@shin1ohno/sage 0.3.0 → 0.5.5

package/dist/oauth/refresh-token-store.d.ts

@@ -0,0 +1,45 @@
+/**
+ * OAuth Refresh Token Store
+ * Requirements: 21.6, 26.3, 26.8
+ *
+ * Manages refresh token generation, storage, validation, and rotation.
+ */
+import { RefreshToken } from './types.js';
+/**
+ * Configuration for Refresh Token Store
+ */
+export interface RefreshTokenStoreConfig {
+    expirySeconds: number;
+}
+/**
+ * Options for generating a refresh token
+ */
+export interface GenerateRefreshTokenOptions {
+    clientId: string;
+    userId: string;
+    scope: string;
+}
+/**
+ * Result of validating a refresh token
+ */
+export interface RefreshTokenValidationResult {
+    valid: boolean;
+    tokenData?: RefreshToken;
+    error?: string;
+}
+/**
+ * Refresh Token Store Interface
+ */
+export interface RefreshTokenStore {
+    generateToken(options: GenerateRefreshTokenOptions): Promise<string>;
+    validateToken(token: string, clientId: string): Promise<RefreshTokenValidationResult>;
+    rotateToken(token: string, clientId: string): Promise<string | null>;
+    revokeToken(token: string): Promise<void>;
+    revokeAllForClient(clientId: string): Promise<void>;
+    cleanup(): Promise<number>;
+}
+/**
+ * Create a Refresh Token Store instance
+ */
+export declare function createRefreshTokenStore(config: RefreshTokenStoreConfig): RefreshTokenStore;
+//# sourceMappingURL=refresh-token-store.d.ts.map

package/dist/oauth/refresh-token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token-store.d.ts","sourceRoot":"","sources":["../../src/oauth/refresh-token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,CAAC,EAAE,YAAY,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACrE,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,4BAA4B,CAAC,CAAC;IACtF,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACrE,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5B;AA6GD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,iBAAiB,CAE1F"}

package/dist/oauth/refresh-token-store.js

@@ -0,0 +1,98 @@
+/**
+ * OAuth Refresh Token Store
+ * Requirements: 21.6, 26.3, 26.8
+ *
+ * Manages refresh token generation, storage, validation, and rotation.
+ */
+import { randomBytes } from 'crypto';
+/**
+ * In-memory Refresh Token Store Implementation
+ */
+class InMemoryRefreshTokenStore {
+    tokens = new Map();
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async generateToken(options) {
+        // Generate secure random token
+        const token = randomBytes(32).toString('base64url');
+        const now = Date.now();
+        const expiresAt = now + this.config.expirySeconds * 1000;
+        const tokenData = {
+            token,
+            client_id: options.clientId,
+            user_id: options.userId,
+            scope: options.scope,
+            created_at: now,
+            expires_at: expiresAt,
+            rotated: false,
+        };
+        this.tokens.set(token, tokenData);
+        return token;
+    }
+    async validateToken(token, clientId) {
+        const tokenData = this.tokens.get(token);
+        if (!tokenData) {
+            return { valid: false, error: 'invalid_grant' };
+        }
+        // Check if token has been rotated
+        if (tokenData.rotated) {
+            return { valid: false, error: 'invalid_grant' };
+        }
+        // Check if token has expired
+        if (Date.now() > tokenData.expires_at) {
+            this.tokens.delete(token);
+            return { valid: false, error: 'invalid_grant' };
+        }
+        // Verify client_id matches
+        if (tokenData.client_id !== clientId) {
+            return { valid: false, error: 'invalid_grant' };
+        }
+        return { valid: true, tokenData };
+    }
+    async rotateToken(token, clientId) {
+        const validationResult = await this.validateToken(token, clientId);
+        if (!validationResult.valid || !validationResult.tokenData) {
+            return null;
+        }
+        // Mark old token as rotated (Requirement 26.8)
+        const oldTokenData = this.tokens.get(token);
+        oldTokenData.rotated = true;
+        // Generate new token with same scope
+        const newToken = await this.generateToken({
+            clientId: validationResult.tokenData.client_id,
+            userId: validationResult.tokenData.user_id,
+            scope: validationResult.tokenData.scope,
+        });
+        return newToken;
+    }
+    async revokeToken(token) {
+        this.tokens.delete(token);
+    }
+    async revokeAllForClient(clientId) {
+        for (const [token, data] of this.tokens.entries()) {
+            if (data.client_id === clientId) {
+                this.tokens.delete(token);
+            }
+        }
+    }
+    async cleanup() {
+        const now = Date.now();
+        let cleanedCount = 0;
+        for (const [token, data] of this.tokens.entries()) {
+            if (data.expires_at < now || data.rotated) {
+                this.tokens.delete(token);
+                cleanedCount++;
+            }
+        }
+        return cleanedCount;
+    }
+}
+/**
+ * Create a Refresh Token Store instance
+ */
+export function createRefreshTokenStore(config) {
+    return new InMemoryRefreshTokenStore(config);
+}
+//# sourceMappingURL=refresh-token-store.js.map

