actionmcp 0.60.2 → 0.71.0

data/lib/action_mcp/filtered_logger.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  # Custom logger that filters out repetitive MCP requests
+  class FilteredLogger < ActiveSupport::Logger
+    FILTERED_PATHS = [
+      "/oauth/authorize",
+      "/.well-known/oauth-protected-resource",
+      "/.well-known/oauth-authorization-server"
+    ].freeze
+
+    FILTERED_METHODS = [
+      "notifications/initialized",
+      "notifications/ping"
+    ].freeze
+
+    def add(severity, message = nil, progname = nil, &block)
+      # Filter out repetitive OAuth metadata requests
+      if message && message.is_a?(String)
+        return if FILTERED_PATHS.any? { |path| message.include?(path) && message.include?("200 OK") }
+
+        # Filter out repetitive MCP notifications
+        return if FILTERED_METHODS.any? { |method| message.include?(method) }
+
+        # Filter out MCP protocol version debug messages
+        return if message.include?("MCP-Protocol-Version header validation passed")
+      end
+
+      super
+    end
+  end
+end

data/lib/action_mcp/oauth/active_record_storage.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # ActiveRecord storage for OAuth tokens and codes
+    # This is suitable for production multi-server environments
+    class ActiveRecordStorage
+      # Authorization code storage
+      def store_authorization_code(code, data)
+        OAuthToken.create!(
+          token: code,
+          token_type: OAuthToken::AUTHORIZATION_CODE,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          redirect_uri: data[:redirect_uri],
+          scope: data[:scope],
+          code_challenge: data[:code_challenge],
+          code_challenge_method: data[:code_challenge_method],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :redirect_uri, :scope,
+                               :code_challenge, :code_challenge_method, :expires_at)
+        )
+      end
+
+      def retrieve_authorization_code(code)
+        token = OAuthToken.authorization_codes.active.find_by(token: code)
+        return nil unless token
+
+        {
+          client_id: token.client_id,
+          user_id: token.user_id,
+          redirect_uri: token.redirect_uri,
+          scope: token.scope,
+          code_challenge: token.code_challenge,
+          code_challenge_method: token.code_challenge_method,
+          expires_at: token.expires_at,
+          created_at: token.created_at
+        }.merge(token.metadata || {})
+      end
+
+      def remove_authorization_code(code)
+        OAuthToken.authorization_codes.where(token: code).destroy_all
+      end
+
+      # Access token storage
+      def store_access_token(token, data)
+        OAuthToken.create!(
+          token: token,
+          token_type: OAuthToken::ACCESS_TOKEN,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          scope: data[:scope],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :scope, :expires_at)
+        )
+      end
+
+      def retrieve_access_token(token)
+        token_record = OAuthToken.access_tokens.find_by(token: token)
+        return nil unless token_record
+
+        {
+          client_id: token_record.client_id,
+          user_id: token_record.user_id,
+          scope: token_record.scope,
+          expires_at: token_record.expires_at,
+          created_at: token_record.created_at,
+          active: token_record.still_valid?
+        }.merge(token_record.metadata || {})
+      end
+
+      def remove_access_token(token)
+        OAuthToken.access_tokens.where(token: token).destroy_all
+      end
+
+      # Refresh token storage
+      def store_refresh_token(token, data)
+        OAuthToken.create!(
+          token: token,
+          token_type: OAuthToken::REFRESH_TOKEN,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          scope: data[:scope],
+          access_token: data[:access_token],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :scope, :access_token, :expires_at)
+        )
+      end
+
+      def retrieve_refresh_token(token)
+        token_record = OAuthToken.refresh_tokens.active.find_by(token: token)
+        return nil unless token_record
+
+        {
+          client_id: token_record.client_id,
+          user_id: token_record.user_id,
+          scope: token_record.scope,
+          access_token: token_record.access_token,
+          expires_at: token_record.expires_at,
+          created_at: token_record.created_at
+        }.merge(token_record.metadata || {})
+      end
+
+      def update_refresh_token(token, new_access_token)
+        token_record = OAuthToken.refresh_tokens.find_by(token: token)
+        token_record&.update!(access_token: new_access_token)
+      end
+
+      def remove_refresh_token(token)
+        OAuthToken.refresh_tokens.where(token: token).destroy_all
+      end
+
+      # Client registration storage
+      def store_client_registration(client_id, data)
+        client = OAuthClient.new
+
+        # Map data fields to model attributes
+        client.client_id = client_id
+        client.client_secret = data[:client_secret]
+        client.client_id_issued_at = data[:client_id_issued_at]
+        client.registration_access_token = data[:registration_access_token]
+
+        # Handle client metadata
+        metadata = data[:client_metadata] || {}
+        %w[
+          client_name redirect_uris grant_types response_types
+          token_endpoint_auth_method scope
+        ].each do |field|
+          client.send("#{field}=", metadata[field]) if metadata.key?(field)
+        end
+
+        # Store any additional metadata
+        known_fields = %w[
+          client_name redirect_uris grant_types response_types
+          token_endpoint_auth_method scope
+        ]
+        additional_metadata = metadata.except(*known_fields)
+        client.metadata = additional_metadata if additional_metadata.present?
+
+        client.save!
+        data
+      end
+
+      def retrieve_client_registration(client_id)
+        client = OAuthClient.active.find_by(client_id: client_id)
+        return nil unless client
+
+        {
+          client_id: client.client_id,
+          client_secret: client.client_secret,
+          client_id_issued_at: client.client_id_issued_at,
+          registration_access_token: client.registration_access_token,
+          client_metadata: client.to_api_response
+        }
+      end
+
+      def remove_client_registration(client_id)
+        OAuthClient.where(client_id: client_id).destroy_all
+      end
+
+      # Cleanup expired tokens
+      def cleanup_expired
+        OAuthToken.cleanup_expired
+      end
+
+      # Statistics (for debugging/monitoring)
+      def stats
+        {
+          authorization_codes: OAuthToken.authorization_codes.active.count,
+          access_tokens: OAuthToken.access_tokens.active.count,
+          refresh_tokens: OAuthToken.refresh_tokens.active.count,
+          client_registrations: OAuthClient.active.count
+        }
+      end
+
+      # Clear all data (for testing)
+      def clear_all
+        OAuthToken.delete_all
+        OAuthClient.delete_all
+      end
+    end
+  end
+end

