@portel/photon 1.4.1 → 1.6.0

package/dist/serv/auth/oauth.js

@@ -0,0 +1,395 @@
+/**
+ * OAuth Flow Handler
+ *
+ * Handles OAuth 2.1 flows for:
+ * 1. SERV as authorization server (client access to SERV)
+ * 2. SERV as client (third-party OAuth for photon access)
+ */
+import { randomBytes } from 'crypto';
+import { encodeOAuthState, decodeOAuthState, generateCodeVerifier, generateCodeChallenge, } from './jwt.js';
+// Timeout for OAuth token exchange requests
+const OAUTH_TIMEOUT_MS = 30 * 1000;
+const BUILTIN_PROVIDERS = {
+    google: {
+        id: 'google',
+        name: 'Google',
+        authorizationUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
+        tokenUrl: 'https://oauth2.googleapis.com/token',
+        userInfoUrl: 'https://www.googleapis.com/oauth2/v2/userinfo',
+        scopes: ['openid', 'email', 'profile'],
+    },
+    github: {
+        id: 'github',
+        name: 'GitHub',
+        authorizationUrl: 'https://github.com/login/oauth/authorize',
+        tokenUrl: 'https://github.com/login/oauth/access_token',
+        userInfoUrl: 'https://api.github.com/user',
+        scopes: ['read:user', 'user:email'],
+    },
+    microsoft: {
+        id: 'microsoft',
+        name: 'Microsoft',
+        authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+        tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+        userInfoUrl: 'https://graph.microsoft.com/v1.0/me',
+        scopes: ['openid', 'email', 'profile', 'User.Read'],
+    },
+};
+export class OAuthProviderRegistry {
+    providers = new Map();
+    /**
+     * Register a provider with credentials
+     */
+    register(providerId, clientId, clientSecret) {
+        const builtin = BUILTIN_PROVIDERS[providerId];
+        if (builtin) {
+            this.providers.set(providerId, {
+                ...builtin,
+                clientId,
+                clientSecret,
+            });
+        }
+    }
+    /**
+     * Register a custom provider
+     */
+    registerCustom(config) {
+        this.providers.set(config.id, config);
+    }
+    /**
+     * Get a provider by ID
+     */
+    get(providerId) {
+        return this.providers.get(providerId) ?? null;
+    }
+    /**
+     * Check if a provider is registered
+     */
+    has(providerId) {
+        return this.providers.has(providerId);
+    }
+}
+// ============================================================================
+// In-Memory Elicitation Store
+// ============================================================================
+export class MemoryElicitationStore {
+    requests = new Map();
+    async create(data) {
+        const request = {
+            ...data,
+            id: randomBytes(16).toString('hex'),
+            createdAt: new Date(),
+        };
+        this.requests.set(request.id, request);
+        return request;
+    }
+    async get(id) {
+        const request = this.requests.get(id);
+        if (!request)
+            return null;
+        if (request.expiresAt.getTime() < Date.now()) {
+            this.requests.delete(id);
+            return null;
+        }
+        return request;
+    }
+    async update(id, data) {
+        const existing = this.requests.get(id);
+        if (existing) {
+            this.requests.set(id, { ...existing, ...data });
+        }
+    }
+    async delete(id) {
+        this.requests.delete(id);
+    }
+    async cleanup() {
+        const now = Date.now();
+        let count = 0;
+        for (const [id, request] of this.requests) {
+            if (request.expiresAt.getTime() < now) {
+                this.requests.delete(id);
+                count++;
+            }
+        }
+        return count;
+    }
+}
+// ============================================================================
+// In-Memory Grant Store
+// ============================================================================
+export class MemoryGrantStore {
+    grants = new Map();
+    key(tenantId, photonId, provider, userId) {
+        return `${tenantId}:${photonId}:${provider}:${userId ?? 'anonymous'}`;
+    }
+    async find(tenantId, photonId, provider, userId) {
+        const k = this.key(tenantId, photonId, provider, userId);
+        return this.grants.get(k) ?? null;
+    }
+    async create(data) {
+        const now = new Date();
+        const grant = {
+            ...data,
