§
    "¾<i  م                  ٍَ   — d Z ddlmZ ddlZddlZddlmZmZ ddlm	Z	 ddl
mZ ddlmZ ddlmZ dd	lmZ dd
lmZ  ee¦  «        ZdZedd„¦   «         Zedd„¦   «         Zdddœdd„Z G d„ d¦  «        ZdS )a"  JWT token issuance and verification for FastMCP OAuth Proxy.

This module implements the token factory pattern for OAuth proxies, where the proxy
issues its own JWT tokens to clients instead of forwarding upstream provider tokens.
This maintains proper OAuth 2.0 token audience boundaries.
é    )عannotationsN)عAnyعoverload)عJsonWebToken)ع	JoseError)عhashes)عHKDF)ع
PBKDF2HMAC)ع
get_loggeri@B عhigh_entropy_materialعstrعsaltعreturnعbytesc                َ   — dS )zHDerive JWT signing key from a high-entropy key material and server salt.N© )r   r   s     ْ™/Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/.venv/lib/python3.11/site-packages/fastmcp/server/auth/jwt_issuer.pyعderive_jwt_keyr      َ   € € € َ    عlow_entropy_materialc                َ   — dS )zGDerive JWT signing key from a low-entropy key material and server salt.Nr   )r   r   s     r   r   r       r   r   )r   r   ْ
str | Nonec                َ  — | پ|پt          d¦  «        ‚| پpt          t          j        ¦   «         d|                     ¦   «         d¬¦  «                             |                      ¦   «         ¬¦  «        }t          j        |¦  «        S |پut          t          j        ¦   «         d|                     ¦   «         t          ¬¦  «                             |                     ¦   «         ¬¦  «        }t          j        |¦  «        S t          d¦  «        ‚)	zWDerive JWT signing key from a high-entropy or low-entropy key material and server salt.NzSEither high_entropy_material or low_entropy_material must be provided, but not bothé    s   Fernet)ع	algorithmعlengthr   عinfo)عkey_material)r   r   r   ع
iterationszEEither high_entropy_material or low_entropy_material must be provided)
ع
ValueErrorr	   r   عSHA256عencodeعderiveعbase64عurlsafe_b64encoder
   عKDF_ITERATIONS)r   r   r   عderived_keyعpbkdf2s        r   r   r   %   s  € ً ذ(ذ-Aذ-Mفطaٌ
ô 
ً 	
ً ذ(فف”m‘o”oطط—’‘”طً	
ٌ 
ô 
÷
 ٹ&ذ3×:ز:ر<ش<ˆ&ر
=ش
=ً 	ُ ش'¨ر4ش4ذ4àذ'فف”m‘o”oطط—’‘”ف%ً	
ٌ 
ô 
÷
 ٹ&ذ2×9ز9ر;ش;ˆ&ر
<ش
<ً 	ُ ش'¨ر/ش/ذ/ه
طOٌô ً r   c                  َ6   — e Zd ZdZdd„Z	 ddd„Zdd„Zdd„ZdS )ع	JWTIssuera  Issues and validates FastMCP-signed JWT tokens using HS256.

    This issuer creates JWT tokens for MCP clients with proper audience claims,
    maintaining OAuth 2.0 token boundaries. Tokens are signed with HS256 using
    a key derived from the upstream client secret.
    عissuerr   عaudienceعsigning_keyr   c                َZ   — || _         || _        || _        t          dg¦  «        | _        dS )zكInitialize JWT issuer.

        Args:
            issuer: Token issuer (FastMCP server base URL)
            audience: Token audience (typically {base_url}/mcp)
            signing_key: HS256 signing key (32 bytes)
        عHS256N)r,   r-   ع_signing_keyr   ع_jwt)عselfr,   r-   r.   s       r   ع__init__zJWTIssuer.__init__R   s/   € ً ˆŒط ˆŒط'ˆشف  ' ر+ش+ˆŒ	ˆ	ˆ	r   é  ع	client_idعscopesْ	list[str]عjtiع
expires_inعintr   c                َf  — t          t          j        ¦   «         ¦  «        }dddœ}| j        | j        |d                     |¦  «        ||z   ||dœ}| j                             ||| j        ¦  «        }|                     d¦  «        }	t           
                    d||dd	…         |d
         ¦  «         |	S )a  Issue a minimal FastMCP access token.

        FastMCP tokens are reference tokens containing only the minimal claims
        needed for validation and lookup. The JTI maps to the upstream token
        which contains actual user identity and authorization data.

        Args:
            client_id: MCP client ID
            scopes: Token scopes
            jti: Unique token identifier (maps to upstream token)
            expires_in: Token lifetime in seconds

        Returns:
            Signed JWT token
        r0   عJWT©عalgعtypْ )عissعaudr6   عscopeعexpعiatr9   ْutf-8z/Issued access token for client=%s jti=%s exp=%dNé   rE   ©r;   عtimer,   r-   عjoinr2   r#   r1   عdecodeعloggerعdebug©
r3   r6   r7   r9   r:   عnowعheaderعpayloadعtoken_bytesعtokens
             r   عissue_access_tokenzJWTIssuer.issue_access_tokend   sہ   € ُ, •$”)‘+”+رشˆà ¨ذ/ذ/ˆà”;ط”=ط"ط—X’Xکfر%ش%طکر#ططً
ً 
ˆً ”i×&ز& v¨w¸ش8IرJشJˆط×"ز" 7ر+ش+ˆهڈٹط=ططگگگŒGطگEŒNٌ		
ô 	
ً 	
ً ˆr   c           	     َh  — t          t          j        ¦   «         ¦  «        }dddœ}| j        | j        |d                     |¦  «        ||z   ||ddœ}| j                             ||| j        ¦  «        }|                     d¦  «        }	t           
                    d||d	d
…         |d         ¦  «         |	S )a7  Issue a minimal FastMCP refresh token.

