@ttoss/http-server-mcp 0.16.0 → 0.16.1

package/dist/index.mjs

@@ -2,452 +2,13 @@
 import { AsyncLocalStorage } from "node:async_hooks";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { Router } from "@ttoss/http-server";
+import { oauthVerify } from "@ttoss/http-server-oauth";
 import { z, z as z$1 } from "zod";
-import { CognitoJwtVerifier } from "@ttoss/auth-core/amazon-cognito";
-import { createHash, randomBytes } from "node:crypto";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
-//#region src/auth.ts
+//#region src/index.ts
 /** MCP lifecycle/discovery methods reachable before a client authenticates. */
 var DEFAULT_PUBLIC_METHODS = ["initialize", "tools/list"];
-/**
-* Builds the token verifier from the auth options, preferring an explicit
-* `verifyToken` and otherwise creating a `CognitoJwtVerifier`.
-*/
-var buildTokenVerifier = auth => {
-  if (auth.cognitoUserPool) {
-    const v = CognitoJwtVerifier.create({
-      tokenUse: "access",
-      ...auth.cognitoUserPool
-    });
-    return t => {
-      return v.verify(t);
-    };
-  }
-  if (auth.verifyToken) return auth.verifyToken;
-  throw new Error("McpAuthOptions requires either cognitoUserPool or verifyToken");
-};
-/** Returns true when the identity carries every required scope (or none are required). */
-var hasRequiredScopes = (requiredScopes, identity) => {
-  if (!requiredScopes?.length) return true;
-  const tokenScopes = (identity?.scope ?? "").split(" ");
-  return requiredScopes.every(s => {
-    return tokenScopes.includes(s);
-  });
-};
-/**
-* Registers the token-verification middleware (with public-method bypass and
-* RFC 9728 discovery) and, when configured, the OAuth protected-resource
-* metadata endpoint on the given router.
-*/
-var registerAuthRoutes = (router, path, auth, tokenVerifier) => {
-  const publicMethods = new Set(auth.publicMethods ?? DEFAULT_PUBLIC_METHODS);
-  const unauthorizedHeader = auth.resourceMetadataUrl ? `Bearer resource_metadata="${auth.resourceMetadataUrl}"` : "Bearer";
-  router.use(path, async (ctx, next) => {
-    const method = ctx.request.body?.method;
-    if (publicMethods.has(method ?? "")) {
-      await next();
-      return;
-    }
-    const authHeader = ctx.headers.authorization;
-    const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : "";
-    let identity;
-    try {
-      identity = await tokenVerifier(token);
-    } catch {
-      ctx.status = 401;
-      ctx.set("WWW-Authenticate", unauthorizedHeader);
-      ctx.body = "Unauthorized";
-      return;
-    }
-    if (!hasRequiredScopes(auth.requiredScopes, identity)) {
-      ctx.status = 403;
-      ctx.body = "Forbidden";
-      return;
-    }
-    ctx.state.identity = identity;
-    await next();
-  });
-  if (auth.resourceServerUrl && auth.authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
-    ctx.body = {
-      resource: auth.resourceServerUrl,
-      authorization_servers: [auth.authorizationServerUrl]
-    };
-  });
-};
-
-//#endregion
-//#region src/authServerHandlers.ts
-var base64UrlEncode = buffer => {
-  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-};
-/** Generates a URL-safe random token of the given byte length. */
-var generateToken = (bytes = 32) => {
-  return base64UrlEncode(randomBytes(bytes));
-};
-var sha256Base64Url = input => {
-  return base64UrlEncode(createHash("sha256").update(input).digest());
-};
-/** Verifies a PKCE `code_verifier` against a stored S256 `code_challenge`. */
-var verifyPkce = (codeVerifier, codeChallenge) => {
-  return sha256Base64Url(codeVerifier) === codeChallenge;
-};
-/** Joins an issuer base URL with a path, collapsing any duplicate slash. */
-var joinUrl = (issuer, path) => {
-  return `${issuer.replace(/\/$/, "")}${path}`;
-};
-/** Returns the value if it is a string, otherwise `undefined`. */
-var asString = value => {
-  return typeof value === "string" ? value : void 0;
-};
-var parseScopes = scope => {
-  const value = asString(scope);
-  return value ? value.split(" ").filter(Boolean) : [];
-};
-/** Writes a spec-compliant OAuth error response (RFC 6749 §5.2). */
-var sendOAuthError = (ctx, status, error, description) => {
-  ctx.status = status;
-  ctx.body = {
-    error,
-    error_description: description
-  };
-};
-var buildTokenResponse = (tokens, scopes) => {
-  return {
-    access_token: tokens.accessToken,
-    token_type: "Bearer",
-    ...(tokens.expiresIn !== void 0 ? {
-      expires_in: tokens.expiresIn
-    } : {}),
-    ...(tokens.refreshToken !== void 0 ? {
-      refresh_token: tokens.refreshToken
-    } : {}),
-    scope: tokens.scope ?? scopes.join(" ")
-  };
-};
-/**
-* Authenticates the client at the token endpoint via `client_secret_basic`
-* (Authorization header), `client_secret_post` (body), or `none` (public,
-* PKCE-only). Returns the client, or `undefined` when authentication fails.
