@connexa/mcp-oauth-firebase-middleware 1.0.0

package/lib/token.js

@@ -0,0 +1,150 @@
+/**
+ * OAuth Token Endpoint
+ * Handles token exchange and refresh flows
+ */
+
+const { validatePKCE } = require('./pkce');
+const { authenticateUser, refreshTokens } = require('./firebase-client');
+const storage = require('./storage');
+
+/**
+ * Create token endpoint handler
+ */
+function createTokenHandler(config) {
+  return async (req, res) => {
+    try {
+      const { grant_type } = req.body;
+
+      if (!grant_type) {
+        return sendError(res, 400, 'invalid_request', 'Missing grant_type');
+      }
+
+      if (grant_type === 'authorization_code') {
+        return handleAuthorizationCodeGrant(req, res, config);
+      } else if (grant_type === 'refresh_token') {
+        return handleRefreshTokenGrant(req, res, config);
+      } else {
+        return sendError(res, 400, 'unsupported_grant_type', `Grant type ${grant_type} not supported`);
+      }
+
+    } catch (error) {
+      console.error('Token endpoint error:', error);
+      return sendError(res, 500, 'server_error', 'Internal server error');
+    }
+  };
+}
+
+/**
+ * Handle authorization code grant
+ */
+async function handleAuthorizationCodeGrant(req, res, config) {
+  const {
+    code,
+    client_id,
+    code_verifier,
+    redirect_uri
+  } = req.body;
+
+  // Validate required parameters
+  if (!code || !client_id || !code_verifier || !redirect_uri) {
+    return sendError(res, 400, 'invalid_request', 'Missing required parameters');
+  }
+
+  // Retrieve and consume authorization code
+  const codeData = storage.consume(code);
+
+  if (!codeData) {
+    return sendError(res, 400, 'invalid_grant', 'Invalid or expired authorization code');
+  }
+
+  // Validate client_id matches
+  if (codeData.clientId !== client_id) {
+    return sendError(res, 400, 'invalid_grant', 'client_id mismatch');
+  }
+
+  // Validate redirect_uri matches
+  if (codeData.redirectUri !== redirect_uri) {
+    return sendError(res, 400, 'invalid_grant', 'redirect_uri mismatch');
+  }
+
+  // Validate PKCE
+  try {
+    const isValid = validatePKCE(
+      code_verifier,
+      codeData.codeChallenge,
+      codeData.codeChallengeMethod
+    );
+
+    if (!isValid) {
+      return sendError(res, 400, 'invalid_grant', 'PKCE validation failed');
+    }
+  } catch (error) {
+    return sendError(res, 400, 'invalid_grant', error.message);
+  }
+
+  // Re-authenticate with Firebase to get fresh tokens
+  // Use stored user credentials
+  const email = codeData.userEmail;
+  const password = config.clientSecret;
+
+  let authResult;
+  try {
+    authResult = await authenticateUser(email, password);
+  } catch (error) {
+    console.error('Firebase auth error in token exchange:', error.message);
+    return sendError(res, 400, 'invalid_grant', 'Failed to issue tokens');
+  }
+
+  // Return tokens
+  res.json({
+    access_token: authResult.idToken,
+    token_type: 'Bearer',
+    expires_in: 3600,
+    refresh_token: authResult.refreshToken,
+    scope: codeData.scope
+  });
+}
+
+/**
+ * Handle refresh token grant
+ */
+async function handleRefreshTokenGrant(req, res, config) {
+  const {
+    refresh_token,
+    client_id
+  } = req.body;
+
+  // Validate required parameters
+  if (!refresh_token || !client_id) {
+    return sendError(res, 400, 'invalid_request', 'Missing required parameters');
+  }
+
+  // Refresh Firebase tokens
+  let tokens;
+  try {
+    tokens = await refreshTokens(refresh_token);
+  } catch (error) {
+    console.error('Token refresh error:', error.message);
+    return sendError(res, 400, 'invalid_grant', 'Invalid refresh token');
+  }
+
+  // Return new tokens
+  res.json({
+    access_token: tokens.idToken,
+    token_type: 'Bearer',
+    expires_in: tokens.expiresIn,
+    refresh_token: tokens.refreshToken
+  });
+}
+
+/**
+ * Send error response
+ */
+function sendError(res, statusCode, error, errorDescription) {
+  res.status(statusCode).json({
+    error,
+    error_description: errorDescription
+  });
+}
+
+module.exports = { createTokenHandler };

