actionmcp 0.52.2 → 0.53.0

data/lib/action_mcp/client/oauth_client_provider.rb

@@ -0,0 +1,234 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "pkce_challenge"
+require "securerandom"
+require "uri"
+require "json"
+
+module ActionMCP
+  module Client
+    # OAuth client provider for MCP client authentication
+    # Implements OAuth 2.1 authorization code flow with PKCE
+    class OauthClientProvider
+      class AuthenticationError < StandardError; end
+      class TokenExpiredError < StandardError; end
+      attr_reader :redirect_url, :client_metadata, :authorization_server_url
+
+      def initialize(
+        authorization_server_url:,
+        redirect_url:,
+        client_metadata: {},
+        storage: nil,
+        logger: ActionMCP.logger
+      )
+        @authorization_server_url = URI(authorization_server_url)
+        @redirect_url = URI(redirect_url)
+        @client_metadata = default_client_metadata.merge(client_metadata)
+        @storage = storage || MemoryStorage.new
+        @logger = logger
+        @http_client = build_http_client
+      end
+
+      # Get current access token for authorization headers
+      def access_token
+        tokens = current_tokens
+        return nil unless tokens
+
+        if token_expired?(tokens)
+          refresh_tokens! if tokens[:refresh_token]
+          tokens = current_tokens
+        end
+
+        tokens&.dig(:access_token)
+      end
+
+      # Check if client has valid authentication
+      def authenticated?
+        !access_token.nil?
+      end
+
+      # Start OAuth authorization flow
+      def start_authorization_flow(scope: nil, state: nil)
+        # Generate PKCE challenge
+        pkce = PkceChallenge.challenge
+        code_verifier = pkce.code_verifier
+        code_challenge = pkce.code_challenge
+        @storage.save_code_verifier(code_verifier)
+
+        # Build authorization URL
+        auth_params = {
+          response_type: "code",
+          client_id: client_id,
+          redirect_uri: @redirect_url.to_s,
+          code_challenge: code_challenge,
+          code_challenge_method: "S256"
+        }
+        auth_params[:scope] = scope if scope
+        auth_params[:state] = state if state
+
+        authorization_url = build_url(server_metadata[:authorization_endpoint], auth_params)
+
+        log_debug("Starting OAuth flow: #{authorization_url}")
+        authorization_url
+      end
+
+      # Complete OAuth flow with authorization code
+      def complete_authorization_flow(authorization_code, state: nil)
+        code_verifier = @storage.load_code_verifier
+        raise AuthenticationError, "No code verifier found" unless code_verifier
+
+        # Exchange code for tokens
+        token_params = {
+          grant_type: "authorization_code",
+          code: authorization_code,
+          redirect_uri: @redirect_url.to_s,
+          code_verifier: code_verifier,
+          client_id: client_id
+        }
+
+        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
+          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
+          req.headers["Accept"] = "application/json"
+          req.body = URI.encode_www_form(token_params)
+        end
+
+        handle_token_response(response)
+      end
+
+      # Refresh access token using refresh token
+      def refresh_tokens!
+        tokens = current_tokens
+        refresh_token = tokens&.dig(:refresh_token)
+        raise TokenExpiredError, "No refresh token available" unless refresh_token
+
+        token_params = {
+          grant_type: "refresh_token",
+          refresh_token: refresh_token,
+          client_id: client_id
+        }
+
+        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
+          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
+          req.headers["Accept"] = "application/json"
+          req.body = URI.encode_www_form(token_params)
+        end
+
+        handle_token_response(response)
+      end
+
+      # Clear stored tokens (logout)
+      def clear_tokens!
+        @storage.clear_tokens
+        @storage.clear_code_verifier if @storage.respond_to?(:clear_code_verifier)
+        log_debug("Cleared OAuth tokens and code verifier")
+      end
+
+      # Get client information for registration
+      def client_information
+        @storage.load_client_information
+      end
+
+      # Save client information after registration
+      def save_client_information(client_info)
+        @storage.save_client_information(client_info)
+      end
+
+      # Get authorization headers for HTTP requests
+      def authorization_headers
+        token = access_token
+        return {} unless token
+
+        { "Authorization" => "Bearer #{token}" }
+      end
+
+      private
+
+      def current_tokens
+        @storage.load_tokens
+      end
+
+      def save_tokens(tokens)
+        @storage.save_tokens(tokens)
+      end
+
+      def token_expired?(tokens)
+        expires_at = tokens[:expires_at]
+        return false unless expires_at
+
+        Time.at(expires_at) <= Time.now + 30 # 30 second buffer
+      end
+
+      def client_id
+        client_info = client_information
+        client_info&.dig(:client_id) || @client_metadata[:client_id]
+      end
+
+      def server_metadata
+        @server_metadata ||= fetch_server_metadata
+      end
+
+      def fetch_server_metadata
+        well_known_url = @authorization_server_url.dup
+        well_known_url.path = "/.well-known/oauth-authorization-server"
+
+        response = @http_client.get(well_known_url)
+        unless response.success?
+          raise AuthenticationError, "Failed to fetch server metadata: #{response.status}"
+        end
+
+        JSON.parse(response.body, symbolize_names: true)
+      end
+
+      def handle_token_response(response)
+        unless response.success?
+          error_body = JSON.parse(response.body) rescue {}
+          error_msg = error_body["error_description"] || error_body["error"] || "Token request failed"
+          raise AuthenticationError, "#{error_msg} (#{response.status})"
+        end
+
+        token_data = JSON.parse(response.body, symbolize_names: true)
+
+        # Calculate token expiration
+        if token_data[:expires_in]
+          token_data[:expires_at] = Time.now.to_i + token_data[:expires_in].to_i
+        end
+
+        save_tokens(token_data)
+        log_debug("OAuth tokens obtained successfully")
+        token_data
+      end
+
+      def build_url(base_url, params)
+        uri = URI(base_url)
+        uri.query = URI.encode_www_form(params)
+        uri.to_s
+      end
+
+      def build_http_client
+        Faraday.new do |f|
+          f.headers["User-Agent"] = "ActionMCP-OAuth/#{ActionMCP.gem_version}"
+          f.options.timeout = 30
+          f.options.open_timeout = 10
+          f.adapter :net_http
+        end
+      end
+
+      def default_client_metadata
+        {
+          client_name: "ActionMCP Client",
+          client_uri: "https://github.com/anthropics/action_mcp",
+          redirect_uris: [ @redirect_url.to_s ],
+          grant_types: [ "authorization_code", "refresh_token" ],
+          response_types: [ "code" ],
+          token_endpoint_auth_method: "none", # Public client
+          code_challenge_methods_supported: [ "S256" ]
+        }
+      end
+
+      def log_debug(message)
+        @logger.debug("[ActionMCP::OAuthClientProvider] #{message}")
+      end
+    end
+  end
+end

