actionmcp 0.71.0 → 0.71.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83f504b6f7171acf10239a3873a3cf967243ed8fa598603b72ec3e265cf9ba7a
-  data.tar.gz: 4b50494bcf216f93243d2068c2d9f211c25a9fe5166fb01f21518321716a4d54
+  metadata.gz: 203f9e44a8802e007a19f41ddb89e2961fae87fb14bc0157e398dd6b80561cc3
+  data.tar.gz: d644c46fe4e73c1c5532d14f2e1541d511e4311479c15ef5d946aa135c4f290d
 SHA512:
-  metadata.gz: e2f3c857fdfd8404660d508ff620500676c71f629b5ac0a7ab0e7190248d25ea81d15eef679cbb14cba5f15ff119e882502de28d830f6c67a10c8ee7254a4301
-  data.tar.gz: 3d44ee314a37df260fbc00c5d7488330f0d0e5e637c5b200a784bf62301b2feb7b330796cd2ff0268a96de70f498d946983aa89c745e6e636e915b37f5d81587
+  metadata.gz: c9472a20f2aafc0c4ac4b74d8924e741b4cb94dd69154d44b060d2a75fcc01edcda857be40611c7c24b6d1c4ee5410705b776999534c35521301fef737e57d35
+  data.tar.gz: 78afc85939383e260a89726dbc10c516a4c7da3dded794d55545c51ed98ba2179b433d402a552c1964f15a95c9e51c0e2e6ac531f18e1e145ae4a9ebe47b893e

data/app/controllers/action_mcp/application_controller.rb

@@ -512,8 +512,8 @@ module ActionMCP
       gateway_class = ActionMCP.configuration.gateway_class
       return unless gateway_class # Skip if no gateway configured
 
-      gateway = gateway_class.new
-      gateway.call(request)
+      gateway = gateway_class.new(request)
+      gateway.call
     rescue ActionMCP::UnauthorizedError => e
       render_unauthorized(e.message)
     end

data/lib/action_mcp/client/base.rb

@@ -23,11 +23,12 @@ module ActionMCP
 
       delegate :connected?, :ready?, to: :transport
 
-      def initialize(transport:, logger: ActionMCP.logger, **options)
+      def initialize(transport:, logger: ActionMCP.logger, protocol_version: nil, **options)
         @logger = logger
         @transport = transport
         @session = nil  # Session will be created/loaded based on server response
         @session_id = options[:session_id]  # Optional session ID for resumption
+        @protocol_version = protocol_version || ActionMCP::DEFAULT_PROTOCOL_VERSION
         @server_capabilities = nil
         @connection_error = nil
         @initialized = false
@@ -180,7 +181,7 @@ module ActionMCP
         end
 
         params = {
-          protocolVersion: ActionMCP::DEFAULT_PROTOCOL_VERSION,
+          protocolVersion: @protocol_version,
           capabilities: client_capabilities,
           clientInfo: client_info
         }

data/lib/action_mcp/client/collection.rb

@@ -143,14 +143,14 @@ module ActionMCP
       def silence_logs
         return yield unless @silence_sql
 
-        original_log_level = Session.logger&.level
+        original_log_level = ActionMCP::Session.logger&.level
         begin
           # Temporarily increase log level to suppress SQL queries
-          Session.logger.level = Logger::WARN if Session.logger
+          ActionMCP::Session.logger.level = Logger::WARN if ActionMCP::Session.logger
           yield
         ensure
           # Restore original log level
-          Session.logger.level = original_log_level if Session.logger
+          ActionMCP::Session.logger.level = original_log_level if ActionMCP::Session.logger && original_log_level
         end
       end
 

data/lib/action_mcp/client/streamable_http_transport.rb

@@ -13,12 +13,15 @@ module ActionMCP
       SSE_TIMEOUT = 10
       ENDPOINT_TIMEOUT = 5
 
-      attr_reader :session_id, :last_event_id
+      attr_reader :session_id, :last_event_id, :protocol_version
 
-      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, **options)
+      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, jwt_provider: nil, protocol_version: nil, **options)
         super(url, session_store: session_store, **options)
         @session_id = session_id
         @oauth_provider = oauth_provider
+        @jwt_provider = jwt_provider
+        @protocol_version = protocol_version || ActionMCP::DEFAULT_PROTOCOL_VERSION
+        @negotiated_protocol_version = nil
         @last_event_id = nil
         @buffer = +""
         @current_event = nil
@@ -38,8 +41,9 @@ module ActionMCP
         # Start SSE stream if server supports it
         start_sse_stream
 
