@dxheroes/local-mcp-backend 0.9.2 → 0.10.0

package/src/modules/auth/mcp-oauth.utils.ts

@@ -0,0 +1,80 @@
+import type { ConfigService } from '@nestjs/config';
+
+const DEFAULT_BACKEND_PORT = '3001';
+const DEFAULT_FRONTEND_PORT = '3000';
+
+function trimTrailingSlash(value: string): string {
+  return value.replace(/\/+$/, '');
+}
+
+function swapPort(origin: string, fromPort: string, toPort: string): string {
+  const url = new URL(origin);
+  if (url.port === fromPort) {
+    url.port = toPort;
+  }
+  return trimTrailingSlash(url.origin);
+}
+
+export function resolvePublicBackendOrigin(configService: ConfigService): string {
+  const configuredUrl = configService.get<string>('BETTER_AUTH_URL');
+  if (configuredUrl) {
+    return trimTrailingSlash(new URL(configuredUrl).origin);
+  }
+
+  const port = configService.get<number>('app.port') || Number(DEFAULT_BACKEND_PORT);
+  return `http://localhost:${port}`;
+}
+
+export function resolvePublicAuthBaseUrl(configService: ConfigService): string {
+  return `${resolvePublicBackendOrigin(configService)}/api/auth`;
+}
+
+export function resolveFrontendOrigin(configService: ConfigService): string {
+  const configuredUrl = configService.get<string>('FRONTEND_URL');
+  if (configuredUrl) {
+    return trimTrailingSlash(new URL(configuredUrl).origin);
+  }
+
+  const backendOrigin = resolvePublicBackendOrigin(configService);
+  const backendUrl = new URL(backendOrigin);
+
+  if (backendUrl.port === '9631') {
+    return swapPort(backendOrigin, '9631', '9630');
+  }
+
+  if (backendUrl.port === DEFAULT_BACKEND_PORT) {
+    return swapPort(backendOrigin, DEFAULT_BACKEND_PORT, DEFAULT_FRONTEND_PORT);
+  }
+
+  return trimTrailingSlash(backendUrl.origin);
+}
+
+export function resolveMcpLoginPageUrl(configService: ConfigService): string {
+  return `${resolveFrontendOrigin(configService)}/sign-in`;
+}
+
+export function createMcpProtectedResourceMetadata(configService: ConfigService) {
+  const backendOrigin = resolvePublicBackendOrigin(configService);
+  const authBaseUrl = resolvePublicAuthBaseUrl(configService);
+
+  return {
+    resource: `${backendOrigin}/api/mcp`,
+    authorization_servers: [backendOrigin],
+    bearer_methods_supported: ['header'],
+    scopes_supported: ['openid', 'profile', 'email', 'offline_access'],
+    jwks_uri: `${authBaseUrl}/mcp/jwks`,
+    resource_signing_alg_values_supported: ['RS256', 'none'],
+  };
+}
+
+export function createMcpWwwAuthenticateHeader(configService: ConfigService): string {
+  const resourceMetadataUrl = `${resolvePublicBackendOrigin(
+    configService
+  )}/.well-known/oauth-protected-resource`;
+
+  return [
+    'Bearer',
+    `resource_metadata="${resourceMetadataUrl}"`,
+    `resource_metadata_uri="${resourceMetadataUrl}"`,
+  ].join(' ');
+}

package/src/modules/mcp/mcp.service.ts

@@ -254,11 +254,11 @@ export class McpService {
 
     // For remote_http servers, connect and fetch tools
     if (server.type === 'remote_http') {
-      const config = this.parseConfig(server.config) as { url: string };
+      const config = this.parseConfig(server.config) as { url: string; headers?: Record<string, string> };
       const apiKeyConfig = server.apiKeyConfig ? JSON.parse(server.apiKeyConfig as string) : null;
 
       const remoteServer = new RemoteHttpMcpServer(
-        { url: config.url, transport: 'http' },
+        { url: config.url, transport: 'http', headers: config.headers },
         null,
         apiKeyConfig
       );
@@ -269,11 +269,11 @@ export class McpService {
 
