@netpad/mcp-server-remote 1.2.0 → 1.5.0

package/api/mcp.ts

@@ -2,12 +2,20 @@ import type { VercelRequest, VercelResponse } from '@vercel/node';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import { createNetPadMcpServer } from '@netpad/mcp-server';
+import { validateAccessToken } from './lib/oauth.js';
+import {
+  recordMetric,
+  startMetricsContext,
+  getDuration,
+  extractToolFromBody,
+  flushMetrics,
+} from './lib/metrics.js';
 
 // Store transports by session ID for reconnection
 const transports = new Map<string, StreamableHTTPServerTransport>();
 
 // ============================================================================
-// API KEY AUTHENTICATION
+// AUTHENTICATION (Supports both OAuth tokens and API keys)
 // ============================================================================
 
 // Cache validated API keys for 5 minutes to reduce API calls
@@ -16,28 +24,46 @@ const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
 
 /**
  * Get the NetPad API base URL from environment or default
+ * Note: Using www.netpad.io because netpad.io redirects to www with 307
  */
 function getNetPadApiUrl(): string {
-  return process.env.NETPAD_API_URL || 'https://netpad.io';
+  return process.env.NETPAD_API_URL || 'https://www.netpad.io';
 }
 
 /**
- * Validate the API key by calling the NetPad API.
- * Uses the existing NetPad API key validation system.
- *
- * API keys should be in the format: np_live_xxx or np_test_xxx
+ * Authentication result
+ */
+interface AuthResult {
+  valid: boolean;
+  userId?: string;
+  organizationId?: string;
+  scope?: string;
+  error?: {
+    status: number;
+    error: string;
+    code: string;
+  };
+}
+
+/**
+ * Validate the request using either OAuth token or API key
  *
- * @returns null if valid, or an error response object if invalid
+ * Supports:
+ * 1. OAuth access tokens (JWT-like tokens from /token endpoint)
+ * 2. NetPad API keys (np_live_xxx or np_test_xxx)
  */
-async function validateApiKey(req: VercelRequest): Promise<{ status: number; error: string; code: string } | null> {
+async function validateRequest(req: VercelRequest): Promise<AuthResult> {
   const authHeader = req.headers['authorization'];
 
   // Check if Authorization header is present
   if (!authHeader) {
     return {
-      status: 401,
-      error: 'Missing Authorization header. Use: Authorization: Bearer np_live_xxx',
-      code: 'MISSING_API_KEY',
+      valid: false,
+      error: {
+        status: 401,
+        error: 'Missing Authorization header. Use: Authorization: Bearer <token>',
+        code: 'MISSING_AUTH',
+      },
     };
   }
 
@@ -45,41 +71,94 @@ async function validateApiKey(req: VercelRequest): Promise<{ status: number; err
   const parts = authHeader.split(' ');
   if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
     return {
-      status: 401,
-      error: 'Invalid Authorization header format. Use: Authorization: Bearer np_live_xxx',
-      code: 'INVALID_AUTH_FORMAT',
+      valid: false,
+      error: {
+        status: 401,
+        error: 'Invalid Authorization header format. Use: Authorization: Bearer <token>',
+        code: 'INVALID_AUTH_FORMAT',
+      },
     };
   }
 
-  const apiKey = parts[1].trim();
+  const token = parts[1].trim();
 
-  if (!apiKey) {
+  if (!token) {
     return {
-      status: 401,
-      error: 'API key is empty',
-      code: 'EMPTY_API_KEY',
+      valid: false,
+      error: {
+        status: 401,
+        error: 'Token is empty',
+        code: 'EMPTY_TOKEN',
+      },
     };
   }
 
