mcp-oauth-provider 0.0.1

package/dist/client/config.js

@@ -0,0 +1,30 @@
+/**
+ * Default OAuth client metadata
+ */ export const DEFAULT_CLIENT_METADATA = {
+    redirect_uris: [],
+    grant_types: [
+        'authorization_code',
+        'refresh_token'
+    ],
+    response_types: [
+        'code'
+    ],
+    token_endpoint_auth_method: 'client_secret_post',
+    scope: 'openid profile email',
+    client_name: 'MCP OAuth Client',
+    client_uri: 'https://github.com/modelcontextprotocol/typescript-sdk'
+};
+/**
+ * Generate a random session ID
+ */ export function generateSessionId() {
+    return crypto.randomUUID();
+}
+/**
+ * Generate a random state parameter for CSRF protection
+ */ export function generateState() {
+    const array = new Uint8Array(32);
+    crypto.getRandomValues(array);
+    return Array.from(array, (byte)=>byte.toString(16).padStart(2, '0')).join('');
+}
+
+//# sourceMappingURL=config.js.map

package/dist/client/config.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/config.ts"],"sourcesContent":["import type {\n  OAuthClientInformation,\n  OAuthClientInformationFull,\n  OAuthClientMetadata,\n  OAuthTokens,\n} from '@modelcontextprotocol/sdk/shared/auth.js';\n\nexport type {\n  OAuthClientInformation,\n  OAuthClientInformationFull,\n  OAuthClientMetadata,\n  OAuthTokens,\n};\n\n/**\n * Storage adapter interface for persisting OAuth data\n */\nexport interface StorageAdapter {\n  /**\n   * Get a value by key\n   */\n  get(key: string): Promise<string | undefined> | string | undefined;\n\n  /**\n   * Set a value by key\n   */\n  set(key: string, value: string): Promise<void> | void;\n\n  /**\n   * Delete a value by key\n   */\n  delete(key: string): Promise<void> | void;\n}\n\n/**\n * Configuration for OAuth client provider\n */\nexport interface OAuthConfig {\n  /**\n   * OAuth client ID (can be provided or dynamically registered)\n   */\n  clientId?: string;\n\n  /**\n   * OAuth client secret (optional for public clients)\n   */\n  clientSecret?: string;\n\n  /**\n   * Redirect URI for OAuth callbacks\n   */\n  redirectUri: string;\n\n  /**\n   * OAuth scope to request\n   */\n  scope?: string;\n\n  /**\n   * Session identifier for this OAuth client instance\n   */\n  sessionId?: string;\n\n  /**\n   * Storage adapter for persisting OAuth data\n   */\n  storage?: StorageAdapter;\n\n  /**\n   * OAuth client metadata for registration\n   */\n  clientMetadata?: Partial<OAuthClientMetadata>;\n\n  /**\n   * OAuth tokens (can be provided statically or loaded from storage)\n   */\n  tokens?: OAuthTokens;\n\n  /**\n   * Token refresh configuration\n   */\n  tokenRefresh?: {\n    /**\n     * Maximum number of retry attempts for token refresh\n     */\n    maxRetries?: number;\n\n    /**\n     * Delay between retry attempts in milliseconds\n     */\n    retryDelay?: number;\n  };\n\n  /**\n   * Authorization server metadata (can be provided or obtained during auth flow)\n   */\n  authorizationServerMetadata?: {\n    issuer: string;\n    authorization_endpoint: string;\n    token_endpoint: string;\n    [key: string]: unknown;\n  };\n}\n\n/**\n * Default OAuth client metadata\n */\nexport const DEFAULT_CLIENT_METADATA: OAuthClientMetadata = {\n  redirect_uris: [],\n  grant_types: ['authorization_code', 'refresh_token'],\n  response_types: ['code'],\n  token_endpoint_auth_method: 'client_secret_post',\n  scope: 'openid profile email',\n  client_name: 'MCP OAuth Client',\n  client_uri: 'https://github.com/modelcontextprotocol/typescript-sdk',\n};\n\n/**\n * Generate a random session ID\n */\nexport function generateSessionId(): string {\n  return crypto.randomUUID();\n}\n\n/**\n * Generate a random state parameter for CSRF protection\n */\nexport function generateState(): string {\n  const array = new Uint8Array(32);\n\n  crypto.getRandomValues(array);\n\n  return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('');\n}\n"],"names":["DEFAULT_CLIENT_METADATA","redirect_uris","grant_types","response_types","token_endpoint_auth_method","scope","client_name","client_uri","generateSessionId","crypto","randomUUID","generateState","array","Uint8Array","getRandomValues","Array","from","byte","toString","padStart","join"],"mappings":"AAwGA;;CAEC,GACD,OAAO,MAAMA,0BAA+C;IAC1DC,eAAe,EAAE;IACjBC,aAAa;QAAC;QAAsB;KAAgB;IACpDC,gBAAgB;QAAC;KAAO;IACxBC,4BAA4B;IAC5BC,OAAO;IACPC,aAAa;IACbC,YAAY;AACd,EAAE;AAEF;;CAEC,GACD,OAAO,SAASC;IACd,OAAOC,OAAOC,UAAU;AAC1B;AAEA;;CAEC,GACD,OAAO,SAASC;IACd,MAAMC,QAAQ,IAAIC,WAAW;IAE7BJ,OAAOK,eAAe,CAACF;IAEvB,OAAOG,MAAMC,IAAI,CAACJ,OAAOK,CAAAA,OAAQA,KAAKC,QAAQ,CAAC,IAAIC,QAAQ,CAAC,GAAG,MAAMC,IAAI,CAAC;AAC5E"}

package/dist/client/factory.js

@@ -0,0 +1,16 @@
+import { MCPOAuthClientProvider } from './index.js';
+/**
+ * Factory function to create an OAuth client provider
+ *
+ * @example
+ * ```typescript
+ * const provider = createOAuthProvider({
+ *   redirectUri: 'http://localhost:8080/callback',
+ *   scope: 'openid profile email',
+ * });
+ * ```
+ */ export function createOAuthProvider(config) {
+    return new MCPOAuthClientProvider(config);
+}
+
+//# sourceMappingURL=factory.js.map

package/dist/client/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/factory.ts"],"sourcesContent":["import type { OAuthConfig } from './config.js';\nimport { MCPOAuthClientProvider } from './index.js';\n\n/**\n * Factory function to create an OAuth client provider\n *\n * @example\n * ```typescript\n * const provider = createOAuthProvider({\n *   redirectUri: 'http://localhost:8080/callback',\n *   scope: 'openid profile email',\n * });\n * ```\n */\nexport function createOAuthProvider(\n  config: OAuthConfig\n): MCPOAuthClientProvider {\n  return new MCPOAuthClientProvider(config);\n}\n"],"names":["MCPOAuthClientProvider","createOAuthProvider","config"],"mappings":"AACA,SAASA,sBAAsB,QAAQ,aAAa;AAEpD;;;;;;;;;;CAUC,GACD,OAAO,SAASC,oBACdC,MAAmB;IAEnB,OAAO,IAAIF,uBAAuBE;AACpC"}

package/dist/client/index.js

@@ -0,0 +1,237 @@
+import { _ as _define_property } from "@swc/helpers/_/_define_property";
