strapi-oauth-mcp-manager 0.1.2 → 0.1.4

package/dist/server/index.js

@@ -1,7 +1,8 @@
 "use strict";
 const node_crypto = require("node:crypto");
 const PLUGIN_ID = "strapi-oauth-mcp-manager";
-const PLUGIN_UID$3 = `plugin::${PLUGIN_ID}`;
+const PLUGIN_UID$2 = `plugin::${PLUGIN_ID}`;
+const MCP_ENDPOINT_PATTERN = /^\/api\/[^/]+\/mcp(\/.*)?$/;
 function extractBearerToken(authHeader) {
   if (!authHeader?.startsWith("Bearer ")) {
     return null;
@@ -21,7 +22,7 @@ function buildWwwAuthenticateHeader(ctx, strapi) {
 }
 async function validateOAuthToken(token, strapi) {
   try {
-    const tokenRecord = await strapi.documents(`${PLUGIN_UID$3}.mcp-oauth-token`).findFirst({
+    const tokenRecord = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).findFirst({
       filters: { accessToken: token, revoked: false }
     });
     if (!tokenRecord) {
@@ -30,7 +31,7 @@ async function validateOAuthToken(token, strapi) {
     if (new Date(tokenRecord.expiresAt) < /* @__PURE__ */ new Date()) {
       return { valid: false, error: "Token expired" };
     }
-    const client = await strapi.documents(`${PLUGIN_UID$3}.mcp-oauth-client`).findFirst({
+    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
       filters: { clientId: tokenRecord.clientId }
     });
     if (!client) {
@@ -45,32 +46,15 @@ async function validateOAuthToken(token, strapi) {
     return { valid: false, error: "Token validation failed" };
   }
 }
+function isMcpEndpoint(path) {
+  return MCP_ENDPOINT_PATTERN.test(path);
+}
 const mcpOauthMiddleware = (config2, { strapi }) => {
-  let endpointCache = [];
-  let lastCacheUpdate = 0;
-  const CACHE_TTL = 6e4;
-  async function refreshEndpointCache() {
-    const now = Date.now();
-    if (now - lastCacheUpdate > CACHE_TTL) {
-      try {
-        const endpoints = await strapi.documents(`${PLUGIN_UID$3}.mcp-endpoint`).findMany({
-          filters: { active: true }
-        });
-        endpointCache = endpoints.map((e) => e.path);
-        lastCacheUpdate = now;
-      } catch (error) {
-        strapi.log.error(`[${PLUGIN_ID}] Error refreshing endpoint cache`, { error });
-      }
-    }
-  }
-  function isProtectedPath(path) {
-    return endpointCache.some((endpoint) => path.includes(endpoint));
-  }
   return async (ctx, next) => {
-    await refreshEndpointCache();
-    if (!isProtectedPath(ctx.path)) {
+    if (!isMcpEndpoint(ctx.path)) {
       return next();
     }
+    strapi.log.debug(`[${PLUGIN_ID}] Protecting MCP endpoint: ${ctx.path}`);
     const authHeader = ctx.request.headers.authorization;
     const token = extractBearerToken(authHeader);
     if (!token) {
@@ -109,18 +93,18 @@ const config = {
   validator() {
   }
 };
-const kind$3 = "collectionType";
-const collectionName$3 = "mcp_oauth_clients";
-const info$3 = {
+const kind$2 = "collectionType";
+const collectionName$2 = "mcp_oauth_clients";
+const info$2 = {
   singularName: "mcp-oauth-client",
   pluralName: "mcp-oauth-clients",
   displayName: "MCP OAuth Client",
   description: "OAuth 2.0 clients for MCP authentication"
 };
-const options$3 = {
+const options$2 = {
   draftAndPublish: false
 };
-const pluginOptions$3 = {
+const pluginOptions$2 = {
   "content-manager": {
     visible: true
   },
@@ -128,7 +112,7 @@ const pluginOptions$3 = {
     visible: true
   }
 };
-const attributes$3 = {
+const attributes$2 = {
   name: {
     type: "string",
     required: true
@@ -161,25 +145,25 @@ const attributes$3 = {
   }
 };
 const mcpOauthClient = {
-  kind: kind$3,
-  collectionName: collectionName$3,
-  info: info$3,
-  options: options$3,
-  pluginOptions: pluginOptions$3,
-  attributes: attributes$3
+  kind: kind$2,
+  collectionName: collectionName$2,
+  info: info$2,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
