memory-journal-mcp 6.1.2 → 6.2.1

package/src/auth/auth-context.ts

@@ -1,78 +0,0 @@
-/**
- * memory-journal-mcp — Auth Context (AsyncLocalStorage)
- *
- * Provides per-request authentication context threading using Node.js
- * AsyncLocalStorage. Allows the HTTP transport to store the validated
- * auth context so that tool handlers can enforce per-tool scopes
- * without direct parameter coupling through the MCP SDK layer.
- */
-
-import { AsyncLocalStorage } from 'node:async_hooks'
-import type { AuthenticatedContext } from './middleware.js'
-
-/**
- * Singleton AsyncLocalStorage instance for auth context.
- * Each HTTP request runs within its own async context.
- */
-const authContextStorage = new AsyncLocalStorage<AuthenticatedContext>()
-
-/**
- * Run a function within an authenticated context.
- * Called by the HTTP transport after token validation.
- *
- * @param context - The validated auth context from middleware
- * @param fn - The async function to run (MCP SDK request handling)
- * @returns The result of the wrapped function
- */
-export function runWithAuthContext<T>(context: AuthenticatedContext, fn: () => T): T {
-    return authContextStorage.run(context, fn)
-}
-
-/**
- * Get the current request's auth context.
- * Returns undefined when:
- * - OAuth is not configured (stdio transport, no auth)
- * - Called outside of an HTTP request context
- *
- * Tool handlers use this to enforce per-tool scope checks.
- */
-export function getAuthContext(): AuthenticatedContext | undefined {
-    return authContextStorage.getStore()
-}
-
-/**
- * Set auth context imperatively using enterWith().
- * Replaces the current store for the remainder of the async context.
- * Prefer runWithAuthContext() for request-scoped usage.
- */
-export function setAuthContext(context: AuthenticatedContext): void {
-    authContextStorage.enterWith(context)
-}
-
-/**
- * Run a callback within a specific auth context.
- * Alias for runWithAuthContext with synchronous return type.
- */
-export function withAuthContext<T>(context: AuthenticatedContext, fn: () => T): T {
-    return authContextStorage.run(context, fn)
-}
-
-/**
- * Check if the current request has an authenticated context.
- */
-export function isAuthenticated(): boolean {
-    const ctx = authContextStorage.getStore()
-    return ctx?.authenticated === true
-}
-
-/**
- * Get the scopes from the current authenticated context.
- * Returns empty array if not authenticated.
- */
-export function getAuthenticatedScopes(): string[] {
-    const ctx = authContextStorage.getStore()
-    if (ctx?.authenticated && ctx.claims?.scopes) {
-        return ctx.claims.scopes
-    }
-    return []
-}

package/src/auth/authorization-server-discovery.ts

@@ -1,263 +0,0 @@
-/**
- * memory-journal-mcp — Authorization Server Discovery (RFC 8414)
- *
- * Discovers and caches OAuth 2.0 Authorization Server Metadata
- * as specified in RFC 8414.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc8414
- */
-
-import type { AuthorizationServerMetadata, AuthServerDiscoveryConfig } from './types.js'
-import { AuthServerDiscoveryError } from './errors.js'
-import { ConfigurationError } from '../types/errors.js'
-import { logger } from '../utils/logger.js'
-
-// =============================================================================
-// Authorization Server Discovery
-// =============================================================================
-
-/**
- * Authorization Server Metadata Discovery
- *
- * Fetches and caches OAuth 2.0 authorization server metadata
- * from the /.well-known/oauth-authorization-server endpoint.
