actor-gate 0.1.0

package/src/core/services/revocation-policy.js

@@ -0,0 +1,51 @@
+export function shouldValidateSession(input) {
+    if (input.sessionMode === 'stateless') {
+        return false;
+    }
+    if (input.sessionMode === 'stateful') {
+        return true;
+    }
+    return input.hasSessionAdapter;
+}
+export function shouldCheckAccessTokenRevocation(input) {
+    if (!input.hasRevocationAdapter) {
+        return false;
+    }
+    return input.revocationGuarantee !== 'ttl_only';
+}
+function shouldUseBoundedCache(input) {
+    return (input.nowUnix - input.entry.checkedAtUnix <
+        input.boundedRevocationCacheSeconds);
+}
+export function createRevocationDecisionEngine() {
+    const boundedCache = new Map();
+    return {
+        async isAccessTokenRevoked({ jti, nowUnix, revocationGuarantee, boundedRevocationCacheSeconds, accessTokenRevocationAdapter, }) {
+            if (!shouldCheckAccessTokenRevocation({
+                revocationGuarantee,
+                hasRevocationAdapter: accessTokenRevocationAdapter !== undefined,
+            }) ||
+                !accessTokenRevocationAdapter) {
+                return false;
+            }
+            if (revocationGuarantee === 'strict') {
+                return accessTokenRevocationAdapter.isRevoked(jti);
+            }
+            const cached = boundedCache.get(jti);
+            if (cached &&
+                shouldUseBoundedCache({
+                    nowUnix,
+                    boundedRevocationCacheSeconds,
+                    entry: cached,
+                })) {
+                return cached.revoked;
+            }
+            const revoked = await accessTokenRevocationAdapter.isRevoked(jti);
+            boundedCache.set(jti, {
+                checkedAtUnix: nowUnix,
+                revoked,
+            });
+            return revoked;
+        },
+    };
+}

package/src/core/sessions/client-session.d.ts

@@ -0,0 +1,7 @@
+import type { AuthActor, ClientSession, SessionRecord } from '../types/auth-contract';
+export declare function buildClientSession<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>>(input: {
+    session: SessionRecord<TSessionId, TUserId, TActor, TServerSessionData>;
+    buildClientSessionData?: (input: {
+        session: SessionRecord<TSessionId, TUserId, TActor, TServerSessionData>;
+    }) => TClientSessionData;
+}): ClientSession<TSessionId, TUserId, TActor, TClientSessionData>;

package/src/core/sessions/client-session.js

@@ -0,0 +1,18 @@
+export function buildClientSession(input) {
+    const clientSession = {
+        sessionId: input.session.sessionId,
+        userId: input.session.userId,
+        actor: input.session.actor,
+        issuedAt: input.session.issuedAt,
+        expiresAt: input.session.expiresAt,
+    };
+    if (input.session.clientId !== undefined) {
+        clientSession.clientId = input.session.clientId;
+    }
+    if (input.buildClientSessionData) {
+        clientSession.clientSessionData = input.buildClientSessionData({
+            session: input.session,
+        });
+    }
+    return clientSession;
+}

package/src/core/tokens/access-claims.d.ts

@@ -0,0 +1,21 @@
+import type { IdCodec } from '../ids/id-codec';
+import type { AccessClaims, AuthActor, SessionRecord } from '../types/auth-contract';
+export declare const DEFAULT_TOKEN_CLAIMS_VERSION = 1;
+export type BuildAccessClaimsInput<TSessionId, TUserId, TActor extends AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = {
+    session: SessionRecord<TSessionId, TUserId, TActor, TServerSessionData>;
+    sessionIdCodec: IdCodec<TSessionId>;
+    userIdCodec: IdCodec<TUserId>;
+    audience: string;
+    accessTokenTtlSeconds: number;
+    tokenClaimsVersion?: number;
+    nowUnix?: number;
+    jtiFactory?: () => string;
+    buildExtClaims?: (input: {
+        session: SessionRecord<TSessionId, TUserId, TActor, TServerSessionData>;
+    }) => TExtClaims;
+};
+export declare function buildAccessClaims<TSessionId, TUserId, TActor extends AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>>(input: BuildAccessClaimsInput<TSessionId, TUserId, TActor, TServerSessionData, TExtClaims>): AccessClaims<TActor, TExtClaims>;
+export declare function parseAccessClaims<TActor extends AuthActor = AuthActor, TExtClaims extends Record<string, unknown> = Record<string, never>>(input: {
+    claims: unknown;
+    tokenClaimsVersion?: number;
+}): AccessClaims<TActor, TExtClaims>;

