@structured-world/gitlab-mcp 5.7.0 → 6.0.0

package/dist/src/oauth/config.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadOAuthConfig = loadOAuthConfig;
+exports.validateStaticConfig = validateStaticConfig;
+exports.isOAuthEnabled = isOAuthEnabled;
+exports.resetOAuthConfigCache = resetOAuthConfigCache;
+exports.getAuthModeDescription = getAuthModeDescription;
+const zod_1 = require("zod");
+const logger_1 = require("../logger");
+const OAuthConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.literal(true),
+    sessionSecret: zod_1.z.string().min(32, "OAUTH_SESSION_SECRET must be at least 32 characters"),
+    gitlabClientId: zod_1.z.string().min(1, "GITLAB_OAUTH_CLIENT_ID is required"),
+    gitlabClientSecret: zod_1.z.string().optional(),
+    gitlabScopes: zod_1.z.string().default("api,read_user"),
+    tokenTtl: zod_1.z.number().positive().default(3600),
+    refreshTokenTtl: zod_1.z.number().positive().default(604800),
+    devicePollInterval: zod_1.z.number().positive().default(5),
+    deviceTimeout: zod_1.z.number().positive().default(300),
+});
+let cachedOAuthConfig = undefined;
+function loadOAuthConfig() {
+    if (cachedOAuthConfig !== undefined) {
+        return cachedOAuthConfig;
+    }
+    if (process.env.OAUTH_ENABLED !== "true") {
+        cachedOAuthConfig = null;
+        logger_1.logger.debug("OAuth mode disabled (OAUTH_ENABLED !== 'true')");
+        return null;
+    }
+    const result = OAuthConfigSchema.safeParse({
+        enabled: true,
+        sessionSecret: process.env.OAUTH_SESSION_SECRET,
+        gitlabClientId: process.env.GITLAB_OAUTH_CLIENT_ID,
+        gitlabClientSecret: process.env.GITLAB_OAUTH_CLIENT_SECRET,
+        gitlabScopes: process.env.GITLAB_OAUTH_SCOPES ?? "api,read_user",
+        tokenTtl: parseInt(process.env.OAUTH_TOKEN_TTL ?? "3600", 10),
+        refreshTokenTtl: parseInt(process.env.OAUTH_REFRESH_TOKEN_TTL ?? "604800", 10),
+        devicePollInterval: parseInt(process.env.OAUTH_DEVICE_POLL_INTERVAL ?? "5", 10),
+        deviceTimeout: parseInt(process.env.OAUTH_DEVICE_TIMEOUT ?? "300", 10),
+    });
+    if (!result.success) {
+        const errorMessages = result.error.issues
+            .map(e => `${e.path.join(".")}: ${e.message}`)
+            .join(", ");
+        throw new Error(`Invalid OAuth configuration: ${errorMessages}`);
+    }
+    cachedOAuthConfig = result.data;
+    logger_1.logger.info("OAuth mode enabled with valid configuration");
+    return result.data;
+}
+function validateStaticConfig() {
+    if (!process.env.GITLAB_TOKEN) {
+        throw new Error("GITLAB_TOKEN is required when OAUTH_ENABLED is not true");
+    }
+    logger_1.logger.debug("Static token mode: GITLAB_TOKEN configured");
+}
+function isOAuthEnabled() {
+    return loadOAuthConfig() !== null;
+}
+function resetOAuthConfigCache() {
+    cachedOAuthConfig = undefined;
+}
+function getAuthModeDescription() {
+    if (isOAuthEnabled()) {
+        return "OAuth mode (per-user authentication via GitLab Device Flow)";
+    }
+    return "Static token mode (shared GITLAB_TOKEN)";
+}
+//# sourceMappingURL=config.js.map

package/dist/src/oauth/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/oauth/config.ts"],"names":[],"mappings":";;AAqDA,0CAoCC;AAOD,oDAKC;AAOD,wCAEC;AAKD,sDAEC;AAOD,wDAKC;AA1HD,6BAAwB;AACxB,sCAAmC;AAMnC,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IAEjC,OAAO,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAExB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,qDAAqD,CAAC;IAExF,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,oCAAoC,CAAC;IAEvE,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC;IAEjD,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7C,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAEtD,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;CAClD,CAAC,CAAC;AAUH,IAAI,iBAAiB,GAAmC,SAAS,CAAC;AAUlE,SAAgB,eAAe;IAE7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAGD,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;QACzC,iBAAiB,GAAG,IAAI,CAAC;QACzB,eAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAGD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC;QACzC,OAAO,EAAE,IAAa;QACtB,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAC/C,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;QAClD,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B;QAC1D,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,eAAe;QAChE,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,EAAE,EAAE,CAAC;QAC7D,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,QAAQ,EAAE,EAAE,CAAC;QAC9E,kBAAkB