nitrostack 1.0.83 → 1.0.85

package/dist/auth/simple-jwt.js

@@ -1,162 +0,0 @@
-import jwt from 'jsonwebtoken';
-import { unwrapSecret } from './secure-secret.js';
-/**
- * Create Simple JWT authentication middleware
- *
- * @example
- * ```typescript
- * const server = createServer({...});
- *
- * // Simple JWT auth (no OAuth complexity!)
- * server.app.use('/mcp', createSimpleJWTAuth({
- *   secret: process.env.JWT_SECRET!,
- *   audience: 'my-mcp-server',
- *   issuer: 'my-app',
- * }));
- *
- * server.start();
- * ```
- */
-export function createSimpleJWTAuth(config) {
-    const algorithm = config.algorithm || 'HS256';
-    return async (req, res, next) => {
-        try {
-            // 1. Extract token from Authorization header
-            const authHeader = req.headers.authorization;
-            if (!authHeader || !authHeader.startsWith('Bearer ')) {
-                return res.status(401).json({
-                    error: 'unauthorized',
-                    message: 'Missing or invalid Authorization header. Use: Authorization: Bearer <token>',
-                });
-            }
-            const token = authHeader.substring(7); // Remove 'Bearer '
-            // 2. Verify JWT
-            const verifyOptions = {
-                algorithms: [algorithm],
-            };
-            if (config.audience) {
-                verifyOptions.audience = config.audience;
-            }
-            if (config.issuer) {
-                verifyOptions.issuer = config.issuer;
-            }
-            const secretValue = unwrapSecret(config.secret);
-            const payload = jwt.verify(token, secretValue, verifyOptions);
-            // 3. Custom validation
-            if (config.customValidation && !config.customValidation(payload)) {
-                return res.status(403).json({
-                    error: 'forbidden',
-                    message: 'Token validation failed',
-                });
-            }
-            // 4. Attach to request
-            req.auth = {
-                authenticated: true,
-                tokenInfo: {
-                    active: true,
-                    sub: payload.sub,
-                    aud: typeof payload.aud === 'string' ? [payload.aud] : payload.aud,
-                    iss: payload.iss,
-                    exp: payload.exp,
-                    iat: payload.iat,
-                },
-                scopes: payload.scopes || payload.scope?.split(' ') || [],
-                clientId: payload.client_id || payload.sub,
-                subject: payload.sub,
-            };
-            next();
-        }
-        catch (error) {
-            const err = error;
-            if (err.name === 'TokenExpiredError') {
-                return res.status(401).json({
-                    error: 'token_expired',
-                    message: 'JWT has expired',
-                });
-            }
-            if (err.name === 'JsonWebTokenError') {
-                return res.status(401).json({
-                    error: 'invalid_token',
-                    message: 'Invalid JWT: ' + err.message,
-                });
-            }
-            return res.status(500).json({
-                error: 'server_error',
-                message: 'Token validation failed',
-            });
-        }
-    };
-}
-/**
- * Generate a JWT token
- *
- * @example
- * ```typescript
- * const token = generateJWT({
- *   secret: SecretValue.fromEnv('JWT_SECRET'),
- *   payload: {
- *     sub: 'user123',
- *     scopes: ['mcp:read', 'mcp:write'],
- *   },
- *   expiresIn: '1h',
- * });
- * ```
- */
-export function generateJWT(options) {
-    const signOptions = {
-        algorithm: options.algorithm || 'HS256',
-    };
-    if (options.expiresIn !== undefined) {
-        // Cast to jwt.SignOptions['expiresIn'] which accepts string | number
-        signOptions.expiresIn = options.expiresIn;
-    }
-    if (options.audience) {
-        signOptions.audience = options.audience;
-    }
-    if (options.issuer) {
-        signOptions.issuer = options.issuer;
-    }
-    const secretValue = unwrapSecret(options.secret);
-    return jwt.sign(options.payload, secretValue, signOptions);
-}
-/**
- * Verify a JWT token without middleware (helper)
- *
- * @param token - The JWT token to verify
- * @param config - JWT configuration including secret
- * @returns The decoded payload if valid, null otherwise
- */
-export function verifyJWT(token, config) {
-    try {
-        const verifyOptions = {
-            algorithms: [config.algorithm || 'HS256'],
-        };
-        if (config.audience) {
-            verifyOptions.audience = config.audience;
-        }
-        if (config.issuer) {
-            verifyOptions.issuer = config.issuer;
-        }
-        const secretValue = unwrapSecret(config.secret);
-        const payload = jwt.verify(token, secretValue, verifyOptions);
-        if (config.customValidation && !config.customValidation(payload)) {
-            return null;
-        }
-        return payload;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Decode JWT without verification (for debugging)
- */
-export function decodeJWT(token) {
-    try {
-        return jwt.decode(token);
-    }
-    catch {
-        return null;
-    }
-}
-//# sourceMappingURL=simple-jwt.js.map

