RubyGems - mcp-auth - Versions diffs - 0.1.0 - Mend

mcp-auth 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +43 -0
data/CONTRIBUTING.md +107 -0
data/LICENSE.txt +21 -0
data/README.md +869 -0
data/Rakefile +8 -0
data/app/controllers/mcp/auth/oauth_controller.rb +494 -0
data/app/controllers/mcp/auth/well_known_controller.rb +147 -0
data/app/models/mcp/auth/access_token.rb +30 -0
data/app/models/mcp/auth/authorization_code.rb +33 -0
data/app/models/mcp/auth/oauth_client.rb +60 -0
data/app/models/mcp/auth/refresh_token.rb +32 -0
data/app/views/mcp/auth/consent.html.erb +527 -0
data/config/routes.rb +43 -0
data/lib/generators/mcp/auth/install_generator.rb +80 -0
data/lib/generators/mcp/auth/templates/README +114 -0
data/lib/generators/mcp/auth/templates/create_access_tokens.rb.erb +23 -0
data/lib/generators/mcp/auth/templates/create_authorization_codes.rb.erb +26 -0
data/lib/generators/mcp/auth/templates/create_oauth_clients.rb.erb +22 -0
data/lib/generators/mcp/auth/templates/create_refresh_tokens.rb.erb +22 -0
data/lib/generators/mcp/auth/templates/initializer.rb +199 -0
data/lib/generators/mcp/auth/templates/views/consent.html.erb +527 -0
data/lib/mcp/auth/engine.rb +32 -0
data/lib/mcp/auth/scope_registry.rb +113 -0
data/lib/mcp/auth/services/authorization_service.rb +102 -0
data/lib/mcp/auth/services/token_service.rb +230 -0
data/lib/mcp/auth/version.rb +7 -0
data/lib/mcp/auth.rb +109 -0
data/lib/tasks/mcp_auth_tasks.rake +89 -0
metadata +254 -0

data/app/models/mcp/auth/authorization_code.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+module Mcp
+  module Auth
+    class AuthorizationCode < ActiveRecord::Base
+      self.table_name = "mcp_auth_authorization_codes"
+      belongs_to :user
+      belongs_to :org, optional: true
+      belongs_to :oauth_client,
+                 class_name: "Mcp::Auth::OauthClient",
+                 foreign_key: :client_id,
+                 primary_key: :client_id,
+                 optional: true
+      validates :code, presence: true, uniqueness: true
+      validates :client_id, presence: true
+      validates :redirect_uri, presence: true
+      validates :expires_at, presence: true
+      scope :active, -> { where('expires_at > ?', Time.current) }
+      scope :expired, -> { where('expires_at <= ?', Time.current) }
+      def expired?
+        expires_at <= Time.current
+      end
+      def self.cleanup_expired
+        expired.delete_all
+      end
+    end
+  end
+end

data/app/models/mcp/auth/oauth_client.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+module Mcp
+  module Auth
+    class OauthClient < ActiveRecord::Base
+      self.table_name = "mcp_auth_oauth_clients"
+      self.primary_key = "client_id"
+      # Set defaults BEFORE validation
+      before_validation :set_defaults, on: :create
+      validates :client_id, presence: true, uniqueness: true
+      validates :client_secret, presence: true
+      serialize :redirect_uris, coder: JSON
+      serialize :grant_types, coder: JSON
+      serialize :response_types, coder: JSON
+      has_many :authorization_codes,
+               class_name: "Mcp::Auth::AuthorizationCode",
+               foreign_key: :client_id,
+               primary_key: :client_id,
+               dependent: :destroy
+      has_many :access_tokens,
+               class_name: "Mcp::Auth::AccessToken",
+               foreign_key: :client_id,
+               primary_key: :client_id,
+               dependent: :destroy
+      has_many :refresh_tokens,
+               class_name: "Mcp::Auth::RefreshToken",
+               foreign_key: :client_id,
+               primary_key: :client_id,
+               dependent: :destroy
+      def self.find_by_client_id(client_id)
+        find_by(client_id: client_id)
+      end
+      def valid_redirect_uri?(uri)
+        redirect_uris&.include?(uri)
+      end
+      def supports_grant_type?(grant_type)
+        grant_types&.include?(grant_type)
+      end
+      private
+      def set_defaults
+        self.client_id ||= SecureRandom.uuid
+        self.client_secret ||= SecureRandom.hex(32)
+        self.grant_types ||= %w[authorization_code refresh_token]
+        self.response_types ||= %w[code]
+        self.scope ||= Mcp::Auth::ScopeRegistry.default_scope_string
+      end
+    end
+  end
+end

data/app/models/mcp/auth/refresh_token.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+module Mcp
+  module Auth
+    class RefreshToken < ActiveRecord::Base
+      self.table_name = "mcp_auth_refresh_tokens"
+      belongs_to :user
+      belongs_to :org, optional: true
+      belongs_to :oauth_client,
+                 class_name: "Mcp::Auth::OauthClient",
+                 foreign_key: :client_id,
+                 primary_key: :client_id,
+                 optional: true
+      validates :token, presence: true, uniqueness: true
+      validates :client_id, presence: true
+      validates :expires_at, presence: true
+      scope :active, -> { where('expires_at > ?', Time.current) }
+      scope :expired, -> { where('expires_at <= ?', Time.current) }
+      def expired?
