actionmcp 0.72.0 → 0.80.1

data/lib/action_mcp/gateway_identifiers/request_env_identifier.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module GatewayIdentifiers
+    # Example Gateway identifier for custom request environment-based authentication.
+    #
+    # This identifier looks for user information in custom request headers or environment
+    # variables. Useful for authentication set up by upstream proxies, API gateways,
+    # or custom middleware.
+    #
+    # @example Usage in ApplicationGateway
+    #   class ApplicationGateway < ActionMCP::Gateway
+    #     identified_by ActionMCP::GatewayIdentifiers::RequestEnvIdentifier
+    #   end
+    #
+    # @example Configuration
+    #   # config/mcp.yml
+    #   authentication_methods: ["request_env"]
+    #
+    # @example Nginx/Proxy setup
+    #   # Your proxy/gateway might set headers like:
+    #   # X-User-ID: 123
+    #   # X-User-Email: user@example.com
+    #   # X-User-Roles: admin,user
+    class RequestEnvIdentifier < ActionMCP::GatewayIdentifier
+      identifier :user
+      authenticates :request_env
+
+      def resolve
+        user_id = @request.env["HTTP_X_USER_ID"]
+        raise Unauthorized, "User ID header missing" unless user_id
+
+        # You might also want to get additional user info from headers
+        email = @request.env["HTTP_X_USER_EMAIL"]
+        roles = @request.env["HTTP_X_USER_ROLES"]&.split(",") || []
+
+        # Option 1: Find user in database
+        begin
+          user = User.find(user_id)
+          # Optional: verify email matches if provided
+          if email && user.email != email
+            raise Unauthorized, "User email mismatch"
+          end
+          user
+        rescue ActiveRecord::RecordNotFound
+          raise Unauthorized, "Invalid user"
+        end
+
+        # Option 2: Create a simple user object from headers (if you don't want DB lookup)
+        # OpenStruct.new(
+        #   id: user_id,
+        #   email: email,
+        #   roles: roles
+        # )
+      end
+    end
+  end
+end

data/lib/action_mcp/gateway_identifiers/warden_identifier.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module GatewayIdentifiers
+    # Example Gateway identifier for Warden-based authentication.
+    #
+    # This identifier works with Warden middleware which is commonly used by Devise.
+    # Warden sets the authenticated user in request.env['warden.user'] after successful authentication.
+    #
+    # @example Usage in ApplicationGateway
+    #   class ApplicationGateway < ActionMCP::Gateway
+    #     identified_by ActionMCP::GatewayIdentifiers::WardenIdentifier
+    #   end
+    #
+    # @example Configuration
+    #   # config/mcp.yml
+    #   authentication_methods: ["warden"]
+    #
+    # @example With Devise
+    #   # In your controller or middleware, ensure Warden is configured:
+    #   # devise_for :users
+    #   # authenticate_user! # This sets up Warden env
+    class WardenIdentifier < ActionMCP::GatewayIdentifier
+      identifier :user
+      authenticates :warden
+
+      def resolve
+        warden = @request.env["warden"]
+        raise Unauthorized, "Warden not available" unless warden
+
+        user = warden.user
+        raise Unauthorized, "Not authenticated" unless user
+
+        user
+      end
+    end
+  end
+end

data/lib/action_mcp/gateway_identifiers.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  # Example Gateway identifiers for common authentication patterns.
+  #
+  # These identifiers provide ready-to-use implementations for popular
+  # Rails authentication patterns. You can use them directly or as
+  # templates for your own custom identifiers.
+  #
+  # @example Using in ApplicationGateway
+  #   class ApplicationGateway < ActionMCP::Gateway
+  #     # Use multiple identifiers (tried in order)
+  #     identified_by ActionMCP::GatewayIdentifiers::WardenIdentifier,
+  #                   ActionMCP::GatewayIdentifiers::ApiKeyIdentifier
+  #   end
+  #
+  # @example Configuration
+  #   # config/mcp.yml
+  #   authentication_methods: ["warden", "api_key"]
+  module GatewayIdentifiers
+    autoload :WardenIdentifier, "action_mcp/gateway_identifiers/warden_identifier"
+    autoload :DeviseIdentifier, "action_mcp/gateway_identifiers/devise_identifier"
+    autoload :RequestEnvIdentifier, "action_mcp/gateway_identifiers/request_env_identifier"
+    autoload :ApiKeyIdentifier, "action_mcp/gateway_identifiers/api_key_identifier"
+  end
+end

