@rekog/mcp-nest 1.9.10 → 2.0.0-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +76 -29
- package/dist/index.d.ts +0 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +0 -1
- package/dist/index.js.map +1 -1
- package/dist/mcp/decorators/constants.d.ts +1 -0
- package/dist/mcp/decorators/constants.d.ts.map +1 -1
- package/dist/mcp/decorators/constants.js +2 -1
- package/dist/mcp/decorators/constants.js.map +1 -1
- package/dist/mcp/decorators/index.d.ts +3 -1
- package/dist/mcp/decorators/index.d.ts.map +1 -1
- package/dist/mcp/decorators/index.js +3 -1
- package/dist/mcp/decorators/index.js.map +1 -1
- package/dist/mcp/decorators/mcp-controller.decorator.d.ts +6 -0
- package/dist/mcp/decorators/mcp-controller.decorator.d.ts.map +1 -0
- package/dist/mcp/decorators/mcp-controller.decorator.js +43 -0
- package/dist/mcp/decorators/mcp-controller.decorator.js.map +1 -0
- package/dist/mcp/decorators/mcp-message-pattern.d.ts +3 -0
- package/dist/mcp/decorators/mcp-message-pattern.d.ts.map +1 -0
- package/dist/mcp/decorators/mcp-message-pattern.js +13 -0
- package/dist/mcp/decorators/mcp-message-pattern.js.map +1 -0
- package/dist/mcp/decorators/prompt.decorator.d.ts +4 -1
- package/dist/mcp/decorators/prompt.decorator.d.ts.map +1 -1
- package/dist/mcp/decorators/prompt.decorator.js +2 -1
- package/dist/mcp/decorators/prompt.decorator.js.map +1 -1
- package/dist/mcp/decorators/public.decorator.js.map +1 -1
- package/dist/mcp/decorators/raw-request.decorator.d.ts +2 -0
- package/dist/mcp/decorators/raw-request.decorator.d.ts.map +1 -0
- package/dist/mcp/decorators/raw-request.decorator.js +6 -0
- package/dist/mcp/decorators/raw-request.decorator.js.map +1 -0
- package/dist/mcp/decorators/resource-template.decorator.d.ts +1 -1
- package/dist/mcp/decorators/resource-template.decorator.d.ts.map +1 -1
- package/dist/mcp/decorators/resource-template.decorator.js +2 -1
- package/dist/mcp/decorators/resource-template.decorator.js.map +1 -1
- package/dist/mcp/decorators/resource.decorator.d.ts +1 -1
- package/dist/mcp/decorators/resource.decorator.d.ts.map +1 -1
- package/dist/mcp/decorators/resource.decorator.js +2 -1
- package/dist/mcp/decorators/resource.decorator.js.map +1 -1
- package/dist/mcp/decorators/tool.decorator.d.ts +1 -3
- package/dist/mcp/decorators/tool.decorator.d.ts.map +1 -1
- package/dist/mcp/decorators/tool.decorator.js +2 -1
- package/dist/mcp/decorators/tool.decorator.js.map +1 -1
- package/dist/mcp/filters/mcp-exception.filter.d.ts +6 -0
- package/dist/mcp/filters/mcp-exception.filter.d.ts.map +1 -0
- package/dist/mcp/filters/mcp-exception.filter.js +26 -0
- package/dist/mcp/filters/mcp-exception.filter.js.map +1 -0
- package/dist/mcp/index.d.ts +11 -7
- package/dist/mcp/index.d.ts.map +1 -1
- package/dist/mcp/index.js +11 -7
- package/dist/mcp/index.js.map +1 -1
- package/dist/mcp/interfaces/authenticated-user.interface.d.ts +9 -0
- package/dist/mcp/interfaces/authenticated-user.interface.d.ts.map +1 -0
- package/dist/{authz/interfaces/request-with-user.js → mcp/interfaces/authenticated-user.interface.js} +1 -1
- package/dist/mcp/interfaces/authenticated-user.interface.js.map +1 -0
- package/dist/mcp/interfaces/dynamic-prompt.interface.d.ts +1 -1
- package/dist/mcp/interfaces/dynamic-prompt.interface.d.ts.map +1 -1
- package/dist/mcp/interfaces/dynamic-prompt.interface.js.map +1 -1
- package/dist/mcp/interfaces/dynamic-resource.interface.d.ts +1 -1
- package/dist/mcp/interfaces/dynamic-resource.interface.d.ts.map +1 -1
- package/dist/mcp/interfaces/dynamic-resource.interface.js.map +1 -1
- package/dist/mcp/interfaces/dynamic-tool.interface.d.ts +1 -1
- package/dist/mcp/interfaces/dynamic-tool.interface.d.ts.map +1 -1
- package/dist/mcp/interfaces/dynamic-tool.interface.js.map +1 -1
- package/dist/mcp/interfaces/index.d.ts +2 -2
- package/dist/mcp/interfaces/index.d.ts.map +1 -1
- package/dist/mcp/interfaces/index.js +0 -3
- package/dist/mcp/interfaces/index.js.map +1 -1
- package/dist/mcp/services/tool-authorization.service.d.ts +7 -5
- package/dist/mcp/services/tool-authorization.service.d.ts.map +1 -1
- package/dist/mcp/services/tool-authorization.service.js +9 -6
- package/dist/mcp/services/tool-authorization.service.js.map +1 -1
- package/dist/mcp/transport/mcp-context.d.ts +34 -0
- package/dist/mcp/transport/mcp-context.d.ts.map +1 -0
- package/dist/mcp/transport/mcp-context.js +74 -0
- package/dist/mcp/transport/mcp-context.js.map +1 -0
- package/dist/mcp/transport/mcp-http-handler.d.ts +7 -0
- package/dist/mcp/transport/mcp-http-handler.d.ts.map +1 -0
- package/dist/mcp/transport/mcp-http-handler.js +5 -0
- package/dist/mcp/transport/mcp-http-handler.js.map +1 -0
- package/dist/mcp/transport/mcp-server-options.interface.d.ts +23 -0
- package/dist/mcp/transport/mcp-server-options.interface.d.ts.map +1 -0
- package/dist/{authz/providers/oauth-provider.interface.js → mcp/transport/mcp-server-options.interface.js} +1 -1
- package/dist/mcp/transport/mcp-server-options.interface.js.map +1 -0
- package/dist/mcp/transport/mcp-transport.constants.d.ts +19 -0
- package/dist/mcp/transport/mcp-transport.constants.d.ts.map +1 -0
- package/dist/mcp/transport/mcp-transport.constants.js +21 -0
- package/dist/mcp/transport/mcp-transport.constants.js.map +1 -0
- package/dist/mcp/transport/mcp-transport.interface.d.ts +17 -0
- package/dist/mcp/transport/mcp-transport.interface.d.ts.map +1 -0
- package/dist/{authz/interfaces/oauth-common.interface.js → mcp/transport/mcp-transport.interface.js} +1 -1
- package/dist/mcp/transport/mcp-transport.interface.js.map +1 -0
- package/dist/mcp/transport/mcp.strategy.d.ts +56 -0
- package/dist/mcp/transport/mcp.strategy.d.ts.map +1 -0
- package/dist/mcp/transport/mcp.strategy.js +446 -0
- package/dist/mcp/transport/mcp.strategy.js.map +1 -0
- package/dist/mcp/transport/resource-matcher.d.ts +13 -0
- package/dist/mcp/transport/resource-matcher.d.ts.map +1 -0
- package/dist/mcp/transport/resource-matcher.js +83 -0
- package/dist/mcp/transport/resource-matcher.js.map +1 -0
- package/dist/mcp/transport/streamable-http.controller.d.ts +16 -0
- package/dist/mcp/transport/streamable-http.controller.d.ts.map +1 -0
- package/dist/mcp/transport/streamable-http.controller.js +98 -0
- package/dist/mcp/transport/streamable-http.controller.js.map +1 -0
- package/dist/mcp/transport/transports/index.d.ts +3 -0
- package/dist/mcp/transport/transports/index.d.ts.map +1 -0
- package/dist/{authz → mcp/transport/transports}/index.js +2 -10
- package/dist/mcp/transport/transports/index.js.map +1 -0
- package/dist/mcp/transport/transports/read-body.d.ts +3 -0
- package/dist/mcp/transport/transports/read-body.d.ts.map +1 -0
- package/dist/mcp/transport/transports/read-body.js +32 -0
- package/dist/mcp/transport/transports/read-body.js.map +1 -0
- package/dist/mcp/transport/transports/stdio.transport.d.ts +9 -0
- package/dist/mcp/transport/transports/stdio.transport.d.ts.map +1 -0
- package/dist/mcp/transport/transports/stdio.transport.js +27 -0
- package/dist/mcp/transport/transports/stdio.transport.js.map +1 -0
- package/dist/mcp/transport/transports/streamable-http.transport.d.ts +33 -0
- package/dist/mcp/transport/transports/streamable-http.transport.d.ts.map +1 -0
- package/dist/mcp/transport/transports/streamable-http.transport.js +216 -0
- package/dist/mcp/transport/transports/streamable-http.transport.js.map +1 -0
- package/dist/mcp/utils/mcp-logger.factory.d.ts +6 -2
- package/dist/mcp/utils/mcp-logger.factory.d.ts.map +1 -1
- package/dist/mcp/utils/mcp-logger.factory.js.map +1 -1
- package/package.json +3 -66
- package/src/index.ts +0 -1
- package/src/mcp/decorators/constants.ts +1 -0
- package/src/mcp/decorators/index.ts +3 -1
- package/src/mcp/decorators/mcp-controller.decorator.ts +126 -0
- package/src/mcp/decorators/mcp-message-pattern.ts +38 -0
- package/src/mcp/decorators/prompt.decorator.ts +32 -2
- package/src/mcp/decorators/public.decorator.ts +3 -3
- package/src/mcp/decorators/raw-request.decorator.ts +32 -0
- package/src/mcp/decorators/resource-template.decorator.ts +6 -2
- package/src/mcp/decorators/resource.decorator.ts +6 -2
- package/src/mcp/decorators/tool.decorator.ts +6 -3
- package/src/mcp/filters/mcp-exception.filter.ts +47 -0
- package/src/mcp/index.ts +13 -7
- package/src/mcp/interfaces/authenticated-user.interface.ts +22 -0
- package/src/mcp/interfaces/dynamic-prompt.interface.ts +1 -1
- package/src/mcp/interfaces/dynamic-resource.interface.ts +1 -1
- package/src/mcp/interfaces/dynamic-tool.interface.ts +2 -2
- package/src/mcp/interfaces/index.ts +3 -7
- package/src/mcp/services/tool-authorization.service.ts +52 -72
- package/src/mcp/transport/mcp-context.ts +138 -0
- package/src/mcp/transport/mcp-http-handler.ts +32 -0
- package/src/mcp/transport/mcp-server-options.interface.ts +75 -0
- package/src/mcp/transport/mcp-transport.constants.ts +99 -0
- package/src/mcp/transport/mcp-transport.interface.ts +50 -0
- package/src/mcp/transport/mcp.strategy.ts +752 -0
- package/src/mcp/transport/resource-matcher.ts +107 -0
- package/src/mcp/transport/streamable-http.controller.ts +114 -0
- package/src/mcp/transport/transports/index.ts +2 -0
- package/src/mcp/transport/transports/read-body.ts +39 -0
- package/src/mcp/transport/transports/stdio.transport.ts +35 -0
- package/src/mcp/transport/transports/streamable-http.transport.ts +384 -0
- package/src/mcp/utils/mcp-logger.factory.spec.ts +8 -22
- package/src/mcp/utils/mcp-logger.factory.ts +13 -2
- package/dist/authz/guards/jwt-auth.guard.d.ts +0 -19
- package/dist/authz/guards/jwt-auth.guard.d.ts.map +0 -1
- package/dist/authz/guards/jwt-auth.guard.js +0 -108
- package/dist/authz/guards/jwt-auth.guard.js.map +0 -1
- package/dist/authz/index.d.ts +0 -11
- package/dist/authz/index.d.ts.map +0 -1
- package/dist/authz/index.js.map +0 -1
- package/dist/authz/interfaces/oauth-common.interface.d.ts +0 -21
- package/dist/authz/interfaces/oauth-common.interface.d.ts.map +0 -1
- package/dist/authz/interfaces/oauth-common.interface.js.map +0 -1
- package/dist/authz/interfaces/request-with-user.d.ts +0 -13
- package/dist/authz/interfaces/request-with-user.d.ts.map +0 -1
- package/dist/authz/interfaces/request-with-user.js.map +0 -1
- package/dist/authz/mcp-oauth.controller.d.ts +0 -81
- package/dist/authz/mcp-oauth.controller.d.ts.map +0 -1
- package/dist/authz/mcp-oauth.controller.js +0 -540
- package/dist/authz/mcp-oauth.controller.js.map +0 -1
- package/dist/authz/mcp-oauth.module.d.ts +0 -12
- package/dist/authz/mcp-oauth.module.d.ts.map +0 -1
- package/dist/authz/mcp-oauth.module.js +0 -271
- package/dist/authz/mcp-oauth.module.js.map +0 -1
- package/dist/authz/providers/azure-ad.provider.d.ts +0 -3
- package/dist/authz/providers/azure-ad.provider.d.ts.map +0 -1
- package/dist/authz/providers/azure-ad.provider.js +0 -37
- package/dist/authz/providers/azure-ad.provider.js.map +0 -1
- package/dist/authz/providers/github.provider.d.ts +0 -3
- package/dist/authz/providers/github.provider.d.ts.map +0 -1
- package/dist/authz/providers/github.provider.js +0 -24
- package/dist/authz/providers/github.provider.js.map +0 -1
- package/dist/authz/providers/google.provider.d.ts +0 -3
