fa-mcp-sdk 0.4.27 → 0.4.30

package/dist/core/web/static/token-gen/script.js

@@ -5,7 +5,8 @@ let keyValuePairCount = 0;
 // ===========================
 
 const AUTH_TOKEN_KEY = 'adminAuthToken';
-let requiresBearerToken = false;
+let requiresFrontendAuth = false;
+let authMethods = []; // ['token', 'basic']
 
 // Get stored auth token from sessionStorage
 function getStoredToken () {
@@ -22,53 +23,114 @@ function clearStoredToken () {
   sessionStorage.removeItem(AUTH_TOKEN_KEY);
 }
 
-// Show token authentication modal
-function showTokenModal (errorMessage = null) {
+// Show authentication modal
+function showAuthModal (errorMessage = null) {
   const modal = document.getElementById('tokenModal');
-  const errorDiv = document.getElementById('tokenAuthError');
+
+  // Clear errors on both forms
+  const tokenError = document.getElementById('tokenAuthError');
+  const basicError = document.getElementById('basicAuthError');
+  tokenError.style.display = 'none';
+  basicError.style.display = 'none';
 
   if (errorMessage) {
-    errorDiv.innerHTML = `<strong>Error:</strong> ${errorMessage}`;
-    errorDiv.style.display = 'block';
-  } else {
-    errorDiv.style.display = 'none';
+    // Show error in the active form
+    const activeError = document.getElementById('basicAuthForm').style.display !== 'none'
+      ? basicError : tokenError;
+    activeError.innerHTML = `<strong>Error:</strong> ${errorMessage}`;
+    activeError.style.display = 'block';
   }
 
   modal.style.display = 'flex';
 }
 
-// Hide token authentication modal
-function hideTokenModal () {
+// Hide authentication modal
+function hideAuthModal () {
   const modal = document.getElementById('tokenModal');
   modal.style.display = 'none';
 }
 
-// Authenticated fetch wrapper - adds Authorization header if token auth is required
+// Setup auth tabs and forms based on available methods
+function setupAuthForms (methods) {
+  const hasToken = methods.includes('token');
+  const hasBasic = methods.includes('basic');
+
+  const tabs = document.getElementById('adminAuthTabs');
+  const tokenForm = document.getElementById('tokenAuthForm');
+  const basicForm = document.getElementById('basicAuthForm');
+
+  if (hasToken && hasBasic) {
+    // Show tabs, default to token
+    tabs.style.display = 'flex';
+    tokenForm.style.display = 'block';
+    basicForm.style.display = 'none';
+    bindAuthTabs();
+  } else if (hasBasic) {
+    // Basic only
+    tabs.style.display = 'none';
+    tokenForm.style.display = 'none';
+    basicForm.style.display = 'block';
+  } else {
+    // Token only (default)
+    tabs.style.display = 'none';
+    tokenForm.style.display = 'block';
+    basicForm.style.display = 'none';
+  }
+}
+
+// Bind tab click handlers
+function bindAuthTabs () {
+  const tabButtons = document.querySelectorAll('.admin-auth-tab');
+  const tokenForm = document.getElementById('tokenAuthForm');
+  const basicForm = document.getElementById('basicAuthForm');
+
+  tabButtons.forEach((btn) => {
+    btn.addEventListener('click', () => {
+      // Update active tab
+      tabButtons.forEach((b) => b.classList.remove('active'));
+      btn.classList.add('active');
+
+      // Hide errors
+      document.getElementById('tokenAuthError').style.display = 'none';
+      document.getElementById('basicAuthError').style.display = 'none';
+
+      // Toggle forms
+      const tab = btn.getAttribute('data-tab');
+      if (tab === 'basic') {
+        tokenForm.style.display = 'none';
+        basicForm.style.display = 'block';
+      } else {
+        tokenForm.style.display = 'block';
+        basicForm.style.display = 'none';
+      }
+    });
+  });
+}
+
+// Authenticated fetch wrapper - adds Authorization header
 async function authFetch (url, options = {}) {
   const token = getStoredToken();
 
-  if (requiresBearerToken && token) {
+  if (requiresFrontendAuth && token) {
     options.headers = {
       ...options.headers,
-      'Authorization': `Bearer ${token}`,
+      'Authorization': token,
     };
   }
 
   const response = await fetch(url, options);
 
-  // Handle 401 Unauthorized - show token modal if available
-  if (response.status === 401 && requiresBearerToken) {
+  // Handle 401 Unauthorized
+  if (response.status === 401 && requiresFrontendAuth) {
     clearStoredToken();
     const errorData = await response.json().catch(() => ({}));
     const errorMessage = errorData.error || 'Authentication failed';
 
