actionmcp 0.72.0 → 0.80.0

data/lib/action_mcp/client/oauth_client_provider.rb

@@ -1,234 +0,0 @@
-# frozen_string_literal: true
-
-require "faraday"
-require "pkce_challenge"
-require "securerandom"
-require "uri"
-require "json"
-
-module ActionMCP
-  module Client
-    # OAuth client provider for MCP client authentication
-    # Implements OAuth 2.1 authorization code flow with PKCE
-    class OauthClientProvider
-      class AuthenticationError < StandardError; end
-      class TokenExpiredError < StandardError; end
-      attr_reader :redirect_url, :client_metadata, :authorization_server_url
-
-      def initialize(
-        authorization_server_url:,
-        redirect_url:,
-        client_metadata: {},
-        storage: nil,
-        logger: ActionMCP.logger
-      )
-        @authorization_server_url = URI(authorization_server_url)
-        @redirect_url = URI(redirect_url)
-        @client_metadata = default_client_metadata.merge(client_metadata)
-        @storage = storage || MemoryStorage.new
-        @logger = logger
-        @http_client = build_http_client
-      end
-
-      # Get current access token for authorization headers
-      def access_token
-        tokens = current_tokens
-        return nil unless tokens
-
-        if token_expired?(tokens)
-          refresh_tokens! if tokens[:refresh_token]
-          tokens = current_tokens
-        end
-
-        tokens&.dig(:access_token)
-      end
-
-      # Check if client has valid authentication
-      def authenticated?
-        !access_token.nil?
-      end
-
-      # Start OAuth authorization flow
-      def start_authorization_flow(scope: nil, state: nil)
-        # Generate PKCE challenge
-        pkce = PkceChallenge.challenge
-        code_verifier = pkce.code_verifier
-        code_challenge = pkce.code_challenge
-        @storage.save_code_verifier(code_verifier)
-
-        # Build authorization URL
-        auth_params = {
-          response_type: "code",
-          client_id: client_id,
-          redirect_uri: @redirect_url.to_s,
-          code_challenge: code_challenge,
-          code_challenge_method: "S256"
-        }
-        auth_params[:scope] = scope if scope
-        auth_params[:state] = state if state
-
-        authorization_url = build_url(server_metadata[:authorization_endpoint], auth_params)
-
-        log_debug("Starting OAuth flow: #{authorization_url}")
-        authorization_url
-      end
-
-      # Complete OAuth flow with authorization code
-      def complete_authorization_flow(authorization_code, state: nil)
-        code_verifier = @storage.load_code_verifier
-        raise AuthenticationError, "No code verifier found" unless code_verifier
-
-        # Exchange code for tokens
-        token_params = {
-          grant_type: "authorization_code",
-          code: authorization_code,
-          redirect_uri: @redirect_url.to_s,
-          code_verifier: code_verifier,
-          client_id: client_id
-        }
-
-        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
-          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
-          req.headers["Accept"] = "application/json"
-          req.body = URI.encode_www_form(token_params)
-        end
-
-        handle_token_response(response)
-      end
-
-      # Refresh access token using refresh token
-      def refresh_tokens!
-        tokens = current_tokens
-        refresh_token = tokens&.dig(:refresh_token)
-        raise TokenExpiredError, "No refresh token available" unless refresh_token
-
-        token_params = {
-          grant_type: "refresh_token",
-          refresh_token: refresh_token,
-          client_id: client_id
-        }
-
-        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
-          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
-          req.headers["Accept"] = "application/json"
-          req.body = URI.encode_www_form(token_params)
-        end
-
-        handle_token_response(response)
-      end
-
-      # Clear stored tokens (logout)
-      def clear_tokens!
-        @storage.clear_tokens
-        @storage.clear_code_verifier if @storage.respond_to?(:clear_code_verifier)
-        log_debug("Cleared OAuth tokens and code verifier")
-      end
-
-      # Get client information for registration
-      def client_information
-        @storage.load_client_information
-      end
-
-      # Save client information after registration
-      def save_client_information(client_info)
-        @storage.save_client_information(client_info)
-      end
-
-      # Get authorization headers for HTTP requests
-      def authorization_headers
-        token = access_token
-        return {} unless token
-
-        { "Authorization" => "Bearer #{token}" }
-      end
-
-      private
-
-      def current_tokens
-        @storage.load_tokens
-      end
-
-      def save_tokens(tokens)
-        @storage.save_tokens(tokens)
-      end
-
-      def token_expired?(tokens)
-        expires_at = tokens[:expires_at]
-        return false unless expires_at
-
-        Time.at(expires_at) <= Time.now + 30 # 30 second buffer
-      end
-
-      def client_id
-        client_info = client_information
-        client_info&.dig(:client_id) || @client_metadata[:client_id]
-      end
-
-      def server_metadata
-        @server_metadata ||= fetch_server_metadata
-      end
-
-      def fetch_server_metadata
-        well_known_url = @authorization_server_url.dup
-        well_known_url.path = "/.well-known/oauth-authorization-server"
-
-        response = @http_client.get(well_known_url)
-        raise AuthenticationError, "Failed to fetch server metadata: #{response.status}" unless response.success?
-
-        JSON.parse(response.body, symbolize_names: true)
-      end
-
-      def handle_token_response(response)
-        unless response.success?
-          error_body = begin
-            JSON.parse(response.body)
-          rescue StandardError
-            {}
-          end
-          error_msg = error_body["error_description"] || error_body["error"] || "Token request failed"
-          raise AuthenticationError, "#{error_msg} (#{response.status})"
-        end
-
-        token_data = JSON.parse(response.body, symbolize_names: true)
-
-        # Calculate token expiration
-        token_data[:expires_at] = Time.now.to_i + token_data[:expires_in].to_i if token_data[:expires_in]
-
-        save_tokens(token_data)
-        log_debug("OAuth tokens obtained successfully")
-        token_data
-      end
-
-      def build_url(base_url, params)
-        uri = URI(base_url)
-        uri.query = URI.encode_www_form(params)
-        uri.to_s
-      end
-
-      def build_http_client
-        Faraday.new do |f|
-          f.headers["User-Agent"] = "ActionMCP-OAuth/#{ActionMCP.gem_version}"
-          f.options.timeout = 30
-          f.options.open_timeout = 10
-          f.adapter :net_http
-        end
-      end
-
-      def default_client_metadata
-        {
-          client_name: "ActionMCP Client",
-          client_uri: "https://github.com/anthropics/action_mcp",
-          redirect_uris: [ @redirect_url.to_s ],
-          grant_types: %w[authorization_code refresh_token],
-          response_types: [ "code" ],
-          token_endpoint_auth_method: "none", # Public client
-          code_challenge_methods_supported: [ "S256" ]
-        }
-      end
-
-      def log_debug(message)
-        @logger.debug("[ActionMCP::OAuthClientProvider] #{message}")
-      end
-    end
-  end
-end

