toolchest 0.3.2

data/app/controllers/toolchest/oauth/authorizations_controller.rb

@@ -0,0 +1,152 @@
+module Toolchest
+  module Oauth
+    class AuthorizationsController < ::ApplicationController
+      before_action :authenticate_resource_owner!
+      before_action :validate_client!
+
+      # GET /mcp/oauth/authorize — consent screen
+      def new
+        @client_name = @application.name
+        @redirect_uri = params[:redirect_uri]
+        @optional = toolchest_config.optional_scopes
+        @original_scope = requested_scopes.join(" ")
+
+        requested = requested_scopes
+        allowed = toolchest_config.resolve_allowed_scopes(@current_resource_owner, requested)
+        known = toolchest_config.scopes.keys
+        allowed = allowed & known if known.any?
+        required = Array(toolchest_config.required_scopes) & known
+        visible = (allowed | required).uniq
+
+        @scope_list = visible.map { |s|
+          { name: s, description: toolchest_config.scopes[s] || s, required: required.include?(s) }
+        }
+        @oauth_params = oauth_hidden_params
+        @authorize_url = "#{request.script_name}/oauth/authorize"
+      end
+
+      # DELETE /mcp/oauth/authorize — user denied
+      def deny
+        redirect_url = build_redirect(params[:redirect_uri],
+          error: "access_denied",
+          state: params[:state]
+        )
+        redirect_to redirect_url, allow_other_host: true
+      end
+
+      # POST /mcp/oauth/authorize — approve and redirect with code
+      def create
+        requested = original_requested_scopes
+        allowed = toolchest_config.resolve_allowed_scopes(@current_resource_owner, requested)
+        known = toolchest_config.scopes.keys
+        allowed = allowed & known if known.any?
+        required = Array(toolchest_config.required_scopes) & known
+
+        granted = if toolchest_config.optional_scopes
+          submitted = Array(params[:scope])
+          (submitted & allowed) | required
+        else
+          allowed | required
+        end
+
+        grant = Toolchest::OauthAccessGrant.create_for(
+          application: @application,
+          resource_owner_id: current_resource_owner_id,
+          redirect_uri: params[:redirect_uri],
+          scopes: granted.join(" "),
+          mount_key: mount_key,
+          code_challenge: params[:code_challenge],
+          code_challenge_method: params[:code_challenge_method]
+        )
+
+        redirect_url = build_redirect(params[:redirect_uri],
+          code: grant.raw_code,
+          state: params[:state]
+        )
+        redirect_to redirect_url, allow_other_host: true
+      end
+
+      private
+
+      def toolchest_config = Toolchest.configuration(mount_key.to_sym)
+
+      def mount_key
+        # 1. From env (inside a mount — /admin-mcp/oauth/authorize)
+        return request.env["toolchest.mount_key"] if request.env["toolchest.mount_key"]
+
+        # 2. From resource param (RFC 8707 — CC always sends this)
+        if params[:resource].present?
+          resource_path = URI.parse(params[:resource]).path rescue nil
+          if resource_path
+            found = Toolchest.mount_keys.find { |k|
+              Toolchest.configuration(k).mount_path == resource_path
+            }
+            return found.to_s if found
+          end
+        end
+
+        "default"
+      end
+
+      def authenticate_resource_owner!
+        user = toolchest_config.resolve_current_user(request)
+        if user
+          @current_resource_owner = user
+        else
+          login_path = toolchest_config.login_path || "/login"
+          redirect_to "#{login_path}?return_to=#{CGI.escape(request.url)}", allow_other_host: true
+        end
+      end
+
+      def current_resource_owner_id
+        owner = @current_resource_owner
+        (owner.respond_to?(:id) ? owner.id : owner).to_s
+      end
+
+      def validate_client!
+        # Applications are global — look up by uid only (no mount_key filter)
+        @application = Toolchest::OauthApplication.find_by(uid: params[:client_id])
+        unless @application
+          render json: { error: "invalid_client", error_description: "Unknown client_id" }, status: :bad_request
+          return
+        end
+
+        if params[:redirect_uri].present? && !@application.redirect_uri_matches?(params[:redirect_uri])
+          render json: { error: "invalid_redirect_uri" }, status: :bad_request
+        end
+      end
+
+      def requested_scopes
+        scope = params[:scope]
+        case scope
+        when Array then scope.flat_map { |s| s.split(" ") }
+        when String then scope.split(" ")
+        else []
+        end
+      end
+
+      def oauth_hidden_params
+        params.to_unsafe_h.slice(
+          "client_id", "state", "redirect_uri", "response_type", "response_mode",
+          "access_type", "code_challenge", "code_challenge_method", "resource"
+        )
+      end
+
+      def original_requested_scopes
+        if params[:original_scope].present?
+          params[:original_scope].split(" ")
+        else
+          requested_scopes
+        end
+      end
+
+      def build_redirect(base_uri, query_params)
+        uri = URI.parse(base_uri)
+        existing = URI.decode_www_form(uri.query || "")
+        query_params.compact.each { |k, v| existing << [k.to_s, v.to_s] }
+        uri.query = URI.encode_www_form(existing)
+        uri.to_s
+      end
+    end
+  end
+end

