actionmcp 0.70.0 → 0.71.0

data/db/migrate/20250708105124_create_action_mcp_oauth_clients.rb

@@ -0,0 +1,42 @@
+class CreateActionMCPOAuthClients < ActiveRecord::Migration[7.2]
+  def change
+    create_table :action_mcp_oauth_clients do |t|
+      t.string :client_id, null: false, index: { unique: true }
+      t.string :client_secret
+      t.string :client_name
+
+      # Store arrays as JSON for database compatibility
+      if connection.adapter_name.downcase.include?('postgresql')
+        t.text :redirect_uris, array: true, default: []
+        t.text :grant_types, array: true, default: [ "authorization_code" ]
+        t.text :response_types, array: true, default: [ "code" ]
+      else
+        # For SQLite and other databases, use JSON
+        t.json :redirect_uris, default: []
+        t.json :grant_types, default: [ "authorization_code" ]
+        t.json :response_types, default: [ "code" ]
+      end
+
+      t.string :token_endpoint_auth_method, default: "client_secret_basic"
+      t.text :scope
+      t.boolean :active, default: true
+
+      # Registration metadata
+      t.integer :client_id_issued_at
+      t.integer :client_secret_expires_at
+      t.string :registration_access_token # OAuth 2.1 Dynamic Client Registration
+
+      # Additional metadata as JSON for database compatibility
+      if connection.adapter_name.downcase.include?('postgresql')
+        t.jsonb :metadata, default: {}
+      else
+        t.json :metadata, default: {}
+      end
+
+      t.timestamps
+    end
+
+    add_index :action_mcp_oauth_clients, :active
+    add_index :action_mcp_oauth_clients, :client_id_issued_at
+  end
+end

data/db/migrate/20250708105226_create_action_mcp_oauth_tokens.rb

@@ -0,0 +1,37 @@
+class CreateActionMCPOAuthTokens < ActiveRecord::Migration[7.2]
+  def change
+    create_table :action_mcp_oauth_tokens do |t|
+      t.string :token, null: false, index: { unique: true }
+      t.string :token_type, null: false # 'access_token', 'refresh_token', 'authorization_code'
+      t.string :client_id, null: false
+      t.string :user_id
+      t.text :scope
+      t.datetime :expires_at
+      t.boolean :revoked, default: false
+
+      # For authorization codes
+      t.string :redirect_uri
+      t.string :code_challenge
+      t.string :code_challenge_method
+
+      # For refresh tokens
+      t.string :access_token # Reference to associated access token
+
+      # Additional data - use JSON for database compatibility
+      if connection.adapter_name.downcase.include?('postgresql')
+        t.jsonb :metadata, default: {}
+      else
+        t.json :metadata, default: {}
+      end
+
+      t.timestamps
+    end
+
+    add_index :action_mcp_oauth_tokens, :token_type
+    add_index :action_mcp_oauth_tokens, :client_id
+    add_index :action_mcp_oauth_tokens, :user_id
+    add_index :action_mcp_oauth_tokens, :expires_at
+    add_index :action_mcp_oauth_tokens, :revoked
+    add_index :action_mcp_oauth_tokens, [ :token_type, :expires_at ]
+  end
+end

