actionmcp 0.70.0 → 0.71.1

data/lib/action_mcp/gateway.rb

@@ -5,170 +5,84 @@ module ActionMCP
 
   class Gateway
     class << self
-      def identified_by(*attrs)
-        @identifiers ||= []
-        @identifiers.concat(attrs.map(&:to_sym)).uniq!
-        attr_accessor(*attrs)
+      # pluck in one or many GatewayIdentifier classes
+      def identified_by(*klasses)
+        @identifier_classes = klasses.flatten
       end
 
-      def identifiers
-        @identifiers ||= []
+      def identifier_classes
+        @identifier_classes || []
       end
     end
 
-    identified_by :user
-
-    attr_reader :request
-
-    def call(request)
+    def initialize(request)
       @request = request
-      connect
-      self
     end
 
-    def connect
+    # called by your rack/websocket layer
+    def call
       identities = authenticate!
-      reject_unauthorized_connection unless identities.is_a?(Hash)
-
-      # Assign all identities (e.g., :user, :account)
-      self.class.identifiers.each do |id|
-        value = identities[id]
-        reject_unauthorized_connection unless value
-
-        public_send("#{id}=", value)
-
-        # Set to ActionMCP::Current
-        ActionMCP::Current.public_send("#{id}=", value)
-      end
-
-      # Also set the gateway instance itself
-      ActionMCP::Current.gateway = self
+      assign_identities(identities)
+      self
     end
 
-
     protected
 
     def authenticate!
-      auth_methods = ActionMCP.configuration.authentication_methods || [ "jwt" ]
-
-      auth_methods.each do |method|
-        case method
-        when "none"
-          return default_user_identity
-        when "jwt"
-          result = jwt_authenticate
-          return result if result
-        when "oauth"
-          result = oauth_authenticate
-          return result if result
-        end
-      end
-
-      raise UnauthorizedError, "No valid authentication found"
-    end
-
-    def extract_bearer_token
-      header = request.headers["Authorization"] || request.headers["authorization"]
-      return nil unless header&.start_with?("Bearer ")
-      header.split(" ", 2).last
-    end
+      active_identifiers = filter_active_identifiers
 
-    def resolve_user(payload)
-      return nil unless payload.is_a?(Hash)
-      user_id = payload["user_id"] || payload["sub"]
-      return nil unless user_id
-      user = User.find_by(id: user_id)
-      return nil unless user
-
-      # Return a hash with all identified_by attributes
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        hash[identifier] = user if identifier == :user
-        # Add support for other identifiers as needed
+      if active_identifiers.empty?
+        raise ActionMCP::UnauthorizedError, "No authentication methods available"
       end
-    end
-
-    def reject_unauthorized_connection
-      raise UnauthorizedError, "Unauthorized"
-    end
 
-    # Default user identity for "none" authentication
-    def default_user_identity
-      # Return a hash with all identified_by attributes set to a default user
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        if identifier == :user
-          # Create or find a default user for development
-          hash[identifier] = find_or_create_default_user
+      # Try identifiers in order, use the first one that succeeds
+      last_error = nil
+      active_identifiers.each do |klass|
+        begin
+          result = klass.new(@request).resolve
+          return { klass.identifier_name => result }
+        rescue ActionMCP::GatewayIdentifier::Unauthorized => e
+          last_error = e
+          # Try next identifier
+          next
         end
-        # Add support for other identifiers as needed
-      end
-    end
-
-    # JWT authentication (existing implementation)
-    def jwt_authenticate
-      token = extract_bearer_token
-      unless token
-        raise UnauthorizedError, "Missing token" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        return nil
       end
 
-      payload = ActionMCP::JwtDecoder.decode(token)
-      result = resolve_user(payload)
-      unless result
-        raise UnauthorizedError, "Unauthorized" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        return nil
-      end
-      result
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        raise UnauthorizedError, "Invalid token"
-      else
-        nil # Let it try other authentication methods
-      end
+      # If we get here, all identifiers failed
+      # Use the last specific error message if available, otherwise generic message
+      error_message = last_error&.message || "Authentication failed"
+      raise ActionMCP::UnauthorizedError, error_message
     end
 
-    # OAuth authentication via middleware
-    def oauth_authenticate
-      return nil unless oauth_enabled?
-
-      # Check if OAuth middleware has already validated the token
-      token_info = request.env["action_mcp.oauth_token_info"]
-      return nil unless token_info && token_info["active"]
+    private
 
-      resolve_user_from_oauth(token_info)
-    rescue ActionMCP::OAuth::Error
-      nil # Let it try other authentication methods
-    end
+    def filter_active_identifiers
+      configured_methods = ActionMCP.configuration.authentication_methods || []
 
-    def oauth_enabled?
-      ActionMCP.configuration.authentication_methods&.include?("oauth") &&
-        ActionMCP.configuration.oauth_config.present?
-    end
+      # If no authentication methods configured, use all identifiers
+      return self.class.identifier_classes if configured_methods.empty?
 
