@silkweave/auth 1.3.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -10,9 +10,9 @@
10
10
  CLI Target: node18
11
11
  CLI Cleaning output folder
12
12
  ESM Build start
13
- ESM build/index.js 25.84 KB
14
- ESM build/index.js.map 46.97 KB
13
+ ESM build/index.js 25.86 KB
14
+ ESM build/index.js.map 46.99 KB
15
15
  ESM ⚡️ Build success in 9ms
16
16
  DTS Build start
17
- DTS ⚡️ Build success in 447ms
17
+ DTS ⚡️ Build success in 455ms
18
18
  DTS build/index.d.ts 5.81 KB
@@ -1,13 +1,16 @@
1
-
2
- 
3
- > @silkweave/auth@1.3.0 check /Users/atomic/projects/ai/silkweave/packages/auth
4
- > pnpm lint && pnpm typecheck
5
-
6
-
7
- > @silkweave/auth@1.3.0 lint /Users/atomic/projects/ai/silkweave/packages/auth
8
- > eslint
9
-
10
-
11
- > @silkweave/auth@1.3.0 typecheck /Users/atomic/projects/ai/silkweave/packages/auth
12
- > tsc --noEmit
13
-
1
+
2
+ > @silkweave/auth@1.3.0 check /Users/atomic/projects/ai/silkweave/packages/auth
3
+ > pnpm lint && pnpm typecheck
4
+
5
+
6
+ > @silkweave/auth@1.3.0 lint /Users/atomic/projects/ai/silkweave/packages/auth
7
+ > eslint
8
+
9
+
10
+ > @silkweave/auth@1.3.0 typecheck /Users/atomic/projects/ai/silkweave/packages/auth
11
+ > tsc --noEmit
12
+
13
+  ELIFECYCLE  Command failed.
14
+  WARN  Local package.json exists, but node_modules missing, did you mean to install?
15
+  ELIFECYCLE  Command failed.
16
+  WARN  Local package.json exists, but node_modules missing, did you mean to install?
@@ -1,26 +1,26 @@
1
1
 
2
2
  
3
- > @silkweave/auth@1.3.0 prepack /Users/atomic/projects/ai/mcphero/packages/auth
3
+ > @silkweave/auth@1.3.0 prepack /Users/atomic/projects/ai/silkweave/packages/auth
4
4
  > pnpm clean && pnpm build
5
5
 
6
6
 
7
- > @silkweave/auth@1.3.0 clean /Users/atomic/projects/ai/mcphero/packages/auth
7
+ > @silkweave/auth@1.3.0 clean /Users/atomic/projects/ai/silkweave/packages/auth
8
8
  > rimraf build
9
9
 
10
10
 
11
- > @silkweave/auth@1.3.0 build /Users/atomic/projects/ai/mcphero/packages/auth
11
+ > @silkweave/auth@1.3.0 build /Users/atomic/projects/ai/silkweave/packages/auth
12
12
  > tsup
13
13
 
14
14
  CLI Building entry: src/index.ts
15
15
  CLI Using tsconfig: tsconfig.json
16
16
  CLI tsup v8.5.1
17
- CLI Using tsup config: /Users/atomic/projects/ai/mcphero/packages/auth/tsup.config.ts
17
+ CLI Using tsup config: /Users/atomic/projects/ai/silkweave/packages/auth/tsup.config.ts
18
18
  CLI Target: node18
19
19
  CLI Cleaning output folder
20
20
  ESM Build start
21
- ESM build/index.js 25.84 KB
22
- ESM build/index.js.map 46.97 KB
23
- ESM ⚡️ Build success in 10ms
21
+ ESM build/index.js 25.86 KB
22
+ ESM build/index.js.map 46.99 KB
23
+ ESM ⚡️ Build success in 9ms
24
24
  DTS Build start
25
- DTS ⚡️ Build success in 434ms
25
+ DTS ⚡️ Build success in 471ms
26
26
  DTS build/index.d.ts 5.81 KB
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # @silkweave/auth
2
2
 
3
- OAuth 2.1 authentication for [Silkweave](https://github.com/atomicbi/silkweave) MCP servers. Acts as an OAuth proxy between MCP clients and upstream identity providers (Google, etc.), handling PKCE, refresh tokens, dynamic client registration (CIMD), and protected resource metadata (RFC 9728).
3
+ OAuth 2.1 authentication for [Silkweave](https://github.com/silkweave/silkweave) MCP servers. Acts as an OAuth proxy between MCP clients and upstream identity providers (Google, etc.), handling PKCE, refresh tokens, dynamic client registration (CIMD), and protected resource metadata (RFC 9728).
4
4
 
5
5
  Standalone package -- only depends on `jose` for JWT signing/verification.
6
6
 
@@ -240,6 +240,6 @@ The proxy also supports:
240
240
 
241
241
  ## See Also
242
242
 
243
- - [Silkweave README](https://github.com/atomicbi/silkweave) -- Full documentation
243
+ - [Silkweave README](https://github.com/silkweave/silkweave) -- Full documentation
244
244
  - [`@silkweave/core`](https://www.npmjs.com/package/@silkweave/core) -- Core library
245
245
  - [`@silkweave/mcp`](https://www.npmjs.com/package/@silkweave/mcp) -- MCP stdio and HTTP adapters
package/build/index.js CHANGED
@@ -6,6 +6,8 @@ var AuthError = class extends Error {
6
6
  this.statusCode = statusCode;
7
7
  this.name = "AuthError";
8
8
  }
9
+ code;
10
+ statusCode;
9
11
  };
10
12
  function invalidToken(message = "Invalid token") {
11
13
  return new AuthError(message, "invalid_token", 401);
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/errors.ts","../src/extract.ts","../src/metadata.ts","../src/store/memory-store.ts","../src/provider/proxy.ts","../src/provider/uri.ts","../src/provider/google.ts","../src/store/json-store.ts","../src/store/redis-store.ts","../src/validate.ts"],"sourcesContent":["export class AuthError extends Error {\n constructor(\n message: string,\n public readonly code: string,\n public readonly statusCode = 401\n ) {\n super(message)\n this.name = 'AuthError'\n }\n}\n\nexport function invalidToken(message = 'Invalid token') {\n return new AuthError(message, 'invalid_token', 401)\n}\n\nexport function insufficientScope(message = 'Insufficient scope') {\n return new AuthError(message, 'insufficient_scope', 403)\n}\n\nexport function missingToken(message = 'No authorization provided') {\n return new AuthError(message, 'missing_token', 401)\n}\n","export function extractBearerToken(header: string | null | undefined): string | null {\n if (!header) { return null }\n const match = /^Bearer\\s+(.+)$/i.exec(header)\n return match?.[1] ?? null\n}\n\nexport function buildWWWAuthenticate(\n error?: string,\n description?: string,\n resourceMetadataUrl?: string\n): string {\n const parts: string[] = []\n if (error) {\n parts.push(`error=\"${error}\"`)\n }\n if (description) {\n parts.push(`error_description=\"${description}\"`)\n }\n if (resourceMetadataUrl) {\n parts.push(`resource_metadata=\"${resourceMetadataUrl}\"`)\n }\n return parts.length > 0 ? `Bearer ${parts.join(', ')}` : 'Bearer'\n}\n","export interface ProtectedResourceMetadata {\n resource: string\n authorization_servers: string[]\n scopes_supported?: string[]\n bearer_methods_supported?: string[]\n}\n\nexport function generateProtectedResourceMetadata(\n resourceUrl: string,\n authorizationServers: string[]\n): ProtectedResourceMetadata {\n return {\n resource: resourceUrl,\n authorization_servers: authorizationServers,\n bearer_methods_supported: ['header']\n }\n}\n","import { AuthCodeData, ClientRegistration, OAuthStore, PendingAuthData, RefreshTokenData } from '../provider/store.js'\n\nfunction withTtl<T extends { expiresAt: number }>(map: Map<string, T>, key: string): T | undefined {\n const item = map.get(key)\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n map.delete(key)\n return undefined\n }\n return item\n}\n\nexport function createMemoryStore(): OAuthStore {\n const authCodes = new Map<string, AuthCodeData>()\n const pendingAuths = new Map<string, PendingAuthData>()\n const pkceVerifiers = new Map<string, { verifier: string; expiresAt: number }>()\n const clients = new Map<string, ClientRegistration>()\n const refreshTokens = new Map<string, RefreshTokenData>()\n\n return {\n async saveAuthCode(code, data) { authCodes.set(code, data) },\n async getAuthCode(code) { return withTtl(authCodes, code) },\n async deleteAuthCode(code) { authCodes.delete(code) },\n\n async savePendingAuth(state, data) { pendingAuths.set(state, data) },\n async getPendingAuth(state) { return withTtl(pendingAuths, state) },\n async deletePendingAuth(state) { pendingAuths.delete(state) },\n\n async savePkceVerifier(state, verifier) {\n pkceVerifiers.set(state, { verifier, expiresAt: Date.now() / 1000 + 600 })\n },\n async getPkceVerifier(state) {\n const item = pkceVerifiers.get(state)\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n pkceVerifiers.delete(state)\n return undefined\n }\n return item.verifier\n },\n async deletePkceVerifier(state) { pkceVerifiers.delete(state) },\n\n async saveClient(clientId, data) { clients.set(clientId, data) },\n async getClient(clientId) { return clients.get(clientId) },\n\n async saveRefreshToken(token, data) { refreshTokens.set(token, data) },\n async getRefreshToken(token) { return withTtl(refreshTokens, token) },\n async deleteRefreshToken(token) { refreshTokens.delete(token) }\n }\n}\n","import { randomBytes, randomUUID } from 'crypto'\nimport { SignJWT, jwtVerify } from 'jose'\nimport { createMemoryStore } from '../store/memory-store.js'\nimport { AuthInfo } from '../types.js'\nimport { OAuthStore } from './store.js'\nimport { OAuthProvider, OAuthResponse } from './types.js'\nimport { matchRedirectUri } from './uri.js'\n\nexport interface OAuthProxyConfig {\n authorizeUrl: string\n tokenUrl: string\n userinfoUrl?: string\n clientId: string\n clientSecret: string\n resourceUrl: string\n redirectUris: string[]\n requiredScopes?: string[]\n callbackPath?: string\n signingKey?: string\n tokenTtl?: number\n store?: OAuthStore\n}\n\nconst CORS_HEADERS: Record<string, string> = {\n 'Access-Control-Allow-Origin': '*',\n 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',\n 'Access-Control-Allow-Headers': '*'\n}\n\nexport function createOAuthProxy(config: OAuthProxyConfig): OAuthProvider {\n const store = config.store ?? createMemoryStore()\n const callbackPath = config.callbackPath ?? '/auth/callback'\n const tokenTtl = config.tokenTtl ?? 3600\n const scopes = config.requiredScopes ?? []\n\n let signingKey: Uint8Array | null = null\n\n async function getSigningKey(): Promise<Uint8Array> {\n if (signingKey) { return signingKey }\n if (config.signingKey) {\n signingKey = new TextEncoder().encode(config.signingKey)\n } else {\n signingKey = randomBytes(32)\n }\n return signingKey\n }\n\n function generateCode(): string {\n return randomBytes(32).toString('base64url')\n }\n\n async function generatePkce(): Promise<{ verifier: string; challenge: string }> {\n const verifier = randomBytes(32).toString('base64url')\n const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))\n const challenge = Buffer.from(hash).toString('base64url')\n return { verifier, challenge }\n }\n\n async function verifyPkce(verifier: string, challenge: string): Promise<boolean> {\n const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))\n const computed = Buffer.from(hash).toString('base64url')\n return computed === challenge\n }\n\n function jsonResponse(status: number, body: Record<string, unknown>, headers: Record<string, string> = {}): OAuthResponse {\n return {\n status,\n headers: { 'Content-Type': 'application/json', ...CORS_HEADERS, ...headers },\n body\n }\n }\n\n function redirectResponse(url: string): OAuthResponse {\n return {\n status: 302,\n headers: { Location: url, ...CORS_HEADERS },\n body: undefined\n }\n }\n\n function errorResponse(status: number, error: string, description: string): OAuthResponse {\n return jsonResponse(status, { error, error_description: description })\n }\n\n const provider: OAuthProvider = {\n metadata(): OAuthResponse {\n return jsonResponse(200, {\n issuer: config.resourceUrl,\n authorization_endpoint: `${config.resourceUrl}/authorize`,\n token_endpoint: `${config.resourceUrl}/token`,\n registration_endpoint: `${config.resourceUrl}/register`,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n code_challenge_methods_supported: ['S256'],\n token_endpoint_auth_methods_supported: ['none', 'client_secret_post'],\n scopes_supported: scopes\n }, { 'Cache-Control': 'max-age=3600' })\n },\n\n async register(req): Promise<OAuthResponse> {\n const body = req.body\n if (!body) { return errorResponse(400, 'invalid_request', 'Missing request body') }\n\n const redirectUris = body.redirect_uris\n if (!redirectUris) { return errorResponse(400, 'invalid_request', 'redirect_uris is required') }\n\n let uris: string[]\n try {\n uris = typeof redirectUris === 'string' ? JSON.parse(redirectUris) : redirectUris\n } catch {\n uris = [redirectUris]\n }\n\n if (!Array.isArray(uris) || uris.length === 0) {\n return errorResponse(400, 'invalid_request', 'redirect_uris must be a non-empty array')\n }\n\n for (const uri of uris) {\n if (!matchRedirectUri(uri, config.redirectUris)) {\n return errorResponse(400, 'invalid_redirect_uri', `Redirect URI not allowed: ${uri}`)\n }\n }\n\n const clientId = randomUUID()\n const clientSecret = randomBytes(32).toString('base64url')\n const registration = {\n clientId,\n clientSecret,\n redirectUris: uris,\n clientName: body.client_name,\n createdAt: Date.now() / 1000\n }\n\n await store.saveClient(clientId, registration)\n\n return jsonResponse(201, {\n client_id: clientId,\n client_secret: clientSecret,\n redirect_uris: uris,\n client_name: body.client_name,\n token_endpoint_auth_method: 'none'\n })\n },\n\n async authorize(req): Promise<OAuthResponse> {\n const params = req.url.searchParams\n const responseType = params.get('response_type')\n const clientId = params.get('client_id')\n const redirectUri = params.get('redirect_uri')\n const scope = params.get('scope') ?? ''\n const clientState = params.get('state') ?? ''\n const codeChallenge = params.get('code_challenge')\n const codeChallengeMethod = params.get('code_challenge_method')\n const resource = params.get('resource')\n\n if (responseType !