data/app/controllers/toolchest/oauth/authorized_applications_controller.rb

@@ -0,0 +1,68 @@
+module Toolchest
+  module Oauth
+    class AuthorizedApplicationsController < ::ApplicationController
+      before_action :authenticate_resource_owner!
+
+      # GET /mcp/oauth/authorized_applications
+      def index = @applications = authorized_applications
+
+      # DELETE /mcp/oauth/authorized_applications/:id
+      def destroy
+        app = Toolchest::OauthApplication.find_by(id: params[:id])
+
+        unless app
+          redirect_to "#{request.script_name}/oauth/authorized_applications",
+            alert: "Application not found."
+          return
+        end
+
+        Toolchest::OauthAccessToken.revoke_all_for(app, current_resource_owner_id)
+        Toolchest::OauthAccessGrant.revoke_all_for(app, current_resource_owner_id)
+
+        redirect_to "#{request.script_name}/oauth/authorized_applications",
+          notice: "#{app.name} has been disconnected."
+      end
+
+      private
+
+      def toolchest_config = Toolchest.configuration(mount_key.to_sym)
+
+      def authenticate_resource_owner!
+        user = toolchest_config.resolve_current_user(request)
+        if user
+          @current_resource_owner = user
+        else
+          login_path = toolchest_config.login_path || "/login"
+          redirect_to "#{login_path}?return_to=#{CGI.escape(request.url)}", allow_other_host: true
+        end
+      end
+
+      def current_resource_owner_id
+        owner = @current_resource_owner
+        (owner.respond_to?(:id) ? owner.id : owner).to_s
+      end
+
+      def mount_key = request.env["toolchest.mount_key"] || "default"
+
+      def authorized_applications
+        tokens_scope = Toolchest::OauthAccessToken
+          .where(resource_owner_id: current_resource_owner_id, revoked_at: nil, mount_key: mount_key)
+
+        app_ids = tokens_scope.select(:application_id).distinct
+
+        Toolchest::OauthApplication.where(id: app_ids).map do |app|
+          tokens = tokens_scope.where(application: app)
+          latest = tokens.order(created_at: :desc).first
+          scopes = tokens.flat_map(&:scopes_array).uniq
+
+          {
+            application: app,
+            scopes: scopes,
+            connected_at: tokens.minimum(:created_at),
+            last_used_at: latest&.updated_at
+          }
+        end
+      end
+    end
+  end
+end

data/app/controllers/toolchest/oauth/metadata_controller.rb

@@ -0,0 +1,68 @@
+module Toolchest
+  module Oauth
+    class MetadataController < ::ApplicationController
+      # GET /.well-known/oauth-authorization-server(/*rest)
+      def authorization_server
+        mount_path, cfg = resolve_mount
+        return if performed?
+
+        render json: {
+          issuer: "#{request.base_url}#{mount_path}",
+          authorization_endpoint: "#{request.base_url}#{mount_path}/oauth/authorize",
+          token_endpoint: "#{request.base_url}#{mount_path}/oauth/token",
+          registration_endpoint: "#{request.base_url}#{mount_path}/oauth/register",
+          response_types_supported: ["code"],
+          grant_types_supported: ["authorization_code", "refresh_token"],
+          token_endpoint_auth_methods_supported: ["none"],
+          scopes_supported: cfg.scopes.keys,
+          code_challenge_methods_supported: ["S256"]
+        }
+      end
+
+      # GET /.well-known/oauth-protected-resource(/*rest)
+      def protected_resource
+        mount_path, cfg = resolve_mount
+        return if performed?
+
+        render json: {
+          resource: "#{request.base_url}#{mount_path}",
+          authorization_servers: ["#{request.base_url}#{mount_path}"],
+          scopes_supported: cfg.scopes.keys,
+          bearer_methods_supported: ["header"]
+        }
+      end
+
+      private
+
+      # Returns [mount_path, config] or renders 404 and returns [nil, nil].
+      def resolve_mount
+        if params[:rest].present?
+          # Suffixed path (RFC 8414) — must match a configured mount exactly.
+          path = "/#{params[:rest]}"
+          key = Toolchest.mount_keys.find { |k| Toolchest.configuration(k).mount_path == path }
+          unless key
+            head :not_found
+            return [nil, nil]
+          end
+          return [path, Toolchest.configuration(key)]
+        end
+
+        # No suffix (e.g. Cursor). Use default_oauth_mount if set.
+        if Toolchest.default_oauth_mount
+          cfg = Toolchest.configuration(Toolchest.default_oauth_mount)
+          return [cfg.mount_path || "/mcp", cfg]
+        end
+
+        # Auto-resolve when there's exactly one OAuth mount.
+        oauth_mounts = Toolchest.mount_keys.select { |k| Toolchest.configuration(k).auth == :oauth }
+        if oauth_mounts.size == 1
+          cfg = Toolchest.configuration(oauth_mounts.first)
+          return [cfg.mount_path || "/mcp", cfg]
+        end
+
+        head :not_found
+        [nil, nil]
+      end
+    end
+  end
+end

