npm - toolcraft - Versions diffs - 0.0.5 → 0.0.7 - Mend

toolcraft 0.0.5 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/node_modules/mcp-oauth/dist/client/default-oauth-client-provider.js ADDED Viewed

@@ -0,0 +1,491 @@
+import { URL } from "node:url";
+import { createAuthStoreClientStore, createAuthStoreSessionStore, } from "./auth-store-session-store.js";
+import { createLoopbackAuthorizationSession } from "./loopback-authorization.js";
+import { createAuthorizationState } from "./authorization-state.js";
+import { generateCodeChallenge, generateCodeVerifier } from "./pkce.js";
+import { exchangeAuthorizationCode, OAuthError, refreshAccessToken, isRetryableOAuthError, readOAuthJsonObjectResponse, } from "./token-endpoint.js";
+import { canonicalizeResourceIndicator } from "../resource-indicator.js";
+export function createOAuthClientProvider(options) {
+    if (isProviderOptions(options)) {
+        return options.provider;
+    }
+    return createDefaultOAuthClientProvider(options);
+}
+export function createDefaultOAuthClientProvider(options) {
+    const sessionStore = options.sessionStore ?? createAuthStoreSessionStore(options.authStore);
+    const clientStore = options.authStore === undefined ? null : createAuthStoreClientStore(options.authStore);
+    const now = options.now ?? Date.now;
+    const sessions = new Map();
+    const registeredClients = new Map();
+    const refreshPromises = new Map();
+    const authorizationPromises = new Map();
+    return {
+        async authorizeRequest(input) {
+            assertNoAccessTokenInUrl(input.requestUrl, "Protected resource request URL");
+            const requestUrl = canonicalizeResourceIndicator(input.requestUrl);
+            const session = await ensureAuthorizedSession(requestUrl, undefined, input.fetch, false);
+            const accessToken = session?.tokens?.accessToken;
+            if (session === null || accessToken === undefined) {
+                return;
+            }
+            assertRequestMatchesResource(requestUrl, session.resource);
+            input.headers.set("Authorization", `Bearer ${accessToken}`);
+        },
+        async handleUnauthorized(input) {
+            try {
+                assertNoAccessTokenInUrl(input.requestUrl, "Protected resource request URL");
+                const requestUrl = canonicalizeResourceIndicator(input.requestUrl);
+                const resource = canonicalizeResourceIndicator(input.discovery.resource);
+                assertRequestMatchesResource(requestUrl, resource);
+                const forceRefresh = hasCachedAccessToken(await loadSession(resource))
+                    && input.challenge?.params.error === "invalid_token";
+                const session = await ensureAuthorizedSession(resource, {
+                    ...input.discovery,
+                    resource,
+                }, input.fetch, true, forceRefresh);
+                if (session?.tokens?.accessToken === undefined) {
+                    return { action: "fail" };
+                }
+                return { action: "retry" };
+            }
+            catch (error) {
+                return {
+                    action: "fail",
+                    error: error instanceof Error ? error : new Error(String(error)),
+                };
+            }
+        },
+    };
+    async function ensureAuthorizedSession(resource, discovery, fetch, allowInteractive, forceRefresh = false) {
+        const canonicalResource = canonicalizeResourceIndicator(resource);
+        let session = await loadSession(canonicalResource);
+        const sessionDiscovery = resolveDiscovery(discovery, session);
+        if (session?.tokens !== undefined && !forceRefresh && !isExpired(session.tokens, now)) {
+            return session;
+        }
+        if (session?.tokens?.refreshToken !== undefined
+            && sessionDiscovery !== undefined
+            && (forceRefresh || isExpired(session.tokens, now))) {
+            session = await refreshSession(canonicalResource, session, sessionDiscovery, fetch);
+            if (session?.tokens !== undefined && !isExpired(session.tokens, now)) {
+                return session;
+            }
+        }
+        if (!allowInteractive || sessionDiscovery === undefined) {
+            return session;
+        }
+        if (forceRefresh && session?.tokens !== undefined) {
+            return session;
+        }
+        return authorizeSession(canonicalResource, session, sessionDiscovery, fetch);
+    }
+    async function refreshSession(resource, session, discovery, fetch) {
+        assertSecureOAuthFlowEndpoints(discovery.authorizationServerMetadata);
+        const inFlight = refreshPromises.get(resource);
+        if (inFlight !== undefined) {
+            return inFlight;
+        }
+        const promise = (async () => {
+            try {
+                if (session.tokens?.refreshToken === undefined) {
+                    return session;
+                }
+                let refreshAttempted = false;