- package/dist/authz/providers/google.provider.d.ts.map +0 -1
- package/dist/authz/providers/google.provider.js +0 -25
- package/dist/authz/providers/google.provider.js.map +0 -1
- package/dist/authz/providers/oauth-provider.interface.d.ts +0 -107
- package/dist/authz/providers/oauth-provider.interface.d.ts.map +0 -1
- package/dist/authz/providers/oauth-provider.interface.js.map +0 -1
- package/dist/authz/services/client.service.d.ts +0 -12
- package/dist/authz/services/client.service.d.ts.map +0 -1
- package/dist/authz/services/client.service.js +0 -81
- package/dist/authz/services/client.service.js.map +0 -1
- package/dist/authz/services/jwt-token.service.d.ts +0 -37
- package/dist/authz/services/jwt-token.service.d.ts.map +0 -1
- package/dist/authz/services/jwt-token.service.js +0 -182
- package/dist/authz/services/jwt-token.service.js.map +0 -1
- package/dist/authz/services/oauth-strategy.service.d.ts +0 -13
- package/dist/authz/services/oauth-strategy.service.d.ts.map +0 -1
- package/dist/authz/services/oauth-strategy.service.js +0 -71
- package/dist/authz/services/oauth-strategy.service.js.map +0 -1
- package/dist/authz/stores/memory-store.service.d.ts +0 -27
- package/dist/authz/stores/memory-store.service.d.ts.map +0 -1
- package/dist/authz/stores/memory-store.service.js +0 -107
- package/dist/authz/stores/memory-store.service.js.map +0 -1
- package/dist/authz/stores/oauth-store.interface.d.ts +0 -61
- package/dist/authz/stores/oauth-store.interface.d.ts.map +0 -1
- package/dist/authz/stores/oauth-store.interface.js +0 -5
- package/dist/authz/stores/oauth-store.interface.js.map +0 -1
- package/dist/authz/stores/typeorm/constants.d.ts +0 -3
- package/dist/authz/stores/typeorm/constants.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/constants.js +0 -6
- package/dist/authz/stores/typeorm/constants.js.map +0 -1
- package/dist/authz/stores/typeorm/entities/authorization-code.entity.d.ts +0 -15
- package/dist/authz/stores/typeorm/entities/authorization-code.entity.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/entities/authorization-code.entity.js +0 -69
- package/dist/authz/stores/typeorm/entities/authorization-code.entity.js.map +0 -1
- package/dist/authz/stores/typeorm/entities/index.d.ts +0 -5
- package/dist/authz/stores/typeorm/entities/index.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/entities/index.js +0 -12
- package/dist/authz/stores/typeorm/entities/index.js.map +0 -1
- package/dist/authz/stores/typeorm/entities/oauth-client.entity.d.ts +0 -17
- package/dist/authz/stores/typeorm/entities/oauth-client.entity.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/entities/oauth-client.entity.js +0 -77
- package/dist/authz/stores/typeorm/entities/oauth-client.entity.js.map +0 -1
- package/dist/authz/stores/typeorm/entities/oauth-session.entity.d.ts +0 -14
- package/dist/authz/stores/typeorm/entities/oauth-session.entity.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/entities/oauth-session.entity.js +0 -65
- package/dist/authz/stores/typeorm/entities/oauth-session.entity.js.map +0 -1
- package/dist/authz/stores/typeorm/entities/user-profile.entity.d.ts +0 -13
- package/dist/authz/stores/typeorm/entities/user-profile.entity.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/entities/user-profile.entity.js +0 -62
- package/dist/authz/stores/typeorm/entities/user-profile.entity.js.map +0 -1
- package/dist/authz/stores/typeorm/typeorm-store.service.d.ts +0 -28
- package/dist/authz/stores/typeorm/typeorm-store.service.d.ts.map +0 -1
- package/dist/authz/stores/typeorm/typeorm-store.service.js +0 -138
- package/dist/authz/stores/typeorm/typeorm-store.service.js.map +0 -1
- package/dist/mcp/constants/feature-registration.constants.d.ts +0 -7
- package/dist/mcp/constants/feature-registration.constants.d.ts.map +0 -1
- package/dist/mcp/constants/feature-registration.constants.js +0 -5
- package/dist/mcp/constants/feature-registration.constants.js.map +0 -1
- package/dist/mcp/decorators/tool-guards.decorator.d.ts +0 -12
- package/dist/mcp/decorators/tool-guards.decorator.d.ts.map +0 -1
- package/dist/mcp/decorators/tool-guards.decorator.js +0 -13
- package/dist/mcp/decorators/tool-guards.decorator.js.map +0 -1
- package/dist/mcp/interfaces/mcp-options.interface.d.ts +0 -53
- package/dist/mcp/interfaces/mcp-options.interface.d.ts.map +0 -1
- package/dist/mcp/interfaces/mcp-options.interface.js +0 -10
- package/dist/mcp/interfaces/mcp-options.interface.js.map +0 -1
- package/dist/mcp/mcp.module.d.ts +0 -15
- package/dist/mcp/mcp.module.d.ts.map +0 -1
- package/dist/mcp/mcp.module.js +0 -248
- package/dist/mcp/mcp.module.js.map +0 -1
- package/dist/mcp/services/handlers/mcp-handler.base.d.ts +0 -117
- package/dist/mcp/services/handlers/mcp-handler.base.d.ts.map +0 -1
- package/dist/mcp/services/handlers/mcp-handler.base.js +0 -125
- package/dist/mcp/services/handlers/mcp-handler.base.js.map +0 -1
- package/dist/mcp/services/handlers/mcp-prompts.handler.d.ts +0 -12
- package/dist/mcp/services/handlers/mcp-prompts.handler.d.ts.map +0 -1
- package/dist/mcp/services/handlers/mcp-prompts.handler.js +0 -98
- package/dist/mcp/services/handlers/mcp-prompts.handler.js.map +0 -1
- package/dist/mcp/services/handlers/mcp-resources.handler.d.ts +0 -13
- package/dist/mcp/services/handlers/mcp-resources.handler.d.ts.map +0 -1
- package/dist/mcp/services/handlers/mcp-resources.handler.js +0 -117
- package/dist/mcp/services/handlers/mcp-resources.handler.js.map +0 -1
- package/dist/mcp/services/handlers/mcp-tools.handler.d.ts +0 -22
- package/dist/mcp/services/handlers/mcp-tools.handler.d.ts.map +0 -1
- package/dist/mcp/services/handlers/mcp-tools.handler.js +0 -258
- package/dist/mcp/services/handlers/mcp-tools.handler.js.map +0 -1
- package/dist/mcp/services/mcp-dynamic-registry.service.d.ts +0 -26
- package/dist/mcp/services/mcp-dynamic-registry.service.d.ts.map +0 -1
- package/dist/mcp/services/mcp-dynamic-registry.service.js +0 -133
- package/dist/mcp/services/mcp-dynamic-registry.service.js.map +0 -1
- package/dist/mcp/services/mcp-executor.service.d.ts +0 -15
- package/dist/mcp/services/mcp-executor.service.d.ts.map +0 -1
- package/dist/mcp/services/mcp-executor.service.js +0 -47
- package/dist/mcp/services/mcp-executor.service.js.map +0 -1
- package/dist/mcp/services/mcp-registry-discovery.service.d.ts +0 -63
- package/dist/mcp/services/mcp-registry-discovery.service.d.ts.map +0 -1
- package/dist/mcp/services/mcp-registry-discovery.service.js +0 -397
- package/dist/mcp/services/mcp-registry-discovery.service.js.map +0 -1
- package/dist/mcp/services/mcp-sse.service.d.ts +0 -20
- package/dist/mcp/services/mcp-sse.service.d.ts.map +0 -1
- package/dist/mcp/services/mcp-sse.service.js +0 -91
- package/dist/mcp/services/mcp-sse.service.js.map +0 -1
- package/dist/mcp/services/mcp-streamable-http.service.d.ts +0 -32
- package/dist/mcp/services/mcp-streamable-http.service.d.ts.map +0 -1
- package/dist/mcp/services/mcp-streamable-http.service.js +0 -327
- package/dist/mcp/services/mcp-streamable-http.service.js.map +0 -1
- package/dist/mcp/services/sse-ping.service.d.ts +0 -23
- package/dist/mcp/services/sse-ping.service.d.ts.map +0 -1
- package/dist/mcp/services/sse-ping.service.js +0 -99
- package/dist/mcp/services/sse-ping.service.js.map +0 -1
- package/dist/mcp/transport/sse.controller.factory.d.ts +0 -14
- package/dist/mcp/transport/sse.controller.factory.d.ts.map +0 -1
- package/dist/mcp/transport/sse.controller.factory.js +0 -67
- package/dist/mcp/transport/sse.controller.factory.js.map +0 -1
- package/dist/mcp/transport/stdio.service.d.ts +0 -14
- package/dist/mcp/transport/stdio.service.d.ts.map +0 -1
- package/dist/mcp/transport/stdio.service.js +0 -66
- package/dist/mcp/transport/stdio.service.js.map +0 -1
- package/dist/mcp/transport/streamable-http.controller.factory.d.ts +0 -14
- package/dist/mcp/transport/streamable-http.controller.factory.d.ts.map +0 -1
- package/dist/mcp/transport/streamable-http.controller.factory.js +0 -74
- package/dist/mcp/transport/streamable-http.controller.factory.js.map +0 -1
- package/dist/mcp/utils/capabilities-builder.d.ts +0 -5
- package/dist/mcp/utils/capabilities-builder.d.ts.map +0 -1
- package/dist/mcp/utils/capabilities-builder.js +0 -25
- package/dist/mcp/utils/capabilities-builder.js.map +0 -1
- package/dist/mcp/utils/mcp-server.factory.d.ts +0 -6
- package/dist/mcp/utils/mcp-server.factory.d.ts.map +0 -1
- package/dist/mcp/utils/mcp-server.factory.js +0 -22
- package/dist/mcp/utils/mcp-server.factory.js.map +0 -1
- package/src/authz/guards/jwt-auth.guard.ts +0 -127
- package/src/authz/index.ts +0 -10
- package/src/authz/interfaces/oauth-common.interface.ts +0 -21
- package/src/authz/interfaces/request-with-user.ts +0 -16
- package/src/authz/mcp-oauth.controller.ts +0 -860
- package/src/authz/mcp-oauth.module.ts +0 -384
- package/src/authz/providers/azure-ad.provider.ts +0 -40
- package/src/authz/providers/github.provider.ts +0 -22
- package/src/authz/providers/google.provider.ts +0 -23
- package/src/authz/providers/oauth-provider.interface.ts +0 -147
- package/src/authz/services/client.service.ts +0 -125
- package/src/authz/services/jwt-token.service.spec.ts +0 -67
- package/src/authz/services/jwt-token.service.ts +0 -188
- package/src/authz/services/oauth-strategy.service.ts +0 -64
- package/src/authz/stores/memory-store.service.spec.ts +0 -475
- package/src/authz/stores/memory-store.service.ts +0 -141
- package/src/authz/stores/oauth-store.interface.ts +0 -131
- package/src/authz/stores/typeorm/README.md +0 -140
- package/src/authz/stores/typeorm/constants.ts +0 -6
- package/src/authz/stores/typeorm/entities/authorization-code.entity.ts +0 -41
- package/src/authz/stores/typeorm/entities/index.ts +0 -4
- package/src/authz/stores/typeorm/entities/oauth-client.entity.ts +0 -53
- package/src/authz/stores/typeorm/entities/oauth-session.entity.ts +0 -38
- package/src/authz/stores/typeorm/entities/user-profile.entity.ts +0 -46
- package/src/authz/stores/typeorm/typeorm-store.service.spec.ts +0 -494
- package/src/authz/stores/typeorm/typeorm-store.service.ts +0 -165
- package/src/mcp/constants/feature-registration.constants.ts +0 -24
- package/src/mcp/decorators/tool-guards.decorator.ts +0 -82
- package/src/mcp/interfaces/mcp-options.interface.ts +0 -95
- package/src/mcp/mcp.module.ts +0 -349
- package/src/mcp/services/handlers/mcp-handler.base.ts +0 -203
- package/src/mcp/services/handlers/mcp-prompts.handler.ts +0 -143
- package/src/mcp/services/handlers/mcp-resources.handler.ts +0 -183
- package/src/mcp/services/handlers/mcp-tools.handler.spec.ts +0 -41
- package/src/mcp/services/handlers/mcp-tools.handler.ts +0 -436
- package/src/mcp/services/mcp-dynamic-registry.service.ts +0 -236
- package/src/mcp/services/mcp-executor.service.ts +0 -64
- package/src/mcp/services/mcp-registry-discovery.service.spec.ts +0 -306
- package/src/mcp/services/mcp-registry-discovery.service.ts +0 -849
- package/src/mcp/services/mcp-sse.service.ts +0 -124
- package/src/mcp/services/mcp-streamable-http.service.ts +0 -472
- package/src/mcp/services/sse-ping.service.ts +0 -144
