@studiometa/productive-mcp 0.8.5 → 0.9.1

package/dist/oauth.js

@@ -1,264 +1,290 @@
-import { defineEventHandler, setResponseHeader, readBody, getQuery, sendRedirect } from "h3";
-import { createHash } from "node:crypto";
 import { createAuthToken } from "./auth.js";
 import { createAuthCode, decodeAuthCode } from "./crypto.js";
+import { defineEventHandler, getQuery, readBody, sendRedirect, setResponseHeader } from "h3";
+import { createHash } from "node:crypto";
+/**
+* OAuth 2.0 endpoints for Claude Desktop integration
+*
+* Implements OAuth 2.1 with PKCE as specified in the MCP authorization spec.
+* Uses stateless encrypted tokens - no server-side storage required.
+*
+* Spec: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization
+*
+* Flow:
+* 1. Claude redirects user to /authorize with OAuth params (including PKCE)
+* 2. User enters Productive credentials in login form
+* 3. Server encrypts credentials + PKCE challenge into authorization code
+* 4. Redirects back to Claude with the code
+* 5. Claude exchanges code for access token via /token (with code_verifier)
+* 6. Server validates PKCE and returns access token
+*/
+/**
+* OAuth metadata for discovery (RFC 8414)
+* GET /.well-known/oauth-authorization-server
+*
+* MCP clients MUST check this endpoint first for server capabilities.
+*/
 const oauthMetadataHandler = defineEventHandler((event) => {
-  const host = event.node.req.headers.host || "localhost:3000";
-  const protocol = event.node.req.headers["x-forwarded-proto"] || "http";
-  const baseUrl = `${protocol}://${host}`;
-  setResponseHeader(event, "Content-Type", "application/json");
-  setResponseHeader(event, "Cache-Control", "public, max-age=3600");
-  return {
-    // Required fields per RFC 8414
-    issuer: baseUrl,
-    authorization_endpoint: `${baseUrl}/authorize`,
-    token_endpoint: `${baseUrl}/token`,
-    response_types_supported: ["code"],
-    // OAuth 2.1 / MCP requirements
-    grant_types_supported: ["authorization_code", "refresh_token"],
-    code_challenge_methods_supported: ["S256"],
-    token_endpoint_auth_methods_supported: ["none"],
-    // Public client
-    // Optional but useful
-    registration_endpoint: `${baseUrl}/register`,
-    scopes_supported: ["productive"],
-    service_documentation: "https://github.com/studiometa/productive-tools"
-  };
+	const host = event.node.req.headers.host || "localhost:3000";
+	const baseUrl = `${event.node.req.headers["x-forwarded-proto"] || "http"}://${host}`;
+	setResponseHeader(event, "Content-Type", "application/json");
+	setResponseHeader(event, "Cache-Control", "public, max-age=3600");
+	return {
+		issuer: baseUrl,
+		authorization_endpoint: `${baseUrl}/authorize`,
+		token_endpoint: `${baseUrl}/token`,
+		response_types_supported: ["code"],
+		grant_types_supported: ["authorization_code", "refresh_token"],
+		code_challenge_methods_supported: ["S256"],
+		token_endpoint_auth_methods_supported: ["none"],
+		registration_endpoint: `${baseUrl}/register`,
+		scopes_supported: ["productive"],
+		service_documentation: "https://github.com/studiometa/productive-tools"
+	};
 });
+/**
+* Dynamic Client Registration endpoint (RFC 7591)
+* POST /register
+*
+* MCP servers SHOULD support DCR to allow clients to register automatically.
+* Since we use stateless tokens, we accept any registration and return
+* a generated client_id.
