actionmcp 0.71.0 → 0.72.0

data/lib/action_mcp/gateway_identifier.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class GatewayIdentifier
+    class Unauthorized < StandardError; end
+
+    class << self
+      # e.g. JwtIdentifier.identifier_name => :user
+      attr_reader :identifier_name, :auth_method
+
+      def identifier(name)
+        @identifier_name = name.to_sym
+      end
+
+      def authenticates(method)
+        @auth_method = method.to_s
+      end
+    end
+
+    def initialize(request)
+      @request = request
+    end
+
+    # must return a truthy identity object, or raise Unauthorized
+    def resolve
+      raise NotImplementedError, "#{self.class}#resolve must be implemented"
+    end
+  end
+end

data/lib/action_mcp/json_rpc_handler_base.rb

@@ -64,8 +64,6 @@ module ActionMCP
       when %r{^notifications/}
         process_notifications(rpc_method, params)
         true
-      else
-        nil
       end
     end
 

data/lib/action_mcp/jwt_decoder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "jwt"
 
 module ActionMCP
@@ -13,14 +15,14 @@ module ActionMCP
         payload
       rescue JWT::ExpiredSignature
         raise DecodeError, "Token has expired"
-      rescue JWT::DecodeError => e
+      rescue JWT::DecodeError
         # Simplify the error message for invalid tokens
         raise DecodeError, "Invalid token"
       end
     end
 
     # Defaults (can be overridden in an initializer)
-    self.secret = ENV.fetch("ACTION_MCP_JWT_SECRET") { "change-me" }
+    self.secret = ENV.fetch("ACTION_MCP_JWT_SECRET", "change-me")
     self.algorithm = "HS256"
   end
 end

data/lib/action_mcp/jwt_identifier.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class JwtIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :jwt
+
+    def resolve
+      token = extract_bearer_token
+      raise Unauthorized, "Missing JWT" unless token
+
+      payload = ActionMCP::JwtDecoder.decode(token)
+      user = User.find_by(id: payload["sub"] || payload["user_id"])
+      return user if user
+
+      raise Unauthorized, "Invalid JWT user"
+    rescue ActionMCP::JwtDecoder::DecodeError => e
+      raise Unauthorized, "Invalid JWT token: #{e.message}"
+    end
+
+    private
+
+    def extract_bearer_token
+      header = @request.env["HTTP_AUTHORIZATION"] || ""
+      header[/\ABearer (.+)\z/, 1]
+    end
+  end
+end

data/lib/action_mcp/none_identifier.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class NoneIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :none
+
+    def resolve
+      Rails.env.production? &&
+        raise(Unauthorized, "No auth allowed in production")
+
+      return "anonymous_user" unless defined?(User)
+
+      User.find_or_create_by!(email: "dev@localhost") do |user|
+        user.name = "Development User" if user.respond_to?(:name=)
+      end
+    end
+  end
+end

data/lib/action_mcp/o_auth_identifier.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  class OAuthIdentifier < GatewayIdentifier
+    identifier :user
+    authenticates :oauth
+
+    def resolve
+      info = @request.env["action_mcp.oauth_token_info"] or
+        raise Unauthorized, "Missing OAuth info"
+
+      uid = info["user_id"] || info["sub"] || info[:user_id]
+      raise Unauthorized, "Invalid OAuth info" unless uid
+
+      # Try to find existing user or create one for demo purposes
+      user = User.find_by(email: uid) ||
+             User.find_by(email: "#{uid}@example.com") ||
+             create_oauth_user(uid)
+
+      user || raise(Unauthorized, "Unable to resolve OAuth user")
+    end
+
+    private
+
+    def create_oauth_user(uid)
+      return nil unless defined?(User)
+
+      email = uid.include?("@") ? uid : "#{uid}@example.com"
+      User.create!(email: email)
+    rescue ActiveRecord::RecordInvalid
+      nil
+    end
+  end
+end

data/lib/action_mcp/oauth/active_record_storage.rb

@@ -18,7 +18,7 @@ module ActionMCP
           code_challenge_method: data[:code_challenge_method],
           expires_at: data[:expires_at],
           metadata: data.except(:client_id, :user_id, :redirect_uri, :scope,
-                               :code_challenge, :code_challenge_method, :expires_at)
+                                :code_challenge, :code_challenge_method, :expires_at)
         )
       end
 

data/lib/action_mcp/oauth/memory_storage.rb

@@ -66,9 +66,7 @@ module ActionMCP
 
       def update_refresh_token(token, new_access_token)
         @mutex.synchronize do
-          if @refresh_tokens[token]
-            @refresh_tokens[token][:access_token] = new_access_token
-          end
+          @refresh_tokens[token][:access_token] = new_access_token if @refresh_tokens[token]
         end
       end
 

data/lib/action_mcp/oauth/middleware.rb

@@ -18,17 +18,13 @@ module ActionMCP
         return @app.call(env) unless should_process_oauth?(request)
 
