mcp-creatio 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (327) hide show
  1. package/README.md +236 -149
  2. package/dist/cli.d.ts.map +1 -1
  3. package/dist/cli.js +22 -10
  4. package/dist/cli.js.map +1 -1
  5. package/dist/config-builder.d.ts +8 -0
  6. package/dist/config-builder.d.ts.map +1 -1
  7. package/dist/config-builder.js +147 -43
  8. package/dist/config-builder.js.map +1 -1
  9. package/dist/consts.d.ts.map +1 -1
  10. package/dist/consts.js +2 -1
  11. package/dist/consts.js.map +1 -1
  12. package/dist/creatio/auth/auth-manager.d.ts.map +1 -1
  13. package/dist/creatio/auth/auth-manager.js +5 -2
  14. package/dist/creatio/auth/auth-manager.js.map +1 -1
  15. package/dist/creatio/auth/auth.d.ts +4 -31
  16. package/dist/creatio/auth/auth.d.ts.map +1 -1
  17. package/dist/creatio/auth/auth.js +20 -26
  18. package/dist/creatio/auth/auth.js.map +1 -1
  19. package/dist/creatio/auth/constants.d.ts +14 -0
  20. package/dist/creatio/auth/constants.d.ts.map +1 -0
  21. package/dist/creatio/auth/constants.js +20 -0
  22. package/dist/creatio/auth/constants.js.map +1 -0
  23. package/dist/creatio/auth/contracts.d.ts +15 -0
  24. package/dist/creatio/auth/contracts.d.ts.map +1 -0
  25. package/dist/creatio/auth/contracts.js +3 -0
  26. package/dist/creatio/auth/contracts.js.map +1 -0
  27. package/dist/creatio/auth/headers.d.ts +3 -0
  28. package/dist/creatio/auth/headers.d.ts.map +1 -0
  29. package/dist/creatio/auth/headers.js +15 -0
  30. package/dist/creatio/auth/headers.js.map +1 -0
  31. package/dist/creatio/auth/identity.d.ts +8 -0
  32. package/dist/creatio/auth/identity.d.ts.map +1 -0
  33. package/dist/creatio/auth/identity.js +18 -0
  34. package/dist/creatio/auth/identity.js.map +1 -0
  35. package/dist/creatio/auth/index.d.ts +4 -3
  36. package/dist/creatio/auth/index.d.ts.map +1 -1
  37. package/dist/creatio/auth/index.js +5 -3
  38. package/dist/creatio/auth/index.js.map +1 -1
  39. package/dist/creatio/auth/providers/base-oauth2-provider.d.ts +13 -7
  40. package/dist/creatio/auth/providers/base-oauth2-provider.d.ts.map +1 -1
  41. package/dist/creatio/auth/providers/base-oauth2-provider.js +29 -19
  42. package/dist/creatio/auth/providers/base-oauth2-provider.js.map +1 -1
  43. package/dist/creatio/auth/providers/base-provider.js +1 -1
  44. package/dist/creatio/auth/providers/base-provider.js.map +1 -1
  45. package/dist/creatio/auth/providers/broker-provider.d.ts +20 -0
  46. package/dist/creatio/auth/providers/broker-provider.d.ts.map +1 -0
  47. package/dist/creatio/auth/providers/broker-provider.js +72 -0
  48. package/dist/creatio/auth/providers/broker-provider.js.map +1 -0
  49. package/dist/creatio/auth/providers/creatio-oauth-client.d.ts +27 -0
  50. package/dist/creatio/auth/providers/creatio-oauth-client.d.ts.map +1 -0
  51. package/dist/creatio/auth/providers/creatio-oauth-client.js +122 -0
  52. package/dist/creatio/auth/providers/creatio-oauth-client.js.map +1 -0
  53. package/dist/creatio/auth/providers/index.d.ts +3 -1
  54. package/dist/creatio/auth/providers/index.d.ts.map +1 -1
  55. package/dist/creatio/auth/providers/index.js +3 -1
  56. package/dist/creatio/auth/providers/index.js.map +1 -1
  57. package/dist/creatio/auth/providers/oauth2-bearer-provider.d.ts +17 -0
  58. package/dist/creatio/auth/providers/oauth2-bearer-provider.d.ts.map +1 -0
  59. package/dist/creatio/auth/providers/oauth2-bearer-provider.js +33 -0
  60. package/dist/creatio/auth/providers/oauth2-bearer-provider.js.map +1 -0
  61. package/dist/creatio/auth/providers/oauth2-provider.d.ts +2 -2
  62. package/dist/creatio/auth/providers/oauth2-provider.d.ts.map +1 -1
  63. package/dist/creatio/auth/providers/oauth2-provider.js +4 -9
  64. package/dist/creatio/auth/providers/oauth2-provider.js.map +1 -1
  65. package/dist/creatio/auth/providers/type.d.ts +20 -1
  66. package/dist/creatio/auth/providers/type.d.ts.map +1 -1
  67. package/dist/creatio/auth/providers/type.js +22 -2
  68. package/dist/creatio/auth/providers/type.js.map +1 -1
  69. package/dist/creatio/client-config.d.ts +26 -5
  70. package/dist/creatio/client-config.d.ts.map +1 -1
  71. package/dist/creatio/engines/admin-operation-engine.d.ts +1 -1
  72. package/dist/creatio/engines/admin-operation-engine.d.ts.map +1 -1
  73. package/dist/creatio/engines/admin-operation-engine.js +3 -3
  74. package/dist/creatio/engines/admin-operation-engine.js.map +1 -1
  75. package/dist/creatio/engines/configuration-engine.d.ts +1 -1
  76. package/dist/creatio/engines/configuration-engine.d.ts.map +1 -1
  77. package/dist/creatio/engines/configuration-engine.js +3 -3
  78. package/dist/creatio/engines/configuration-engine.js.map +1 -1
  79. package/dist/creatio/engines/crud-engine.d.ts +1 -1
  80. package/dist/creatio/engines/crud-engine.d.ts.map +1 -1
  81. package/dist/creatio/engines/crud-engine.js +4 -4
  82. package/dist/creatio/engines/crud-engine.js.map +1 -1
  83. package/dist/creatio/engines/engine-manager.d.ts +1 -2
  84. package/dist/creatio/engines/engine-manager.d.ts.map +1 -1
  85. package/dist/creatio/engines/engine-manager.js +4 -10
  86. package/dist/creatio/engines/engine-manager.js.map +1 -1
  87. package/dist/creatio/engines/engine.d.ts.map +1 -1
  88. package/dist/creatio/engines/engine.js +12 -1
  89. package/dist/creatio/engines/engine.js.map +1 -1
  90. package/dist/creatio/engines/feature-engine.d.ts +1 -1
  91. package/dist/creatio/engines/feature-engine.d.ts.map +1 -1
  92. package/dist/creatio/engines/feature-engine.js +3 -3
  93. package/dist/creatio/engines/feature-engine.js.map +1 -1
  94. package/dist/creatio/engines/process-engine.d.ts +1 -1
  95. package/dist/creatio/engines/process-engine.d.ts.map +1 -1
  96. package/dist/creatio/engines/process-engine.js +3 -3
  97. package/dist/creatio/engines/process-engine.js.map +1 -1
  98. package/dist/creatio/engines/sys-settings-engine.d.ts +1 -1
  99. package/dist/creatio/engines/sys-settings-engine.d.ts.map +1 -1
  100. package/dist/creatio/engines/sys-settings-engine.js +3 -3
  101. package/dist/creatio/engines/sys-settings-engine.js.map +1 -1
  102. package/dist/creatio/engines/user-engine.d.ts +1 -1
  103. package/dist/creatio/engines/user-engine.d.ts.map +1 -1
  104. package/dist/creatio/engines/user-engine.js +3 -3
  105. package/dist/creatio/engines/user-engine.js.map +1 -1
  106. package/dist/creatio/services/creatio-service-context.d.ts +1 -1
  107. package/dist/creatio/services/creatio-service-context.d.ts.map +1 -1
  108. package/dist/creatio/services/crud-provider-factory.d.ts.map +1 -1
  109. package/dist/creatio/services/crud-provider-factory.js.map +1 -1
  110. package/dist/creatio/services/dataservice/data-service-column-values.d.ts.map +1 -1
  111. package/dist/creatio/services/dataservice/data-service-crud-provider.d.ts +3 -3
  112. package/dist/creatio/services/dataservice/data-service-crud-provider.d.ts.map +1 -1
  113. package/dist/creatio/services/dataservice/data-service-crud-provider.js +5 -5
  114. package/dist/creatio/services/dataservice/data-service-crud-provider.js.map +1 -1
  115. package/dist/creatio/services/dataservice/data-service-filter-translator.d.ts.map +1 -1
  116. package/dist/creatio/services/dataservice/data-service-filter-translator.js +7 -2
  117. package/dist/creatio/services/dataservice/data-service-filter-translator.js.map +1 -1
  118. package/dist/creatio/services/dataservice/data-service-query-builder.d.ts.map +1 -1
  119. package/dist/creatio/services/dataservice/data-service-query-builder.js.map +1 -1
