actionmcp 0.72.0 → 0.80.0

data/app/controllers/action_mcp/oauth/endpoints_controller.rb

@@ -1,265 +0,0 @@
-# frozen_string_literal: true
-
-require "ostruct"
-
-module ActionMCP
-  module OAuth
-    # OAuth 2.1 endpoints controller
-    # Handles authorization, token, introspection, and revocation endpoints
-    class EndpointsController < ActionController::Base
-      protect_from_forgery with: :null_session
-      before_action :check_oauth_enabled
-
-      # GET /oauth/authorize
-      # Authorization endpoint for OAuth 2.1 authorization code flow
-      def authorize
-        # Extract parameters
-        client_id = params[:client_id]
-        redirect_uri = params[:redirect_uri]
-        response_type = params[:response_type]
-        scope = params[:scope]
-        state = params[:state]
-        code_challenge = params[:code_challenge]
-        code_challenge_method = params[:code_challenge_method]
-
-        # Validate required parameters
-        if client_id.blank? || redirect_uri.blank? || response_type.blank?
-          return render_error("invalid_request", "Missing required parameters")
-        end
-
-        # Validate response type
-        unless response_type == "code"
-          return render_error("unsupported_response_type", "Only authorization code flow supported")
-        end
-
-        # Validate PKCE if required
-        if oauth_config["pkce_required"] && code_challenge.blank?
-          return render_error("invalid_request", "PKCE required")
-        end
-
-        # In a real implementation, this would show a consent page
-        # For now, we'll auto-approve for configured clients
-        if auto_approve_client?(client_id)
-          # Generate authorization code
-          user_id = current_user&.id || "anonymous"
-
-          begin
-            code = ActionMCP::OAuth::Provider.generate_authorization_code(
-              client_id: client_id,
-              redirect_uri: redirect_uri,
-              scope: scope || default_scope,
-              code_challenge: code_challenge,
-              code_challenge_method: code_challenge_method,
-              user_id: user_id
-            )
-
-            # Redirect back to client with authorization code
-            redirect_params = { code: code }
-            redirect_params[:state] = state if state
-            redirect_to "#{redirect_uri}?#{redirect_params.to_query}", allow_other_host: true
-          rescue ActionMCP::OAuth::Error => e
-            render_error(e.oauth_error_code, e.message)
-          end
-        else
-          # In production, show consent page
-          render_consent_page(client_id, redirect_uri, scope, state, code_challenge, code_challenge_method)
-        end
-      end
-
-      # POST /oauth/token
-      # Token endpoint for exchanging authorization codes and refreshing tokens
-      def token
-        grant_type = params[:grant_type]
-
-        case grant_type
-        when "authorization_code"
-          handle_authorization_code_grant
-        when "refresh_token"
-          handle_refresh_token_grant
-        when "client_credentials"
-          handle_client_credentials_grant
-        else
-          render_token_error("unsupported_grant_type", "Unsupported grant type")
-        end
-      rescue ActionMCP::OAuth::Error => e
-        render_token_error(e.oauth_error_code, e.message)
-      end
-
-      # POST /oauth/introspect
-      # Token introspection endpoint (RFC 7662)
-      def introspect
-        token = params[:token]
-        return render_introspection_error unless token
-
-        # Authenticate client for introspection
-        client_id, = extract_client_credentials
-        return render_introspection_error unless client_id
-
-        begin
-          token_info = ActionMCP::OAuth::Provider.introspect_token(token)
-          render json: token_info
-        rescue ActionMCP::OAuth::Error
-          render json: { active: false }
-        end
-      end
-
-      # POST /oauth/revoke
-      # Token revocation endpoint (RFC 7009)
-      def revoke
-        token = params[:token]
-        token_type_hint = params[:token_type_hint]
-
-        return head :bad_request unless token
-
-        # Authenticate client
-        client_id, = extract_client_credentials
-        return head :unauthorized unless client_id
-
-        begin
-          ActionMCP::OAuth::Provider.revoke_token(token, token_type_hint: token_type_hint)
-          head :ok
-        rescue ActionMCP::OAuth::Error
-          head :bad_request
-        end
-      end
-
-      private
-
-      def check_oauth_enabled
-        auth_methods = ActionMCP.configuration.authentication_methods
-        return if auth_methods&.include?("oauth")
-
-        head :not_found
-      end
-
-      def oauth_config
-        @oauth_config ||= ActionMCP.configuration.oauth_config || {}
-      end
-
-      def handle_authorization_code_grant
-        code = params[:code]
-        client_id = params[:client_id]
-        client_secret = params[:client_secret]
-        redirect_uri = params[:redirect_uri]
-        code_verifier = params[:code_verifier]
-
-        # Extract client credentials from Authorization header if not in params
-        client_id, client_secret = extract_client_credentials if client_id.blank?
