sub-bridge 1.0.0 → 1.0.3

package/dist/oauth/crypto.js

@@ -0,0 +1,170 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getServerSecret = getServerSecret;
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+exports.createAccessToken = createAccessToken;
+exports.decodeAccessToken = decodeAccessToken;
+exports.generateAuthCode = generateAuthCode;
+exports.generateClientId = generateClientId;
+exports.generateClientSecret = generateClientSecret;
+/**
+ * Cryptographic utilities for MCP OAuth token encryption
+ *
+ * Uses AES-256-GCM for authenticated encryption of upstream credentials.
+ * Server secret is generated on first run and stored locally.
+ */
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const node_os_1 = __importDefault(require("node:os"));
+// ============================================================================
+// Configuration
+// ============================================================================
+const SECRET_DIR = node_path_1.default.join(node_os_1.default.homedir(), '.sub-bridge');
+const SECRET_FILE = node_path_1.default.join(SECRET_DIR, 'secret.key');
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12; // GCM recommended IV length
+const TAG_LENGTH = 16; // GCM auth tag length
+// ============================================================================
+// Server Secret Management
+// ============================================================================
+let cachedSecret = null;
+/**
+ * Get or generate the server encryption secret.
+ * Secret is 32 bytes (256 bits) for AES-256.
+ */
+function getServerSecret() {
+    if (cachedSecret)
+        return cachedSecret;
+    // Try to read existing secret
+    try {
+        if (node_fs_1.default.existsSync(SECRET_FILE)) {
+            const secret = node_fs_1.default.readFileSync(SECRET_FILE);
+            if (secret.length === 32) {
+                cachedSecret = secret;
+                return cachedSecret;
+            }
+        }
+    }
+    catch {
+        // Will generate new secret
+    }
+    // Generate new secret
+    const secret = node_crypto_1.default.randomBytes(32);
+    // Ensure directory exists
+    if (!node_fs_1.default.existsSync(SECRET_DIR)) {
+        node_fs_1.default.mkdirSync(SECRET_DIR, { recursive: true, mode: 0o700 });
+    }
+    // Write secret with restrictive permissions
+    node_fs_1.default.writeFileSync(SECRET_FILE, secret, { mode: 0o600 });
+    cachedSecret = secret;
+    return cachedSecret;
+}
+// ============================================================================
+// Encryption / Decryption
+// ============================================================================
+/**
+ * Encrypt data using AES-256-GCM.
+ * Returns base64url-encoded string: IV + ciphertext + authTag
+ */
+function encrypt(data) {
+    const secret = getServerSecret();
+    const iv = node_crypto_1.default.randomBytes(IV_LENGTH);
+    const cipher = node_crypto_1.default.createCipheriv(ALGORITHM, secret, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(data, 'utf8'),
+        cipher.final()
+    ]);
+    const authTag = cipher.getAuthTag();
+    // Combine: IV (12) + encrypted + authTag (16)
+    const combined = Buffer.concat([iv, encrypted, authTag]);
+    return combined.toString('base64url');
+}
+/**
+ * Decrypt data encrypted with encrypt().
+ * Throws on invalid/tampered data.
+ */
+function decrypt(encryptedData) {
+    const secret = getServerSecret();
+    const combined = Buffer.from(encryptedData, 'base64url');
+    if (combined.length < IV_LENGTH + TAG_LENGTH) {
+        throw new Error('Invalid encrypted data: too short');
+    }
+    const iv = combined.subarray(0, IV_LENGTH);
+    const authTag = combined.subarray(combined.length - TAG_LENGTH);
+    const encrypted = combined.subarray(IV_LENGTH, combined.length - TAG_LENGTH);
+    const decipher = node_crypto_1.default.createDecipheriv(ALGORITHM, secret, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        const decrypted = Buffer.concat([
+            decipher.update(encrypted),
+            decipher.final()
+        ]);
+        return decrypted.toString('utf8');
+    }
+    catch {
+        throw new Error('Decryption failed: invalid or tampered data');
+    }
+}
+/**
+ * Create an encrypted access token containing upstream credentials.
+ * Format: sb1.<encrypted_payload>
+ *
+ * The "sb1" prefix identifies this as a Sub Bridge v1 token.
+ */
+function createAccessToken(payload) {
+    const json = JSON.stringify(payload);
+    const encrypted = encrypt(json);
+    return `sb1.${encrypted}`;
+}
+/**
+ * Decode and validate an access token.
+ * Returns null if token is invalid or expired.
+ */
+function decodeAccessToken(token) {