  120. package/dist/creatio/services/dataservice/data-service-schema.d.ts +3 -3
  121. package/dist/creatio/services/dataservice/data-service-schema.d.ts.map +1 -1
  122. package/dist/creatio/services/dataservice/data-service-schema.js +19 -17
  123. package/dist/creatio/services/dataservice/data-service-schema.js.map +1 -1
  124. package/dist/creatio/services/dataservice/data-service-transport.d.ts +1 -1
  125. package/dist/creatio/services/dataservice/data-service-transport.d.ts.map +1 -1
  126. package/dist/creatio/services/dataservice/data-service-transport.js +3 -3
  127. package/dist/creatio/services/dataservice/data-service-transport.js.map +1 -1
  128. package/dist/creatio/services/dataservice/data-service-types.d.ts +0 -19
  129. package/dist/creatio/services/dataservice/data-service-types.d.ts.map +1 -1
  130. package/dist/creatio/services/dataservice/data-service-value-type.d.ts +2 -1
  131. package/dist/creatio/services/dataservice/data-service-value-type.d.ts.map +1 -1
  132. package/dist/creatio/services/dataservice/data-service-value-type.js +20 -16
  133. package/dist/creatio/services/dataservice/data-service-value-type.js.map +1 -1
  134. package/dist/creatio/services/http-client.d.ts +13 -0
  135. package/dist/creatio/services/http-client.d.ts.map +1 -1
  136. package/dist/creatio/services/http-client.js +26 -2
  137. package/dist/creatio/services/http-client.js.map +1 -1
  138. package/dist/creatio/services/identifiers.d.ts +10 -0
  139. package/dist/creatio/services/identifiers.d.ts.map +1 -0
  140. package/dist/creatio/services/identifiers.js +20 -0
  141. package/dist/creatio/services/identifiers.js.map +1 -0
  142. package/dist/creatio/services/odata/metadata-store.d.ts +6 -2
  143. package/dist/creatio/services/odata/metadata-store.d.ts.map +1 -1
  144. package/dist/creatio/services/odata/metadata-store.js +30 -34
  145. package/dist/creatio/services/odata/metadata-store.js.map +1 -1
  146. package/dist/creatio/services/odata/odata-crud-provider.d.ts.map +1 -1
  147. package/dist/creatio/services/odata/odata-crud-provider.js +10 -25
  148. package/dist/creatio/services/odata/odata-crud-provider.js.map +1 -1
  149. package/dist/creatio/services/odata/odata-query-translator.d.ts +4 -5
  150. package/dist/creatio/services/odata/odata-query-translator.d.ts.map +1 -1
  151. package/dist/creatio/services/odata/odata-query-translator.js +32 -20
  152. package/dist/creatio/services/odata/odata-query-translator.js.map +1 -1
  153. package/dist/creatio/services/user-info-provider.d.ts.map +1 -1
  154. package/dist/creatio/services/user-info-provider.js +2 -2
  155. package/dist/creatio/services/user-info-provider.js.map +1 -1
  156. package/dist/index.js +30 -4
  157. package/dist/index.js.map +1 -1
  158. package/dist/log.d.ts +1 -1
  159. package/dist/log.d.ts.map +1 -1
  160. package/dist/log.js +2 -1
  161. package/dist/log.js.map +1 -1
  162. package/dist/server/bearer/base-url-guard.d.ts +20 -0
  163. package/dist/server/bearer/base-url-guard.d.ts.map +1 -0
  164. package/dist/server/bearer/base-url-guard.js +55 -0
  165. package/dist/server/bearer/base-url-guard.js.map +1 -0
  166. package/dist/server/bearer/bearer-edge.d.ts +42 -0
  167. package/dist/server/bearer/bearer-edge.d.ts.map +1 -0
  168. package/dist/server/bearer/bearer-edge.js +122 -0
  169. package/dist/server/bearer/bearer-edge.js.map +1 -0
  170. package/dist/server/bearer/bearer-token.d.ts +27 -0
  171. package/dist/server/bearer/bearer-token.d.ts.map +1 -0
  172. package/dist/server/bearer/bearer-token.js +50 -0
  173. package/dist/server/bearer/bearer-token.js.map +1 -0
  174. package/dist/server/bearer/index.d.ts +3 -0
  175. package/dist/server/bearer/index.d.ts.map +1 -0
  176. package/dist/server/bearer/index.js +19 -0
  177. package/dist/server/bearer/index.js.map +1 -0
  178. package/dist/server/http/auth-edge.d.ts +26 -0
  179. package/dist/server/http/auth-edge.d.ts.map +1 -0
  180. package/dist/server/http/auth-edge.js +75 -0
  181. package/dist/server/http/auth-edge.js.map +1 -0
  182. package/dist/server/http/broker-handlers.d.ts +45 -0
  183. package/dist/server/http/broker-handlers.d.ts.map +1 -0
  184. package/dist/server/http/broker-handlers.js +224 -0
  185. package/dist/server/http/broker-handlers.js.map +1 -0
  186. package/dist/server/http/{httpServer.d.ts → http-server.d.ts} +5 -13
  187. package/dist/server/http/http-server.d.ts.map +1 -0
  188. package/dist/server/http/{httpServer.js → http-server.js} +19 -53
  189. package/dist/server/http/http-server.js.map +1 -0
  190. package/dist/server/http/index.d.ts +1 -3
  191. package/dist/server/http/index.d.ts.map +1 -1
  192. package/dist/server/http/index.js +1 -3
  193. package/dist/server/http/index.js.map +1 -1
  194. package/dist/server/http/mcp-handlers.d.ts.map +1 -1
  195. package/dist/server/http/mcp-handlers.js +16 -3
  196. package/dist/server/http/mcp-handlers.js.map +1 -1
  197. package/dist/server/http/middleware.d.ts +3 -4
  198. package/dist/server/http/middleware.d.ts.map +1 -1
  199. package/dist/server/http/middleware.js +33 -23
  200. package/dist/server/http/middleware.js.map +1 -1
  201. package/dist/server/http/public-origin.d.ts +10 -0
  202. package/dist/server/http/public-origin.d.ts.map +1 -0
  203. package/dist/server/http/public-origin.js +19 -0
  204. package/dist/server/http/public-origin.js.map +1 -0
  205. package/dist/server/http/rate-limiter.d.ts +1 -1
  206. package/dist/server/http/rate-limiter.d.ts.map +1 -1
  207. package/dist/server/http/rate-limiter.js +11 -11
  208. package/dist/server/http/rate-limiter.js.map +1 -1
  209. package/dist/server/http-agent.d.ts +9 -0
  210. package/dist/server/http-agent.d.ts.map +1 -0
  211. package/dist/server/http-agent.js +35 -0
  212. package/dist/server/http-agent.js.map +1 -0
  213. package/dist/server/index.d.ts +2 -0
  214. package/dist/server/index.d.ts.map +1 -1
  215. package/dist/server/index.js +2 -0
  216. package/dist/server/index.js.map +1 -1
  217. package/dist/server/keepalive.d.ts +26 -0
  218. package/dist/server/keepalive.d.ts.map +1 -0
  219. package/dist/server/keepalive.js +64 -0
  220. package/dist/server/keepalive.js.map +1 -0
  221. package/dist/server/mcp/creatio-rest.d.ts +6 -0
  222. package/dist/server/mcp/creatio-rest.d.ts.map +1 -1
  223. package/dist/server/mcp/creatio-rest.js +21 -3
  224. package/dist/server/mcp/creatio-rest.js.map +1 -1
  225. package/dist/server/mcp/crtmcp/crt-mcp-client.d.ts +1 -1
  226. package/dist/server/mcp/crtmcp/crt-mcp-client.d.ts.map +1 -1
  227. package/dist/server/mcp/crtmcp/crt-mcp-client.js +16 -13
  228. package/dist/server/mcp/crtmcp/crt-mcp-client.js.map +1 -1
  229. package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.d.ts +2 -2
  230. package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.d.ts.map +1 -1
  231. package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.js +17 -17
  232. package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.js.map +1 -1
  233. package/dist/server/mcp/dataforge/dataforge-client.d.ts +12 -12
  234. package/dist/server/mcp/dataforge/dataforge-client.d.ts.map +1 -1
  235. package/dist/server/mcp/dataforge/dataforge-client.js +40 -47
  236. package/dist/server/mcp/dataforge/dataforge-client.js.map +1 -1
  237. package/dist/server/mcp/dataforge/dataforge-tool-preparer.d.ts +2 -2
  238. package/dist/server/mcp/dataforge/dataforge-tool-preparer.d.ts.map +1 -1
  239. package/dist/server/mcp/dataforge/dataforge-tool-preparer.js +9 -9
  240. package/dist/server/mcp/dataforge/dataforge-tool-preparer.js.map +1 -1
