@zereight/mcp-gitlab 1.0.75 → 2.0.0-beta.0

package/build/src/argon2wrapper.js

@@ -0,0 +1,68 @@
+import { argon2id } from '@noble/hashes/argon2';
+import { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { randomBytes } from 'crypto';
+// Default options similar to @node-rs/argon2
+const DEFAULT_OPTIONS = {
+    t: 3, // iterations
+    m: 65536, // 64MB memory
+    p: 4, // parallelism
+    maxmem: 2 ** 32 - 1
+};
+/**
+ * Hash a password using argon2id
+ */
+export async function hash(password, options) {
+    const salt = options?.salt || randomBytes(16);
+    const passwordBytes = utf8ToBytes(password);
+    const hashBytes = argon2id(passwordBytes, salt, DEFAULT_OPTIONS);
+    // Store salt and hash together for verification later
+    // Format: salt:hash (both as hex)
+    return `${bytesToHex(salt)}:${bytesToHex(hashBytes)}`;
+}
+/**
+ * Synchronous version of hash
+ */
+export function hashSync(password, options) {
+    const salt = options?.salt || randomBytes(16);
+    const passwordBytes = utf8ToBytes(password);
+    const hashBytes = argon2id(passwordBytes, salt, DEFAULT_OPTIONS);
+    // Store salt and hash together for verification later
+    // Format: salt:hash (both as hex)
+    return `${bytesToHex(salt)}:${bytesToHex(hashBytes)}`;
+}
+/**
+ * Verify a password against a hash
+ */
+export async function verify(storedHash, password, options) {
+    try {
+        // If options.salt is provided, it means we're using the old format
+        // where salt was provided separately
+        if (options?.salt) {
+            const passwordBytes = utf8ToBytes(password);
+            const hashBytes = argon2id(passwordBytes, options.salt, DEFAULT_OPTIONS);
+            const newHash = bytesToHex(hashBytes);
+            // storedHash might be just the hash part without salt prefix
+            const hashPart = storedHash.includes(':') ? storedHash.split(':')[1] : storedHash;
+            return newHash === hashPart;
+        }
+        // New format: salt:hash
+        const [saltHex, hashHex] = storedHash.split(':');
+        if (!saltHex || !hashHex) {
+            return false;
+        }
+        const salt = hexToBytes(saltHex);
+        const passwordBytes = utf8ToBytes(password);
+        const computedHashBytes = argon2id(passwordBytes, salt, DEFAULT_OPTIONS);
+        const computedHashHex = bytesToHex(computedHashBytes);
+        return computedHashHex === hashHex;
+    }
+    catch (error) {
+        return false;
+    }
+}
+// Export as default object to match @node-rs/argon2 interface
+export default {
+    hash,
+    hashSync,
+    verify
+};

