@gmag11/nodered-mcp-server 1.0.1

package/src/auth/oauth-clients-store.js

@@ -0,0 +1,107 @@
+/**
+ * JSON file-backed OAuth client registry.
+ *
+ * Implements the SDK's client store interface:
+ * - getClient(clientId): retrieves a registered client
+ * - registerClient(clientData): registers a new OAuth client
+ *
+ * Uses atomic writes (temp file + rename) to prevent corruption.
+ */
+
+import { readFile, writeFile, rename } from 'node:fs/promises';
+import { randomUUID, randomBytes } from 'node:crypto';
+import path from 'node:path';
+
+/** Default clients store path when MCP_OAUTH_CLIENTS_FILE is not set. */
+const DEFAULT_CLIENTS_PATH = 'oauth-clients.json';
+
+/**
+ * Creates a JSON file-backed OAuth client registry.
+ *
+ * @param {string|null} filePath - Path to the JSON clients file (null = use default)
+ * @returns {Promise<ClientsStore>}
+ */
+export async function createClientsStore(filePath) {
+  const resolvedPath = path.resolve(filePath || DEFAULT_CLIENTS_PATH);
+  const clients = await loadClients(resolvedPath);
+
+  return {
+    /**
+     * Retrieve a registered OAuth client by ID.
+     *
+     * @param {string} clientId
+     * @returns {Promise<object|null>} The client object or null if not found
+     */
+    async getClient(clientId) {
+      return clients[clientId] || null;
+    },
+
+    /**
+     * Register a new OAuth client (Dynamic Client Registration).
+     *
+     * Generates client_id and client_secret cryptographically.
+     *
+     * @param {object} clientData
+     * @param {string} clientData.client_name
+     * @param {string[]} clientData.redirect_uris
+     * @returns {Promise<object>} The registered client
+     */
+    async registerClient(clientData) {
+      const clientId = randomUUID();
+      const clientSecret = randomBytes(32).toString('hex');
+
+      const client = {
+        client_id: clientId,
+        client_secret: clientSecret,
+        client_name: clientData.client_name,
+        redirect_uris: clientData.redirect_uris,
+        client_id_issued_at: Math.floor(Date.now() / 1000),
+      };
+
+      clients[clientId] = client;
+      await saveClients(resolvedPath, clients);
+
+      return client;
+    },
+  };
+}
+
+/**
+ * Load clients from the JSON file, or return empty object if the file
+ * does not exist.
+ *
+ * @param {string} filePath
+ * @returns {Promise<Record<string, object>>}
+ */
+async function loadClients(filePath) {
+  try {
+    const data = await readFile(filePath, 'utf-8');
+    return JSON.parse(data);
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      return {};
+    }
+    throw err;
+  }
+}
+
+/**
+ * Atomically save clients to the JSON file.
+ *
+ * Writes to a temp file first, then renames it over the target.
+ *
+ * @param {string} filePath
+ * @param {Record<string, object>} clients
+ * @returns {Promise<void>}
+ */
+async function saveClients(filePath, clients) {
+  const tmpPath = filePath + '.tmp';
+  await writeFile(tmpPath, JSON.stringify(clients, null, 2), 'utf-8');
+  await rename(tmpPath, filePath);
+}
+
+/**
+ * @typedef {object} ClientsStore
+ * @property {(clientId: string) => Promise<object|null>} getClient
+ * @property {(clientData: object) => Promise<object>} registerClient
+ */

package/src/auth/oauth-provider.js

@@ -0,0 +1,149 @@
+/**
+ * OAuth 2.0 server provider implementing the MCP SDK's OAuthServerProvider interface.
+ *
+ * Coordinates between:
+ * - ClientsStore: registered OAuth clients
+ * - TokenStore: authorization codes, access/refresh tokens
+ *
+ * Supports authorization code flow with PKCE (S256).
+ */
+
+import { InvalidGrantError, InvalidClientError } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+import { randomBytes } from 'node:crypto';
+
+/**
+ * Creates an OAuth server provider compatible with the SDK's mcpAuthRouter().
+ *
+ * @param {object} opts
+ * @param {import('./oauth-clients-store.js').ClientsStore} opts.clientsStore
+ * @param {import('./oauth-token-store.js').OAuthTokenStore} opts.tokenStore
+ * @returns {import('@modelcontextprotocol/sdk/server/auth/provider.js').OAuthServerProvider}
+ */
+export function createOAuthProvider({ clientsStore, tokenStore }) {
+  return {
+    // Expose clientsStore as required by the interface
+    get clientsStore() {
+      return clientsStore;
+    },
+
+    /**
+     * Begin the authorization flow.
+     *
+     * Generates an authorization code bound to the PKCE challenge,
+     * then redirects the client with the code and state.
