UNPKG

@vfarcic/dot-ai

Version:

AI-powered development productivity platform that enhances software development workflows through intelligent automation and AI-driven assistance

github.com/vfarcic/dot-ai

vfarcic/dot-ai

115 lines 5.43 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
/** * MCP SDK OAuth Server Provider for PRD #380. * * Implements the SDK's OAuthServerProvider interface with: * - In-memory client store (clients re-register on restart per MCP spec) * - Dual-mode token verification (JWT + legacy DOT_AI_AUTH_TOKEN) * - Dex OIDC integration for authorize/callback/token flow (Task 2.3) */ import type { Request, Response } from 'express'; import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js'; import type { OAuthServerProvider, AuthorizationParams } from '@modelcontextprotocol/sdk/server/auth/provider.js'; import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js'; import type { OAuthClientInformationFull, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js'; /** * In-memory client store for OAuth registered clients. * Clients re-register on server restart per the MCP Authorization spec. */ export declare class DotAIClientsStore implements OAuthRegisteredClientsStore { private clients; getClient(clientId: string): OAuthClientInformationFull | undefined; registerClient(client: Omit<OAuthClientInformationFull, 'client_id' | 'client_id_issued_at'>): OAuthClientInformationFull; /** Clear all registered clients. For testing only. @internal */ _clearClients(): void; } /** * OAuth Server Provider for dot-ai. * * Acts as the OAuth Authorization Server for MCP clients. On authorize, * redirects the browser to Dex for authentication, then exchanges the * Dex code for an ID token and issues a dot-ai JWT. * * Token verification supports dual-mode: JWT first, legacy token fallback. */ export declare class DotAIOAuthProvider implements OAuthServerProvider { readonly clientsStore: DotAIClientsStore; private pendingRequests; private authCodes; private requestedExpiries; private dexConfig; private dotAiExternalUrl; private pruneTimer; constructor(); /** * Periodically remove expired entries from pendingRequests and authCodes * to prevent unbounded memory growth from abandoned OAuth flows. */ private startPruning; /** Remove expired pending requests and authorization codes. */ private pruneExpired; /** Stop the pruning timer. For testing only. @internal */ _stopPruning(): void; /** * Store a client-requested token expiry for an upcoming token exchange. * Called by middleware that intercepts POST /token before the SDK handler. * * @param authorizationCode - The authorization code from the token request * @param requestedExpiry - Requested expiry in seconds */ setRequestedExpiry(authorizationCode: string, requestedExpiry: number): void; /** * Calculate token expiry based on client request, defaults, and limits. * * Priority: * 1. Client-requested expiry (if valid and within max limit) * 2. OAUTH_DEFAULT_TOKEN_TTL_SECONDS env var * 3. Built-in default (1 day) * * @param authorizationCode - The authorization code being exchanged * @returns Expiry time in seconds */ private getTokenExpiry; private loadDexConfig; /** * Start the authorization flow by redirecting the browser to Dex. * * Stores the pending auth request (PKCE challenge, redirect URI, state) * keyed by a random session ID, then encodes sessionId|originalState * in the Dex state param so the callback can recover the pending request. */ authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>; /** * Return the PKCE code challenge for a given authorization code. * * Called by the SDK's tokenHandler BEFORE exchangeAuthorizationCode. * Do NOT delete the code here — it is consumed in exchangeAuthorizationCode. */ challengeForAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<string>; /** * Exchange a dot-ai authorization code for a JWT access token. * * Called by the SDK's tokenHandler AFTER PKCE verification passes. * Consumes the authorization code (one-time use) and signs a JWT * containing the user's identity from the Dex ID token. */ exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string, redirectUri?: string, _resource?: URL): Promise<OAuthTokens>; exchangeRefreshToken(_client: OAuthClientInformationFull, _refreshToken: string, _scopes?: string[], _resource?: URL): Promise<OAuthTokens>; /** * Handle the Dex OIDC callback after user authenticates. * * Receives the redirect from Dex with ?code=DEX_CODE&state=sessionId|originalState. * Exchanges the Dex code for an ID token, extracts user identity, * creates a dot-ai authorization code, and redirects to the MCP client. */ handleCallback(req: Request, res: Response): Promise<void>; /** * Verify an access token (dual-mode: JWT + legacy token). * * 1. If no auth configured → anonymous access (backward compatible) * 2. Try JWT verification → returns AuthInfo with identity in `extra` * 3. Fall back to legacy DOT_AI_AUTH_TOKEN → returns AuthInfo without identity * 4. Throw InvalidTokenError on failure */ verifyAccessToken(token: string): Promise<AuthInfo>; } //# sourceMappingURL=provider.d.ts.map