couchloop-eq-mcp 1.0.0

package/dist/server/oauth/authServer.js

@@ -0,0 +1,283 @@
+import { config } from 'dotenv';
+// Load environment variables before class initialization
+config({ path: '.env.local' });
+import { v4 as uuidv4 } from 'uuid';
+import jwt from 'jsonwebtoken';
+import bcrypt from 'bcryptjs';
+import { getDb } from '../../db/client.js';
+import { users, oauthClients, oauthTokens, authorizationCodes } from '../../db/schema.js';
+import { eq, and } from 'drizzle-orm';
+import { logger } from '../../utils/logger.js';
+export class OAuthServer {
+    jwtSecret;
+    jwtExpiresIn;
+    constructor() {
+        this.jwtSecret = process.env.JWT_SECRET || 'dev-secret-change-in-production';
+        this.jwtExpiresIn = process.env.JWT_EXPIRES_IN || '24h';
+        if (!process.env.JWT_SECRET) {
+            logger.warn('Using default JWT secret - CHANGE IN PRODUCTION!');
+        }
+    }
+    /**
+     * Validate client credentials
+     */
+    async validateClient(clientId, clientSecret) {
+        const db = getDb();
+        try {
+            const [client] = await db
+                .select()
+                .from(oauthClients)
+                .where(eq(oauthClients.clientId, clientId))
+                .limit(1);
+            if (!client) {
+                logger.warn(`Invalid client ID: ${clientId}`);
+                return false;
+            }
+            // If secret provided, verify it
+            if (clientSecret) {
+                const validSecret = await bcrypt.compare(clientSecret, client.clientSecret);
+                if (!validSecret) {
+                    logger.warn(`Invalid client secret for client: ${clientId}`);
+                    return false;
+                }
+            }
+            return true;
+        }
+        catch (error) {
+            logger.error('Error validating client:', error);
+            return false;
+        }
+    }
+    /**
+     * Generate authorization code for OAuth flow
+     */
+    async generateAuthCode(clientId, userId, redirectUri, scope = 'read write') {
+        const db = getDb();
+        const code = uuidv4();
+        const expiresAt = new Date(Date.now() + 10 * 60 * 1000); // 10 minutes
+        try {
+            await db.insert(authorizationCodes).values({
+                code,
+                userId,
+                clientId,
+                redirectUri,
+                scope,
+                expiresAt,
+                used: false,
+            });
+            logger.info(`Generated auth code for user ${userId}, client ${clientId}`);
+            return code;
+        }
+        catch (error) {
+            logger.error('Error generating auth code:', error);
+            throw new Error('Failed to generate authorization code');
+        }
+    }
+    /**
+     * Exchange authorization code for access token
+     */
+    async exchangeCodeForToken(code, clientId, clientSecret, redirectUri) {
+        const db = getDb();
+        try {
+            // Validate client
+            const validClient = await this.validateClient(clientId, clientSecret);
+            if (!validClient) {
+                throw new Error('Invalid client credentials');
+            }
+            // Get and validate auth code
+            const [authCode] = await db
+                .select()
+                .from(authorizationCodes)
+                .where(and(eq(authorizationCodes.code, code), eq(authorizationCodes.clientId, clientId)))
+                .limit(1);
+            if (!authCode) {
+                throw new Error('Invalid authorization code');
+            }
+            // Check if code is expired
+            if (new Date() > authCode.expiresAt) {
+                throw new Error('Authorization code expired');
+            }
+            // Check if code was already used
+            if (authCode.used) {
+                throw new Error('Authorization code already used');
+            }
+            // Validate redirect URI
+            if (authCode.redirectUri !== redirectUri) {
+                throw new Error('Redirect URI mismatch');
+            }
+            // Mark code as used
+            await db
+                .update(authorizationCodes)
+                .set({ used: true })
+                .where(eq(authorizationCodes.code, code));
+            // Generate tokens
+            const accessToken = this.generateAccessToken(authCode.userId, clientId, authCode.scope || 'read write');