+    if (!token.startsWith('sb1.')) {
+        return null;
+    }
+    try {
+        const encrypted = token.slice(4); // Remove "sb1." prefix
+        const json = decrypt(encrypted);
+        const payload = JSON.parse(json);
+        // Validate required fields
+        if (payload.iss !== 'sub-bridge')
+            return null;
+        if (!payload.sub || !payload.aud)
+            return null;
+        if (!payload.exp || !payload.iat)
+            return null;
+        // Check expiration
+        if (Date.now() > payload.exp * 1000)
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate a random authorization code.
+ */
+function generateAuthCode() {
+    return node_crypto_1.default.randomBytes(32).toString('base64url');
+}
+/**
+ * Generate a random client ID for DCR.
+ */
+function generateClientId() {
+    return `sb_${node_crypto_1.default.randomBytes(16).toString('hex')}`;
+}
+/**
+ * Generate a random client secret for DCR.
+ */
+function generateClientSecret() {
+    return node_crypto_1.default.randomBytes(32).toString('base64url');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/oauth/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/oauth/crypto.ts"],"names":[],"mappings":";;;;;AA+BA,0CA4BC;AAUD,0BAcC;AAMD,0BAwBC;AA+BD,8CAIC;AAMD,8CAsBC;AAKD,4CAEC;AAKD,4CAEC;AAKD,oDAEC;AArMD;;;;;GAKG;AACH,8DAAgC;AAChC,sDAAwB;AACxB,0DAA4B;AAC5B,sDAAwB;AAExB,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,MAAM,UAAU,GAAG,mBAAI,CAAC,IAAI,CAAC,iBAAE,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAA;AACzD,MAAM,WAAW,GAAG,mBAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAA;AACvD,MAAM,SAAS,GAAG,aAAa,CAAA;AAC/B,MAAM,SAAS,GAAG,EAAE,CAAA,CAAC,4BAA4B;AACjD,MAAM,UAAU,GAAG,EAAE,CAAA,CAAC,sBAAsB;AAE5C,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,IAAI,YAAY,GAAkB,IAAI,CAAA;AAEtC;;;GAGG;AACH,SAAgB,eAAe;IAC7B,IAAI,YAAY;QAAE,OAAO,YAAY,CAAA;IAErC,8BAA8B;IAC9B,IAAI,CAAC;QACH,IAAI,iBAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,iBAAE,CAAC,YAAY,CAAC,WAAW,CAAC,CAAA;YAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBACzB,YAAY,GAAG,MAAM,CAAA;gBACrB,OAAO,YAAY,CAAA;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IAED,sBAAsB;IACtB,MAAM,MAAM,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;IAErC,0BAA0B;IAC1B,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,iBAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,4CAA4C;IAC5C,iBAAE,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IACtD,YAAY,GAAG,MAAM,CAAA;IACrB,OAAO,YAAY,CAAA;AACrB,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,OAAO,CAAC,IAAY;IAClC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAA;IAChC,MAAM,EAAE,GAAG,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;IAExC,MAAM,MAAM,GAAG,qBAAM,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,CAAC,CAAA;IAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;QAC3B,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;IAEnC,8CAA8C;IAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAA;IACxD,OAAO,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACvC,CAAC;AAED;;;GAGG;AACH,SAAgB,OAAO,CAAC,aAAqB;IAC3C,MAAM,MAAM,GAAG,eAAe,EAAE,CAAA;IAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAA;IAExD,IAAI,QAAQ,CAAC,MAAM,GAAG,SAAS,GAAG,UAAU,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IAC1C,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,UAAU,CAAC,CAAA;IAC/D,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,GAAG,UAAU,CAAC,CAAA;IAE5E,MAAM,QAAQ,GAAG,qBAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,CAAC,CAAA;IAC/D,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;IAE5B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;YAC9B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;YAC1B,QAAQ,CAAC,KAAK,EAAE;SACjB,CAAC,CAAA;QACF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAA;IAChE,CAAC;AACH,CAAC;AAyBD;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,OAA8B;IAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACpC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/B,OAAO,OAAO,SAAS,EAAE,CAAA;AAC3B,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA,CAAC,uBAAuB;QACxD,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA0B,CAAA;QAEzD,2BAA2B;QAC3B,IAAI,OAAO,CAAC,GAAG,KAAK,YAAY;YAAE,OAAO,IAAI,CAAA;QAC7C,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAC7C,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAE7C,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI;YAAE,OAAO,IAAI,CAAA;QAEhD,OAAO,OAAO,CAAA;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACrD,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,MAAM,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB;IAClC,OAAO,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACrD,CAAC"}