 };
-const kind$2 = "collectionType";
-const collectionName$2 = "mcp_oauth_codes";
-const info$2 = {
+const kind$1 = "collectionType";
+const collectionName$1 = "mcp_oauth_codes";
+const info$1 = {
   singularName: "mcp-oauth-code",
   pluralName: "mcp-oauth-codes",
   displayName: "MCP OAuth Code",
   description: "OAuth 2.0 authorization codes"
 };
-const options$2 = {
+const options$1 = {
   draftAndPublish: false
 };
-const pluginOptions$2 = {
+const pluginOptions$1 = {
   "content-manager": {
     visible: false
   },
@@ -187,7 +171,7 @@ const pluginOptions$2 = {
     visible: false
   }
 };
-const attributes$2 = {
+const attributes$1 = {
   code: {
     type: "string",
     required: true,
@@ -217,25 +201,25 @@ const attributes$2 = {
   }
 };
 const mcpOauthCode = {
-  kind: kind$2,
-  collectionName: collectionName$2,
-  info: info$2,
-  options: options$2,
-  pluginOptions: pluginOptions$2,
-  attributes: attributes$2
+  kind: kind$1,
+  collectionName: collectionName$1,
+  info: info$1,
+  options: options$1,
+  pluginOptions: pluginOptions$1,
+  attributes: attributes$1
 };
-const kind$1 = "collectionType";
-const collectionName$1 = "mcp_oauth_tokens";
-const info$1 = {
+const kind = "collectionType";
+const collectionName = "mcp_oauth_tokens";
+const info = {
   singularName: "mcp-oauth-token",
   pluralName: "mcp-oauth-tokens",
   displayName: "MCP OAuth Token",
   description: "OAuth 2.0 access and refresh tokens"
 };
-const options$1 = {
+const options = {
   draftAndPublish: false
 };
-const pluginOptions$1 = {
+const pluginOptions = {
   "content-manager": {
     visible: false
   },
@@ -243,7 +227,7 @@ const pluginOptions$1 = {
     visible: false
   }
 };
-const attributes$1 = {
+const attributes = {
   accessToken: {
     type: "string",
     required: true,
@@ -274,55 +258,6 @@ const attributes$1 = {
   }
 };
 const mcpOauthToken = {
-  kind: kind$1,
-  collectionName: collectionName$1,
-  info: info$1,
-  options: options$1,
-  pluginOptions: pluginOptions$1,
-  attributes: attributes$1
-};
-const kind = "collectionType";
-const collectionName = "mcp_endpoints";
-const info = {
-  singularName: "mcp-endpoint",
-  pluralName: "mcp-endpoints",
-  displayName: "MCP Endpoint",
-  description: "Registered MCP endpoints protected by OAuth"
-};
-const options = {
-  draftAndPublish: false
-};
-const pluginOptions = {
-  "content-manager": {
-    visible: true
-  },
-  "content-type-builder": {
-    visible: true
-  }
-};
-const attributes = {
-  name: {
-    type: "string",
-    required: true
-  },
-  pluginId: {
-    type: "string",
-    required: true
-  },
-  path: {
-    type: "string",
-    required: true,
-    unique: true
-  },
-  description: {
-    type: "text"
-  },
-  active: {
-    type: "boolean",
-    "default": true
-  }
-};
-const mcpEndpoint = {
   kind,
   collectionName,
   info,
@@ -333,10 +268,9 @@ const mcpEndpoint = {
 const contentTypes = {
   "mcp-oauth-client": { schema: mcpOauthClient },
   "mcp-oauth-code": { schema: mcpOauthCode },
-  "mcp-oauth-token": { schema: mcpOauthToken },
-  "mcp-endpoint": { schema: mcpEndpoint }
+  "mcp-oauth-token": { schema: mcpOauthToken }
 };
-const PLUGIN_UID$2 = `plugin::${PLUGIN_ID}`;
+const PLUGIN_UID$1 = `plugin::${PLUGIN_ID}`;
 function getBaseUrl(ctx, strapi) {
   const forwardedProto = ctx.request.headers["x-forwarded-proto"] || ctx.protocol;
   const forwardedHost = ctx.request.headers["x-forwarded-host"] || ctx.request.headers["host"];
@@ -373,17 +307,15 @@ const oauthController = ({ strapi }) => ({
   /**
    * OAuth 2.0 Protected Resource Metadata (RFC 9728)
    * GET /.well-known/oauth-protected-resource
+   *
+   * Convention-based protection: all /api/{plugin}/mcp endpoints are protected.