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,GAAG,EAAE,EAAE,CAAC;QAC/E,aAAa,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,KAAK,EAAE,EAAE,CAAC;KACvE,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aACtC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7C,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC;IAChC,eAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAOD,SAAgB,oBAAoB;IAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,eAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;AAC7D,CAAC;AAOD,SAAgB,cAAc;IAC5B,OAAO,eAAe,EAAE,KAAK,IAAI,CAAC;AACpC,CAAC;AAKD,SAAgB,qBAAqB;IACnC,iBAAiB,GAAG,SAAS,CAAC;AAChC,CAAC;AAOD,SAAgB,sBAAsB;IACpC,IAAI,cAAc,EAAE,EAAE,CAAC;QACrB,OAAO,6DAA6D,CAAC;IACvE,CAAC;IACD,OAAO,yCAAyC,CAAC;AACnD,CAAC"}

package/dist/src/oauth/endpoints/authorize.d.ts

@@ -0,0 +1,3 @@
+import { Request, Response } from "express";
+export declare function authorizeHandler(req: Request, res: Response): Promise<void>;
+export declare function pollHandler(req: Request, res: Response): Promise<void>;

package/dist/src/oauth/endpoints/authorize.js

@@ -0,0 +1,454 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizeHandler = authorizeHandler;
+exports.pollHandler = pollHandler;
+const config_1 = require("../config");
+const session_store_1 = require("../session-store");
+const gitlab_device_flow_1 = require("../gitlab-device-flow");
+const token_utils_1 = require("../token-utils");
+const metadata_1 = require("./metadata");
+const logger_1 = require("../../logger");
+async function authorizeHandler(req, res) {
+    const config = (0, config_1.loadOAuthConfig)();
+    if (!config) {
+        res.status(500).json({
+            error: "server_error",
+            error_description: "OAuth not configured",
+        });
+        return;
+    }
+    const { client_id, redirect_uri, response_type, state, code_challenge, code_challenge_method } = req.query;
+    if (response_type !== "code") {
+        res.status(400).json({
+            error: "unsupported_response_type",
+            error_description: 'Only "code" response type is supported',
+        });
+        return;
+    }
+    if (!client_id) {
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: "client_id is required",
+        });
+        return;
+    }
+    if (!code_challenge) {
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: "code_challenge is required (PKCE)",
+        });
+        return;
+    }
+    if (code_challenge_method !== "S256") {
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: 'code_challenge_method must be "S256"',
+        });
+        return;
+    }
+    if (redirect_uri) {
+        await handleAuthorizationCodeFlow(req, res, config, {
+            clientId: client_id,
+            redirectUri: redirect_uri,
+            state: state ?? "",
+            codeChallenge: code_challenge,
+            codeChallengeMethod: code_challenge_method,
+        });
+    }
+    else {
+        await handleDeviceFlow(req, res, config, {
+            clientId: client_id,
+            state: state ?? "",
+            codeChallenge: code_challenge,
+            codeChallengeMethod: code_challenge_method,
+        });
+    }
+}
+async function handleAuthorizationCodeFlow(req, res, config, params) {
+    const baseUrl = (0, metadata_1.getBaseUrl)(req);
+    const callbackUri = `${baseUrl}/oauth/callback`;
+    const internalState = (0, token_utils_1.generateRandomString)(32);
+    session_store_1.sessionStore.storeAuthCodeFlow(internalState, {
+        clientId: params.clientId,
+        codeChallenge: params.codeChallenge,
+        codeChallengeMethod: params.codeChallengeMethod,
+        clientState: params.state,
+        internalState: internalState,
+        clientRedirectUri: params.redirectUri,
+        callbackUri: callbackUri,
+        expiresAt: Date.now() + 10 * 60 * 1000,
+    });
+    const gitlabAuthUrl = (0, gitlab_device_flow_1.buildGitLabAuthUrl)(config, callbackUri, internalState);
+    logger_1.logger.info({
+        internalState: internalState.substring(0, 8) + "...",
+        clientRedirectUri: params.redirectUri,
+    }, "Authorization Code Flow initiated, redirecting to GitLab");
+    res.redirect(gitlabAuthUrl);
+}
+async function handleDeviceFlow(req, res, config, params) {
+    try {
+        const deviceResponse = await (0, gitlab_device_flow_1.initiateDeviceFlow)(config);
+        const flowState = (0, token_utils_1.generateRandomString)(32);
+        session_store_1.sessionStore.storeDeviceFlow(flowState, {
+            deviceCode: deviceResponse.device_code,
+            userCode: deviceResponse.user_code,