+            id: randomBytes(16).toString('hex'),
+            createdAt: now,
+            updatedAt: now,
+        };
+        const k = this.key(grant.tenantId, grant.photonId, grant.provider, grant.userId);
+        this.grants.set(k, grant);
+        return grant;
+    }
+    async update(id, data) {
+        for (const [key, grant] of this.grants) {
+            if (grant.id === id) {
+                this.grants.set(key, { ...grant, ...data, updatedAt: new Date() });
+                return;
+            }
+        }
+    }
+    async delete(id) {
+        for (const [key, grant] of this.grants) {
+            if (grant.id === id) {
+                this.grants.delete(key);
+                return;
+            }
+        }
+    }
+    async findByUser(tenantId, userId) {
+        const grants = [];
+        for (const grant of this.grants.values()) {
+            if (grant.tenantId === tenantId && grant.userId === userId) {
+                grants.push(grant);
+            }
+        }
+        return grants;
+    }
+}
+export class OAuthFlowHandler {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Start an OAuth elicitation flow
+     */
+    async startElicitation(session, photonId, provider, scopes) {
+        const providerConfig = this.config.providers.get(provider);
+        if (!providerConfig) {
+            throw new Error(`Unknown OAuth provider: ${provider}`);
+        }
+        // Generate PKCE
+        const codeVerifier = generateCodeVerifier();
+        const codeChallenge = generateCodeChallenge(codeVerifier);
+        // Create elicitation request
+        const elicitation = await this.config.elicitationStore.create({
+            sessionId: session.id,
+            photonId,
+            provider,
+            requiredScopes: scopes,
+            status: 'pending',
+            redirectUri: `${this.config.baseUrl}/auth/oauth/callback`,
+            codeVerifier,
+            expiresAt: new Date(Date.now() + 5 * 60 * 1000), // 5 minutes
+        });
+        // Build OAuth state
+        const state = encodeOAuthState({
+            sessionId: session.id,
+            elicitationId: elicitation.id,
+            photonId,
+            provider,
+            nonce: randomBytes(16).toString('hex'),
+            timestamp: Date.now(),
+        }, this.config.stateSecret);
+        // Build authorization URL
+        const params = new URLSearchParams({
+            client_id: providerConfig.clientId,
+            redirect_uri: elicitation.redirectUri,
+            response_type: 'code',
+            scope: scopes.join(' '),
+            state,
+            code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+        });
+        const url = `${providerConfig.authorizationUrl}?${params.toString()}`;
+        return { url, elicitationId: elicitation.id };
+    }
+    /**
+     * Handle OAuth callback
+     */
+    async handleCallback(code, state, tenantId) {
+        // Decode and verify state
+        const stateData = decodeOAuthState(state, this.config.stateSecret);
+        if (!stateData) {
+            return { success: false, error: 'Invalid or expired state' };
+        }
+        // Get elicitation request
+        const elicitation = await this.config.elicitationStore.get(stateData.elicitationId);
+        if (!elicitation) {
+            return { success: false, error: 'Elicitation request not found or expired' };
+        }
+        if (elicitation.status !== 'pending') {
+            return { success: false, error: 'Elicitation already processed' };
+        }
+        // Get provider
+        const providerConfig = this.config.providers.get(elicitation.provider);
+        if (!providerConfig) {
+            return { success: false, error: 'Provider not configured' };
+        }
+        // Exchange code for tokens
+        try {
+            const tokens = await this.exchangeCode(providerConfig, code, elicitation.redirectUri, elicitation.codeVerifier);
+            // Encrypt and store tokens
+            const accessTokenEncrypted = await this.config.tokenVault.encrypt(tenantId, tokens.accessToken);
+            const refreshTokenEncrypted = tokens.refreshToken
+                ? await this.config.tokenVault.encrypt(tenantId, tokens.refreshToken)
+                : undefined;
+            // Check for existing grant
+            // Note: userId is undefined here as grants are scoped to tenant+photon+provider