+            const refreshToken = this.generateRefreshToken(authCode.userId, clientId, authCode.scope || 'read write');
+            // Store tokens in database
+            const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours
+            await db.insert(oauthTokens).values({
+                userId: authCode.userId,
+                accessToken,
+                refreshToken,
+                expiresAt,
+                scope: authCode.scope,
+                tokenType: 'Bearer',
+            });
+            logger.info(`Issued tokens for user ${authCode.userId}, client ${clientId}`);
+            return {
+                access_token: accessToken,
+                refresh_token: refreshToken,
+                token_type: 'Bearer',
+                expires_in: 86400, // 24 hours in seconds
+                scope: authCode.scope || 'read write',
+            };
+        }
+        catch (error) {
+            logger.error('Error exchanging code for token:', error);
+            throw error;
+        }
+    }
+    /**
+     * Generate access token (JWT)
+     */
+    generateAccessToken(userId, clientId, scope) {
+        const payload = {
+            sub: userId,
+            client_id: clientId,
+            scope,
+        };
+        return jwt.sign(payload, this.jwtSecret, {
+            expiresIn: this.jwtExpiresIn,
+        });
+    }
+    /**
+     * Generate refresh token
+     */
+    generateRefreshToken(userId, clientId, scope) {
+        const payload = {
+            sub: userId,
+            client_id: clientId,
+            scope,
+        };
+        return jwt.sign(payload, this.jwtSecret, {
+            expiresIn: '30d', // Refresh tokens last longer
+        });
+    }
+    /**
+     * Validate access token
+     */
+    async validateAccessToken(token) {
+        try {
+            // Verify JWT signature
+            const decoded = jwt.verify(token, this.jwtSecret);
+            // Check if token exists in database and is not expired
+            const db = getDb();
+            const [dbToken] = await db
+                .select()
+                .from(oauthTokens)
+                .where(eq(oauthTokens.accessToken, token))
+                .limit(1);
+            if (!dbToken || new Date() > dbToken.expiresAt) {
+                return null;
+            }
+            return decoded;
+        }
+        catch (error) {
+            logger.debug('Invalid access token:', error);
+            return null;
+        }
+    }
+    /**
+     * Refresh access token using refresh token
+     */
+    async refreshAccessToken(refreshToken) {
+        const db = getDb();
+        try {
+            // Verify refresh token
+            const decoded = jwt.verify(refreshToken, this.jwtSecret);
+            // Find existing token
+            const [existingToken] = await db
+                .select()
+                .from(oauthTokens)
+                .where(eq(oauthTokens.refreshToken, refreshToken))
+                .limit(1);
+            if (!existingToken) {
+                throw new Error('Invalid refresh token');
+            }
+            // Generate new access token
+            const newAccessToken = this.generateAccessToken(decoded.sub, decoded.client_id, decoded.scope);
+            // Update token in database
+            const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000);
+            await db
+                .update(oauthTokens)
+                .set({
+                accessToken: newAccessToken,
+                expiresAt,
+                updatedAt: new Date(),
+            })
+                .where(eq(oauthTokens.id, existingToken.id));
+            logger.info(`Refreshed token for user ${decoded.sub}`);
+            return {
+                access_token: newAccessToken,
+                token_type: 'Bearer',
+                expires_in: 86400,
+            };
+        }
+        catch (error) {
+            logger.error('Error refreshing token:', error);
+            throw new Error('Failed to refresh token');
+        }
+    }
+    /**
+     * Revoke token
+     */
+    async revokeToken(token) {
+        const db = getDb();
+        try {
+            await db
+                .delete(oauthTokens)
+                .where(eq(oauthTokens.accessToken, token));
+            logger.info('Revoked token');
+        }
+        catch (error) {
+            logger.error('Error revoking token:', error);
