@mcp-ts/sdk 1.3.7 → 1.3.10

package/src/server/mcp/storage-oauth-provider.ts

@@ -1,272 +1,272 @@
-import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
-import type {
-    OAuthClientInformationFull,
-    OAuthClientInformationMixed,
-    OAuthClientMetadata,
-    OAuthTokens
-} from "@modelcontextprotocol/sdk/shared/auth.js";
-import { storage, SessionData } from "../storage/index.js";
-import {
-    DEFAULT_CLIENT_NAME,
-    DEFAULT_CLIENT_URI,
-    DEFAULT_LOGO_URI,
-    DEFAULT_POLICY_URI,
-    SOFTWARE_ID,
-    SOFTWARE_VERSION,
-    TOKEN_EXPIRY_BUFFER_MS,
-} from '../../shared/constants.js';
-
-/**
- * Extension of OAuthClientProvider interface with additional methods
- * Enables server-specific tracking and state management
- */
-export interface AgentsOAuthProvider extends OAuthClientProvider {
-    authUrl: string | undefined;
-    clientId: string | undefined;
-    serverId: string | undefined;
-    checkState(
-        state: string
-    ): Promise<{ valid: boolean; serverId?: string; error?: string }>;
-    consumeState(state: string): Promise<void>;
-    deleteCodeVerifier(): Promise<void>;
-    isTokenExpired(): boolean;
-    setTokenExpiresAt(expiresAt: number): void;
-}
-
-export interface StorageOAuthClientProviderOptions {
-    identity: string;
-    serverId: string;
-    sessionId: string;
-    redirectUrl: string;
-    clientName?: string;
-    clientUri?: string;
-    logoUri?: string;
-    policyUri?: string;
-    clientId?: string;
-    clientSecret?: string;
-    onRedirect?: (url: string) => void;
-}
-
-/**
- * Storage-backed OAuth provider implementation for MCP
- * Stores OAuth tokens, client information, and PKCE verifiers using the configured StorageBackend
- */
-export class StorageOAuthClientProvider implements AgentsOAuthProvider {
-    public readonly identity: string;
-    public readonly serverId: string;
-    public readonly sessionId: string;
-    public readonly redirectUrl: string;
-
-    private readonly clientName?: string;
-    private readonly clientUri?: string;
-    private readonly logoUri?: string;
-    private readonly policyUri?: string;
-    private readonly clientSecret?: string;
-
-    private _authUrl: string | undefined;
-    private _clientId: string | undefined;
-    private onRedirectCallback?: (url: string) => void;
-    private tokenExpiresAt?: number;
-
-    /**
-     * Creates a new storage-backed OAuth provider
-     * @param options - Provider configuration
-     */
-    constructor(options: StorageOAuthClientProviderOptions) {
-        this.identity = options.identity;
-        this.serverId = options.serverId;
-        this.sessionId = options.sessionId;
-        this.redirectUrl = options.redirectUrl;
-        this.clientName = options.clientName;
-        this.clientUri = options.clientUri;
-        this.logoUri = options.logoUri;
-        this.policyUri = options.policyUri;
-        this._clientId = options.clientId;
-        this.clientSecret = options.clientSecret;
-        this.onRedirectCallback = options.onRedirect;
-    }
-
-    get clientMetadata(): OAuthClientMetadata {
-        return {
-            client_name: this.clientName || DEFAULT_CLIENT_NAME,
-            client_uri: this.clientUri || DEFAULT_CLIENT_URI,
-            logo_uri: this.logoUri || DEFAULT_LOGO_URI,
-            policy_uri: this.policyUri || DEFAULT_POLICY_URI,
-            grant_types: ["authorization_code", "refresh_token"],
-            redirect_uris: [this.redirectUrl],
-            response_types: ["code"],
-            token_endpoint_auth_method: this.clientSecret ? "client_secret_basic" : "none",
-            software_id: SOFTWARE_ID,
-            software_version: SOFTWARE_VERSION,
-        };
-    }
-
-    get clientId() {
-        return this._clientId;
-    }
-
-    set clientId(clientId_: string | undefined) {
-        this._clientId = clientId_;
-    }
-
-    /**
-     * Loads OAuth data from storage session
-     * @private
-     */
-    private async getSessionData(): Promise<SessionData> {