+            // User-scoped grants would require session-based auth which isn't implemented yet
+            const existingGrant = await this.config.grantStore.find(tenantId, elicitation.photonId, elicitation.provider, undefined);
+            if (existingGrant) {
+                await this.config.grantStore.update(existingGrant.id, {
+                    accessTokenEncrypted,
+                    refreshTokenEncrypted,
+                    scopes: elicitation.requiredScopes,
+                    tokenExpiresAt: new Date(Date.now() + tokens.expiresIn * 1000),
+                });
+            }
+            else {
+                await this.config.grantStore.create({
+                    tenantId,
+                    photonId: elicitation.photonId,
+                    provider: elicitation.provider,
+                    scopes: elicitation.requiredScopes,
+                    accessTokenEncrypted,
+                    refreshTokenEncrypted,
+                    tokenExpiresAt: new Date(Date.now() + tokens.expiresIn * 1000),
+                });
+            }
+            // Mark elicitation as completed
+            await this.config.elicitationStore.update(elicitation.id, {
+                status: 'completed',
+            });
+            return { success: true };
+        }
+        catch (err) {
+            await this.config.elicitationStore.update(elicitation.id, {
+                status: 'cancelled',
+            });
+            return {
+                success: false,
+                error: err instanceof Error ? err.message : 'Token exchange failed',
+            };
+        }
+    }
+    /**
+     * Check if a grant exists and is valid
+     */
+    async checkGrant(tenantId, photonId, provider, requiredScopes, userId) {
+        const grant = await this.config.grantStore.find(tenantId, photonId, provider, userId);
+        if (!grant) {
+            return { valid: false };
+        }
+        // Check scopes
+        const hasAllScopes = requiredScopes.every((s) => grant.scopes.includes(s));
+        if (!hasAllScopes) {
+            return { valid: false };
+        }
+        // Check expiry (with 5 minute buffer)
+        if (grant.tokenExpiresAt.getTime() < Date.now() + 5 * 60 * 1000) {
+            // Try to refresh
+            if (grant.refreshTokenEncrypted) {
+                const refreshed = await this.refreshGrant(grant);
+                if (refreshed) {
+                    const token = await this.config.tokenVault.decrypt(tenantId, refreshed.accessTokenEncrypted);
+                    return { valid: true, token };
+                }
+            }
+            return { valid: false };
+        }
+        const token = await this.config.tokenVault.decrypt(tenantId, grant.accessTokenEncrypted);
+        return { valid: true, token };
+    }
+    /**
+     * Exchange authorization code for tokens
+     */
+    async exchangeCode(provider, code, redirectUri, codeVerifier) {
+        const response = await fetch(provider.tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: new URLSearchParams({
+                grant_type: 'authorization_code',
+                client_id: provider.clientId,
+                client_secret: provider.clientSecret,
+                code,
+                redirect_uri: redirectUri,
+                code_verifier: codeVerifier,
+            }).toString(),
+            signal: AbortSignal.timeout(OAUTH_TIMEOUT_MS),
+        });
+        if (!response.ok) {
+            const error = await response.text();
+            throw new Error(`Token exchange failed: ${error}`);
+        }
+        const data = (await response.json());
+        return {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            tokenType: data.token_type ?? 'Bearer',
+            expiresIn: data.expires_in ?? 3600,
+            scope: data.scope,
+        };
+    }
+    /**
+     * Refresh an expired grant
+     */
+    async refreshGrant(grant) {
+        if (!grant.refreshTokenEncrypted)
+            return null;
+        const provider = this.config.providers.get(grant.provider);
+        if (!provider)
+            return null;
+        try {
+            const refreshToken = await this.config.tokenVault.decrypt(grant.tenantId, grant.refreshTokenEncrypted);