+        expires_at <= Time.current
+      end
+      def self.cleanup_expired
+        expired.delete_all
+      end
+    end
+  end
+end

data/app/views/mcp/auth/consent.html.erb ADDED Viewed

@@ -0,0 +1,527 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authorization Request</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <%= csrf_meta_tags %>
+  <style>
+      * {
+          margin: 0;
+          padding: 0;
+          box-sizing: border-box;
+      }
+      body {
+          font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+          background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+          min-height: 100vh;
+          display: flex;
+          align-items: center;
+          justify-content: center;
+          padding: 20px;
+      }
+      .container {
+          background: white;
+          border-radius: 12px;
+          box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+          max-width: 480px;
+          width: 100%;
+          overflow: hidden;
+      }
+      .header {
+          background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+          color: white;
+          padding: 30px;
+          text-align: center;
+      }
+      .header h1 {
+          font-size: 24px;
+          font-weight: 600;
+          margin-bottom: 8px;
+      }
+      .header p {
+          font-size: 14px;
+          opacity: 0.9;
+      }
+      .content {
+          padding: 30px;
+      }
+      .client-info {
+          background: #f7fafc;
+          border-radius: 8px;
+          padding: 20px;
+          margin-bottom: 24px;
+          border-left: 4px solid #667eea;
+      }
+      .client-info strong {
+          display: block;
+          color: #2d3748;
+          font-size: 16px;
+          margin-bottom: 4px;
+      }
+      .client-info p {
+          color: #718096;
+          font-size: 14px;
+      }
+      .scopes {
+          margin-bottom: 24px;
+      }
+      .scopes h3 {
+          color: #2d3748;
+          font-size: 16px;
+          margin-bottom: 16px;
+          font-weight: 600;
+      }
+      .scope-item {
+          display: flex;
+          align-items: flex-start;
+          padding: 14px 16px;
+          margin-bottom: 10px;
+          background: #f7fafc;
+          border: 1px solid #e2e8f0;
+          border-radius: 8px;
+          transition: all 0.2s;
+          cursor: pointer;
+      }
+      .scope-item:hover:not(.required) {
+          background: #edf2f7;
+          border-color: #667eea;
+      }
+      .scope-item.required {
+          border-left: 3px solid #f59e0b;
+          cursor: default;
+      }
+      .scope-item.selected {
+          background: #f0f4ff;
+          border-color: #667eea;
+      }
+      .scope-checkbox {
+          flex-shrink: 0;
+          width: 20px;
+          height: 20px;
+          margin-right: 12px;
+          margin-top: 2px;
+          cursor: pointer;
+          accent-color: #667eea;
+      }
+      .scope-checkbox:disabled {
+          cursor: not-allowed;
+          opacity: 0.5;
+      }
+      .scope-content {
+          flex: 1;
+      }
+      .scope-header {
+          display: flex;
+          align-items: center;
+          gap: 8px;
+          margin-bottom: 4px;
+      }
+      .scope-name {
+          color: #2d3748;
+          font-size: 14px;
+          font-weight: 600;
+      }
+      .scope-badge {
+          font-size: 10px;
+          background: #f59e0b;
+          color: white;
+          padding: 3px 8px;
+          border-radius: 12px;
+          text-transform: uppercase;
+          font-weight: 600;
+          letter-spacing: 1px;
+      }
+      .scope-description {
+          color: #718096;
+          font-size: 13px;
+          line-height: 1.5;
+      }
+      .warning-box {
+          background: #fef3c7;
+          border: 1px solid #fbbf24;
+          border-radius: 8px;
+          padding: 14px;
+          margin-bottom: 24px;
+          display: flex;
+          align-items: start;
+          gap: 10px;
+      }
+      .warning-icon {
+          color: #f59e0b;
+          font-size: 18px;
+          flex-shrink: 0;
+      }
+      .warning-text {
+          font-size: 13px;
+          color: #78350f;
+          line-height: 1.5;
+      }
+      .select-all-container {
+          margin-bottom: 16px;
+          padding: 12px;
+          background: #f0fdf4;
+          border: 1px solid #86efac;
+          border-radius: 8px;
+          display: flex;
+          align-items: center;
+          gap: 10px;
+      }
+      .select-all-checkbox {
+          width: 18px;
+          height: 18px;
+          cursor: pointer;
+          accent-color: #667eea;
+      }
+      .select-all-label {
+          color: #166534;
+          font-size: 14px;
+          font-weight: 500;
+          cursor: pointer;
+          user-select: none;
+      }
+      .actions {
+          display: flex;
+          gap: 12px;
+          margin-top: 24px;
+      }
+      button {
+          flex: 1;
+          padding: 14px 24px;
+          border: none;
+          border-radius: 6px;
+          font-size: 15px;
+          font-weight: 600;
+          cursor: pointer;
+          transition: all 0.2s;
+          text-transform: none;
+      }
+      button:disabled {
+          opacity: 0.5;
+          cursor: not-allowed;
+      }
+      .btn-approve {
+          background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+          color: white;
+      }
+      .btn-approve:hover:not(:disabled) {
+          transform: translateY(-2px);
+          box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);
+      }
+      .btn-deny {
+          background: #e2e8f0;
+          color: #4a5568;
+      }
+      .btn-deny:hover {
+          background: #cbd5e0;
+      }
+      .security-note {
+          margin-top: 24px;
+          padding: 16px;
+          background: #f0fdf4;
+          border: 1px solid #86efac;
+          border-radius: 6px;
+          font-size: 13px;
+          color: #166534;
+          line-height: 1.5;
+      }
+      .security-note strong {
+          display: block;
+          margin-bottom: 4px;
+      }
+      .selected-count {
+          margin-top: 16px;
+          padding: 10px;
+          background: #eff6ff;
+          border: 1px solid #93c5fd;
+          border-radius: 6px;
+          text-align: center;
+          font-size: 13px;
+          color: #1e40af;
+      }
+      @media (max-width: 600px) {
+          .container { margin: 10px; }
+          .header { padding: 24px; }
+          .content { padding: 24px; }
+          .actions { flex-direction: column-reverse; }
+      }
+  </style>
+</head>
+<body>
+<div class="container">
+  <div class="header">
+    <h1>🔐 Authorization Request</h1>
+    <p>Review and select the permissions you want to grant</p>
+  </div>
+  <div class="content">
+    <div class="client-info">
+      <strong><%= @client_name %></strong>
+      <p>wants to access your MCP server</p>
+    </div>
+    <% if @requested_scopes.any? { |s| s[:required] } %>
+    <div class="warning-box">
+      <div class="warning-icon">⚠️</div>
+      <div class="warning-text">
+        Some permissions are required for the application to function properly and cannot be deselected.
+      </div>
+    </div>
+    <% end %>
+    <div class="scopes">
+      <h3>Select permissions to grant:</h3>
+      <% optional_scopes = @requested_scopes.reject { |s| s[:required] } %>
+      <% if optional_scopes.any? %>
+      <div class="select-all-container">
+        <input type="checkbox" id="selectAll" class="select-all-checkbox" checked>
+        <label for="selectAll" class="select-all-label">Select all optional permissions</label>
+      </div>
+      <% end %>
+      <%= form_with url: oauth_approve_path, method: :post, local: true, id: 'consentForm' do |f| %>
+      <% @authorization_params.each do |key, value| %>
+      <%= f.hidden_field key, value: value, id: nil %>
+      <% end %>
+<!--        Add hidden fields for required scopes since disabled checkboxes don't submit-->
+      <% @requested_scopes.select { |s| s[:required] }.each do |scope| %>
+      <%= hidden_field_tag 'scopes[]', scope[:key] %>
+      <% end %>
+      <% @requested_scopes.each_with_index do |scope, index| %>
+      <div class="scope-item <%= 'required selected' if scope[:required] %> <%= 'selected' if scope[:pre_selected] && !scope[:required] %>"
+           data-scope-key="<%= scope[:key] %>"
+           data-required="<%= scope[:required] %>"
+           data-pre-selected="<%= scope[:pre_selected] %>">
+        <% if scope[:required] %>
+<!--          Required scope: show disabled checkbox for UI, value submitted via hidden field abov-->
+        <input type="checkbox"
+               class="scope-checkbox"
+               id="scope_<%= index %>"
+               checked="checked"
+               disabled="disabled" />
+        <% else %>
+<!--          Optional scope: checkbox value will be submitted, JS will handle pre-selection-->
+        <input type="checkbox"
+               name="scopes[]"
+               value="<%= scope[:key] %>"
+               class="scope-checkbox"
+               id="scope_<%= index %>" />
+        <% end %>
+        <div class="scope-content">
+          <div class="scope-header">
+            <label for="scope_<%= index %>" class="scope-name"><%= scope[:name] %></label>
+            <% if scope[:required] %>
+            <span class="scope-badge">Required</span>
+            <% end %>
+          </div>
+          <div class="scope-description">
+            <%= scope[:description] %>
+          </div>
+        </div>
+      </div>
+      <% end %>
+      <div class="selected-count" id="selectedCount">
+        <span id="countText"></span>
+      </div>
+      <div class="actions">
+        <%= f.button 'Deny', type: 'button', class: 'btn-deny', onclick: 'denyAccess()' %>
+        <%= f.button 'Authorize', type: 'submit', name: 'approved', value: 'true', class: 'btn-approve', id: 'approveBtn' %>
+      </div>
+      <% end %>
+      <%= form_with url: oauth_approve_path, method: :post, local: true, id: 'denyForm' do |f| %>
+      <% @authorization_params.each do |key, value| %>
+      <%= f.hidden_field key, value: value, id: nil %>
+      <% end %>
+      <%= f.hidden_field :approved, value: 'false' %>
+      <% end %>
+    </div>
+    <div class="security-note">
+      <strong>Security Notice</strong>
+      You can select which permissions to grant. Only selected permissions will be authorized. Required permissions are pre-selected and cannot be changed. You can revoke access at any time from your account settings.
+    </div>
+  </div>
+</div>
+<script>
+  // Handle clicking on scope item (not checkbox)
+  document.addEventListener('DOMContentLoaded', function() {
+    // Pre-select checkboxes based on data-pre-selected attribute
+    const scopeItems = document.querySelectorAll('.scope-item');
+    scopeItems.forEach(item => {
+      const preSelected = item.getAttribute('data-pre-selected') === 'true';
+      const checkbox = item.querySelector('.scope-checkbox');
+      if (checkbox && !checkbox.disabled && preSelected) {
+        checkbox.checked = true;
+        item.classList.add('selected');
+      }
+    });
+    // Handle scope item clicks
+    scopeItems.forEach(item => {
+      item.addEventListener('click', function(e) {
+        // Don't toggle if clicking directly on checkbox or label
+        if (e.target.type === 'checkbox' || e.target.tagName === 'LABEL') {
+          return;
+        }
+        const checkbox = this.querySelector('.scope-checkbox');
+        if (checkbox && !checkbox.disabled) {
+          checkbox.checked = !checkbox.checked;
+          updateScopeItem(this, checkbox.checked);
+          updateSelectAll();
+          updateSelectedCount();
+        }
+      });
+    });
+    // Handle checkbox changes
+    const checkboxes = document.querySelectorAll('.scope-checkbox');
+    checkboxes.forEach(checkbox => {
+      checkbox.addEventListener('change', function() {
+        const scopeItem = this.closest('.scope-item');
+        updateScopeItem(scopeItem, this.checked);
+        updateSelectAll();
+        updateSelectedCount();
+      });
+    });
+    // Select all functionality
+    const selectAllCheckbox = document.getElementById('selectAll');
+    if (selectAllCheckbox) {
+      selectAllCheckbox.addEventListener('change', function() {
+        const optionalCheckboxes = document.querySelectorAll('.scope-checkbox:not(:disabled)');
+        optionalCheckboxes.forEach(checkbox => {
+          checkbox.checked = this.checked;
+          const scopeItem = checkbox.closest('.scope-item');
+          updateScopeItem(scopeItem, checkbox.checked);
+        });
+        updateSelectedCount();
+      });
+    }
+    // Initialize
+    updateSelectAll();
+    updateSelectedCount();
+  });
+  // Update visual state of scope item
+  function updateScopeItem(element, checked) {
+    if (checked) {
+      element.classList.add('selected');
+    } else {
+      element.classList.remove('selected');
+    }
+  }
+  // Update "Select All" checkbox state
+  function updateSelectAll() {
+    const selectAllCheckbox = document.getElementById('selectAll');
+    if (!selectAllCheckbox) return;
+    const optionalCheckboxes = Array.from(document.querySelectorAll('.scope-checkbox:not(:disabled)'));
+    const checkedOptional = optionalCheckboxes.filter(cb => cb.checked);
+    if (checkedOptional.length === 0) {
+      selectAllCheckbox.checked = false;
+      selectAllCheckbox.indeterminate = false;
+    } else if (checkedOptional.length === optionalCheckboxes.length) {
+      selectAllCheckbox.checked = true;
+      selectAllCheckbox.indeterminate = false;
+    } else {
+      selectAllCheckbox.checked = false;
+      selectAllCheckbox.indeterminate = true;
+    }
+  }
+  // Update selected count display
+  function updateSelectedCount() {
+    const checkboxes = document.querySelectorAll('.scope-checkbox:checked');
+    const total = document.querySelectorAll('.scope-checkbox').length;
+    const selected = checkboxes.length;
+    const required = document.querySelectorAll('.scope-checkbox:checked:disabled').length;
+    const optional = selected - required;
+    const countText = document.getElementById('countText');
+    const approveBtn = document.getElementById('approveBtn');
+    if (selected === 0) {
+      countText.textContent = 'No permissions selected. Please select at least the required permissions to continue.';
+      approveBtn.disabled = true;
+    } else {
+      let text = `${selected} of ${total} permission${total !== 1 ? 's' : ''} selected`;
+      if (required > 0) {
+        text += ` (${required} required`;
+        if (optional > 0) {
+          text += `, ${optional} optional`;
+        }
+        text += ')';
+      }
+      countText.textContent = text;
+      approveBtn.disabled = false;
+    }
+  }
+  // Handle deny button
+  function denyAccess() {
+    document.getElementById('denyForm').submit();
+  }
+  // Validate form before submission
+  document.getElementById('consentForm').addEventListener('submit', function(e) {
+    const selectedScopes = document.querySelectorAll('.scope-checkbox:checked');
+    if (selectedScopes.length === 0) {
+      e.preventDefault();
+      alert('Please select at least one permission to authorize.');
+      return false;
+    }
+  });
+</script>
+</body>
+</html>

data/config/routes.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+Mcp::Auth::Engine.routes.draw do
+  # RFC 9728: OAuth 2.0 Protected Resource Metadata
+  match '/.well-known/oauth-protected-resource',
+        to: 'well_known#protected_resource',
+        via: %i[get options]
+  match '/.well-known/oauth-protected-resource/*path',
+        to: 'well_known#protected_resource',
+        via: %i[get options]
+  # RFC 8414: OAuth 2.0 Authorization Server Metadata
+  match '/.well-known/oauth-authorization-server',
+        to: 'well_known#authorization_server',
+        via: %i[get options]
+  # OpenID Connect Discovery
+  match '/.well-known/openid-configuration',
+        to: 'well_known#openid_configuration',
+        via: %i[get options]
+  match '/.well-known/jwks.json',
+        to: 'well_known#jwks',
+        via: %i[get options]
+  # OAuth 2.1 endpoints
+  match '/oauth/authorize', to: 'oauth#authorize', via: %i[get post options]
+  post '/oauth/approve', to: 'oauth#approve'
+  match '/oauth/token', to: 'oauth#token', via: %i[post options]
+  # RFC 7591: Dynamic Client Registration
+  match '/oauth/register', to: 'oauth#register', via: %i[post options]
+  # RFC 7009: Token Revocation
+  match '/oauth/revoke', to: 'oauth#revoke', via: %i[post options]
+  # RFC 7662: Token Introspection
+  match '/oauth/introspect', to: 'oauth#introspect', via: %i[post options]
+  # OpenID Connect UserInfo
+  match '/oauth/userinfo', to: 'oauth#userinfo', via: %i[get options]
+end