-        const data = await storage.getSession(this.identity, this.sessionId);
-        if (!data) {
-            return {} as SessionData;
-        }
-        return data;
-    }
-
-    /**
-     * Saves OAuth data to storage
-     * @param data - Partial OAuth data to save
-     * @private
-     * @throws Error if session doesn't exist (session must be created by controller layer)
-     */
-    private async saveSessionData(data: Partial<SessionData>): Promise<void> {
-        await storage.updateSession(this.identity, this.sessionId, data);
-    }
-
-    /**
-     * Retrieves stored OAuth client information
-     */
-    async clientInformation(): Promise<OAuthClientInformationMixed | undefined> {
-        const data = await this.getSessionData();
-
-        if (data.clientId && !this._clientId) {
-            this._clientId = data.clientId;
-        }
-
-        if (data.clientInformation) {
-            return data.clientInformation;
-        }
-
-        if (!this._clientId) {
-            return undefined;
-        }
-
-        return {
-            client_id: this._clientId,
-            ...(this.clientSecret ? { client_secret: this.clientSecret } : {}),
-        };
-    }
-
-    /**
-     * Stores OAuth client information
-     */
-    async saveClientInformation(clientInformation: OAuthClientInformationFull): Promise<void> {
-        await this.saveSessionData({
-            clientInformation,
-            clientId: clientInformation.client_id
-        });
-        this.clientId = clientInformation.client_id;
-    }
-
-    /**
-     * Stores OAuth tokens
-     */
-    async saveTokens(tokens: OAuthTokens): Promise<void> {
-        const data: Partial<SessionData> = { tokens };
-
-        if (tokens.expires_in) {
-            this.tokenExpiresAt = Date.now() + (tokens.expires_in * 1000) - TOKEN_EXPIRY_BUFFER_MS;
-        }
-
-        await this.saveSessionData(data);
-    }
-
-    get authUrl() {
-        return this._authUrl;
-    }
-
-    async state(): Promise<string> {
-        return this.sessionId;
-    }
-
-    async checkState(_state: string): Promise<{ valid: boolean; serverId?: string; error?: string }> {
-        const data = await storage.getSession(this.identity, this.sessionId);
-
-        if (!data) {
-            return { valid: false, error: "Session not found" };
-        }
-
-        return { valid: true, serverId: this.serverId };
-    }
-
-    async consumeState(_state: string): Promise<void> {
-        // No-op
-    }
-
-    async redirectToAuthorization(authUrl: URL): Promise<void> {
-        this._authUrl = authUrl.toString();
-        if (this.onRedirectCallback) {
-            this.onRedirectCallback(authUrl.toString());
-        }
-    }
-
-    async invalidateCredentials(
-        scope: "all" | "client" | "tokens" | "verifier"
-    ): Promise<void> {
-        if (scope === "all") {
-            await storage.removeSession(this.identity, this.sessionId);
-        } else {
-            const updates: Partial<SessionData> = {};
-
-            if (scope === "client") {
-                updates.clientInformation = undefined;
-                updates.clientId = undefined;
-            } else if (scope === "tokens") {
-                updates.tokens = undefined;
-            } else if (scope === "verifier") {
-                updates.codeVerifier = undefined;
-            }
-            await this.saveSessionData(updates);
-        }
-    }
-
-    async saveCodeVerifier(verifier: string): Promise<void> {
-        await this.saveSessionData({ codeVerifier: verifier });
-    }
-
-    async codeVerifier(): Promise<string> {
-        const data = await this.getSessionData();
-
-        if (data.clientId && !this._clientId) {
-            this._clientId = data.clientId;
-        }
-
-        if (!data.codeVerifier) {
-            throw new Error("No code verifier found");
-        }
-        return data.codeVerifier;
-    }
-
-    async deleteCodeVerifier(): Promise<void> {
-        await this.saveSessionData({ codeVerifier: undefined });
