@modelcontextprotocol/sdk 1.5.0 → 1.6.1

package/dist/cjs/server/auth/errors.d.ts

@@ -0,0 +1,126 @@
+import { OAuthErrorResponse } from "../../shared/auth.js";
+/**
+ * Base class for all OAuth errors
+ */
+export declare class OAuthError extends Error {
+    readonly errorCode: string;
+    readonly errorUri?: string | undefined;
+    constructor(errorCode: string, message: string, errorUri?: string | undefined);
+    /**
+     * Converts the error to a standard OAuth error response object
+     */
+    toResponseObject(): OAuthErrorResponse;
+}
+/**
+ * Invalid request error - The request is missing a required parameter,
+ * includes an invalid parameter value, includes a parameter more than once,
+ * or is otherwise malformed.
+ */
+export declare class InvalidRequestError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid client error - Client authentication failed (e.g., unknown client, no client
+ * authentication included, or unsupported authentication method).
+ */
+export declare class InvalidClientError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid grant error - The provided authorization grant or refresh token is
+ * invalid, expired, revoked, does not match the redirection URI used in the
+ * authorization request, or was issued to another client.
+ */
+export declare class InvalidGrantError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unauthorized client error - The authenticated client is not authorized to use
+ * this authorization grant type.
+ */
+export declare class UnauthorizedClientError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unsupported grant type error - The authorization grant type is not supported
+ * by the authorization server.
+ */
+export declare class UnsupportedGrantTypeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid scope error - The requested scope is invalid, unknown, malformed, or
+ * exceeds the scope granted by the resource owner.
+ */
+export declare class InvalidScopeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Access denied error - The resource owner or authorization server denied the request.
+ */
+export declare class AccessDeniedError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Server error - The authorization server encountered an unexpected condition
+ * that prevented it from fulfilling the request.
+ */
+export declare class ServerError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Temporarily unavailable error - The authorization server is currently unable to
+ * handle the request due to a temporary overloading or maintenance of the server.
+ */
+export declare class TemporarilyUnavailableError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unsupported response type error - The authorization server does not support
+ * obtaining an authorization code using this method.
+ */
+export declare class UnsupportedResponseTypeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Unsupported token type error - The authorization server does not support
+ * the requested token type.
+ */
+export declare class UnsupportedTokenTypeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid token error - The access token provided is expired, revoked, malformed,
+ * or invalid for other reasons.
+ */
+export declare class InvalidTokenError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Method not allowed error - The HTTP method used is not allowed for this endpoint.
+ * (Custom, non-standard error)
+ */
+export declare class MethodNotAllowedError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Too many requests error - Rate limit exceeded.
+ * (Custom, non-standard error based on RFC 6585)
+ */
+export declare class TooManyRequestsError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Invalid client metadata error - The client metadata is invalid.
+ * (Custom error for dynamic client registration - RFC 7591)
+ */
+export declare class InvalidClientMetadataError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+/**
+ * Insufficient scope error - The request requires higher privileges than provided by the access token.
+ */
+export declare class InsufficientScopeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/cjs/server/auth/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/errors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;IAMnC;;OAEG;IACH,gBAAgB,IAAI,kBAAkB;CAYvC;AAED;;;;GAIG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,UAAU;gBACpC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;;GAIG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,uBAAwB,SAAQ,UAAU;gBACzC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,UAAU;gBAC3C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,WAAY,SAAQ,UAAU;gBAC7B,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,UAAU;gBAC7C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,4BAA6B,SAAQ,UAAU;gBAC9C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,UAAU;gBAC3C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,UAAU;gBACtC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;;GAGG;AACH,qBAAa,0BAA2B,SAAQ,UAAU;gBAC5C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}

