actionmcp 0.72.0 → 0.80.0

data/app/models/action_mcp/oauth_client.rb

@@ -1,159 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  # OAuth 2.0 Client model for storing registered clients
-  # == Schema Information
-  #
-  # Table name: action_mcp_oauth_clients
-  #
-  #  id                         :integer          not null, primary key
-  #  active                     :boolean          default(TRUE)
-  #  client_id_issued_at        :integer
-  #  client_name                :string
-  #  client_secret              :string
-  #  client_secret_expires_at   :integer
-  #  grant_types                :json
-  #  metadata                   :json
-  #  redirect_uris              :json
-  #  registration_access_token  :string
-  #  response_types             :json
-  #  scope                      :text
-  #  token_endpoint_auth_method :string           default("client_secret_basic")
-  #  created_at                 :datetime         not null
-  #  updated_at                 :datetime         not null
-  #  client_id                  :string           not null
-  #
-  # Indexes
-  #
-  #  index_action_mcp_oauth_clients_on_active               (active)
-  #  index_action_mcp_oauth_clients_on_client_id            (client_id) UNIQUE
-  #  index_action_mcp_oauth_clients_on_client_id_issued_at  (client_id_issued_at)
-  #
-  # Implements RFC 7591 Dynamic Client Registration
-  class OAuthClient < ApplicationRecord
-    self.table_name = "action_mcp_oauth_clients"
-
-    # Validations
-    validates :client_id, presence: true, uniqueness: true
-    validates :token_endpoint_auth_method, inclusion: {
-      in: %w[none client_secret_basic client_secret_post client_secret_jwt private_key_jwt]
-    }
-
-    # Scopes
-    scope :active, -> { where(active: true) }
-    scope :expired, lambda {
-      where("client_secret_expires_at < ?", Time.current.to_i).where.not(client_secret_expires_at: [ nil, 0 ])
-    }
-
-    # Callbacks
-    before_create :set_issued_at
-
-    # Check if client secret is expired
-    def secret_expired?
-      return false if client_secret_expires_at.nil? || client_secret_expires_at.zero?
-
-      Time.current.to_i > client_secret_expires_at
-    end
-
-    # Check if client is public (no authentication required)
-    def public_client?
-      token_endpoint_auth_method == "none"
-    end
-
-    # Check if client is confidential (authentication required)
-    def confidential_client?
-      !public_client?
-    end
-
-    # Validate redirect URI against registered URIs
-    def valid_redirect_uri?(uri)
-      return false if redirect_uris.blank?
-
-      redirect_uris.include?(uri)
-    end
-
-    # Check if grant type is supported by this client
-    def supports_grant_type?(grant_type)
-      grant_types.include?(grant_type)
-    end
-
-    # Check if response type is supported by this client
-    def supports_response_type?(response_type)
-      response_types.include?(response_type)
-    end
-
-    # Check if scope is allowed for this client
-    def valid_scope?(requested_scope)
-      return true if scope.blank? # No scope restrictions
-
-      requested_scopes = requested_scope.split(" ")
-      allowed_scopes = scope.split(" ")
-
-      # All requested scopes must be in allowed scopes
-      (requested_scopes - allowed_scopes).empty?
-    end
-
-    # Convert to hash for API responses
-    def to_api_response
-      response = {
-        client_id: client_id,
-        client_id_issued_at: client_id_issued_at
-      }
-
-      # Include client secret for confidential clients
-      if client_secret.present?
-        response[:client_secret] = client_secret
-        response[:client_secret_expires_at] = client_secret_expires_at || 0
-      end
-
-      # Include metadata fields
-      %w[
-        client_name redirect_uris grant_types response_types
-        token_endpoint_auth_method scope
-      ].each do |field|
-        value = send(field)
-        response[field.to_sym] = value if value.present?
-      end
-
-      # Include additional metadata
-      response.merge!(metadata) if metadata.present?
-
-      response
-    end
-
-    # Create from registration request
-    def self.create_from_registration(client_metadata)
-      client = new
-
-      # Set basic fields
-      client.client_id = "mcp_#{SecureRandom.hex(16)}"
-
-      # Set metadata fields
-      %w[
-        client_name redirect_uris grant_types response_types
-        token_endpoint_auth_method scope
-      ].each do |field|
-        client.send("#{field}=", client_metadata[field]) if client_metadata[field]
-      end
-
-      # Generate client secret for confidential clients
-      client.client_secret = SecureRandom.urlsafe_base64(32) if client.confidential_client?
-
-      # Store any additional metadata
-      known_fields = %w[
-        client_name redirect_uris grant_types response_types
-        token_endpoint_auth_method scope
-      ]
-      additional_metadata = client_metadata.except(*known_fields)
-      client.metadata = additional_metadata if additional_metadata.present?
-
-      client
-    end
-
-    private
-
-    def set_issued_at
-      self.client_id_issued_at ||= Time.current.to_i
-    end
-  end
-end

