nitrostack 1.0.0

package/dist/auth/quick-setup.d.ts

@@ -0,0 +1,94 @@
+import { Express } from 'express';
+import { SimpleJWTConfig } from './simple-jwt.js';
+import { APIKeyConfig } from './api-key.js';
+import { McpAuthConfig } from './server-integration.js';
+/**
+ * Quick Setup Helpers
+ *
+ * Make it dead simple to add authentication to NitroStack servers
+ */
+/**
+ * Setup Simple JWT Authentication (1-liner!)
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // That's it! JWT auth enabled
+ * setupJWTAuth(server.app, {
+ *   secret: process.env.JWT_SECRET!,
+ * });
+ *
+ * server.start();
+ * ```
+ */
+export declare function setupJWTAuth(app: Express, config: SimpleJWTConfig, path?: string): void;
+/**
+ * Setup API Key Authentication (1-liner!)
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // That's it! API key auth enabled
+ * setupAPIKeyAuth(server.app, {
+ *   keys: [process.env.API_KEY!],
+ * });
+ *
+ * server.start();
+ * ```
+ */
+export declare function setupAPIKeyAuth(app: Express, config: APIKeyConfig, path?: string): void;
+/**
+ * Setup OAuth 2.1 Authentication (full enterprise setup)
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Full OAuth 2.1 with PKCE
+ * setupOAuthAuth(server.app, {
+ *   resourceUri: 'https://mcp.example.com',
+ *   authorizationServers: ['https://auth.example.com'],
+ *   tokenIntrospectionEndpoint: '...',
+ *   tokenIntrospectionClientId: '...',
+ *   tokenIntrospectionClientSecret: process.env.INTROSPECTION_SECRET,
+ * });
+ *
+ * server.start();
+ * ```
+ */
+export declare function setupOAuthAuth(app: Express, config: McpAuthConfig, path?: string): void;
+/**
+ * Generate test credentials (for development)
+ *
+ * @example
+ * ```typescript
+ * const creds = generateTestCredentials();
+ * console.log('JWT Secret:', creds.jwtSecret);
+ * console.log('API Key:', creds.apiKey);
+ * console.log('Sample Token:', creds.sampleToken);
+ * ```
+ */
+export declare function generateTestCredentials(options?: {
+    jwtAudience?: string;
+    jwtIssuer?: string;
+    apiKeyPrefix?: string;
+}): {
+    jwtSecret: string;
+    apiKey: string;
+    apiKeyHashed: string;
+    sampleToken: string;
+};
+/**
+ * Print auth setup instructions
+ */
+export declare function printAuthSetupInstructions(type: 'jwt' | 'apikey' | 'oauth'): void;
+/**
+ * Validate auth environment variables
+ */
+export declare function validateAuthEnv(type: 'jwt' | 'apikey' | 'oauth'): {
+    valid: boolean;
+    missing: string[];
+};
+//# sourceMappingURL=quick-setup.d.ts.map

package/dist/auth/quick-setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"quick-setup.d.ts","sourceRoot":"","sources":["../../src/auth/quick-setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAuB,eAAe,EAAe,MAAM,iBAAiB,CAAC;AACpF,OAAO,EAAoB,YAAY,EAA8B,MAAM,cAAc,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAE7E;;;;GAIG;AAEH;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE,eAAe,EACvB,IAAI,GAAE,MAAe,GACpB,IAAI,CAQN;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE,YAAY,EACpB,IAAI,GAAE,MAAe,GACpB,IAAI,CAQN;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,cAAc,CAC5B,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE,aAAa,EACrB,IAAI,GAAE,MAAe,GACpB,IAAI,CASN;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,CAAC,EAAE;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;;;;;EAqBA;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,CA8DjF;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,OAAO,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAmCvG"}

