@crabeye-ai/crabeye-mcp-bridge 1.2.1 → 1.3.0

package/README.md

@@ -84,7 +84,7 @@ Alternatively, you can add the bridge alongside your existing `mcpServers` entri
 
 - **Discovery + search.** Two meta-tools (`search_tools`, `run_tool`) instead of N×M tool definitions in context. See [docs/how-it-works.md](docs/how-it-works.md).
 - **Configuration.** STDIO, HTTP, and SSE upstreams; categories; multi-source config keys. See [docs/configuration.md](docs/configuration.md).
-- **Authentication.** Encrypted credential store, OS-keychain-backed master key, `${credential:key}` templates. See [docs/auth.md](docs/auth.md).
+- **Authentication.** Encrypted credential store, OS-keychain-backed master key, `${credential:key}` templates, and a one-shot `auth <server>` OAuth flow for HTTP upstreams. See [docs/auth.md](docs/auth.md).
 - **Policies.** Per-tool / per-server / global tool policies (`always` / `prompt` / `never`), rate limiting, discovery modes. See [docs/policies.md](docs/policies.md).
 - **STDIO manager.** STDIO upstreams routed through a per-user manager process so multiple bridges share a single subprocess per upstream. See [docs/stdio-manager.md](docs/stdio-manager.md).
 - **CLI.** `init`, `restore`, `credential`, `daemon`, `--validate`. See [docs/cli.md](docs/cli.md).

package/dist/auth-EI4HPCPE.js

@@ -0,0 +1,610 @@
+import {
+  BridgeOAuthClientProvider,
+  ConfigError,
+  CredentialError,
+  CredentialStore,
+  OAuthError,
+  clientInfoKey,
+  clientSecretKey,
+  createKeychainAdapter,
+  findInlineClientSecrets,
+  loadConfig,
+  loadMergedConfig,
+  makeOriginPinningFetch,
+  oauthCredentialKey,
+  resolveClientSecret,
+  resolveConfigPath
+} from "./chunk-GDMDS6AA.js";
+import "./chunk-4P5BLKL7.js";
+import "./chunk-GZ6RB4AV.js";
+import {
+  APP_NAME,
+  isHttpServer,
+  resolveUpstreams
+} from "./chunk-S7FBI3BM.js";
+
+// src/commands/auth.ts
+import { timingSafeEqual } from "crypto";
+import { auth, discoverOAuthProtectedResourceMetadata } from "@modelcontextprotocol/sdk/client/auth.js";
+
+// src/oauth/callback-server.ts
+import { createServer } from "http";
+var SECURITY_HEADERS = Object.freeze({
+  "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
+  "Cross-Origin-Resource-Policy": "same-origin",
+  "Cross-Origin-Opener-Policy": "same-origin",
+  "X-Content-Type-Options": "nosniff",
+  "Referrer-Policy": "no-referrer",
+  "Cache-Control": "no-store"
+});
+function applySecurityHeaders(res) {
+  for (const [k, v] of Object.entries(SECURITY_HEADERS)) res.setHeader(k, v);
+}
+var DEFAULT_TIMEOUT_MS = 5 * 6e4;
+var MAX_CALLBACK_PARAM_LENGTH = 4096;
+function htmlEscape(s) {
+  return s.replace(
+    /[&<>"']/g,
+    (c) => c === "&" ? "&amp;" : c === "<" ? "&lt;" : c === ">" ? "&gt;" : c === '"' ? "&quot;" : "&#39;"
+  );
+}
+function truncate(value) {
+  if (value.length <= MAX_CALLBACK_PARAM_LENGTH) return value;
+  return value.slice(0, MAX_CALLBACK_PARAM_LENGTH) + "\u2026(truncated)";
+}
+function successPage(serverName) {
+  const who = serverName ? ` for <strong>${htmlEscape(serverName)}</strong>` : "";
+  return `<!doctype html><html><head><meta charset="utf-8"><title>Authorized</title>
+<style>body{font:14px system-ui;margin:48px auto;max-width:480px;text-align:center;color:#222}</style>
+</head><body><h2>Authorization complete${who}</h2>
+<p>You can close this window and return to your terminal.</p></body></html>`;
+}
+function errorPage(error, description) {
+  return `<!doctype html><html><head><meta charset="utf-8"><title>Authorization failed</title>
+<style>body{font:14px system-ui;margin:48px auto;max-width:480px;color:#222}h2{color:#c0392b}</style>
