actionmcp 0.71.1 → 0.80.0

data/db/migrate/20250708105226_create_action_mcp_oauth_tokens.rb

@@ -1,37 +0,0 @@
-class CreateActionMCPOAuthTokens < ActiveRecord::Migration[7.2]
-  def change
-    create_table :action_mcp_oauth_tokens do |t|
-      t.string :token, null: false, index: { unique: true }
-      t.string :token_type, null: false # 'access_token', 'refresh_token', 'authorization_code'
-      t.string :client_id, null: false
-      t.string :user_id
-      t.text :scope
-      t.datetime :expires_at
-      t.boolean :revoked, default: false
-
-      # For authorization codes
-      t.string :redirect_uri
-      t.string :code_challenge
-      t.string :code_challenge_method
-
-      # For refresh tokens
-      t.string :access_token # Reference to associated access token
-
-      # Additional data - use JSON for database compatibility
-      if connection.adapter_name.downcase.include?('postgresql')
-        t.jsonb :metadata, default: {}
-      else
-        t.json :metadata, default: {}
-      end
-
-      t.timestamps
-    end
-
-    add_index :action_mcp_oauth_tokens, :token_type
-    add_index :action_mcp_oauth_tokens, :client_id
-    add_index :action_mcp_oauth_tokens, :user_id
-    add_index :action_mcp_oauth_tokens, :expires_at
-    add_index :action_mcp_oauth_tokens, :revoked
-    add_index :action_mcp_oauth_tokens, [ :token_type, :expires_at ]
-  end
-end

data/lib/action_mcp/client/jwt_client_provider.rb

@@ -1,134 +0,0 @@
-# frozen_string_literal: true
-
-require "json"
-require "base64"
-
-module ActionMCP
-  module Client
-    # JWT client provider for MCP client authentication
-    # Provides clean JWT token management for ActionMCP client connections
-    class JwtClientProvider
-      class AuthenticationError < StandardError; end
-      class TokenExpiredError < StandardError; end
-
-      attr_reader :storage
-
-      def initialize(token: nil, storage: nil, logger: ActionMCP.logger)
-        @storage = storage || MemoryStorage.new
-        @logger = logger
-
-        # If token provided during initialization, store it
-        if token
-          save_token(token)
-        end
-      end
-
-      # Check if client has valid authentication
-      def authenticated?
-        token = current_token
-        return false unless token
-
-        !token_expired?(token)
-      end
-
-      # Get authorization headers for HTTP requests
-      def authorization_headers
-        token = current_token
-        return {} unless token
-
-        if token_expired?(token)
-          log_debug("JWT token expired")
-          clear_tokens!
-          return {}
-        end
-
-        { "Authorization" => "Bearer #{token}" }
-      end
-
-      # Set/update the JWT token
-      def set_token(token)
-        save_token(token)
-        log_debug("JWT token updated")
-      end
-
-      # Clear stored tokens (logout)
-      def clear_tokens!
-        @storage.clear_token
-        log_debug("Cleared JWT token")
-      end
-
-      # Get current valid token
-      def access_token
-        token = current_token
-        return nil unless token
-        return nil if token_expired?(token)
-        token
-      end
-
-      private
-
-      def current_token
-        @storage.load_token
-      end
-
-      def save_token(token)
-        @storage.save_token(token)
-      end
-
-      def token_expired?(token)
-        return false unless token
-
-        begin
-          payload = decode_jwt_payload(token)
-          exp = payload["exp"]
-          return false unless exp
-
-          # Add 30 second buffer for clock skew
-          Time.at(exp) <= Time.now + 30
-        rescue => e
-          log_debug("Error checking token expiration: #{e.message}")
-          true # Treat invalid tokens as expired
-        end
-      end
-
-      def decode_jwt_payload(token)
-        # Split JWT into parts
-        parts = token.split(".")
-        raise AuthenticationError, "Invalid JWT format" unless parts.length == 3
-
-        # Decode payload (second part)
-        payload_base64 = parts[1]
-        # Add padding if needed
-        payload_base64 += "=" * (4 - payload_base64.length % 4) if payload_base64.length % 4 != 0
-
-        payload_json = Base64.urlsafe_decode64(payload_base64)
-        JSON.parse(payload_json)
-      rescue => e
-        raise AuthenticationError, "Failed to decode JWT: #{e.message}"
-      end
-
-      def log_debug(message)
-        @logger.debug("[ActionMCP::JwtClientProvider] #{message}")
-      end
-
-      # Simple memory storage for JWT tokens
-      class MemoryStorage
-        def initialize
-          @token = nil
-        end
-
-        def save_token(token)
-          @token = token
-        end
-
-        def load_token
-          @token
-        end
-
-        def clear_token
-          @token = nil
-        end
-      end
-    end
-  end
-end

