mcpico 0.1.2 → 0.2.0

package/src/discoverer.ts

@@ -2,6 +2,9 @@ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import type { TransportConfig } from "./config.js";
+import type { ResolvedUpstreamAuth } from "./auth-types.js";
+import { upstreamAuthHeaders } from "./auth.js";
+import { createClientCredentialsProvider } from "./oauth-provider.js";
 
 /**
  * Tool metadata from an upstream MCP server.
@@ -51,7 +54,8 @@ export interface DiscoveredServer {
 export async function discoverServer(
   name: string,
   transportConfig: TransportConfig,
-  connectTimeoutMs: number = 30_000
+  connectTimeoutMs: number = 30_000,
+  auth?: ResolvedUpstreamAuth
 ): Promise<DiscoveredServer> {
   let transport;
 
@@ -63,15 +67,31 @@ export async function discoverServer(
       cwd: transportConfig.cwd,
     });
   } else if (transportConfig.type === "sse") {
-    transport = new StreamableHTTPClientTransport(
-      new URL(transportConfig.url)
-    );
+    const url = new URL(transportConfig.url);
+    const opts: {
+      requestInit?: { headers: Record<string, string> };
+      authProvider?: ReturnType<typeof createClientCredentialsProvider>;
+    } = {};
+
+    if (auth) {
+      if (auth.type === "oauth") {
+        opts.authProvider = createClientCredentialsProvider(
+          auth.client_id,
+          auth.client_secret,
+          transportConfig.url
+        );
+      } else {
+        opts.requestInit = { headers: upstreamAuthHeaders(auth) };
+      }
+    }
+
+    transport = new StreamableHTTPClientTransport(url, opts);
   } else {
     throw new Error(`Unsupported transport type: ${(transportConfig as TransportConfig).type}`);
   }
 
   const client = new Client(
-    { name: `MCPico-${name}`, version: "0.1.0" },
+    { name: `MCPico-${name}`, version: "0.2.0" },
     { capabilities: {} }
   );
 

package/src/index.ts

@@ -24,7 +24,7 @@ async function main(): Promise<void> {
       configPath = args[i + 1] || configPath;
       i++;
     } else if (args[i] === "--version" || args[i] === "-v") {
-      console.log("MCPico v0.1.0");
+      console.log("MCPico v0.2.0");
       process.exit(0);
     } else if (args[i] === "--help" || args[i] === "-h") {
       console.log(`

package/src/oauth-provider.ts

@@ -0,0 +1,110 @@
+/**
+ * OAuth client_credentials provider for MCPico.
+ *
+ * Implements the MCP SDK's OAuthClientProvider interface so that
+ * StreamableHTTPClientTransport handles auth discovery, token exchange,
+ * and refresh automatically.
+ */
+import type {
+  OAuthClientProvider,
+} from "@modelcontextprotocol/sdk/client/auth.js";
+import type {
+  OAuthClientMetadata,
+  OAuthClientInformationMixed,
+  OAuthTokens,
+} from "@modelcontextprotocol/sdk/shared/auth.js";
+import { loadTokens, saveTokens, clearTokens } from "./token-store.js";
+
+/**
+ * Create an OAuthClientProvider for client_credentials grant.
+ *
+ * Uses a fixed server URL for token storage key and provides
+ * client metadata from config. The MCP SDK handles:
+ *  - RFC 9728 resource metadata discovery
+ *  - RFC 8414 authorization server metadata discovery
+ *  - Token exchange
+ *  - Token refresh via refreshAuthorization()
+ */
+export function createClientCredentialsProvider(
+  clientId: string,
+  clientSecret: string,
+  serverUrl: string,
+): OAuthClientProvider {
+  return new ClientCredentialsProvider(clientId, clientSecret, serverUrl);
+}
+
+class ClientCredentialsProvider implements OAuthClientProvider {
+  private _tokens: OAuthTokens | undefined;
+
+  constructor(
+    private clientId: string,
+    private clientSecret: string,
+    private serverUrl: string,
+  ) {
+    // Load any cached tokens on creation
+    this._tokens = loadTokens(serverUrl);
+  }
+
+  get redirectUrl(): string | URL | undefined {
+    // client_credentials is non-interactive — no redirect URL
+    return undefined;
+  }
+
+  get clientMetadata(): OAuthClientMetadata {
+    return {
+      redirect_uris: ["http://localhost:0/mcplico-callback"],
+      grant_types: ["client_credentials"],
+      client_name: "MCPico",
+    };
+  }
+
+  // Client information for token exchange
+  clientInformation(): OAuthClientInformationMixed | undefined {
+    return {
+      client_id: this.clientId,
+      client_secret: this.clientSecret,
+      client_secret_expires_at: 0, // Never expires
+    };
+  }
+
+  // Return cached tokens (or undefined for initial auth)
+  tokens(): OAuthTokens | undefined {
+    return this._tokens;
+  }
+
+  // Persist tokens after successful auth/refresh
+  saveTokens(tokens: OAuthTokens): void {
+    this._tokens = tokens;
+    saveTokens(this.serverUrl, tokens);
+  }
+
+  // No redirect needed for client_credentials
+  redirectToAuthorization(_authorizationUrl: URL): void {
+    // Non-interactive — no redirect
+  }
+
+  // PKCE not needed for client_credentials
+  saveCodeVerifier(_codeVerifier: string): void {
+    // No-op for client_credentials
+  }
+
+  codeVerifier(): string {
+    return "";
+  }
+
+  // Use client_credentials grant
+  prepareTokenRequest(
+    _scope?: string,
+  ): URLSearchParams | undefined {
+    const params = new URLSearchParams({
+      grant_type: "client_credentials",
+    });
+    return params;
+  }
+
+  // Clear tokens on invalidation
+  invalidateCredentials(_scope: "all" | "client" | "tokens" | "verifier" | "discovery"): void {
+    this._tokens = undefined;
+    clearTokens(this.serverUrl);
+  }
+}