-    // Try to show modal, but if it's not available, throw with descriptive error
     const modal = document.getElementById('tokenModal');
     if (modal) {
-      showTokenModal(errorMessage + '. Please enter a valid token.');
+      showAuthModal(errorMessage + '. Please authenticate again.');
     }
 
-    // Throw error with status code for form error handling
     const error = new Error(`401 Unauthorized: ${errorMessage}`);
     error.status = 401;
     throw error;
@@ -84,13 +146,15 @@ async function initializeAuth () {
     const response = await fetch('/admin/api/auth-config');
     const config = await response.json();
 
-    if (config.success && config.requiresBearerToken) {
-      requiresBearerToken = true;
+    if (config.success && config.requiresFrontendAuth) {
+      requiresFrontendAuth = true;
+      authMethods = config.methods || [];
+      setupAuthForms(authMethods);
 
       // Check if we have a stored token
       const storedToken = getStoredToken();
       if (!storedToken) {
-        showTokenModal();
+        showAuthModal();
         return false;
       }
 
@@ -101,13 +165,36 @@ async function initializeAuth () {
 
         if (!verifyData.success || !verifyData.isAuthenticated) {
           clearStoredToken();
-          showTokenModal('Token is invalid or expired.');
+          showAuthModal('Token is invalid or expired.');
           return false;
         }
       } catch {
         // authFetch already handles 401 and shows modal
         return false;
       }
+    } else if (config.success && config.requiresBearerToken) {
+      // Backward compat: old-style bearer-only
+      requiresFrontendAuth = true;
+      authMethods = ['token'];
+      setupAuthForms(authMethods);
+
+      const storedToken = getStoredToken();
+      if (!storedToken) {
+        showAuthModal();
+        return false;
+      }
+
+      try {
+        const verifyResponse = await authFetch('/admin/api/auth-status');
+        const verifyData = await verifyResponse.json();
+        if (!verifyData.success || !verifyData.isAuthenticated) {
+          clearStoredToken();
+          showAuthModal('Token is invalid or expired.');
+          return false;
+        }
+      } catch {
+        return false;
+      }
     }
 
     return true;
@@ -129,32 +216,81 @@ function setupTokenAuthForm () {
     const token = tokenInput.value.trim();
 
     if (!token) {
-      showTokenModal('Please enter a token.');
+      showAuthModal('Please enter a token.');
       return;
     }
 
-    // Store token and try to authenticate
-    storeToken(token);
+    // Store as Bearer token
+    storeToken(`Bearer ${token}`);
 
     try {
       const response = await authFetch('/admin/api/auth-status');
       const data = await response.json();
 
       if (data.success && data.isAuthenticated) {
-        hideTokenModal();
+        hideAuthModal();
         tokenInput.value = '';
-        // Reload auth status and initialize form
         loadAuthStatus();
         initializeForm();
       } else {
         clearStoredToken();
-        showTokenModal(data.error || 'Invalid token.');
+        showAuthModal(data.error || 'Invalid token.');
       }
     } catch (error) {
-      // Error already handled in authFetch
       if (error.message !== 'Unauthorized') {
         clearStoredToken();
-        showTokenModal('Authentication failed: ' + error.message);
+        showAuthModal('Authentication failed: ' + error.message);
+      }
+    }
+  });
+}
+
+// Handle basic authentication form submission
+function setupBasicAuthForm () {
+  const form = document.getElementById('basicAuthForm');
+  if (!form) {return;}
+
+  form.addEventListener('submit', async (e) => {
+    e.preventDefault();
+
+    const usernameInput = document.getElementById('authUsername');
+    const passwordInput = document.getElementById('authPassword');
+    const username = usernameInput.value.trim();
+    const password = passwordInput.value;
+
+    if (!username || !password) {
+      const errorDiv = document.getElementById('basicAuthError');
+      errorDiv.innerHTML = '<strong>Error:</strong> Please enter username and password.';
+      errorDiv.style.display = 'block';
+      return;
+    }
+
+    // Store as Basic auth header
+    const encoded = btoa(`${username}:${password}`);
+    storeToken(`Basic ${encoded}`);
+
+    try {
+      const response = await authFetch('/admin/api/auth-status');
+      const data = await response.json();
+
+      if (data.success && data.isAuthenticated) {
+        hideAuthModal();
+        usernameInput.value = '';
+        passwordInput.value = '';
+        loadAuthStatus();
+        initializeForm();
+      } else {
+        clearStoredToken();
+        const errorDiv = document.getElementById('basicAuthError');
+        errorDiv.innerHTML = `<strong>Error:</strong> ${data.error || 'Invalid credentials.'}`;
+        errorDiv.style.display = 'block';
+      }
+    } catch (error) {
+      if (error.status !== 401) {
+        clearStoredToken();
+        const errorDiv = document.getElementById('basicAuthError');
+        errorDiv.innerHTML = `<strong>Error:</strong> Authentication failed: ${error.message}`;
+        errorDiv.style.display = 'block';
       }
     }
   });
@@ -514,10 +650,10 @@ async function initializeForm () {
 // eslint-disable-next-line unused-imports/no-unused-vars
 async function logout () {
   try {
-    // For token-based auth, just clear the stored token
-    if (requiresBearerToken) {
+    // For frontend auth, clear the stored credentials
+    if (requiresFrontendAuth) {
       clearStoredToken();
-      showTokenModal();
+      showAuthModal();
       // Clear auth status display
       const container = document.getElementById('authStatusContainer');
       if (container) {
@@ -547,8 +683,9 @@ async function logout () {
 