-
-        return render_token_error("invalid_request", "Missing required parameters") if code.blank? || client_id.blank?
-
-        token_response = ActionMCP::OAuth::Provider.exchange_code_for_token(
-          code: code,
-          client_id: client_id,
-          client_secret: client_secret,
-          redirect_uri: redirect_uri,
-          code_verifier: code_verifier
-        )
-
-        render json: token_response
-      end
-
-      def handle_refresh_token_grant
-        refresh_token = params[:refresh_token]
-        scope = params[:scope]
-
-        # Extract client credentials
-        client_id, client_secret = extract_client_credentials
-        client_id ||= params[:client_id]
-        client_secret ||= params[:client_secret]
-
-        if refresh_token.blank? || client_id.blank?
-          return render_token_error("invalid_request",
-                                    "Missing required parameters")
-        end
-
-        token_response = ActionMCP::OAuth::Provider.refresh_access_token(
-          refresh_token: refresh_token,
-          client_id: client_id,
-          client_secret: client_secret,
-          scope: scope
-        )
-
-        render json: token_response
-      end
-
-      def handle_client_credentials_grant
-        scope = params[:scope]
-
-        # Extract client credentials
-        client_id, client_secret = extract_client_credentials
-        client_id ||= params[:client_id]
-        client_secret ||= params[:client_secret]
-
-        return render_token_error("invalid_request", "Missing client credentials") if client_id.blank?
-
-        token_response = ActionMCP::OAuth::Provider.client_credentials_grant(
-          client_id: client_id,
-          client_secret: client_secret,
-          scope: scope
-        )
-
-        render json: token_response
-      end
-
-      def extract_client_credentials
-        auth_header = request.headers["Authorization"]
-        if auth_header&.start_with?("Basic ")
-          encoded = auth_header.split(" ", 2).last
-          decoded = Base64.decode64(encoded)
-          decoded.split(":", 2)
-        else
-          [ nil, nil ]
-        end
-      end
-
-      def auto_approve_client?(client_id)
-        # In development/testing, auto-approve known clients
-        # In production, this should check a proper client registry
-        Rails.env.development? || Rails.env.test? || oauth_config["auto_approve_clients"]&.include?(client_id)
-      end
-
-      def current_user
-        # This should be implemented by the application
-        # For now, return a default user for development
-        if Rails.env.development? || Rails.env.test?
-          OpenStruct.new(id: "dev_user", email: "dev@example.com")
-        else
-          # In production, this should integrate with your authentication system
-          nil
-        end
-      end
-
-      def default_scope
-        oauth_config["default_scope"] || "mcp:tools mcp:resources mcp:prompts"
-      end
-
-      def render_error(error_code, description)
-        render json: {
-          error: error_code,
-          error_description: description
-        }, status: :bad_request
-      end
-
-      def render_token_error(error_code, description)
-        render json: {
-          error: error_code,
-          error_description: description
-        }, status: :bad_request
-      end
-
-      def render_introspection_error
-        render json: { active: false }, status: :bad_request
-      end
-
-      def render_consent_page(_client_id, _redirect_uri, _scope, _state, _code_challenge, _code_challenge_method)
-        # In production, this would render a proper consent page
-        # For now, just auto-deny unknown clients
-        render json: {
-          error: "access_denied",
-          error_description: "User denied authorization"
-        }, status: :forbidden
-      end
-    end
-  end
-end

data/app/controllers/action_mcp/oauth/metadata_controller.rb

@@ -1,125 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # Controller for OAuth 2.1 metadata endpoints
-    # Provides server discovery information as per RFC 8414
-    class MetadataController < ActionController::Base
-      before_action :check_oauth_enabled
-
-      # GET /.well-known/oauth-authorization-server
-      # Returns OAuth Authorization Server Metadata as per RFC 8414
-      def authorization_server
-        metadata = {
-          issuer: issuer_url,
-          authorization_endpoint: authorization_endpoint,
-          token_endpoint: token_endpoint,
-          introspection_endpoint: introspection_endpoint,
-          revocation_endpoint: revocation_endpoint,
-          response_types_supported: response_types_supported,
-          grant_types_supported: grant_types_supported,
-          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported,
-          scopes_supported: scopes_supported,
-          code_challenge_methods_supported: code_challenge_methods_supported,
-          service_documentation: service_documentation
-        }