data/app/controllers/toolchest/oauth/registrations_controller.rb

@@ -0,0 +1,53 @@
+module Toolchest
+  module Oauth
+    class RegistrationsController < ::ApplicationController
+      skip_forgery_protection
+      wrap_parameters false
+
+      # POST /register — Dynamic Client Registration (RFC 7591)
+      # Applications are global (not mount-scoped). Mount scoping happens
+      # at authorization time via the resource param.
+      def create
+        name = (params[:client_name] || "MCP Client").truncate(255)
+        uris = Array(params[:redirect_uris])
+
+        if uris.size > 10
+          return render json: {
+            error: "invalid_client_metadata",
+            error_description: "Too many redirect URIs (max 10)"
+          }, status: :bad_request
+        end
+
+        if uris.any? { |u| u.to_s.length > 2048 }
+          return render json: {
+            error: "invalid_client_metadata",
+            error_description: "Redirect URI too long (max 2048 characters)"
+          }, status: :bad_request
+        end
+
+        application = Toolchest::OauthApplication.new(
+          name: name,
+          redirect_uri: uris.join("\n"),
+          confidential: false
+        )
+
+        if application.save
+          render json: {
+            client_name: application.name,
+            client_id: application.uid,
+            client_id_issued_at: application.created_at.to_i,
+            redirect_uris: application.redirect_uris,
+            grant_types: params[:grant_types] || ["authorization_code"],
+            response_types: params[:response_types] || ["code"],
+            token_endpoint_auth_method: params[:token_endpoint_auth_method] || "none"
+          }, status: :created
+        else
+          render json: {
+            error: "invalid_client_metadata",
+            error_description: application.errors.full_messages.join(", ")
+          }, status: :bad_request
+        end
+      end
+    end
+  end
+end

data/app/controllers/toolchest/oauth/tokens_controller.rb

@@ -0,0 +1,98 @@
+module Toolchest
+  module Oauth
+    class TokensController < ::ApplicationController
+      skip_forgery_protection
+
+      # POST /mcp/oauth/token
+      def create
+        case params[:grant_type]
+        when "authorization_code"
+          handle_authorization_code
+        when "refresh_token"
+          handle_refresh_token
+        else
+          error_response("unsupported_grant_type", "Grant type '#{params[:grant_type]}' is not supported")
+        end
+      end
+
+      private
+
+      def mount_key = request.env["toolchest.mount_key"] || "default"
+
+      def toolchest_config = Toolchest.configuration(mount_key.to_sym)
+
+      def handle_authorization_code
+        grant = Toolchest::OauthAccessGrant.find_by_code(params[:code])
+
+        unless grant
+          return error_response("invalid_grant", "Authorization code not found or expired")
+        end
+
+        app = grant.application
+
+        if params[:client_id].present? && app.uid != params[:client_id]
+          return error_response("invalid_client", "Client ID mismatch")
+        end
+
+        if grant.redirect_uri.present? && grant.redirect_uri != params[:redirect_uri]
+          return error_response("invalid_grant", "Redirect URI mismatch")
+        end
+
+        if !grant.uses_pkce? && !app.confidential?
+          return error_response("invalid_request", "PKCE required for public clients")
+        end
+
+        unless grant.verify_pkce(params[:code_verifier])
+          return error_response("invalid_grant", "PKCE verification failed")
+        end
+
+        grant.revoke!
+
+        token = Toolchest::OauthAccessToken.create_for(
+          application: app,
+          resource_owner_id: grant.resource_owner_id,
+          scopes: grant.scopes,
+          mount_key: grant.mount_key,
+          expires_in: toolchest_config.access_token_expires_in
+        )
+
+        render json: token_response(token)
+      end
+
+      def handle_refresh_token
+        old_token = Toolchest::OauthAccessToken.find_by_refresh_token(
+          params[:refresh_token], mount_key: mount_key
+        )
+
+        unless old_token
+          return error_response("invalid_grant", "Refresh token invalid or expired")
+        end
+
+        old_token.revoke!
+
+        token = Toolchest::OauthAccessToken.create_for(
+          application: old_token.application,
+          resource_owner_id: old_token.resource_owner_id,
+          scopes: old_token.scopes,
+          mount_key: old_token.mount_key,
+          expires_in: toolchest_config.access_token_expires_in
+        )
+
+        render json: token_response(token)
+      end
+
+      def token_response(token)
+        response = {
+          access_token: token.raw_token,
+          token_type: "bearer"
+        }
+        response[:expires_in] = (token.expires_at - Time.current).to_i if token.expires_at
+        response[:refresh_token] = token.raw_refresh_token if token.raw_refresh_token
+        response[:scope] = token.scopes if token.scopes.present?
+        response
+      end
+
+      def error_response(error, description) = render json: { error: error, error_description: description }, status: :bad_request
+    end
+  end
+end

