strapi-mcp-server 0.1.1

package/server/src/content-types/oauth-consent/schema.json

@@ -0,0 +1,21 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_oauth_consents",
+  "info": {
+    "singularName": "oauth-consent",
+    "pluralName": "oauth-consents",
+    "displayName": "MCP OAuth Consent"
+  },
+  "options": { "draftAndPublish": false },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "clientId": { "type": "string", "required": true, "maxLength": 128 },
+    "adminUserId": { "type": "string", "required": true, "maxLength": 64 },
+    "scope": { "type": "string", "required": true, "maxLength": 512 },
+    "grantedAt": { "type": "datetime", "required": true },
+    "expiresAt": { "type": "datetime", "required": true }
+  }
+}

package/server/src/content-types/oauth-refresh-token/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };

package/server/src/content-types/oauth-refresh-token/schema.json

@@ -0,0 +1,25 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_oauth_refresh_tokens",
+  "info": {
+    "singularName": "oauth-refresh-token",
+    "pluralName": "oauth-refresh-tokens",
+    "displayName": "MCP OAuth Refresh Token"
+  },
+  "options": { "draftAndPublish": false },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "tokenHash": { "type": "string", "required": true, "maxLength": 128, "private": true },
+    "familyId": { "type": "string", "required": true, "maxLength": 64 },
+    "parentJti": { "type": "string", "maxLength": 64 },
+    "clientId": { "type": "string", "required": true, "maxLength": 128 },
+    "adminUserId": { "type": "string", "required": true, "maxLength": 64 },
+    "scope": { "type": "string", "required": true, "maxLength": 512 },
+    "rotatedTo": { "type": "string", "maxLength": 128 },
+    "revoked": { "type": "boolean", "default": false, "required": true },
+    "expiresAt": { "type": "datetime", "required": true }
+  }
+}

package/server/src/content-types/oauth-revocation/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };

package/server/src/content-types/oauth-revocation/schema.json

@@ -0,0 +1,18 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_oauth_revocations",
+  "info": {
+    "singularName": "oauth-revocation",
+    "pluralName": "oauth-revocations",
+    "displayName": "MCP OAuth Revoked JTI"
+  },
+  "options": { "draftAndPublish": false },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "jti": { "type": "string", "required": true, "unique": true, "maxLength": 64 },
+    "expiresAt": { "type": "datetime", "required": true }
+  }
+}

package/server/src/content-types/oauth-signing-key/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };

package/server/src/content-types/oauth-signing-key/schema.json

@@ -0,0 +1,21 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_oauth_signing_keys",
+  "info": {
+    "singularName": "oauth-signing-key",
+    "pluralName": "oauth-signing-keys",
+    "displayName": "MCP OAuth Signing Key"
+  },
+  "options": { "draftAndPublish": false },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "kid": { "type": "string", "required": true, "unique": true, "maxLength": 64 },
+    "alg": { "type": "string", "required": true, "default": "RS256", "maxLength": 16 },
+    "publicJwk": { "type": "json", "required": true },
+    "privateJwkEncrypted": { "type": "text", "required": true, "private": true },
+    "retiredAt": { "type": "datetime" }
+  }
+}

package/server/src/controllers/admin/audit.ts

@@ -0,0 +1,30 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import type { Context } from 'koa';
+
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  async list(ctx: Context): Promise<void> {
+    const query = ctx.query as {
+      limit?: string;
+      tool?: string;
+      principalId?: string;
+      status?: string;
+    };
+    const limit = Math.min(500, Math.max(1, Number(query.limit ?? '50')));
+    const filters: Record<string, unknown> = {};
+    if (query.tool) filters.tool = query.tool;
+    if (query.principalId) filters.principalId = query.principalId;
+    if (query.status) filters.resultStatus = query.status;
+    const auditSvc = strapi.plugin('mcp-server').service('audit');
+    const entries = await auditSvc.recent(limit, filters);
+    const enrichments = await auditSvc.enrich(entries);
+    ctx.body = {
+      entries: entries.map((e: Record<string, unknown>, i: number) => ({
+        ...e,
+        principalAdmin: enrichments[i].principalAdmin,
+        client: enrichments[i].client,
+      })),
+    };
+  },
+});