-  // Validate key format (must start with np_live_ or np_test_)
-  if (!apiKey.startsWith('np_live_') && !apiKey.startsWith('np_test_')) {
+  // ============================================================================
+  // Try OAuth token first (JWT-like format with dots)
+  // ============================================================================
+  if (token.includes('.')) {
+    console.log('[MCP] Attempting OAuth token validation...');
+    const payload = validateAccessToken(token);
+    if (payload) {
+      console.log('[MCP] OAuth token valid:', { userId: payload.sub, org: payload.org });
+      return {
+        valid: true,
+        userId: payload.sub,
+        organizationId: payload.org,
+        scope: payload.scope,
+      };
+    }
+    // If it looks like a JWT but failed validation, return error
+    // (don't fall through to API key validation)
+    console.log('[MCP] OAuth token validation failed');
     return {
-      status: 401,
-      error: 'Invalid API key format. Keys should start with np_live_ or np_test_. Generate one at netpad.io/settings',
-      code: 'INVALID_API_KEY_FORMAT',
+      valid: false,
+      error: {
+        status: 401,
+        error: 'Invalid or expired OAuth token',
+        code: 'INVALID_OAUTH_TOKEN',
+      },
     };
   }
 
+  // ============================================================================
+  // Try API key (np_live_xxx or np_test_xxx format)
+  // ============================================================================
+  if (token.startsWith('np_live_') || token.startsWith('np_test_')) {
+    return validateApiKey(token);
+  }
+
+  // Unknown token format
+  return {
+    valid: false,
+    error: {
+      status: 401,
+      error: 'Invalid token format. Use an OAuth token or NetPad API key (np_live_xxx)',
+      code: 'INVALID_TOKEN_FORMAT',
+    },
+  };
+}
+
+/**
+ * Validate a NetPad API key
+ */
+async function validateApiKey(apiKey: string): Promise<AuthResult> {
   // Check cache first
   const cached = apiKeyCache.get(apiKey);
   if (cached && cached.expiresAt > Date.now()) {
     if (cached.valid) {
-      return null; // Valid key from cache
+      return {
+        valid: true,
+        organizationId: cached.organizationId,
+      };
     }
     return {
-      status: 401,
-      error: 'Invalid or expired API key',
-      code: 'INVALID_API_KEY',
+      valid: false,
+      error: {
+        status: 401,
+        error: 'Invalid or expired API key',
+        code: 'INVALID_API_KEY',
+      },
     };
   }
 
@@ -96,14 +175,18 @@ async function validateApiKey(req: VercelRequest): Promise<{ status: number; err
     });
 
     if (response.ok) {
-      const data = await response.json();
+      const data = await response.json() as { userId?: string; organizationId?: string };
       // Cache the valid result
       apiKeyCache.set(apiKey, {
         valid: true,
         organizationId: data.organizationId,
         expiresAt: Date.now() + CACHE_TTL_MS,
       });
-      return null; // Valid key
+      return {
+        valid: true,
+        userId: data.userId,
+        organizationId: data.organizationId,
+      };
     }
 
     // Key is invalid - cache the negative result too (shorter TTL)
@@ -113,11 +196,14 @@ async function validateApiKey(req: VercelRequest): Promise<{ status: number; err
     });
 
     // Parse error response
-    const errorData = await response.json().catch(() => ({}));
+    const errorData = await response.json().catch(() => ({})) as { error?: { message?: string; code?: string } };
     return {
-      status: response.status,
-      error: errorData.error?.message || 'Invalid or expired API key',
-      code: errorData.error?.code || 'INVALID_API_KEY',
+      valid: false,
+      error: {
+        status: response.status,
+        error: errorData.error?.message || 'Invalid or expired API key',
+        code: errorData.error?.code || 'INVALID_API_KEY',
+      },
     };
   } catch (error) {
     console.error('Error validating API key against NetPad:', error);
@@ -126,12 +212,14 @@ async function validateApiKey(req: VercelRequest): Promise<{ status: number; err
     // This allows the MCP server to work even if NetPad API is temporarily unavailable
     // but only accepts properly formatted keys
     console.warn('NetPad API unavailable, accepting key based on format validation only');
-    return null;
+    return { valid: true };
   }
 }
 
