@decocms/runtime 1.0.0-alpha.5 → 1.0.0

package/src/mcp.ts

@@ -1,170 +1,11 @@
 /* oxlint-disable no-explicit-any */
-import { z } from "zod";
-import type { MCPConnection } from "./connection.ts";
-import { createMCPClientProxy } from "./proxy.ts";
 import type { ToolBinder } from "@decocms/bindings";
-
-export interface FetchOptions extends RequestInit {
-  path?: string;
-  segments?: string[];
-}
-
-const Timings = z.object({
-  sql_duration_ms: z.number().optional(),
-});
-
-const Meta = z.object({
-  changed_db: z.boolean().optional(),
-  changes: z.number().optional(),
-  duration: z.number().optional(),
-  last_row_id: z.number().optional(),
-  rows_read: z.number().optional(),
-  rows_written: z.number().optional(),
-  served_by_primary: z.boolean().optional(),
-  served_by_region: z
-    .enum(["WNAM", "ENAM", "WEUR", "EEUR", "APAC", "OC"])
-    .optional(),
-  size_after: z.number().optional(),
-  timings: Timings.optional(),
-});
-
-const QueryResult = z.object({
-  meta: Meta.optional(),
-  results: z.array(z.unknown()).optional(),
-  success: z.boolean().optional(),
-});
-
-export type QueryResult = z.infer<typeof QueryResult>;
-
-const workspaceTools = [
-  {
-    name: "INTEGRATIONS_GET" as const,
-    inputSchema: z.object({
-      id: z.string(),
-    }),
-    outputSchema: z.object({
-      connection: z.object({}),
-    }),
-  },
-  {
-    name: "DATABASES_RUN_SQL" as const,
-    inputSchema: z.object({
-      sql: z.string().describe("The SQL query to run"),
-      params: z
-        .array(z.string())
-        .describe("The parameters to pass to the SQL query"),
-    }),
-    outputSchema: z.object({
-      result: z.array(QueryResult),
-    }),
-  },
-] satisfies ToolBinder<string, unknown, object>[];
-
-// Default fetcher instance with API_SERVER_URL and API_HEADERS
-const global = createMCPFetchStub<[]>({});
-export const MCPClient = new Proxy(
-  {} as typeof global & {
-    forWorkspace: (
-      workspace: string,
-      token?: string,
-      decoCmsApiUrl?: string,
-    ) => MCPClientFetchStub<typeof workspaceTools>;
-    forConnection: <TDefinition extends readonly ToolBinder[]>(
-      connection: MCPConnectionProvider,
-      decoCmsApiUrl?: string,
-    ) => MCPClientFetchStub<TDefinition>;
-  },
-  {
-    get(_, name) {
-      if (name === "toJSON") {
-        return null;
-      }
-
-      if (name === "forWorkspace") {
-        return (workspace: string, token?: string, decoCmsApiUrl?: string) =>
-          createMCPFetchStub<[]>({
-            workspace,
-            token,
-            decoCmsApiUrl,
-          });
-      }
-      if (name === "forConnection") {
-        return <TDefinition extends readonly ToolBinder[]>(
-          connection: MCPConnectionProvider,
-          decoCmsApiUrl?: string,
-        ) =>
-          createMCPFetchStub<TDefinition>({
-            connection,
-            decoCmsApiUrl,
-          });
-      }
-      return global[name as keyof typeof global];
-    },
-  },
-);
+export {
+  createMCPFetchStub,
+  MCPClient,
+  type CreateStubAPIOptions,
+  type MCPClientFetchStub,
+  type MCPClientStub,
+} from "@decocms/bindings/client"; // Default fetcher instance with API_SERVER_URL and API_HEADERS
 
 export type { ToolBinder };
-
-export const isStreamableToolBinder = (
-  toolBinder: ToolBinder,
-): toolBinder is ToolBinder<string, any, any, true> => {
-  return toolBinder.streamable === true;
-};
-export type MCPClientStub<TDefinition extends readonly ToolBinder[]> = {
-  [K in TDefinition[number] as K["name"]]: K extends ToolBinder<
-    string,
-    infer TInput,
-    infer TReturn
-  >
-    ? (params: TInput, init?: RequestInit) => Promise<TReturn>
-    : never;
-};
-
-export type MCPClientFetchStub<TDefinition extends readonly ToolBinder[]> = {
-  [K in TDefinition[number] as K["name"]]: K["streamable"] extends true
-    ? K extends ToolBinder<string, infer TInput, any, true>
-      ? (params: TInput, init?: RequestInit) => Promise<Response>
-      : never
-    : K extends ToolBinder<string, infer TInput, infer TReturn, any>
