ebay-mcp-remote-edition 1.0.0

package/build/auth/multi-user-store.js

@@ -0,0 +1,120 @@
+import { randomUUID } from 'crypto';
+import { CloudflareKVStore } from '../auth/kv-store.js';
+export class MultiUserAuthStore {
+    kv = new CloudflareKVStore();
+    stateKey(state) {
+        return `oauth_state:${state}`;
+    }
+    userTokenKey(userId, environment) {
+        return `user:${userId}:env:${environment}:tokens`;
+    }
+    sessionKey(sessionToken) {
+        return `session:${sessionToken}`;
+    }
+    async createOAuthState(environment, returnTo, mcpContext) {
+        const state = randomUUID();
+        const record = {
+            state,
+            environment,
+            createdAt: new Date().toISOString(),
+            returnTo,
+            ...mcpContext,
+        };
+        await this.kv.put(this.stateKey(state), record, 15 * 60);
+        return record;
+    }
+    async consumeOAuthState(state) {
+        const key = this.stateKey(state);
+        const record = await this.kv.get(key);
+        if (record) {
+            await this.kv.delete(key);
+        }
+        return record;
+    }
+    async saveUserTokens(userId, environment, tokenData) {
+        const record = {
+            userId,
+            environment,
+            tokenData,
+            updatedAt: new Date().toISOString(),
+        };
+        await this.kv.put(this.userTokenKey(userId, environment), record);
+    }
+    async getUserTokens(userId, environment) {
+        return await this.kv.get(this.userTokenKey(userId, environment));
+    }
+    async createSession(userId, environment) {
+        const sessionToken = randomUUID() + randomUUID();
+        const now = new Date().toISOString();
+        const record = {
+            sessionToken,
+            userId,
+            environment,
+            createdAt: now,
+            lastUsedAt: now,
+        };
+        await this.kv.put(this.sessionKey(sessionToken), record);
+        return record;
+    }
+    async getSession(sessionToken) {
+        return await this.kv.get(this.sessionKey(sessionToken));
+    }
+    async touchSession(sessionToken) {
+        const record = await this.getSession(sessionToken);
+        if (!record || record.revokedAt) {
+            return;
+        }
+        record.lastUsedAt = new Date().toISOString();
+        await this.kv.put(this.sessionKey(sessionToken), record);
+    }
+    async revokeSession(sessionToken) {
+        const record = await this.getSession(sessionToken);
+        if (!record) {
+            return;
+        }
+        record.revokedAt = new Date().toISOString();
+        await this.kv.put(this.sessionKey(sessionToken), record);
+    }
+    async deleteSession(sessionToken) {
+        await this.kv.delete(this.sessionKey(sessionToken));
+    }
+    // ── RFC 7591 Dynamic Client Registration ──────────────────────────────────
+    async registerClient(redirectUris, clientName) {
+        const clientId = randomUUID();
+        const record = {
+            clientId,
+            redirectUris,
+            clientName,
+            createdAt: new Date().toISOString(),
+        };
+        await this.kv.put(`client:${clientId}`, record);
+        return record;
+    }
+    async getClient(clientId) {
+        return await this.kv.get(`client:${clientId}`);
+    }
+    // ── MCP Authorization Code (short-lived, PKCE-protected) ─────────────────
+    async createAuthCode(clientId, redirectUri, codeChallenge, codeChallengeMethod, userId, environment) {
+        const code = randomUUID() + randomUUID();
+        const record = {
+            code,
+            clientId,
+            redirectUri,
+            codeChallenge,
+            codeChallengeMethod,
+            userId,
+            environment,
+            createdAt: new Date().toISOString(),
+        };
+        await this.kv.put(`auth_code:${code}`, record, 10 * 60); // 10 min TTL
+        return record;
+    }
+    async consumeAuthCode(code) {
+        const key = `auth_code:${code}`;
+        const record = await this.kv.get(key);
+        if (record) {
+            await this.kv.delete(key);
+        }
+        return record;
+    }
+}

