mcp-twake-mail 0.1.0 → 2.0.0

package/build/discovery/oauth-discovery.js

@@ -0,0 +1,160 @@
+/**
+ * OAuth/OIDC discovery from JMAP resource server
+ * Implements RFC 9728 Protected Resource Metadata discovery
+ */
+/**
+ * Parse WWW-Authenticate header to extract OAuth metadata.
+ * Supports Bearer scheme with realm, scope, and issuer parameters.
+ *
+ * Example header:
+ * Bearer realm="example", scope="openid email", issuer="https://auth.example.com"
+ *
+ * @param header WWW-Authenticate header value
+ * @returns Parsed metadata or null if not Bearer auth
+ */
+export function parseWwwAuthenticate(header) {
+    // Check if header starts with "Bearer " (case-insensitive)
+    if (!header.match(/^Bearer\s+/i)) {
+        return null;
+    }
+    // Extract the part after "Bearer "
+    const params = header.replace(/^Bearer\s+/i, '');
+    // Parse key="value" pairs using regex
+    const paramRegex = /(\w+)="([^"]+)"/g;
+    const result = {};
+    let match;
+    while ((match = paramRegex.exec(params)) !== null) {
+        const [, key, value] = match;
+        if (key === 'issuer' || key === 'realm' || key === 'scope') {
+            result[key] = value;
+        }
+    }
+    // Return null if no metadata found
+    if (Object.keys(result).length === 0) {
+        return null;
+    }
+    return result;
+}
+/**
+ * Try common SSO subdomain patterns for OIDC discovery.
+ * Many organizations use predictable subdomain patterns for their SSO.
+ *
+ * @param domain The base domain to check
+ * @param timeout Request timeout in ms
+ * @returns OidcDiscoveryResult or null if no valid OIDC endpoint found
+ */
+async function tryCommonSsoPatterns(domain, timeout) {
+    // Extract base domain (remove subdomain like 'jmap.' or 'mail.')
+    const parts = domain.split('.');
+    const baseDomain = parts.length > 2 ? parts.slice(-2).join('.') : domain;
+    // Common SSO subdomain patterns
+    const ssoPatterns = ['sso', 'auth', 'login', 'id', 'accounts'];
+    for (const pattern of ssoPatterns) {
+        const issuerUrl = `https://${pattern}.${baseDomain}`;
+        const discoveryUrl = `${issuerUrl}/.well-known/openid-configuration`;
+        try {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            const response = await fetch(discoveryUrl, {
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            if (response.ok) {
+                const config = await response.json();
+                // Verify it's a valid OIDC config with issuer field
+                if (config.issuer) {
+                    return {
+                        issuer: config.issuer,
+                        method: 'well-known-oidc',
+                    };
+                }
+            }
+        }
+        catch {
+            // This pattern didn't work, try next
+        }
+    }
+    return null;
+}
+/**
+ * Discover OAuth authorization server from JMAP resource URL.
+ * Implements RFC 9728 Protected Resource Metadata discovery with fallbacks.
+ *
+ * Discovery order:
+ * 1. Try /.well-known/oauth-protected-resource at resource origin
+ * 2. If that fails, try fetching JMAP URL to trigger 401 with WWW-Authenticate
+ * 3. If that fails, try common SSO subdomain patterns (sso., auth., login.)
+ *
+ * @param jmapUrl The JMAP session or API URL
+ * @param timeout Request timeout in ms (default 10000)
+ * @returns OidcDiscoveryResult or null if no OAuth info found
+ */
+export async function discoverOAuthFromResource(jmapUrl, timeout = 10000) {
+    try {
+        // Parse jmapUrl to get origin
+        const url = new URL(jmapUrl);
+        const origin = `${url.protocol}//${url.host}`;
+        // Try RFC 9728 Protected Resource Metadata first
+        const metadataUrl = `${origin}/.well-known/oauth-protected-resource`;
+        try {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            const metadataResponse = await fetch(metadataUrl, {
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            if (metadataResponse.ok) {
+                const metadata = await metadataResponse.json();
+                // Extract issuer from authorization_servers array
+                if (metadata.authorization_servers &&
+                    Array.isArray(metadata.authorization_servers) &&
+                    metadata.authorization_servers.length > 0) {
+                    return {
+                        issuer: metadata.authorization_servers[0],
+                        method: 'protected-resource',
+                    };
+                }
+            }
+        }
+        catch {
+            // Protected resource metadata failed, try WWW-Authenticate fallback
+        }
+        // Fallback 1: Try fetching JMAP URL directly to get 401 with WWW-Authenticate
+        try {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            const jmapResponse = await fetch(jmapUrl, {
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            // Check for 401 response with WWW-Authenticate header
+            if (jmapResponse.status === 401) {
+                const wwwAuth = jmapResponse.headers.get('WWW-Authenticate');
+                if (wwwAuth) {
+                    const parsed = parseWwwAuthenticate(wwwAuth);
+                    if (parsed?.issuer) {
+                        return {
+                            issuer: parsed.issuer,
+                            method: 'www-authenticate',
+                        };
+                    }
+                }
+            }
+        }
+        catch {
+            // WWW-Authenticate fallback also failed
+        }
+        // Fallback 2: Try common SSO subdomain patterns
+        const ssoResult = await tryCommonSsoPatterns(url.hostname, timeout);
+        if (ssoResult) {
+            return ssoResult;
+        }
+        // No OAuth info found
+        return null;
+    }
+    catch {
+        // URL parsing or other error
+        return null;
+    }
+}
+//# sourceMappingURL=oauth-discovery.js.map