-        set_connected(true)
+        # Set ready first, then connected (so transport is ready when on_connect fires)
         set_ready(true)
+        set_connected(true)
         log_debug("StreamableHTTP connection established")
         true
       rescue StandardError => e
@@ -98,7 +102,15 @@ module ActionMCP
         }
         headers["mcp-session-id"] = @session_id if @session_id
         headers["Last-Event-ID"] = @last_event_id if @last_event_id
+
+        # Add MCP-Protocol-Version header for GET requests when we have a negotiated version
+        if @negotiated_protocol_version
+          headers["MCP-Protocol-Version"] = @negotiated_protocol_version
+        end
+
         headers.merge!(oauth_headers)
+        headers.merge!(jwt_headers)
+        log_debug("Final GET headers: #{headers}")
         headers
       end
 
@@ -108,7 +120,16 @@ module ActionMCP
           "Accept" => "application/json, text/event-stream"
         }
         headers["mcp-session-id"] = @session_id if @session_id
+
+        # Add MCP-Protocol-Version header as per 2025-06-18 spec
+        # Only include when we have a negotiated version from previous handshake
+        if @negotiated_protocol_version
+          headers["MCP-Protocol-Version"] = @negotiated_protocol_version
+        end
+
         headers.merge!(oauth_headers)
+        headers.merge!(jwt_headers)
+        log_debug("Final POST headers: #{headers}")
         headers
       end
 
@@ -218,6 +239,13 @@ module ActionMCP
       def handle_json_response(response)
         begin
           message = MultiJson.load(response.body)
+
+          # Check if this is an initialize response to capture negotiated protocol version
+          if message.is_a?(Hash) && message["result"] && message["result"]["protocolVersion"]
+            @negotiated_protocol_version = message["result"]["protocolVersion"]
+            log_debug("Negotiated protocol version: #{@negotiated_protocol_version}")
+          end
+
           handle_message(message)
         rescue MultiJson::ParseError => e
           log_error("Failed to parse JSON response: #{e}")
@@ -232,7 +260,7 @@ module ActionMCP
       end
 
       def handle_error_response(response)
-        error_msg = "HTTP #{response.status}: #{response.reason_phrase}"
+        error_msg = +"HTTP #{response.status}: #{response.reason_phrase}"
         if response.body && !response.body.empty?
           error_msg << " - #{response.body}"
         end
@@ -280,7 +308,7 @@ module ActionMCP
           id: @session_id,
           last_event_id: @last_event_id,
           session_data: {},
-          protocol_version: PROTOCOL_VERSION
+          protocol_version: @protocol_version
         }
 
         @session_store.save_session(@session_id, session_data)
@@ -290,20 +318,38 @@ module ActionMCP
       def oauth_headers
         return {} unless @oauth_provider&.authenticated?
 
-        @oauth_provider.authorization_headers
+        headers = @oauth_provider.authorization_headers
+        log_debug("OAuth headers: #{headers}") unless headers.empty?
+        headers
       rescue StandardError => e
         log_error("Failed to get OAuth headers: #{e.message}")
         {}
       end
 
-      def handle_authentication_error(response)
-        return unless @oauth_provider
+      def jwt_headers
+        return {} unless @jwt_provider&.authenticated?
 
+        headers = @jwt_provider.authorization_headers
+        log_debug("JWT headers: #{headers}") unless headers.empty?
+        headers
+      rescue StandardError => e
+        log_error("Failed to get JWT headers: #{e.message}")
+        {}
+      end
+
+      def handle_authentication_error(response)
         # Check for OAuth challenge in WWW-Authenticate header
         www_auth = response.headers["www-authenticate"]
         if www_auth&.include?("Bearer")
-          log_debug("Received OAuth challenge, clearing tokens")
-          @oauth_provider.clear_tokens!
+          if @oauth_provider
+            log_debug("Received OAuth challenge, clearing OAuth tokens")
+            @oauth_provider.clear_tokens!
+          end
+
+          if @jwt_provider
+            log_debug("Received Bearer challenge, clearing JWT tokens")
+            @jwt_provider.clear_tokens!
+          end
         end
       end
 

data/lib/action_mcp/client.rb

@@ -4,6 +4,7 @@ require_relative "client/transport"
 require_relative "client/session_store"
 require_relative "client/streamable_http_transport"
 require_relative "client/oauth_client_provider"
+require_relative "client/jwt_client_provider"
 