+                let refreshedTokens;
+                while (true) {
+                    try {
+                        refreshedTokens = await refreshAccessToken({
+                            tokenEndpoint: discovery.authorizationServerMetadata.token_endpoint,
+                            clientId: session.client.clientId,
+                            clientSecret: session.client.clientSecret,
+                            refreshToken: session.tokens.refreshToken,
+                            resource,
+                            fetch,
+                            now,
+                        });
+                        break;
+                    }
+                    catch (error) {
+                        if (error instanceof OAuthError && error.error === "invalid_grant") {
+                            const clearedSession = clearSessionTokens(session);
+                            await saveSession(resource, clearedSession);
+                            return clearedSession;
+                        }
+                        if (shouldReRegisterStoredDynamicClient(error, await loadRegisteredClient(discovery.authorizationServer), false)) {
+                            await clearRegisteredClient(discovery.authorizationServer);
+                            await clearSession(resource);
+                            return null;
+                        }
+                        if (!refreshAttempted && isRetryableOAuthError(error)) {
+                            refreshAttempted = true;
+                            continue;
+                        }
+                        throw error;
+                    }
+                }
+                const updatedSession = {
+                    ...session,
+                    tokens: refreshedTokens,
+                    discovery: toStoredDiscovery(discovery),
+                };
+                await saveSession(resource, updatedSession);
+                return updatedSession;
+            }
+            finally {
+                refreshPromises.delete(resource);
+            }
+        })();
+        refreshPromises.set(resource, promise);
+        return promise;
+    }
+    async function authorizeSession(resource, existingSession, discovery, fetch) {
+        const inFlight = authorizationPromises.get(resource);
+        if (inFlight !== undefined) {
+            return inFlight;
+        }
+        const promise = (async () => {
+            assertS256PkceSupport(discovery.authorizationServerMetadata);
+            assertSecureOAuthFlowEndpoints(discovery.authorizationServerMetadata);
+            let currentSession = existingSession;
+            let transientRetryAttempted = false;
+            let reRegistrationAttempted = false;
+            while (true) {
+                const loopback = await createLoopbackAuthorizationSession({
+                    openBrowser: options.browser.openBrowser,
+                    readLine: options.browser.readLine,
+                    createServer: options.browser.createServer,
+                    landingPage: options.browser.landingPage,
+                });
+                let resolvedClient = null;
+                try {
+                    resolvedClient = await resolveClient(currentSession, discovery, loopback.redirectUri, fetch);
+                    const sessionWithoutTokens = {
+                        resource,
+                        authorizationServer: discovery.authorizationServer,
+                        client: resolvedClient.client,
+                        discovery: toStoredDiscovery(discovery),
+                    };
+                    await saveSession(resource, sessionWithoutTokens);
+                    const verifier = generateCodeVerifier();
+                    const challenge = generateCodeChallenge(verifier);
+                    const authorizationUrl = buildAuthorizationUrl({
+                        metadata: discovery.authorizationServerMetadata,
+                        resource,
+                        clientId: resolvedClient.client.clientId,
+                        redirectUri: loopback.redirectUri,
+                        codeChallenge: challenge,
+                        clientMetadata: getClientMetadata(options.client),
+                    });
+                    const code = await loopback.waitForCode(authorizationUrl);
+                    const tokens = await exchangeAuthorizationCode({
+                        tokenEndpoint: discovery.authorizationServerMetadata.token_endpoint,
+                        clientId: resolvedClient.client.clientId,
+                        clientSecret: resolvedClient.client.clientSecret,
+                        code,
+                        codeVerifier: verifier,
+                        redirectUri: loopback.redirectUri,
+                        resource,
+                        fetch,
+                        now,
+                    });
+                    const session = {
+                        ...sessionWithoutTokens,
+                        tokens,
