npm - @modelcontextprotocol/sdk - Versions diffs - 1.5.0 → 1.6.1 - Mend

@modelcontextprotocol/sdk 1.5.0 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/dist/cjs/client/auth.d.ts +116 -0
package/dist/cjs/client/auth.d.ts.map +1 -0
package/dist/cjs/client/auth.js +251 -0
package/dist/cjs/client/auth.js.map +1 -0
package/dist/cjs/client/sse.d.ts +43 -4
package/dist/cjs/client/sse.d.ts.map +1 -1
package/dist/cjs/client/sse.js +72 -5
package/dist/cjs/client/sse.js.map +1 -1
package/dist/cjs/server/auth/clients.d.ts +19 -0
package/dist/cjs/server/auth/clients.d.ts.map +1 -0
package/dist/cjs/server/auth/clients.js +3 -0
package/dist/cjs/server/auth/clients.js.map +1 -0
package/dist/cjs/server/auth/errors.d.ts +126 -0
package/dist/cjs/server/auth/errors.d.ts.map +1 -0
package/dist/cjs/server/auth/errors.js +189 -0
package/dist/cjs/server/auth/errors.js.map +1 -0
package/dist/cjs/server/auth/handlers/authorize.d.ts +13 -0
package/dist/cjs/server/auth/handlers/authorize.d.ts.map +1 -0
package/dist/cjs/server/auth/handlers/authorize.js +149 -0
package/dist/cjs/server/auth/handlers/authorize.js.map +1 -0
package/dist/cjs/server/auth/handlers/metadata.d.ts +4 -0
package/dist/cjs/server/auth/handlers/metadata.d.ts.map +1 -0
package/dist/cjs/server/auth/handlers/metadata.js +21 -0
package/dist/cjs/server/auth/handlers/metadata.js.map +1 -0
package/dist/cjs/server/auth/handlers/register.d.ts +23 -0
package/dist/cjs/server/auth/handlers/register.d.ts.map +1 -0
package/dist/cjs/server/auth/handlers/register.js +79 -0
package/dist/cjs/server/auth/handlers/register.js.map +1 -0
package/dist/cjs/server/auth/handlers/revoke.d.ts +13 -0
package/dist/cjs/server/auth/handlers/revoke.d.ts.map +1 -0
package/dist/cjs/server/auth/handlers/revoke.js +67 -0
package/dist/cjs/server/auth/handlers/revoke.js.map +1 -0
package/dist/cjs/server/auth/handlers/token.d.ts +13 -0
package/dist/cjs/server/auth/handlers/token.d.ts.map +1 -0
package/dist/cjs/server/auth/handlers/token.js +107 -0
package/dist/cjs/server/auth/handlers/token.js.map +1 -0
package/dist/cjs/server/auth/middleware/allowedMethods.d.ts +9 -0
package/dist/cjs/server/auth/middleware/allowedMethods.d.ts.map +1 -0
package/dist/cjs/server/auth/middleware/allowedMethods.js +23 -0
package/dist/cjs/server/auth/middleware/allowedMethods.js.map +1 -0
package/dist/cjs/server/auth/middleware/bearerAuth.d.ts +28 -0
package/dist/cjs/server/auth/middleware/bearerAuth.d.ts.map +1 -0
package/dist/cjs/server/auth/middleware/bearerAuth.js +59 -0
package/dist/cjs/server/auth/middleware/bearerAuth.js.map +1 -0
package/dist/cjs/server/auth/middleware/clientAuth.d.ts +19 -0
package/dist/cjs/server/auth/middleware/clientAuth.d.ts.map +1 -0
package/dist/cjs/server/auth/middleware/clientAuth.js +53 -0
package/dist/cjs/server/auth/middleware/clientAuth.js.map +1 -0
package/dist/cjs/server/auth/provider.d.ts +50 -0
package/dist/cjs/server/auth/provider.d.ts.map +1 -0
package/dist/cjs/server/auth/provider.js +3 -0
package/dist/cjs/server/auth/provider.js.map +1 -0
package/dist/cjs/server/auth/router.d.ts +36 -0
package/dist/cjs/server/auth/router.d.ts.map +1 -0
package/dist/cjs/server/auth/router.js +68 -0
package/dist/cjs/server/auth/router.js.map +1 -0
package/dist/cjs/server/auth/types.d.ts +22 -0
package/dist/cjs/server/auth/types.d.ts.map +1 -0
package/dist/cjs/server/auth/types.js +3 -0
package/dist/cjs/server/auth/types.js.map +1 -0
package/dist/cjs/server/mcp.d.ts.map +1 -1
package/dist/cjs/server/mcp.js +3 -1
package/dist/cjs/server/mcp.js.map +1 -1
package/dist/cjs/shared/auth.d.ts +271 -0
package/dist/cjs/shared/auth.d.ts.map +1 -0
package/dist/cjs/shared/auth.js +106 -0
package/dist/cjs/shared/auth.js.map +1 -0
package/dist/cjs/shared/protocol.d.ts +16 -0
package/dist/cjs/shared/protocol.d.ts.map +1 -1
package/dist/cjs/shared/protocol.js +66 -33
package/dist/cjs/shared/protocol.js.map +1 -1
package/dist/cjs/types.d.ts.map +1 -1