package/dist/oauth/dcr.d.ts

@@ -0,0 +1,44 @@
+export interface ClientRegistration {
+    client_id: string;
+    client_secret?: string;
+    client_name?: string;
+    redirect_uris: string[];
+    grant_types: string[];
+    response_types: string[];
+    token_endpoint_auth_method: string;
+    created_at: number;
+}
+export interface RegistrationRequest {
+    client_name?: string;
+    redirect_uris?: string[];
+    grant_types?: string[];
+    response_types?: string[];
+    token_endpoint_auth_method?: string;
+}
+export interface RegistrationResponse {
+    client_id: string;
+    client_secret?: string;
+    client_name?: string;
+    redirect_uris: string[];
+    grant_types: string[];
+    response_types: string[];
+    token_endpoint_auth_method: string;
+    client_id_issued_at: number;
+}
+/**
+ * Register a new OAuth client.
+ */
+export declare function registerClient(request: RegistrationRequest): RegistrationResponse;
+/**
+ * Get a registered client by ID.
+ */
+export declare function getClient(clientId: string): ClientRegistration | undefined;
+/**
+ * Validate client credentials for token endpoint.
+ */
+export declare function validateClient(clientId: string, clientSecret?: string): ClientRegistration | null;
+/**
+ * Validate redirect URI against registered URIs.
+ */
+export declare function validateRedirectUri(clientId: string, redirectUri: string): boolean;
+//# sourceMappingURL=dcr.d.ts.map

package/dist/oauth/dcr.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dcr.d.ts","sourceRoot":"","sources":["../../src/oauth/dcr.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,EAAE,MAAM,EAAE,CAAA;IACrB,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,0BAA0B,EAAE,MAAM,CAAA;IAClC,UAAU,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,0BAA0B,CAAC,EAAE,MAAM,CAAA;CACpC;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,EAAE,MAAM,EAAE,CAAA;IACrB,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,0BAA0B,EAAE,MAAM,CAAA;IAClC,mBAAmB,EAAE,MAAM,CAAA;CAC5B;AAQD;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,mBAAmB,GAAG,oBAAoB,CA+BjF;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAE1E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,MAAM,GACpB,kBAAkB,GAAG,IAAI,CAe3B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAQT"}