    */
   async protectedResource(ctx) {
     const baseUrl = getBaseUrl(ctx, strapi);
     const pluginPath = `/api/${PLUGIN_ID}`;
     const authServer = `${baseUrl}${pluginPath}`;
-    const endpoints = await strapi.documents(`${PLUGIN_UID$2}.mcp-endpoint`).findMany({
-      filters: { active: true }
-    });
-    const resources = endpoints.map((e) => `${baseUrl}${e.path}`);
     ctx.body = {
-      resource: resources.length === 1 ? resources[0] : resources,
+      resource: `${baseUrl}/api`,
       authorization_servers: [authServer],
       bearer_methods_supported: ["header"]
     };
@@ -409,7 +341,7 @@ const oauthController = ({ strapi }) => ({
       ctx.body = { error: "unsupported_response_type", error_description: "Only code response type is supported" };
       return;
     }
-    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
+    const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
       filters: { clientId: client_id, active: true }
     });
     if (!client) {
@@ -438,7 +370,7 @@ const oauthController = ({ strapi }) => ({
     }
     const code = node_crypto.randomBytes(32).toString("hex");
     const expiresAt = new Date(Date.now() + 10 * 60 * 1e3);
-    await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).create({
+    await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).create({
       data: {
         code,
         clientId: client_id,
@@ -476,7 +408,7 @@ const oauthController = ({ strapi }) => ({
       ctx.body = { error: "invalid_client", error_description: "Client authentication required" };
       return;
     }
-    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
+    const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
       filters: { clientId: authClientId, active: true }
     });
     if (!client || authClientSecret && client.clientSecret !== authClientSecret) {
@@ -500,7 +432,7 @@ async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_
     ctx.body = { error: "invalid_request", error_description: "code is required" };
     return;
   }
-  const authCode = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).findFirst({
+  const authCode = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).findFirst({
     filters: { code, clientId: client.clientId, used: false }
   });
   if (!authCode) {
@@ -518,7 +450,7 @@ async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_
     ctx.body = { error: "invalid_grant", error_description: "redirect_uri mismatch" };
     return;
   }
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).update({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).update({
     documentId: authCode.documentId,
     data: { used: true }
   });
@@ -526,7 +458,7 @@ async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_
   const refreshToken = node_crypto.randomBytes(32).toString("hex");
   const expiresIn = 3600;
   const refreshExpiresIn = 30 * 24 * 3600;
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).create({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).create({
     data: {
       accessToken,
       refreshToken,
@@ -549,7 +481,7 @@ async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
     ctx.body = { error: "invalid_request", error_description: "refresh_token is required" };
     return;
   }
-  const token = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).findFirst({
+  const token = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findFirst({
     filters: { refreshToken, clientId: client.clientId, revoked: false }
   });
   if (!token) {
@@ -562,7 +494,7 @@ async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
     ctx.body = { error: "invalid_grant", error_description: "Refresh token expired" };
     return;
   }
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).update({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).update({
     documentId: token.documentId,
     data: { revoked: true }
   });
@@ -570,7 +502,7 @@ async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
   const newRefreshToken = node_crypto.randomBytes(32).toString("hex");
   const expiresIn = 3600;
   const refreshExpiresIn = 30 * 24 * 3600;
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).create({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).create({
     data: {
       accessToken: newAccessToken,
       refreshToken: newRefreshToken,
@@ -647,14 +579,14 @@ const routes = {
     routes: [...admin]
   }
 };
-const PLUGIN_UID$1 = `plugin::${PLUGIN_ID}`;
+const PLUGIN_UID = `plugin::${PLUGIN_ID}`;
 const oauthService = ({ strapi }) => ({
   /**
    * Validate an OAuth access token
    */
   async validateToken(accessToken) {
     try {
-      const tokenRecord = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findFirst({
+      const tokenRecord = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).findFirst({
         filters: { accessToken, revoked: false }
       });
       if (!tokenRecord) {
@@ -663,7 +595,7 @@ const oauthService = ({ strapi }) => ({
       if (new Date(tokenRecord.expiresAt) < /* @__PURE__ */ new Date()) {
         return { valid: false, error: "Token expired" };
       }
-      const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
+      const client = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-client`).findFirst({
