@mseep/affine-mcp-server 2.3.0

package/dist/config.js

@@ -0,0 +1,178 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { createRequire } from "module";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
+export const VERSION = pkg.version;
+/** Config file location: ~/.config/affine-mcp/config */
+const CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config"), "affine-mcp");
+export const CONFIG_FILE = path.join(CONFIG_DIR, "config");
+/** Read key=value config file, returns empty object if missing */
+export function loadConfigFile() {
+    if (!fs.existsSync(CONFIG_FILE))
+        return {};
+    const content = fs.readFileSync(CONFIG_FILE, "utf-8");
+    const result = {};
+    for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eq = trimmed.indexOf("=");
+        if (eq === -1)
+            continue;
+        result[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
+    }
+    return result;
+}
+/** Write config file atomically with 600 permissions (temp + rename). */
+export function writeConfigFile(vars) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    const lines = [
+        "# Affine MCP Server credentials",
+        "# Generated by: affine-mcp login",
+        `# ${new Date().toISOString()}`,
+    ];
+    for (const [key, value] of Object.entries(vars)) {
+        if (value)
+            lines.push(`${key}=${value}`);
+    }
+    lines.push("");
+    // Atomic write: write to temp file then rename to prevent partial reads
+    const tmpFile = path.join(CONFIG_DIR, `.config.tmp.${process.pid}`);
+    try {
+        fs.writeFileSync(tmpFile, lines.join("\n"), { mode: 0o600 });
+        fs.renameSync(tmpFile, CONFIG_FILE);
+    }
+    catch (err) {
+        // Clean up temp file on failure
+        try {
+            fs.unlinkSync(tmpFile);
+        }
+        catch { }
+        throw err;
+    }
+}
+/** Validate and sanitize a base URL. Throws on invalid or dangerous URLs. */
+export function validateBaseUrl(input) {
+    let parsed;
+    try {
+        parsed = new URL(input);
+    }
+    catch {
+        throw new Error(`Invalid URL: ${input}`);
+    }
+    // Reject credentials embedded in URL (SSRF vector)
+    if (parsed.username || parsed.password) {
+        throw new Error("URL must not contain embedded credentials (user:pass@host)");
+    }
+    // Only allow http and https schemes
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        throw new Error(`Unsupported URL scheme: ${parsed.protocol} (only http/https allowed)`);
+    }
+    // Warn (but allow) plain HTTP for non-local targets
+    const host = parsed.hostname;
+    const isLocal = host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0";
+    if (parsed.protocol === "http:" && !isLocal) {
+        console.error("WARNING: Using plain HTTP for a non-localhost URL. Consider HTTPS for security.");
+    }
+    // Return normalized URL without trailing slash
+    return parsed.origin + parsed.pathname.replace(/\/$/, "");
+}
+/**
+ * Helper: read env var with config file fallback.
+ * Environment variables always take priority over the config file.
