@dxheroes/local-mcp-backend 0.9.2 → 0.11.0

package/src/modules/oauth/oauth.service.ts

@@ -4,7 +4,8 @@
  * Manages OAuth tokens for MCP servers.
  */
 
-import { BadRequestException, Injectable, NotFoundException } from '@nestjs/common';
+import { OAuthDiscoveryService } from '@dxheroes/local-mcp-core';
+import { BadRequestException, Injectable, Logger, NotFoundException } from '@nestjs/common';
 import { PrismaService } from '../database/prisma.service.js';
 
 interface StartOAuthFlowDto {
@@ -35,8 +36,10 @@ interface StoreTokenDto {
 
 @Injectable()
 export class OAuthService {
+  private readonly logger = new Logger(OAuthService.name);
   // In-memory storage for PKCE verifiers (in production, use Redis or similar)
   private pkceVerifiers = new Map<string, { verifier: string; expiresAt: number }>();
+  private readonly discoveryService = new OAuthDiscoveryService();
 
   constructor(private readonly prisma: PrismaService) {}
 
@@ -183,6 +186,220 @@ export class OAuthService {
     });
   }
 
+  /**
+   * Discover OAuth configuration and build an authorization URL for a server.
+   * Uses RFC 9728 / 8414 / 7591 auto-discovery and optional DCR.
+   * Returns an authorization URL the browser should be redirected to.
+   */
+  async discoverAndAuthorize(serverId: string, callbackUrl: string): Promise<string> {
+    const server = await this.prisma.mcpServer.findUnique({ where: { id: serverId } });
+    if (!server) {
+      throw new NotFoundException(`MCP server ${serverId} not found`);
+    }
+
+    // Parse server URL from config
+    const config = typeof server.config === 'string' ? JSON.parse(server.config) : server.config;
+    const serverUrl = config?.url as string | undefined;
+    if (!serverUrl) {
+      throw new BadRequestException('Server has no URL configured');
+    }
+
+    // Parse existing oauthConfig if any (may have manual clientId)
+    const existingOAuthConfig = server.oauthConfig
+      ? typeof server.oauthConfig === 'string'
+        ? JSON.parse(server.oauthConfig)
+        : server.oauthConfig
+      : null;
+
+    // Step 1: Discover OAuth endpoints via RFC 9728 + 8414
+    this.logger.log(`Discovering OAuth for server ${serverId} at ${serverUrl}`);
+    const discovery = await this.discoveryService.discoverFromServerUrl(serverUrl);
+
+    // Step 2: Get or register client
+    let clientId: string;
+
+    if (existingOAuthConfig?.clientId) {
+      // Use manually configured clientId
+      clientId = existingOAuthConfig.clientId;
+    } else {
+      // Check for existing DCR registration
+      const existingReg = await this.prisma.oAuthClientRegistration.findUnique({
+        where: {
+          mcpServerId_authorizationServerUrl: {
+            mcpServerId: serverId,
+            authorizationServerUrl: discovery.authorizationServerUrl,
+          },
+        },
+      });
+
+      if (existingReg) {
+        // Delete stale registration — redirect_uri may have changed
+        await this.prisma.oAuthClientRegistration.delete({
+          where: { id: existingReg.id },
+        });
+        this.logger.log(`Deleted stale DCR registration for ${serverId}, will re-register`);
+      }
+
+      if (discovery.registrationEndpoint) {
+        // Perform Dynamic Client Registration (RFC 7591)
+        this.logger.log(`Performing DCR at ${discovery.registrationEndpoint}`);
+        const registration = await this.discoveryService.registerClient(
+          discovery.registrationEndpoint,
+          callbackUrl,
+          discovery.scopes
+        );
+        clientId = registration.clientId;
+
+        // Store registration
+        await this.prisma.oAuthClientRegistration.create({
+          data: {
+            mcpServerId: serverId,
+            authorizationServerUrl: discovery.authorizationServerUrl,
+            clientId: registration.clientId,
+            clientSecret: registration.clientSecret,
+            registrationAccessToken: registration.registrationAccessToken,
+          },
+        });
+      } else {
+        throw new BadRequestException(
+          'No clientId configured and server does not support Dynamic Client Registration. ' +
+            'Please configure a clientId manually in the OAuth settings.'
+        );
+      }
+    }
+
+    // Step 3: Store discovery result in oauthConfig on the server
+    await this.prisma.mcpServer.update({
+      where: { id: serverId },
+      data: {
+        oauthConfig: JSON.stringify({
+          authorizationServerUrl: discovery.authorizationServerUrl,