package/dist/oauth/dcr.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerClient = registerClient;
+exports.getClient = getClient;
+exports.validateClient = validateClient;
+exports.validateRedirectUri = validateRedirectUri;
+/**
+ * Dynamic Client Registration (RFC 7591)
+ *
+ * Allows MCP clients to register themselves without manual setup.
+ * Client registrations are stored in-memory (local-only deployment).
+ */
+const crypto_1 = require("./crypto");
+// ============================================================================
+// Client Storage (In-Memory)
+// ============================================================================
+const clients = new Map();
+/**
+ * Register a new OAuth client.
+ */
+function registerClient(request) {
+    const clientId = (0, crypto_1.generateClientId)();
+    const clientSecret = request.token_endpoint_auth_method === 'none'
+        ? undefined
+        : (0, crypto_1.generateClientSecret)();
+    const now = Math.floor(Date.now() / 1000);
+    const registration = {
+        client_id: clientId,
+        client_secret: clientSecret,
+        client_name: request.client_name,
+        redirect_uris: request.redirect_uris || [],
+        grant_types: request.grant_types || ['authorization_code'],
+        response_types: request.response_types || ['code'],
+        token_endpoint_auth_method: request.token_endpoint_auth_method || 'client_secret_post',
+        created_at: now,
+    };
+    clients.set(clientId, registration);
+    return {
+        client_id: clientId,
+        client_secret: clientSecret,
+        client_name: registration.client_name,
+        redirect_uris: registration.redirect_uris,
+        grant_types: registration.grant_types,
+        response_types: registration.response_types,
+        token_endpoint_auth_method: registration.token_endpoint_auth_method,
+        client_id_issued_at: now,
+    };
+}
+/**
+ * Get a registered client by ID.
+ */
+function getClient(clientId) {
+    return clients.get(clientId);
+}
+/**
+ * Validate client credentials for token endpoint.
+ */
+function validateClient(clientId, clientSecret) {
+    const client = clients.get(clientId);
+    if (!client)
+        return null;
+    // For public clients (no secret required)
+    if (client.token_endpoint_auth_method === 'none') {
+        return client;
+    }
+    // For confidential clients, verify secret
+    if (client.client_secret && client.client_secret === clientSecret) {
+        return client;
+    }
+    return null;
+}
+/**
+ * Validate redirect URI against registered URIs.
+ */
+function validateRedirectUri(clientId, redirectUri) {
+    const client = clients.get(clientId);
+    if (!client)
+        return false;
+    // If no redirect URIs registered, allow any (for development)
+    if (client.redirect_uris.length === 0)
+        return true;
+    return client.redirect_uris.includes(redirectUri);
+}
+//# sourceMappingURL=dcr.js.map

package/dist/oauth/dcr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dcr.js","sourceRoot":"","sources":["../../src/oauth/dcr.ts"],"names":[],"mappings":";;AAmDA,wCA+BC;AAKD,8BAEC;AAKD,wCAkBC;AAKD,kDAWC;AAhID;;;;;GAKG;AACH,qCAAiE;AAoCjE,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAA;AAErD;;GAEG;AACH,SAAgB,cAAc,CAAC,OAA4B;IACzD,MAAM,QAAQ,GAAG,IAAA,yBAAgB,GAAE,CAAA;IACnC,MAAM,YAAY,GAAG,OAAO,CAAC,0BAA0B,KAAK,MAAM;QAChE,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,IAAA,6BAAoB,GAAE,CAAA;IAE1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IAEzC,MAAM,YAAY,GAAuB;QACvC,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,EAAE;QAC1C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,oBAAoB,CAAC;QAC1D,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC;QAClD,0BAA0B,EAAE,OAAO,CAAC,0BAA0B,IAAI,oBAAoB;QACtF,UAAU,EAAE,GAAG;KAChB,CAAA;IAED,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAA;IAEnC,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,WAAW,EAAE,YAAY,CAAC,WAAW;QACrC,aAAa,EAAE,YAAY,CAAC,aAAa;QACzC,WAAW,EAAE,YAAY,CAAC,WAAW;QACrC,cAAc,EAAE,YAAY,CAAC,cAAc;QAC3C,0BAA0B,EAAE,YAAY,CAAC,0BAA0B;QACnE,mBAAmB,EAAE,GAAG;KACzB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS,CAAC,QAAgB;IACxC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAC5B,QAAgB,EAChB,YAAqB;IAErB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAExB,0CAA0C;IAC1C,IAAI,MAAM,CAAC,0BAA0B,KAAK,MAAM,EAAE,CAAC;QACjD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,0CAA0C;IAC1C,IAAI,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,aAAa,KAAK,YAAY,EAAE,CAAC;QAClE,OAAO,MAAM,CAAA;IACf,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CACjC,QAAgB,EAChB,WAAmB;IAEnB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAEzB,8DAA8D;IAC9D,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAElD,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACnD,CAAC"}

