mcp-auth 0.1.0

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/setup'
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/app/controllers/mcp/auth/oauth_controller.rb

@@ -0,0 +1,494 @@
+# frozen_string_literal: true
+
+module Mcp
+  module Auth
+    class OauthController < ApplicationController
+      skip_before_action :verify_authenticity_token, only: %i[token register revoke introspect userinfo]
+      before_action :set_cors_headers
+      before_action :handle_options_request
+      before_action :require_https, only: %i[authorize token]
+
+      # OAuth 2.1 Authorization endpoint (GET/POST)
+      def authorize
+        Rails.logger.info "[OAuth] Authorization request: #{params.inspect}"
+
+        unless valid_authorization_params?
+          return render_error('invalid_request', 'Missing or invalid required parameters')
+        end
+
+        if user_signed_in?
+          handle_signed_in_user
+        else
+          redirect_to_login
+        end
+      end
+
+      # Consent approval endpoint
+      def approve
+        unless user_signed_in?
+          return redirect_to main_app.new_user_session_path
+        end
+
+        unless valid_authorization_params?
+          return render_error('invalid_request', 'Missing required parameters')
+        end
+
+        if params[:approved] == 'true'
+          # Get selected scopes from checkboxes
+          selected_scopes = Array(params[:scopes]).compact.reject(&:blank?)
+
+          Rails.logger.info "[OAuth] User selected scopes: #{selected_scopes.inspect}"
+
+          # Validate selected scopes
+          if selected_scopes.blank?
+            Rails.logger.warn "[OAuth] No scopes selected"
+            return render_error('invalid_request', 'At least one scope must be selected')
+          end
+
+          # Get originally requested scopes
+          requested_scopes = params[:scope]&.split || []
+
+          # Get required scopes from the requested list
+          required_scopes = get_required_scopes(requested_scopes)
+
+          # Check all required scopes are selected
+          missing_required = required_scopes - selected_scopes
+          if missing_required.any?
+            Rails.logger.warn "[OAuth] Missing required scopes: #{missing_required.join(', ')}"
+            return render_error('invalid_request', 'Required scopes must be selected')
+          end
+          approved_scopes = Mcp::Auth::ScopeRegistry.validate_scopes(selected_scopes)
+          # Generate authorization code with ONLY approved scopes
+          approved_scope_string = approved_scopes.join(' ')
+          generate_and_redirect_with_code(approved_scope_string)
+        else
+          redirect_with_error('access_denied', 'User denied the request')
+        end
+      end
+
+      # OAuth 2.1 Token endpoint
+      def token
+        case params[:grant_type]
+        when 'authorization_code'
+          handle_authorization_code_grant
+        when 'refresh_token'
+          handle_refresh_token_grant
+        else
+          render_error('unsupported_grant_type', 'Grant type not supported')
+        end
+      end
+
+      # RFC 7591: Dynamic Client Registration
+      def register
+        Rails.logger.info "[OAuth] Client registration request"
+
+        begin
+          client_data = build_client_registration
+          oauth_client = Mcp::Auth::OauthClient.create!(client_data)
+
+          Rails.logger.info "[OAuth] Client registered: #{oauth_client.client_id}"
+          render json: format_client_response(oauth_client), content_type: 'application/json'
+        rescue ActiveRecord::RecordInvalid => e
+          render_error('invalid_client_metadata', e.message)
+        rescue ArgumentError => e
+          render_error('invalid_request', e.message)
+        rescue StandardError => e
+          Rails.logger.error "[OAuth] Registration error: #{e.message}"
+          render_error('server_error', 'An unexpected error occurred')
+        end
+      end
+
+      # RFC 7009: Token Revocation
+      def revoke
+        token = params[:token]
+
+        if token.blank?
+          return render_error('invalid_request', 'Token parameter is required')
+        end
+
+        # Try refresh token first
+        revoked = Services::TokenService.revoke_refresh_token(token)
+
+        # Try access token if not found
+        unless revoked
+          access_token = Mcp::Auth::AccessToken.find_by(token: token)
+          if access_token
+            access_token.destroy
+            revoked = true
+          end
+        end
+
+        # RFC 7009: Always return 200 OK
+        Rails.logger.info "[OAuth] Token revocation: #{revoked ? 'success' : 'not found'}"
+        head :ok
+      end
+
+      # RFC 7662: Token Introspection
+      def introspect
+        token = params[:token]
+
+        if token.blank?