package/dist/oauth/refresh-token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token-store.js","sourceRoot":"","sources":["../../src/oauth/refresh-token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAwCrC;;GAEG;AACH,MAAM,yBAAyB;IACrB,MAAM,GAA8B,IAAI,GAAG,EAAE,CAAC;IAC9C,MAAM,CAA0B;IAExC,YAAY,MAA+B;QACzC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAoC;QACtD,+BAA+B;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;QAEzD,MAAM,SAAS,GAAiB;YAC9B,KAAK;YACL,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,OAAO,EAAE,OAAO,CAAC,MAAM;YACvB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,UAAU,EAAE,GAAG;YACf,UAAU,EAAE,SAAS;YACrB,OAAO,EAAE,KAAK;SACf,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAElC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa,EAAE,QAAgB;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEzC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,kCAAkC;QAClC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,2BAA2B;QAC3B,IAAI,SAAS,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,QAAgB;QAC/C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEnE,IAAI,CAAC,gBAAgB,CAAC,KAAK,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+CAA+C;QAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAE,CAAC;QAC7C,YAAY,CAAC,OAAO,GAAG,IAAI,CAAC;QAE5B,qCAAqC;QACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC;YACxC,QAAQ,EAAE,gBAAgB,CAAC,SAAS,CAAC,SAAS;YAC9C,MAAM,EAAE,gBAAgB,CAAC,SAAS,CAAC,OAAO;YAC1C,KAAK,EAAE,gBAAgB,CAAC,SAAS,CAAC,KAAK;SACxC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB;QACvC,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC1B,YAAY,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAA+B;IACrE,OAAO,IAAI,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC/C,CAAC"}

package/dist/oauth/token-service.d.ts

@@ -0,0 +1,46 @@
+/**
+ * OAuth Token Service
+ * Requirements: 21.4, 21.5, 26.6, 26.7, 27.1-27.5
+ *
+ * Implements JWT access token generation and verification using RS256 signing.
+ */
+import { TokenResponse, VerifyTokenResult } from './types.js';
+/**
+ * Token Service Configuration
+ */
+export interface TokenServiceConfig {
+    issuer: string;
+    privateKey: string;
+    publicKey: string;
+    accessTokenExpiry: string;
+}
+/**
+ * Access Token Generation Options
+ */
+export interface GenerateAccessTokenOptions {
+    clientId: string;
+    userId: string;
+    scope: string;
+    audience: string;
+}
+/**
+ * Token Service Interface
+ */
+export interface TokenService {
+    generateAccessToken(options: GenerateAccessTokenOptions): Promise<TokenResponse>;
+    verifyAccessToken(token: string, expectedAudience?: string): Promise<VerifyTokenResult>;
+    extractTokenFromHeader(header: string | undefined): string | null;
+}
+/**
+ * Create a Token Service instance
+ */
+export declare function createTokenService(config: TokenServiceConfig): TokenService;
+/**
+ * Generate RSA key pair for JWT signing
+ * Requirement: RS256 signing
+ */
+export declare function generateKeyPair(): Promise<{
+    privateKey: string;
+    publicKey: string;
+}>;
+//# sourceMappingURL=token-service.d.ts.map