  241. package/dist/server/mcp/filters.d.ts.map +1 -1
  242. package/dist/server/mcp/filters.js +4 -1
  243. package/dist/server/mcp/filters.js.map +1 -1
  244. package/dist/server/mcp/globalsearch/globalsearch-client.d.ts +4 -4
  245. package/dist/server/mcp/globalsearch/globalsearch-client.d.ts.map +1 -1
  246. package/dist/server/mcp/globalsearch/globalsearch-client.js +39 -50
  247. package/dist/server/mcp/globalsearch/globalsearch-client.js.map +1 -1
  248. package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.d.ts +1 -1
  249. package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.d.ts.map +1 -1
  250. package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.js +1 -1
  251. package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.js.map +1 -1
  252. package/dist/server/mcp/server.d.ts +35 -8
  253. package/dist/server/mcp/server.d.ts.map +1 -1
  254. package/dist/server/mcp/server.js +104 -44
  255. package/dist/server/mcp/server.js.map +1 -1
  256. package/dist/server/mcp/tools-data.d.ts +2 -2
  257. package/dist/server/mcp/tools-data.d.ts.map +1 -1
  258. package/dist/server/mcp/tools-data.js +1 -1
  259. package/dist/server/mcp/tools-data.js.map +1 -1
  260. package/dist/server/oauth/oauth-server.d.ts +41 -10
  261. package/dist/server/oauth/oauth-server.d.ts.map +1 -1
  262. package/dist/server/oauth/oauth-server.js +82 -48
  263. package/dist/server/oauth/oauth-server.js.map +1 -1
  264. package/dist/server/oauth/storage.d.ts +42 -5
  265. package/dist/server/oauth/storage.d.ts.map +1 -1
  266. package/dist/server/oauth/storage.js +81 -18
  267. package/dist/server/oauth/storage.js.map +1 -1
  268. package/dist/server/oauth/token-manager.d.ts +21 -4
  269. package/dist/server/oauth/token-manager.d.ts.map +1 -1
  270. package/dist/server/oauth/token-manager.js +18 -19
  271. package/dist/server/oauth/token-manager.js.map +1 -1
  272. package/dist/server/oauth/types.d.ts +0 -12
  273. package/dist/server/oauth/types.d.ts.map +1 -1
  274. package/dist/server/oauth/validators.d.ts.map +1 -1
  275. package/dist/server/oauth/validators.js +14 -5
  276. package/dist/server/oauth/validators.js.map +1 -1
  277. package/dist/sessions/index.d.ts +1 -1
  278. package/dist/sessions/index.d.ts.map +1 -1
  279. package/dist/sessions/index.js +1 -1
  280. package/dist/sessions/index.js.map +1 -1
  281. package/dist/sessions/redis-token-store.d.ts +22 -0
  282. package/dist/sessions/redis-token-store.d.ts.map +1 -0
  283. package/dist/sessions/redis-token-store.js +70 -0
  284. package/dist/sessions/redis-token-store.js.map +1 -0
  285. package/dist/sessions/session-context.d.ts +21 -40
  286. package/dist/sessions/session-context.d.ts.map +1 -1
  287. package/dist/sessions/session-context.js +25 -105
  288. package/dist/sessions/session-context.js.map +1 -1
  289. package/dist/sessions/token-crypto.d.ts +8 -0
  290. package/dist/sessions/token-crypto.d.ts.map +1 -0
  291. package/dist/sessions/token-crypto.js +43 -0
  292. package/dist/sessions/token-crypto.js.map +1 -0
  293. package/dist/sessions/token-store.d.ts +42 -0
  294. package/dist/sessions/token-store.d.ts.map +1 -0
  295. package/dist/sessions/token-store.js +66 -0
  296. package/dist/sessions/token-store.js.map +1 -0
  297. package/dist/utils/context.d.ts +12 -0
  298. package/dist/utils/context.d.ts.map +1 -1
  299. package/dist/utils/context.js +16 -0
  300. package/dist/utils/context.js.map +1 -1
  301. package/dist/utils/env-aliases.d.ts +9 -0
  302. package/dist/utils/env-aliases.d.ts.map +1 -0
  303. package/dist/utils/env-aliases.js +61 -0
  304. package/dist/utils/env-aliases.js.map +1 -0
  305. package/dist/utils/env.d.ts +5 -0
  306. package/dist/utils/env.d.ts.map +1 -1
  307. package/dist/utils/env.js +10 -1
  308. package/dist/utils/env.js.map +1 -1
  309. package/package.json +78 -74
  310. package/dist/creatio/auth/providers/oauth2-code-provider.d.ts +0 -21
  311. package/dist/creatio/auth/providers/oauth2-code-provider.d.ts.map +0 -1
  312. package/dist/creatio/auth/providers/oauth2-code-provider.js +0 -251
  313. package/dist/creatio/auth/providers/oauth2-code-provider.js.map +0 -1
  314. package/dist/server/http/creatio-oauth-handlers.d.ts +0 -13
  315. package/dist/server/http/creatio-oauth-handlers.d.ts.map +0 -1
  316. package/dist/server/http/creatio-oauth-handlers.js +0 -160
  317. package/dist/server/http/creatio-oauth-handlers.js.map +0 -1
  318. package/dist/server/http/httpServer.d.ts.map +0 -1
  319. package/dist/server/http/httpServer.js.map +0 -1
  320. package/dist/server/http/mcp-oauth-handlers.d.ts +0 -11
  321. package/dist/server/http/mcp-oauth-handlers.d.ts.map +0 -1
  322. package/dist/server/http/mcp-oauth-handlers.js +0 -118
  323. package/dist/server/http/mcp-oauth-handlers.js.map +0 -1
  324. package/dist/sessions/token-refresh-scheduler.d.ts +0 -16
  325. package/dist/sessions/token-refresh-scheduler.d.ts.map +0 -1
  326. package/dist/sessions/token-refresh-scheduler.js +0 -66
  327. package/dist/sessions/token-refresh-scheduler.js.map +0 -1
@@ -10,14 +10,17 @@ const client_manager_1 = require("./client-manager");
10
10
  const storage_1 = require("./storage");
11
11
  const token_manager_1 = require("./token-manager");
12
12
  const validators_1 = require("./validators");
13
+ const ACCESS_TOKEN_TTL_SECONDS = 3600;
14
+ const ISSUED_SCOPE = 'offline_access';
13
15
  class OAuthServer {
14
- _jwtSecret = crypto_1.default.randomBytes(32).toString('hex');
15
16
  _storage = new storage_1.OAuthStorage();
16
17
  _tokenManager;
17
- _baseUrl;
18
- constructor(baseUrl = 'http://localhost:3000') {
19
- this._baseUrl = baseUrl;
20
- this._tokenManager = new token_manager_1.OAuthTokenManager(this._jwtSecret);
18
+ /**
19
+ * @param jwtSecret stable secret (from `CREATIO_MCP_JWT_SECRET`) signing the tokens issued to
20
+ * MCP clients — stable so issued tokens survive a restart, unlike a random per-process key.
21
+ */
22
+ constructor(jwtSecret) {
23
+ this._tokenManager = new token_manager_1.OAuthTokenManager(jwtSecret);
21
24
  }
22
25
  _autoRegisterClientIfNeeded(client_id, redirect_uri) {
23
26
  if (this._storage.hasClient(client_id)) {
@@ -33,19 +36,32 @@ class OAuthServer {
33
36
  this._storage.addClient(client);
34
37
  return true;
35
38
  }
36
- getAuthorizationServerMetadata() {
39
+ /** Mint an access token + a freshly-stored (rotating) refresh token as a standard OAuth response. */
40
+ _issueTokens(userKey, client_id, aud) {
41
+ const access_token = this._tokenManager.generateAccessToken(userKey, client_id, aud);
42
+ const refresh_token = this._tokenManager.generateRefreshToken();
43
+ this._storage.storeRefreshToken(refresh_token, userKey, client_id);
37
44
  return {
38
- issuer: this._baseUrl,
39
- authorization_endpoint: `${this._baseUrl}/authorize`,
40
- token_endpoint: `${this._baseUrl}/token`,
41
- registration_endpoint: `${this._baseUrl}/register`,
42
- response_types_supported: ['code'],
43
- grant_types_supported: ['authorization_code'],
44
- token_endpoint_auth_methods_supported: ['none', 'client_secret_post'],
45
- code_challenge_methods_supported: ['S256'],
46
- scopes_supported: ['openid'],
45
+ access_token,
46
+ token_type: 'Bearer',
47
+ expires_in: ACCESS_TOKEN_TTL_SECONDS,
48
+ refresh_token,
49
+ scope: ISSUED_SCOPE,
47
50
  };
48
51
  }
52
+ /**
53
+ * Records a brokered authorization in flight and returns its opaque broker state (used as the
54
+ * `state` on the Creatio leg). Server-side storage keeps the client's PKCE and our Creatio-leg
55
+ * verifier apart — nothing is embedded in the Creatio `state`.
