@rekog/mcp-nest 1.9.0 → 1.9.2

package/README.md

@@ -20,8 +20,8 @@ With `@rekog/mcp-nest` you define tools, resources, and prompts in a way that's
 - 🚀 **[Multi-Transport Support](docs/server-examples.md#multiple-transport-types)**: HTTP+SSE, Streamable HTTP, and STDIO
 - 🔧 **[Tools](docs/tools.md)**: Expose NestJS methods as MCP tools with automatic discovery and Zod validation
   - 🛠️ **[Elicitation](docs/tools.md#interactive-tool-calls)**: Interactive tool calls with user input elicitation
-  - 📊 **[Progress Notifications](docs/tools.md#tool-with-progress-reporting)**: Real-time progress updates for long-running operations
   - 🌐 **[HTTP Request Access](docs/tools.md#understanding-tool-method-parameters)**: Full access to request context within MCP handlers
+  - 🔐 **[Per-Tool Authorization](./per-tool-authorization.md)**: Implement fine-grained authorization for tools
 - 📁 **[Resources](docs/resources.md)**: Serve content and data through MCP resource system
 - 📚 **[Resource Templates](docs/resource-templates.md)**: Dynamic resources with parameterized URIs
 - 💬 **[Prompts](docs/prompts.md)**: Define reusable prompt templates for AI interactions
@@ -29,7 +29,6 @@ With `@rekog/mcp-nest` you define tools, resources, and prompts in a way that's
 - 🏠 **[Built-in Authorization Server](docs/built-in-authorization-server.md)** — Using the built-in Authorization Server for easy setups. **(Beta)**
 - 🌐 **[External Authorization Server](docs/external-authorization-server/README.md)** — Securing your MCP server with an external authorization server (Keycloak, Auth0, etc).
 - 💉 **[Dependency Injection](docs/dependency-injection.md)**: Leverage NestJS DI system throughout MCP components
-- 📝 **[Logging Configuration](docs/server-examples.md#logging-configuration)**: Fine-grained control over MCP module logging levels
 
 **Are you interested to build ChatGPT widgets (with the OpenAI SDK)?**
 Find out how to do that with `@rekog/MCP-Nest` in this repository [MCP-Nest-Samples/pizzaz-openai-apps-sdk](https://github.com/rinormaloku/MCP-Nest-Samples/tree/main/pizzaz-openai-apps-sdk)

package/dist/authz/guards/jwt-auth.guard.d.ts

@@ -2,8 +2,8 @@ import { CanActivate, ExecutionContext } from '@nestjs/common';
 import { ModuleRef } from '@nestjs/core';
 import { Request } from 'express';
 import { JwtPayload, JwtTokenService } from '../services/jwt-token.service';
-import { IOAuthStore } from '../stores/oauth-store.interface';
-import { McpOptions } from '../../mcp';
+import type { IOAuthStore } from '../stores/oauth-store.interface';
+import type { McpOptions } from '../../mcp';
 export interface AuthenticatedRequest extends Request {
     user: JwtPayload;
 }

package/dist/authz/guards/jwt-auth.guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../../src/authz/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED,qBACa,eAAgB,YAAW,WAAW;IAEnC,OAAO,CAAC,QAAQ,CAAC,eAAe;IAG5C,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAG1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAPI,eAAe,EAAE,eAAe,GAAG,IAAI,EAGnD,KAAK,EAAE,WAAW,GAAG,IAAI,EACzB,SAAS,EAAE,SAAS,EAGpB,OAAO,CAAC,EAAE,UAAU,YAAA;IAGjC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAsF9D,OAAO,CAAC,sBAAsB;CAS/B"}
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../../src/authz/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAE5C,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED,qBACa,eAAgB,YAAW,WAAW;IAEnC,OAAO,CAAC,QAAQ,CAAC,eAAe;IAG5C,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAG1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAPI,eAAe,EAAE,eAAe,GAAG,IAAI,EAGnD,KAAK,EAAE,WAAW,GAAG,IAAI,EACzB,SAAS,EAAE,SAAS,EAGpB,OAAO,CAAC,EAAE,UAAU,YAAA;IAGjC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAsF9D,OAAO,CAAC,sBAAsB;CAS/B"}

package/dist/authz/guards/jwt-auth.guard.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth.guard.js","sourceRoot":"","sources":["../../../src/authz/guards/jwt-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAOwB;AACxB,uCAAyC;AAEzC,qEAA4E;AASrE,IAAM,eAAe,GAArB,MAAM,eAAe;IAC1B,YAC+B,eAAuC,EAGnD,KAAyB,EACzB,SAAoB,EAGpB,OAAoB;QAPR,oBAAe,GAAf,eAAe,CAAwB;QAGnD,UAAK,GAAL,KAAK,CAAoB;QACzB,cAAS,GAAT,SAAS,CAAW;QAGpB,YAAO,GAAP,OAAO,CAAa;IACpC,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAwB,CAAC;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAGnD,MAAM,oBAAoB,GACxB,IAAI,CAAC,OAAO,EAAE,0BAA0B,IAAI,KAAK,CAAC;QAEpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,oBAAoB,EAAE,CAAC;gBAGzB,OAAO,IAAI,CAAC;YACd,CAAC;iBAAM,CAAC;gBAEN,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QAGD,MAAM,eAAe,GACnB,IAAI,CAAC,eAAe;YACpB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,mCAAe,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACzD,MAAM,KAAK,GACT,IAAI,CAAC,KAAK;YACV,IAAI,CAAC,SAAS,CAAC,GAAG,CAAc,aAAa,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAEpE,IAAI,CAAC,eAAe,IAAI,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,IAAI,8BAAqB,CAAC,sCAAsC,CAAC,CAAC;QAC1E,CAAC;QAGD,MAAM,OAAO,GAAG,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAErD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAGD,MAAM,QAAQ,GAAQ,EAAE,GAAG,OAAO,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;gBACpD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAC5C,QAAQ,CAAC,eAAe,CACzB,CAAC;gBACF,IAAI,OAAO,EAAE,CAAC;oBACZ,QAAQ,CAAC,SAAS,GAAG,OAAO,CAAC;gBAC/B,CAAC;YACH,CAAC;YACD,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;YAEpC,QAAQ,CAAC,QAAQ;gBACf,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,IAAI,QAAQ,CAAC,GAAG,CAAC;YAC5D,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC;YAC5C,QAAQ,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC,WAAW,CAAC;YAC9D,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,SAAS,CAAC;YACxD,QAAQ,CAAC,IAAI;gBACX,QAAQ,CAAC,IAAI;oBACb,EAAE,CAAC,WAAW;oBACd,EAAE,CAAC,QAAQ;oBACX,EAAE,CAAC,KAAK;oBACR,QAAQ,CAAC,GAAG,CAAC;YAGf,IAAI,QAAQ,CAAC,KAAK,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACzD,QAAQ,CAAC,MAAM,GAAG,QAAQ,CAAC,KAAK;qBAC7B,KAAK,CAAC,GAAG,CAAC;qBACV,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACzC,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC5B,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC;YACvB,CAAC;YAGD,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3D,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC;YAC5B,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;gBAC3B,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC;YACtB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,OAAO,CAAC,IAAI,GAAG,QAAsB,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,sBAAsB,CAAC,OAAgB;QAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/C,CAAC;CACF,CAAA;AA3GY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,aAAa,CAAC,CAAA;IAGrB,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,aAAa,CAAC,CAAA;qDAFM,gBAAS;GAN5B,eAAe,CA2G3B","sourcesContent":["import {\n  Injectable,\n  CanActivate,\n  ExecutionContext,\n  UnauthorizedException,\n  Inject,\n  Optional,\n} from '@nestjs/common';\nimport { ModuleRef } from '@nestjs/core';\nimport { Request } from 'express';\nimport { JwtPayload, JwtTokenService } from '../services/jwt-token.service';\nimport { IOAuthStore } from '../stores/oauth-store.interface';\nimport { McpOptions } from '../../mcp';\n\nexport interface AuthenticatedRequest extends Request {\n  user: JwtPayload;\n}\n\n@Injectable()\nexport class McpAuthJwtGuard implements CanActivate {\n  constructor(\n    @Optional() private readonly jwtTokenService: JwtTokenService | null,\n    @Optional()\n    @Inject('IOAuthStore')\n    private readonly store: IOAuthStore | null,\n    private readonly moduleRef: ModuleRef,\n    @Optional()\n    @Inject('MCP_OPTIONS')\n    private readonly options?: McpOptions,\n  ) {}\n\n  async canActivate(context: ExecutionContext): Promise<boolean> {\n    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();\n    const token = this.extractTokenFromHeader(request);\n\n    // Check if unauthenticated access is allowed\n    const allowUnauthenticated =\n      this.options?.allowUnauthenticatedAccess ?? false;\n\n    if (!token) {\n      if (allowUnauthenticated) {\n        // Allow unauthenticated sessions\n        // Per-tool authorization will decide what's accessible (@PublicTool() tools only)\n        return true;\n      } else {\n        // Standard OAuth flow: Reject and trigger authorization\n        throw new UnauthorizedException('Access token required');\n      }\n    }\n\n    // Resolve services dynamically if not injected directly\n    const jwtTokenService =\n      this.jwtTokenService ||\n      this.moduleRef.get(JwtTokenService, { strict: false });\n    const store =\n      this.store ||\n      this.moduleRef.get<IOAuthStore>('IOAuthStore', { strict: false });\n\n    if (!jwtTokenService || !store) {\n      throw new UnauthorizedException('Authentication service not available');\n    }\n\n    // If a token is provided, it must be valid\n    const payload = jwtTokenService.validateToken(token);\n\n    if (!payload) {\n      throw new UnauthorizedException('Invalid or expired access token');\n    }\n\n    // Enrich request.user with friendly fields for tools\n    const enriched: any = { ...payload };\n    try {\n      if (!enriched.user_data && enriched.user_profile_id) {\n        const profile = await store.getUserProfileById(\n          enriched.user_profile_id,\n        );\n        if (profile) {\n          enriched.user_data = profile;\n        }\n      }\n      const ud = enriched.user_data || {};\n      // Provide convenient top-level fields commonly used by tools\n      enriched.username =\n        enriched.username || ud.username || ud.id || enriched.sub;\n      enriched.email = enriched.email || ud.email;\n      enriched.displayName = enriched.displayName || ud.displayName;\n      enriched.avatarUrl = enriched.avatarUrl || ud.avatarUrl;\n      enriched.name =\n        enriched.name ||\n        ud.displayName ||\n        ud.username ||\n        ud.email ||\n        enriched.sub;\n\n      // Parse scopes: OAuth 2.0 standard is space-delimited string in 'scope' field\n      if (enriched.scope && typeof enriched.scope === 'string') {\n        enriched.scopes = enriched.scope\n          .split(' ')\n          .filter((s: string) => s.length > 0);\n      } else if (!enriched.scopes) {\n        enriched.scopes = [];\n      }\n\n      // Extract roles from user_data if present\n      if (!enriched.roles && ud.roles && Array.isArray(ud.roles)) {\n        enriched.roles = ud.roles;\n      } else if (!enriched.roles) {\n        enriched.roles = [];\n      }\n    } catch {\n      // Non-fatal; proceed with raw payload\n    }\n\n    request.user = enriched as JwtPayload;\n    return true;\n  }\n\n  private extractTokenFromHeader(request: Request): string | undefined {\n    const authHeader = request.headers.authorization;\n    if (!authHeader) {\n      return undefined;\n    }\n\n    const [type, token] = authHeader.split(' ');\n    return type === 'Bearer' ? token : undefined;\n  }\n}\n"]}
+{"version":3,"file":"jwt-auth.guard.js","sourceRoot":"","sources":["../../../src/authz/guards/jwt-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAOwB;AACxB,uCAAyC;AAEzC,qEAA4E;AASrE,IAAM,eAAe,GAArB,MAAM,eAAe;IAC1B,YAC+B,eAAuC,EAGnD,KAAyB,EACzB,SAAoB,EAGpB,OAAoB;QAPR,oBAAe,GAAf,eAAe,CAAwB;QAGnD,UAAK,GAAL,KAAK,CAAoB;QACzB,cAAS,GAAT,SAAS,CAAW;QAGpB,YAAO,GAAP,OAAO,CAAa;IACpC,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAwB,CAAC;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAGnD,MAAM,oBAAoB,GACxB,IAAI,CAAC,OAAO,EAAE,0BAA0B,IAAI,KAAK,CAAC;QAEpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,oBAAoB,EAAE,CAAC;gBAGzB,OAAO,IAAI,CAAC;YACd,CAAC;iBAAM,CAAC;gBAEN,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QAGD,MAAM,eAAe,GACnB,IAAI,CAAC,eAAe;YACpB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,mCAAe,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACzD,MAAM,KAAK,GACT,IAAI,CAAC,KAAK;YACV,IAAI,CAAC,SAAS,CAAC,GAAG,CAAc,aAAa,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAEpE,IAAI,CAAC,eAAe,IAAI,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,IAAI,8BAAqB,CAAC,sCAAsC,CAAC,CAAC;QAC1E,CAAC;QAGD,MAAM,OAAO,GAAG,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAErD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAGD,MAAM,QAAQ,GAAQ,EAAE,GAAG,OAAO,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;gBACpD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAC5C,QAAQ,CAAC,eAAe,CACzB,CAAC;gBACF,IAAI,OAAO,EAAE,CAAC;oBACZ,QAAQ,CAAC,SAAS,GAAG,OAAO,CAAC;gBAC/B,CAAC;YACH,CAAC;YACD,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;YAEpC,QAAQ,CAAC,QAAQ;gBACf,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,IAAI,QAAQ,CAAC,GAAG,CAAC;YAC5D,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC;YAC5C,QAAQ,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC,WAAW,CAAC;YAC9D,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,SAAS,CAAC;YACxD,QAAQ,CAAC,IAAI;gBACX,QAAQ,CAAC,IAAI;oBACb,EAAE,CAAC,WAAW;oBACd,EAAE,CAAC,QAAQ;oBACX,EAAE,CAAC,KAAK;oBACR,QAAQ,CAAC,GAAG,CAAC;YAGf,IAAI,QAAQ,CAAC,KAAK,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACzD,QAAQ,CAAC,MAAM,GAAG,QAAQ,CAAC,KAAK;qBAC7B,KAAK,CAAC,GAAG,CAAC;qBACV,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACzC,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC5B,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC;YACvB,CAAC;YAGD,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3D,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC;YAC5B,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;gBAC3B,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC;YACtB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,OAAO,CAAC,IAAI,GAAG,QAAsB,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,sBAAsB,CAAC,OAAgB;QAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/C,CAAC;CACF,CAAA;AA3GY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,aAAa,CAAC,CAAA;IAGrB,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,aAAa,CAAC,CAAA;qDAFM,gBAAS;GAN5B,eAAe,CA2G3B","sourcesContent":["import {\n  Injectable,\n  CanActivate,\n  ExecutionContext,\n  UnauthorizedException,\n  Inject,\n  Optional,\n} from '@nestjs/common';\nimport { ModuleRef } from '@nestjs/core';\nimport { Request } from 'express';\nimport { JwtPayload, JwtTokenService } from '../services/jwt-token.service';\nimport type { IOAuthStore } from '../stores/oauth-store.interface';\nimport type { McpOptions } from '../../mcp';\n\nexport interface AuthenticatedRequest extends Request {\n  user: JwtPayload;\n}\n\n@Injectable()\nexport class McpAuthJwtGuard implements CanActivate {\n  constructor(\n    @Optional() private readonly jwtTokenService: JwtTokenService | null,\n    @Optional()\n    @Inject('IOAuthStore')\n    private readonly store: IOAuthStore | null,\n    private readonly moduleRef: ModuleRef,\n    @Optional()\n    @Inject('MCP_OPTIONS')\n    private readonly options?: McpOptions,\n  ) {}\n\n  async canActivate(context: ExecutionContext): Promise<boolean> {\n    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();\n    const token = this.extractTokenFromHeader(request);\n\n    // Check if unauthenticated access is allowed\n    const allowUnauthenticated =\n      this.options?.allowUnauthenticatedAccess ?? false;\n\n    if (!token) {\n      if (allowUnauthenticated) {\n        // Allow unauthenticated sessions\n        // Per-tool authorization will decide what's accessible (@PublicTool() tools only)\n        return true;\n      } else {\n        // Standard OAuth flow: Reject and trigger authorization\n        throw new UnauthorizedException('Access token required');\n      }\n    }\n\n    // Resolve services dynamically if not injected directly\n    const jwtTokenService =\n      this.jwtTokenService ||\n      this.moduleRef.get(JwtTokenService, { strict: false });\n    const store =\n      this.store ||\n      this.moduleRef.get<IOAuthStore>('IOAuthStore', { strict: false });\n\n    if (!jwtTokenService || !store) {\n      throw new UnauthorizedException('Authentication service not available');\n    }\n\n    // If a token is provided, it must be valid\n    const payload = jwtTokenService.validateToken(token);\n\n    if (!payload) {\n      throw new UnauthorizedException('Invalid or expired access token');\n    }\n\n    // Enrich request.user with friendly fields for tools\n    const enriched: any = { ...payload };\n    try {\n      if (!enriched.user_data && enriched.user_profile_id) {\n        const profile = await store.getUserProfileById(\n          enriched.user_profile_id,\n        );\n        if (profile) {\n          enriched.user_data = profile;\n        }\n      }\n      const ud = enriched.user_data || {};\n      // Provide convenient top-level fields commonly used by tools\n      enriched.username =\n        enriched.username || ud.username || ud.id || enriched.sub;\n      enriched.email = enriched.email || ud.email;\n      enriched.displayName = enriched.displayName || ud.displayName;\n      enriched.avatarUrl = enriched.avatarUrl || ud.avatarUrl;\n      enriched.name =\n        enriched.name ||\n        ud.displayName ||\n        ud.username ||\n        ud.email ||\n        enriched.sub;\n\n      // Parse scopes: OAuth 2.0 standard is space-delimited string in 'scope' field\n      if (enriched.scope && typeof enriched.scope === 'string') {\n        enriched.scopes = enriched.scope\n          .split(' ')\n          .filter((s: string) => s.length > 0);\n      } else if (!enriched.scopes) {\n        enriched.scopes = [];\n      }\n\n      // Extract roles from user_data if present\n      if (!enriched.roles && ud.roles && Array.isArray(ud.roles)) {\n        enriched.roles = ud.roles;\n      } else if (!enriched.roles) {\n        enriched.roles = [];\n      }\n    } catch {\n      // Non-fatal; proceed with raw payload\n    }\n\n    request.user = enriched as JwtPayload;\n    return true;\n  }\n\n  private extractTokenFromHeader(request: Request): string | undefined {\n    const authHeader = request.headers.authorization;\n    if (!authHeader) {\n      return undefined;\n    }\n\n    const [type, token] = authHeader.split(' ');\n    return type === 'Bearer' ? token : undefined;\n  }\n}\n"]}

package/dist/authz/interfaces/oauth-common.interface.d.ts

@@ -0,0 +1,21 @@
+export interface OAuthUserProfile {
+    id: string;
+    username: string;
+    email?: string;
+    displayName?: string;
+    avatarUrl?: string;
+    raw?: any;
+}
+export interface OAuthSession {
+    sessionId: string;
+    state: string;
+    clientId?: string;
+    redirectUri?: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: string;
+    oauthState?: string;
+    scope?: string;
+    resource?: string;
+    expiresAt: number;
+}
+//# sourceMappingURL=oauth-common.interface.d.ts.map

package/dist/authz/interfaces/oauth-common.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-common.interface.d.ts","sourceRoot":"","sources":["../../../src/authz/interfaces/oauth-common.interface.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB"}

package/dist/authz/interfaces/oauth-common.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=oauth-common.interface.js.map

package/dist/authz/interfaces/oauth-common.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-common.interface.js","sourceRoot":"","sources":["../../../src/authz/interfaces/oauth-common.interface.ts"],"names":[],"mappings":"","sourcesContent":["export interface OAuthUserProfile {\n  id: string;\n  username: string;\n  email?: string;\n  displayName?: string;\n  avatarUrl?: string;\n  raw?: any; // Original profile data\n}\n\nexport interface OAuthSession {\n  sessionId: string;\n  state: string;\n  clientId?: string;\n  redirectUri?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  oauthState?: string;\n  scope?: string;\n  resource?: string;\n  expiresAt: number;\n}\n"]}

package/dist/authz/mcp-oauth.controller.d.ts

@@ -1,10 +1,10 @@
 import { Logger } from '@nestjs/common';
-import { Request as ExpressRequest, NextFunction, Response } from 'express';
-import { OAuthEndpointConfiguration, OAuthModuleOptions, OAuthUserProfile } from './providers/oauth-provider.interface';
+import type { Request as ExpressRequest, NextFunction, Response } from 'express';
+import type { OAuthEndpointConfiguration, OAuthModuleOptions, OAuthUserProfile } from './providers/oauth-provider.interface';
 import { ClientService } from './services/client.service';
 import { JwtTokenService, TokenPair } from './services/jwt-token.service';
 import { OAuthStrategyService } from './services/oauth-strategy.service';
-import { IOAuthStore } from './stores/oauth-store.interface';
+import type { IOAuthStore } from './stores/oauth-store.interface';
 interface OAuthCallbackRequest extends ExpressRequest {
     user?: {
         profile: OAuthUserProfile;