package/dist/oauth/token-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.d.ts","sourceRoot":"","sources":["../../src/oauth/token-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAqB,aAAa,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEjF;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,mBAAmB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACjF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACxF,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAAC;CACnE;AAgND;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CAE3E;AAED;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAc1F"}

package/dist/oauth/token-service.js

@@ -0,0 +1,199 @@
+/**
+ * OAuth Token Service
+ * Requirements: 21.4, 21.5, 26.6, 26.7, 27.1-27.5
+ *
+ * Implements JWT access token generation and verification using RS256 signing.
+ */
+import { createSign, createVerify, generateKeyPairSync, randomUUID } from 'crypto';
+/**
+ * Parse duration string to seconds
+ * Supports: s (seconds), m (minutes), h (hours), d (days), w (weeks)
+ */
+function parseDuration(duration) {
+    const match = duration.match(/^(\d+)([smhdw])$/);
+    if (!match) {
+        throw new Error(`Invalid duration format: ${duration}`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    switch (unit) {
+        case 's':
+            return value;
+        case 'm':
+            return value * 60;
+        case 'h':
+            return value * 3600;
+        case 'd':
+            return value * 86400;
+        case 'w':
+            return value * 604800;
+        default:
+            throw new Error(`Unknown duration unit: ${unit}`);
+    }
+}
+/**
+ * Base64URL encode a string
+ */
+function base64UrlEncode(data) {
+    const base64 = typeof data === 'string' ? Buffer.from(data).toString('base64') : data.toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+/**
+ * Base64URL decode a string
+ */
+function base64UrlDecode(data) {
+    // Add padding if needed
+    const padding = 4 - (data.length % 4);
+    const padded = padding < 4 ? data + '='.repeat(padding) : data;
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    return Buffer.from(base64, 'base64');
+}
+/**
+ * Create JWT token using RS256
+ */
+function createJWT(payload, privateKey) {
+    // Header
+    const header = {
+        alg: 'RS256',
+        typ: 'JWT',
+    };
+    // Encode header and payload
+    const encodedHeader = base64UrlEncode(JSON.stringify(header));
+    const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+    // Create signature input
+    const signatureInput = `${encodedHeader}.${encodedPayload}`;
+    // Sign using RS256
+    const sign = createSign('RSA-SHA256');
+    sign.update(signatureInput);
+    const signature = sign.sign(privateKey);
+    // Encode signature
+    const encodedSignature = base64UrlEncode(signature);
+    return `${signatureInput}.${encodedSignature}`;
+}
+/**
+ * Verify JWT token using RS256
+ */
+function verifyJWT(token, publicKey) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        return { valid: false, error: 'Invalid token format' };
+    }
+    const [encodedHeader, encodedPayload, encodedSignature] = parts;
+    try {
+        // Decode and verify header
+        const header = JSON.parse(base64UrlDecode(encodedHeader).toString());
+        if (header.alg !== 'RS256') {
+            return { valid: false, error: 'Invalid algorithm' };
+        }
+        // Verify signature
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const signature = base64UrlDecode(encodedSignature);
+        const verify = createVerify('RSA-SHA256');
+        verify.update(signatureInput);
+        const isValid = verify.verify(publicKey, signature);
+        if (!isValid) {
+            return { valid: false, error: 'Invalid signature' };
+        }
+        // Decode payload
+        const payload = JSON.parse(base64UrlDecode(encodedPayload).toString());
+        return { valid: true, payload };
+    }
+    catch (error) {
+        return { valid: false, error: error instanceof Error ? error.message : 'Token verification failed' };
+    }
+}
+/**
+ * Token Service Implementation
+ */
+class TokenServiceImpl {
+    config;
+    expirySeconds;
+    constructor(config) {
+        this.config = config;
+        this.expirySeconds = parseDuration(config.accessTokenExpiry);
+    }
+    async generateAccessToken(options) {
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + this.expirySeconds;
+        const claims = {
+            iss: this.config.issuer,
+            sub: options.userId,
+            aud: options.audience,
+            exp,
+            iat: now,
+            jti: randomUUID(),
+            client_id: options.clientId,
+            scope: options.scope,
+        };
+        const accessToken = createJWT(claims, this.config.privateKey);
+        return {
+            access_token: accessToken,
+            token_type: 'Bearer',
+            expires_in: this.expirySeconds,
+            scope: options.scope,
+        };
+    }
+    async verifyAccessToken(token, expectedAudience) {
+        const result = verifyJWT(token, this.config.publicKey);
+        if (!result.valid) {
+            return { valid: false, error: result.error };
+        }
+        const payload = result.payload;
+        // Verify issuer
+        if (payload.iss !== this.config.issuer) {
+            return { valid: false, error: 'Invalid issuer' };
+        }
+        // Verify expiration
+        const now = Math.floor(Date.now() / 1000);
+        if (payload.exp < now) {
+            return { valid: false, error: 'Token expired' };
+        }
+        // Verify audience if specified
+        if (expectedAudience && payload.aud !== expectedAudience) {
+            return { valid: false, error: 'Invalid audience' };
+        }
+        return { valid: true, claims: payload };
+    }
+    extractTokenFromHeader(header) {
+        if (!header) {
+            return null;
+        }
+        const parts = header.split(' ');
+        if (parts.length !== 2) {
+            return null;
+        }
+        if (parts[0].toLowerCase() !== 'bearer') {
+            return null;
+        }
+        const token = parts[1];
+        if (!token || token.trim() === '') {
+            return null;
+        }
+        return token;
+    }
+}
+/**
+ * Create a Token Service instance
+ */
+export function createTokenService(config) {
+    return new TokenServiceImpl(config);
+}
+/**
+ * Generate RSA key pair for JWT signing
+ * Requirement: RS256 signing
+ */
+export async function generateKeyPair() {
+    const { privateKey, publicKey } = generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: {
+            type: 'spki',
+            format: 'pem',
+        },
+        privateKeyEncoding: {
+            type: 'pkcs8',
+            format: 'pem',
+        },
+    });
+    return { privateKey, publicKey };
+}
+//# sourceMappingURL=token-service.js.map

