mcp-creatio 0.6.1 → 0.6.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +236 -149
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +22 -10
- package/dist/cli.js.map +1 -1
- package/dist/config-builder.d.ts +8 -0
- package/dist/config-builder.d.ts.map +1 -1
- package/dist/config-builder.js +147 -43
- package/dist/config-builder.js.map +1 -1
- package/dist/consts.d.ts.map +1 -1
- package/dist/consts.js +2 -1
- package/dist/consts.js.map +1 -1
- package/dist/creatio/auth/auth-manager.d.ts.map +1 -1
- package/dist/creatio/auth/auth-manager.js +5 -2
- package/dist/creatio/auth/auth-manager.js.map +1 -1
- package/dist/creatio/auth/auth.d.ts +4 -31
- package/dist/creatio/auth/auth.d.ts.map +1 -1
- package/dist/creatio/auth/auth.js +20 -26
- package/dist/creatio/auth/auth.js.map +1 -1
- package/dist/creatio/auth/constants.d.ts +14 -0
- package/dist/creatio/auth/constants.d.ts.map +1 -0
- package/dist/creatio/auth/constants.js +20 -0
- package/dist/creatio/auth/constants.js.map +1 -0
- package/dist/creatio/auth/contracts.d.ts +15 -0
- package/dist/creatio/auth/contracts.d.ts.map +1 -0
- package/dist/creatio/auth/contracts.js +3 -0
- package/dist/creatio/auth/contracts.js.map +1 -0
- package/dist/creatio/auth/headers.d.ts +3 -0
- package/dist/creatio/auth/headers.d.ts.map +1 -0
- package/dist/creatio/auth/headers.js +15 -0
- package/dist/creatio/auth/headers.js.map +1 -0
- package/dist/creatio/auth/identity.d.ts +8 -0
- package/dist/creatio/auth/identity.d.ts.map +1 -0
- package/dist/creatio/auth/identity.js +18 -0
- package/dist/creatio/auth/identity.js.map +1 -0
- package/dist/creatio/auth/index.d.ts +4 -3
- package/dist/creatio/auth/index.d.ts.map +1 -1
- package/dist/creatio/auth/index.js +5 -3
- package/dist/creatio/auth/index.js.map +1 -1
- package/dist/creatio/auth/providers/base-oauth2-provider.d.ts +13 -7
- package/dist/creatio/auth/providers/base-oauth2-provider.d.ts.map +1 -1
- package/dist/creatio/auth/providers/base-oauth2-provider.js +29 -19
- package/dist/creatio/auth/providers/base-oauth2-provider.js.map +1 -1
- package/dist/creatio/auth/providers/base-provider.js +1 -1
- package/dist/creatio/auth/providers/base-provider.js.map +1 -1
- package/dist/creatio/auth/providers/broker-provider.d.ts +20 -0
- package/dist/creatio/auth/providers/broker-provider.d.ts.map +1 -0
- package/dist/creatio/auth/providers/broker-provider.js +72 -0
- package/dist/creatio/auth/providers/broker-provider.js.map +1 -0
- package/dist/creatio/auth/providers/creatio-oauth-client.d.ts +27 -0
- package/dist/creatio/auth/providers/creatio-oauth-client.d.ts.map +1 -0
- package/dist/creatio/auth/providers/creatio-oauth-client.js +122 -0
- package/dist/creatio/auth/providers/creatio-oauth-client.js.map +1 -0
- package/dist/creatio/auth/providers/index.d.ts +3 -1
- package/dist/creatio/auth/providers/index.d.ts.map +1 -1
- package/dist/creatio/auth/providers/index.js +3 -1
- package/dist/creatio/auth/providers/index.js.map +1 -1
- package/dist/creatio/auth/providers/oauth2-bearer-provider.d.ts +17 -0
- package/dist/creatio/auth/providers/oauth2-bearer-provider.d.ts.map +1 -0
- package/dist/creatio/auth/providers/oauth2-bearer-provider.js +33 -0
- package/dist/creatio/auth/providers/oauth2-bearer-provider.js.map +1 -0
- package/dist/creatio/auth/providers/oauth2-provider.d.ts +2 -2
- package/dist/creatio/auth/providers/oauth2-provider.d.ts.map +1 -1
- package/dist/creatio/auth/providers/oauth2-provider.js +4 -9
- package/dist/creatio/auth/providers/oauth2-provider.js.map +1 -1
- package/dist/creatio/auth/providers/type.d.ts +20 -1
- package/dist/creatio/auth/providers/type.d.ts.map +1 -1
- package/dist/creatio/auth/providers/type.js +22 -2
- package/dist/creatio/auth/providers/type.js.map +1 -1
- package/dist/creatio/client-config.d.ts +26 -5
- package/dist/creatio/client-config.d.ts.map +1 -1
- package/dist/creatio/engines/admin-operation-engine.d.ts +1 -1
- package/dist/creatio/engines/admin-operation-engine.d.ts.map +1 -1
- package/dist/creatio/engines/admin-operation-engine.js +3 -3
- package/dist/creatio/engines/admin-operation-engine.js.map +1 -1
- package/dist/creatio/engines/configuration-engine.d.ts +1 -1
- package/dist/creatio/engines/configuration-engine.d.ts.map +1 -1
- package/dist/creatio/engines/configuration-engine.js +3 -3
- package/dist/creatio/engines/configuration-engine.js.map +1 -1
- package/dist/creatio/engines/crud-engine.d.ts +1 -1
- package/dist/creatio/engines/crud-engine.d.ts.map +1 -1
- package/dist/creatio/engines/crud-engine.js +4 -4
- package/dist/creatio/engines/crud-engine.js.map +1 -1
- package/dist/creatio/engines/engine-manager.d.ts +1 -2
- package/dist/creatio/engines/engine-manager.d.ts.map +1 -1
- package/dist/creatio/engines/engine-manager.js +4 -10
- package/dist/creatio/engines/engine-manager.js.map +1 -1
- package/dist/creatio/engines/engine.d.ts.map +1 -1
- package/dist/creatio/engines/engine.js +12 -1
- package/dist/creatio/engines/engine.js.map +1 -1
- package/dist/creatio/engines/feature-engine.d.ts +1 -1
- package/dist/creatio/engines/feature-engine.d.ts.map +1 -1
- package/dist/creatio/engines/feature-engine.js +3 -3
- package/dist/creatio/engines/feature-engine.js.map +1 -1
- package/dist/creatio/engines/process-engine.d.ts +1 -1
- package/dist/creatio/engines/process-engine.d.ts.map +1 -1
- package/dist/creatio/engines/process-engine.js +3 -3
- package/dist/creatio/engines/process-engine.js.map +1 -1
- package/dist/creatio/engines/sys-settings-engine.d.ts +1 -1
- package/dist/creatio/engines/sys-settings-engine.d.ts.map +1 -1
- package/dist/creatio/engines/sys-settings-engine.js +3 -3
- package/dist/creatio/engines/sys-settings-engine.js.map +1 -1
- package/dist/creatio/engines/user-engine.d.ts +1 -1
- package/dist/creatio/engines/user-engine.d.ts.map +1 -1
- package/dist/creatio/engines/user-engine.js +3 -3
- package/dist/creatio/engines/user-engine.js.map +1 -1
- package/dist/creatio/services/creatio-service-context.d.ts +1 -1
- package/dist/creatio/services/creatio-service-context.d.ts.map +1 -1
- package/dist/creatio/services/crud-provider-factory.d.ts.map +1 -1
- package/dist/creatio/services/crud-provider-factory.js.map +1 -1
- package/dist/creatio/services/dataservice/data-service-column-values.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-crud-provider.d.ts +3 -3
- package/dist/creatio/services/dataservice/data-service-crud-provider.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-crud-provider.js +5 -5
- package/dist/creatio/services/dataservice/data-service-crud-provider.js.map +1 -1
- package/dist/creatio/services/dataservice/data-service-filter-translator.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-filter-translator.js +7 -2
- package/dist/creatio/services/dataservice/data-service-filter-translator.js.map +1 -1
- package/dist/creatio/services/dataservice/data-service-query-builder.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-query-builder.js.map +1 -1
