@nitrostack/core 1.0.0

package/dist/auth/simple-jwt.js

@@ -0,0 +1,162 @@
+import jwt from 'jsonwebtoken';
+import { unwrapSecret } from './secure-secret.js';
+/**
+ * Create Simple JWT authentication middleware
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Simple JWT auth (no OAuth complexity!)
+ * server.app.use('/mcp', createSimpleJWTAuth({
+ *   secret: process.env.JWT_SECRET!,
+ *   audience: 'my-mcp-server',
+ *   issuer: 'my-app',
+ * }));
+ *
+ * server.start();
+ * ```
+ */
+export function createSimpleJWTAuth(config) {
+    const algorithm = config.algorithm || 'HS256';
+    return async (req, res, next) => {
+        try {
+            // 1. Extract token from Authorization header
+            const authHeader = req.headers.authorization;
+            if (!authHeader || !authHeader.startsWith('Bearer ')) {
+                return res.status(401).json({
+                    error: 'unauthorized',
+                    message: 'Missing or invalid Authorization header. Use: Authorization: Bearer <token>',
+                });
+            }
+            const token = authHeader.substring(7); // Remove 'Bearer '
+            // 2. Verify JWT
+            const verifyOptions = {
+                algorithms: [algorithm],
+            };
+            if (config.audience) {
+                verifyOptions.audience = config.audience;
+            }
+            if (config.issuer) {
+                verifyOptions.issuer = config.issuer;
+            }
+            const secretValue = unwrapSecret(config.secret);
+            const payload = jwt.verify(token, secretValue, verifyOptions);
+            // 3. Custom validation
+            if (config.customValidation && !config.customValidation(payload)) {
+                return res.status(403).json({
+                    error: 'forbidden',
+                    message: 'Token validation failed',
+                });
+            }
+            // 4. Attach to request
+            req.auth = {
+                authenticated: true,
+                tokenInfo: {
+                    active: true,
+                    sub: payload.sub,
+                    aud: typeof payload.aud === 'string' ? [payload.aud] : payload.aud,
+                    iss: payload.iss,
+                    exp: payload.exp,
+                    iat: payload.iat,
+                },
+                scopes: payload.scopes || payload.scope?.split(' ') || [],
+                clientId: payload.client_id || payload.sub,
+                subject: payload.sub,
+            };
+            next();
+        }
+        catch (error) {
+            const err = error;
+            if (err.name === 'TokenExpiredError') {
+                return res.status(401).json({
+                    error: 'token_expired',
+                    message: 'JWT has expired',
+                });
+            }
+            if (err.name === 'JsonWebTokenError') {
+                return res.status(401).json({
+                    error: 'invalid_token',
+                    message: 'Invalid JWT: ' + err.message,
+                });
+            }
+            return res.status(500).json({
+                error: 'server_error',
+                message: 'Token validation failed',
+            });
+        }
+    };
+}
+/**
+ * Generate a JWT token
+ *
+ * @example
+ * ```typescript
+ * const token = generateJWT({
+ *   secret: SecretValue.fromEnv('JWT_SECRET'),
+ *   payload: {
+ *     sub: 'user123',
+ *     scopes: ['mcp:read', 'mcp:write'],
+ *   },
+ *   expiresIn: '1h',
+ * });
+ * ```
+ */
+export function generateJWT(options) {
+    const signOptions = {
+        algorithm: options.algorithm || 'HS256',
+    };
+    if (options.expiresIn !== undefined) {
+        // Cast to jwt.SignOptions['expiresIn'] which accepts string | number
+        signOptions.expiresIn = options.expiresIn;
+    }
+    if (options.audience) {
+        signOptions.audience = options.audience;
+    }
+    if (options.issuer) {
+        signOptions.issuer = options.issuer;
+    }
+    const secretValue = unwrapSecret(options.secret);
+    return jwt.sign(options.payload, secretValue, signOptions);
+}
+/**
+ * Verify a JWT token without middleware (helper)
+ *
+ * @param token - The JWT token to verify
+ * @param config - JWT configuration including secret
+ * @returns The decoded payload if valid, null otherwise
+ */
+export function verifyJWT(token, config) {
+    try {
+        const verifyOptions = {
+            algorithms: [config.algorithm || 'HS256'],
+        };
+        if (config.audience) {
+            verifyOptions.audience = config.audience;
+        }
+        if (config.issuer) {
+            verifyOptions.issuer = config.issuer;
+        }
+        const secretValue = unwrapSecret(config.secret);
+        const payload = jwt.verify(token, secretValue, verifyOptions);
+        if (config.customValidation && !config.customValidation(payload)) {
+            return null;
+        }
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Decode JWT without verification (for debugging)
+ */
+export function decodeJWT(token) {
+    try {
+        return jwt.decode(token);
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=simple-jwt.js.map