data/lib/action_mcp/resource_template.rb

@@ -274,6 +274,7 @@ module ActionMCP
           else
             @response.add_content(result)
           end
+          @response
         end
       rescue StandardError => e
         @response.mark_as_resolution_failed!("template://#{self.class.name}", e.message)

data/lib/action_mcp/server/base_session.rb

@@ -147,7 +147,9 @@ module ActionMCP
 
       def cleanup_old_sse_events(max_age = 15.minutes)
         cutoff_time = Time.current - max_age
+        original_size = @sse_events.size
         @sse_events.delete_if { |e| e[:created_at] < cutoff_time }
+        original_size - @sse_events.size
       end
 
       def max_stored_sse_events

data/lib/action_mcp/server/resources.rb

@@ -45,10 +45,11 @@ module ActionMCP
       # @example Output:
       #   # Sends: {"jsonrpc":"2.0","id":"req-789","result":{"contents":[{"uri":"file:///example.txt","text":"Example content"}]}}
       def send_resource_read(id, params)
-        template = ResourceTemplatesRegistry.find_template_for_uri(params[:uri])
+        uri = params["uri"]
+        template = ResourceTemplatesRegistry.find_template_for_uri(uri)
 
         unless template
-          send_jsonrpc_error(id, :resource_not_found, "No resource template found for URI: #{params[:uri]}")
+          send_jsonrpc_error(id, :method_not_found, "No resource template found for URI: '#{uri}'")
           return
         end
 
@@ -65,21 +66,21 @@ module ActionMCP
 
         begin
           # Create template instance and set execution context
-          record = template.process(params[:uri])
+          record = template.process(uri)
           record.with_context({ session: session })
 
           response = record.call
 
           if response.error?
-            # Convert ResourceResponse errors to JSON-RPC errors
-            error_info = response.to_h
-            send_jsonrpc_error(id, error_info[:code], error_info[:message], error_info[:data])
+            # response.to_h works properly when error? is true:
+            send_jsonrpc_response(id, error: response.to_h)
           else
             # Handle successful response - ResourceResponse.contents is already an array
             send_jsonrpc_response(id, result: { contents: response.contents.map(&:to_h) })
           end
         rescue StandardError => e
-          log_error(e, { resource_uri: params[:uri], template: template.name })
+          # Should rather `ErrorHandling` module be included here? Then we could use `log_error(e)` directly.
+          Rails.logger.error "[MCP Error] #{e.class}: #{e.message}"
           send_jsonrpc_error(id, :internal_error, "Failed to read resource: #{e.message}")
         end
       end

data/lib/action_mcp/version.rb

@@ -2,7 +2,7 @@
 
 require_relative "gem_version"
 module ActionMCP
-  VERSION = "0.72.0"
+  VERSION = "0.80.1"
 
   class << self
     alias version gem_version

data/lib/action_mcp.rb

@@ -13,9 +13,6 @@ require "action_mcp/log_subscriber"
 require "action_mcp/engine"
 require "zeitwerk"
 
-# OAuth 2.1 support via Omniauth
-require "omniauth"
-require "omniauth-oauth2"
 
 lib = File.dirname(__FILE__)
 
@@ -29,8 +26,6 @@ Zeitwerk::Loader.for_gem.tap do |loader|
 
   loader.inflector.inflect("action_mcp" => "ActionMCP")
   loader.inflector.inflect("sse_listener" => "SSEListener")
-  loader.inflector.inflect("oauth" => "OAuth")
-  loader.inflector.inflect("mcp_strategy" => "MCPStrategy")
 end.setup
 
 module ActionMCP
@@ -40,7 +35,7 @@ module ActionMCP
 
   # Protocol version constants
   SUPPORTED_VERSIONS = [
-    "2025-06-18", # Dr. Identity McBouncer - OAuth 2.1, elicitation, structured output, resource links
+    "2025-06-18", # Dr. Identity McBouncer - elicitation, structured output, resource links
     "2025-03-26"  # The Persistent Negotiator - StreamableHTTP, resumability, audio support
   ].freeze
 