         filters: { clientId: tokenRecord.clientId }
       });
       if (!client) {
@@ -683,11 +615,11 @@ const oauthService = ({ strapi }) => ({
    * Revoke all tokens for a client
    */
   async revokeClientTokens(clientId) {
-    const tokens = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findMany({
+    const tokens = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).findMany({
       filters: { clientId, revoked: false }
     });
     for (const token of tokens) {
-      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).update({
+      await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).update({
         documentId: token.documentId,
         data: { revoked: true }
       });
@@ -699,19 +631,19 @@ const oauthService = ({ strapi }) => ({
    */
   async cleanupExpired() {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const expiredCodes = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).findMany({
+    const expiredCodes = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-code`).findMany({
       filters: { expiresAt: { $lt: now } }
     });
     for (const code of expiredCodes) {
-      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).delete({
+      await strapi.documents(`${PLUGIN_UID}.mcp-oauth-code`).delete({
         documentId: code.documentId
       });
     }
-    const expiredTokens = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findMany({
+    const expiredTokens = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).findMany({
       filters: { refreshExpiresAt: { $lt: now } }
     });
     for (const token of expiredTokens) {
-      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).delete({
+      await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).delete({
         documentId: token.documentId
       });
     }
@@ -721,80 +653,8 @@ const oauthService = ({ strapi }) => ({
     };
   }
 });
-const PLUGIN_UID = `plugin::${PLUGIN_ID}`;
-const endpointService = ({ strapi }) => ({
-  /**
-   * Register an MCP endpoint for OAuth protection
-   */
-  async register(endpoint) {
-    const existing = await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findFirst({
-      filters: { path: endpoint.path }
-    });
-    if (existing) {
-      return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).update({
-        documentId: existing.documentId,
-        data: {
-          name: endpoint.name,
-          pluginId: endpoint.pluginId,
-          description: endpoint.description,
-          active: true
-        }
-      });
-    }
-    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).create({
-      data: {
-        name: endpoint.name,
-        pluginId: endpoint.pluginId,
-        path: endpoint.path,
-        description: endpoint.description,
-        active: true
-      }
-    });
-  },
-  /**
-   * Unregister an MCP endpoint
-   */
-  async unregister(path) {
-    const endpoint = await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findFirst({
-      filters: { path }
-    });
-    if (!endpoint) {
-      return false;
-    }
-    await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).update({
-      documentId: endpoint.documentId,
-      data: { active: false }
-    });
-    return true;
-  },
-  /**
-   * Get all registered endpoints
-   */
-  async getAll(activeOnly = true) {
-    const filters = activeOnly ? { active: true } : {};
-    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findMany({ filters });
-  },
-  /**
-   * Get endpoints for a specific plugin
-   */
-  async getByPlugin(pluginId, activeOnly = true) {
-    const filters = { pluginId };
-    if (activeOnly) {
-      filters.active = true;
-    }
-    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findMany({ filters });
-  },
-  /**
-   * Check if a path is a protected endpoint
-   */
-  async isProtected(path) {
-    const endpoints = await this.getAll(true);
-    return endpoints.some((e) => path.includes(e.path));
-  }
-});
 const services = {
-  oauth: oauthService,
-  endpoint: endpointService
+  oauth: oauthService
 };
 const index = {
   register,

package/dist/server/index.mjs

@@ -1,6 +1,7 @@
 import { randomBytes } from "node:crypto";
 const PLUGIN_ID = "strapi-oauth-mcp-manager";
-const PLUGIN_UID$3 = `plugin::${PLUGIN_ID}`;
+const PLUGIN_UID$2 = `plugin::${PLUGIN_ID}`;
+const MCP_ENDPOINT_PATTERN = /^\/api\/[^/]+\/mcp(\/.*)?$/;
 function extractBearerToken(authHeader) {
   if (!authHeader?.startsWith("Bearer ")) {
     return null;
@@ -20,7 +21,7 @@ function buildWwwAuthenticateHeader(ctx, strapi) {
 }
 async function validateOAuthToken(token, strapi) {
   try {
-    const tokenRecord = await strapi.documents(`${PLUGIN_UID$3}.mcp-oauth-token`).findFirst({
+    const tokenRecord = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).findFirst({
       filters: { accessToken: token, revoked: false }
     });
     if (!tokenRecord) {
@@ -29,7 +30,7 @@ async function validateOAuthToken(token, strapi) {
     if (new Date(tokenRecord.expiresAt) < /* @__PURE__ */ new Date()) {
       return { valid: false, error: "Token expired" };
     }
-    const client = await strapi.documents(`${PLUGIN_UID$3}.mcp-oauth-client`).findFirst({
+    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