package/dist/auth/quick-setup.js

@@ -0,0 +1,210 @@
+import { createSimpleJWTAuth, generateJWT } from './simple-jwt.js';
+import { createAPIKeyAuth, generateAPIKey, hashAPIKey } from './api-key.js';
+import { configureServerAuth } from './server-integration.js';
+/**
+ * Quick Setup Helpers
+ *
+ * Make it dead simple to add authentication to NitroStack servers
+ */
+/**
+ * Setup Simple JWT Authentication (1-liner!)
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // That's it! JWT auth enabled
+ * setupJWTAuth(server.app, {
+ *   secret: process.env.JWT_SECRET!,
+ * });
+ *
+ * server.start();
+ * ```
+ */
+export function setupJWTAuth(app, config, path = '/mcp') {
+    const middleware = createSimpleJWTAuth(config);
+    app.use(path, middleware);
+    console.log(`✅ Simple JWT auth enabled on ${path}`);
+    console.log(`   Audience: ${config.audience || 'any'}`);
+    console.log(`   Issuer: ${config.issuer || 'any'}`);
+    console.log(`   Algorithm: ${config.algorithm || 'HS256'}`);
+}
+/**
+ * Setup API Key Authentication (1-liner!)
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // That's it! API key auth enabled
+ * setupAPIKeyAuth(server.app, {
+ *   keys: [process.env.API_KEY!],
+ * });
+ *
+ * server.start();
+ * ```
+ */
+export function setupAPIKeyAuth(app, config, path = '/mcp') {
+    const middleware = createAPIKeyAuth(config);
+    app.use(path, middleware);
+    console.log(`✅ API Key auth enabled on ${path}`);
+    console.log(`   Header: ${config.headerName || 'X-API-Key'}`);
+    console.log(`   Keys: ${config.keys.length} configured`);
+    console.log(`   Query param: ${config.allowQueryParam ? 'enabled' : 'disabled'}`);
+}
+/**
+ * Setup OAuth 2.1 Authentication (full enterprise setup)
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Full OAuth 2.1 with PKCE
+ * setupOAuthAuth(server.app, {
+ *   resourceUri: 'https://mcp.example.com',
+ *   authorizationServers: ['https://auth.example.com'],
+ *   tokenIntrospectionEndpoint: '...',
+ *   tokenIntrospectionClientId: '...',
+ *   tokenIntrospectionClientSecret: process.env.INTROSPECTION_SECRET,
+ * });
+ *
+ * server.start();
+ * ```
+ */
+export function setupOAuthAuth(app, config, path = '/mcp') {
+    configureServerAuth(app, config, {
+        protectRoutes: [path],
+    });
+    console.log(`✅ OAuth 2.1 auth enabled on ${path}`);
+    console.log(`   Resource URI: ${config.resourceUri}`);
+    console.log(`   Auth Servers: ${config.authorizationServers.join(', ')}`);
+    console.log(`   Scopes: ${config.scopesSupported?.join(', ') || 'none'}`);
+}
+/**
+ * Generate test credentials (for development)
+ *
+ * @example
+ * ```typescript
+ * const creds = generateTestCredentials();
+ * console.log('JWT Secret:', creds.jwtSecret);
+ * console.log('API Key:', creds.apiKey);
+ * console.log('Sample Token:', creds.sampleToken);
+ * ```
+ */
+export function generateTestCredentials(options) {
+    const jwtSecret = generateAPIKey('jwt_secret');
+    const apiKey = generateAPIKey(options?.apiKeyPrefix);
+    const sampleToken = generateJWT({
+        secret: jwtSecret,
+        payload: {
+            sub: 'test-user',
+            scopes: ['mcp:read', 'mcp:write'],
+        },
+        expiresIn: '1h',
+        audience: options?.jwtAudience,
+        issuer: options?.jwtIssuer,
+    });
+    return {
+        jwtSecret,
+        apiKey,
+        apiKeyHashed: hashAPIKey(apiKey),
+        sampleToken,
+    };
+}
+/**
+ * Print auth setup instructions
+ */
+export function printAuthSetupInstructions(type) {
+    console.log('\n╔══════════════════════════════════════════════════════════════╗');
+    console.log('║                    AUTH SETUP INSTRUCTIONS                   ║');
+    console.log('╚══════════════════════════════════════════════════════════════╝\n');
+    if (type === 'jwt') {
+        console.log('📝 Simple JWT Authentication Setup:\n');
+        console.log('1. Generate a secret:');
+        console.log('   const creds = generateTestCredentials();');
+        console.log('   console.log(creds.jwtSecret);\n');
+        console.log('2. Add to .env:');
+        console.log('   JWT_SECRET=jwt_secret_...\n');
+        console.log('3. Enable in server:');
+        console.log('   setupJWTAuth(server.app, {');
+        console.log('     secret: process.env.JWT_SECRET!,');
+        console.log('     audience: "my-mcp-server",');
+        console.log('   });\n');
+        console.log('4. Generate tokens:');
+        console.log('   const token = generateJWT({');
+        console.log('     secret: process.env.JWT_SECRET!,');
+        console.log('     payload: { sub: "user123" },');
+        console.log('     expiresIn: "1h",');
+        console.log('   });\n');
+        console.log('5. Use in client:');
+        console.log('   Authorization: Bearer <token>\n');
+    }
+    if (type === 'apikey') {
+        console.log('📝 API Key Authentication Setup:\n');
+        console.log('1. Generate API keys:');
+        console.log('   const key1 = generateAPIKey();');
+        console.log('   const key2 = generateAPIKey();\n');
+        console.log('2. Add to .env:');
+        console.log('   API_KEY_1=sk_...');
+        console.log('   API_KEY_2=sk_...\n');
+        console.log('3. Enable in server:');
+        console.log('   setupAPIKeyAuth(server.app, {');
+        console.log('     keys: [');
+        console.log('       process.env.API_KEY_1!,');
+        console.log('       process.env.API_KEY_2!,');
+        console.log('     ],');
+        console.log('   });\n');
+        console.log('4. Use in client:');
+        console.log('   X-API-Key: sk_...\n');
+    }
+    if (type === 'oauth') {
+        console.log('📝 OAuth 2.1 Authentication Setup:\n');
+        console.log('1. Deploy an OAuth 2.1 authorization server');
+        console.log('   (e.g., Auth0, Keycloak, Azure AD)\n');
+        console.log('2. Configure in server:');
+        console.log('   setupOAuthAuth(server.app, {');
+        console.log('     resourceUri: "https://mcp.example.com",');
+        console.log('     authorizationServers: ["https://auth.example.com"],');
+        console.log('     tokenIntrospectionEndpoint: "...",');
+        console.log('     tokenIntrospectionClientId: "...",');
+        console.log('     tokenIntrospectionClientSecret: process.env.SECRET,');
+        console.log('   });\n');
+        console.log('3. Use the inspector AUTH tab to test\n');
+    }
+    console.log('═══════════════════════════════════════════════════════════════\n');
+}
+/**
+ * Validate auth environment variables
+ */
+export function validateAuthEnv(type) {
+    const missing = [];
+    if (type === 'jwt') {
+        if (!process.env.JWT_SECRET) {
+            missing.push('JWT_SECRET');
+        }
+    }
+    if (type === 'apikey') {
+        if (!process.env.API_KEY_1 && !process.env.API_KEY) {
+            missing.push('API_KEY_1 or API_KEY');
+        }
+    }
+    if (type === 'oauth') {
+        const required = [
+            'OAUTH_RESOURCE_URI',
+            'OAUTH_AUTH_SERVER',
+            'OAUTH_INTROSPECTION_ENDPOINT',
+            'OAUTH_CLIENT_ID',
+            'OAUTH_CLIENT_SECRET',
+        ];
+        for (const key of required) {
+            if (!process.env[key]) {
+                missing.push(key);
+            }
+        }
+    }
+    return {
+        valid: missing.length === 0,
+        missing,
+    };
+}
+//# sourceMappingURL=quick-setup.js.map

