@netpad/mcp-server-remote 1.2.0 → 1.4.2

package/api/oauth-metadata.ts

@@ -0,0 +1,71 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata
+ *
+ * GET /.well-known/oauth-authorization-server
+ *
+ * This endpoint returns metadata about the OAuth server according to RFC 8414.
+ * Claude.ai and other OAuth clients can use this to discover endpoints.
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import { OAUTH_CONFIG } from './lib/oauth.js';
+
+export default function handler(req: VercelRequest, res: VercelResponse) {
+  if (req.method !== 'GET') {
+    res.status(405).json({ error: 'Method not allowed' });
+    return;
+  }
+
+  const issuer = OAUTH_CONFIG.issuer;
+
+  // OAuth 2.0 Authorization Server Metadata (RFC 8414)
+  const metadata = {
+    // REQUIRED: Issuer identifier
+    issuer: issuer,
+
+    // REQUIRED: Authorization endpoint
+    authorization_endpoint: `${issuer}/authorize`,
+
+    // REQUIRED: Token endpoint
+    token_endpoint: `${issuer}/token`,
+
+    // OPTIONAL: Registration endpoint (not implemented)
+    // registration_endpoint: `${issuer}/register`,
+
+    // OPTIONAL: Scopes supported
+    scopes_supported: Object.keys(OAUTH_CONFIG.scopes),
+
+    // REQUIRED: Response types supported
+    response_types_supported: ['code'],
+
+    // OPTIONAL: Response modes supported
+    response_modes_supported: ['query'],
+
+    // OPTIONAL: Grant types supported
+    grant_types_supported: ['authorization_code', 'refresh_token'],
+
+    // OPTIONAL: Token endpoint authentication methods
+    token_endpoint_auth_methods_supported: ['none'],
+
+    // OPTIONAL: PKCE code challenge methods (RFC 7636)
+    code_challenge_methods_supported: ['S256', 'plain'],
+
+    // OPTIONAL: Service documentation
+    service_documentation: 'https://docs.netpad.io/docs/developer/mcp-server',
+
+    // OPTIONAL: MCP-specific metadata
+    mcp_endpoint: `${issuer}/mcp`,
+
+    // Custom: NetPad-specific info
+    netpad: {
+      name: 'NetPad MCP Server',
+      version: '1.2.0',
+      tools_count: '80+',
+      api_key_url: 'https://netpad.io/settings',
+    },
+  };
+
+  res.setHeader('Content-Type', 'application/json');
+  res.setHeader('Cache-Control', 'public, max-age=3600'); // Cache for 1 hour
+  res.status(200).json(metadata);
+}

package/api/oauth-protected-resource.ts

@@ -0,0 +1,40 @@
+/**
+ * OAuth 2.0 Protected Resource Metadata
+ *
+ * GET /.well-known/oauth-protected-resource
+ *
+ * This endpoint tells Claude.ai where to find the OAuth authorization server.
+ * Claude.ai queries this endpoint FIRST before initiating the OAuth flow.
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import { OAUTH_CONFIG } from './lib/oauth.js';
+
+export default function handler(req: VercelRequest, res: VercelResponse) {
+  if (req.method !== 'GET') {
+    res.status(405).json({ error: 'Method not allowed' });
+    return;
+  }
+
+  const issuer = OAUTH_CONFIG.issuer;
+
+  // OAuth 2.0 Protected Resource Metadata (RFC 9728)
+  // This tells clients where to find the authorization server
+  const metadata = {
+    // The resource server (this MCP server)
+    resource: issuer,
+
+    // Where to find the authorization server(s)
+    authorization_servers: [issuer],
+
+    // Bearer token is the only supported method
+    bearer_methods_supported: ['header'],
+
+    // Scopes required to access this resource
+    scopes_supported: Object.keys(OAUTH_CONFIG.scopes),
+  };
+
+  res.setHeader('Content-Type', 'application/json');
+  res.setHeader('Cache-Control', 'public, max-age=3600'); // Cache for 1 hour
+  res.status(200).json(metadata);
+}

