npm - dineway - Versions diffs - 0.1.9 → 0.1.12 - Mend

dineway 0.1.9 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (720) hide show

package/dist/oauth-authorization-DxGjiWKL.mjs ADDED Viewed

@@ -0,0 +1,283 @@
+import { t as withTransaction } from "./transaction-x2tJQ-A1.mjs";
+import { a as filterExperimentalSiteContextWorkflowScopes, i as experimentalSiteContextWorkflowsEnabled, o as getExperimentalSiteContextWorkflowScopesDisabledMessage, r as disabledExperimentalSiteContextWorkflowScopes } from "./experimental-workflows-C9X7yblQ.mjs";
+import { a as hashApiToken, n as TOKEN_PREFIXES, r as generatePrefixedToken, t as ALL_VALID_SCOPES } from "./api-tokens-CPjC3zf8.mjs";
+import { c as validateRedirectUri, o as lookupOAuthClient, s as validateClientRedirectUri } from "./oauth-clients-DxO_NO7k.mjs";
+import { t as lookupUserRoleAndStatus } from "./oauth-user-lookup-Bi0ek9eM.mjs";
+import { clampScopes, computeS256Challenge, secureCompare } from "@dineway-ai/auth";
+import { generateCodeVerifier } from "arctic";
+//#region src/api/handlers/oauth-authorization.ts
+/**
+* OAuth 2.1 Authorization Code + PKCE handlers.
+*
+* Implements the server side of the authorization code grant for MCP clients
+* (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).
+*
+* Uses arctic for PKCE challenge generation and @dineway-ai/auth for token
+* utilities. Token infrastructure is shared with the device flow.
+*/
+/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */
+const AUTH_CODE_TTL_SECONDS = 600;
+/** Access token TTL: 1 hour */
+const ACCESS_TOKEN_TTL_SECONDS = 3600;
+/** Refresh token TTL: 90 days */
+const REFRESH_TOKEN_TTL_SECONDS = 2160 * 60 * 60;
+function expiresAt(seconds) {
+	return new Date(Date.now() + seconds * 1e3).toISOString();
+}
+/**
+* Validate and normalize scopes. Returns validated scope list.
+*/
+function normalizeScopes(requested) {
+	if (!requested || requested.length === 0) return [];
+	const validSet = new Set(filterExperimentalSiteContextWorkflowScopes(ALL_VALID_SCOPES));
+	return requested.filter((scope) => validSet.has(scope));
+}
+/**
+* Process an authorization request after the user approves consent.
+*
+* Generates an authorization code, stores it with the PKCE challenge,
+* and returns the redirect URL with the code appended.
+*
+* Scopes are clamped to the user's role to prevent scope escalation.
+*/
+async function handleAuthorizationApproval(db, userId, userRole, params) {
+	try {
+		if (params.response_type !== "code") return {
+			success: false,
+			error: {
+				code: "UNSUPPORTED_RESPONSE_TYPE",
+				message: "Only response_type=code is supported"
+			}
+		};
+		const uriError = validateRedirectUri(params.redirect_uri);
+		if (uriError) return {
+			success: false,
+			error: {
+				code: "INVALID_REDIRECT_URI",
+				message: uriError
+			}
+		};
+		const client = await lookupOAuthClient(db, params.client_id);
+		if (!client) return {
+			success: false,
+			error: {
+				code: "INVALID_CLIENT",
+				message: "Unknown client_id"
+			}
+		};
+		const clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);
+		if (clientUriError) return {
+			success: false,
+			error: {
+				code: "INVALID_REDIRECT_URI",
+				message: clientUriError
+			}
+		};
+		if (params.code_challenge_method !== "S256") return {
+			success: false,
+			error: {
+				code: "INVALID_REQUEST",