- package/dist/creatio/services/dataservice/data-service-schema.d.ts +3 -3
- package/dist/creatio/services/dataservice/data-service-schema.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-schema.js +19 -17
- package/dist/creatio/services/dataservice/data-service-schema.js.map +1 -1
- package/dist/creatio/services/dataservice/data-service-transport.d.ts +1 -1
- package/dist/creatio/services/dataservice/data-service-transport.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-transport.js +3 -3
- package/dist/creatio/services/dataservice/data-service-transport.js.map +1 -1
- package/dist/creatio/services/dataservice/data-service-types.d.ts +0 -19
- package/dist/creatio/services/dataservice/data-service-types.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-value-type.d.ts +2 -1
- package/dist/creatio/services/dataservice/data-service-value-type.d.ts.map +1 -1
- package/dist/creatio/services/dataservice/data-service-value-type.js +20 -16
- package/dist/creatio/services/dataservice/data-service-value-type.js.map +1 -1
- package/dist/creatio/services/http-client.d.ts +13 -0
- package/dist/creatio/services/http-client.d.ts.map +1 -1
- package/dist/creatio/services/http-client.js +26 -2
- package/dist/creatio/services/http-client.js.map +1 -1
- package/dist/creatio/services/identifiers.d.ts +10 -0
- package/dist/creatio/services/identifiers.d.ts.map +1 -0
- package/dist/creatio/services/identifiers.js +20 -0
- package/dist/creatio/services/identifiers.js.map +1 -0
- package/dist/creatio/services/odata/metadata-store.d.ts +6 -2
- package/dist/creatio/services/odata/metadata-store.d.ts.map +1 -1
- package/dist/creatio/services/odata/metadata-store.js +30 -34
- package/dist/creatio/services/odata/metadata-store.js.map +1 -1
- package/dist/creatio/services/odata/odata-crud-provider.d.ts.map +1 -1
- package/dist/creatio/services/odata/odata-crud-provider.js +10 -25
- package/dist/creatio/services/odata/odata-crud-provider.js.map +1 -1
- package/dist/creatio/services/odata/odata-query-translator.d.ts +4 -5
- package/dist/creatio/services/odata/odata-query-translator.d.ts.map +1 -1
- package/dist/creatio/services/odata/odata-query-translator.js +32 -20
- package/dist/creatio/services/odata/odata-query-translator.js.map +1 -1
- package/dist/creatio/services/user-info-provider.d.ts.map +1 -1
- package/dist/creatio/services/user-info-provider.js +2 -2
- package/dist/creatio/services/user-info-provider.js.map +1 -1
- package/dist/index.js +30 -4
- package/dist/index.js.map +1 -1
- package/dist/log.d.ts +1 -1
- package/dist/log.d.ts.map +1 -1
- package/dist/log.js +2 -1
- package/dist/log.js.map +1 -1
- package/dist/server/bearer/base-url-guard.d.ts +20 -0
- package/dist/server/bearer/base-url-guard.d.ts.map +1 -0
- package/dist/server/bearer/base-url-guard.js +55 -0
- package/dist/server/bearer/base-url-guard.js.map +1 -0
- package/dist/server/bearer/bearer-edge.d.ts +42 -0
- package/dist/server/bearer/bearer-edge.d.ts.map +1 -0
- package/dist/server/bearer/bearer-edge.js +122 -0
- package/dist/server/bearer/bearer-edge.js.map +1 -0
- package/dist/server/bearer/bearer-token.d.ts +27 -0
- package/dist/server/bearer/bearer-token.d.ts.map +1 -0
- package/dist/server/bearer/bearer-token.js +50 -0
- package/dist/server/bearer/bearer-token.js.map +1 -0
- package/dist/server/bearer/index.d.ts +3 -0
- package/dist/server/bearer/index.d.ts.map +1 -0
- package/dist/server/bearer/index.js +19 -0
- package/dist/server/bearer/index.js.map +1 -0
- package/dist/server/http/auth-edge.d.ts +26 -0
- package/dist/server/http/auth-edge.d.ts.map +1 -0
- package/dist/server/http/auth-edge.js +75 -0
- package/dist/server/http/auth-edge.js.map +1 -0
- package/dist/server/http/broker-handlers.d.ts +45 -0
- package/dist/server/http/broker-handlers.d.ts.map +1 -0
- package/dist/server/http/broker-handlers.js +224 -0
- package/dist/server/http/broker-handlers.js.map +1 -0
- package/dist/server/http/{httpServer.d.ts → http-server.d.ts} +5 -13
- package/dist/server/http/http-server.d.ts.map +1 -0
- package/dist/server/http/{httpServer.js → http-server.js} +19 -53
- package/dist/server/http/http-server.js.map +1 -0
- package/dist/server/http/index.d.ts +1 -3
- package/dist/server/http/index.d.ts.map +1 -1
- package/dist/server/http/index.js +1 -3
- package/dist/server/http/index.js.map +1 -1
- package/dist/server/http/mcp-handlers.d.ts.map +1 -1
- package/dist/server/http/mcp-handlers.js +16 -3
- package/dist/server/http/mcp-handlers.js.map +1 -1
- package/dist/server/http/middleware.d.ts +3 -4
- package/dist/server/http/middleware.d.ts.map +1 -1
- package/dist/server/http/middleware.js +33 -23
- package/dist/server/http/middleware.js.map +1 -1
- package/dist/server/http/public-origin.d.ts +10 -0
- package/dist/server/http/public-origin.d.ts.map +1 -0
- package/dist/server/http/public-origin.js +19 -0
- package/dist/server/http/public-origin.js.map +1 -0
- package/dist/server/http/rate-limiter.d.ts +1 -1
- package/dist/server/http/rate-limiter.d.ts.map +1 -1
- package/dist/server/http/rate-limiter.js +11 -11
- package/dist/server/http/rate-limiter.js.map +1 -1
- package/dist/server/http-agent.d.ts +9 -0
- package/dist/server/http-agent.d.ts.map +1 -0
- package/dist/server/http-agent.js +35 -0
- package/dist/server/http-agent.js.map +1 -0
- package/dist/server/index.d.ts +2 -0
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +2 -0
- package/dist/server/index.js.map +1 -1
- package/dist/server/keepalive.d.ts +26 -0
- package/dist/server/keepalive.d.ts.map +1 -0
- package/dist/server/keepalive.js +64 -0
- package/dist/server/keepalive.js.map +1 -0
- package/dist/server/mcp/creatio-rest.d.ts +6 -0
- package/dist/server/mcp/creatio-rest.d.ts.map +1 -1
- package/dist/server/mcp/creatio-rest.js +21 -3
- package/dist/server/mcp/creatio-rest.js.map +1 -1
- package/dist/server/mcp/crtmcp/crt-mcp-client.d.ts +1 -1
- package/dist/server/mcp/crtmcp/crt-mcp-client.d.ts.map +1 -1
- package/dist/server/mcp/crtmcp/crt-mcp-client.js +16 -13
- package/dist/server/mcp/crtmcp/crt-mcp-client.js.map +1 -1
- package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.d.ts +2 -2
- package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.d.ts.map +1 -1
- package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.js +17 -17
- package/dist/server/mcp/crtmcp/crt-mcp-tool-preparer.js.map +1 -1
- package/dist/server/mcp/dataforge/dataforge-client.d.ts +12 -12
- package/dist/server/mcp/dataforge/dataforge-client.d.ts.map +1 -1
- package/dist/server/mcp/dataforge/dataforge-client.js +40 -47
- package/dist/server/mcp/dataforge/dataforge-client.js.map +1 -1
- package/dist/server/mcp/dataforge/dataforge-tool-preparer.d.ts +2 -2
- package/dist/server/mcp/dataforge/dataforge-tool-preparer.d.ts.map +1 -1
- package/dist/server/mcp/dataforge/dataforge-tool-preparer.js +9 -9
- package/dist/server/mcp/dataforge/dataforge-tool-preparer.js.map +1 -1
- package/dist/server/mcp/filters.d.ts.map +1 -1
- package/dist/server/mcp/filters.js +4 -1