+                    };
+                    await saveSession(resource, session);
+                    return session;
+                }
+                catch (error) {
+                    if (shouldReRegisterStoredDynamicClient(error, resolvedClient, reRegistrationAttempted)) {
+                        reRegistrationAttempted = true;
+                        await clearRegisteredClient(discovery.authorizationServer);
+                        await clearSession(resource);
+                        currentSession = null;
+                        continue;
+                    }
+                    if (!transientRetryAttempted && isRetryableOAuthError(error)) {
+                        transientRetryAttempted = true;
+                        await clearSession(resource);
+                        currentSession = null;
+                        continue;
+                    }
+                    throw error;
+                }
+                finally {
+                    loopback.close();
+                }
+            }
+        })();
+        const finalPromise = promise.finally(() => {
+            authorizationPromises.delete(resource);
+        });
+        authorizationPromises.set(resource, finalPromise);
+        return finalPromise;
+    }
+    async function resolveClient(existingSession, discovery, redirectUri, fetch) {
+        if (options.client.mode === "static") {
+            return {
+                kind: "static",
+                fromStoredRegistration: false,
+                client: {
+                    clientId: options.client.clientId,
+                    clientSecret: options.client.clientSecret,
+                },
+            };
+        }
+        const registrationEndpoint = discovery.authorizationServerMetadata.registration_endpoint;
+        if (registrationEndpoint === undefined && options.client.clientId !== undefined) {
+            return {
+                kind: "static",
+                fromStoredRegistration: false,
+                client: {
+                    clientId: options.client.clientId,
+                    clientSecret: options.client.clientSecret,
+                },
+            };
+        }
+        const storedClient = await loadRegisteredClient(discovery.authorizationServer);
+        if (storedClient !== null) {
+            return {
+                kind: "dynamic",
+                fromStoredRegistration: true,
+                client: storedClient,
+            };
+        }
+        if (registrationEndpoint === undefined) {
+            if (existingSession !== null && existingSession.client.clientId.length > 0) {
+                return {
+                    kind: "dynamic",
+                    fromStoredRegistration: true,
+                    client: existingSession.client,
+                };
+            }
+            throw new Error("Authorization server metadata is missing registration_endpoint");
+        }
+        if (existingSession !== null && existingSession.client.clientId.length > 0) {
+            const isConfiguredStaticFallback = options.client.clientId !== undefined
+                && existingSession.client.clientId === options.client.clientId
+                && existingSession.client.clientSecret === options.client.clientSecret;
+            if (!isConfiguredStaticFallback) {
+                await saveRegisteredClient(discovery.authorizationServer, existingSession.client);
+                return {
+                    kind: "dynamic",
+                    fromStoredRegistration: true,
+                    client: existingSession.client,
+                };
+            }
+        }
+        const registrationBody = buildClientRegistrationBody(getClientMetadata(options.client), redirectUri);
+        const response = await fetch(registrationEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify(registrationBody),
+        });
+        const payload = await readOAuthJsonObjectResponse(response);
+        if (typeof payload.client_id !== "string" ||
+            payload.client_id.length === 0) {
+            throw new Error("OAuth client registration response missing client_id");
+        }
+        const registeredClient = {
+            clientId: payload.client_id,
+            clientSecret: typeof payload.client_secret === "string" && payload.client_secret.length > 0
+                ? payload.client_secret
+                : undefined,
+        };
+        await saveRegisteredClient(discovery.authorizationServer, registeredClient);
+        return {
+            kind: "dynamic",
+            fromStoredRegistration: false,
+            client: registeredClient,
+        };
+    }
+    async function loadSession(resource) {
+        if (sessions.has(resource)) {
+            return sessions.get(resource) ?? null;
+        }
+        const session = await sessionStore.load(resource);
+        sessions.set(resource, session);
+        return session;
+    }
+    async function saveSession(resource, session) {
+        sessions.set(resource, session);
