@mcp-weave/nestjs 0.1.1 → 0.3.0

package/dist/index.mjs

@@ -1,7 +1,10 @@
 import 'reflect-metadata';
 import { METADATA_KEYS, extractMetadata } from '@mcp-weave/core';
 export { METADATA_KEYS, extractMetadata } from '@mcp-weave/core';
+import crypto from 'crypto';
+import { createServer } from 'http';
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 
 // src/index.ts
@@ -125,16 +128,161 @@ function getParamsMetadata(target) {
   return Reflect.getMetadata(METADATA_KEYS.PARAMS, target) ?? [];
 }
 
+// src/auth/index.ts
+function normalizeApiKeys(keys) {
+  if (!keys) return [];
+  if (typeof keys === "string") {
+    return [{ key: keys, name: "default" }];
+  }
+  return keys.map((k, index) => {
+    if (typeof k === "string") {
+      return { key: k, name: `key-${index + 1}` };
+    }
+    return k;
+  });
+}
+function extractApiKey(req, headerName = "x-api-key", queryParamName = "api_key") {
+  const headerKey = req.headers[headerName.toLowerCase()];
+  if (headerKey) {
+    return Array.isArray(headerKey) ? headerKey[0] : headerKey;
+  }
+  const authHeader = req.headers["authorization"];
+  if (authHeader && authHeader.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  const url = req.url ?? "";
+  const queryIndex = url.indexOf("?");
+  if (queryIndex !== -1) {
+    const searchParams = new URLSearchParams(url.slice(queryIndex + 1));
+    const queryKey = searchParams.get(queryParamName);
+    if (queryKey) return queryKey;
+  }
+  return void 0;
+}
+function validateApiKey(token, apiKeys) {
+  if (!token) {
+    return {
+      success: false,
+      error: "No API key provided"
+    };
+  }
+  const matchedKey = apiKeys.find((k) => k.key === token);
+  if (!matchedKey) {
+    return {
+      success: false,
+      error: "Invalid API key"
+    };
+  }
+  return {
+    success: true,
+    clientId: hashToken(token),
+    clientName: matchedKey.name,
+    scopes: matchedKey.scopes,
+    metadata: matchedKey.metadata
+  };
+}
+function hashToken(token) {
+  if (token.length <= 8) {
+    return "****";
+  }
+  return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+function generateRequestId() {
+  return `req_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+}
+function createAuthMiddleware(options = {}) {
+  const {
+    enabled = false,
+    apiKeys,
+    headerName = "x-api-key",
+    queryParamName = "api_key",
+    authenticate,
+    onAuthFailure,
+    onAuthSuccess
+  } = options;
+  const normalizedKeys = normalizeApiKeys(apiKeys);
+  return async (req, res) => {
+    const requestId = generateRequestId();
+    const timestamp = /* @__PURE__ */ new Date();
+    if (!enabled) {
+      return {
+        request: req,
+        auth: { success: true, clientId: "anonymous" },
+        requestId,
+        timestamp
+      };
+    }
+    const token = extractApiKey(req, headerName, queryParamName);
+    let result;
+    if (authenticate) {
+      const authResult = await authenticate(token, req);
+      if (typeof authResult === "boolean") {
+        result = {
+          success: authResult,
+          clientId: authResult ? hashToken(token ?? "unknown") : void 0,
+          error: authResult ? void 0 : "Authentication failed"
+        };
+      } else {
+        result = authResult;
+      }
+    } else {
+      result = validateApiKey(token, normalizedKeys);
+    }
+    if (!result.success) {
+      onAuthFailure?.(req, result.error ?? "Unknown error");
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Unauthorized",
+          message: result.error ?? "Authentication required",
+          requestId
+        })
+      );
+      return null;
+    }
+    const authRequest = {
+      request: req,
+      auth: result,
+      requestId,
+      timestamp
+    };
+    onAuthSuccess?.(req, result);
+    return authRequest;
+  };
+}
+function sendUnauthorized(res, message = "Unauthorized", requestId) {
+  res.writeHead(401, { "Content-Type": "application/json" });
+  res.end(
+    JSON.stringify({
+      error: "Unauthorized",
+      message,
+      requestId
+    })
+  );
+}
+function generateApiKey(prefix = "mcp") {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  let key = "";
+  for (let i = 0; i < 32; i++) {
+    key += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return `${prefix}_${key}`;