 // Initialization on page load
 document.addEventListener('DOMContentLoaded', async () => {
-  // Setup token auth form handler
+  // Setup auth form handlers
   setupTokenAuthForm();
+  setupBasicAuthForm();
 
   // Initialize authentication (check if token is needed and valid)
   const authOk = await initializeAuth();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "fa-mcp-sdk",
   "productName": "FA MCP SDK",
-  "version": "0.4.27",
+  "version": "0.4.30",
   "description": "Core infrastructure and templates for building Model Context Protocol (MCP) servers with TypeScript",
   "type": "module",
   "main": "dist/core/index.js",

package/scripts/generate-jwt.js

@@ -0,0 +1,191 @@
+#!/usr/bin/env node
+/**
+ * Generate JWT token for MCP server authentication.
+ *
+ * Usage:
+ *   node scripts/generate-jwt.js -u <username> -ttl <duration> [-s <service>] [-p <params>]
+ *
+ * Options:
+ *   -u,   --username       Username (required). ENV: JWT_PAYLOAD_USERNAME
+ *   -ttl                   Token lifetime: <N>s | <N>m | <N>d | <N>y (required). ENV: JWT_TTL
+ *   -s,   --service-name   Service name (optional). ENV: JWT_PAYLOAD_SERVICE_NAME
+ *   -p,   --params         Extra payload "key=value;key=value" (optional). ENV: JWT_PAYLOAD_PARAMS
+ *
+ * The encryptKey is read from config: webServer.auth.jwtToken.encryptKey
+ */
+
+import crypto from 'crypto';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, resolve } from 'path';
+import configModule from 'config';
+
+// ── CLI argument parsing ────────────────────────────────────────────
+
+function getArg (shortFlag, longFlag) {
+  const args = process.argv.slice(2);
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === shortFlag || args[i] === longFlag) {
+      return args[i + 1] || '';
+    }
+  }
+  return undefined;
+}
+
+const username = getArg('-u', '--username') ?? process.env.JWT_PAYLOAD_USERNAME;
+const ttlRaw = getArg('-ttl', '-ttl') ?? process.env.JWT_TTL;
+const service = getArg('-s', '--service-name') ?? process.env.JWT_PAYLOAD_SERVICE_NAME;
+const paramsRaw = getArg('-p', '--params') ?? process.env.JWT_PAYLOAD_PARAMS;
+
+// ── Validation ──────────────────────────────────────────────────────
+
+if (!username || !username.trim()) {
+  console.error('Error: username is required (-u / --username or ENV JWT_PAYLOAD_USERNAME)');
+  process.exit(1);
+}
+
+if (!ttlRaw || !ttlRaw.trim()) {
+  console.error('Error: TTL is required (-ttl or ENV JWT_TTL). Format: <N>s | <N>m | <N>d | <N>y');
+  process.exit(1);
+}
+
+const ttlMatch = /^(\d+)([smdy])$/.exec(ttlRaw.trim());
+if (!ttlMatch) {
+  console.error(`Error: invalid TTL format "${ttlRaw}". Expected: <N>s | <N>m | <N>d | <N>y`);
+  process.exit(1);
+}
+
+const ttlValue = parseInt(ttlMatch[1], 10);
+const ttlUnit = ttlMatch[2];
+
+if (ttlValue <= 0) {
+  console.error('Error: TTL value must be greater than 0');
+  process.exit(1);
+}
+
+const TTL_MULTIPLIERS = { s: 1, m: 60, d: 86400, y: 31536000 };
+const liveTimeSec = ttlValue * TTL_MULTIPLIERS[ttlUnit];
+
+// ── Config ──────────────────────────────────────────────────────────
+
+let encryptKey;
+try {
+  encryptKey = configModule.get('webServer.auth.jwtToken.encryptKey');
+} catch {
+  // config key not found
+}
+
+if (!encryptKey || String(encryptKey).trim() === '' || encryptKey === '***') {
+  console.error('Error: webServer.auth.jwtToken.encryptKey is not configured or has a placeholder value.');
+  console.error('Set it in config/local.yaml or via ENV WS_TOKEN_ENCRYPT_KEY');