+          authorizationEndpoint: discovery.authorizationEndpoint,
+          tokenEndpoint: discovery.tokenEndpoint,
+          registrationEndpoint: discovery.registrationEndpoint,
+          resource: discovery.resource,
+          scopes: discovery.scopes,
+          clientId,
+          requiresOAuth: true,
+        }),
+      },
+    });
+
+    // Step 4: Generate PKCE
+    const codeVerifier = this.generateCodeVerifier();
+    const codeChallenge = await this.generateCodeChallenge(codeVerifier);
+
+    // Store verifier (expires in 10 minutes)
+    this.pkceVerifiers.set(serverId, {
+      verifier: codeVerifier,
+      expiresAt: Date.now() + 10 * 60 * 1000,
+    });
+
+    // Step 5: Build authorization URL
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: clientId,
+      redirect_uri: callbackUrl,
+      code_challenge: codeChallenge,
+      code_challenge_method: 'S256',
+      state: serverId, // Use serverId as state for callback routing
+    });
+
+    if (discovery.scopes.length > 0) {
+      params.set('scope', discovery.scopes.join(' '));
+    }
+
+    if (discovery.resource) {
+      params.set('resource', discovery.resource);
+    }
+
+    return `${discovery.authorizationEndpoint}?${params.toString()}`;
+  }
+
+  /**
+   * Handle OAuth callback: exchange authorization code for tokens.
+   */
+  async handleCallback(
+    serverId: string,
+    code: string,
+    callbackUrl: string
+  ): Promise<{ success: boolean; error?: string }> {
+    const server = await this.prisma.mcpServer.findUnique({ where: { id: serverId } });
+    if (!server) {
+      return { success: false, error: `MCP server ${serverId} not found` };
+    }
+
+    // Retrieve PKCE verifier
+    const pkceEntry = this.pkceVerifiers.get(serverId);
+    if (!pkceEntry) {
+      return { success: false, error: 'PKCE verifier not found or expired' };
+    }
+    if (pkceEntry.expiresAt < Date.now()) {
+      this.pkceVerifiers.delete(serverId);
+      return { success: false, error: 'PKCE verifier expired' };
+    }
+    const codeVerifier = pkceEntry.verifier;
+    this.pkceVerifiers.delete(serverId);
+
+    // Get oauthConfig for token endpoint and clientId
+    const oauthConfig = server.oauthConfig
+      ? typeof server.oauthConfig === 'string'
+        ? JSON.parse(server.oauthConfig)
+        : server.oauthConfig
+      : null;
+
+    if (!oauthConfig?.tokenEndpoint || !oauthConfig?.clientId) {
+      return { success: false, error: 'OAuth configuration incomplete (missing tokenEndpoint or clientId)' };
+    }
+
+    try {
+      // Exchange code for tokens
+      const response = await fetch(oauthConfig.tokenEndpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'authorization_code',
+          code,
+          redirect_uri: callbackUrl,
+          client_id: oauthConfig.clientId,
+          code_verifier: codeVerifier,
+        }),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return { success: false, error: `Token exchange failed: ${errorText}` };
+      }
+
+      const tokenData = (await response.json()) as {
+        access_token: string;
+        refresh_token?: string;
+        token_type?: string;
+        scope?: string;
+        expires_in?: number;
+      };
+
+      const expiresAt = tokenData.expires_in
+        ? new Date(Date.now() + tokenData.expires_in * 1000)
+        : null;
+
+      // Store token
+      await this.storeToken({
+        mcpServerId: serverId,
+        accessToken: tokenData.access_token,
+        refreshToken: tokenData.refresh_token,
+        tokenType: tokenData.token_type || 'Bearer',
+        scope: tokenData.scope,
+        expiresAt,
+      });
+
+      return { success: true };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      return { success: false, error: message };
+    }
+  }
+
   /**
    * Generate a random code verifier for PKCE
    */

package/src/modules/proxy/proxy.controller.ts

@@ -19,46 +19,33 @@ import {
   Post,
   Req,
   Res,
-  UnauthorizedException,
+  UseGuards,
 } from '@nestjs/common';
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import type { Request, Response } from 'express';
 import { fromEvent, map } from 'rxjs';
-import { AuthService } from '../auth/auth.service.js';
 import { Public } from '../auth/decorators/public.decorator.js';
+import { McpOAuthGuard } from '../auth/mcp-oauth.guard.js';
 import { GATEWAY_PROFILE_CHANGED, SettingsService } from '../settings/settings.service.js';
 import type { McpRequest, McpResponse } from './proxy.service.js';
 import { ProxyService } from './proxy.service.js';
 