     // For remote_sse servers, connect and fetch tools
     if (server.type === 'remote_sse') {
-      const config = this.parseConfig(server.config) as { url: string };
+      const config = this.parseConfig(server.config) as { url: string; headers?: Record<string, string> };
       const apiKeyConfig = server.apiKeyConfig ? JSON.parse(server.apiKeyConfig as string) : null;
 
       const remoteServer = new RemoteSseMcpServer(
-        { url: config.url, transport: 'sse' },
+        { url: config.url, transport: 'sse', headers: config.headers },
         null,
         apiKeyConfig
       );
@@ -410,14 +410,30 @@ export class McpService {
     }
 
     // For remote_http servers, validate by connecting
+    let oauthRequired = false;
     if (server.type === 'remote_http' && status === 'unknown') {
-      const config = this.parseConfig(server.config) as { url: string };
+      const config = this.parseConfig(server.config) as { url: string; headers?: Record<string, string> };
       const apiKeyConfig = server.apiKeyConfig ? JSON.parse(server.apiKeyConfig as string) : null;
 
+      // Get OAuth token if available, mapping Prisma types to core OAuthToken
+      const oauthToken = server.oauthToken
+        ? {
+            id: server.oauthToken.id,
+            mcpServerId: server.oauthToken.mcpServerId,
+            accessToken: server.oauthToken.accessToken,
+            tokenType: server.oauthToken.tokenType,
+            refreshToken: server.oauthToken.refreshToken ?? undefined,
+            scope: server.oauthToken.scope ?? undefined,
+            expiresAt: server.oauthToken.expiresAt?.getTime(),
+            createdAt: server.oauthToken.createdAt.getTime(),
+            updatedAt: server.oauthToken.updatedAt.getTime(),
+          }
+        : null;
+
       try {
         const remoteServer = new RemoteHttpMcpServer(
-          { url: config.url, transport: 'http' },
-          null,
+          { url: config.url, transport: 'http', headers: config.headers },
+          oauthToken,
           apiKeyConfig
         );
         await remoteServer.initialize();
@@ -427,19 +443,39 @@ export class McpService {
       } catch (error) {
         status = 'error';
         validationError = error instanceof Error ? error.message : 'Unknown error';
-        validationDetails = `Connection failed: ${validationError}`;
+        if (validationError.includes('OAUTH_REQUIRED')) {
+          oauthRequired = true;
+          validationDetails = 'OAuth authentication required. Click "Login with OAuth" to authorize.';
+        } else {
+          validationDetails = `Connection failed: ${validationError}`;
+        }
       }
     }
 
     // For remote_sse servers, validate by connecting
     if (server.type === 'remote_sse' && status === 'unknown') {
-      const config = this.parseConfig(server.config) as { url: string };
+      const config = this.parseConfig(server.config) as { url: string; headers?: Record<string, string> };
       const apiKeyConfig = server.apiKeyConfig ? JSON.parse(server.apiKeyConfig as string) : null;
 
+      // Get OAuth token if available, mapping Prisma types to core OAuthToken
+      const oauthToken = server.oauthToken
+        ? {
+            id: server.oauthToken.id,
+            mcpServerId: server.oauthToken.mcpServerId,
+            accessToken: server.oauthToken.accessToken,
+            tokenType: server.oauthToken.tokenType,
+            refreshToken: server.oauthToken.refreshToken ?? undefined,
+            scope: server.oauthToken.scope ?? undefined,
+            expiresAt: server.oauthToken.expiresAt?.getTime(),
+            createdAt: server.oauthToken.createdAt.getTime(),
+            updatedAt: server.oauthToken.updatedAt.getTime(),
+          }
+        : null;
+
       try {
         const remoteServer = new RemoteSseMcpServer(
-          { url: config.url, transport: 'sse' },
-          null,
+          { url: config.url, transport: 'sse', headers: config.headers },
+          oauthToken,
           apiKeyConfig
         );
         await remoteServer.initialize();
@@ -449,7 +485,12 @@ export class McpService {
       } catch (error) {
         status = 'error';
         validationError = error instanceof Error ? error.message : 'Unknown error';
-        validationDetails = `Connection failed: ${validationError}`;
+        if (validationError.includes('OAUTH_REQUIRED')) {
+          oauthRequired = true;
+          validationDetails = 'OAuth authentication required. Click "Login with OAuth" to authorize.';
+        } else {
+          validationDetails = `Connection failed: ${validationError}`;
+        }
       }
     }
 