-    }
-
-    async tokens(): Promise<OAuthTokens | undefined> {
-        const data = await this.getSessionData();
-
-        if (data.clientId && !this._clientId) {
-            this._clientId = data.clientId;
-        }
-
-        return data.tokens;
-    }
-
-    isTokenExpired(): boolean {
-        if (!this.tokenExpiresAt) {
-            return false;
-        }
-        return Date.now() >= this.tokenExpiresAt;
-    }
-
-    setTokenExpiresAt(expiresAt: number): void {
-        this.tokenExpiresAt = expiresAt;
-    }
-}
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import type {
+    OAuthClientInformationFull,
+    OAuthClientInformationMixed,
+    OAuthClientMetadata,
+    OAuthTokens
+} from "@modelcontextprotocol/sdk/shared/auth.js";
+import { storage, SessionData } from "../storage/index.js";
+import {
+    DEFAULT_CLIENT_NAME,
+    DEFAULT_CLIENT_URI,
+    DEFAULT_LOGO_URI,
+    DEFAULT_POLICY_URI,
+    SOFTWARE_ID,
+    SOFTWARE_VERSION,
+    TOKEN_EXPIRY_BUFFER_MS,
+} from '../../shared/constants.js';
+
+/**
+ * Extension of OAuthClientProvider interface with additional methods
+ * Enables server-specific tracking and state management
+ */
+export interface AgentsOAuthProvider extends OAuthClientProvider {
+    authUrl: string | undefined;
+    clientId: string | undefined;
+    serverId: string | undefined;
+    checkState(
+        state: string
+    ): Promise<{ valid: boolean; serverId?: string; error?: string }>;
+    consumeState(state: string): Promise<void>;
+    deleteCodeVerifier(): Promise<void>;
+    isTokenExpired(): boolean;
+    setTokenExpiresAt(expiresAt: number): void;
+}
+
+export interface StorageOAuthClientProviderOptions {
+    identity: string;
+    serverId: string;
+    sessionId: string;
+    redirectUrl: string;
+    clientName?: string;
+    clientUri?: string;
+    logoUri?: string;
+    policyUri?: string;
+    clientId?: string;
+    clientSecret?: string;
+    onRedirect?: (url: string) => void;
+}
+
+/**
+ * Storage-backed OAuth provider implementation for MCP
+ * Stores OAuth tokens, client information, and PKCE verifiers using the configured StorageBackend
+ */
+export class StorageOAuthClientProvider implements AgentsOAuthProvider {
+    public readonly identity: string;
+    public readonly serverId: string;
+    public readonly sessionId: string;
+    public readonly redirectUrl: string;
+
+    private readonly clientName?: string;
+    private readonly clientUri?: string;
+    private readonly logoUri?: string;
+    private readonly policyUri?: string;
+    private readonly clientSecret?: string;
+
+    private _authUrl: string | undefined;
+    private _clientId: string | undefined;
+    private onRedirectCallback?: (url: string) => void;
+    private tokenExpiresAt?: number;
+
+    /**
+     * Creates a new storage-backed OAuth provider
+     * @param options - Provider configuration
+     */
+    constructor(options: StorageOAuthClientProviderOptions) {
+        this.identity = options.identity;
+        this.serverId = options.serverId;
+        this.sessionId = options.sessionId;
+        this.redirectUrl = options.redirectUrl;
+        this.clientName = options.clientName;
+        this.clientUri = options.clientUri;
+        this.logoUri = options.logoUri;
+        this.policyUri = options.policyUri;
+        this._clientId = options.clientId;
+        this.clientSecret = options.clientSecret;
+        this.onRedirectCallback = options.onRedirect;
+    }
+
+    get clientMetadata(): OAuthClientMetadata {
+        return {
+            client_name: this.clientName || DEFAULT_CLIENT_NAME,
+            client_uri: this.clientUri || DEFAULT_CLIENT_URI,
+            logo_uri: this.logoUri || DEFAULT_LOGO_URI,
+            policy_uri: this.policyUri || DEFAULT_POLICY_URI,
+            grant_types: ["authorization_code", "refresh_token"],
+            redirect_uris: [this.redirectUrl],
+            response_types: ["code"],
+            token_endpoint_auth_method: this.clientSecret ? "client_secret_basic" : "none",