package/dist/authz/mcp-oauth.controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-oauth.controller.d.ts","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAQL,MAAM,EAMP,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG5E,OAAO,EACL,0BAA0B,EAC1B,kBAAkB,EAElB,gBAAgB,EACjB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAE7D,UAAU,oBAAqB,SAAQ,cAAc;IACnD,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,gBAAgB,CAAC;QAC1B,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAGD,UAAU,kBAAmB,SAAQ,cAAc;IACjD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,wBAAwB,CACtC,SAAS,GAAE,0BAA+B,EAC1C,OAAO,CAAC,EAAE;IACR,yCAAyC,CAAC,EAAE,OAAO,CAAC;IACpD,2CAA2C,CAAC,EAAE,OAAO,CAAC;CACvD,EACD,YAAY,CAAC,EAAE,MAAM;kBAsCR,kBAAkB,SAEX,WAAW,mBACD,eAAe,iBACjB,aAAa,wBACN,oBAAoB;;4BAhBjC,MAAM;+BACH,OAAO;0BACZ,kBAAkB;+BACb,MAAM;wBAUX,WAAW;kCACD,eAAe;gCACjB,aAAa;uCACN,oBAAoB;+BAY9B,GAAG,QAAQ,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;4BA+CtD,kBAAkB,OAAO,QAAQ,QAAQ,YAAY;;;;;;;;;;;;;;;;;;;;;wCAoI3B,GAAG;yBAM/B,GAAG,OAEd,GAAG,OACI,QAAQ,QACN,YAAY;oCA2Ed,oBAAoB,OACpB,QAAQ,QACN,YAAY;0CA2BrB,oBAAoB,OACpB,QAAQ;4BAkFC,GAAG,OACL,kBAAkB,OACG,QAAQ,GACxC,OAAO,CAAC,SAAS,CAAC;yCA6CP,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,OAC1B,kBAAkB,GACtB,OAAO,CAAC,SAAS,CAAC;sCA4Dd,kBAAkB,QACjB,GAAG,GACR;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE;6CA+BtC,GAAG,qBACQ;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,IAAI;2CAqCC,MAAM,iBACG,MAAM,iBACN,MAAM,qBACF;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,OAAO,CAAC,SAAS,CAAC;+CA4FJ,MAAM,qBACF;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,OAAO,CAAC,SAAS,CAAC;oCA6EJ,MAAM,kBACL,MAAM,UACd,MAAM,GACb,OAAO;;EAcb"}
+{"version":3,"file":"mcp-oauth.controller.d.ts","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAQL,MAAM,EAMP,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EACV,OAAO,IAAI,cAAc,EACzB,YAAY,EACZ,QAAQ,EACT,MAAM,SAAS,CAAC;AAGjB,OAAO,KAAK,EACV,0BAA0B,EAC1B,kBAAkB,EAElB,gBAAgB,EACjB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAElE,UAAU,oBAAqB,SAAQ,cAAc;IACnD,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,gBAAgB,CAAC;QAC1B,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAGD,UAAU,kBAAmB,SAAQ,cAAc;IACjD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,wBAAwB,CACtC,SAAS,GAAE,0BAA+B,EAC1C,OAAO,CAAC,EAAE;IACR,yCAAyC,CAAC,EAAE,OAAO,CAAC;IACpD,2CAA2C,CAAC,EAAE,OAAO,CAAC;CACvD,EACD,YAAY,CAAC,EAAE,MAAM;kBAsCR,kBAAkB,SAEX,WAAW,mBACD,eAAe,iBACjB,aAAa,wBACN,oBAAoB;;4BAhBjC,MAAM;+BACH,OAAO;0BACZ,kBAAkB;+BACb,MAAM;wBAUX,WAAW;kCACD,eAAe;gCACjB,aAAa;uCACN,oBAAoB;+BAY9B,GAAG,QAAQ,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;4BA+CtD,kBAAkB,OAAO,QAAQ,QAAQ,YAAY;;;;;;;;;;;;;;;;;;;;;wCAoI3B,GAAG;yBAM/B,GAAG,OAEd,GAAG,OACI,QAAQ,QACN,YAAY;oCA2Ed,oBAAoB,OACpB,QAAQ,QACN,YAAY;0CA2BrB,oBAAoB,OACpB,QAAQ;4BAkFC,GAAG,OACL,kBAAkB,OACG,QAAQ,GACxC,OAAO,CAAC,SAAS,CAAC;yCA6CP,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,OAC1B,kBAAkB,GACtB,OAAO,CAAC,SAAS,CAAC;sCA4Dd,kBAAkB,QACjB,GAAG,GACR;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE;6CA+BtC,GAAG,qBACQ;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,IAAI;2CAqCC,MAAM,iBACG,MAAM,iBACN,MAAM,qBACF;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,OAAO,CAAC,SAAS,CAAC;+CA4FJ,MAAM,qBACF;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,OAAO,CAAC,SAAS,CAAC;oCA6EJ,MAAM,kBACL,MAAM,UACd,MAAM,GACb,OAAO;;EAcb"}

