nitrostack 1.0.0

package/dist/auth/server-metadata.js

@@ -0,0 +1,106 @@
+/**
+ * Protected Resource Metadata (RFC 9728)
+ *
+ * MCP servers MUST implement this to advertise their authorization servers
+ * to MCP clients. This enables automatic discovery of auth configuration.
+ */
+/**
+ * Create protected resource metadata document
+ *
+ * @param resourceUri - The URI of this MCP server
+ * @param authorizationServers - Array of authorization server issuer URLs
+ * @param scopesSupported - Optional: scopes this resource supports
+ */
+export function createProtectedResourceMetadata(resourceUri, authorizationServers, scopesSupported) {
+    return {
+        resource: resourceUri,
+        authorization_servers: authorizationServers,
+        scopes_supported: scopesSupported,
+        bearer_methods_supported: ['header'], // MCP uses Bearer tokens in headers
+    };
+}
+/**
+ * Get well-known URI for protected resource metadata
+ * Per RFC 9728, can be at:
+ * 1. Resource path: /.well-known/oauth-protected-resource{path}
+ * 2. Root: /.well-known/oauth-protected-resource
+ */
+export function getWellKnownMetadataUris(resourceUrl) {
+    const urls = [];
+    // Method 1: At the path of the resource
+    if (resourceUrl.pathname && resourceUrl.pathname !== '/') {
+        const pathUri = new URL('/.well-known/oauth-protected-resource' + resourceUrl.pathname, resourceUrl.origin);
+        urls.push(pathUri.toString());
+    }
+    // Method 2: At the root
+    const rootUri = new URL('/.well-known/oauth-protected-resource', resourceUrl.origin);
+    urls.push(rootUri.toString());
+    return urls;
+}
+/**
+ * Generate WWW-Authenticate header value for 401 responses
+ * Per RFC 6750 and MCP spec
+ *
+ * @param resourceMetadataUrl - URL to protected resource metadata
+ * @param scope - Optional: required scopes for this request
+ * @param error - Optional: error code (invalid_token, insufficient_scope, etc.)
+ * @param errorDescription - Optional: human-readable error description
+ */
+export function generateWWWAuthenticateHeader(options) {
+    const parts = ['Bearer'];
+    if (options.realm) {
+        parts.push(`realm="${options.realm}"`);
+    }
+    if (options.scope) {
+        parts.push(`scope="${options.scope}"`);
+    }
+    if (options.resourceMetadataUrl) {
+        parts.push(`resource_metadata="${options.resourceMetadataUrl}"`);
+    }
+    if (options.error) {
+        parts.push(`error="${options.error}"`);
+    }
+    if (options.errorDescription) {
+        parts.push(`error_description="${options.errorDescription}"`);
+    }
+    return parts.join(', ');
+}
+/**
+ * Parse WWW-Authenticate header
+ * Extracts Bearer auth challenge parameters
+ */
+export function parseWWWAuthenticateHeader(headerValue) {
+    if (!headerValue)
+        return null;
+    // Parse Bearer scheme
+    const bearerMatch = headerValue.match(/Bearer\s+(.+)/i);
+    if (!bearerMatch)
+        return null;
+    const params = bearerMatch[1];
+    const result = { scheme: 'Bearer' };
+    // Parse key="value" pairs
+    const paramRegex = /(\w+)="([^"]+)"/g;
+    let match;
+    while ((match = paramRegex.exec(params)) !== null) {
+        const [, key, value] = match;
+        switch (key) {
+            case 'realm':
+                result.realm = value;
+                break;
+            case 'scope':
+                result.scope = value;
+                break;
+            case 'resource_metadata':
+                result.resourceMetadata = value;
+                break;
+            case 'error':
+                result.error = value;
+                break;
+            case 'error_description':
+                result.errorDescription = value;
+                break;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=server-metadata.js.map