package/build/discovery/oauth-discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-discovery.js","sourceRoot":"","sources":["../../src/discovery/oauth-discovery.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAc;IAEd,2DAA2D;IAC3D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mCAAmC;IACnC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IAEjD,sCAAsC;IACtC,MAAM,UAAU,GAAG,kBAAkB,CAAC;IACtC,MAAM,MAAM,GAAwD,EAAE,CAAC;IAEvE,IAAI,KAAK,CAAC;IACV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;QAC7B,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3D,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAe;IAEf,iEAAiE;IACjE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAEzE,gCAAgC;IAChC,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;IAE/D,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,WAAW,OAAO,IAAI,UAAU,EAAE,CAAC;QACrD,MAAM,YAAY,GAAG,GAAG,SAAS,mCAAmC,CAAC;QAErE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;gBACzC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACrC,oDAAoD;gBACpD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAClB,OAAO;wBACL,MAAM,EAAE,MAAM,CAAC,MAAM;wBACrB,MAAM,EAAE,iBAAiB;qBAC1B,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,OAAe,EACf,OAAO,GAAG,KAAK;IAEf,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QAE9C,iDAAiD;QACjD,MAAM,WAAW,GAAG,GAAG,MAAM,uCAAuC,CAAC;QAErE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;gBAChD,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,gBAAgB,CAAC,EAAE,EAAE,CAAC;gBACxB,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,CAAC;gBAE/C,kDAAkD;gBAClD,IACE,QAAQ,CAAC,qBAAqB;oBAC9B,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC;oBAC7C,QAAQ,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,EACzC,CAAC;oBACD,OAAO;wBACL,MAAM,EAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAC,CAAC;wBACzC,MAAM,EAAE,oBAAoB;qBAC7B,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;QACtE,CAAC;QAED,8EAA8E;QAC9E,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACxC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,sDAAsD;YACtD,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAChC,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;gBAC7D,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;oBAC7C,IAAI,MAAM,EAAE,MAAM,EAAE,CAAC;wBACnB,OAAO;4BACL,MAAM,EAAE,MAAM,CAAC,MAAM;4BACrB,MAAM,EAAE,kBAAkB;yBAC3B,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QAED,gDAAgD;QAChD,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,sBAAsB;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,6BAA6B;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/build/discovery/oauth-discovery.test.d.ts

@@ -0,0 +1 @@
+export {};