package/dist/oauth/token-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.js","sourceRoot":"","sources":["../../src/oauth/token-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,mBAAmB,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAgCnF;;;GAGG;AACH,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,IAAI,CAAC;QACtB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,KAAK,CAAC;QACvB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,MAAM,CAAC;QACxB;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,MAAM,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzG,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,wBAAwB;IACxB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,OAAgC,EAAE,UAAkB;IACrE,SAAS;IACT,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,4BAA4B;IAC5B,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAEhE,yBAAyB;IACzB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE5D,mBAAmB;IACnB,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAExC,mBAAmB;IACnB,MAAM,gBAAgB,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAEpD,OAAO,GAAG,cAAc,IAAI,gBAAgB,EAAE,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAChB,KAAa,EACb,SAAiB;IAEjB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,gBAAgB,CAAC,GAAG,KAAK,CAAC;IAEhE,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACrE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;QAEpD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEvE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,EAAE,CAAC;IACvG,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,gBAAgB;IACZ,MAAM,CAAqB;IAC3B,aAAa,CAAS;IAE9B,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAmC;QAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC;QAErC,MAAM,MAAM,GAAsB;YAChC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,OAAO,CAAC,QAAQ;YACrB,GAAG;YACH,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,UAAU,EAAE;YACjB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QAEF,MAAM,WAAW,GAAG,SAAS,CAAC,MAA4C,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEpG,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,aAAa;YAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,gBAAyB;QAC9D,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEvD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;QAC/C,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAuC,CAAC;QAE/D,gBAAgB;QAChB,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;QACnD,CAAC;QAED,oBAAoB;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,+BAA+B;QAC/B,IAAI,gBAAgB,IAAI,OAAO,CAAC,GAAG,KAAK,gBAAgB,EAAE,CAAC;YACzD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC1C,CAAC;IAED,sBAAsB,CAAC,MAA0B;QAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAA0B;IAC3D,OAAO,IAAI,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC"}