package/build/auth/oauth-metadata.js

@@ -0,0 +1,59 @@
+/**
+ * OAuth metadata endpoints for MCP server
+ * Implements RFC 9728 Protected Resource Metadata
+ */
+import { Router as createRouter } from 'express';
+/**
+ * Create Express router with OAuth metadata endpoints
+ */
+export function createMetadataRouter(config) {
+    const router = createRouter();
+    // RFC 9728: Protected Resource Metadata endpoint
+    // Path: /.well-known/oauth-protected-resource
+    router.get('/.well-known/oauth-protected-resource', (req, res) => {
+        const authServers = typeof config.authServerMetadata === 'string'
+            ? [config.authServerMetadata]
+            : [config.authServerMetadata.issuer];
+        const metadata = {
+            resource: config.resourceServerUrl,
+            authorization_servers: authServers,
+            scopes_supported: config.scopesSupported,
+        };
+        if (config.resourceDocumentation) {
+            metadata.resource_documentation = config.resourceDocumentation;
+        }
+        res.json(metadata);
+    });
+    // Optional: Server info endpoint for debugging
+    router.get('/.well-known/mcp-server-info', (req, res) => {
+        const serverInfo = {
+            name: config.resourceName || 'MCP Resource Server',
+            version: '1.0.0',
+            resource_url: config.resourceServerUrl,
+            authorization_required: true,
+            scopes_supported: config.scopesSupported,
+            documentation: config.resourceDocumentation,
+        };
+        // Add eBay-specific information if provided
+        if (config.ebayEnvironment) {
+            serverInfo.ebay = {
+                environment: config.ebayEnvironment,
+                base_url: config.ebayEnvironment === 'production'
+                    ? 'https://api.ebay.com'
+                    : 'https://api.sandbox.ebay.com',
+                scopes: config.ebayScopes || [],
+                note: 'MCP OAuth scopes (scopes_supported) are separate from eBay API OAuth scopes (ebay.scopes)',
+            };
+        }
+        res.json(serverInfo);
+    });
+    return router;
+}
+/**
+ * Helper to get Protected Resource Metadata URL from server URL
+ */
+export function getProtectedResourceMetadataUrl(serverUrl) {
+    const url = new URL(serverUrl);
+    url.pathname = '/.well-known/oauth-protected-resource';
+    return url.toString();
+}