+import { DEFAULT_CLIENT_METADATA, generateSessionId, generateState } from './config.js';
+import { areTokensExpired, refreshTokensWithRetry } from './oauth-flow.js';
+import { MemoryStorage, OAuthStorage } from './storage.js';
+export class MCPOAuthClientProvider {
+    /**
+   * The URL to redirect the user agent to after authorization
+   */ get redirectUrl() {
+        return this.config.redirectUri;
+    }
+    /**
+   * Metadata about this OAuth client
+   */ get clientMetadata() {
+        return this.config.clientMetadata;
+    }
+    /**
+   * Returns a OAuth2 state parameter for CSRF protection
+   */ async state() {
+        return generateState();
+    }
+    /**
+   * Loads information about this OAuth client
+   * Config credentials are initialized into storage, so all reads go through storage
+   */ async clientInformation() {
+        return await this.oauthStorage.getClientInfo();
+    }
+    /**
+   * Saves client information after dynamic registration
+   */ async saveClientInformation(clientInformation) {
+        this.cachedClientInformation = clientInformation;
+        await this.oauthStorage.saveClientInfo(clientInformation);
+    }
+    /**
+   * Loads any existing OAuth tokens for the current session
+   * Automatically refreshes tokens if they're expired or about to expire (within 5 minutes)
+   * Requires authorizationServerMetadata to be set (from auth flow) for automatic refresh
+   */ async tokens() {
+        const currentTokens = await this.oauthStorage.getTokens();
+        if (!currentTokens) {
+            return undefined;
+        }
+        // Check if tokens are expired or about to expire (within 5 minutes)
+        const needsRefresh = areTokensExpired(currentTokens, undefined, 300);
+        // If tokens need refresh and we have the server metadata and refresh token, refresh automatically
+        if (needsRefresh && currentTokens.refresh_token && this.authorizationServerMetadata?.token_endpoint) {
+            try {
+                // Use the token endpoint from authorization server metadata
+                const newTokens = await this.refreshTokens();
+                return newTokens;
+            } catch (error) {
+                // If refresh fails, return the current tokens and let the caller handle it
+                // This prevents breaking existing flows that might handle refresh differently
+                return currentTokens;
+            }
+        }
+        return currentTokens;
+    }
+    /**
+   * Refresh tokens using helper function
+   * Uses the token endpoint from authorizationServerMetadata
+   *
+   * @returns New OAuth tokens
+   * @throws Error if no authorization server metadata is available
+   */ async refreshTokens() {
+        if (!this.authorizationServerMetadata?.token_endpoint) {
+            throw new Error('No authorization server metadata available. Cannot refresh tokens without token_endpoint.');
+        }
+        const { maxRetries, retryDelay } = this.config.tokenRefresh;
+        const currentTokens = await this.oauthStorage.getTokens();
+        if (!currentTokens?.refresh_token) {
+            throw new Error('No refresh token available');
+        }
+        const clientInfo = await this.clientInformation();
+        if (!clientInfo) {
+            throw new Error('No client information available');
+        }
+        try {
+            // Use helper function for retry logic with token endpoint
+            const newTokens = await refreshTokensWithRetry(this.authorizationServerMetadata.token_endpoint, clientInfo, currentTokens.refresh_token, this.addClientAuthentication, maxRetries, retryDelay);
+            // Save the new tokens
+            await this.oauthStorage.saveTokens(newTokens);
+            return newTokens;
+        } catch (error) {
+            // All retries failed, invalidate tokens
+            await this.invalidateCredentials('tokens');
+            throw error;
+        }
+    }
+    /**
+   * Loads any existing OAuth tokens for the current session (without auto-refresh)
+   * Use this if you want to check tokens without triggering a refresh
+   */ async getStoredTokens() {
+        return this.oauthStorage.getTokens();
+    }
+    /**
+   * Stores new OAuth tokens for the current session
+   */ async saveTokens(tokens) {
+        await this.oauthStorage.saveTokens(tokens);
+    }
+    /**
+   * Invoked to redirect the user agent to the given URL to begin the authorization flow
+   */ async redirectToAuthorization(authorizationUrl) {
+        // In a real implementation, this would open a browser or redirect the user
+        // For now, we'll let the caller handle the redirect by throwing an error with the URL
+        // In a Bun environment, we could automatically open the browser:
+        if (typeof Bun !== 'undefined') {
+            try {
+                await Bun.$`open ${authorizationUrl.toString()}`;
+                return;
+            } catch  {
+            // Fallback if 'open' command is not available
+            }
+        }
+        // If we can't automatically open, throw an error with the URL for the caller to handle
+        throw new Error(`Please navigate to: ${authorizationUrl.toString()}`);
+    }
+    /**
+   * Saves a PKCE code verifier for the current session
+   */ async saveCodeVerifier(codeVerifier) {
+        await this.oauthStorage.saveCodeVerifier(codeVerifier);
+    }
+    /**
+   * Loads the PKCE code verifier for the current session
+   */ async codeVerifier() {
+        const verifier = await this.oauthStorage.getCodeVerifier();
+        if (!verifier) {
+            throw new Error('No code verifier found for current session');
+        }
+        return verifier;
+    }
+    /**
+   * Validates the resource URL for OAuth requests
+   */ async validateResourceURL(serverUrl, resource) {
+        // Simple validation - in a real implementation you might want more sophisticated logic
+        if (resource) {
+            try {
+                return new URL(resource);
+            } catch  {