data/lib/action_mcp/client/streamable_http_transport.rb

@@ -15,9 +15,10 @@ module ActionMCP
 
       attr_reader :session_id, :last_event_id
 
-      def initialize(url, session_store:, session_id: nil, **options)
+      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, **options)
         super(url, session_store: session_store, **options)
         @session_id = session_id
+        @oauth_provider = oauth_provider
         @last_event_id = nil
         @buffer = +""
         @current_event = nil
@@ -97,6 +98,7 @@ module ActionMCP
         }
         headers["mcp-session-id"] = @session_id if @session_id
         headers["Last-Event-ID"] = @last_event_id if @last_event_id
+        headers.merge!(oauth_headers)
         headers
       end
 
@@ -106,6 +108,7 @@ module ActionMCP
           "Accept" => "application/json, text/event-stream"
         }
         headers["mcp-session-id"] = @session_id if @session_id
+        headers.merge!(oauth_headers)
         headers
       end
 
@@ -190,6 +193,7 @@ module ActionMCP
           # Accepted - message received, no immediate response
           log_debug("Message accepted (202)")
         when 401
+          handle_authentication_error(response)
           raise AuthenticationError, "Authentication required"
         when 405
           # Method not allowed - server doesn't support this operation
@@ -283,6 +287,26 @@ module ActionMCP
         log_debug("Saved session state")
       end
 
