actionmcp 0.71.1 → 0.80.0

data/app/controllers/action_mcp/oauth/metadata_controller.rb

@@ -1,129 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # Controller for OAuth 2.1 metadata endpoints
-    # Provides server discovery information as per RFC 8414
-    class MetadataController < ActionController::Base
-      before_action :check_oauth_enabled
-
-      # GET /.well-known/oauth-authorization-server
-      # Returns OAuth Authorization Server Metadata as per RFC 8414
-      def authorization_server
-        metadata = {
-          issuer: issuer_url,
-          authorization_endpoint: authorization_endpoint,
-          token_endpoint: token_endpoint,
-          introspection_endpoint: introspection_endpoint,
-          revocation_endpoint: revocation_endpoint,
-          response_types_supported: response_types_supported,
-          grant_types_supported: grant_types_supported,
-          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported,
-          scopes_supported: scopes_supported,
-          code_challenge_methods_supported: code_challenge_methods_supported,
-          service_documentation: service_documentation
-        }
-
-        # Add optional fields based on configuration
-        if oauth_config[:enable_dynamic_registration]
-          metadata[:registration_endpoint] = registration_endpoint
-        end
-
-        if oauth_config[:jwks_uri]
-          metadata[:jwks_uri] = oauth_config[:jwks_uri]
-        end
-
-        render json: metadata
-      end
-
-      # GET /.well-known/oauth-protected-resource
-      # Returns Protected Resource Metadata as per RFC 8705
-      def protected_resource
-        metadata = {
-          resource: issuer_url,
-          authorization_servers: [ issuer_url ],
-          scopes_supported: scopes_supported,
-          bearer_methods_supported: [ "header" ],
-          resource_documentation: resource_documentation
-        }
-
-        render json: metadata
-      end
-
-      private
-
-      def check_oauth_enabled
-        auth_methods = ActionMCP.configuration.authentication_methods
-        unless auth_methods&.include?("oauth")
-          head :not_found
-        end
-      end
-
-      def oauth_config
-        @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
-      end
-
-      def issuer_url
-        @issuer_url ||= oauth_config.fetch(:issuer_url, request.base_url)
-      end
-
-      def authorization_endpoint
-        "#{issuer_url}/oauth/authorize"
-      end
-
-      def token_endpoint
-        "#{issuer_url}/oauth/token"
-      end
-
-      def introspection_endpoint
-        "#{issuer_url}/oauth/introspect"
-      end
-
-      def revocation_endpoint
-        "#{issuer_url}/oauth/revoke"
-      end
-
-      def registration_endpoint
-        "#{issuer_url}/oauth/register"
-      end
-
-      def response_types_supported
-        [ "code" ]
-      end
-
-      def grant_types_supported
-        grants = [ "authorization_code" ]
-        grants << "refresh_token" if oauth_config[:enable_refresh_tokens]
-        grants << "client_credentials" if oauth_config[:enable_client_credentials]
-        grants
-      end
-
-      def token_endpoint_auth_methods_supported
-        methods = [ "client_secret_basic", "client_secret_post" ]
-        methods << "none" if oauth_config[:allow_public_clients]
-        methods
-      end
-
-      def scopes_supported
-        oauth_config.fetch(:scopes_supported, [ "mcp:tools", "mcp:resources", "mcp:prompts" ])
-      end
-
-      def code_challenge_methods_supported
-        methods = []
-        if oauth_config[:pkce_required] || oauth_config[:pkce_supported]
-          methods << "S256"
-          methods << "plain" if oauth_config[:allow_plain_pkce]
-        end
-        methods
-      end
-
-      def service_documentation
-        oauth_config.fetch(:service_documentation, "#{request.base_url}/docs")
-      end
-
-      def resource_documentation
-        oauth_config.fetch(:resource_documentation, "#{request.base_url}/docs/api")
-      end
-    end
-  end
-end

