actionmcp 0.72.0 → 0.80.1

data/lib/action_mcp/client/streamable_http_transport.rb

@@ -15,12 +15,9 @@ module ActionMCP
 
       attr_reader :session_id, :last_event_id, :protocol_version
 
-      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, jwt_provider: nil,
-                     protocol_version: nil, **options)
+      def initialize(url, session_store:, session_id: nil, protocol_version: nil, **options)
         super(url, session_store: session_store, **options)
         @session_id = session_id
-        @oauth_provider = oauth_provider
-        @jwt_provider = jwt_provider
         @protocol_version = protocol_version || ActionMCP::DEFAULT_PROTOCOL_VERSION
         @negotiated_protocol_version = nil
         @last_event_id = nil
@@ -105,8 +102,6 @@ module ActionMCP
         # Add MCP-Protocol-Version header for GET requests when we have a negotiated version
         headers["MCP-Protocol-Version"] = @negotiated_protocol_version if @negotiated_protocol_version
 
-        headers.merge!(oauth_headers)
-        headers.merge!(jwt_headers)
         log_debug("Final GET headers: #{headers}")
         headers
       end
@@ -122,8 +117,6 @@ module ActionMCP
         # Only include when we have a negotiated version from previous handshake
         headers["MCP-Protocol-Version"] = @negotiated_protocol_version if @negotiated_protocol_version
 
-        headers.merge!(oauth_headers)
-        headers.merge!(jwt_headers)
         log_debug("Final POST headers: #{headers}")
         headers
       end
@@ -208,7 +201,6 @@ module ActionMCP
           # Accepted - message received, no immediate response
           log_debug("Message accepted (202)")
         when 401
-          handle_authentication_error(response)
           raise AuthenticationError, "Authentication required"
         when 405
           # Method not allowed - server doesn't support this operation
@@ -305,43 +297,6 @@ module ActionMCP
         log_debug("Saved session state")
       end
 
-      def oauth_headers
-        return {} unless @oauth_provider&.authenticated?
-
-        headers = @oauth_provider.authorization_headers
-        log_debug("OAuth headers: #{headers}") unless headers.empty?
-        headers
-      rescue StandardError => e
-        log_error("Failed to get OAuth headers: #{e.message}")
-        {}
-      end
-
-      def jwt_headers
-        return {} unless @jwt_provider&.authenticated?
-
-        headers = @jwt_provider.authorization_headers
-        log_debug("JWT headers: #{headers}") unless headers.empty?
-        headers
-      rescue StandardError => e
-        log_error("Failed to get JWT headers: #{e.message}")
-        {}
-      end
-
-      def handle_authentication_error(response)
-        # Check for OAuth challenge in WWW-Authenticate header
-        www_auth = response.headers["www-authenticate"]
-        return unless www_auth&.include?("Bearer")
-
-        if @oauth_provider
-          log_debug("Received OAuth challenge, clearing OAuth tokens")
-          @oauth_provider.clear_tokens!
-        end
-
-        return unless @jwt_provider
-
-        log_debug("Received Bearer challenge, clearing JWT tokens")
-        @jwt_provider.clear_tokens!
-      end
 
       def user_agent
         "ActionMCP-StreamableHTTP/#{ActionMCP.gem_version}"

data/lib/action_mcp/client.rb

@@ -3,8 +3,6 @@
 require_relative "client/transport"
 require_relative "client/session_store"
 require_relative "client/streamable_http_transport"
-require_relative "client/oauth_client_provider"
-require_relative "client/jwt_client_provider"
 
