@modelcontextprotocol/sdk 1.5.0 → 1.6.0

package/dist/cjs/server/auth/handlers/revoke.d.ts

@@ -0,0 +1,13 @@
+import { OAuthServerProvider } from "../provider.js";
+import { RequestHandler } from "express";
+import { Options as RateLimitOptions } from "express-rate-limit";
+export type RevocationHandlerOptions = {
+    provider: OAuthServerProvider;
+    /**
+     * Rate limiting configuration for the token revocation endpoint.
+     * Set to false to disable rate limiting for this endpoint.
+     */
+    rateLimit?: Partial<RateLimitOptions> | false;
+};
+export declare function revocationHandler({ provider, rateLimit: rateLimitConfig }: RevocationHandlerOptions): RequestHandler;
+//# sourceMappingURL=revoke.d.ts.map

package/dist/cjs/server/auth/handlers/revoke.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAIlD,OAAO,EAAa,OAAO,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAS5E,MAAM,MAAM,wBAAwB,GAAG;IACrC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC;CAC/C,CAAC;AAEF,wBAAgB,iBAAiB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,wBAAwB,GAAG,cAAc,CA4DpH"}

package/dist/cjs/server/auth/handlers/revoke.js

@@ -0,0 +1,67 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revocationHandler = revocationHandler;
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const clientAuth_js_1 = require("../middleware/clientAuth.js");
+const auth_js_1 = require("../../../shared/auth.js");
+const express_rate_limit_1 = require("express-rate-limit");
+const allowedMethods_js_1 = require("../middleware/allowedMethods.js");
+const errors_js_1 = require("../errors.js");
+function revocationHandler({ provider, rateLimit: rateLimitConfig }) {
+    if (!provider.revokeToken) {
+        throw new Error("Auth provider does not support revoking tokens");
+    }
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express_1.default.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use((0, cors_1.default)());
+    router.use((0, allowedMethods_js_1.allowedMethods)(["POST"]));
+    router.use(express_1.default.urlencoded({ extended: false }));
+    // Apply rate limiting unless explicitly disabled
+    if (rateLimitConfig !== false) {
+        router.use((0, express_rate_limit_1.rateLimit)({
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            max: 50, // 50 requests per windowMs
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new errors_js_1.TooManyRequestsError('You have exceeded the rate limit for token revocation requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    // Authenticate and extract client details
+    router.use((0, clientAuth_js_1.authenticateClient)({ clientsStore: provider.clientsStore }));
+    router.post("/", async (req, res) => {
+        res.setHeader('Cache-Control', 'no-store');
+        try {
+            const parseResult = auth_js_1.OAuthTokenRevocationRequestSchema.safeParse(req.body);
+            if (!parseResult.success) {
+                throw new errors_js_1.InvalidRequestError(parseResult.error.message);
+            }
+            const client = req.client;
+            if (!client) {
+                // This should never happen
+                console.error("Missing client information after authentication");
+                throw new errors_js_1.ServerError("Internal Server Error");
+            }
+            await provider.revokeToken(client, parseResult.data);
+            res.status(200).json({});
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.OAuthError) {
+                const status = error instanceof errors_js_1.ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error revoking token:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=revoke.js.map

package/dist/cjs/server/auth/handlers/revoke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/revoke.ts"],"names":[],"mappings":";;;;;AAuBA,8CA4DC;AAlFD,sDAAkD;AAClD,gDAAwB;AACxB,+DAAiE;AACjE,qDAA4E;AAC5E,2DAA4E;AAC5E,uEAAiE;AACjE,4CAKsB;AAWtB,SAAgB,iBAAiB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAA4B;IAClG,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAA,cAAI,GAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAc,EAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,iBAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAEpD,iDAAiD;IACjD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,IAAA,8BAAS,EAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,GAAG,EAAE,EAAE,EAAE,2BAA2B;YACpC,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,gCAAoB,CAAC,gEAAgE,CAAC,CAAC,gBAAgB,EAAE;YACtH,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,0CAA0C;IAC1C,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAkB,EAAC,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAExE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,2CAAiC,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC1E,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;YAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,2BAA2B;gBAC3B,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACjE,MAAM,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,QAAQ,CAAC,WAAY,CAAC,MAAM,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC;YACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,uBAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;gBACzD,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cjs/server/auth/handlers/token.d.ts