 @Public()
+@UseGuards(McpOAuthGuard)
 @Controller('mcp')
 export class ProxyController {
   constructor(
     private readonly proxyService: ProxyService,
     private readonly settingsService: SettingsService,
-    private readonly eventEmitter: EventEmitter2,
-    private readonly authService: AuthService
+    private readonly eventEmitter: EventEmitter2
   ) {}
 
   /**
-   * Resolve user from Bearer token (MCP OAuth).
-   * When no token is provided, returns unauthenticated sentinel so
-   * system profiles (organizationId=null) still work for unauthenticated MCP clients.
+   * Resolve user from request.
+   * McpOAuthGuard always validates and attaches user before this is called.
    */
-  private async resolveUser(req: Request): Promise<{ id: string }> {
-    const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith('Bearer ')) {
-      // No token — unauthenticated MCP client, can only access system profiles
-      return { id: '__unauthenticated__' };
-    }
-
-    const token = authHeader.slice(7);
-    const user = await this.authService.validateMcpToken(token);
-    if (!user) {
-      throw new UnauthorizedException('Invalid or expired MCP OAuth token');
-    }
-
-    return user;
+  private resolveUser(req: Request): { id: string } {
+    return req.user!;
   }
 
   // =========================================
@@ -90,7 +77,7 @@ export class ProxyController {
    */
   @Get('gateway/info')
   async getGatewayInfo(@Req() req: Request) {
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     const profileName = await this.settingsService.getDefaultGatewayProfile();
 
     try {
@@ -121,7 +108,7 @@ export class ProxyController {
       return this.streamGatewayEvents(req, res);
     }
 
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     const profileName = await this.settingsService.getDefaultGatewayProfile();
 
     try {
@@ -195,7 +182,7 @@ export class ProxyController {
     @Req() req: Request,
     @Body() request: McpRequest
   ): Promise<McpResponse> {
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     const profileName = await this.settingsService.getDefaultGatewayProfile();
 
     try {
@@ -210,6 +197,114 @@ export class ProxyController {
     }
   }
 
+  // =========================================
+  // Org-scoped Gateway Endpoints: /api/mcp/:orgSlug/gateway
+  // (must come BEFORE :orgSlug/:profileName to avoid "gateway" matching :profileName)
+  // =========================================
+
+  /**
+   * SSE endpoint for org-scoped gateway
+   */
+  @Get(':orgSlug/gateway/sse')
+  async streamOrgGatewaySse(
+    @Param('orgSlug') orgSlug: string,
+    @Req() req: Request,
+    @Res() res: Response
+  ) {
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+    return this.streamGatewayEvents(req, res);
+  }
+
+  /**
+   * POST handler for org-scoped gateway SSE
+   */
+  @Post(':orgSlug/gateway/sse')
+  @HttpCode(HttpStatus.OK)
+  async handleOrgGatewaySseRequest(
+    @Req() req: Request,
+    @Param('orgSlug') orgSlug: string,
+    @Body() request: McpRequest
+  ): Promise<McpResponse> {
+    const user = this.resolveUser(req);
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    return this.proxyService.handleRequestByOrgSlug(profileName, orgSlug, request, user.id);
+  }
+
+  /**
+   * Get org-scoped gateway info
+   */
+  @Get(':orgSlug/gateway/info')
+  async getOrgGatewayInfo(@Param('orgSlug') orgSlug: string) {
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    const info = await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+    return {
+      ...info,
+      gateway: {
+        activeProfile: profileName,
+      },
+    };
+  }
+
+  /**
+   * GET handler for org-scoped gateway endpoint
+   */
+  @Get(':orgSlug/gateway')
+  async getOrgGatewayEndpoint(
+    @Param('orgSlug') orgSlug: string,
+    @Req() req: Request,
+    @Res() res: Response
+  ) {
+    const acceptHeader = req.headers.accept || '';
+    if (acceptHeader.includes('text/event-stream')) {
+      const profileName = await this.settingsService.getDefaultGatewayProfile();
+      await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+      return this.streamGatewayEvents(req, res);
+    }
+
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    const info = await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+
+    return res.json({
+      message: 'This is the MCP Gateway endpoint. Use POST for JSON-RPC requests.',
+      usage: {
+        method: 'POST',
+        contentType: 'application/json',
+        body: { jsonrpc: '2.0', method: 'tools/list', id: 1 },
+      },
+      endpoints: {
+        sse: `/api/mcp/${orgSlug}/gateway/sse`,
+        http: `/api/mcp/${orgSlug}/gateway`,
+      },
+      gateway: {
+        activeProfile: profileName,
+        settingsEndpoint: '/api/settings/default-gateway-profile',
+      },
+      profile: {
+        name: profileName,
+        toolCount: info.tools.length,
+        serverCount: info.serverStatus.total,
+        connectedServers: info.serverStatus.connected,
+      },
+      infoEndpoint: `/api/mcp/${orgSlug}/gateway/info`,
+    });
+  }
+
+  /**
+   * MCP JSON-RPC endpoint for org-scoped gateway
+   */
+  @Post(':orgSlug/gateway')
+  @HttpCode(HttpStatus.OK)
+  async handleOrgGatewayRequest(
+    @Req() req: Request,
+    @Param('orgSlug') orgSlug: string,
+    @Body() request: McpRequest
+  ): Promise<McpResponse> {
+    const user = this.resolveUser(req);
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    return this.proxyService.handleRequestByOrgSlug(profileName, orgSlug, request, user.id);
+  }
+
   // =========================================
   // Org-scoped Profile Endpoints: /api/mcp/:orgSlug/:profileName
   // =========================================
@@ -302,7 +397,7 @@ export class ProxyController {
     @Param('profileName') profileName: string,
     @Body() request: McpRequest
   ): Promise<McpResponse> {
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     return this.proxyService.handleRequestByOrgSlug(profileName, orgSlug, request, user.id);
   }
 }