package/dist/auth/quick-setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"quick-setup.js","sourceRoot":"","sources":["../../src/auth/quick-setup.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAmB,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACpF,OAAO,EAAE,gBAAgB,EAAgB,cAAc,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EAAE,mBAAmB,EAAiB,MAAM,yBAAyB,CAAC;AAE7E;;;;GAIG;AAEH;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,YAAY,CAC1B,GAAY,EACZ,MAAuB,EACvB,OAAe,MAAM;IAErB,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC/C,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAE1B,OAAO,CAAC,GAAG,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,QAAQ,IAAI,KAAK,EAAE,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAY,EACZ,MAAoB,EACpB,OAAe,MAAM;IAErB,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAE1B,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,EAAE,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,UAAU,IAAI,WAAW,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,IAAI,CAAC,MAAM,aAAa,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;AACpF,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,cAAc,CAC5B,GAAY,EACZ,MAAqB,EACrB,OAAe,MAAM;IAErB,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE;QAC/B,aAAa,EAAE,CAAC,IAAI,CAAC;KACtB,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,+BAA+B,IAAI,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACtD,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAIvC;IACC,MAAM,SAAS,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAErD,MAAM,WAAW,GAAG,WAAW,CAAC;QAC9B,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE;YACP,GAAG,EAAE,WAAW;YAChB,MAAM,EAAE,CAAC,UAAU,EAAE,WAAW,CAAC;SAClC;QACD,SAAS,EAAE,IAAI;QACf,QAAQ,EAAE,OAAO,EAAE,WAAW;QAC9B,MAAM,EAAE,OAAO,EAAE,SAAS;KAC3B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,MAAM;QACN,YAAY,EAAE,UAAU,CAAC,MAAM,CAAC;QAChC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CAAC,IAAgC;IACzE,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAElF,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;QACxE,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;QACxE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;AACnF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,IAAgC;IAC9D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,MAAM,QAAQ,GAAG;YACf,oBAAoB;YACpB,mBAAmB;YACnB,8BAA8B;YAC9B,iBAAiB;YACjB,qBAAqB;SACtB,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QAC3B,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/auth/server-integration.d.ts

