@sentropic/h2a-cli 0.33.0 → 0.39.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/runtime/mcp-http/app.d.ts +21 -0
- package/dist/runtime/mcp-http/app.d.ts.map +1 -1
- package/dist/runtime/mcp-http/app.js +75 -3
- package/dist/runtime/mcp-http/app.js.map +1 -1
- package/dist/runtime/mcp-http/index.d.ts +3 -0
- package/dist/runtime/mcp-http/index.d.ts.map +1 -1
- package/dist/runtime/mcp-http/index.js +3 -0
- package/dist/runtime/mcp-http/index.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/broker-login.d.ts +50 -0
- package/dist/runtime/mcp-http/oauth/broker-login.d.ts.map +1 -0
- package/dist/runtime/mcp-http/oauth/broker-login.js +41 -0
- package/dist/runtime/mcp-http/oauth/broker-login.js.map +1 -0
- package/dist/runtime/mcp-http/oauth/broker-routes.d.ts +29 -0
- package/dist/runtime/mcp-http/oauth/broker-routes.d.ts.map +1 -0
- package/dist/runtime/mcp-http/oauth/broker-routes.js +46 -0
- package/dist/runtime/mcp-http/oauth/broker-routes.js.map +1 -0
- package/dist/runtime/mcp-http/oauth/config.d.ts +13 -0
- package/dist/runtime/mcp-http/oauth/config.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/config.js +29 -1
- package/dist/runtime/mcp-http/oauth/config.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/crypto.d.ts +9 -0
- package/dist/runtime/mcp-http/oauth/crypto.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/crypto.js +10 -0
- package/dist/runtime/mcp-http/oauth/crypto.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/file-store.d.ts +8 -0
- package/dist/runtime/mcp-http/oauth/file-store.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/file-store.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.d.ts +2 -0
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.js +16 -7
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/tenancy.d.ts +3 -0
- package/dist/runtime/mcp-http/oauth/tenancy.d.ts.map +1 -0
- package/dist/runtime/mcp-http/oauth/tenancy.js +18 -0
- package/dist/runtime/mcp-http/oauth/tenancy.js.map +1 -0
- package/dist/runtime/mcp-http/serve.d.ts +8 -0
- package/dist/runtime/mcp-http/serve.d.ts.map +1 -1
- package/dist/runtime/mcp-http/serve.js +46 -2
- package/dist/runtime/mcp-http/serve.js.map +1 -1
- package/package.json +2 -2
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { Hono } from "hono";
|
|
2
2
|
import type { McpServer } from "../mcp/server.js";
|
|
3
|
+
import type { BrokerLogin } from "./oauth/broker-login.js";
|
|
3
4
|
import { type H2AHostedOAuthConfig } from "./oauth/config.js";
|
|
4
5
|
import type { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
|
|
5
6
|
export interface HostedAppDeps {
|
|
@@ -7,6 +8,26 @@ export interface HostedAppDeps {
|
|
|
7
8
|
oauthConfig: H2AHostedOAuthConfig;
|
|
8
9
|
/** The in-process h2a MCP dispatch (createMcpServer) — its read-only tools are exposed. */
|
|
9
10
|
h2aMcpServer: McpServer;
|
|
11
|
+
/**
|
|
12
|
+
* EVO-12 P2 (mode 3): when `oauthConfig.brokerMode`, the broker login (built
|
|
13
|
+
* from `oauthConfig.upstream`). Its /authorize delegates the user login to
|
|
14
|
+
* 39-auth instead of the consent secret. Omit for single-tenant.
|
|
15
|
+
*/
|
|
16
|
+
brokerLogin?: BrokerLogin;
|
|
17
|
+
/**
|
|
18
|
+
* EVO-12 P2 (mode 3, multi-tenant): per-user /mcp serving. When present AND
|
|
19
|
+
* `oauthConfig.brokerMode`, the /mcp handler derives each request's tenant
|
|
20
|
+
* root from the access token's `sub` (rootForSub(baseRoot, sub)) and serves
|
|
21
|
+
* that tenant's h2a dispatch — instead of the single `h2aMcpServer`. Underlying
|
|
22
|
+
* servers are cached per root; a session is pinned to the tenant that opened
|
|
23
|
+
* it (a token for another tenant cannot reuse it). `h2aMcpServer` remains the
|
|
24
|
+
* fallback for any non-broker path.
|
|
25
|
+
*/
|
|
26
|
+
tenancy?: {
|
|
27
|
+
baseRoot: string;
|
|
28
|
+
/** Build the in-process h2a dispatch rooted at `root` (e.g. createMcpServer({ root })). */
|
|
29
|
+
createServer: (root: string) => McpServer;
|
|
30
|
+
};
|
|
10
31
|
}
|
|
11
32
|
export declare function createHostedApp(deps: HostedAppDeps): Hono;
|
|
12
33
|
//# sourceMappingURL=app.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAQA,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEtF,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;
|
|
1
|
+
{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAQA,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEtF,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAGnF,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,yBAAyB,CAAC;IACzC,WAAW,EAAE,oBAAoB,CAAC;IAClC,2FAA2F;IAC3F,YAAY,EAAE,SAAS,CAAC;IACxB;;;;OAIG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE;QACR,QAAQ,EAAE,MAAM,CAAC;QACjB,2FAA2F;QAC3F,YAAY,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC;KAC3C,CAAC;CACH;AAQD,wBAAgB,eAAe,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,CAmIzD"}
|
|
@@ -8,13 +8,42 @@ import { StreamableHTTPTransport } from "@hono/mcp";
|
|
|
8
8
|
import { bearerAuth } from "@hono/mcp/auth";
|
|
9
9
|
import { Hono } from "hono";
|
|
10
10
|
import { buildHostedMcpServer } from "./hosted-mcp-server.js";
|
|
11
|
+
import { buildBrokerRoutes } from "./oauth/broker-routes.js";
|
|
11
12
|
import { H2A_HOSTED_OAUTH_SCOPE } from "./oauth/config.js";
|
|
12
13
|
import { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
|
|
14
|
+
import { rootForSub } from "./oauth/tenancy.js";
|
|
13
15
|
export function createHostedApp(deps) {
|
|
14
16
|
const app = new Hono();
|
|
15
17
|
const wwwAuthenticateHeader = `Bearer error="Unauthorized", error_description="Unauthorized", resource_metadata="${deps.oauthConfig.resourceMetadataUrl}"`;
|
|
16
18
|
app.get("/healthz", (c) => c.json({ ok: true }));
|
|
17
19
|
app.get("/readyz", (c) => c.json({ ok: true }));
|
|
20
|
+
// EVO-12 P2 (mode 3): in broker mode, the broker's /authorize + /oidc/callback
|
|
21
|
+
// are registered FIRST (Hono first-match wins) so /authorize delegates to
|
|
22
|
+
// 39-auth; /token, /register, well-known still fall through to buildOAuthRoutes.
|
|
23
|
+
if (deps.oauthConfig.brokerMode && deps.brokerLogin) {
|
|
24
|
+
app.route("/", buildBrokerRoutes({
|
|
25
|
+
brokerLogin: deps.brokerLogin,
|
|
26
|
+
issueClaudeaiCode: async (claudeai, ctx) => {
|
|
27
|
+
const client = await deps.oauthProvider.clientsStore.getClient(claudeai.client_id);
|
|
28
|
+
if (!client)
|
|
29
|
+
throw new Error("unknown client_id");
|
|
30
|
+
// Bind the 39-auth subject to the issued code: it rides code→token so
|
|
31
|
+
// verifyAccessToken restores it and /mcp serves rootForSub(base, sub).
|
|
32
|
+
const code = await deps.oauthProvider.issueAuthorizationCode(client, {
|
|
33
|
+
redirectUri: claudeai.redirect_uri,
|
|
34
|
+
codeChallenge: claudeai.code_challenge ?? "",
|
|
35
|
+
scopes: [H2A_HOSTED_OAUTH_SCOPE],
|
|
36
|
+
...(claudeai.state ? { state: claudeai.state } : {}),
|
|
37
|
+
...(ctx.sub ? { sub: ctx.sub } : {})
|
|
38
|
+
});
|
|
39
|
+
const redirect = new URL(claudeai.redirect_uri);
|
|
40
|
+
redirect.searchParams.set("code", code);
|
|
41
|
+
if (claudeai.state)
|
|
42
|
+
redirect.searchParams.set("state", claudeai.state);
|
|
43
|
+
return redirect.href;
|
|
44
|
+
}
|
|
45
|
+
}));
|
|
46
|
+
}
|
|
18
47
|
// OAuth AS + protected-resource metadata (unauthenticated) at the root.
|
|
19
48
|
app.route("/", buildOAuthRoutes(deps.oauthProvider, deps.oauthConfig));
|
|
20
49
|
// Bearer gate for /mcp: valid access token AND the read-only scope.
|
|
@@ -32,9 +61,50 @@ export function createHostedApp(deps) {
|
|
|
32
61
|
invalidAuthenticationHeader: { wwwAuthenticateHeader: () => wwwAuthenticateHeader }
|
|
33
62
|
});
|
|
34
63
|
const sessions = new Map();
|
|
64
|
+
// EVO-12 P2 (mode 3): per-tenant h2a dispatch, cached by root. The underlying
|
|
65
|
+
// server is reused across sessions/requests of the same tenant; the hosted
|
|
66
|
+
// read-only wrapper is still built per session.