- */
-export class AuthorizationServerDiscovery {
-    private readonly authServerUrl: string
-    private readonly cacheTtl: number
-    private readonly timeout: number
-
-    private cachedMetadata: AuthorizationServerMetadata | null = null
-    private cacheExpiry = 0
-
-    constructor(config: AuthServerDiscoveryConfig) {
-        // Normalize URL (remove trailing slash)
-        this.authServerUrl = config.authServerUrl.replace(/\/+$/, '')
-        this.cacheTtl = config.cacheTtl ?? 3600
-        this.timeout = config.timeout ?? 5000
-
-        logger.info(`Authorization Server Discovery initialized for: ${this.authServerUrl}`, {
-            module: 'AUTH',
-            operation: 'init',
-        })
-    }
-
-    /**
-     * Discover authorization server metadata
-     *
-     * Fetches from /.well-known/oauth-authorization-server
-     * Results are cached for cacheTtl seconds.
-     *
-     * @returns Authorization server metadata
-     * @throws AuthServerDiscoveryError if discovery fails
-     */
-    async discover(): Promise<AuthorizationServerMetadata> {
-        // Check cache
-        if (this.cachedMetadata && Date.now() < this.cacheExpiry) {
-            logger.info('Using cached authorization server metadata', {
-                module: 'AUTH',
-                operation: 'cache-hit',
-            })
-            return this.cachedMetadata
-        }
-
-        const metadataUrl = `${this.authServerUrl}/.well-known/oauth-authorization-server`
-
-        logger.info(`Fetching authorization server metadata from: ${metadataUrl}`, {
-            module: 'AUTH',
-            operation: 'discovery',
-        })
-
-        try {
-            const controller = new AbortController()
-            const timeoutId = setTimeout(() => controller.abort(), this.timeout)
-
-            const response = await fetch(metadataUrl, {
-                method: 'GET',
-                headers: {
-                    Accept: 'application/json',
-                },
-                signal: controller.signal,
-            })
-
-            clearTimeout(timeoutId)
-
-            if (!response.ok) {
-                throw new ConfigurationError(
-                    `HTTP ${String(response.status)}: ${response.statusText}`
-                )
-            }
-
-            const metadata = (await response.json()) as AuthorizationServerMetadata
-
-            // Validate required fields per RFC 8414
-            this.validateMetadata(metadata)
-
-            // Cache the metadata
-            this.cachedMetadata = metadata
-            this.cacheExpiry = Date.now() + this.cacheTtl * 1000
-
-            logger.info(`Authorization server metadata cached for ${String(this.cacheTtl)}s`, {
-                module: 'AUTH',
-                operation: 'discovery-success',
-            })
-
-            return metadata
-        } catch (error) {
-            if (error instanceof AuthServerDiscoveryError) {
-                throw error
-            }
-
-            const cause = error instanceof Error ? error : new Error(String(error))
-
-            logger.error(`Failed to discover authorization server: ${this.authServerUrl}`, {
-                module: 'AUTH',
-                operation: 'discovery',
-                error: cause.message,
-            })
-
-            throw new AuthServerDiscoveryError(this.authServerUrl, cause)
-        }
-    }
-
-    /**
-     * Validate required metadata fields per RFC 8414
-     */
-    private validateMetadata(metadata: AuthorizationServerMetadata): void {
-        if (!metadata.issuer) {
-            throw new ConfigurationError('Missing required field: issuer')
-        }
-
-        if (!metadata.token_endpoint) {
-            throw new ConfigurationError('Missing required field: token_endpoint')
-        }
-
-        // Validate issuer matches the expected URL
-        // Per RFC 8414, issuer MUST be identical to the authorization server URL
-        const expectedIssuer = this.authServerUrl
-        if (metadata.issuer !== expectedIssuer) {
-            logger.warning(`Issuer mismatch: expected ${expectedIssuer}, got ${metadata.issuer}`, {
-                module: 'AUTH',
-                operation: 'discovery-validation',
-            })
-            // Note: This is a warning, not an error, as some auth servers may use different URLs
-        }
-    }
-
-    /**
-     * Get cached metadata (throws if not discovered)
-     */
-    getMetadata(): AuthorizationServerMetadata {
-        if (!this.cachedMetadata) {
-            throw new ConfigurationError(
-                'Authorization server metadata not yet discovered. Call discover() first.'