package/server/src/controllers/admin/clients.ts

@@ -0,0 +1,148 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import type { Context } from 'koa';
+import { parseScope } from '../../services/oauth/scopes';
+
+interface AdminUserRow {
+  id: number;
+  email?: string;
+  firstname?: string;
+  lastname?: string;
+  username?: string;
+}
+
+/**
+ * Batch-resolve admin user info for both ownerAdminId (consent grantor) and
+ * createdByAdminId (table appearance). One DB query feeds both fields. A
+ * deleted admin user just shows null on its column.
+ */
+async function enrichWithUsers(
+  strapi: Core.Strapi,
+  clients: Array<{ ownerAdminId: string | null; createdByAdminId: string | null }>
+): Promise<Array<{ ownerAdmin: AdminUserRow | null; createdByAdmin: AdminUserRow | null }>> {
+  const ids = Array.from(
+    new Set(
+      clients
+        .flatMap((c) => [c.ownerAdminId, c.createdByAdminId])
+        .filter((v): v is string => typeof v === 'string' && v.length > 0)
+        .map((s) => Number(s))
+        .filter((n) => Number.isFinite(n))
+    )
+  );
+  if (ids.length === 0) {
+    return clients.map(() => ({ ownerAdmin: null, createdByAdmin: null }));
+  }
+  const users = (await strapi.db
+    .query('admin::user')
+    .findMany({
+      where: { id: { $in: ids } },
+      select: ['id', 'email', 'firstname', 'lastname', 'username'],
+    })) as AdminUserRow[];
+  const byId = new Map(users.map((u) => [String(u.id), u]));
+  return clients.map((c) => ({
+    ownerAdmin: c.ownerAdminId ? byId.get(c.ownerAdminId) ?? null : null,
+    createdByAdmin: c.createdByAdminId ? byId.get(c.createdByAdminId) ?? null : null,
+  }));
+}
+
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  async list(ctx: Context): Promise<void> {
+    const clients = await strapi.plugin('mcp-server').service('clients').list();
+    const enriched = await enrichWithUsers(strapi, clients);
+    ctx.body = {
+      clients: clients.map((c: Record<string, unknown>, i: number) => ({
+        ...c,
+        ownerAdmin: enriched[i].ownerAdmin,
+        createdByAdmin: enriched[i].createdByAdmin,
+      })),
+    };
+  },
+
+  async create(ctx: Context): Promise<void> {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const body = ((ctx.request as any).body ?? {}) as {
+      clientName?: string;
+      redirectUris?: string[];
+      scopes?: string | string[];
+      isConfidential?: boolean;
+    };
+    if (!body.clientName || !Array.isArray(body.redirectUris)) {
+      ctx.status = 400;
+      ctx.body = { error: 'missing fields' };
+      return;
+    }
+    const adminUser = ctx.state.user as { id: number | string } | undefined;
+    const authCredentials =
+      (ctx.state.auth as { credentials?: { id?: number | string } } | undefined)?.credentials;
+    // Prefer ctx.state.user; fall back to auth.credentials in case the admin
+    // strategy populated only the latter.
+    const createdByAdminId =
+      adminUser?.id !== undefined
+        ? String(adminUser.id)
+        : authCredentials?.id !== undefined
+          ? String(authCredentials.id)
+          : undefined;
+    const scopes = parseScope(
+      Array.isArray(body.scopes) ? body.scopes.join(' ') : body.scopes ?? ''
+    );
+    try {
+      // ownerAdminId is intentionally not set here — it represents the consent
+      // grantor and stays null until the first /oauth/authorize approval.
+      const result = await strapi.plugin('mcp-server').service('clients').create({
+        clientName: body.clientName,
+        redirectUris: body.redirectUris,
+        scopes,
+        isConfidential: !!body.isConfidential,
+        createdByAdminId,
+      });
+      ctx.body = result; // client_secret returned once
+    } catch (err) {
+      ctx.status = 400;
+      ctx.body = { error: (err as Error).message };
+    }
+  },
+
+  async update(ctx: Context): Promise<void> {
+    const { clientId } = ctx.params;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const body = ((ctx.request as any).body ?? {}) as Record<string, unknown>;
+    const patch: Record<string, unknown> = {};
+    if (typeof body.clientName === 'string') patch.clientName = body.clientName;
+    if (Array.isArray(body.redirectUris)) patch.redirectUris = body.redirectUris;
+    if (typeof body.disabled === 'boolean') patch.disabled = body.disabled;
+    if (body.scopes !== undefined) {
+      patch.scopes = parseScope(
+        Array.isArray(body.scopes) ? body.scopes.join(' ') : String(body.scopes)
+      );
+    }
+    const updated = await strapi.plugin('mcp-server').service('clients').update(clientId, patch);
+    if (!updated) ctx.throw(404, 'not found');
+    ctx.body = updated;
+  },
+
+  async findOne(ctx: Context): Promise<void> {
+    const { clientId } = ctx.params;
+    const client = await strapi.plugin('mcp-server').service('clients').findActive(clientId);
+    if (!client) {
+      // findActive only returns enabled clients; fall back to a raw lookup so
+      // the admin can see and re-enable disabled clients.
+      const row = await strapi.db
+        .query('plugin::mcp-server.oauth-client')
+        .findOne({ where: { clientId } });
+      if (!row) {
+        ctx.throw(404, 'not found');
+      }
+      ctx.body = row;
+      return;
+    }
+    ctx.body = client;
+  },
+
+  async destroy(ctx: Context): Promise<void> {
+    const { clientId } = ctx.params;
+    const deleted = await strapi.plugin('mcp-server').service('clients').delete(clientId);
+    if (!deleted) ctx.throw(404, 'not found');
+    ctx.status = 204;
+  },
+});