data/lib/action_mcp/client/oauth_client_provider/memory_storage.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module Client
-    class OauthClientProvider
-      # Simple in-memory storage for development
-      # In production, use persistent storage
-      class MemoryStorage
-        def initialize
-          @data = {}
-        end
-
-        def save_tokens(tokens)
-          @data[:tokens] = tokens
-        end
-
-        def load_tokens
-          @data[:tokens]
-        end
-
-        def clear_tokens
-          @data.delete(:tokens)
-        end
-
-        def save_code_verifier(verifier)
-          @data[:code_verifier] = verifier
-        end
-
-        def load_code_verifier
-          @data[:code_verifier]
-        end
-
-        def clear_code_verifier
-          @data.delete(:code_verifier)
-        end
-
-        def save_client_information(info)
-          @data[:client_information] = info
-        end
-
-        def load_client_information
-          @data[:client_information]
-        end
-      end
-    end
-  end
-end

data/lib/action_mcp/client/oauth_client_provider.rb

@@ -1,234 +0,0 @@
-# frozen_string_literal: true
-
-require "faraday"
-require "pkce_challenge"
-require "securerandom"
-require "uri"
-require "json"
-
-module ActionMCP
-  module Client
-    # OAuth client provider for MCP client authentication
-    # Implements OAuth 2.1 authorization code flow with PKCE
-    class OauthClientProvider
-      class AuthenticationError < StandardError; end
-      class TokenExpiredError < StandardError; end
-      attr_reader :redirect_url, :client_metadata, :authorization_server_url
-
-      def initialize(
-        authorization_server_url:,
-        redirect_url:,
-        client_metadata: {},
-        storage: nil,
-        logger: ActionMCP.logger
-      )
-        @authorization_server_url = URI(authorization_server_url)
-        @redirect_url = URI(redirect_url)
-        @client_metadata = default_client_metadata.merge(client_metadata)
-        @storage = storage || MemoryStorage.new
-        @logger = logger
-        @http_client = build_http_client
-      end
-
-      # Get current access token for authorization headers
-      def access_token
-        tokens = current_tokens
-        return nil unless tokens
-
-        if token_expired?(tokens)
-          refresh_tokens! if tokens[:refresh_token]
-          tokens = current_tokens
-        end
-
-        tokens&.dig(:access_token)
-      end
-
-      # Check if client has valid authentication
-      def authenticated?
-        !access_token.nil?
-      end
-
-      # Start OAuth authorization flow
-      def start_authorization_flow(scope: nil, state: nil)
-        # Generate PKCE challenge
-        pkce = PkceChallenge.challenge
-        code_verifier = pkce.code_verifier
-        code_challenge = pkce.code_challenge
-        @storage.save_code_verifier(code_verifier)
-
-        # Build authorization URL
-        auth_params = {
-          response_type: "code",
-          client_id: client_id,
-          redirect_uri: @redirect_url.to_s,
-          code_challenge: code_challenge,
-          code_challenge_method: "S256"
-        }
-        auth_params[:scope] = scope if scope
-        auth_params[:state] = state if state
-
-        authorization_url = build_url(server_metadata[:authorization_endpoint], auth_params)
-
-        log_debug("Starting OAuth flow: #{authorization_url}")
-        authorization_url
-      end
-
-      # Complete OAuth flow with authorization code
-      def complete_authorization_flow(authorization_code, state: nil)
-        code_verifier = @storage.load_code_verifier
-        raise AuthenticationError, "No code verifier found" unless code_verifier
-
-        # Exchange code for tokens
-        token_params = {
-          grant_type: "authorization_code",
-          code: authorization_code,
-          redirect_uri: @redirect_url.to_s,
-          code_verifier: code_verifier,
-          client_id: client_id
-        }
-
-        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
-          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
-          req.headers["Accept"] = "application/json"
-          req.body = URI.encode_www_form(token_params)
-        end
-
