mcp-auth-wrapper 1.0.0

package/dist/server.js

@@ -0,0 +1,268 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createApp = void 0;
+/* eslint-disable @typescript-eslint/no-deprecated -- Using low-level Server to proxy JSON Schema without Zod conversion */
+const index_js_1 = require("@modelcontextprotocol/sdk/server/index.js");
+const streamableHttp_js_1 = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+const router_js_1 = require("@modelcontextprotocol/sdk/server/auth/router.js");
+const bearerAuth_js_1 = require("@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js");
+const express_1 = __importDefault(require("express"));
+const pages_js_1 = require("./pages.js");
+const reconfigure_tool_js_1 = require("./reconfigure-tool.js");
+/** Safely extract a string from a parsed form body (may be string, array, or undefined) */
+const getString = (value) => typeof value === 'string' ? value : undefined;
+const createProxyServer = (pool, store, userId, config, baseUrl, accessToken) => {
+    const server = new index_js_1.Server({ name: 'mcp-auth-wrapper', version: '1.0.0' }, { capabilities: { tools: {}, resources: {}, prompts: {} } });
+    const envPerUser = config.envPerUser ?? [];
+    const hasParams = envPerUser.length > 0;
+    const reconfigureUrl = `${baseUrl}/reconfigure?token=${accessToken}`;
+    server.setRequestHandler(types_js_1.ListToolsRequestSchema, async () => {
+        const client = await pool.getClient(userId);
+        const result = await client.listTools();
+        if (hasParams) {
+            result.tools.push((0, reconfigure_tool_js_1.getReconfigureTool)(reconfigureUrl, envPerUser));
+        }
+        return result;
+    });
+    server.setRequestHandler(types_js_1.CallToolRequestSchema, async (request) => {
+        if (hasParams && request.params.name === reconfigure_tool_js_1.RECONFIGURE_TOOL_NAME) {
+            return (0, reconfigure_tool_js_1.handleReconfigureCall)(request.params.arguments ?? {}, {
+                store, pool, userId, envPerUser, reconfigureUrl,
+            });
+        }
+        const client = await pool.getClient(userId);
+        return client.callTool({
+            name: request.params.name,
+            arguments: request.params.arguments,
+        });
+    });
+    server.setRequestHandler(types_js_1.ListResourcesRequestSchema, async () => {
+        const client = await pool.getClient(userId);
+        return client.listResources();
+    });
+    server.setRequestHandler(types_js_1.ReadResourceRequestSchema, async (request) => {
+        const client = await pool.getClient(userId);
+        return client.readResource({
+            uri: request.params.uri,
+        });
+    });
+    server.setRequestHandler(types_js_1.ListPromptsRequestSchema, async () => {
+        const client = await pool.getClient(userId);
+        return client.listPrompts();
+    });
+    server.setRequestHandler(types_js_1.GetPromptRequestSchema, async (request) => {
+        const client = await pool.getClient(userId);
+        return client.getPrompt({
+            name: request.params.name,
+            arguments: request.params.arguments,
+        });
+    });
+    return server;
+};
+const createApp = (config, pool, provider, oidcClient, store) => {
+    const app = (0, express_1.default)();
+    const baseUrl = config.issuerUrl ?? `http://localhost:${config.port ?? 3000}`;
+    const issuerUrl = new URL(baseUrl);
+    const mcpUrl = new URL('/mcp', issuerUrl);
+    // Custom /authorize handler — accepts any client_id and redirect_uri without
+    // requiring prior registration. The SDK's built-in handler validates these against
+    // a client registry, which we don't need. PKCE is still enforced.
+    app.all('/authorize', (req, res) => {
+        const params = req.method === 'POST' ? req.body : req.query;
+        const clientId = getString(params.client_id);
+        const redirectUri = getString(params.redirect_uri);
+        const codeChallenge = getString(params.code_challenge);
+        const codeChallengeMethod = getString(params.code_challenge_method);
+        const scope = getString(params.scope);
+        const state = getString(params.state);
+        if (!clientId || !redirectUri || !codeChallenge) {
+            res.status(400).json({ error: 'invalid_request', error_description: 'Missing client_id, redirect_uri, or code_challenge' });
+            return;
+        }
+        if (codeChallengeMethod && codeChallengeMethod !== 'S256') {
+            res.status(400).json({ error: 'invalid_request', error_description: 'code_challenge_method must be S256' });
+            return;
+        }
+        const client = { client_id: clientId, redirect_uris: [redirectUri] };
+        const authParams = {
+            scopes: scope ? scope.split(' ') : [],
+            redirectUri,
+            codeChallenge,
+        };
+        if (state) {
+            authParams.state = state;
+        }
+        void provider.authorize(client, authParams, res).catch((err) => {
+            console.error('Authorize error:', err);
+            if (!res.headersSent) {
+                res.status(500).json({ error: 'server_error', error_description: 'Failed to initiate authorization. See server logs for more details.' });
+            }
+        });
+    });
+    // OAuth routes (discovery, token, register, revoke — /authorize is handled above)
+    app.use((0, router_js_1.mcpAuthRouter)({
+        provider,
+        issuerUrl,
+        baseUrl: issuerUrl,
+        resourceServerUrl: mcpUrl,
+    }));
+    // Upstream OIDC callback
+    app.get('/callback', async (req, res) => {
+        try {
+            const code = getString(req.query.code);
+            const sealedState = getString(req.query.state);
+            if (!code || !sealedState) {
+                res.status(400).send('Missing code or state parameter');
+                return;
+            }
+            const pending = provider.unsealState(sealedState);
+            if (!pending) {
+                res.status(400).send('Invalid or expired authorization session');