+            verificationUri: deviceResponse.verification_uri,
+            verificationUriComplete: deviceResponse.verification_uri_complete,
+            expiresAt: Date.now() + deviceResponse.expires_in * 1000,
+            interval: deviceResponse.interval,
+            clientId: params.clientId,
+            codeChallenge: params.codeChallenge,
+            codeChallengeMethod: params.codeChallengeMethod,
+            state: params.state,
+            redirectUri: undefined,
+        });
+        logger_1.logger.info({
+            flowState: flowState.substring(0, 8) + "...",
+            userCode: deviceResponse.user_code,
+        }, "Device flow initiated for authorization");
+        const baseUrl = (0, metadata_1.getBaseUrl)(req);
+        const html = getDeviceFlowHTML({
+            userCode: deviceResponse.user_code,
+            verificationUri: deviceResponse.verification_uri,
+            verificationUriComplete: deviceResponse.verification_uri_complete,
+            flowState,
+            pollUrl: `${baseUrl}/oauth/poll`,
+            expiresIn: deviceResponse.expires_in,
+        });
+        res.setHeader("Content-Type", "text/html");
+        res.send(html);
+    }
+    catch (error) {
+        logger_1.logger.error({ err: error }, "Failed to initiate device flow");
+        res.status(500).json({
+            error: "server_error",
+            error_description: "Failed to initiate authentication",
+        });
+    }
+}
+async function pollHandler(req, res) {
+    const config = (0, config_1.loadOAuthConfig)();
+    if (!config) {
+        res.status(500).json({ error: "server_error" });
+        return;
+    }
+    const { flow_state } = req.query;
+    if (!flow_state) {
+        res
+            .status(400)
+            .json({ status: "failed", error: "Missing flow_state" });
+        return;
+    }
+    const flow = session_store_1.sessionStore.getDeviceFlow(flow_state);
+    if (!flow) {
+        res.status(400).json({ status: "expired", error: "Flow not found" });
+        return;
+    }
+    if (Date.now() > flow.expiresAt) {
+        session_store_1.sessionStore.deleteDeviceFlow(flow_state);
+        res
+            .status(400)
+            .json({ status: "expired", error: "Device code expired" });
+        return;
+    }
+    try {
+        const tokenResponse = await (0, gitlab_device_flow_1.pollDeviceFlowOnce)(flow.deviceCode, config);
+        if (tokenResponse) {
+            const userInfo = await (0, gitlab_device_flow_1.getGitLabUser)(tokenResponse.access_token);
+            const sessionId = (0, token_utils_1.generateSessionId)();
+            const now = Date.now();
+            const authCode = (0, token_utils_1.generateAuthorizationCode)();
+            session_store_1.sessionStore.storeAuthCode({
+                code: authCode,
+                sessionId,
+                clientId: flow.clientId,
+                codeChallenge: flow.codeChallenge,
+                codeChallengeMethod: flow.codeChallengeMethod,
+                redirectUri: flow.redirectUri,
+                expiresAt: now + 10 * 60 * 1000,
+            });
+            session_store_1.sessionStore.createSession({
+                id: sessionId,
+                mcpAccessToken: "",
+                mcpRefreshToken: "",
+                mcpTokenExpiry: 0,
+                gitlabAccessToken: tokenResponse.access_token,
+                gitlabRefreshToken: tokenResponse.refresh_token,
+                gitlabTokenExpiry: (0, token_utils_1.calculateTokenExpiry)(tokenResponse.expires_in),
+                gitlabUserId: userInfo.id,
+                gitlabUsername: userInfo.username,
+                clientId: flow.clientId,
+                scopes: ["mcp:tools", "mcp:resources"],
+                createdAt: now,
+                updatedAt: now,
+            });
+            session_store_1.sessionStore.deleteDeviceFlow(flow_state);
+            logger_1.logger.info({
+                sessionId: sessionId.substring(0, 8) + "...",
+                userId: userInfo.id,
+                username: userInfo.username,
+            }, "Device flow authorization completed");
+            const response = {
+                status: "complete",
+                redirect_uri: flow.redirectUri,
+                code: authCode,
+                state: flow.state ? flow.state : undefined,
+            };
+            res.json(response);
+        }
+        else {
+            res.json({ status: "pending" });
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Unknown error";
