@nestr/mcp 0.1.52 → 0.1.54

package/build/oauth/redis-store.js

@@ -0,0 +1,174 @@
+/**
+ * Redis-backed OAuthStore Implementation
+ *
+ * Uses Redis for shared state across multiple pods.
+ * Activated when REDIS_URL environment variable is set.
+ *
+ * Features:
+ * - Native TTL for automatic expiry (no cleanup timers needed)
+ * - Atomic GETDEL for consume-once operations (pending auth, PKCE)
+ * - Optional AES-256-GCM encryption for session values (OAUTH_ENCRYPTION_KEY)
+ */
+import { Redis } from "ioredis";
+import { randomBytes, createCipheriv, createDecipheriv } from "node:crypto";
+// Key prefixes
+const PREFIX = {
+    client: "oauth:client:",
+    clientCount: "oauth:client:count",
+    pending: "oauth:pending:",
+    pkce: "oauth:pkce:",
+    session: "oauth:session:",
+};
+// TTLs in seconds
+const PENDING_AUTH_TTL = 300; // 5 minutes
+const PKCE_TTL = 300; // 5 minutes
+const CLIENT_TTL = 86400; // 24 hours (clients re-register on reconnect)
+const SESSION_REFRESH_TTL = 30 * 86400; // 30 days for sessions with refresh tokens
+// Encryption constants
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+function getEncryptionKey() {
+    if (!process.env.OAUTH_ENCRYPTION_KEY)
+        return null;
+    const key = Buffer.from(process.env.OAUTH_ENCRYPTION_KEY, "base64");
+    if (key.length !== 32) {
+        throw new Error("OAUTH_ENCRYPTION_KEY must be 32 bytes (256 bits) base64-encoded");
+    }
+    return key;
+}
+function encrypt(data, key) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(data, "utf8", "base64");
+    encrypted += cipher.final("base64");
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+function decrypt(encryptedData, key) {
+    const parts = encryptedData.split(":");
+    if (parts.length !== 3)
+        throw new Error("Invalid encrypted data format");
+    const iv = Buffer.from(parts[0], "base64");
+    const authTag = Buffer.from(parts[1], "base64");
+    const data = parts[2];
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(data, "base64", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+}
+class RedisStore {
+    redis;
+    encryptionKey;
+    constructor(redis) {
+        this.redis = redis;
+        this.encryptionKey = getEncryptionKey();
+    }
+    // ---- Helpers ----
+    serialize(data) {
+        const json = JSON.stringify(data);
+        if (this.encryptionKey)
+            return encrypt(json, this.encryptionKey);
+        return json;
+    }
+    deserialize(raw) {
+        if (this.encryptionKey) {
+            const json = decrypt(raw, this.encryptionKey);
+            return JSON.parse(json);
+        }
+        return JSON.parse(raw);
+    }
+    // ---- Clients ----
+    async registerClient(client) {
+        const key = PREFIX.client + client.client_id;
+        // Only increment the counter for genuinely new clients (SET NX returns 1 if key didn't exist).
+        // Without this, the counter drifts upward as clients re-register and eventually blocks
+        // all registrations when it hits MAX_REGISTERED_CLIENTS.
+        const isNew = await this.redis.set(key, this.serialize(client), "EX", CLIENT_TTL, "GET");
+        if (isNew === null) {
+            await this.redis.incr(PREFIX.clientCount);
+        }
+        console.log(`Registered OAuth client: ${client.client_id}`);
+    }
+    async getClient(clientId) {
+        const raw = await this.redis.get(PREFIX.client + clientId);
+        if (!raw)
+            return undefined;
+        return this.deserialize(raw);
+    }
+    async getClientCount() {
+        const count = await this.redis.get(PREFIX.clientCount);
+        return count ? parseInt(count, 10) : 0;
+    }
+    async clientExists(clientId) {
+        return (await this.redis.exists(PREFIX.client + clientId)) === 1;
+    }
+    // ---- Pending Auth ----
+    async storePendingAuth(pending) {
+        await this.redis.set(PREFIX.pending + pending.state, this.serialize(pending), "EX", PENDING_AUTH_TTL);
+    }
+    async consumePendingAuth(state) {
+        const raw = await this.redis.getdel(PREFIX.pending + state);
+        if (!raw)
+            return undefined;
+        return this.deserialize(raw);
+    }
+    // ---- PKCE Codes ----
+    async storePkceForCode(code, codeChallenge, codeChallengeMethod) {
+        const data = { codeChallenge, codeChallengeMethod, createdAt: Date.now() };
+        await this.redis.set(PREFIX.pkce + code, this.serialize(data), "EX", PKCE_TTL);
+    }
+    async consumePkceForCode(code) {
+        const raw = await this.redis.getdel(PREFIX.pkce + code);
+        if (!raw)
+            return undefined;
+        return this.deserialize(raw);
+    }
+    // ---- Sessions ----
+    sessionTtl(session) {
+        if (session.refreshToken)
+            return SESSION_REFRESH_TTL;
+        // TTL = time until expiry (minimum 60s to avoid immediate deletion)
+        const ttl = Math.max(60, Math.ceil((session.expiresAt - Date.now()) / 1000));
+        return ttl;
+    }
+    async storeSession(sessionId, session) {
+        await this.redis.set(PREFIX.session + sessionId, this.serialize(session), "EX", this.sessionTtl(session));
+    }
+    async getSession(sessionId) {
+        const raw = await this.redis.get(PREFIX.session + sessionId);
+        if (!raw)
+            return undefined;
+        return this.deserialize(raw);
+    }
+    async updateSession(sessionId, session) {
+        // Unconditional SET — the EXISTS + SET pattern has a TOCTOU race across pods.
