@netpad/mcp-server-remote 1.2.0 → 1.4.2

package/api/.well-known/oauth-authorization-server.ts

@@ -0,0 +1,71 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata
+ *
+ * GET /.well-known/oauth-authorization-server
+ *
+ * This endpoint returns metadata about the OAuth server according to RFC 8414.
+ * Claude.ai and other OAuth clients can use this to discover endpoints.
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import { OAUTH_CONFIG } from '../lib/oauth.js';
+
+export default function handler(req: VercelRequest, res: VercelResponse) {
+  if (req.method !== 'GET') {
+    res.status(405).json({ error: 'Method not allowed' });
+    return;
+  }
+
+  const issuer = OAUTH_CONFIG.issuer;
+
+  // OAuth 2.0 Authorization Server Metadata (RFC 8414)
+  const metadata = {
+    // REQUIRED: Issuer identifier
+    issuer: issuer,
+
+    // REQUIRED: Authorization endpoint
+    authorization_endpoint: `${issuer}/authorize`,
+
+    // REQUIRED: Token endpoint
+    token_endpoint: `${issuer}/token`,
+
+    // OPTIONAL: Registration endpoint (not implemented)
+    // registration_endpoint: `${issuer}/register`,
+
+    // OPTIONAL: Scopes supported
+    scopes_supported: Object.keys(OAUTH_CONFIG.scopes),
+
+    // REQUIRED: Response types supported
+    response_types_supported: ['code'],
+
+    // OPTIONAL: Response modes supported
+    response_modes_supported: ['query'],
+
+    // OPTIONAL: Grant types supported
+    grant_types_supported: ['authorization_code', 'refresh_token'],
+
+    // OPTIONAL: Token endpoint authentication methods
+    token_endpoint_auth_methods_supported: ['none'],
+
+    // OPTIONAL: PKCE code challenge methods (RFC 7636)
+    code_challenge_methods_supported: ['S256', 'plain'],
+
+    // OPTIONAL: Service documentation
+    service_documentation: 'https://docs.netpad.io/docs/developer/mcp-server',
+
+    // OPTIONAL: MCP-specific metadata
+    mcp_endpoint: `${issuer}/mcp`,
+
+    // Custom: NetPad-specific info
+    netpad: {
+      name: 'NetPad MCP Server',
+      version: '1.2.0',
+      tools_count: '80+',
+      api_key_url: 'https://netpad.io/settings',
+    },
+  };
+
+  res.setHeader('Content-Type', 'application/json');
+  res.setHeader('Cache-Control', 'public, max-age=3600'); // Cache for 1 hour
+  res.status(200).json(metadata);
+}

package/api/authorize.ts

@@ -0,0 +1,538 @@
+/**
+ * OAuth 2.0 Authorization Endpoint
+ *
+ * GET /authorize - Initiates the OAuth flow
+ *
+ * This endpoint:
+ * 1. Validates the OAuth client and redirect URI
+ * 2. Redirects to NetPad login if user is not authenticated
+ * 3. Shows consent screen (or auto-approves for trusted clients)
+ * 4. Redirects back to Claude.ai with an authorization code
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import {
+  OAUTH_CONFIG,
+  validateClient,
+  validateScopes,
+  generateAuthorizationCode,
+} from './lib/oauth.js';
+
+/**
+ * Generate the HTML for the authorization page
+ */
+function generateAuthorizationPage(params: {
+  clientId: string;
+  redirectUri: string;
+  scope: string;
+  state: string;
+  codeChallenge: string;
+  codeChallengeMethod: string;
+  error?: string;
+}): string {
+  const netpadUrl = OAUTH_CONFIG.netpadApiUrl;
+  const scopes = params.scope.split(' ').filter(Boolean);
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authorize NetPad - Claude.ai</title>
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .container {
+      background: white;
+      border-radius: 16px;
+      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+      max-width: 420px;
+      width: 100%;
+      overflow: hidden;
+    }
+    .header {
+      background: linear-gradient(135deg, #00d9a5 0%, #00b894 100%);
+      padding: 32px;
+      text-align: center;
+    }
+    .logo {
+      width: 200px;
+      height: 200px;
+      margin: 0 auto 12px;
+    }
+    .logo img {
