mcp-auth 0.1.0

data/lib/mcp/auth/services/authorization_service.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module Mcp
+  module Auth
+    module Services
+      class AuthorizationService
+        class << self
+          # Generate authorization code with PKCE support
+          def generate_authorization_code(params, user:, org:)
+            code = SecureRandom.hex(32)
+
+            # Use provided scope or default to all registered scopes
+            scope = params[:scope].presence || Mcp::Auth::ScopeRegistry.default_scope_string
+
+            authorization_code = Mcp::Auth::AuthorizationCode.create!(
+              code: code,
+              client_id: params[:client_id],
+              redirect_uri: params[:redirect_uri],
+              code_challenge: params[:code_challenge],
+              code_challenge_method: params[:code_challenge_method],
+              resource: params[:resource],
+              scope: scope,
+              user: user,
+              org: org,
+              expires_at: authorization_code_lifetime.minutes.from_now
+            )
+
+            Rails.logger.info "[AuthorizationService] Authorization code generated for user #{user.id}"
+            authorization_code.code
+          rescue ActiveRecord::RecordInvalid => e
+            Rails.logger.error "[AuthorizationService] Failed to create authorization code: #{e.message}"
+            nil
+          end
+
+          # Validate authorization code without consuming it
+          def validate_authorization_code(code)
+            return nil if code.blank?
+
+            authorization_code = Mcp::Auth::AuthorizationCode.active.find_by(code: code)
+            return nil unless authorization_code
+
+            {
+              client_id: authorization_code.client_id,
+              redirect_uri: authorization_code.redirect_uri,
+              code_challenge: authorization_code.code_challenge,
+              code_challenge_method: authorization_code.code_challenge_method,
+              resource: authorization_code.resource,
+              scope: authorization_code.scope,
+              user_id: authorization_code.user_id,
+              org_id: authorization_code.org_id,
+              created_at: authorization_code.created_at.to_i
+            }
+          end
+
+          # Consume authorization code (one-time use)
+          def consume_authorization_code(code)
+            authorization_code = Mcp::Auth::AuthorizationCode.find_by(code: code)
+            return nil unless authorization_code
+
+            code_data = {
+              client_id: authorization_code.client_id,
+              redirect_uri: authorization_code.redirect_uri,
+              code_challenge: authorization_code.code_challenge,
+              code_challenge_method: authorization_code.code_challenge_method,
+              resource: authorization_code.resource,
+              scope: authorization_code.scope,
+              user_id: authorization_code.user_id,
+              org_id: authorization_code.org_id,
+              created_at: authorization_code.created_at.to_i
+            }
+
+            authorization_code.destroy
+            Rails.logger.info "[AuthorizationService] Authorization code consumed"
+            code_data
+          end
+
+          # Validate PKCE challenge (RFC 7636)
+          def validate_pkce?(code_challenge, code_verifier)
+            return false if code_verifier.blank? || code_challenge.blank?
+
+            # S256 method: BASE64URL(SHA256(code_verifier))
+            computed_challenge = Base64.urlsafe_encode64(
+              Digest::SHA256.digest(code_verifier),
+              padding: false
+            )
+
+            ActiveSupport::SecurityUtils.secure_compare(computed_challenge, code_challenge)
+          rescue StandardError => e
+            Rails.logger.error "[AuthorizationService] PKCE validation error: #{e.message}"
+            false
+          end
+
+          private
+
+          def authorization_code_lifetime
+            Rails.application.config.mcp_auth.authorization_code_lifetime || 30
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mcp/auth/services/token_service.rb

@@ -0,0 +1,230 @@
+# frozen_string_literal: true
+
+module Mcp
+  module Auth
+    module Services
+      class TokenService
+        class << self
+          # Validate access token with optional resource verification (RFC 8707)
+          def validate_access_token(token, resource: nil)
+            return nil if token.blank?
+
+            begin
+              payload = JWT.decode(token, oauth_secret, true, { algorithm: 'HS256' }).first
+
+              # Check expiration manually to ensure proper handling
+              if payload['exp']
+                return nil if payload['exp'] <= Time.current.to_i
+              end
+
+              # Validate audience if resource provided (RFC 8707 compliance)
+              if resource && payload['aud'].present?
