@nitrostack/core 1.0.0

package/dist/auth/server-integration.js

@@ -0,0 +1,182 @@
+import { createProtectedResourceMetadata } from './server-metadata.js';
+import { createAuthMiddleware, requireScopes } from './middleware.js';
+/**
+ * Server Integration Utilities
+ *
+ * Easy integration of OAuth 2.1 auth into MCP servers
+ */
+/**
+ * Configure authentication for MCP server
+ *
+ * This adds:
+ * 1. Protected Resource Metadata endpoint
+ * 2. Authentication middleware to specified routes
+ *
+ * @param app - Express application
+ * @param config - Auth configuration
+ * @param protectRoutes - Routes to protect with auth (default: all /mcp routes)
+ *
+ * @example
+ * ```typescript
+ * const app = express();
+ *
+ * configureServerAuth(app, {
+ *   resourceUri: 'https://mcp.example.com',
+ *   authorizationServers: ['https://auth.example.com'],
+ *   tokenIntrospectionEndpoint: 'https://auth.example.com/oauth/introspect',
+ *   tokenIntrospectionClientId: 'mcp-server',
+ *   tokenIntrospectionClientSecret: process.env.INTROSPECTION_SECRET,
+ *   audience: 'https://mcp.example.com',
+ *   scopesSupported: ['mcp:read', 'mcp:write']
+ * }, {
+ *   protectRoutes: ['/mcp/*']
+ * });
+ * ```
+ */
+export function configureServerAuth(app, config, options) {
+    const metadataPath = options?.metadataPath || '/.well-known/oauth-protected-resource';
+    const protectRoutes = options?.protectRoutes || ['/mcp/*'];
+    // 1. Add Protected Resource Metadata endpoint
+    app.get(metadataPath, (req, res) => {
+        const metadata = createProtectedResourceMetadata(config.resourceUri, config.authorizationServers, config.scopesSupported);
+        res.json(metadata);
+    });
+    // 2. Apply auth middleware to protected routes
+    const authMiddleware = createAuthMiddleware(config);
+    for (const route of protectRoutes) {
+        app.use(route, authMiddleware);
+    }
+    console.log(`🔐 OAuth 2.1 authentication configured for ${config.resourceUri}`);
+    console.log(`   Authorization servers: ${config.authorizationServers.join(', ')}`);
+    console.log(`   Protected routes: ${protectRoutes.join(', ')}`);
+    console.log(`   Metadata endpoint: ${metadataPath}`);
+}
+/**
+ * Scope-based route protection helper
+ *
+ * @example
+ * ```typescript
+ * const scopes = createScopeGuards(['mcp:read', 'mcp:write', 'mcp:admin']);
+ *
+ * app.get('/mcp/tools', scopes.read, (req, res) => {
+ *   // List tools - requires mcp:read
+ * });
+ *
+ * app.post('/mcp/tools/execute', scopes.write, (req, res) => {
+ *   // Execute tool - requires mcp:write
+ * });
+ *
+ * app.delete('/mcp/resources', scopes.admin, (req, res) => {
+ *   // Delete resource - requires mcp:admin
+ * });
+ * ```
+ */
+export function createScopeGuards(scopeConfig) {
+    const guards = {};
+    for (const [name, scopes] of Object.entries(scopeConfig)) {
+        if (scopes && scopes.length > 0) {
+            guards[name] = requireScopes(...scopes);
+        }
+    }
+    return guards;
+}
+/**
+ * Create standard MCP scope configuration
+ *
+ * Returns scope guards for common MCP operations:
+ * - read: List tools, resources, prompts
+ * - execute: Execute tools, get prompts
+ * - write: Modify resources
+ * - admin: Server configuration
+ *
+ * @param scopePrefix - Scope prefix (default: 'mcp')
+ */
+export function createMCPScopeGuards(scopePrefix = 'mcp') {
+    return createScopeGuards({
+        read: [`${scopePrefix}:read`],
+        execute: [`${scopePrefix}:read`, `${scopePrefix}:execute`],
+        write: [`${scopePrefix}:read`, `${scopePrefix}:write`],