package/dist/auth/server-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-metadata.js","sourceRoot":"","sources":["../../src/auth/server-metadata.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B,CAC7C,WAAmB,EACnB,oBAA8B,EAC9B,eAA0B;IAE1B,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,qBAAqB,EAAE,oBAAoB;QAC3C,gBAAgB,EAAE,eAAe;QACjC,wBAAwB,EAAE,CAAC,QAAQ,CAAC,EAAE,oCAAoC;KAC3E,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAgB;IACvD,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,wCAAwC;IACxC,IAAI,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;QACzD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,uCAAuC,GAAG,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;QAC5G,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,wBAAwB;IACxB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACrF,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE9B,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAAC,OAM7C;IACC,MAAM,KAAK,GAAa,CAAC,QAAQ,CAAC,CAAC;IAEnC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,mBAAmB,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,gBAAgB,GAAG,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,WAAmB;IAQ5D,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,sBAAsB;IACtB,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACxD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAEzC,0BAA0B;IAC1B,MAAM,UAAU,GAAG,kBAAkB,CAAC;IACtC,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;QAC7B,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,mBAAmB;gBACtB,MAAM,CAAC,gBAAgB,GAAG,KAAK,CAAC;gBAChC,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,mBAAmB;gBACtB,MAAM,CAAC,gBAAgB,GAAG,KAAK,CAAC;gBAChC,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/auth/simple-jwt.d.ts

@@ -0,0 +1,88 @@
+import { RequestHandler } from 'express';
+/**
+ * Simple JWT Authentication
+ *
+ * For 70% of use cases where you don't need full OAuth 2.1 complexity.
+ * Perfect for internal tools, APIs, and services that manage their own tokens.
+ */
+export interface SimpleJWTConfig {
+    /**
+     * JWT secret for signing/verification (HS256)
+     * Store in environment variable!
+     */
+    secret: string;
+    /**
+     * Expected audience (who the token is for)
+     */
+    audience?: string;
+    /**
+     * Expected issuer (who created the token)
+     */
+    issuer?: string;
+    /**
+     * Custom claims to validate
+     */
+    customValidation?: (payload: any) => boolean;
+    /**
+     * Algorithm (default: HS256)
+     */
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+}
+export interface JWTPayload {
+    sub?: string;
+    aud?: string | string[];
+    iss?: string;
+    exp?: number;
+    iat?: number;
+    [key: string]: any;
+}
+/**
+ * Create Simple JWT authentication middleware
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Simple JWT auth (no OAuth complexity!)
+ * server.app.use('/mcp', createSimpleJWTAuth({
+ *   secret: process.env.JWT_SECRET!,
+ *   audience: 'my-mcp-server',
+ *   issuer: 'my-app',
+ * }));
+ *
+ * server.start();
+ * ```
+ */
+export declare function createSimpleJWTAuth(config: SimpleJWTConfig): RequestHandler;
+/**
+ * Generate a JWT token (helper for testing/development)
+ *
+ * @example
+ * ```typescript
+ * const token = generateJWT({
+ *   secret: process.env.JWT_SECRET!,
+ *   payload: {
+ *     sub: 'user123',
+ *     scopes: ['mcp:read', 'mcp:write'],
+ *   },
+ *   expiresIn: '1h',
+ * });
+ * ```
+ */
+export declare function generateJWT(options: {
+    secret: string;
+    payload: JWTPayload;
+    expiresIn?: string | number;
+    audience?: string;
+    issuer?: string;
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+}): string;
+/**
+ * Verify a JWT token without middleware (helper)
+ */
+export declare function verifyJWT(token: string, config: SimpleJWTConfig): JWTPayload | null;
+/**
+ * Decode JWT without verification (for debugging)
+ */
+export declare function decodeJWT(token: string): JWTPayload | null;
+//# sourceMappingURL=simple-jwt.d.ts.map

package/dist/auth/simple-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"simple-jwt.d.ts","sourceRoot":"","sources":["../../src/auth/simple-jwt.ts"],"names":[],"mappings":"AACA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1E;;;;;GAKG;AAEH,MAAM,WAAW,eAAe;IAC9B;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,gBAAgB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,OAAO,CAAC;IAE7C;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CACzC;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,cAAc,CA8E3E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,UAAU,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CACzC,GAAG,MAAM,CAkBT;AAED;;GAEG;AACH,wBAAgB,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,eAAe,GACtB,UAAU,GAAG,IAAI,CAwBnB;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAM1D"}