== 'code') {\n return errorResponse(400, 'unsupported_response_type', 'Only response_type=code is supported')\n }\n if (!clientId) { return errorResponse(400, 'invalid_request', 'client_id is required') }\n if (!redirectUri) { return errorResponse(400, 'invalid_request', 'redirect_uri is required') }\n if (!codeChallenge || codeChallengeMethod !== 'S256') {\n return errorResponse(400, 'invalid_request', 'PKCE with S256 is required')\n }\n\n let client = await store.getClient(clientId)\n\n if (!client && clientId.startsWith('https://')) {\n try {\n const metaRes = await fetch(clientId)\n if (!metaRes.ok) {\n return errorResponse(400, 'invalid_client', 'Failed to fetch client metadata document')\n }\n const meta = await metaRes.json() as Record<string, unknown>\n const metaRedirectUris = meta.redirect_uris as string[] | undefined\n if (!Array.isArray(metaRedirectUris) || metaRedirectUris.length === 0) {\n return errorResponse(400, 'invalid_client', 'Client metadata must include redirect_uris')\n }\n for (const uri of metaRedirectUris) {\n if (!matchRedirectUri(uri, config.redirectUris)) {\n return errorResponse(400, 'invalid_redirect_uri', `Redirect URI not allowed: ${uri}`)\n }\n }\n client = {\n clientId,\n clientSecret: '',\n redirectUris: metaRedirectUris,\n clientName: meta.client_name as string | undefined,\n createdAt: Date.now() / 1000\n }\n await store.saveClient(clientId, client)\n } catch {\n return errorResponse(400, 'invalid_client', 'Failed to fetch client metadata document')\n }\n }\n\n if (!client) { return errorResponse(400, 'invalid_client', 'Unknown client_id') }\n\n if (!client.redirectUris.includes(redirectUri)) {\n return errorResponse(400, 'invalid_redirect_uri', 'redirect_uri does not match registered URIs')\n }\n\n const proxyState = randomUUID()\n const pkce = await generatePkce()\n\n await store.savePendingAuth(proxyState, {\n clientId,\n redirectUri,\n codeChallenge,\n codeChallengeMethod,\n scope,\n clientState,\n resource: resource ?? undefined,\n expiresAt: Date.now() / 1000 + 600\n })\n\n await store.savePkceVerifier(proxyState, pkce.verifier)\n\n const upstreamScopes = scopes.length > 0 ? scopes.join(' ') : scope\n const upstreamUrl = new URL(config.authorizeUrl)\n upstreamUrl.searchParams.set('response_type', 'code')\n upstreamUrl.searchParams.set('client_id', config.clientId)\n upstreamUrl.searchParams.set('redirect_uri', `${config.resourceUrl}${callbackPath}`)\n upstreamUrl.searchParams.set('scope', upstreamScopes)\n upstreamUrl.searchParams.set('state', proxyState)\n upstreamUrl.searchParams.set('code_challenge', pkce.challenge)\n upstreamUrl.searchParams.set('code_challenge_method', 'S256')\n if (params.has('access_type')) {\n upstreamUrl.searchParams.set('access_type', params.get('access_type')!)\n }\n\n return redirectResponse(upstreamUrl.toString())\n },\n\n async callback(req): Promise<OAuthResponse> {\n const params = req.url.searchParams\n const upstreamCode = params.get('code')\n const proxyState = params.get('state')\n const upstreamError = params.get('error')\n\n if (upstreamError) {\n return errorResponse(400, 'upstream_error', params.get('error_description') ?? upstreamError)\n }\n if (!upstreamCode || !proxyState) {\n return errorResponse(400, 'invalid_request', 'Missing code or state')\n }\n\n const pending = await store.getPendingAuth(proxyState)\n if (!pending) { return errorResponse(400, 'invalid_request', 'Unknown or expired state') }\n\n const pkceVerifier = await store.getPkceVerifier(proxyState)\n if (!pkceVerifier) { return errorResponse(400, 'invalid_request', 'Missing PKCE verifier') }\n\n await store.deletePendingAuth(proxyState)\n await store.deletePkceVerifier(proxyState)\n\n const tokenBody = new URLSearchParams({\n grant_type: 'authorization_code',\n code: upstreamCode,\n redirect_uri: `${config.resourceUrl}${callbackPath}`,\n client_id: config.clientId,\n client_secret: config.clientSecret,\n code_verifier: pkceVerifier\n })\n\n const tokenResponse = await fetch(config.tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: tokenBody.toString()\n })\n\n if (!tokenResponse.ok) {\n const errorBody = await tokenResponse.text()\n console.error('Upstream token exchange failed:', errorBody)\n return errorResponse(502, 'upstream_error', 'Failed to exchange code with upstream provider')\n }\n\n const tokens = await tokenResponse.json() as Record<string, unknown>\n const upstreamAccessToken = tokens.access_token as string\n const upstreamIdToken = tokens.id_token as string | undefined\n\n let email: string | undefined\n let sub: string | undefined\n if (config.userinfoUrl && upstreamAccessToken) {\n try {\n const userinfoResponse = await fetch(config.userinfoUrl, {\n headers: { Authorization: `Bearer ${upstreamAccessToken}` }\n })\n if (userinfoResponse.ok) {\n const userinfo = await userinfoResponse.json() as Record<string, unknown>\n email = userinfo.email as string | undefined\n sub = userinfo.sub as string | undefined\n }\n } catch {\n // Userinfo fetch is best-effort\n }\n }\n\n const mcpCode = generateCode()\n await store.saveAuthCode(mcpCode, {\n clientId: pending.clientId,\n redirectUri: pending.redirectUri,\n codeChallenge: pending.codeChallenge,\n codeChallengeMethod: pending.codeChallengeMethod,\n scopes: pending.scope.split(' ').filter(Boolean),\n upstreamAccessToken,\n upstreamIdToken,\n email,\n sub,\n expiresAt: Date.now() / 1000 + 600\n })\n\n const clientRedirect = new URL(pending.redirectUri)\n clientRedirect.searchParams.set('code', mcpCode)\n if (pending.clientState) {\n clientRedirect.searchParams.set('state', pending.clientState)\n }\n\n return redirectResponse(clientRedirect.toString())\n },\n\n async token(req): Promise<OAuthResponse> {\n const body = req.body\n if (!body) { return errorResponse(400, 'invalid_request', 'Missing request body') }\n\n const grantType = body.grant_type\n\n if (grantType === 'refresh_token') {\n const refreshToken = body.refresh_token\n if (!refreshToken) {\n return errorResponse(400, 'invalid_request', 'Missing refresh_token')\n }\n\n const tokenData = await store.getRefreshToken(refreshToken)\n if (!tokenData) {\n return errorResponse(400, 'invalid_grant', 'Invalid or expired refresh token')\n }\n\n const key = await getSigningKey()\n const now = Math.floor(Date.now() / 1000)\n const accessToken = await new SignJWT({\n scope: tokenData.scopes.join(' '),\n email: tokenData.email\n })\n .setProtectedHeader({ alg: 'HS256' })\n .setSubject(tokenData.sub ?? tokenData.email ?? tokenData.clientId)\n .setIssuer(config.resourceUrl)\n .setAudience(config.resourceUrl)\n .setIssuedAt(now)\n .setExpirationTime(now + tokenTtl)\n .sign(key)\n\n return jsonResponse(200, {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: tokenTtl,\n scope: tokenData.scopes.join(' '),\n refresh_token: refreshToken\n })\n }\n\n if (grantType !== 'authorization_code') {\n return errorResponse(400, 'unsupported_grant_type', 'Supported grant types: authorization_code, refresh_token')\n }\n\n const code = body.code\n const redirectUri = body.redirect_uri\n const clientId = body.client_id\n const codeVerifier = body.code_verifier\n\n if (!code || !codeVerifier || !clientId) {\n return errorResponse(400, 'invalid_request', 'Missing required parameters')\n }\n\n const authCode = await store.getAuthCode(code)\n if (!authCode) { return errorResponse(400, 'invalid_grant', 'Invalid or expired authorization code') }\n\n await store.deleteAuthCode(code)\n\n if (authCode.clientId !== clientId) {\n return errorResponse(400, 'invalid_grant', 'client_id mismatch')\n }\n if (redirectUri && authCode.redirectUri !== redirectUri) {\n return errorResponse(400, 'invalid_grant', 'redirect_uri mismatch')\n }\n\n const pkceValid = await verifyPkce(codeVerifier, authCode.codeChallenge)\n if (!pkceValid) {\n return errorResponse(400, 'invalid_grant', 'PKCE verification failed')\n }\n\n const key = await getSigningKey()\n const now = Math.floor(Date.now() / 1000)\n const accessToken = await new SignJWT({\n scope: authCode.scopes.join(' '),\n email: authCode.email\n })\n .setProtectedHeader({ alg: 'HS256' })\n .setSubject(authCode.sub ?? authCode.email ?? authCode.clientId)\n .setIssuer(config.resourceUrl)\n .setAudience(config.resourceUrl)\n .setIssuedAt(now)\n .setExpirationTime(now + tokenTtl)\n .sign(key)\n\n const refreshToken = randomBytes(32).toString('base64url')\n await store.saveRefreshToken(refreshToken, {\n clientId: authCode.clientId,\n scopes: authCode.scopes,\n email: authCode.email,\n sub: authCode.sub,\n expiresAt: now + 30 * 24 * 3600\n })\n\n return jsonResponse(200, {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: tokenTtl,\n scope: authCode.scopes.join(' '),\n refresh_token: refreshToken\n })\n },\n\n async verifyToken(token): Promise<AuthInfo | undefined> {\n try {\n const key = await getSigningKey()\n const { payload } = await jwtVerify(token, key, {\n issuer: config.resourceUrl,\n audience: config.resourceUrl\n })\n return {\n token,\n clientId: payload.sub ?? undefined,\n scopes: typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [],\n expiresAt: payload.exp,\n email: payload.email as string | undefined\n }\n } catch {\n return undefined\n }\n }\n }\n\n return provider\n}\n","export function matchRedirectUri(uri: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n const regex = patternToRegex(pattern)\n return regex.test(uri)\n })\n}\n\nfunction patternToRegex(pattern: string): RegExp {\n const escaped = pattern\n .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&')\n .replace(/\\*/g, '.