- package/src/mcp/transport/custom-decorator.spec.ts +0 -75
- package/src/mcp/transport/sse.controller.factory.ts +0 -84
- package/src/mcp/transport/stdio.service.ts +0 -75
- package/src/mcp/transport/streamable-http.controller.factory.ts +0 -80
- package/src/mcp/utils/capabilities-builder.ts +0 -43
- package/src/mcp/utils/mcp-server.factory.ts +0 -33
|
@@ -1,540 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
var __param = (this && this.__param) || function (paramIndex, decorator) {
|
|
12
|
-
return function (target, key) { decorator(target, key, paramIndex); }
|
|
13
|
-
};
|
|
14
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
15
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
16
|
-
};
|
|
17
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
18
|
-
exports.createMcpOAuthController = createMcpOAuthController;
|
|
19
|
-
const common_1 = require("@nestjs/common");
|
|
20
|
-
const crypto_1 = require("crypto");
|
|
21
|
-
const passport_1 = __importDefault(require("passport"));
|
|
22
|
-
const normalize_endpoint_1 = require("../mcp/utils/normalize-endpoint");
|
|
23
|
-
const client_service_1 = require("./services/client.service");
|
|
24
|
-
const jwt_token_service_1 = require("./services/jwt-token.service");
|
|
25
|
-
const oauth_strategy_service_1 = require("./services/oauth-strategy.service");
|
|
26
|
-
function createMcpOAuthController(endpoints = {}, options, authModuleId) {
|
|
27
|
-
var McpOAuthController_1;
|
|
28
|
-
const OptionalGet = (path, enabled) => {
|
|
29
|
-
return enabled && path
|
|
30
|
-
? common_1.Get(path)
|
|
31
|
-
: (() => { });
|
|
32
|
-
};
|
|
33
|
-
const OptionalHeader = (name, value, enabled) => {
|
|
34
|
-
return enabled
|
|
35
|
-
? common_1.Header(name, value)
|
|
36
|
-
: (() => { });
|
|
37
|
-
};
|
|
38
|
-
let McpOAuthController = McpOAuthController_1 = class McpOAuthController {
|
|
39
|
-
constructor(options, store, jwtTokenService, clientService, oauthStrategyService) {
|
|
40
|
-
this.store = store;
|
|
41
|
-
this.jwtTokenService = jwtTokenService;
|
|
42
|
-
this.clientService = clientService;
|
|
43
|
-
this.oauthStrategyService = oauthStrategyService;
|
|
44
|
-
this.logger = new common_1.Logger(McpOAuthController_1.name);
|
|
45
|
-
this.serverUrl = options.serverUrl;
|
|
46
|
-
this.isProduction = options.cookieSecure;
|
|
47
|
-
this.options = options;
|
|
48
|
-
this.strategyName = oauthStrategyService.getStrategyName();
|
|
49
|
-
}
|
|
50
|
-
parseRequestBody(body, req) {
|
|
51
|
-
if (body && typeof body === 'object' && Object.keys(body).length > 0) {
|
|
52
|
-
return body;
|
|
53
|
-
}
|
|
54
|
-
if (typeof body === 'string' && body.length > 0) {
|
|
55
|
-
const params = new URLSearchParams(body);
|
|
56
|
-
const parsedBody = {};
|
|
57
|
-
for (const [key, value] of params.entries()) {
|
|
58
|
-
parsedBody[key] = value;
|
|
59
|
-
}
|
|
60
|
-
return parsedBody;
|
|
61
|
-
}
|
|
62
|
-
if (req?.textBody) {
|
|
63
|
-
const params = new URLSearchParams(req.textBody);
|
|
64
|
-
const parsedBody = {};
|
|
65
|
-
for (const [key, value] of params.entries()) {
|
|
66
|
-
parsedBody[key] = value;
|
|
67
|
-
}
|
|
68
|
-
return parsedBody;
|
|
69
|
-
}
|
|
70
|
-
if (req?.rawBody) {
|
|
71
|
-
const bodyString = req.rawBody.toString('utf-8');
|
|
72
|
-
if (bodyString) {
|
|
73
|
-
const params = new URLSearchParams(bodyString);
|
|
74
|
-
const parsedBody = {};
|
|
75
|
-
for (const [key, value] of params.entries()) {
|
|
76
|
-
parsedBody[key] = value;
|
|
77
|
-
}
|
|
78
|
-
return parsedBody;
|
|
79
|
-
}
|
|
80
|
-
}
|
|
81
|
-
return {};
|
|
82
|
-
}
|
|
83
|
-
captureRawBody(req, res, next) {
|
|
84
|
-
if (req.headers['content-type']?.includes('application/x-www-form-urlencoded')) {
|
|
85
|
-
let rawBody = '';
|
|
86
|
-
req.on('data', (chunk) => {
|
|
87
|
-
rawBody += chunk.toString('utf-8');
|
|
88
|
-
});
|
|
89
|
-
req.on('end', () => {
|
|
90
|
-
req.textBody = rawBody;
|
|
91
|
-
if (rawBody) {
|
|
92
|
-
const params = new URLSearchParams(rawBody);
|
|
93
|
-
const parsedBody = {};
|
|
94
|
-
for (const [key, value] of params.entries()) {
|
|
95
|
-
parsedBody[key] = value;
|
|
96
|
-
}
|
|
97
|
-
req.body = parsedBody;
|
|
98
|
-
}
|
|
99
|
-
next();
|
|
100
|
-
});
|
|
101
|
-
req.on('error', (err) => {
|
|
102
|
-
this.logger.error('Error reading request body:', err);
|
|
103
|
-
next(err);
|
|
104
|
-
});
|
|
105
|
-
}
|
|
106
|
-
else {
|
|
107
|
-
next();
|
|
108
|
-
}
|
|
109
|
-
}
|
|
110
|
-
getProtectedResourceMetadata() {
|
|
111
|
-
const authorizationServerIssuer = this.options.jwtIssuer;
|
|
112
|
-
const resourceIdentifier = this.options.resource;
|
|
113
|
-
const metadata = {
|
|
114
|
-
authorization_servers: [authorizationServerIssuer],
|
|
115
|
-
resource: resourceIdentifier,
|
|
116
|
-
scopes_supported: this.options.protectedResourceMetadata.scopesSupported,
|
|
117
|
-
bearer_methods_supported: this.options.protectedResourceMetadata.bearerMethodsSupported,
|
|
118
|
-
mcp_versions_supported: this.options.protectedResourceMetadata.mcpVersionsSupported,
|
|
119
|
-
};
|
|
120
|
-
return metadata;
|
|
121
|
-
}
|
|
122
|
-
getAuthorizationServerMetadata() {
|
|
123
|
-
return {
|
|
124
|
-
issuer: this.serverUrl,
|
|
125
|
-
authorization_endpoint: (0, normalize_endpoint_1.normalizeEndpoint)(`${this.serverUrl}/${endpoints.authorize}`),
|
|
126
|
-
token_endpoint: (0, normalize_endpoint_1.normalizeEndpoint)(`${this.serverUrl}/${endpoints.token}`),
|
|
127
|
-
registration_endpoint: (0, normalize_endpoint_1.normalizeEndpoint)(`${this.serverUrl}/${endpoints.register}`),
|
|
128
|
-
response_types_supported: this.options.authorizationServerMetadata.responseTypesSupported,
|
|
129
|
-
response_modes_supported: this.options.authorizationServerMetadata.responseModesSupported,
|
|
130
|
-
grant_types_supported: this.options.authorizationServerMetadata.grantTypesSupported,
|
|
131
|
-
token_endpoint_auth_methods_supported: this.options.authorizationServerMetadata
|
|
132
|
-
.tokenEndpointAuthMethodsSupported,
|
|
133
|
-
scopes_supported: this.options.authorizationServerMetadata.scopesSupported,
|
|
134
|
-
revocation_endpoint: (0, normalize_endpoint_1.normalizeEndpoint)(`${this.serverUrl}/${endpoints?.revoke}`),
|
|
135
|
-
code_challenge_methods_supported: this.options.authorizationServerMetadata
|
|
136
|
-
.codeChallengeMethodsSupported,
|
|
137
|
-
};
|
|
138
|
-
}
|
|
139
|
-
async registerClient(registrationDto) {
|
|
140
|
-
return await this.clientService.registerClient(registrationDto);
|
|
141
|
-
}
|
|
142
|
-
async authorize(query, req, res, next) {
|
|
143
|
-
const { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state, scope, } = query;
|
|
144
|
-
const resource = this.options.resource;
|
|
145
|
-
if (response_type !== 'code') {
|
|
146
|
-
throw new common_1.BadRequestException('Only response_type=code is supported');
|
|
147
|
-
}
|
|
148
|
-
if (!client_id) {
|
|
149
|
-
throw new common_1.BadRequestException('Missing required parameters');
|
|
150
|
-
}
|
|
151
|
-
const client = await this.clientService.getClient(client_id);
|
|
152
|
-
if (!client) {
|
|
153
|
-
throw new common_1.BadRequestException('Invalid client_id');
|
|
154
|
-
}
|
|
155
|
-
const validRedirect = await this.clientService.validateRedirectUri(client_id, redirect_uri);
|
|
156
|
-
if (!validRedirect) {
|
|
157
|
-
throw new common_1.BadRequestException('Invalid redirect_uri');
|
|
158
|
-
}
|
|
159
|
-
const sessionId = (0, crypto_1.randomBytes)(32).toString('base64url');
|
|
160
|
-
const sessionState = (0, crypto_1.randomBytes)(32).toString('base64url');
|
|
161
|
-
const oauthSession = {
|
|
162
|
-
sessionId,
|
|
163
|
-
state: sessionState,
|
|
164
|
-
clientId: client_id,
|
|
165
|
-
redirectUri: redirect_uri,
|
|
166
|
-
codeChallenge: code_challenge,
|
|
167
|
-
codeChallengeMethod: code_challenge_method || 'plain',
|
|
168
|
-
oauthState: state,
|
|
169
|
-
scope: scope,
|
|
170
|
-
resource,
|
|
171
|
-
expiresAt: Date.now() + this.options.oauthSessionExpiresIn,
|
|
172
|
-
};
|
|
173
|
-
await this.store.storeOAuthSession(sessionId, oauthSession);
|
|
174
|
-
res.cookie('oauth_session', sessionId, {
|
|
175
|
-
httpOnly: true,
|
|
176
|
-
secure: this.isProduction,
|
|
177
|
-
maxAge: this.options.oauthSessionExpiresIn,
|
|
178
|
-
});
|
|
179
|
-
res.cookie('oauth_state', sessionState, {
|
|
180
|
-
httpOnly: true,
|
|
181
|
-
secure: this.isProduction,
|
|
182
|
-
maxAge: this.options.oauthSessionExpiresIn,
|
|
183
|
-
});
|
|
184
|
-
passport_1.default.authenticate(this.strategyName, {
|
|
185
|
-
state: req.cookies?.oauth_state,
|
|
186
|
-
})(req, res, next);
|
|
187
|
-
}
|
|
188
|
-
handleProviderCallback(req, res, next) {
|
|
189
|
-
passport_1.default.authenticate(this.strategyName, { session: false }, async (err, user) => {
|
|
190
|
-
try {
|
|
191
|
-
if (err) {
|
|
192
|
-
this.logger.error('OAuth callback error:', err);
|
|
193
|
-
throw new common_1.BadRequestException('Authentication failed');
|
|
194
|
-
}
|
|
195
|
-
if (!user) {
|
|
196
|
-
throw new common_1.BadRequestException('Authentication failed');
|
|
197
|
-
}
|
|
198
|
-
req.user = user;
|
|
199
|
-
await this.processAuthenticationSuccess(req, res);
|
|
200
|
-
}
|
|
201
|
-
catch (error) {
|
|
202
|
-
next(error);
|
|
203
|
-
}
|
|
204
|
-
})(req, res, next);
|
|
205
|
-
}
|
|
206
|
-
async processAuthenticationSuccess(req, res) {
|
|
207
|
-
const user = req.user;
|
|
208
|
-
if (!user) {
|
|
209
|
-
throw new common_1.BadRequestException('Authentication failed');
|
|
210
|
-
}
|
|
211
|
-
const sessionId = req.cookies?.oauth_session;
|
|
212
|
-
if (!sessionId) {
|
|
213
|
-
throw new common_1.BadRequestException('Missing OAuth session');
|
|
214
|
-
}
|
|
215
|
-
const session = await this.store.getOAuthSession(sessionId);
|
|
216
|
-
if (!session) {
|
|
217
|
-
throw new common_1.BadRequestException('Invalid or expired OAuth session');
|
|
218
|
-
}
|
|
219
|
-
const stateFromCookie = req.cookies?.oauth_state;
|
|
220
|
-
if (session.state !== stateFromCookie) {
|
|
221
|
-
throw new common_1.BadRequestException('Invalid state parameter');
|
|
222
|
-
}
|
|
223
|
-
const jwt = this.jwtTokenService.generateUserToken(user.profile.username, user.profile);
|
|
224
|
-
res.cookie('auth_token', jwt, {
|
|
225
|
-
httpOnly: true,
|
|
226
|
-
secure: this.isProduction,
|
|
227
|
-
maxAge: this.options.cookieMaxAge,
|
|
228
|
-
});
|
|
229
|
-
res.clearCookie('oauth_session');
|
|
230
|
-
res.clearCookie('oauth_state');
|
|
231
|
-
const user_profile_id = await this.store.upsertUserProfile(user.profile, user.provider);
|
|
232
|
-
const authCode = (0, crypto_1.randomBytes)(32).toString('base64url');
|
|
233
|
-
await this.store.storeAuthCode({
|
|
234
|
-
code: authCode,
|
|
235
|
-
user_id: user.profile.username,
|
|
236
|
-
client_id: session.clientId,
|
|
237
|
-
redirect_uri: session.redirectUri,
|
|
238
|
-
code_challenge: session.codeChallenge,
|
|
239
|
-
code_challenge_method: session.codeChallengeMethod,
|
|
240
|
-
expires_at: Date.now() + this.options.authCodeExpiresIn,
|
|
241
|
-
resource: session.resource,
|
|
242
|
-
scope: session.scope,
|
|
