@nocoo/base-mcp 0.1.0 → 0.1.1

package/README.md

@@ -20,7 +20,319 @@ Peer dependencies:
 pnpm add @modelcontextprotocol/sdk zod
 ```
 
-## Quick Start
+## Full Integration Guide
+
+This guide covers the complete setup for integrating MCP with OAuth 2.1 authentication in a Next.js/Hono app.
+
+### Architecture Overview
+
+```
+┌─────────────────┐     ┌──────────────────────────────────────┐
+│   MCP Client    │     │           Your App                    │
+│ (Claude Code,   │     │  ┌─────────────────────────────────┐  │
+│  Cursor, etc.)  │────▶│  │ /.well-known/oauth-auth-server │  │  OAuth Discovery
+│                 │     │  └─────────────────────────────────┘  │
+│                 │     │                                        │
+│                 │────▶│  /api/mcp/register  (Client Reg)      │
+│                 │────▶│  /api/mcp/authorize (Auth Start)      │
+│                 │────▶│  /api/mcp/callback  (Auth Complete)   │
+│                 │────▶│  /api/mcp/token     (Token Exchange)  │
+│                 │     │                                        │
+│                 │────▶│  /api/mcp           (MCP Endpoint)    │
+└─────────────────┘     └──────────────────────────────────────┘
+```
+
+### Step 1: OAuth Discovery Endpoint
+
+Create `/.well-known/oauth-authorization-server` to expose OAuth metadata.
+
+**CRITICAL**: This endpoint must NOT be protected by authentication.
+
+```typescript
+// src/app/.well-known/oauth-authorization-server/route.ts
+import { getOAuthMetadata } from "@nocoo/base-mcp/auth";
+import { NextResponse } from "next/server";
+
+export function GET() {
+  // Use environment variable or derive from request
+  const issuer = process.env.AUTH_URL ?? "http://localhost:3000";
+  const metadata = getOAuthMetadata(issuer);
+
+  return NextResponse.json(metadata, {
+    headers: { "Cache-Control": "public, max-age=3600" },
+  });
+}
+```
+
+The metadata includes:
+- `authorization_endpoint`: `/api/mcp/authorize`
+- `token_endpoint`: `/api/mcp/token`
+- `registration_endpoint`: `/api/mcp/register`
+
+### Step 2: Middleware Configuration
+
+Ensure `/.well-known/` is publicly accessible without authentication:
+
+```typescript
+// middleware.ts or proxy-logic.ts
+const PUBLIC_PATHS = [
+  "/login",
+  "/terms",
+  "/privacy",
+  "/.well-known/",  // OAuth metadata - must be public
+];
+
+function isPublicPath(pathname: string): boolean {
+  return PUBLIC_PATHS.some(p => pathname === p || pathname.startsWith(p));
+}
+```
+
+### Step 3: OAuth Endpoints
+
+#### 3.1 Dynamic Client Registration (`/api/mcp/register`)
+
+```typescript
+// src/app/api/mcp/register/route.ts
+import { isLoopbackRedirectUri } from "@nocoo/base-mcp/auth";
+import { createMcpClient } from "@/data/mcp-clients"; // Your data layer
+
+export async function POST(request: Request) {
+  const body = await request.json();
+
+  // Validate redirect_uris (loopback only for security)
+  for (const uri of body.redirect_uris) {
+    if (!isLoopbackRedirectUri(uri)) {
+      return errorResponse("Only loopback redirect URIs are allowed");
+    }
+  }
+
+  const client = await createMcpClient(db, {
+    client_name: body.client_name,
+    redirect_uris: body.redirect_uris,
+    grant_types: body.grant_types ?? ["authorization_code"],
+  });
+
+  return jsonResponse({
+    client_id: client.client_id,
+    client_name: client.client_name,
+    redirect_uris: JSON.parse(client.redirect_uris),
+    grant_types: JSON.parse(client.grant_types),
+    token_endpoint_auth_method: "none",
+  }, 201);
+}
+```
+
+#### 3.2 Authorization (`/api/mcp/authorize`)
+
+```typescript
+// src/app/api/mcp/authorize/route.ts
+export async function GET(request: Request) {
+  const url = new URL(request.url);
+  const params = url.searchParams;
+
+  // Required OAuth params
+  const responseType = params.get("response_type"); // Must be "code"
+  const clientId = params.get("client_id");
+  const redirectUri = params.get("redirect_uri");
+  const codeChallenge = params.get("code_challenge");
+  const codeChallengeMethod = params.get("code_challenge_method"); // Must be "S256"
+  const state = params.get("state");
+
+  // Store auth session keyed by state
+  await createAuthSession(db, {
+    state,
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    code_challenge: codeChallenge,
+    code_challenge_method: codeChallengeMethod,
+    scope,