+          return render json: { active: false }, content_type: 'application/json'
+        end
+
+        # Try as JWT access token
+        payload = Services::TokenService.validate_access_token(token)
+
+        response = if payload
+                     build_access_token_introspection(payload)
+                   else
+                     # Try as refresh token
+                     refresh_data = Services::TokenService.validate_refresh_token(token)
+                     refresh_data ? build_refresh_token_introspection(refresh_data) : { active: false }
+                   end
+
+        render json: response, content_type: 'application/json'
+      end
+
+      # OpenID Connect UserInfo Endpoint
+      def userinfo
+        auth_header = request.headers['Authorization']
+
+        unless auth_header&.start_with?('Bearer ')
+          return render json: { error: 'invalid_token' }, status: :unauthorized
+        end
+
+        token = auth_header.split(' ', 2).last
+        payload = Services::TokenService.validate_access_token(token)
+
+        unless payload
+          return render json: { error: 'invalid_token' }, status: :unauthorized
+        end
+
+        user_info = {
+          sub: payload[:sub],
+          email: payload[:email],
+          email_verified: true,
+          name: payload[:email],
+          preferred_username: payload[:email]
+        }
+        user_info[:org] = payload[:org] if payload[:org]
+
+        render json: user_info, content_type: 'application/json'
+      end
+
+      private
+
+      # === Validation ===
+
+      def valid_authorization_params?
+        params[:response_type] == 'code' &&
+          params[:client_id].present? &&
+          params[:redirect_uri].present? &&
+          params[:code_challenge].present? &&
+          params[:code_challenge_method] == 'S256'
+      end
+
+      # === Authorization Flow ===
+
+      def handle_signed_in_user
+        if params[:approved] == 'true'
+          generate_and_redirect_with_code
+        else
+          show_consent_screen
+        end
+      end
+
+      def redirect_to_login
+        session[:oauth_params] = request.query_parameters
+        redirect_to main_app.new_user_session_path
+      end
+
+      def generate_and_redirect_with_code(approved_scope = nil)
+        # Use approved scopes if provided, otherwise use requested scopes,
+        # otherwise use all registered scopes
+        final_scope = approved_scope.presence ||
+                      params[:scope].presence ||
+                      Mcp::Auth::ScopeRegistry.default_scope_string
+
+        Rails.logger.info "[OAuth] Generating auth code with scope: #{final_scope}"
+
+        # Create a new params hash with the final scope
+        auth_params = params.to_unsafe_h.merge(scope: final_scope)
+
+        # Pass the params with approved scope to authorization service
+        code = Services::AuthorizationService.generate_authorization_code(
+          auth_params,
+          user: current_user,
+          org: current_org
+        )
+
+        unless code
+          return render_error('server_error', 'Failed to generate authorization code')
+        end
+
+        redirect_with_code(code)
+      end
+
+      def redirect_with_code(code)
+        redirect_uri = URI.parse(params[:redirect_uri])
+        query_params = { code: code }
+        query_params[:state] = params[:state] if params[:state]
+        query_params[:iss] = authorization_server_url # OAuth 2.1
+
+        redirect_uri.query = URI.encode_www_form(query_params)
+        redirect_to redirect_uri.to_s, allow_other_host: true
+      end
+
+      def redirect_with_error(error, description)
+        redirect_uri = URI.parse(params[:redirect_uri])
+        query_params = { error: error, error_description: description }
+        query_params[:state] = params[:state] if params[:state]
+
+        redirect_uri.query = URI.encode_www_form(query_params)
+        redirect_to redirect_uri.to_s, allow_other_host: true
+      end
+
+      # === Token Grants ===
+
+      def handle_authorization_code_grant
+        code_data = Services::AuthorizationService.validate_authorization_code(params[:code])
+
+        unless code_data
+          return render_error('invalid_grant', 'Authorization code is invalid or expired')
+        end
+
+        # Validate PKCE
+        unless Services::AuthorizationService.validate_pkce?(code_data[:code_challenge], params[:code_verifier])