+                unless audience_matches?(payload['aud'], resource)
+                  Rails.logger.warn "[TokenService] Token audience mismatch: expected #{resource}, got #{payload['aud']}"
+                  return nil
+                end
+              end
+
+              payload.symbolize_keys
+            rescue JWT::DecodeError, JWT::ExpiredSignature => e
+              Rails.logger.debug "[TokenService] Token validation failed: #{e.message}"
+              nil
+            rescue StandardError => e
+              Rails.logger.error "[TokenService] Token validation error: #{e.message}"
+              nil
+            end
+          end
+
+          # Generate JWT access token with proper audience binding
+          def generate_access_token(data, base_url:)
+            user_data = fetch_user_data(data)
+
+            # RFC 8707: Use provided resource or default to MCP API endpoint
+            audience = normalize_resource_uri(data[:resource].presence || "#{base_url}/mcp")
+
+            # Calculate expiration time
+            exp_time = data[:expires_at] ? data[:expires_at].to_i : (Time.current.to_i + token_lifetime)
+
+            payload = {
+              iss: base_url,
+              aud: audience,
+              sub: data[:user_id].to_s,
+              org: data[:org_id]&.to_s,
+              client_id: data[:client_id],
+              email: user_data[:email],
+              scope: data[:scope],
+              api_key_id: user_data[:api_key_id],
+              api_key_secret: user_data[:api_key_secret],
+              iat: Time.current.to_i,
+              exp: exp_time
+            }
+
+            token = JWT.encode(payload, oauth_secret, 'HS256')
+
+            # Store token in database for revocation support
+            store_access_token(token, data, audience)
+
+            token
+          rescue StandardError => e
+            Rails.logger.error "[TokenService] Failed to generate access token: #{e.message}"
+            raise
+          end
+
+          # Generate refresh token
+          def generate_refresh_token(data)
+            refresh_token = SecureRandom.hex(32)
+
+            # Use provided expires_at or default
+            expires_at = data[:expires_at] || refresh_token_lifetime.seconds.from_now
+
+            begin
+              Mcp::Auth::RefreshToken.create!(
+                token: refresh_token,
+                client_id: data[:client_id],
+                scope: data[:scope],
+                user_id: data[:user_id],
+                org_id: data[:org_id],
+                expires_at: expires_at
+              )
+
+              Rails.logger.info "[TokenService] Refresh token created for user #{data[:user_id]}"
+              refresh_token
+            rescue ActiveRecord::RecordInvalid => e
+              Rails.logger.error "[TokenService] Failed to create refresh token: #{e.message}"
+              nil
+            end
+          end
+
+          # Validate refresh token
+          def validate_refresh_token(refresh_token)
+            return nil if refresh_token.blank?
+
+            token_record = Mcp::Auth::RefreshToken.find_by(token: refresh_token)
+            return nil unless token_record
+
+            # Check if token is expired
+            return nil if token_record.expires_at < Time.current
+
+            Rails.logger.info "[TokenService] Refresh token validated for user #{token_record.user_id}"
+            {
+              client_id: token_record.client_id,
+              scope: token_record.scope,
+              user_id: token_record.user_id,
+              org_id: token_record.org_id
+            }
+          end
+
+          # Revoke refresh token (RFC 7009)
+          def revoke_refresh_token(refresh_token)
+            return false if refresh_token.blank?
+
+            token_record = Mcp::Auth::RefreshToken.find_by(token: refresh_token)
+            return false unless token_record
+
+            token_record.destroy
+            Rails.logger.info "[TokenService] Refresh token revoked"
+            true
+          end
+
+          # Generate complete token response
+          def generate_token_response(data, base_url:)
+            access_token = generate_access_token(data, base_url: base_url)
+            refresh_token = generate_refresh_token(data)
+
+            response = {
+              access_token: access_token,
+              token_type: 'Bearer',
+              expires_in: token_lifetime,
+              scope: data[:scope]
+            }
+
+            response[:refresh_token] = refresh_token if refresh_token
+            response
+          rescue StandardError => e
+            Rails.logger.error "[TokenService] Failed to generate token response: #{e.message}"
+            raise
+          end
+
+          private
+
+          def oauth_secret
+            secret = Mcp::Auth.configuration&.oauth_secret
+            secret.presence || Rails.application.secret_key_base
+          end
+
+          def token_lifetime
+            Mcp::Auth.configuration&.access_token_lifetime || 3600
+          end
+
+          def refresh_token_lifetime
+            Mcp::Auth.configuration&.refresh_token_lifetime || 2_592_000
+          end
+
+          # RFC 8707: Normalize resource URI (remove trailing slash, lowercase scheme/host)
+          def normalize_resource_uri(uri)
+            parsed = URI.parse(uri)
+            normalized = "#{parsed.scheme.downcase}://#{parsed.host.downcase}"
+            normalized += ":#{parsed.port}" if parsed.port && !default_port?(parsed)