+      def oauth_headers
+        return {} unless @oauth_provider&.authenticated?
+
+        @oauth_provider.authorization_headers
+      rescue StandardError => e
+        log_error("Failed to get OAuth headers: #{e.message}")
+        {}
+      end
+
+      def handle_authentication_error(response)
+        return unless @oauth_provider
+
+        # Check for OAuth challenge in WWW-Authenticate header
+        www_auth = response.headers["www-authenticate"]
+        if www_auth&.include?("Bearer")
+          log_debug("Received OAuth challenge, clearing tokens")
+          @oauth_provider.clear_tokens!
+        end
+      end
+
       def user_agent
         "ActionMCP-StreamableHTTP/#{ActionMCP.gem_version}"
       end

data/lib/action_mcp/client.rb

@@ -3,6 +3,7 @@
 require_relative "client/transport"
 require_relative "client/session_store"
 require_relative "client/streamable_http_transport"
+require_relative "client/oauth_client_provider"
 
 module ActionMCP
   # Creates a client appropriate for the given endpoint.
@@ -11,6 +12,7 @@ module ActionMCP
   # @param transport [Symbol] The transport type to use (:streamable_http, :sse for legacy)
   # @param session_store [Symbol] The session store type (:memory, :active_record)
   # @param session_id [String] Optional session ID for resuming connections
+  # @param oauth_provider [ActionMCP::Client::OauthClientProvider] Optional OAuth provider for authentication
   # @param logger [Logger] The logger to use. Default is Logger.new($stdout).
   # @param options [Hash] Additional options to pass to the client constructor.
   #
@@ -33,7 +35,18 @@ module ActionMCP
   #     "http://127.0.0.1:3001/action_mcp",
   #     session_store: :memory
   #   )
-  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, logger: Logger.new($stdout), **options)
+  #
+  # @example With OAuth authentication
+  #   oauth_provider = ActionMCP::Client::OauthClientProvider.new(
+  #     authorization_server_url: "https://oauth.example.com",
+  #     redirect_url: "http://localhost:3000/callback",
+  #     client_metadata: { client_name: "My App" }
+  #   )
+  #   client = ActionMCP.create_client(
+  #     "http://127.0.0.1:3001/action_mcp",
+  #     oauth_provider: oauth_provider
+  #   )
+  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, oauth_provider: nil, logger: Logger.new($stdout), **options)
     unless endpoint =~ %r{\Ahttps?://}
       raise ArgumentError, "Only HTTP(S) endpoints are supported. STDIO and other transports are not supported."
     end
@@ -42,7 +55,7 @@ module ActionMCP
     store = Client::SessionStoreFactory.create(session_store, **options)
 
     # Create transport
-    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, logger: logger, **options)
+    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, oauth_provider: oauth_provider, logger: logger, **options)
 
     logger.info("Creating #{transport} client for endpoint: #{endpoint}")
     # Pass session_id to the client

data/lib/action_mcp/configuration.rb

@@ -25,6 +25,9 @@ module ActionMCP
                   :logging_level,
                   :active_profile,
                   :profiles,
+                  # --- Authentication Options ---
+                  :authentication_methods,
+                  :oauth_config,
                   # --- Transport Options ---
                   :sse_heartbeat_interval,
                   :post_response_preference, # :json or :sse
@@ -36,9 +39,15 @@ module ActionMCP
                   :max_stored_sse_events,
                   # --- Gateway Options ---
                   :gateway_class,
-                  :current_class,
                   # --- Session Store Options ---
-                  :session_store_type
+                  :session_store_type,
+                  # --- Pub/Sub and Thread Pool Options ---
+                  :adapter,
+                  :min_threads,
+                  :max_threads,
+                  :max_queue,
+                  :polling_interval,
+                  :connects_to
 
     def initialize
       @logging_enabled = true
@@ -47,6 +56,11 @@ module ActionMCP
       @resources_subscribe = false
       @active_profile = :primary
       @profiles = default_profiles
+
+      # Authentication defaults
+      @authentication_methods = Rails.env.production? ? [ "jwt" ] : [ "none" ]
+      @oauth_config = {}
+
       @sse_heartbeat_interval = 30
       @post_response_preference = :json
       @protocol_version = "2025-03-26"
@@ -58,7 +72,6 @@ module ActionMCP
 
       # Gateway - default to ApplicationGateway if it exists, otherwise ActionMCP::Gateway
       @gateway_class = defined?(::ApplicationGateway) ? ::ApplicationGateway : ActionMCP::Gateway
-      @current_class = nil
 
       # Session Store
       @session_store_type = Rails.env.production? ? :active_record : :volatile
@@ -77,7 +90,7 @@ module ActionMCP
       ActionMCP.thread_profiles.value || @active_profile
     end
 