 module ActionMCP
   # Creates a client appropriate for the given endpoint.
@@ -13,8 +11,6 @@ module ActionMCP
   # @param transport [Symbol] The transport type to use (:streamable_http, :sse for legacy)
   # @param session_store [Symbol] The session store type (:memory, :active_record)
   # @param session_id [String] Optional session ID for resuming connections
-  # @param oauth_provider [ActionMCP::Client::OauthClientProvider] Optional OAuth provider for authentication
-  # @param jwt_provider [ActionMCP::Client::JwtClientProvider] Optional JWT provider for authentication
   # @param protocol_version [String] The MCP protocol version to use (defaults to ActionMCP::DEFAULT_PROTOCOL_VERSION)
   # @param logger [Logger] The logger to use. Default is Logger.new($stdout).
   # @param options [Hash] Additional options to pass to the client constructor.
@@ -39,27 +35,8 @@ module ActionMCP
   #     session_store: :memory
   #   )
   #
-  # @example With OAuth authentication
-  #   oauth_provider = ActionMCP::Client::OauthClientProvider.new(
-  #     authorization_server_url: "https://oauth.example.com",
-  #     redirect_url: "http://localhost:3000/callback",
-  #     client_metadata: { client_name: "My App" }
-  #   )
-  #   client = ActionMCP.create_client(
-  #     "http://127.0.0.1:3001/action_mcp",
-  #     oauth_provider: oauth_provider
-  #   )
-  #
-  # @example With JWT authentication
-  #   jwt_provider = ActionMCP::Client::JwtClientProvider.new(
-  #     token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
-  #   )
-  #   client = ActionMCP.create_client(
-  #     "http://127.0.0.1:3001/action_mcp",
-  #     jwt_provider: jwt_provider
-  #   )
   def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil,
-                         oauth_provider: nil, jwt_provider: nil, protocol_version: nil, logger: Logger.new($stdout), **options)
+                         protocol_version: nil, logger: Logger.new($stdout), **options)
     unless endpoint =~ %r{\Ahttps?://}
       raise ArgumentError, "Only HTTP(S) endpoints are supported. STDIO and other transports are not supported."
     end
@@ -69,7 +46,7 @@ module ActionMCP
 
     # Create transport
     transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id,
-                                                               oauth_provider: oauth_provider, jwt_provider: jwt_provider, protocol_version: protocol_version, logger: logger, **options)
+                                                               protocol_version: protocol_version, logger: logger, **options)
 
     logger.info("Creating #{transport} client for endpoint: #{endpoint}")
     # Pass session_id and protocol_version to the client

data/lib/action_mcp/configuration.rb

@@ -29,7 +29,6 @@ module ActionMCP
                   :verbose_logging,
                   # --- Authentication Options ---
                   :authentication_methods,
-                  :oauth_config,
                   # --- Transport Options ---
                   :sse_heartbeat_interval,
                   :post_response_preference, # :json or :sse
@@ -61,9 +60,8 @@ module ActionMCP
       @active_profile = :primary
       @profiles = default_profiles
 
-      # Authentication defaults
-      @authentication_methods = Rails.env.production? ? [ "jwt" ] : [ "none" ]
-      @oauth_config = HashWithIndifferentAccess.new
+      # Authentication defaults - empty means all configured identifiers will be tried
+      @authentication_methods = []
 
       @sse_heartbeat_interval = 30
       @post_response_preference = :json
@@ -110,6 +108,9 @@ module ActionMCP
       # First load defaults from the gem
       @profiles = default_profiles
 
+      # Preserve any settings that were already set via Rails config
+      preserved_name = @name
+
       # Try to load from config/mcp.yml in the Rails app using Rails.config_for
       begin
         app_config = Rails.application.config_for(:mcp)
@@ -117,16 +118,28 @@ module ActionMCP
         raise "Invalid MCP config file" unless app_config.is_a?(Hash)
 
         # Extract authentication configuration if present
-        @authentication_methods = Array(app_config["authentication"]) if app_config["authentication"]
-
-        # Extract OAuth configuration if present
-        @oauth_config = HashWithIndifferentAccess.new(app_config["oauth"]) if app_config["oauth"]
+        # Handle both symbol and string keys
+        @authentication_methods = Array(app_config[:authentication] || app_config["authentication"]) if app_config[:authentication] || app_config["authentication"]
 