+        await sessionStore.save(resource, session);
+    }
+    async function clearSession(resource) {
+        sessions.delete(resource);
+        await sessionStore.clear(resource);
+    }
+    async function loadRegisteredClient(issuer) {
+        if (registeredClients.has(issuer)) {
+            return registeredClients.get(issuer) ?? null;
+        }
+        if (clientStore === null) {
+            return null;
+        }
+        const client = await clientStore.load(issuer);
+        registeredClients.set(issuer, client);
+        return client;
+    }
+    async function saveRegisteredClient(issuer, client) {
+        registeredClients.set(issuer, client);
+        if (clientStore !== null) {
+            await clientStore.save(issuer, client);
+        }
+    }
+    async function clearRegisteredClient(issuer) {
+        registeredClients.delete(issuer);
+        if (clientStore !== null) {
+            await clientStore.clear(issuer);
+        }
+    }
+}
+function isProviderOptions(options) {
+    return "provider" in options;
+}
+function isExpired(tokens, now) {
+    return tokens.expiresAt !== null && tokens.expiresAt <= now();
+}
+function resolveDiscovery(discovery, session) {
+    if (discovery !== undefined) {
+        return {
+            ...discovery,
+            resource: canonicalizeResourceIndicator(discovery.resource),
+        };
+    }
+    if (session === null) {
+        return undefined;
+    }
+    const metadata = session.discovery.authorizationServerMetadata;
+    if (typeof metadata.issuer !== "string" ||
+        typeof metadata.authorization_endpoint !== "string" ||
+        typeof metadata.token_endpoint !== "string" ||
+        !Array.isArray(metadata.code_challenge_methods_supported) ||
+        !metadata.code_challenge_methods_supported.includes("S256")) {
+        return undefined;
+    }
+    return {
+        resource: canonicalizeResourceIndicator(session.resource),
+        resourceMetadataUrl: session.discovery.resourceMetadataUrl,
+        resourceMetadata: session.discovery.resourceMetadata,
+        authorizationServer: session.authorizationServer,
+        authorizationServerMetadataUrl: "",
+        authorizationServerMetadata: metadata,
+    };
+}
+function clearSessionTokens(session) {
+    const nextSession = { ...session };
+    delete nextSession.tokens;
+    return nextSession;
+}
+function hasCachedAccessToken(session) {
+    return session?.tokens?.accessToken !== undefined;
+}
+function getClientMetadata(client) {
+    return client.metadata;
+}
+function buildAuthorizationUrl(input) {
+    const url = new URL(input.metadata.authorization_endpoint);
+    const resource = canonicalizeResourceIndicator(input.resource);
+    const state = createAuthorizationState({
+        issuer: input.metadata.issuer,
+        requireIssuer: input.metadata.authorization_response_iss_parameter_supported === true,
+    });
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("client_id", input.clientId);
+    url.searchParams.set("redirect_uri", input.redirectUri);
+    url.searchParams.set("code_challenge", input.codeChallenge);
+    url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("resource", resource);
+    url.searchParams.set("state", state);
+    if (input.clientMetadata?.scope !== undefined && input.clientMetadata.scope.length > 0) {
+        url.searchParams.set("scope", input.clientMetadata.scope);
+    }
+    return url.toString();
+}
+function assertS256PkceSupport(metadata) {
+    if (!metadata.code_challenge_methods_supported.includes("S256")) {
+        throw new Error("Authorization server metadata must advertise code_challenge_methods_supported including S256");
+    }
+}
+function normalizeHostname(hostname) {
+    return hostname.endsWith(".") ? hostname.slice(0, -1).toLowerCase() : hostname.toLowerCase();
+}
+function isLoopbackHostname(hostname) {
+    const normalizedHostname = normalizeHostname(hostname);
+    return normalizedHostname === "localhost"
+        || normalizedHostname === "::1"
+        || normalizedHostname.startsWith("127.");
+}
+function assertSecureUrl(value, label) {
+    const url = new URL(value);
+    if (url.protocol === "https:") {
+        return;
+    }
+    if (url.protocol === "http:" && isLoopbackHostname(url.hostname)) {
+        return;
+    }
+    throw new Error(`${label} must use https unless it targets a loopback host`);
+}
+function assertSecureOAuthFlowEndpoints(metadata) {
+    assertNoAccessTokenInUrl(metadata.authorization_endpoint, "Authorization endpoint");
+    assertNoAccessTokenInUrl(metadata.token_endpoint, "Token endpoint");
+    assertSecureUrl(metadata.authorization_endpoint, "Authorization endpoint");
+    assertSecureUrl(metadata.token_endpoint, "Token endpoint");
+    if (metadata.registration_endpoint !== undefined) {
+        assertNoAccessTokenInUrl(metadata.registration_endpoint, "Registration endpoint");
+        assertSecureUrl(metadata.registration_endpoint, "Registration endpoint");
+    }
+}
+function assertNoAccessTokenInUrl(value, label) {
