bitfire-lark-mcp 1.0.0

package/dist/auth/provider/oidc.js

@@ -0,0 +1,172 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LarkOIDC2OAuthServerProvider = void 0;
+const store_1 = require("../store");
+const is_token_valid_1 = require("../utils/is-token-valid");
+const pkce_1 = require("../utils/pkce");
+const zod_1 = require("zod");
+const http_instance_1 = require("../../utils/http-instance");
+const logger_1 = require("../../utils/logger");
+const LarkOIDCTokenSchema = zod_1.z.object({
+    code: zod_1.z.number(),
+    msg: zod_1.z.string().optional(),
+    data: zod_1.z.object({
+        access_token: zod_1.z.string(),
+        token_type: zod_1.z.string(),
+        refresh_token: zod_1.z.string().optional(),
+        expires_in: zod_1.z.number().optional(),
+        refresh_expires_in: zod_1.z.number().optional(),
+        scope: zod_1.z.string().optional(),
+    }),
+});
+class LarkOIDC2OAuthServerProvider {
+    constructor(options) {
+        this.skipLocalPkceValidation = true;
+        const { domain } = options;
+        this._endpoints = {
+            appAccessTokenUrl: `${domain}/open-apis/auth/v3/app_access_token/internal`,
+            authorizationUrl: `${domain}/open-apis/authen/v1/index`,
+            tokenUrl: `${domain}/open-apis/authen/v1/oidc/access_token`,
+            refreshTokenUrl: `${domain}/open-apis/authen/v1/oidc/refresh_access_token`,
+            registrationUrl: `${domain}/open-apis/authen/v1/index`,
+        };
+        this._options = options;
+    }
+    get clientsStore() {
+        return store_1.authStore;
+    }
+    async authorize(client, params, res) {
+        const targetUrl = new URL(this._endpoints.authorizationUrl);
+        const searchParams = new URLSearchParams({
+            app_id: this._options.appId,
+            redirect_uri: this._options.callbackUrl + '?redirect_uri=' + client.redirect_uris[0],
+        });
+        if (params.state) {
+            searchParams.set('state', params.state);
+        }
+        if (params.codeChallenge) {
+            store_1.authStore.storeCodeVerifier(`challenge_${client.client_id}`, params.codeChallenge);
+        }
+        targetUrl.search = searchParams.toString();
+        logger_1.logger.info(`[LarkOIDC2OAuthServerProvider] Redirecting to authorization URL: ${targetUrl.toString()}`);
+        res.redirect(targetUrl.toString());
+    }
+    async challengeForAuthorizationCode(_client, _authorizationCode) {
+        return '';
+    }
+    async exchangeAuthorizationCode(client, authorizationCode, codeVerifier, _redirectUri) {
+        var _a, _b, _c, _d, _e;
+        if (codeVerifier) {
+            const storedChallenge = store_1.authStore.getCodeVerifier(`challenge_${client.client_id}`);
+            if (!storedChallenge) {
+                logger_1.logger.error(`[LarkOIDC2OAuthServerProvider] exchangeAuthorizationCode: PKCE validation failed: code challenge not found`);
+                throw new Error('PKCE validation failed: code challenge not found');
+            }
+            const expectedChallenge = (0, pkce_1.generateCodeChallenge)(codeVerifier);
+            if (expectedChallenge !== storedChallenge) {
+                logger_1.logger.error(`[LarkOIDC2OAuthServerProvider] exchangeAuthorizationCode: PKCE validation failed: code verifier does not match challenge`);
+                throw new Error('PKCE validation failed: code verifier does not match challenge');
+            }
+            store_1.authStore.removeCodeVerifier(`challenge_${client.client_id}`);
+        }
+        const params = {
+            grant_type: 'authorization_code',
+            code: authorizationCode,
+        };
+        try {
+            logger_1.logger.info(`[LarkOIDC2OAuthServerProvider] Exchanging authorization code for client ${client.client_id}; appId: ${this._options.appId}`);
+            const appAccessTokenResponse = await http_instance_1.commonHttpInstance.post(this._endpoints.appAccessTokenUrl, { app_id: this._options.appId, app_secret: this._options.appSecret }, { headers: { 'Content-Type': 'application/json; charset=utf-8' } });
+            const { app_access_token: appAccessToken } = appAccessTokenResponse.data;
+            const response = await http_instance_1.commonHttpInstance.post(this._endpoints.tokenUrl, params, {
+                headers: { 'Content-Type': 'application/json; charset=utf-8', Authorization: `Bearer ${appAccessToken}` },
+            });
+            const data = response.data;
+            const parseResult = LarkOIDCTokenSchema.safeParse(data);
+            if (!parseResult.success) {
+                throw new Error(`Token parse failed: invalid response: ${data === null || data === void 0 ? void 0 : data.code}, ${data === null || data === void 0 ? void 0 : data.msg}`);
+            }
+            const token = parseResult.data;
+            const expiresAt = token.data.expires_in ? token.data.expires_in + Date.now() / 1000 : undefined;
+            await store_1.authStore.storeToken({
+                clientId: client.client_id,
+                token: token.data.access_token,
+                scopes: ((_a = token.data.scope) === null || _a === void 0 ? void 0 : _a.split(' ')) || [],
+                expiresAt,
+                extra: {
+                    refreshToken: token.data.refresh_token,
+                    token,
+                    appId: this._options.appId,
+                    appSecret: this._options.appSecret,
+                },
+            });