+</head><body><h2>Authorization failed</h2>
+<p><strong>${htmlEscape(error)}</strong></p>
+${description ? `<p>${htmlEscape(description)}</p>` : ""}
+<p>Return to your terminal for details.</p></body></html>`;
+}
+async function startCallbackServer(options = {}) {
+  const path = options.path ?? "/callback";
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  let resolveResult;
+  let rejectResult;
+  const resultPromise = new Promise((resolve, reject) => {
+    resolveResult = resolve;
+    rejectResult = reject;
+  });
+  let settled = false;
+  let server;
+  let timeoutTimer;
+  let abortHandler;
+  let cleanupPromise;
+  const cleanup = () => {
+    if (cleanupPromise) return cleanupPromise;
+    cleanupPromise = (async () => {
+      if (timeoutTimer) {
+        clearTimeout(timeoutTimer);
+        timeoutTimer = void 0;
+      }
+      if (abortHandler && options.signal) {
+        options.signal.removeEventListener("abort", abortHandler);
+        abortHandler = void 0;
+      }
+      if (server) {
+        const s = server;
+        server = void 0;
+        await new Promise((resolve) => {
+          s.close(() => resolve());
+        });
+      }
+    })();
+    return cleanupPromise;
+  };
+  const settle = (err, value) => {
+    if (settled) return;
+    settled = true;
+    if (err) rejectResult(err);
+    else resolveResult(value);
+    void cleanup();
+  };
+  server = createServer((req, res) => {
+    applySecurityHeaders(res);
+    const expectedHost = `127.0.0.1:${req.socket.localPort}`;
+    if (req.headers.host !== expectedHost) {
+      res.statusCode = 421;
+      res.end();
+      return;
+    }
+    const url = new URL(req.url ?? "/", "http://127.0.0.1");
+    if (url.pathname !== path) {
+      res.statusCode = 404;
+      res.end("Not Found");
+      return;
+    }
+    if (req.method !== "GET") {
+      res.statusCode = 405;
+      res.setHeader("Allow", "GET");
+      res.end();
+      return;
+    }
+    const error = url.searchParams.get("error");
+    const errorDescription = url.searchParams.get("error_description") ?? void 0;
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const sendError = (page, settleErr) => {
+      res.statusCode = 400;
+      res.setHeader("Content-Type", "text/html; charset=utf-8");
+      res.end(errorPage(page.error, page.description), () => settle(settleErr));
+    };
+    if (error) {
+      const safeError = truncate(error);
+      const safeDescription = errorDescription !== void 0 ? truncate(errorDescription) : void 0;
+      sendError(
+        { error: safeError, description: safeDescription },
+        new OAuthError(
+          "authorization_failed",
+          `Authorization provider returned error: ${safeError}${safeDescription ? ` \u2014 ${safeDescription}` : ""}`
+        )
+      );
+      return;
+    }
+    if (!code || !state) {
+      sendError(
+        { error: "invalid_response", description: "Missing code or state" },
+        new OAuthError(
+          "invalid_callback",
+          "Callback missing required parameters (code, state)"
+        )
+      );
+      return;
+    }
+    if (code.length > MAX_CALLBACK_PARAM_LENGTH || state.length > MAX_CALLBACK_PARAM_LENGTH) {
+      sendError(
+        { error: "invalid_response", description: "Callback parameters too long" },
+        new OAuthError(
+          "invalid_callback",
+          `Callback parameter exceeded ${MAX_CALLBACK_PARAM_LENGTH} bytes`
+        )
+      );
+      return;
+    }
+    res.statusCode = 200;
+    res.setHeader("Content-Type", "text/html; charset=utf-8");