+            const response = await fetch(provider.tokenUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    Accept: 'application/json',
+                },
+                body: new URLSearchParams({
+                    grant_type: 'refresh_token',
+                    client_id: provider.clientId,
+                    client_secret: provider.clientSecret,
+                    refresh_token: refreshToken,
+                }).toString(),
+                signal: AbortSignal.timeout(OAUTH_TIMEOUT_MS),
+            });
+            if (!response.ok)
+                return null;
+            const data = (await response.json());
+            const accessTokenEncrypted = await this.config.tokenVault.encrypt(grant.tenantId, data.access_token);
+            const refreshTokenEncrypted = data.refresh_token
+                ? await this.config.tokenVault.encrypt(grant.tenantId, data.refresh_token)
+                : grant.refreshTokenEncrypted;
+            await this.config.grantStore.update(grant.id, {
+                accessTokenEncrypted,
+                refreshTokenEncrypted,
+                tokenExpiresAt: new Date(Date.now() + (data.expires_in ?? 3600) * 1000),
+            });
+            return {
+                ...grant,
+                accessTokenEncrypted,
+                refreshTokenEncrypted,
+                tokenExpiresAt: new Date(Date.now() + (data.expires_in ?? 3600) * 1000),
+            };
+        }
+        catch {
+            return null; // token exchange failed
+        }
+    }
+}
+//# sourceMappingURL=oauth.js.map

package/dist/serv/auth/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../../src/serv/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAc,MAAM,QAAQ,CAAC;AASjD,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,UAAU,CAAC;AAGlB,4CAA4C;AAC5C,MAAM,gBAAgB,GAAG,EAAE,GAAG,IAAI,CAAC;AAiBnC,MAAM,iBAAiB,GAA2E;IAChG,MAAM,EAAE;QACN,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,QAAQ;QACd,gBAAgB,EAAE,8CAA8C;QAChE,QAAQ,EAAE,qCAAqC;QAC/C,WAAW,EAAE,+CAA+C;QAC5D,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;KACvC;IACD,MAAM,EAAE;QACN,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,QAAQ;QACd,gBAAgB,EAAE,0CAA0C;QAC5D,QAAQ,EAAE,6CAA6C;QACvD,WAAW,EAAE,6BAA6B;QAC1C,MAAM,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;KACpC;IACD,SAAS,EAAE;QACT,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,WAAW;QACjB,gBAAgB,EAAE,gEAAgE;QAClF,QAAQ,EAAE,4DAA4D;QACtE,WAAW,EAAE,qCAAqC;QAClD,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC;KACpD;CACF,CAAC;AAEF,MAAM,OAAO,qBAAqB;IACxB,SAAS,GAAqC,IAAI,GAAG,EAAE,CAAC;IAEhE;;OAEG;IACH,QAAQ,CAAC,UAAkB,EAAE,QAAgB,EAAE,YAAoB;QACjE,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAC9C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE;gBAC7B,GAAG,OAAO;gBACV,QAAQ;gBACR,YAAY;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,MAA2B;QACxC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,UAAkB;QACpB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,UAAkB;QACpB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;CACF;AAcD,+EAA+E;AAC/E,8BAA8B;AAC9B,+EAA+E;AAE/E,MAAM,OAAO,sBAAsB;IACzB,QAAQ,GAAoC,IAAI,GAAG,EAAE,CAAC;IAE9D,KAAK,CAAC,MAAM,CAAC,IAAkD;QAC7D,MAAM,OAAO,GAAuB;YAClC,GAAG,IAAI;YACP,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QACvC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC1B,IAAI,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC7C,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,IAAiC;QACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1C,IAAI,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;gBACtC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,KAAK,EAAE,CAAC;YACV,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAmBD,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E,MAAM,OAAO,gBAAgB;IACnB,MAAM,GAA6B,IAAI,GAAG,EAAE,CAAC;IAE7C,GAAG,CAAC,QAAgB,EAAE,QAAgB,EAAE,QAAgB,EAAE,MAAe;QAC/E,OAAO,GAAG,QAAQ,IAAI,QAAQ,IAAI,QAAQ,IAAI,MAAM,IAAI,WAAW,EAAE,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,IAAI,CACR,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,MAAe;QAEf,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAyD;QACpE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAgB;YACzB,GAAG,IAAI;YACP,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACf,CAAC;QACF,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACjF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,IAA0B;QACjD