-
-        # Add optional fields based on configuration
-        metadata[:registration_endpoint] = registration_endpoint if oauth_config[:enable_dynamic_registration]
-
-        metadata[:jwks_uri] = oauth_config[:jwks_uri] if oauth_config[:jwks_uri]
-
-        render json: metadata
-      end
-
-      # GET /.well-known/oauth-protected-resource
-      # Returns Protected Resource Metadata as per RFC 8705
-      def protected_resource
-        metadata = {
-          resource: issuer_url,
-          authorization_servers: [ issuer_url ],
-          scopes_supported: scopes_supported,
-          bearer_methods_supported: [ "header" ],
-          resource_documentation: resource_documentation
-        }
-
-        render json: metadata
-      end
-
-      private
-
-      def check_oauth_enabled
-        auth_methods = ActionMCP.configuration.authentication_methods
-        return if auth_methods&.include?("oauth")
-
-        head :not_found
-      end
-
-      def oauth_config
-        @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
-      end
-
-      def issuer_url
-        @issuer_url ||= oauth_config.fetch(:issuer_url, request.base_url)
-      end
-
-      def authorization_endpoint
-        "#{issuer_url}/oauth/authorize"
-      end
-
-      def token_endpoint
-        "#{issuer_url}/oauth/token"
-      end
-
-      def introspection_endpoint
-        "#{issuer_url}/oauth/introspect"
-      end
-
-      def revocation_endpoint
-        "#{issuer_url}/oauth/revoke"
-      end
-
-      def registration_endpoint
-        "#{issuer_url}/oauth/register"
-      end
-
-      def response_types_supported
-        [ "code" ]
-      end
-
-      def grant_types_supported
-        grants = [ "authorization_code" ]
-        grants << "refresh_token" if oauth_config[:enable_refresh_tokens]
-        grants << "client_credentials" if oauth_config[:enable_client_credentials]
-        grants
-      end
-
-      def token_endpoint_auth_methods_supported
-        methods = %w[client_secret_basic client_secret_post]
-        methods << "none" if oauth_config[:allow_public_clients]
-        methods
-      end
-
-      def scopes_supported
-        oauth_config.fetch(:scopes_supported, [ "mcp:tools", "mcp:resources", "mcp:prompts" ])
-      end
-
-      def code_challenge_methods_supported
-        methods = []
-        if oauth_config[:pkce_required] || oauth_config[:pkce_supported]
-          methods << "S256"
-          methods << "plain" if oauth_config[:allow_plain_pkce]
-        end
-        methods
-      end
-
-      def service_documentation
-        oauth_config.fetch(:service_documentation, "#{request.base_url}/docs")
-      end
-
-      def resource_documentation
-        oauth_config.fetch(:resource_documentation, "#{request.base_url}/docs/api")
-      end
-    end
-  end
-end

data/app/controllers/action_mcp/oauth/registration_controller.rb

@@ -1,201 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # OAuth 2.0 Dynamic Client Registration Controller (RFC 7591)
-    # Allows clients to dynamically register with the authorization server
-    class RegistrationController < ActionController::Base
-      protect_from_forgery with: :null_session
-      before_action :check_oauth_enabled
-      before_action :check_registration_enabled
-
-      # POST /oauth/register
-      # Dynamic client registration endpoint as per RFC 7591
-      def create
-        # Parse client metadata from request body
-        client_metadata = parse_client_metadata
-
-        # Validate required fields
-        validate_client_metadata(client_metadata)
-
-        # Generate client credentials
-        client_id = generate_client_id
-        client_secret = nil # Public clients by default
-
-        # Generate client secret for confidential clients
-        client_secret = generate_client_secret if client_metadata["token_endpoint_auth_method"] != "none"
-
-        # Store client registration
-        client_info = {
-          client_id: client_id,
-          client_secret: client_secret,
-          client_id_issued_at: Time.current.to_i,
-          client_metadata: client_metadata,
-          created_at: Time.current
-        }
-
-        # Save client registration (delegated to provider)
-        ActionMCP::OAuth::Provider.register_client(client_info)
-
-        # Build response according to RFC 7591
-        response_data = {
-          client_id: client_id,
-          client_id_issued_at: client_info[:client_id_issued_at]
-        }
-
-        # Include client secret for confidential clients
-        if client_secret
-          response_data[:client_secret] = client_secret
-          response_data[:client_secret_expires_at] = 0 # Never expires
-        end
-
-        # Include all client metadata in response
-        response_data.merge!(client_metadata)
-
-        # Add registration management fields if enabled
-        if oauth_config[:enable_registration_management]
-          response_data[:registration_access_token] = generate_registration_access_token(client_id)