56
+ */
57
+ createPendingAuthorization(data) {
58
+ const brokerState = crypto_1.default.randomBytes(32).toString('base64url');
59
+ this._storage.storePendingAuthorization(brokerState, data);
60
+ return brokerState;
61
+ }
62
+ takePendingAuthorization(brokerState) {
63
+ return this._storage.takePendingAuthorization(brokerState);
64
+ }
49
65
  registerClient(redirect_uris) {
50
66
  const client = client_manager_1.OAuthClientManager.createClient(redirect_uris);
51
67
  this._storage.addClient(client);
@@ -61,39 +77,13 @@ class OAuthServer {
61
77
  }
62
78
  return validators_1.OAuthValidators.validateAuthorizationRequest(params, client);
63
79
  }
64
- storeState(state, client_id) {
65
- this._storage.storeState(state, client_id);
66
- log_1.default.info('oauth.state.stored', { client_id });
67
- }
68
- validateState(state, client_id) {
69
- const stateData = this._storage.getState(state);
70
- if (!stateData) {
71
- log_1.default.warn('oauth.state.not_found', { client_id });
72
- return false;
73
- }
74
- if (stateData.expires_at < Date.now()) {
75
- this._storage.deleteState(state);
76
- log_1.default.warn('oauth.state.expired', { client_id });
77
- return false;
78
- }
79
- if (stateData.client_id !== client_id) {
80
- log_1.default.warn('oauth.state.client_mismatch', {
81
- expected: stateData.client_id,
82
- actual: client_id,
83
- });
84
- return false;
85
- }
86
- this._storage.deleteState(state);
87
- log_1.default.info('oauth.state.validated_successfully', { client_id });
88
- return true;
89
- }
90
80
  generateAuthorizationCode(client_id, redirect_uri, code_challenge, code_challenge_method, userKey) {
91
81
  const code = crypto_1.default.randomBytes(32).toString('base64url');
92
82
  this._storage.storeAuthorizationCode(code, client_id, redirect_uri, code_challenge, code_challenge_method, userKey);
93
83
  log_1.default.info('oauth.authorization_code.generated', { client_id, userKey });
94
84
  return code;
95
85
  }
96
- async exchangeCodeForToken(params) {
86
+ async exchangeCodeForToken(params, aud) {
97
87
  log_1.default.info('oauth.token.exchange_start', {
98
88
  grant_type: params.grant_type,
99
89
  client_id: params.client_id,
@@ -117,16 +107,60 @@ class OAuthServer {
117
107
  }
118
108
  return codeValidationError;
119
109
  }
120
- const tokenResponse = this._tokenManager.createTokenResponse(authCode.userKey, params.client_id);
121
110
  this._storage.deleteAuthorizationCode(params.code);
122
111
  log_1.default.info('oauth.token.issued', { client_id: params.client_id, userKey: authCode.userKey });
123
- return tokenResponse;
112
+ return this._issueTokens(authCode.userKey, params.client_id, aud);
124
113
  }
125
- validateAccessToken(token) {
126
- return this._tokenManager.validateAccessToken(token);
114
+ /**
115
+ * `refresh_token` grant: rotate the refresh token and mint a fresh access token WITHOUT a browser
116
+ * round-trip — bound to the same client (a stolen token can't be redeemed by another) and gated on
117
+ * the broker still holding this user's Creatio tokens, so a client never re-consents every hour.
118
+ */
119
+ async exchangeRefreshToken(params, aud, sessionStillHeld) {
120
+ const validationError = validators_1.OAuthValidators.validateTokenRequest(params);
121
+ if (validationError) {
122
+ return validationError;
123
+ }
124
+ const data = this._storage.getRefreshToken(params.refresh_token);
125
+ if (!data) {
126
+ return {
127
+ error: 'invalid_grant',
128
+ error_description: 'Invalid or expired refresh token',
129
+ };
130
+ }
131
+ if (data.client_id !== params.client_id) {
132
+ // Token presented by a different client than it was issued to — reuse/theft signal.
133
+ this._storage.deleteRefreshToken(params.refresh_token);
134
+ return { error: 'invalid_grant', error_description: 'Client mismatch' };
135
+ }
136
+ if (!(await sessionStillHeld(data.userKey))) {
137
+ this._storage.deleteRefreshToken(params.refresh_token);
138
+ return {
139
+ error: 'invalid_grant',
140
+ error_description: 'Session expired; re-authorization required',
141
+ };
142
+ }
143
+ // Rotate: the presented refresh token is single-use.
144
+ this._storage.deleteRefreshToken(params.refresh_token);
145
+ log_1.default.info('oauth.token.refreshed', { client_id: data.client_id, userKey: data.userKey });
146
+ return this._issueTokens(data.userKey, data.client_id, aud);
147
+ }
148
+ /** Verify a client-presented access token against this deployment's `iss`/`aud`; returns userKey. */
149
+ validateAccessToken(token, aud) {
150
+ return this._tokenManager.validateAccessToken(token, aud)?.userKey ?? null;
151
+ }
152
+ /** RFC 7009: resolve the user a presented token belongs to — our access JWT, or an issued
153
+ * refresh token. Returns `null` for an unknown/invalid token (caller still answers 200). */
154
+ resolveUserFromToken(token, aud) {
155
+ const decoded = this._tokenManager.validateAccessToken(token, aud);
156
+ if (decoded) {
157
+ return decoded.userKey;
158
+ }
159
+ return this._storage.getRefreshToken(token)?.userKey ?? null;
127
160
  }
128
- getClient(client_id) {
129
- return this._storage.getClient(client_id);
161
+ /** Invalidate every refresh token we issued for a user (logout / revoke). */
162
+ purgeRefreshTokensForUser(userKey) {
163
+ this._storage.deleteRefreshTokensForUser(userKey);
130
164
  }
131
165
  cleanup() {
132
166
  this._storage.cleanup();
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-server.js","sourceRoot":"","sources":["../../../src/server/oauth/oauth-server.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,oDAA4B;AAE5B,qDAAsD;AACtD,uCAAyC;AACzC,mDAAoD;AACpD,6CAA+C;AAW/C,MAAa,WAAW;IACN,UAAU,GAAW,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5D,QAAQ,GAAG,IAAI,sBAAY,EAAE,CAAC;IAC9B,aAAa,CAAoB;IAC1C,QAAQ,CAAS;IAEzB,YAAY,UAAkB,uBAAuB;QACpD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7D,CAAC;IAEO,2BAA2B,CAAC,SAAiB,EAAE,YAAoB;QAC1E,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACd,CAAC;QACD,8EAA8E;QAC9E,yFAAyF;QACzF,IAAI,CAAC,4BAAe,CAAC,oBAAoB,CAAC,YAAY,CAAC,EAAE,CAAC;YACzD,aAAG,CAAC,IAAI,CAAC,qCAAqC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC/D,OAAO,KAAK,CAAC;QACd,CAAC;QACD,MAAM,MAAM,GAAG,mCAAkB,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAC9E,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,8BAA8B;QACpC,OAAO;YACN,MAAM,EAAE,IAAI,CAAC,QAAQ;YACrB,sBAAsB,EAAE,GAAG,IAAI,CAAC,QAAQ,YAAY;YACpD,cAAc,EAAE,GAAG,IAAI,CAAC,QAAQ,QAAQ;YACxC,qBAAqB,EAAE,GAAG,IAAI,CAAC,QAAQ,WAAW;YAClD,wBAAwB,EAAE,CAAC,MAAM,CAAC;YAClC,qBAAqB,EAAE,CAAC,oBAAoB,CAAC;YAC7C,qCAAqC,EAAE,CAAC,MAAM,EAAE,oBAAoB,CAAC;YACrE,gCAAgC,EAAE,CAAC,MAAM,CAAC;YAC1C,gBAAgB,EAAE,CAAC,QAAQ,CAAC;SAC5B,CAAC;IACH,CAAC;IAEM,cAAc,CAAC,aAAuB;QAC5C,MAAM,MAAM,GAAG,mCAAkB,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9D,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,MAAiC;QACpE,IAAI,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,MAAM,aAAa,GAAG,IAAI,CAAC,2BAA2B,CACrD,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,YAAY,CACnB,CAAC;YACF,IAAI,aAAa,EAAE,CAAC;gBACnB,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;QACF,CAAC;QACD,OAAO,4BAAe,CAAC,4BAA4B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrE,CAAC;IAEM,UAAU,CAAC,KAAa,EAAE,SAAiB;QACjD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAC3C,aAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/C,CAAC;IAEM,aAAa,CAAC,KAAa,EAAE,SAAiB;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,aAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YACjD,OAAO,KAAK,CAAC;QACd,CAAC;QACD,IAAI,SAAS,