actionmcp 0.72.0 → 0.80.1

data/lib/action_mcp/oauth/active_record_storage.rb

@@ -1,183 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # ActiveRecord storage for OAuth tokens and codes
-    # This is suitable for production multi-server environments
-    class ActiveRecordStorage
-      # Authorization code storage
-      def store_authorization_code(code, data)
-        OAuthToken.create!(
-          token: code,
-          token_type: OAuthToken::AUTHORIZATION_CODE,
-          client_id: data[:client_id],
-          user_id: data[:user_id],
-          redirect_uri: data[:redirect_uri],
-          scope: data[:scope],
-          code_challenge: data[:code_challenge],
-          code_challenge_method: data[:code_challenge_method],
-          expires_at: data[:expires_at],
-          metadata: data.except(:client_id, :user_id, :redirect_uri, :scope,
-                                :code_challenge, :code_challenge_method, :expires_at)
-        )
-      end
-
-      def retrieve_authorization_code(code)
-        token = OAuthToken.authorization_codes.active.find_by(token: code)
-        return nil unless token
-
-        {
-          client_id: token.client_id,
-          user_id: token.user_id,
-          redirect_uri: token.redirect_uri,
-          scope: token.scope,
-          code_challenge: token.code_challenge,
-          code_challenge_method: token.code_challenge_method,
-          expires_at: token.expires_at,
-          created_at: token.created_at
-        }.merge(token.metadata || {})
-      end
-
-      def remove_authorization_code(code)
-        OAuthToken.authorization_codes.where(token: code).destroy_all
-      end
-
-      # Access token storage
-      def store_access_token(token, data)
-        OAuthToken.create!(
-          token: token,
-          token_type: OAuthToken::ACCESS_TOKEN,
-          client_id: data[:client_id],
-          user_id: data[:user_id],
-          scope: data[:scope],
-          expires_at: data[:expires_at],
-          metadata: data.except(:client_id, :user_id, :scope, :expires_at)
-        )
-      end
-
-      def retrieve_access_token(token)
-        token_record = OAuthToken.access_tokens.find_by(token: token)
-        return nil unless token_record
-
-        {
-          client_id: token_record.client_id,
-          user_id: token_record.user_id,
-          scope: token_record.scope,
-          expires_at: token_record.expires_at,
-          created_at: token_record.created_at,
-          active: token_record.still_valid?
-        }.merge(token_record.metadata || {})
-      end
-
-      def remove_access_token(token)
-        OAuthToken.access_tokens.where(token: token).destroy_all
-      end
-
-      # Refresh token storage
-      def store_refresh_token(token, data)
-        OAuthToken.create!(
-          token: token,
-          token_type: OAuthToken::REFRESH_TOKEN,
-          client_id: data[:client_id],
-          user_id: data[:user_id],
-          scope: data[:scope],
-          access_token: data[:access_token],
-          expires_at: data[:expires_at],
-          metadata: data.except(:client_id, :user_id, :scope, :access_token, :expires_at)
-        )
-      end
-
-      def retrieve_refresh_token(token)
-        token_record = OAuthToken.refresh_tokens.active.find_by(token: token)
-        return nil unless token_record
-
-        {
-          client_id: token_record.client_id,
-          user_id: token_record.user_id,
-          scope: token_record.scope,
-          access_token: token_record.access_token,
-          expires_at: token_record.expires_at,
-          created_at: token_record.created_at
-        }.merge(token_record.metadata || {})
-      end
-
-      def update_refresh_token(token, new_access_token)
-        token_record = OAuthToken.refresh_tokens.find_by(token: token)
-        token_record&.update!(access_token: new_access_token)
-      end
-
-      def remove_refresh_token(token)
-        OAuthToken.refresh_tokens.where(token: token).destroy_all
-      end
-
-      # Client registration storage
-      def store_client_registration(client_id, data)
-        client = OAuthClient.new
-
-        # Map data fields to model attributes
-        client.client_id = client_id
-        client.client_secret = data[:client_secret]
-        client.client_id_issued_at = data[:client_id_issued_at]
-        client.registration_access_token = data[:registration_access_token]
-
-        # Handle client metadata
-        metadata = data[:client_metadata] || {}
-        %w[
-          client_name redirect_uris grant_types response_types
-          token_endpoint_auth_method scope
-        ].each do |field|
-          client.send("#{field}=", metadata[field]) if metadata.key?(field)
-        end
-
-        # Store any additional metadata
-        known_fields = %w[
-          client_name redirect_uris grant_types response_types
-          token_endpoint_auth_method scope
-        ]
-        additional_metadata = metadata.except(*known_fields)
-        client.metadata = additional_metadata if additional_metadata.present?
-
-        client.save!
-        data
-      end
-
-      def retrieve_client_registration(client_id)
-        client = OAuthClient.active.find_by(client_id: client_id)
-        return nil unless client
-
-        {
-          client_id: client.client_id,
-          client_secret: client.client_secret,
-          client_id_issued_at: client.client_id_issued_at,
-          registration_access_token: client.registration_access_token,
-          client_metadata: client.to_api_response
-        }
-      end
-
-      def remove_client_registration(client_id)
-        OAuthClient.where(client_id: client_id).destroy_all
-      end
-
-      # Cleanup expired tokens
-      def cleanup_expired
-        OAuthToken.cleanup_expired
-      end
-
-      # Statistics (for debugging/monitoring)
-      def stats
-        {
-          authorization_codes: OAuthToken.authorization_codes.active.count,
-          access_tokens: OAuthToken.access_tokens.active.count,
-          refresh_tokens: OAuthToken.refresh_tokens.active.count,
-          client_registrations: OAuthClient.active.count
-        }
-      end
-
-      # Clear all data (for testing)
-      def clear_all
-        OAuthToken.delete_all
-        OAuthClient.delete_all
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth/error.rb

