@prmichaelsen/mcp-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 prmichaelsen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,195 @@
+# @prmichaelsen/mcp-auth
+
+Authentication and multi-tenancy framework for MCP (Model Context Protocol) servers.
+
+## Overview
+
+`@prmichaelsen/mcp-auth` provides a pluggable authentication system for MCP servers, enabling:
+
+- **Multi-tenancy**: Multiple users with separate resource tokens
+- **Auth-agnostic**: Support for JWT, OAuth, API Keys, or custom auth schemes
+- **Transport-agnostic**: Works with stdio, HTTP, and SSE transports
+- **Type-safe**: Full TypeScript support
+- **Composable**: Middleware for rate limiting, logging, etc.
+
+## Installation
+
+```bash
+npm install @prmichaelsen/mcp-auth @modelcontextprotocol/sdk
+```
+
+## Quick Start
+
+### Simple Function-Based Tool
+
+```typescript
+import { withAuth, AuthenticatedMCPServer } from '@prmichaelsen/mcp-auth';
+import { EnvAuthProvider, SimpleTokenResolver } from '@prmichaelsen/mcp-auth/providers/env';
+
+// Setup auth provider
+const authProvider = new EnvAuthProvider();
+const tokenResolver = new SimpleTokenResolver({ tokenEnvVar: 'API_TOKEN' });
+
+// Create server
+const server = new AuthenticatedMCPServer({
+  name: 'my-mcp-server',
+  authProvider,
+  tokenResolver,
+  resourceType: 'myapi',
+  transport: { type: 'stdio' }
+});
+
+// Register tool with automatic auth
+server.registerTool('get_data', withAuth(async (args, accessToken, userId) => {
+  // accessToken and userId are automatically injected
+  const client = new MyAPIClient(accessToken);
+  return client.getData(args);
+}));
+
+await server.start();
+```
+
+### Class-Based Tool
+
+```typescript
+import { Tool, AuthenticatedTool } from '@prmichaelsen/mcp-auth';
+
+class GetDataTool implements Tool {
+  name = 'get_data';
+  description = 'Fetch data from API';
+  
+  async execute(args, accessToken, userId) {
+    const client = new MyAPIClient(accessToken);
+    return client.getData(args);
+  }
+}
+
+server.registerTool(new AuthenticatedTool(new GetDataTool()));
+```
+
+## Authentication Providers
+
+### Environment Variable (Simple)
+
+```typescript
+import { EnvAuthProvider, SimpleTokenResolver } from '@prmichaelsen/mcp-auth/providers/env';
+
+const authProvider = new EnvAuthProvider();
+const tokenResolver = new SimpleTokenResolver({ tokenEnvVar: 'API_TOKEN' });
+```
+
+### JWT (Multi-tenant)
+
+```typescript
+import { JWTAuthProvider } from '@prmichaelsen/mcp-auth/providers/jwt';
+
+const authProvider = new JWTAuthProvider({
+  jwtSecret: process.env.JWT_SECRET,
+  database: {
+    host: 'localhost',
+    database: 'users'
+  }
+});
+```
+
+### OAuth 2.0
+
+```typescript
+import { OAuthProvider } from '@prmichaelsen/mcp-auth/providers/oauth';
+
+const authProvider = new OAuthProvider({
+  authorizationUrl: 'https://auth.example.com/authorize',
+  tokenUrl: 'https://auth.example.com/token',
+  clientId: process.env.OAUTH_CLIENT_ID,
+  clientSecret: process.env.OAUTH_CLIENT_SECRET
+});
+```
+
+### Custom Provider
+
+```typescript
+import { AuthProvider, AuthResult, RequestContext } from '@prmichaelsen/mcp-auth';
+
+class CustomAuthProvider implements AuthProvider {
+  async authenticate(context: RequestContext): Promise<AuthResult> {
+    // Your custom auth logic
+    const apiKey = context.headers?.['x-api-key'];
+    
+    if (!apiKey) {
+      return { authenticated: false, error: 'No API key' };
+    }
+    
+    // Validate and return user ID
+    return {
+      authenticated: true,
+      userId: 'user-123'
+    };
+  }
+}
+```
+
+## Middleware Composition
+
+```typescript
+import { compose, withAuth, withRateLimit, withLogging } from '@prmichaelsen/mcp-auth';
+
+const getTool = compose(
+  withLogging(),
+  withRateLimit({ maxRequests: 100, windowMs: 60000 }),
+  withAuth(),
+  async (args, accessToken, userId) => {
+    // Your tool logic
+  }
+);
+
+server.registerTool('get_data', getTool);
+```
+
+## Transports
+
+### Stdio (Local)
+
+```typescript
+const server = new AuthenticatedMCPServer({
+  // ...
