strapi-mcp-server 0.1.1

package/server/src/services/oauth/signing-keys.ts

@@ -0,0 +1,166 @@
+'use strict';
+
+import { generateKeyPair, exportJWK, importJWK, type JWK, type KeyLike } from 'jose';
+import {
+  createCipheriv,
+  createDecipheriv,
+  hkdfSync,
+  randomBytes,
+} from 'crypto';
+import type { Core } from '@strapi/strapi';
+
+const UID = 'plugin::mcp-server.oauth-signing-key';
+
+export interface ActiveKey {
+  kid: string;
+  alg: string;
+  publicJwk: JWK;
+  privateKey: KeyLike;
+}
+
+interface KeyRow {
+  id: number;
+  kid: string;
+  alg: string;
+  publicJwk: JWK;
+  privateJwkEncrypted: string;
+  retiredAt: string | null;
+}
+
+let cached: ActiveKey | null = null;
+
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  /**
+   * Generate-on-first-boot. Idempotent: if an active (non-retired) key exists
+   * AND can be decrypted, load and cache it. If a row exists but can't be
+   * decrypted (e.g. legacy null/garbled value from a prior boot before this
+   * fix), the row is dropped and a new key is minted in its place.
+   */
+  async ensureActiveKey(): Promise<ActiveKey> {
+    if (cached) return cached;
+
+    const existing = (await strapi.db.query(UID).findOne({
+      where: { retiredAt: { $null: true } },
+      orderBy: { id: 'desc' },
+    })) as KeyRow | null;
+
+    if (existing) {
+      try {
+        const decrypted = decryptBlob(strapi, existing.privateJwkEncrypted);
+        const jwk = JSON.parse(decrypted) as JWK;
+        const privateKey = (await importJWK(jwk, existing.alg)) as KeyLike;
+        cached = {
+          kid: existing.kid,
+          alg: existing.alg,
+          publicJwk: { ...existing.publicJwk, kid: existing.kid, alg: existing.alg, use: 'sig' },
+          privateKey,
+        };
+        return cached;
+      } catch (err) {
+        strapi.log.warn(
+          `[mcp-server] existing signing key kid=${existing.kid} could not be decrypted (${
+            (err as Error).message
+          }); discarding and regenerating`
+        );
+        await strapi.db.query(UID).delete({ where: { id: existing.id } });
+      }
+    }
+
+    const { publicKey, privateKey } = await generateKeyPair('RS256', { modulusLength: 2048 });
+    const publicJwk = await exportJWK(publicKey);
+    const privateJwk = await exportJWK(privateKey);
+    const kid = randomBytes(16).toString('hex');
+    publicJwk.kid = kid;
+    publicJwk.alg = 'RS256';
+    publicJwk.use = 'sig';
+
+    const encrypted = encryptBlob(strapi, JSON.stringify(privateJwk));
+    await strapi.db.query(UID).create({
+      data: {
+        kid,
+        alg: 'RS256',
+        publicJwk,
+        privateJwkEncrypted: encrypted,
+      },
+    });
+
+    cached = { kid, alg: 'RS256', publicJwk, privateKey };
+    strapi.log.info(`[mcp-server] minted OAuth signing key kid=${kid}`);
+    return cached;
+  },
+
+  async getActiveKey(): Promise<ActiveKey> {
+    return cached ?? this.ensureActiveKey();
+  },
+
+  /** JWKS endpoint payload — public keys only, includes retired-but-not-purged. */
+  async publicJwks(): Promise<{ keys: JWK[] }> {
+    const rows = (await strapi.db.query(UID).findMany({
+      orderBy: { id: 'desc' },
+      limit: 10,
+    })) as KeyRow[];
+    return {
+      keys: rows.map((r) => ({ ...r.publicJwk, kid: r.kid, alg: r.alg, use: 'sig' })),
+    };
+  },
+
+  invalidateCache(): void {
+    cached = null;
+  },
+});
+
+/**
+ * Derive a 32-byte AES-256 key from APP_KEYS + ADMIN_JWT_SECRET via HKDF.
+ * This is self-contained — we don't rely on Strapi's admin encryption service,
+ * which requires extra config and is silently nullable in some setups.
+ *
+ * Threat model: rotating APP_KEYS invalidates stored signing keys; we handle
+ * that by regenerating on decrypt failure (see ensureActiveKey above).