+*/
 const registerHandler = defineEventHandler(async (event) => {
-  setResponseHeader(event, "Content-Type", "application/json");
-  let body;
-  try {
-    body = await readBody(event);
-  } catch {
-    event.node.res.statusCode = 400;
-    return {
-      error: "invalid_request",
-      error_description: "Invalid JSON body"
-    };
-  }
-  const clientName = body.client_name || "MCP Client";
-  const redirectUris = body.redirect_uris || [];
-  const clientId = Buffer.from(
-    JSON.stringify({
-      name: clientName,
-      ts: Date.now()
-    })
-  ).toString("base64url");
-  event.node.res.statusCode = 201;
-  return {
-    client_id: clientId,
-    client_name: clientName,
-    redirect_uris: redirectUris,
-    token_endpoint_auth_method: "none",
-    grant_types: ["authorization_code", "refresh_token"],
-    response_types: ["code"]
-  };
+	setResponseHeader(event, "Content-Type", "application/json");
+	let body;
+	try {
+		body = await readBody(event);
+	} catch {
+		event.node.res.statusCode = 400;
+		return {
+			error: "invalid_request",
+			error_description: "Invalid JSON body"
+		};
+	}
+	const clientName = body.client_name || "MCP Client";
+	const redirectUris = body.redirect_uris || [];
+	const clientId = Buffer.from(JSON.stringify({
+		name: clientName,
+		ts: Date.now()
+	})).toString("base64url");
+	event.node.res.statusCode = 201;
+	return {
+		client_id: clientId,
+		client_name: clientName,
+		redirect_uris: redirectUris,
+		token_endpoint_auth_method: "none",
+		grant_types: ["authorization_code", "refresh_token"],
+		response_types: ["code"]
+	};
 });
+/**
+* Authorization endpoint - shows login form
+* GET /authorize
+*/
 const authorizeGetHandler = defineEventHandler((event) => {
-  const query = getQuery(event);
-  query.client_id;
-  const redirectUri = query.redirect_uri;
-  const state = query.state;
-  const codeChallenge = query.code_challenge;
-  const codeChallengeMethod = query.code_challenge_method;
-  query.scope;
-  if (!redirectUri) {
-    setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
-    event.node.res.statusCode = 400;
-    return renderErrorPage("Missing required parameter: redirect_uri");
-  }
-  if (!codeChallenge) {
-    const errorUrl = new URL(redirectUri);
-    errorUrl.searchParams.set("error", "invalid_request");
-    errorUrl.searchParams.set("error_description", "code_challenge is required");
-    if (state) errorUrl.searchParams.set("state", state);
-    return sendRedirect(event, errorUrl.toString());
-  }
-  if (codeChallengeMethod && codeChallengeMethod !== "S256") {
-    const errorUrl = new URL(redirectUri);
-    errorUrl.searchParams.set("error", "invalid_request");
-    errorUrl.searchParams.set("error_description", "Only S256 code_challenge_method is supported");
-    if (state) errorUrl.searchParams.set("state", state);
-    return sendRedirect(event, errorUrl.toString());
-  }
-  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
-  return renderLoginForm({
-    redirectUri,
-    state,
-    codeChallenge,
-    codeChallengeMethod: codeChallengeMethod || "S256"
-  });
+	const query = getQuery(event);
+	const clientId = query.client_id;
+	const redirectUri = query.redirect_uri;
+	const state = query.state;
+	const codeChallenge = query.code_challenge;
+	const codeChallengeMethod = query.code_challenge_method;
+	const scope = query.scope;
+	if (!redirectUri) {
+		setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+		event.node.res.statusCode = 400;
+		return renderErrorPage("Missing required parameter: redirect_uri");
+	}
+	if (!codeChallenge) {
+		const errorUrl = new URL(redirectUri);
+		errorUrl.searchParams.set("error", "invalid_request");
+		errorUrl.searchParams.set("error_description", "code_challenge is required");
+		if (state) errorUrl.searchParams.set("state", state);
+		return sendRedirect(event, errorUrl.toString());
+	}