+        if (message.includes("expired") || message.includes("denied") || message.includes("invalid")) {
+            session_store_1.sessionStore.deleteDeviceFlow(flow_state);
+            res.json({ status: "failed", error: message });
+        }
+        else {
+            logger_1.logger.warn({ err: error }, "Device flow poll error");
+            res.json({ status: "pending" });
+        }
+    }
+}
+function getDeviceFlowHTML(params) {
+    const linkUrl = params.verificationUriComplete ?? params.verificationUri;
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>GitLab MCP - Authentication</title>
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+      max-width: 600px;
+      margin: 0 auto;
+      padding: 40px 20px;
+      background: #f5f5f5;
+      min-height: 100vh;
+    }
+    .container {
+      background: white;
+      padding: 40px;
+      border-radius: 12px;
+      box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+    }
+    h1 {
+      color: #333;
+      margin-bottom: 20px;
+      font-size: 24px;
+    }
+    p {
+      color: #666;
+      line-height: 1.6;
+      margin-bottom: 16px;
+    }
+    .code-container {
+      background: #f8f9fa;
+      border: 2px dashed #ddd;
+      border-radius: 8px;
+      padding: 24px;
+      margin: 24px 0;
+      text-align: center;
+    }
+    .code {
+      font-size: 36px;
+      font-weight: bold;
+      letter-spacing: 6px;
+      color: #333;
+      font-family: 'Courier New', monospace;
+    }
+    .code-label {
+      font-size: 12px;
+      color: #888;
+      text-transform: uppercase;
+      margin-bottom: 8px;
+    }
+    .link-button {
+      display: inline-block;
+      background: #fc6d26;
+      color: white;
+      padding: 14px 28px;
+      border-radius: 6px;
+      text-decoration: none;
+      font-weight: 500;
+      margin: 16px 0;
+      transition: background 0.2s;
+    }
+    .link-button:hover {
+      background: #e24329;
+    }
+    .status {
+      padding: 16px;
+      border-radius: 8px;
+      margin: 24px 0;
+      font-weight: 500;
+    }
+    .status.pending {
+      background: #fff3cd;
+      color: #856404;
+      border: 1px solid #ffeeba;
+    }
+    .status.success {
+      background: #d4edda;
+      color: #155724;
+      border: 1px solid #c3e6cb;
+    }
+    .status.error {
+      background: #f8d7da;
+      color: #721c24;
+      border: 1px solid #f5c6cb;
+    }
+    .instructions {
+      background: #e8f4fd;
+      border-left: 4px solid #0366d6;
+      padding: 16px;
+      margin: 24px 0;
+      border-radius: 0 8px 8px 0;
+    }
+    .instructions ol {
+      margin-left: 20px;
+    }
+    .instructions li {
+      margin: 8px 0;
+      color: #444;
+    }
+    .timer {
+      font-size: 14px;
+      color: #888;
+      margin-top: 16px;
+    }
+    .gitlab-logo {
+      width: 40px;
+      height: 40px;
+      margin-bottom: 16px;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <svg class="gitlab-logo" viewBox="0 0 380 380" xmlns="http://www.w3.org/2000/svg">
+      <path d="M190.2 350.2l62.5-192.5H127.7l62.5 192.5z" fill="#e24329"/>
+      <path d="M190.2 350.2l-62.5-192.5H38.4l151.8 192.5z" fill="#fc6d26"/>
+      <path d="M38.4 157.7L9.1 247.6c-2.7 8.2.1 17.2 6.9 22.5l174.2 126.6L38.4 157.7z" fill="#fca326"/>
+      <path d="M38.4 157.7h89.3L91.4 48.5c-3.3-10.2-17.8-10.2-21.1 0L38.4 157.7z" fill="#e24329"/>
+      <path d="M190.2 350.2l62.5-192.5h89.3L190.2 350.2z" fill="#fc6d26"/>
+      <path d="M342 157.7l29.3 89.9c2.7 8.2-.1 17.2-6.9 22.5L190.2 396.7 342 157.7z" fill="#fca326"/>
+      <path d="M342 157.7h-89.3l36.3-109.2c3.3-10.2 17.8-10.2 21.1 0L342 157.7z" fill="#e24329"/>
+    </svg>
+
+    <h1>Authenticate with GitLab</h1>
+
+    <p>To complete authentication, visit GitLab and enter the code below:</p>
+
+    <div class="code-container">
+      <div class="code-label">Your Code</div>
+      <div class="code">${params.userCode}</div>
+    </div>
+
+    <div style="text-align: center;">
+      <a href="${linkUrl}" target="_blank" rel="noopener" class="link-button">
+        Open GitLab Authentication Page
+      </a>
+    </div>
+
+    <div class="instructions">
+      <strong>Instructions:</strong>
+      <ol>
+        <li>Click the button above to open GitLab</li>
+        <li>Sign in to your GitLab account if needed</li>
+        <li>Enter the code shown above</li>
+        <li>Click "Authorize" to grant access</li>
+        <li>Return here - you'll be redirected automatically</li>
+      </ol>
+    </div>
+
+    <div id="status" class="status pending">
+      Waiting for authentication...
