@structured-world/gitlab-mcp 5.7.0 → 6.0.0

package/dist/src/oauth/endpoints/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.js","sourceRoot":"","sources":["../../../../src/oauth/endpoints/callback.ts"],"names":[],"mappings":";;AAoCA,0CAmKC;AAtLD,sCAA4C;AAC5C,oDAAgD;AAChD,8DAA8E;AAC9E,gDAAoG;AACpG,yCAAsC;AAe/B,KAAK,UAAU,eAAe,CAAC,GAAY,EAAE,GAAa;IAC/D,MAAM,MAAM,GAAG,IAAA,wBAAe,GAAE,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,iBAAiB,EAAE,sBAAsB;SAC1C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,GAAG,CAAC,KAA2C,CAAC;IAGlG,IAAI,KAAK,EAAE,CAAC;QACV,eAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,4BAA4B,CAAC,CAAC;QAExE,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,4BAAY,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,IAAI,EAAE,CAAC;gBACT,4BAAY,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;gBACvC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACpD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAC7C,IAAI,iBAAiB,EAAE,CAAC;oBACtB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,iBAAiB,CAAC,CAAC;gBACvE,CAAC;gBACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC1D,CAAC;gBACD,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACrC,OAAO;YACT,CAAC;QACH,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,KAAK;YACZ,iBAAiB,EAAE,iBAAiB,IAAI,6BAA6B;SACtE,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAGD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,wCAAwC;SAC5D,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,yBAAyB;SAC7C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAGD,MAAM,IAAI,GAAG,4BAAY,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,6DAA6D;SACjF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAGD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,4BAAY,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,iDAAiD;SACrE,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QAEH,MAAM,YAAY,GAAG,MAAM,IAAA,2CAAsB,EAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAGlF,MAAM,QAAQ,GAAG,MAAM,IAAA,kCAAa,EAAC,YAAY,CAAC,YAAY,CAAC,CAAC;QAGhE,MAAM,SAAS,GAAG,IAAA,+BAAiB,GAAE,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAGvB,MAAM,WAAW,GAAG,IAAA,uCAAyB,GAAE,CAAC;QAGhD,4BAAY,CAAC,aAAa,CAAC;YACzB,IAAI,EAAE,WAAW;YACjB,SAAS;YACT,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,WAAW,EAAE,IAAI,CAAC,iBAAiB;YACnC,SAAS,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;SAChC,CAAC,CAAC;QAIH,4BAAY,CAAC,aAAa,CAAC;YACzB,EAAE,EAAE,SAAS;YACb,cAAc,EAAE,EAAE;YAClB,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,CAAC;YACjB,iBAAiB,EAAE,YAAY,CAAC,YAAY;YAC5C,kBAAkB,EAAE,YAAY,CAAC,aAAa;YAC9C,iBAAiB,EAAE,IAAA,kCAAoB,EAAC,YAAY,CAAC,UAAU,CAAC;YAChE,YAAY,EAAE,QAAQ,CAAC,EAAE;YACzB,cAAc,EAAE,QAAQ,CAAC,QAAQ;YACjC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;YACtC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACf,CAAC,CAAC;QAGH,4BAAY,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAEvC,eAAM,CAAC,IAAI,CACT;YACE,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;YAC5C,MAAM,EAAE,QAAQ,CAAC,EAAE;YACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;SAC5B,EACD,gDAAgD,CACjD,CAAC;QAGF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAClD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1D,CAAC;QAED,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,IAAI,CAAC,iBAAiB,EAAE,EACvC,+CAA+C,CAChD,CAAC;QAEF,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,eAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAc,EAAE,EAAE,4CAA4C,CAAC,CAAC;QAGpF,4BAAY,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAGvC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAC1B,mBAAmB,EACnB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,kCAAkC,CAC5E,CAAC;QACF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1D,CAAC;QAED,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;IACvC,CAAC;AACH,CAAC"}

package/dist/src/oauth/endpoints/index.d.ts

@@ -0,0 +1,5 @@
+export { metadataHandler, healthHandler, protectedResourceHandler, getBaseUrl } from "./metadata";
+export { authorizeHandler, pollHandler } from "./authorize";
+export { callbackHandler } from "./callback";
+export { tokenHandler } from "./token";
+export { registerHandler, getRegisteredClient, isValidRedirectUri } from "./register";

package/dist/src/oauth/endpoints/index.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isValidRedirectUri = exports.getRegisteredClient = exports.registerHandler = exports.tokenHandler = exports.callbackHandler = exports.pollHandler = exports.authorizeHandler = exports.getBaseUrl = exports.protectedResourceHandler = exports.healthHandler = exports.metadataHandler = void 0;
+var metadata_1 = require("./metadata");
+Object.defineProperty(exports, "metadataHandler", { enumerable: true, get: function () { return metadata_1.metadataHandler; } });
+Object.defineProperty(exports, "healthHandler", { enumerable: true, get: function () { return metadata_1.healthHandler; } });
+Object.defineProperty(exports, "protectedResourceHandler", { enumerable: true, get: function () { return metadata_1.protectedResourceHandler; } });
+Object.defineProperty(exports, "getBaseUrl", { enumerable: true, get: function () { return metadata_1.getBaseUrl; } });
+var authorize_1 = require("./authorize");
+Object.defineProperty(exports, "authorizeHandler", { enumerable: true, get: function () { return authorize_1.authorizeHandler; } });
+Object.defineProperty(exports, "pollHandler", { enumerable: true, get: function () { return authorize_1.pollHandler; } });
+var callback_1 = require("./callback");
+Object.defineProperty(exports, "callbackHandler", { enumerable: true, get: function () { return callback_1.callbackHandler; } });
+var token_1 = require("./token");
+Object.defineProperty(exports, "tokenHandler", { enumerable: true, get: function () { return token_1.tokenHandler; } });
+var register_1 = require("./register");
+Object.defineProperty(exports, "registerHandler", { enumerable: true, get: function () { return register_1.registerHandler; } });
+Object.defineProperty(exports, "getRegisteredClient", { enumerable: true, get: function () { return register_1.getRegisteredClient; } });
+Object.defineProperty(exports, "isValidRedirectUri", { enumerable: true, get: function () { return register_1.isValidRedirectUri; } });
+//# sourceMappingURL=index.js.map