+            software_id: SOFTWARE_ID,
+            software_version: SOFTWARE_VERSION,
+        };
+    }
+
+    get clientId() {
+        return this._clientId;
+    }
+
+    set clientId(clientId_: string | undefined) {
+        this._clientId = clientId_;
+    }
+
+    /**
+     * Loads OAuth data from storage session
+     * @private
+     */
+    private async getSessionData(): Promise<SessionData> {
+        const data = await storage.getSession(this.identity, this.sessionId);
+        if (!data) {
+            return {} as SessionData;
+        }
+        return data;
+    }
+
+    /**
+     * Saves OAuth data to storage
+     * @param data - Partial OAuth data to save
+     * @private
+     * @throws Error if session doesn't exist (session must be created by controller layer)
+     */
+    private async saveSessionData(data: Partial<SessionData>): Promise<void> {
+        await storage.updateSession(this.identity, this.sessionId, data);
+    }
+
+    /**
+     * Retrieves stored OAuth client information
+     */
+    async clientInformation(): Promise<OAuthClientInformationMixed | undefined> {
+        const data = await this.getSessionData();
+
+        if (data.clientId && !this._clientId) {
+            this._clientId = data.clientId;
+        }
+
+        if (data.clientInformation) {
+            return data.clientInformation;
+        }
+
+        if (!this._clientId) {
+            return undefined;
+        }
+
+        return {
+            client_id: this._clientId,
+            ...(this.clientSecret ? { client_secret: this.clientSecret } : {}),
+        };
+    }
+
+    /**
+     * Stores OAuth client information
+     */
+    async saveClientInformation(clientInformation: OAuthClientInformationFull): Promise<void> {
+        await this.saveSessionData({
+            clientInformation,
+            clientId: clientInformation.client_id
+        });
+        this.clientId = clientInformation.client_id;
+    }
+
+    /**
+     * Stores OAuth tokens
+     */
+    async saveTokens(tokens: OAuthTokens): Promise<void> {
+        const data: Partial<SessionData> = { tokens };
+
+        if (tokens.expires_in) {
+            this.tokenExpiresAt = Date.now() + (tokens.expires_in * 1000) - TOKEN_EXPIRY_BUFFER_MS;
+        }
+
+        await this.saveSessionData(data);
+    }
+
+    get authUrl() {
+        return this._authUrl;
+    }
+
+    async state(): Promise<string> {
+        return this.sessionId;
+    }
+
+    async checkState(_state: string): Promise<{ valid: boolean; serverId?: string; error?: string }> {
+        const data = await storage.getSession(this.identity, this.sessionId);
+
+        if (!data) {
+            return { valid: false, error: "Session not found" };
+        }
+
+        return { valid: true, serverId: this.serverId };
+    }
+
+    async consumeState(_state: string): Promise<void> {
+        // No-op
+    }
+
+    async redirectToAuthorization(authUrl: URL): Promise<void> {
+        this._authUrl = authUrl.toString();
+        if (this.onRedirectCallback) {
+            this.onRedirectCallback(authUrl.toString());
+        }
+    }
+
+    async invalidateCredentials(
+        scope: "all" | "client" | "tokens" | "verifier"
+    ): Promise<void> {
+        if (scope === "all") {
+            await storage.removeSession(this.identity, this.sessionId);
+        } else {
+            const updates: Partial<SessionData> = {};
+
+            if (scope === "client") {
+                updates.clientInformation = undefined;
+                updates.clientId = undefined;
+            } else if (scope === "tokens") {
+                updates.tokens = undefined;
+            } else if (scope === "verifier") {
+                updates.codeVerifier = undefined;
+            }
+            await this.saveSessionData(updates);
+        }
+    }
+
+    async saveCodeVerifier(verifier: string): Promise<void> {
+        await this.saveSessionData({ codeVerifier: verifier });
+    }
+
+    async codeVerifier(): Promise<string> {