243
|
-
user_profile_id,
|
|
244
|
-
});
|
|
245
|
-
const redirectUrl = new URL(session.redirectUri);
|
|
246
|
-
redirectUrl.searchParams.set('code', authCode);
|
|
247
|
-
if (session.oauthState) {
|
|
248
|
-
redirectUrl.searchParams.set('state', session.oauthState);
|
|
249
|
-
}
|
|
250
|
-
await this.store.removeOAuthSession(sessionId);
|
|
251
|
-
res.redirect(redirectUrl.toString());
|
|
252
|
-
}
|
|
253
|
-
async exchangeToken(body, req, res) {
|
|
254
|
-
const isFormUrlEncoded = req.headers['content-type']?.includes('application/x-www-form-urlencoded');
|
|
255
|
-
const isBodyEmpty = !body ||
|
|
256
|
-
(typeof body === 'object' &&
|
|
257
|
-
Object.keys(body).length === 0);
|
|
258
|
-
if (isFormUrlEncoded && isBodyEmpty) {
|
|
259
|
-
return new Promise((resolve, reject) => {
|
|
260
|
-
this.captureRawBody(req, res, (err) => {
|
|
261
|
-
if (err) {
|
|
262
|
-
reject(err instanceof Error ? err : new Error(String(err ?? 'error')));
|
|
263
|
-
return;
|
|
264
|
-
}
|
|
265
|
-
void (async () => {
|
|
266
|
-
try {
|
|
267
|
-
const parsedBody = this.parseRequestBody(req.body || body, req);
|
|
268
|
-
const result = await this.processTokenExchange(parsedBody, req);
|
|
269
|
-
resolve(result);
|
|
270
|
-
}
|
|
271
|
-
catch (error) {
|
|
272
|
-
reject(error instanceof Error
|
|
273
|
-
? error
|
|
274
|
-
: new Error(String(error ?? 'error')));
|
|
275
|
-
}
|
|
276
|
-
})();
|
|
277
|
-
});
|
|
278
|
-
});
|
|
279
|
-
}
|
|
280
|
-
const parsedBody = this.parseRequestBody(body, req);
|
|
281
|
-
return this.processTokenExchange(parsedBody, req);
|
|
282
|
-
}
|
|
283
|
-
async processTokenExchange(parsedBody, req) {
|
|
284
|
-
const { grant_type, code, code_verifier, redirect_uri, refresh_token } = parsedBody;
|
|
285
|
-
if (!grant_type) {
|
|
286
|
-
this.logger.error('Missing grant_type in request body:', {
|
|
287
|
-
parsedBodyKeys: Object.keys(parsedBody),
|
|
288
|
-
contentType: req.headers['content-type'],
|
|
289
|
-
textBody: req.textBody,
|
|
290
|
-
parsedBody,
|
|
291
|
-
});
|
|
292
|
-
throw new common_1.BadRequestException('Missing grant_type parameter');
|
|
293
|
-
}
|
|
294
|
-
switch (grant_type) {
|
|
295
|
-
case 'authorization_code': {
|
|
296
|
-
const clientCredentials = this.extractClientCredentials(req, parsedBody);
|
|
297
|
-
return await this.handleAuthorizationCodeGrant(typeof code === 'string' ? code : String(code ?? ''), typeof code_verifier === 'string'
|
|
298
|
-
? code_verifier
|
|
299
|
-
: String(code_verifier ?? ''), typeof redirect_uri === 'string'
|
|
300
|
-
? redirect_uri
|
|
301
|
-
: String(redirect_uri ?? ''), clientCredentials);
|
|
302
|
-
}
|
|
303
|
-
case 'refresh_token': {
|
|
304
|
-
let clientCredentials;
|
|
305
|
-
try {
|
|
306
|
-
clientCredentials = this.extractClientCredentials(req, parsedBody);
|
|
307
|
-
}
|
|
308
|
-
catch {
|
|
309
|
-
clientCredentials = { client_id: '' };
|
|
310
|
-
}
|
|
311
|
-
return await this.handleRefreshTokenGrant(typeof refresh_token === 'string'
|
|
312
|
-
? refresh_token
|
|
313
|
-
: String(refresh_token ?? ''), clientCredentials);
|
|
314
|
-
}
|
|
315
|
-
default:
|
|
316
|
-
throw new common_1.BadRequestException(`Unsupported grant_type: ${grant_type}`);
|
|
317
|
-
}
|
|
318
|
-
}
|
|
319
|
-
extractClientCredentials(req, body) {
|
|
320
|
-
const parsedBody = this.parseRequestBody(body, req);
|
|
321
|
-
const authHeader = req.headers?.authorization;
|
|
322
|
-
if (authHeader && authHeader.startsWith('Basic ')) {
|
|
323
|
-
const credentials = Buffer.from(authHeader.slice(6), 'base64').toString('utf-8');
|
|
324
|
-
const [client_id, client_secret] = credentials.split(':', 2);
|
|
325
|
-
if (client_id) {
|
|
326
|
-
return { client_id, client_secret };
|
|
327
|
-
}
|
|
328
|
-
}
|
|
329
|
-
if (parsedBody.client_id) {
|
|
330
|
-
return {
|
|
331
|
-
client_id: parsedBody.client_id,
|
|
332
|
-
client_secret: parsedBody.client_secret,
|
|
333
|
-
};
|
|
334
|
-
}
|
|
335
|
-
throw new common_1.BadRequestException('Missing client credentials');
|
|
336
|
-
}
|
|
337
|
-
validateClientAuthentication(client, clientCredentials) {
|
|
338
|
-
if (!client) {
|
|
339
|
-
throw new common_1.BadRequestException('Invalid client_id');
|
|
340
|
-
}
|
|
341
|
-
const { token_endpoint_auth_method } = client;
|
|
342
|
-
switch (token_endpoint_auth_method) {
|
|
343
|
-
case 'client_secret_basic':
|
|
344
|
-
case 'client_secret_post':
|
|
345
|
-
if (!clientCredentials.client_secret) {
|
|
346
|
-
throw new common_1.BadRequestException('Client secret required for this authentication method');
|
|
347
|
-
}
|
|
348
|
-
if (client.client_secret !== clientCredentials.client_secret) {
|
|
349
|
-
throw new common_1.BadRequestException('Invalid client credentials');
|
|
350
|
-
}
|
|
351
|
-
break;
|
|
352
|
-
case 'none':
|
|
353
|
-
if (clientCredentials.client_secret) {
|
|
354
|
-
throw new common_1.BadRequestException('Client secret not allowed for public clients');
|
|
355
|
-
}
|
|
356
|
-
break;
|
|
357
|
-
default:
|
|
358
|
-
throw new common_1.BadRequestException(`Unsupported authentication method: ${token_endpoint_auth_method}`);
|
|
359
|
-
}
|
|
360
|
-
}
|
|
361
|
-
async handleAuthorizationCodeGrant(code, code_verifier, _redirect_uri, clientCredentials) {
|
|
362
|
-
this.logger.debug('handleAuthorizationCodeGrant - Params:', {
|
|
363
|
-
code,
|
|
364
|
-
client_id: clientCredentials.client_id,
|
|
365
|
-
});
|
|
366
|
-
const authCode = await this.store.getAuthCode(code);
|
|
367
|
-
if (!authCode) {
|
|
368
|
-
this.logger.error('handleAuthorizationCodeGrant - Invalid authorization code:', code);
|
|
369
|
-
throw new common_1.BadRequestException('Invalid authorization code');
|
|
370
|
-
}
|
|
371
|
-
if (authCode.expires_at < Date.now()) {
|
|
372
|
-
await this.store.removeAuthCode(code);
|
|
373
|
-
this.logger.error('handleAuthorizationCodeGrant - Authorization code expired:', code);
|
|
374
|
-
throw new common_1.BadRequestException('Authorization code has expired');
|
|
375
|
-
}
|
|
376
|
-
if (authCode.client_id !== clientCredentials.client_id) {
|
|
377
|
-
this.logger.error('handleAuthorizationCodeGrant - Client ID mismatch:', { expected: authCode.client_id, got: clientCredentials.client_id });
|
|
378
|
-
throw new common_1.BadRequestException('Client ID mismatch');
|
|
379
|
-
}
|
|
380
|
-
const client = await this.clientService.getClient(clientCredentials.client_id);
|
|
381
|
-
this.validateClientAuthentication(client, clientCredentials);
|
|
382
|
-
if (authCode.code_challenge) {
|
|
383
|
-
const isValid = this.validatePKCE(code_verifier, authCode.code_challenge, authCode.code_challenge_method);
|
|
384
|
-
if (!isValid) {
|
|
385
|
-
this.logger.error('handleAuthorizationCodeGrant - Invalid PKCE verification');
|
|
386
|
-
throw new common_1.BadRequestException('Invalid PKCE verification');
|
|
387
|
-
}
|
|
388
|
-
}
|
|
389
|
-
if (!authCode.resource) {
|
|
390
|
-
this.logger.error('handleAuthorizationCodeGrant - No resource associated with code');
|
|
391
|
-
throw new common_1.BadRequestException('Authorization code is not associated with a resource');
|
|
392
|
-
}
|
|
393
|
-
let userData = undefined;
|
|
394
|
-
if (authCode.user_profile_id) {
|
|
395
|
-
try {
|
|
396
|
-
const profile = await this.store.getUserProfileById(authCode.user_profile_id);
|
|
397
|
-
if (profile) {
|
|
398
|
-
userData = { ...profile };
|
|
399
|
-
}
|
|
400
|
-
}
|
|
401
|
-
catch (e) {
|
|
402
|
-
this.logger.warn('Failed to load user profile for token payload', e);
|
|
403
|
-
}
|
|
404
|
-
}
|
|
405
|
-
const tokens = this.jwtTokenService.generateTokenPair(authCode.user_id, clientCredentials.client_id, authCode.scope, authCode.resource, {
|
|
406
|
-
user_profile_id: authCode.user_profile_id,
|
|
407
|
-
user_data: userData,
|
|
408
|
-
});
|
|
409
|
-
await this.store.removeAuthCode(code);
|
|
410
|
-
this.logger.debug('handleAuthorizationCodeGrant - Token pair generated for user:', authCode.user_id);
|
|
411
|
-
return tokens;
|
|
412
|
-
}
|
|
413
|
-
async handleRefreshTokenGrant(refresh_token, clientCredentials) {
|
|
414
|
-
const payload = this.jwtTokenService.validateToken(refresh_token);
|
|
415
|
-
if (!payload || payload.type !== 'refresh') {
|
|
416
|
-
throw new common_1.BadRequestException('Invalid or expired refresh token');
|
|
417
|
-
}
|
|
418
|
-
const clientId = clientCredentials.client_id || payload.client_id;
|
|
419
|
-
if (!clientId) {
|
|
420
|
-
throw new common_1.BadRequestException('Unable to determine client_id');
|
|
421
|
-
}
|
|
422
|
-
const client = await this.clientService.getClient(clientId);
|
|
423
|
-
if (client?.token_endpoint_auth_method !== 'none') {
|
|
424
|
-
this.validateClientAuthentication(client, {
|
|
425
|
-
...clientCredentials,
|
|
426
|
-
client_id: clientId,
|
|
427
|
-
});
|
|
428
|
-
}
|
|
429
|
-
if (payload.client_id !== clientId) {
|
|
430
|
-
throw new common_1.BadRequestException('Invalid refresh token or token does not belong to this client');
|
|
431
|
-
}
|
|
432
|
-
let newTokens = null;
|
|
433
|
-
try {
|
|
434
|
-
const payload = this.jwtTokenService.validateToken(refresh_token);
|
|
435
|
-
if (!payload || payload.type !== 'refresh') {
|
|
436
|
-
throw new common_1.BadRequestException('Invalid or expired refresh token');
|
|
437
|
-
}
|
|
438
|
-
let userData = undefined;
|
|
439
|
-
if (payload.user_profile_id) {
|
|
440
|
-
try {
|
|
441
|
-
const profile = await this.store.getUserProfileById(payload.user_profile_id);
|
|
442
|
-
if (profile)
|
|
443
|
-
userData = { ...profile };
|
|
444
|
-
}
|
|
445
|
-
catch (e) {
|
|
446
|
-
this.logger.warn('Failed to load user profile for refreshed token payload', e);
|
|
447
|
-
}
|
|
448
|
-
}
|
|
449
|
-
newTokens = this.jwtTokenService.generateTokenPair(payload.sub, clientId, payload.scope, payload.resource, {
|
|
450
|
-
user_profile_id: payload.user_profile_id,
|
|
451
|
-
user_data: userData,
|
|
452
|
-
});
|
|
453
|
-
}
|
|
454
|
-
catch (e) {
|
|
455
|
-
this.logger.warn('Refresh flow failed using enriched path, fallback', e);
|
|
456
|
-
newTokens = this.jwtTokenService.refreshAccessToken(refresh_token);
|
|
457
|
-
}
|
|
458
|
-
if (!newTokens)
|
|
459
|
-
throw new common_1.BadRequestException('Failed to refresh token');
|
|
460
|
-
return newTokens;
|
|
461
|
-
}
|
|
462
|
-
validatePKCE(code_verifier, code_challenge, method) {
|
|
463
|
-
if (method === 'plain') {
|
|
464
|
-
return code_verifier === code_challenge;
|
|
465
|
-
}
|
|
466
|
-
else if (method === 'S256') {
|
|
467
|
-
const hash = (0, crypto_1.createHash)('sha256')
|
|
468
|
-
.update(code_verifier)
|
|
469
|
-
.digest('base64url');
|
|
470
|
-
return hash === code_challenge;
|
|
471
|
-
}
|
|
472
|
-
return false;
|
|
473
|
-
}
|
|
474
|
-
};
|
|
475
|
-
__decorate([
|
|
476
|
-
OptionalGet(endpoints.wellKnownProtectedResourceMetadata, !options?.disableWellKnownProtectedResourceMetadata),
|
|
477
|
-
OptionalHeader('content-type', 'application/json', !options?.disableWellKnownProtectedResourceMetadata),
|
|
478
|
-
__metadata("design:type", Function),
|
|
479
|
-
__metadata("design:paramtypes", []),
|
|
480