package/dist/cjs/server/auth/errors.js

@@ -0,0 +1,189 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InsufficientScopeError = exports.InvalidClientMetadataError = exports.TooManyRequestsError = exports.MethodNotAllowedError = exports.InvalidTokenError = exports.UnsupportedTokenTypeError = exports.UnsupportedResponseTypeError = exports.TemporarilyUnavailableError = exports.ServerError = exports.AccessDeniedError = exports.InvalidScopeError = exports.UnsupportedGrantTypeError = exports.UnauthorizedClientError = exports.InvalidGrantError = exports.InvalidClientError = exports.InvalidRequestError = exports.OAuthError = void 0;
+/**
+ * Base class for all OAuth errors
+ */
+class OAuthError extends Error {
+    constructor(errorCode, message, errorUri) {
+        super(message);
+        this.errorCode = errorCode;
+        this.errorUri = errorUri;
+        this.name = this.constructor.name;
+    }
+    /**
+     * Converts the error to a standard OAuth error response object
+     */
+    toResponseObject() {
+        const response = {
+            error: this.errorCode,
+            error_description: this.message
+        };
+        if (this.errorUri) {
+            response.error_uri = this.errorUri;
+        }
+        return response;
+    }
+}
+exports.OAuthError = OAuthError;
+/**
+ * Invalid request error - The request is missing a required parameter,
+ * includes an invalid parameter value, includes a parameter more than once,
+ * or is otherwise malformed.
+ */
+class InvalidRequestError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_request", message, errorUri);
+    }
+}
+exports.InvalidRequestError = InvalidRequestError;
+/**
+ * Invalid client error - Client authentication failed (e.g., unknown client, no client
+ * authentication included, or unsupported authentication method).
+ */
+class InvalidClientError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_client", message, errorUri);
+    }
+}
+exports.InvalidClientError = InvalidClientError;
+/**
+ * Invalid grant error - The provided authorization grant or refresh token is
+ * invalid, expired, revoked, does not match the redirection URI used in the
+ * authorization request, or was issued to another client.
+ */
+class InvalidGrantError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_grant", message, errorUri);
+    }
+}
+exports.InvalidGrantError = InvalidGrantError;
+/**
+ * Unauthorized client error - The authenticated client is not authorized to use
+ * this authorization grant type.
+ */
+class UnauthorizedClientError extends OAuthError {
+    constructor(message, errorUri) {
+        super("unauthorized_client", message, errorUri);
+    }
+}
+exports.UnauthorizedClientError = UnauthorizedClientError;
+/**
+ * Unsupported grant type error - The authorization grant type is not supported
+ * by the authorization server.
+ */
+class UnsupportedGrantTypeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("unsupported_grant_type", message, errorUri);
+    }
+}
+exports.UnsupportedGrantTypeError = UnsupportedGrantTypeError;
+/**
+ * Invalid scope error - The requested scope is invalid, unknown, malformed, or
+ * exceeds the scope granted by the resource owner.
+ */
+class InvalidScopeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_scope", message, errorUri);
+    }
+}
+exports.InvalidScopeError = InvalidScopeError;
+/**
+ * Access denied error - The resource owner or authorization server denied the request.
+ */
+class AccessDeniedError extends OAuthError {
+    constructor(message, errorUri) {
+        super("access_denied", message, errorUri);
+    }
+}
+exports.AccessDeniedError = AccessDeniedError;
+/**
+ * Server error - The authorization server encountered an unexpected condition
+ * that prevented it from fulfilling the request.
+ */
+class ServerError extends OAuthError {
+    constructor(message, errorUri) {
+        super("server_error", message, errorUri);
+    }
+}
+exports.ServerError = ServerError;
+/**
+ * Temporarily unavailable error - The authorization server is currently unable to
+ * handle the request due to a temporary overloading or maintenance of the server.
+ */
+class TemporarilyUnavailableError extends OAuthError {
+    constructor(message, errorUri) {
+        super("temporarily_unavailable", message, errorUri);
+    }
+}
+exports.TemporarilyUnavailableError = TemporarilyUnavailableError;
+/**
+ * Unsupported response type error - The authorization server does not support
+ * obtaining an authorization code using this method.
+ */
+class UnsupportedResponseTypeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("unsupported_response_type", message, errorUri);
+    }
+}
+exports.UnsupportedResponseTypeError = UnsupportedResponseTypeError;
+/**
+ * Unsupported token type error - The authorization server does not support
+ * the requested token type.
+ */
+class UnsupportedTokenTypeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("unsupported_token_type", message, errorUri);
+    }
+}
+exports.UnsupportedTokenTypeError = UnsupportedTokenTypeError;
+/**
+ * Invalid token error - The access token provided is expired, revoked, malformed,
+ * or invalid for other reasons.
+ */
+class InvalidTokenError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_token", message, errorUri);
+    }
+}
+exports.InvalidTokenError = InvalidTokenError;
+/**
+ * Method not allowed error - The HTTP method used is not allowed for this endpoint.
+ * (Custom, non-standard error)
+ */
+class MethodNotAllowedError extends OAuthError {
+    constructor(message, errorUri) {
+        super("method_not_allowed", message, errorUri);
+    }
+}
+exports.MethodNotAllowedError = MethodNotAllowedError;
+/**
+ * Too many requests error - Rate limit exceeded.
+ * (Custom, non-standard error based on RFC 6585)
+ */
+class TooManyRequestsError extends OAuthError {
+    constructor(message, errorUri) {
+        super("too_many_requests", message, errorUri);
+    }
+}
+exports.TooManyRequestsError = TooManyRequestsError;
+/**
+ * Invalid client metadata error - The client metadata is invalid.
+ * (Custom error for dynamic client registration - RFC 7591)
+ */
+class InvalidClientMetadataError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_client_metadata", message, errorUri);
+    }
+}
+exports.InvalidClientMetadataError = InvalidClientMetadataError;
+/**
+ * Insufficient scope error - The request requires higher privileges than provided by the access token.
+ */
+class InsufficientScopeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("insufficient_scope", message, errorUri);
+    }
+}
+exports.InsufficientScopeError = InsufficientScopeError;
+//# sourceMappingURL=errors.js.map

