@connexa/mcp-oauth-firebase-middleware 1.0.0 → 1.0.2

package/lib/authorize.js

@@ -6,6 +6,7 @@
 const { generateSecureToken } = require('./pkce');
 const { authenticateUser } = require('./firebase-client');
 const storage = require('./storage');
+const tokenCache = require('./token-cache');
 
 /**
  * Create authorization endpoint handler
@@ -52,16 +53,29 @@ function createAuthorizeHandler(config) {
       const email = config.clientEmail || client_id;
       const password = config.clientSecret;
 
+      console.log('[DEBUG] Authorize endpoint - email:', email, 'has password:', !!password);
+
       if (!password) {
         return sendError(res, 'server_error', 'Client authentication configuration missing');
       }
 
       let authResult;
-      try {
-        authResult = await authenticateUser(email, password);
-      } catch (error) {
-        console.error('Firebase auth error in authorize:', error.message);
-        return sendError(res, 'access_denied', 'Authentication failed');
+      
+      // Check token cache first to avoid hitting Firebase quota
+      const cachedAuth = tokenCache.get(email);
+      if (cachedAuth) {
+        console.log('[DEBUG] Using cached token for:', email);
+        authResult = cachedAuth;
+      } else {
+        console.log('[DEBUG] No cached token, authenticating with Firebase for:', email);
+        try {
+          authResult = await authenticateUser(email, password);
+          // Cache the result for future requests
+          tokenCache.set(email, authResult);
+        } catch (error) {
+          console.error('Firebase auth error in authorize:', error.message, error.code);
+          return sendError(res, 'access_denied', 'Authentication failed');
+        }
       }
 
       // Generate authorization code

package/lib/firebase-client.js

@@ -3,6 +3,7 @@
  * Handles Firebase Auth operations for OAuth flows
  */
 
+const path = require('path');
 const { initializeApp } = require('firebase/app');
 const { getAuth, signInWithEmailAndPassword } = require('firebase/auth');
 const admin = require('firebase-admin');
@@ -35,8 +36,11 @@ function initializeFirebaseAdmin(config) {
     if (process.env.K_SERVICE) {
       admin.initializeApp();
     } else if (config.serviceAccountPath) {
-      // Use service account file
-      const serviceAccount = require(config.serviceAccountPath);
+      // Use service account file - resolve relative paths from project root
+      const absolutePath = path.isAbsolute(config.serviceAccountPath) 
+        ? config.serviceAccountPath 
+        : path.resolve(process.cwd(), config.serviceAccountPath);
+      const serviceAccount = require(absolutePath);
       admin.initializeApp({
         credential: admin.credential.cert(serviceAccount),
         projectId: config.projectId

