@anton.andrusenko/shopify-mcp-admin 2.1.2 → 2.2.1

package/dist/chunk-PQKNBYJN.js

@@ -0,0 +1,254 @@
+import {
+  log
+} from "./chunk-5QMYOO4B.js";
+
+// src/middleware/mcp-auth.ts
+import { createHash } from "crypto";
+var ACCESS_TOKEN_PREFIX = "mcp_access_";
+var MCP_AUTH_ERROR_CODES = {
+  AUTH_REQUIRED: -32001,
+  // Missing authentication
+  AUTH_INVALID: -32002,
+  // Invalid API key format or key
+  AUTH_REVOKED: -32003,
+  // API key has been revoked
+  AUTH_FORBIDDEN: -32004
+  // Tenant suspended or no access
+};
+function createJsonRpcError(code, message, hint) {
+  const error = {
+    jsonrpc: "2.0",
+    error: {
+      code,
+      message
+    },
+    id: null
+  };
+  if (hint) {
+    error.error.data = { hint };
+  }
+  return error;
+}
+function parseBearerToken(authHeader) {
+  if (!authHeader) {
+    return null;
+  }
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+    return null;
+  }
+  const token = parts[1];
+  if (!token || token.trim() === "") {
+    return null;
+  }
+  return token;
+}
+async function validateMcpApiKey(authHeader, apiKeyService, prisma) {
+  const token = parseBearerToken(authHeader);
+  if (!token) {
+    return {
+      valid: false,
+      error: "Authentication required",
+      httpStatus: 401
+    };
+  }
+  const validationResult = await apiKeyService.validate(token);
+  if (!validationResult.valid) {
+    const isRevoked = validationResult.error?.includes("revoked");
+    return {
+      valid: false,
+      error: validationResult.error || "Invalid API key",
+      httpStatus: isRevoked ? 403 : 401
+    };
+  }
+  if (validationResult.apiKeyId) {
+    if (typeof apiKeyService.recordUsage === "function") {
+      apiKeyService.recordUsage(
+        validationResult.apiKeyId
+      );
+    }
+  }
+  const tenant = validationResult.tenant;
+  const tenantShops = await prisma.tenantShop.findMany({
+    where: {
+      tenantId: tenant.tenantId,
+      uninstalledAt: null
+      // Only active shops
+    },
+    select: {
+      shopDomain: true,
+      scopes: true
+    }
+  });
+  const allowedShops = tenantShops.map((shop) => shop.shopDomain);
+  let defaultShop = validationResult.shop;
+  if (!defaultShop && tenantShops.length === 1) {
+    defaultShop = {
+      domain: tenantShops[0].shopDomain,
+      scopes: tenantShops[0].scopes
+    };
+    log.debug("[mcp-auth] API key: no defaultShopId set, falling back to the only connected shop");
+  }
+  const mcpTenantContext = {
+    tenantId: tenant.tenantId,
+    email: tenant.email,
+    apiKeyId: validationResult.apiKeyId,
+    defaultShop,
+    allowedShops
+  };
+  return {
+    valid: true,
+    tenant: mcpTenantContext
+  };
+}
+function hashToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+function isOAuthAccessToken(token) {
+  return token.startsWith(ACCESS_TOKEN_PREFIX);
+}
+async function validateOAuthAccessToken(token, prisma) {
+  const tokenHash = hashToken(token);
+  const accessToken = await prisma.oAuthAccessToken.findUnique({
+    where: { tokenHash },
+    include: {
+      tenant: true,
+      shop: true,
+      client: true
+    }
+  });
+  if (!accessToken) {
+    log.debug("[mcp-auth] OAuth access token not found");
+    return {
+      valid: false,
+      error: "Invalid access token",
+      httpStatus: 401
+    };
+  }
+  if (/* @__PURE__ */ new Date() > accessToken.expiresAt) {
+    log.debug("[mcp-auth] OAuth access token expired");
+    return {
+      valid: false,
+      error: "Access token expired",
+      httpStatus: 401
+    };
+  }
+  if (accessToken.tenant.status !== "ACTIVE") {
+    log.debug("[mcp-auth] Tenant inactive for OAuth token");
+    return {
+      valid: false,