package/middleware/validate-token.js

@@ -0,0 +1,127 @@
+/**
+ * Token Validation Middleware
+ * Validates Firebase ID tokens for MCP endpoint protection
+ * Supports role-based and permission-based access control via custom claims
+ */
+
+const { verifyIdToken } = require('../lib/firebase-client');
+
+/**
+ * Middleware to validate Bearer token in Authorization header
+ * @param {Object} options - Optional validation options
+ * @param {string} options.role - Required role (checks custom claim)
+ * @param {string|string[]} options.permissions - Required permission(s) (checks custom claim)
+ * @param {Function} options.customCheck - Custom validation function(decodedToken) => boolean
+ */
+function validateToken(options = {}) {
+  // Support both validateToken() and validateToken(options)
+  return function(req, res, next) {
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({
+        error: 'unauthorized',
+        error_description: 'Missing or invalid Authorization header'
+      }).set('WWW-Authenticate', 'Bearer realm="MCP Server"');
+    }
+
+    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+
+    verifyIdToken(token)
+      .then(decodedToken => {
+        // Attach user info to request
+        req.user = {
+          uid: decodedToken.uid,
+          email: decodedToken.email,
+          emailVerified: decodedToken.email_verified,
+          role: decodedToken.role,
+          permissions: decodedToken.permissions || [],
+          customClaims: decodedToken
+        };
+
+        // Check role requirement
+        if (options.role && decodedToken.role !== options.role) {
+          return res.status(403).json({
+            error: 'insufficient_permissions',
+            error_description: `Required role: ${options.role}`
+          });
+        }
+
+        // Check permission requirement(s)
+        if (options.permissions) {
+          const userPermissions = decodedToken.permissions || [];
+          const requiredPermissions = Array.isArray(options.permissions) 
+            ? options.permissions 
+            : [options.permissions];
+
+          const hasAllPermissions = requiredPermissions.every(perm => 
+            userPermissions.includes(perm)
+          );
+
+          if (!hasAllPermissions) {
+            return res.status(403).json({
+              error: 'insufficient_permissions',
+              error_description: `Required permissions: ${requiredPermissions.join(', ')}`
+            });
+          }
+        }
+
+        // Custom validation check
+        if (options.customCheck && typeof options.customCheck === 'function') {
+          try {
+            const isValid = options.customCheck(decodedToken);
+            if (!isValid) {
+              return res.status(403).json({
+                error: 'insufficient_permissions',
+                error_description: 'Custom authorization check failed'
+              });
+            }
+          } catch (error) {
+            console.error('Custom check error:', error.message);
+            return res.status(403).json({
+              error: 'insufficient_permissions',
+              error_description: 'Authorization check failed'
+            });
+          }
+        }
+
+        next();
+      })
+      .catch(error => {
+        console.error('Token validation failed:', error.message);
+        return res.status(401).json({
+          error: 'invalid_token',
+          error_description: 'Token validation failed'
+        }).set('WWW-Authenticate', 'Bearer realm="MCP Server", error="invalid_token"');
+      });
+  };
+}
+
+/**
+ * Convenience middleware: Require specific role
+ * @param {string} role - Required role name
+ */
+function requireRole(role) {
+  return validateToken({ role });
+}
+
+/**
+ * Convenience middleware: Require one or more permissions
+ * @param {string|string[]} permissions - Required permission(s)
+ */
+function requirePermissions(permissions) {
+  return validateToken({ permissions });
+}
+
+/**
+ * Convenience middleware: Require admin role
+ */
+function requireAdmin() {
+  return validateToken({ role: 'admin' });
+}
+
+module.exports = validateToken;
+module.exports.validateToken = validateToken;
+module.exports.requireRole = requireRole;
+module.exports.requirePermissions = requirePermissions;
+module.exports.requireAdmin = requireAdmin;

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@connexa/mcp-oauth-firebase-middleware",
+  "version": "1.0.0",
+  "description": "OAuth 2.0 middleware for MCP servers using Firebase Auth backend",
+  "private": false,
+  "main": "lib/index.js",
+  "scripts": {
+    "start": "node server.js",
+    "dev": "node server.js",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "oauth",
+    "oauth2",
+    "firebase",
+    "mcp",
+    "model-context-protocol",
+    "authentication",
+    "middleware",
+    "pkce"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/yourusername/mcp-oauth-firebase-middleware"
+  },
+  "publishConfig": {
+    "access": "restricted"
+  },
+  "files": [
+    "lib/",
+    "middleware/",
+    "README.md"
+  ],
+  "dependencies": {
+    "firebase": "^10.7.1",
+    "firebase-admin": "^12.0.0"
+  },
+  "peerDependencies": {
+    "express": "^4.18.0"
+  },
+  "devDependencies": {
+    "express": "^4.18.2",
+    "dotenv": "^16.3.1",
+    "cors": "^2.8.5"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}