package/build/auth/oauth-middleware.js

@@ -0,0 +1,99 @@
+/**
+ * OAuth 2.1 middleware for Express
+ * Implements RFC 6750 Bearer Token authentication
+ */
+/**
+ * Create Bearer token authentication middleware
+ */
+export function createBearerAuthMiddleware(config) {
+    const realm = config.realm || 'mcp';
+    return async (req, res, next) => {
+        try {
+            // Extract token from Authorization header
+            const authHeader = req.headers.authorization;
+            if (!authHeader) {
+                sendUnauthorized(res, realm, config.resourceMetadataUrl, {
+                    error: 'invalid_token',
+                    error_description: 'No authorization header provided',
+                });
+                return;
+            }
+            // Check Bearer scheme
+            const parts = authHeader.split(' ');
+            if (parts.length !== 2 || parts[0] !== 'Bearer') {
+                sendUnauthorized(res, realm, config.resourceMetadataUrl, {
+                    error: 'invalid_token',
+                    error_description: 'Invalid authorization header format. Expected: Bearer <token>',
+                });
+                return;
+            }
+            const token = parts[1];
+            // Verify token
+            try {
+                const verifiedToken = await config.verifier.verifyToken(token);
+                req.auth = verifiedToken;
+                next();
+            }
+            catch (error) {
+                const errorMessage = error instanceof Error ? error.message : 'Token verification failed';
+                sendUnauthorized(res, realm, config.resourceMetadataUrl, {
+                    error: 'invalid_token',
+                    error_description: errorMessage,
+                });
+            }
+        }
+        catch (error) {
+            console.error('OAuth middleware error:', error);
+            res.status(500).json({
+                error: 'server_error',
+                error_description: 'Internal server error during authentication',
+            });
+        }
+    };
+}
+/**
+ * Send 401 Unauthorized response with RFC 6750 compliant WWW-Authenticate header
+ */
+function sendUnauthorized(res, realm, resourceMetadataUrl, challenge) {
+    // Build WWW-Authenticate header per RFC 6750
+    let authenticateValue = `Bearer realm="${realm}", resource_metadata="${resourceMetadataUrl}"`;
+    if (challenge.error) {
+        authenticateValue += `, error="${challenge.error}"`;
+    }
+    if (challenge.error_description) {
+        authenticateValue += `, error_description="${challenge.error_description}"`;
+    }
+    if (challenge.scope) {
+        authenticateValue += `, scope="${challenge.scope}"`;
+    }
+    res.setHeader('WWW-Authenticate', authenticateValue);
+    res.status(401).json({
+        error: challenge.error || 'unauthorized',
+        error_description: challenge.error_description || 'Authorization required',
+    });
+}
+/**
+ * Optional middleware to check specific scopes
+ */
+export function requireScopes(requiredScopes) {
+    return (req, res, next) => {
+        if (!req.auth) {
+            res.status(401).json({
+                error: 'unauthorized',
+                error_description: 'No authentication information found',
+            });
+            return;
+        }
+        const hasRequiredScopes = requiredScopes.every((scope) => req.auth.scopes.includes(scope));
+        if (!hasRequiredScopes) {
+            res.status(403).json({
+                error: 'insufficient_scope',
+                error_description: `Missing required scopes: ${requiredScopes.join(', ')}`,
+                required_scopes: requiredScopes,
+                provided_scopes: req.auth.scopes,
+            });
+            return;
+        }
+        next();
+    };
+}

package/build/auth/oauth-types.js

@@ -0,0 +1,4 @@
+/**
+ * OAuth 2.1 types for MCP server authorization
+ */
+export {};