 module ActionMCP
   # Creates a client appropriate for the given endpoint.
@@ -13,6 +14,8 @@ module ActionMCP
   # @param session_store [Symbol] The session store type (:memory, :active_record)
   # @param session_id [String] Optional session ID for resuming connections
   # @param oauth_provider [ActionMCP::Client::OauthClientProvider] Optional OAuth provider for authentication
+  # @param jwt_provider [ActionMCP::Client::JwtClientProvider] Optional JWT provider for authentication
+  # @param protocol_version [String] The MCP protocol version to use (defaults to ActionMCP::DEFAULT_PROTOCOL_VERSION)
   # @param logger [Logger] The logger to use. Default is Logger.new($stdout).
   # @param options [Hash] Additional options to pass to the client constructor.
   #
@@ -46,7 +49,16 @@ module ActionMCP
   #     "http://127.0.0.1:3001/action_mcp",
   #     oauth_provider: oauth_provider
   #   )
-  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, oauth_provider: nil, logger: Logger.new($stdout), **options)
+  #
+  # @example With JWT authentication
+  #   jwt_provider = ActionMCP::Client::JwtClientProvider.new(
+  #     token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
+  #   )
+  #   client = ActionMCP.create_client(
+  #     "http://127.0.0.1:3001/action_mcp",
+  #     jwt_provider: jwt_provider
+  #   )
+  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, oauth_provider: nil, jwt_provider: nil, protocol_version: nil, logger: Logger.new($stdout), **options)
     unless endpoint =~ %r{\Ahttps?://}
       raise ArgumentError, "Only HTTP(S) endpoints are supported. STDIO and other transports are not supported."
     end
@@ -55,11 +67,11 @@ module ActionMCP
     store = Client::SessionStoreFactory.create(session_store, **options)
 
     # Create transport
-    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, oauth_provider: oauth_provider, logger: logger, **options)
+    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, oauth_provider: oauth_provider, jwt_provider: jwt_provider, protocol_version: protocol_version, logger: logger, **options)
 
     logger.info("Creating #{transport} client for endpoint: #{endpoint}")
-    # Pass session_id to the client
-    Client::Base.new(transport: transport_instance, logger: logger, session_id: session_id, **options)
+    # Pass session_id and protocol_version to the client
+    Client::Base.new(transport: transport_instance, logger: logger, session_id: session_id, protocol_version: protocol_version, **options)
   end
 
   private_class_method def self.create_transport(type, endpoint, **options)

data/lib/action_mcp/engine.rb

@@ -61,9 +61,10 @@ module ActionMCP
       end
     end
 
-    # Configure autoloading for the mcp/tools directory
+    # Configure autoloading for the mcp/tools directory and identifiers
     initializer "action_mcp.autoloading", before: :set_autoload_paths do |app|
       mcp_path = app.root.join("app/mcp")
+      identifiers_path = app.root.join("app/identifiers")
 
       if mcp_path.exist?
         # First add the parent mcp directory
@@ -74,6 +75,11 @@ module ActionMCP
           app.autoloaders.main.collapse(dir)
         end
       end
+
+      # Add identifiers directory for gateway identifiers
+      if identifiers_path.exist?
+        app.autoloaders.main.push_dir(identifiers_path, namespace: Object)
+      end
     end
 
     # Initialize the ActionMCP logger.

data/lib/action_mcp/gateway.rb

@@ -5,170 +5,84 @@ module ActionMCP
 
   class Gateway
     class << self
-      def identified_by(*attrs)
-        @identifiers ||= []
-        @identifiers.concat(attrs.map(&:to_sym)).uniq!
-        attr_accessor(*attrs)
+      # pluck in one or many GatewayIdentifier classes
+      def identified_by(*klasses)
+        @identifier_classes = klasses.flatten
       end
 
-      def identifiers
-        @identifiers ||= []
+      def identifier_classes
+        @identifier_classes || []
       end
     end
 
-    identified_by :user
-
-    attr_reader :request
-
-    def call(request)
+    def initialize(request)
       @request = request
-      connect
-      self
     end
 
-    def connect
+    # called by your rack/websocket layer
+    def call
       identities = authenticate!
-      reject_unauthorized_connection unless identities.is_a?(Hash)
-
-      # Assign all identities (e.g., :user, :account)
-      self.class.identifiers.each do |id|
-        value = identities[id]
-        reject_unauthorized_connection unless value
-
-        public_send("#{id}=", value)
-
-        # Set to ActionMCP::Current
-        ActionMCP::Current.public_send("#{id}=", value)
-      end
-
-      # Also set the gateway instance itself
-      ActionMCP::Current.gateway = self
+      assign_identities(identities)
+      self
     end
 