-    # Load custom profiles from Rails configuration
+    # Load custom configuration from Rails configuration
     def load_profiles
       # First load defaults from the gem
       @profiles = default_profiles
@@ -88,8 +101,23 @@ module ActionMCP
 
         raise "Invalid MCP config file" unless app_config.is_a?(Hash)
 
-        # Merge with defaults so user config overrides gem defaults
-        @profiles = app_config
+        # Extract authentication configuration if present
+        if app_config["authentication"]
+          @authentication_methods = Array(app_config["authentication"])
+        end
+
+        # Extract OAuth configuration if present
+        if app_config["oauth"]
+          @oauth_config = app_config["oauth"]
+        end
+
+        # Extract other top-level configuration settings
+        extract_top_level_settings(app_config)
+
+        # Extract profiles configuration
+        if app_config["profiles"]
+          @profiles = app_config["profiles"]
+        end
       rescue StandardError
         # If the config file doesn't exist in the Rails app, just use the defaults
         Rails.logger.debug "No MCP config found in Rails app, using defaults from gem"
@@ -197,6 +225,37 @@ module ActionMCP
       }
     end
 
+    def extract_top_level_settings(app_config)
+      # Extract adapter configuration
+      if app_config["adapter"]
+        # This will be handled by the pub/sub system, we just store it for now
+        @adapter = app_config["adapter"]
+      end
+
+      # Extract thread pool settings
+      if app_config["min_threads"]
+        @min_threads = app_config["min_threads"]
+      end
+
+      if app_config["max_threads"]
+        @max_threads = app_config["max_threads"]
+      end
+
+      if app_config["max_queue"]
+        @max_queue = app_config["max_queue"]
+      end
+
+      # Extract polling interval for solid_cable
+      if app_config["polling_interval"]
+        @polling_interval = app_config["polling_interval"]
+      end
+
+      # Extract connects_to setting
+      if app_config["connects_to"]
+        @connects_to = app_config["connects_to"]
+      end
+    end
+
     def should_include_all?(type)
       return false unless @profiles[active_profile]
 

data/lib/action_mcp/engine.rb

@@ -12,6 +12,7 @@ module ActionMCP
     ActiveSupport::Inflector.inflections(:en) do |inflect|
       inflect.acronym "SSE"
       inflect.acronym "MCP"
+      inflect.acronym "OAuth"
     end
 
     # Provide a configuration namespace for ActionMCP
@@ -28,6 +29,13 @@ module ActionMCP
       ActionMCP.configuration.load_profiles
     end
 
+    # Add OAuth middleware if OAuth is configured
+    initializer "action_mcp.oauth_middleware", after: "action_mcp.load_profiles" do
+      if ActionMCP.configuration.authentication_methods&.include?("oauth")
+        config.middleware.use ActionMCP::OAuth::Middleware
+      end
+    end
+
     # Configure autoloading for the mcp/tools directory
     initializer "action_mcp.autoloading", before: :set_autoload_paths do |app|
       mcp_path = app.root.join("app/mcp")

data/lib/action_mcp/gateway.rb

@@ -49,13 +49,22 @@ module ActionMCP
     protected
 
     def authenticate!
-      token = extract_bearer_token
-      raise UnauthorizedError, "Missing token" unless token
+      auth_methods = ActionMCP.configuration.authentication_methods || [ "jwt" ]
+
+      auth_methods.each do |method|
+        case method
+        when "none"
+          return default_user_identity
+        when "jwt"
+          result = jwt_authenticate
+          return result if result
+        when "oauth"
+          result = oauth_authenticate
+          return result if result
+        end
+      end
 