- package/dist/server/mcp/filters.js.map +1 -1
- package/dist/server/mcp/globalsearch/globalsearch-client.d.ts +4 -4
- package/dist/server/mcp/globalsearch/globalsearch-client.d.ts.map +1 -1
- package/dist/server/mcp/globalsearch/globalsearch-client.js +39 -50
- package/dist/server/mcp/globalsearch/globalsearch-client.js.map +1 -1
- package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.d.ts +1 -1
- package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.d.ts.map +1 -1
- package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.js +1 -1
- package/dist/server/mcp/globalsearch/globalsearch-tool-preparer.js.map +1 -1
- package/dist/server/mcp/server.d.ts +35 -8
- package/dist/server/mcp/server.d.ts.map +1 -1
- package/dist/server/mcp/server.js +104 -44
- package/dist/server/mcp/server.js.map +1 -1
- package/dist/server/mcp/tools-data.d.ts +2 -2
- package/dist/server/mcp/tools-data.d.ts.map +1 -1
- package/dist/server/mcp/tools-data.js +1 -1
- package/dist/server/mcp/tools-data.js.map +1 -1
- package/dist/server/oauth/oauth-server.d.ts +41 -10
- package/dist/server/oauth/oauth-server.d.ts.map +1 -1
- package/dist/server/oauth/oauth-server.js +82 -48
- package/dist/server/oauth/oauth-server.js.map +1 -1
- package/dist/server/oauth/storage.d.ts +42 -5
- package/dist/server/oauth/storage.d.ts.map +1 -1
- package/dist/server/oauth/storage.js +81 -18
- package/dist/server/oauth/storage.js.map +1 -1
- package/dist/server/oauth/token-manager.d.ts +21 -4
- package/dist/server/oauth/token-manager.d.ts.map +1 -1
- package/dist/server/oauth/token-manager.js +18 -19
- package/dist/server/oauth/token-manager.js.map +1 -1
- package/dist/server/oauth/types.d.ts +0 -12
- package/dist/server/oauth/types.d.ts.map +1 -1
- package/dist/server/oauth/validators.d.ts.map +1 -1
- package/dist/server/oauth/validators.js +14 -5
- package/dist/server/oauth/validators.js.map +1 -1
- package/dist/sessions/index.d.ts +1 -1
- package/dist/sessions/index.d.ts.map +1 -1
- package/dist/sessions/index.js +1 -1
- package/dist/sessions/index.js.map +1 -1
- package/dist/sessions/redis-token-store.d.ts +22 -0
- package/dist/sessions/redis-token-store.d.ts.map +1 -0
- package/dist/sessions/redis-token-store.js +70 -0
- package/dist/sessions/redis-token-store.js.map +1 -0
- package/dist/sessions/session-context.d.ts +21 -40
- package/dist/sessions/session-context.d.ts.map +1 -1
- package/dist/sessions/session-context.js +25 -105
- package/dist/sessions/session-context.js.map +1 -1
- package/dist/sessions/token-crypto.d.ts +8 -0
- package/dist/sessions/token-crypto.d.ts.map +1 -0
- package/dist/sessions/token-crypto.js +43 -0
- package/dist/sessions/token-crypto.js.map +1 -0
- package/dist/sessions/token-store.d.ts +42 -0
- package/dist/sessions/token-store.d.ts.map +1 -0
- package/dist/sessions/token-store.js +66 -0
- package/dist/sessions/token-store.js.map +1 -0
- package/dist/utils/context.d.ts +12 -0
- package/dist/utils/context.d.ts.map +1 -1
- package/dist/utils/context.js +16 -0
- package/dist/utils/context.js.map +1 -1
- package/dist/utils/env-aliases.d.ts +9 -0
- package/dist/utils/env-aliases.d.ts.map +1 -0
- package/dist/utils/env-aliases.js +61 -0
- package/dist/utils/env-aliases.js.map +1 -0
- package/dist/utils/env.d.ts +5 -0
- package/dist/utils/env.d.ts.map +1 -1
- package/dist/utils/env.js +10 -1
- package/dist/utils/env.js.map +1 -1
- package/package.json +78 -74
- package/dist/creatio/auth/providers/oauth2-code-provider.d.ts +0 -21
- package/dist/creatio/auth/providers/oauth2-code-provider.d.ts.map +0 -1
- package/dist/creatio/auth/providers/oauth2-code-provider.js +0 -251
- package/dist/creatio/auth/providers/oauth2-code-provider.js.map +0 -1
- package/dist/server/http/creatio-oauth-handlers.d.ts +0 -13
- package/dist/server/http/creatio-oauth-handlers.d.ts.map +0 -1
- package/dist/server/http/creatio-oauth-handlers.js +0 -160
- package/dist/server/http/creatio-oauth-handlers.js.map +0 -1
- package/dist/server/http/httpServer.d.ts.map +0 -1
- package/dist/server/http/httpServer.js.map +0 -1
- package/dist/server/http/mcp-oauth-handlers.d.ts +0 -11
- package/dist/server/http/mcp-oauth-handlers.d.ts.map +0 -1
- package/dist/server/http/mcp-oauth-handlers.js +0 -118
- package/dist/server/http/mcp-oauth-handlers.js.map +0 -1
- package/dist/sessions/token-refresh-scheduler.d.ts +0 -16
- package/dist/sessions/token-refresh-scheduler.d.ts.map +0 -1
- package/dist/sessions/token-refresh-scheduler.js +0 -66
- package/dist/sessions/token-refresh-scheduler.js.map +0 -1
|
@@ -10,14 +10,17 @@ const client_manager_1 = require("./client-manager");
|
|
|
10
10
|
const storage_1 = require("./storage");
|
|
11
11
|
const token_manager_1 = require("./token-manager");
|
|
12
12
|
const validators_1 = require("./validators");
|
|
13
|
+
const ACCESS_TOKEN_TTL_SECONDS = 3600;
|
|
14
|
+
const ISSUED_SCOPE = 'offline_access';
|
|
13
15
|
class OAuthServer {
|
|
14
|
-
_jwtSecret = crypto_1.default.randomBytes(32).toString('hex');
|
|
15
16
|
_storage = new storage_1.OAuthStorage();
|
|
16
17
|
_tokenManager;
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
18
|
+
/**
|
|
19
|
+
* @param jwtSecret stable secret (from `CREATIO_MCP_JWT_SECRET`) signing the tokens issued to
|
|
20
|
+
* MCP clients — stable so issued tokens survive a restart, unlike a random per-process key.
|
|
21
|
+
*/
|
|
22
|
+
constructor(jwtSecret) {
|
|
23
|
+
this._tokenManager = new token_manager_1.OAuthTokenManager(jwtSecret);
|
|
21
24
|
}
|
|
22
25
|
_autoRegisterClientIfNeeded(client_id, redirect_uri) {
|
|
23
26
|
if (this._storage.hasClient(client_id)) {
|
|
@@ -33,19 +36,32 @@ class OAuthServer {
|
|
|
33
36
|
this._storage.addClient(client);
|
|
34
37
|
return true;
|
|
35
38
|
}
|
|
36
|
-
|
|
39
|
+
/** Mint an access token + a freshly-stored (rotating) refresh token as a standard OAuth response. */
|
|
40
|
+
_issueTokens(userKey, client_id, aud) {
|
|
41
|
+
const access_token = this._tokenManager.generateAccessToken(userKey, client_id, aud);
|
|
42
|
+
const refresh_token = this._tokenManager.generateRefreshToken();
|
|
43
|
+
this._storage.storeRefreshToken(refresh_token, userKey, client_id);
|
|
37
44
|
return {
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
grant_types_supported: ['authorization_code'],
|
|
44
|
-
token_endpoint_auth_methods_supported: ['none', 'client_secret_post'],
|
|
45
|
-
code_challenge_methods_supported: ['S256'],
|
|
46
|
-
scopes_supported: ['openid'],
|
|
45
|
+
access_token,
|
|
46
|
+
token_type: 'Bearer',
|
|
47
|
+
expires_in: ACCESS_TOKEN_TTL_SECONDS,
|
|
48
|
+
refresh_token,
|
|
49
|
+
scope: ISSUED_SCOPE,
|
|
47
50
|
};
|
|
48
51
|
}
|
|
52
|
+
/**
|
|
53
|
+
* Records a brokered authorization in flight and returns its opaque broker state (used as the
|
|
54
|
+
* `state` on the Creatio leg). Server-side storage keeps the client's PKCE and our Creatio-leg
|
|
55
|
+
* verifier apart — nothing is embedded in the Creatio `state`.