data/lib/generators/action_mcp/identifier/identifier_generator.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module Generators
+    class IdentifierGenerator < Rails::Generators::Base
+      namespace "action_mcp:identifier"
+      source_root File.expand_path("templates", __dir__)
+      desc "Creates a Gateway Identifier for authentication patterns"
+
+      argument :name, type: :string, required: true, banner: "IdentifierName"
+
+      class_option :auth_method, type: :string, required: true,
+                   desc: "Authentication method name (e.g., 'api_key', 'session', 'custom')"
+      class_option :identity, type: :string, default: "user",
+                   desc: "Identity type this identifier provides (e.g., 'user', 'admin')"
+      class_option :lookup_method, type: :string, default: "database",
+                   desc: "How to resolve identity: 'database', 'middleware', 'headers', 'custom'"
+
+      def create_identifier_file
+        template "identifier.rb.erb", "app/mcp/identifiers/#{file_name}.rb"
+      end
+
+      def show_usage_instructions
+        say "\nIdentifier generated successfully!", :green
+        say "\nNext steps:", :blue
+        say "1. Configure authentication methods in config/mcp.yml:"
+        say "   authentication_methods: [\"#{auth_method}\"]", :yellow
+        say "\n2. Register in ApplicationGateway:"
+        say "   identified_by #{class_name}", :yellow
+        say "\n3. Customize the resolve method in app/mcp/identifiers/#{file_name}.rb"
+
+        if lookup_method == "database"
+          say "\n4. Ensure your #{identity.capitalize} model has the required fields/methods", :cyan
+        elsif lookup_method == "middleware"
+          say "\n4. Ensure your middleware sets the required request.env keys", :cyan
+        end
+      end
+
+      private
+
+      def class_name
+        "#{name.camelize}#{name.camelize.end_with?('Identifier') ? '' : 'Identifier'}"
+      end
+
+      def file_name
+        base = name.underscore
+        base.end_with?("_identifier") ? base : "#{base}_identifier"
+      end
+
+      def auth_method
+        options[:auth_method]
+      end
+
+      def identity
+        options[:identity]
+      end
+
+      def lookup_method
+        options[:lookup_method]
+      end
+
+      def resolve_implementation
+        case lookup_method
+        when "database"
+          database_lookup_implementation
+        when "middleware"
+          middleware_lookup_implementation
+        when "headers"
+          headers_lookup_implementation
+        else
+          custom_lookup_implementation
+        end
+      end
+
+      def database_lookup_implementation
+        case auth_method
+        when /api_key|token/
+          api_key_database_lookup
+        when /session/
+          session_database_lookup
+        else
+          generic_database_lookup
+        end
+      end
+
+      def api_key_database_lookup
+        <<~RUBY.indent(4)
+          # Extract API key from various sources
+          api_key = extract_api_key
+          raise Unauthorized, "Missing API key" unless api_key
+
+          # Look up #{identity} by API key
+          #{identity} = #{identity.capitalize}.find_by(api_key: api_key)
+          raise Unauthorized, "Invalid API key" unless #{identity}
+
+          # Optional: Add additional validation
+          # raise Unauthorized, "#{identity.capitalize} account inactive" unless #{identity}.active?
+
+          #{identity}
+        RUBY
+      end
+
+      def session_database_lookup
+        <<~RUBY.indent(4)
+          # Get #{identity} ID from session
+          #{identity}_id = session&.[]('#{identity}_id')
+          raise Unauthorized, "No #{identity} session" unless #{identity}_id
+
+          # Look up #{identity} in database
+          #{identity} = #{identity.capitalize}.find_by(id: #{identity}_id)
+          raise Unauthorized, "Invalid session" unless #{identity}
+
+          #{identity}
+        RUBY
+      end
+
+      def generic_database_lookup
+        <<~RUBY.indent(4)
+          # TODO: Extract identifier from request (headers, params, etc.)
+          identifier = nil # Implement your extraction logic here
+          raise Unauthorized, "Missing authentication identifier" unless identifier
+
+          # Look up #{identity} in database
+          #{identity} = #{identity.capitalize}.find_by(some_field: identifier)
+          raise Unauthorized, "Authentication failed" unless #{identity}
+
+          #{identity}
+        RUBY
+      end
+
+      def middleware_lookup_implementation
+        <<~RUBY.indent(4)
+          # Get #{identity} from middleware (Warden, Devise, etc.)
+          #{identity} = user_from_middleware
+          raise Unauthorized, "No authenticated #{identity} found" unless #{identity}
+
+          # Optional: Add additional validation
+          # raise Unauthorized, "#{identity.capitalize} access denied" unless #{identity}.can_access_mcp?
+
+          #{identity}
+        RUBY
+      end
+
+      def headers_lookup_implementation
+        <<~RUBY.indent(4)
+          # Extract #{identity} info from request headers
+          #{identity}_id = @request.env['HTTP_X_#{identity.upcase}_ID']
+          raise Unauthorized, "#{identity.capitalize} ID header missing" unless #{identity}_id
+
+          # Optional: Get additional info from headers
+          email = @request.env['HTTP_X_#{identity.upcase}_EMAIL']
+          roles = @request.env['HTTP_X_#{identity.upcase}_ROLES']&.split(',') || []
+
+          # Option 1: Look up in database
+          #{identity} = #{identity.capitalize}.find(#{identity}_id)
+        #{'  '}
+          # Option 2: Create simple object from headers (no DB lookup)
+          # #{identity} = OpenStruct.new(
+          #   id: #{identity}_id,
+          #   email: email,
+          #   roles: roles
+          # )
+
+          #{identity}
+        rescue ActiveRecord::RecordNotFound
+          raise Unauthorized, "Invalid #{identity}"
+        RUBY
+      end
+
+      def custom_lookup_implementation
+        <<~RUBY.indent(4)
+          # TODO: Implement your custom authentication logic here
+
+          # Example patterns:
+          # 1. Extract credentials from request
+          # credentials = extract_credentials_from_request
+
+          # 2. Validate credentials (API call, database lookup, etc.)
+          # #{identity} = validate_credentials(credentials)
+
+          # 3. Return the authenticated #{identity} or raise Unauthorized
+          # raise Unauthorized, "Authentication failed" unless #{identity}
+
+          raise NotImplementedError, "Custom authentication logic not implemented"
+        RUBY
+      end
+    end
+  end
+end