+    </div>
+
+    <div class="timer" id="timer">
+      Code expires in <span id="countdown">${params.expiresIn}</span> seconds
+    </div>
+  </div>
+
+  <script>
+    const pollUrl = '${params.pollUrl}?flow_state=${params.flowState}';
+    const pollInterval = 5000; // 5 seconds
+    let countdown = ${params.expiresIn};
+
+    // Update countdown timer
+    const countdownEl = document.getElementById('countdown');
+    const timerInterval = setInterval(() => {
+      countdown--;
+      if (countdown <= 0) {
+        clearInterval(timerInterval);
+        document.getElementById('status').className = 'status error';
+        document.getElementById('status').textContent = 'Code expired. Please refresh to try again.';
+        document.getElementById('timer').style.display = 'none';
+      } else {
+        countdownEl.textContent = countdown;
+      }
+    }, 1000);
+
+    // Poll for completion
+    async function poll() {
+      try {
+        const response = await fetch(pollUrl);
+        const data = await response.json();
+
+        const statusEl = document.getElementById('status');
+
+        if (data.status === 'complete') {
+          clearInterval(timerInterval);
+          statusEl.className = 'status success';
+          statusEl.textContent = 'Authentication successful! Redirecting...';
+
+          // Build redirect URL with authorization code
+          if (data.redirect_uri) {
+            const redirectUrl = new URL(data.redirect_uri);
+            redirectUrl.searchParams.set('code', data.code);
+            if (data.state) {
+              redirectUrl.searchParams.set('state', data.state);
+            }
+
+            // Redirect after a brief delay
+            setTimeout(() => {
+              window.location.href = redirectUrl.toString();
+            }, 1000);
+          }
+          return;
+        }
+
+        if (data.status === 'failed' || data.status === 'expired') {
+          clearInterval(timerInterval);
+          statusEl.className = 'status error';
+          statusEl.textContent = 'Authentication failed: ' + (data.error || 'Unknown error');
+          document.getElementById('timer').style.display = 'none';
+          return;
+        }
+
+        // Still pending, continue polling
+        setTimeout(poll, pollInterval);
+
+      } catch (error) {
+        console.error('Poll error:', error);
+        // Continue polling on transient errors
+        setTimeout(poll, pollInterval);
+      }
+    }
+
+    // Start polling
+    setTimeout(poll, pollInterval);
+  </script>
+</body>
+</html>`;
+}
+//# sourceMappingURL=authorize.js.map

package/dist/src/oauth/endpoints/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../../../src/oauth/endpoints/authorize.ts"],"names":[],"mappings":";;AA8DA,4CAmEC;AAkID,kCAiHC;AArWD,sCAA4C;AAC5C,oDAAgD;AAChD,8DAK+B;AAC/B,gDAKwB;AACxB,yCAAwC;AACxC,yCAAsC;AAgC/B,KAAK,UAAU,gBAAgB,CAAC,GAAY,EAAE,GAAa;IAChE,MAAM,MAAM,GAAG,IAAA,wBAAe,GAAE,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,iBAAiB,EAAE,sBAAsB;SAC1C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAGD,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,KAAK,EAAE,cAAc,EAAE,qBAAqB,EAAE,GAC5F,GAAG,CAAC,KAA2C,CAAC;IAGlD,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;QAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,2BAA2B;YAClC,iBAAiB,EAAE,wCAAwC;SAC5D,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,uBAAuB;SAC3C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAGD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,mCAAmC;SACvD,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,qBAAqB,KAAK,MAAM,EAAE,CAAC;QACrC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,sCAAsC;SAC1D,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAGD,IAAI,YAAY,EAAE,CAAC;QAEjB,MAAM,2BAA2B,