actionmcp 0.52.2 → 0.54.0

data/lib/action_mcp/gateway.rb

@@ -49,13 +49,22 @@ module ActionMCP
     protected
 
     def authenticate!
-      token = extract_bearer_token
-      raise UnauthorizedError, "Missing token" unless token
+      auth_methods = ActionMCP.configuration.authentication_methods || [ "jwt" ]
+
+      auth_methods.each do |method|
+        case method
+        when "none"
+          return default_user_identity
+        when "jwt"
+          result = jwt_authenticate
+          return result if result
+        when "oauth"
+          result = oauth_authenticate
+          return result if result
+        end
+      end
 
-      payload = ActionMCP::JwtDecoder.decode(token)
-      resolve_user(payload)
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      raise UnauthorizedError, e.message
+      raise UnauthorizedError, "No valid authentication found"
     end
 
     def extract_bearer_token
@@ -81,5 +90,85 @@ module ActionMCP
     def reject_unauthorized_connection
       raise UnauthorizedError, "Unauthorized"
     end
+
+    # Default user identity for "none" authentication
+    def default_user_identity
+      # Return a hash with all identified_by attributes set to a default user
+      self.class.identifiers.each_with_object({}) do |identifier, hash|
+        if identifier == :user
+          # Create or find a default user for development
+          hash[identifier] = find_or_create_default_user
+        end
+        # Add support for other identifiers as needed
+      end
+    end
+
+    # JWT authentication (existing implementation)
+    def jwt_authenticate
+      token = extract_bearer_token
+      unless token
+        raise UnauthorizedError, "Missing token" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
+        return nil
+      end
+
+      payload = ActionMCP::JwtDecoder.decode(token)
+      result = resolve_user(payload)
+      unless result
+        raise UnauthorizedError, "Unauthorized" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
+        return nil
+      end
+      result
+    rescue ActionMCP::JwtDecoder::DecodeError => e
+      if ActionMCP.configuration.authentication_methods == [ "jwt" ]
+        raise UnauthorizedError, "Invalid token"
+      else
+        nil # Let it try other authentication methods
+      end
+    end
+
+    # OAuth authentication via middleware
+    def oauth_authenticate
+      return nil unless oauth_enabled?
+
+      # Check if OAuth middleware has already validated the token
+      token_info = request.env["action_mcp.oauth_token_info"]
+      return nil unless token_info && token_info["active"]
+
+      resolve_user_from_oauth(token_info)
+    rescue ActionMCP::OAuth::Error
+      nil # Let it try other authentication methods
+    end
+
+    def oauth_enabled?
+      ActionMCP.configuration.authentication_methods&.include?("oauth") &&
+        ActionMCP.configuration.oauth_config.present?
+    end
+
+    def resolve_user_from_oauth(token_info)
+      return nil unless token_info.is_a?(Hash)
+
+      user_id = token_info["sub"] || token_info["user_id"]
+      return nil unless user_id
+
+      user = User.find_by(id: user_id) || User.find_by(oauth_subject: user_id)
+      return nil unless user
+
+      # Return a hash with all identified_by attributes
+      self.class.identifiers.each_with_object({}) do |identifier, hash|
+        hash[identifier] = user if identifier == :user
+        # Add support for other identifiers as needed
+      end
+    end
+
+    def find_or_create_default_user
+      # Only for development/testing with "none" authentication
+      return nil unless Rails.env.development? || Rails.env.test?
+
+      if defined?(User)
+        User.find_or_create_by(email: "dev@localhost") do |user|
+          user.name = "Development User" if user.respond_to?(:name=)
+        end
+      end
+    end
   end
 end

data/lib/action_mcp/oauth/error.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # Base OAuth error class
+    class Error < StandardError
+      attr_reader :oauth_error_code
+
+      def initialize(message, oauth_error_code = "invalid_request")
+        super(message)
+        @oauth_error_code = oauth_error_code
+      end
+    end
+
+    # OAuth 2.1 standard error types
+    class InvalidRequestError < Error
+      def initialize(message = "Invalid request")
+        super(message, "invalid_request")
+      end
+    end
+
+    class InvalidClientError < Error
+      def initialize(message = "Invalid client")
+        super(message, "invalid_client")
+      end
+    end
+
+    class InvalidGrantError < Error
+      def initialize(message = "Invalid grant")
+        super(message, "invalid_grant")
+      end
+    end
+
+    class UnauthorizedClientError < Error
+      def initialize(message = "Unauthorized client")
+        super(message, "unauthorized_client")
+      end
+    end
+
+    class UnsupportedGrantTypeError < Error
+      def initialize(message = "Unsupported grant type")
+        super(message, "unsupported_grant_type")
+      end
+    end
+
+    class InvalidScopeError < Error
+      def initialize(message = "Invalid scope")
+        super(message, "invalid_scope")
+      end
+    end
+
+    class InvalidTokenError < Error
+      def initialize(message = "Invalid token")
+        super(message, "invalid_token")
+      end
+    end
+
+    class InsufficientScopeError < Error
+      attr_reader :required_scope
+
+      def initialize(message = "Insufficient scope", required_scope = nil)
+        super(message, "insufficient_scope")
+        @required_scope = required_scope
+      end
+    end
+
+    class ServerError < Error
+      def initialize(message = "Server error")
+        super(message, "server_error")
+      end
+    end
+
+    class TemporarilyUnavailableError < Error
+      def initialize(message = "Temporarily unavailable")
+        super(message, "temporarily_unavailable")
+      end
+    end
+  end
+end