@@ -1,79 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # Base OAuth error class
-    class Error < StandardError
-      attr_reader :oauth_error_code
-
-      def initialize(message, oauth_error_code = "invalid_request")
-        super(message)
-        @oauth_error_code = oauth_error_code
-      end
-    end
-
-    # OAuth 2.1 standard error types
-    class InvalidRequestError < Error
-      def initialize(message = "Invalid request")
-        super(message, "invalid_request")
-      end
-    end
-
-    class InvalidClientError < Error
-      def initialize(message = "Invalid client")
-        super(message, "invalid_client")
-      end
-    end
-
-    class InvalidGrantError < Error
-      def initialize(message = "Invalid grant")
-        super(message, "invalid_grant")
-      end
-    end
-
-    class UnauthorizedClientError < Error
-      def initialize(message = "Unauthorized client")
-        super(message, "unauthorized_client")
-      end
-    end
-
-    class UnsupportedGrantTypeError < Error
-      def initialize(message = "Unsupported grant type")
-        super(message, "unsupported_grant_type")
-      end
-    end
-
-    class InvalidScopeError < Error
-      def initialize(message = "Invalid scope")
-        super(message, "invalid_scope")
-      end
-    end
-
-    class InvalidTokenError < Error
-      def initialize(message = "Invalid token")
-        super(message, "invalid_token")
-      end
-    end
-
-    class InsufficientScopeError < Error
-      attr_reader :required_scope
-
-      def initialize(message = "Insufficient scope", required_scope = nil)
-        super(message, "insufficient_scope")
-        @required_scope = required_scope
-      end
-    end
-
-    class ServerError < Error
-      def initialize(message = "Server error")
-        super(message, "server_error")
-      end
-    end
-
-    class TemporarilyUnavailableError < Error
-      def initialize(message = "Temporarily unavailable")
-        super(message, "temporarily_unavailable")
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth/memory_storage.rb

@@ -1,132 +0,0 @@
-# frozen_string_literal: true
-
-module ActionMCP
-  module OAuth
-    # In-memory storage for OAuth tokens and codes
-    # This is suitable for development and testing, but not for production
-    class MemoryStorage
-      def initialize
-        @authorization_codes = {}
-        @access_tokens = {}
-        @refresh_tokens = {}
-        @client_registrations = {}
-        @mutex = Mutex.new
-      end
-
-      # Authorization code storage
-      def store_authorization_code(code, data)
-        @mutex.synchronize do
-          @authorization_codes[code] = data
-        end
-      end
-
-      def retrieve_authorization_code(code)
-        @mutex.synchronize do
-          @authorization_codes[code]
-        end
-      end
-
-      def remove_authorization_code(code)
-        @mutex.synchronize do
-          @authorization_codes.delete(code)
-        end
-      end
-
-      # Access token storage
-      def store_access_token(token, data)
-        @mutex.synchronize do
-          @access_tokens[token] = data
-        end
-      end
-
-      def retrieve_access_token(token)
-        @mutex.synchronize do
-          @access_tokens[token]
-        end
-      end
-
-      def remove_access_token(token)
-        @mutex.synchronize do
-          @access_tokens.delete(token)
-        end
-      end
-
-      # Refresh token storage
-      def store_refresh_token(token, data)
-        @mutex.synchronize do
-          @refresh_tokens[token] = data
-        end
-      end
-
-      def retrieve_refresh_token(token)
-        @mutex.synchronize do
-          @refresh_tokens[token]
-        end
-      end
-
-      def update_refresh_token(token, new_access_token)
-        @mutex.synchronize do
-          @refresh_tokens[token][:access_token] = new_access_token if @refresh_tokens[token]
-        end
-      end
-
-      def remove_refresh_token(token)
-        @mutex.synchronize do
-          @refresh_tokens.delete(token)
-        end
-      end
-
-      # Client registration storage
-      def store_client_registration(client_id, data)
-        @mutex.synchronize do
-          @client_registrations[client_id] = data
-        end
-      end
-
-      def retrieve_client_registration(client_id)
-        @mutex.synchronize do
-          @client_registrations[client_id]
-        end
-      end
-
-      def remove_client_registration(client_id)
-        @mutex.synchronize do
-          @client_registrations.delete(client_id)
-        end
-      end
-
-      # Cleanup expired tokens (optional utility method)
-      def cleanup_expired
-        current_time = Time.current
-
-        @mutex.synchronize do
-          @authorization_codes.reject! { |_, data| data[:expires_at] < current_time }
-          @access_tokens.reject! { |_, data| data[:expires_at] < current_time }
-          @refresh_tokens.reject! { |_, data| data[:expires_at] < current_time }
-        end
-      end
-
-      # Statistics (for debugging/monitoring)
-      def stats
-        @mutex.synchronize do
-          {
-            authorization_codes: @authorization_codes.size,
-            access_tokens: @access_tokens.size,
-            refresh_tokens: @refresh_tokens.size,
-            client_registrations: @client_registrations.size
-          }
-        end
-      end
-
-      # Clear all data (for testing)
-      def clear_all
-        @mutex.synchronize do
-          @authorization_codes.clear
-          @access_tokens.clear
-          @refresh_tokens.clear
-          @client_registrations.clear
-        end
-      end
-    end
-  end
-end