         # Extract other top-level configuration settings
         extract_top_level_settings(app_config)
 
-        # Extract profiles configuration
-        @profiles = app_config["profiles"] if app_config["profiles"]
+        # Extract profiles configuration - merge with defaults instead of replacing
+        # Rails.config_for returns OrderedOptions which uses symbol keys
+        if app_config[:profiles] || app_config["profiles"]
+          # Get profiles with either symbol or string key
+          app_profiles = app_config[:profiles] || app_config["profiles"]
+
+          # Convert to regular hash and deep symbolize keys
+          if app_profiles.is_a?(ActiveSupport::OrderedOptions)
+            app_profiles = app_profiles.to_h.deep_symbolize_keys
+          elsif app_profiles.respond_to?(:deep_symbolize_keys)
+            app_profiles = app_profiles.deep_symbolize_keys
+          end
+
+          Rails.logger.debug "[Configuration] Merging profiles: #{app_profiles.inspect}"
+          @profiles = @profiles.deep_merge(app_profiles)
+        end
       rescue StandardError => e
         # If the config file doesn't exist in the Rails app, just use the defaults
         Rails.logger.warn "[Configuration] Failed to load MCP config: #{e.class} - #{e.message}"
@@ -134,8 +147,13 @@ module ActionMCP
       end
 
       # Apply the active profile
+      Rails.logger.info "[ActionMCP] Loaded profiles: #{@profiles.keys.join(', ')}"
+      Rails.logger.info "[ActionMCP] Using profile: #{@active_profile}"
       use_profile(@active_profile)
 
+      # Restore preserved settings
+      @name = preserved_name if preserved_name
+
       self
     end
 
@@ -184,6 +202,9 @@ module ActionMCP
       capabilities = {}
       profile = @profiles[active_profile]
 
+      Rails.logger.debug "[ActionMCP] Generating capabilities for profile: #{active_profile}"
+      Rails.logger.debug "[ActionMCP] Profile config: #{profile.inspect}"
+
       # Check profile configuration instead of registry contents
       # If profile includes tools (either "all" or specific tools), advertise tools capability
       capabilities[:tools] = { listChanged: @list_changed } if profile && profile[:tools]&.any?
@@ -268,42 +289,48 @@ module ActionMCP
     end
 
     def extract_top_level_settings(app_config)
+      # Create a wrapper that handles both symbol and string keys
+      config = HashWithIndifferentAccess.new(app_config)
+
       # Extract adapter configuration
-      if app_config["adapter"]
+      if config["adapter"]
         # This will be handled by the pub/sub system, we just store it for now
-        @adapter = app_config["adapter"]
+        @adapter = config["adapter"]
       end
 
       # Extract thread pool settings
-      @min_threads = app_config["min_threads"] if app_config["min_threads"]
+      @min_threads = config["min_threads"] if config["min_threads"]
 
-      @max_threads = app_config["max_threads"] if app_config["max_threads"]
+      @max_threads = config["max_threads"] if config["max_threads"]
 
-      @max_queue = app_config["max_queue"] if app_config["max_queue"]
+      @max_queue = config["max_queue"] if config["max_queue"]
 
       # Extract polling interval for solid_cable
-      @polling_interval = app_config["polling_interval"] if app_config["polling_interval"]
+      @polling_interval = config["polling_interval"] if config["polling_interval"]
 
       # Extract connects_to setting
-      @connects_to = app_config["connects_to"] if app_config["connects_to"]
+      @connects_to = config["connects_to"] if config["connects_to"]
 
       # Extract verbose logging setting
-      @verbose_logging = app_config["verbose_logging"] if app_config.key?("verbose_logging")
+      @verbose_logging = config["verbose_logging"] if app_config.key?("verbose_logging")
 
       # Extract gateway class configuration
-      @gateway_class_name = app_config["gateway_class"] if app_config["gateway_class"]
+      @gateway_class_name = config["gateway_class"] if config["gateway_class"]
+
+      # Extract active profile setting
+      @active_profile = config["profile"].to_sym if config["profile"]
 
       # Extract session store configuration
-      @session_store_type = app_config["session_store_type"].to_sym if app_config["session_store_type"]
+      @session_store_type = config["session_store_type"].to_sym if config["session_store_type"]
 
       # Extract client and server session store types
-      if app_config["client_session_store_type"]
-        @client_session_store_type = app_config["client_session_store_type"].to_sym
+      if config["client_session_store_type"]
+        @client_session_store_type = config["client_session_store_type"].to_sym
       end
 
-      return unless app_config["server_session_store_type"]
+      return unless config["server_session_store_type"]
 