+            throw new Error('Failed to revoke token');
+        }
+    }
+    /**
+     * Create or get user from external ID
+     */
+    async getOrCreateUser(externalId) {
+        const db = getDb();
+        try {
+            // Check if user exists
+            const [existingUser] = await db
+                .select()
+                .from(users)
+                .where(eq(users.externalId, externalId))
+                .limit(1);
+            if (existingUser) {
+                return existingUser.id;
+            }
+            // Create new user
+            const [newUser] = await db
+                .insert(users)
+                .values({
+                externalId,
+            })
+                .returning();
+            if (!newUser) {
+                throw new Error('Failed to create user');
+            }
+            logger.info(`Created new user with external ID: ${externalId}`);
+            return newUser.id;
+        }
+        catch (error) {
+            logger.error('Error getting/creating user:', error);
+            throw new Error('Failed to get or create user');
+        }
+    }
+}
+// Export singleton instance
+export const oauthServer = new OAuthServer();
+//# sourceMappingURL=authServer.js.map

package/dist/server/oauth/authServer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authServer.js","sourceRoot":"","sources":["../../../src/server/oauth/authServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,yDAAyD;AACzD,MAAM,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;AAE/B,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,MAAM,MAAM,UAAU,CAAC;AAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAU/C,MAAM,OAAO,WAAW;IACL,SAAS,CAAS;IAClB,YAAY,CAAS;IAEtC;QACE,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,iCAAiC,CAAC;QAC7E,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,KAAK,CAAC;QAExD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,QAAgB,EAAE,YAAqB;QAC1D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,EAAE;iBACtB,MAAM,EAAE;iBACR,IAAI,CAAC,YAAY,CAAC;iBAClB,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;iBAC1C,KAAK,CAAC,CAAC,CAAC,CAAC;YAEZ,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,CAAC,IAAI,CAAC,sBAAsB,QAAQ,EAAE,CAAC,CAAC;gBAC9C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,gCAAgC;YAChC,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC5E,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,CAAC,IAAI,CAAC,qCAAqC,QAAQ,EAAE,CAAC,CAAC;oBAC7D,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;YAChD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,QAAgB,EAChB,MAAc,EACd,WAAmB,EACnB,QAAgB,YAAY;QAE5B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,aAAa;QAEtE,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC;gBACzC,IAAI;gBACJ,MAAM;gBACN,QAAQ;gBACR,WAAW;gBACX,KAAK;gBACL,SAAS;gBACT,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;YAEH,MAAM,CAAC,IAAI,CAAC,gCAAgC,MAAM,YAAY,QAAQ,EAAE,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB,CACxB,IAAY,EACZ,QAAgB,EAChB,YAAoB,EACpB,WAAmB;QAQnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,IAAI,CAAC;YACH,kBAAkB;YAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACtE,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAChD,CAAC;YAED,6BAA6B;YAC7B,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,EAAE;iBACxB,MAAM,EAAE;iBACR,IAAI,CAAC,kBAAkB,CAAC;iBACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,EACjC,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAC1C,CACF;iBACA,KAAK,CAAC,CAAC,CAAC,CAAC;YAEZ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAChD,CAAC;YAED,2BAA2B;YAC3B,IAAI,IAAI,IAAI,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACpC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAChD,CAAC;YAED,iCAAiC;YACjC,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YAED,wBAAwB;YACxB,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YAED,oBAAoB;YACpB,MAAM,EAAE;iBACL,MAAM,CAAC,kBAAkB,CAAC;iBAC1B,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;iBACnB,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YAE5C,kBAAkB;YAClB,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,CAC1C,QAAQ,CAAC,MAAM,EACf,QAAQ,EACR,QAAQ,CAAC,KAAK,IAAI,YAAY,CAC/B,CAAC;YAEF,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,CAC5C,QAAQ,CAAC,MAAM,EACf,QAAQ,EACR,QAAQ,CAAC,KAAK,IAAI,YAAY,CAC/B,CAAC;YAEF,2BAA2B;YAC3B,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,WAAW;YAEzE,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