leash-sdk 0.2.1 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 326ce87e27b0aec22d2cf9175c3ed7b170b493a7e7eb86b55fc115806b5c84a1
-  data.tar.gz: a4cced54f08f447c0dc703524c6ce84fcd07173f685f6a8ee0e76dc3dda1065a
+  metadata.gz: 3ccdeebdeeb2eea92794836b7ae51f02cc1c048a3912483c8c410e662184c5f4
+  data.tar.gz: 9626c0261ec8d76cd14323b290c558be5df6707b0c7cdb6a7cc780feaeeee079
 SHA512:
-  metadata.gz: fba497998357aaaa579aec3d3c3539f73c1a2871b8dfc9922dc9ce7e7d238f3587bd12c4a6ccf50e0cf9a149e1926915218aa270f775091d39cb6c2d9025d059
-  data.tar.gz: db78fcf8d0e38fc9f575dc03d0612d2e3ce228dbc0869e23d609e18604f1b634929e3215ac66c480f0730c50e2c8c666203b67eb31dd960d461eadb7ccc66a03
+  metadata.gz: 03d22fe090135500591a41e86aadb0fe90409a0b572f43d9671362ce989737e9f238a987d4665e6a32a0d1197c1e9fb21b97039e836cfc2d1d28cea9cf4938a3
+  data.tar.gz: 5a0c39178994eff5875f52793d772b52cc0f0304d0c17bd63e6f7fce742909b8ff373ec2545a121f30c4762d0712bb5bcbb09e23e7147c43f43e77294af00485

data/Gemfile

@@ -3,3 +3,5 @@
 source "https://rubygems.org"
 
 gemspec
+
+gem "minitest", ">= 5.0"

data/README.md

@@ -49,6 +49,25 @@ end
 - custom integration calls
 - app env fetch and caching
 
+## Server Auth
+
+The SDK includes helpers for authenticating users on the server side by reading
+the `leash-auth` cookie set by the Leash platform.
+
+```ruby
+# Rails / Sinatra
+user = Leash::Auth.get_user(request)
+# => #<Leash::User id="usr_123" email="alice@example.com" name="Alice">
+```
+
+## MCP Calls
+
+Execute MCP-backed tools through the platform:
+
+```ruby
+result = client.run_mcp(package: "@some/mcp-package", tool: "tool-name", args: { key: "value" })
+```
+
 ## Notes
 
 - `auth_token` should be a valid Leash platform JWT

data/leash-sdk.gemspec

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative "lib/leash"
+require_relative "lib/leash/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "leash-sdk"
@@ -21,5 +21,5 @@ Gem::Specification.new do |spec|
   spec.files = Dir["lib/**/*.rb"] + ["leash-sdk.gemspec", "Gemfile", "README.md", "LICENSE"]
   spec.require_paths = ["lib"]
 
-  # No runtime dependencies -- stdlib only (net/http, json, uri).
+  spec.add_dependency "jwt", ">= 2.7"
 end

data/lib/leash/auth.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+require "jwt"
+require_relative "errors"
+
+module Leash
+  # Raised when authentication fails (missing cookie, invalid/expired token, etc.)
+  class AuthError < Error
+    def initialize(message = "Authentication failed")
+      super(message, code: "auth_error")
+    end
+  end
+
+  # Simple value object representing an authenticated Leash user.
+  class User
+    attr_reader :id, :email, :name, :picture
+
+    # @param id [String]
+    # @param email [String]
+    # @param name [String, nil]
+    # @param picture [String, nil]
+    def initialize(id:, email:, name: nil, picture: nil)
+      @id = id
+      @email = email
+      @name = name
+      @picture = picture
+    end
+
+    def ==(other)
+      other.is_a?(User) &&
+        id == other.id &&
+        email == other.email &&
+        name == other.name &&
+        picture == other.picture
+    end
+  end
+
+  # Framework-agnostic server auth helper.
+  #
+  # Works with any request object that exposes either:
+  #   - request.cookies (Hash) — Rack / Rails / Sinatra
+  #   - request.env['HTTP_COOKIE'] or request.get_header('HTTP_COOKIE') — raw Rack env
+  #
+  # Does NOT require rails, sinatra, or rack.
+  module Auth
+    COOKIE_NAME = "leash-auth"
+
+    module_function
+
+    # Read the leash-auth JWT from the request, decode it, and return a {Leash::User}.
+    #
+    # @param request [#cookies, #env, #get_header] any Rack-like request object
+    # @return [Leash::User]
+    # @raise [Leash::AuthError] when the cookie is missing or the token is invalid/expired
+    def get_user(request)
+      token = extract_token(request)
+      raise AuthError, "Missing leash-auth cookie" if token.nil? || token.empty?
+
+      payload = decode_token(token)
+      build_user(payload)
+    end
+
+    # Check whether the request carries a valid leash-auth cookie.
+    #
+    # @param request [#cookies, #env, #get_header]
+    # @return [Boolean]
+    def authenticated?(request)
+      get_user(request)
+      true
+    rescue AuthError
+      false
+    end
+
+    # @api private
+    def extract_token(request)
+      # Strategy 1: request.cookies hash (Rack / Rails / Sinatra)
+      if request.respond_to?(:cookies)
+        cookies = request.cookies
+        if cookies.is_a?(Hash)
+          value = cookies[COOKIE_NAME] || cookies[COOKIE_NAME.to_sym]
+          return value if value
+        end
+      end
+
+      # Strategy 2: raw Cookie header from env or get_header
+      raw = nil
+      if request.respond_to?(:env) && request.env.is_a?(Hash)
+        raw = request.env["HTTP_COOKIE"]
+      end
+      if raw.nil? && request.respond_to?(:get_header)
+        begin
+          raw = request.get_header("HTTP_COOKIE")
+        rescue StandardError
+          nil
+        end
+      end
+
+      parse_cookie_header(raw) if raw
+    end
+
+    # @api private
+    def parse_cookie_header(header)
+      return nil if header.nil?
+
+      header.split(";").each do |pair|
+        key, value = pair.strip.split("=", 2)
+        return value if key == COOKIE_NAME
+      end
+      nil
+    end
+
+    # @api private
+    def decode_token(token)
+      secret = ENV["LEASH_JWT_SECRET"]
+      if secret && !secret.empty?
+        decoded = JWT.decode(token, secret, true, algorithms: ["HS256"])
+      else
+        decoded = JWT.decode(token, nil, false)
+      end
+      decoded.first
+    rescue JWT::ExpiredSignature
+      raise AuthError, "Token has expired"
+    rescue JWT::DecodeError => e
+      raise AuthError, "Invalid token: #{e.message}"
+    end
+
+    # @api private
+    def build_user(payload)
+      id = payload["id"] || payload["sub"]
+      email = payload["email"]
+      raise AuthError, "Token payload missing required fields (id/sub, email)" unless id && email
+
+      User.new(
+        id: id,
+        email: email,
+        name: payload["name"],
+        picture: payload["picture"]
+      )
+    end
+  end
+end