+    expires_at: now + AUTH_CODE_TTL,
+  });
+
+  // Check if user already authenticated
+  const session = await auth();
+  if (session?.user?.email) {
+    return NextResponse.redirect(`/api/mcp/callback?state=${state}`);
+  }
+
+  // Redirect to login
+  return NextResponse.redirect(`/login?callbackUrl=/api/mcp/callback?state=${state}`);
+}
+```
+
+#### 3.3 Callback (`/api/mcp/callback`)
+
+```typescript
+// src/app/api/mcp/callback/route.ts
+export async function GET(request: Request) {
+  const state = new URL(request.url).searchParams.get("state");
+
+  // Verify user is authenticated
+  const session = await auth();
+  if (!session?.user?.email) {
+    return errorResponse("Authentication required", 401);
+  }
+
+  // Look up auth session
+  const authSession = await getAuthSessionByState(db, state);
+  if (!authSession) {
+    return errorResponse("Invalid or expired session");
+  }
+
+  // Generate authorization code
+  const code = randomBytes(32).toString("hex");
+  await upgradeAuthSession(db, state, code, session.user.email);
+
+  // Redirect to client's redirect_uri
+  const redirectUrl = new URL(authSession.redirect_uri);
+  redirectUrl.searchParams.set("code", code);
+  redirectUrl.searchParams.set("state", state);
+
+  return NextResponse.redirect(redirectUrl.toString());
+}
+```
+
+#### 3.4 Token Exchange (`/api/mcp/token`)
+
+```typescript
+// src/app/api/mcp/token/route.ts
+import { verifyPkceS256 } from "@nocoo/base-mcp/auth";
+
+export async function POST(request: Request) {
+  const body = await request.formData();
+  const grantType = body.get("grant_type");
+
+  if (grantType === "authorization_code") {
+    const code = body.get("code");
+    const codeVerifier = body.get("code_verifier");
+
+    // Look up and validate auth code
+    const authCode = await getAuthCodeByCode(db, code);
+
+    // Verify PKCE
+    const pkceValid = await verifyPkceS256(codeVerifier, authCode.code_challenge);
+    if (!pkceValid) {
+      return oauthError("invalid_grant", "PKCE verification failed");
+    }
+
+    // Issue tokens
+    return jsonResponse({
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: ACCESS_TOKEN_TTL,
+      refresh_token: refreshToken,
+      scope,
+    });
+  }
+
+  if (grantType === "refresh_token") {
+    // Handle refresh token exchange
+  }
+}
+```
+
+### Step 4: MCP Endpoint
+
+```typescript
+// src/app/api/mcp/route.ts
+import { validateMcpToken, validateOrigin } from "@nocoo/base-mcp/auth";
+
+export async function POST(request: Request) {
+  const siteUrl = process.env.AUTH_URL ?? "http://localhost:3000";
+
+  // Step 1: Validate Origin (DNS rebinding protection)
+  const origin = request.headers.get("origin");
+  const originResult = validateOrigin(origin, siteUrl);
+  if (!originResult.valid) {
+    return errorResponse(originResult.error, originResult.status);
+  }
+
+  // Step 2: Validate Bearer token
+  const authResult = await validateMcpToken(
+    db,
+    request.headers.get("authorization"),
+  );
+  if (!authResult.valid) {
+    return errorResponse(authResult.error, authResult.status);
+  }
+
+  // Step 3: Create MCP server and handle request
+  const server = createMcpServer(db);
+  const transport = new WebStandardStreamableHTTPServerTransport({
+    enableJsonResponse: true, // Stateless mode
+  });
+
+  await server.connect(transport);
+  return transport.handleRequest(request);
+}
+```
+
+### Step 5: MCP Configuration Page
+
+Create a user-facing page to help configure MCP clients:
+
+```typescript
+// src/app/mcp-tokens/mcp-tokens-client.tsx
+"use client";
+
+function getMcpUrl(): string {
+  if (typeof window === "undefined") {
+    return "https://your-app.com/api/mcp";
+  }
+  // Dynamic URL derivation - no hardcoding
+  const { protocol, hostname, port } = window.location;
+  let baseUrl = `${protocol}//${hostname}`;
+  if (port && port !== "80" && port !== "443") {
+    baseUrl += `:${port}`;
+  }
+  return `${baseUrl}/api/mcp`;
+}
+
+export function McpConfigPage() {
+  const mcpUrl = useMemo(() => getMcpUrl(), []);
+
+  const configs = {
+    "claude-code": `{
+  "mcpServers": {
+    "your-app": {
+      "type": "http",
+      "url": "${mcpUrl}"
+    }
+  }
+}`,
+    "claude-desktop": `{
+  "mcpServers": {
+    "your-app": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "${mcpUrl}"]
+    }
+  }
+}`,
+  };
+
+  // Render configuration tabs...