+  transport: { type: 'stdio' }
+});
+```
+
+### HTTP/SSE (Remote)
+
+```typescript
+const server = new AuthenticatedMCPServer({
+  // ...
+  transport: {
+    type: 'sse',
+    port: 3000,
+    host: '0.0.0.0',
+    basePath: '/mcp'
+  }
+});
+```
+
+## Documentation
+
+See the [`agent/`](./agent/) directory for detailed architecture documentation:
+
+- [`multi-tenant-architecture.md`](./agent/multi-tenant-architecture.md) - Overall architecture and auth schemes
+- [`lib-structure.md`](./agent/lib-structure.md) - Package structure and design
+- [`tool-patterns.md`](./agent/tool-patterns.md) - Tool registration patterns
+
+## Examples
+
+See the [`examples/`](./examples/) directory for complete examples:
+
+- `simple-stdio/` - Single-user stdio server
+- `jwt-multi-tenant/` - Multi-tenant JWT server
+- `oauth-server/` - OAuth authentication flow
+
+## License
+
+MIT
+
+## Contributing
+
+Contributions welcome! Please see [CONTRIBUTING.md](./CONTRIBUTING.md) for details.

package/dist/auth/base-provider.js

@@ -0,0 +1,173 @@
+import { createLogger } from "../utils/logger.js";
+class BaseAuthProvider {
+  config;
+  logger;
+  authCache;
+  constructor(config = {}) {
+    this.config = {
+      errorMessages: {
+        noAuth: "No authentication credentials provided",
+        invalidAuth: "Invalid authentication credentials",
+        expiredAuth: "Authentication credentials have expired",
+        ...config.errorMessages
+      },
+      cacheResults: config.cacheResults ?? false,
+      cacheTtl: config.cacheTtl ?? 6e4
+      // 1 minute default
+    };
+    this.logger = createLogger({ enabled: true, level: "info" });
+    this.authCache = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Authenticate a request
+   * Implements caching if enabled
+   */
+  async authenticate(context) {
+    try {
+      const cacheKey = this.getCacheKey(context);
+      if (this.config.cacheResults && cacheKey) {
+        const cached = this.authCache.get(cacheKey);
+        if (cached && cached.expiresAt > Date.now()) {
+          this.logger.debug("Authentication result retrieved from cache", {
+            cacheKey,
+            userId: cached.result.userId
+          });
+          return cached.result;
+        }
+      }
+      const result = await this.doAuthenticate(context);
+      if (result.authenticated && this.config.cacheResults && cacheKey) {
+        this.authCache.set(cacheKey, {
+          result,
+          expiresAt: Date.now() + (this.config.cacheTtl ?? 6e4)
+        });
+        this.logger.debug("Authentication result cached", {
+          cacheKey,
+          userId: result.userId,
+          ttl: this.config.cacheTtl
+        });
+      }
+      if (result.authenticated) {
+        this.logger.info("Authentication successful", {
+          userId: result.userId,
+          transport: context.transport
+        });
+      } else {
+        this.logger.warn("Authentication failed", {
+          error: result.error,
+          transport: context.transport
+        });
+      }
+      return result;
+    } catch (error) {
+      this.logger.error("Authentication error", error, {
+        transport: context.transport
+      });
+      return {
+        authenticated: false,
+        error: error instanceof Error ? error.message : "Authentication failed"
+      };
+    }
+  }
+  /**
+   * Generate cache key from request context
+   * Override this to customize caching behavior
+   */
+  getCacheKey(context) {
