better-auth/dist/plugins/mcp/authorize.mjs.map

The most comprehensive authentication framework for TypeScript.

{"version":3,"file":"authorize.mjs","names":["redirectURIWithCode"],"sources":["../../../src/plugins/mcp/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-call\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport type { OAuthApplication } from \"../oidc-provider/schema\";\nimport type {\n\tAuthorizationQuery,\n\tClient,\n\tOIDCOptions,\n} from \"../oidc-provider/types\";\n\nfunction redirectErrorURL(url: string, error: string, description: string) {\n\treturn `${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nexport async function authorizeMCPOAuth(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tctx.setHeader(\"Access-Control-Allow-Origin\", \"*\");\n\tctx.setHeader(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\");\n\tctx.setHeader(\"Access-Control-Allow-Headers\", \"Content-Type, Authorization\");\n\tctx.setHeader(\"Access-Control-Max-Age\", \"86400\");\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\tthrow ctx.redirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tconst query = ctx.query as AuthorizationQuery;\n\tif (!query.client_id) {\n\t\tthrow ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_client`);\n\t}\n\n\tif (!query.response_type) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\t`${ctx.context.baseURL}/error`,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"response_type is required\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst client = await ctx.context.adapter\n\t\t.findOne<OAuthApplication>({\n\t\t\tmodel: \"oauthApplication\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: ctx.query.client_id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn {\n\t\t\t\t...res,\n\t\t\t\tredirectUrls: res.redirectUrls.split(\",\"),\n\t\t\t\tmetadata: res.metadata ? JSON.parse(res.metadata) : {},\n\t\t\t} as Client;\n\t\t});\n\tif (!client) {\n\t\tthrow ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_client`);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tthrow ctx.redirect(`${ctx.context.baseURL}/error?error=client_disabled`);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tthrow ctx.redirect(\n\t\t\t`${ctx.context.baseURL}/error?error=unsupported_response_type`,\n\t\t);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) || opts.defaultScope.split(\" \");\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"pkce is required\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * If the prompt is set to `consent`, then we need\n\t\t\t\t * to require the user to consent to the scopes.\n\t\t\t\t *\n\t\t\t\t * This means the code now needs to be treated as a\n\t\t\t\t * consent request.\n\t\t\t\t *\n\t\t\t\t * once the user consents, the code will be updated\n\t\t\t\t * with the actual code. This is to prevent the\n\t\t\t\t * client from using the code before the user\n\t\t\t\t * consents.\n\t\t\t\t */\n\t\t\t\trequireConsent: query.prompt === \"consent\",\n\t\t\t\tstate: query.prompt === \"consent\" ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\t// Consent is NOT required - redirect with the code immediately\n\tif (query.prompt !== \"consent\") {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tif (ctx.query.state) {\n\t\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\t}\n\t\tthrow ctx.redirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is REQUIRED - redirect to consent page or show consent HTML\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-BASED consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\tthrow ctx.redirect(consentURI);\n\t}\n\n\t// No consent page configured - fall back to direct redirect with code\n\tconst redirectURIWithCode = new URL(redirectURI);\n\tredirectURIWithCode.searchParams.set(\"code\", code);\n\tif (ctx.query.state) {\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t}\n\tthrow ctx.redirect(redirectURIWithCode.toString());\n}\n"],"mappings":";;;;;;;AAWA,SAAS,iBAAiB,KAAa,OAAe,aAAqB;AAC1E,QAAO,GACN,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,eAAsB,kBACrB,KACA,SACC;AACD,KAAI,UAAU,+BAA+B,IAAI;AACjD,KAAI,UAAU,gCAAgC,gBAAgB;AAC9D,KAAI,UAAU,gCAAgC,8BAA8B;AAC5E,KAAI,UAAU,0BAA0B,QAAQ;CAChD,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;;;;;AAKb,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,QAAM,IAAI,SAAS,GAAG,QAAQ,UAAU,GAAG,eAAe;;CAG3D,MAAM,QAAQ,IAAI;AAClB,KAAI,CAAC,MAAM,UACV,OAAM,IAAI,SAAS,GAAG,IAAI,QAAQ,QAAQ,6BAA6B;AAGxE,KAAI,CAAC,MAAM,cACV,OAAM,IAAI,SACT,iBACC,GAAG,IAAI,QAAQ,QAAQ,SACvB,mBACA,4BACA,CACD;CAGF,MAAM,SAAS,MAAM,IAAI,QAAQ,QAC/B,QAA0B;EAC1B,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,IAAI,MAAM;GACjB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,IACJ,QAAO;AAER,SAAO;GACN,GAAG;GACH,cAAc,IAAI,aAAa,MAAM,IAAI;GACzC,UAAU,IAAI,WAAW,KAAK,MAAM,IAAI,SAAS,GAAG,EAAE;GACtD;GACA;AACH,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,GAAG,IAAI,QAAQ,QAAQ,6BAA6B;CAExE,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,SACV,OAAM,IAAI,SAAS,GAAG,IAAI,QAAQ,QAAQ,8BAA8B;AAGzE,KAAI,MAAM,kBAAkB,OAC3B,OAAM,IAAI,SACT,GAAG,IAAI,QAAQ,QAAQ,wCACvB;CAGF,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IAAI,KAAK,aAAa,MAAM,IAAI;CACzE,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,OAAM,IAAI,SACT,iBACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,OAAM,IAAI,SACT,iBACC,MAAM,cACN,mBACA,mBACA,CACD;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,OAAM,IAAI,SACT,iBACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAgB;CAC7C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;AACxD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAavD,gBAAgB,MAAM,WAAW;IACjC,OAAO,MAAM,WAAW,YAAY,MAAM,QAAQ;IAClD,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,QAAM,IAAI,SACT,iBACC,MAAM,cACN,gBACA,iDACA,CACD;;AAIF,KAAI,MAAM,WAAW,WAAW;EAC/B,MAAMA,wBAAsB,IAAI,IAAI,YAAY;AAChD,wBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,MAAI,IAAI,MAAM,MACb,uBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAE/D,QAAM,IAAI,SAASA,sBAAoB,UAAU,CAAC;;AAInD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;EAC9C,MAAM,aAAa,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU;AAEjE,QAAM,IAAI,SAAS,WAAW;;CAI/B,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,qBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,KAAI,IAAI,MAAM,MACb,qBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAE/D,OAAM,IAAI,SAAS,oBAAoB,UAAU,CAAC"}