|
-
__metadata("design:returntype", void 0)
|
|
481
|
-
], McpOAuthController.prototype, "getProtectedResourceMetadata", null);
|
|
482
|
-
__decorate([
|
|
483
|
-
OptionalGet(endpoints.wellKnownAuthorizationServerMetadata, !options?.disableWellKnownAuthorizationServerMetadata),
|
|
484
|
-
OptionalHeader('content-type', 'application/json', !options?.disableWellKnownAuthorizationServerMetadata),
|
|
485
|
-
__metadata("design:type", Function),
|
|
486
|
-
__metadata("design:paramtypes", []),
|
|
487
|
-
__metadata("design:returntype", void 0)
|
|
488
|
-
], McpOAuthController.prototype, "getAuthorizationServerMetadata", null);
|
|
489
|
-
__decorate([
|
|
490
|
-
(0, common_1.Post)(endpoints.register),
|
|
491
|
-
__param(0, (0, common_1.Body)()),
|
|
492
|
-
__metadata("design:type", Function),
|
|
493
|
-
__metadata("design:paramtypes", [Object]),
|
|
494
|
-
__metadata("design:returntype", Promise)
|
|
495
|
-
], McpOAuthController.prototype, "registerClient", null);
|
|
496
|
-
__decorate([
|
|
497
|
-
(0, common_1.Get)(endpoints.authorize),
|
|
498
|
-
__param(0, (0, common_1.Query)()),
|
|
499
|
-
__param(1, (0, common_1.Req)()),
|
|
500
|
-
__param(2, (0, common_1.Res)()),
|
|
501
|
-
__param(3, (0, common_1.Next)()),
|
|
502
|
-
__metadata("design:type", Function),
|
|
503
|
-
__metadata("design:paramtypes", [Object, Object, Object, Function]),
|
|
504
|
-
__metadata("design:returntype", Promise)
|
|
505
|
-
], McpOAuthController.prototype, "authorize", null);
|
|
506
|
-
__decorate([
|
|
507
|
-
(0, common_1.Get)(endpoints.callback),
|
|
508
|
-
__param(0, (0, common_1.Req)()),
|
|
509
|
-
__param(1, (0, common_1.Res)()),
|
|
510
|
-
__param(2, (0, common_1.Next)()),
|
|
511
|
-
__metadata("design:type", Function),
|
|
512
|
-
__metadata("design:paramtypes", [Object, Object, Function]),
|
|
513
|
-
__metadata("design:returntype", void 0)
|
|
514
|
-
], McpOAuthController.prototype, "handleProviderCallback", null);
|
|
515
|
-
__decorate([
|
|
516
|
-
(0, common_1.Post)(endpoints.token),
|
|
517
|
-
(0, common_1.Header)('content-type', 'application/json'),
|
|
518
|
-
(0, common_1.Header)('Cache-Control', 'no-store'),
|
|
519
|
-
(0, common_1.Header)('Pragma', 'no-cache'),
|
|
520
|
-
(0, common_1.HttpCode)(200),
|
|
521
|
-
__param(0, (0, common_1.Body)()),
|
|
522
|
-
__param(1, (0, common_1.Req)()),
|
|
523
|
-
__param(2, (0, common_1.Res)({ passthrough: true })),
|
|
524
|
-
__metadata("design:type", Function),
|
|
525
|
-
__metadata("design:paramtypes", [Object, Object, Object]),
|
|
526
|
-
__metadata("design:returntype", Promise)
|
|
527
|
-
], McpOAuthController.prototype, "exchangeToken", null);
|
|
528
|
-
McpOAuthController = McpOAuthController_1 = __decorate([
|
|
529
|
-
(0, common_1.Controller)(),
|
|
530
|
-
__param(0, (0, common_1.Inject)(authModuleId
|
|
531
|
-
? `OAUTH_MODULE_OPTIONS_${authModuleId}`
|
|
532
|
-
: 'OAUTH_MODULE_OPTIONS')),
|
|
533
|
-
__param(1, (0, common_1.Inject)(authModuleId ? `IOAuthStore_${authModuleId}` : 'IOAuthStore')),
|
|
534
|
-
__metadata("design:paramtypes", [Object, Object, jwt_token_service_1.JwtTokenService,
|
|
535
|
-
client_service_1.ClientService,
|
|
536
|
-
oauth_strategy_service_1.OAuthStrategyService])
|
|
537
|
-
], McpOAuthController);
|
|
538
|
-
return McpOAuthController;
|
|
539
|
-
}
|
|
540
|
-
//# sourceMappingURL=mcp-oauth.controller.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"mcp-oauth.controller.js","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAgDA,4DA2yBC;AA31BD,2CAcwB;AACxB,mCAAiD;AAMjD,wDAAgC;AAChC,wEAAoE;AAOpE,8DAA0D;AAC1D,oEAA0E;AAC1E,8EAAyE;AAiBzE,SAAgB,wBAAwB,CACtC,YAAwC,EAAE,EAC1C,OAGC,EACD,YAAqB;;IAGrB,MAAM,WAAW,GAAG,CAClB,IAAmC,EACnC,OAAgB,EACC,EAAE;QACnB,OAAO,OAAO,IAAI,IAAI;YACpB,CAAC,CAAE,YAA+C,CAAC,IAAI,CAAC;YACxD,CAAC,CAAE,CAAC,GAAG,EAAE,GAAE,CAAC,CAAgC,CAAC;IACjD,CAAC,CAAC;IACF,MAAM,cAAc,GAAG,CACrB,IAAY,EACZ,KAAa,EACb,OAAgB,EACC,EAAE;QACnB,OAAO,OAAO;YACZ,CAAC,CAAE,eAA+D,CAC9D,IAAI,EACJ,KAAK,CACN;YACH,CAAC,CAAE,CAAC,GAAG,EAAE,GAAE,CAAC,CAAgC,CAAC;IACjD,CAAC,CAAC;IAEF,IACM,kBAAkB,0BADxB,MACM,kBAAkB;QAOtB,YAME,OAA2B,EAE3B,KAA2B,EAClB,eAAgC,EAChC,aAA4B,EAC5B,oBAA0C;YAH1C,UAAK,GAAL,KAAK,CAAa;YAClB,oBAAe,GAAf,eAAe,CAAiB;YAChC,kBAAa,GAAb,aAAa,CAAe;YAC5B,yBAAoB,GAApB,oBAAoB,CAAsB;YAjB5C,WAAM,GAAG,IAAI,eAAM,CAAC,oBAAkB,CAAC,IAAI,CAAC,CAAC;YAmBpD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YACnC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;YACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,oBAAoB,CAAC,eAAe,EAAE,CAAC;QAC7D,CAAC;QAMD,gBAAgB,CAAC,IAAS,EAAE,GAAwB;YAElD,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM,UAAU,GAAwB,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAC1B,CAAC;gBACD,OAAO,UAAU,CAAC;YACpB,CAAC;YAGD,IAAI,GAAG,EAAE,QAAQ,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACjD,MAAM,UAAU,GAAwB,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAC1B,CAAC;gBACD,OAAO,UAAU,CAAC;YACpB,CAAC;YAGD,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;oBAC/C,MAAM,UAAU,GAAwB,EAAE,CAAC;oBAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBAC1B,CAAC;oBACD,OAAO,UAAU,CAAC;gBACpB,CAAC;YACH,CAAC;YAGD,OAAO,EAAE,CAAC;QACZ,CAAC;QAMD,cAAc,CAAC,GAAuB,EAAE,GAAa,EAAE,IAAkB;YACvE,IACE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,QAAQ,CACnC,mCAAmC,CACpC,EACD,CAAC;gBACD,IAAI,OAAO,GAAG,EAAE,CAAC;gBAEjB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBAC/B,OAAO,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACrC,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,GAAG,CAAC,QAAQ,GAAG,OAAO,CAAC;oBAEvB,IAAI,OAAO,EAAE,CAAC;wBACZ,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;wBAC5C,MAAM,UAAU,GAAQ,EAAE,CAAC;wBAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;4BAC5C,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;wBAC1B,CAAC;wBACA,GAAW,CAAC,IAAI,GAAG,UAAU,CAAC;oBACjC,CAAC;oBACD,IAAI,EAAE,CAAC;gBACT,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;oBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;oBACtD,IAAI,CAAC,GAAG,CAAC,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,IAAI,EAAE,CAAC;YACT,CAAC;QACH,CAAC;QAWD,4BAA4B;YAE1B,MAAM,yBAAyB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;YAGzD,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YAEjD,MAAM,QAAQ,GAAG;gBAKf,qBAAqB,EAAE,CAAC,yBAAyB,CAAC;gBAMlD,QAAQ,EAAE,kBAAkB;gBAM5B,gBAAgB,EACd,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,eAAe;gBAMxD,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,sBAAsB;gBAM/D,sBAAsB,EACpB,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,oBAAoB;aAC9D,CAAC;YAEF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAYD,8BAA8B;YAC5B,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,SAAS;gBACtB,sBAAsB,EAAE,IAAA,sCAAiB,EACvC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,SAAS,EAAE,CAC3C;gBACD,cAAc,EAAE,IAAA,sCAAiB,EAC/B,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,KAAK,EAAE,CACvC;gBACD,qBAAqB,EAAE,IAAA,sCAAiB,EACtC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ,EAAE,CAC1C;gBACD,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,sBAAsB;gBACjE,wBAAwB,EACtB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,sBAAsB;gBACjE,qBAAqB,EACnB,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,mBAAmB;gBAC9D,qCAAqC,EACnC,IAAI,CAAC,OAAO,CAAC,2BAA2B;qBACrC,iCAAiC;gBACtC,gBAAgB,EACd,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC,eAAe;gBAC1D,mBAAmB,EAAE,IAAA,sCAAiB,EACpC,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE,MAAM,EAAE,CACzC;gBACD,gCAAgC,EAC9B,IAAI,CAAC,OAAO,CAAC,2BAA2B;qBACrC,6BAA6B;aACnC,CAAC;QACJ,CAAC;QAGK,AAAN,KAAK,CAAC,cAAc,CAAS,eAAoB;YAC/C,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QAClE,CAAC;QAGK,AAAN,KAAK,CAAC,SAAS,CACJ,KAAU,EAEnB,GAAQ,EACD,GAAa,EACZ,IAAkB;YAE1B,MAAM,EACJ,aAAa,EACb,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,KAAK,EACL,KAAK,GACN,GAAG,KAAK,CAAC;YACV,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YACvC,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,IAAI,4BAAmB,CAAC,sCAAsC,CAAC,CAAC;YACxE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4BAAmB,CAAC,6BAA6B,CAAC,CAAC;YAC/D,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4BAAmB,CAAC,mBAAmB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAChE,SAAS,EACT,YAAY,CACb,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,4BAAmB,CAAC,sBAAsB,CAAC,CAAC;YACxD,CAAC;YAGD,MAAM,SAAS,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,YAAY,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAE3D,MAAM,YAAY,GAAiB;gBACjC,SAAS;gBACT,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,YAAY;gBACzB,aAAa,EAAE,cAAc;gBAC7B,mBAAmB,EAAE,qBAAqB,IAAI,OAAO;gBACrD,UAAU,EAAE,KAAK;gBACjB,KAAK,EAAE,KAAK;gBACZ,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3D,CAAC;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;YAG5D,GAAG,CAAC,MAAM,CAAC,eAAe,EAAE,SAAS,EAAE;gBACrC,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3C,CAAC,CAAC;YAGH,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,YAAY,EAAE;gBACtC,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;aAC3C,CAAC,CAAC;YAGH,kBAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE;gBACvC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,WAAW;aAChC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACrB,CAAC;QAGD,sBAAsB,CACb,GAAyB,EACzB,GAAa,EACZ,IAAkB;YAG1B,kBAAQ,CAAC,YAAY,CACnB,IAAI,CAAC,YAAY,EACjB,EAAE,OAAO,EAAE,KAAK,EAAE,EAClB,KAAK,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;gBAC5B,IAAI,CAAC;oBACH,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;wBAChD,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;oBACzD,CAAC;oBAED,IAAI,CAAC,IAAI,EAAE,CAAC;wBACV,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;oBACzD,CAAC;oBAED,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;oBAChB,MAAM,IAAI,CAAC,4BAA4B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACpD,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,CAAC,KAAK,CAAC,CAAC;gBACd,CAAC;YACH,CAAC,CACF,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,KAAK,CAAC,4BAA4B,CAChC,GAAyB,EACzB,GAAa;YAEb,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YACtB,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;YACzD,CAAC;YAED,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;YAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4BAAmB,CAAC,uBAAuB,CAAC,CAAC;YACzD,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;YACpE,CAAC;YAGD,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC;YACjD,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;gBACtC,MAAM,IAAI,4BAAmB,CAAC,yBAAyB,CAAC,CAAC;YAC3D,CAAC;YAGD,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAChD,IAAI,CAAC,OAAO,CAAC,QAAQ,EACrB,IAAI,CAAC,OAAO,CACb,CAAC;YAGF,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,EAAE;gBAC5B,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,YAAY;gBACzB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;aAClC,CAAC,CAAC;YAGH,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;YACjC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;YAG/B,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,QAAQ,CACd,CAAC;YAGF,MAAM,QAAQ,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAGvD,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;gBAC7B,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ;gBAC9B,SAAS,EAAE,OAAO,CAAC,QAAS;gBAC5B,YAAY,EAAE,OAAO,CAAC,WAAY;gBAClC,cAAc,EAAE,OAAO,CAAC,aAAc;gBACtC,qBAAqB,EAAE,OAAO,CAAC,mBAAoB;gBACnD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB;gBACvD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,eAAe;aAChB,CAAC,CAAC;YAGH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAY,CAAC,CAAC;YAClD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC/C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;YAC5D,CAAC;YAGD,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAE/C,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QACvC,CAAC;QAOK,AAAN,KAAK,CAAC,aAAa,CACT,IAAS,EACV,GAAuB,EACF,GAAa;YAGzC,MAAM,gBAAgB,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,QAAQ,CAC5D,mCAAmC,CACpC,CAAC;YACF,MAAM,WAAW,GACf,CAAC,IAAI;gBACL,CAAC,OAAO,IAAI,KAAK,QAAQ;oBACvB,MAAM,CAAC,IAAI,CAAC,IAA+B,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC;YAE/D,IAAI,gBAAgB,IAAI,WAAW,EAAE,CAAC;gBACpC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBACrC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAS,EAAE,EAAE;wBAC1C,IAAI,GAAG,EAAE,CAAC;4BACR,MAAM,CACJ,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAC/D,CAAC;4BACF,OAAO;wBACT,CAAC;wBAGD,KAAK,CAAC,KAAK,IAAI,EAAE;4BACf,IAAI,CAAC;gCAEH,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,GAAG,CAAC,CAAC;gCAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;gCAChE,OAAO,CAAC,MAAM,CAAC,CAAC;4BAClB,CAAC;4BAAC,OAAO,KAAK,EAAE,CAAC;gCACf,MAAM,CACJ,KAAK,YAAY,KAAK;oCACpB,CAAC,CAAC,KAAK;oCACP,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,OAAO,CAAC,CAAC,CACxC,CAAC;4BACJ,CAAC;wBACH,CAAC,CAAC,EAAE,CAAC;oBACP,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;YACL,CAAC;YAGD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACpD,OAAO,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QAED,KAAK,CAAC,oBAAoB,CACxB,UAA+B,EAC/B,GAAuB;YAEvB,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,YAAY,EAAE,aAAa,EAAE,GACpE,UAAU,CAAC;YAGb,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE;oBACvD,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;oBACvC,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;oBACxC,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU;iBACX,CAAC,CAAC;gBACH,MAAM,IAAI,4BAAmB,CAAC,8BAA8B,CAAC,CAAC;YAChE,CAAC;YAED,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,oBAAoB,CAAC,CAAC,CAAC;oBAE1B,MAAM,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CACrD,GAAG,EACH,UAAU,CACX,CAAC;oBACF,OAAO,MAAM,IAAI,CAAC,4BAA4B,CAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,EACpD,OAAO,aAAa,KAAK,QAAQ;wBAC/B,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,EAC/B,OAAO,YAAY,KAAK,QAAQ;wBAC9B,CAAC,CAAC,YAAY;wBACd,CAAC,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAC9B,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD,KAAK,eAAe,CAAC,CAAC,CAAC;oBAErB,IAAI,iBAAgE,CAAC;oBACrE,IAAI,CAAC;wBACH,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;oBACrE,CAAC;oBAAC,MAAM,CAAC;wBAEP,iBAAiB,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;oBACxC,CAAC;oBACD,OAAO,MAAM,IAAI,CAAC,uBAAuB,CACvC,OAAO,aAAa,KAAK,QAAQ;wBAC/B,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,EAC/B,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD;oBACE,MAAM,IAAI,4BAAmB,CAC3B,2BAA2B,UAAU,EAAE,CACxC,CAAC;YACN,CAAC;QACH,CAAC;QAKD,wBAAwB,CACtB,GAAuB,EACvB,IAAS;YAGT,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAGpD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;YAC9C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACrE,OAAO,CACR,CAAC;gBACF,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBAC7D,IAAI,SAAS,EAAE,CAAC;oBACd,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;gBACtC,CAAC;YACH,CAAC;YAGD,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;gBACzB,OAAO;oBACL,SAAS,EAAE,UAAU,CAAC,SAAS;oBAC/B,aAAa,EAAE,UAAU,CAAC,aAAa;iBACxC,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;QAC9D,CAAC;QAKD,4BAA4B,CAC1B,MAAW,EACX,iBAAgE;YAEhE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4BAAmB,CAAC,mBAAmB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,EAAE,0BAA0B,EAAE,GAAG,MAAM,CAAC;YAE9C,QAAQ,0BAA0B,EAAE,CAAC;gBACnC,KAAK,qBAAqB,CAAC;gBAC3B,KAAK,oBAAoB;oBACvB,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBACrC,MAAM,IAAI,4BAAmB,CAC3B,uDAAuD,CACxD,CAAC;oBACJ,CAAC;oBACD,IAAI,MAAM,CAAC,aAAa,KAAK,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBAC7D,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;oBAC9D,CAAC;oBACD,MAAM;gBAER,KAAK,MAAM;oBAET,IAAI,iBAAiB,CAAC,aAAa,EAAE,CAAC;wBACpC,MAAM,IAAI,4BAAmB,CAC3B,8CAA8C,CAC/C,CAAC;oBACJ,CAAC;oBACD,MAAM;gBAER;oBACE,MAAM,IAAI,4BAAmB,CAC3B,sCAAsC,0BAA0B,EAAE,CACnE,CAAC;YACN,CAAC;QACH,CAAC;QAED,KAAK,CAAC,4BAA4B,CAChC,IAAY,EACZ,aAAqB,EACrB,aAAqB,EACrB,iBAAgE;YAEhE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;gBAC1D,IAAI;gBACJ,SAAS,EAAE,iBAAiB,CAAC,SAAS;aACvC,CAAC,CAAC;YAGH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4DAA4D,EAC5D,IAAI,CACL,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,4BAA4B,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrC,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4DAA4D,EAC5D,IAAI,CACL,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,gCAAgC,CAAC,CAAC;YAClE,CAAC;YACD,IAAI,QAAQ,CAAC,SAAS,KAAK,iBAAiB,CAAC,SAAS,EAAE,CAAC;gBACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oDAAoD,EACpD,EAAE,QAAQ,EAAE,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE,iBAAiB,CAAC,SAAS,EAAE,CACnE,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAAC,oBAAoB,CAAC,CAAC;YACtD,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAC/C,iBAAiB,CAAC,SAAS,CAC5B,CAAC;YACF,IAAI,CAAC,4BAA4B,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;YAC7D,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAC/B,aAAa,EACb,QAAQ,CAAC,cAAc,EACvB,QAAQ,CAAC,qBAAqB,CAC/B,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,0DAA0D,CAC3D,CAAC;oBACF,MAAM,IAAI,4BAAmB,CAAC,2BAA2B,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,iEAAiE,CAClE,CAAC;gBACF,MAAM,IAAI,4BAAmB,CAC3B,sDAAsD,CACvD,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,GAAwC,SAAS,CAAC;YAC9D,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CACjD,QAAQ,CAAC,eAAe,CACzB,CAAC;oBACF,IAAI,OAAO,EAAE,CAAC;wBAEZ,QAAQ,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;oBAC5B,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CACnD,QAAQ,CAAC,OAAO,EAChB,iBAAiB,CAAC,SAAS,EAC3B,QAAQ,CAAC,KAAK,EACd,QAAQ,CAAC,QAAQ,EACjB;gBACE,eAAe,EAAE,QAAQ,CAAC,eAAe;gBACzC,SAAS,EAAE,QAAQ;aACpB,CACF,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,+DAA+D,EAC/D,QAAQ,CAAC,OAAO,CACjB,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,KAAK,CAAC,uBAAuB,CAC3B,aAAqB,EACrB,iBAAgE;YAGhE,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;YAClE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3C,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;YACpE,CAAC;YAGD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC;YAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,4BAAmB,CAAC,+BAA+B,CAAC,CAAC;YACjE,CAAC;YAGD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAI5D,IAAI,MAAM,EAAE,0BAA0B,KAAK,MAAM,EAAE,CAAC;gBAClD,IAAI,CAAC,4BAA4B,CAAC,MAAM,EAAE;oBACxC,GAAG,iBAAiB;oBACpB,SAAS,EAAE,QAAQ;iBACpB,CAAC,CAAC;YACL,CAAC;YAGD,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,IAAI,4BAAmB,CAC3B,+DAA+D,CAChE,CAAC;YACJ,CAAC;YAED,IAAI,SAAS,GAAqB,IAAI,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;gBAClE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC3C,MAAM,IAAI,4BAAmB,CAAC,kCAAkC,CAAC,CAAC;gBACpE,CAAC;gBAED,IAAI,QAAQ,GAAwC,SAAS,CAAC;gBAC9D,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;oBAC5B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CACjD,OAAO,CAAC,eAAe,CACxB,CAAC;wBACF,IAAI,OAAO;4BAAE,QAAQ,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;oBACzC,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,yDAAyD,EACzD,CAAC,CACF,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAChD,OAAO,CAAC,GAAG,EACX,QAAQ,EACR,OAAO,CAAC,KAAK,EACb,OAAO,CAAC,QAAQ,EAChB;oBACE,eAAe,EAAE,OAAO,CAAC,eAAe;oBACxC,SAAS,EAAE,QAAQ;iBACpB,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,mDAAmD,EACnD,CAAC,CACF,CAAC;gBACF,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,CAAC,SAAS;gBAAE,MAAM,IAAI,4BAAmB,CAAC,yBAAyB,CAAC,CAAC;YACzE,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,YAAY,CACV,aAAqB,EACrB,cAAsB,EACtB,MAAc;YAEd,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,aAAa,KAAK,cAAc,CAAC;YAC1C,CAAC;iBAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC;qBAC9B,MAAM,CAAC,aAAa,CAAC;qBACrB,MAAM,CAAC,WAAW,CAAC,CAAC;gBACvB,OAAO,IAAI,KAAK,cAAc,CAAC;YACjC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAA;IAhpBC;QATC,WAAW,CACV,SAAS,CAAC,kCAAkC,EAC5C,CAAC,OAAO,EAAE,yCAAyC,CACpD;QACA,cAAc,CACb,cAAc,EACd,kBAAkB,EAClB,CAAC,OAAO,EAAE,yCAAyC,CACpD;;;;0EA4CA;IAYD;QATC,WAAW,CACV,SAAS,CAAC,oCAAoC,EAC9C,CAAC,OAAO,EAAE,2CAA2C,CACtD;QACA,cAAc,CACb,cAAc,EACd,kBAAkB,EAClB,CAAC,OAAO,EAAE,2CAA2C,CACtD;;;;4EA+BA;IAGK;QADL,IAAA,aAAI,EAAC,SAAS,CAAC,QAAQ,CAAC;QACH,WAAA,IAAA,aAAI,GAAE,CAAA;;;;4DAE3B;IAGK;QADL,IAAA,YAAG,EAAC,SAAS,CAAC,SAAS,CAAC;QAEtB,WAAA,IAAA,cAAK,GAAE,CAAA;QACP,WAAA,IAAA,YAAG,GAAE,CAAA;QAEL,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,aAAI,GAAE,CAAA;;;;uDAuER;IAGD;QADC,IAAA,YAAG,EAAC,SAAS,CAAC,QAAQ,CAAC;QAErB,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,aAAI,GAAE,CAAA;;;;oEAwBR;IAqFK;QALL,IAAA,aAAI,EAAC,SAAS,CAAC,KAAK,CAAC;QACrB,IAAA,eAAM,EAAC,cAAc,EAAE,kBAAkB,CAAC;QAC1C,IAAA,eAAM,EAAC,eAAe,EAAE,UAAU,CAAC;QACnC,IAAA,eAAM,EAAC,QAAQ,EAAE,UAAU,CAAC;QAC5B,IAAA,iBAAQ,EAAC,GAAG,CAAC;QAEX,WAAA,IAAA,aAAI,GAAE,CAAA;QACN,WAAA,IAAA,YAAG,GAAE,CAAA;QACL,WAAA,IAAA,YAAG,EAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAA;;;;2DA2C5B;IAncG,kBAAkB;QADvB,IAAA,mBAAU,GAAE;QASR,WAAA,IAAA,eAAM,EACL,YAAY;YACV,CAAC,CAAC,wBAAwB,YAAY,EAAE;YACxC,CAAC,CAAC,sBAAsB,CAC3B,CAAA;QAEA,WAAA,IAAA,eAAM,EAAC,YAAY,CAAC,CAAC,CAAC,eAAe,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;yDAE3C,mCAAe;YACjB,8BAAa;YACN,6CAAoB;OAlBjD,kBAAkB,CAywBvB;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC","sourcesContent":["import {\n BadRequestException,\n Body,\n Controller,\n Get,\n Header,\n HttpCode,\n Inject,\n Logger,\n Next,\n Post,\n Query,\n Req,\n Res,\n} from '@nestjs/common';\nimport { createHash, randomBytes } from 'crypto';\nimport type {\n Request as ExpressRequest,\n NextFunction,\n Response,\n} from 'express';\nimport passport from 'passport';\nimport { normalizeEndpoint } from '../mcp/utils/normalize-endpoint';\nimport type {\n OAuthEndpointConfiguration,\n OAuthModuleOptions,\n OAuthSession,\n OAuthUserProfile,\n} from './providers/oauth-provider.interface';\nimport { ClientService } from './services/client.service';\nimport { JwtTokenService, TokenPair } from './services/jwt-token.service';\nimport { OAuthStrategyService } from './services/oauth-strategy.service';\nimport type { IOAuthStore } from './stores/oauth-store.interface';\n\ninterface OAuthCallbackRequest extends ExpressRequest {\n user?: {\n profile: OAuthUserProfile;\n accessToken: string;\n provider: string;\n };\n}\n\n// Add