-      ? (params: TInput, init?: RequestInit) => Promise<Awaited<TReturn>>
-      : never;
-};
-
-export type MCPConnectionProvider = MCPConnection;
-
-export interface MCPClientRaw {
-  callTool: (tool: string, args: unknown) => Promise<unknown>;
-  listTools: () => Promise<
-    {
-      name: string;
-      inputSchema: any;
-      outputSchema?: any;
-      description: string;
-    }[]
-  >;
-}
-export type JSONSchemaToZodConverter = (jsonSchema: any) => z.ZodTypeAny;
-export interface CreateStubAPIOptions {
-  mcpPath?: string;
-  decoCmsApiUrl?: string;
-  workspace?: string;
-  token?: string;
-  connection?: MCPConnectionProvider;
-  streamable?: Record<string, boolean>;
-  debugId?: () => string;
-  getErrorByStatusCode?: (
-    statusCode: number,
-    message?: string,
-    traceId?: string,
-    errorObject?: unknown,
-  ) => Error;
-  supportsToolName?: boolean;
-}
-
-export function createMCPFetchStub<TDefinition extends readonly ToolBinder[]>(
-  options?: CreateStubAPIOptions,
-): MCPClientFetchStub<TDefinition> {
-  return createMCPClientProxy<MCPClientFetchStub<TDefinition>>({
-    ...(options ?? {}),
-  });
-}

package/src/oauth.ts

@@ -0,0 +1,495 @@
+import type { OAuthClient, OAuthConfig, OAuthParams } from "./tools.ts";
+
+/**
+ * Generate a cryptographically secure random token
+ */
+function generateRandomToken(length = 32): string {
+  const chars =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => chars[byte % chars.length]).join("");
+}
+
+/**
+ * Validate redirect URI format per OAuth 2.1
+ */
+function isValidRedirectUri(uri: string): boolean {
+  try {
+    const url = new URL(uri);
+    return (
+      url.protocol === "https:" ||
+      url.hostname === "localhost" ||
+      url.hostname === "127.0.0.1" ||
+      // Allow custom schemes for native apps (e.g., cursor://, vscode://)
+      !url.protocol.startsWith("http")
+    );
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Encode data as base64url JSON
+ */
+function encodeState<T>(data: T): string {
+  return btoa(JSON.stringify(data))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
+/**
+ * Decode base64url JSON data
+ */
+function decodeState<T>(encoded: string): T | null {
+  try {
+    const base64 = encoded.replace(/-/g, "+").replace(/_/g, "/");
+    return JSON.parse(atob(base64)) as T;
+  } catch {
+    return null;
+  }
+}
+
+interface PendingAuthState {
+  redirectUri: string;
+  clientState?: string;
+  codeChallenge?: string;
+  codeChallengeMethod?: string;
+}
+
+interface CodePayload {
+  accessToken: string;
+  tokenType: string;
+  codeChallenge?: string;
+  codeChallengeMethod?: string;
+}
+
+const forceHttps = (url: URL) => {
+  const isLocal = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+  if (!isLocal) {
+    // force http if not local
+    url.protocol = "https:";
+  }
+  return url;
+};
+
+/**
+ * Create OAuth endpoint handlers for MCP servers
+ * The MCP server acts as an OAuth Authorization Server proxy
+ * Stateless implementation - no persistence required
+ * Per MCP Authorization spec: https://modelcontextprotocol.io/specification/draft/basic/authorization
+ */
+export function createOAuthHandlers(oauth: OAuthConfig) {
+  /**
+   * Build OAuth 2.0 Protected Resource Metadata (RFC9728)
+   * Points to THIS server as the authorization server
+   */
+  const handleProtectedResourceMetadata = (req: Request): Response => {
+    const url = forceHttps(new URL(req.url));
+    const resourceUrl = `${url.origin}/mcp`;
+
+    return Response.json({
+      resource: resourceUrl,
+      // Point to ourselves - we are the authorization server proxy
+      authorization_servers: [url.origin],
+      scopes_supported: ["*"],
+      bearer_methods_supported: ["header"],
+      resource_signing_alg_values_supported: ["RS256", "none"],
+    });
+  };
+
+  /**
+   * Build OAuth 2.0 Authorization Server Metadata (RFC8414)
+   * Exposes our endpoints for authorization, token exchange, and registration
+   */
+  const handleAuthorizationServerMetadata = (req: Request): Response => {
+    const url = forceHttps(new URL(req.url));
