@workglow/util 0.0.110 → 0.0.113

package/dist/bun.js

@@ -2570,6 +2570,450 @@ function base64ToBuf(b64) {
   }
   return buf;
 }
+// src/mcp/McpAuthTypes.ts
+var mcpAuthTypes = [
+  "none",
+  "bearer",
+  "client_credentials",
+  "private_key_jwt",
+  "static_private_key_jwt",
+  "authorization_code"
+];
+var mcpAuthConfigSchema = {
+  auth_type: {
+    type: "string",
+    enum: mcpAuthTypes,
+    title: "Auth Type",
+    description: "Authentication method for connecting to the MCP server",
+    default: "none"
+  },
+  auth_token: {
+    type: "string",
+    format: "credential",
+    title: "Bearer Token",
+    description: "Static bearer token or API key (for bearer auth)"
+  },
+  auth_client_id: {
+    type: "string",
+    title: "Client ID",
+    description: "OAuth client ID (for OAuth auth types)"
+  },
+  auth_client_secret: {
+    type: "string",
+    format: "credential",
+    title: "Client Secret",
+    description: "OAuth client secret (for client_credentials auth)"
+  },
+  auth_private_key: {
+    type: "string",
+    format: "credential",
+    title: "Private Key",
+    description: "PEM or JWK private key (for private_key_jwt auth)"
+  },
+  auth_algorithm: {
+    type: "string",
+    title: "Algorithm",
+    description: "JWT signing algorithm, e.g. RS256, ES256 (for private_key_jwt auth)"
+  },
+  auth_jwt_bearer_assertion: {
+    type: "string",
+    format: "credential",
+    title: "JWT Assertion",
+    description: "Pre-built JWT assertion (for static_private_key_jwt auth)"
+  },
+  auth_redirect_url: {
+    type: "string",
+    format: "uri",
+    title: "Redirect URL",
+    description: "OAuth redirect URL (for authorization_code auth)"
+  },
+  auth_scope: {
+    type: "string",
+    title: "Scope",
+    description: "OAuth scope (space-separated)"
+  },
+  auth_client_name: {
+    type: "string",
+    title: "Client Name",
+    description: "Optional OAuth client display name"
+  },
+  auth_jwt_lifetime_seconds: {
+    type: "number",
+    title: "JWT Lifetime",
+    description: "JWT lifetime in seconds (default: 300)",
+    minimum: 1
+  }
+};
+function isMcpAuthType(value) {
+  return typeof value === "string" && mcpAuthTypes.includes(value);
+}
+function asNonEmptyString(value) {
+  if (typeof value !== "string")
+    return;
+  const trimmed = value.trim();
+  return trimmed === "" ? undefined : trimmed;
+}
+function asNumber(value) {
+  return typeof value === "number" ? value : undefined;
+}
+function buildAuthConfig(flat) {
+  const rawAuthType = flat.auth_type;
+  if (!isMcpAuthType(rawAuthType) || rawAuthType === "none") {
+    return;
+  }
+  const authType = rawAuthType;
+  switch (authType) {
+    case "bearer": {
+      const token = asNonEmptyString(flat.auth_token);
+      if (!token)
+        return;
+      return { type: "bearer", token };
+    }
+    case "client_credentials": {
+      const client_id = asNonEmptyString(flat.auth_client_id);
+      const client_secret = asNonEmptyString(flat.auth_client_secret);
+      if (!client_id || !client_secret)
+        return;
+      return {
+        type: "client_credentials",
+        client_id,
+        client_secret,
+        client_name: asNonEmptyString(flat.auth_client_name),
+        scope: asNonEmptyString(flat.auth_scope)
+      };
+    }
+    case "private_key_jwt": {
+      const client_id = asNonEmptyString(flat.auth_client_id);
+      const private_key = asNonEmptyString(flat.auth_private_key);
+      const algorithm = asNonEmptyString(flat.auth_algorithm);
+      if (!client_id || !private_key || !algorithm)
+        return;
+      return {
+        type: "private_key_jwt",
+        client_id,
+        private_key,
+        algorithm,
+        client_name: asNonEmptyString(flat.auth_client_name),
+        jwt_lifetime_seconds: asNumber(flat.auth_jwt_lifetime_seconds),
+        scope: asNonEmptyString(flat.auth_scope)
+      };
+    }
+    case "static_private_key_jwt": {
+      const client_id = asNonEmptyString(flat.auth_client_id);
+      const jwt_bearer_assertion = asNonEmptyString(flat.auth_jwt_bearer_assertion);
+      if (!client_id || !jwt_bearer_assertion)
+        return;
+      return {
+        type: "static_private_key_jwt",
+        client_id,
+        jwt_bearer_assertion,