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACjC,aAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC/C,OAAO,KAAK,CAAC;QACd,CAAC;QACD,IAAI,SAAS,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACvC,aAAG,CAAC,IAAI,CAAC,6BAA6B,EAAE;gBACvC,QAAQ,EAAE,SAAS,CAAC,SAAS;gBAC7B,MAAM,EAAE,SAAS;aACjB,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACd,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACjC,aAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,yBAAyB,CAC/B,SAAiB,EACjB,YAAoB,EACpB,cAAsB,EACtB,qBAA6B,EAC7B,OAAe;QAEf,MAAM,IAAI,GAAG,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CACnC,IAAI,EACJ,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,OAAO,CACP,CAAC;QACF,aAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QACvE,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAChC,MAAyB;QAEzB,aAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;YACtC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa;SACzC,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,4BAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,eAAe,EAAE,CAAC;YACrB,OAAO,eAAe,CAAC;QACxB,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;QAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,aAAG,CAAC,KAAK,CAAC,4BAA4B,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YACzE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,CAAC;QACpF,CAAC;QACD,MAAM,mBAAmB,GAAG,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtF,IAAI,mBAAmB,EAAE,CAAC;YACzB,IACC,mBAAmB,CAAC,KAAK,KAAK,eAAe;gBAC7C,mBAAmB,CAAC,iBAAiB,KAAK,4BAA4B,EACrE,CAAC;gBACF,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,mBAAmB,CAAC;QAC5B,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAC3D,QAAQ,CAAC,OAAO,EAChB,MAAM,CAAC,SAAS,CAChB,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;QACpD,aAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,aAAa,CAAC;IACtB,CAAC;IAEM,mBAAmB,CAAC,KAAa;QACvC,OAAO,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAC3C,CAAC;IAEM,OAAO;QACb,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;IACzB,CAAC;CACD;AA5JD,kCA4JC"}
1
+ {"version":3,"file":"oauth-server.js","sourceRoot":"","sources":["../../../src/server/oauth/oauth-server.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,oDAA4B;AAE5B,qDAAsD;AACtD,uCAAyC;AACzC,mDAAmE;AACnE,6CAA+C;AAc/C,MAAM,wBAAwB,GAAG,IAAI,CAAC;AACtC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAEtC,MAAa,WAAW;IACN,QAAQ,GAAG,IAAI,sBAAY,EAAE,CAAC;IAC9B,aAAa,CAAoB;IAElD;;;OAGG;IACH,YAAY,SAAiB;QAC5B,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAiB,CAAC,SAAS,CAAC,CAAC;IACvD,CAAC;IAEO,2BAA2B,CAAC,SAAiB,EAAE,YAAoB;QAC1E,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACd,CAAC;QACD,8EAA8E;QAC9E,yFAAyF;QACzF,IAAI,CAAC,4BAAe,CAAC,oBAAoB,CAAC,YAAY,CAAC,EAAE,CAAC;YACzD,aAAG,CAAC,IAAI,CAAC,qCAAqC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC/D,OAAO,KAAK,CAAC;QACd,CAAC;QACD,MAAM,MAAM,GAAG,mCAAkB,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAC9E,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACb,CAAC;IAED,qGAAqG;IAC7F,YAAY,CAAC,OAAe,EAAE,SAAiB,EAAE,GAAkB;QAC1E,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACrF,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,oBAAoB,EAAE,CAAC;QAChE,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,aAAa,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QACnE,OAAO;YACN,YAAY;YACZ,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,wBAAwB;YACpC,aAAa;YACb,KAAK,EAAE,YAAY;SACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,0BAA0B,CAAC,IAOjC;QACA,MAAM,WAAW,GAAG,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACjE,IAAI,CAAC,QAAQ,CAAC,yBAAyB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAC3D,OAAO,WAAW,CAAC;IACpB,CAAC;IAEM,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,WAAW,CAAC,CAAC;IAC5D,CAAC;IAEM,cAAc,CAAC,aAAuB;QAC5C,MAAM,MAAM,GAAG,mCAAkB,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9D,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,MAAiC;QACpE,IAAI,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,MAAM,aAAa,GAAG,IAAI,CAAC,2BAA2B,CACrD,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,YAAY,CACnB,CAAC;YACF,IAAI,aAAa,EAAE,CAAC;gBACnB,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;QACF,CAAC;QACD,OAAO,4BAAe,CAAC,4BAA4B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrE,CAAC;IAEM,yBAAyB,CAC/B,SAAiB,EACjB,YAAoB,EACpB,cAAsB,EACtB,qBAA6B,EAC7B,OAAe;QAEf,MAAM,IAAI,GAAG,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CACnC,IAAI,EACJ,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,OAAO,CACP,CAAC;QACF,aAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QACvE,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAChC,MAAyB,EACzB,GAAkB;QAElB,aAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;YACtC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa;SACzC,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,4BAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,eAAe,EAAE,CAAC;YACrB,OAAO,eAAe,CAAC;QACxB,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;QAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,aAAG,CAAC,KAAK,CAAC,4BAA4B,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YACzE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,CAAC;QACpF,CAAC;QACD,MAAM,mBAAmB,GAAG,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtF,IAAI,mBAAmB,EAAE,CAAC;YACzB,IACC,mBAAmB,CAAC,KAAK,KAAK,eAAe;gBAC7C,mBAAmB,CAAC,iBAAiB,KAAK,4BAA4B,EACrE,CAAC;gBACF,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,mBAAmB,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;QACpD,aAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACnE,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,oBAAoB,CAChC,MAAyB,EACzB,GAAkB,EAClB,gBAAkC;QAElC,MAAM,eAAe,GAAG,4BAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,eAAe,EAAE,CAAC;YACrB,OAAO,eAAe,CAAC;QACxB,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;QAClE,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO;gBACN,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,kCAAkC;aACrD,CAAC;QACH,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACzC,oFAAoF;YACpF,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;YACxD,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC7C,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;YACxD,OAAO;gBACN,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,4CAA4C;aAC/D,CAAC;QACH,CAAC;QACD,qDAAqD;QACrD,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;QACxD,aAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QACxF,OAAO,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,qGAAqG;IAC9F,mBAAmB,CAAC,KAAa,EAAE,GAAkB;QAC3D,OAAO,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IAC5E,CAAC;IAED;iGAC6F;IACtF,oBAAoB,CAAC,KAAa,EAAE,GAAkB;QAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACnE,IAAI,OAAO,EAAE,CAAC;YACb,OAAO,OAAO,CAAC,OAAO,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IAC9D,CAAC;IAED,6EAA6E;IACtE,yBAAyB,CAAC,OAAe;QAC/C,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IAEM,OAAO;QACb,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;IACzB,CAAC;CACD;AAvMD,kCAuMC"}
@@ -7,23 +7,60 @@ export interface AuthorizationCodeData {
7
7
  userKey: string;
8
8
  expires_at: number;
9
9
  }
10
- export interface StateData {
10
+ /**
11
+ * A brokered authorization in flight between `/authorize` and `/oauth/callback`. It links the MCP
12
+ * client's request (its redirect + PKCE + state) to our own Creatio-leg PKCE verifier, keyed by an
13
+ * opaque broker state. Kept server-side ON PURPOSE — nothing is embedded in the Creatio `state`
14
+ * string, so the two PKCE pairs never collide.