package/dist/oauth/types.d.ts

@@ -0,0 +1,269 @@
+/**
+ * OAuth 2.1 Type Definitions
+ * Requirements: 21.1-21.6, 22.1-22.5, 23.1-23.9, 24.1-24.8, 25.1-25.10, 26.1-26.9
+ *
+ * Type definitions for OAuth 2.1 implementation based on:
+ * - OAuth 2.1 (draft-ietf-oauth-v2-1-13)
+ * - RFC 8414 (Authorization Server Metadata)
+ * - RFC 7591 (Dynamic Client Registration)
+ * - RFC 9728 (Protected Resource Metadata)
+ * - RFC 8707 (Resource Indicators)
+ * - RFC 7636 (PKCE)
+ */
+/**
+ * Supported OAuth scopes
+ * Requirement 22.2
+ */
+export type OAuthScope = 'mcp:read' | 'mcp:write' | 'mcp:admin';
+/**
+ * Supported response types
+ * Requirement 23.6
+ */
+export type ResponseType = 'code';
+/**
+ * Supported grant types
+ * Requirement 23.7
+ */
+export type GrantType = 'authorization_code' | 'refresh_token';
+/**
+ * Supported code challenge methods
+ * Requirement 21.2, 23.8
+ */
+export type CodeChallengeMethod = 'S256';
+/**
+ * Supported token endpoint auth methods
+ * Requirement 23.9
+ */
+export type TokenEndpointAuthMethod = 'none' | 'client_secret_post';
+/**
+ * OAuth Client Registration Request (RFC 7591)
+ * Requirement 24.1-24.7
+ */
+export interface ClientRegistrationRequest {
+    client_name: string;
+    redirect_uris: string[];
+    response_types?: ResponseType[];
+    grant_types?: GrantType[];
+    token_endpoint_auth_method?: TokenEndpointAuthMethod;
+    scope?: string;
+    contacts?: string[];
+    logo_uri?: string;
+    client_uri?: string;
+    policy_uri?: string;
+    tos_uri?: string;
+}
+/**
+ * OAuth Client Metadata (RFC 7591)
+ * Requirement 24.6
+ */
+export interface OAuthClient {
+    client_id: string;
+    client_name: string;
+    redirect_uris: string[];
+    response_types: ResponseType[];
+    grant_types: GrantType[];
+    token_endpoint_auth_method: TokenEndpointAuthMethod;
+    client_id_issued_at: number;
+    client_secret?: string;
+    client_secret_expires_at?: number;
+    scope?: string;
+}
+/**
+ * Authorization Request Parameters
+ * Requirement 25.1-25.10
+ */
+export interface AuthorizationRequest {
+    response_type: ResponseType;
+    client_id: string;
+    redirect_uri: string;
+    scope?: string;
+    state: string;
+    code_challenge: string;
+    code_challenge_method: CodeChallengeMethod;
+    resource?: string;
+}
+/**
+ * Authorization Code Data (internal)
+ * Requirement 25.9, 25.10
+ */
+export interface AuthorizationCode {
+    code: string;
+    client_id: string;
+    redirect_uri: string;
+    scope: string;
+    code_challenge: string;
+    code_challenge_method: CodeChallengeMethod;
+    resource?: string;
+    user_id: string;
+    created_at: number;
+    expires_at: number;
+    used: boolean;
+}
+/**
+ * Token Request for authorization_code grant
+ * Requirement 26.1-26.5
+ */
+export interface TokenRequestAuthorizationCode {
+    grant_type: 'authorization_code';
+    code: string;
+    client_id: string;
+    redirect_uri: string;
+    code_verifier: string;
+    resource?: string;
+}
+/**
+ * Token Request for refresh_token grant
+ * Requirement 26.3
+ */
+export interface TokenRequestRefreshToken {
+    grant_type: 'refresh_token';
+    refresh_token: string;
+    client_id: string;
+    scope?: string;
+}
+/**
+ * Token Request (union type)
+ */
+export type TokenRequest = TokenRequestAuthorizationCode | TokenRequestRefreshToken;