data/lib/action_mcp/client/jwt_client_provider.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "json"
+require "base64"
+
+module ActionMCP
+  module Client
+    # JWT client provider for MCP client authentication
+    # Provides clean JWT token management for ActionMCP client connections
+    class JwtClientProvider
+      class AuthenticationError < StandardError; end
+      class TokenExpiredError < StandardError; end
+
+      attr_reader :storage
+
+      def initialize(token: nil, storage: nil, logger: ActionMCP.logger)
+        @storage = storage || MemoryStorage.new
+        @logger = logger
+
+        # If token provided during initialization, store it
+        if token
+          save_token(token)
+        end
+      end
+
+      # Check if client has valid authentication
+      def authenticated?
+        token = current_token
+        return false unless token
+
+        !token_expired?(token)
+      end
+
+      # Get authorization headers for HTTP requests
+      def authorization_headers
+        token = current_token
+        return {} unless token
+
+        if token_expired?(token)
+          log_debug("JWT token expired")
+          clear_tokens!
+          return {}
+        end
+
+        { "Authorization" => "Bearer #{token}" }
+      end
+
+      # Set/update the JWT token
+      def set_token(token)
+        save_token(token)
+        log_debug("JWT token updated")
+      end
+
+      # Clear stored tokens (logout)
+      def clear_tokens!
+        @storage.clear_token
+        log_debug("Cleared JWT token")
+      end
+
+      # Get current valid token
+      def access_token
+        token = current_token
+        return nil unless token
+        return nil if token_expired?(token)
+        token
+      end
+
+      private
+
+      def current_token
+        @storage.load_token
+      end
+
+      def save_token(token)
+        @storage.save_token(token)
+      end
+
+      def token_expired?(token)
+        return false unless token
+
+        begin
+          payload = decode_jwt_payload(token)
+          exp = payload["exp"]
+          return false unless exp
+
+          # Add 30 second buffer for clock skew
+          Time.at(exp) <= Time.now + 30
+        rescue => e
+          log_debug("Error checking token expiration: #{e.message}")
+          true # Treat invalid tokens as expired
+        end
+      end
+
+      def decode_jwt_payload(token)
+        # Split JWT into parts
+        parts = token.split(".")
+        raise AuthenticationError, "Invalid JWT format" unless parts.length == 3
+
+        # Decode payload (second part)
+        payload_base64 = parts[1]
+        # Add padding if needed
+        payload_base64 += "=" * (4 - payload_base64.length % 4) if payload_base64.length % 4 != 0
+
+        payload_json = Base64.urlsafe_decode64(payload_base64)
+        JSON.parse(payload_json)
+      rescue => e
+        raise AuthenticationError, "Failed to decode JWT: #{e.message}"
+      end
+
+      def log_debug(message)
+        @logger.debug("[ActionMCP::JwtClientProvider] #{message}")
+      end
+
+      # Simple memory storage for JWT tokens
+      class MemoryStorage
+        def initialize
+          @token = nil
+        end
+
+        def save_token(token)
+          @token = token
+        end
+
+        def load_token
+          @token
+        end
+
+        def clear_token
+          @token = nil
+        end
+      end
+    end
+  end
+end

data/lib/action_mcp/configuration.rb

@@ -26,6 +26,7 @@ module ActionMCP
                   :active_profile,
                   :profiles,
                   :elicitation_enabled,
+                  :verbose_logging,
                   # --- Authentication Options ---
                   :authentication_methods,
                   :oauth_config,
@@ -56,12 +57,13 @@ module ActionMCP
       @logging_level = :info
       @resources_subscribe = false
       @elicitation_enabled = false
+      @verbose_logging = false
       @active_profile = :primary
       @profiles = default_profiles
 
       # Authentication defaults
       @authentication_methods = Rails.env.production? ? [ "jwt" ] : [ "none" ]
-      @oauth_config = {}
+      @oauth_config = HashWithIndifferentAccess.new
 
       @sse_heartbeat_interval = 30
       @post_response_preference = :json
@@ -73,6 +75,7 @@ module ActionMCP
 
       # Gateway - default to ApplicationGateway if it exists, otherwise ActionMCP::Gateway
       @gateway_class = defined?(::ApplicationGateway) ? ::ApplicationGateway : ActionMCP::Gateway
+      @gateway_class_name = nil
 
       # Session Store
       @session_store_type = Rails.env.production? ? :active_record : :volatile
@@ -88,6 +91,15 @@ module ActionMCP
       @version || (has_rails_version ? Rails.application.version.to_s : "0.0.1")
     end
 
+    def gateway_class
+      if @gateway_class_name
+        klass = @gateway_class_name.constantize
+        klass
+      else
+        @gateway_class
+      end
+    end
+
     # Get active profile (considering thread-local override)
     def active_profile
       ActionMCP.thread_profiles.value || @active_profile
@@ -111,7 +123,7 @@ module ActionMCP
 
         # Extract OAuth configuration if present
         if app_config["oauth"]
-          @oauth_config = app_config["oauth"]
+          @oauth_config = HashWithIndifferentAccess.new(app_config["oauth"])
         end
 
         # Extract other top-level configuration settings
@@ -121,9 +133,10 @@ module ActionMCP
         if app_config["profiles"]
           @profiles = app_config["profiles"]
         end
-      rescue StandardError
+      rescue StandardError => e
         # If the config file doesn't exist in the Rails app, just use the defaults
-        Rails.logger.debug "No MCP config found in Rails app, using defaults from gem"
+        Rails.logger.warn "[Configuration] Failed to load MCP config: #{e.class} - #{e.message}"
+        # No MCP config found in Rails app, using defaults from gem
       end
 
       # Apply the active profile
@@ -294,6 +307,16 @@ module ActionMCP
         @connects_to = app_config["connects_to"]
       end
 