+    const baseUrl = url.origin;
+
+    return Response.json({
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/authorize`,
+      token_endpoint: `${baseUrl}/token`,
+      registration_endpoint: `${baseUrl}/register`,
+      scopes_supported: ["*"],
+      response_types_supported: ["code"],
+      response_modes_supported: ["query"],
+      grant_types_supported: ["authorization_code", "refresh_token"],
+      token_endpoint_auth_methods_supported: ["none", "client_secret_post"],
+      code_challenge_methods_supported: ["S256", "plain"],
+    });
+  };
+
+  /**
+   * Handle authorization request - redirects to external OAuth provider
+   * Stateless: encodes all needed info in the state parameter
+   */
+  const handleAuthorize = (req: Request): Response => {
+    const url = forceHttps(new URL(req.url));
+    const redirectUri = url.searchParams.get("redirect_uri");
+    const responseType = url.searchParams.get("response_type");
+    const clientState = url.searchParams.get("state");
+    const codeChallenge = url.searchParams.get("code_challenge");
+    const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+
+    // Validate required params
+    if (!redirectUri) {
+      return Response.json(
+        {
+          error: "invalid_request",
+          error_description: "redirect_uri required",
+        },
+        { status: 400 },
+      );
+    }
+
+    if (responseType !== "code") {
+      return Response.json(
+        {
+          error: "unsupported_response_type",
+          error_description: "Only 'code' is supported",
+        },
+        { status: 400 },
+      );
+    }
+
+    // Encode pending auth state
+    const pendingState: PendingAuthState = {
+      redirectUri,
+      clientState: clientState ?? undefined,
+      codeChallenge: codeChallenge ?? undefined,
+      codeChallengeMethod: codeChallengeMethod ?? undefined,
+    };
+    const encodedState = encodeState(pendingState);
+
+    // Build callback URL pointing to our internal callback
+    const callbackUrl = forceHttps(new URL(`${url.origin}/oauth/callback`));
+    callbackUrl.searchParams.set("state", encodedState);
+
+    // Get the external authorization URL from the config
+    const externalAuthUrl = oauth.authorizationUrl(callbackUrl.toString());
+
+    // Redirect to external OAuth provider
+    return Response.redirect(externalAuthUrl, 302);
+  };
+
+  /**
+   * Handle OAuth callback from external provider
+   * Stateless: decodes state to get redirect info, encodes token in code
+   */
+  const handleOAuthCallback = async (req: Request): Promise<Response> => {
+    const url = forceHttps(new URL(req.url));
+    const code = url.searchParams.get("code");
+    const encodedState = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+
+    // Decode state
+    const pending = encodedState
+      ? decodeState<PendingAuthState>(encodedState)
+      : null;
+
+    if (error) {
+      const errorDescription =
+        url.searchParams.get("error_description") ?? "Authorization failed";
+      if (pending?.redirectUri) {
+        const redirectUrl = forceHttps(new URL(pending.redirectUri));
+        redirectUrl.searchParams.set("error", error);
+        redirectUrl.searchParams.set("error_description", errorDescription);
+        if (pending.clientState)
+          redirectUrl.searchParams.set("state", pending.clientState);
+        return Response.redirect(redirectUrl.toString(), 302);
+      }
+      return Response.json(
+        { error, error_description: errorDescription },
+        { status: 400 },
+      );
+    }
+
+    if (!code || !pending) {
+      return Response.json(
+        {
+          error: "invalid_request",
+          error_description: "Missing code or state",
+        },
+        { status: 400 },
+      );
+    }
+
+    try {
+      // Exchange code with external provider
+      const oauthParams: OAuthParams = { code };
+      const tokenResponse = await oauth.exchangeCode(oauthParams);
+
+      // Encode the token in our own code (stateless)
+      const codePayload: CodePayload = {