package/dist/cjs/types.js +1 -0
package/dist/cjs/types.js.map +1 -1
package/dist/esm/client/auth.d.ts +116 -0
package/dist/esm/client/auth.d.ts.map +1 -0
package/dist/esm/client/auth.js +238 -0
package/dist/esm/client/auth.js.map +1 -0
package/dist/esm/client/sse.d.ts +43 -4
package/dist/esm/client/sse.d.ts.map +1 -1
package/dist/esm/client/sse.js +72 -5
package/dist/esm/client/sse.js.map +1 -1
package/dist/esm/server/auth/clients.d.ts +19 -0
package/dist/esm/server/auth/clients.d.ts.map +1 -0
package/dist/esm/server/auth/clients.js +2 -0
package/dist/esm/server/auth/clients.js.map +1 -0
package/dist/esm/server/auth/errors.d.ts +126 -0
package/dist/esm/server/auth/errors.d.ts.map +1 -0
package/dist/esm/server/auth/errors.js +169 -0
package/dist/esm/server/auth/errors.js.map +1 -0
package/dist/esm/server/auth/handlers/authorize.d.ts +13 -0
package/dist/esm/server/auth/handlers/authorize.d.ts.map +1 -0
package/dist/esm/server/auth/handlers/authorize.js +143 -0
package/dist/esm/server/auth/handlers/authorize.js.map +1 -0
package/dist/esm/server/auth/handlers/metadata.d.ts +4 -0
package/dist/esm/server/auth/handlers/metadata.d.ts.map +1 -0
package/dist/esm/server/auth/handlers/metadata.js +15 -0
package/dist/esm/server/auth/handlers/metadata.js.map +1 -0
package/dist/esm/server/auth/handlers/register.d.ts +23 -0
package/dist/esm/server/auth/handlers/register.d.ts.map +1 -0
package/dist/esm/server/auth/handlers/register.js +73 -0
package/dist/esm/server/auth/handlers/register.js.map +1 -0
package/dist/esm/server/auth/handlers/revoke.d.ts +13 -0
package/dist/esm/server/auth/handlers/revoke.d.ts.map +1 -0
package/dist/esm/server/auth/handlers/revoke.js +61 -0
package/dist/esm/server/auth/handlers/revoke.js.map +1 -0
package/dist/esm/server/auth/handlers/token.d.ts +13 -0
package/dist/esm/server/auth/handlers/token.d.ts.map +1 -0
package/dist/esm/server/auth/handlers/token.js +101 -0
package/dist/esm/server/auth/handlers/token.js.map +1 -0
package/dist/esm/server/auth/middleware/allowedMethods.d.ts +9 -0
package/dist/esm/server/auth/middleware/allowedMethods.d.ts.map +1 -0
package/dist/esm/server/auth/middleware/allowedMethods.js +20 -0
package/dist/esm/server/auth/middleware/allowedMethods.js.map +1 -0
package/dist/esm/server/auth/middleware/bearerAuth.d.ts +28 -0
package/dist/esm/server/auth/middleware/bearerAuth.d.ts.map +1 -0
package/dist/esm/server/auth/middleware/bearerAuth.js +56 -0
package/dist/esm/server/auth/middleware/bearerAuth.js.map +1 -0
package/dist/esm/server/auth/middleware/clientAuth.d.ts +19 -0
package/dist/esm/server/auth/middleware/clientAuth.d.ts.map +1 -0
package/dist/esm/server/auth/middleware/clientAuth.js +50 -0
package/dist/esm/server/auth/middleware/clientAuth.js.map +1 -0
package/dist/esm/server/auth/provider.d.ts +50 -0
package/dist/esm/server/auth/provider.d.ts.map +1 -0
package/dist/esm/server/auth/provider.js +2 -0
package/dist/esm/server/auth/provider.js.map +1 -0
package/dist/esm/server/auth/router.d.ts +36 -0
package/dist/esm/server/auth/router.d.ts.map +1 -0
package/dist/esm/server/auth/router.js +62 -0
package/dist/esm/server/auth/router.js.map +1 -0
package/dist/esm/server/auth/types.d.ts +22 -0
package/dist/esm/server/auth/types.d.ts.map +1 -0
package/dist/esm/server/auth/types.js +2 -0
package/dist/esm/server/auth/types.js.map +1 -0
package/dist/esm/server/mcp.d.ts.map +1 -1
package/dist/esm/server/mcp.js +3 -1
package/dist/esm/server/mcp.js.map +1 -1
package/dist/esm/shared/auth.d.ts +271 -0
package/dist/esm/shared/auth.d.ts.map +1 -0
package/dist/esm/shared/auth.js +103 -0
package/dist/esm/shared/auth.js.map +1 -0
package/dist/esm/shared/protocol.d.ts +16 -0
package/dist/esm/shared/protocol.d.ts.map +1 -1
package/dist/esm/shared/protocol.js +66 -33
package/dist/esm/shared/protocol.js.map +1 -1
package/dist/esm/types.d.ts.map +1 -1
package/dist/esm/types.js +1 -0
package/dist/esm/types.js.map +1 -1
package/package.json +10 -3