+                throw new Error(`Invalid resource URL: ${resource}`);
+            }
+        }
+        // Default to server URL if no specific resource is provided
+        return new URL(serverUrl);
+    }
+    /**
+   * Invalidates stored credentials based on the specified scope
+   */ async invalidateCredentials(scope) {
+        switch(scope){
+            case 'all':
+                await this.oauthStorage.clearAll();
+                break;
+            case 'client':
+                await this.oauthStorage.clearClientInfo();
+                break;
+            case 'tokens':
+                await this.oauthStorage.clearTokens();
+                break;
+            case 'verifier':
+                await this.oauthStorage.clearCodeVerifier();
+                break;
+        }
+    }
+    /**
+   * Get the current session ID
+   */ getSessionId() {
+        return this.sessionId;
+    }
+    /**
+   * Get the OAuth storage helper
+   */ getOAuthStorage() {
+        return this.oauthStorage;
+    }
+    /**
+   * Clear the current session
+   */ async clearSession() {
+        await this.oauthStorage.clearSession();
+    }
+    constructor(config){
+        _define_property(this, "config", void 0);
+        _define_property(this, "oauthStorage", void 0);
+        _define_property(this, "sessionId", void 0);
+        _define_property(this, "cachedClientInformation", void 0);
+        _define_property(this, "authorizationServerMetadata", void 0);
+        /**
+   * Adds custom client authentication to OAuth token requests
+   */ _define_property(this, "addClientAuthentication", (headers, params, url, metadata)=>{
+            const clientInfo = this.cachedClientInformation;
+            this.authorizationServerMetadata = metadata;
+            if (!clientInfo) {
+                throw new Error('No client information available for authentication');
+            }
+            // Use client_secret_post method by default
+            params.set('client_id', clientInfo.client_id);
+            if (clientInfo.client_secret) {
+                params.set('client_secret', clientInfo.client_secret);
+            }
+        });
+        this.sessionId = config.sessionId ?? generateSessionId();
+        const storage = config.storage ?? new MemoryStorage();
+        // Set authorization server metadata if provided
+        if (config.authorizationServerMetadata) {
+            this.authorizationServerMetadata = config.authorizationServerMetadata;
+        }
+        this.oauthStorage = new OAuthStorage(storage, this.sessionId, {
+            staticClientInfo: config.clientId ? {
+                client_id: config.clientId,
+                client_secret: config.clientSecret
+            } : undefined,
+            initialTokens: config.tokens
+        });
+        // Merge with defaults
+        this.config = {
+            clientId: config.clientId ?? '',
+            clientSecret: config.clientSecret ?? undefined,
+            redirectUri: config.redirectUri,
+            scope: config.scope ?? 'read write',
+            sessionId: this.sessionId,
+            storage,
+            tokens: config.tokens,
+            clientMetadata: {
+                ...DEFAULT_CLIENT_METADATA,
+                ...config.clientMetadata ?? {},
+                redirect_uris: [
+                    config.redirectUri
+                ],
+                scope: config.scope ?? DEFAULT_CLIENT_METADATA.scope
+            },
+            tokenRefresh: {
+                maxRetries: 3,
+                retryDelay: 1000,
+                ...config.tokenRefresh ?? {}
+            }
+        };
+    }
+}
+
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/index.ts"],"sourcesContent":["import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';\nimport { AuthorizationServerMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';\nimport type {\n  OAuthClientInformation,\n  OAuthClientInformationFull,\n  OAuthClientMetadata,\n  OAuthConfig,\n  OAuthTokens,\n} from './config.js';\nimport {\n  DEFAULT_CLIENT_METADATA,\n  generateSessionId,\n  generateState,\n} from './config.js';\nimport { areTokensExpired, refreshTokensWithRetry } from './oauth-flow.js';\nimport { MemoryStorage, OAuthStorage } from './storage.js';\n\n/**\n * Options for token refresh\n */\ninterface TokenRefreshConfig {\n  maxRetries: number;\n  retryDelay: number;\n}\n\n/**\n * MCP OAuth Client Provider implementation with automatic token refresh\n */\ninterface ProcessedOAuthConfig\n  extends Omit<\n    Required<OAuthConfig>,\n    'clientSecret' | 'tokens' | 'authorizationServerMetadata'\n  > {\n  clientSecret?: string;\n  tokens?: OAuthTokens;\n  clientMetadata: OAuthClientMetadata;\n  tokenRefresh: TokenRefreshConfig;\n}\n\nexport class MCPOAuthClientProvider implements OAuthClientProvider {\n  private readonly config: ProcessedOAuthConfig;\n  private readonly oauthStorage: OAuthStorage;\n  private readonly sessionId: string;\n  private cachedClientInformation?: OAuthClientInformationFull;\n\n  public authorizationServerMetadata?: AuthorizationServerMetadata;\n\n  constructor(config: OAuthConfig) {\n    this.sessionId = config.sessionId ?? generateSessionId();\n    const storage = config.storage ?? new MemoryStorage();\n\n    // Set authorization server metadata if provided\n    if (config.authorizationServerMetadata) {\n      this.authorizationServerMetadata =\n        config.authorizationServerMetadata as AuthorizationServerMetadata;\n    }\n\n    this.oauthStorage = new OAuthStorage(storage, this.sessionId, {\n      staticClientInfo: config.clientId\n        ? {\n            client_id: config.clientId,\n            client_secret: config.clientSecret,\n          }\n        : undefined,\n      initialTokens: config.tokens,\n    });\n\n    // Merge with defaults\n    this.config = {\n      clientId: config.clientId ?? '',\n      clientSecret: config.clientSecret ?? undefined,\n      redirectUri: config.redirectUri,\n      scope: config.scope ?? 