package/dist/auth/simple-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"simple-jwt.js","sourceRoot":"","sources":["../../src/auth/simple-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAE/B,OAAO,EAAe,YAAY,EAAE,MAAM,oBAAoB,CAAC;AA+F/D;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAuB;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC;IAE9C,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAE7C,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,6EAA6E;iBACvF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;YAE1D,gBAAgB;YAChB,MAAM,aAAa,GAAsB;gBACvC,UAAU,EAAE,CAAC,SAAS,CAAC;aACxB,CAAC;YAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,aAAa,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC3C,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YACvC,CAAC;YAED,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAe,CAAC;YAE5E,uBAAuB;YACvB,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;YACL,CAAC;YAED,uBAAuB;YACvB,GAAG,CAAC,IAAI,GAAG;gBACT,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE;oBACT,MAAM,EAAE,IAAI;oBACZ,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG;oBAClE,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;iBACjB;gBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;gBACzD,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG;gBAC1C,OAAO,EAAE,OAAO,CAAC,GAAG;aACrB,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAkC,CAAC;YAE/C,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACrC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,iBAAiB;iBAC3B,CAAC,CAAC;YACL,CAAC;YAED,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACrC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,eAAe,GAAG,GAAG,CAAC,OAAO;iBACvC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAiDD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,WAAW,CAAC,OAA2B;IACrD,MAAM,WAAW,GAAoB;QACnC,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;KACxC,CAAC;IAEF,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,qEAAqE;QACrE,WAAW,CAAC,SAAS,GAAG,OAAO,CAAC,SAAyC,CAAC;IAC5E,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,WAAW,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC1C,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,WAAW,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACtC,CAAC;IAED,MAAM,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CACvB,KAAa,EACb,MAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,aAAa,GAAsB;YACvC,UAAU,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC;SAC1C,CAAC;QAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,aAAa,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC3C,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QACvC,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAe,CAAC;QAE5E,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAe,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/auth/token-store.d.ts