this interface to properly type the Express request with raw body\ninterface RequestWithRawBody extends ExpressRequest {\n rawBody?: Buffer;\n textBody?: string;\n}\n\nexport function createMcpOAuthController(\n endpoints: OAuthEndpointConfiguration = {},\n options?: {\n disableWellKnownProtectedResourceMetadata?: boolean;\n disableWellKnownAuthorizationServerMetadata?: boolean;\n },\n authModuleId?: string,\n) {\n // Optional decorator helpers\n const OptionalGet = (\n path: string | string[] | undefined,\n enabled: boolean,\n ): MethodDecorator => {\n return enabled && path\n ? (Get as unknown as (p?: any) => MethodDecorator)(path)\n : ((() => {}) as unknown as MethodDecorator);\n };\n const OptionalHeader = (\n name: string,\n value: string,\n enabled: boolean,\n ): MethodDecorator => {\n return enabled\n ? (Header as unknown as (n: string, v: string) => MethodDecorator)(\n name,\n value,\n )\n : ((() => {}) as unknown as MethodDecorator);\n };\n\n @Controller()\n class McpOAuthController {\n readonly logger = new Logger(McpOAuthController.name);\n readonly serverUrl: string;\n readonly isProduction: boolean;\n readonly options: OAuthModuleOptions;\n readonly strategyName: string;\n\n constructor(\n @Inject(\n authModuleId\n ? `OAUTH_MODULE_OPTIONS_${authModuleId}`\n : 'OAUTH_MODULE_OPTIONS',\n )\n options: OAuthModuleOptions,\n @Inject(authModuleId ? `IOAuthStore_${authModuleId}` : 'IOAuthStore')\n readonly store: IOAuthStore,\n readonly jwtTokenService: JwtTokenService,\n readonly clientService: ClientService,\n readonly oauthStrategyService: OAuthStrategyService,\n ) {\n this.serverUrl = options.serverUrl;\n this.isProduction = options.cookieSecure;\n this.options = options;\n this.strategyName = oauthStrategyService.getStrategyName();\n }\n\n /**\n * Utility function to parse form-encoded or JSON bodies\n * Handles both string (raw form data) and object bodies\n */\n parseRequestBody(body: any, req?: RequestWithRawBody): Record<string, any> {\n // If body is already a parsed object with properties, return it\n if (body && typeof body === 'object' && Object.keys(body).length > 0) {\n return body;\n }\n\n // If body is a string (raw form data), parse it\n if (typeof body === 'string' && body.length > 0) {\n const params = new URLSearchParams(body);\n const parsedBody: Record<string, any> = {};\n for (const [key, value] of params.entries()) {\n parsedBody[key] = value;\n }\n return parsedBody;\n }\n\n // Check if we have a text body stored on the request (from our middleware)\n if (req?.textBody) {\n const params = new URLSearchParams(req.textBody);\n const parsedBody: Record<string, any> = {};\n for (const [key, value] of params.entries()) {\n parsedBody[key] = value;\n }\n return parsedBody;\n }\n\n // Check if we have a raw body buffer stored on the request\n if (req?.rawBody) {\n const bodyString = req.rawBody.toString('utf-8');\n if (bodyString) {\n const params = new URLSearchParams(bodyString);\n const parsedBody: Record<string, any> = {};\n for (const [key, value] of params.entries()) {\n parsedBody[key] = value;\n }\n return parsedBody;\n }\n }\n\n // Return empty object if no valid body\n return {};\n }\n\n /**\n * Middleware to capture raw body for form-encoded requests\n * This is needed when bodyParser is disabled in the main app\n */\n captureRawBody(req: RequestWithRawBody, res: Response, next: NextFunction) {\n if (\n req.headers['content-type']?.includes(\n 'application/x-www-form-urlencoded',\n )\n ) {\n let rawBody = '';\n\n req.on('data', (chunk: Buffer) => {\n rawBody += chunk.toString('utf-8');\n });\n\n req.on('end', () => {\n req.textBody = rawBody;\n // Also parse and set it as body for NestJS\n if (rawBody) {\n const params = new URLSearchParams(rawBody);\n const parsedBody: any = {};\n for (const [key, value] of params.entries()) {\n parsedBody[key] = value;\n }\n (req as any).body = parsedBody;\n }\n next();\n });\n\n req.on('error', (err) => {\n this.logger.error('Error reading request body:', err);\n next(err);\n });\n } else {\n next();\n }\n }\n\n @OptionalGet(\n endpoints.wellKnownProtectedResourceMetadata,\n !options?.disableWellKnownProtectedResourceMetadata,\n )\n @OptionalHeader(\n 'content-type',\n 'application/json',\n !options?.disableWellKnownProtectedResourceMetadata,\n )\n getProtectedResourceMetadata() {\n // The issuer URL of your authorization server.\n const authorizationServerIssuer = this.options.jwtIssuer;\n\n // The canonical URI of the MCP server resource itself.\n const resourceIdentifier = this.options.resource;\n\n const metadata = {\n /**\n * REQUIRED by MCP Spec.\n * A list of authorization server issuer URLs that can issue tokens for this resource.\n */\n authorization_servers: [authorizationServerIssuer],\n\n /**\n * RECOMMENDED by RFC 9728.\n * The identifier for this resource server.\n */\n resource: resourceIdentifier,\n\n /**\n * RECOMMENDED by RFC 9728.\n * A list of scopes that this resource server understands.\n */\n scopes_supported:\n this.options.protectedResourceMetadata.scopesSupported,\n\n /**\n * RECOMMENDED by RFC 9728.\n * A list of methods clients can use to present the access token.\n */\n bearer_methods_supported:\n this.options.protectedResourceMetadata.bearerMethodsSupported,\n\n /**\n * OPTIONAL but helpful custom metadata.\n * Declares which version of the MCP spec this server supports.\n */\n mcp_versions_supported:\n this.options.protectedResourceMetadata.mcpVersionsSupported,\n };\n\n return metadata;\n }\n\n // OAuth endpoints\n @OptionalGet(\n endpoints.wellKnownAuthorizationServerMetadata,\n !options?.disableWellKnownAuthorizationServerMetadata,\n )\n @OptionalHeader(\n 'content-type',\n 'application/json',\n !options?.disableWellKnownAuthorizationServerMetadata,\n )\n getAuthorizationServerMetadata() {\n return {\n issuer: this.serverUrl,\n authorization_endpoint: normalizeEndpoint(\n `${this.serverUrl}/${endpoints.authorize}`,\n ),\n token_endpoint: normalizeEndpoint(\n `${this.serverUrl}/${endpoints.token}`,\n ),\n registration_endpoint: normalizeEndpoint(\n `${this.serverUrl}/${endpoints.register}`,\n ),\n response_types_supported:\n this.options.authorizationServerMetadata.responseTypesSupported,\n response_modes_supported:\n this.options.authorizationServerMetadata.responseModesSupported,\n grant_types_supported:\n this.options.authorizationServerMetadata.grantTypesSupported,\n token_endpoint_auth_methods_supported:\n this.options.authorizationServerMetadata\n .tokenEndpointAuthMethodsSupported,\n scopes_supported:\n this.options.authorizationServerMetadata.scopesSupported,\n revocation_endpoint: normalizeEndpoint(\n `${this.serverUrl}/${endpoints?.revoke}`,\n ),\n code_challenge_methods_supported:\n this.options.authorizationServerMetadata\n .codeChallengeMethodsSupported,\n };\n }\n\n @Post(endpoints.register)\n async registerClient(@Body() registrationDto: any) {\n return await this.clientService.registerClient(registrationDto);\n }\n\n @Get(endpoints.authorize)\n async authorize(\n @Query() query: any,\n @Req()\n req: any,\n @Res() res: Response,\n @Next() next: NextFunction,\n ) {\n const {\n response_type,\n client_id,\n redirect_uri,\n code_challenge,\n code_challenge_method,\n state,\n scope,\n } = query;\n const resource = this.options.resource;\n if (response_type !== 'code') {\n throw new BadRequestException('Only response_type=code is supported');\n }\n\n if (!client_id) {\n throw new BadRequestException('Missing required parameters');\n }\n\n // Validate client and redirect URI\n const client = await this.clientService.getClient(client_id);\n if (!client) {\n throw new BadRequestException('Invalid client_id');\n }\n\n const validRedirect = await this.clientService.validateRedirectUri(\n client_id,\n redirect_uri,\n );\n if (!validRedirect) {\n throw new BadRequestException('Invalid redirect_uri');\n }\n\n // Create OAuth session\n const sessionId = randomBytes(32).toString('base64url');\n const sessionState = randomBytes(32).toString('base64url');\n\n const oauthSession: OAuthSession = {\n sessionId,\n state: sessionState,\n clientId: client_id,\n redirectUri: redirect_uri,\n codeChallenge: code_challenge,\n codeChallengeMethod: code_challenge_method || 'plain',\n oauthState: state,\n scope: scope,\n resource,\n expiresAt: Date.now() + this.options.oauthSessionExpiresIn,\n };\n\n await this.store.storeOAuthSession(sessionId, oauthSession);\n\n // Set session cookie\n res.cookie('oauth_session', sessionId, {\n httpOnly: true,\n secure: this.isProduction,\n maxAge: this.options.oauthSessionExpiresIn,\n });\n\n // Store state for passport\n res.cookie('oauth_state', sessionState, {\n httpOnly: true,\n secure: this.isProduction,\n maxAge: this.options.oauthSessionExpiresIn,\n });\n\n // Redirect to the provider's auth endpoint\n passport.authenticate(this.strategyName, {\n state: req.cookies?.oauth_state,\n })(req, res, next);\n }\n\n @Get(endpoints.callback)\n handleProviderCallback(\n @Req() req: OAuthCallbackRequest,\n @Res() res: Response,\n @Next() next: NextFunction,\n ) {\n // Use a custom callback to handle the authentication result\n passport.authenticate(\n this.strategyName,\n { session: false },\n async (err: any, user: any) => {\n try {\n if (err) {\n this.logger.error('OAuth callback error:', err);\n throw new BadRequestException('Authentication failed');\n }\n\n if (!user) {\n throw new BadRequestException('Authentication failed');\n }\n\n req.user = user;\n await this.processAuthenticationSuccess(req, res);\n } catch (error) {\n next(error);\n }\n },\n )(req, res, next);\n }\n\n async processAuthenticationSuccess(\n req: OAuthCallbackRequest,\n res: Response,\n ) {\n const user = req.user;\n if (!user) {\n throw new BadRequestException('Authentication failed');\n }\n\n const sessionId = req.cookies?.oauth_session;\n if (!sessionId) {\n throw new BadRequestException('Missing OAuth session');\n }\n\n const session = await this.store.getOAuthSession(sessionId);\n if (!session) {\n throw new BadRequestException('Invalid or expired OAuth session');\n }\n\n // Verify state\n const stateFromCookie = req.cookies?.oauth_state;\n if (session.state !