+        accessToken: tokenResponse.access_token,
+        tokenType: tokenResponse.token_type,
+        codeChallenge: pending.codeChallenge,
+        codeChallengeMethod: pending.codeChallengeMethod,
+      };
+      const ourCode = encodeState(codePayload);
+
+      // Redirect back to client with our code
+      const redirectUrl = forceHttps(new URL(pending.redirectUri));
+      redirectUrl.searchParams.set("code", ourCode);
+      if (pending.clientState) {
+        redirectUrl.searchParams.set("state", pending.clientState);
+      }
+
+      return Response.redirect(redirectUrl.toString(), 302);
+    } catch (err) {
+      console.error("OAuth callback error:", err);
+
+      // Redirect back to client with error
+      const redirectUrl = forceHttps(new URL(pending.redirectUri));
+      redirectUrl.searchParams.set("error", "server_error");
+      redirectUrl.searchParams.set(
+        "error_description",
+        "Failed to exchange authorization code",
+      );
+      if (pending.clientState)
+        redirectUrl.searchParams.set("state", pending.clientState);
+
+      return Response.redirect(redirectUrl.toString(), 302);
+    }
+  };
+
+  /**
+   * Handle token exchange - decodes our code to get the actual token
+   * Stateless: token is encoded in the code
+   */
+  const handleToken = async (req: Request): Promise<Response> => {
+    try {
+      const contentType = req.headers.get("content-type") ?? "";
+      let body: Record<string, string>;
+
+      if (contentType.includes("application/x-www-form-urlencoded")) {
+        const formData = await req.formData();
+        body = Object.fromEntries(formData.entries()) as Record<string, string>;
+      } else {
+        body = await req.json();
+      }
+
+      const { code, code_verifier, grant_type } = body;
+
+      if (grant_type !== "authorization_code") {
+        return Response.json(
+          {
+            error: "unsupported_grant_type",
+            error_description: "Only authorization_code supported",
+          },
+          { status: 400 },
+        );
+      }
+
+      if (!code) {
+        return Response.json(
+          { error: "invalid_request", error_description: "code is required" },
+          { status: 400 },
+        );
+      }
+
+      // Decode the code to get the token
+      const payload = decodeState<CodePayload>(code);
+      if (!payload || !payload.accessToken) {
+        return Response.json(
+          {
+            error: "invalid_grant",
+            error_description: "Invalid or expired code",
+          },
+          { status: 400 },
+        );
+      }
+
+      // Verify PKCE if code challenge was provided
+      if (payload.codeChallenge) {
+        if (!code_verifier) {
+          return Response.json(
+            {
+              error: "invalid_grant",
+              error_description: "code_verifier required",
+            },
+            { status: 400 },
+          );
+        }
+
+        // Verify the code verifier
+        let computedChallenge: string;
+        if (payload.codeChallengeMethod === "S256") {
+          const encoder = new TextEncoder();
+          const data = encoder.encode(code_verifier);
+          const hash = await crypto.subtle.digest("SHA-256", data);
+          computedChallenge = btoa(String.fromCharCode(...new Uint8Array(hash)))
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=+$/, "");
+        } else {
+          computedChallenge = code_verifier;
+        }
+
+        if (computedChallenge !== payload.codeChallenge) {
+          return Response.json(
+            {
+              error: "invalid_grant",
+              error_description: "Invalid code_verifier",
+            },
+            { status: 400 },
+          );
+        }
+      }
+
+      // Return the actual token
+      return Response.json(
+        {
+          access_token: payload.accessToken,
+          token_type: payload.tokenType,
+        },
+        {
+          headers: {
+            "Cache-Control": "no-store",
+            Pragma: "no-cache",
+          },
+        },
+      );
+    } catch (err) {