+      width: 100%;
+      height: 100%;
+      object-fit: contain;
+    }
+    .header h1 {
+      color: white;
+      font-size: 24px;
+      font-weight: 600;
+    }
+    .header p {
+      color: rgba(255, 255, 255, 0.9);
+      margin-top: 8px;
+      font-size: 14px;
+    }
+    .content {
+      padding: 32px;
+    }
+    .app-info {
+      display: flex;
+      align-items: center;
+      gap: 16px;
+      padding: 16px;
+      background: #f8f9fa;
+      border-radius: 12px;
+      margin-bottom: 24px;
+    }
+    .app-icon {
+      width: 48px;
+      height: 48px;
+      background: #5436da;
+      border-radius: 10px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      color: white;
+      font-weight: bold;
+      font-size: 18px;
+    }
+    .app-details h3 {
+      font-size: 16px;
+      color: #333;
+    }
+    .app-details p {
+      font-size: 13px;
+      color: #666;
+      margin-top: 2px;
+    }
+    .permissions {
+      margin-bottom: 24px;
+    }
+    .permissions h4 {
+      font-size: 14px;
+      color: #333;
+      margin-bottom: 12px;
+    }
+    .permission-item {
+      display: flex;
+      align-items: center;
+      gap: 12px;
+      padding: 12px;
+      background: #f8f9fa;
+      border-radius: 8px;
+      margin-bottom: 8px;
+    }
+    .permission-icon {
+      width: 32px;
+      height: 32px;
+      background: #e8f5e9;
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      color: #4caf50;
+    }
+    .permission-text {
+      font-size: 14px;
+      color: #333;
+    }
+    .error-message {
+      background: #ffebee;
+      color: #c62828;
+      padding: 12px 16px;
+      border-radius: 8px;
+      margin-bottom: 16px;
+      font-size: 14px;
+    }
+    .form-group {
+      margin-bottom: 16px;
+    }
+    .form-group label {
+      display: block;
+      font-size: 14px;
+      color: #333;
+      margin-bottom: 8px;
+      font-weight: 500;
+    }
+    .form-group input {
+      width: 100%;
+      padding: 12px 16px;
+      border: 2px solid #e0e0e0;
+      border-radius: 8px;
+      font-size: 16px;
+      transition: border-color 0.2s;
+    }
+    .form-group input:focus {
+      outline: none;
+      border-color: #00b894;
+    }
+    .buttons {
+      display: flex;
+      gap: 12px;
+      margin-top: 24px;
+    }
+    .btn {
+      flex: 1;
+      padding: 14px 24px;
+      border: none;
+      border-radius: 8px;
+      font-size: 16px;
+      font-weight: 600;
+      cursor: pointer;
+      transition: all 0.2s;
+    }
+    .btn-primary {
+      background: #00b894;
+      color: white;
+    }
+    .btn-primary:hover {
+      background: #00a383;
+    }
+    .btn-secondary {
+      background: #f5f5f5;
+      color: #666;
+    }
+    .btn-secondary:hover {
+      background: #e0e0e0;
+    }
+    .footer {
+      text-align: center;
+      padding: 16px 32px 32px;
+      font-size: 12px;
+      color: #999;
+    }
+    .footer a {
+      color: #00b894;
+      text-decoration: none;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="header">
+      <div class="logo">
+        <img src="${netpadUrl}/micro-mark-black-trans.png" alt="NetPad" onerror="this.parentElement.innerHTML='NP'">
+      </div>
+      <h1>Connect to NetPad</h1>
+      <p>Authorize Claude.ai to access your NetPad workspace</p>
+    </div>
+    <div class="content">
+      ${params.error ? `<div class="error-message">${params.error}</div>` : ''}
+
+      <div class="app-info">
+        <div class="app-icon">C</div>
+        <div class="app-details">
+          <h3>Claude.ai</h3>
+          <p>wants to access your NetPad account</p>
+        </div>
+      </div>
+
+      <div class="permissions">
+        <h4>This will allow Claude.ai to:</h4>
+        ${scopes.map(scope => {
+          const descriptions: Record<string, string> = {