data/lib/generators/action_mcp/identifier/templates/identifier.rb.erb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+# <%= class_name %> - Gateway identifier for <%= auth_method %> authentication
+#
+# This identifier handles authentication using the "<%= auth_method %>" method
+# and provides access to the authenticated <%= identity %> object.
+#
+# Configuration:
+#   # config/mcp.yml
+#   authentication_methods: ["<%= auth_method %>"]
+#
+# Usage in ApplicationGateway:
+#   identified_by <%= class_name %>
+class <%= class_name %> < ActionMCP::GatewayIdentifier
+  identifier :<%= identity %>
+  authenticates :<%= auth_method %>
+
+  def resolve
+<%= resolve_implementation %>
+  end
+
+  private
+
+  # Add any custom helper methods here
+  # 
+  # Example helper methods:
+  # 
+  # def extract_credentials_from_request
+  #   # Custom extraction logic
+  # end
+  # 
+  # def validate_credentials(credentials)
+  #   # Custom validation logic
+  # end
+end

data/lib/generators/action_mcp/install/install_generator.rb

@@ -44,7 +44,7 @@ module ActionMCP
         say ""
         say "Configuration:"
         say "  The mcp.yml file contains authentication, profiles, and adapter settings."
-        say "  You can customize authentication methods, OAuth settings, and PubSub adapters."
+        say "  You can customize authentication methods and PubSub adapters."
         say ""
         say "Available adapters:"
         say "  - simple      : In-memory adapter for development"

data/lib/generators/action_mcp/install/templates/application_gateway.rb

@@ -1,41 +1,90 @@
 # frozen_string_literal: true
 
-class ApplicationGateway < ActionMCP::Gateway
-  # Specify what attributes identify a connection
-  # Multiple identifiers can be used (e.g., user, account, organization)
-  identified_by :user
-
-  protected
+# Application Gateway - configure your authentication identifiers here
+#
+# The Gateway reads from request.env keys set by upstream middleware
+# (like Warden, Devise, or custom auth middleware) through identifier classes.
+#
+# ActionMCP provides ready-to-use identifier examples for common authentication patterns.
+# You can use them directly or customize them for your needs.
 
-  # Override this method to implement your authentication logic
-  # Must return a hash with keys matching the identified_by attributes
-  # or raise ActionMCP::UnauthorizedError
-  def authenticate!
-    # Example using JWT:
-    token = extract_bearer_token
-    raise ActionMCP::UnauthorizedError, "Missing token" unless token
+class ApplicationGateway < ActionMCP::Gateway
+  # Register your identifier classes in order of preference
+  # The first successful identifier will be used
 
-    payload = ActionMCP::JwtDecoder.decode(token)
-    user = resolve_user(payload)
+  # Option 1: Use built-in identifiers (recommended for common patterns)
+  # identified_by ActionMCP::GatewayIdentifiers::WardenIdentifier  # For Warden/Devise
+  # identified_by ActionMCP::GatewayIdentifiers::ApiKeyIdentifier  # For API key auth
+  # identified_by ActionMCP::GatewayIdentifiers::RequestEnvIdentifier  # For custom headers
 