+      # Extract verbose logging setting
+      if app_config.key?("verbose_logging")
+        @verbose_logging = app_config["verbose_logging"]
+      end
+
+      # Extract gateway class configuration
+      if app_config["gateway_class"]
+        @gateway_class_name = app_config["gateway_class"]
+      end
+
       # Extract session store configuration
       if app_config["session_store_type"]
         @session_store_type = app_config["session_store_type"].to_sym

data/lib/action_mcp/filtered_logger.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  # Custom logger that filters out repetitive MCP requests
+  class FilteredLogger < ActiveSupport::Logger
+    FILTERED_PATHS = [
+      "/oauth/authorize",
+      "/.well-known/oauth-protected-resource",
+      "/.well-known/oauth-authorization-server"
+    ].freeze
+
+    FILTERED_METHODS = [
+      "notifications/initialized",
+      "notifications/ping"
+    ].freeze
+
+    def add(severity, message = nil, progname = nil, &block)
+      # Filter out repetitive OAuth metadata requests
+      if message && message.is_a?(String)
+        return if FILTERED_PATHS.any? { |path| message.include?(path) && message.include?("200 OK") }
+
+        # Filter out repetitive MCP notifications
+        return if FILTERED_METHODS.any? { |method| message.include?(method) }
+
+        # Filter out MCP protocol version debug messages
+        return if message.include?("MCP-Protocol-Version header validation passed")
+      end
+
+      super
+    end
+  end
+end

data/lib/action_mcp/oauth/active_record_storage.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # ActiveRecord storage for OAuth tokens and codes
+    # This is suitable for production multi-server environments
+    class ActiveRecordStorage
+      # Authorization code storage
+      def store_authorization_code(code, data)
+        OAuthToken.create!(
+          token: code,
+          token_type: OAuthToken::AUTHORIZATION_CODE,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          redirect_uri: data[:redirect_uri],
+          scope: data[:scope],
+          code_challenge: data[:code_challenge],
+          code_challenge_method: data[:code_challenge_method],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :redirect_uri, :scope,
+                               :code_challenge, :code_challenge_method, :expires_at)
+        )
+      end
+
+      def retrieve_authorization_code(code)
+        token = OAuthToken.authorization_codes.active.find_by(token: code)
+        return nil unless token
+
+        {
+          client_id: token.client_id,
+          user_id: token.user_id,
+          redirect_uri: token.redirect_uri,
+          scope: token.scope,
+          code_challenge: token.code_challenge,
+          code_challenge_method: token.code_challenge_method,
+          expires_at: token.expires_at,
+          created_at: token.created_at
+        }.merge(token.metadata || {})
+      end
+
+      def remove_authorization_code(code)
+        OAuthToken.authorization_codes.where(token: code).destroy_all
+      end
+
+      # Access token storage
+      def store_access_token(token, data)
+        OAuthToken.create!(
+          token: token,
+          token_type: OAuthToken::ACCESS_TOKEN,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          scope: data[:scope],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :scope, :expires_at)
+        )
+      end
+
+      def retrieve_access_token(token)
+        token_record = OAuthToken.access_tokens.find_by(token: token)
+        return nil unless token_record
+
+        {
+          client_id: token_record.client_id,
+          user_id: token_record.user_id,
+          scope: token_record.scope,
+          expires_at: token_record.expires_at,
+          created_at: token_record.created_at,
+          active: token_record.still_valid?
+        }.merge(token_record.metadata || {})
+      end
+
+      def remove_access_token(token)
+        OAuthToken.access_tokens.where(token: token).destroy_all
+      end
+
+      # Refresh token storage
+      def store_refresh_token(token, data)
+        OAuthToken.create!(
+          token: token,
+          token_type: OAuthToken::REFRESH_TOKEN,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          scope: data[:scope],
+          access_token: data[:access_token],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :scope, :access_token, :expires_at)
+        )
+      end
+
+      def retrieve_refresh_token(token)
+        token_record = OAuthToken.refresh_tokens.active.find_by(token: token)
+        return nil unless token_record
+
+        {
+          client_id: token_record.client_id,
+          user_id: token_record.user_id,
+          scope: token_record.scope,
+          access_token: token_record.access_token,
+          expires_at: token_record.expires_at,
+          created_at: token_record.created_at
+        }.merge(token_record.metadata || {})
+      end
+
+      def update_refresh_token(token, new_access_token)
+        token_record = OAuthToken.refresh_tokens.find_by(token: token)
+        token_record&.update!(access_token: new_access_token)
+      end
+
+      def remove_refresh_token(token)
+        OAuthToken.refresh_tokens.where(token: token).destroy_all
+      end
+
+      # Client registration storage
+      def store_client_registration(client_id, data)
+        client = OAuthClient.new
+
+        # Map data fields to model attributes
+        client.client_id = client_id
+        client.client_secret = data[:client_secret]
+        client.client_id_issued_at = data[:client_id_issued_at]
+        client.registration_access_token = data[:registration_access_token]
+
+        # Handle client metadata
+        metadata = data[:client_metadata] || {}
+        %w[
+          client_name redirect_uris grant_types response_types
+          token_endpoint_auth_method scope
+        ].each do |field|
+          client.send("#{field}=", metadata[field]) if metadata.key?(field)
+        end
+
+        # Store any additional metadata
+        known_fields = %w[
+          client_name redirect_uris grant_types response_types
+          token_endpoint_auth_method scope
+        ]
+        additional_metadata = metadata.except(*known_fields)
+        client.metadata = additional_metadata if additional_metadata.present?
+
+        client.save!
+        data
+      end
+
+      def retrieve_client_registration(client_id)
+        client = OAuthClient.active.find_by(client_id: client_id)
+        return nil unless client
+
+        {
+          client_id: client.client_id,
+          client_secret: client.client_secret,
+          client_id_issued_at: client.client_id_issued_at,
+          registration_access_token: client.registration_access_token,
+          client_metadata: client.to_api_response
+        }
+      end
+
+      def remove_client_registration(client_id)
+        OAuthClient.where(client_id: client_id).destroy_all
+      end
+
+      # Cleanup expired tokens
+      def cleanup_expired
+        OAuthToken.cleanup_expired
+      end
+
+      # Statistics (for debugging/monitoring)
+      def stats
+        {
+          authorization_codes: OAuthToken.authorization_codes.active.count,
+          access_tokens: OAuthToken.access_tokens.active.count,
+          refresh_tokens: OAuthToken.refresh_tokens.active.count,
+          client_registrations: OAuthClient.active.count
+        }
+      end
+
+      # Clear all data (for testing)
+      def clear_all
+        OAuthToken.delete_all
+        OAuthClient.delete_all
+      end
+    end
+  end
+end