+            logger_1.logger.info(`[LarkOIDC2OAuthServerProvider] Successfully exchanged authorization code for client ${client.client_id}; appId: ${this._options.appId}; token: ${Boolean(token.data.access_token)}; refreshToken: ${Boolean(token.data.refresh_token)};expiresAt: ${expiresAt}`);
+            return {
+                access_token: token.data.access_token,
+                token_type: token.data.token_type,
+                expires_in: token.data.expires_in,
+                scope: token.data.scope,
+                refresh_token: token.data.refresh_token,
+            };
+        }
+        catch (error) {
+            logger_1.logger.error(`[LarkOIDC2OAuthServerProvider] exchangeAuthorizationCode: Token exchange failed: ${((_b = error.response) === null || _b === void 0 ? void 0 : _b.status) || error.status} ${((_c = error.response) === null || _c === void 0 ? void 0 : _c.data) || error.message}`);
+            throw new Error(`Token exchange failed: ${((_d = error.response) === null || _d === void 0 ? void 0 : _d.status) || error.status} ${((_e = error.response) === null || _e === void 0 ? void 0 : _e.data) || error.message}`);
+        }
+    }
+    async exchangeRefreshToken(client, refreshToken, _scopes) {
+        var _a, _b, _c, _d, _e, _f, _g;
+        const originalToken = await store_1.authStore.getTokenByRefreshToken(refreshToken);
+        if (!originalToken) {
+            logger_1.logger.error(`[LarkOIDC2OAuthServerProvider] exchangeRefreshToken: Refresh token is invalid`);
+            throw new Error('refresh token is invalid');
+        }
+        const appId = ((_a = originalToken.extra) === null || _a === void 0 ? void 0 : _a.app_id) || this._options.appId;
+        const appSecret = ((_b = originalToken.extra) === null || _b === void 0 ? void 0 : _b.app_secret) || this._options.appSecret;
+        try {
+            logger_1.logger.info(`[LarkOIDC2OAuthServerProvider] Refreshing token for client ${client.client_id}`);
+            const appAccessTokenResponse = await http_instance_1.commonHttpInstance.post(this._endpoints.appAccessTokenUrl, { app_id: appId, app_secret: appSecret }, { headers: { 'Content-Type': 'application/json; charset=utf-8' } });
+            const { app_access_token: appAccessToken } = appAccessTokenResponse.data;
+            const response = await http_instance_1.commonHttpInstance.post(this._endpoints.refreshTokenUrl, { grant_type: 'refresh_token', refresh_token: refreshToken }, { headers: { 'Content-Type': 'application/json; charset=utf-8', Authorization: `Bearer ${appAccessToken}` } });
+            const data = response.data;
+            const parseResult = LarkOIDCTokenSchema.safeParse(data);
+            if (!parseResult.success) {
+                throw new Error(`Token parse failed: invalid response: ${data === null || data === void 0 ? void 0 : data.code}, ${data === null || data === void 0 ? void 0 : data.msg}`);
+            }
+            const token = parseResult.data;
+            const expiresAt = token.data.expires_in ? token.data.expires_in + Date.now() / 1000 : undefined;
+            await store_1.authStore.storeToken({
+                clientId: client.client_id,
+                token: token.data.access_token,
+                scopes: ((_c = token.data.scope) === null || _c === void 0 ? void 0 : _c.split(' ')) || [],
+                expiresAt,
+                extra: { refreshToken: token.data.refresh_token, token, appId, appSecret },
+            });
+            logger_1.logger.info(`[LarkOIDC2OAuthServerProvider] Successfully refreshed token for client ${client.client_id}; appId: ${appId}; token: ${Boolean(token.data.access_token)}; refreshToken: ${Boolean(token.data.refresh_token)};expiresAt: ${expiresAt}`);
+            return {
+                access_token: token.data.access_token,
+                token_type: token.data.token_type,
+                expires_in: token.data.expires_in,
+                scope: token.data.scope,
+                refresh_token: token.data.refresh_token,
+            };
+        }
+        catch (error) {
+            logger_1.logger.error(`[LarkOIDC2OAuthServerProvider] exchangeRefreshToken: Token refresh failed: ${((_d = error.response) === null || _d === void 0 ? void 0 : _d.status) || error.status} ${((_e = error.response) === null || _e === void 0 ? void 0 : _e.data) || error.message}`);
+            throw new Error(`Token refresh failed: ${((_f = error.response) === null || _f === void 0 ? void 0 : _f.status) || error.status} ${((_g = error.response) === null || _g === void 0 ? void 0 : _g.data) || error.message}`);
+        }
+    }
+    async verifyAccessToken(token) {
+        const { valid, token: storedToken } = await (0, is_token_valid_1.isTokenValid)(token);
+        if (!valid) {
+            return {
+                token: (storedToken === null || storedToken === void 0 ? void 0 : storedToken.token) || '',
+                clientId: (storedToken === null || storedToken === void 0 ? void 0 : storedToken.clientId) || '',
+                scopes: (storedToken === null || storedToken === void 0 ? void 0 : storedToken.scopes) || [],
+                expiresAt: (storedToken === null || storedToken === void 0 ? void 0 : storedToken.expiresAt) || 1,
+                extra: (storedToken === null || storedToken === void 0 ? void 0 : storedToken.extra) || {},
+            };
+        }
+        return storedToken;
+    }
+}
+exports.LarkOIDC2OAuthServerProvider = LarkOIDC2OAuthServerProvider;