@@ -493,6 +534,7 @@ export class McpService {
       hasOAuth,
       requiresApiKey,
       requiresOAuth,
+      oauthRequired,
       isReady,
       status,
       error: validationError,

package/src/modules/oauth/oauth.controller.ts

@@ -4,7 +4,21 @@
  * REST API endpoints for OAuth token management.
  */
 
-import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  HttpCode,
+  HttpStatus,
+  Logger,
+  Param,
+  Post,
+  Query,
+  Req,
+  Res,
+} from '@nestjs/common';
+import type { Request, Response } from 'express';
 import { SkipOrgCheck } from '../auth/decorators/skip-org-check.decorator.js';
 import { OAuthService } from './oauth.service.js';
 
@@ -36,8 +50,77 @@ interface StoreTokenDto {
 @SkipOrgCheck()
 @Controller('oauth')
 export class OAuthController {
+  private readonly logger = new Logger(OAuthController.name);
+
   constructor(private readonly oauthService: OAuthService) {}
 
+  /**
+   * Start OAuth auto-discovery flow for an MCP server.
+   * Discovers OAuth endpoints via RFC 9728/8414, performs DCR if needed,
+   * and redirects the browser to the authorization server.
+   */
+  @Get('authorize/:serverId')
+  async authorize(
+    @Param('serverId') serverId: string,
+    @Req() req: Request,
+    @Res() res: Response
+  ) {
+    try {
+      const callbackUrl = `${req.protocol}://${req.get('host')}/api/oauth/callback`;
+      const authorizationUrl = await this.oauthService.discoverAndAuthorize(serverId, callbackUrl);
+      res.redirect(authorizationUrl);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      this.logger.error(`OAuth authorize failed for ${serverId}: ${message}`);
+      res.status(400).send(this.renderCallbackPage(false, message));
+    }
+  }
+
+  /**
+   * OAuth callback endpoint. Receives authorization code, exchanges for tokens,
+   * and returns an HTML page that notifies the opener window.
+   */
+  @Get('callback')
+  async callback(
+    @Query('code') code: string,
+    @Query('state') state: string,
+    @Req() req: Request,
+    @Res() res: Response
+  ) {
+    if (!code || !state) {
+      res.status(400).send(this.renderCallbackPage(false, 'Missing code or state parameter'));
+      return;
+    }
+
+    const serverId = state;
+    const callbackUrl = `${req.protocol}://${req.get('host')}/api/oauth/callback`;
+
+    const result = await this.oauthService.handleCallback(serverId, code, callbackUrl);
+    res.status(200).send(this.renderCallbackPage(result.success, result.error));
+  }
+
+  /**
+   * Render an HTML page that posts a message to the opener window and closes itself.
+   */
+  private renderCallbackPage(success: boolean, error?: string): string {
+    const message = JSON.stringify({
+      type: 'oauth-callback',
+      success,
+      error: error || null,
+    });
+    return `<!DOCTYPE html>
+<html><head><title>OAuth ${success ? 'Success' : 'Error'}</title></head>
+<body>
+<p>${success ? 'Authorization successful! This window will close.' : `Error: ${error}`}</p>
+<script>
+  if (window.opener) {
+    window.opener.postMessage(${message}, '*');
+  }
+  setTimeout(function() { window.close(); }, 2000);
+</script>
+</body></html>`;
+  }
+
   /**
    * Start OAuth flow for an MCP server
    */