*')\n return new RegExp(`^${escaped}$`)\n}\n","import { AuthConfig } from '../types.js'\nimport { createOAuthProxy } from './proxy.js'\nimport { OAuthStore } from './store.js'\n\nexport interface GoogleOAuthOptions {\n clientId: string\n clientSecret: string\n resourceUrl: string\n redirectUris: string[]\n requiredScopes?: string[]\n callbackPath?: string\n signingKey?: string\n tokenTtl?: number\n store?: OAuthStore\n}\n\nexport function google(options: GoogleOAuthOptions): AuthConfig {\n const provider = createOAuthProxy({\n authorizeUrl: 'https://accounts.google.com/o/oauth2/v2/auth',\n tokenUrl: 'https://oauth2.googleapis.com/token',\n userinfoUrl: 'https://openidconnect.googleapis.com/v1/userinfo',\n clientId: options.clientId,\n clientSecret: options.clientSecret,\n resourceUrl: options.resourceUrl,\n redirectUris: options.redirectUris,\n requiredScopes: options.requiredScopes ?? ['openid', 'email'],\n callbackPath: options.callbackPath,\n signingKey: options.signingKey,\n tokenTtl: options.tokenTtl,\n store: options.store\n })\n\n return {\n verifyToken: (token) => provider.verifyToken(token),\n required: true,\n resourceUrl: options.resourceUrl,\n authorizationServers: [options.resourceUrl],\n provider,\n callbackPath: options.callbackPath ?? '/auth/callback'\n }\n}\n","import { existsSync, readFileSync, writeFileSync } from 'fs'\nimport { AuthCodeData, ClientRegistration, OAuthStore, PendingAuthData, RefreshTokenData } from '../provider/store.js'\n\nfunction withTtl<T extends { expiresAt: number }>(obj: Record<string, T>, key: string): T | undefined {\n const item = obj[key]\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n delete obj[key]\n return undefined\n }\n return item\n}\n\ninterface JsonStore {\n authCodes: Record<string, AuthCodeData>\n pendingAuths: Record<string, PendingAuthData>\n pkceVerifiers: Record<string, { verifier: string; expiresAt: number }>\n clients: Record<string, ClientRegistration>\n refreshTokens: Record<string, RefreshTokenData>\n}\n\nfunction writeJsonStore(path: string, store: JsonStore) {\n writeFileSync(path, JSON.stringify(store, null, 2), 'utf-8')\n}\n\nfunction readJsonStore(path: string): JsonStore {\n if (!existsSync(path)) {\n return {\n authCodes: {},\n pendingAuths: {},\n pkceVerifiers: {},\n clients: {},\n refreshTokens: {}\n }\n }\n const data = JSON.parse(readFileSync(path, 'utf-8'))\n if (!data.refreshTokens) { data.refreshTokens = {} }\n return data\n}\n\nexport function createJsonStore(path: string): OAuthStore {\n const store: JsonStore = readJsonStore(path)\n\n return {\n async saveAuthCode(code, data) {\n store.authCodes[code] = data\n writeJsonStore(path, store)\n },\n async getAuthCode(code) { return withTtl(store.authCodes, code) },\n async deleteAuthCode(code) {\n delete store.authCodes[code]\n writeJsonStore(path, store)\n },\n async savePendingAuth(state, data) {\n store.pendingAuths[state] = data\n writeJsonStore(path, store)\n },\n async getPendingAuth(state) { return withTtl(store.pendingAuths, state) },\n async deletePendingAuth(state) {\n delete store.pendingAuths[state]\n writeJsonStore(path, store)\n },\n async savePkceVerifier(state, verifier) {\n store.pkceVerifiers[state] = { verifier, expiresAt: Date.now() / 1000 + 600 }\n writeJsonStore(path, store)\n },\n async getPkceVerifier(state) {\n const item = store.pkceVerifiers[state]\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n delete store.pkceVerifiers[state]\n writeJsonStore(path, store)\n return undefined\n }\n return item.verifier\n },\n async deletePkceVerifier(state) {\n delete store.pkceVerifiers[state]\n writeJsonStore(path, store)\n },\n async saveClient(clientId, data) {\n store.clients[clientId] = data\n writeJsonStore(path, store)\n },\n async getClient(clientId) { return store.clients[clientId] },\n\n async saveRefreshToken(token, data) {\n store.refreshTokens[token] = data\n writeJsonStore(path, store)\n },\n async getRefreshToken(token) { return withTtl(store.refreshTokens, token) },\n async deleteRefreshToken(token) {\n delete store.refreshTokens[token]\n writeJsonStore(path, store)\n }\n }\n}\n","import type { OAuthStore } from '../provider/store.js'\n\nexport interface RedisClient {\n get(key: string): Promise<unknown>\n set(key: string, value: string, options?: { ex?: number }): Promise<unknown>\n del(key: string): Promise<unknown>\n}\n\nexport interface RedisStoreOptions {\n client: RedisClient\n prefix?: string\n}\n\nexport function createRedisStore(options: RedisStoreOptions): OAuthStore {\n const { client, prefix = 'silkweave:oauth:' } = options\n\n function key(namespace: string, id: string) {\n return `${prefix}${namespace}:${id}`\n }\n\n function ttlFromExpiry(expiresAt: number): number | undefined {\n const seconds = Math.floor(expiresAt - Date.now() / 1000)\n return seconds > 0 ? seconds : undefined\n }\n\n async function save<T>(namespace: string, id: string, data: T, expiresAt?: number) {\n const opts: { ex?: number } = {}\n const ttl = expiresAt != null ? ttlFromExpiry(expiresAt) : undefined\n if (ttl != null) { opts.ex = ttl }\n await client.set(key(namespace, id), JSON.stringify(data), opts)\n }\n\n async function load<T>(namespace: string, id: string): Promise<T | undefined> {\n const raw = await client.get(key(namespace, id))\n if (raw == null) { return undefined }\n return (typeof raw === 'string' ? JSON.parse(raw) : raw) as T\n }\n\n async function remove(namespace: string, id: string) {\n await client.del(key(namespace, id))\n }\n\n return {\n async saveAuthCode(code, data) { await save('auth-code', code, data, data.expiresAt) },\n async getAuthCode(code) { return load('auth-code', code) },\n async deleteAuthCode(code) { await remove('auth-code', code) },\n\n async savePendingAuth(state, data) { await save('pending-auth', state, data, data.expiresAt) },\n async getPendingAuth(state) { return load('pending-auth', state) },\n async deletePendingAuth(state) { await remove('pending-auth', state) },\n\n async savePkceVerifier(state, verifier) {\n const expiresAt = Date.now() / 1000 + 600\n await save('pkce-verifier', state, { verifier, expiresAt }, expiresAt)\n },\n async getPkceVerifier(state) {\n const item = await load<{ verifier: string; expiresAt: number }>('pkce-verifier', state)\n return item?.verifier\n },\n async deletePkceVerifier(state) { await remove('pkce-verifier', state) },\n\n async saveClient(clientId, data) { await save('client', clientId, data) },\n async getClient(clientId) { return load('client', clientId) },\n\n async saveRefreshToken(token, data) { await save('refresh-token', token, data, data.expiresAt) },\n async getRefreshToken(token) { return load('refresh-token', token) },\n async deleteRefreshToken(token) { await remove('refresh-token', token) }\n }\n}\n","import { AuthError, insufficientScope, invalidToken } from './errors.js'\nimport { extractBearerToken, buildWWWAuthenticate } from './extract.js'\nimport { AuthConfig, AuthInfo } from './types.js'\n\nexport interface ValidateResult {\n auth?: AuthInfo\n error?: {\n statusCode: number\n headers: Record<string, string>\n body: { error: string; error_description: string }\n }\n}\n\nexport async function validateToken(\n authorizationHeader: string | null | undefined,\n config: AuthConfig\n): Promise<ValidateResult> {\n const required = config.required ?? true\n const resourceMetadataUrl = config.resourceUrl\n ? `${config.resourceUrl}/.well-known/oauth-protected-resource`\n : undefined\n\n const token = extractBearerToken(authorizationHeader)\n\n if (!token) {\n if (!required) { return {} }\n return buildChallengeResult(resourceMetadataUrl)\n }\n\n let authInfo: AuthInfo | undefined\n try {\n authInfo = await config.verifyToken(token)\n } catch (_e) {\n const err = invalidToken()\n return buildErrorResult(err, resourceMetadataUrl)\n }\n\n if (!authInfo) {\n const err = invalidToken()\n return buildErrorResult(err, resourceMetadataUrl)\n }\n\n if (authInfo.expiresAt && authInfo.expiresAt < Date.now() / 1000) {\n const err = invalidToken('Token has expired')\n return buildErrorResult(err, resourceMetadataUrl)\n }\n\n if (config.requiredScopes?.length) {\n const scopes = authInfo.scopes ?? []\n const hasAll = config.requiredScopes.every((s) => scopes.includes(s))\n if (!hasAll) {\n const err = insufficientScope()\n return buildErrorResult(err, resourceMetadataUrl)\n }\n }\n\n return { auth: authInfo }\n}\n\nfunction buildChallengeResult(resourceMetadataUrl?: string): ValidateResult {\n return {\n error: {\n statusCode: 401,\n headers: {\n 'WWW-Authenticate': buildWWWAuthenticate(undefined, undefined, resourceMetadataUrl),\n 'Content-Type': 'application/json'\n },\n body: { error: 'missing_token', error_description: 'No authorization provided' }\n }\n }\n}\n\nfunction buildErrorResult(\n err: AuthError,\n resourceMetadataUrl?: string\n): ValidateResult {\n return {\n error: {\n statusCode: err.statusCode,\n headers: {\n 'WWW-Authenticate': buildWWWAuthenticate(err.code, err.message, resourceMetadataUrl),\n 'Content-Type': 'application/json'\n },\n body: { error: err.code, error_description: err.message }\n }\n }\n}\n"],"mappings":";AAAO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACE,SACgB,MACA,aAAa,KAC7B;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAEO,SAAS,aAAa,UAAU,iBAAiB;AACtD,SAAO,IAAI,UAAU,SAAS,iBAAiB,GAAG;AACpD;AAEO,SAAS,kBAAkB,UAAU,sBAAsB;AAChE,SAAO,IAAI,UAAU,SAAS,sBAAsB,GAAG;AACzD;AAEO,SAAS,aAAa,UAAU,6BAA6B;AAClE,SAAO,IAAI,UAAU,SAAS,iBAAiB,GAAG;AACpD;;;ACrBO,SAAS,mBAAmB,QAAkD;AACnF,MAAI,CAAC,QAAQ;AAAE,WAAO;AAAA,EAAK;AAC3B,QAAM,QAAQ,mBAAmB,KAAK,MAAM;AAC5C,SAAO,QAAQ,CAAC,KAAK;AACvB;AAEO,SAAS,qBACd,OACA,aACA,qBACQ;AACR,QAAM,QAAkB,CAAC;AACzB,MAAI,OAAO;AACT,UAAM,KAAK,UAAU,KAAK,GAAG;AAAA,EAC/B;AACA,MAAI,aAAa;AACf,UAAM,KAAK,sBAAsB,WAAW,GAAG;AAAA,EACjD;AACA,MAAI,qBAAqB;AACvB,UAAM,KAAK,sBAAsB,mBAAmB,GAAG;AAAA,EACzD;AACA,SAAO,MAAM,SAAS,IAAI,UAAU,MAAM,KAAK,IAAI,CAAC,KAAK;AAC3D;;;ACfO,SAAS,kCACd,aACA,sBAC2B;AAC3B,SAAO;AAAA,IACL,UAAU;AAAA,IACV,uBAAuB;AAAA,IACvB,0BAA0B,CAAC,QAAQ;AAAA,EACrC;AACF;;;ACdA,SAAS,QAAyC,KAAqB,KAA4B;AACjG,QAAM,OAAO,IAAI,IAAI,GAAG;AACxB,MAAI,CAAC,MAAM;AAAE,WAAO;AAAA,EAAU;AAC9B,MAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,QAAI,OAAO,GAAG;AACd,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,oBAAgC;AAC9C,QAAM,YAAY,oBAAI,IAA0B;AAChD,QAAM,eAAe,oBAAI,IAA6B;AACtD,QAAM,gBAAgB,oBAAI,IAAqD;AAC/E,QAAM,UAAU,oBAAI,IAAgC;AACpD,QAAM,gBAAgB,oBAAI,IAA8B;AAExD,SAAO;AAAA,IACL,MAAM,aAAa,MAAM,MAAM;AAAE,gBAAU,IAAI,MAAM,IAAI;AAAA,IAAE;AAAA,IAC3D,MAAM,YAAY,MAAM;AAAE,aAAO,QAAQ,WAAW,IAAI;AAAA,IAAE;AAAA,IAC1D,MAAM,eAAe,MAAM;AAAE,gBAAU,OAAO,IAAI;AAAA,IAAE;AAAA,IAEpD,MAAM,gBAAgB,OAAO,MAAM;AAAE,mBAAa,IAAI,OAAO,IAAI;AAAA,IAAE;AAAA,IACnE,MAAM,eAAe,OAAO;AAAE,aAAO,QAAQ,cAAc,KAAK;AAAA,IAAE;AAAA,IAClE,MAAM,kBAAkB,OAAO;AAAE,mBAAa,OAAO,KAAK;AAAA,IAAE;AAAA,IAE5D,MAAM,iBAAiB,OAAO,UAAU;AACtC,oBAAc,IAAI,OAAO,EAAE,UAAU,WAAW,KAAK,IAAI,IAAI,MAAO,IAAI,CAAC;AAAA,IAC3E;AAAA,IACA,MAAM,gBAAgB,OAAO;AAC3B,YAAM,OAAO,cAAc,IAAI,KAAK;AACpC,UAAI,CAAC,MAAM;AAAE,eAAO;AAAA,MAAU;AAC9B,UAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,sBAAc,OAAO,KAAK;AAC1B,eAAO;AAAA,MACT;AACA,aAAO,KAAK;AAAA,IACd;AAAA,IACA,MAAM,mBAAmB,OAAO;AAAE,oBAAc,OAAO,KAAK;AAAA,IAAE;AAAA,IAE9D,MAAM,WAAW,UAAU,MAAM;AAAE,cAAQ,IAAI,UAAU,IAAI;AAAA,IAAE;AAAA,IAC/D,MAAM,UAAU,UAAU;AAAE,aAAO,QAAQ,IAAI,QAAQ;AAAA,IAAE;AAAA,IAEzD,MAAM,iBAAiB,OAAO,MAAM;AAAE,oBAAc,IAAI,OAAO,IAAI;AAAA,IAAE;AAAA,IACrE,MAAM,gBAAgB,OAAO;AAAE,aAAO,QAAQ,eAAe,KAAK;AAAA,IAAE;AAAA,IACpE,MAAM,mBAAmB,OAAO;AAAE,oBAAc,OAAO,KAAK;AAAA,IAAE;AAAA,EAChE;AACF;;;ACjDA,SAAS,aAAa,kBAAkB;AACxC,SAAS,SAAS,iBAAiB;;;ACD5B,SAAS,iBAAiB,KAAa,UAA6B;AACzE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,UAAM,QAAQ,eAAe,OAAO;AACpC,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB,CAAC;AACH;AAEA,SAAS,eAAe,SAAyB;AAC/C,QAAM,UAAU,QACb,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,IAAI;AACtB,SAAO,IAAI,OAAO,IAAI,OAAO,GAAG;AAClC;;;ADWA,IAAM,eAAuC;AAAA,EAC3C,+BAA+B;AAAA,EAC/B,gCAAgC;AAAA,EAChC,gCAAgC;AAClC;AAEO,SAAS,iBAAiB,QAAyC;AACxE,QAAM,QAAQ,OAAO,SAAS,kBAAkB;AAChD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,WAAW,OAAO,YAAY;AACpC,QAAM,SAAS,OAAO,kBAAkB,CAAC;AAEzC,MAAI,aAAgC;AAEpC,iBAAe,gBAAqC;AAClD,QAAI,YAAY;AAAE,aAAO;AAAA,IAAW;AACpC,QAAI,OAAO,YAAY;AACrB,mBAAa,IAAI,YAAY,EAAE,OAAO,OAAO,UAAU;AAAA,IACzD,OAAO;AACL,mBAAa,YAAY,EAAE;AAAA,IAC7B;AACA,WAAO;AAAA,EACT;AAEA,WAAS,eAAuB;AAC9B,WAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AAAA,EAC7C;AAEA,iBAAe,eAAiE;AAC9E,UAAM,WAAW,YAAY,EAAE,EAAE,SAAS,WAAW;AACrD,UAAM,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI,YAAY,EAAE,OAAO,QAAQ,CAAC;AACrF,UAAM,YAAY,OAAO,KAAK,IAAI,EAAE,SAAS,WAAW;AACxD,WAAO,EAAE,UAAU,UAAU;AAAA,EAC/B;AAEA,iBAAe,WAAW,UAAkB,WAAqC;AAC/E,UAAM,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI,YAAY,EAAE,OAAO,QAAQ,CAAC;AACrF,UAAM,WAAW,OAAO,KAAK,IAAI,EAAE,SAAS,WAAW;AACvD,WAAO,aAAa;AAAA,EACtB;AAEA,WAAS,aAAa,QAAgB,MAA+B,UAAkC,CAAC,GAAkB;AACxH,WAAO;AAAA,MACL;AAAA,MACA,SAAS,EAAE,gBAAgB,oBAAoB,GAAG,cAAc,GAAG,QAAQ;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AAEA,WAAS,iBAAiB,KAA4B;AACpD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,EAAE,UAAU,KAAK,GAAG,aAAa;AAAA,MAC1C,MAAM;AAAA,IACR;AAAA,EACF;AAEA,WAAS,cAAc,QAAgB,OAAe,aAAoC;AACxF,WAAO,aAAa,QAAQ,EAAE,OAAO,mBAAmB,YAAY,CAAC;AAAA,EACvE;AAEA,QAAM,WAA0B;AAAA,IAC9B,WAA0B;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,QAAQ,OAAO;AAAA,QACf,wBAAwB,GAAG,OAAO,WAAW;AAAA,QAC7C,gBAAgB,