npm - @prmichaelsen/mcp-auth - Versions diffs - 0.1.1 → 0.1.3 - Mend

@prmichaelsen/mcp-auth 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/README.md +5 -0
package/dist/auth/base-provider.d.ts +85 -0
package/dist/auth/base-provider.d.ts.map +1 -0
package/dist/auth/index.d.ts +7 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/providers/api-token-resolver.d.ts +110 -0
package/dist/auth/providers/api-token-resolver.d.ts.map +1 -0
package/dist/auth/providers/env-provider.d.ts +65 -0
package/dist/auth/providers/env-provider.d.ts.map +1 -0
package/dist/auth/providers/index.d.ts +9 -0
package/dist/auth/providers/index.d.ts.map +1 -0
package/dist/auth/providers/jwt-provider.d.ts +133 -0
package/dist/auth/providers/jwt-provider.d.ts.map +1 -0
package/dist/auth/providers/jwt-token-resolver.d.ts +84 -0
package/dist/auth/providers/jwt-token-resolver.d.ts.map +1 -0
package/dist/auth/providers/simple-resolver.d.ts +109 -0
package/dist/auth/providers/simple-resolver.d.ts.map +1 -0
package/dist/auth/types.d.ts +215 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/index.d.ts +57 -0
package/dist/index.d.ts.map +1 -0
package/dist/server/config.d.ts +90 -0
package/dist/server/config.d.ts.map +1 -0
package/dist/server/decorators.d.ts +136 -0
package/dist/server/decorators.d.ts.map +1 -0
package/dist/server/index.d.ts +10 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/mcp-server.d.ts +122 -0
package/dist/server/mcp-server.d.ts.map +1 -0
package/dist/server/tool.d.ts +120 -0
package/dist/server/tool.d.ts.map +1 -0
package/dist/types.d.ts +202 -0
package/dist/types.d.ts.map +1 -0
package/dist/utils/errors.d.ts +116 -0
package/dist/utils/errors.d.ts.map +1 -0
package/dist/utils/index.d.ts +7 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/logger.d.ts +94 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/validation.d.ts +70 -0
package/dist/utils/validation.d.ts.map +1 -0
package/dist/wrapper/config.d.ts +158 -0
package/dist/wrapper/config.d.ts.map +1 -0
package/dist/wrapper/index.d.ts +36 -0
package/dist/wrapper/index.d.ts.map +1 -0
package/dist/wrapper/server-wrapper.d.ts +103 -0
package/dist/wrapper/server-wrapper.d.ts.map +1 -0
package/dist/wrapper/server-wrapper.js +12 -0
package/dist/wrapper/server-wrapper.js.map +2 -2
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -230,6 +230,11 @@ transport: {
 }
 ```
+**Endpoints created:**
+- `GET /mcp` - Server info and available endpoints
+- `POST /mcp/message` - MCP protocol messages (requires JWT)
+- `GET /mcp/health` - Health check endpoint
 ### HTTP (Remote)
 ```typescript

package/dist/auth/base-provider.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Base authentication provider implementation
+ *
+ * Provides common functionality for authentication providers.
+ */
+import type { AuthProvider, AuthProviderConfig } from './types.js';
+import type { RequestContext, AuthResult } from '../types.js';
+import { type Logger } from '../utils/logger.js';
+/**
+ * Abstract base class for authentication providers
+ *
+ * Provides common functionality like caching, logging, and error handling.
+ * Extend this class to implement custom authentication logic.
+ *
+ * @example
+ * ```typescript
+ * class MyAuthProvider extends BaseAuthProvider {
+ *   protected async doAuthenticate(context: RequestContext): Promise<AuthResult> {
+ *     // Your authentication logic here
+ *     return { authenticated: true, userId: 'user-123' };
+ *   }
+ * }
+ * ```
+ */
+export declare abstract class BaseAuthProvider implements AuthProvider {
+    protected config: AuthProviderConfig;
+    protected logger: Logger;
+    private authCache;
+    constructor(config?: AuthProviderConfig);
+    /**
+     * Authenticate a request
+     * Implements caching if enabled
+     */
+    authenticate(context: RequestContext): Promise<AuthResult>;
+    /**
+     * Abstract method to implement authentication logic
+     * Override this in your provider implementation
+     */
+    protected abstract doAuthenticate(context: RequestContext): Promise<AuthResult>;
+    /**
+     * Generate cache key from request context
+     * Override this to customize caching behavior
+     */
+    protected getCacheKey(context: RequestContext): string | null;
+    /**
+     * Extract authorization header from context
+     */
+    protected getAuthorizationHeader(context: RequestContext): string | null;
+    /**
+     * Extract bearer token from authorization header
+     */
+    protected extractBearerToken(context: RequestContext): string | null;
+    /**
+     * Create authentication failure result
+     */
+    protected createFailureResult(error: string): AuthResult;
+    /**
+     * Create authentication success result
+     */
+    protected createSuccessResult(userId: string, metadata?: Record<string, unknown>): AuthResult;
+    /**
+     * Optional: Initialize the provider
+     */
+    initialize(): Promise<void>;
+    /**
+     * Optional: Cleanup resources
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Optional: Validate provider configuration
+     */
+    validate(): Promise<boolean>;
+    /**
+     * Clear authentication cache
+     */
+    clearCache(): void;
+    /**
+     * Get cache statistics
+     */
+    getCacheStats(): {
+        size: number;
+        keys: string[];
+    };
+}
+//# sourceMappingURL=base-provider.d.ts.map