 // Main handler
 export default async function handler(req: VercelRequest, res: VercelResponse) {
+  const metricsContext = startMetricsContext();
+
   // Handle CORS preflight
   if (req.method === 'OPTIONS') {
     res.status(200).end();
@@ -141,16 +229,41 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
   // ============================================================================
   // AUTHENTICATE REQUEST
   // ============================================================================
-  const authError = await validateApiKey(req);
-  if (authError) {
-    res.status(authError.status).json({
-      error: authError.error,
-      code: authError.code,
-      hint: 'Generate an API key at netpad.io/settings and add it to Claude\'s connector settings under "Advanced settings".',
+  const authResult = await validateRequest(req);
+  if (!authResult.valid) {
+    // Record failed auth metric
+    recordMetric({
+      method: req.method as 'GET' | 'POST',
+      authMethod: 'none',
+      authSuccess: false,
+      durationMs: getDuration(metricsContext),
+      statusCode: authResult.error?.status || 401,
+      errorCode: authResult.error?.code,
+    });
+
+    // Flush metrics (serverless: memory is ephemeral)
+    flushMetrics().catch(() => {});
+
+    // Per MCP spec and RFC 9728, include WWW-Authenticate header with resource_metadata
+    // This tells OAuth clients where to find the authorization server
+    const resourceMetadataUrl = 'https://mcp.netpad.io/.well-known/oauth-protected-resource';
+    res.setHeader(
+      'WWW-Authenticate',
+      `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp read write"`
+    );
+    res.status(authResult.error?.status || 401).json({
+      error: authResult.error?.error || 'Authentication failed',
+      code: authResult.error?.code || 'AUTH_FAILED',
+      hint: 'Connect via Claude.ai Settings > Connectors, or use an API key from netpad.io/settings',
     });
     return;
   }
 
+  // Determine auth method for metrics
+  const authHeader = req.headers['authorization'] || '';
+  const token = authHeader.split(' ')[1] || '';
+  const authMethod: 'oauth' | 'api_key' = token.includes('.') ? 'oauth' : 'api_key';
+
   // Get session ID from headers
   const sessionId = req.headers['mcp-session-id'] as string | undefined;
 
@@ -164,7 +277,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
     // Create the full NetPad MCP server with all 80+ tools
     const server = createNetPadMcpServer({
       name: '@netpad/mcp-server-remote',
-      version: '1.1.0',
+      version: '1.2.0',
     });
     await server.connect(transport);
 
@@ -173,6 +286,21 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
       transports.set(transport.sessionId, transport);
     }
 
+    // Record successful SSE connection metric
+    recordMetric({
+      method: 'GET',
+      organizationId: authResult.organizationId,
+      userId: authResult.userId,
+      authMethod,
+      authSuccess: true,
+      durationMs: getDuration(metricsContext),
+      statusCode: 200,
+      sessionId: transport.sessionId,
+    });
+
+    // Flush metrics (serverless: memory is ephemeral)
+    flushMetrics().catch(() => {});
+
     await transport.handleRequest(
       req as unknown as IncomingMessage,
       res as unknown as ServerResponse
@@ -182,6 +310,9 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
 
   // Handle POST requests
   if (req.method === 'POST') {
+    // Extract tool name from request body for metrics
+    const tool = extractToolFromBody(req.body);
+
     // Try to reuse existing transport for this session
     let transport = sessionId ? transports.get(sessionId) : undefined;
 
@@ -194,7 +325,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
       // Create the full NetPad MCP server with all 80+ tools
       const server = createNetPadMcpServer({
         name: '@netpad/mcp-server-remote',
-        version: '1.1.0',
+        version: '1.2.0',
       });
       await server.connect(transport);
 
@@ -208,9 +339,34 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
       res as unknown as ServerResponse,
       req.body
     );
+
+    // Record POST request metric
+    recordMetric({
+      method: 'POST',
+      organizationId: authResult.organizationId,
+      userId: authResult.userId,
+      tool,
+      authMethod,
+      authSuccess: true,
+      durationMs: getDuration(metricsContext),
+      statusCode: 200,
+      sessionId: sessionId || transport.sessionId,
+    });
+
+    // Opportunistically flush metrics (non-blocking)
+    flushMetrics().catch(() => {});
     return;
   }
 