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE;YAClD,QAAQ,EAAE,SAAS;YACnB,WAAW,EAAE,YAAY;YACzB,KAAK,EAAE,KAAK,IAAI,EAAE;YAClB,aAAa,EAAE,cAAc;YAC7B,mBAAmB,EAAE,qBAAqB;SAC3C,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QAEN,MAAM,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE;YACvC,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,KAAK,IAAI,EAAE;YAClB,aAAa,EAAE,cAAc;YAC7B,mBAAmB,EAAE,qBAAqB;SAC3C,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAQD,KAAK,UAAU,2BAA2B,CACxC,GAAY,EACZ,GAAa,EACb,MAAmD,EACnD,MAMC;IAED,MAAM,OAAO,GAAG,IAAA,qBAAU,EAAC,GAAG,CAAC,CAAC;IAChC,MAAM,WAAW,GAAG,GAAG,OAAO,iBAAiB,CAAC;IAGhD,MAAM,aAAa,GAAG,IAAA,kCAAoB,EAAC,EAAE,CAAC,CAAC;IAG/C,4BAAY,CAAC,iBAAiB,CAAC,aAAa,EAAE;QAC5C,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;QAC/C,WAAW,EAAE,MAAM,CAAC,KAAK;QACzB,aAAa,EAAE,aAAa;QAC5B,iBAAiB,EAAE,MAAM,CAAC,WAAW;QACrC,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACvC,CAAC,CAAC;IAGH,MAAM,aAAa,GAAG,IAAA,uCAAkB,EAAC,MAAM,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;IAE7E,eAAM,CAAC,IAAI,CACT;QACE,aAAa,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;QACpD,iBAAiB,EAAE,MAAM,CAAC,WAAW;KACtC,EACD,0DAA0D,CAC3D,CAAC;IAGF,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AAC9B,CAAC;AAOD,KAAK,UAAU,gBAAgB,CAC7B,GAAY,EACZ,GAAa,EACb,MAAmD,EACnD,MAKC;IAED,IAAI,CAAC;QAEH,MAAM,cAAc,GAAG,MAAM,IAAA,uCAAkB,EAAC,MAAM,CAAC,CAAC;QAGxD,MAAM,SAAS,GAAG,IAAA,kCAAoB,EAAC,EAAE,CAAC,CAAC;QAG3C,4BAAY,CAAC,eAAe,CAAC,SAAS,EAAE;YACtC,UAAU,EAAE,cAAc,CAAC,WAAW;YACtC,QAAQ,EAAE,cAAc,CAAC,SAAS;YAClC,eAAe,EAAE,cAAc,CAAC,gBAAgB;YAChD,uBAAuB,EAAE,cAAc,CAAC,yBAAyB;YACjE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC,UAAU,GAAG,IAAI;YACxD,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;YAC/C,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,WAAW,EAAE,SAAS;SACvB,CAAC,CAAC;QAEH,eAAM,CAAC,IAAI,CACT;YACE,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;YAC5C,QAAQ,EAAE,cAAc,CAAC,SAAS;SACnC,EACD,yCAAyC,CAC1C,CAAC;QAGF,MAAM,OAAO,GAAG,IAAA,qBAAU,EAAC,GAAG,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,iBAAiB,CAAC;YAC7B,QAAQ,EAAE,cAAc,CAAC,SAAS;YAClC,eAAe,EAAE,cAAc,CAAC,gBAAgB;YAChD,uBAAuB,EAAE,cAAc,CAAC,yBAAyB;YACjE,SAAS;YACT,OAAO,EAAE,GAAG,OAAO,aAAa;YAChC,SAAS,EAAE,cAAc,CAAC,UAAU;SACrC,CAAC,CAAC;QAEH,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAC3C,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,eAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAc,EAAE,EAAE,gCAAgC,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,iBAAiB,EAAE,mCAAmC;SACvD,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAWM,KAAK,UAAU,WAAW,CAAC,GAAY,EAAE,GAAa;IAC3D,MAAM,MAAM,GAAG,IAAA,wBAAe,GAAE,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAA4B,CAAC,CAAC;QAC1E,OAAO;IACT,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,KAAgC,CAAC;IAE5D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,GAAG;aACA,MAAM,CAAC,GAAG,CAAC;aACX,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,oBAAoB,EAA4B,CAAC,CAAC;QACrF,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,4BAAY,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,gBAAgB,EAA4B,CAAC,CAAC;QAC/F,OAAO;IACT,CAAC;IAGD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,4BAAY,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAC1C,GAAG;aACA,MAAM,CAAC,GAAG,CAAC;aACX,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAA4B,CAAC,CAAC;QACvF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QAEH,MAAM,aAAa,GAAG,MAAM,IAAA,uCAAkB,EAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAExE,IAAI,aAAa,EAAE,CAAC;YAElB,MAAM,QAAQ,GAAG,MAAM,IAAA,kCAAa,EAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YAEjE,MAAM,SAAS,GAAG,IAAA,+BAAiB,GAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAGvB,MAAM,QAAQ,GAAG,IAAA,uCAAyB,GAAE,CAAC;YAG7C,4BAAY,CAAC,aAAa,CAAC;gBACzB,IAAI,EAAE,QAAQ;gBACd,SAAS;gBACT,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;gBAC7C,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;aAChC,CAAC,CAAC;YAIH,4BAAY,CAAC,aAAa,CAAC;gBACzB,EAAE,EAAE,SAAS;gBACb,cAAc,EAAE,EAAE;gBAClB,eAAe,EAAE,EAAE;gBACnB,cAAc,EAAE,CAAC;gBACjB,iBAAiB,EAAE,aAAa,CAAC,YAAY;gBAC7C,kBAAkB,EAAE,aAAa,CAAC,aAAa;gBAC/C,iBAAiB,EAAE,IAAA,kCAAoB,EAAC,aAAa,CAAC,UAAU,CAAC;gBACjE,YAAY,EAAE,QAAQ,CAAC,EAAE;gBACzB,cAAc,EAAE,QAAQ,CAAC,QAAQ;gBACjC,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,MAAM,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;gBACtC,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;aACf,CAAC,CAAC;YAGH,4BAAY,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;YAE1C,eAAM,CAAC,IAAI,CACT;gBACE,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;gBAC5C,MAAM,EAAE,QAAQ,CAAC,EAAE;gBACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;aAC5B,EACD,qCAAqC,CACtC,CAAC;YAGF,MAAM,QAAQ,GAA2B;gBACvC,MAAM,EAAE,UAAU;gBAClB,YAAY,EAAE,IAAI,CAAC,WAAW;gBAC9B,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aAC3C,CAAC;YAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrB,CAAC;aAAM,CAAC;YAEN,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAA4B,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QAGzE,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7F,4BAAY,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;YAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAA4B,CAAC,CAAC;QAC3E,CAAC;aAAM,CAAC;YAEN,eAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAc,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAC/D,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAA4B,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;AACH,CAAC;AAcD,SAAS,iBAAiB,CAAC,MAA4B;IACrD,MAAM,OAAO,GAAG,MAAM,CAAC,uBAAuB,IAAI,MAAM,CAAC,eAAe,CAAC;IAEzE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BAwIiB,MAAM,CAAC,QAAQ;;;;iBAIxB,OAAO;;;;;;;;;;;;;;;;;;;;;6CAqBqB,MAAM,CAAC,SAAS;;;;;uBAKtC,MAAM,CAAC,OAAO,eAAe,MAAM,CAAC,SAAS;;sBAE9C,MAAM,CAAC,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAmE9B,CAAC;AACT,CAAC"}

package/dist/src/oauth/endpoints/callback.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response } from "express";
+export declare function callbackHandler(req: Request, res: Response): Promise<void>;

package/dist/src/oauth/endpoints/callback.js

@@ -0,0 +1,129 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.callbackHandler = callbackHandler;
+const config_1 = require("../config");
+const session_store_1 = require("../session-store");
+const gitlab_device_flow_1 = require("../gitlab-device-flow");
+const token_utils_1 = require("../token-utils");
+const logger_1 = require("../../logger");
+async function callbackHandler(req, res) {
+    const config = (0, config_1.loadOAuthConfig)();
+    if (!config) {
+        res.status(500).json({
+            error: "server_error",
+            error_description: "OAuth not configured",
+        });
+        return;
+    }
+    const { code, state, error, error_description } = req.query;
+    if (error) {
+        logger_1.logger.warn({ error, error_description }, "GitLab authorization error");
+        if (state) {
+            const flow = session_store_1.sessionStore.getAuthCodeFlow(state);
+            if (flow) {
+                session_store_1.sessionStore.deleteAuthCodeFlow(state);
+                const redirectUrl = new URL(flow.clientRedirectUri);
+                redirectUrl.searchParams.set("error", error);
+                if (error_description) {
+                    redirectUrl.searchParams.set("error_description", error_description);
+                }
+                if (flow.clientState) {
+                    redirectUrl.searchParams.set("state", flow.clientState);
+                }
+                res.redirect(redirectUrl.toString());