+    res.end(successPage(), () => settle(null, { code, state }));
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(
+      { port: options.port ?? 0, host: "127.0.0.1", exclusive: true },
+      () => {
+        server.removeListener("error", reject);
+        resolve();
+      }
+    );
+  });
+  const addr = server.address();
+  const port = addr.port;
+  const redirectUri = `http://127.0.0.1:${port}${path}`;
+  if (timeoutMs > 0) {
+    timeoutTimer = setTimeout(() => {
+      settle(
+        new OAuthError(
+          "timeout",
+          `Authorization timed out after ${Math.round(timeoutMs / 1e3)}s \u2014 no callback received`
+        )
+      );
+    }, timeoutMs);
+    timeoutTimer.unref?.();
+  }
+  if (options.signal) {
+    if (options.signal.aborted) {
+      settle(new OAuthError("aborted", "Authorization aborted"));
+    } else {
+      abortHandler = () => {
+        settle(new OAuthError("aborted", "Authorization aborted"));
+      };
+      options.signal.addEventListener("abort", abortHandler, { once: true });
+    }
+  }
+  return {
+    redirectUri,
+    port,
+    result: resultPromise,
+    close: cleanup
+  };
+}
+
+// src/oauth/browser.ts
+import { spawn } from "child_process";
+import { platform } from "os";
+function isSafeLaunchUrl(url) {
+  try {
+    const u = new URL(url);
+    if (u.protocol !== "https:" && u.protocol !== "http:") return false;
+    if (u.username !== "" || u.password !== "") return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function openBrowser(url, options = {}) {
+  if (!isSafeLaunchUrl(url)) return false;
+  const os = options._platform ?? platform();
+  let command;
+  let args;
+  switch (os) {
+    case "darwin":
+      command = "open";
+      args = [url];
+      break;
+    case "win32":
+      command = "powershell";
+      args = ["-NoProfile", "-Command", "Start-Process", url];
+      break;
+    default:
+      command = "xdg-open";
+      args = [url];
+      break;
+  }
+  return new Promise((resolve) => {
+    let settled = false;
+    const finish = (value) => {
+      if (settled) return;
+      settled = true;
+      resolve(value);
+    };
+    try {
+      const child = spawn(command, args, {
+        stdio: "ignore",
+        detached: true
+      });
+      child.once("error", () => finish(false));
+      child.once("spawn", () => {
+        child.unref?.();
+        finish(true);
+      });
+    } catch {
+      finish(false);
+    }
+  });
+}
+
+// src/commands/auth.ts
+var USAGE = `Usage:
+  ${APP_NAME} auth <server>            run OAuth flow for a server
+  ${APP_NAME} auth --list              show auth status for all servers (default)
+  ${APP_NAME} auth --remove <server>   delete stored credentials for a server
+  ${APP_NAME} auth help                show this help
+
+Options:
+  --list                show auth status for all servers (default for bare invocation)
+  --remove <server>     delete the stored \`oauth:<server>\` credential (local only)
+  -h, --help            show this help
+`;
+var DISCOVERY_PROBE_TIMEOUT_MS = 3e3;
+function defaultPrint(line) {
+  process.stdout.write(line + "\n");
+}
+function defaultErrPrint(line) {
+  process.stderr.write(line + "\n");
+}
+async function loadConfigForAuth(explicitPath) {
+  if (explicitPath) {
+    const configPath = resolveConfigPath({ configPath: explicitPath });
+    return loadConfig({ configPath });
+  }
+  const envPath = process.env.MCP_BRIDGE_CONFIG;
+  if (envPath) return loadConfig({ configPath: envPath });
+  const merged = await loadMergedConfig();
+  return merged.config;
+}
+function formatExpiry(expiresAt) {