package/src/core/tokens/access-claims.js

@@ -0,0 +1,128 @@
+import { randomUUID } from 'node:crypto';
+import { encodeSubjectClaims } from './id-claims';
+export const DEFAULT_TOKEN_CLAIMS_VERSION = 1;
+const ALLOWED_TOP_LEVEL_CLAIM_KEYS = new Set([
+    'sub',
+    'uid',
+    'actor',
+    'cid',
+    'ver',
+    'jti',
+    'ext',
+    'iat',
+    'exp',
+    'aud',
+]);
+function assertPositiveSafeInteger(value, fieldName) {
+    if (!Number.isSafeInteger(value) || value <= 0) {
+        throw new Error(`${fieldName} must be a positive safe integer.`);
+    }
+}
+function readRequiredStringClaim(claims, claimName) {
+    const value = claims[claimName];
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`Invalid or missing "${claimName}" claim.`);
+    }
+    return value;
+}
+function readOptionalStringClaim(claims, claimName) {
+    const value = claims[claimName];
+    if (value === undefined) {
+        return undefined;
+    }
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`Invalid "${claimName}" claim.`);
+    }
+    return value;
+}
+function readRequiredPositiveSafeIntegerClaim(claims, claimName) {
+    const value = claims[claimName];
+    if (typeof value !== 'number') {
+        throw new Error(`Invalid or missing "${claimName}" claim.`);
+    }
+    assertPositiveSafeInteger(value, claimName);
+    return value;
+}
+function assertOnlyExpectedTopLevelClaims(claims) {
+    for (const key of Object.keys(claims)) {
+        if (!ALLOWED_TOP_LEVEL_CLAIM_KEYS.has(key)) {
+            throw new Error(`Unexpected top-level claim "${key}".`);
+        }
+    }
+}
+export function buildAccessClaims(input) {
+    if (input.audience.length === 0) {
+        throw new Error('audience must be a non-empty string.');
+    }
+    assertPositiveSafeInteger(input.accessTokenTtlSeconds, 'accessTokenTtlSeconds');
+    const version = input.tokenClaimsVersion ?? DEFAULT_TOKEN_CLAIMS_VERSION;
+    assertPositiveSafeInteger(version, 'tokenClaimsVersion');
+    const issuedAtUnix = input.nowUnix ?? Math.floor(Date.now() / 1000);
+    assertPositiveSafeInteger(issuedAtUnix, 'nowUnix');
+    const expiresAtUnix = issuedAtUnix + input.accessTokenTtlSeconds;
+    assertPositiveSafeInteger(expiresAtUnix, 'exp');
+    const jtiFactory = input.jtiFactory ?? (() => randomUUID());
+    const jti = jtiFactory();
+    if (jti.length === 0) {
+        throw new Error('jti must be a non-empty string.');
+    }
+    const subjectClaims = encodeSubjectClaims({
+        sessionId: input.session.sessionId,
+        userId: input.session.userId,
+        sessionIdCodec: input.sessionIdCodec,
+        userIdCodec: input.userIdCodec,
+    });
+    const extClaims = input.buildExtClaims?.({ session: input.session });
+    return {
+        ...subjectClaims,
+        actor: input.session.actor,
+        ...(input.session.clientId === undefined
+            ? {}
+            : { cid: input.session.clientId }),
+        ver: version,
+        jti,
+        ...(extClaims === undefined ? {} : { ext: extClaims }),
+        iat: issuedAtUnix,
+        exp: expiresAtUnix,
+        aud: input.audience,
+    };
+}
+export function parseAccessClaims(input) {
+    // Actor allowlist enforcement is intentionally handled by higher-level
+    // services using bootstrap config (default reserved actor: 'USER', plus any
+    // app-provided actors). This function validates claim shape only.
+    if (!input.claims || typeof input.claims !== 'object') {
+        throw new Error('Token claims payload must be an object.');
+    }
+    const claims = input.claims;
+    assertOnlyExpectedTopLevelClaims(claims);
+    const version = readRequiredPositiveSafeIntegerClaim(claims, 'ver');
+    const expectedVersion = input.tokenClaimsVersion ?? DEFAULT_TOKEN_CLAIMS_VERSION;
+    assertPositiveSafeInteger(expectedVersion, 'tokenClaimsVersion');
+    if (version !== expectedVersion) {
+        throw new Error(`Unsupported token claims version "${version}". Expected "${expectedVersion}".`);
+    }
+    const issuedAtUnix = readRequiredPositiveSafeIntegerClaim(claims, 'iat');
+    const expiresAtUnix = readRequiredPositiveSafeIntegerClaim(claims, 'exp');
+    if (expiresAtUnix <= issuedAtUnix) {
+        throw new Error('Invalid token lifetime: "exp" must be greater than "iat".');
+    }
+    const extClaims = claims['ext'];
+    if (extClaims !== undefined &&
+        (!extClaims || typeof extClaims !== 'object' || Array.isArray(extClaims))) {
+        throw new Error('Invalid "ext" claim.');
+    }
+    const clientId = readOptionalStringClaim(claims, 'cid');
+    return {
+        sub: readRequiredStringClaim(claims, 'sub'),
+        uid: readRequiredStringClaim(claims, 'uid'),
+        actor: readRequiredStringClaim(claims, 'actor'),
+        ...(clientId === undefined ? {} : { cid: clientId }),
+        ver: version,
+        jti: readRequiredStringClaim(claims, 'jti'),
+        ...(extClaims === undefined ? {} : { ext: extClaims }),
+        iat: issuedAtUnix,
+        exp: expiresAtUnix,
+        aud: readRequiredStringClaim(claims, 'aud'),
+    };
+}