package/server/src/controllers/admin/dashboard.ts

@@ -0,0 +1,28 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import type { Context } from 'koa';
+import { getConfig } from '../../config';
+
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  async overview(ctx: Context): Promise<void> {
+    const cfg = getConfig(strapi);
+    const sessionStore = strapi.plugin('mcp-server').service('session-store');
+    const audit = strapi.plugin('mcp-server').service('audit');
+    const stats = sessionStore.stats();
+    const recent = await audit.recent(10);
+    const enrichments = await audit.enrich(recent);
+    ctx.body = {
+      enabled: cfg.enabled,
+      resourceUrl: cfg.resourceUrl,
+      allowedOrigins: cfg.allowedOrigins,
+      sessions: stats,
+      recentCalls: recent.map((e: Record<string, unknown>, i: number) => ({
+        ...e,
+        principalAdmin: enrichments[i].principalAdmin,
+        client: enrichments[i].client,
+      })),
+      oauth: { mode: cfg.oauth.mode, dcrEnabled: cfg.oauth.dcr.enabled },
+    };
+  },
+});

package/server/src/controllers/admin/index.ts

@@ -0,0 +1,15 @@
+'use strict';
+
+import dashboard from './dashboard';
+import clients from './clients';
+import audit from './audit';
+import settings from './settings';
+import tools from './tools';
+
+export default {
+  dashboard,
+  clients,
+  audit,
+  settings,
+  tools,
+};