+/**
+ * Token Response
+ * Requirement 26.7
+ */
+export interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+    scope?: string;
+}
+/**
+ * Access Token Claims (JWT payload)
+ * Requirement 26.6, 27.4
+ */
+export interface AccessTokenClaims {
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    jti: string;
+    client_id: string;
+    scope: string;
+}
+/**
+ * Refresh Token Data (internal)
+ * Requirement 21.6, 26.8
+ */
+export interface RefreshToken {
+    token: string;
+    client_id: string;
+    user_id: string;
+    scope: string;
+    created_at: number;
+    expires_at: number;
+    rotated: boolean;
+}
+/**
+ * Protected Resource Metadata (RFC 9728)
+ * Requirement 22.1-22.3
+ */
+export interface ProtectedResourceMetadata {
+    resource: string;
+    authorization_servers: string[];
+    scopes_supported?: string[];
+    bearer_methods_supported?: string[];
+}
+/**
+ * Authorization Server Metadata (RFC 8414)
+ * Requirement 23.1-23.9
+ */
+export interface AuthorizationServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    registration_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: ResponseType[];
+    response_modes_supported?: string[];
+    grant_types_supported: GrantType[];
+    token_endpoint_auth_methods_supported: TokenEndpointAuthMethod[];
+    code_challenge_methods_supported: CodeChallengeMethod[];
+    service_documentation?: string;
+}
+/**
+ * OAuth Error Response
+ */
+export interface OAuthError {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+    state?: string;
+}
+/**
+ * OAuth Error Codes
+ */
+export type OAuthErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_client' | 'invalid_grant' | 'unsupported_grant_type' | 'invalid_token' | 'insufficient_scope';
+/**
+ * User for authentication
+ * Requirement 29.1-29.4
+ */
+export interface OAuthUser {
+    id: string;
+    username: string;
+    passwordHash: string;
+    createdAt: number;
+}
+/**
+ * User Session
+ */
+export interface UserSession {
+    sessionId: string;
+    userId: string;
+    createdAt: number;
+    expiresAt: number;
+}
+/**
+ * OAuth Configuration
+ */
+export interface OAuthConfig {
+    issuer: string;
+    accessTokenExpiry: string;
+    refreshTokenExpiry: string;
+    authorizationCodeExpiry: string;
+    allowedRedirectUris: string[];
+    scopes: Record<OAuthScope, string>;
+    users: OAuthUser[];
+    privateKey?: string;
+    publicKey?: string;
+}
+/**
+ * Scope definitions with descriptions
+ */
+export declare const SCOPE_DEFINITIONS: Record<OAuthScope, string>;
+/**
+ * Claude official callback URLs
+ * Requirement 24.4, 24.5, 31.1, 31.2
+ */
+export declare const CLAUDE_CALLBACK_URLS: string[];
+/**
+ * Check if a redirect URI is a localhost callback (for CLI tools like Claude Code)
+ * Localhost callbacks are allowed on any port for local development/CLI usage
+ */
+export declare function isLocalhostCallback(uri: string): boolean;
+/**
+ * Default token expiry durations
+ */
+export declare const DEFAULT_TOKEN_EXPIRY: {
+    accessToken: string;
+    refreshToken: string;
+    authorizationCode: string;
+};
+/**
+ * Verify Token Result
+ */
+export interface VerifyTokenResult {
+    valid: boolean;
+    claims?: AccessTokenClaims;
+    error?: string;
+}
+//# sourceMappingURL=types.d.ts.map