;gBAClC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,WAAW;gBACX,YAAY;gBACZ,SAAS;gBACT,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YAEH,MAAM,CAAC,IAAI,CAAC,0BAA0B,QAAQ,CAAC,MAAM,YAAY,QAAQ,EAAE,CAAC,CAAC;YAE7E,OAAO;gBACL,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,YAAY;gBAC3B,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,KAAK,EAAE,sBAAsB;gBACzC,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,YAAY;aACtC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;YACxD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,MAAc,EAAE,QAAgB,EAAE,KAAa;QACzE,MAAM,OAAO,GAAiB;YAC5B,GAAG,EAAE,MAAM;YACX,SAAS,EAAE,QAAQ;YACnB,KAAK;SACN,CAAC;QAEF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE;YACvC,SAAS,EAAE,IAAI,CAAC,YAAmB;SACpC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,MAAc,EAAE,QAAgB,EAAE,KAAa;QAC1E,MAAM,OAAO,GAAiB;YAC5B,GAAG,EAAE,MAAM;YACX,SAAS,EAAE,QAAQ;YACnB,KAAK;SACN,CAAC;QAEF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE;YACvC,SAAS,EAAE,KAAY,EAAE,6BAA6B;SACvD,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,mBAAmB,CAAC,KAAa;QACrC,IAAI,CAAC;YACH,uBAAuB;YACvB,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAiB,CAAC;YAElE,uDAAuD;YACvD,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;YACnB,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,EAAE;iBACvB,MAAM,EAAE;iBACR,IAAI,CAAC,WAAW,CAAC;iBACjB,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;iBACzC,KAAK,CAAC,CAAC,CAAC,CAAC;YAEZ,IAAI,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;YAC7C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,YAAoB;QAK3C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,IAAI,CAAC;YACH,uBAAuB;YACvB,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAiB,CAAC;YAEzE,sBAAsB;YACtB,MAAM,CAAC,aAAa,CAAC,GAAG,MAAM,EAAE;iBAC7B,MAAM,EAAE;iBACR,IAAI,CAAC,WAAW,CAAC;iBACjB,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;iBACjD,KAAK,CAAC,CAAC,CAAC,CAAC;YAEZ,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YAED,4BAA4B;YAC5B,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAC7C,OAAO,CAAC,GAAG,EACX,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,KAAK,CACd,CAAC;YAEF,2BAA2B;YAC3B,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAE7D,MAAM,EAAE;iBACL,MAAM,CAAC,WAAW,CAAC;iBACnB,GAAG,CAAC;gBACH,WAAW,EAAE,cAAc;gBAC3B,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;iBACD,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC;YAE/C,MAAM,CAAC,IAAI,CAAC,4BAA4B,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAEvD,OAAO;gBACL,YAAY,EAAE,cAAc;gBAC5B,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,KAAK;aAClB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,IAAI,CAAC;YACH,MAAM,EAAE;iBACL,MAAM,CAAC,WAAW,CAAC;iBACnB,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;YAE7C,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,UAAkB;QACtC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,IAAI,CAAC;YACH,uBAAuB;YACvB,MAAM,CAAC,YAAY,CAAC,GAAG,MAAM,EAAE;iBAC5B,MAAM,EAAE;iBACR,IAAI,CAAC,KAAK,CAAC;iBACX,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;iBACvC,KAAK,CAAC,CAAC,CAAC,CAAC;YAEZ,IAAI,YAAY,EAAE,CAAC;gBACjB,OAAO,YAAY,CAAC,EAAE,CAAC;YACzB,CAAC;YAED,kBAAkB;YAClB,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,EAAE;iBACvB,MAAM,CAAC,KAAK,CAAC;iBACb,MAAM,CAAC;gBACN,UAAU;aACX,CAAC;iBACD,SAAS,EAAE,CAAC;YAEf,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YAED,MAAM,CAAC,IAAI,CAAC,sCAAsC,UAAU,EAAE,CAAC,CAAC;YAChE,OAAO,OAAO,CAAC,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;CACF;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/server/oauth/dpop.d.ts

@@ -0,0 +1,135 @@
+import { KeyObject } from 'crypto';
+import { JWK } from 'jose';
+/**
+ * DPoP Proof structure according to RFC draft
+ */
+export interface DPoPProof {
+    typ: 'dpop+jwt';
+    alg: 'RS256' | 'ES256';
+    jwk: JWK;
+}
+/**
+ * DPoP Proof payload
+ */
+export interface DPoPPayload {
+    jti: string;
+    htm: string;
+    htu: string;
+    iat: number;
+    ath?: string;
+    nonce?: string;
+}
+/**
+ * DPoP Token binding
+ */
+export interface DPoPBinding {
+    jkt: string;
+    cnf?: {
+        jkt: string;
+    };
+}
+/**
+ * DPoP Manager for Demonstration of Proof of Possession
+ * Implements sender-constrained tokens to prevent token theft
+ * Based on OAuth 2.0 DPoP draft specification
+ */
+export declare class DPoPManager {
+    private readonly jtiCache;
+    private readonly nonceCache;