package/dist/auth/simple-jwt.js

@@ -0,0 +1,152 @@
+import jwt from 'jsonwebtoken';
+/**
+ * Create Simple JWT authentication middleware
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Simple JWT auth (no OAuth complexity!)
+ * server.app.use('/mcp', createSimpleJWTAuth({
+ *   secret: process.env.JWT_SECRET!,
+ *   audience: 'my-mcp-server',
+ *   issuer: 'my-app',
+ * }));
+ *
+ * server.start();
+ * ```
+ */
+export function createSimpleJWTAuth(config) {
+    const algorithm = config.algorithm || 'HS256';
+    return async (req, res, next) => {
+        try {
+            // 1. Extract token from Authorization header
+            const authHeader = req.headers.authorization;
+            if (!authHeader || !authHeader.startsWith('Bearer ')) {
+                return res.status(401).json({
+                    error: 'unauthorized',
+                    message: 'Missing or invalid Authorization header. Use: Authorization: Bearer <token>',
+                });
+            }
+            const token = authHeader.substring(7); // Remove 'Bearer '
+            // 2. Verify JWT
+            const verifyOptions = {
+                algorithms: [algorithm],
+            };
+            if (config.audience) {
+                verifyOptions.audience = config.audience;
+            }
+            if (config.issuer) {
+                verifyOptions.issuer = config.issuer;
+            }
+            const payload = jwt.verify(token, config.secret, verifyOptions);
+            // 3. Custom validation
+            if (config.customValidation && !config.customValidation(payload)) {
+                return res.status(403).json({
+                    error: 'forbidden',
+                    message: 'Token validation failed',
+                });
+            }
+            // 4. Attach to request
+            req.auth = {
+                authenticated: true,
+                tokenInfo: {
+                    active: true,
+                    sub: payload.sub,
+                    aud: typeof payload.aud === 'string' ? [payload.aud] : payload.aud,
+                    iss: payload.iss,
+                    exp: payload.exp,
+                    iat: payload.iat,
+                },
+                scopes: payload.scopes || payload.scope?.split(' ') || [],
+                clientId: payload.client_id || payload.sub,
+                subject: payload.sub,
+            };
+            next();
+        }
+        catch (error) {
+            if (error.name === 'TokenExpiredError') {
+                return res.status(401).json({
+                    error: 'token_expired',
+                    message: 'JWT has expired',
+                });
+            }
+            if (error.name === 'JsonWebTokenError') {
+                return res.status(401).json({
+                    error: 'invalid_token',
+                    message: 'Invalid JWT: ' + error.message,
+                });
+            }
+            return res.status(500).json({
+                error: 'server_error',
+                message: 'Token validation failed',
+            });
+        }
+    };
+}
+/**
+ * Generate a JWT token (helper for testing/development)
+ *
+ * @example
+ * ```typescript
+ * const token = generateJWT({
+ *   secret: process.env.JWT_SECRET!,
+ *   payload: {
+ *     sub: 'user123',
+ *     scopes: ['mcp:read', 'mcp:write'],
+ *   },
+ *   expiresIn: '1h',
+ * });
+ * ```
+ */
+export function generateJWT(options) {
+    const signOptions = {
+        algorithm: options.algorithm || 'HS256',
+    };
+    if (options.expiresIn !== undefined) {
+        signOptions.expiresIn = options.expiresIn; // jwt types are inconsistent
+    }
+    if (options.audience) {
+        signOptions.audience = options.audience;
+    }
+    if (options.issuer) {
+        signOptions.issuer = options.issuer;
+    }
+    return jwt.sign(options.payload, options.secret, signOptions);
+}
+/**
+ * Verify a JWT token without middleware (helper)
+ */
+export function verifyJWT(token, config) {
+    try {
+        const verifyOptions = {
+            algorithms: [config.algorithm || 'HS256'],
+        };
+        if (config.audience) {
+            verifyOptions.audience = config.audience;
+        }
+        if (config.issuer) {
+            verifyOptions.issuer = config.issuer;
+        }
+        const payload = jwt.verify(token, config.secret, verifyOptions);
+        if (config.customValidation && !config.customValidation(payload)) {
+            return null;
+        }
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Decode JWT without verification (for debugging)
+ */
+export function decodeJWT(token) {
+    try {
+        return jwt.decode(token);
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=simple-jwt.js.map