package/dist/auth/base-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"base-provider.d.ts","sourceRoot":"","sources":["../../src/auth/base-provider.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACnE,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9D,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;;;;;;;;;;;GAeG;AACH,8BAAsB,gBAAiB,YAAW,YAAY;IAC5D,SAAS,CAAC,MAAM,EAAE,kBAAkB,CAAC;IACrC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,SAAS,CAAyD;gBAE9D,MAAM,GAAE,kBAAuB;IAgB3C;;;OAGG;IACG,YAAY,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC;IA6DhE;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC;IAE/E;;;OAGG;IACH,SAAS,CAAC,WAAW,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,GAAG,IAAI;IAS7D;;OAEG;IACH,SAAS,CAAC,sBAAsB,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,GAAG,IAAI;IAcxE;;OAEG;IACH,SAAS,CAAC,kBAAkB,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,GAAG,IAAI;IAepE;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU;IAOxD;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAC3B,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,UAAU;IAQb;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAOjC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAS9B;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC;IAMlC;;OAEG;IACH,UAAU,IAAI,IAAI;IAKlB;;OAEG;IACH,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;CAMlD"}

package/dist/auth/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Authentication module exports
+ */
+export type { AuthProvider, ResourceTokenResolver, AuthenticatedContext, AuthProviderConfig, TokenResolverConfig } from './types.js';
+export { BaseAuthProvider } from './base-provider.js';
+export { EnvAuthProvider, type EnvAuthProviderConfig, SimpleTokenResolver, type SimpleTokenResolverConfig, JWTAuthProvider, type JWTAuthProviderConfig, type JWTPayload, JWTTokenResolver, type JWTTokenResolverConfig, APITokenResolver, type APITokenResolverConfig } from './providers/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,YAAY,EACV,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,OAAO,EACL,eAAe,EACf,KAAK,qBAAqB,EAC1B,mBAAmB,EACnB,KAAK,yBAAyB,EAC9B,eAAe,EACf,KAAK,qBAAqB,EAC1B,KAAK,UAAU,EACf,gBAAgB,EAChB,KAAK,sBAAsB,EAC3B,gBAAgB,EAChB,KAAK,sBAAsB,EAC5B,MAAM,sBAAsB,CAAC"}