package/server/src/controllers/admin/settings.ts

@@ -0,0 +1,38 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import type { Context } from 'koa';
+import { getConfig } from '../../config';
+
+/**
+ * Read-only view of the merged config. Mutations to security-critical settings
+ * happen in config/plugins.ts (env-driven) — exposing a runtime mutation surface
+ * would let admins weaken security from the UI without an audit trail.
+ *
+ * Secrets (redis.internalSecret, password in redis.url) are masked. The UI
+ * surfaces whether they're set, not what they're set to.
+ */
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  async get(ctx: Context): Promise<void> {
+    const cfg = getConfig(strapi);
+    const redis = cfg.redis
+      ? {
+          ...cfg.redis,
+          url: maskRedisUrl(cfg.redis.url),
+          internalSecret: cfg.redis.internalSecret ? '••••••' : '',
+        }
+      : undefined;
+    ctx.body = { ...cfg, redis };
+  },
+});
+
+function maskRedisUrl(url: string | undefined): string {
+  if (!url) return '';
+  try {
+    const u = new URL(url);
+    if (u.password) u.password = '••••••';
+    return u.toString();
+  } catch {
+    return url;
+  }
+}

package/server/src/controllers/admin/tools.ts

@@ -0,0 +1,23 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import type { Context } from 'koa';
+import { ALL_SCOPES } from '../../services/oauth/scopes';
+
+const TOOLS = [
+  { name: 'strapi.content.list_types', scope: 'strapi:content:read' as const },
+  { name: 'strapi.content.get_schema', scope: 'strapi:content:read' as const },
+  { name: 'strapi.content.list_entries', scope: 'strapi:content:read' as const },
+  { name: 'strapi.content.get_entry', scope: 'strapi:content:read' as const },
+  { name: 'strapi.content.create_entry', scope: 'strapi:content:write' as const },
+  { name: 'strapi.content.update_entry', scope: 'strapi:content:write' as const },
+  { name: 'strapi.media.list', scope: 'strapi:media:read' as const },
+  { name: 'strapi.media.upload', scope: 'strapi:media:write' as const },
+];
+
+export default ({ strapi: _strapi }: { strapi: Core.Strapi }) => ({
+  list(ctx: Context): void {
+    void _strapi;
+    ctx.body = { tools: TOOLS, scopes: ALL_SCOPES };
+  },
+});

package/server/src/controllers/index.ts

@@ -0,0 +1,13 @@
+'use strict';
+
+import mcp from './mcp';
+import oauth from './oauth';
+import admin from './admin';
+import proxy from './proxy';
+
+export default {
+  mcp,
+  proxy,
+  ...oauth,
+  ...admin,
+};