package/dist/esm/server/auth/handlers/register.js ADDED Viewed

@@ -0,0 +1,73 @@
+import express from "express";
+import { OAuthClientMetadataSchema } from "../../../shared/auth.js";
+import crypto from 'node:crypto';
+import cors from 'cors';
+import { rateLimit } from "express-rate-limit";
+import { allowedMethods } from "../middleware/allowedMethods.js";
+import { InvalidClientMetadataError, ServerError, TooManyRequestsError, OAuthError } from "../errors.js";
+const DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS = 30 * 24 * 60 * 60; // 30 days
+export function clientRegistrationHandler({ clientsStore, clientSecretExpirySeconds = DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS, rateLimit: rateLimitConfig }) {
+    if (!clientsStore.registerClient) {
+        throw new Error("Client registration store does not support registering clients");
+    }
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use(cors());
+    router.use(allowedMethods(["POST"]));
+    router.use(express.json());
+    // Apply rate limiting unless explicitly disabled - stricter limits for registration
+    if (rateLimitConfig !== false) {
+        router.use(rateLimit({
+            windowMs: 60 * 60 * 1000, // 1 hour
+            max: 20, // 20 requests per hour - stricter as registration is sensitive
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new TooManyRequestsError('You have exceeded the rate limit for client registration requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    router.post("/", async (req, res) => {
+        res.setHeader('Cache-Control', 'no-store');
+        try {
+            const parseResult = OAuthClientMetadataSchema.safeParse(req.body);
+            if (!parseResult.success) {
+                throw new InvalidClientMetadataError(parseResult.error.message);
+            }
+            const clientMetadata = parseResult.data;
+            const isPublicClient = clientMetadata.token_endpoint_auth_method === 'none';
+            // Generate client credentials
+            const clientId = crypto.randomUUID();
+            const clientSecret = isPublicClient
+                ? undefined
+                : crypto.randomBytes(32).toString('hex');
+            const clientIdIssuedAt = Math.floor(Date.now() / 1000);
+            // Calculate client secret expiry time
+            const clientsDoExpire = clientSecretExpirySeconds > 0;
+            const secretExpiryTime = clientsDoExpire ? clientIdIssuedAt + clientSecretExpirySeconds : 0;
+            const clientSecretExpiresAt = isPublicClient ? undefined : secretExpiryTime;
+            let clientInfo = {
+                ...clientMetadata,
+                client_id: clientId,
+                client_secret: clientSecret,
+                client_id_issued_at: clientIdIssuedAt,
+                client_secret_expires_at: clientSecretExpiresAt,
+            };
+            clientInfo = await clientsStore.registerClient(clientInfo);
+            res.status(201).json(clientInfo);
+        }
+        catch (error) {
+            if (error instanceof OAuthError) {
+                const status = error instanceof ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error registering client:", error);
+                const serverError = new ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=register.js.map

package/dist/esm/server/auth/handlers/register.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"register.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/register.ts"],"names":[],"mappings":"AAAA,OAAO,OAA2B,MAAM,SAAS,CAAC;AAClD,OAAO,EAA8B,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AAChG,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,SAAS,EAA+B,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EACL,0BAA0B,EAC1B,WAAW,EACX,oBAAoB,EACpB,UAAU,EACX,MAAM,cAAc,CAAC;AAuBtB,MAAM,oCAAoC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAE1E,MAAM,UAAU,yBAAyB,CAAC,EACxC,YAAY,EACZ,yBAAyB,GAAG,oCAAoC,EAChE,SAAS,EAAE,eAAe,EACO;IACjC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAE3B,oFAAoF;IACpF,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;YACnC,GAAG,EAAE,EAAE,EAAE,+DAA+D;YACxE,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,oBAAoB,CAAC,mEAAmE,CAAC,CAAC,gBAAgB,EAAE;YACzH,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,yBAAyB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAClE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,0BAA0B,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAClE,CAAC;YAED,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,CAAC;YACxC,MAAM,cAAc,GAAG,cAAc,CAAC,0BAA0B,KAAK,MAAM,CAAA;YAE3E,8BAA8B;YAC9B,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,YAAY,GAAG,cAAc;gBACjC,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC3C,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAEvD,sCAAsC;YACtC,MAAM,eAAe,GAAG,yBAAyB,GAAG,CAAC,CAAA;YACrD,MAAM,gBAAgB,GAAG,eAAe,CAAC,CAAC,CAAC,gBAAgB,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAC,CAAA;YAC3F,MAAM,qBAAqB,GAAG,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAA;YAE3E,IAAI,UAAU,GAA+B;gBAC3C,GAAG,cAAc;gBACjB,SAAS,EAAE,QAAQ;gBACnB,aAAa,EAAE,YAAY;gBAC3B,mBAAmB,EAAE,gBAAgB;gBACrC,wBAAwB,EAAE,qBAAqB;aAChD,CAAC;YAEF,UAAU,GAAG,MAAM,YAAY,CAAC,cAAe,CAAC,UAAU,CAAC,CAAC;YAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;gBAC7D,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/esm/server/auth/handlers/revoke.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { OAuthServerProvider } from "../provider.js";
+import { RequestHandler } from "express";
+import { Options as RateLimitOptions } from "express-rate-limit";
+export type RevocationHandlerOptions = {
+    provider: OAuthServerProvider;
+    /**
+     * Rate limiting configuration for the token revocation endpoint.
+     * Set to false to disable rate limiting for this endpoint.
+     */
+    rateLimit?: Partial<RateLimitOptions> | false;
+};
+export declare function revocationHandler({ provider, rateLimit: rateLimitConfig }: RevocationHandlerOptions): RequestHandler;
+//# sourceMappingURL=revoke.d.ts.map

package/dist/esm/server/auth/handlers/revoke.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAIlD,OAAO,EAAa,OAAO,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAS5E,MAAM,MAAM,wBAAwB,GAAG;IACrC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC;CAC/C,CAAC;AAEF,wBAAgB,iBAAiB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,wBAAwB,GAAG,cAAc,CA4DpH"}

