@aexol/spectral 0.2.5 → 0.2.7

package/dist/mcp/mcp-callback-server.js

@@ -0,0 +1,225 @@
+/**
+ * MCP OAuth Callback Server
+ *
+ * HTTP server that handles OAuth callbacks from the authorization server.
+ * Uses Node.js http module for compatibility.
+ */
+import { createServer } from "http";
+import { OAUTH_CALLBACK_PATH, getConfiguredOAuthCallbackPort, getOAuthCallbackPort, setOAuthCallbackPort, } from "./mcp-oauth-provider.js";
+// HTML templates for callback responses
+const HTML_SUCCESS = `<!DOCTYPE html>
+<html>
+<head>
+  <title>Pi - Authorization Successful</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #1a1a2e; color: #eee; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #4ade80; margin-bottom: 1rem; }
+    p { color: #aaa; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Successful</h1>
+    <p>You can close this window and return to Pi.</p>
+  </div>
+  <script>setTimeout(() => window.close(), 2000);</script>
+</body>
+</html>`;
+const HTML_ERROR = (error) => `<!DOCTYPE html>
+<html>
+<head>
+  <title>Pi - Authorization Failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #1a1a2e; color: #eee; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #f87171; margin-bottom: 1rem; }
+    p { color: #aaa; }
+    .error { color: #fca5a5; font-family: monospace; margin-top: 1rem; padding: 1rem; background: rgba(248,113,113,0.1); border-radius: 0.5rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Failed</h1>
+    <p>An error occurred during authorization.</p>
+    <div class="error">${error}</div>
+  </div>
+</body>
+</html>`;
+/** Server singleton state */
+let server;
+const pendingAuths = new Map();
+/** Timeout for callback completion (5 minutes) */
+const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000;
+const MAX_PORT_SCAN_ATTEMPTS = 25;
+/**
+ * Handle incoming HTTP requests to the callback server.
+ */
+function handleRequest(req, res) {
+    const url = new URL(req.url || "/", `http://${req.headers.host}`);
+    // Only handle the callback path
+    if (url.pathname !== OAUTH_CALLBACK_PATH) {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+        return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    const errorDescription = url.searchParams.get("error_description");
+    // Enforce state parameter presence for CSRF protection
+    if (!state) {
+        const errorMsg = "Missing required state parameter - potential CSRF attack";
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(HTML_ERROR(errorMsg));
+        return;
+    }
+    // Handle OAuth errors
+    if (error) {
+        const errorMsg = errorDescription || error;
+        // Send HTTP response first before rejecting promise
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(HTML_ERROR(errorMsg));
+        // Reject promise after response is sent (defer to allow test to attach handler)
+        if (pendingAuths.has(state)) {
+            const pending = pendingAuths.get(state);
+            clearTimeout(pending.timeout);
+            pendingAuths.delete(state);
+            setTimeout(() => pending.reject(new Error(errorMsg)), 0);
+        }
+        return;
+    }
+    // Require authorization code
+    if (!code) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(HTML_ERROR("No authorization code provided"));
+        return;
+    }
+    // Validate state parameter
+    if (!pendingAuths.has(state)) {
+        const errorMsg = "Invalid or expired state parameter - potential CSRF attack";
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(HTML_ERROR(errorMsg));
+        return;
+    }
+    const pending = pendingAuths.get(state);
+    // Clear timeout and resolve the pending promise
+    clearTimeout(pending.timeout);
+    pendingAuths.delete(state);
+    pending.resolve(code);
+    res.writeHead(200, { "Content-Type": "text/html" });
+    res.end(HTML_SUCCESS);
+}
+/**
+ * Ensure the callback server is running.
+ * If strictPort is true, requires binding on the configured callback port.
+ * If strictPort is false, scans forward for an available local port.