package/dist/auth/provider/types.d.ts

@@ -0,0 +1,8 @@
+export interface LarkProxyOAuthServerProviderOptions {
+    domain: string;
+    host: string;
+    port: number;
+    appId: string;
+    appSecret: string;
+    callbackUrl: string;
+}

package/dist/auth/provider/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/auth/store.d.ts

@@ -0,0 +1,39 @@
+import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+export declare class AuthStore implements OAuthRegisteredClientsStore {
+    private storageDataCache;
+    private codeVerifiers;
+    private initializePromise;
+    private fileWatcher;
+    private isReloading;
+    private isInitializedStorageSuccess;
+    constructor();
+    private initialize;
+    private performInitialization;
+    private setupFileWatcher;
+    private handleFileChange;
+    private loadFromStorage;
+    private saveToStorage;
+    private clearExpiredTokens;
+    storeToken(token: AuthInfo): Promise<AuthInfo>;
+    removeToken(accessToken: string): Promise<void>;
+    getToken(accessToken: string): Promise<AuthInfo | undefined>;
+    getTokenByRefreshToken(refreshToken: string): Promise<AuthInfo | undefined>;
+    getLocalAccessToken(appId: string): Promise<string | undefined>;
+    storeLocalAccessToken(accessToken: string, appId: string): Promise<string>;
+    removeLocalAccessToken(appId: string): Promise<void>;
+    removeAllLocalAccessTokens(): Promise<void>;
+    getAllLocalAccessTokens(): Promise<{
+        [appId: string]: string;
+    }>;
+    registerClient(client: OAuthClientInformationFull): Promise<OAuthClientInformationFull>;
+    getClient(id: string): Promise<OAuthClientInformationFull | undefined>;
+    removeClient(clientId: string): Promise<void>;
+    storeCodeVerifier(key: string, codeVerifier: string): void;
+    getCodeVerifier(key: string): string | undefined;
+    removeCodeVerifier(key: string): void;
+    clearExpiredCodeVerifiers(): void;
+    destroy(): void;
+}
+export declare const authStore: AuthStore;

