actionmcp 0.72.0 → 0.80.0

data/lib/action_mcp/oauth/memory_storage.rb

@@ -1,132 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # In-memory storage for OAuth tokens and codes
-    # This is suitable for development and testing, but not for production
-    class MemoryStorage
-      def initialize
-        @authorization_codes = {}
-        @access_tokens = {}
-        @refresh_tokens = {}
-        @client_registrations = {}
-        @mutex = Mutex.new
-      end
-
-      # Authorization code storage
-      def store_authorization_code(code, data)
-        @mutex.synchronize do
-          @authorization_codes[code] = data
-        end
-      end
-
-      def retrieve_authorization_code(code)
-        @mutex.synchronize do
-          @authorization_codes[code]
-        end
-      end
-
-      def remove_authorization_code(code)
-        @mutex.synchronize do
-          @authorization_codes.delete(code)
-        end
-      end
-
-      # Access token storage
-      def store_access_token(token, data)
-        @mutex.synchronize do
-          @access_tokens[token] = data
-        end
-      end
-
-      def retrieve_access_token(token)
-        @mutex.synchronize do
-          @access_tokens[token]
-        end
-      end
-
-      def remove_access_token(token)
-        @mutex.synchronize do
-          @access_tokens.delete(token)
-        end
-      end
-
-      # Refresh token storage
-      def store_refresh_token(token, data)
-        @mutex.synchronize do
-          @refresh_tokens[token] = data
-        end
-      end
-
-      def retrieve_refresh_token(token)
-        @mutex.synchronize do
-          @refresh_tokens[token]
-        end
-      end
-
-      def update_refresh_token(token, new_access_token)
-        @mutex.synchronize do
-          @refresh_tokens[token][:access_token] = new_access_token if @refresh_tokens[token]
-        end
-      end
-
-      def remove_refresh_token(token)
-        @mutex.synchronize do
-          @refresh_tokens.delete(token)
-        end
-      end
-
-      # Client registration storage
-      def store_client_registration(client_id, data)
-        @mutex.synchronize do
-          @client_registrations[client_id] = data
-        end
-      end
-
-      def retrieve_client_registration(client_id)
-        @mutex.synchronize do
-          @client_registrations[client_id]
-        end
-      end
-
-      def remove_client_registration(client_id)
-        @mutex.synchronize do
-          @client_registrations.delete(client_id)
-        end
-      end
-
-      # Cleanup expired tokens (optional utility method)
-      def cleanup_expired
-        current_time = Time.current
-
-        @mutex.synchronize do
-          @authorization_codes.reject! { |_, data| data[:expires_at] < current_time }
-          @access_tokens.reject! { |_, data| data[:expires_at] < current_time }
-          @refresh_tokens.reject! { |_, data| data[:expires_at] < current_time }
-        end
-      end
-
-      # Statistics (for debugging/monitoring)
-      def stats
-        @mutex.synchronize do
-          {
-            authorization_codes: @authorization_codes.size,
-            access_tokens: @access_tokens.size,
-            refresh_tokens: @refresh_tokens.size,
-            client_registrations: @client_registrations.size
-          }
-        end
-      end
-
-      # Clear all data (for testing)
-      def clear_all
-        @mutex.synchronize do
-          @authorization_codes.clear
-          @access_tokens.clear
-          @refresh_tokens.clear
-          @client_registrations.clear
-        end
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth/middleware.rb

@@ -1,128 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "error"
-
-module ActionMCP
-  module OAuth
-    # OAuth middleware that integrates with Omniauth for request authentication
-    # Handles Bearer token validation for API requests
-    class Middleware
-      def initialize(app)
-        @app = app
-      end
-
-      def call(env)
-        request = ActionDispatch::Request.new(env)
-
-        # Skip OAuth processing for non-MCP requests or if OAuth not configured
-        return @app.call(env) unless should_process_oauth?(request)
-
-        # Skip OAuth processing for metadata endpoints
-        return @app.call(env) if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
-
-        # Skip OAuth processing for initialization-related requests
-        return @app.call(env) if initialization_related_request?(request)
