@gavdi/cap-mcp 0.9.3 → 0.9.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/auth/utils.js +81 -0
- package/package.json +2 -2
package/lib/auth/utils.js
CHANGED
|
@@ -4,6 +4,8 @@ exports.isAuthEnabled = isAuthEnabled;
|
|
|
4
4
|
exports.getAccessRights = getAccessRights;
|
|
5
5
|
exports.registerAuthMiddleware = registerAuthMiddleware;
|
|
6
6
|
const handler_1 = require("./handler");
|
|
7
|
+
const proxyProvider_js_1 = require("@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js");
|
|
8
|
+
const router_js_1 = require("@modelcontextprotocol/sdk/server/auth/router.js");
|
|
7
9
|
/**
|
|
8
10
|
* @fileoverview Authentication utilities for MCP-CAP integration.
|
|
9
11
|
*
|
|
@@ -128,4 +130,83 @@ function registerAuthMiddleware(expressApp) {
|
|
|
128
130
|
authMiddleware.push((0, handler_1.authHandlerFactory)());
|
|
129
131
|
// Apply auth middleware to all /mcp routes EXCEPT health
|
|
130
132
|
expressApp?.use(/^\/mcp(?!\/health).*/, ...authMiddleware);
|
|
133
|
+
// Then finally we add the oauth proxy to the xsuaa instance
|
|
134
|
+
configureOAuthProxy(expressApp);
|
|
135
|
+
}
|
|
136
|
+
/**
|
|
137
|
+
* Configures OAuth proxy middleware for enterprise authentication scenarios.
|
|
138
|
+
*
|
|
139
|
+
* This function sets up a proxy OAuth provider that integrates with SAP BTP
|
|
140
|
+
* authentication services (XSUAA/IAS) to enable MCP clients to authenticate
|
|
141
|
+
* through standard OAuth2 flows. The proxy handles:
|
|
142
|
+
*
|
|
143
|
+
* - OAuth2 authorization and token endpoints
|
|
144
|
+
* - Access token verification and validation
|
|
145
|
+
* - Client credential management
|
|
146
|
+
* - Integration with CAP authentication configuration
|
|
147
|
+
*
|
|
148
|
+
* The OAuth proxy is only configured for enterprise authentication types
|
|
149
|
+
* (jwt, xsuaa, ias) and skips configuration for basic auth types.
|
|
150
|
+
*
|
|
151
|
+
* @param expressApp - Express application instance to register OAuth routes on
|
|
152
|
+
*
|
|
153
|
+
* @throws {Error} When required OAuth credentials are missing or invalid
|
|
154
|
+
*
|
|
155
|
+
* @example
|
|
156
|
+
* ```typescript
|
|
157
|
+
* // Automatically called by registerAuthMiddleware()
|
|
158
|
+
* // Requires CAP auth configuration:
|
|
159
|
+
* // cds.env.requires.auth = {
|
|
160
|
+
* // kind: 'xsuaa',
|
|
161
|
+
* // credentials: {
|
|
162
|
+
* // clientid: 'your-client-id',
|
|
163
|
+
* // clientsecret: 'your-client-secret',
|
|
164
|
+
* // url: 'https://your-tenant.authentication.sap.hana.ondemand.com'
|
|
165
|
+
* // }
|
|
166
|
+
* // }
|
|
167
|
+
* ```
|
|
168
|
+
*
|
|
169
|
+
* @internal This function is called internally by registerAuthMiddleware()
|
|
170
|
+
* @since 1.0.0
|
|
171
|
+
*/
|
|
172
|
+
function configureOAuthProxy(expressApp) {
|
|
173
|
+
const config = cds.env.requires.auth;
|
|
174
|
+
const kind = config.kind;
|
|
175
|
+
const credentials = config.credentials;
|
|
176
|
+
// Safety guard - skip OAuth proxy for basic auth types
|
|
177
|
+
if (kind === "dummy" || kind === "mocked" || kind === "basic")
|
|
178
|
+
return;
|
|
179
|
+
else if (!credentials ||
|
|
180
|
+
!credentials.clientid ||
|
|
181
|
+
!credentials.clientsecret ||
|
|
182
|
+
!credentials.url) {
|
|
183
|
+
throw new Error("Invalid security credentials");
|
|
184
|
+
}
|
|
185
|
+
const proxyProvider = new proxyProvider_js_1.ProxyOAuthServerProvider({
|
|
186
|
+
endpoints: {
|
|
187
|
+
authorizationUrl: `${credentials.url}/oauth/authorize`,
|
|
188
|
+
tokenUrl: `${credentials.url}/oauth/token`,
|
|
189
|
+
revocationUrl: `${credentials.url}/oauth/revoke`,
|
|
190
|
+
},
|
|
191
|
+
verifyAccessToken: async (token) => {
|
|
192
|
+
return {
|
|
193
|
+
token,
|
|
194
|
+
clientId: credentials.clientid,
|
|
195
|
+
scopes: ["uaa.resource"],
|
|
196
|
+
};
|
|
197
|
+
},
|
|
198
|
+
getClient: async (client_id) => {
|
|
199
|
+
return {
|
|
200
|
+
client_secret: credentials.clientsecret,
|
|
201
|
+
client_id,
|
|
202
|
+
redirect_uris: ["http://localhost:3000/callback"], // Temporary value for now
|
|
203
|
+
};
|
|
204
|
+
},
|
|
205
|
+
});
|
|
206
|
+
expressApp.use((0, router_js_1.mcpAuthRouter)({
|
|
207
|
+
provider: proxyProvider,
|
|
208
|
+
issuerUrl: new URL(credentials.url),
|
|
209
|
+
//baseUrl: new URL(""), // I have left this out for the time being due to the defaulting to issuer
|
|
210
|
+
serviceDocumentationUrl: new URL("https://docs.cloudfoundry.org/api/uaa/version/77.34.0/index.html#authorization"),
|
|
211
|
+
}));
|
|
131
212
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@gavdi/cap-mcp",
|
|
3
|
-
"version": "0.9.
|
|
3
|
+
"version": "0.9.4",
|
|
4
4
|
"description": "MCP Pluging for CAP",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"MCP",
|
|
@@ -37,7 +37,7 @@
|
|
|
37
37
|
"express": "^4"
|
|
38
38
|
},
|
|
39
39
|
"dependencies": {
|
|
40
|
-
"@modelcontextprotocol/sdk": "^1.
|
|
40
|
+
"@modelcontextprotocol/sdk": "^1.17.1",
|
|
41
41
|
"zod": "^3.25.67",
|
|
42
42
|
"zod-to-json-schema": "^3.24.5"
|
|
43
43
|
},
|