package/dist/auth/simple-jwt.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"simple-jwt.js","sourceRoot":"","sources":["../../src/auth/simple-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAE/B,OAAO,EAAe,YAAY,EAAE,MAAM,oBAAoB,CAAC;AA+F/D;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAuB;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC;IAE9C,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAE7C,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,6EAA6E;iBACvF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;YAE1D,gBAAgB;YAChB,MAAM,aAAa,GAAsB;gBACvC,UAAU,EAAE,CAAC,SAAS,CAAC;aACxB,CAAC;YAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,aAAa,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC3C,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YACvC,CAAC;YAED,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAe,CAAC;YAE5E,uBAAuB;YACvB,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;YACL,CAAC;YAED,uBAAuB;YACvB,GAAG,CAAC,IAAI,GAAG;gBACT,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE;oBACT,MAAM,EAAE,IAAI;oBACZ,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG;oBAClE,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;iBACjB;gBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;gBACzD,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG;gBAC1C,OAAO,EAAE,OAAO,CAAC,GAAG;aACrB,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAkC,CAAC;YAE/C,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACrC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,iBAAiB;iBAC3B,CAAC,CAAC;YACL,CAAC;YAED,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACrC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,eAAe,GAAG,GAAG,CAAC,OAAO;iBACvC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAiDD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,WAAW,CAAC,OAA2B;IACrD,MAAM,WAAW,GAAoB;QACnC,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO;KACxC,CAAC;IAEF,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,qEAAqE;QACrE,WAAW,CAAC,SAAS,GAAG,OAAO,CAAC,SAAyC,CAAC;IAC5E,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,WAAW,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC1C,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,WAAW,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACtC,CAAC;IAED,MAAM,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CACvB,KAAa,EACb,MAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,aAAa,GAAsB;YACvC,UAAU,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC;SAC1C,CAAC;QAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,aAAa,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC3C,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QACvC,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAe,CAAC;QAE5E,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAe,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/auth/token-store.d.ts

@@ -1,104 +0,0 @@
-import { StoredToken } from './types.js';
-/**
- * Token Storage Interface
- *
- * Provides secure storage for OAuth tokens
- */
-export interface TokenStore {
-    /**
-     * Save a token
-     */
-    saveToken(key: string, token: StoredToken): Promise<void>;
-    /**
-     * Get a token
-     */
-    getToken(key: string): Promise<StoredToken | null>;
-    /**
-     * Delete a token
-     */
-    deleteToken(key: string): Promise<void>;
-    /**
-     * List all stored token keys
-     */
-    listKeys(): Promise<string[]>;
-    /**
-     * Clear all tokens
-     */
-    clear(): Promise<void>;
-}
-/**
- * In-memory token store
- * For testing and ephemeral storage
- */
-export declare class MemoryTokenStore implements TokenStore {
-    private tokens;
-    saveToken(key: string, token: StoredToken): Promise<void>;
-    getToken(key: string): Promise<StoredToken | null>;
-    deleteToken(key: string): Promise<void>;
-    listKeys(): Promise<string[]>;
-    clear(): Promise<void>;
-    private isTokenExpired;
-}
-/**
- * File-based token store with encryption
- * For CLI applications and development
- */
-export declare class FileTokenStore implements TokenStore {
-    private storePath;
-    private encryptionKey?;
-    constructor(storePath: string, encryptionKey?: string);
-    saveToken(key: string, token: StoredToken): Promise<void>;
-    getToken(key: string): Promise<StoredToken | null>;
-    deleteToken(key: string): Promise<void>;
-    listKeys(): Promise<string[]>;
-    clear(): Promise<void>;
-    /**
-     * Load tokens from file
-     */
-    private loadTokens;
-    /**
-     * Save tokens to file
-     */
-    private saveTokens;
-    /**
-     * Encrypt data using AES-256-GCM
-     */
-    private encrypt;
-    /**
-     * Decrypt data using AES-256-GCM
-     */
-    private decrypt;
-    /**
-     * Derive 256-bit key from password using PBKDF2
-     */
-    private deriveKey;
-    private isTokenExpired;
-}
-/**
- * Create default token store
- *
- * Uses file-based storage with encryption if password provided
- *
- * @param storePath - Path to store tokens (default: ~/.nitrostack/tokens.json)
- * @param encryptionKey - Optional encryption key
- */
-export declare function createDefaultTokenStore(storePath?: string, encryptionKey?: string): TokenStore;
-/**
- * Utility: Check if token is expired
- */
-export declare function isTokenExpired(token: StoredToken): boolean;
-/**
- * Utility: Calculate token expiration timestamp
- */
-export declare function calculateExpiration(expiresIn: number): number;
-/**
- * Utility: Convert TokenResponse to StoredToken
- */
-export declare function tokenResponseToStored(response: {
-    access_token: string;
-    token_type: 'Bearer';
-    expires_in?: number;
-    refresh_token?: string;
-    scope?: string;
-}, resource?: string): StoredToken;
-//# sourceMappingURL=token-store.d.ts.map