package/lib/token-cache.js

@@ -0,0 +1,148 @@
+/**
+ * Token Cache
+ * Caches Firebase ID tokens by user email to reduce authentication calls
+ * Helps avoid hitting Firebase quota limits during testing
+ * Uses file-based storage for cross-process sharing
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+class TokenCache {
+  constructor() {
+    this.cache = new Map();
+    this.cacheFile = path.join(os.tmpdir(), 'firebase-token-cache.json');
+    this.loadFromFile();
+  }
+
+  /**
+   * Load cache from file (for cross-process sharing)
+   */
+  loadFromFile() {
+    try {
+      if (fs.existsSync(this.cacheFile)) {
+        const data = fs.readFileSync(this.cacheFile, 'utf8');
+        const parsed = JSON.parse(data);
+        
+        // Clear existing cache and load from file (file is source of truth)
+        this.cache.clear();
+        
+        // Restore Map from object
+        Object.keys(parsed).forEach(email => {
+          // Check if not expired
+          if (Date.now() < parsed[email].expiresAt) {
+            this.cache.set(email, parsed[email]);
+          }
+        });
+      } else {
+        // No file exists, start with empty cache
+        this.cache.clear();
+      }
+    } catch (error) {
+      // Ignore errors, will create new cache
+      console.warn('Failed to load token cache from file:', error.message);
+    }
+  }
+
+  /**
+   * Save cache to file (for cross-process sharing)
+   */
+  saveToFile() {
+    try {
+      const obj = {};
+      this.cache.forEach((value, key) => {
+        obj[key] = value;
+      });
+      fs.writeFileSync(this.cacheFile, JSON.stringify(obj), 'utf8');
+    } catch (error) {
+      console.warn('Failed to save token cache to file:', error.message);
+    }
+  }
+
+  /**
+   * Store Firebase authentication result
+   * @param {string} email - User email
+   * @param {Object} authResult - Firebase auth result
+   * @param {string} authResult.idToken - Firebase ID token
+   * @param {string} authResult.refreshToken - Firebase refresh token
+   * @param {Object} authResult.user - User object with uid, email
+   * @param {number} ttl - Time to live in milliseconds (default 50 minutes, tokens expire in 1 hour)
+   */
+  set(email, authResult, ttl = 50 * 60 * 1000) {
+    this.cache.set(email, {
+      idToken: authResult.idToken,
+      refreshToken: authResult.refreshToken,
+      user: authResult.user,
+      expiresAt: Date.now() + ttl
+    });
+    this.saveToFile(); // Persist to file for cross-process sharing
+  }
+
+  /**
+   * Retrieve cached authentication result
+   * @param {string} email - User email
+   * @returns {Object|null} - Cached auth result or null if not found/expired
+   */
+  get(email) {
+    // Reload from file to get latest from other processes
+    this.loadFromFile();
+    
+    const cached = this.cache.get(email);
+    
+    if (!cached) {
+      console.log(`[CACHE] No cached token found for: ${email}`);
+      return null;
+    }
+
+    // Check if expired
+    if (Date.now() > cached.expiresAt) {
+      console.log(`[CACHE] Cached token expired for: ${email}`);
+      this.cache.delete(email);
+      this.saveToFile();
+      return null;
+    }
+
+    console.log(`[CACHE] Returning cached token for: ${email} (expires: ${new Date(cached.expiresAt).toISOString()})`);
+    return cached;
+  }
+
+  /**
+   * Clear cached token for a user
+   * @param {string} email - User email
+   */
+  clear(email) {
+    console.log(`[CACHE] Clearing token for: ${email}`);
+    this.cache.delete(email);
+    this.saveToFile();
+    console.log(`[CACHE] Token cleared and file saved. Cache size: ${this.cache.size}`);
+  }
+
+  /**
+   * Clear all cached tokens
+   */
+  clearAll() {
+    this.cache.clear();
+    try {
+      if (fs.existsSync(this.cacheFile)) {
+        fs.unlinkSync(this.cacheFile);
+      }
+    } catch (error) {
+      console.warn('Failed to delete cache file:', error.message);
+    }
+  }
+
+  /**
+   * Check if token exists and is valid
+   * @param {string} email - User email
+   * @returns {boolean}
+   */
+  has(email) {
+    return this.get(email) !== null;
+  }
+}
+
+// Singleton instance
+const tokenCache = new TokenCache();
+
+module.exports = tokenCache;

package/lib/token.js

@@ -6,6 +6,7 @@
 const { validatePKCE } = require('./pkce');
 const { authenticateUser, refreshTokens } = require('./firebase-client');
 const storage = require('./storage');
+const tokenCache = require('./token-cache');
 
 /**
  * Create token endpoint handler
@@ -13,6 +14,7 @@ const storage = require('./storage');
 function createTokenHandler(config) {
   return async (req, res) => {
     try {
+      console.log('[DEBUG] Token endpoint called with body:', JSON.stringify(req.body, null, 2));
       const { grant_type } = req.body;
 
       if (!grant_type) {
@@ -45,30 +47,43 @@ async function handleAuthorizationCodeGrant(req, res, config) {
     redirect_uri
   } = req.body;
 
+  console.log('[DEBUG] Token exchange request:', { 
+    has_code: !!code, 
+    has_client_id: !!client_id, 
+    has_code_verifier: !!code_verifier, 
+    has_redirect_uri: !!redirect_uri 
+  });
+
   // Validate required parameters
   if (!code || !client_id || !code_verifier || !redirect_uri) {
+    console.log('[DEBUG] Missing parameters:', { code: !!code, client_id: !!client_id, code_verifier: !!code_verifier, redirect_uri: !!redirect_uri });
     return sendError(res, 400, 'invalid_request', 'Missing required parameters');
   }
 
   // Retrieve and consume authorization code
   const codeData = storage.consume(code);
+  console.log('[DEBUG] Code data retrieved:', { found: !!codeData, data: codeData ? { ...codeData, codeChallenge: '***' } : null });
 
   if (!codeData) {
+    console.log('[DEBUG] Code not found or expired');
     return sendError(res, 400, 'invalid_grant', 'Invalid or expired authorization code');
   }
 
   // Validate client_id matches
   if (codeData.clientId !== client_id) {
+    console.log('[DEBUG] client_id mismatch:', { expected: codeData.clientId, received: client_id });
     return sendError(res, 400, 'invalid_grant', 'client_id mismatch');
   }
 
   // Validate redirect_uri matches
   if (codeData.redirectUri !== redirect_uri) {
+    console.log('[DEBUG] redirect_uri mismatch:', { expected: codeData.redirectUri, received: redirect_uri });
     return sendError(res, 400, 'invalid_grant', 'redirect_uri mismatch');
   }
 