+}
+```
+
+**Key principles:**
+- Never hardcode domains - derive from `window.location`
+- Use `type: "http"` for Claude Code (supports Streamable HTTP natively)
+- Use `mcp-remote` bridge for Claude Desktop (requires stdio)
+
+### Summary Checklist
+
+- [ ] `/.well-known/oauth-authorization-server` returns JSON without auth
+- [ ] Middleware allows `/.well-known/` paths through without login
+- [ ] `/api/mcp/register` validates loopback redirect URIs
+- [ ] `/api/mcp/authorize` stores auth session and redirects to login
+- [ ] `/api/mcp/callback` generates auth code after login
+- [ ] `/api/mcp/token` verifies PKCE and issues tokens
+- [ ] `/api/mcp` validates origin and bearer token
+- [ ] MCP config page derives URL dynamically (no hardcoding)
+
+---
+
+## Quick Start (Entity-Driven CRUD)
 
 ```typescript
 import { createMcpServer, registerEntityTools, ok, error } from "@nocoo/base-mcp";
@@ -57,7 +369,7 @@ const ctx = { repos: createRepos(db) };
 registerEntityTools(server, productEntity, ctx);
 
 // 4. Handle HTTP requests (Hono/Cloudflare Worker example)
-app.post("/mcp", async (c) => {
+app.post("/api/mcp", async (c) => {
   const transport = new WebStandardStreamableHTTPServerTransport({
     sessionIdGenerator: undefined, // Stateless
     enableJsonResponse: true,
@@ -67,7 +379,7 @@ app.post("/mcp", async (c) => {
 });
 ```
 
-## API Reference
+---
 
 ### Server
 

package/dist/auth/index.d.ts

@@ -2,4 +2,5 @@ export { verifyPkceS256, generateCodeVerifier, generateCodeChallenge, isLoopback
 export { getOAuthMetadata, type OAuthMetadata, type OAuthMetadataOptions, } from "./oauth-metadata.js";
 export { validateOrigin, isLoopbackHost, type OriginValidationResult, } from "./origin.js";
 export { generateToken, hashToken, tokenPreview, extractBearerToken, validateMcpToken, type TokenStore, type TokenValidationResult, type TokenValidationSuccess, type TokenValidationError, } from "./token.js";
+export * from "./oauth/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,cAAc,EACd,KAAK,sBAAsB,GAC5B,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,GAC1B,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,cAAc,EACd,KAAK,sBAAsB,GAC5B,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,GAC1B,MAAM,YAAY,CAAC;AAGpB,cAAc,kBAAkB,CAAC"}

package/dist/auth/index.js

@@ -3,4 +3,6 @@ export { verifyPkceS256, generateCodeVerifier, generateCodeChallenge, isLoopback
 export { getOAuthMetadata, } from "./oauth-metadata.js";
 export { validateOrigin, isLoopbackHost, } from "./origin.js";
 export { generateToken, hashToken, tokenPreview, extractBearerToken, validateMcpToken, } from "./token.js";
+// OAuth handlers module
+export * from "./oauth/index.js";
 //# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,eAAe;AACf,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,gBAAgB,GAGjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,cAAc,GAEf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,GAKjB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,eAAe;AACf,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,gBAAgB,GAGjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,cAAc,GAEf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,GAKjB,MAAM,YAAY,CAAC;AAEpB,wBAAwB;AACxB,cAAc,kBAAkB,CAAC"}

package/dist/auth/oauth/constants.d.ts

@@ -0,0 +1,7 @@
+/** Authorization code TTL in seconds (10 minutes) */
+export declare const AUTH_CODE_TTL: number;
+/** Access token TTL in seconds (30 days) */
+export declare const ACCESS_TOKEN_TTL: number;
+/** Refresh token TTL in seconds (90 days) */
+export declare const REFRESH_TOKEN_TTL: number;
+//# sourceMappingURL=constants.d.ts.map

package/dist/auth/oauth/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../src/auth/oauth/constants.ts"],"names":[],"mappings":"AAIA,qDAAqD;AACrD,eAAO,MAAM,aAAa,QAAU,CAAC;AAErC,4CAA4C;AAC5C,eAAO,MAAM,gBAAgB,QAAoB,CAAC;AAElD,6CAA6C;AAC7C,eAAO,MAAM,iBAAiB,QAAoB,CAAC"}

package/dist/auth/oauth/constants.js

@@ -0,0 +1,10 @@
+// ---------------------------------------------------------------------------