package/build/auth/oauth.js

@@ -0,0 +1,235 @@
+import axios from 'axios';
+import { getBaseUrl } from '../config/environment.js';
+import { MultiUserAuthStore } from '../auth/multi-user-store.js';
+export class EbayOAuthClient {
+    config;
+    context;
+    appAccessToken = null;
+    appAccessTokenExpiry = 0;
+    userTokens = null;
+    authStore = new MultiUserAuthStore();
+    constructor(config, context) {
+        this.config = config;
+        this.context = context;
+    }
+    async initialize() {
+        if (this.context?.userId && this.context.environment) {
+            const stored = await this.authStore.getUserTokens(this.context.userId, this.context.environment);
+            if (stored?.tokenData) {
+                this.userTokens = stored.tokenData;
+                return;
+            }
+        }
+        // Fallback: load from EBAY_USER_REFRESH_TOKEN environment variable
+        const envRefreshToken = process.env.EBAY_USER_REFRESH_TOKEN;
+        if (envRefreshToken) {
+            try {
+                const authUrl = `${getBaseUrl(this.config.environment)}/identity/v1/oauth2/token`;
+                const credentials = Buffer.from(`${this.config.clientId}:${this.config.clientSecret}`).toString('base64');
+                const response = await axios.post(authUrl, new URLSearchParams({
+                    grant_type: 'refresh_token',
+                    refresh_token: envRefreshToken,
+                }).toString(), {
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                        Authorization: `Basic ${credentials}`,
+                    },
+                });
+                const tokenData = response.data;
+                const now = Date.now();
+                this.userTokens = {
+                    clientId: this.config.clientId,
+                    clientSecret: this.config.clientSecret,
+                    redirectUri: this.config.redirectUri,
+                    userAccessToken: tokenData.access_token,
+                    userRefreshToken: tokenData.refresh_token || envRefreshToken,
+                    tokenType: tokenData.token_type,
+                    userAccessTokenExpiry: now + tokenData.expires_in * 1000,
+                    userRefreshTokenExpiry: tokenData.refresh_token_expires_in
+                        ? now + tokenData.refresh_token_expires_in * 1000
+                        : now + 18 * 30 * 24 * 60 * 60 * 1000,
+                    scope: tokenData.scope,
+                };
+            }
+            catch {
+                // If refresh fails, leave userTokens as null
+            }
+        }
+    }
+    hasUserTokens() {
+        return this.userTokens !== null;
+    }
+    isUserAccessTokenExpired(tokens) {
+        return tokens.userAccessTokenExpiry ? Date.now() >= tokens.userAccessTokenExpiry : true;
+    }
+    isUserRefreshTokenExpired(tokens) {
+        return tokens.userRefreshTokenExpiry ? Date.now() >= tokens.userRefreshTokenExpiry : true;
+    }
+    async persistUserTokens() {
+        if (this.context?.userId && this.context.environment && this.userTokens) {
+            await this.authStore.saveUserTokens(this.context.userId, this.context.environment, this.userTokens);
+        }
+    }
+    async getAccessToken() {
+        if (this.userTokens) {
+            if (!this.isUserAccessTokenExpired(this.userTokens)) {
+                return this.userTokens.userAccessToken;
+            }
+            if (!this.isUserRefreshTokenExpired(this.userTokens)) {
+                await this.refreshUserToken();
+                return this.userTokens.userAccessToken;
+            }
+            throw new Error('User authorization expired. Re-authorize through browser OAuth and update your MCP connection token.');
+        }
+        if (this.appAccessToken && Date.now() < this.appAccessTokenExpiry) {
+            return this.appAccessToken;
+        }
+        await this.getOrRefreshAppAccessToken();
+        return this.appAccessToken;
+    }
+    async setUserTokens(accessToken, refreshToken, accessTokenExpiry, refreshTokenExpiry) {
+        const now = Date.now();
+        this.userTokens = {
+            clientId: this.config.clientId,
+            clientSecret: this.config.clientSecret,
+            redirectUri: this.config.redirectUri,
+            userAccessToken: accessToken,
+            userRefreshToken: refreshToken,
+            tokenType: 'Bearer',
+            userAccessTokenExpiry: accessTokenExpiry ?? now + 7200 * 1000,
+            userRefreshTokenExpiry: refreshTokenExpiry ?? now + 18 * 30 * 24 * 60 * 60 * 1000,
+        };
+        await this.persistUserTokens();
+    }
+    async getOrRefreshAppAccessToken() {
+        if (this.appAccessToken && Date.now() < this.appAccessTokenExpiry) {
+            return this.appAccessToken;
+        }
+        const authUrl = `${getBaseUrl(this.config.environment)}/identity/v1/oauth2/token`;
+        const credentials = Buffer.from(`${this.config.clientId}:${this.config.clientSecret}`).toString('base64');
+        const response = await axios.post(authUrl, new URLSearchParams({
+            grant_type: 'client_credentials',