+        client_name: asNonEmptyString(flat.auth_client_name),
+        scope: asNonEmptyString(flat.auth_scope)
+      };
+    }
+    case "authorization_code": {
+      const client_id = asNonEmptyString(flat.auth_client_id);
+      const redirect_url = asNonEmptyString(flat.auth_redirect_url);
+      if (!client_id || !redirect_url)
+        return;
+      return {
+        type: "authorization_code",
+        client_id,
+        client_secret: asNonEmptyString(flat.auth_client_secret),
+        redirect_url,
+        scope: asNonEmptyString(flat.auth_scope)
+      };
+    }
+    default:
+      return;
+  }
+}
+// src/mcp/McpAuthProvider.ts
+import {
+  ClientCredentialsProvider,
+  PrivateKeyJwtProvider,
+  StaticPrivateKeyJwtProvider,
+  createPrivateKeyJwtAuth
+} from "@modelcontextprotocol/sdk/client/auth-extensions.js";
+function normalizeServerUrl(serverUrl) {
+  try {
+    const u = new URL(serverUrl);
+    return u.origin + u.pathname.replace(/\/+$/, "");
+  } catch {
+    return serverUrl;
+  }
+}
+function storeKey(serverUrl, suffix) {
+  return `mcp:oauth:${normalizeServerUrl(serverUrl)}:${suffix}`;
+}
+
+class CredentialStoreOAuthProvider {
+  store;
+  serverUrl;
+  _clientMetadata;
+  _redirectUrl;
+  _initialClientInfo;
+  prepareTokenRequest;
+  addClientAuthentication;
+  constructor(options) {
+    this.store = options.store;
+    this.serverUrl = options.serverUrl;
+    this._clientMetadata = options.clientMetadata;
+    this._redirectUrl = options.redirectUrl;
+    this._initialClientInfo = options.initialClientInfo;
+    if (options.prepareTokenRequest) {
+      this.prepareTokenRequest = options.prepareTokenRequest;
+    }
+    if (options.addClientAuthentication) {
+      this.addClientAuthentication = options.addClientAuthentication;
+    }
+  }
+  get redirectUrl() {
+    return this._redirectUrl;
+  }
+  get clientMetadata() {
+    return this._clientMetadata;
+  }
+  async clientInformation() {
+    const raw = await this.store.get(storeKey(this.serverUrl, "client_info"));
+    if (!raw)
+      return this._initialClientInfo;
+    return JSON.parse(raw);
+  }
+  async saveClientInformation(info) {
+    await this.store.put(storeKey(this.serverUrl, "client_info"), JSON.stringify(info));
+  }
+  async tokens() {
+    const raw = await this.store.get(storeKey(this.serverUrl, "tokens"));
+    if (!raw)
+      return;
+    return JSON.parse(raw);
+  }
+  async saveTokens(tokens) {
+    const expiresAt = tokens.expires_in != null ? new Date(Date.now() + tokens.expires_in * 1000) : undefined;
+    await this.store.put(storeKey(this.serverUrl, "tokens"), JSON.stringify(tokens), {
+      expiresAt
+    });
+  }
+  async redirectToAuthorization(authorizationUrl) {
+    throw new Error(`MCP OAuth authorization required. ` + `Open this URL to authorize: ${authorizationUrl.toString()}`);
+  }
+  async saveCodeVerifier(codeVerifier) {
+    await this.store.put(storeKey(this.serverUrl, "code_verifier"), codeVerifier);
+  }
+  async codeVerifier() {
+    const v = await this.store.get(storeKey(this.serverUrl, "code_verifier"));
+    if (!v)
+      throw new Error("No code verifier saved for this session");
+    return v;
+  }
+  async saveDiscoveryState(state) {
+    await this.store.put(storeKey(this.serverUrl, "discovery"), JSON.stringify(state));
+  }
+  async discoveryState() {
+    const raw = await this.store.get(storeKey(this.serverUrl, "discovery"));
+    if (!raw)
+      return;
+    return JSON.parse(raw);
+  }
+  async invalidateCredentials(scope) {
+    const deleteKey = async (suffix) => {
+      await this.store.delete(storeKey(this.serverUrl, suffix));
+    };
+    switch (scope) {
+      case "all":
+        await deleteKey("tokens");
+        await deleteKey("client_info");
+        await deleteKey("code_verifier");
+        await deleteKey("discovery");
+        break;
+      case "client":
+        await deleteKey("client_info");
+        break;
+      case "tokens":
+        await deleteKey("tokens");
+        break;
+      case "verifier":
+        await deleteKey("code_verifier");
+        break;
+      case "discovery":
+        await deleteKey("discovery");
+        break;
+    }
+  }
+}
+function createAuthProvider(auth, serverUrl, credentialStore) {
+  switch (auth.type) {
+    case "none":
+    case "bearer":
