delegate-sf-mcp 0.2.0

package/src/auth/oauth.js

@@ -0,0 +1,417 @@
+import express from 'express';
+import { createServer } from 'http';
+import open from 'open';
+import crypto from 'crypto';
+import { logger } from '../utils/debug.js';
+
+// Ensure fetch is available - use built-in fetch (Node.js 18+) or import node-fetch
+const getFetch = async () => {
+  if (typeof globalThis.fetch !== 'undefined') {
+    return globalThis.fetch;
+  }
+  
+  try {
+    const { default: nodeFetch } = await import('node-fetch');
+    return nodeFetch;
+  } catch (error) {
+    throw new Error('fetch is not available. Please use Node.js 18+ or install node-fetch package.');
+  }
+};
+
+export class OAuthFlow {
+  constructor(clientId, clientSecret, instanceUrl, callbackPort = null) {
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    this.instanceUrl = instanceUrl.replace(/\/$/, ''); // Remove trailing slash
+    this.callbackPort = callbackPort || this.getPreferredPort();
+    this.state = null; // Will be generated fresh for each auth attempt
+    this.stateExpiration = null;
+    this.server = null;
+    this.retryCount = 0;
+    this.maxRetries = 3;
+  }
+
+  /**
+   * Get preferred port (8080 first, then random if not available)
+   */
+  getPreferredPort() {
+    // Always try to use port 8080 first (matches most Connected App configurations)
+    return 8080;
+  }
+
+  /**
+   * Generate a random port between 8000-9000 as fallback
+   */
+  getRandomPort() {
+    return Math.floor(Math.random() * 1000) + 8000;
+  }
+
+  /**
+   * Build the OAuth authorization URL with cache busting
+   */
+  getAuthorizationUrl() {
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: this.clientId,
+      redirect_uri: `http://localhost:${this.callbackPort}/callback`,
+      scope: 'api refresh_token',
+      state: this.state,
+      prompt: 'login',
+      // Add cache busting parameter to prevent browser caching issues
+      t: Date.now().toString()
+    });
+
+    return `${this.instanceUrl}/services/oauth2/authorize?${params.toString()}`;
+  }
+
+  /**
+   * Validate state with expiration check
+   */
+  isValidState(receivedState) {
+    if (Date.now() > this.stateExpiration) {
+      logger.log('⏰ OAuth state expired');
+      return { valid: false, reason: 'State expired - authentication session timed out (10 minutes). Please start a new authentication.' };
+    }
+
+    if (receivedState !== this.state) {
+      logger.log('🚨 OAuth state mismatch:', {
+        received: receivedState?.substring(0, 16) + '...',
+        expected: this.state?.substring(0, 16) + '...'
+      });
+      return { valid: false, reason: 'Invalid state parameter - possible CSRF attack or browser cache issue' };
+    }
+
+    return { valid: true };
+  }
+
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCodeForTokens(code) {
+    const fetch = await getFetch();
+    const tokenUrl = `${this.instanceUrl}/services/oauth2/token`;
+    
+    const params = new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: this.clientId,
+      client_secret: this.clientSecret,
+      redirect_uri: `http://localhost:${this.callbackPort}/callback`,
+      code: code
+    });
+
+    try {
+      const response = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Accept': 'application/json'
+        },
+        body: params.toString()
+      });
+
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token exchange failed: ${response.status} ${error}`);
+      }
+
+      const tokens = await response.json();
+      
+      // Calculate expiration time
+      const expiresAt = tokens.expires_in 
+        ? Date.now() + (tokens.expires_in * 1000)
+        : null;
+
+      return {
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token,
+        instance_url: tokens.instance_url || this.instanceUrl,
+        expires_at: expiresAt,
+        token_type: tokens.token_type || 'Bearer'
+      };
+    } catch (error) {
+      throw new Error(`Failed to exchange authorization code: ${error.message}`);