data/lib/action_mcp/oauth/middleware.rb

@@ -1,128 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "error"
-
-module ActionMCP
-  module OAuth
-    # OAuth middleware that integrates with Omniauth for request authentication
-    # Handles Bearer token validation for API requests
-    class Middleware
-      def initialize(app)
-        @app = app
-      end
-
-      def call(env)
-        request = ActionDispatch::Request.new(env)
-
-        # Skip OAuth processing for non-MCP requests or if OAuth not configured
-        return @app.call(env) unless should_process_oauth?(request)
-
-        # Skip OAuth processing for metadata endpoints
-        return @app.call(env) if request.path.start_with?("/.well-known/") || request.path.start_with?("/oauth/")
-
-        # Skip OAuth processing for initialization-related requests
-        return @app.call(env) if initialization_related_request?(request)
-
-        # Validate Bearer token for API requests
-        if (bearer_token = extract_bearer_token(request))
-          validate_oauth_token(request, bearer_token)
-        end
-
-        @app.call(env)
-      rescue ActionMCP::OAuth::Error => e
-        oauth_error_response(e)
-      end
-
-      private
-
-      def should_process_oauth?(_request)
-        # Check if OAuth is enabled in configuration
-        auth_methods = ActionMCP.configuration.authentication_methods
-        return false unless auth_methods&.include?("oauth")
-
-        # Process all MCP requests (ActionMCP serves at root "/") and OAuth-related paths
-        true
-      end
-
-      def initialization_related_request?(request)
-        # Only check JSON-RPC POST requests to MCP endpoints
-        # The path might include the mount path (e.g., /action_mcp/ or just /)
-        return false unless request.post? && request.content_type&.include?("application/json")
-
-        # Check if this is an MCP endpoint (ends with / or is the root)
-        path = request.path
-        return false unless path == "/" || path.match?(%r{/action_mcp/?$})
-
-        # Read and parse the request body
-        body = request.body.read
-        request.body.rewind # Reset for subsequent reads
-
-        json = JSON.parse(body)
-        method = json["method"]
-
-        # Check if it's an initialization-related method
-        %w[initialize notifications/initialized].include?(method)
-      rescue JSON::ParserError, StandardError
-        false
-      end
-
-      def extract_bearer_token(request)
-        auth_header = request.headers["Authorization"] || request.headers["authorization"]
-        return nil unless auth_header&.start_with?("Bearer ")
-
-        auth_header.split(" ", 2).last
-      end
-
-      def validate_oauth_token(request, token)
-        # Use the OAuth provider for token introspection
-        token_info = ActionMCP::OAuth::Provider.introspect_token(token)
-
-        unless token_info && token_info[:active]
-          raise ActionMCP::OAuth::InvalidTokenError, "Invalid or expired OAuth token"
-        end
-
-        # Store OAuth token info in request environment for Gateway
-        request.env["action_mcp.oauth_token_info"] = token_info
-        request.env["action_mcp.oauth_token"] = token
-      end
-
-      def oauth_error_response(error)
-        status = case error
-        when ActionMCP::OAuth::InvalidTokenError
-                   401
-        when ActionMCP::OAuth::InsufficientScopeError
-                   403
-        else
-                   400
-        end
-
-        headers = {
-          "Content-Type" => "application/json",
-          "WWW-Authenticate" => www_authenticate_header(error)
-        }
-
-        body = {
-          error: error.oauth_error_code,
-          error_description: error.message
-        }.to_json
-
-        [ status, headers, [ body ] ]
-      end
-
-      def www_authenticate_header(error)
-        params = []
-        params << 'realm="MCP API"'
-
-        case error
-        when ActionMCP::OAuth::InvalidTokenError
-          params << 'error="invalid_token"'
-        when ActionMCP::OAuth::InsufficientScopeError
-          params << 'error="insufficient_scope"'
-          params << "scope=\"#{error.required_scope}\"" if error.required_scope
-        end
-
-        "Bearer #{params.join(', ')}"
-      end
-    end
-  end
-end