acuity-mcp-server 1.0.0

package/dist/auth/device-flow.js

@@ -0,0 +1,141 @@
+/**
+ * OAuth 2.0 Device Authorization Flow for Auth0
+ *
+ * Implements the Device Code flow for CLI/MCP authentication
+ * Reference: https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow
+ */
+import open from 'open';
+/**
+ * Request a device code from Auth0
+ */
+export async function requestDeviceCode(config) {
+    const url = `https://${config.domain}/oauth/device/code`;
+    const body = new URLSearchParams({
+        client_id: config.clientId,
+        scope: config.scope || 'openid profile email offline_access',
+    });
+    if (config.audience) {
+        body.append('audience', config.audience);
+    }
+    const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: body.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.json().catch(() => ({}));
+        throw new Error(`Failed to get device code: ${error.error_description || response.statusText}`);
+    }
+    return response.json();
+}
+/**
+ * Poll for access token
+ * Returns token when user completes authorization, or throws on timeout/error
+ */
+export async function pollForToken(config, deviceCode, interval, expiresIn, onPoll) {
+    const url = `https://${config.domain}/oauth/token`;
+    const startTime = Date.now();
+    const timeout = expiresIn * 1000;
+    while (Date.now() - startTime < timeout) {
+        // Wait for the specified interval before polling
+        await sleep(interval * 1000);
+        if (onPoll) {
+            onPoll();
+        }
+        const body = new URLSearchParams({
+            grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+            device_code: deviceCode,
+            client_id: config.clientId,
+        });
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: body.toString(),
+        });
+        const data = await response.json();
+        if (response.ok) {
+            return data;
+        }
+        // Handle expected errors during polling
+        switch (data.error) {
+            case 'authorization_pending':
+                // User hasn't authorized yet, continue polling
+                continue;
+            case 'slow_down':
+                // Increase polling interval
+                interval += 5;
+                continue;
+            case 'expired_token':
+                throw new Error('Device code expired. Please try again.');
+            case 'access_denied':
+                throw new Error('Authorization was denied by the user.');
+            default:
+                throw new Error(`Token request failed: ${data.error_description || data.error || 'Unknown error'}`);
+        }
+    }
+    throw new Error('Authorization timed out. Please try again.');
+}
+/**
+ * Refresh an access token using a refresh token
+ */
+export async function refreshAccessToken(config, refreshToken) {
+    const url = `https://${config.domain}/oauth/token`;
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id: config.clientId,
+        refresh_token: refreshToken,
+    });
+    const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: body.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.json().catch(() => ({}));
+        throw new Error(`Failed to refresh token: ${error.error_description || response.statusText}`);
+    }
+    return response.json();
+}
+/**
+ * Run the complete Device Authorization Flow
+ */
+export async function runDeviceFlow(config) {
+    // Step 1: Request device code
+    console.error('\n[Auth] Initiating Device Authorization Flow...\n');
+    const deviceCodeResponse = await requestDeviceCode(config);
+    // Step 2: Display instructions to user
+    console.error('To authorize this device, please:');
+    console.error(`\n  1. Visit: ${deviceCodeResponse.verification_uri}`);
+    console.error(`  2. Enter code: ${deviceCodeResponse.user_code}\n`);
+    console.error(`Or open this URL directly: ${deviceCodeResponse.verification_uri_complete}\n`);
+    // Step 3: Open browser automatically
+    console.error('[Auth] Opening browser...\n');
+    try {
+        await open(deviceCodeResponse.verification_uri_complete);
+    }
+    catch {
+        console.error('[Auth] Could not open browser automatically. Please visit the URL manually.\n');
+    }
+    // Step 4: Poll for token
+    console.error('[Auth] Waiting for authorization...');
+    let dots = 0;
+    const token = await pollForToken(config, deviceCodeResponse.device_code, deviceCodeResponse.interval, deviceCodeResponse.expires_in, () => {
+        dots = (dots + 1) % 4;
+        process.stderr.write(`\r[Auth] Waiting for authorization${'.'.repeat(dots)}${' '.repeat(3 - dots)}`);
+    });
+    console.error('\n\n[Auth] Authorization successful!\n');
+    return token;
+}
+/**
+ * Helper: Sleep for specified milliseconds
+ */
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=device-flow.js.map