+        admin: [`${scopePrefix}:admin`],
+    });
+}
+/**
+ * Generate suggested scopes for MCP server
+ *
+ * Returns standard scope definitions for MCP operations
+ */
+export function getStandardMCPScopes(scopePrefix = 'mcp') {
+    const scopes = [
+        `${scopePrefix}:read`,
+        `${scopePrefix}:execute`,
+        `${scopePrefix}:write`,
+        `${scopePrefix}:admin`,
+    ];
+    const descriptions = {
+        [`${scopePrefix}:read`]: 'Read access to tools, resources, and prompts',
+        [`${scopePrefix}:execute`]: 'Execute tools and get prompts',
+        [`${scopePrefix}:write`]: 'Modify resources and server state',
+        [`${scopePrefix}:admin`]: 'Administrative access to server configuration',
+    };
+    return { scopes, descriptions };
+}
+/**
+ * Helper to validate auth configuration
+ */
+export function validateAuthConfig(config) {
+    const errors = [];
+    const warnings = [];
+    // Required fields
+    if (!config.resourceUri) {
+        errors.push('resourceUri is required');
+    }
+    if (!config.authorizationServers || config.authorizationServers.length === 0) {
+        errors.push('At least one authorization server is required');
+    }
+    // Token validation method
+    const hasIntrospection = !!config.tokenIntrospectionEndpoint;
+    const hasJWT = !!config.jwksUri;
+    if (!hasIntrospection && !hasJWT) {
+        errors.push('Either tokenIntrospectionEndpoint or jwksUri must be configured');
+    }
+    // Introspection credentials
+    if (hasIntrospection) {
+        if (!config.tokenIntrospectionClientId) {
+            warnings.push('tokenIntrospectionClientId not set - introspection may fail');
+        }
+        if (!config.tokenIntrospectionClientSecret) {
+            warnings.push('tokenIntrospectionClientSecret not set - introspection may fail');
+        }
+    }
+    // JWT validation
+    if (hasJWT) {
+        if (!config.audience) {
+            errors.push('audience is required for JWT validation (prevents confused deputy attacks)');
+        }
+        if (!config.issuer) {
+            warnings.push('issuer not set - JWT validation may be less strict');
+        }
+    }
+    // Audience (critical for security)
+    if (!config.audience) {
+        warnings.push('audience not set - tokens will not be validated for this resource. ' +
+            'This is a security risk (confused deputy attacks).');
+    }
+    // HTTPS
+    if (config.requireHttps !== false && process.env.NODE_ENV === 'production') {
+        try {
+            const url = new URL(config.resourceUri);
+            if (url.protocol !== 'https:') {
+                errors.push('resourceUri must use HTTPS in production');
+            }
+        }
+        catch {
+            errors.push('resourceUri is not a valid URL');
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+        warnings,
+    };
+}
+//# sourceMappingURL=server-integration.js.map

package/dist/auth/server-integration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-integration.js","sourceRoot":"","sources":["../../src/auth/server-integration.