+                return;
+            }
+            const callbackUrl = `${baseUrl}/callback`;
+            const { userId } = await oidcClient.exchangeCode(code, callbackUrl, pending.upstreamCodeVerifier);
+            // Check if user needs params
+            const existingParams = store.getUser(userId);
+            const needsParams = config.envPerUser
+                && config.envPerUser.length > 0
+                && (!existingParams || config.envPerUser.some((p) => !existingParams[p.name]));
+            if (needsParams) {
+                // Re-seal with userId attached so /params can use it
+                pending.userId = userId;
+                const newSealedState = provider.sealState(pending);
+                res.redirect(`${baseUrl}/params?session=${newSealedState}`);
+                return;
+            }
+            // User is fully configured — if not in store yet, create empty entry
+            if (!existingParams) {
+                store.upsertUser(userId, {});
+            }
+            const { redirectUrl } = provider.completeAuthorization(pending, userId);
+            res.redirect(redirectUrl);
+        }
+        catch (err) {
+            console.error('Callback error:', err);
+            res.status(500).send('Authentication failed');
+        }
+    });
+    // Params form
+    app.get('/params', (req, res) => {
+        const sealedSession = getString(req.query.session);
+        if (!sealedSession) {
+            res.status(400).send('Missing session parameter');
+            return;
+        }
+        const pending = provider.unsealState(sealedSession);
+        if (!pending?.userId) {
+            res.status(400).send('Invalid or expired session');
+            return;
+        }
+        const existingValues = store.getUser(pending.userId);
+        res.send((0, pages_js_1.renderParamsForm)(config.envPerUser ?? [], sealedSession, existingValues));
+    });
+    app.post('/params', express_1.default.urlencoded({ extended: false }), (req, res) => {
+        const sealedSession = getString(req.body.session);
+        if (!sealedSession) {
+            res.status(400).send('Missing session parameter');
+            return;
+        }
+        const pending = provider.unsealState(sealedSession);
+        if (!pending?.userId) {
+            res.status(400).send('Invalid or expired session');
+            return;
+        }
+        const params = {};
+        for (const p of config.envPerUser ?? []) {
+            const value = getString(req.body[p.name]);
+            if (value) {
+                params[p.name] = value;
+            }
+        }
+        store.upsertUser(pending.userId, params);
+        pool.invalidateUser(pending.userId);
+        const { redirectUrl } = provider.completeAuthorization(pending, pending.userId);
+        res.redirect(redirectUrl);
+    });
+    // Reconfigure page (auth via access token in URL)
+    app.get('/reconfigure', async (req, res) => {
+        const token = getString(req.query.token);
+        if (!token) {
+            res.status(401).send('Missing token');
+            return;
+        }
+        try {
+            const authInfo = await provider.verifyAccessToken(token);
+            const userId = getString(authInfo.extra?.userId);
+            if (!userId) {
+                res.status(401).send('Missing user identity');
+                return;
+            }
+            const existingValues = store.getUser(userId) ?? {};
+            res.send((0, pages_js_1.renderReconfigurePage)(config.envPerUser ?? [], token, existingValues));
+        }
+        catch {
+            res.status(401).send('Invalid or expired token');
+        }
+    });
+    app.post('/reconfigure', express_1.default.urlencoded({ extended: false }), async (req, res) => {
+        const token = getString(req.body.token);
+        if (!token) {
+            res.status(401).send('Missing token');
+            return;
+        }
+        try {
+            const authInfo = await provider.verifyAccessToken(token);
+            const userId = getString(authInfo.extra?.userId);
+            if (!userId) {
+                res.status(401).send('Missing user identity');
+                return;
+            }
+            const params = {};
+            for (const p of config.envPerUser ?? []) {
+                const value = getString(req.body[p.name]);
+                if (value) {
+                    params[p.name] = value;
+                }
+            }
+            store.upsertUser(userId, params);
+            pool.invalidateUser(userId);
+            res.send((0, pages_js_1.renderReconfigurePage)(config.envPerUser ?? [], token, params, true));
+        }
+        catch {
+            res.status(401).send('Invalid or expired token');
+        }
+    });
+    // Protected MCP endpoint
+    const bearerAuth = (0, bearerAuth_js_1.requireBearerAuth)({
+        verifier: provider,
+        resourceMetadataUrl: (0, router_js_1.getOAuthProtectedResourceMetadataUrl)(mcpUrl),
+    });
+    app.all('/mcp', bearerAuth, async (req, res) => {
+        const userId = getString(req.auth?.extra?.userId);
+        if (!userId) {
+            res.status(401).json({ error: 'Missing user identity' });
+            return;
+        }
+        const accessToken = req.auth.token;
+        // Check if user has params configured
+        const userParams = store.getUser(userId);
+        if (!userParams) {
+            res.status(403).json({ error: 'User not configured. Please reconfigure via the reconfigure tool.' });
+            return;
+        }
+        // Stateless: fresh transport and proxy server per request (no session tracking)
+        const transport = new streamableHttp_js_1.StreamableHTTPServerTransport({
+            enableJsonResponse: true,
+        });
+        const server = createProxyServer(pool, store, userId, config, baseUrl, accessToken);
+        await server.connect(transport);
+        await transport.handleRequest(req, res);
+    });
+    return app;
+};
+exports.createApp = createApp;