package/dist/auth/device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-flow.js","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AAgCxB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAwB;IAC9D,MAAM,GAAG,GAAG,WAAW,MAAM,CAAC,MAAM,oBAAoB,CAAC;IAEzD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,qCAAqC;KAC7D,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAuB,CAAC;QAC5E,MAAM,IAAI,KAAK,CAAC,8BAA8B,KAAK,CAAC,iBAAiB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAClG,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAiC,CAAC;AACxD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAwB,EACxB,UAAkB,EAClB,QAAgB,EAChB,SAAiB,EACjB,MAAmB;IAEnB,MAAM,GAAG,GAAG,WAAW,MAAM,CAAC,MAAM,cAAc,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC;IAEjC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,OAAO,EAAE,CAAC;QACxC,iDAAiD;QACjD,MAAM,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;QAE7B,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,EAAE,CAAC;QACX,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,8CAA8C;YAC1D,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,MAAM,CAAC,QAAQ;SAC3B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA0C,CAAC;QAE3E,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,IAAqB,CAAC;QAC/B,CAAC;QAED,wCAAwC;QACxC,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;YACnB,KAAK,uBAAuB;gBAC1B,+CAA+C;gBAC/C,SAAS;YAEX,KAAK,WAAW;gBACd,4BAA4B;gBAC5B,QAAQ,IAAI,CAAC,CAAC;gBACd,SAAS;YAEX,KAAK,eAAe;gBAClB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAE5D,KAAK,eAAe;gBAClB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAE3D;gBACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,IAAI,eAAe,EAAE,CAAC,CAAC;QACxG,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAwB,EACxB,YAAoB;IAEpB,MAAM,GAAG,GAAG,WAAW,MAAM,CAAC,MAAM,cAAc,CAAC;IAEnD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAuB,CAAC;QAC5E,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,CAAC,iBAAiB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA4B,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAwB;IAC1D,8BAA8B;IAC9B,OAAO,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAEpE,MAAM,kBAAkB,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAE3D,uCAAuC;IACvC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACnD,OAAO,CAAC,KAAK,CAAC,iBAAiB,kBAAkB,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACtE,OAAO,CAAC,KAAK,CAAC,oBAAoB,kBAAkB,CAAC,SAAS,IAAI,CAAC,CAAC;IACpE,OAAO,CAAC,KAAK,CAAC,8BAA8B,kBAAkB,CAAC,yBAAyB,IAAI,CAAC,CAAC;IAE9F,qCAAqC;IACrC,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,kBAAkB,CAAC,yBAAyB,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,KAAK,CAAC,+EAA+E,CAAC,CAAC;IACjG,CAAC;IAED,yBAAyB;IACzB,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAErD,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,MAAM,KAAK,GAAG,MAAM,YAAY,CAC9B,MAAM,EACN,kBAAkB,CAAC,WAAW,EAC9B,kBAAkB,CAAC,QAAQ,EAC3B,kBAAkB,CAAC,UAAU,EAC7B,GAAG,EAAE;QACH,IAAI,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;IACvG,CAAC,CACF,CAAC;IAEF,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAExD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/auth/http-auth.d.ts

@@ -0,0 +1,25 @@
+/**
+ * HTTP Authentication Middleware
+ * Validates OAuth 2.0 Bearer tokens for HTTP requests
+ */
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Extended Request type with authenticated user info
+ */
+export interface AuthenticatedRequest extends Request {
+    userEmail: string;
+    userToken: string;
+}
+/**
+ * Express middleware to validate OAuth 2.0 Bearer tokens
+ *
+ * Extracts JWT from Authorization header, validates it using Auth0 JWKS,
+ * and attaches user email to the request for downstream use.
+ */
+export declare function validateHttpAuth(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * Optional middleware for endpoints that don't require auth
+ * but should use auth if provided
+ */
+export declare function optionalHttpAuth(req: Request, _res: Response, next: NextFunction): Promise<void>;
+//# sourceMappingURL=http-auth.d.ts.map

package/dist/auth/http-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth.d.ts","sourceRoot":"","sources":["../../src/auth/http-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAkBD;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CA8Df;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE,QAAQ,EACd,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAgBf"}