-
-        # Validate Bearer token for API requests
-        if (bearer_token = extract_bearer_token(request))
-          validate_oauth_token(request, bearer_token)
-        end
-
-        @app.call(env)
-      rescue ActionMCP::OAuth::Error => e
-        oauth_error_response(e)
-      end
-
-      private
-
-      def should_process_oauth?(_request)
-        # Check if OAuth is enabled in configuration
-        auth_methods = ActionMCP.configuration.authentication_methods
-        return false unless auth_methods&.include?("oauth")
-
-        # Process all MCP requests (ActionMCP serves at root "/") and OAuth-related paths
-        true
-      end
-
-      def initialization_related_request?(request)
-        # Only check JSON-RPC POST requests to MCP endpoints
-        # The path might include the mount path (e.g., /action_mcp/ or just /)
-        return false unless request.post? && request.content_type&.include?("application/json")
-
-        # Check if this is an MCP endpoint (ends with / or is the root)
-        path = request.path
-        return false unless path == "/" || path.match?(%r{/action_mcp/?$})
-
-        # Read and parse the request body
-        body = request.body.read
-        request.body.rewind # Reset for subsequent reads
-
-        json = JSON.parse(body)
-        method = json["method"]
-
-        # Check if it's an initialization-related method
-        %w[initialize notifications/initialized].include?(method)
-      rescue JSON::ParserError, StandardError
-        false
-      end
-
-      def extract_bearer_token(request)
-        auth_header = request.headers["Authorization"] || request.headers["authorization"]
-        return nil unless auth_header&.start_with?("Bearer ")
-
-        auth_header.split(" ", 2).last
-      end
-
-      def validate_oauth_token(request, token)
-        # Use the OAuth provider for token introspection
-        token_info = ActionMCP::OAuth::Provider.introspect_token(token)
-
-        unless token_info && token_info[:active]
-          raise ActionMCP::OAuth::InvalidTokenError, "Invalid or expired OAuth token"
-        end
-
-        # Store OAuth token info in request environment for Gateway
-        request.env["action_mcp.oauth_token_info"] = token_info
-        request.env["action_mcp.oauth_token"] = token
-      end
-
-      def oauth_error_response(error)
-        status = case error
-        when ActionMCP::OAuth::InvalidTokenError
-                   401
-        when ActionMCP::OAuth::InsufficientScopeError
-                   403
-        else
-                   400
-        end
-
-        headers = {
-          "Content-Type" => "application/json",
-          "WWW-Authenticate" => www_authenticate_header(error)
-        }
-
-        body = {
-          error: error.oauth_error_code,
-          error_description: error.message
-        }.to_json
-
-        [ status, headers, [ body ] ]
-      end
-
-      def www_authenticate_header(error)
-        params = []
-        params << 'realm="MCP API"'
-
-        case error
-        when ActionMCP::OAuth::InvalidTokenError
-          params << 'error="invalid_token"'
-        when ActionMCP::OAuth::InsufficientScopeError
-          params << 'error="insufficient_scope"'
-          params << "scope=\"#{error.required_scope}\"" if error.required_scope
-        end
-
-        "Bearer #{params.join(', ')}"
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth/provider.rb

@@ -1,406 +0,0 @@
-# frozen_string_literal: true
-
-require "securerandom"
-require "digest"
-require "base64"
-
-module ActionMCP
-  module OAuth
-    # OAuth 2.1 Provider implementation
-    # Handles authorization codes, access tokens, refresh tokens, and token validation
-    class Provider
-      class << self
-        # Generate authorization code for OAuth flow
-        # @param client_id [String] OAuth client identifier
-        # @param redirect_uri [String] Client redirect URI
-        # @param scope [String] Requested scope
-        # @param code_challenge [String] PKCE code challenge
-        # @param code_challenge_method [String] PKCE challenge method (S256, plain)
-        # @param user_id [String] User identifier
-        # @return [String] Authorization code
-        def generate_authorization_code(client_id:, redirect_uri:, scope:, user_id:, code_challenge: nil,
-                                        code_challenge_method: nil)
-          # Validate scope