+                return;
+            }
+        }
+        res.status(400).json({
+            error: error,
+            error_description: error_description ?? "GitLab authorization failed",
+        });
+        return;
+    }
+    if (!code) {
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing authorization code from GitLab",
+        });
+        return;
+    }
+    if (!state) {
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing state parameter",
+        });
+        return;
+    }
+    const flow = session_store_1.sessionStore.getAuthCodeFlow(state);
+    if (!flow) {
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: "Invalid or expired state. Please start authorization again.",
+        });
+        return;
+    }
+    if (Date.now() > flow.expiresAt) {
+        session_store_1.sessionStore.deleteAuthCodeFlow(state);
+        res.status(400).json({
+            error: "invalid_request",
+            error_description: "Authorization flow expired. Please start again.",
+        });
+        return;
+    }
+    try {
+        const gitlabTokens = await (0, gitlab_device_flow_1.exchangeGitLabAuthCode)(code, flow.callbackUri, config);
+        const userInfo = await (0, gitlab_device_flow_1.getGitLabUser)(gitlabTokens.access_token);
+        const sessionId = (0, token_utils_1.generateSessionId)();
+        const now = Date.now();
+        const mcpAuthCode = (0, token_utils_1.generateAuthorizationCode)();
+        session_store_1.sessionStore.storeAuthCode({
+            code: mcpAuthCode,
+            sessionId,
+            clientId: flow.clientId,
+            codeChallenge: flow.codeChallenge,
+            codeChallengeMethod: flow.codeChallengeMethod,
+            redirectUri: flow.clientRedirectUri,
+            expiresAt: now + 10 * 60 * 1000,
+        });
+        session_store_1.sessionStore.createSession({
+            id: sessionId,
+            mcpAccessToken: "",
+            mcpRefreshToken: "",
+            mcpTokenExpiry: 0,
+            gitlabAccessToken: gitlabTokens.access_token,
+            gitlabRefreshToken: gitlabTokens.refresh_token,
+            gitlabTokenExpiry: (0, token_utils_1.calculateTokenExpiry)(gitlabTokens.expires_in),
+            gitlabUserId: userInfo.id,
+            gitlabUsername: userInfo.username,
+            clientId: flow.clientId,
+            scopes: ["mcp:tools", "mcp:resources"],
+            createdAt: now,
+            updatedAt: now,
+        });
+        session_store_1.sessionStore.deleteAuthCodeFlow(state);
+        logger_1.logger.info({
+            sessionId: sessionId.substring(0, 8) + "...",
+            userId: userInfo.id,
+            username: userInfo.username,
+        }, "Authorization Code Flow completed successfully");
+        const redirectUrl = new URL(flow.clientRedirectUri);
+        redirectUrl.searchParams.set("code", mcpAuthCode);
+        if (flow.clientState) {
+            redirectUrl.searchParams.set("state", flow.clientState);
+        }
+        logger_1.logger.debug({ redirectUri: flow.clientRedirectUri }, "Redirecting to client with authorization code");
+        res.redirect(redirectUrl.toString());
+    }
+    catch (error) {
+        logger_1.logger.error({ err: error }, "Failed to complete authorization code flow");
+        session_store_1.sessionStore.deleteAuthCodeFlow(state);
+        const redirectUrl = new URL(flow.clientRedirectUri);
+        redirectUrl.searchParams.set("error", "server_error");
+        redirectUrl.searchParams.set("error_description", error instanceof Error ? error.message : "Failed to complete authorization");
+        if (flow.clientState) {
+            redirectUrl.searchParams.set("state", flow.clientState);
+        }
+        res.redirect(redirectUrl.toString());
+    }
+}
+//# sourceMappingURL=callback.js.map