data/lib/action_mcp/jwt_decoder.rb

@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-require "jwt"
-
-module ActionMCP
-  class JwtDecoder
-    class DecodeError < StandardError; end
-
-    # Configurable defaults
-    class << self
-      attr_accessor :secret, :algorithm
-
-      def decode(token)
-        payload, _header = JWT.decode(token, secret, true, { algorithm: algorithm })
-        payload
-      rescue JWT::ExpiredSignature
-        raise DecodeError, "Token has expired"
-      rescue JWT::DecodeError
-        # Simplify the error message for invalid tokens
-        raise DecodeError, "Invalid token"
-      end
-    end
-
-    # Defaults (can be overridden in an initializer)
-    self.secret = ENV.fetch("ACTION_MCP_JWT_SECRET", "change-me")
-    self.algorithm = "HS256"
-  end
-end

data/lib/action_mcp/jwt_identifier.rb

@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  class JwtIdentifier < GatewayIdentifier
-    identifier :user
-    authenticates :jwt
-
-    def resolve
-      token = extract_bearer_token
-      raise Unauthorized, "Missing JWT" unless token
-
-      payload = ActionMCP::JwtDecoder.decode(token)
-      user = User.find_by(id: payload["sub"] || payload["user_id"])
-      return user if user
-
-      raise Unauthorized, "Invalid JWT user"
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      raise Unauthorized, "Invalid JWT token: #{e.message}"
-    end
-
-    private
-
-    def extract_bearer_token
-      header = @request.env["HTTP_AUTHORIZATION"] || ""
-      header[/\ABearer (.+)\z/, 1]
-    end
-  end
-end

data/lib/action_mcp/none_identifier.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  class NoneIdentifier < GatewayIdentifier
-    identifier :user
-    authenticates :none
-
-    def resolve
-      Rails.env.production? &&
-        raise(Unauthorized, "No auth allowed in production")
-
-      return "anonymous_user" unless defined?(User)
-
-      User.find_or_create_by!(email: "dev@localhost") do |user|
-        user.name = "Development User" if user.respond_to?(:name=)
-      end
-    end
-  end
-end