15
+ */
16
+ export interface PendingAuthorizationData {
17
+ client_id: string;
18
+ /** The MCP client's redirect URI (where we send our code at the end). */
19
+ redirect_uri: string;
20
+ /** The MCP client's PKCE challenge (verified later at /token). */
21
+ code_challenge: string;
22
+ code_challenge_method: string;
23
+ /** The MCP client's state, echoed back to it. */
24
+ client_state?: string | undefined;
25
+ /** Our Creatio-leg PKCE verifier, used to exchange the Creatio code in the callback. */
26
+ creatio_verifier: string;
27
+ expires_at: number;
28
+ }
29
+ /** A refresh token the broker issued to a client, bound to the user it represents and the client
30
+ * it was issued to (so a stolen token can't be redeemed by a different client). Single-use:
31
+ * rotated on every refresh. */
32
+ export interface RefreshTokenData {
33
+ userKey: string;
11
34
  client_id: string;
12
35
  expires_at: number;
13
36
  }
14
37
  export declare class OAuthStorage {
38
+ private static readonly CLIENT_TTL_MS;
39
+ private static readonly MAX_CLIENTS;
40
+ private static readonly REFRESH_TOKEN_TTL_MS;
15
41
  private readonly _clients;
16
42
  private readonly _authorizationCodes;
17
- private readonly _authorizationStates;
43
+ private readonly _pendingAuthorizations;
44
+ private readonly _refreshTokens;
45
+ private _evictExpired;
46
+ private _evictExpiredClients;
47
+ /** Hard-cap the client store, evicting the oldest (insertion order ~ creation order). */
48
+ private _capClients;
18
49
  addClient(client: OAuthClient): void;
19
50
  getClient(client_id: string): OAuthClient | undefined;
20
51
  hasClient(client_id: string): boolean;
21
52
  storeAuthorizationCode(code: string, client_id: string, redirect_uri: string, code_challenge: string, code_challenge_method: string, userKey: string, expiresInMs?: number): void;
22
53
  getAuthorizationCode(code: string): AuthorizationCodeData | undefined;
23
54
  deleteAuthorizationCode(code: string): void;
24
- storeState(state: string, client_id: string, expiresInMs?: number): void;
25
- getState(state: string): StateData | undefined;
26
- deleteState(state: string): void;
55
+ storePendingAuthorization(brokerState: string, data: Omit<PendingAuthorizationData, 'expires_at'>, expiresInMs?: number): void;
56
+ /** Returns and removes the pending authorization (single-use), or `undefined` if absent/expired. */
57
+ takePendingAuthorization(brokerState: string): PendingAuthorizationData | undefined;
58
+ storeRefreshToken(token: string, userKey: string, client_id: string, expiresInMs?: number): void;
59
+ /** Returns the refresh-token record, or `undefined` if absent/expired (expired ones are pruned). */
60
+ getRefreshToken(token: string): RefreshTokenData | undefined;
61
+ deleteRefreshToken(token: string): void;
62
+ /** Drop every refresh token issued for a user (logout / revoke). */
63
+ deleteRefreshTokensForUser(userKey: string): void;
27
64
  cleanup(): void;
28
65
  }
29
66
  //# sourceMappingURL=storage.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C,MAAM,WAAW,qBAAqB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,YAAY;IACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAkC;IAC3D,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAA4C;IAChF,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAgC;IAE9D,SAAS,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAIpC,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAIrD,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIrC,sBAAsB,CAC5B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,EACtB,qBAAqB,EAAE,MAAM,EAC7B,OAAO,EAAE,MAAM,EACf,WAAW,GAAE,MAAuB,GAClC,IAAI;IAYA,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,qBAAqB,GAAG,SAAS;IAIrE,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAI3C,UAAU,CAChB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,WAAW,GAAE,MAAuB,GAClC,IAAI;IAKA,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI9C,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAIhC,OAAO,IAAI,IAAI;CAiBtB"}
1
+ {"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C,MAAM,WAAW,qBAAqB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iDAAiD;IACjD,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,wFAAwF;IACxF,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED;;gCAEgC;AAChC,MAAM,WAAW,gBAAgB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,YAAY;IAGxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAuB;IAC5D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAQ;IAC3C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAA4B;IAExE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAkC;IAC3D,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAA4C;IAChF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAA+C;IACtF,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAuC;IAEtE,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,oBAAoB;IAS5B,yFAAyF;IACzF,OAAO,CAAC,WAAW;IAUZ,SAAS,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAKpC,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAIrD,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIrC,sBAAsB,CAC5B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,EACtB,qBAAqB,EAAE,MAAM,EAC7B,OAAO,EAAE,MAAM,EACf,WAAW,GAAE,MAAuB,GAClC,IAAI;IAYA,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,qBAAqB,GAAG,SAAS;IAIrE,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAI3C,yBAAyB,CAC/B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,CAAC,wBAAwB,EAAE,YAAY,CAAC,EAClD,WAAW,GAAE,MAAuB,GAClC,IAAI;IAOP,oGAAoG;IAC7F,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,wBAAwB,GAAG,SAAS;IASnF,iBAAiB,CACvB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,WAAW,GAAE,MAA0C,GACrD,IAAI;IAQP,oGAAoG;IAC7F,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAY5D,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAI9C,oEAAoE;IAC7D,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAQjD,OAAO,IAAI,IAAI;CAatB"}
@@ -6,11 +6,43 @@ Object.defineProperty(exports, "__esModule", { value: true });
6
6
  exports.OAuthStorage = void 0;
7
7
  const log_1 = __importDefault(require("../../log"));
8
8
  class OAuthStorage {
9
+ // Dynamically-registered clients are unauthenticated (open DCR), so the store is bounded by TTL
10
+ // + a hard cap, evicting the oldest, to deny a memory-exhaustion DoS via IP-rotating /register.
11
+ static CLIENT_TTL_MS = 24 * 60 * 60 * 1000;
12
+ static MAX_CLIENTS = 1000;
13
+ static REFRESH_TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000;
9
14
  _clients = new Map();
10
15
  _authorizationCodes = new Map();
11
- _authorizationStates = new Map();
16
+ _pendingAuthorizations = new Map();
17
+ _refreshTokens = new Map();
18
+ _evictExpired(map, now) {
19
+ for (const [key, data] of map.entries()) {
20
+ if (now > data.expires_at) {
21
+ map.delete(key);
22
+ }
23
+ }
24
+ }
25
+ _evictExpiredClients(now) {
26
+ for (const [id, client] of this._clients.entries()) {
27
+ if (now - client.created_at > OAuthStorage.CLIENT_TTL_MS) {
28
+ this._clients.delete(id);
29
+ }
30
+ }
31
+ this._capClients();
32
+ }
33
+ /** Hard-cap the client store, evicting the oldest (insertion order ~ creation order). */
34
+ _capClients() {
35
+ while (this._clients.size > OAuthStorage.MAX_CLIENTS) {
36
+ const oldest = this._clients.keys().next().value;
37
+ if (oldest === undefined) {
38
+ break;
39
+ }
40
+ this._clients.delete(oldest);
41
+ }
42
+ }
12
43
  addClient(client) {
13
44
  this._clients.set(client.client_id, client);
45
+ this._capClients();
14
46
  }
15
47
  getClient(client_id) {
16
48
  return this._clients.get(client_id);
@@ -35,31 +67,62 @@ class OAuthStorage {
35
67
  deleteAuthorizationCode(code) {
36
68
  this._authorizationCodes.delete(code);
37
69
  }
38
- storeState(state, client_id, expiresInMs = 30 * 60 * 1000) {
39
- const expires_at = Date.now() + expiresInMs;
40
- this._authorizationStates.set(state, { client_id, expires_at });
70
+ storePendingAuthorization(brokerState, data, expiresInMs = 10 * 60 * 1000) {
71
+ this._pendingAuthorizations.set(brokerState, {
72
+ ...data,
73
+ expires_at: Date.now() + expiresInMs,
74
+ });
41
75
  }
42
- getState(state) {
43
- return this._authorizationStates.get(state);
76
+ /** Returns and removes the pending authorization (single-use), or `undefined` if absent/expired. */
77
+ takePendingAuthorization(brokerState) {
78
+ const data = this._pendingAuthorizations.get(brokerState);
79
+ if (!data) {
80
+ return undefined;
81
+ }
82
+ this._pendingAuthorizations.delete(brokerState);
83
+ return Date.now() > data.expires_at ? undefined : data;
44
84
  }
45
- deleteState(state) {
46
- this._authorizationStates.delete(state);
85
+ storeRefreshToken(token, userKey, client_id, expiresInMs = OAuthStorage.REFRESH_TOKEN_TTL_MS) {
86
+ this._refreshTokens.set(token, {
87
+ userKey,
88
+ client_id,
89
+ expires_at: Date.now() + expiresInMs,
90
+ });
47
91
  }
48
- cleanup() {
49
- const now = Date.now();
50
- for (const [code, data] of this._authorizationCodes.entries()) {
51
- if (now > data.expires_at) {