package/dist/auth/store.js

@@ -0,0 +1,213 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authStore = exports.AuthStore = void 0;
+const fs_1 = __importDefault(require("fs"));
+const storage_manager_1 = require("./utils/storage-manager");
+const logger_1 = require("../utils/logger");
+class AuthStore {
+    constructor() {
+        this.storageDataCache = { tokens: {}, clients: {} };
+        this.codeVerifiers = new Map();
+        this.isReloading = false;
+        this.isInitializedStorageSuccess = false;
+        this.initialize();
+    }
+    async initialize() {
+        if (this.initializePromise) {
+            return this.initializePromise;
+        }
+        this.initializePromise = this.performInitialization();
+        await this.initializePromise;
+    }
+    async performInitialization() {
+        try {
+            await this.loadFromStorage();
+            logger_1.logger.info(`[AuthStore] Initialized storage successfully with ${Object.keys(this.storageDataCache.tokens).length} tokens`);
+            await this.clearExpiredTokens();
+            this.setupFileWatcher();
+            this.isInitializedStorageSuccess = true;
+        }
+        catch (error) {
+            logger_1.logger.error(`[AuthStore] Failed to initialize: ${error}`);
+            this.isInitializedStorageSuccess = false;
+        }
+    }
+    setupFileWatcher() {
+        try {
+            if (fs_1.default.existsSync(storage_manager_1.storageManager.storageFile)) {
+                logger_1.logger.info(`[AuthStore] Setup file watcher for ${storage_manager_1.storageManager.storageFile}`);
+                this.fileWatcher = fs_1.default.watch(storage_manager_1.storageManager.storageFile, () => {
+                    this.handleFileChange();
+                });
+            }
+        }
+        catch (error) {
+            logger_1.logger.error(`[AuthStore] Failed to setup file watcher: ${error}`);
+        }
+    }
+    async handleFileChange() {
+        if (this.isReloading) {
+            return;
+        }
+        this.isReloading = true;
+        try {
+            logger_1.logger.info(`[AuthStore] Reloading storage from ${storage_manager_1.storageManager.storageFile}`);
+            await new Promise((resolve) => setTimeout(resolve, 100));
+            await this.loadFromStorage();
+        }
+        catch (error) {
+            logger_1.logger.error(`[AuthStore] Failed to reload storage: ${error}`);
+        }
+        finally {
+            this.isReloading = false;
+        }
+    }
+    async loadFromStorage() {
+        const storageData = await storage_manager_1.storageManager.loadStorageData();
+        this.storageDataCache = storageData;
+    }
+    async saveToStorage() {
+        if (!this.isInitializedStorageSuccess) {
+            return;
+        }
+        await storage_manager_1.storageManager.saveStorageData(this.storageDataCache);
+    }
+    async clearExpiredTokens() {
+        if (!this.storageDataCache || !this.storageDataCache.tokens) {
+            return;
+        }
+        const now = Date.now() / 1000;
+        let hasExpiredTokens = false;
+        const expiredTokenKeys = [];
+        for (const [tokenKey, token] of Object.entries(this.storageDataCache.tokens)) {
+            // 7 days after expires clear the token
+            if (token.expiresAt && token.expiresAt + 7 * 24 * 60 * 60 < now) {
+                expiredTokenKeys.push(tokenKey);
+            }
+        }
+        if (expiredTokenKeys.length > 0) {
+            for (const tokenKey of expiredTokenKeys) {
+                delete this.storageDataCache.tokens[tokenKey];
+            }
+            hasExpiredTokens = true;
+        }
+        if (this.storageDataCache.localTokens) {
+            const orphanedLocalTokenKeys = [];
+            for (const [appId, tokenKey] of Object.entries(this.storageDataCache.localTokens)) {
+                if (!this.storageDataCache.tokens[tokenKey]) {
+                    orphanedLocalTokenKeys.push(appId);
+                }
+            }
+            if (orphanedLocalTokenKeys.length > 0) {
