@modelcontextprotocol/sdk 1.5.0 → 1.6.0

package/dist/esm/client/auth.js

@@ -0,0 +1,226 @@
+import pkceChallenge from "pkce-challenge";
+import { LATEST_PROTOCOL_VERSION } from "../types.js";
+import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
+export class UnauthorizedError extends Error {
+    constructor(message) {
+        super(message !== null && message !== void 0 ? message : "Unauthorized");
+    }
+}
+/**
+ * Orchestrates the full auth flow with a server.
+ *
+ * This can be used as a single entry point for all authorization functionality,
+ * instead of linking together the other lower-level functions in this module.
+ */
+export async function auth(provider, { serverUrl, authorizationCode }) {
+    const metadata = await discoverOAuthMetadata(serverUrl);
+    // Handle client registration if needed
+    let clientInformation = await Promise.resolve(provider.clientInformation());
+    if (!clientInformation) {
+        if (authorizationCode !== undefined) {
+            throw new Error("Existing OAuth client information is required when exchanging an authorization code");
+        }
+        if (!provider.saveClientInformation) {
+            throw new Error("OAuth client information must be saveable for dynamic registration");
+        }
+        const fullInformation = await registerClient(serverUrl, {
+            metadata,
+            clientMetadata: provider.clientMetadata,
+        });
+        await provider.saveClientInformation(fullInformation);
+        clientInformation = fullInformation;
+    }
+    // Exchange authorization code for tokens
+    if (authorizationCode !== undefined) {
+        const codeVerifier = await provider.codeVerifier();
+        const tokens = await exchangeAuthorization(serverUrl, {
+            metadata,
+            clientInformation,
+            authorizationCode,
+            codeVerifier,
+        });
+        await provider.saveTokens(tokens);
+        return "AUTHORIZED";
+    }
+    const tokens = await provider.tokens();
+    // Handle token refresh or new authorization
+    if (tokens === null || tokens === void 0 ? void 0 : tokens.refresh_token) {
+        try {
+            // Attempt to refresh the token
+            const newTokens = await refreshAuthorization(serverUrl, {
+                metadata,
+                clientInformation,
+                refreshToken: tokens.refresh_token,
+            });
+            await provider.saveTokens(newTokens);
+            return "AUTHORIZED";
+        }
+        catch (error) {
+            console.error("Could not refresh OAuth tokens:", error);
+        }
+    }
+    // Start new authorization flow
+    const { authorizationUrl, codeVerifier } = await startAuthorization(serverUrl, {
+        metadata,
+        clientInformation,
+        redirectUrl: provider.redirectUrl
+    });
+    await provider.saveCodeVerifier(codeVerifier);
+    await provider.redirectToAuthorization(authorizationUrl);
+    return "REDIRECT";
+}
+/**
+ * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
+ *
+ * If the server returns a 404 for the well-known endpoint, this function will
+ * return `undefined`. Any other errors will be thrown as exceptions.
+ */
+export async function discoverOAuthMetadata(serverUrl, opts) {
+    var _a;
+    const url = new URL("/.well-known/oauth-authorization-server", serverUrl);
+    const response = await fetch(url, {
+        headers: {
+            "MCP-Protocol-Version": (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION
+        }
+    });
+    if (response.status === 404) {
+        return undefined;
+    }
+    if (!response.ok) {
+        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
+    }
+    return OAuthMetadataSchema.parse(await response.json());
+}
+/**
+ * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
+ */
+export async function startAuthorization(serverUrl, { metadata, clientInformation, redirectUrl, }) {
+    const responseType = "code";
+    const codeChallengeMethod = "S256";
+    let authorizationUrl;
+    if (metadata) {
+        authorizationUrl = new URL(metadata.authorization_endpoint);
+        if (!metadata.response_types_supported.includes(responseType)) {
+            throw new Error(`Incompatible auth server: does not support response type ${responseType}`);