package/dist/src/oauth/endpoints/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/oauth/endpoints/index.ts"],"names":[],"mappings":";;;AAMA,uCAAkG;AAAzF,2GAAA,eAAe,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,oHAAA,wBAAwB,OAAA;AAAE,sGAAA,UAAU,OAAA;AAC7E,yCAA4D;AAAnD,6GAAA,gBAAgB,OAAA;AAAE,wGAAA,WAAW,OAAA;AACtC,uCAA6C;AAApC,2GAAA,eAAe,OAAA;AACxB,iCAAuC;AAA9B,qGAAA,YAAY,OAAA;AACrB,uCAAsF;AAA7E,2GAAA,eAAe,OAAA;AAAE,+GAAA,mBAAmB,OAAA;AAAE,8GAAA,kBAAkB,OAAA"}

package/dist/src/oauth/endpoints/metadata.d.ts

@@ -0,0 +1,5 @@
+import { Request, Response } from "express";
+export declare function getBaseUrl(req: Request): string;
+export declare function metadataHandler(req: Request, res: Response): void;
+export declare function protectedResourceHandler(req: Request, res: Response): void;
+export declare function healthHandler(req: Request, res: Response): void;

package/dist/src/oauth/endpoints/metadata.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getBaseUrl = getBaseUrl;
+exports.metadataHandler = metadataHandler;
+exports.protectedResourceHandler = protectedResourceHandler;
+exports.healthHandler = healthHandler;
+const config_1 = require("../../config");
+function getBaseUrl(req) {
+    const forwardedProto = req.get("x-forwarded-proto");
+    const protocol = forwardedProto ?? req.protocol ?? "http";
+    const forwardedHost = req.get("x-forwarded-host");
+    const host = forwardedHost ?? req.get("host") ?? `${config_1.HOST}:${config_1.PORT}`;
+    return `${protocol}://${host}`;
+}
+function metadataHandler(req, res) {
+    const baseUrl = getBaseUrl(req);
+    const metadata = {
+        issuer: baseUrl,
+        authorization_endpoint: `${baseUrl}/authorize`,
+        token_endpoint: `${baseUrl}/token`,
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code", "refresh_token"],
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint_auth_methods_supported: ["none"],
+        scopes_supported: ["mcp:tools", "mcp:resources"],
+        registration_endpoint: `${baseUrl}/register`,
+        mcp_version: "2025-03-26",
+    };
+    res.json(metadata);
+}
+function protectedResourceHandler(req, res) {
+    const baseUrl = getBaseUrl(req);
+    const metadata = {
+        resource: baseUrl,
+        authorization_servers: [baseUrl],
+        scopes_supported: ["mcp:tools", "mcp:resources"],
+        bearer_methods_supported: ["header"],
+    };
+    res.json(metadata);
+}
+function healthHandler(req, res) {
+    res.json({
+        status: "ok",
+        mode: "oauth",
+        timestamp: new Date().toISOString(),
+    });
+}
+//# sourceMappingURL=metadata.js.map

package/dist/src/oauth/endpoints/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../../../../src/oauth/endpoints/metadata.ts"],"names":[],"mappings":";;AAoBA,gCAUC;AAaD,0CAsCC;AAWD,4DAmBC;AAUD,sCAMC;AArHD,yCAA0C;AAU1C,SAAgB,UAAU,CAAC,GAAY;IAErC,MAAM,cAAc,GAAG,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,cAAc,IAAI,GAAG,CAAC,QAAQ,IAAI,MAAM,CAAC;IAG1D,MAAM,aAAa,GAAG,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,aAAa,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,aAAI,IAAI,aAAI,EAAE,CAAC;IAEnE,OAAO,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;AACjC,CAAC;AAaD,SAAgB,eAAe,CAAC,GAAY,EAAE,GAAa;IACzD,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAGhC,MAAM,QAAQ,GAAG;QAEf,MAAM,EAAE,OAAO;QAGf,sBAAsB,EAAE,GAAG,OAAO,YAAY;QAG9C,cAAc,EAAE,GAAG,OAAO,QAAQ;QAGlC,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAGlC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAG9D,gCAAgC,EAAE,CAAC,MAAM,CAAC;QAI1C,qCAAqC,EAAE,CAAC,MAAM,CAAC;QAG/C,gBAAgB,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;QAGhD,qBAAqB,EAAE,GAAG,OAAO,WAAW;QAG5C,WAAW,EAAE,YAAY;KAC1B,CAAC;IAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAWD,SAAgB,wBAAwB,CAAC,GAAY,EAAE,GAAa;IAClE,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAGhC,MAAM,QAAQ,GAAG;QAEf,QAAQ,EAAE,OAAO;QAGjB,qBAAqB,EAAE,CAAC,OAAO,CAAC;QAGhC,gBAAgB,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;QAGhD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;KACrC,CAAC;IAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAUD,SAAgB,aAAa,CAAC,GAAY,EAAE,GAAa;IACvD,GAAG,CAAC,IAAI,CAAC;QACP,MAAM,EAAE,IAAI;QACZ,IAAI,EAAE,OAAO;QACb,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/oauth/endpoints/register.d.ts

