@softtechai/quickmcp 1.0.14 → 1.1.0

package/dist/server/api/authApi.js

@@ -0,0 +1,1472 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthApi = void 0;
+const path_1 = __importDefault(require("path"));
+const crypto_1 = __importDefault(require("crypto"));
+const token_utils_1 = require("../../auth/token-utils");
+const jwks_provider_1 = require("../../auth/jwks-provider");
+const logger_1 = require("../../utils/logger");
+class AuthApi {
+    constructor(deps) {
+        this.deps = deps;
+        this.oauthRequestCookieName = 'quickmcp_oauth_req';
+        this.oauthNextCookieName = 'quickmcp_oauth_next';
+        this.oauthCodeTtlMs = 5 * 60 * 1000;
+        this.oauthAccessTokenTtlSec = Number(process.env.QUICKMCP_OAUTH_ACCESS_TTL_SEC || '3600');
+        this.oauthClients = new Map();
+        this.getJwks = (_req, res) => {
+            res.setHeader('Cache-Control', 'public, max-age=3600');
+            res.json((0, jwks_provider_1.getJwks)());
+        };
+        this.getOAuthAuthorizationServerMetadata = (req, res) => {
+            const issuer = this.resolveAppBaseUrl(req).replace(/\/+$/, '');
+            res.json({
+                issuer,
+                authorization_endpoint: `${issuer}/oauth/authorize`,
+                token_endpoint: `${issuer}/oauth/token`,
+                introspection_endpoint: `${issuer}/oauth/introspect`,
+                userinfo_endpoint: `${issuer}/oauth/userinfo`,
+                registration_endpoint: `${issuer}/oauth/register`,
+                jwks_uri: `${issuer}/oauth/jwks`,
+                response_types_supported: ['code'],
+                response_modes_supported: ['query'],
+                grant_types_supported: ['authorization_code', 'refresh_token'],
+                code_challenge_methods_supported: ['S256'],
+                scopes_supported: ['openid', 'profile', 'email', 'offline_access', 'mcp'],
+                token_endpoint_auth_methods_supported: ['none', 'client_secret_post', 'client_secret_basic']
+            });
+        };
+        this.getOAuthProtectedResourceMetadata = (req, res) => {
+            const issuer = this.resolveAppBaseUrl(req).replace(/\/+$/, '');
+            res.json({
+                resource: `${issuer}/mcp`,
+                authorization_servers: [issuer],
+                scopes_supported: ['openid', 'profile', 'email', 'offline_access', 'mcp'],
+                jwks_uri: `${issuer}/oauth/jwks`,
+                bearer_methods_supported: ['header', 'body'],
+                resource_documentation: 'https://www.quickmcp.ai/docs',
+                resource_registration: `${issuer}/oauth/register`
+            });
+        };
+        this.getOpenIdConfigurationMetadata = (req, res) => {
+            const issuer = this.resolveAppBaseUrl(req).replace(/\/+$/, '');
+            res.json({
+                issuer,
+                authorization_endpoint: `${issuer}/oauth/authorize`,
+                token_endpoint: `${issuer}/oauth/token`,
+                introspection_endpoint: `${issuer}/oauth/introspect`,
+                userinfo_endpoint: `${issuer}/oauth/userinfo`,
+                registration_endpoint: `${issuer}/oauth/register`,
+                jwks_uri: `${issuer}/oauth/jwks`,
+                response_types_supported: ['code'],
+                response_modes_supported: ['query'],
+                grant_types_supported: ['authorization_code', 'refresh_token'],
+                code_challenge_methods_supported: ['S256'],
+                scopes_supported: ['openid', 'profile', 'email', 'offline_access', 'mcp'],
+                token_endpoint_auth_methods_supported: ['none', 'client_secret_post', 'client_secret_basic'],
+                request_uri_parameter_supported: false,
+                require_request_uri_registration: false,
+                request_parameter_supported: false,
+                authorization_response_iss_parameter_supported: true
+            });
+        };
+        this.oauthRegister = (req, res) => {
+            const body = (req.body && typeof req.body === 'object') ? req.body : {};
+            const redirectUrisRaw = body.redirect_uris;
+            const redirectUris = Array.isArray(redirectUrisRaw)
+                ? redirectUrisRaw.map((v) => String(v || '').trim()).filter(Boolean)
+                : [];
+            const clientName = String(body.client_name || 'QuickMCP ChatGPT Client').trim();
+            if (redirectUris.length === 0) {
+                res.status(400).json({ error: 'invalid_client_metadata', error_description: 'redirect_uris is required' });
+                return;
+            }
+            if (redirectUris.some((uri) => !/^https?:\/\//i.test(uri))) {
+                res.status(400).json({ error: 'invalid_redirect_uri', error_description: 'redirect_uris must be absolute URLs' });
+                return;
+            }
+            const clientId = `quickmcp_${crypto_1.default.randomBytes(16).toString('hex')}`;
+            const createdAt = Math.floor(Date.now() / 1000);
+            this.oauthClients.set(clientId, {
+                clientId,
+                redirectUris,
+                clientName,
+                tokenEndpointAuthMethod: 'none',
+                createdAt
+            });
+            res.status(201).json({
+                client_id: clientId,
+                client_id_issued_at: createdAt,
+                client_name: clientName,
+                redirect_uris: redirectUris,
+                grant_types: ['authorization_code', 'refresh_token'],
+                response_types: ['code'],
+                token_endpoint_auth_method: 'none'
+            });
+        };
+        this.oauthAuthorize = (req, res) => {
+            const responseType = String(req.query.response_type || '').trim();
+            const clientId = String(req.query.client_id || 'chatgpt').trim();
+            const redirectUri = String(req.query.redirect_uri || '').trim();
+            const state = String(req.query.state || '').trim();
+            const scope = String(req.query.scope || '').trim();
+            const canonicalResource = `${this.resolveAppBaseUrl(req).replace(/\/+$/, '')}/mcp`;
+            const requestedResource = String(req.query.resource || '').trim();
+            // Force canonical resource host to prevent quickmcp.ai vs www.quickmcp.ai token-binding drift.
+            const resource = canonicalResource;
+            const codeChallenge = String(req.query.code_challenge || '').trim();
+            const codeChallengeMethod = this.normalizeOAuthCodeChallengeMethod(String(req.query.code_challenge_method || 'S256'));
+            const nonce = String(req.query.nonce || '').trim() || undefined;
+            if (responseType !== 'code') {
+                if (redirectUri) {
+                    this.redirectOAuthError(res, redirectUri, state, 'unsupported_response_type', 'response_type must be code');
+                }
+                else {
+                    res.status(400).json({ error: 'unsupported_response_type', error_description: 'response_type must be code' });
+                }
+                return;
+            }
+            if (!redirectUri) {
+                res.status(400).json({ error: 'invalid_request', error_description: 'redirect_uri is required' });
+                return;
+            }
+            if (clientId) {
+                const registeredClient = this.oauthClients.get(clientId);
+                if (registeredClient && !registeredClient.redirectUris.includes(redirectUri)) {
+                    this.redirectOAuthError(res, redirectUri, state, 'invalid_request', 'redirect_uri is not registered for client_id');
+                    return;
+                }
+            }
+            if (!codeChallenge) {
+                this.redirectOAuthError(res, redirectUri, state, 'invalid_request', 'code_challenge is required');
+                return;
+            }
+            const pending = {
+                clientId,
+                redirectUri,
+                state,
+                scope,
+                resource,
+                codeChallenge,
+                codeChallengeMethod,
+                nonce,
+                createdAt: Date.now()
+            };
+            if (requestedResource && requestedResource !== resource) {
+                logger_1.logger.info(`[oauth/authorize] normalize resource requested=${requestedResource} canonical=${resource}`);
+            }
+            const encoded = this.encodeOAuthPendingRequest(pending);
+            this.deps.setCookie(res, this.oauthRequestCookieName, encoded, 10 * 60);
+            res.redirect('/oauth/authorize/complete');
+        };
+        this.oauthAuthorizeComplete = async (req, res) => {
+            const cookies = this.deps.parseCookies(req);
+            const rawPending = cookies[this.oauthRequestCookieName];
+            const pending = this.decodeOAuthPendingRequest(rawPending || '');
+            if (!pending || !pending.redirectUri) {
+                res.status(400).json({ error: 'invalid_request', error_description: 'Missing or invalid OAuth authorization request' });
+                return;
+            }
+            if (Date.now() - pending.createdAt > 10 * 60 * 1000) {
+                this.deps.clearCookie(res, this.oauthRequestCookieName);
+                this.redirectOAuthError(res, pending.redirectUri, pending.state, 'invalid_request', 'OAuth authorization request expired');