+        }
+        if (!metadata.code_challenge_methods_supported ||
+            !metadata.code_challenge_methods_supported.includes(codeChallengeMethod)) {
+            throw new Error(`Incompatible auth server: does not support code challenge method ${codeChallengeMethod}`);
+        }
+    }
+    else {
+        authorizationUrl = new URL("/authorize", serverUrl);
+    }
+    // Generate PKCE challenge
+    const challenge = await pkceChallenge();
+    const codeVerifier = challenge.code_verifier;
+    const codeChallenge = challenge.code_challenge;
+    authorizationUrl.searchParams.set("response_type", responseType);
+    authorizationUrl.searchParams.set("client_id", clientInformation.client_id);
+    authorizationUrl.searchParams.set("code_challenge", codeChallenge);
+    authorizationUrl.searchParams.set("code_challenge_method", codeChallengeMethod);
+    authorizationUrl.searchParams.set("redirect_uri", String(redirectUrl));
+    return { authorizationUrl, codeVerifier };
+}
+/**
+ * Exchanges an authorization code for an access token with the given server.
+ */
+export async function exchangeAuthorization(serverUrl, { metadata, clientInformation, authorizationCode, codeVerifier, }) {
+    const grantType = "authorization_code";
+    let tokenUrl;
+    if (metadata) {
+        tokenUrl = new URL(metadata.token_endpoint);
+        if (metadata.grant_types_supported &&
+            !metadata.grant_types_supported.includes(grantType)) {
+            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
+        }
+    }
+    else {
+        tokenUrl = new URL("/token", serverUrl);
+    }
+    // Exchange code for tokens
+    const params = new URLSearchParams({
+        grant_type: grantType,
+        client_id: clientInformation.client_id,
+        code: authorizationCode,
+        code_verifier: codeVerifier,
+    });
+    if (clientInformation.client_secret) {
+        params.set("client_secret", clientInformation.client_secret);
+    }
+    const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: params,
+    });
+    if (!response.ok) {
+        throw new Error(`Token exchange failed: HTTP ${response.status}`);
+    }
+    return OAuthTokensSchema.parse(await response.json());
+}
+/**
+ * Exchange a refresh token for an updated access token.
+ */
+export async function refreshAuthorization(serverUrl, { metadata, clientInformation, refreshToken, }) {
+    const grantType = "refresh_token";
+    let tokenUrl;
+    if (metadata) {
+        tokenUrl = new URL(metadata.token_endpoint);
+        if (metadata.grant_types_supported &&
+            !metadata.grant_types_supported.includes(grantType)) {
+            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
+        }
+    }
+    else {
+        tokenUrl = new URL("/token", serverUrl);
+    }
+    // Exchange refresh token
+    const params = new URLSearchParams({
+        grant_type: grantType,
+        client_id: clientInformation.client_id,
+        refresh_token: refreshToken,
+    });
+    if (clientInformation.client_secret) {
+        params.set("client_secret", clientInformation.client_secret);
+    }
+    const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: params,
+    });
+    if (!response.ok) {
+        throw new Error(`Token refresh failed: HTTP ${response.status}`);
+    }
+    return OAuthTokensSchema.parse(await response.json());
+}
+/**
+ * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.
+ */
+export async function registerClient(serverUrl, { metadata, clientMetadata, }) {
+    let registrationUrl;
+    if (metadata) {
+        if (!metadata.registration_endpoint) {
+            throw new Error("Incompatible auth server: does not support dynamic client registration");
+        }
+        registrationUrl = new URL(metadata.registration_endpoint);
+    }
+    else {
+        registrationUrl = new URL("/register", serverUrl);
+    }
+    const response = await fetch(registrationUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify(clientMetadata),
+    });
+    if (!response.ok) {
+        throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
+    }
+    return OAuthClientInformationFullSchema.parse(await response.json());
+}
+//# sourceMappingURL=auth.js.map