+				message: "Only S256 code_challenge_method is supported"
+			}
+		};
+		if (!params.code_challenge) return {
+			success: false,
+			error: {
+				code: "INVALID_REQUEST",
+				message: "code_challenge is required"
+			}
+		};
+		const requestedScopes = params.scope?.split(" ").filter(Boolean) ?? [];
+		if (disabledExperimentalSiteContextWorkflowScopes(requestedScopes).length > 0) return {
+			success: false,
+			error: {
+				code: "INVALID_SCOPE",
+				message: getExperimentalSiteContextWorkflowScopesDisabledMessage()
+			}
+		};
+		const userScopes = clampScopes(normalizeScopes(requestedScopes), userRole, { includeExperimental: experimentalSiteContextWorkflowsEnabled() });
+		const clientScopes = client.scopes;
+		const scopes = clientScopes?.length ? userScopes.filter((s) => clientScopes.includes(s)) : userScopes;
+		if (scopes.length === 0) return {
+			success: false,
+			error: {
+				code: "INVALID_SCOPE",
+				message: "No valid scopes requested"
+			}
+		};
+		const code = generateCodeVerifier();
+		const codeHash = hashApiToken(code);
+		await db.insertInto("_dineway_authorization_codes").values({
+			code_hash: codeHash,
+			client_id: params.client_id,
+			redirect_uri: params.redirect_uri,
+			user_id: userId,
+			scopes: JSON.stringify(scopes),
+			code_challenge: params.code_challenge,
+			code_challenge_method: params.code_challenge_method,
+			resource: params.resource ?? null,
+			expires_at: expiresAt(AUTH_CODE_TTL_SECONDS)
+		}).execute();
+		const redirectUrl = new URL(params.redirect_uri);
+		redirectUrl.searchParams.set("code", code);
+		if (params.state) redirectUrl.searchParams.set("state", params.state);
+		return {
+			success: true,
+			data: { redirect_url: redirectUrl.toString() }
+		};
+	} catch (error) {
+		console.error("Authorization error:", error);
+		return {
+			success: false,
+			error: {
+				code: "AUTHORIZATION_ERROR",
+				message: "Failed to process authorization"
+			}
+		};
+	}
+}
+/**
+* Exchange an authorization code for access + refresh tokens.
+*
+* Validates the code, verifies PKCE, and issues tokens using the same
+* infrastructure as the device flow (ec_oat_*, ec_ort_*).
+*/
+async function handleAuthorizationCodeExchange(db, params) {
+	try {
+		if (params.grant_type !== "authorization_code") return {
+			success: false,
+			error: {
+				code: "unsupported_grant_type",
+				message: "Invalid grant_type"
+			}
+		};
+		const codeHash = hashApiToken(params.code);
+		const row = await db.deleteFrom("_dineway_authorization_codes").where("code_hash", "=", codeHash).returningAll().executeTakeFirst();
+		if (!row) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "Invalid authorization code"
+			}
+		};
+		if (new Date(row.expires_at) < /* @__PURE__ */ new Date()) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "Authorization code expired"
+			}
+		};
+		if (row.redirect_uri !== params.redirect_uri) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "redirect_uri mismatch"
+			}
+		};
+		if (row.client_id !== params.client_id) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "client_id mismatch"
+			}
+		};
+		if (!secureCompare(computeS256Challenge(params.code_verifier), row.code_challenge)) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "PKCE verification failed"
+			}
+		};