package/src/core/tokens/id-claims.d.ts

@@ -0,0 +1,20 @@
+import type { IdCodec } from '../ids/id-codec';
+export type SubjectClaims = {
+    sub: string;
+    uid: string;
+};
+export type AuthContext<TSessionId, TUserId> = {
+    sessionId: TSessionId;
+    userId: TUserId;
+};
+export declare function encodeSubjectClaims<TSessionId, TUserId>(input: {
+    sessionId: TSessionId;
+    userId: TUserId;
+    sessionIdCodec: IdCodec<TSessionId>;
+    userIdCodec: IdCodec<TUserId>;
+}): SubjectClaims;
+export declare function decodeSubjectClaims<TSessionId, TUserId>(input: {
+    claims: unknown;
+    sessionIdCodec: IdCodec<TSessionId>;
+    userIdCodec: IdCodec<TUserId>;
+}): AuthContext<TSessionId, TUserId>;

package/src/core/tokens/id-claims.js

@@ -0,0 +1,25 @@
+function readRequiredStringClaim(rawClaims, claimName) {
+    const value = rawClaims[claimName];
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`Invalid or missing "${claimName}" claim.`);
+    }
+    return value;
+}
+export function encodeSubjectClaims(input) {
+    return {
+        sub: input.sessionIdCodec.toClaim(input.sessionId),
+        uid: input.userIdCodec.toClaim(input.userId),
+    };
+}
+export function decodeSubjectClaims(input) {
+    if (!input.claims || typeof input.claims !== 'object') {
+        throw new Error('Token claims payload must be an object.');
+    }
+    const rawClaims = input.claims;
+    const subClaim = readRequiredStringClaim(rawClaims, 'sub');
+    const uidClaim = readRequiredStringClaim(rawClaims, 'uid');
+    return {
+        sessionId: input.sessionIdCodec.fromClaim(subClaim),
+        userId: input.userIdCodec.fromClaim(uidClaim),
+    };
+}

package/src/core/types/auth-contract.d.ts

@@ -0,0 +1,33 @@
+export type UserActor = 'USER';
+export type AuthActor = UserActor | string;
+export type SessionRecord<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>> = {
+    sessionId: TSessionId;
+    userId: TUserId;
+    actor: TActor;
+    clientId?: string;
+    issuedAt: number;
+    expiresAt: number;
+    revokedAt?: number | null;
+    serverSessionData?: TServerSessionData;
+};
+export type AccessClaims<TActor extends AuthActor = AuthActor, TExtClaims extends Record<string, unknown> = Record<string, never>> = {
+    sub: string;
+    uid: string;
+    actor: TActor;
+    cid?: string;
+    ver: number;
+    jti: string;
+    ext?: TExtClaims;
+    iat: number;
+    exp: number;
+    aud: string;
+};
+export type ClientSession<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TClientSessionData extends Record<string, unknown> = Record<string, never>> = {
+    sessionId: TSessionId;
+    userId: TUserId;
+    actor: TActor;
+    clientId?: string;
+    issuedAt: number;
+    expiresAt: number;
+    clientSessionData?: TClientSessionData;
+};