data/lib/action_mcp/o_auth_identifier.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  class OAuthIdentifier < GatewayIdentifier
-    identifier :user
-    authenticates :oauth
-
-    def resolve
-      info = @request.env["action_mcp.oauth_token_info"] or
-        raise Unauthorized, "Missing OAuth info"
-
-      uid = info["user_id"] || info["sub"] || info[:user_id]
-      raise Unauthorized, "Invalid OAuth info" unless uid
-
-      # Try to find existing user or create one for demo purposes
-      user = User.find_by(email: uid) ||
-             User.find_by(email: "#{uid}@example.com") ||
-             create_oauth_user(uid)
-
-      user || raise(Unauthorized, "Unable to resolve OAuth user")
-    end
-
-    private
-
-    def create_oauth_user(uid)
-      return nil unless defined?(User)
-
-      email = uid.include?("@") ? uid : "#{uid}@example.com"
-      User.create!(email: email)
-    rescue ActiveRecord::RecordInvalid
-      nil
-    end
-  end
-end

data/lib/action_mcp/oauth/active_record_storage.rb

@@ -1,183 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # ActiveRecord storage for OAuth tokens and codes
-    # This is suitable for production multi-server environments
-    class ActiveRecordStorage
-      # Authorization code storage
-      def store_authorization_code(code, data)
-        OAuthToken.create!(
-          token: code,
-          token_type: OAuthToken::AUTHORIZATION_CODE,
-          client_id: data[:client_id],
-          user_id: data[:user_id],
-          redirect_uri: data[:redirect_uri],
-          scope: data[:scope],
-          code_challenge: data[:code_challenge],
-          code_challenge_method: data[:code_challenge_method],
-          expires_at: data[:expires_at],
-          metadata: data.except(:client_id, :user_id, :redirect_uri, :scope,
-                                :code_challenge, :code_challenge_method, :expires_at)
-        )
-      end
-
-      def retrieve_authorization_code(code)
-        token = OAuthToken.authorization_codes.active.find_by(token: code)
-        return nil unless token
-
-        {
-          client_id: token.client_id,
-          user_id: token.user_id,
-          redirect_uri: token.redirect_uri,
-          scope: token.scope,
-          code_challenge: token.code_challenge,
-          code_challenge_method: token.code_challenge_method,
-          expires_at: token.expires_at,
-          created_at: token.created_at
-        }.merge(token.metadata || {})
-      end
-
-      def remove_authorization_code(code)
-        OAuthToken.authorization_codes.where(token: code).destroy_all
-      end
-
-      # Access token storage
-      def store_access_token(token, data)
-        OAuthToken.create!(
-          token: token,
-          token_type: OAuthToken::ACCESS_TOKEN,
-          client_id: data[:client_id],
-          user_id: data[:user_id],
-          scope: data[:scope],
-          expires_at: data[:expires_at],
-          metadata: data.except(:client_id, :user_id, :scope, :expires_at)
-        )
-      end
-
-      def retrieve_access_token(token)
-        token_record = OAuthToken.access_tokens.find_by(token: token)
-        return nil unless token_record
-
-        {
-          client_id: token_record.client_id,
-          user_id: token_record.user_id,
-          scope: token_record.scope,
-          expires_at: token_record.expires_at,
-          created_at: token_record.created_at,
-          active: token_record.still_valid?
-        }.merge(token_record.metadata || {})
-      end
-
-      def remove_access_token(token)
-        OAuthToken.access_tokens.where(token: token).destroy_all
-      end
-
-      # Refresh token storage
-      def store_refresh_token(token, data)
-        OAuthToken.create!(
-          token: token,
-          token_type: OAuthToken::REFRESH_TOKEN,
-          client_id: data[:client_id],
-          user_id: data[:user_id],
-          scope: data[:scope],
-          access_token: data[:access_token],
-          expires_at: data[:expires_at],
-          metadata: data.except(:client_id, :user_id, :scope, :access_token, :expires_at)
-        )
-      end
-
-      def retrieve_refresh_token(token)
-        token_record = OAuthToken.refresh_tokens.active.find_by(token: token)
-        return nil unless token_record
-
-        {
-          client_id: token_record.client_id,
-          user_id: token_record.user_id,
-          scope: token_record.scope,
-          access_token: token_record.access_token,
-          expires_at: token_record.expires_at,
-          created_at: token_record.created_at
-        }.merge(token_record.metadata || {})
-      end
-
-      def update_refresh_token(token, new_access_token)
-        token_record = OAuthToken.refresh_tokens.find_by(token: token)
-        token_record&.update!(access_token: new_access_token)
-      end
-
-      def remove_refresh_token(token)
-        OAuthToken.refresh_tokens.where(token: token).destroy_all
-      end
-
-      # Client registration storage
-      def store_client_registration(client_id, data)
-        client = OAuthClient.new
-
-        # Map data fields to model attributes
-        client.client_id = client_id
-        client.client_secret = data[:client_secret]
-        client.client_id_issued_at = data[:client_id_issued_at]
-        client.registration_access_token = data[:registration_access_token]
-
-        # Handle client metadata
-        metadata = data[:client_metadata] || {}
-        %w[
-          client_name redirect_uris grant_types response_types
-          token_endpoint_auth_method scope
-        ].each do |field|
-          client.send("#{field}=", metadata[field]) if metadata.key?(field)
-        end
-
-        # Store any additional metadata
-        known_fields = %w[
-          client_name redirect_uris grant_types response_types
-          token_endpoint_auth_method scope
-        ]
-        additional_metadata = metadata.except(*known_fields)
-        client.metadata = additional_metadata if additional_metadata.present?
-
-        client.save!
-        data
-      end
-
-      def retrieve_client_registration(client_id)
-        client = OAuthClient.active.find_by(client_id: client_id)
-        return nil unless client
-
-        {
-          client_id: client.client_id,
-          client_secret: client.client_secret,
-          client_id_issued_at: client.client_id_issued_at,
-          registration_access_token: client.registration_access_token,
-          client_metadata: client.to_api_response
-        }
-      end
-
-      def remove_client_registration(client_id)
-        OAuthClient.where(client_id: client_id).destroy_all
-      end
-
-      # Cleanup expired tokens
-      def cleanup_expired
-        OAuthToken.cleanup_expired
-      end
-
-      # Statistics (for debugging/monitoring)
-      def stats
-        {
-          authorization_codes: OAuthToken.authorization_codes.active.count,
-          access_tokens: OAuthToken.access_tokens.active.count,
-          refresh_tokens: OAuthToken.refresh_tokens.active.count,
-          client_registrations: OAuthClient.active.count
-        }
-      end
-
-      # Clear all data (for testing)
-      def clear_all
-        OAuthToken.delete_all
-        OAuthClient.delete_all
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth/error.rb