+ */
+function deriveKey(strapi: Core.Strapi): Buffer {
+  const appKeys = (strapi.config.get('app.keys') as string[] | undefined) ?? [];
+  const adminSecret =
+    (strapi.config.get('admin.auth.secret') as string | undefined) ?? '';
+  const material = `${appKeys.join('|')}|${adminSecret}`;
+  if (material === '|') {
+    throw new Error(
+      '[mcp-server] APP_KEYS and ADMIN_JWT_SECRET must be configured for signing-key encryption'
+    );
+  }
+  return Buffer.from(
+    hkdfSync('sha256', material, 'strapi-mcp-server-salt', 'oauth-signing-key:v1', 32)
+  );
+}
+
+function encryptBlob(strapi: Core.Strapi, plaintext: string): string {
+  const key = deriveKey(strapi);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv('aes-256-gcm', key, iv);
+  const enc = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `v1:${iv.toString('base64url')}:${tag.toString('base64url')}:${enc.toString('base64url')}`;
+}
+
+function decryptBlob(strapi: Core.Strapi, blob: string): string {
+  if (!blob || typeof blob !== 'string') {
+    throw new Error('encrypted blob is null or non-string');
+  }
+  const parts = blob.split(':');
+  if (parts.length !== 4 || parts[0] !== 'v1') {
+    throw new Error('unrecognized blob format');
+  }
+  const key = deriveKey(strapi);
+  const iv = Buffer.from(parts[1], 'base64url');
+  const tag = Buffer.from(parts[2], 'base64url');
+  const enc = Buffer.from(parts[3], 'base64url');
+  // Pin authTagLength to 16 bytes (GCM's full 128-bit tag) so an attacker who
+  // can forge the stored blob can't downgrade to a shorter tag and brute-force
+  // it. encryptBlob always emits a 16-byte tag via getAuthTag(); reject any
+  // blob that doesn't match before handing it to setAuthTag.
+  if (tag.length !== 16) {
+    throw new Error('GCM auth tag has unexpected length');
+  }
+  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(enc), decipher.final()]).toString('utf8');
+}

package/server/src/services/oauth/tokens.ts

@@ -0,0 +1,324 @@
+'use strict';
+
+import {
+  SignJWT,
+  jwtVerify,
+  type JWTPayload,
+  createLocalJWKSet,
+  createRemoteJWKSet,
+  type JWTVerifyGetKey,
+} from 'jose';
+import { createHash, randomBytes } from 'crypto';
+import type { Core } from '@strapi/strapi';
+import { getConfig } from '../../config';
+import { authorizationServerUrl, canonicalResourceUrl } from './audience';
+import { ALL_SCOPES, scopeString, parseScope, type Scope } from './scopes';
+
+// Remote-JWKS cache for external AS mode. jose's createRemoteJWKSet has its
+// own internal HTTP cache (~10 min default); we just avoid recreating the
+// callable on every request.
+let externalJwksCache: { uri: string; jwks: JWTVerifyGetKey } | null = null;
+function getExternalJwks(uri: string): JWTVerifyGetKey {
+  if (!externalJwksCache || externalJwksCache.uri !== uri) {
+    externalJwksCache = { uri, jwks: createRemoteJWKSet(new URL(uri)) };
+  }
+  return externalJwksCache.jwks;
+}
+
+const REFRESH_UID = 'plugin::mcp-server.oauth-refresh-token';
+const REVOKE_UID = 'plugin::mcp-server.oauth-revocation';
+
+export interface MintResult {
+  accessToken: string;
+  refreshToken: string;
+  accessTokenExpiresAt: Date;
+  refreshTokenExpiresAt: Date;
+  jti: string;
+  familyId: string;
+}
+
+export interface VerifiedClaims {
+  sub: string;
+  scope: Scope[];
+  clientId: string;
+  jti: string;
+  exp: number;
+}
+
+export interface RefreshRow {
+  id: number;
+  tokenHash: string;
+  familyId: string;
+  parentJti: string | null;
+  clientId: string;
+  adminUserId: string;
+  scope: string;
+  rotatedTo: string | null;
+  revoked: boolean;
+  expiresAt: string;
+}
+
+export default ({ strapi }: { strapi: Core.Strapi }) => {
+  const sha256 = (s: string) => createHash('sha256').update(s).digest('hex');
+
+  return {
+    /**
+     * Mint a fresh access+refresh pair. New family — caller passes a stable
+     * familyId if this is a refresh rotation.