   // Method not allowed
+  recordMetric({
+    method: req.method as 'GET' | 'POST',
+    authMethod,
+    authSuccess: true,
+    durationMs: getDuration(metricsContext),
+    statusCode: 405,
+    errorCode: 'METHOD_NOT_ALLOWED',
+  });
+  flushMetrics().catch(() => {});
   res.status(405).json({ error: 'Method not allowed' });
 }

package/api/oauth-metadata.ts

@@ -0,0 +1,75 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata
+ *
+ * GET /.well-known/oauth-authorization-server
+ *
+ * This endpoint returns metadata about the OAuth server according to RFC 8414.
+ * Claude.ai and other OAuth clients can use this to discover endpoints.
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import { OAUTH_CONFIG } from './lib/oauth.js';
+
+export default function handler(req: VercelRequest, res: VercelResponse) {
+  if (req.method !== 'GET') {
+    res.status(405).json({ error: 'Method not allowed' });
+    return;
+  }
+
+  const issuer = OAUTH_CONFIG.issuer;
+
+  // OAuth 2.0 Authorization Server Metadata (RFC 8414)
+  const metadata = {
+    // REQUIRED: Issuer identifier
+    issuer: issuer,
+
+    // REQUIRED: Authorization endpoint
+    authorization_endpoint: `${issuer}/authorize`,
+
+    // REQUIRED: Token endpoint
+    token_endpoint: `${issuer}/token`,
+
+    // OPTIONAL: Registration endpoint (not implemented)
+    // registration_endpoint: `${issuer}/register`,
+
+    // OPTIONAL: Scopes supported
+    scopes_supported: Object.keys(OAUTH_CONFIG.scopes),
+
+    // REQUIRED: Response types supported
+    response_types_supported: ['code'],
+
+    // OPTIONAL: Response modes supported
+    response_modes_supported: ['query'],
+
+    // OPTIONAL: Grant types supported
+    grant_types_supported: ['authorization_code', 'refresh_token'],
+
+    // OPTIONAL: Token endpoint authentication methods
+    token_endpoint_auth_methods_supported: ['none'],
+
+    // OPTIONAL: PKCE code challenge methods (RFC 7636)
+    code_challenge_methods_supported: ['S256', 'plain'],
+
+    // MCP REQUIRED: Support for Client ID Metadata Documents
+    // This allows Claude.ai to use its hosted client metadata
+    client_id_metadata_document_supported: true,
+
+    // OPTIONAL: Service documentation
+    service_documentation: 'https://docs.netpad.io/docs/developer/mcp-server',
+
+    // OPTIONAL: MCP-specific metadata
+    mcp_endpoint: `${issuer}/mcp`,
+
+    // Custom: NetPad-specific info
+    netpad: {
+      name: 'NetPad MCP Server',
+      version: '1.2.0',
+      tools_count: '80+',
+      api_key_url: 'https://netpad.io/settings',
+    },
+  };
+
+  res.setHeader('Content-Type', 'application/json');
+  res.setHeader('Cache-Control', 'public, max-age=3600'); // Cache for 1 hour
+  res.status(200).json(metadata);
+}

package/api/oauth-protected-resource.ts

@@ -0,0 +1,40 @@
+/**
+ * OAuth 2.0 Protected Resource Metadata
+ *
+ * GET /.well-known/oauth-protected-resource
+ *
+ * This endpoint tells Claude.ai where to find the OAuth authorization server.
+ * Claude.ai queries this endpoint FIRST before initiating the OAuth flow.
+ */
+
+import type { VercelRequest, VercelResponse } from '@vercel/node';
+import { OAUTH_CONFIG } from './lib/oauth.js';
+
+export default function handler(req: VercelRequest, res: VercelResponse) {
+  if (req.method !== 'GET') {
+    res.status(405).json({ error: 'Method not allowed' });
+    return;
+  }
+
+  const issuer = OAUTH_CONFIG.issuer;
+
+  // OAuth 2.0 Protected Resource Metadata (RFC 9728)
+  // This tells clients where to find the authorization server
+  const metadata = {
+    // The resource server (this MCP server)
+    resource: issuer,
+
+    // Where to find the authorization server(s)
+    authorization_servers: [issuer],
+
+    // Bearer token is the only supported method
+    bearer_methods_supported: ['header'],
+
+    // Scopes required to access this resource
+    scopes_supported: Object.keys(OAUTH_CONFIG.scopes),
+  };
+
+  res.setHeader('Content-Type', 'application/json');
+  res.setHeader('Cache-Control', 'public, max-age=3600'); // Cache for 1 hour
+  res.status(200).json(metadata);
+}