'read write',\n      sessionId: this.sessionId,\n      storage,\n      tokens: config.tokens,\n      clientMetadata: {\n        ...DEFAULT_CLIENT_METADATA,\n        ...(config.clientMetadata ?? {}),\n        redirect_uris: [config.redirectUri], // Always required\n        scope: config.scope ?? DEFAULT_CLIENT_METADATA.scope,\n      },\n      tokenRefresh: {\n        maxRetries: 3,\n        retryDelay: 1000,\n        ...(config.tokenRefresh ?? {}),\n      },\n    };\n  }\n\n  /**\n   * The URL to redirect the user agent to after authorization\n   */\n  get redirectUrl(): string | URL {\n    return this.config.redirectUri;\n  }\n\n  /**\n   * Metadata about this OAuth client\n   */\n  get clientMetadata(): OAuthClientMetadata {\n    return this.config.clientMetadata;\n  }\n\n  /**\n   * Returns a OAuth2 state parameter for CSRF protection\n   */\n  async state(): Promise<string> {\n    return generateState();\n  }\n\n  /**\n   * Loads information about this OAuth client\n   * Config credentials are initialized into storage, so all reads go through storage\n   */\n  async clientInformation(): Promise<OAuthClientInformation | undefined> {\n    return await this.oauthStorage.getClientInfo();\n  }\n\n  /**\n   * Saves client information after dynamic registration\n   */\n  async saveClientInformation(\n    clientInformation: OAuthClientInformationFull\n  ): Promise<void> {\n    this.cachedClientInformation = clientInformation;\n\n    await this.oauthStorage.saveClientInfo(clientInformation);\n  }\n\n  /**\n   * Loads any existing OAuth tokens for the current session\n   * Automatically refreshes tokens if they're expired or about to expire (within 5 minutes)\n   * Requires authorizationServerMetadata to be set (from auth flow) for automatic refresh\n   */\n  async tokens(): Promise<OAuthTokens | undefined> {\n    const currentTokens = await this.oauthStorage.getTokens();\n\n    if (!currentTokens) {\n      return undefined;\n    }\n\n    // Check if tokens are expired or about to expire (within 5 minutes)\n    const needsRefresh = areTokensExpired(currentTokens, undefined, 300);\n\n    // If tokens need refresh and we have the server metadata and refresh token, refresh automatically\n    if (\n      needsRefresh &&\n      currentTokens.refresh_token &&\n      this.authorizationServerMetadata?.token_endpoint\n    ) {\n      try {\n        // Use the token endpoint from authorization server metadata\n        const newTokens = await this.refreshTokens();\n\n        return newTokens;\n      } catch (error) {\n        // If refresh fails, return the current tokens and let the caller handle it\n        // This prevents breaking existing flows that might handle refresh differently\n        return currentTokens;\n      }\n    }\n\n    return currentTokens;\n  }\n\n  /**\n   * Refresh tokens using helper function\n   * Uses the token endpoint from authorizationServerMetadata\n   *\n   * @returns New OAuth tokens\n   * @throws Error if no authorization server metadata is available\n   */\n  async refreshTokens(): Promise<OAuthTokens> {\n    if (!this.authorizationServerMetadata?.token_endpoint) {\n      throw new Error(\n        'No authorization server metadata available. Cannot refresh tokens without token_endpoint.'\n      );\n    }\n\n    const { maxRetries, retryDelay } = this.config.tokenRefresh;\n\n    const currentTokens = await this.oauthStorage.getTokens();\n\n    if (!currentTokens?.refresh_token) {\n      throw new Error('No refresh token available');\n    }\n\n    const clientInfo = await this.clientInformation();\n\n    if (!clientInfo) {\n      throw new Error('No client information available');\n    }\n\n    try {\n      // Use helper function for retry logic with token endpoint\n      const newTokens = await refreshTokensWithRetry(\n        this.authorizationServerMetadata.token_endpoint,\n        clientInfo,\n        currentTokens.refresh_token,\n        this.addClientAuthentication,\n        maxRetries,\n        retryDelay\n      );\n\n      // Save the new tokens\n      await this.oauthStorage.saveTokens(newTokens);\n\n      return newTokens;\n    } catch (error) {\n      // All retries failed, invalidate tokens\n      await this.invalidateCredentials('tokens');\n      throw error;\n    }\n  }\n\n  /**\n   * Loads any existing OAuth tokens for the current session (without auto-refresh)\n   * Use this if you want to check tokens without triggering a refresh\n   */\n  async getStoredTokens(): Promise<OAuthTokens | undefined> {\n    return this.oauthStorage.getTokens();\n  }\n\n  /**\n   * Stores new OAuth tokens for the current session\n   */\n  async saveTokens(tokens: OAuthTokens): Promise<void> {\n    await this.oauthStorage.saveTokens(tokens);\n  }\n\n  /**\n   * Invoked to redirect the user agent to the given URL to begin the authorization flow\n   */\n  async redirectToAuthorization(authorizationUrl: URL): Promise<void> {\n    // In a real implementation, this would open a browser or redirect the user\n    // For now, we'll let the caller handle the redirect by throwing an error with the URL\n\n    // In a Bun environment, we could automatically open the browser:\n    if (typeof Bun !== 'undefined') {\n      try {\n        await Bun.