+    const authHeader = context.headers?.["authorization"];
+    if (typeof authHeader === "string") {
+      return authHeader;
+    }
+    return null;
+  }
+  /**
+   * Extract authorization header from context
+   */
+  getAuthorizationHeader(context) {
+    const authHeader = context.headers?.["authorization"];
+    if (typeof authHeader === "string") {
+      return authHeader;
+    }
+    if (Array.isArray(authHeader) && authHeader.length > 0) {
+      return authHeader[0];
+    }
+    return null;
+  }
+  /**
+   * Extract bearer token from authorization header
+   */
+  extractBearerToken(context) {
+    const authHeader = this.getAuthorizationHeader(context);
+    if (!authHeader) {
+      return null;
+    }
+    const parts = authHeader.split(" ");
+    if (parts.length === 2 && parts[0].toLowerCase() === "bearer") {
+      return parts[1];
+    }
+    return null;
+  }
+  /**
+   * Create authentication failure result
+   */
+  createFailureResult(error) {
+    return {
+      authenticated: false,
+      error
+    };
+  }
+  /**
+   * Create authentication success result
+   */
+  createSuccessResult(userId, metadata) {
+    return {
+      authenticated: true,
+      userId,
+      metadata
+    };
+  }
+  /**
+   * Optional: Initialize the provider
+   */
+  async initialize() {
+    this.logger.info("Authentication provider initialized", {
+      provider: this.constructor.name,
+      cacheEnabled: this.config.cacheResults
+    });
+  }
+  /**
+   * Optional: Cleanup resources
+   */
+  async cleanup() {
+    this.authCache.clear();
+    this.logger.info("Authentication provider cleaned up", {
+      provider: this.constructor.name
+    });
+  }
+  /**
+   * Optional: Validate provider configuration
+   */
+  async validate() {
+    return true;
+  }
+  /**
+   * Clear authentication cache
+   */
+  clearCache() {
+    this.authCache.clear();
+    this.logger.debug("Authentication cache cleared");
+  }
+  /**
+   * Get cache statistics
+   */
+  getCacheStats() {
+    return {
+      size: this.authCache.size,
+      keys: Array.from(this.authCache.keys())
+    };
+  }
+}
+export {
+  BaseAuthProvider
+};
+//# sourceMappingURL=base-provider.js.map

package/dist/auth/base-provider.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/auth/base-provider.ts"],
+  "sourcesContent": ["/**\n * Base authentication provider implementation\n * \n * Provides common functionality for authentication providers.\n */\n\nimport type { AuthProvider, AuthProviderConfig } from './types.js';\nimport type { RequestContext, AuthResult } from '../types.js';\nimport { AuthenticationError } from '../utils/errors.js';\nimport { createLogger, type Logger } from '../utils/logger.js';\n\n/**\n * Abstract base class for authentication providers\n * \n * Provides common functionality like caching, logging, and error handling.\n * Extend this class to implement custom authentication logic.\n * \n * @example\n * ```typescript\n * class MyAuthProvider extends BaseAuthProvider {\n *   protected async doAuthenticate(context: RequestContext): Promise<AuthResult> {\n *     // Your authentication logic here\n *     return { authenticated: true, userId: 'user-123' };\n *   }\n * }\n * ```\n */\nexport abstract class BaseAuthProvider implements AuthProvider {\n  protected config: AuthProviderConfig;\n  protected logger: Logger;\n  private authCache: Map<string, { result: AuthResult; expiresAt: number }>;\n  \n  constructor(config: AuthProviderConfig = {}) {\n    this.config = {\n      errorMessages: {\n        noAuth: 'No authentication credentials provided',\n        invalidAuth: 'Invalid authentication credentials',\n        expiredAuth: 'Authentication credentials have expired',\n        ...config.errorMessages\n      },\n      cacheResults: config.cacheResults ?? false,\n      cacheTtl: config.cacheTtl ?? 