data/app/models/toolchest/oauth_access_grant.rb

@@ -0,0 +1,66 @@
+require "securerandom"
+require "digest"
+require "base64"
+
+module Toolchest
+  class OauthAccessGrant < ActiveRecord::Base
+    self.table_name = "toolchest_oauth_access_grants"
+
+    belongs_to :application, class_name: "Toolchest::OauthApplication"
+
+    def self.revoke_all_for(application, resource_owner_id)
+      where(application: application, resource_owner_id: resource_owner_id.to_s, revoked_at: nil)
+        .update_all(revoked_at: Time.current)
+    end
+
+    scope :active, -> {
+      where(revoked_at: nil)
+        .where("expires_at > ?", Time.current)
+    }
+
+    def expired? = expires_at < Time.current
+
+    def revoked? = revoked_at.present?
+
+    def revoke! = update!(revoked_at: Time.current)
+
+    def uses_pkce? = code_challenge.present?
+
+    def verify_pkce(code_verifier)
+      return true unless uses_pkce?
+      return false if code_verifier.blank?
+
+      generated = Base64.urlsafe_encode64(
+        Digest::SHA256.digest(code_verifier),
+        padding: false
+      )
+      ActiveSupport::SecurityUtils.secure_compare(generated, code_challenge)
+    end
+
+    class << self
+      def create_for(application:, resource_owner_id:, redirect_uri:, scopes:, mount_key: "default",
+                     expires_in: 300, code_challenge: nil, code_challenge_method: nil)
+        raw_code = SecureRandom.urlsafe_base64(32)
+
+        grant = create!(
+          application: application,
+          resource_owner_id: resource_owner_id,
+          token_digest: Digest::SHA256.hexdigest(raw_code),
+          redirect_uri: redirect_uri,
+          scopes: scopes,
+          mount_key: mount_key,
+          expires_at: Time.current + expires_in.seconds,
+          code_challenge: code_challenge,
+          code_challenge_method: code_challenge_method
+        )
+
+        grant.instance_variable_set(:@raw_code, raw_code)
+        grant
+      end
+
+      def find_by_code(raw_code) = active.find_by(token_digest: Digest::SHA256.hexdigest(raw_code))
+    end
+
+    def raw_code = @raw_code
+  end
+end