       filters: { clientId: tokenRecord.clientId }
     });
     if (!client) {
@@ -44,32 +45,15 @@ async function validateOAuthToken(token, strapi) {
     return { valid: false, error: "Token validation failed" };
   }
 }
+function isMcpEndpoint(path) {
+  return MCP_ENDPOINT_PATTERN.test(path);
+}
 const mcpOauthMiddleware = (config2, { strapi }) => {
-  let endpointCache = [];
-  let lastCacheUpdate = 0;
-  const CACHE_TTL = 6e4;
-  async function refreshEndpointCache() {
-    const now = Date.now();
-    if (now - lastCacheUpdate > CACHE_TTL) {
-      try {
-        const endpoints = await strapi.documents(`${PLUGIN_UID$3}.mcp-endpoint`).findMany({
-          filters: { active: true }
-        });
-        endpointCache = endpoints.map((e) => e.path);
-        lastCacheUpdate = now;
-      } catch (error) {
-        strapi.log.error(`[${PLUGIN_ID}] Error refreshing endpoint cache`, { error });
-      }
-    }
-  }
-  function isProtectedPath(path) {
-    return endpointCache.some((endpoint) => path.includes(endpoint));
-  }
   return async (ctx, next) => {
-    await refreshEndpointCache();
-    if (!isProtectedPath(ctx.path)) {
+    if (!isMcpEndpoint(ctx.path)) {
       return next();
     }
+    strapi.log.debug(`[${PLUGIN_ID}] Protecting MCP endpoint: ${ctx.path}`);
     const authHeader = ctx.request.headers.authorization;
     const token = extractBearerToken(authHeader);
     if (!token) {
@@ -108,18 +92,18 @@ const config = {
   validator() {
   }
 };
-const kind$3 = "collectionType";
-const collectionName$3 = "mcp_oauth_clients";
-const info$3 = {
+const kind$2 = "collectionType";
+const collectionName$2 = "mcp_oauth_clients";
+const info$2 = {
   singularName: "mcp-oauth-client",
   pluralName: "mcp-oauth-clients",
   displayName: "MCP OAuth Client",
   description: "OAuth 2.0 clients for MCP authentication"
 };
-const options$3 = {
+const options$2 = {
   draftAndPublish: false
 };
-const pluginOptions$3 = {
+const pluginOptions$2 = {
   "content-manager": {
     visible: true
   },
@@ -127,7 +111,7 @@ const pluginOptions$3 = {
     visible: true
   }
 };
-const attributes$3 = {
+const attributes$2 = {
   name: {
     type: "string",
     required: true
@@ -160,25 +144,25 @@ const attributes$3 = {
   }
 };
 const mcpOauthClient = {
-  kind: kind$3,
-  collectionName: collectionName$3,
-  info: info$3,
-  options: options$3,
-  pluginOptions: pluginOptions$3,
-  attributes: attributes$3
+  kind: kind$2,
+  collectionName: collectionName$2,
+  info: info$2,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
 };
-const kind$2 = "collectionType";
-const collectionName$2 = "mcp_oauth_codes";
-const info$2 = {
+const kind$1 = "collectionType";
+const collectionName$1 = "mcp_oauth_codes";
+const info$1 = {
   singularName: "mcp-oauth-code",
   pluralName: "mcp-oauth-codes",
   displayName: "MCP OAuth Code",
   description: "OAuth 2.0 authorization codes"
 };
-const options$2 = {
+const options$1 = {
   draftAndPublish: false
 };
-const pluginOptions$2 = {
+const pluginOptions$1 = {
   "content-manager": {
     visible: false
   },
@@ -186,7 +170,7 @@ const pluginOptions$2 = {
     visible: false
   }
 };
-const attributes$2 = {
+const attributes$1 = {
   code: {
     type: "string",
     required: true,
@@ -216,25 +200,25 @@ const attributes$2 = {
   }
 };
 const mcpOauthCode = {
-  kind: kind$2,
-  collectionName: collectionName$2,
-  info: info$2,
-  options: options$2,
-  pluginOptions: pluginOptions$2,
-  attributes: attributes$2
+  kind: kind$1,
+  collectionName: collectionName$1,
+  info: info$1,
+  options: options$1,
+  pluginOptions: pluginOptions$1,
+  attributes: attributes$1
 };
-const kind$1 = "collectionType";
-const collectionName$1 = "mcp_oauth_tokens";
-const info$1 = {
+const kind = "collectionType";
+const collectionName = "mcp_oauth_tokens";
+const info = {
   singularName: "mcp-oauth-token",
   pluralName: "mcp-oauth-tokens",
   displayName: "MCP OAuth Token",
   description: "OAuth 2.0 access and refresh tokens"
 };
-const options$1 = {
+const options = {
   draftAndPublish: false
 };
-const pluginOptions$1 = {
+const pluginOptions = {
   "content-manager": {
     visible: false
   },
@@ -242,7 +226,7 @@ const pluginOptions$1 = {
     visible: false
   }
 };
-const attributes$1 = {
+const attributes = {
   accessToken: {
     type: "string",
     required: true,
@@ -273,55 +257,6 @@ const attributes$1 = {
   }
 };
 const mcpOauthToken = {
-  kind: kind$1,
-  collectionName: collectionName$1,
-  info: info$1,
-  options: options$1,
-  pluginOptions: pluginOptions$1,
-  attributes: attributes$1
-};
-const kind = "collectionType";
-const collectionName = "mcp_endpoints";
-const info = {
-  singularName: "mcp-endpoint",
-  pluralName: "mcp-endpoints",
-  displayName: "MCP Endpoint",
-  description: "Registered MCP endpoints protected by OAuth"
-};
-const options = {
-  draftAndPublish: false
-};
-const pluginOptions = {
-  "content-manager": {
-    visible: true
-  },
-  "content-type-builder": {
-    visible: true
-  }
-};
-const attributes = {
-  name: {
-    type: "string",
-    required: true
-  },
-  pluginId: {
-    type: "string",
-    required: true
-  },
-  path: {
-    type: "string",
-    required: true,
-    unique: true
-  },
-  description: {