package/src/server.ts

@@ -15,6 +15,8 @@ import { groupTools, type ToolGroup } from "./grouper.js";
 import { parseCommand } from "./parser.js";
 import { generateHelpText } from "./help.js";
 import { forwardToolCall } from "./proxy.js";
+import type { ResolvedListenAuth } from "./auth-types.js";
+import { resolveUpstreamAuth, resolveListenAuth, extractBearerToken, validateBearerToken, sendUnauthorized } from "./auth.js";
 
 /** Helper: create a simple text content result */
 export function textResult(text: string): CallToolResult {
@@ -168,10 +170,14 @@ export async function startServer(config: MCPicoConfig): Promise<void> {
           ? serverConfig.transport.url
           : serverConfig.transport.command;
       console.error(`  Connecting to "${serverConfig.name}" (${serverConfig.transport.type}: ${transportLabel})...`);
+      const resolvedAuth = serverConfig.auth
+        ? resolveUpstreamAuth(serverConfig.auth)
+        : undefined;
       const discovered = await discoverServer(
         serverConfig.name,
         serverConfig.transport,
-        serverConfig.connectTimeoutMs
+        serverConfig.connectTimeoutMs,
+        resolvedAuth
       );
       servers.push(discovered);
 
@@ -205,7 +211,7 @@ export async function startServer(config: MCPicoConfig): Promise<void> {
 
   // Create the MCPico server
   const server = new McpServer(
-    { name: "MCPico", version: "0.1.0" },
+    { name: "MCPico", version: "0.2.0" },
     {
       capabilities: { tools: {}, resources: {}, prompts: {} },
       instructions:
@@ -326,8 +332,23 @@ export async function startServer(config: MCPicoConfig): Promise<void> {
   const listenConfig = config.listen || { type: "stdio" };
 
   if (listenConfig.type === "sse") {
+    // Resolve listen auth
+    let listenAuth: ResolvedListenAuth | undefined;
+    if (listenConfig.auth) {
+      listenAuth = resolveListenAuth(listenConfig.auth);
+    }
+
     const transport = new StreamableHTTPServerTransport();
     const httpServer = createServer(async (req, res) => {
+      // Auth check
+      if (listenAuth) {
+        const providedToken = extractBearerToken(req);
+        if (!validateBearerToken(providedToken, listenAuth.token)) {
+          sendUnauthorized(res);
+          return;
+        }
+      }
+
       // Collect body for handleRequest
       const chunks: Buffer[] = [];
       for await (const chunk of req) {