package/src/modules/oauth/oauth.service.ts

@@ -4,7 +4,8 @@
  * Manages OAuth tokens for MCP servers.
  */
 
-import { BadRequestException, Injectable, NotFoundException } from '@nestjs/common';
+import { OAuthDiscoveryService } from '@dxheroes/local-mcp-core';
+import { BadRequestException, Injectable, Logger, NotFoundException } from '@nestjs/common';
 import { PrismaService } from '../database/prisma.service.js';
 
 interface StartOAuthFlowDto {
@@ -35,8 +36,10 @@ interface StoreTokenDto {
 
 @Injectable()
 export class OAuthService {
+  private readonly logger = new Logger(OAuthService.name);
   // In-memory storage for PKCE verifiers (in production, use Redis or similar)
   private pkceVerifiers = new Map<string, { verifier: string; expiresAt: number }>();
+  private readonly discoveryService = new OAuthDiscoveryService();
 
   constructor(private readonly prisma: PrismaService) {}
 
@@ -183,6 +186,220 @@ export class OAuthService {
     });
   }
 
+  /**
+   * Discover OAuth configuration and build an authorization URL for a server.
+   * Uses RFC 9728 / 8414 / 7591 auto-discovery and optional DCR.
+   * Returns an authorization URL the browser should be redirected to.
+   */
+  async discoverAndAuthorize(serverId: string, callbackUrl: string): Promise<string> {
+    const server = await this.prisma.mcpServer.findUnique({ where: { id: serverId } });
+    if (!server) {
+      throw new NotFoundException(`MCP server ${serverId} not found`);
+    }
+
+    // Parse server URL from config
+    const config = typeof server.config === 'string' ? JSON.parse(server.config) : server.config;
+    const serverUrl = config?.url as string | undefined;
+    if (!serverUrl) {
+      throw new BadRequestException('Server has no URL configured');
+    }
+
+    // Parse existing oauthConfig if any (may have manual clientId)
+    const existingOAuthConfig = server.oauthConfig
+      ? typeof server.oauthConfig === 'string'
+        ? JSON.parse(server.oauthConfig)
+        : server.oauthConfig
+      : null;
+
+    // Step 1: Discover OAuth endpoints via RFC 9728 + 8414
+    this.logger.log(`Discovering OAuth for server ${serverId} at ${serverUrl}`);
+    const discovery = await this.discoveryService.discoverFromServerUrl(serverUrl);
+
+    // Step 2: Get or register client
+    let clientId: string;
+
+    if (existingOAuthConfig?.clientId) {
+      // Use manually configured clientId
+      clientId = existingOAuthConfig.clientId;
+    } else {
+      // Check for existing DCR registration
+      const existingReg = await this.prisma.oAuthClientRegistration.findUnique({
+        where: {
+          mcpServerId_authorizationServerUrl: {
+            mcpServerId: serverId,
+            authorizationServerUrl: discovery.authorizationServerUrl,
+          },
+        },
+      });
+
+      if (existingReg) {
+        // Delete stale registration — redirect_uri may have changed
+        await this.prisma.oAuthClientRegistration.delete({
+          where: { id: existingReg.id },
+        });
+        this.logger.log(`Deleted stale DCR registration for ${serverId}, will re-register`);
+      }
+
+      if (discovery.registrationEndpoint) {
+        // Perform Dynamic Client Registration (RFC 7591)
+        this.logger.log(`Performing DCR at ${discovery.registrationEndpoint}`);
+        const registration = await this.discoveryService.registerClient(
+          discovery.registrationEndpoint,
+          callbackUrl,
+          discovery.scopes
+        );
+        clientId = registration.clientId;
+
+        // Store registration
+        await this.prisma.oAuthClientRegistration.create({
+          data: {
+            mcpServerId: serverId,
+            authorizationServerUrl: discovery.authorizationServerUrl,
+            clientId: registration.clientId,
+            clientSecret: registration.clientSecret,
+            registrationAccessToken: registration.registrationAccessToken,
+          },
+        });
+      } else {
+        throw new BadRequestException(
+          'No clientId configured and server does not support Dynamic Client Registration. ' +
+            'Please configure a clientId manually in the OAuth settings.'