+            'claudeai': 'Connect via Claude.ai interface',
+            'mcp': 'Use NetPad MCP tools (80+ tools)',
+            'read': 'View your forms, workflows, and data',
+            'write': 'Create and modify forms and workflows',
+          };
+          return `
+            <div class="permission-item">
+              <div class="permission-icon">&#10003;</div>
+              <span class="permission-text">${descriptions[scope] || scope}</span>
+            </div>
+          `;
+        }).join('')}
+      </div>
+
+      <form method="POST" action="/api/authorize">
+        <input type="hidden" name="client_id" value="${params.clientId}">
+        <input type="hidden" name="redirect_uri" value="${params.redirectUri}">
+        <input type="hidden" name="scope" value="${params.scope}">
+        <input type="hidden" name="state" value="${params.state}">
+        <input type="hidden" name="code_challenge" value="${params.codeChallenge}">
+        <input type="hidden" name="code_challenge_method" value="${params.codeChallengeMethod}">
+
+        <div class="form-group">
+          <label for="api_key">Your NetPad API Key</label>
+          <input
+            type="password"
+            id="api_key"
+            name="api_key"
+            placeholder="np_live_xxxxx or np_test_xxxxx"
+            required
+            autocomplete="off"
+          >
+        </div>
+
+        <p style="font-size: 13px; color: #666; margin-bottom: 16px;">
+          Don't have an API key? <a href="${netpadUrl}/settings" target="_blank" style="color: #00b894;">Create one in NetPad Settings</a>
+        </p>
+
+        <div class="buttons">
+          <button type="button" class="btn btn-secondary" onclick="handleDeny()">Deny</button>
+          <button type="submit" class="btn btn-primary">Authorize</button>
+        </div>
+      </form>
+    </div>
+    <div class="footer">
+      By authorizing, you agree to NetPad's <a href="${netpadUrl}/terms">Terms of Service</a>
+      and <a href="${netpadUrl}/privacy">Privacy Policy</a>.
+    </div>
+  </div>
+
+  <script>
+    function handleDeny() {
+      const redirectUri = new URL('${params.redirectUri}');
+      redirectUri.searchParams.set('error', 'access_denied');
+      redirectUri.searchParams.set('error_description', 'User denied the authorization request');
+      ${params.state ? `redirectUri.searchParams.set('state', '${params.state}');` : ''}
+      window.location.href = redirectUri.toString();
+    }
+  </script>
+</body>
+</html>`;
+}
+
+export default async function handler(req: VercelRequest, res: VercelResponse) {
+  // Handle both GET (show form) and POST (process authorization)
+
+  if (req.method === 'GET') {
+    // ========================================================================
+    // GET /authorize - Show authorization page
+    // ========================================================================
+
+    const {
+      response_type,
+      client_id,
+      redirect_uri,
+      code_challenge,
+      code_challenge_method,
+      state,
+      scope,
+    } = req.query;
+
+    // Validate required parameters
+    if (response_type !== 'code') {
+      res.status(400).json({
+        error: 'unsupported_response_type',
+        error_description: 'Only "code" response_type is supported',
+      });
+      return;
+    }
+
+    if (!client_id || typeof client_id !== 'string') {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'client_id is required',
+      });
+      return;
+    }
+
+    if (!redirect_uri || typeof redirect_uri !== 'string') {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'redirect_uri is required',
+      });
+      return;
+    }
+
+    // Validate client and redirect URI
+    const clientValidation = validateClient(client_id, redirect_uri);
+    if (!clientValidation.valid) {
+      res.status(400).json({