package/dist/auth/http-auth.js

@@ -0,0 +1,101 @@
+/**
+ * HTTP Authentication Middleware
+ * Validates OAuth 2.0 Bearer tokens for HTTP requests
+ */
+import { validateJWT } from './jwt-validator.js';
+/**
+ * Extract Bearer token from Authorization header
+ */
+function extractBearerToken(authHeader) {
+    if (!authHeader) {
+        return null;
+    }
+    const parts = authHeader.split(' ');
+    if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+        return null;
+    }
+    return parts[1];
+}
+/**
+ * Express middleware to validate OAuth 2.0 Bearer tokens
+ *
+ * Extracts JWT from Authorization header, validates it using Auth0 JWKS,
+ * and attaches user email to the request for downstream use.
+ */
+export async function validateHttpAuth(req, res, next) {
+    try {
+        // Check for API key first (simpler auth for testing/internal use)
+        const apiKey = req.headers['x-api-key'];
+        if (apiKey && process.env.MCP_API_KEY && apiKey === process.env.MCP_API_KEY) {
+            // API key auth - use configured service account email
+            const serviceEmail = process.env.MCP_SERVICE_EMAIL || 'mcp-service@acuityppm.com';
+            req.userEmail = serviceEmail;
+            req.userToken = apiKey;
+            next();
+            return;
+        }
+        // Extract Bearer token
+        const token = extractBearerToken(req.headers.authorization);
+        if (!token) {
+            res.status(401).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32001,
+                    message: 'Authentication required. Provide Authorization: Bearer <token> header.'
+                },
+                id: null
+            });
+            return;
+        }
+        // Validate JWT and extract email
+        const { email } = await validateJWT(token);
+        if (!email) {
+            res.status(401).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32001,
+                    message: 'Invalid token: could not extract user email.'
+                },
+                id: null
+            });
+            return;
+        }
+        // Attach user info to request
+        req.userEmail = email;
+        req.userToken = token;
+        next();
+    }
+    catch (error) {
+        console.error('[HTTP Auth] Token validation failed:', error);
+        const message = error instanceof Error ? error.message : 'Token validation failed';
+        res.status(401).json({
+            jsonrpc: '2.0',
+            error: {
+                code: -32001,
+                message: `Authentication failed: ${message}`
+            },
+            id: null
+        });
+    }
+}
+/**
+ * Optional middleware for endpoints that don't require auth
+ * but should use auth if provided
+ */
+export async function optionalHttpAuth(req, _res, next) {
+    try {
+        const token = extractBearerToken(req.headers.authorization);
+        if (token) {
+            const { email } = await validateJWT(token);
+            if (email) {
+                req.userEmail = email;
+                req.userToken = token;
+            }
+        }
+    }
+    catch {
+        // Ignore auth errors for optional auth
+    }
+    next();
+}
+//# sourceMappingURL=http-auth.js.map

package/dist/auth/http-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth.js","sourceRoot":"","sources":["../../src/auth/http-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAUjD;;GAEG;AACH,SAAS,kBAAkB,CAAC,UAA8B;IACxD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,IAAI,CAAC;QACH,kEAAkE;QAClE,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAuB,CAAC;QAC9D,IAAI,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,KAAK,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YAC5E,sDAAsD;YACtD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,2BAA2B,CAAC;YACjF,GAA4B,CAAC,SAAS,GAAG,YAAY,CAAC;YACtD,GAA4B,CAAC,SAAS,GAAG,MAAM,CAAC;YACjD,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,uBAAuB;QACvB,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAE5D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,wEAAwE;iBAClF;gBACD,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,iCAAiC;QACjC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC;QAE3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,8CAA8C;iBACxD;gBACD,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8BAA8B;QAC7B,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;QAC/C,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;QAEhD,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC;QAEnF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,CAAC,KAAK;gBACZ,OAAO,EAAE,0BAA0B,OAAO,EAAE;aAC7C;YACD,EAAE,EAAE,IAAI;SACT,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAAY,EACZ,IAAc,EACd,IAAkB;IAElB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAE5D,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC;YAC3C,IAAI,KAAK,EAAE,CAAC;gBACT,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;gBAC/C,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;IACzC,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/auth/jwt-validator.d.ts