+ */
+function env(name, file, fallback) {
+    return process.env[name] || file[name] || fallback;
+}
+function parseHeadersJson(raw) {
+    if (!raw)
+        return undefined;
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            console.warn("Failed to parse AFFINE_HEADERS_JSON; expected a JSON object of string headers.");
+            return undefined;
+        }
+        const headers = {};
+        for (const [key, value] of Object.entries(parsed)) {
+            if (typeof value !== "string") {
+                console.warn(`Ignoring non-string AFFINE_HEADERS_JSON value for header '${key}'.`);
+                continue;
+            }
+            headers[key] = value;
+        }
+        const sensitiveKeys = Object.keys(headers).filter((k) => /^(authorization|cookie)$/i.test(k));
+        if (sensitiveKeys.length) {
+            console.warn(`WARNING: AFFINE_HEADERS_JSON contains sensitive key(s): ${sensitiveKeys.join(", ")}. ` +
+                `These may conflict with built-in auth and are not protected by debug-logging guards.`);
+        }
+        return headers;
+    }
+    catch {
+        console.warn("Failed to parse AFFINE_HEADERS_JSON; ignoring.");
+        return undefined;
+    }
+}
+function parseAuthMode(raw) {
+    if (!raw)
+        return "bearer";
+    const normalized = raw.trim().toLowerCase();
+    if (normalized === "bearer" || normalized === "oauth") {
+        return normalized;
+    }
+    throw new Error(`Invalid AFFINE_MCP_AUTH_MODE: ${raw}. Expected 'bearer' or 'oauth'.`);
+}
+function parseOAuthScopes(raw) {
+    const scopes = (raw || "mcp")
+        .split(/[\s,]+/)
+        .map((scope) => scope.trim())
+        .filter(Boolean);
+    return scopes.length > 0 ? scopes : ["mcp"];
+}
+function parsePositiveIntegerEnv(name, raw, fallback) {
+    if (!raw)
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    if (!Number.isFinite(parsed) || parsed <= 0) {
+        throw new Error(`${name} must be a positive integer. Received: ${raw}`);
+    }
+    return parsed;
+}
+export function loadConfig() {
+    const file = loadConfigFile();
+    const baseUrl = validateBaseUrl(env("AFFINE_BASE_URL", file, "http://localhost:3010"));
+    const authMode = parseAuthMode(env("AFFINE_MCP_AUTH_MODE", file, "bearer"));
+    const apiToken = env("AFFINE_API_TOKEN", file);
+    const cookie = env("AFFINE_COOKIE", file);
+    const email = env("AFFINE_EMAIL", file);
+    const password = env("AFFINE_PASSWORD", file);
+    let headers = parseHeadersJson(process.env.AFFINE_HEADERS_JSON);
+    if (cookie) {
+        headers = { ...(headers || {}), Cookie: cookie };
+    }
+    const graphqlPath = env("AFFINE_GRAPHQL_PATH", file, "/graphql");
+    const defaultWorkspaceId = env("AFFINE_WORKSPACE_ID", file);
+    const publicBaseUrlRaw = env("AFFINE_MCP_PUBLIC_BASE_URL", file);
+    const oauthIssuerUrlRaw = env("AFFINE_OAUTH_ISSUER_URL", file);
+    const publicBaseUrl = publicBaseUrlRaw ? validateBaseUrl(publicBaseUrlRaw) : undefined;
+    const oauthIssuerUrl = oauthIssuerUrlRaw ? validateBaseUrl(oauthIssuerUrlRaw) : undefined;
+    const oauthScopes = parseOAuthScopes(env("AFFINE_OAUTH_SCOPES", file, "mcp"));
+    const oauthClockSkewSeconds = parsePositiveIntegerEnv("AFFINE_OAUTH_CLOCK_SKEW_SECONDS", env("AFFINE_OAUTH_CLOCK_SKEW_SECONDS", file), 60);
+    return {
+        baseUrl,
+        apiToken,
+        cookie,
+        headers,
+        graphqlPath,
+        email,
+        password,
+        defaultWorkspaceId,
+        authMode,
+        publicBaseUrl,
+        oauthIssuerUrl,
+        oauthScopes,
+        oauthClockSkewSeconds,
+    };
+}

package/dist/edgeless/layout.js

@@ -0,0 +1,222 @@
+/** Pure-function edgeless-canvas layout helpers. No Y.Doc, no MCP wiring. */
+/** Only these four positions carry tangent vectors in BlockSuite's connector model. */
+export const SIDE_TO_NORMALIZED_POSITION = {
+    top: [0.5, 0],
+    bottom: [0.5, 1],
+    left: [0, 0.5],
+    right: [1, 0.5],
+};