GAAG,OAAO,WAAW;AAAA,QACrC,uBAAuB,GAAG,OAAO,WAAW;AAAA,QAC5C,0BAA0B,CAAC,MAAM;AAAA,QACjC,uBAAuB,CAAC,sBAAsB,eAAe;AAAA,QAC7D,kCAAkC,CAAC,MAAM;AAAA,QACzC,uCAAuC,CAAC,QAAQ,oBAAoB;AAAA,QACpE,kBAAkB;AAAA,MACpB,GAAG,EAAE,iBAAiB,eAAe,CAAC;AAAA,IACxC;AAAA,IAEA,MAAM,SAAS,KAA6B;AAC1C,YAAM,OAAO,IAAI;AACjB,UAAI,CAAC,MAAM;AAAE,eAAO,cAAc,KAAK,mBAAmB,sBAAsB;AAAA,MAAE;AAElF,YAAM,eAAe,KAAK;AAC1B,UAAI,CAAC,cAAc;AAAE,eAAO,cAAc,KAAK,mBAAmB,2BAA2B;AAAA,MAAE;AAE/F,UAAI;AACJ,UAAI;AACF,eAAO,OAAO,iBAAiB,WAAW,KAAK,MAAM,YAAY,IAAI;AAAA,MACvE,QAAQ;AACN,eAAO,CAAC,YAAY;AAAA,MACtB;AAEA,UAAI,CAAC,MAAM,QAAQ,IAAI,KAAK,KAAK,WAAW,GAAG;AAC7C,eAAO,cAAc,KAAK,mBAAmB,yCAAyC;AAAA,MACxF;AAEA,iBAAW,OAAO,MAAM;AACtB,YAAI,CAAC,iBAAiB,KAAK,OAAO,YAAY,GAAG;AAC/C,iBAAO,cAAc,KAAK,wBAAwB,6BAA6B,GAAG,EAAE;AAAA,QACtF;AAAA,MACF;AAEA,YAAM,WAAW,WAAW;AAC5B,YAAM,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,YAAM,eAAe;AAAA,QACnB;AAAA,QACA;AAAA,QACA,cAAc;AAAA,QACd,YAAY,KAAK;AAAA,QACjB,WAAW,KAAK,IAAI,IAAI;AAAA,MAC1B;AAEA,YAAM,MAAM,WAAW,UAAU,YAAY;AAE7C,aAAO,aAAa,KAAK;AAAA,QACvB,WAAW;AAAA,QACX,eAAe;AAAA,QACf,eAAe;AAAA,QACf,aAAa,KAAK;AAAA,QAClB,4BAA4B;AAAA,MAC9B,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,UAAU,KAA6B;AAC3C,YAAM,SAAS,IAAI,IAAI;AACvB,YAAM,eAAe,OAAO,IAAI,eAAe;AAC/C,YAAM,WAAW,OAAO,IAAI,WAAW;AACvC,YAAM,cAAc,OAAO,IAAI,cAAc;AAC7C,YAAM,QAAQ,OAAO,IAAI,OAAO,KAAK;AACrC,YAAM,cAAc,OAAO,IAAI,OAAO,KAAK;AAC3C,YAAM,gBAAgB,OAAO,IAAI,gBAAgB;AACjD,YAAM,sBAAsB,OAAO,IAAI,uBAAuB;AAC9D,YAAM,WAAW,OAAO,IAAI,UAAU;AAEtC,UAAI,iBAAiB,QAAQ;AAC3B,eAAO,cAAc,KAAK,6BAA6B,sCAAsC;AAAA,MAC/F;AACA,UAAI,CAAC,UAAU;AAAE,eAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,MAAE;AACvF,UAAI,CAAC,aAAa;AAAE,eAAO,cAAc,KAAK,mBAAmB,0BAA0B;AAAA,MAAE;AAC7F,UAAI,CAAC,iBAAiB,wBAAwB,QAAQ;AACpD,eAAO,cAAc,KAAK,mBAAmB,4BAA4B;AAAA,MAC3E;AAEA,UAAI,SAAS,MAAM,MAAM,UAAU,QAAQ;AAE3C,UAAI,CAAC,UAAU,SAAS,WAAW,UAAU,GAAG;AAC9C,YAAI;AACF,gBAAM,UAAU,MAAM,MAAM,QAAQ;AACpC,cAAI,CAAC,QAAQ,IAAI;AACf,mBAAO,cAAc,KAAK,kBAAkB,0CAA0C;AAAA,UACxF;AACA,gBAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,gBAAM,mBAAmB,KAAK;AAC9B,cAAI,CAAC,MAAM,QAAQ,gBAAgB,KAAK,iBAAiB,WAAW,GAAG;AACrE,mBAAO,cAAc,KAAK,kBAAkB,4CAA4C;AAAA,UAC1F;AACA,qBAAW,OAAO,kBAAkB;AAClC,gBAAI,CAAC,iBAAiB,KAAK,OAAO,YAAY,GAAG;AAC/C,qBAAO,cAAc,KAAK,wBAAwB,6BAA6B,GAAG,EAAE;AAAA,YACtF;AAAA,UACF;AACA,mBAAS;AAAA,YACP;AAAA,YACA,cAAc;AAAA,YACd,cAAc;AAAA,YACd,YAAY,KAAK;AAAA,YACjB,WAAW,KAAK,IAAI,IAAI;AAAA,UAC1B;AACA,gBAAM,MAAM,WAAW,UAAU,MAAM;AAAA,QACzC,QAAQ;AACN,iBAAO,cAAc,KAAK,kBAAkB,0CAA0C;AAAA,QACxF;AAAA,MACF;AAEA,UAAI,CAAC,QAAQ;AAAE,eAAO,cAAc,KAAK,kBAAkB,mBAAmB;AAAA,MAAE;AAEhF,UAAI,CAAC,OAAO,aAAa,SAAS,WAAW,GAAG;AAC9C,eAAO,cAAc,KAAK,wBAAwB,6CAA6C;AAAA,MACjG;AAEA,YAAM,aAAa,WAAW;AAC9B,YAAM,OAAO,MAAM,aAAa;AAEhC,YAAM,MAAM,gBAAgB,YAAY;AAAA,QACtC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,UAAU,YAAY;AAAA,QACtB,WAAW,KAAK,IAAI,IAAI,MAAO;AAAA,MACjC,CAAC;AAED,YAAM,MAAM,iBAAiB,YAAY,KAAK,QAAQ;AAEtD,YAAM,iBAAiB,OAAO,SAAS,IAAI,OAAO,KAAK,GAAG,IAAI;AAC9D,YAAM,cAAc,IAAI,IAAI,OAAO,YAAY;AAC/C,kBAAY,aAAa,IAAI,iBAAiB,MAAM;AACpD,kBAAY,aAAa,IAAI,aAAa,OAAO,QAAQ;AACzD,kBAAY,aAAa,IAAI,gBAAgB,GAAG,OAAO,WAAW,GAAG,YAAY,EAAE;AACnF,kBAAY,aAAa,IAAI,SAAS,cAAc;AACpD,kBAAY,aAAa,IAAI,SAAS,UAAU;AAChD,kBAAY,aAAa,IAAI,kBAAkB,KAAK,SAAS;AAC7D,kBAAY,aAAa,IAAI,yBAAyB,MAAM;AAC5D,UAAI,OAAO,IAAI,aAAa,GAAG;AAC7B,oBAAY,aAAa,IAAI,eAAe,OAAO,IAAI,aAAa,CAAE;AAAA,MACxE;AAEA,aAAO,iBAAiB,YAAY,SAAS,CAAC;AAAA,IAChD;AAAA,IAEA,MAAM,SAAS,KAA6B;AAC1C,YAAM,SAAS,IAAI,IAAI;AACvB,YAAM,eAAe,OAAO,IAAI,MAAM;AACtC,YAAM,aAAa,OAAO,IAAI,OAAO;AACrC,YAAM,gBAAgB,OAAO,IAAI,OAAO;AAExC,UAAI,eAAe;AACjB,eAAO,cAAc,KAAK,kBAAkB,OAAO,IAAI,mBAAmB,KAAK,aAAa;AAAA,MAC9F;AACA,UAAI,CAAC,gBAAgB,CAAC,YAAY;AAChC,eAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,MACtE;AAEA,YAAM,UAAU,MAAM,MAAM,eAAe,UAAU;AACrD,UAAI,CAAC,SAAS;AAAE,eAAO,cAAc,KAAK,mBAAmB,0BAA0B;AAAA,MAAE;AAEzF,YAAM,eAAe,MAAM,MAAM,gBAAgB,UAAU;AAC3D,UAAI,CAAC,cAAc;AAAE,eAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,MAAE;AAE3F,YAAM,MAAM,kBAAkB,UAAU;AACxC,YAAM,MAAM,mBAAmB,UAAU;AAEzC,YAAM,YAAY,IAAI,gBAAgB;AAAA,QACpC,YAAY;AAAA,QACZ,MAAM;AAAA,QACN,cAAc,GAAG,OAAO,WAAW,GAAG,YAAY;AAAA,QAClD,WAAW,OAAO;AAAA,QAClB,eAAe,OAAO;AAAA,QACtB,eAAe;AAAA,MACjB,CAAC;AAED,YAAM,gBAAgB,MAAM,MAAM,OAAO,UAAU;AAAA,QACjD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,QAC/D,MAAM,UAAU,SAAS;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,cAAc,IAAI;AACrB,cAAM,YAAY,MAAM,cAAc,KAAK;AAC3C,gBAAQ,MAAM,mCAAmC,SAAS;AAC1D,eAAO,cAAc,KAAK,kBAAkB,gDAAgD;AAAA,MAC9F;AAEA,YAAM,SAAS,MAAM,cAAc,KAAK;AACxC,YAAM,sBAAsB,OAAO;AACnC,YAAM,kBAAkB,OAAO;AAE/B,UAAI;AACJ,UAAI;AACJ,UAAI,OAAO,eAAe,qBAAqB;AAC7C,YAAI;AACF,gBAAM,mBAAmB,MAAM,MAAM,OAAO,aAAa;AAAA,YACvD,SAAS,EAAE,eAAe,UAAU,mBAAmB,GAAG;AAAA,UAC5D,CAAC;AACD,cAAI,iBAAiB,IAAI;AACvB,kBAAM,WAAW,MAAM,iBAAiB,KAAK;AAC7C,oBAAQ,SAAS;AACjB,kBAAM,SAAS;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAEA,YAAM,UAAU,aAAa;AAC7B,YAAM,MAAM,aAAa,SAAS;AAAA,QAChC,UAAU,QAAQ;AAAA,QAClB,aAAa,QAAQ;AAAA,QACrB,eAAe,QAAQ;AAAA,QACvB,qBAAqB,QAAQ;AAAA,QAC7B,QAAQ,QAAQ,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO;AAAA,QAC/C;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,WAAW,KAAK,IAAI,IAAI,MAAO;AAAA,MACjC,CAAC;AAED,YAAM,iBAAiB,IAAI,IAAI,QAAQ,WAAW;AAClD,qBAAe,aAAa,IAAI,QAAQ,OAAO;AAC/C,UAAI,QAAQ,aAAa;AACvB,uBAAe,aAAa,IAAI,SAAS,QAAQ,WAAW;AAAA,MAC9D;AAEA,aAAO,iBAAiB,eAAe,SAAS,CAAC;AAAA,IACnD;AAAA,IAEA,MAAM,MAAM,KAA6B;AACvC,YAAM,OAAO,IAAI;AACjB,UAAI,CAAC,MAAM;AAAE,eAAO,cAAc,KAAK,mBAAmB,sBAAsB;AAAA,MAAE;AAElF,YAAM,YAAY,KAAK;AAEvB,UAAI,cAAc,iBAAiB;AACjC,cAAMA,gBAAe,KAAK;AAC1B,YAAI,CAACA,eAAc;AACjB,iBAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,QACtE;AAEA,cAAM,YAAY,MAAM,MAAM,gBAAgBA,aAAY;AAC1D,YAAI,CAAC,WAAW;AACd,iBAAO,cAAc,KAAK,iBAAiB,kCAAkC;AAAA,QAC/E;AAEA,cAAMC,OAAM,MAAM,cAAc;AAChC,cAAMC,OAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,cAAMC,eAAc,MAAM,IAAI,QAAQ;AAAA,UACpC,OAAO,UAAU,OAAO,KAAK,GAAG;AAAA,UAChC,OAAO,UAAU;AAAA,QACnB,CAAC,EACE,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,WAAW,UAAU,OAAO,UAAU,SAAS,UAAU,QAAQ,EACjE,UAAU,OAAO,WAAW,EAC5B,YAAY,OAAO,WAAW,EAC9B,YAAYD,IAAG,EACf,kBAAkBA,OAAM,QAAQ,EAChC,KAAKD,IAAG;AAEX,eAAO,aAAa,KAAK;AAAA,UACvB,cAAcE;AAAA,UACd,YAAY;AAAA,UACZ,YAAY;AAAA,UACZ,OAAO,UAAU,OAAO,KAAK,GAAG;AAAA,UAChC,eAAeH;AAAA,QACjB,CAAC;AAAA,MACH;AAEA,UAAI,cAAc,sBAAsB;AACtC,eAAO,cAAc,KAAK,0BAA0B,0DAA0D;AAAA,MAChH;AAEA,YAAM,OAAO,KAAK;AAClB,YAAM,cAAc,KAAK;AACzB,YAAM,WAAW,KAAK;AACtB,YAAM,eAAe,KAAK;AAE1B,UAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,UAAU;AACvC,eAAO,cAAc,KAAK,mBAAmB,6BAA6B;AAAA,MAC5E;AAEA,YAAM,WAAW,MAAM,MAAM,YAAY,IAAI;AAC7C,UAAI,CAAC,UAAU;AAAE,eAAO,cAAc,KAAK,iBAAiB,uCAAuC;AAAA,MAAE;AAErG,YAAM,MAAM,eAAe,IAAI;AAE/B,UAAI,SAAS,aAAa,UAAU;AAClC,eAAO,cAAc,KAAK,iBAAiB,oBAAoB;AAAA,MACjE;AACA,UAAI,eAAe,SAAS,gBAAgB,aAAa;AACvD,eAAO,cAAc,KAAK,iBAAiB,uBAAuB;AAAA,MACpE;AAEA,YAAM,YAAY,MAAM,WAAW,cAAc,SAAS,aAAa;AACvE,UAAI,CAAC,WAAW;AACd,eAAO,cAAc,KAAK,iBAAiB,0BAA0B;AAAA,MACvE;AAEA,YAAM,MAAM,MAAM,cAAc;AAChC,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,cAAc,MAAM,IAAI,QAAQ;AAAA,QACpC,OAAO,SAAS,OAAO,KAAK,GAAG;AAAA,QAC/B,OAAO,SAAS;AAAA,MAClB,CAAC,EACE,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,WAAW,SAAS,OAAO,SAAS,SAAS,SAAS,QAAQ,EAC9D,UAAU,OAAO,WAAW,EAC5B,YAAY,OAAO,WAAW,EAC9B,YAAY,GAAG,EACf,kBAAkB,MAAM,QAAQ,EAChC,KAAK,GAAG;AAEX,YAAM,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,YAAM,MAAM,iBAAiB,cAAc;AAAA,QACzC,UAAU,SAAS;AAAA,QACnB,QAAQ,SAAS;AAAA,QACjB,OAAO,SAAS;AAAA,QAChB,KAAK,SAAS;AAAA,QACd,WAAW,MAAM,KAAK,KAAK;AAAA,MAC7B,CAAC;AAED,aAAO,aAAa,KAAK;AAAA,QACvB,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,OAAO,SAAS,OAAO,KAAK,GAAG;AAAA,QAC/B,eAAe;AAAA,MACjB,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,YAAY,OAAsC;AACtD,UAAI;AACF,cAAM,MAAM,MAAM,cAAc;AAChC,cAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,KAAK;AAAA,UAC9C,QAAQ,OAAO;AAAA,UACf,UAAU,OAAO;AAAA,QACnB,CAAC;AACD,eAAO;AAAA,UACL;AAAA,UACA,UAAU,QAAQ,OAAO;AAAA,UACzB,QAAQ,OAAO,QAAQ,UAAU,WAAW,QAAQ,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO,IAAI,CAAC;AAAA,UACxF,WAAW,QAAQ;AAAA,UACnB,OAAO,QAAQ;AAAA,QACjB;AAAA,MACF,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;;;AE3aO,SAAS,OAAO,SAAyC;AAC9D,QAAM,WAAW,iBAAiB;AAAA,IAChC,cAAc;AAAA,IACd,UAAU;AAAA,IACV,aAAa;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB,cAAc,QAAQ;AAAA,IACtB,aAAa,QAAQ;AAAA,IACrB,cAAc,QAAQ;AAAA,IACtB,gBAAgB,QAAQ,kBAAkB,CAAC,UAAU,OAAO;AAAA,IAC5D,cAAc,QAAQ;AAAA,IACtB,YAAY,QAAQ;AAAA,IACpB,UAAU,QAAQ;AAAA,IAClB,OAAO,QAAQ;AAAA,EACjB,CAAC;AAED,SAAO;AAAA,IACL,aAAa,CAAC,UAAU,SAAS,YAAY,KAAK;AAAA,IAClD,UAAU;AAAA,IACV,aAAa,QAAQ;AAAA,IACrB,sBAAsB,CAAC,QAAQ,WAAW;AAAA,IAC1C;AAAA,IACA,cAAc,QAAQ,gBAAgB;AAAA,EACxC;AACF;;;ACxCA,SAAS,YAAY,cAAc,qBAAqB;AAGxD,SAASI,SAAyC,KAAwB,KAA4B;AACpG,QAAM,OAAO,IAAI,GAAG;AACpB,MAAI,CAAC,MAAM;AAAE,WAAO;AAAA,EAAU;AAC9B,MAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,WAAO,IAAI,GAAG;AACd,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAUA,SAAS,eAAe,MAAc,OAAkB;AACtD,gBAAc,MAAM,KAAK,UAAU,OAAO,MAAM,CAAC,GAAG,OAAO;AAC7D;AAEA,SAAS,cAAc,MAAyB;AAC9C,MAAI,CAAC,WAAW,IAAI,GAAG;AACrB,WAAO;AAAA,MACL,WAAW,CAAC;AAAA,MACZ,cAAc,CAAC;AAAA,MACf,eAAe,CAAC;AAAA,MAChB,SAAS,CAAC;AAAA,MACV,eAAe,CAAC;AAAA,IAClB;AAAA,EACF;AACA,QAAM,OAAO,KAAK,MAAM,aAAa,MAAM,OAAO,CAAC;AACnD,MAAI,CAAC,KAAK,eAAe;AAAE,SAAK,gBAAgB,CAAC;AAAA,EAAE;AACnD,SAAO;AACT;AAEO,SAAS,gBAAgB,MAA0B;AACxD,QAAM,QAAmB,cAAc,IAAI;AAE3C,SAAO;AAAA,IACL,MAAM,aAAa,MAAM,MAAM;AAC7B,YAAM,UAAU,IAAI,IAAI;AACxB,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,YAAY,MAAM;AAAE,aAAOA,SAAQ,MAAM,WAAW,IAAI;AAAA,IAAE;AAAA,IAChE,MAAM,eAAe,MAAM;AACzB,aAAO,MAAM,UAAU,IAAI;AAC3B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,gBAAgB,OAAO,MAAM;AACjC,YAAM,aAAa,KAAK,IAAI;AAC5B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,eAAe,OAAO;AAAE,aAAOA,SAAQ,MAAM,cAAc,KAAK;AAAA,IAAE;AAAA,IACxE,MAAM,kBAAkB,OAAO;AAC7B,aAAO,MAAM,aAAa,KAAK;AAC/B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,iBAAiB,OAAO,UAAU;AACtC,YAAM,cAAc,KAAK,IAAI,EAAE,UAAU,WAAW,KAAK,IAAI,IAAI,MAAO,IAAI;AAC5E,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,gBAAgB,OAAO;AAC3B,YAAM,OAAO,MAAM,cAAc,KAAK;AACtC,UAAI,CAAC,MAAM;AAAE,eAAO;AAAA,MAAU;AAC9B,UAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,eAAO,MAAM,cAAc,KAAK;AAChC,uBAAe,MAAM,KAAK;AAC1B,eAAO;AAAA,MACT;AACA,aAAO,KAAK;AAAA,IACd;AAAA,IACA,MAAM,mBAAmB,OAAO;AAC9B,aAAO,MAAM,cAAc,KAAK;AAChC,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,WAAW,UAAU,MAAM;AAC/B,YAAM,QAAQ,QAAQ,IAAI;AAC1B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,UAAU,UAAU;AAAE,aAAO,MAAM,QAAQ,QAAQ;AAAA,IAAE;AAAA,IAE3D,MAAM,iBAAiB,OAAO,MAAM;AAClC,YAAM,cAAc,KAAK,IAAI;AAC7B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,gBAAgB,OAAO;AAAE,aAAOA,SAAQ,MAAM,eAAe,KAAK;AAAA,IAAE;AAAA,IAC1E,MAAM,mBAAmB,OAAO;AAC9B,aAAO,MAAM,cAAc,KAAK;AAChC,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,EACF;AACF;;;ACnFO,SAAS,iBAAiB,SAAwC;AACvE,QAAM,EAAE,QAAQ,SAAS,mBAAmB,IAAI;AAEhD,WAAS,IAAI,WAAmB,IAAY;AAC1C,WAAO,GAAG,MAAM,GAAG,SAAS,IAAI,EAAE;AAAA,EACpC;AAEA,WAAS,cAAc,WAAuC;AAC5D,UAAM,UAAU,KAAK,MAAM,YAAY,KAAK,IAAI,IAAI,GAAI;AACxD,WAAO,UAAU,IAAI,UAAU;AAAA,EACjC;AAEA,iBAAe,KAAQ,WAAmB,IAAY,MAAS,WAAoB;AACjF,UAAM,OAAwB,CAAC;AAC/B,UAAM,MAAM,aAAa,OAAO,cAAc,SAAS,IAAI;AAC3D,QAAI,OAAO,MAAM;AAAE,WAAK,KAAK;AAAA,IAAI;AACjC,UAAM,OAAO,IAAI,IAAI,WAAW,EAAE,GAAG,KAAK,UAAU,IAAI,GAAG,IAAI;AAAA,EACjE;AAEA,iBAAe,KAAQ,WAAmB,IAAoC;AAC5E,UAAM,MAAM,MAAM,OAAO,IAAI,IAAI,WAAW,EAAE,CAAC;AAC/C,QAAI,OAAO,MAAM;AAAE,aAAO;AAAA,IAAU;AACpC,WAAQ,OAAO,QAAQ,WAAW,KAAK,MAAM,GAAG,IAAI;AAAA,EACtD;AAEA,iBAAe,OAAO,WAAmB,IAAY;AACnD,UAAM,OAAO,IAAI,IAAI,WAAW,EAAE,CAAC;AAAA,EACrC;AAEA,SAAO;AAAA,IACL,MAAM,aAAa,MAAM,MAAM;AAAE,YAAM,KAAK,aAAa,MAAM,MAAM,KAAK,SAAS;AAAA,IAAE;AAAA,IACrF,MAAM,YAAY,MAAM;AAAE,aAAO,KAAK,aAAa,IAAI;AAAA,IAAE;AAAA,IACzD,MAAM,eAAe,MAAM;AAAE,YAAM,OAAO,aAAa,IAAI;AAAA,IAAE;AAAA,IAE7D,MAAM,gBAAgB,OAAO,MAAM;AAAE,YAAM,KAAK,gBAAgB,OAAO,MAAM,KAAK,SAAS;AAAA,IAAE;AAAA,IAC7F,MAAM,eAAe,OAAO;AAAE,aAAO,KAAK,gBAAgB,KAAK;AAAA,IAAE;AAAA,IACjE,MAAM,kBAAkB,OAAO;AAAE,YAAM,OAAO,gBAAgB,KAAK;AAAA,IAAE;AAAA,IAErE,MAAM,iBAAiB,OAAO,UAAU;AACtC,YAAM,YAAY,KAAK,IAAI,IAAI,MAAO;AACtC,YAAM,KAAK,iBAAiB,OAAO,EAAE,UAAU,UAAU,GAAG,SAAS;AAAA,IACvE;AAAA,IACA,MAAM,gBAAgB,OAAO;AAC3B,YAAM,OAAO,MAAM,KAA8C,iBAAiB,KAAK;AACvF,aAAO,MAAM;AAAA,IACf;AAAA,IACA,MAAM,mBAAmB,OAAO;AAAE,YAAM,OAAO,iBAAiB,KAAK;AAAA,IAAE;AAAA,IAEvE,MAAM,WAAW,UAAU,MAAM;AAAE,YAAM,KAAK,UAAU,UAAU,IAAI;AAAA,IAAE;AAAA,IACxE,MAAM,UAAU,UAAU;AAAE,aAAO,KAAK,UAAU,QAAQ;AAAA,IAAE;AAAA,IAE5D,MAAM,iBAAiB,OAAO,MAAM;AAAE,YAAM,KAAK,iBAAiB,OAAO,MAAM,KAAK,SAAS;AAAA,IAAE;AAAA,IAC/F,MAAM,gBAAgB,OAAO;AAAE,aAAO,KAAK,iBAAiB,KAAK;AAAA,IAAE;AAAA,IACnE,MAAM,mBAAmB,OAAO;AAAE,YAAM,OAAO,iBAAiB,KAAK;AAAA,IAAE;AAAA,EACzE;AACF;;;ACvDA,eAAsB,cACpB,qBACA,QACyB;AACzB,QAAM,WAAW,OAAO,YAAY;AACpC,QAAM,sBAAsB,OAAO,cAC/B,GAAG,OAAO,WAAW,0CACrB;AAEJ,QAAM,QAAQ,mBAAmB,mBAAmB;AAEpD,MAAI,CAAC,OAAO;AACV,QAAI,CAAC,UAAU;AAAE,aAAO,CAAC;AAAA,IAAE;AAC3B,WAAO,qBAAqB,mBAAmB;AAAA,EACjD;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,OAAO,YAAY,KAAK;AAAA,EAC3C,SAAS,IAAI;AACX,UAAM,MAAM,aAAa;AACzB,WAAO,iBAAiB,KAAK,mBAAmB;AAAA,EAClD;AAEA,MAAI,CAAC,UAAU;AACb,UAAM,MAAM,aAAa;AACzB,WAAO,iBAAiB,KAAK,mBAAmB;AAAA,EAClD;AAEA,MAAI,SAAS,aAAa,SAAS,YAAY,KAAK,IAAI,IAAI,KAAM;AAChE,UAAM,MAAM,aAAa,mBAAmB;AAC5C,WAAO,iBAAiB,KAAK,mBAAmB;AAAA,EAClD;AAEA,MAAI,OAAO,gBAAgB,QAAQ;AACjC,UAAM,SAAS,SAAS,UAAU,CAAC;AACnC,UAAM,SAAS,OAAO,eAAe,MAAM,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AACpE,QAAI,CAAC,QAAQ;AACX,YAAM,MAAM,kBAAkB;AAC9B,aAAO,iBAAiB,KAAK,mBAAmB;AAAA,IAClD;AAAA,EACF;AAEA,SAAO,EAAE,MAAM,SAAS;AAC1B;AAEA,SAAS,qBAAqB,qBAA8C;AAC1E,SAAO;AAAA,IACL,OAAO;AAAA,MACL,YAAY;AAAA,MACZ,SAAS;AAAA,QACP,oBAAoB,qBAAqB,QAAW,QAAW,mBAAmB;AAAA,QAClF,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B;AAAA,IACjF;AAAA,EACF;AACF;AAEA,SAAS,iBACP,KACA,qBACgB;AAChB,SAAO;AAAA,IACL,OAAO;AAAA,MACL,YAAY,IAAI;AAAA,MAChB,SAAS;AAAA,QACP,oBAAoB,qBAAqB,IAAI,MAAM,IAAI,SAAS,mBAAmB;AAAA,QACnF,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,EAAE,OAAO,IAAI,MAAM,mBAAmB,IAAI,QAAQ;AAAA,IAC1D;AAAA,EACF;AACF;","names":["refreshToken","key","now","accessToken","withTtl"]}
1
+ {"version":3,"sources":["../src/errors.ts","../src/extract.ts","../src/metadata.ts","../src/store/memory-store.ts","../src/provider/proxy.ts","../src/provider/uri.ts","../src/provider/google.ts","../src/store/json-store.ts","../src/store/redis-store.ts","../src/validate.ts"],"sourcesContent":["export class AuthError extends Error {\n constructor(\n message: string,\n public readonly code: string,\n public readonly statusCode = 401\n ) {\n super(message)\n this.name = 'AuthError'\n }\n}\n\nexport function invalidToken(message = 'Invalid token') {\n return new AuthError(message, 'invalid_token', 401)\n}\n\nexport function insufficientScope(message = 'Insufficient scope') {\n return new AuthError(message, 'insufficient_scope', 403)\n}\n\nexport function missingToken(message = 'No authorization provided') {\n return new AuthError(message, 'missing_token', 401)\n}\n","export function extractBearerToken(header: string | null | undefined): string | null {\n if (!header) { return null }\n const match = /^Bearer\\s+(.+)$/i.exec(header)\n return match?.[1] ?? null\n}\n\nexport function buildWWWAuthenticate(\n error?: string,\n description?: string,\n resourceMetadataUrl?: string\n): string {\n const parts: string[] = []\n if (error) {\n parts.push(`error=\"${error}\"`)\n }\n if (description) {\n parts.push(`error_description=\"${description}\"`)\n }\n if (resourceMetadataUrl) {\n parts.push(`resource_metadata=\"${resourceMetadataUrl}\"`)\n }\n return parts.length > 0 ? `Bearer ${parts.join(', ')}` : 'Bearer'\n}\n","export interface ProtectedResourceMetadata {\n resource: string\n authorization_servers: string[]\n scopes_supported?: string[]\n bearer_methods_supported?: string[]\n}\n\nexport function generateProtectedResourceMetadata(\n resourceUrl: string,\n authorizationServers: string[]\n): ProtectedResourceMetadata {\n return {\n resource: resourceUrl,\n authorization_servers: authorizationServers,\n bearer_methods_supported: ['header']\n }\n}\n","import { AuthCodeData, ClientRegistration, OAuthStore, PendingAuthData, RefreshTokenData } from '../provider/store.js'\n\nfunction withTtl<T extends { expiresAt: number }>(map: Map<string, T>, key: string): T | undefined {\n const item = map.get(key)\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n map.delete(key)\n return undefined\n }\n return item\n}\n\nexport function createMemoryStore(): OAuthStore {\n const authCodes = new Map<string, AuthCodeData>()\n const pendingAuths = new Map<string, PendingAuthData>()\n const pkceVerifiers = new Map<string, { verifier: string; expiresAt: number }>()\n const clients = new Map<string, ClientRegistration>()\n const refreshTokens = new Map<string, RefreshTokenData>()\n\n return {\n async saveAuthCode(code, data) { authCodes.set(code, data) },\n async getAuthCode(code) { return withTtl(authCodes, code) },\n async deleteAuthCode(code) { authCodes.delete(code) },\n\n async savePendingAuth(state, data) { pendingAuths.set(state, data) },\n async getPendingAuth(state) { return withTtl(pendingAuths, state) },\n async deletePendingAuth(state) { pendingAuths.delete(state) },\n\n async savePkceVerifier(state, verifier) {\n pkceVerifiers.set(state, { verifier, expiresAt: Date.now() / 1000 + 600 })\n },\n async getPkceVerifier(state) {\n const item = pkceVerifiers.get(state)\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n pkceVerifiers.delete(state)\n return undefined\n }\n return item.verifier\n },\n async deletePkceVerifier(state) { pkceVerifiers.delete(state) },\n\n async saveClient(clientId, data) { clients.set(clientId, data) },\n async getClient(clientId) { return clients.get(clientId) },\n\n async saveRefreshToken(token, data) { refreshTokens.set(token, data) },\n async getRefreshToken(token) { return withTtl(refreshTokens, token) },\n async deleteRefreshToken(token) { refreshTokens.delete(token) }\n }\n}\n","import { randomBytes, randomUUID } from 'crypto'\nimport { SignJWT, jwtVerify } from 'jose'\nimport { createMemoryStore } from '../store/memory-store.js'\nimport { AuthInfo } from '../types.js'\nimport { OAuthStore } from './store.js'\nimport { OAuthProvider, OAuthResponse } from './types.js'\nimport { matchRedirectUri } from './uri.js'\n\nexport interface OAuthProxyConfig {\n authorizeUrl: string\n tokenUrl: string\n userinfoUrl?: string\n clientId: string\n clientSecret: string\n resourceUrl: string\n redirectUris: string[]\n requiredScopes?: string[]\n callbackPath?: string\n signingKey?: string\n tokenTtl?: number\n store?: OAuthStore\n}\n\nconst CORS_HEADERS: Record<string, string> = {\n 'Access-Control-Allow-Origin': '*',\n 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',\n 'Access-Control-Allow-Headers': '*'\n}\n\nexport function createOAuthProxy(config: OAuthProxyConfig): OAuthProvider {\n const store = config.store ?? createMemoryStore()\n const callbackPath = config.callbackPath ?? '/auth/callback'\n const tokenTtl = config.tokenTtl ?? 3600\n const scopes = config.requiredScopes ?? []\n\n let signingKey: Uint8Array | null = null\n\n async function getSigningKey(): Promise<Uint8Array> {\n if (signingKey) { return signingKey }\n if (config.signingKey) {\n signingKey = new TextEncoder().encode(config.signingKey)\n } else {\n signingKey = randomBytes(32)\n }\n return signingKey\n }\n\n function generateCode(): string {\n return randomBytes(32).toString('base64url')\n }\n\n async function generatePkce(): Promise<{ verifier: string; challenge: string }> {\n const verifier = randomBytes(32).toString('base64url')\n const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))\n const challenge = Buffer.from(hash).toString('base64url')\n return { verifier, challenge }\n }\n\n async function verifyPkce(verifier: string, challenge: string): Promise<boolean> {\n const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))\n const computed = Buffer.from(hash).toString('base64url')\n return computed === challenge\n }\n\n function jsonResponse(status: number, body: Record<string, unknown>, headers: Record<string, string> = {}): OAuthResponse {\n return {\n status,\n headers: { 'Content-Type': 'application/json', ...CORS_HEADERS, ...headers },\n body\n }\n }\n\n function redirectResponse(url: string): OAuthResponse {\n return {\n status: 302,\n headers: { Location: url, ...CORS_HEADERS },\n body: undefined\n }\n }\n\n function errorResponse(status: number, error: string, description: string): OAuthResponse {\n return jsonResponse(status, { error, error_description: description })\n }\n\n const provider: OAuthProvider = {\n metadata(): OAuthResponse {\n return jsonResponse(200, {\n issuer: config.resourceUrl,\n authorization_endpoint: `${config.resourceUrl}/authorize`,\n token_endpoint: `${config.resourceUrl}/token`,\n registration_endpoint: `${config.resourceUrl}/register`,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n code_challenge_methods_supported: ['S256'],\n token_endpoint_auth_methods_supported: ['none', 'client_secret_post'],\n scopes_supported: scopes\n }, { 'Cache-Control': 'max-age=3600' })\n },\n\n async register(req): Promise<OAuthResponse> {\n const body = req.body\n if (!body) { return errorResponse(400, 'invalid_request', 'Missing request body') }\n\n const redirectUris = body.redirect_uris\n if (!redirectUris) { return errorResponse(400, 'invalid_request', 'redirect_uris is required') }\n\n let uris: string[]\n try {\n uris = typeof redirectUris === 'string' ? JSON.parse(redirectUris) : redirectUris\n } catch {\n uris = [redirectUris]\n }\n\n if (!Array.isArray(uris) || uris.length === 0) {\n return errorResponse(400, 'invalid_request', 'redirect_uris must be a non-empty array')\n }\n\n for (const uri of uris) {\n if (!matchRedirectUri(uri, config.redirectUris)) {\n return errorResponse(400, 'invalid_redirect_uri', `Redirect URI not allowed: ${uri}`)\n }\n }\n\n const clientId = randomUUID()\n const clientSecret = randomBytes(32).toString('base64url')\n const registration = {\n clientId,\n clientSecret,\n redirectUris: uris,\n clientName: body.client_name,\n createdAt: Date.now() / 1000\n }\n\n await store.saveClient(clientId, registration)\n\n return jsonResponse(201, {\n client_id: clientId,\n client_secret: clientSecret,\n redirect_uris: uris,\n client_name: body.client_name,\n token_endpoint_auth_method: 'none'\n })\n },\n\n async authorize(req): Promise<OAuthResponse> {\n const params = req.url.searchParams\n const responseType = params.get('response_type')\n const clientId = params.get('client_id')\n const redirectUri = params.get('redirect_uri')\n const scope = params.get('scope') ?? ''\n const clientState = params.get('state') ?? ''\n const codeChallenge = params.get('code_challenge')\n const codeChallengeMethod = params.get('code_challenge_method')\n const resource = params.get('resource')\n\n if (responseType !== 'code') {\n return errorResponse(400, 'unsupported_response_type', 'Only response_type=code is supported')\n }\n if (!clientId) { return errorResponse(400, 'invalid_request', 'client_id is required') }\n if (!redirectUri) { return errorResponse(400, 'invalid_request', 'redirect_uri is required') }\n if (!codeChallenge || codeChallengeMethod !