+    const url = value instanceof URL ? new URL(value.toString()) : new URL(value);
+    if (url.searchParams.has("access_token")) {
+        throw new Error(`${label} must not include access_token in the URI`);
+    }
+}
+function assertRequestMatchesResource(requestUrl, resource) {
+    if (requestUrl !== resource) {
+        throw new Error(`OAuth request URL ${requestUrl} does not match discovered resource ${resource}`);
+    }
+}
+function buildClientRegistrationBody(metadata, redirectUri) {
+    const body = {
+        redirect_uris: [redirectUri],
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "none",
+    };
+    if (metadata?.clientName !== undefined && metadata.clientName.length > 0) {
+        body.client_name = metadata.clientName;
+    }
+    if (metadata?.scope !== undefined && metadata.scope.length > 0) {
+        body.scope = metadata.scope;
+    }
+    if (metadata?.softwareId !== undefined && metadata.softwareId.length > 0) {
+        body.software_id = metadata.softwareId;
+    }
+    if (metadata?.softwareVersion !== undefined && metadata.softwareVersion.length > 0) {
+        body.software_version = metadata.softwareVersion;
+    }
+    return body;
+}
+function toStoredDiscovery(discovery) {
+    return {
+        resourceMetadataUrl: discovery.resourceMetadataUrl,
+        resourceMetadata: discovery.resourceMetadata,
+        authorizationServerMetadata: discovery.authorizationServerMetadata,
+    };
+}
+function shouldReRegisterStoredDynamicClient(error, client, alreadyAttempted) {
+    if (!(error instanceof OAuthError) || error.error !== "invalid_client" || alreadyAttempted) {
+        return false;
+    }
+    if (client === null) {
+        return false;
+    }
+    if ("kind" in client) {
+        return client.kind === "dynamic" && client.fromStoredRegistration;
+    }
+    return true;
+}

package/node_modules/mcp-oauth/dist/client/loopback-authorization.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import http from "node:http";
+export interface OAuthLandingPage {
+    title: string;
+    body: string;
+}
+export interface LoopbackAuthorizationOptions {
+    openBrowser?: (url: string) => Promise<void>;
+    readLine?: () => Promise<string>;
+    createServer?: () => http.Server;
+    landingPage?: OAuthLandingPage;
+    callbackPath?: string;
+}
+export interface LoopbackAuthorizationSession {
+    redirectUri: string;
+    waitForCode(authorizationUrl: string): Promise<string>;
+    close(): void;
+}
+export declare function createLoopbackAuthorizationSession(options?: LoopbackAuthorizationOptions): Promise<LoopbackAuthorizationSession>;
+export declare function extractCodeFromInput(input: string): string | null;
+export declare function buildSuccessPage(landingPage?: OAuthLandingPage): string;

package/node_modules/mcp-oauth/dist/client/loopback-authorization.js ADDED Viewed

@@ -0,0 +1,169 @@
+import http from "node:http";
+import { parseAuthorizationState } from "./authorization-state.js";
+export async function createLoopbackAuthorizationSession(options = {}) {
+    const callbackPath = options.callbackPath ?? "/callback";
+    const server = options.createServer ? options.createServer() : http.createServer();
+    const port = await startServer(server);
+    const redirectUri = `http://127.0.0.1:${port}${callbackPath}`;
+    return {
+        redirectUri,
+        async waitForCode(authorizationUrl) {
+            return waitForAuthorizationCode(server, authorizationUrl, options, callbackPath);
+        },
+        close() {
+            server.closeAllConnections?.();
+            server.close();
+        },
+    };
+}
+async function startServer(server) {
+    return new Promise((resolve) => {
+        server.listen(0, "127.0.0.1", () => {
+            const address = server.address();
+            resolve(address.port);
+        });
+    });
+}
+function waitForAuthorizationCode(server, authorizationUrl, options, callbackPath) {
+    const expectedAuthorization = readExpectedAuthorizationCallback(authorizationUrl);
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const settle = (fn) => {
+            if (!settled) {
+                settled = true;
+                fn();
+            }
+        };
+        server.on("request", (req, res) => {
+            const url = new URL(req.url ?? "/", "http://127.0.0.1");
+            if (url.pathname !== callbackPath) {
+                res.writeHead(404);
+                res.end("Not found");
+                return;
+            }
+            const error = url.searchParams.get("error");
+            if (error !== null) {
+                const description = url.searchParams.get("error_description") ?? error;
+                res.writeHead(400);
+                res.end(`Authorization failed: ${description}`);
+                settle(() => reject(new Error(`OAuth authorization failed: ${error} — ${description}`)));
+                return;
+            }
+            try {
+                const code = validateAuthorizationCallbackParameters({