package/build/discovery/oauth-discovery.test.js

@@ -0,0 +1,198 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { parseWwwAuthenticate, discoverOAuthFromResource, } from './oauth-discovery.js';
+describe('parseWwwAuthenticate', () => {
+    it('should parse valid Bearer header with issuer', () => {
+        const header = 'Bearer issuer="https://auth.example.com"';
+        const result = parseWwwAuthenticate(header);
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+        });
+    });
+    it('should parse Bearer header with multiple parameters', () => {
+        const header = 'Bearer realm="example", scope="openid email", issuer="https://auth.example.com"';
+        const result = parseWwwAuthenticate(header);
+        expect(result).toEqual({
+            realm: 'example',
+            scope: 'openid email',
+            issuer: 'https://auth.example.com',
+        });
+    });
+    it('should be case-insensitive for Bearer scheme', () => {
+        const header = 'bearer issuer="https://auth.example.com"';
+        const result = parseWwwAuthenticate(header);
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+        });
+    });
+    it('should return null for non-Bearer header', () => {
+        const header = 'Basic realm="example"';
+        const result = parseWwwAuthenticate(header);
+        expect(result).toBeNull();
+    });
+    it('should return null for malformed header without parameters', () => {
+        const header = 'Bearer';
+        const result = parseWwwAuthenticate(header);
+        expect(result).toBeNull();
+    });
+    it('should ignore unknown parameters', () => {
+        const header = 'Bearer issuer="https://auth.example.com", unknown="value"';
+        const result = parseWwwAuthenticate(header);
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+        });
+    });
+});
+describe('discoverOAuthFromResource', () => {
+    const mockFetch = vi.fn();
+    beforeEach(() => {
+        global.fetch = mockFetch;
+        vi.clearAllMocks();
+    });
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    it('should discover issuer from protected-resource metadata', async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: true,
+            json: async () => ({
+                authorization_servers: ['https://auth.example.com'],
+            }),
+        });
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+            method: 'protected-resource',
+        });
+        expect(mockFetch).toHaveBeenCalledWith('https://jmap.example.com/.well-known/oauth-protected-resource', expect.objectContaining({ signal: expect.any(AbortSignal) }));
+    });
+    it('should fallback to WWW-Authenticate on 401 response', async () => {
+        // First call: protected-resource fails
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 404,
+        });
+        // Second call: JMAP URL returns 401 with WWW-Authenticate
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 401,
+            headers: {
+                get: (name) => {
+                    if (name === 'WWW-Authenticate') {
+                        return 'Bearer issuer="https://auth.example.com"';
+                    }
+                    return null;
+                },
+            },
+        });
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+            method: 'www-authenticate',
+        });
+        expect(mockFetch).toHaveBeenCalledTimes(2);
+    });
+    it('should return null when no OAuth info available', async () => {
+        // First call: protected-resource fails
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 404,
+        });
+        // Second call: JMAP URL returns 200 (no auth required)
+        mockFetch.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+        });
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toBeNull();
+    });
+    it('should return null when WWW-Authenticate has no issuer', async () => {
+        // First call: protected-resource fails
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 404,
+        });
+        // Second call: JMAP URL returns 401 with WWW-Authenticate but no issuer
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 401,
+            headers: {
+                get: (name) => {
+                    if (name === 'WWW-Authenticate') {
+                        return 'Bearer realm="example"';
+                    }
+                    return null;
+                },
+            },
+        });
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toBeNull();
+    });
+    it('should handle network errors gracefully', async () => {
+        mockFetch.mockRejectedValue(new Error('Network error'));
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toBeNull();
+    });
+    it('should handle invalid URL gracefully', async () => {
+        const result = await discoverOAuthFromResource('not-a-url');
+        expect(result).toBeNull();
+        expect(mockFetch).not.toHaveBeenCalled();
+    });
+    it('should respect custom timeout', async () => {
+        const abortError = new Error('Aborted');
+        abortError.name = 'AbortError';
+        mockFetch.mockRejectedValue(abortError);
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api', 100);
+        expect(result).toBeNull();
+    });
+    it('should handle protected-resource with empty authorization_servers', async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: true,
+            json: async () => ({
+                authorization_servers: [],
+            }),
+        });
+        // Second call: fallback to WWW-Authenticate
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 401,
+            headers: {
+                get: (name) => {
+                    if (name === 'WWW-Authenticate') {
+                        return 'Bearer issuer="https://auth.example.com"';
+                    }
+                    return null;
+                },
+            },
+        });
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+            method: 'www-authenticate',
+        });
+    });
+    it('should handle protected-resource with missing authorization_servers', async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: true,
+            json: async () => ({}),
+        });
+        // Second call: fallback to WWW-Authenticate
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 401,
+            headers: {
+                get: (name) => {
+                    if (name === 'WWW-Authenticate') {
+                        return 'Bearer issuer="https://auth.example.com"';
+                    }
+                    return null;
+                },
+            },
+        });
+        const result = await discoverOAuthFromResource('https://jmap.example.com/api');
+        expect(result).toEqual({
+            issuer: 'https://auth.example.com',
+            method: 'www-authenticate',
+        });
+    });
+});
+//# sourceMappingURL=oauth-discovery.test.js.map