+/** Pick connector sides for a src/tgt pair. Single-axis → that axis; diagonal →
+ *  dominant by center displacement; overlap → 4×4 midpoint minimization. Ports
+ *  BlockSuite's `getNearestConnectableAnchor` (`connector-manager.ts:174-190`). */
+export function pickConnectorSides(src, tgt) {
+    const srcBottom = src.y + src.h;
+    const srcRight = src.x + src.w;
+    const tgtBottom = tgt.y + tgt.h;
+    const tgtRight = tgt.x + tgt.w;
+    const above = srcBottom <= tgt.y;
+    const below = tgtBottom <= src.y;
+    const leftOf = srcRight <= tgt.x;
+    const rightOf = tgtRight <= src.x;
+    const vSeparated = above || below;
+    const hSeparated = leftOf || rightOf;
+    if (vSeparated && !hSeparated) {
+        return above ? { from: "bottom", to: "top" } : { from: "top", to: "bottom" };
+    }
+    if (hSeparated && !vSeparated) {
+        return leftOf ? { from: "right", to: "left" } : { from: "left", to: "right" };
+    }
+    if (vSeparated && hSeparated) {
+        const dx = (tgt.x + tgt.w / 2) - (src.x + src.w / 2);
+        const dy = (tgt.y + tgt.h / 2) - (src.y + src.h / 2);
+        if (Math.abs(dx) >= Math.abs(dy)) {
+            return dx >= 0 ? { from: "right", to: "left" } : { from: "left", to: "right" };
+        }
+        return dy >= 0 ? { from: "bottom", to: "top" } : { from: "top", to: "bottom" };
+    }
+    const anchors = (b) => [
+        { side: "top", x: b.x + b.w / 2, y: b.y },
+        { side: "bottom", x: b.x + b.w / 2, y: b.y + b.h },
+        { side: "left", x: b.x, y: b.y + b.h / 2 },
+        { side: "right", x: b.x + b.w, y: b.y + b.h / 2 },
+    ];
+    const srcA = anchors(src);
+    const tgtA = anchors(tgt);
+    let best = {
+        from: "bottom",
+        to: "top",
+        dist: Infinity,
+    };
+    for (const a of srcA) {
+        for (const b of tgtA) {
+            const dx = b.x - a.x;
+            const dy = b.y - a.y;
+            const dist = dx * dx + dy * dy;
+            if (dist < best.dist)
+                best = { from: a.side, to: b.side, dist };
+        }
+    }
+    return { from: best.from, to: best.to };
+}
+/** Enclosing bound of `children`, expanded by `padding` and `titleBand` (extra on top for a frame title). */
+export function encloseBounds(children, opts = {}) {
+    if (children.length === 0)
+        return null;
+    const padding = opts.padding ?? 40;
+    const titleBand = opts.titleBand ?? 60;
+    let minX = Infinity;
+    let minY = Infinity;
+    let maxX = -Infinity;
+    let maxY = -Infinity;
+    for (const c of children) {
+        minX = Math.min(minX, c.x);
+        minY = Math.min(minY, c.y);
+        maxX = Math.max(maxX, c.x + c.w);
+        maxY = Math.max(maxY, c.y + c.h);
+    }
+    return {
+        x: Math.floor(minX - padding),
+        y: Math.floor(minY - padding - titleBand),
+        w: Math.max(1, Math.ceil(maxX - minX + padding * 2)),
+        h: Math.max(1, Math.ceil(maxY - minY + padding * 2 + titleBand)),
+    };
+}
+/** Pick the bound furthest along `direction` (bottommost for `"down"`, etc). */
+export function pickFurthestInDirection(candidates, direction) {
+    if (candidates.length === 0)
+        return null;
+    let chosen = candidates[0];
+    for (let i = 1; i < candidates.length; i++) {
+        const c = candidates[i];
+        if (direction === "down" && c.y + c.h > chosen.y + chosen.h)
+            chosen = c;
+        else if (direction === "up" && c.y < chosen.y)
+            chosen = c;
+        else if (direction === "right" && c.x + c.w > chosen.x + chosen.w)
+            chosen = c;
+        else if (direction === "left" && c.x < chosen.x)
+            chosen = c;
+    }
+    return chosen;
+}
+/** Parse BlockSuite's `[x,y,w,h]` string. Returns null if the input isn't well-formed. */
+export function parseXywhString(value) {
+    if (typeof value !== "string")
+        return null;
+    const m = value.match(/^\s*\[\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*\]\s*$/);
+    if (!m)
+        return null;