+  if (expiresAt === void 0) return "\u2014";
+  return new Date(expiresAt * 1e3).toLocaleString();
+}
+function isExpired(expiresAt) {
+  if (expiresAt === void 0) return false;
+  return expiresAt * 1e3 <= Date.now();
+}
+async function buildStatusRows(config, store, discover) {
+  const upstreams = resolveUpstreams(config);
+  const rowPromises = Object.entries(upstreams).map(
+    async ([name, server]) => {
+      const oauthCfg = server._bridge?.auth;
+      if (oauthCfg && oauthCfg.type === "oauth2") {
+        return rowFromConfig(name, oauthCfg.scopes ?? [], store);
+      }
+      if (!isHttpServer(server)) return void 0;
+      const [advertises, stored] = await Promise.all([
+        probeOAuthAdvertised(server, discover),
+        store.get(oauthCredentialKey(name))
+      ]);
+      if (stored && stored.type === "oauth2") {
+        return rowFromStoredCredential(name, stored, "discovery");
+      }
+      if (!advertises) return void 0;
+      return {
+        name,
+        status: "advertises-oauth",
+        expiresAt: void 0,
+        scopes: [],
+        source: "discovery"
+      };
+    }
+  );
+  const rows = (await Promise.all(rowPromises)).filter(
+    (r) => r !== void 0
+  );
+  return rows.sort((a, b) => a.name.localeCompare(b.name));
+}
+async function probeOAuthAdvertised(server, discover) {
+  const signal = AbortSignal.timeout(DISCOVERY_PROBE_TIMEOUT_MS);
+  const fetchWithTimeout = (input, init) => fetch(input, { ...init, signal });
+  try {
+    const meta = await discover(server.url, void 0, fetchWithTimeout);
+    return meta !== void 0;
+  } catch {
+    return false;
+  }
+}
+async function rowFromConfig(name, scopes, store) {
+  const cred = await store.get(oauthCredentialKey(name));
+  if (!cred || cred.type !== "oauth2") {
+    return {
+      name,
+      status: "auth-required",
+      expiresAt: void 0,
+      scopes,
+      source: "config"
+    };
+  }
+  return rowFromStoredCredential(name, cred, "config", scopes);
+}
+function rowFromStoredCredential(name, cred, source, configuredScopes = []) {
+  const hasRefresh = typeof cred.refresh_token === "string" && cred.refresh_token.length > 0;
+  const status = isExpired(cred.expires_at) && !hasRefresh ? "auth-required" : "authenticated";
+  return {
+    name,
+    status,
+    expiresAt: cred.expires_at,
+    scopes: configuredScopes,
+    source
+  };
+}
+function renderRows(rows) {
+  if (rows.length === 0) {
+    return "No servers with OAuth configuration or advertised OAuth metadata.";
+  }
+  const headers = ["SERVER", "STATUS", "EXPIRES", "SCOPES", "SOURCE"];
+  const data = rows.map((r) => [
+    r.name,
+    r.status,
+    formatExpiry(r.expiresAt),
+    r.scopes.length > 0 ? r.scopes.join(" ") : "\u2014",
+    r.source
+  ]);
+  const widths = headers.map(
+    (h, i) => Math.max(h.length, ...data.map((row) => row[i].length))
+  );
+  const fmt = (cells) => cells.map((c, i) => c.padEnd(widths[i])).join("  ").trimEnd();
+  return [fmt(headers), ...data.map(fmt)].join("\n");
+}
+async function runAuthList(opts, deps = {}) {
+  const print = deps.print ?? defaultPrint;
+  const errPrint = deps.errPrint ?? defaultErrPrint;
+  try {
+    const config = deps.loadConfig ? await deps.loadConfig() : await loadConfigForAuth(opts.configPath);
+    warnInlineClientSecrets(config, errPrint);
+    const store = deps.store ?? new CredentialStore({ keychain: createKeychainAdapter() });
+    const discover = deps.discoverProtectedResource ?? discoverOAuthProtectedResourceMetadata;
+    const rows = await buildStatusRows(config, store, discover);