package/dist/store.d.ts

@@ -0,0 +1,9 @@
+import type { WrapperConfig } from './types.js';
+export declare class Store {
+    private readonly db;
+    private readonly readOnly;
+    constructor(config: WrapperConfig);
+    getUser(userId: string): Record<string, string> | undefined;
+    upsertUser(userId: string, params: Record<string, string>): void;
+    close(): void;
+}

package/dist/store.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Store = void 0;
+const node_sqlite_1 = require("node:sqlite");
+class Store {
+    db;
+    readOnly;
+    constructor(config) {
+        const inlineUsers = typeof config.storage === 'object' ? config.storage : undefined;
+        const storagePath = typeof config.storage === 'string' ? config.storage : undefined;
+        const isFile = storagePath && storagePath !== 'memory';
+        this.db = new node_sqlite_1.DatabaseSync(isFile ? storagePath : ':memory:');
+        this.readOnly = inlineUsers !== undefined;
+        this.db.exec(`
+			CREATE TABLE IF NOT EXISTS users (
+				user_id TEXT PRIMARY KEY,
+				params TEXT NOT NULL DEFAULT '{}'
+			)
+		`);
+        if (inlineUsers) {
+            const insert = this.db.prepare('INSERT OR REPLACE INTO users (user_id, params) VALUES (?, ?)');
+            for (const [userId, params] of Object.entries(inlineUsers)) {
+                insert.run(userId, JSON.stringify(params));
+            }
+        }
+    }
+    getUser(userId) {
+        const row = this.db.prepare('SELECT params FROM users WHERE user_id = ?').get(userId);
+        if (!row) {
+            return undefined;
+        }
+        return JSON.parse(row.params);
+    }
+    upsertUser(userId, params) {
+        if (this.readOnly) {
+            throw new Error('Cannot modify users in inline storage mode');
+        }
+        this.db.prepare('INSERT INTO users (user_id, params) VALUES (?, ?) ON CONFLICT(user_id) DO UPDATE SET params = excluded.params').run(userId, JSON.stringify(params));
+    }
+    close() {
+        this.db.close();
+    }
+}
+exports.Store = Store;

package/dist/types.d.ts

@@ -0,0 +1,25 @@
+export type EnvParam = {
+    name: string;
+    label: string;
+    description?: string;
+    secret?: boolean;
+};
+export type AuthConfig = {
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    scopes?: string[];
+    userClaim?: string;
+};
+export type WrapperConfig = {
+    command: string[];
+    auth: AuthConfig;
+    /** `"memory"`, a file path for SQLite, or an inline user map (read-only). Defaults to `"memory"`. */
+    storage: string | Record<string, Record<string, string>>;
+    envBase?: Record<string, string>;
+    envPerUser?: EnvParam[];
+    port?: number;
+    host?: string;
+    issuerUrl?: string;
+    secret?: string;
+};

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "mcp-auth-wrapper",
+  "version": "1.0.0",
+  "description": "Wrap any stdio MCP server with per-user auth, exposing it as a streamable HTTP endpoint.",
+  "license": "MIT",
+  "author": "Adam Jones (domdomegg)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/domdomegg/mcp-auth-wrapper.git"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "mcp-auth-wrapper": "dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest --watch",
+    "lint": "eslint",
+    "clean": "rm -rf dist",
+    "build": "tsc --project tsconfig.build.json",
+    "prepublishOnly": "npm run clean && npm run build"
+  },
+  "devDependencies": {
+    "@tsconfig/node-lts": "^22.0.2",
+    "@types/express": "^5.0.6",
+    "eslint": "^9.32.0",
+    "eslint-config-domdomegg": "^2.0.9",
+    "tsconfig-domdomegg": "^1.0.0",
+    "typescript": "^5.8.3",
+    "vitest": "^3.2.4",
+    "zod": "^4.3.6"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "express": "^5.2.1",
+    "jose": "^6.1.3"
+  }
+}