|
|
67
|
+
const multiTenant = Boolean(deps.oauthConfig.brokerMode && deps.tenancy);
|
|
68
|
+
const tenantServers = new Map();
|
|
69
|
+
const tenantServerFor = (root) => {
|
|
70
|
+
let server = tenantServers.get(root);
|
|
71
|
+
if (!server) {
|
|
72
|
+
server = deps.tenancy.createServer(root);
|
|
73
|
+
tenantServers.set(root, server);
|
|
74
|
+
}
|
|
75
|
+
return server;
|
|
76
|
+
};
|
|
77
|
+
/**
|
|
78
|
+
* Resolve the tenant root for a request from its (already bearer-validated)
|
|
79
|
+
* access token. Returns undefined in single-tenant mode. Throws if a broker
|
|
80
|
+
* token carries no `sub` (it is not bound to any tenant → forbidden).
|
|
81
|
+
*/
|
|
82
|
+
const resolveTenantRoot = async (c) => {
|
|
83
|
+
if (!multiTenant)
|
|
84
|
+
return undefined;
|
|
85
|
+
const header = c.req.header("authorization") ?? "";
|
|
86
|
+
const token = header.startsWith("Bearer ") ? header.slice("Bearer ".length) : "";
|
|
87
|
+
const info = await deps.oauthProvider.verifyAccessToken(token);
|
|
88
|
+
const sub = typeof info.extra?.sub === "string" ? info.extra.sub : undefined;
|
|
89
|
+
if (!sub)
|
|
90
|
+
throw new Error("access token is not bound to a tenant");
|
|
91
|
+
return rootForSub(deps.tenancy.baseRoot, sub);
|
|
92
|
+
};
|
|
93
|
+
const forbidden = (c) => c.json({ error: "access_denied", error_description: "token is not bound to this tenant" }, 403);
|
|
35
94
|
const mcpHandler = async (c) => {
|
|
95
|
+
let tenantRoot;
|
|
96
|
+
try {
|
|
97
|
+
tenantRoot = await resolveTenantRoot(c);
|
|
98
|
+
}
|
|
99
|
+
catch {
|
|
100
|
+
return forbidden(c);
|
|
101
|
+
}
|
|
36
102
|
const requestedSessionId = c.req.header("mcp-session-id");
|
|
37
103
|
let session = requestedSessionId ? sessions.get(requestedSessionId) : undefined;
|
|
104
|
+
// A session is pinned to the tenant that opened it: a token for another
|
|
105
|
+
// tenant must not be able to reuse it.
|
|
106
|
+
if (session && session.tenantRoot !== tenantRoot)
|
|
107
|
+
return forbidden(c);
|
|
38
108
|
if (!session) {
|
|
39
109
|
let created;
|
|
40
110
|
const transport = new StreamableHTTPTransport({
|
|
@@ -48,9 +118,11 @@ export function createHostedApp(deps) {
|
|
|
48
118
|
sessions.delete(sessionId);
|
|
49
119
|
}
|
|
50
120
|
});
|
|
51
|
-
created = { transport };
|
|
52
|
-
// One SDK server per session, exposing ONLY the read-only allowlist
|
|
53
|
-
|
|
121
|
+
created = { transport, ...(tenantRoot !== undefined && { tenantRoot }) };
|
|
122
|
+
// One SDK server per session, exposing ONLY the read-only allowlist —
|
|
123
|
+
// backed by the tenant's root in multi-tenant mode, else the single server.
|
|
124
|
+
const base = tenantRoot !== undefined ? tenantServerFor(tenantRoot) : deps.h2aMcpServer;
|
|
125
|
+
const server = buildHostedMcpServer(base);
|
|
54
126
|
await server.connect(transport);
|
|
55
127
|
session = created;
|
|
56
128
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,sBAAsB,EAA6B,MAAM,mBAAmB,CAAC;AACtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAEhE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAmChD,MAAM,UAAU,eAAe,CAAC,IAAmB;IACjD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,qBAAqB,GAAG,qFAAqF,IAAI,CAAC,WAAW,CAAC,mBAAmB,GAAG,CAAC;IAE3J,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEhD,+EAA+E;IAC/E,0EAA0E;IAC1E,iFAAiF;IACjF,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,GAAG,CAAC,KAAK,CACP,GAAG,EACH,iBAAiB,CAAC;YAChB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,iBAAiB,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE;gBACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;gBACnF,IAAI,CAAC,MAAM;oBAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;gBAClD,sEAAsE;gBACtE,uEAAuE;gBACvE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,sBAAsB,CAAC,MAAM,EAAE;oBACnE,WAAW,EAAE,QAAQ,CAAC,YAAY;oBAClC,aAAa,EAAE,QAAQ,CAAC,cAAc,IAAI,EAAE;oBAC5C,MAAM,EAAE,CAAC,sBAAsB,CAAC;oBAChC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACrC,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAChD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBACxC,IAAI,QAAQ,CAAC,KAAK;oBAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;gBACvE,OAAO,QAAQ,CAAC,IAAI,CAAC;YACvB,CAAC;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,gBAAgB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAEvE,oEAAoE;IACpE,MAAM,WAAW,GAAG,UAAU,CAAC;QAC7B,WAAW,EAAE,KAAK,EAAE,KAAa,EAAoB,EAAE;YACrD,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;gBAC/D,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,sBAAsB,EAAE,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,qBAAqB,EAAE;QAC9E,2BAA2B,EAAE,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,qBAAqB,EAAE;KACpF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEnD,8EAA8E;IAC9E,2EAA2E;IAC3E,gDAAgD;IAChD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;IACzE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAqB,CAAC;IACnD,MAAM,eAAe,GAAG,CAAC,IAAY,EAAa,EAAE;QAClD,IAAI,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG,IAAI,CAAC,OAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YAC1C,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF;;;;OAIG;IACH,MAAM,iBAAiB,GAAG,KAAK,EAAE,CAAU,EAA+B,EAAE;QAC1E,IAAI,CAAC,WAAW;YAAE,OAAO,SAAS,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,KAAK,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7E,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACnE,OAAO,UAAU,CAAC,IAAI,CAAC,OAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC,CAAC;IAEF,MAAM,SAAS,GAAG,CAAC,CAAU,EAAE,EAAE,CAC/B,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,mCAAmC,EAAE,EAAE,GAAG,CAAC,CAAC;IAElG,MAAM,UAAU,GAAG,KAAK,EAAE,CAAU,EAAE,EAAE;QACtC,IAAI,UAA8B,CAAC;QACnC,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,iBAAiB,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;QACtB,CAAC;QAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC1D,IAAI,OAAO,GAAG,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEhF,wEAAwE;QACxE,uCAAuC;QACvC,IAAI,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,UAAU;YAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;QAEtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,OAAmC,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,uBAAuB,CAAC;gBAC5C,kBAAkB,EAAE,IAAI;gBACxB,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;gBACtC,oBAAoB,EAAE,CAAC,SAAS,EAAE,EAAE;oBAClC,IAAI,OAAO;wBAAE,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;gBAChD,CAAC;gBACD,eAAe,EAAE,CAAC,SAAS,EAAE,EAAE;oBAC7B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7B,CAAC;aACF,CAAC,CAAC;YACH,OAAO,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,UAAU,KAAK,SAAS,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;YACzE,sEAAsE;YACtE,4EAA4E;YAC5E,MAAM,IAAI,GAAG,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;YACxF,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAC1C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,GAAG,OAAO,CAAC;QACpB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC;IAEF,mFAAmF;IACnF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAEzC,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -11,5 +11,8 @@ export { FileOAuthStore } from "./oauth/file-store.js";
|
|
|
11
11
|
export { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
|
|
12
12
|
export { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
|
|
13
13
|
export { buildUpstreamAuthorizeUrl, exchangeUpstreamCode, type H2AUpstreamOidcConfig, type UpstreamFetch, type UpstreamLogin } from "./oauth/oidc-rp.js";
|
|
14
|
+
export { rootForSub } from "./oauth/tenancy.js";
|
|
15
|
+
export { createBrokerLogin, type BrokerLogin, type BrokerLoginDeps, type BrokerStart, type BrokerComplete } from "./oauth/broker-login.js";
|
|
16
|
+
export { buildBrokerRoutes, type BrokerRoutesDeps } from "./oauth/broker-routes.js";
|
|
14
17
|
export { oauthConfigFromEnv, H2A_HOSTED_OAUTH_SCOPE, type H2AHostedOAuthConfig, type H2AHostedOAuthEnv } from "./oauth/config.js";
|
|
15
18
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,UAAU,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,aAAa,EACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACvB,MAAM,mBAAmB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,UAAU,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,aAAa,EACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EACL,iBAAiB,EACjB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,cAAc,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,KAAK,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AACpF,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACvB,MAAM,mBAAmB,CAAC"}
|
|
@@ -11,5 +11,8 @@ export { FileOAuthStore } from "./oauth/file-store.js";
|
|
|
11
11
|
export { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
|
|
12
12
|
export { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
|
|
13
13
|
export { buildUpstreamAuthorizeUrl, exchangeUpstreamCode } from "./oauth/oidc-rp.js";
|
|
14
|
+
export { rootForSub } from "./oauth/tenancy.js";
|
|
15
|
+
export { createBrokerLogin } from "./oauth/broker-login.js";
|
|
16
|
+
export { buildBrokerRoutes } from "./oauth/broker-routes.js";
|
|
14
17
|
export { oauthConfigFromEnv, H2A_HOSTED_OAUTH_SCOPE } from "./oauth/config.js";
|
|
15
18
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAsB,MAAM,UAAU,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EAIzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EAIrB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EAGvB,MAAM,mBAAmB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAsB,MAAM,UAAU,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EAIzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EAIrB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EACL,iBAAiB,EAKlB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAyB,MAAM,0BAA0B,CAAC;AACpF,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EAGvB,MAAM,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* EVO-12 P2 (mode 3) — broker-login state machine. The stateful heart of the
|
|
3
|
+
* gateway: on claude.ai's /authorize, `start()` stores the claude.ai request +
|
|
4
|
+
* a fresh upstream PKCE/state and returns the 39-auth /authorize URL to redirect
|
|
5
|
+
* to; on the /oidc/callback, `complete()` looks the pending entry up by state,
|
|
6
|
+
* exchanges the code at 39-auth for the user's `sub`, and resolves that user's
|
|
7
|
+
* per-tenant root. The hono routes are thin wrappers over this.
