@lobu/gateway 3.0.7 → 3.0.9

package/src/routes/internal/device-auth.ts

@@ -1,4 +1,9 @@
-import { createLogger, decrypt, encrypt } from "@lobu/core";
+import {
+  type McpOAuthConfig,
+  createLogger,
+  decrypt,
+  encrypt,
+} from "@lobu/core";
 import { Hono } from "hono";
 import type Redis from "ioredis";
 import { GenericDeviceCodeClient } from "../../auth/external/device-code-client";
@@ -18,6 +23,8 @@ interface StoredCredential {
   clientId: string;
   clientSecret?: string;
   tokenUrl: string;
+  /** RFC 8707 resource indicator, included in refresh requests. */
+  resource?: string;
 }
 
 interface StoredDeviceAuth {
@@ -29,6 +36,12 @@ interface StoredDeviceAuth {
   expiresAt: number;
   tokenUrl: string;
   issuer: string;
+  /** Stored so poll/complete can reconstruct the client without re-deriving. */
+  deviceAuthorizationUrl?: string;
+  /** RFC 8707 resource indicator. */
+  resource?: string;
+  /** Custom scopes from oauth config. */
+  scope?: string;
 }
 
 interface StoredClient {
@@ -41,6 +54,17 @@ export interface DeviceAuthConfig {
   mcpConfigService: McpConfigService;
 }
 
+interface ResolvedOAuthEndpoints {
+  registrationUrl: string;
+  deviceAuthorizationUrl: string;
+  tokenUrl: string;
+  verificationUri: string;
+  scope: string;
+  clientId?: string;
+  clientSecret?: string;
+  resource?: string;
+}
+
 function credentialKey(agentId: string, userId: string, mcpId: string): string {
   return `auth:credential:${agentId}:${userId}:${mcpId}`;
 }
@@ -61,6 +85,36 @@ function refreshLockKey(
   return `auth:refresh-lock:${agentId}:${userId}:${mcpId}`;
 }
 
+function deriveOAuthBaseUrl(upstreamUrl: string): string {
+  const url = new URL(upstreamUrl);
+  url.pathname = "/";
+  url.search = "";
+  url.hash = "";
+  return url.toString().replace(/\/$/, "");
+}
+
+/**
+ * Resolve OAuth endpoints from explicit config, falling back to
+ * auto-derived endpoints from the MCP server's URL origin.
+ */
+function resolveOAuthEndpoints(
+  upstreamUrl: string,
+  oauth?: McpOAuthConfig
+): ResolvedOAuthEndpoints {
+  const issuer = deriveOAuthBaseUrl(upstreamUrl);
+  return {
+    registrationUrl: oauth?.registrationUrl ?? `${issuer}/oauth/register`,
+    deviceAuthorizationUrl:
+      oauth?.deviceAuthorizationUrl ?? `${issuer}/oauth/device_authorization`,
+    tokenUrl: oauth?.tokenUrl ?? `${issuer}/oauth/token`,
+    verificationUri: oauth?.authUrl ?? `${issuer}/oauth/device`,
+    scope: oauth?.scopes?.join(" ") || DEFAULT_MCP_SCOPE,
+    clientId: oauth?.clientId,
+    clientSecret: oauth?.clientSecret,
+    resource: oauth?.resource,
+  };
+}
+
 export async function getStoredCredential(
   redis: Redis,
   agentId: string,
@@ -120,6 +174,9 @@ export async function refreshCredential(
     if (credential.clientSecret) {
       body.client_secret = credential.clientSecret;
     }
+    if (credential.resource) {
+      body.resource = credential.resource;
+    }
 
     const response = await fetch(credential.tokenUrl, {
       method: "POST",
@@ -156,6 +213,7 @@ export async function refreshCredential(
       clientId: credential.clientId,
       clientSecret: credential.clientSecret,
       tokenUrl: credential.tokenUrl,
+      resource: credential.resource,
     };
 