+     *
+     * This is a programmatic authorization — no consent screen.
+     * For production, you may want to add a consent UI here.
+     */
+    async authorize(client, params, res) {
+      // Validate client
+      if (!client) {
+        throw new InvalidClientError('Unknown client');
+      }
+
+      const state = params.state;
+      const scopes = params.scopes || ['*'];
+      const codeChallenge = params.codeChallenge;
+      const redirectUri = params.redirectUri;
+
+      // Generate authorization code
+      const code = randomBytes(32).toString('hex');
+
+      // Store code with challenge for later verification
+      await tokenStore.saveAuthorizationCode(
+        code,
+        client.client_id,
+        codeChallenge,
+        redirectUri,
+        scopes,
+      );
+
+      // Build redirect URL with authorization code
+      const redirectUrl = new URL(redirectUri);
+      redirectUrl.searchParams.set('code', code);
+      if (state) {
+        redirectUrl.searchParams.set('state', state);
+      }
+
+      res.redirect(302, redirectUrl.href);
+    },
+
+    /**
+     * Retrieve the PKCE code challenge for an authorization code.
+     * Does NOT consume the code — the SDK calls this before exchangeAuthorizationCode.
+     */
+    async challengeForAuthorizationCode(_client, authorizationCode) {
+      const challenge = await tokenStore.getCodeChallenge(authorizationCode);
+      if (!challenge) {
+        throw new InvalidGrantError('Authorization code is invalid or expired');
+      }
+      return challenge;
+    },
+
+    /**
+     * Exchange an authorization code for access and refresh tokens.
+     */
+    async exchangeAuthorizationCode(client, authorizationCode, codeVerifier, redirectUri) {
+      // Consume the authorization code
+      const entry = await tokenStore.consumeAuthorizationCode(authorizationCode);
+      if (!entry) {
+        throw new InvalidGrantError('Authorization code is invalid or expired');
+      }
+
+      // Validate client matches
+      if (entry.clientId !== client.client_id) {
+        throw new InvalidGrantError('Authorization code was issued to a different client');
+      }
+
+      // Validate redirect URI if provided
+      if (redirectUri && entry.redirectUri !== redirectUri) {
+        throw new InvalidGrantError('Redirect URI mismatch');
+      }
+
+      // Issue tokens
+      const tokens = await tokenStore.issueTokens(client.client_id, entry.scopes);
+
+      return {
+        access_token: tokens.accessToken,
+        token_type: 'bearer',
+        expires_in: tokens.expiresIn,
+        refresh_token: tokens.refreshToken,
+        scope: entry.scopes.join(' '),
+      };
+    },
+
+    /**
+     * Exchange a refresh token for new tokens.
+     */
+    async exchangeRefreshToken(client, refreshToken, scopes) {
+      const result = await tokenStore.exchangeRefreshToken(refreshToken);
+      if (!result) {
+        throw new InvalidGrantError('Refresh token is invalid or expired');
+      }
+
+      const effectiveScopes = scopes && scopes.length > 0 ? scopes : ['*'];
+
+      return {
+        access_token: result.accessToken,
+        token_type: 'bearer',
+        expires_in: result.expiresIn,
+        refresh_token: result.refreshToken,
+        scope: effectiveScopes.join(' '),
+      };
+    },
+
+    /**
+     * Verify an access token. Delegates to token store.
+     */
+    async verifyAccessToken(token) {
+      return tokenStore.verifyAccessToken(token);
+    },
+
+    /**
+     * Revoke an access or refresh token.
+     */
+    async revokeToken(_client, request) {
+      await tokenStore.revokeToken(request.token);
+    },
+  };
+}

package/src/auth/oauth-token-store.js

@@ -0,0 +1,312 @@
+/**
+ * JSON file-backed OAuth token and authorization code store.
+ *
+ * Handles:
+ * - Authorization codes (temporary, with PKCE challenge)
+ * - Access tokens (with clientId, scopes, expiry)
+ * - Refresh tokens
+ * - Token revocation
+ *
+ * Uses atomic writes (temp file + rename) to prevent corruption.
+ */
+
+import { readFile, writeFile, rename } from 'node:fs/promises';
+import { randomBytes } from 'node:crypto';
+import path from 'node:path';
+import { InvalidTokenError } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+
+/** Default token store path when MCP_OAUTH_TOKENS_FILE is not set. */
+const DEFAULT_TOKENS_PATH = 'oauth-tokens.json';
+
+/** Access token lifetime: 1 hour */
+const ACCESS_TOKEN_TTL_SEC = 3600;
+
+/** Refresh token lifetime: 30 days */
+const REFRESH_TOKEN_TTL_SEC = 30 * 24 * 3600;
+
+/** Authorization code lifetime: 10 minutes */
+const AUTH_CODE_TTL_SEC = 600;
+
+/**
+ * Creates a JSON file-backed OAuth token store.
