mcp-creatio 0.3.10 → 0.4.1

Files changed (225) hide show
  1. package/README.md +117 -108
  2. package/dist/cli.d.ts +5 -0
  3. package/dist/cli.d.ts.map +1 -1
  4. package/dist/cli.js +18 -11
  5. package/dist/cli.js.map +1 -1
  6. package/dist/creatio/auth/auth.d.ts +2 -0
  7. package/dist/creatio/auth/auth.d.ts.map +1 -1
  8. package/dist/creatio/auth/auth.js.map +1 -1
  9. package/dist/creatio/auth/providers/base-provider.d.ts +1 -0
  10. package/dist/creatio/auth/providers/base-provider.d.ts.map +1 -1
  11. package/dist/creatio/auth/providers/base-provider.js +3 -0
  12. package/dist/creatio/auth/providers/base-provider.js.map +1 -1
  13. package/dist/creatio/auth/providers/oauth2-code-provider.d.ts +3 -0
  14. package/dist/creatio/auth/providers/oauth2-code-provider.d.ts.map +1 -1
  15. package/dist/creatio/auth/providers/oauth2-code-provider.js +30 -24
  16. package/dist/creatio/auth/providers/oauth2-code-provider.js.map +1 -1
  17. package/dist/creatio/engines/admin-operation/admin-operation-engine.d.ts +13 -0
  18. package/dist/creatio/engines/admin-operation/admin-operation-engine.d.ts.map +1 -0
  19. package/dist/creatio/engines/admin-operation/admin-operation-engine.js +27 -0
  20. package/dist/creatio/engines/admin-operation/admin-operation-engine.js.map +1 -0
  21. package/dist/creatio/engines/configuration/configuration-engine.d.ts +10 -0
  22. package/dist/creatio/engines/configuration/configuration-engine.d.ts.map +1 -0
  23. package/dist/creatio/engines/configuration/configuration-engine.js +18 -0
  24. package/dist/creatio/engines/configuration/configuration-engine.js.map +1 -0
  25. package/dist/creatio/engines/engine-manager.d.ts +13 -1
  26. package/dist/creatio/engines/engine-manager.d.ts.map +1 -1
  27. package/dist/creatio/engines/engine-manager.js +17 -0
  28. package/dist/creatio/engines/engine-manager.js.map +1 -1
  29. package/dist/creatio/engines/engine-registry.d.ts +3 -0
  30. package/dist/creatio/engines/engine-registry.d.ts.map +1 -1
  31. package/dist/creatio/engines/engine-registry.js +3 -0
  32. package/dist/creatio/engines/engine-registry.js.map +1 -1
  33. package/dist/creatio/engines/feature/feature-engine.d.ts +10 -0
  34. package/dist/creatio/engines/feature/feature-engine.d.ts.map +1 -0
  35. package/dist/creatio/engines/feature/feature-engine.js +18 -0
  36. package/dist/creatio/engines/feature/feature-engine.js.map +1 -0
  37. package/dist/creatio/engines/index.d.ts +3 -0
  38. package/dist/creatio/engines/index.d.ts.map +1 -1
  39. package/dist/creatio/engines/index.js +3 -0
  40. package/dist/creatio/engines/index.js.map +1 -1
  41. package/dist/creatio/provider-context.d.ts +4 -1
  42. package/dist/creatio/provider-context.d.ts.map +1 -1
  43. package/dist/creatio/providers/admin-operation-provider.d.ts +27 -0
  44. package/dist/creatio/providers/admin-operation-provider.d.ts.map +1 -0
  45. package/dist/creatio/providers/admin-operation-provider.js +3 -0
  46. package/dist/creatio/providers/admin-operation-provider.js.map +1 -0
  47. package/dist/creatio/providers/configuration-provider.d.ts +19 -0
  48. package/dist/creatio/providers/configuration-provider.d.ts.map +1 -0
  49. package/dist/creatio/providers/configuration-provider.js +3 -0
  50. package/dist/creatio/providers/configuration-provider.js.map +1 -0
  51. package/dist/creatio/providers/feature-provider.d.ts +10 -0
  52. package/dist/creatio/providers/feature-provider.d.ts.map +1 -0
  53. package/dist/creatio/providers/feature-provider.js +3 -0
  54. package/dist/creatio/providers/feature-provider.js.map +1 -0
  55. package/dist/creatio/providers/index.d.ts +3 -0
  56. package/dist/creatio/providers/index.d.ts.map +1 -1
  57. package/dist/creatio/providers/index.js +3 -0
  58. package/dist/creatio/providers/index.js.map +1 -1
  59. package/dist/creatio/services/admin-operation-service-provider.d.ts +15 -0
  60. package/dist/creatio/services/admin-operation-service-provider.d.ts.map +1 -0
  61. package/dist/creatio/services/admin-operation-service-provider.js +69 -0
  62. package/dist/creatio/services/admin-operation-service-provider.js.map +1 -0
  63. package/dist/creatio/services/configuration-service-provider.d.ts +14 -0
  64. package/dist/creatio/services/configuration-service-provider.d.ts.map +1 -0
  65. package/dist/creatio/services/configuration-service-provider.js +90 -0
  66. package/dist/creatio/services/configuration-service-provider.js.map +1 -0
  67. package/dist/creatio/services/creatio-service-context.d.ts +4 -1
  68. package/dist/creatio/services/creatio-service-context.d.ts.map +1 -1
  69. package/dist/creatio/services/creatio-service-context.js +9 -0
  70. package/dist/creatio/services/creatio-service-context.js.map +1 -1
  71. package/dist/creatio/services/feature-service-provider.d.ts +10 -0
  72. package/dist/creatio/services/feature-service-provider.d.ts.map +1 -0
  73. package/dist/creatio/services/feature-service-provider.js +43 -0
  74. package/dist/creatio/services/feature-service-provider.js.map +1 -0
  75. package/dist/creatio/services/http-client.d.ts.map +1 -1
  76. package/dist/creatio/services/http-client.js +0 -1
  77. package/dist/creatio/services/http-client.js.map +1 -1
  78. package/dist/creatio/services/index.d.ts +3 -0
  79. package/dist/creatio/services/index.d.ts.map +1 -1
  80. package/dist/creatio/services/index.js +3 -0
  81. package/dist/creatio/services/index.js.map +1 -1
  82. package/dist/creatio/services/metadata-store.d.ts +5 -0
  83. package/dist/creatio/services/metadata-store.d.ts.map +1 -1
  84. package/dist/creatio/services/metadata-store.js +18 -6
  85. package/dist/creatio/services/metadata-store.js.map +1 -1
  86. package/dist/creatio/services/odata-crud-provider.d.ts +2 -0
  87. package/dist/creatio/services/odata-crud-provider.d.ts.map +1 -1
  88. package/dist/creatio/services/odata-crud-provider.js +10 -1
  89. package/dist/creatio/services/odata-crud-provider.js.map +1 -1
  90. package/dist/server/http/creatio-oauth-handlers.d.ts +0 -1
  91. package/dist/server/http/creatio-oauth-handlers.d.ts.map +1 -1
  92. package/dist/server/http/creatio-oauth-handlers.js +30 -23
  93. package/dist/server/http/creatio-oauth-handlers.js.map +1 -1
  94. package/dist/server/http/httpServer.d.ts +9 -0
  95. package/dist/server/http/httpServer.d.ts.map +1 -1
  96. package/dist/server/http/httpServer.js +34 -11
  97. package/dist/server/http/httpServer.js.map +1 -1
  98. package/dist/server/http/mcp-handlers.d.ts.map +1 -1
  99. package/dist/server/http/mcp-handlers.js +4 -1
  100. package/dist/server/http/mcp-handlers.js.map +1 -1
  101. package/dist/server/http/mcp-oauth-handlers.d.ts.map +1 -1
  102. package/dist/server/http/mcp-oauth-handlers.js +18 -6
  103. package/dist/server/http/mcp-oauth-handlers.js.map +1 -1
  104. package/dist/server/http/middleware.d.ts +7 -0
  105. package/dist/server/http/middleware.d.ts.map +1 -1
  106. package/dist/server/http/middleware.js +23 -0
  107. package/dist/server/http/middleware.js.map +1 -1
  108. package/dist/server/http/rate-limiter.d.ts +24 -0
  109. package/dist/server/http/rate-limiter.d.ts.map +1 -0
  110. package/dist/server/http/rate-limiter.js +42 -0
  111. package/dist/server/http/rate-limiter.js.map +1 -0
  112. package/dist/server/mcp/prompts-data.d.ts +58 -0
  113. package/dist/server/mcp/prompts-data.d.ts.map +1 -1
  114. package/dist/server/mcp/prompts-data.js +391 -1
  115. package/dist/server/mcp/prompts-data.js.map +1 -1
  116. package/dist/server/mcp/server.d.ts.map +1 -1
  117. package/dist/server/mcp/server.js +69 -0
  118. package/dist/server/mcp/server.js.map +1 -1
  119. package/dist/server/mcp/tools-data.d.ts +63 -0
  120. package/dist/server/mcp/tools-data.d.ts.map +1 -1
  121. package/dist/server/mcp/tools-data.js +110 -5
  122. package/dist/server/mcp/tools-data.js.map +1 -1
  123. package/dist/server/oauth/oauth-server.d.ts +0 -1
  124. package/dist/server/oauth/oauth-server.d.ts.map +1 -1
  125. package/dist/server/oauth/oauth-server.js +11 -21
  126. package/dist/server/oauth/oauth-server.js.map +1 -1
  127. package/dist/server/oauth/storage.d.ts +0 -2
  128. package/dist/server/oauth/storage.d.ts.map +1 -1
  129. package/dist/server/oauth/storage.js +0 -6
  130. package/dist/server/oauth/storage.js.map +1 -1
  131. package/dist/server/oauth/validators.d.ts +6 -0
  132. package/dist/server/oauth/validators.d.ts.map +1 -1
  133. package/dist/server/oauth/validators.js +28 -0
  134. package/dist/server/oauth/validators.js.map +1 -1
  135. package/dist/services/session-context.d.ts +8 -7
  136. package/dist/services/session-context.d.ts.map +1 -1
  137. package/dist/services/session-context.js +7 -27
  138. package/dist/services/session-context.js.map +1 -1
  139. package/package.json +19 -10
  140. package/.dockerignore +0 -12
  141. package/.editorconfig +0 -14
  142. package/.eslintrc.cjs +0 -18
  143. package/.gitattributes +0 -8
  144. package/.github/workflows/docker-publish.yml +0 -50
  145. package/.prettierignore +0 -3
  146. package/.prettierrc +0 -9
  147. package/.vscode/launch.json +0 -23
  148. package/.vscode/mcp.json +0 -13
  149. package/.vscode/settings.json +0 -16
  150. package/Agent.md +0 -187
  151. package/Debug.md +0 -32
  152. package/Dockerfile +0 -23
  153. package/docs/coding-style.md +0 -30
  154. package/eslint.config.cjs +0 -95
  155. package/src/cli.ts +0 -162
  156. package/src/config-builder.ts +0 -76
  157. package/src/consts.ts +0 -3
  158. package/src/creatio/auth/auth-manager.ts +0 -27
  159. package/src/creatio/auth/auth.ts +0 -31
  160. package/src/creatio/auth/index.ts +0 -3
  161. package/src/creatio/auth/providers/base-oauth2-provider.ts +0 -62
  162. package/src/creatio/auth/providers/base-provider.ts +0 -42
  163. package/src/creatio/auth/providers/index.ts +0 -4
  164. package/src/creatio/auth/providers/legacy-provider.ts +0 -70
  165. package/src/creatio/auth/providers/oauth2-code-provider.ts +0 -252
  166. package/src/creatio/auth/providers/oauth2-provider.ts +0 -91
  167. package/src/creatio/auth/providers/type.ts +0 -5
  168. package/src/creatio/client-config.ts +0 -34
  169. package/src/creatio/engines/crud/crud-engine.ts +0 -47
  170. package/src/creatio/engines/engine-manager.ts +0 -102
  171. package/src/creatio/engines/engine-registry.ts +0 -36
  172. package/src/creatio/engines/engine.ts +0 -3
  173. package/src/creatio/engines/index.ts +0 -7
  174. package/src/creatio/engines/process/process-engine.ts +0 -20
  175. package/src/creatio/engines/sys-settings/sys-settings-engine.ts +0 -41
  176. package/src/creatio/engines/user/user-engine.ts +0 -20
  177. package/src/creatio/index.ts +0 -6
  178. package/src/creatio/provider-context.ts +0 -10
  179. package/src/creatio/providers/crud-provider.ts +0 -45
  180. package/src/creatio/providers/index.ts +0 -4
  181. package/src/creatio/providers/process-provider.ts +0 -15
  182. package/src/creatio/providers/sys-settings-provider.ts +0 -63
  183. package/src/creatio/providers/user-provider.ts +0 -12
  184. package/src/creatio/services/creatio-service-context.ts +0 -38
  185. package/src/creatio/services/http-client.ts +0 -174
  186. package/src/creatio/services/index.ts +0 -7
  187. package/src/creatio/services/metadata-store.ts +0 -181
  188. package/src/creatio/services/odata-crud-provider.ts +0 -210
  189. package/src/creatio/services/process-service-provider.ts +0 -76
  190. package/src/creatio/services/sys-settings-service-provider.ts +0 -192
  191. package/src/creatio/services/user-info-provider.ts +0 -41
  192. package/src/index.ts +0 -44
  193. package/src/log.ts +0 -183
  194. package/src/server/http/creatio-oauth-handlers.ts +0 -146
  195. package/src/server/http/httpServer.ts +0 -150
  196. package/src/server/http/index.ts +0 -5
  197. package/src/server/http/mcp-handlers.ts +0 -92
  198. package/src/server/http/mcp-oauth-handlers.ts +0 -108
  199. package/src/server/http/middleware.ts +0 -91
  200. package/src/server/index.ts +0 -2
  201. package/src/server/mcp/filters.ts +0 -97
  202. package/src/server/mcp/index.ts +0 -1
  203. package/src/server/mcp/prompts-data.ts +0 -896
  204. package/src/server/mcp/server.ts +0 -331
  205. package/src/server/mcp/tools-data.ts +0 -592
  206. package/src/server/oauth/client-manager.ts +0 -47
  207. package/src/server/oauth/index.ts +0 -6
  208. package/src/server/oauth/oauth-server.ts +0 -185
  209. package/src/server/oauth/storage.ts +0 -106
  210. package/src/server/oauth/token-manager.ts +0 -80
  211. package/src/server/oauth/types.ts +0 -55
  212. package/src/server/oauth/validators.ts +0 -56
  213. package/src/services/index.ts +0 -2
  214. package/src/services/session-context.ts +0 -232
  215. package/src/services/token-refresh-scheduler.ts +0 -68
  216. package/src/types/index.ts +0 -1
  217. package/src/types/network.ts +0 -7
  218. package/src/utils/context.ts +0 -49
  219. package/src/utils/env.ts +0 -12
  220. package/src/utils/index.ts +0 -5
  221. package/src/utils/mcp.ts +0 -8
  222. package/src/utils/network.ts +0 -65
  223. package/src/utils/pkce.ts +0 -39
  224. package/src/version.ts +0 -15
  225. package/tsconfig.json +0 -28
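--- a/package/dist/server/http/creatio-oauth-handlers.js
+++ b/package/dist/server/http/creatio-oauth-handlers.js
@@ -7,6 +7,7 @@ exports.CreatioOAuthHandlers = void 0;
 const log_1 = __importDefault(require("../../log"));
 const services_1 = require("../../services");
 const utils_1 = require("../../utils");
+const oauth_1 = require("../oauth");
 class CreatioOAuthHandlers {
 _sessionContext = services_1.SessionContext.instance;
 _server;
@@ -15,14 +16,6 @@ class CreatioOAuthHandlers {
 this._server = server;
 this._oauthServer = oauthServer;
 }
-_mapAllSessionsToUser(userKey) {
-const sessions = this._sessionContext.getAllSessions();
-const sessionIds = sessions.map((s) => s.id);
-log_1.default.info('mapping_all_sessions', { userKey, sessionCount: sessionIds.length, sessionIds });
-for (const sessionId of sessionIds) {
-this._sessionContext.setSessionUserKey(sessionId, userKey);
-}
-}
 async handleOAuthStart(req, res) {
 try {
 const userKey = req.query.userKey;
@@ -32,7 +25,10 @@ class CreatioOAuthHandlers {
 res.status(400).send('Missing userKey parameter. Add ?userKey=your_user_key to URL');
 return;
 }
-const state = this._sessionContext.createOAuthState(effectiveUserKey);
+// Bind the OAuth state to the session that initiated the flow (if any),
+// so the callback maps only that session — never every active session (CWE-639).
+const initiatingSessionId = (0, utils_1.getSessionIdFromRequest)(req) ?? undefined;
+const state = this._sessionContext.createOAuthState(effectiveUserKey, initiatingSessionId);
 const url = await this._server.authProvider.getAuthorizeUrl(state);
 const mcpParams = req.query;
 if (mcpParams.client_id && mcpParams.redirect_uri) {
@@ -53,9 +49,8 @@ class CreatioOAuthHandlers {
 const code = String(req.query?.code ?? '') || String(req.body?.code ?? '');
 const state = String(req.query?.state ?? '') || String(req.body?.state ?? '');
 log_1.default.info('oauth.callback.start', {
-code: code ? '***' + code.slice(-4) : 'missing',
-state: state ? state.substring(0, 50) + '...' : 'missing',
-fullState: state,
+hasCode: !!code,
+hasState: !!state,
 });
 if (!code || !state) {
 res.status(400).send('Missing code or state');
@@ -64,36 +59,46 @@ class CreatioOAuthHandlers {
 const stateParts = state.split('&');
 const creatioState = stateParts[0];
 log_1.default.info('oauth.callback.state_parse', {
-originalState: state,
-creatioState,
 hasMcpParams: stateParts.length > 1,
 });
 if (!creatioState) {
-log_1.default.error('oauth.callback.no_creatio_state', { originalState: state });
+log_1.default.error('oauth.callback.no_creatio_state');
 res.status(400).send('Invalid state format');
 return;
 }
-const userKey = this._sessionContext.validateAndConsumeOAuthState(creatioState);
-if (!userKey) {
-log_1.default.error('oauth.callback.creatio_state_invalid', { creatioState });
+const stateResult = this._sessionContext.validateAndConsumeOAuthState(creatioState);
+if (!stateResult) {
+log_1.default.error('oauth.callback.creatio_state_invalid');
 res.status(400).send('Unknown or expired state');
 return;
 }
+const { userKey, sessionId: boundSessionId } = stateResult;
 await (0, utils_1.runWithContext)({ userKey }, async () => this._server.authProvider.finishAuthorization(code));
-this._mapAllSessionsToUser(userKey);
+// Map ONLY the session that initiated this flow, if it still exists.
+// Bearer-token MCP clients carry their identity in the issued JWT and need
+// no session mapping at all.
+if (boundSessionId && this._sessionContext.hasSession(boundSessionId)) {
+this._sessionContext.mapSessionToUser(boundSessionId, userKey);
+}
 const stateParams = new URLSearchParams(state);
 const clientId = stateParams.get('client_id');
 const redirectUri = stateParams.get('redirect_uri');
 const codeChallenge = stateParams.get('code_challenge');
 if (clientId && redirectUri && codeChallenge) {
+// Re-validate the redirect target before emitting any redirect: the MCP params
+// are appended to the state in plaintext and must not be trusted blindly (CWE-601).
+if (!oauth_1.OAuthValidators.isAllowedRedirectUri(redirectUri)) {
+log_1.default.error('oauth.callback.redirect_uri_disallowed', { clientId });
+res.status(400).send('Disallowed redirect_uri');
+return;
+}
 const mcpState = stateParams.get('mcp_state');
 log_1.default.info('oauth.callback.state_validation', {
-mcpState,
 clientId,
 hasState: !!mcpState,
 });
 if (mcpState && !this._oauthServer.validateState(mcpState, clientId)) {
-log_1.default.error('oauth.callback.state_invalid', { mcpState, clientId });
+log_1.default.error('oauth.callback.state_invalid', { clientId });
 const errorUrl = new URL(redirectUri);
 errorUrl.searchParams.set('error', 'invalid_request');
 errorUrl.searchParams.set('error_description', 'Unknown or expired state');
@@ -119,9 +124,11 @@ class CreatioOAuthHandlers {
 }
 async handleOAuthRevoke(req, res) {
 try {
-const userKey = req.query.userKey || req.body?.userKey;
+// Identity comes ONLY from the validated Bearer token (set by bearerAuth middleware).
+// A caller must never be able to revoke another user's tokens via ?userKey= (CWE-639).
+const userKey = req.userKey;
 if (!userKey) {
-res.status(400).send('Missing userKey parameter');
+res.status(401).send('Valid Bearer token required');
 return;
 }
 await (0, utils_1.runWithContext)({ userKey }, async () => this._server.authProvider.revoke());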
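Review bot: The new redirect guard in the callback hunk, `if (!oauth_1.OAuthValidators.isAllowedRedirectUri(redirectUri))`, checks `redirectUri` by itself and never passes `clientId`, so unless `isAllowedRedirectUri` consults the client registration internally (not visible here), any URI on the global allow-list is accepted for any client, whereas OAuth requires the redirect URI to match one registered for that specific client (RFC 6749 §3.1.2.2); resolving the registered client for `clientId` and rejecting when `redirectUri` is not among its registered URIs would close that gap, with the global allow-list kept as a second filter. In the same branch the pre-existing `if (mcpState && !this._oauthServer.validateState(mcpState, clientId))` still skips MCP state validation entirely when `mcp_state` is absent from the state string, and since this commit already treats those appended parameters as untrusted, requiring `mcp_state` whenever `client_id`/`redirect_uri` are present (`if (!mcpState || !this._oauthServer.validateState(mcpState, clientId))`) would be consistent with that intent. The session-binding branch silently does nothing when `boundSessionId` is set but `hasSession` is false; a log line there would make a stale or evicted session distinguishable from a bearer-token flow during incident review. handleOAuthCallback starts and ends outside this hunk.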
@@ -1 +1 @@
1
- {"version":3,"file":"creatio-oauth-handlers.js","sourceRoot":"","sources":["../../../src/server/http/creatio-oauth-handlers.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAC5B,6CAAgD;AAChD,uCAA6C;AAM7C,MAAa,oBAAoB;IACf,eAAe,GAAG,yBAAc,CAAC,QAAQ,CAAC;IAC1C,OAAO,CAAS;IAChB,YAAY,CAAc;IAE3C,YAAY,MAAc,EAAE,WAAwB;QACnD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACjC,CAAC;IAEO,qBAAqB,CAAC,OAAe;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC7C,aAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QAC3F,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACpC,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAAC,GAAY,EAAE,GAAa;QACxD,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAiB,CAAC;YAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAiB,CAAC;YAC5C,MAAM,gBAAgB,GAAG,OAAO,IAAI,OAAO,CAAC;YAC5C,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACvB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CACnB,8DAA8D,CAC9D,CAAC;gBACF,OAAO;YACR,CAAC;YACD,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,CAAC;YACtE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,GAAG,CAAC,KAAY,CAAC;YACnC,IAAI,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;gBACnD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC5B,MAAM,YAAY,GAAG,GAAG,KAAK,cAAc,SAAS,CAAC,SAAS,iBAAiB,kBAAkB,CAAC,SAAS,CAAC,YAAY,CAAC,mBAAmB,SAAS,CAAC,cAAc,0BAA0B,SAAS,CAAC,qBAAqB,cAAc,SAAS,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;gBACnQ,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;gBAC/C,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACxB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YACnB,aAAG,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;YACvE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CA
AC;QAC5C,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAY,EAAE,GAAa;QAC3D,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,IAAI,MAAM,CAAE,GAAW,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACpF,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,MAAM,CAAE,GAAW,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACvF,aAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC/C,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;gBACzD,SAAS,EAAE,KAAK;aAChB,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;gBAC9C,OAAO;YACR,CAAC;YACD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,YAAY,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YACnC,aAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;gBACtC,aAAa,EAAE,KAAK;gBACpB,YAAY;gBACZ,YAAY,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;aACnC,CAAC,CAAC;YACH,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnB,aAAG,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;gBACvE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;gBAC7C,OAAO;YACR,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAC;YAChF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,aAAG,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;gBACpE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;gBACjD,OAAO;YACR,CAAC;YACD,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI,EAAE,CAC5C,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,mBAAmB,CAAC,IAAI,CAAC,CACnD,CAAC;YACF,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;YACpC,MAAM,WAAW,GAAG,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACpD,MAAM,aAAa,GAAG,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YACxD,IAAI,QAAQ,IAAI,WAAW,IAAI,aAAa,EAAE,CAAC;gBAC9C,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAC9C,aAAG,CAAC,IAAI,CAAC,iCAAiC,EAAE;oBAC3C,QAAQ;oBACR,QAAQ;o
BACR,QAAQ,EAAE,CAAC,CAAC,QAAQ;iBACpB,CAAC,CAAC;gBACH,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACtE,aAAG,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAClE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;oBACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;oBACtD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;oBAC3E,IAAI,QAAQ,EAAE,CAAC;wBACd,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;oBAC9C,CAAC;oBACD,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC1C,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,yBAAyB,CAC3D,QAAQ,EACR,WAAW,EACX,aAAa,EACb,WAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,MAAM,EAClD,OAAO,CACP,CAAC;gBACF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;gBACzC,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC/C,IAAI,QAAQ,EAAE,CAAC;oBACd,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACjD,CAAC;gBACD,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YACnB,aAAG,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAAC,GAAY,EAAE,GAAa;QACzD,IAAI,CAAC;YACJ,MAAM,OAAO,GAAI,GAAG,CAAC,KAAK,CAAC,OAAkB,IAAK,GAAG,CAAC,IAAI,EAAE,OAAkB,CAAC;YAC/E,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;gBAClD,OAAO;YACR,CAAC;YACD,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;YAClF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YACnB,aAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;YACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC7C,CAAC;IACF,CAAC;CACD;AAzID,oDAyIC"}
1
+ {"version":3,"file":"creatio-oauth-handlers.js","sourceRoot":"","sources":["../../../src/server/http/creatio-oauth-handlers.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAC5B,6CAAgD;AAChD,uCAAsE;AACtE,oCAA2C;AAM3C,MAAa,oBAAoB;IACf,eAAe,GAAG,yBAAc,CAAC,QAAQ,CAAC;IAC1C,OAAO,CAAS;IAChB,YAAY,CAAc;IAE3C,YAAY,MAAc,EAAE,WAAwB;QACnD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACjC,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAAC,GAAY,EAAE,GAAa;QACxD,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAiB,CAAC;YAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAiB,CAAC;YAC5C,MAAM,gBAAgB,GAAG,OAAO,IAAI,OAAO,CAAC;YAC5C,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACvB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CACnB,8DAA8D,CAC9D,CAAC;gBACF,OAAO;YACR,CAAC;YACD,wEAAwE;YACxE,iFAAiF;YACjF,MAAM,mBAAmB,GAAG,IAAA,+BAAuB,EAAC,GAAG,CAAC,IAAI,SAAS,CAAC;YACtE,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAClD,gBAAgB,EAChB,mBAAmB,CACnB,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,GAAG,CAAC,KAAY,CAAC;YACnC,IAAI,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;gBACnD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC5B,MAAM,YAAY,GAAG,GAAG,KAAK,cAAc,SAAS,CAAC,SAAS,iBAAiB,kBAAkB,CAAC,SAAS,CAAC,YAAY,CAAC,mBAAmB,SAAS,CAAC,cAAc,0BAA0B,SAAS,CAAC,qBAAqB,cAAc,SAAS,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;gBACnQ,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;gBAC/C,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACxB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YACnB,aAAG,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;YACvE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAC5C,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAY,EAAE,GAAa;QAC3D,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,IAAI,MAAM,CAAE,GAAW,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACpF,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,C
AAC,IAAI,MAAM,CAAE,GAAW,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACvF,aAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE;gBAChC,OAAO,EAAE,CAAC,CAAC,IAAI;gBACf,QAAQ,EAAE,CAAC,CAAC,KAAK;aACjB,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;gBAC9C,OAAO;YACR,CAAC;YACD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,YAAY,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YACnC,aAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;gBACtC,YAAY,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;aACnC,CAAC,CAAC;YACH,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnB,aAAG,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBAC7C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;gBAC7C,OAAO;YACR,CAAC;YACD,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAC;YACpF,IAAI,CAAC,WAAW,EAAE,CAAC;gBAClB,aAAG,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;gBAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;gBACjD,OAAO;YACR,CAAC;YACD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,WAAW,CAAC;YAC3D,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI,EAAE,CAC5C,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,mBAAmB,CAAC,IAAI,CAAC,CACnD,CAAC;YACF,qEAAqE;YACrE,2EAA2E;YAC3E,6BAA6B;YAC7B,IAAI,cAAc,IAAI,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACvE,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YAChE,CAAC;YACD,MAAM,WAAW,GAAG,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACpD,MAAM,aAAa,GAAG,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YACxD,IAAI,QAAQ,IAAI,WAAW,IAAI,aAAa,EAAE,CAAC;gBAC9C,+EAA+E;gBAC/E,oFAAoF;gBACpF,IAAI,CAAC,uBAAe,CAAC,oBAAoB,CAAC,WAAW,CAAC,EAAE,CAAC;oBACxD,aAAG,CAAC,KAAK,CAAC,wCAAwC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAClE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;oBAChD,OAAO;gBACR,CAAC;gBACD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAC9C,aAAG,CAAC,IAAI,CAAC,iCAAiC,EAAE;oBAC3C,QAAQ;oBACR,QAAQ,EAAE,CAAC,CAAC,QAAQ;iBACpB,CAAC,CAAC;gBACH,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,aA
Aa,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACtE,aAAG,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;oBACxD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;oBACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;oBACtD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;oBAC3E,IAAI,QAAQ,EAAE,CAAC;wBACd,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;oBAC9C,CAAC;oBACD,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC1C,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,yBAAyB,CAC3D,QAAQ,EACR,WAAW,EACX,aAAa,EACb,WAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,MAAM,EAClD,OAAO,CACP,CAAC;gBACF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;gBACzC,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC/C,IAAI,QAAQ,EAAE,CAAC;oBACd,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACjD,CAAC;gBACD,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YACnB,aAAG,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAAC,GAAY,EAAE,GAAa;QACzD,IAAI,CAAC;YACJ,sFAAsF;YACtF,uFAAuF;YACvF,MAAM,OAAO,GAAI,GAAW,CAAC,OAA6B,CAAC;YAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;gBACpD,OAAO;YACR,CAAC;YACD,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;YAClF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YACnB,aAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;YACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC7C,CAAC;IACF,CAAC;CACD;AAjJD,oDAiJC"}
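--- a/package/dist/server/http/httpServer.d.ts
+++ b/package/dist/server/http/httpServer.d.ts
@@ -1,15 +1,24 @@
+import express from 'express';
 import type { Server } from '../mcp';
 export declare class HttpServer {
+private static readonly CLEANUP_INTERVAL_MS;
+private static readonly BODY_LIMIT;
+private static readonly RATE_LIMIT_AUTH_FLOW;
+private static readonly RATE_LIMIT_TOKEN;
+private static readonly RATE_LIMIT_REGISTER;
+private static readonly RATE_LIMIT_REVOKE;
 private readonly _server;
 private readonly _app;
 private readonly _connections;
 private _srv;
+private _cleanupTimer;
 private readonly _sessionContext;
 private readonly _oauthServer;
 private readonly _middleware;
 private readonly _mcpHandlers;
 private readonly _creatioOauthHandlers;
 private readonly _mcpOauthHandlers;
+get app(): express.Express;
 constructor(server: Server);
 private _setupMiddleware;
 private _setupRoutes;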
@@ -1 +1 @@
1
- {"version":3,"file":"httpServer.d.ts","sourceRoot":"","sources":["../../../src/server/http/httpServer.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAErC,qBAAa,UAAU;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAa;IAClC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,IAAI,CAAe;IAC3B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA2B;IAC3D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAiB;IAC7C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAuB;IAC7D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAmB;gBAEzC,MAAM,EAAE,MAAM;IAW1B,OAAO,CAAC,gBAAgB;IAWxB,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,eAAe;IAIvB,OAAO,CAAC,2BAA2B;IAYnC,OAAO,CAAC,uBAAuB;IAexB,KAAK,CAAC,IAAI,EAAE,MAAM;IAmBZ,IAAI;CAkCjB"}
1
+ {"version":3,"file":"httpServer.d.ts","sourceRoot":"","sources":["../../../src/server/http/httpServer.ts"],"names":[],"mappings":"AAGA,OAAO,OAAO,MAAM,SAAS,CAAC;AAa9B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAErC,qBAAa,UAAU;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAiB;IAG5D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAsC;IAExE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAiC;IAC7E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAiC;IACzE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAiC;IAC5E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAiC;IAC1E,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAa;IAClC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,IAAI,CAAe;IAC3B,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA2B;IAC3D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAiB;IAC7C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAuB;IAC7D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAmB;IAErD,IAAW,GAAG,IAAI,OAAO,CAAC,OAAO,CAEhC;gBAEW,MAAM,EAAE,MAAM;IAW1B,OAAO,CAAC,gBAAgB;IAWxB,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,eAAe;IAIvB,OAAO,CAAC,2BAA2B;IAmBnC,OAAO,CAAC,uBAAuB;IAqBxB,KAAK,CAAC,IAAI,EAAE,MAAM;IA0BZ,IAAI;CAoCjB"}
@@ -8,22 +8,36 @@ const express_1 = __importDefault(require("express"));
8
8
  const creatio_1 = require("../../creatio/");
9
9
  const log_1 = __importDefault(require("../../log"));
10
10
  const services_1 = require("../../services");
11
+ const utils_1 = require("../../utils");
11
12
  const oauth_1 = require("../oauth");
12
13
  const creatio_oauth_handlers_1 = require("./creatio-oauth-handlers");
13
14
  const mcp_handlers_1 = require("./mcp-handlers");
14
15
  const mcp_oauth_handlers_1 = require("./mcp-oauth-handlers");
15
16
  const middleware_1 = require("./middleware");
16
17
  class HttpServer {
18
+ static CLEANUP_INTERVAL_MS = 5 * 60 * 1000;
19
+ // Generous, configurable cap so large CRM payloads/filters are not truncated.
20
+ // DoS on the OAuth surface is handled by the rate limiter (frequency), not body size.
21
+ static BODY_LIMIT = (0, utils_1.env)('MCP_MAX_BODY_SIZE') || '10mb';
22
+ // Per-route fixed-window limits (per client IP) for the unauthenticated OAuth surface.
23
+ static RATE_LIMIT_AUTH_FLOW = { windowMs: 60_000, max: 60 };
24
+ static RATE_LIMIT_TOKEN = { windowMs: 60_000, max: 30 };
25
+ static RATE_LIMIT_REGISTER = { windowMs: 60_000, max: 10 };
26
+ static RATE_LIMIT_REVOKE = { windowMs: 60_000, max: 20 };
17
27
  _server;
18
28
  _app = (0, express_1.default)();
19
29
  _connections = new Set();
20
30
  _srv;
31
+ _cleanupTimer;
21
32
  _sessionContext = services_1.SessionContext.instance;
22
33
  _oauthServer;
23
34
  _middleware;
24
35
  _mcpHandlers;
25
36
  _creatioOauthHandlers;
26
37
  _mcpOauthHandlers;
38
+ get app() {
39
+ return this._app;
40
+ }
27
41
  constructor(server) {
28
42
  this._server = server;
29
43
  this._oauthServer = new oauth_1.OAuthServer();
@@ -37,8 +51,8 @@ class HttpServer {
37
51
  _setupMiddleware() {
38
52
  this._app.use(this._middleware.correlationId());
39
53
  this._app.use(this._middleware.requestLogging());
40
- this._app.use(express_1.default.json());
41
- this._app.use(express_1.default.urlencoded({ extended: true }));
54
+ this._app.use(express_1.default.json({ limit: HttpServer.BODY_LIMIT }));
55
+ this._app.use(express_1.default.urlencoded({ extended: true, limit: HttpServer.BODY_LIMIT }));
42
56
  if (this._isNeedMCPOAuth()) {
43
57
  this._app.use('/mcp', this._middleware.bearerAuth());
44
58
  }
@@ -60,15 +74,15 @@ class HttpServer {
60
74
  return this._server.authProvider.type === creatio_1.AuthProviderType.OAuth2Code;
61
75
  }
62
76
  _setupCreatioOAuthEndpoints() {
63
- this._app.get('/oauth/start', (req, res) => this._creatioOauthHandlers.handleOAuthStart(req, res));
64
- this._app.get('/oauth/callback', (req, res) => this._creatioOauthHandlers.handleOAuthCallback(req, res));
65
- this._app.post('/oauth/revoke', (req, res) => this._creatioOauthHandlers.handleOAuthRevoke(req, res));
77
+ this._app.get('/oauth/start', this._middleware.rateLimit(HttpServer.RATE_LIMIT_AUTH_FLOW), (req, res) => this._creatioOauthHandlers.handleOAuthStart(req, res));
78
+ this._app.get('/oauth/callback', this._middleware.rateLimit(HttpServer.RATE_LIMIT_AUTH_FLOW), (req, res) => this._creatioOauthHandlers.handleOAuthCallback(req, res));
79
+ this._app.post('/oauth/revoke', this._middleware.rateLimit(HttpServer.RATE_LIMIT_REVOKE), this._middleware.bearerAuth(), (req, res) => this._creatioOauthHandlers.handleOAuthRevoke(req, res));
66
80
  }
67
81
  _setupMCPOAuthEndpoints() {
68
82
  this._app.get('/.well-known/oauth-authorization-server', (req, res) => this._mcpOauthHandlers.handleMetadata(req, res));
69
- this._app.post('/register', (req, res) => this._mcpOauthHandlers.handleClientRegistration(req, res));
70
- this._app.get('/authorize', (req, res) => this._mcpOauthHandlers.handleAuthorization(req, res));
71
- this._app.post('/token', (req, res) => this._mcpOauthHandlers.handleTokenExchange(req, res));
83
+ this._app.post('/register', this._middleware.rateLimit(HttpServer.RATE_LIMIT_REGISTER), (req, res) => this._mcpOauthHandlers.handleClientRegistration(req, res));
84
+ this._app.get('/authorize', this._middleware.rateLimit(HttpServer.RATE_LIMIT_AUTH_FLOW), (req, res) => this._mcpOauthHandlers.handleAuthorization(req, res));
85
+ this._app.post('/token', this._middleware.rateLimit(HttpServer.RATE_LIMIT_TOKEN), (req, res) => this._mcpOauthHandlers.handleTokenExchange(req, res));
72
86
  }
73
87
  start(port) {
74
88
  return new Promise((resolve, reject) => {
@@ -86,13 +100,22 @@ class HttpServer {
86
100
  this._connections.add(socket);
87
101
  socket.once('close', () => this._connections.delete(socket));
88
102
  });
103
+ // Periodically evict expired OAuth codes/states so these maps stay bounded
104
+ // over a long-running process. Unref'd so it never holds the event loop open.
105
+ this._cleanupTimer = setInterval(() => {
106
+ this._oauthServer.cleanup();
107
+ this._sessionContext.cleanupExpiredOAuthStates();
108
+ }, HttpServer.CLEANUP_INTERVAL_MS);
109
+ this._cleanupTimer.unref();
89
110
  });
90
111
  }
91
112
  async stop() {
113
+ if (this._cleanupTimer) {
114
+ clearInterval(this._cleanupTimer);
115
+ this._cleanupTimer = undefined;
116
+ }
92
117
  try {
93
- if (this._server.authProvider && 'cancelAllRefresh' in this._server.authProvider) {
94
- this._server.authProvider.cancelAllRefresh();
95
- }
118
+ this._server.authProvider.cancelAllRefresh();
96
119
  }
97
120
  catch (err) {
98
121
  log_1.default.warn('token_refresh_cleanup_failed', { error: String(err) });
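Review bot: `BODY_LIMIT` (10 MB by default) is installed by the two `express_1.default.json`/`urlencoded` calls in `_setupMiddleware` for every route, including the unauthenticated `/register` and `/token` handlers, and the comment above `BODY_LIMIT` overstates what the rate limiter buys there: `RATE_LIMIT_REGISTER` only caps request count, so a single address can still push roughly 100 MB of JSON per minute into the parser. Mount small route-scoped parsers ahead of the global ones, `this._app.use(['/register', '/token', '/oauth/revoke'], express_1.default.json({ limit: '64kb' }), express_1.default.urlencoded({ extended: true, limit: '64kb' }));`, so the generous cap applies to `/mcp` only (body-parser skips a body it has already parsed). `env('MCP_MAX_BODY_SIZE')` is also handed to the parser unvalidated; if I recall body-parser's handling correctly, an unparsable size string is turned into a null limit, i.e. no limit at all, so a startup sanity check on the value or at least a comment stating the expected `bytes` format (`'10mb'`, `'512kb'`) is worthwhile. The per-IP fixed windows applied by `rateLimit` only key on the real client when Express's `trust proxy` matches the deployment; neither the middleware nor that setting is visible in this section, so that should be confirmed. The `HttpServer` class body continues outside the shown hunks.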
@@ -1 +1 @@
1
- {"version":3,"file":"httpServer.js","sourceRoot":"","sources":["../../../src/server/http/httpServer.ts"],"names":[],"mappings":";;;;;;AAGA,sDAA8B;AAE9B,4CAAkD;AAClD,oDAA4B;AAC5B,6CAAgD;AAChD,oCAAuC;AAEvC,qEAAgE;AAChE,iDAA6C;AAC7C,6DAAwD;AACxD,6CAA8C;AAI9C,MAAa,UAAU;IACL,OAAO,CAAS;IAChB,IAAI,GAAG,IAAA,iBAAO,GAAE,CAAC;IACjB,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,IAAI,CAAe;IACV,eAAe,GAAG,yBAAc,CAAC,QAAQ,CAAC;IAC1C,YAAY,CAAc;IAC1B,WAAW,CAAiB;IAC5B,YAAY,CAAc;IAC1B,qBAAqB,CAAuB;IAC5C,iBAAiB,CAAmB;IAErD,YAAY,MAAc;QACzB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,YAAY,GAAG,IAAI,mBAAW,EAAE,CAAC;QACtC,IAAI,CAAC,WAAW,GAAG,IAAI,2BAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,IAAI,0BAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,qBAAqB,GAAG,IAAI,6CAAoB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QACvF,IAAI,CAAC,iBAAiB,GAAG,IAAI,qCAAgB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxB,IAAI,CAAC,YAAY,EAAE,CAAC;IACrB,CAAC;IAEO,gBAAgB;QACvB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACtD,IAAI,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,CAAC,CAAC;IAChD,CAAC;IAEO,YAAY;QACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,2BAA2B,EAAE,CAAC;YACnC,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAChC,CAAC;IACF,CAAC;IAEO,kBAAkB;QACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QAChF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QACtF,IAAI,CAAC,IA
AI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1F,CAAC;IAEO,eAAe;QACtB,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,KAAK,0BAAgB,CAAC,UAAU,CAAC;IACvE,CAAC;IAEO,2BAA2B;QAClC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC1C,IAAI,CAAC,qBAAqB,CAAC,gBAAgB,CAAC,GAAG,EAAE,GAAG,CAAC,CACrD,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC7C,IAAI,CAAC,qBAAqB,CAAC,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CACxD,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC5C,IAAI,CAAC,qBAAqB,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CACtD,CAAC;IACH,CAAC;IAEO,uBAAuB;QAC9B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACrE,IAAI,CAAC,iBAAiB,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAC/C,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACxC,IAAI,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,GAAG,EAAE,GAAG,CAAC,CACzD,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACxC,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CACpD,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACrC,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CACpD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,IAAY;QACxB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;gBACvC,aAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBACpB,OAAO,EAAE,CAAC;YACX,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAClC,IAAI,CAAC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,GAAG,IAAI,EAAE,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC7B,aAAG,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC5D,MAAM,CAAC,GAAG,CAAC,CAAC;YACb,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAc,EAAE,EAAE;gBAC7C,IAAI,CAAC,YAAY,
CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;QACJ,CAAC,CAAC,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,IAAI;QAChB,IAAI,CAAC;YACJ,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,kBAAkB,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;gBACjF,IAAI,CAAC,OAAO,CAAC,YAAoB,CAAC,gBAAgB,EAAE,CAAC;YACvD,CAAC;QACF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,aAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,IAAI,CAAC;gBACJ,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAC7B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;oBACnC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClC,CAAC,CAAC,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,aAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACtD,CAAC;QACF,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC;gBACJ,MAAM,CAAC,OAAO,EAAE,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACX,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,EAAE,CAAC;QACvD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC;gBACJ,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,aAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnF,CAAC;YACD,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC;IACF,CAAC;CACD;AApID,gCAoIC"}
1
+ {"version":3,"file":"httpServer.js","sourceRoot":"","sources":["../../../src/server/http/httpServer.ts"],"names":[],"mappings":";;;;;;AAGA,sDAA8B;AAE9B,4CAAkD;AAClD,oDAA4B;AAC5B,6CAAgD;AAChD,uCAAkC;AAClC,oCAAuC;AAEvC,qEAAgE;AAChE,iDAA6C;AAC7C,6DAAwD;AACxD,6CAA8C;AAI9C,MAAa,UAAU;IACd,MAAM,CAAU,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAC5D,8EAA8E;IAC9E,sFAAsF;IAC9E,MAAM,CAAU,UAAU,GAAG,IAAA,WAAG,EAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;IACxE,uFAAuF;IAC/E,MAAM,CAAU,oBAAoB,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC;IACrE,MAAM,CAAU,gBAAgB,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC;IACjE,MAAM,CAAU,mBAAmB,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC;IACpE,MAAM,CAAU,iBAAiB,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC;IACzD,OAAO,CAAS;IAChB,IAAI,GAAG,IAAA,iBAAO,GAAE,CAAC;IACjB,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,IAAI,CAAe;IACnB,aAAa,CAA6B;IACjC,eAAe,GAAG,yBAAc,CAAC,QAAQ,CAAC;IAC1C,YAAY,CAAc;IAC1B,WAAW,CAAiB;IAC5B,YAAY,CAAc;IAC1B,qBAAqB,CAAuB;IAC5C,iBAAiB,CAAmB;IAErD,IAAW,GAAG;QACb,OAAO,IAAI,CAAC,IAAI,CAAC;IAClB,CAAC;IAED,YAAY,MAAc;QACzB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,YAAY,GAAG,IAAI,mBAAW,EAAE,CAAC;QACtC,IAAI,CAAC,WAAW,GAAG,IAAI,2BAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,IAAI,0BAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,qBAAqB,GAAG,IAAI,6CAAoB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QACvF,IAAI,CAAC,iBAAiB,GAAG,IAAI,qCAAgB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxB,IAAI,CAAC,YAAY,EAAE,CAAC;IACrB,CAAC;IAEO,gBAAgB;QACvB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QACpF,IAAI,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,GAAG,CAA
C,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,CAAC,CAAC;IAChD,CAAC;IAEO,YAAY;QACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,2BAA2B,EAAE,CAAC;YACnC,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAChC,CAAC;IACF,CAAC;IAEO,kBAAkB;QACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QAChF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QACtF,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1F,CAAC;IAEO,eAAe;QACtB,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,KAAK,0BAAgB,CAAC,UAAU,CAAC;IACvE,CAAC;IAEO,2BAA2B;QAClC,IAAI,CAAC,IAAI,CAAC,GAAG,CACZ,cAAc,EACd,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,CAAC,oBAAoB,CAAC,EAC3D,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,gBAAgB,CAAC,GAAG,EAAE,GAAG,CAAC,CACnE,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,GAAG,CACZ,iBAAiB,EACjB,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,CAAC,oBAAoB,CAAC,EAC3D,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CACtE,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CACb,eAAe,EACf,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,CAAC,iBAAiB,CAAC,EACxD,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,EAC7B,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CACpE,CAAC;IACH,CAAC;IAEO,uBAAuB;QAC9B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACrE,IAAI,CAAC,iBAAiB,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAC/C,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CACb,WAAW,EACX,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAC1D,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,GAAG,EAAE,GAAG,CAAC,CACvE,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,GAAG,CACZ,YAAY,EACZ,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,CAAC,oBAAoB,CAAC,EAC3D,
CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAClE,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CACb,QAAQ,EACR,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,CAAC,gBAAgB,CAAC,EACvD,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAClE,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,IAAY;QACxB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;gBACvC,aAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBACpB,OAAO,EAAE,CAAC;YACX,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAClC,IAAI,CAAC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,GAAG,IAAI,EAAE,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC7B,aAAG,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC5D,MAAM,CAAC,GAAG,CAAC,CAAC;YACb,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAc,EAAE,EAAE;gBAC7C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;YACH,2EAA2E;YAC3E,8EAA8E;YAC9E,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE;gBACrC,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,eAAe,CAAC,yBAAyB,EAAE,CAAC;YAClD,CAAC,EAAE,UAAU,CAAC,mBAAmB,CAAC,CAAC;YACnC,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC,CAAC,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,IAAI;QAChB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAClC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;QAChC,CAAC;QACD,IAAI,CAAC;YACJ,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,aAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,IAAI,CAAC;gBACJ,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAC7B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;oBACnC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;gB
AClC,CAAC,CAAC,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,aAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACtD,CAAC;QACF,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC;gBACJ,MAAM,CAAC,OAAO,EAAE,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACX,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,EAAE,CAAC;QACvD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC;gBACJ,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,aAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnF,CAAC;YACD,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC;IACF,CAAC;;AAvKF,gCAwKC"}
@@ -1 +1 @@
1
- {"version":3,"file":"mcp-handlers.d.ts","sourceRoot":"","sources":["../../../src/server/http/mcp-handlers.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEjD,qBAAa,WAAW;IACvB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA2B;IAC3D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,MAAM,EAAE,MAAM;IAIb,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAmDzD,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAe7E"}
1
+ {"version":3,"file":"mcp-handlers.d.ts","sourceRoot":"","sources":["../../../src/server/http/mcp-handlers.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEjD,qBAAa,WAAW;IACvB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA2B;IAC3D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,MAAM,EAAE,MAAM;IAIb,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAmDzD,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAmB7E"}
@@ -74,7 +74,10 @@ class McpHandlers {
74
74
  res.status(400).send('Session has no transport');
75
75
  return;
76
76
  }
77
- const userKey = (0, utils_1.getUserKeyFromRequest)(req);
77
+ // Prefer the validated Bearer identity and the session's own mapping over any
78
+ // caller-supplied ?userKey=/x-user-key, which must not override an authenticated
79
+ // identity (CWE-639).
80
+ const userKey = req.userKey || session?.userKey || (0, utils_1.getUserKeyFromRequest)(req);
78
81
  await (0, utils_1.runWithContext)({ userKey, sessionId }, async () => transport.handleRequest(req, res));
79
82
  }
80
83
  }
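Review bot: The new `userKey` selection takes the first truthy of `req.userKey`, `session?.userKey` and the request-supplied key but never checks that the first two agree, so a caller whose Bearer token validated as user B can present the session ID of a session created by user A and the request proceeds on A's transport with B's context; a session ID should stay bound to the identity that created it. Reject the mismatch before entering the context: `if (req.userKey && session?.userKey && req.userKey !== session.userKey) { res.status(403).send('Session does not belong to caller'); return; }`. The final fallback to `getUserKeyFromRequest(req)` still trusts `?userKey=`/`x-user-key` whenever no Bearer identity is present, which is presumably only the deployment mode where `bearerAuth` is not mounted on `/mcp` (that mount is conditional in `HttpServer._setupMiddleware`); a comment stating that assumption next to the line would keep the next maintainer from widening it. The enclosing method begins before this hunk.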
@@ -1 +1 @@
1
- {"version":3,"file":"mcp-handlers.js","sourceRoot":"","sources":["../../../src/server/http/mcp-handlers.ts"],"names":[],"mappings":";;;;;;AAAA,6CAAyC;AAEzC,0FAAmG;AACnG,iEAAyE;AAEzE,oDAA4B;AAC5B,6CAAgD;AAChD,uCAKqB;AAKrB,MAAa,WAAW;IACN,eAAe,GAAG,yBAAc,CAAC,QAAQ,CAAC;IAC1C,OAAO,CAAS;IAEjC,YAAY,MAAc;QACzB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;IACvB,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,GAAY,EAAE,GAAa;QACrD,MAAM,SAAS,GAAG,IAAA,+BAAuB,EAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,aAAa,GAAI,GAAW,CAAC,OAAO,CAAC;QAC3C,IAAI,SAAoD,CAAC;QACzD,MAAM,QAAQ,GAAG,IAAA,mBAAW,EAAC,GAAG,CAAC,CAAC;QAClC,IAAI,SAAS,IAAI,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YAC3D,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;YAC/B,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAClC,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;gBACpD,aAAG,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YACjD,CAAC;QACF,CAAC;aAAM,IAAI,CAAC,SAAS,IAAI,IAAA,8BAAmB,EAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,SAAS,GAAG,IAAI,iDAA6B,CAAC;gBAC7C,kBAAkB,EAAE,GAAG,EAAE,CAAC,IAAA,wBAAU,GAAE;gBACtC,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE;oBAC7B,IAAI,SAAS,EAAE,CAAC;wBACf,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CACjD,GAAG,EACH,aAAa,EACb,QAAQ,CACR,CAAC;wBACF,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;wBACzD,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;wBAC9C,aAAG,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;oBAC3C,CAAC;gBACF,CAAC;aACD,CAAC,CAAC;YACH,SAAS,CAAC,OAAO,GAAG,GAAG,EAAE;gBACxB,IAAI,SAAS,EAAE,SAAS,EAAE,CAAC;oBAC1B,aAAG,CAAC,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;oBAC7D,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;gBACzD,CAAC;YACF,CAAC,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC1C,MAAM,GAAG,CAAC,OAAO,CAAC,SAAgB,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,2CAA2C,EAAE;gBAC7E,EAAE,EAAE,IAAI;aACR,CAAC,CAAC;YAC
H,OAAO;QACR,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,aAAa,IAAI,OAAO,EAAE,OAAO,CAAC;QAClD,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE,CACvD,SAAU,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAC5C,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,GAAY,EAAE,GAAa;QAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAuB,CAAC;QACtE,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YACtD,OAAO;QACR,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;QACrC,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACjD,OAAO;QACR,CAAC;QACD,MAAM,OAAO,GAAG,IAAA,6BAAqB,EAAC,GAAU,CAAC,CAAC;QAClD,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAC7F,CAAC;CACD;AA1ED,kCA0EC"}
1
+ {"version":3,"file":"mcp-handlers.js","sourceRoot":"","sources":["../../../src/server/http/mcp-handlers.ts"],"names":[],"mappings":";;;;;;AAAA,6CAAyC;AAEzC,0FAAmG;AACnG,iEAAyE;AAEzE,oDAA4B;AAC5B,6CAAgD;AAChD,uCAKqB;AAKrB,MAAa,WAAW;IACN,eAAe,GAAG,yBAAc,CAAC,QAAQ,CAAC;IAC1C,OAAO,CAAS;IAEjC,YAAY,MAAc;QACzB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;IACvB,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,GAAY,EAAE,GAAa;QACrD,MAAM,SAAS,GAAG,IAAA,+BAAuB,EAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,aAAa,GAAI,GAAW,CAAC,OAAO,CAAC;QAC3C,IAAI,SAAoD,CAAC;QACzD,MAAM,QAAQ,GAAG,IAAA,mBAAW,EAAC,GAAG,CAAC,CAAC;QAClC,IAAI,SAAS,IAAI,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YAC3D,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;YAC/B,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAClC,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;gBACpD,aAAG,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YACjD,CAAC;QACF,CAAC;aAAM,IAAI,CAAC,SAAS,IAAI,IAAA,8BAAmB,EAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,SAAS,GAAG,IAAI,iDAA6B,CAAC;gBAC7C,kBAAkB,EAAE,GAAG,EAAE,CAAC,IAAA,wBAAU,GAAE;gBACtC,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE;oBAC7B,IAAI,SAAS,EAAE,CAAC;wBACf,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CACjD,GAAG,EACH,aAAa,EACb,QAAQ,CACR,CAAC;wBACF,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;wBACzD,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;wBAC9C,aAAG,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;oBAC3C,CAAC;gBACF,CAAC;aACD,CAAC,CAAC;YACH,SAAS,CAAC,OAAO,GAAG,GAAG,EAAE;gBACxB,IAAI,SAAS,EAAE,SAAS,EAAE,CAAC;oBAC1B,aAAG,CAAC,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;oBAC7D,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;gBACzD,CAAC;YACF,CAAC,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC1C,MAAM,GAAG,CAAC,OAAO,CAAC,SAAgB,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,2CAA2C,EAAE;gBAC7E,EAAE,EAAE,IAAI;aACR,CAAC,CAAC;YAC
H,OAAO;QACR,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,aAAa,IAAI,OAAO,EAAE,OAAO,CAAC;QAClD,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE,CACvD,SAAU,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAC5C,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,GAAY,EAAE,GAAa;QAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAuB,CAAC;QACtE,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YACtD,OAAO;QACR,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;QACrC,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACjD,OAAO;QACR,CAAC;QACD,8EAA8E;QAC9E,iFAAiF;QACjF,sBAAsB;QACtB,MAAM,OAAO,GACX,GAAW,CAAC,OAAO,IAAI,OAAO,EAAE,OAAO,IAAI,IAAA,6BAAqB,EAAC,GAAU,CAAC,CAAC;QAC/E,MAAM,IAAA,sBAAc,EAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAC7F,CAAC;CACD;AA9ED,kCA8EC"}
@@ -1 +1 @@
1
- {"version":3,"file":"mcp-oauth-handlers.d.ts","sourceRoot":"","sources":["../../../src/server/http/mcp-oauth-handlers.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEjD,qBAAa,gBAAgB;IAC5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;gBAE/B,WAAW,EAAE,WAAW;IAI7B,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,IAAI;IAKjD,wBAAwB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,QAAQ,GAAG,IAAI;IAqBhE,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAsC/D,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;CA4BvF"}
1
+ {"version":3,"file":"mcp-oauth-handlers.d.ts","sourceRoot":"","sources":["../../../src/server/http/mcp-oauth-handlers.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEjD,qBAAa,gBAAgB;IAC5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;gBAE/B,WAAW,EAAE,WAAW;IAI7B,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,IAAI;IAKjD,wBAAwB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,QAAQ,GAAG,IAAI;IAqBhE,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAkD/D,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;CA4BvF"}
@@ -48,6 +48,22 @@ class MCPOAuthHandlers {
48
48
  code_challenge_method: req.query.code_challenge_method,
49
49
  scope: req.query.scope,
50
50
  };
51
+ // Never redirect to an unvalidated target. If the redirect_uri is missing or
52
+ // not allow-listed, fail closed with a direct error response (CWE-601).
53
+ if (!params.redirect_uri || !validators_1.OAuthValidators.isAllowedRedirectUri(params.redirect_uri)) {
54
+ res.status(400).json({
55
+ error: 'invalid_request',
56
+ error_description: 'Missing or disallowed redirect_uri',
57
+ });
58
+ return;
59
+ }
60
+ // state is mandatory: it is the CSRF / session-binding control for the flow (CWE-352).
61
+ if (!params.state) {
62
+ const errorUrl = new URL(params.redirect_uri);
63
+ errorUrl.searchParams.set('error', 'invalid_request');
64
+ errorUrl.searchParams.set('error_description', 'state parameter is required');
65
+ return res.redirect(errorUrl.toString());
66
+ }
51
67
  const validationError = this._oauthServer.validateAuthorizationRequest(params);
52
68
  if (validationError) {
53
69
  const errorUrl = new URL(params.redirect_uri);
@@ -55,14 +71,10 @@ class MCPOAuthHandlers {
55
71
  if (validationError.error_description) {
56
72
  errorUrl.searchParams.set('error_description', validationError.error_description);
57
73
  }
58
- if (params.state) {
59
- errorUrl.searchParams.set('state', params.state);
60
- }
74
+ errorUrl.searchParams.set('state', params.state);
61
75
  return res.redirect(errorUrl.toString());
62
76
  }
63
- if (params.state) {
64
- this._oauthServer.storeState(params.state, params.client_id);
65
- }
77
+ this._oauthServer.storeState(params.state, params.client_id);
66
78
  const authKey = (0, node_crypto_1.randomUUID)();
67
79
  const creatioAuthUrl = `/oauth/start?authKey=${authKey}&client_id=${params.client_id}&redirect_uri=${encodeURIComponent(params.redirect_uri)}&code_challenge=${params.code_challenge}&code_challenge_method=${params.code_challenge_method}&state=${params.state || ''}`;
68
80
  res.redirect(creatioAuthUrl);
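Review bot: The internal redirect to `/oauth/start` is still assembled by string concatenation, with `client_id`, `code_challenge`, `code_challenge_method` and the now-mandatory `state` interpolated unencoded (only `redirect_uri` goes through `encodeURIComponent`), so a `state` containing `&`, `#` or `%` reaches the next handler as extra or truncated parameters even though the rest of this hunk just hardened the redirect_uri and state handling. Whether `validateAuthorizationRequest` restricts those values to URL-safe characters is not visible here, so build the query with `URLSearchParams` and drop the `params.state || ''` fallback, which the new early return for a missing `state` makes dead. The `isAllowedRedirectUri` check also appears to be a global allow-list rather than a per-client one; if it does not consult the registered client's `redirect_uris`, `validateAuthorizationRequest` must, otherwise any registered client may use any allow-listed URI (neither implementation is visible from this hunk). `handleAuthorization` starts before this hunk.
```javascript
const authKey = (0, node_crypto_1.randomUUID)();
// Encode every parameter; state and code_challenge are caller-controlled.
const creatioAuthQuery = new URLSearchParams({
    authKey,
    client_id: params.client_id,
    redirect_uri: params.redirect_uri,
    code_challenge: params.code_challenge,
    code_challenge_method: params.code_challenge_method,
    state: params.state,
});
res.redirect(`/oauth/start?${creatioAuthQuery.toString()}`);
```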
@@ -1 +1 @@
1
- {"version":3,"file":"mcp-oauth-handlers.js","sourceRoot":"","sources":["../../../src/server/http/mcp-oauth-handlers.ts"],"names":[],"mappings":";;;;;;AAAA,6CAAyC;AAEzC,oDAA4B;AAC5B,oDAAsD;AAKtD,MAAa,gBAAgB;IACX,YAAY,CAAc;IAE3C,YAAY,WAAwB;QACnC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACjC,CAAC;IAEM,cAAc,CAAC,GAAY,EAAE,GAAa;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,8BAA8B,EAAE,CAAC;QACpE,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAEM,wBAAwB,CAAC,GAAY,EAAE,GAAa;QAC1D,IAAI,CAAC;YACJ,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;YACnC,MAAM,eAAe,GAAG,4BAAe,CAAC,0BAA0B,CAAC,aAAa,CAAC,CAAC;YAClF,IAAI,eAAe,EAAE,CAAC;gBACrB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC3B,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,eAAe;iBAClC,CAAC,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;YAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,2BAA2B;aAC9C,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAY,EAAE,GAAa;QAC3D,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG;gBACd,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,SAAmB;gBACxC,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,YAAsB;gBAC9C,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,aAAuB;gBAChD,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAe;gBAChC,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,cAAwB;gBAClD,qBAAqB,EAAE,GAAG,CAAC,KAAK,CAAC,qBAA+B;gBAChE,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAe;aAChC,CAAC;YACF,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC/E,IAAI,eAAe,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC9C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC;gBAC1D,IAAI,eAAe,CAAC,iBAAiB,EAAE,CAAC;oBACvC,QAAQ,CAAC,YAAY,CAAC,GAAG,CACxB,mBAAmB,EACnB,eAAe,CAAC,iBAAiB,CACjC,CAAC;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;oBAClB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAClD,CAAC;gB
ACD,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC1C,CAAC;YACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAC9D,CAAC;YACD,MAAM,OAAO,GAAG,IAAA,wBAAU,GAAE,CAAC;YAC7B,MAAM,cAAc,GAAG,wBAAwB,OAAO,cAAc,MAAM,CAAC,SAAS,iBAAiB,kBAAkB,CAAC,MAAM,CAAC,YAAY,CAAC,mBAAmB,MAAM,CAAC,cAAc,0BAA0B,MAAM,CAAC,qBAAqB,UAAU,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACzQ,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAY,EAAE,GAAa;QAC3D,IAAI,CAAC;YACJ,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YACnC,aAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE;gBAC/B,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;gBACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;gBACnB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,EAAE;oBACP,UAAU,EAAE,WAAW,CAAC,UAAU;oBAClC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;oBACvE,SAAS,EAAE,WAAW,CAAC,SAAS;oBAChC,YAAY,EAAE,WAAW,CAAC,YAAY;oBACtC,iBAAiB,EAAE,CAAC,CAAC,WAAW,CAAC,aAAa;iBAC9C;aACD,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;YACzE,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;gBACvB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrC,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,0BAA0B;aAC7C,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;CACD;AAnGD,4CAmGC"}
1
+ {"version":3,"file":"mcp-oauth-handlers.js","sourceRoot":"","sources":["../../../src/server/http/mcp-oauth-handlers.ts"],"names":[],"mappings":";;;;;;AAAA,6CAAyC;AAEzC,oDAA4B;AAC5B,oDAAsD;AAKtD,MAAa,gBAAgB;IACX,YAAY,CAAc;IAE3C,YAAY,WAAwB;QACnC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACjC,CAAC;IAEM,cAAc,CAAC,GAAY,EAAE,GAAa;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,8BAA8B,EAAE,CAAC;QACpE,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAEM,wBAAwB,CAAC,GAAY,EAAE,GAAa;QAC1D,IAAI,CAAC;YACJ,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;YACnC,MAAM,eAAe,GAAG,4BAAe,CAAC,0BAA0B,CAAC,aAAa,CAAC,CAAC;YAClF,IAAI,eAAe,EAAE,CAAC;gBACrB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC3B,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,eAAe;iBAClC,CAAC,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;YAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,2BAA2B;aAC9C,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAY,EAAE,GAAa;QAC3D,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG;gBACd,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,SAAmB;gBACxC,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,YAAsB;gBAC9C,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,aAAuB;gBAChD,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAe;gBAChC,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,cAAwB;gBAClD,qBAAqB,EAAE,GAAG,CAAC,KAAK,CAAC,qBAA+B;gBAChE,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAe;aAChC,CAAC;YACF,6EAA6E;YAC7E,wEAAwE;YACxE,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,4BAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;gBACxF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACpB,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,oCAAoC;iBACvD,CAAC,CAAC;gBACH,OAAO;YACR,CAAC;YACD,uFAAuF;YACvF,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC9C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;gBACtD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,mBA
AmB,EAAE,6BAA6B,CAAC,CAAC;gBAC9E,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC/E,IAAI,eAAe,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC9C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC;gBAC1D,IAAI,eAAe,CAAC,iBAAiB,EAAE,CAAC;oBACvC,QAAQ,CAAC,YAAY,CAAC,GAAG,CACxB,mBAAmB,EACnB,eAAe,CAAC,iBAAiB,CACjC,CAAC;gBACH,CAAC;gBACD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBACjD,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC1C,CAAC;YACD,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAC7D,MAAM,OAAO,GAAG,IAAA,wBAAU,GAAE,CAAC;YAC7B,MAAM,cAAc,GAAG,wBAAwB,OAAO,cAAc,MAAM,CAAC,SAAS,iBAAiB,kBAAkB,CAAC,MAAM,CAAC,YAAY,CAAC,mBAAmB,MAAM,CAAC,cAAc,0BAA0B,MAAM,CAAC,qBAAqB,UAAU,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACzQ,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAY,EAAE,GAAa;QAC3D,IAAI,CAAC;YACJ,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YACnC,aAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE;gBAC/B,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;gBACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;gBACnB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,EAAE;oBACP,UAAU,EAAE,WAAW,CAAC,UAAU;oBAClC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;oBACvE,SAAS,EAAE,WAAW,CAAC,SAAS;oBAChC,YAAY,EAAE,WAAW,CAAC,YAAY;oBACtC,iBAAiB,EAAE,CAAC,CAAC,WAAW,CAAC,aAAa;iBAC9C;aACD,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;YACzE,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;gBACvB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrC,CAAC;YACD,GAAG,CAAC
,IAAI,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,0BAA0B;aAC7C,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;CACD;AA/GD,4CA+GC"}
@@ -1,8 +1,15 @@
1
+ import type { RateLimitOptions } from './rate-limiter';
1
2
  import type { OAuthServer } from '../oauth';
2
3
  import type { NextFunction, Request, Response } from 'express';
3
4
  export declare class HttpMiddleware {
4
5
  private readonly _oauthServer;
5
6
  constructor(oauthServer: OAuthServer);
7
+ /**
8
+ * Per-route fixed-window rate limit, keyed by the real connection IP (req.ip /
9
+ * socket address) rather than the spoofable X-Forwarded-For header, so an
10
+ * attacker cannot bypass the limit by rotating that header.
11
+ */
12
+ rateLimit(options: RateLimitOptions): (req: Request, res: Response, next: NextFunction) => void;
6
13
  bearerAuth(): (req: Request, res: Response, next: NextFunction) => void;
7
14
  errorHandler(): (error: Error, req: Request, res: Response, next: NextFunction) => void;
8
15
  correlationId(): (req: Request, res: Response, next: NextFunction) => void;
@@ -1 +1 @@
1
- {"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/server/http/middleware.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,qBAAa,cAAc;IAC1B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;gBAE/B,WAAW,EAAE,WAAW;IAI7B,UAAU,KACR,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAkBjD,YAAY,KACV,OAAO,KAAK,EAAE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAiB/D,aAAa,KACX,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAYjD,cAAc,KACZ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;CAwBxD"}
1
+ {"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/server/http/middleware.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,qBAAa,cAAc;IAC1B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;gBAE/B,WAAW,EAAE,WAAW;IAIpC;;;;OAIG;IACI,SAAS,CAAC,OAAO,EAAE,gBAAgB,IAEjC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAgBjD,UAAU,KACR,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAkBjD,YAAY,KACV,OAAO,KAAK,EAAE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAiB/D,aAAa,KACX,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;IAYjD,cAAc,KACZ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY;CAwBxD"}
@@ -7,11 +7,34 @@ exports.HttpMiddleware = void 0;
7
7
  const crypto_1 = require("crypto");
8
8
  const log_1 = __importDefault(require("../../log"));
9
9
  const utils_1 = require("../../utils");
10
+ const rate_limiter_1 = require("./rate-limiter");
10
11
  class HttpMiddleware {
11
12
  _oauthServer;
12
13
  constructor(oauthServer) {
13
14
  this._oauthServer = oauthServer;
14
15
  }
16
+ /**
17
+ * Per-route fixed-window rate limit, keyed by the real connection IP (req.ip /
18
+ * socket address) rather than the spoofable X-Forwarded-For header, so an
19
+ * attacker cannot bypass the limit by rotating that header.
20
+ */
21
+ rateLimit(options) {
22
+ const limiter = new rate_limiter_1.RateLimiter(options);
23
+ return (req, res, next) => {
24
+ const key = req.ip || req.socket?.remoteAddress || 'unknown';
25
+ const { allowed, retryAfterMs } = limiter.check(key, Date.now());
26
+ if (!allowed) {
27
+ res.setHeader('Retry-After', String(Math.ceil(retryAfterMs / 1000)));
28
+ log_1.default.warn('http.rate_limited', { path: req.path, ip: (0, utils_1.getClientIp)(req) });
29
+ res.status(429).json({
30
+ error: 'too_many_requests',
31
+ error_description: 'Rate limit exceeded. Try again later.',
32
+ });
33
+ return;
34
+ }
35
+ next();
36
+ };
37
+ }
15
38
  bearerAuth() {
16
39
  return (req, res, next) => {
17
40
  const authHeader = req.headers.authorization;
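Review bot: The bucket key at line 24 of the new file, `req.ip || req.socket?.remoteAddress || 'unknown'`, does not guarantee what the doc comment above it promises: in Express `req.ip` is derived from X-Forwarded-For whenever the app's `trust proxy` setting is enabled, so the limit is only header-spoof-resistant if that setting is off, which is not visible here. If the intent really is the connection address, key on `req.socket?.remoteAddress ?? 'unknown'` and drop `req.ip`; if `trust proxy` is deliberately configured for a fronting proxy, reword the comment to say the key follows that setting rather than ignoring the header. Separately, the 429 log line records `(0, utils_1.getClientIp)(req)` while the bucket is keyed on `req.ip`, so the logged address and the throttled key can differ; logging the same `key` value (or both) makes a rate-limit event traceable to the bucket that fired. The `'unknown'` fallback also pools every client without an address into one shared bucket, which deserves a one-line comment since a single such client can exhaust it for the rest. The same doc comment is duplicated in the middleware.d.ts section above and needs the same wording change.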
@@ -1 +1 @@
1
- {"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/server/http/middleware.ts"],"names":[],"mappings":";;;;;;AAAA,mCAAoC;AAEpC,oDAA4B;AAC5B,uCAA0C;AAK1C,MAAa,cAAc;IACT,YAAY,CAAc;IAE3C,YAAY,WAAwB;QACnC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACjC,CAAC;IAEM,UAAU;QAChB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAClC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC7D,IAAI,OAAO,EAAE,CAAC;oBACZ,GAAW,CAAC,OAAO,GAAG,OAAO,CAAC;oBAC/B,OAAO,IAAI,EAAE,CAAC;gBACf,CAAC;YACF,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAChB,yEAAyE;aAC1E,CAAC,CAAC;QACJ,CAAC,CAAC;IACH,CAAC;IAEM,YAAY;QAClB,OAAO,CAAC,KAAY,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YACxE,aAAG,CAAC,KAAK,CAAC,YAAY,EAAE;gBACvB,KAAK,EAAE,KAAK,CAAC,OAAO;gBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;aAClB,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,uBAAuB;aAC1C,CAAC,CAAC;QACJ,CAAC,CAAC;IACH,CAAC;IAEM,aAAa;QACnB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,aAAa,GAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAY,IAAI,IAAA,mBAAU,GAAE,CAAC;YAClF,aAAG,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC;YACnC,GAAW,CAAC,aAAa,GAAG,aAAa,CAAC;YAC3C,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;YACjD,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACrB,aAAG,CAAC,kBAAkB,EAAE,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,IAAI,EAAE,CAAC;QACR,CAAC,CAAC;IACH,CAAC;IAEM,cAAc;QACpB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,IAAA,mBAAW,EAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC5C,MAAM,aAAa,GAAI,GAAW,CAAC,aAAa,CAAC;YACjD,aAAG,CAAC,WAAW,CAAC,GAAG,
CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE;gBACpC,EAAE;gBACF,SAAS;gBACT,aAAa;gBACb,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;gBAC5C,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;aACxC,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBACxC,aAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE;oBAC/D,EAAE;oBACF,aAAa;oBACb,aAAa,EAAE,GAAG,CAAC,SAAS,CAAC,gBAAgB,CAAC;oBAC9C,WAAW,EAAE,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC;iBAC1C,CAAC,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,IAAI,EAAE,CAAC;QACR,CAAC,CAAC;IACH,CAAC;CACD;AAlFD,wCAkFC"}
1
+ {"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/server/http/middleware.ts"],"names":[],"mappings":";;;;;;AAAA,mCAAoC;AAEpC,oDAA4B;AAC5B,uCAA0C;AAE1C,iDAA6C;AAM7C,MAAa,cAAc;IACT,YAAY,CAAc;IAE3C,YAAY,WAAwB;QACnC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACI,SAAS,CAAC,OAAyB;QACzC,MAAM,OAAO,GAAG,IAAI,0BAAW,CAAC,OAAO,CAAC,CAAC;QACzC,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,GAAG,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,SAAS,CAAC;YAC7D,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACjE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrE,aAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,IAAA,mBAAW,EAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACpB,KAAK,EAAE,mBAAmB;oBAC1B,iBAAiB,EAAE,uCAAuC;iBAC1D,CAAC,CAAC;gBACH,OAAO;YACR,CAAC;YACD,IAAI,EAAE,CAAC;QACR,CAAC,CAAC;IACH,CAAC;IAEM,UAAU;QAChB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAClC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC7D,IAAI,OAAO,EAAE,CAAC;oBACZ,GAAW,CAAC,OAAO,GAAG,OAAO,CAAC;oBAC/B,OAAO,IAAI,EAAE,CAAC;gBACf,CAAC;YACF,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAChB,yEAAyE;aAC1E,CAAC,CAAC;QACJ,CAAC,CAAC;IACH,CAAC;IAEM,YAAY;QAClB,OAAO,CAAC,KAAY,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YACxE,aAAG,CAAC,KAAK,CAAC,YAAY,EAAE;gBACvB,KAAK,EAAE,KAAK,CAAC,OAAO;gBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;aAClB,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc
;gBACrB,iBAAiB,EAAE,uBAAuB;aAC1C,CAAC,CAAC;QACJ,CAAC,CAAC;IACH,CAAC;IAEM,aAAa;QACnB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,aAAa,GAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAY,IAAI,IAAA,mBAAU,GAAE,CAAC;YAClF,aAAG,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC;YACnC,GAAW,CAAC,aAAa,GAAG,aAAa,CAAC;YAC3C,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;YACjD,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACrB,aAAG,CAAC,kBAAkB,EAAE,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,IAAI,EAAE,CAAC;QACR,CAAC,CAAC;IACH,CAAC;IAEM,cAAc;QACpB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,IAAA,mBAAW,EAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC5C,MAAM,aAAa,GAAI,GAAW,CAAC,aAAa,CAAC;YACjD,aAAG,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE;gBACpC,EAAE;gBACF,SAAS;gBACT,aAAa;gBACb,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;gBAC5C,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;aACxC,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBACxC,aAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE;oBAC/D,EAAE;oBACF,aAAa;oBACb,aAAa,EAAE,GAAG,CAAC,SAAS,CAAC,gBAAgB,CAAC;oBAC9C,WAAW,EAAE,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC;iBAC1C,CAAC,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,IAAI,EAAE,CAAC;QACR,CAAC,CAAC;IACH,CAAC;CACD;AAzGD,wCAyGC"}
@@ -0,0 +1,24 @@
1
+ export interface RateLimitOptions {
2
+ /** Length of the fixed window in milliseconds. */
3
+ windowMs: number;
4
+ /** Maximum number of requests allowed per key within the window. */
5
+ max: number;
6
+ }
7
+ export interface RateLimitResult {
8
+ allowed: boolean;
9
+ retryAfterMs: number;
10
+ }
11
+ /**
12
+ * Minimal fixed-window in-memory rate limiter. Keyed by an arbitrary string
13
+ * (typically the client IP). Bounded memory: expired buckets are swept lazily
14
+ * once per window, so there is no background timer to leak.
15
+ */
16
+ export declare class RateLimiter {
17
+ private readonly _buckets;
18
+ private readonly _options;
19
+ private _lastSweepAt;
20
+ constructor(options: RateLimitOptions);
21
+ check(key: string, now: number): RateLimitResult;
22
+ private _maybeSweep;
23
+ }
24
+ //# sourceMappingURL=rate-limiter.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../../src/server/http/rate-limiter.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,gBAAgB;IAChC,kDAAkD;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,eAAe;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACrB;AAOD;;;;GAIG;AACH,qBAAa,WAAW;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;IACtD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmB;IAC5C,OAAO,CAAC,YAAY,CAAK;gBAEb,OAAO,EAAE,gBAAgB;IAI9B,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,eAAe;IAcvD,OAAO,CAAC,WAAW;CAWnB"}
@@ -0,0 +1,42 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.RateLimiter = void 0;
4
+ /**
5
+ * Minimal fixed-window in-memory rate limiter. Keyed by an arbitrary string
6
+ * (typically the client IP). Bounded memory: expired buckets are swept lazily
7
+ * once per window, so there is no background timer to leak.
8
+ */
9
+ class RateLimiter {
10
+ _buckets = new Map();
11
+ _options;
12
+ _lastSweepAt = 0;
13
+ constructor(options) {
14
+ this._options = options;
15
+ }
16
+ check(key, now) {
17
+ this._maybeSweep(now);
18
+ const bucket = this._buckets.get(key);
19
+ if (!bucket || now >= bucket.resetAt) {
20
+ this._buckets.set(key, { count: 1, resetAt: now + this._options.windowMs });
21
+ return { allowed: true, retryAfterMs: 0 };
22
+ }
23
+ if (bucket.count >= this._options.max) {
24
+ return { allowed: false, retryAfterMs: bucket.resetAt - now };
25
+ }
26
+ bucket.count++;
27
+ return { allowed: true, retryAfterMs: 0 };
28
+ }
29
+ _maybeSweep(now) {
30
+ if (now - this._lastSweepAt < this._options.windowMs) {
31
+ return;
32
+ }
33
+ this._lastSweepAt = now;
34
+ for (const [key, bucket] of this._buckets.entries()) {
35
+ if (now >= bucket.resetAt) {
36
+ this._buckets.delete(key);
37
+ }
38
+ }
39
+ }
40
+ }
41
+ exports.RateLimiter = RateLimiter;
42
+ //# sourceMappingURL=rate-limiter.js.map
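Review bot: The constructor at line 13 stores `options` without validating it, and a missing or non-finite `windowMs`/`max` makes the limiter fail open: with `windowMs` undefined, `resetAt` becomes NaN, so `now >= bucket.resetAt` in `check` is never true and the bucket never resets, while `bucket.count >= this._options.max` with `max` undefined is never true either, so no request is ever rejected. A guard such as `if (!Number.isFinite(options.windowMs) || options.windowMs <= 0 || !Number.isFinite(options.max) || options.max < 1) throw new RangeError('RateLimiter: windowMs must be > 0 and max must be >= 1');` turns a misconfiguration into a startup error instead of a silently disabled control. Note also that the first request of a window is admitted before the `max` comparison runs, so `max: 0` still allows one request per window, which the `max >= 1` check above makes explicit. The "Bounded memory" claim in the header comment holds per window only, since the map grows with the number of distinct keys seen inside one `windowMs` before the lazy sweep runs; adding `* Memory is proportional to the number of distinct keys seen within one window.` to that comment states the actual bound.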
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../../src/server/http/rate-limiter.ts"],"names":[],"mappings":";;;AAiBA;;;;GAIG;AACH,MAAa,WAAW;IACN,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IACrC,QAAQ,CAAmB;IACpC,YAAY,GAAG,CAAC,CAAC;IAEzB,YAAY,OAAyB;QACpC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IACzB,CAAC;IAEM,KAAK,CAAC,GAAW,EAAE,GAAW;QACpC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC5E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;YACvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;QAC/D,CAAC;QACD,MAAM,CAAC,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IAC3C,CAAC;IAEO,WAAW,CAAC,GAAW;QAC9B,IAAI,GAAG,GAAG,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtD,OAAO;QACR,CAAC;QACD,IAAI,CAAC,YAAY,GAAG,GAAG,CAAC;QACxB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACrD,IAAI,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC3B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACF,CAAC;IACF,CAAC;CACD;AAlCD,kCAkCC"}