|
|
8
|
+
*
|
|
9
|
+
* Deps injected (exchange / pkce / randomState / clock) → unit-testable against
|
|
10
|
+
* a mock IdP, no network. Pending entries are single-use + time-boxed.
|
|
11
|
+
*/
|
|
12
|
+
import { type H2AUpstreamOidcConfig, type UpstreamLogin } from "./oidc-rp.js";
|
|
13
|
+
export interface BrokerLoginDeps {
|
|
14
|
+
readonly config: H2AUpstreamOidcConfig;
|
|
15
|
+
/** Bound `exchangeUpstreamCode(config, {code, codeVerifier}, fetch)`. */
|
|
16
|
+
readonly exchange: (code: string, codeVerifier: string) => Promise<UpstreamLogin>;
|
|
17
|
+
/** Base h2a root; the per-user root is `rootForSub(baseRoot, sub)`. */
|
|
18
|
+
readonly baseRoot: string;
|
|
19
|
+
/** Fresh opaque state per login (e.g. `randomToken()`). */
|
|
20
|
+
readonly randomState: () => string;
|
|
21
|
+
/** Fresh PKCE pair for the upstream leg. */
|
|
22
|
+
readonly pkce: () => {
|
|
23
|
+
verifier: string;
|
|
24
|
+
challenge: string;
|
|
25
|
+
};
|
|
26
|
+
readonly now?: () => number;
|
|
27
|
+
/** Pending-login TTL (ms). Default 10 min. */
|
|
28
|
+
readonly maxAgeMs?: number;
|
|
29
|
+
}
|
|
30
|
+
export interface BrokerStart {
|
|
31
|
+
/** 39-auth /authorize URL to redirect the user to. */
|
|
32
|
+
readonly redirectUrl: string;
|
|
33
|
+
/** The upstream state (also the pending-entry key). */
|
|
34
|
+
readonly state: string;
|
|
35
|
+
}
|
|
36
|
+
export interface BrokerComplete {
|
|
37
|
+
/** The original claude.ai /authorize request, opaque to the broker — to resume issuing the claude.ai code. */
|
|
38
|
+
readonly claudeai: unknown;
|
|
39
|
+
/** The authenticated 39-auth user. */
|
|
40
|
+
readonly sub: string;
|
|
41
|
+
/** That user's per-tenant h2a root. */
|
|
42
|
+
readonly root: string;
|
|
43
|
+
}
|
|
44
|
+
export interface BrokerLogin {
|
|
45
|
+
start(claudeaiParams: unknown): BrokerStart;
|
|
46
|
+
complete(state: string, code: string): Promise<BrokerComplete>;
|
|
47
|
+
pendingCount(): number;
|
|
48
|
+
}
|
|
49
|
+
export declare function createBrokerLogin(deps: BrokerLoginDeps): BrokerLogin;
|
|
50
|
+
//# sourceMappingURL=broker-login.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"broker-login.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/broker-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAA6B,KAAK,qBAAqB,EAAE,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC;AAGzG,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,EAAE,qBAAqB,CAAC;IACvC,yEAAyE;IACzE,QAAQ,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,CAAC,CAAC;IAClF,uEAAuE;IACvE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,QAAQ,CAAC,WAAW,EAAE,MAAM,MAAM,CAAC;IACnC,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAC5B,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,WAAW;IAC1B,sDAAsD;IACtD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,uDAAuD;IACvD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,8GAA8G;IAC9G,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,sCAAsC;IACtC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,uCAAuC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,cAAc,EAAE,OAAO,GAAG,WAAW,CAAC;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/D,YAAY,IAAI,MAAM,CAAC;CACxB;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,eAAe,GAAG,WAAW,CAwBpE"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* EVO-12 P2 (mode 3) — broker-login state machine. The stateful heart of the
|
|
3
|
+
* gateway: on claude.ai's /authorize, `start()` stores the claude.ai request +
|
|
4
|
+
* a fresh upstream PKCE/state and returns the 39-auth /authorize URL to redirect
|
|
5
|
+
* to; on the /oidc/callback, `complete()` looks the pending entry up by state,
|
|
6
|
+
* exchanges the code at 39-auth for the user's `sub`, and resolves that user's
|
|
7
|
+
* per-tenant root. The hono routes are thin wrappers over this.
|
|
8
|
+
*
|
|
9
|
+
* Deps injected (exchange / pkce / randomState / clock) → unit-testable against
|
|
10
|
+
* a mock IdP, no network. Pending entries are single-use + time-boxed.
|
|
11
|
+
*/
|
|
12
|
+
import { buildUpstreamAuthorizeUrl } from "./oidc-rp.js";
|
|
13
|
+
import { rootForSub } from "./tenancy.js";
|
|
14
|
+
export function createBrokerLogin(deps) {
|
|
15
|
+
const now = deps.now ?? Date.now;
|
|
16
|
+
const maxAgeMs = deps.maxAgeMs ?? 600_000;
|
|
17
|
+
const pending = new Map();
|
|
18
|
+
return {
|
|
19
|
+
start(claudeaiParams) {
|
|
20
|
+
const { verifier, challenge } = deps.pkce();
|
|
21
|
+
const state = deps.randomState();
|
|
22
|
+
pending.set(state, { verifier, claudeai: claudeaiParams, at: now() });
|
|
23
|
+
return {
|
|
24
|
+
redirectUrl: buildUpstreamAuthorizeUrl(deps.config, { state, codeChallenge: challenge }),
|
|
25
|
+
state
|
|
26
|
+
};
|
|
27
|
+
},
|
|
28
|
+
async complete(state, code) {
|
|
29
|
+
const entry = pending.get(state);
|
|
30
|
+
if (!entry)
|
|
31
|
+
throw new Error("broker: unknown state");
|
|
32
|
+
pending.delete(state); // single-use
|
|
33
|
+
if (now() - entry.at > maxAgeMs)
|
|
34
|
+
throw new Error("broker: state expired");
|
|
35
|
+
const login = await deps.exchange(code, entry.verifier);
|
|
36
|
+
return { claudeai: entry.claudeai, sub: login.sub, root: rootForSub(deps.baseRoot, login.sub) };
|
|
37
|
+
},
|
|
38
|
+
pendingCount: () => pending.size
|
|
39
|
+
};
|
|
40
|
+
}
|
|
41
|
+
//# sourceMappingURL=broker-login.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"broker-login.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/broker-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,yBAAyB,EAAkD,MAAM,cAAc,CAAC;AACzG,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAuC1C,MAAM,UAAU,iBAAiB,CAAC,IAAqB;IACrD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,GAAG,EAA+D,CAAC;IACvF,OAAO;QACL,KAAK,CAAC,cAAc;YAClB,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACtE,OAAO;gBACL,WAAW,EAAE,yBAAyB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC;gBACxF,KAAK;aACN,CAAC;QACJ,CAAC;QACD,KAAK,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI;YACxB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YACrD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa;YACpC,IAAI,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,GAAG,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;YACxD,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAClG,CAAC;QACD,YAAY,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI;KACjC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* EVO-12 P2 (mode 3) — hono routes for the broker login. Thin wrapper over
|
|
3
|
+
* `createBrokerLogin`: `/authorize` starts a login (302 → 39-auth) instead of
|
|
4
|
+
* the single-tenant consent form; `/oidc/callback` completes it (exchange →
|
|
5
|
+
* sub → per-user root) and hands off to the provider to issue the claude.ai
|
|
6
|
+
* authorization code, then 302s back to claude.ai.
|
|
7
|
+
*
|
|
8
|
+
* `issueClaudeaiCode` is injected (the SingleTenantOAuthProvider's code issuance,
|
|
9
|
+
* bound to the resolved user/root) → routes are testable via `app.request` with
|
|
10
|
+
* a mock IdP, no provider/network.
|
|
11
|
+
*/
|
|
12
|
+
import { Hono } from "hono";
|
|
13
|
+
import type { BrokerLogin } from "./broker-login.js";
|
|
14
|
+
export interface BrokerRoutesDeps {
|
|
15
|
+
readonly brokerLogin: BrokerLogin;
|
|
16
|
+
/**
|
|
17
|
+
* Issue the claude.ai authorization code for the original request, bound to
|
|
18
|
+
* the authenticated user/root, and return the claude.ai redirect URL
|
|
19
|
+
* (`<redirect_uri>?code=…&state=…`).