package/dist/auth/token-store.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAEnD;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE9B;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;;GAGG;AACH,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,MAAM,CAAuC;IAE/C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAalD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAI7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B,OAAO,CAAC,cAAc;CAGvB;AAED;;;GAGG;AACH,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,aAAa,CAAC,CAAS;gBAEnB,SAAS,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM;IAK/C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzD,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAgBlD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMvC,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAK7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B;;OAEG;YACW,UAAU;IAoBxB;;OAEG;YACW,UAAU;IAYxB;;OAEG;IACH,OAAO,CAAC,OAAO;IAgBf;;OAEG;IACH,OAAO,CAAC,OAAO;IAuBf;;OAEG;IACH,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,cAAc;CAGvB;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,CAAC,EAAE,MAAM,EAClB,aAAa,CAAC,EAAE,MAAM,GACrB,UAAU,CAQZ;AAUD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAE1D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,QAAQ,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,EACrH,QAAQ,CAAC,EAAE,MAAM,GAChB,WAAW,CASb"}

package/dist/auth/token-store.js

@@ -1,205 +0,0 @@
-import fs from 'fs/promises';
-import path from 'path';
-import crypto from 'crypto';
-/**
- * In-memory token store
- * For testing and ephemeral storage
- */
-export class MemoryTokenStore {
-    tokens = new Map();
-    async saveToken(key, token) {
-        this.tokens.set(key, token);
-    }
-    async getToken(key) {
-        const token = this.tokens.get(key);
-        if (!token)
-            return null;
-        // Check if expired
-        if (this.isTokenExpired(token)) {
-            this.tokens.delete(key);
-            return null;
-        }
-        return token;
-    }
-    async deleteToken(key) {
-        this.tokens.delete(key);
-    }
-    async listKeys() {
-        return Array.from(this.tokens.keys());
-    }
-    async clear() {
-        this.tokens.clear();
-    }
-    isTokenExpired(token) {
-        return Date.now() > token.expires_at;
-    }
-}
-/**
- * File-based token store with encryption
- * For CLI applications and development
- */
-export class FileTokenStore {
-    storePath;
-    encryptionKey;
-    constructor(storePath, encryptionKey) {
-        this.storePath = storePath;
-        this.encryptionKey = encryptionKey;
-    }
-    async saveToken(key, token) {
-        const tokens = await this.loadTokens();
-        tokens[key] = token;
-        await this.saveTokens(tokens);
-    }
-    async getToken(key) {
-        const tokens = await this.loadTokens();
-        const token = tokens[key];
-        if (!token)
-            return null;
-        // Check if expired
-        if (this.isTokenExpired(token)) {
-            delete tokens[key];
-            await this.saveTokens(tokens);
-            return null;
-        }
-        return token;
-    }
-    async deleteToken(key) {
-        const tokens = await this.loadTokens();
-        delete tokens[key];
-        await this.saveTokens(tokens);
-    }
-    async listKeys() {
-        const tokens = await this.loadTokens();
-        return Object.keys(tokens);
-    }
-    async clear() {
-        await this.saveTokens({});
-    }
-    /**
-     * Load tokens from file
-     */
-    async loadTokens() {
-        try {
-            // Ensure directory exists
-            await fs.mkdir(path.dirname(this.storePath), { recursive: true });
-            // Read file
-            const data = await fs.readFile(this.storePath, 'utf-8');
-            // Decrypt if encryption is enabled
-            const content = this.decrypt(data);