package/dist/esm/server/auth/handlers/revoke.js ADDED Viewed

@@ -0,0 +1,61 @@
+import express from "express";
+import cors from "cors";
+import { authenticateClient } from "../middleware/clientAuth.js";
+import { OAuthTokenRevocationRequestSchema } from "../../../shared/auth.js";
+import { rateLimit } from "express-rate-limit";
+import { allowedMethods } from "../middleware/allowedMethods.js";
+import { InvalidRequestError, ServerError, TooManyRequestsError, OAuthError } from "../errors.js";
+export function revocationHandler({ provider, rateLimit: rateLimitConfig }) {
+    if (!provider.revokeToken) {
+        throw new Error("Auth provider does not support revoking tokens");
+    }
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use(cors());
+    router.use(allowedMethods(["POST"]));
+    router.use(express.urlencoded({ extended: false }));
+    // Apply rate limiting unless explicitly disabled
+    if (rateLimitConfig !== false) {
+        router.use(rateLimit({
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            max: 50, // 50 requests per windowMs
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new TooManyRequestsError('You have exceeded the rate limit for token revocation requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    // Authenticate and extract client details
+    router.use(authenticateClient({ clientsStore: provider.clientsStore }));
+    router.post("/", async (req, res) => {
+        res.setHeader('Cache-Control', 'no-store');
+        try {
+            const parseResult = OAuthTokenRevocationRequestSchema.safeParse(req.body);
+            if (!parseResult.success) {
+                throw new InvalidRequestError(parseResult.error.message);
+            }
+            const client = req.client;
+            if (!client) {
+                // This should never happen
+                console.error("Missing client information after authentication");
+                throw new ServerError("Internal Server Error");
+            }
+            await provider.revokeToken(client, parseResult.data);
+            res.status(200).json({});
+        }
+        catch (error) {
+            if (error instanceof OAuthError) {
+                const status = error instanceof ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error revoking token:", error);
+                const serverError = new ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=revoke.js.map

package/dist/esm/server/auth/handlers/revoke.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/revoke.ts"],"names":[],"mappings":"AACA,OAAO,OAA2B,MAAM,SAAS,CAAC;AAClD,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,iCAAiC,EAAE,MAAM,yBAAyB,CAAC;AAC5E,OAAO,EAAE,SAAS,EAA+B,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,UAAU,EACX,MAAM,cAAc,CAAC;AAWtB,MAAM,UAAU,iBAAiB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAA4B;IAClG,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAEpD,iDAAiD;IACjD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,GAAG,EAAE,EAAE,EAAE,2BAA2B;YACpC,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,oBAAoB,CAAC,gEAAgE,CAAC,CAAC,gBAAgB,EAAE;YACtH,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,0CAA0C;IAC1C,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAExE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,iCAAiC,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC1E,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;YAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,2BAA2B;gBAC3B,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACjE,MAAM,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,QAAQ,CAAC,WAAY,CAAC,MAAM,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC;YACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;gBACzD,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/esm/server/auth/handlers/token.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { RequestHandler } from "express";
+import { OAuthServerProvider } from "../provider.js";
+import { Options as RateLimitOptions } from "express-rate-limit";
+export type TokenHandlerOptions = {
+    provider: OAuthServerProvider;
+    /**
+     * Rate limiting configuration for the token endpoint.
+     * Set to false to disable rate limiting for this endpoint.
+     */
+    rateLimit?: Partial<RateLimitOptions> | false;
+};
+export declare function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHandlerOptions): RequestHandler;
+//# sourceMappingURL=token.d.ts.map

package/dist/esm/server/auth/handlers/token.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/token.ts"],"names":[],"mappings":"AACA,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAIrD,OAAO,EAAa,OAAO,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAW5E,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC;CAC/C,CAAC;AAgBF,wBAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,mBAAmB,GAAG,cAAc,CAkG1G"}