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACvC,IAAI,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,KAAK,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;gBACnE,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACvC,IAAI,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACxB,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,QAAgB,EAAE,MAAc;QAC/C,MAAM,MAAM,GAAkB,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;YACzC,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAqBD,MAAM,OAAO,gBAAgB;IACnB,MAAM,CAAkB;IAEhC,YAAY,MAAuB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,OAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,MAAgB;QAEhB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,gBAAgB;QAChB,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAE1D,6BAA6B;QAC7B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC;YAC5D,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,QAAQ;YACR,QAAQ;YACR,cAAc,EAAE,MAAM;YACtB,MAAM,EAAE,SAAS;YACjB,WAAW,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,sBAAsB;YACzD,YAAY;YACZ,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,YAAY;SAC9D,CAAC,CAAC;QAEH,oBAAoB;QACpB,MAAM,KAAK,GAAG,gBAAgB,CAC5B;YACE,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,aAAa,EAAE,WAAW,CAAC,EAAE;YAC7B,QAAQ;YACR,QAAQ;YACR,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,EACD,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;QAEF,0BAA0B;QAC1B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,cAAc,CAAC,QAAQ;YAClC,YAAY,EAAE,WAAW,CAAC,WAAW;YACrC,aAAa,EAAE,MAAM;YACrB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,KAAK;YACL,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,MAAM;SAC9B,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,GAAG,cAAc,CAAC,gBAAgB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEtE,OAAO,EAAE,GAAG,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,IAAY,EACZ,KAAa,EACb,QAAgB;QAEhB,0BAA0B;QAC1B,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;QAC/D,CAAC;QAED,0BAA0B;QAC1B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACpF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;QAC/E,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACrC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QACpE,CAAC;QAED,eAAe;QACf,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACvE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CACpC,cAAc,EACd,IAAI,EACJ,WAAW,CAAC,WAAW,EACvB,WAAW,CAAC,YAAa,CAC1B,CAAC;YAEF,2BAA2B;YAC3B,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAC/D,QAAQ,EACR,MAAM,CAAC,WAAW,CACnB,CAAC;YACF,MAAM,qBAAqB,GAAG,MAAM,CAAC,YAAY;gBAC/C,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,CAAC;gBACrE,CAAC,CAAC,SAAS,CAAC;YAEd,2BAA2B;YAC3B,gFAAgF;YAChF,kFAAkF;YAClF,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CACrD,QAAQ,EACR,WAAW,CAAC,QAAQ,EACpB,WAAW,CAAC,QAAQ,EACpB,SAAS,CACV,CAAC;YAEF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE;oBACpD,oBAAoB;oBACpB,qBAAqB;oBACrB,MAAM,EAAE,WAAW,CAAC,cAAc;oBAClC,cAAc,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;iBAC/D,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;oBAClC,QAAQ;oBACR,QAAQ,EAAE,WAAW,CAAC,QAAQ;oBAC9B,QAAQ,EAAE,WAAW,CAAC,QAAQ;oBAC9B,MAAM,EAAE,WAAW,CAAC,cAAc;oBAClC,oBAAoB;oBACpB,qBAAqB;oBACrB,cAAc,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;iBAC/D,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE;gBACxD,MAAM,EAAE,WAAW;aACpB,CAAC,CAAC;YAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE;gBACxD,MAAM,EAAE,WAAW;aACpB,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB;aACpE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,cAAwB,EACxB,MAAe;QAEf,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEtF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;QAED,eAAe;QACf,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;QAED,sCAAsC;QACtC,IAAI,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YAChE,iBAAiB;YACjB,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;gBAChC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;gBACjD,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAChD,QAAQ,EACR,SAAS,CAAC,oBAAoB,CAC/B,CAAC;oBACF,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;gBAChC,CAAC;YACH,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACzF,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CACxB,QAA6B,EAC7B,IAAY,EACZ,WAAmB,EACnB,YAAoB;QAEpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,SAAS,EAAE,QAAQ,CAAC,QAAQ;gBAC5B,aAAa,EAAE,QAAQ,CAAC,YAAY;gBACpC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,YAAY;aAC5B,CAAC,CAAC,QAAQ,EAAE;YACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMlC,CAAC;QACF,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,QAAQ;YACtC,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI;YAClC,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CAAC,KAAkB;QAC3C,IAAI,CAAC,KAAK,CAAC,qBAAqB;YAAE,OAAO,IAAI,CAAC;QAE9C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CACvD,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,qBAAqB,CAC5B,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE;gBAC9C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,SAAS,EAAE,QAAQ,CAAC,QAAQ;oBAC5B,aAAa,EAAE,QAAQ,CAAC,YAAY;oBACpC,aAAa,EAAE,YAAY;iBAC5B,CAAC,CAAC,QAAQ,EAAE;gBACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC;aAC9C,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAC;YAE9B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAC;YACF,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAC/D,KAAK,CAAC,QAAQ,EACd,IAAI,CAAC,YAAY,CAClB,CAAC;YACF,MAAM,qBAAqB,GAAG,IAAI,CAAC,aAAa;gBAC9C,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC;gBAC1E,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC;YAEhC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE;gBAC5C,oBAAoB;gBACpB,qBAAqB;gBACrB,cAAc,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC;aACxE,CAAC,CAAC;YAEH,OAAO;gBACL,GAAG,KAAK;gBACR,oBAAoB;gBACpB,qBAAqB;gBACrB,cAAc,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC;aACxE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,wBAAwB;QACvC,CAAC;IACH,CAAC;CACF"}

package/dist/serv/auth/well-known.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Well-Known Endpoints
+ *
+ * Implements RFC 9728 (Protected Resource Metadata) and RFC 8414 (Authorization Server Metadata)
+ */
+import type { ProtectedResourceMetadata, AuthorizationServerMetadata, Tenant } from '../types/index.js';
+export interface WellKnownConfig {
+    /** Base URL for SERV (e.g., 'https://serv.example.com') */
+    baseUrl: string;
+    /** Scopes supported by SERV */
+    scopesSupported?: string[];
+    /** Documentation URL */
+    documentationUrl?: string;
+}
+/**
+ * Generate protected resource metadata for a tenant
+ */
+export declare function generateProtectedResourceMetadata(config: WellKnownConfig, tenant: Tenant): ProtectedResourceMetadata;
+/**
+ * Generate authorization server metadata for a tenant
+ */
+export declare function generateAuthServerMetadata(config: WellKnownConfig, tenant: Tenant): AuthorizationServerMetadata;
+export interface ClientMetadataDocument {
+    client_id: string;
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    redirect_uris: string[];
+    grant_types?: string[];
+    response_types?: string[];
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+}
+/**
+ * Fetch and validate a Client ID Metadata Document
+ */
+export declare function fetchClientMetadata(clientId: string): Promise<ClientMetadataDocument | null>;
+/**
+ * Handle /.well-known/oauth-protected-resource request
+ */
+export declare function handleProtectedResourceRequest(config: WellKnownConfig, tenant: Tenant): {
+    status: number;
+    headers: Record<string, string>;
+    body: string;
+};
+/**
+ * Handle /.well-known/oauth-authorization-server request
+ */
+export declare function handleAuthServerRequest(config: WellKnownConfig, tenant: Tenant): {
+    status: number;
+    headers: Record<string, string>;
+    body: string;
+};
+/**
+ * Generate WWW-Authenticate header for 401 responses
+ */
+export declare function generateWwwAuthenticate(baseUrl: string, tenant: Tenant, error?: string, errorDescription?: string): string;
+//# sourceMappingURL=well-known.d.ts.map

package/dist/serv/auth/well-known.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"well-known.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/well-known.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,yBAAyB,EACzB,2BAA2B,EAC3B,MAAM,EACP,MAAM,mBAAmB,CAAC;AAS3B,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,OAAO,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,wBAAwB;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD;;GAEG;AACH,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,yBAAyB,CAU3B;AAMD;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,2BAA2B,CA0B7B;AAMD,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,CA6BxC;AA+BD;;GAEG;AACH,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAWnE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAWnE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,GACxB,MAAM,CAeR"}