-            return JSON.parse(content);
-        }
-        catch (error) {
-            if (error instanceof Error && error.code === 'ENOENT') {
-                return {}; // File doesn't exist yet
-            }
-            throw error;
-        }
-    }
-    /**
-     * Save tokens to file
-     */
-    async saveTokens(tokens) {
-        const content = JSON.stringify(tokens, null, 2);
-        // Encrypt if encryption is enabled
-        const data = this.encrypt(content);
-        // Write to file with restricted permissions
-        await fs.writeFile(this.storePath, data, {
-            mode: 0o600, // Read/write for owner only
-        });
-    }
-    /**
-     * Encrypt data using AES-256-GCM
-     */
-    encrypt(data) {
-        if (!this.encryptionKey)
-            return data;
-        const key = this.deriveKey(this.encryptionKey);
-        const iv = crypto.randomBytes(16);
-        const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
-        let encrypted = cipher.update(data, 'utf8', 'hex');
-        encrypted += cipher.final('hex');
-        const authTag = cipher.getAuthTag();
-        // Return: iv:authTag:encrypted
-        return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
-    }
-    /**
-     * Decrypt data using AES-256-GCM
-     */
-    decrypt(data) {
-        if (!this.encryptionKey)
-            return data;
-        const key = this.deriveKey(this.encryptionKey);
-        const parts = data.split(':');
-        if (parts.length !== 3) {
-            throw new Error('Invalid encrypted data format');
-        }
-        const [ivHex, authTagHex, encrypted] = parts;
-        const iv = Buffer.from(ivHex, 'hex');
-        const authTag = Buffer.from(authTagHex, 'hex');
-        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
-        decipher.setAuthTag(authTag);
-        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-        decrypted += decipher.final('utf8');
-        return decrypted;
-    }
-    /**
-     * Derive 256-bit key from password using PBKDF2
-     */
-    deriveKey(password) {
-        // Use a fixed salt for key derivation
-        // In production, consider using a per-user salt
-        const salt = 'nitrostack-token-store';
-        return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
-    }
-    isTokenExpired(token) {
-        return Date.now() > token.expires_at;
-    }
-}
-/**
- * Create default token store
- *
- * Uses file-based storage with encryption if password provided
- *
- * @param storePath - Path to store tokens (default: ~/.nitrostack/tokens.json)
- * @param encryptionKey - Optional encryption key
- */
-export function createDefaultTokenStore(storePath, encryptionKey) {
-    const defaultPath = storePath || getDefaultStorePath();
-    if (encryptionKey) {
-        return new FileTokenStore(defaultPath, encryptionKey);
-    }
-    return new FileTokenStore(defaultPath);
-}
-/**
- * Get default token store path
- */
-function getDefaultStorePath() {
-    const home = process.env.HOME || process.env.USERPROFILE || '';
-    return path.join(home, '.nitrostack', 'tokens.json');
-}
-/**
- * Utility: Check if token is expired
- */
-export function isTokenExpired(token) {
-    return Date.now() > token.expires_at;
-}
-/**
- * Utility: Calculate token expiration timestamp
- */
-export function calculateExpiration(expiresIn) {
-    return Date.now() + expiresIn * 1000;
-}
-/**
- * Utility: Convert TokenResponse to StoredToken
- */
-export function tokenResponseToStored(response, resource) {
-    return {
-        access_token: response.access_token,
-        token_type: response.token_type,
-        expires_at: response.expires_in ? calculateExpiration(response.expires_in) : Date.now() + 3600000, // Default 1 hour
-        refresh_token: response.refresh_token,
-        scope: response.scope,
-        resource,
-    };
-}
-//# sourceMappingURL=token-store.js.map