package/dist/auth/providers/api-token-resolver.d.ts ADDED Viewed

@@ -0,0 +1,110 @@
+/**
+ * API-based token resolver
+ *
+ * Resolves tokens by calling the tenant manager's API.
+ * Alternative to JWT-embedded tokens for better separation.
+ */
+import type { ResourceTokenResolver, TokenResolverConfig } from '../types.js';
+/**
+ * Configuration for APITokenResolver
+ */
+export interface APITokenResolverConfig extends TokenResolverConfig {
+    /**
+     * Tenant manager API base URL
+     * @example 'https://tenant-manager.example.com'
+     */
+    tenantManagerUrl: string;
+    /**
+     * Service token for authenticating MCP server → tenant manager requests
+     * This is a separate token from user JWTs
+     */
+    serviceToken: string;
+    /**
+     * API endpoint path template
+     * @default '/api/credentials/:userId/:resourceType'
+     *
+     * Variables:
+     * - :userId - Will be replaced with actual user ID
+     * - :resourceType - Will be replaced with resource type
+     */
+    endpointPath?: string;
+    /**
+     * Request timeout in milliseconds
+     * @default 5000
+     */
+    timeoutMs?: number;
+    /**
+     * Whether to throw error if token is not found
+     * @default true
+     */
+    throwOnMissing?: boolean;
+    /**
+     * Whether to validate token format
+     * @default true
+     */
+    validateToken?: boolean;
+    /**
+     * Custom headers to include in API requests
+     */
+    customHeaders?: Record<string, string>;
+}
+/**
+ * API token resolver
+ *
+ * Resolves tokens by calling the tenant manager's API endpoint.
+ * This approach provides better separation between MCP server and tenant manager.
+ *
+ * @example
+ * ```typescript
+ * const resolver = new APITokenResolver({
+ *   tenantManagerUrl: 'https://tenant-manager.example.com',
+ *   serviceToken: process.env.SERVICE_TOKEN
+ * });
+ *
+ * // Calls: GET https://tenant-manager.example.com/api/credentials/user-123/instagram
+ * // Headers: { Authorization: Bearer <service-token> }
+ * // Returns: { accessToken: "IGQVJXabc..." }
+ * ```
+ */
+export declare class APITokenResolver implements ResourceTokenResolver {
+    private config;
+    private logger;
+    private tokenCache;
+    constructor(config: APITokenResolverConfig);
+    /**
+     * Resolve token by calling tenant manager API
+     */
+    resolveToken(userId: string, resourceType: string): Promise<string | null>;
+    /**
+     * Build API URL from template
+     */
+    private buildUrl;
+    /**
+     * Refresh token (calls API again)
+     */
+    refreshToken(userId: string, resourceType: string): Promise<string | null>;
+    /**
+     * Validate token (basic check)
+     */
+    validateToken(token: string, resourceType: string): Promise<boolean>;
+    /**
+     * Initialize resolver
+     */
+    initialize(): Promise<void>;
+    /**
+     * Cleanup resources
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Clear token cache
+     */
+    clearCache(): void;
+    /**
+     * Get cache statistics
+     */
+    getCacheStats(): {
+        size: number;
+        keys: string[];
+    };
+}
+//# sourceMappingURL=api-token-resolver.d.ts.map

package/dist/auth/providers/api-token-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api-token-resolver.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/api-token-resolver.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAK9E;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,mBAAmB;IACjE;;;OAGG;IACH,gBAAgB,EAAE,MAAM,CAAC;IAEzB;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBAAiB,YAAW,qBAAqB;IAC5D,OAAO,CAAC,MAAM,CAAmC;IACjD,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAoD;gBAE1D,MAAM,EAAE,sBAAsB;IAyB1C;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAqJhF;;OAEG;IACH,OAAO,CAAC,QAAQ;IAQhB;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUhF;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAa1E;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBjC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAK9B;;OAEG;IACH,UAAU,IAAI,IAAI;IAKlB;;OAEG;IACH,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;CAMlD"}

package/dist/auth/providers/env-provider.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * Environment variable authentication provider
+ *
+ * Simple provider for single-user scenarios that reads credentials from environment variables.
+ * Useful for local development and stdio mode.
+ */
+import { BaseAuthProvider } from '../base-provider.js';
+import type { AuthProviderConfig } from '../types.js';
+import type { RequestContext, AuthResult } from '../../types.js';
+/**
+ * Configuration for EnvAuthProvider
+ */
+export interface EnvAuthProviderConfig extends AuthProviderConfig {
+    /**
+     * Environment variable name containing the user ID
+     * @default 'MCP_USER_ID'
+     */
+    userIdEnvVar?: string;
+    /**
+     * Default user ID if environment variable is not set
+     * @default 'default-user'
+     */
+    defaultUserId?: string;
+    /**
+     * Whether to require user ID environment variable
+     * @default false
+     */
+    requireUserId?: boolean;
+}
+/**
+ * Environment variable authentication provider
+ *
+ * This provider is designed for single-user scenarios where authentication
+ * is not required (e.g., local development, stdio mode).
+ *
+ * It reads the user ID from an environment variable or uses a default value.
+ *
+ * @example
+ * ```typescript
+ * const provider = new EnvAuthProvider({
+ *   userIdEnvVar: 'MY_USER_ID',
+ *   defaultUserId: 'local-user'
+ * });
+ *
+ * // Or with defaults
+ * const provider = new EnvAuthProvider();
+ * ```
+ */
+export declare class EnvAuthProvider extends BaseAuthProvider {
+    private envConfig;
+    constructor(config?: EnvAuthProviderConfig);
+    /**
+     * Authenticate request by reading user ID from environment
+     */
+    protected doAuthenticate(context: RequestContext): Promise<AuthResult>;
+    /**
+     * Validate provider configuration
+     */
+    validate(): Promise<boolean>;
+    /**
+     * Get current user ID from environment
+     */
+    getUserId(): string;
+}
+//# sourceMappingURL=env-provider.d.ts.map