package/src/core/types/auth-contract.js

@@ -0,0 +1 @@
+export {};

package/src/express/index.d.ts

@@ -0,0 +1 @@
+export { withExpressProtectedRoute, type ExpressProtectedAuth, type ExpressProtectedRouteContext, type ExpressRequestLike, type ExpressResponseLike, type WithExpressProtectedRouteOptions, } from './protected-route';

package/src/express/index.js

@@ -0,0 +1 @@
+export { withExpressProtectedRoute, } from './protected-route';

package/src/express/protected-route.d.ts

@@ -0,0 +1,44 @@
+import type { AccessTokenSource } from '../core/adapters/access-token-transport-adapter';
+import type { ValidatedAccessTokenResult } from '../core/services/contracts';
+import type { DirectAuthService } from '../core/services/direct-auth-service';
+import type { AuthActor } from '../core/types/auth-contract';
+import { type DirectAccessTokenTransportConfig } from '../next/shared/direct-auth-utils';
+type ExpressHeaderValue = string | string[] | undefined;
+export type ExpressRequestLike = {
+    headers: Record<string, ExpressHeaderValue>;
+    cookies?: Record<string, string | undefined>;
+};
+export type ExpressResponseLike = {
+    headersSent?: boolean;
+    writableEnded?: boolean;
+    setHeader(name: string, value: string): void;
+    status(code: number): ExpressResponseLike;
+    json(value: unknown): ExpressResponseLike;
+    end?: () => void;
+};
+export type ExpressProtectedAuth<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = ValidatedAccessTokenResult<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims> & {
+    accessToken: string;
+    accessTokenSource: AccessTokenSource | undefined;
+};
+export type ExpressProtectedRouteContext<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TReq extends ExpressRequestLike = ExpressRequestLike, TRes extends ExpressResponseLike = ExpressResponseLike> = {
+    req: TReq;
+    res: TRes;
+    requestId: string | undefined;
+    auth: ExpressProtectedAuth<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+};
+export type WithExpressProtectedRouteOptions<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TReq extends ExpressRequestLike = ExpressRequestLike, TRes extends ExpressResponseLike = ExpressResponseLike, TOutput = unknown> = {
+    directAuthService: DirectAuthService<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+    handler: (input: ExpressProtectedRouteContext<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TReq, TRes>) => Promise<TOutput | void> | TOutput | void;
+    expectedAudience?: string;
+    allowedActors?: readonly TActor[] | ReadonlySet<TActor>;
+    accessTokenTransport?: DirectAccessTokenTransportConfig<TActor>;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+    challenge?: {
+        includeErrorInWwwAuthenticate?: boolean;
+        scope?: string;
+        resourceMetadataUrl?: string;
+    };
+};
+export declare function withExpressProtectedRoute<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TReq extends ExpressRequestLike = ExpressRequestLike, TRes extends ExpressResponseLike = ExpressResponseLike, TOutput = unknown>(options: WithExpressProtectedRouteOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TReq, TRes, TOutput>): (req: TReq, res: TRes) => Promise<void>;
+export {};