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,+BAA+B,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAKtE;;;;GAIG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,mBAAmB,CACjC,GAAY,EACZ,MAAqB,EACrB,OAGC;IAED,MAAM,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,uCAAuC,CAAC;IACtF,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE3D,8CAA8C;IAC9C,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpD,MAAM,QAAQ,GAAG,+BAA+B,CAC9C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,oBAAoB,EAC3B,MAAM,CAAC,eAAe,CACvB,CAAC;QAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,+CAA+C;IAC/C,MAAM,cAAc,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAEpD,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,8CAA8C,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,6BAA6B,MAAM,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnF,OAAO,CAAC,GAAG,CAAC,wBAAwB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,yBAAyB,YAAY,EAAE,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAKjC;IACC,MAAM,MAAM,GAAqD,EAAE,CAAC;IAEpE,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACzD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,GAAG,MAAM,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAAC,cAAsB,KAAK;IAC9D,OAAO,iBAAiB,CAAC;QACvB,IAAI,EAAE,CAAC,GAAG,WAAW,OAAO,CAAC;QAC7B,OAAO,EAAE,CAAC,GAAG,WAAW,OAAO,EAAE,GAAG,WAAW,UAAU,CAAC;QAC1D,KAAK,EAAE,CAAC,GAAG,WAAW,OAAO,EAAE,GAAG,WAAW,QAAQ,CAAC;QACtD,KAAK,EAAE,CAAC,GAAG,WAAW,QAAQ,CAAC;KAChC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,cAAsB,KAAK;IAI9D,MAAM,MAAM,GAAG;QACb,GAAG,WAAW,OAAO;QACrB,GAAG,WAAW,UAAU;QACxB,GAAG,WAAW,QAAQ;QACtB,GAAG,WAAW,QAAQ;KACvB,CAAC;IAEF,MAAM,YAAY,GAAG;QACnB,CAAC,GAAG,WAAW,OAAO,CAAC,EAAE,8CAA8C;QACvE,CAAC,GAAG,WAAW,UAAU,CAAC,EAAE,+BAA+B;QAC3D,CAAC,GAAG,WAAW,QAAQ,CAAC,EAAE,mCAAmC;QAC7D,CAAC,GAAG,WAAW,QAAQ,CAAC,EAAE,+CAA+C;KAC1E,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAqB;IAKtD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,MAAM,CAAC,oBAAoB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7E,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IAC/D,CAAC;IAED,0BAA0B;IAC1B,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC,0BAA0B,CAAC;IAC7D,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IAEhC,IAAI,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IACjF,CAAC;IAED,4BAA4B;IAC5B,IAAI,gBAAgB,EAAE,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,QAAQ,CAAC,IAAI,CACX,qEAAqE;YACrE,oDAAoD,CACrD,CAAC;IACJ,CAAC;IAED,QAAQ;IACR,IAAI,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3E,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACxC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/auth/server-metadata.d.ts

@@ -0,0 +1,51 @@
+import { ProtectedResourceMetadata } from './types.js';
+/**
+ * Protected Resource Metadata (RFC 9728)
+ *
+ * MCP servers MUST implement this to advertise their authorization servers
+ * to MCP clients. This enables automatic discovery of auth configuration.
+ */
+/**
+ * Create protected resource metadata document
+ *
+ * @param resourceUri - The URI of this MCP server
+ * @param authorizationServers - Array of authorization server issuer URLs
+ * @param scopesSupported - Optional: scopes this resource supports
+ */
+export declare function createProtectedResourceMetadata(resourceUri: string, authorizationServers: string[], scopesSupported?: string[]): ProtectedResourceMetadata;
+/**
+ * Get well-known URI for protected resource metadata
+ * Per RFC 9728, can be at:
+ * 1. Resource path: /.well-known/oauth-protected-resource{path}
+ * 2. Root: /.well-known/oauth-protected-resource
+ */
+export declare function getWellKnownMetadataUris(resourceUrl: URL): string[];
+/**
+ * Generate WWW-Authenticate header value for 401 responses
+ * Per RFC 6750 and MCP spec
+ *
+ * @param resourceMetadataUrl - URL to protected resource metadata
+ * @param scope - Optional: required scopes for this request
+ * @param error - Optional: error code (invalid_token, insufficient_scope, etc.)