@@ -0,0 +1,20 @@
+/**
+ * JWT Validator for Auth0 tokens
+ * Based on rails_api/app/lib/json_web_token.rb
+ */
+export interface JWTPayload {
+    email: string;
+    sub?: string;
+    aud?: string;
+    iss?: string;
+    exp?: number;
+}
+/**
+ * Validates a JWT token from Auth0
+ *
+ * @param token - The JWT token string
+ * @returns Promise resolving to payload with email
+ * @throws Error if token is invalid or email is missing
+ */
+export declare function validateJWT(token: string): Promise<JWTPayload>;
+//# sourceMappingURL=jwt-validator.d.ts.map

package/dist/auth/jwt-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-validator.d.ts","sourceRoot":"","sources":["../../src/auth/jwt-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAwCD;;;;;;GAMG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAkDpE"}

package/dist/auth/jwt-validator.js

@@ -0,0 +1,83 @@
+/**
+ * JWT Validator for Auth0 tokens
+ * Based on rails_api/app/lib/json_web_token.rb
+ */
+import jwt from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+/**
+ * Creates a JWKS client for Auth0 public key retrieval
+ */
+function createJWKSClient() {
+    const managementDomain = process.env.AUTH0_MANAGEMENT_DOMAIN;
+    if (!managementDomain) {
+        throw new Error('AUTH0_MANAGEMENT_DOMAIN environment variable is required');
+    }
+    return jwksClient({
+        jwksUri: `https://${managementDomain}/.well-known/jwks.json`,
+        cache: true,
+        cacheMaxAge: 86400000, // 24 hours
+        rateLimit: true,
+        jwksRequestsPerMinute: 10
+    });
+}
+/**
+ * Get signing key from Auth0 JWKS
+ */
+function getKey(header, callback) {
+    const client = createJWKSClient();
+    client.getSigningKey(header.kid, (err, key) => {
+        if (err) {
+            callback(err);
+            return;
+        }
+        const signingKey = key?.getPublicKey();
+        callback(null, signingKey);
+    });
+}
+/**
+ * Validates a JWT token from Auth0
+ *
+ * @param token - The JWT token string
+ * @returns Promise resolving to payload with email
+ * @throws Error if token is invalid or email is missing
+ */
+export async function validateJWT(token) {
+    const auth0Domain = process.env.REACT_APP_AUTH0_DOMAIN || process.env.AUTH0_DOMAIN;
+    const clientId = process.env.REACT_APP_AUTH0_CLIENT_ID;
+    if (!auth0Domain) {
+        throw new Error('AUTH0_DOMAIN or REACT_APP_AUTH0_DOMAIN environment variable is required');
+    }
+    return new Promise((resolve, reject) => {
+        jwt.verify(token, getKey, {
+            algorithms: ['RS256', 'RS512'],
+            issuer: `https://${auth0Domain}/`,
+            audience: clientId,
+            ignoreExpiration: false
+        }, (err, decoded) => {
+            if (err) {
+                reject(new Error(`Invalid JWT token: ${err.message}`));
+                return;
+            }
+            if (!decoded || typeof decoded === 'string') {
+                reject(new Error('Invalid JWT token payload'));
+                return;
+            }
+            // Extract email from various possible claim locations
+            const email = decoded.email ||
+                decoded['https://acuity.com/email'] ||
+                decoded['https://acuityppm.com/email'];
+            if (!email || typeof email !== 'string') {
+                reject(new Error('Email not found in JWT token claims'));
+                return;
+            }
+            resolve({
+                email: email.toLowerCase(),
+                sub: decoded.sub,
+                aud: decoded.aud,
+                iss: decoded.iss,
+                exp: decoded.exp
+            });
+        });
+    });
+}
+//# sourceMappingURL=jwt-validator.js.map