+    }
+  }
+
+  /**
+   * Start the OAuth flow with automatic port fallback
+   */
+  async startFlow() {
+    // Clean up any existing server
+    if (this.server) {
+      try {
+        this.server.close();
+        logger.log('🧹 Closed existing OAuth server');
+      } catch (error) {
+        logger.log('⚠️ Error closing existing server:', error.message);
+      }
+    }
+    
+    // Generate fresh state for this auth attempt
+    this.state = crypto.randomBytes(32).toString('hex');
+    this.stateExpiration = Date.now() + (10 * 60 * 1000);
+    
+    logger.log(`🔐 Generated fresh OAuth state: ${this.state.substring(0, 16)}...`);
+    
+    return new Promise((resolve, reject) => {
+      const app = express();
+      let resolved = false;
+
+      // Callback endpoint
+      app.get('/callback', async (req, res) => {
+        try {
+          const { code, state, error } = req.query;
+
+          logger.log('📥 OAuth callback received:', {
+            hasCode: !!code,
+            hasState: !!state,
+            hasError: !!error,
+            receivedState: state?.substring(0, 16) + '...',
+            expectedState: this.state?.substring(0, 16) + '...',
+            statesMatch: state === this.state
+          });
+
+          if (error) {
+            const errorMsg = `OAuth error: ${error}`;
+            logger.error('❌ OAuth error received:', errorMsg);
+            res.status(400).send(`<h1>Authentication Failed</h1><p>${errorMsg}</p>`);
+            if (!resolved) {
+              resolved = true;
+              reject(new Error(errorMsg));
+            }
+            return;
+          }
+
+          if (state !== this.state) {
+            // Use enhanced state validation
+            const validation = this.isValidState(state);
+            const errorMsg = validation.reason;
+            
+            logger.error('🚨 CSRF protection triggered:', {
+              receivedState: state,
+              expectedState: this.state,
+              receivedLength: state?.length,
+              expectedLength: this.state?.length,
+              validation: validation
+            });
+            
+            res.status(400).send(`
+              <h1>🔐 Authentication Security Error</h1>
+              <p><strong>${errorMsg}</strong></p>
+              <details>
+                <summary>🔍 Debug Information (Click to expand)</summary>
+                <p><strong>Expected state:</strong> ${this.state?.substring(0, 16)}...</p>
+                <p><strong>Received state:</strong> ${state?.substring(0, 16)}...</p>
+                <p><strong>State expired:</strong> ${Date.now() > this.stateExpiration ? 'Yes' : 'No'}</p>
+                <p><strong>Time remaining:</strong> ${Math.max(0, Math.floor((this.stateExpiration - Date.now()) / 1000))} seconds</p>
+                <hr>
+                <p><strong>💡 Common causes and solutions:</strong></p>
+                <ul>
+                  <li>🔄 <strong>Browser caching:</strong> Clear browser cache and try again</li>
+                  <li>⏰ <strong>Session timeout:</strong> Authentication must complete within 10 minutes</li>
+                  <li>🔀 <strong>Multiple attempts:</strong> Only one authentication session at a time</li>
+                  <li>🔄 <strong>Server restart:</strong> Restart the MCP server and try again</li>
+                </ul>
+                <p><strong>🔧 Quick fix:</strong> Close this tab, restart the authentication, and complete it quickly.</p>
+              </details>
+              <br>
+              <button onclick="window.close()">Close Window</button>
+            `);
+            if (!resolved) {
+              resolved = true;
+              reject(new Error(errorMsg));
+            }
+            return;
+          }
+
+          if (!code) {
+            const errorMsg = 'Authorization code not received';
+            res.status(400).send(`<h1>Authentication Failed</h1><p>${errorMsg}</p>`);
+            if (!resolved) {
+              resolved = true;