@@ -0,0 +1,13 @@
+import { RequestHandler } from "express";
+import { OAuthServerProvider } from "../provider.js";
+import { Options as RateLimitOptions } from "express-rate-limit";
+export type TokenHandlerOptions = {
+    provider: OAuthServerProvider;
+    /**
+     * Rate limiting configuration for the token endpoint.
+     * Set to false to disable rate limiting for this endpoint.
+     */
+    rateLimit?: Partial<RateLimitOptions> | false;
+};
+export declare function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHandlerOptions): RequestHandler;
+//# sourceMappingURL=token.d.ts.map

package/dist/cjs/server/auth/handlers/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/token.ts"],"names":[],"mappings":"AACA,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAIrD,OAAO,EAAa,OAAO,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAW5E,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC;CAC/C,CAAC;AAgBF,wBAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,mBAAmB,GAAG,cAAc,CAkG1G"}

package/dist/cjs/server/auth/handlers/token.js

@@ -0,0 +1,107 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenHandler = tokenHandler;
+const zod_1 = require("zod");
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const pkce_challenge_1 = require("pkce-challenge");
+const clientAuth_js_1 = require("../middleware/clientAuth.js");
+const express_rate_limit_1 = require("express-rate-limit");
+const allowedMethods_js_1 = require("../middleware/allowedMethods.js");
+const errors_js_1 = require("../errors.js");
+const TokenRequestSchema = zod_1.z.object({
+    grant_type: zod_1.z.string(),
+});
+const AuthorizationCodeGrantSchema = zod_1.z.object({
+    code: zod_1.z.string(),
+    code_verifier: zod_1.z.string(),
+});
+const RefreshTokenGrantSchema = zod_1.z.object({
+    refresh_token: zod_1.z.string(),
+    scope: zod_1.z.string().optional(),
+});
+function tokenHandler({ provider, rateLimit: rateLimitConfig }) {
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express_1.default.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use((0, cors_1.default)());
+    router.use((0, allowedMethods_js_1.allowedMethods)(["POST"]));
+    router.use(express_1.default.urlencoded({ extended: false }));
+    // Apply rate limiting unless explicitly disabled
+    if (rateLimitConfig !== false) {
+        router.use((0, express_rate_limit_1.rateLimit)({
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            max: 50, // 50 requests per windowMs 
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new errors_js_1.TooManyRequestsError('You have exceeded the rate limit for token requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    // Authenticate and extract client details
+    router.use((0, clientAuth_js_1.authenticateClient)({ clientsStore: provider.clientsStore }));
+    router.post("/", async (req, res) => {
+        res.setHeader('Cache-Control', 'no-store');
+        try {
+            const parseResult = TokenRequestSchema.safeParse(req.body);
+            if (!parseResult.success) {
+                throw new errors_js_1.InvalidRequestError(parseResult.error.message);
+            }
+            const { grant_type } = parseResult.data;
+            const client = req.client;
+            if (!client) {
+                // This should never happen
+                console.error("Missing client information after authentication");
+                throw new errors_js_1.ServerError("Internal Server Error");
+            }
+            switch (grant_type) {
+                case "authorization_code": {
+                    const parseResult = AuthorizationCodeGrantSchema.safeParse(req.body);
+                    if (!parseResult.success) {
+                        throw new errors_js_1.InvalidRequestError(parseResult.error.message);
+                    }
+                    const { code, code_verifier } = parseResult.data;
+                    // Verify PKCE challenge
+                    const codeChallenge = await provider.challengeForAuthorizationCode(client, code);
+                    if (!(await (0, pkce_challenge_1.verifyChallenge)(code_verifier, codeChallenge))) {
+                        throw new errors_js_1.InvalidGrantError("code_verifier does not match the challenge");
+                    }
+                    const tokens = await provider.exchangeAuthorizationCode(client, code);
+                    res.status(200).json(tokens);
+                    break;
+                }
+                case "refresh_token": {
+                    const parseResult = RefreshTokenGrantSchema.safeParse(req.body);
+                    if (!parseResult.success) {
+                        throw new errors_js_1.InvalidRequestError(parseResult.error.message);
+                    }
+                    const { refresh_token, scope } = parseResult.data;
+                    const scopes = scope === null || scope === void 0 ? void 0 : scope.split(" ");
+                    const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes);
+                    res.status(200).json(tokens);
+                    break;
+                }
+                // Not supported right now
+                //case "client_credentials":
+                default:
+                    throw new errors_js_1.UnsupportedGrantTypeError("The grant type is not supported by this authorization server.");
+            }
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.OAuthError) {
+                const status = error instanceof errors_js_1.ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error exchanging token:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=token.js.map