+		if (row.resource && params.resource && row.resource !== params.resource) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "resource mismatch"
+			}
+		};
+		const userInfo = await lookupUserRoleAndStatus(db, row.user_id);
+		if (!userInfo) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "User not found"
+			}
+		};
+		if (userInfo.disabled) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "User account is disabled"
+			}
+		};
+		let scopes = clampScopes(filterExperimentalSiteContextWorkflowScopes(JSON.parse(row.scopes)), userInfo.role, { includeExperimental: experimentalSiteContextWorkflowsEnabled() });
+		const client = await lookupOAuthClient(db, row.client_id);
+		if (client?.scopes?.length) scopes = scopes.filter((scope) => client.scopes.includes(scope));
+		if (scopes.length === 0) return {
+			success: false,
+			error: {
+				code: "invalid_grant",
+				message: "User role no longer supports any of the requested scopes"
+			}
+		};
+		const accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);
+		const accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);
+		const refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);
+		const refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);
+		await withTransaction(db, async (trx) => {
+			await trx.insertInto("_dineway_oauth_tokens").values({
+				token_hash: accessToken.hash,
+				token_type: "access",
+				user_id: row.user_id,
+				scopes: JSON.stringify(scopes),
+				client_type: "mcp",
+				expires_at: accessExpires,
+				refresh_token_hash: refreshToken.hash,
+				client_id: row.client_id
+			}).execute();
+			await trx.insertInto("_dineway_oauth_tokens").values({
+				token_hash: refreshToken.hash,
+				token_type: "refresh",
+				user_id: row.user_id,
+				scopes: JSON.stringify(scopes),
+				client_type: "mcp",
+				expires_at: refreshExpires,
+				refresh_token_hash: null,
+				client_id: row.client_id
+			}).execute();
+		});
+		return {
+			success: true,
+			data: {
+				access_token: accessToken.raw,
+				refresh_token: refreshToken.raw,
+				token_type: "Bearer",
+				expires_in: ACCESS_TOKEN_TTL_SECONDS,
+				scope: scopes.join(" ")
+			}
+		};
+	} catch (error) {
+		console.error("Token exchange error:", error);
+		return {
+			success: false,
+			error: {
+				code: "TOKEN_EXCHANGE_ERROR",
+				message: "Failed to exchange authorization code"
+			}
+		};
+	}
+}
+/**
+* Build the authorization denied redirect URL.
+*/
+function buildDeniedRedirect(redirectUri, state) {
+	const url = new URL(redirectUri);
+	url.searchParams.set("error", "access_denied");
+	url.searchParams.set("error_description", "The user denied the authorization request");
+	if (state) url.searchParams.set("state", state);
+	return url.toString();
+}
+//#endregion
+export { handleAuthorizationApproval as n, handleAuthorizationCodeExchange as r, buildDeniedRedirect as t };

package/dist/oauth-clients-DxO_NO7k.mjs ADDED Viewed

@@ -0,0 +1,298 @@
+import { o as getExperimentalSiteContextWorkflowScopesDisabledMessage, r as disabledExperimentalSiteContextWorkflowScopes } from "./experimental-workflows-C9X7yblQ.mjs";
+import { o as validateScopes } from "./api-tokens-CPjC3zf8.mjs";
+//#region src/api/oauth/redirect-uri.ts
+/**
+* Validate a redirect URI per OAuth 2.1 security requirements.
+*
+* Allows localhost / loopback redirect URIs over HTTP for native clients,
+* and any HTTPS URL for web-based flows.