package/dist/esm/server/auth/handlers/token.js ADDED Viewed

@@ -0,0 +1,101 @@
+import { z } from "zod";
+import express from "express";
+import cors from "cors";
+import { verifyChallenge } from "pkce-challenge";
+import { authenticateClient } from "../middleware/clientAuth.js";
+import { rateLimit } from "express-rate-limit";
+import { allowedMethods } from "../middleware/allowedMethods.js";
+import { InvalidRequestError, InvalidGrantError, UnsupportedGrantTypeError, ServerError, TooManyRequestsError, OAuthError } from "../errors.js";
+const TokenRequestSchema = z.object({
+    grant_type: z.string(),
+});
+const AuthorizationCodeGrantSchema = z.object({
+    code: z.string(),
+    code_verifier: z.string(),
+});
+const RefreshTokenGrantSchema = z.object({
+    refresh_token: z.string(),
+    scope: z.string().optional(),
+});
+export function tokenHandler({ provider, rateLimit: rateLimitConfig }) {
+    // Nested router so we can configure middleware and restrict HTTP method
+    const router = express.Router();
+    // Configure CORS to allow any origin, to make accessible to web-based MCP clients
+    router.use(cors());
+    router.use(allowedMethods(["POST"]));
+    router.use(express.urlencoded({ extended: false }));
+    // Apply rate limiting unless explicitly disabled
+    if (rateLimitConfig !== false) {
+        router.use(rateLimit({
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            max: 50, // 50 requests per windowMs
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: new TooManyRequestsError('You have exceeded the rate limit for token requests').toResponseObject(),
+            ...rateLimitConfig
+        }));
+    }
+    // Authenticate and extract client details
+    router.use(authenticateClient({ clientsStore: provider.clientsStore }));
+    router.post("/", async (req, res) => {
+        res.setHeader('Cache-Control', 'no-store');
+        try {
+            const parseResult = TokenRequestSchema.safeParse(req.body);
+            if (!parseResult.success) {
+                throw new InvalidRequestError(parseResult.error.message);
+            }
+            const { grant_type } = parseResult.data;
+            const client = req.client;
+            if (!client) {
+                // This should never happen
+                console.error("Missing client information after authentication");
+                throw new ServerError("Internal Server Error");
+            }
+            switch (grant_type) {
+                case "authorization_code": {
+                    const parseResult = AuthorizationCodeGrantSchema.safeParse(req.body);
+                    if (!parseResult.success) {
+                        throw new InvalidRequestError(parseResult.error.message);
+                    }
+                    const { code, code_verifier } = parseResult.data;
+                    // Verify PKCE challenge
+                    const codeChallenge = await provider.challengeForAuthorizationCode(client, code);
+                    if (!(await verifyChallenge(code_verifier, codeChallenge))) {
+                        throw new InvalidGrantError("code_verifier does not match the challenge");
+                    }
+                    const tokens = await provider.exchangeAuthorizationCode(client, code);
+                    res.status(200).json(tokens);
+                    break;
+                }
+                case "refresh_token": {
+                    const parseResult = RefreshTokenGrantSchema.safeParse(req.body);
+                    if (!parseResult.success) {
+                        throw new InvalidRequestError(parseResult.error.message);
+                    }
+                    const { refresh_token, scope } = parseResult.data;
+                    const scopes = scope === null || scope === void 0 ? void 0 : scope.split(" ");
+                    const tokens = await provider.exchangeRefreshToken(client, refresh_token, scopes);
+                    res.status(200).json(tokens);
+                    break;
+                }
+                // Not supported right now
+                //case "client_credentials":
+                default:
+                    throw new UnsupportedGrantTypeError("The grant type is not supported by this authorization server.");
+            }
+        }
+        catch (error) {
+            if (error instanceof OAuthError) {
+                const status = error instanceof ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error exchanging token:", error);
+                const serverError = new ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=token.js.map

package/dist/esm/server/auth/handlers/token.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token.js","sourceRoot":"","sources":["../../../../../src/server/auth/handlers/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,OAA2B,MAAM,SAAS,CAAC;AAElD,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,SAAS,EAA+B,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,yBAAyB,EACzB,WAAW,EACX,oBAAoB,EACpB,UAAU,EACX,MAAM,cAAc,CAAC;AAWtB,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;CACvB,CAAC,CAAC;AAEH,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;CAC1B,CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;IACzB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC;AAEH,MAAM,UAAU,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAuB;IACxF,wEAAwE;IACxE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,kFAAkF;IAClF,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAEnB,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAEpD,iDAAiD;IACjD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;YACvC,GAAG,EAAE,EAAE,EAAE,4BAA4B;YACrC,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,IAAI,oBAAoB,CAAC,qDAAqD,CAAC,CAAC,gBAAgB,EAAE;YAC3G,GAAG,eAAe;SACnB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,0CAA0C;IAC1C,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAExE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,kBAAkB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;gBACzB,MAAM,IAAI,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,EAAE,UAAU,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;YAExC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;YAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,2BAA2B;gBAC3B,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACjE,MAAM,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;YACjD,CAAC;YAED,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,oBAAoB,CAAC,CAAC,CAAC;oBAC1B,MAAM,WAAW,GAAG,4BAA4B,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBACrE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;wBACzB,MAAM,IAAI,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC3D,CAAC;oBAED,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;oBAEjD,wBAAwB;oBACxB,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,6BAA6B,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;oBACjF,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC,EAAE,CAAC;wBAC3D,MAAM,IAAI,iBAAiB,CAAC,4CAA4C,CAAC,CAAC;oBAC5E,CAAC;oBAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,yBAAyB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;oBACtE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,KAAK,eAAe,CAAC,CAAC,CAAC;oBACrB,MAAM,WAAW,GAAG,uBAAuB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAChE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;wBACzB,MAAM,IAAI,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC3D,CAAC;oBAED,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC;oBAElD,MAAM,MAAM,GAAG,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CAAC,GAAG,CAAC,CAAC;oBACjC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;oBAClF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,0BAA0B;gBAC1B,4BAA4B;gBAE5B;oBACE,MAAM,IAAI,yBAAyB,CACjC,+DAA+D,CAChE,CAAC;YACN,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;gBAC3D,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/esm/server/auth/middleware/allowedMethods.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import { RequestHandler } from "express";
+/**
+ * Middleware to handle unsupported HTTP methods with a 405 Method Not Allowed response.
+ *
+ * @param allowedMethods Array of allowed HTTP methods for this endpoint (e.g., ['GET', 'POST'])
+ * @returns Express middleware that returns a 405 error if method not in allowed list
+ */
+export declare function allowedMethods(allowedMethods: string[]): RequestHandler;
+//# sourceMappingURL=allowedMethods.d.ts.map

package/dist/esm/server/auth/middleware/allowedMethods.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"allowedMethods.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/allowedMethods.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGzC;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,cAAc,EAAE,MAAM,EAAE,GAAG,cAAc,CAYvE"}