+          return render_error('invalid_grant', 'PKCE validation failed')
+        end
+
+        # Validate redirect URI
+        unless code_data[:redirect_uri] == params[:redirect_uri]
+          return render_error('invalid_grant', 'Redirect URI mismatch')
+        end
+
+        # Use the APPROVED scope from the authorization code, not the original request
+        Rails.logger.info "[OAuth] Token generation using scope from auth code: #{code_data[:scope]}"
+
+        # Generate tokens with the APPROVED scope from authorization code
+        token_data = code_data.merge(resource: code_data[:resource] || params[:resource])
+        token_response = Services::TokenService.generate_token_response(
+          token_data,  # This includes the approved :scope from authorization code
+          base_url: request.base_url
+        )
+
+        # Consume authorization code (one-time use)
+        Services::AuthorizationService.consume_authorization_code(params[:code])
+
+        render json: token_response, content_type: 'application/json'
+      end
+
+      def handle_refresh_token_grant
+        token_data = Services::TokenService.validate_refresh_token(params[:refresh_token])
+
+        unless token_data
+          return render_error('invalid_grant', 'Refresh token is invalid or expired')
+        end
+
+        # Include resource parameter if provided
+        token_data[:resource] = params[:resource] if params[:resource]
+
+        # Generate new tokens
+        token_response = Services::TokenService.generate_token_response(
+          token_data,
+          base_url: request.base_url
+        )
+
+        # Rotate refresh token (OAuth 2.1 requirement)
+        Services::TokenService.revoke_refresh_token(params[:refresh_token])
+
+        render json: token_response, content_type: 'application/json'
+      end
+
+      # === Client Registration ===
+
+      def build_client_registration
+        {
+          redirect_uris: extract_redirect_uris,
+          grant_types: params[:grant_types] || %w[authorization_code refresh_token],
+          response_types: params[:response_types] || %w[code],
+          scope: params[:scope] || Mcp::Auth::ScopeRegistry.default_scope_string,
+          client_name: params[:client_name] || 'MCP Client',
+          client_uri: params[:client_uri]
+        }
+      end
+
+      def extract_redirect_uris
+        uris = params[:redirect_uris] || []
+        Array(uris).uniq
+      end
+
+      def format_client_response(client)
+        {
+          client_id: client.client_id,
+          client_secret: client.client_secret,
+          client_id_issued_at: client.created_at.to_i,
+          client_secret_expires_at: 0,
+          redirect_uris: client.redirect_uris,
+          grant_types: client.grant_types,
+          response_types: client.response_types,
+          scope: client.scope,
+          token_endpoint_auth_method: 'client_secret_basic',
+          client_name: client.client_name,
+          client_uri: client.client_uri
+        }.compact
+      end
+
+      # === Token Introspection ===
+
+      def build_access_token_introspection(payload)
+        {
+          active: true,
+          client_id: payload[:client_id] || 'unknown',
+          username: payload[:email],
+          scope: payload[:scope],
+          exp: payload[:exp],
+          iat: payload[:iat],
+          sub: payload[:sub],
+          aud: payload[:aud],
+          iss: payload[:iss],
+          token_type: 'Bearer'
+        }
+      end
+
+      def build_refresh_token_introspection(data)
+        {
+          active: true,
+          client_id: data[:client_id],
+          scope: data[:scope],
+          token_type: 'refresh_token'
+        }
+      end
+
+      # === Consent Screen - ONLY ONE DEFINITION ===
+
+      def show_consent_screen
+        @client_name = get_client_name
+        @requested_scopes = parse_and_validate_scopes
+        @authorization_params = params.to_unsafe_h.slice(
+          :response_type, :client_id, :redirect_uri, :scope,
+          :state, :code_challenge, :code_challenge_method, :resource
+        )
+
+        if use_custom_consent_view?
+          render Rails.application.config.mcp_auth.consent_view_path, layout: 'application'
+        else
+          render 'mcp/auth/consent', layout: false
+        end
+      end
+
+      def use_custom_consent_view?