+            normalized += parsed.path.chomp('/') if parsed.path.present? && parsed.path != '/'
+            normalized
+          rescue URI::InvalidURIError => e
+            Rails.logger.warn "[TokenService] Invalid resource URI: #{uri} - #{e.message}"
+            uri
+          end
+
+          def default_port?(parsed_uri)
+            (parsed_uri.scheme == 'http' && parsed_uri.port == 80) ||
+              (parsed_uri.scheme == 'https' && parsed_uri.port == 443)
+          end
+
+          # RFC 8707: Check if token audience matches requested resource
+          def audience_matches?(token_audience, resource)
+            normalized_audience = normalize_resource_uri(token_audience)
+            normalized_resource = normalize_resource_uri(resource)
+
+            # Exact match or audience is a prefix of resource
+            normalized_audience == normalized_resource ||
+              normalized_resource.start_with?(normalized_audience)
+          end
+
+          def store_access_token(token, data, audience)
+            # Use provided expires_at or default
+            expires_at = data[:expires_at] || token_lifetime.seconds.from_now
+
+            Mcp::Auth::AccessToken.create!(
+              token: token,
+              client_id: data[:client_id],
+              resource: audience,
+              scope: data[:scope],
+              user_id: data[:user_id],
+              org_id: data[:org_id],
+              expires_at: expires_at
+            )
+            Rails.logger.info "[TokenService] Access token stored for user #{data[:user_id]}"
+          rescue ActiveRecord::RecordInvalid => e
+            Rails.logger.error "[TokenService] Failed to store access token: #{e.message}"
+          end
+
+          def fetch_user_data(data)
+            if Mcp::Auth.configuration&.fetch_user_data
+              Mcp::Auth.configuration.fetch_user_data.call(data)
+            else
+              default_fetch_user_data(data[:user_id])
+            end
+          end
+
+          def default_fetch_user_data(user_id)
+            user = User.find(user_id)
+            {
+              email: user.email,
+              api_key_id: nil,
+              api_key_secret: nil
+            }
+          rescue ActiveRecord::RecordNotFound
+            { email: 'unknown@example.com', api_key_id: nil, api_key_secret: nil }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mcp/auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Mcp
+  module Auth
+    VERSION = "0.1.0"
+  end
+end

data/lib/mcp/auth.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require 'mcp/auth/version'
+require 'mcp/auth/engine'
+require 'mcp/auth/services/token_service'
+require 'mcp/auth/services/authorization_service'
+
+module Mcp
+  module Auth
+    class Error < StandardError; end
+
+    class << self
+      attr_accessor :configuration
+    end
+
+    def self.configure
+      self.configuration ||= Configuration.new
+      yield(configuration)
+
+      # Also set on Rails.application.config for controllers to access
+      Rails.application.config.mcp_auth = configuration if defined?(Rails)
+    end
+
+    class Configuration
+      attr_accessor :oauth_secret,
+                    :authorization_server_url,
+                    :access_token_lifetime,
+                    :refresh_token_lifetime,
+                    :authorization_code_lifetime,
+                    :fetch_user_data,
+                    :current_user_method,
+                    :current_org_method,
+                    :consent_view_path,
+                    :use_custom_consent_view,
+                    :mcp_server_path,
+                    :mcp_docs_url,
+                    :validate_scope_for_user
+
+      def initialize
+        @oauth_secret = nil
+        @authorization_server_url = nil
+        @access_token_lifetime = 3600 # 1 hour
+        @refresh_token_lifetime = 2_592_000 # 30 days
+        @authorization_code_lifetime = 1800 # 30 minutes
+        @fetch_user_data = nil
+        @current_user_method = :current_user
+        @current_org_method = nil
+        @consent_view_path = 'mcp/auth/consent'
+        @use_custom_consent_view = false
+        @mcp_server_path = '/mcp'
+        @mcp_docs_url = nil
+        @validate_scope_for_user = nil
+      end
+
+      # Register a custom scope for your application
+      def register_scope(scope_key, name:, description:, required: false)
+        Mcp::Auth::ScopeRegistry.register_scope(
+          scope_key,
+          name: name,
+          description: description,
+          required: required
+        )
+      end
+
+      # Get MCP documentation URL
+      def documentation_url(base_url = nil)
+        return @mcp_docs_url if @mcp_docs_url.present? && @mcp_docs_url.start_with?('http')
+
+        docs_path = @mcp_docs_url.presence || "#{@mcp_server_path}/docs"
+        base_url ? "#{base_url}#{docs_path}" : docs_path
+      end
+    end
+
+    # Helper methods for controllers
+    module ControllerHelpers
+      def mcp_user_id
+        request.env['mcp.user_id']
+      end
+
+      def mcp_org_id
+        request.env['mcp.org_id']
+      end
+
+      def mcp_email
+        request.env['mcp.email']
+      end
+
+      def mcp_token
+        request.env['mcp.token']
+      end
+
+      def mcp_scope
+        request.env['mcp.scope']
+      end
+
+      def mcp_api_key
+        request.env['mcp.api_key']
+      end
+
+      def mcp_authenticated?
