github-webhook-mcp 0.6.0 → 0.7.1

package/manifest.json

@@ -27,13 +27,14 @@
       ],
       "env": {
         "WEBHOOK_WORKER_URL": "${user_config.worker_url}",
-        "WEBHOOK_CHANNEL": "${user_config.channel_enabled}"
+        "WEBHOOK_CHANNEL": "${user_config.channel_enabled}",
+        "WEBHOOK_AUTH_TOKEN": "${user_config.auth_token}"
       }
     }
   },
   "user_config": {
     "worker_url": {
-      "description": "URL of the Cloudflare Worker endpoint (e.g. https://github-webhook-mcp.example.workers.dev)",
+      "description": "URL of the Cloudflare Worker endpoint (e.g. https://github-webhook-mcp.example.workers.dev). Authentication is handled automatically via OAuth.",
       "type": "string",
       "required": true,
       "title": "Worker URL"
@@ -44,6 +45,13 @@
       "required": false,
       "title": "Channel Notifications",
       "default": "0"
+    },
+    "auth_token": {
+      "description": "Legacy Bearer token for self-hosted workers without OAuth. Leave empty to use OAuth authentication (recommended).",
+      "type": "string",
+      "required": false,
+      "title": "Auth Token (Legacy)",
+      "default": ""
     }
   },
   "tools": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "github-webhook-mcp",
-  "version": "0.6.0",
+  "version": "0.7.1",
   "description": "MCP server bridging GitHub webhooks via Cloudflare Worker",
   "type": "module",
   "bin": {

package/server/index.js

@@ -5,6 +5,7 @@
  * Thin stdio MCP server that proxies tool calls to a remote
  * Cloudflare Worker + Durable Object backend via Streamable HTTP.
  * Optionally listens to SSE for real-time channel notifications.
+ * Authenticates via OAuth 2.1 with PKCE (localhost callback).
  *
  * Discord MCP pattern: data lives in the cloud, local MCP is a thin bridge.
  */
@@ -14,11 +15,337 @@ import {
   ListToolsRequestSchema,
   CallToolRequestSchema,
 } from "@modelcontextprotocol/sdk/types.js";
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { exec } from "node:child_process";
 