         # Skip OAuth processing for metadata endpoints
-        if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
-          return @app.call(env)
-        end
+        return @app.call(env) if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
 
         # Skip OAuth processing for initialization-related requests
-        if initialization_related_request?(request)
-          return @app.call(env)
-        end
+        return @app.call(env) if initialization_related_request?(request)
 
         # Validate Bearer token for API requests
-        if bearer_token = extract_bearer_token(request)
+        if (bearer_token = extract_bearer_token(request))
           validate_oauth_token(request, bearer_token)
         end
 
@@ -39,7 +35,7 @@ module ActionMCP
 
       private
 
-      def should_process_oauth?(request)
+      def should_process_oauth?(_request)
         # Check if OAuth is enabled in configuration
         auth_methods = ActionMCP.configuration.authentication_methods
         return false unless auth_methods&.include?("oauth")
@@ -55,7 +51,7 @@ module ActionMCP
 
         # Check if this is an MCP endpoint (ends with / or is the root)
         path = request.path
-        return false unless path == "/" || path.match?(/\/action_mcp\/?$/)
+        return false unless path == "/" || path.match?(%r{/action_mcp/?$})
 
         # Read and parse the request body
         body = request.body.read
@@ -70,7 +66,6 @@ module ActionMCP
         false
       end
 
-
       def extract_bearer_token(request)
         auth_header = request.headers["Authorization"] || request.headers["authorization"]
         return nil unless auth_header&.start_with?("Bearer ")
@@ -82,23 +77,23 @@ module ActionMCP
         # Use the OAuth provider for token introspection
         token_info = ActionMCP::OAuth::Provider.introspect_token(token)
 
-        if token_info && token_info[:active]
-          # Store OAuth token info in request environment for Gateway
-          request.env["action_mcp.oauth_token_info"] = token_info
-          request.env["action_mcp.oauth_token"] = token
-        else
+        unless token_info && token_info[:active]
           raise ActionMCP::OAuth::InvalidTokenError, "Invalid or expired OAuth token"
         end
+
+        # Store OAuth token info in request environment for Gateway
+        request.env["action_mcp.oauth_token_info"] = token_info
+        request.env["action_mcp.oauth_token"] = token
       end
 
       def oauth_error_response(error)
         status = case error
         when ActionMCP::OAuth::InvalidTokenError
-                  401
+                   401
         when ActionMCP::OAuth::InsufficientScopeError
-                  403
+                   403
         else
-                  400
+                   400
         end
 
         headers = {

data/lib/action_mcp/oauth/provider.rb

@@ -18,7 +18,8 @@ module ActionMCP
         # @param code_challenge_method [String] PKCE challenge method (S256, plain)
         # @param user_id [String] User identifier
         # @return [String] Authorization code
-        def generate_authorization_code(client_id:, redirect_uri:, scope:, code_challenge: nil, code_challenge_method: nil, user_id:)
+        def generate_authorization_code(client_id:, redirect_uri:, scope:, user_id:, code_challenge: nil,
+                                        code_challenge_method: nil)
           # Validate scope
           validate_scope(scope) if scope
 
