actionmcp 0.60.2 → 0.71.0

data/app/controllers/action_mcp/oauth/registration_controller.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # OAuth 2.0 Dynamic Client Registration Controller (RFC 7591)
+    # Allows clients to dynamically register with the authorization server
+    class RegistrationController < ActionController::Base
+      protect_from_forgery with: :null_session
+      before_action :check_oauth_enabled
+      before_action :check_registration_enabled
+
+      # POST /oauth/register
+      # Dynamic client registration endpoint as per RFC 7591
+      def create
+        # Parse client metadata from request body
+        client_metadata = parse_client_metadata
+
+        # Validate required fields
+        validate_client_metadata(client_metadata)
+
+        # Generate client credentials
+        client_id = generate_client_id
+        client_secret = nil # Public clients by default
+
+        # Generate client secret for confidential clients
+        if client_metadata["token_endpoint_auth_method"] != "none"
+          client_secret = generate_client_secret
+        end
+
+        # Store client registration
+        client_info = {
+          client_id: client_id,
+          client_secret: client_secret,
+          client_id_issued_at: Time.current.to_i,
+          client_metadata: client_metadata,
+          created_at: Time.current
+        }
+
+        # Save client registration (delegated to provider)
+        ActionMCP::OAuth::Provider.register_client(client_info)
+
+        # Build response according to RFC 7591
+        response_data = {
+          client_id: client_id,
+          client_id_issued_at: client_info[:client_id_issued_at]
+        }
+
+        # Include client secret for confidential clients
+        if client_secret
+          response_data[:client_secret] = client_secret
+          response_data[:client_secret_expires_at] = 0 # Never expires
+        end
+
+        # Include all client metadata in response
+        response_data.merge!(client_metadata)
+
+        # Add registration management fields if enabled
+        if oauth_config[:enable_registration_management]
+          response_data[:registration_access_token] = generate_registration_access_token(client_id)
+          response_data[:registration_client_uri] = registration_client_url(client_id)
+        end
+
+        render json: response_data, status: :created
+      rescue ActionMCP::OAuth::Error => e
+        render_registration_error(e.oauth_error_code, e.message)
+      rescue StandardError => e
+        Rails.logger.error "Registration error: #{e.message}"
+        render_registration_error("invalid_client_metadata", "Invalid client metadata")
+      end
+
+      private
+
+      def check_oauth_enabled
+        auth_methods = ActionMCP.configuration.authentication_methods
+        unless auth_methods&.include?("oauth")
+          head :not_found
+        end
+      end
+
+      def check_registration_enabled
+        unless oauth_config[:enable_dynamic_registration]
+          head :not_found
+        end
+      end
+
+      def oauth_config
+        @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
+      end
+
+      def parse_client_metadata
+        # RFC 7591 requires JSON request body
+        unless request.content_type&.include?("application/json")
+          raise ActionMCP::OAuth::InvalidRequestError, "Content-Type must be application/json"
+        end
+
+        JSON.parse(request.body.read)
+      rescue JSON::ParserError
+        raise ActionMCP::OAuth::InvalidRequestError, "Invalid JSON"
+      end
+
+      def validate_client_metadata(metadata)
+        # Validate redirect URIs (required for authorization code flow)