     await storeCredential(redis, agentId, userId, mcpId, refreshed);
@@ -201,8 +259,11 @@ export async function tryCompletePendingDeviceAuth(
       clientId: deviceState.clientId,
       clientSecret: deviceState.clientSecret,
       tokenUrl: deviceState.tokenUrl,
-      deviceAuthorizationUrl: `${deviceState.issuer}/oauth/device_authorization`,
-      scope: DEFAULT_MCP_SCOPE,
+      deviceAuthorizationUrl:
+        deviceState.deviceAuthorizationUrl ??
+        `${deviceState.issuer}/oauth/device_authorization`,
+      scope: deviceState.scope ?? DEFAULT_MCP_SCOPE,
+      resource: deviceState.resource,
       tokenEndpointAuthMethod: deviceState.clientSecret
         ? "client_secret_post"
         : "none",
@@ -231,6 +292,7 @@ export async function tryCompletePendingDeviceAuth(
       clientId: deviceState.clientId,
       clientSecret: deviceState.clientSecret,
       tokenUrl: deviceState.tokenUrl,
+      resource: deviceState.resource,
     };
 
     await storeCredential(redis, agentId, userId, mcpId, storedCred);
@@ -251,17 +313,12 @@ export async function tryCompletePendingDeviceAuth(
   }
 }
 
-function deriveOAuthBaseUrl(upstreamUrl: string): string {
-  const url = new URL(upstreamUrl);
-  url.pathname = "/";
-  url.search = "";
-  url.hash = "";
-  return url.toString().replace(/\/$/, "");
-}
-
 /**
  * Start device-code auth flow for a given MCP server.
  * Reusable by the MCP proxy to auto-initiate auth on "unauthorized" errors.
+ *
+ * When the MCP server's oauth config provides a clientId, dynamic client
+ * registration is skipped entirely.
  */
 export async function startDeviceAuth(
   redis: Redis,
@@ -269,7 +326,7 @@ export async function startDeviceAuth(
     getHttpServer: (
       id: string,
       agentId?: string
-    ) => Promise<{ upstreamUrl: string } | undefined>;
+    ) => Promise<{ upstreamUrl: string; oauth?: McpOAuthConfig } | undefined>;
   },
   mcpId: string,
   agentId: string,
@@ -290,7 +347,11 @@ export async function startDeviceAuth(
         const issuer = httpServer
           ? deriveOAuthBaseUrl(httpServer.upstreamUrl)
           : existing.issuer;
-        const verificationUri = `${issuer}/oauth/device`;
+        const endpoints = httpServer
+          ? resolveOAuthEndpoints(httpServer.upstreamUrl, httpServer.oauth)
+          : null;
+        const verificationUri =
+          endpoints?.verificationUri ?? `${issuer}/oauth/device`;
         logger.info("Reusing existing pending device auth", {
           mcpId,
           agentId,
@@ -316,53 +377,71 @@ export async function startDeviceAuth(
     return null;
   }
 
-  const issuer = deriveOAuthBaseUrl(httpServer.upstreamUrl);
+  const endpoints = resolveOAuthEndpoints(
+    httpServer.upstreamUrl,
+    httpServer.oauth
+  );
 
-  // Check cached client registration
+  // Resolve client: use explicit config clientId, or cached registration, or register new
   let client: StoredClient | null = null;
-  const cachedClient = await redis.get(clientCacheKey(mcpId));
-  if (cachedClient) {
-    try {
-      client = JSON.parse(cachedClient) as StoredClient;
-    } catch {
-      client = null;
-    }
-  }
 
