@platf/bridge 0.0.16 → 0.0.17

package/src/lib/express.ts

@@ -0,0 +1,82 @@
+/**
+ * Shared Express application factory.
+ *
+ * Creates and configures the common Express setup used by both
+ * stateful and stateless bridges.
+ */
+
+import express, { type Express, type Response } from 'express'
+import cors, { type CorsOptions } from 'cors'
+import type { AuthConfig, Logger } from '../types.js'
+import { serializeCorsOrigin } from './cors.js'
+import { createDiscoveryRouter } from './discoveryRoutes.js'
+import { createOAuthProxyRouter } from './oauthProxy.js'
+import { createAuthMiddleware } from './authMiddleware.js'
+
+export interface CreateAppOptions {
+  logger: Logger
+  corsOrigin: CorsOptions['origin']
+  healthEndpoints: string[]
+  headers: Record<string, string>
+  auth: AuthConfig | null
+  /** Path for the MCP endpoint (used to apply auth middleware) */
+  mcpPath: string
+}
+
+/** Set custom response headers */
+export const setResponseHeaders = (res: Response, headers: Record<string, string>) =>
+  Object.entries(headers).forEach(([key, value]) => res.setHeader(key, value))
+
+/**
+ * Create and configure an Express application with shared middleware.
+ * 
+ * Sets up:
+ * - JSON body parser
+ * - Trust proxy (for X-Forwarded-* headers)
+ * - CORS (if configured)
+ * - Health endpoints
+ * - OAuth discovery routes (if auth enabled)
+ * - OAuth proxy routes (if auth enabled)
+ * - Auth middleware on mcpPath (if auth enabled)
+ */
+export function createApp(options: CreateAppOptions): Express {
+  const { logger, corsOrigin, healthEndpoints, headers, auth, mcpPath } = options
+
+  const app = express()
+  app.set('trust proxy', true)
+  app.use(express.json())
+
+  // CORS
+  if (corsOrigin) {
+    app.use(cors({ origin: corsOrigin, exposedHeaders: ['Mcp-Session-Id'] }))
+    logger.info(`  - CORS: enabled (${serializeCorsOrigin(corsOrigin)})`)
+  } else {
+    logger.info('  - CORS: disabled')
+  }
+
+  // Health endpoints
+  for (const ep of healthEndpoints) {
+    app.get(ep, (_req, res) => {
+      setResponseHeaders(res, headers)
+      res.send('ok')
+    })
+  }
+  if (healthEndpoints.length) {
+    logger.info(`  - Health endpoints: ${healthEndpoints.join(', ')}`)
+  }
+
+  // OAuth (when auth is enabled)
+  if (auth) {
+    // Discovery routes (PRM, AS metadata, pseudo-DCR)
+    app.use(createDiscoveryRouter(auth, logger))
+    // OAuth proxy routes (authorize redirect, token proxy, JWKS proxy)
+    app.use(createOAuthProxyRouter(auth, logger))
+    // Auth middleware on MCP path
+    app.use(mcpPath, createAuthMiddleware(auth, logger))
+    logger.info(`  - Auth: enabled (issuer=${auth.issuer})`)
+  } else {
+    logger.info('  - Auth: disabled')
+  }
+
+  return app
+}

package/src/lib/getLogger.ts

@@ -1,5 +1,5 @@
 import util from 'node:util'
-import type { Logger } from '../types.js'
+import type { Logger, LogLevel } from '../types.js'
 
 const defaultFormatArgs = (args: unknown[]) => args
 
@@ -40,10 +40,11 @@ const debugLogger: Logger = {
   error: logStderr({ formatArgs: debugFormatArgs }),
 }
 
-export type LogLevel = 'none' | 'info' | 'debug'
-
 export function getLogger(logLevel: LogLevel): Logger {
   if (logLevel === 'none') return noneLogger
   if (logLevel === 'debug') return debugLogger
   return infoLogger
 }
+
+// Re-export LogLevel for backward compatibility
+export type { LogLevel }