-      @server_session_store_type = app_config["server_session_store_type"].to_sym
+      @server_session_store_type = config["server_session_store_type"].to_sym
     end
 
     def should_include_all?(type)

data/lib/action_mcp/engine.rb

@@ -12,7 +12,6 @@ module ActionMCP
     ActiveSupport::Inflector.inflections(:en) do |inflect|
       inflect.acronym "SSE"
       inflect.acronym "MCP"
-      inflect.acronym "OAuth"
     end
 
     # Provide a configuration namespace for ActionMCP
@@ -54,12 +53,6 @@ module ActionMCP
       ActionMCP.configuration.load_profiles
     end
 
-    # Add OAuth middleware if OAuth is configured
-    initializer "action_mcp.oauth_middleware", after: "action_mcp.load_profiles" do
-      if ActionMCP.configuration.authentication_methods&.include?("oauth")
-        config.middleware.use ActionMCP::OAuth::Middleware
-      end
-    end
 
     # Configure autoloading for the mcp/tools directory and identifiers
     initializer "action_mcp.autoloading", before: :set_autoload_paths do |app|

data/lib/action_mcp/filtered_logger.rb

@@ -3,11 +3,7 @@
 module ActionMCP
   # Custom logger that filters out repetitive MCP requests
   class FilteredLogger < ActiveSupport::Logger
-    FILTERED_PATHS = [
-      "/oauth/authorize",
-      "/.well-known/oauth-protected-resource",
-      "/.well-known/oauth-authorization-server"
-    ].freeze
+    FILTERED_PATHS = [].freeze
 
     FILTERED_METHODS = [
       "notifications/initialized",
@@ -15,7 +11,7 @@ module ActionMCP
     ].freeze
 
     def add(severity, message = nil, progname = nil, &block)
-      # Filter out repetitive OAuth metadata requests
+      # Filter out specific paths
       if message.is_a?(String)
         return if FILTERED_PATHS.any? { |path| message.include?(path) && message.include?("200 OK") }
 

data/lib/action_mcp/gateway_identifier.rb

@@ -1,29 +1,213 @@
 # frozen_string_literal: true
 
 module ActionMCP
+  # Base class for Gateway authentication identifiers.
+  #
+  # Gateway identifiers provide a clean interface for authentication by reading
+  # from request.env keys set by upstream middleware (like Warden, Devise, or custom auth).
+  #
+  # @example Warden/Devise Integration
+  #   class WardenIdentifier < ActionMCP::GatewayIdentifier
+  #     identifier :user
+  #     authenticates :warden
+  #
+  #     def resolve
+  #       # Warden sets 'warden.user' in request.env after authentication
+  #       user = user_from_middleware
+  #       user || raise(Unauthorized, "No authenticated user found")
+  #     end
+  #   end
+  #
+  # @example API Key Authentication
+  #   class ApiKeyIdentifier < ActionMCP::GatewayIdentifier
+  #     identifier :user
+  #     authenticates :api_key
+  #
+  #     def resolve
+  #       # Check for API key in header or query param
+  #       api_key = @request.env['HTTP_X_API_KEY'] ||
+  #                 @request.params['api_key']
+  #       return raise(Unauthorized, "Missing API key") unless api_key
+  #
+  #       user = User.find_by(api_key: api_key)
+  #       user || raise(Unauthorized, "Invalid API key")
+  #     end
+  #   end
+  #
+  # @example Session-based Authentication
+  #   class SessionIdentifier < ActionMCP::GatewayIdentifier
+  #     identifier :user
+  #     authenticates :session
+  #
+  #     def resolve
+  #       user_id = session&.[]('user_id')
+  #       return raise(Unauthorized, "No user session") unless user_id
+  #
+  #       user = User.find_by(id: user_id)
+  #       user || raise(Unauthorized, "Invalid session")
+  #     end
+  #   end
+  #
+  # @example Multi-tenant with Organization
+  #   class TenantIdentifier < ActionMCP::GatewayIdentifier
+  #     identifier :user
+  #     authenticates :tenant
+  #
+  #     def resolve
+  #       # Get user from middleware
+  #       user = user_from_middleware
+  #       return raise(Unauthorized, "No user found") unless user
+  #
+  #       # Check tenant header
+  #       tenant_id = @request.env['HTTP_X_TENANT_ID']
+  #       return raise(Unauthorized, "Missing tenant") unless tenant_id
+  #
+  #       # Verify user has access to tenant
+  #       unless user.tenants.exists?(id: tenant_id)
+  #         raise Unauthorized, "Access denied for tenant"
+  #       end
+  #
+  #       # Set current tenant for the request
+  #       Current.tenant = Tenant.find(tenant_id)
+  #       user
+  #     end
+  #   end
+  #
+  # @example Development/Testing Bypass
+  #   class DevIdentifier < ActionMCP::GatewayIdentifier
+  #     identifier :user
+  #     authenticates :dev
+  #
+  #     def resolve
+  #       return raise(Unauthorized, "Dev auth disabled in production") unless development_env?
+  #
+  #       # Create or find dev user
+  #       User.find_or_create_by!(email: "dev@localhost") do |user|
+  #         user.name = "Development User"
+  #       end
+  #     end
+  #   end
   class GatewayIdentifier
     class Unauthorized < StandardError; end
 