package/build/src/authentication.js

@@ -0,0 +1,78 @@
+import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
+import { config } from './config.js';
+import { createGitLabOAuthProvider } from './oauth.js';
+import { logger } from './logger.js';
+/**
+ * Configure authentication middleware based on the configuration
+ * Supports OAuth2, PAT passthrough, and static PAT modes
+ */
+export async function configureAuthentication(app) {
+    // Default middleware that does nothing
+    let authMiddleware = undefined;
+    // OAuth2 mode
+    if (config.GITLAB_OAUTH2_CLIENT_ID) {
+        logger.warn("Configuring GitLab OAuth2 proxy authentication");
+        logger.warn("Please note that GitLab OAuth2 proxy authentication is not yet fully supported. Use this feature at your own risk");
+        // Create the provider
+        const provider = await createGitLabOAuthProvider();
+        // Add the callback handler route BEFORE the OAuth router
+        app.get("/callback", (req, res) => provider.handleOAuthCallback(req, res));
+        // Set up OAuth2 proxy router
+        const oauth2Router = provider.createOAuth2Router();
+        app.use(oauth2Router);
+        // Create token verifier and bearer auth middleware
+        const tokenVerifier = provider.createTokenVerifier();
+        const bearerAuthMiddleware = requireBearerAuth({
+            verifier: tokenVerifier,
+            resourceMetadataUrl: `${config.GITLAB_OAUTH2_BASE_URL}/.well-known/oauth-protected-resource`
+        });
+        authMiddleware = (req, res, next) => {
+            // Ensure GitLab-Token header is not set in OAuth2 mode
+            const gitlabToken = req.headers["gitlab-token"];
+            if (gitlabToken) {
+                res.status(401).send("Gitlab-Token header must not be set when MCP is running in OAuth2 mode");
+                return;
+            }
+            bearerAuthMiddleware(req, res, next);
+        };
+    }
+    // PAT passthrough mode
+    else if (config.GITLAB_PAT_PASSTHROUGH) {
+        logger.info("Configuring GitLab PAT passthrough authentication. Users must set the Gitlab-Token header in their requests");
+        authMiddleware = (req, res, next) => {
+            // Check the Gitlab-Token header
+            const token = req.headers["gitlab-token"];
+            if (!token) {
+                res.status(401).send("Please set a Gitlab-Token header in your request");
+                return;
+            }
+            if (typeof token !== "string") {
+                res.status(401).send("Gitlab-Token must only be set once");
+                return;
+            }
+            req.auth = {
+                token: token,
+                clientId: "!passthrough",
+                scopes: [],
+            };
+            next();
+        };
+    }
+    // Static PAT mode
+    else if (config.GITLAB_PERSONAL_ACCESS_TOKEN) {
+        logger.info("Configuring static GitLab Personal Access Token authentication");
+        const accessToken = config.GITLAB_PERSONAL_ACCESS_TOKEN;
+        authMiddleware = (req, res, next) => {
+            req.auth = {
+                token: accessToken,
+                clientId: "!global",
+                scopes: [],
+            };
+            next();
+        };
+    }
+    if (authMiddleware === undefined) {
+        throw new Error("No authMiddleware configured. This is a bug. Please report it.");
+    }
+    return authMiddleware;
+}

package/build/src/authhelpers.js

@@ -0,0 +1,44 @@
+import { config } from "./config.js";
+import { CookieJar, parse as parseCookie } from "tough-cookie";
+import fs from "fs";
+import path from "path";
+// Create cookie jar with clean Netscape file parsing
+export const createCookieJar = () => {
+    if (!config.GITLAB_AUTH_COOKIE_PATH)
+        return undefined;
+    try {
+        const cookiePath = config.GITLAB_AUTH_COOKIE_PATH.startsWith("~/")
+            ? path.join(process.env.HOME || "", config.GITLAB_AUTH_COOKIE_PATH.slice(2))
+            : config.GITLAB_AUTH_COOKIE_PATH;
+        const jar = new CookieJar();
+        const cookieContent = fs.readFileSync(cookiePath, "utf8");
+        cookieContent.split("\n").forEach(line => {
+            // Handle #HttpOnly_ prefix
+            if (line.startsWith("#HttpOnly_")) {
+                line = line.slice(10);
+            }
+            // Skip comments and empty lines
+            if (line.startsWith("#") || !line.trim()) {
+                return;
+            }
+            // Parse Netscape format: domain, flag, path, secure, expires, name, value
+            const parts = line.split("\t");
+            if (parts.length >= 7) {
+                const [domain, , path, secure, expires, name, value] = parts;
+                // Build cookie string in standard format
+                const cookieStr = `${name}=${value}; Domain=${domain}; Path=${path}${secure === "TRUE" ? "; Secure" : ""}${expires !== "0" ? `; Expires=${new Date(parseInt(expires) * 1000).toUTCString()}` : ""}`;
+                // Use tough-cookie's parse function for robust parsing
+                const cookie = parseCookie(cookieStr);
+                if (cookie) {
+                    const url = `${secure === "TRUE" ? "https" : "http"}://${domain.startsWith(".") ? domain.slice(1) : domain}`;
+                    jar.setCookieSync(cookie, url);
+                }
+            }
+        });
+        return jar;
+    }
+    catch (error) {
+        console.error("Error loading cookie file:", error);
+        return undefined;
+    }
+};