+              reject(new Error(errorMsg));
+            }
+            return;
+          }
+
+          // Exchange code for tokens
+          const tokens = await this.exchangeCodeForTokens(code);
+
+          res.send(`
+            <h1>✅ Authentication Successful!</h1>
+            <p>You can now close this window and return to your terminal.</p>
+            <script>setTimeout(() => window.close(), 3000);</script>
+          `);
+
+          if (!resolved) {
+            resolved = true;
+            resolve(tokens);
+          }
+        } catch (error) {
+          res.status(500).send(`<h1>Error</h1><p>${error.message}</p>`);
+          if (!resolved) {
+            resolved = true;
+            reject(error);
+          }
+        }
+      });
+
+      // Health check endpoint
+      app.get('/health', (req, res) => {
+        res.json({ status: 'ready', port: this.callbackPort });
+      });
+
+      // Create server
+      this.server = createServer(app);
+      
+      // Try to start server with automatic port fallback
+      this.tryStartServer(this.server, this.callbackPort, resolve, reject);
+
+      // Handle server errors
+      this.server.on('error', (error) => {
+        if (error.code === 'EADDRINUSE' && !resolved) {
+          this.callbackPort = this.getRandomPort();
+          // Create new server instance for the new port
+          this.server = createServer(app);
+          this.tryStartServer(this.server, this.callbackPort, resolve, reject);
+        } else if (!resolved) {
+          resolved = true;
+          reject(new Error(`Server error: ${error.message}`));
+        }
+      });
+
+      // Timeout after 5 minutes
+      setTimeout(() => {
+        if (!resolved) {
+          resolved = true;
+          reject(new Error('OAuth flow timed out after 5 minutes'));
+        }
+      }, 5 * 60 * 1000);
+    }).finally(() => {
+      // Clean up server
+      if (this.server) {
+        this.server.close();
+      }
+    });
+  }
+
+  /**
+   * Try to start server on specified port
+   */
+  tryStartServer(server, port, resolve, reject) {
+    server.listen(port, (err) => {
+      if (err) {
+        if (err.code === 'EADDRINUSE') {
+          // Port is busy, will be handled by error event
+          return;
+        }
+        reject(new Error(`Failed to start callback server: ${err.message}`));
+        return;
+      }
+
+      
+      // Open browser for authentication (unless disabled for testing)
+      const authUrl = this.getAuthorizationUrl();
+      logger.log(`🌐 Authentication URL: ${authUrl}`);
+      
+      // Check if browser opening is disabled (for testing)
+      if (process.env.NODE_ENV !== 'test' && process.env.DISABLE_BROWSER_OPEN !== 'true') {
+        logger.log('🌐 Opening browser for authentication...');
+        open(authUrl).catch(error => {
+          logger.warn('⚠️ Failed to open browser automatically:', error.message);
+          logger.log('💡 Please open the following URL manually:', authUrl);
+        });
+      } else {
+        logger.log('🚫 Browser opening disabled (test mode or DISABLE_BROWSER_OPEN=true)');
+        logger.log('💡 If this were not a test, would open:', authUrl);
+      }
+    });
+  }
+
+  /**
+   * Refresh access token using refresh token
+   */
+  async refreshAccessToken(refreshToken) {
+    const fetch = await getFetch();
+    const tokenUrl = `${this.instanceUrl}/services/oauth2/token`;
+    
+    const params = new URLSearchParams({
+      grant_type: 'refresh_token',
+      client_id: this.clientId,
+      client_secret: this.clientSecret,
+      refresh_token: refreshToken
+    });
+
+    try {
+      const response = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Accept': 'application/json'
+        },
+        body: params.toString()
+      });
+
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token refresh failed: ${response.status} ${error}`);
+      }
+
+      const tokens = await response.json();
+      
+      // Calculate expiration time