data/app/models/toolchest/oauth_access_token.rb

@@ -0,0 +1,71 @@
+require "securerandom"
+require "digest"
+
+module Toolchest
+  class OauthAccessToken < ActiveRecord::Base
+    self.table_name = "toolchest_oauth_access_tokens"
+
+    belongs_to :application, class_name: "Toolchest::OauthApplication", optional: true
+
+    scope :active, -> {
+      where(revoked_at: nil)
+        .where("expires_at IS NULL OR expires_at > ?", Time.current)
+    }
+
+    def expired? = expires_at.present? && expires_at < Time.current
+
+    def revoked? = revoked_at.present?
+
+    def revoke! = update!(revoked_at: Time.current)
+
+    def accessible? = !revoked? && !expired?
+
+    def scopes_array = (scopes || "").split(" ").reject(&:empty?)
+
+    class << self
+      def revoke_all_for(application, resource_owner_id)
+        where(application: application, resource_owner_id: resource_owner_id.to_s, revoked_at: nil)
+          .update_all(revoked_at: Time.current)
+      end
+
+      def create_for(application:, resource_owner_id:, scopes:, mount_key: "default", expires_in: 7200)
+        raw_token = SecureRandom.urlsafe_base64(32)
+        raw_refresh = SecureRandom.urlsafe_base64(32)
+
+        token = create!(
+          application: application,
+          resource_owner_id: resource_owner_id,
+          token: Digest::SHA256.hexdigest(raw_token),
+          refresh_token: Digest::SHA256.hexdigest(raw_refresh),
+          scopes: scopes,
+          mount_key: mount_key,
+          expires_at: expires_in ? Time.current + expires_in.seconds : nil
+        )
+
+        token.instance_variable_set(:@raw_token, raw_token)
+        token.instance_variable_set(:@raw_refresh_token, raw_refresh)
+        token
+      end
+
+      # Timing-safe by design: we hash the raw token before lookup, so the
+      # database comparison runs against the hash (which the attacker doesn't
+      # know). No constant-time comparison needed here.
+      def find_by_token(raw_token, mount_key: nil)
+        scope = active.where(token: Digest::SHA256.hexdigest(raw_token))
+        scope = scope.where(mount_key: mount_key) if mount_key
+        scope.first
+      end
+
+      # See find_by_token for timing safety rationale.
+      def find_by_refresh_token(raw_refresh, mount_key: nil)
+        scope = active.where(refresh_token: Digest::SHA256.hexdigest(raw_refresh))
+        scope = scope.where(mount_key: mount_key) if mount_key
+        scope.first
+      end
+    end
+
+    def raw_token = @raw_token
+
+    def raw_refresh_token = @raw_refresh_token
+  end
+end

data/app/models/toolchest/oauth_application.rb

@@ -0,0 +1,26 @@
+require "securerandom"
+
+module Toolchest
+  class OauthApplication < ActiveRecord::Base
+    self.table_name = "toolchest_oauth_applications"
+
+    has_many :access_grants, class_name: "Toolchest::OauthAccessGrant",
+      foreign_key: :application_id, dependent: :delete_all
+    has_many :access_tokens, class_name: "Toolchest::OauthAccessToken",
+      foreign_key: :application_id, dependent: :delete_all
+
+    validates :name, :uid, presence: true
+    validates :uid, uniqueness: true
+    validates :redirect_uri, presence: true
+
+    before_validation :generate_uid, on: :create
+
+    def redirect_uris = redirect_uri&.split("\n")&.map(&:strip)&.reject(&:empty?) || []
+
+    def redirect_uri_matches?(uri) = redirect_uris.include?(uri)
+
+    private
+
+    def generate_uid = self.uid ||= SecureRandom.urlsafe_base64(32)
+  end
+end

data/app/models/toolchest/token.rb

@@ -0,0 +1,51 @@
+require "openssl"
+
+module Toolchest
+  class Token < ActiveRecord::Base
+    self.table_name = "toolchest_tokens"
+
+    scope :active, -> {
+      where(revoked_at: nil)
+        .where("expires_at IS NULL OR expires_at > ?", Time.current)
+    }
+
+    def expired? = expires_at.present? && expires_at < Time.current
+
+    def revoked? = revoked_at.present?
+
+    def accessible? = !revoked? && !expired?
+
+    def revoke! = update!(revoked_at: Time.current)
+
+    def scopes_array = (scopes || "").split(" ").reject(&:empty?)
+
+    class << self
+      def find_by_raw_token(raw_token)
+        digest = OpenSSL::Digest::SHA256.hexdigest(raw_token)
+        active.find_by(token_digest: digest)
+      end
+
+      def generate(owner: nil, name: nil, scopes: nil, namespace: "default", expires_at: nil)
+        raw = "tcht_#{SecureRandom.hex(24)}"
+        digest = OpenSSL::Digest::SHA256.hexdigest(raw)
+
+        owner_type, owner_id = owner&.split(":", 2)
+
+        token = create!(
+          token_digest: digest,
+          name: name,
+          owner_type: owner_type,
+          owner_id: owner_id,
+          scopes: scopes,
+          namespace: namespace,
+          expires_at: expires_at
+        )
+
+        token.instance_variable_set(:@raw_token, raw)
+        token
+      end
+    end
+
+    def raw_token = @raw_token
+  end
+end