+	if (codeChallengeMethod && codeChallengeMethod !== "S256") {
+		const errorUrl = new URL(redirectUri);
+		errorUrl.searchParams.set("error", "invalid_request");
+		errorUrl.searchParams.set("error_description", "Only S256 code_challenge_method is supported");
+		if (state) errorUrl.searchParams.set("state", state);
+		return sendRedirect(event, errorUrl.toString());
+	}
+	setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+	return renderLoginForm({
+		clientId,
+		redirectUri,
+		state,
+		codeChallenge,
+		codeChallengeMethod: codeChallengeMethod || "S256",
+		scope
+	});
 });
+/**
+* Authorization endpoint - process login
+* POST /authorize
+*/
 const authorizePostHandler = defineEventHandler(async (event) => {
-  const body = await readBody(event);
-  const { orgId, apiToken, userId, redirectUri, state, codeChallenge, codeChallengeMethod } = body;
-  if (!redirectUri) {
-    setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
-    event.node.res.statusCode = 400;
-    return renderErrorPage("Missing redirect_uri parameter");
-  }
-  try {
-    const uri = new URL(redirectUri);
-    const isLocalhost = uri.hostname === "localhost" || uri.hostname === "127.0.0.1";
-    const isHttps = uri.protocol === "https:";
-    if (!isLocalhost && !isHttps) {
-      event.node.res.statusCode = 400;
-      return renderErrorPage("redirect_uri must be HTTPS or localhost");
-    }
-  } catch {
-    event.node.res.statusCode = 400;
-    return renderErrorPage("Invalid redirect_uri format");
-  }
-  if (!orgId || !apiToken) {
-    setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
-    return renderLoginForm({
-      redirectUri,
-      state,
-      codeChallenge,
-      codeChallengeMethod,
-      error: "Organization ID and API Token are required"
-    });
-  }
-  const code = createAuthCode({
-    orgId,
-    apiToken,
-    userId: userId || void 0,
-    codeChallenge,
-    codeChallengeMethod: codeChallengeMethod || "S256"
-  });
-  const redirectUrl = new URL(redirectUri);
-  redirectUrl.searchParams.set("code", code);
-  if (state) {
-    redirectUrl.searchParams.set("state", state);
-  }
-  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
-  return renderSuccessPage(redirectUrl.toString());
+	const { orgId, apiToken, userId, redirectUri, state, codeChallenge, codeChallengeMethod } = await readBody(event);
+	if (!redirectUri) {
+		setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+		event.node.res.statusCode = 400;
+		return renderErrorPage("Missing redirect_uri parameter");
+	}
+	try {
+		const uri = new URL(redirectUri);
+		const isLocalhost = uri.hostname === "localhost" || uri.hostname === "127.0.0.1";
+		const isHttps = uri.protocol === "https:";
+		if (!isLocalhost && !isHttps) {
+			event.node.res.statusCode = 400;
+			return renderErrorPage("redirect_uri must be HTTPS or localhost");
+		}
+	} catch {
+		event.node.res.statusCode = 400;
+		return renderErrorPage("Invalid redirect_uri format");
+	}
+	if (!orgId || !apiToken) {
+		setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+		return renderLoginForm({
+			redirectUri,
+			state,
+			codeChallenge,
+			codeChallengeMethod,
+			error: "Organization ID and API Token are required"
+		});
+	}
+	const code = createAuthCode({
+		orgId,
+		apiToken,
+		userId: userId || void 0,
+		codeChallenge,
+		codeChallengeMethod: codeChallengeMethod || "S256"
+	});
+	const redirectUrl = new URL(redirectUri);
+	redirectUrl.searchParams.set("code", code);
+	if (state) redirectUrl.searchParams.set("state", state);
+	setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+	return renderSuccessPage(redirectUrl.toString());
 });
+/**
+* Token endpoint - exchange code for access token
+* POST /token
+*
+* Supports:
+* - authorization_code grant (with PKCE validation)
+* - refresh_token grant
+*/
 const tokenHandler = defineEventHandler(async (event) => {