$`open ${authorizationUrl.toString()}`;\n\n        return;\n      } catch {\n        // Fallback if 'open' command is not available\n      }\n    }\n\n    // If we can't automatically open, throw an error with the URL for the caller to handle\n    throw new Error(`Please navigate to: ${authorizationUrl.toString()}`);\n  }\n\n  /**\n   * Saves a PKCE code verifier for the current session\n   */\n  async saveCodeVerifier(codeVerifier: string): Promise<void> {\n    await this.oauthStorage.saveCodeVerifier(codeVerifier);\n  }\n\n  /**\n   * Loads the PKCE code verifier for the current session\n   */\n  async codeVerifier(): Promise<string> {\n    const verifier = await this.oauthStorage.getCodeVerifier();\n\n    if (!verifier) {\n      throw new Error('No code verifier found for current session');\n    }\n\n    return verifier;\n  }\n\n  /**\n   * Adds custom client authentication to OAuth token requests\n   */\n  addClientAuthentication = (\n    headers: Headers,\n    params: URLSearchParams,\n    url: string | URL,\n    metadata?: AuthorizationServerMetadata\n  ): void => {\n    const clientInfo = this.cachedClientInformation;\n\n    this.authorizationServerMetadata = metadata;\n\n    if (!clientInfo) {\n      throw new Error('No client information available for authentication');\n    }\n\n    // Use client_secret_post method by default\n    params.set('client_id', clientInfo.client_id);\n\n    if (clientInfo.client_secret) {\n      params.set('client_secret', clientInfo.client_secret);\n    }\n  };\n\n  /**\n   * Validates the resource URL for OAuth requests\n   */\n  async validateResourceURL(\n    serverUrl: string | URL,\n    resource?: string\n  ): Promise<URL | undefined> {\n    // Simple validation - in a real implementation you might want more sophisticated logic\n    if (resource) {\n      try {\n        return new URL(resource);\n      } catch {\n        throw new Error(`Invalid resource URL: ${resource}`);\n      }\n    }\n\n    // Default to server URL if no specific resource is provided\n    return new URL(serverUrl);\n  }\n\n  /**\n   * Invalidates stored credentials based on the specified scope\n   */\n  async invalidateCredentials(\n    scope: 'all' | 'client' | 'tokens' | 'verifier'\n  ): Promise<void> {\n    switch (scope) {\n      case 'all':\n        await this.oauthStorage.clearAll();\n        break;\n      case 'client':\n        await this.oauthStorage.clearClientInfo();\n        break;\n      case 'tokens':\n        await this.oauthStorage.clearTokens();\n        break;\n      case 'verifier':\n        await this.oauthStorage.clearCodeVerifier();\n        break;\n    }\n  }\n\n  /**\n   * Get the current session ID\n   */\n  getSessionId(): string {\n    return this.sessionId;\n  }\n\n  /**\n   * Get the OAuth storage helper\n   */\n  getOAuthStorage(): OAuthStorage {\n    return this.oauthStorage;\n  }\n\n  /**\n   * Clear the current session\n   */\n  async clearSession(): Promise<void> {\n    await this.oauthStorage.clearSession();\n  }\n}\n"],"names":["DEFAULT_CLIENT_METADATA","generateSessionId","generateState","areTokensExpired","refreshTokensWithRetry","MemoryStorage","OAuthStorage","MCPOAuthClientProvider","redirectUrl","config","redirectUri","clientMetadata","state","clientInformation","oauthStorage","getClientInfo","saveClientInformation","cachedClientInformation","saveClientInfo","tokens","currentTokens","getTokens","undefined","needsRefresh","refresh_token","authorizationServerMetadata","token_endpoint","newTokens","refreshTokens","error","Error","maxRetries","retryDelay","tokenRefresh","clientInfo","addClientAuthentication","saveTokens","invalidateCredentials","getStoredTokens","redirectToAuthorization","authorizationUrl","Bun","$","toString","saveCodeVerifier","codeVerifier","verifier","getCodeVerifier","validateResourceURL","serverUrl","resource","URL","scope","clearAll","clearClientInfo","clearTokens","clearCodeVerifier","getSessionId","sessionId","getOAuthStorage","clearSession","headers","params","url","metadata","set","client_id","client_secret","storage","staticClientInfo","clientId","clientSecret","initialTokens","redirect_uris"],"mappings":";AASA,SACEA,uBAAuB,EACvBC,iBAAiB,EACjBC,aAAa,QACR,cAAc;AACrB,SAASC,gBAAgB,EAAEC,sBAAsB,QAAQ,kBAAkB;AAC3E,SAASC,aAAa,EAAEC,YAAY,QAAQ,eAAe;AAwB3D,OAAO,MAAMC;IAmDX;;GAEC,GACD,IAAIC,cAA4B;QAC9B,OAAO,IAAI,CAACC,MAAM,CAACC,WAAW;IAChC;IAEA;;GAEC,GACD,IAAIC,iBAAsC;QACxC,OAAO,IAAI,CAACF,MAAM,CAACE,cAAc;IACnC;IAEA;;GAEC,GACD,MAAMC,QAAyB;QAC7B,OAAOV;IACT;IAEA;;;GAGC,GACD,MAAMW,oBAAiE;QACrE,OAAO,MAAM,IAAI,CAACC,YAAY,CAACC,aAAa;IAC9C;IAEA;;GAEC,GACD,MAAMC,sBACJH,iBAA6C,EAC9B;QACf,IAAI,CAACI,uBAAuB,GAAGJ;QAE/B,MAAM,IAAI,CAACC,YAAY,CAACI,cAAc,CAACL;IACzC;IAEA;;;;GAIC,GACD,MAAMM,SAA2C;QAC/C,MAAMC,gBAAgB,MAAM,IAAI,CAACN,YAAY,CAACO,SAAS;QAEvD,IAAI,CAACD,eAAe;YAClB,OAAOE;QACT;QAEA,oEAAoE;QACpE,MAAMC,eAAepB,iBAAiBiB,eAAeE,WAAW;QAEhE,kGAAkG;QAClG,IACEC,gBACAH,cAAcI,aAAa,IAC3B,IAAI,CAACC,2BAA2B,EAAEC,gBAClC;YACA,IAAI;gBACF,4DAA4D;gBAC5D,MAAMC,YAAY,MAAM,IAAI,CAACC,aAAa;gBAE1C,OAAOD;YACT,EAAE,OAAOE,OAAO;gBACd,2EAA2E;gBAC3E,8EAA8E;gBAC9E,OAAOT;YACT;QACF;QAEA,OAAOA;IACT;IAEA;;;;;;GAMC,GACD,MAAMQ,gBAAsC;QAC1C,IAAI,CAAC,IAAI,CAACH,2BAA2B,EAAEC,gBAAgB;YACrD,MAAM,IAAII,MACR;QAEJ;QAEA,MAAM,EAAEC,UAAU,EAAEC,UAAU,EAAE,GAAG,IAAI,CAACvB,MAAM,CAACwB,YAAY;QAE3D,MAAMb,gBAAgB,MAAM,IAAI,CAACN,YAAY,CAACO,SAAS;QAEvD,IAAI,CAACD,eAAeI,eAAe;YACjC,MAAM,IAAIM,MAAM;QAClB;QAEA,MAAMI,aAAa,MAAM,IAAI,CAACrB,iBAAiB;QAE/C,IAAI,CAACqB,YAAY;YACf,MAAM,IAAIJ,MAAM;QAClB;QAEA,IAAI;YACF,0DAA0D;YAC1D,MAAMH,YAAY,MAAMvB,uBACtB,IAAI,CAACqB,2BAA2B,CAACC,cAAc,EAC/CQ,YACAd,cAAcI,aAAa,EAC3B,IAAI,CAACW,uBAAuB,EAC5BJ,YACAC;YAGF,sBAAsB;YACtB,MAAM,IAAI,CAAClB,YAAY,CAACsB,UAAU,CAACT;YAEnC,OAAOA;QACT,EAAE,OAAOE,OAAO;YACd,wCAAwC;YACxC,MAAM,IAAI,CAACQ,qBAAqB,CAAC;YACjC,MAAMR;QACR;IACF;IAEA;;;GAGC,GACD,MAAMS,kBAAoD;QACxD,OAAO,IAAI,CAACxB,YAAY,CAACO,SAAS;IACpC;IAEA;;GAEC,GACD,MAAMe,WAAWjB,MAAmB,EAAiB;QACnD,MAAM,IAAI,CAACL,YAAY,CAACsB,UAAU,CAACjB;IACrC;IAEA;;GAEC,GACD,MAAMoB,wBAAwBC,gBAAqB,EAAiB;QAClE,2EAA2E;QAC3E,sFAAsF;QAEtF,iEAAiE;QACjE,IAAI,OAAOC,QAAQ,aAAa;YAC9B,IAAI;gBACF,MAAMA,IAAIC,CAAC,CAAC,KAAK,EAAEF,iBAAiBG,QAAQ,GAAG,CAAC;gBAEhD;YACF,EAAE,OAAM;YACN,8CAA8C;YAChD;QACF;QAEA,uFAAuF;QACvF,MAAM,IAAIb,MAAM,CAAC,oBAAoB,EAAEU,iBAAiBG,QAAQ,IAAI;IACtE;IAEA;;GAEC,GACD,MAAMC,iBAAiBC,YAAoB,EAAiB;QAC1D,MAAM,IAAI,CAAC/B,YAAY,CAAC8B,gBAAgB,CAACC;IAC3C;IAEA;;GAEC,GACD,MAAMA,eAAgC;QACpC,MAAMC,WAAW,MAAM,IAAI,CAAChC,YAAY,CAACiC,eAAe;QAExD,IAAI,CAACD,UAAU;YACb,MAAM,IAAIhB,MAAM;QAClB;QAEA,OAAOgB;IACT;IA2BA;;GAEC,GACD,MAAME,oBACJC,SAAuB,EACvBC,QAAiB,EACS;QAC1B,uFAAuF;QACvF,IAAIA,UAAU;YACZ,IAAI;gBACF,OAAO,IAAIC,IAAID;YACjB,EAAE,OAAM;gBACN,MAAM,IAAIpB,MAAM,CAAC,sBAAsB,EAAEoB,UAAU;YACrD;QACF;QAEA,4DAA4D;QAC5D,OAAO,IAAIC,IAAIF;IACjB;IAEA;;GAEC,GACD,MAAMZ,sBACJe,KAA+C,EAChC;QACf,OAAQA;YACN,KAAK;gBACH,MAAM,IAAI,CAACtC,YAAY,CAACuC,QAAQ;gBAChC;YACF,KAAK;gBACH,MAAM,IAAI,CAACvC,YAAY,CAACwC,eAAe;gBACvC;YACF,KAAK;gBACH,MAAM,IAAI,CAACxC,YAAY,CAACyC,WAAW;gBACnC;YACF,KAAK;gBACH,MAAM,IAAI,CAACzC,YAAY,CAAC0C,iBAAiB;gBACzC;QACJ;IACF;IAEA;;GAEC,GACDC,eAAuB;QACrB,OAAO,IAAI,CAACC,SAAS;IACvB;IAEA;;GAEC,GACDC,kBAAgC;QAC9B,OAAO,IAAI,CAAC7C,YAAY;IAC1B;IAEA;;GAEC,GACD,MAAM8C,eAA8B;QAClC,MAAM,IAAI,CAAC9C,YAAY,CAAC8C,YAAY;IACtC;IAxTA,YAAYnD,MAAmB,CAAE;QAPjC,uBAAiBA,UAAjB,KAAA;QACA,uBAAiBK,gBAAjB,KAAA;QACA,uBAAiB4C,aAAjB,KAAA;QACA,uBAAQzC,2BAAR,KAAA;QAEA,uBAAOQ,+BAAP,KAAA;QAoOA;;GAEC,GACDU,uBAAAA,2BAA0B,CACxB0B,SACAC,QACAC,KACAC;YAEA,MAAM9B,aAAa,IAAI,CAACjB,uBAAuB;YAE/C,IAAI,CAACQ,2BAA2B,GAAGuC;YAEnC,IAAI,CAAC9B,YAAY;gBACf,MAAM,IAAIJ,MAAM;YAClB;YAEA,2CAA2C;YAC3CgC,OAAOG,GAAG,CAAC,aAAa/B,WAAWgC,SAAS;YAE5C,IAAIhC,WAAWiC,aAAa,EAAE;gBAC5BL,OAAOG,GAAG,CAAC,iBAAiB/B,WAAWiC,aAAa;YACtD;QACF;QAxPE,IAAI,CAACT,SAAS,GAAGjD,OAAOiD,SAAS,IAAIzD;QACrC,MAAMmE,UAAU3D,OAAO2D,OAAO,IAAI,IAAI/D;QAEtC,gDAAgD;QAChD,IAAII,OAAOgB,2BAA2B,EAAE;YACtC,IAAI,CAACA,2BAA2B,GAC9BhB,OAAOgB,2BAA2B;QACtC;QAEA,IAAI,CAACX,YAAY,GAAG,IAAIR,aAAa8D,SAAS,IAAI,CAACV,SAAS,EAAE;YAC5DW,kBAAkB5D,OAAO6D,QAAQ,GAC7B;gBACEJ,WAAWzD,OAAO6D,QAAQ;gBAC1BH,eAAe1D,OAAO8D,YAAY;YACpC,IACAjD;YACJkD,eAAe/D,OAAOU,MAAM;QAC9B;QAEA,sBAAsB;QACtB,IAAI,CAACV,MAAM,GAAG;YACZ6D,UAAU7D,OAAO6D,QAAQ,IAAI;YAC7BC,cAAc9D,OAAO8D,YAAY,IAAIjD;YACrCZ,aAAaD,OAAOC,WAAW;YAC/B0C,OAAO3C,OAAO2C,KAAK,IAAI;YACvBM,WAAW,IAAI,CAACA,SAAS;YACzBU;YACAjD,QAAQV,OAAOU,MAAM;YACrBR,gBAAgB;gBACd,GAAGX,uBAAuB;gBAC1B,GAAIS,OAAOE,cAAc,IAAI,CAAC,CAAC;gBAC/B8D,eAAe;oBAAChE,OAAOC,WAAW;iBAAC;gBACnC0C,OAAO3C,OAAO2C,KAAK,IAAIpD,wBAAwBoD,KAAK;YACtD;YACAnB,cAAc;gBACZF,YAAY;gBACZC,YAAY;gBACZ,GAAIvB,OAAOwB,YAAY,IAAI,CAAC,CAAC;YAC/B;QACF;IACF;AAgRF"}

package/dist/client/oauth-flow.js

@@ -0,0 +1,73 @@
+/**
+ * OAuth Flow Helpers
+ *
+ * Pure utility functions for OAuth operations
+ */ import { refreshAuthorization } from '@modelcontextprotocol/sdk/client/auth.js';
+/**
+ * Check if tokens are expired or about to expire
+ *
+ * @param tokens - OAuth tokens to check
+ * @param tokenExpiryTime - Tracked expiry timestamp (if available)
+ * @param bufferSeconds - Number of seconds before expiry to consider expired (default: 300 = 5 minutes)
+ * @returns true if tokens are expired or will expire soon
+ */ export function areTokensExpired(tokens, tokenExpiryTime, bufferSeconds = 300) {
+    if (!tokens) {
+        return true;
+    }
+    // If we have a tracked expiry time, use it (most accurate)
+    if (tokenExpiryTime) {
+        const now = Date.now();
+        return now >= tokenExpiryTime - bufferSeconds * 1000;
+    }
+    // If no expiry info, assume tokens are valid
+    if (tokens.expires_in === undefined) {
+        return false;
+    }
+    // Check if tokens will expire within the buffer period
+    // Note: expires_in is now derived from stored expires_at, so it's always accurate
+    return tokens.expires_in <= bufferSeconds;
+}
+/**
+ * Refresh OAuth tokens with retry logic
+ *
+ * @param serverUrl - Authorization server URL
+ * @param clientInfo - Client information
+ * @param refreshToken - Current refresh token
+ * @param addClientAuth - Client authentication function
+ * @param maxRetries - Maximum retry attempts (default: 3)
+ * @param retryDelay - Base delay between retries in ms (default: 1000)
+ * @param fetchFn - Optional custom fetch function
+ * @returns New OAuth tokens
+ * @throws Error if refresh fails after all retries
+ */ export async function refreshTokensWithRetry(serverUrl, clientInfo, refreshToken, addClientAuth, maxRetries = 3, retryDelay = 1000, fetchFn) {
+    let lastError;
+    /* eslint-disable no-await-in-loop */ for(let attempt = 0; attempt < maxRetries; attempt++){
+        try {
+            // Attempt token refresh using SDK function
+            const newTokens = await refreshAuthorization(serverUrl, {
+                clientInformation: clientInfo,
+                refreshToken,
+                addClientAuthentication: addClientAuth,
+                fetchFn
+            });
+            return newTokens;
+        } catch (error) {
+            lastError = error;
+            // If this isn't the last attempt, wait before retrying
+            if (attempt < maxRetries - 1) {
+                await new Promise((resolve)=>setTimeout(resolve, retryDelay * (attempt + 1)));
+            }
+        }
+    }
+    /* eslint-enable no-await-in-loop */ throw new Error(`Token refresh failed after ${maxRetries} attempts: ${lastError?.message || 'Unknown error'}`);
+}
+/**
+ * Calculate token expiry timestamp
+ *
+ * @param expiresIn - Token lifetime in seconds
+ * @returns Expiry timestamp in milliseconds
+ */ export function calculateTokenExpiry(expiresIn) {
+    return Date.now() + expiresIn * 1000;
+}
+
+//# sourceMappingURL=oauth-flow.js.map

package/dist/client/oauth-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/oauth-flow.ts"],"sourcesContent":["/**\n * OAuth Flow Helpers\n *\n * Pure utility functions for OAuth operations\n */\n\nimport { refreshAuthorization } from '@modelcontextprotocol/sdk/client/auth.js';\nimport type {\n  AuthorizationServerMetadata,\n  OAuthClientInformation,\n  OAuthTokens,\n} from '@modelcontextprotocol/sdk/shared/auth.js';\n\n/**\n * Check if tokens are expired or about to expire\n *\n * @param tokens - OAuth tokens to check\n * @param tokenExpiryTime - Tracked expiry timestamp (if available)\n * @param bufferSeconds - Number of seconds before expiry to consider expired (default: 300 = 5 minutes)\n * @returns true if tokens are expired or will expire soon\n */\nexport function areTokensExpired(\n  tokens: OAuthTokens | undefined,\n  tokenExpiryTime?: number,\n  bufferSeconds = 300\n): boolean {\n  if (!tokens) {\n    return true;\n  }\n\n  // If we have a tracked expiry time, use it (most accurate)\n  if (tokenExpiryTime) {\n    const now = Date.now();\n\n    return now >= tokenExpiryTime - bufferSeconds * 1000;\n  }\n\n  // If no expiry info, assume tokens are valid\n  if (tokens.expires_in === undefined) {\n    return false;\n  }\n\n  // Check if tokens will expire within the