+                    code: url.searchParams.get("code"),
+                    state: url.searchParams.get("state"),
+                    iss: url.searchParams.get("iss"),
+                }, expectedAuthorization);
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end(buildSuccessPage(options.landingPage));
+                settle(() => resolve(code));
+            }
+            catch (error) {
+                res.writeHead(400);
+                res.end(error instanceof Error ? error.message : "Invalid OAuth callback");
+                settle(() => reject(error instanceof Error ? error : new Error(String(error))));
+            }
+        });
+        if (options.readLine !== undefined) {
+            options.readLine().then((input) => {
+                const callbackParameters = extractCallbackParametersFromInput(input);
+                if (callbackParameters === null) {
+                    settle(() => reject(new Error("OAuth callback missing authorization code")));
+                    return;
+                }
+                try {
+                    const code = validateAuthorizationCallbackParameters(callbackParameters, expectedAuthorization);
+                    settle(() => resolve(code));
+                }
+                catch (error) {
+                    settle(() => reject(error instanceof Error ? error : new Error(String(error))));
+                }
+            }).catch(() => undefined);
+        }
+        if (options.openBrowser !== undefined) {
+            options.openBrowser(authorizationUrl).catch((error) => {
+                settle(() => reject(error));
+            });
+        }
+    });
+}
+export function extractCodeFromInput(input) {
+    return extractCallbackParametersFromInput(input)?.code ?? null;
+}
+function extractCallbackParametersFromInput(input) {
+    const trimmed = input.replaceAll("\r", "").replaceAll("\n", "").trim();
+    if (trimmed.length === 0) {
+        return null;
+    }
+    try {
+        const url = new URL(trimmed);
+        return {
+            code: url.searchParams.get("code"),
+            state: url.searchParams.get("state"),
+            iss: url.searchParams.get("iss"),
+        };
+    }
+    catch {
+        return {
+            code: trimmed,
+            state: null,
+            iss: null,
+        };
+    }
+}
+function readExpectedAuthorizationCallback(authorizationUrl) {
+    const url = new URL(authorizationUrl);
+    const state = url.searchParams.get("state");
+    const parsedState = parseAuthorizationState(state);
+    return {
+        state,
+        issuer: parsedState?.issuer ?? null,
+        requireIssuer: parsedState?.requireIssuer ?? false,
+    };
+}
+function validateAuthorizationCallbackParameters(callback, expected) {
+    if (callback.code === null || callback.code.length === 0) {
+        throw new Error("OAuth callback missing authorization code");
+    }
+    if (expected.state !== null) {
+        if (callback.state === null || callback.state.length === 0) {
+            throw new Error("OAuth callback missing state");
+        }
+        if (callback.state !== expected.state) {
+            throw new Error("OAuth callback state mismatch");
+        }
+    }
+    if (expected.requireIssuer) {
+        if (callback.iss === null || callback.iss.length === 0) {
+            throw new Error("OAuth callback missing issuer");
+        }
+    }
+    if (callback.iss !== null
+        && callback.iss.length > 0
+        && expected.issuer !== null
+        && callback.iss !== expected.issuer) {
+        throw new Error("OAuth callback issuer mismatch");
+    }
+    return callback.code;
+}
+function escapeHtml(text) {
+    return text
+        .replaceAll("&", "&amp;")
+        .replaceAll("<", "&lt;")
+        .replaceAll(">", "&gt;")
+        .replaceAll("\"", "&quot;");
+}
+export function buildSuccessPage(landingPage) {
+    const title = landingPage?.title ?? "Connected";
+    const body = landingPage?.body ?? "You can close this tab and return to your terminal.";
+    return [
+        "<!DOCTYPE html>",
+        `<html><head><meta charset=utf-8><title>${escapeHtml(title)}</title></head>`,
+        "<body style=\"font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0\">",
+        "<div style=\"text-align:center\">",
+        `<h1>${escapeHtml(title)}</h1>`,
+        `<p style="color:#666">${escapeHtml(body)}</p>`,
+        "</div></body></html>",
+    ].join("");
+}

package/node_modules/mcp-oauth/dist/client/pkce.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare function generateCodeVerifier(): string;
2	+ export declare function generateCodeChallenge(verifier: string): string;

package/node_modules/mcp-oauth/dist/client/pkce.js ADDED Viewed

@@ -0,0 +1,7 @@
+import crypto from "node:crypto";
+export function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString("base64url");
+}
+export function generateCodeChallenge(verifier) {
+    return crypto.createHash("sha256").update(verifier).digest("base64url");
+}