60000 // 1 minute default\n    };\n    \n    this.logger = createLogger({ enabled: true, level: 'info' });\n    this.authCache = new Map();\n  }\n  \n  /**\n   * Authenticate a request\n   * Implements caching if enabled\n   */\n  async authenticate(context: RequestContext): Promise<AuthResult> {\n    try {\n      // Generate cache key from context\n      const cacheKey = this.getCacheKey(context);\n      \n      // Check cache if enabled\n      if (this.config.cacheResults && cacheKey) {\n        const cached = this.authCache.get(cacheKey);\n        if (cached && cached.expiresAt > Date.now()) {\n          this.logger.debug('Authentication result retrieved from cache', {\n            cacheKey,\n            userId: cached.result.userId\n          });\n          return cached.result;\n        }\n      }\n      \n      // Perform authentication\n      const result = await this.doAuthenticate(context);\n      \n      // Cache result if successful and caching is enabled\n      if (result.authenticated && this.config.cacheResults && cacheKey) {\n        this.authCache.set(cacheKey, {\n          result,\n          expiresAt: Date.now() + (this.config.cacheTtl ?? 60000)\n        });\n        \n        this.logger.debug('Authentication result cached', {\n          cacheKey,\n          userId: result.userId,\n          ttl: this.config.cacheTtl\n        });\n      }\n      \n      // Log result\n      if (result.authenticated) {\n        this.logger.info('Authentication successful', {\n          userId: result.userId,\n          transport: context.transport\n        });\n      } else {\n        this.logger.warn('Authentication failed', {\n          error: result.error,\n          transport: context.transport\n        });\n      }\n      \n      return result;\n      \n    } catch (error) {\n      this.logger.error('Authentication error', error as Error, {\n        transport: context.transport\n      });\n      \n      return {\n        authenticated: false,\n        error: error instanceof Error ? error.message : 'Authentication failed'\n      };\n    }\n  }\n  \n  /**\n   * Abstract method to implement authentication logic\n   * Override this in your provider implementation\n   */\n  protected abstract doAuthenticate(context: RequestContext): Promise<AuthResult>;\n  \n  /**\n   * Generate cache key from request context\n   * Override this to customize caching behavior\n   */\n  protected getCacheKey(context: RequestContext): string | null {\n    // Default: use authorization header as cache key\n    const authHeader = context.headers?.['authorization'];\n    if (typeof authHeader === 'string') {\n      return authHeader;\n    }\n    return null;\n  }\n  \n  /**\n   * Extract authorization header from context\n   */\n  protected getAuthorizationHeader(context: RequestContext): string | null {\n    const authHeader = context.headers?.