data/lib/action_mcp/oauth/memory_storage.rb

@@ -9,6 +9,7 @@ module ActionMCP
         @authorization_codes = {}
         @access_tokens = {}
         @refresh_tokens = {}
+        @client_registrations = {}
         @mutex = Mutex.new
       end
 
@@ -77,6 +78,25 @@ module ActionMCP
         end
       end
 
+      # Client registration storage
+      def store_client_registration(client_id, data)
+        @mutex.synchronize do
+          @client_registrations[client_id] = data
+        end
+      end
+
+      def retrieve_client_registration(client_id)
+        @mutex.synchronize do
+          @client_registrations[client_id]
+        end
+      end
+
+      def remove_client_registration(client_id)
+        @mutex.synchronize do
+          @client_registrations.delete(client_id)
+        end
+      end
+
       # Cleanup expired tokens (optional utility method)
       def cleanup_expired
         current_time = Time.current
@@ -94,7 +114,8 @@ module ActionMCP
           {
             authorization_codes: @authorization_codes.size,
             access_tokens: @access_tokens.size,
-            refresh_tokens: @refresh_tokens.size
+            refresh_tokens: @refresh_tokens.size,
+            client_registrations: @client_registrations.size
           }
         end
       end
@@ -105,6 +126,7 @@ module ActionMCP
           @authorization_codes.clear
           @access_tokens.clear
           @refresh_tokens.clear
+          @client_registrations.clear
         end
       end
     end

data/lib/action_mcp/oauth/middleware.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative "error"
+
 module ActionMCP
   module OAuth
     # OAuth middleware that integrates with Omniauth for request authentication
@@ -15,6 +17,15 @@ module ActionMCP
         # Skip OAuth processing for non-MCP requests or if OAuth not configured
         return @app.call(env) unless should_process_oauth?(request)
 
+        # Skip OAuth processing for metadata endpoints
+        if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
+          return @app.call(env)
+        end
+
+        # Skip OAuth processing for initialization-related requests
+        if initialization_related_request?(request)
+          return @app.call(env)
+        end
 
         # Validate Bearer token for API requests
         if bearer_token = extract_bearer_token(request)
@@ -37,6 +48,28 @@ module ActionMCP
         true
       end
 
+      def initialization_related_request?(request)
+        # Only check JSON-RPC POST requests to MCP endpoints
+        # The path might include the mount path (e.g., /action_mcp/ or just /)
+        return false unless request.post? && request.content_type&.include?("application/json")
+
+        # Check if this is an MCP endpoint (ends with / or is the root)
+        path = request.path
+        return false unless path == "/" || path.match?(/\/action_mcp\/?$/)
+
+        # Read and parse the request body
+        body = request.body.read
+        request.body.rewind # Reset for subsequent reads
+
+        json = JSON.parse(body)
+        method = json["method"]
+
+        # Check if it's an initialization-related method
+        %w[initialize notifications/initialized].include?(method)
+      rescue JSON::ParserError, StandardError
+        false
+      end
+
 
       def extract_bearer_token(request)
         auth_header = request.headers["Authorization"] || request.headers["authorization"]