package/dist/oauth/metadata.d.ts

@@ -0,0 +1,23 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ *
+ * Provides the /.well-known/oauth-authorization-server endpoint
+ * that MCP clients use to discover OAuth endpoints.
+ */
+export interface OAuthMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    registration_endpoint?: string;
+    scopes_supported: string[];
+    response_types_supported: string[];
+    grant_types_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    code_challenge_methods_supported: string[];
+    service_documentation?: string;
+}
+/**
+ * Generate OAuth metadata for the given issuer URL.
+ */
+export declare function getOAuthMetadata(issuerUrl: string): OAuthMetadata;
+//# sourceMappingURL=metadata.d.ts.map

package/dist/oauth/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/oauth/metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,sBAAsB,EAAE,MAAM,CAAA;IAC9B,cAAc,EAAE,MAAM,CAAA;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAC9B,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,wBAAwB,EAAE,MAAM,EAAE,CAAA;IAClC,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,qCAAqC,EAAE,MAAM,EAAE,CAAA;IAC/C,gCAAgC,EAAE,MAAM,EAAE,CAAA;IAC1C,qBAAqB,CAAC,EAAE,MAAM,CAAA;CAC/B;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa,CAgBjE"}

package/dist/oauth/metadata.js

@@ -0,0 +1,29 @@
+"use strict";
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ *
+ * Provides the /.well-known/oauth-authorization-server endpoint
+ * that MCP clients use to discover OAuth endpoints.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOAuthMetadata = getOAuthMetadata;
+/**
+ * Generate OAuth metadata for the given issuer URL.
+ */
+function getOAuthMetadata(issuerUrl) {
+    // Ensure no trailing slash
+    const baseUrl = issuerUrl.replace(/\/$/, '');
+    return {
+        issuer: baseUrl,
+        authorization_endpoint: `${baseUrl}/oauth/authorize`,
+        token_endpoint: `${baseUrl}/oauth/token`,
+        registration_endpoint: `${baseUrl}/oauth/register`,
+        scopes_supported: ['openid', 'profile', 'offline_access'],
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+        token_endpoint_auth_methods_supported: ['client_secret_post', 'none'],
+        code_challenge_methods_supported: ['S256', 'plain'],
+        service_documentation: 'https://github.com/anthropics/sub-bridge',
+    };
+}
+//# sourceMappingURL=metadata.js.map

package/dist/oauth/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../../src/oauth/metadata.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAkBH,4CAgBC;AAnBD;;GAEG;AACH,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,2BAA2B;IAC3B,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IAE5C,OAAO;QACL,MAAM,EAAE,OAAO;QACf,sBAAsB,EAAE,GAAG,OAAO,kBAAkB;QACpD,cAAc,EAAE,GAAG,OAAO,cAAc;QACxC,qBAAqB,EAAE,GAAG,OAAO,iBAAiB;QAClD,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,gBAAgB,CAAC;QACzD,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAC9D,qCAAqC,EAAE,CAAC,oBAAoB,EAAE,MAAM,CAAC;QACrE,gCAAgC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;QACnD,qBAAqB,EAAE,0CAA0C;KAClE,CAAA;AACH,CAAC"}

package/dist/oauth/token.d.ts

@@ -0,0 +1,29 @@
+export interface TokenRequest {
+    grant_type: string;
+    code?: string;
+    redirect_uri?: string;
+    client_id?: string;
+    client_secret?: string;
+    code_verifier?: string;
+    refresh_token?: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+    scope?: string;
+}
+export interface TokenError {
+    error: string;
+    error_description: string;
+}
+/**
+ * Process a token request and return an access token or error.
+ */
+export declare function processTokenRequest(request: TokenRequest): TokenResponse | TokenError;
+/**
+ * Check if a response is an error.
+ */
+export declare function isTokenError(response: TokenResponse | TokenError): response is TokenError;
+//# sourceMappingURL=token.d.ts.map