package/dist/serv/auth/well-known.js

@@ -0,0 +1,154 @@
+/**
+ * Well-Known Endpoints
+ *
+ * Implements RFC 9728 (Protected Resource Metadata) and RFC 8414 (Authorization Server Metadata)
+ */
+// Timeout for fetching client metadata
+const FETCH_TIMEOUT_MS = 10 * 1000;
+// ============================================================================
+// Protected Resource Metadata (RFC 9728)
+// ============================================================================
+/**
+ * Generate protected resource metadata for a tenant
+ */
+export function generateProtectedResourceMetadata(config, tenant) {
+    const resourceUri = buildResourceUri(config.baseUrl, tenant);
+    const authServerUri = buildAuthServerUri(config.baseUrl, tenant);
+    return {
+        resource: resourceUri,
+        authorization_servers: [authServerUri],
+        bearer_methods_supported: ['header'],
+        resource_documentation: config.documentationUrl,
+    };
+}
+// ============================================================================
+// Authorization Server Metadata (RFC 8414)
+// ============================================================================
+/**
+ * Generate authorization server metadata for a tenant
+ */
+export function generateAuthServerMetadata(config, tenant) {
+    const baseUri = buildTenantUri(config.baseUrl, tenant);
+    return {
+        issuer: baseUri,
+        authorization_endpoint: `${baseUri}/authorize`,
+        token_endpoint: `${baseUri}/token`,
+        registration_endpoint: `${baseUri}/register`,
+        jwks_uri: `${config.baseUrl}/.well-known/jwks.json`,
+        scopes_supported: config.scopesSupported ?? [
+            'openid',
+            'profile',
+            'email',
+            'mcp:read',
+            'mcp:write',
+            'mcp:admin',
+        ],
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token', 'client_credentials'],
+        code_challenge_methods_supported: ['S256'],
+        token_endpoint_auth_methods_supported: [
+            'client_secret_basic',
+            'client_secret_post',
+            'none', // For public clients
+        ],
+    };
+}
+/**
+ * Fetch and validate a Client ID Metadata Document
+ */
+export async function fetchClientMetadata(clientId) {
+    // Client ID should be a URL for CIMD
+    if (!clientId.startsWith('https://')) {
+        return null;
+    }
+    try {
+        const response = await fetch(clientId, {
+            headers: { Accept: 'application/json' },
+            signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+        });
+        if (!response.ok)
+            return null;
+        const metadata = (await response.json());
+        // Validate required fields
+        if (!metadata.client_id || metadata.client_id !== clientId) {
+            return null;
+        }
+        if (!metadata.redirect_uris || metadata.redirect_uris.length === 0) {
+            return null;
+        }
+        return metadata;
+    }
+    catch {
+        return null; // discovery endpoint unreachable
+    }
+}
+// ============================================================================
+// URI Builders
+// ============================================================================
+function buildResourceUri(baseUrl, tenant) {
+    if (tenant.settings.customDomain) {
+        return `https://${tenant.settings.customDomain}/mcp`;
+    }
+    return `${baseUrl}/tenant/${tenant.slug}/mcp`;
+}
+function buildAuthServerUri(baseUrl, tenant) {
+    if (tenant.settings.customDomain) {
+        return `https://${tenant.settings.customDomain}`;
+    }
+    return `${baseUrl}/tenant/${tenant.slug}`;
+}
+function buildTenantUri(baseUrl, tenant) {
+    if (tenant.settings.customDomain) {
+        return `https://${tenant.settings.customDomain}`;
+    }
+    return `${baseUrl}/tenant/${tenant.slug}`;
+}
+// ============================================================================
+// HTTP Handler Helpers
+// ============================================================================
+/**