+ */
+export async function ensureCallbackServer(options = {}) {
+    const configuredPort = getConfiguredOAuthCallbackPort();
+    const strictPort = options.strictPort === true;
+    if (server) {
+        if (!strictPort || getOAuthCallbackPort() === configuredPort)
+            return;
+        if (pendingAuths.size > 0) {
+            throw new Error(`OAuth callback server is running on port ${getOAuthCallbackPort()}, but strict callback port ${configuredPort} is required and cannot be switched while authorizations are pending`);
+        }
+        await stopCallbackServer();
+    }
+    const preferredPort = configuredPort;
+    const maxAttempts = strictPort ? 1 : MAX_PORT_SCAN_ATTEMPTS;
+    let lastError;
+    for (let offset = 0; offset < maxAttempts; offset++) {
+        const candidatePort = preferredPort + offset;
+        const candidateServer = createServer(handleRequest);
+        try {
+            await new Promise((resolve, reject) => {
+                candidateServer.once("error", (err) => {
+                    reject(err);
+                });
+                candidateServer.listen(candidatePort, "localhost", () => {
+                    resolve();
+                });
+            });
+            server = candidateServer;
+            server.unref();
+            setOAuthCallbackPort(candidatePort);
+            return;
+        }
+        catch (error) {
+            const nodeError = error;
+            await new Promise((resolve) => {
+                candidateServer.close(() => resolve());
+            });
+            if (nodeError.code !== "EADDRINUSE") {
+                throw error;
+            }
+            lastError = error instanceof Error ? error : new Error(String(error));
+        }
+    }
+    if (strictPort) {
+        throw new Error(`OAuth callback port ${preferredPort} is already in use. Pre-registered OAuth clients require an exact redirect URI; set MCP_OAUTH_CALLBACK_PORT to your registered port or free port ${preferredPort}`, { cause: lastError });
+    }
+    throw new Error(`OAuth callback port ${preferredPort} is already in use and no free port was found in range ${preferredPort}-${preferredPort + MAX_PORT_SCAN_ATTEMPTS - 1}`, { cause: lastError });
+}
+/**
+ * Wait for a callback with the given OAuth state.
+ * Returns a promise that resolves with the authorization code.
+ */
+export function waitForCallback(oauthState) {
+    return new Promise((resolve, reject) => {
+        const timeout = setTimeout(() => {
+            if (pendingAuths.has(oauthState)) {
+                pendingAuths.delete(oauthState);
+                reject(new Error("OAuth callback timeout - authorization took too long"));
+            }
+        }, CALLBACK_TIMEOUT_MS);
+        pendingAuths.set(oauthState, { resolve, reject, timeout });
+    });
+}
+/**
+ * Cancel a pending authorization by state.
+ */
+export function cancelPendingCallback(oauthState) {
+    const pending = pendingAuths.get(oauthState);
+    if (pending) {
+        clearTimeout(pending.timeout);
+        pendingAuths.delete(oauthState);
+        pending.reject(new Error("Authorization cancelled"));
+    }
+}
+/**
+ * Stop the callback server and reject all pending authorizations.
+ */
+export async function stopCallbackServer() {
+    if (server) {
+        await new Promise((resolve) => {
+            server.close(() => {
+                resolve();
+            });
+        });
+        server = undefined;
+    }
+    setOAuthCallbackPort(getConfiguredOAuthCallbackPort());
+    // Reject all pending auths (defer to allow any pending operations to complete)
+    const pendingList = Array.from(pendingAuths.entries());
+    pendingAuths.clear();
+    setTimeout(() => {
+        for (const [, pending] of pendingList) {
+            clearTimeout(pending.timeout);
+            pending.reject(new Error("OAuth callback server stopped"));
+        }
+    }, 0);
+}
+/**
+ * Check if the callback server is running.
+ */
+export function isCallbackServerRunning() {
+    return server !== undefined;
+}
+/**
+ * Get the number of pending authorizations.
+ */
+export function getPendingAuthCount() {
+    return pendingAuths.size;
+}

package/dist/mcp/mcp-oauth-provider.js

@@ -0,0 +1,243 @@
+/**
+ * MCP OAuth Provider
+ *
+ * Implementation of the MCP SDK's OAuthClientProvider interface.
+ * Handles OAuth client registration, token storage, and authorization redirection.