@@ -26,15 +27,15 @@ module ActionMCP
 
           # Store authorization code with metadata
           store_authorization_code(code, {
-            client_id: client_id,
-            redirect_uri: redirect_uri,
-            scope: scope,
-            code_challenge: code_challenge,
-            code_challenge_method: code_challenge_method,
-            user_id: user_id,
-            created_at: Time.current,
-            expires_at: 10.minutes.from_now
-          })
+                                     client_id: client_id,
+                                     redirect_uri: redirect_uri,
+                                     scope: scope,
+                                     code_challenge: code_challenge,
+                                     code_challenge_method: code_challenge_method,
+                                     user_id: user_id,
+                                     created_at: Time.current,
+                                     expires_at: 10.minutes.from_now
+                                   })
 
           code
         end
@@ -46,7 +47,7 @@ module ActionMCP
         # @param redirect_uri [String] Client redirect URI
         # @param code_verifier [String] PKCE code verifier
         # @return [Hash] Token response with access_token, token_type, expires_in, scope
-        def exchange_code_for_token(code:, client_id:, client_secret: nil, redirect_uri:, code_verifier: nil)
+        def exchange_code_for_token(code:, client_id:, redirect_uri:, client_secret: nil, code_verifier: nil)
           # Retrieve and validate authorization code
           code_data = retrieve_authorization_code(code)
           raise InvalidGrantError, "Invalid authorization code" unless code_data
@@ -56,14 +57,10 @@ module ActionMCP
           validate_client(client_id, client_secret)
 
           # Validate redirect URI matches
-          unless code_data[:redirect_uri] == redirect_uri
-            raise InvalidGrantError, "Redirect URI mismatch"
-          end
+          raise InvalidGrantError, "Redirect URI mismatch" unless code_data[:redirect_uri] == redirect_uri
 
           # Validate client ID matches
-          unless code_data[:client_id] == client_id
-            raise InvalidGrantError, "Client ID mismatch"
-          end
+          raise InvalidGrantError, "Client ID mismatch" unless code_data[:client_id] == client_id
 
           # Validate PKCE if challenge was provided during authorization
           if code_data[:code_challenge]
@@ -118,9 +115,7 @@ module ActionMCP
           validate_client(client_id, client_secret)
 
           # Validate client ID matches
-          unless token_data[:client_id] == client_id
-            raise InvalidGrantError, "Client ID mismatch"
-          end
+          raise InvalidGrantError, "Client ID mismatch" unless token_data[:client_id] == client_id
 
           # Validate scope if provided
           if scope
@@ -160,9 +155,7 @@ module ActionMCP
         def introspect_token(access_token)
           token_data = retrieve_access_token(access_token)
 
-          unless token_data
-            return { active: false }
-          end
+          return { active: false } unless token_data
 
           if token_data[:expires_at] < Time.current
             remove_access_token(access_token)
@@ -188,19 +181,15 @@ module ActionMCP
           revoked = false
 
           # Try access token first if hint suggests it or no hint provided
-          if token_type_hint == "access_token" || token_type_hint.nil?
-            if retrieve_access_token(token)
-              revoke_access_token(token)
-              revoked = true
-            end
+          if (token_type_hint == "access_token" || token_type_hint.nil?) && retrieve_access_token(token)
+            revoke_access_token(token)
+            revoked = true
           end
 
           # Try refresh token if not revoked yet
-          if !revoked && (token_type_hint == "refresh_token" || token_type_hint.nil?)
-            if retrieve_refresh_token(token)
-              revoke_refresh_token(token)
-              revoked = true
-            end
+          if !revoked && (token_type_hint == "refresh_token" || token_type_hint.nil?) && retrieve_refresh_token(token)
+            revoke_refresh_token(token)
+            revoked = true
           end
 
           revoked
@@ -269,9 +258,7 @@ module ActionMCP
           if client_info
             # Validate client secret for confidential clients
             if client_info[:client_secret]
-              unless client_secret == client_info[:client_secret]
-                raise InvalidClientError, "Invalid client credentials"
-              end
+              raise InvalidClientError, "Invalid client credentials" unless client_secret == client_info[:client_secret]
             elsif require_secret
               raise InvalidClientError, "Client authentication required"
             end
@@ -280,15 +267,14 @@ module ActionMCP
 