data/app/controllers/action_mcp/oauth/registration_controller.rb

@@ -1,206 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # OAuth 2.0 Dynamic Client Registration Controller (RFC 7591)
-    # Allows clients to dynamically register with the authorization server
-    class RegistrationController < ActionController::Base
-      protect_from_forgery with: :null_session
-      before_action :check_oauth_enabled
-      before_action :check_registration_enabled
-
-      # POST /oauth/register
-      # Dynamic client registration endpoint as per RFC 7591
-      def create
-        # Parse client metadata from request body
-        client_metadata = parse_client_metadata
-
-        # Validate required fields
-        validate_client_metadata(client_metadata)
-
-        # Generate client credentials
-        client_id = generate_client_id
-        client_secret = nil # Public clients by default
-
-        # Generate client secret for confidential clients
-        if client_metadata["token_endpoint_auth_method"] != "none"
-          client_secret = generate_client_secret
-        end
-
-        # Store client registration
-        client_info = {
-          client_id: client_id,
-          client_secret: client_secret,
-          client_id_issued_at: Time.current.to_i,
-          client_metadata: client_metadata,
-          created_at: Time.current
-        }
-
-        # Save client registration (delegated to provider)
-        ActionMCP::OAuth::Provider.register_client(client_info)
-
-        # Build response according to RFC 7591
-        response_data = {
-          client_id: client_id,
-          client_id_issued_at: client_info[:client_id_issued_at]
-        }
-
-        # Include client secret for confidential clients
-        if client_secret
-          response_data[:client_secret] = client_secret
-          response_data[:client_secret_expires_at] = 0 # Never expires
-        end
-
-        # Include all client metadata in response
-        response_data.merge!(client_metadata)
-
-        # Add registration management fields if enabled
-        if oauth_config[:enable_registration_management]
-          response_data[:registration_access_token] = generate_registration_access_token(client_id)
-          response_data[:registration_client_uri] = registration_client_url(client_id)
-        end
-
-        render json: response_data, status: :created
-      rescue ActionMCP::OAuth::Error => e
-        render_registration_error(e.oauth_error_code, e.message)
-      rescue StandardError => e
-        Rails.logger.error "Registration error: #{e.message}"
-        render_registration_error("invalid_client_metadata", "Invalid client metadata")
-      end
-
-      private
-
-      def check_oauth_enabled
-        auth_methods = ActionMCP.configuration.authentication_methods
-        unless auth_methods&.include?("oauth")
-          head :not_found
-        end
-      end
-
-      def check_registration_enabled
-        unless oauth_config[:enable_dynamic_registration]
-          head :not_found
-        end
-      end
-
-      def oauth_config
-        @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
-      end
-
-      def parse_client_metadata
-        # RFC 7591 requires JSON request body
-        unless request.content_type&.include?("application/json")
-          raise ActionMCP::OAuth::InvalidRequestError, "Content-Type must be application/json"
-        end
-
-        JSON.parse(request.body.read)
-      rescue JSON::ParserError
-        raise ActionMCP::OAuth::InvalidRequestError, "Invalid JSON"
-      end
-
-      def validate_client_metadata(metadata)