-      payload = ActionMCP::JwtDecoder.decode(token)
-      resolve_user(payload)
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      raise UnauthorizedError, e.message
+      raise UnauthorizedError, "No valid authentication found"
     end
 
     def extract_bearer_token
@@ -81,5 +90,85 @@ module ActionMCP
     def reject_unauthorized_connection
       raise UnauthorizedError, "Unauthorized"
     end
+
+    # Default user identity for "none" authentication
+    def default_user_identity
+      # Return a hash with all identified_by attributes set to a default user
+      self.class.identifiers.each_with_object({}) do |identifier, hash|
+        if identifier == :user
+          # Create or find a default user for development
+          hash[identifier] = find_or_create_default_user
+        end
+        # Add support for other identifiers as needed
+      end
+    end
+
+    # JWT authentication (existing implementation)
+    def jwt_authenticate
+      token = extract_bearer_token
+      unless token
+        raise UnauthorizedError, "Missing token" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
+        return nil
+      end
+
+      payload = ActionMCP::JwtDecoder.decode(token)
+      result = resolve_user(payload)
+      unless result
+        raise UnauthorizedError, "Unauthorized" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
+        return nil
+      end
+      result
+    rescue ActionMCP::JwtDecoder::DecodeError => e
+      if ActionMCP.configuration.authentication_methods == [ "jwt" ]
+        raise UnauthorizedError, "Invalid token"
+      else
+        nil # Let it try other authentication methods
+      end
+    end
+
+    # OAuth authentication via middleware
+    def oauth_authenticate
+      return nil unless oauth_enabled?
+
+      # Check if OAuth middleware has already validated the token
+      token_info = request.env["action_mcp.oauth_token_info"]
+      return nil unless token_info && token_info["active"]
+
+      resolve_user_from_oauth(token_info)
+    rescue ActionMCP::OAuth::Error
+      nil # Let it try other authentication methods
+    end
+
+    def oauth_enabled?
+      ActionMCP.configuration.authentication_methods&.include?("oauth") &&
+        ActionMCP.configuration.oauth_config.present?
+    end
+
+    def resolve_user_from_oauth(token_info)
+      return nil unless token_info.is_a?(Hash)
+
+      user_id = token_info["sub"] || token_info["user_id"]
+      return nil unless user_id
+
+      user = User.find_by(id: user_id) || User.find_by(oauth_subject: user_id)
+      return nil unless user
+
+      # Return a hash with all identified_by attributes
+      self.class.identifiers.each_with_object({}) do |identifier, hash|
+        hash[identifier] = user if identifier == :user
+        # Add support for other identifiers as needed
+      end
+    end
+
+    def find_or_create_default_user
+      # Only for development/testing with "none" authentication
+      return nil unless Rails.env.development? || Rails.env.test?
+
+      if defined?(User)
+        User.find_or_create_by(email: "dev@localhost") do |user|
+          user.name = "Development User" if user.respond_to?(:name=)
+        end
+      end
+    end
   end
 end

data/lib/action_mcp/oauth/error.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # Base OAuth error class
+    class Error < StandardError
+      attr_reader :oauth_error_code
+
+      def initialize(message, oauth_error_code = "invalid_request")
+        super(message)
+        @oauth_error_code = oauth_error_code
+      end
+    end
+
+    # OAuth 2.1 standard error types
+    class InvalidRequestError < Error
+      def initialize(message = "Invalid request")
+        super(message, "invalid_request")
+      end
+    end
+
+    class InvalidClientError < Error
+      def initialize(message = "Invalid client")
+        super(message, "invalid_client")
+      end
+    end
+
+    class InvalidGrantError < Error
+      def initialize(message = "Invalid grant")
+        super(message, "invalid_grant")
+      end
+    end
+
+    class UnauthorizedClientError < Error
+      def initialize(message = "Unauthorized client")
+        super(message, "unauthorized_client")
+      end
+    end
+
+    class UnsupportedGrantTypeError < Error
+      def initialize(message = "Unsupported grant type")
+        super(message, "unsupported_grant_type")
+      end
+    end
+
+    class InvalidScopeError < Error
+      def initialize(message = "Invalid scope")
+        super(message, "invalid_scope")
+      end
+    end
+
+    class InvalidTokenError < Error
+      def initialize(message = "Invalid token")
+        super(message, "invalid_token")
+      end
+    end
+
+    class InsufficientScopeError < Error
+      attr_reader :required_scope
+
+      def initialize(message = "Insufficient scope", required_scope = nil)
+        super(message, "insufficient_scope")
+        @required_scope = required_scope
+      end
+    end
+
+    class ServerError < Error
+      def initialize(message = "Server error")
+        super(message, "server_error")
+      end
+    end
+
+    class TemporarilyUnavailableError < Error
+      def initialize(message = "Temporarily unavailable")
+        super(message, "temporarily_unavailable")
+      end
+    end
+  end
+end