['authorization'];\n    \n    if (typeof authHeader === 'string') {\n      return authHeader;\n    }\n    \n    if (Array.isArray(authHeader) && authHeader.length > 0) {\n      return authHeader[0];\n    }\n    \n    return null;\n  }\n  \n  /**\n   * Extract bearer token from authorization header\n   */\n  protected extractBearerToken(context: RequestContext): string | null {\n    const authHeader = this.getAuthorizationHeader(context);\n    \n    if (!authHeader) {\n      return null;\n    }\n    \n    const parts = authHeader.split(' ');\n    if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {\n      return parts[1];\n    }\n    \n    return null;\n  }\n  \n  /**\n   * Create authentication failure result\n   */\n  protected createFailureResult(error: string): AuthResult {\n    return {\n      authenticated: false,\n      error\n    };\n  }\n  \n  /**\n   * Create authentication success result\n   */\n  protected createSuccessResult(\n    userId: string,\n    metadata?: Record<string, unknown>\n  ): AuthResult {\n    return {\n      authenticated: true,\n      userId,\n      metadata\n    };\n  }\n  \n  /**\n   * Optional: Initialize the provider\n   */\n  async initialize(): Promise<void> {\n    this.logger.info('Authentication provider initialized', {\n      provider: this.constructor.name,\n      cacheEnabled: this.config.cacheResults\n    });\n  }\n  \n  /**\n   * Optional: Cleanup resources\n   */\n  async cleanup(): Promise<void> {\n    // Clear cache\n    this.authCache.clear();\n    \n    this.logger.info('Authentication provider cleaned up', {\n      provider: this.constructor.name\n    });\n  }\n  \n  /**\n   * Optional: Validate provider configuration\n   */\n  async validate(): Promise<boolean> {\n    // Base implementation always returns true\n    // Override in subclasses to add validation logic\n    return true;\n  }\n  \n  /**\n   * Clear authentication cache\n   */\n  clearCache(): void {\n    this.authCache.clear();\n    this.logger.debug('Authentication cache cleared');\n  }\n  \n  /**\n   * Get cache statistics\n   */\n  getCacheStats(): { size: number; keys: string[] } {\n    return {\n      size: this.authCache.size,\n      keys: Array.from(this.authCache.keys())\n    };\n  }\n}\n"],
+  "mappings": "AASA,SAAS,oBAAiC;AAkBnC,MAAe,iBAAyC;AAAA,EACnD;AAAA,EACA;AAAA,EACF;AAAA,EAER,YAAY,SAA6B,CAAC,GAAG;AAC3C,SAAK,SAAS;AAAA,MACZ,eAAe;AAAA,QACb,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,QACb,GAAG,OAAO;AAAA,MACZ;AAAA,MACA,cAAc,OAAO,gBAAgB;AAAA,MACrC,UAAU,OAAO,YAAY;AAAA;AAAA,IAC/B;AAEA,SAAK,SAAS,aAAa,EAAE,SAAS,MAAM,OAAO,OAAO,CAAC;AAC3D,SAAK,YAAY,oBAAI,IAAI;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAa,SAA8C;AAC/D,QAAI;AAEF,YAAM,WAAW,KAAK,YAAY,OAAO;AAGzC,UAAI,KAAK,OAAO,gBAAgB,UAAU;AACxC,cAAM,SAAS,KAAK,UAAU,IAAI,QAAQ;AAC1C,YAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,eAAK,OAAO,MAAM,8CAA8C;AAAA,YAC9D;AAAA,YACA,QAAQ,OAAO,OAAO;AAAA,UACxB,CAAC;AACD,iBAAO,OAAO;AAAA,QAChB;AAAA,MACF;AAGA,YAAM,SAAS,MAAM,KAAK,eAAe,OAAO;AAGhD,UAAI,OAAO,iBAAiB,KAAK,OAAO,gBAAgB,UAAU;AAChE,aAAK,UAAU,IAAI,UAAU;AAAA,UAC3B;AAAA,UACA,WAAW,KAAK,IAAI,KAAK,KAAK,OAAO,YAAY;AAAA,QACnD,CAAC;AAED,aAAK,OAAO,MAAM,gCAAgC;AAAA,UAChD;AAAA,UACA,QAAQ,OAAO;AAAA,UACf,KAAK,KAAK,OAAO;AAAA,QACnB,CAAC;AAAA,MACH;AAGA,UAAI,OAAO,eAAe;AACxB,aAAK,OAAO,KAAK,6BAA6B;AAAA,UAC5C,QAAQ,OAAO;AAAA,UACf,WAAW,QAAQ;AAAA,QACrB,CAAC;AAAA,MACH,OAAO;AACL,aAAK,OAAO,KAAK,yBAAyB;AAAA,UACxC,OAAO,OAAO;AAAA,UACd,WAAW,QAAQ;AAAA,QACrB,CAAC;AAAA,MACH;AAEA,aAAO;AAAA,IAET,SAAS,OAAO;AACd,WAAK,OAAO,MAAM,wBAAwB,OAAgB;AAAA,QACxD,WAAW,QAAQ;AAAA,MACrB,CAAC;AAED,aAAO;AAAA,QACL,eAAe;AAAA,QACf,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAYU,YAAY,SAAwC;AAE5D,UAAM,aAAa,QAAQ,UAAU,eAAe;AACpD,QAAI,OAAO,eAAe,UAAU;AAClC,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKU,uBAAuB,SAAwC;AACvE,UAAM,aAAa,QAAQ,UAAU,eAAe;AAEpD,QAAI,OAAO,eAAe,UAAU;AAClC,aAAO;AAAA,IACT;AAEA,QAAI,MAAM,QAAQ,UAAU,KAAK,WAAW,SAAS,GAAG;AACtD,aAAO,WAAW,CAAC;AAAA,IACrB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKU,mBAAmB,SAAwC;AACnE,UAAM,aAAa,KAAK,uBAAuB,OAAO;AAEtD,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AAEA,UAAM,QAAQ,WAAW,MAAM,GAAG;AAClC,QAAI,MAAM,WAAW,KAAK,MAAM,CAAC,EAAE,YAAY,MAAM,UAAU;AAC7D,aAAO,MAAM,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKU,oBAAoB,OAA2B;AACvD,WAAO;AAAA,MACL,eAAe;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKU,oBACR,QACA,UACY;AACZ,WAAO;AAAA,MACL,eAAe;AAAA,MACf;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAA4B;AAChC,SAAK,OAAO,KAAK,uCAAuC;AAAA,MACtD,UAAU,KAAK,YAAY;AAAA,MAC3B,cAAc,KAAK,OAAO;AAAA,IAC5B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAE7B,SAAK,UAAU,MAAM;AAErB,SAAK,OAAO,KAAK,sCAAsC;AAAA,MACrD,UAAU,KAAK,YAAY;AAAA,IAC7B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAA6B;AAGjC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,SAAK,UAAU,MAAM;AACrB,SAAK,OAAO,MAAM,8BAA8B;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAkD;AAChD,WAAO;AAAA,MACL,MAAM,KAAK,UAAU;AAAA,MACrB,MAAM,MAAM,KAAK,KAAK,UAAU,KAAK,CAAC;AAAA,IACxC;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/auth/index.js

@@ -0,0 +1,11 @@
+import { BaseAuthProvider } from "./base-provider.js";
+import {
+  EnvAuthProvider,
+  SimpleTokenResolver
+} from "./providers/index.js";
+export {
+  BaseAuthProvider,
+  EnvAuthProvider,
+  SimpleTokenResolver
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/auth/index.ts"],
+  "sourcesContent": ["/**\n * Authentication module exports\n */\n\n// Types\nexport type {\n  AuthProvider,\n  ResourceTokenResolver,\n  AuthenticatedContext,\n  AuthProviderConfig,\n  TokenResolverConfig\n} from './types.js';\n\n// Base provider\nexport { BaseAuthProvider } from './base-provider.js';\n\n// Providers\nexport {\n  EnvAuthProvider,\n  type EnvAuthProviderConfig,\n  SimpleTokenResolver,\n  type SimpleTokenResolverConfig\n} from './providers/index.js';\n"],
+  "mappings": "AAcA,SAAS,wBAAwB;AAGjC;AAAA,EACE;AAAA,EAEA;AAAA,OAEK;",
+  "names": []
+}

package/dist/auth/providers/env-provider.js

@@ -0,0 +1,71 @@
+import { BaseAuthProvider } from "../base-provider.js";
+class EnvAuthProvider extends BaseAuthProvider {
+  envConfig;
+  constructor(config = {}) {
+    super(config);
+    this.envConfig = {
+      ...config,
+      userIdEnvVar: config.userIdEnvVar ?? "MCP_USER_ID",
+      defaultUserId: config.defaultUserId ?? "default-user",
+      requireUserId: config.requireUserId ?? false,
+      errorMessages: config.errorMessages ?? {},
+      cacheResults: config.cacheResults ?? false,
+      cacheTtl: config.cacheTtl ?? 6e4
+    };
+  }
+  /**
+   * Authenticate request by reading user ID from environment
+   */
+  async doAuthenticate(context) {
+    const userId = process.env[this.envConfig.userIdEnvVar];
+    if (!userId) {
+      if (this.envConfig.requireUserId) {
+        return this.createFailureResult(
+          `${this.envConfig.userIdEnvVar} environment variable is required`
+        );
+      }
+      this.logger.debug("Using default user ID", {
+        defaultUserId: this.envConfig.defaultUserId
+      });
+      return this.createSuccessResult(this.envConfig.defaultUserId, {
+        source: "default"
+      });
+    }
+    if (userId.trim().length === 0) {
+      return this.createFailureResult("User ID cannot be empty");
+    }