|
|
20
|
+
*/
|
|
21
|
+
readonly issueClaudeaiCode: (claudeai: Record<string, string>, ctx: {
|
|
22
|
+
sub: string;
|
|
23
|
+
root: string;
|
|
24
|
+
}) => string | Promise<string>;
|
|
25
|
+
/** Callback path registered at 39-auth. Default `/oidc/callback`. */
|
|
26
|
+
readonly callbackPath?: string;
|
|
27
|
+
}
|
|
28
|
+
export declare function buildBrokerRoutes(deps: BrokerRoutesDeps): Hono;
|
|
29
|
+
//# sourceMappingURL=broker-routes.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"broker-routes.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/broker-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC;;;;OAIG;IACH,QAAQ,CAAC,iBAAiB,EAAE,CAC1B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAChC,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,KAC/B,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9B,qEAAqE;IACrE,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAkC9D"}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* EVO-12 P2 (mode 3) — hono routes for the broker login. Thin wrapper over
|
|
3
|
+
* `createBrokerLogin`: `/authorize` starts a login (302 → 39-auth) instead of
|
|
4
|
+
* the single-tenant consent form; `/oidc/callback` completes it (exchange →
|
|
5
|
+
* sub → per-user root) and hands off to the provider to issue the claude.ai
|
|
6
|
+
* authorization code, then 302s back to claude.ai.
|
|
7
|
+
*
|
|
8
|
+
* `issueClaudeaiCode` is injected (the SingleTenantOAuthProvider's code issuance,
|
|
9
|
+
* bound to the resolved user/root) → routes are testable via `app.request` with
|
|
10
|
+
* a mock IdP, no provider/network.
|
|
11
|
+
*/
|
|
12
|
+
import { Hono } from "hono";
|
|
13
|
+
export function buildBrokerRoutes(deps) {
|
|
14
|
+
const router = new Hono();
|
|
15
|
+
const callbackPath = deps.callbackPath ?? "/oidc/callback";
|
|
16
|
+
// claude.ai lands here (DCR+PKCE already done against our self-AS); we redirect
|
|
17
|
+
// the human to 39-auth to actually log in.
|
|
18
|
+
router.get("/authorize", (c) => {
|
|
19
|
+
c.header("Cache-Control", "no-store");
|
|
20
|
+
const claudeai = c.req.query();
|
|
21
|
+
const { redirectUrl } = deps.brokerLogin.start(claudeai);
|
|
22
|
+
return c.redirect(redirectUrl, 302);
|
|
23
|
+
});
|
|
24
|
+
// 39-auth redirects back here with code+state; we exchange, resolve the user's
|
|
25
|
+
// root, issue the claude.ai code, and bounce back to claude.ai.
|
|
26
|
+
router.get(callbackPath, async (c) => {
|
|
27
|
+
const code = c.req.query("code");
|
|
28
|
+
const state = c.req.query("state");
|
|
29
|
+
if (!code || !state) {
|
|
30
|
+
return c.json({ error: "invalid_request", error_description: "missing code/state" }, 400);
|
|
31
|
+
}
|
|
32
|
+
try {
|
|
33
|
+
const done = await deps.brokerLogin.complete(state, code);
|
|
34
|
+
const redirectUrl = await deps.issueClaudeaiCode(done.claudeai, {
|
|
35
|
+
sub: done.sub,
|
|
36
|
+
root: done.root
|
|
37
|
+
});
|
|
38
|
+
return c.redirect(redirectUrl, 302);
|
|
39
|
+
}
|
|
40
|
+
catch (err) {
|
|
41
|
+
return c.json({ error: "access_denied", error_description: err.message }, 400);
|
|
42
|
+
}
|
|
43
|
+
});
|
|
44
|
+
return router;
|
|
45
|
+
}
|
|
46
|
+
//# sourceMappingURL=broker-routes.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"broker-routes.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/broker-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAmB5B,MAAM,UAAU,iBAAiB,CAAC,IAAsB;IACtD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,gBAAgB,CAAC;IAE3D,gFAAgF;IAChF,2CAA2C;IAC3C,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;QAC7B,CAAC,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,EAA4B,CAAC;QACzD,MAAM,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACzD,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAC/E,gEAAgE;IAChE,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACpB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAC1D,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAkC,EAAE;gBACxF,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB,CAAC,CAAC;YACH,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAG,GAAa,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -5,6 +5,7 @@
|
|
|
5
5
|
* Scope is read-only (`h2a:read`) — the hosted surface exposes only read tools
|
|
6
6
|
* (DEC-116 key custody; see ../readonly-allowlist).
|
|
7
7
|
*/
|
|
8
|
+
import type { H2AUpstreamOidcConfig } from "./oidc-rp.js";
|
|
8
9
|
export declare const H2A_HOSTED_OAUTH_SCOPE = "h2a:read";
|
|
9
10
|
export interface H2AHostedOAuthEnv {
|
|
10
11
|
PUBLIC_BASE_URL: string;
|
|
@@ -16,6 +17,14 @@ export interface H2AHostedOAuthEnv {
|
|
|
16
17
|
OAUTH_AUTH_CODE_TTL_SECONDS: number;
|
|
17
18
|
H2A_HOSTED_ENROLLMENT_ENABLED?: string;
|
|
18
19
|
NODE_ENV?: string;
|
|
20
|
+
H2A_BROKER_MODE?: string;
|
|
21
|
+
H2A_UPSTREAM_ISSUER?: string;
|
|
22
|
+
H2A_UPSTREAM_AUTHORIZE_URL?: string;
|
|
23
|
+
H2A_UPSTREAM_TOKEN_URL?: string;
|
|
24
|
+
H2A_UPSTREAM_CLIENT_ID?: string;
|
|
25
|
+
H2A_UPSTREAM_CLIENT_SECRET?: string;
|
|
26
|
+
H2A_UPSTREAM_REDIRECT_URI?: string;
|
|
27
|
+
H2A_UPSTREAM_SCOPES?: string;
|
|
19
28
|
}
|
|
20
29
|
export interface H2AHostedOAuthConfig {
|
|
21
30
|
issuerUrl: URL;
|
|
@@ -29,6 +38,10 @@ export interface H2AHostedOAuthConfig {
|
|
|
29
38
|
refreshTokenTtlSeconds: number;
|
|
30
39
|
authCodeTtlSeconds: number;
|
|
31
40
|
nodeEnv: string;
|
|
41
|
+
/** EVO-12 P2: broker mode (delegate login to 39-auth). */
|
|
42
|
+
brokerMode: boolean;
|
|
43
|
+
/** The seeded 39-auth RP config — present iff broker mode. */
|
|
44
|
+
upstream?: H2AUpstreamOidcConfig;
|
|
32
45
|
}
|
|
33
46
|
export declare function parseOAuthCsv(value: string): string[];
|
|
34
47
|
export declare function parseHostedEnrollmentEnabled(value: string | undefined): boolean;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,sBAAsB,aAAa,CAAC;AAEjD,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,2BAA2B,EAAE,MAAM,CAAC;IACpC,8BAA8B,EAAE,MAAM,CAAC;IACvC,+BAA+B,EAAE,MAAM,CAAC;IACxC,2BAA2B,EAAE,MAAM,CAAC;IACpC,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAE1D,eAAO,MAAM,sBAAsB,aAAa,CAAC;AAEjD,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,2BAA2B,EAAE,MAAM,CAAC;IACpC,8BAA8B,EAAE,MAAM,CAAC;IACvC,+BAA+B,EAAE,MAAM,CAAC;IACxC,2BAA2B,EAAE,MAAM,CAAC;IACpC,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAIlB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,GAAG,CAAC;IACf,aAAa,EAAE,GAAG,CAAC;IACnB,iBAAiB,EAAE,GAAG,CAAC;IACvB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,UAAU,EAAE,OAAO,CAAC;IACpB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,qBAAqB,CAAC;CAClC;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAKrD;AAED,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAG/E;AAED,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,iBAAiB,GAAG,oBAAoB,CAwB/E"}