buffer period\n  // Note: expires_in is now derived from stored expires_at, so it's always accurate\n  return tokens.expires_in <= bufferSeconds;\n}\n\n/**\n * Refresh OAuth tokens with retry logic\n *\n * @param serverUrl - Authorization server URL\n * @param clientInfo - Client information\n * @param refreshToken - Current refresh token\n * @param addClientAuth - Client authentication function\n * @param maxRetries - Maximum retry attempts (default: 3)\n * @param retryDelay - Base delay between retries in ms (default: 1000)\n * @param fetchFn - Optional custom fetch function\n * @returns New OAuth tokens\n * @throws Error if refresh fails after all retries\n */\nexport async function refreshTokensWithRetry(\n  serverUrl: string | URL,\n  clientInfo: OAuthClientInformation,\n  refreshToken: string,\n  addClientAuth?: (\n    headers: Headers,\n    params: URLSearchParams,\n    url: string | URL,\n    metadata?: AuthorizationServerMetadata\n  ) => void | Promise<void>,\n  maxRetries = 3,\n  retryDelay = 1000,\n  fetchFn?: typeof fetch\n): Promise<OAuthTokens> {\n  let lastError: Error | undefined;\n\n  /* eslint-disable no-await-in-loop */\n  for (let attempt = 0; attempt < maxRetries; attempt++) {\n    try {\n      // Attempt token refresh using SDK function\n      const newTokens = await refreshAuthorization(serverUrl, {\n        clientInformation: clientInfo,\n        refreshToken,\n        addClientAuthentication: addClientAuth,\n        fetchFn,\n      });\n\n      return newTokens;\n    } catch (error) {\n      lastError = error as Error;\n\n      // If this isn't the last attempt, wait before retrying\n      if (attempt < maxRetries - 1) {\n        await new Promise(resolve =>\n          setTimeout(resolve, retryDelay * (attempt + 1))\n        );\n      }\n    }\n  }\n  /* eslint-enable no-await-in-loop */\n\n  throw new Error(\n    `Token refresh failed after ${maxRetries} attempts: ${lastError?.message || 'Unknown error'}`\n  );\n}\n\n/**\n * Calculate token expiry timestamp\n *\n * @param expiresIn - Token lifetime in seconds\n * @returns Expiry timestamp in milliseconds\n */\nexport function calculateTokenExpiry(expiresIn: number): number {\n  return Date.now() + expiresIn * 1000;\n}\n"],"names":["refreshAuthorization","areTokensExpired","tokens","tokenExpiryTime","bufferSeconds","now","Date","expires_in","undefined","refreshTokensWithRetry","serverUrl","clientInfo","refreshToken","addClientAuth","maxRetries","retryDelay","fetchFn","lastError","attempt","newTokens","clientInformation","addClientAuthentication","error","Promise","resolve","setTimeout","Error","message","calculateTokenExpiry","expiresIn"],"mappings":"AAAA;;;;CAIC,GAED,SAASA,oBAAoB,QAAQ,2CAA2C;AAOhF;;;;;;;CAOC,GACD,OAAO,SAASC,iBACdC,MAA+B,EAC/BC,eAAwB,EACxBC,gBAAgB,GAAG;IAEnB,IAAI,CAACF,QAAQ;QACX,OAAO;IACT;IAEA,2DAA2D;IAC3D,IAAIC,iBAAiB;QACnB,MAAME,MAAMC,KAAKD,GAAG;QAEpB,OAAOA,OAAOF,kBAAkBC,gBAAgB;IAClD;IAEA,6CAA6C;IAC7C,IAAIF,OAAOK,UAAU,KAAKC,WAAW;QACnC,OAAO;IACT;IAEA,uDAAuD;IACvD,kFAAkF;IAClF,OAAON,OAAOK,UAAU,IAAIH;AAC9B;AAEA;;;;;;;;;;;;CAYC,GACD,OAAO,eAAeK,uBACpBC,SAAuB,EACvBC,UAAkC,EAClCC,YAAoB,EACpBC,aAKyB,EACzBC,aAAa,CAAC,EACdC,aAAa,IAAI,EACjBC,OAAsB;IAEtB,IAAIC;IAEJ,mCAAmC,GACnC,IAAK,IAAIC,UAAU,GAAGA,UAAUJ,YAAYI,UAAW;QACrD,IAAI;YACF,2CAA2C;YAC3C,MAAMC,YAAY,MAAMnB,qBAAqBU,WAAW;gBACtDU,mBAAmBT;gBACnBC;gBACAS,yBAAyBR;gBACzBG;YACF;YAEA,OAAOG;QACT,EAAE,OAAOG,OAAO;YACdL,YAAYK;YAEZ,uDAAuD;YACvD,IAAIJ,UAAUJ,aAAa,GAAG;gBAC5B,MAAM,IAAIS,QAAQC,CAAAA,UAChBC,WAAWD,SAAST,aAAcG,CAAAA,UAAU,CAAA;YAEhD;QACF;IACF;IACA,kCAAkC,GAElC,MAAM,IAAIQ,MACR,CAAC,2BAA2B,EAAEZ,WAAW,WAAW,EAAEG,WAAWU,WAAW,iBAAiB;AAEjG;AAEA;;;;;CAKC,GACD,OAAO,SAASC,qBAAqBC,SAAiB;IACpD,OAAOvB,KAAKD,GAAG,KAAKwB,YAAY;AAClC"}

package/dist/client/storage.js

@@ -0,0 +1,237 @@
+import { _ as _define_property } from "@swc/helpers/_/_define_property";
+/**
+ * Calculate expires_in from expires_at timestamp
+ */ function calculateExpiresIn(expiresAt) {
+    if (!expiresAt) {
+        return undefined;
+    }
+    const now = Date.now();
+    const expiresInMs = expiresAt - now;
+    const expiresInSeconds = Math.floor(expiresInMs / 1000);
+    // Return 0 if already expired, otherwise return remaining seconds
+    return Math.max(0, expiresInSeconds);
+}
+/**
+ * Calculate expires_at from expires_in
+ */ function calculateExpiresAt(expiresIn) {
+    return Date.now() + (expiresIn || 0) * 1000;
+}
+/**
+ * In-memory storage adapter for OAuth data
+ * Suitable for development and testing, but data is lost when process exits
+ */ export class MemoryStorage {
+    async get(key) {
+        return this.data.get(key);
+    }
+    async set(key, value) {
+        this.data.set(key, value);
+    }
+    async delete(key) {
+        this.data.delete(key);
+    }
+    /**
+   * Clear all data (useful for testing)
+   */ clear() {
+        this.data.clear();
+    }
+    constructor(){
+        _define_property(this, "data", new Map());
+    }
+}
+/**
+ * File-based storage adapter for OAuth data
+ * Persists data to the filesystem for longer-term storage
+ */ export class FileStorage {
+    getFilePath(key) {
+        // Sanitize key for filename
+        const sanitized = key.replace(/[^a-zA-Z0-9-_]/g, '_');
+        return `${this.basePath}/${sanitized}.json`;
+    }
+    async ensureDirectory() {
+        try {
+            await Bun.write(`${this.basePath}/.gitkeep`, '');
+        } catch  {
+        // Directory creation will happen automatically with Bun.write
+        }
+    }
+    async get(key) {
+        try {
+            const file = Bun.file(this.getFilePath(key));
+            const exists = await file.exists();
+            if (!exists) {
+                return undefined;
+            }
+            return await file.text();
+        } catch  {
+            return undefined;
+        }
+    }
+    async set(key, value) {
+        await this.ensureDirectory();
+        await Bun.write(this.getFilePath(key), value);
+    }
+    async delete(key) {
+        try {
+            await Bun.$`rm -f ${this.getFilePath(key)}`;