+                return;
+            }
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                const next = '/oauth/authorize/complete';
+                res.redirect(`/login?next=${encodeURIComponent(next)}`);
+                return;
+            }
+            const code = this.createAuthorizationCode({
+                clientId: pending.clientId,
+                redirectUri: pending.redirectUri,
+                scope: pending.scope,
+                resource: pending.resource,
+                codeChallenge: pending.codeChallenge,
+                codeChallengeMethod: pending.codeChallengeMethod,
+                nonce: pending.nonce,
+                username: ctx.username,
+                workspaceId: ctx.workspaceId,
+                role: ctx.role
+            });
+            this.deps.clearCookie(res, this.oauthRequestCookieName);
+            let location = this.appendQueryParam(pending.redirectUri, 'code', code);
+            if (pending.state)
+                location = this.appendQueryParam(location, 'state', pending.state);
+            res.redirect(location);
+        };
+        this.oauthToken = async (req, res) => {
+            const body = (req.body && typeof req.body === 'object') ? req.body : {};
+            const grantType = String(body.grant_type || '').trim();
+            const code = String(body.code || '').trim();
+            const redirectUri = String(body.redirect_uri || '').trim();
+            const clientId = String(body.client_id || '').trim();
+            const codeVerifier = String(body.code_verifier || '').trim();
+            const requestId = crypto_1.default.randomBytes(6).toString('hex');
+            logger_1.logger.info(`[oauth/token:${requestId}] headers=${JSON.stringify(req.headers)}`);
+            logger_1.logger.info(`[oauth/token:${requestId}] body=${JSON.stringify(body)}`);
+            logger_1.logger.info(`[oauth/token:${requestId}] request grant_type=${grantType || '(empty)'} client_id=${clientId || '(empty)'}`);
+            // refresh_token grant: look up the token and issue a new access token
+            if (grantType === 'refresh_token') {
+                const refreshTokenValue = String(body.refresh_token || '').trim();
+                if (!refreshTokenValue) {
+                    res.status(400).json({ error: 'invalid_request', error_description: 'refresh_token is required' });
+                    return;
+                }
+                try {
+                    const store = this.deps.ensureDataStore();
+                    const refreshHash = crypto_1.default.createHash('sha256').update(refreshTokenValue).digest('hex');
+                    const existingToken = await store.getMcpTokenByHash(refreshHash);
+                    if (!existingToken || existingToken.revokedAt) {
+                        logger_1.logger.warn(`[oauth/token:${requestId}] refresh_token invalid or revoked`);
+                        res.status(400).json({ error: 'invalid_grant', error_description: 'refresh_token is invalid or revoked' });
+                        return;
+                    }
+                    const refreshTtlSec = Number.isFinite(this.oauthAccessTokenTtlSec) && this.oauthAccessTokenTtlSec > 0
+                        ? Math.floor(this.oauthAccessTokenTtlSec)
+                        : 3600;
+                    const resourceUrl = `${this.resolveAppBaseUrl(req).replace(/\/+$/, '')}/mcp`;
+                    const issuerUrl = this.resolveAppBaseUrl(req).replace(/\/+$/, '');
+                    const newTokenPack = this.deps.createMcpToken(existingToken.subjectUsername, existingToken.workspaceId, this.deps.getUserRole(existingToken.subjectUsername, existingToken.workspaceId), refreshTtlSec, resourceUrl, issuerUrl, 'mcp');
+                    await store.createMcpToken({
+                        id: newTokenPack.tokenId,
+                        tokenName: `oauth:refresh:${clientId || 'chatgpt'}`,
+                        workspaceId: existingToken.workspaceId,
+                        subjectUsername: existingToken.subjectUsername,
+                        createdBy: existingToken.subjectUsername,
+                        tokenHash: newTokenPack.tokenHash,
+                        tokenValue: newTokenPack.token,
+                        allowAllServers: true,
+                        allowAllTools: true,
+                        allowAllResources: true,
+                        serverIds: [],
+                        allowedTools: [],
+                        allowedResources: [],
+                        serverRules: {},
+                        toolRules: {},
+                        resourceRules: {},
+                        neverExpires: false,
+                        expiresAt: newTokenPack.expiresAt
+                    });
+                    const newRefreshToken = crypto_1.default.randomBytes(48).toString('base64url');
+                    const newRefreshHash = crypto_1.default.createHash('sha256').update(newRefreshToken).digest('hex');
+                    await store.createMcpToken({
+                        id: crypto_1.default.randomUUID(),
+                        tokenName: `oauth:refresh-token:${clientId || 'chatgpt'}`,
+                        workspaceId: existingToken.workspaceId,
+                        subjectUsername: existingToken.subjectUsername,
+                        createdBy: existingToken.subjectUsername,
+                        tokenHash: newRefreshHash,
+                        tokenValue: newRefreshToken,
+                        allowAllServers: false,
+                        allowAllTools: false,
+                        allowAllResources: false,
+                        serverIds: [],
+                        allowedTools: [],
+                        allowedResources: [],
+                        serverRules: {},
+                        toolRules: {},
+                        resourceRules: {},
+                        neverExpires: true,
+                        expiresAt: null
+                    });
+                    res.setHeader('Cache-Control', 'no-store');
+                    res.setHeader('Pragma', 'no-cache');
+                    logger_1.logger.info(`[oauth/token:${requestId}] refresh success user=${existingToken.subjectUsername}`);
+                    const refreshIdToken = this.createIdToken({ sub: existingToken.subjectUsername, issuer: issuerUrl, clientId: clientId || 'chatgpt', ttlSec: refreshTtlSec });
+                    const refreshResponse = {
+                        access_token: newTokenPack.token,
+                        token_type: 'Bearer',
+                        expires_in: refreshTtlSec,
+                        refresh_token: newRefreshToken,
+                        id_token: refreshIdToken,
+                        scope: 'mcp openid',
+                        resource: resourceUrl
+                    };
+                    logger_1.logger.info(`[oauth/token:${requestId}] refresh response token_type=${refreshResponse.token_type} scope="${refreshResponse.scope}" resource="${refreshResponse.resource}" access_token=${this.maskTokenForLog(refreshResponse.access_token)} refresh_token=${this.maskTokenForLog(refreshResponse.refresh_token)} id_token=${this.maskTokenForLog(refreshResponse.id_token)}`);
+                    res.json(refreshResponse);
+                }
+                catch (err) {
+                    logger_1.logger.warn(`[oauth/token:${requestId}] refresh_token error: ${err instanceof Error ? err.message : String(err)}`);
+                    res.status(400).json({ error: 'invalid_grant', error_description: 'refresh_token processing failed' });
+                }
+                return;
+            }
+            if (grantType !== 'authorization_code') {
+                logger_1.logger.warn(`[oauth/token:${requestId}] rejected unsupported grant_type`);
+                res.status(400).json({ error: 'unsupported_grant_type', error_description: 'grant_type must be authorization_code or refresh_token' });
+                return;
+            }
+            if (!code) {
+                logger_1.logger.warn(`[oauth/token:${requestId}] rejected missing code`);
+                res.status(400).json({ error: 'invalid_request', error_description: 'code is required' });
+                return;
+            }
+            const record = this.decodeOAuthCode(code);
+            if (!record || record.expiresAt <= Date.now()) {
+                logger_1.logger.warn(`[oauth/token:${requestId}] invalid or expired code`);
+                res.status(400).json({ error: 'invalid_grant', error_description: 'authorization code is invalid or expired' });
+                return;
+            }
+            if (redirectUri && this.normalizeRedirectUri(record.redirectUri) !== this.normalizeRedirectUri(redirectUri)) {
+                logger_1.logger.warn(`[oauth/token:${requestId}] redirect mismatch expected=${record.redirectUri} got=${redirectUri}`);
+                res.status(400).json({ error: 'invalid_grant', error_description: 'redirect_uri does not match authorization request' });
+                return;
+            }
+            if (clientId && record.clientId && record.clientId !== clientId) {
+                // Some clients can rotate/re-register IDs between registration and callback retries.
+                // Do not hard-fail here; rely on redirect_uri + PKCE for validation.