@@ -0,0 +1,97 @@
+import { Express } from 'express';
+import { McpAuthConfig } from './types.js';
+import { requireScopes } from './middleware.js';
+export type { McpAuthConfig } from './types.js';
+/**
+ * Server Integration Utilities
+ *
+ * Easy integration of OAuth 2.1 auth into MCP servers
+ */
+/**
+ * Configure authentication for MCP server
+ *
+ * This adds:
+ * 1. Protected Resource Metadata endpoint
+ * 2. Authentication middleware to specified routes
+ *
+ * @param app - Express application
+ * @param config - Auth configuration
+ * @param protectRoutes - Routes to protect with auth (default: all /mcp routes)
+ *
+ * @example
+ * ```typescript
+ * const app = express();
+ *
+ * configureServerAuth(app, {
+ *   resourceUri: 'https://mcp.example.com',
+ *   authorizationServers: ['https://auth.example.com'],
+ *   tokenIntrospectionEndpoint: 'https://auth.example.com/oauth/introspect',
+ *   tokenIntrospectionClientId: 'mcp-server',
+ *   tokenIntrospectionClientSecret: process.env.INTROSPECTION_SECRET,
+ *   audience: 'https://mcp.example.com',
+ *   scopesSupported: ['mcp:read', 'mcp:write']
+ * }, {
+ *   protectRoutes: ['/mcp/*']
+ * });
+ * ```
+ */
+export declare function configureServerAuth(app: Express, config: McpAuthConfig, options?: {
+    protectRoutes?: string[];
+    metadataPath?: string;
+}): void;
+/**
+ * Scope-based route protection helper
+ *
+ * @example
+ * ```typescript
+ * const scopes = createScopeGuards(['mcp:read', 'mcp:write', 'mcp:admin']);
+ *
+ * app.get('/mcp/tools', scopes.read, (req, res) => {
+ *   // List tools - requires mcp:read
+ * });
+ *
+ * app.post('/mcp/tools/execute', scopes.write, (req, res) => {
+ *   // Execute tool - requires mcp:write
+ * });
+ *
+ * app.delete('/mcp/resources', scopes.admin, (req, res) => {
+ *   // Delete resource - requires mcp:admin
+ * });
+ * ```
+ */
+export declare function createScopeGuards(scopeConfig: {
+    read?: string[];
+    write?: string[];
+    admin?: string[];
+    [key: string]: string[] | undefined;
+}): Record<string, ReturnType<typeof requireScopes>>;
+/**
+ * Create standard MCP scope configuration
+ *
+ * Returns scope guards for common MCP operations:
+ * - read: List tools, resources, prompts
+ * - execute: Execute tools, get prompts
+ * - write: Modify resources
+ * - admin: Server configuration
+ *
+ * @param scopePrefix - Scope prefix (default: 'mcp')
+ */
+export declare function createMCPScopeGuards(scopePrefix?: string): Record<string, import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>>;
+/**
+ * Generate suggested scopes for MCP server
+ *
+ * Returns standard scope definitions for MCP operations
+ */
+export declare function getStandardMCPScopes(scopePrefix?: string): {
+    scopes: string[];
+    descriptions: Record<string, string>;
+};
+/**
+ * Helper to validate auth configuration
+ */
+export declare function validateAuthConfig(config: McpAuthConfig): {
+    valid: boolean;
+    errors: string[];
+    warnings: string[];
+};
+//# sourceMappingURL=server-integration.d.ts.map