+    return { x: Number(m[1]), y: Number(m[2]), width: Number(m[3]), height: Number(m[4]) };
+}
+/** Inverse of `parseXywhString`. */
+export function formatXywhString(x, y, width, height) {
+    return `[${x},${y},${width},${height}]`;
+}
+/** Asymmetric defaults: notes default to wide/short, so equal gaps feel tight horizontally. */
+export const DEFAULT_STACK_GAP_VERTICAL = 40;
+export const DEFAULT_STACK_GAP_HORIZONTAL = 80;
+/** BlockSuite's createDefaultDoc constants (packages/affine/model/src/consts/note.ts). */
+export const DEFAULT_PAGE_BLOCK_WIDTH = 800;
+export const DEFAULT_NOTE_HEIGHT = 92;
+export const DEFAULT_NOTE_XYWH = `[0,0,${DEFAULT_PAGE_BLOCK_WIDTH},${DEFAULT_NOTE_HEIGHT}]`;
+/** Position a new block relative to `ref` along `direction`. The orthogonal axis
+ *  inherits from `ref` unless `preserveX` / `preserveY` is supplied. */
+export function stackRelativeTo(ref, newSize, opts = {}) {
+    const direction = opts.direction ?? "down";
+    const isHorizontal = direction === "left" || direction === "right";
+    const gap = opts.gap ?? (isHorizontal ? DEFAULT_STACK_GAP_HORIZONTAL : DEFAULT_STACK_GAP_VERTICAL);
+    if (direction === "down") {
+        return { x: opts.preserveX ?? ref.x, y: ref.y + ref.h + gap };
+    }
+    if (direction === "up") {
+        return { x: opts.preserveX ?? ref.x, y: ref.y - gap - newSize.h };
+    }
+    if (direction === "right") {
+        return { x: ref.x + ref.w + gap, y: opts.preserveY ?? ref.y };
+    }
+    return { x: ref.x - gap - newSize.w, y: opts.preserveY ?? ref.y };
+}
+/** Over-estimate note height from markdown. BlockSuite's `EdgelessNoteMask`
+ *  `ResizeObserver` corrects `prop:xywh.h` to the DOM-measured height on first render. */
+export function estimateNoteHeightForMarkdown(markdown, widthPx) {
+    const NOTE_V_PADDING = 64;
+    const BODY_LINE_H = 34;
+    const CHAR_WIDTH = 8;
+    const H_PADDING = 52;
+    const H1_LINE_H = 58;
+    const H2_LINE_H = 48;
+    const H3_LINE_H = 40;
+    const CODE_LINE_H = 32;
+    const CODE_FENCE_PAD = 30;
+    const CODE_BLOCK_EXTRA = 20;
+    const BLANK_LINE_H = 14;
+    const usableWidth = Math.max(80, widthPx - H_PADDING);
+    const charsPerLine = Math.max(16, Math.floor(usableWidth / CHAR_WIDTH));
+    let total = NOTE_V_PADDING;
+    let inCode = false;
+    const lines = markdown.split("\n");
+    for (const raw of lines) {
+        const line = raw.trim();
+        if (line.startsWith("```")) {
+            inCode = !inCode;
+            total += CODE_FENCE_PAD;
+            if (inCode)
+                total += CODE_BLOCK_EXTRA;
+            continue;
+        }
+        if (inCode) {
+            total += CODE_LINE_H;
+            continue;
+        }
+        if (line === "") {
+            total += BLANK_LINE_H;
+            continue;
+        }
+        let lineHeight = BODY_LINE_H;
+        let prefixChars = 0;
+        if (/^#\s/.test(line)) {
+            lineHeight = H1_LINE_H;
+            prefixChars = 2;
+        }
+        else if (/^##\s/.test(line)) {
+            lineHeight = H2_LINE_H;
+            prefixChars = 3;
+        }
+        else if (/^###\s/.test(line)) {
+            lineHeight = H3_LINE_H;
+            prefixChars = 4;
+        }
+        else if (/^[-*]\s/.test(line)) {
+            prefixChars = 2;
+        }
+        else if (/^\d+\.\s/.test(line)) {
+            prefixChars = 3;
+        }
+        const contentChars = Math.max(1, line.length - prefixChars);
+        const wraps = Math.max(1, Math.ceil(contentChars / charsPerLine));
+        total += lineHeight * wraps;
+    }
+    return Math.max(120, Math.ceil(total));
+}
+/** Initial `labelXYWH` at source→target midpoint so BlockSuite's `hasLabel()` gate passes on first render. */
+export function estimateConnectorLabelXYWH(labelText, fontSize, midpoint, maxWidth) {
+    const charWidth = fontSize * 0.55;
+    const estimatedW = Math.max(16, Math.ceil(labelText.length * charWidth));
+    const w = Math.min(estimatedW, maxWidth);