+                logger_1.logger.warn(`[oauth/token:${requestId}] client_id mismatch expected=${record.clientId} got=${clientId}`);
+            }
+            if (record.codeChallenge) {
+                if (!codeVerifier) {
+                    logger_1.logger.warn(`[oauth/token:${requestId}] missing code_verifier`);
+                    res.status(400).json({ error: 'invalid_request', error_description: 'code_verifier is required' });
+                    return;
+                }
+                const computed = record.codeChallengeMethod === 'plain'
+                    ? codeVerifier
+                    : crypto_1.default.createHash('sha256').update(codeVerifier).digest('base64url');
+                if (computed !== record.codeChallenge) {
+                    logger_1.logger.warn(`[oauth/token:${requestId}] invalid code_verifier`);
+                    res.status(400).json({ error: 'invalid_grant', error_description: 'code_verifier is invalid' });
+                    return;
+                }
+            }
+            const ttlSec = Number.isFinite(this.oauthAccessTokenTtlSec) && this.oauthAccessTokenTtlSec > 0
+                ? Math.floor(this.oauthAccessTokenTtlSec)
+                : 3600;
+            const resourceUrl = record.resource || `${this.resolveAppBaseUrl(req).replace(/\/+$/, '')}/mcp`;
+            const issuerUrl = this.resolveAppBaseUrl(req).replace(/\/+$/, '');
+            const tokenPack = this.deps.createMcpToken(record.username, record.workspaceId, record.role, ttlSec, resourceUrl, issuerUrl, record.scope || 'mcp');
+            // Generate a refresh token (stored as a special token record in the DB)
+            const refreshToken = crypto_1.default.randomBytes(48).toString('base64url');
+            const refreshTokenHash = crypto_1.default.createHash('sha256').update(refreshToken).digest('hex');
+            try {
+                const store = this.deps.ensureDataStore();
+                await store.createMcpToken({
+                    id: tokenPack.tokenId,
+                    tokenName: `oauth:${clientId || 'chatgpt'}`,
+                    workspaceId: record.workspaceId,
+                    subjectUsername: record.username,
+                    createdBy: record.username,
+                    tokenHash: tokenPack.tokenHash,
+                    tokenValue: tokenPack.token,
+                    allowAllServers: true,
+                    allowAllTools: true,
+                    allowAllResources: true,
+                    serverIds: [],
+                    allowedTools: [],
+                    allowedResources: [],
+                    serverRules: {},
+                    toolRules: {},
+                    resourceRules: {},
+                    neverExpires: false,
+                    expiresAt: tokenPack.expiresAt
+                });
+                // Store refresh token as a long-lived record so it can be looked up later
+                await store.createMcpToken({
+                    id: crypto_1.default.randomUUID(),
+                    tokenName: `oauth:refresh-token:${clientId || 'chatgpt'}`,
+                    workspaceId: record.workspaceId,
+                    subjectUsername: record.username,
+                    createdBy: record.username,
+                    tokenHash: refreshTokenHash,
+                    tokenValue: refreshToken,
+                    allowAllServers: false,
+                    allowAllTools: false,
+                    allowAllResources: false,
+                    serverIds: [],
+                    allowedTools: [],
+                    allowedResources: [],
+                    serverRules: {},
+                    toolRules: {},
+                    resourceRules: {},
+                    neverExpires: true,
+                    expiresAt: null
+                });
+            }
+            catch (err) {
+                logger_1.logger.warn(`[oauth/token:${requestId}] failed to persist token: ${err instanceof Error ? err.message : String(err)}`);
+            }
+            res.setHeader('Cache-Control', 'no-store');
+            res.setHeader('Pragma', 'no-cache');
+            logger_1.logger.info(`[oauth/token:${requestId}] success user=${record.username} ws=${record.workspaceId}`);
+            const grantScopes = (record.scope || '').split(/\s+/);
+            const idToken = grantScopes.includes('openid')
+                ? this.createIdToken({ sub: record.username, issuer: issuerUrl, clientId: clientId || record.clientId, ttlSec, nonce: record.nonce })
+                : undefined;
+            const responseScope = [...new Set([...grantScopes, 'openid'])].join(' ');
+            const tokenResponse = {
+                access_token: tokenPack.token,
+                token_type: 'Bearer',
+                expires_in: ttlSec,
+                refresh_token: refreshToken,
+                ...(idToken ? { id_token: idToken } : {}),
+                scope: responseScope,
+                resource: resourceUrl
+            };
+            logger_1.logger.info(`[oauth/token:${requestId}] response token_type=${tokenResponse.token_type} scope="${tokenResponse.scope}" resource="${tokenResponse.resource}" access_token=${this.maskTokenForLog(tokenResponse.access_token)} refresh_token=${this.maskTokenForLog(tokenResponse.refresh_token)} id_token=${this.maskTokenForLog(tokenResponse.id_token)}`);
+            res.json(tokenResponse);
+        };
+        // RFC 7662 Token Introspection
+        this.oauthIntrospect = async (req, res) => {
+            const body = (req.body && typeof req.body === 'object') ? req.body : {};
+            const token = String(body.token || '').trim();
+            res.setHeader('Cache-Control', 'no-store');
+            if (!token) {
+                res.json({ active: false });
+                return;
+            }
+            try {
+                const tokenSecret = String(process.env.QUICKMCP_TOKEN_SECRET || process.env.AUTH_COOKIE_SECRET || 'change-me');
+                const rsaPublicKey = (0, jwks_provider_1.getRsaPublicKey)();
+                const payload = (rsaPublicKey ? (0, token_utils_1.verifyMcpTokenRS256)(token, rsaPublicKey) : null)
+                    ?? (0, token_utils_1.verifyMcpToken)(token, tokenSecret);
+                if (!payload) {
+                    res.json({ active: false });
+                    return;
+                }
+                const issuer = this.resolveAppBaseUrl(req).replace(/\/+$/, '');
+                res.json({
+                    active: true,
+                    sub: payload.sub,
+                    scope: payload.scope || 'mcp openid',
+                    username: payload.sub,
+                    token_type: 'Bearer',
+                    exp: payload.exp,
+                    iat: payload.iat,
+                    iss: payload.iss || issuer,
+                    aud: payload.aud,
+                    jti: payload.jti
+                });
+            }
+            catch {
+                res.json({ active: false });
+            }
+        };
+        // OIDC UserInfo endpoint (RFC 7517)
+        this.oauthUserinfo = async (req, res) => {
+            const authHeader = String(req.headers.authorization || '').trim();
+            const bearerMatch = authHeader.match(/^Bearer\s+(.+)$/i);
+            const token = bearerMatch ? bearerMatch[1].trim() : '';
+            if (!token) {
+                res.setHeader('WWW-Authenticate', 'Bearer error="invalid_token"');
+                res.status(401).json({ error: 'invalid_token', error_description: 'Bearer token required' });
+                return;
+            }
+            try {
+                const tokenSecret = String(process.env.QUICKMCP_TOKEN_SECRET || process.env.AUTH_COOKIE_SECRET || 'change-me');
+                const rsaPublicKey = (0, jwks_provider_1.getRsaPublicKey)();
+                const payload = (rsaPublicKey ? (0, token_utils_1.verifyMcpTokenRS256)(token, rsaPublicKey) : null)
+                    ?? (0, token_utils_1.verifyMcpToken)(token, tokenSecret);
+                if (!payload) {
+                    res.setHeader('WWW-Authenticate', 'Bearer error="invalid_token"');
+                    res.status(401).json({ error: 'invalid_token', error_description: 'Token is invalid or expired' });
+                    return;
+                }
+                res.json({
+                    sub: payload.sub,
+                    name: payload.sub,
+                    preferred_username: payload.sub,
+                    profile: `${this.resolveAppBaseUrl(req).replace(/\/+$/, '')}/users/${encodeURIComponent(payload.sub)}`
+                });
+            }
+            catch {
+                res.status(500).json({ error: 'server_error' });
+            }
+        };
+        this.getMe = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const cookies = this.deps.parseCookies(req);
+            const accessToken = cookies[this.deps.accessCookieName];
+            const payload = accessToken
+                ? ((0, token_utils_1.verifyAccessToken)(accessToken, this.deps.authCookieSecret)
+                    || (0, token_utils_1.verifyAccessTokenAllowExpired)(accessToken, this.deps.authCookieSecret))
+                : null;
+            let storeUser = null;
+            try {
+                storeUser = await this.deps.ensureDataStore().getUser(ctx.username);
+            }
+            catch { }
+            const createdDate = payload?.createdDate || storeUser?.createdAt || '';
+            const lastSignInDate = payload?.lastSignInDate || (payload?.iat ? new Date(payload.iat * 1000).toISOString() : '');
+            res.json({
+                success: true,
+                data: {
+                    username: ctx.username,
+                    displayName: payload?.displayName || ctx.username,
+                    workspaceId: ctx.workspaceId,
+                    authMode: this.deps.authMode,
+                    email: payload?.email || '',
+                    avatarUrl: payload?.avatarUrl || '',
+                    createdDate,
+                    lastSignInDate,
+                    role: ctx.role,
+                    isAdmin: ctx.role === 'admin'
+                }
+            });
+        };
+        this.getRoles = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            res.json({
+                success: true,
+                data: {
+                    roles: [
+                        { id: 'admin', name: 'Admin', description: 'Can manage users and all servers.' },
+                        { id: 'user', name: 'User', description: 'Can use the app and manage own servers.' }
+                    ],
+                    currentUser: { username: ctx.username, workspaceId: ctx.workspaceId, role: ctx.role, isAdmin: ctx.role === 'admin' }
+                }