-*/
-var authenticateClient = async (ctx, body, clientStore) => {
-  let clientId = asString(body.client_id);
-  let clientSecret = asString(body.client_secret);
-  const authHeader = ctx.headers.authorization;
-  if (authHeader?.startsWith("Basic ")) {
-    const decoded = Buffer.from(authHeader.slice(6), "base64").toString();
-    const separatorIndex = decoded.indexOf(":");
-    if (separatorIndex !== -1) {
-      clientId = decodeURIComponent(decoded.slice(0, separatorIndex));
-      clientSecret = decodeURIComponent(decoded.slice(separatorIndex + 1));
-    }
-  }
-  if (!clientId) return;
-  const client = await clientStore.get(clientId);
-  if (!client) return;
-  if (client.client_secret && client.client_secret !== clientSecret) return;
-  return client;
-};
-/** Handles `grant_type=authorization_code` token requests (with PKCE verify). */
-var handleAuthorizationCodeGrant = async (ctx, body, options) => {
-  const {
-    clientStore,
-    authCodeStore,
-    issueTokens
-  } = options;
-  const client = await authenticateClient(ctx, body, clientStore);
-  if (!client) {
-    sendOAuthError(ctx, 401, "invalid_client", "client authentication failed");
-    return;
-  }
-  const code = asString(body.code);
-  if (!code) {
-    sendOAuthError(ctx, 400, "invalid_request", "code is required");
-    return;
-  }
-  const stored = await authCodeStore.get(code);
-  await authCodeStore.delete(code);
-  if (!stored) {
-    sendOAuthError(ctx, 400, "invalid_grant", "invalid or expired authorization code");
-    return;
-  }
-  if (stored.expiresAt < Date.now()) {
-    sendOAuthError(ctx, 400, "invalid_grant", "authorization code expired");
-    return;
-  }
-  if (stored.clientId !== client.client_id) {
-    sendOAuthError(ctx, 400, "invalid_grant", "authorization code was not issued to this client");
-    return;
-  }
-  if (stored.redirectUri !== asString(body.redirect_uri)) {
-    sendOAuthError(ctx, 400, "invalid_grant", "redirect_uri mismatch");
-    return;
-  }
-  const codeVerifier = asString(body.code_verifier);
-  if (!codeVerifier) {
-    sendOAuthError(ctx, 400, "invalid_request", "code_verifier is required");
-    return;
-  }
-  if (!verifyPkce(codeVerifier, stored.codeChallenge)) {
-    sendOAuthError(ctx, 400, "invalid_grant", "PKCE verification failed");
-    return;
-  }
-  ctx.body = buildTokenResponse(await issueTokens({
-    subject: stored.subject,
-    scopes: stored.scopes,
-    client
-  }), stored.scopes);
-};
-/** Handles `grant_type=refresh_token` token requests. */
-var handleRefreshTokenGrant = async (ctx, body, options) => {
-  const {
-    clientStore,
-    issueTokens,
-    onRefreshToken
-  } = options;
-  const client = await authenticateClient(ctx, body, clientStore);
-  if (!client) {
-    sendOAuthError(ctx, 401, "invalid_client", "client authentication failed");
-    return;
-  }
-  if (!onRefreshToken) {
-    sendOAuthError(ctx, 400, "unsupported_grant_type", "refresh_token grant is not supported");
-    return;
-  }
-  const refreshToken = asString(body.refresh_token);
-  if (!refreshToken) {
-    sendOAuthError(ctx, 400, "invalid_request", "refresh_token is required");
-    return;
-  }
-  const result = await onRefreshToken({
-    refreshToken,
-    client,
-    scopes: parseScopes(body.scope)
-  });
-  if (!result) {
-    sendOAuthError(ctx, 400, "invalid_grant", "invalid refresh token");
-    return;
-  }
-  ctx.body = buildTokenResponse(await issueTokens({
-    subject: result.subject,
-    scopes: result.scopes,
-    client
-  }), result.scopes);
-};
-/**
-* Handles the authorization request after `client_id` and `redirect_uri` have
-* been validated: enforces PKCE, runs the consent hook, and issues a code.