data/lib/action_mcp/oauth/memory_storage.rb

@@ -9,6 +9,7 @@ module ActionMCP
         @authorization_codes = {}
         @access_tokens = {}
         @refresh_tokens = {}
+        @client_registrations = {}
         @mutex = Mutex.new
       end
 
@@ -77,6 +78,25 @@ module ActionMCP
         end
       end
 
+      # Client registration storage
+      def store_client_registration(client_id, data)
+        @mutex.synchronize do
+          @client_registrations[client_id] = data
+        end
+      end
+
+      def retrieve_client_registration(client_id)
+        @mutex.synchronize do
+          @client_registrations[client_id]
+        end
+      end
+
+      def remove_client_registration(client_id)
+        @mutex.synchronize do
+          @client_registrations.delete(client_id)
+        end
+      end
+
       # Cleanup expired tokens (optional utility method)
       def cleanup_expired
         current_time = Time.current
@@ -94,7 +114,8 @@ module ActionMCP
           {
             authorization_codes: @authorization_codes.size,
             access_tokens: @access_tokens.size,
-            refresh_tokens: @refresh_tokens.size
+            refresh_tokens: @refresh_tokens.size,
+            client_registrations: @client_registrations.size
           }
         end
       end
@@ -105,6 +126,7 @@ module ActionMCP
           @authorization_codes.clear
           @access_tokens.clear
           @refresh_tokens.clear
+          @client_registrations.clear
         end
       end
     end

data/lib/action_mcp/oauth/middleware.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative "error"
+
 module ActionMCP
   module OAuth
     # OAuth middleware that integrates with Omniauth for request authentication
@@ -15,6 +17,15 @@ module ActionMCP
         # Skip OAuth processing for non-MCP requests or if OAuth not configured
         return @app.call(env) unless should_process_oauth?(request)
 