@@ -0,0 +1,15 @@
+import { Request, Response } from "express";
+interface RegisteredClient {
+    client_id: string;
+    client_secret?: string;
+    redirect_uris: string[];
+    client_name?: string;
+    token_endpoint_auth_method: string;
+    grant_types: string[];
+    response_types: string[];
+    created_at: number;
+}
+export declare function registerHandler(req: Request, res: Response): Promise<void>;
+export declare function getRegisteredClient(clientId: string): RegisteredClient | undefined;
+export declare function isValidRedirectUri(clientId: string, redirectUri: string): boolean;
+export {};

package/dist/src/oauth/endpoints/register.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerHandler = registerHandler;
+exports.getRegisteredClient = getRegisteredClient;
+exports.isValidRedirectUri = isValidRedirectUri;
+const crypto_1 = require("crypto");
+const logger_1 = require("../../logger");
+const registeredClients = new Map();
+async function registerHandler(req, res) {
+    try {
+        const body = req.body;
+        const { redirect_uris, client_name, token_endpoint_auth_method = "none", grant_types = ["authorization_code", "refresh_token"], response_types = ["code"], } = body;
+        if (!redirect_uris || !Array.isArray(redirect_uris) || redirect_uris.length === 0) {
+            res.status(400).json({
+                error: "invalid_client_metadata",
+                error_description: "redirect_uris is required and must be a non-empty array",
+            });
+            return;
+        }
+        for (const uri of redirect_uris) {
+            try {
+                new URL(uri);
+            }
+            catch {
+                res.status(400).json({
+                    error: "invalid_redirect_uri",
+                    error_description: `Invalid redirect URI: ${uri}`,
+                });
+                return;
+            }
+        }
+        const client_id = (0, crypto_1.randomUUID)();
+        let client_secret;
+        if (token_endpoint_auth_method !== "none") {
+            client_secret = (0, crypto_1.randomUUID)() + (0, crypto_1.randomUUID)();
+        }
+        const clientData = {
+            client_id,
+            client_secret,
+            redirect_uris,
+            client_name,
+            token_endpoint_auth_method,
+            grant_types,
+            response_types,
+            created_at: Date.now(),
+        };
+        registeredClients.set(client_id, clientData);
+        logger_1.logger.info({
+            client_id,
+            client_name,
+            redirect_uris,
+            token_endpoint_auth_method,
+        }, "New OAuth client registered via DCR");
+        const response = {
+            client_id,
+            redirect_uris,
+            client_name,
+            token_endpoint_auth_method,
+            grant_types,
+            response_types,
+        };
+        if (client_secret) {
+            response.client_secret = client_secret;
+        }
+        res.status(201).json(response);
+    }
+    catch (error) {
+        logger_1.logger.error({ err: error }, "Error in dynamic client registration");
+        res.status(500).json({
+            error: "server_error",
+            error_description: "Failed to register client",
+        });
+    }
+}
+function getRegisteredClient(clientId) {
+    return registeredClients.get(clientId);
+}
+function isValidRedirectUri(clientId, redirectUri) {
+    const client = registeredClients.get(clientId);
+    if (!client) {
+        return true;
+    }
+    return client.redirect_uris.includes(redirectUri);
+}
+//# sourceMappingURL=register.js.map

package/dist/src/oauth/endpoints/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../../../src/oauth/endpoints/register.ts"],"names":[],"mappings":";;AA2CA,0CA0FC;AAKD,kDAEC;AAKD,gDAQC;AAjJD,mCAAoC;AACpC,yCAAsC;AAwBtC,MAAM,iBAAiB,GAAkC,IAAI,GAAG,EAAE,CAAC;AAU5D,KAAK,UAAU,eAAe,CAAC,GAAY,EAAE,GAAa;IAC/D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAiC,CAAC;QACnD,MAAM,EACJ,aAAa,EACb,WAAW,EACX,0BAA0B,GAAG,MAAM,EACnC,WAAW,GAAG,CAAC,oBAAoB,EAAE,eAAe,CAAC,EACrD,cAAc,GAAG,CAAC,MAAM,CAAC,GAC1B,GAAG,IAAI,CAAC;QAGT,IAAI,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,yDAAyD;aAC7E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAGD,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACf,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,sBAAsB;oBAC7B,iBAAiB,EAAE,yBAAyB,GAAG,EAAE;iBAClD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;QAGD,MAAM,SAAS,GAAG,IAAA,mBAAU,GAAE,CAAC;QAI/B,IAAI,aAAiC,CAAC;QACtC,IAAI,0BAA0B,KAAK,MAAM,EAAE,CAAC;YAC1C,aAAa,GAAG,IAAA,mBAAU,GAAE,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC9C,CAAC;QAGD,MAAM,UAAU,GAAqB;YACnC,SAAS;YACT,aAAa;YACb,aAAa;YACb,WAAW;YACX,0BAA0B;YAC1B,WAAW;YACX,cAAc;YACd,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACvB,CAAC;QAEF,iBAAiB,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAE7C,eAAM,CAAC,IAAI,CACT;YACE,SAAS;YACT,WAAW;YACX,aAAa;YACb,0BAA0B;SAC3B,EACD,qCAAqC,CACtC,CAAC;QAGF,MAAM,QAAQ,GAA4B;YACxC,SAAS;YACT,aAAa;YACb,WAAW;YACX,0BAA0B;YAC1B,WAAW;YACX,cAAc;SACf,CAAC;QAGF,IAAI,aAAa,EAAE,CAAC;YAClB,QAAQ,CAAC,aAAa,GAAG,aAAa,CAAC;QACzC,CAAC;QAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,eAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAc,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAC9E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,iBAAiB,EAAE,2BAA2B;SAC/C,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAKD,SAAgB,mBAAmB,CAAC,QAAgB;IAClD,OAAO,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzC,CAAC;AAKD,SAAgB,kBAAkB,CAAC,QAAgB,EAAE,WAAmB;IACtE,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;QAGZ,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACpD,CAAC"}

package/dist/src/oauth/endpoints/token.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response } from "express";
+export declare function tokenHandler(req: Request, res: Response): Promise<void>;