+        mcp_user_id.present?
+      end
+    end
+  end
+end
+
+require 'mcp/auth/scope_registry'
+require 'mcp/auth/services/token_service'
+require 'mcp/auth/services/authorization_service'

data/lib/tasks/mcp_auth_tasks.rake

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+namespace :mcp_auth do
+  desc "Clean up expired tokens and authorization codes"
+  task cleanup: :environment do
+    puts "Cleaning up expired MCP Auth tokens..."
+
+    expired_auth_codes = Mcp::Auth::AuthorizationCode.cleanup_expired
+    puts "  - Removed #{expired_auth_codes} expired authorization codes"
+
+    expired_access_tokens = Mcp::Auth::AccessToken.cleanup_expired
+    puts "  - Removed #{expired_access_tokens} expired access tokens"
+
+    expired_refresh_tokens = Mcp::Auth::RefreshToken.cleanup_expired
+    puts "  - Removed #{expired_refresh_tokens} expired refresh tokens"
+
+    puts "Cleanup complete!"
+  end
+
+  desc "Show MCP Auth statistics"
+  task stats: :environment do
+    puts "\nMCP Auth Statistics"
+    puts "=" * 50
+
+    puts "\nOAuth Clients:"
+    puts "  Total: #{Mcp::Auth::OauthClient.count}"
+
+    puts "\nAuthorization Codes:"
+    puts "  Active: #{Mcp::Auth::AuthorizationCode.active.count}"
+    puts "  Expired: #{Mcp::Auth::AuthorizationCode.expired.count}"
+    puts "  Total: #{Mcp::Auth::AuthorizationCode.count}"
+
+    puts "\nAccess Tokens:"
+    puts "  Active: #{Mcp::Auth::AccessToken.active.count}"
+    puts "  Expired: #{Mcp::Auth::AccessToken.expired.count}"
+    puts "  Total: #{Mcp::Auth::AccessToken.count}"
+
+    puts "\nRefresh Tokens:"
+    puts "  Active: #{Mcp::Auth::RefreshToken.active.count}"
+    puts "  Expired: #{Mcp::Auth::RefreshToken.expired.count}"
+    puts "  Total: #{Mcp::Auth::RefreshToken.count}"
+
+    puts "\n" + "=" * 50
+  end
+
+  desc "Revoke all tokens for a specific client"
+  task :revoke_client_tokens, [:client_id] => :environment do |_t, args|
+    client_id = args[:client_id]
+
+    if client_id.blank?
+      puts "Error: Please provide a client_id"
+      puts "Usage: rake mcp_auth:revoke_client_tokens[CLIENT_ID]"
+      exit 1
+    end
+
+    puts "Revoking all tokens for client: #{client_id}"
+
+    auth_codes = Mcp::Auth::AuthorizationCode.where(client_id: client_id).delete_all
+    access_tokens = Mcp::Auth::AccessToken.where(client_id: client_id).delete_all
+    refresh_tokens = Mcp::Auth::RefreshToken.where(client_id: client_id).delete_all
+
+    puts "  - Removed #{auth_codes} authorization codes"
+    puts "  - Removed #{access_tokens} access tokens"
+    puts "  - Removed #{refresh_tokens} refresh tokens"
+    puts "Complete!"
+  end
+
+  desc "Revoke all tokens for a specific user"
+  task :revoke_user_tokens, [:user_id] => :environment do |_t, args|
+    user_id = args[:user_id]
+
+    if user_id.blank?
+      puts "Error: Please provide a user_id"
+      puts "Usage: rake mcp_auth:revoke_user_tokens[USER_ID]"
+      exit 1
+    end
+
+    puts "Revoking all tokens for user: #{user_id}"
+
+    auth_codes = Mcp::Auth::AuthorizationCode.where(user_id: user_id).delete_all
+    access_tokens = Mcp::Auth::AccessToken.where(user_id: user_id).delete_all
+    refresh_tokens = Mcp::Auth::RefreshToken.where(user_id: user_id).delete_all
+
+    puts "  - Removed #{auth_codes} authorization codes"
+    puts "  - Removed #{access_tokens} access tokens"
+    puts "  - Removed #{refresh_tokens} refresh tokens"
+    puts "Complete!"
+  end
+end