+        # Skip OAuth processing for metadata endpoints
+        if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
+          return @app.call(env)
+        end
+
+        # Skip OAuth processing for initialization-related requests
+        if initialization_related_request?(request)
+          return @app.call(env)
+        end
 
         # Validate Bearer token for API requests
         if bearer_token = extract_bearer_token(request)
@@ -37,6 +48,28 @@ module ActionMCP
         true
       end
 
+      def initialization_related_request?(request)
+        # Only check JSON-RPC POST requests to MCP endpoints
+        # The path might include the mount path (e.g., /action_mcp/ or just /)
+        return false unless request.post? && request.content_type&.include?("application/json")
+
+        # Check if this is an MCP endpoint (ends with / or is the root)
+        path = request.path
+        return false unless path == "/" || path.match?(/\/action_mcp\/?$/)
+
+        # Read and parse the request body
+        body = request.body.read
+        request.body.rewind # Reset for subsequent reads
+
+        json = JSON.parse(body)
+        method = json["method"]
+
+        # Check if it's an initialization-related method
+        %w[initialize notifications/initialized].include?(method)
+      rescue JSON::ParserError, StandardError
+        false
+      end
+
 
       def extract_bearer_token(request)
         auth_header = request.headers["Authorization"] || request.headers["authorization"]

data/lib/action_mcp/oauth/provider.rb

@@ -79,7 +79,7 @@ module ActionMCP
 
           # Generate refresh token if enabled
           refresh_token = nil
-          if oauth_config["enable_refresh_tokens"]
+          if oauth_config[:enable_refresh_tokens]
             refresh_token = generate_refresh_token(
               client_id: client_id,
               scope: code_data[:scope],
@@ -206,13 +206,29 @@ module ActionMCP
           revoked
         end
 
+        # Register a new OAuth client (Dynamic Client Registration)
+        # @param client_info [Hash] Client registration information
+        # @return [Hash] Registered client information
+        def register_client(client_info)
+          # Store client registration
+          storage.store_client_registration(client_info[:client_id], client_info)
+          client_info
+        end
+
+        # Retrieve registered client information
+        # @param client_id [String] OAuth client identifier
+        # @return [Hash, nil] Client information or nil if not found
+        def get_client(client_id)
+          storage.retrieve_client_registration(client_id)
+        end
+
         # Client Credentials Grant (for server-to-server)
         # @param client_id [String] OAuth client identifier
         # @param client_secret [String] OAuth client secret
         # @param scope [String] Requested scope
         # @return [Hash] Token response
         def client_credentials_grant(client_id:, client_secret:, scope: nil)
-          unless oauth_config["enable_client_credentials"]
+          unless oauth_config[:enable_client_credentials]
             raise UnsupportedGrantTypeError, "Client credentials grant not supported"
           end
 
@@ -244,19 +260,37 @@ module ActionMCP
         private
 
         def oauth_config
-          @oauth_config ||= ActionMCP.configuration.oauth_config || {}
+          @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
         end
 
         def validate_client(client_id, client_secret, require_secret: false)
-          # This should be implemented by the application
-          # For now, we'll use a simple validation approach
-          provider_class = oauth_config["provider"]
+          # First check if client is registered via dynamic registration
+          client_info = get_client(client_id)
+          if client_info
+            # Validate client secret for confidential clients
+            if client_info[:client_secret]
+              unless client_secret == client_info[:client_secret]
+                raise InvalidClientError, "Invalid client credentials"
+              end
+            elsif require_secret
+              raise InvalidClientError, "Client authentication required"
+            end
+            return true
+          end
+
+          # Fall back to custom provider validation
+          provider_class = oauth_config[:provider]
           if provider_class && provider_class.respond_to?(:validate_client)
             provider_class.validate_client(client_id, client_secret)
           elsif require_secret && client_secret.nil?
             raise InvalidClientError, "Client authentication required"
+          else
+            # In development, allow unregistered clients if configured
+            if Rails.env.development? && oauth_config[:allow_unregistered_clients] != false
+              return true
+            end
+            raise InvalidClientError, "Unknown client"
           end
-          # Default: allow any client for development
         end
 