+            });
+        };
+        this.getUsers = async (req, res) => {
+            if (this.isSaasMode()) {
+                res.status(404).json({ success: false, error: 'Users API is not available in SAAS mode' });
+                return;
+            }
+            const actor = await this.deps.requireAdminApi(req, res);
+            if (!actor)
+                return;
+            try {
+                const users = await this.deps.ensureDataStore().getAllUsersByWorkspace(actor.workspaceId);
+                res.json({ success: true, data: { users, requestedBy: actor.username, workspaceId: actor.workspaceId } });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to load users' });
+            }
+        };
+        this.getAuthorizationConfig = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const isSaasMode = this.isSaasMode();
+            res.json({
+                success: true,
+                data: {
+                    authMode: this.deps.authMode,
+                    deployMode: String(this.deps.deployMode || '').trim().toUpperCase(),
+                    isSaasMode,
+                    mcpTokenRequired: this.deps.authMode !== 'NONE',
+                    username: ctx.username,
+                    workspaceId: ctx.workspaceId
+                }
+            });
+        };
+        this.getAuthorizationContext = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            try {
+                const store = this.deps.ensureDataStore();
+                const workspaceUsers = await store.getAllUsersByWorkspace(ctx.workspaceId);
+                const canManageWorkspace = ctx.role === 'admin' || this.isSaasMode();
+                const users = (canManageWorkspace
+                    ? workspaceUsers
+                    : workspaceUsers.filter((u) => u.username === ctx.username)).map((u) => ({ username: u.username, role: u.role }));
+                const serverRows = await store.getAllServersByOwner(ctx.workspaceId);
+                const servers = await Promise.all(serverRows.map(async (server) => {
+                    const tools = (await store.getToolsForServer(server.id)).map((t) => `${server.id}__${t.name}`);
+                    const resources = (await store.getResourcesForServer(server.id)).map((r) => `${server.id}__${r.name}`);
+                    const rawType = server.sourceConfig?.type;
+                    const type = typeof rawType === 'string' ? rawType : 'unknown';
+                    return { id: server.id, name: server.name, type, tools, resources };
+                }));
+                res.json({ success: true, data: { workspaceId: ctx.workspaceId, users, servers } });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to load authorization context' });
+            }
+        };
+        this.getAuthorizationServers = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            try {
+                const store = this.deps.ensureDataStore();
+                const servers = await store.getAllServersByOwner(ctx.workspaceId);
+                const data = await Promise.all(servers.map(async (server) => {
+                    const cfg = await store.getServerAuthConfig(server.id);
+                    return {
+                        id: server.id,
+                        name: server.name,
+                        ownerUsername: server.ownerUsername,
+                        requireMcpToken: cfg ? cfg.requireMcpToken : true
+                    };
+                }));
+                res.json({ success: true, data: { servers: data } });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to load authorization settings' });
+            }
+        };
+        this.getAuthorizationTokenPolicy = async (req, res) => {
+            const actor = this.isSaasMode()
+                ? await this.deps.resolveAuthContext(req, res)
+                : await this.deps.requireAdminApi(req, res);
+            if (this.isSaasMode() && !actor) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            if (!actor)
+                return;
+            try {
+                const store = this.deps.ensureDataStore();
+                const users = (await store.getAllUsersByWorkspace(actor.workspaceId)).map((u) => u.username);
+                const servers = (await store.getAllServersByOwner(actor.workspaceId)).map((s) => s.id);
+                const toolsByServer = await Promise.all(servers.map((serverId) => store.getToolsForServer(serverId)));
+                const tools = servers.flatMap((serverId, index) => toolsByServer[index].map((t) => `${serverId}__${t.name}`));
+                const globalPolicy = await store.getMcpTokenPolicy('global', '*');
+                const userPolicies = await store.listMcpTokenPolicies('user');
+                const serverPolicies = await store.listMcpTokenPolicies('server');
+                const toolPolicies = await store.listMcpTokenPolicies('tool');
+                const userRules = {};
+                const serverRules = {};
+                const toolRules = {};
+                for (const username of users)
+                    userRules[username] = null;
+                for (const id of servers)
+                    serverRules[id] = null;
+                for (const id of tools)
+                    toolRules[id] = null;
+                userPolicies
+                    .filter((p) => users.includes(p.scopeId))
+                    .forEach((p) => { userRules[p.scopeId] = p.requireMcpToken; });
+                serverPolicies
+                    .filter((p) => p.scopeId.startsWith(`${actor.workspaceId}__`))
+                    .forEach((p) => { serverRules[p.scopeId] = p.requireMcpToken; });
+                toolPolicies
+                    .filter((p) => p.scopeId.startsWith(`${actor.workspaceId}__`))
+                    .forEach((p) => { toolRules[p.scopeId] = p.requireMcpToken; });
+                res.json({
+                    success: true,
+                    data: {
+                        globalRequireMcpToken: globalPolicy ? globalPolicy.requireMcpToken : true,
+                        userRules,
+                        serverRules,
+                        toolRules
+                    }
+                });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to load token policy' });
+            }
+        };
+        this.updateAuthorizationTokenPolicy = async (req, res) => {
+            const actor = this.isSaasMode()
+                ? await this.deps.resolveAuthContext(req, res)
+                : await this.deps.requireAdminApi(req, res);
+            if (this.isSaasMode() && !actor) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            if (!actor)
+                return;
+            try {
+                const store = this.deps.ensureDataStore();
+                const users = (await store.getAllUsersByWorkspace(actor.workspaceId)).map((u) => u.username);
+                const usersSet = new Set(users);
+                const globalRequireMcpToken = req.body?.globalRequireMcpToken !== false;
+                const userRules = this.normalizePolicyMap(req.body?.userRules, 'user', actor.workspaceId, usersSet);
+                const serverRules = this.normalizePolicyMap(req.body?.serverRules, 'server', actor.workspaceId, usersSet);
+                const toolRules = this.normalizePolicyMap(req.body?.toolRules, 'tool', actor.workspaceId, usersSet);
+                await store.setMcpTokenPolicy('global', '*', globalRequireMcpToken);
+                await this.applyPolicyMap(store, 'user', userRules);
+                await this.applyPolicyMap(store, 'server', serverRules);
+                await this.applyPolicyMap(store, 'tool', toolRules);
+                res.json({
+                    success: true,
+                    data: {
+                        globalRequireMcpToken,
+                        userRules,
+                        serverRules,
+                        toolRules
+                    }
+                });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to update token policy' });
+            }
+        };
+        this.updateAuthorizationServer = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const serverId = String(req.params.id || '').trim();
+            const requireMcpToken = req.body?.requireMcpToken !== false;
+            if (!serverId) {
+                res.status(400).json({ success: false, error: 'Server id is required' });
+                return;
+            }
+            try {
+                const store = this.deps.ensureDataStore();
+                const server = await store.getServerForOwner(serverId, ctx.workspaceId);
+                if (!server) {
+                    res.status(404).json({ success: false, error: 'Server not found for current user' });
+                    return;
+                }
+                await store.setServerAuthConfig(serverId, requireMcpToken);
+                res.json({ success: true, data: { serverId, requireMcpToken } });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to update authorization settings' });
+            }
+        };
+        this.createAuthorizationMcpToken = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const store = this.deps.ensureDataStore();
+            const tokenName = String(req.body?.tokenName || '').trim();
+            if (!tokenName) {
+                res.status(400).json({ success: false, error: 'Token name is required' });
+                return;
+            }
+            const subjectUsername = this.deps.normalizeUsername(req.body?.subjectUsername) || ctx.username;
+            if (subjectUsername !== ctx.username && (this.isSaasMode() || ctx.role !== 'admin')) {
+                res.status(403).json({ success: false, error: 'Only admin can generate token for other users' });
+                return;
+            }
+            const subjectUser = await store.getUserInWorkspace(subjectUsername, ctx.workspaceId);
+            if (!subjectUser) {
+                res.status(404).json({ success: false, error: 'Selected user is not in this workspace' });
+                return;
+            }
+            const neverExpires = req.body?.neverExpires === true;
+            const rawTtlHours = Number(req.body?.ttlHours);
+            const ttlHours = neverExpires ? null : (Number.isFinite(rawTtlHours) && rawTtlHours > 0 ? Math.min(rawTtlHours, 24 * 3650) : 24 * 30);
+            const serverRules = this.normalizeTriStateRules(req.body?.serverRules, ctx.workspaceId, 'server');
+            const toolRules = this.normalizeTriStateRules(req.body?.toolRules, ctx.workspaceId, 'tool');
+            const resourceRules = this.normalizeTriStateRules(req.body?.resourceRules, ctx.workspaceId, 'resource');
+            // Backward-compatible fields derived from tri-state maps.
