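/**
 * DCR Provider - Stateless Dynamic Client Registration Provider
 *
 * Implements stateless provider pattern where provider tokens are received from
 * token verification context rather than managed by the provider itself.
 *
 * Use case: MCP HTTP servers with DCR authentication where client manages tokens
 * and provider only handles Google API calls with provided credentials.
 */
import type { ProviderTokens } from '@mcp-z/oauth';
import { OAuth2Client } from 'google-auth-library';
import type { Logger } from '../types.js';

/**
 * DCR Provider configuration
 */
export interface DcrOAuthProviderConfig {
  /** Google application client ID */
  clientId: string;

  /**
   * Google application client secret (optional for public clients).
   *
   * This is a credential: supply it from secret storage or the environment
   * and keep it out of log output and error messages.
   */
  clientSecret?: string;

  /**
   * OAuth scopes, passed as a single string.
   *
   * NOTE(review): presumably space-delimited as in OAuth 2.0 - confirm
   * against the implementation. Request only the scopes the server needs.
   */
  scope: string;

  /**
   * DCR token verification endpoint URL (e.g., http://localhost:3000/oauth/verify)
   *
   * NOTE(review): the implementation is not visible here; presumably the
   * caller's bearer token is sent to this URL and Google provider tokens are
   * returned. If so, plain `http://` is only appropriate for a loopback
   * address as in the example; any other host should be reached over
   * `https://` so neither the bearer token nor the provider tokens cross
   * the network in clear text.
   */
  verifyEndpoint: string;

  /**
   * Logger for auth operations.
   *
   * Access tokens, refresh tokens and the client secret should not be
   * written through this logger.
   */
  logger: Logger;
}

/**
 * DCR Provider - Stateless OAuth provider for Dynamic Client Registration
 *
 * Unlike LoopbackOAuthProvider which manages token storage, DcrOAuthProvider is stateless:
 * - Receives provider tokens from verification context (HTTP bearer auth)
 * - Creates auth providers on-demand from tokens
 * - Handles token refresh using Google OAuth 2.0
 * - No token storage dependency
 *
 * Pattern:
 * ```typescript
 * const provider = new DcrOAuthProvider(config);
 * const auth = provider.toAuth(providerTokens);
 * const accessToken = await getAccessToken(auth);
 * ```
 */
export declare class DcrOAuthProvider {
  private config;

  // NOTE(review): the cache key and lifetime are not visible in this
  // declaration. Confirm entries are keyed per token/user and bounded, so one
  // caller's cached email can never be returned for another caller's tokens.
  private emailCache;

  constructor(config: DcrOAuthProviderConfig);

  /**
   * Create Google OAuth2Client from provider tokens
   *
   * This is the core stateless pattern - provider receives tokens from context
   * (token verification, HTTP request) and creates OAuth2Client on-demand.
   *
   * @param tokens - Provider tokens (Google access/refresh tokens)
   * @returns Google OAuth2Client configured with credentials
   */
  toAuth(tokens: ProviderTokens): OAuth2Client;

  /**
   * Check if token needs refresh (with 1 minute buffer)
   */
  private needsRefresh;

  /**
   * Refresh Google access token using refresh token
   *
   * The provider has no token storage, so the refreshed tokens exist only in
   * the returned value; the caller decides where (and whether) to keep them.
   *
   * @param refreshToken - Google refresh token
   * @returns New provider tokens
   */
  refreshAccessToken(refreshToken: string): Promise<ProviderTokens>;

  /**
   * Get user email from Google userinfo API (with caching)
   *
   * @param tokens - Provider tokens to use for API call
   * @returns User's email address
   */
  getUserEmail(tokens: ProviderTokens): Promise<string>;

  /**
   * Auth middleware for HTTP servers with DCR bearer auth
   * Validates bearer tokens and enriches extra with provider tokens
   *
   * Each wrapper takes a module and returns a module of the same type, so it
   * can be mapped over tool, resource and prompt definitions. A module that
   * is registered without its wrapper is not covered by this bearer check.
   *
   * Pattern:
   * ```typescript
   * const provider = new DcrOAuthProvider({ ..., verifyEndpoint: 'http://localhost:3000/oauth/verify' });
   * const authMiddleware = provider.authMiddleware();
   * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
   * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);
   * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);
   * ```
   */
  authMiddleware(): {
    // NOTE(review): the type-parameter list was missing from this copy of the
    // declaration (`T` was referenced but never declared). An unconstrained
    // `<T>` is the widest form; narrow it if the implementation constrains T.
    withToolAuth: <T>(module: T) => T;
    withResourceAuth: <T>(module: T) => T;
    withPromptAuth: <T>(module: T) => T;
  };
}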