+ */
+import { UnauthorizedError } from "@modelcontextprotocol/sdk/client/auth.js";
+import { getAuthEntry, getAuthForUrl, updateTokens, updateClientInfo, updateCodeVerifier, updateOAuthState, clearAllCredentials, clearClientInfo, clearTokens, } from "./mcp-auth.js";
+// Callback server configuration
+const DEFAULT_OAUTH_CALLBACK_PORT = 19876;
+const OAUTH_CALLBACK_PATH = "/callback";
+let configuredOAuthCallbackPort = DEFAULT_OAUTH_CALLBACK_PORT;
+if (process.env.MCP_OAUTH_CALLBACK_PORT) {
+    const parsedPort = Number.parseInt(process.env.MCP_OAUTH_CALLBACK_PORT, 10);
+    if (Number.isInteger(parsedPort) && parsedPort > 0 && parsedPort <= 65535) {
+        configuredOAuthCallbackPort = parsedPort;
+    }
+}
+let oauthCallbackPort = configuredOAuthCallbackPort;
+export function getConfiguredOAuthCallbackPort() {
+    return configuredOAuthCallbackPort;
+}
+export function getOAuthCallbackPort() {
+    return oauthCallbackPort;
+}
+export function setOAuthCallbackPort(port) {
+    oauthCallbackPort = port;
+}
+/**
+ * OAuth provider implementation for MCP servers.
+ * Implements the OAuthClientProvider interface from the MCP SDK.
+ */
+export class McpOAuthProvider {
+    serverName;
+    serverUrl;
+    config;
+    callbacks;
+    constructor(serverName, serverUrl, config, callbacks) {
+        this.serverName = serverName;
+        this.serverUrl = serverUrl;
+        this.config = config;
+        this.callbacks = callbacks;
+    }
+    get usesClientCredentials() {
+        return this.config.grantType === "client_credentials";
+    }
+    /**
+     * The redirect URL for OAuth callbacks.
+     * This must match the redirect_uri in client metadata.
+     */
+    get redirectUrl() {
+        if (this.usesClientCredentials)
+            return undefined;
+        return `http://localhost:${getOAuthCallbackPort()}${OAUTH_CALLBACK_PATH}`;
+    }
+    /**
+     * Client metadata for dynamic registration.
+     * Describes this client to the OAuth authorization server.
+     */
+    get clientMetadata() {
+        if (this.usesClientCredentials) {
+            return {
+                client_name: "Pi Coding Agent",
+                redirect_uris: [],
+                grant_types: ["client_credentials"],
+                token_endpoint_auth_method: this.config.clientSecret ? "client_secret_post" : "none",
+            };
+        }
+        const redirectUrl = this.redirectUrl;
+        if (!redirectUrl) {
+            throw new Error("redirectUrl is required for authorization_code flow");
+        }
+        return {
+            redirect_uris: [redirectUrl],
+            client_name: "Pi Coding Agent",
+            client_uri: "https://github.com/nicobailon/pi-mcp-adapter",
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            token_endpoint_auth_method: this.config.clientSecret ? "client_secret_post" : "none",
+        };
+    }
+    /**
+     * Get client information (for pre-registered or dynamically registered clients).
+     * Returns undefined if no client info exists or if the server URL has changed.
+     */
+    async clientInformation() {
+        // Check config first (pre-registered client)
+        if (this.config.clientId) {
+            return {
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+            };
+        }
+        // Check stored client info (from dynamic registration)
+        // Use getAuthForUrl to validate credentials are for the current server URL
+        const entry = await getAuthForUrl(this.serverName, this.serverUrl);
+        if (entry?.clientInfo) {
+            // Check if client secret has expired
+            if (entry.clientInfo.clientSecretExpiresAt && entry.clientInfo.clientSecretExpiresAt < Date.now() / 1000) {
+                return undefined;
+            }
+            return {
+                client_id: entry.clientInfo.clientId,
+                client_secret: entry.clientInfo.clientSecret,
+            };
+        }
+        // No client info or URL changed - will trigger dynamic registration
+        return undefined;
+    }
+    /**
+     * Save client information from dynamic registration.
+     */
+    async saveClientInformation(info) {
+        const clientInfo = {
+            clientId: info.client_id,
+            clientSecret: info.client_secret,
+            clientIdIssuedAt: info.client_id_issued_at,
+            clientSecretExpiresAt: info.client_secret_expires_at,
+        };
+        updateClientInfo(this.serverName, clientInfo, this.serverUrl);
+    }
+    /**
+     * Get stored OAuth tokens.
+     * Returns undefined if no tokens exist or if the server URL has changed.