        FastMCP refresh tokens are reference tokens containing only the minimal
        claims needed for validation and lookup. The JTI maps to the upstream
        token which contains actual user identity and authorization data.

        Args:
            client_id: MCP client ID
            scopes: Token scopes
            jti: Unique token identifier (maps to upstream token)
            expires_in: Token lifetime in seconds (should match upstream refresh expiry)

        Returns:
            Signed JWT token
        r0   r=   r>   rA   عrefresh)rB   rC   r6   rD   rE   rF   r9   ع	token_userG   z0Issued refresh token for client=%s jti=%s exp=%dNrH   rE   rI   rO   s
             r   عissue_refresh_tokenzJWTIssuer.issue_refresh_token“   sأ   € ُ, •$”)‘+”+رشˆà ¨ذ/ذ/ˆà”;ط”=ط"ط—X’Xکfر%ش%طکر#ططط"ً	
ً 	
ˆً ”i×&ز& v¨w¸ش8IرJشJˆط×"ز" 7ر+ش+ˆهڈٹط>ططگگگŒGطگEŒNٌ		
ô 	
ً 	
ً ˆr   rT   ْdict[str, Any]c                َت  — 	 | j                              || j        ¦  «        }|                     d¦  «        }|r@|t	          j        ¦   «         k     r)t
                               d¦  «         t          d¦  «        ‚|                     d¦  «        | j        k    r)t
                               d¦  «         t          d¦  «        ‚|                     d¦  «        | j	        k    r)t
                               d¦  «         t          d	¦  «        ‚t
                               d
|                     d¦  «        ¦  «         |S # t          $ r!}t
                               d|¦  «         ‚ d}~ww xY w)a3  Verify and decode a FastMCP token.

        Validates JWT signature, expiration, issuer, and audience.

        Args:
            token: JWT token to verify

        Returns:
            Decoded token payload

        Raises:
            JoseError: If token is invalid, expired, or has wrong claims
        rE   zToken expiredzToken has expiredrB   zToken has invalid issuerzInvalid token issuerrC   zToken has invalid audiencezInvalid token audiencez*Token verified successfully for subject=%sعsubzToken validation failed: %sN)
r2   rL   r1   عgetrJ   rM   rN   r   r,   r-   )r3   rT   rR   rE   عes        r   عverify_tokenzJWTIssuer.verify_tokenأ   sL  € ً	à”i×&ز& u¨dش.?ر@ش@ˆGً —+’+کeر$ش$ˆCطً 5گs‌TœY™[œ[ز(ذ(ف—’ک_ر-ش-ذ-فذ 3ر4ش4ذ4ً ڈ{ٹ{ک5ر!ش! T¤[ز0ذ0ف—’ذ7ر8ش8ذ8فذ 6ر7ش7ذ7ً ڈ{ٹ{ک5ر!ش! T¤]ز2ذ2ف—’ذ9ر:ش:ذ:فذ 8ر9ش9ذ9هڈLٹLط<¸g؟k؛kب%ر>Pش>Pٌô ً ً ˆNّهً 	ً 	ً 	فڈLٹLذ6¸ر:ش:ذ:طًّّّّ	ّّّs   ‚D4D7 ؤ7
E"إEإE"N)r,   r   r-   r   r.   r   )r5   )
r6   r   r7   r8   r9   r   r:   r;   r   r   )rT   r   r   rZ   )ع__name__ع
__module__ع__qualname__ع__doc__r4   rU   rY   r_   r   r   r   r+   r+   J   sz   € € € € € ًً ً,ً ,ً ,ً ,ً. ً-ً -ً -ً -ً -ً^.ً .ً .ً .ً`)ً )ً )ً )ً )ً )r   r+   )r   r   r   r   r   r   )r   r   r   r   r   r   )r   r   r   r   r   r   r   r   )rc   ع
__future__r   r%   rJ   عtypingr   r   عauthlib.joser   عauthlib.jose.errorsr   عcryptography.hazmat.primitivesr   ع'cryptography.hazmat.primitives.kdf.hkdfr	   ع)cryptography.hazmat.primitives.kdf.pbkdf2r
   عfastmcp.utilities.loggingr   r`   rM   r'   r   r+   r   r   r   ْ<module>rl      sx  ًًً ً #ذ "ذ "ذ "ذ "ذ "à €€€ط €€€ط  ذ  ذ  ذ  ذ  ذ  ذ  ذ  à %ذ %ذ %ذ %ذ %ذ %ط )ذ )ذ )ذ )ذ )ذ )ط 1ذ 1ذ 1ذ 1ذ 1ذ 1ط 8ذ 8ذ 8ذ 8ذ 8ذ 8ط @ذ @ذ @ذ @ذ @ذ @à 0ذ 0ذ 0ذ 0ذ 0ذ 0à	ˆگHر	ش	€à€ً 
ًSً Sً Sٌ 
„ًSً 
ًRً Rً Rٌ 
„ًRً )-ط'+ً"ً "ً "ً "ً "ً "ًJbً bً bً bً bٌ bô bً bً bً br   