52
- this._authorizationCodes.delete(code);
53
- }
92
+ /** Returns the refresh-token record, or `undefined` if absent/expired (expired ones are pruned). */
93
+ getRefreshToken(token) {
94
+ const data = this._refreshTokens.get(token);
95
+ if (!data) {
96
+ return undefined;
54
97
  }
55
- for (const [state, data] of this._authorizationStates.entries()) {
56
- if (now > data.expires_at) {
57
- this._authorizationStates.delete(state);
98
+ if (Date.now() > data.expires_at) {
99
+ this._refreshTokens.delete(token);
100
+ return undefined;
101
+ }
102
+ return data;
103
+ }
104
+ deleteRefreshToken(token) {
105
+ this._refreshTokens.delete(token);
106
+ }
107
+ /** Drop every refresh token issued for a user (logout / revoke). */
108
+ deleteRefreshTokensForUser(userKey) {
109
+ for (const [token, data] of this._refreshTokens) {
110
+ if (data.userKey === userKey) {
111
+ this._refreshTokens.delete(token);
58
112
  }
59
113
  }
114
+ }
115
+ cleanup() {
116
+ const now = Date.now();
117
+ this._evictExpired(this._authorizationCodes, now);
118
+ this._evictExpired(this._pendingAuthorizations, now);
119
+ this._evictExpired(this._refreshTokens, now);
120
+ this._evictExpiredClients(now);
60
121
  log_1.default.info('oauth.storage.cleanup.completed', {
61
122
  remaining_codes: this._authorizationCodes.size,
62
- remaining_states: this._authorizationStates.size,
123
+ remaining_pending: this._pendingAuthorizations.size,
124
+ remaining_refresh: this._refreshTokens.size,
125
+ remaining_clients: this._clients.size,
63
126
  });
64
127
  }
65
128
  }
@@ -1 +1 @@
1
- {"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAkB5B,MAAa,YAAY;IACP,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC1C,mBAAmB,GAAG,IAAI,GAAG,EAAiC,CAAC;IAC/D,oBAAoB,GAAG,IAAI,GAAG,EAAqB,CAAC;IAE9D,SAAS,CAAC,MAAmB;QACnC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC7C,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAEM,sBAAsB,CAC5B,IAAY,EACZ,SAAiB,EACjB,YAAoB,EACpB,cAAsB,EACtB,qBAA6B,EAC7B,OAAe,EACf,cAAsB,EAAE,GAAG,EAAE,GAAG,IAAI;QAEpC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC;QAC5C,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,EAAE;YAClC,SAAS;YACT,YAAY;YACZ,cAAc;YACd,qBAAqB;YACrB,OAAO;YACP,UAAU;SACV,CAAC,CAAC;IACJ,CAAC;IAEM,oBAAoB,CAAC,IAAY;QACvC,OAAO,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAEM,uBAAuB,CAAC,IAAY;QAC1C,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IAEM,UAAU,CAChB,KAAa,EACb,SAAiB,EACjB,cAAsB,EAAE,GAAG,EAAE,GAAG,IAAI;QAEpC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC;QAC5C,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC;IACjE,CAAC;IAEM,QAAQ,CAAC,KAAa;QAC5B,OAAO,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC;IAEM,WAAW,CAAC,KAAa;QAC/B,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAEM,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/D,IAAI,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC3B,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACvC,CAAC;QACF,CAAC;QACD,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC;YACjE,IAAI,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC3B,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACzC,CAAC;QACF,CAAC;QACD,aAAG,CAAC,IAAI,CAAC,iCAAiC,EAAE;YAC3C,eAAe,EAAE,IAAI,CAAC,mBAAmB,CAAC,IAAI;YAC9C,gBAAgB,EAAE,IAAI,CAAC,oBAAoB,CAAC,IAAI;SAChD,CAAC,CAAC;IACJ,CAAC;CACD;AA/ED,oCA+EC"}
1
+ {"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AA0C5B,MAAa,YAAY;IACxB,gGAAgG;IAChG,gGAAgG;IACxF,MAAM,CAAU,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACpD,MAAM,CAAU,WAAW,GAAG,IAAI,CAAC;IACnC,MAAM,CAAU,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEvD,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC1C,mBAAmB,GAAG,IAAI,GAAG,EAAiC,CAAC;IAC/D,sBAAsB,GAAG,IAAI,GAAG,EAAoC,CAAC;IACrE,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE9D,aAAa,CAAC,GAAwC,EAAE,GAAW;QAC1E,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;YACzC,IAAI,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjB,CAAC;QACF,CAAC;IACF,CAAC;IAEO,oBAAoB,CAAC,GAAW;QACvC,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACpD,IAAI,GAAG,GAAG,MAAM,CAAC,UAAU,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;gBAC1D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACF,CAAC;QACD,IAAI,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;IAED,yFAAyF;IACjF,WAAW;QAClB,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YACjD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC1B,MAAM;YACP,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;IACF,CAAC;IAEM,SAAS,CAAC,MAAmB;QACnC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAEM,sBAAsB,CAC5B,IAAY,EACZ,SAAiB,EACjB,YAAoB,EACpB,cAAsB,EACtB,qBAA6B,EAC7B,OAAe,EACf,cAAsB,EAAE,GAAG,EAAE,GAAG,IAAI;QAEpC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC;QAC5C,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,EAAE;YAClC,SAAS;YACT,YAAY;YACZ,cAAc;YACd,qBAAqB;YACrB,OAAO;YACP,UAAU;SACV,CAAC,CAAC;IACJ,CAAC;IAEM,oBAAoB,CAAC,IAAY;QACvC,OAAO,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAEM,uBAAuB,CAAC,IAAY;QAC1C,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IAEM,yBAAyB,CAC/B,WAAmB,EACnB,IAAkD,EAClD,cAAsB,EAAE,GAAG,EAAE,GAAG,IAAI;QAEpC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,WAAW,EAAE;YAC5C,GAAG,IAAI;YACP,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;SACpC,CAAC,CAAC;IACJ,CAAC;IAED,oGAAoG;IAC7F,wBAAwB,CAAC,WAAmB;QAClD,MAAM,IAAI,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,SAAS,CAAC;QAClB,CAAC;QACD,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IACxD,CAAC;IAEM,iBAAiB,CACvB,KAAa,EACb,OAAe,EACf,SAAiB,EACjB,cAAsB,YAAY,CAAC,oBAAoB;QAEvD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE;YAC9B,OAAO;YACP,SAAS;YACT,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;SACpC,CAAC,CAAC;IACJ,CAAC;IAED,oGAAoG;IAC7F,eAAe,CAAC,KAAa;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,SAAS,CAAC;QAClB,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClC,OAAO,SAAS,CAAC;QAClB,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,kBAAkB,CAAC,KAAa;QACtC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,oEAAoE;IAC7D,0BAA0B,CAAC,OAAe;QAChD,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACjD,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC9B,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;QACF,CAAC;IACF,CAAC;IAEM,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC/B,aAAG,CAAC,IAAI,CAAC,iCAAiC,EAAE;YAC3C,eAAe,EAAE,IAAI,CAAC,mBAAmB,CAAC,IAAI;YAC9C,iBAAiB,EAAE,IAAI,CAAC,sBAAsB,CAAC,IAAI;YACnD,iBAAiB,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI;YAC3C,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;SACrC,CAAC,CAAC;IACJ,CAAC;;AAzJF,oCA0JC"}
@@ -1,12 +1,29 @@
1
1
  import type { AuthorizationCodeData } from './storage';
2
- import type { OAuthAccessToken, OAuthError, OAuthTokenRequest } from './types';
2
+ import type { OAuthError, OAuthTokenRequest } from './types';
3
+ /**
4
+ * Issuer + audience an access token is bound to: this MCP deployment's own origin (`iss`) and its
5
+ * `/mcp` resource (`aud`). Binding both closes token-redirection / confused-deputy — a token minted
6
+ * for deployment A is rejected by deployment B even when both share `CREATIO_MCP_JWT_SECRET`
7
+ * (the documented multi-instance setup). Mirrors RFC 9068 (`aud`) / RFC 8707 (resource indicators).
8
+ */
9
+ export interface TokenAudience {
10
+ issuer: string;
11
+ audience: string;
12
+ }
13
+ /** The claims we trust off a verified access token. */
14
+ export interface DecodedAccessToken {
15
+ userKey: string;
16
+ client_id: string;
17
+ }
3
18
  export declare class OAuthTokenManager {
4
19
  private readonly _jwtSecret;
5
20
  constructor(jwtSecret: string);
6
- generateAccessToken(userKey: string, client_id: string): string;
21
+ /** Mint a 1h access token bound to `userKey` (as `sub`), the issuing `client_id`, and the
22
+ * deployment's `iss`/`aud`. */
23
+ generateAccessToken(userKey: string, client_id: string, aud: TokenAudience): string;
7
24
  generateRefreshToken(): string;
8
- validateAccessToken(token: string): string | null;
9
- createTokenResponse(userKey: string, client_id: string, refresh_token_required?: boolean): OAuthAccessToken;
25
+ /** Verify signature AND issuer/audience binding; return the trusted claims or `null`. */
26
+ validateAccessToken(token: string, aud: TokenAudience): DecodedAccessToken | null;
10
27
  verifyPKCE(code_verifier: string, code_challenge: string): boolean;
11
28
  validateAuthCodeData(authCode: AuthorizationCodeData, params: OAuthTokenRequest): OAuthError | null;
12
29
  }
@@ -1 +1 @@
1
- {"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAE/E,qBAAa,iBAAiB;IAC7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,SAAS,EAAE,MAAM;IAItB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM;IAI/D,oBAAoB,IAAI,MAAM;IAI9B,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAUjD,mBAAmB,CACzB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,sBAAsB,GAAE,OAAc,GACpC,gBAAgB;IAeZ,UAAU,CAAC,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO;IAKlE,oBAAoB,CAC1B,QAAQ,EAAE,qBAAqB,EAC/B,MAAM,EAAE,iBAAiB,GACvB,UAAU,GAAG,IAAI;CAkBpB"}