           # Fall back to custom provider validation
           provider_class = oauth_config[:provider]
-          if provider_class && provider_class.respond_to?(:validate_client)
+          if provider_class.respond_to?(:validate_client)
             provider_class.validate_client(client_id, client_secret)
           elsif require_secret && client_secret.nil?
             raise InvalidClientError, "Client authentication required"
           else
             # In development, allow unregistered clients if configured
-            if Rails.env.development? && oauth_config[:allow_unregistered_clients] != false
-              return true
-            end
+            return true if Rails.env.development? && oauth_config[:allow_unregistered_clients] != false
+
             raise InvalidClientError, "Unknown client"
           end
         end
@@ -301,16 +287,10 @@ module ActionMCP
             expected_challenge = Base64.urlsafe_encode64(
               Digest::SHA256.digest(code_verifier), padding: false
             )
-            unless code_challenge == expected_challenge
-              raise InvalidGrantError, "Invalid code verifier"
-            end
+            raise InvalidGrantError, "Invalid code verifier" unless code_challenge == expected_challenge
           when "plain"
-            unless oauth_config[:allow_plain_pkce]
-              raise InvalidGrantError, "Plain PKCE not allowed"
-            end
-            unless code_challenge == code_verifier
-              raise InvalidGrantError, "Invalid code verifier"
-            end
+            raise InvalidGrantError, "Plain PKCE not allowed" unless oauth_config[:allow_plain_pkce]
+            raise InvalidGrantError, "Invalid code verifier" unless code_challenge == code_verifier
           else
             raise InvalidGrantError, "Unsupported code challenge method"
           end
@@ -320,9 +300,9 @@ module ActionMCP
           supported_scopes = oauth_config.fetch(:scopes_supported, [ "mcp:tools", "mcp:resources", "mcp:prompts" ])
           requested_scopes = scope.split(" ")
           unsupported = requested_scopes - supported_scopes
-          if unsupported.any?
-            raise InvalidScopeError, "Unsupported scopes: #{unsupported.join(', ')}"
-          end
+          return unless unsupported.any?
+
+          raise InvalidScopeError, "Unsupported scopes: #{unsupported.join(', ')}"
         end
 
         def default_scope
@@ -333,12 +313,12 @@ module ActionMCP
           token = SecureRandom.urlsafe_base64(32)
 
           store_access_token(token, {
-            client_id: client_id,
-            scope: scope,
-            user_id: user_id,
-            created_at: Time.current,
-            expires_at: token_expires_in.seconds.from_now
-          })
+                               client_id: client_id,
+                               scope: scope,
+                               user_id: user_id,
+                               created_at: Time.current,
+                               expires_at: token_expires_in.seconds.from_now
+                             })
 
           token
         end
@@ -347,13 +327,13 @@ module ActionMCP
           token = SecureRandom.urlsafe_base64(32)
 
           store_refresh_token(token, {
-            client_id: client_id,
-            scope: scope,
-            user_id: user_id,
-            access_token: access_token,
-            created_at: Time.current,
-            expires_at: refresh_token_expires_in.seconds.from_now
-          })
+                                client_id: client_id,
+                                scope: scope,
+                                user_id: user_id,
+                                access_token: access_token,
+                                created_at: Time.current,
+                                expires_at: refresh_token_expires_in.seconds.from_now
+                              })
 
           token
         end

data/lib/action_mcp/omniauth/mcp_strategy.rb

@@ -38,17 +38,15 @@ module ActionMCP
 
       # User info from OAuth token response or userinfo endpoint
       def raw_info
-        @raw_info ||= begin
-          if options.userinfo_url
-            access_token.get(options.userinfo_url).parsed
-          else
-            # Extract user info from token response or use minimal info
-            token_response = access_token.token
-            {
-              "sub" => access_token.params["user_id"] || access_token.token,
-              "scope" => access_token.params["scope"] || options.scope
-            }
-          end
+        @raw_info ||= if options.userinfo_url
+                        access_token.get(options.userinfo_url).parsed
+        else
+                        # Extract user info from token response or use minimal info
+                        access_token.token
+                        {
+                          "sub" => access_token.params["user_id"] || access_token.token,
+                          "scope" => access_token.params["scope"] || options.scope
+                        }
         end
       rescue ::OAuth2::Error => e
         log(:error, "Failed to fetch user info: #{e.message}")
@@ -93,11 +91,11 @@ module ActionMCP
       # Override client to use discovered endpoints if available
       def client
         @client ||= begin
-          if discovery_info.any?
+          if discovery_info.any? && discovery_info["authorization_endpoint"] && discovery_info["token_endpoint"]
             options.client_options.merge!(
               authorize_url: discovery_info["authorization_endpoint"],
               token_url: discovery_info["token_endpoint"]
-            ) if discovery_info["authorization_endpoint"] && discovery_info["token_endpoint"]
+            )
           end
           super
         end
@@ -115,9 +113,9 @@ module ActionMCP
 
         begin
           response = client.request(:post, options.introspection_url || "/oauth/introspect", {
-            body: { token: token },
-            headers: { "Content-Type" => "application/x-www-form-urlencoded" }
-          })
+                                      body: { token: token },
+                                      headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+                                    })
 
           token_info = JSON.parse(response.body)
           return nil unless token_info["active"]
@@ -137,36 +135,24 @@ module ActionMCP
         return unless oauth_config.is_a?(Hash)
 
