@solvapay/server 1.0.8-preview.6 → 1.0.8-preview.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (139) hide show
  1. package/dist/chunk-R5U7XKVJ.js +16 -0
  2. package/dist/dist-EPVKJAIP.js +94 -0
  3. package/dist/dist-JBJ4HMP7.js +94 -0
  4. package/dist/esm-5GYCIXIY.js +3475 -0
  5. package/dist/esm-UW7WCMEK.js +3475 -0
  6. package/dist/index.cjs +307 -12
  7. package/dist/index.d.cts +35 -3
  8. package/dist/index.d.ts +35 -3
  9. package/dist/index.js +303 -12
  10. package/dist/src/adapters/base.d.ts +57 -0
  11. package/dist/src/adapters/base.d.ts.map +1 -0
  12. package/dist/src/adapters/base.js +73 -0
  13. package/dist/src/adapters/base.js.map +1 -0
  14. package/dist/src/adapters/http.d.ts +25 -0
  15. package/dist/src/adapters/http.d.ts.map +1 -0
  16. package/dist/src/adapters/http.js +99 -0
  17. package/dist/src/adapters/http.js.map +1 -0
  18. package/dist/src/adapters/index.d.ts +11 -0
  19. package/dist/src/adapters/index.d.ts.map +1 -0
  20. package/dist/src/adapters/index.js +10 -0
  21. package/dist/src/adapters/index.js.map +1 -0
  22. package/dist/src/adapters/mcp.d.ts +24 -0
  23. package/dist/src/adapters/mcp.d.ts.map +1 -0
  24. package/dist/src/adapters/mcp.js +75 -0
  25. package/dist/src/adapters/mcp.js.map +1 -0
  26. package/dist/src/adapters/next.d.ts +24 -0
  27. package/dist/src/adapters/next.d.ts.map +1 -0
  28. package/dist/src/adapters/next.js +109 -0
  29. package/dist/src/adapters/next.js.map +1 -0
  30. package/dist/src/client.d.ts +58 -0
  31. package/dist/src/client.d.ts.map +1 -0
  32. package/dist/src/client.js +495 -0
  33. package/dist/src/client.js.map +1 -0
  34. package/dist/src/edge.d.ts +22 -0
  35. package/dist/src/edge.d.ts.map +1 -0
  36. package/dist/src/edge.js +91 -0
  37. package/dist/src/edge.js.map +1 -0
  38. package/dist/src/factory.d.ts +605 -0
  39. package/dist/src/factory.d.ts.map +1 -0
  40. package/dist/src/factory.js +215 -0
  41. package/dist/src/factory.js.map +1 -0
  42. package/dist/src/helpers/auth.d.ts +47 -0
  43. package/dist/src/helpers/auth.d.ts.map +1 -0
  44. package/dist/src/helpers/auth.js +73 -0
  45. package/dist/src/helpers/auth.js.map +1 -0
  46. package/dist/src/helpers/checkout.d.ts +45 -0
  47. package/dist/src/helpers/checkout.d.ts.map +1 -0
  48. package/dist/src/helpers/checkout.js +89 -0
  49. package/dist/src/helpers/checkout.js.map +1 -0
  50. package/dist/src/helpers/customer.d.ts +51 -0
  51. package/dist/src/helpers/customer.d.ts.map +1 -0
  52. package/dist/src/helpers/customer.js +77 -0
  53. package/dist/src/helpers/customer.js.map +1 -0
  54. package/dist/src/helpers/error.d.ts +15 -0
  55. package/dist/src/helpers/error.d.ts.map +1 -0
  56. package/dist/src/helpers/error.js +35 -0
  57. package/dist/src/helpers/error.js.map +1 -0
  58. package/dist/src/helpers/index.d.ts +17 -0
  59. package/dist/src/helpers/index.d.ts.map +1 -0
  60. package/dist/src/helpers/index.js +23 -0
  61. package/dist/src/helpers/index.js.map +1 -0
  62. package/dist/src/helpers/payment.d.ts +107 -0
  63. package/dist/src/helpers/payment.d.ts.map +1 -0
  64. package/dist/src/helpers/payment.js +150 -0
  65. package/dist/src/helpers/payment.js.map +1 -0
  66. package/dist/src/helpers/plans.d.ts +19 -0
  67. package/dist/src/helpers/plans.d.ts.map +1 -0
  68. package/dist/src/helpers/plans.js +53 -0
  69. package/dist/src/helpers/plans.js.map +1 -0
  70. package/dist/src/helpers/renewal.d.ts +23 -0
  71. package/dist/src/helpers/renewal.d.ts.map +1 -0
  72. package/dist/src/helpers/renewal.js +90 -0
  73. package/dist/src/helpers/renewal.js.map +1 -0
  74. package/dist/src/helpers/subscription.d.ts +23 -0
  75. package/dist/src/helpers/subscription.d.ts.map +1 -0
  76. package/dist/src/helpers/subscription.js +101 -0
  77. package/dist/src/helpers/subscription.js.map +1 -0
  78. package/dist/src/helpers/types.d.ts +22 -0
  79. package/dist/src/helpers/types.d.ts.map +1 -0
  80. package/dist/src/helpers/types.js +7 -0
  81. package/dist/src/helpers/types.js.map +1 -0
  82. package/dist/src/index.d.ts +73 -0
  83. package/dist/src/index.d.ts.map +1 -0
  84. package/dist/src/index.js +106 -0
  85. package/dist/src/index.js.map +1 -0
  86. package/dist/src/mcp/auth-bridge.d.ts +9 -0
  87. package/dist/src/mcp/auth-bridge.d.ts.map +1 -0
  88. package/dist/src/mcp/auth-bridge.js +46 -0
  89. package/dist/src/mcp/auth-bridge.js.map +1 -0
  90. package/dist/src/mcp/oauth-bridge.d.ts +48 -0