== stateFromCookie) {\n throw new BadRequestException('Invalid state parameter');\n }\n\n // Generate JWT for UI access\n const jwt = this.jwtTokenService.generateUserToken(\n user.profile.username,\n user.profile,\n );\n\n // Set JWT token as cookie for UI endpoints\n res.cookie('auth_token', jwt, {\n httpOnly: true,\n secure: this.isProduction,\n maxAge: this.options.cookieMaxAge,\n });\n\n // Clear temporary cookies\n res.clearCookie('oauth_session');\n res.clearCookie('oauth_state');\n\n // Persist user profile and get stable profile_id\n const user_profile_id = await this.store.upsertUserProfile(\n user.profile,\n user.provider,\n );\n\n // Generate authorization code\n const authCode = randomBytes(32).toString('base64url');\n\n // Store the auth code\n await this.store.storeAuthCode({\n code: authCode,\n user_id: user.profile.username,\n client_id: session.clientId!,\n redirect_uri: session.redirectUri!,\n code_challenge: session.codeChallenge!,\n code_challenge_method: session.codeChallengeMethod!,\n expires_at: Date.now() + this.options.authCodeExpiresIn,\n resource: session.resource,\n scope: session.scope,\n user_profile_id,\n });\n\n // Build redirect URL with authorization code\n const redirectUrl = new URL(session.redirectUri!);\n redirectUrl.searchParams.set('code', authCode);\n if (session.oauthState) {\n redirectUrl.searchParams.set('state', session.oauthState);\n }\n\n // Clean up session\n await this.store.removeOAuthSession(sessionId);\n\n res.redirect(redirectUrl.toString());\n }\n\n @Post(endpoints.token)\n @Header('content-type', 'application/json')\n @Header('Cache-Control', 'no-store')\n @Header('Pragma', 'no-cache')\n @HttpCode(200)\n async exchangeToken(\n @Body() body: any,\n @Req() req: RequestWithRawBody,\n @Res({ passthrough: true }) res: Response,\n ): Promise<TokenPair> {\n // Apply middleware to capture raw body if needed\n const isFormUrlEncoded = req.headers['content-type']?.includes(\n 'application/x-www-form-urlencoded',\n );\n const isBodyEmpty =\n !body ||\n (typeof body === 'object' &&\n Object.keys(body as Record<string, unknown>).length === 0);\n\n if (isFormUrlEncoded && isBodyEmpty) {\n return new Promise((resolve, reject) => {\n this.captureRawBody(req, res, (err?: any) => {\n if (err) {\n reject(\n err instanceof Error ? err : new Error(String(err ?? 'error')),\n );\n return;\n }\n\n // Avoid returning a Promise from the callback; use an IIFE\n void (async () => {\n try {\n // Re-parse the body after middleware has captured it\n const parsedBody = this.parseRequestBody(req.body || body, req);\n const result = await this.processTokenExchange(parsedBody, req);\n resolve(result);\n } catch (error) {\n reject(\n error instanceof Error\n ? error\n : new Error(String(error ?? 'error')),\n );\n }\n })();\n });\n });\n }\n\n // Body is already parsed, process directly\n const parsedBody = this.parseRequestBody(body, req);\n return this.processTokenExchange(parsedBody, req);\n }\n\n async processTokenExchange(\n parsedBody: Record<string, any>,\n req: RequestWithRawBody,\n ): Promise<TokenPair> {\n const { grant_type, code, code_verifier, redirect_uri, refresh_token } =\n parsedBody;\n\n // Add debugging to help identify issues\n if (!grant_type) {\n this.logger.error('Missing grant_type in request body:', {\n parsedBodyKeys: Object.keys(parsedBody),\n contentType: req.headers['content-type'],\n textBody: req.textBody,\n parsedBody,\n });\n throw new BadRequestException('Missing grant_type parameter');\n }\n\n switch (grant_type) {\n case 'authorization_code': {\n // Extract client credentials based on authentication method\n const clientCredentials = this.extractClientCredentials(\n req,\n parsedBody,\n );\n return await this.handleAuthorizationCodeGrant(\n typeof code === 'string' ? code : String(code ?? ''),\n typeof code_verifier === 'string'\n ? code_verifier\n : String(code_verifier ?? ''),\n typeof redirect_uri === 'string'\n ? redirect_uri\n : String(redirect_uri ?? ''),\n clientCredentials,\n );\n }\n case 'refresh_token': {\n // For refresh tokens, try to extract client credentials, but allow fallback to token-based extraction\n let clientCredentials: { client_id: string; client_secret?: string };\n try {\n clientCredentials = this.extractClientCredentials(req, parsedBody);\n } catch {\n // If we can't extract credentials, we'll try to get them from the refresh token\n clientCredentials = { client_id: '' }; // Will be filled from token\n }\n return await this.handleRefreshTokenGrant(\n typeof refresh_token === 'string'\n ? refresh_token\n : String(refresh_token ?? ''),\n clientCredentials,\n );\n }\n default:\n throw new BadRequestException(\n `Unsupported grant_type: ${grant_type}`,\n );\n }\n }\n\n /**\n * Extract client credentials from request based on authentication method\n */\n extractClientCredentials(\n req: RequestWithRawBody,\n body: any,\n ): { client_id: string; client_secret?: string } {\n // Parse the body using the shared utility function\n const parsedBody = this.parseRequestBody(body, req);\n\n // Try client_secret_basic first (Authorization header)\n const authHeader = req.headers?.authorization;\n if (authHeader && authHeader.startsWith('Basic ')) {\n const credentials = Buffer.from(authHeader.slice(6), 'base64').toString(\n 'utf-8',\n );\n const [client_id, client_secret] = credentials.split(':', 2);\n if (client_id) {\n return { client_id, client_secret };\n }\n }\n\n // Try client_secret_post (body parameters)\n if (parsedBody.client_id) {\n return {\n client_id: parsedBody.client_id,\n client_secret: parsedBody.client_secret,\n };\n }\n\n throw new BadRequestException('Missing client credentials');\n }\n\n /**\n * Validate client authentication based on the client's configured method\n */\n validateClientAuthentication(\n client: any,\n clientCredentials: { client_id: string; client_secret?: string },\n ): void {\n if (!client) {\n throw new BadRequestException('Invalid client_id');\n }\n\n const { token_endpoint_auth_method } = client;\n\n switch (token_endpoint_auth_method) {\n case 'client_secret_basic':\n case 'client_secret_post':\n if (!clientCredentials.client_secret) {\n throw new BadRequestException(\n 'Client secret required for this authentication method',\n );\n }\n if (client.client_secret !== clientCredentials.client_secret) {\n throw new BadRequestException('Invalid client credentials');\n }\n break;\n\n case 'none':\n // Public client - no secret required\n if (clientCredentials.client_secret) {\n throw new BadRequestException(\n 'Client secret not allowed for public clients',\n );\n }\n break;\n\n default:\n throw new BadRequestException(\n `Unsupported authentication method: ${token_endpoint_auth_method}`,\n );\n }\n }\n\n async handleAuthorizationCodeGrant(\n code: string,\n code_verifier: string,\n _redirect_uri: string,\n clientCredentials: { client_id: string; client_secret?: string },\n ): Promise<TokenPair> {\n this.logger.debug('handleAuthorizationCodeGrant - Params:', {\n code,\n client_id: clientCredentials.client_id,\n });\n\n // Get and validate the authorization code\n const authCode = await this.store.getAuthCode(code);\n if (!authCode) {\n this.logger.error(\n 'handleAuthorizationCodeGrant - Invalid authorization code:',\n code,\n );\n throw new BadRequestException('Invalid authorization code');\n }\n if (authCode.expires_at < Date.now()) {\n await this.store.removeAuthCode(code);\n this.logger.error(\n 'handleAuthorizationCodeGrant - Authorization code expired:',\n code,\n );\n throw new BadRequestException('Authorization code has expired');\n }\n if (authCode.client_id !== clientCredentials.client_id) {\n this.logger.error(\n 'handleAuthorizationCodeGrant - Client ID mismatch:',\n { expected: authCode.client_id, got: clientCredentials.client_id },\n );\n throw new BadRequestException('Client ID mismatch');\n }\n\n // Get client and validate authentication\n const client = await this.clientService.getClient(\n clientCredentials.client_id,\n );\n this.validateClientAuthentication(client, clientCredentials);\n if (authCode.code_challenge) {\n const isValid = this.validatePKCE(\n code_verifier,\n authCode.code_challenge,\n authCode.code_challenge_method,\n );\n if (!isValid) {\n this.logger.error(\n 'handleAuthorizationCodeGrant - Invalid PKCE verification',\n );\n throw new BadRequestException('Invalid PKCE verification');\n }\n }\n if (!authCode.resource) {\n this.logger.error(\n 'handleAuthorizationCodeGrant - No resource associated with code',\n );\n throw new BadRequestException(\n 'Authorization code is not associated with a resource',\n );\n }\n\n let userData: Record<string, unknown> | undefined = undefined;\n if (authCode.user_profile_id) {\n try {\n const profile = await this.store.getUserProfileById(\n authCode.user_profile_id,\n );\n if (profile) {\n // Avoid circular/large raw payloads if present\n userData = { ...profile };\n }\n } catch (e) {\n this.logger.warn('Failed to load user profile for token payload', e);\n }\n }\n\n const tokens = this.jwtTokenService.generateTokenPair(\n authCode.user_id,\n clientCredentials.client_id,\n authCode.scope,\n authCode.resource,\n {\n user_profile_id: authCode.user_profile_id,\n user_data: userData,\n },\n );\n await this.store.removeAuthCode(code);\n this.logger.debug(\n 'handleAuthorizationCodeGrant - Token pair generated for user:',\n authCode.user_id,\n );\n return tokens;\n }\n\n async handleRefreshTokenGrant(\n refresh_token: string,\n clientCredentials: { client_id: string; client_secret?: string },\n ): Promise<TokenPair> {\n // Verify the refresh token first to get client_id from token if not provided\n const payload = this.jwtTokenService.validateToken(refresh_token);\n if (!payload || payload.type !== 'refresh') {\n throw new BadRequestException('Invalid or expired refresh token');\n }\n\n // Use client_id from token if not provided in credentials\n const clientId = clientCredentials.client_id || payload.client_id;\n if (!clientId) {\n throw new BadRequestException('Unable to determine client_id');\n }\n\n // Get client and validate authentication\n const client = await this.clientService.getClient(clientId);\n\n // For refresh token grants, we can be more lenient with client authentication\n // if the token already contains the client_id and the client is public\n if (client?.token_endpoint_auth_method !== 'none') {\n this.validateClientAuthentication(client, {\n ...clientCredentials,\n client_id: clientId,\n });\n }\n\n // Verify the refresh token belongs to the client\n if (payload.client_id !== clientId) {\n throw new BadRequestException(\n 'Invalid refresh token or token does not belong to this client',\n );\n }\n\n let newTokens: TokenPair | null = null;\n try {\n const payload = this.jwtTokenService.validateToken(refresh_token);\n if (!payload || payload.type !== 'refresh') {\n throw new BadRequestException('Invalid or expired refresh token');\n }\n\n let userData: Record<string, unknown> | undefined = undefined;\n if (payload.user_profile_id) {\n try {\n const profile = await this.store.getUserProfileById(\n payload.user_profile_id,\n );\n if (profile) userData = { ...profile };\n } catch (e) {\n this.logger.warn(\n 'Failed to load user profile for refreshed token payload',\n e,\n );\n }\n }\n\n newTokens = this.jwtTokenService.generateTokenPair(\n payload.sub,\n clientId,\n payload.scope,\n payload.resource,\n {\n user_profile_id: payload.user_profile_id,\n user_data: userData,\n },\n );\n } catch (e) {\n this.logger.warn(\n 'Refresh flow failed using enriched path, fallback',\n e,\n );\n newTokens = this.jwtTokenService.refreshAccessToken(refresh_token);\n }\n\n if (!newTokens) throw new BadRequestException('Failed to refresh token');\n return newTokens;\n }\n\n validatePKCE(\n code_verifier: string,\n code_challenge: string,\n method: string,\n ): boolean {\n if (method === 'plain') {\n return code_verifier === code_challenge;\n } else if (method === 'S256') {\n const hash = createHash('sha256')\n .update(code_verifier)\n .digest('base64url');\n return hash === code_challenge;\n }\n return false;\n }\n }\n\n return McpOAuthController;\n}\n"]}
|