+*/
+function validateRedirectUri(uri) {
+	try {
+		const url = new URL(uri);
+		if (uri.startsWith("//")) return "Protocol-relative redirect URIs are not allowed";
+		if (url.protocol === "http:") {
+			const host = url.hostname;
+			if (host === "127.0.0.1" || host === "localhost" || host === "[::1]") return null;
+			return "HTTP redirect URIs are only allowed for localhost";
+		}
+		if (url.protocol === "https:") return null;
+		return `Unsupported redirect URI scheme: ${url.protocol}`;
+	} catch {
+		return "Invalid redirect URI";
+	}
+}
+//#endregion
+//#region src/api/handlers/oauth-clients.ts
+/** Parse a JSON string column into a typed value. */
+function parseJsonColumn(value) {
+	return JSON.parse(value);
+}
+function validateRegisteredRedirectUris(redirectUris) {
+	for (const redirectUri of redirectUris) {
+		const error = validateRedirectUri(redirectUri);
+		if (error) return `Invalid redirect URI: ${error}`;
+	}
+	return null;
+}
+function validateClientScopes(scopes) {
+	if (scopes === void 0 || scopes === null) return null;
+	const invalidScopes = validateScopes(scopes, { includeExperimental: true });
+	if (invalidScopes.length > 0) return {
+		success: false,
+		error: {
+			code: "VALIDATION_ERROR",
+			message: "OAuth client scopes contain invalid values",
+			details: { scopes: invalidScopes }
+		}
+	};
+	const requestedWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(scopes);
+	if (requestedWorkflowScopes.length > 0) return {
+		success: false,
+		error: {
+			code: "NOT_IMPLEMENTED",
+			message: getExperimentalSiteContextWorkflowScopesDisabledMessage(),
+			details: {
+				status: "workflow_oauth_client_scopes_disabled",
+				reason: "workflow_oauth_client_scopes_disabled",
+				scopes: requestedWorkflowScopes
+			}
+		}
+	};
+	return null;
+}
+/**
+* Create a new OAuth client.
+*/
+async function handleOAuthClientCreate(db, input) {
+	try {
+		if (input.redirectUris.length === 0) return {
+			success: false,
+			error: {
+				code: "VALIDATION_ERROR",
+				message: "At least one redirect URI is required"
+			}
+		};
+		const redirectUriError = validateRegisteredRedirectUris(input.redirectUris);
+		if (redirectUriError) return {
+			success: false,
+			error: {
+				code: "VALIDATION_ERROR",
+				message: redirectUriError
+			}
+		};
+		const scopeError = validateClientScopes(input.scopes);
+		if (scopeError) return scopeError;
+		if (await db.selectFrom("_dineway_oauth_clients").select("id").where("id", "=", input.id).executeTakeFirst()) return {
+			success: false,
+			error: {
+				code: "CONFLICT",
+				message: "OAuth client with this ID already exists"
+			}
+		};
+		const now = (/* @__PURE__ */ new Date()).toISOString();
+		await db.insertInto("_dineway_oauth_clients").values({
+			id: input.id,
+			name: input.name,
+			redirect_uris: JSON.stringify(input.redirectUris),
+			scopes: input.scopes ? JSON.stringify(input.scopes) : null
+		}).execute();
+		return {
+			success: true,
+			data: {
+				id: input.id,
+				name: input.name,
+				redirectUris: input.redirectUris,
+				scopes: input.scopes ?? null,
+				createdAt: now,
+				updatedAt: now
+			}
+		};
+	} catch {
+		return {
+			success: false,
+			error: {
+				code: "CLIENT_CREATE_ERROR",
+				message: "Failed to create OAuth client"
+			}
+		};
+	}
+}
+/**
+* List all registered OAuth clients.
+*/
+async function handleOAuthClientList(db) {
+	try {
+		return {
+			success: true,
+			data: { items: (await db.selectFrom("_dineway_oauth_clients").selectAll().orderBy("created_at", "desc").execute()).map((row) => ({
+				id: row.id,
+				name: row.name,
+				redirectUris: parseJsonColumn(row.redirect_uris),
+				scopes: row.scopes ? parseJsonColumn(row.scopes) : null,
+				createdAt: row.created_at,
+				updatedAt: row.updated_at
+			})) }
+		};
+	} catch {
+		return {
+			success: false,
+			error: {
+				code: "CLIENT_LIST_ERROR",
+				message: "Failed to list OAuth clients"
+			}
+		};
+	}
+}
+/**
+* Get a single OAuth client by ID.