+        // If the session was deleted between the two calls, this would silently re-create it.
+        // Matching FileStore behavior: just overwrite.
+        await this.redis.set(PREFIX.session + sessionId, this.serialize(session), "EX", this.sessionTtl(session));
+    }
+    async removeSession(sessionId) {
+        await this.redis.del(PREFIX.session + sessionId);
+    }
+    // ---- Lifecycle ----
+    async close() {
+        await this.redis.quit();
+    }
+}
+/**
+ * Create a Redis-backed OAuthStore instance.
+ */
+export async function createRedisStore(redisUrl) {
+    const redis = new Redis(redisUrl, {
+        maxRetriesPerRequest: 3,
+        retryStrategy(times) {
+            // Exponential backoff: 50ms, 100ms, 200ms, ... capped at 2s
+            return Math.min(times * 50, 2000);
+        },
+    });
+    // Verify connection
+    await redis.ping();
+    console.log("Redis connected for OAuth storage");
+    return new RedisStore(redis);
+}
+//# sourceMappingURL=redis-store.js.map

package/build/oauth/redis-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-store.js","sourceRoot":"","sources":["../../src/oauth/redis-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAS5E,eAAe;AACf,MAAM,MAAM,GAAG;IACb,MAAM,EAAE,eAAe;IACvB,WAAW,EAAE,oBAAoB;IACjC,OAAO,EAAE,gBAAgB;IACzB,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,gBAAgB;CACjB,CAAC;AAEX,kBAAkB;AAClB,MAAM,gBAAgB,GAAG,GAAG,CAAC,CAAC,YAAY;AAC1C,MAAM,QAAQ,GAAG,GAAG,CAAC,CAAC,YAAY;AAClC,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,8CAA8C;AACxE,MAAM,mBAAmB,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC,2CAA2C;AAEnF,uBAAuB;AACvB,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,SAAS,gBAAgB;IACvB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,QAAQ,CAAC,CAAC;IACpE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,IAAY,EAAE,GAAW;IACxC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,EAAE,CAAC;AAC/E,CAAC;AAED,SAAS,OAAO,CAAC,aAAqB,EAAE,GAAW;IACjD,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAEzE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACxD,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU;IACN,KAAK,CAAQ;IACb,aAAa,CAAgB;IAErC,YAAY,KAAY;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,aAAa,GAAG,gBAAgB,EAAE,CAAC;IAC1C,CAAC;IAED,oBAAoB;IAEZ,SAAS,CAAC,IAAa;QAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,aAAa;YAAE,OAAO,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,WAAW,CAAI,GAAW;QAChC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,oBAAoB;IAEpB,KAAK,CAAC,cAAc,CAAC,MAAwB;QAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;QAC7C,+FAA+F;QAC/F,uFAAuF;QACvF,yDAAyD;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QACzF,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,IAAI,CAAC,WAAW,CAAmB,GAAG,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACvD,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;IACnE,CAAC;IAED,yBAAyB;IAEzB,KAAK,CAAC,gBAAgB,CAAC,OAA4B;QACjD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAClB,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,KAAK,EAC9B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EACvB,IAAI,EACJ,gBAAgB,CACjB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa;QACpC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,IAAI,CAAC,WAAW,CAAsB,GAAG,CAAC,CAAC;IACpD,CAAC;IAED,uBAAuB;IAEvB,KAAK,CAAC,gBAAgB,CAAC,IAAY,EAAE,aAAqB,EAAE,mBAA2B;QACrF,MAAM,IAAI,GAAoB,EAAE,aAAa,EAAE,mBAAmB,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5F,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IACjF,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,IAAY;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,IAAI,CAAC,WAAW,CAAkB,GAAG,CAAC,CAAC;IAChD,CAAC;IAED,qBAAqB;IAEb,UAAU,CAAC,OAA2B;QAC5C,IAAI,OAAO,CAAC,YAAY;YAAE,OAAO,mBAAmB,CAAC;QACrD,oEAAoE;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7E,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAiB,EAAE,OAA2B;QAC/D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAClB,MAAM,CAAC,OAAO,GAAG,SAAS,EAC1B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EACvB,IAAI,EACJ,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CACzB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,IAAI,CAAC,WAAW,CAAqB,GAAG,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB,EAAE,OAA2B;QAChE,8EAA8E;QAC9E,sFAAsF;QACtF,+CAA+C;QAC/C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAClB,MAAM,CAAC,OAAO,GAAG,SAAS,EAC1B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EACvB,IAAI,EACJ,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CACzB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,sBAAsB;IAEtB,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAgB;IACrD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,QAAQ,EAAE;QAChC,oBAAoB,EAAE,CAAC;QACvB,aAAa,CAAC,KAAa;YACzB,4DAA4D;YAC5D,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QACpC,CAAC;KACF,CAAC,CAAC;IAEH,oBAAoB;IACpB,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnB,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IAEjD,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC"}

package/build/oauth/storage.d.ts

@@ -1,111 +1,36 @@
 /**
- * Persistent Storage for OAuth Data
+ * Backward-compatibility re-exports from the OAuthStore abstraction.