+            const serverAllows = Object.entries(serverRules).filter(([, v]) => v === true).map(([k]) => k);
+            const serverDenies = Object.entries(serverRules).filter(([, v]) => v === false).map(([k]) => k);
+            const toolAllows = Object.entries(toolRules).filter(([, v]) => v === true).map(([k]) => k);
+            const toolDenies = Object.entries(toolRules).filter(([, v]) => v === false).map(([k]) => k);
+            const resourceAllows = Object.entries(resourceRules).filter(([, v]) => v === true).map(([k]) => k);
+            const resourceDenies = Object.entries(resourceRules).filter(([, v]) => v === false).map(([k]) => k);
+            const allowAllServers = serverAllows.length === 0 && serverDenies.length === 0;
+            const allowAllTools = toolAllows.length === 0 && toolDenies.length === 0;
+            const allowAllResources = resourceAllows.length === 0 && resourceDenies.length === 0;
+            const serverIds = serverAllows;
+            const allowedTools = toolAllows;
+            const allowedResources = resourceAllows;
+            const tokenPack = this.deps.createMcpToken(subjectUser.username, subjectUser.workspaceId, subjectUser.role, ttlHours ? ttlHours * 3600 : undefined);
+            await store.createMcpToken({
+                id: tokenPack.tokenId,
+                tokenName,
+                workspaceId: subjectUser.workspaceId,
+                subjectUsername: subjectUser.username,
+                createdBy: ctx.username,
+                tokenHash: tokenPack.tokenHash,
+                tokenValue: tokenPack.token,
+                allowAllServers,
+                allowAllTools,
+                allowAllResources,
+                serverIds,
+                allowedTools,
+                allowedResources,
+                serverRules,
+                toolRules,
+                resourceRules,
+                neverExpires,
+                expiresAt: tokenPack.expiresAt
+            });
+            res.json({
+                success: true,
+                data: {
+                    id: tokenPack.tokenId,
+                    tokenName,
+                    token: tokenPack.token,
+                    expiresAt: tokenPack.expiresAt,
+                    neverExpires,
+                    subjectUsername: subjectUser.username,
+                    workspaceId: subjectUser.workspaceId
+                }
+            });
+        };
+        this.getAuthorizationTokens = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const canManageWorkspace = ctx.role === 'admin' || this.isSaasMode();
+            const tokens = (await this.deps.ensureDataStore()
+                .getMcpTokensByWorkspace(ctx.workspaceId))
+                .filter((t) => canManageWorkspace || t.subjectUsername === ctx.username)
+                .map((t) => ({
+                id: t.id,
+                tokenName: t.tokenName,
+                subjectUsername: t.subjectUsername,
+                createdBy: t.createdBy,
+                createdAt: t.createdAt,
+                expiresAt: t.expiresAt,
+                neverExpires: t.neverExpires,
+                revokedAt: t.revokedAt,
+                allowAllServers: t.allowAllServers,
+                allowAllTools: t.allowAllTools,
+                allowAllResources: t.allowAllResources,
+                serverRules: t.serverRules || {},
+                toolRules: t.toolRules || {},
+                resourceRules: t.resourceRules || {}
+            }));
+            res.json({ success: true, data: { tokens } });
+        };
+        this.getAuthorizationTokenById = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const canManageWorkspace = ctx.role === 'admin' || this.isSaasMode();
+            const token = await this.deps.ensureDataStore().getMcpTokenById(String(req.params.id || ''));
+            if (!token || token.workspaceId !== ctx.workspaceId || (!canManageWorkspace && token.subjectUsername !== ctx.username)) {
+                res.status(404).json({ success: false, error: 'Token not found' });
+                return;
+            }
+            res.json({
+                success: true,
+                data: {
+                    id: token.id,
+                    tokenName: token.tokenName,
+                    token: token.tokenValue,
+                    subjectUsername: token.subjectUsername,
+                    createdBy: token.createdBy,
+                    createdAt: token.createdAt,
+                    expiresAt: token.expiresAt,
+                    neverExpires: token.neverExpires,
+                    revokedAt: token.revokedAt,
+                    allowAllServers: token.allowAllServers,
+                    allowAllTools: token.allowAllTools,
+                    allowAllResources: token.allowAllResources,
+                    serverRules: token.serverRules || {},
+                    toolRules: token.toolRules || {},
+                    resourceRules: token.resourceRules || {}
+                }
+            });
+        };
+        this.deleteAuthorizationToken = async (req, res) => {
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (!ctx) {
+                res.status(401).json({ success: false, error: 'Unauthorized' });
+                return;
+            }
+            const canManageWorkspace = ctx.role === 'admin' || this.isSaasMode();
+            const token = await this.deps.ensureDataStore().getMcpTokenById(String(req.params.id || ''));
+            if (!token || token.workspaceId !== ctx.workspaceId || (!canManageWorkspace && token.subjectUsername !== ctx.username)) {
+                res.status(404).json({ success: false, error: 'Token not found' });
+                return;
+            }
+            await this.deps.ensureDataStore().revokeMcpToken(token.id);
+            res.json({ success: true });
+        };
+        this.createUser = async (req, res) => {
+            if (this.isSaasMode()) {
+                res.status(404).json({ success: false, error: 'User management is not available in SAAS mode' });
+                return;
+            }
+            const actor = await this.deps.requireAdminApi(req, res);
+            if (!actor)
+                return;
+            const username = this.deps.normalizeUsername(req.body?.username);
+            const password = typeof req.body?.password === 'string' ? req.body.password : '';
+            const roleInput = typeof req.body?.role === 'string' ? req.body.role.trim().toLowerCase() : 'user';
+            const role = roleInput === 'admin' ? 'admin' : 'user';
+            if (!username) {
+                res.status(400).json({ success: false, error: 'Username is required' });
+                return;
+            }
+            if (!/^[a-zA-Z0-9._-]{3,64}$/.test(username)) {
+                res.status(400).json({ success: false, error: 'Username must be 3-64 chars and contain only letters, numbers, dot, underscore, or dash' });
+                return;
+            }
+            if (!password || password.length < 6) {
+                res.status(400).json({ success: false, error: 'Password must be at least 6 characters' });
+                return;
+            }
+            try {
+                const store = this.deps.ensureDataStore();
+                if (await store.getUserInWorkspace(username, actor.workspaceId)) {
+                    res.status(409).json({ success: false, error: `User "${username}" already exists` });
+                    return;
+                }
+                await store.createUser(username, this.deps.hashPassword(password), role, actor.workspaceId);
+                res.status(201).json({
+                    success: true,
+                    data: {
+                        user: { username, role, workspaceId: actor.workspaceId },
+                        createdBy: actor.username
+                    }
+                });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to create user' });
+            }
+        };
+        this.updateUserRole = async (req, res) => {
+            if (this.isSaasMode()) {
+                res.status(404).json({ success: false, error: 'User management is not available in SAAS mode' });
+                return;
+            }
+            const actor = await this.deps.requireAdminApi(req, res);
+            if (!actor)
+                return;
+            const targetUsername = this.deps.normalizeUsername(req.params.username);
+            const roleInput = typeof req.body?.role === 'string' ? req.body.role.trim().toLowerCase() : '';
+            const role = roleInput === 'admin' ? 'admin' : 'user';
+            if (!targetUsername) {
+                res.status(400).json({ success: false, error: 'Username is required' });
+                return;
+            }
+            const store = this.deps.ensureDataStore();
+            const target = await store.getUserInWorkspace(targetUsername, actor.workspaceId);
+            if (!target) {
+                res.status(404).json({ success: false, error: 'User not found in current workspace' });
+                return;
+            }
+            await store.updateUserRole(targetUsername, actor.workspaceId, role);
+            res.json({ success: true, data: { user: { username: targetUsername, workspaceId: actor.workspaceId, role } } });
+        };
+        this.login = async (req, res) => {
+            if (this.deps.authMode === 'NONE') {
+                res.status(400).json({ success: false, error: 'Login is disabled when AUTH_MODE=NONE' });
+                return;
+            }
+            if (this.deps.authMode === 'SUPABASE_GOOGLE') {
+                res.status(400).json({ success: false, error: 'Use Google Sign-In for SUPABASE_GOOGLE mode' });
+                return;
+            }