package/dist/auth/jwt-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-validator.js","sourceRoot":"","sources":["../../src/auth/jwt-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,UAAU,MAAM,UAAU,CAAC;AAUlC;;GAEG;AACH,SAAS,gBAAgB;IACvB,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IAE7D,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,OAAO,UAAU,CAAC;QAChB,OAAO,EAAE,WAAW,gBAAgB,wBAAwB;QAC5D,KAAK,EAAE,IAAI;QACX,WAAW,EAAE,QAAQ,EAAE,WAAW;QAClC,SAAS,EAAE,IAAI;QACf,qBAAqB,EAAE,EAAE;KAC1B,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,MAAM,CACb,MAAqB,EACrB,QAAgC;IAEhC,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAElC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5C,IAAI,GAAG,EAAE,CAAC;YACR,QAAQ,CAAC,GAAG,CAAC,CAAC;YACd,OAAO;QACT,CAAC;QACD,MAAM,UAAU,GAAG,GAAG,EAAE,YAAY,EAAE,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAa;IAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACnF,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IAEvD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;IAC7F,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,GAAG,CAAC,MAAM,CACR,KAAK,EACL,MAAM,EACN;YACE,UAAU,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC;YAC9B,MAAM,EAAE,WAAW,WAAW,GAAG;YACjC,QAAQ,EAAE,QAAQ;YAClB,gBAAgB,EAAE,KAAK;SACxB,EACD,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;YACf,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBACvD,OAAO;YACT,CAAC;YAED,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,sDAAsD;YACtD,MAAM,KAAK,GACT,OAAO,CAAC,KAAK;gBACb,OAAO,CAAC,0BAA0B,CAAC;gBACnC,OAAO,CAAC,6BAA6B,CAAC,CAAC;YAEzC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACxC,MAAM,CAAC,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC,CAAC;gBACzD,OAAO;YACT,CAAC;YAED,OAAO,CAAC;gBACN,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;gBAC1B,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,GAAG,EAAE,OAAO,CAAC,GAAa;gBAC1B,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/auth/token-storage.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Secure Token Storage using System Keychain
+ *
+ * Uses keytar for cross-platform keychain access:
+ * - macOS: Keychain Access
+ * - Windows: Credential Manager
+ * - Linux: libsecret
+ *
+ * If keytar is not available (e.g., no native build tools),
+ * falls back to no-op storage and users must use USER_JWT env var.
+ */
+import type { TokenResponse } from './device-flow.js';
+/**
+ * Check if keytar is available
+ */
+export declare function isKeytarAvailable(): Promise<boolean>;
+/**
+ * Get the error message if keytar failed to load
+ */
+export declare function getKeytarLoadError(): string | null;
+export interface PendingDeviceCode {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    interval: number;
+    expiresAt: number;
+}
+export interface StoredCredentials {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresAt: number;
+    email?: string;
+}
+/**
+ * Save credentials to the system keychain
+ * Returns false if keytar is not available
+ */
+export declare function saveCredentials(credentials: StoredCredentials): Promise<boolean>;
+/**
+ * Load credentials from the system keychain
+ * Returns null if keytar is not available or no credentials stored
+ */
+export declare function loadCredentials(): Promise<StoredCredentials | null>;
+/**
+ * Clear credentials from the system keychain
+ * Returns false if keytar is not available
+ */
+export declare function clearCredentials(): Promise<boolean>;
+/**
+ * Check if credentials exist in the keychain
+ */
+export declare function hasCredentials(): Promise<boolean>;
+/**
+ * Check if the stored access token is expired
+ * Returns true if expired or no credentials exist
+ */
+export declare function isTokenExpired(bufferSeconds?: number): Promise<boolean>;
+/**
+ * Convert TokenResponse from Device Flow to StoredCredentials
+ */
+export declare function tokenResponseToCredentials(token: TokenResponse, email?: string): StoredCredentials;
+/**
+ * Get the access token, refreshing if necessary
+ * Throws if no valid token available and refresh fails
+ */
+export declare function getValidAccessToken(refreshFn?: (refreshToken: string) => Promise<TokenResponse>): Promise<string>;
+/**
+ * Save pending device code during two-phase login
+ * Returns false if keytar is not available
+ */
+export declare function savePendingDeviceCode(pending: PendingDeviceCode): Promise<boolean>;
+/**
+ * Load pending device code
+ * Returns null if keytar is not available or no pending code
+ */
+export declare function loadPendingDeviceCode(): Promise<PendingDeviceCode | null>;
+/**
+ * Clear pending device code
+ * Returns false if keytar is not available
+ */
+export declare function clearPendingDeviceCode(): Promise<boolean>;
+/**
+ * Get the ID token (JWT) for Hasura authentication, refreshing if necessary
+ * Hasura requires a JWT, not an opaque access token
+ */
+export declare function getValidIdToken(refreshFn?: (refreshToken: string) => Promise<TokenResponse>): Promise<string>;
+//# sourceMappingURL=token-storage.d.ts.map

package/dist/auth/token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.d.ts","sourceRoot":"","sources":["../../src/auth/token-storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AA4CtD;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC,CAG1D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,IAAI,CAElD;AAUD,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CAStF;AAED;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAezE;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAOzD;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC,CAGvD;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,aAAa,GAAE,MAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAQjF;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,KAAK,EAAE,aAAa,EACpB,KAAK,CAAC,EAAE,MAAM,GACb,iBAAiB,CAUnB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,CAAC,GAC3D,OAAO,CAAC,MAAM,CAAC,CA0CjB;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CASxF;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAwB/E;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO/D;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,SAAS,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,CAAC,GAC3D,OAAO,CAAC,MAAM,CAAC,CAkDjB"}