-          validate_scope(scope) if scope
-
-          code = SecureRandom.urlsafe_base64(32)
-
-          # Store authorization code with metadata
-          store_authorization_code(code, {
-                                     client_id: client_id,
-                                     redirect_uri: redirect_uri,
-                                     scope: scope,
-                                     code_challenge: code_challenge,
-                                     code_challenge_method: code_challenge_method,
-                                     user_id: user_id,
-                                     created_at: Time.current,
-                                     expires_at: 10.minutes.from_now
-                                   })
-
-          code
-        end
-
-        # Exchange authorization code for access token
-        # @param code [String] Authorization code
-        # @param client_id [String] OAuth client identifier
-        # @param client_secret [String] OAuth client secret (optional for public clients)
-        # @param redirect_uri [String] Client redirect URI
-        # @param code_verifier [String] PKCE code verifier
-        # @return [Hash] Token response with access_token, token_type, expires_in, scope
-        def exchange_code_for_token(code:, client_id:, redirect_uri:, client_secret: nil, code_verifier: nil)
-          # Retrieve and validate authorization code
-          code_data = retrieve_authorization_code(code)
-          raise InvalidGrantError, "Invalid authorization code" unless code_data
-          raise InvalidGrantError, "Authorization code expired" if code_data[:expires_at] < Time.current
-
-          # Validate client
-          validate_client(client_id, client_secret)
-
-          # Validate redirect URI matches
-          raise InvalidGrantError, "Redirect URI mismatch" unless code_data[:redirect_uri] == redirect_uri
-
-          # Validate client ID matches
-          raise InvalidGrantError, "Client ID mismatch" unless code_data[:client_id] == client_id
-
-          # Validate PKCE if challenge was provided during authorization
-          if code_data[:code_challenge]
-            validate_pkce(code_data[:code_challenge], code_data[:code_challenge_method], code_verifier)
-          end
-
-          # Generate access token
-          access_token = generate_access_token(
-            client_id: client_id,
-            scope: code_data[:scope],
-            user_id: code_data[:user_id]
-          )
-
-          # Generate refresh token if enabled
-          refresh_token = nil
-          if oauth_config[:enable_refresh_tokens]
-            refresh_token = generate_refresh_token(
-              client_id: client_id,
-              scope: code_data[:scope],
-              user_id: code_data[:user_id],
-              access_token: access_token
-            )
-          end
-
-          # Remove used authorization code
-          remove_authorization_code(code)
-
-          # Return token response
-          response = {
-            access_token: access_token,
-            token_type: "Bearer",
-            expires_in: token_expires_in,
-            scope: code_data[:scope]
-          }
-          response[:refresh_token] = refresh_token if refresh_token
-          response
-        end
-
-        # Refresh access token using refresh token
-        # @param refresh_token [String] Refresh token
-        # @param client_id [String] OAuth client identifier
-        # @param client_secret [String] OAuth client secret
-        # @param scope [String] Requested scope (optional, must be subset of original)
-        # @return [Hash] New token response
-        def refresh_access_token(refresh_token:, client_id:, client_secret: nil, scope: nil)
-          # Retrieve refresh token data
-          token_data = retrieve_refresh_token(refresh_token)
-          raise InvalidGrantError, "Invalid refresh token" unless token_data
-          raise InvalidGrantError, "Refresh token expired" if token_data[:expires_at] < Time.current
-
-          # Validate client
-          validate_client(client_id, client_secret)
-
-          # Validate client ID matches
-          raise InvalidGrantError, "Client ID mismatch" unless token_data[:client_id] == client_id
-
-          # Validate scope if provided
-          if scope
-            requested_scopes = scope.split(" ")
-            original_scopes = token_data[:scope].split(" ")
-            unless (requested_scopes - original_scopes).empty?