|
|
@@ -24,6 +24,8 @@ export function oauthConfigFromEnv(env) {
|
|
|
24
24
|
if (enrollmentEnabled && !env.OAUTH_CONSENT_SECRET) {
|
|
25
25
|
throw new Error("OAUTH_CONSENT_SECRET is required when H2A_HOSTED_ENROLLMENT_ENABLED=true");
|
|
26
26
|
}
|
|
27
|
+
const brokerMode = env.H2A_BROKER_MODE === "true";
|
|
28
|
+
const upstream = brokerMode ? upstreamFromEnv(env) : undefined;
|
|
27
29
|
return {
|
|
28
30
|
issuerUrl,
|
|
29
31
|
publicBaseUrl,
|
|
@@ -35,7 +37,33 @@ export function oauthConfigFromEnv(env) {
|
|
|
35
37
|
accessTokenTtlSeconds: env.OAUTH_ACCESS_TOKEN_TTL_SECONDS,
|
|
36
38
|
refreshTokenTtlSeconds: env.OAUTH_REFRESH_TOKEN_TTL_SECONDS,
|
|
37
39
|
authCodeTtlSeconds: env.OAUTH_AUTH_CODE_TTL_SECONDS,
|
|
38
|
-
nodeEnv: env.NODE_ENV ?? "development"
|
|
40
|
+
nodeEnv: env.NODE_ENV ?? "development",
|
|
41
|
+
brokerMode,
|
|
42
|
+
...(upstream ? { upstream } : {})
|
|
43
|
+
};
|
|
44
|
+
}
|
|
45
|
+
/** Parse the seeded 39-auth RP config from env; throws if a field is missing. */
|
|
46
|
+
function upstreamFromEnv(env) {
|
|
47
|
+
const required = {
|
|
48
|
+
issuer: env.H2A_UPSTREAM_ISSUER,
|
|
49
|
+
authorizeUrl: env.H2A_UPSTREAM_AUTHORIZE_URL,
|
|
50
|
+
tokenUrl: env.H2A_UPSTREAM_TOKEN_URL,
|
|
51
|
+
clientId: env.H2A_UPSTREAM_CLIENT_ID,
|
|
52
|
+
clientSecret: env.H2A_UPSTREAM_CLIENT_SECRET,
|
|
53
|
+
redirectUri: env.H2A_UPSTREAM_REDIRECT_URI
|
|
54
|
+
};
|
|
55
|
+
for (const [key, value] of Object.entries(required)) {
|
|
56
|
+
if (!value)
|
|
57
|
+
throw new Error(`H2A_BROKER_MODE=true requires H2A_UPSTREAM_* (missing ${key})`);
|
|
58
|
+
}
|
|
59
|
+
return {
|
|
60
|
+
issuer: required.issuer,
|
|
61
|
+
authorizeUrl: required.authorizeUrl,
|
|
62
|
+
tokenUrl: required.tokenUrl,
|
|
63
|
+
clientId: required.clientId,
|
|
64
|
+
clientSecret: required.clientSecret,
|
|
65
|
+
redirectUri: required.redirectUri,
|
|
66
|
+
scopes: env.H2A_UPSTREAM_SCOPES ? parseOAuthCsv(env.H2A_UPSTREAM_SCOPES) : ["openid", "profile", "email"]
|
|
39
67
|
};
|
|
40
68
|
}
|
|
41
69
|
//# sourceMappingURL=config.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,CAAC,MAAM,sBAAsB,GAAG,UAAU,CAAC;AA2CjD,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,KAAK;SACT,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,KAAyB;IACpE,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAsB;IACvD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAChD,MAAM,iBAAiB,GAAG,4BAA4B,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC1F,IAAI,iBAAiB,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,UAAU,GAAG,GAAG,CAAC,eAAe,KAAK,MAAM,CAAC;IAClD,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/D,OAAO;QACL,SAAS;QACT,aAAa;QACb,iBAAiB,EAAE,IAAI,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC;QACjD,mBAAmB,EAAE,IAAI,GAAG,CAAC,2CAA2C,EAAE,aAAa,CAAC,CAAC,IAAI;QAC7F,aAAa,EAAE,GAAG,CAAC,oBAAoB,IAAI,mBAAmB;QAC9D,iBAAiB;QACjB,mBAAmB,EAAE,aAAa,CAAC,GAAG,CAAC,2BAA2B,CAAC;QACnE,qBAAqB,EAAE,GAAG,CAAC,8BAA8B;QACzD,sBAAsB,EAAE,GAAG,CAAC,+BAA+B;QAC3D,kBAAkB,EAAE,GAAG,CAAC,2BAA2B;QACnD,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,aAAa;QACtC,UAAU;QACV,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClC,CAAC;AACJ,CAAC;AAED,iFAAiF;AACjF,SAAS,eAAe,CAAC,GAAsB;IAC7C,MAAM,QAAQ,GAAG;QACf,MAAM,EAAE,GAAG,CAAC,mBAAmB;QAC/B,YAAY,EAAE,GAAG,CAAC,0BAA0B;QAC5C,QAAQ,EAAE,GAAG,CAAC,sBAAsB;QACpC,QAAQ,EAAE,GAAG,CAAC,sBAAsB;QACpC,YAAY,EAAE,GAAG,CAAC,0BAA0B;QAC5C,WAAW,EAAE,GAAG,CAAC,yBAAyB;KAC3C,CAAC;IACF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,yDAAyD,GAAG,GAAG,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,MAAgB;QACjC,YAAY,EAAE,QAAQ,CAAC,YAAsB;QAC7C,QAAQ,EAAE,QAAQ,CAAC,QAAkB;QACrC,QAAQ,EAAE,QAAQ,CAAC,QAAkB;QACrC,YAAY,EAAE,QAAQ,CAAC,YAAsB;QAC7C,WAAW,EAAE,QAAQ,CAAC,WAAqB;QAC3C,MAAM,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;KAC1G,CAAC;AACJ,CAAC"}
|
|
@@ -2,4 +2,13 @@ export declare function randomToken(byteLength?: number): string;
|
|
|
2
2
|
export declare function sha256Hex(value: string): string;
|
|
3
3
|
export declare function tokenHashPrefix(tokenHash: string): string;
|
|
4
4
|
export declare function timingSafeEqualString(a: string, b: string): boolean;
|
|
5
|
+
/**
|
|
6
|
+
* EVO-12 P2 (mode 3): a fresh PKCE pair for the gateway's upstream 39-auth leg.
|
|
7
|
+
* The verifier is held server-side (broker pending state); the S256 challenge
|
|
8
|
+
* goes on the wire to /authorize.
|
|
9
|
+
*/
|
|
10
|
+
export declare function pkceS256(): {
|
|
11
|
+
verifier: string;
|
|
12
|
+
challenge: string;
|
|
13
|
+
};
|
|
5
14
|
//# sourceMappingURL=crypto.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,UAAU,SAAK,GAAG,MAAM,CAEnD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAInE"}
|
|
1
|
+
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,UAAU,SAAK,GAAG,MAAM,CAEnD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAInE;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,IAAI;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAIlE"}
|
|
@@ -16,4 +16,14 @@ export function timingSafeEqualString(a, b) {
|
|
|
16
16
|
const right = Buffer.from(sha256Hex(b), "hex");
|
|
17
17
|
return timingSafeEqual(left, right);
|
|
18
18
|
}
|
|
19
|
+
/**
|
|
20
|
+
* EVO-12 P2 (mode 3): a fresh PKCE pair for the gateway's upstream 39-auth leg.
|
|
21
|
+
* The verifier is held server-side (broker pending state); the S256 challenge
|
|
22
|
+
* goes on the wire to /authorize.
|
|
23
|
+
*/
|
|
24
|
+
export function pkceS256() {
|
|
25
|
+
const verifier = randomBytes(32).toString("base64url");
|
|
26
|
+
const challenge = createHash("sha256").update(verifier).digest("base64url");
|
|
27
|
+
return { verifier, challenge };
|
|
28
|
+
}
|
|
19
29
|
//# sourceMappingURL=crypto.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,MAAM,UAAU,WAAW,CAAC,UAAU,GAAG,EAAE;IACzC,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,CAAS,EAAE,CAAS;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC/C,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACtC,CAAC"}
|
|
1
|
+
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,MAAM,UAAU,WAAW,CAAC,UAAU,GAAG,EAAE;IACzC,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,CAAS,EAAE,CAAS;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC/C,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,QAAQ;IACtB,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC"}
|
|
@@ -10,6 +10,12 @@ export interface StoredAuthorizationCode {
|
|
|
10
10
|
createdAt: number;
|
|
11
11
|
expiresAt: number;
|
|
12
12
|
consumedAt?: number;
|
|
13
|
+
/**
|
|
14
|
+
* EVO-12 P2 (mode 3, multi-tenant): the upstream 39-auth subject this code was
|
|
15
|
+
* minted for. Threaded code→token so /mcp can serve the per-user root. Absent
|
|
16
|
+
* for single-tenant (consent-secret) codes.