package/dist/authz/mcp-oauth.controller.js.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-oauth.controller.js","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AA4CA,4DA2yBC;AAv1BD,2CAcwB;AACxB,mCAAiD;AAEjD,wDAAgC;AAChC,wEAAoE;AAOpE,8DAA0D;AAC1D,oEAA0E;AAC1E,8EAAyE;AAiBzE,SAAgB,wBAAwB,CACtC,YAAwC,EAAE,EAC1C,OAGC,EACD,YAAqB;;IAGrB,MAAM,WAAW,GAAG,CAClB,IAAmC,EACnC,OAAgB,EACC,EAAE;QACnB,OAAO,OAAO,IAAI,IAAI;YACpB,CAAC,CAAE,YAA+C,CAAC,IAAI,CAAC;YACxD,CAAC,CAAE,CAAC,GAAG,EAAE,GAAE,CAAC,CAAgC,CAAC;IACjD,CAAC,CAAC;IACF,MAAM,cAAc,GAAG,CACrB,IAAY,EACZ,KAAa,EACb,OAAgB,EACC,EAAE;QACnB,OAAO,OAAO;YACZ,CAAC,CAAE,eAA+D,CAC9D,IAAI,EACJ,KAAK,CACN;YACH,CAAC,CAAE,CAAC,GAAG,EAAE,GAAE,CAAC,CAAgC,CAAC;IACjD,CAAC,CAAC;IAEF,IACM,kBAAkB,0BADxB,MACM,kBAAkB;QAOtB,YAME,OAA2B,EAE3B,KAA2B,EAClB,eAAgC,EAChC,aAA4B,EAC5B,oBAA0C;YAH1C,UAAK,GAAL,KAAK,CAAa;YAClB,oBAAe,GAAf,eAAe,CAAiB;YAChC,kBAAa,GAAb,aAAa,CAAe;YAC5B,yBAAoB,GAApB,oBAAoB,CAAsB;YAjB5C,WAAM,GAAG,IAAI,eAAM,CAAC,oBAAkB,CAAC,IAAI,CAAC,CAAC;YAmBpD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YACnC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;YACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,oBAAoB,CAAC,eAAe,EAAE,CAAC;QAC7D,CAAC;QAMD,gBAAgB,CAAC,IAAS,EAAE,GAAwB;YAElD,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM,UAAU,GAAwB,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAC1B,CAAC;gBACD,OAAO,UAAU,CAAC;YACpB,CAAC;YAGD,IAAI,GAAG,EAAE,QAAQ,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACjD,MAAM,UAAU,GAAwB,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAC1B,CAAC;gBACD,OAAO,UAAU,CAAC;YACpB,CAAC;YAGD,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;oBAC/C,MAAM,UAAU,GAAwB,EAAE,CAAC;oBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBAC1B,CAAC;oBACD,OAAO,UAAU,CAAC;gBACpB,CAAC;YACH,CAAC;YAGD,OAAO,EAAE,CAAC;QACZ,CAAC;QAMD,cAAc,CAAC,GAAuB,EAAE,GAAa,EAAE,IAAkB;YACvE,IACE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,QAAQ,CACnC,mCAAmC,CACpC,EACD,CAAC;gBACD,IAAI,OAAO,GAAG,EAAE,CAAC;gBAEjB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBAC/B,OAAO,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACrC,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,GAAG,CAAC,QAAQ,GAAG,OAAO,CAAC;oBAEvB,IAAI,OAAO,EAAE,CAAC;wBACZ,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;wBAC5C,MAAM,UAAU,GAAQ,EAAE,CAAC;wBAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;4BAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;wBAC1B,CAAC;wBACA,GAAW,CAAC,IAAI,GAAG,UAAU,CAAC;oBACjC,CAAC;oBACD,IAAI,EAAE,CAAC;gBACT,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;oBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;oBACtD,IAAI,CAAC,GAAG,CAAC,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,IAAI,EAAE,CAAC;YACT,CAAC;QACH,CAAC;QAWD,4BAA4B;YAE1B,MAAM,yBAAyB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;YAGzD,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YAEjD,MAAM,QAAQ,GAAG;gBAKf,qBAAqB,EAAE,CAAC,yBAAyB,CAAC;gBAMlD,QAAQ,EAAE,kBAAkB;gBAM5B,gBAAgB,EACd,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,eAAe;gBAMxD,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,sBAAsB;gBAM/D,sBAAsB,EACpB,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,oBAAoB;aAC9D,CAAC;YAEF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAYD,8BAA8B;YAC5B,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,SAAS;gBACtB,sBAAsB,EAAE,IAAA,sCAAiB,EACvC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,SAAS,EAAE,CAC3C;gBACD,cAAc,EAAE,IAAA,sCAAiB,EAC/B,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,KAAK,EAAE,CACvC;gBACD,qBAAqB,EAAE,IAAA,sCAAiB,EACtC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ,EAAE,CAC1C;gBACD,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,sBAAsB;gBACjE,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,sBAAsB;gBACjE,qBAAqB,EACnB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,mBAAmB;gBAC9D,qCAAqC,EACnC,IAAI,CAAC,OAAO,CAAC,2BAA2B;qBACrC,iCAAiC;gBACtC,gBAAgB,EACd,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,eAAe;gBAC1D,mBAAmB,EAAE,IAAA,sCAAiB,EACpC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE,MAAM,EAAE,CACzC;gBACD,gCAAgC,EAC9B,IAAI,CAAC,OAAO,CAAC,2BAA2B;qBACrC,6BAA6B;aACnC,CAAC;QACJ,CAAC;QAGK,AAAN,KAAK,CAAC,cAAc,CAAS,eAAoB;YAC/C,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QAClE,CAAC;QAGK,AAAN,KAAK,CAAC,SAAS,CACJ,KAAU,EAEnB,GAAQ,EACD,GAAa,EACZ,IAAkB;YAE1B,MAAM,EACJ,aAAa,EACb,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,KAAK,EACL,KAAK,GACN,GAAG,KAAK,CAAC;YACV,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YACvC,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,IAAI,4BAAmB,CAAC,sCAAsC,CAAC,CAAC;YACxE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4BAAmB,CAAC,6BAA6B,CAAC,CAAC;YAC/D,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4BAAmB,CAAC,mBAAmB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAChE,SAAS,EACT,YAAY,CACb,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,4BAAmB,CAAC,sBAAsB,CAAC,CAAC;YACxD,CAAC;YAGD,MAAM,SAAS,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,YAAY,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAE3D,MAAM,YAAY,GAAiB;gBACjC,SAAS;gBACT,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,YAAY;gBACzB,aAAa,EAAE,cAAc;gBAC7B,mBAAmB,EAAE,qBAAqB,IAAI,OAAO;gBACrD,UAAU,EAAE,KAAK;gBACjB,KAAK,EAAE,KAAK;gBACZ,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3D,CAAC;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;YAG5D,GAAG,CAAC,MAAM,CAAC,eAAe,EAAE,SAAS,EAAE;gBACrC,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3C,CAAC,CAAC;YAGH,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,YAAY,EAAE;gBACtC,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3C,CAAC,CAAC;YAGH,kBAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE;gBACvC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,WAAW;aAChC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACrB,CAAC;QAGD,sBAAsB,CACb,GAAyB,EACzB,GAAa,EACZ,IAAkB;YAG1B,kBAAQ,CAAC,YAAY,CACnB,IAAI,CAAC,YAAY,EACjB,EAAE,OAAO,EAAE,KAAK,EAAE,EAClB,KAAK,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;gBAC5B,IAAI,CAAC;oBACH,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;wBAChD,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;oBACzD,CAAC;oBAED,IAAI,CAAC,IAAI,EAAE,CAAC;wBACV,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;oBACzD,CAAC;oBAED,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;oBAChB,MAAM,IAAI,CAAC,4BAA4B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACpD,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,CAAC,KAAK,CAAC,CAAC;gBACd,CAAC;YACH,CAAC,CACF,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,KAAK,CAAC,4BAA4B,CAChC,GAAyB,EACzB,GAAa;YAEb,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YACtB,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;YACzD,CAAC;YAED,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;YAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;YACzD,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;YACpE,CAAC;YAGD,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC;YACjD,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;gBACtC,MAAM,IAAI,4BAAmB,CAAC,yBAAyB,CAAC,CAAC;YAC3D,CAAC;YAGD,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAChD,IAAI,CAAC,OAAO,CAAC,QAAQ,EACrB,IAAI,CAAC,OAAO,CACb,CAAC;YAGF,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,EAAE;gBAC5B,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;aAClC,CAAC,CAAC;YAGH,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;YACjC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;YAG/B,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,QAAQ,CACd,CAAC;YAGF,MAAM,QAAQ,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAGvD,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;gBAC7B,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ;gBAC9B,SAAS,EAAE,OAAO,CAAC,QAAS;gBAC5B,YAAY,EAAE,OAAO,CAAC,WAAY;gBAClC,cAAc,EAAE,OAAO,CAAC,aAAc;gBACtC,qBAAqB,EAAE,OAAO,CAAC,mBAAoB;gBACnD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB;gBACvD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,eAAe;aAChB,CAAC,CAAC;YAGH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAY,CAAC,CAAC;YAClD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC/C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;YAC5D,CAAC;YAGD,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAE/C,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QACvC,CAAC;QAOK,AAAN,KAAK,CAAC,aAAa,CACT,IAAS,EACV,GAAuB,EACF,GAAa;YAGzC,MAAM,gBAAgB,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,QAAQ,CAC5D,mCAAmC,CACpC,CAAC;YACF,MAAM,WAAW,GACf,CAAC,IAAI;gBACL,CAAC,OAAO,IAAI,KAAK,QAAQ;oBACvB,MAAM,CAAC,IAAI,CAAC,IAA+B,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC;YAE/D,IAAI,gBAAgB,IAAI,WAAW,EAAE,CAAC;gBACpC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBACrC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAS,EAAE,EAAE;wBAC1C,IAAI,GAAG,EAAE,CAAC;4BACR,MAAM,CACJ,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAC/D,CAAC;4BACF,OAAO;wBACT,CAAC;wBAGD,KAAK,CAAC,KAAK,IAAI,EAAE;4BACf,IAAI,CAAC;gCAEH,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,GAAG,CAAC,CAAC;gCAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;gCAChE,OAAO,CAAC,MAAM,CAAC,CAAC;4BAClB,CAAC;4BAAC,OAAO,KAAK,EAAE,CAAC;gCACf,MAAM,CACJ,KAAK,YAAY,KAAK;oCACpB,CAAC,CAAC,KAAK;oCACP,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,OAAO,CAAC,CAAC,CACxC,CAAC;4BACJ,CAAC;wBACH,CAAC,CAAC,EAAE,CAAC;oBACP,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;YACL,CAAC;YAGD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACpD,OAAO,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QAED,KAAK,CAAC,oBAAoB,CACxB,UAA+B,EAC/B,GAAuB;YAEvB,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,YAAY,EAAE,aAAa,EAAE,GACpE,UAAU,CAAC;YAGb,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE;oBACvD,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;oBACvC,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;oBACxC,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU;iBACX,CAAC,CAAC;gBACH,MAAM,IAAI,4BAAmB,CAAC,8BAA8B,CAAC,CAAC;YAChE,CAAC;YAED,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,oBAAoB,CAAC,CAAC,CAAC;oBAE1B,MAAM,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CACrD,GAAG,EACH,UAAU,CACX,CAAC;oBACF,OAAO,MAAM,IAAI,CAAC,4BAA4B,CAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,EACpD,OAAO,aAAa,KAAK,QAAQ;wBAC/B,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,EAC/B,OAAO,YAAY,KAAK,QAAQ;wBAC9B,CAAC,CAAC,YAAY;wBACd,CAAC,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAC9B,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD,KAAK,eAAe,CAAC,CAAC,CAAC;oBAErB,IAAI,iBAAgE,CAAC;oBACrE,IAAI,CAAC;wBACH,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;oBACrE,CAAC;oBAAC,MAAM,CAAC;wBAEP,iBAAiB,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;oBACxC,CAAC;oBACD,OAAO,MAAM,IAAI,CAAC,uBAAuB,CACvC,OAAO,aAAa,KAAK,QAAQ;wBAC/B,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,EAC/B,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD;oBACE,MAAM,IAAI,4BAAmB,CAC3B,2BAA2B,UAAU,EAAE,CACxC,CAAC;YACN,CAAC;QACH,CAAC;QAKD,wBAAwB,CACtB,GAAuB,EACvB,IAAS;YAGT,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAGpD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;YAC9C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACrE,OAAO,CACR,CAAC;gBACF,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBAC7D,IAAI,SAAS,EAAE,CAAC;oBACd,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;gBACtC,CAAC;YACH,CAAC;YAGD,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;gBACzB,OAAO;oBACL,SAAS,EAAE,UAAU,CAAC,SAAS;oBAC/B,aAAa,EAAE,UAAU,CAAC,aAAa;iBACxC,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;QAC9D,CAAC;QAKD,4BAA4B,CAC1B,MAAW,EACX,iBAAgE;YAEhE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4BAAmB,CAAC,mBAAmB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,EAAE,0BAA0B,EAAE,GAAG,MAAM,CAAC;YAE9C,QAAQ,0BAA0B,EAAE,CAAC;gBACnC,KAAK,qBAAqB,CAAC;gBAC3B,KAAK,oBAAoB;oBACvB,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBACrC,MAAM,IAAI,4BAAmB,CAC3B,uDAAuD,CACxD,CAAC;oBACJ,CAAC;oBACD,IAAI,MAAM,CAAC,aAAa,KAAK,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBAC7D,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;oBAC9D,CAAC;oBACD,MAAM;gBAER,KAAK,MAAM;oBAET,IAAI,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBACpC,MAAM,IAAI,4BAAmB,CAC3B,8CAA8C,CAC/C,CAAC;oBACJ,CAAC;oBACD,MAAM;gBAER;oBACE,MAAM,IAAI,4BAAmB,CAC3B,sCAAsC,0BAA0B,EAAE,CACnE,CAAC;YACN,CAAC;QACH,CAAC;QAED,KAAK,CAAC,4BAA4B,CAChC,IAAY,EACZ,aAAqB,EACrB,aAAqB,EACrB,iBAAgE;YAEhE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;gBAC1D,IAAI;gBACJ,SAAS,EAAE,iBAAiB,CAAC,SAAS;aACvC,CAAC,CAAC;YAGH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4DAA4D,EAC5D,IAAI,CACL,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrC,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4DAA4D,EAC5D,IAAI,CACL,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,gCAAgC,CAAC,CAAC;YAClE,CAAC;YACD,IAAI,QAAQ,CAAC,SAAS,KAAK,iBAAiB,CAAC,SAAS,EAAE,CAAC;gBACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oDAAoD,EACpD,EAAE,QAAQ,EAAE,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE,iBAAiB,CAAC,SAAS,EAAE,CACnE,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,oBAAoB,CAAC,CAAC;YACtD,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAC/C,iBAAiB,CAAC,SAAS,CAC5B,CAAC;YACF,IAAI,CAAC,4BAA4B,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;YAC7D,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAC/B,aAAa,EACb,QAAQ,CAAC,cAAc,EACvB,QAAQ,CAAC,qBAAqB,CAC/B,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,0DAA0D,CAC3D,CAAC;oBACF,MAAM,IAAI,4BAAmB,CAAC,2BAA2B,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,iEAAiE,CAClE,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAC3B,sDAAsD,CACvD,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,GAAwC,SAAS,CAAC;YAC9D,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CACjD,QAAQ,CAAC,eAAe,CACzB,CAAC;oBACF,IAAI,OAAO,EAAE,CAAC;wBAEZ,QAAQ,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;oBAC5B,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CACnD,QAAQ,CAAC,OAAO,EAChB,iBAAiB,CAAC,SAAS,EAC3B,QAAQ,CAAC,KAAK,EACd,QAAQ,CAAC,QAAQ,EACjB;gBACE,eAAe,EAAE,QAAQ,CAAC,eAAe;gBACzC,SAAS,EAAE,QAAQ;aACpB,CACF,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,+DAA+D,EAC/D,QAAQ,CAAC,OAAO,CACjB,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,KAAK,CAAC,uBAAuB,CAC3B,aAAqB,EACrB,iBAAgE;YAGhE,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;YAClE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3C,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;YACpE,CAAC;YAGD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC;YAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,4BAAmB,CAAC,+BAA+B,CAAC,CAAC;YACjE,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAI5D,IAAI,MAAM,EAAE,0BAA0B,KAAK,MAAM,EAAE,CAAC;gBAClD,IAAI,CAAC,4BAA4B,CAAC,MAAM,EAAE;oBACxC,GAAG,iBAAiB;oBACpB,SAAS,EAAE,QAAQ;iBACpB,CAAC,CAAC;YACL,CAAC;YAGD,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,IAAI,4BAAmB,CAC3B,+DAA+D,CAChE,CAAC;YACJ,CAAC;YAED,IAAI,SAAS,GAAqB,IAAI,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;gBAClE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC3C,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;gBACpE,CAAC;gBAED,IAAI,QAAQ,GAAwC,SAAS,CAAC;gBAC9D,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;oBAC5B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CACjD,OAAO,CAAC,eAAe,CACxB,CAAC;wBACF,IAAI,OAAO;4BAAE,QAAQ,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;oBACzC,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,yDAAyD,EACzD,CAAC,CACF,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAChD,OAAO,CAAC,GAAG,EACX,QAAQ,EACR,OAAO,CAAC,KAAK,EACb,OAAO,CAAC,QAAQ,EAChB;oBACE,eAAe,EAAE,OAAO,CAAC,eAAe;oBACxC,SAAS,EAAE,QAAQ;iBACpB,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,mDAAmD,EACnD,CAAC,CACF,CAAC;gBACF,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,CAAC,SAAS;gBAAE,MAAM,IAAI,4BAAmB,CAAC,yBAAyB,CAAC,CAAC;YACzE,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,YAAY,CACV,aAAqB,EACrB,cAAsB,EACtB,MAAc;YAEd,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,aAAa,KAAK,cAAc,CAAC;YAC1C,CAAC;iBAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC;qBAC9B,MAAM,CAAC,aAAa,CAAC;qBACrB,MAAM,CAAC,WAAW,CAAC,CAAC;gBACvB,OAAO,IAAI,KAAK,cAAc,CAAC;YACjC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAA;IAhpBC;QATC,WAAW,CACV,SAAS,CAAC,kCAAkC,EAC5C,CAAC,OAAO,EAAE,yCAAyC,CACpD;QACA,cAAc,CACb,cAAc,EACd,kBAAkB,EAClB,CAAC,OAAO,EAAE,yCAAyC,CACpD;;;;0EA4CA;IAYD;QATC,WAAW,CACV,SAAS,CAAC,oCAAoC,EAC9C,CAAC,OAAO,EAAE,2CAA2C,CACtD;QACA,cAAc,CACb,cAAc,EACd,kBAAkB,EAClB,CAAC,OAAO,EAAE,2CAA2C,CACtD;;;;4EA+BA;IAGK;QADL,IAAA,aAAI,EAAC,SAAS,CAAC,QAAQ,CAAC;QACH,WAAA,IAAA,aAAI,GAAE,CAAA;;;;4DAE3B;IAGK;QADL,IAAA,YAAG,EAAC,SAAS,CAAC,SAAS,CAAC;QAEtB,WAAA,IAAA,cAAK,GAAE,CAAA;QACP,WAAA,IAAA,YAAG,GAAE,CAAA;QAEL,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,aAAI,GAAE,CAAA;;;;uDAuER;IAGD;QADC,IAAA,YAAG,EAAC,SAAS,CAAC,QAAQ,CAAC;QAErB,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,aAAI,GAAE,CAAA;;;;oEAwBR;IAqFK;QALL,IAAA,aAAI,EAAC,SAAS,CAAC,KAAK,CAAC;QACrB,IAAA,eAAM,EAAC,cAAc,EAAE,kBAAkB,CAAC;QAC1C,IAAA,eAAM,EAAC,eAAe,EAAE,UAAU,CAAC;QACnC,IAAA,eAAM,EAAC,QAAQ,EAAE,UAAU,CAAC;QAC5B,IAAA,iBAAQ,EAAC,GAAG,CAAC;QAEX,WAAA,IAAA,aAAI,GAAE,CAAA;QACN,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,YAAG,EAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAA;;;;2DA2C5B;IAncG,kBAAkB;QADvB,IAAA,mBAAU,GAAE;QASR,WAAA,IAAA,eAAM,EACL,YAAY;YACV,CAAC,CAAC,wBAAwB,YAAY,EAAE;YACxC,CAAC,CAAC,sBAAsB,CAC3B,CAAA;QAEA,WAAA,IAAA,eAAM,EAAC,YAAY,CAAC,CAAC,CAAC,eAAe,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;yDAE3C,mCAAe;YACjB,8BAAa;YACN,6CAAoB;OAlBjD,kBAAkB,CAywBvB;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC","sourcesContent":["import {\n  BadRequestException,\n  Body,\n  Controller,\n  Get,\n  Header,\n  HttpCode,\n  Inject,\n  Logger,\n  Next,\n  Post,\n  Query,\n  Req,\n  Res,\n} from '@nestjs/common';\nimport { createHash, randomBytes } from 'crypto';\nimport { Request as ExpressRequest, NextFunction, Response } from 'express';\nimport passport from 'passport';\nimport { normalizeEndpoint } from '../mcp/utils/normalize-endpoint';\nimport {\n  OAuthEndpointConfiguration,\n  OAuthModuleOptions,\n  OAuthSession,\n  OAuthUserProfile,\n} from './providers/oauth-provider.interface';\nimport { ClientService } from './services/client.service';\nimport { JwtTokenService, TokenPair } from './services/jwt-token.service';\nimport { OAuthStrategyService } from './services/oauth-strategy.service';\nimport { IOAuthStore } from './stores/oauth-store.interface';\n\ninterface OAuthCallbackRequest extends ExpressRequest {\n  user?: {\n    profile: OAuthUserProfile;\n    accessToken: string;\n    provider: string;\n  };\n}\n\n// Add this interface to properly type the Express request with raw body\ninterface RequestWithRawBody extends ExpressRequest {\n  rawBody?: Buffer;\n  textBody?: string;\n}\n\nexport function createMcpOAuthController(\n  endpoints: OAuthEndpointConfiguration = {},\n  options?: {\n    disableWellKnownProtectedResourceMetadata?: boolean;\n    disableWellKnownAuthorizationServerMetadata?: boolean;\n  },\n  authModuleId?: string,\n) {\n  // Optional decorator helpers\n  const OptionalGet = (\n    path: string | string[] | undefined,\n    enabled: boolean,\n  ): MethodDecorator => {\n    return enabled && path\n      ? (Get as unknown as (p?: any) => MethodDecorator)(path)\n      : ((() => {}) as unknown as MethodDecorator);\n  };\n  const OptionalHeader = (\n    name: string,\n    value: string,\n    enabled: boolean,\n  ): MethodDecorator => {\n    return enabled\n      ? (Header as unknown as (n: string, v: string) => MethodDecorator)(\n          name,\n          value,\n        )\n      : ((() => {}) as unknown as MethodDecorator);\n  };\n\n  @Controller()\n  class McpOAuthController {\n    readonly logger = new Logger(McpOAuthController.name);\n    readonly serverUrl: string;\n    readonly isProduction: boolean;\n    readonly options: OAuthModuleOptions;\n    readonly strategyName: string;\n\n    constructor(\n      @Inject(\n        authModuleId\n          ? `OAUTH_MODULE_OPTIONS_${authModuleId}`\n          : 'OAUTH_MODULE_OPTIONS',\n      )\n      options: OAuthModuleOptions,\n      @Inject(authModuleId ? `IOAuthStore_${authModuleId}` : 'IOAuthStore')\n      readonly store: IOAuthStore,\n      readonly jwtTokenService: JwtTokenService,\n      readonly clientService: ClientService,\n      readonly oauthStrategyService: OAuthStrategyService,\n    ) {\n      this.serverUrl = options.serverUrl;\n      this.isProduction = options.cookieSecure;\n      this.options = options;\n      this.strategyName = oauthStrategyService.getStrategyName();\n    }\n\n    /**\n     * Utility function to parse form-encoded or JSON bodies\n     * Handles both string (raw form data) and object bodies\n     */\n    parseRequestBody(body: any, req?: RequestWithRawBody): Record<string, any> {\n      // If body is already a parsed object with properties, return it\n      if (body && typeof body === 'object' && Object.keys(body).length > 0) {\n        return body;\n      }\n\n      // If body is a string (raw form data), parse it\n      if (typeof body === 'string' && body.length > 0) {\n        const params = new URLSearchParams(body);\n        const parsedBody: Record<string, any> = {};\n        for (const [key, value] of params.entries()) {\n          parsedBody[key] = value;\n        }\n        return parsedBody;\n      }\n\n      // Check if we have a text body stored on the request (from our middleware)\n      if (req?.textBody) {\n        const params = new URLSearchParams(req.textBody);\n        const parsedBody: Record<string, any> = {};\n        for (const [key, value] of params.entries()) {\n          parsedBody[key] = value;\n        }\n        return parsedBody;\n      }\n\n      // Check if we have a raw body buffer stored on the request\n      if (req?.rawBody) {\n        const bodyString = req.rawBody.toString('utf-8');\n        if (bodyString) {\n          const params = new URLSearchParams(bodyString);\n          const parsedBody: Record<string, any> = {};\n          for (const [key, value] of params.entries()) {\n            parsedBody[key] = value;\n          }\n          return parsedBody;\n        }\n      }\n\n      // Return empty object if no valid body\n      return {};\n    }\n\n    /**\n     * Middleware to capture raw body for form-encoded requests\n     * This is needed when bodyParser is disabled in the main app\n     */\n    captureRawBody(req: RequestWithRawBody, res: Response, next: NextFunction) {\n      if (\n        req.headers['content-type']?.includes(\n          'application/x-www-form-urlencoded',\n        )\n      ) {\n        let rawBody = '';\n\n        req.on('data', (chunk: Buffer) => {\n          rawBody += chunk.toString('utf-8');\n        });\n\n        req.on('end', () => {\n          req.textBody = rawBody;\n          // Also parse and set it as body for NestJS\n          if (rawBody) {\n            const params = new URLSearchParams(rawBody);\n            const parsedBody: any = {};\n            for (const [key, value] of params.entries()) {\n              parsedBody[key] = value;\n            }\n            (req as any).body = parsedBody;\n          }\n          next();\n        });\n\n        req.on('error', (err) => {\n          this.logger.error('Error reading request body:', err);\n          next(err);\n        });\n      } else {\n        next();\n      }\n    }\n\n    @OptionalGet(\n      endpoints.wellKnownProtectedResourceMetadata,\n      !options?.disableWellKnownProtectedResourceMetadata,\n    )\n    @OptionalHeader(\n      'content-type',\n      'application/json',\n      !options?.disableWellKnownProtectedResourceMetadata,\n    )\n    getProtectedResourceMetadata() {\n      // The issuer URL of your authorization server.\n      const authorizationServerIssuer = this.options.jwtIssuer;\n\n      // The canonical URI of the MCP server resource itself.\n      const resourceIdentifier = this.options.resource;\n\n      const metadata = {\n        /**\n         * REQUIRED by MCP Spec.\n         * A list of authorization server issuer URLs that can issue tokens for this resource.\n         */\n        authorization_servers: [authorizationServerIssuer],\n\n        /**\n         * RECOMMENDED by RFC 9728.\n         * The identifier for this resource server.\n         */\n        resource: resourceIdentifier,\n\n        /**\n         * RECOMMENDED by RFC 9728.\n         * A list of scopes that this resource server understands.\n         */\n        scopes_supported:\n          this.options.protectedResourceMetadata.scopesSupported,\n\n        /**\n         * RECOMMENDED by RFC 9728.\n         * A list of methods clients can use to present the access token.\n         */\n        bearer_methods_supported:\n          this.options.protectedResourceMetadata.bearerMethodsSupported,\n\n        /**\n         * OPTIONAL but helpful custom metadata.\n         * Declares which version of the MCP spec this server supports.\n         */\n        mcp_versions_supported:\n          this.options.protectedResourceMetadata.mcpVersionsSupported,\n      };\n\n      return metadata;\n    }\n\n    // OAuth endpoints\n    @OptionalGet(\n      endpoints.wellKnownAuthorizationServerMetadata,\n      !options?.disableWellKnownAuthorizationServerMetadata,\n    )\n    @OptionalHeader(\n      'content-type',\n      'application/json',\n      !options?.disableWellKnownAuthorizationServerMetadata,\n    )\n    getAuthorizationServerMetadata() {\n      return {\n        issuer: this.serverUrl,\n        authorization_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints.authorize}`,\n        ),\n        token_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints.token}`,\n        ),\n        registration_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints.register}`,\n        ),\n        response_types_supported:\n          this.options.authorizationServerMetadata.responseTypesSupported,\n        response_modes_supported:\n          this.options.authorizationServerMetadata.responseModesSupported,\n        grant_types_supported:\n          this.options.authorizationServerMetadata.grantTypesSupported,\n        token_endpoint_auth_methods_supported:\n          this.options.authorizationServerMetadata\n            .tokenEndpointAuthMethodsSupported,\n        scopes_supported:\n          this.options.authorizationServerMetadata.scopesSupported,\n        revocation_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints?.revoke}`,\n        ),\n        code_challenge_methods_supported:\n          this.options.authorizationServerMetadata\n            .codeChallengeMethodsSupported,\n      };\n    }\n\n    @Post(endpoints.register)\n    async registerClient(@Body() registrationDto: any) {\n      return await this.clientService.registerClient(registrationDto);\n    }\n\n    @Get(endpoints.authorize)\n    async authorize(\n      @Query() query: any,\n      @Req()\n      req: any,\n      @Res() res: Response,\n      @Next() next: NextFunction,\n    ) {\n      const {\n        response_type,\n        client_id,\n        redirect_uri,\n        code_challenge,\n        code_challenge_method,\n        state,\n        scope,\n      } = query;\n      const resource = this.options.resource;\n      if (response_type !== 'code') {\n        throw new BadRequestException('Only response_type=code is supported');\n      }\n\n      if (!client_id) {\n        throw new BadRequestException('Missing required parameters');\n      }\n\n      // Validate client and redirect URI\n      const client = await this.clientService.getClient(client_id);\n      if (!client) {\n        throw new BadRequestException('Invalid client_id');\n      }\n\n      const validRedirect = await this.clientService.validateRedirectUri(\n        client_id,\n        redirect_uri,\n      );\n      if (!validRedirect) {\n        throw new BadRequestException('Invalid redirect_uri');\n      }\n\n      // Create OAuth session\n      const sessionId = randomBytes(32).toString('base64url');\n      const sessionState = randomBytes(32).toString('base64url');\n\n      const oauthSession: OAuthSession = {\n        sessionId,\n        state: sessionState,\n        clientId: client_id,\n        redirectUri: redirect_uri,\n        codeChallenge: code_challenge,\n        codeChallengeMethod: code_challenge_method || 'plain',\n        oauthState: state,\n        scope: scope,\n        resource,\n        expiresAt: Date.now() + this.options.oauthSessionExpiresIn,\n      };\n\n      await this.store.storeOAuthSession(sessionId, oauthSession);\n\n      // Set session cookie\n      res.cookie('oauth_session', sessionId, {\n        httpOnly: true,\n        secure: this.isProduction,\n        maxAge: this.options.oauthSessionExpiresIn,\n      });\n\n      // Store state for passport\n      res.cookie('oauth_state', sessionState, {\n        httpOnly: true,\n        secure: this.isProduction,\n        maxAge: this.options.oauthSessionExpiresIn,\n      });\n\n      // Redirect to the provider's auth endpoint\n      passport.authenticate(this.strategyName, {\n        state: req.cookies?.oauth_state,\n      })(req, res, next);\n    }\n\n    @Get(endpoints.callback)\n    handleProviderCallback(\n      @Req() req: OAuthCallbackRequest,\n      @Res() res: Response,\n      @Next() next: NextFunction,\n    ) {\n      // Use a custom callback to handle the authentication result\n      passport.authenticate(\n        this.strategyName,\n        { session: false },\n        async (err: any, user: any) => {\n          try {\n            if (err) {\n              this.logger.error('OAuth callback error:', err);\n              throw new BadRequestException('Authentication failed');\n            }\n\n            if (!user) {\n              throw new BadRequestException('Authentication failed');\n            }\n\n            req.user = user;\n            await this.processAuthenticationSuccess(req, res);\n          } catch (error) {\n            next(error);\n          }\n        },\n      )(req, res, next);\n    }\n\n    async processAuthenticationSuccess(\n      req: OAuthCallbackRequest,\n      res: Response,\n    ) {\n      const user = req.user;\n      if (!user) {\n        throw new BadRequestException('Authentication failed');\n      }\n\n      const sessionId = req.cookies?.oauth_session;\n      if (!sessionId) {\n        throw new BadRequestException('Missing OAuth session');\n      }\n\n      const session = await this.store.getOAuthSession(sessionId);\n      if (!session) {\n        throw new BadRequestException('Invalid or expired OAuth session');\n      }\n\n      // Verify state\n      const stateFromCookie = req.cookies?.oauth_state;\n      if (session.state !