+                for (const appId of orphanedLocalTokenKeys) {
+                    delete this.storageDataCache.localTokens[appId];
+                }
+                hasExpiredTokens = true;
+            }
+        }
+        if (hasExpiredTokens) {
+            logger_1.logger.info(`[AuthStore] Cleared expired tokens`);
+            await this.saveToStorage();
+        }
+    }
+    async storeToken(token) {
+        await this.initialize();
+        this.storageDataCache.tokens[token.token] = token;
+        await this.saveToStorage();
+        return token;
+    }
+    async removeToken(accessToken) {
+        await this.initialize();
+        delete this.storageDataCache.tokens[accessToken];
+        await this.saveToStorage();
+    }
+    async getToken(accessToken) {
+        await this.initialize();
+        return this.storageDataCache.tokens[accessToken];
+    }
+    async getTokenByRefreshToken(refreshToken) {
+        await this.initialize();
+        return Object.values(this.storageDataCache.tokens).find((token) => { var _a; return ((_a = token.extra) === null || _a === void 0 ? void 0 : _a.refreshToken) === refreshToken; });
+    }
+    async getLocalAccessToken(appId) {
+        var _a;
+        await this.initialize();
+        return (_a = this.storageDataCache.localTokens) === null || _a === void 0 ? void 0 : _a[appId];
+    }
+    async storeLocalAccessToken(accessToken, appId) {
+        await this.initialize();
+        if (!this.storageDataCache.localTokens) {
+            this.storageDataCache.localTokens = {};
+        }
+        this.storageDataCache.localTokens[appId] = accessToken;
+        await this.saveToStorage();
+        return accessToken;
+    }
+    async removeLocalAccessToken(appId) {
+        var _a;
+        await this.initialize();
+        if ((_a = this.storageDataCache.localTokens) === null || _a === void 0 ? void 0 : _a[appId]) {
+            logger_1.logger.info(`[AuthStore] Removing local access token for app: ${appId}`);
+            const tokenToRemove = this.storageDataCache.localTokens[appId];
+            delete this.storageDataCache.tokens[tokenToRemove];
+            delete this.storageDataCache.localTokens[appId];
+            await this.saveToStorage();
+        }
+    }
+    async removeAllLocalAccessTokens() {
+        await this.initialize();
+        logger_1.logger.info('[AuthStore] Removing all local access tokens');
+        if (this.storageDataCache.localTokens) {
+            const tokens = Object.values(this.storageDataCache.localTokens);
+            for (const token of tokens) {
+                if (this.storageDataCache.tokens[token]) {
+                    delete this.storageDataCache.tokens[token];
+                }
+            }
+        }
+        this.storageDataCache.localTokens = {};
+        await this.saveToStorage();
+    }
+    async getAllLocalAccessTokens() {
+        await this.initialize();
+        return this.storageDataCache.localTokens || {};
+    }
+    async registerClient(client) {
+        await this.initialize();
+        this.storageDataCache.clients[client.client_id] = client;
+        await this.saveToStorage();
+        return client;
+    }
+    async getClient(id) {
+        await this.initialize();
+        return this.storageDataCache.clients[id];
+    }
+    async removeClient(clientId) {
+        await this.initialize();
+        delete this.storageDataCache.clients[clientId];
+        await this.saveToStorage();
+    }
+    storeCodeVerifier(key, codeVerifier) {
+        this.codeVerifiers.set(key, codeVerifier);
+    }
+    getCodeVerifier(key) {
+        return this.codeVerifiers.get(key);
+    }
+    removeCodeVerifier(key) {
+        this.codeVerifiers.delete(key);
+    }
+    clearExpiredCodeVerifiers() {
+        this.codeVerifiers.clear();
+    }
+    destroy() {
+        if (this.fileWatcher) {
+            this.fileWatcher.close();
+            this.fileWatcher = undefined;
+        }
+    }
+}
+exports.AuthStore = AuthStore;
+exports.authStore = new AuthStore();