package/src/token-store.test.ts

@@ -0,0 +1,154 @@
+/**
+ * Tests for token store.
+ */
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { existsSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import {
+  storageKey,
+  saveTokens,
+  loadTokens,
+  clearTokens,
+  isTokenValid,
+} from "./token-store.js";
+
+const TEST_CREDENTIALS_DIR = join(homedir(), ".mcplico");
+const TEST_CREDENTIALS_FILE = join(TEST_CREDENTIALS_DIR, "credentials.json");
+
+// Mock homedir to a temp location for test isolation
+const realHomedir = homedir;
+
+describe("token-store", () => {
+  beforeEach(() => {
+    // Clean up between tests
+    try {
+      rmSync(TEST_CREDENTIALS_FILE, { force: true });
+    } catch {}
+  });
+
+  afterEach(() => {
+    try {
+      rmSync(TEST_CREDENTIALS_FILE, { force: true });
+    } catch {}
+  });
+
+  describe("storageKey", () => {
+    it("derives key from URL hostname and path", () => {
+      expect(storageKey("https://auth.example.com/token")).toBe(
+        "auth.example.com/token"
+      );
+    });
+
+    it("uses hostname only for root path", () => {
+      expect(storageKey("https://auth.example.com")).toBe("auth.example.com");
+    });
+
+    it("handles non-URL strings gracefully", () => {
+      const key = storageKey("not-a-url");
+      expect(key).toBe("not_a_url");
+    });
+  });
+
+  describe("saveTokens and loadTokens", () => {
+    it("saves and loads tokens", () => {
+      const serverUrl = "https://api.example.com/mcp";
+      saveTokens(serverUrl, {
+        access_token: "access-123",
+        token_type: "Bearer",
+        expires_in: 3600,
+        refresh_token: "refresh-456",
+      });
+
+      const tokens = loadTokens(serverUrl);
+      expect(tokens).toBeDefined();
+      expect(tokens!.access_token).toBe("access-123");
+      expect(tokens!.token_type).toBe("Bearer");
+      expect(tokens!.refresh_token).toBe("refresh-456");
+      expect(tokens!.expires_in).toBeGreaterThan(0);
+      expect(tokens!.expires_in).toBeLessThanOrEqual(3600);
+    });
+
+    it("returns undefined for unknown server", () => {
+      expect(loadTokens("https://unknown.example.com")).toBeUndefined();
+    });
+
+    it("defaults token_type to Bearer if not stored", () => {
+      const serverUrl = "https://api.example.com";
+      saveTokens(serverUrl, {
+        access_token: "at",
+        token_type: "Bearer",
+      } as any);
+
+      // Manually strip token_type from the store
+      const fs = require("node:fs");
+      const raw = fs.readFileSync(TEST_CREDENTIALS_FILE, "utf-8");
+      const store = JSON.parse(raw);
+      const key = storageKey(serverUrl);
+      delete store[key].token_type;
+      fs.writeFileSync(TEST_CREDENTIALS_FILE, JSON.stringify(store));
+
+      const tokens = loadTokens(serverUrl);
+      expect(tokens!.token_type).toBe("Bearer");
+    });
+  });
+
+  describe("clearTokens", () => {
+    it("removes tokens for a server", () => {
+      const serverUrl = "https://api.example.com";
+      saveTokens(serverUrl, {
+        access_token: "at",
+        token_type: "Bearer",
+      });
+      expect(loadTokens(serverUrl)).toBeDefined();
+
+      clearTokens(serverUrl);
+      expect(loadTokens(serverUrl)).toBeUndefined();
+    });
+  });
+
+  describe("isTokenValid", () => {
+    it("returns false when no tokens stored", () => {
+      expect(isTokenValid("https://nonexistent.example.com")).toBe(false);
+    });
+
+    it("returns true for a freshly saved token", () => {
+      const serverUrl = "https://api.example.com";
+      saveTokens(serverUrl, {
+        access_token: "at",
+        token_type: "Bearer",
+        expires_in: 3600,
+      });
+      expect(isTokenValid(serverUrl)).toBe(true);
+    });
+
+    it("returns true for token without expiry info", () => {
+      const serverUrl = "https://api.example.com";
+      saveTokens(serverUrl, {
+        access_token: "at",
+        token_type: "Bearer",
+      });
+      expect(isTokenValid(serverUrl)).toBe(true);
+    });
+
+    it("returns false for expired token", () => {
+      const serverUrl = "https://api.example.com";
+      // Save token with expires_at in the past
+      const fs = require("node:fs");
+      saveTokens(serverUrl, {
+        access_token: "at",
+        token_type: "Bearer",
+        expires_in: 3600,
+      });
+
+      // Manually set expires_at to 1 hour ago
+      const raw = fs.readFileSync(TEST_CREDENTIALS_FILE, "utf-8");
+      const store = JSON.parse(raw);
+      const key = storageKey(serverUrl);
+      store[key].expires_at = Date.now() - 3600_000;
+      fs.writeFileSync(TEST_CREDENTIALS_FILE, JSON.stringify(store));
+
+      expect(isTokenValid(serverUrl)).toBe(false);
+    });
+  });
+});