+        } catch  {
+        // File might not exist, ignore error
+        }
+    }
+    /**
+   * Clear all data (useful for testing)
+   */ async clear() {
+        try {
+            await Bun.$`rm -rf ${this.basePath}`;
+        } catch  {
+        // Directory might not exist, ignore error
+        }
+    }
+    constructor(basePath = './oauth-data'){
+        _define_property(this, "basePath", void 0);
+        this.basePath = basePath;
+    }
+}
+/**
+ * Create a storage adapter based on the provided configuration
+ */ export function createStorageAdapter(type, options) {
+    switch(type){
+        case 'file':
+            return new FileStorage(options?.path);
+        case 'memory':
+        default:
+            return new MemoryStorage();
+    }
+}
+/**
+ * Helper class to manage OAuth data with the simplified storage adapter
+ * Handles initialization from config and provides a unified storage interface
+ */ export class OAuthStorage {
+    /**
+   * Initialize storage with config values if provided
+   * This ensures config tokens are written to storage on first use
+   */ async initialize() {
+        if (this.initialized) {
+            return;
+        }
+        this.initialized = true;
+        // Initialize tokens if provided and not already in storage
+        // (tokens are one-time initialization, storage takes over after that)
+        if (this.options?.initialTokens) {
+            const existing = await this.storage.get(`tokens:${this.sessionId}`);
+            if (!existing) {
+                // Convert expires_in to expires_at before storing
+                const storedTokens = {
+                    access_token: this.options.initialTokens.access_token,
+                    token_type: this.options.initialTokens.token_type,
+                    refresh_token: this.options.initialTokens.refresh_token,
+                    scope: this.options.initialTokens.scope
+                };
+                // Only set expires_at if expires_in is provided
+                if (this.options.initialTokens.expires_in !== undefined) {
+                    storedTokens.expires_at = calculateExpiresAt(this.options.initialTokens.expires_in);
+                }
+                await this.storage.set(`tokens:${this.sessionId}`, JSON.stringify(storedTokens));
+            }
+        }
+    }
+    async saveTokens(tokens) {
+        await this.initialize();
+        // Convert expires_in to expires_at for storage
+        const storedTokens = {
+            access_token: tokens.access_token,
+            token_type: tokens.token_type,
+            refresh_token: tokens.refresh_token,
+            scope: tokens.scope
+        };
+        // Only set expires_at if expires_in is provided
+        if (tokens.expires_in !== undefined) {
+            storedTokens.expires_at = calculateExpiresAt(tokens.expires_in);
+        }
+        await this.storage.set(`tokens:${this.sessionId}`, JSON.stringify(storedTokens));
+    }
+    async getTokens() {
+        await this.initialize();
+        const data = await this.storage.get(`tokens:${this.sessionId}`);
+        if (!data) {
+            return undefined;
+        }
+        const storedTokens = JSON.parse(data);
+        // Convert expires_at back to expires_in for the OAuthTokens interface
+        const tokens = {
+            access_token: storedTokens.access_token,
+            token_type: storedTokens.token_type
+        };
+        // Only include optional fields if they exist
+        if (storedTokens.refresh_token !== undefined) {
+            tokens.refresh_token = storedTokens.refresh_token;
+        }
+        if (storedTokens.scope !== undefined) {
+            tokens.scope = storedTokens.scope;
+        }
+        if (storedTokens.expires_at !== undefined) {
+            tokens.expires_in = calculateExpiresIn(storedTokens.expires_at);
+        }
+        return tokens;
+    }
+    async clearTokens() {
+        await this.initialize();
+        await this.storage.delete(`tokens:${this.sessionId}`);
+    }
+    async saveClientInfo(clientInfo) {
+        await this.initialize();
+        await this.storage.set('client_info', JSON.stringify(clientInfo));
+    }
+    async getClientInfo() {
+        await this.initialize();
+        // Static client info from config ALWAYS takes precedence
+        // (client credentials are like API keys - they don't change)
+        if (this.options?.staticClientInfo?.client_id) {
+            return this.options.staticClientInfo;
+        }
+        const data = await this.storage.get('client_info');
+        return data ? JSON.parse(data) : undefined;
+    }
+    async clearClientInfo() {
+        await this.initialize();
+        await this.storage.delete('client_info');
+    }
+    async saveCodeVerifier(verifier) {
+        await this.initialize();
+        await this.storage.set(`verifier:${this.sessionId}`, verifier);
+    }
+    async getCodeVerifier() {
+        await this.initialize();
+        return this.storage.get(`verifier:${this.sessionId}`);
+    }
+    async clearCodeVerifier() {
+        await this.initialize();
+        await this.storage.delete(`verifier:${this.sessionId}`);
+    }
+    async clearSession() {
+        await this.initialize();
+        await Promise.all([
+            this.clearTokens(),
+            this.clearCodeVerifier()
+        ]);
+    }
+    async clearAll() {
+        await this.initialize();
+        await Promise.all([
+            this.clearTokens(),
+            this.clearCodeVerifier(),
+            this.clearClientInfo()
+        ]);
+    }
+    constructor(storage, sessionId, options){
+        _define_property(this, "storage", void 0);
+        _define_property(this, "sessionId", void 0);
+        _define_property(this, "options", void 0);
+        _define_property(this, "initialized", void 0);
+        this.storage = storage;
+        this.sessionId = sessionId;
+        this.options = options;
+        this.initialized = false;
+    }
+}
+
+//# sourceMappingURL=storage.js.map