+        );
+      }
+    }
+
+    // Step 3: Store discovery result in oauthConfig on the server
+    await this.prisma.mcpServer.update({
+      where: { id: serverId },
+      data: {
+        oauthConfig: JSON.stringify({
+          authorizationServerUrl: discovery.authorizationServerUrl,
+          authorizationEndpoint: discovery.authorizationEndpoint,
+          tokenEndpoint: discovery.tokenEndpoint,
+          registrationEndpoint: discovery.registrationEndpoint,
+          resource: discovery.resource,
+          scopes: discovery.scopes,
+          clientId,
+          requiresOAuth: true,
+        }),
+      },
+    });
+
+    // Step 4: Generate PKCE
+    const codeVerifier = this.generateCodeVerifier();
+    const codeChallenge = await this.generateCodeChallenge(codeVerifier);
+
+    // Store verifier (expires in 10 minutes)
+    this.pkceVerifiers.set(serverId, {
+      verifier: codeVerifier,
+      expiresAt: Date.now() + 10 * 60 * 1000,
+    });
+
+    // Step 5: Build authorization URL
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: clientId,
+      redirect_uri: callbackUrl,
+      code_challenge: codeChallenge,
+      code_challenge_method: 'S256',
+      state: serverId, // Use serverId as state for callback routing
+    });
+
+    if (discovery.scopes.length > 0) {
+      params.set('scope', discovery.scopes.join(' '));
+    }
+
+    if (discovery.resource) {
+      params.set('resource', discovery.resource);
+    }
+
+    return `${discovery.authorizationEndpoint}?${params.toString()}`;
+  }
+
+  /**
+   * Handle OAuth callback: exchange authorization code for tokens.
+   */
+  async handleCallback(
+    serverId: string,
+    code: string,
+    callbackUrl: string
+  ): Promise<{ success: boolean; error?: string }> {
+    const server = await this.prisma.mcpServer.findUnique({ where: { id: serverId } });
+    if (!server) {
+      return { success: false, error: `MCP server ${serverId} not found` };
+    }
+
+    // Retrieve PKCE verifier
+    const pkceEntry = this.pkceVerifiers.get(serverId);
+    if (!pkceEntry) {
+      return { success: false, error: 'PKCE verifier not found or expired' };
+    }
+    if (pkceEntry.expiresAt < Date.now()) {
+      this.pkceVerifiers.delete(serverId);
+      return { success: false, error: 'PKCE verifier expired' };
+    }
+    const codeVerifier = pkceEntry.verifier;
+    this.pkceVerifiers.delete(serverId);
+
+    // Get oauthConfig for token endpoint and clientId
+    const oauthConfig = server.oauthConfig
+      ? typeof server.oauthConfig === 'string'
+        ? JSON.parse(server.oauthConfig)
+        : server.oauthConfig
+      : null;
+
+    if (!oauthConfig?.tokenEndpoint || !oauthConfig?.clientId) {
+      return { success: false, error: 'OAuth configuration incomplete (missing tokenEndpoint or clientId)' };
+    }
+
+    try {
+      // Exchange code for tokens
+      const response = await fetch(oauthConfig.tokenEndpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'authorization_code',
+          code,
+          redirect_uri: callbackUrl,
+          client_id: oauthConfig.clientId,
+          code_verifier: codeVerifier,
+        }),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return { success: false, error: `Token exchange failed: ${errorText}` };
+      }
+
+      const tokenData = (await response.json()) as {
+        access_token: string;
+        refresh_token?: string;
+        token_type?: string;
+        scope?: string;
+        expires_in?: number;
+      };
+
+      const expiresAt = tokenData.expires_in
+        ? new Date(Date.now() + tokenData.expires_in * 1000)
+        : null;
+
+      // Store token
+      await this.storeToken({
+        mcpServerId: serverId,
+        accessToken: tokenData.access_token,
+        refreshToken: tokenData.refresh_token,
+        tokenType: tokenData.token_type || 'Bearer',
+        scope: tokenData.scope,
+        expiresAt,
+      });
+
+      return { success: true };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      return { success: false, error: message };
+    }
+  }
+
   /**
    * Generate a random code verifier for PKCE
    */