== stateFromCookie) {\n        throw new BadRequestException('Invalid state parameter');\n      }\n\n      // Generate JWT for UI access\n      const jwt = this.jwtTokenService.generateUserToken(\n        user.profile.username,\n        user.profile,\n      );\n\n      // Set JWT token as cookie for UI endpoints\n      res.cookie('auth_token', jwt, {\n        httpOnly: true,\n        secure: this.isProduction,\n        maxAge: this.options.cookieMaxAge,\n      });\n\n      // Clear temporary cookies\n      res.clearCookie('oauth_session');\n      res.clearCookie('oauth_state');\n\n      // Persist user profile and get stable profile_id\n      const user_profile_id = await this.store.upsertUserProfile(\n        user.profile,\n        user.provider,\n      );\n\n      // Generate authorization code\n      const authCode = randomBytes(32).toString('base64url');\n\n      // Store the auth code\n      await this.store.storeAuthCode({\n        code: authCode,\n        user_id: user.profile.username,\n        client_id: session.clientId!,\n        redirect_uri: session.redirectUri!,\n        code_challenge: session.codeChallenge!,\n        code_challenge_method: session.codeChallengeMethod!,\n        expires_at: Date.now() + this.options.authCodeExpiresIn,\n        resource: session.resource,\n        scope: session.scope,\n        user_profile_id,\n      });\n\n      // Build redirect URL with authorization code\n      const redirectUrl = new URL(session.redirectUri!);\n      redirectUrl.searchParams.set('code', authCode);\n      if (session.oauthState) {\n        redirectUrl.searchParams.set('state', session.oauthState);\n      }\n\n      // Clean up session\n      await this.store.removeOAuthSession(sessionId);\n\n      res.redirect(redirectUrl.toString());\n    }\n\n    @Post(endpoints.token)\n    @Header('content-type', 'application/json')\n    @Header('Cache-Control', 'no-store')\n    @Header('Pragma', 'no-cache')\n    @HttpCode(200)\n    async exchangeToken(\n      @Body() body: any,\n      @Req() req: RequestWithRawBody,\n      @Res({ passthrough: true }) res: Response,\n    ): Promise<TokenPair> {\n      // Apply middleware to capture raw body if needed\n      const isFormUrlEncoded = req.headers['content-type']?.includes(\n        'application/x-www-form-urlencoded',\n      );\n      const isBodyEmpty =\n        !body ||\n        (typeof body === 'object' &&\n          Object.keys(body as Record<string, unknown>).length === 0);\n\n      if (isFormUrlEncoded && isBodyEmpty) {\n        return new Promise((resolve, reject) => {\n          this.captureRawBody(req, res, (err?: any) => {\n            if (err) {\n              reject(\n                err instanceof Error ? err : new Error(String(err ?? 'error')),\n              );\n              return;\n            }\n\n            // Avoid returning a Promise from the callback; use an IIFE\n            void (async () => {\n              try {\n                // Re-parse the body after middleware has captured it\n                const parsedBody = this.parseRequestBody(req.body || body, req);\n                const result = await this.processTokenExchange(parsedBody, req);\n                resolve(result);\n              } catch (error) {\n                reject(\n                  error instanceof Error\n                    ? error\n                    : new Error(String(error ?? 'error')),\n                );\n              }\n            })();\n          });\n        });\n      }\n\n      // Body is already parsed, process directly\n      const parsedBody = this.parseRequestBody(body, req);\n      return this.processTokenExchange(parsedBody, req);\n    }\n\n    async processTokenExchange(\n      parsedBody: Record<string, any>,\n      req: RequestWithRawBody,\n    ): Promise<TokenPair> {\n      const { grant_type, code, code_verifier, redirect_uri, refresh_token } =\n        parsedBody;\n\n      // Add debugging to help identify issues\n      if (!grant_type) {\n        this.logger.error('Missing grant_type in request body:', {\n          parsedBodyKeys: Object.keys(parsedBody),\n          contentType: req.headers['content-type'],\n          textBody: req.textBody,\n          parsedBody,\n        });\n        throw new BadRequestException('Missing grant_type parameter');\n      }\n\n      switch (grant_type) {\n        case 'authorization_code': {\n          // Extract client credentials based on authentication method\n          const clientCredentials = this.extractClientCredentials(\n            req,\n            parsedBody,\n          );\n          return await this.handleAuthorizationCodeGrant(\n            typeof code === 'string' ? code : String(code ?? ''),\n            typeof code_verifier === 'string'\n              ? code_verifier\n              : String(code_verifier ?? ''),\n            typeof redirect_uri === 'string'\n              ? redirect_uri\n              : String(redirect_uri ?? ''),\n            clientCredentials,\n          );\n        }\n        case 'refresh_token': {\n          // For refresh tokens, try to extract client credentials, but allow fallback to token-based extraction\n          let clientCredentials: { client_id: string; client_secret?: string };\n          try {\n            clientCredentials = this.extractClientCredentials(req, parsedBody);\n          } catch {\n            // If we can't extract credentials, we'll try to get them from the refresh token\n            clientCredentials = { client_id: '' }; // Will be filled from token\n          }\n          return await this.handleRefreshTokenGrant(\n            typeof refresh_token === 'string'\n              ? refresh_token\n              : String(refresh_token ?? ''),\n            clientCredentials,\n          );\n        }\n        default:\n          throw new BadRequestException(\n            `Unsupported grant_type: ${grant_type}`,\n          );\n      }\n    }\n\n    /**\n     * Extract client credentials from request based on authentication method\n     */\n    extractClientCredentials(\n      req: RequestWithRawBody,\n      body: any,\n    ): { client_id: string; client_secret?: string } {\n      // Parse the body using the shared utility function\n      const parsedBody = this.parseRequestBody(body, req);\n\n      // Try client_secret_basic first (Authorization header)\n      const authHeader = req.headers?.authorization;\n      if (authHeader && authHeader.startsWith('Basic ')) {\n        const credentials = Buffer.from(authHeader.slice(6), 'base64').toString(\n          'utf-8',\n        );\n        const [client_id, client_secret] = credentials.split(':', 2);\n        if (client_id) {\n          return { client_id, client_secret };\n        }\n      }\n\n      // Try client_secret_post (body parameters)\n      if (parsedBody.client_id) {\n        return {\n          client_id: parsedBody.client_id,\n          client_secret: parsedBody.client_secret,\n        };\n      }\n\n      throw new BadRequestException('Missing client credentials');\n    }\n\n    /**\n     * Validate client authentication based on the client's configured method\n     */\n    validateClientAuthentication(\n      client: any,\n      clientCredentials: { client_id: string; client_secret?: string },\n    ): void {\n      if (!client) {\n        throw new BadRequestException('Invalid client_id');\n      }\n\n      const { token_endpoint_auth_method } = client;\n\n      switch (token_endpoint_auth_method) {\n        case 'client_secret_basic':\n        case 'client_secret_post':\n          if (!clientCredentials.client_secret) {\n            throw new BadRequestException(\n              'Client secret required for this authentication method',\n            );\n          }\n          if (client.client_secret !== clientCredentials.client_secret) {\n            throw new BadRequestException('Invalid client credentials');\n          }\n          break;\n\n        case 'none':\n          // Public client - no secret required\n          if (clientCredentials.client_secret) {\n            throw new BadRequestException(\n              'Client secret not allowed for public clients',\n            );\n          }\n          break;\n\n        default:\n          throw new BadRequestException(\n            `Unsupported authentication method: ${token_endpoint_auth_method}`,\n          );\n      }\n    }\n\n    async handleAuthorizationCodeGrant(\n      code: string,\n      code_verifier: string,\n      _redirect_uri: string,\n      clientCredentials: { client_id: string; client_secret?: string },\n    ): Promise<TokenPair> {\n      this.logger.debug('handleAuthorizationCodeGrant - Params:', {\n        code,\n        client_id: clientCredentials.client_id,\n      });\n\n      // Get and validate the authorization code\n      const authCode = await this.store.getAuthCode(code);\n      if (!authCode) {\n        this.logger.error(\n          'handleAuthorizationCodeGrant - Invalid authorization code:',\n          code,\n        );\n        throw new BadRequestException('Invalid authorization code');\n      }\n      if (authCode.expires_at < Date.now()) {\n        await this.store.removeAuthCode(code);\n        this.logger.error(\n          'handleAuthorizationCodeGrant - Authorization code expired:',\n          code,\n        );\n        throw new BadRequestException('Authorization code has expired');\n      }\n      if (authCode.client_id !== clientCredentials.client_id) {\n        this.logger.error(\n          'handleAuthorizationCodeGrant - Client ID mismatch:',\n          { expected: authCode.client_id, got: clientCredentials.client_id },\n        );\n        throw new BadRequestException('Client ID mismatch');\n      }\n\n      // Get client and validate authentication\n      const client = await this.clientService.getClient(\n        clientCredentials.client_id,\n      );\n      this.validateClientAuthentication(client, clientCredentials);\n      if (authCode.code_challenge) {\n        const isValid = this.validatePKCE(\n          code_verifier,\n          authCode.code_challenge,\n          authCode.code_challenge_method,\n        );\n        if (!isValid) {\n          this.logger.error(\n            'handleAuthorizationCodeGrant - Invalid PKCE verification',\n          );\n          throw new BadRequestException('Invalid PKCE verification');\n        }\n      }\n      if (!authCode.resource) {\n        this.logger.error(\n          'handleAuthorizationCodeGrant - No resource associated with code',\n        );\n        throw new BadRequestException(\n          'Authorization code is not associated with a resource',\n        );\n      }\n\n      let userData: Record<string, unknown> | undefined = undefined;\n      if (authCode.user_profile_id) {\n        try {\n          const profile = await this.store.getUserProfileById(\n            authCode.user_profile_id,\n          );\n          if (profile) {\n            // Avoid circular/large raw payloads if present\n            userData = { ...profile };\n          }\n        } catch (e) {\n          this.logger.warn('Failed to load user profile for token payload', e);\n        }\n      }\n\n      const tokens = this.jwtTokenService.generateTokenPair(\n        authCode.user_id,\n        clientCredentials.client_id,\n        authCode.scope,\n        authCode.resource,\n        {\n          user_profile_id: authCode.user_profile_id,\n          user_data: userData,\n        },\n      );\n      await this.store.removeAuthCode(code);\n      this.logger.debug(\n        'handleAuthorizationCodeGrant - Token pair generated for user:',\n        authCode.user_id,\n      );\n      return tokens;\n    }\n\n    async handleRefreshTokenGrant(\n      refresh_token: string,\n      clientCredentials: { client_id: string; client_secret?: string },\n    ): Promise<TokenPair> {\n      // Verify the refresh token first to get client_id from token if not provided\n      const payload = this.jwtTokenService.validateToken(refresh_token);\n      if (!payload || payload.type !== 'refresh') {\n        throw new BadRequestException('Invalid or expired refresh token');\n      }\n\n      // Use client_id from token if not provided in credentials\n      const clientId = clientCredentials.client_id || payload.client_id;\n      if (!clientId) {\n        throw new BadRequestException('Unable to determine client_id');\n      }\n\n      // Get client and validate authentication\n      const client = await this.clientService.getClient(clientId);\n\n      // For refresh token grants, we can be more lenient with client authentication\n      // if the token already contains the client_id and the client is public\n      if (client?.token_endpoint_auth_method !== 'none') {\n        this.validateClientAuthentication(client, {\n          ...clientCredentials,\n          client_id: clientId,\n        });\n      }\n\n      // Verify the refresh token belongs to the client\n      if (payload.client_id !== clientId) {\n        throw new BadRequestException(\n          'Invalid refresh token or token does not belong to this client',\n        );\n      }\n\n      let newTokens: TokenPair | null = null;\n      try {\n        const payload = this.jwtTokenService.validateToken(refresh_token);\n        if (!payload || payload.type !== 'refresh') {\n          throw new BadRequestException('Invalid or expired refresh token');\n        }\n\n        let userData: Record<string, unknown> | undefined = undefined;\n        if (payload.user_profile_id) {\n          try {\n            const profile = await this.store.getUserProfileById(\n              payload.user_profile_id,\n            );\n            if (profile) userData = { ...profile };\n          } catch (e) {\n            this.logger.warn(\n              'Failed to load user profile for refreshed token payload',\n              e,\n            );\n          }\n        }\n\n        newTokens = this.jwtTokenService.generateTokenPair(\n          payload.sub,\n          clientId,\n          payload.scope,\n          payload.resource,\n          {\n            user_profile_id: payload.user_profile_id,\n            user_data: userData,\n          },\n        );\n      } catch (e) {\n        this.logger.warn(\n          'Refresh flow failed using enriched path, fallback',\n          e,\n        );\n        newTokens = this.jwtTokenService.refreshAccessToken(refresh_token);\n      }\n\n      if (!newTokens) throw new BadRequestException('Failed to refresh token');\n      return newTokens;\n    }\n\n    validatePKCE(\n      code_verifier: string,\n      code_challenge: string,\n      method: string,\n    ): boolean {\n      if (method === 'plain') {\n        return code_verifier === code_challenge;\n      } else if (method === 'S256') {\n        const hash = createHash('sha256')\n          .update(code_verifier)\n          .digest('base64url');\n        return hash === code_challenge;\n      }\n      return false;\n    }\n  }\n\n  return McpOAuthController;\n}\n"]}
+{"version":3,"file":"mcp-oauth.controller.js","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAgDA,4DA2yBC;AA31BD,2CAcwB;AACxB,mCAAiD;AAMjD,wDAAgC;AAChC,wEAAoE;AAOpE,8DAA0D;AAC1D,oEAA0E;AAC1E,8EAAyE;AAiBzE,SAAgB,wBAAwB,CACtC,YAAwC,EAAE,EAC1C,OAGC,EACD,YAAqB;;IAGrB,MAAM,WAAW,GAAG,CAClB,IAAmC,EACnC,OAAgB,EACC,EAAE;QACnB,OAAO,OAAO,IAAI,IAAI;YACpB,CAAC,CAAE,YAA+C,CAAC,IAAI,CAAC;YACxD,CAAC,CAAE,CAAC,GAAG,EAAE,GAAE,CAAC,CAAgC,CAAC;IACjD,CAAC,CAAC;IACF,MAAM,cAAc,GAAG,CACrB,IAAY,EACZ,KAAa,EACb,OAAgB,EACC,EAAE;QACnB,OAAO,OAAO;YACZ,CAAC,CAAE,eAA+D,CAC9D,IAAI,EACJ,KAAK,CACN;YACH,CAAC,CAAE,CAAC,GAAG,EAAE,GAAE,CAAC,CAAgC,CAAC;IACjD,CAAC,CAAC;IAEF,IACM,kBAAkB,0BADxB,MACM,kBAAkB;QAOtB,YAME,OAA2B,EAE3B,KAA2B,EAClB,eAAgC,EAChC,aAA4B,EAC5B,oBAA0C;YAH1C,UAAK,GAAL,KAAK,CAAa;YAClB,oBAAe,GAAf,eAAe,CAAiB;YAChC,kBAAa,GAAb,aAAa,CAAe;YAC5B,yBAAoB,GAApB,oBAAoB,CAAsB;YAjB5C,WAAM,GAAG,IAAI,eAAM,CAAC,oBAAkB,CAAC,IAAI,CAAC,CAAC;YAmBpD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YACnC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;YACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,oBAAoB,CAAC,eAAe,EAAE,CAAC;QAC7D,CAAC;QAMD,gBAAgB,CAAC,IAAS,EAAE,GAAwB;YAElD,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM,UAAU,GAAwB,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAC1B,CAAC;gBACD,OAAO,UAAU,CAAC;YACpB,CAAC;YAGD,IAAI,GAAG,EAAE,QAAQ,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACjD,MAAM,UAAU,GAAwB,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAC1B,CAAC;gBACD,OAAO,UAAU,CAAC;YACpB,CAAC;YAGD,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;oBAC/C,MAAM,UAAU,GAAwB,EAAE,CAAC;oBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBAC1B,CAAC;oBACD,OAAO,UAAU,CAAC;gBACpB,CAAC;YACH,CAAC;YAGD,OAAO,EAAE,CAAC;QACZ,CAAC;QAMD,cAAc,CAAC,GAAuB,EAAE,GAAa,EAAE,IAAkB;YACvE,IACE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,QAAQ,CACnC,mCAAmC,CACpC,EACD,CAAC;gBACD,IAAI,OAAO,GAAG,EAAE,CAAC;gBAEjB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBAC/B,OAAO,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACrC,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,GAAG,CAAC,QAAQ,GAAG,OAAO,CAAC;oBAEvB,IAAI,OAAO,EAAE,CAAC;wBACZ,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;wBAC5C,MAAM,UAAU,GAAQ,EAAE,CAAC;wBAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;4BAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;wBAC1B,CAAC;wBACA,GAAW,CAAC,IAAI,GAAG,UAAU,CAAC;oBACjC,CAAC;oBACD,IAAI,EAAE,CAAC;gBACT,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;oBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;oBACtD,IAAI,CAAC,GAAG,CAAC,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,IAAI,EAAE,CAAC;YACT,CAAC;QACH,CAAC;QAWD,4BAA4B;YAE1B,MAAM,yBAAyB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;YAGzD,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YAEjD,MAAM,QAAQ,GAAG;gBAKf,qBAAqB,EAAE,CAAC,yBAAyB,CAAC;gBAMlD,QAAQ,EAAE,kBAAkB;gBAM5B,gBAAgB,EACd,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,eAAe;gBAMxD,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,sBAAsB;gBAM/D,sBAAsB,EACpB,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,oBAAoB;aAC9D,CAAC;YAEF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAYD,8BAA8B;YAC5B,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,SAAS;gBACtB,sBAAsB,EAAE,IAAA,sCAAiB,EACvC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,SAAS,EAAE,CAC3C;gBACD,cAAc,EAAE,IAAA,sCAAiB,EAC/B,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,KAAK,EAAE,CACvC;gBACD,qBAAqB,EAAE,IAAA,sCAAiB,EACtC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ,EAAE,CAC1C;gBACD,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,sBAAsB;gBACjE,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,sBAAsB;gBACjE,qBAAqB,EACnB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,mBAAmB;gBAC9D,qCAAqC,EACnC,IAAI,CAAC,OAAO,CAAC,2BAA2B;qBACrC,iCAAiC;gBACtC,gBAAgB,EACd,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,eAAe;gBAC1D,mBAAmB,EAAE,IAAA,sCAAiB,EACpC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE,MAAM,EAAE,CACzC;gBACD,gCAAgC,EAC9B,IAAI,CAAC,OAAO,CAAC,2BAA2B;qBACrC,6BAA6B;aACnC,CAAC;QACJ,CAAC;QAGK,AAAN,KAAK,CAAC,cAAc,CAAS,eAAoB;YAC/C,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QAClE,CAAC;QAGK,AAAN,KAAK,CAAC,SAAS,CACJ,KAAU,EAEnB,GAAQ,EACD,GAAa,EACZ,IAAkB;YAE1B,MAAM,EACJ,aAAa,EACb,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,KAAK,EACL,KAAK,GACN,GAAG,KAAK,CAAC;YACV,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YACvC,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,IAAI,4BAAmB,CAAC,sCAAsC,CAAC,CAAC;YACxE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4BAAmB,CAAC,6BAA6B,CAAC,CAAC;YAC/D,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4BAAmB,CAAC,mBAAmB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAChE,SAAS,EACT,YAAY,CACb,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,4BAAmB,CAAC,sBAAsB,CAAC,CAAC;YACxD,CAAC;YAGD,MAAM,SAAS,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,YAAY,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAE3D,MAAM,YAAY,GAAiB;gBACjC,SAAS;gBACT,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,YAAY;gBACzB,aAAa,EAAE,cAAc;gBAC7B,mBAAmB,EAAE,qBAAqB,IAAI,OAAO;gBACrD,UAAU,EAAE,KAAK;gBACjB,KAAK,EAAE,KAAK;gBACZ,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3D,CAAC;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;YAG5D,GAAG,CAAC,MAAM,CAAC,eAAe,EAAE,SAAS,EAAE;gBACrC,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3C,CAAC,CAAC;YAGH,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,YAAY,EAAE;gBACtC,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3C,CAAC,CAAC;YAGH,kBAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE;gBACvC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,WAAW;aAChC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACrB,CAAC;QAGD,sBAAsB,CACb,GAAyB,EACzB,GAAa,EACZ,IAAkB;YAG1B,kBAAQ,CAAC,YAAY,CACnB,IAAI,CAAC,YAAY,EACjB,EAAE,OAAO,EAAE,KAAK,EAAE,EAClB,KAAK,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;gBAC5B,IAAI,CAAC;oBACH,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;wBAChD,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;oBACzD,CAAC;oBAED,IAAI,CAAC,IAAI,EAAE,CAAC;wBACV,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;oBACzD,CAAC;oBAED,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;oBAChB,MAAM,IAAI,CAAC,4BAA4B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACpD,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,CAAC,KAAK,CAAC,CAAC;gBACd,CAAC;YACH,CAAC,CACF,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,KAAK,CAAC,4BAA4B,CAChC,GAAyB,EACzB,GAAa;YAEb,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YACtB,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;YACzD,CAAC;YAED,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;YAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;YACzD,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;YACpE,CAAC;YAGD,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC;YACjD,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;gBACtC,MAAM,IAAI,4BAAmB,CAAC,yBAAyB,CAAC,CAAC;YAC3D,CAAC;YAGD,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAChD,IAAI,CAAC,OAAO,CAAC,QAAQ,EACrB,IAAI,CAAC,OAAO,CACb,CAAC;YAGF,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,EAAE;gBAC5B,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;aAClC,CAAC,CAAC;YAGH,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;YACjC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;YAG/B,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,QAAQ,CACd,CAAC;YAGF,MAAM,QAAQ,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAGvD,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;gBAC7B,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ;gBAC9B,SAAS,EAAE,OAAO,CAAC,QAAS;gBAC5B,YAAY,EAAE,OAAO,CAAC,WAAY;gBAClC,cAAc,EAAE,OAAO,CAAC,aAAc;gBACtC,qBAAqB,EAAE,OAAO,CAAC,mBAAoB;gBACnD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB;gBACvD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,eAAe;aAChB,CAAC,CAAC;YAGH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAY,CAAC,CAAC;YAClD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC/C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;YAC5D,CAAC;YAGD,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAE/C,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QACvC,CAAC;QAOK,AAAN,KAAK,CAAC,aAAa,CACT,IAAS,EACV,GAAuB,EACF,GAAa;YAGzC,MAAM,gBAAgB,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,QAAQ,CAC5D,mCAAmC,CACpC,CAAC;YACF,MAAM,WAAW,GACf,CAAC,IAAI;gBACL,CAAC,OAAO,IAAI,KAAK,QAAQ;oBACvB,MAAM,CAAC,IAAI,CAAC,IAA+B,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC;YAE/D,IAAI,gBAAgB,IAAI,WAAW,EAAE,CAAC;gBACpC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBACrC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAS,EAAE,EAAE;wBAC1C,IAAI,GAAG,EAAE,CAAC;4BACR,MAAM,CACJ,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAC/D,CAAC;4BACF,OAAO;wBACT,CAAC;wBAGD,KAAK,CAAC,KAAK,IAAI,EAAE;4BACf,IAAI,CAAC;gCAEH,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,GAAG,CAAC,CAAC;gCAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;gCAChE,OAAO,CAAC,MAAM,CAAC,CAAC;4BAClB,CAAC;4BAAC,OAAO,KAAK,EAAE,CAAC;gCACf,MAAM,CACJ,KAAK,YAAY,KAAK;oCACpB,CAAC,CAAC,KAAK;oCACP,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,OAAO,CAAC,CAAC,CACxC,CAAC;4BACJ,CAAC;wBACH,CAAC,CAAC,EAAE,CAAC;oBACP,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;YACL,CAAC;YAGD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACpD,OAAO,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QAED,KAAK,CAAC,oBAAoB,CACxB,UAA+B,EAC/B,GAAuB;YAEvB,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,YAAY,EAAE,aAAa,EAAE,GACpE,UAAU,CAAC;YAGb,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE;oBACvD,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;oBACvC,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;oBACxC,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU;iBACX,CAAC,CAAC;gBACH,MAAM,IAAI,4BAAmB,CAAC,8BAA8B,CAAC,CAAC;YAChE,CAAC;YAED,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,oBAAoB,CAAC,CAAC,CAAC;oBAE1B,MAAM,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CACrD,GAAG,EACH,UAAU,CACX,CAAC;oBACF,OAAO,MAAM,IAAI,CAAC,4BAA4B,CAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,EACpD,OAAO,aAAa,KAAK,QAAQ;wBAC/B,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,EAC/B,OAAO,YAAY,KAAK,QAAQ;wBAC9B,CAAC,CAAC,YAAY;wBACd,CAAC,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAC9B,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD,KAAK,eAAe,CAAC,CAAC,CAAC;oBAErB,IAAI,iBAAgE,CAAC;oBACrE,IAAI,CAAC;wBACH,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;oBACrE,CAAC;oBAAC,MAAM,CAAC;wBAEP,iBAAiB,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;oBACxC,CAAC;oBACD,OAAO,MAAM,IAAI,CAAC,uBAAuB,CACvC,OAAO,aAAa,KAAK,QAAQ;wBAC/B,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,EAC/B,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD;oBACE,MAAM,IAAI,4BAAmB,CAC3B,2BAA2B,UAAU,EAAE,CACxC,CAAC;YACN,CAAC;QACH,CAAC;QAKD,wBAAwB,CACtB,GAAuB,EACvB,IAAS;YAGT,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAGpD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;YAC9C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACrE,OAAO,CACR,CAAC;gBACF,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBAC7D,IAAI,SAAS,EAAE,CAAC;oBACd,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;gBACtC,CAAC;YACH,CAAC;YAGD,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;gBACzB,OAAO;oBACL,SAAS,EAAE,UAAU,CAAC,SAAS;oBAC/B,aAAa,EAAE,UAAU,CAAC,aAAa;iBACxC,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;QAC9D,CAAC;QAKD,4BAA4B,CAC1B,MAAW,EACX,iBAAgE;YAEhE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4BAAmB,CAAC,mBAAmB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,EAAE,0BAA0B,EAAE,GAAG,MAAM,CAAC;YAE9C,QAAQ,0BAA0B,EAAE,CAAC;gBACnC,KAAK,qBAAqB,CAAC;gBAC3B,KAAK,oBAAoB;oBACvB,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBACrC,MAAM,IAAI,4BAAmB,CAC3B,uDAAuD,CACxD,CAAC;oBACJ,CAAC;oBACD,IAAI,MAAM,CAAC,aAAa,KAAK,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBAC7D,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;oBAC9D,CAAC;oBACD,MAAM;gBAER,KAAK,MAAM;oBAET,IAAI,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBACpC,MAAM,IAAI,4BAAmB,CAC3B,8CAA8C,CAC/C,CAAC;oBACJ,CAAC;oBACD,MAAM;gBAER;oBACE,MAAM,IAAI,4BAAmB,CAC3B,sCAAsC,0BAA0B,EAAE,CACnE,CAAC;YACN,CAAC;QACH,CAAC;QAED,KAAK,CAAC,4BAA4B,CAChC,IAAY,EACZ,aAAqB,EACrB,aAAqB,EACrB,iBAAgE;YAEhE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;gBAC1D,IAAI;gBACJ,SAAS,EAAE,iBAAiB,CAAC,SAAS;aACvC,CAAC,CAAC;YAGH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4DAA4D,EAC5D,IAAI,CACL,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrC,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4DAA4D,EAC5D,IAAI,CACL,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,gCAAgC,CAAC,CAAC;YAClE,CAAC;YACD,IAAI,QAAQ,CAAC,SAAS,KAAK,iBAAiB,CAAC,SAAS,EAAE,CAAC;gBACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oDAAoD,EACpD,EAAE,QAAQ,EAAE,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE,iBAAiB,CAAC,SAAS,EAAE,CACnE,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,oBAAoB,CAAC,CAAC;YACtD,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAC/C,iBAAiB,CAAC,SAAS,CAC5B,CAAC;YACF,IAAI,CAAC,4BAA4B,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;YAC7D,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAC/B,aAAa,EACb,QAAQ,CAAC,cAAc,EACvB,QAAQ,CAAC,qBAAqB,CAC/B,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,0DAA0D,CAC3D,CAAC;oBACF,MAAM,IAAI,4BAAmB,CAAC,2BAA2B,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,iEAAiE,CAClE,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAC3B,sDAAsD,CACvD,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,GAAwC,SAAS,CAAC;YAC9D,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CACjD,QAAQ,CAAC,eAAe,CACzB,CAAC;oBACF,IAAI,OAAO,EAAE,CAAC;wBAEZ,QAAQ,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;oBAC5B,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CACnD,QAAQ,CAAC,OAAO,EAChB,iBAAiB,CAAC,SAAS,EAC3B,QAAQ,CAAC,KAAK,EACd,QAAQ,CAAC,QAAQ,EACjB;gBACE,eAAe,EAAE,QAAQ,CAAC,eAAe;gBACzC,SAAS,EAAE,QAAQ;aACpB,CACF,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,+DAA+D,EAC/D,QAAQ,CAAC,OAAO,CACjB,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,KAAK,CAAC,uBAAuB,CAC3B,aAAqB,EACrB,iBAAgE;YAGhE,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;YAClE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3C,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;YACpE,CAAC;YAGD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC;YAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,4BAAmB,CAAC,+BAA+B,CAAC,CAAC;YACjE,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAI5D,IAAI,MAAM,EAAE,0BAA0B,KAAK,MAAM,EAAE,CAAC;gBAClD,IAAI,CAAC,4BAA4B,CAAC,MAAM,EAAE;oBACxC,GAAG,iBAAiB;oBACpB,SAAS,EAAE,QAAQ;iBACpB,CAAC,CAAC;YACL,CAAC;YAGD,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,IAAI,4BAAmB,CAC3B,+DAA+D,CAChE,CAAC;YACJ,CAAC;YAED,IAAI,SAAS,GAAqB,IAAI,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;gBAClE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC3C,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;gBACpE,CAAC;gBAED,IAAI,QAAQ,GAAwC,SAAS,CAAC;gBAC9D,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;oBAC5B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CACjD,OAAO,CAAC,eAAe,CACxB,CAAC;wBACF,IAAI,OAAO;4BAAE,QAAQ,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;oBACzC,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,yDAAyD,EACzD,CAAC,CACF,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAChD,OAAO,CAAC,GAAG,EACX,QAAQ,EACR,OAAO,CAAC,KAAK,EACb,OAAO,CAAC,QAAQ,EAChB;oBACE,eAAe,EAAE,OAAO,CAAC,eAAe;oBACxC,SAAS,EAAE,QAAQ;iBACpB,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,mDAAmD,EACnD,CAAC,CACF,CAAC;gBACF,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,CAAC,SAAS;gBAAE,MAAM,IAAI,4BAAmB,CAAC,yBAAyB,CAAC,CAAC;YACzE,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,YAAY,CACV,aAAqB,EACrB,cAAsB,EACtB,MAAc;YAEd,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,aAAa,KAAK,cAAc,CAAC;YAC1C,CAAC;iBAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC;qBAC9B,MAAM,CAAC,aAAa,CAAC;qBACrB,MAAM,CAAC,WAAW,CAAC,CAAC;gBACvB,OAAO,IAAI,KAAK,cAAc,CAAC;YACjC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAA;IAhpBC;QATC,WAAW,CACV,SAAS,CAAC,kCAAkC,EAC5C,CAAC,OAAO,EAAE,yCAAyC,CACpD;QACA,cAAc,CACb,cAAc,EACd,kBAAkB,EAClB,CAAC,OAAO,EAAE,yCAAyC,CACpD;;;;0EA4CA;IAYD;QATC,WAAW,CACV,SAAS,CAAC,oCAAoC,EAC9C,CAAC,OAAO,EAAE,2CAA2C,CACtD;QACA,cAAc,CACb,cAAc,EACd,kBAAkB,EAClB,CAAC,OAAO,EAAE,2CAA2C,CACtD;;;;4EA+BA;IAGK;QADL,IAAA,aAAI,EAAC,SAAS,CAAC,QAAQ,CAAC;QACH,WAAA,IAAA,aAAI,GAAE,CAAA;;;;4DAE3B;IAGK;QADL,IAAA,YAAG,EAAC,SAAS,CAAC,SAAS,CAAC;QAEtB,WAAA,IAAA,cAAK,GAAE,CAAA;QACP,WAAA,IAAA,YAAG,GAAE,CAAA;QAEL,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,aAAI,GAAE,CAAA;;;;uDAuER;IAGD;QADC,IAAA,YAAG,EAAC,SAAS,CAAC,QAAQ,CAAC;QAErB,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,aAAI,GAAE,CAAA;;;;oEAwBR;IAqFK;QALL,IAAA,aAAI,EAAC,SAAS,CAAC,KAAK,CAAC;QACrB,IAAA,eAAM,EAAC,cAAc,EAAE,kBAAkB,CAAC;QAC1C,IAAA,eAAM,EAAC,eAAe,EAAE,UAAU,CAAC;QACnC,IAAA,eAAM,EAAC,QAAQ,EAAE,UAAU,CAAC;QAC5B,IAAA,iBAAQ,EAAC,GAAG,CAAC;QAEX,WAAA,IAAA,aAAI,GAAE,CAAA;QACN,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,YAAG,EAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAA;;;;2DA2C5B;IAncG,kBAAkB;QADvB,IAAA,mBAAU,GAAE;QASR,WAAA,IAAA,eAAM,EACL,YAAY;YACV,CAAC,CAAC,wBAAwB,YAAY,EAAE;YACxC,CAAC,CAAC,sBAAsB,CAC3B,CAAA;QAEA,WAAA,IAAA,eAAM,EAAC,YAAY,CAAC,CAAC,CAAC,eAAe,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;yDAE3C,mCAAe;YACjB,8BAAa;YACN,6CAAoB;OAlBjD,kBAAkB,CAywBvB;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC","sourcesContent":["import {\n  BadRequestException,\n  Body,\n  Controller,\n  Get,\n  Header,\n  HttpCode,\n  Inject,\n  Logger,\n  Next,\n  Post,\n  Query,\n  Req,\n  Res,\n} from '@nestjs/common';\nimport { createHash, randomBytes } from 'crypto';\nimport type {\n  Request as ExpressRequest,\n  NextFunction,\n  Response,\n} from 'express';\nimport passport from 'passport';\nimport { normalizeEndpoint } from '../mcp/utils/normalize-endpoint';\nimport type {\n  OAuthEndpointConfiguration,\n  OAuthModuleOptions,\n  OAuthSession,\n  OAuthUserProfile,\n} from './providers/oauth-provider.interface';\nimport { ClientService } from './services/client.service';\nimport { JwtTokenService, TokenPair } from './services/jwt-token.service';\nimport { OAuthStrategyService } from './services/oauth-strategy.service';\nimport type { IOAuthStore } from './stores/oauth-store.interface';\n\ninterface OAuthCallbackRequest extends ExpressRequest {\n  user?: {\n    profile: OAuthUserProfile;\n    accessToken: string;\n    provider: string;\n  };\n}\n\n// Add this interface to properly type the Express request with raw body\ninterface RequestWithRawBody extends ExpressRequest {\n  rawBody?: Buffer;\n  textBody?: string;\n}\n\nexport function createMcpOAuthController(\n  endpoints: OAuthEndpointConfiguration = {},\n  options?: {\n    disableWellKnownProtectedResourceMetadata?: boolean;\n    disableWellKnownAuthorizationServerMetadata?: boolean;\n  },\n  authModuleId?: string,\n) {\n  // Optional decorator helpers\n  const OptionalGet = (\n    path: string | string[] | undefined,\n    enabled: boolean,\n  ): MethodDecorator => {\n    return enabled && path\n      ? (Get as unknown as (p?: any) => MethodDecorator)(path)\n      : ((() => {}) as unknown as MethodDecorator);\n  };\n  const OptionalHeader = (\n    name: string,\n    value: string,\n    enabled: boolean,\n  ): MethodDecorator => {\n    return enabled\n      ? (Header as unknown as (n: string, v: string) => MethodDecorator)(\n          name,\n          value,\n        )\n      : ((() => {}) as unknown as MethodDecorator);\n  };\n\n  @Controller()\n  class McpOAuthController {\n    readonly logger = new Logger(McpOAuthController.name);\n    readonly serverUrl: string;\n    readonly isProduction: boolean;\n    readonly options: OAuthModuleOptions;\n    readonly strategyName: string;\n\n    constructor(\n      @Inject(\n        authModuleId\n          ? `OAUTH_MODULE_OPTIONS_${authModuleId}`\n          : 'OAUTH_MODULE_OPTIONS',\n      )\n      options: OAuthModuleOptions,\n      @Inject(authModuleId ? `IOAuthStore_${authModuleId}` : 'IOAuthStore')\n      readonly store: IOAuthStore,\n      readonly jwtTokenService: JwtTokenService,\n      readonly clientService: ClientService,\n      readonly oauthStrategyService: OAuthStrategyService,\n    ) {\n      this.serverUrl = options.serverUrl;\n      this.isProduction = options.cookieSecure;\n      this.options = options;\n      this.strategyName = oauthStrategyService.getStrategyName();\n    }\n\n    /**\n     * Utility function to parse form-encoded or JSON bodies\n     * Handles both string (raw form data) and object bodies\n     */\n    parseRequestBody(body: any, req?: RequestWithRawBody): Record<string, any> {\n      // If body is already a parsed object with properties, return it\n      if (body && typeof body === 'object' && Object.keys(body).length > 0) {\n        return body;\n      }\n\n      // If body is a string (raw form data), parse it\n      if (typeof body === 'string' && body.length > 0) {\n        const params = new URLSearchParams(body);\n        const parsedBody: Record<string, any> = {};\n        for (const [key, value] of params.entries()) {\n          parsedBody[key] = value;\n        }\n        return parsedBody;\n      }\n\n      // Check if we have a text body stored on the request (from our middleware)\n      if (req?.textBody) {\n        const params = new URLSearchParams(req.textBody);\n        const parsedBody: Record<string, any> = {};\n        for (const [key, value] of params.entries()) {\n          parsedBody[key] = value;\n        }\n        return parsedBody;\n      }\n\n      // Check if we have a raw body buffer stored on the request\n      if (req?.rawBody) {\n        const bodyString = req.rawBody.toString('utf-8');\n        if (bodyString) {\n          const params = new URLSearchParams(bodyString);\n          const parsedBody: Record<string, any> = {};\n          for (const [key, value] of params.entries()) {\n            parsedBody[key] = value;\n          }\n          return parsedBody;\n        }\n      }\n\n      // Return empty object if no valid body\n      return {};\n    }\n\n    /**\n     * Middleware to capture raw body for form-encoded requests\n     * This is needed when bodyParser is disabled in the main app\n     */\n    captureRawBody(req: RequestWithRawBody, res: Response, next: NextFunction) {\n      if (\n        req.headers['content-type']?.includes(\n          'application/x-www-form-urlencoded',\n        )\n      ) {\n        let rawBody = '';\n\n        req.on('data', (chunk: Buffer) => {\n          rawBody += chunk.toString('utf-8');\n        });\n\n        req.on('end', () => {\n          req.textBody = rawBody;\n          // Also parse and set it as body for NestJS\n          if (rawBody) {\n            const params = new URLSearchParams(rawBody);\n            const parsedBody: any = {};\n            for (const [key, value] of params.entries()) {\n              parsedBody[key] = value;\n            }\n            (req as any).body = parsedBody;\n          }\n          next();\n        });\n\n        req.on('error', (err) => {\n          this.logger.error('Error reading request body:', err);\n          next(err);\n        });\n      } else {\n        next();\n      }\n    }\n\n    @OptionalGet(\n      endpoints.wellKnownProtectedResourceMetadata,\n      !options?.disableWellKnownProtectedResourceMetadata,\n    )\n    @OptionalHeader(\n      'content-type',\n      'application/json',\n      !options?.disableWellKnownProtectedResourceMetadata,\n    )\n    getProtectedResourceMetadata() {\n      // The issuer URL of your authorization server.\n      const authorizationServerIssuer = this.options.jwtIssuer;\n\n      // The canonical URI of the MCP server resource itself.\n      const resourceIdentifier = this.options.resource;\n\n      const metadata = {\n        /**\n         * REQUIRED by MCP Spec.\n         * A list of authorization server issuer URLs that can issue tokens for this resource.\n         */\n        authorization_servers: [authorizationServerIssuer],\n\n        /**\n         * RECOMMENDED by RFC 9728.\n         * The identifier for this resource server.\n         */\n        resource: resourceIdentifier,\n\n        /**\n         * RECOMMENDED by RFC 9728.\n         * A list of scopes that this resource server understands.\n         */\n        scopes_supported:\n          this.options.protectedResourceMetadata.scopesSupported,\n\n        /**\n         * RECOMMENDED by RFC 9728.\n         * A list of methods clients can use to present the access token.\n         */\n        bearer_methods_supported:\n          this.options.protectedResourceMetadata.bearerMethodsSupported,\n\n        /**\n         * OPTIONAL but helpful custom metadata.\n         * Declares which version of the MCP spec this server supports.\n         */\n        mcp_versions_supported:\n          this.options.protectedResourceMetadata.mcpVersionsSupported,\n      };\n\n      return metadata;\n    }\n\n    // OAuth endpoints\n    @OptionalGet(\n      endpoints.wellKnownAuthorizationServerMetadata,\n      !options?.disableWellKnownAuthorizationServerMetadata,\n    )\n    @OptionalHeader(\n      'content-type',\n      'application/json',\n      !options?.disableWellKnownAuthorizationServerMetadata,\n    )\n    getAuthorizationServerMetadata() {\n      return {\n        issuer: this.serverUrl,\n        authorization_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints.authorize}`,\n        ),\n        token_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints.token}`,\n        ),\n        registration_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints.register}`,\n        ),\n        response_types_supported:\n          this.options.authorizationServerMetadata.responseTypesSupported,\n        response_modes_supported:\n          this.options.authorizationServerMetadata.responseModesSupported,\n        grant_types_supported:\n          this.options.authorizationServerMetadata.grantTypesSupported,\n        token_endpoint_auth_methods_supported:\n          this.options.authorizationServerMetadata\n            .tokenEndpointAuthMethodsSupported,\n        scopes_supported:\n          this.options.authorizationServerMetadata.scopesSupported,\n        revocation_endpoint: normalizeEndpoint(\n          `${this.serverUrl}/${endpoints?.revoke}`,\n        ),\n        code_challenge_methods_supported:\n          this.options.authorizationServerMetadata\n            .codeChallengeMethodsSupported,\n      };\n    }\n\n    @Post(endpoints.register)\n    async registerClient(@Body() registrationDto: any) {\n      return await this.clientService.registerClient(registrationDto);\n    }\n\n    @Get(endpoints.authorize)\n    async authorize(\n      @Query() query: any,\n      @Req()\n      req: any,\n      @Res() res: Response,\n      @Next() next: NextFunction,\n    ) {\n      const {\n        response_type,\n        client_id,\n        redirect_uri,\n        code_challenge,\n        code_challenge_method,\n        state,\n        scope,\n      } = query;\n      const resource = this.options.resource;\n      if (response_type !== 'code') {\n        throw new BadRequestException('Only response_type=code is supported');\n      }\n\n      if (!client_id) {\n        throw new BadRequestException('Missing required parameters');\n      }\n\n      // Validate client and redirect URI\n      const client = await this.clientService.getClient(client_id);\n      if (!client) {\n        throw new BadRequestException('Invalid client_id');\n      }\n\n      const validRedirect = await this.clientService.validateRedirectUri(\n        client_id,\n        redirect_uri,\n      );\n      if (!validRedirect) {\n        throw new BadRequestException('Invalid redirect_uri');\n      }\n\n      // Create OAuth session\n      const sessionId = randomBytes(32).toString('base64url');\n      const sessionState = randomBytes(32).toString('base64url');\n\n      const oauthSession: OAuthSession = {\n        sessionId,\n        state: sessionState,\n        clientId: client_id,\n        redirectUri: redirect_uri,\n        codeChallenge: code_challenge,\n        codeChallengeMethod: code_challenge_method || 'plain',\n        oauthState: state,\n        scope: scope,\n        resource,\n        expiresAt: Date.now() + this.options.oauthSessionExpiresIn,\n      };\n\n      await this.store.storeOAuthSession(sessionId, oauthSession);\n\n      // Set session cookie\n      res.cookie('oauth_session', sessionId, {\n        httpOnly: true,\n        secure: this.isProduction,\n        maxAge: this.options.oauthSessionExpiresIn,\n      });\n\n      // Store state for passport\n      res.cookie('oauth_state', sessionState, {\n        httpOnly: true,\n        secure: this.isProduction,\n        maxAge: this.options.oauthSessionExpiresIn,\n      });\n\n      // Redirect to the provider's auth endpoint\n      passport.authenticate(this.strategyName, {\n        state: req.cookies?.oauth_state,\n      })(req, res, next);\n    }\n\n    @Get(endpoints.callback)\n    handleProviderCallback(\n      @Req() req: OAuthCallbackRequest,\n      @Res() res: Response,\n      @Next() next: NextFunction,\n    ) {\n      // Use a custom callback to handle the authentication result\n      passport.authenticate(\n        this.strategyName,\n        { session: false },\n        async (err: any, user: any) => {\n          try {\n            if (err) {\n              this.logger.error('OAuth callback error:', err);\n              throw new BadRequestException('Authentication failed');\n            }\n\n            if (!user) {\n              throw new BadRequestException('Authentication failed');\n            }\n\n            req.user = user;\n            await this.processAuthenticationSuccess(req, res);\n          } catch (error) {\n            next(error);\n          }\n        },\n      )(req, res, next);\n    }\n\n    async processAuthenticationSuccess(\n      req: OAuthCallbackRequest,\n      res: Response,\n    ) {\n      const user = req.user;\n      if (!user) {\n        throw new BadRequestException('Authentication failed');\n      }\n\n      const sessionId = req.cookies?.oauth_session;\n      if (!sessionId) {\n        throw new BadRequestException('Missing OAuth session');\n      }\n\n      const session = await this.store.getOAuthSession(sessionId);\n      if (!session) {\n        throw new BadRequestException('Invalid or expired OAuth session');\n      }\n\n      // Verify state\n      const stateFromCookie = req.cookies?.oauth_state;\n      if (session.state !== stateFromCookie) {\n        throw new BadRequestException('Invalid state parameter');\n      }\n\n      // Generate JWT for UI access\n      const jwt = this.jwtTokenService.generateUserToken(\n        user.profile.username,\n        user.profile,\n      );\n\n      // Set JWT token as cookie for UI endpoints\n      res.cookie('auth_token', jwt, {\n        httpOnly: true,\n        secure: this.isProduction,\n        maxAge: this.options.cookieMaxAge,\n      });\n\n      // Clear temporary cookies\n      res.clearCookie('oauth_session');\n      res.clearCookie('oauth_state');\n\n      // Persist user profile and get stable profile_id\n      const user_profile_id = await this.store.upsertUserProfile(\n        user.profile,\n        user.provider,\n      );\n\n      // Generate authorization code\n      const authCode = randomBytes(32).toString('base64url');\n\n      // Store the auth code\n      await this.store.storeAuthCode({\n        code: authCode,\n        user_id: user.profile.username,\n        client_id: session.clientId!,\n        redirect_uri: session.redirectUri!,\n        code_challenge: session.codeChallenge!,\n        code_challenge_method: session.codeChallengeMethod!,\n        expires_at: Date.now() + this.options.authCodeExpiresIn,\n        resource: session.resource,\n        scope: session.scope,\n        user_profile_id,\n      });\n\n      // Build redirect URL with authorization code\n      const redirectUrl = new URL(session.redirectUri!);\n      redirectUrl.searchParams.set('code', authCode);\n      if (session.oauthState) {\n        redirectUrl.searchParams.set('state', session.oauthState);\n      }\n\n      // Clean up session\n      await this.store.removeOAuthSession(sessionId);\n\n      res.redirect(redirectUrl.toString());\n    }\n\n    @Post(endpoints.token)\n    @Header('content-type', 'application/json')\n    @Header('Cache-Control', 'no-store')\n    @Header('Pragma', 'no-cache')\n    @HttpCode(200)\n    async exchangeToken(\n      @Body() body: any,\n      @Req() req: RequestWithRawBody,\n      @Res({ passthrough: true }) res: Response,\n    ): Promise<TokenPair> {\n      // Apply middleware to capture raw body if needed\n      const isFormUrlEncoded = req.headers['content-type']?.includes(\n        'application/x-www-form-urlencoded',\n      );\n      const isBodyEmpty =\n        !body ||\n        (typeof body === 'object' &&\n          Object.keys(body as Record<string, unknown>).length === 0);\n\n      if (isFormUrlEncoded && isBodyEmpty) {\n        return new Promise((resolve, reject) => {\n          this.captureRawBody(req, res, (err?: any) => {\n            if (err) {\n              reject(\n                err instanceof Error ? err : new Error(String(err ?? 'error')),\n              );\n              return;\n            }\n\n            // Avoid returning a Promise from the callback; use an IIFE\n            void (async () => {\n              try {\n                // Re-parse the body after middleware has captured it\n                const parsedBody = this.parseRequestBody(req.body || body, req);\n                const result = await this.processTokenExchange(parsedBody, req);\n                resolve(result);\n              } catch (error) {\n                reject(\n                  error instanceof Error\n                    ? error\n                    : new Error(String(error ?? 'error')),\n                );\n              }\n            })();\n          });\n        });\n      }\n\n      // Body is already parsed, process directly\n      const parsedBody = this.parseRequestBody(body, req);\n      return this.processTokenExchange(parsedBody, req);\n    }\n\n    async processTokenExchange(\n      parsedBody: Record<string, any>,\n      req: RequestWithRawBody,\n    ): Promise<TokenPair> {\n      const { grant_type, code, code_verifier, redirect_uri, refresh_token } =\n        parsedBody;\n\n      // Add debugging to help identify issues\n      if (!grant_type) {\n        this.logger.error('Missing grant_type in request body:', {\n          parsedBodyKeys: Object.keys(parsedBody),\n          contentType: req.headers['content-type'],\n          textBody: req.textBody,\n          parsedBody,\n        });\n        throw new BadRequestException('Missing grant_type parameter');\n      }\n\n      switch (grant_type) {\n        case 'authorization_code': {\n          // Extract client credentials based on authentication method\n          const clientCredentials = this.extractClientCredentials(\n            req,\n            parsedBody,\n          );\n          return await this.handleAuthorizationCodeGrant(\n            typeof code === 'string' ? code : String(code ?? ''),\n            typeof code_verifier === 'string'\n              ? code_verifier\n              : String(code_verifier ?? ''),\n            typeof redirect_uri === 'string'\n              ? redirect_uri\n              : String(redirect_uri ?? ''),\n            clientCredentials,\n          );\n        }\n        case 'refresh_token': {\n          // For refresh tokens, try to extract client credentials, but allow fallback to token-based extraction\n          let clientCredentials: { client_id: string; client_secret?: string };\n          try {\n            clientCredentials = this.extractClientCredentials(req, parsedBody);\n          } catch {\n            // If we can't extract credentials, we'll try to get them from the refresh token\n            clientCredentials = { client_id: '' }; // Will be filled from token\n          }\n          return await this.handleRefreshTokenGrant(\n            typeof refresh_token === 'string'\n              ? refresh_token\n              : String(refresh_token ?? ''),\n            clientCredentials,\n          );\n        }\n        default:\n          throw new BadRequestException(\n            `Unsupported grant_type: ${grant_type}`,\n          );\n      }\n    }\n\n    /**\n     * Extract client credentials from request based on authentication method\n     */\n    extractClientCredentials(\n      req: RequestWithRawBody,\n      body: any,\n    ): { client_id: string; client_secret?: string } {\n      // Parse the body using the shared utility function\n      const parsedBody = this.parseRequestBody(body, req);\n\n      // Try client_secret_basic first (Authorization header)\n      const authHeader = req.headers?.authorization;\n      if (authHeader && authHeader.startsWith('Basic ')) {\n        const credentials = Buffer.from(authHeader.slice(6), 'base64').toString(\n          'utf-8',\n        );\n        const [client_id, client_secret] = credentials.split(':', 2);\n        if (client_id) {\n          return { client_id, client_secret };\n        }\n      }\n\n      // Try client_secret_post (body parameters)\n      if (parsedBody.client_id) {\n        return {\n          client_id: parsedBody.client_id,\n          client_secret: parsedBody.client_secret,\n        };\n      }\n\n      throw new BadRequestException('Missing client credentials');\n    }\n\n    /**\n     * Validate client authentication based on the client's configured method\n     */\n    validateClientAuthentication(\n      client: any,\n      clientCredentials: { client_id: string; client_secret?: string },\n    ): void {\n      if (!client) {\n        throw new BadRequestException('Invalid client_id');\n      }\n\n      const { token_endpoint_auth_method } = client;\n\n      switch (token_endpoint_auth_method) {\n        case 'client_secret_basic':\n        case 'client_secret_post':\n          if (!clientCredentials.client_secret) {\n            throw new BadRequestException(\n              'Client secret required for this authentication method',\n            );\n          }\n          if (client.client_secret !== clientCredentials.client_secret) {\n            throw new BadRequestException('Invalid client credentials');\n          }\n          break;\n\n        case 'none':\n          // Public client - no secret required\n          if (clientCredentials.client_secret) {\n            throw new BadRequestException(\n              'Client secret not allowed for public clients',\n            );\n          }\n          break;\n\n        default:\n          throw new BadRequestException(\n            `Unsupported authentication method: ${token_endpoint_auth_method}`,\n          );\n      }\n    }\n\n    async handleAuthorizationCodeGrant(\n      code: string,\n      code_verifier: string,\n      _redirect_uri: string,\n      clientCredentials: { client_id: string; client_secret?: string },\n    ): Promise<TokenPair> {\n      this.logger.debug('handleAuthorizationCodeGrant - Params:', {\n        code,\n        client_id: clientCredentials.client_id,\n      });\n\n      // Get and validate the authorization code\n      const authCode = await this.store.getAuthCode(code);\n      if (!authCode) {\n        this.logger.error(\n          'handleAuthorizationCodeGrant - Invalid authorization code:',\n          code,\n        );\n        throw new BadRequestException('Invalid authorization code');\n      }\n      if (authCode.expires_at < Date.now()) {\n        await this.store.removeAuthCode(code);\n        this.logger.error(\n          'handleAuthorizationCodeGrant - Authorization code expired:',\n          code,\n        );\n        throw new BadRequestException('Authorization code has expired');\n      }\n      if (authCode.client_id !== clientCredentials.client_id) {\n        this.logger.error(\n          'handleAuthorizationCodeGrant - Client ID mismatch:',\n          { expected: authCode.client_id, got: clientCredentials.client_id },\n        );\n        throw new BadRequestException('Client ID mismatch');\n      }\n\n      // Get client and validate authentication\n      const client = await this.clientService.getClient(\n        clientCredentials.client_id,\n      );\n      this.validateClientAuthentication(client, clientCredentials);\n      if (authCode.code_challenge) {\n        const isValid = this.validatePKCE(\n          code_verifier,\n          authCode.code_challenge,\n          authCode.code_challenge_method,\n        );\n        if (!isValid) {\n          this.logger.error(\n            'handleAuthorizationCodeGrant - Invalid PKCE verification',\n          );\n          throw new BadRequestException('Invalid PKCE verification');\n        }\n      }\n      if (!authCode.resource) {\n        this.logger.error(\n          'handleAuthorizationCodeGrant - No resource associated with code',\n        );\n        throw new BadRequestException(\n          'Authorization code is not associated with a resource',\n        );\n      }\n\n      let userData: Record<string, unknown> | undefined = undefined;\n      if (authCode.user_profile_id) {\n        try {\n          const profile = await this.store.getUserProfileById(\n            authCode.user_profile_id,\n          );\n          if (profile) {\n            // Avoid circular/large raw payloads if present\n            userData = { ...profile };\n          }\n        } catch (e) {\n          this.logger.warn('Failed to load user profile for token payload', e);\n        }\n      }\n\n      const tokens = this.jwtTokenService.generateTokenPair(\n        authCode.user_id,\n        clientCredentials.client_id,\n        authCode.scope,\n        authCode.resource,\n        {\n          user_profile_id: authCode.user_profile_id,\n          user_data: userData,\n        },\n      );\n      await this.store.removeAuthCode(code);\n      this.logger.debug(\n        'handleAuthorizationCodeGrant - Token pair generated for user:',\n        authCode.user_id,\n      );\n      return tokens;\n    }\n\n    async handleRefreshTokenGrant(\n      refresh_token: string,\n      clientCredentials: { client_id: string; client_secret?: string },\n    ): Promise<TokenPair> {\n      // Verify the refresh token first to get client_id from token if not provided\n      const payload = this.jwtTokenService.validateToken(refresh_token);\n      if (!payload || payload.type !== 'refresh') {\n        throw new BadRequestException('Invalid or expired refresh token');\n      }\n\n      // Use client_id from token if not provided in credentials\n      const clientId = clientCredentials.client_id || payload.client_id;\n      if (!clientId) {\n        throw new BadRequestException('Unable to determine client_id');\n      }\n\n      // Get client and validate authentication\n      const client = await this.clientService.getClient(clientId);\n\n      // For refresh token grants, we can be more lenient with client authentication\n      // if the token already contains the client_id and the client is public\n      if (client?.token_endpoint_auth_method !== 'none') {\n        this.validateClientAuthentication(client, {\n          ...clientCredentials,\n          client_id: clientId,\n        });\n      }\n\n      // Verify the refresh token belongs to the client\n      if (payload.client_id !== clientId) {\n        throw new BadRequestException(\n          'Invalid refresh token or token does not belong to this client',\n        );\n      }\n\n      let newTokens: TokenPair | null = null;\n      try {\n        const payload = this.jwtTokenService.validateToken(refresh_token);\n        if (!payload || payload.type !== 'refresh') {\n          throw new BadRequestException('Invalid or expired refresh token');\n        }\n\n        let userData: Record<string, unknown> | undefined = undefined;\n        if (payload.user_profile_id) {\n          try {\n            const profile = await this.store.getUserProfileById(\n              payload.user_profile_id,\n            );\n            if (profile) userData = { ...profile };\n          } catch (e) {\n            this.logger.warn(\n              'Failed to load user profile for refreshed token payload',\n              e,\n            );\n          }\n        }\n\n        newTokens = this.jwtTokenService.generateTokenPair(\n          payload.sub,\n          clientId,\n          payload.scope,\n          payload.resource,\n          {\n            user_profile_id: payload.user_profile_id,\n            user_data: userData,\n          },\n        );\n      } catch (e) {\n        this.logger.warn(\n          'Refresh flow failed using enriched path, fallback',\n          e,\n        );\n        newTokens = this.jwtTokenService.refreshAccessToken(refresh_token);\n      }\n\n      if (!newTokens) throw new BadRequestException('Failed to refresh token');\n      return newTokens;\n    }\n\n    validatePKCE(\n      code_verifier: string,\n      code_challenge: string,\n      method: string,\n    ): boolean {\n      if (method === 'plain') {\n        return code_verifier === code_challenge;\n      } else if (method === 'S256') {\n        const hash = createHash('sha256')\n          .update(code_verifier)\n          .digest('base64url');\n        return hash === code_challenge;\n      }\n      return false;\n    }\n  }\n\n  return McpOAuthController;\n}\n"]}