-            )
-        }
-        return this.cachedMetadata
-    }
-
-    /**
-     * Get JWKS URI from metadata
-     *
-     * @throws Error if metadata not discovered or jwks_uri not present
-     */
-    getJwksUri(): string {
-        const metadata = this.getMetadata()
-
-        if (!metadata.jwks_uri) {
-            throw new ConfigurationError('Authorization server does not provide jwks_uri')
-        }
-
-        return metadata.jwks_uri
-    }
-
-    /**
-     * Get token endpoint from metadata
-     */
-    getTokenEndpoint(): string {
-        return this.getMetadata().token_endpoint
-    }
-
-    /**
-     * Get issuer from metadata
-     */
-    getIssuer(): string {
-        return this.getMetadata().issuer
-    }
-
-    /**
-     * Get registration endpoint from metadata (RFC 7591)
-     *
-     * @returns Registration endpoint or null if not supported
-     */
-    getRegistrationEndpoint(): string | null {
-        return this.getMetadata().registration_endpoint ?? null
-    }
-
-    /**
-     * Check if dynamic client registration is supported
-     */
-    supportsClientRegistration(): boolean {
-        return this.getRegistrationEndpoint() !== null
-    }
-
-    /**
-     * Get supported scopes from metadata
-     */
-    getSupportedScopes(): string[] {
-        return this.getMetadata().scopes_supported ?? []
-    }
-
-    /**
-     * Check if a specific scope is supported
-     */
-    isScopeSupported(scope: string): boolean {
-        const supportedScopes = this.getSupportedScopes()
-        // If no scopes are listed, assume all scopes are supported
-        return supportedScopes.length === 0 || supportedScopes.includes(scope)
-    }
-
-    /**
-     * Clear cached metadata
-     */
-    clearCache(): void {
-        this.cachedMetadata = null
-        this.cacheExpiry = 0
-        logger.info('Authorization server metadata cache cleared', {
-            module: 'AUTH',
-            operation: 'cache-clear',
-        })
-    }
-
-    /**
-     * Check if cache is valid
-     */
-    isCacheValid(): boolean {
-        return this.cachedMetadata !== null && Date.now() < this.cacheExpiry
-    }
-
-    /**
-     * Get the authorization server URL
-     */
-    getAuthServerUrl(): string {
-        return this.authServerUrl
-    }
-}
-
-// =============================================================================
-// Factory Function
-// =============================================================================
-
-/**
- * Create an Authorization Server Discovery instance
- */
-export function createAuthServerDiscovery(
-    authServerUrl: string,
-    options?: Partial<Omit<AuthServerDiscoveryConfig, 'authServerUrl'>>
-): AuthorizationServerDiscovery {
-    return new AuthorizationServerDiscovery({
-        authServerUrl,
-        cacheTtl: options?.cacheTtl,
-        timeout: options?.timeout,
-    })
-}

package/src/auth/errors.ts

@@ -1,215 +0,0 @@
-/**
- * memory-journal-mcp — OAuth Error Classes
- *
- * Module-prefixed error classes for OAuth 2.0 authentication
- * and authorization failures. Extends MemoryJournalMcpError
- * for harmonized error handling across the MCP ecosystem.
- */
-
-import { MemoryJournalMcpError } from '../types/errors.js'
-import { ErrorCategory } from '../types/error-types.js'
-
-// =============================================================================
-// Error Codes
-// =============================================================================
-
-/**
- * OAuth error code constants
- */
-export const AUTH_ERROR_CODES = {
-    TOKEN_MISSING: 'AUTH_TOKEN_MISSING',
-    TOKEN_INVALID: 'AUTH_TOKEN_INVALID',
-    TOKEN_EXPIRED: 'AUTH_TOKEN_EXPIRED',
-    SIGNATURE_INVALID: 'AUTH_SIGNATURE_INVALID',
-    SCOPE_DENIED: 'AUTH_SCOPE_DENIED',
-    DISCOVERY_FAILED: 'AUTH_DISCOVERY_FAILED',
-    JWKS_FETCH_FAILED: 'AUTH_JWKS_FETCH_FAILED',
-    REGISTRATION_FAILED: 'AUTH_REGISTRATION_FAILED',
-} as const
-
-// =============================================================================
-// Base OAuth Error
-// =============================================================================
-
-/**
- * Base class for OAuth-related errors.