  91. package/dist/src/mcp/oauth-bridge.d.ts.map +1 -0
  92. package/dist/src/mcp/oauth-bridge.js +110 -0
  93. package/dist/src/mcp/oauth-bridge.js.map +1 -0
  94. package/dist/src/mcp-auth.d.ts +17 -0
  95. package/dist/src/mcp-auth.d.ts.map +1 -0
  96. package/dist/src/mcp-auth.js +57 -0
  97. package/dist/src/mcp-auth.js.map +1 -0
  98. package/dist/src/paywall.d.ts +119 -0
  99. package/dist/src/paywall.d.ts.map +1 -0
  100. package/dist/src/paywall.js +700 -0
  101. package/dist/src/paywall.js.map +1 -0
  102. package/dist/src/register-virtual-tools-mcp.d.ts +23 -0
  103. package/dist/src/register-virtual-tools-mcp.d.ts.map +1 -0
  104. package/dist/src/register-virtual-tools-mcp.js +86 -0
  105. package/dist/src/register-virtual-tools-mcp.js.map +1 -0
  106. package/dist/src/types/client.d.ts +216 -0
  107. package/dist/src/types/client.d.ts.map +1 -0
  108. package/dist/src/types/client.js +7 -0
  109. package/dist/src/types/client.js.map +1 -0
  110. package/dist/src/types/generated.d.ts +2834 -0
  111. package/dist/src/types/generated.d.ts.map +1 -0
  112. package/dist/src/types/generated.js +6 -0
  113. package/dist/src/types/generated.js.map +1 -0
  114. package/dist/src/types/index.d.ts +13 -0
  115. package/dist/src/types/index.d.ts.map +1 -0
  116. package/dist/src/types/index.js +8 -0
  117. package/dist/src/types/index.js.map +1 -0
  118. package/dist/src/types/options.d.ts +126 -0
  119. package/dist/src/types/options.d.ts.map +1 -0
  120. package/dist/src/types/options.js +8 -0
  121. package/dist/src/types/options.js.map +1 -0
  122. package/dist/src/types/paywall.d.ts +64 -0
  123. package/dist/src/types/paywall.d.ts.map +1 -0
  124. package/dist/src/types/paywall.js +7 -0
  125. package/dist/src/types/paywall.js.map +1 -0
  126. package/dist/src/types/webhook.d.ts +50 -0
  127. package/dist/src/types/webhook.d.ts.map +1 -0
  128. package/dist/src/types/webhook.js +2 -0
  129. package/dist/src/types/webhook.js.map +1 -0
  130. package/dist/src/utils.d.ts +110 -0
  131. package/dist/src/utils.d.ts.map +1 -0
  132. package/dist/src/utils.js +217 -0
  133. package/dist/src/utils.js.map +1 -0
  134. package/dist/src/virtual-tools.d.ts +44 -0
  135. package/dist/src/virtual-tools.d.ts.map +1 -0
  136. package/dist/src/virtual-tools.js +140 -0
  137. package/dist/src/virtual-tools.js.map +1 -0
  138. package/dist/tsconfig.tsbuildinfo +1 -0
  139. package/package.json +7 -7
package/dist/index.cjs CHANGED
@@ -4321,6 +4321,10 @@ __export(index_exports, {
4321
4321
  createCheckoutSessionCore: () => createCheckoutSessionCore,
4322
4322
  createCustomerSessionCore: () => createCustomerSessionCore,
4323
4323
  createMcpOAuthBridge: () => createMcpOAuthBridge,
4324
+ createOAuthAuthorizeHandler: () => createOAuthAuthorizeHandler,
4325
+ createOAuthRegisterHandler: () => createOAuthRegisterHandler,
4326
+ createOAuthRevokeHandler: () => createOAuthRevokeHandler,
4327
+ createOAuthTokenHandler: () => createOAuthTokenHandler,
4324
4328
  createPaymentIntentCore: () => createPaymentIntentCore,
4325
4329
  createSolvaPay: () => createSolvaPay,
4326
4330
  createSolvaPayClient: () => createSolvaPayClient,
@@ -6175,15 +6179,31 @@ function buildAuthInfoFromBearer(authorization, options = {}) {
6175
6179
  }
6176
6180
 
6177
6181
  // src/mcp/oauth-bridge.ts
6182
+ var DEFAULT_OAUTH_PATHS = {
6183
+ register: "/oauth/register",
6184
+ authorize: "/oauth/authorize",
6185
+ token: "/oauth/token",
6186
+ revoke: "/oauth/revoke"
6187
+ };
6188
+ var NATIVE_CLIENT_ORIGIN_SCHEMES = ["cursor:", "vscode:", "vscode-webview:", "claude:"];
6178
6189
  function withoutTrailingSlash(value) {
6179
6190
  return value.replace(/\/$/, "");
6180
6191
  }
6192
+ function resolvePaths(paths = {}) {
6193
+ return { ...DEFAULT_OAUTH_PATHS, ...paths };
6194
+ }
6181
6195
  function getRequestAuthHeader(req) {
6182
6196
  const header = req.headers?.authorization;
6183
6197
  if (typeof header === "string") return header;
6184
6198
  if (Array.isArray(header)) return header[0] || null;
6185
6199
  return null;
6186
6200
  }
6201
+ function getHeader(req, name) {
6202
+ const header = req.headers?.[name.toLowerCase()];
6203
+ if (typeof header === "string") return header;
6204
+ if (Array.isArray(header)) return header[0] || null;
6205
+ return null;
6206
+ }
6187
6207
  function getRequestJsonRpcId(body) {
6188
6208
  if (body && typeof body === "object" && "id" in body) {
6189
6209
  const id = body.id;