+    const h = Math.ceil(fontSize + 4);
+    if (!midpoint)
+        return [0, 0, Math.max(w, 16), Math.max(h, 16)];
+    return [Math.round(midpoint.x - w / 2), Math.round(midpoint.y - h / 2), w, h];
+}
+/** Sort by fractional `index` string ascending. Y.Map iteration order is not stable across reloads. */
+export function sortByFractionalIndex(entries) {
+    return entries.slice().sort((a, b) => {
+        const ai = typeof a.index === "string" ? a.index : "";
+        const bi = typeof b.index === "string" ? b.index : "";
+        if (ai < bi)
+            return -1;
+        if (ai > bi)
+            return 1;
+        return 0;
+    });
+}

package/dist/graphqlClient.js

@@ -0,0 +1,116 @@
+import { fetch } from "undici";
+import { VERSION } from "./config.js";
+const GQL_FETCH_TIMEOUT_MS = 30_000;
+/** Strip HTML tags and truncate to a safe length for error messages. */
+function sanitizeErrorBody(s, max = 200) {
+    const stripped = s.replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
+    return stripped.length > max ? stripped.slice(0, max) + "..." : stripped;
+}
+export class GraphQLClient {
+    opts;
+    _headers;
+    authenticated = false;
+    constructor(opts) {
+        this.opts = opts;
+        this._headers = { ...(opts.headers || {}) };
+        // Set authentication in priority order
+        if (opts.bearer) {
+            this._headers["Authorization"] = `Bearer ${opts.bearer}`;
+            this.authenticated = true;
+            console.error("Using Bearer token authentication");
+        }
+        else if (this._headers.Cookie) {
+            this.authenticated = true;
+            console.error("Using Cookie authentication");
+        }
+    }
+    /** The GraphQL endpoint URL */
+    get endpoint() {
+        return this.opts.endpoint;
+    }
+    /** Current request headers (including auth) */
+    get headers() {
+        return { ...this._headers };
+    }
+    /** Cookie header value, if set */
+    get cookie() {
+        return this._headers["Cookie"] || "";
+    }
+    /** Bearer token, if set */
+    get bearer() {
+        const auth = this._headers["Authorization"] || "";
+        return auth.startsWith("Bearer ") ? auth.slice(7) : "";
+    }
+    setHeaders(next) {
+        this._headers = { ...this._headers, ...next };
+    }
+    setCookie(cookieHeader) {
+        if (/[\r\n]/.test(cookieHeader)) {
+            throw new Error("Cookie header contains illegal CR/LF characters");
+        }
+        this._headers["Cookie"] = cookieHeader;
+        this.authenticated = true;
+        console.error("Session cookies set from email/password login");
+    }
+    isAuthenticated() {
+        return this.authenticated;
+    }
+    async request(query, variables) {
+        const headers = {
+            "Content-Type": "application/json",
+            "User-Agent": `affine-mcp-server/${VERSION}`,
+            ...this._headers,
+        };
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), GQL_FETCH_TIMEOUT_MS);
+        let res;
+        try {
+            res = await fetch(this.opts.endpoint, {
+                method: "POST",
+                headers,
+                body: JSON.stringify({ query, variables }),
+                signal: controller.signal,
+            });
+        }
+        catch (err) {
+            if (err.name === "AbortError")
+                throw new Error(`GraphQL request timed out after ${GQL_FETCH_TIMEOUT_MS / 1000}s`);
+            throw err;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        // Handle redirects (undici may follow them but strip auth headers)
+        if (res.status >= 300 && res.status < 400) {
+            const location = res.headers.get("location");
+            throw new Error(`GraphQL endpoint returned redirect ${res.status} -> ${location || "(no location)"}. ` +
+                `Check AFFINE_BASE_URL.`);
+        }
+        const contentType = res.headers.get("content-type") || "";