package/dist/src/oauth/endpoints/token.js

@@ -0,0 +1,159 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenHandler = tokenHandler;
+const config_1 = require("../config");
+const session_store_1 = require("../session-store");
+const token_utils_1 = require("../token-utils");
+const gitlab_device_flow_1 = require("../gitlab-device-flow");
+const metadata_1 = require("./metadata");
+const logger_1 = require("../../logger");
+async function tokenHandler(req, res) {
+    const config = (0, config_1.loadOAuthConfig)();
+    if (!config) {
+        sendError(res, 500, "server_error", "OAuth not configured");
+        return;
+    }
+    const { grant_type } = req.body;
+    switch (grant_type) {
+        case "authorization_code":
+            await handleAuthorizationCode(req, res, config);
+            break;
+        case "refresh_token":
+            await handleRefreshToken(req, res, config);
+            break;
+        default:
+            sendError(res, 400, "unsupported_grant_type", `Grant type "${grant_type}" is not supported`);
+    }
+}
+async function handleAuthorizationCode(req, res, config) {
+    const { code, code_verifier, redirect_uri } = req.body;
+    if (!code) {
+        sendError(res, 400, "invalid_request", "Missing authorization code");
+        return;
+    }
+    if (!code_verifier) {
+        sendError(res, 400, "invalid_request", "Missing code_verifier (PKCE required)");
+        return;
+    }
+    const authCode = session_store_1.sessionStore.getAuthCode(code);
+    if (!authCode) {
+        sendError(res, 400, "invalid_grant", "Invalid or expired authorization code");
+        return;
+    }
+    if (Date.now() > authCode.expiresAt) {
+        session_store_1.sessionStore.deleteAuthCode(code);
+        sendError(res, 400, "invalid_grant", "Authorization code has expired");
+        return;
+    }
+    if (!(0, token_utils_1.verifyCodeChallenge)(code_verifier, authCode.codeChallenge, authCode.codeChallengeMethod)) {
+        sendError(res, 400, "invalid_grant", "Invalid code_verifier");
+        return;
+    }
+    if (authCode.redirectUri && redirect_uri !== authCode.redirectUri) {
+        sendError(res, 400, "invalid_grant", "redirect_uri does not match");
+        return;
+    }
+    const session = session_store_1.sessionStore.getSession(authCode.sessionId);
+    if (!session) {
+        sendError(res, 400, "invalid_grant", "Session not found");
+        return;
+    }
+    const baseUrl = (0, metadata_1.getBaseUrl)(req);
+    const accessToken = (0, token_utils_1.createJWT)({
+        iss: baseUrl,
+        sub: session.gitlabUserId.toString(),
+        aud: authCode.clientId,
+        sid: session.id,
+        scope: session.scopes.join(" "),
+        gitlab_user: session.gitlabUsername,
+    }, config.sessionSecret, config.tokenTtl);
+    const refreshToken = (0, token_utils_1.generateRefreshToken)();
+    session_store_1.sessionStore.updateSession(session.id, {
+        mcpAccessToken: accessToken,
+        mcpRefreshToken: refreshToken,
+        mcpTokenExpiry: (0, token_utils_1.calculateTokenExpiry)(config.tokenTtl),
+    });
+    session_store_1.sessionStore.deleteAuthCode(code);
+    logger_1.logger.info({
+        sessionId: session.id.substring(0, 8) + "...",
+        userId: session.gitlabUserId,
+    }, "MCP tokens issued via authorization_code grant");
+    const response = {
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: config.tokenTtl,
+        refresh_token: refreshToken,
+        scope: session.scopes.join(" "),
+    };
+    res.json(response);
+}
+async function handleRefreshToken(req, res, config) {
+    const { refresh_token } = req.body;
+    if (!refresh_token) {
+        sendError(res, 400, "invalid_request", "Missing refresh_token");
+        return;
+    }
+    const session = session_store_1.sessionStore.getSessionByRefreshToken(refresh_token);
+    if (!session) {
+        sendError(res, 400, "invalid_grant", "Invalid refresh token");
+        return;
+    }
+    let updatedSession = session;
+    if ((0, token_utils_1.isTokenExpiringSoon)(session.gitlabTokenExpiry)) {
+        try {
+            const newTokens = await (0, gitlab_device_flow_1.refreshGitLabToken)(session.gitlabRefreshToken, config);
+            session_store_1.sessionStore.updateSession(session.id, {
+                gitlabAccessToken: newTokens.access_token,
+                gitlabRefreshToken: newTokens.refresh_token,
+                gitlabTokenExpiry: (0, token_utils_1.calculateTokenExpiry)(newTokens.expires_in),
+            });
+            const refreshedSession = session_store_1.sessionStore.getSession(session.id);
+            if (!refreshedSession) {
+                sendError(res, 400, "invalid_grant", "Session lost during refresh");
+                return;
+            }
+            updatedSession = refreshedSession;
+            logger_1.logger.debug({ sessionId: session.id.substring(0, 8) + "..." }, "GitLab token refreshed");
+        }
+        catch (error) {
+            logger_1.logger.error({ err: error }, "Failed to refresh GitLab token");
+            sendError(res, 400, "invalid_grant", "Failed to refresh underlying GitLab token");
+            return;
+        }
+    }
+    const baseUrl = (0, metadata_1.getBaseUrl)(req);
+    const accessToken = (0, token_utils_1.createJWT)({
+        iss: baseUrl,
+        sub: updatedSession.gitlabUserId.toString(),
+        aud: updatedSession.clientId,
+        sid: updatedSession.id,
+        scope: updatedSession.scopes.join(" "),
+        gitlab_user: updatedSession.gitlabUsername,
+    }, config.sessionSecret, config.tokenTtl);
+    const newRefreshToken = (0, token_utils_1.generateRefreshToken)();
+    session_store_1.sessionStore.updateSession(updatedSession.id, {
+        mcpAccessToken: accessToken,
+        mcpRefreshToken: newRefreshToken,
+        mcpTokenExpiry: (0, token_utils_1.calculateTokenExpiry)(config.tokenTtl),
+    });
+    logger_1.logger.info({
+        sessionId: updatedSession.id.substring(0, 8) + "...",
+        userId: updatedSession.gitlabUserId,
+    }, "MCP tokens refreshed via refresh_token grant");
+    const response = {
+        access_token: accessToken,
+        token_type: "Bearer",
+        expires_in: config.tokenTtl,
+        refresh_token: newRefreshToken,
+        scope: updatedSession.scopes.join(" "),
+    };
+    res.json(response);
+}
+function sendError(res, status, error, description) {
+    const response = {
+        error,
+        error_description: description,
+    };
+    res.status(status).json(response);
+}
+//# sourceMappingURL=token.js.map