@@ -6207,6 +6227,100 @@ function setMcpChallengeHeader(res, publicBaseUrl, protectedResourcePath) {
6207
6227
  `Bearer resource_metadata="${withoutTrailingSlash(publicBaseUrl)}${protectedResourcePath}"`
6208
6228
  );
6209
6229
  }
6230
+ function getRequestQuery(req) {
6231
+ const raw = req.url ?? req.path ?? "";
6232
+ const qIndex = raw.indexOf("?");
6233
+ return qIndex === -1 ? "" : raw.slice(qIndex);
6234
+ }
6235
+ function isNativeClientOrigin(origin) {
6236
+ try {
6237
+ const url = new URL(origin);
6238
+ return NATIVE_CLIENT_ORIGIN_SCHEMES.includes(
6239
+ url.protocol
6240
+ );
6241
+ } catch {
6242
+ return false;
6243
+ }
6244
+ }
6245
+ function applyCorsHeaders(req, res) {
6246
+ const origin = getHeader(req, "origin");
6247
+ if (!origin) return;
6248
+ if (isNativeClientOrigin(origin)) {
6249
+ res.setHeader("Access-Control-Allow-Origin", origin);
6250
+ res.setHeader("Vary", "Origin");
6251
+ }
6252
+ }
6253
+ function handlePreflight(req, res) {
6254
+ applyCorsHeaders(req, res);
6255
+ const requestedMethod = getHeader(req, "access-control-request-method") ?? "POST";
6256
+ const requestedHeaders = getHeader(req, "access-control-request-headers") ?? "authorization, content-type";
6257
+ res.setHeader("Access-Control-Allow-Methods", `${requestedMethod}, OPTIONS`);
6258
+ res.setHeader("Access-Control-Allow-Headers", requestedHeaders);
6259
+ res.setHeader("Access-Control-Max-Age", "600");
6260
+ res.status(204);
6261
+ if (typeof res.end === "function") {
6262
+ res.end();
6263
+ } else {
6264
+ res.json({});
6265
+ }
6266
+ }
6267
+ async function readJsonFromResponse(upstream) {
6268
+ const text = await upstream.text();
6269
+ if (!text) return { body: {}, text: "" };
6270
+ try {
6271
+ return { body: JSON.parse(text), text };
6272
+ } catch {
6273
+ return { body: text, text };
6274
+ }
6275
+ }
6276
+ async function relayJsonResponse(upstream, res) {
6277
+ const { body, text } = await readJsonFromResponse(upstream);
6278
+ res.status(upstream.status);
6279
+ const contentType = upstream.headers.get("content-type");
6280
+ if (contentType) res.setHeader("Content-Type", contentType);
6281
+ if (text === "" && upstream.status === 204) {
6282
+ if (typeof res.end === "function") {
6283
+ res.end();
6284
+ return;
6285
+ }
6286
+ }
6287
+ res.json(body);
6288
+ }
6289
+ function sendUpstreamError(res, _error) {
6290
+ res.status(502);
6291
+ res.setHeader("Content-Type", "application/json");
6292
+ res.json({ error: "upstream_unreachable" });
6293
+ }
6294
+ function serializeRegisterBody(body) {
6295
+ if (typeof body === "string") return body;
6296
+ if (body instanceof Uint8Array) return Buffer.from(body).toString("utf8");
6297
+ return JSON.stringify(body ?? {});
6298
+ }
6299
+ function serializeFormBody(body) {
6300
+ if (typeof body === "string") return body;
6301
+ if (body instanceof Uint8Array) return Buffer.from(body).toString("utf8");
6302
+ if (body && typeof body === "object") {
6303
+ const params = new URLSearchParams();
6304
+ for (const [key, value] of Object.entries(body)) {
6305
+ if (value === void 0 || value === null) continue;
6306
+ if (Array.isArray(value)) {
6307
+ for (const entry of value) params.append(key, String(entry));
6308
+ } else {
6309
+ params.append(key, String(value));
6310
+ }
6311
+ }
6312
+ return params.toString();
6313
+ }
6314
+ return "";
6315
+ }
6316
+ function serializeRequestBody(contentType, body) {
6317
+ if (contentType && contentType.includes("application/x-www-form-urlencoded")) {
6318
+ return serializeFormBody(body);
6319
+ }
6320
+ if (typeof body === "string") return body;
6321
+ if (body instanceof Uint8Array) return Buffer.from(body).toString("utf8");
6322
+ return JSON.stringify(body ?? {});
6323
+ }
6210
6324
  function getOAuthProtectedResourceResponse(publicBaseUrl) {
6211
6325
  const resource = withoutTrailingSlash(publicBaseUrl);
6212
6326
  return {
@@ -6216,16 +6330,17 @@ function getOAuthProtectedResourceResponse(publicBaseUrl) {
6216
6330
  };
6217
6331
  }
6218
6332
  function getOAuthAuthorizationServerResponse({
6219
- apiBaseUrl,
6220
- productRef
6333
+ publicBaseUrl,
6334
+ paths
6221
6335
  }) {
6222
- const normalizedApiBaseUrl = withoutTrailingSlash(apiBaseUrl);
6223
- const registrationEndpoint = `${normalizedApiBaseUrl}/v1/customer/auth/register?product_ref=${encodeURIComponent(productRef)}`;
6336
+ const base = withoutTrailingSlash(publicBaseUrl);
6337
+ const p = resolvePaths(paths);
6224
6338