-        handle_token_response(response)
-      end
-
-      # Refresh access token using refresh token
-      def refresh_tokens!
-        tokens = current_tokens
-        refresh_token = tokens&.dig(:refresh_token)
-        raise TokenExpiredError, "No refresh token available" unless refresh_token
-
-        token_params = {
-          grant_type: "refresh_token",
-          refresh_token: refresh_token,
-          client_id: client_id
-        }
-
-        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
-          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
-          req.headers["Accept"] = "application/json"
-          req.body = URI.encode_www_form(token_params)
-        end
-
-        handle_token_response(response)
-      end
-
-      # Clear stored tokens (logout)
-      def clear_tokens!
-        @storage.clear_tokens
-        @storage.clear_code_verifier if @storage.respond_to?(:clear_code_verifier)
-        log_debug("Cleared OAuth tokens and code verifier")
-      end
-
-      # Get client information for registration
-      def client_information
-        @storage.load_client_information
-      end
-
-      # Save client information after registration
-      def save_client_information(client_info)
-        @storage.save_client_information(client_info)
-      end
-
-      # Get authorization headers for HTTP requests
-      def authorization_headers
-        token = access_token
-        return {} unless token
-
-        { "Authorization" => "Bearer #{token}" }
-      end
-
-      private
-
-      def current_tokens
-        @storage.load_tokens
-      end
-
-      def save_tokens(tokens)
-        @storage.save_tokens(tokens)
-      end
-
-      def token_expired?(tokens)
-        expires_at = tokens[:expires_at]
-        return false unless expires_at
-
-        Time.at(expires_at) <= Time.now + 30 # 30 second buffer
-      end
-
-      def client_id
-        client_info = client_information
-        client_info&.dig(:client_id) || @client_metadata[:client_id]
-      end
-
-      def server_metadata
-        @server_metadata ||= fetch_server_metadata
-      end
-
-      def fetch_server_metadata
-        well_known_url = @authorization_server_url.dup
-        well_known_url.path = "/.well-known/oauth-authorization-server"
-
-        response = @http_client.get(well_known_url)
-        unless response.success?
-          raise AuthenticationError, "Failed to fetch server metadata: #{response.status}"
-        end
-
-        JSON.parse(response.body, symbolize_names: true)
-      end
-
-      def handle_token_response(response)
-        unless response.success?
-          error_body = JSON.parse(response.body) rescue {}
-          error_msg = error_body["error_description"] || error_body["error"] || "Token request failed"
-          raise AuthenticationError, "#{error_msg} (#{response.status})"
-        end
-
-        token_data = JSON.parse(response.body, symbolize_names: true)
-
-        # Calculate token expiration
-        if token_data[:expires_in]
-          token_data[:expires_at] = Time.now.to_i + token_data[:expires_in].to_i
-        end
-
-        save_tokens(token_data)
-        log_debug("OAuth tokens obtained successfully")
-        token_data
-      end
-
-      def build_url(base_url, params)
-        uri = URI(base_url)
-        uri.query = URI.encode_www_form(params)
-        uri.to_s
-      end
-
-      def build_http_client
-        Faraday.new do |f|
-          f.headers["User-Agent"] = "ActionMCP-OAuth/#{ActionMCP.gem_version}"
-          f.options.timeout = 30
-          f.options.open_timeout = 10
-          f.adapter :net_http
-        end
-      end
-
-      def default_client_metadata
-        {
-          client_name: "ActionMCP Client",
-          client_uri: "https://github.com/anthropics/action_mcp",
-          redirect_uris: [ @redirect_url.to_s ],
-          grant_types: [ "authorization_code", "refresh_token" ],
-          response_types: [ "code" ],
-          token_endpoint_auth_method: "none", # Public client
-          code_challenge_methods_supported: [ "S256" ]
-        }
-      end
-
-      def log_debug(message)
-        @logger.debug("[ActionMCP::OAuthClientProvider] #{message}")
-      end
-    end
-  end
-end