package/dist/src/oauth/endpoints/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../../../src/oauth/endpoints/token.ts"],"names":[],"mappings":";;AAmCA,oCAqBC;AA5CD,sCAAyD;AACzD,oDAAgD;AAChD,gDAMwB;AACxB,8DAA2D;AAC3D,yCAAwC;AACxC,yCAAsC;AAY/B,KAAK,UAAU,YAAY,CAAC,GAAY,EAAE,GAAa;IAC5D,MAAM,MAAM,GAAG,IAAA,wBAAe,GAAE,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,cAAc,EAAE,sBAAsB,CAAC,CAAC;QAC5D,OAAO;IACT,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,IAA+B,CAAC;IAE3D,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,oBAAoB;YACvB,MAAM,uBAAuB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YAChD,MAAM;QAER,KAAK,eAAe;YAClB,MAAM,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YAC3C,MAAM;QAER;YACE,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,wBAAwB,EAAE,eAAe,UAAU,oBAAoB,CAAC,CAAC;IACjG,CAAC;AACH,CAAC;AAQD,KAAK,UAAU,uBAAuB,CACpC,GAAY,EACZ,GAAa,EACb,MAAmB;IAEnB,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,IAIjD,CAAC;IAGF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,iBAAiB,EAAE,4BAA4B,CAAC,CAAC;QACrE,OAAO;IACT,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,iBAAiB,EAAE,uCAAuC,CAAC,CAAC;QAChF,OAAO;IACT,CAAC;IAGD,MAAM,QAAQ,GAAG,4BAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,uCAAuC,CAAC,CAAC;QAC9E,OAAO;IACT,CAAC;IAGD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;QACpC,4BAAY,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAClC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,gCAAgC,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAGD,IAAI,CAAC,IAAA,iCAAmB,EAAC,aAAa,EAAE,QAAQ,CAAC,aAAa,EAAE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC9F,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,uBAAuB,CAAC,CAAC;QAC9D,OAAO;IACT,CAAC;IAGD,IAAI,QAAQ,CAAC,WAAW,IAAI,YAAY,KAAK,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,6BAA6B,CAAC,CAAC;QACpE,OAAO;IACT,CAAC;IAGD,MAAM,OAAO,GAAG,4BAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC5D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAC1D,OAAO;IACT,CAAC;IAGD,MAAM,OAAO,GAAG,IAAA,qBAAU,EAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,WAAW,GAAG,IAAA,uBAAS,EAC3B;QACE,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE;QACpC,GAAG,EAAE,QAAQ,CAAC,QAAQ;QACtB,GAAG,EAAE,OAAO,CAAC,EAAE;QACf,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAC/B,WAAW,EAAE,OAAO,CAAC,cAAc;KACpC,EACD,MAAM,CAAC,aAAa,EACpB,MAAM,CAAC,QAAQ,CAChB,CAAC;IAEF,MAAM,YAAY,GAAG,IAAA,kCAAoB,GAAE,CAAC;IAG5C,4BAAY,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,EAAE;QACrC,cAAc,EAAE,WAAW;QAC3B,eAAe,EAAE,YAAY;QAC7B,cAAc,EAAE,IAAA,kCAAoB,EAAC,MAAM,CAAC,QAAQ,CAAC;KACtD,CAAC,CAAC;IAGH,4BAAY,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAElC,eAAM,CAAC,IAAI,CACT;QACE,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;QAC7C,MAAM,EAAE,OAAO,CAAC,YAAY;KAC7B,EACD,gDAAgD,CACjD,CAAC;IAGF,MAAM,QAAQ,GAAqB;QACjC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,MAAM,CAAC,QAAQ;QAC3B,aAAa,EAAE,YAAY;QAC3B,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;KAChC,CAAC;IAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAQD,KAAK,UAAU,kBAAkB,CAAC,GAAY,EAAE,GAAa,EAAE,MAAmB;IAChF,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAkC,CAAC;IAEjE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;QAChE,OAAO;IACT,CAAC;IAGD,MAAM,OAAO,GAAG,4BAAY,CAAC,wBAAwB,CAAC,aAAa,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,uBAAuB,CAAC,CAAC;QAC9D,OAAO;IACT,CAAC;IAGD,IAAI,cAAc,GAAiB,OAAO,CAAC;IAE3C,IAAI,IAAA,iCAAmB,EAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAA,uCAAkB,EAAC,OAAO,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;YAE/E,4BAAY,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,EAAE;gBACrC,iBAAiB,EAAE,SAAS,CAAC,YAAY;gBACzC,kBAAkB,EAAE,SAAS,CAAC,aAAa;gBAC3C,iBAAiB,EAAE,IAAA,kCAAoB,EAAC,SAAS,CAAC,UAAU,CAAC;aAC9D,CAAC,CAAC;YAGH,MAAM,gBAAgB,GAAG,4BAAY,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC7D,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,6BAA6B,CAAC,CAAC;gBACpE,OAAO;YACT,CAAC;YACD,cAAc,GAAG,gBAAgB,CAAC;YAElC,eAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,EAAE,EAAE,wBAAwB,CAAC,CAAC;QAC5F,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,eAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAc,EAAE,EAAE,gCAAgC,CAAC,CAAC;YACxE,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,2CAA2C,CAAC,CAAC;YAClF,OAAO;QACT,CAAC;IACH,CAAC;IAGD,MAAM,OAAO,GAAG,IAAA,qBAAU,EAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,WAAW,GAAG,IAAA,uBAAS,EAC3B;QACE,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,cAAc,CAAC,YAAY,CAAC,QAAQ,EAAE;QAC3C,GAAG,EAAE,cAAc,CAAC,QAAQ;QAC5B,GAAG,EAAE,cAAc,CAAC,EAAE;QACtB,KAAK,EAAE,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QACtC,WAAW,EAAE,cAAc,CAAC,cAAc;KAC3C,EACD,MAAM,CAAC,aAAa,EACpB,MAAM,CAAC,QAAQ,CAChB,CAAC;IAEF,MAAM,eAAe,GAAG,IAAA,kCAAoB,GAAE,CAAC;IAG/C,4BAAY,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,EAAE;QAC5C,cAAc,EAAE,WAAW;QAC3B,eAAe,EAAE,eAAe;QAChC,cAAc,EAAE,IAAA,kCAAoB,EAAC,MAAM,CAAC,QAAQ,CAAC;KACtD,CAAC,CAAC;IAEH,eAAM,CAAC,IAAI,CACT;QACE,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;QACpD,MAAM,EAAE,cAAc,CAAC,YAAY;KACpC,EACD,8CAA8C,CAC/C,CAAC;IAGF,MAAM,QAAQ,GAAqB;QACjC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,MAAM,CAAC,QAAQ;QAC3B,aAAa,EAAE,eAAe;QAC9B,KAAK,EAAE,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;KACvC,CAAC;IAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAKD,SAAS,SAAS,CAAC,GAAa,EAAE,MAAc,EAAE,KAAa,EAAE,WAAmB;IAClF,MAAM,QAAQ,GAAuB;QACnC,KAAK;QACL,iBAAiB,EAAE,WAAW;KAC/B,CAAC;IACF,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACpC,CAAC"}