-
     protected
 
     def authenticate!
-      auth_methods = ActionMCP.configuration.authentication_methods || [ "jwt" ]
-
-      auth_methods.each do |method|
-        case method
-        when "none"
-          return default_user_identity
-        when "jwt"
-          result = jwt_authenticate
-          return result if result
-        when "oauth"
-          result = oauth_authenticate
-          return result if result
-        end
-      end
-
-      raise UnauthorizedError, "No valid authentication found"
-    end
-
-    def extract_bearer_token
-      header = request.headers["Authorization"] || request.headers["authorization"]
-      return nil unless header&.start_with?("Bearer ")
-      header.split(" ", 2).last
-    end
+      active_identifiers = filter_active_identifiers
 
-    def resolve_user(payload)
-      return nil unless payload.is_a?(Hash)
-      user_id = payload["user_id"] || payload["sub"]
-      return nil unless user_id
-      user = User.find_by(id: user_id)
-      return nil unless user
-
-      # Return a hash with all identified_by attributes
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        hash[identifier] = user if identifier == :user
-        # Add support for other identifiers as needed
+      if active_identifiers.empty?
+        raise ActionMCP::UnauthorizedError, "No authentication methods available"
       end
-    end
-
-    def reject_unauthorized_connection
-      raise UnauthorizedError, "Unauthorized"
-    end
 
-    # Default user identity for "none" authentication
-    def default_user_identity
-      # Return a hash with all identified_by attributes set to a default user
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        if identifier == :user
-          # Create or find a default user for development
-          hash[identifier] = find_or_create_default_user
+      # Try identifiers in order, use the first one that succeeds
+      last_error = nil
+      active_identifiers.each do |klass|
+        begin
+          result = klass.new(@request).resolve
+          return { klass.identifier_name => result }
+        rescue ActionMCP::GatewayIdentifier::Unauthorized => e
+          last_error = e
+          # Try next identifier
+          next
         end
-        # Add support for other identifiers as needed
-      end
-    end
-
-    # JWT authentication (existing implementation)
-    def jwt_authenticate
-      token = extract_bearer_token
-      unless token
-        raise UnauthorizedError, "Missing token" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        return nil
       end
 
-      payload = ActionMCP::JwtDecoder.decode(token)
-      result = resolve_user(payload)
-      unless result
-        raise UnauthorizedError, "Unauthorized" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        return nil
-      end
-      result
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        raise UnauthorizedError, "Invalid token"
-      else
-        nil # Let it try other authentication methods
-      end
+      # If we get here, all identifiers failed
+      # Use the last specific error message if available, otherwise generic message
+      error_message = last_error&.message || "Authentication failed"
+      raise ActionMCP::UnauthorizedError, error_message
     end
 
-    # OAuth authentication via middleware
-    def oauth_authenticate
-      return nil unless oauth_enabled?
-
-      # Check if OAuth middleware has already validated the token
-      token_info = request.env["action_mcp.oauth_token_info"]
-      return nil unless token_info && token_info["active"]
+    private
 
-      resolve_user_from_oauth(token_info)
-    rescue ActionMCP::OAuth::Error
-      nil # Let it try other authentication methods
-    end
+    def filter_active_identifiers
+      configured_methods = ActionMCP.configuration.authentication_methods || []
 
-    def oauth_enabled?
-      ActionMCP.configuration.authentication_methods&.include?("oauth") &&
-        ActionMCP.configuration.oauth_config.present?
-    end
+      # If no authentication methods configured, use all identifiers
+      return self.class.identifier_classes if configured_methods.empty?
 
-    def resolve_user_from_oauth(token_info)
-      return nil unless token_info.is_a?(Hash)
+      # Normalize configured methods to strings for consistent comparison
+      normalized_methods = configured_methods.map(&:to_s)
 
-      user_id = token_info["sub"] || token_info["user_id"]
-      return nil unless user_id
-
-      user = User.find_by(id: user_id) || User.find_by(oauth_subject: user_id)
-      return nil unless user
-
-      # Return a hash with all identified_by attributes
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        hash[identifier] = user if identifier == :user
-        # Add support for other identifiers as needed
+      # Filter identifiers to only those matching configured authentication methods
+      self.class.identifier_classes.select do |klass|
+        normalized_methods.include?(klass.auth_method.to_s)
       end
     end
 
-    def find_or_create_default_user
-      # Only for development/testing with "none" authentication
-      return nil unless Rails.env.development? || Rails.env.test?
+    def assign_identities(identities)
+      identities.each do |name, value|
+        # define accessor on the fly
+        self.class.attr_reader name unless respond_to?(name)
+        instance_variable_set("@#{name}", value)
 