package/dist/auth/token-store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAmC5B;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,MAAM,GAA6B,IAAI,GAAG,EAAE,CAAC;IAErD,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAkB;QAC7C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,mBAAmB;QACnB,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACvC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,SAAS,CAAS;IAClB,aAAa,CAAU;IAE/B,YAAY,SAAiB,EAAE,aAAsB;QACnD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAkB;QAC7C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACpB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAE1B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,mBAAmB;QACnB,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAElE,YAAY;YACZ,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAExD,mCAAmC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAEnC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,KAAK,YAAY,KAAK,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjF,OAAO,EAAE,CAAC,CAAC,yBAAyB;YACtC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CAAC,MAAmC;QAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEhD,mCAAmC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAEnC,4CAA4C;QAC5C,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;YACvC,IAAI,EAAE,KAAK,EAAE,4BAA4B;SAC1C,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAE7D,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACnD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEjC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEpC,+BAA+B;QAC/B,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;IACzE,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,QAAgB;QAChC,sCAAsC;QACtC,gDAAgD;QAChD,MAAM,IAAI,GAAG,wBAAwB,CAAC;QACtC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACvC,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAkB,EAClB,aAAsB;IAEtB,MAAM,WAAW,GAAG,SAAS,IAAI,mBAAmB,EAAE,CAAC;IAEvD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,IAAI,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAC/D,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAqH,EACrH,QAAiB;IAEjB,OAAO;QACL,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,iBAAiB;QACpH,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/auth/token-validation.d.ts

@@ -1,59 +0,0 @@
-import { TokenIntrospection, McpAuthConfig } from './types.js';
-interface TokenValidationResult {
-    valid: boolean;
-    introspection?: TokenIntrospection;
-    error?: string;
-}
-/**
- * Validate a Bearer token
- *
- * @param token - The access token to validate
- * @param config - Auth configuration
- * @returns Validation result with token introspection data
- */
-export declare function validateToken(token: string, config: McpAuthConfig): Promise<TokenValidationResult>;
-/**
- * Introspect token using OAuth 2.0 Token Introspection (RFC 7662)
- *
- * @internal - Exported for testing
- */
-export declare function introspectToken(token: string, config: McpAuthConfig): Promise<TokenIntrospection>;
-/**
- * Validate JWT using JWKS
- *
- * @internal - Exported for testing
- */
-export declare function validateJWT(token: string, config: McpAuthConfig): Promise<TokenIntrospection>;
-/**
- * Validate token audience (RFC 8707)
- *
- * CRITICAL: This prevents confused deputy attacks
- * Token MUST be issued specifically for this resource
- *
- * @param introspection - Token introspection result
- * @param expectedAudience - Expected audience value(s)
- * @returns true if audience is valid
- */
-export declare function validateAudience(introspection: TokenIntrospection, expectedAudience?: string | string[]): boolean;
-/**
- * Validate scopes
- *
- * @param introspection - Token introspection result
- * @param requiredScopes - Scopes required for the operation
- * @returns true if token has all required scopes
- */
-export declare function validateScopes(introspection: TokenIntrospection, requiredScopes: string[]): boolean;
-/**
- * Extract Bearer token from Authorization header
- */
-export declare function extractBearerToken(authHeader: string | undefined): string | null;
-/**
- * Check if token is expired
- */
-export declare function isTokenExpired(introspection: TokenIntrospection): boolean;
-/**
- * Clear token cache (useful for testing)
- */
-export declare function clearTokenCache(): void;
-export {};
-//# sourceMappingURL=token-validation.d.ts.map

package/dist/auth/token-validation.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token-validation.d.ts","sourceRoot":"","sources":["../../src/auth/token-validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAqB/D,UAAU,qBAAqB;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,kBAAkB,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAQD;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,qBAAqB,CAAC,CA0ChC;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAmC7B;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAgC7B;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,aAAa,EAAE,kBAAkB,EACjC,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACnC,OAAO,CAgBT;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,aAAa,EAAE,kBAAkB,EACjC,cAAc,EAAE,MAAM,EAAE,GACvB,OAAO,CAWT;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAOhF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,aAAa,EAAE,kBAAkB,GAAG,OAAO,CAOzE;AA4CD;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}