-        # Validate redirect URIs (required for authorization code flow)
-        if metadata["grant_types"]&.include?("authorization_code") ||
-           metadata["response_types"]&.include?("code")
-          unless metadata["redirect_uris"].is_a?(Array) && metadata["redirect_uris"].any?
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "redirect_uris required for authorization code flow"
-          end
-
-          # Validate redirect URI format
-          metadata["redirect_uris"].each do |uri|
-            validate_redirect_uri(uri)
-          end
-        end
-
-        # Validate grant types
-        if metadata["grant_types"]
-          unsupported = metadata["grant_types"] - supported_grant_types
-          if unsupported.any?
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported grant types: #{unsupported.join(', ')}"
-          end
-        end
-
-        # Validate response types
-        if metadata["response_types"]
-          unsupported = metadata["response_types"] - supported_response_types
-          if unsupported.any?
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported response types: #{unsupported.join(', ')}"
-          end
-        end
-
-        # Validate token endpoint auth method
-        if metadata["token_endpoint_auth_method"]
-          unless supported_auth_methods.include?(metadata["token_endpoint_auth_method"])
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported token endpoint auth method"
-          end
-        end
-      end
-
-      def validate_redirect_uri(uri)
-        parsed = URI.parse(uri)
-
-        # Must be absolute URI
-        unless parsed.absolute?
-          raise ActionMCP::OAuth::InvalidClientMetadataError, "Redirect URI must be absolute"
-        end
-
-        # For non-localhost, must use HTTPS
-        unless parsed.host == "localhost" || parsed.host == "127.0.0.1" || parsed.scheme == "https"
-          raise ActionMCP::OAuth::InvalidClientMetadataError, "Redirect URI must use HTTPS"
-        end
-      rescue URI::InvalidURIError
-        raise ActionMCP::OAuth::InvalidClientMetadataError, "Invalid redirect URI format"
-      end
-
-      def generate_client_id
-        # Generate a unique client identifier
-        "mcp_#{SecureRandom.hex(16)}"
-      end
-
-      def generate_client_secret
-        # Generate a secure client secret
-        SecureRandom.urlsafe_base64(32)
-      end
-
-      def generate_registration_access_token(client_id)
-        # Generate a token for managing this registration
-        SecureRandom.urlsafe_base64(32)
-      end
-
-      def registration_client_url(client_id)
-        "#{request.base_url}/oauth/register/#{client_id}"
-      end
-
-      def supported_grant_types
-        grants = [ "authorization_code" ]
-        grants << "refresh_token" if oauth_config[:enable_refresh_tokens]
-        grants << "client_credentials" if oauth_config[:enable_client_credentials]
-        grants
-      end
-
-      def supported_response_types
-        [ "code" ]
-      end
-
-      def supported_auth_methods
-        methods = [ "client_secret_basic", "client_secret_post" ]
-        methods << "none" if oauth_config.fetch(:allow_public_clients, true)
-        methods
-      end
-
-      def render_registration_error(error_code, description)
-        render json: {
-          error: error_code,
-          error_description: description
-        }, status: :bad_request
-      end
-    end
-
-    # Custom error for invalid client metadata
-    class InvalidClientMetadataError < Error
-      def initialize(message = "Invalid client metadata")
-        super(message, "invalid_client_metadata")
-      end
-    end
-  end
-end