package/dist/esm/server/auth/middleware/allowedMethods.js ADDED Viewed

@@ -0,0 +1,20 @@
+import { MethodNotAllowedError } from "../errors.js";
+/**
+ * Middleware to handle unsupported HTTP methods with a 405 Method Not Allowed response.
+ *
+ * @param allowedMethods Array of allowed HTTP methods for this endpoint (e.g., ['GET', 'POST'])
+ * @returns Express middleware that returns a 405 error if method not in allowed list
+ */
+export function allowedMethods(allowedMethods) {
+    return (req, res, next) => {
+        if (allowedMethods.includes(req.method)) {
+            next();
+            return;
+        }
+        const error = new MethodNotAllowedError(`The method ${req.method} is not allowed for this endpoint`);
+        res.status(405)
+            .set('Allow', allowedMethods.join(', '))
+            .json(error.toResponseObject());
+    };
+}
+//# sourceMappingURL=allowedMethods.js.map

package/dist/esm/server/auth/middleware/allowedMethods.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"allowedMethods.js","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/allowedMethods.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAErD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,cAAwB;IACrD,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,IAAI,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,qBAAqB,CAAC,cAAc,GAAG,CAAC,MAAM,mCAAmC,CAAC,CAAC;QACrG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;aACZ,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;aACvC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACpC,CAAC,CAAC;AACJ,CAAC"}

package/dist/esm/server/auth/middleware/bearerAuth.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import { RequestHandler } from "express";
+import { OAuthServerProvider } from "../provider.js";
+import { AuthInfo } from "../types.js";
+export type BearerAuthMiddlewareOptions = {
+    /**
+     * A provider used to verify tokens.
+     */
+    provider: OAuthServerProvider;
+    /**
+     * Optional scopes that the token must have.
+     */
+    requiredScopes?: string[];
+};
+declare module "express-serve-static-core" {
+    interface Request {
+        /**
+         * Information about the validated access token, if the `requireBearerAuth` middleware was used.
+         */
+        auth?: AuthInfo;
+    }
+}
+/**
+ * Middleware that requires a valid Bearer token in the Authorization header.
+ *
+ * This will validate the token with the auth provider and add the resulting auth info to the request object.
+ */
+export declare function requireBearerAuth({ provider, requiredScopes }: BearerAuthMiddlewareOptions): RequestHandler;
+//# sourceMappingURL=bearerAuth.d.ts.map

package/dist/esm/server/auth/middleware/bearerAuth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"bearerAuth.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/bearerAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,MAAM,MAAM,2BAA2B,GAAG;IACxC;;OAEG;IACH,QAAQ,EAAE,mBAAmB,CAAC;IAE9B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B,CAAC;AAEF,OAAO,QAAQ,2BAA2B,CAAC;IACzC,UAAU,OAAO;QACf;;WAEG;QACH,IAAI,CAAC,EAAE,QAAQ,CAAC;KACjB;CACF;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,QAAQ,EAAE,cAAmB,EAAE,EAAE,2BAA2B,GAAG,cAAc,CAmDhH"}

package/dist/esm/server/auth/middleware/bearerAuth.js ADDED Viewed

@@ -0,0 +1,56 @@
+import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
+/**
+ * Middleware that requires a valid Bearer token in the Authorization header.
+ *
+ * This will validate the token with the auth provider and add the resulting auth info to the request object.
+ */
+export function requireBearerAuth({ provider, requiredScopes = [] }) {
+    return async (req, res, next) => {
+        try {
+            const authHeader = req.headers.authorization;
+            if (!authHeader) {
+                throw new InvalidTokenError("Missing Authorization header");
+            }
+            const [type, token] = authHeader.split(' ');
+            if (type.toLowerCase() !== 'bearer' || !token) {
+                throw new InvalidTokenError("Invalid Authorization header format, expected 'Bearer TOKEN'");
+            }
+            const authInfo = await provider.verifyAccessToken(token);
+            // Check if token has the required scopes (if any)
+            if (requiredScopes.length > 0) {
+                const hasAllScopes = requiredScopes.every(scope => authInfo.scopes.includes(scope));
+                if (!hasAllScopes) {
+                    throw new InsufficientScopeError("Insufficient scope");
+                }
+            }
+            // Check if the token is expired
+            if (!!authInfo.expiresAt && authInfo.expiresAt < Date.now() / 1000) {
+                throw new InvalidTokenError("Token has expired");
+            }
+            req.auth = authInfo;
+            next();
+        }
+        catch (error) {
+            if (error instanceof InvalidTokenError) {
+                res.set("WWW-Authenticate", `Bearer error="${error.errorCode}", error_description="${error.message}"`);
+                res.status(401).json(error.toResponseObject());
+            }
+            else if (error instanceof InsufficientScopeError) {
+                res.set("WWW-Authenticate", `Bearer error="${error.errorCode}", error_description="${error.message}"`);
+                res.status(403).json(error.toResponseObject());
+            }
+            else if (error instanceof ServerError) {
+                res.status(500).json(error.toResponseObject());
+            }
+            else if (error instanceof OAuthError) {
+                res.status(400).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error authenticating bearer token:", error);
+                const serverError = new ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    };
+}
+//# sourceMappingURL=bearerAuth.js.map