|
|
56
|
+
*/
|
|
57
|
+
createPendingAuthorization(data) {
|
|
58
|
+
const brokerState = crypto_1.default.randomBytes(32).toString('base64url');
|
|
59
|
+
this._storage.storePendingAuthorization(brokerState, data);
|
|
60
|
+
return brokerState;
|
|
61
|
+
}
|
|
62
|
+
takePendingAuthorization(brokerState) {
|
|
63
|
+
return this._storage.takePendingAuthorization(brokerState);
|
|
64
|
+
}
|
|
49
65
|
registerClient(redirect_uris) {
|
|
50
66
|
const client = client_manager_1.OAuthClientManager.createClient(redirect_uris);
|
|
51
67
|
this._storage.addClient(client);
|
|
@@ -61,39 +77,13 @@ class OAuthServer {
|
|
|
61
77
|
}
|
|
62
78
|
return validators_1.OAuthValidators.validateAuthorizationRequest(params, client);
|
|
63
79
|
}
|
|
64
|
-
storeState(state, client_id) {
|
|
65
|
-
this._storage.storeState(state, client_id);
|
|
66
|
-
log_1.default.info('oauth.state.stored', { client_id });
|
|
67
|
-
}
|
|
68
|
-
validateState(state, client_id) {
|
|
69
|
-
const stateData = this._storage.getState(state);
|
|
70
|
-
if (!stateData) {
|
|
71
|
-
log_1.default.warn('oauth.state.not_found', { client_id });
|
|
72
|
-
return false;
|
|
73
|
-
}
|
|
74
|
-
if (stateData.expires_at < Date.now()) {
|
|
75
|
-
this._storage.deleteState(state);
|
|
76
|
-
log_1.default.warn('oauth.state.expired', { client_id });
|
|
77
|
-
return false;
|
|
78
|
-
}
|
|
79
|
-
if (stateData.client_id !== client_id) {
|
|
80
|
-
log_1.default.warn('oauth.state.client_mismatch', {
|
|
81
|
-
expected: stateData.client_id,
|
|
82
|
-
actual: client_id,
|
|
83
|
-
});
|
|
84
|
-
return false;
|
|
85
|
-
}
|
|
86
|
-
this._storage.deleteState(state);
|
|
87
|
-
log_1.default.info('oauth.state.validated_successfully', { client_id });
|
|
88
|
-
return true;
|
|
89
|
-
}
|
|
90
80
|
generateAuthorizationCode(client_id, redirect_uri, code_challenge, code_challenge_method, userKey) {
|
|
91
81
|
const code = crypto_1.default.randomBytes(32).toString('base64url');
|
|
92
82
|
this._storage.storeAuthorizationCode(code, client_id, redirect_uri, code_challenge, code_challenge_method, userKey);
|
|
93
83
|
log_1.default.info('oauth.authorization_code.generated', { client_id, userKey });
|
|
94
84
|
return code;
|
|
95
85
|
}
|
|
96
|
-
async exchangeCodeForToken(params) {
|
|
86
|
+
async exchangeCodeForToken(params, aud) {
|
|
97
87
|
log_1.default.info('oauth.token.exchange_start', {
|
|
98
88
|
grant_type: params.grant_type,
|
|
99
89
|
client_id: params.client_id,
|
|
@@ -117,16 +107,60 @@ class OAuthServer {
|
|
|
117
107
|
}
|
|
118
108
|
return codeValidationError;
|
|
119
109
|
}
|
|
120
|
-
const tokenResponse = this._tokenManager.createTokenResponse(authCode.userKey, params.client_id);
|
|
121
110
|
this._storage.deleteAuthorizationCode(params.code);
|
|
122
111
|
log_1.default.info('oauth.token.issued', { client_id: params.client_id, userKey: authCode.userKey });
|
|
123
|
-
return
|
|
112
|
+
return this._issueTokens(authCode.userKey, params.client_id, aud);
|
|
124
113
|
}
|
|
125
|
-
|
|
126
|
-
|
|
114
|
+
/**
|
|
115
|
+
* `refresh_token` grant: rotate the refresh token and mint a fresh access token WITHOUT a browser
|
|
116
|
+
* round-trip — bound to the same client (a stolen token can't be redeemed by another) and gated on
|
|
117
|
+
* the broker still holding this user's Creatio tokens, so a client never re-consents every hour.
|
|
118
|
+
*/
|
|
119
|
+
async exchangeRefreshToken(params, aud, sessionStillHeld) {
|
|
120
|
+
const validationError = validators_1.OAuthValidators.validateTokenRequest(params);
|
|
121
|
+
if (validationError) {
|
|
122
|
+
return validationError;
|
|
123
|
+
}
|
|
124
|
+
const data = this._storage.getRefreshToken(params.refresh_token);
|
|
125
|
+
if (!data) {
|
|
126
|
+
return {
|
|
127
|
+
error: 'invalid_grant',
|
|
128
|
+
error_description: 'Invalid or expired refresh token',
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
if (data.client_id !== params.client_id) {
|
|
132
|
+
// Token presented by a different client than it was issued to — reuse/theft signal.
|
|
133
|
+
this._storage.deleteRefreshToken(params.refresh_token);
|
|
134
|
+
return { error: 'invalid_grant', error_description: 'Client mismatch' };
|
|
135
|
+
}
|
|
136
|
+
if (!(await sessionStillHeld(data.userKey))) {
|
|
137
|
+
this._storage.deleteRefreshToken(params.refresh_token);
|
|
138
|
+
return {
|
|
139
|
+
error: 'invalid_grant',
|
|
140
|
+
error_description: 'Session expired; re-authorization required',
|
|
141
|
+
};
|
|
142
|
+
}
|
|
143
|
+
// Rotate: the presented refresh token is single-use.