+      return;
+    case "client_credentials": {
+      if (!credentialStore) {
+        return new ClientCredentialsProvider({
+          clientId: auth.client_id,
+          clientSecret: auth.client_secret,
+          clientName: auth.client_name,
+          scope: auth.scope
+        });
+      }
+      const prepareTokenRequest = (scope) => {
+        const params = new URLSearchParams({ grant_type: "client_credentials" });
+        const effectiveScope = scope ?? auth.scope;
+        if (effectiveScope)
+          params.set("scope", effectiveScope);
+        return params;
+      };
+      return new CredentialStoreOAuthProvider({
+        store: credentialStore,
+        serverUrl,
+        clientMetadata: {
+          redirect_uris: [],
+          grant_types: ["client_credentials"],
+          token_endpoint_auth_method: "client_secret_basic",
+          client_name: auth.client_name
+        },
+        initialClientInfo: {
+          client_id: auth.client_id,
+          client_secret: auth.client_secret
+        },
+        prepareTokenRequest
+      });
+    }
+    case "private_key_jwt": {
+      if (!credentialStore) {
+        return new PrivateKeyJwtProvider({
+          clientId: auth.client_id,
+          privateKey: auth.private_key,
+          algorithm: auth.algorithm,
+          clientName: auth.client_name,
+          jwtLifetimeSeconds: auth.jwt_lifetime_seconds,
+          scope: auth.scope
+        });
+      }
+      const addClientAuth = createPrivateKeyJwtAuth({
+        issuer: auth.client_id,
+        subject: auth.client_id,
+        privateKey: auth.private_key,
+        alg: auth.algorithm,
+        lifetimeSeconds: auth.jwt_lifetime_seconds
+      });
+      const prepareTokenRequest = (scope) => {
+        const params = new URLSearchParams({ grant_type: "client_credentials" });
+        const effectiveScope = scope ?? auth.scope;
+        if (effectiveScope)
+          params.set("scope", effectiveScope);
+        return params;
+      };
+      return new CredentialStoreOAuthProvider({
+        store: credentialStore,
+        serverUrl,
+        clientMetadata: {
+          redirect_uris: [],
+          grant_types: ["client_credentials"],
+          token_endpoint_auth_method: "private_key_jwt",
+          client_name: auth.client_name
+        },
+        initialClientInfo: { client_id: auth.client_id },
+        prepareTokenRequest,
+        addClientAuthentication: addClientAuth
+      });
+    }
+    case "static_private_key_jwt": {
+      if (!credentialStore) {
+        return new StaticPrivateKeyJwtProvider({
+          clientId: auth.client_id,
+          jwtBearerAssertion: auth.jwt_bearer_assertion,
+          clientName: auth.client_name,
+          scope: auth.scope
+        });
+      }
+      const assertion = auth.jwt_bearer_assertion;
+      const addClientAuth = (_headers, params) => {
+        params.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
+        params.set("client_assertion", assertion);
+      };
+      const prepareTokenRequest = (scope) => {
+        const params = new URLSearchParams({ grant_type: "client_credentials" });
+        const effectiveScope = scope ?? auth.scope;
+        if (effectiveScope)
+          params.set("scope", effectiveScope);
+        return params;
+      };
+      return new CredentialStoreOAuthProvider({
+        store: credentialStore,
+        serverUrl,
+        clientMetadata: {
+          redirect_uris: [],
+          grant_types: ["client_credentials"],
+          token_endpoint_auth_method: "private_key_jwt",
+          client_name: auth.client_name
+        },
+        initialClientInfo: { client_id: auth.client_id },
+        prepareTokenRequest,
+        addClientAuthentication: addClientAuth
+      });
+    }
+    case "authorization_code": {
+      if (!credentialStore) {
+        throw new Error("authorization_code auth requires a credential store for token persistence");
+      }
+      return new CredentialStoreOAuthProvider({
+        store: credentialStore,
+        serverUrl,
+        clientMetadata: {
+          redirect_uris: [auth.redirect_url],
+          grant_types: ["authorization_code", "refresh_token"],
+          token_endpoint_auth_method: auth.client_secret ? "client_secret_basic" : "none",