package/dist/cjs/server/auth/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../../src/server/auth/errors.ts"],"names":[],"mappings":";;;AAEA;;GAEG;AACH,MAAa,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;QAGjC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,MAAM,QAAQ,GAAuB;YACnC,KAAK,EAAE,IAAI,CAAC,SAAS;YACrB,iBAAiB,EAAE,IAAI,CAAC,OAAO;SAChC,CAAC;QAEF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;QACrC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAzBD,gCAyBC;AAED;;;;GAIG;AACH,MAAa,mBAAoB,SAAQ,UAAU;IACjD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,iBAAiB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;CACF;AAJD,kDAIC;AAED;;;GAGG;AACH,MAAa,kBAAmB,SAAQ,UAAU;IAChD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,gBAAgB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;CACF;AAJD,gDAIC;AAED;;;;GAIG;AACH,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED;;;GAGG;AACH,MAAa,uBAAwB,SAAQ,UAAU;IACrD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,qBAAqB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAClD,CAAC;CACF;AAJD,0DAIC;AAED;;;GAGG;AACH,MAAa,yBAA0B,SAAQ,UAAU;IACvD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,wBAAwB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrD,CAAC;CACF;AAJD,8DAIC;AAED;;;GAGG;AACH,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED;;GAEG;AACH,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED;;;GAGG;AACH,MAAa,WAAY,SAAQ,UAAU;IACzC,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,cAAc,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;CACF;AAJD,kCAIC;AAED;;;GAGG;AACH,MAAa,2BAA4B,SAAQ,UAAU;IACzD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,yBAAyB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,CAAC;CACF;AAJD,kEAIC;AAED;;;GAGG;AACH,MAAa,4BAA6B,SAAQ,UAAU;IAC1D,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,2BAA2B,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACxD,CAAC;CACF;AAJD,oEAIC;AAED;;;GAGG;AACH,MAAa,yBAA0B,SAAQ,UAAU;IACvD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,wBAAwB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrD,CAAC;CACF;AAJD,8DAIC;AAED;;;GAGG;AACH,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED;;;GAGG;AACH,MAAa,qBAAsB,SAAQ,UAAU;IACnD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAJD,sDAIC;AAED;;;GAGG;AACH,MAAa,oBAAqB,SAAQ,UAAU;IAClD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,mBAAmB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;CACF;AAJD,oDAIC;AAED;;;GAGG;AACH,MAAa,0BAA2B,SAAQ,UAAU;IACxD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,yBAAyB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,CAAC;CACF;AAJD,gEAIC;AAED;;GAEG;AACH,MAAa,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAJD,wDAIC"}

