@baref00t/mcp-server 0.4.0 → 0.5.0
- package/README.md +18 -14
- package/dist/auth.d.ts +13 -1
- package/dist/auth.d.ts.map +1 -1
- package/dist/auth.js +80 -2
- package/dist/auth.js.map +1 -1
- package/dist/env.d.ts +12 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +13 -0
- package/dist/env.js.map +1 -1
- package/dist/server.js +50 -0
- package/dist/server.js.map +1 -1
- package/package.json +13 -2
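--- a/package/README.md
+++ b/package/README.md
@@ -11,9 +11,17 @@ Hosted multi-tenant Model Context Protocol (MCP) server that exposes the [baref0
 | Production | `https://mcp.baref00t.io/mcp` |
 | Staging | `https://mcp.sandbox.baref00t.io/mcp` |
 
-## Quick start (
+## Quick start — OAuth (recommended for AI clients)
 
-
+Connect Claude Desktop, Claude.ai web Connectors, Cursor, or ChatGPT remote MCP using the standard OAuth flow — no API key to copy around.
+
+**Claude Desktop / Claude.ai / ChatGPT:** Add a custom MCP server with URL `https://mcp.baref00t.io/mcp`. The client auto-discovers `/.well-known/oauth-protected-resource`, registers itself via Dynamic Client Registration (RFC 7591), and pops a browser window to sign in via Microsoft. After consent, you'll be signed in — no JSON, no token paste.
+
+**Manage authorized apps** at https://www.baref00t.io/portal/developer/connected-apps. Revoke any app at any time; the affected session stops working immediately.
+
+## Quick start — API key (server-to-server)
+
+For headless integrations (SDK, CI, your own backend) the long-standing API-key path is unchanged. `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
 
 ```json
 {
@@ -28,21 +36,17 @@ Hosted multi-tenant Model Context Protocol (MCP) server that exposes the [baref0
 }
 ```
 
-
-
-## Authentication
+Get an API key at https://www.baref00t.io/portal/developer/api-keys.
 
-
+## Authentication summary
 
-
-
-
-
-
-
-Key prefix routes to the right scope. Partner keys see partner tools, distributor keys see distributor tools.
+| Path | Header | Best for |
+|---|---|---|
+| OAuth | `Authorization: Bearer <JWT issued by mcp.baref00t.io>` | Interactive AI clients with a human user (Claude Desktop, Cursor, ChatGPT) |
+| API key (Bearer) | `Authorization: Bearer pk_live_…` (or `dk_live_…`) | Server-to-server, CI, scripted integrations |
+| API key (X-header) | `X-Partner-Key: pk_live_…` / `X-Distributor-Key: dk_live_…` | Same as Bearer, alternative header form |
 
-
+Key prefix routes to the right scope. Partner keys see partner tools; distributor keys see distributor tools. JWTs carry the scope in their claims and are similarly routed.
 
 ## Tool catalogue
 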
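--- a/package/dist/auth.d.ts
+++ b/package/dist/auth.d.ts
@@ -1,10 +1,16 @@
 /**
 * Per-request key extraction + scope routing.
 *
-* Accepts either:
+* Accepts either of:
 * Authorization: Bearer pk_live_… (or dk_live_…)
 * X-Partner-Key: pk_live_…
 * X-Distributor-Key: dk_live_…
+* Authorization: Bearer <JWT> (#374 OAuth Phase 4)
+*
+* JWT path: lazy-loads @baref00t/mcp-oauth (hosted-only, optional peer
+* dep), verifies the JWT, returns a synthetic apiKey carrying the
+* partner/distributor id so downstream tool dispatch + audit log keep
+* working without per-handler awareness of the auth source.
 *
 * Validates the prefix against the runtime-configurable allow-list
 * (`MCPAllowedKeyPrefixes` in KV). Unknown prefix → 401.
@@ -14,6 +20,12 @@ export type Scope = 'partner' | 'distributor';
 export interface ExtractedKey {
 scope: Scope;
 apiKey: string;
+/** Set when auth came from a JWT (OAuth path). Useful for audit. */
+oauthGrant?: {
+grantId: string;
+memberEmailHash: string;
+clientId: string;
+};
 }
 export interface AuthError {
 status: number;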
package/dist/auth.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAKhD,MAAM,MAAM,KAAK,GAAG,SAAS,GAAG,aAAa,CAAA;AAE7C,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,KAAK,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;IACd,oEAAoE;IACpE,UAAU,CAAC,EAAE;QACX,OAAO,EAAE,MAAM,CAAA;QACf,eAAe,EAAE,MAAM,CAAA;QACvB,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAA;CACnD;AA+BD,wBAAsB,UAAU,CAC9B,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CA6FnC"}
|
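--- a/package/dist/auth.js
+++ b/package/dist/auth.js
@@ -1,15 +1,51 @@
 /**
 * Per-request key extraction + scope routing.
 *
-* Accepts either:
+* Accepts either of:
 * Authorization: Bearer pk_live_… (or dk_live_…)
 * X-Partner-Key: pk_live_…
 * X-Distributor-Key: dk_live_…
+* Authorization: Bearer <JWT> (#374 OAuth Phase 4)
+*
+* JWT path: lazy-loads @baref00t/mcp-oauth (hosted-only, optional peer
+* dep), verifies the JWT, returns a synthetic apiKey carrying the
+* partner/distributor id so downstream tool dispatch + audit log keep
+* working without per-handler awareness of the auth source.
 *
 * Validates the prefix against the runtime-configurable allow-list
 * (`MCPAllowedKeyPrefixes` in KV). Unknown prefix → 401.
 */
 import { getConfig } from './config.js';
+import { env } from './env.js';
+import { logger } from './logger.js';
+function looksLikeJwt(raw) {
+return raw.split('.').length === 3 && raw.length > 50;
+}
+let _oauthVerifyLoaded = null;
+async function tryLoadOAuth() {
+if (_oauthVerifyLoaded === 'unavailable')
+return null;
+if (_oauthVerifyLoaded)
+return _oauthVerifyLoaded;
+try {
+const mod = await import('@baref00t/mcp-oauth');
+// initOAuthConfig is idempotent. server.ts calls it on the metadata
+// path; if a JWT-authed request arrives first, we init here too.
+mod.initOAuthConfig({
+issuer: env().MCP_OAUTH_ISSUER,
+kvName: env().KV_NAME ?? null,
+entraClientId: process.env['AZURE_AD_CLIENT_ID'],
+entraClientSecret: process.env['AZURE_AD_CLIENT_SECRET'],
+entraTenantId: process.env['BAREF00T_ENTRA_TENANT_ID'] ?? 'common',
+});
+_oauthVerifyLoaded = mod;
+return mod;
+}
+catch {
+_oauthVerifyLoaded = 'unavailable';
+return null;
+}
+}
 export async function extractKey(req) {
 const auth = req.headers['authorization'];
 const partnerHdr = req.headers['x-partner-key'];
@@ -35,7 +71,49 @@ export async function extractKey(req) {
 },
 };
 }
-//
+// ── OAuth JWT path (#374 Phase 4) ─────────────────────────────────────
+// Tried before the prefix check — JWTs don't have a pk_/dk_ prefix and
+// would otherwise fail the allow-list. Only when the OAuth module is
+// available (hosted deployment) AND the feature flag is on do we try.
+if (looksLikeJwt(raw)) {
+const config = await getConfig();
+if (config.featureFlags['MCPOAuthEnabled'] === true) {
+const oauth = await tryLoadOAuth();
+if (oauth) {
+try {
+const claims = await oauth.verifyMcpJwt(raw, `${env().MCP_OAUTH_ISSUER}/mcp`);
+const scope = claims.scope.includes('mcp:distributor') ? 'distributor' : 'partner';
+return {
+scope,
+// Synthetic apiKey carrying partner/distributor id — downstream
+// code that hashes the apiKey (audit, rate-limit) keeps working;
+// tool handlers don't care about its actual value.
+apiKey: `__oauth__${claims.partnerId}__${claims.grantId}`,
+oauthGrant: {
+grantId: claims.grantId,
+memberEmailHash: claims.memberEmailHash,
+clientId: claims.clientId,
+},
+};
+}
+catch (err) {
+logger().debug({ err: err instanceof Error ? err.message : String(err) }, 'extractKey: JWT verification failed');
+return {
+status: 401,
+body: {
+error: {
+code: 'INVALID_TOKEN',
+message: 'Bearer token is not a valid baref00t-issued JWT (signature/exp/grant check failed).',
+},
+},
+};
+}
+}
+}
+// OAuth disabled or module unavailable — fall through. The token
+// doesn't match any pk_/dk_ prefix so we'll reject below.
+}
+// ── Existing API-key prefix path ─────────────────────────────────────
 const config = await getConfig();
 const lower = raw.toLowerCase();
 const allowed = config.allowedKeyPrefixes.find((p) => lower.startsWith(p));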
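Review bot: The scope derivation on new line 85 of `extractKey` fails open: any token that passes `verifyMcpJwt` but does not carry `mcp:distributor` is treated as `partner`, including one whose scope claim is empty or unrelated. Unless `verifyMcpJwt` already rejects such tokens (not visible here), the partner scope should be matched explicitly and every other value answered with the existing `INVALID_TOKEN` 401. `claims.scope.includes(...)` is also a substring test when `scope` is a space-delimited string rather than an array, so normalise it first, e.g. `const scopes = Array.isArray(claims.scope) ? claims.scope : String(claims.scope).split(' ');`. Separately, `tryLoadOAuth` swallows every exception from the import and from `initOAuthConfig` without logging and caches `'unavailable'` for the life of the process, so a configuration error silently turns every JWT login into a prefix-check 401; log the error the way `loadOAuthModule` in server.js does. `extractKey` begins before and continues after both hunks.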
package/dist/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAoBpC,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;AACvD,CAAC;AAGD,IAAI,kBAAkB,GAAoC,IAAI,CAAA;AAE9D,KAAK,UAAU,YAAY;IACzB,IAAI,kBAAkB,KAAK,aAAa;QAAE,OAAO,IAAI,CAAA;IACrD,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAA;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;QAC/C,oEAAoE;QACpE,iEAAiE;QACjE,GAAG,CAAC,eAAe,CAAC;YAClB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB;YAC9B,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,IAAI,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAChD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YACxD,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,QAAQ;SACnE,CAAC,CAAA;QACF,kBAAkB,GAAG,GAAG,CAAA;QACxB,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB,GAAG,aAAa,CAAA;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAoB;IAEpB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;IACzC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAEvD,IAAI,GAAuB,CAAA;IAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACzE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC1C,GAAG,GAAG,UAAU,CAAC,IAAI,EAAE,CAAA;IACzB,CAAC;SAAM,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC9C,GAAG,GAAG,cAAc,CAAC,IAAI,EAAE,CAAA;IAC7B,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EACL,8GAA8G;iBACjH;aACF;SACF,CAAA;IACH,CAAC;IAED,yEAAyE;IACzE,uEAAuE;IACvE,qEAAqE;IACrE,sEAAsE;IACtE,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;QAChC,IAAI,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,
KAAK,GAAG,MAAM,YAAY,EAAE,CAAA;YAClC,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC,gBAAgB,MAAM,CAAC,CAAA;oBAC7E,MAAM,KAAK,GAAU,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAA;oBACzF,OAAO;wBACL,KAAK;wBACL,gEAAgE;wBAChE,iEAAiE;wBACjE,mDAAmD;wBACnD,MAAM,EAAE,YAAY,MAAM,CAAC,SAAS,KAAK,MAAM,CAAC,OAAO,EAAE;wBACzD,UAAU,EAAE;4BACV,OAAO,EAAE,MAAM,CAAC,OAAO;4BACvB,eAAe,EAAE,MAAM,CAAC,eAAe;4BACvC,QAAQ,EAAE,MAAM,CAAC,QAAQ;yBAC1B;qBACF,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,MAAM,EAAE,CAAC,KAAK,CACZ,EAAE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzD,qCAAqC,CACtC,CAAA;oBACD,OAAO;wBACL,MAAM,EAAE,GAAG;wBACX,IAAI,EAAE;4BACJ,KAAK,EAAE;gCACL,IAAI,EAAE,eAAe;gCACrB,OAAO,EAAE,qFAAqF;6BAC/F;yBACF;qBACF,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,iEAAiE;QACjE,0DAA0D;IAC5D,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,OAAO,EACL,4DAA4D;wBAC5D,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;iBACvC;aACF;SACF,CAAA;IACH,CAAC;IAED,kEAAkE;IAClE,MAAM,KAAK,GAAU,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,CAAA;IAC1E,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAA;AAC/B,CAAC"}
|
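--- a/package/dist/env.d.ts
+++ b/package/dist/env.d.ts
@@ -17,11 +17,22 @@ declare const envSchema: z.ZodObject<{
 KV_NAME: z.ZodOptional<z.ZodString>;
 APPLICATIONINSIGHTS_CONNECTION_STRING: z.ZodOptional<z.ZodString>;
 BAREF00T_API_BASE: z.ZodDefault<z.ZodString>;
+/**
+* OAuth issuer URL — appears verbatim in JWT `iss` claim, AS metadata's
+* `issuer`, and the JWKS URI base. RFC 8414 requires identical-string
+* comparison so this MUST match across environments (no trailing slash;
+* no path component).
+* prod: https://mcp.baref00t.io
+* staging: https://mcp.sandbox.baref00t.io
+* local: http://localhost:8080
+*/
+MCP_OAUTH_ISSUER: z.ZodDefault<z.ZodString>;
 ENVIRONMENT: z.ZodDefault<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
 NODE_ENV: "development" | "production" | "test";
 PORT: number;
 BAREF00T_API_BASE: string;
+MCP_OAUTH_ISSUER: string;
 ENVIRONMENT: string;
 AZURE_CLIENT_ID?: string | undefined;
 KV_NAME?: string | undefined;
@@ -33,6 +44,7 @@ declare const envSchema: z.ZodObject<{
 KV_NAME?: string | undefined;
 APPLICATIONINSIGHTS_CONNECTION_STRING?: string | undefined;
 BAREF00T_API_BASE?: string | undefined;
+MCP_OAUTH_ISSUER?: string | undefined;
 ENVIRONMENT?: string | undefined;
 }>;
 export type McpEnv = z.infer<typeof envSchema>;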
package/dist/env.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,SAAS
|
|
1
|
+
{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,SAAS;;;;;;;IAcb;;;;;;;;OAQG;;;;;;;;;;;;;;;;;;;;;EAOH,CAAA;AAEF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA;AAI9C,wBAAgB,GAAG,IAAI,MAAM,CAU5B"}
|
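--- a/package/dist/env.js
+++ b/package/dist/env.js
@@ -20,6 +20,19 @@ const envSchema = z.object({
 .string()
 .url()
 .default('https://api.baref00t.io'),
+/**
+* OAuth issuer URL — appears verbatim in JWT `iss` claim, AS metadata's
+* `issuer`, and the JWKS URI base. RFC 8414 requires identical-string
+* comparison so this MUST match across environments (no trailing slash;
+* no path component).
+* prod: https://mcp.baref00t.io
+* staging: https://mcp.sandbox.baref00t.io
+* local: http://localhost:8080
+*/
+MCP_OAUTH_ISSUER: z
+.string()
+.url()
+.default('http://localhost:8080'),
 ENVIRONMENT: z.string().default('local'),
 });
 let _env = null;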
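Review bot: The `MCP_OAUTH_ISSUER` default of `http://localhost:8080` lets a hosted deployment that omits the variable start cleanly with a cleartext localhost issuer, and auth.js passes this value with `/mcp` appended as the expected audience to `verifyMcpJwt`. `.url()` also does not enforce the "no trailing slash; no path component" rule the comment states, so `https://mcp.baref00t.io/` would produce an audience ending in `//mcp`. I would add `.refine((u) => new URL(u).pathname === '/' && !u.endsWith('/'), 'issuer must be an origin with no trailing slash')` and require an `https:` value whenever `NODE_ENV` is `production`. The enclosing `z.object({` call starts outside the hunk.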
package/dist/env.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7E,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7D,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IACrF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,yCAAyC,CAAC;IAEzF,qCAAqC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5D,iBAAiB,EAAE,CAAC;SACjB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,yBAAyB,CAAC;IAErC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CACzC,CAAC,CAAA;AAIF,IAAI,IAAI,GAAkB,IAAI,CAAA;AAE9B,MAAM,UAAU,GAAG;IACjB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACrF,MAAM,IAAI,KAAK,CAAC,CAAC,yBAAyB,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACnE,CAAC;QACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
|
|
1
|
+
{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7E,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7D,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IACrF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,yCAAyC,CAAC;IAEzF,qCAAqC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5D,iBAAiB,EAAE,CAAC;SACjB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,yBAAyB,CAAC;IAErC;;;;;;;;OAQG;IACH,gBAAgB,EAAE,CAAC;SAChB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,uBAAuB,CAAC;IAEnC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CACzC,CAAC,CAAA;AAIF,IAAI,IAAI,GAAkB,IAAI,CAAA;AAE9B,MAAM,UAAU,GAAG;IACjB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACrF,MAAM,IAAI,KAAK,CAAC,CAAC,yBAAyB,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACnE,CAAC;QACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
|
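--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -32,9 +32,33 @@ import { env } from './env.js';
 import { logger } from './logger.js';
 import { initTelemetry } from './telemetry.js';
 import { extractKey } from './auth.js';
+import { getConfig } from './config.js';
 import { keyHashShort } from './sdkCache.js';
 import { callTool, listToolsForScope } from './registry.js';
 import { registerAllTools } from './tools/index.js';
+let _oauthModule = null;
+async function loadOAuthModule() {
+if (_oauthModule === 'unavailable')
+return null;
+if (_oauthModule)
+return _oauthModule;
+try {
+_oauthModule = await import('@baref00t/mcp-oauth');
+_oauthModule.initOAuthConfig({
+issuer: env().MCP_OAUTH_ISSUER,
+kvName: env().KV_NAME ?? null,
+entraClientId: process.env['AZURE_AD_CLIENT_ID'],
+entraClientSecret: process.env['AZURE_AD_CLIENT_SECRET'],
+entraTenantId: process.env['BAREF00T_ENTRA_TENANT_ID'] ?? 'common',
+});
+return _oauthModule;
+}
+catch (err) {
+logger().info({ err: err instanceof Error ? err.message : String(err) }, '@baref00t/mcp-oauth not available — OAuth disabled (header-key auth only)');
+_oauthModule = 'unavailable';
+return null;
+}
+}
 const SDK_NAME = 'baref00t-mcp-server';
 /**
 * Read version dynamically from this package's package.json so the
@@ -104,6 +128,32 @@ async function handleRequest(req, res) {
 res.end(JSON.stringify({ status: ok ? 'ready' : 'not_ready', tools: allTools().length }));
 return;
 }
+// ── OAuth 2.1 (hosted-only, gated on MCPOAuthEnabled feature flag) ────────
+// Delegates the entire OAuth surface to @baref00t/mcp-oauth. That package
+// is private and only resolved at the hosted deployment via workspace link
+// — self-hosters never load it, the dynamic import returns null, the
+// routes return 404 / fall through.
+const isOAuthPath = url.pathname.startsWith('/.well-known/oauth-') ||
+url.pathname === '/.well-known/jwks.json' ||
+url.pathname.startsWith('/oauth/');
+if (isOAuthPath) {
+const config = await getConfig();
+if (config.featureFlags['MCPOAuthEnabled'] !== true) {
+res.writeHead(404, { 'Content-Type': 'application/json' });
+res.end(JSON.stringify({ error: { code: 'NOT_FOUND', message: 'OAuth not enabled' } }));
+return;
+}
+const oauth = await loadOAuthModule();
+if (!oauth) {
+res.writeHead(503, { 'Content-Type': 'application/json' });
+res.end(JSON.stringify({ error: { code: 'OAUTH_UNAVAILABLE', message: '@baref00t/mcp-oauth not installed' } }));
+return;
+}
+const handled = await oauth.handleOAuthRequest(req, res, url);
+if (handled)
+return;
+// The OAuth module didn't recognise it — fall through to 404 below.
+}
 if (url.pathname !== '/mcp') {
 res.writeHead(404, { 'Content-Type': 'application/json' });
 res.end(JSON.stringify({ error: { code: 'NOT_FOUND', message: 'POST /mcp' } }));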
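Review bot: `loadOAuthModule` (new lines 47–53) reads `AZURE_AD_CLIENT_ID`, `AZURE_AD_CLIENT_SECRET` and `BAREF00T_ENTRA_TENANT_ID` straight from `process.env`, bypassing the zod schema in env.js, so a missing client secret reaches `initOAuthConfig` as `undefined` and an unset tenant silently becomes `'common'`. If the module uses that value as the Entra authority (not visible here), `'common'` admits sign-ins from any Microsoft tenant and leaves authorization entirely to the grant check; that choice deserves a comment such as `// 'common' = any-tenant sign-in; access is decided by the grant, not the tenant`. Declaring the three variables in `envSchema` and rejecting an incomplete set before `initOAuthConfig` is called would surface misconfiguration at startup rather than at first login. The same block is duplicated in `tryLoadOAuth` in auth.js, so the two copies can drift; a single shared loader would avoid that. The comment above `isOAuthPath` says the routes return 404 when the module is absent, while the code answers 503.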
package/dist/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAA;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAA;AAClE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAA;AAClG,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAA;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAA;AAClE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAA;AAClG,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAYnD,IAAI,YAAY,GAAuC,IAAI,CAAA;AAE3D,KAAK,UAAU,eAAe;IAC5B,IAAI,YAAY,KAAK,aAAa;QAAE,OAAO,IAAI,CAAA;IAC/C,IAAI,YAAY;QAAE,OAAO,YAAY,CAAA;IACrC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;QAClD,YAAY,CAAC,eAAe,CAAC;YAC3B,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB;YAC9B,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,IAAI,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAChD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YACxD,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,QAAQ;SACnE,CAAC,CAAA;QACF,OAAO,YAAY,CAAA;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,EAAE,CAAC,IAAI,CACX,EAAE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzD,2EAA2E,CAC5E,CAAA;QACD,YAAY,GAAG,aAAa,CAAA;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,MAAM,QAAQ,GAAG,qBAAqB,CAAA;AACtC;;;;;;;;;;GAUG;AACH,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAyB,CAAA;QAC7E,OAAO,GAAG,CAAC,OAAO,IAAI,eAAe,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,eAAe,CAAA;IACxB,CAAC;AACH,CAAC;AACD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAA;AAEpC,KAAK,UAAU,IAAI;IACjB,MAAM,CAAC,GAAG,GAAG,E
AAE,CAAA;IACf,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IAEpB,MAAM,aAAa,EAAE,CAAA;IACrB,gBAAgB,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAA;IAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE;QACzB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,sBAAsB,CAAC,CAAA;IACxE,CAAC,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,CAAC,MAAc,EAAE,EAAE;QAClC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,+BAA+B,CAAC,CAAA;QACrD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;QACnC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,CAAA;IACnD,CAAC,CAAA;IACD,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAA;IAChD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAoB,EAAE,GAAmB;IACpE,MAAM,SAAS,GAAG,UAAU,EAAE,CAAA;IAC9B,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IAExC,uEAAuE;IACvE,2CAA2C;IAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACjB,6BAA6B,EAAE,GAAG;YAClC,8BAA8B,EAAE,oBAAoB;YACpD,8BAA8B,EAC5B,+EAA+E;YACjF,wBAAwB,EAAE,OAAO;SAClC,CAAC,CAAA;QACF,GAAG,CAAC,GAAG,EAAE,CAAA;QACT,OAAM;IACR,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAA;IAEhF,IAAI,GAAG,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAChC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,CAAA;QAClF,OAAM;IACR,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC/B,8EAA8E;QAC9E,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;QAClD,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC,MAAM,GAAG,CAAC,CAAA;QAChC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QACrE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,EAA
E,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;QACzF,OAAM;IACR,CAAC;IAED,6EAA6E;IAC7E,0EAA0E;IAC1E,2EAA2E;IAC3E,qEAAqE;IACrE,oCAAoC;IACpC,MAAM,WAAW,GACf,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,qBAAqB,CAAC;QAC9C,GAAG,CAAC,QAAQ,KAAK,wBAAwB;QACzC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAA;IACpC,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;QAChC,IAAI,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC;YACpD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;YAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC,CAAA;YACvF,OAAM;QACR,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,eAAe,EAAE,CAAA;QACrC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;YAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,mCAAmC,EAAE,EAAE,CAAC,CAAC,CAAA;YAC/G,OAAM;QACR,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAC7D,IAAI,OAAO;YAAE,OAAM;QACnB,oEAAoE;IACtE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC5B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,CAAA;QAC/E,OAAM;IACR,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;QACpB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QACjE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;QACjC,OAAM;IACR,CAAC;IAED,uEAAuE;IACvE,MAAM,GAAG,GAAG,IAAI,MAAM,CACpB,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,EACxC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAA;IAED,8DAA8D;IAC9D,GAAG,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAChD,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,GAAG,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE
;QACxD,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,CAAA;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YACvE,OAAO;gBACL,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;iBACxD;aACF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aAC3C,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,sEAAsE;IACtE,mEAAmE;IACnE,mEAAmE;IACnE,wEAAwE;IACxE,mEAAmE;IACnE,yDAAyD;IACzD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;QAClD,kBAAkB,EAAE,SAAS;QAC7B,kBAAkB,EAAE,IAAI;KACzB,CAAC,CAAA;IACF,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;IAE5B,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAEvC,MAAM,EAAE,CAAC,KAAK,CACZ;QACE,SAAS;QACT,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC;KAClC,EACD,qBAAqB,CACtB,CAAA;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
|
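--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@baref00t/mcp-server",
-"version": "0.
+"version": "0.5.0",
 "description": "Hosted multi-tenant MCP (Model Context Protocol) server for the baref00t Partner + Distributor APIs",
 "license": "Apache-2.0",
 "homepage": "https://github.com/becloudsmart-com/baref00t/tree/main/packages/mcp-server",
@@ -39,6 +39,7 @@
 "@azure/monitor-opentelemetry": "^1.9.0",
 "@baref00t/sdk": "^0.7.0",
 "@modelcontextprotocol/sdk": "1.29.0",
+"jose": "^5.9.6",
 "lru-cache": "^11.0.2",
 "pino": "^9.5.0",
 "zod": "^3.23.8",
@@ -49,7 +50,17 @@
 "tsx": "^4.19.2",
 "typescript": "^5.6.3",
 "vitest": "^2.1.5",
-"eslint": "^9.15.0"
+"eslint": "^9.15.0",
+"@baref00t/mcp-oauth": "2.0.0-dev"
+},
+"//peerDependencies-note": "OAuth is hosted-only. The published @baref00t/mcp-server does not pull @baref00t/mcp-oauth (private package). Self-hosters get header-key auth only. Hosted mcp.baref00t.io resolves it via the monorepo workspace link, dynamic import below succeeds, OAuth lights up.",
+"peerDependencies": {
+"@baref00t/mcp-oauth": "*"
+},
+"peerDependenciesMeta": {
+"@baref00t/mcp-oauth": {
+"optional": true
+}
 },
 "scripts": {
 "dev": "tsx watch src/server.ts",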
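Review bot: The peer range `"@baref00t/mcp-oauth": "*"` accepts any version of the module that verifies bearer tokens and serves the OAuth endpoints, so whatever copy resolves at runtime is loaded by the dynamic `import('@baref00t/mcp-oauth')` in auth.js and server.js with no compatibility bound. A bounded range tied to the line this release was built against, e.g. `"@baref00t/mcp-oauth": ">=2.0.0-dev <3"`, would make an unexpected major fail at install time instead of at the first JWT. `jose` is also added to `dependencies` although none of the dist hunks on this page import it; if only the private OAuth package uses it, it belongs in that package's manifest rather than in every self-hoster's install tree.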