+  process.exit(1);
+}
+
+// ── Encryption (mirrors src/core/auth/jwt.ts) ───────────────────────
+
+const ALGORITHM = 'aes-256-ctr';
+const KEY = crypto
+  .createHash('sha256')
+  .update(String(encryptKey))
+  .digest('base64')
+  .substring(0, 32);
+
+function encrypt (text) {
+  const buffer = Buffer.from(text);
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
+  const encryptedBuf = Buffer.concat([iv, cipher.update(buffer), cipher.final()]);
+  return encryptedBuf.toString('hex');
+}
+
+// ── Auto-detect service name if checkMCPName is enabled ─────────────
+
+let effectiveService = service;
+
+if ((!effectiveService || !effectiveService.trim())) {
+  let checkMCPName = false;
+  try {
+    checkMCPName = configModule.get('webServer.auth.jwtToken.checkMCPName');
+  } catch {
+    // config key not found
+  }
+  if (checkMCPName) {
+    // 1) Try SERVICE_NAME from .env
+    if (process.env.SERVICE_NAME && process.env.SERVICE_NAME.trim()) {
+      effectiveService = process.env.SERVICE_NAME.trim();
+    } else {
+      // 2) Fallback to package.json name
+      try {
+        const __filename = fileURLToPath(import.meta.url);
+        const __dirname = dirname(__filename);
+        const pkgPath = resolve(__dirname, '..', 'package.json');
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+        if (pkg.name) {
+          effectiveService = pkg.name;
+        }
+      } catch {
+        // package.json not found or unreadable
+      }
+    }
+  }
+}
+
+// ── Build payload ───────────────────────────────────────────────────
+
+const payload = {};
+payload.user = username.trim().toLowerCase();
+
+if (effectiveService && effectiveService.trim()) {
+  payload.service = effectiveService.trim();
+}
+
+// Parse extra params: "key1=value1;key2=value2"
+if (paramsRaw && paramsRaw.trim()) {
+  const pairs = paramsRaw.trim().split(';');
+  for (const pair of pairs) {
+    const eqIdx = pair.indexOf('=');
+    if (eqIdx <= 0) {
+      console.error(`Error: invalid param format "${pair}". Expected "key=value"`);
+      process.exit(1);
+    }
+    const key = pair.substring(0, eqIdx).trim();
+    const value = pair.substring(eqIdx + 1).trim();
+    if (!key) {
+      console.error(`Error: empty key in param "${pair}"`);
+      process.exit(1);
+    }
+    payload[key] = value;
+  }
+}
+
+const expire = Date.now() + (liveTimeSec * 1000);
+payload.expire = expire;
+payload.iat = new Date().toISOString();
+
+// ── Generate token ──────────────────────────────────────────────────
+
+const token = `${expire}.${encrypt(JSON.stringify(payload))}`;
+
+console.log('');
+console.log('JWT Token generated successfully');
+console.log('─'.repeat(50));
+console.log(`  User:      ${payload.user}`);
+if (payload.service) {
+  console.log(`  Service:   ${payload.service}`);
+}
+console.log(`  TTL:       ${ttlRaw} (${liveTimeSec} seconds)`);
+console.log(`  Expires:   ${new Date(expire).toISOString()}`);
+if (Object.keys(payload).filter((k) => !['user', 'service', 'expire', 'iat'].includes(k)).length) {
+  const extra = Object.entries(payload)
+    .filter(([k]) => !['user', 'service', 'expire', 'iat'].includes(k))
+    .map(([k, v]) => `${k}=${v}`)
+    .join('; ');
+  console.log(`  Params:    ${extra}`);
+}
+console.log('─'.repeat(50));
+console.log('');
+console.log(token);
+console.log('');
+console.log('__PAYLOAD_JSON__');
+console.log(JSON.stringify({ ...payload, ttl: ttlRaw, expire_iso: new Date(expire).toISOString() }));
+console.log('__END_PAYLOAD_JSON__');