+// OAuth Constants
+// ---------------------------------------------------------------------------
+/** Authorization code TTL in seconds (10 minutes) */
+export const AUTH_CODE_TTL = 10 * 60;
+/** Access token TTL in seconds (30 days) */
+export const ACCESS_TOKEN_TTL = 30 * 24 * 60 * 60;
+/** Refresh token TTL in seconds (90 days) */
+export const REFRESH_TOKEN_TTL = 90 * 24 * 60 * 60;
+//# sourceMappingURL=constants.js.map

package/dist/auth/oauth/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/auth/oauth/constants.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,qDAAqD;AACrD,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,GAAG,EAAE,CAAC;AAErC,4CAA4C;AAC5C,MAAM,CAAC,MAAM,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAElD,6CAA6C;AAC7C,MAAM,CAAC,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC"}

package/dist/auth/oauth/handlers/authorize.d.ts

@@ -0,0 +1,12 @@
+import type { OAuthContext, AuthorizeInput, AuthorizeResult } from "../types.js";
+/**
+ * Handle OAuth authorization request.
+ *
+ * This endpoint:
+ * 1. Validates all required parameters
+ * 2. Verifies client_id and redirect_uri
+ * 3. Stores the authorization session
+ * 4. Redirects to callback (if already logged in) or login page
+ */
+export declare function handleAuthorize(ctx: OAuthContext, input: AuthorizeInput): Promise<AuthorizeResult>;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/auth/oauth/handlers/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/authorize.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGjF;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,YAAY,EACjB,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,eAAe,CAAC,CA8F1B"}

package/dist/auth/oauth/handlers/authorize.js

@@ -0,0 +1,89 @@
+// ---------------------------------------------------------------------------
+// OAuth Authorize Handler — Authorization Endpoint
+// ---------------------------------------------------------------------------
+import { AUTH_CODE_TTL } from "../constants.js";
+/**
+ * Handle OAuth authorization request.
+ *
+ * This endpoint:
+ * 1. Validates all required parameters
+ * 2. Verifies client_id and redirect_uri
+ * 3. Stores the authorization session
+ * 4. Redirects to callback (if already logged in) or login page
+ */
+export async function handleAuthorize(ctx, input) {
+    const { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state, scope, } = input;
+    // Validate required params
+    if (!response_type ||
+        !client_id ||
+        !redirect_uri ||
+        !code_challenge ||
+        !code_challenge_method ||
+        !state) {
+        return {
+            action: "error",
+            error: "Missing required parameters: response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state",
+            status: 400,
+        };
+    }
+    if (response_type !== "code") {
+        return {
+            action: "error",
+            error: "response_type must be 'code'",
+            status: 400,
+        };
+    }
+    if (code_challenge_method !== "S256") {
+        return {
+            action: "error",
+            error: "code_challenge_method must be 'S256'",
+            status: 400,
+        };
+    }
+    // Verify client exists
+    const client = await ctx.clients.findByClientId(client_id);
+    if (!client) {
+        return {
+            action: "error",
+            error: "Unknown client_id",
+            status: 401,
+        };
+    }
+    // Verify redirect_uri matches registered URIs
+    const registeredUris = JSON.parse(client.redirect_uris);
+    if (!registeredUris.includes(redirect_uri)) {
+        return {
+            action: "error",
+            error: "redirect_uri does not match any registered URIs",
+            status: 400,
+        };
+    }
+    // Store authorization session
+    const now = Math.floor(Date.now() / 1000);
+    await ctx.authCodes.createSession({
+        state,
+        client_id,
+        redirect_uri,
+        code_challenge,
+        code_challenge_method,