package/build/discovery/oauth-discovery.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-discovery.test.js","sourceRoot":"","sources":["../../src/discovery/oauth-discovery.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EACL,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,sBAAsB,CAAC;AAE9B,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,MAAM,GAAG,0CAA0C,CAAC;QAC1D,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;SACnC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,MAAM,GACV,iFAAiF,CAAC;QACpF,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,KAAK,EAAE,SAAS;YAChB,KAAK,EAAE,cAAc;YACrB,MAAM,EAAE,0BAA0B;SACnC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,MAAM,GAAG,0CAA0C,CAAC;QAC1D,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;SACnC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,MAAM,GAAG,uBAAuB,CAAC;QACvC,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,MAAM,GAAG,QAAQ,CAAC;QACxB,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,MAAM,GACV,2DAA2D,CAAC;QAC9D,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;SACnC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;IAE1B,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,CAAC,KAAK,GAAG,SAAS,CAAC;QACzB,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;gBACjB,qBAAqB,EAAE,CAAC,0BAA0B,CAAC;aACpD,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;YAClC,MAAM,EAAE,oBAAoB;SAC7B,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC,CAAC,oBAAoB,CACpC,+DAA+D,EAC/D,MAAM,CAAC,gBAAgB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC,CAC7D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,uCAAuC;QACvC,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;QAEH,0DAA0D;QAC1D,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE;oBACpB,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBAChC,OAAO,0CAA0C,CAAC;oBACpD,CAAC;oBACD,OAAO,IAAI,CAAC;gBACd,CAAC;aACF;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;YAClC,MAAM,EAAE,kBAAkB;SAC3B,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,uCAAuC;QACvC,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;QAEH,uDAAuD;QACvD,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,uCAAuC;QACvC,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;QAEH,wEAAwE;QACxE,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE;oBACpB,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBAChC,OAAO,wBAAwB,CAAC;oBAClC,CAAC;oBACD,OAAO,IAAI,CAAC;gBACd,CAAC;aACF;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;QAExD,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,WAAW,CAAC,CAAC;QAE5D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,UAAU,GAAG,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;QACxC,UAAU,CAAC,IAAI,GAAG,YAAY,CAAC;QAC/B,SAAS,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAExC,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,EAC9B,GAAG,CACJ,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;gBACjB,qBAAqB,EAAE,EAAE;aAC1B,CAAC;SACH,CAAC,CAAC;QAEH,4CAA4C;QAC5C,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE;oBACpB,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBAChC,OAAO,0CAA0C,CAAC;oBACpD,CAAC;oBACD,OAAO,IAAI,CAAC;gBACd,CAAC;aACF;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;YAClC,MAAM,EAAE,kBAAkB;SAC3B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;SACvB,CAAC,CAAC;QAEH,4CAA4C;QAC5C,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE;oBACpB,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBAChC,OAAO,0CAA0C,CAAC;oBACpD,CAAC;oBACD,OAAO,IAAI,CAAC;gBACd,CAAC;aACF;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,8BAA8B,CAC/B,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,MAAM,EAAE,0BAA0B;YAClC,MAAM,EAAE,kBAAkB;SAC3B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/build/discovery/orchestrator.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Discovery orchestrator - chains DNS SRV, well-known, and OAuth discovery
+ * Provides high-level API to discover JMAP and OIDC settings from email address
+ */
+import { JmapDiscoveryResult, OidcDiscoveryResult } from './types.js';
+export interface FullDiscoveryResult {
+    jmap: JmapDiscoveryResult;
+    oidc?: OidcDiscoveryResult;
+    email: string;
+    domain: string;
+}
+/**
+ * Extract domain from email address.
+ * @throws Error if email format invalid
+ */
+export declare function extractDomain(email: string): string;
+/**
+ * Discover JMAP and OIDC settings from an email address.
+ *
+ * Discovery stages:
+ * 1. Extract domain from email
+ * 2. Try DNS SRV lookup for _jmap._tcp.{domain}
+ * 3. If SRV found, construct URL and verify it works
+ * 4. If SRV fails, try .well-known/jmap on domain
+ * 5. If JMAP found, attempt OAuth discovery on that URL
+ *
+ * @param email User's email address (e.g., "user@example.com")
+ * @returns Full discovery result with JMAP and optional OIDC settings
+ * @throws DiscoveryError if JMAP server cannot be discovered
+ */
+export declare function discoverFromEmail(email: string): Promise<FullDiscoveryResult>;