package/server/src/controllers/mcp.ts

@@ -0,0 +1,168 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import type { Context } from 'koa';
+import { bearerChallenge } from '../services/oauth/errors';
+
+const SESSION_HEADER = 'mcp-session-id';
+
+export default ({ strapi }: { strapi: Core.Strapi }) => ({
+  /**
+   * Single handler for POST + GET on /mcp. POST initialize creates a new
+   * session; subsequent POSTs and GETs lookup by Mcp-Session-Id.
+   *
+   * When Redis-backed session routing is enabled and the session lives on
+   * a different instance, this request is proxied to the owning instance
+   * over HTTP. The original client never sees the difference.
+   */
+  async handle(ctx: Context): Promise<void> {
+    const mcpAuth = ctx.state.mcpAuth as {
+      principal: { user: { id: string | number }; permissions: unknown[]; isSuperAdmin: boolean };
+      scopes: string[];
+      clientId: string;
+      jti: string;
+      adminUserId: string;
+    };
+    if (!mcpAuth) {
+      ctx.throw(401, 'missing auth context');
+    }
+
+    const sessionStore = strapi.plugin('mcp-server').service('session-store');
+    const sessionIdHeader = (ctx.request.header[SESSION_HEADER] as string | undefined)?.trim();
+
+    if (sessionIdHeader) {
+      const location = await sessionStore.locate(sessionIdHeader);
+      if (!location) {
+        ctx.status = 404;
+        ctx.body = { error: 'session_not_found' };
+        return;
+      }
+      if (location.principal && location.principal.adminUserId !== mcpAuth.adminUserId) {
+        // Token swap mid-session — refuse rather than allow privilege transfer.
+        ctx.set(
+          'WWW-Authenticate',
+          bearerChallenge(strapi, {
+            error: 'invalid_token',
+            error_description: 'session principal mismatch',
+          })
+        );
+        ctx.throw(401, 'session principal mismatch');
+      }
+      if (location.kind === 'remote') {
+        try {
+          await strapi
+            .plugin('mcp-server')
+            .service('proxy-client')
+            .forward(ctx, location.address, sessionIdHeader);
+        } catch (err) {
+          strapi.log.warn(
+            `[mcp-server] proxy to ${location.address} failed: ${(err as Error).message}`
+          );
+          if (!ctx.res.headersSent) {
+            ctx.res.statusCode = 502;
+            ctx.res.end(JSON.stringify({ error: 'session_owner_unreachable' }));
+          }
+        }
+        return;
+      }
+      if (location.session.principal.adminUserId !== mcpAuth.adminUserId) {
+        ctx.set(
+          'WWW-Authenticate',
+          bearerChallenge(strapi, {
+            error: 'invalid_token',
+            error_description: 'session principal mismatch',
+          })
+        );
+        ctx.throw(401, 'session principal mismatch');
+      }
+      await dispatchLocal(strapi, ctx, location.session.transport);
+      return;
+    }
+
+    if (ctx.method !== 'POST') {
+      ctx.status = 400;
+      ctx.body = { error: 'missing_session_id' };
+      return;
+    }
+
+    const principal = {
+      adminUserId: mcpAuth.adminUserId,
+      clientId: mcpAuth.clientId,
+      jti: mcpAuth.jti,
+    };
+    if (!(await sessionStore.canCreate(principal))) {
+      ctx.status = 503;
+      ctx.body = { error: 'session_capacity_reached' };
+      return;
+    }
+
+    const factory = strapi.plugin('mcp-server').service('mcp-server');
+    const created = await factory.create({
+      principal: mcpAuth.principal,
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      scopes: mcpAuth.scopes as any,
+      clientId: mcpAuth.clientId,
+      jti: mcpAuth.jti,
+    });
+    const now = Date.now();
+    const session = {
+      id: created.sessionId,
+      transport: created.transport,
+      mcpServer: created.mcpServer,
+      principal,
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      scopes: mcpAuth.scopes as any,
+      createdAt: now,
+      lastSeenAt: now,
+    };
+    await sessionStore.put(session);
+    await dispatchLocal(strapi, ctx, session.transport);
+  },
+
+  async end(ctx: Context): Promise<void> {
+    const id = (ctx.request.header[SESSION_HEADER] as string | undefined)?.trim();
+    if (!id) {
+      ctx.status = 400;
+      ctx.body = { error: 'missing_session_id' };
+      return;
+    }
+    const sessionStore = strapi.plugin('mcp-server').service('session-store');
+    // Owner instance handles close; for remote sessions, proxy the DELETE.
+    const location = await sessionStore.locate(id);
+    if (location?.kind === 'remote') {
+      try {
+        await strapi
+          .plugin('mcp-server')
+          .service('proxy-client')
+          .forward(ctx, location.address, id);
+      } catch {
+        // best-effort — owner may already be gone; consider closed
+        ctx.status = 204;
+      }
+      return;
+    }
+    await sessionStore.close(id);
+    ctx.status = 204;
+  },
+});
+
+async function dispatchLocal(
+  strapi: Core.Strapi,
+  ctx: Context,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  transport: any
+): Promise<void> {
+  ctx.respond = false;
+  ctx.req.socket.setTimeout(0);
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const body = (ctx.request as any).body;
+  try {
+    await transport.handleRequest(ctx.req, ctx.res, body);
+  } catch (err) {
+    strapi.log.error('[mcp-server] transport.handleRequest failed', err as Error);
+    if (!ctx.res.headersSent) {
+      ctx.res.statusCode = 500;
+      ctx.res.end(JSON.stringify({ error: 'internal_error' }));
+    }
+  }
+}