+ * @param errorDescription - Optional: human-readable error description
+ */
+export declare function generateWWWAuthenticateHeader(options: {
+    resourceMetadataUrl?: string;
+    scope?: string;
+    error?: string;
+    errorDescription?: string;
+    realm?: string;
+}): string;
+/**
+ * Parse WWW-Authenticate header
+ * Extracts Bearer auth challenge parameters
+ */
+export declare function parseWWWAuthenticateHeader(headerValue: string): {
+    scheme: string;
+    realm?: string;
+    scope?: string;
+    resourceMetadata?: string;
+    error?: string;
+    errorDescription?: string;
+} | null;
+//# sourceMappingURL=server-metadata.d.ts.map

package/dist/auth/server-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-metadata.d.ts","sourceRoot":"","sources":["../../src/auth/server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAEvD;;;;;GAKG;AAEH;;;;;;GAMG;AACH,wBAAgB,+BAA+B,CAC7C,WAAW,EAAE,MAAM,EACnB,oBAAoB,EAAE,MAAM,EAAE,EAC9B,eAAe,CAAC,EAAE,MAAM,EAAE,GACzB,yBAAyB,CAO3B;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,GAAG,GAAG,MAAM,EAAE,CAcnE;AAED;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE;IACrD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,MAAM,CAwBT;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,WAAW,EAAE,MAAM,GAAG;IAC/D,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GAAG,IAAI,CA2CP"}

package/dist/auth/server-metadata.js

@@ -0,0 +1,106 @@
+/**
+ * Protected Resource Metadata (RFC 9728)
+ *
+ * MCP servers MUST implement this to advertise their authorization servers
+ * to MCP clients. This enables automatic discovery of auth configuration.
+ */
+/**
+ * Create protected resource metadata document
+ *
+ * @param resourceUri - The URI of this MCP server
+ * @param authorizationServers - Array of authorization server issuer URLs
+ * @param scopesSupported - Optional: scopes this resource supports
+ */
+export function createProtectedResourceMetadata(resourceUri, authorizationServers, scopesSupported) {
+    return {
+        resource: resourceUri,
+        authorization_servers: authorizationServers,
+        scopes_supported: scopesSupported,
+        bearer_methods_supported: ['header'], // MCP uses Bearer tokens in headers
+    };
+}
+/**
+ * Get well-known URI for protected resource metadata
+ * Per RFC 9728, can be at:
+ * 1. Resource path: /.well-known/oauth-protected-resource{path}
+ * 2. Root: /.well-known/oauth-protected-resource
+ */
+export function getWellKnownMetadataUris(resourceUrl) {
+    const urls = [];
+    // Method 1: At the path of the resource
+    if (resourceUrl.pathname && resourceUrl.pathname !== '/') {
+        const pathUri = new URL('/.well-known/oauth-protected-resource' + resourceUrl.pathname, resourceUrl.origin);
+        urls.push(pathUri.toString());
+    }
+    // Method 2: At the root
+    const rootUri = new URL('/.well-known/oauth-protected-resource', resourceUrl.origin);
+    urls.push(rootUri.toString());
+    return urls;
+}
+/**
+ * Generate WWW-Authenticate header value for 401 responses
+ * Per RFC 6750 and MCP spec
+ *
+ * @param resourceMetadataUrl - URL to protected resource metadata
+ * @param scope - Optional: required scopes for this request
+ * @param error - Optional: error code (invalid_token, insufficient_scope, etc.)
+ * @param errorDescription - Optional: human-readable error description
+ */
+export function generateWWWAuthenticateHeader(options) {
+    const parts = ['Bearer'];
+    if (options.realm) {
+        parts.push(`realm="${options.realm}"`);
+    }
+    if (options.scope) {
+        parts.push(`scope="${options.scope}"`);
+    }
+    if (options.resourceMetadataUrl) {
+        parts.push(`resource_metadata="${options.resourceMetadataUrl}"`);
+    }
+    if (options.error) {
+        parts.push(`error="${options.error}"`);
+    }
+    if (options.errorDescription) {
+        parts.push(`error_description="${options.errorDescription}"`);
+    }
+    return parts.join(', ');
+}
+/**
+ * Parse WWW-Authenticate header
+ * Extracts Bearer auth challenge parameters
+ */
+export function parseWWWAuthenticateHeader(headerValue) {
+    if (!headerValue)
+        return null;
+    // Parse Bearer scheme
+    const bearerMatch = headerValue.match(/Bearer\s+(.+)/i);
+    if (!bearerMatch)
+        return null;
+    const params = bearerMatch[1];
+    const result = { scheme: 'Bearer' };
+    // Parse key="value" pairs
+    const paramRegex = /(\w+)="([^"]+)"/g;
+    let match;
+    while ((match = paramRegex.exec(params)) !== null) {
+        const [, key, value] = match;
+        switch (key) {
+            case 'realm':
+                result.realm = value;
+                break;
+            case 'scope':
+                result.scope = value;
+                break;