package/api/token.ts

@@ -0,0 +1,213 @@
+/**
+ * OAuth 2.0 Token Endpoint
+ *
+ * POST /token - Exchange authorization code for tokens
+ *
+ * This endpoint:
+ * 1. Validates the authorization code
+ * 2. Verifies the PKCE code_verifier
+ * 3. Issues access_token and refresh_token
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import {
+  OAUTH_CONFIG,
+  consumeAuthorizationCode,
+  verifyPkceChallenge,
+  generateAccessToken,
+  generateRefreshToken,
+  exchangeRefreshToken,
+} from './lib/oauth.js';
+
+export default async function handler(req: VercelRequest, res: VercelResponse) {
+  // Set CORS headers for token endpoint
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+  res.setHeader('Cache-Control', 'no-store');
+  res.setHeader('Pragma', 'no-cache');
+
+  // Handle OPTIONS preflight
+  if (req.method === 'OPTIONS') {
+    res.status(200).end();
+    return;
+  }
+
+  // Only POST is allowed
+  if (req.method !== 'POST') {
+    res.status(405).json({ error: 'method_not_allowed' });
+    return;
+  }
+
+  // Parse body (support both JSON and form-urlencoded)
+  let body = req.body;
+  if (typeof body === 'string') {
+    try {
+      body = JSON.parse(body);
+    } catch {
+      // Try parsing as form-urlencoded
+      body = Object.fromEntries(new URLSearchParams(body));
+    }
+  }
+
+  const { grant_type, code, redirect_uri, code_verifier, refresh_token, client_id } = body;
+
+  console.log('[Token] Request received:', {
+    grant_type,
+    code: code ? `${code.substring(0, 30)}...` : undefined,
+    redirect_uri,
+    code_verifier: code_verifier ? `${code_verifier.substring(0, 20)}...` : undefined,
+    client_id,
+  });
+
+  // ============================================================================
+  // Authorization Code Grant
+  // ============================================================================
+  if (grant_type === 'authorization_code') {
+    // Validate required parameters
+    if (!code) {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'code is required',
+      });
+      return;
+    }
+
+    if (!redirect_uri) {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'redirect_uri is required',
+      });
+      return;
+    }
+
+    if (!code_verifier) {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'code_verifier is required (PKCE)',
+      });
+      return;
+    }
+
+    // Consume the authorization code (one-time use)
+    console.log('[Token] Attempting to consume auth code...');
+    const authCode = consumeAuthorizationCode(code);
+
+    if (!authCode) {
+      console.log('[Token] Auth code validation failed');
+      res.status(400).json({
+        error: 'invalid_grant',
+        error_description: 'Authorization code is invalid, expired, or already used',
+      });
+      return;
+    }
+
+    console.log('[Token] Auth code valid:', {
+      clientId: authCode.clientId,
+      userId: authCode.userId,
+      scope: authCode.scope,
+    });
+
+    // Validate redirect_uri matches
+    if (authCode.redirectUri !== redirect_uri) {
+      console.log('[Token] redirect_uri mismatch:', {
+        expected: authCode.redirectUri,
+        received: redirect_uri,
+      });
+      res.status(400).json({
+        error: 'invalid_grant',
+        error_description: 'redirect_uri does not match',
+      });
+      return;
+    }
+
+    console.log('[Token] redirect_uri validated OK');
+
+    // Verify PKCE
+    console.log('[Token] Verifying PKCE...');
+    const pkceValid = verifyPkceChallenge(
+      code_verifier,
+      authCode.codeChallenge,
+      authCode.codeChallengeMethod
+    );
+
+    if (!pkceValid) {
+      console.log('[Token] PKCE verification failed:', {
+        verifier: code_verifier?.substring(0, 20) + '...',
+        challenge: authCode.codeChallenge?.substring(0, 20) + '...',
+        method: authCode.codeChallengeMethod,
+      });
+      res.status(400).json({
+        error: 'invalid_grant',
+        error_description: 'PKCE verification failed',
+      });
+      return;
+    }
+
+    console.log('[Token] PKCE verified OK, generating tokens...');
+
+    // Generate tokens
+    const accessToken = generateAccessToken({
+      userId: authCode.userId,
+      organizationId: authCode.organizationId,
+      scope: authCode.scope,
+    });
+
+    const refreshToken = generateRefreshToken({
+      userId: authCode.userId,
+      organizationId: authCode.organizationId,
+      scope: authCode.scope,
+    });
+
+    // Return token response
+    console.log('[Token] SUCCESS - returning tokens');
+    res.status(200).json({
+      access_token: accessToken,
+      token_type: 'Bearer',
+      expires_in: OAUTH_CONFIG.accessTokenTtlSeconds,
+      refresh_token: refreshToken,
+      scope: authCode.scope,
+    });
+    return;
+  }
+
+  // ============================================================================
+  // Refresh Token Grant
+  // ============================================================================
+  if (grant_type === 'refresh_token') {
+    if (!refresh_token) {
+      res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'refresh_token is required',
+      });
+      return;
+    }
+
+    const newTokens = exchangeRefreshToken(refresh_token);
+
+    if (!newTokens) {
+      res.status(400).json({
+        error: 'invalid_grant',
+        error_description: 'Refresh token is invalid or expired',
+      });
+      return;
+    }
+
+    res.status(200).json({
+      access_token: newTokens.accessToken,
+      token_type: 'Bearer',
+      expires_in: newTokens.expiresIn,
+      refresh_token: newTokens.refreshToken,
+      scope: newTokens.scope,
+    });
+    return;
+  }
+
+  // ============================================================================
+  // Unsupported Grant Type
+  // ============================================================================
+  res.status(400).json({
+    error: 'unsupported_grant_type',
+    error_description: 'Only authorization_code and refresh_token grants are supported',
+  });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@netpad/mcp-server-remote",
-  "version": "1.2.0",
+  "version": "1.4.2",
   "description": "Remote MCP server for NetPad - deployable to Vercel for Claude custom connectors. Includes all 80+ tools from @netpad/mcp-server.",
   "author": "Michael Lynn",
   "license": "Apache-2.0",
@@ -12,7 +12,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "@netpad/mcp-server": "file:../mcp-server",
+    "@netpad/mcp-server": "^2.3.0",
     "zod": "^3.23.0"
   },
   "devDependencies": {

package/vercel.json

@@ -9,6 +9,26 @@
       "source": "/health",
       "destination": "/api/health"
     },
+    {
+      "source": "/authorize",
+      "destination": "/api/authorize"
+    },
+    {
+      "source": "/token",
+      "destination": "/api/token"
+    },
+    {
+      "source": "/.well-known/oauth-authorization-server",
+      "destination": "/api/oauth-metadata"
+    },
+    {
+      "source": "/.well-known/oauth-protected-resource",
+      "destination": "/api/oauth-protected-resource"
+    },
+    {
+      "source": "/oauth-metadata",
+      "destination": "/api/oauth-metadata"
+    },
     {
       "source": "/",
       "destination": "/api/index"