package/dist/cjs/server/auth/handlers/authorize.d.ts

@@ -0,0 +1,13 @@
+import { RequestHandler } from "express";
+import { OAuthServerProvider } from "../provider.js";
+import { Options as RateLimitOptions } from "express-rate-limit";
+export type AuthorizationHandlerOptions = {
+    provider: OAuthServerProvider;
+    /**
+     * Rate limiting configuration for the authorization endpoint.
+     * Set to false to disable rate limiting for this endpoint.
+     */
+    rateLimit?: Partial<RateLimitOptions> | false;
+};
+export declare function authorizationHandler({ provider, rateLimit: rateLimitConfig }: AuthorizationHandlerOptions): RequestHandler;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/cjs/server/auth/handlers/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAa,OAAO,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAW5E,MAAM,MAAM,2BAA2B,GAAG;IACxC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC;CAC/C,CAAC;AAiBF,wBAAgB,oBAAoB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,2BAA2B,GAAG,cAAc,CAmH1H"}

package/dist/cjs/server/auth/handlers/authorize.js

@@ -0,0 +1,149 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizationHandler = authorizationHandler;
+const zod_1 = require("zod");
+const express_1 = __importDefault(require("express"));
+const express_rate_limit_1 = require("express-rate-limit");
+const allowedMethods_js_1 = require("../middleware/allowedMethods.js");
+const errors_js_1 = require("../errors.js");
+// Parameters that must be validated in order to issue redirects.
+const ClientAuthorizationParamsSchema = zod_1.z.object({
+    client_id: zod_1.z.string(),
+    redirect_uri: zod_1.z.string().optional().refine((value) => value === undefined || URL.canParse(value), { message: "redirect_uri must be a valid URL" }),
+});
+// Parameters that must be validated for a successful authorization request. Failure can be reported to the redirect URI.
+const RequestAuthorizationParamsSchema = zod_1.z.object({
+    response_type: zod_1.z.literal("code"),
+    code_challenge: zod_1.z.string(),
+    code_challenge_method: zod_1.z.literal("S256"),
+    scope: zod_1.z.string().optional(),
+    state: zod_1.z.string().optional(),
+});
+function authorizationHandler({ provider, rateLimit: rateLimitConfig }) {
+    // Create a router to apply middleware
+    const router = express_1.default.Router();
+    router.use((0, allowedMethods_js_1.allowedMethods)(["GET", "POST"]));
+    router.use(express_1.default.urlencoded({ extended: false }));
+    // Apply rate limiting unless explicitly disabled
+    if (rateLimitConfig !== false) {
+        router.use((0, express_rate_limit_1.rateLimit)({
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            max: 100, // 100 requests per windowMs
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new errors_js_1.TooManyRequestsError('You have exceeded the rate limit for authorization requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    router.all("/", async (req, res) => {
+        var _a;
+        res.setHeader('Cache-Control', 'no-store');
+        // In the authorization flow, errors are split into two categories:
+        // 1. Pre-redirect errors (direct response with 400)
+        // 2. Post-redirect errors (redirect with error parameters)
+        // Phase 1: Validate client_id and redirect_uri. Any errors here must be direct responses.
+        let client_id, redirect_uri, client;
+        try {
+            const result = ClientAuthorizationParamsSchema.safeParse(req.method === 'POST' ? req.body : req.query);
+            if (!result.success) {
+                throw new errors_js_1.InvalidRequestError(result.error.message);
+            }
+            client_id = result.data.client_id;
+            redirect_uri = result.data.redirect_uri;
+            client = await provider.clientsStore.getClient(client_id);
+            if (!client) {