package/src/token-store.ts

@@ -0,0 +1,109 @@
+/**
+ * Token store: persist OAuth tokens to ~/.mcplico/credentials.json
+ */
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import type { OAuthTokens } from "@modelcontextprotocol/sdk/shared/auth.js";
+
+const CREDENTIALS_DIR = join(homedir(), ".mcplico");
+const CREDENTIALS_FILE = join(CREDENTIALS_DIR, "credentials.json");
+
+interface StoredToken {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_at?: number; // Unix timestamp (ms)
+  scope?: string;
+}
+
+interface CredentialsStore {
+  [key: string]: StoredToken;
+}
+
+function ensureDir(): void {
+  if (!existsSync(CREDENTIALS_DIR)) {
+    mkdirSync(CREDENTIALS_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function readStore(): CredentialsStore {
+  try {
+    if (!existsSync(CREDENTIALS_FILE)) return {};
+    const raw = readFileSync(CREDENTIALS_FILE, "utf-8");
+    return JSON.parse(raw) as CredentialsStore;
+  } catch {
+    return {};
+  }
+}
+
+function writeStore(store: CredentialsStore): void {
+  ensureDir();
+  writeFileSync(CREDENTIALS_FILE, JSON.stringify(store, null, 2), {
+    mode: 0o600,
+  });
+}
+
+/** Derive a storage key from server URL */
+export function storageKey(serverUrl: string): string {
+  try {
+    const url = new URL(serverUrl);
+    // Use hostname + pathname to distinguish different servers
+    return `${url.hostname}${url.pathname === "/" ? "" : url.pathname}`;
+  } catch {
+    // Fallback for non-URL values
+    return serverUrl.replace(/[^a-zA-Z0-9]/g, "_");
+  }
+}
+
+/** Persist OAuth tokens for a server */
+export function saveTokens(serverUrl: string, tokens: OAuthTokens): void {
+  const store = readStore();
+  const key = storageKey(serverUrl);
+  store[key] = {
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    token_type: tokens.token_type,
+    expires_at: tokens.expires_in
+      ? Date.now() + tokens.expires_in * 1000
+      : undefined,
+    scope: tokens.scope,
+  };
+  writeStore(store);
+}
+
+/** Load persisted OAuth tokens for a server */
+export function loadTokens(serverUrl: string): OAuthTokens | undefined {
+  const store = readStore();
+  const key = storageKey(serverUrl);
+  const stored = store[key];
+  if (!stored) return undefined;
+  return {
+    access_token: stored.access_token,
+    refresh_token: stored.refresh_token,
+    token_type: stored.token_type || "Bearer",
+    expires_in: stored.expires_at
+      ? Math.max(0, Math.floor((stored.expires_at - Date.now()) / 1000)) || undefined
+      : undefined,
+    scope: stored.scope,
+  };
+}
+
+/** Clear stored tokens (e.g., when invalidated) */
+export function clearTokens(serverUrl: string): void {
+  const store = readStore();
+  const key = storageKey(serverUrl);
+  delete store[key];
+  writeStore(store);
+}
+
+/** Check if a stored token is still valid (not expired, with 60s buffer) */
+export function isTokenValid(serverUrl: string): boolean {
+  const store = readStore();
+  const key = storageKey(serverUrl);
+  const stored = store[key];
+  if (!stored || !stored.access_token) return false;
+  if (!stored.expires_at) return true; // No expiry info — assume valid
+  // Refresh with 60 second buffer
+  return Date.now() < stored.expires_at - 60_000;
+}