package/dist/esm/client/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/client/auth.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAE,gCAAgC,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAqE7G,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,aAAP,OAAO,cAAP,OAAO,GAAI,cAAc,CAAC,CAAC;IACnC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CACxB,QAA6B,EAC7B,EAAE,SAAS,EAAE,iBAAiB,EAA2D;IACzF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAExD,uCAAuC;IACvC,IAAI,iBAAiB,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC5E,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,qFAAqF,CAAC,CAAC;QACzG,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,SAAS,EAAE;YACtD,QAAQ;YACR,cAAc,EAAE,QAAQ,CAAC,cAAc;SACxC,CAAC,CAAC;QAEH,MAAM,QAAQ,CAAC,qBAAqB,CAAC,eAAe,CAAC,CAAC;QACtD,iBAAiB,GAAG,eAAe,CAAC;IACtC,CAAC;IAED,yCAAyC;IACzC,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,SAAS,EAAE;YACpD,QAAQ;YACR,iBAAiB;YACjB,iBAAiB;YACjB,YAAY;SACb,CAAC,CAAC;QAEH,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,CAAC;IAEvC,4CAA4C;IAC5C,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,aAAa,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,+BAA+B;YAC/B,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,SAAS,EAAE;gBACtD,QAAQ;gBACR,iBAAiB;gBACjB,YAAY,EAAE,MAAM,CAAC,aAAa;aACnC,CAAC,CAAC;YAEH,MAAM,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YACrC,OAAO,YAAY,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,SAAS,EAAE;QAC7E,QAAQ;QACR,iBAAiB;QACjB,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC,CAAC;IAEH,MAAM,QAAQ,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAC9C,MAAM,QAAQ,CAAC,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IACzD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAuB,EACvB,IAAmC;;IAEnC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,SAAS,CAAC,CAAC;IAC1E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,OAAO,EAAE;YACP,sBAAsB,EAAE,MAAA,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,eAAe,mCAAI,uBAAuB;SACzE;KACF,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,QAAQ,QAAQ,CAAC,MAAM,2CAA2C,CACnE,CAAC;IACJ,CAAC;IAED,OAAO,mBAAmB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAuB,EACvB,EACE,QAAQ,EACR,iBAAiB,EACjB,WAAW,GAKZ;IAED,MAAM,YAAY,GAAG,MAAM,CAAC;IAC5B,MAAM,mBAAmB,GAAG,MAAM,CAAC;IAEnC,IAAI,gBAAqB,CAAC;IAC1B,IAAI,QAAQ,EAAE,CAAC;QACb,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;QAE5D,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,KAAK,CACb,4DAA4D,YAAY,EAAE,CAC3E,CAAC;QACJ,CAAC;QAED,IACE,CAAC,QAAQ,CAAC,gCAAgC;YAC1C,CAAC,QAAQ,CAAC,gCAAgC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EACxE,CAAC;YACD,MAAM,IAAI,KAAK,CACb,oEAAoE,mBAAmB,EAAE,CAC1F,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,gBAAgB,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IACtD,CAAC;IAED,0BAA0B;IAC1B,MAAM,SAAS,GAAG,MAAM,aAAa,EAAE,CAAC;IACxC,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa,CAAC;IAC7C,MAAM,aAAa,GAAG,SAAS,CAAC,cAAc,CAAC;IAE/C,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IACjE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC5E,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IACnE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,uBAAuB,EACvB,mBAAmB,CACpB,CAAC;IACF,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IAEvE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAuB,EACvB,EACE,QAAQ,EACR,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,GAMb;IAED,MAAM,SAAS,GAAG,oBAAoB,CAAC;IAEvC,IAAI,QAAa,CAAC;IAClB,IAAI,QAAQ,EAAE,CAAC;QACb,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAE5C,IACE,QAAQ,CAAC,qBAAqB;YAC9B,CAAC,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,EACnD,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yDAAyD,SAAS,EAAE,CACrE,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,2BAA2B;IAC3B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,IAAI,EAAE,iBAAiB;QACvB,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,IAAI,iBAAiB,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,aAAa,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,iBAAiB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAuB,EACvB,EACE,QAAQ,EACR,iBAAiB,EACjB,YAAY,GAKb;IAED,MAAM,SAAS,GAAG,eAAe,CAAC;IAElC,IAAI,QAAa,CAAC;IAClB,IAAI,QAAQ,EAAE,CAAC;QACb,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAE5C,IACE,QAAQ,CAAC,qBAAqB;YAC9B,CAAC,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,EACnD,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yDAAyD,SAAS,EAAE,CACrE,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,IAAI,iBAAiB,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,iBAAiB,CAAC,aAAa,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,iBAAiB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAuB,EACvB,EACE,QAAQ,EACR,cAAc,GAIf;IAED,IAAI,eAAoB,CAAC;IAEzB,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;QAC5F,CAAC;QAED,eAAe,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,eAAe,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE;QAC5C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;KACrC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,OAAO,gCAAgC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;AACvE,CAAC"}

