toolchest 0.3.5 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/LLMS.txt +3 -0
- data/README.md +13 -0
- data/app/controllers/toolchest/oauth/authorizations_controller.rb +20 -0
- data/lib/toolchest/configuration.rb +14 -0
- data/lib/toolchest/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c73baf6206cfd9d1f744867f2b3e35e6094a2f4304dec858ce0350c1d54c03ba
|
|
4
|
+
data.tar.gz: 82c480aa62bdcb7c19df80a1aebeb4a7cf4dbb4ec8a199b25fb4a8abe6da69a1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 82bcf0c2b9ee5c5d0e9365641dcd7e2e6119be86e66dadee37b1bfaa44582511b2c3e7a5f2cbf31b0164dd31d4c3823090900bb4dd9bf18ea9f215babeaa2e47
|
|
7
|
+
data.tar.gz: f0e79e3d5cd3ad4bd09fe68975e129a3528f78f5f5ec7eaa822bf37c85631a295df2d0e10acbaf483ee62fa243ce563bd1a264688e3f3b90e1884a96d5173e1c
|
data/LLMS.txt
CHANGED
|
@@ -374,6 +374,9 @@ config.required_scopes = ["orders:read"] # always granted, can't uncheck
|
|
|
374
374
|
config.allowed_scopes_for do |user, requested| # per-user gating (default: show all)
|
|
375
375
|
user.admin? ? requested : requested - ["admin:write"]
|
|
376
376
|
end
|
|
377
|
+
config.authorize_link do |user| # block user from linking (OAuth only, default: allow all)
|
|
378
|
+
!user.banned?
|
|
379
|
+
end
|
|
377
380
|
```
|
|
378
381
|
|
|
379
382
|
## Resources and prompts
|
data/README.md
CHANGED
|
@@ -523,10 +523,23 @@ config.required_scopes = ["orders:read"]
|
|
|
523
523
|
config.allowed_scopes_for do |user, requested_scopes|
|
|
524
524
|
user.admin? ? requested_scopes : requested_scopes - ["admin:write"]
|
|
525
525
|
end
|
|
526
|
+
|
|
526
527
|
```
|
|
527
528
|
|
|
528
529
|
Scopes hidden by `allowed_scopes_for` never appear on the consent screen and can't be granted even if the POST is tampered with.
|
|
529
530
|
|
|
531
|
+
### Blocking users from linking
|
|
532
|
+
|
|
533
|
+
Gate who can link an MCP client to their account with `authorize_link`. If it returns falsy, the user is redirected with `access_denied` before they ever see a consent screen.
|
|
534
|
+
|
|
535
|
+
```ruby
|
|
536
|
+
config.authorize_link do |user|
|
|
537
|
+
!user.banned?
|
|
538
|
+
end
|
|
539
|
+
```
|
|
540
|
+
|
|
541
|
+
Only applies when using `auth: :oauth`. For `auth: :token` or custom strategies, gate access in your own authentication layer.
|
|
542
|
+
|
|
530
543
|
## Multi-mount
|
|
531
544
|
|
|
532
545
|
Separate MCP endpoints, different auth, different toolboxes:
|
|
@@ -11,6 +11,16 @@ module Toolchest
|
|
|
11
11
|
@optional = toolchest_config.optional_scopes
|
|
12
12
|
@original_scope = requested_scopes.join(" ")
|
|
13
13
|
|
|
14
|
+
unless toolchest_config.authorize_link?(@current_resource_owner)
|
|
15
|
+
redirect_url = build_redirect(params[:redirect_uri],
|
|
16
|
+
error: "access_denied",
|
|
17
|
+
error_description: "User is not authorized to connect",
|
|
18
|
+
state: params[:state]
|
|
19
|
+
)
|
|
20
|
+
redirect_to redirect_url, allow_other_host: true
|
|
21
|
+
return
|
|
22
|
+
end
|
|
23
|
+
|
|
14
24
|
requested = requested_scopes
|
|
15
25
|
allowed = toolchest_config.resolve_allowed_scopes(@current_resource_owner, requested)
|
|
16
26
|
known = toolchest_config.scopes.keys
|
|
@@ -36,6 +46,16 @@ module Toolchest
|
|
|
36
46
|
|
|
37
47
|
# POST /mcp/oauth/authorize — approve and redirect with code
|
|
38
48
|
def create
|
|
49
|
+
unless toolchest_config.authorize_link?(@current_resource_owner)
|
|
50
|
+
redirect_url = build_redirect(params[:redirect_uri],
|
|
51
|
+
error: "access_denied",
|
|
52
|
+
error_description: "User is not authorized to connect",
|
|
53
|
+
state: params[:state]
|
|
54
|
+
)
|
|
55
|
+
redirect_to redirect_url, allow_other_host: true
|
|
56
|
+
return
|
|
57
|
+
end
|
|
58
|
+
|
|
39
59
|
requested = original_requested_scopes
|
|
40
60
|
allowed = toolchest_config.resolve_allowed_scopes(@current_resource_owner, requested)
|
|
41
61
|
known = toolchest_config.scopes.keys
|
|
@@ -23,6 +23,7 @@ module Toolchest
|
|
|
23
23
|
@optional_scopes = false
|
|
24
24
|
@required_scopes = []
|
|
25
25
|
@allowed_scopes_for_block = nil
|
|
26
|
+
@authorize_link_block = nil
|
|
26
27
|
@additional_view_paths = []
|
|
27
28
|
@access_token_expires_in = 7200
|
|
28
29
|
@toolboxes = nil
|
|
@@ -52,6 +53,19 @@ module Toolchest
|
|
|
52
53
|
@authenticate_block.call(token)
|
|
53
54
|
end
|
|
54
55
|
|
|
56
|
+
def authorize_link(&block)
|
|
57
|
+
if block
|
|
58
|
+
@authorize_link_block = block
|
|
59
|
+
else
|
|
60
|
+
@authorize_link_block
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
def authorize_link?(user)
|
|
65
|
+
return true unless @authorize_link_block
|
|
66
|
+
@authorize_link_block.call(user)
|
|
67
|
+
end
|
|
68
|
+
|
|
55
69
|
def allowed_scopes_for(&block)
|
|
56
70
|
if block
|
|
57
71
|
@allowed_scopes_for_block = block
|
data/lib/toolchest/version.rb
CHANGED