A file-backed TokenStore. Tokens for all resources are stored as a single JSON object ({ "<resource>": { ... } }) at path.
An in-memory TokenStore (no persistence across processes). Useful for tests and ephemeral sessions.
A live OAuth session bound to one MCP server. Holds the discovered authorization-server metadata and the registered client so it can refresh the access token automatically when it nears expiry. Created by useOAuth; also constructible directly for advanced/test use.
The RegisteredClient to use on the cache fast-path. The client_id is read from the persisted token (so DCR/CIMD users, who have no statically configured client_id, still carry the AS-issued one needed to refresh), falling back to the configured opts.clientId for records that predate persisting it. The secret comes from opts (it is not persisted).
The default token-store path under the user's config directory: $XDG_CONFIG_HOME/dlang-mcp/tokens.json (or ~/.config/...), falling back to ./.dlang-mcp-tokens.json when no home directory is known.
Apply the RFC 9207 iss authorization-response validation to a captured loopback redirect, given the selected authorization server's metadata. Returns the capture unchanged when iss is acceptable; otherwise clears the authorization code and records an invalid_iss error so the capture's ok is false and the caller rejects it. The validation runs regardless of any returned error/error_description, which are not acted on, mirroring the two-arg OAuthClient.authorizeAndGetCode(as_, ...) overload.
Generate a random state value (base64url, 16 bytes of randomness) for the authorization request (MCP "Open Redirection" mitigation). The bytes come from the OS CSPRNG -- state is the CSRF / mix-up defense and MUST be unpredictable. Throws CsprngException if the OS CSPRNG is unavailable.
The default loopback redirect URI for a given port and path.
The HTML body shown in the user's browser after the loopback listener captures the redirect, so the user knows to return to the application.
Whether the stored access token must be refreshed before use at time now (Unix seconds). A token with expiresAt == 0 (unknown expiry) is never considered expired here. A record with no access token always needs (re)acquisition and returns true.
Open url in the user's default browser using the platform launcher (open on macOS, xdg-open on Linux/BSD, cmd /c start on Windows).
Parse the path+query of an inbound loopback HTTP request (e.g. /callback?code=abc&state=xyz) and extract the OAuth authorization response parameters. When expectedState is non-empty, a missing or mismatched state clears the captured code and records an error (MCP "Open Redirection": clients SHOULD verify the state parameter and discard mismatched results).
Extract just the path component of an inbound HTTP request target, dropping any ?query and #fragment. An empty target yields an empty path.
Perform the full interactive OAuth login for client and attach the resulting bearer token, refreshing automatically thereafter.
Pluggable persistence for OAuth tokens, keyed by the canonical resource (MCP server) URI. Implementations may encrypt at rest; the default FileTokenStore documents an encryption hook.
The outcome of parsing a loopback redirect request target: the captured authorization code and state, or an error (the OAuth error parameter) when the authorization server reported a failure.
Configuration for useOAuth: the requested scopes, the loopback callback port (0 = an ephemeral OS-assigned loopback port), the token store (defaults to a FileTokenStore under the user's config dir), and the client-registration inputs.
A persisted OAuth token set for a single resource (MCP server). expiresAt is an absolute Unix timestamp (seconds) at which the access token expires; 0 means "no known expiry" (treated as never auto-refreshed on a timer).
The default clock skew (seconds) treated as "about to expire": a token is refreshed this many seconds *before* its nominal expiry to avoid using a token that expires mid-flight.
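The loopback redirect parsing, the state and RFC 9207 iss checks, and the expiry test described above, as an added D example that is not dlang-mcp's own code. The names Capture, queryParams, parseLoopbackRedirect and needsRefresh, and the expectedIssuer/skewSeconds parameters, are assumptions for this illustration; the iss check is simplified to "must equal the selected AS issuer whenever one is given".

```d
import std.algorithm.searching : findSplit;
import std.array : split;
import std.string : indexOf;
import std.uri : decodeComponent;

/// Result of parsing a loopback redirect target (illustrative, not the library's type).
struct Capture
{
    string code, state, error; // error: OAuth error, or local invalid_state / invalid_iss
    bool ok() const { return error.length == 0 && code.length > 0; }
}

/// Query parameters of "/callback?code=abc&state=xyz#frag" (fragment dropped).
string[string] queryParams(string target)
{
    string[string] params;
    auto q = target.indexOf('?');
    if (q < 0) return params;
    auto query = target[q + 1 .. $];
    auto h = query.indexOf('#');
    if (h >= 0) query = query[0 .. h];
    foreach (pair; query.split('&'))
    {
        auto kv = pair.findSplit("="); // kv[0] = key, kv[2] = value ("" if no '=')
        params[decodeComponent(kv[0])] = decodeComponent(kv[2]);
    }
    return params;
}

/// expectedIssuer is the selected AS issuer; empty skips the RFC 9207 check (assumption).
Capture parseLoopbackRedirect(string target, string expectedState, string expectedIssuer = "")
{
    auto p = queryParams(target);
    auto cap = Capture(p.get("code", ""), p.get("state", ""), p.get("error", ""));
    // MCP "Open Redirection": a missing or mismatched state discards the code.
    if (expectedState.length && cap.state != expectedState)
        cap = Capture("", cap.state, "invalid_state");
    // RFC 9207: iss must match the selected AS, checked regardless of any error param.
    if (expectedIssuer.length && p.get("iss", "") != expectedIssuer)
        cap = Capture("", cap.state, "invalid_iss");
    return cap;
}

/// Refresh skewSeconds before nominal expiry; expiresAt == 0 means unknown expiry.
bool needsRefresh(string accessToken, long expiresAt, long now, long skewSeconds)
{
    if (accessToken.length == 0) return true; // nothing to refresh: must (re)acquire
    return expiresAt != 0 && now + skewSeconds >= expiresAt; // 0: never expired here
}
```

With this sketch, `parseLoopbackRedirect("/cb?code=abc&state=bad", "xyz")` yields `error == "invalid_state"` and an empty code, while `needsRefresh("tok", 0, 1000, 30)` is false because the expiry is unknown.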