+        config = Rails.application.config.mcp_auth
+        config.use_custom_consent_view &&
+          template_exists?(config.consent_view_path)
+      rescue
+        false
+      end
+
+      def template_exists?(path)
+        lookup_context.exists?(path, [], false)
+      rescue
+        false
+      end
+
+      def get_client_name
+        client = Mcp::Auth::OauthClient.find_by_client_id(params[:client_id])
+        client&.client_name || params[:client_name] || params[:client_id] || 'Unknown Application'
+      end
+
+      def parse_and_validate_scopes
+        # Get requested scopes, or default to all registered scopes
+        scope_string = params[:scope].presence || Mcp::Auth::ScopeRegistry.default_scope_string
+        requested = scope_string.split
+
+        # Get ALL available scopes (what the gem owner registered)
+        all_available = Mcp::Auth::ScopeRegistry.available_scopes.keys
+
+        # Filter by user permissions if configured
+        if Mcp::Auth.configuration.validate_scope_for_user
+          all_available = all_available.select do |scope|
+            Mcp::Auth.configuration.validate_scope_for_user.call(
+              current_user,
+              current_org,
+              scope
+            )
+          end
+        end
+
+        # Format all available scopes for display
+        # Mark as pre-selected if they were in the original request
+        all_scopes = Mcp::Auth::ScopeRegistry.format_for_display(all_available)
+
+        # Add a flag to indicate if scope was originally requested
+        all_scopes.map do |scope_data|
+          scope_data.merge(
+            pre_selected: requested.include?(scope_data[:key])
+          )
+        end
+      end
+
+      # Get required scopes from requested scopes list
+      def get_required_scopes(requested_scopes)
+        validated = Mcp::Auth::ScopeRegistry.validate_scopes(requested_scopes)
+
+        validated.select do |scope|
+          metadata = Mcp::Auth::ScopeRegistry.scope_metadata(scope)
+          metadata[:required]
+        end
+      end
+
+      # === Headers & Security ===
+
+      def set_cors_headers
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS'
+        response.headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type'
+      end
+
+      def handle_options_request
+        head :no_content if request.method == 'OPTIONS'
+      end
+
+      def require_https
+        return if request.ssl? || request.local? || Rails.env.development?
+
+        render_error('invalid_request', 'HTTPS required')
+      end
+
+      def authorization_server_url
+        config_url = Rails.application.config.mcp_auth.authorization_server_url
+        config_url.presence || "#{request.scheme}://#{request.host_with_port}"
+      end
+
+      # === Error Handling ===
+
+      def render_error(error, description)
+        error_response = {
+          error: error,
+          error_description: description
+        }
+
+        Rails.logger.error "[OAuth] Error: #{error_response.inspect}"
+        render json: error_response, status: :bad_request, content_type: 'application/json'
+      end
+
+      def current_org
+        # If current_org_method is nil in config, always return nil
+        return nil if Mcp::Auth.configuration.current_org_method.nil?
+
+        # Otherwise, call the configured method
+        method_name = Mcp::Auth.configuration.current_org_method
+
+        # If it's a proc, execute it in this controller's context
+        return instance_exec(&method_name) if method_name.respond_to?(:call)
+
+        # If it's a symbol/string, call it (from parent ApplicationController)
+        super if defined?(super)
+      rescue NoMethodError
+        # Method doesn't exist in parent, return nil
+        nil
+      end
+    end
+  end
+end

data/app/controllers/mcp/auth/well_known_controller.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module Mcp
+  module Auth
+    class WellKnownController < ActionController::Base
+      skip_before_action :verify_authenticity_token
+      before_action :set_cors_headers
+      before_action :handle_options_request
+
+      # RFC 9728: OAuth 2.0 Protected Resource Metadata
+      def protected_resource
+        resource_url = canonical_resource_url
+
+        metadata = {
+          resource: resource_url,
+          authorization_servers: [authorization_server_url],
+          scopes_supported: Mcp::Auth::ScopeRegistry.available_scopes.keys,
+          bearer_methods_supported: %w[header],
+          resource_documentation: mcp_documentation_url,
+          resource_parameter_supported: true, # RFC 8707 support
+          authorization_response_iss_parameter_supported: true # OAuth 2.1
+        }
+
+        render json: metadata, status: :ok, content_type: 'application/json'
+      end
+
+      # RFC 8414: OAuth 2.0 Authorization Server Metadata
+      def authorization_server
+        supported_scopes = Mcp::Auth::ScopeRegistry.available_scopes.keys
+
+        metadata = {
+          issuer: authorization_server_url,
+          authorization_endpoint: "#{authorization_server_url}/oauth/authorize",
+          token_endpoint: "#{authorization_server_url}/oauth/token",
+          registration_endpoint: "#{authorization_server_url}/oauth/register",