+            const username = this.deps.normalizeUsername(req.body?.username);
+            const password = typeof req.body?.password === 'string' ? req.body.password : '';
+            if (!username || !password) {
+                res.status(400).json({ success: false, error: 'Username and password are required' });
+                return;
+            }
+            let authenticatedUsername = '';
+            let authenticatedWorkspaceId = '';
+            let authenticatedRole = 'user';
+            try {
+                const storeUser = await this.deps.ensureDataStore().getUser(username);
+                if (storeUser && this.deps.verifyPassword(password, storeUser.passwordHash)) {
+                    authenticatedUsername = storeUser.username;
+                    authenticatedWorkspaceId = storeUser.workspaceId || storeUser.username;
+                    authenticatedRole = storeUser.role;
+                }
+                else {
+                    const legacyAdmin = this.deps.authAdminUsers.find((item) => item.username === username && item.password === password);
+                    if (legacyAdmin) {
+                        authenticatedUsername = legacyAdmin.username;
+                        authenticatedWorkspaceId = legacyAdmin.username;
+                        authenticatedRole = 'admin';
+                        await this.deps.ensureDataStore().upsertUser(legacyAdmin.username, this.deps.hashPassword(legacyAdmin.password), 'admin', legacyAdmin.username);
+                    }
+                }
+            }
+            catch (error) {
+                logger_1.logger.error('Login datastore error:', error);
+            }
+            if (!authenticatedUsername) {
+                res.status(401).json({ success: false, error: 'Invalid username or password' });
+                return;
+            }
+            if (!authenticatedWorkspaceId)
+                authenticatedWorkspaceId = authenticatedUsername;
+            await this.issueSession(res, authenticatedUsername, authenticatedWorkspaceId, authenticatedRole, {
+                displayName: authenticatedUsername
+            });
+            res.json({
+                success: true,
+                data: {
+                    username: authenticatedUsername,
+                    workspaceId: authenticatedWorkspaceId,
+                    role: authenticatedRole,
+                    isAdmin: authenticatedRole === 'admin'
+                }
+            });
+        };
+        this.oauthProviderStart = (req, res) => {
+            const authProperty = this.deps.getAuthProperty();
+            if (this.deps.authMode !== 'SUPABASE_GOOGLE') {
+                res.status(400).json({ success: false, error: 'Supabase login is only available when AUTH_MODE=SUPABASE_GOOGLE' });
+                return;
+            }
+            if (!authProperty.providerUrl) {
+                res.status(500).json({ success: false, error: 'SUPABASE_URL is not configured' });
+                return;
+            }
+            const next = typeof req.query.next === 'string' && req.query.next.startsWith('/') ? req.query.next : '/';
+            const appBaseUrl = this.resolveAppBaseUrl(req);
+            const redirectTo = `${appBaseUrl.replace(/\/+$/, '')}/login?oauth=callback`;
+            this.deps.setCookie(res, this.oauthNextCookieName, next, 10 * 60);
+            const authorizeUrl = `${authProperty.providerUrl.replace(/\/+$/, '')}/auth/v1/authorize?provider=google&redirect_to=${encodeURIComponent(redirectTo)}`;
+            res.redirect(authorizeUrl);
+        };
+        this.oauthProviderSession = async (req, res) => {
+            const authProperty = this.deps.getAuthProperty();
+            if (this.deps.authMode !== 'SUPABASE_GOOGLE') {
+                res.status(400).json({ success: false, error: 'Supabase session endpoint is only available when AUTH_MODE=SUPABASE_GOOGLE' });
+                return;
+            }
+            if (!authProperty.providerUrl || !authProperty.publicKey) {
+                res.status(500).json({ success: false, error: 'SUPABASE_URL or SUPABASE_ANON_KEY is not configured' });
+                return;
+            }
+            const cookies = this.deps.parseCookies(req);
+            const cookieNextRaw = String(cookies[this.oauthNextCookieName] || '').trim();
+            const cookieNext = cookieNextRaw.startsWith('/') ? cookieNextRaw : '/oauth/authorize/complete';
+            const accessToken = typeof req.body?.accessToken === 'string' ? req.body.accessToken.trim() : '';
+            if (!accessToken) {
+                res.status(400).json({ success: false, error: 'accessToken is required' });
+                return;
+            }
+            try {
+                const userRes = await fetch(`${authProperty.providerUrl.replace(/\/+$/, '')}/auth/v1/user`, {
+                    headers: {
+                        apikey: authProperty.publicKey,
+                        Authorization: `Bearer ${accessToken}`
+                    }
+                });
+                const userPayload = await userRes.json().catch(() => ({}));
+                if (!userRes.ok || !userPayload?.id) {
+                    res.status(401).json({ success: false, error: userPayload?.msg || userPayload?.error_description || 'Invalid Supabase access token' });
+                    return;
+                }
+                const email = typeof userPayload?.email === 'string' ? userPayload.email : '';
+                const avatarUrl = typeof userPayload?.user_metadata?.avatar_url === 'string'
+                    ? userPayload.user_metadata.avatar_url
+                    : '';
+                const displayNameRaw = userPayload?.user_metadata?.full_name
+                    || userPayload?.user_metadata?.name
+                    || userPayload?.user_metadata?.preferred_username
+                    || '';
+                const displayName = String(displayNameRaw || '').trim();
+                const createdDate = typeof userPayload?.created_at === 'string'
+                    ? userPayload.created_at
+                    : (typeof userPayload?.createdAt === 'string'
+                        ? userPayload.createdAt
+                        : (typeof userPayload?.identities?.[0]?.created_at === 'string'
+                            ? userPayload.identities[0].created_at
+                            : ''));
+                const lastSignInDate = typeof userPayload?.last_sign_in_at === 'string'
+                    ? userPayload.last_sign_in_at
+                    : (typeof userPayload?.lastSignInAt === 'string'
+                        ? userPayload.lastSignInAt
+                        : (typeof userPayload?.identities?.[0]?.last_sign_in_at === 'string'
+                            ? userPayload.identities[0].last_sign_in_at
+                            : new Date().toISOString()));
+                const username = this.normalizeSupabaseUsername(email, userPayload?.id);
+                const workspaceId = username;
+                const role = this.resolveSupabaseRole(username, email);
+                await this.deps.ensureDataStore().upsertUser(username, this.deps.hashPassword(`supabase:${userPayload.id}`), role, workspaceId);
+                await this.issueSession(res, username, workspaceId, role, {
+                    displayName: displayName || username,
+                    email,
+                    avatarUrl,
+                    createdDate,
+                    lastSignInDate
+                });
+                this.deps.clearCookie(res, this.oauthNextCookieName);
+                res.json({
+                    success: true,
+                    data: {
+                        username,
+                        workspaceId,
+                        role,
+                        isAdmin: role === 'admin',
+                        next: cookieNext
+                    }
+                });
+            }
+            catch (error) {
+                res.status(500).json({ success: false, error: error instanceof Error ? error.message : 'Failed to validate Supabase session' });
+            }
+        };
+        this.refresh = async (req, res) => {
+            if (this.deps.authMode === 'NONE') {
+                res.status(400).json({ success: false, error: 'Refresh endpoint is not available when AUTH_MODE=NONE' });
+                return;
+            }
+            const cookies = this.deps.parseCookies(req);
+            const refreshToken = cookies[this.deps.refreshCookieName];
+            const currentAccessToken = cookies[this.deps.accessCookieName];
+            const currentPayload = currentAccessToken
+                ? ((0, token_utils_1.verifyAccessToken)(currentAccessToken, this.deps.authCookieSecret)
+                    || (0, token_utils_1.verifyAccessTokenAllowExpired)(currentAccessToken, this.deps.authCookieSecret))
+                : null;
+            if (!refreshToken) {
+                res.status(401).json({ success: false, error: 'Missing refresh token' });
+                return;
+            }
+            const refreshTokenHash = (0, token_utils_1.hashRefreshToken)(refreshToken, this.deps.authCookieSecret);
+            const record = await this.deps.ensureDataStore().getRefreshToken(refreshTokenHash);
+            if (!record || record.revokedAt || new Date(record.expiresAt).getTime() <= Date.now()) {
+                if (record && !record.revokedAt)
+                    await this.deps.ensureDataStore().revokeRefreshToken(refreshTokenHash);
+                this.deps.clearCookie(res, this.deps.accessCookieName);
+                this.deps.clearCookie(res, this.deps.refreshCookieName);
+                res.status(401).json({ success: false, error: 'Refresh token is invalid or expired' });