package/dist/esm/client/sse.d.ts

@@ -1,11 +1,45 @@
 import { type ErrorEvent, type EventSourceInit } from "eventsource";
 import { Transport } from "../shared/transport.js";
 import { JSONRPCMessage } from "../types.js";
+import { OAuthClientProvider } from "./auth.js";
 export declare class SseError extends Error {
     readonly code: number | undefined;
     readonly event: ErrorEvent;
     constructor(code: number | undefined, message: string | undefined, event: ErrorEvent);
 }
+/**
+ * Configuration options for the `SSEClientTransport`.
+ */
+export type SSEClientTransportOptions = {
+    /**
+     * An OAuth client provider to use for authentication.
+     *
+     * When an `authProvider` is specified and the SSE connection is started:
+     * 1. The connection is attempted with any existing access token from the `authProvider`.
+     * 2. If the access token has expired, the `authProvider` is used to refresh the token.
+     * 3. If token refresh fails or no access token exists, and auth is required, `OAuthClientProvider.redirectToAuthorization` is called, and an `UnauthorizedError` will be thrown from `connect`/`start`.
+     *
+     * After the user has finished authorizing via their user agent, and is redirected back to the MCP client application, call `SSEClientTransport.finishAuth` with the authorization code before retrying the connection.
+     *
+     * If an `authProvider` is not provided, and auth is required, an `UnauthorizedError` will be thrown.
+     *
+     * `UnauthorizedError` might also be thrown when sending any message over the SSE transport, indicating that the session has expired, and needs to be re-authed and reconnected.
+     */
+    authProvider?: OAuthClientProvider;
+    /**
+     * Customizes the initial SSE request to the server (the request that begins the stream).
+     *
+     * NOTE: Setting this property will prevent an `Authorization` header from
+     * being automatically attached to the SSE request, if an `authProvider` is
+     * also given. This can be worked around by setting the `Authorization` header
+     * manually.
+     */
+    eventSourceInit?: EventSourceInit;
+    /**
+     * Customizes recurring POST requests to the server.
+     */
+    requestInit?: RequestInit;
+};
 /**
  * Client transport for SSE: this will connect to a server using Server-Sent Events for receiving
  * messages and make separate POST requests for sending messages.
@@ -17,14 +51,19 @@ export declare class SSEClientTransport implements Transport {
     private _url;
     private _eventSourceInit?;
     private _requestInit?;
+    private _authProvider?;
     onclose?: () => void;
     onerror?: (error: Error) => void;
     onmessage?: (message: JSONRPCMessage) => void;
-    constructor(url: URL, opts?: {
-        eventSourceInit?: EventSourceInit;
-        requestInit?: RequestInit;
-    });
+    constructor(url: URL, opts?: SSEClientTransportOptions);
+    private _authThenStart;
+    private _commonHeaders;
+    private _startOrAuth;
     start(): Promise<void>;
+    /**
+     * Call this method after the user has finished authorizing via their user agent and is redirected back to the MCP client application. This will exchange the authorization code for an access token, enabling the next connection attempt to successfully auth.
+     */
+    finishAuth(authorizationCode: string): Promise<void>;
     close(): Promise<void>;
     send(message: JSONRPCMessage): Promise<void>;
 }

package/dist/esm/client/sse.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sse.d.ts","sourceRoot":"","sources":["../../../src/client/sse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,KAAK,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,aAAa,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAwB,MAAM,aAAa,CAAC;AAEnE,qBAAa,QAAS,SAAQ,KAAK;aAEf,IAAI,EAAE,MAAM,GAAG,SAAS;aAExB,KAAK,EAAE,UAAU;gBAFjB,IAAI,EAAE,MAAM,GAAG,SAAS,EACxC,OAAO,EAAE,MAAM,GAAG,SAAS,EACX,KAAK,EAAE,UAAU;CAIpC;AAED;;;GAGG;AACH,qBAAa,kBAAmB,YAAW,SAAS;IAClD,OAAO,CAAC,YAAY,CAAC,CAAc;IACnC,OAAO,CAAC,SAAS,CAAC,CAAM;IACxB,OAAO,CAAC,gBAAgB,CAAC,CAAkB;IAC3C,OAAO,CAAC,IAAI,CAAM;IAClB,OAAO,CAAC,gBAAgB,CAAC,CAAkB;IAC3C,OAAO,CAAC,YAAY,CAAC,CAAc;IAEnC,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,IAAI,CAAC;gBAG5C,GAAG,EAAE,GAAG,EACR,IAAI,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,eAAe,CAAC;QAAC,WAAW,CAAC,EAAE,WAAW,CAAA;KAAE;IAOzE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA4DhB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAMtB,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CA6BnD"}
+{"version":3,"file":"sse.d.ts","sourceRoot":"","sources":["../../../src/client/sse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,KAAK,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,aAAa,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAwB,MAAM,aAAa,CAAC;AACnE,OAAO,EAAoB,mBAAmB,EAAqB,MAAM,WAAW,CAAC;AAErF,qBAAa,QAAS,SAAQ,KAAK;aAEf,IAAI,EAAE,MAAM,GAAG,SAAS;aAExB,KAAK,EAAE,UAAU;gBAFjB,IAAI,EAAE,MAAM,GAAG,SAAS,EACxC,OAAO,EAAE,MAAM,GAAG,SAAS,EACX,KAAK,EAAE,UAAU;CAIpC;AAED;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG;IACtC;;;;;;;;;;;;;OAaG;IACH,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAEnC;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,eAAe,CAAC;IAElC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B,CAAC;AAEF;;;GAGG;AACH,qBAAa,kBAAmB,YAAW,SAAS;IAClD,OAAO,CAAC,YAAY,CAAC,CAAc;IACnC,OAAO,CAAC,SAAS,CAAC,CAAM;IACxB,OAAO,CAAC,gBAAgB,CAAC,CAAkB;IAC3C,OAAO,CAAC,IAAI,CAAM;IAClB,OAAO,CAAC,gBAAgB,CAAC,CAAkB;IAC3C,OAAO,CAAC,YAAY,CAAC,CAAc;IACnC,OAAO,CAAC,aAAa,CAAC,CAAsB;IAE5C,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,IAAI,CAAC;gBAG5C,GAAG,EAAE,GAAG,EACR,IAAI,CAAC,EAAE,yBAAyB;YAQpB,cAAc;YAoBd,cAAc;IAY5B,OAAO,CAAC,YAAY;IAmEd,KAAK;IAUX;;OAEG;IACG,UAAU,CAAC,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWpD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAMtB,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CAuCnD"}