-    def resolve_user_from_oauth(token_info)
-      return nil unless token_info.is_a?(Hash)
+      # Normalize configured methods to strings for consistent comparison
+      normalized_methods = configured_methods.map(&:to_s)
 
-      user_id = token_info["sub"] || token_info["user_id"]
-      return nil unless user_id
-
-      user = User.find_by(id: user_id) || User.find_by(oauth_subject: user_id)
-      return nil unless user
-
-      # Return a hash with all identified_by attributes
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        hash[identifier] = user if identifier == :user
-        # Add support for other identifiers as needed
+      # Filter identifiers to only those matching configured authentication methods
+      self.class.identifier_classes.select do |klass|
+        normalized_methods.include?(klass.auth_method.to_s)
       end
     end
 
-    def find_or_create_default_user
-      # Only for development/testing with "none" authentication
-      return nil unless Rails.env.development? || Rails.env.test?
+    def assign_identities(identities)
+      identities.each do |name, value|
+        # define accessor on the fly
+        self.class.attr_reader name unless respond_to?(name)
+        instance_variable_set("@#{name}", value)
 
-      if defined?(User)
-        User.find_or_create_by(email: "dev@localhost") do |user|
-          user.name = "Development User" if user.respond_to?(:name=)
-        end
+        # also set current context if you have one
+        ActionMCP::Current.public_send("#{name}=", value) if
+          ActionMCP::Current.respond_to?("#{name}=")
       end
+      ActionMCP::Current.gateway = self if
+        ActionMCP::Current.respond_to?(:gateway=)
     end
   end
 end

data/lib/action_mcp/gateway_identifier.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class GatewayIdentifier
+    class Unauthorized < StandardError; end
+
+    class << self
+      # e.g. JwtIdentifier.identifier_name => :user
+      attr_reader :identifier_name, :auth_method
+
+      def identifier(name)
+        @identifier_name = name.to_sym
+      end
+
+      def authenticates(method)
+        @auth_method = method.to_s
+      end
+    end
+
+    def initialize(request)
+      @request = request
+    end
+
+    # must return a truthy identity object, or raise Unauthorized
+    def resolve
+      raise NotImplementedError, "#{self.class}#resolve must be implemented"
+    end
+  end
+end

data/lib/action_mcp/jwt_identifier.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class JwtIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :jwt
+
+    def resolve
+      token = extract_bearer_token
+      raise Unauthorized, "Missing JWT" unless token
+
+      payload = ActionMCP::JwtDecoder.decode(token)
+      user = User.find_by(id: payload["sub"] || payload["user_id"])
+      return user if user
+
+      raise Unauthorized, "Invalid JWT user"
+    rescue ActionMCP::JwtDecoder::DecodeError => e
+      raise Unauthorized, "Invalid JWT token: #{e.message}"
+    end
+
+    private
+
+    def extract_bearer_token
+      header = @request.env["HTTP_AUTHORIZATION"] || ""
+      header[/\ABearer (.+)\z/, 1]
+    end
+  end
+end

data/lib/action_mcp/none_identifier.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class NoneIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :none
+
+    def resolve
+      Rails.env.production? &&
+        raise(Unauthorized, "No auth allowed in production")
+
+      return "anonymous_user" unless defined?(User)
+
+      User.find_or_create_by!(email: "dev@localhost") do |user|
+        user.name = "Development User" if user.respond_to?(:name=)
+      end
+    end
+  end
+end

data/lib/action_mcp/o_auth_identifier.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class OAuthIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :oauth
+
+    def resolve
+      info = @request.env["action_mcp.oauth_token_info"] or
+        raise Unauthorized, "Missing OAuth info"
+
+      uid = info["user_id"] || info["sub"] || info[:user_id]
+      raise Unauthorized, "Invalid OAuth info" unless uid
+
+      # Try to find existing user or create one for demo purposes
+      user = User.find_by(email: uid) ||
+             User.find_by(email: "#{uid}@example.com") ||
+             create_oauth_user(uid)
+
+      user || raise(Unauthorized, "Unable to resolve OAuth user")
+    end
+
+    private
+
+    def create_oauth_user(uid)
+      return nil unless defined?(User)
+
+      email = uid.include?("@") ? uid : "#{uid}@example.com"
+      User.create!(email: email)
+    rescue ActiveRecord::RecordInvalid
+      nil
+    end
+  end
+end