|
|
17
|
+
*/
|
|
18
|
+
sub?: string;
|
|
13
19
|
}
|
|
14
20
|
export interface StoredToken {
|
|
15
21
|
tokenHash: string;
|
|
@@ -21,6 +27,8 @@ export interface StoredToken {
|
|
|
21
27
|
expiresAt: number;
|
|
22
28
|
revokedAt?: number;
|
|
23
29
|
parentRefreshTokenHash?: string;
|
|
30
|
+
/** EVO-12 P2: the 39-auth subject (see StoredAuthorizationCode.sub). */
|
|
31
|
+
sub?: string;
|
|
24
32
|
}
|
|
25
33
|
export declare class FileOAuthStore implements OAuthRegisteredClientsStore {
|
|
26
34
|
readonly path: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"file-store.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAI3F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"file-store.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAI3F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,QAAQ,GAAG,SAAS,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AASD,qBAAa,cAAe,YAAW,2BAA2B;IAGpD,QAAQ,CAAC,IAAI,EAAE,MAAM;IAFjC,OAAO,CAAC,QAAQ,CAA6E;gBAExE,IAAI,EAAE,MAAM;IAE3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAkBrB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAI5E,cAAc,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAMvF,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,IAAI,CAAC,uBAAuB,EAAE,UAAU,GAAG,YAAY,CAAC,GAC/D,OAAO,CAAC,IAAI,CAAC;IAMV,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAMpG,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IASxG,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAQnG,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI1D,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAQrD,OAAO;CAmBtB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"file-store.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"file-store.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAyCxC,MAAM,OAAO,cAAc;IAGJ;IAFb,QAAQ,GAAa,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAE7F,YAAqB,IAAY;QAAZ,SAAI,GAAJ,IAAI,CAAQ;IAAG,CAAC;IAErC,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAa,CAAC;YACzE,IAAI,CAAC,QAAQ,GAAG;gBACd,OAAO,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;gBAC7B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,EAAE;gBACnD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;aAC5B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACzE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAkC;QACrD,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;QACjD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,IAAY,EACZ,MAAgE;QAEhE,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY,EAAE,UAAkB;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAAS,IAAI,UAAU;YAAE,OAAO,SAAS,CAAC;QACrF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,IAAY,EAAE,UAAkB;QAC7D,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAAS,IAAI,UAAU;YAAE,OAAO,SAAS,CAAC;QACrF,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC;QAC/B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,KAAa,EAAE,MAAoD;QAChF,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;QACzC,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,UAAkB;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;YAC9B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;QAC3D,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC;QACjE,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uEAAuE;YACvE,qEAAqE;YACrE,gEAAgE;YAChE,MAAM,IAAI,GAAI,KAA+B,CAAC,IAAI,CAAC;YACnD,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;gBAAE,MAAM,KAAK,CAAC;QACzD,CAAC;gBAAS,CAAC;YACT,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;QACD,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;CACF"}
|
|
@@ -39,6 +39,8 @@ interface IssueCodeParams {
|
|
|
39
39
|
scopes: string[];
|
|
40
40
|
resource?: URL;
|
|
41
41
|
state?: string;
|
|
42
|
+
/** EVO-12 P2 (mode 3): the 39-auth subject this code is minted for (broker flow). */
|
|
43
|
+
sub?: string;
|
|
42
44
|
}
|
|
43
45
|
type WideClientsStore = Omit<OAuthRegisteredClientsStore, "registerClient"> & {
|
|
44
46
|
registerClient?(client: OAuthClientInformationFull): OAuthClientInformationFull | Promise<OAuthClientInformationFull>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"single-tenant-provider.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAQpG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7F,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EACV,0BAA0B,EAC1B,2BAA2B,EAC3B,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAIlD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGtD,MAAM,MAAM,gBAAgB,GACxB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpD;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3C,UAAU,eAAe;IACvB,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,GAAG,CAAC;IACf,aAAa,EAAE,GAAG,CAAC;IACnB,iBAAiB,EAAE,GAAG,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,MAAM,CAAC;CAC3B;AAED,UAAU,eAAe;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"single-tenant-provider.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAQpG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7F,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EACV,0BAA0B,EAC1B,2BAA2B,EAC3B,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAIlD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGtD,MAAM,MAAM,gBAAgB,GACxB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpD;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3C,UAAU,eAAe;IACvB,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,GAAG,CAAC;IACf,aAAa,EAAE,GAAG,CAAC;IACnB,iBAAiB,EAAE,GAAG,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,MAAM,CAAC;CAC3B;AAED,UAAU,eAAe;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,qFAAqF;IACrF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,KAAK,gBAAgB,GAAG,IAAI,CAAC,2BAA2B,EAAE,gBAAgB,CAAC,GAAG;IAC5E,cAAc,CAAC,CACb,MAAM,EAAE,0BAA0B,GACjC,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;CACrE,CAAC;AAEF,qBAAa,yBAAyB;IAGxB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,QAAQ,CAAC,YAAY,EAAE,gBAAgB,CAAC;gBAEX,IAAI,EAAE,eAAe;IAmBlD,OAAO,CAAC,UAAU;IAIZ,gBAAgB,CACpB,MAAM,EAAE,0BAA0B,EAClC,MAAM,EAAE,mBAAmB,EAC3B,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,GAChD,OAAO,CAAC,gBAAgB,CAAC;IAoBtB,sBAAsB,CAAC,MAAM,EAAE,0BAA0B,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IAkB1G,OAAO,CAAC,iBAAiB;IAiEnB,6BAA6B,CACjC,OAAO,EAAE,0BAA0B,EACnC,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,MAAM,CAAC;IAMZ,yBAAyB,CAC7B,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,EACzB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAYjB,oBAAoB,CACxB,MAAM,EAAE,0BAA0B,EAClC,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,MAAM,EAAE,EACjB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAkBjB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsBnD,WAAW,CAAC,OAAO,EAAE,0BAA0B,EAAE,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrG,mBAAmB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,WAAW,CAAC;YAIrE,WAAW;IAuCzB,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;CAQ1B"}
|
|
@@ -59,7 +59,8 @@ export class SingleTenantOAuthProvider {
|
|
|
59
59
|
scopes,
|
|
60
60
|
resource: resource.href,
|
|
61
61
|
createdAt: now,
|
|
62
|
-
expiresAt: now + this.opts.authCodeTtlSeconds
|
|
62
|
+
expiresAt: now + this.opts.authCodeTtlSeconds,
|
|
63
|
+
...(params.sub !== undefined && { sub: params.sub })
|
|
63
64
|
});
|
|
64
65
|
return code;
|
|
65
66
|
}
|
|
@@ -139,7 +140,7 @@ export class SingleTenantOAuthProvider {
|
|
|
139
140
|
throw new InvalidGrantError("redirect_uri does not match authorization code");
|
|
140
141
|
if (this.normalizeResource(resource).href !== record.resource)
|
|
141
142
|
throw new InvalidTargetError("resource does not match authorization code");
|
|
142
|
-
return this.issueTokens(client, record.scopes, new URL(record.resource), undefined);
|
|
143
|
+
return this.issueTokens(client, record.scopes, new URL(record.resource), undefined, record.sub);
|
|
143
144
|
}
|
|
144
145
|
async exchangeRefreshToken(client, refreshToken, scopes, resource) {
|
|
145
146
|
const record = await this.opts.store.findToken(refreshToken);
|
|
@@ -156,7 +157,7 @@ export class SingleTenantOAuthProvider {
|
|
|
156
157
|
throw new InvalidScopeError("requested scope exceeds refresh token scope");
|
|
157
158
|
}
|
|
158
159
|
await this.opts.store.revokeToken(refreshToken, now);
|
|
159
|
-
return this.issueTokens(client, requestedScopes, new URL(record.resource), sha256Hex(refreshToken));
|
|
160
|
+
return this.issueTokens(client, requestedScopes, new URL(record.resource), sha256Hex(refreshToken), record.sub);
|
|
160
161
|
}
|
|
161
162
|
async verifyAccessToken(token) {
|
|
162
163
|
const record = await this.opts.store.findToken(token);
|
|
@@ -170,7 +171,13 @@ export class SingleTenantOAuthProvider {
|
|
|
170
171
|
scopes: record.scopes,
|
|
171
172
|
expiresAt: record.expiresAt,
|
|
172
173
|
resource: new URL(record.resource),
|
|
173
|
-
extra: {
|
|
174
|
+
extra: {
|
|
175
|
+
tokenHashPrefix: tokenHashPrefix(record.tokenHash),
|
|
176
|
+
// EVO-12 P2 (mode 3): the per-user root key. Present iff this token was
|
|
177
|
+
// minted through the broker flow; the /mcp handler derives the tenant
|
|
178
|
+
// root from it (rootForSub) and serves that root.
|
|
179
|
+
...(record.sub !== undefined && { sub: record.sub })
|
|
180
|
+
}
|
|
174
181
|
};
|
|
175
182
|
}
|
|
176
183
|
async revokeToken(_client, request) {
|
|
@@ -179,7 +186,7 @@ export class SingleTenantOAuthProvider {
|
|
|
179
186
|
async issueTokensForTests(client) {
|
|
180
187
|
return this.issueTokens(client, [OAUTH_SCOPE], this.opts.resourceServerUrl, undefined);
|
|
181
188
|
}
|
|
182
|
-
async issueTokens(client, scopes, resource, parentRefreshTokenHash) {
|
|
189
|
+
async issueTokens(client, scopes, resource, parentRefreshTokenHash, sub) {
|
|
183
190
|
const accessToken = randomToken();
|
|
184
191
|
const refreshToken = randomToken();
|
|
185
192
|
const now = this.nowSeconds();
|
|
@@ -190,7 +197,8 @@ export class SingleTenantOAuthProvider {
|
|
|
190
197
|
resource: resource.href,
|
|
191
198
|
issuedAt: now,
|
|
192
199
|
expiresAt: now + this.opts.accessTokenTtlSeconds,
|
|
193
|
-
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash })
|
|
200
|
+
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash }),
|
|
201
|
+
...(sub !== undefined && { sub })
|
|
194
202
|
});
|
|
195
203
|
await this.opts.store.putToken(refreshToken, {
|
|
196
204
|
tokenType: "refresh",
|
|
@@ -199,7 +207,8 @@ export class SingleTenantOAuthProvider {
|
|
|
199
207
|
resource: resource.href,
|
|
200
208
|
issuedAt: now,
|
|
201
209
|
expiresAt: now + this.opts.refreshTokenTtlSeconds,
|
|
202
|
-
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash })
|
|
210
|
+
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash }),
|
|
211
|
+
...(sub !== undefined && { sub })
|
|
203
212
|
});
|
|
204
213
|
return {
|
|
205
214
|