1
+ {"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAE7D;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,uDAAuD;AACvD,MAAM,WAAW,kBAAkB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,iBAAiB;IAC7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,SAAS,EAAE,MAAM;IAI7B;oCACgC;IACzB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,MAAM;IASnF,oBAAoB,IAAI,MAAM;IAIrC,yFAAyF;IAClF,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,kBAAkB,GAAG,IAAI;IAejF,UAAU,CAAC,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO;IAKlE,oBAAoB,CAC1B,QAAQ,EAAE,qBAAqB,EAC/B,MAAM,EAAE,iBAAiB,GACvB,UAAU,GAAG,IAAI;CAkBpB"}
@@ -12,36 +12,35 @@ class OAuthTokenManager {
12
12
  constructor(jwtSecret) {
13
13
  this._jwtSecret = jwtSecret;
14
14
  }
15
- generateAccessToken(userKey, client_id) {
16
- return jsonwebtoken_1.default.sign({ userKey, client_id }, this._jwtSecret, { expiresIn: '1h' });
15
+ /** Mint a 1h access token bound to `userKey` (as `sub`), the issuing `client_id`, and the
16
+ * deployment's `iss`/`aud`. */
17
+ generateAccessToken(userKey, client_id, aud) {
18
+ return jsonwebtoken_1.default.sign({ client_id }, this._jwtSecret, {
19
+ subject: userKey,
20
+ expiresIn: '1h',
21
+ issuer: aud.issuer,
22
+ audience: aud.audience,
23
+ });
17
24
  }
18
25
  generateRefreshToken() {
19
26
  return crypto_1.default.randomBytes(32).toString('base64url');
20
27
  }
21
- validateAccessToken(token) {
28
+ /** Verify signature AND issuer/audience binding; return the trusted claims or `null`. */
29
+ validateAccessToken(token, aud) {
22
30
  try {
23
- const decoded = jsonwebtoken_1.default.verify(token, this._jwtSecret);
24
- return decoded.userKey || null;
31
+ const decoded = jsonwebtoken_1.default.verify(token, this._jwtSecret, {
32
+ issuer: aud.issuer,
33
+ audience: aud.audience,
34
+ });
35
+ const userKey = typeof decoded.sub === 'string' ? decoded.sub : null;
36
+ const client_id = typeof decoded.client_id === 'string' ? decoded.client_id : '';
37
+ return userKey ? { userKey, client_id } : null;
25
38
  }
26
39
  catch (error) {
27
40
  log_1.default.warn('oauth.token.invalid', { error: String(error) });
28
41
  return null;
29
42
  }
30
43
  }
31
- createTokenResponse(userKey, client_id, refresh_token_required = true) {
32
- const access_token = this.generateAccessToken(userKey, client_id);
33
- const expires_in = 3600;
34
- const tokenResponse = {
35
- access_token,
36
- token_type: 'Bearer',
37
- expires_in,
38
- userKey,
39
- };
40
- if (refresh_token_required) {
41
- tokenResponse.refresh_token = this.generateRefreshToken();
42
- }
43
- return tokenResponse;
44
- }
45
44
  verifyPKCE(code_verifier, code_challenge) {
46
45
  const hash = crypto_1.default.createHash('sha256').update(code_verifier).digest('base64url');
47
46
  return hash === code_challenge;
@@ -1 +1 @@
1
- {"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,gEAA+B;AAE/B,oDAA4B;AAK5B,MAAa,iBAAiB;IACZ,UAAU,CAAS;IAEpC,YAAY,SAAiB;QAC5B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC7B,CAAC;IAEM,mBAAmB,CAAC,OAAe,EAAE,SAAiB;QAC5D,OAAO,sBAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/E,CAAC;IAEM,oBAAoB;QAC1B,OAAO,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAEM,mBAAmB,CAAC,KAAa;QACvC,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAQ,CAAC;YAC1D,OAAO,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAEM,mBAAmB,CACzB,OAAe,EACf,SAAiB,EACjB,yBAAkC,IAAI;QAEtC,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,IAAI,CAAC;QACxB,MAAM,aAAa,GAAqB;YACvC,YAAY;YACZ,UAAU,EAAE,QAAQ;YACpB,UAAU;YACV,OAAO;SACP,CAAC;QACF,IAAI,sBAAsB,EAAE,CAAC;YAC5B,aAAa,CAAC,aAAa,GAAG,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC3D,CAAC;QACD,OAAO,aAAa,CAAC;IACtB,CAAC;IAEM,UAAU,CAAC,aAAqB,EAAE,cAAsB;QAC9D,MAAM,IAAI,GAAG,gBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACnF,OAAO,IAAI,KAAK,cAAc,CAAC;IAChC,CAAC;IAEM,oBAAoB,CAC1B,QAA+B,EAC/B,MAAyB;QAEzB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,CAAC;QACpF,CAAC;QACD,IAAI,QAAQ,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,QAAQ,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC;QACjF,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,aAAa,EAAE,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,CAAC;QAClF,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;CACD;AAtED,8CAsEC"}
1
+ {"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,gEAA+B;AAE/B,oDAA4B;AAsB5B,MAAa,iBAAiB;IACZ,UAAU,CAAS;IAEpC,YAAY,SAAiB;QAC5B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;oCACgC;IACzB,mBAAmB,CAAC,OAAe,EAAE,SAAiB,EAAE,GAAkB;QAChF,OAAO,sBAAG,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,IAAI,CAAC,UAAU,EAAE;YAC/C,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACtB,CAAC,CAAC;IACJ,CAAC;IAEM,oBAAoB;QAC1B,OAAO,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,yFAAyF;IAClF,mBAAmB,CAAC,KAAa,EAAE,GAAkB;QAC3D,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE;gBAClD,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;aACtB,CAAmB,CAAC;YACrB,MAAM,OAAO,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YACrE,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;YACjF,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAChD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAEM,UAAU,CAAC,aAAqB,EAAE,cAAsB;QAC9D,MAAM,IAAI,GAAG,gBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACnF,OAAO,IAAI,KAAK,cAAc,CAAC;IAChC,CAAC;IAEM,oBAAoB,CAC1B,QAA+B,EAC/B,MAAyB;QAEzB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,CAAC;QACpF,CAAC;QACD,IAAI,QAAQ,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,QAAQ,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC;QACjF,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,aAAa,EAAE,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,CAAC;QAClF,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;CACD;AAhED,8CAgEC"}
@@ -30,22 +30,10 @@ export interface OAuthAccessToken {
30
30
  expires_in: number;
31
31
  refresh_token?: string;
32
32
  scope?: string;
33
- userKey: string;
34
33
  }
35
34
  export interface OAuthError {
36
35
  error: string;
37
36
  error_description?: string;
38
37
  error_uri?: string;
39
38
  }
40
- export interface OAuthAuthorizationServerMetadata {
41
- issuer: string;
42
- authorization_endpoint: string;
43
- token_endpoint: string;
44
- registration_endpoint: string;
45
- response_types_supported: string[];
46
- grant_types_supported: string[];
47
- token_endpoint_auth_methods_supported: string[];
48
- code_challenge_methods_supported: string[];
49
- scopes_supported?: string[];
50
- }
51
39
  //# sourceMappingURL=types.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gCAAgC;IAChD,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,qCAAqC,EAAE,MAAM,EAAE,CAAC;IAChD,gCAAgC,EAAE,MAAM,EAAE,CAAC;IAC3C,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB"}
@@ -1 +1 @@
1
- {"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/validators.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,yBAAyB,EACzB,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,MAAM,SAAS,CAAC;AAIjB,qBAAa,eAAe;IAC3B;;;;OAIG;WACW,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAkB1C,4BAA4B,CACzC,MAAM,EAAE,yBAAyB,EACjC,MAAM,EAAE,WAAW,GAAG,SAAS,GAC7B,UAAU,GAAG,IAAI;WAgBN,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,GAAG,UAAU,GAAG,IAAI;WAUlE,0BAA0B,CAAC,aAAa,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;CAsB/E"}
1
+ {"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/validators.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,yBAAyB,EACzB,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,MAAM,SAAS,CAAC;AAIjB,qBAAa,eAAe;IAC3B;;;;OAIG;WACW,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAkB1C,4BAA4B,CACzC,MAAM,EAAE,yBAAyB,EACjC,MAAM,EAAE,WAAW,GAAG,SAAS,GAC7B,UAAU,GAAG,IAAI;WAgBN,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,GAAG,UAAU,GAAG,IAAI;WAmBlE,0BAA0B,CAAC,aAAa,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;CAsB/E"}
@@ -43,13 +43,22 @@ class OAuthValidators {
43
43
  return null;
44
44
  }
45
45
  static validateTokenRequest(params) {
46
- if (params.grant_type !== 'authorization_code') {
47
- return { error: 'unsupported_grant_type' };
46
+ if (params.grant_type === 'authorization_code') {
47
+ if (!params.code || !params.code_verifier) {
48
+ return {
49
+ error: 'invalid_request',
50
+ error_description: 'Missing code or code_verifier',
51
+ };
52
+ }
53
+ return null;
48
54
  }
49
- if (!params.code || !params.code_verifier) {
50
- return { error: 'invalid_request', error_description: 'Missing code or code_verifier' };
55
+ if (params.grant_type === 'refresh_token') {
56
+ if (!params.refresh_token) {
57
+ return { error: 'invalid_request', error_description: 'Missing refresh_token' };
58
+ }
59
+ return null;
51
60
  }
52
- return null;
61
+ return { error: 'unsupported_grant_type' };
53
62
  }
54
63
  static validateClientRegistration(redirect_uris) {
55
64
  if (!redirect_uris || !Array.isArray(redirect_uris)) {