|
|
144
|
+
this._storage.deleteRefreshToken(params.refresh_token);
|
|
145
|
+
log_1.default.info('oauth.token.refreshed', { client_id: data.client_id, userKey: data.userKey });
|
|
146
|
+
return this._issueTokens(data.userKey, data.client_id, aud);
|
|
147
|
+
}
|
|
148
|
+
/** Verify a client-presented access token against this deployment's `iss`/`aud`; returns userKey. */
|
|
149
|
+
validateAccessToken(token, aud) {
|
|
150
|
+
return this._tokenManager.validateAccessToken(token, aud)?.userKey ?? null;
|
|
151
|
+
}
|
|
152
|
+
/** RFC 7009: resolve the user a presented token belongs to — our access JWT, or an issued
|
|
153
|
+
* refresh token. Returns `null` for an unknown/invalid token (caller still answers 200). */
|
|
154
|
+
resolveUserFromToken(token, aud) {
|
|
155
|
+
const decoded = this._tokenManager.validateAccessToken(token, aud);
|
|
156
|
+
if (decoded) {
|
|
157
|
+
return decoded.userKey;
|
|
158
|
+
}
|
|
159
|
+
return this._storage.getRefreshToken(token)?.userKey ?? null;
|
|
127
160
|
}
|
|
128
|
-
|
|
129
|
-
|
|
161
|
+
/** Invalidate every refresh token we issued for a user (logout / revoke). */
|
|
162
|
+
purgeRefreshTokensForUser(userKey) {
|
|
163
|
+
this._storage.deleteRefreshTokensForUser(userKey);
|
|
130
164
|
}
|
|
131
165
|
cleanup() {
|
|
132
166
|
this._storage.cleanup();
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-server.js","sourceRoot":"","sources":["../../../src/server/oauth/oauth-server.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,oDAA4B;AAE5B,qDAAsD;AACtD,uCAAyC;AACzC,
|
|
1
|
+
{"version":3,"file":"oauth-server.js","sourceRoot":"","sources":["../../../src/server/oauth/oauth-server.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,oDAA4B;AAE5B,qDAAsD;AACtD,uCAAyC;AACzC,mDAAmE;AACnE,6CAA+C;AAc/C,MAAM,wBAAwB,GAAG,IAAI,CAAC;AACtC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAEtC,MAAa,WAAW;IACN,QAAQ,GAAG,IAAI,sBAAY,EAAE,CAAC;IAC9B,aAAa,CAAoB;IAElD;;;OAGG;IACH,YAAY,SAAiB;QAC5B,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAiB,CAAC,SAAS,CAAC,CAAC;IACvD,CAAC;IAEO,2BAA2B,CAAC,SAAiB,EAAE,YAAoB;QAC1E,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACd,CAAC;QACD,8EAA8E;QAC9E,yFAAyF;QACzF,IAAI,CAAC,4BAAe,CAAC,oBAAoB,CAAC,YAAY,CAAC,EAAE,CAAC;YACzD,aAAG,CAAC,IAAI,CAAC,qCAAqC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC/D,OAAO,KAAK,CAAC;QACd,CAAC;QACD,MAAM,MAAM,GAAG,mCAAkB,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAC9E,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACb,CAAC;IAED,qGAAqG;IAC7F,YAAY,CAAC,OAAe,EAAE,SAAiB,EAAE,GAAkB;QAC1E,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACrF,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,oBAAoB,EAAE,CAAC;QAChE,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,aAAa,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QACnE,OAAO;YACN,YAAY;YACZ,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,wBAAwB;YACpC,aAAa;YACb,KAAK,EAAE,YAAY;SACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,0BAA0B,CAAC,IAOjC;QACA,MAAM,WAAW,GAAG,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACjE,IAAI,CAAC,QAAQ,CAAC,yBAAyB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAC3D,OAAO,WAAW,CAAC;IACpB,CAAC;IAEM,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,WAAW,CAAC,CAAC;IAC5D,CAAC;IAEM,cAAc,CAAC,aAAuB;QAC5C,MAAM,MAAM,GAAG,mCAAkB,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9D,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,MAAiC;QACpE,IAAI,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,MAAM,aAAa,GAAG,IAAI,CAAC,2BAA2B,CACrD,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,YAAY,CACnB,CAAC;YACF,IAAI,aAAa,EAAE,CAAC;gBACnB,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;QACF,CAAC;QACD,OAAO,4BAAe,CAAC,4BAA4B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrE,CAAC;IAEM,yBAAyB,CAC/B,SAAiB,EACjB,YAAoB,EACpB,cAAsB,EACtB,qBAA6B,EAC7B,OAAe;QAEf,MAAM,IAAI,GAAG,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CACnC,IAAI,EACJ,SAAS,EACT,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,OAAO,CACP,CAAC;QACF,aAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QACvE,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAChC,MAAyB,EACzB,GAAkB;QAElB,aAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;YACtC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa;SACzC,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,4BAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,eAAe,EAAE,CAAC;YACrB,OAAO,eAAe,CAAC;QACxB,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;QAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,aAAG,CAAC,KAAK,CAAC,4BAA4B,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YACzE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,CAAC;QACpF,CAAC;QACD,MAAM,mBAAmB,GAAG,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtF,IAAI,mBAAmB,EAAE,CAAC;YACzB,IACC,mBAAmB,CAAC,KAAK,KAAK,eAAe;gBAC7C,mBAAmB,CAAC,iBAAiB,KAAK,4BAA4B,EACrE,CAAC;gBACF,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,mBAAmB,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,MAAM,CAAC,IAAK,CAAC,CAAC;QACpD,aAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACnE,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,oBAAoB,CAChC,MAAyB,EACzB,GAAkB,EAClB,gBAAkC;QAElC,MAAM,eAAe,GAAG,4BAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,eAAe,EAAE,CAAC;YACrB,OAAO,eAAe,CAAC;QACxB,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;QAClE,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO;gBACN,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,kCAAkC;aACrD,CAAC;QACH,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACzC,oFAAoF;YACpF,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;YACxD,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC7C,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;YACxD,OAAO;gBACN,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,4CAA4C;aAC/D,CAAC;QACH,CAAC;QACD,qDAAqD;QACrD,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,aAAc,CAAC,CAAC;QACxD,aAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QACxF,OAAO,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,qGAAqG;IAC9F,mBAAmB,CAAC,KAAa,EAAE,GAAkB;QAC3D,OAAO,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IAC5E,CAAC;IAED;iGAC6F;IACtF,oBAAoB,CAAC,KAAa,EAAE,GAAkB;QAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACnE,IAAI,OAAO,EAAE,CAAC;YACb,OAAO,OAAO,CAAC,OAAO,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IAC9D,CAAC;IAED,6EAA6E;IACtE,yBAAyB,CAAC,OAAe;QAC/C,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IAEM,OAAO;QACb,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;IACzB,CAAC;CACD;AAvMD,kCAuMC"}
|
|
@@ -7,23 +7,60 @@ export interface AuthorizationCodeData {
|
|
|
7
7
|
userKey: string;
|
|
8
8
|
expires_at: number;
|
|
9
9
|
}
|
|
10
|
-
|
|
10
|
+
/**
|
|
11
|
+
* A brokered authorization in flight between `/authorize` and `/oauth/callback`. It links the MCP
|
|
12
|
+
* client's request (its redirect + PKCE + state) to our own Creatio-leg PKCE verifier, keyed by an
|
|
13
|
+
* opaque broker state. Kept server-side ON PURPOSE — nothing is embedded in the Creatio `state`
|
|
14
|
+
* string, so the two PKCE pairs never collide.