data/app/models/action_mcp/oauth_client.rb

@@ -1,157 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  # OAuth 2.0 Client model for storing registered clients
-  # == Schema Information
-  #
-  # Table name: action_mcp_oauth_clients
-  #
-  #  id                         :integer          not null, primary key
-  #  active                     :boolean          default(TRUE)
-  #  client_id_issued_at        :integer
-  #  client_name                :string
-  #  client_secret              :string
-  #  client_secret_expires_at   :integer
-  #  grant_types                :json
-  #  metadata                   :json
-  #  redirect_uris              :json
-  #  registration_access_token  :string
-  #  response_types             :json
-  #  scope                      :text
-  #  token_endpoint_auth_method :string           default("client_secret_basic")
-  #  created_at                 :datetime         not null
-  #  updated_at                 :datetime         not null
-  #  client_id                  :string           not null
-  #
-  # Indexes
-  #
-  #  index_action_mcp_oauth_clients_on_active               (active)
-  #  index_action_mcp_oauth_clients_on_client_id            (client_id) UNIQUE
-  #  index_action_mcp_oauth_clients_on_client_id_issued_at  (client_id_issued_at)
-  #
-  # Implements RFC 7591 Dynamic Client Registration
-  class OAuthClient < ApplicationRecord
-    self.table_name = "action_mcp_oauth_clients"
-
-    # Validations
-    validates :client_id, presence: true, uniqueness: true
-    validates :token_endpoint_auth_method, inclusion: {
-      in: %w[none client_secret_basic client_secret_post client_secret_jwt private_key_jwt]
-    }
-
-    # Scopes
-    scope :active, -> { where(active: true) }
-    scope :expired, -> { where("client_secret_expires_at < ?", Time.current.to_i).where.not(client_secret_expires_at: [ nil, 0 ]) }
-
-    # Callbacks
-    before_create :set_issued_at
-
-    # Check if client secret is expired
-    def secret_expired?
-      return false if client_secret_expires_at.nil? || client_secret_expires_at == 0
-      Time.current.to_i > client_secret_expires_at
-    end
-
-    # Check if client is public (no authentication required)
-    def public_client?
-      token_endpoint_auth_method == "none"
-    end
-
-    # Check if client is confidential (authentication required)
-    def confidential_client?
-      !public_client?
-    end
-
-    # Validate redirect URI against registered URIs
-    def valid_redirect_uri?(uri)
-      return false if redirect_uris.blank?
-      redirect_uris.include?(uri)
-    end
-
-    # Check if grant type is supported by this client
-    def supports_grant_type?(grant_type)
-      grant_types.include?(grant_type)
-    end
-
-    # Check if response type is supported by this client
-    def supports_response_type?(response_type)
-      response_types.include?(response_type)
-    end
-
-    # Check if scope is allowed for this client
-    def valid_scope?(requested_scope)
-      return true if scope.blank? # No scope restrictions
-
-      requested_scopes = requested_scope.split(" ")
-      allowed_scopes = scope.split(" ")
-
-      # All requested scopes must be in allowed scopes
-      (requested_scopes - allowed_scopes).empty?
-    end
-
-    # Convert to hash for API responses
-    def to_api_response
-      response = {
-        client_id: client_id,
-        client_id_issued_at: client_id_issued_at
-      }
-
-      # Include client secret for confidential clients
-      if client_secret.present?
-        response[:client_secret] = client_secret
-        response[:client_secret_expires_at] = client_secret_expires_at || 0
-      end
-
-      # Include metadata fields
-      %w[
-        client_name redirect_uris grant_types response_types
-        token_endpoint_auth_method scope
-      ].each do |field|
-        value = send(field)
-        response[field.to_sym] = value if value.present?
-      end
-
-      # Include additional metadata
-      response.merge!(metadata) if metadata.present?
-
-      response
-    end
-
-    # Create from registration request
-    def self.create_from_registration(client_metadata)
-      client = new
-
-      # Set basic fields
-      client.client_id = "mcp_#{SecureRandom.hex(16)}"
-
-      # Set metadata fields
-      %w[
-        client_name redirect_uris grant_types response_types
-        token_endpoint_auth_method scope
-      ].each do |field|
-        client.send("#{field}=", client_metadata[field]) if client_metadata[field]
-      end
-
-      # Generate client secret for confidential clients
-      if client.confidential_client?
-        client.client_secret = SecureRandom.urlsafe_base64(32)
-      end
-
-      # Store any additional metadata
-      known_fields = %w[
-        client_name redirect_uris grant_types response_types
-        token_endpoint_auth_method scope
-      ]
-      additional_metadata = client_metadata.except(*known_fields)
-      client.metadata = additional_metadata if additional_metadata.present?
-
-      client
-    end
-
-    private
-
-    def set_issued_at
-      self.client_id_issued_at ||= Time.current.to_i
-    end
-  end
-end