     class << self
-      # e.g. JwtIdentifier.identifier_name => :user
-      attr_reader :identifier_name, :auth_method
+      # @return [Symbol] The name of the identity this identifier provides (e.g., :user, :admin)
+      attr_reader :identifier_name
 
+      # @return [String] The authentication method this identifier handles (e.g., "session", "api_key")
+      attr_reader :auth_method
+
+      # Declares what identity attribute this identifier provides.
+      # This becomes the accessor name on the Gateway instance.
+      #
+      # @param name [Symbol, String] The identity name (e.g., :user, :admin)
+      # @example
+      #   identifier :user
+      #   # Gateway instance will have gateway.user accessor
       def identifier(name)
         @identifier_name = name.to_sym
       end
 
+      # Declares what authentication method this identifier handles.
+      # This should match values in your authentication_methods configuration.
+      #
+      # @param method [Symbol, String] The auth method name (e.g., :session, :api_key)
+      # @example
+      #   authenticates :api_key
+      #   # Matches authentication_methods: ["api_key"] in config
       def authenticates(method)
         @auth_method = method.to_s
       end
     end
 
+    # @param request [ActionDispatch::Request] The request object containing env hash
     def initialize(request)
       @request = request
     end
 
-    # must return a truthy identity object, or raise Unauthorized
+    # Resolves the identity for this authentication method.
+    # Must return a truthy identity object, or raise Unauthorized.
+    #
+    # Common request.env keys set by popular auth middleware:
+    # - 'warden.user' - Warden (used by Devise)
+    # - 'devise.user' - Devise direct
+    # - 'rack.session' - Rack session hash
+    # - 'HTTP_AUTHORIZATION' - Authorization header
+    # - Custom keys set by your middleware
+    #
+    # @return [Object] The authenticated identity (User, Admin, etc.)
+    # @raise [Unauthorized] When authentication fails
+    # @abstract Subclasses must implement this method
     def resolve
       raise NotImplementedError, "#{self.class}#resolve must be implemented"
     end
+
+    protected
+
+    # Helper method to extract Bearer token from Authorization header
+    # @return [String, nil] The token without "Bearer " prefix
+    def extract_bearer_token
+      header = @request.env["HTTP_AUTHORIZATION"] || ""
+      header[/\ABearer (.+)\z/, 1]
+    end
+
+    # Helper method to extract Basic auth credentials from Authorization header
+    # @return [Array<String>, nil] [username, password] or nil if not Basic auth
+    def extract_basic_auth
+      header = @request.env["HTTP_AUTHORIZATION"] || ""
+      return nil unless header.start_with?("Basic ")
+
+      encoded = header[6..-1] # Remove "Basic " prefix
+      decoded = Base64.decode64(encoded)
+      decoded.split(":", 2) # Split on first colon only
+    rescue StandardError
+      nil
+    end
+
+    # Helper method to get user from common middleware env keys
+    # @return [Object, nil] User from Warden/Devise or nil
+    def user_from_middleware
+      @request.env["warden.user"] || @request.env["devise.user"]
+    end
+
+    # Helper method to get session hash
+    # @return [Hash, nil] Rack session hash or nil
+    def session
+      @request.env["rack.session"]
+    end
+
+    # Helper method to read custom env key with optional fallbacks
+    # @param keys [String, Array<String>] Primary key or array of keys to try
+    # @return [Object, nil] Value from request.env or nil
+    def env_value(*keys)
+      keys.flatten.each do |key|
+        value = @request.env[key]
+        return value if value
+      end
+      nil
+    end
+
+    # Helper method to extract API key from various common locations
+    # @param header_name [String] Custom header name (default: 'HTTP_X_API_KEY')
+    # @param param_name [String] Query/form parameter name (default: 'api_key')
+    # @return [String, nil] The API key or nil
+    def extract_api_key(header_name: "HTTP_X_API_KEY", param_name: "api_key")
+      # Try custom header first
+      api_key = @request.env[header_name]
+      return api_key if api_key
+
+      # Try Authorization header with "Bearer" prefix
+      bearer_token = extract_bearer_token
+      return bearer_token if bearer_token
+
+      # Try request parameters (query string or form data)
+      @request.params[param_name] if @request.respond_to?(:params)
+    end
+
+    # Helper method to check if user is in a development environment
+    # @return [Boolean] true if Rails.env.development?
+    def development_env?
+      Rails.env.development?
+    end
   end
 end