package/build/src/config.js

@@ -0,0 +1,99 @@
+export const unsafeDefaultArgon2Salt = "change-me-in-production";
+export const config = {
+    HOST: process.env.HOST || '127.0.0.1',
+    PORT: process.env.PORT || 3002,
+    SSE: process.env.SSE === "true",
+    STREAMABLE_HTTP: process.env.STREAMABLE_HTTP === "true",
+    IS_OLD: process.env.GITLAB_IS_OLD === "true",
+    GITLAB_READ_ONLY_MODE: process.env.GITLAB_READ_ONLY_MODE === "true",
+    USE_GITLAB_WIKI: process.env.USE_GITLAB_WIKI === "true",
+    USE_MILESTONE: process.env.USE_MILESTONE === "true",
+    USE_PIPELINE: process.env.USE_PIPELINE === "true",
+    // Add proxy configuration
+    HTTP_PROXY: process.env.HTTP_PROXY,
+    HTTPS_PROXY: process.env.HTTPS_PROXY,
+    NODE_TLS_REJECT_UNAUTHORIZED: process.env.NODE_TLS_REJECT_UNAUTHORIZED,
+    GITLAB_CA_CERT_PATH: process.env.GITLAB_CA_CERT_PATH,
+    // Use the normalizeGitLabApiUrl function to handle various URL formats
+    GITLAB_API_URL: normalizeGitLabApiUrl(process.env.GITLAB_API_URL || undefined),
+    GITLAB_PROJECT_ID: process.env.GITLAB_PROJECT_ID,
+    ARGON2_SALT: process.env.ARGON2_SALT || unsafeDefaultArgon2Salt,
+    // Configure cookie auth path, for gitlab instances which require it
+    // TODO: investigate the consequences of this with oauth2 and pat passthrough. should it only be used in PAT mode and not passthrough?
+    GITLAB_AUTH_COOKIE_PATH: process.env.GITLAB_AUTH_COOKIE_PATH,
+    // only one of GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_OAUTH2_CLIENT_ID, GITLAB_PAT_PASSTHROUGH
+    // Gitlab PAT configuration. use this PAT to authenticate all requests
+    GITLAB_PERSONAL_ACCESS_TOKEN: process.env.GITLAB_PERSONAL_ACCESS_TOKEN,
+    // Gitlab PAT passthrough. pass through the PRIVATE-TOKEN header to make the request to the Gitlab API
+    // should be "true" to enable
+    GITLAB_PAT_PASSTHROUGH: process.env.GITLAB_PAT_PASSTHROUGH === "true",
+    // GitLab OAuth2 configuration
+    GITLAB_OAUTH2_CLIENT_ID: process.env.GITLAB_OAUTH2_CLIENT_ID,
+    GITLAB_OAUTH2_CLIENT_SECRET: process.env.GITLAB_OAUTH2_CLIENT_SECRET,
+    GITLAB_OAUTH2_REDIRECT_URL: process.env.GITLAB_OAUTH2_REDIRECT_URL,
+    // we need a database in order for the oauth2 provider to persist clients across restarts.
+    GITLAB_OAUTH2_DB_PATH: process.env.GITLAB_OAUTH2_DB_PATH || ":memory:",
+    // base url matters for the redirect url, i think?
+    GITLAB_OAUTH2_BASE_URL: process.env.GITLAB_OAUTH2_BASE_URL, // http://localhost:3002
+    // TODO: maybe thse can be formed based off of the ISSUER_URL? im not sure... (could introduce problems if gitlab ever changes these endpoints, though i doubt they will)
+    GITLAB_OAUTH2_TOKEN_URL: process.env.GITLAB_OAUTH2_TOKEN_URL, // https://gitlab.com/oauth/token
+    GITLAB_OAUTH2_AUTHORIZATION_URL: process.env.GITLAB_OAUTH2_AUTHORIZATION_URL, // https://gitlab.com/oauth/authorize
+    GITLAB_OAUTH2_REVOCATION_URL: process.env.GITLAB_OAUTH2_REVOCATION_URL, // https://gitlab.com/oauth/revoke
+    GITLAB_OAUTH2_INTROSPECTION_URL: process.env.GITLAB_OAUTH2_INTROSPECTION_URL, // https://gitlab.com/oauth/introspect
+    GITLAB_OAUTH2_REGISTRATION_URL: process.env.GITLAB_OAUTH2_REGISTRATION_URL, // ?