+                return;
+            }
+            await this.deps.ensureDataStore().revokeRefreshToken(refreshTokenHash);
+            const newRefreshToken = (0, token_utils_1.createRefreshToken)();
+            const newRefreshHash = (0, token_utils_1.hashRefreshToken)(newRefreshToken, this.deps.authCookieSecret);
+            const refreshExpiresAt = new Date(Date.now() + this.deps.authRefreshTtlSec * 1000).toISOString();
+            await this.deps.ensureDataStore().saveRefreshToken(newRefreshHash, record.username, refreshExpiresAt);
+            const refreshedUser = await this.deps.ensureDataStore().getUser(record.username);
+            const refreshedWorkspaceId = refreshedUser?.workspaceId || record.username;
+            const refreshedRole = (refreshedUser?.role || this.deps.getUserRole(record.username, refreshedWorkspaceId));
+            const newAccessToken = (0, token_utils_1.createAccessToken)(record.username, this.deps.authCookieSecret, this.deps.authAccessTtlSec, refreshedWorkspaceId, refreshedRole, currentPayload?.displayName || record.username, currentPayload?.email, currentPayload?.avatarUrl, currentPayload?.createdDate, currentPayload?.lastSignInDate);
+            this.deps.setCookie(res, this.deps.accessCookieName, newAccessToken, this.deps.authAccessTtlSec);
+            this.deps.setCookie(res, this.deps.refreshCookieName, newRefreshToken, this.deps.authRefreshTtlSec);
+            res.json({ success: true, data: { username: record.username } });
+        };
+        this.logout = async (req, res) => {
+            const cookies = this.deps.parseCookies(req);
+            const refreshToken = cookies[this.deps.refreshCookieName];
+            if (refreshToken) {
+                const refreshTokenHash = (0, token_utils_1.hashRefreshToken)(refreshToken, this.deps.authCookieSecret);
+                await this.deps.ensureDataStore().revokeRefreshToken(refreshTokenHash);
+            }
+            this.deps.clearCookie(res, this.deps.accessCookieName);
+            this.deps.clearCookie(res, this.deps.refreshCookieName);
+            res.json({ success: true });
+        };
+        this.getLoginPage = async (req, res) => {
+            if (this.deps.authMode === 'NONE') {
+                res.redirect('/');
+                return;
+            }
+            const next = typeof req.query.next === 'string' && req.query.next.startsWith('/')
+                ? req.query.next
+                : '/';
+            const ctx = await this.deps.resolveAuthContext(req, res);
+            if (ctx) {
+                res.redirect(next);
+                return;
+            }
+            res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+            res.setHeader('Pragma', 'no-cache');
+            res.setHeader('Expires', '0');
+            res.setHeader('Surrogate-Control', 'no-store');
+            res.sendFile(path_1.default.join(this.deps.publicDir, 'login.html'));
+        };
+        this.getUsersPage = (_req, res) => {
+            if (this.isSaasMode()) {
+                res.status(404).send('Not Found');
+                return;
+            }
+            res.sendFile(path_1.default.join(this.deps.publicDir, 'users.html'));
+        };
+        this.getAuthorizationPage = (_req, res) => {
+            res.sendFile(path_1.default.join(this.deps.publicDir, 'authorization.html'));
+        };
+    }
+    maskTokenForLog(value) {
+        const token = String(value || '');
+        if (!token)
+            return '';
+        if (token.length <= 16)
+            return `${token.slice(0, 4)}...(${token.length})`;
+        return `${token.slice(0, 8)}...${token.slice(-6)}(${token.length})`;
+    }
+    isSaasMode() {
+        return String(this.deps.deployMode || '').trim().toUpperCase() === 'SAAS';
+    }
+    resolveAppBaseUrl(req) {
+        const configured = this.deps.getAuthProperty().appBaseUrl.trim();
+        const hostHeader = (req.get('x-forwarded-host') || req.get('host') || '').trim();
+        const protoHeader = (req.get('x-forwarded-proto') || req.protocol || 'http').trim();
+        const host = hostHeader.split(',')[0].trim().toLowerCase();
+        const proto = protoHeader.split(',')[0].trim().toLowerCase() || 'http';
+        const requestOrigin = host ? `${proto}://${host}` : '';
+        if (!configured)
+            return requestOrigin;
+        // Use a single canonical issuer/resource in production to avoid token binding drift
+        // between www/non-www hosts.
+        try {
+            const configuredHost = new URL(configured).host.toLowerCase();
+            const isLocalConfigured = configuredHost.startsWith('localhost:') || configuredHost.startsWith('127.0.0.1:');
+            if (!isLocalConfigured)
+                return configured;
+        }
+        catch {
+            return requestOrigin || configured;
+        }
+        // Local development convenience: if APP_BASE_URL is localhost but request host differs,
+        // reflect request origin.
+        if (requestOrigin)
+            return requestOrigin;
+        return configured;
+    }
+    normalizeTriStateRules(raw, workspaceId, prefix) {
+        const input = raw && typeof raw === 'object' ? raw : {};
+        const out = {};
+        for (const [key, value] of Object.entries(input)) {
+            const id = String(key || '').trim();
+            if (!id || !id.startsWith(prefix === 'server' ? `${workspaceId}__` : `${workspaceId}__`))
+                continue;
+            if (value === true || value === 'allow' || value === 'true' || value === 1 || value === '1')
+                out[id] = true;
+            else if (value === false || value === 'deny' || value === 'false' || value === -1 || value === '-1')
+                out[id] = false;
+            else
+                out[id] = null;
+        }
+        return out;
+    }
+    normalizePolicyMap(raw, kind, workspaceId, usersInWorkspace) {
+        const input = raw && typeof raw === 'object' ? raw : {};
+        const out = {};
+        for (const [key, value] of Object.entries(input)) {
+            const id = String(key || '').trim();
+            if (!id)
+                continue;
+            if (kind === 'user' && !usersInWorkspace.has(id))
+                continue;
+            if ((kind === 'server' || kind === 'tool') && !id.startsWith(`${workspaceId}__`))
+                continue;
+            if (value === true || value === 'allow' || value === 'true' || value === 1 || value === '1')
+                out[id] = true;
+            else if (value === false || value === 'deny' || value === 'false' || value === 0 || value === '0')
+                out[id] = false;
+            else
+                out[id] = null;
+        }
+        return out;
+    }
+    applyPolicyMap(store, scopeType, map) {
+        const writes = [];
+        for (const [id, decision] of Object.entries(map)) {
+            writes.push(store.setMcpTokenPolicy(scopeType, id, decision));
+        }
+        return Promise.all(writes).then(() => undefined);
+    }
+    registerRoutes(app) {
+        app.get('/.well-known/oauth-authorization-server', this.getOAuthAuthorizationServerMetadata);
+        app.get('/.well-known/oauth-authorization-server/mcp', this.getOAuthAuthorizationServerMetadata);
+        app.get('/mcp/.well-known/oauth-authorization-server', this.getOAuthAuthorizationServerMetadata);
+        app.get('/.well-known/oauth-protected-resource', this.getOAuthProtectedResourceMetadata);
+        app.get('/.well-known/oauth-protected-resource/mcp', this.getOAuthProtectedResourceMetadata);
+        app.get('/mcp/.well-known/oauth-protected-resource', this.getOAuthProtectedResourceMetadata);
+        app.get('/.well-known/openid-configuration', this.getOpenIdConfigurationMetadata);
+        app.get('/.well-known/openid-configuration/mcp', this.getOpenIdConfigurationMetadata);
+        app.get('/mcp/.well-known/openid-configuration', this.getOpenIdConfigurationMetadata);
+        app.get('/oauth/jwks', this.getJwks);
+        app.post('/oauth/register', this.oauthRegister);
+        app.get('/oauth/authorize', this.oauthAuthorize);
+        app.get('/oauth/authorize/complete', this.oauthAuthorizeComplete);
+        app.post('/oauth/token', this.oauthToken);
+        app.post('/oauth/introspect', this.oauthIntrospect);
+        app.get('/oauth/userinfo', this.oauthUserinfo);
+        app.post('/oauth/userinfo', this.oauthUserinfo);
+        app.get('/api/auth/me', this.getMe);
+        app.get('/api/auth/roles', this.getRoles);
+        app.get('/api/auth/users', this.getUsers);
+        app.get('/api/authorization/config', this.getAuthorizationConfig);
+        app.get('/api/authorization/context', this.getAuthorizationContext);
+        app.get('/api/authorization/token-policy', this.getAuthorizationTokenPolicy);
+        app.post('/api/authorization/token-policy', this.updateAuthorizationTokenPolicy);
+        app.get('/api/authorization/servers', this.getAuthorizationServers);
+        app.post('/api/authorization/servers/:id', this.updateAuthorizationServer);
+        app.post('/api/authorization/mcp-token', this.createAuthorizationMcpToken);
+        app.get('/api/authorization/tokens', this.getAuthorizationTokens);
+        app.get('/api/authorization/tokens/:id', this.getAuthorizationTokenById);
+        app.delete('/api/authorization/tokens/:id', this.deleteAuthorizationToken);
+        app.post('/api/auth/users', this.createUser);
+        app.patch('/api/auth/users/:username/role', this.updateUserRole);
+        app.post('/api/auth/login', this.login);
+        app.get('/api/auth/oauth/start', this.oauthProviderStart);
+        app.post('/api/auth/oauth/session', this.oauthProviderSession);
+        // Backward-compatible aliases (deprecated).