package/src/lib/mcpMessages.ts

@@ -0,0 +1,42 @@
+/**
+ * MCP message helpers for auto-initialization and protocol handling.
+ */
+
+import type { JSONRPCMessage } from '@modelcontextprotocol/sdk/types.js'
+import { VERSION, SERVER_NAME } from './config.js'
+
+/** Create a synthetic MCP initialize request */
+export function createInitializeRequest(
+  id: string | number,
+  protocolVersion: string,
+): JSONRPCMessage {
+  return {
+    jsonrpc: '2.0',
+    id,
+    method: 'initialize',
+    params: {
+      protocolVersion,
+      capabilities: {
+        roots: { listChanged: true },
+        sampling: {},
+      },
+      clientInfo: {
+        name: SERVER_NAME,
+        version: VERSION,
+      },
+    },
+  }
+}
+
+/** Create an initialized notification */
+export function createInitializedNotification(): JSONRPCMessage {
+  return {
+    jsonrpc: '2.0',
+    method: 'notifications/initialized',
+  }
+}
+
+/** Generate a unique ID for auto-init requests */
+export function generateAutoInitId(): string {
+  return `init_${Date.now()}_${Math.random().toString(36).slice(2, 11)}`
+}

package/src/lib/oauthProxy.ts

@@ -0,0 +1,86 @@
+/**
+ * OAuth 2.0 proxy routes for the bridge.
+ *
+ * These routes proxy OAuth endpoints to the upstream authorization server:
+ *  - GET  /oauth/authorize  → Redirect to upstream (preserves query params)
+ *  - POST /oauth/token      → Proxy to upstream
+ *  - GET  /jwks             → Proxy JWKS for token verification
+ *
+ * This separation allows the bridge to advertise itself as the authorization
+ * server while delegating actual auth operations to the upstream issuer.
+ */
+
+import { Router, type Request, type Response } from 'express'
+import type { AuthConfig, Logger } from '../types.js'
+
+export function createOAuthProxyRouter(auth: AuthConfig, logger: Logger): Router {
+  const router = Router()
+
+  /**
+   * OAuth Authorization Endpoint — Redirect to upstream
+   *
+   * Since the bridge advertises itself as the authorization_server,
+   * clients will attempt to call /oauth/authorize here. We redirect
+   * to the upstream auth server, preserving all query parameters.
+   */
+  router.get('/oauth/authorize', (req: Request, res: Response) => {
+    const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`)
+    // Copy all query params to upstream
+    for (const [key, value] of Object.entries(req.query)) {
+      if (typeof value === 'string') {
+        upstreamUrl.searchParams.set(key, value)
+      }
+    }
+    logger.info(`[oauth-proxy] Redirecting /oauth/authorize to upstream`)
+    res.redirect(upstreamUrl.toString())
+  })
+
+  /**
+   * OAuth Token Endpoint — Proxy to upstream
+   *
+   * Proxies token exchange requests to the upstream auth server.
+   */
+  router.post('/oauth/token', async (req: Request, res: Response) => {
+    try {
+      const upstreamUrl = `${auth.issuer}/oauth/token`
+      logger.info('[oauth-proxy] Proxying /oauth/token to upstream')
+
+      const upstreamRes = await fetch(upstreamUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': req.get('Content-Type') || 'application/x-www-form-urlencoded',
+        },
+        body: req.get('Content-Type')?.includes('application/json')
+          ? JSON.stringify(req.body)
+          : new URLSearchParams(req.body as Record<string, string>).toString(),
+      })
+
+      const data = await upstreamRes.text()
+      res.status(upstreamRes.status)
+      res.set('Content-Type', upstreamRes.headers.get('Content-Type') || 'application/json')
+      res.send(data)
+    } catch (err: any) {
+      logger.error('[oauth-proxy] Error proxying /oauth/token:', err.message ?? err)
+      res.status(502).json({ error: 'upstream_error' })
+    }
+  })
+
+  /**
+   * JWKS Endpoint — Proxy to upstream
+   *
+   * Proxies JSON Web Key Set requests for token verification.
+   */
+  router.get('/jwks', async (_req: Request, res: Response) => {
+    try {
+      const upstreamUrl = `${auth.issuer}/jwks`
+      const upstreamRes = await fetch(upstreamUrl)
+      const data = await upstreamRes.json()
+      res.json(data)
+    } catch (err: any) {
+      logger.error('[oauth-proxy] Error proxying /jwks:', err.message ?? err)
+      res.status(502).json({ error: 'upstream_error' })
+    }
+  })
+
+  return router
+}

package/src/types.ts

@@ -1,8 +1,12 @@
+/** Logger interface for structured logging */
 export interface Logger {
   info: (...args: unknown[]) => void
   error: (...args: unknown[]) => void
 }
 
+/** Log level for the logger */
+export type LogLevel = 'none' | 'info' | 'debug'
+
 /** OAuth auth config passed when --authIssuer is set */
 export interface AuthConfig {
   /** OAuth issuer URL (e.g. https://auth.platf.ai) */