+        error: clientValidation.error,
+        error_description: 'Invalid client_id or redirect_uri',
+      });
+      return;
+    }
+
+    // PKCE is required
+    if (!code_challenge || typeof code_challenge !== 'string') {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'code_challenge is required (PKCE)',
+      });
+      return;
+    }
+
+    const challengeMethod = (code_challenge_method as string) || 'S256';
+    if (challengeMethod !== 'S256' && challengeMethod !== 'plain') {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'code_challenge_method must be S256 or plain',
+      });
+      return;
+    }
+
+    // Generate and serve the authorization page
+    const html = generateAuthorizationPage({
+      clientId: client_id,
+      redirectUri: redirect_uri,
+      scope: (scope as string) || 'mcp',
+      state: (state as string) || '',
+      codeChallenge: code_challenge,
+      codeChallengeMethod: challengeMethod,
+    });
+
+    res.setHeader('Content-Type', 'text/html');
+    res.status(200).send(html);
+    return;
+  }
+
+  if (req.method === 'POST') {
+    // ========================================================================
+    // POST /authorize - Process authorization (user submitted the form)
+    // ========================================================================
+
+    const {
+      client_id,
+      redirect_uri,
+      scope,
+      state,
+      code_challenge,
+      code_challenge_method,
+      api_key,
+    } = req.body;
+
+    // Validate the API key against NetPad
+    if (!api_key || typeof api_key !== 'string') {
+      const html = generateAuthorizationPage({
+        clientId: client_id,
+        redirectUri: redirect_uri,
+        scope: scope || 'mcp',
+        state: state || '',
+        codeChallenge: code_challenge,
+        codeChallengeMethod: code_challenge_method || 'S256',
+        error: 'Please enter your NetPad API key',
+      });
+      res.setHeader('Content-Type', 'text/html');
+      res.status(400).send(html);
+      return;
+    }
+
+    // Validate API key format
+    if (!api_key.startsWith('np_live_') && !api_key.startsWith('np_test_')) {
+      const html = generateAuthorizationPage({
+        clientId: client_id,
+        redirectUri: redirect_uri,
+        scope: scope || 'mcp',
+        state: state || '',
+        codeChallenge: code_challenge,
+        codeChallengeMethod: code_challenge_method || 'S256',
+        error: 'Invalid API key format. Keys should start with np_live_ or np_test_',
+      });
+      res.setHeader('Content-Type', 'text/html');
+      res.status(400).send(html);
+      return;
+    }
+
+    // Validate the API key against NetPad API
+    try {
+      const netpadUrl = OAUTH_CONFIG.netpadApiUrl;
+      console.log(`[OAuth] Validating API key against ${netpadUrl}/api/v1/auth/validate`);
+      console.log(`[OAuth] Key prefix: ${api_key.substring(0, 16)}...`);
+
+      const response = await fetch(`${netpadUrl}/api/v1/auth/validate`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${api_key}`,
+        },
+        body: JSON.stringify({ source: 'mcp-server-remote-oauth' }),
+      });
+
+      console.log(`[OAuth] Validation response status: ${response.status}`);
+
+      if (!response.ok) {
+        const errorBody = await response.text();
+        console.log(`[OAuth] Validation error response: ${errorBody}`);
+
+        let errorMessage = 'Invalid or expired API key. Please check your key and try again.';
+        try {
+          const errorJson = JSON.parse(errorBody);
+          if (errorJson.error?.message) {
+            errorMessage = errorJson.error.message;
+          }
+        } catch {
+          // Keep default error message
+        }
+
+        const html = generateAuthorizationPage({
+          clientId: client_id,
+          redirectUri: redirect_uri,