+      error: "Tenant account is suspended",
+      httpStatus: 403
+    };
+  }
+  const tenantShops = await prisma.tenantShop.findMany({
+    where: {
+      tenantId: accessToken.tenantId,
+      uninstalledAt: null
+      // Only active shops
+    },
+    select: {
+      shopDomain: true,
+      scopes: true
+    }
+  });
+  const allowedShops = tenantShops.map((shop) => shop.shopDomain);
+  let defaultShop;
+  if (accessToken.shop) {
+    defaultShop = {
+      domain: accessToken.shop.shopDomain,
+      scopes: accessToken.shop.scopes || []
+    };
+  } else if (tenantShops.length > 0) {
+    defaultShop = {
+      domain: tenantShops[0].shopDomain,
+      scopes: tenantShops[0].scopes || []
+    };
+  }
+  const mcpTenantContext = {
+    tenantId: accessToken.tenantId,
+    email: accessToken.tenant.email,
+    // No apiKeyId for OAuth tokens
+    defaultShop,
+    allowedShops
+  };
+  log.debug(
+    `[mcp-auth] OAuth access token validated for tenant: ${accessToken.tenantId.substring(0, 8)}...`
+  );
+  return {
+    valid: true,
+    tenant: mcpTenantContext
+  };
+}
+async function validateMcpBearerToken(authHeader, apiKeyService, prisma) {
+  const token = parseBearerToken(authHeader);
+  if (!token) {
+    return {
+      valid: false,
+      error: "Authentication required",
+      httpStatus: 401
+    };
+  }
+  if (isOAuthAccessToken(token)) {
+    log.debug("[mcp-auth] Token identified as OAuth access token");
+    return validateOAuthAccessToken(token, prisma);
+  }
+  log.debug("[mcp-auth] Token identified as API key");
+  return validateMcpApiKey(authHeader, apiKeyService, prisma);
+}
+function getWwwAuthenticateHeader(baseUrl, error, errorDescription) {
+  let header = `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`;
+  if (error) {
+    header += `, error="${error}"`;
+  }
+  if (errorDescription) {
+    header += `, error_description="${errorDescription}"`;
+  }
+  return header;
+}
+function createMcpAuthMiddleware(options) {
+  const { apiKeyService, prisma, isRemote, baseUrl } = options;
+  return async (req, res, next) => {
+    if (!isRemote) {
+      log.debug("[mcp-auth] Local mode: skipping API key validation");
+      next();
+      return;
+    }
+    const authResult = await validateMcpApiKey(req.headers.authorization, apiKeyService, prisma);
+    if (!authResult.valid) {
+      log.debug(`[mcp-auth] Auth failed: ${authResult.error}`);
+      let errorCode;
+      let hint;
+      if (authResult.httpStatus === 401) {
+        errorCode = authResult.error === "Authentication required" ? MCP_AUTH_ERROR_CODES.AUTH_REQUIRED : MCP_AUTH_ERROR_CODES.AUTH_INVALID;
+        hint = "Include Authorization: Bearer sk_live_xxx header";
+        if (baseUrl) {
+          res.setHeader("WWW-Authenticate", getWwwAuthenticateHeader(baseUrl));
+        }
+      } else {
+        errorCode = authResult.error?.includes("revoked") ? MCP_AUTH_ERROR_CODES.AUTH_REVOKED : MCP_AUTH_ERROR_CODES.AUTH_FORBIDDEN;
+        hint = "API key has been revoked or tenant is inactive";
+      }
+      res.status(authResult.httpStatus || 401).json(createJsonRpcError(errorCode, authResult.error || "Authentication failed", hint));
+      return;
+    }
+    req.mcpTenantContext = authResult.tenant;
+    log.debug(
+      `[mcp-auth] Auth successful for tenant: ${authResult.tenant?.tenantId?.substring(0, 8)}...`
+    );
+    next();
+  };
+}
+var MCP_AUTH_ERRORS = MCP_AUTH_ERROR_CODES;
+
+export {
+  createJsonRpcError,
+  parseBearerToken,
+  validateMcpApiKey,
+  isOAuthAccessToken,
+  validateOAuthAccessToken,
+  validateMcpBearerToken,
+  getWwwAuthenticateHeader,
+  createMcpAuthMiddleware,
+  MCP_AUTH_ERRORS
+};