package/dist/src/oauth/gitlab-device-flow.d.ts

@@ -0,0 +1,10 @@
+import { OAuthConfig } from "./config";
+import { GitLabDeviceResponse, GitLabTokenResponse, GitLabUserInfo } from "./types";
+export declare function initiateDeviceFlow(config: OAuthConfig): Promise<GitLabDeviceResponse>;
+export declare function pollDeviceFlowOnce(deviceCode: string, config: OAuthConfig): Promise<GitLabTokenResponse | null>;
+export declare function pollForToken(deviceCode: string, config: OAuthConfig, onPending?: () => void): Promise<GitLabTokenResponse>;
+export declare function refreshGitLabToken(refreshToken: string, config: OAuthConfig): Promise<GitLabTokenResponse>;
+export declare function getGitLabUser(accessToken: string): Promise<GitLabUserInfo>;
+export declare function validateGitLabToken(accessToken: string): Promise<boolean>;
+export declare function exchangeGitLabAuthCode(code: string, redirectUri: string, config: OAuthConfig): Promise<GitLabTokenResponse>;
+export declare function buildGitLabAuthUrl(config: OAuthConfig, redirectUri: string, state: string): string;

package/dist/src/oauth/gitlab-device-flow.js

@@ -0,0 +1,215 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initiateDeviceFlow = initiateDeviceFlow;
+exports.pollDeviceFlowOnce = pollDeviceFlowOnce;
+exports.pollForToken = pollForToken;
+exports.refreshGitLabToken = refreshGitLabToken;
+exports.getGitLabUser = getGitLabUser;
+exports.validateGitLabToken = validateGitLabToken;
+exports.exchangeGitLabAuthCode = exchangeGitLabAuthCode;
+exports.buildGitLabAuthUrl = buildGitLabAuthUrl;
+const config_1 = require("../config");
+const logger_1 = require("../logger");
+async function initiateDeviceFlow(config) {
+    const url = `${config_1.GITLAB_BASE_URL}/oauth/authorize_device`;
+    logger_1.logger.debug({ url, clientId: config.gitlabClientId }, "Initiating GitLab device flow");
+    const scopes = config.gitlabScopes.replace(/,/g, " ");
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: new URLSearchParams({
+            client_id: config.gitlabClientId,
+            scope: scopes,
+        }),
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        logger_1.logger.error({ status: response.status, error: errorText }, "Failed to initiate device flow");
+        throw new Error(`Failed to initiate device flow: ${response.status} ${errorText}`);
+    }
+    const data = (await response.json());
+    logger_1.logger.info({
+        userCode: data.user_code,
+        verificationUri: data.verification_uri,
+        expiresIn: data.expires_in,
+    }, "Device flow initiated");
+    return data;
+}
+async function pollDeviceFlowOnce(deviceCode, config) {
+    const url = `${config_1.GITLAB_BASE_URL}/oauth/token`;
+    const params = {
+        client_id: config.gitlabClientId,
+        device_code: deviceCode,
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+    };
+    if (config.gitlabClientSecret) {
+        params.client_secret = config.gitlabClientSecret;
+    }
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: new URLSearchParams(params),
+    });
+    if (response.ok) {
+        const data = (await response.json());
+        logger_1.logger.info("Device flow authorization completed successfully");
+        return data;
+    }
+    const error = (await response.json());
+    switch (error.error) {
+        case "authorization_pending":
+            return null;
+        case "slow_down":
+            logger_1.logger.debug("Device flow: slow_down received, should increase poll interval");
+            return null;
+        case "expired_token":
+            throw new Error("Device code expired. Please start a new authorization.");
+        case "access_denied":
+            throw new Error("User denied the authorization request.");
+        case "invalid_grant":
+            throw new Error("Invalid device code or grant.");
+        default:
+            throw new Error(`Device flow error: ${error.error_description ?? error.error}`);
+    }
+}
+async function pollForToken(deviceCode, config, onPending) {
+    const startTime = Date.now();
+    const timeout = config.deviceTimeout * 1000;
+    let interval = config.devicePollInterval * 1000;
+    while (Date.now() - startTime < timeout) {
+        await sleep(interval);
+        try {
+            const result = await pollDeviceFlowOnce(deviceCode, config);
+            if (result) {
+                return result;
+            }
+            onPending?.();
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                if (error.message.includes("expired") ||
+                    error.message.includes("denied") ||
+                    error.message.includes("invalid")) {
+                    throw error;
+                }
+            }
+            logger_1.logger.warn({ err: error }, "Device flow poll error, will retry");
+        }
+    }
+    throw new Error(`Device flow timeout after ${config.deviceTimeout} seconds`);
+}
+async function refreshGitLabToken(refreshToken, config) {
+    const url = `${config_1.GITLAB_BASE_URL}/oauth/token`;
+    const params = {
+        client_id: config.gitlabClientId,
+        refresh_token: refreshToken,
+        grant_type: "refresh_token",
+    };
+    if (config.gitlabClientSecret) {
+        params.client_secret = config.gitlabClientSecret;
+    }
+    logger_1.logger.debug("Refreshing GitLab token");
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: new URLSearchParams(params),
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        logger_1.logger.error({ status: response.status, error: errorText }, "Failed to refresh GitLab token");
+        throw new Error(`Failed to refresh token: ${response.status} ${errorText}`);
+    }
+    const data = (await response.json());
+    logger_1.logger.info("GitLab token refreshed successfully");
+    return data;
+}
+async function getGitLabUser(accessToken) {
+    const url = `${config_1.GITLAB_BASE_URL}/api/v4/user`;
+    const response = await fetch(url, {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/json",
+        },
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        logger_1.logger.error({ status: response.status, error: errorText }, "Failed to get GitLab user info");
+        throw new Error(`Failed to get GitLab user info: ${response.status}`);
+    }
+    const user = (await response.json());
+    logger_1.logger.debug({ userId: user.id, username: user.username }, "Retrieved GitLab user info");
+    return {
+        id: user.id,
+        username: user.username,
+        name: user.name,
+        email: user.email,
+    };
+}
+async function validateGitLabToken(accessToken) {
+    try {
+        const url = `${config_1.GITLAB_BASE_URL}/api/v4/user`;
+        const response = await fetch(url, {
+            method: "HEAD",
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+            },
+        });
+        return response.ok;
+    }
+    catch {
+        return false;
+    }
+}
+async function exchangeGitLabAuthCode(code, redirectUri, config) {
+    const url = `${config_1.GITLAB_BASE_URL}/oauth/token`;
+    const params = {
+        client_id: config.gitlabClientId,
+        code: code,
+        grant_type: "authorization_code",
+        redirect_uri: redirectUri,
+    };
+    if (config.gitlabClientSecret) {
+        params.client_secret = config.gitlabClientSecret;
+    }
+    logger_1.logger.debug({ redirectUri }, "Exchanging GitLab authorization code for tokens");
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: new URLSearchParams(params),
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        logger_1.logger.error({ status: response.status, error: errorText }, "Failed to exchange GitLab auth code");
+        throw new Error(`Failed to exchange authorization code: ${response.status} ${errorText}`);
+    }
+    const data = (await response.json());
+    logger_1.logger.info("GitLab authorization code exchanged successfully");
+    return data;
+}
+function buildGitLabAuthUrl(config, redirectUri, state) {
+    const scopes = config.gitlabScopes.replace(/,/g, " ");
+    const params = new URLSearchParams({
+        client_id: config.gitlabClientId,
+        redirect_uri: redirectUri,
+        response_type: "code",
+        state: state,
+        scope: scopes,
+    });
+    return `${config_1.GITLAB_BASE_URL}/oauth/authorize?${params.toString()}`;
+}
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=gitlab-device-flow.js.map