+    private readonly JTI_TTL;
+    private readonly NONCE_TTL;
+    private readonly MAX_TIME_SKEW;
+    /**
+     * Generate a DPoP key pair for client
+     */
+    generateKeyPair(algorithm?: 'RS256' | 'ES256'): {
+        publicKey: KeyObject;
+        privateKey: KeyObject;
+        jwk: JWK;
+    };
+    /**
+     * Create a DPoP proof JWT
+     */
+    createDPoPProof(privateKey: KeyObject, httpMethod: string, httpUri: string, options?: {
+        accessToken?: string;
+        nonce?: string;
+        algorithm?: 'RS256' | 'ES256';
+    }): Promise<string>;
+    /**
+     * Validate a DPoP proof
+     */
+    validateDPoPProof(dpopProof: string, httpMethod: string, httpUri: string, options?: {
+        accessToken?: string;
+        expectedNonce?: string;
+        requireNonce?: boolean;
+    }): Promise<{
+        valid: boolean;
+        jkt?: string;
+        error?: string;
+    }>;
+    /**
+     * Generate a server nonce for enhanced security
+     */
+    generateNonce(): string;
+    /**
+     * Validate a nonce
+     */
+    validateNonce(nonce: string): Promise<boolean>;
+    /**
+     * Bind an access token to a DPoP key
+     */
+    createDPoPBoundToken(token: any, jkt: string): any;
+    /**
+     * Validate that a token is bound to the correct DPoP key
+     */
+    validateTokenBinding(token: any, dpopJkt: string): boolean;
+    /**
+     * Hash a token for the 'ath' claim
+     */
+    private hashToken;
+    /**
+     * Calculate JWK thumbprint (RFC 7638)
+     */
+    private calculateJwkThumbprint;
+    /**
+     * Normalize URI for comparison
+     */
+    private normalizeUri;
+    /**
+     * Generate unique JTI
+     */
+    private generateJti;
+    /**
+     * Check if JTI has been used
+     */
+    private isJtiUsed;
+    /**
+     * Store JTI to prevent replay
+     */
+    private storeJti;
+    /**
+     * Clean up expired JTIs
+     */
+    private cleanupExpiredJtis;
+    /**
+     * Clean up expired nonces
+     */
+    private cleanupExpiredNonces;
+    /**
+     * Middleware for Express to validate DPoP proofs
+     */
+    middleware(options?: {
+        requireDPoP?: boolean;
+        requireNonce?: boolean;
+    }): (req: any, res: any, next: any) => Promise<any>;
+    /**
+     * Get statistics about DPoP usage
+     */
+    getStats(): {
+        activeJtis: number;
+        activeNonces: number;
+        totalValidations: number;
+    };
+}
+export declare const dpopManager: DPoPManager;
+//# sourceMappingURL=dpop.d.ts.map

package/dist/server/oauth/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiD,SAAS,EAAE,MAAM,QAAQ,CAAC;AAClF,OAAO,EAAiC,GAAG,EAAa,MAAM,MAAM,CAAC;AAGrE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,UAAU,CAAC;IAChB,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;IACvB,GAAG,EAAE,GAAG,CAAC;CACV;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE;QACJ,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAED;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;IACtD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;IACxD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;IACnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IACpC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAO;IAErC;;OAEG;IACH,eAAe,CAAC,SAAS,GAAE,OAAO,GAAG,OAAiB,GAAG;QACvD,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,EAAE,SAAS,CAAC;QACtB,GAAG,EAAE,GAAG,CAAC;KACV;IA6BD;;OAEG;IACG,eAAe,CACnB,UAAU,EAAE,SAAS,EACrB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;KAC/B,GACA,OAAO,CAAC,MAAM,CAAC;IAsClB;;OAEG;IACG,iBAAiB,CACrB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,GACA,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAmF5D;;OAEG;IACH,aAAa,IAAI,MAAM;IAWvB;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBpD;;OAEG;IACH,oBAAoB,CAClB,KAAK,EAAE,GAAG,EACV,GAAG,EAAE,MAAM,GACV,GAAG;IAUN;;OAEG;IACH,oBAAoB,CAClB,KAAK,EAAE,GAAG,EACV,OAAO,EAAE,MAAM,GACd,OAAO;IAcV;;OAEG;YACW,SAAS;IAOvB;;OAEG;YACW,sBAAsB;IAwBpC;;OAEG;IACH,OAAO,CAAC,YAAY;IAMpB;;OAEG;IACH,OAAO,CAAC,WAAW;IAInB;;OAEG;YACW,SAAS;IAIvB;;OAEG;YACW,QAAQ;IAMtB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAS1B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAS5B;;OAEG;IACH,UAAU,CAAC,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAC;QAAC,YAAY,CAAC,EAAE,OAAO,CAAA;KAAE,IACtD,KAAK,GAAG,EAAE,KAAK,GAAG,EAAE,MAAM,GAAG;IAgD7C;;OAEG;IACH,QAAQ,IAAI;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;KAC1B;CAUF;AAGD,eAAO,MAAM,WAAW,aAAoB,CAAC"}