+        // Guard against non-JSON responses (Cloudflare challenges, HTML error pages)
+        if (!contentType.includes("application/json") && !contentType.includes("application/graphql")) {
+            const body = await res.text();
+            const snippet = sanitizeErrorBody(body);
+            throw new Error(`GraphQL endpoint returned non-JSON response (${res.status} ${res.statusText}, ` +
+                `Content-Type: ${contentType || "(none)"}). Body: ${snippet}`);
+        }
+        if (!res.ok) {
+            // Try to parse error body as JSON
+            let body;
+            try {
+                const json = await res.json();
+                body = json.errors?.map((e) => e.message).join("; ") || JSON.stringify(json);
+            }
+            catch {
+                body = await res.text().catch(() => "(unreadable body)");
+            }
+            throw new Error(`GraphQL HTTP ${res.status}: ${sanitizeErrorBody(body)}`);
+        }
+        const json = await res.json();
+        if (json.errors) {
+            const msg = json.errors.map((e) => e.message).join("; ");
+            throw new Error(`GraphQL error: ${sanitizeErrorBody(msg)}`);
+        }
+        return json.data;
+    }
+}

package/dist/httpAuth.js

@@ -0,0 +1,147 @@
+import { buildOAuthProtectedResourceMetadata, getOAuthProtectedResourceMetadataPaths, getOAuthProtectedResourceMetadataUrl, validateOAuthConfig, verifyOAuthAccessToken, } from "./oauth.js";
+function buildOAuthErrorResponse(error, description) {
+    return {
+        error,
+        error_description: description,
+    };
+}
+function buildWwwAuthenticateHeader(protectedResourceMetadataUrl, opts) {
+    const params = [];
+    if (opts?.error) {
+        params.push(`error="${opts.error}"`);
+    }
+    if (opts?.errorDescription) {
+        params.push(`error_description="${opts.errorDescription.replace(/"/g, "'")}"`);
+    }
+    if (opts?.scope) {
+        params.push(`scope="${opts.scope}"`);
+    }
+    if (protectedResourceMetadataUrl) {
+        params.push(`resource_metadata="${protectedResourceMetadataUrl}"`);
+    }
+    return params.length > 0 ? `Bearer ${params.join(", ")}` : "Bearer";
+}
+export function createHttpAuthState(config, opts) {
+    let oauthConfig = null;
+    let protectedResourceMetadataUrl = null;
+    let protectedResourceMetadataPaths = [];
+    if (config.authMode === "oauth") {
+        if (!config.publicBaseUrl) {
+            throw new Error("AFFINE_MCP_PUBLIC_BASE_URL is required when AFFINE_MCP_AUTH_MODE=oauth.");
+        }
+        if (!config.oauthIssuerUrl) {
+            throw new Error("AFFINE_OAUTH_ISSUER_URL is required when AFFINE_MCP_AUTH_MODE=oauth.");
+        }
+        oauthConfig = {
+            publicBaseUrl: config.publicBaseUrl,
+            issuerUrl: config.oauthIssuerUrl,
+            scopes: config.oauthScopes,
+            clockSkewSeconds: config.oauthClockSkewSeconds,
+        };
+        validateOAuthConfig(oauthConfig, opts);
+        protectedResourceMetadataUrl = getOAuthProtectedResourceMetadataUrl(oauthConfig.publicBaseUrl);
+        protectedResourceMetadataPaths = getOAuthProtectedResourceMetadataPaths(oauthConfig.publicBaseUrl);
+    }
+    const authMiddleware = (req, res, next) => {
+        if (req.method === "OPTIONS")
+            return next();
+        if (config.authMode === "oauth") {
+            if (!oauthConfig) {
+                res.status(500).json(buildOAuthErrorResponse("server_error", "OAuth configuration was not initialized."));
+                return;
+            }
+            if (typeof req.query.token === "string") {
+                res.set("WWW-Authenticate", buildWwwAuthenticateHeader(protectedResourceMetadataUrl, {
+                    error: "invalid_request",
+                    errorDescription: "Query parameter token is not allowed in oauth mode.",
+                }));
+                res.status(400).json(buildOAuthErrorResponse("invalid_request", "Query parameter token is not allowed in oauth mode."));