+*/
+async function handleOAuthClientGet(db, clientId) {
+	try {
+		const row = await db.selectFrom("_dineway_oauth_clients").selectAll().where("id", "=", clientId).executeTakeFirst();
+		if (!row) return {
+			success: false,
+			error: {
+				code: "NOT_FOUND",
+				message: "OAuth client not found"
+			}
+		};
+		return {
+			success: true,
+			data: {
+				id: row.id,
+				name: row.name,
+				redirectUris: parseJsonColumn(row.redirect_uris),
+				scopes: row.scopes ? parseJsonColumn(row.scopes) : null,
+				createdAt: row.created_at,
+				updatedAt: row.updated_at
+			}
+		};
+	} catch {
+		return {
+			success: false,
+			error: {
+				code: "CLIENT_GET_ERROR",
+				message: "Failed to get OAuth client"
+			}
+		};
+	}
+}
+/**
+* Update an OAuth client.
+*/
+async function handleOAuthClientUpdate(db, clientId, input) {
+	try {
+		if (!await db.selectFrom("_dineway_oauth_clients").selectAll().where("id", "=", clientId).executeTakeFirst()) return {
+			success: false,
+			error: {
+				code: "NOT_FOUND",
+				message: "OAuth client not found"
+			}
+		};
+		if (input.redirectUris !== void 0 && input.redirectUris.length === 0) return {
+			success: false,
+			error: {
+				code: "VALIDATION_ERROR",
+				message: "At least one redirect URI is required"
+			}
+		};
+		if (input.redirectUris !== void 0) {
+			const redirectUriError = validateRegisteredRedirectUris(input.redirectUris);
+			if (redirectUriError) return {
+				success: false,
+				error: {
+					code: "VALIDATION_ERROR",
+					message: redirectUriError
+				}
+			};
+		}
+		const scopeError = validateClientScopes(input.scopes);
+		if (scopeError) return scopeError;
+		const updates = { updated_at: (/* @__PURE__ */ new Date()).toISOString() };
+		if (input.name !== void 0) updates.name = input.name;
+		if (input.redirectUris !== void 0) updates.redirect_uris = JSON.stringify(input.redirectUris);
+		if (input.scopes !== void 0) updates.scopes = input.scopes ? JSON.stringify(input.scopes) : null;
+		await db.updateTable("_dineway_oauth_clients").set(updates).where("id", "=", clientId).execute();
+		const updated = await db.selectFrom("_dineway_oauth_clients").selectAll().where("id", "=", clientId).executeTakeFirst();
+		if (!updated) return {
+			success: false,
+			error: {
+				code: "NOT_FOUND",
+				message: "OAuth client not found after update"
+			}
+		};
+		return {
+			success: true,
+			data: {
+				id: updated.id,
+				name: updated.name,
+				redirectUris: parseJsonColumn(updated.redirect_uris),
+				scopes: updated.scopes ? parseJsonColumn(updated.scopes) : null,
+				createdAt: updated.created_at,
+				updatedAt: updated.updated_at
+			}
+		};
+	} catch {
+		return {
+			success: false,
+			error: {
+				code: "CLIENT_UPDATE_ERROR",
+				message: "Failed to update OAuth client"
+			}
+		};
+	}
+}
+/**
+* Delete an OAuth client.
+*/
+async function handleOAuthClientDelete(db, clientId) {
+	try {
+		if ((await db.deleteFrom("_dineway_oauth_clients").where("id", "=", clientId).executeTakeFirst()).numDeletedRows === 0n) return {
+			success: false,
+			error: {
+				code: "NOT_FOUND",
+				message: "OAuth client not found"
+			}
+		};
+		return {
+			success: true,
+			data: { deleted: true }
+		};
+	} catch {
+		return {
+			success: false,
+			error: {
+				code: "CLIENT_DELETE_ERROR",
+				message: "Failed to delete OAuth client"
+			}
+		};
+	}
+}
+/**
+* Look up a registered OAuth client by ID.
+* Returns the client's redirect URIs or null if the client is not registered.