-    type: "text"
-  },
-  active: {
-    type: "boolean",
-    "default": true
-  }
-};
-const mcpEndpoint = {
   kind,
   collectionName,
   info,
@@ -332,10 +267,9 @@ const mcpEndpoint = {
 const contentTypes = {
   "mcp-oauth-client": { schema: mcpOauthClient },
   "mcp-oauth-code": { schema: mcpOauthCode },
-  "mcp-oauth-token": { schema: mcpOauthToken },
-  "mcp-endpoint": { schema: mcpEndpoint }
+  "mcp-oauth-token": { schema: mcpOauthToken }
 };
-const PLUGIN_UID$2 = `plugin::${PLUGIN_ID}`;
+const PLUGIN_UID$1 = `plugin::${PLUGIN_ID}`;
 function getBaseUrl(ctx, strapi) {
   const forwardedProto = ctx.request.headers["x-forwarded-proto"] || ctx.protocol;
   const forwardedHost = ctx.request.headers["x-forwarded-host"] || ctx.request.headers["host"];
@@ -372,17 +306,15 @@ const oauthController = ({ strapi }) => ({
   /**
    * OAuth 2.0 Protected Resource Metadata (RFC 9728)
    * GET /.well-known/oauth-protected-resource
+   *
+   * Convention-based protection: all /api/{plugin}/mcp endpoints are protected.
    */
   async protectedResource(ctx) {
     const baseUrl = getBaseUrl(ctx, strapi);
     const pluginPath = `/api/${PLUGIN_ID}`;
     const authServer = `${baseUrl}${pluginPath}`;
-    const endpoints = await strapi.documents(`${PLUGIN_UID$2}.mcp-endpoint`).findMany({
-      filters: { active: true }
-    });
-    const resources = endpoints.map((e) => `${baseUrl}${e.path}`);
     ctx.body = {
-      resource: resources.length === 1 ? resources[0] : resources,
+      resource: `${baseUrl}/api`,
       authorization_servers: [authServer],
       bearer_methods_supported: ["header"]
     };
@@ -408,7 +340,7 @@ const oauthController = ({ strapi }) => ({
       ctx.body = { error: "unsupported_response_type", error_description: "Only code response type is supported" };
       return;
     }
-    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
+    const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
       filters: { clientId: client_id, active: true }
     });
     if (!client) {
@@ -437,7 +369,7 @@ const oauthController = ({ strapi }) => ({
     }
     const code = randomBytes(32).toString("hex");
     const expiresAt = new Date(Date.now() + 10 * 60 * 1e3);
-    await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).create({
+    await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).create({
       data: {
         code,
         clientId: client_id,
@@ -475,7 +407,7 @@ const oauthController = ({ strapi }) => ({
       ctx.body = { error: "invalid_client", error_description: "Client authentication required" };
       return;
     }
-    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
+    const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
       filters: { clientId: authClientId, active: true }
     });
     if (!client || authClientSecret && client.clientSecret !== authClientSecret) {
@@ -499,7 +431,7 @@ async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_
     ctx.body = { error: "invalid_request", error_description: "code is required" };
     return;
   }
-  const authCode = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).findFirst({
+  const authCode = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).findFirst({
     filters: { code, clientId: client.clientId, used: false }
   });
   if (!authCode) {
@@ -517,7 +449,7 @@ async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_
     ctx.body = { error: "invalid_grant", error_description: "redirect_uri mismatch" };
     return;
   }
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).update({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).update({
     documentId: authCode.documentId,
     data: { used: true }
   });
@@ -525,7 +457,7 @@ async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_
   const refreshToken = randomBytes(32).toString("hex");
   const expiresIn = 3600;
   const refreshExpiresIn = 30 * 24 * 3600;
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).create({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).create({
     data: {
       accessToken,
       refreshToken,
@@ -548,7 +480,7 @@ async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
     ctx.body = { error: "invalid_request", error_description: "refresh_token is required" };
     return;
   }
-  const token = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).findFirst({
+  const token = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findFirst({
     filters: { refreshToken, clientId: client.clientId, revoked: false }
   });
   if (!token) {
@@ -561,7 +493,7 @@ async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
     ctx.body = { error: "invalid_grant", error_description: "Refresh token expired" };
     return;
   }
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).update({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).update({
     documentId: token.documentId,
     data: { revoked: true }
   });
@@ -569,7 +501,7 @@ async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
   const newRefreshToken = randomBytes(32).toString("hex");
   const expiresIn = 3600;
   const refreshExpiresIn = 30 * 24 * 3600;
-  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).create({
+  await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).create({