@@ -0,0 +1,104 @@
+import { StoredToken } from './types.js';
+/**
+ * Token Storage Interface
+ *
+ * Provides secure storage for OAuth tokens
+ */
+export interface TokenStore {
+    /**
+     * Save a token
+     */
+    saveToken(key: string, token: StoredToken): Promise<void>;
+    /**
+     * Get a token
+     */
+    getToken(key: string): Promise<StoredToken | null>;
+    /**
+     * Delete a token
+     */
+    deleteToken(key: string): Promise<void>;
+    /**
+     * List all stored token keys
+     */
+    listKeys(): Promise<string[]>;
+    /**
+     * Clear all tokens
+     */
+    clear(): Promise<void>;
+}
+/**
+ * In-memory token store
+ * For testing and ephemeral storage
+ */
+export declare class MemoryTokenStore implements TokenStore {
+    private tokens;
+    saveToken(key: string, token: StoredToken): Promise<void>;
+    getToken(key: string): Promise<StoredToken | null>;
+    deleteToken(key: string): Promise<void>;
+    listKeys(): Promise<string[]>;
+    clear(): Promise<void>;
+    private isTokenExpired;
+}
+/**
+ * File-based token store with encryption
+ * For CLI applications and development
+ */
+export declare class FileTokenStore implements TokenStore {
+    private storePath;
+    private encryptionKey?;
+    constructor(storePath: string, encryptionKey?: string);
+    saveToken(key: string, token: StoredToken): Promise<void>;
+    getToken(key: string): Promise<StoredToken | null>;
+    deleteToken(key: string): Promise<void>;
+    listKeys(): Promise<string[]>;
+    clear(): Promise<void>;
+    /**
+     * Load tokens from file
+     */
+    private loadTokens;
+    /**
+     * Save tokens to file
+     */
+    private saveTokens;
+    /**
+     * Encrypt data using AES-256-GCM
+     */
+    private encrypt;
+    /**
+     * Decrypt data using AES-256-GCM
+     */
+    private decrypt;
+    /**
+     * Derive 256-bit key from password using PBKDF2
+     */
+    private deriveKey;
+    private isTokenExpired;
+}
+/**
+ * Create default token store
+ *
+ * Uses file-based storage with encryption if password provided
+ *
+ * @param storePath - Path to store tokens (default: ~/.nitrostack/tokens.json)
+ * @param encryptionKey - Optional encryption key
+ */
+export declare function createDefaultTokenStore(storePath?: string, encryptionKey?: string): TokenStore;
+/**
+ * Utility: Check if token is expired
+ */
+export declare function isTokenExpired(token: StoredToken): boolean;
+/**
+ * Utility: Calculate token expiration timestamp
+ */
+export declare function calculateExpiration(expiresIn: number): number;
+/**
+ * Utility: Convert TokenResponse to StoredToken
+ */
+export declare function tokenResponseToStored(response: {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+}, resource?: string): StoredToken;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/auth/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAEnD;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE9B;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;;GAGG;AACH,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,MAAM,CAAuC;IAE/C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAalD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAI7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B,OAAO,CAAC,cAAc;CAGvB;AAED;;;GAGG;AACH,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,aAAa,CAAC,CAAS;gBAEnB,SAAS,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM;IAK/C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzD,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAgBlD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMvC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAK7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B;;OAEG;YACW,UAAU;IAoBxB;;OAEG;YACW,UAAU;IAYxB;;OAEG;IACH,OAAO,CAAC,OAAO;IAgBf;;OAEG;IACH,OAAO,CAAC,OAAO;IAuBf;;OAEG;IACH,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,cAAc;CAGvB;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,CAAC,EAAE,MAAM,EAClB,aAAa,CAAC,EAAE,MAAM,GACrB,UAAU,CAQZ;AAUD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAE1D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,QAAQ,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,EACrH,QAAQ,CAAC,EAAE,MAAM,GAChB,WAAW,CASb"}