package/dist/auth/providers/env-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"env-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/env-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAGjE;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,kBAAkB;IAC/D;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,eAAgB,SAAQ,gBAAgB;IACnD,OAAO,CAAC,SAAS,CAAkC;gBAEvC,MAAM,GAAE,qBAA0B;IAc9C;;OAEG;cACa,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC;IAqC5E;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC;IAclC;;OAEG;IACH,SAAS,IAAI,MAAM;CAGpB"}

package/dist/auth/providers/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Authentication providers module exports
+ */
+export { EnvAuthProvider, type EnvAuthProviderConfig } from './env-provider.js';
+export { SimpleTokenResolver, type SimpleTokenResolverConfig } from './simple-resolver.js';
+export { JWTAuthProvider, type JWTAuthProviderConfig, type JWTPayload } from './jwt-provider.js';
+export { JWTTokenResolver, type JWTTokenResolverConfig } from './jwt-token-resolver.js';
+export { APITokenResolver, type APITokenResolverConfig } from './api-token-resolver.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/providers/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,eAAe,EACf,KAAK,qBAAqB,EAC3B,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,mBAAmB,EACnB,KAAK,yBAAyB,EAC/B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,eAAe,EACf,KAAK,qBAAqB,EAC1B,KAAK,UAAU,EAChB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,gBAAgB,EAChB,KAAK,sBAAsB,EAC5B,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EACL,gBAAgB,EAChB,KAAK,sBAAsB,EAC5B,MAAM,yBAAyB,CAAC"}

package/dist/auth/providers/jwt-provider.d.ts ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * JWT authentication provider
+ *
+ * Reference implementation for JWT-based authentication.
+ * Validates JWT tokens and optionally extracts embedded resource tokens.
+ */
+import { BaseAuthProvider } from '../base-provider.js';
+import type { AuthProviderConfig } from '../types.js';
+import type { RequestContext, AuthResult } from '../../types.js';
+/**
+ * JWT payload structure
+ */
+export interface JWTPayload {
+    /**
+     * User ID (standard JWT claim: 'sub' or custom 'userId')
+     */
+    sub?: string;
+    userId?: string;
+    /**
+     * Optional: Embedded resource tokens
+     * { instagram: "token1", github: "token2" }
+     */
+    tokens?: Record<string, string>;
+    /**
+     * Expiration time (standard JWT claim)
+     */
+    exp?: number;
+    /**
+     * Issued at (standard JWT claim)
+     */
+    iat?: number;
+    /**
+     * Additional custom claims
+     */
+    [key: string]: any;
+}
+/**
+ * Configuration for JWTAuthProvider
+ */
+export interface JWTAuthProviderConfig extends AuthProviderConfig {
+    /**
+     * JWT secret for verification
+     */
+    jwtSecret: string;
+    /**
+     * JWT algorithm
+     * @default 'HS256'
+     */
+    algorithm?: string;
+    /**
+     * Whether to extract embedded tokens from JWT
+     * If true, tokens will be cached for JWTTokenResolver
+     * @default true
+     */
+    extractTokens?: boolean;
+    /**
+     * Custom user ID claim name
+     * @default 'sub' (falls back to 'userId')
+     */
+    userIdClaim?: string;
+    /**
+     * Custom tokens claim name
+     * @default 'tokens'
+     */
+    tokensClaim?: string;
+    /**
+     * Whether to validate token expiration
+     * @default true
+     */
+    validateExpiration?: boolean;
+    /**
+     * Clock tolerance in seconds for exp/nbf claims
+     * @default 0
+     */
+    clockTolerance?: number;
+}
+/**
+ * JWT authentication provider
+ *
+ * Validates JWT tokens issued by the tenant manager.
+ * Optionally extracts embedded resource tokens from the JWT payload.
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const provider = new JWTAuthProvider({
+ *   jwtSecret: process.env.JWT_SECRET
+ * });
+ *
+ * // With token extraction
+ * const provider = new JWTAuthProvider({
+ *   jwtSecret: process.env.JWT_SECRET,
+ *   extractTokens: true
+ * });
+ * ```
+ */
+export declare class JWTAuthProvider extends BaseAuthProvider {
+    private jwtConfig;
+    /**
+     * Token cache for extracted tokens
+     * Maps userId → resourceType → token
+     */
+    readonly tokenCache: Map<string, Map<string, string>>;
+    constructor(config: JWTAuthProviderConfig);
+    /**
+     * Authenticate request by validating JWT
+     */
+    protected doAuthenticate(context: RequestContext): Promise<AuthResult>;
+    /**
+     * Validate provider configuration
+     */
+    validate(): Promise<boolean>;
+    /**
+     * Get cached token for a user and resource
+     */
+    getCachedToken(userId: string, resourceType: string): string | null;
+    /**
+     * Clear token cache
+     */
+    clearTokenCache(): void;
+    /**
+     * Get token cache statistics
+     */
+    getTokenCacheStats(): {
+        userCount: number;
+        totalTokens: number;
+        users: Array<{
+            userId: string;
+            resourceTypes: string[];
+        }>;
+    };
+}
+//# sourceMappingURL=jwt-provider.d.ts.map