+        if metadata["grant_types"]&.include?("authorization_code") ||
+           metadata["response_types"]&.include?("code")
+          unless metadata["redirect_uris"].is_a?(Array) && metadata["redirect_uris"].any?
+            raise ActionMCP::OAuth::InvalidClientMetadataError, "redirect_uris required for authorization code flow"
+          end
+
+          # Validate redirect URI format
+          metadata["redirect_uris"].each do |uri|
+            validate_redirect_uri(uri)
+          end
+        end
+
+        # Validate grant types
+        if metadata["grant_types"]
+          unsupported = metadata["grant_types"] - supported_grant_types
+          if unsupported.any?
+            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported grant types: #{unsupported.join(', ')}"
+          end
+        end
+
+        # Validate response types
+        if metadata["response_types"]
+          unsupported = metadata["response_types"] - supported_response_types
+          if unsupported.any?
+            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported response types: #{unsupported.join(', ')}"
+          end
+        end
+
+        # Validate token endpoint auth method
+        if metadata["token_endpoint_auth_method"]
+          unless supported_auth_methods.include?(metadata["token_endpoint_auth_method"])
+            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported token endpoint auth method"
+          end
+        end
+      end
+
+      def validate_redirect_uri(uri)
+        parsed = URI.parse(uri)
+
+        # Must be absolute URI
+        unless parsed.absolute?
+          raise ActionMCP::OAuth::InvalidClientMetadataError, "Redirect URI must be absolute"
+        end
+
+        # For non-localhost, must use HTTPS
+        unless parsed.host == "localhost" || parsed.host == "127.0.0.1" || parsed.scheme == "https"
+          raise ActionMCP::OAuth::InvalidClientMetadataError, "Redirect URI must use HTTPS"
+        end
+      rescue URI::InvalidURIError
+        raise ActionMCP::OAuth::InvalidClientMetadataError, "Invalid redirect URI format"
+      end
+
+      def generate_client_id
+        # Generate a unique client identifier
+        "mcp_#{SecureRandom.hex(16)}"
+      end
+
+      def generate_client_secret
+        # Generate a secure client secret
+        SecureRandom.urlsafe_base64(32)
+      end
+
+      def generate_registration_access_token(client_id)
+        # Generate a token for managing this registration
+        SecureRandom.urlsafe_base64(32)
+      end
+
+      def registration_client_url(client_id)
+        "#{request.base_url}/oauth/register/#{client_id}"
+      end
+
+      def supported_grant_types
+        grants = [ "authorization_code" ]
+        grants << "refresh_token" if oauth_config[:enable_refresh_tokens]
+        grants << "client_credentials" if oauth_config[:enable_client_credentials]
+        grants
+      end
+
+      def supported_response_types
+        [ "code" ]
+      end
+
+      def supported_auth_methods
+        methods = [ "client_secret_basic", "client_secret_post" ]
+        methods << "none" if oauth_config.fetch(:allow_public_clients, true)
+        methods
+      end
+
+      def render_registration_error(error_code, description)
+        render json: {
+          error: error_code,
+          error_description: description
+        }, status: :bad_request
+      end
+    end
+
+    # Custom error for invalid client metadata
+    class InvalidClientMetadataError < Error
+      def initialize(message = "Invalid client metadata")
+        super(message, "invalid_client_metadata")
+      end
+    end
+  end
+end