package/dist/auth/token-store.js

@@ -0,0 +1,205 @@
+import fs from 'fs/promises';
+import path from 'path';
+import crypto from 'crypto';
+/**
+ * In-memory token store
+ * For testing and ephemeral storage
+ */
+export class MemoryTokenStore {
+    tokens = new Map();
+    async saveToken(key, token) {
+        this.tokens.set(key, token);
+    }
+    async getToken(key) {
+        const token = this.tokens.get(key);
+        if (!token)
+            return null;
+        // Check if expired
+        if (this.isTokenExpired(token)) {
+            this.tokens.delete(key);
+            return null;
+        }
+        return token;
+    }
+    async deleteToken(key) {
+        this.tokens.delete(key);
+    }
+    async listKeys() {
+        return Array.from(this.tokens.keys());
+    }
+    async clear() {
+        this.tokens.clear();
+    }
+    isTokenExpired(token) {
+        return Date.now() > token.expires_at;
+    }
+}
+/**
+ * File-based token store with encryption
+ * For CLI applications and development
+ */
+export class FileTokenStore {
+    storePath;
+    encryptionKey;
+    constructor(storePath, encryptionKey) {
+        this.storePath = storePath;
+        this.encryptionKey = encryptionKey;
+    }
+    async saveToken(key, token) {
+        const tokens = await this.loadTokens();
+        tokens[key] = token;
+        await this.saveTokens(tokens);
+    }
+    async getToken(key) {
+        const tokens = await this.loadTokens();
+        const token = tokens[key];
+        if (!token)
+            return null;
+        // Check if expired
+        if (this.isTokenExpired(token)) {
+            delete tokens[key];
+            await this.saveTokens(tokens);
+            return null;
+        }
+        return token;
+    }
+    async deleteToken(key) {
+        const tokens = await this.loadTokens();
+        delete tokens[key];
+        await this.saveTokens(tokens);
+    }
+    async listKeys() {
+        const tokens = await this.loadTokens();
+        return Object.keys(tokens);
+    }
+    async clear() {
+        await this.saveTokens({});
+    }
+    /**
+     * Load tokens from file
+     */
+    async loadTokens() {
+        try {
+            // Ensure directory exists
+            await fs.mkdir(path.dirname(this.storePath), { recursive: true });
+            // Read file
+            const data = await fs.readFile(this.storePath, 'utf-8');
+            // Decrypt if encryption is enabled
+            const content = this.decrypt(data);
+            return JSON.parse(content);
+        }
+        catch (error) {
+            if (error instanceof Error && error.code === 'ENOENT') {
+                return {}; // File doesn't exist yet
+            }
+            throw error;
+        }
+    }
+    /**
+     * Save tokens to file
+     */
+    async saveTokens(tokens) {
+        const content = JSON.stringify(tokens, null, 2);
+        // Encrypt if encryption is enabled
+        const data = this.encrypt(content);
+        // Write to file with restricted permissions
+        await fs.writeFile(this.storePath, data, {
+            mode: 0o600, // Read/write for owner only
+        });
+    }
+    /**
+     * Encrypt data using AES-256-GCM
+     */
+    encrypt(data) {
+        if (!this.encryptionKey)
+            return data;
+        const key = this.deriveKey(this.encryptionKey);
+        const iv = crypto.randomBytes(16);
+        const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+        let encrypted = cipher.update(data, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        const authTag = cipher.getAuthTag();
+        // Return: iv:authTag:encrypted
+        return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+    }
+    /**
+     * Decrypt data using AES-256-GCM
+     */
+    decrypt(data) {
+        if (!this.encryptionKey)
+            return data;
+        const key = this.deriveKey(this.encryptionKey);
+        const parts = data.split(':');
+        if (parts.length !== 3) {
+            throw new Error('Invalid encrypted data format');
+        }
+        const [ivHex, authTagHex, encrypted] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const authTag = Buffer.from(authTagHex, 'hex');
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    /**
+     * Derive 256-bit key from password using PBKDF2
+     */
+    deriveKey(password) {
+        // Use a fixed salt for key derivation
+        // In production, consider using a per-user salt
+        const salt = 'nitrostack-token-store';
+        return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
+    }
+    isTokenExpired(token) {
+        return Date.now() > token.expires_at;
+    }
+}
+/**
+ * Create default token store
+ *
+ * Uses file-based storage with encryption if password provided
+ *
+ * @param storePath - Path to store tokens (default: ~/.nitrostack/tokens.json)
+ * @param encryptionKey - Optional encryption key
+ */
+export function createDefaultTokenStore(storePath, encryptionKey) {
+    const defaultPath = storePath || getDefaultStorePath();
+    if (encryptionKey) {
+        return new FileTokenStore(defaultPath, encryptionKey);
+    }
+    return new FileTokenStore(defaultPath);
+}
+/**
+ * Get default token store path
+ */
+function getDefaultStorePath() {
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    return path.join(home, '.nitrostack', 'tokens.json');
+}
+/**
+ * Utility: Check if token is expired
+ */
+export function isTokenExpired(token) {
+    return Date.now() > token.expires_at;
+}
+/**
+ * Utility: Calculate token expiration timestamp
+ */
+export function calculateExpiration(expiresIn) {
+    return Date.now() + expiresIn * 1000;
+}
+/**
+ * Utility: Convert TokenResponse to StoredToken
+ */
+export function tokenResponseToStored(response, resource) {
+    return {
+        access_token: response.access_token,
+        token_type: response.token_type,
+        expires_at: response.expires_in ? calculateExpiration(response.expires_in) : Date.now() + 3600000, // Default 1 hour
+        refresh_token: response.refresh_token,
+        scope: response.scope,
+        resource,
+    };
+}
+//# sourceMappingURL=token-store.js.map