package/dist/cjs/server/auth/handlers/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/token.ts"],"names":[],"mappings":";;;;;AAwCA,oCAkGC;AA1ID,6BAAwB;AACxB,sDAAkD;AAElD,gDAAwB;AACxB,mDAAiD;AACjD,+DAAiE;AACjE,2DAA4E;AAC5E,uEAAiE;AACjE,4CAOsB;AAWtB,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;CACvB,CAAC,CAAC;AAEH,MAAM,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE;CAC1B,CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IACvC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE;IACzB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC;AAEH,SAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAuB;IACxF,wEAAwE;IACxE,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAA,cAAI,GAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAc,EAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,iBAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAEpD,iDAAiD;IACjD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,IAAA,8BAAS,EAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,GAAG,EAAE,EAAE,EAAE,4BAA4B;YACrC,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,gCAAoB,CAAC,qDAAqD,CAAC,CAAC,gBAAgB,EAAE;YAC3G,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,0CAA0C;IAC1C,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAkB,EAAC,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAExE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,kBAAkB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,EAAE,UAAU,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;YAExC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;YAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,2BAA2B;gBAC3B,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACjE,MAAM,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;YACjD,CAAC;YAED,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,oBAAoB,CAAC,CAAC,CAAC;oBAC1B,MAAM,WAAW,GAAG,4BAA4B,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBACrE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;wBACzB,MAAM,IAAI,+BAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC3D,CAAC;oBAED,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;oBAEjD,wBAAwB;oBACxB,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,6BAA6B,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;oBACjF,IAAI,CAAC,CAAC,MAAM,IAAA,gCAAe,EAAC,aAAa,EAAE,aAAa,CAAC,CAAC,EAAE,CAAC;wBAC3D,MAAM,IAAI,6BAAiB,CAAC,4CAA4C,CAAC,CAAC;oBAC5E,CAAC;oBAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,yBAAyB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;oBACtE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,KAAK,eAAe,CAAC,CAAC,CAAC;oBACrB,MAAM,WAAW,GAAG,uBAAuB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAChE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;wBACzB,MAAM,IAAI,+BAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC3D,CAAC;oBAED,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;oBAElD,MAAM,MAAM,GAAG,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CAAC,GAAG,CAAC,CAAC;oBACjC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;oBAClF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,0BAA0B;gBAC1B,4BAA4B;gBAE5B;oBACE,MAAM,IAAI,qCAAyB,CACjC,+DAA+D,CAChE,CAAC;YACN,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,uBAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;gBAC3D,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cjs/server/auth/middleware/allowedMethods.d.ts