+        scope: scope ?? "mcp:full",
+        expires_at: now + AUTH_CODE_TTL,
+    });
+    // Build callback URL
+    const callbackUrl = `${ctx.issuer}/api/mcp/callback?state=${encodeURIComponent(state)}`;
+    // If user already authenticated, go straight to callback
+    const isAuthenticated = await ctx.auth.isAuthenticated();
+    if (isAuthenticated) {
+        return {
+            action: "redirect_to_callback",
+            url: callbackUrl,
+        };
+    }
+    // Otherwise, redirect to login
+    const loginUrl = `${ctx.issuer}/login?callbackUrl=${encodeURIComponent(callbackUrl)}`;
+    return {
+        action: "redirect_to_login",
+        loginUrl,
+    };
+}
+//# sourceMappingURL=authorize.js.map

package/dist/auth/oauth/handlers/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/authorize.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,mDAAmD;AACnD,8EAA8E;AAG9E,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAEhD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAiB,EACjB,KAAqB;IAErB,MAAM,EACJ,aAAa,EACb,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,KAAK,EACL,KAAK,GACN,GAAG,KAAK,CAAC;IAEV,2BAA2B;IAC3B,IACE,CAAC,aAAa;QACd,CAAC,SAAS;QACV,CAAC,YAAY;QACb,CAAC,cAAc;QACf,CAAC,qBAAqB;QACtB,CAAC,KAAK,EACN,CAAC;QACD,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EACH,mHAAmH;YACrH,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;QAC7B,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,8BAA8B;YACrC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,IAAI,qBAAqB,KAAK,MAAM,EAAE,CAAC;QACrC,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,sCAAsC;YAC7C,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;IAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,mBAAmB;YAC1B,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,cAAc,GAAa,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAClE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3C,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,iDAAiD;YACxD,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,8BAA8B;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC;QAChC,KAAK;QACL,SAAS;QACT,YAAY;QACZ,cAAc;QACd,qBAAqB;QACrB,KAAK,EAAE,KAAK,IAAI,UAAU;QAC1B,UAAU,EAAE,GAAG,GAAG,aAAa;KAChC,CAAC,CAAC;IAEH,qBAAqB;IACrB,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,MAAM,2BAA2B,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAExF,yDAAyD;IACzD,MAAM,eAAe,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;IACzD,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO;YACL,MAAM,EAAE,sBAAsB;YAC9B,GAAG,EAAE,WAAW;SACjB,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,MAAM,sBAAsB,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;IACtF,OAAO;QACL,MAAM,EAAE,mBAAmB;QAC3B,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/auth/oauth/handlers/callback.d.ts

@@ -0,0 +1,13 @@
+import type { OAuthContext, CallbackInput, CallbackResult } from "../types.js";
+/**
+ * Handle OAuth callback after user authentication.
+ *
+ * This endpoint:
+ * 1. Verifies user is authenticated
+ * 2. Verifies email is allowed
+ * 3. Generates authorization code
+ * 4. Upgrades the session with the code
+ * 5. Redirects to client's redirect_uri
+ */
+export declare function handleCallback(ctx: OAuthContext, input: CallbackInput): Promise<CallbackResult>;
+//# sourceMappingURL=callback.d.ts.map

package/dist/auth/oauth/handlers/callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/callback.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG/E;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,YAAY,EACjB,KAAK,EAAE,aAAa,GACnB,OAAO,CAAC,cAAc,CAAC,CAoEzB"}

package/dist/auth/oauth/handlers/callback.js

@@ -0,0 +1,72 @@
+// ---------------------------------------------------------------------------
+// OAuth Callback Handler — Generate Authorization Code after Login
+// ---------------------------------------------------------------------------
+import { generateToken } from "../../token.js";
+import { AUTH_CODE_TTL } from "../constants.js";
+/**
+ * Handle OAuth callback after user authentication.