package/dist/esm/client/sse.js

@@ -1,5 +1,6 @@
 import { EventSource } from "eventsource";
 import { JSONRPCMessageSchema } from "../types.js";
+import { auth, UnauthorizedError } from "./auth.js";
 export class SseError extends Error {
     constructor(code, message, event) {
         super(`SSE error: ${message}`);
@@ -16,16 +17,55 @@ export class SSEClientTransport {
         this._url = url;
         this._eventSourceInit = opts === null || opts === void 0 ? void 0 : opts.eventSourceInit;
         this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
+        this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
     }
-    start() {
-        if (this._eventSource) {
-            throw new Error("SSEClientTransport already started! If using Client class, note that connect() calls start() automatically.");
+    async _authThenStart() {
+        var _a;
+        if (!this._authProvider) {
+            throw new UnauthorizedError("No auth provider");
+        }
+        let result;
+        try {
+            result = await auth(this._authProvider, { serverUrl: this._url });
+        }
+        catch (error) {
+            (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error);
+            throw error;
         }
+        if (result !== "AUTHORIZED") {
+            throw new UnauthorizedError();
+        }
+        return await this._startOrAuth();
+    }
+    async _commonHeaders() {
+        const headers = {};
+        if (this._authProvider) {
+            const tokens = await this._authProvider.tokens();
+            if (tokens) {
+                headers["Authorization"] = `Bearer ${tokens.access_token}`;
+            }
+        }
+        return headers;
+    }
+    _startOrAuth() {
         return new Promise((resolve, reject) => {
-            this._eventSource = new EventSource(this._url.href, this._eventSourceInit);
+            var _a;
+            this._eventSource = new EventSource(this._url.href, (_a = this._eventSourceInit) !== null && _a !== void 0 ? _a : {
+                fetch: (url, init) => this._commonHeaders().then((headers) => fetch(url, {
+                    ...init,
+                    headers: {
+                        ...headers,
+                        Accept: "text/event-stream"
+                    }
+                })),
+            });
             this._abortController = new AbortController();
             this._eventSource.onerror = (event) => {
                 var _a;
+                if (event.code === 401 && this._authProvider) {
+                    this._authThenStart().then(resolve, reject);
+                    return;
+                }
                 const error = new SseError(event.code, event.message, event);
                 reject(error);
                 (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error);
@@ -65,6 +105,24 @@ export class SSEClientTransport {
             };
         });
     }
+    async start() {
+        if (this._eventSource) {
+            throw new Error("SSEClientTransport already started! If using Client class, note that connect() calls start() automatically.");
+        }
+        return await this._startOrAuth();
+    }
+    /**
+     * Call this method after the user has finished authorizing via their user agent and is redirected back to the MCP client application. This will exchange the authorization code for an access token, enabling the next connection attempt to successfully auth.
+     */
+    async finishAuth(authorizationCode) {
+        if (!this._authProvider) {
+            throw new UnauthorizedError("No auth provider");
+        }
+        const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode });
+        if (result !== "AUTHORIZED") {
+            throw new UnauthorizedError("Failed to authorize");
+        }
+    }
     async close() {
         var _a, _b, _c;
         (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.abort();
@@ -77,7 +135,8 @@ export class SSEClientTransport {
             throw new Error("Not connected");
         }
         try {
-            const headers = new Headers((_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers);
+            const commonHeaders = await this._commonHeaders();
+            const headers = new Headers({ ...commonHeaders, ...(_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers });
             headers.set("content-type", "application/json");
             const init = {
                 ...this._requestInit,
@@ -88,6 +147,14 @@ export class SSEClientTransport {
             };
             const response = await fetch(this._endpoint, init);
             if (!response.ok) {
+                if (response.status === 401 && this._authProvider) {
+                    const result = await auth(this._authProvider, { serverUrl: this._url });
+                    if (result !== "AUTHORIZED") {
+                        throw new UnauthorizedError();
+                    }
+                    // Purposely _not_ awaited, so we don't call onerror twice
+                    return this.send(message);
+                }
                 const text = await response.text().catch(() => null);
                 throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
             }

