integrate-sdk 0.7.48 → 0.7.50

package/dist/oauth.js

@@ -27,6 +27,280 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
+// src/adapters/session-detector.ts
+var exports_session_detector = {};
+__export(exports_session_detector, {
+  tryDecodeJWT: () => tryDecodeJWT,
+  detectSessionContext: () => detectSessionContext
+});
+function tryDecodeJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return;
+    }
+    const payloadPart = parts[1];
+    if (!payloadPart) {
+      return;
+    }
+    const base64 = payloadPart.replace(/-/g, "+").replace(/_/g, "/");
+    const jsonPayload = decodeURIComponent(atob(base64).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join(""));
+    return JSON.parse(jsonPayload);
+  } catch (error) {
+    return;
+  }
+}
+function getCookies(request) {
+  const cookies = new Map;
+  const cookieHeader = request.headers.get("cookie");
+  if (!cookieHeader) {
+    return cookies;
+  }
+  const pairs = cookieHeader.split(";");
+  for (const pair of pairs) {
+    const [name, ...valueParts] = pair.split("=");
+    if (name && valueParts.length > 0) {
+      const trimmedName = name.trim();
+      const value = valueParts.join("=").trim();
+      cookies.set(trimmedName, value);
+    }
+  }
+  return cookies;
+}
+function tryBetterAuth(cookies) {
+  const sessionToken = cookies.get("better-auth.session_token");
+  if (!sessionToken) {
+    return;
+  }
+  const payload = tryDecodeJWT(sessionToken);
+  if (!payload) {
+    return;
+  }
+  const userId = payload.sub || payload.userId || payload.user_id || payload.id;
+  if (!userId) {
+    return;
+  }
+  return {
+    userId,
+    sessionId: payload.jti || payload.sessionId
+  };
+}
+function tryNextAuth(cookies) {
+  const sessionToken = cookies.get("__Secure-next-auth.session-token") || cookies.get("next-auth.session-token");
+  if (!sessionToken) {
+    return;
+  }
+  if (sessionToken.includes(".")) {
+    const payload = tryDecodeJWT(sessionToken);
+    if (payload) {
+      return {
+        userId: payload.sub || payload.userId || payload.user_id || payload.id,
+        sessionId: payload.jti
+      };
+    }
+  }
+  return;
+}
+function tryClerk(cookies) {
+  const sessionToken = cookies.get("__session");
+  if (!sessionToken) {
+    return;
+  }
+  const payload = tryDecodeJWT(sessionToken);
+  if (!payload) {
+    return;
+  }
+  return {
+    userId: payload.sub || payload.userId,
+    organizationId: payload.org_id || payload.organizationId,
+    sessionId: payload.sid || payload.sessionId
+  };
+}
+function tryLucia(cookies) {
+  const sessionToken = cookies.get("lucia_session");
+  if (!sessionToken) {
+    return;
+  }
+  return {
+    sessionId: sessionToken
+  };
+}
+function tryGenericSession(cookies) {
+  const sessionToken = cookies.get("auth_session") || cookies.get("session");
+  if (!sessionToken) {
+    return;
+  }
+  if (sessionToken.includes(".")) {
+    const payload = tryDecodeJWT(sessionToken);
+    if (payload) {
+      return {
+        userId: payload.sub || payload.userId || payload.user_id || payload.id,
+        sessionId: payload.jti || payload.sessionId || payload.sid
+      };
+    }
+  }
+  return {
+    sessionId: sessionToken
+  };
+}
+async function detectSessionContext(request) {
+  const cookies = getCookies(request);
+  let context;
+  context = tryBetterAuth(cookies);
+  if (context?.userId) {
+    return context;
+  }
+  context = tryNextAuth(cookies);
+  if (context?.userId) {
+    return context;
+  }
+  context = tryClerk(cookies);
+  if (context?.userId) {
+    return context;
+  }
+  context = tryLucia(cookies);
+  if (context?.userId) {
+    return context;
+  }
+  context = tryGenericSession(cookies);
+  if (context?.userId) {
+    return context;
+  }
+  return;
+}
+
+// src/adapters/context-cookie.ts
+var exports_context_cookie = {};
+__export(exports_context_cookie, {
+  readContextCookie: () => readContextCookie,
+  getSetCookieHeader: () => getSetCookieHeader,
+  getContextCookieFromRequest: () => getContextCookieFromRequest,