package/build/discovery/orchestrator.js

@@ -0,0 +1,87 @@
+/**
+ * Discovery orchestrator - chains DNS SRV, well-known, and OAuth discovery
+ * Provides high-level API to discover JMAP and OIDC settings from email address
+ */
+import { resolveSrvRecord } from './dns-srv.js';
+import { fetchWellKnownJmap, verifyJmapUrl } from './well-known.js';
+import { discoverOAuthFromResource } from './oauth-discovery.js';
+import { DiscoveryError, } from './types.js';
+/**
+ * Extract domain from email address.
+ * @throws Error if email format invalid
+ */
+export function extractDomain(email) {
+    // Split on '@' and take second part
+    const parts = email.split('@');
+    if (parts.length !== 2) {
+        throw new Error('Invalid email format');
+    }
+    const domain = parts[1];
+    // Validate domain has at least one '.'
+    if (!domain.includes('.')) {
+        throw new Error('Invalid email format');
+    }
+    return domain;
+}
+/**
+ * Discover JMAP and OIDC settings from an email address.
+ *
+ * Discovery stages:
+ * 1. Extract domain from email
+ * 2. Try DNS SRV lookup for _jmap._tcp.{domain}
+ * 3. If SRV found, construct URL and verify it works
+ * 4. If SRV fails, try .well-known/jmap on domain
+ * 5. If JMAP found, attempt OAuth discovery on that URL
+ *
+ * @param email User's email address (e.g., "user@example.com")
+ * @returns Full discovery result with JMAP and optional OIDC settings
+ * @throws DiscoveryError if JMAP server cannot be discovered
+ */
+export async function discoverFromEmail(email) {
+    // Extract domain from email
+    const domain = extractDomain(email);
+    // Stage 1 - DNS SRV discovery
+    const srv = await resolveSrvRecord(domain);
+    if (srv) {
+        // Construct URL from SRV record
+        const url = srv.port === 443
+            ? `https://${srv.hostname}/.well-known/jmap`
+            : `https://${srv.hostname}:${srv.port}/.well-known/jmap`;
+        // Verify the URL works
+        const verified = await verifyJmapUrl(url);
+        if (verified) {
+            const jmap = {
+                sessionUrl: verified,
+                method: 'dns-srv',
+            };
+            // Stage 4 - OAuth discovery
+            const oidc = await discoverOAuthFromResource(verified);
+            return {
+                jmap,
+                oidc: oidc ?? undefined,
+                email,
+                domain,
+            };
+        }
+    }
+    // Stage 2 - Well-known fallback
+    const wellKnown = await fetchWellKnownJmap(domain);
+    if (wellKnown) {
+        const jmap = {
+            sessionUrl: wellKnown,
+            method: 'well-known-direct',
+        };
+        // Stage 4 - OAuth discovery
+        const oidc = await discoverOAuthFromResource(wellKnown);
+        return {
+            jmap,
+            oidc: oidc ?? undefined,
+            email,
+            domain,
+        };
+    }
+    // Stage 3 - Failure
+    throw new DiscoveryError(`Could not discover JMAP server for domain "${domain}". ` +
+        'The domain does not have a JMAP SRV record or .well-known/jmap endpoint.', domain, 'well-known');
+}
+//# sourceMappingURL=orchestrator.js.map

package/build/discovery/orchestrator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrator.js","sourceRoot":"","sources":["../../src/discovery/orchestrator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EAGL,cAAc,GACf,MAAM,YAAY,CAAC;AASpB;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,oCAAoC;IACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAExB,uCAAuC;IACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa;IAEb,4BAA4B;IAC5B,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAEpC,8BAA8B;IAC9B,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,GAAG,EAAE,CAAC;QACR,gCAAgC;QAChC,MAAM,GAAG,GACP,GAAG,CAAC,IAAI,KAAK,GAAG;YACd,CAAC,CAAC,WAAW,GAAG,CAAC,QAAQ,mBAAmB;YAC5C,CAAC,CAAC,WAAW,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,IAAI,mBAAmB,CAAC;QAE7D,uBAAuB;QACvB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,GAAwB;gBAChC,UAAU,EAAE,QAAQ;gBACpB,MAAM,EAAE,SAAS;aAClB,CAAC;YAEF,4BAA4B;YAC5B,MAAM,IAAI,GAAG,MAAM,yBAAyB,CAAC,QAAQ,CAAC,CAAC;YAEvD,OAAO;gBACL,IAAI;gBACJ,IAAI,EAAE,IAAI,IAAI,SAAS;gBACvB,KAAK;gBACL,MAAM;aACP,CAAC;QACJ,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,IAAI,GAAwB;YAChC,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,mBAAmB;SAC5B,CAAC;QAEF,4BAA4B;QAC5B,MAAM,IAAI,GAAG,MAAM,yBAAyB,CAAC,SAAS,CAAC,CAAC;QAExD,OAAO;YACL,IAAI;YACJ,IAAI,EAAE,IAAI,IAAI,SAAS;YACvB,KAAK;YACL,MAAM;SACP,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,IAAI,cAAc,CACtB,8CAA8C,MAAM,KAAK;QACvD,0EAA0E,EAC5E,MAAM,EACN,YAAY,CACb,CAAC;AACJ,CAAC"}

package/build/discovery/orchestrator.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for discovery orchestrator
+ */
+export {};