+                throw new errors_js_1.InvalidClientError("Invalid client_id");
+            }
+            if (redirect_uri !== undefined) {
+                if (!client.redirect_uris.includes(redirect_uri)) {
+                    throw new errors_js_1.InvalidRequestError("Unregistered redirect_uri");
+                }
+            }
+            else if (client.redirect_uris.length === 1) {
+                redirect_uri = client.redirect_uris[0];
+            }
+            else {
+                throw new errors_js_1.InvalidRequestError("redirect_uri must be specified when client has multiple registered URIs");
+            }
+        }
+        catch (error) {
+            // Pre-redirect errors - return direct response
+            //
+            // These don't need to be JSON encoded, as they'll be displayed in a user
+            // agent, but OTOH they all represent exceptional situations (arguably,
+            // "programmer error"), so presenting a nice HTML page doesn't help the
+            // user anyway.
+            if (error instanceof errors_js_1.OAuthError) {
+                const status = error instanceof errors_js_1.ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error looking up client:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+            return;
+        }
+        // Phase 2: Validate other parameters. Any errors here should go into redirect responses.
+        let state;
+        try {
+            // Parse and validate authorization parameters
+            const parseResult = RequestAuthorizationParamsSchema.safeParse(req.method === 'POST' ? req.body : req.query);
+            if (!parseResult.success) {
+                throw new errors_js_1.InvalidRequestError(parseResult.error.message);
+            }
+            const { scope, code_challenge } = parseResult.data;
+            state = parseResult.data.state;
+            // Validate scopes
+            let requestedScopes = [];
+            if (scope !== undefined) {
+                requestedScopes = scope.split(" ");
+                const allowedScopes = new Set((_a = client.scope) === null || _a === void 0 ? void 0 : _a.split(" "));
+                // Check each requested scope against allowed scopes
+                for (const scope of requestedScopes) {
+                    if (!allowedScopes.has(scope)) {
+                        throw new errors_js_1.InvalidScopeError(`Client was not registered with scope ${scope}`);
+                    }
+                }
+            }
+            // All validation passed, proceed with authorization
+            await provider.authorize(client, {
+                state,
+                scopes: requestedScopes,
+                redirectUri: redirect_uri,
+                codeChallenge: code_challenge,
+            }, res);
+        }
+        catch (error) {
+            // Post-redirect errors - redirect with error parameters
+            if (error instanceof errors_js_1.OAuthError) {
+                res.redirect(302, createErrorRedirect(redirect_uri, error, state));
+            }
+            else {
+                console.error("Unexpected error during authorization:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.redirect(302, createErrorRedirect(redirect_uri, serverError, state));
+            }
+        }
+    });
+    return router;
+}
+/**
+ * Helper function to create redirect URL with error parameters
+ */
+function createErrorRedirect(redirectUri, error, state) {
+    const errorUrl = new URL(redirectUri);
+    errorUrl.searchParams.set("error", error.errorCode);
+    errorUrl.searchParams.set("error_description", error.message);
+    if (error.errorUri) {
+        errorUrl.searchParams.set("error_uri", error.errorUri);
+    }
+    if (state) {
+        errorUrl.searchParams.set("state", state);
+    }
+    return errorUrl.href;
+}
+//# sourceMappingURL=authorize.js.map