package/dist/src/oauth/gitlab-device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitlab-device-flow.js","sourceRoot":"","sources":["../../../src/oauth/gitlab-device-flow.ts"],"names":[],"mappings":";;AA6CA,gDAsCC;AAaD,gDA0DC;AAcD,oCAwCC;AAaD,gDAqCC;AAWD,sCA0BC;AAUD,kDAeC;AAaD,wDA0CC;AAYD,gDAiBC;AA1YD,sCAA4C;AAG5C,sCAAmC;AAgC5B,KAAK,UAAU,kBAAkB,CAAC,MAAmB;IAC1D,MAAM,GAAG,GAAG,GAAG,wBAAe,yBAAyB,CAAC;IAExD,eAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,cAAc,EAAE,EAAE,+BAA+B,CAAC,CAAC;IAGxF,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,SAAS,EAAE,MAAM,CAAC,cAAc;YAChC,KAAK,EAAE,MAAM;SACd,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC9F,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB,CAAC;IAE7D,eAAM,CAAC,IAAI,CACT;QACE,QAAQ,EAAE,IAAI,CAAC,SAAS;QACxB,eAAe,EAAE,IAAI,CAAC,gBAAgB;QACtC,SAAS,EAAE,IAAI,CAAC,UAAU;KAC3B,EACD,uBAAuB,CACxB,CAAC;IAEF,OAAO,IAAI,CAAC;AACd,CAAC;AAaM,KAAK,UAAU,kBAAkB,CACtC,UAAkB,EAClB,MAAmB;IAEnB,MAAM,GAAG,GAAG,GAAG,wBAAe,cAAc,CAAC;IAE7C,MAAM,MAAM,GAA2B;QACrC,SAAS,EAAE,MAAM,CAAC,cAAc;QAChC,WAAW,EAAE,UAAU;QACvB,UAAU,EAAE,8CAA8C;KAC3D,CAAC;IAGF,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,kBAAkB,CAAC;IACnD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,eAAe,CAAC,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;QAC5D,eAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAGD,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAEjE,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,KAAK,uBAAuB;YAE1B,OAAO,IAAI,CAAC;QAEd,KAAK,WAAW;YAGd,eAAM,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;YAC/E,OAAO,IAAI,CAAC;QAEd,KAAK,eAAe;YAClB,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAE5E,KAAK,eAAe;YAClB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAE5D,KAAK,eAAe;YAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAEnD;YACE,MAAM,IAAI,KAAK,CAAC,sBAAsB,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IACpF,CAAC;AACH,CAAC;AAcM,KAAK,UAAU,YAAY,CAChC,UAAkB,EAClB,MAAmB,EACnB,SAAsB;IAEtB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;IAC5C,IAAI,QAAQ,GAAG,MAAM,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAEhD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,OAAO,EAAE,CAAC;QAExC,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAE5D,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,CAAC;YAChB,CAAC;YAGD,SAAS,EAAE,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAEf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC3B,IACE,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACjC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EACjC,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YAGD,eAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAc,EAAE,EAAE,oCAAoC,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,aAAa,UAAU,CAAC,CAAC;AAC/E,CAAC;AAaM,KAAK,UAAU,kBAAkB,CACtC,YAAoB,EACpB,MAAmB;IAEnB,MAAM,GAAG,GAAG,GAAG,wBAAe,cAAc,CAAC;IAE7C,MAAM,MAAM,GAA2B;QACrC,SAAS,EAAE,MAAM,CAAC,cAAc;QAChC,aAAa,EAAE,YAAY;QAC3B,UAAU,EAAE,eAAe;KAC5B,CAAC;IAGF,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,kBAAkB,CAAC;IACnD,CAAC;IAED,eAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAExC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,eAAe,CAAC,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC9F,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;IAC5D,eAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC;AACd,CAAC;AAWM,KAAK,UAAU,aAAa,CAAC,WAAmB;IACrD,MAAM,GAAG,GAAG,GAAG,wBAAe,cAAc,CAAC;IAE7C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,MAAM,EAAE,kBAAkB;SAC3B;