== 'S256') {\n return errorResponse(400, 'invalid_request', 'PKCE with S256 is required')\n }\n\n let client = await store.getClient(clientId)\n\n if (!client && clientId.startsWith('https://')) {\n try {\n const metaRes = await fetch(clientId)\n if (!metaRes.ok) {\n return errorResponse(400, 'invalid_client', 'Failed to fetch client metadata document')\n }\n const meta = await metaRes.json() as Record<string, unknown>\n const metaRedirectUris = meta.redirect_uris as string[] | undefined\n if (!Array.isArray(metaRedirectUris) || metaRedirectUris.length === 0) {\n return errorResponse(400, 'invalid_client', 'Client metadata must include redirect_uris')\n }\n for (const uri of metaRedirectUris) {\n if (!matchRedirectUri(uri, config.redirectUris)) {\n return errorResponse(400, 'invalid_redirect_uri', `Redirect URI not allowed: ${uri}`)\n }\n }\n client = {\n clientId,\n clientSecret: '',\n redirectUris: metaRedirectUris,\n clientName: meta.client_name as string | undefined,\n createdAt: Date.now() / 1000\n }\n await store.saveClient(clientId, client)\n } catch {\n return errorResponse(400, 'invalid_client', 'Failed to fetch client metadata document')\n }\n }\n\n if (!client) { return errorResponse(400, 'invalid_client', 'Unknown client_id') }\n\n if (!client.redirectUris.includes(redirectUri)) {\n return errorResponse(400, 'invalid_redirect_uri', 'redirect_uri does not match registered URIs')\n }\n\n const proxyState = randomUUID()\n const pkce = await generatePkce()\n\n await store.savePendingAuth(proxyState, {\n clientId,\n redirectUri,\n codeChallenge,\n codeChallengeMethod,\n scope,\n clientState,\n resource: resource ?? undefined,\n expiresAt: Date.now() / 1000 + 600\n })\n\n await store.savePkceVerifier(proxyState, pkce.verifier)\n\n const upstreamScopes = scopes.length > 0 ? scopes.join(' ') : scope\n const upstreamUrl = new URL(config.authorizeUrl)\n upstreamUrl.searchParams.set('response_type', 'code')\n upstreamUrl.searchParams.set('client_id', config.clientId)\n upstreamUrl.searchParams.set('redirect_uri', `${config.resourceUrl}${callbackPath}`)\n upstreamUrl.searchParams.set('scope', upstreamScopes)\n upstreamUrl.searchParams.set('state', proxyState)\n upstreamUrl.searchParams.set('code_challenge', pkce.challenge)\n upstreamUrl.searchParams.set('code_challenge_method', 'S256')\n if (params.has('access_type')) {\n upstreamUrl.searchParams.set('access_type', params.get('access_type')!)\n }\n\n return redirectResponse(upstreamUrl.toString())\n },\n\n async callback(req): Promise<OAuthResponse> {\n const params = req.url.searchParams\n const upstreamCode = params.get('code')\n const proxyState = params.get('state')\n const upstreamError = params.get('error')\n\n if (upstreamError) {\n return errorResponse(400, 'upstream_error', params.get('error_description') ?? upstreamError)\n }\n if (!upstreamCode || !proxyState) {\n return errorResponse(400, 'invalid_request', 'Missing code or state')\n }\n\n const pending = await store.getPendingAuth(proxyState)\n if (!pending) { return errorResponse(400, 'invalid_request', 'Unknown or expired state') }\n\n const pkceVerifier = await store.getPkceVerifier(proxyState)\n if (!pkceVerifier) { return errorResponse(400, 'invalid_request', 'Missing PKCE verifier') }\n\n await store.deletePendingAuth(proxyState)\n await store.deletePkceVerifier(proxyState)\n\n const tokenBody = new URLSearchParams({\n grant_type: 'authorization_code',\n code: upstreamCode,\n redirect_uri: `${config.resourceUrl}${callbackPath}`,\n client_id: config.clientId,\n client_secret: config.clientSecret,\n code_verifier: pkceVerifier\n })\n\n const tokenResponse = await fetch(config.tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: tokenBody.toString()\n })\n\n if (!tokenResponse.ok) {\n const errorBody = await tokenResponse.text()\n console.error('Upstream token exchange failed:', errorBody)\n return errorResponse(502, 'upstream_error', 'Failed to exchange code with upstream provider')\n }\n\n const tokens = await tokenResponse.json() as Record<string, unknown>\n const upstreamAccessToken = tokens.access_token as string\n const upstreamIdToken = tokens.id_token as string | undefined\n\n let email: string | undefined\n let sub: string | undefined\n if (config.userinfoUrl && upstreamAccessToken) {\n try {\n const userinfoResponse = await fetch(config.userinfoUrl, {\n headers: { Authorization: `Bearer ${upstreamAccessToken}` }\n })\n if (userinfoResponse.ok) {\n const userinfo = await userinfoResponse.json() as Record<string, unknown>\n email = userinfo.email as string | undefined\n sub = userinfo.sub as string | undefined\n }\n } catch {\n // Userinfo fetch is best-effort\n }\n }\n\n const mcpCode = generateCode()\n await store.saveAuthCode(mcpCode, {\n clientId: pending.clientId,\n redirectUri: pending.redirectUri,\n codeChallenge: pending.codeChallenge,\n codeChallengeMethod: pending.codeChallengeMethod,\n scopes: pending.scope.split(' ').filter(Boolean),\n upstreamAccessToken,\n upstreamIdToken,\n email,\n sub,\n expiresAt: Date.now() / 1000 + 600\n })\n\n const clientRedirect = new URL(pending.redirectUri)\n clientRedirect.searchParams.set('code', mcpCode)\n if (pending.clientState) {\n clientRedirect.searchParams.set('state', pending.clientState)\n }\n\n return redirectResponse(clientRedirect.toString())\n },\n\n async token(req): Promise<OAuthResponse> {\n const body = req.body\n if (!body) { return errorResponse(400, 'invalid_request', 'Missing request body') }\n\n const grantType = body.grant_type\n\n if (grantType === 'refresh_token') {\n const refreshToken = body.refresh_token\n if (!refreshToken) {\n return errorResponse(400, 'invalid_request', 'Missing refresh_token')\n }\n\n const tokenData = await store.getRefreshToken(refreshToken)\n if (!tokenData) {\n return errorResponse(400, 'invalid_grant', 'Invalid or expired refresh token')\n }\n\n const key = await getSigningKey()\n const now = Math.floor(Date.now() / 1000)\n const accessToken = await new SignJWT({\n scope: tokenData.scopes.join(' '),\n email: tokenData.email\n })\n .setProtectedHeader({ alg: 'HS256' })\n .setSubject(tokenData.sub ?? tokenData.email ?? tokenData.clientId)\n .setIssuer(config.resourceUrl)\n .setAudience(config.resourceUrl)\n .setIssuedAt(now)\n .setExpirationTime(now + tokenTtl)\n .sign(key)\n\n return jsonResponse(200, {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: tokenTtl,\n scope: tokenData.scopes.join(' '),\n refresh_token: refreshToken\n })\n }\n\n if (grantType !== 'authorization_code') {\n return errorResponse(400, 'unsupported_grant_type', 'Supported grant types: authorization_code, refresh_token')\n }\n\n const code = body.code\n const redirectUri = body.redirect_uri\n const clientId = body.client_id\n const codeVerifier = body.code_verifier\n\n if (!code || !codeVerifier || !clientId) {\n return errorResponse(400, 'invalid_request', 'Missing required parameters')\n }\n\n const authCode = await store.getAuthCode(code)\n if (!authCode) { return errorResponse(400, 'invalid_grant', 'Invalid or expired authorization code') }\n\n await store.deleteAuthCode(code)\n\n if (authCode.clientId !== clientId) {\n return errorResponse(400, 'invalid_grant', 'client_id mismatch')\n }\n if (redirectUri && authCode.redirectUri !== redirectUri) {\n return errorResponse(400, 'invalid_grant', 'redirect_uri mismatch')\n }\n\n const pkceValid = await verifyPkce(codeVerifier, authCode.codeChallenge)\n if (!pkceValid) {\n return errorResponse(400, 'invalid_grant', 'PKCE verification failed')\n }\n\n const key = await getSigningKey()\n const now = Math.floor(Date.now() / 1000)\n const accessToken = await new SignJWT({\n scope: authCode.scopes.join(' '),\n email: authCode.email\n })\n .setProtectedHeader({ alg: 'HS256' })\n .setSubject(authCode.sub ?? authCode.email ?? authCode.clientId)\n .setIssuer(config.resourceUrl)\n .setAudience(config.resourceUrl)\n .setIssuedAt(now)\n .setExpirationTime(now + tokenTtl)\n .sign(key)\n\n const refreshToken = randomBytes(32).toString('base64url')\n await store.saveRefreshToken(refreshToken, {\n clientId: authCode.clientId,\n scopes: authCode.scopes,\n email: authCode.email,\n sub: authCode.sub,\n expiresAt: now + 30 * 24 * 3600\n })\n\n return jsonResponse(200, {\n access_token: accessToken,\n token_type: 'Bearer',\n expires_in: tokenTtl,\n scope: authCode.scopes.join(' '),\n refresh_token: refreshToken\n })\n },\n\n async verifyToken(token): Promise<AuthInfo | undefined> {\n try {\n const key = await getSigningKey()\n const { payload } = await jwtVerify(token, key, {\n issuer: config.resourceUrl,\n audience: config.resourceUrl\n })\n return {\n token,\n clientId: payload.sub ?? undefined,\n scopes: typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [],\n expiresAt: payload.exp,\n email: payload.email as string | undefined\n }\n } catch {\n return undefined\n }\n }\n }\n\n return provider\n}\n","export function matchRedirectUri(uri: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n const regex = patternToRegex(pattern)\n return regex.test(uri)\n })\n}\n\nfunction patternToRegex(pattern: string): RegExp {\n const escaped = pattern\n .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&')\n .replace(/\\*/g, '.*')\n return new RegExp(`^${escaped}$`)\n}\n","import { AuthConfig } from '../types.js'\nimport { createOAuthProxy } from './proxy.js'\nimport { OAuthStore } from './store.js'\n\nexport interface GoogleOAuthOptions {\n clientId: string\n clientSecret: string\n resourceUrl: string\n redirectUris: string[]\n requiredScopes?: string[]\n callbackPath?: string\n signingKey?: string\n tokenTtl?: number\n store?: OAuthStore\n}\n\nexport function google(options: GoogleOAuthOptions): AuthConfig {\n const provider = createOAuthProxy({\n authorizeUrl: 'https://accounts.google.com/o/oauth2/v2/auth',\n tokenUrl: 'https://oauth2.googleapis.com/token',\n userinfoUrl: 'https://openidconnect.googleapis.com/v1/userinfo',\n clientId: options.clientId,\n clientSecret: options.clientSecret,\n resourceUrl: options.resourceUrl,\n redirectUris: options.redirectUris,\n requiredScopes: options.requiredScopes ?? ['openid', 'email'],\n callbackPath: options.callbackPath,\n signingKey: options.signingKey,\n tokenTtl: options.tokenTtl,\n store: options.store\n })\n\n return {\n verifyToken: (token) => provider.verifyToken(token),\n required: true,\n resourceUrl: options.resourceUrl,\n authorizationServers: [options.resourceUrl],\n provider,\n callbackPath: options.callbackPath ?? '/auth/callback'\n }\n}\n","import { existsSync, readFileSync, writeFileSync } from 'fs'\nimport { AuthCodeData, ClientRegistration, OAuthStore, PendingAuthData, RefreshTokenData } from '../provider/store.js'\n\nfunction withTtl<T extends { expiresAt: number }>(obj: Record<string, T>, key: string): T | undefined {\n const item = obj[key]\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n delete obj[key]\n return undefined\n }\n return item\n}\n\ninterface JsonStore {\n authCodes: Record<string, AuthCodeData>\n pendingAuths: Record<string, PendingAuthData>\n pkceVerifiers: Record<string, { verifier: string; expiresAt: number }>\n clients: Record<string, ClientRegistration>\n refreshTokens: Record<string, RefreshTokenData>\n}\n\nfunction writeJsonStore(path: string, store: JsonStore) {\n writeFileSync(path, JSON.stringify(store, null, 2), 'utf-8')\n}\n\nfunction readJsonStore(path: string): JsonStore {\n if (!existsSync(path)) {\n return {\n authCodes: {},\n pendingAuths: {},\n pkceVerifiers: {},\n clients: {},\n refreshTokens: {}\n }\n }\n const data = JSON.parse(readFileSync(path, 'utf-8'))\n if (!data.refreshTokens) { data.refreshTokens = {} }\n return data\n}\n\nexport function createJsonStore(path: string): OAuthStore {\n const store: JsonStore = readJsonStore(path)\n\n return {\n async saveAuthCode(code, data) {\n store.authCodes[code] = data\n writeJsonStore(path, store)\n },\n async getAuthCode(code) { return withTtl(store.authCodes, code) },\n async deleteAuthCode(code) {\n delete store.authCodes[code]\n writeJsonStore(path, store)\n },\n async savePendingAuth(state, data) {\n store.pendingAuths[state] = data\n writeJsonStore(path, store)\n },\n async getPendingAuth(state) { return withTtl(store.pendingAuths, state) },\n async deletePendingAuth(state) {\n delete store.pendingAuths[state]\n writeJsonStore(path, store)\n },\n async savePkceVerifier(state, verifier) {\n store.pkceVerifiers[state] = { verifier, expiresAt: Date.now() / 1000 + 600 }\n writeJsonStore(path, store)\n },\n async getPkceVerifier(state) {\n const item = store.pkceVerifiers[state]\n if (!item) { return undefined }\n if (item.expiresAt < Date.now() / 1000) {\n delete store.pkceVerifiers[state]\n writeJsonStore(path, store)\n return undefined\n }\n return item.verifier\n },\n async deletePkceVerifier(state) {\n delete store.pkceVerifiers[state]\n writeJsonStore(path, store)\n },\n async saveClient(clientId, data) {\n store.clients[clientId] = data\n writeJsonStore(path, store)\n },\n