+                return;
+            }
+            const authHeader = req.headers.authorization;
+            if (!authHeader) {
+                res.set("WWW-Authenticate", buildWwwAuthenticateHeader(protectedResourceMetadataUrl));
+                res.status(401).json(buildOAuthErrorResponse("invalid_token", "Missing Authorization header."));
+                return;
+            }
+            const raw = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+            const bearerMatch = /^Bearer\s+(.+)$/i.exec(raw);
+            if (!bearerMatch) {
+                res.set("WWW-Authenticate", buildWwwAuthenticateHeader(protectedResourceMetadataUrl, {
+                    error: "invalid_request",
+                    errorDescription: "Use 'Authorization: Bearer <token>'.",
+                }));
+                res.status(401).json(buildOAuthErrorResponse("invalid_request", "Use 'Authorization: Bearer <token>'."));
+                return;
+            }
+            void verifyOAuthAccessToken(bearerMatch[1], oauthConfig)
+                .then((authInfo) => {
+                const requiredScopes = oauthConfig?.scopes || [];
+                const hasAllScopes = requiredScopes.every((scope) => authInfo.scopes.includes(scope));
+                if (!hasAllScopes) {
+                    res.set("WWW-Authenticate", buildWwwAuthenticateHeader(protectedResourceMetadataUrl, {
+                        error: "insufficient_scope",
+                        errorDescription: "The access token does not include the required scope.",
+                        scope: requiredScopes.join(" "),
+                    }));
+                    res.status(403).json(buildOAuthErrorResponse("insufficient_scope", "The access token does not include the required scope."));
+                    return;
+                }
+                next();
+            })
+                .catch((error) => {
+                const message = error instanceof Error ? error.message : "Access token validation failed.";
+                res.set("WWW-Authenticate", buildWwwAuthenticateHeader(protectedResourceMetadataUrl, {
+                    error: "invalid_token",
+                    errorDescription: message,
+                }));
+                res.status(401).json(buildOAuthErrorResponse("invalid_token", message));
+            });
+            return;
+        }
+        const httpAuthToken = opts.httpAuthToken;
+        if (!httpAuthToken)
+            return next();
+        const authHeader = req.headers.authorization;
+        const queryToken = typeof req.query.token === "string" ? req.query.token : undefined;
+        let token;
+        if (authHeader !== undefined) {
+            const raw = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+            const bearerMatch = /^Bearer\s+(.+)$/i.exec(raw);
+            if (bearerMatch) {
+                token = bearerMatch[1];
+            }
+            else {
+                res.status(401).send("Unauthorized: Use 'Authorization: Bearer <token>'");
+                return;
+            }
+        }
+        else if (queryToken !== undefined) {
+            token = queryToken;
+        }
+        if (token !== httpAuthToken) {
+            res.status(401).send("Unauthorized: Invalid or missing token");
+            return;
+        }
+        next();
+    };
+    return {
+        authMiddleware,
+        httpAuthToken: opts.httpAuthToken,
+        oauthConfig,
+        protectedResourceMetadataUrl,
+        protectedResourceMetadataPaths,
+    };
+}
+export function registerHttpAuthRoutes(app, state, corsMiddleware) {
+    if (!state.oauthConfig || state.protectedResourceMetadataPaths.length === 0) {
+        return;
+    }
+    const metadata = buildOAuthProtectedResourceMetadata(state.oauthConfig);
+    const metadataHandler = (_req, res) => {
+        res.json(metadata);
+    };
+    for (const path of state.protectedResourceMetadataPaths) {
+        app.get(path, corsMiddleware, metadataHandler);
+    }
+}