+ *
+ * This endpoint:
+ * 1. Verifies user is authenticated
+ * 2. Verifies email is allowed
+ * 3. Generates authorization code
+ * 4. Upgrades the session with the code
+ * 5. Redirects to client's redirect_uri
+ */
+export async function handleCallback(ctx, input) {
+    const { state } = input;
+    if (!state) {
+        return {
+            action: "error",
+            error: "Missing state parameter",
+            status: 400,
+        };
+    }
+    // Verify user is authenticated
+    const email = await ctx.auth.getEmail();
+    if (!email) {
+        return {
+            action: "error",
+            error: "Authentication required",
+            status: 401,
+        };
+    }
+    // Verify email is allowed
+    if (!ctx.auth.isEmailAllowed(email)) {
+        return {
+            action: "error",
+            error: "Email not authorized",
+            status: 403,
+        };
+    }
+    // Look up authorization session by state
+    const session = await ctx.authCodes.findByState(state);
+    if (!session) {
+        return {
+            action: "error",
+            error: "Invalid or expired authorization session",
+            status: 400,
+        };
+    }
+    // Generate authorization code (64 hex chars = 32 bytes)
+    const code = generateToken(32);
+    // Upgrade session with code and user email
+    const now = Math.floor(Date.now() / 1000);
+    const upgraded = await ctx.authCodes.upgrade(state, code, email, now + AUTH_CODE_TTL);
+    if (!upgraded) {
+        return {
+            action: "error",
+            error: "Authorization session already used or expired",
+            status: 400,
+        };
+    }
+    // Redirect to client
+    const redirectUrl = new URL(session.redirect_uri);
+    redirectUrl.searchParams.set("code", code);
+    redirectUrl.searchParams.set("state", state);
+    return {
+        action: "redirect_to_client",
+        url: redirectUrl.toString(),
+    };
+}
+//# sourceMappingURL=callback.js.map

package/dist/auth/oauth/handlers/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.js","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/callback.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAEhD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAiB,EACjB,KAAoB;IAEpB,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;IAExB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,yBAAyB;YAChC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;IACxC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,yBAAyB;YAChC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,0BAA0B;IAC1B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,sBAAsB;YAC7B,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IACvD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,0CAA0C;YACjD,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,wDAAwD;IACxD,MAAM,IAAI,GAAG,aAAa,CAAC,EAAE,CAAC,CAAC;IAE/B,2CAA2C;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,OAAO,CAC1C,KAAK,EACL,IAAI,EACJ,KAAK,EACL,GAAG,GAAG,aAAa,CACpB,CAAC;IACF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,+CAA+C;YACtD,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC3C,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAE7C,OAAO;QACL,MAAM,EAAE,oBAAoB;QAC5B,GAAG,EAAE,WAAW,CAAC,QAAQ,EAAE;KAC5B,CAAC;AACJ,CAAC"}

package/dist/auth/oauth/handlers/index.d.ts

@@ -0,0 +1,5 @@
+export { handleRegister } from "./register.js";
+export { handleAuthorize } from "./authorize.js";
+export { handleCallback } from "./callback.js";
+export { handleToken } from "./token.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/oauth/handlers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC"}

package/dist/auth/oauth/handlers/index.js

@@ -0,0 +1,8 @@
+// ---------------------------------------------------------------------------
+// OAuth Handlers Index — Export all handlers
+// ---------------------------------------------------------------------------
+export { handleRegister } from "./register.js";
+export { handleAuthorize } from "./authorize.js";
+export { handleCallback } from "./callback.js";
+export { handleToken } from "./token.js";
+//# sourceMappingURL=index.js.map

package/dist/auth/oauth/handlers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/index.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6CAA6C;AAC7C,8EAA8E;AAE9E,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC"}

package/dist/auth/oauth/handlers/register.d.ts

@@ -0,0 +1,9 @@
+import type { OAuthContext, RegisterInput, RegisterResult } from "../types.js";
+/**
+ * Handle dynamic client registration.
+ *
+ * Per RFC 7591, clients can register themselves to obtain a client_id.
+ * Only loopback redirect URIs are allowed (native CLI apps).
+ */
+export declare function handleRegister(ctx: OAuthContext, input: RegisterInput): Promise<RegisterResult>;
+//# sourceMappingURL=register.d.ts.map

package/dist/auth/oauth/handlers/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/handlers/register.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE/E;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,YAAY,EACjB,KAAK,EAAE,aAAa,GACnB,OAAO,CAAC,cAAc,CAAC,CAqDzB"}