+    GITLAB_OAUTH2_ISSUER_URL: process.env.GITLAB_OAUTH2_ISSUER_URL, // https://gitlab.com
+};
+export const validateConfiguration = () => {
+    // Check if using default ARGON2_SALT
+    if (config.ARGON2_SALT === unsafeDefaultArgon2Salt) {
+        console.error('\n' + '='.repeat(80));
+        console.error('⚠️  WARNING: USING DEFAULT ARGON2_SALT VALUE!');
+        console.error('='.repeat(80));
+        console.error('');
+        console.error('You are using the default ARGON2_SALT value which is INSECURE.');
+        console.error('This salt is publicly known and makes your password hashes vulnerable.');
+        console.error('');
+        console.error('Please set the ARGON2_SALT environment variable to a unique, random value:');
+        console.error('  export ARGON2_SALT="your-unique-random-salt-here"');
+        console.error('');
+        console.error('You can generate a secure salt with:');
+        console.error('  openssl rand -base64 32');
+        console.error('');
+        console.error('='.repeat(80) + '\n');
+    }
+    // check that only one of GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_OAUTH2_CLIENT_ID, GITLAB_PAT_PASSTHROUGH is set
+    const onlyOnOf = [
+        config.GITLAB_PERSONAL_ACCESS_TOKEN,
+        config.GITLAB_OAUTH2_CLIENT_ID,
+        config.GITLAB_PAT_PASSTHROUGH
+    ];
+    const countOfSet = onlyOnOf.filter(x => !!x).length;
+    const allVariableNames = "GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_OAUTH2_CLIENT_ID, GITLAB_PAT_PASSTHROUGH";
+    if (countOfSet == 0) {
+        console.error(`One of the following variables must be set: ${allVariableNames}`);
+        process.exit(1);
+    }
+    if (countOfSet > 1) {
+        console.error(`Only one of the following variables can be set: ${allVariableNames}`);
+        process.exit(1);
+    }
+};
+/**
+ * Smart URL handling for GitLab API
+ *
+ * @param {string | undefined} url - Input GitLab API URL
+ * @returns {string} Normalized GitLab API URL with /api/v4 path
+ */
+function normalizeGitLabApiUrl(url) {
+    if (!url) {
+        return "https://gitlab.com/api/v4";
+    }
+    // Remove trailing slash if present
+    let normalizedUrl = url.endsWith("/") ? url.slice(0, -1) : url;
+    // Check if URL already has /api/v4
+    if (!normalizedUrl.endsWith("/api/v4") && !normalizedUrl.endsWith("/api/v4/")) {
+        // Append /api/v4 if not already present
+        normalizedUrl = `${normalizedUrl}/api/v4`;
+    }
+    return normalizedUrl;
+}

package/build/src/customSchemas.js

@@ -0,0 +1,21 @@
+import { z } from "zod";
+import { pino } from 'pino';
+const DEFAULT_NULL = process.env.DEFAULT_NULL === "true";
+export const logger = pino({
+    level: process.env.LOG_LEVEL || 'info',
+    transport: {
+        target: 'pino-pretty',
+        options: {
+            colorize: true,
+            levelFirst: true,
+            destination: 2,
+        },
+    },
+});
+export const flexibleBoolean = z.preprocess((val) => {
+    if (typeof val === 'string') {
+        return val.toLowerCase() === 'true';
+    }
+    return val;
+}, z.boolean());
+export const flexibleBooleanNullable = DEFAULT_NULL ? flexibleBoolean.nullable().default(null) : flexibleBoolean.nullable();