package/dist/authz/mcp-oauth.module.d.ts

@@ -1,5 +1,5 @@
 import { DynamicModule } from '@nestjs/common';
-import { OAuthUserModuleOptions as AuthUserModuleOptions, OAuthModuleDefaults } from './providers/oauth-provider.interface';
+import type { OAuthUserModuleOptions as AuthUserModuleOptions, OAuthModuleDefaults } from './providers/oauth-provider.interface';
 export declare const DEFAULT_OPTIONS: OAuthModuleDefaults;
 export declare class McpAuthModule {
     readonly __isMcpAuthModule = true;

package/dist/authz/mcp-oauth.module.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-oauth.module.d.ts","sourceRoot":"","sources":["../../src/authz/mcp-oauth.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAU,MAAM,gBAAgB,CAAC;AAMvD,OAAO,EACL,sBAAsB,IAAI,qBAAqB,EAE/C,mBAAmB,EAEpB,MAAM,sCAAsC,CAAC;AAW9C,eAAO,MAAM,eAAe,EAAE,mBA4C7B,CAAC;AAEF,qBACa,aAAa;IAIxB,QAAQ,CAAC,iBAAiB,QAAQ;IAElC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,qBAAqB,GAAG,aAAa;IA4J7D,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAkDtC,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAiBtC,OAAO,CAAC,MAAM,CAAC,uBAAuB;IA0BtC,OAAO,CAAC,MAAM,CAAC,mBAAmB;CAoCnC"}
+{"version":3,"file":"mcp-oauth.module.d.ts","sourceRoot":"","sources":["../../src/authz/mcp-oauth.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAU,MAAM,gBAAgB,CAAC;AAMvD,OAAO,KAAK,EACV,sBAAsB,IAAI,qBAAqB,EAE/C,mBAAmB,EAEpB,MAAM,sCAAsC,CAAC;AAW9C,eAAO,MAAM,eAAe,EAAE,mBA4C7B,CAAC;AAEF,qBACa,aAAa;IAIxB,QAAQ,CAAC,iBAAiB,QAAQ;IAElC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,qBAAqB,GAAG,aAAa;IA4J7D,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAkDtC,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAiBtC,OAAO,CAAC,MAAM,CAAC,uBAAuB;IA0BtC,OAAO,CAAC,MAAM,CAAC,mBAAmB;CAoCnC"}