+     */
+    async tokens() {
+        // Use getAuthForUrl to validate tokens are for the current server URL
+        const entry = await getAuthForUrl(this.serverName, this.serverUrl);
+        if (!entry?.tokens)
+            return undefined;
+        return {
+            access_token: entry.tokens.accessToken,
+            token_type: "Bearer",
+            refresh_token: entry.tokens.refreshToken,
+            expires_in: entry.tokens.expiresAt
+                ? Math.max(0, Math.floor(entry.tokens.expiresAt - Date.now() / 1000))
+                : undefined,
+            scope: entry.tokens.scope,
+        };
+    }
+    /**
+     * Save OAuth tokens.
+     */
+    async saveTokens(tokens) {
+        const storedTokens = {
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token,
+            expiresAt: tokens.expires_in ? Date.now() / 1000 + tokens.expires_in : undefined,
+            scope: tokens.scope,
+        };
+        updateTokens(this.serverName, storedTokens, this.serverUrl);
+    }
+    /**
+     * Redirect the user to the authorization URL.
+     * This opens the browser for the user to authenticate.
+     *
+     * Throws UnauthorizedError when called outside of a user-initiated flow
+     * (no oauthState saved by startAuth). That path is reached when the SDK
+     * falls through from a failed refresh into a fresh authorization_code
+     * flow, which library hosts cannot complete in-process.
+     */
+    async redirectToAuthorization(authorizationUrl) {
+        if (this.usesClientCredentials) {
+            throw new Error("redirectToAuthorization is not used for client_credentials flow");
+        }
+        // No saved oauthState means we're on the post-refresh authorize fallback.
+        const entry = await getAuthEntry(this.serverName);
+        if (!entry?.oauthState) {
+            throw new UnauthorizedError(`Re-authentication required for MCP server: ${this.serverName}`);
+        }
+        // URL is passed to callback, not logged (may contain sensitive params)
+        await this.callbacks.onRedirect(authorizationUrl);
+    }
+    /**
+     * Save the PKCE code verifier.
+     */
+    async saveCodeVerifier(codeVerifier) {
+        updateCodeVerifier(this.serverName, codeVerifier);
+    }
+    /**
+     * Get the stored PKCE code verifier.
+     * @throws Error if no code verifier is stored
+     */
+    async codeVerifier() {
+        if (this.usesClientCredentials) {
+            throw new Error("codeVerifier is not used for client_credentials flow");
+        }
+        const entry = await getAuthEntry(this.serverName);
+        if (!entry?.codeVerifier) {
+            throw new Error(`No code verifier saved for MCP server: ${this.serverName}`);
+        }
+        return entry.codeVerifier;
+    }
+    /**
+     * Save the OAuth state parameter for CSRF protection.
+     */
+    async saveState(state) {
+        updateOAuthState(this.serverName, state);
+    }
+    /**
+     * Get the stored OAuth state parameter.
+     * @throws UnauthorizedError if no flow is in progress (see redirectToAuthorization)
+     */
+    async state() {
+        if (this.usesClientCredentials) {
+            throw new Error("state is not used for client_credentials flow");
+        }
+        const entry = await getAuthEntry(this.serverName);
+        if (!entry?.oauthState) {
+            throw new UnauthorizedError(`Re-authentication required for MCP server: ${this.serverName}`);
+        }
+        return entry.oauthState;
+    }
+    /**
+     * Invalidate credentials when authentication fails.
+     * Clears tokens, client info, or all credentials based on the type.
+     */
+    async invalidateCredentials(type) {
+        switch (type) {
+            case "all":
+                clearAllCredentials(this.serverName);
+                break;
+            case "client":
+                clearClientInfo(this.serverName);
+                break;
+            case "tokens":
+                clearTokens(this.serverName);
+                break;
+        }
+    }
+    prepareTokenRequest(scope) {
+        if (!this.usesClientCredentials) {
+            return undefined;
+        }
+        const params = new URLSearchParams({ grant_type: "client_credentials" });
+        const requestedScope = scope ?? this.config.scope;
+        if (requestedScope) {
+            params.set("scope", requestedScope);
+        }
+        return params;
+    }
+}
+export { DEFAULT_OAUTH_CALLBACK_PORT, OAUTH_CALLBACK_PATH };