package/dist/auth/providers/jwt-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/jwt-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAGjE;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEhC;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,kBAAkB;IAC/D;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAE7B;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,eAAgB,SAAQ,gBAAgB;IACnD,OAAO,CAAC,SAAS,CAAkC;IAEnD;;;OAGG;IACH,SAAgB,UAAU,mCAA0C;gBAExD,MAAM,EAAE,qBAAqB;IAsBzC;;OAEG;cACa,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC;IA8E5E;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC;IAkBlC;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAInE;;OAEG;IACH,eAAe,IAAI,IAAI;IAKvB;;OAEG;IACH,kBAAkB,IAAI;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,KAAK,CAAC;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,aAAa,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC,CAAC;KAC3D;CAcF"}

package/dist/auth/providers/jwt-token-resolver.d.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * JWT token resolver
+ *
+ * Resolves tokens that were extracted from JWT by JWTAuthProvider.
+ * Works in conjunction with JWTAuthProvider for JWT-embedded token approach.
+ */
+import type { ResourceTokenResolver, TokenResolverConfig } from '../types.js';
+import type { JWTAuthProvider } from './jwt-provider.js';
+/**
+ * Configuration for JWTTokenResolver
+ */
+export interface JWTTokenResolverConfig extends TokenResolverConfig {
+    /**
+     * JWTAuthProvider instance that extracts tokens
+     */
+    authProvider: JWTAuthProvider;
+    /**
+     * Whether to throw error if token is not found
+     * @default true
+     */
+    throwOnMissing?: boolean;
+}
+/**
+ * JWT token resolver
+ *
+ * Resolves tokens that were cached by JWTAuthProvider during authentication.
+ * This is used for the JWT-embedded token approach where the JWT contains
+ * all resource tokens.
+ *
+ * @example
+ * ```typescript
+ * const authProvider = new JWTAuthProvider({
+ *   jwtSecret: process.env.JWT_SECRET,
+ *   extractTokens: true
+ * });
+ *
+ * const tokenResolver = new JWTTokenResolver({
+ *   authProvider
+ * });
+ *
+ * // JWT structure:
+ * // {
+ * //   "userId": "user-123",
+ * //   "tokens": {
+ * //     "instagram": "IGQVJXabc...",
+ * //     "github": "ghp_abc123..."
+ * //   }
+ * // }
+ * ```
+ */
+export declare class JWTTokenResolver implements ResourceTokenResolver {
+    private config;
+    private logger;
+    constructor(config: JWTTokenResolverConfig);
+    /**
+     * Resolve token from JWT auth provider's cache
+     */
+    resolveToken(userId: string, resourceType: string): Promise<string | null>;
+    /**
+     * Refresh token (not supported for JWT-embedded tokens)
+     */
+    refreshToken(userId: string, resourceType: string): Promise<string | null>;
+    /**
+     * Validate token (checks if token exists in cache)
+     */
+    validateToken(token: string, resourceType: string): Promise<boolean>;
+    /**
+     * Initialize resolver
+     */
+    initialize(): Promise<void>;
+    /**
+     * Cleanup resources
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Get available resource types for a user
+     */
+    getAvailableResources(userId: string): string[];
+    /**
+     * Check if token is available for a user and resource
+     */
+    hasToken(userId: string, resourceType: string): boolean;
+}
+//# sourceMappingURL=jwt-token-resolver.d.ts.map