+            scope: 'https://api.ebay.com/oauth/api_scope',
+        }).toString(), {
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Authorization: `Basic ${credentials}`,
+            },
+        });
+        this.appAccessToken = response.data.access_token;
+        this.appAccessTokenExpiry = Date.now() + (response.data.expires_in - 60) * 1000;
+        return this.appAccessToken;
+    }
+    async exchangeCodeForToken(code) {
+        if (!this.config.redirectUri) {
+            throw new Error('Redirect URI is required for authorization code exchange');
+        }
+        const tokenUrl = `${getBaseUrl(this.config.environment)}/identity/v1/oauth2/token`;
+        const credentials = Buffer.from(`${this.config.clientId}:${this.config.clientSecret}`).toString('base64');
+        try {
+            const response = await axios.post(tokenUrl, new URLSearchParams({
+                grant_type: 'authorization_code',
+                code,
+                redirect_uri: this.config.redirectUri,
+            }).toString(), {
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    Authorization: `Basic ${credentials}`,
+                },
+            });
+            const tokenData = response.data;
+            const now = Date.now();
+            this.userTokens = {
+                clientId: this.config.clientId,
+                clientSecret: this.config.clientSecret,
+                redirectUri: this.config.redirectUri,
+                userAccessToken: tokenData.access_token,
+                userRefreshToken: tokenData.refresh_token,
+                tokenType: tokenData.token_type,
+                userAccessTokenExpiry: now + tokenData.expires_in * 1000,
+                userRefreshTokenExpiry: now + tokenData.refresh_token_expires_in * 1000,
+                scope: tokenData.scope,
+            };
+            await this.persistUserTokens();
+            return tokenData;
+        }
+        catch (error) {
+            if (axios.isAxiosError(error) && error.response?.data) {
+                const data = error.response.data;
+                if (data.error_description) {
+                    throw new Error(data.error_description);
+                }
+                if (data.error) {
+                    throw new Error(data.error);
+                }
+            }
+            throw error;
+        }
+    }
+    async refreshUserToken() {
+        if (!this.userTokens) {
+            throw new Error('No user tokens available to refresh');
+        }
+        const authUrl = `${getBaseUrl(this.config.environment)}/identity/v1/oauth2/token`;
+        const credentials = Buffer.from(`${this.config.clientId}:${this.config.clientSecret}`).toString('base64');
+        const response = await axios.post(authUrl, new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: this.userTokens.userRefreshToken,
+        }).toString(), {
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Authorization: `Basic ${credentials}`,
+            },
+        });
+        const tokenData = response.data;
+        const now = Date.now();
+        this.userTokens = {
+            clientId: this.config.clientId,
+            clientSecret: this.config.clientSecret,
+            redirectUri: this.config.redirectUri,
+            userAccessToken: tokenData.access_token,
+            userRefreshToken: tokenData.refresh_token || this.userTokens.userRefreshToken,
+            tokenType: tokenData.token_type,
+            userAccessTokenExpiry: now + tokenData.expires_in * 1000,
+            userRefreshTokenExpiry: tokenData.refresh_token_expires_in
+                ? now + tokenData.refresh_token_expires_in * 1000
+                : this.userTokens.userRefreshTokenExpiry,
+            scope: tokenData.scope || this.userTokens.scope,
+        };
+        await this.persistUserTokens();
+    }
+    isAuthenticated() {
+        if (this.userTokens && !this.isUserAccessTokenExpired(this.userTokens)) {
+            return true;
+        }
+        return this.appAccessToken !== null && Date.now() < this.appAccessTokenExpiry;
+    }
+    clearAllTokens() {
+        this.appAccessToken = null;
+        this.appAccessTokenExpiry = 0;
+        this.userTokens = null;
+    }
+    getTokenInfo() {
+        const info = {
+            hasUserToken: this.userTokens !== null && !this.isUserAccessTokenExpired(this.userTokens),
+            hasAppAccessToken: this.appAccessToken !== null && Date.now() < this.appAccessTokenExpiry,
+        };
+        if (this.userTokens?.scope) {
+            const tokenScopes = this.userTokens.scope.split(' ');
+            const environmentScopes = ['https://api.ebay.com/oauth/api_scope'];
+            const tokenScopeSet = new Set(tokenScopes);
+            const missingScopes = environmentScopes.filter((scope) => !tokenScopeSet.has(scope));
+            info.scopeInfo = { tokenScopes, environmentScopes, missingScopes };
+        }
+        return info;
+    }
+    getUserTokens() {
+        return this.userTokens;
+    }
+    getCachedAppAccessToken() {
+        return this.appAccessToken;
+    }
+    getCachedAppAccessTokenExpiry() {
+        return this.appAccessTokenExpiry;
+    }
+}