data/app/models/action_mcp/oauth_token.rb

@@ -1,142 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  # == Schema Information
-  #
-  # Table name: action_mcp_oauth_tokens
-  #
-  #  id                    :integer          not null, primary key
-  #  access_token          :string
-  #  code_challenge        :string
-  #  code_challenge_method :string
-  #  expires_at            :datetime
-  #  metadata              :json
-  #  redirect_uri          :string
-  #  revoked               :boolean          default(FALSE)
-  #  scope                 :text
-  #  token                 :string           not null
-  #  token_type            :string           not null
-  #  created_at            :datetime         not null
-  #  updated_at            :datetime         not null
-  #  client_id             :string           not null
-  #  user_id               :string
-  #
-  # Indexes
-  #
-  #  index_action_mcp_oauth_tokens_on_client_id                  (client_id)
-  #  index_action_mcp_oauth_tokens_on_expires_at                 (expires_at)
-  #  index_action_mcp_oauth_tokens_on_revoked                    (revoked)
-  #  index_action_mcp_oauth_tokens_on_token                      (token) UNIQUE
-  #  index_action_mcp_oauth_tokens_on_token_type                 (token_type)
-  #  index_action_mcp_oauth_tokens_on_token_type_and_expires_at  (token_type,expires_at)
-  #  index_action_mcp_oauth_tokens_on_user_id                    (user_id)
-  #
-  # OAuth 2.0 Token model for storing access tokens, refresh tokens, and authorization codes
-  class OAuthToken < ApplicationRecord
-    self.table_name = "action_mcp_oauth_tokens"
-
-    # Token types
-    ACCESS_TOKEN = "access_token"
-    REFRESH_TOKEN = "refresh_token"
-    AUTHORIZATION_CODE = "authorization_code"
-
-    # Validations
-    validates :token, presence: true, uniqueness: true
-    validates :token_type, presence: true, inclusion: { in: [ ACCESS_TOKEN, REFRESH_TOKEN, AUTHORIZATION_CODE ] }
-    validates :client_id, presence: true
-    validates :expires_at, presence: true
-
-    # Scopes
-    scope :active, -> { where(revoked: false).where("expires_at > ?", Time.current) }
-    scope :expired, -> { where("expires_at <= ?", Time.current) }
-    scope :access_tokens, -> { where(token_type: ACCESS_TOKEN) }
-    scope :refresh_tokens, -> { where(token_type: REFRESH_TOKEN) }
-    scope :authorization_codes, -> { where(token_type: AUTHORIZATION_CODE) }
-
-    # Check if token is still valid
-    def still_valid?
-      !revoked? && !expired?
-    end
-
-    # Check if token is expired
-    def expired?
-      expires_at <= Time.current
-    end
-
-    # Revoke the token
-    def revoke!
-      update!(revoked: true)
-    end
-
-    # Convert to introspection response
-    def to_introspection_response
-      if still_valid?
-        {
-          active: true,
-          scope: scope,
-          client_id: client_id,
-          username: user_id,
-          token_type: token_type == ACCESS_TOKEN ? "Bearer" : token_type,
-          exp: expires_at.to_i,
-          iat: created_at.to_i,
-          nbf: created_at.to_i,
-          sub: user_id,
-          aud: client_id,
-          iss: ActionMCP.configuration.oauth_config&.dig("issuer_url")
-        }.compact
-      else
-        { active: false }
-      end
-    end
-
-    # Create authorization code
-    def self.create_authorization_code(client_id:, user_id:, redirect_uri:, scope:, code_challenge: nil,
-                                       code_challenge_method: nil)
-      create!(
-        token: SecureRandom.urlsafe_base64(32),
-        token_type: AUTHORIZATION_CODE,
-        client_id: client_id,
-        user_id: user_id,
-        redirect_uri: redirect_uri,
-        scope: scope,
-        code_challenge: code_challenge,
-        code_challenge_method: code_challenge_method,
-        expires_at: 10.minutes.from_now
-      )
-    end
-
-    # Create access token
-    def self.create_access_token(client_id:, user_id:, scope:)
-      expires_in = ActionMCP.configuration.oauth_config&.dig("access_token_expires_in") || 3600
-
-      create!(
-        token: SecureRandom.urlsafe_base64(32),
-        token_type: ACCESS_TOKEN,
-        client_id: client_id,
-        user_id: user_id,
-        scope: scope,
-        expires_at: expires_in.seconds.from_now
-      )
-    end
-
-    # Create refresh token
-    def self.create_refresh_token(client_id:, user_id:, scope:, access_token:)
-      expires_in = ActionMCP.configuration.oauth_config&.dig("refresh_token_expires_in") || 7.days.to_i
-
-      create!(
-        token: SecureRandom.urlsafe_base64(32),
-        token_type: REFRESH_TOKEN,
-        client_id: client_id,
-        user_id: user_id,
-        scope: scope,
-        access_token: access_token,
-        expires_at: expires_in.seconds.from_now
-      )
-    end
-
-    # Clean up expired tokens
-    def self.cleanup_expired
-      expired.delete_all
-    end
-  end
-end