-    raise ActionMCP::UnauthorizedError, "Unauthorized" unless user
+  # Option 2: Use multiple auth methods (tries in order)
+  # identified_by ActionMCP::GatewayIdentifiers::WardenIdentifier,
+  #               ActionMCP::GatewayIdentifiers::ApiKeyIdentifier
 
-    # Return a hash with all identified_by attributes
-    { user: user }
-  rescue ActionMCP::JwtDecoder::DecodeError => e
-    raise ActionMCP::UnauthorizedError, e.message
-  end
+  # Option 3: Create custom identifiers (see examples below)
+  # identified_by CustomUserIdentifier, CustomAdminIdentifier
+end
 
-  private
+# Custom identifier examples - uncomment and customize as needed:
 
-  # Example method to resolve user from JWT payload
-  def resolve_user(payload)
-    return nil unless payload.is_a?(Hash)
+# Example: Custom Warden/Devise identifier
+# class CustomUserIdentifier < ActionMCP::GatewayIdentifier
+#   identifier :user
+#   authenticates :custom_warden
+#
+#   def resolve
+#     user = user_from_middleware
+#     raise Unauthorized, "No authenticated user found" unless user
+#
+#     # Add custom validation
+#     raise Unauthorized, "User account suspended" if user.suspended?
+#
+#     user
+#   end
+# end
 
-    user_id = payload["user_id"] || payload["sub"]
-    return nil unless user_id
+# Example: Custom API Key identifier with rate limiting
+# class CustomApiKeyIdentifier < ActionMCP::GatewayIdentifier
+#   identifier :user
+#   authenticates :custom_api_key
+#
+#   def resolve
+#     api_key = extract_api_key
+#     raise Unauthorized, "Missing API key" unless api_key
+#
+#     user = User.find_by(api_key: api_key)
+#     raise Unauthorized, "Invalid API key" unless user
+#
+#     # Add rate limiting check
+#     if rate_limited?(user)
+#       raise Unauthorized, "Rate limit exceeded"
+#     end
+#
+#     user
+#   end
+#
+#   private
+#
+#   def rate_limited?(user)
+#     # Implement your rate limiting logic
+#     false
+#   end
+# end
 
-    # Replace with your User model lookup
-    User.find_by(id: user_id)
-  end
-end
+# Example: Admin-only identifier
+# class AdminIdentifier < ActionMCP::GatewayIdentifier
+#   identifier :admin
+#   authenticates :admin_token
+#
+#   def resolve
+#     token = extract_bearer_token
+#     raise Unauthorized, "Missing admin token" unless token
+#
+#     admin = Admin.find_by(access_token: token)
+#     raise Unauthorized, "Invalid admin token" unless admin
+#
+#     raise Unauthorized, "Admin access revoked" unless admin.active?
+#
+#     admin
+#   end
+# end

data/lib/generators/action_mcp/install/templates/mcp.yml

@@ -16,14 +16,6 @@ shared:
   # Server-specific session store type (falls back to session_store_type if not specified)
   # server_session_store_type: active_record
 
-  # OAuth configuration (if using OAuth authentication)
-  # oauth:
-  #   provider: "demo_oauth_provider"
-  #   scopes_supported: ["mcp:tools", "mcp:resources", "mcp:prompts"]
-  #   enable_dynamic_registration: true
-  #   enable_token_revocation: true
-  #   pkce_required: true
-  #   issuer_url: https://yourapp.com
 
   # MCP capability profiles
   profiles:
@@ -67,8 +59,8 @@ development:
 
 # Test environment
 test:
-  # JWT authentication for testing environment
-  authentication: ["jwt"]
+  # No authentication for testing environment
+  authentication: ["none"]
 
   # Test adapter for testing
   adapter: test
@@ -78,17 +70,8 @@ test:
 
 # Production environment
 production:
-  # Multiple authentication methods - try OAuth first, fallback to JWT
-  authentication: ["oauth", "jwt"]
-
-  # OAuth configuration for production
-  oauth:
-    provider: "application_oauth_provider"  # Your custom provider class
-    scopes_supported: ["mcp:tools", "mcp:resources", "mcp:prompts"]
-    enable_dynamic_registration: true
-    enable_token_revocation: true
-    pkce_required: true
-    issuer_url: https://yourapp.com
+  # Configure authentication methods for production (customize as needed)
+  authentication: ["none"]
 
   # Additional production profiles for external clients
   profiles: