mcp-auth 0.1.0

data/lib/generators/mcp/auth/templates/views/consent.html.erb

@@ -0,0 +1,527 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authorization Request</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <%%= csrf_meta_tags %>
+
+  <style>
+      * {
+          margin: 0;
+          padding: 0;
+          box-sizing: border-box;
+      }
+
+      body {
+          font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+          background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+          min-height: 100vh;
+          display: flex;
+          align-items: center;
+          justify-content: center;
+          padding: 20px;
+      }
+
+      .container {
+          background: white;
+          border-radius: 12px;
+          box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+          max-width: 480px;
+          width: 100%;
+          overflow: hidden;
+      }
+
+      .header {
+          background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+          color: white;
+          padding: 30px;
+          text-align: center;
+      }
+
+      .header h1 {
+          font-size: 24px;
+          font-weight: 600;
+          margin-bottom: 8px;
+      }
+
+      .header p {
+          font-size: 14px;
+          opacity: 0.9;
+      }
+
+      .content {
+          padding: 30px;
+      }
+
+      .client-info {
+          background: #f7fafc;
+          border-radius: 8px;
+          padding: 20px;
+          margin-bottom: 24px;
+          border-left: 4px solid #667eea;
+      }
+
+      .client-info strong {
+          display: block;
+          color: #2d3748;
+          font-size: 16px;
+          margin-bottom: 4px;
+      }
+
+      .client-info p {
+          color: #718096;
+          font-size: 14px;
+      }
+
+      .scopes {
+          margin-bottom: 24px;
+      }
+
+      .scopes h3 {
+          color: #2d3748;
+          font-size: 16px;
+          margin-bottom: 16px;
+          font-weight: 600;
+      }
+
+      .scope-item {
+          display: flex;
+          align-items: flex-start;
+          padding: 14px 16px;
+          margin-bottom: 10px;
+          background: #f7fafc;
+          border: 1px solid #e2e8f0;
+          border-radius: 8px;
+          transition: all 0.2s;
+          cursor: pointer;
+      }
+
+      .scope-item:hover:not(.required) {
+          background: #edf2f7;
+          border-color: #667eea;
+      }
+
+      .scope-item.required {
+          border-left: 3px solid #f59e0b;
+          cursor: default;
+      }
+
+      .scope-item.selected {
+          background: #f0f4ff;
+          border-color: #667eea;
+      }
+
+      .scope-checkbox {
+          flex-shrink: 0;
+          width: 20px;
+          height: 20px;
+          margin-right: 12px;
+          margin-top: 2px;
+          cursor: pointer;
+          accent-color: #667eea;
+      }
+
+      .scope-checkbox:disabled {
+          cursor: not-allowed;
+          opacity: 0.5;
+      }
+
+      .scope-content {
+          flex: 1;
+      }
+
+      .scope-header {
+          display: flex;
+          align-items: center;
+          gap: 8px;
+          margin-bottom: 4px;
+      }
+
+      .scope-name {
+          color: #2d3748;
+          font-size: 14px;
+          font-weight: 600;
+      }
+
+      .scope-badge {
+          font-size: 10px;
+          background: #f59e0b;
+          color: white;
+          padding: 3px 8px;
+          border-radius: 12px;
+          text-transform: uppercase;
+          font-weight: 600;
+          letter-spacing: 0.5px;
+      }
+
+      .scope-description {
+          color: #718096;
+          font-size: 13px;
+          line-height: 1.5;
+      }
+
+      .warning-box {
+          background: #fef3c7;
+          border: 1px solid #fbbf24;
+          border-radius: 8px;
+          padding: 14px;
+          margin-bottom: 24px;
+          display: flex;
+          align-items: start;
+          gap: 10px;
+      }
+
+      .warning-icon {
+          color: #f59e0b;
+          font-size: 18px;
+          flex-shrink: 0;
+      }
+
+      .warning-text {
+          font-size: 13px;
+          color: #78350f;
+          line-height: 1.5;
+      }
+
+      .select-all-container {
+          margin-bottom: 16px;
+          padding: 12px;
+          background: #f0fdf4;
+          border: 1px solid #86efac;
+          border-radius: 8px;
+          display: flex;
+          align-items: center;
+          gap: 10px;
+      }
+
+      .select-all-checkbox {
+          width: 18px;
+          height: 18px;
+          cursor: pointer;
+          accent-color: #667eea;
+      }
+
+      .select-all-label {
+          color: #166534;
+          font-size: 14px;
+          font-weight: 500;
+          cursor: pointer;
+          user-select: none;
+      }
+
+      .actions {
+          display: flex;
+          gap: 12px;
+          margin-top: 24px;
+      }
+
+      button {
+          flex: 1;
+          padding: 14px 24px;
+          border: none;
+          border-radius: 6px;
+          font-size: 15px;
+          font-weight: 600;
+          cursor: pointer;
+          transition: all 0.2s;
+          text-transform: none;
+      }
+
+      button:disabled {
+          opacity: 0.5;
+          cursor: not-allowed;
+      }
+
+      .btn-approve {
+          background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+          color: white;
+      }
+
+      .btn-approve:hover:not(:disabled) {
+          transform: translateY(-2px);
+          box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);
+      }
+
+      .btn-deny {
+          background: #e2e8f0;
+          color: #4a5568;
+      }
+
+      .btn-deny:hover {
+          background: #cbd5e0;
+      }
+
+      .security-note {
+          margin-top: 24px;
+          padding: 16px;
+          background: #f0fdf4;
+          border: 1px solid #86efac;
+          border-radius: 6px;
+          font-size: 13px;
+          color: #166534;
+          line-height: 1.5;
+      }
+
+      .security-note strong {
+          display: block;
+          margin-bottom: 4px;
+      }
+
+      .selected-count {
+          margin-top: 16px;
+          padding: 10px;
+          background: #eff6ff;
+          border: 1px solid #93c5fd;
+          border-radius: 6px;
+          text-align: center;
+          font-size: 13px;
+          color: #1e40af;
+      }
+
+      @media (max-width: 600px) {
+          .container { margin: 10px; }
+          .header { padding: 24px; }
+          .content { padding: 24px; }
+          .actions { flex-direction: column-reverse; }
+      }
+  </style>
+</head>
+<body>
+<div class="container">
+  <div class="header">
+    <h1>🔐 Authorization Request</h1>
+    <p>Review and select the permissions you want to grant</p>
+  </div>
+
+  <div class="content">
+    <div class="client-info">
+      <strong><%%= @client_name %></strong>
+      <p>wants to access your MCP server</p>
+    </div>
+
+    <%% if @requested_scopes.any? { |s| s[:required] } %>
+    <div class="warning-box">
+      <div class="warning-icon">⚠️</div>
+      <div class="warning-text">
+        Some permissions are required for the application to function properly and cannot be deselected.
+      </div>
+    </div>
+    <%% end %>
+
+    <div class="scopes">
+      <h3>Select permissions to grant:</h3>
+
+      <%% optional_scopes = @requested_scopes.reject { |s| s[:required] } %>
+      <%% if optional_scopes.any? %>
+      <div class="select-all-container">
+        <input type="checkbox" id="selectAll" class="select-all-checkbox" checked>
+        <label for="selectAll" class="select-all-label">Select all optional permissions</label>
+      </div>
+      <%% end %>
+
+      <%%= form_with url: oauth_approve_path, method: :post, local: true, id: 'consentForm' do |f| %>
+      <%% @authorization_params.each do |key, value| %>
+      <%%= f.hidden_field key, value: value, id: nil %>
+      <%% end %>
+
+      <%% # Add hidden fields for required scopes since disabled checkboxes don't submit %>
+      <%% @requested_scopes.select { |s| s[:required] }.each do |scope| %>
+      <%%= hidden_field_tag 'scopes[]', scope[:key] %>
+      <%% end %>
+
+      <%% @requested_scopes.each_with_index do |scope, index| %>
+      <div class="scope-item <%%= 'required selected' if scope[:required] %> <%%= 'selected' if scope[:pre_selected] && !scope[:required] %>"
+           data-scope-key="<%%= scope[:key] %>"
+           data-required="<%%= scope[:required] %>"
+           data-pre-selected="<%%= scope[:pre_selected] %>">
+        <%% if scope[:required] %>
+        <%# Required scope: show disabled checkbox for UI, value submitted via hidden field above %>
+        <input type="checkbox"
+               class="scope-checkbox"
+               id="scope_<%%= index %>"
+               checked="checked"
+               disabled="disabled" />
+        <%% else %>
+        <%# Optional scope: checkbox value will be submitted, JS will handle pre-selection %>
+        <input type="checkbox"
+               name="scopes[]"
+               value="<%%= scope[:key] %>"
+               class="scope-checkbox"
+               id="scope_<%%= index %>" />
+        <%% end %>
+        <div class="scope-content">
+          <div class="scope-header">
+            <label for="scope_<%%= index %>" class="scope-name"><%%= scope[:name] %></label>
+            <%% if scope[:required] %>
+            <span class="scope-badge">Required</span>
+            <%% end %>
+          </div>
+          <div class="scope-description">
+            <%%= scope[:description] %>
+          </div>
+        </div>
+      </div>
+      <%% end %>
+
+      <div class="selected-count" id="selectedCount">
+        <span id="countText"></span>
+      </div>
+
+      <div class="actions">
+        <%%= f.button 'Deny', type: 'button', class: 'btn-deny', onclick: 'denyAccess()' %>
+        <%%= f.button 'Authorize', type: 'submit', name: 'approved', value: 'true', class: 'btn-approve', id: 'approveBtn' %>
+      </div>
+      <%% end %>
+
+      <%%= form_with url: oauth_approve_path, method: :post, local: true, id: 'denyForm' do |f| %>
+      <%% @authorization_params.each do |key, value| %>
+      <%%= f.hidden_field key, value: value, id: nil %>
+      <%% end %>
+      <%%= f.hidden_field :approved, value: 'false' %>
+      <%% end %>
+    </div>
+
+    <div class="security-note">
+      <strong>Security Notice</strong>
+      You can select which permissions to grant. Only selected permissions will be authorized. Required permissions are pre-selected and cannot be changed. You can revoke access at any time from your account settings.
+    </div>
+  </div>
+</div>
+
+<script>
+  // Handle clicking on scope item (not checkbox)
+  document.addEventListener('DOMContentLoaded', function() {
+    // Pre-select checkboxes based on data-pre-selected attribute
+    const scopeItems = document.querySelectorAll('.scope-item');
+    scopeItems.forEach(item => {
+      const preSelected = item.getAttribute('data-pre-selected') === 'true';
+      const checkbox = item.querySelector('.scope-checkbox');
+
+      if (checkbox && !checkbox.disabled && preSelected) {
+        checkbox.checked = true;
+        item.classList.add('selected');
+      }
+    });
+
+    // Handle scope item clicks
+    scopeItems.forEach(item => {
+      item.addEventListener('click', function(e) {
+        // Don't toggle if clicking directly on checkbox or label
+        if (e.target.type === 'checkbox' || e.target.tagName === 'LABEL') {
+          return;
+        }
+
+        const checkbox = this.querySelector('.scope-checkbox');
+        if (checkbox && !checkbox.disabled) {
+          checkbox.checked = !checkbox.checked;
+          updateScopeItem(this, checkbox.checked);
+          updateSelectAll();
+          updateSelectedCount();
+        }
+      });
+    });
+
+    // Handle checkbox changes
+    const checkboxes = document.querySelectorAll('.scope-checkbox');
+    checkboxes.forEach(checkbox => {
+      checkbox.addEventListener('change', function() {
+        const scopeItem = this.closest('.scope-item');
+        updateScopeItem(scopeItem, this.checked);
+        updateSelectAll();
+        updateSelectedCount();
+      });
+    });
+
+    // Select all functionality
+    const selectAllCheckbox = document.getElementById('selectAll');
+    if (selectAllCheckbox) {
+      selectAllCheckbox.addEventListener('change', function() {
+        const optionalCheckboxes = document.querySelectorAll('.scope-checkbox:not(:disabled)');
+        optionalCheckboxes.forEach(checkbox => {
+          checkbox.checked = this.checked;
+          const scopeItem = checkbox.closest('.scope-item');
+          updateScopeItem(scopeItem, checkbox.checked);
+        });
+        updateSelectedCount();
+      });
+    }
+
+    // Initialize
+    updateSelectAll();
+    updateSelectedCount();
+  });
+
+  // Update visual state of scope item
+  function updateScopeItem(element, checked) {
+    if (checked) {
+      element.classList.add('selected');
+    } else {
+      element.classList.remove('selected');
+    }
+  }
+
+  // Update "Select All" checkbox state
+  function updateSelectAll() {
+    const selectAllCheckbox = document.getElementById('selectAll');
+    if (!selectAllCheckbox) return;
+
+    const optionalCheckboxes = Array.from(document.querySelectorAll('.scope-checkbox:not(:disabled)'));
+    const checkedOptional = optionalCheckboxes.filter(cb => cb.checked);
+
+    if (checkedOptional.length === 0) {
+      selectAllCheckbox.checked = false;
+      selectAllCheckbox.indeterminate = false;
+    } else if (checkedOptional.length === optionalCheckboxes.length) {
+      selectAllCheckbox.checked = true;
+      selectAllCheckbox.indeterminate = false;
+    } else {
+      selectAllCheckbox.checked = false;
+      selectAllCheckbox.indeterminate = true;
+    }
+  }
+
+  // Update selected count display
+  function updateSelectedCount() {
+    const checkboxes = document.querySelectorAll('.scope-checkbox:checked');
+    const total = document.querySelectorAll('.scope-checkbox').length;
+    const selected = checkboxes.length;
+    const required = document.querySelectorAll('.scope-checkbox:checked:disabled').length;
+    const optional = selected - required;
+
+    const countText = document.getElementById('countText');
+    const approveBtn = document.getElementById('approveBtn');
+
+    if (selected === 0) {
+      countText.textContent = 'No permissions selected. Please select at least the required permissions to continue.';
+      approveBtn.disabled = true;
+    } else {
+      let text = `${selected} of ${total} permission${total !== 1 ? 's' : ''} selected`;
+      if (required > 0) {
+        text += ` (${required} required`;
+        if (optional > 0) {
+          text += `, ${optional} optional`;
+        }
+        text += ')';
+      }
+      countText.textContent = text;
+      approveBtn.disabled = false;
+    }
+  }
+
+  // Handle deny button
+  function denyAccess() {
+    document.getElementById('denyForm').submit();
+  }
+
+  // Validate form before submission
+  document.getElementById('consentForm').addEventListener('submit', function(e) {
+    const selectedScopes = document.querySelectorAll('.scope-checkbox:checked');
+    if (selectedScopes.length === 0) {
+      e.preventDefault();
+      alert('Please select at least one permission to authorize.');
+      return false;
+    }
+  });
+</script>
+</body>
+</html>

data/lib/mcp/auth/engine.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require "rails"
+require "jwt"
+
+module Mcp
+  module Auth
+    class Engine < ::Rails::Engine
+      isolate_namespace Mcp::Auth
+
+      config.generators do |g|
+        g.test_framework :rspec
+        g.fixture_replacement :factory_bot
+        g.factory_bot dir: 'spec/factories'
+      end
+
+      # Load dependencies before initializers
+      config.before_initialize do
+        require 'mcp/auth/scope_registry'
+      end
+
+      initializer "mcp_auth.configure" do
+        config.mcp_auth = ActiveSupport::OrderedOptions.new
+        config.mcp_auth.oauth_secret = ENV.fetch('MCP_OAUTH_PRIVATE_KEY', nil)
+        config.mcp_auth.authorization_server_url = ENV.fetch('MCP_AUTHORIZATION_SERVER_URL', nil)
+        config.mcp_auth.access_token_lifetime = 3600 # 1 hour
+        config.mcp_auth.refresh_token_lifetime = 2_592_000 # 30 days
+        config.mcp_auth.authorization_code_lifetime = 1800 # 30 minutes
+      end
+    end
+  end
+end

data/lib/mcp/auth/scope_registry.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module Mcp
+  module Auth
+    # ScopeRegistry manages OAuth scopes for MCP Auth
+    #
+    # By default, provides basic MCP scopes (mcp:read, mcp:write) automatically.
+    # Applications can register custom scopes which will replace the defaults.
+    #
+    # Example:
+    #   Mcp::Auth::ScopeRegistry.register_scope('mcp:tools',
+    #     name: 'Tool Execution',
+    #     description: 'Execute tools and actions',
+    #     required: false
+    #   )
+    class ScopeRegistry
+      class << self
+        # Custom scopes registered by the application
+        def custom_scopes
+          @custom_scopes ||= {}
+        end
+
+        # All available scopes
+        # If no scopes are registered, returns basic MCP scopes for backwards compatibility
+        def available_scopes
+          return custom_scopes unless custom_scopes.empty?
+
+          # Fallback: If no scopes registered, use basic MCP scopes
+          # This ensures backwards compatibility
+          {
+            'mcp:read' => {
+              name: 'Read Access',
+              description: 'Read your data and resources',
+              required: true
+            },
+            'mcp:write' => {
+              name: 'Write Access',
+              description: 'Create and modify data on your behalf',
+              required: false
+            }
+          }
+        end
+
+        # Register a custom scope
+        def register_scope(scope_key, name:, description:, required: false)
+          custom_scopes[scope_key.to_s] = {
+            name: name,
+            description: description,
+            required: required
+          }
+        end
+
+        # Clear all registered scopes (useful for testing)
+        def clear_scopes!
+          @custom_scopes = {}
+        end
+
+        # Check if a scope exists
+        def scope_exists?(scope)
+          available_scopes.key?(scope.to_s)
+        end
+
+        # Get scope metadata
+        def scope_metadata(scope)
+          available_scopes[scope.to_s] || {
+            name: scope,
+            description: scope,
+            required: false
+          }
+        end
+
+        # Validate and filter requested scopes
+        def validate_scopes(requested_scopes)
+          # If no scopes requested, return all required scopes
+          if requested_scopes.blank?
+            return available_scopes.select { |_, meta| meta[:required] }.keys
+          end
+
+          scopes = requested_scopes.is_a?(String) ? requested_scopes.split : requested_scopes
+
+          # Filter to only valid registered scopes
+          valid_scopes = scopes.select { |scope| scope_exists?(scope) }
+
+          # Always include required scopes
+          required_scopes = available_scopes.select { |_, meta| meta[:required] }.keys
+
+          (valid_scopes + required_scopes).uniq
+        end
+
+        # Format scopes for consent screen display
+        def format_for_display(requested_scopes)
+          scopes = requested_scopes.is_a?(String) ? requested_scopes.split : requested_scopes
+
+          scopes.map do |scope|
+            metadata = scope_metadata(scope)
+            {
+              key: scope,
+              name: metadata[:name],
+              description: metadata[:description],
+              required: metadata[:required]
+            }
+          end
+        end
+
+        # Get default scopes string for a client
+        def default_scope_string
+          # Return all registered scopes, or empty string if none
+          available_scopes.keys.join(' ')
+        end
+      end
+    end
+  end
+end