-      if defined?(User)
-        User.find_or_create_by(email: "dev@localhost") do |user|
-          user.name = "Development User" if user.respond_to?(:name=)
-        end
+        # also set current context if you have one
+        ActionMCP::Current.public_send("#{name}=", value) if
+          ActionMCP::Current.respond_to?("#{name}=")
       end
+      ActionMCP::Current.gateway = self if
+        ActionMCP::Current.respond_to?(:gateway=)
     end
   end
 end

data/lib/action_mcp/gateway_identifier.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class GatewayIdentifier
+    class Unauthorized < StandardError; end
+
+    class << self
+      # e.g. JwtIdentifier.identifier_name => :user
+      attr_reader :identifier_name, :auth_method
+
+      def identifier(name)
+        @identifier_name = name.to_sym
+      end
+
+      def authenticates(method)
+        @auth_method = method.to_s
+      end
+    end
+
+    def initialize(request)
+      @request = request
+    end
+
+    # must return a truthy identity object, or raise Unauthorized
+    def resolve
+      raise NotImplementedError, "#{self.class}#resolve must be implemented"
+    end
+  end
+end

data/lib/action_mcp/jwt_identifier.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class JwtIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :jwt
+
+    def resolve
+      token = extract_bearer_token
+      raise Unauthorized, "Missing JWT" unless token
+
+      payload = ActionMCP::JwtDecoder.decode(token)
+      user = User.find_by(id: payload["sub"] || payload["user_id"])
+      return user if user
+
+      raise Unauthorized, "Invalid JWT user"
+    rescue ActionMCP::JwtDecoder::DecodeError => e
+      raise Unauthorized, "Invalid JWT token: #{e.message}"
+    end
+
+    private
+
+    def extract_bearer_token
+      header = @request.env["HTTP_AUTHORIZATION"] || ""
+      header[/\ABearer (.+)\z/, 1]
+    end
+  end
+end

data/lib/action_mcp/none_identifier.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class NoneIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :none
+
+    def resolve
+      Rails.env.production? &&
+        raise(Unauthorized, "No auth allowed in production")
+
+      return "anonymous_user" unless defined?(User)
+
+      User.find_or_create_by!(email: "dev@localhost") do |user|
+        user.name = "Development User" if user.respond_to?(:name=)
+      end
+    end
+  end
+end

data/lib/action_mcp/o_auth_identifier.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class OAuthIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :oauth
+
+    def resolve
+      info = @request.env["action_mcp.oauth_token_info"] or
+        raise Unauthorized, "Missing OAuth info"
+
+      uid = info["user_id"] || info["sub"] || info[:user_id]
+      raise Unauthorized, "Invalid OAuth info" unless uid
+
+      # Try to find existing user or create one for demo purposes
+      user = User.find_by(email: uid) ||
+             User.find_by(email: "#{uid}@example.com") ||
+             create_oauth_user(uid)
+
+      user || raise(Unauthorized, "Unable to resolve OAuth user")
+    end
+
+    private
+
+    def create_oauth_user(uid)
+      return nil unless defined?(User)
+
+      email = uid.include?("@") ? uid : "#{uid}@example.com"
+      User.create!(email: email)
+    rescue ActiveRecord::RecordInvalid
+      nil
+    end
+  end
+end

data/lib/action_mcp/version.rb

@@ -2,7 +2,7 @@
 
 require_relative "gem_version"
 module ActionMCP
-  VERSION = "0.71.0"
+  VERSION = "0.71.1"
 
   class << self
     alias version gem_version

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actionmcp
 version: !ruby/object:Gem::Version
-  version: 0.71.0
+  version: 0.71.1
 platform: ruby
 authors:
 - Abdelkader Boudih
@@ -270,6 +270,7 @@ files:
 - lib/action_mcp/engine.rb
 - lib/action_mcp/filtered_logger.rb
 - lib/action_mcp/gateway.rb
+- lib/action_mcp/gateway_identifier.rb
 - lib/action_mcp/gem_version.rb
 - lib/action_mcp/instrumentation/controller_runtime.rb
 - lib/action_mcp/instrumentation/instrumentation.rb
@@ -277,8 +278,11 @@ files:
 - lib/action_mcp/integer_array.rb
 - lib/action_mcp/json_rpc_handler_base.rb
 - lib/action_mcp/jwt_decoder.rb
+- lib/action_mcp/jwt_identifier.rb
 - lib/action_mcp/log_subscriber.rb
 - lib/action_mcp/logging.rb
+- lib/action_mcp/none_identifier.rb
+- lib/action_mcp/o_auth_identifier.rb
 - lib/action_mcp/oauth.rb
 - lib/action_mcp/oauth/active_record_storage.rb
 - lib/action_mcp/oauth/error.rb