAMC,gBAAgB,IAAI,CAACC,WAAW,CAACL,cAAc,IAAI,CAACM,UAAU;QACpE,IAAI,CAACF,eAAe;YAClB,MAAM,IAAID,MAAM,CAAC,iCAAiC,EAAE,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC;QAClF;QAEA,iCAAiC;QACjC,MAAMC,QAAQH,cAAcI,KAAK,CAAC;QAClC,IAAID,MAAME,MAAM,KAAK,GAAG;YACtB,MAAM,IAAIN,MAAM;QAClB;QAEA,MAAM,CAACO,SAASC,UAAU,GAAGJ;QAE7B,MAAMK,oBAAoB,IAAI,CAACC,IAAI,CAACH;QACpC,IAAI,CAAC,IAAI,CAACI,mBAAmB,CAACH,WAAWC,oBAAoB;YAC3D,MAAM,IAAIT,MAAM;QAClB;QAEA,IAAIY;QACJ,IAAI;YACF,MAAMC,WAAWC,OAAOC,IAAI,CAACR,SAAS,UAAUS,QAAQ,CAAC;YACzDJ,cAAcK,KAAKC,KAAK,CAACL;QAC3B,EAAE,OAAM;YACN,MAAM,IAAIb,MAAM;QAClB;QAEA,IAAIY,YAAYO,GAAG,KAAKC,aAAaC,KAAKC,GAAG,KAAKV,YAAYO,GAAG,EAAE;YACjE,MAAM,IAAInB,MAAM;QAClB;QAEA,IAAI,CAACY,YAAYW,MAAM,IAAI,OAAOX,YAAYW,MAAM,KAAK,UAAU;YACjE,MAAM,IAAIvB,MAAM;QAClB;QAEA,OAAOY,YAAYW,MAAM;IAC3B;IAEA;;GAEC,GACD,AAAQrB,YAAYL,YAAoB,EAAE2B,IAAY,EAAiB;QACrE,MAAMC,UAAU5B,aAAaQ,KAAK,CAAC;QACnC,KAAK,MAAMN,UAAU0B,QAAS;YAC5B,MAAM,CAACC,KAAK,GAAGC,WAAW,GAAG5B,OAAO6B,IAAI,GAAGvB,KAAK,CAAC;YACjD,IAAIqB,QAAQF,MAAM;gBAChB,OAAOG,WAAWE,IAAI,CAAC,MAAM,+BAA+B;YAC9D;QACF;QACA,OAAO;IACT;IAEA;;GAEC,GACD,AAAQnB,KAAKoB,IAAY,EAAU;QACjC,OAAOvC,WAAW,IAAI,CAACwC,SAAS,EAAE,IAAI,CAACC,MAAM,EAAEC,MAAM,CAACH,MAAMI,MAAM,CAAC;IACrE;IAEA;;GAEC,GACD,AAAQvB,oBAAoBwB,CAAS,EAAEC,CAAS,EAAW;QACzD,IAAID,EAAE7B,MAAM,KAAK8B,EAAE9B,MAAM,EAAE;YACzB,OAAO;QACT;QAEA,MAAM+B,OAAOvB,OAAOC,IAAI,CAACoB;QACzB,MAAMG,OAAOxB,OAAOC,IAAI,CAACqB;QAEzB,OAAO5C,gBAAgB6C,MAAMC;IAC/B;IAEA;;;;;;GAMC,GACDC,oBAAoBhB,MAAc,EAAEiB,WAAoB,EAAU;QAChE,MAAM5B,cAA2B;YAC/BW;YACA,GAAIiB,gBAAgBpB,aAAa;gBAAED,KAAKE,KAAKC,GAAG,KAAKkB;YAAY,CAAC;QACpE;QAEA,MAAM3B,WAAWI,KAAKwB,SAAS,CAAC7B;QAChC,MAAML,UAAUO,OAAOC,IAAI,CAACF,UAAUG,QAAQ,CAAC;QAC/C,MAAMR,YAAY,IAAI,CAACE,IAAI,CAACH;QAE5B,OAAO,GAAGA,QAAQ,CAAC,EAAEC,WAAW;IAClC;IAnHA,YAAYkC,MAA6B,CAAE;YAMvBA,oBACDA;QANjB,IAAI,CAACA,OAAOC,aAAa,IAAID,OAAOC,aAAa,CAACrC,MAAM,GAAG,IAAI;YAC7D,MAAM,IAAIN,MAAM;QAClB;QAEA,IAAI,CAACgC,MAAM,GAAGU,OAAOC,aAAa;QAClC,IAAI,CAACxC,UAAU,IAAGuC,qBAAAA,OAAOvC,UAAU,cAAjBuC,gCAAAA,qBAAqB;QACvC,IAAI,CAACX,SAAS,IAAGW,oBAAAA,OAAOX,SAAS,cAAhBW,+BAAAA,oBAAoB;IACvC;AA4GF"}

package/dist/esm/templates.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * HTML templates for OAuth callback pages
+ *
+ * These templates are shown in the browser after OAuth authorization
+ * for loopback OAuth flows (RFC 8252).
+ */
+/**
+ * HTML template for successful OAuth authorization
+ */
+export declare function getSuccessTemplate(): string;
+/**
+ * HTML template for OAuth error
+ */
+export declare function getErrorTemplate(error: string): string;
+/**
+ * Escape HTML special characters to prevent XSS
+ */
+export declare function escapeHtml(unsafe: string): string;