access_token: accessToken,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"single-tenant-provider.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAUA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EAClB,MAAM,iDAAiD,CAAC;AASzD,OAAO,EAAE,sBAAsB,IAAI,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"single-tenant-provider.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAUA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EAClB,MAAM,iDAAiD,CAAC;AASzD,OAAO,EAAE,sBAAsB,IAAI,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAoC3D,MAAM,OAAO,yBAAyB;IAGP;IAFpB,YAAY,CAAmB;IAExC,YAA6B,IAAqB;QAArB,SAAI,GAAJ,IAAI,CAAiB;QAChD,IAAI,CAAC,YAAY,GAAG;YAClB,SAAS,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC;YAC5D,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBAC/B,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpG,MAAM,IAAI,0BAA0B,CAAC,kDAAkD,CAAC,CAAC;gBAC3F,CAAC;gBACD,MAAM,UAAU,GAA+B;oBAC7C,GAAG,MAAM;oBACT,KAAK,EAAE,WAAW;oBAClB,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;oBACpD,cAAc,EAAE,CAAC,MAAM,CAAC;oBACxB,0BAA0B,EAAE,MAAM,CAAC,0BAA0B,IAAI,MAAM;iBACxE,CAAC;gBACF,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;YACpD,CAAC;SACF,CAAC;IACJ,CAAC;IAEO,UAAU;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,MAAkC,EAClC,MAA2B,EAC3B,KAAiD;QAEjD,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;QACnG,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACjG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,wBAAwB,CAAC,EAAE,CAAC;QAClH,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE;YACrD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC;YAC3C,GAAG,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;YACnE,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;SAC3D,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxC,IAAI,MAAM,CAAC,KAAK;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,MAAkC,EAAE,MAAuB;QACtF,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,EAAE;YAC/C,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,MAAM;YACN,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB;YAC7C,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;SACrD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,iBAAiB,CACvB,MAAkC,EAClC,MAA2B,EAC3B,KAAyB;QAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;QAC9D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC;QACtE,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,iCAAiC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QACxF,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;4BA4BiB,UAAU;;;;IAIlC,SAAS;;yBAEY,UAAU;2BACR,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC;wBACjC,UAAU,CAAC,KAAK,CAAC;;;;mDAIU,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC;sDACzB,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC;wDAC5B,UAAU,CAAC,MAAM,CAAC,aAAa,CAAC;;+CAEzC,UAAU,CAAC,KAAK,CAAC;kDACd,UAAU,CAAC,QAAQ,CAAC;MAChE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,4CAA4C,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;;;;;;QAO1F,CAAC;IACP,CAAC;IAED,KAAK,CAAC,6BAA6B,CACjC,OAAmC,EACnC,iBAAyB;QAEzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,iBAAiB,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAChG,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,iBAAiB,CAAC,0CAA0C,CAAC,CAAC;QACrF,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,yBAAyB,CAC7B,MAAkC,EAClC,iBAAyB,EACzB,aAAsB,EACtB,WAAoB,EACpB,QAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,iBAAiB,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACpG,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,iBAAiB,CAAC,yDAAyD,CAAC,CAAC;QACpG,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS;YACtC,MAAM,IAAI,iBAAiB,CAAC,iDAAiD,CAAC,CAAC;QACjF,IAAI,WAAW,IAAI,WAAW,KAAK,MAAM,CAAC,WAAW;YACnD,MAAM,IAAI,iBAAiB,CAAC,gDAAgD,CAAC,CAAC;QAChF,IAAI,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,QAAQ;YAC3D,MAAM,IAAI,kBAAkB,CAAC,4CAA4C,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAClG,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAkC,EAClC,YAAoB,EACpB,MAAiB,EACjB,QAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;YAC7F,MAAM,IAAI,iBAAiB,CAAC,qCAAqC,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS;YACtC,MAAM,IAAI,iBAAiB,CAAC,4CAA4C,CAAC,CAAC;QAC5E,IAAI,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,QAAQ;YAC3D,MAAM,IAAI,kBAAkB,CAAC,uCAAuC,CAAC,CAAC;QACxE,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;QACtE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,iBAAiB,CAAC,6CAA6C,CAAC,CAAC;QAC7E,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,eAAe,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAClH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;YAC5F,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC;YAClC,KAAK,EAAE;gBACL,eAAe,EAAE,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC;gBAClD,wEAAwE;gBACxE,sEAAsE;gBACtE,kDAAkD;gBAClD,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;aACrD;SACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAmC,EAAE,OAAoC;QACzF,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,MAAkC;QAC1D,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IACzF,CAAC;IAEO,KAAK,CAAC,WAAW,CACvB,MAAkC,EAClC,MAAgB,EAChB,QAAa,EACb,sBAA0C,EAC1C,GAAY;QAEZ,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC;QAClC,MAAM,YAAY,GAAG,WAAW,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE;YAC1C,SAAS,EAAE,QAAQ;YACnB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,MAAM;YACN,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,QAAQ,EAAE,GAAG;YACb,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,qBAAqB;YAChD,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,CAAC;YACvE,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,CAAC;SAClC,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC3C,SAAS,EAAE,SAAS;YACpB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,MAAM;YACN,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,QAAQ,EAAE,GAAG;YACb,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,sBAAsB;YACjD,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,CAAC;YACvE,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,CAAC;SAClC,CAAC,CAAC;QACH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,qBAAqB;YAC3C,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;IACJ,CAAC;IAEO,eAAe,CAAC,MAAqC;QAC3D,MAAM,SAAS,GAAG,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QAC5E,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,WAAW,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAiB,CAAC,QAAQ,WAAW,qBAAqB,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,CAAC,WAAW,CAAC,CAAC;IACvB,CAAC;IAEO,iBAAiB,CAAC,QAAyB;QACjD,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC;QACvC,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YAAE,OAAO,EAAE,CAAC;QACjF,MAAM,IAAI,kBAAkB,CAAC,iDAAiD,CAAC,CAAC;IAClF,CAAC;CACF;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC;SACvB,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC;SACvB,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC;SACzB,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9B,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tenancy.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/tenancy.ts"],"names":[],"mappings":"AAYA,sDAAsD;AACtD,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAKhE"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* EVO-12 P2 (mode 3, multi-tenant) — map an authenticated 39-auth `sub` to that
|
|
3
|
+
* user's own h2a root, under `<baseRoot>/tenants/<safe(sub)>`. The gateway picks
|
|
4
|
+
* the per-user root after the broker login (so the read-only surface + mirror
|
|
5
|
+
* ingester scope to one user); the single-tenant mode keeps using `baseRoot`.
|
|
6
|
+
*
|
|
7
|
+
* Pure. `safePathSegment` neutralizes path-traversal / unsafe chars in `sub`.
|
|
8
|
+
*/
|
|
9
|
+
import { join } from "node:path";
|
|
10
|
+
import { safePathSegment } from "../../local-files/index.js";
|
|
11
|
+
/** Per-tenant h2a root for an authenticated `sub`. */
|
|
12
|
+
export function rootForSub(baseRoot, sub) {
|
|
13
|
+
if (typeof sub !== "string" || sub.length === 0) {
|
|
14
|
+
throw new Error("rootForSub: empty sub");
|
|
15
|
+
}
|
|
16
|
+
return join(baseRoot, "tenants", safePathSegment(sub));
|
|
17
|
+
}
|
|
18
|
+
//# sourceMappingURL=tenancy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tenancy.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/tenancy.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAE7D,sDAAsD;AACtD,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,GAAW;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;AACzD,CAAC"}
|
|
@@ -13,6 +13,14 @@ export interface HostedEnv {
|
|
|
13
13
|
H2A_ROOT?: string;
|
|
14
14
|
PORT?: string;
|
|
15
15
|
NODE_ENV?: string;
|
|
16
|
+
H2A_BROKER_MODE?: string;
|
|
17
|
+
H2A_UPSTREAM_ISSUER?: string;
|
|
18
|
+
H2A_UPSTREAM_AUTHORIZE_URL?: string;
|
|
19
|
+
H2A_UPSTREAM_TOKEN_URL?: string;
|
|
20
|
+
H2A_UPSTREAM_CLIENT_ID?: string;
|
|
21
|
+
H2A_UPSTREAM_CLIENT_SECRET?: string;
|
|
22
|
+
H2A_UPSTREAM_REDIRECT_URI?: string;
|
|
23
|
+
H2A_UPSTREAM_SCOPES?: string;
|
|
16
24
|
}
|
|
17
25
|
export interface HostedConfig {
|
|
18
26
|
oauthConfig: H2AHostedOAuthConfig;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAGlD,OAAO,EAAE,KAAK,oBAAoB,EAAsB,MAAM,mBAAmB,CAAC;AAMlF,MAAM,WAAW,SAAS;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC,+BAA+B,CAAC,EAAE,MAAM,CAAC;IACzC,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAKD,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,oBAAoB,CAAC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,yFAAyF;AACzF,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,SAAS,GAAG,YAAY,CAuCrE;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,SAAS,CAAC;IACxB,IAAI,IAAI,IAAI,CAAC;CACd;AAED,wBAAsB,iBAAiB,CAAC,GAAG,GAAE,SAAuB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA0ClG"}
|
|
@@ -7,8 +7,11 @@ import { join } from "node:path";
|
|
|
7
7
|
import { serve } from "@hono/node-server";
|
|
8
8
|
import { createMcpServer } from "../mcp/index.js";
|
|
9
9
|
import { createHostedApp } from "./app.js";
|
|
10
|
+
import { createBrokerLogin } from "./oauth/broker-login.js";
|
|
10
11
|
import { oauthConfigFromEnv } from "./oauth/config.js";
|
|
12
|
+
import { pkceS256, randomToken } from "./oauth/crypto.js";
|
|
11
13
|
import { FileOAuthStore } from "./oauth/file-store.js";
|
|
14
|
+
import { exchangeUpstreamCode } from "./oauth/oidc-rp.js";
|
|
12
15
|
import { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
|
|
13
16
|
const DEFAULT_CLAUDE_REDIRECTS = "https://claude.ai/api/mcp/auth_callback,https://claude.com/api/mcp/auth_callback";
|
|
14
17
|
/** Pure: validate + derive the hosted config from env (defaults claude.ai redirects). */
|
|
@@ -28,7 +31,23 @@ export function buildHostedConfigFromEnv(env) {
|
|
|
28
31
|
OAUTH_ACCESS_TOKEN_TTL_SECONDS: Number(env.OAUTH_ACCESS_TOKEN_TTL_SECONDS ?? 3600),
|
|
29
32
|
OAUTH_REFRESH_TOKEN_TTL_SECONDS: Number(env.OAUTH_REFRESH_TOKEN_TTL_SECONDS ?? 1_209_600),
|
|
30
33
|
OAUTH_AUTH_CODE_TTL_SECONDS: Number(env.OAUTH_AUTH_CODE_TTL_SECONDS ?? 60),
|
|
31
|
-
NODE_ENV: env.NODE_ENV ?? "production"
|
|
34
|
+
NODE_ENV: env.NODE_ENV ?? "production",
|
|
35
|
+
// EVO-12 P2 (mode 3): broker passthrough — oauthConfigFromEnv parses these
|
|
36
|
+
// and throws if brokerMode is on but an upstream field is missing.