+     */
+    async mint(opts: {
+      adminUserId: string;
+      clientId: string;
+      scope: Scope[];
+      familyId?: string;
+      parentJti?: string;
+    }): Promise<MintResult> {
+      const cfg = getConfig(strapi);
+      const key = await strapi.plugin('mcp-server').service('signing-keys').getActiveKey();
+      const now = Math.floor(Date.now() / 1000);
+      const jti = randomBytes(16).toString('hex');
+      const issuer = authorizationServerUrl(strapi);
+      const audience = canonicalResourceUrl(strapi);
+
+      const payload: JWTPayload = {
+        scope: scopeString(opts.scope),
+        client_id: opts.clientId,
+        azp: opts.clientId,
+        jti,
+      };
+      const accessToken = await new SignJWT(payload)
+        .setProtectedHeader({ alg: key.alg, kid: key.kid, typ: 'at+jwt' })
+        .setIssuer(issuer)
+        .setSubject(opts.adminUserId)
+        .setAudience(audience)
+        .setIssuedAt(now)
+        .setExpirationTime(now + cfg.oauth.accessTokenTtlSec)
+        .sign(key.privateKey);
+
+      const refreshSecret = randomBytes(32).toString('base64url');
+      const familyId = opts.familyId ?? randomBytes(16).toString('hex');
+      const refreshExp = new Date((now + cfg.oauth.refreshTokenTtlSec) * 1000);
+
+      await strapi.db.query(REFRESH_UID).create({
+        data: {
+          tokenHash: sha256(refreshSecret),
+          familyId,
+          parentJti: opts.parentJti ?? null,
+          clientId: opts.clientId,
+          adminUserId: opts.adminUserId,
+          scope: scopeString(opts.scope),
+          revoked: false,
+          rotatedTo: null,
+          expiresAt: refreshExp,
+        },
+      });
+
+      return {
+        accessToken,
+        refreshToken: refreshSecret,
+        accessTokenExpiresAt: new Date((now + cfg.oauth.accessTokenTtlSec) * 1000),
+        refreshTokenExpiresAt: refreshExp,
+        jti,
+        familyId,
+      };
+    },
+
+    /**
+     * Verify an access JWT. Two modes, picked from `oauth.mode`:
+     *
+     *  - **embedded** (default): verify against the plugin's own JWKS, check
+     *    iss/aud/exp + revocation list. `sub` is already a Strapi admin user id.
+     *  - **external**: verify against the configured external AS's JWKS, check
+     *    iss/exp. Map the JWT's email-style claim back to a Strapi admin
+     *    user (the JWT's `sub` is the external identity, NOT a Strapi id, so
+     *    we resolve it server-side and present a Strapi admin id to callers).
+     *
+     * Throws Error('invalid_token' | 'expired') on failure.
+     */
+    async verifyAccessToken(token: string): Promise<VerifiedClaims> {
+      const cfg = getConfig(strapi);
+      if (cfg.oauth.mode === 'external') {
+        return verifyExternal(strapi, token);
+      }
+      return verifyEmbedded(strapi, token);
+    },
+
+    /**
+     * Atomically consume a refresh token: returns the previous row only if it
+     * was still rotatable. Reuse (rotatedTo set, or revoked) returns null AND
+     * triggers family-wide revocation.
+     */
+    async consumeRefresh(refreshSecret: string): Promise<RefreshRow | null> {
+      const hash = sha256(refreshSecret);
+      const row = (await strapi.db.query(REFRESH_UID).findOne({
+        where: { tokenHash: hash },
+      })) as RefreshRow | null;
+      if (!row) return null;
+
+      if (new Date(row.expiresAt).getTime() < Date.now()) {
+        return null;
+      }
+      if (row.revoked || row.rotatedTo) {
+        // Reuse detection: nuke the whole family.