package/src/express/protected-route.js

@@ -0,0 +1,119 @@
+import { AuthServiceError, isAuthServiceError, } from '../core/services/auth-error';
+import { parseCookieHeader } from '../next/pages/request';
+import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../next/shared/auth-http';
+import { assertBearerOnlyActorPolicy, getHeaderValue, resolveAccessTokenTransportAdapter, } from '../next/shared/direct-auth-utils';
+function normalizeRequestId(value) {
+    return value;
+}
+function buildAccessTokenTransportInput(req, authorizationHeaderName) {
+    const authorizationHeader = getHeaderValue(req.headers, authorizationHeaderName);
+    const cookies = req.cookies ?? parseCookieHeader(getHeaderValue(req.headers, 'cookie'));
+    return {
+        ...(authorizationHeader === undefined ? {} : { authorizationHeader }),
+        ...(Object.keys(cookies).length === 0 ? {} : { cookies }),
+    };
+}
+function isResponseCommitted(res) {
+    return res.headersSent === true || res.writableEnded === true;
+}
+function sendExpressAuthError(res, error, input) {
+    const built = buildAuthErrorHttpResponse({
+        error,
+        ...(input.requestId === undefined ? {} : { requestId: input.requestId }),
+        ...(input.challenge?.scope === undefined
+            ? {}
+            : { challengeScope: input.challenge.scope }),
+        ...(input.challenge?.resourceMetadataUrl === undefined
+            ? {}
+            : { resourceMetadataUrl: input.challenge.resourceMetadataUrl }),
+        ...(input.challenge?.includeErrorInWwwAuthenticate === undefined
+            ? {}
+            : {
+                includeChallengeError: input.challenge.includeErrorInWwwAuthenticate,
+            }),
+    });
+    if (built.challengeHeader !== undefined) {
+        res.setHeader('WWW-Authenticate', built.challengeHeader);
+    }
+    res.status(built.statusCode).json(built.body);
+}
+export function withExpressProtectedRoute(options) {
+    const authorizationHeaderName = options.authorizationHeaderName ?? 'authorization';
+    const requestIdHeaderName = options.requestIdHeaderName ?? 'x-request-id';
+    const accessTokenTransportAdapter = resolveAccessTokenTransportAdapter(options.accessTokenTransport);
+    return async function expressProtectedRoute(req, res) {
+        const requestId = normalizeRequestId(getHeaderValue(req.headers, requestIdHeaderName));
+        const transport = buildAccessTokenTransportInput(req, authorizationHeaderName);
+        try {
+            const extractedAccessToken = accessTokenTransportAdapter.extractAccessToken({
+                transport,
+            });
+            if (!extractedAccessToken.token) {
+                throw new AuthServiceError({
+                    code: 'invalid_token',
+                    message: 'Access token is required.',
+                });
+            }
+            const validatedAccessToken = await options.directAuthService.validateAccessToken({
+                accessToken: extractedAccessToken.token,
+                ...(requestId === undefined ? {} : { requestId }),
+                ...(options.expectedAudience === undefined
+                    ? {}
+                    : { expectedAudience: options.expectedAudience }),
+                ...(options.allowedActors === undefined
+                    ? {}
+                    : { allowedActors: options.allowedActors }),
+            });
+            assertBearerOnlyActorPolicy({
+                actor: validatedAccessToken.claims.actor,
+                ...(extractedAccessToken.source === undefined
+                    ? {}
+                    : { source: extractedAccessToken.source }),
+                ...(options.accessTokenTransport?.requireBearerForActors === undefined
+                    ? {}
+                    : {
+                        requireBearerForActors: options.accessTokenTransport.requireBearerForActors,
+                    }),
+            });
+            const output = await options.handler({
+                req,
+                res,
+                requestId,
+                auth: {
+                    ...validatedAccessToken,
+                    accessToken: extractedAccessToken.token,
+                    accessTokenSource: extractedAccessToken.source,
+                },
+            });
+            if (isResponseCommitted(res)) {
+                return;
+            }
+            if (output === undefined) {
+                res.status(204);
+                if (typeof res.end === 'function') {
+                    res.end();
+                    return;
+                }
+                res.json(null);
+                return;
+            }
+            res.status(200).json(output);
+        }
+        catch (error) {
+            if (isResponseCommitted(res)) {
+                return;
+            }
+            if (isAuthServiceError(error)) {
+                sendExpressAuthError(res, error, {
+                    requestId,
+                    challenge: options.challenge,
+                });
+                return;
+            }
+            const systemErrorResponse = buildSystemErrorHttpResponse({
+                ...(requestId === undefined ? {} : { requestId }),
+            });
+            res.status(systemErrorResponse.statusCode).json(systemErrorResponse.body);
+        }
+    };
+}

package/src/index.d.ts

@@ -0,0 +1,8 @@
+export * from './core/index';
+export * from './config/index';
+export * from './express/index';
+export * as config from './config/index';
+export * as express from './express/index';
+export * as mcp from './mcp/index';
+export * as next from './next/index';
+export * as testing from './testing/index';

package/src/index.js

@@ -0,0 +1,8 @@
+export * from './core/index';
+export * from './config/index';
+export * from './express/index';
+export * as config from './config/index';
+export * as express from './express/index';
+export * as mcp from './mcp/index';
+export * as next from './next/index';
+export * as testing from './testing/index';

package/src/mcp/index.d.ts

@@ -0,0 +1 @@
+export { DEFAULT_UNAUTHENTICATED_RPC_METHODS, getRpcMethodFromBody, getRpcMethodsFromBody, requiresAuth, requiresAuthForBody, } from './json-rpc-auth';