+  getClearCookieHeader: () => getClearCookieHeader,
+  createContextCookie: () => createContextCookie,
+  CONTEXT_COOKIE_NAME: () => CONTEXT_COOKIE_NAME,
+  CONTEXT_COOKIE_MAX_AGE: () => CONTEXT_COOKIE_MAX_AGE
+});
+async function deriveKey(secret) {
+  const encoder = new TextEncoder;
+  const secretData = encoder.encode(secret);
+  const keyMaterial = await crypto.subtle.importKey("raw", secretData, { name: "PBKDF2" }, false, ["deriveBits", "deriveKey"]);
+  const salt = encoder.encode("integrate-oauth-context-v1");
+  return await crypto.subtle.deriveKey({
+    name: "PBKDF2",
+    salt,
+    iterations: 1e5,
+    hash: "SHA-256"
+  }, keyMaterial, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+}
+async function encryptPayload(payload, secret) {
+  const key = await deriveKey(secret);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encoder = new TextEncoder;
+  const data = encoder.encode(JSON.stringify(payload));
+  const encrypted = await crypto.subtle.encrypt({
+    name: "AES-GCM",
+    iv
+  }, key, data);
+  const combined = new Uint8Array(iv.length + encrypted.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(encrypted), iv.length);
+  return base64UrlEncode(combined);
+}
+async function decryptPayload(cookieValue, secret) {
+  try {
+    const combined = base64UrlDecode(cookieValue);
+    const iv = combined.slice(0, 12);
+    const encrypted = combined.slice(12);
+    const key = await deriveKey(secret);
+    const decrypted = await crypto.subtle.decrypt({
+      name: "AES-GCM",
+      iv
+    }, key, encrypted);
+    const decoder = new TextDecoder;
+    const json = decoder.decode(decrypted);
+    const payload = JSON.parse(json);
+    const age = Date.now() - payload.timestamp;
+    if (age > CONTEXT_COOKIE_MAX_AGE * 1000) {
+      return;
+    }
+    return payload;
+  } catch (error) {
+    return;
+  }
+}
+function base64UrlEncode(data) {
+  const base64 = btoa(String.fromCharCode(...data));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = base64.length % 4;
+  if (padding) {
+    base64 += "=".repeat(4 - padding);
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0;i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function createContextCookie(context, provider, secret) {
+  const payload = {
+    context,
+    provider,
+    timestamp: Date.now()
+  };
+  return await encryptPayload(payload, secret);
+}
+async function readContextCookie(cookieValue, secret) {
+  const payload = await decryptPayload(cookieValue, secret);
+  if (!payload) {
+    return;
+  }
+  return {
+    context: payload.context,
+    provider: payload.provider
+  };
+}
+function getSetCookieHeader(cookieValue, maxAge = CONTEXT_COOKIE_MAX_AGE) {
+  const attributes = [
+    `${CONTEXT_COOKIE_NAME}=${cookieValue}`,
+    `Max-Age=${maxAge}`,
+    "HttpOnly",
+    "Secure",
+    "SameSite=Lax",
+    "Path=/"
+  ];
+  return attributes.join("; ");
+}
+function getClearCookieHeader() {
+  const attributes = [
+    `${CONTEXT_COOKIE_NAME}=`,
+    "Max-Age=0",
+    "HttpOnly",
+    "Secure",
+    "SameSite=Lax",
+    "Path=/"
+  ];
+  return attributes.join("; ");
+}
+function getContextCookieFromRequest(request) {
+  const cookieHeader = request.headers.get("cookie");
+  if (!cookieHeader) {
+    return;
+  }
+  const cookies = cookieHeader.split(";");
+  for (const cookie of cookies) {
+    const [name, ...valueParts] = cookie.split("=");
+    if (name && name.trim() === CONTEXT_COOKIE_NAME) {
+      return valueParts.join("=").trim();
+    }
+  }
+  return;
+}
+var CONTEXT_COOKIE_NAME = "__integrate_oauth_ctx", CONTEXT_COOKIE_MAX_AGE = 300;
+
 // src/adapters/base-handler.ts
 var exports_base_handler = {};
 __export(exports_base_handler, {
@@ -55,25 +329,35 @@ class OAuthHandler {
     return headers;
   }
   async handleAuthorize(request) {
-    const providerConfig = this.config.providers[request.provider];
+    let webRequest;
+    let authorizeRequest;
+    if (request instanceof Request) {
+      webRequest = request;
+      authorizeRequest = await request.json();