package/dist/esm/client/sse.js.map

@@ -1 +1 @@
-{"version":3,"file":"sse.js","sourceRoot":"","sources":["../../../src/client/sse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAyC,MAAM,aAAa,CAAC;AAEjF,OAAO,EAAkB,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnE,MAAM,OAAO,QAAS,SAAQ,KAAK;IACjC,YACkB,IAAwB,EACxC,OAA2B,EACX,KAAiB;QAEjC,KAAK,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;QAJf,SAAI,GAAJ,IAAI,CAAoB;QAExB,UAAK,GAAL,KAAK,CAAY;IAGnC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,kBAAkB;IAY7B,YACE,GAAQ,EACR,IAAuE;QAEvE,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,IAAI,CAAC,gBAAgB,GAAG,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,eAAe,CAAC;QAC9C,IAAI,CAAC,YAAY,GAAG,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,WAAW,CAAC;IACxC,CAAC;IAED,KAAK;QACH,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,6GAA6G,CAC9G,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,YAAY,GAAG,IAAI,WAAW,CACjC,IAAI,CAAC,IAAI,CAAC,IAAI,EACd,IAAI,CAAC,gBAAgB,CACtB,CAAC;YACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,eAAe,EAAE,CAAC;YAE9C,IAAI,CAAC,YAAY,CAAC,OAAO,GAAG,CAAC,KAAK,EAAE,EAAE;;gBACpC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAC7D,MAAM,CAAC,KAAK,CAAC,CAAC;gBACd,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAK,CAAC,CAAC;YACxB,CAAC,CAAC;YAEF,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,GAAG,EAAE;gBAC9B,+EAA+E;YACjF,CAAC,CAAC;YAEF,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,UAAU,EAAE,CAAC,KAAY,EAAE,EAAE;;gBAC9D,MAAM,YAAY,GAAG,KAAqB,CAAC;gBAE3C,IAAI,CAAC;oBACH,IAAI,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;oBACvD,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;wBAC/C,MAAM,IAAI,KAAK,CACb,qDAAqD,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAC7E,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,CAAC;oBACd,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;oBAE/B,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;oBAClB,OAAO;gBACT,CAAC;gBAED,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,CAAC,SAAS,GAAG,CAAC,KAAY,EAAE,EAAE;;gBAC7C,MAAM,YAAY,GAAG,KAAqB,CAAC;gBAC3C,IAAI,OAAuB,CAAC;gBAC5B,IAAI,CAAC;oBACH,OAAO,GAAG,oBAAoB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBACtE,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;oBAC/B,OAAO;gBACT,CAAC;gBAED,MAAA,IAAI,CAAC,SAAS,qDAAG,OAAO,CAAC,CAAC;YAC5B,CAAC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK;;QACT,MAAA,IAAI,CAAC,gBAAgB,0CAAE,KAAK,EAAE,CAAC;QAC/B,MAAA,IAAI,CAAC,YAAY,0CAAE,KAAK,EAAE,CAAC;QAC3B,MAAA,IAAI,CAAC,OAAO,oDAAI,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAuB;;QAChC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,MAAA,IAAI,CAAC,YAAY,0CAAE,OAAO,CAAC,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAChD,MAAM,IAAI,GAAG;gBACX,GAAG,IAAI,CAAC,YAAY;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,MAAA,IAAI,CAAC,gBAAgB,0CAAE,MAAM;aACtC,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAEnD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;gBACrD,MAAM,IAAI,KAAK,CACb,mCAAmC,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"sse.js","sourceRoot":"","sources":["../../../src/client/sse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAyC,MAAM,aAAa,CAAC;AAEjF,OAAO,EAAkB,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,IAAI,EAAmC,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAErF,MAAM,OAAO,QAAS,SAAQ,KAAK;IACjC,YACkB,IAAwB,EACxC,OAA2B,EACX,KAAiB;QAEjC,KAAK,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;QAJf,SAAI,GAAJ,IAAI,CAAoB;QAExB,UAAK,GAAL,KAAK,CAAY;IAGnC,CAAC;CACF;AAsCD;;;GAGG;AACH,MAAM,OAAO,kBAAkB;IAa7B,YACE,GAAQ,EACR,IAAgC;QAEhC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,IAAI,CAAC,gBAAgB,GAAG,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,eAAe,CAAC;QAC9C,IAAI,CAAC,YAAY,GAAG,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