+        const data = await this.getSessionData();
+
+        if (data.clientId && !this._clientId) {
+            this._clientId = data.clientId;
+        }
+
+        if (!data.codeVerifier) {
+            throw new Error("No code verifier found");
+        }
+        return data.codeVerifier;
+    }
+
+    async deleteCodeVerifier(): Promise<void> {
+        await this.saveSessionData({ codeVerifier: undefined });
+    }
+
+    async tokens(): Promise<OAuthTokens | undefined> {
+        const data = await this.getSessionData();
+
+        if (data.clientId && !this._clientId) {
+            this._clientId = data.clientId;
+        }
+
+        return data.tokens;
+    }
+
+    isTokenExpired(): boolean {
+        if (!this.tokenExpiresAt) {
+            return false;
+        }
+        return Date.now() >= this.tokenExpiresAt;
+    }
+
+    setTokenExpiresAt(expiresAt: number): void {
+        this.tokenExpiresAt = expiresAt;
+    }
+}

package/src/server/storage/crypto.ts

@@ -0,0 +1,92 @@
+import { randomBytes, createCipheriv, createDecipheriv } from 'node:crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const ENCRYPTION_PREFIX = 'enc:1:';
+
+let warningLogged = false;
+
+function getKey(): Buffer | null {
+    const keyString = process.env.STORAGE_ENCRYPTION_KEY;
+    if (!keyString) return null;
+    
+    // Ensure key is 32 bytes (256 bits)
+    if (keyString.length === 64) {
+        return Buffer.from(keyString, 'hex');
+    } else {
+        const keyBuffer = Buffer.alloc(32);
+        keyBuffer.write(keyString, 0, 32, 'utf-8');
+        return keyBuffer;
+    }
+}
+
+/**
+ * Encrypts an object into a secure string.
+ * Falls back to returning the original object if the encryption key is missing or encryption fails.
+ */
+export function encryptObject(data: any): any {
+    if (data === undefined || data === null) return data;
+    
+    const key = getKey();
+    if (!key) {
+        if (!warningLogged) {
+            console.warn('[mcp-ts][Storage] WARNING: STORAGE_ENCRYPTION_KEY is not set. Saving sensitive data in plain-text.');
+            warningLogged = true;
+        }
+        return data; // Fallback to plain-text
+    }
+
+    try {
+        const text = JSON.stringify(data);
+        const iv = randomBytes(IV_LENGTH);
+        const cipher = createCipheriv(ALGORITHM, key, iv);
+        
+        let encrypted = cipher.update(text, 'utf-8', 'hex');
+        encrypted += cipher.final('hex');
+        const authTag = cipher.getAuthTag().toString('hex');
+        
+        return `${ENCRYPTION_PREFIX}${iv.toString('hex')}:${authTag}:${encrypted}`;
+    } catch (e) {
+        console.error('[mcp-ts][Storage] Encryption failed, falling back to plain-text.', e);
+        return data;
+    }
+}
+
+/**
+ * Decrypts a secure string back into an object.
+ * Returns the original data if it is unencrypted or if decryption fails.
+ */
+export function decryptObject(data: any): any {
+    if (data === undefined || data === null) return data;
+    if (typeof data !== 'string' || !data.startsWith(ENCRYPTION_PREFIX)) {
+        return data; // Already unencrypted or old plain-text data
+    }
+
+    const key = getKey();
+    if (!key) {
+        console.warn('[mcp-ts][Storage] WARNING: Found encrypted data but STORAGE_ENCRYPTION_KEY is missing. Returning raw encrypted string.');
+        return data;
+    }
+
+    try {
+        const parts = data.split(':');
+        if (parts.length !== 5) {
+            return data;
+        }
+
+        const iv = Buffer.from(parts[2], 'hex');
+        const authTag = Buffer.from(parts[3], 'hex');
+        const encryptedText = parts[4];
+
+        const decipher = createDecipheriv(ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+
+        let decrypted = decipher.update(encryptedText, 'hex', 'utf-8');
+        decrypted += decipher.final('utf-8');
+
+        return JSON.parse(decrypted);
+    } catch (e) {
+        console.error('[mcp-ts][Storage] Decryption failed.', e);
+        return data;
+    }
+}