-*/
-var handleAuthorize = async (ctx, options, redirectUri) => {
-  const {
-    clientStore,
-    authCodeStore,
-    onAuthorize
-  } = options;
-  const ttl = options.authorizationCodeTtl ?? 600;
-  const clientId = asString(ctx.query.client_id);
-  const client = await clientStore.get(clientId);
-  const state = asString(ctx.query.state);
-  const redirectError = (error, description) => {
-    const url = new URL(redirectUri);
-    url.searchParams.set("error", error);
-    url.searchParams.set("error_description", description);
-    if (state) url.searchParams.set("state", state);
-    ctx.redirect(url.toString());
-  };
-  if (asString(ctx.query.response_type) !== "code") {
-    redirectError("unsupported_response_type", "response_type must be code");
-    return;
-  }
-  const codeChallenge = asString(ctx.query.code_challenge);
-  if (!codeChallenge) {
-    redirectError("invalid_request", "code_challenge is required (PKCE)");
-    return;
-  }
-  const codeChallengeMethod = asString(ctx.query.code_challenge_method) ?? "plain";
-  if (codeChallengeMethod !== "S256") {
-    redirectError("invalid_request", "code_challenge_method must be S256");
-    return;
-  }
-  const scopes = parseScopes(ctx.query.scope);
-  const result = await onAuthorize({
-    ctx,
-    client,
-    request: {
-      clientId,
-      redirectUri,
-      scopes,
-      state,
-      codeChallenge,
-      codeChallengeMethod
-    }
-  });
-  if (!result.approved) return;
-  const grantedScopes = result.scopes ?? scopes;
-  const code = generateToken();
-  await authCodeStore.save({
-    code,
-    clientId,
-    redirectUri,
-    codeChallenge,
-    scopes: grantedScopes,
-    subject: result.subject,
-    expiresAt: Date.now() + ttl * 1e3
-  });
-  const url = new URL(redirectUri);
-  url.searchParams.set("code", code);
-  if (state) url.searchParams.set("state", state);
-  ctx.redirect(url.toString());
-};
-/** Handles Dynamic Client Registration (RFC 7591) requests. */
-var handleRegister = async (ctx, clientStore) => {
-  const metadata = ctx.request.body ?? {};
-  const redirectUris = metadata.redirect_uris;
-  if (!Array.isArray(redirectUris) || redirectUris.length === 0 || !redirectUris.every(uri => {
-    return typeof uri === "string";
-  })) {
-    sendOAuthError(ctx, 400, "invalid_redirect_uri", "redirect_uris is required and must be an array of strings");
-    return;
-  }
-  const tokenAuthMethod = asString(metadata.token_endpoint_auth_method) ?? "client_secret_basic";
-  const isPublic = tokenAuthMethod === "none";
-  const client = {
-    ...metadata,
-    client_id: generateToken(16),
-    redirect_uris: redirectUris,
-    token_endpoint_auth_method: tokenAuthMethod,
-    grant_types: metadata.grant_types ?? ["authorization_code", "refresh_token"],
-    response_types: metadata.response_types ?? ["code"],
-    client_id_issued_at: Math.floor(Date.now() / 1e3)
-  };
-  if (!isPublic) {
-    client.client_secret = generateToken(32);
-    client.client_secret_expires_at = 0;
-  }
-  await clientStore.register(client);
-  ctx.status = 201;
-  ctx.body = client;
-};
-
-//#endregion
-//#region src/authServer.ts
-/**
-* Creates transport-agnostic OAuth 2.1 Authorization Server primitives for MCP.