@@ -0,0 +1,9 @@
+import { RequestHandler } from "express";
+/**
+ * Middleware to handle unsupported HTTP methods with a 405 Method Not Allowed response.
+ *
+ * @param allowedMethods Array of allowed HTTP methods for this endpoint (e.g., ['GET', 'POST'])
+ * @returns Express middleware that returns a 405 error if method not in allowed list
+ */
+export declare function allowedMethods(allowedMethods: string[]): RequestHandler;
+//# sourceMappingURL=allowedMethods.d.ts.map

package/dist/cjs/server/auth/middleware/allowedMethods.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowedMethods.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/allowedMethods.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGzC;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,cAAc,EAAE,MAAM,EAAE,GAAG,cAAc,CAYvE"}

package/dist/cjs/server/auth/middleware/allowedMethods.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allowedMethods = allowedMethods;
+const errors_js_1 = require("../errors.js");
+/**
+ * Middleware to handle unsupported HTTP methods with a 405 Method Not Allowed response.
+ *
+ * @param allowedMethods Array of allowed HTTP methods for this endpoint (e.g., ['GET', 'POST'])
+ * @returns Express middleware that returns a 405 error if method not in allowed list
+ */
+function allowedMethods(allowedMethods) {
+    return (req, res, next) => {
+        if (allowedMethods.includes(req.method)) {
+            next();
+            return;
+        }
+        const error = new errors_js_1.MethodNotAllowedError(`The method ${req.method} is not allowed for this endpoint`);
+        res.status(405)
+            .set('Allow', allowedMethods.join(', '))
+            .json(error.toResponseObject());
+    };
+}
+//# sourceMappingURL=allowedMethods.js.map

package/dist/cjs/server/auth/middleware/allowedMethods.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowedMethods.js","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/allowedMethods.ts"],"names":[],"mappings":";;AASA,wCAYC;AApBD,4CAAqD;AAErD;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,cAAwB;IACrD,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,IAAI,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,iCAAqB,CAAC,cAAc,GAAG,CAAC,MAAM,mCAAmC,CAAC,CAAC;QACrG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;aACZ,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;aACvC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACpC,CAAC,CAAC;AACJ,CAAC"}

package/dist/cjs/server/auth/middleware/bearerAuth.d.ts

@@ -0,0 +1,28 @@
+import { RequestHandler } from "express";
+import { OAuthServerProvider } from "../provider.js";
+import { AuthInfo } from "../types.js";
+export type BearerAuthMiddlewareOptions = {
+    /**
+     * A provider used to verify tokens.
+     */
+    provider: OAuthServerProvider;
+    /**
+     * Optional scopes that the token must have.
+     */
+    requiredScopes?: string[];
+};
+declare module "express-serve-static-core" {
+    interface Request {
+        /**
+         * Information about the validated access token, if the `requireBearerAuth` middleware was used.
+         */
+        auth?: AuthInfo;
+    }
+}
+/**
+ * Middleware that requires a valid Bearer token in the Authorization header.
+ *
+ * This will validate the token with the auth provider and add the resulting auth info to the request object.
+ */
+export declare function requireBearerAuth({ provider, requiredScopes }: BearerAuthMiddlewareOptions): RequestHandler;
+//# sourceMappingURL=bearerAuth.d.ts.map

package/dist/cjs/server/auth/middleware/bearerAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearerAuth.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/bearerAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,MAAM,MAAM,2BAA2B,GAAG;IACxC;;OAEG;IACH,QAAQ,EAAE,mBAAmB,CAAC;IAE9B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B,CAAC;AAEF,OAAO,QAAQ,2BAA2B,CAAC;IACzC,UAAU,OAAO;QACf;;WAEG;QACH,IAAI,CAAC,EAAE,QAAQ,CAAC;KACjB;CACF;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,QAAQ,EAAE,cAAmB,EAAE,EAAE,2BAA2B,GAAG,cAAc,CA8ChH"}