-              raise InvalidScopeError, "Requested scope exceeds original scope"
-            end
-          else
-            scope = token_data[:scope]
-          end
-
-          # Revoke old access token
-          revoke_access_token(token_data[:access_token]) if token_data[:access_token]
-
-          # Generate new access token
-          access_token = generate_access_token(
-            client_id: client_id,
-            scope: scope,
-            user_id: token_data[:user_id]
-          )
-
-          # Update refresh token with new access token
-          update_refresh_token(refresh_token, access_token)
-
-          {
-            access_token: access_token,
-            token_type: "Bearer",
-            expires_in: token_expires_in,
-            scope: scope
-          }
-        end
-
-        # Validate access token and return token info
-        # @param access_token [String] Access token to validate
-        # @return [Hash] Token info with active, client_id, scope, user_id, exp
-        def introspect_token(access_token)
-          token_data = retrieve_access_token(access_token)
-
-          return { active: false } unless token_data
-
-          if token_data[:expires_at] < Time.current
-            remove_access_token(access_token)
-            return { active: false }
-          end
-
-          {
-            active: true,
-            client_id: token_data[:client_id],
-            scope: token_data[:scope],
-            user_id: token_data[:user_id],
-            exp: token_data[:expires_at].to_i,
-            iat: token_data[:created_at].to_i,
-            token_type: "Bearer"
-          }
-        end
-
-        # Revoke access or refresh token
-        # @param token [String] Token to revoke
-        # @param token_type_hint [String] Type hint: "access_token" or "refresh_token"
-        # @return [Boolean] True if token was revoked
-        def revoke_token(token, token_type_hint: nil)
-          revoked = false
-
-          # Try access token first if hint suggests it or no hint provided
-          if (token_type_hint == "access_token" || token_type_hint.nil?) && retrieve_access_token(token)
-            revoke_access_token(token)
-            revoked = true
-          end
-
-          # Try refresh token if not revoked yet
-          if !revoked && (token_type_hint == "refresh_token" || token_type_hint.nil?) && retrieve_refresh_token(token)
-            revoke_refresh_token(token)
-            revoked = true
-          end
-
-          revoked
-        end
-
-        # Register a new OAuth client (Dynamic Client Registration)
-        # @param client_info [Hash] Client registration information
-        # @return [Hash] Registered client information
-        def register_client(client_info)
-          # Store client registration
-          storage.store_client_registration(client_info[:client_id], client_info)
-          client_info
-        end
-
-        # Retrieve registered client information
-        # @param client_id [String] OAuth client identifier
-        # @return [Hash, nil] Client information or nil if not found
-        def get_client(client_id)
-          storage.retrieve_client_registration(client_id)
-        end
-
-        # Client Credentials Grant (for server-to-server)
-        # @param client_id [String] OAuth client identifier
-        # @param client_secret [String] OAuth client secret
-        # @param scope [String] Requested scope
-        # @return [Hash] Token response
-        def client_credentials_grant(client_id:, client_secret:, scope: nil)
-          unless oauth_config[:enable_client_credentials]
-            raise UnsupportedGrantTypeError, "Client credentials grant not supported"
-          end
-
-          # Validate client credentials
-          validate_client(client_id, client_secret, require_secret: true)
-
-          # Validate scope
-          if scope
-            validate_scope(scope)
-          else
-            scope = default_scope
-          end
-
-          # Generate access token (no user context for client credentials)
-          access_token = generate_access_token(
-            client_id: client_id,
-            scope: scope,
-            user_id: nil
-          )
-
-          {
-            access_token: access_token,
-            token_type: "Bearer",
-            expires_in: token_expires_in,
-            scope: scope
-          }
-        end
-
-        private
-
-        def oauth_config
-          @oauth_config ||= HashWithIndifferentAccess.new(ActionMCP.configuration.oauth_config || {})
-        end
-
-        def validate_client(client_id, client_secret, require_secret: false)
-          # First check if client is registered via dynamic registration
-          client_info = get_client(client_id)
-          if client_info
-            # Validate client secret for confidential clients
-            if client_info[:client_secret]
-              raise InvalidClientError, "Invalid client credentials" unless client_secret == client_info[:client_secret]
-            elsif require_secret
-              raise InvalidClientError, "Client authentication required"
-            end
-            return true
-          end
-
-          # Fall back to custom provider validation
-          provider_class = oauth_config[:provider]
-          if provider_class.respond_to?(:validate_client)
-            provider_class.validate_client(client_id, client_secret)
-          elsif require_secret && client_secret.nil?