package/dist/authz/mcp-oauth.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-oauth.module.js","sourceRoot":"","sources":["../../src/authz/mcp-oauth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAuD;AACvD,2CAA8C;AAC9C,qCAAwC;AACxC,+CAAkD;AAClD,4DAA0D;AAC1D,iEAAkE;AAOlE,8DAA0D;AAC1D,oEAA+D;AAC/D,8EAAyE;AACzE,wEAA4D;AAC5D,wEAAoE;AACpE,0DAA2E;AAE3E,IAAI,qBAAqB,GAAG,CAAC,CAAC;AAGjB,QAAA,eAAe,GAAwB;IAClD,SAAS,EAAE,uBAAuB;IAClC,QAAQ,EAAE,2BAA2B;IACrC,SAAS,EAAE,uBAAuB;IAClC,WAAW,EAAE,YAAY;IACzB,uBAAuB,EAAE,IAAI;IAC7B,wBAAwB,EAAE,KAAK;IAC/B,mBAAmB,EAAE,IAAI;IACzB,YAAY,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IACjC,qBAAqB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;IACrC,iBAAiB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;IACjC,OAAO,EAAE,aAAa;IACtB,SAAS,EAAE,EAAE;IACb,SAAS,EAAE;QACT,oCAAoC,EAClC,yCAAyC;QAC3C,kCAAkC,EAAE,uCAAuC;QAC3E,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,YAAY;QACvB,QAAQ,EAAE,WAAW;QACrB,KAAK,EAAE,QAAQ;QACf,MAAM,EAAE,SAAS;KAClB;IACD,gBAAgB,EAAE;QAChB,oCAAoC,EAAE,KAAK;QAC3C,kCAAkC,EAAE,KAAK;KAC1C;IACD,yBAAyB,EAAE;QACzB,eAAe,EAAE,CAAC,gBAAgB,CAAC;QACnC,sBAAsB,EAAE,CAAC,QAAQ,CAAC;QAClC,oBAAoB,EAAE,CAAC,YAAY,CAAC;KACrC;IACD,2BAA2B,EAAE;QAC3B,sBAAsB,EAAE,CAAC,MAAM,CAAC;QAChC,sBAAsB,EAAE,CAAC,OAAO,CAAC;QACjC,mBAAmB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAC5D,iCAAiC,EAAE;YACjC,qBAAqB;YACrB,oBAAoB;YACpB,MAAM;SACP;QACD,eAAe,EAAE,CAAC,gBAAgB,CAAC;QACnC,6BAA6B,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;KACjD;CACF,CAAC;AAGK,IAAM,aAAa,qBAAnB,MAAM,aAAa;IAAnB;QAII,sBAAiB,GAAG,IAAI,CAAC;IA+RpC,CAAC;IA7RC,MAAM,CAAC,OAAO,CAAC,OAA8B;QAE3C,MAAM,YAAY,GAAG,mBAAmB,qBAAqB,EAAE,EAAE,CAAC;QAGlE,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAClD,uBAAe,EACf,OAAO,CACR,CAAC;QAEF,eAAe,CAAC,SAAS,GAAG,gBAAgB,CAC1C,eAAe,CAAC,SAAS,EACzB,uBAAe,CAAC,SAAS,EACzB,OAAO,CAAC,SAAS,IAAI,EAAE,CACxB,CAAC;QAGF,MAAM,uBAAuB,GAAG,wBAAwB,YAAY,EAAE,CAAC;QACvE,MAAM,kBAAkB,GAAG;YACzB,OAAO,EAAE,uBAAuB;YAChC,QAAQ,EAAE,eAAe;SAC1B,CAAC;QAGF,MAAM,OAAO,GAAG;YACd,qBAAY;YACZ,yBAAc,CAAC,QAAQ,CAAC;gBACtB,eAAe,EAAE,KAAK;gBACtB,OAAO,EAAE,KAAK;aACf,CAAC;YACF,eAAS,CAAC,QAAQ,CAAC;gBACjB,MAAM,EAAE,eAAe,CAAC,SAAS;gBACjC,WAAW,EAAE;oBACX,MAAM,EAAE,eAAe,CAAC,SAAS;oBACjC,QAAQ,EAAE,eAAe,CAAC,WAAW;iBACtC;aACF,CAAC;SACH,CAAC;QAGF,MAAM,WAAW,GAAG,eAAe,CAAC,kBAAkB,CAAC;QACvD,MAAM,cAAc,GAAG,WAAW,EAAE,IAAI,KAAK,SAAS,CAAC;QACvD,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,CAAC;YAC3C,IAAI,CAAC;gBAGH,MAAM,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBACrD,MAAM,EACJ,iBAAiB,EACjB,uBAAuB,EACvB,kBAAkB,EAClB,sBAAsB,GAEvB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAAC;gBAEzC,OAAO,CAAC,IAAI,CACV,aAAa,CAAC,OAAO,CAAC;oBACpB,GAAG,cAAc;oBAEjB,IAAI,EAAE,yCAA6B;oBACnC,QAAQ,EAAE;wBACR,iBAAiB;wBACjB,uBAAuB;wBACvB,kBAAkB;wBAClB,sBAAsB;qBACvB;iBACF,CAAC,EACF,aAAa,CAAC,UAAU,CACtB;oBACE,iBAAiB;oBACjB,uBAAuB;oBACvB,kBAAkB;oBAClB,sBAAsB;iBACvB,EACD,yCAA6B,CAC9B,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;YACJ,CAAC;QACH,CAAC;QAGD,MAAM,eAAe,GAAG,eAAe,YAAY,EAAE,CAAC;QACtD,MAAM,kBAAkB,GAAG,IAAI,CAAC,mBAAmB,CACjD,eAAe,CAAC,kBAAkB,EAClC,eAAe,CAChB,CAAC;QAGF,MAAM,uBAAuB,GAAG;YAC9B,OAAO,EAAE,kCAAW;YACpB,WAAW,EAAE,eAAe;SAC7B,CAAC;QAEF,MAAM,SAAS,GAAU;YACvB;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,QAAQ,EAAE,YAAY;aACvB;YACD,kBAAkB;YAClB,kBAAkB;YAClB,uBAAuB;YAEvB;gBACE,OAAO,EAAE,sBAAsB;gBAC/B,WAAW,EAAE,uBAAuB;aACrC;YACD;gBACE,OAAO,EAAE,aAAa;gBACtB,WAAW,EAAE,eAAe;aAC7B;YAED,6CAAoB;YACpB,8BAAa;YACb,mCAAe;YACf,gCAAe;SAChB,CAAC;QAKF,MAAM,oBAAoB,GAAG,IAAA,+CAAwB,EACnD,eAAe,CAAC,SAAS,EACzB;YACE,2CAA2C,EACzC,eAAe,CAAC,gBAAgB;iBAC7B,oCAAoC,IAAI,KAAK;YAClD,yCAAyC,EACvC,eAAe,CAAC,gBAAgB,CAAC,kCAAkC;gBACnE,KAAK;SACR,EACD,YAAY,CACb,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,eAAa;YACrB,OAAO;YACP,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,SAAS;YACT,OAAO,EAAE;gBACP,iBAAiB;gBACjB,sBAAsB;gBACtB,aAAa;gBACb,mCAAe;gBACf,8BAAa;gBACb,6CAAoB;gBACpB,gCAAe;gBACf,kCAAW;aACZ;SACF,CAAC;IACJ,CAAC;IAEO,MAAM,CAAC,uBAAuB,CACpC,QAA6B,EAC7B,OAA8B;QAG9B,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAGtC,MAAM,eAAe,GAAuB;YAC1C,GAAG,QAAQ;YACX,GAAG,OAAO;YAEV,SAAS,EACP,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,IAAI,uBAAe,CAAC,SAAS;YACrE,YAAY,EACV,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YAE/D,yBAAyB,EAAE;gBACzB,GAAG,QAAQ,CAAC,yBAAyB;gBACrC,GAAG,OAAO,CAAC,yBAAyB;aACrC;YAED,2BAA2B,EAAE;gBAC3B,GAAG,QAAQ,CAAC,2BAA2B;gBACvC,GAAG,OAAO,CAAC,2BAA2B;aACvC;YAED,gBAAgB,EAAE;gBAChB,GAAG,QAAQ,CAAC,gBAAgB;gBAC5B,GAAG,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;aACpC;SACF,CAAC;QAEF,IAAI,CAAC,eAAe,CAAC,mBAAmB,EAAE,CAAC;YACzC,eAAe,CAAC,2BAA2B,CAAC,mBAAmB;gBAC7D,eAAe,CAAC,2BAA2B,CAAC,mBAAmB,CAAC,MAAM,CACpE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,eAAe,CAC7B,CAAC;YACJ,eAAe,CAAC,yBAAyB,CAAC,eAAe;gBACvD,eAAe,CAAC,yBAAyB,CAAC,eAAe,CAAC,MAAM,CAC9D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,gBAAgB,CAC9B,CAAC;QACN,CAAC;QAGD,IAAI,CAAC,uBAAuB,CAAC,eAAe,CAAC,CAAC;QAE9C,OAAO,eAAe,CAAC;IACzB,CAAC;IAEO,MAAM,CAAC,uBAAuB,CAAC,OAA8B;QACnE,MAAM,cAAc,GAAoC;YACtD,UAAU;YACV,UAAU;YACV,cAAc;YACd,WAAW;SACZ,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CACb,uBAAuB,MAAM,CAAC,KAAK,CAAC,+CAA+C,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,uBAAuB,CAAC,OAA2B;QAEhE,IAAI,OAAO,CAAC,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CACb,mEAAmE,CACpE,CAAC;QACJ,CAAC;QAGD,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC3B,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAGD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,mBAAmB,CAChC,kBAA4D,EAC5D,YAAoB;QAEpB,IAAI,CAAC,kBAAkB,IAAI,kBAAkB,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAEhE,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,IAAI,kCAAW,EAAE;aAC5B,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAE1C,MAAM,EACJ,YAAY,GAEb,GAAG,OAAO,CAAC,wCAAwC,CAAC,CAAC;YACtD,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,YAAY;aACvB,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAEzC,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,kBAAkB,CAAC,KAAK;aACnC,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CACb,qCAAsC,kBAA0B,CAAC,IAAI,EAAE,CACxE,CAAC;IACJ,CAAC;CACF,CAAA;AAnSY,sCAAa;wBAAb,aAAa;IADzB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,aAAa,CAmSzB;AAED,SAAS,gBAAgB,CACvB,SAAiB,EACjB,gBAA4C,EAC5C,mBAA+C;IAE/C,MAAM,uBAAuB,GAAG;QAC9B,oCAAoC,EAClC,gBAAgB,CAAC,oCAAoC;QACvD,kCAAkC,EAChC,gBAAgB,CAAC,kCAAkC;QACrD,QAAQ,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,QAAQ,EAAE,CAAC;QACzE,KAAK,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,KAAK,EAAE,CAAC;QACnE,MAAM,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;QAC3E,QAAQ,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,QAAQ,EAAE,CAAC;KAC5C,CAAC;IAEhC,OAAO;QACL,GAAG,uBAAuB;QAC1B,GAAG,mBAAmB;KACvB,CAAC;AACJ,CAAC","sourcesContent":["import { DynamicModule, Module } from '@nestjs/common';\nimport { ConfigModule } from '@nestjs/config';\nimport { JwtModule } from '@nestjs/jwt';\nimport { PassportModule } from '@nestjs/passport';\nimport { McpAuthJwtGuard } from './guards/jwt-auth.guard';\nimport { createMcpOAuthController } from './mcp-oauth.controller';\nimport {\n  OAuthUserModuleOptions as AuthUserModuleOptions,\n  OAuthEndpointConfiguration,\n  OAuthModuleDefaults,\n  OAuthModuleOptions,\n} from './providers/oauth-provider.interface';\nimport { ClientService } from './services/client.service';\nimport { JwtTokenService } from './services/jwt-token.service';\nimport { OAuthStrategyService } from './services/oauth-strategy.service';\nimport { MemoryStore } from './stores/memory-store.service';\nimport { normalizeEndpoint } from '../mcp/utils/normalize-endpoint';\nimport { OAUTH_TYPEORM_CONNECTION_NAME } from './stores/typeorm/constants';\n\nlet authInstanceIdCounter = 0;\n\n// Default configuration values\nexport const DEFAULT_OPTIONS: OAuthModuleDefaults = {\n  serverUrl: 'http://localhost:3000',\n  resource: 'http://localhost:3000/mcp',\n  jwtIssuer: 'http://localhost:3000',\n  jwtAudience: 'mcp-client',\n  jwtAccessTokenExpiresIn: '1d',\n  jwtRefreshTokenExpiresIn: '30d',\n  enableRefreshTokens: true,\n  cookieMaxAge: 24 * 60 * 60 * 1000, // 24 hours\n  oauthSessionExpiresIn: 10 * 60 * 1000, // 10 minutes\n  authCodeExpiresIn: 10 * 60 * 1000, // 10 minutes\n  nodeEnv: 'development',\n  apiPrefix: '',\n  endpoints: {\n    wellKnownAuthorizationServerMetadata:\n      '/.well-known/oauth-authorization-server',\n    wellKnownProtectedResourceMetadata: '/.well-known/oauth-protected-resource',\n    register: '/register',\n    authorize: '/authorize',\n    callback: '/callback',\n    token: '/token',\n    revoke: '/revoke',\n  },\n  disableEndpoints: {\n    wellKnownAuthorizationServerMetadata: false,\n    wellKnownProtectedResourceMetadata: false,\n  },\n  protectedResourceMetadata: {\n    scopesSupported: ['offline_access'],\n    bearerMethodsSupported: ['header'],\n    mcpVersionsSupported: ['2025-06-18'],\n  },\n  authorizationServerMetadata: {\n    responseTypesSupported: ['code'],\n    responseModesSupported: ['query'],\n    grantTypesSupported: ['authorization_code', 'refresh_token'],\n    tokenEndpointAuthMethodsSupported: [\n      'client_secret_basic',\n      'client_secret_post',\n      'none',\n    ],\n    scopesSupported: ['offline_access'],\n    codeChallengeMethodsSupported: ['plain', 'S256'],\n  },\n};\n\n@Module({})\nexport class McpAuthModule {\n  /**\n   * To avoid import circular dependency issues, we use a marker property.\n   */\n  readonly __isMcpAuthModule = true;\n\n  static forRoot(options: AuthUserModuleOptions): DynamicModule {\n    // Create a unique instance ID for this auth module\n    const authModuleId = `mcp-auth-module-${authInstanceIdCounter++}`;\n\n    // Merge user options with defaults and validate\n    const resolvedOptions = this.mergeAndValidateOptions(\n      DEFAULT_OPTIONS,\n      options,\n    );\n\n    resolvedOptions.endpoints = prepareEndpoints(\n      resolvedOptions.apiPrefix,\n      DEFAULT_OPTIONS.endpoints,\n      options.endpoints || {},\n    );\n\n    // Use instance-scoped token for OAuth options\n    const oauthModuleOptionsToken = `OAUTH_MODULE_OPTIONS_${authModuleId}`;\n    const oauthModuleOptions = {\n      provide: oauthModuleOptionsToken,\n      useValue: resolvedOptions,\n    };\n\n    // Determine imports based on configuration\n    const imports = [\n      ConfigModule,\n      PassportModule.register({\n        defaultStrategy: 'jwt',\n        session: false,\n      }),\n      JwtModule.register({\n        secret: resolvedOptions.jwtSecret,\n        signOptions: {\n          issuer: resolvedOptions.jwtIssuer,\n          audience: resolvedOptions.jwtAudience,\n        },\n      }),\n    ];\n\n    // Add TypeORM configuration if using TypeORM store\n    const storeConfig = resolvedOptions.storeConfiguration;\n    const isTypeOrmStore = storeConfig?.type === 'typeorm';\n    if (isTypeOrmStore) {\n      const typeormOptions = storeConfig.options;\n      try {\n        // Require TypeORM-related modules only when needed\n        // eslint-disable-next-line @typescript-eslint/no-require-imports\n        const { TypeOrmModule } = require('@nestjs/typeorm');\n        const {\n          OAuthClientEntity,\n          AuthorizationCodeEntity,\n          OAuthSessionEntity,\n          OAuthUserProfileEntity,\n          // eslint-disable-next-line @typescript-eslint/no-require-imports\n        } = require('./stores/typeorm/entities');\n\n        imports.push(\n          TypeOrmModule.forRoot({\n            ...typeormOptions,\n            // Use a unique connection name for the OAuth store to avoid clashes\n            name: OAUTH_TYPEORM_CONNECTION_NAME,\n            entities: [\n              OAuthClientEntity,\n              AuthorizationCodeEntity,\n              OAuthSessionEntity,\n              OAuthUserProfileEntity,\n            ],\n          }),\n          TypeOrmModule.forFeature(\n            [\n              OAuthClientEntity,\n              AuthorizationCodeEntity,\n              OAuthSessionEntity,\n              OAuthUserProfileEntity,\n            ],\n            OAUTH_TYPEORM_CONNECTION_NAME,\n          ),\n        );\n      } catch (err) {\n        throw new Error(\n          \"To use the TypeORM store, please install '@nestjs/typeorm' and 'typeorm'.\",\n        );\n      }\n    }\n\n    // Create store provider based on configuration with instance-scoped token\n    const oauthStoreToken = `IOAuthStore_${authModuleId}`;\n    const oauthStoreProvider = this.createStoreProvider(\n      resolvedOptions.storeConfiguration,\n      oauthStoreToken,\n    );\n\n    // Create alias for compatibility with injection\n    const oauthStoreAliasProvider = {\n      provide: MemoryStore,\n      useExisting: oauthStoreToken,\n    };\n\n    const providers: any[] = [\n      {\n        provide: 'OAUTH_MODULE_ID',\n        useValue: authModuleId,\n      },\n      oauthModuleOptions,\n      oauthStoreProvider,\n      oauthStoreAliasProvider,\n      // Provide backward-compatible tokens as aliases\n      {\n        provide: 'OAUTH_MODULE_OPTIONS',\n        useExisting: oauthModuleOptionsToken,\n      },\n      {\n        provide: 'IOAuthStore',\n        useExisting: oauthStoreToken,\n      },\n      // Provide services using their class tokens\n      OAuthStrategyService,\n      ClientService,\n      JwtTokenService,\n      McpAuthJwtGuard,\n    ];\n\n    // No additional providers needed for TypeORM store - provider is created dynamically\n\n    // Create controller with apiPrefix, passing the instance-scoped tokens\n    const OAuthControllerClass = createMcpOAuthController(\n      resolvedOptions.endpoints,\n      {\n        disableWellKnownAuthorizationServerMetadata:\n          resolvedOptions.disableEndpoints\n            .wellKnownAuthorizationServerMetadata ?? false,\n        disableWellKnownProtectedResourceMetadata:\n          resolvedOptions.disableEndpoints.wellKnownProtectedResourceMetadata ??\n          false,\n      },\n      authModuleId,\n    );\n\n    return {\n      module: McpAuthModule,\n      imports,\n      controllers: [OAuthControllerClass],\n      providers,\n      exports: [\n        'OAUTH_MODULE_ID',\n        'OAUTH_MODULE_OPTIONS',\n        'IOAuthStore',\n        JwtTokenService,\n        ClientService,\n        OAuthStrategyService,\n        McpAuthJwtGuard,\n        MemoryStore,\n      ],\n    };\n  }\n\n  private static mergeAndValidateOptions(\n    defaults: OAuthModuleDefaults,\n    options: AuthUserModuleOptions,\n  ): OAuthModuleOptions {\n    // Validate required options first\n    this.validateRequiredOptions(options);\n\n    // Merge with defaults\n    const resolvedOptions: OAuthModuleOptions = {\n      ...defaults,\n      ...options,\n      // Ensure jwtIssuer defaults to serverUrl if not provided\n      jwtIssuer:\n        options.jwtIssuer || options.serverUrl || DEFAULT_OPTIONS.jwtIssuer,\n      cookieSecure:\n        options.cookieSecure || process.env.NODE_ENV === 'production',\n      // Merge protectedResourceMetadata with defaults\n      protectedResourceMetadata: {\n        ...defaults.protectedResourceMetadata,\n        ...options.protectedResourceMetadata,\n      },\n      // Merge authorizationServerMetadata with defaults\n      authorizationServerMetadata: {\n        ...defaults.authorizationServerMetadata,\n        ...options.authorizationServerMetadata,\n      },\n      // Merge disableEndpoints with defaults\n      disableEndpoints: {\n        ...defaults.disableEndpoints,\n        ...(options.disableEndpoints || {}),\n      },\n    };\n\n    if (!resolvedOptions.enableRefreshTokens) {\n      resolvedOptions.authorizationServerMetadata.grantTypesSupported =\n        resolvedOptions.authorizationServerMetadata.grantTypesSupported.filter(\n          (g) => g !== 'refresh_token',\n        );\n      resolvedOptions.protectedResourceMetadata.scopesSupported =\n        resolvedOptions.protectedResourceMetadata.scopesSupported.filter(\n          (s) => s !== 'offline_access',\n        );\n    }\n\n    // Final validation of resolved options\n    this.validateResolvedOptions(resolvedOptions);\n\n    return resolvedOptions;\n  }\n\n  private static validateRequiredOptions(options: AuthUserModuleOptions): void {\n    const requiredFields: (keyof AuthUserModuleOptions)[] = [\n      'provider',\n      'clientId',\n      'clientSecret',\n      'jwtSecret',\n    ];\n\n    for (const field of requiredFields) {\n      if (!options[field]) {\n        throw new Error(\n          `OAuthModuleOptions: ${String(field)} is required and must be provided by the user`,\n        );\n      }\n    }\n  }\n\n  private static validateResolvedOptions(options: OAuthModuleOptions): void {\n    // Validate JWT secret is strong enough\n    if (options.jwtSecret.length < 32) {\n      throw new Error(\n        'OAuthModuleOptions: jwtSecret must be at least 32 characters long',\n      );\n    }\n\n    // Validate URLs are proper format\n    try {\n      new URL(options.serverUrl);\n      new URL(options.jwtIssuer);\n    } catch {\n      throw new Error(\n        'OAuthModuleOptions: serverUrl and jwtIssuer must be valid URLs',\n      );\n    }\n\n    // Validate provider configuration\n    if (!options.provider.name || !options.provider.strategy) {\n      throw new Error(\n        'OAuthModuleOptions: provider must have name and strategy',\n      );\n    }\n  }\n\n  private static createStoreProvider(\n    storeConfiguration: OAuthModuleOptions['storeConfiguration'],\n    provideToken: string,\n  ) {\n    if (!storeConfiguration || storeConfiguration.type === 'memory') {\n      // Default memory store\n      return {\n        provide: provideToken,\n        useValue: new MemoryStore(),\n      };\n    }\n\n    if (storeConfiguration.type === 'typeorm') {\n      // TypeORM store\n      const {\n        TypeOrmStore,\n        // eslint-disable-next-line @typescript-eslint/no-require-imports\n      } = require('./stores/typeorm/typeorm-store.service');\n      return {\n        provide: provideToken,\n        useClass: TypeOrmStore,\n      };\n    }\n\n    if (storeConfiguration.type === 'custom') {\n      // Custom store\n      return {\n        provide: provideToken,\n        useValue: storeConfiguration.store,\n      };\n    }\n\n    throw new Error(\n      `Unknown store configuration type: ${(storeConfiguration as any).type}`,\n    );\n  }\n}\n\nfunction prepareEndpoints(\n  apiPrefix: string,\n  defaultEndpoints: OAuthEndpointConfiguration,\n  configuredEndpoints: OAuthEndpointConfiguration,\n) {\n  const updatedDefaultEndpoints = {\n    wellKnownAuthorizationServerMetadata:\n      defaultEndpoints.wellKnownAuthorizationServerMetadata,\n    wellKnownProtectedResourceMetadata:\n      defaultEndpoints.wellKnownProtectedResourceMetadata,\n    callback: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.callback}`),\n    token: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.token}`),\n    revoke: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.revoke}`),\n    authorize: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.authorize}`),\n    register: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.register}`),\n  } as OAuthEndpointConfiguration;\n\n  return {\n    ...updatedDefaultEndpoints,\n    ...configuredEndpoints,\n  };\n}\n"]}
+{"version":3,"file":"mcp-oauth.module.js","sourceRoot":"","sources":["../../src/authz/mcp-oauth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAuD;AACvD,2CAA8C;AAC9C,qCAAwC;AACxC,+CAAkD;AAClD,4DAA0D;AAC1D,iEAAkE;AAOlE,8DAA0D;AAC1D,oEAA+D;AAC/D,8EAAyE;AACzE,wEAA4D;AAC5D,wEAAoE;AACpE,0DAA2E;AAE3E,IAAI,qBAAqB,GAAG,CAAC,CAAC;AAGjB,QAAA,eAAe,GAAwB;IAClD,SAAS,EAAE,uBAAuB;IAClC,QAAQ,EAAE,2BAA2B;IACrC,SAAS,EAAE,uBAAuB;IAClC,WAAW,EAAE,YAAY;IACzB,uBAAuB,EAAE,IAAI;IAC7B,wBAAwB,EAAE,KAAK;IAC/B,mBAAmB,EAAE,IAAI;IACzB,YAAY,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IACjC,qBAAqB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;IACrC,iBAAiB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;IACjC,OAAO,EAAE,aAAa;IACtB,SAAS,EAAE,EAAE;IACb,SAAS,EAAE;QACT,oCAAoC,EAClC,yCAAyC;QAC3C,kCAAkC,EAAE,uCAAuC;QAC3E,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,YAAY;QACvB,QAAQ,EAAE,WAAW;QACrB,KAAK,EAAE,QAAQ;QACf,MAAM,EAAE,SAAS;KAClB;IACD,gBAAgB,EAAE;QAChB,oCAAoC,EAAE,KAAK;QAC3C,kCAAkC,EAAE,KAAK;KAC1C;IACD,yBAAyB,EAAE;QACzB,eAAe,EAAE,CAAC,gBAAgB,CAAC;QACnC,sBAAsB,EAAE,CAAC,QAAQ,CAAC;QAClC,oBAAoB,EAAE,CAAC,YAAY,CAAC;KACrC;IACD,2BAA2B,EAAE;QAC3B,sBAAsB,EAAE,CAAC,MAAM,CAAC;QAChC,sBAAsB,EAAE,CAAC,OAAO,CAAC;QACjC,mBAAmB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAC5D,iCAAiC,EAAE;YACjC,qBAAqB;YACrB,oBAAoB;YACpB,MAAM;SACP;QACD,eAAe,EAAE,CAAC,gBAAgB,CAAC;QACnC,6BAA6B,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;KACjD;CACF,CAAC;AAGK,IAAM,aAAa,qBAAnB,MAAM,aAAa;IAAnB;QAII,sBAAiB,GAAG,IAAI,CAAC;IA+RpC,CAAC;IA7RC,MAAM,CAAC,OAAO,CAAC,OAA8B;QAE3C,MAAM,YAAY,GAAG,mBAAmB,qBAAqB,EAAE,EAAE,CAAC;QAGlE,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAClD,uBAAe,EACf,OAAO,CACR,CAAC;QAEF,eAAe,CAAC,SAAS,GAAG,gBAAgB,CAC1C,eAAe,CAAC,SAAS,EACzB,uBAAe,CAAC,SAAS,EACzB,OAAO,CAAC,SAAS,IAAI,EAAE,CACxB,CAAC;QAGF,MAAM,uBAAuB,GAAG,wBAAwB,YAAY,EAAE,CAAC;QACvE,MAAM,kBAAkB,GAAG;YACzB,OAAO,EAAE,uBAAuB;YAChC,QAAQ,EAAE,eAAe;SAC1B,CAAC;QAGF,MAAM,OAAO,GAAG;YACd,qBAAY;YACZ,yBAAc,CAAC,QAAQ,CAAC;gBACtB,eAAe,EAAE,KAAK;gBACtB,OAAO,EAAE,KAAK;aACf,CAAC;YACF,eAAS,CAAC,QAAQ,CAAC;gBACjB,MAAM,EAAE,eAAe,CAAC,SAAS;gBACjC,WAAW,EAAE;oBACX,MAAM,EAAE,eAAe,CAAC,SAAS;oBACjC,QAAQ,EAAE,eAAe,CAAC,WAAW;iBACtC;aACF,CAAC;SACH,CAAC;QAGF,MAAM,WAAW,GAAG,eAAe,CAAC,kBAAkB,CAAC;QACvD,MAAM,cAAc,GAAG,WAAW,EAAE,IAAI,KAAK,SAAS,CAAC;QACvD,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,CAAC;YAC3C,IAAI,CAAC;gBAGH,MAAM,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBACrD,MAAM,EACJ,iBAAiB,EACjB,uBAAuB,EACvB,kBAAkB,EAClB,sBAAsB,GAEvB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAAC;gBAEzC,OAAO,CAAC,IAAI,CACV,aAAa,CAAC,OAAO,CAAC;oBACpB,GAAG,cAAc;oBAEjB,IAAI,EAAE,yCAA6B;oBACnC,QAAQ,EAAE;wBACR,iBAAiB;wBACjB,uBAAuB;wBACvB,kBAAkB;wBAClB,sBAAsB;qBACvB;iBACF,CAAC,EACF,aAAa,CAAC,UAAU,CACtB;oBACE,iBAAiB;oBACjB,uBAAuB;oBACvB,kBAAkB;oBAClB,sBAAsB;iBACvB,EACD,yCAA6B,CAC9B,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;YACJ,CAAC;QACH,CAAC;QAGD,MAAM,eAAe,GAAG,eAAe,YAAY,EAAE,CAAC;QACtD,MAAM,kBAAkB,GAAG,IAAI,CAAC,mBAAmB,CACjD,eAAe,CAAC,kBAAkB,EAClC,eAAe,CAChB,CAAC;QAGF,MAAM,uBAAuB,GAAG;YAC9B,OAAO,EAAE,kCAAW;YACpB,WAAW,EAAE,eAAe;SAC7B,CAAC;QAEF,MAAM,SAAS,GAAU;YACvB;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,QAAQ,EAAE,YAAY;aACvB;YACD,kBAAkB;YAClB,kBAAkB;YAClB,uBAAuB;YAEvB;gBACE,OAAO,EAAE,sBAAsB;gBAC/B,WAAW,EAAE,uBAAuB;aACrC;YACD;gBACE,OAAO,EAAE,aAAa;gBACtB,WAAW,EAAE,eAAe;aAC7B;YAED,6CAAoB;YACpB,8BAAa;YACb,mCAAe;YACf,gCAAe;SAChB,CAAC;QAKF,MAAM,oBAAoB,GAAG,IAAA,+CAAwB,EACnD,eAAe,CAAC,SAAS,EACzB;YACE,2CAA2C,EACzC,eAAe,CAAC,gBAAgB;iBAC7B,oCAAoC,IAAI,KAAK;YAClD,yCAAyC,EACvC,eAAe,CAAC,gBAAgB,CAAC,kCAAkC;gBACnE,KAAK;SACR,EACD,YAAY,CACb,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,eAAa;YACrB,OAAO;YACP,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,SAAS;YACT,OAAO,EAAE;gBACP,iBAAiB;gBACjB,sBAAsB;gBACtB,aAAa;gBACb,mCAAe;gBACf,8BAAa;gBACb,6CAAoB;gBACpB,gCAAe;gBACf,kCAAW;aACZ;SACF,CAAC;IACJ,CAAC;IAEO,MAAM,CAAC,uBAAuB,CACpC,QAA6B,EAC7B,OAA8B;QAG9B,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAGtC,MAAM,eAAe,GAAuB;YAC1C,GAAG,QAAQ;YACX,GAAG,OAAO;YAEV,SAAS,EACP,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,IAAI,uBAAe,CAAC,SAAS;YACrE,YAAY,EACV,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YAE/D,yBAAyB,EAAE;gBACzB,GAAG,QAAQ,CAAC,yBAAyB;gBACrC,GAAG,OAAO,CAAC,yBAAyB;aACrC;YAED,2BAA2B,EAAE;gBAC3B,GAAG,QAAQ,CAAC,2BAA2B;gBACvC,GAAG,OAAO,CAAC,2BAA2B;aACvC;YAED,gBAAgB,EAAE;gBAChB,GAAG,QAAQ,CAAC,gBAAgB;gBAC5B,GAAG,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;aACpC;SACF,CAAC;QAEF,IAAI,CAAC,eAAe,CAAC,mBAAmB,EAAE,CAAC;YACzC,eAAe,CAAC,2BAA2B,CAAC,mBAAmB;gBAC7D,eAAe,CAAC,2BAA2B,CAAC,mBAAmB,CAAC,MAAM,CACpE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,eAAe,CAC7B,CAAC;YACJ,eAAe,CAAC,yBAAyB,CAAC,eAAe;gBACvD,eAAe,CAAC,yBAAyB,CAAC,eAAe,CAAC,MAAM,CAC9D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,gBAAgB,CAC9B,CAAC;QACN,CAAC;QAGD,IAAI,CAAC,uBAAuB,CAAC,eAAe,CAAC,CAAC;QAE9C,OAAO,eAAe,CAAC;IACzB,CAAC;IAEO,MAAM,CAAC,uBAAuB,CAAC,OAA8B;QACnE,MAAM,cAAc,GAAoC;YACtD,UAAU;YACV,UAAU;YACV,cAAc;YACd,WAAW;SACZ,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CACb,uBAAuB,MAAM,CAAC,KAAK,CAAC,+CAA+C,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,uBAAuB,CAAC,OAA2B;QAEhE,IAAI,OAAO,CAAC,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CACb,mEAAmE,CACpE,CAAC;QACJ,CAAC;QAGD,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC3B,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAGD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,mBAAmB,CAChC,kBAA4D,EAC5D,YAAoB;QAEpB,IAAI,CAAC,kBAAkB,IAAI,kBAAkB,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAEhE,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,IAAI,kCAAW,EAAE;aAC5B,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAE1C,MAAM,EACJ,YAAY,GAEb,GAAG,OAAO,CAAC,wCAAwC,CAAC,CAAC;YACtD,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,YAAY;aACvB,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAEzC,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,kBAAkB,CAAC,KAAK;aACnC,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CACb,qCAAsC,kBAA0B,CAAC,IAAI,EAAE,CACxE,CAAC;IACJ,CAAC;CACF,CAAA;AAnSY,sCAAa;wBAAb,aAAa;IADzB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,aAAa,CAmSzB;AAED,SAAS,gBAAgB,CACvB,SAAiB,EACjB,gBAA4C,EAC5C,mBAA+C;IAE/C,MAAM,uBAAuB,GAAG;QAC9B,oCAAoC,EAClC,gBAAgB,CAAC,oCAAoC;QACvD,kCAAkC,EAChC,gBAAgB,CAAC,kCAAkC;QACrD,QAAQ,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,QAAQ,EAAE,CAAC;QACzE,KAAK,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,KAAK,EAAE,CAAC;QACnE,MAAM,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;QAC3E,QAAQ,EAAE,IAAA,sCAAiB,EAAC,IAAI,SAAS,IAAI,gBAAgB,CAAC,QAAQ,EAAE,CAAC;KAC5C,CAAC;IAEhC,OAAO;QACL,GAAG,uBAAuB;QAC1B,GAAG,mBAAmB;KACvB,CAAC;AACJ,CAAC","sourcesContent":["import { DynamicModule, Module } from '@nestjs/common';\nimport { ConfigModule } from '@nestjs/config';\nimport { JwtModule } from '@nestjs/jwt';\nimport { PassportModule } from '@nestjs/passport';\nimport { McpAuthJwtGuard } from './guards/jwt-auth.guard';\nimport { createMcpOAuthController } from './mcp-oauth.controller';\nimport type {\n  OAuthUserModuleOptions as AuthUserModuleOptions,\n  OAuthEndpointConfiguration,\n  OAuthModuleDefaults,\n  OAuthModuleOptions,\n} from './providers/oauth-provider.interface';\nimport { ClientService } from './services/client.service';\nimport { JwtTokenService } from './services/jwt-token.service';\nimport { OAuthStrategyService } from './services/oauth-strategy.service';\nimport { MemoryStore } from './stores/memory-store.service';\nimport { normalizeEndpoint } from '../mcp/utils/normalize-endpoint';\nimport { OAUTH_TYPEORM_CONNECTION_NAME } from './stores/typeorm/constants';\n\nlet authInstanceIdCounter = 0;\n\n// Default configuration values\nexport const DEFAULT_OPTIONS: OAuthModuleDefaults = {\n  serverUrl: 'http://localhost:3000',\n  resource: 'http://localhost:3000/mcp',\n  jwtIssuer: 'http://localhost:3000',\n  jwtAudience: 'mcp-client',\n  jwtAccessTokenExpiresIn: '1d',\n  jwtRefreshTokenExpiresIn: '30d',\n  enableRefreshTokens: true,\n  cookieMaxAge: 24 * 60 * 60 * 1000, // 24 hours\n  oauthSessionExpiresIn: 10 * 60 * 1000, // 10 minutes\n  authCodeExpiresIn: 10 * 60 * 1000, // 10 minutes\n  nodeEnv: 'development',\n  apiPrefix: '',\n  endpoints: {\n    wellKnownAuthorizationServerMetadata:\n      '/.well-known/oauth-authorization-server',\n    wellKnownProtectedResourceMetadata: '/.well-known/oauth-protected-resource',\n    register: '/register',\n    authorize: '/authorize',\n    callback: '/callback',\n    token: '/token',\n    revoke: '/revoke',\n  },\n  disableEndpoints: {\n    wellKnownAuthorizationServerMetadata: false,\n    wellKnownProtectedResourceMetadata: false,\n  },\n  protectedResourceMetadata: {\n    scopesSupported: ['offline_access'],\n    bearerMethodsSupported: ['header'],\n    mcpVersionsSupported: ['2025-06-18'],\n  },\n  authorizationServerMetadata: {\n    responseTypesSupported: ['code'],\n    responseModesSupported: ['query'],\n    grantTypesSupported: ['authorization_code', 'refresh_token'],\n    tokenEndpointAuthMethodsSupported: [\n      'client_secret_basic',\n      'client_secret_post',\n      'none',\n    ],\n    scopesSupported: ['offline_access'],\n    codeChallengeMethodsSupported: ['plain', 'S256'],\n  },\n};\n\n@Module({})\nexport class McpAuthModule {\n  /**\n   * To avoid import circular dependency issues, we use a marker property.\n   */\n  readonly __isMcpAuthModule = true;\n\n  static forRoot(options: AuthUserModuleOptions): DynamicModule {\n    // Create a unique instance ID for this auth module\n    const authModuleId = `mcp-auth-module-${authInstanceIdCounter++}`;\n\n    // Merge user options with defaults and validate\n    const resolvedOptions = this.mergeAndValidateOptions(\n      DEFAULT_OPTIONS,\n      options,\n    );\n\n    resolvedOptions.endpoints = prepareEndpoints(\n      resolvedOptions.apiPrefix,\n      DEFAULT_OPTIONS.endpoints,\n      options.endpoints || {},\n    );\n\n    // Use instance-scoped token for OAuth options\n    const oauthModuleOptionsToken = `OAUTH_MODULE_OPTIONS_${authModuleId}`;\n    const oauthModuleOptions = {\n      provide: oauthModuleOptionsToken,\n      useValue: resolvedOptions,\n    };\n\n    // Determine imports based on configuration\n    const imports = [\n      ConfigModule,\n      PassportModule.register({\n        defaultStrategy: 'jwt',\n        session: false,\n      }),\n      JwtModule.register({\n        secret: resolvedOptions.jwtSecret,\n        signOptions: {\n          issuer: resolvedOptions.jwtIssuer,\n          audience: resolvedOptions.jwtAudience,\n        },\n      }),\n    ];\n\n    // Add TypeORM configuration if using TypeORM store\n    const storeConfig = resolvedOptions.storeConfiguration;\n    const isTypeOrmStore = storeConfig?.type === 'typeorm';\n    if (isTypeOrmStore) {\n      const typeormOptions = storeConfig.options;\n      try {\n        // Require TypeORM-related modules only when needed\n        // eslint-disable-next-line @typescript-eslint/no-require-imports\n        const { TypeOrmModule } = require('@nestjs/typeorm');\n        const {\n          OAuthClientEntity,\n          AuthorizationCodeEntity,\n          OAuthSessionEntity,\n          OAuthUserProfileEntity,\n          // eslint-disable-next-line @typescript-eslint/no-require-imports\n        } = require('./stores/typeorm/entities');\n\n        imports.push(\n          TypeOrmModule.forRoot({\n            ...typeormOptions,\n            // Use a unique connection name for the OAuth store to avoid clashes\n            name: OAUTH_TYPEORM_CONNECTION_NAME,\n            entities: [\n              OAuthClientEntity,\n              AuthorizationCodeEntity,\n              OAuthSessionEntity,\n              OAuthUserProfileEntity,\n            ],\n          }),\n          TypeOrmModule.forFeature(\n            [\n              OAuthClientEntity,\n              AuthorizationCodeEntity,\n              OAuthSessionEntity,\n              OAuthUserProfileEntity,\n            ],\n            OAUTH_TYPEORM_CONNECTION_NAME,\n          ),\n        );\n      } catch (err) {\n        throw new Error(\n          \"To use the TypeORM store, please install '@nestjs/typeorm' and 'typeorm'.\",\n        );\n      }\n    }\n\n    // Create store provider based on configuration with instance-scoped token\n    const oauthStoreToken = `IOAuthStore_${authModuleId}`;\n    const oauthStoreProvider = this.createStoreProvider(\n      resolvedOptions.storeConfiguration,\n      oauthStoreToken,\n    );\n\n    // Create alias for compatibility with injection\n    const oauthStoreAliasProvider = {\n      provide: MemoryStore,\n      useExisting: oauthStoreToken,\n    };\n\n    const providers: any[] = [\n      {\n        provide: 'OAUTH_MODULE_ID',\n        useValue: authModuleId,\n      },\n      oauthModuleOptions,\n      oauthStoreProvider,\n      oauthStoreAliasProvider,\n      // Provide backward-compatible tokens as aliases\n      {\n        provide: 'OAUTH_MODULE_OPTIONS',\n        useExisting: oauthModuleOptionsToken,\n      },\n      {\n        provide: 'IOAuthStore',\n        useExisting: oauthStoreToken,\n      },\n      // Provide services using their class tokens\n      OAuthStrategyService,\n      ClientService,\n      JwtTokenService,\n      McpAuthJwtGuard,\n    ];\n\n    // No additional providers needed for TypeORM store - provider is created dynamically\n\n    // Create controller with apiPrefix, passing the instance-scoped tokens\n    const OAuthControllerClass = createMcpOAuthController(\n      resolvedOptions.endpoints,\n      {\n        disableWellKnownAuthorizationServerMetadata:\n          resolvedOptions.disableEndpoints\n            .wellKnownAuthorizationServerMetadata ?? false,\n        disableWellKnownProtectedResourceMetadata:\n          resolvedOptions.disableEndpoints.wellKnownProtectedResourceMetadata ??\n          false,\n      },\n      authModuleId,\n    );\n\n    return {\n      module: McpAuthModule,\n      imports,\n      controllers: [OAuthControllerClass],\n      providers,\n      exports: [\n        'OAUTH_MODULE_ID',\n        'OAUTH_MODULE_OPTIONS',\n        'IOAuthStore',\n        JwtTokenService,\n        ClientService,\n        OAuthStrategyService,\n        McpAuthJwtGuard,\n        MemoryStore,\n      ],\n    };\n  }\n\n  private static mergeAndValidateOptions(\n    defaults: OAuthModuleDefaults,\n    options: AuthUserModuleOptions,\n  ): OAuthModuleOptions {\n    // Validate required options first\n    this.validateRequiredOptions(options);\n\n    // Merge with defaults\n    const resolvedOptions: OAuthModuleOptions = {\n      ...defaults,\n      ...options,\n      // Ensure jwtIssuer defaults to serverUrl if not provided\n      jwtIssuer:\n        options.jwtIssuer || options.serverUrl || DEFAULT_OPTIONS.jwtIssuer,\n      cookieSecure:\n        options.cookieSecure || process.env.NODE_ENV === 'production',\n      // Merge protectedResourceMetadata with defaults\n      protectedResourceMetadata: {\n        ...defaults.protectedResourceMetadata,\n        ...options.protectedResourceMetadata,\n      },\n      // Merge authorizationServerMetadata with defaults\n      authorizationServerMetadata: {\n        ...defaults.authorizationServerMetadata,\n        ...options.authorizationServerMetadata,\n      },\n      // Merge disableEndpoints with defaults\n      disableEndpoints: {\n        ...defaults.disableEndpoints,\n        ...(options.disableEndpoints || {}),\n      },\n    };\n\n    if (!resolvedOptions.enableRefreshTokens) {\n      resolvedOptions.authorizationServerMetadata.grantTypesSupported =\n        resolvedOptions.authorizationServerMetadata.grantTypesSupported.filter(\n          (g) => g !== 'refresh_token',\n        );\n      resolvedOptions.protectedResourceMetadata.scopesSupported =\n        resolvedOptions.protectedResourceMetadata.scopesSupported.filter(\n          (s) => s !== 'offline_access',\n        );\n    }\n\n    // Final validation of resolved options\n    this.validateResolvedOptions(resolvedOptions);\n\n    return resolvedOptions;\n  }\n\n  private static validateRequiredOptions(options: AuthUserModuleOptions): void {\n    const requiredFields: (keyof AuthUserModuleOptions)[] = [\n      'provider',\n      'clientId',\n      'clientSecret',\n      'jwtSecret',\n    ];\n\n    for (const field of requiredFields) {\n      if (!options[field]) {\n        throw new Error(\n          `OAuthModuleOptions: ${String(field)} is required and must be provided by the user`,\n        );\n      }\n    }\n  }\n\n  private static validateResolvedOptions(options: OAuthModuleOptions): void {\n    // Validate JWT secret is strong enough\n    if (options.jwtSecret.length < 32) {\n      throw new Error(\n        'OAuthModuleOptions: jwtSecret must be at least 32 characters long',\n      );\n    }\n\n    // Validate URLs are proper format\n    try {\n      new URL(options.serverUrl);\n      new URL(options.jwtIssuer);\n    } catch {\n      throw new Error(\n        'OAuthModuleOptions: serverUrl and jwtIssuer must be valid URLs',\n      );\n    }\n\n    // Validate provider configuration\n    if (!options.provider.name || !options.provider.strategy) {\n      throw new Error(\n        'OAuthModuleOptions: provider must have name and strategy',\n      );\n    }\n  }\n\n  private static createStoreProvider(\n    storeConfiguration: OAuthModuleOptions['storeConfiguration'],\n    provideToken: string,\n  ) {\n    if (!storeConfiguration || storeConfiguration.type === 'memory') {\n      // Default memory store\n      return {\n        provide: provideToken,\n        useValue: new MemoryStore(),\n      };\n    }\n\n    if (storeConfiguration.type === 'typeorm') {\n      // TypeORM store\n      const {\n        TypeOrmStore,\n        // eslint-disable-next-line @typescript-eslint/no-require-imports\n      } = require('./stores/typeorm/typeorm-store.service');\n      return {\n        provide: provideToken,\n        useClass: TypeOrmStore,\n      };\n    }\n\n    if (storeConfiguration.type === 'custom') {\n      // Custom store\n      return {\n        provide: provideToken,\n        useValue: storeConfiguration.store,\n      };\n    }\n\n    throw new Error(\n      `Unknown store configuration type: ${(storeConfiguration as any).type}`,\n    );\n  }\n}\n\nfunction prepareEndpoints(\n  apiPrefix: string,\n  defaultEndpoints: OAuthEndpointConfiguration,\n  configuredEndpoints: OAuthEndpointConfiguration,\n) {\n  const updatedDefaultEndpoints = {\n    wellKnownAuthorizationServerMetadata:\n      defaultEndpoints.wellKnownAuthorizationServerMetadata,\n    wellKnownProtectedResourceMetadata:\n      defaultEndpoints.wellKnownProtectedResourceMetadata,\n    callback: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.callback}`),\n    token: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.token}`),\n    revoke: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.revoke}`),\n    authorize: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.authorize}`),\n    register: normalizeEndpoint(`/${apiPrefix}/${defaultEndpoints.register}`),\n  } as OAuthEndpointConfiguration;\n\n  return {\n    ...updatedDefaultEndpoints,\n    ...configuredEndpoints,\n  };\n}\n"]}