+    this.logger.debug("User ID resolved from environment", {
+      envVar: this.envConfig.userIdEnvVar,
+      userId
+    });
+    return this.createSuccessResult(userId, {
+      source: "environment",
+      envVar: this.envConfig.userIdEnvVar
+    });
+  }
+  /**
+   * Validate provider configuration
+   */
+  async validate() {
+    if (this.envConfig.requireUserId) {
+      const userId = process.env[this.envConfig.userIdEnvVar];
+      if (!userId) {
+        this.logger.error("Validation failed: Required environment variable not set", void 0, {
+          envVar: this.envConfig.userIdEnvVar
+        });
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Get current user ID from environment
+   */
+  getUserId() {
+    return process.env[this.envConfig.userIdEnvVar] ?? this.envConfig.defaultUserId;
+  }
+}
+export {
+  EnvAuthProvider
+};
+//# sourceMappingURL=env-provider.js.map

package/dist/auth/providers/env-provider.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/providers/env-provider.ts"],
+  "sourcesContent": ["/**\n * Environment variable authentication provider\n * \n * Simple provider for single-user scenarios that reads credentials from environment variables.\n * Useful for local development and stdio mode.\n */\n\nimport { BaseAuthProvider } from '../base-provider.js';\nimport type { AuthProviderConfig } from '../types.js';\nimport type { RequestContext, AuthResult } from '../../types.js';\nimport { MissingCredentialsError } from '../../utils/errors.js';\n\n/**\n * Configuration for EnvAuthProvider\n */\nexport interface EnvAuthProviderConfig extends AuthProviderConfig {\n  /**\n   * Environment variable name containing the user ID\n   * @default 'MCP_USER_ID'\n   */\n  userIdEnvVar?: string;\n  \n  /**\n   * Default user ID if environment variable is not set\n   * @default 'default-user'\n   */\n  defaultUserId?: string;\n  \n  /**\n   * Whether to require user ID environment variable\n   * @default false\n   */\n  requireUserId?: boolean;\n}\n\n/**\n * Environment variable authentication provider\n * \n * This provider is designed for single-user scenarios where authentication\n * is not required (e.g., local development, stdio mode).\n * \n * It reads the user ID from an environment variable or uses a default value.\n * \n * @example\n * ```typescript\n * const provider = new EnvAuthProvider({\n *   userIdEnvVar: 'MY_USER_ID',\n *   defaultUserId: 'local-user'\n * });\n * \n * // Or with defaults\n * const provider = new EnvAuthProvider();\n * ```\n */\nexport class EnvAuthProvider extends BaseAuthProvider {\n  private envConfig: Required<EnvAuthProviderConfig>;\n  \n  constructor(config: EnvAuthProviderConfig = {}) {\n    super(config);\n    \n    this.envConfig = {\n      ...config,\n      userIdEnvVar: config.userIdEnvVar ?? 'MCP_USER_ID',\n      defaultUserId: config.defaultUserId ?? 'default-user',\n      requireUserId: config.requireUserId ?? false,\n      errorMessages: config.errorMessages ?? {},\n      cacheResults: config.cacheResults ?? false,\n      cacheTtl: config.cacheTtl ?? 