package/dist/cjs/server/auth/middleware/bearerAuth.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireBearerAuth = requireBearerAuth;
+const errors_js_1 = require("../errors.js");
+/**
+ * Middleware that requires a valid Bearer token in the Authorization header.
+ *
+ * This will validate the token with the auth provider and add the resulting auth info to the request object.
+ */
+function requireBearerAuth({ provider, requiredScopes = [] }) {
+    return async (req, res, next) => {
+        try {
+            const authHeader = req.headers.authorization;
+            if (!authHeader) {
+                throw new errors_js_1.InvalidTokenError("Missing Authorization header");
+            }
+            const [type, token] = authHeader.split(' ');
+            if (type.toLowerCase() !== 'bearer' || !token) {
+                throw new errors_js_1.InvalidTokenError("Invalid Authorization header format, expected 'Bearer TOKEN'");
+            }
+            const authInfo = await provider.verifyAccessToken(token);
+            // Check if token has the required scopes (if any)
+            if (requiredScopes.length > 0) {
+                const hasAllScopes = requiredScopes.every(scope => authInfo.scopes.includes(scope));
+                if (!hasAllScopes) {
+                    throw new errors_js_1.InsufficientScopeError("Insufficient scope");
+                }
+            }
+            req.auth = authInfo;
+            next();
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.InvalidTokenError) {
+                res.set("WWW-Authenticate", `Bearer error="${error.errorCode}", error_description="${error.message}"`);
+                res.status(401).json(error.toResponseObject());
+            }
+            else if (error instanceof errors_js_1.InsufficientScopeError) {
+                res.set("WWW-Authenticate", `Bearer error="${error.errorCode}", error_description="${error.message}"`);
+                res.status(403).json(error.toResponseObject());
+            }
+            else if (error instanceof errors_js_1.ServerError) {
+                res.status(500).json(error.toResponseObject());
+            }
+            else if (error instanceof errors_js_1.OAuthError) {
+                res.status(400).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error authenticating bearer token:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    };
+}
+//# sourceMappingURL=bearerAuth.js.map

package/dist/cjs/server/auth/middleware/bearerAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearerAuth.js","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/bearerAuth.ts"],"names":[],"mappings":";;AA+BA,8CA8CC;AA5ED,4CAAkG;AAyBlG;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,EAAE,QAAQ,EAAE,cAAc,GAAG,EAAE,EAA+B;IAC9F,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9C,MAAM,IAAI,6BAAiB,CAAC,8DAA8D,CAAC,CAAC;YAC9F,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAEzD,kDAAkD;YAClD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAChD,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAChC,CAAC;gBAEF,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,MAAM,IAAI,kCAAsB,CAAC,oBAAoB,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAED,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC;YACpB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,6BAAiB,EAAE,CAAC;gBACvC,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,iBAAiB,KAAK,CAAC,SAAS,yBAAyB,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;gBACvG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,YAAY,kCAAsB,EAAE,CAAC;gBACnD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,iBAAiB,KAAK,CAAC,SAAS,yBAAyB,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;gBACvG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,YAAY,uBAAW,EAAE,CAAC;gBACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBACtE,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/cjs/server/auth/middleware/clientAuth.d.ts

@@ -0,0 +1,19 @@
+import { RequestHandler } from "express";
+import { OAuthRegisteredClientsStore } from "../clients.js";
+import { OAuthClientInformationFull } from "../../../shared/auth.js";
+export type ClientAuthenticationMiddlewareOptions = {
+    /**
+     * A store used to read information about registered OAuth clients.
+     */
+    clientsStore: OAuthRegisteredClientsStore;
+};
+declare module "express-serve-static-core" {
+    interface Request {
+        /**
+         * The authenticated client for this request, if the `authenticateClient` middleware was used.
+         */
+        client?: OAuthClientInformationFull;
+    }
+}
+export declare function authenticateClient({ clientsStore }: ClientAuthenticationMiddlewareOptions): RequestHandler;
+//# sourceMappingURL=clientAuth.d.ts.map

package/dist/cjs/server/auth/middleware/clientAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientAuth.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/clientAuth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,2BAA2B,EAAE,MAAM,eAAe,CAAC;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AAGrE,MAAM,MAAM,qCAAqC,GAAG;IAClD;;OAEG;IACH,YAAY,EAAE,2BAA2B,CAAC;CAC3C,CAAA;AAOD,OAAO,QAAQ,2BAA2B,CAAC;IACzC,UAAU,OAAO;QACf;;WAEG;QACH,MAAM,CAAC,EAAE,0BAA0B,CAAC;KACrC;CACF;AAED,wBAAgB,kBAAkB,CAAC,EAAE,YAAY,EAAE,EAAE,qCAAqC,GAAG,cAAc,CA6C1G"}