package/dist/auth/simple-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"simple-jwt.js","sourceRoot":"","sources":["../../src/auth/simple-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AA+C/B;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAuB;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC;IAE9C,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAE7C,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,6EAA6E;iBACvF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;YAE1D,gBAAgB;YAChB,MAAM,aAAa,GAAsB;gBACvC,UAAU,EAAE,CAAC,SAAS,CAAC;aACxB,CAAC;YAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,aAAa,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC3C,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YACvC,CAAC;YAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAe,CAAC;YAE9E,uBAAuB;YACvB,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;YACL,CAAC;YAED,uBAAuB;YACvB,GAAG,CAAC,IAAI,GAAG;gBACT,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE;oBACT,MAAM,EAAE,IAAI;oBACZ,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG;oBAClE,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;iBACjB;gBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;gBACzD,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG;gBAC1C,OAAO,EAAE,OAAO,CAAC,GAAG;aACrB,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACvC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,iBAAiB;iBAC3B,CAAC,CAAC;YACL,CAAC;YAED,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACvC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,eAAe,GAAG,KAAK,CAAC,OAAO;iBACzC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,WAAW,CAAC,OAO3B;IACC,MAAM,WAAW,GAAoB;QACnC,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;KACxC,CAAC;IAEF,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,WAAW,CAAC,SAAS,GAAG,OAAO,CAAC,SAAgB,CAAC,CAAC,6BAA6B;IACjF,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,WAAW,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC1C,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,WAAW,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACtC,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CACvB,KAAa,EACb,MAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,aAAa,GAAsB;YACvC,UAAU,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC;SAC1C,CAAC;QAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,aAAa,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC3C,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QACvC,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAe,CAAC;QAE9E,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAe,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/auth/token-store.d.ts