package/dist/oauth/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/oauth/token.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAA;IAClB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,QAAQ,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,MAAM,CAAA;CAC1B;AAQD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,YAAY,GACpB,aAAa,GAAG,UAAU,CAc5B;AAuGD;;GAEG;AACH,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,aAAa,GAAG,UAAU,GACnC,QAAQ,IAAI,UAAU,CAExB"}

package/dist/oauth/token.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processTokenRequest = processTokenRequest;
+exports.isTokenError = isTokenError;
+/**
+ * OAuth Token Endpoint
+ *
+ * Handles token exchange and issues encrypted access tokens
+ * containing upstream provider credentials.
+ */
+const crypto_1 = require("./crypto");
+const dcr_1 = require("./dcr");
+const authorize_1 = require("./authorize");
+// ============================================================================
+// Token Generation
+// ============================================================================
+const ACCESS_TOKEN_TTL_SECONDS = 3600 * 24 * 7; // 7 days
+/**
+ * Process a token request and return an access token or error.
+ */
+function processTokenRequest(request) {
+    // Validate grant_type
+    if (request.grant_type === 'authorization_code') {
+        return handleAuthorizationCodeGrant(request);
+    }
+    if (request.grant_type === 'refresh_token') {
+        return handleRefreshTokenGrant(request);
+    }
+    return {
+        error: 'unsupported_grant_type',
+        error_description: 'Only authorization_code and refresh_token grants are supported',
+    };
+}
+/**
+ * Handle authorization_code grant type.
+ */
+function handleAuthorizationCodeGrant(request) {
+    // Validate required parameters
+    if (!request.code) {
+        return {
+            error: 'invalid_request',
+            error_description: 'Missing authorization code',
+        };
+    }
+    if (!request.client_id) {
+        return {
+            error: 'invalid_request',
+            error_description: 'Missing client_id',
+        };
+    }
+    if (!request.redirect_uri) {
+        return {
+            error: 'invalid_request',
+            error_description: 'Missing redirect_uri',
+        };
+    }
+    // Validate client
+    const client = (0, dcr_1.validateClient)(request.client_id, request.client_secret);
+    if (!client) {
+        return {
+            error: 'invalid_client',
+            error_description: 'Client authentication failed',
+        };
+    }
+    // Exchange authorization code
+    const codeResult = (0, authorize_1.exchangeAuthorizationCode)(request.code, request.client_id, request.redirect_uri, request.code_verifier);
+    if ('error' in codeResult) {
+        return {
+            error: codeResult.error,
+            error_description: codeResult.errorDescription,
+        };
+    }
+    // Create access token
+    return createTokenResponse(codeResult, request.client_id);
+}
+/**
+ * Handle refresh_token grant type.
+ * For now, we don't support refresh tokens on the Sub Bridge side.
+ * Users need to re-authenticate when tokens expire.
+ */
+function handleRefreshTokenGrant(_request) {
+    // TODO: Implement refresh token support
+    // This would require storing refresh tokens securely
+    return {
+        error: 'unsupported_grant_type',
+        error_description: 'Refresh tokens are not yet supported. Please re-authenticate.',
+    };
+}
+/**
+ * Create a token response from an authorization code.
+ */
+function createTokenResponse(authCode, clientId) {
+    const now = Math.floor(Date.now() / 1000);
+    const expiresAt = now + ACCESS_TOKEN_TTL_SECONDS;
+    const payload = {
+        iss: 'sub-bridge',
+        sub: authCode.userId,
+        aud: clientId,
+        exp: expiresAt,
+        iat: now,
+        providers: authCode.providers,
+    };
+    const accessToken = (0, crypto_1.createAccessToken)(payload);
+    return {
+        access_token: accessToken,
+        token_type: 'Bearer',
+        expires_in: ACCESS_TOKEN_TTL_SECONDS,
+        scope: 'openid profile',
+    };
+}
+/**
+ * Check if a response is an error.
+ */
+function isTokenError(response) {
+    return 'error' in response;
+}
+//# sourceMappingURL=token.js.map