+      const expiresAt = tokens.expires_in 
+        ? Date.now() + (tokens.expires_in * 1000)
+        : null;
+
+      return {
+        access_token: tokens.access_token,
+        expires_at: expiresAt,
+        token_type: tokens.token_type || 'Bearer'
+      };
+    } catch (error) {
+      throw new Error(`Failed to refresh access token: ${error.message}`);
+    }
+  }
+
+  /**
+   * Enhanced authentication with retry logic and state regeneration
+   */
+  async authenticateWithRetry() {
+    for (let attempt = 1; attempt <= this.maxRetries; attempt++) {
+      try {
+        logger.log(`🔄 Authentication attempt ${attempt}/${this.maxRetries}`);
+        
+        // Reset state and expiration for each attempt to avoid CSRF issues
+        this.state = crypto.randomBytes(32).toString('hex');
+        this.stateExpiration = Date.now() + (10 * 60 * 1000);
+        
+        logger.log(`   📝 New state generated: ${this.state.substring(0, 16)}...`);
+        logger.log(`   ⏰ Expires at: ${new Date(this.stateExpiration).toISOString()}`);
+        
+        const tokens = await this.startFlow();
+        logger.log('✅ Authentication successful');
+        return tokens;
+        
+      } catch (error) {
+        logger.log(`❌ Attempt ${attempt} failed:`, error.message);
+        
+        if (attempt === this.maxRetries) {
+          throw new Error(`Authentication failed after ${this.maxRetries} attempts: ${error.message}`);
+        }
+        
+        // Wait before retry (exponential backoff)
+        const waitTime = 1000 * Math.pow(2, attempt - 1);
+        logger.log(`   ⏳ Waiting ${waitTime}ms before retry...`);
+        await new Promise(resolve => setTimeout(resolve, waitTime));
+      }
+    }
+  }
+
+  /**
+   * Main authenticate method - uses retry logic by default
+   */
+  async authenticate() {
+    return this.authenticateWithRetry();
+  }
+}

package/src/auth/token-manager.js

@@ -0,0 +1,207 @@
+import { FileStorageManager } from './file-storage.js';
+import { OAuthFlow } from './oauth.js';
+import { logger } from '../utils/debug.js';
+
+// Ensure fetch is available - use built-in fetch (Node.js 18+) or import node-fetch
+const getFetch = async () => {
+  if (typeof globalThis.fetch !== 'undefined') {
+    return globalThis.fetch;
+  }
+  
+  try {
+    const { default: nodeFetch } = await import('node-fetch');
+    return nodeFetch;
+  } catch (error) {
+    throw new Error('fetch is not available. Please use Node.js 18+ or install node-fetch package.');
+  }
+};
+
+export class TokenManager {
+  constructor(clientId, clientSecret, instanceUrl) {
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    this.instanceUrl = instanceUrl;
+    this.storage = new FileStorageManager();
+    this.currentTokens = null;
+    this.refreshPromise = null; // Prevent concurrent refresh attempts
+  }
+
+  /**
+   * Initialize token manager and load existing tokens
+   */
+  async initialize() {
+    try {
+      this.currentTokens = await this.storage.getTokens();
+      if (this.currentTokens) {
+        logger.log('📋 Existing tokens loaded from storage');
+        // Check if tokens need refresh
+        if (await this.needsRefresh()) {
+          await this.refreshTokens();
+        }
+        return true;
+      } else {
+        return false;
+      }
+    } catch (error) {
+      return false;
+    }
+  }
+
+  /**
+   * Get valid access token, refreshing if necessary
+   */
+  async getValidAccessToken() {
+    // If no tokens, throw error
+    if (!this.currentTokens) {
+      throw new Error('No authentication tokens available. Please run setup first.');
+    }
+
+    // Check if token needs refresh
+    if (await this.needsRefresh()) {
+      await this.refreshTokens();
+    }
+
+    return this.currentTokens.access_token;
+  }
+
+  /**
+   * Check if token needs refresh (refresh 5 minutes before expiry)
+   */
+  async needsRefresh() {
+    if (!this.currentTokens || !this.currentTokens.expires_at) {
+      return false; // No expiry info, assume it's valid