+        app.get('/api/auth/supabase/start', this.oauthProviderStart);
+        app.post('/api/auth/supabase/session', this.oauthProviderSession);
+        app.post('/api/auth/refresh', this.refresh);
+        app.post('/api/auth/logout', this.logout);
+        app.get('/login', this.getLoginPage);
+        app.get('/users', this.getUsersPage);
+        app.get('/authorization', this.getAuthorizationPage);
+    }
+    normalizeOAuthCodeChallengeMethod(value) {
+        const normalized = String(value || '').trim().toUpperCase();
+        return normalized === 'PLAIN' ? 'plain' : 'S256';
+    }
+    toBase64Url(input) {
+        return Buffer.from(input, 'utf8').toString('base64url');
+    }
+    fromBase64Url(input) {
+        return Buffer.from(input, 'base64url').toString('utf8');
+    }
+    signOAuthState(payloadEncoded) {
+        return crypto_1.default.createHmac('sha256', this.deps.authCookieSecret).update(payloadEncoded).digest('base64url');
+    }
+    encodeOAuthPendingRequest(payload) {
+        const encoded = this.toBase64Url(JSON.stringify(payload));
+        const sig = this.signOAuthState(encoded);
+        return `${encoded}.${sig}`;
+    }
+    decodeOAuthPendingRequest(raw) {
+        const value = String(raw || '').trim();
+        const dot = value.lastIndexOf('.');
+        if (dot <= 0 || dot >= value.length - 1)
+            return null;
+        const encoded = value.slice(0, dot);
+        const sig = value.slice(dot + 1);
+        const expected = this.signOAuthState(encoded);
+        if (sig !== expected)
+            return null;
+        try {
+            const parsed = JSON.parse(this.fromBase64Url(encoded));
+            if (!parsed || typeof parsed !== 'object')
+                return null;
+            return {
+                clientId: String(parsed.clientId || ''),
+                redirectUri: String(parsed.redirectUri || ''),
+                state: String(parsed.state || ''),
+                scope: String(parsed.scope || ''),
+                resource: String(parsed.resource || ''),
+                codeChallenge: String(parsed.codeChallenge || ''),
+                codeChallengeMethod: this.normalizeOAuthCodeChallengeMethod(String(parsed.codeChallengeMethod || 'S256')),
+                createdAt: Number(parsed.createdAt || 0)
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    encodeOAuthCode(record) {
+        const encoded = this.toBase64Url(JSON.stringify(record));
+        const sig = this.signOAuthState(encoded);
+        return `${encoded}.${sig}`;
+    }
+    decodeOAuthCode(code) {
+        const value = String(code || '').trim();
+        const dot = value.lastIndexOf('.');
+        if (dot <= 0 || dot >= value.length - 1)
+            return null;
+        const encoded = value.slice(0, dot);
+        const sig = value.slice(dot + 1);
+        const expected = this.signOAuthState(encoded);
+        if (sig !== expected)
+            return null;
+        try {
+            const parsed = JSON.parse(this.fromBase64Url(encoded));
+            if (!parsed || typeof parsed !== 'object')
+                return null;
+            return parsed;
+        }
+        catch {
+            return null;
+        }
+    }
+    createIdToken(params) {
+        const now = Math.floor(Date.now() / 1000);
+        const header = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: (0, jwks_provider_1.getKid)() })).toString('base64url');
+        const payloadObj = {
+            iss: params.issuer,
+            sub: params.sub,
+            aud: params.clientId,
+            iat: now,
+            exp: now + params.ttlSec
+        };
+        if (params.nonce)
+            payloadObj.nonce = params.nonce;
+        const payloadEncoded = Buffer.from(JSON.stringify(payloadObj)).toString('base64url');
+        const signingInput = `${header}.${payloadEncoded}`;
+        const signature = crypto_1.default.sign('sha256', Buffer.from(signingInput), (0, jwks_provider_1.getRsaPrivateKey)()).toString('base64url');
+        return `${signingInput}.${signature}`;
+    }
+    createAuthorizationCode(record) {
+        const payload = {
+            ...record,
+            expiresAt: Date.now() + this.oauthCodeTtlMs
+        };
+        return this.encodeOAuthCode(payload);
+    }
+    appendQueryParam(urlStr, key, value) {
+        try {
+            const url = new URL(urlStr);
+            url.searchParams.set(key, value);
+            return url.toString();
+        }
+        catch {
+            const sep = urlStr.includes('?') ? '&' : '?';
+            return `${urlStr}${sep}${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
+        }
+    }
+    normalizeRedirectUri(urlStr) {
+        try {
+            const u = new URL(urlStr);
+            const path = u.pathname !== '/' ? u.pathname.replace(/\/+$/, '') : '/';
+            const port = u.port ? `:${u.port}` : '';
+            return `${u.protocol}//${u.hostname}${port}${path}${u.search}`;
+        }
+        catch {
+            return String(urlStr || '').trim();
+        }
+    }
+    redirectOAuthError(res, redirectUri, state, error, errorDescription) {
+        let location = this.appendQueryParam(redirectUri, 'error', error);
+        location = this.appendQueryParam(location, 'error_description', errorDescription);
+        if (state)
+            location = this.appendQueryParam(location, 'state', state);
+        res.redirect(location);
+    }
+    async issueSession(res, username, workspaceId, role, profile) {
+        const accessToken = (0, token_utils_1.createAccessToken)(username, this.deps.authCookieSecret, this.deps.authAccessTtlSec, workspaceId, role, profile?.displayName || username, profile?.email, profile?.avatarUrl, profile?.createdDate, profile?.lastSignInDate);
+        const refreshToken = (0, token_utils_1.createRefreshToken)();
+        const refreshTokenHash = (0, token_utils_1.hashRefreshToken)(refreshToken, this.deps.authCookieSecret);
+        const refreshExpiresAt = new Date(Date.now() + this.deps.authRefreshTtlSec * 1000).toISOString();
+        await this.deps.ensureDataStore().saveRefreshToken(refreshTokenHash, username, refreshExpiresAt);
+        this.deps.setCookie(res, this.deps.accessCookieName, accessToken, this.deps.authAccessTtlSec);
+        this.deps.setCookie(res, this.deps.refreshCookieName, refreshToken, this.deps.authRefreshTtlSec);
+    }
+    normalizeSupabaseUsername(email, userId) {
+        const raw = String(email || '').trim().toLowerCase();
+        if (raw) {
+            const localPart = (raw.split('@')[0] || '').trim().toLowerCase();
+            const normalizedLocal = localPart.replace(/[^a-z0-9._-]/g, '_');
+            const shortHash = crypto_1.default.createHash('sha1').update(raw).digest('hex').slice(0, 8);
+            const maxBaseLen = 64 - (shortHash.length + 1);
+            const fallbackBase = raw.replace(/[^a-z0-9._-]/g, '_');
+            const baseSource = normalizedLocal.length >= 3 ? normalizedLocal : fallbackBase;
+            const base = baseSource.slice(0, Math.max(3, maxBaseLen));
+            const candidate = `${base}_${shortHash}`;
+            if (candidate.length >= 3)
+                return candidate.slice(0, 64);
+        }
+        const fallback = String(userId || '').trim().toLowerCase().replace(/[^a-z0-9._-]/g, '_').slice(0, 64);
+        return fallback || 'user';
+    }
+    resolveSupabaseRole(username, email) {
+        const authProperty = this.deps.getAuthProperty();
+        const normalizedEmail = String(email || '').trim().toLowerCase();
+        const isAdminEmail = authProperty.adminEmails.some((v) => v.toLowerCase() === normalizedEmail);
+        const isLegacyAdmin = this.deps.authAdminUsers.some((u) => u.username === username || u.username === normalizedEmail);
+        return (isAdminEmail || isLegacyAdmin) ? 'admin' : 'user';
+    }
+}
+exports.AuthApi = AuthApi;
+//# sourceMappingURL=authApi.js.map