package/dist/cjs/server/auth/handlers/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/authorize.ts"],"names":[],"mappings":";;;;;AAuCA,oDAmHC;AAzJD,6BAAwB;AACxB,sDAA8B;AAE9B,2DAA4E;AAC5E,uEAAiE;AACjE,4CAOsB;AAWtB,iEAAiE;AACjE,MAAM,+BAA+B,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,SAAS,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;CACnJ,CAAC,CAAC;AAEH,yHAAyH;AACzH,MAAM,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,aAAa,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAChC,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE;IAC1B,qBAAqB,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACxC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC;AAEH,SAAgB,oBAAoB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAA+B;IACxG,sCAAsC;IACtC,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAChC,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAc,EAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAC5C,MAAM,CAAC,GAAG,CAAC,iBAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAEpD,iDAAiD;IACjD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,IAAA,8BAAS,EAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,GAAG,EAAE,GAAG,EAAE,4BAA4B;YACtC,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,gCAAoB,CAAC,6DAA6D,CAAC,CAAC,gBAAgB,EAAE;YACnH,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;;QACjC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,mEAAmE;QACnE,oDAAoD;QACpD,2DAA2D;QAE3D,0FAA0F;QAC1F,IAAI,SAAS,EAAE,YAAY,EAAE,MAAM,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,+BAA+B,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACvG,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,+BAAmB,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACtD,CAAC;YAED,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC;YAClC,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;YAExC,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,8BAAkB,CAAC,mBAAmB,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBACjD,MAAM,IAAI,+BAAmB,CAAC,2BAA2B,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;iBAAM,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7C,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,+BAAmB,CAAC,yEAAyE,CAAC,CAAC;YAC3G,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,+CAA+C;YAC/C,EAAE;YACF,yEAAyE;YACzE,uEAAuE;YACvE,uEAAuE;YACvE,eAAe;YACf,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,uBAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;gBAC5D,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;YAED,OAAO;QACT,CAAC;QAED,yFAAyF;QACzF,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,8CAA8C;YAC9C,MAAM,WAAW,GAAG,gCAAgC,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC7G,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,EAAE,KAAK,EAAE,cAAc,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;YACnD,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;YAE/B,kBAAkB;YAClB,IAAI,eAAe,GAAa,EAAE,CAAC;YACnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACnC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAA,MAAM,CAAC,KAAK,0CAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;gBAExD,oDAAoD;gBACpD,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;oBACpC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC9B,MAAM,IAAI,6BAAiB,CAAC,wCAAwC,KAAK,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;YAED,oDAAoD;YACpD,MAAM,QAAQ,CAAC,SAAS,CAAC,MAAM,EAAE;gBAC/B,KAAK;gBACL,MAAM,EAAE,eAAe;gBACvB,WAAW,EAAE,YAAY;gBACzB,aAAa,EAAE,cAAc;aAC9B,EAAE,GAAG,CAAC,CAAC;QACV,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wDAAwD;YACxD,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBAChC,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,mBAAmB,CAAC,YAAY,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;YACrE,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;gBAC/D,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,mBAAmB,CAAC,YAAY,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,WAAmB,EAAE,KAAiB,EAAE,KAAc;IACjF,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IACpD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9D,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC"}

package/dist/cjs/server/auth/handlers/metadata.d.ts

@@ -0,0 +1,4 @@
+import { RequestHandler } from "express";
+import { OAuthMetadata } from "../../../shared/auth.js";
+export declare function metadataHandler(metadata: OAuthMetadata): RequestHandler;
+//# sourceMappingURL=metadata.d.ts.map

package/dist/cjs/server/auth/handlers/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/metadata.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAIxD,wBAAgB,eAAe,CAAC,QAAQ,EAAE,aAAa,GAAG,cAAc,CAavE"}

package/dist/cjs/server/auth/handlers/metadata.js

@@ -0,0 +1,21 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.metadataHandler = metadataHandler;
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const allowedMethods_js_1 = require("../middleware/allowedMethods.js");
+function metadataHandler(metadata) {
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express_1.default.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use((0, cors_1.default)());
+    router.use((0, allowedMethods_js_1.allowedMethods)(['GET']));
+    router.get("/", (req, res) => {
+        res.status(200).json(metadata);
+    });
+    return router;
+}
+//# sourceMappingURL=metadata.js.map

package/dist/cjs/server/auth/handlers/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/metadata.ts"],"names":[],"mappings":";;;;;AAKA,0CAaC;AAlBD,sDAAkD;AAElD,gDAAwB;AACxB,uEAAiE;AAEjE,SAAgB,eAAe,CAAC,QAAuB;IACrD,wEAAwE;IACxE,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAA,cAAI,GAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAc,EAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cjs/server/auth/handlers/register.d.ts