+    } else if (typeof request === "object" && "json" in request && typeof request.json === "function") {
+      authorizeRequest = await request.json();
+    } else {
+      authorizeRequest = request;
+    }
+    const providerConfig = this.config.providers[authorizeRequest.provider];
     if (!providerConfig) {
-      throw new Error(`Provider ${request.provider} not configured. Add OAuth credentials to your API route configuration.`);
+      throw new Error(`Provider ${authorizeRequest.provider} not configured. Add OAuth credentials to your API route configuration.`);
     }
     if (!providerConfig.clientId || !providerConfig.clientSecret) {
-      throw new Error(`Missing OAuth credentials for ${request.provider}. Check your environment variables.`);
+      throw new Error(`Missing OAuth credentials for ${authorizeRequest.provider}. Check your environment variables.`);
     }
     const url = new URL("/oauth/authorize", this.serverUrl);
-    url.searchParams.set("provider", request.provider);
+    url.searchParams.set("provider", authorizeRequest.provider);
     url.searchParams.set("client_id", providerConfig.clientId);
     url.searchParams.set("client_secret", providerConfig.clientSecret);
-    const scopes = request.scopes || providerConfig.scopes || [];
+    const scopes = authorizeRequest.scopes || providerConfig.scopes || [];
     if (scopes.length > 0) {
       url.searchParams.set("scope", scopes.join(","));
     }
-    url.searchParams.set("state", request.state);
-    url.searchParams.set("code_challenge", request.codeChallenge);
-    url.searchParams.set("code_challenge_method", request.codeChallengeMethod);
-    const redirectUri = request.redirectUri || providerConfig.redirectUri;
+    url.searchParams.set("state", authorizeRequest.state);
+    url.searchParams.set("code_challenge", authorizeRequest.codeChallenge);
+    url.searchParams.set("code_challenge_method", authorizeRequest.codeChallengeMethod);
+    const redirectUri = authorizeRequest.redirectUri || providerConfig.redirectUri;
     if (redirectUri) {
       url.searchParams.set("redirect_uri", redirectUri);
     }
@@ -86,15 +370,62 @@ class OAuthHandler {
       throw new Error(`MCP server failed to generate authorization URL: ${error}`);
     }
     const data = await response.json();
-    return data;
+    const result = data;
+    if (webRequest) {
+      try {
+        const { detectSessionContext: detectSessionContext2 } = await Promise.resolve().then(() => exports_session_detector);
+        const { createContextCookie: createContextCookie2, getSetCookieHeader: getSetCookieHeader2 } = await Promise.resolve().then(() => exports_context_cookie);
+        let context;
+        if (this.config.getSessionContext) {
+          context = await this.config.getSessionContext(webRequest);
+        }
+        if (!context || !context.userId) {
+          context = await detectSessionContext2(webRequest);
+        }
+        if (context && context.userId) {
+          const secret = this.apiKey || providerConfig.clientSecret;
+          const cookieValue = await createContextCookie2(context, authorizeRequest.provider, secret);
+          result.setCookie = getSetCookieHeader2(cookieValue);
+        }
+      } catch (error) {
+        console.warn("[OAuth] Failed to capture user context:", error);
+      }
+    }
+    return result;
   }
   async handleCallback(request) {
-    const providerConfig = this.config.providers[request.provider];
+    let webRequest;
+    let callbackRequest;
+    if (request instanceof Request) {
+      webRequest = request;
+      callbackRequest = await request.json();
+    } else if (typeof request === "object" && "json" in request && typeof request.json === "function") {
+      callbackRequest = await request.json();
+    } else {
+      callbackRequest = request;
+    }
+    const providerConfig = this.config.providers[callbackRequest.provider];
     if (!providerConfig) {
-      throw new Error(`Provider ${request.provider} not configured. Add OAuth credentials to your API route configuration.`);