-*
-* Mounts the authorization endpoint (`/authorize`, PKCE S256 required), token
-* endpoint (`/token`, `authorization_code` + `refresh_token` grants), Dynamic
-* Client Registration (`/register`, RFC 7591), and AS metadata discovery
-* (`/.well-known/oauth-authorization-server`, RFC 8414). When `resource` is
-* set, it also serves the protected-resource metadata (RFC 9728).
-*
-* ttoss owns only the protocol mechanics — the app supplies its own stores,
-* token signing/verification, and login/consent UI through the option hooks, so
-* the user model, JWT/IAM, and authentication never leave the consuming app.
-*
-* @param options - Authorization server configuration and pluggable hooks.
-* @returns A Koa `Router` exposing `routes()` / `allowedMethods()`.
-*
-* @example
-* ```typescript
-* import { App, bodyParser } from '@ttoss/http-server';
-* import { createMcpAuthServer } from '@ttoss/http-server-mcp';
-*
-* const authServer = createMcpAuthServer({
-*   issuer: 'https://api.soat.dev',
-*   clientStore,
-*   authCodeStore,
-*   issueTokens: async ({ subject, scopes }) => ({
-*     accessToken: signJwt({ sub: subject, scope: scopes.join(' ') }),
-*     refreshToken: createRefreshToken(subject),
-*     expiresIn: 3600,
-*   }),
-*   onAuthorize: async ({ ctx }) => {
-*     const session = await getSession(ctx);
-*     if (!session) {
-*       ctx.redirect('/login');
-*       return { approved: false };
-*     }
-*     return { approved: true, subject: session.userId };
-*   },
-*   scopesSupported: ['mcp:access'],
-* });
-*
-* const app = new App();
-* app.use(bodyParser());
-* app.use(authServer.routes());
-* ```
-*/
-var createMcpAuthServer = options => {
-  const {
-    issuer,
-    clientStore,
-    scopesSupported,
-    resource
-  } = options;
-  const authorizePath = options.endpoints?.authorize ?? "/authorize";
-  const tokenPath = options.endpoints?.token ?? "/token";
-  const registerPath = options.endpoints?.register ?? "/register";
-  const router = new Router();
-  router.get("/.well-known/oauth-authorization-server", ctx => {
-    ctx.body = {
-      issuer,
-      authorization_endpoint: joinUrl(issuer, authorizePath),
-      token_endpoint: joinUrl(issuer, tokenPath),
-      registration_endpoint: joinUrl(issuer, registerPath),
-      response_types_supported: ["code"],
-      grant_types_supported: ["authorization_code", "refresh_token"],
-      code_challenge_methods_supported: ["S256"],
-      token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
-      ...(scopesSupported ? {
-        scopes_supported: scopesSupported
-      } : {})
-    };
-  });
-  if (resource) router.get("/.well-known/oauth-protected-resource", ctx => {
-    ctx.body = {
-      resource,
-      authorization_servers: [issuer]
-    };
-  });
-  router.get(authorizePath, async ctx => {
-    const clientId = asString(ctx.query.client_id);
-    if (!clientId) {
-      sendOAuthError(ctx, 400, "invalid_request", "client_id is required");
-      return;
-    }
-    const client = await clientStore.get(clientId);
-    if (!client) {
-      sendOAuthError(ctx, 400, "invalid_client", "unknown client_id");
-      return;
-    }
-    const redirectUri = asString(ctx.query.redirect_uri);
-    if (!redirectUri || !client.redirect_uris.includes(redirectUri)) {
-      sendOAuthError(ctx, 400, "invalid_request", "redirect_uri is missing or not registered for this client");
-      return;
-    }
-    await handleAuthorize(ctx, options, redirectUri);
-  });
-  router.post(tokenPath, async ctx => {
-    const body = ctx.request.body ?? {};
-    const grantType = asString(body.grant_type);
-    if (grantType === "authorization_code") {
-      await handleAuthorizationCodeGrant(ctx, body, options);
-      return;
-    }
-    if (grantType === "refresh_token") {
-      await handleRefreshTokenGrant(ctx, body, options);
-      return;
-    }
-    sendOAuthError(ctx, 400, "unsupported_grant_type", "grant_type must be authorization_code or refresh_token");
-  });
-  router.post(registerPath, async ctx => {
-    await handleRegister(ctx, clientStore);
-  });
-  return router;
-};
-
-//#endregion
-//#region src/index.ts
 var requestContextStore = new AsyncLocalStorage();
 /**
 * Generic HTTP helper for use inside MCP tool handlers.