+    }
+
+    const bufferTime = 5 * 60 * 1000; // 5 minutes in milliseconds
+    return Date.now() >= (this.currentTokens.expires_at - bufferTime);
+  }
+
+  /**
+   * Refresh access token using refresh token
+   */
+  async refreshTokens() {
+    // Prevent concurrent refresh attempts
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+
+    this.refreshPromise = this._performRefresh();
+    
+    try {
+      await this.refreshPromise;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+
+  /**
+   * Internal method to perform token refresh
+   */
+  async _performRefresh() {
+    if (!this.currentTokens || !this.currentTokens.refresh_token) {
+      throw new Error('No refresh token available. Please re-authenticate.');
+    }
+
+    try {
+      const oauth = new OAuthFlow(this.clientId, this.clientSecret, this.instanceUrl);
+      const newTokens = await oauth.refreshAccessToken(this.currentTokens.refresh_token);
+
+      // Update tokens while preserving refresh token
+      this.currentTokens = {
+        ...this.currentTokens,
+        access_token: newTokens.access_token,
+        expires_at: newTokens.expires_at,
+        updated_at: new Date().toISOString()
+      };
+
+      // Store updated tokens in file storage
+      await this.storage.storeTokens(this.currentTokens);
+      logger.log('🔄 Tokens refreshed successfully');
+      
+    } catch (error) {
+      logger.error('❌ Token refresh failed:', error.message);
+      // If refresh fails, clear tokens and require re-authentication
+      await this.clearTokens();
+      throw new Error(`Token refresh failed: ${error.message}. Please run setup again.`);
+    }
+  }
+
+  /**
+   * Perform initial OAuth flow with enhanced retry mechanism
+   */
+  async authenticateWithOAuth() {
+    try {
+      logger.log('🚀 Starting enhanced OAuth authentication...');
+      const oauth = new OAuthFlow(this.clientId, this.clientSecret, this.instanceUrl);
+      
+      // Use the enhanced authentication with retry logic
+      const tokens = await oauth.authenticateWithRetry();
+      
+      logger.log('💾 Storing tokens securely...');
+      // Store tokens securely
+      await this.storage.storeTokens(tokens);
+      this.currentTokens = tokens;
+      
+      logger.log('✅ OAuth authentication completed successfully');
+      return tokens;
+    } catch (error) {
+      logger.error('❌ OAuth authentication failed:', error.message);
+      throw error;
+    }
+  }
+
+  /**
+   * Clear all stored tokens
+   */
+  async clearTokens() {
+    await this.storage.clearTokens();
+    this.currentTokens = null;
+  }
+
+  /**
+   * Get current token info for debugging
+   */
+  getTokenInfo() {
+    if (!this.currentTokens) {
+      return { authenticated: false };
+    }
+
+    return {
+      authenticated: true,
+      instance_url: this.currentTokens.instance_url,
+      expires_at: this.currentTokens.expires_at,
+      expires_in_minutes: this.currentTokens.expires_at 
+        ? Math.round((this.currentTokens.expires_at - Date.now()) / (1000 * 60))
+        : null,
+      stored_at: this.currentTokens.stored_at,
+      updated_at: this.currentTokens.updated_at
+    };
+  }
+
+  /**
+   * Test if current tokens are valid by making a test API call
+   */
+  async testTokens() {
+    try {
+      const fetch = await getFetch();
+      const accessToken = await this.getValidAccessToken();
+      
+      // Make a simple API call to verify token validity
+      const response = await fetch(`${this.currentTokens.instance_url}/services/data/`, {
+        headers: {
+          'Authorization': `Bearer ${accessToken}`,
+          'Accept': 'application/json'
+        }
+      });
+
+      if (response.ok) {
+        const data = await response.json();
+        return { valid: true, apiVersions: data.length };
+      } else {
+        return { valid: false, error: response.status };
+      }
+    } catch (error) {
+      return { valid: false, error: error.message };
+    }
+  }
+}