package/dist/auth/providers/jwt-token-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-token-resolver.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/jwt-token-resolver.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAIzD;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,mBAAmB;IACjE;;OAEG;IACH,YAAY,EAAE,eAAe,CAAC;IAE9B;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,qBAAa,gBAAiB,YAAW,qBAAqB;IAC5D,OAAO,CAAC,MAAM,CAAmC;IACjD,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,sBAAsB;IAgB1C;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAgChF;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUhF;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK1E;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAMjC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAK9B;;OAEG;IACH,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAK/C;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;CAGxD"}

package/dist/auth/providers/simple-resolver.d.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * Simple token resolver for single-user scenarios
+ *
+ * Resolves tokens from environment variables. Useful for local development
+ * and single-user deployments where all users share the same token.
+ */
+import type { ResourceTokenResolver, TokenResolverConfig } from '../types.js';
+/**
+ * Configuration for SimpleTokenResolver
+ */
+export interface SimpleTokenResolverConfig extends TokenResolverConfig {
+    /**
+     * Environment variable name containing the access token
+     * @default 'ACCESS_TOKEN'
+     */
+    tokenEnvVar?: string;
+    /**
+     * Optional: Map of resource types to environment variable names
+     * Overrides tokenEnvVar for specific resource types
+     *
+     * @example
+     * ```typescript
+     * {
+     *   instagram: 'INSTAGRAM_ACCESS_TOKEN',
+     *   github: 'GITHUB_ACCESS_TOKEN'
+     * }
+     * ```
+     */
+    resourceTokenEnvVars?: Record<string, string>;
+    /**
+     * Whether to throw error if token is not found
+     * @default true
+     */
+    throwOnMissing?: boolean;
+    /**
+     * Whether to validate token format
+     * @default true
+     */
+    validateToken?: boolean;
+}
+/**
+ * Simple token resolver that reads tokens from environment variables
+ *
+ * This resolver is designed for single-user scenarios where authentication
+ * is handled externally or not required. It reads resource-specific tokens
+ * from environment variables.
+ *
+ * @example
+ * ```typescript
+ * // Single token for all resources
+ * const resolver = new SimpleTokenResolver({
+ *   tokenEnvVar: 'API_TOKEN'
+ * });
+ *
+ * // Different tokens per resource
+ * const resolver = new SimpleTokenResolver({
+ *   resourceTokenEnvVars: {
+ *     instagram: 'INSTAGRAM_ACCESS_TOKEN',
+ *     github: 'GITHUB_ACCESS_TOKEN'
+ *   }
+ * });
+ * ```
+ */
+export declare class SimpleTokenResolver implements ResourceTokenResolver {
+    private config;
+    private logger;
+    private tokenCache;
+    constructor(config?: SimpleTokenResolverConfig);
+    /**
+     * Resolve access token for a user and resource type
+     */
+    resolveToken(userId: string, resourceType: string): Promise<string | null>;
+    /**
+     * Optional: Refresh token (not supported for env-based tokens)
+     */
+    refreshToken(userId: string, resourceType: string): Promise<string | null>;
+    /**
+     * Optional: Validate token (checks if env var is set)
+     */
+    validateToken(token: string, resourceType: string): Promise<boolean>;
+    /**
+     * Optional: Initialize resolver
+     */
+    initialize(): Promise<void>;
+    /**
+     * Optional: Cleanup resources
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Clear token cache
+     */
+    clearCache(): void;
+    /**
+     * Get cache statistics
+     */
+    getCacheStats(): {
+        size: number;
+        keys: string[];
+    };
+    /**
+     * Check if token is available for a resource type
+     */
+    hasToken(resourceType: string): boolean;
+    /**
+     * Get all available resource types
+     */
+    getAvailableResources(): string[];
+}
+//# sourceMappingURL=simple-resolver.d.ts.map

package/dist/auth/providers/simple-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"simple-resolver.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/simple-resolver.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAK9E;;GAEG;AACH,MAAM,WAAW,yBAA0B,SAAQ,mBAAmB;IACpE;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;;;;;;;;OAWG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE9C;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,mBAAoB,YAAW,qBAAqB;IAC/D,OAAO,CAAC,MAAM,CAAsC;IACpD,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAoD;gBAE1D,MAAM,GAAE,yBAA8B;IAelD;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA0FhF;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUhF;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAa1E;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAoBjC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAK9B;;OAEG;IACH,UAAU,IAAI,IAAI;IAKlB;;OAEG;IACH,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;IAOjD;;OAEG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAOvC;;OAEG;IACH,qBAAqB,IAAI,MAAM,EAAE;CAiBlC"}