async getClient(clientId) { return store.clients[clientId] },\n\n async saveRefreshToken(token, data) {\n store.refreshTokens[token] = data\n writeJsonStore(path, store)\n },\n async getRefreshToken(token) { return withTtl(store.refreshTokens, token) },\n async deleteRefreshToken(token) {\n delete store.refreshTokens[token]\n writeJsonStore(path, store)\n }\n }\n}\n","import type { OAuthStore } from '../provider/store.js'\n\nexport interface RedisClient {\n get(key: string): Promise<unknown>\n set(key: string, value: string, options?: { ex?: number }): Promise<unknown>\n del(key: string): Promise<unknown>\n}\n\nexport interface RedisStoreOptions {\n client: RedisClient\n prefix?: string\n}\n\nexport function createRedisStore(options: RedisStoreOptions): OAuthStore {\n const { client, prefix = 'silkweave:oauth:' } = options\n\n function key(namespace: string, id: string) {\n return `${prefix}${namespace}:${id}`\n }\n\n function ttlFromExpiry(expiresAt: number): number | undefined {\n const seconds = Math.floor(expiresAt - Date.now() / 1000)\n return seconds > 0 ? seconds : undefined\n }\n\n async function save<T>(namespace: string, id: string, data: T, expiresAt?: number) {\n const opts: { ex?: number } = {}\n const ttl = expiresAt != null ? ttlFromExpiry(expiresAt) : undefined\n if (ttl != null) { opts.ex = ttl }\n await client.set(key(namespace, id), JSON.stringify(data), opts)\n }\n\n async function load<T>(namespace: string, id: string): Promise<T | undefined> {\n const raw = await client.get(key(namespace, id))\n if (raw == null) { return undefined }\n return (typeof raw === 'string' ? JSON.parse(raw) : raw) as T\n }\n\n async function remove(namespace: string, id: string) {\n await client.del(key(namespace, id))\n }\n\n return {\n async saveAuthCode(code, data) { await save('auth-code', code, data, data.expiresAt) },\n async getAuthCode(code) { return load('auth-code', code) },\n async deleteAuthCode(code) { await remove('auth-code', code) },\n\n async savePendingAuth(state, data) { await save('pending-auth', state, data, data.expiresAt) },\n async getPendingAuth(state) { return load('pending-auth', state) },\n async deletePendingAuth(state) { await remove('pending-auth', state) },\n\n async savePkceVerifier(state, verifier) {\n const expiresAt = Date.now() / 1000 + 600\n await save('pkce-verifier', state, { verifier, expiresAt }, expiresAt)\n },\n async getPkceVerifier(state) {\n const item = await load<{ verifier: string; expiresAt: number }>('pkce-verifier', state)\n return item?.verifier\n },\n async deletePkceVerifier(state) { await remove('pkce-verifier', state) },\n\n async saveClient(clientId, data) { await save('client', clientId, data) },\n async getClient(clientId) { return load('client', clientId) },\n\n async saveRefreshToken(token, data) { await save('refresh-token', token, data, data.expiresAt) },\n async getRefreshToken(token) { return load('refresh-token', token) },\n async deleteRefreshToken(token) { await remove('refresh-token', token) }\n }\n}\n","import { AuthError, insufficientScope, invalidToken } from './errors.js'\nimport { extractBearerToken, buildWWWAuthenticate } from './extract.js'\nimport { AuthConfig, AuthInfo } from './types.js'\n\nexport interface ValidateResult {\n auth?: AuthInfo\n error?: {\n statusCode: number\n headers: Record<string, string>\n body: { error: string; error_description: string }\n }\n}\n\nexport async function validateToken(\n authorizationHeader: string | null | undefined,\n config: AuthConfig\n): Promise<ValidateResult> {\n const required = config.required ?? true\n const resourceMetadataUrl = config.resourceUrl\n ? `${config.resourceUrl}/.well-known/oauth-protected-resource`\n : undefined\n\n const token = extractBearerToken(authorizationHeader)\n\n if (!token) {\n if (!required) { return {} }\n return buildChallengeResult(resourceMetadataUrl)\n }\n\n let authInfo: AuthInfo | undefined\n try {\n authInfo = await config.verifyToken(token)\n } catch (_e) {\n const err = invalidToken()\n return buildErrorResult(err, resourceMetadataUrl)\n }\n\n if (!authInfo) {\n const err = invalidToken()\n return buildErrorResult(err, resourceMetadataUrl)\n }\n\n if (authInfo.expiresAt && authInfo.expiresAt < Date.now() / 1000) {\n const err = invalidToken('Token has expired')\n return buildErrorResult(err, resourceMetadataUrl)\n }\n\n if (config.requiredScopes?.length) {\n const scopes = authInfo.scopes ?? []\n const hasAll = config.requiredScopes.every((s) => scopes.includes(s))\n if (!hasAll) {\n const err = insufficientScope()\n return buildErrorResult(err, resourceMetadataUrl)\n }\n }\n\n return { auth: authInfo }\n}\n\nfunction buildChallengeResult(resourceMetadataUrl?: string): ValidateResult {\n return {\n error: {\n statusCode: 401,\n headers: {\n 'WWW-Authenticate': buildWWWAuthenticate(undefined, undefined, resourceMetadataUrl),\n 'Content-Type': 'application/json'\n },\n body: { error: 'missing_token', error_description: 'No authorization provided' }\n }\n }\n}\n\nfunction buildErrorResult(\n err: AuthError,\n resourceMetadataUrl?: string\n): ValidateResult {\n return {\n error: {\n statusCode: err.statusCode,\n headers: {\n 'WWW-Authenticate': buildWWWAuthenticate(err.code, err.message, resourceMetadataUrl),\n 'Content-Type': 'application/json'\n },\n body: { error: err.code, error_description: err.message }\n }\n }\n}\n"],"mappings":";AAAO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACE,SACgB,MACA,aAAa,KAC7B;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;AAEO,SAAS,aAAa,UAAU,iBAAiB;AACtD,SAAO,IAAI,UAAU,SAAS,iBAAiB,GAAG;AACpD;AAEO,SAAS,kBAAkB,UAAU,sBAAsB;AAChE,SAAO,IAAI,UAAU,SAAS,sBAAsB,GAAG;AACzD;AAEO,SAAS,aAAa,UAAU,6BAA6B;AAClE,SAAO,IAAI,UAAU,SAAS,iBAAiB,GAAG;AACpD;;;ACrBO,SAAS,mBAAmB,QAAkD;AACnF,MAAI,CAAC,QAAQ;AAAE,WAAO;AAAA,EAAK;AAC3B,QAAM,QAAQ,mBAAmB,KAAK,MAAM;AAC5C,SAAO,QAAQ,CAAC,KAAK;AACvB;AAEO,SAAS,qBACd,OACA,aACA,qBACQ;AACR,QAAM,QAAkB,CAAC;AACzB,MAAI,OAAO;AACT,UAAM,KAAK,UAAU,KAAK,GAAG;AAAA,EAC/B;AACA,MAAI,aAAa;AACf,UAAM,KAAK,sBAAsB,WAAW,GAAG;AAAA,EACjD;AACA,MAAI,qBAAqB;AACvB,UAAM,KAAK,sBAAsB,mBAAmB,GAAG;AAAA,EACzD;AACA,SAAO,MAAM,SAAS,IAAI,UAAU,MAAM,KAAK,IAAI,CAAC,KAAK;AAC3D;;;ACfO,SAAS,kCACd,aACA,sBAC2B;AAC3B,SAAO;AAAA,IACL,UAAU;AAAA,IACV,uBAAuB;AAAA,IACvB,0BAA0B,CAAC,QAAQ;AAAA,EACrC;AACF;;;ACdA,SAAS,QAAyC,KAAqB,KAA4B;AACjG,QAAM,OAAO,IAAI,IAAI,GAAG;AACxB,MAAI,CAAC,MAAM;AAAE,WAAO;AAAA,EAAU;AAC9B,MAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,QAAI,OAAO,GAAG;AACd,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,oBAAgC;AAC9C,QAAM,YAAY,oBAAI,IAA0B;AAChD,QAAM,eAAe,oBAAI,IAA6B;AACtD,QAAM,gBAAgB,oBAAI,IAAqD;AAC/E,QAAM,UAAU,oBAAI,IAAgC;AACpD,QAAM,gBAAgB,oBAAI,IAA8B;AAExD,SAAO;AAAA,IACL,MAAM,aAAa,MAAM,MAAM;AAAE,gBAAU,IAAI,MAAM,IAAI;AAAA,IAAE;AAAA,IAC3D,MAAM,YAAY,MAAM;AAAE,aAAO,QAAQ,WAAW,IAAI;AAAA,IAAE;AAAA,IAC1D,MAAM,eAAe,MAAM;AAAE,gBAAU,OAAO,IAAI;AAAA,IAAE;AAAA,IAEpD,MAAM,gBAAgB,OAAO,MAAM;AAAE,mBAAa,IAAI,OAAO,IAAI;AAAA,IAAE;AAAA,IACnE,MAAM,eAAe,OAAO;AAAE,aAAO,QAAQ,cAAc,KAAK;AAAA,IAAE;AAAA,IAClE,MAAM,kBAAkB,OAAO;AAAE,mBAAa,OAAO,KAAK;AAAA,IAAE;AAAA,IAE5D,MAAM,iBAAiB,OAAO,UAAU;AACtC,oBAAc,IAAI,OAAO,EAAE,UAAU,WAAW,KAAK,IAAI,IAAI,MAAO,IAAI,CAAC;AAAA,IAC3E;AAAA,IACA,MAAM,gBAAgB,OAAO;AAC3B,YAAM,OAAO,cAAc,IAAI,KAAK;AACpC,UAAI,CAAC,MAAM;AAAE,eAAO;AAAA,MAAU;AAC9B,UAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,sBAAc,OAAO,KAAK;AAC1B,eAAO;AAAA,MACT;AACA,aAAO,KAAK;AAAA,IACd;AAAA,IACA,MAAM,mBAAmB,OAAO;AAAE,oBAAc,OAAO,KAAK;AAAA,IAAE;AAAA,IAE9D,MAAM,WAAW,UAAU,MAAM;AAAE,cAAQ,IAAI,UAAU,IAAI;AAAA,IAAE;AAAA,IAC/D,MAAM,UAAU,UAAU;AAAE,aAAO,QAAQ,IAAI,QAAQ;AAAA,IAAE;AAAA,IAEzD,MAAM,iBAAiB,OAAO,MAAM;AAAE,oBAAc,IAAI,OAAO,IAAI;AAAA,IAAE;AAAA,IACrE,MAAM,gBAAgB,OAAO;AAAE,aAAO,QAAQ,eAAe,KAAK;AAAA,IAAE;AAAA,IACpE,MAAM,mBAAmB,OAAO;AAAE,oBAAc,OAAO,KAAK;AAAA,IAAE;AAAA,EAChE;AACF;;;ACjDA,SAAS,aAAa,kBAAkB;AACxC,SAAS,SAAS,iBAAiB;;;ACD5B,SAAS,iBAAiB,KAAa,UAA6B;AACzE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,UAAM,QAAQ,eAAe,OAAO;AACpC,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB,CAAC;AACH;AAEA,SAAS,eAAe,SAAyB;AAC/C,QAAM,UAAU,QACb,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,IAAI;AACtB,SAAO,IAAI,OAAO,IAAI,OAAO,GAAG;AAClC;;;ADWA,IAAM,eAAuC;AAAA,EAC3C,+BAA+B;AAAA,EAC/B,gCAAgC;AAAA,EAChC,gCAAgC;AAClC;AAEO,SAAS,iBAAiB,QAAyC;AACxE,QAAM,QAAQ,OAAO,SAAS,kBAAkB;AAChD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,WAAW,OAAO,YAAY;AACpC,QAAM,SAAS,OAAO,kBAAkB,CAAC;AAEzC,MAAI,aAAgC;AAEpC,iBAAe,gBAAqC;AAClD,QAAI,YAAY;AAAE,aAAO;AAAA,IAAW;AACpC,QAAI,OAAO,YAAY;AACrB,mBAAa,IAAI,YAAY,EAAE,OAAO,OAAO,UAAU;AAAA,IACzD,OAAO;AACL,mBAAa,YAAY,EAAE;AAAA,IAC7B;AACA,WAAO;AAAA,EACT;AAEA,WAAS,eAAuB;AAC9B,WAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AAAA,EAC7C;AAEA,iBAAe,eAAiE;AAC9E,UAAM,WAAW,YAAY,EAAE,EAAE,SAAS,WAAW;AACrD,UAAM,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI,YAAY,EAAE,OAAO,QAAQ,CAAC;AACrF,UAAM,YAAY,OAAO,KAAK,IAAI,EAAE,SAAS,WAAW;AACxD,WAAO,EAAE,UAAU,UAAU;AAAA,EAC/B;AAEA,iBAAe,WAAW,UAAkB,WAAqC;AAC/E,UAAM,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI,YAAY,EAAE,OAAO,QAAQ,CAAC;AACrF,UAAM,WAAW,OAAO,KAAK,IAAI,EAAE,SAAS,WAAW;AACvD,WAAO,aAAa;AAAA,EACtB;AAEA,WAAS,aAAa,QAAgB,MAA+B,UAAkC,CAAC,GAAkB;AACxH,WAAO;AAAA,MACL;AAAA,MACA,SAAS,EAAE,gBAAgB,oBAAoB,GAAG,cAAc,GAAG,QAAQ;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AAEA,WAAS,iBAAiB,KAA4B;AACpD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,EAAE,UAAU,KAAK,GAAG,aAAa;AAAA,MAC1C,MAAM;AAAA,IACR;AAAA,EACF;AAEA,WAAS,cAAc,QAAgB,OAAe,aAAoC;AACxF,WAAO,aAAa,QAAQ,EAAE,OAAO,mBAAmB,YAAY,CAAC;AAAA,EACvE;AAEA,QAAM,WAA0B;AAAA,IAC9B,WAA0B;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,QAAQ,OAAO;AAAA,QACf,wBAAwB,GAAG,OAAO,WAAW;AAAA,QAC7C,gBAAgB,GAAG,OAAO,WAAW;AAAA,QACrC,uBAAuB,GAAG,OAAO,WAAW;AAAA,QAC5C,0BAA0B,CAAC,MAAM;AAAA,QACjC,uBAAuB,CAAC,sBAAsB,eAAe;AAAA,QAC7D,kCAAkC,CAAC,MAAM;AAAA,QACzC,uCAAuC,CAAC,QAAQ,oBAAoB;AAAA,QACpE,kBAAkB;AAAA,MACpB,GAAG,EAAE,iBAAiB,eAAe,CAAC;AAAA,IACxC;AAAA,IAEA,MAAM,SAAS,KAA6B;AAC1C,YAAM,OAAO,IAAI;AACjB,UAAI,CAAC,MAAM;AAAE,eAAO,cAAc,KAAK,mBAAmB,sBAAsB;AAAA,MAAE;AAElF,YAAM,eAAe,KAAK;AAC1B,UAAI,CAAC,cAAc;AAAE,eAAO,cAAc,KAAK,mBAAmB,2BAA2B;AAAA,MAAE;AAE/F,UAAI;AACJ,UAAI;AACF,eAAO,OAAO,iBAAiB,WAAW,KAAK,MAAM,YAAY,IAAI;AAAA,MACvE,QAAQ;AACN,eAAO,CAAC,YAAY;AAAA,MACtB;AAEA,UAAI,CAAC,MAAM,QAAQ,IAAI,KAAK,KAAK,WAAW,GAAG;AAC7C,eAAO,cAAc,KAAK,mBAAmB,yCAAyC;AAAA,MACxF;AAEA,iBAAW,OAAO,MAAM;AACtB,YAAI,CAAC,iBAAiB,KAAK,OAAO,YAAY,GAAG;AAC/C,iBAAO,cAAc,KAAK,wBAAwB,6BAA6B,GAAG,EAAE;AAAA,QACtF;AAAA,MACF;AAEA,YAAM,WAAW,WAAW;AAC5B,YAAM,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,YAAM,eAAe;AAAA,QACnB;AAAA,QACA;AAAA,QACA,cAAc;AAAA,QACd,YAAY,KAAK;AAAA,QACjB,WAAW,KAAK,IAAI,IAAI;AAAA,MAC1B;AAEA,YAAM,MAAM,WAAW,UAAU,YAAY;AAE7C,aAAO,aAAa,KAAK;AAAA,QACvB,WAAW;AAAA,QACX,eAAe;AAAA,QACf,eAAe;AAAA,QACf,aAAa,KAAK;AAAA,QAClB,4BAA4B;AAAA,MAC9B,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,UAAU,KAA6B;AAC3C,YAAM,SAAS,IAAI,IAAI;AACvB,YAAM,eAAe,OAAO,IAAI,eAAe;AAC/C,YAAM,WAAW,OAAO,IAAI,WAAW;AACvC,YAAM,cAAc,OAAO,IAAI,cAAc;AAC7C,YAAM,QAAQ,OAAO,IAAI,OAAO,KAAK;AACrC,YAAM,cAAc,OAAO,IAAI,OAAO,KAAK;AAC3C,YAAM,gBAAgB,OAAO,IAAI,gBAAgB;AACjD,YAAM,sBAAsB,OAAO,IAAI,uBAAuB;AAC9D,YAAM,WAAW,OAAO,IAAI,UAAU;AAEtC,UAAI,iBAAiB,QAAQ;AAC3B,eAAO,cAAc,KAAK,6BAA6B,sCAAsC;AAAA,MAC/F;AACA,UAAI,CAAC,UAAU;AAAE,eAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,MAAE;AACvF,UAAI,CAAC,aAAa;AAAE,eAAO,cAAc,KAAK,mBAAmB,0BAA0B;AAAA,MAAE;AAC7F,UAAI,CAAC,iBAAiB,wBAAwB,QAAQ;AACpD,eAAO,cAAc,KAAK,mBAAmB,4BAA4B;AAAA,MAC3E;AAEA,UAAI,SAAS,MAAM,MAAM,UAAU,QAAQ;AAE3C,UAAI,CAAC,UAAU,SAAS,WAAW,UAAU,GAAG;AAC9C,YAAI;AACF,gBAAM,UAAU,MAAM,MAAM,QAAQ;AACpC,cAAI,CAAC,QAAQ,IAAI;AACf,mBAAO,cAAc,KAAK,kBAAkB,0CAA0C;AAAA,UACxF;AACA,gBAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,gBAAM,mBAAmB,KAAK;AAC9B,cAAI,CAAC,MAAM,QAAQ,gBAAgB,KAAK,iBAAiB,WAAW,GAAG;AACrE,mBAAO,cAAc,KAAK,kBAAkB,4CAA4C;AAAA,UAC1F;AACA,qBAAW,OAAO,kBAAkB;AAClC,gBAAI,CAAC,iBAAiB,KAAK,OAAO,YAAY,GAAG;AAC/C,qBAAO,cAAc,KAAK,wBAAwB,6BAA6B,GAAG,EAAE;AAAA,YACtF;AAAA,UACF;AACA,mBAAS;AAAA,YACP;AAAA,YACA,cAAc;AAAA,YACd,cAAc;AAAA,YACd,YAAY,KAAK;AAAA,YACjB,WAAW,KAAK,IAAI,IAAI;