+ *
+ * @param {string|null} filePath - Path to the JSON tokens file (null = use default)
+ * @returns {Promise<OAuthTokenStore>}
+ */
+export async function createTokenStore(filePath) {
+  const resolvedPath = path.resolve(filePath || DEFAULT_TOKENS_PATH);
+  const data = await loadTokens(resolvedPath);
+
+  return {
+    // ── Authorization codes ──────────────────────────────────────
+
+    /**
+     * Store an authorization code with its PKCE challenge.
+     *
+     * @param {string} code
+     * @param {string} clientId
+     * @param {string} codeChallenge
+     * @param {string} redirectUri
+     * @param {string[]} scopes
+     */
+    async saveAuthorizationCode(code, clientId, codeChallenge, redirectUri, scopes) {
+      data.codes = data.codes || {};
+      data.codes[code] = {
+        clientId,
+        codeChallenge,
+        redirectUri,
+        scopes,
+        expiresAt: Math.floor(Date.now() / 1000) + AUTH_CODE_TTL_SEC,
+      };
+      await saveTokens(resolvedPath, data);
+    },
+
+    /**
+     * Look up the PKCE challenge for an authorization code WITHOUT consuming it.
+     * Returns null if the code is unknown or expired.
+     *
+     * @param {string} code
+     * @returns {Promise<string|null>}
+     */
+    async getCodeChallenge(code) {
+      data.codes = data.codes || {};
+      const entry = data.codes[code];
+      if (!entry) return null;
+      if (entry.expiresAt < Math.floor(Date.now() / 1000)) {
+        delete data.codes[code];
+        await saveTokens(resolvedPath, data);
+        return null;
+      }
+      return entry.codeChallenge;
+    },
+
+    /**
+     * Retrieve and consume an authorization code.
+     * Returns null if the code is unknown or expired.
+     *
+     * @param {string} code
+     * @returns {Promise<object|null>}
+     */
+    async consumeAuthorizationCode(code) {
+      data.codes = data.codes || {};
+      const entry = data.codes[code];
+      if (!entry) return null;
+
+      // Check expiry
+      if (entry.expiresAt < Math.floor(Date.now() / 1000)) {
+        delete data.codes[code];
+        await saveTokens(resolvedPath, data);
+        return null;
+      }
+
+      // Consume the code (single-use)
+      delete data.codes[code];
+      await saveTokens(resolvedPath, data);
+
+      return entry;
+    },
+
+    // ── Access tokens ─────────────────────────────────────────────
+
+    /**
+     * Issue a new access token (and optional refresh token).
+     *
+     * @param {string} clientId
+     * @param {string[]} scopes
+     * @returns {Promise<{ accessToken: string, refreshToken?: string, expiresIn: number }>}
+     */
+    async issueTokens(clientId, scopes) {
+      data.tokens = data.tokens || {};
+
+      const accessToken = randomBytes(32).toString('hex');
+      const refreshToken = randomBytes(32).toString('hex');
+      const nowSec = Math.floor(Date.now() / 1000);
+
+      data.tokens[accessToken] = {
+        clientId,
+        scopes,
+        expiresAt: nowSec + ACCESS_TOKEN_TTL_SEC,
+      };
+
+      // Store refresh token mapping
+      data.refreshTokens = data.refreshTokens || {};
+      data.refreshTokens[refreshToken] = {
+        accessToken,
+        clientId,
+        scopes,
+        expiresAt: nowSec + REFRESH_TOKEN_TTL_SEC,
+      };
+
+      await saveTokens(resolvedPath, data);
+
+      return {
+        accessToken,
+        refreshToken,
+        expiresIn: ACCESS_TOKEN_TTL_SEC,
+      };
+    },
+
+    /**
+     * Verify an access token. Returns the AuthInfo on success.
+     *
+     * @param {string} token
+     * @returns {Promise<import('./types.js').AuthInfo>}
+     * @throws {import('@modelcontextprotocol/sdk/server/auth/errors.js').InvalidTokenError}
+     */
+    async verifyAccessToken(token) {
+      data.tokens = data.tokens || {};
+      const entry = data.tokens[token];
+
+      if (!entry) {
+        throw new InvalidTokenError('Token not found');
+      }
+
+      if (entry.expiresAt < Math.floor(Date.now() / 1000)) {
+        throw new InvalidTokenError('Token has expired');
+      }
+
+      return {
+        token,
+        clientId: entry.clientId,
+        scopes: entry.scopes,
+        expiresAt: entry.expiresAt,
+      };
+    },
+
+    // ── Refresh tokens ────────────────────────────────────────────
+
+    /**
+     * Exchange a refresh token for a new access token.