@@ -0,0 +1,23 @@
+import { RequestHandler } from "express";
+import { OAuthRegisteredClientsStore } from "../clients.js";
+import { Options as RateLimitOptions } from "express-rate-limit";
+export type ClientRegistrationHandlerOptions = {
+    /**
+     * A store used to save information about dynamically registered OAuth clients.
+     */
+    clientsStore: OAuthRegisteredClientsStore;
+    /**
+     * The number of seconds after which to expire issued client secrets, or 0 to prevent expiration of client secrets (not recommended).
+     *
+     * If not set, defaults to 30 days.
+     */
+    clientSecretExpirySeconds?: number;
+    /**
+     * Rate limiting configuration for the client registration endpoint.
+     * Set to false to disable rate limiting for this endpoint.
+     * Registration endpoints are particularly sensitive to abuse and should be rate limited.
+     */
+    rateLimit?: Partial<RateLimitOptions> | false;
+};
+export declare function clientRegistrationHandler({ clientsStore, clientSecretExpirySeconds, rateLimit: rateLimitConfig }: ClientRegistrationHandlerOptions): RequestHandler;
+//# sourceMappingURL=register.d.ts.map

package/dist/cjs/server/auth/handlers/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/register.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAIlD,OAAO,EAAE,2BAA2B,EAAE,MAAM,eAAe,CAAC;AAC5D,OAAO,EAAa,OAAO,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAS5E,MAAM,MAAM,gCAAgC,GAAG;IAC7C;;OAEG;IACH,YAAY,EAAE,2BAA2B,CAAC;IAE1C;;;;OAIG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC;;;;OAIG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC;CAC/C,CAAC;AAIF,wBAAgB,yBAAyB,CAAC,EACxC,YAAY,EACZ,yBAAgE,EAChE,SAAS,EAAE,eAAe,EAC3B,EAAE,gCAAgC,GAAG,cAAc,CAyEnD"}