+          scope: auth.scope
+        },
+        initialClientInfo: {
+          client_id: auth.client_id,
+          ...auth.client_secret ? { client_secret: auth.client_secret } : {}
+        },
+        redirectUrl: auth.redirect_url
+      });
+    }
+    default:
+      return;
+  }
+}
+async function resolveAuthSecrets(auth, credentialStore) {
+  if (auth.type === "none")
+    return auth;
+  const store = credentialStore ?? getGlobalCredentialStore();
+  async function resolve(value) {
+    if (!value)
+      return value;
+    const resolved = await store.get(value);
+    return resolved ?? value;
+  }
+  switch (auth.type) {
+    case "bearer":
+      return { ...auth, token: await resolve(auth.token) ?? auth.token };
+    case "client_credentials":
+      return {
+        ...auth,
+        client_secret: await resolve(auth.client_secret) ?? auth.client_secret
+      };
+    case "private_key_jwt":
+      return {
+        ...auth,
+        private_key: await resolve(auth.private_key) ?? auth.private_key
+      };
+    case "static_private_key_jwt":
+      return {
+        ...auth,
+        jwt_bearer_assertion: await resolve(auth.jwt_bearer_assertion) ?? auth.jwt_bearer_assertion
+      };
+    case "authorization_code":
+      return {
+        ...auth,
+        client_secret: await resolve(auth.client_secret)
+      };
+    default:
+      return auth;
+  }
+}
 // src/compress/compress.node.ts
 import { promisify } from "util";
 import zlib from "zlib";
@@ -2624,12 +3068,24 @@ var mcpServerConfigSchema = {
     additionalProperties: { type: "string" },
     title: "Environment",
     description: "Environment variables (for stdio transport)"
-  }
+  },
+  ...mcpAuthConfigSchema
 };
 async function createMcpClient(config, signal) {
   let transport;
+  let auth = config.auth ?? buildAuthConfig({ ...config });
+  if (auth && auth.type !== "none") {
+    auth = await resolveAuthSecrets(auth, getGlobalCredentialStore());
+  }
+  const authProvider = auth && auth.type !== "none" && auth.type !== "bearer" ? createAuthProvider(auth, config.server_url ?? "", getGlobalCredentialStore()) : undefined;
+  const headers = {
+    ...auth?.type === "bearer" ? { Authorization: `Bearer ${auth.token}` } : {}
+  };
   switch (config.transport) {
     case "stdio":
+      if (auth && auth.type !== "none") {
+        getLogger().warn("MCP auth is not supported for stdio transport; auth config ignored. " + "Use env vars to pass credentials to stdio servers.");
+      }
       transport = new StdioClientTransport({
         command: config.command,
         args: config.args,
@@ -2637,11 +3093,17 @@ async function createMcpClient(config, signal) {
       });
       break;
     case "sse": {
-      transport = new SSEClientTransport(new URL(config.server_url));
+      transport = new SSEClientTransport(new URL(config.server_url), {
+        authProvider,
+        requestInit: { headers }
+      });
       break;
     }
     case "streamable-http": {
-      transport = new StreamableHTTPClientTransport(new URL(config.server_url));
+      transport = new StreamableHTTPClientTransport(new URL(config.server_url), {
+        authProvider,
+        requestInit: { headers }
+      });
       break;
     }
     default:
@@ -2717,6 +3179,7 @@ export {
   setGlobalCredentialStore,
   serialize,
   resolveCredential,
+  resolveAuthSecrets,
   registerInputResolver,
   parsePartialJson,
   parseDataUri,
@@ -2727,6 +3190,8 @@ export {
   mcpTransportTypes,
   mcpServerConfigSchema,
   mcpClientFactory,
+  mcpAuthTypes,
+  mcpAuthConfigSchema,
   makeFingerprint,
   magnitude,
   jaccardSimilarity,
@@ -2748,11 +3213,13 @@ export {
   createTypedArrayFrom,
   createServiceToken,
   createMcpClient,
+  createAuthProvider,
   cosineSimilarity,
   convertImageDataToUseableForm,
   compress,
   compileSchema,
   collectPropertyValues,
+  buildAuthConfig,
   bufToBase64,
   base64ToBuf,
   areSemanticallyCompatible,
@@ -2779,6 +3246,7 @@ export {
   DirectedGraph,
   DirectedAcyclicGraph,
   CycleError,
+  CredentialStoreOAuthProvider,
   Container,
   ConsoleLogger,
   ChainedCredentialStore,
@@ -2786,4 +3254,4 @@ export {
   BaseError
 };
 
-//# debugId=F0DE5778034FC8FD64756E2164756E21
+//# debugId=D6D92D7A74A232E064756E2164756E21