+}
+
 // src/runtime/server.ts
 var McpRuntimeServer = class {
   server;
   instance;
   metadata;
-  constructor(target, _options = {}) {
+  authOptions;
+  authMiddleware;
+  constructor(target, options = {}) {
     this.metadata = extractMetadata(target);
     if (!this.metadata.server) {
       throw new Error(`Class ${target.name} is not decorated with @McpServer`);
     }
+    this.authOptions = options.auth ?? {};
+    this.authMiddleware = createAuthMiddleware(this.authOptions);
     this.server = new Server(
       {
         name: this.metadata.server.name,
@@ -325,29 +473,461 @@ var McpRuntimeServer = class {
     return params;
   }
   /**
-   * Start the MCP server
+   * Start the MCP server with stdio transport
    */
   async start() {
     const transport = new StdioServerTransport();
     await this.server.connect(transport);
     console.error(`MCP server '${this.metadata.server?.name}' started on stdio`);
   }
+  /**
+   * Start the MCP server with SSE transport
+   */
+  async startSSE(options = {}) {
+    const port = options.port ?? 3e3;
+    const endpoint = options.endpoint ?? "/sse";
+    const httpServer = createServer(async (req, res) => {
+      res.setHeader("Access-Control-Allow-Origin", "*");
+      res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+      res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Api-Key");
+      if (req.method === "OPTIONS") {
+        res.writeHead(200);
+        res.end();
+        return;
+      }
+      const authResult = await this.authMiddleware(req, res);
+      if (!authResult) return;
+      const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+      if (this.authOptions.enabled) {
+        console.error(
+          `[${authResult.requestId}] ${authResult.auth.clientName ?? authResult.auth.clientId} - ${req.method} ${url.pathname}`
+        );
+      }
+      if (url.pathname === endpoint && req.method === "GET") {
+        const transport = new SSEServerTransport(endpoint, res);
+        await this.server.connect(transport);
+        return;
+      }
+      if (url.pathname === `${endpoint}/message` && req.method === "POST") {
+        let _body = "";
+        req.on("data", (chunk) => {
+          _body += chunk.toString();
+        });
+        req.on("end", () => {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ received: true }));
+        });
+        return;
+      }
+      if (url.pathname === "/health") {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            status: "ok",
+            server: this.metadata.server?.name,
+            version: this.metadata.server?.version
+          })
+        );
+        return;
+      }
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Not found" }));
+    });
+    return new Promise((resolve, reject) => {
+      httpServer.on("error", reject);
+      httpServer.listen(port, () => {
+        console.error(
+          `MCP server '${this.metadata.server?.name}' started on http://localhost:${port}${endpoint}`
+        );
+        resolve(httpServer);
+      });
+    });
+  }
   /**
    * Get the underlying MCP server instance
    */
   getServer() {
     return this.server;
   }
+  /**
+   * Start the MCP server with WebSocket transport
+   */
+  async startWebSocket(options = {}) {
+    const port = options.port ?? 8080;
+    const endpoint = options.endpoint ?? "/ws";
+    const httpServer = createServer(async (req, res) => {
+      res.setHeader("Access-Control-Allow-Origin", "*");
+      res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+      res.setHeader(
+        "Access-Control-Allow-Headers",
+        "Content-Type, Upgrade, Connection, Authorization, X-Api-Key"
+      );
+      if (req.method === "OPTIONS") {
+        res.writeHead(200);
+        res.end();
+        return;
+      }
+      if (req.url === "/health") {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            status: "ok",
+            server: this.metadata.server?.name,
+            version: this.metadata.server?.version,
+            transport: "websocket",
+            authEnabled: this.authOptions.enabled ?? false
+          })
+        );
+        return;
+      }
+      const authResult = await this.authMiddleware(req, res);