+        await this.revokeFamily(row.familyId);
+        strapi.log.warn(
+          `[mcp-server] refresh-token reuse detected family=${row.familyId} client=${row.clientId} — family revoked`
+        );
+        return null;
+      }
+      return row;
+    },
+
+    async markRotated(parentRowId: number, newRefreshHash: string): Promise<void> {
+      await strapi.db
+        .query(REFRESH_UID)
+        .update({ where: { id: parentRowId }, data: { rotatedTo: newRefreshHash } });
+    },
+
+    async revokeFamily(familyId: string): Promise<void> {
+      await strapi.db.query(REFRESH_UID).updateMany({
+        where: { familyId },
+        data: { revoked: true },
+      });
+    },
+
+    async revokeRefresh(refreshSecret: string): Promise<void> {
+      const hash = sha256(refreshSecret);
+      const row = (await strapi.db
+        .query(REFRESH_UID)
+        .findOne({ where: { tokenHash: hash } })) as RefreshRow | null;
+      if (row) await this.revokeFamily(row.familyId);
+    },
+
+    async revokeAccessJti(jti: string, expiresAt: Date): Promise<void> {
+      try {
+        await strapi.db.query(REVOKE_UID).create({ data: { jti, expiresAt } });
+      } catch {
+        // unique constraint collision — already revoked, ignore
+      }
+    },
+
+    async revokeAllForUser(adminUserId: string): Promise<void> {
+      await strapi.db.query(REFRESH_UID).updateMany({
+        where: { adminUserId, revoked: false },
+        data: { revoked: true },
+      });
+    },
+
+    /** Daily purge — drops expired refresh tokens and revocation entries. */
+    async purgeExpired(): Promise<void> {
+      const now = new Date();
+      await strapi.db.query(REFRESH_UID).deleteMany({ where: { expiresAt: { $lt: now } } });
+      await strapi.db.query(REVOKE_UID).deleteMany({ where: { expiresAt: { $lt: now } } });
+      await strapi.db
+        .query('plugin::mcp-server.oauth-auth-code')
+        .deleteMany({ where: { expiresAt: { $lt: now } } });
+    },
+
+    hash(s: string): string {
+      return sha256(s);
+    },
+  };
+};
+
+async function verifyEmbedded(
+  strapi: Core.Strapi,
+  token: string
+): Promise<VerifiedClaims> {
+  const sk = strapi.plugin('mcp-server').service('signing-keys');
+  const jwks = createLocalJWKSet(await sk.publicJwks());
+  const issuer = authorizationServerUrl(strapi);
+  const audience = canonicalResourceUrl(strapi);
+
+  let claims: JWTPayload;
+  try {
+    const { payload } = await jwtVerify(token, jwks, { issuer, audience });
+    claims = payload;
+  } catch (err) {
+    const code = (err as { code?: string }).code;
+    if (code === 'ERR_JWT_EXPIRED') throw new Error('expired');
+    throw new Error('invalid_token');
+  }
+
+  const jti = typeof claims.jti === 'string' ? claims.jti : '';
+  if (!jti) throw new Error('invalid_token');
+
+  const revoked = await strapi.db.query(REVOKE_UID).findOne({ where: { jti } });
+  if (revoked) throw new Error('invalid_token');
+
+  const sub = typeof claims.sub === 'string' ? claims.sub : '';
+  const clientId = typeof claims.client_id === 'string' ? claims.client_id : '';
+  if (!sub || !clientId) throw new Error('invalid_token');
+
+  return {
+    sub,
+    scope: parseScope(claims.scope),
+    clientId,
+    jti,
+    exp: typeof claims.exp === 'number' ? claims.exp : 0,
+  };
+}
+
+async function verifyExternal(
+  strapi: Core.Strapi,
+  token: string
+): Promise<VerifiedClaims> {
+  const cfg = getConfig(strapi);
+  const ext = cfg.oauth.external;
+  if (!ext) throw new Error('invalid_token');
+  const jwks = getExternalJwks(ext.jwksUri);
+
+  let claims: JWTPayload;
+  try {
+    const { payload } = await jwtVerify(token, jwks, {
+      issuer: ext.issuer,
+      // No audience check in external mode — external AS owns aud.
+    });
+    claims = payload;
+  } catch (err) {
+    const code = (err as { code?: string }).code;
+    if (code === 'ERR_JWT_EXPIRED') throw new Error('expired');
+    throw new Error('invalid_token');
+  }
+
+  const lookupClaim = ext.adminLookupClaim ?? 'email';
+  const lookupValue = (claims as Record<string, unknown>)[lookupClaim];
+  if (typeof lookupValue !== 'string' || !lookupValue) {
+    throw new Error('invalid_token');
+  }
+  const adminWhere =
+    lookupClaim === 'email' ? { email: lookupValue } : { username: lookupValue };
+  const admin = (await strapi.db
+    .query('admin::user')
+    .findOne({ where: adminWhere })) as
+    | { id: number; isActive?: boolean; blocked?: boolean }
+    | null;
+  if (!admin || admin.isActive === false || admin.blocked) {
+    throw new Error('invalid_token');
+  }
+
+  const clientId =
+    typeof claims.azp === 'string'
+      ? claims.azp
+      : typeof claims.client_id === 'string'
+        ? claims.client_id
+        : 'external';
+
+  // Scope handling in external mode:
+  //  - enforceScopes: true  → require strapi:* scopes in the JWT (operator
+  //    must define them as Client Scopes in the IdP)
+  //  - enforceScopes: false (default) → grant the full surface, leaving
+  //    granular control to Strapi RBAC + per-tool toggles. Keeps setup
+  //    cross-IdP portable without per-vendor scope registration.