-  // Register a new client if needed
-  if (!client) {
-    const regResponse = await fetch(`${issuer}/oauth/register`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        grant_types: [DEVICE_CODE_GRANT_TYPE, "refresh_token"],
-        token_endpoint_auth_method: "none",
-        client_name: "Lobu Gateway Device Auth",
-        scope: DEFAULT_MCP_SCOPE,
-      }),
+  if (endpoints.clientId) {
+    // Config provides a pre-registered client — skip dynamic registration
+    client = {
+      clientId: endpoints.clientId,
+      clientSecret: endpoints.clientSecret,
+    };
+    logger.info("Using pre-registered OAuth client from config", {
+      mcpId,
+      clientId: endpoints.clientId,
     });
+  } else {
+    // Check cached client registration
+    const cachedClient = await redis.get(clientCacheKey(mcpId));
+    if (cachedClient) {
+      try {
+        client = JSON.parse(cachedClient) as StoredClient;
+      } catch {
+        client = null;
+      }
+    }
 
-    if (!regResponse.ok) return null;
+    // Register a new client if needed
+    if (!client) {
+      const regResponse = await fetch(endpoints.registrationUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          grant_types: [DEVICE_CODE_GRANT_TYPE, "refresh_token"],
+          token_endpoint_auth_method: "none",
+          client_name: "Lobu Gateway Device Auth",
+          scope: endpoints.scope,
+        }),
+      });
 
-    const registration = (await regResponse.json()) as {
-      client_id: string;
-      client_secret?: string;
-    };
+      if (!regResponse.ok) return null;
 
-    client = {
-      clientId: registration.client_id,
-      clientSecret: registration.client_secret,
-    };
+      const registration = (await regResponse.json()) as {
+        client_id: string;
+        client_secret?: string;
+      };
 
-    await redis.set(clientCacheKey(mcpId), JSON.stringify(client));
+      client = {
+        clientId: registration.client_id,
+        clientSecret: registration.client_secret,
+      };
+
+      await redis.set(clientCacheKey(mcpId), JSON.stringify(client));
+    }
   }
 
   const deviceCodeClient = new GenericDeviceCodeClient({
     clientId: client.clientId,
     clientSecret: client.clientSecret,
-    tokenUrl: `${issuer}/oauth/token`,
-    deviceAuthorizationUrl: `${issuer}/oauth/device_authorization`,
-    scope: DEFAULT_MCP_SCOPE,
+    tokenUrl: endpoints.tokenUrl,
+    deviceAuthorizationUrl: endpoints.deviceAuthorizationUrl,
+    scope: endpoints.scope,
+    resource: endpoints.resource,
     tokenEndpointAuthMethod: client.clientSecret
       ? "client_secret_post"
       : "none",
@@ -377,8 +456,11 @@ export async function startDeviceAuth(
     clientSecret: client.clientSecret,
     interval: started.interval,
     expiresAt: Date.now() + started.expiresIn * 1000,
-    tokenUrl: `${issuer}/oauth/token`,
-    issuer,
+    tokenUrl: endpoints.tokenUrl,
+    issuer: deriveOAuthBaseUrl(httpServer.upstreamUrl),
+    deviceAuthorizationUrl: endpoints.deviceAuthorizationUrl,
+    resource: endpoints.resource,
+    scope: endpoints.scope,
   };
 
   await redis.set(
@@ -483,8 +565,11 @@ export function createDeviceAuthRoutes(
         clientId: deviceState.clientId,
         clientSecret: deviceState.clientSecret,
         tokenUrl: deviceState.tokenUrl,
-        deviceAuthorizationUrl: `${deviceState.issuer}/oauth/device_authorization`,
-        scope: DEFAULT_MCP_SCOPE,
+        deviceAuthorizationUrl:
+          deviceState.deviceAuthorizationUrl ??
+          `${deviceState.issuer}/oauth/device_authorization`,
+        scope: deviceState.scope ?? DEFAULT_MCP_SCOPE,
+        resource: deviceState.resource,
         tokenEndpointAuthMethod: deviceState.clientSecret
           ? "client_secret_post"
           : "none",
@@ -530,6 +615,7 @@ export function createDeviceAuthRoutes(
         clientId: deviceState.clientId,
         clientSecret: deviceState.clientSecret,
         tokenUrl: deviceState.tokenUrl,
+        resource: deviceState.resource,
       };
 
       await storeCredential(redis, agentId, userId, mcpId, storedCred);

package/src/routes/public/cli-auth.ts

@@ -651,6 +651,19 @@ export function createCliAuthRoutes(config: CliAuthRoutesConfig): Hono {
     return c.json(refreshed);
   });
 