package/dist/auth/server-integration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-integration.d.ts","sourceRoot":"","sources":["../../src/auth/server-integration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAqB,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAwB,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGtE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;;GAIG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,CAAC,EAAE;IACR,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GACA,IAAI,CA0BN;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE;IAC7C,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;CACrC,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC,CAUnD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,GAAE,MAAc,gKAO/D;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,GAAE,MAAc,GAAG;IACjE,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC,CAgBA;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,GAAG;IACzD,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB,CAkEA"}

package/dist/auth/server-integration.js

@@ -0,0 +1,182 @@
+import { createProtectedResourceMetadata } from './server-metadata.js';
+import { createAuthMiddleware, requireScopes } from './middleware.js';
+/**
+ * Server Integration Utilities
+ *
+ * Easy integration of OAuth 2.1 auth into MCP servers
+ */
+/**
+ * Configure authentication for MCP server
+ *
+ * This adds:
+ * 1. Protected Resource Metadata endpoint
+ * 2. Authentication middleware to specified routes
+ *
+ * @param app - Express application
+ * @param config - Auth configuration
+ * @param protectRoutes - Routes to protect with auth (default: all /mcp routes)
+ *
+ * @example
+ * ```typescript
+ * const app = express();
+ *
+ * configureServerAuth(app, {
+ *   resourceUri: 'https://mcp.example.com',
+ *   authorizationServers: ['https://auth.example.com'],
+ *   tokenIntrospectionEndpoint: 'https://auth.example.com/oauth/introspect',
+ *   tokenIntrospectionClientId: 'mcp-server',
+ *   tokenIntrospectionClientSecret: process.env.INTROSPECTION_SECRET,
+ *   audience: 'https://mcp.example.com',
+ *   scopesSupported: ['mcp:read', 'mcp:write']
+ * }, {
+ *   protectRoutes: ['/mcp/*']
+ * });
+ * ```
+ */
+export function configureServerAuth(app, config, options) {
+    const metadataPath = options?.metadataPath || '/.well-known/oauth-protected-resource';
+    const protectRoutes = options?.protectRoutes || ['/mcp/*'];
+    // 1. Add Protected Resource Metadata endpoint
+    app.get(metadataPath, (req, res) => {
+        const metadata = createProtectedResourceMetadata(config.resourceUri, config.authorizationServers, config.scopesSupported);
+        res.json(metadata);
+    });
+    // 2. Apply auth middleware to protected routes
+    const authMiddleware = createAuthMiddleware(config);
+    for (const route of protectRoutes) {
+        app.use(route, authMiddleware);
+    }
+    console.log(`🔐 OAuth 2.1 authentication configured for ${config.resourceUri}`);
+    console.log(`   Authorization servers: ${config.authorizationServers.join(', ')}`);
+    console.log(`   Protected routes: ${protectRoutes.join(', ')}`);
+    console.log(`   Metadata endpoint: ${metadataPath}`);
+}
+/**
+ * Scope-based route protection helper
+ *
+ * @example
+ * ```typescript
+ * const scopes = createScopeGuards(['mcp:read', 'mcp:write', 'mcp:admin']);
+ *
+ * app.get('/mcp/tools', scopes.read, (req, res) => {
+ *   // List tools - requires mcp:read
+ * });
+ *
+ * app.post('/mcp/tools/execute', scopes.write, (req, res) => {
+ *   // Execute tool - requires mcp:write
+ * });
+ *
+ * app.delete('/mcp/resources', scopes.admin, (req, res) => {
+ *   // Delete resource - requires mcp:admin
+ * });
+ * ```
+ */
+export function createScopeGuards(scopeConfig) {
+    const guards = {};
+    for (const [name, scopes] of Object.entries(scopeConfig)) {
+        if (scopes && scopes.length > 0) {
+            guards[name] = requireScopes(...scopes);
+        }
+    }
+    return guards;
+}
+/**
+ * Create standard MCP scope configuration
+ *
+ * Returns scope guards for common MCP operations:
+ * - read: List tools, resources, prompts
+ * - execute: Execute tools, get prompts
+ * - write: Modify resources
+ * - admin: Server configuration
+ *
+ * @param scopePrefix - Scope prefix (default: 'mcp')
+ */
+export function createMCPScopeGuards(scopePrefix = 'mcp') {
+    return createScopeGuards({
+        read: [`${scopePrefix}:read`],
+        execute: [`${scopePrefix}:read`, `${scopePrefix}:execute`],
+        write: [`${scopePrefix}:read`, `${scopePrefix}:write`],
+        admin: [`${scopePrefix}:admin`],
+    });
+}
+/**
+ * Generate suggested scopes for MCP server
+ *
+ * Returns standard scope definitions for MCP operations
+ */
+export function getStandardMCPScopes(scopePrefix = 'mcp') {
+    const scopes = [
+        `${scopePrefix}:read`,
+        `${scopePrefix}:execute`,
+        `${scopePrefix}:write`,
+        `${scopePrefix}:admin`,
+    ];
+    const descriptions = {
+        [`${scopePrefix}:read`]: 'Read access to tools, resources, and prompts',
+        [`${scopePrefix}:execute`]: 'Execute tools and get prompts',
+        [`${scopePrefix}:write`]: 'Modify resources and server state',
+        [`${scopePrefix}:admin`]: 'Administrative access to server configuration',
+    };
+    return { scopes, descriptions };
+}
+/**
+ * Helper to validate auth configuration
+ */
+export function validateAuthConfig(config) {
+    const errors = [];
+    const warnings = [];
+    // Required fields
+    if (!config.resourceUri) {
+        errors.push('resourceUri is required');
+    }
+    if (!config.authorizationServers || config.authorizationServers.length === 0) {
+        errors.push('At least one authorization server is required');
+    }
+    // Token validation method
+    const hasIntrospection = !!config.tokenIntrospectionEndpoint;
+    const hasJWT = !!config.jwksUri;
+    if (!hasIntrospection && !hasJWT) {
+        errors.push('Either tokenIntrospectionEndpoint or jwksUri must be configured');
+    }
+    // Introspection credentials
+    if (hasIntrospection) {
+        if (!config.tokenIntrospectionClientId) {
+            warnings.push('tokenIntrospectionClientId not set - introspection may fail');
+        }
+        if (!config.tokenIntrospectionClientSecret) {
+            warnings.push('tokenIntrospectionClientSecret not set - introspection may fail');
+        }
+    }
+    // JWT validation
+    if (hasJWT) {
+        if (!config.audience) {
+            errors.push('audience is required for JWT validation (prevents confused deputy attacks)');
+        }
+        if (!config.issuer) {
+            warnings.push('issuer not set - JWT validation may be less strict');
+        }
+    }
+    // Audience (critical for security)
+    if (!config.audience) {
+        warnings.push('audience not set - tokens will not be validated for this resource. ' +
+            'This is a security risk (confused deputy attacks).');
+    }
+    // HTTPS
+    if (config.requireHttps !== false && process.env.NODE_ENV === 'production') {
+        try {
+            const url = new URL(config.resourceUri);
+            if (url.protocol !== 'https:') {
+                errors.push('resourceUri must use HTTPS in production');
+            }
+        }
+        catch {
+            errors.push('resourceUri is not a valid URL');
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+        warnings,
+    };
+}
+//# sourceMappingURL=server-integration.js.map