package/dist/esm/server/auth/middleware/bearerAuth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"bearerAuth.js","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/bearerAuth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAyBlG;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAE,QAAQ,EAAE,cAAc,GAAG,EAAE,EAA+B;IAC9F,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9C,MAAM,IAAI,iBAAiB,CAAC,8DAA8D,CAAC,CAAC;YAC9F,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAEzD,kDAAkD;YAClD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAChD,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAChC,CAAC;gBAEF,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,MAAM,IAAI,sBAAsB,CAAC,oBAAoB,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAED,gCAAgC;YAChC,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;gBACnE,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;YAED,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC;YACpB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;gBACvC,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,iBAAiB,KAAK,CAAC,SAAS,yBAAyB,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;gBACvG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,YAAY,sBAAsB,EAAE,CAAC;gBACnD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,iBAAiB,KAAK,CAAC,SAAS,yBAAyB,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;gBACvG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBACtE,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/esm/server/auth/middleware/clientAuth.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { RequestHandler } from "express";
+import { OAuthRegisteredClientsStore } from "../clients.js";
+import { OAuthClientInformationFull } from "../../../shared/auth.js";
+export type ClientAuthenticationMiddlewareOptions = {
+    /**
+     * A store used to read information about registered OAuth clients.
+     */
+    clientsStore: OAuthRegisteredClientsStore;
+};
+declare module "express-serve-static-core" {
+    interface Request {
+        /**
+         * The authenticated client for this request, if the `authenticateClient` middleware was used.
+         */
+        client?: OAuthClientInformationFull;
+    }
+}
+export declare function authenticateClient({ clientsStore }: ClientAuthenticationMiddlewareOptions): RequestHandler;
+//# sourceMappingURL=clientAuth.d.ts.map

package/dist/esm/server/auth/middleware/clientAuth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clientAuth.d.ts","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/clientAuth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,2BAA2B,EAAE,MAAM,eAAe,CAAC;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AAGrE,MAAM,MAAM,qCAAqC,GAAG;IAClD;;OAEG;IACH,YAAY,EAAE,2BAA2B,CAAC;CAC3C,CAAA;AAOD,OAAO,QAAQ,2BAA2B,CAAC;IACzC,UAAU,OAAO;QACf;;WAEG;QACH,MAAM,CAAC,EAAE,0BAA0B,CAAC;KACrC;CACF;AAED,wBAAgB,kBAAkB,CAAC,EAAE,YAAY,EAAE,EAAE,qCAAqC,GAAG,cAAc,CA6C1G"}

package/dist/esm/server/auth/middleware/clientAuth.js ADDED Viewed

@@ -0,0 +1,50 @@
+import { z } from "zod";
+import { InvalidRequestError, InvalidClientError, ServerError, OAuthError } from "../errors.js";
+const ClientAuthenticatedRequestSchema = z.object({
+    client_id: z.string(),
+    client_secret: z.string().optional(),
+});
+export function authenticateClient({ clientsStore }) {
+    return async (req, res, next) => {
+        try {
+            const result = ClientAuthenticatedRequestSchema.safeParse(req.body);
+            if (!result.success) {
+                throw new InvalidRequestError(String(result.error));
+            }
+            const { client_id, client_secret } = result.data;
+            const client = await clientsStore.getClient(client_id);
+            if (!client) {
+                throw new InvalidClientError("Invalid client_id");
+            }
+            // If client has a secret, validate it
+            if (client.client_secret) {
+                // Check if client_secret is required but not provided
+                if (!client_secret) {
+                    throw new InvalidClientError("Client secret is required");
+                }
+                // Check if client_secret matches
+                if (client.client_secret !== client_secret) {
+                    throw new InvalidClientError("Invalid client_secret");
+                }
+                // Check if client_secret has expired
+                if (client.client_secret_expires_at && client.client_secret_expires_at < Math.floor(Date.now() / 1000)) {
+                    throw new InvalidClientError("Client secret has expired");
+                }
+            }
+            req.client = client;
+            next();
+        }
+        catch (error) {
+            if (error instanceof OAuthError) {
+                const status = error instanceof ServerError ? 500 : 400;
+                res.status(status).json(error.toResponseObject());
+            }
+            else {
+                console.error("Unexpected error authenticating client:", error);
+                const serverError = new ServerError("Internal Server Error");
+                res.status(500).json(serverError.toResponseObject());
+            }
+        }
+    };
+}
+//# sourceMappingURL=clientAuth.js.map

package/dist/esm/server/auth/middleware/clientAuth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clientAuth.js","sourceRoot":"","sources":["../../../../../src/server/auth/middleware/clientAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAShG,MAAM,gCAAgC,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAWH,MAAM,UAAU,kBAAkB,CAAC,EAAE,YAAY,EAAyC;IACxF,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,gCAAgC,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC;YACjD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;YACpD,CAAC;YAED,sCAAsC;YACtC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACzB,sDAAsD;gBACtD,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;gBAC5D,CAAC;gBAED,iCAAiC;gBACjC,IAAI,MAAM,CAAC,aAAa,KAAK,aAAa,EAAE,CAAC;oBAC3C,MAAM,IAAI,kBAAkB,CAAC,uBAAuB,CAAC,CAAC;gBACxD,CAAC;gBAED,qCAAqC;gBACrC,IAAI,MAAM,CAAC,wBAAwB,IAAI,MAAM,CAAC,wBAAwB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;oBACvG,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;gBAC5D,CAAC;YACH,CAAC;YAED,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;YACpB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,KAAK,YAAY,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;gBAChE,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,uBAAuB,CAAC,CAAC;gBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}