package/dist/cjs/server/auth/middleware/clientAuth.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authenticateClient = authenticateClient;
+const zod_1 = require("zod");
+const errors_js_1 = require("../errors.js");
+const ClientAuthenticatedRequestSchema = zod_1.z.object({
+    client_id: zod_1.z.string(),
+    client_secret: zod_1.z.string().optional(),
+});
+function authenticateClient({ clientsStore }) {
+    return async (req, res, next) => {
+        try {
+            const result = ClientAuthenticatedRequestSchema.safeParse(req.body);
+            if (!result.success) {
+                throw new errors_js_1.InvalidRequestError(String(result.error));
+            }
+            const { client_id, client_secret } = result.data;
+            const client = await clientsStore.getClient(client_id);
+            if (!client) {
+                throw new errors_js_1.InvalidClientError("Invalid client_id");
+            }
+            // If client has a secret, validate it
+            if (client.client_secret) {
+                // Check if client_secret is required but not provided
+                if (!client_secret) {
+                    throw new errors_js_1.InvalidClientError("Client secret is required");
+                }
+                // Check if client_secret matches
+                if (client.client_secret !== client_secret) {
+                    throw new errors_js_1.InvalidClientError("Invalid client_secret");
+                }
+                // Check if client_secret has expired
+                if (client.client_secret_expires_at && client.client_secret_expires_at < Math.floor(Date.now() / 1000)) {
+                    throw new errors_js_1.InvalidClientError("Client secret has expired");
+                }
+            }
+            req.client = client;
+            next();
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.OAuthError) {
+                const status = error instanceof errors_js_1.ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error authenticating client:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    };
+}
+//# sourceMappingURL=clientAuth.js.map

package/dist/cjs/server/auth/middleware/clientAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientAuth.js","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/clientAuth.ts"],"names":[],"mappings":";;AA2BA,gDA6CC;AAxED,6BAAwB;AAIxB,4CAAgG;AAShG,MAAM,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAWH,SAAgB,kBAAkB,CAAC,EAAE,YAAY,EAAyC;IACxF,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,gCAAgC,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,+BAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC;YACjD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,8BAAkB,CAAC,mBAAmB,CAAC,CAAC;YACpD,CAAC;YAED,sCAAsC;YACtC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACzB,sDAAsD;gBACtD,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,MAAM,IAAI,8BAAkB,CAAC,2BAA2B,CAAC,CAAC;gBAC5D,CAAC;gBAED,iCAAiC;gBACjC,IAAI,MAAM,CAAC,aAAa,KAAK,aAAa,EAAE,CAAC;oBAC3C,MAAM,IAAI,8BAAkB,CAAC,uBAAuB,CAAC,CAAC;gBACxD,CAAC;gBAED,qCAAqC;gBACrC,IAAI,MAAM,CAAC,wBAAwB,IAAI,MAAM,CAAC,wBAAwB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;oBACvG,MAAM,IAAI,8BAAkB,CAAC,2BAA2B,CAAC,CAAC;gBAC5D,CAAC;YACH,CAAC;YAED,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;YACpB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,uBAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;gBAChE,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}