+  router.post("/logout", async (c) => {
+    const rawBody = (await c.req.json().catch(() => ({}))) as {
+      refreshToken?: string;
+    };
+    const refreshToken = rawBody.refreshToken?.trim();
+    if (!refreshToken) {
+      return c.json({ error: "Missing refreshToken" }, 400);
+    }
+
+    await tokenService.revokeSessionByRefreshToken(refreshToken);
+    return c.json({ ok: true });
+  });
+
   router.get("/whoami", async (c) => {
     const authHeader = c.req.header("authorization");
     if (!authHeader?.startsWith("Bearer ")) {

package/src/services/bedrock-model-catalog.ts

@@ -0,0 +1,217 @@
+import {
+  BedrockClient,
+  InferenceType,
+  ListFoundationModelsCommand,
+  ModelModality,
+  type FoundationModelSummary,
+} from "@aws-sdk/client-bedrock";
+import { getModels, type Model } from "@mariozechner/pi-ai";
+import { createLogger } from "@lobu/core";
+
+const logger = createLogger("bedrock-model-catalog");
+
+const CACHE_TTL_MS = 5 * 60 * 1000;
+
+export interface BedrockCatalogModel {
+  id: string;
+  label: string;
+  providerName?: string;
+  modelName?: string;
+  inputModalities?: string[];
+  outputModalities?: string[];
+}
+
+export interface BedrockModelCatalogOptions {
+  cacheTtlMs?: number;
+  loadModels?: () => Promise<BedrockCatalogModel[]>;
+}
+
+export function resolveAwsRegion(): string | undefined {
+  return process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || undefined;
+}
+
+function hasTextOutput(summary: FoundationModelSummary): boolean {
+  return (summary.outputModalities || []).includes(ModelModality.TEXT);
+}
+
+function hasTextInput(summary: FoundationModelSummary): boolean {
+  return (summary.inputModalities || []).includes(ModelModality.TEXT);
+}
+
+function supportsStreaming(summary: FoundationModelSummary): boolean {
+  return summary.responseStreamingSupported === true;
+}
+
+function supportsOnDemand(summary: FoundationModelSummary): boolean {
+  const inferenceTypes = summary.inferenceTypesSupported || [];
+  return (
+    inferenceTypes.length === 0 ||
+    inferenceTypes.includes(InferenceType.ON_DEMAND)
+  );
+}
+
+function buildModelLabel(model: {
+  providerName?: string;
+  modelName?: string;
+  id: string;
+}): string {
+  const provider = model.providerName?.trim();
+  const name = model.modelName?.trim();
+  if (provider && name) return `${provider} / ${name}`;
+  return name || model.id;
+}
+
+function normalizeFoundationModel(
+  summary: FoundationModelSummary
+): BedrockCatalogModel | null {
+  const id = summary.modelId?.trim();
+  if (!id) return null;
+  if (!hasTextOutput(summary) || !hasTextInput(summary)) return null;
+  if (!supportsStreaming(summary) || !supportsOnDemand(summary)) return null;
+
+  return {
+    id,
+    label: buildModelLabel({
+      providerName: summary.providerName,
+      modelName: summary.modelName,
+      id,
+    }),
+    providerName: summary.providerName,
+    modelName: summary.modelName,
+    inputModalities: summary.inputModalities,
+    outputModalities: summary.outputModalities,
+  };
+}
+
+function normalizeRegistryModel(model: Model<any>): BedrockCatalogModel {
+  return {
+    id: model.id,
+    label: model.name || model.id,
+    inputModalities: model.input.map((input) => input.toUpperCase()),
+    outputModalities: ["TEXT"],
+  };
+}
+
+function sortModels(a: BedrockCatalogModel, b: BedrockCatalogModel): number {
+  return a.label.localeCompare(b.label) || a.id.localeCompare(b.id);
+}
+
+export function buildDynamicBedrockModel(