data/lib/action_mcp/gateway_identifiers/api_key_identifier.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module GatewayIdentifiers
+    # Example Gateway identifier for API key-based authentication.
+    #
+    # This identifier looks for API keys in various locations:
+    # - Authorization header (Bearer token)
+    # - Custom X-API-Key header
+    # - Query parameters
+    #
+    # @example Usage in ApplicationGateway
+    #   class ApplicationGateway < ActionMCP::Gateway
+    #     identified_by ActionMCP::GatewayIdentifiers::ApiKeyIdentifier
+    #   end
+    #
+    # @example Configuration
+    #   # config/mcp.yml
+    #   authentication_methods: ["api_key"]
+    #
+    # @example API Key usage
+    #   # Via Authorization header:
+    #   # Authorization: Bearer your-api-key-here
+    #   #
+    #   # Via custom header:
+    #   # X-API-Key: your-api-key-here
+    #   #
+    #   # Via query parameter:
+    #   # ?api_key=your-api-key-here
+    class ApiKeyIdentifier < ActionMCP::GatewayIdentifier
+      identifier :user
+      authenticates :api_key
+
+      def resolve
+        api_key = extract_api_key
+        raise Unauthorized, "Missing API key" unless api_key
+
+        # Look up user by API key
+        # Assumes you have an api_key or api_token field on your User model
+        user = User.find_by(api_key: api_key) || User.find_by(api_token: api_key)
+        raise Unauthorized, "Invalid API key" unless user
+
+        # Optional: Check if API key is still valid (not expired, user active, etc.)
+        if user.respond_to?(:api_key_expired?) && user.api_key_expired?
+          raise Unauthorized, "API key expired"
+        end
+
+        if user.respond_to?(:active?) && !user.active?
+          raise Unauthorized, "User account inactive"
+        end
+
+        user
+      end
+    end
+  end
+end

data/lib/action_mcp/gateway_identifiers/devise_identifier.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module GatewayIdentifiers
+    # Example Gateway identifier for direct Devise integration.
+    #
+    # This identifier looks for the user directly in request.env['devise.user'] which
+    # may be set by custom Devise middleware or helpers.
+    #
+    # @example Usage in ApplicationGateway
+    #   class ApplicationGateway < ActionMCP::Gateway
+    #     identified_by ActionMCP::GatewayIdentifiers::DeviseIdentifier
+    #   end
+    #
+    # @example Configuration
+    #   # config/mcp.yml
+    #   authentication_methods: ["devise"]
+    #
+    # @example Custom Devise middleware setup
+    #   # In your application, you might set this in a before_action:
+    #   # request.env['devise.user'] = current_user if user_signed_in?
+    class DeviseIdentifier < ActionMCP::GatewayIdentifier
+      identifier :user
+      authenticates :devise
+
+      def resolve
+        user = @request.env["devise.user"]
+        raise Unauthorized, "Not authenticated" unless user
+
+        user
+      end
+    end
+  end
+end