data/lib/action_mcp/oauth/active_record_storage.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module OAuth
+    # ActiveRecord storage for OAuth tokens and codes
+    # This is suitable for production multi-server environments
+    class ActiveRecordStorage
+      # Authorization code storage
+      def store_authorization_code(code, data)
+        OAuthToken.create!(
+          token: code,
+          token_type: OAuthToken::AUTHORIZATION_CODE,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          redirect_uri: data[:redirect_uri],
+          scope: data[:scope],
+          code_challenge: data[:code_challenge],
+          code_challenge_method: data[:code_challenge_method],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :redirect_uri, :scope,
+                               :code_challenge, :code_challenge_method, :expires_at)
+        )
+      end
+
+      def retrieve_authorization_code(code)
+        token = OAuthToken.authorization_codes.active.find_by(token: code)
+        return nil unless token
+
+        {
+          client_id: token.client_id,
+          user_id: token.user_id,
+          redirect_uri: token.redirect_uri,
+          scope: token.scope,
+          code_challenge: token.code_challenge,
+          code_challenge_method: token.code_challenge_method,
+          expires_at: token.expires_at,
+          created_at: token.created_at
+        }.merge(token.metadata || {})
+      end
+
+      def remove_authorization_code(code)
+        OAuthToken.authorization_codes.where(token: code).destroy_all
+      end
+
+      # Access token storage
+      def store_access_token(token, data)
+        OAuthToken.create!(
+          token: token,
+          token_type: OAuthToken::ACCESS_TOKEN,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          scope: data[:scope],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :scope, :expires_at)
+        )
+      end
+
+      def retrieve_access_token(token)
+        token_record = OAuthToken.access_tokens.find_by(token: token)
+        return nil unless token_record
+
+        {
+          client_id: token_record.client_id,
+          user_id: token_record.user_id,
+          scope: token_record.scope,
+          expires_at: token_record.expires_at,
+          created_at: token_record.created_at,
+          active: token_record.still_valid?
+        }.merge(token_record.metadata || {})
+      end
+
+      def remove_access_token(token)
+        OAuthToken.access_tokens.where(token: token).destroy_all
+      end
+
+      # Refresh token storage
+      def store_refresh_token(token, data)
+        OAuthToken.create!(
+          token: token,
+          token_type: OAuthToken::REFRESH_TOKEN,
+          client_id: data[:client_id],
+          user_id: data[:user_id],
+          scope: data[:scope],
+          access_token: data[:access_token],
+          expires_at: data[:expires_at],
+          metadata: data.except(:client_id, :user_id, :scope, :access_token, :expires_at)
+        )
+      end
+
+      def retrieve_refresh_token(token)
+        token_record = OAuthToken.refresh_tokens.active.find_by(token: token)
+        return nil unless token_record
+
+        {
+          client_id: token_record.client_id,
+          user_id: token_record.user_id,
+          scope: token_record.scope,
+          access_token: token_record.access_token,
+          expires_at: token_record.expires_at,
+          created_at: token_record.created_at
+        }.merge(token_record.metadata || {})
+      end
+
+      def update_refresh_token(token, new_access_token)
+        token_record = OAuthToken.refresh_tokens.find_by(token: token)
+        token_record&.update!(access_token: new_access_token)
+      end
+
+      def remove_refresh_token(token)
+        OAuthToken.refresh_tokens.where(token: token).destroy_all
+      end
+
+      # Client registration storage
+      def store_client_registration(client_id, data)
+        client = OAuthClient.new
+
+        # Map data fields to model attributes
+        client.client_id = client_id
+        client.client_secret = data[:client_secret]
+        client.client_id_issued_at = data[:client_id_issued_at]
+        client.registration_access_token = data[:registration_access_token]
+
+        # Handle client metadata
+        metadata = data[:client_metadata] || {}
+        %w[
+          client_name redirect_uris grant_types response_types
+          token_endpoint_auth_method scope
+        ].each do |field|
+          client.send("#{field}=", metadata[field]) if metadata.key?(field)
+        end
+
+        # Store any additional metadata
+        known_fields = %w[
+          client_name redirect_uris grant_types response_types
+          token_endpoint_auth_method scope
+        ]
+        additional_metadata = metadata.except(*known_fields)
+        client.metadata = additional_metadata if additional_metadata.present?
+
+        client.save!
+        data
+      end
+
+      def retrieve_client_registration(client_id)
+        client = OAuthClient.active.find_by(client_id: client_id)
+        return nil unless client
+
+        {
+          client_id: client.client_id,
+          client_secret: client.client_secret,
+          client_id_issued_at: client.client_id_issued_at,
+          registration_access_token: client.registration_access_token,
+          client_metadata: client.to_api_response
+        }
+      end
+
+      def remove_client_registration(client_id)
+        OAuthClient.where(client_id: client_id).destroy_all
+      end
+
+      # Cleanup expired tokens
+      def cleanup_expired
+        OAuthToken.cleanup_expired
+      end
+
+      # Statistics (for debugging/monitoring)
+      def stats
+        {
+          authorization_codes: OAuthToken.authorization_codes.active.count,
+          access_tokens: OAuthToken.access_tokens.active.count,
+          refresh_tokens: OAuthToken.refresh_tokens.active.count,
+          client_registrations: OAuthClient.active.count
+        }
+      end
+
+      # Clear all data (for testing)
+      def clear_all
+        OAuthToken.delete_all
+        OAuthClient.delete_all
+      end
+    end
+  end
+end