+    print(renderRows(rows));
+    return 0;
+  } catch (err) {
+    errPrint(`Error: ${formatErr(err)}`);
+    return 1;
+  }
+}
+function warnInlineClientSecrets(config, errPrint) {
+  const offenders = findInlineClientSecrets(config);
+  for (const name of offenders) {
+    errPrint(
+      `warning: clientSecret for "${name}" is an inline string in config. Prefer the credential store (\`credential set ${clientSecretKey(name)} <value>\`) or a \${ENV_VAR} reference so secrets stay out of shared config files.`
+    );
+  }
+}
+async function runAuthRemove(serverName, opts = {}, deps = {}) {
+  const print = deps.print ?? defaultPrint;
+  const errPrint = deps.errPrint ?? defaultErrPrint;
+  try {
+    const store = deps.store ?? new CredentialStore({ keychain: createKeychainAdapter() });
+    let canonical = serverName;
+    try {
+      const config = deps.loadConfig ? await deps.loadConfig() : await loadConfigForAuth(opts.configPath);
+      const resolved = findUpstreamName(resolveUpstreams(config), serverName);
+      if (resolved) canonical = resolved;
+    } catch {
+    }
+    const tokenKey = oauthCredentialKey(canonical);
+    const secretKey = clientSecretKey(canonical);
+    const clientKey = clientInfoKey(canonical);
+    const removed = await store.deleteMany([tokenKey, secretKey, clientKey]);
+    if (removed.length === 0) {
+      errPrint(`No stored credentials for "${serverName}"`);
+      return 1;
+    }
+    const parts = [];
+    if (removed.includes(tokenKey)) parts.push("token");
+    if (removed.includes(secretKey)) parts.push("client secret");
+    if (removed.includes(clientKey)) parts.push("registered client");
+    print(`Removed local ${parts.join(" + ")} for "${canonical}"`);
+    return 0;
+  } catch (err) {
+    errPrint(`Error: ${formatErr(err)}`);
+    return 1;
+  }
+}
+function findUpstreamName(upstreams, typed) {
+  if (Object.hasOwn(upstreams, typed)) return typed;
+  const lower = typed.toLowerCase();
+  for (const name of Object.keys(upstreams)) {
+    if (name.toLowerCase() === lower) return name;
+  }
+  return void 0;
+}
+function getUpstream(config, name) {
+  const upstreams = resolveUpstreams(config);
+  const canonicalName = findUpstreamName(upstreams, name);
+  if (canonicalName === void 0) return void 0;
+  const server = upstreams[canonicalName];
+  if (!isHttpServer(server)) return void 0;
+  return { canonicalName, server, authConfig: server._bridge?.auth };
+}
+function assertSafeAuthorizationUrl(authUrl) {
+  if (authUrl.username !== "" || authUrl.password !== "") {
+    throw new OAuthError(
+      "insecure_authorization_url",
+      `Authorization URL must not embed userinfo (got ${authUrl.protocol}//${authUrl.host}).`
+    );
+  }
+  if (authUrl.protocol === "https:") return;
+  const loopback = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1"]);
+  if (loopback.has(authUrl.hostname)) return;
+  throw new OAuthError(
+    "insecure_authorization_url",
+    `Authorization endpoint must use https (got ${authUrl.protocol}//${authUrl.host}). Refusing to open the browser at an insecure URL.`
+  );
+}
+async function runAuthLogin(opts, deps = {}) {
+  const print = deps.print ?? defaultPrint;
+  const errPrint = deps.errPrint ?? defaultErrPrint;
+  let handle;
+  try {
+    const config = deps.loadConfig ? await deps.loadConfig() : await loadConfigForAuth(opts.configPath);
+    warnInlineClientSecrets(config, errPrint);
+    const upstream = getUpstream(config, opts.serverName);
+    if (!upstream) {
+      errPrint(
+        `Error: server "${opts.serverName}" is not configured or is not an HTTP upstream.