package/dist/auth/types.d.ts

@@ -0,0 +1,13 @@
+import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+export interface StorageData {
+    localTokens?: {
+        [appId: string]: string;
+    };
+    tokens: {
+        [key: string]: AuthInfo;
+    };
+    clients: {
+        [key: string]: OAuthClientInformationFull;
+    };
+}

package/dist/auth/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/auth/utils/encryption.d.ts

@@ -0,0 +1,7 @@
+export declare class EncryptionUtil {
+    private aesKey;
+    constructor(aesKey: string);
+    encrypt(data: string): string;
+    decrypt(encryptedData: string): string;
+    static generateKey(): string;
+}

package/dist/auth/utils/encryption.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EncryptionUtil = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const config_1 = require("../config");
+const logger_1 = require("../../utils/logger");
+class EncryptionUtil {
+    constructor(aesKey) {
+        this.aesKey = aesKey;
+    }
+    encrypt(data) {
+        const iv = crypto_1.default.randomBytes(config_1.AUTH_CONFIG.ENCRYPTION.IV_LENGTH);
+        const key = Buffer.from(this.aesKey, 'hex');
+        const cipher = crypto_1.default.createCipheriv(config_1.AUTH_CONFIG.ENCRYPTION.ALGORITHM, key, iv);
+        let encrypted = cipher.update(data, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        return iv.toString('hex') + ':' + encrypted;
+    }
+    decrypt(encryptedData) {
+        const parts = encryptedData.split(':');
+        if (parts.length !== 2) {
+            logger_1.logger.error(`[EncryptionUtil] decrypt: Invalid encrypted data format`);
+            throw new Error('Invalid encrypted data format');
+        }
+        const iv = Buffer.from(parts[0], 'hex');
+        const encrypted = parts[1];
+        const key = Buffer.from(this.aesKey, 'hex');
+        const decipher = crypto_1.default.createDecipheriv(config_1.AUTH_CONFIG.ENCRYPTION.ALGORITHM, key, iv);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    static generateKey() {
+        return crypto_1.default.randomBytes(config_1.AUTH_CONFIG.ENCRYPTION.KEY_LENGTH).toString('hex');
+    }
+}
+exports.EncryptionUtil = EncryptionUtil;

package/dist/auth/utils/index.d.ts

@@ -0,0 +1,3 @@
+export * from './is-token-valid';
+export * from './pkce';
+export * from './storage-manager';

package/dist/auth/utils/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./is-token-valid"), exports);
+__exportStar(require("./pkce"), exports);
+__exportStar(require("./storage-manager"), exports);

package/dist/auth/utils/is-token-valid.d.ts

@@ -0,0 +1,7 @@
+import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+export declare function isTokenValid(accessToken?: string): Promise<{
+    valid: boolean;
+    isExpired: boolean;
+    token: AuthInfo | undefined;
+}>;
+export declare function isTokenExpired(token?: AuthInfo): boolean;

package/dist/auth/utils/is-token-valid.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isTokenValid = isTokenValid;
+exports.isTokenExpired = isTokenExpired;
+const store_1 = require("../store");
+async function isTokenValid(accessToken) {
+    if (!accessToken) {
+        return { valid: false, isExpired: false, token: undefined };
+    }
+    const token = await store_1.authStore.getToken(accessToken);
+    if (!token) {
+        return { valid: false, isExpired: false, token: undefined };
+    }
+    const isExpired = isTokenExpired(token);
+    if (isExpired) {
+        return { valid: false, isExpired: true, token };
+    }
+    return { valid: true, isExpired: false, token };
+}
+function isTokenExpired(token) {
+    if (!token) {
+        return false;
+    }
+    if (token.expiresAt && token.expiresAt < Date.now() / 1000) {
+        return true;
+    }
+    return false;
+}

package/dist/auth/utils/pkce.d.ts

@@ -0,0 +1,6 @@
+export declare function generateCodeVerifier(): string;
+export declare function generateCodeChallenge(codeVerifier: string): string;
+export declare function generatePKCEPair(): {
+    codeVerifier: string;
+    codeChallenge: string;
+};

package/dist/auth/utils/pkce.js

@@ -0,0 +1,20 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generateCodeChallenge = generateCodeChallenge;
+exports.generatePKCEPair = generatePKCEPair;
+const crypto_1 = __importDefault(require("crypto"));
+function generateCodeVerifier() {
+    return crypto_1.default.randomBytes(32).toString('base64url');
+}
+function generateCodeChallenge(codeVerifier) {
+    return crypto_1.default.createHash('sha256').update(codeVerifier).digest('base64url');
+}
+function generatePKCEPair() {
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    return { codeVerifier, codeChallenge };
+}

package/dist/auth/utils/storage-manager.d.ts

@@ -0,0 +1,17 @@
+import { StorageData } from '../types';
+export declare class StorageManager {
+    private encryptionUtil;
+    private initializePromise;
+    private isInitializedStorageSuccess;
+    constructor();
+    get storageFile(): string;
+    private initialize;
+    private performInitialization;
+    private initializeEncryption;
+    private ensureStorageDir;
+    encrypt(data: string): string;
+    decrypt(encryptedData: string): string;
+    loadStorageData(): Promise<StorageData>;
+    saveStorageData(data: StorageData): Promise<void>;
+}
+export declare const storageManager: StorageManager;