@@ -0,0 +1,104 @@
+import { StoredToken } from './types.js';
+/**
+ * Token Storage Interface
+ *
+ * Provides secure storage for OAuth tokens
+ */
+export interface TokenStore {
+    /**
+     * Save a token
+     */
+    saveToken(key: string, token: StoredToken): Promise<void>;
+    /**
+     * Get a token
+     */
+    getToken(key: string): Promise<StoredToken | null>;
+    /**
+     * Delete a token
+     */
+    deleteToken(key: string): Promise<void>;
+    /**
+     * List all stored token keys
+     */
+    listKeys(): Promise<string[]>;
+    /**
+     * Clear all tokens
+     */
+    clear(): Promise<void>;
+}
+/**
+ * In-memory token store
+ * For testing and ephemeral storage
+ */
+export declare class MemoryTokenStore implements TokenStore {
+    private tokens;
+    saveToken(key: string, token: StoredToken): Promise<void>;
+    getToken(key: string): Promise<StoredToken | null>;
+    deleteToken(key: string): Promise<void>;
+    listKeys(): Promise<string[]>;
+    clear(): Promise<void>;
+    private isTokenExpired;
+}
+/**
+ * File-based token store with encryption
+ * For CLI applications and development
+ */
+export declare class FileTokenStore implements TokenStore {
+    private storePath;
+    private encryptionKey?;
+    constructor(storePath: string, encryptionKey?: string);
+    saveToken(key: string, token: StoredToken): Promise<void>;
+    getToken(key: string): Promise<StoredToken | null>;
+    deleteToken(key: string): Promise<void>;
+    listKeys(): Promise<string[]>;
+    clear(): Promise<void>;
+    /**
+     * Load tokens from file
+     */
+    private loadTokens;
+    /**
+     * Save tokens to file
+     */
+    private saveTokens;
+    /**
+     * Encrypt data using AES-256-GCM
+     */
+    private encrypt;
+    /**
+     * Decrypt data using AES-256-GCM
+     */
+    private decrypt;
+    /**
+     * Derive 256-bit key from password using PBKDF2
+     */
+    private deriveKey;
+    private isTokenExpired;
+}
+/**
+ * Create default token store
+ *
+ * Uses file-based storage with encryption if password provided
+ *
+ * @param storePath - Path to store tokens (default: ~/.nitrostack/tokens.json)
+ * @param encryptionKey - Optional encryption key
+ */
+export declare function createDefaultTokenStore(storePath?: string, encryptionKey?: string): TokenStore;
+/**
+ * Utility: Check if token is expired
+ */
+export declare function isTokenExpired(token: StoredToken): boolean;
+/**
+ * Utility: Calculate token expiration timestamp
+ */
+export declare function calculateExpiration(expiresIn: number): number;
+/**
+ * Utility: Convert TokenResponse to StoredToken
+ */
+export declare function tokenResponseToStored(response: {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+}, resource?: string): StoredToken;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/auth/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAEnD;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE9B;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;;GAGG;AACH,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,MAAM,CAAuC;IAE/C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAalD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAI7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B,OAAO,CAAC,cAAc;CAGvB;AAED;;;GAGG;AACH,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,aAAa,CAAC,CAAS;gBAEnB,SAAS,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM;IAK/C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzD,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAgBlD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMvC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAK7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B;;OAEG;YACW,UAAU;IAoBxB;;OAEG;YACW,UAAU;IAYxB;;OAEG;IACH,OAAO,CAAC,OAAO;IAgBf;;OAEG;IACH,OAAO,CAAC,OAAO;IAuBf;;OAEG;IACH,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,cAAc;CAGvB;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,CAAC,EAAE,MAAM,EAClB,aAAa,CAAC,EAAE,MAAM,GACrB,UAAU,CAQZ;AAUD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAE1D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,QAAQ,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,EACrH,QAAQ,CAAC,EAAE,MAAM,GAChB,WAAW,CASb"}