+  const scope: Scope[] = ext.enforceScopes
+    ? parseScope(claims.scope)
+    : [...ALL_SCOPES];
+
+  return {
+    sub: String(admin.id),
+    scope,
+    clientId,
+    jti: typeof claims.jti === 'string' ? claims.jti : '',
+    exp: typeof claims.exp === 'number' ? claims.exp : 0,
+  };
+}

package/server/src/services/permissions.ts

@@ -0,0 +1,87 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+
+const INTERNAL_UID = /^(admin::|strapi::|plugin::users-permissions\.(role|permission)|plugin::i18n\.locale|plugin::upload\.(folder|file)$|plugin::mcp-server\.)/;
+
+export interface PrincipalContext {
+  user: { id: number | string; isActive?: boolean };
+  permissions: unknown[];
+  isSuperAdmin: boolean;
+}
+
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  /**
+   * Load an admin user and their permissions. Used both at JWT verification time
+   * (to confirm the principal still exists and is active) and at tool-call time
+   * for RBAC enforcement.
+   *
+   * We bypass `admin::user.findOne(...)` because its `populate: ['roles']` path
+   * triggered a Knex "Undefined binding" error in some Strapi installs. Going
+   * direct to `strapi.db.query` is more predictable and gives us exactly the
+   * shape we need (user with roles relation).
+   */
+  async loadPrincipal(adminUserId: string | number): Promise<PrincipalContext | null> {
+    const id = typeof adminUserId === 'string' ? Number(adminUserId) || adminUserId : adminUserId;
+
+    const user = await strapi.db.query('admin::user').findOne({
+      where: { id },
+      populate: { roles: true },
+    });
+    if (!user || user.isActive === false || user.blocked) return null;
+
+    const roleSvc = strapi.service('admin::role');
+    let isSuperAdmin = false;
+    try {
+      isSuperAdmin = (await roleSvc.hasSuperAdminRole(user)) === true;
+    } catch {
+      // Fallback: check role code locally.
+      isSuperAdmin =
+        Array.isArray(user.roles) &&
+        user.roles.some((r: { code?: string }) => r.code === 'strapi-super-admin');
+    }
+
+    const permSvc = strapi.service('admin::permission');
+    let permissions: unknown[] = [];
+    try {
+      permissions = await permSvc.findUserPermissions({ user });
+    } catch (err) {
+      strapi.log.warn('[mcp-server] findUserPermissions failed', err as Error);
+    }
+
+    return { user, permissions, isSuperAdmin };
+  },
+
+  /**
+   * Content-manager-equivalent RBAC check for a UID + action.
+   * action: 'read' | 'create' | 'update' | 'delete' | 'publish'
+   * Internal UIDs are denied outright regardless of role.
+   */
+  async canActionOnUid(
+    principal: PrincipalContext,
+    uid: string,
+    action: 'read' | 'create' | 'update' | 'delete' | 'publish'
+  ): Promise<boolean> {
+    if (INTERNAL_UID.test(uid)) return false;
+    if (principal.isSuperAdmin) return true;
+
+    const actionId = `plugin::content-manager.explorer.${action}`;
+    return (principal.permissions as Array<{ action: string; subject: string | null }>).some(
+      (p) => p.action === actionId && (p.subject === uid || p.subject === null)
+    );
+  },
+
+  isInternalUid(uid: string): boolean {
+    return INTERNAL_UID.test(uid);
+  },
+
+  /** Returns allowed UIDs (collectionType + singleType, minus the denylist). */
+  listAllowedUids(): string[] {
+    const cts = strapi.contentTypes as unknown as Record<string, { kind?: string }>;
+    return Object.keys(cts).filter(
+      (uid) =>
+        !INTERNAL_UID.test(uid) &&
+        (cts[uid].kind === 'collectionType' || cts[uid].kind === 'singleType')
+    );
+  },
+});