         def validate_pkce(code_challenge, method, code_verifier)
@@ -271,7 +305,7 @@ module ActionMCP
               raise InvalidGrantError, "Invalid code verifier"
             end
           when "plain"
-            unless oauth_config["allow_plain_pkce"]
+            unless oauth_config[:allow_plain_pkce]
               raise InvalidGrantError, "Plain PKCE not allowed"
             end
             unless code_challenge == code_verifier
@@ -283,7 +317,7 @@ module ActionMCP
         end
 
         def validate_scope(scope)
-          supported_scopes = oauth_config["scopes_supported"] || [ "mcp:tools", "mcp:resources", "mcp:prompts" ]
+          supported_scopes = oauth_config.fetch(:scopes_supported, [ "mcp:tools", "mcp:resources", "mcp:prompts" ])
           requested_scopes = scope.split(" ")
           unsupported = requested_scopes - supported_scopes
           if unsupported.any?
@@ -292,7 +326,7 @@ module ActionMCP
         end
 
         def default_scope
-          oauth_config["default_scope"] || "mcp:tools mcp:resources mcp:prompts"
+          oauth_config.fetch(:default_scope, "mcp:tools mcp:resources mcp:prompts")
         end
 
         def generate_access_token(client_id:, scope:, user_id:)
@@ -325,17 +359,19 @@ module ActionMCP
         end
 
         def token_expires_in
-          oauth_config["access_token_expires_in"] || 3600 # 1 hour
+          oauth_config.fetch(:access_token_expires_in, 3600) # 1 hour
         end
 
         def refresh_token_expires_in
-          oauth_config["refresh_token_expires_in"] || 7.days.to_i # 1 week
+          oauth_config.fetch(:refresh_token_expires_in, 7.days.to_i) # 1 week
         end
 
         # Storage methods - these delegate to a configurable storage backend
         def storage
           @storage ||= begin
-            storage_class = oauth_config["storage"] || "ActionMCP::OAuth::MemoryStorage"
+            # Default to ActiveRecord storage for production, memory for test
+            default_storage = Rails.env.test? ? "ActionMCP::OAuth::MemoryStorage" : "ActionMCP::OAuth::ActiveRecordStorage"
+            storage_class = oauth_config.fetch(:storage, default_storage)
             storage_class = storage_class.constantize if storage_class.is_a?(String)
             storage_class.new
           end

data/lib/action_mcp/oauth.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # Load OAuth components
+    autoload :Error, "action_mcp/oauth/error"
+    autoload :Provider, "action_mcp/oauth/provider"
+    autoload :Middleware, "action_mcp/oauth/middleware"
+    autoload :MemoryStorage, "action_mcp/oauth/memory_storage"
+    autoload :ActiveRecordStorage, "action_mcp/oauth/active_record_storage"
+  end
+end

data/lib/action_mcp/prompt.rb

@@ -27,6 +27,7 @@ module ActionMCP
     #
     # @return [String] The default prompt name.
     def self.default_prompt_name
+      return "" if name.nil?
       name.demodulize.underscore.sub(/_prompt$/, "")
     end
 
@@ -37,6 +38,19 @@ module ActionMCP
         :prompt
       end
 
+      def unregister_from_registry
+        ActionMCP::PromptsRegistry.unregister(self) if ActionMCP::PromptsRegistry.items.values.include?(self)
+      end
+
+      # Hook called when a class inherits from Prompt
+      def inherited(subclass)
+        super
+        # Run the ActiveSupport load hook when a prompt is defined
+        subclass.class_eval do
+          ActiveSupport.run_load_hooks(:action_mcp_prompt, subclass)
+        end
+      end
+
       # Sets or retrieves the _meta field
       def meta(data = nil)
         if data

data/lib/action_mcp/registry_base.rb

@@ -11,11 +11,25 @@ module ActionMCP
       #
       # @return [Hash] A hash of registered items.
       def items
-        @items = item_klass.descendants.each_with_object({}) do |klass, hash|
-          next if klass.abstract?
+        @items ||= {}
+      end
+
+      # Register an item explicitly
+      #
+      # @param klass [Class] The class to register
+      # @return [void]
+      def register(klass)
+        return if klass.abstract?
+
+        items[klass.capability_name] = klass
+      end
 