package/dist/auth/token-store.js

@@ -0,0 +1,205 @@
+import fs from 'fs/promises';
+import path from 'path';
+import crypto from 'crypto';
+/**
+ * In-memory token store
+ * For testing and ephemeral storage
+ */
+export class MemoryTokenStore {
+    tokens = new Map();
+    async saveToken(key, token) {
+        this.tokens.set(key, token);
+    }
+    async getToken(key) {
+        const token = this.tokens.get(key);
+        if (!token)
+            return null;
+        // Check if expired
+        if (this.isTokenExpired(token)) {
+            this.tokens.delete(key);
+            return null;
+        }
+        return token;
+    }
+    async deleteToken(key) {
+        this.tokens.delete(key);
+    }
+    async listKeys() {
+        return Array.from(this.tokens.keys());
+    }
+    async clear() {
+        this.tokens.clear();
+    }
+    isTokenExpired(token) {
+        return Date.now() > token.expires_at;
+    }
+}
+/**
+ * File-based token store with encryption
+ * For CLI applications and development
+ */
+export class FileTokenStore {
+    storePath;
+    encryptionKey;
+    constructor(storePath, encryptionKey) {
+        this.storePath = storePath;
+        this.encryptionKey = encryptionKey;
+    }
+    async saveToken(key, token) {
+        const tokens = await this.loadTokens();
+        tokens[key] = token;
+        await this.saveTokens(tokens);
+    }
+    async getToken(key) {
+        const tokens = await this.loadTokens();
+        const token = tokens[key];
+        if (!token)
+            return null;
+        // Check if expired
+        if (this.isTokenExpired(token)) {
+            delete tokens[key];
+            await this.saveTokens(tokens);
+            return null;
+        }
+        return token;
+    }
+    async deleteToken(key) {
+        const tokens = await this.loadTokens();
+        delete tokens[key];
+        await this.saveTokens(tokens);
+    }
+    async listKeys() {
+        const tokens = await this.loadTokens();
+        return Object.keys(tokens);
+    }
+    async clear() {
+        await this.saveTokens({});
+    }
+    /**
+     * Load tokens from file
+     */
+    async loadTokens() {
+        try {
+            // Ensure directory exists
+            await fs.mkdir(path.dirname(this.storePath), { recursive: true });
+            // Read file
+            const data = await fs.readFile(this.storePath, 'utf-8');
+            // Decrypt if encryption is enabled
+            const content = this.encryptionKey ? this.decrypt(data) : data;
+            return JSON.parse(content);
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                return {}; // File doesn't exist yet
+            }
+            throw error;
+        }
+    }
+    /**
+     * Save tokens to file
+     */
+    async saveTokens(tokens) {
+        const content = JSON.stringify(tokens, null, 2);
+        // Encrypt if encryption is enabled
+        const data = this.encryptionKey ? this.encrypt(content) : content;
+        // Write to file with restricted permissions
+        await fs.writeFile(this.storePath, data, {
+            mode: 0o600, // Read/write for owner only
+        });
+    }
+    /**
+     * Encrypt data using AES-256-GCM
+     */
+    encrypt(data) {
+        if (!this.encryptionKey)
+            return data;
+        const key = this.deriveKey(this.encryptionKey);
+        const iv = crypto.randomBytes(16);
+        const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+        let encrypted = cipher.update(data, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        const authTag = cipher.getAuthTag();
+        // Return: iv:authTag:encrypted
+        return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+    }
+    /**
+     * Decrypt data using AES-256-GCM
+     */
+    decrypt(data) {
+        if (!this.encryptionKey)
+            return data;
+        const key = this.deriveKey(this.encryptionKey);
+        const parts = data.split(':');
+        if (parts.length !== 3) {
+            throw new Error('Invalid encrypted data format');
+        }
+        const [ivHex, authTagHex, encrypted] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const authTag = Buffer.from(authTagHex, 'hex');
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    /**
+     * Derive 256-bit key from password using PBKDF2
+     */
+    deriveKey(password) {
+        // Use a fixed salt for key derivation
+        // In production, consider using a per-user salt
+        const salt = 'nitrostack-token-store';
+        return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
+    }
+    isTokenExpired(token) {
+        return Date.now() > token.expires_at;
+    }
+}
+/**
+ * Create default token store
+ *
+ * Uses file-based storage with encryption if password provided
+ *
+ * @param storePath - Path to store tokens (default: ~/.nitrostack/tokens.json)
+ * @param encryptionKey - Optional encryption key
+ */
+export function createDefaultTokenStore(storePath, encryptionKey) {
+    const defaultPath = storePath || getDefaultStorePath();
+    if (encryptionKey) {
+        return new FileTokenStore(defaultPath, encryptionKey);
+    }
+    return new FileTokenStore(defaultPath);
+}
+/**
+ * Get default token store path
+ */
+function getDefaultStorePath() {
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    return path.join(home, '.nitrostack', 'tokens.json');
+}
+/**
+ * Utility: Check if token is expired
+ */
+export function isTokenExpired(token) {
+    return Date.now() > token.expires_at;
+}
+/**
+ * Utility: Calculate token expiration timestamp
+ */
+export function calculateExpiration(expiresIn) {
+    return Date.now() + expiresIn * 1000;
+}
+/**
+ * Utility: Convert TokenResponse to StoredToken
+ */
+export function tokenResponseToStored(response, resource) {
+    return {
+        access_token: response.access_token,
+        token_type: response.token_type,
+        expires_at: response.expires_in ? calculateExpiration(response.expires_in) : Date.now() + 3600000, // Default 1 hour
+        refresh_token: response.refresh_token,
+        scope: response.scope,
+        resource,
+    };
+}
+//# sourceMappingURL=token-store.js.map