package/dist/oauth/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/oauth/token.ts"],"names":[],"mappings":";;AA8CA,kDAgBC;AA0GD,oCAIC;AA5KD;;;;;GAKG;AACH,qCAAwE;AACxE,+BAAsC;AACtC,2CAA+E;AA6B/E,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,wBAAwB,GAAG,IAAI,GAAG,EAAE,GAAG,CAAC,CAAA,CAAC,SAAS;AAExD;;GAEG;AACH,SAAgB,mBAAmB,CACjC,OAAqB;IAErB,sBAAsB;IACtB,IAAI,OAAO,CAAC,UAAU,KAAK,oBAAoB,EAAE,CAAC;QAChD,OAAO,4BAA4B,CAAC,OAAO,CAAC,CAAA;IAC9C,CAAC;IAED,IAAI,OAAO,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;QAC3C,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAA;IACzC,CAAC;IAED,OAAO;QACL,KAAK,EAAE,wBAAwB;QAC/B,iBAAiB,EAAE,gEAAgE;KACpF,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,4BAA4B,CACnC,OAAqB;IAErB,+BAA+B;IAC/B,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,4BAA4B;SAChD,CAAA;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,mBAAmB;SACvC,CAAA;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QAC1B,OAAO;YACL,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,sBAAsB;SAC1C,CAAA;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,MAAM,GAAG,IAAA,oBAAc,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,CAAA;IACvE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,KAAK,EAAE,gBAAgB;YACvB,iBAAiB,EAAE,8BAA8B;SAClD,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,UAAU,GAAG,IAAA,qCAAyB,EAC1C,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,YAAY,EACpB,OAAO,CAAC,aAAa,CACtB,CAAA;IAED,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;QAC1B,OAAO;YACL,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,iBAAiB,EAAE,UAAU,CAAC,gBAAgB;SAC/C,CAAA;IACH,CAAC;IAED,sBAAsB;IACtB,OAAO,mBAAmB,CAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAC,CAAA;AAC3D,CAAC;AAED;;;;GAIG;AACH,SAAS,uBAAuB,CAC9B,QAAsB;IAEtB,wCAAwC;IACxC,qDAAqD;IACrD,OAAO;QACL,KAAK,EAAE,wBAAwB;QAC/B,iBAAiB,EAAE,+DAA+D;KACnF,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,QAA2B,EAC3B,QAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACzC,MAAM,SAAS,GAAG,GAAG,GAAG,wBAAwB,CAAA;IAEhD,MAAM,OAAO,GAA0B;QACrC,GAAG,EAAE,YAAY;QACjB,GAAG,EAAE,QAAQ,CAAC,MAAM;QACpB,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,SAAS;QACd,GAAG,EAAE,GAAG;QACR,SAAS,EAAE,QAAQ,CAAC,SAAS;KAC9B,CAAA;IAED,MAAM,WAAW,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;IAE9C,OAAO;QACL,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,wBAAwB;QACpC,KAAK,EAAE,gBAAgB;KACxB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAC1B,QAAoC;IAEpC,OAAO,OAAO,IAAI,QAAQ,CAAA;AAC5B,CAAC"}

package/dist/routes/chat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"chat.d.ts","sourceRoot":"","sources":["../../src/routes/chat.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,IAAI,EAAW,MAAM,MAAM,CAAA;AA+0BpC,wBAAgB,gBAAgB,+EAsB/B"}
+{"version":3,"file":"chat.d.ts","sourceRoot":"","sources":["../../src/routes/chat.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,IAAI,EAAW,MAAM,MAAM,CAAA;AA67BpC,wBAAgB,gBAAgB,+EAyB/B"}