data/lib/action_mcp/jwt_decoder.rb

@@ -1,26 +0,0 @@
-require "jwt"
-
-module ActionMCP
-  class JwtDecoder
-    class DecodeError < StandardError; end
-
-    # Configurable defaults
-    class << self
-      attr_accessor :secret, :algorithm
-
-      def decode(token)
-        payload, _header = JWT.decode(token, secret, true, { algorithm: algorithm })
-        payload
-      rescue JWT::ExpiredSignature
-        raise DecodeError, "Token has expired"
-      rescue JWT::DecodeError => e
-        # Simplify the error message for invalid tokens
-        raise DecodeError, "Invalid token"
-      end
-    end
-
-    # Defaults (can be overridden in an initializer)
-    self.secret = ENV.fetch("ACTION_MCP_JWT_SECRET") { "change-me" }
-    self.algorithm = "HS256"
-  end
-end

data/lib/action_mcp/jwt_identifier.rb

@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  class JwtIdentifier < GatewayIdentifier
-    identifier :user
-    authenticates :jwt
-
-    def resolve
-      token = extract_bearer_token
-      raise Unauthorized, "Missing JWT" unless token
-
-      payload = ActionMCP::JwtDecoder.decode(token)
-      user = User.find_by(id: payload["sub"] || payload["user_id"])
-      return user if user
-
-      raise Unauthorized, "Invalid JWT user"
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      raise Unauthorized, "Invalid JWT token: #{e.message}"
-    end
-
-    private
-
-    def extract_bearer_token
-      header = @request.env["HTTP_AUTHORIZATION"] || ""
-      header[/\ABearer (.+)\z/, 1]
-    end
-  end
-end

data/lib/action_mcp/none_identifier.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  class NoneIdentifier < GatewayIdentifier
-    identifier :user
-    authenticates :none
-
-    def resolve
-      Rails.env.production? &&
-        raise(Unauthorized, "No auth allowed in production")
-
-      return "anonymous_user" unless defined?(User)
-
-      User.find_or_create_by!(email: "dev@localhost") do |user|
-        user.name = "Development User" if user.respond_to?(:name=)
-      end
-    end
-  end
-end

data/lib/action_mcp/o_auth_identifier.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  class OAuthIdentifier < GatewayIdentifier
-    identifier :user
-    authenticates :oauth
-
-    def resolve
-      info = @request.env["action_mcp.oauth_token_info"] or
-        raise Unauthorized, "Missing OAuth info"
-
-      uid = info["user_id"] || info["sub"] || info[:user_id]
-      raise Unauthorized, "Invalid OAuth info" unless uid
-
-      # Try to find existing user or create one for demo purposes
-      user = User.find_by(email: uid) ||
-             User.find_by(email: "#{uid}@example.com") ||
-             create_oauth_user(uid)
-
-      user || raise(Unauthorized, "Unable to resolve OAuth user")
-    end
-
-    private
-
-    def create_oauth_user(uid)
-      return nil unless defined?(User)
-
-      email = uid.include?("@") ? uid : "#{uid}@example.com"
-      User.create!(email: email)
-    rescue ActiveRecord::RecordInvalid
-      nil
-    end
-  end
-end