data/app/models/action_mcp/oauth_client.rb

@@ -0,0 +1,157 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  # OAuth 2.0 Client model for storing registered clients
+  # == Schema Information
+  #
+  # Table name: action_mcp_oauth_clients
+  #
+  #  id                         :integer          not null, primary key
+  #  active                     :boolean          default(TRUE)
+  #  client_id_issued_at        :integer
+  #  client_name                :string
+  #  client_secret              :string
+  #  client_secret_expires_at   :integer
+  #  grant_types                :json
+  #  metadata                   :json
+  #  redirect_uris              :json
+  #  registration_access_token  :string
+  #  response_types             :json
+  #  scope                      :text
+  #  token_endpoint_auth_method :string           default("client_secret_basic")
+  #  created_at                 :datetime         not null
+  #  updated_at                 :datetime         not null
+  #  client_id                  :string           not null
+  #
+  # Indexes
+  #
+  #  index_action_mcp_oauth_clients_on_active               (active)
+  #  index_action_mcp_oauth_clients_on_client_id            (client_id) UNIQUE
+  #  index_action_mcp_oauth_clients_on_client_id_issued_at  (client_id_issued_at)
+  #
+  # Implements RFC 7591 Dynamic Client Registration
+  class OAuthClient < ApplicationRecord
+    self.table_name = "action_mcp_oauth_clients"
+
+    # Validations
+    validates :client_id, presence: true, uniqueness: true
+    validates :token_endpoint_auth_method, inclusion: {
+      in: %w[none client_secret_basic client_secret_post client_secret_jwt private_key_jwt]
+    }
+
+    # Scopes
+    scope :active, -> { where(active: true) }
+    scope :expired, -> { where("client_secret_expires_at < ?", Time.current.to_i).where.not(client_secret_expires_at: [ nil, 0 ]) }
+
+    # Callbacks
+    before_create :set_issued_at
+
+    # Check if client secret is expired
+    def secret_expired?
+      return false if client_secret_expires_at.nil? || client_secret_expires_at == 0
+      Time.current.to_i > client_secret_expires_at
+    end
+
+    # Check if client is public (no authentication required)
+    def public_client?
+      token_endpoint_auth_method == "none"
+    end
+
+    # Check if client is confidential (authentication required)
+    def confidential_client?
+      !public_client?
+    end
+
+    # Validate redirect URI against registered URIs
+    def valid_redirect_uri?(uri)
+      return false if redirect_uris.blank?
+      redirect_uris.include?(uri)
+    end
+
+    # Check if grant type is supported by this client
+    def supports_grant_type?(grant_type)
+      grant_types.include?(grant_type)
+    end
+
+    # Check if response type is supported by this client
+    def supports_response_type?(response_type)
+      response_types.include?(response_type)
+    end
+
+    # Check if scope is allowed for this client
+    def valid_scope?(requested_scope)
+      return true if scope.blank? # No scope restrictions
+
+      requested_scopes = requested_scope.split(" ")
+      allowed_scopes = scope.split(" ")
+
+      # All requested scopes must be in allowed scopes
+      (requested_scopes - allowed_scopes).empty?
+    end
+
+    # Convert to hash for API responses
+    def to_api_response
+      response = {
+        client_id: client_id,
+        client_id_issued_at: client_id_issued_at
+      }
+
+      # Include client secret for confidential clients
+      if client_secret.present?
+        response[:client_secret] = client_secret
+        response[:client_secret_expires_at] = client_secret_expires_at || 0
+      end
+
+      # Include metadata fields
+      %w[
+        client_name redirect_uris grant_types response_types
+        token_endpoint_auth_method scope
+      ].each do |field|
+        value = send(field)
+        response[field.to_sym] = value if value.present?
+      end
+
+      # Include additional metadata
+      response.merge!(metadata) if metadata.present?
+
+      response
+    end
+
+    # Create from registration request
+    def self.create_from_registration(client_metadata)
+      client = new
+
+      # Set basic fields
+      client.client_id = "mcp_#{SecureRandom.hex(16)}"
+
+      # Set metadata fields
+      %w[
+        client_name redirect_uris grant_types response_types
+        token_endpoint_auth_method scope
+      ].each do |field|
+        client.send("#{field}=", client_metadata[field]) if client_metadata[field]
+      end
+
+      # Generate client secret for confidential clients
+      if client.confidential_client?
+        client.client_secret = SecureRandom.urlsafe_base64(32)
+      end
+
+      # Store any additional metadata
+      known_fields = %w[
+        client_name redirect_uris grant_types response_types
+        token_endpoint_auth_method scope
+      ]
+      additional_metadata = client_metadata.except(*known_fields)
+      client.metadata = additional_metadata if additional_metadata.present?
+
+      client
+    end
+
+    private
+
+    def set_issued_at
+      self.client_id_issued_at ||= Time.current.to_i
+    end
+  end
+end