data/lib/action_mcp/oauth/memory_storage.rb

@@ -9,6 +9,7 @@ module ActionMCP
         @authorization_codes = {}
         @access_tokens = {}
         @refresh_tokens = {}
+        @client_registrations = {}
         @mutex = Mutex.new
       end
 
@@ -77,6 +78,25 @@ module ActionMCP
         end
       end
 
+      # Client registration storage
+      def store_client_registration(client_id, data)
+        @mutex.synchronize do
+          @client_registrations[client_id] = data
+        end
+      end
+
+      def retrieve_client_registration(client_id)
+        @mutex.synchronize do
+          @client_registrations[client_id]
+        end
+      end
+
+      def remove_client_registration(client_id)
+        @mutex.synchronize do
+          @client_registrations.delete(client_id)
+        end
+      end
+
       # Cleanup expired tokens (optional utility method)
       def cleanup_expired
         current_time = Time.current
@@ -94,7 +114,8 @@ module ActionMCP
           {
             authorization_codes: @authorization_codes.size,
             access_tokens: @access_tokens.size,
-            refresh_tokens: @refresh_tokens.size
+            refresh_tokens: @refresh_tokens.size,
+            client_registrations: @client_registrations.size
           }
         end
       end
@@ -105,6 +126,7 @@ module ActionMCP
           @authorization_codes.clear
           @access_tokens.clear
           @refresh_tokens.clear
+          @client_registrations.clear
         end
       end
     end

data/lib/action_mcp/oauth/middleware.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative "error"
+
 module ActionMCP
   module OAuth
     # OAuth middleware that integrates with Omniauth for request authentication
@@ -15,6 +17,15 @@ module ActionMCP
         # Skip OAuth processing for non-MCP requests or if OAuth not configured
         return @app.call(env) unless should_process_oauth?(request)
 
+        # Skip OAuth processing for metadata endpoints
+        if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
+          return @app.call(env)
+        end
+
+        # Skip OAuth processing for initialization-related requests
+        if initialization_related_request?(request)
+          return @app.call(env)
+        end
 
         # Validate Bearer token for API requests
         if bearer_token = extract_bearer_token(request)
@@ -37,6 +48,28 @@ module ActionMCP
         true
       end
 
+      def initialization_related_request?(request)
+        # Only check JSON-RPC POST requests to MCP endpoints
+        # The path might include the mount path (e.g., /action_mcp/ or just /)
+        return false unless request.post? && request.content_type&.include?("application/json")
+
+        # Check if this is an MCP endpoint (ends with / or is the root)
+        path = request.path
+        return false unless path == "/" || path.match?(/\/action_mcp\/?$/)
+
+        # Read and parse the request body
+        body = request.body.read
+        request.body.rewind # Reset for subsequent reads
+
+        json = JSON.parse(body)
+        method = json["method"]
+
+        # Check if it's an initialization-related method
+        %w[initialize notifications/initialized].include?(method)
+      rescue JSON::ParserError, StandardError
+        false
+      end
+
 
       def extract_bearer_token(request)
         auth_header = request.headers["Authorization"] || request.headers["authorization"]