@@ -1,79 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # Base OAuth error class
-    class Error < StandardError
-      attr_reader :oauth_error_code
-
-      def initialize(message, oauth_error_code = "invalid_request")
-        super(message)
-        @oauth_error_code = oauth_error_code
-      end
-    end
-
-    # OAuth 2.1 standard error types
-    class InvalidRequestError < Error
-      def initialize(message = "Invalid request")
-        super(message, "invalid_request")
-      end
-    end
-
-    class InvalidClientError < Error
-      def initialize(message = "Invalid client")
-        super(message, "invalid_client")
-      end
-    end
-
-    class InvalidGrantError < Error
-      def initialize(message = "Invalid grant")
-        super(message, "invalid_grant")
-      end
-    end
-
-    class UnauthorizedClientError < Error
-      def initialize(message = "Unauthorized client")
-        super(message, "unauthorized_client")
-      end
-    end
-
-    class UnsupportedGrantTypeError < Error
-      def initialize(message = "Unsupported grant type")
-        super(message, "unsupported_grant_type")
-      end
-    end
-
-    class InvalidScopeError < Error
-      def initialize(message = "Invalid scope")
-        super(message, "invalid_scope")
-      end
-    end
-
-    class InvalidTokenError < Error
-      def initialize(message = "Invalid token")
-        super(message, "invalid_token")
-      end
-    end
-
-    class InsufficientScopeError < Error
-      attr_reader :required_scope
-
-      def initialize(message = "Insufficient scope", required_scope = nil)
-        super(message, "insufficient_scope")
-        @required_scope = required_scope
-      end
-    end
-
-    class ServerError < Error
-      def initialize(message = "Server error")
-        super(message, "server_error")
-      end
-    end
-
-    class TemporarilyUnavailableError < Error
-      def initialize(message = "Temporarily unavailable")
-        super(message, "temporarily_unavailable")
-      end
-    end
-  end
-end