data/lib/action_mcp/oauth/memory_storage.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # In-memory storage for OAuth tokens and codes
+    # This is suitable for development and testing, but not for production
+    class MemoryStorage
+      def initialize
+        @authorization_codes = {}
+        @access_tokens = {}
+        @refresh_tokens = {}
+        @mutex = Mutex.new
+      end
+
+      # Authorization code storage
+      def store_authorization_code(code, data)
+        @mutex.synchronize do
+          @authorization_codes[code] = data
+        end
+      end
+
+      def retrieve_authorization_code(code)
+        @mutex.synchronize do
+          @authorization_codes[code]
+        end
+      end
+
+      def remove_authorization_code(code)
+        @mutex.synchronize do
+          @authorization_codes.delete(code)
+        end
+      end
+
+      # Access token storage
+      def store_access_token(token, data)
+        @mutex.synchronize do
+          @access_tokens[token] = data
+        end
+      end
+
+      def retrieve_access_token(token)
+        @mutex.synchronize do
+          @access_tokens[token]
+        end
+      end
+
+      def remove_access_token(token)
+        @mutex.synchronize do
+          @access_tokens.delete(token)
+        end
+      end
+
+      # Refresh token storage
+      def store_refresh_token(token, data)
+        @mutex.synchronize do
+          @refresh_tokens[token] = data
+        end
+      end
+
+      def retrieve_refresh_token(token)
+        @mutex.synchronize do
+          @refresh_tokens[token]
+        end
+      end
+
+      def update_refresh_token(token, new_access_token)
+        @mutex.synchronize do
+          if @refresh_tokens[token]
+            @refresh_tokens[token][:access_token] = new_access_token
+          end
+        end
+      end
+
+      def remove_refresh_token(token)
+        @mutex.synchronize do
+          @refresh_tokens.delete(token)
+        end
+      end
+
+      # Cleanup expired tokens (optional utility method)
+      def cleanup_expired
+        current_time = Time.current
+
+        @mutex.synchronize do
+          @authorization_codes.reject! { |_, data| data[:expires_at] < current_time }
+          @access_tokens.reject! { |_, data| data[:expires_at] < current_time }
+          @refresh_tokens.reject! { |_, data| data[:expires_at] < current_time }
+        end
+      end
+
+      # Statistics (for debugging/monitoring)
+      def stats
+        @mutex.synchronize do
+          {
+            authorization_codes: @authorization_codes.size,
+            access_tokens: @access_tokens.size,
+            refresh_tokens: @refresh_tokens.size
+          }
+        end
+      end
+
+      # Clear all data (for testing)
+      def clear_all
+        @mutex.synchronize do
+          @authorization_codes.clear
+          @access_tokens.clear
+          @refresh_tokens.clear
+        end
+      end
+    end
+  end
+end

data/lib/action_mcp/oauth/middleware.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # OAuth middleware that integrates with Omniauth for request authentication
+    # Handles Bearer token validation for API requests
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new(env)
+
+        # Skip OAuth processing for non-MCP requests or if OAuth not configured
+        return @app.call(env) unless should_process_oauth?(request)
+
+
+        # Validate Bearer token for API requests
+        if bearer_token = extract_bearer_token(request)
+          validate_oauth_token(request, bearer_token)
+        end
+
+        @app.call(env)
+      rescue ActionMCP::OAuth::Error => e
+        oauth_error_response(e)
+      end
+
+      private
+
+      def should_process_oauth?(request)
+        # Check if OAuth is enabled in configuration
+        auth_methods = ActionMCP.configuration.authentication_methods
+        return false unless auth_methods&.include?("oauth")
+
+        # Process all MCP requests (ActionMCP serves at root "/") and OAuth-related paths
+        true
+      end
+
+
+      def extract_bearer_token(request)
+        auth_header = request.headers["Authorization"] || request.headers["authorization"]
+        return nil unless auth_header&.start_with?("Bearer ")
+
+        auth_header.split(" ", 2).last
+      end
+
+      def validate_oauth_token(request, token)
+        # Use the OAuth provider for token introspection
+        token_info = ActionMCP::OAuth::Provider.introspect_token(token)
+
+        if token_info && token_info[:active]
+          # Store OAuth token info in request environment for Gateway
+          request.env["action_mcp.oauth_token_info"] = token_info
+          request.env["action_mcp.oauth_token"] = token
+        else
+          raise ActionMCP::OAuth::InvalidTokenError, "Invalid or expired OAuth token"
+        end
+      end
+
+      def oauth_error_response(error)
+        status = case error
+        when ActionMCP::OAuth::InvalidTokenError
+                  401
+        when ActionMCP::OAuth::InsufficientScopeError
+                  403
+        else
+                  400
+        end
+
+        headers = {
+          "Content-Type" => "application/json",
+          "WWW-Authenticate" => www_authenticate_header(error)
+        }
+
+        body = {
+          error: error.oauth_error_code,
+          error_description: error.message
+        }.to_json
+
+        [ status, headers, [ body ] ]
+      end
+
+      def www_authenticate_header(error)
+        params = []
+        params << 'realm="MCP API"'
+
+        case error
+        when ActionMCP::OAuth::InvalidTokenError
+          params << 'error="invalid_token"'
+        when ActionMCP::OAuth::InsufficientScopeError
+          params << 'error="insufficient_scope"'
+          params << "scope=\"#{error.required_scope}\"" if error.required_scope
+        end
+
+        "Bearer #{params.join(', ')}"
+      end
+    end
+  end
+end