 const WORKER_URL =
   process.env.WEBHOOK_WORKER_URL ||
   "https://github-webhook-mcp.liplus.workers.dev";
 const CHANNEL_ENABLED = process.env.WEBHOOK_CHANNEL !== "0";
+// Legacy auth support: if WEBHOOK_AUTH_TOKEN is set, use Bearer token directly
+const LEGACY_AUTH_TOKEN = process.env.WEBHOOK_AUTH_TOKEN || "";
+
+// ── OAuth Token Storage ──────────────────────────────────────────────────────
+
+const TOKEN_DIR = join(homedir(), ".github-webhook-mcp");
+const TOKEN_FILE = join(TOKEN_DIR, "oauth-tokens.json");
+const CLIENT_REG_FILE = join(TOKEN_DIR, "oauth-client.json");
+
+async function loadTokens() {
+  try {
+    const data = await readFile(TOKEN_FILE, "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+
+async function saveTokens(tokens) {
+  await mkdir(TOKEN_DIR, { recursive: true });
+  await writeFile(TOKEN_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+}
+
+let _cachedTokens = null;
+
+// ── PKCE Utilities ───────────────────────────────────────────────────────────
+
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+
+// ── OAuth Discovery & Registration ───────────────────────────────────────────
+
+async function discoverOAuthMetadata() {
+  const res = await fetch(`${WORKER_URL}/.well-known/oauth-authorization-server`);
+  if (!res.ok) {
+    throw new Error(`OAuth discovery failed: ${res.status}`);
+  }
+  return await res.json();
+}
+
+async function loadClientRegistration() {
+  try {
+    const data = await readFile(CLIENT_REG_FILE, "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+
+async function saveClientRegistration(reg) {
+  await mkdir(TOKEN_DIR, { recursive: true });
+  await writeFile(CLIENT_REG_FILE, JSON.stringify(reg, null, 2), { mode: 0o600 });
+}
+
+async function ensureClientRegistration(metadata, redirectUris) {
+  const existing = await loadClientRegistration();
+  if (existing) return existing;
+
+  if (!metadata.registration_endpoint) {
+    throw new Error("OAuth server does not support dynamic client registration");
+  }
+
+  const res = await fetch(metadata.registration_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      client_name: "github-webhook-mcp-cli",
+      redirect_uris: redirectUris,
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none",
+    }),
+  });
+
+  if (!res.ok) {
+    throw new Error(`Client registration failed: ${res.status} ${await res.text()}`);
+  }
+
+  const reg = await res.json();
+  await saveClientRegistration(reg);
+  return reg;
+}
+
+// ── OAuth Localhost Callback Flow ────────────────────────────────────────────
+
+// Pending OAuth state: kept alive across tool calls so the callback server
+// can receive the authorization code even if the first tool call returns early.
+let _pendingOAuth = null;
+
+class OAuthPendingError extends Error {
+  constructor(authUrl) {
+    super("OAuth authentication required");
+    this.authUrl = authUrl;
+  }
+}
+
+function openBrowser(url) {
+  if (process.platform === "win32") {
+    // Windows `start` treats the first quoted arg as a window title.
+    // Pass an empty title so the URL is opened correctly.
+    exec(`start "" "${url}"`);
+  } else {
+    const openCmd = process.platform === "darwin" ? "open" : "xdg-open";
+    exec(`${openCmd} "${url}"`);
+  }
+}
+
+async function startOAuthFlow() {
+  const metadata = await discoverOAuthMetadata();
+
+  const callbackServer = createServer();
+  await new Promise((resolve) => {
+    callbackServer.listen(0, "127.0.0.1", () => resolve());
+  });
+  const port = callbackServer.address().port;
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+  const client = await ensureClientRegistration(metadata, [
+    redirectUri,
+    `http://localhost:${port}/callback`,
+  ]);
+
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const state = randomBytes(16).toString("hex");
+
+  const authUrl = new URL(metadata.authorization_endpoint);
+  authUrl.searchParams.set("response_type", "code");
+  authUrl.searchParams.set("client_id", client.client_id);
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("code_challenge", codeChallenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+
+  // Promise that resolves when the callback is received
+  const tokenPromise = new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      callbackServer.close();
+      _pendingOAuth = null;
+      reject(new Error("OAuth callback timed out after 5 minutes"));
+    }, 5 * 60 * 1000);
+
+    callbackServer.on("request", async (req, res) => {
+      const url = new URL(req.url || "/", `http://127.0.0.1:${port}`);
+      if (url.pathname !== "/callback") {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+
+      const code = url.searchParams.get("code");
+      const returnedState = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+
+      if (error) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end("<html><body><h1>Authorization failed</h1><p>You can close this tab.</p></body></html>");
+        clearTimeout(timeout);
+        callbackServer.close();
+        _pendingOAuth = null;
+        reject(new Error(`OAuth authorization failed: ${error}`));
+        return;
+      }
+
+      if (!code || returnedState !== state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end("<html><body><h1>Invalid callback</h1></body></html>");
+        return;
+      }
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end("<html><body><h1>Authorization successful</h1><p>You can close this tab.</p></body></html>");
+      clearTimeout(timeout);
+      callbackServer.close();
+
+      try {
+        const tokenRes = await fetch(metadata.token_endpoint, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+            client_id: client.client_id,
+            code_verifier: codeVerifier,
+          }),
+        });
+
+        if (!tokenRes.ok) {
+          _pendingOAuth = null;
+          reject(new Error(`Token exchange failed: ${tokenRes.status} ${await tokenRes.text()}`));
+          return;
+        }
+
+        const tokenData = await tokenRes.json();
+        const tokens = {
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token,
+          expires_at: tokenData.expires_in
+            ? Date.now() + tokenData.expires_in * 1000
+            : undefined,
+        };
+
+        await saveTokens(tokens);
+        _pendingOAuth = null;
+        resolve(tokens);
+      } catch (err) {
+        _pendingOAuth = null;
+        reject(err);
+      }
+    });
+  });
+
+  // Try to open the browser
+  openBrowser(authUrl.toString());
+  process.stderr.write(
+    `\n[github-webhook-mcp] Open this URL to authenticate:\n${authUrl.toString()}\n\n`,
+  );
+
+  // Store pending state so subsequent tool calls can await or re-surface the URL
+  _pendingOAuth = { authUrl: authUrl.toString(), tokenPromise };
+
+  return _pendingOAuth;
+}
+
+async function performOAuthFlow() {
+  // If an OAuth flow is already in progress, check if it completed
+  if (_pendingOAuth) {
+    // Race: either the token is ready or we return the URL again
+    const result = await Promise.race([
+      _pendingOAuth.tokenPromise,
+      new Promise((resolve) => setTimeout(() => resolve(null), 2000)),
+    ]);
+    if (result && result.access_token) return result;
+    throw new OAuthPendingError(_pendingOAuth.authUrl);
+  }
+
+  // Start a new OAuth flow
+  const pending = await startOAuthFlow();
+
+  // Wait briefly for the browser-opened flow to complete (e.g. auto-open worked)
+  const result = await Promise.race([
+    pending.tokenPromise,
+    new Promise((resolve) => setTimeout(() => resolve(null), 3000)),
+  ]);
+  if (result && result.access_token) return result;
+
+  // Browser likely didn't open or user hasn't authenticated yet — surface the URL
+  throw new OAuthPendingError(pending.authUrl);
+}
+
+async function refreshAccessToken(refreshToken) {
+  const metadata = await discoverOAuthMetadata();
+  const client = await loadClientRegistration();
+  if (!client) throw new Error("No client registration found");
+
+  const res = await fetch(metadata.token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: client.client_id,
+    }),
+  });
+
+  if (!res.ok) {
+    throw new Error(`Token refresh failed: ${res.status}`);
+  }
+
+  const data = await res.json();
+
+  const tokens = {
+    access_token: data.access_token,
+    refresh_token: data.refresh_token || refreshToken,
+    expires_at: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+  };
+
+  await saveTokens(tokens);
+  return tokens;
+}
+
+async function getAccessToken() {
+  if (LEGACY_AUTH_TOKEN) return LEGACY_AUTH_TOKEN;
+
+  if (!_cachedTokens) {
+    _cachedTokens = await loadTokens();
+  }
+
+  if (_cachedTokens) {
+    if (!_cachedTokens.expires_at || _cachedTokens.expires_at > Date.now() + 60_000) {
+      return _cachedTokens.access_token;
+    }
+
+    if (_cachedTokens.refresh_token) {
+      try {
+        _cachedTokens = await refreshAccessToken(_cachedTokens.refresh_token);
+        return _cachedTokens.access_token;
+      } catch {
+        // Refresh failed, fall through to full OAuth flow
+      }
+    }
+  }
+
+  _cachedTokens = await performOAuthFlow();
+  return _cachedTokens.access_token;
+}
+
+/** Build common headers with OAuth Bearer auth */
+async function authHeaders(extra) {
+  const h = { ...extra };
+  const token = await getAccessToken();
+  if (token) h["Authorization"] = `Bearer ${token}`;
+  return h;
+}
 