     data: {
       accessToken: newAccessToken,
       refreshToken: newRefreshToken,
@@ -646,14 +578,14 @@ const routes = {
     routes: [...admin]
   }
 };
-const PLUGIN_UID$1 = `plugin::${PLUGIN_ID}`;
+const PLUGIN_UID = `plugin::${PLUGIN_ID}`;
 const oauthService = ({ strapi }) => ({
   /**
    * Validate an OAuth access token
    */
   async validateToken(accessToken) {
     try {
-      const tokenRecord = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findFirst({
+      const tokenRecord = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).findFirst({
         filters: { accessToken, revoked: false }
       });
       if (!tokenRecord) {
@@ -662,7 +594,7 @@ const oauthService = ({ strapi }) => ({
       if (new Date(tokenRecord.expiresAt) < /* @__PURE__ */ new Date()) {
         return { valid: false, error: "Token expired" };
       }
-      const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
+      const client = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-client`).findFirst({
         filters: { clientId: tokenRecord.clientId }
       });
       if (!client) {
@@ -682,11 +614,11 @@ const oauthService = ({ strapi }) => ({
    * Revoke all tokens for a client
    */
   async revokeClientTokens(clientId) {
-    const tokens = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findMany({
+    const tokens = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).findMany({
       filters: { clientId, revoked: false }
     });
     for (const token of tokens) {
-      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).update({
+      await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).update({
         documentId: token.documentId,
         data: { revoked: true }
       });
@@ -698,19 +630,19 @@ const oauthService = ({ strapi }) => ({
    */
   async cleanupExpired() {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const expiredCodes = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).findMany({
+    const expiredCodes = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-code`).findMany({
       filters: { expiresAt: { $lt: now } }
     });
     for (const code of expiredCodes) {
-      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).delete({
+      await strapi.documents(`${PLUGIN_UID}.mcp-oauth-code`).delete({
         documentId: code.documentId
       });
     }
-    const expiredTokens = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findMany({
+    const expiredTokens = await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).findMany({
       filters: { refreshExpiresAt: { $lt: now } }
     });
     for (const token of expiredTokens) {
-      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).delete({
+      await strapi.documents(`${PLUGIN_UID}.mcp-oauth-token`).delete({
         documentId: token.documentId
       });
     }
@@ -720,80 +652,8 @@ const oauthService = ({ strapi }) => ({
     };
   }
 });
-const PLUGIN_UID = `plugin::${PLUGIN_ID}`;
-const endpointService = ({ strapi }) => ({
-  /**
-   * Register an MCP endpoint for OAuth protection
-   */
-  async register(endpoint) {
-    const existing = await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findFirst({
-      filters: { path: endpoint.path }
-    });
-    if (existing) {
-      return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).update({
-        documentId: existing.documentId,
-        data: {
-          name: endpoint.name,
-          pluginId: endpoint.pluginId,
-          description: endpoint.description,
-          active: true
-        }
-      });
-    }
-    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).create({
-      data: {
-        name: endpoint.name,
-        pluginId: endpoint.pluginId,
-        path: endpoint.path,
-        description: endpoint.description,
-        active: true
-      }
-    });
-  },
-  /**
-   * Unregister an MCP endpoint
-   */
-  async unregister(path) {
-    const endpoint = await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findFirst({
-      filters: { path }
-    });
-    if (!endpoint) {
-      return false;
-    }
-    await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).update({
-      documentId: endpoint.documentId,
-      data: { active: false }
-    });
-    return true;
-  },
-  /**
-   * Get all registered endpoints
-   */
-  async getAll(activeOnly = true) {
-    const filters = activeOnly ? { active: true } : {};
-    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findMany({ filters });
-  },
-  /**
-   * Get endpoints for a specific plugin
-   */
-  async getByPlugin(pluginId, activeOnly = true) {
-    const filters = { pluginId };
-    if (activeOnly) {
-      filters.active = true;
-    }
-    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findMany({ filters });
-  },
-  /**
-   * Check if a path is a protected endpoint
-   */
-  async isProtected(path) {
-    const endpoints = await this.getAll(true);
-    return endpoints.some((e) => path.includes(e.path));
-  }
-});
 const services = {
-  oauth: oauthService,
-  endpoint: endpointService
+  oauth: oauthService
 };
 const index = {
   register,

package/dist/server/src/content-types/index.d.ts

@@ -159,50 +159,5 @@ declare const _default: {
             };
         };
     };