60000\n    };\n  }\n  \n  /**\n   * Authenticate request by reading user ID from environment\n   */\n  protected async doAuthenticate(context: RequestContext): Promise<AuthResult> {\n    // Read user ID from environment variable\n    const userId = process.env[this.envConfig.userIdEnvVar];\n    \n    if (!userId) {\n      if (this.envConfig.requireUserId) {\n        return this.createFailureResult(\n          `${this.envConfig.userIdEnvVar} environment variable is required`\n        );\n      }\n      \n      // Use default user ID\n      this.logger.debug('Using default user ID', {\n        defaultUserId: this.envConfig.defaultUserId\n      });\n      \n      return this.createSuccessResult(this.envConfig.defaultUserId, {\n        source: 'default'\n      });\n    }\n    \n    // Validate user ID\n    if (userId.trim().length === 0) {\n      return this.createFailureResult('User ID cannot be empty');\n    }\n    \n    this.logger.debug('User ID resolved from environment', {\n      envVar: this.envConfig.userIdEnvVar,\n      userId\n    });\n    \n    return this.createSuccessResult(userId, {\n      source: 'environment',\n      envVar: this.envConfig.userIdEnvVar\n    });\n  }\n  \n  /**\n   * Validate provider configuration\n   */\n  async validate(): Promise<boolean> {\n    if (this.envConfig.requireUserId) {\n      const userId = process.env[this.envConfig.userIdEnvVar];\n      if (!userId) {\n        this.logger.error('Validation failed: Required environment variable not set', undefined, {\n          envVar: this.envConfig.userIdEnvVar\n        });\n        return false;\n      }\n    }\n    \n    return true;\n  }\n  \n  /**\n   * Get current user ID from environment\n   */\n  getUserId(): string {\n    return process.env[this.envConfig.userIdEnvVar] ?? this.envConfig.defaultUserId;\n  }\n}\n"],
+  "mappings": "AAOA,SAAS,wBAAwB;AA+C1B,MAAM,wBAAwB,iBAAiB;AAAA,EAC5C;AAAA,EAER,YAAY,SAAgC,CAAC,GAAG;AAC9C,UAAM,MAAM;AAEZ,SAAK,YAAY;AAAA,MACf,GAAG;AAAA,MACH,cAAc,OAAO,gBAAgB;AAAA,MACrC,eAAe,OAAO,iBAAiB;AAAA,MACvC,eAAe,OAAO,iBAAiB;AAAA,MACvC,eAAe,OAAO,iBAAiB,CAAC;AAAA,MACxC,cAAc,OAAO,gBAAgB;AAAA,MACrC,UAAU,OAAO,YAAY;AAAA,IAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAgB,eAAe,SAA8C;AAE3E,UAAM,SAAS,QAAQ,IAAI,KAAK,UAAU,YAAY;AAEtD,QAAI,CAAC,QAAQ;AACX,UAAI,KAAK,UAAU,eAAe;AAChC,eAAO,KAAK;AAAA,UACV,GAAG,KAAK,UAAU,YAAY;AAAA,QAChC;AAAA,MACF;AAGA,WAAK,OAAO,MAAM,yBAAyB;AAAA,QACzC,eAAe,KAAK,UAAU;AAAA,MAChC,CAAC;AAED,aAAO,KAAK,oBAAoB,KAAK,UAAU,eAAe;AAAA,QAC5D,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAGA,QAAI,OAAO,KAAK,EAAE,WAAW,GAAG;AAC9B,aAAO,KAAK,oBAAoB,yBAAyB;AAAA,IAC3D;AAEA,SAAK,OAAO,MAAM,qCAAqC;AAAA,MACrD,QAAQ,KAAK,UAAU;AAAA,MACvB;AAAA,IACF,CAAC;AAED,WAAO,KAAK,oBAAoB,QAAQ;AAAA,MACtC,QAAQ;AAAA,MACR,QAAQ,KAAK,UAAU;AAAA,IACzB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAA6B;AACjC,QAAI,KAAK,UAAU,eAAe;AAChC,YAAM,SAAS,QAAQ,IAAI,KAAK,UAAU,YAAY;AACtD,UAAI,CAAC,QAAQ;AACX,aAAK,OAAO,MAAM,4DAA4D,QAAW;AAAA,UACvF,QAAQ,KAAK,UAAU;AAAA,QACzB,CAAC;AACD,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,YAAoB;AAClB,WAAO,QAAQ,IAAI,KAAK,UAAU,YAAY,KAAK,KAAK,UAAU;AAAA,EACpE;AACF;",
+  "names": []
+}

package/dist/auth/providers/index.js

@@ -0,0 +1,11 @@
+import {
+  EnvAuthProvider
+} from "./env-provider.js";
+import {
+  SimpleTokenResolver
+} from "./simple-resolver.js";
+export {
+  EnvAuthProvider,
+  SimpleTokenResolver
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/providers/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/providers/index.ts"],
+  "sourcesContent": ["/**\n * Authentication providers module exports\n */\n\n// Environment-based provider\nexport { \n  EnvAuthProvider,\n  type EnvAuthProviderConfig \n} from './env-provider.js';\n\n// Simple token resolver\nexport { \n  SimpleTokenResolver,\n  type SimpleTokenResolverConfig \n} from './simple-resolver.js';\n"],
+  "mappings": "AAKA;AAAA,EACE;AAAA,OAEK;AAGP;AAAA,EACE;AAAA,OAEK;",
+  "names": []
+}