 // ── Remote MCP Session (lazy, reused) ────────────────────────────────────────
 
@@ -29,10 +356,10 @@ async function getSessionId() {
 
   const res = await fetch(`${WORKER_URL}/mcp`, {
     method: "POST",
-    headers: {
+    headers: await authHeaders({
       "Content-Type": "application/json",
       Accept: "application/json, text/event-stream",
-    },
+    }),
     body: JSON.stringify({
       jsonrpc: "2.0",
       method: "initialize",
@@ -54,11 +381,11 @@ async function callRemoteTool(name, args) {
 
   const res = await fetch(`${WORKER_URL}/mcp`, {
     method: "POST",
-    headers: {
+    headers: await authHeaders({
       "Content-Type": "application/json",
       Accept: "application/json, text/event-stream",
       "mcp-session-id": sessionId,
-    },
+    }),
     body: JSON.stringify({
       jsonrpc: "2.0",
       method: "tools/call",
@@ -67,6 +394,13 @@ async function callRemoteTool(name, args) {
     }),
   });
 
+  // 401 = token expired or revoked, re-authenticate and retry
+  if (res.status === 401) {
+    _cachedTokens = null;
+    _sessionId = null;
+    return callRemoteTool(name, args);
+  }
+
   const text = await res.text();
 
   // Streamable HTTP may return SSE format
@@ -192,6 +526,17 @@ server.setRequestHandler(CallToolRequestSchema, async (req) => {
   try {
     return await callRemoteTool(name, args ?? {});
   } catch (err) {
+    if (err instanceof OAuthPendingError) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Authentication required. Please open this URL to authorize:\n${err.authUrl}\n\nAfter authorizing in the browser, retry the tool call.`,
+          },
+        ],
+        isError: true,
+      };
+    }
     return {
       content: [{ type: "text", text: `Failed to reach worker: ${err}` }],
       isError: true,
@@ -210,7 +555,11 @@ async function connectSSE() {
     return;
   }
 
-  const es = new EventSourceImpl(`${WORKER_URL}/events`);
+  const token = await getAccessToken();
+  const sseUrl = token
+    ? `${WORKER_URL}/events?token=${encodeURIComponent(token)}`
+    : `${WORKER_URL}/events`;
+  const es = new EventSourceImpl(sseUrl);
 
   es.onmessage = (event) => {
     try {