data/app/models/action_mcp/oauth_token.rb

@@ -1,141 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  # == Schema Information
-  #
-  # Table name: action_mcp_oauth_tokens
-  #
-  #  id                    :integer          not null, primary key
-  #  access_token          :string
-  #  code_challenge        :string
-  #  code_challenge_method :string
-  #  expires_at            :datetime
-  #  metadata              :json
-  #  redirect_uri          :string
-  #  revoked               :boolean          default(FALSE)
-  #  scope                 :text
-  #  token                 :string           not null
-  #  token_type            :string           not null
-  #  created_at            :datetime         not null
-  #  updated_at            :datetime         not null
-  #  client_id             :string           not null
-  #  user_id               :string
-  #
-  # Indexes
-  #
-  #  index_action_mcp_oauth_tokens_on_client_id                  (client_id)
-  #  index_action_mcp_oauth_tokens_on_expires_at                 (expires_at)
-  #  index_action_mcp_oauth_tokens_on_revoked                    (revoked)
-  #  index_action_mcp_oauth_tokens_on_token                      (token) UNIQUE
-  #  index_action_mcp_oauth_tokens_on_token_type                 (token_type)
-  #  index_action_mcp_oauth_tokens_on_token_type_and_expires_at  (token_type,expires_at)
-  #  index_action_mcp_oauth_tokens_on_user_id                    (user_id)
-  #
-  # OAuth 2.0 Token model for storing access tokens, refresh tokens, and authorization codes
-  class OAuthToken < ApplicationRecord
-    self.table_name = "action_mcp_oauth_tokens"
-
-    # Token types
-    ACCESS_TOKEN = "access_token"
-    REFRESH_TOKEN = "refresh_token"
-    AUTHORIZATION_CODE = "authorization_code"
-
-    # Validations
-    validates :token, presence: true, uniqueness: true
-    validates :token_type, presence: true, inclusion: { in: [ ACCESS_TOKEN, REFRESH_TOKEN, AUTHORIZATION_CODE ] }
-    validates :client_id, presence: true
-    validates :expires_at, presence: true
-
-    # Scopes
-    scope :active, -> { where(revoked: false).where("expires_at > ?", Time.current) }
-    scope :expired, -> { where("expires_at <= ?", Time.current) }
-    scope :access_tokens, -> { where(token_type: ACCESS_TOKEN) }
-    scope :refresh_tokens, -> { where(token_type: REFRESH_TOKEN) }
-    scope :authorization_codes, -> { where(token_type: AUTHORIZATION_CODE) }
-
-    # Check if token is still valid
-    def still_valid?
-      !revoked? && !expired?
-    end
-
-    # Check if token is expired
-    def expired?
-      expires_at <= Time.current
-    end
-
-    # Revoke the token
-    def revoke!
-      update!(revoked: true)
-    end
-
-    # Convert to introspection response
-    def to_introspection_response
-      if still_valid?
-        {
-          active: true,
-          scope: scope,
-          client_id: client_id,
-          username: user_id,
-          token_type: token_type == ACCESS_TOKEN ? "Bearer" : token_type,
-          exp: expires_at.to_i,
-          iat: created_at.to_i,
-          nbf: created_at.to_i,
-          sub: user_id,
-          aud: client_id,
-          iss: ActionMCP.configuration.oauth_config&.dig("issuer_url")
-        }.compact
-      else
-        { active: false }
-      end
-    end
-
-    # Create authorization code
-    def self.create_authorization_code(client_id:, user_id:, redirect_uri:, scope:, code_challenge: nil, code_challenge_method: nil)
-      create!(
-        token: SecureRandom.urlsafe_base64(32),
-        token_type: AUTHORIZATION_CODE,
-        client_id: client_id,
-        user_id: user_id,
-        redirect_uri: redirect_uri,
-        scope: scope,
-        code_challenge: code_challenge,
-        code_challenge_method: code_challenge_method,
-        expires_at: 10.minutes.from_now
-      )
-    end
-
-    # Create access token
-    def self.create_access_token(client_id:, user_id:, scope:)
-      expires_in = ActionMCP.configuration.oauth_config&.dig("access_token_expires_in") || 3600
-
-      create!(
-        token: SecureRandom.urlsafe_base64(32),
-        token_type: ACCESS_TOKEN,
-        client_id: client_id,
-        user_id: user_id,
-        scope: scope,
-        expires_at: expires_in.seconds.from_now
-      )
-    end
-
-    # Create refresh token
-    def self.create_refresh_token(client_id:, user_id:, scope:, access_token:)
-      expires_in = ActionMCP.configuration.oauth_config&.dig("refresh_token_expires_in") || 7.days.to_i
-
-      create!(
-        token: SecureRandom.urlsafe_base64(32),
-        token_type: REFRESH_TOKEN,
-        client_id: client_id,
-        user_id: user_id,
-        scope: scope,
-        access_token: access_token,
-        expires_at: expires_in.seconds.from_now
-      )
-    end
-
-    # Clean up expired tokens
-    def self.cleanup_expired
-      expired.delete_all
-    end
-  end
-end