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC9F,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmB,CAAC;IAEvD,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,4BAA4B,CAAC,CAAC;IAEzF,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC;AACJ,CAAC;AAUM,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IAC3D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,GAAG,wBAAe,cAAc,CAAC;QAE7C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,WAAW,EAAE;aACvC;SACF,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC,EAAE,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAaM,KAAK,UAAU,sBAAsB,CAC1C,IAAY,EACZ,WAAmB,EACnB,MAAmB;IAEnB,MAAM,GAAG,GAAG,GAAG,wBAAe,cAAc,CAAC;IAE7C,MAAM,MAAM,GAA2B;QACrC,SAAS,EAAE,MAAM,CAAC,cAAc;QAChC,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,oBAAoB;QAChC,YAAY,EAAE,WAAW;KAC1B,CAAC;IAGF,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,kBAAkB,CAAC;IACnD,CAAC;IAED,eAAM,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,EAAE,iDAAiD,CAAC,CAAC;IAEjF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,eAAe,CAAC,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,eAAM,CAAC,KAAK,CACV,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,EAC7C,qCAAqC,CACtC,CAAC;QACF,MAAM,IAAI,KAAK,CAAC,0CAA0C,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;IAC5D,eAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;IAChE,OAAO,IAAI,CAAC;AACd,CAAC;AAYD,SAAgB,kBAAkB,CAChC,MAAmB,EACnB,WAAmB,EACnB,KAAa;IAGb,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAEtD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,cAAc;QAChC,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,KAAK;QACZ,KAAK,EAAE,MAAM;KACd,CAAC,CAAC;IAEH,OAAO,GAAG,wBAAe,oBAAoB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AACnE,CAAC;AAKD,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/src/oauth/index.d.ts

@@ -0,0 +1,10 @@
+export { loadOAuthConfig, validateStaticConfig, isOAuthEnabled, getAuthModeDescription, resetOAuthConfigCache, } from "./config";
+export type { OAuthConfig } from "./config";
+export type { OAuthSession, AuthCodeFlowState, DeviceFlowState, AuthorizationCode, GitLabTokenResponse, GitLabDeviceResponse, TokenContext, GitLabUserInfo, MCPTokenResponse, OAuthErrorResponse, DeviceFlowPollStatus, DeviceFlowPollResponse, MCPTokenPayload, } from "./types";
+export { sessionStore, SessionStore } from "./session-store";
+export { createStorageBackend, getStorageType, validateStorageConfig, MemoryStorageBackend, FileStorageBackend, PostgreSQLStorageBackend, STORAGE_DATA_VERSION, } from "./storage";
+export type { SessionStorageBackend, StorageConfig, SessionStorageStats, StorageData, } from "./storage";
+export { runWithTokenContext, getTokenContext, getGitLabTokenFromContext, getGitLabUserIdFromContext, getGitLabUsernameFromContext, getSessionIdFromContext, isInOAuthContext, } from "./token-context";
+export { createJWT, verifyJWT, verifyMCPToken, generateCodeVerifier, generateCodeChallenge, verifyCodeChallenge, generateRandomString, generateUUID, generateAuthorizationCode, generateSessionId, generateRefreshToken, isTokenExpiringSoon, calculateTokenExpiry, } from "./token-utils";
+export { initiateDeviceFlow, pollDeviceFlowOnce, pollForToken, refreshGitLabToken, getGitLabUser, validateGitLabToken, exchangeGitLabAuthCode, buildGitLabAuthUrl, } from "./gitlab-device-flow";
+export { metadataHandler, healthHandler, protectedResourceHandler, getBaseUrl, authorizeHandler, pollHandler, callbackHandler, tokenHandler, registerHandler, getRegisteredClient, isValidRedirectUri, } from "./endpoints/index";