   // Validate PKCE
   try {
+    console.log('[DEBUG] Validating PKCE with method:', codeData.codeChallengeMethod);
     const isValid = validatePKCE(
       code_verifier,
       codeData.codeChallenge,
@@ -76,9 +91,12 @@ async function handleAuthorizationCodeGrant(req, res, config) {
     );
 
     if (!isValid) {
+      console.log('[DEBUG] PKCE validation returned false');
       return sendError(res, 400, 'invalid_grant', 'PKCE validation failed');
     }
+    console.log('[DEBUG] PKCE validation passed');
   } catch (error) {
+    console.log('[DEBUG] PKCE validation error:', error.message);
     return sendError(res, 400, 'invalid_grant', error.message);
   }
 
@@ -88,11 +106,22 @@ async function handleAuthorizationCodeGrant(req, res, config) {
   const password = config.clientSecret;
 
   let authResult;
-  try {
-    authResult = await authenticateUser(email, password);
-  } catch (error) {
-    console.error('Firebase auth error in token exchange:', error.message);
-    return sendError(res, 400, 'invalid_grant', 'Failed to issue tokens');
+  
+  // Check token cache first to avoid hitting Firebase quota
+  const cachedAuth = tokenCache.get(email);
+  if (cachedAuth) {
+    console.log('[DEBUG] Token endpoint: Using cached token for:', email);
+    authResult = cachedAuth;
+  } else {
+    console.log('[DEBUG] Token endpoint: No cached token, authenticating with Firebase for:', email);
+    try {
+      authResult = await authenticateUser(email, password);
+      // Cache the result for future requests
+      tokenCache.set(email, authResult);
+    } catch (error) {
+      console.error('Firebase auth error in token exchange:', error.message);
+      return sendError(res, 400, 'invalid_grant', 'Failed to issue tokens');
+    }
   }
 
   // Return tokens
@@ -141,6 +170,7 @@ async function handleRefreshTokenGrant(req, res, config) {
  * Send error response
  */
 function sendError(res, statusCode, error, errorDescription) {
+  console.error(`[TOKEN ERROR] ${statusCode} - ${error}: ${errorDescription}`);
   res.status(statusCode).json({
     error,
     error_description: errorDescription

package/middleware/validate-token.js

@@ -19,10 +19,11 @@ function validateToken(options = {}) {
     const authHeader = req.headers.authorization;
 
     if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      res.set('WWW-Authenticate', 'Bearer realm="MCP Server"');
       return res.status(401).json({
         error: 'unauthorized',
         error_description: 'Missing or invalid Authorization header'
-      }).set('WWW-Authenticate', 'Bearer realm="MCP Server"');
+      });
     }
 
     const token = authHeader.substring(7); // Remove 'Bearer ' prefix
@@ -89,10 +90,11 @@ function validateToken(options = {}) {
       })
       .catch(error => {
         console.error('Token validation failed:', error.message);
+        res.set('WWW-Authenticate', 'Bearer realm="MCP Server", error="invalid_token"');
         return res.status(401).json({
           error: 'invalid_token',
           error_description: 'Token validation failed'
-        }).set('WWW-Authenticate', 'Bearer realm="MCP Server", error="invalid_token"');
+        });
       });
   };
 }

package/package.json

@@ -1,13 +1,16 @@
 {
   "name": "@connexa/mcp-oauth-firebase-middleware",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "OAuth 2.0 middleware for MCP servers using Firebase Auth backend",
   "private": false,
   "main": "lib/index.js",
   "scripts": {
     "start": "node server.js",
     "dev": "node server.js",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "jest --runInBand --verbose",
+    "test:watch": "jest --watch",
+    "test:coverage": "jest --coverage",
+    "test:server": "node test/mcp-test-server.js"
   },
   "keywords": [
     "oauth",
@@ -19,14 +22,14 @@
     "middleware",
     "pkce"
   ],
-  "author": "",
+  "author": "Connexa",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/yourusername/mcp-oauth-firebase-middleware"
+    "url": "git+https://github.com/connexa/mcp-oauth-firebase-middleware.git"
   },
   "publishConfig": {
-    "access": "restricted"
+    "access": "public"
   },
   "files": [
     "lib/",
@@ -38,12 +41,28 @@
     "firebase-admin": "^12.0.0"
   },
   "peerDependencies": {
-    "express": "^4.18.0"
+    "express": "^4.18.0 || ^5.0.0"
   },
   "devDependencies": {
-    "express": "^4.18.2",
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "axios": "^1.13.2",
+    "cors": "^2.8.5",
     "dotenv": "^16.3.1",
-    "cors": "^2.8.5"
+    "express": "^4.18.2",
+    "jest": "^29.7.0"
+  },
+  "jest": {
+    "testEnvironment": "node",
+    "testTimeout": 10000,
+    "testMatch": [
+      "**/test/integration/**/*.test.js"
+    ],
+    "setupFilesAfterEnv": [
+      "<rootDir>/test/setup/jest.setup.js"
+    ],
+    "verbose": true,
+    "forceExit": true,
+    "detectOpenHandles": true
   },
   "engines": {
     "node": ">=18.0.0"