+  OAuth via \`auth <server>\` requires an HTTP/streamable-http server.`
+      );
+      return 1;
+    }
+    const store = deps.store ?? new CredentialStore({ keychain: createKeychainAdapter() });
+    const authConfig = upstream.authConfig;
+    const serverName = upstream.canonicalName;
+    const clientSecret = await resolveClientSecret(
+      serverName,
+      authConfig?.clientSecret,
+      store
+    );
+    const startFn = deps.startCallbackServer ?? startCallbackServer;
+    const openFn = deps.openBrowser ?? openBrowser;
+    const authFn = deps.auth ?? auth;
+    handle = await startFn({
+      port: authConfig?.redirectPort,
+      signal: deps.signal
+    });
+    const provider = new BridgeOAuthClientProvider({
+      serverName,
+      store,
+      redirectUrl: handle.redirectUri,
+      clientId: authConfig?.clientId,
+      clientSecret,
+      scopes: authConfig?.scopes,
+      onRedirect: async (url) => {
+        assertSafeAuthorizationUrl(url);
+        errPrint(`Opening authorization URL for "${serverName}":`);
+        errPrint(`  ${url}`);
+        errPrint(`Listening on ${handle.redirectUri} (Ctrl-C to cancel)`);
+        void openFn(String(url)).catch(() => void 0);
+      }
+    });
+    const pinningFetch = makeOriginPinningFetch();
+    const first = await authFn(provider, {
+      serverUrl: upstream.server.url,
+      fetchFn: pinningFetch
+    });
+    if (first === "AUTHORIZED") {
+      print(`Already authenticated as "${serverName}"`);
+      return 0;
+    }
+    const callback = await handle.result;
+    const expected = provider.expectedState();
+    if (expected === void 0) {
+      errPrint(
+        `Error: OAuth flow did not initialize state \u2014 internal error.
+  Re-run \`${APP_NAME} auth ${serverName}\`.`
+      );
+      return 1;
+    }
+    if (!constantTimeEquals(expected, callback.state)) {
+      errPrint(
+        `Error: OAuth state mismatch \u2014 refusing to exchange the callback code.
+  This usually means the authorization flow was interrupted or a stale
+  callback arrived. Re-run \`${APP_NAME} auth ${serverName}\`.`
+      );
+      return 1;
+    }
+    const result = await authFn(provider, {
+      serverUrl: upstream.server.url,
+      authorizationCode: callback.code,
+      fetchFn: pinningFetch
+    });
+    if (result !== "AUTHORIZED") {
+      errPrint("Error: authorization did not complete");
+      return 1;
+    }
+    const stored = await provider.tokens();
+    print(`Authenticated "${serverName}"`);
+    if (stored?.scope) print(`  Scopes: ${stored.scope}`);
+    if (stored?.expires_in !== void 0) {
+      const expiresAt = Math.floor(Date.now() / 1e3) + stored.expires_in;
+      print(`  Expires: ${formatExpiry(expiresAt)}`);
+    }
+    return 0;
+  } catch (err) {
+    errPrint(`Error: ${formatErr(err)}`);
+    return 1;
+  } finally {
+    if (handle) {
+      try {
+        await handle.close();
+      } catch (closeErr) {
+        const message = closeErr instanceof Error ? closeErr.message : String(closeErr);
+        errPrint(`warning: failed to close callback listener: ${message}`);
+      }
+    }
+  }
+}
+function constantTimeEquals(a, b) {
+  const bufA = Buffer.from(a, "utf8");
+  const bufB = Buffer.from(b, "utf8");
+  if (bufA.length !== bufB.length) return false;
+  return timingSafeEqual(bufA, bufB);
+}
+function formatErr(err) {
+  if (err instanceof ConfigError) {
+    let msg = err.message;
+    for (const issue of err.issues) msg += `
+  ${issue.path}: ${issue.message}`;
+    return msg;
+  }
+  if (err instanceof CredentialError || err instanceof OAuthError) return err.message;
+  if (err instanceof Error) {
+    const errorCode = err.errorCode;
+    if (typeof errorCode === "string") {
+      return `[${errorCode}] ${err.message}`;
+    }
+  }
+  return err instanceof Error ? err.message : String(err);
+}
+export {
+  USAGE as authUsage,
+  runAuthList,
+  runAuthLogin,
+  runAuthRemove
+};
+//# sourceMappingURL=auth-EI4HPCPE.js.map