@@ -627,7 +188,23 @@ var createMcpRouter = (server, options = {}) => {
     return result;
   };
   const router = new Router();
-  if (auth) registerAuthRoutes(router, path, auth, buildTokenVerifier(auth));
+  if (auth) {
+    const {
+      resourceServerUrl,
+      authorizationServerUrl,
+      ...verifyOptions
+    } = auth;
+    router.use(path, oauthVerify({
+      ...verifyOptions,
+      publicMethods: verifyOptions.publicMethods ?? DEFAULT_PUBLIC_METHODS
+    }));
+    if (resourceServerUrl && authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
+      ctx.body = {
+        resource: resourceServerUrl,
+        authorization_servers: [authorizationServerUrl]
+      };
+    });
+  }
   const handleWithContext = async (ctx, body) => {
     const apiHeaders = getApiHeaders ? getApiHeaders(ctx) : {};
     const identity = ctx.state.identity;
@@ -772,62 +349,6 @@ var registerToolFromSchema = (server, params) => {
     });
   }
 };
-/**
-* Returns the `WWW-Authenticate` header value for a 401 response on a
-* protected resource, following the MCP auth spec requirement that
-* unauthorized responses advertise the resource metadata URL so MCP
-* clients can bootstrap OAuth discovery.
-*
-* Use this in your own auth middleware when you are not using the built-in
-* `auth` option on `createMcpRouter`.
-*
-* @example
-* ```typescript
-* import { getWwwAuthenticateHeader } from '@ttoss/http-server-mcp';
-*
-* // Inside a Koa middleware
-* ctx.status = 401;
-* ctx.set('WWW-Authenticate', getWwwAuthenticateHeader({ resource: 'https://mcp.example.com' }));
-* ```
-*/
-var getWwwAuthenticateHeader = args => {
-  return `Bearer resource_metadata="${`${args.resource.replace(/\/$/, "")}/.well-known/oauth-protected-resource`}"`;
-};
-/**
-* Creates a standalone Koa middleware that serves
-* `GET /.well-known/oauth-protected-resource` (RFC 9728) without requiring
-* the built-in `auth` option on `createMcpRouter`.
-*
-* Mount this **before** your own auth middleware so the discovery endpoint
-* remains unauthenticated (MCP clients fetch it before they have a token).
-*
-* @example
-* ```typescript
-* import Koa from 'koa';
-* import { createProtectedResourceMetadataMiddleware } from '@ttoss/http-server-mcp';
-*
-* const app = new Koa();
-* app.use(
-*   createProtectedResourceMetadataMiddleware({
-*     resource: 'https://mcp.example.com',
-*     authorizationServers: ['https://api.example.com'],
-*   })
-* );
-* app.use(myOwnAuthMiddleware);
-* ```
-*/
-var createProtectedResourceMetadataMiddleware = args => {
-  return async (ctx, next) => {
-    if (ctx.method === "GET" && ctx.path === "/.well-known/oauth-protected-resource") {
-      ctx.body = {
-        resource: args.resource,
-        authorization_servers: args.authorizationServers
-      };
-      return;
-    }
-    await next();
-  };
-};
 
 //#endregion
-export { McpServer, apiCall, checkScopes, createMcpAuthServer, createMcpRouter, createProtectedResourceMetadataMiddleware, getIdentity, getWwwAuthenticateHeader, registerToolFromSchema, z };
+export { McpServer, apiCall, checkScopes, createMcpRouter, getIdentity, registerToolFromSchema, z };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/http-server-mcp",
-  "version": "0.16.0",
+  "version": "0.16.1",
   "description": "Model Context Protocol (MCP) server integration for @ttoss/http-server",
   "keywords": [
     "ai",
@@ -35,8 +35,8 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "zod": "^4.4.3",
-    "@ttoss/auth-core": "^0.6.0",
-    "@ttoss/http-server": "^0.6.1"
+    "@ttoss/http-server": "^0.7.0",
+    "@ttoss/http-server-oauth": "^0.1.1"
   },
   "devDependencies": {
     "@types/koa": "^3.0.3",