-          response_data[:registration_client_uri] = registration_client_url(client_id)
-        end
-
-        render json: response_data, status: :created
-      rescue ActionMCP::OAuth::Error => e
-        render_registration_error(e.oauth_error_code, e.message)
-      rescue StandardError => e
-        Rails.logger.error "Registration error: #{e.message}"
-        render_registration_error("invalid_client_metadata", "Invalid client metadata")
-      end
-
-      private
-
-      def check_oauth_enabled
-        auth_methods = ActionMCP.configuration.authentication_methods
-        return if auth_methods&.include?("oauth")
-
-        head :not_found
-      end
-
-      def check_registration_enabled
-        return if oauth_config[:enable_dynamic_registration]
-
-        head :not_found
-      end
-
-      def oauth_config
-        @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
-      end
-
-      def parse_client_metadata
-        # RFC 7591 requires JSON request body
-        unless request.content_type&.include?("application/json")
-          raise ActionMCP::OAuth::InvalidRequestError, "Content-Type must be application/json"
-        end
-
-        JSON.parse(request.body.read)
-      rescue JSON::ParserError
-        raise ActionMCP::OAuth::InvalidRequestError, "Invalid JSON"
-      end
-
-      def validate_client_metadata(metadata)
-        # Validate redirect URIs (required for authorization code flow)
-        if metadata["grant_types"]&.include?("authorization_code") ||
-           metadata["response_types"]&.include?("code")
-          unless metadata["redirect_uris"].is_a?(Array) && metadata["redirect_uris"].any?
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "redirect_uris required for authorization code flow"
-          end
-
-          # Validate redirect URI format
-          metadata["redirect_uris"].each do |uri|
-            validate_redirect_uri(uri)
-          end
-        end
-
-        # Validate grant types
-        if metadata["grant_types"]
-          unsupported = metadata["grant_types"] - supported_grant_types
-          if unsupported.any?
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported grant types: #{unsupported.join(', ')}"
-          end
-        end
-
-        # Validate response types
-        if metadata["response_types"]
-          unsupported = metadata["response_types"] - supported_response_types
-          if unsupported.any?
-            raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported response types: #{unsupported.join(', ')}"
-          end
-        end
-
-        # Validate token endpoint auth method
-        return unless metadata["token_endpoint_auth_method"]
-        return if supported_auth_methods.include?(metadata["token_endpoint_auth_method"])
-
-        raise ActionMCP::OAuth::InvalidClientMetadataError, "Unsupported token endpoint auth method"
-      end
-
-      def validate_redirect_uri(uri)
-        parsed = URI.parse(uri)
-
-        # Must be absolute URI
-        raise ActionMCP::OAuth::InvalidClientMetadataError, "Redirect URI must be absolute" unless parsed.absolute?
-
-        # For non-localhost, must use HTTPS
-        unless [ "localhost", "127.0.0.1" ].include?(parsed.host) || parsed.scheme == "https"
-          raise ActionMCP::OAuth::InvalidClientMetadataError, "Redirect URI must use HTTPS"
-        end
-      rescue URI::InvalidURIError
-        raise ActionMCP::OAuth::InvalidClientMetadataError, "Invalid redirect URI format"
-      end
-
-      def generate_client_id
-        # Generate a unique client identifier
-        "mcp_#{SecureRandom.hex(16)}"
-      end
-
-      def generate_client_secret
-        # Generate a secure client secret
-        SecureRandom.urlsafe_base64(32)
-      end
-
-      def generate_registration_access_token(_client_id)
-        # Generate a token for managing this registration
-        SecureRandom.urlsafe_base64(32)
-      end
-
-      def registration_client_url(client_id)
-        "#{request.base_url}/oauth/register/#{client_id}"
-      end
-
-      def supported_grant_types
-        grants = [ "authorization_code" ]
-        grants << "refresh_token" if oauth_config[:enable_refresh_tokens]
-        grants << "client_credentials" if oauth_config[:enable_client_credentials]
-        grants
-      end
-
-      def supported_response_types
-        [ "code" ]
-      end
-
-      def supported_auth_methods
-        methods = %w[client_secret_basic client_secret_post]
-        methods << "none" if oauth_config.fetch(:allow_public_clients, true)
-        methods
-      end
-
-      def render_registration_error(error_code, description)
-        render json: {
-          error: error_code,
-          error_description: description
-        }, status: :bad_request
-      end
-    end
-
-    # Custom error for invalid client metadata
-    class InvalidClientMetadataError < Error
-      def initialize(message = "Invalid client metadata")
-        super(message, "invalid_client_metadata")
-      end
-    end
-  end
-end