+  modelId: string,
+  discovered?: Pick<
+    BedrockCatalogModel,
+    "inputModalities" | "modelName" | "providerName"
+  > | null
+): Model<"bedrock-converse-stream"> {
+  const staticModel = getModels("amazon-bedrock").find((m) => m.id === modelId);
+  if (staticModel) {
+    return staticModel as Model<"bedrock-converse-stream">;
+  }
+
+  const input = (discovered?.inputModalities || [])
+    .map((value) => value.toLowerCase())
+    .filter(
+      (value): value is "text" | "image" =>
+        value === "text" || value === "image"
+    );
+
+  return {
+    id: modelId,
+    name:
+      buildModelLabel({
+        providerName: discovered?.providerName,
+        modelName: discovered?.modelName,
+        id: modelId,
+      }) || modelId,
+    api: "bedrock-converse-stream",
+    provider: "amazon-bedrock",
+    baseUrl: "",
+    reasoning: false,
+    input: input.length > 0 ? input : ["text"],
+    contextWindow: 128000,
+    maxTokens: 8192,
+    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+  };
+}
+
+async function loadBedrockModelsFromAws(): Promise<BedrockCatalogModel[]> {
+  const region = resolveAwsRegion();
+  if (!region) {
+    throw new Error("AWS region is not configured");
+  }
+
+  const client = new BedrockClient({ region });
+  const response = await client.send(
+    new ListFoundationModelsCommand({
+      byOutputModality: ModelModality.TEXT,
+    })
+  );
+
+  return (response.modelSummaries || [])
+    .map(normalizeFoundationModel)
+    .filter((model): model is BedrockCatalogModel => Boolean(model))
+    .sort(sortModels);
+}
+
+function loadFallbackRegistryModels(): BedrockCatalogModel[] {
+  return getModels("amazon-bedrock")
+    .map(normalizeRegistryModel)
+    .sort(sortModels);
+}
+
+export class BedrockModelCatalog {
+  private readonly cacheTtlMs: number;
+  private readonly loadModelsImpl: () => Promise<BedrockCatalogModel[]>;
+  private cachedModels:
+    | { expiresAt: number; models: BedrockCatalogModel[] }
+    | undefined;
+
+  constructor(options: BedrockModelCatalogOptions = {}) {
+    this.cacheTtlMs = options.cacheTtlMs ?? CACHE_TTL_MS;
+    this.loadModelsImpl = options.loadModels || loadBedrockModelsFromAws;
+  }
+
+  async listModels(): Promise<BedrockCatalogModel[]> {
+    const now = Date.now();
+    if (this.cachedModels && this.cachedModels.expiresAt > now) {
+      return this.cachedModels.models;
+    }
+
+    try {
+      const models = await this.loadModelsImpl();
+      this.cachedModels = {
+        expiresAt: now + this.cacheTtlMs,
+        models,
+      };
+      return models;
+    } catch (error) {
+      logger.warn(
+        {
+          error: error instanceof Error ? error.message : String(error),
+        },
+        "Falling back to static Bedrock model registry"
+      );
+      const fallback = loadFallbackRegistryModels();
+      this.cachedModels = {
+        expiresAt: now + this.cacheTtlMs,
+        models: fallback,
+      };
+      return fallback;
+    }
+  }
+
+  async listModelOptions(): Promise<Array<{ id: string; label: string }>> {
+    const models = await this.listModels();
+    return models.map((model) => ({
+      id: model.id,
+      label: model.label,
+    }));
+  }
+
+  async getModel(modelId: string): Promise<BedrockCatalogModel | null> {
+    const normalized = modelId.trim();
+    if (!normalized) return null;
+    const models = await this.listModels();
+    return models.find((model) => model.id === normalized) || null;
+  }
+}