  *
- * Stores registered OAuth clients and pending auth requests to disk.
- * Uses a simple JSON file-based storage that persists across restarts.
- * OAuth sessions are encrypted at rest using AES-256-GCM.
- */
-/**
- * Registered OAuth Client (RFC 7591)
- */
-export interface RegisteredClient {
-    client_id: string;
-    client_secret?: string;
-    client_name?: string;
-    redirect_uris: string[];
-    grant_types: string[];
-    response_types: string[];
-    token_endpoint_auth_method: string;
-    scope?: string;
-    registered_at: number;
-}
-/**
- * Pending OAuth authorization with PKCE
- */
-export interface PendingAuthWithPKCE {
-    state: string;
-    redirectUri: string;
-    clientId: string;
-    codeChallenge?: string;
-    codeChallengeMethod?: string;
-    createdAt: number;
-    scope?: string;
-    /** Identifier for the MCP client (e.g., "claude-code", "cursor") for token metadata */
-    clientConsumer?: string;
-    /** GA4 client_id for cross-domain analytics tracking */
-    gaClientId?: string;
-}
-/**
- * Stored OAuth session after successful authentication
- */
-export interface StoredOAuthSession {
-    accessToken: string;
-    refreshToken?: string;
-    expiresAt: number;
-    scope?: string;
-    /** Nestr user ID for analytics (GA4 user_id) */
-    userId?: string;
-}
-/**
- * Register a new OAuth client
- */
-export declare function registerClient(client: RegisteredClient): void;
-/**
- * Get a registered client by ID
- */
-export declare function getClient(clientId: string): RegisteredClient | undefined;
-/**
- * Check if a client ID exists
- */
-export declare function clientExists(clientId: string): boolean;
-/**
- * Validate client credentials
- */
-export declare function validateClientCredentials(clientId: string, clientSecret?: string): boolean;
-/**
- * Validate redirect URI for a client
- */
-export declare function validateRedirectUri(clientId: string, redirectUri: string): boolean;
-/**
- * Store a pending auth request
- */
-export declare function storePendingAuth(pending: PendingAuthWithPKCE): void;
-/**
- * Get and remove a pending auth request
- */
-export declare function consumePendingAuth(state: string): PendingAuthWithPKCE | undefined;
-/**
- * Cleanup expired pending auth requests
- */
-export declare function cleanupExpiredPendingAuth(): void;
-interface PkceForCodeData {
-    codeChallenge: string;
-    codeChallengeMethod: string;
-    createdAt: number;
-}
-export declare function storePkceForCode(code: string, codeChallenge: string, codeChallengeMethod: string): void;
-export declare function consumePkceForCode(code: string): PkceForCodeData | undefined;
-/**
- * Store an OAuth session
- */
-export declare function storeSession(sessionId: string, session: StoredOAuthSession): void;
-/**
- * Get an OAuth session by ID
- */
-export declare function getSession(sessionId: string): StoredOAuthSession | undefined;
-/**
- * Update an existing OAuth session (e.g., after token refresh)
+ * All types and the store singleton are canonical in store.ts.
+ * This file provides synchronous-looking wrappers that delegate to the
+ * initialized store for callers that haven't migrated yet.
+ *
+ * TODO: Remove this file once all callers import from store.ts directly.