- * Extends MemoryJournalMcpError with OAuth-specific properties.
- */
-export class OAuthError extends MemoryJournalMcpError {
-    /** HTTP status code for this error */
-    readonly httpStatus: number
-
-    /** WWW-Authenticate header value */
-    readonly wwwAuthenticate?: string | undefined
-
-    constructor(
-        message: string,
-        code: string,
-        httpStatus: number,
-        details?: Record<string, unknown>,
-        wwwAuthenticate?: string
-    ) {
-        const category =
-            httpStatus === 403 ? ErrorCategory.AUTHORIZATION : ErrorCategory.AUTHENTICATION
-        super(message, code, category, {
-            suggestion:
-                httpStatus === 403
-                    ? 'Request a token with the required scopes'
-                    : 'Provide a valid OAuth 2.0 bearer token',
-            recoverable: httpStatus !== 500,
-            details,
-        })
-        this.name = 'OAuthError'
-        this.httpStatus = httpStatus
-        this.wwwAuthenticate = wwwAuthenticate
-    }
-}
-
-// =============================================================================
-// Authentication Errors (401)
-// =============================================================================
-
-/**
- * Token is missing from the request
- */
-export class TokenMissingError extends OAuthError {
-    constructor(realm = 'memory-journal-mcp') {
-        super(
-            'No access token provided',
-            AUTH_ERROR_CODES.TOKEN_MISSING,
-            401,
-            undefined,
-            `Bearer realm="${realm}"`
-        )
-        this.name = 'TokenMissingError'
-    }
-}
-
-/**
- * Token is invalid (malformed, wrong format, etc.)
- */
-export class InvalidTokenError extends OAuthError {
-    constructor(message = 'Invalid access token', details?: Record<string, unknown>) {
-        super(message, AUTH_ERROR_CODES.TOKEN_INVALID, 401, details, 'Bearer error="invalid_token"')
-        this.name = 'InvalidTokenError'
-    }
-}
-
-/**
- * Token has expired
- */
-export class TokenExpiredError extends OAuthError {
-    constructor(expiredAt?: Date) {
-        super(
-            'Access token has expired',
-            AUTH_ERROR_CODES.TOKEN_EXPIRED,
-            401,
-            expiredAt ? { expiredAt: expiredAt.toISOString() } : undefined,
-            'Bearer error="invalid_token", error_description="Token has expired"'
-        )
-        this.name = 'TokenExpiredError'
-    }
-}
-
-/**
- * Token signature is invalid
- */
-export class InvalidSignatureError extends OAuthError {
-    constructor(message = 'Token signature verification failed') {
-        super(
-            message,
-            AUTH_ERROR_CODES.SIGNATURE_INVALID,
-            401,
-            undefined,
-            'Bearer error="invalid_token", error_description="Signature verification failed"'
-        )
-        this.name = 'InvalidSignatureError'
-    }
-}
-
-// =============================================================================
-// Authorization Errors (403)
-// =============================================================================
-
-/**
- * Token does not have required scope
- */
-export class InsufficientScopeError extends OAuthError {
-    constructor(requiredScope: string | string[], providedScopes?: string[]) {
-        const required = Array.isArray(requiredScope) ? requiredScope : [requiredScope]
-        const scopeValue = required.join(' ')
-
-        super(
-            `Insufficient scope. Required: ${scopeValue}`,
-            AUTH_ERROR_CODES.SCOPE_DENIED,
-            403,
-            { requiredScope: required, providedScopes },