data/db/migrate/20250608112101_add_oauth_to_sessions.rb

@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-class AddOAuthToSessions < ActiveRecord::Migration[8.0]
-  def change
-    # Use json for all databases (PostgreSQL, SQLite3, MySQL) for consistency
-    json_type = :json
-
-    add_column :action_mcp_sessions, :oauth_access_token, :string unless column_exists?(:action_mcp_sessions,
-                                                                                        :oauth_access_token)
-    add_column :action_mcp_sessions, :oauth_refresh_token, :string unless column_exists?(:action_mcp_sessions,
-                                                                                         :oauth_refresh_token)
-    add_column :action_mcp_sessions, :oauth_token_expires_at, :datetime unless column_exists?(:action_mcp_sessions,
-                                                                                              :oauth_token_expires_at)
-    add_column :action_mcp_sessions, :oauth_user_context, json_type unless column_exists?(:action_mcp_sessions,
-                                                                                          :oauth_user_context)
-    add_column :action_mcp_sessions, :authentication_method, :string, default: 'none' unless column_exists?(
-      :action_mcp_sessions, :authentication_method
-    )
-
-    # Add indexes for performance
-    add_index :action_mcp_sessions, :oauth_access_token, unique: true unless index_exists?(:action_mcp_sessions,
-                                                                                           :oauth_access_token)
-    add_index :action_mcp_sessions, :oauth_token_expires_at unless index_exists?(:action_mcp_sessions,
-                                                                                 :oauth_token_expires_at)
-    add_index :action_mcp_sessions, :authentication_method unless index_exists?(:action_mcp_sessions,
-                                                                                :authentication_method)
-  end
-end

data/db/migrate/20250708105124_create_action_mcp_oauth_clients.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-class CreateActionMCPOAuthClients < ActiveRecord::Migration[7.2]
-  def change
-    create_table :action_mcp_oauth_clients do |t|
-      t.string :client_id, null: false, index: { unique: true }
-      t.string :client_secret
-      t.string :client_name
-
-      # Store arrays as JSON for database compatibility
-      if connection.adapter_name.downcase.include?('postgresql')
-        t.text :redirect_uris, array: true, default: []
-        t.text :grant_types, array: true, default: [ 'authorization_code' ]
-        t.text :response_types, array: true, default: [ 'code' ]
-      else
-        # For SQLite and other databases, use JSON
-        t.json :redirect_uris, default: []
-        t.json :grant_types, default: [ 'authorization_code' ]
-        t.json :response_types, default: [ 'code' ]
-      end
-
-      t.string :token_endpoint_auth_method, default: 'client_secret_basic'
-      t.text :scope
-      t.boolean :active, default: true
-
-      # Registration metadata
-      t.integer :client_id_issued_at
-      t.integer :client_secret_expires_at
-      t.string :registration_access_token # OAuth 2.1 Dynamic Client Registration
-
-      # Additional metadata as JSON for database compatibility
-      if connection.adapter_name.downcase.include?('postgresql')
-        t.jsonb :metadata, default: {}
-      else
-        t.json :metadata, default: {}
-      end
-
-      t.timestamps
-    end
-
-    add_index :action_mcp_oauth_clients, :active
-    add_index :action_mcp_oauth_clients, :client_id_issued_at
-  end
-end

data/db/migrate/20250708105226_create_action_mcp_oauth_tokens.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-class CreateActionMCPOAuthTokens < ActiveRecord::Migration[7.2]
-  def change
-    create_table :action_mcp_oauth_tokens do |t|
-      t.string :token, null: false, index: { unique: true }
-      t.string :token_type, null: false # 'access_token', 'refresh_token', 'authorization_code'
-      t.string :client_id, null: false
-      t.string :user_id
-      t.text :scope
-      t.datetime :expires_at
-      t.boolean :revoked, default: false
-
-      # For authorization codes
-      t.string :redirect_uri
-      t.string :code_challenge
-      t.string :code_challenge_method
-
-      # For refresh tokens
-      t.string :access_token # Reference to associated access token
-
-      # Additional data - use JSON for database compatibility
-      if connection.adapter_name.downcase.include?('postgresql')
-        t.jsonb :metadata, default: {}
-      else
-        t.json :metadata, default: {}
-      end
-
-      t.timestamps
-    end
-
-    add_index :action_mcp_oauth_tokens, :token_type
-    add_index :action_mcp_oauth_tokens, :client_id
-    add_index :action_mcp_oauth_tokens, :user_id
-    add_index :action_mcp_oauth_tokens, :expires_at
-    add_index :action_mcp_oauth_tokens, :revoked
-    add_index :action_mcp_oauth_tokens, %i[token_type expires_at]
-  end
-end

data/lib/action_mcp/client/jwt_client_provider.rb

@@ -1,135 +0,0 @@
-# frozen_string_literal: true
-
-require "json"
-require "base64"
-
-module ActionMCP
-  module Client
-    # JWT client provider for MCP client authentication
-    # Provides clean JWT token management for ActionMCP client connections
-    class JwtClientProvider
-      class AuthenticationError < StandardError; end
-      class TokenExpiredError < StandardError; end
-
-      attr_reader :storage
-
-      def initialize(token: nil, storage: nil, logger: ActionMCP.logger)
-        @storage = storage || MemoryStorage.new
-        @logger = logger
-
-        # If token provided during initialization, store it
-        return unless token
-
-        save_token(token)
-      end
-
-      # Check if client has valid authentication
-      def authenticated?
-        token = current_token
-        return false unless token
-
-        !token_expired?(token)
-      end
-
-      # Get authorization headers for HTTP requests
-      def authorization_headers
-        token = current_token
-        return {} unless token
-
-        if token_expired?(token)
-          log_debug("JWT token expired")
-          clear_tokens!
-          return {}
-        end
-
-        { "Authorization" => "Bearer #{token}" }
-      end
-
-      # Set/update the JWT token
-      def set_token(token)
-        save_token(token)
-        log_debug("JWT token updated")
-      end
-
-      # Clear stored tokens (logout)
-      def clear_tokens!
-        @storage.clear_token
-        log_debug("Cleared JWT token")
-      end
-
-      # Get current valid token
-      def access_token
-        token = current_token
-        return nil unless token
-        return nil if token_expired?(token)
-
-        token
-      end
-
-      private
-
-      def current_token
-        @storage.load_token
-      end
-
-      def save_token(token)
-        @storage.save_token(token)
-      end
-
-      def token_expired?(token)
-        return false unless token
-
-        begin
-          payload = decode_jwt_payload(token)
-          exp = payload["exp"]
-          return false unless exp
-
-          # Add 30 second buffer for clock skew
-          Time.at(exp) <= Time.now + 30
-        rescue StandardError => e
-          log_debug("Error checking token expiration: #{e.message}")
-          true # Treat invalid tokens as expired
-        end
-      end
-
-      def decode_jwt_payload(token)
-        # Split JWT into parts
-        parts = token.split(".")
-        raise AuthenticationError, "Invalid JWT format" unless parts.length == 3
-
-        # Decode payload (second part)
-        payload_base64 = parts[1]
-        # Add padding if needed
-        payload_base64 += "=" * (4 - payload_base64.length % 4) if payload_base64.length % 4 != 0
-
-        payload_json = Base64.urlsafe_decode64(payload_base64)
-        JSON.parse(payload_json)
-      rescue StandardError => e
-        raise AuthenticationError, "Failed to decode JWT: #{e.message}"
-      end
-
-      def log_debug(message)
-        @logger.debug("[ActionMCP::JwtClientProvider] #{message}")
-      end
-
-      # Simple memory storage for JWT tokens
-      class MemoryStorage
-        def initialize
-          @token = nil
-        end
-
-        def save_token(token)
-          @token = token
-        end
-
-        def load_token
-          @token
-        end
-
-        def clear_token
-          @token = nil
-        end
-      end
-    end
-  end
-end

data/lib/action_mcp/client/oauth_client_provider/memory_storage.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module Client
-    class OauthClientProvider
-      # Simple in-memory storage for development
-      # In production, use persistent storage
-      class MemoryStorage
-        def initialize
-          @data = {}
-        end
-
-        def save_tokens(tokens)
-          @data[:tokens] = tokens
-        end
-
-        def load_tokens
-          @data[:tokens]
-        end
-
-        def clear_tokens
-          @data.delete(:tokens)
-        end
-
-        def save_code_verifier(verifier)
-          @data[:code_verifier] = verifier
-        end
-
-        def load_code_verifier
-          @data[:code_verifier]
-        end
-
-        def clear_code_verifier
-          @data.delete(:code_verifier)
-        end
-
-        def save_client_information(info)
-          @data[:client_information] = info
-        end
-
-        def load_client_information
-          @data[:client_information]
-        end
-      end
-    end
-  end
-end