data/lib/leash/integrations.rb

@@ -139,6 +139,67 @@ module Leash
       url
     end
 
+    # Get the user's current access token for a provider -- built-in or
+    # org-registered (LEA-142). Lets you call third-party APIs directly
+    # without proxying every request through Leash. Refresh-on-expiry
+    # happens transparently on the platform side.
+    #
+    # @param provider [String] the provider slug (e.g. "slack", "gmail")
+    # @return [String] the access token
+    # @raise [Leash::NotConnectedError] if the user hasn't completed the OAuth flow
+    # @raise [Leash::TokenExpiredError] if the token is expired and cannot be refreshed
+    # @raise [Leash::Error] if the platform returns a non-success response
+    def get_access_token(provider)
+      uri = URI("#{@platform_url}/api/integrations/token")
+
+      request = Net::HTTP::Post.new(uri)
+      request["Content-Type"] = "application/json"
+      request["Authorization"] = "Bearer #{@auth_token}" if @auth_token
+      request["X-API-Key"] = @api_key if @api_key
+      request.body = { provider: provider }.to_json
+
+      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
+        http.request(request)
+      end
+
+      data = JSON.parse(response.body)
+
+      unless data["success"]
+        raise_error(data)
+      end
+
+      data["data"]["accessToken"]
+    end
+
+    # Get the resolved config for a customer-registered MCP server (LEA-143).
+    # Returns the customer's MCP URL plus auth headers (e.g. +Authorization:
+    # Bearer ...+ for bearer-auth servers) -- feed this directly into your
+    # MCP client. Leash isn't on the MCP request path.
+    #
+    # @param slug [String] the MCP server slug
+    # @return [Hash] hash with "slug", "displayName", "url", and "headers"
+    # @raise [Leash::Error] if the platform returns a non-success response
+    #   (e.g. code +unknown_mcp_server+)
+    def get_custom_mcp_config(slug)
+      uri = URI("#{@platform_url}/api/integrations/mcp-config/#{URI.encode_www_form_component(slug)}")
+
+      request = Net::HTTP::Get.new(uri)
+      request["Authorization"] = "Bearer #{@auth_token}" if @auth_token
+      request["X-API-Key"] = @api_key if @api_key
+
+      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
+        http.request(request)
+      end
+
+      data = JSON.parse(response.body)
+
+      unless data["success"]
+        raise_error(data)
+      end
+
+      data["data"]
+    end
+
     # Call any MCP server tool directly.
     #
     # @param package_name [String] the npm package name of the MCP server

data/lib/leash/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Leash
+  VERSION = "0.3.1"
+end

data/lib/leash.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
+require_relative "leash/version"
 require_relative "leash/integrations"
-
-module Leash
-  VERSION = "0.2.1"
-end
+require_relative "leash/auth"

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: leash-sdk
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.1
 platform: ruby
 authors:
 - Leash
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-04-19 00:00:00.000000000 Z
-dependencies: []
+date: 2026-05-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.7'
 description: Access Gmail, Google Calendar, Google Drive, and more through the Leash
   platform proxy. No API keys needed -- uses your Leash auth token.
 email:
@@ -23,12 +37,14 @@ files:
 - README.md
 - leash-sdk.gemspec
 - lib/leash.rb
+- lib/leash/auth.rb
 - lib/leash/calendar.rb
 - lib/leash/custom_integration.rb
 - lib/leash/drive.rb
 - lib/leash/errors.rb
 - lib/leash/gmail.rb
 - lib/leash/integrations.rb
+- lib/leash/version.rb
 homepage: https://github.com/leash-build/leash-sdk-ruby
 licenses:
 - Apache-2.0