+     * The old access token is revoked and the refresh token is rotated.
+     *
+     * @param {string} refreshToken
+     * @returns {Promise<{ accessToken: string, refreshToken: string, expiresIn: number }|null>}
+     */
+    async exchangeRefreshToken(refreshToken) {
+      data.refreshTokens = data.refreshTokens || {};
+      data.tokens = data.tokens || {};
+
+      const rtEntry = data.refreshTokens[refreshToken];
+      if (!rtEntry) return null;
+
+      // Check refresh token expiry
+      if (rtEntry.expiresAt < Math.floor(Date.now() / 1000)) {
+        delete data.refreshTokens[refreshToken];
+        await saveTokens(resolvedPath, data);
+        return null;
+      }
+
+      // Revoke old access token
+      const oldAccessToken = rtEntry.accessToken;
+      if (oldAccessToken && data.tokens[oldAccessToken]) {
+        delete data.tokens[oldAccessToken];
+      }
+
+      // Issue new tokens
+      const newAccessToken = randomBytes(32).toString('hex');
+      const newRefreshToken = randomBytes(32).toString('hex');
+      const nowSec = Math.floor(Date.now() / 1000);
+
+      data.tokens[newAccessToken] = {
+        clientId: rtEntry.clientId,
+        scopes: rtEntry.scopes,
+        expiresAt: nowSec + ACCESS_TOKEN_TTL_SEC,
+      };
+
+      // Rotate refresh token
+      delete data.refreshTokens[refreshToken];
+      data.refreshTokens[newRefreshToken] = {
+        accessToken: newAccessToken,
+        clientId: rtEntry.clientId,
+        scopes: rtEntry.scopes,
+        expiresAt: nowSec + REFRESH_TOKEN_TTL_SEC,
+      };
+
+      await saveTokens(resolvedPath, data);
+
+      return {
+        accessToken: newAccessToken,
+        refreshToken: newRefreshToken,
+        expiresIn: ACCESS_TOKEN_TTL_SEC,
+      };
+    },
+
+    // ── Revocation ────────────────────────────────────────────────
+
+    /**
+     * Revoke an access token or refresh token.
+     * Does nothing if the token is already unknown.
+     *
+     * @param {string} token
+     * @returns {Promise<void>}
+     */
+    async revokeToken(token) {
+      let changed = false;
+
+      // Check access tokens
+      data.tokens = data.tokens || {};
+      if (data.tokens[token]) {
+        delete data.tokens[token];
+        changed = true;
+      }
+
+      // Check refresh tokens
+      data.refreshTokens = data.refreshTokens || {};
+      if (data.refreshTokens[token]) {
+        const rtEntry = data.refreshTokens[token];
+        // Also revoke the associated access token
+        if (rtEntry.accessToken && data.tokens[rtEntry.accessToken]) {
+          delete data.tokens[rtEntry.accessToken];
+        }
+        delete data.refreshTokens[token];
+        changed = true;
+      }
+
+      if (changed) {
+        await saveTokens(resolvedPath, data);
+      }
+    },
+  };
+}
+
+/**
+ * Load token data from the JSON file, or return empty structure
+ * if the file does not exist.
+ *
+ * @param {string} filePath
+ * @returns {Promise<object>}
+ */
+async function loadTokens(filePath) {
+  try {
+    const raw = await readFile(filePath, 'utf-8');
+    return JSON.parse(raw);
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      return {};
+    }
+    throw err;
+  }
+}
+
+/**
+ * Atomically save token data to the JSON file.
+ *
+ * @param {string} filePath
+ * @param {object} data
+ * @returns {Promise<void>}
+ */
+async function saveTokens(filePath, data) {
+  const tmpPath = filePath + '.tmp';
+  await writeFile(tmpPath, JSON.stringify(data, null, 2), 'utf-8');
+  await rename(tmpPath, filePath);
+}
+
+/**
+ * @typedef {object} OAuthTokenStore
+ * @property {(code: string, clientId: string, codeChallenge: string, redirectUri: string, scopes: string[]) => Promise<void>} saveAuthorizationCode
+ * @property {(code: string) => Promise<object|null>} consumeAuthorizationCode
+ * @property {(clientId: string, scopes: string[]) => Promise<{ accessToken: string, refreshToken?: string, expiresIn: number }>} issueTokens
+ * @property {(token: string) => Promise<import('./types.js').AuthInfo>} verifyAccessToken
+ * @property {(refreshToken: string) => Promise<{ accessToken: string, refreshToken: string, expiresIn: number }|null>} exchangeRefreshToken
+ * @property {(token: string) => Promise<void>} revokeToken
+ */