+*/
+async function lookupOAuthClient(db, clientId) {
+	const row = await db.selectFrom("_dineway_oauth_clients").select(["redirect_uris", "scopes"]).where("id", "=", clientId).executeTakeFirst();
+	if (!row) return null;
+	return {
+		redirectUris: parseJsonColumn(row.redirect_uris),
+		scopes: row.scopes ? parseJsonColumn(row.scopes) : null
+	};
+}
+/**
+* Validate that a redirect URI is in the client's registered set.
+*
+* Comparison is exact string match (per RFC 6749 §3.1.2.3).
+* Returns null if valid, or an error message if not.
+*/
+function validateClientRedirectUri(redirectUri, allowedUris) {
+	if (allowedUris.includes(redirectUri)) return null;
+	return "redirect_uri is not registered for this client";
+}
+//#endregion
+export { handleOAuthClientUpdate as a, validateRedirectUri as c, handleOAuthClientList as i, handleOAuthClientDelete as n, lookupOAuthClient as o, handleOAuthClientGet as r, validateClientRedirectUri as s, handleOAuthClientCreate as t };

package/dist/oauth-state-store-C5UFhzwD.mjs ADDED Viewed

@@ -0,0 +1,48 @@
+//#region src/auth/oauth-state-store.ts
+const OAUTH_STATE_TTL_MS = 600 * 1e3;
+function createOAuthStateStore(db) {
+	return {
+		async set(state, data) {
+			const expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();
+			await db.insertInto("auth_challenges").values({
+				challenge: state,
+				type: "oauth",
+				user_id: null,
+				data: JSON.stringify(data),
+				expires_at: expiresAt
+			}).onConflict((oc) => oc.column("challenge").doUpdateSet({
+				type: "oauth",
+				data: JSON.stringify(data),
+				expires_at: expiresAt
+			})).execute();
+		},
+		async get(state) {
+			const row = await db.selectFrom("auth_challenges").selectAll().where("challenge", "=", state).where("type", "=", "oauth").executeTakeFirst();
+			if (!row) return null;
+			if (new Date(row.expires_at).getTime() < Date.now()) {
+				await this.delete(state);
+				return null;
+			}
+			if (!row.data) return null;
+			try {
+				const parsed = JSON.parse(row.data);
+				if (typeof parsed !== "object" || parsed === null || !("provider" in parsed) || typeof parsed.provider !== "string" || !("redirectUri" in parsed) || typeof parsed.redirectUri !== "string") return null;
+				const oauthState = {
+					provider: parsed.provider,
+					redirectUri: parsed.redirectUri
+				};
+				if ("codeVerifier" in parsed && typeof parsed.codeVerifier === "string") oauthState.codeVerifier = parsed.codeVerifier;
+				if ("nonce" in parsed && typeof parsed.nonce === "string") oauthState.nonce = parsed.nonce;
+				return oauthState;
+			} catch {
+				return null;
+			}
+		},
+		async delete(state) {
+			await db.deleteFrom("auth_challenges").where("challenge", "=", state).where("type", "=", "oauth").execute();
+		}
+	};
+}
+//#endregion
+export { createOAuthStateStore as t };

package/dist/oauth-user-lookup-Bi0ek9eM.mjs ADDED Viewed

@@ -0,0 +1,25 @@
+import { toRoleLevel } from "@dineway-ai/auth";
+//#region src/api/handlers/oauth-user-lookup.ts
+/**
+* Shared user lookup for OAuth token operations.
+*
+* Extracts user role and disabled status from the database. Used by
+* handleTokenRefresh() to revalidate scopes against the user's current
+* role and reject disabled users.
+*/
+/**
+* Look up a user's current role and disabled status.
+* Returns null if the user doesn't exist.
+*/
+async function lookupUserRoleAndStatus(db, userId) {
+	const row = await db.selectFrom("users").select(["role", "disabled"]).where("id", "=", userId).executeTakeFirst();
+	if (!row) return null;
+	return {
+		role: toRoleLevel(row.role),
+		disabled: row.disabled === 1
+	};
+}
+//#endregion
+export { lookupUserRoleAndStatus as t };