+      if (!authResult) return;
+      if (req.url === "/" || req.url?.startsWith("/?")) {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            name: this.metadata.server?.name,
+            version: this.metadata.server?.version,
+            websocket: `ws://localhost:${port}${endpoint}`,
+            tools: this.metadata.tools.length,
+            resources: this.metadata.resources.length,
+            prompts: this.metadata.prompts.length,
+            client: authResult.auth.clientName,
+            requestId: authResult.requestId
+          })
+        );
+        return;
+      }
+      res.writeHead(426, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Upgrade Required",
+          message: `Connect via WebSocket at ${endpoint}`
+        })
+      );
+    });
+    httpServer.on("upgrade", async (req, socket, _head) => {
+      const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+      if (url.pathname !== endpoint) {
+        socket.write("HTTP/1.1 404 Not Found\r\n\r\n");
+        socket.destroy();
+        return;
+      }
+      if (this.authOptions.enabled) {
+        const apiKeys = normalizeApiKeys(this.authOptions.apiKeys);
+        const token = extractApiKey(
+          req,
+          this.authOptions.headerName,
+          this.authOptions.queryParamName
+        );
+        const authResult = validateApiKey(token, apiKeys);
+        if (!authResult.success) {
+          socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+          socket.destroy();
+          this.authOptions.onAuthFailure?.(req, authResult.error ?? "Auth failed");
+          return;
+        }
+        console.error(
+          `[WebSocket] Client connected: ${authResult.clientName ?? authResult.clientId}`
+        );
+      }
+      const key = req.headers["sec-websocket-key"];
+      if (!key) {
+        socket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+        socket.destroy();
+        return;
+      }
+      const acceptKey = crypto.createHash("sha1").update(key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11").digest("base64");
+      socket.write(
+        `HTTP/1.1 101 Switching Protocols\r
+Upgrade: websocket\r
+Connection: Upgrade\r
+Sec-WebSocket-Accept: ${acceptKey}\r
+\r
+`
+      );
+      const sessions = /* @__PURE__ */ new Map();
+      const sessionId = crypto.randomUUID();
+      const encodeFrame = (data) => {
+        const payload = Buffer.from(data, "utf8");
+        const length = payload.length;
+        let frame;
+        if (length < 126) {
+          frame = Buffer.alloc(2 + length);
+          frame[0] = 129;
+          frame[1] = length;
+          payload.copy(frame, 2);
+        } else if (length < 65536) {
+          frame = Buffer.alloc(4 + length);
+          frame[0] = 129;
+          frame[1] = 126;
+          frame.writeUInt16BE(length, 2);
+          payload.copy(frame, 4);
+        } else {
+          frame = Buffer.alloc(10 + length);
+          frame[0] = 129;
+          frame[1] = 127;
+          frame.writeBigUInt64BE(BigInt(length), 2);
+          payload.copy(frame, 10);
+        }
+        return frame;
+      };
+      const decodeFrame = (buffer) => {
+        if (buffer.length < 2) return null;
+        const byte0 = buffer[0];
+        const byte1 = buffer[1];
+        const opcode = byte0 & 15;
+        const masked = (byte1 & 128) !== 0;
+        let payloadLength = byte1 & 127;
+        let offset = 2;
+        if (payloadLength === 126) {
+          if (buffer.length < 4) return null;
+          payloadLength = buffer.readUInt16BE(2);
+          offset = 4;
+        } else if (payloadLength === 127) {
+          if (buffer.length < 10) return null;
+          payloadLength = Number(buffer.readBigUInt64BE(2));
+          offset = 10;
+        }
+        if (masked) {
+          if (buffer.length < offset + 4 + payloadLength) return null;
+          const mask = buffer.slice(offset, offset + 4);
+          offset += 4;
+          const payload = buffer.slice(offset, offset + payloadLength);
+          for (let i = 0; i < payload.length; i++) {
+            const maskByte = mask[i % 4] ?? 0;
+            payload[i] = (payload[i] ?? 0) ^ maskByte;
+          }
+          return { opcode, payload: payload.toString("utf8") };