+          scope: scope || 'mcp',
+          state: state || '',
+          codeChallenge: code_challenge,
+          codeChallengeMethod: code_challenge_method || 'S256',
+          error: errorMessage,
+        });
+        res.setHeader('Content-Type', 'text/html');
+        res.status(400).send(html);
+        return;
+      }
+
+      const userData = await response.json();
+      const userId = userData.userId || userData.user?.id || 'unknown';
+      const organizationId = userData.organizationId || userData.organization?.id || 'unknown';
+
+      // Validate scopes
+      const validatedScopes = validateScopes(scope || 'mcp', client_id);
+
+      // Generate authorization code
+      const authCode = generateAuthorizationCode({
+        clientId: client_id,
+        redirectUri: redirect_uri,
+        scope: validatedScopes.join(' '),
+        codeChallenge: code_challenge,
+        codeChallengeMethod: code_challenge_method || 'S256',
+        userId,
+        organizationId,
+      });
+
+      // Build redirect URL with authorization code
+      const redirectUrl = new URL(redirect_uri);
+      redirectUrl.searchParams.set('code', authCode);
+      if (state) {
+        redirectUrl.searchParams.set('state', state);
+      }
+
+      // Redirect back to Claude.ai
+      res.redirect(302, redirectUrl.toString());
+      return;
+    } catch (error) {
+      console.error('Error validating API key:', error);
+
+      const html = generateAuthorizationPage({
+        clientId: client_id,
+        redirectUri: redirect_uri,
+        scope: scope || 'mcp',
+        state: state || '',
+        codeChallenge: code_challenge,
+        codeChallengeMethod: code_challenge_method || 'S256',
+        error: 'Unable to validate API key. Please try again.',
+      });
+      res.setHeader('Content-Type', 'text/html');
+      res.status(500).send(html);
+      return;
+    }
+  }
+
+  // Method not allowed
+  res.status(405).json({ error: 'Method not allowed' });
+}

package/api/index.ts

@@ -1,13 +1,18 @@
 import type { VercelRequest, VercelResponse } from '@vercel/node';
 
 export default function handler(req: VercelRequest, res: VercelResponse) {
+  const baseUrl = process.env.OAUTH_ISSUER || 'https://mcp.netpad.io';
+
   res.status(200).json({
     name: '@netpad/mcp-server-remote',
-    version: '1.1.0',
+    version: '1.2.0',
     description: 'NetPad MCP Server - Remote API for Claude Custom Connectors. Includes all 80+ tools from @netpad/mcp-server.',
     endpoints: {
       mcp: '/mcp',
       health: '/health',
+      authorize: '/authorize',
+      token: '/token',
+      oauth_metadata: '/.well-known/oauth-authorization-server',
     },
     features: {
       tools: '80+ tools',
@@ -25,9 +30,27 @@ export default function handler(req: VercelRequest, res: VercelResponse) {
       ],
     },
     authentication: {
-      type: 'Bearer token',
-      format: 'Authorization: Bearer np_live_xxx',
-      generateAt: 'https://netpad.io/settings',
+      methods: ['oauth2', 'api_key'],
+      oauth2: {
+        type: 'OAuth 2.0 + PKCE',
+        authorization_endpoint: `${baseUrl}/authorize`,
+        token_endpoint: `${baseUrl}/token`,
+        metadata_endpoint: `${baseUrl}/.well-known/oauth-authorization-server`,
+      },
+      api_key: {
+        type: 'Bearer token',
+        format: 'Authorization: Bearer np_live_xxx',
+        generateAt: 'https://netpad.io/settings',
+      },
+    },
+    claude_ai_setup: {
+      instructions: [
+        '1. Go to Claude.ai Settings > Connectors',
+        '2. Click "Add custom connector"',
+        `3. Enter URL: ${baseUrl}/mcp`,
+        '4. Click "Connect" to authorize with your NetPad account',
+        '5. Enable the connector in your conversations',
+      ],
     },
     documentation: 'https://docs.netpad.io/docs/developer/mcp-server',
   });