  return {
6225
- issuer: normalizedApiBaseUrl,
6226
- authorization_endpoint: `${normalizedApiBaseUrl}/v1/customer/auth/authorize`,
6227
- token_endpoint: `${normalizedApiBaseUrl}/v1/customer/auth/token`,
6228
- registration_endpoint: registrationEndpoint,
6339
+ issuer: base,
6340
+ authorization_endpoint: `${base}${p.authorize}`,
6341
+ token_endpoint: `${base}${p.token}`,
6342
+ registration_endpoint: `${base}${p.register}`,
6343
+ revocation_endpoint: `${base}${p.revoke}`,
6229
6344
  token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
6230
6345
  response_types_supported: ["code"],
6231
6346
  grant_types_supported: ["authorization_code", "refresh_token"],
@@ -6233,6 +6348,134 @@ function getOAuthAuthorizationServerResponse({
6233
6348
  code_challenge_methods_supported: ["S256"]
6234
6349
  };
6235
6350
  }
6351
+ function createOAuthRegisterHandler(options) {
6352
+ const path = options.path ?? DEFAULT_OAUTH_PATHS.register;
6353
+ const api = withoutTrailingSlash(options.apiBaseUrl);
6354
+ const upstream = `${api}/v1/customer/auth/register?product_ref=${encodeURIComponent(options.productRef)}`;
6355
+ return async (req, res, next) => {
6356
+ if (req.path !== path) {
6357
+ next();
6358
+ return;
6359
+ }
6360
+ if (req.method === "OPTIONS") {
6361
+ handlePreflight(req, res);
6362
+ return;
6363
+ }
6364
+ if (req.method !== "POST") {
6365
+ next();
6366
+ return;
6367
+ }
6368
+ try {
6369
+ const response = await fetch(upstream, {
6370
+ method: "POST",
6371
+ headers: { "content-type": "application/json" },
6372
+ body: serializeRegisterBody(req.body)
6373
+ });
6374
+ applyCorsHeaders(req, res);
6375
+ await relayJsonResponse(response, res);
6376
+ } catch (error) {
6377
+ applyCorsHeaders(req, res);
6378
+ sendUpstreamError(res, error);
6379
+ }
6380
+ };
6381
+ }
6382
+ function createOAuthAuthorizeHandler(options) {
6383
+ const path = options.path ?? DEFAULT_OAUTH_PATHS.authorize;
6384
+ const api = withoutTrailingSlash(options.apiBaseUrl);
6385
+ return (req, res, next) => {
6386
+ if (req.path !== path) {
6387
+ next();
6388
+ return;
6389
+ }
6390
+ if (req.method === "OPTIONS") {
6391
+ handlePreflight(req, res);
6392
+ return;
6393
+ }
6394
+ if (req.method !== "GET") {
6395
+ next();
6396
+ return;
6397
+ }
6398
+ const query = getRequestQuery(req);
6399
+ const location = `${api}/v1/customer/auth/authorize${query}`;
6400
+ res.setHeader("Location", location);
6401
+ res.status(302);
6402
+ if (typeof res.end === "function") {
6403
+ res.end();
6404
+ return;
6405
+ }
6406
+ res.json({});
6407
+ };
6408
+ }
6409
+ function createOAuthTokenHandler(options) {
6410
+ const path = options.path ?? DEFAULT_OAUTH_PATHS.token;
6411
+ const api = withoutTrailingSlash(options.apiBaseUrl);
6412
+ const upstream = `${api}/v1/customer/auth/token`;
6413
+ return async (req, res, next) => {
6414
+ if (req.path !== path) {
6415
+ next();
6416
+ return;
6417
+ }
6418
+ if (req.method === "OPTIONS") {
6419
+ handlePreflight(req, res);
6420
+ return;
6421
+ }
6422
+ if (req.method !== "POST") {
6423
+ next();
6424
+ return;
6425
+ }
6426
+ const contentType = getHeader(req, "content-type") ?? "application/x-www-form-urlencoded";
6427
+ const authorization = getHeader(req, "authorization");
6428
+ const headers = { "content-type": contentType };
6429
+ if (authorization) headers["authorization"] = authorization;
6430
+ try {
6431
+ const response = await fetch(upstream, {
6432
+ method: "POST",
6433
+ headers,
6434
+ body: serializeRequestBody(contentType, req.body)
6435
+ });
6436
+ applyCorsHeaders(req, res);
6437
+ await relayJsonResponse(response, res);
6438
+ } catch (error) {
6439
+ applyCorsHeaders(req, res);
6440
+ sendUpstreamError(res, error);
6441
+ }
6442
+ };
6443
+ }
6444
+ function createOAuthRevokeHandler(options) {
6445
+ const path = options.path ?? DEFAULT_OAUTH_PATHS.revoke;
6446
+ const api = withoutTrailingSlash(options.apiBaseUrl);
6447
+ const upstream = `${api}/v1/customer/auth/revoke`;
6448
+ return async (req, res, next) => {
6449
+ if (req.path !== path) {
6450
+ next();
6451
+ return;
6452
+ }
6453
+ if (req.method === "OPTIONS") {
6454
+ handlePreflight(req, res);
6455
+ return;
6456
+ }
6457
+ if (req.method !== "POST") {
6458
+ next();
6459
+ return;
6460
+ }
6461
+ const contentType = getHeader(req, "content-type") ?? "application/x-www-form-urlencoded";
6462
+ const authorization = getHeader(req, "authorization");
6463