package/dist/auth/server-integration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-integration.js","sourceRoot":"","sources":["../../src/auth/server-integration.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,+BAA+B,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAKtE;;;;GAIG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,mBAAmB,CACjC,GAAY,EACZ,MAAqB,EACrB,OAGC;IAED,MAAM,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,uCAAuC,CAAC;IACtF,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE3D,8CAA8C;IAC9C,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpD,MAAM,QAAQ,GAAG,+BAA+B,CAC9C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,oBAAoB,EAC3B,MAAM,CAAC,eAAe,CACvB,CAAC;QAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,+CAA+C;IAC/C,MAAM,cAAc,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAEpD,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,8CAA8C,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,6BAA6B,MAAM,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnF,OAAO,CAAC,GAAG,CAAC,wBAAwB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,yBAAyB,YAAY,EAAE,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAKjC;IACC,MAAM,MAAM,GAAqD,EAAE,CAAC;IAEpE,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACzD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,GAAG,MAAM,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAAC,cAAsB,KAAK;IAC9D,OAAO,iBAAiB,CAAC;QACvB,IAAI,EAAE,CAAC,GAAG,WAAW,OAAO,CAAC;QAC7B,OAAO,EAAE,CAAC,GAAG,WAAW,OAAO,EAAE,GAAG,WAAW,UAAU,CAAC;QAC1D,KAAK,EAAE,CAAC,GAAG,WAAW,OAAO,EAAE,GAAG,WAAW,QAAQ,CAAC;QACtD,KAAK,EAAE,CAAC,GAAG,WAAW,QAAQ,CAAC;KAChC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,cAAsB,KAAK;IAI9D,MAAM,MAAM,GAAG;QACb,GAAG,WAAW,OAAO;QACrB,GAAG,WAAW,UAAU;QACxB,GAAG,WAAW,QAAQ;QACtB,GAAG,WAAW,QAAQ;KACvB,CAAC;IAEF,MAAM,YAAY,GAAG;QACnB,CAAC,GAAG,WAAW,OAAO,CAAC,EAAE,8CAA8C;QACvE,CAAC,GAAG,WAAW,UAAU,CAAC,EAAE,+BAA+B;QAC3D,CAAC,GAAG,WAAW,QAAQ,CAAC,EAAE,mCAAmC;QAC7D,CAAC,GAAG,WAAW,QAAQ,CAAC,EAAE,+CAA+C;KAC1E,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAqB;IAKtD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,MAAM,CAAC,oBAAoB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7E,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IAC/D,CAAC;IAED,0BAA0B;IAC1B,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC,0BAA0B,CAAC;IAC7D,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IAEhC,IAAI,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IACjF,CAAC;IAED,4BAA4B;IAC5B,IAAI,gBAAgB,EAAE,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,QAAQ,CAAC,IAAI,CACX,qEAAqE;YACrE,oDAAoD,CACrD,CAAC;IACJ,CAAC;IAED,QAAQ;IACR,IAAI,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3E,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACxC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/auth/server-metadata.d.ts