+      console.error("Token exchange error:", err);
+      return Response.json(
+        {
+          error: "server_error",
+          error_description: "Failed to process token request",
+        },
+        { status: 500 },
+      );
+    }
+  };
+
+  /**
+   * Handle dynamic client registration (RFC7591)
+   * Stateless: just generates a client_id and returns it, no storage needed
+   */
+  const handleClientRegistration = async (req: Request): Promise<Response> => {
+    try {
+      const body = (await req.json()) as {
+        redirect_uris?: string[];
+        client_name?: string;
+        grant_types?: string[];
+        response_types?: string[];
+        token_endpoint_auth_method?: string;
+        scope?: string;
+        client_uri?: string;
+      };
+
+      // Validate redirect URIs
+      if (!body.redirect_uris || body.redirect_uris.length === 0) {
+        return Response.json(
+          {
+            error: "invalid_redirect_uri",
+            error_description: "At least one redirect_uri is required",
+          },
+          { status: 400 },
+        );
+      }
+
+      for (const uri of body.redirect_uris) {
+        if (!isValidRedirectUri(uri)) {
+          return Response.json(
+            {
+              error: "invalid_redirect_uri",
+              error_description: `Invalid redirect URI: ${uri}`,
+            },
+            { status: 400 },
+          );
+        }
+      }
+
+      const clientId = generateRandomToken(32);
+      const clientSecret =
+        body.token_endpoint_auth_method !== "none"
+          ? generateRandomToken(32)
+          : undefined;
+      const now = Math.floor(Date.now() / 1000);
+
+      const client: OAuthClient = {
+        client_id: clientId,
+        client_secret: clientSecret,
+        client_name: body.client_name,
+        redirect_uris: body.redirect_uris,
+        grant_types: body.grant_types ?? ["authorization_code"],
+        response_types: body.response_types ?? ["code"],
+        token_endpoint_auth_method:
+          body.token_endpoint_auth_method ?? "client_secret_post",
+        scope: body.scope,
+        client_id_issued_at: now,
+        client_secret_expires_at: 0,
+      };
+
+      // Save client if persistence is provided
+      if (oauth.persistence) {
+        await oauth.persistence.saveClient(client);
+      }
+
+      return new Response(JSON.stringify(client), {
+        status: 201,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-store",
+          Pragma: "no-cache",
+        },
+      });
+    } catch (err) {
+      console.error("Client registration error:", err);
+      return Response.json(
+        {
+          error: "invalid_client_metadata",
+          error_description: "Invalid client registration request",
+        },
+        { status: 400 },
+      );
+    }
+  };
+
+  /**
+   * Return 401 with WWW-Authenticate header for unauthenticated MCP requests
+   * Per MCP spec: MUST include resource_metadata URL
+   */
+  const createUnauthorizedResponse = (req: Request): Response => {
+    const url = forceHttps(new URL(req.url));
+    const resourceMetadataUrl = `${url.origin}/.well-known/oauth-protected-resource`;
+    const wwwAuthenticateValue = `Bearer resource_metadata="${resourceMetadataUrl}", scope="*"`;
+
+    return Response.json(
+      {
+        jsonrpc: "2.0",
+        error: {
+          code: -32000,
+          message: "Unauthorized: Authentication required",
+        },
+        id: null,
+      },
+      {
+        status: 401,
+        headers: {
+          "WWW-Authenticate": wwwAuthenticateValue,
+          "Access-Control-Expose-Headers": "WWW-Authenticate",
+        },
+      },
+    );
+  };
+
+  /**
+   * Check if request has authentication token
+   */
+  const hasAuth = (req: Request) => req.headers.has("Authorization");
+
+  return {
+    handleProtectedResourceMetadata,
+    handleAuthorizationServerMetadata,
+    handleAuthorize,
+    handleOAuthCallback,
+    handleToken,
+    handleClientRegistration,
+    createUnauthorizedResponse,
+    hasAuth,
+  };
+}