-            `Bearer error="insufficient_scope", scope="${scopeValue}"`
-        )
-        this.name = 'InsufficientScopeError'
-    }
-}
-
-// =============================================================================
-// Server Errors (500)
-// =============================================================================
-
-/**
- * Failed to discover authorization server metadata
- */
-export class AuthServerDiscoveryError extends OAuthError {
-    constructor(serverUrl: string, cause?: Error) {
-        super(
-            'Failed to discover authorization server metadata: ' + serverUrl,
-            AUTH_ERROR_CODES.DISCOVERY_FAILED,
-            500,
-            {
-                serverUrl,
-                cause: cause?.message,
-            }
-        )
-        this.name = 'AuthServerDiscoveryError'
-    }
-}
-
-/**
- * Failed to fetch JWKS
- */
-export class JwksFetchError extends OAuthError {
-    constructor(jwksUri: string, cause?: Error) {
-        super('Failed to fetch JWKS: ' + jwksUri, AUTH_ERROR_CODES.JWKS_FETCH_FAILED, 500, {
-            jwksUri,
-            cause: cause?.message,
-        })
-        this.name = 'JwksFetchError'
-    }
-}
-
-/**
- * Failed to register client
- */
-export class ClientRegistrationError extends OAuthError {
-    constructor(message: string, details?: Record<string, unknown>) {
-        super(message, AUTH_ERROR_CODES.REGISTRATION_FAILED, 500, details)
-        this.name = 'ClientRegistrationError'
-    }
-}
-
-// =============================================================================
-// Utility Functions
-// =============================================================================
-
-/**
- * Check if an error is an OAuth error
- */
-export function isOAuthError(error: unknown): error is OAuthError {
-    return error instanceof OAuthError
-}
-
-/**
- * Get WWW-Authenticate header for an OAuth error.
- * @deprecated Use error.wwwAuthenticate property directly instead
- */
-export function getWWWAuthenticateHeader(error: OAuthError, realm = 'memory-journal-mcp'): string {
-    return error.wwwAuthenticate ?? `Bearer realm="${realm}"`
-}

package/src/auth/index.ts

@@ -1,58 +0,0 @@
-/**
- * memory-journal-mcp — Auth Module Public Exports
- *
- * OAuth 2.0 authentication and authorization components.
- */
-
-// Types
-export type * from './types.js'
-// Error classes
-export {
-    AUTH_ERROR_CODES,
-    OAuthError,
-    TokenMissingError,
-    InvalidTokenError,
-    TokenExpiredError,
-    InvalidSignatureError,
-    InsufficientScopeError,
-    AuthServerDiscoveryError,
-    JwksFetchError,
-    ClientRegistrationError,
-    isOAuthError,
-} from './errors.js'
-
-// Scopes
-export * from './scopes.js'
-
-// Scope Map (tool → scope reverse lookup)
-export { getRequiredScope, getToolScopeMap } from './scope-map.js'
-
-// Auth Context (AsyncLocalStorage per-request threading)
-export { runWithAuthContext, getAuthContext } from './auth-context.js'
-
-// Core classes
-export { OAuthResourceServer, createOAuthResourceServer } from './oauth-resource-server.js'
-export {
-    AuthorizationServerDiscovery,
-    createAuthServerDiscovery,
-} from './authorization-server-discovery.js'
-export { TokenValidator, createTokenValidator } from './token-validator.js'
-
-// Middleware (Express-specific)
-export {
-    createAuthMiddleware,
-    extractBearerToken,
-    requireScope,
-    requireAnyScope,
-    requireToolScope,
-    oauthErrorHandler,
-    type AuthMiddlewareConfig,
-} from './middleware.js'
-
-// Middleware (transport-agnostic)
-export {
-    createAuthenticatedContext,
-    validateAuth,
-    formatOAuthError,
-    type AuthenticatedContext,
-} from './middleware.js'