+ const headers = { "content-type": contentType };
6464
+ if (authorization) headers["authorization"] = authorization;
6465
+ try {
6466
+ const response = await fetch(upstream, {
6467
+ method: "POST",
6468
+ headers,
6469
+ body: serializeRequestBody(contentType, req.body)
6470
+ });
6471
+ applyCorsHeaders(req, res);
6472
+ await relayJsonResponse(response, res);
6473
+ } catch (error) {
6474
+ applyCorsHeaders(req, res);
6475
+ sendUpstreamError(res, error);
6476
+ }
6477
+ };
6478
+ }
6236
6479
  function createMcpOAuthBridge(options) {
6237
6480
  const {
6238
6481
  publicBaseUrl,
@@ -6242,8 +6485,23 @@ function createMcpOAuthBridge(options) {
6242
6485
  requireAuth = true,
6243
6486
  authInfo,
6244
6487
  protectedResourcePath = "/.well-known/oauth-protected-resource",
6245
- authorizationServerPath = "/.well-known/oauth-authorization-server"
6488
+ authorizationServerPath = "/.well-known/oauth-authorization-server",
6489
+ oauthPaths
6246
6490
  } = options;
6491
+ const paths = resolvePaths(oauthPaths);
6492
+ const openidDiscoveryMiddleware = (req, res, next) => {
6493
+ if (req.method !== "GET" || req.path !== "/.well-known/openid-configuration") {
6494
+ next();
6495
+ return;
6496
+ }
6497
+ applyCorsHeaders(req, res);
6498
+ res.status(404);
6499
+ if (typeof res.end === "function") {
6500
+ res.end();
6501
+ } else {
6502
+ res.json({ error: "not_found" });
6503
+ }
6504
+ };
6247
6505
  const protectedResourceMiddleware = (req, res, next) => {
6248
6506
  if (req.method !== "GET" || req.path !== protectedResourcePath) {
6249
6507
  next();
@@ -6262,16 +6520,38 @@ function createMcpOAuthBridge(options) {
6262
6520
  }
6263
6521
  res.json(
6264
6522
  getOAuthAuthorizationServerResponse({
6265
- apiBaseUrl,
6266
- productRef
6523
+ publicBaseUrl,
6524
+ paths
6267
6525
  })
6268
6526
  );
6269
6527
  };
6528
+ const registerMiddleware = createOAuthRegisterHandler({
6529
+ apiBaseUrl,
6530
+ productRef,
6531
+ path: paths.register
6532
+ });
6533
+ const authorizeMiddleware = createOAuthAuthorizeHandler({
6534
+ apiBaseUrl,
6535
+ path: paths.authorize
6536
+ });
6537
+ const tokenMiddleware = createOAuthTokenHandler({ apiBaseUrl, path: paths.token });
6538
+ const revokeMiddleware = createOAuthRevokeHandler({ apiBaseUrl, path: paths.revoke });
6270
6539
  const mcpAuthMiddleware = (req, res, next) => {
6271
6540
  if (req.path !== mcpPath) {
6272
6541
  next();
6273
6542
  return;
6274
6543
  }
6544
+ if (req.method && req.method !== "POST" && req.method !== "OPTIONS") {
6545
+ applyCorsHeaders(req, res);
6546
+ res.setHeader("Allow", "POST, OPTIONS");
6547
+ res.status(405);
6548
+ if (typeof res.end === "function") {
6549
+ res.end();
6550
+ } else {
6551
+ res.json({ error: "method_not_allowed" });
6552
+ }
6553
+ return;
6554
+ }
6275
6555
  const authHeader = getRequestAuthHeader(req);
6276
6556
  const id = getRequestJsonRpcId(req.body);
6277
6557
  if (!authHeader && !requireAuth) {
@@ -6286,6 +6566,8 @@ function createMcpOAuthBridge(options) {
6286
6566
  req.auth = auth;
6287
6567
  next();
6288
6568
  } catch {
6569
+ applyCorsHeaders(req, res);
6570
+ res.setHeader("Access-Control-Expose-Headers", "WWW-Authenticate");
6289
6571
  setMcpChallengeHeader(res, publicBaseUrl, protectedResourcePath);
6290
6572
  if (req.method === "POST") {
6291
6573
  res.status(401).json(makeUnauthorizedJsonRpc(id));
@@ -6294,7 +6576,16 @@ function createMcpOAuthBridge(options) {
6294
6576
  res.status(401).json({ error: "Unauthorized" });
6295
6577
  }
6296
6578
  };
6297
- return [protectedResourceMiddleware, authorizationServerMiddleware, mcpAuthMiddleware];
6579
+ return [
6580
+ openidDiscoveryMiddleware,
6581
+ protectedResourceMiddleware,
6582
+ authorizationServerMiddleware,
6583
+ registerMiddleware,
6584
+ authorizeMiddleware,
6585
+ tokenMiddleware,
6586
+ revokeMiddleware,
6587
+ mcpAuthMiddleware
6588
+ ];
6298
6589
  }
6299
6590
 
6300
6591
  // src/helpers/error.ts
@@ -6978,6 +7269,10 @@ function verifyWebhook({
6978
7269
  createCheckoutSessionCore,
6979
7270
  createCustomerSessionCore,
6980
7271
  createMcpOAuthBridge,
7272
+ createOAuthAuthorizeHandler,
7273
+ createOAuthRegisterHandler,
7274
+ createOAuthRevokeHandler,
7275
+ createOAuthTokenHandler,
6981
7276
  createPaymentIntentCore,
6982
7277
  createSolvaPay,
6983
7278
  createSolvaPayClient,
package/dist/index.d.cts CHANGED
@@ -3675,6 +3675,7 @@ declare function buildAuthInfoFromBearer(authorization?: string | null, options?