         # Set client options from MCP config
-        if oauth_config["issuer_url"]
-          options.client_options[:site] = oauth_config["issuer_url"]
-        end
+        options.client_options[:site] = oauth_config["issuer_url"] if oauth_config["issuer_url"]
 
-        if oauth_config["client_id"]
-          options.client_id = oauth_config["client_id"]
-        end
+        options.client_id = oauth_config["client_id"] if oauth_config["client_id"]
 
-        if oauth_config["client_secret"]
-          options.client_secret = oauth_config["client_secret"]
-        end
+        options.client_secret = oauth_config["client_secret"] if oauth_config["client_secret"]
 
-        if oauth_config["scopes_supported"]
-          options.scope = Array(oauth_config["scopes_supported"]).join(" ")
-        end
+        options.scope = Array(oauth_config["scopes_supported"]).join(" ") if oauth_config["scopes_supported"]
 
         # Enable PKCE if required (OAuth 2.1 compliance)
-        if oauth_config["pkce_required"]
-          options.pkce = true
-        end
+        options.pkce = true if oauth_config["pkce_required"]
 
         # Set userinfo endpoint if provided
-        if oauth_config["userinfo_endpoint"]
-          options.userinfo_url = oauth_config["userinfo_endpoint"]
-        end
+        options.userinfo_url = oauth_config["userinfo_endpoint"] if oauth_config["userinfo_endpoint"]
 
         # Set token introspection endpoint
-        if oauth_config["introspection_endpoint"]
-          options.introspection_url = oauth_config["introspection_endpoint"]
-        end
+        return unless oauth_config["introspection_endpoint"]
+
+        options.introspection_url = oauth_config["introspection_endpoint"]
       end
     end
   end

data/lib/action_mcp/prompt.rb

@@ -28,6 +28,7 @@ module ActionMCP
     # @return [String] The default prompt name.
     def self.default_prompt_name
       return "" if name.nil?
+
       name.demodulize.underscore.sub(/_prompt$/, "")
     end
 
@@ -55,6 +56,7 @@ module ActionMCP
       def meta(data = nil)
         if data
           raise ArgumentError, "_meta must be a hash" unless data.is_a?(Hash)
+
           self._meta = _meta.merge(data)
         else
           _meta

data/lib/action_mcp/renderable.rb

@@ -49,7 +49,7 @@ module ActionMCP
     #
     def render_resource_link(uri:, name: nil, description: nil, mime_type: nil, annotations: nil)
       Content::ResourceLink.new(uri, name: name, description: description,
-                                mime_type: mime_type, annotations: annotations)
+                                     mime_type: mime_type, annotations: annotations)
     end
   end
 end

data/lib/action_mcp/resource_template.rb

@@ -27,7 +27,9 @@ module ActionMCP
       def abstract!
         @abstract = true
         # Unregister from the appropriate registry if already registered
-        ActionMCP::ResourceTemplatesRegistry.unregister(self) if ActionMCP::ResourceTemplatesRegistry.items.values.include?(self)
+        return unless ActionMCP::ResourceTemplatesRegistry.items.values.include?(self)
+
+        ActionMCP::ResourceTemplatesRegistry.unregister(self)
       end
 
       def inherited(subclass)
@@ -92,6 +94,7 @@ module ActionMCP
       def meta(data = nil)
         if data
           raise ArgumentError, "_meta must be a hash" unless data.is_a?(Hash)
+
           @_meta ||= {}
           @_meta = @_meta.merge(data)
         else
@@ -110,13 +113,14 @@ module ActionMCP
         }.compact
 
         # Add _meta if present
-        result[:_meta] = @_meta if @_meta && @_meta.any?
+        result[:_meta] = @_meta if @_meta&.any?
 
         result
       end
 
       def capability_name
         return "" if name.nil?
+
         @capability_name ||= name.demodulize.underscore.sub(/_template$/, "")
       end