+        } else {
+          if (buffer.length < offset + payloadLength) return null;
+          return { opcode, payload: buffer.slice(offset, offset + payloadLength).toString("utf8") };
+        }
+      };
+      const send = (data) => {
+        try {
+          socket.write(encodeFrame(data));
+        } catch {
+        }
+      };
+      sessions.set(sessionId, { send });
+      send(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          method: "connection/established",
+          params: { sessionId, server: this.metadata.server?.name }
+        })
+      );
+      let messageBuffer = Buffer.alloc(0);
+      socket.on("data", async (chunk) => {
+        messageBuffer = Buffer.concat([messageBuffer, chunk]);
+        while (messageBuffer.length > 0) {
+          const frame = decodeFrame(messageBuffer);
+          if (!frame) break;
+          let frameSize = 2;
+          const byte1 = messageBuffer[1] ?? 0;
+          const payloadLength = byte1 & 127;
+          if (payloadLength === 126) frameSize = 4;
+          else if (payloadLength === 127) frameSize = 10;
+          if ((byte1 & 128) !== 0) frameSize += 4;
+          frameSize += frame.payload.length;
+          messageBuffer = messageBuffer.slice(frameSize);
+          if (frame.opcode === 8) {
+            socket.end();
+            return;
+          }
+          if (frame.opcode === 9) {
+            socket.write(Buffer.from([138, 0]));
+            continue;
+          }
+          if (frame.opcode === 1) {
+            try {
+              const message = JSON.parse(frame.payload);
+              const response = await this.handleWebSocketMessage(message);
+              if (response) {
+                send(JSON.stringify(response));
+              }
+            } catch (error) {
+              send(
+                JSON.stringify({
+                  jsonrpc: "2.0",
+                  error: { code: -32700, message: "Parse error" },
+                  id: null
+                })
+              );
+            }
+          }
+        }
+      });
+      socket.on("close", () => {
+        sessions.delete(sessionId);
+      });
+      socket.on("error", () => {
+        sessions.delete(sessionId);
+      });
+    });
+    return new Promise((resolve, reject) => {
+      httpServer.on("error", reject);
+      httpServer.listen(port, () => {
+        console.error(
+          `MCP server '${this.metadata.server?.name}' started on ws://localhost:${port}${endpoint}`
+        );
+        resolve(httpServer);
+      });
+    });
+  }
+  /**
+   * Handle WebSocket JSON-RPC messages
+   */
+  async handleWebSocketMessage(message) {
+    if (!message || typeof message !== "object") {
+      return { jsonrpc: "2.0", error: { code: -32600, message: "Invalid Request" }, id: null };
+    }
+    const req = message;
+    if (req.jsonrpc !== "2.0" || !req.method) {
+      return {
+        jsonrpc: "2.0",
+        error: { code: -32600, message: "Invalid Request" },
+        id: req.id ?? null
+      };
+    }
+    try {
+      let result;
+      switch (req.method) {
+        case "initialize":
+          result = {
+            protocolVersion: "2024-11-05",
+            serverInfo: {
+              name: this.metadata.server?.name,
+              version: this.metadata.server?.version ?? "1.0.0"
+            },
+            capabilities: {
+              tools: this.metadata.tools.length > 0 ? {} : void 0,
+              resources: this.metadata.resources.length > 0 ? {} : void 0,
+              prompts: this.metadata.prompts.length > 0 ? {} : void 0
+            }
+          };
+          break;
+        case "tools/list":
+          result = {
+            tools: this.metadata.tools.map((t) => ({
+              name: t.name,
+              description: t.description,
+              inputSchema: t.inputSchema ?? { type: "object", properties: {} }
+            }))
+          };
+          break;
+        case "tools/call": {
+          const toolParams = req.params;
+          const tool = this.metadata.tools.find((t) => t.name === toolParams.name);
+          if (!tool) {
+            return {
+              jsonrpc: "2.0",
+              error: { code: -32602, message: `Unknown tool: ${toolParams.name}` },
+              id: req.id
