mcp4openapi 0.3.0 → 0.3.1

package/dist/src/oauth-provider.d.ts

@@ -0,0 +1,131 @@
+/**
+ * OAuth 2.0 Provider Adapter
+ *
+ * Implements MCP SDK OAuthServerProvider interface to integrate with external
+ * OAuth 2.0 authorization servers (e.g., GitLab, GitHub, etc.)
+ *
+ * Architecture:
+ * - This server acts as an OAuth client to the external provider (Proxy/Gateway)
+ * - Implements "Callback Mode":
+ *   1. Client -> MCP (Authorize) -> MCP redirects to Provider (with MCP callback URL)
+ *   2. Provider -> MCP (Callback) -> MCP exchanges code for tokens
+ *   3. MCP redirects to Client (with Internal Code)
+ *   4. Client -> MCP (Token) -> MCP returns stored tokens
+ */
+import { Request, Response } from 'express';
+import type { OAuthServerProvider, AuthorizationParams } from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import type { OAuthClientInformationFull, OAuthTokens, OAuthTokenRevocationRequest } from '@modelcontextprotocol/sdk/shared/auth.js';
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import type { OAuthConfig } from './types/profile.js';
+import type { Logger } from './logger.js';
+/**
+ * In-memory store for OAuth client registrations
+ */
+export declare class InMemoryClientsStore implements OAuthRegisteredClientsStore {
+    private clients;
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    registerClient(clientMetadata: OAuthClientInformationFull): Promise<OAuthClientInformationFull>;
+}
+/**
+ * OAuth Provider Adapter for external OAuth servers
+ */
+export declare class ExternalOAuthProvider implements OAuthServerProvider {
+    private config;
+    private logger;
+    private _clientsStore;
+    private authorizationCodes;
+    private accessTokens;
+    private stateStore;
+    private endpointsInitialized;
+    private initializationPromise;
+    constructor(config: OAuthConfig, logger: Logger);
+    /**
+     * Lazy initialization of OAuth endpoints (async)
+     * Public method to allow HttpTransport to ensure initialization before client validation
+     */
+    ensureEndpointsInitialized(): Promise<void>;
+    get clientsStore(): OAuthRegisteredClientsStore;
+    get authorizationEndpoint(): string | undefined;
+    get redirectUri(): string | undefined;
+    get scopes(): string[];
+    /**
+     * Fetch OAuth Authorization Server Metadata (RFC 8414)
+     */
+    private fetchOAuthMetadata;
+    /**
+     * Resolve environment variable references in OAuth config
+     */
+    private resolveEnvVars;
+    /**
+     * Derive OAuth endpoints from issuer if needed
+     */
+    private deriveEndpointsFromIssuer;
+    /**
+     * Check if redirect URI host is allowed
+     * Prevents open redirect vulnerabilities (CWE-601)
+     */
+    private isAllowedRedirectHost;
+    /**
+     * Match hostname against allowlist entry
+     *
+     * Supports:
+     * - Exact hostnames
+     * - Wildcard subdomains (*.example.com)
+     * - IPv4 exact matches
+     * - IPv4 CIDR ranges (e.g., 10.0.0.0/8)
+     * - IPv6 exact matches
+     * - IPv6 CIDR ranges (e.g., 2001:db8::/32)
+     */
+    private matchRedirectHost;
+    /**
+     * Check if IP address is within CIDR range
+     *
+     * Example: '192.168.1.50' matches '192.168.1.0/24'
+     *          '2001:db8::1' matches '2001:db8::/32'
+     */
+    private matchCIDR;
+    /**
+     * Convert IPv4 address to 32-bit integer
+     */
+    private ipv4ToInt;
+    /**
+     * Convert IPv6 address to 128-bit BigInt
+     */
+    private ipv6ToBigInt;
+    private ipv6Mask;
+    private stripIpv6Brackets;
+    /**
+     * Begin authorization flow
+     * Stores state and redirects to External Provider with MCP Callback URI
+     */
+    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
+    /**
+     * Handle callback from External Provider
+     * Exchanges code for tokens and redirects to Client with Internal Code
+     */
+    handleCallback(req: Request, res: Response): Promise<void>;
+    /**
+     * Get code challenge for authorization code (Internal)
+     */
+    challengeForAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
+    /**
+     * Exchange authorization code for access token (Internal)
+     */
+    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, codeVerifier?: string, redirectUri?: string, resource?: URL): Promise<OAuthTokens>;
+    /**
+     * Exchange authorization code with external OAuth provider
+     */
+    private exchangeCodeWithProvider;
+    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: URL): Promise<OAuthTokens>;
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    private introspectToken;
+    revokeToken(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
+    private revokeTokenWithProvider;
+    /**
+     * Cleanup expired states, codes, and tokens
+     * Called periodically by HttpTransport
+     */
+    cleanup(): void;
+}
+//# sourceMappingURL=oauth-provider.d.ts.map