package/src/modules/proxy/proxy.service.ts

@@ -41,6 +41,7 @@ export interface McpResponse {
 interface ServerConfig {
   builtinId?: string;
   url?: string;
+  headers?: Record<string, string>;
   // External server config
   command?: string;
   args?: string[];
@@ -488,11 +489,32 @@ export class ProxyService {
       }
     }
 
+    // For remote_http and remote_sse servers, look up OAuth token
+    let oauthToken = null;
+    if (server.type === 'remote_http' || server.type === 'remote_sse') {
+      const tokenRecord = await this.prisma.oAuthToken.findUnique({
+        where: { mcpServerId: server.id },
+      });
+      if (tokenRecord) {
+        oauthToken = {
+          id: tokenRecord.id,
+          mcpServerId: tokenRecord.mcpServerId,
+          accessToken: tokenRecord.accessToken,
+          tokenType: tokenRecord.tokenType,
+          refreshToken: tokenRecord.refreshToken ?? undefined,
+          scope: tokenRecord.scope ?? undefined,
+          expiresAt: tokenRecord.expiresAt?.getTime(),
+          createdAt: tokenRecord.createdAt.getTime(),
+          updatedAt: tokenRecord.updatedAt.getTime(),
+        };
+      }
+    }
+
     // For remote_http servers, create RemoteHttpMcpServer
     if (server.type === 'remote_http' && config?.url) {
       const remoteServer = new RemoteHttpMcpServer(
-        { url: config.url, transport: 'http' },
-        null,
+        { url: config.url, transport: 'http', headers: config.headers as Record<string, string> },
+        oauthToken,
         apiKeyConfig
       );
       await remoteServer.initialize();
@@ -503,8 +525,8 @@ export class ProxyService {
     // For remote_sse servers, create RemoteSseMcpServer
     if (server.type === 'remote_sse' && config?.url) {
       const remoteServer = new RemoteSseMcpServer(
-        { url: config.url, transport: 'sse' },
-        null,
+        { url: config.url, transport: 'sse', headers: config.headers as Record<string, string> },
+        oauthToken,
         apiKeyConfig
       );
       await remoteServer.initialize();

package/vitest.config.ts

@@ -1,10 +1,11 @@
 import { createVitestConfig } from '@dxheroes/local-mcp-config/vitest';
-import { defineConfig, mergeConfig } from 'vitest/config';
+import { configDefaults, defineConfig, mergeConfig } from 'vitest/config';
 
 export default mergeConfig(
   createVitestConfig(),
   defineConfig({
     test: {
+      exclude: [...configDefaults.exclude, 'dist/**', '**/dist/**'],
       root: '.',
       coverage: {
         provider: 'v8',