data/db/migrate/20250608112101_add_oauth_to_sessions.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-class AddOAuthToSessions < ActiveRecord::Migration[8.0]
-  def change
-    # Use json for all databases (PostgreSQL, SQLite3, MySQL) for consistency
-    json_type = :json
-
-    add_column :action_mcp_sessions, :oauth_access_token, :string unless column_exists?(:action_mcp_sessions, :oauth_access_token)
-    add_column :action_mcp_sessions, :oauth_refresh_token, :string unless column_exists?(:action_mcp_sessions, :oauth_refresh_token)
-    add_column :action_mcp_sessions, :oauth_token_expires_at, :datetime unless column_exists?(:action_mcp_sessions, :oauth_token_expires_at)
-    add_column :action_mcp_sessions, :oauth_user_context, json_type unless column_exists?(:action_mcp_sessions, :oauth_user_context)
-    add_column :action_mcp_sessions, :authentication_method, :string, default: "none" unless column_exists?(:action_mcp_sessions, :authentication_method)
-
-    # Add indexes for performance
-    add_index :action_mcp_sessions, :oauth_access_token, unique: true unless index_exists?(:action_mcp_sessions, :oauth_access_token)
-    add_index :action_mcp_sessions, :oauth_token_expires_at unless index_exists?(:action_mcp_sessions, :oauth_token_expires_at)
-    add_index :action_mcp_sessions, :authentication_method unless index_exists?(:action_mcp_sessions, :authentication_method)
-  end
-end

data/db/migrate/20250708105124_create_action_mcp_oauth_clients.rb

@@ -1,42 +0,0 @@
-class CreateActionMCPOAuthClients < ActiveRecord::Migration[7.2]
-  def change
-    create_table :action_mcp_oauth_clients do |t|
-      t.string :client_id, null: false, index: { unique: true }
-      t.string :client_secret
-      t.string :client_name
-
-      # Store arrays as JSON for database compatibility
-      if connection.adapter_name.downcase.include?('postgresql')
-        t.text :redirect_uris, array: true, default: []
-        t.text :grant_types, array: true, default: [ "authorization_code" ]
-        t.text :response_types, array: true, default: [ "code" ]
-      else
-        # For SQLite and other databases, use JSON
-        t.json :redirect_uris, default: []
-        t.json :grant_types, default: [ "authorization_code" ]
-        t.json :response_types, default: [ "code" ]
-      end
-
-      t.string :token_endpoint_auth_method, default: "client_secret_basic"
-      t.text :scope
-      t.boolean :active, default: true
-
-      # Registration metadata
-      t.integer :client_id_issued_at
-      t.integer :client_secret_expires_at
-      t.string :registration_access_token # OAuth 2.1 Dynamic Client Registration
-
-      # Additional metadata as JSON for database compatibility
-      if connection.adapter_name.downcase.include?('postgresql')
-        t.jsonb :metadata, default: {}
-      else
-        t.json :metadata, default: {}
-      end
-
-      t.timestamps
-    end
-
-    add_index :action_mcp_oauth_clients, :active
-    add_index :action_mcp_oauth_clients, :client_id_issued_at
-  end
-end