+      throw new Error(`Provider ${callbackRequest.provider} not configured. Add OAuth credentials to your API route configuration.`);
     }
     if (!providerConfig.clientId || !providerConfig.clientSecret) {
-      throw new Error(`Missing OAuth credentials for ${request.provider}. Check your environment variables.`);
+      throw new Error(`Missing OAuth credentials for ${callbackRequest.provider}. Check your environment variables.`);
+    }
+    let context;
+    if (webRequest) {
+      try {
+        const { getContextCookieFromRequest: getContextCookieFromRequest2, readContextCookie: readContextCookie2 } = await Promise.resolve().then(() => exports_context_cookie);
+        const cookieValue = getContextCookieFromRequest2(webRequest);
+        if (cookieValue) {
+          const secret = this.apiKey || providerConfig.clientSecret;
+          const contextData = await readContextCookie2(cookieValue, secret);
+          if (contextData && contextData.provider === callbackRequest.provider) {
+            context = contextData.context;
+          }
+        }
+      } catch (error) {
+        console.warn("[OAuth] Failed to restore user context:", error);
+      }
     }
     const url = new URL("/oauth/callback", this.serverUrl);
     const response = await fetch(url.toString(), {
@@ -103,10 +434,10 @@ class OAuthHandler {
         "Content-Type": "application/json"
       }),
       body: JSON.stringify({
-        provider: request.provider,
-        code: request.code,
-        code_verifier: request.codeVerifier,
-        state: request.state,
+        provider: callbackRequest.provider,
+        code: callbackRequest.code,
+        code_verifier: callbackRequest.codeVerifier,
+        state: callbackRequest.state,
         client_id: providerConfig.clientId,
         client_secret: providerConfig.clientSecret,
         redirect_uri: providerConfig.redirectUri
@@ -117,7 +448,26 @@ class OAuthHandler {
       throw new Error(`MCP server failed to exchange authorization code: ${error}`);
     }
     const data = await response.json();
-    return data;
+    const result = data;
+    if (this.config.setProviderToken && context) {
+      try {
+        const tokenData = {
+          accessToken: result.accessToken,
+          refreshToken: result.refreshToken,
+          tokenType: result.tokenType,
+          expiresIn: result.expiresIn,
+          expiresAt: result.expiresAt
+        };
+        await this.config.setProviderToken(callbackRequest.provider, tokenData, context);
+      } catch (error) {
+        console.error("[OAuth] Failed to save provider token:", error);
+      }
+    }
+    if (webRequest) {
+      const { getClearCookieHeader: getClearCookieHeader2 } = await Promise.resolve().then(() => exports_context_cookie);
+      result.clearCookie = getClearCookieHeader2();
+    }
+    return result;
   }
   async handleStatus(provider, accessToken) {
     const url = new URL("/oauth/status", this.serverUrl);
@@ -213,14 +563,20 @@ async function POST(req, context) {
   }
   try {
     if (action === "authorize") {
-      const body = await parseRequestBody(req);
-      const result = await handler.handleAuthorize(body);
-      return createSuccessResponse(result);
+      const result = await handler.handleAuthorize(req);
+      const response = createSuccessResponse(result);
+      if (result.setCookie) {
+        response.headers?.set?.("Set-Cookie", result.setCookie);
+      }
+      return response;
     }
     if (action === "callback") {
-      const body = await parseRequestBody(req);
-      const result = await handler.handleCallback(body);
-      return createSuccessResponse(result);
+      const result = await handler.handleCallback(req);
+      const response = createSuccessResponse(result);
+      if (result.clearCookie) {
+        response.headers?.set?.("Set-Cookie", result.clearCookie);
+      }
+      return response;
     }
     if (action === "disconnect") {
       const body = await parseRequestBody(req);