package/dist/cjs/server/auth/provider.d.ts

@@ -0,0 +1,50 @@
+import { Response } from "express";
+import { OAuthRegisteredClientsStore } from "./clients.js";
+import { OAuthClientInformationFull, OAuthTokenRevocationRequest, OAuthTokens } from "../../shared/auth.js";
+import { AuthInfo } from "./types.js";
+export type AuthorizationParams = {
+    state?: string;
+    scopes?: string[];
+    codeChallenge: string;
+    redirectUri: string;
+};
+/**
+ * Implements an end-to-end OAuth server.
+ */
+export interface OAuthServerProvider {
+    /**
+     * A store used to read information about registered OAuth clients.
+     */
+    get clientsStore(): OAuthRegisteredClientsStore;
+    /**
+     * Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.
+     *
+     * This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:
+     * - In the successful case, the redirect MUST include the `code` and `state` (if present) query parameters.
+     * - In the error case, the redirect MUST include the `error` query parameter, and MAY include an optional `error_description` query parameter.
+     */
+    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
+    /**
+     * Returns the `codeChallenge` that was used when the indicated authorization began.
+     */
+    challengeForAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
+    /**
+     * Exchanges an authorization code for an access token.
+     */
+    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<OAuthTokens>;
+    /**
+     * Exchanges a refresh token for an access token.
+     */
+    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[]): Promise<OAuthTokens>;
+    /**
+     * Verifies an access token and returns information about it.
+     */
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    /**
+     * Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).
+     *
+     * If the given token is invalid or already revoked, this method should do nothing.
+     */
+    revokeToken?(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/cjs/server/auth/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,0BAA0B,EAAE,2BAA2B,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC5G,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,MAAM,MAAM,mBAAmB,GAAG;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,IAAI,YAAY,IAAI,2BAA2B,CAAC;IAEhD;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,0BAA0B,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzG;;OAEG;IACH,6BAA6B,CAAC,MAAM,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE9G;;OAEG;IACH,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/G;;OAEG;IACH,oBAAoB,CAAC,MAAM,EAAE,0BAA0B,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAExH;;OAEG;IACH,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEpD;;;;OAIG;IACH,WAAW,CAAC,CAAC,MAAM,EAAE,0BAA0B,EAAE,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvG"}

package/dist/cjs/server/auth/provider.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=provider.js.map

package/dist/cjs/server/auth/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../../../src/server/auth/provider.ts"],"names":[],"mappings":""}

package/dist/cjs/server/auth/router.d.ts

@@ -0,0 +1,36 @@
+import { RequestHandler } from "express";
+import { ClientRegistrationHandlerOptions } from "./handlers/register.js";
+import { TokenHandlerOptions } from "./handlers/token.js";
+import { AuthorizationHandlerOptions } from "./handlers/authorize.js";
+import { RevocationHandlerOptions } from "./handlers/revoke.js";
+import { OAuthServerProvider } from "./provider.js";
+export type AuthRouterOptions = {
+    /**
+     * A provider implementing the actual authorization logic for this router.
+     */
+    provider: OAuthServerProvider;
+    /**
+     * The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components.
+     */
+    issuerUrl: URL;
+    /**
+     * An optional URL of a page containing human-readable information that developers might want or need to know when using the authorization server.
+     */
+    serviceDocumentationUrl?: URL;
+    authorizationOptions?: Omit<AuthorizationHandlerOptions, "provider">;
+    clientRegistrationOptions?: Omit<ClientRegistrationHandlerOptions, "clientsStore">;
+    revocationOptions?: Omit<RevocationHandlerOptions, "provider">;
+    tokenOptions?: Omit<TokenHandlerOptions, "provider">;
+};
+/**
+ * Installs standard MCP authorization endpoints, including dynamic client registration and token revocation (if supported). Also advertises standard authorization server metadata, for easier discovery of supported configurations by clients.
+ *
+ * By default, rate limiting is applied to all endpoints to prevent abuse.
+ *
+ * This router MUST be installed at the application root, like so:
+ *
+ *  const app = express();
+ *  app.use(mcpAuthRouter(...));
+ */
+export declare function mcpAuthRouter(options: AuthRouterOptions): RequestHandler;
+//# sourceMappingURL=router.d.ts.map

package/dist/cjs/server/auth/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/router.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAA6B,gCAAgC,EAAE,MAAM,wBAAwB,CAAC;AACrG,OAAO,EAAgB,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AACxE,OAAO,EAAwB,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAC5F,OAAO,EAAqB,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAEnF,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEpD,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;OAEG;IACH,QAAQ,EAAE,mBAAmB,CAAC;IAE9B;;OAEG;IACH,SAAS,EAAE,GAAG,CAAC;IAEf;;OAEG;IACH,uBAAuB,CAAC,EAAE,GAAG,CAAC;IAG9B,oBAAoB,CAAC,EAAE,IAAI,CAAC,2BAA2B,EAAE,UAAU,CAAC,CAAC;IACrE,yBAAyB,CAAC,EAAE,IAAI,CAAC,gCAAgC,EAAE,cAAc,CAAC,CAAC;IACnF,iBAAiB,CAAC,EAAE,IAAI,CAAC,wBAAwB,EAAE,UAAU,CAAC,CAAC;IAC/D,YAAY,CAAC,EAAE,IAAI,CAAC,mBAAmB,EAAE,UAAU,CAAC,CAAC;CACtD,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,iBAAiB,GAAG,cAAc,CAqExE"}