+            case 'resource_metadata':
+                result.resourceMetadata = value;
+                break;
+            case 'error':
+                result.error = value;
+                break;
+            case 'error_description':
+                result.errorDescription = value;
+                break;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=server-metadata.js.map

package/dist/auth/server-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-metadata.js","sourceRoot":"","sources":["../../src/auth/server-metadata.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B,CAC7C,WAAmB,EACnB,oBAA8B,EAC9B,eAA0B;IAE1B,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,qBAAqB,EAAE,oBAAoB;QAC3C,gBAAgB,EAAE,eAAe;QACjC,wBAAwB,EAAE,CAAC,QAAQ,CAAC,EAAE,oCAAoC;KAC3E,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAgB;IACvD,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,wCAAwC;IACxC,IAAI,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;QACzD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,uCAAuC,GAAG,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;QAC5G,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,wBAAwB;IACxB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACrF,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE9B,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAAC,OAM7C;IACC,MAAM,KAAK,GAAa,CAAC,QAAQ,CAAC,CAAC;IAEnC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,mBAAmB,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,gBAAgB,GAAG,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,WAAmB;IAQ5D,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,sBAAsB;IACtB,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACxD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,MAAM,GAOR,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAEzB,0BAA0B;IAC1B,MAAM,UAAU,GAAG,kBAAkB,CAAC;IACtC,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;QAC7B,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,mBAAmB;gBACtB,MAAM,CAAC,gBAAgB,GAAG,KAAK,CAAC;gBAChC,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,mBAAmB;gBACtB,MAAM,CAAC,gBAAgB,GAAG,KAAK,CAAC;gBAChC,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/auth/simple-jwt.d.ts

@@ -0,0 +1,174 @@
+import { RequestHandler } from 'express';
+import { SecretValue } from './secure-secret.js';
+/**
+ * Simple JWT Authentication
+ *
+ * For 70% of use cases where you don't need full OAuth 2.1 complexity.
+ * Perfect for internal tools, APIs, and services that manage their own tokens.
+ */
+/**
+ * Standard JWT claims that are commonly used
+ */
+export interface StandardJWTClaims {
+    /** Subject - typically user ID */
+    sub?: string;
+    /** Audience - who the token is intended for */
+    aud?: string | string[];
+    /** Issuer - who created the token */
+    iss?: string;
+    /** Expiration time (unix timestamp) */
+    exp?: number;
+    /** Issued at (unix timestamp) */
+    iat?: number;
+    /** Not before (unix timestamp) */
+    nbf?: number;
+    /** JWT ID - unique identifier */
+    jti?: string;
+}
+/**
+ * Custom claims that can be added to JWT payload
+ */
+export interface CustomJWTClaims {
+    /** User scopes/permissions */
+    scopes?: string[];
+    /** Space-separated scopes (OAuth style) */
+    scope?: string;
+    /** Client ID for machine-to-machine auth */
+    client_id?: string;
+    /** User's email */
+    email?: string;
+    /** User's name */
+    name?: string;
+    /** User roles */
+    roles?: string[];
+}
+/**
+ * Full JWT payload combining standard and custom claims
+ */
+export interface JWTPayload extends StandardJWTClaims, CustomJWTClaims {
+    /** Allow additional custom claims */
+    [key: string]: unknown;
+}
+export interface SimpleJWTConfig {
+    /**
+     * JWT secret for signing/verification (HS256)
+     *
+     * **Recommended:** Use SecretValue.fromEnv() to load from environment
+     *
+     * @example
+     * ```typescript
+     * // Recommended: Load from environment
+     * import { SecretValue } from '@nitrostack/sdk/auth';
+     *
+     * const config = {
+     *   secret: SecretValue.fromEnv('JWT_SECRET'),
+     *   audience: 'my-api',
+     * };
+     * ```
+     */
+    secret: SecretValue | string;
+    /**
+     * Expected audience (who the token is for)
+     */
+    audience?: string;
+    /**
+     * Expected issuer (who created the token)
+     */
+    issuer?: string;
+    /**
+     * Custom claims to validate
+     */
+    customValidation?: (payload: JWTPayload) => boolean;
+    /**
+     * Algorithm (default: HS256)
+     */
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+}
+/**
+ * Create Simple JWT authentication middleware
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Simple JWT auth (no OAuth complexity!)