-          hash[klass.capability_name] = klass
-        end
+      # Unregister an item
+      #
+      # @param klass [Class] The class to unregister
+      # @return [void]
+      def unregister(klass)
+        items.delete(klass.capability_name)
       end
 
       # Retrieve an item by name.
@@ -44,6 +58,13 @@ module ActionMCP
         RegistryScope.new(items)
       end
 
+      # Clears the registry cache.
+      #
+      # @return [void]
+      def clear!
+        @items = nil
+      end
+
       private
 
       # Helper to determine if an item is abstract.

data/lib/action_mcp/resource_response.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  # Manages resource resolution results and errors for ResourceTemplate operations.
+  # Unlike ToolResponse, ResourceResponse only uses JSON-RPC protocol errors per MCP spec.
+  class ResourceResponse < BaseResponse
+    attr_reader :contents
+
+    delegate :empty?, :size, :each, :find, :map, to: :contents
+
+    def initialize
+      super
+      @contents = []
+    end
+
+    # Add a resource content item to the response
+    def add_content(content)
+      @contents << content
+      content # Return the content for chaining
+    end
+
+    # Add multiple content items
+    def add_contents(contents_array)
+      @contents.concat(contents_array)
+      self
+    end
+
+    # Mark as error with ResourceTemplate-specific error types
+    def mark_as_template_not_found!(uri)
+      mark_as_error!(
+        :invalid_params,
+        message: "Resource template not found for URI: #{uri}",
+        data: { uri: uri, error_type: "TEMPLATE_NOT_FOUND" }
+      )
+    end
+
+    def mark_as_parameter_validation_failed!(missing_params, uri)
+      mark_as_error!(
+        :invalid_params,
+        message: "Required parameters missing: #{missing_params.join(', ')}",
+        data: {
+          uri: uri,
+          missing_parameters: missing_params,
+          error_type: "PARAMETER_VALIDATION_FAILED"
+        }
+      )
+    end
+
+    def mark_as_resolution_failed!(uri, reason = nil)
+      message = "Resource resolution failed for URI: #{uri}"
+      message += " - #{reason}" if reason
+
+      mark_as_error!(
+        :internal_error,
+        message: message,
+        data: {
+          uri: uri,
+          reason: reason,
+          error_type: "RESOLUTION_FAILED"
+        }
+      )
+    end
+
+    def mark_as_callback_aborted!(uri)
+      mark_as_error!(
+        :internal_error,
+        message: "Resource resolution was aborted by callback chain",
+        data: {
+          uri: uri,
+          error_type: "CALLBACK_ABORTED"
+        }
+      )
+    end
+
+    def mark_as_not_found!(uri)
+      # Use method_not_found for resource not found (closest standard JSON-RPC error)
+      mark_as_error!(
+        :method_not_found, # -32601 - closest standard error for "not found"
+        message: "Resource not found",
+        data: { uri: uri }
+      )
+    end
+
+    # Implementation of build_success_hash for ResourceResponse
+    def build_success_hash
+      {
+        contents: @contents.map(&:to_h)
+      }
+    end
+
+    # Implementation of compare_with_same_class for ResourceResponse
+    def compare_with_same_class(other)
+      contents == other.contents && is_error == other.is_error
+    end
+
+    # Implementation of hash_components for ResourceResponse
+    def hash_components
+      [ contents, is_error ]
+    end
+
+    # Pretty print for better debugging
+    def inspect
+      if is_error
+        "#<#{self.class.name} error: #{@error_message}>"
+      else
+        "#<#{self.class.name} contents: #{contents.size} items>"
+      end
+    end
+  end
+end