-  setResponseHeader(event, "Content-Type", "application/json");
-  let body;
-  const contentType = event.node.req.headers["content-type"] || "";
-  if (contentType.includes("application/x-www-form-urlencoded")) {
-    const rawBody = await readBody(event);
-    if (typeof rawBody === "string") {
-      body = Object.fromEntries(new URLSearchParams(rawBody));
-    } else {
-      body = rawBody;
-    }
-  } else {
-    body = await readBody(event);
-  }
-  const { grant_type, code, code_verifier, refresh_token } = body;
-  if (grant_type === "refresh_token") {
-    return handleRefreshToken(event, refresh_token);
-  }
-  if (grant_type !== "authorization_code") {
-    event.node.res.statusCode = 400;
-    return {
-      error: "unsupported_grant_type",
-      error_description: "Supported grant types: authorization_code, refresh_token"
-    };
-  }
-  if (!code) {
-    event.node.res.statusCode = 400;
-    return {
-      error: "invalid_request",
-      error_description: "Missing authorization code"
-    };
-  }
-  if (!code_verifier) {
-    event.node.res.statusCode = 400;
-    return {
-      error: "invalid_request",
-      error_description: "Missing code_verifier (PKCE required)"
-    };
-  }
-  try {
-    const payload = decodeAuthCode(code);
-    if (payload.codeChallenge) {
-      const expectedChallenge = createS256Challenge(code_verifier);
-      if (expectedChallenge !== payload.codeChallenge) {
-        event.node.res.statusCode = 400;
-        return {
-          error: "invalid_grant",
-          error_description: "Invalid code_verifier"
-        };
-      }
-    }
-    const accessToken = createAuthToken({
-      organizationId: payload.orgId,
-      apiToken: payload.apiToken,
-      userId: payload.userId
-    });
-    const refreshToken = createAuthCode(
-      {
-        orgId: payload.orgId,
-        apiToken: payload.apiToken,
-        userId: payload.userId
-      },
-      86400 * 30
-      // 30 days
-    );
-    return {
-      access_token: accessToken,
-      token_type: "Bearer",
-      expires_in: 3600,
-      // 1 hour (access tokens should be short-lived)
-      refresh_token: refreshToken
-    };
-  } catch (error) {
-    event.node.res.statusCode = 400;
-    return {
-      error: "invalid_grant",
-      error_description: error instanceof Error ? error.message : "Invalid authorization code"
-    };
-  }
+	setResponseHeader(event, "Content-Type", "application/json");
+	let body;
+	if ((event.node.req.headers["content-type"] || "").includes("application/x-www-form-urlencoded")) {
+		const rawBody = await readBody(event);
+		if (typeof rawBody === "string") body = Object.fromEntries(new URLSearchParams(rawBody));
+		else body = rawBody;
+	} else body = await readBody(event);
+	const { grant_type, code, code_verifier, refresh_token } = body;
+	if (grant_type === "refresh_token") return handleRefreshToken(event, refresh_token);
+	if (grant_type !== "authorization_code") {
+		event.node.res.statusCode = 400;
+		return {
+			error: "unsupported_grant_type",
+			error_description: "Supported grant types: authorization_code, refresh_token"
+		};
+	}
+	if (!code) {
+		event.node.res.statusCode = 400;
+		return {
+			error: "invalid_request",
+			error_description: "Missing authorization code"
+		};
+	}
+	if (!code_verifier) {
+		event.node.res.statusCode = 400;
+		return {
+			error: "invalid_request",
+			error_description: "Missing code_verifier (PKCE required)"
+		};
+	}
+	try {
+		const payload = decodeAuthCode(code);
+		if (payload.codeChallenge) {
+			if (createS256Challenge(code_verifier) !== payload.codeChallenge) {
+				event.node.res.statusCode = 400;
+				return {
+					error: "invalid_grant",
+					error_description: "Invalid code_verifier"
+				};
+			}
+		}
+		return {
+			access_token: createAuthToken({
+				organizationId: payload.orgId,
+				apiToken: payload.apiToken,
+				userId: payload.userId
+			}),