+            };
+          }
+          const method = Reflect.get(this.instance, tool.propertyKey);
+          const toolResult = await method.apply(this.instance, [toolParams.arguments ?? {}]);
+          result = {
+            content: [
+              {
+                type: "text",
+                text: typeof toolResult === "string" ? toolResult : JSON.stringify(toolResult)
+              }
+            ]
+          };
+          break;
+        }
+        case "resources/list":
+          result = {
+            resources: this.metadata.resources.map((r) => ({
+              uri: r.uri,
+              name: r.name,
+              description: r.description,
+              mimeType: r.mimeType
+            }))
+          };
+          break;
+        case "resources/read": {
+          const resParams = req.params;
+          for (const resource of this.metadata.resources) {
+            const uriParams = this.extractUriParams(resource.uri, resParams.uri);
+            if (uriParams) {
+              const resMethod = Reflect.get(this.instance, resource.propertyKey);
+              const args = this.resolveResourceArgs(resource.propertyKey, uriParams);
+              result = await resMethod.apply(this.instance, args);
+              break;
+            }
+          }
+          if (!result) {
+            return {
+              jsonrpc: "2.0",
+              error: { code: -32602, message: `Resource not found: ${resParams.uri}` },
+              id: req.id
+            };
+          }
+          break;
+        }
+        case "prompts/list":
+          result = {
+            prompts: this.metadata.prompts.map((p) => ({
+              name: p.name,
+              description: p.description,
+              arguments: p.arguments ?? []
+            }))
+          };
+          break;
+        case "prompts/get": {
+          const promptParams = req.params;
+          const prompt = this.metadata.prompts.find((p) => p.name === promptParams.name);
+          if (!prompt) {
+            return {
+              jsonrpc: "2.0",
+              error: { code: -32602, message: `Unknown prompt: ${promptParams.name}` },
+              id: req.id
+            };
+          }
+          const promptMethod = Reflect.get(this.instance, prompt.propertyKey);
+          const promptArgs = this.resolvePromptArgs(
+            prompt.propertyKey,
+            promptParams.arguments ?? {}
+          );
+          result = await promptMethod.apply(this.instance, promptArgs);
+          break;
+        }
+        default:
+          return {
+            jsonrpc: "2.0",
+            error: { code: -32601, message: `Method not found: ${req.method}` },
+            id: req.id
+          };
+      }
+      return { jsonrpc: "2.0", result, id: req.id };
+    } catch (error) {
+      return {
+        jsonrpc: "2.0",
+        error: { code: -32e3, message: error instanceof Error ? error.message : "Internal error" },
+        id: req.id
+      };
+    }
+  }
 };
-async function createMcpServer(target, options) {
+async function createMcpServer(target, options = {}) {
   const server = new McpRuntimeServer(target, options);
-  await server.start();
+  if (options.transport === "sse") {
+    await server.startSSE({ port: options.port, endpoint: options.endpoint });
+  } else if (options.transport === "websocket") {
+    await server.startWebSocket({ port: options.port, endpoint: options.endpoint });
+  } else {
+    await server.start();
+  }
   return server;
 }
 
 // src/index.ts
 var VERSION = "0.1.0";
 
-export { McpInput, McpParam, McpPrompt, McpPromptArg, McpResource, McpRuntimeServer, McpServer, McpTool, VERSION, createMcpServer, getMcpServers, getParamsMetadata, getPromptsMetadata, getResourcesMetadata, getServerMetadata, getToolsMetadata, isMcpServer };
+export { McpInput, McpParam, McpPrompt, McpPromptArg, McpResource, McpRuntimeServer, McpServer, McpTool, VERSION, createAuthMiddleware, createMcpServer, extractApiKey, generateApiKey, generateRequestId, getMcpServers, getParamsMetadata, getPromptsMetadata, getResourcesMetadata, getServerMetadata, getToolsMetadata, hashToken, isMcpServer, normalizeApiKeys, sendUnauthorized, validateApiKey };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map