|
|
15
|
+
*/
|
|
16
|
+
export interface PendingAuthorizationData {
|
|
17
|
+
client_id: string;
|
|
18
|
+
/** The MCP client's redirect URI (where we send our code at the end). */
|
|
19
|
+
redirect_uri: string;
|
|
20
|
+
/** The MCP client's PKCE challenge (verified later at /token). */
|
|
21
|
+
code_challenge: string;
|
|
22
|
+
code_challenge_method: string;
|
|
23
|
+
/** The MCP client's state, echoed back to it. */
|
|
24
|
+
client_state?: string | undefined;
|
|
25
|
+
/** Our Creatio-leg PKCE verifier, used to exchange the Creatio code in the callback. */
|
|
26
|
+
creatio_verifier: string;
|
|
27
|
+
expires_at: number;
|
|
28
|
+
}
|
|
29
|
+
/** A refresh token the broker issued to a client, bound to the user it represents and the client
|
|
30
|
+
* it was issued to (so a stolen token can't be redeemed by a different client). Single-use:
|
|
31
|
+
* rotated on every refresh. */
|
|
32
|
+
export interface RefreshTokenData {
|
|
33
|
+
userKey: string;
|
|
11
34
|
client_id: string;
|
|
12
35
|
expires_at: number;
|
|
13
36
|
}
|
|
14
37
|
export declare class OAuthStorage {
|
|
38
|
+
private static readonly CLIENT_TTL_MS;
|
|
39
|
+
private static readonly MAX_CLIENTS;
|
|
40
|
+
private static readonly REFRESH_TOKEN_TTL_MS;
|
|
15
41
|
private readonly _clients;
|
|
16
42
|
private readonly _authorizationCodes;
|
|
17
|
-
private readonly
|
|
43
|
+
private readonly _pendingAuthorizations;
|
|
44
|
+
private readonly _refreshTokens;
|
|
45
|
+
private _evictExpired;
|
|
46
|
+
private _evictExpiredClients;
|
|
47
|
+
/** Hard-cap the client store, evicting the oldest (insertion order ~ creation order). */
|
|
48
|
+
private _capClients;
|
|
18
49
|
addClient(client: OAuthClient): void;
|
|
19
50
|
getClient(client_id: string): OAuthClient | undefined;
|
|
20
51
|
hasClient(client_id: string): boolean;
|
|
21
52
|
storeAuthorizationCode(code: string, client_id: string, redirect_uri: string, code_challenge: string, code_challenge_method: string, userKey: string, expiresInMs?: number): void;
|
|
22
53
|
getAuthorizationCode(code: string): AuthorizationCodeData | undefined;
|
|
23
54
|
deleteAuthorizationCode(code: string): void;
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
55
|
+
storePendingAuthorization(brokerState: string, data: Omit<PendingAuthorizationData, 'expires_at'>, expiresInMs?: number): void;
|
|
56
|
+
/** Returns and removes the pending authorization (single-use), or `undefined` if absent/expired. */
|
|
57
|
+
takePendingAuthorization(brokerState: string): PendingAuthorizationData | undefined;
|
|
58
|
+
storeRefreshToken(token: string, userKey: string, client_id: string, expiresInMs?: number): void;
|
|
59
|
+
/** Returns the refresh-token record, or `undefined` if absent/expired (expired ones are pruned). */
|
|
60
|
+
getRefreshToken(token: string): RefreshTokenData | undefined;
|
|
61
|
+
deleteRefreshToken(token: string): void;
|
|
62
|
+
/** Drop every refresh token issued for a user (logout / revoke). */
|
|
63
|
+
deleteRefreshTokensForUser(userKey: string): void;
|
|
27
64
|
cleanup(): void;
|
|
28
65
|
}
|
|
29
66
|
//# sourceMappingURL=storage.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C,MAAM,WAAW,qBAAqB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,YAAY;
|
|
1
|
+
{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C,MAAM,WAAW,qBAAqB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iDAAiD;IACjD,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,wFAAwF;IACxF,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED;;gCAEgC;AAChC,MAAM,WAAW,gBAAgB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,YAAY;IAGxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAuB;IAC5D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAQ;IAC3C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAA4B;IAExE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAkC;IAC3D,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAA4C;IAChF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAA+C;IACtF,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAuC;IAEtE,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,oBAAoB;IAS5B,yFAAyF;IACzF,OAAO,CAAC,WAAW;IAUZ,SAAS,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAKpC,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAIrD,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIrC,sBAAsB,CAC5B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,EACtB,qBAAqB,EAAE,MAAM,EAC7B,OAAO,EAAE,MAAM,EACf,WAAW,GAAE,MAAuB,GAClC,IAAI;IAYA,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,qBAAqB,GAAG,SAAS;IAIrE,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAI3C,yBAAyB,CAC/B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,CAAC,wBAAwB,EAAE,YAAY,CAAC,EAClD,WAAW,GAAE,MAAuB,GAClC,IAAI;IAOP,oGAAoG;IAC7F,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,wBAAwB,GAAG,SAAS;IASnF,iBAAiB,CACvB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,WAAW,GAAE,MAA0C,GACrD,IAAI;IAQP,oGAAoG;IAC7F,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAY5D,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAI9C,oEAAoE;IAC7D,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAQjD,OAAO,IAAI,IAAI;CAatB"}
|
|
@@ -6,11 +6,43 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
exports.OAuthStorage = void 0;
|
|
7
7
|
const log_1 = __importDefault(require("../../log"));
|
|
8
8
|
class OAuthStorage {
|
|
9
|
+
// Dynamically-registered clients are unauthenticated (open DCR), so the store is bounded by TTL
|
|
10
|
+
// + a hard cap, evicting the oldest, to deny a memory-exhaustion DoS via IP-rotating /register.
|
|
11
|
+
static CLIENT_TTL_MS = 24 * 60 * 60 * 1000;
|
|
12
|
+
static MAX_CLIENTS = 1000;
|
|
13
|
+
static REFRESH_TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000;
|
|
9
14
|
_clients = new Map();
|
|
10
15
|
_authorizationCodes = new Map();
|
|
11
|
-
|
|
16
|
+
_pendingAuthorizations = new Map();
|
|
17
|
+
_refreshTokens = new Map();
|
|
18
|
+
_evictExpired(map, now) {
|
|
19
|
+
for (const [key, data] of map.entries()) {
|
|
20
|
+
if (now > data.expires_at) {
|
|
21
|
+
map.delete(key);
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
_evictExpiredClients(now) {
|
|
26
|
+
for (const [id, client] of this._clients.entries()) {
|
|
27
|
+
if (now - client.created_at > OAuthStorage.CLIENT_TTL_MS) {
|
|
28
|
+
this._clients.delete(id);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
this._capClients();
|
|
32
|
+
}
|
|
33
|
+
/** Hard-cap the client store, evicting the oldest (insertion order ~ creation order). */
|
|
34
|
+
_capClients() {
|
|
35
|
+
while (this._clients.size > OAuthStorage.MAX_CLIENTS) {
|
|
36
|
+
const oldest = this._clients.keys().next().value;
|
|
37
|
+
if (oldest === undefined) {
|
|
38
|
+
break;
|
|
39
|
+
}
|
|
40
|
+
this._clients.delete(oldest);
|
|
41
|
+
}
|
|
42
|
+
}
|
|
12
43
|
addClient(client) {
|
|
13
44
|
this._clients.set(client.client_id, client);
|
|
45
|
+
this._capClients();
|
|
14
46
|
}
|
|
15
47
|
getClient(client_id) {
|
|
16
48
|
return this._clients.get(client_id);
|
|
@@ -35,31 +67,62 @@ class OAuthStorage {
|
|
|
35
67
|
deleteAuthorizationCode(code) {
|
|
36
68
|
this._authorizationCodes.delete(code);
|
|
37
69
|
}
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
70
|
+
storePendingAuthorization(brokerState, data, expiresInMs = 10 * 60 * 1000) {
|
|
71
|
+
this._pendingAuthorizations.set(brokerState, {
|
|
72
|
+
...data,
|
|
73
|
+
expires_at: Date.now() + expiresInMs,
|
|
74
|
+
});
|
|
41
75
|
}
|
|
42
|
-
|
|
43
|
-
|
|
76
|
+
/** Returns and removes the pending authorization (single-use), or `undefined` if absent/expired. */
|
|
77
|
+
takePendingAuthorization(brokerState) {
|
|
78
|
+
const data = this._pendingAuthorizations.get(brokerState);
|
|
79
|
+
if (!data) {
|
|
80
|
+
return undefined;
|
|
81
|
+
}
|
|
82
|
+
this._pendingAuthorizations.delete(brokerState);
|
|
83
|
+
return Date.now() > data.expires_at ? undefined : data;
|
|
44
84
|
}
|
|
45
|
-
|
|
46
|
-
this.