3675
3675
  type RequestLike = {
3676
3676
  method?: string;
3677
3677
  path?: string;
3678
+ url?: string;
3678
3679
  headers?: Record<string, string | string[] | undefined>;
3679
3680
  body?: unknown;
3680
3681
  auth?: unknown;
@@ -3683,12 +3684,37 @@ type ResponseLike = {
3683
3684
  status: (code: number) => ResponseLike;
3684
3685
  json: (payload: unknown) => void;
3685
3686
  setHeader: (name: string, value: string) => void;
3687
+ end?: (body?: string) => void;
3688
+ send?: (body?: string | Buffer) => void;
3686
3689
  };
3687
3690
  type NextLike = () => void;
3688
- type Middleware = (req: RequestLike, res: ResponseLike, next: NextLike) => void;
3691
+ type Middleware = (req: RequestLike, res: ResponseLike, next: NextLike) => void | Promise<void>;
3692
+ interface OAuthBridgePaths {
3693
+ register?: string;
3694
+ authorize?: string;
3695
+ token?: string;
3696
+ revoke?: string;
3697
+ }
3689
3698
  interface OAuthAuthorizationServerOptions {
3699
+ publicBaseUrl: string;
3700
+ paths?: OAuthBridgePaths;
3701
+ }
3702
+ interface OAuthRegisterHandlerOptions {
3690
3703
  apiBaseUrl: string;
3691
3704
  productRef: string;
3705
+ path?: string;
3706
+ }
3707
+ interface OAuthAuthorizeHandlerOptions {
3708
+ apiBaseUrl: string;
3709
+ path?: string;
3710
+ }
3711
+ interface OAuthTokenHandlerOptions {
3712
+ apiBaseUrl: string;
3713
+ path?: string;
3714
+ }
3715
+ interface OAuthRevokeHandlerOptions {
3716
+ apiBaseUrl: string;
3717
+ path?: string;
3692
3718
  }
3693
3719
  interface McpOAuthBridgeOptions {
3694
3720
  publicBaseUrl: string;
@@ -3699,23 +3725,29 @@ interface McpOAuthBridgeOptions {
3699
3725
  authInfo?: BuildAuthInfoFromBearerOptions;
3700
3726
  protectedResourcePath?: string;
3701
3727
  authorizationServerPath?: string;
3728
+ oauthPaths?: OAuthBridgePaths;
3702
3729
  }
3703
3730
  declare function getOAuthProtectedResourceResponse(publicBaseUrl: string): {
3704
3731
  resource: string;
3705
3732
  authorization_servers: string[];
3706
3733
  scopes_supported: string[];
3707
3734
  };
3708
- declare function getOAuthAuthorizationServerResponse({ apiBaseUrl, productRef, }: OAuthAuthorizationServerOptions): {
3735
+ declare function getOAuthAuthorizationServerResponse({ publicBaseUrl, paths, }: OAuthAuthorizationServerOptions): {
3709
3736
  issuer: string;
3710
3737
  authorization_endpoint: string;
3711
3738
  token_endpoint: string;
3712
3739
  registration_endpoint: string;
3740
+ revocation_endpoint: string;
3713
3741
  token_endpoint_auth_methods_supported: string[];
3714
3742
  response_types_supported: string[];
3715
3743
  grant_types_supported: string[];
3716
3744
  scopes_supported: string[];
3717
3745
  code_challenge_methods_supported: string[];
3718
3746
  };
3747
+ declare function createOAuthRegisterHandler(options: OAuthRegisterHandlerOptions): Middleware;
3748
+ declare function createOAuthAuthorizeHandler(options: OAuthAuthorizeHandlerOptions): Middleware;
3749
+ declare function createOAuthTokenHandler(options: OAuthTokenHandlerOptions): Middleware;
3750
+ declare function createOAuthRevokeHandler(options: OAuthRevokeHandlerOptions): Middleware;
3719
3751
  declare function createMcpOAuthBridge(options: McpOAuthBridgeOptions): Middleware[];
3720
3752
 
3721
3753
  /**
@@ -4277,4 +4309,4 @@ declare function verifyWebhook({ body, signature, secret, }: {
4277
4309
  secret: string;
4278
4310
  }): WebhookEvent;
4279
4311
 
4280
- export { type ActivatePlanResult, type AuthenticatedUser, type ConfigureMcpPlansRequest, type ConfigureMcpPlansResponse, type CreateSolvaPayConfig, type CustomerBalanceResult, type CustomerResponseMapped, type CustomerWebhookObject, type ErrorResult, type HttpAdapterOptions, type LimitActivationBalance, type LimitActivationProduct, type LimitPlanSummary, type McpAdapterOptions, McpBearerAuthError, type McpBootstrapPlanInput, type McpBootstrapRequest, type McpBootstrapResponse, type McpServerLike, type McpToolExtra, type McpToolPlanMappingInput, type NextAdapterOptions, type OneTimePurchaseInfo, type PayableFunction, type PayableOptions, type PaywallArgs, PaywallError, type PaywallMetadata, type PaywallStructuredContent, type PaywallToolResult, type ProcessPaymentResult, type PurchaseCheckResult, type RegisterVirtualToolsMcpOptions, type RetryOptions, type SdkMerchantResponse, type SdkProductResponse, type ServerClientOptions, type SolvaPay, type SolvaPayClient, type ToolPlanMappingInput, VIRTUAL_TOOL_DEFINITIONS, type VirtualToolDefinition, type VirtualToolsOptions, type WebhookEvent, type WebhookEventForType, type WebhookEventObjectMap, type WebhookEventType, type WebhookProduct, activatePlanCore, buildAuthInfoFromBearer, cancelPurchaseCore, checkPurchaseCore, type components, createCheckoutSessionCore, createCustomerSessionCore, createMcpOAuthBridge, createPaymentIntentCore, createSolvaPay, createSolvaPayClient, createTopupPaymentIntentCore, createVirtualTools, decodeJwtPayload, extractBearerToken, getAuthenticatedUserCore, getCustomerBalanceCore, getCustomerRefFromBearerAuthHeader, getCustomerRefFromJwtPayload, getMerchantCore, getOAuthAuthorizationServerResponse, getOAuthProtectedResourceResponse, getProductCore, handleRouteError, isErrorResult, jsonSchemaToZodRawShape, listPlansCore, paywallErrorToClientPayload, processPaymentIntentCore, reactivatePurchaseCore, registerVirtualToolsMcpImpl, syncCustomerCore, trackUsageCore, verifyWebhook, withRetry };