package/dist/cjs/server/auth/handlers/register.js

@@ -0,0 +1,79 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clientRegistrationHandler = clientRegistrationHandler;
+const express_1 = __importDefault(require("express"));
+const auth_js_1 = require("../../../shared/auth.js");
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const cors_1 = __importDefault(require("cors"));
+const express_rate_limit_1 = require("express-rate-limit");
+const allowedMethods_js_1 = require("../middleware/allowedMethods.js");
+const errors_js_1 = require("../errors.js");
+const DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS = 30 * 24 * 60 * 60; // 30 days
+function clientRegistrationHandler({ clientsStore, clientSecretExpirySeconds = DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS, rateLimit: rateLimitConfig }) {
+    if (!clientsStore.registerClient) {
+        throw new Error("Client registration store does not support registering clients");
+    }
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express_1.default.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use((0, cors_1.default)());
+    router.use((0, allowedMethods_js_1.allowedMethods)(["POST"]));
+    router.use(express_1.default.json());
+    // Apply rate limiting unless explicitly disabled - stricter limits for registration
+    if (rateLimitConfig !== false) {
+        router.use((0, express_rate_limit_1.rateLimit)({
+            windowMs: 60 * 60 * 1000, // 1 hour
+            max: 20, // 20 requests per hour - stricter as registration is sensitive
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new errors_js_1.TooManyRequestsError('You have exceeded the rate limit for client registration requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    router.post("/", async (req, res) => {
+        res.setHeader('Cache-Control', 'no-store');
+        try {
+            const parseResult = auth_js_1.OAuthClientMetadataSchema.safeParse(req.body);
+            if (!parseResult.success) {
+                throw new errors_js_1.InvalidClientMetadataError(parseResult.error.message);
+            }
+            const clientMetadata = parseResult.data;
+            const isPublicClient = clientMetadata.token_endpoint_auth_method === 'none';
+            // Generate client credentials
+            const clientId = node_crypto_1.default.randomUUID();
+            const clientSecret = isPublicClient
+                ? undefined
+                : node_crypto_1.default.randomBytes(32).toString('hex');
+            const clientIdIssuedAt = Math.floor(Date.now() / 1000);
+            // Calculate client secret expiry time
+            const clientsDoExpire = clientSecretExpirySeconds > 0;
+            const secretExpiryTime = clientsDoExpire ? clientIdIssuedAt + clientSecretExpirySeconds : 0;
+            const clientSecretExpiresAt = isPublicClient ? undefined : secretExpiryTime;
+            let clientInfo = {
+                ...clientMetadata,
+                client_id: clientId,
+                client_secret: clientSecret,
+                client_id_issued_at: clientIdIssuedAt,
+                client_secret_expires_at: clientSecretExpiresAt,
+            };
+            clientInfo = await clientsStore.registerClient(clientInfo);
+            res.status(201).json(clientInfo);
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.OAuthError) {
+                const status = error instanceof errors_js_1.ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error registering client:", error);
+                const serverError = new errors_js_1.ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=register.js.map

package/dist/cjs/server/auth/handlers/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/register.ts"],"names":[],"mappings":";;;;;AAqCA,8DA6EC;AAlHD,sDAAkD;AAClD,qDAAgG;AAChG,8DAAiC;AACjC,gDAAwB;AAExB,2DAA4E;AAC5E,uEAAiE;AACjE,4CAKsB;AAuBtB,MAAM,oCAAoC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAE1E,SAAgB,yBAAyB,CAAC,EACxC,YAAY,EACZ,yBAAyB,GAAG,oCAAoC,EAChE,SAAS,EAAE,eAAe,EACO;IACjC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAA,cAAI,GAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,IAAA,kCAAc,EAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAE3B,oFAAoF;IACpF,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,IAAA,8BAAS,EAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;YACnC,GAAG,EAAE,EAAE,EAAE,+DAA+D;YACxE,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,gCAAoB,CAAC,mEAAmE,CAAC,CAAC,gBAAgB,EAAE;YACzH,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,mCAAyB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAClE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,sCAA0B,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAClE,CAAC;YAED,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,CAAC;YACxC,MAAM,cAAc,GAAG,cAAc,CAAC,0BAA0B,KAAK,MAAM,CAAA;YAE3E,8BAA8B;YAC9B,MAAM,QAAQ,GAAG,qBAAM,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,YAAY,GAAG,cAAc;gBACjC,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC3C,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAEvD,sCAAsC;YACtC,MAAM,eAAe,GAAG,yBAAyB,GAAG,CAAC,CAAA;YACrD,MAAM,gBAAgB,GAAG,eAAe,CAAC,CAAC,CAAC,gBAAgB,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAC,CAAA;YAC3F,MAAM,qBAAqB,GAAG,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAA;YAE3E,IAAI,UAAU,GAA+B;gBAC3C,GAAG,cAAc;gBACjB,SAAS,EAAE,QAAQ;gBACnB,aAAa,EAAE,YAAY;gBAC3B,mBAAmB,EAAE,gBAAgB;gBACrC,wBAAwB,EAAE,qBAAqB;aAChD,CAAC;YAEF,UAAU,GAAG,MAAM,YAAY,CAAC,cAAe,CAAC,UAAU,CAAC,CAAC;YAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,uBAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;gBAC7D,MAAM,WAAW,GAAG,IAAI,uBAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}