package/dist/cjs/server/auth/router.js

@@ -0,0 +1,68 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mcpAuthRouter = mcpAuthRouter;
+const express_1 = __importDefault(require("express"));
+const register_js_1 = require("./handlers/register.js");
+const token_js_1 = require("./handlers/token.js");
+const authorize_js_1 = require("./handlers/authorize.js");
+const revoke_js_1 = require("./handlers/revoke.js");
+const metadata_js_1 = require("./handlers/metadata.js");
+/**
+ * Installs standard MCP authorization endpoints, including dynamic client registration and token revocation (if supported). Also advertises standard authorization server metadata, for easier discovery of supported configurations by clients.
+ *
+ * By default, rate limiting is applied to all endpoints to prevent abuse.
+ *
+ * This router MUST be installed at the application root, like so:
+ *
+ *  const app = express();
+ *  app.use(mcpAuthRouter(...));
+ */
+function mcpAuthRouter(options) {
+    var _a;
+    const issuer = options.issuerUrl;
+    // Technically RFC 8414 does not permit a localhost HTTPS exemption, but this will be necessary for ease of testing
+    if (issuer.protocol !== "https:" && issuer.hostname !== "localhost" && issuer.hostname !== "127.0.0.1") {
+        throw new Error("Issuer URL must be HTTPS");
+    }
+    if (issuer.hash) {
+        throw new Error("Issuer URL must not have a fragment");
+    }
+    if (issuer.search) {
+        throw new Error("Issuer URL must not have a query string");
+    }
+    const authorization_endpoint = "/authorize";
+    const token_endpoint = "/token";
+    const registration_endpoint = options.provider.clientsStore.registerClient ? "/register" : undefined;
+    const revocation_endpoint = options.provider.revokeToken ? "/revoke" : undefined;
+    const metadata = {
+        issuer: issuer.href,
+        service_documentation: (_a = options.serviceDocumentationUrl) === null || _a === void 0 ? void 0 : _a.href,
+        authorization_endpoint: new URL(authorization_endpoint, issuer).href,
+        response_types_supported: ["code"],
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint: new URL(token_endpoint, issuer).href,
+        token_endpoint_auth_methods_supported: ["client_secret_post"],
+        grant_types_supported: ["authorization_code", "refresh_token"],
+        revocation_endpoint: revocation_endpoint ? new URL(revocation_endpoint, issuer).href : undefined,
+        revocation_endpoint_auth_methods_supported: revocation_endpoint ? ["client_secret_post"] : undefined,
+        registration_endpoint: registration_endpoint ? new URL(registration_endpoint, issuer).href : undefined,
+    };
+    const router = express_1.default.Router();
+    router.use(authorization_endpoint, (0, authorize_js_1.authorizationHandler)({ provider: options.provider, ...options.authorizationOptions }));
+    router.use(token_endpoint, (0, token_js_1.tokenHandler)({ provider: options.provider, ...options.tokenOptions }));
+    router.use("/.well-known/oauth-authorization-server", (0, metadata_js_1.metadataHandler)(metadata));
+    if (registration_endpoint) {
+        router.use(registration_endpoint, (0, register_js_1.clientRegistrationHandler)({
+            clientsStore: options.provider.clientsStore,
+            ...options,
+        }));
+    }
+    if (revocation_endpoint) {
+        router.use(revocation_endpoint, (0, revoke_js_1.revocationHandler)({ provider: options.provider, ...options.revocationOptions }));
+    }
+    return router;
+}
+//# sourceMappingURL=router.js.map