AAAA,UAC1B;AACA,gBAAM,MAAM,WAAW,UAAU,MAAM;AAAA,QACzC,QAAQ;AACN,iBAAO,cAAc,KAAK,kBAAkB,0CAA0C;AAAA,QACxF;AAAA,MACF;AAEA,UAAI,CAAC,QAAQ;AAAE,eAAO,cAAc,KAAK,kBAAkB,mBAAmB;AAAA,MAAE;AAEhF,UAAI,CAAC,OAAO,aAAa,SAAS,WAAW,GAAG;AAC9C,eAAO,cAAc,KAAK,wBAAwB,6CAA6C;AAAA,MACjG;AAEA,YAAM,aAAa,WAAW;AAC9B,YAAM,OAAO,MAAM,aAAa;AAEhC,YAAM,MAAM,gBAAgB,YAAY;AAAA,QACtC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,UAAU,YAAY;AAAA,QACtB,WAAW,KAAK,IAAI,IAAI,MAAO;AAAA,MACjC,CAAC;AAED,YAAM,MAAM,iBAAiB,YAAY,KAAK,QAAQ;AAEtD,YAAM,iBAAiB,OAAO,SAAS,IAAI,OAAO,KAAK,GAAG,IAAI;AAC9D,YAAM,cAAc,IAAI,IAAI,OAAO,YAAY;AAC/C,kBAAY,aAAa,IAAI,iBAAiB,MAAM;AACpD,kBAAY,aAAa,IAAI,aAAa,OAAO,QAAQ;AACzD,kBAAY,aAAa,IAAI,gBAAgB,GAAG,OAAO,WAAW,GAAG,YAAY,EAAE;AACnF,kBAAY,aAAa,IAAI,SAAS,cAAc;AACpD,kBAAY,aAAa,IAAI,SAAS,UAAU;AAChD,kBAAY,aAAa,IAAI,kBAAkB,KAAK,SAAS;AAC7D,kBAAY,aAAa,IAAI,yBAAyB,MAAM;AAC5D,UAAI,OAAO,IAAI,aAAa,GAAG;AAC7B,oBAAY,aAAa,IAAI,eAAe,OAAO,IAAI,aAAa,CAAE;AAAA,MACxE;AAEA,aAAO,iBAAiB,YAAY,SAAS,CAAC;AAAA,IAChD;AAAA,IAEA,MAAM,SAAS,KAA6B;AAC1C,YAAM,SAAS,IAAI,IAAI;AACvB,YAAM,eAAe,OAAO,IAAI,MAAM;AACtC,YAAM,aAAa,OAAO,IAAI,OAAO;AACrC,YAAM,gBAAgB,OAAO,IAAI,OAAO;AAExC,UAAI,eAAe;AACjB,eAAO,cAAc,KAAK,kBAAkB,OAAO,IAAI,mBAAmB,KAAK,aAAa;AAAA,MAC9F;AACA,UAAI,CAAC,gBAAgB,CAAC,YAAY;AAChC,eAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,MACtE;AAEA,YAAM,UAAU,MAAM,MAAM,eAAe,UAAU;AACrD,UAAI,CAAC,SAAS;AAAE,eAAO,cAAc,KAAK,mBAAmB,0BAA0B;AAAA,MAAE;AAEzF,YAAM,eAAe,MAAM,MAAM,gBAAgB,UAAU;AAC3D,UAAI,CAAC,cAAc;AAAE,eAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,MAAE;AAE3F,YAAM,MAAM,kBAAkB,UAAU;AACxC,YAAM,MAAM,mBAAmB,UAAU;AAEzC,YAAM,YAAY,IAAI,gBAAgB;AAAA,QACpC,YAAY;AAAA,QACZ,MAAM;AAAA,QACN,cAAc,GAAG,OAAO,WAAW,GAAG,YAAY;AAAA,QAClD,WAAW,OAAO;AAAA,QAClB,eAAe,OAAO;AAAA,QACtB,eAAe;AAAA,MACjB,CAAC;AAED,YAAM,gBAAgB,MAAM,MAAM,OAAO,UAAU;AAAA,QACjD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,QAC/D,MAAM,UAAU,SAAS;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,cAAc,IAAI;AACrB,cAAM,YAAY,MAAM,cAAc,KAAK;AAC3C,gBAAQ,MAAM,mCAAmC,SAAS;AAC1D,eAAO,cAAc,KAAK,kBAAkB,gDAAgD;AAAA,MAC9F;AAEA,YAAM,SAAS,MAAM,cAAc,KAAK;AACxC,YAAM,sBAAsB,OAAO;AACnC,YAAM,kBAAkB,OAAO;AAE/B,UAAI;AACJ,UAAI;AACJ,UAAI,OAAO,eAAe,qBAAqB;AAC7C,YAAI;AACF,gBAAM,mBAAmB,MAAM,MAAM,OAAO,aAAa;AAAA,YACvD,SAAS,EAAE,eAAe,UAAU,mBAAmB,GAAG;AAAA,UAC5D,CAAC;AACD,cAAI,iBAAiB,IAAI;AACvB,kBAAM,WAAW,MAAM,iBAAiB,KAAK;AAC7C,oBAAQ,SAAS;AACjB,kBAAM,SAAS;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAEA,YAAM,UAAU,aAAa;AAC7B,YAAM,MAAM,aAAa,SAAS;AAAA,QAChC,UAAU,QAAQ;AAAA,QAClB,aAAa,QAAQ;AAAA,QACrB,eAAe,QAAQ;AAAA,QACvB,qBAAqB,QAAQ;AAAA,QAC7B,QAAQ,QAAQ,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO;AAAA,QAC/C;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,WAAW,KAAK,IAAI,IAAI,MAAO;AAAA,MACjC,CAAC;AAED,YAAM,iBAAiB,IAAI,IAAI,QAAQ,WAAW;AAClD,qBAAe,aAAa,IAAI,QAAQ,OAAO;AAC/C,UAAI,QAAQ,aAAa;AACvB,uBAAe,aAAa,IAAI,SAAS,QAAQ,WAAW;AAAA,MAC9D;AAEA,aAAO,iBAAiB,eAAe,SAAS,CAAC;AAAA,IACnD;AAAA,IAEA,MAAM,MAAM,KAA6B;AACvC,YAAM,OAAO,IAAI;AACjB,UAAI,CAAC,MAAM;AAAE,eAAO,cAAc,KAAK,mBAAmB,sBAAsB;AAAA,MAAE;AAElF,YAAM,YAAY,KAAK;AAEvB,UAAI,cAAc,iBAAiB;AACjC,cAAMA,gBAAe,KAAK;AAC1B,YAAI,CAACA,eAAc;AACjB,iBAAO,cAAc,KAAK,mBAAmB,uBAAuB;AAAA,QACtE;AAEA,cAAM,YAAY,MAAM,MAAM,gBAAgBA,aAAY;AAC1D,YAAI,CAAC,WAAW;AACd,iBAAO,cAAc,KAAK,iBAAiB,kCAAkC;AAAA,QAC/E;AAEA,cAAMC,OAAM,MAAM,cAAc;AAChC,cAAMC,OAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,cAAMC,eAAc,MAAM,IAAI,QAAQ;AAAA,UACpC,OAAO,UAAU,OAAO,KAAK,GAAG;AAAA,UAChC,OAAO,UAAU;AAAA,QACnB,CAAC,EACE,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,WAAW,UAAU,OAAO,UAAU,SAAS,UAAU,QAAQ,EACjE,UAAU,OAAO,WAAW,EAC5B,YAAY,OAAO,WAAW,EAC9B,YAAYD,IAAG,EACf,kBAAkBA,OAAM,QAAQ,EAChC,KAAKD,IAAG;AAEX,eAAO,aAAa,KAAK;AAAA,UACvB,cAAcE;AAAA,UACd,YAAY;AAAA,UACZ,YAAY;AAAA,UACZ,OAAO,UAAU,OAAO,KAAK,GAAG;AAAA,UAChC,eAAeH;AAAA,QACjB,CAAC;AAAA,MACH;AAEA,UAAI,cAAc,sBAAsB;AACtC,eAAO,cAAc,KAAK,0BAA0B,0DAA0D;AAAA,MAChH;AAEA,YAAM,OAAO,KAAK;AAClB,YAAM,cAAc,KAAK;AACzB,YAAM,WAAW,KAAK;AACtB,YAAM,eAAe,KAAK;AAE1B,UAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,UAAU;AACvC,eAAO,cAAc,KAAK,mBAAmB,6BAA6B;AAAA,MAC5E;AAEA,YAAM,WAAW,MAAM,MAAM,YAAY,IAAI;AAC7C,UAAI,CAAC,UAAU;AAAE,eAAO,cAAc,KAAK,iBAAiB,uCAAuC;AAAA,MAAE;AAErG,YAAM,MAAM,eAAe,IAAI;AAE/B,UAAI,SAAS,aAAa,UAAU;AAClC,eAAO,cAAc,KAAK,iBAAiB,oBAAoB;AAAA,MACjE;AACA,UAAI,eAAe,SAAS,gBAAgB,aAAa;AACvD,eAAO,cAAc,KAAK,iBAAiB,uBAAuB;AAAA,MACpE;AAEA,YAAM,YAAY,MAAM,WAAW,cAAc,SAAS,aAAa;AACvE,UAAI,CAAC,WAAW;AACd,eAAO,cAAc,KAAK,iBAAiB,0BAA0B;AAAA,MACvE;AAEA,YAAM,MAAM,MAAM,cAAc;AAChC,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,cAAc,MAAM,IAAI,QAAQ;AAAA,QACpC,OAAO,SAAS,OAAO,KAAK,GAAG;AAAA,QAC/B,OAAO,SAAS;AAAA,MAClB,CAAC,EACE,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,WAAW,SAAS,OAAO,SAAS,SAAS,SAAS,QAAQ,EAC9D,UAAU,OAAO,WAAW,EAC5B,YAAY,OAAO,WAAW,EAC9B,YAAY,GAAG,EACf,kBAAkB,MAAM,QAAQ,EAChC,KAAK,GAAG;AAEX,YAAM,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,YAAM,MAAM,iBAAiB,cAAc;AAAA,QACzC,UAAU,SAAS;AAAA,QACnB,QAAQ,SAAS;AAAA,QACjB,OAAO,SAAS;AAAA,QAChB,KAAK,SAAS;AAAA,QACd,WAAW,MAAM,KAAK,KAAK;AAAA,MAC7B,CAAC;AAED,aAAO,aAAa,KAAK;AAAA,QACvB,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,OAAO,SAAS,OAAO,KAAK,GAAG;AAAA,QAC/B,eAAe;AAAA,MACjB,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,YAAY,OAAsC;AACtD,UAAI;AACF,cAAM,MAAM,MAAM,cAAc;AAChC,cAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,KAAK;AAAA,UAC9C,QAAQ,OAAO;AAAA,UACf,UAAU,OAAO;AAAA,QACnB,CAAC;AACD,eAAO;AAAA,UACL;AAAA,UACA,UAAU,QAAQ,OAAO;AAAA,UACzB,QAAQ,OAAO,QAAQ,UAAU,WAAW,QAAQ,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO,IAAI,CAAC;AAAA,UACxF,WAAW,QAAQ;AAAA,UACnB,OAAO,QAAQ;AAAA,QACjB;AAAA,MACF,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;;;AE3aO,SAAS,OAAO,SAAyC;AAC9D,QAAM,WAAW,iBAAiB;AAAA,IAChC,cAAc;AAAA,IACd,UAAU;AAAA,IACV,aAAa;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB,cAAc,QAAQ;AAAA,IACtB,aAAa,QAAQ;AAAA,IACrB,cAAc,QAAQ;AAAA,IACtB,gBAAgB,QAAQ,kBAAkB,CAAC,UAAU,OAAO;AAAA,IAC5D,cAAc,QAAQ;AAAA,IACtB,YAAY,QAAQ;AAAA,IACpB,UAAU,QAAQ;AAAA,IAClB,OAAO,QAAQ;AAAA,EACjB,CAAC;AAED,SAAO;AAAA,IACL,aAAa,CAAC,UAAU,SAAS,YAAY,KAAK;AAAA,IAClD,UAAU;AAAA,IACV,aAAa,QAAQ;AAAA,IACrB,sBAAsB,CAAC,QAAQ,WAAW;AAAA,IAC1C;AAAA,IACA,cAAc,QAAQ,gBAAgB;AAAA,EACxC;AACF;;;ACxCA,SAAS,YAAY,cAAc,qBAAqB;AAGxD,SAASI,SAAyC,KAAwB,KAA4B;AACpG,QAAM,OAAO,IAAI,GAAG;AACpB,MAAI,CAAC,MAAM;AAAE,WAAO;AAAA,EAAU;AAC9B,MAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,WAAO,IAAI,GAAG;AACd,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAUA,SAAS,eAAe,MAAc,OAAkB;AACtD,gBAAc,MAAM,KAAK,UAAU,OAAO,MAAM,CAAC,GAAG,OAAO;AAC7D;AAEA,SAAS,cAAc,MAAyB;AAC9C,MAAI,CAAC,WAAW,IAAI,GAAG;AACrB,WAAO;AAAA,MACL,WAAW,CAAC;AAAA,MACZ,cAAc,CAAC;AAAA,MACf,eAAe,CAAC;AAAA,MAChB,SAAS,CAAC;AAAA,MACV,eAAe,CAAC;AAAA,IAClB;AAAA,EACF;AACA,QAAM,OAAO,KAAK,MAAM,aAAa,MAAM,OAAO,CAAC;AACnD,MAAI,CAAC,KAAK,eAAe;AAAE,SAAK,gBAAgB,CAAC;AAAA,EAAE;AACnD,SAAO;AACT;AAEO,SAAS,gBAAgB,MAA0B;AACxD,QAAM,QAAmB,cAAc,IAAI;AAE3C,SAAO;AAAA,IACL,MAAM,aAAa,MAAM,MAAM;AAC7B,YAAM,UAAU,IAAI,IAAI;AACxB,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,YAAY,MAAM;AAAE,aAAOA,SAAQ,MAAM,WAAW,IAAI;AAAA,IAAE;AAAA,IAChE,MAAM,eAAe,MAAM;AACzB,aAAO,MAAM,UAAU,IAAI;AAC3B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,gBAAgB,OAAO,MAAM;AACjC,YAAM,aAAa,KAAK,IAAI;AAC5B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,eAAe,OAAO;AAAE,aAAOA,SAAQ,MAAM,cAAc,KAAK;AAAA,IAAE;AAAA,IACxE,MAAM,kBAAkB,OAAO;AAC7B,aAAO,MAAM,aAAa,KAAK;AAC/B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,iBAAiB,OAAO,UAAU;AACtC,YAAM,cAAc,KAAK,IAAI,EAAE,UAAU,WAAW,KAAK,IAAI,IAAI,MAAO,IAAI;AAC5E,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,gBAAgB,OAAO;AAC3B,YAAM,OAAO,MAAM,cAAc,KAAK;AACtC,UAAI,CAAC,MAAM;AAAE,eAAO;AAAA,MAAU;AAC9B,UAAI,KAAK,YAAY,KAAK,IAAI,IAAI,KAAM;AACtC,eAAO,MAAM,cAAc,KAAK;AAChC,uBAAe,MAAM,KAAK;AAC1B,eAAO;AAAA,MACT;AACA,aAAO,KAAK;AAAA,IACd;AAAA,IACA,MAAM,mBAAmB,OAAO;AAC9B,aAAO,MAAM,cAAc,KAAK;AAChC,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,WAAW,UAAU,MAAM;AAC/B,YAAM,QAAQ,QAAQ,IAAI;AAC1B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,UAAU,UAAU;AAAE,aAAO,MAAM,QAAQ,QAAQ;AAAA,IAAE;AAAA,IAE3D,MAAM,iBAAiB,OAAO,MAAM;AAClC,YAAM,cAAc,KAAK,IAAI;AAC7B,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,IACA,MAAM,gBAAgB,OAAO;AAAE,aAAOA,SAAQ,MAAM,eAAe,KAAK;AAAA,IAAE;AAAA,IAC1E,MAAM,mBAAmB,OAAO;AAC9B,aAAO,MAAM,cAAc,KAAK;AAChC,qBAAe,MAAM,KAAK;AAAA,IAC5B;AAAA,EACF;AACF;;;ACnFO,SAAS,iBAAiB,SAAwC;AACvE,QAAM,EAAE,QAAQ,SAAS,mBAAmB,IAAI;AAEhD,WAAS,IAAI,WAAmB,IAAY;AAC1C,WAAO,GAAG,MAAM,GAAG,SAAS,IAAI,EAAE;AAAA,EACpC;AAEA,WAAS,cAAc,WAAuC;AAC5D,UAAM,UAAU,KAAK,MAAM,YAAY,KAAK,IAAI,IAAI,GAAI;AACxD,WAAO,UAAU,IAAI,UAAU;AAAA,EACjC;AAEA,iBAAe,KAAQ,WAAmB,IAAY,MAAS,WAAoB;AACjF,UAAM,OAAwB,CAAC;AAC/B,UAAM,MAAM,aAAa,OAAO,cAAc,SAAS,IAAI;AAC3D,QAAI,OAAO,MAAM;AAAE,WAAK,KAAK;AAAA,IAAI;AACjC,UAAM,OAAO,IAAI,IAAI,WAAW,EAAE,GAAG,KAAK,UAAU,IAAI,GAAG,IAAI;AAAA,EACjE;AAEA,iBAAe,KAAQ,WAAmB,IAAoC;AAC5E,UAAM,MAAM,MAAM,OAAO,IAAI,IAAI,WAAW,EAAE,CAAC;AAC/C,QAAI,OAAO,MAAM;AAAE,aAAO;AAAA,IAAU;AACpC,WAAQ,OAAO,QAAQ,WAAW,KAAK,MAAM,GAAG,IAAI;AAAA,EACtD;AAEA,iBAAe,OAAO,WAAmB,IAAY;AACnD,UAAM,OAAO,IAAI,IAAI,WAAW,EAAE,CAAC;AAAA,EACrC;AAEA,SAAO;AAAA,IACL,MAAM,aAAa,MAAM,MAAM;AAAE,YAAM,KAAK,aAAa,MAAM,MAAM,KAAK,SAAS;AAAA,IAAE;AAAA,IACrF,MAAM,YAAY,MAAM;AAAE,aAAO,KAAK,aAAa,IAAI;AAAA,IAAE;AAAA,IACzD,MAAM,eAAe,MAAM;AAAE,YAAM,OAAO,aAAa,IAAI;AAAA,IAAE;AAAA,IAE7D,MAAM,gBAAgB,OAAO,MAAM;AAAE,YAAM,KAAK,gBAAgB,OAAO,MAAM,KAAK,SAAS;AAAA,IAAE;AAAA,IAC7F,MAAM,eAAe,OAAO;AAAE,aAAO,KAAK,gBAAgB,KAAK;AAAA,IAAE;AAAA,IACjE,MAAM,kBAAkB,OAAO;AAAE,YAAM,OAAO,gBAAgB,KAAK;AAAA,IAAE;AAAA,IAErE,MAAM,iBAAiB,OAAO,UAAU;AACtC,YAAM,YAAY,KAAK,IAAI,IAAI,MAAO;AACtC,YAAM,KAAK,iBAAiB,OAAO,EAAE,UAAU,UAAU,GAAG,SAAS;AAAA,IACvE;AAAA,IACA,MAAM,gBAAgB,OAAO;AAC3B,YAAM,OAAO,MAAM,KAA8C,iBAAiB,KAAK;AACvF,aAAO,MAAM;AAAA,IACf;AAAA,IACA,MAAM,mBAAmB,OAAO;AAAE,YAAM,OAAO,iBAAiB,KAAK;AAAA,IAAE;AAAA,IAEvE,MAAM,WAAW,UAAU,MAAM;AAAE,YAAM,KAAK,UAAU,UAAU,IAAI;AAAA,IAAE;AAAA,IACxE,MAAM,UAAU,UAAU;AAAE,aAAO,KAAK,UAAU,QAAQ;AAAA,IAAE;AAAA,IAE5D,MAAM,iBAAiB,OAAO,MAAM;AAAE,YAAM,KAAK,iBAAiB,OAAO,MAAM,KAAK,SAAS;AAAA,IAAE;AAAA,IAC/F,MAAM,gBAAgB,OAAO;AAAE,aAAO,KAAK,iBAAiB,KAAK;AAAA,IAAE;AAAA,IACnE,MAAM,mBAAmB,OAAO;AAAE,YAAM,OAAO,iBAAiB,KAAK;AAAA,IAAE;AAAA,EACzE;AACF;;;ACvDA,eAAsB,cACpB,qBACA,QACyB;AACzB,QAAM,WAAW,OAAO,YAAY;AACpC,QAAM,sBAAsB,OAAO,cAC/B,GAAG,OAAO,WAAW,0CACrB;AAEJ,QAAM,QAAQ,mBAAmB,mBAAmB;AAEpD,MAAI,CAAC,OAAO;AACV,QAAI,CAAC,UAAU;AAAE,aAAO,CAAC;AAAA,IAAE;AAC3B,WAAO,qBAAqB,mBAAmB;AAAA,EACjD;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,OAAO,YAAY,KAAK;AAAA,EAC3C,SAAS,IAAI;AACX,UAAM,MAAM,aAAa;AACzB,WAAO,iBAAiB,KAAK,mBAAmB;AAAA,EAClD;AAEA,MAAI,CAAC,UAAU;AACb,UAAM,MAAM,aAAa;AACzB,WAAO,iBAAiB,KAAK,mBAAmB;AAAA,EAClD;AAEA,MAAI,SAAS,aAAa,SAAS,YAAY,KAAK,IAAI,IAAI,KAAM;AAChE,UAAM,MAAM,aAAa,mBAAmB;AAC5C,WAAO,iBAAiB,KAAK,mBAAmB;AAAA,EAClD;AAEA,MAAI,OAAO,gBAAgB,QAAQ;AACjC,UAAM,SAAS,SAAS,UAAU,CAAC;AACnC,UAAM,SAAS,OAAO,eAAe,MAAM,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AACpE,QAAI,CAAC,QAAQ;AACX,YAAM,MAAM,kBAAkB;AAC9B,aAAO,iBAAiB,KAAK,mBAAmB;AAAA,IAClD;AAAA,EACF;AAEA,SAAO,EAAE,MAAM,SAAS;AAC1B;AAEA,SAAS,qBAAqB,qBAA8C;AAC1E,SAAO;AAAA,IACL,OAAO;AAAA,MACL,YAAY;AAAA,MACZ,SAAS;AAAA,QACP,oBAAoB,qBAAqB,QAAW,QAAW,mBAAmB;AAAA,QAClF,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B;AAAA,IACjF;AAAA,EACF;AACF;AAEA,SAAS,iBACP,KACA,qBACgB;AAChB,SAAO;AAAA,IACL,OAAO;AAAA,MACL,YAAY,IAAI;AAAA,MAChB,SAAS;AAAA,QACP,oBAAoB,qBAAqB,IAAI,MAAM,IAAI,SAAS,mBAAmB;AAAA,QACnF,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,EAAE,OAAO,IAAI,MAAM,mBAAmB,IAAI,QAAQ;AAAA,IAC1D;AAAA,EACF;AACF;","names":["refreshToken","key","now","accessToken","withTtl"]}
package/package.json CHANGED
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "name": "@silkweave/auth",
3
- "version": "1.3.0",
3
+ "version": "1.3.1",
4
4
  "description": "Silkweave Auth — Bearer token and OAuth 2.1 support for MCP servers",
5
5
  "repository": {
6
6
  "type": "git",
7
- "url": "git+ssh://git@github.com/atomicbi/silkweave.git",
7
+ "url": "git+ssh://git@github.com/silkweave/silkweave.git",
8
8
  "directory": "packages/auth"
9
9
  },
10
10
  "type": "module",