package/dist/esm/server/auth/provider.d.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import { Response } from "express";
+import { OAuthRegisteredClientsStore } from "./clients.js";
+import { OAuthClientInformationFull, OAuthTokenRevocationRequest, OAuthTokens } from "../../shared/auth.js";
+import { AuthInfo } from "./types.js";
+export type AuthorizationParams = {
+    state?: string;
+    scopes?: string[];
+    codeChallenge: string;
+    redirectUri: string;
+};
+/**
+ * Implements an end-to-end OAuth server.
+ */
+export interface OAuthServerProvider {
+    /**
+     * A store used to read information about registered OAuth clients.
+     */
+    get clientsStore(): OAuthRegisteredClientsStore;
+    /**
+     * Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.
+     *
+     * This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:
+     * - In the successful case, the redirect MUST include the `code` and `state` (if present) query parameters.
+     * - In the error case, the redirect MUST include the `error` query parameter, and MAY include an optional `error_description` query parameter.
+     */
+    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
+    /**
+     * Returns the `codeChallenge` that was used when the indicated authorization began.
+     */
+    challengeForAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
+    /**
+     * Exchanges an authorization code for an access token.
+     */
+    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<OAuthTokens>;
+    /**
+     * Exchanges a refresh token for an access token.
+     */
+    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[]): Promise<OAuthTokens>;
+    /**
+     * Verifies an access token and returns information about it.
+     */
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    /**
+     * Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).
+     *
+     * If the given token is invalid or already revoked, this method should do nothing.
+     */
+    revokeToken?(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/esm/server/auth/provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,0BAA0B,EAAE,2BAA2B,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC5G,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,MAAM,MAAM,mBAAmB,GAAG;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,IAAI,YAAY,IAAI,2BAA2B,CAAC;IAEhD;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,0BAA0B,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzG;;OAEG;IACH,6BAA6B,CAAC,MAAM,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE9G;;OAEG;IACH,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/G;;OAEG;IACH,oBAAoB,CAAC,MAAM,EAAE,0BAA0B,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAExH;;OAEG;IACH,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEpD;;;;OAIG;IACH,WAAW,CAAC,CAAC,MAAM,EAAE,0BAA0B,EAAE,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvG"}

package/dist/esm/server/auth/provider.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=provider.js.map

package/dist/esm/server/auth/provider.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"provider.js","sourceRoot":"","sources":["../../../../src/server/auth/provider.ts"],"names":[],"mappings":""}

package/dist/esm/server/auth/router.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+import { RequestHandler } from "express";
+import { ClientRegistrationHandlerOptions } from "./handlers/register.js";
+import { TokenHandlerOptions } from "./handlers/token.js";
+import { AuthorizationHandlerOptions } from "./handlers/authorize.js";
+import { RevocationHandlerOptions } from "./handlers/revoke.js";
+import { OAuthServerProvider } from "./provider.js";
+export type AuthRouterOptions = {
+    /**
+     * A provider implementing the actual authorization logic for this router.
+     */
+    provider: OAuthServerProvider;
+    /**
+     * The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components.
+     */
+    issuerUrl: URL;
+    /**
+     * An optional URL of a page containing human-readable information that developers might want or need to know when using the authorization server.
+     */
+    serviceDocumentationUrl?: URL;
+    authorizationOptions?: Omit<AuthorizationHandlerOptions, "provider">;
+    clientRegistrationOptions?: Omit<ClientRegistrationHandlerOptions, "clientsStore">;
+    revocationOptions?: Omit<RevocationHandlerOptions, "provider">;
+    tokenOptions?: Omit<TokenHandlerOptions, "provider">;
+};
+/**
+ * Installs standard MCP authorization endpoints, including dynamic client registration and token revocation (if supported). Also advertises standard authorization server metadata, for easier discovery of supported configurations by clients.
+ *
+ * By default, rate limiting is applied to all endpoints to prevent abuse.
+ *
+ * This router MUST be installed at the application root, like so:
+ *
+ *  const app = express();
+ *  app.use(mcpAuthRouter(...));
+ */
+export declare function mcpAuthRouter(options: AuthRouterOptions): RequestHandler;
+//# sourceMappingURL=router.d.ts.map

package/dist/esm/server/auth/router.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../../../src/server/auth/router.ts"],"names":[],"mappings":"AAAA,OAAgB,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAA6B,gCAAgC,EAAE,MAAM,wBAAwB,CAAC;AACrG,OAAO,EAAgB,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AACxE,OAAO,EAAwB,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAC5F,OAAO,EAAqB,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAEnF,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEpD,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;OAEG;IACH,QAAQ,EAAE,mBAAmB,CAAC;IAE9B;;OAEG;IACH,SAAS,EAAE,GAAG,CAAC;IAEf;;OAEG;IACH,uBAAuB,CAAC,EAAE,GAAG,CAAC;IAG9B,oBAAoB,CAAC,EAAE,IAAI,CAAC,2BAA2B,EAAE,UAAU,CAAC,CAAC;IACrE,yBAAyB,CAAC,EAAE,IAAI,CAAC,gCAAgC,EAAE,cAAc,CAAC,CAAC;IACnF,iBAAiB,CAAC,EAAE,IAAI,CAAC,wBAAwB,EAAE,UAAU,CAAC,CAAC;IAC/D,YAAY,CAAC,EAAE,IAAI,CAAC,mBAAmB,EAAE,UAAU,CAAC,CAAC;CACtD,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,iBAAiB,GAAG,cAAc,CAqExE"}