@@ -0,0 +1,51 @@
+import { ProtectedResourceMetadata } from './types.js';
+/**
+ * Protected Resource Metadata (RFC 9728)
+ *
+ * MCP servers MUST implement this to advertise their authorization servers
+ * to MCP clients. This enables automatic discovery of auth configuration.
+ */
+/**
+ * Create protected resource metadata document
+ *
+ * @param resourceUri - The URI of this MCP server
+ * @param authorizationServers - Array of authorization server issuer URLs
+ * @param scopesSupported - Optional: scopes this resource supports
+ */
+export declare function createProtectedResourceMetadata(resourceUri: string, authorizationServers: string[], scopesSupported?: string[]): ProtectedResourceMetadata;
+/**
+ * Get well-known URI for protected resource metadata
+ * Per RFC 9728, can be at:
+ * 1. Resource path: /.well-known/oauth-protected-resource{path}
+ * 2. Root: /.well-known/oauth-protected-resource
+ */
+export declare function getWellKnownMetadataUris(resourceUrl: URL): string[];
+/**
+ * Generate WWW-Authenticate header value for 401 responses
+ * Per RFC 6750 and MCP spec
+ *
+ * @param resourceMetadataUrl - URL to protected resource metadata
+ * @param scope - Optional: required scopes for this request
+ * @param error - Optional: error code (invalid_token, insufficient_scope, etc.)
+ * @param errorDescription - Optional: human-readable error description
+ */
+export declare function generateWWWAuthenticateHeader(options: {
+    resourceMetadataUrl?: string;
+    scope?: string;
+    error?: string;
+    errorDescription?: string;
+    realm?: string;
+}): string;
+/**
+ * Parse WWW-Authenticate header
+ * Extracts Bearer auth challenge parameters
+ */
+export declare function parseWWWAuthenticateHeader(headerValue: string): {
+    scheme: string;
+    realm?: string;
+    scope?: string;
+    resourceMetadata?: string;
+    error?: string;
+    errorDescription?: string;
+} | null;
+//# sourceMappingURL=server-metadata.d.ts.map

package/dist/auth/server-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-metadata.d.ts","sourceRoot":"","sources":["../../src/auth/server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAEvD;;;;;GAKG;AAEH;;;;;;GAMG;AACH,wBAAgB,+BAA+B,CAC7C,WAAW,EAAE,MAAM,EACnB,oBAAoB,EAAE,MAAM,EAAE,EAC9B,eAAe,CAAC,EAAE,MAAM,EAAE,GACzB,yBAAyB,CAO3B;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,GAAG,GAAG,MAAM,EAAE,CAcnE;AAED;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE;IACrD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,MAAM,CAwBT;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,WAAW,EAAE,MAAM,GAAG;IAC/D,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GAAG,IAAI,CAoCP"}