data/app/models/action_mcp/oauth_token.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  # == Schema Information
+  #
+  # Table name: action_mcp_oauth_tokens
+  #
+  #  id                    :integer          not null, primary key
+  #  access_token          :string
+  #  code_challenge        :string
+  #  code_challenge_method :string
+  #  expires_at            :datetime
+  #  metadata              :json
+  #  redirect_uri          :string
+  #  revoked               :boolean          default(FALSE)
+  #  scope                 :text
+  #  token                 :string           not null
+  #  token_type            :string           not null
+  #  created_at            :datetime         not null
+  #  updated_at            :datetime         not null
+  #  client_id             :string           not null
+  #  user_id               :string
+  #
+  # Indexes
+  #
+  #  index_action_mcp_oauth_tokens_on_client_id                  (client_id)
+  #  index_action_mcp_oauth_tokens_on_expires_at                 (expires_at)
+  #  index_action_mcp_oauth_tokens_on_revoked                    (revoked)
+  #  index_action_mcp_oauth_tokens_on_token                      (token) UNIQUE
+  #  index_action_mcp_oauth_tokens_on_token_type                 (token_type)
+  #  index_action_mcp_oauth_tokens_on_token_type_and_expires_at  (token_type,expires_at)
+  #  index_action_mcp_oauth_tokens_on_user_id                    (user_id)
+  #
+  # OAuth 2.0 Token model for storing access tokens, refresh tokens, and authorization codes
+  class OAuthToken < ApplicationRecord
+    self.table_name = "action_mcp_oauth_tokens"
+
+    # Token types
+    ACCESS_TOKEN = "access_token"
+    REFRESH_TOKEN = "refresh_token"
+    AUTHORIZATION_CODE = "authorization_code"
+
+    # Validations
+    validates :token, presence: true, uniqueness: true
+    validates :token_type, presence: true, inclusion: { in: [ ACCESS_TOKEN, REFRESH_TOKEN, AUTHORIZATION_CODE ] }
+    validates :client_id, presence: true
+    validates :expires_at, presence: true
+
+    # Scopes
+    scope :active, -> { where(revoked: false).where("expires_at > ?", Time.current) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :access_tokens, -> { where(token_type: ACCESS_TOKEN) }
+    scope :refresh_tokens, -> { where(token_type: REFRESH_TOKEN) }
+    scope :authorization_codes, -> { where(token_type: AUTHORIZATION_CODE) }
+
+    # Check if token is still valid
+    def still_valid?
+      !revoked? && !expired?
+    end
+
+    # Check if token is expired
+    def expired?
+      expires_at <= Time.current
+    end
+
+    # Revoke the token
+    def revoke!
+      update!(revoked: true)
+    end
+
+    # Convert to introspection response
+    def to_introspection_response
+      if still_valid?
+        {
+          active: true,
+          scope: scope,
+          client_id: client_id,
+          username: user_id,
+          token_type: token_type == ACCESS_TOKEN ? "Bearer" : token_type,
+          exp: expires_at.to_i,
+          iat: created_at.to_i,
+          nbf: created_at.to_i,
+          sub: user_id,
+          aud: client_id,
+          iss: ActionMCP.configuration.oauth_config&.dig("issuer_url")
+        }.compact
+      else
+        { active: false }
+      end
+    end
+
+    # Create authorization code
+    def self.create_authorization_code(client_id:, user_id:, redirect_uri:, scope:, code_challenge: nil, code_challenge_method: nil)
+      create!(
+        token: SecureRandom.urlsafe_base64(32),
+        token_type: AUTHORIZATION_CODE,
+        client_id: client_id,
+        user_id: user_id,
+        redirect_uri: redirect_uri,
+        scope: scope,
+        code_challenge: code_challenge,
+        code_challenge_method: code_challenge_method,
+        expires_at: 10.minutes.from_now
+      )
+    end
+
+    # Create access token
+    def self.create_access_token(client_id:, user_id:, scope:)
+      expires_in = ActionMCP.configuration.oauth_config&.dig("access_token_expires_in") || 3600
+
+      create!(
+        token: SecureRandom.urlsafe_base64(32),
+        token_type: ACCESS_TOKEN,
+        client_id: client_id,
+        user_id: user_id,
+        scope: scope,
+        expires_at: expires_in.seconds.from_now
+      )
+    end
+
+    # Create refresh token
+    def self.create_refresh_token(client_id:, user_id:, scope:, access_token:)
+      expires_in = ActionMCP.configuration.oauth_config&.dig("refresh_token_expires_in") || 7.days.to_i
+
+      create!(
+        token: SecureRandom.urlsafe_base64(32),
+        token_type: REFRESH_TOKEN,
+        client_id: client_id,
+        user_id: user_id,
+        scope: scope,
+        access_token: access_token,
+        expires_at: expires_in.seconds.from_now
+      )
+    end
+
+    # Clean up expired tokens
+    def self.cleanup_expired
+      expired.delete_all
+    end
+  end
+end