+          revocation_endpoint: "#{authorization_server_url}/oauth/revoke",
+          introspection_endpoint: "#{authorization_server_url}/oauth/introspect",
+
+          # Supported features
+          scopes_supported: supported_scopes.uniq,
+          response_types_supported: %w[code],
+          grant_types_supported: %w[authorization_code refresh_token],
+          code_challenge_methods_supported: %w[S256], # PKCE required
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post none],
+
+          # RFC 8707: Resource Indicators
+          resource_parameter_supported: true,
+
+          # OAuth 2.1 features
+          authorization_response_iss_parameter_supported: true,
+          require_pushed_authorization_requests: false,
+          require_signed_request_object: false,
+
+          # Token revocation and introspection
+          revocation_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post none],
+          introspection_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post none]
+        }
+
+        render json: metadata, status: :ok, content_type: 'application/json'
+      end
+
+      # OpenID Connect Discovery
+      def openid_configuration
+        # Get all registered scopes plus openid, profile, email
+        supported_scopes = Mcp::Auth::ScopeRegistry.available_scopes.keys + %w[openid profile email]
+
+        metadata = {
+          issuer: authorization_server_url,
+          authorization_endpoint: "#{authorization_server_url}/oauth/authorize",
+          token_endpoint: "#{authorization_server_url}/oauth/token",
+          registration_endpoint: "#{authorization_server_url}/oauth/register",
+          jwks_uri: "#{authorization_server_url}/.well-known/jwks.json",
+          userinfo_endpoint: "#{authorization_server_url}/oauth/userinfo",
+
+          scopes_supported: supported_scopes.uniq,
+          response_types_supported: %w[code],
+          grant_types_supported: %w[authorization_code refresh_token],
+          code_challenge_methods_supported: %w[S256],
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post none],
+          subject_types_supported: %w[public],
+          id_token_signing_alg_values_supported: %w[HS256]
+        }
+
+        render json: metadata, status: :ok, content_type: 'application/json'
+      end
+
+      # JWKS endpoint (empty for HMAC)
+      def jwks
+        keys = { keys: [] }
+        render json: keys, status: :ok, content_type: 'application/json'
+      end
+
+      private
+
+      def set_cors_headers
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
+        response.headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type'
+        response.headers['Content-Type'] = 'application/json; charset=utf-8' unless request.method == 'OPTIONS'
+      end
+
+      def handle_options_request
+        head :no_content if request.method == 'OPTIONS'
+      end
+
+      def canonical_resource_url
+        # Use configured MCP server path
+        mcp_path = Mcp::Auth.configuration&.mcp_server_path || '/mcp'
+
+        # Ensure path starts with /
+        mcp_path = "/#{mcp_path}" unless mcp_path.start_with?('/')
+
+        # Remove trailing slash if present
+        mcp_path = mcp_path.chomp('/')
+
+        # Build the full resource URL
+        base_url = "#{request.scheme}://#{request.host_with_port}"
+        "#{base_url}#{mcp_path}"
+      end
+
+      def mcp_documentation_url
+        # Use configured docs URL, or generate default based on server path
+        docs_url = Mcp::Auth.configuration&.mcp_docs_url
+
+        if docs_url.present?
+          # If it's a full URL, use as-is
+          return docs_url if docs_url.start_with?('http://', 'https://')
+
+          # If it's a path, prepend base URL
+          return "#{request.base_url}#{docs_url}"
+        end
+
+        # Default: append /docs to the MCP server path
+        mcp_path = Mcp::Auth.configuration&.mcp_server_path || '/mcp'
+        mcp_path = "/#{mcp_path}" unless mcp_path.start_with?('/')
+        mcp_path = mcp_path.chomp('/')
+
+        "#{request.base_url}#{mcp_path}/docs"
+      end
+
+      def authorization_server_url
+        config_url = Mcp::Auth.configuration&.authorization_server_url
+        config_url.presence || "#{request.scheme}://#{request.host_with_port}"
+      end
+    end
+  end
+end

data/app/models/mcp/auth/access_token.rb

@@ -0,0 +1,30 @@
+module Mcp
+  module Auth
+    class AccessToken < ActiveRecord::Base
+      self.table_name = "mcp_auth_access_tokens"
+
+      belongs_to :user
+      belongs_to :org, optional: true
+      belongs_to :oauth_client,
+                 class_name: "Mcp::Auth::OauthClient",
+                 foreign_key: :client_id,
+                 primary_key: :client_id,
+                 optional: true
+
+      validates :token, presence: true, uniqueness: true
+      validates :client_id, presence: true
+      validates :expires_at, presence: true
+
+      scope :active, -> { where('expires_at > ?', Time.current) }
+      scope :expired, -> { where('expires_at <= ?', Time.current) }
+
+      def expired?
+        expires_at <= Time.current
+      end
+
+      def self.cleanup_expired
+        expired.delete_all
+      end
+    end
+  end
+end