-            raise InvalidClientError, "Client authentication required"
-          else
-            # In development, allow unregistered clients if configured
-            return true if Rails.env.development? && oauth_config[:allow_unregistered_clients] != false
-
-            raise InvalidClientError, "Unknown client"
-          end
-        end
-
-        def validate_pkce(code_challenge, method, code_verifier)
-          raise InvalidGrantError, "Code verifier required" unless code_verifier
-
-          case method
-          when "S256"
-            expected_challenge = Base64.urlsafe_encode64(
-              Digest::SHA256.digest(code_verifier), padding: false
-            )
-            raise InvalidGrantError, "Invalid code verifier" unless code_challenge == expected_challenge
-          when "plain"
-            raise InvalidGrantError, "Plain PKCE not allowed" unless oauth_config[:allow_plain_pkce]
-            raise InvalidGrantError, "Invalid code verifier" unless code_challenge == code_verifier
-          else
-            raise InvalidGrantError, "Unsupported code challenge method"
-          end
-        end
-
-        def validate_scope(scope)
-          supported_scopes = oauth_config.fetch(:scopes_supported, [ "mcp:tools", "mcp:resources", "mcp:prompts" ])
-          requested_scopes = scope.split(" ")
-          unsupported = requested_scopes - supported_scopes
-          return unless unsupported.any?
-
-          raise InvalidScopeError, "Unsupported scopes: #{unsupported.join(', ')}"
-        end
-
-        def default_scope
-          oauth_config.fetch(:default_scope, "mcp:tools mcp:resources mcp:prompts")
-        end
-
-        def generate_access_token(client_id:, scope:, user_id:)
-          token = SecureRandom.urlsafe_base64(32)
-
-          store_access_token(token, {
-                               client_id: client_id,
-                               scope: scope,
-                               user_id: user_id,
-                               created_at: Time.current,
-                               expires_at: token_expires_in.seconds.from_now
-                             })
-
-          token
-        end
-
-        def generate_refresh_token(client_id:, scope:, user_id:, access_token:)
-          token = SecureRandom.urlsafe_base64(32)
-
-          store_refresh_token(token, {
-                                client_id: client_id,
-                                scope: scope,
-                                user_id: user_id,
-                                access_token: access_token,
-                                created_at: Time.current,
-                                expires_at: refresh_token_expires_in.seconds.from_now
-                              })
-
-          token
-        end
-
-        def token_expires_in
-          oauth_config.fetch(:access_token_expires_in, 3600) # 1 hour
-        end
-
-        def refresh_token_expires_in
-          oauth_config.fetch(:refresh_token_expires_in, 7.days.to_i) # 1 week
-        end
-
-        # Storage methods - these delegate to a configurable storage backend
-        def storage
-          @storage ||= begin
-            # Default to ActiveRecord storage for production, memory for test
-            default_storage = Rails.env.test? ? "ActionMCP::OAuth::MemoryStorage" : "ActionMCP::OAuth::ActiveRecordStorage"
-            storage_class = oauth_config.fetch(:storage, default_storage)
-            storage_class = storage_class.constantize if storage_class.is_a?(String)
-            storage_class.new
-          end
-        end
-
-        def store_authorization_code(code, data)
-          storage.store_authorization_code(code, data)
-        end
-
-        def retrieve_authorization_code(code)
-          storage.retrieve_authorization_code(code)
-        end
-
-        def remove_authorization_code(code)
-          storage.remove_authorization_code(code)
-        end
-
-        def store_access_token(token, data)
-          storage.store_access_token(token, data)
-        end
-
-        def retrieve_access_token(token)
-          storage.retrieve_access_token(token)
-        end
-
-        def remove_access_token(token)
-          storage.remove_access_token(token)
-        end
-
-        def revoke_access_token(token)
-          storage.remove_access_token(token)
-        end
-
-        def store_refresh_token(token, data)
-          storage.store_refresh_token(token, data)
-        end
-
-        def retrieve_refresh_token(token)
-          storage.retrieve_refresh_token(token)
-        end
-
-        def update_refresh_token(token, new_access_token)
-          storage.update_refresh_token(token, new_access_token)
-        end
-
-        def revoke_refresh_token(token)
-          storage.remove_refresh_token(token)
-        end
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth.rb

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # Load OAuth components
-    autoload :Error, "action_mcp/oauth/error"
-    autoload :Provider, "action_mcp/oauth/provider"
-    autoload :Middleware, "action_mcp/oauth/middleware"
-    autoload :MemoryStorage, "action_mcp/oauth/memory_storage"
-    autoload :ActiveRecordStorage, "action_mcp/oauth/active_record_storage"
-  end
-end