data/app/models/action_mcp/session/message.rb

@@ -4,17 +4,17 @@
 #
 # Table name: action_mcp_session_messages
 #
-#  id                                     :bigint           not null, primary key
-#  direction(The message recipient)       :string           default("client"), not null
-#  is_ping(Whether the message is a ping) :boolean          default(FALSE), not null
-#  message_json                           :json
-#  message_type(The type of the message)  :string           not null
-#  request_acknowledged                   :boolean          default(FALSE), not null
-#  request_cancelled                      :boolean          default(FALSE), not null
-#  created_at                             :datetime         not null
-#  updated_at                             :datetime         not null
-#  jsonrpc_id                             :string
-#  session_id                             :string           not null
+#  id                   :integer          not null, primary key
+#  direction            :string           default("client"), not null
+#  is_ping              :boolean          default(FALSE), not null
+#  message_json         :json
+#  message_type         :string           not null
+#  request_acknowledged :boolean          default(FALSE), not null
+#  request_cancelled    :boolean          default(FALSE), not null
+#  created_at           :datetime         not null
+#  updated_at           :datetime         not null
+#  jsonrpc_id           :string
+#  session_id           :string           not null
 #
 # Indexes
 #
@@ -22,7 +22,7 @@
 #
 # Foreign Keys
 #
-#  fk_action_mcp_session_messages_session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade ON UPDATE => cascade
+#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade ON UPDATE => cascade
 #
 module ActionMCP
   class Session

data/app/models/action_mcp/session/resource.rb

@@ -4,7 +4,7 @@
 #
 # Table name: action_mcp_session_resources
 #
-#  id               :bigint           not null, primary key
+#  id               :integer          not null, primary key
 #  created_by_tool  :boolean          default(FALSE)
 #  description      :text
 #  last_accessed_at :datetime
@@ -22,7 +22,7 @@
 #
 # Foreign Keys
 #
-#  fk_rails_...  (session_id => action_mcp_sessions.id) ON DELETE => cascade
+#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade
 #
 module ActionMCP
   class Session

data/app/models/action_mcp/session/sse_event.rb

@@ -4,7 +4,7 @@
 #
 # Table name: action_mcp_sse_events
 #
-#  id         :bigint           not null, primary key
+#  id         :integer          not null, primary key
 #  data       :text             not null
 #  created_at :datetime         not null
 #  updated_at :datetime         not null
@@ -19,7 +19,7 @@
 #
 # Foreign Keys
 #
-#  fk_rails_...  (session_id => action_mcp_sessions.id)
+#  session_id  (session_id => action_mcp_sessions.id)
 #
 module ActionMCP
   class Session

data/app/models/action_mcp/session/subscription.rb

@@ -4,7 +4,7 @@
 #
 # Table name: action_mcp_session_subscriptions
 #
-#  id                   :bigint           not null, primary key
+#  id                   :integer          not null, primary key
 #  last_notification_at :datetime
 #  uri                  :string           not null
 #  created_at           :datetime         not null
@@ -17,7 +17,7 @@
 #
 # Foreign Keys
 #
-#  fk_rails_...  (session_id => action_mcp_sessions.id) ON DELETE => cascade
+#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade
 #
 module ActionMCP
   class Session