+			token_type: "Bearer",
+			expires_in: 3600,
+			refresh_token: createAuthCode({
+				orgId: payload.orgId,
+				apiToken: payload.apiToken,
+				userId: payload.userId
+			}, 86400 * 30)
+		};
+	} catch (error) {
+		event.node.res.statusCode = 400;
+		return {
+			error: "invalid_grant",
+			error_description: error instanceof Error ? error.message : "Invalid authorization code"
+		};
+	}
 });
+/**
+* Handle refresh token grant
+*/
 function handleRefreshToken(event, refreshToken) {
-  if (!refreshToken) {
-    event.node.res.statusCode = 400;
-    return {
-      error: "invalid_request",
-      error_description: "Missing refresh_token"
-    };
-  }
-  try {
-    const payload = decodeAuthCode(refreshToken);
-    const accessToken = createAuthToken({
-      organizationId: payload.orgId,
-      apiToken: payload.apiToken,
-      userId: payload.userId
-    });
-    const newRefreshToken = createAuthCode(
-      {
-        orgId: payload.orgId,
-        apiToken: payload.apiToken,
-        userId: payload.userId
-      },
-      86400 * 30
-      // 30 days
-    );
-    return {
-      access_token: accessToken,
-      token_type: "Bearer",
-      expires_in: 3600,
-      refresh_token: newRefreshToken
-    };
-  } catch (error) {
-    event.node.res.statusCode = 400;
-    return {
-      error: "invalid_grant",
-      error_description: error instanceof Error ? error.message : "Invalid refresh token"
-    };
-  }
+	if (!refreshToken) {
+		event.node.res.statusCode = 400;
+		return {
+			error: "invalid_request",
+			error_description: "Missing refresh_token"
+		};
+	}
+	try {
+		const payload = decodeAuthCode(refreshToken);
+		return {
+			access_token: createAuthToken({
+				organizationId: payload.orgId,
+				apiToken: payload.apiToken,
+				userId: payload.userId
+			}),
+			token_type: "Bearer",
+			expires_in: 3600,
+			refresh_token: createAuthCode({
+				orgId: payload.orgId,
+				apiToken: payload.apiToken,
+				userId: payload.userId
+			}, 86400 * 30)
+		};
+	} catch (error) {
+		event.node.res.statusCode = 400;
+		return {
+			error: "invalid_grant",
+			error_description: error instanceof Error ? error.message : "Invalid refresh token"
+		};
+	}
 }
+/**
+* Create S256 PKCE challenge from verifier
+* SHA256(code_verifier) encoded as base64url
+*/
 function createS256Challenge(codeVerifier) {
-  return createHash("sha256").update(codeVerifier).digest("base64url");
+	return createHash("sha256").update(codeVerifier).digest("base64url");
 }
+/**
+* Render the login form HTML
+*/
 function renderLoginForm(params) {
-  const { redirectUri, state, codeChallenge, codeChallengeMethod, error } = params;
-  return `<!DOCTYPE html>
+	const { redirectUri, state, codeChallenge, codeChallengeMethod, error } = params;
+	return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
@@ -430,8 +456,11 @@ function renderLoginForm(params) {
 </body>
 </html>`;
 }
+/**
+* Render success page with auto-redirect
+*/
 function renderSuccessPage(redirectUrl) {
-  return `<!DOCTYPE html>
+	return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
@@ -536,8 +565,11 @@ function renderSuccessPage(redirectUrl) {
 </body>
 </html>`;
 }
+/**
+* Render error page
+*/
 function renderErrorPage(message) {
-  return `<!DOCTYPE html>
+	return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
@@ -578,14 +610,12 @@ function renderErrorPage(message) {
 </body>
 </html>`;
 }
+/**
+* Escape HTML special characters
+*/
 function escapeHtml(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+	return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
 }
-export {
-  authorizeGetHandler,
-  authorizePostHandler,
-  oauthMetadataHandler,
-  registerHandler,
-  tokenHandler
-};
-//# sourceMappingURL=oauth.js.map
+export { authorizeGetHandler, authorizePostHandler, oauthMetadataHandler, registerHandler, tokenHandler };
+
+//# sourceMappingURL=oauth.js.map