4312
+ export { type ActivatePlanResult, type AuthenticatedUser, type ConfigureMcpPlansRequest, type ConfigureMcpPlansResponse, type CreateSolvaPayConfig, type CustomerBalanceResult, type CustomerResponseMapped, type CustomerWebhookObject, type ErrorResult, type HttpAdapterOptions, type LimitActivationBalance, type LimitActivationProduct, type LimitPlanSummary, type McpAdapterOptions, McpBearerAuthError, type McpBootstrapPlanInput, type McpBootstrapRequest, type McpBootstrapResponse, type McpServerLike, type McpToolExtra, type McpToolPlanMappingInput, type NextAdapterOptions, type OneTimePurchaseInfo, type PayableFunction, type PayableOptions, type PaywallArgs, PaywallError, type PaywallMetadata, type PaywallStructuredContent, type PaywallToolResult, type ProcessPaymentResult, type PurchaseCheckResult, type RegisterVirtualToolsMcpOptions, type RetryOptions, type SdkMerchantResponse, type SdkProductResponse, type ServerClientOptions, type SolvaPay, type SolvaPayClient, type ToolPlanMappingInput, VIRTUAL_TOOL_DEFINITIONS, type VirtualToolDefinition, type VirtualToolsOptions, type WebhookEvent, type WebhookEventForType, type WebhookEventObjectMap, type WebhookEventType, type WebhookProduct, activatePlanCore, buildAuthInfoFromBearer, cancelPurchaseCore, checkPurchaseCore, type components, createCheckoutSessionCore, createCustomerSessionCore, createMcpOAuthBridge, createOAuthAuthorizeHandler, createOAuthRegisterHandler, createOAuthRevokeHandler, createOAuthTokenHandler, createPaymentIntentCore, createSolvaPay, createSolvaPayClient, createTopupPaymentIntentCore, createVirtualTools, decodeJwtPayload, extractBearerToken, getAuthenticatedUserCore, getCustomerBalanceCore, getCustomerRefFromBearerAuthHeader, getCustomerRefFromJwtPayload, getMerchantCore, getOAuthAuthorizationServerResponse, getOAuthProtectedResourceResponse, getProductCore, handleRouteError, isErrorResult, jsonSchemaToZodRawShape, listPlansCore, paywallErrorToClientPayload, processPaymentIntentCore, reactivatePurchaseCore, registerVirtualToolsMcpImpl, syncCustomerCore, trackUsageCore, verifyWebhook, withRetry };
package/dist/index.d.ts CHANGED
@@ -3675,6 +3675,7 @@ declare function buildAuthInfoFromBearer(authorization?: string | null, options?
3675
3675
  type RequestLike = {
3676
3676
  method?: string;
3677
3677
  path?: string;
3678
+ url?: string;
3678
3679
  headers?: Record<string, string | string[] | undefined>;
3679
3680
  body?: unknown;
3680
3681
  auth?: unknown;
@@ -3683,12 +3684,37 @@ type ResponseLike = {
3683
3684
  status: (code: number) => ResponseLike;
3684
3685
  json: (payload: unknown) => void;
3685
3686
  setHeader: (name: string, value: string) => void;
3687
+ end?: (body?: string) => void;
3688
+ send?: (body?: string | Buffer) => void;
3686
3689
  };
3687
3690
  type NextLike = () => void;
3688
- type Middleware = (req: RequestLike, res: ResponseLike, next: NextLike) => void;
3691
+ type Middleware = (req: RequestLike, res: ResponseLike, next: NextLike) => void | Promise<void>;
3692
+ interface OAuthBridgePaths {
3693
+ register?: string;
3694
+ authorize?: string;
3695
+ token?: string;
3696
+ revoke?: string;
3697
+ }
3689
3698
  interface OAuthAuthorizationServerOptions {
3699
+ publicBaseUrl: string;
3700
+ paths?: OAuthBridgePaths;
3701
+ }
3702
+ interface OAuthRegisterHandlerOptions {
3690
3703
  apiBaseUrl: string;
3691
3704
  productRef: string;
3705
+ path?: string;
3706
+ }
3707
+ interface OAuthAuthorizeHandlerOptions {
3708
+ apiBaseUrl: string;
3709
+ path?: string;
3710
+ }
3711
+ interface OAuthTokenHandlerOptions {
3712
+ apiBaseUrl: string;
3713
+ path?: string;
3714
+ }
3715
+ interface OAuthRevokeHandlerOptions {
3716
+ apiBaseUrl: string;
3717
+ path?: string;
3692
3718
  }
3693
3719
  interface McpOAuthBridgeOptions {
3694
3720
  publicBaseUrl: string;
@@ -3699,23 +3725,29 @@ interface McpOAuthBridgeOptions {
3699
3725
  authInfo?: BuildAuthInfoFromBearerOptions;
3700
3726
  protectedResourcePath?: string;
3701
3727
  authorizationServerPath?: string;
3728
+ oauthPaths?: OAuthBridgePaths;
3702
3729
  }
3703
3730
  declare function getOAuthProtectedResourceResponse(publicBaseUrl: string): {
3704
3731
  resource: string;
3705
3732
  authorization_servers: string[];
3706
3733
  scopes_supported: string[];
3707
3734
  };
3708
- declare function getOAuthAuthorizationServerResponse({ apiBaseUrl, productRef, }: OAuthAuthorizationServerOptions): {
3735
+ declare function getOAuthAuthorizationServerResponse({ publicBaseUrl, paths, }: OAuthAuthorizationServerOptions): {
3709
3736
  issuer: string;
3710
3737
  authorization_endpoint: string;
3711
3738
  token_endpoint: string;
3712
3739
  registration_endpoint: string;
3740