|
|
85
|
+
storeRefreshToken(token, userKey, client_id, expiresInMs = OAuthStorage.REFRESH_TOKEN_TTL_MS) {
|
|
86
|
+
this._refreshTokens.set(token, {
|
|
87
|
+
userKey,
|
|
88
|
+
client_id,
|
|
89
|
+
expires_at: Date.now() + expiresInMs,
|
|
90
|
+
});
|
|
47
91
|
}
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
}
|
|
92
|
+
/** Returns the refresh-token record, or `undefined` if absent/expired (expired ones are pruned). */
|
|
93
|
+
getRefreshToken(token) {
|
|
94
|
+
const data = this._refreshTokens.get(token);
|
|
95
|
+
if (!data) {
|
|
96
|
+
return undefined;
|
|
54
97
|
}
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
98
|
+
if (Date.now() > data.expires_at) {
|
|
99
|
+
this._refreshTokens.delete(token);
|
|
100
|
+
return undefined;
|
|
101
|
+
}
|
|
102
|
+
return data;
|
|
103
|
+
}
|
|
104
|
+
deleteRefreshToken(token) {
|
|
105
|
+
this._refreshTokens.delete(token);
|
|
106
|
+
}
|
|
107
|
+
/** Drop every refresh token issued for a user (logout / revoke). */
|
|
108
|
+
deleteRefreshTokensForUser(userKey) {
|
|
109
|
+
for (const [token, data] of this._refreshTokens) {
|
|
110
|
+
if (data.userKey === userKey) {
|
|
111
|
+
this._refreshTokens.delete(token);
|
|
58
112
|
}
|
|
59
113
|
}
|
|
114
|
+
}
|
|
115
|
+
cleanup() {
|
|
116
|
+
const now = Date.now();
|
|
117
|
+
this._evictExpired(this._authorizationCodes, now);
|
|
118
|
+
this._evictExpired(this._pendingAuthorizations, now);
|
|
119
|
+
this._evictExpired(this._refreshTokens, now);
|
|
120
|
+
this._evictExpiredClients(now);
|
|
60
121
|
log_1.default.info('oauth.storage.cleanup.completed', {
|
|
61
122
|
remaining_codes: this._authorizationCodes.size,
|
|
62
|
-
|
|
123
|
+
remaining_pending: this._pendingAuthorizations.size,
|
|
124
|
+
remaining_refresh: this._refreshTokens.size,
|
|
125
|
+
remaining_clients: this._clients.size,
|
|
63
126
|
});
|
|
64
127
|
}
|
|
65
128
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;
|
|
1
|
+
{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../src/server/oauth/storage.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AA0C5B,MAAa,YAAY;IACxB,gGAAgG;IAChG,gGAAgG;IACxF,MAAM,CAAU,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACpD,MAAM,CAAU,WAAW,GAAG,IAAI,CAAC;IACnC,MAAM,CAAU,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEvD,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC1C,mBAAmB,GAAG,IAAI,GAAG,EAAiC,CAAC;IAC/D,sBAAsB,GAAG,IAAI,GAAG,EAAoC,CAAC;IACrE,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE9D,aAAa,CAAC,GAAwC,EAAE,GAAW;QAC1E,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;YACzC,IAAI,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjB,CAAC;QACF,CAAC;IACF,CAAC;IAEO,oBAAoB,CAAC,GAAW;QACvC,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACpD,IAAI,GAAG,GAAG,MAAM,CAAC,UAAU,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;gBAC1D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACF,CAAC;QACD,IAAI,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;IAED,yFAAyF;IACjF,WAAW;QAClB,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YACjD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC1B,MAAM;YACP,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;IACF,CAAC;IAEM,SAAS,CAAC,MAAmB;QACnC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAEM,SAAS,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAEM,sBAAsB,CAC5B,IAAY,EACZ,SAAiB,EACjB,YAAoB,EACpB,cAAsB,EACtB,qBAA6B,EAC7B,OAAe,EACf,cAAsB,EAAE,GAAG,EAAE,GAAG,IAAI;QAEpC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC;QAC5C,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,EAAE;YAClC,SAAS;YACT,YAAY;YACZ,cAAc;YACd,qBAAqB;YACrB,OAAO;YACP,UAAU;SACV,CAAC,CAAC;IACJ,CAAC;IAEM,oBAAoB,CAAC,IAAY;QACvC,OAAO,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAEM,uBAAuB,CAAC,IAAY;QAC1C,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IAEM,yBAAyB,CAC/B,WAAmB,EACnB,IAAkD,EAClD,cAAsB,EAAE,GAAG,EAAE,GAAG,IAAI;QAEpC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,WAAW,EAAE;YAC5C,GAAG,IAAI;YACP,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;SACpC,CAAC,CAAC;IACJ,CAAC;IAED,oGAAoG;IAC7F,wBAAwB,CAAC,WAAmB;QAClD,MAAM,IAAI,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,SAAS,CAAC;QAClB,CAAC;QACD,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IACxD,CAAC;IAEM,iBAAiB,CACvB,KAAa,EACb,OAAe,EACf,SAAiB,EACjB,cAAsB,YAAY,CAAC,oBAAoB;QAEvD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE;YAC9B,OAAO;YACP,SAAS;YACT,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;SACpC,CAAC,CAAC;IACJ,CAAC;IAED,oGAAoG;IAC7F,eAAe,CAAC,KAAa;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,SAAS,CAAC;QAClB,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClC,OAAO,SAAS,CAAC;QAClB,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;IAEM,kBAAkB,CAAC,KAAa;QACtC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,oEAAoE;IAC7D,0BAA0B,CAAC,OAAe;QAChD,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACjD,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC9B,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;QACF,CAAC;IACF,CAAC;IAEM,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC/B,aAAG,CAAC,IAAI,CAAC,iCAAiC,EAAE;YAC3C,eAAe,EAAE,IAAI,CAAC,mBAAmB,CAAC,IAAI;YAC9C,iBAAiB,EAAE,IAAI,CAAC,sBAAsB,CAAC,IAAI;YACnD,iBAAiB,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI;YAC3C,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;SACrC,CAAC,CAAC;IACJ,CAAC;;AAzJF,oCA0JC"}
|
|
@@ -1,12 +1,29 @@
|
|
|
1
1
|
import type { AuthorizationCodeData } from './storage';
|
|
2
|
-
import type {
|
|
2
|
+
import type { OAuthError, OAuthTokenRequest } from './types';
|
|
3
|
+
/**
|
|
4
|
+
* Issuer + audience an access token is bound to: this MCP deployment's own origin (`iss`) and its
|
|
5
|
+
* `/mcp` resource (`aud`). Binding both closes token-redirection / confused-deputy — a token minted
|
|
6
|
+
* for deployment A is rejected by deployment B even when both share `CREATIO_MCP_JWT_SECRET`
|
|
7
|
+
* (the documented multi-instance setup). Mirrors RFC 9068 (`aud`) / RFC 8707 (resource indicators).
|
|
8
|
+
*/
|
|
9
|
+
export interface TokenAudience {
|
|
10
|
+
issuer: string;
|
|
11
|
+
audience: string;
|
|
12
|
+
}
|
|
13
|
+
/** The claims we trust off a verified access token. */
|
|
14
|
+
export interface DecodedAccessToken {
|
|
15
|
+
userKey: string;
|
|
16
|
+
client_id: string;
|
|
17
|
+
}
|
|
3
18
|
export declare class OAuthTokenManager {
|
|
4
19
|
private readonly _jwtSecret;
|
|
5
20
|
constructor(jwtSecret: string);
|
|
6
|
-
|
|
21
|
+
/** Mint a 1h access token bound to `userKey` (as `sub`), the issuing `client_id`, and the
|
|
22
|
+
* deployment's `iss`/`aud`. */
|
|
23
|
+
generateAccessToken(userKey: string, client_id: string, aud: TokenAudience): string;
|
|
7
24
|
generateRefreshToken(): string;
|
|
8
|
-
|
|
9
|
-
|
|
25
|
+
/** Verify signature AND issuer/audience binding; return the trusted claims or `null`. */
|
|
26
|
+
validateAccessToken(token: string, aud: TokenAudience): DecodedAccessToken | null;
|
|
10
27
|
verifyPKCE(code_verifier: string, code_challenge: string): boolean;
|
|
11
28
|
validateAuthCodeData(authCode: AuthorizationCodeData, params: OAuthTokenRequest): OAuthError | null;
|
|
12
29
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,KAAK,EAAE,
|
|
1
|
+