package/dist/src/oauth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../../src/oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EACV,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,mDAAmD,CAAC;AAC3D,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EACV,0BAA0B,EAC1B,WAAW,EACX,2BAA2B,EAC5B,MAAM,0CAA0C,CAAC;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAI1C;;GAEG;AACH,qBAAa,oBAAqB,YAAW,2BAA2B;IACtE,OAAO,CAAC,OAAO,CAAiD;IAE1D,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAI5E,cAAc,CAAC,cAAc,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC;CAItG;AAmCD;;GAEG;AACH,qBAAa,qBAAsB,YAAW,mBAAmB;IAC/D,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,aAAa,CAAuB;IAG5C,OAAO,CAAC,kBAAkB,CAA4C;IACtE,OAAO,CAAC,YAAY,CAAsC;IAC1D,OAAO,CAAC,UAAU,CAAyC;IAE3D,OAAO,CAAC,oBAAoB,CAAkB;IAC9C,OAAO,CAAC,qBAAqB,CAA8B;gBAE/C,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM;IAuB/C;;;OAGG;IACU,0BAA0B,IAAI,OAAO,CAAC,IAAI,CAAC;IA6DxD,IAAI,YAAY,IAAI,2BAA2B,CAE9C;IAED,IAAI,qBAAqB,IAAI,MAAM,GAAG,SAAS,CAI9C;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,SAAS,CAEpC;IAED,IAAI,MAAM,IAAI,MAAM,EAAE,CAErB;IAED;;OAEG;YACW,kBAAkB;IAwBhC;;OAEG;IACH,OAAO,CAAC,cAAc;IA8BtB;;OAEG;YACW,yBAAyB;IAyCvC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqB7B;;;;;;;;;;OAUG;IACH,OAAO,CAAC,iBAAiB;IAoBzB;;;;;OAKG;IACH,OAAO,CAAC,SAAS;IA+CjB;;OAEG;IACH,OAAO,CAAC,SAAS;IAmBjB;;OAEG;IACH,OAAO,CAAC,YAAY;IA6EpB,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,iBAAiB;IAIzB;;;OAGG;IACG,SAAS,CACb,MAAM,EAAE,0BAA0B,EAClC,MAAM,EAAE,mBAAmB,EAC3B,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,IAAI,CAAC;IAyEhB;;;OAGG;IACG,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IA8GhE;;OAEG;IACG,6BAA6B,CACjC,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,MAAM,CAAC;IAclB;;OAEG;IACG,yBAAyB,CAC7B,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,EACzB,YAAY,CAAC,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IA6DvB;;OAEG;YACW,wBAAwB;IAkDhC,oBAAoB,CACxB,MAAM,EAAE,0BAA0B,EAClC,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,MAAM,EAAE,EACjB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IA2DjB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;YAwB3C,eAAe;IAmDvB,WAAW,CACf,MAAM,EAAE,0BAA0B,EAClC,OAAO,EAAE,2BAA2B,GACnC,OAAO,CAAC,IAAI,CAAC;YAQF,uBAAuB;IA2BrC;;;OAGG;IACI,OAAO,IAAI,IAAI;CA0BvB"}