+ revocation_endpoint: string;
3713
3741
  token_endpoint_auth_methods_supported: string[];
3714
3742
  response_types_supported: string[];
3715
3743
  grant_types_supported: string[];
3716
3744
  scopes_supported: string[];
3717
3745
  code_challenge_methods_supported: string[];
3718
3746
  };
3747
+ declare function createOAuthRegisterHandler(options: OAuthRegisterHandlerOptions): Middleware;
3748
+ declare function createOAuthAuthorizeHandler(options: OAuthAuthorizeHandlerOptions): Middleware;
3749
+ declare function createOAuthTokenHandler(options: OAuthTokenHandlerOptions): Middleware;
3750
+ declare function createOAuthRevokeHandler(options: OAuthRevokeHandlerOptions): Middleware;
3719
3751
  declare function createMcpOAuthBridge(options: McpOAuthBridgeOptions): Middleware[];
3720
3752
 
3721
3753
  /**
@@ -4277,4 +4309,4 @@ declare function verifyWebhook({ body, signature, secret, }: {
4277
4309
  secret: string;
4278
4310
  }): WebhookEvent;
4279
4311
 
4280
- export { type ActivatePlanResult, type AuthenticatedUser, type ConfigureMcpPlansRequest, type ConfigureMcpPlansResponse, type CreateSolvaPayConfig, type CustomerBalanceResult, type CustomerResponseMapped, type CustomerWebhookObject, type ErrorResult, type HttpAdapterOptions, type LimitActivationBalance, type LimitActivationProduct, type LimitPlanSummary, type McpAdapterOptions, McpBearerAuthError, type McpBootstrapPlanInput, type McpBootstrapRequest, type McpBootstrapResponse, type McpServerLike, type McpToolExtra, type McpToolPlanMappingInput, type NextAdapterOptions, type OneTimePurchaseInfo, type PayableFunction, type PayableOptions, type PaywallArgs, PaywallError, type PaywallMetadata, type PaywallStructuredContent, type PaywallToolResult, type ProcessPaymentResult, type PurchaseCheckResult, type RegisterVirtualToolsMcpOptions, type RetryOptions, type SdkMerchantResponse, type SdkProductResponse, type ServerClientOptions, type SolvaPay, type SolvaPayClient, type ToolPlanMappingInput, VIRTUAL_TOOL_DEFINITIONS, type VirtualToolDefinition, type VirtualToolsOptions, type WebhookEvent, type WebhookEventForType, type WebhookEventObjectMap, type WebhookEventType, type WebhookProduct, activatePlanCore, buildAuthInfoFromBearer, cancelPurchaseCore, checkPurchaseCore, type components, createCheckoutSessionCore, createCustomerSessionCore, createMcpOAuthBridge, createPaymentIntentCore, createSolvaPay, createSolvaPayClient, createTopupPaymentIntentCore, createVirtualTools, decodeJwtPayload, extractBearerToken, getAuthenticatedUserCore, getCustomerBalanceCore, getCustomerRefFromBearerAuthHeader, getCustomerRefFromJwtPayload, getMerchantCore, getOAuthAuthorizationServerResponse, getOAuthProtectedResourceResponse, getProductCore, handleRouteError, isErrorResult, jsonSchemaToZodRawShape, listPlansCore, paywallErrorToClientPayload, processPaymentIntentCore, reactivatePurchaseCore, registerVirtualToolsMcpImpl, syncCustomerCore, trackUsageCore, verifyWebhook, withRetry };
4312
+ export { type ActivatePlanResult, type AuthenticatedUser, type ConfigureMcpPlansRequest, type ConfigureMcpPlansResponse, type CreateSolvaPayConfig, type CustomerBalanceResult, type CustomerResponseMapped, type CustomerWebhookObject, type ErrorResult, type HttpAdapterOptions, type LimitActivationBalance, type LimitActivationProduct, type LimitPlanSummary, type McpAdapterOptions, McpBearerAuthError, type McpBootstrapPlanInput, type McpBootstrapRequest, type McpBootstrapResponse, type McpServerLike, type McpToolExtra, type McpToolPlanMappingInput, type NextAdapterOptions, type OneTimePurchaseInfo, type PayableFunction, type PayableOptions, type PaywallArgs, PaywallError, type PaywallMetadata, type PaywallStructuredContent, type PaywallToolResult, type ProcessPaymentResult, type PurchaseCheckResult, type RegisterVirtualToolsMcpOptions, type RetryOptions, type SdkMerchantResponse, type SdkProductResponse, type ServerClientOptions, type SolvaPay, type SolvaPayClient, type ToolPlanMappingInput, VIRTUAL_TOOL_DEFINITIONS, type VirtualToolDefinition, type VirtualToolsOptions, type WebhookEvent, type WebhookEventForType, type WebhookEventObjectMap, type WebhookEventType, type WebhookProduct, activatePlanCore, buildAuthInfoFromBearer, cancelPurchaseCore, checkPurchaseCore, type components, createCheckoutSessionCore, createCustomerSessionCore, createMcpOAuthBridge, createOAuthAuthorizeHandler, createOAuthRegisterHandler, createOAuthRevokeHandler, createOAuthTokenHandler, createPaymentIntentCore, createSolvaPay, createSolvaPayClient, createTopupPaymentIntentCore, createVirtualTools, decodeJwtPayload, extractBearerToken, getAuthenticatedUserCore, getCustomerBalanceCore, getCustomerRefFromBearerAuthHeader, getCustomerRefFromJwtPayload, getMerchantCore, getOAuthAuthorizationServerResponse, getOAuthProtectedResourceResponse, getProductCore, handleRouteError, isErrorResult, jsonSchemaToZodRawShape, listPlansCore, paywallErrorToClientPayload, processPaymentIntentCore, reactivatePurchaseCore, registerVirtualToolsMcpImpl, syncCustomerCore, trackUsageCore, verifyWebhook, withRetry };