{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAE7D;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,uDAAuD;AACvD,MAAM,WAAW,kBAAkB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,iBAAiB;IAC7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,SAAS,EAAE,MAAM;IAI7B;oCACgC;IACzB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,MAAM;IASnF,oBAAoB,IAAI,MAAM;IAIrC,yFAAyF;IAClF,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,kBAAkB,GAAG,IAAI;IAejF,UAAU,CAAC,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO;IAKlE,oBAAoB,CAC1B,QAAQ,EAAE,qBAAqB,EAC/B,MAAM,EAAE,iBAAiB,GACvB,UAAU,GAAG,IAAI;CAkBpB"}
|
|
@@ -12,36 +12,35 @@ class OAuthTokenManager {
|
|
|
12
12
|
constructor(jwtSecret) {
|
|
13
13
|
this._jwtSecret = jwtSecret;
|
|
14
14
|
}
|
|
15
|
-
|
|
16
|
-
|
|
15
|
+
/** Mint a 1h access token bound to `userKey` (as `sub`), the issuing `client_id`, and the
|
|
16
|
+
* deployment's `iss`/`aud`. */
|
|
17
|
+
generateAccessToken(userKey, client_id, aud) {
|
|
18
|
+
return jsonwebtoken_1.default.sign({ client_id }, this._jwtSecret, {
|
|
19
|
+
subject: userKey,
|
|
20
|
+
expiresIn: '1h',
|
|
21
|
+
issuer: aud.issuer,
|
|
22
|
+
audience: aud.audience,
|
|
23
|
+
});
|
|
17
24
|
}
|
|
18
25
|
generateRefreshToken() {
|
|
19
26
|
return crypto_1.default.randomBytes(32).toString('base64url');
|
|
20
27
|
}
|
|
21
|
-
|
|
28
|
+
/** Verify signature AND issuer/audience binding; return the trusted claims or `null`. */
|
|
29
|
+
validateAccessToken(token, aud) {
|
|
22
30
|
try {
|
|
23
|
-
const decoded = jsonwebtoken_1.default.verify(token, this._jwtSecret
|
|
24
|
-
|
|
31
|
+
const decoded = jsonwebtoken_1.default.verify(token, this._jwtSecret, {
|
|
32
|
+
issuer: aud.issuer,
|
|
33
|
+
audience: aud.audience,
|
|
34
|
+
});
|
|
35
|
+
const userKey = typeof decoded.sub === 'string' ? decoded.sub : null;
|
|
36
|
+
const client_id = typeof decoded.client_id === 'string' ? decoded.client_id : '';
|
|
37
|
+
return userKey ? { userKey, client_id } : null;
|
|
25
38
|
}
|
|
26
39
|
catch (error) {
|
|
27
40
|
log_1.default.warn('oauth.token.invalid', { error: String(error) });
|
|
28
41
|
return null;
|
|
29
42
|
}
|
|
30
43
|
}
|
|
31
|
-
createTokenResponse(userKey, client_id, refresh_token_required = true) {
|
|
32
|
-
const access_token = this.generateAccessToken(userKey, client_id);
|
|
33
|
-
const expires_in = 3600;
|
|
34
|
-
const tokenResponse = {
|
|
35
|
-
access_token,
|
|
36
|
-
token_type: 'Bearer',
|
|
37
|
-
expires_in,
|
|
38
|
-
userKey,
|
|
39
|
-
};
|
|
40
|
-
if (refresh_token_required) {
|
|
41
|
-
tokenResponse.refresh_token = this.generateRefreshToken();
|
|
42
|
-
}
|
|
43
|
-
return tokenResponse;
|
|
44
|
-
}
|
|
45
44
|
verifyPKCE(code_verifier, code_challenge) {
|
|
46
45
|
const hash = crypto_1.default.createHash('sha256').update(code_verifier).digest('base64url');
|
|
47
46
|
return hash === code_challenge;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,gEAA+B;AAE/B,oDAA4B;
|
|
1
|
+
{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../../src/server/oauth/token-manager.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAE5B,gEAA+B;AAE/B,oDAA4B;AAsB5B,MAAa,iBAAiB;IACZ,UAAU,CAAS;IAEpC,YAAY,SAAiB;QAC5B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;oCACgC;IACzB,mBAAmB,CAAC,OAAe,EAAE,SAAiB,EAAE,GAAkB;QAChF,OAAO,sBAAG,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,IAAI,CAAC,UAAU,EAAE;YAC/C,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACtB,CAAC,CAAC;IACJ,CAAC;IAEM,oBAAoB;QAC1B,OAAO,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,yFAAyF;IAClF,mBAAmB,CAAC,KAAa,EAAE,GAAkB;QAC3D,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE;gBAClD,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;aACtB,CAAmB,CAAC;YACrB,MAAM,OAAO,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YACrE,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;YACjF,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAChD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,aAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAEM,UAAU,CAAC,aAAqB,EAAE,cAAsB;QAC9D,MAAM,IAAI,GAAG,gBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACnF,OAAO,IAAI,KAAK,cAAc,CAAC;IAChC,CAAC;IAEM,oBAAoB,CAC1B,QAA+B,EAC/B,MAAyB;QAEzB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,CAAC;QACpF,CAAC;QACD,IAAI,QAAQ,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,QAAQ,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC;QACjF,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,aAAa,EAAE,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,CAAC;QAClF,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;CACD;AAhED,8CAgEC"}
|
|
@@ -30,22 +30,10 @@ export interface OAuthAccessToken {
|
|
|
30
30
|
expires_in: number;
|
|
31
31
|
refresh_token?: string;
|
|
32
32
|
scope?: string;
|
|
33
|
-
userKey: string;
|
|
34
33
|
}
|
|
35
34
|
export interface OAuthError {
|
|
36
35
|
error: string;
|
|
37
36
|
error_description?: string;
|
|
38
37
|
error_uri?: string;
|
|
39
38
|
}
|
|
40
|
-
export interface OAuthAuthorizationServerMetadata {
|
|
41
|
-
issuer: string;
|
|
42
|
-
authorization_endpoint: string;
|
|
43
|
-
token_endpoint: string;
|
|
44
|
-
registration_endpoint: string;
|
|
45
|
-
response_types_supported: string[];
|
|
46
|
-
grant_types_supported: string[];
|
|
47
|
-
token_endpoint_auth_methods_supported: string[];
|
|
48
|
-
code_challenge_methods_supported: string[];
|
|
49
|
-
scopes_supported?: string[];
|
|
50
|
-
}
|
|
51
39
|
//# sourceMappingURL=types.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/validators.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,yBAAyB,EACzB,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,MAAM,SAAS,CAAC;AAIjB,qBAAa,eAAe;IAC3B;;;;OAIG;WACW,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAkB1C,4BAA4B,CACzC,MAAM,EAAE,yBAAyB,EACjC,MAAM,EAAE,WAAW,GAAG,SAAS,GAC7B,UAAU,GAAG,IAAI;WAgBN,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,GAAG,UAAU,GAAG,IAAI;
|
|
1
|
+
{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/validators.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,yBAAyB,EACzB,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,MAAM,SAAS,CAAC;AAIjB,qBAAa,eAAe;IAC3B;;;;OAIG;WACW,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAkB1C,4BAA4B,CACzC,MAAM,EAAE,yBAAyB,EACjC,MAAM,EAAE,WAAW,GAAG,SAAS,GAC7B,UAAU,GAAG,IAAI;WAgBN,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,GAAG,UAAU,GAAG,IAAI;WAmBlE,0BAA0B,CAAC,aAAa,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;CAsB/E"}
|
|
@@ -43,13 +43,22 @@ class OAuthValidators {
|
|
|
43
43
|
return null;
|
|
44
44
|
}
|
|
45
45
|
static validateTokenRequest(params) {
|
|
46
|
-
if (params.grant_type
|
|
47
|
-
|
|
46
|
+
if (params.grant_type === 'authorization_code') {
|
|
47
|
+
if (!params.code || !params.code_verifier) {
|
|
48
|
+
return {
|
|
49
|
+
error: 'invalid_request',
|
|
50
|
+
error_description: 'Missing code or code_verifier',
|
|
51
|
+
};
|
|
52
|
+
}
|
|
53
|
+
return null;
|
|
48
54
|
}
|
|
49
|
-
if (
|
|
50
|
-
|
|
55
|
+
if (params.grant_type === 'refresh_token') {
|
|
56
|
+
if (!params.refresh_token) {
|
|
57
|
+
return { error: 'invalid_request', error_description: 'Missing refresh_token' };
|
|
58
|
+
}
|
|
59
|
+
return null;
|
|
51
60
|
}
|
|
52
|
-
return
|
|
61
|
+
return { error: 'unsupported_grant_type' };
|
|
53
62
|
}
|
|
54
63
|
static validateClientRegistration(redirect_uris) {
|
|
55
64
|
if (!redirect_uris || !Array.isArray(redirect_uris)) {
|