+ * Handle /.well-known/oauth-protected-resource request
+ */
+export function handleProtectedResourceRequest(config, tenant) {
+    const metadata = generateProtectedResourceMetadata(config, tenant);
+    return {
+        status: 200,
+        headers: {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        },
+        body: JSON.stringify(metadata, null, 2),
+    };
+}
+/**
+ * Handle /.well-known/oauth-authorization-server request
+ */
+export function handleAuthServerRequest(config, tenant) {
+    const metadata = generateAuthServerMetadata(config, tenant);
+    return {
+        status: 200,
+        headers: {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        },
+        body: JSON.stringify(metadata, null, 2),
+    };
+}
+/**
+ * Generate WWW-Authenticate header for 401 responses
+ */
+export function generateWwwAuthenticate(baseUrl, tenant, error, errorDescription) {
+    const parts = [
+        'Bearer',
+        `realm="${tenant.slug}"`,
+        `resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`,
+    ];
+    if (error) {
+        parts.push(`error="${error}"`);
+        if (errorDescription) {
+            parts.push(`error_description="${errorDescription}"`);
+        }
+    }
+    return parts.join(', ');
+}
+//# sourceMappingURL=well-known.js.map

package/dist/serv/auth/well-known.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"well-known.js","sourceRoot":"","sources":["../../../src/serv/auth/well-known.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,uCAAuC;AACvC,MAAM,gBAAgB,GAAG,EAAE,GAAG,IAAI,CAAC;AAenC,+EAA+E;AAC/E,yCAAyC;AACzC,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,iCAAiC,CAC/C,MAAuB,EACvB,MAAc;IAEd,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAEjE,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,qBAAqB,EAAE,CAAC,aAAa,CAAC;QACtC,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,sBAAsB,EAAE,MAAM,CAAC,gBAAgB;KAChD,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,2CAA2C;AAC3C,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAAuB,EACvB,MAAc;IAEd,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAEvD,OAAO;QACL,MAAM,EAAE,OAAO;QACf,sBAAsB,EAAE,GAAG,OAAO,YAAY;QAC9C,cAAc,EAAE,GAAG,OAAO,QAAQ;QAClC,qBAAqB,EAAE,GAAG,OAAO,WAAW;QAC5C,QAAQ,EAAE,GAAG,MAAM,CAAC,OAAO,wBAAwB;QACnD,gBAAgB,EAAE,MAAM,CAAC,eAAe,IAAI;YAC1C,QAAQ;YACR,SAAS;YACT,OAAO;YACP,UAAU;YACV,WAAW;YACX,WAAW;SACZ;QACD,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,EAAE,oBAAoB,CAAC;QACpF,gCAAgC,EAAE,CAAC,MAAM,CAAC;QAC1C,qCAAqC,EAAE;YACrC,qBAAqB;YACrB,oBAAoB;YACpB,MAAM,EAAE,qBAAqB;SAC9B;KACF,CAAC;AACJ,CAAC;AAoBD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB;IAEhB,qCAAqC;IACrC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2B,CAAC;QAEnE,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E,SAAS,gBAAgB,CAAC,OAAe,EAAE,MAAc;IACvD,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QACjC,OAAO,WAAW,MAAM,CAAC,QAAQ,CAAC,YAAY,MAAM,CAAC;IACvD,CAAC;IACD,OAAO,GAAG,OAAO,WAAW,MAAM,CAAC,IAAI,MAAM,CAAC;AAChD,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe,EAAE,MAAc;IACzD,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QACjC,OAAO,WAAW,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,GAAG,OAAO,WAAW,MAAM,CAAC,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,MAAc;IACrD,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QACjC,OAAO,WAAW,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,GAAG,OAAO,WAAW,MAAM,CAAC,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,MAAuB,EACvB,MAAc;IAEd,MAAM,QAAQ,GAAG,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,sBAAsB;SACxC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;KACxC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAuB,EACvB,MAAc;IAEd,MAAM,QAAQ,GAAG,0BAA0B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE5D,OAAO;QACL,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,sBAAsB;SACxC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;KACxC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAAe,EACf,MAAc,EACd,KAAc,EACd,gBAAyB;IAEzB,MAAM,KAAK,GAAG;QACZ,QAAQ;QACR,UAAU,MAAM,CAAC,IAAI,GAAG;QACxB,sBAAsB,OAAO,wCAAwC;KACtE,CAAC;IAEF,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,CAAC,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC,CAAC;QAC/B,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,CAAC,IAAI,CAAC,sBAAsB,gBAAgB,GAAG,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}