package/dist/auth/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAmC5B;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,MAAM,GAA6B,IAAI,GAAG,EAAE,CAAC;IAErD,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAkB;QAC7C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,mBAAmB;QACnB,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACvC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,SAAS,CAAS;IAClB,aAAa,CAAU;IAE/B,YAAY,SAAiB,EAAE,aAAsB;QACnD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAkB;QAC7C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACpB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAE1B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,mBAAmB;QACnB,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAElE,YAAY;YACZ,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAExD,mCAAmC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAEnC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,KAAK,YAAY,KAAK,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjF,OAAO,EAAE,CAAC,CAAC,yBAAyB;YACtC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CAAC,MAAmC;QAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEhD,mCAAmC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAEnC,4CAA4C;QAC5C,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;YACvC,IAAI,EAAE,KAAK,EAAE,4BAA4B;SAC1C,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAE7D,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACnD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEjC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEpC,+BAA+B;QAC/B,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;IACzE,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,QAAgB;QAChC,sCAAsC;QACtC,gDAAgD;QAChD,MAAM,IAAI,GAAG,wBAAwB,CAAC;QACtC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACvC,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAkB,EAClB,aAAsB;IAEtB,MAAM,WAAW,GAAG,SAAS,IAAI,mBAAmB,EAAE,CAAC;IAEvD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,IAAI,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAC/D,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAqH,EACrH,QAAiB;IAEjB,OAAO;QACL,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,iBAAiB;QACpH,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/auth/token-validation.d.ts

@@ -0,0 +1,59 @@
+import { TokenIntrospection, McpAuthConfig } from './types.js';
+interface TokenValidationResult {
+    valid: boolean;
+    introspection?: TokenIntrospection;
+    error?: string;
+}
+/**
+ * Validate a Bearer token
+ *
+ * @param token - The access token to validate
+ * @param config - Auth configuration
+ * @returns Validation result with token introspection data
+ */
+export declare function validateToken(token: string, config: McpAuthConfig): Promise<TokenValidationResult>;
+/**
+ * Introspect token using OAuth 2.0 Token Introspection (RFC 7662)
+ *
+ * @internal - Exported for testing
+ */
+export declare function introspectToken(token: string, config: McpAuthConfig): Promise<TokenIntrospection>;
+/**
+ * Validate JWT using JWKS
+ *
+ * @internal - Exported for testing
+ */
+export declare function validateJWT(token: string, config: McpAuthConfig): Promise<TokenIntrospection>;
+/**
+ * Validate token audience (RFC 8707)
+ *
+ * CRITICAL: This prevents confused deputy attacks
+ * Token MUST be issued specifically for this resource
+ *
+ * @param introspection - Token introspection result
+ * @param expectedAudience - Expected audience value(s)
+ * @returns true if audience is valid
+ */
+export declare function validateAudience(introspection: TokenIntrospection, expectedAudience?: string | string[]): boolean;
+/**
+ * Validate scopes
+ *
+ * @param introspection - Token introspection result
+ * @param requiredScopes - Scopes required for the operation
+ * @returns true if token has all required scopes
+ */
+export declare function validateScopes(introspection: TokenIntrospection, requiredScopes: string[]): boolean;
+/**
+ * Extract Bearer token from Authorization header
+ */
+export declare function extractBearerToken(authHeader: string | undefined): string | null;
+/**
+ * Check if token is expired
+ */
+export declare function isTokenExpired(introspection: TokenIntrospection): boolean;
+/**
+ * Clear token cache (useful for testing)
+ */
+export declare function clearTokenCache(): void;
+export {};
+//# sourceMappingURL=token-validation.d.ts.map

package/dist/auth/token-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validation.d.ts","sourceRoot":"","sources":["../../src/auth/token-validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAqB/D,UAAU,qBAAqB;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,kBAAkB,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAQD;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,qBAAqB,CAAC,CA0ChC;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAmC7B;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAgC7B;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,aAAa,EAAE,kBAAkB,EACjC,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACnC,OAAO,CAgBT;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,aAAa,EAAE,kBAAkB,EACjC,cAAc,EAAE,MAAM,EAAE,GACvB,OAAO,CAWT;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAOhF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,aAAa,EAAE,kBAAkB,GAAG,OAAO,CAOzE;AA4CD;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}