+ * server.app.use('/mcp', createSimpleJWTAuth({
+ *   secret: process.env.JWT_SECRET!,
+ *   audience: 'my-mcp-server',
+ *   issuer: 'my-app',
+ * }));
+ *
+ * server.start();
+ * ```
+ */
+export declare function createSimpleJWTAuth(config: SimpleJWTConfig): RequestHandler;
+/**
+ * Generate a JWT token (helper for testing/development)
+ *
+ * @example
+ * ```typescript
+ * const token = generateJWT({
+ *   secret: process.env.JWT_SECRET!,
+ *   payload: {
+ *     sub: 'user123',
+ *     scopes: ['mcp:read', 'mcp:write'],
+ *   },
+ *   expiresIn: '1h',
+ * });
+ * ```
+ */
+/**
+ * Options for generating a JWT token
+ */
+export interface GenerateJWTOptions {
+    /**
+     * JWT secret for signing
+     *
+     * @example
+     * ```typescript
+     * secret: SecretValue.fromEnv('JWT_SECRET')
+     * // or for testing:
+     * secret: SecretValue.fromValue('test-secret', { allowHardcoded: true })
+     * ```
+     */
+    secret: SecretValue | string;
+    /** Payload to encode in the JWT */
+    payload: JWTPayload;
+    /** Token expiration (e.g., '1h', '7d', 3600) */
+    expiresIn?: string | number;
+    /** Expected audience */
+    audience?: string;
+    /** Token issuer */
+    issuer?: string;
+    /** Signing algorithm */
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+}
+/**
+ * Generate a JWT token
+ *
+ * @example
+ * ```typescript
+ * const token = generateJWT({
+ *   secret: SecretValue.fromEnv('JWT_SECRET'),
+ *   payload: {
+ *     sub: 'user123',
+ *     scopes: ['mcp:read', 'mcp:write'],
+ *   },
+ *   expiresIn: '1h',
+ * });
+ * ```
+ */
+export declare function generateJWT(options: GenerateJWTOptions): string;
+/**
+ * Verify a JWT token without middleware (helper)
+ *
+ * @param token - The JWT token to verify
+ * @param config - JWT configuration including secret
+ * @returns The decoded payload if valid, null otherwise
+ */
+export declare function verifyJWT(token: string, config: SimpleJWTConfig): JWTPayload | null;
+/**
+ * Decode JWT without verification (for debugging)
+ */
+export declare function decodeJWT(token: string): JWTPayload | null;
+//# sourceMappingURL=simple-jwt.d.ts.map

package/dist/auth/simple-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"simple-jwt.d.ts","sourceRoot":"","sources":["../../src/auth/simple-jwt.ts"],"names":[],"mappings":"AACA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAgB,MAAM,oBAAoB,CAAC;AAE/D;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,kCAAkC;IAClC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mBAAmB;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,iBAAiB,EAAE,eAAe;IACpE,qCAAqC;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B;;;;;;;;;;;;;;;OAeG;IACH,MAAM,EAAE,WAAW,GAAG,MAAM,CAAC;IAE7B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,gBAAgB,CAAC,EAAE,CAAC,OAAO,EAAE,UAAU,KAAK,OAAO,CAAC;IAEpD;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CACzC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,cAAc,CAiF3E;AAED;;;;;;;;;;;;;;GAcG;AACH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;OASG;IACH,MAAM,EAAE,WAAW,GAAG,MAAM,CAAC;IAE7B,mCAAmC;IACnC,OAAO,EAAE,UAAU,CAAC;IAEpB,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5B,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,wBAAwB;IACxB,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CACzC;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,MAAM,CAoB/D;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,eAAe,GACtB,UAAU,GAAG,IAAI,CAyBnB;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAM1D"}