,WAAW,CAAC;QACtC,IAAI,CAAC,aAAa,GAAG,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,YAAY,CAAC;IAC1C,CAAC;IAEO,KAAK,CAAC,cAAc;;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,MAAkB,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,MAAM,IAAI,iBAAiB,EAAE,CAAC;QAChC,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IACnC,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,OAAO,GAAgB,EAAE,CAAC;QAChC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC;YACjD,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,MAAM,CAAC,YAAY,EAAE,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,YAAY;QAClB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;;YACrC,IAAI,CAAC,YAAY,GAAG,IAAI,WAAW,CACjC,IAAI,CAAC,IAAI,CAAC,IAAI,EACd,MAAA,IAAI,CAAC,gBAAgB,mCAAI;gBACvB,KAAK,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;oBACvE,GAAG,IAAI;oBACP,OAAO,EAAE;wBACP,GAAG,OAAO;wBACV,MAAM,EAAE,mBAAmB;qBAC5B;iBACF,CAAC,CAAC;aACJ,CACF,CAAC;YACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,eAAe,EAAE,CAAC;YAE9C,IAAI,CAAC,YAAY,CAAC,OAAO,GAAG,CAAC,KAAK,EAAE,EAAE;;gBACpC,IAAI,KAAK,CAAC,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;oBAC7C,IAAI,CAAC,cAAc,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;oBAC5C,OAAO;gBACT,CAAC;gBAED,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAC7D,MAAM,CAAC,KAAK,CAAC,CAAC;gBACd,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAK,CAAC,CAAC;YACxB,CAAC,CAAC;YAEF,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,GAAG,EAAE;gBAC9B,+EAA+E;YACjF,CAAC,CAAC;YAEF,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,UAAU,EAAE,CAAC,KAAY,EAAE,EAAE;;gBAC9D,MAAM,YAAY,GAAG,KAAqB,CAAC;gBAE3C,IAAI,CAAC;oBACH,IAAI,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;oBACvD,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;wBAC/C,MAAM,IAAI,KAAK,CACb,qDAAqD,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAC7E,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,CAAC;oBACd,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;oBAE/B,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;oBAClB,OAAO;gBACT,CAAC;gBAED,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,CAAC,SAAS,GAAG,CAAC,KAAY,EAAE,EAAE;;gBAC7C,MAAM,YAAY,GAAG,KAAqB,CAAC;gBAC3C,IAAI,OAAuB,CAAC;gBAC5B,IAAI,CAAC;oBACH,OAAO,GAAG,oBAAoB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBACtE,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;oBAC/B,OAAO;gBACT,CAAC;gBAED,MAAA,IAAI,CAAC,SAAS,qDAAG,OAAO,CAAC,CAAC;YAC5B,CAAC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,6GAA6G,CAC9G,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,iBAAyB;QACxC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC3F,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;;QACT,MAAA,IAAI,CAAC,gBAAgB,0CAAE,KAAK,EAAE,CAAC;QAC/B,MAAA,IAAI,CAAC,YAAY,0CAAE,KAAK,EAAE,CAAC;QAC3B,MAAA,IAAI,CAAC,OAAO,oDAAI,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAuB;;QAChC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,GAAG,aAAa,EAAE,GAAG,MAAA,IAAI,CAAC,YAAY,0CAAE,OAAO,EAAE,CAAC,CAAC;YACjF,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAChD,MAAM,IAAI,GAAG;gBACX,GAAG,IAAI,CAAC,YAAY;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,MAAA,IAAI,CAAC,gBAAgB,0CAAE,MAAM;aACtC,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YACnD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;oBAClD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;oBACxE,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;wBAC5B,MAAM,IAAI,iBAAiB,EAAE,CAAC;oBAChC,CAAC;oBAED,0DAA0D;oBAC1D,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC5B,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;gBACrD,MAAM,IAAI,KAAK,CACb,mCAAmC,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAA,IAAI,CAAC,OAAO,qDAAG,KAAc,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF"}