|
|
37
|
+
...(env.H2A_BROKER_MODE !== undefined && { H2A_BROKER_MODE: env.H2A_BROKER_MODE }),
|
|
38
|
+
...(env.H2A_UPSTREAM_ISSUER !== undefined && { H2A_UPSTREAM_ISSUER: env.H2A_UPSTREAM_ISSUER }),
|
|
39
|
+
...(env.H2A_UPSTREAM_AUTHORIZE_URL !== undefined && {
|
|
40
|
+
H2A_UPSTREAM_AUTHORIZE_URL: env.H2A_UPSTREAM_AUTHORIZE_URL
|
|
41
|
+
}),
|
|
42
|
+
...(env.H2A_UPSTREAM_TOKEN_URL !== undefined && { H2A_UPSTREAM_TOKEN_URL: env.H2A_UPSTREAM_TOKEN_URL }),
|
|
43
|
+
...(env.H2A_UPSTREAM_CLIENT_ID !== undefined && { H2A_UPSTREAM_CLIENT_ID: env.H2A_UPSTREAM_CLIENT_ID }),
|
|
44
|
+
...(env.H2A_UPSTREAM_CLIENT_SECRET !== undefined && {
|
|
45
|
+
H2A_UPSTREAM_CLIENT_SECRET: env.H2A_UPSTREAM_CLIENT_SECRET
|
|
46
|
+
}),
|
|
47
|
+
...(env.H2A_UPSTREAM_REDIRECT_URI !== undefined && {
|
|
48
|
+
H2A_UPSTREAM_REDIRECT_URI: env.H2A_UPSTREAM_REDIRECT_URI
|
|
49
|
+
}),
|
|
50
|
+
...(env.H2A_UPSTREAM_SCOPES !== undefined && { H2A_UPSTREAM_SCOPES: env.H2A_UPSTREAM_SCOPES })
|
|
32
51
|
});
|
|
33
52
|
return {
|
|
34
53
|
oauthConfig,
|
|
@@ -43,7 +62,32 @@ export async function startHostedServer(env = process.env) {
|
|
|
43
62
|
await store.load();
|
|
44
63
|
const oauthProvider = new SingleTenantOAuthProvider({ store, ...cfg.oauthConfig });
|
|
45
64
|
const h2aMcpServer = createMcpServer({ root: cfg.root });
|
|
46
|
-
|
|
65
|
+
// EVO-12 P2 (mode 3, multi-tenant gateway): when broker mode is configured,
|
|
66
|
+
// delegate user login to 39-auth and serve each user their own root.
|
|
67
|
+
let brokerLogin;
|
|
68
|
+
let tenancy;
|
|
69
|
+
if (cfg.oauthConfig.brokerMode && cfg.oauthConfig.upstream) {
|
|
70
|
+
const upstream = cfg.oauthConfig.upstream;
|
|
71
|
+
const upstreamFetch = async (url, init) => {
|
|
72
|
+
const res = await fetch(url, init);
|
|
73
|
+
return { ok: res.ok, status: res.status, json: () => res.json() };
|
|
74
|
+
};
|
|
75
|
+
brokerLogin = createBrokerLogin({
|
|
76
|
+
config: upstream,
|
|
77
|
+
exchange: (code, codeVerifier) => exchangeUpstreamCode(upstream, { code, codeVerifier }, upstreamFetch),
|
|
78
|
+
baseRoot: cfg.root,
|
|
79
|
+
randomState: () => randomToken(),
|
|
80
|
+
pkce: pkceS256
|
|
81
|
+
});
|
|
82
|
+
tenancy = { baseRoot: cfg.root, createServer: (root) => createMcpServer({ root }) };
|
|
83
|
+
}
|
|
84
|
+
const app = createHostedApp({
|
|
85
|
+
oauthProvider,
|
|
86
|
+
oauthConfig: cfg.oauthConfig,
|
|
87
|
+
h2aMcpServer,
|
|
88
|
+
...(brokerLogin && { brokerLogin }),
|
|
89
|
+
...(tenancy && { tenancy })
|
|
90
|
+
});
|
|
47
91
|
const server = serve({ fetch: app.fetch, port: cfg.port });
|
|
48
92
|
return {
|
|
49
93
|
port: cfg.port,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,OAAO,EAAE,eAAe,
|
|
1
|
+
{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,OAAO,EAAE,eAAe,EAAsB,MAAM,UAAU,CAAC;AAC/D,OAAO,EAAoB,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC9E,OAAO,EAA6B,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAsB,MAAM,oBAAoB,CAAC;AAC9E,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AA0B9E,MAAM,wBAAwB,GAC5B,kFAAkF,CAAC;AASrF,yFAAyF;AACzF,MAAM,UAAU,wBAAwB,CAAC,GAAc;IACrD,MAAM,aAAa,GAAG,GAAG,CAAC,eAAe,CAAC;IAC1C,IAAI,CAAC,aAAa;QAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,kBAAkB,CAAC;QACrC,eAAe,EAAE,aAAa;QAC9B,gBAAgB,EAAE,GAAG,CAAC,gBAAgB,IAAI,aAAa;QACvD,2BAA2B,EAAE,GAAG,CAAC,2BAA2B,IAAI,wBAAwB;QACxF,GAAG,CAAC,GAAG,CAAC,oBAAoB,KAAK,SAAS,IAAI,EAAE,oBAAoB,EAAE,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACjG,GAAG,CAAC,GAAG,CAAC,6BAA6B,KAAK,SAAS,IAAI;YACrD,6BAA6B,EAAE,GAAG,CAAC,6BAA6B;SACjE,CAAC;QACF,8BAA8B,EAAE,MAAM,CAAC,GAAG,CAAC,8BAA8B,IAAI,IAAI,CAAC;QAClF,+BAA+B,EAAE,MAAM,CAAC,GAAG,CAAC,+BAA+B,IAAI,SAAS,CAAC;QACzF,2BAA2B,EAAE,MAAM,CAAC,GAAG,CAAC,2BAA2B,IAAI,EAAE,CAAC;QAC1E,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,YAAY;QACtC,2EAA2E;QAC3E,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,EAAE,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC;QAClF,GAAG,CAAC,GAAG,CAAC,mBAAmB,KAAK,SAAS,IAAI,EAAE,mBAAmB,EAAE,GAAG,CAAC,mBAAmB,EAAE,CAAC;QAC9F,GAAG,CAAC,GAAG,CAAC,0BAA0B,KAAK,SAAS,IAAI;YAClD,0BAA0B,EAAE,GAAG,CAAC,0BAA0B;SAC3D,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,EAAE,CAAC;QACvG,GAAG,CAAC,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,EAAE,CAAC;QACvG,GAAG,CAAC,GAAG,CAAC,0BAA0B,KAAK,SAAS,IAAI;YAClD,0BAA0B,EAAE,GAAG,CAAC,0BAA0B;SAC3D,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,yBAAyB,KAAK,SAAS,IAAI;YACjD,yBAAyB,EAAE,GAAG,CAAC,yBAAyB;SACzD,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,mBAAmB,KAAK,SAAS,IAAI,EAAE,mBAAmB,EAAE,GAAG,CAAC,mBAAmB,EAAE,CAAC;KAC/F,CAAC,CAAC;IACH,OAAO;QACL,WAAW;QACX,SAAS,EAAE,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,IAAI,EAAE,oBAAoB,CAAC;QACnE,IAAI;QACJ,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;KAC/B,CAAC;AACJ,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAiB,OAAO,CAAC,GAAG;IAClE,MAAM,GAAG,GAAG,wBAAwB,CAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnB,MAAM,aAAa,GAAG,IAAI,yBAAyB,CAAC,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,eAAe,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAEzD,4EAA4E;IAC5E,qEAAqE;IACrE,IAAI,WAAoC,CAAC;IACzC,IAAI,OAA6C,CAAC;IAClD,IAAI,GAAG,CAAC,WAAW,CAAC,UAAU,IAAI,GAAG,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC3D,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC;QAC1C,MAAM,aAAa,GAAkB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACvD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACnC,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QACpE,CAAC,CAAC;QACF,WAAW,GAAG,iBAAiB,CAAC;YAC9B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,CAAC,IAAI,EAAE,YAAY,EAAE,EAAE,CAAC,oBAAoB,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,aAAa,CAAC;YACvG,QAAQ,EAAE,GAAG,CAAC,IAAI;YAClB,WAAW,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE;YAChC,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QACH,OAAO,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACtF,CAAC;IAED,MAAM,GAAG,GAAG,eAAe,CAAC;QAC1B,aAAa;QACb,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,YAAY;QACZ,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,CAAC;QACnC,GAAG,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,CAAC;KAC5B,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,YAAY;QACZ,IAAI,EAAE,GAAG,EAAE;YACR,MAAiC,CAAC,KAAK,EAAE,EAAE,CAAC;QAC/C,CAAC;KACF,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sentropic/h2a-cli",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.39.0",
|
|
4
4
|
"description": "Unified CLI surface for h2a hosts and MCP-oriented coordination flows.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"type": "module",
|
|
@@ -43,7 +43,7 @@
|
|
|
43
43
|
"@hono/mcp": "^0.3.0",
|
|
44
44
|
"@hono/node-server": "^2.0.4",
|
|
45
45
|
"@modelcontextprotocol/sdk": "^1.29.0",
|
|
46
|
-
"@sentropic/h2a": "^0.
|
|
46
|
+
"@sentropic/h2a": "^0.39.0",
|
|
47
47
|
"hono": "^4.12.23"
|
|
48
48
|
},
|
|
49
49
|
"publishConfig": {
|