  */
-export declare function updateSession(sessionId: string, session: StoredOAuthSession): void;
+import { getStore } from "./store.js";
+export type { RegisteredClient, PendingAuthWithPKCE, StoredOAuthSession, PkceForCodeData, } from "./store.js";
 /**
- * Remove an OAuth session
+ * Constant-time string comparison to prevent timing attacks on secrets.
+ * Standalone utility — not part of the store interface.
  */
-export declare function removeSession(sessionId: string): void;
+export declare function constantTimeCompare(a: string, b: string): boolean;
 /**
- * Cleanup expired OAuth sessions
- * Sessions are considered expired if their expiresAt time has passed
- * and they have no refresh token
+ * Validate redirect URI against a registered client's allowed URIs.
+ * Accepts the client object directly to avoid an extra async lookup.
  */
-export declare function cleanupExpiredSessions(): void;
-export {};
+export declare function validateRedirectUri(client: {
+    redirect_uris: string[];
+}, redirectUri: string): boolean;
+export declare function registerClient(...args: Parameters<ReturnType<typeof getStore>["registerClient"]>): Promise<void>;
+export declare function getClient(...args: Parameters<ReturnType<typeof getStore>["getClient"]>): Promise<import("./store.js").RegisteredClient | undefined>;
+export declare function getClientCount(): Promise<number>;
+export declare function clientExists(...args: Parameters<ReturnType<typeof getStore>["clientExists"]>): Promise<boolean>;
+export declare function storePendingAuth(...args: Parameters<ReturnType<typeof getStore>["storePendingAuth"]>): Promise<void>;
+export declare function consumePendingAuth(...args: Parameters<ReturnType<typeof getStore>["consumePendingAuth"]>): Promise<import("./store.js").PendingAuthWithPKCE | undefined>;
+export declare function storePkceForCode(...args: Parameters<ReturnType<typeof getStore>["storePkceForCode"]>): Promise<void>;
+export declare function consumePkceForCode(...args: Parameters<ReturnType<typeof getStore>["consumePkceForCode"]>): Promise<import("./store.js").PkceForCodeData | undefined>;
+export declare function storeSession(...args: Parameters<ReturnType<typeof getStore>["storeSession"]>): Promise<void>;
+export declare function getSession(...args: Parameters<ReturnType<typeof getStore>["getSession"]>): Promise<import("./store.js").StoredOAuthSession | undefined>;
+export declare function updateSession(...args: Parameters<ReturnType<typeof getStore>["updateSession"]>): Promise<void>;
+export declare function removeSession(...args: Parameters<ReturnType<typeof getStore>["removeSession"]>): Promise<void>;
 //# sourceMappingURL=storage.d.ts.map

package/build/oauth/storage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/oauth/storage.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA+EH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,0BAA0B,EAAE,MAAM,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uFAAuF;IACvF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AA8GD;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI,CAK7D;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAGxE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAGtD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAST;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CA0BT;AAID;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI,CAInE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,GACZ,mBAAmB,GAAG,SAAS,CAkBjC;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,IAAI,CAgBhD;AAQD,UAAU,eAAe;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB;AA4CD,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,mBAAmB,EAAE,MAAM,GAC1B,IAAI,CAQN;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAgB5E;AA2HD;;GAEG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,IAAI,CAIjF;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAG5E;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,IAAI,CAMlF;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAKrD;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,IAAI,CAkB7C"}
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/oauth/storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAGtC,YAAY,EACV,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAKjE;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE;IAAE,aAAa,EAAE,MAAM,EAAE,CAAA;CAAE,EACnC,WAAW,EAAE,MAAM,GAClB,OAAO,CAwBT;AAKD,wBAAsB,cAAc,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,gBAAgB,CAAC,CAAC,iBAEtG;AAED,wBAAsB,SAAS,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,CAAC,CAAC,8DAE5F;AAED,wBAAsB,cAAc,oBAEnC;AAED,wBAAsB,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,cAAc,CAAC,CAAC,oBAElG;AAED,wBAAsB,gBAAgB,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,kBAAkB,CAAC,CAAC,iBAE1G;AAED,wBAAsB,kBAAkB,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,oBAAoB,CAAC,CAAC,iEAE9G;AAED,wBAAsB,gBAAgB,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,kBAAkB,CAAC,CAAC,iBAE1G;AAED,wBAAsB,kBAAkB,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,oBAAoB,CAAC,CAAC,6DAE9G;AAED,wBAAsB,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,cAAc,CAAC,CAAC,iBAElG;AAED,wBAAsB,UAAU,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,gEAE9F;AAED,wBAAsB,aAAa,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,eAAe,CAAC,CAAC,iBAEpG;AAED,wBAAsB,aAAa,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC,eAAe,CAAC,CAAC,iBAEpG"}