package/dist/esm/server/auth/clients.d.ts

@@ -0,0 +1,19 @@
+import { OAuthClientInformationFull } from "../../shared/auth.js";
+/**
+ * Stores information about registered OAuth clients for this server.
+ */
+export interface OAuthRegisteredClientsStore {
+    /**
+     * Returns information about a registered client, based on its ID.
+     */
+    getClient(clientId: string): OAuthClientInformationFull | undefined | Promise<OAuthClientInformationFull | undefined>;
+    /**
+     * Registers a new client with the server. The client ID and secret will be automatically generated by the library. A modified version of the client information can be returned to reflect specific values enforced by the server.
+     *
+     * NOTE: Implementations should NOT delete expired client secrets in-place. Auth middleware provided by this library will automatically check the `client_secret_expires_at` field and reject requests with expired secrets. Any custom logic for authenticating clients should check the `client_secret_expires_at` field as well.
+     *
+     * If unimplemented, dynamic client registration is unsupported.
+     */
+    registerClient?(client: OAuthClientInformationFull): OAuthClientInformationFull | Promise<OAuthClientInformationFull>;
+}
+//# sourceMappingURL=clients.d.ts.map

package/dist/esm/server/auth/clients.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clients.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/clients.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,sBAAsB,CAAC;AAElE;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,0BAA0B,GAAG,SAAS,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC,CAAC;IAEtH;;;;;;OAMG;IACH,cAAc,CAAC,CAAC,MAAM,EAAE,0BAA0B,GAAG,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;CACvH"}

package/dist/esm/server/auth/clients.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=clients.js.map

package/dist/esm/server/auth/clients.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clients.js","sourceRoot":"","sources":["../../../../src/server/auth/clients.ts"],"names":[],"mappings":""}

package/dist/esm/server/auth/errors.d.ts

@@ -0,0 +1,126 @@
+import { OAuthErrorResponse } from "../../shared/auth.js";
+/**
+ * Base class for all OAuth errors
+ */
+export declare class OAuthError extends Error {
+    readonly errorCode: string;
+    readonly errorUri?: string | undefined;
+    constructor(errorCode: string, message: string, errorUri?: string | undefined);
+    /**
+     * Converts the error to a standard OAuth error response object
+     */
+    toResponseObject(): OAuthErrorResponse;
+}
+/**
+ * Invalid request error - The request is missing a required parameter,
+ * includes an invalid parameter value, includes a parameter more than once,
+ * or is otherwise malformed.
+ */
+export declare class InvalidRequestError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid client error - Client authentication failed (e.g., unknown client, no client
+ * authentication included, or unsupported authentication method).
+ */
+export declare class InvalidClientError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid grant error - The provided authorization grant or refresh token is
+ * invalid, expired, revoked, does not match the redirection URI used in the
+ * authorization request, or was issued to another client.
+ */
+export declare class InvalidGrantError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unauthorized client error - The authenticated client is not authorized to use
+ * this authorization grant type.
+ */
+export declare class UnauthorizedClientError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unsupported grant type error - The authorization grant type is not supported
+ * by the authorization server.
+ */
+export declare class UnsupportedGrantTypeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid scope error - The requested scope is invalid, unknown, malformed, or
+ * exceeds the scope granted by the resource owner.
+ */
+export declare class InvalidScopeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Access denied error - The resource owner or authorization server denied the request.
+ */
+export declare class AccessDeniedError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Server error - The authorization server encountered an unexpected condition
+ * that prevented it from fulfilling the request.
+ */
+export declare class ServerError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Temporarily unavailable error - The authorization server is currently unable to
+ * handle the request due to a temporary overloading or maintenance of the server.
+ */
+export declare class TemporarilyUnavailableError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unsupported response type error - The authorization server does not support
+ * obtaining an authorization code using this method.
+ */
+export declare class UnsupportedResponseTypeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unsupported token type error - The authorization server does not support
+ * the requested token type.
+ */
+export declare class UnsupportedTokenTypeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid token error - The access token provided is expired, revoked, malformed,
+ * or invalid for other reasons.
+ */
+export declare class InvalidTokenError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Method not allowed error - The HTTP method used is not allowed for this endpoint.
+ * (Custom, non-standard error)
+ */
+export declare class MethodNotAllowedError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Too many requests error - Rate limit exceeded.
+ * (Custom, non-standard error based on RFC 6585)
+ */
+export declare class TooManyRequestsError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid client metadata error - The client metadata is invalid.
+ * (Custom error for dynamic client registration - RFC 7591)
+ */
+export declare class InvalidClientMetadataError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Insufficient scope error - The request requires higher privileges than provided by the access token.
+ */
+export declare class InsufficientScopeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/esm/server/auth/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/errors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;IAMnC;;OAEG;IACH,gBAAgB,IAAI,kBAAkB;CAYvC;AAED;;;;GAIG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,UAAU;gBACpC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;;GAIG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,uBAAwB,SAAQ,UAAU;gBACzC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,UAAU;gBAC3C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,WAAY,SAAQ,UAAU;gBAC7B,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,UAAU;gBAC7C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,4BAA6B,SAAQ,UAAU;gBAC9C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,UAAU;gBAC3C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,UAAU;gBACtC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,0BAA2B,SAAQ,UAAU;gBAC5C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}