package/dist/authz/providers/oauth-provider.interface.d.ts

@@ -1,4 +1,6 @@
-import { IOAuthStore } from '../stores/oauth-store.interface';
+import type { IOAuthStore } from '../stores/oauth-store.interface';
+import type { OAuthSession, OAuthUserProfile } from '../interfaces/oauth-common.interface';
+export type { OAuthSession, OAuthUserProfile };
 type TypeOrmModuleOptions = Record<string, unknown>;
 export interface OAuthProviderConfig {
     name: string;
@@ -13,14 +15,6 @@ export interface OAuthProviderConfig {
     scope?: string[];
     profileMapper: (profile: any) => OAuthUserProfile;
 }
-export interface OAuthUserProfile {
-    id: string;
-    username: string;
-    email?: string;
-    displayName?: string;
-    avatarUrl?: string;
-    raw?: any;
-}
 export type StoreConfiguration = {
     type: 'typeorm';
     options: TypeOrmModuleOptions;
@@ -110,17 +104,4 @@ export type OAuthModuleOptions = Required<Pick<OAuthUserModuleOptions, 'provider
     cookieSecure: boolean;
     storeConfiguration?: StoreConfiguration;
 };
-export interface OAuthSession {
-    sessionId: string;
-    state: string;
-    clientId?: string;
-    redirectUri?: string;
-    codeChallenge?: string;
-    codeChallengeMethod?: string;
-    oauthState?: string;
-    scope?: string;
-    resource?: string;
-    expiresAt: number;
-}
-export {};
 //# sourceMappingURL=oauth-provider.interface.d.ts.map

package/dist/authz/providers/oauth-provider.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-provider.interface.d.ts","sourceRoot":"","sources":["../../../src/authz/providers/oauth-provider.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAM9D,KAAK,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEpD,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,GAAG,CAAC;IACd,eAAe,EAAE,CAAC,OAAO,EAAE;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,KAAK,GAAG,CAAC;IACV,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,gBAAgB,CAAC;CACnD;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AAGD,MAAM,MAAM,kBAAkB,GAC1B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,oBAAoB,CAAA;CAAE,GAClD;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,GACtC;IAAE,IAAI,EAAE,QAAQ,CAAA;CAAE,GAClB,SAAS,CAAC;AAEd,MAAM,WAAW,0BAA0B;IACzC,oCAAoC,CAAC,EAAE,MAAM,CAAC;IAC9C,kCAAkC,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,2BAA2B;IAC1C,oCAAoC,CAAC,EAAE,OAAO,CAAC;IAC/C,kCAAkC,CAAC,EAAE,OAAO,CAAC;CAC9C;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,mBAAmB,CAAC;IAG9B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IAGrB,SAAS,EAAE,MAAM,CAAC;IAGlB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAG9B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAG3B,yBAAyB,CAAC,EAAE;QAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;QAClC,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC;IAGF,2BAA2B,CAAC,EAAE;QAC5B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;QAClC,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;QAClC,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;QAC7C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;IAGF,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IAGnB,SAAS,CAAC,EAAE,0BAA0B,CAAC;IACvC,gBAAgB,CAAC,EAAE,2BAA2B,CAAC;CAChD;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,wBAAwB,EAAE,MAAM,CAAC;IACjC,mBAAmB,EAAE,OAAO,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,0BAA0B,CAAC;IACtC,gBAAgB,EAAE,2BAA2B,CAAC;IAC9C,yBAAyB,EAAE;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC,oBAAoB,EAAE,MAAM,EAAE,CAAC;KAChC,CAAC;IACF,2BAA2B,EAAE;QAC3B,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,iCAAiC,EAAE,MAAM,EAAE,CAAC;QAC5C,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,6BAA6B,EAAE,MAAM,EAAE,CAAC;KACzC,CAAC;CACH;AAGD,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CACvC,IAAI,CACF,sBAAsB,EACtB,UAAU,GAAG,UAAU,GAAG,cAAc,GAAG,WAAW,CACvD,CACF,GACC,QAAQ,CAAC,mBAAmB,CAAC,GAAG;IAE9B,YAAY,EAAE,OAAO,CAAC;IACtB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC,CAAC;AAEJ,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB"}
+{"version":3,"file":"oauth-provider.interface.d.ts","sourceRoot":"","sources":["../../../src/authz/providers/oauth-provider.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EACjB,MAAM,sCAAsC,CAAC;AAG9C,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,CAAC;AAM/C,KAAK,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEpD,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,GAAG,CAAC;IACd,eAAe,EAAE,CAAC,OAAO,EAAE;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,KAAK,GAAG,CAAC;IACV,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,gBAAgB,CAAC;CACnD;AAGD,MAAM,MAAM,kBAAkB,GAC1B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,oBAAoB,CAAA;CAAE,GAClD;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,GACtC;IAAE,IAAI,EAAE,QAAQ,CAAA;CAAE,GAClB,SAAS,CAAC;AAEd,MAAM,WAAW,0BAA0B;IACzC,oCAAoC,CAAC,EAAE,MAAM,CAAC;IAC9C,kCAAkC,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,2BAA2B;IAC1C,oCAAoC,CAAC,EAAE,OAAO,CAAC;IAC/C,kCAAkC,CAAC,EAAE,OAAO,CAAC;CAC9C;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,mBAAmB,CAAC;IAG9B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IAGrB,SAAS,EAAE,MAAM,CAAC;IAGlB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAG9B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAG3B,yBAAyB,CAAC,EAAE;QAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;QAClC,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC;IAGF,2BAA2B,CAAC,EAAE;QAC5B,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;QAClC,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;QAClC,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;QAC7C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;IAGF,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IAGnB,SAAS,CAAC,EAAE,0BAA0B,CAAC;IACvC,gBAAgB,CAAC,EAAE,2BAA2B,CAAC;CAChD;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,wBAAwB,EAAE,MAAM,CAAC;IACjC,mBAAmB,EAAE,OAAO,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,0BAA0B,CAAC;IACtC,gBAAgB,EAAE,2BAA2B,CAAC;IAC9C,yBAAyB,EAAE;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC,oBAAoB,EAAE,MAAM,EAAE,CAAC;KAChC,CAAC;IACF,2BAA2B,EAAE;QAC3B,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC,sBAAsB,EAAE,MAAM,EAAE,CAAC;QACjC,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,iCAAiC,EAAE,MAAM,EAAE,CAAC;QAC5C,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,6BAA6B,EAAE,MAAM,EAAE,CAAC;KACzC,CAAC;CACH;AAGD,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CACvC,IAAI,CACF,sBAAsB,EACtB,UAAU,GAAG,UAAU,GAAG,cAAc,GAAG,WAAW,CACvD,CACF,GACC,QAAQ,CAAC,mBAAmB,CAAC,GAAG;IAE9B,YAAY,EAAE,OAAO,CAAC;IACtB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC,CAAC"}

package/dist/authz/providers/oauth-provider.interface.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-provider.interface.js","sourceRoot":"","sources":["../../../src/authz/providers/oauth-provider.interface.ts"],"names":[],"mappings":"","sourcesContent":["import { IOAuthStore } from '../stores/oauth-store.interface';\n\n// Define a minimal placeholder for TypeORM options so the type remains\n// available without requiring the optional `@nestjs/typeorm` package.\n// Consumers who use the TypeORM store should install the package to get\n// the full type definitions.\ntype TypeOrmModuleOptions = Record<string, unknown>;\n\nexport interface OAuthProviderConfig {\n  name: string;\n  displayName?: string;\n  strategy: any; // Passport Strategy constructor\n  strategyOptions: (options: {\n    serverUrl: string;\n    clientId: string;\n    clientSecret: string;\n    callbackPath?: string; // Optional custom callback path\n  }) => any;\n  scope?: string[];\n  profileMapper: (profile: any) => OAuthUserProfile;\n}\n\nexport interface OAuthUserProfile {\n  id: string;\n  username: string;\n  email?: string;\n  displayName?: string;\n  avatarUrl?: string;\n  raw?: any; // Original profile data\n}\n\n// Store configuration union type\nexport type StoreConfiguration =\n  | { type: 'typeorm'; options: TypeOrmModuleOptions }\n  | { type: 'custom'; store: IOAuthStore }\n  | { type: 'memory' }\n  | undefined; // Default to memory store\n\nexport interface OAuthEndpointConfiguration {\n  wellKnownAuthorizationServerMetadata?: string; // Default: '/.well-known/oauth-authorization-server'\n  wellKnownProtectedResourceMetadata?: string | string[]; // Default: '/.well-known/oauth-protected-resource'\n  register?: string; // Default: '/register'\n  authorize?: string; // Default: '/authorize'\n  callback?: string; // Default: '/callback'\n  token?: string; // Default: '/token'\n  revoke?: string; // Default: '/revoke'\n}\n\nexport interface OAuthEndpointDisableOptions {\n  wellKnownAuthorizationServerMetadata?: boolean;\n  wellKnownProtectedResourceMetadata?: boolean;\n}\n\nexport interface OAuthUserModuleOptions {\n  provider: OAuthProviderConfig;\n\n  // Required OAuth Provider Credentials\n  clientId: string;\n  clientSecret: string;\n\n  // Required JWT Configuration\n  jwtSecret: string;\n\n  // Server Configuration\n  serverUrl?: string;\n  resource?: string; // should be the endpoint clients connect to, e.g.: 'https://localhost:3000/mcp'\n  // JWT Configuration\n  jwtIssuer?: string;\n  jwtAudience?: string;\n  jwtAccessTokenExpiresIn?: string;\n  jwtRefreshTokenExpiresIn?: string;\n  enableRefreshTokens?: boolean;\n\n  // Cookie Configuration\n  cookieSecure?: boolean;\n  cookieMaxAge?: number;\n\n  // OAuth Session Configuration\n  oauthSessionExpiresIn?: number; // in milliseconds\n  authCodeExpiresIn?: number; // in milliseconds\n\n  // Protected Resource Metadata Configuration\n  protectedResourceMetadata?: {\n    scopesSupported?: string[];\n    bearerMethodsSupported?: string[];\n    mcpVersionsSupported?: string[];\n  };\n\n  // Authorization Server Metadata Configuration\n  authorizationServerMetadata?: {\n    responseTypesSupported?: string[];\n    responseModesSupported?: string[];\n    grantTypesSupported?: string[];\n    tokenEndpointAuthMethodsSupported?: string[];\n    scopesSupported?: string[];\n    codeChallengeMethodsSupported?: string[];\n  };\n\n  // Storage Configuration - single property for all storage options\n  storeConfiguration?: StoreConfiguration;\n  apiPrefix?: string;\n\n  // Endpoint Configuration\n  endpoints?: OAuthEndpointConfiguration;\n  disableEndpoints?: OAuthEndpointDisableOptions;\n}\n\nexport interface OAuthModuleDefaults {\n  serverUrl: string;\n  resource: string; // Default resource URL\n  jwtIssuer: string;\n  jwtAudience: string;\n  jwtAccessTokenExpiresIn: string;\n  jwtRefreshTokenExpiresIn: string;\n  enableRefreshTokens: boolean;\n  cookieMaxAge: number;\n  oauthSessionExpiresIn: number;\n  authCodeExpiresIn: number;\n  nodeEnv: string;\n  apiPrefix: string;\n  endpoints: OAuthEndpointConfiguration;\n  disableEndpoints: OAuthEndpointDisableOptions;\n  protectedResourceMetadata: {\n    scopesSupported: string[];\n    bearerMethodsSupported: string[];\n    mcpVersionsSupported: string[];\n  };\n  authorizationServerMetadata: {\n    responseTypesSupported: string[];\n    responseModesSupported: string[];\n    grantTypesSupported: string[];\n    tokenEndpointAuthMethodsSupported: string[];\n    scopesSupported: string[];\n    codeChallengeMethodsSupported: string[];\n  };\n}\n\n// Resolved options after merging with defaults\nexport type OAuthModuleOptions = Required<\n  Pick<\n    OAuthUserModuleOptions,\n    'provider' | 'clientId' | 'clientSecret' | 'jwtSecret'\n  >\n> &\n  Required<OAuthModuleDefaults> & {\n    // Optional fields that may remain undefined\n    cookieSecure: boolean;\n    storeConfiguration?: StoreConfiguration;\n  };\n\nexport interface OAuthSession {\n  sessionId: string;\n  state: string;\n  clientId?: string;\n  redirectUri?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  oauthState?: string;\n  scope?: string;\n  resource?: string;\n  expiresAt: number;\n}\n"]}
+{"version":3,"file":"oauth-provider.interface.js","sourceRoot":"","sources":["../../../src/authz/providers/oauth-provider.interface.ts"],"names":[],"mappings":"","sourcesContent":["import type { IOAuthStore } from '../stores/oauth-store.interface';\nimport type {\n  OAuthSession,\n  OAuthUserProfile,\n} from '../interfaces/oauth-common.interface';\n\n// Re-export common interfaces\nexport type { OAuthSession, OAuthUserProfile };\n\n// Define a minimal placeholder for TypeORM options so the type remains\n// available without requiring the optional `@nestjs/typeorm` package.\n// Consumers who use the TypeORM store should install the package to get\n// the full type definitions.\ntype TypeOrmModuleOptions = Record<string, unknown>;\n\nexport interface OAuthProviderConfig {\n  name: string;\n  displayName?: string;\n  strategy: any; // Passport Strategy constructor\n  strategyOptions: (options: {\n    serverUrl: string;\n    clientId: string;\n    clientSecret: string;\n    callbackPath?: string; // Optional custom callback path\n  }) => any;\n  scope?: string[];\n  profileMapper: (profile: any) => OAuthUserProfile;\n}\n\n// Store configuration union type\nexport type StoreConfiguration =\n  | { type: 'typeorm'; options: TypeOrmModuleOptions }\n  | { type: 'custom'; store: IOAuthStore }\n  | { type: 'memory' }\n  | undefined; // Default to memory store\n\nexport interface OAuthEndpointConfiguration {\n  wellKnownAuthorizationServerMetadata?: string; // Default: '/.well-known/oauth-authorization-server'\n  wellKnownProtectedResourceMetadata?: string | string[]; // Default: '/.well-known/oauth-protected-resource'\n  register?: string; // Default: '/register'\n  authorize?: string; // Default: '/authorize'\n  callback?: string; // Default: '/callback'\n  token?: string; // Default: '/token'\n  revoke?: string; // Default: '/revoke'\n}\n\nexport interface OAuthEndpointDisableOptions {\n  wellKnownAuthorizationServerMetadata?: boolean;\n  wellKnownProtectedResourceMetadata?: boolean;\n}\n\nexport interface OAuthUserModuleOptions {\n  provider: OAuthProviderConfig;\n\n  // Required OAuth Provider Credentials\n  clientId: string;\n  clientSecret: string;\n\n  // Required JWT Configuration\n  jwtSecret: string;\n\n  // Server Configuration\n  serverUrl?: string;\n  resource?: string; // should be the endpoint clients connect to, e.g.: 'https://localhost:3000/mcp'\n  // JWT Configuration\n  jwtIssuer?: string;\n  jwtAudience?: string;\n  jwtAccessTokenExpiresIn?: string;\n  jwtRefreshTokenExpiresIn?: string;\n  enableRefreshTokens?: boolean;\n\n  // Cookie Configuration\n  cookieSecure?: boolean;\n  cookieMaxAge?: number;\n\n  // OAuth Session Configuration\n  oauthSessionExpiresIn?: number; // in milliseconds\n  authCodeExpiresIn?: number; // in milliseconds\n\n  // Protected Resource Metadata Configuration\n  protectedResourceMetadata?: {\n    scopesSupported?: string[];\n    bearerMethodsSupported?: string[];\n    mcpVersionsSupported?: string[];\n  };\n\n  // Authorization Server Metadata Configuration\n  authorizationServerMetadata?: {\n    responseTypesSupported?: string[];\n    responseModesSupported?: string[];\n    grantTypesSupported?: string[];\n    tokenEndpointAuthMethodsSupported?: string[];\n    scopesSupported?: string[];\n    codeChallengeMethodsSupported?: string[];\n  };\n\n  // Storage Configuration - single property for all storage options\n  storeConfiguration?: StoreConfiguration;\n  apiPrefix?: string;\n\n  // Endpoint Configuration\n  endpoints?: OAuthEndpointConfiguration;\n  disableEndpoints?: OAuthEndpointDisableOptions;\n}\n\nexport interface OAuthModuleDefaults {\n  serverUrl: string;\n  resource: string; // Default resource URL\n  jwtIssuer: string;\n  jwtAudience: string;\n  jwtAccessTokenExpiresIn: string;\n  jwtRefreshTokenExpiresIn: string;\n  enableRefreshTokens: boolean;\n  cookieMaxAge: number;\n  oauthSessionExpiresIn: number;\n  authCodeExpiresIn: number;\n  nodeEnv: string;\n  apiPrefix: string;\n  endpoints: OAuthEndpointConfiguration;\n  disableEndpoints: OAuthEndpointDisableOptions;\n  protectedResourceMetadata: {\n    scopesSupported: string[];\n    bearerMethodsSupported: string[];\n    mcpVersionsSupported: string[];\n  };\n  authorizationServerMetadata: {\n    responseTypesSupported: string[];\n    responseModesSupported: string[];\n    grantTypesSupported: string[];\n    tokenEndpointAuthMethodsSupported: string[];\n    scopesSupported: string[];\n    codeChallengeMethodsSupported: string[];\n  };\n}\n\n// Resolved options after merging with defaults\nexport type OAuthModuleOptions = Required<\n  Pick<\n    OAuthUserModuleOptions,\n    'provider' | 'clientId' | 'clientSecret' | 'jwtSecret'\n  >\n> &\n  Required<OAuthModuleDefaults> & {\n    // Optional fields that may remain undefined\n    cookieSecure: boolean;\n    storeConfiguration?: StoreConfiguration;\n  };\n"]}

package/dist/authz/services/client.service.d.ts

@@ -1,5 +1,5 @@
-import { ClientRegistrationDto, IOAuthStore, OAuthClient } from '../stores/oauth-store.interface';
-import { OAuthModuleOptions } from '../providers/oauth-provider.interface';
+import type { ClientRegistrationDto, IOAuthStore, OAuthClient } from '../stores/oauth-store.interface';
+import type { OAuthModuleOptions } from '../providers/oauth-provider.interface';
 export declare class ClientService {
     private readonly store;
     private readonly options;

package/dist/authz/services/client.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.service.d.ts","sourceRoot":"","sources":["../../../src/authz/services/client.service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,qBAAqB,EACrB,WAAW,EACX,WAAW,EACZ,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAE3E,qBACa,aAAa;IAEC,OAAO,CAAC,QAAQ,CAAC,KAAK;IAE7C,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFgB,KAAK,EAAE,WAAW,EAEzC,OAAO,EAAE,kBAAkB;IAUxC,cAAc,CAClB,eAAe,EAAE,qBAAqB,GACrC,OAAO,CAAC,WAAW,CAAC;cAuEP,qBAAqB,CACnC,IAAI,EAAE,qBAAqB,GAC1B,OAAO,CAAC,IAAI,CAAC;IAIV,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAcxD,mBAAmB,CACvB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC;CAIpB"}
+{"version":3,"file":"client.service.d.ts","sourceRoot":"","sources":["../../../src/authz/services/client.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,qBAAqB,EACrB,WAAW,EACX,WAAW,EACZ,MAAM,iCAAiC,CAAC;AAEzC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAEhF,qBACa,aAAa;IAEC,OAAO,CAAC,QAAQ,CAAC,KAAK;IAE7C,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFgB,KAAK,EAAE,WAAW,EAEzC,OAAO,EAAE,kBAAkB;IAUxC,cAAc,CAClB,eAAe,EAAE,qBAAqB,GACrC,OAAO,CAAC,WAAW,CAAC;cAuEP,qBAAqB,CACnC,IAAI,EAAE,qBAAqB,GAC1B,OAAO,CAAC,IAAI,CAAC;IAIV,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAcxD,mBAAmB,CACvB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC;CAIpB"}