package/src/mcp/index.js

@@ -0,0 +1 @@
+export { DEFAULT_UNAUTHENTICATED_RPC_METHODS, getRpcMethodFromBody, getRpcMethodsFromBody, requiresAuth, requiresAuthForBody, } from './json-rpc-auth';

package/src/mcp/json-rpc-auth.d.ts

@@ -0,0 +1,5 @@
+export declare const DEFAULT_UNAUTHENTICATED_RPC_METHODS: readonly ["initialize", "ping", "tools/list", "resources/list", "resources/read", "prompts/list", "prompts/get"];
+export declare function getRpcMethodsFromBody(body: unknown): string[];
+export declare function getRpcMethodFromBody(body: unknown): string | null;
+export declare function requiresAuth(rpcMethod: string | null, unauthenticatedMethods?: ReadonlySet<string>): boolean;
+export declare function requiresAuthForBody(body: unknown, unauthenticatedMethods?: ReadonlySet<string>): boolean;

package/src/mcp/json-rpc-auth.js

@@ -0,0 +1,41 @@
+export const DEFAULT_UNAUTHENTICATED_RPC_METHODS = Object.freeze([
+    'initialize',
+    'ping',
+    'tools/list',
+    'resources/list',
+    'resources/read',
+    'prompts/list',
+    'prompts/get',
+]);
+const DEFAULT_UNAUTHENTICATED_RPC_METHOD_SET = new Set(DEFAULT_UNAUTHENTICATED_RPC_METHODS);
+function extractRpcMethod(payload) {
+    if (!payload || typeof payload !== 'object') {
+        return null;
+    }
+    const method = payload.method;
+    return typeof method === 'string' ? method : null;
+}
+export function getRpcMethodsFromBody(body) {
+    if (Array.isArray(body)) {
+        return body
+            .map(message => extractRpcMethod(message))
+            .filter((method) => method !== null);
+    }
+    const method = extractRpcMethod(body);
+    return method ? [method] : [];
+}
+export function getRpcMethodFromBody(body) {
+    return getRpcMethodsFromBody(body)[0] ?? null;
+}
+export function requiresAuth(rpcMethod, unauthenticatedMethods = DEFAULT_UNAUTHENTICATED_RPC_METHOD_SET) {
+    if (!rpcMethod) {
+        return false;
+    }
+    if (rpcMethod.startsWith('notifications/')) {
+        return false;
+    }
+    return !unauthenticatedMethods.has(rpcMethod);
+}
+export function requiresAuthForBody(body, unauthenticatedMethods = DEFAULT_UNAUTHENTICATED_RPC_METHOD_SET) {
+    return getRpcMethodsFromBody(body).some(method => requiresAuth(method, unauthenticatedMethods));
+}

package/src/next/app/catch-all.d.ts

@@ -0,0 +1,32 @@
+import { type AuthRouteAction, type AuthRouteHttpMethod } from '../shared/auth-routes';
+export type AppAuthCatchAllParams = {
+    auth?: string[] | undefined;
+};
+export type AppAuthCatchAllContext = {
+    params?: AppAuthCatchAllParams | Promise<AppAuthCatchAllParams>;
+};
+export type AppAuthCatchAllActionHandler = (input: {
+    req: Request;
+    params: AppAuthCatchAllParams;
+    action: AuthRouteAction;
+    segments: readonly string[];
+}) => Promise<Response> | Response;
+export type CreateAppAuthCatchAllHandlersOptions = {
+    handlers: Partial<Record<AuthRouteAction, AppAuthCatchAllActionHandler>>;
+    onUnsupportedRoute?: (input: {
+        req: Request;
+        params: AppAuthCatchAllParams;
+        segments: readonly string[];
+        action?: AuthRouteAction;
+    }) => Promise<Response> | Response;
+    onMethodNotAllowed?: (input: {
+        req: Request;
+        params: AppAuthCatchAllParams;
+        action: AuthRouteAction;
+        allowedMethods: readonly AuthRouteHttpMethod[];
+    }) => Promise<Response> | Response;
+};
+export type AppAuthCatchAllMethodHandler = (req: Request, context: AppAuthCatchAllContext) => Promise<Response>;
+export type AppAuthCatchAllHandlers = Record<AuthRouteHttpMethod, AppAuthCatchAllMethodHandler>;
+export declare function createAppAuthCatchAllHandlers(options: CreateAppAuthCatchAllHandlersOptions): AppAuthCatchAllHandlers;
+export declare const APP_AUTH_CATCH_ALL_METHODS: readonly AuthRouteHttpMethod[];