-    'mcp-endpoint': {
-        schema: {
-            kind: string;
-            collectionName: string;
-            info: {
-                singularName: string;
-                pluralName: string;
-                displayName: string;
-                description: string;
-            };
-            options: {
-                draftAndPublish: boolean;
-            };
-            pluginOptions: {
-                "content-manager": {
-                    visible: boolean;
-                };
-                "content-type-builder": {
-                    visible: boolean;
-                };
-            };
-            attributes: {
-                name: {
-                    type: string;
-                    required: boolean;
-                };
-                pluginId: {
-                    type: string;
-                    required: boolean;
-                };
-                path: {
-                    type: string;
-                    required: boolean;
-                    unique: boolean;
-                };
-                description: {
-                    type: string;
-                };
-                active: {
-                    type: string;
-                    default: boolean;
-                };
-            };
-        };
-    };
 };
 export default _default;

package/dist/server/src/controllers/oauth.d.ts

@@ -15,6 +15,8 @@ declare const oauthController: ({ strapi }: {
     /**
      * OAuth 2.0 Protected Resource Metadata (RFC 9728)
      * GET /.well-known/oauth-protected-resource
+     *
+     * Convention-based protection: all /api/{plugin}/mcp endpoints are protected.
      */
     protectedResource(ctx: any): Promise<void>;
     /**

package/dist/server/src/index.d.ts

@@ -51,15 +51,6 @@ declare const _default: {
                 codes: number;
             }>;
         };
-        endpoint: ({ strapi }: {
-            strapi: import("@strapi/types/dist/core").Strapi;
-        }) => {
-            register(endpoint: import("./services/endpoint").EndpointRegistration): Promise<any>;
-            unregister(path: string): Promise<boolean>;
-            getAll(activeOnly?: boolean): Promise<any[]>;
-            getByPlugin(pluginId: string, activeOnly?: boolean): Promise<any[]>;
-            isProtected(path: string): Promise<boolean>;
-        };
     };
     contentTypes: {
         'mcp-oauth-client': {
@@ -222,51 +213,6 @@ declare const _default: {
                 };
             };
         };
-        'mcp-endpoint': {
-            schema: {
-                kind: string;
-                collectionName: string;
-                info: {
-                    singularName: string;
-                    pluralName: string;
-                    displayName: string;
-                    description: string;
-                };
-                options: {
-                    draftAndPublish: boolean;
-                };
-                pluginOptions: {
-                    "content-manager": {
-                        visible: boolean;
-                    };
-                    "content-type-builder": {
-                        visible: boolean;
-                    };
-                };
-                attributes: {
-                    name: {
-                        type: string;
-                        required: boolean;
-                    };
-                    pluginId: {
-                        type: string;
-                        required: boolean;
-                    };
-                    path: {
-                        type: string;
-                        required: boolean;
-                        unique: boolean;
-                    };
-                    description: {
-                        type: string;
-                    };
-                    active: {
-                        type: string;
-                        default: boolean;
-                    };
-                };
-            };
-        };
     };
     policies: {};
     middlewares: {

package/dist/server/src/middlewares/mcp-oauth.d.ts

@@ -1,7 +1,9 @@
 /**
  * MCP OAuth Authentication Middleware
  *
- * This middleware provides OAuth 2.0 authentication for all registered MCP endpoints.
+ * This middleware provides OAuth 2.0 authentication for all MCP endpoints.
+ * Uses convention-based protection: any route matching /api/{plugin}/mcp is protected.
+ *
  * It supports dual authentication:
  * - OAuth 2.0 tokens (for ChatGPT and other OAuth clients)
  * - Direct Strapi API tokens (for Claude Desktop and scripts)

package/dist/server/src/services/index.d.ts

@@ -9,14 +9,5 @@ declare const _default: {
             codes: number;
         }>;
     };
-    endpoint: ({ strapi }: {
-        strapi: import("@strapi/types/dist/core").Strapi;
-    }) => {
-        register(endpoint: import("./endpoint").EndpointRegistration): Promise<any>;
-        unregister(path: string): Promise<boolean>;
-        getAll(activeOnly?: boolean): Promise<any[]>;
-        getByPlugin(pluginId: string, activeOnly?: boolean): Promise<any[]>;
-        isProtected(path: string): Promise<boolean>;
-    };
 };
 export default _default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-oauth-mcp-manager",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Centralized OAuth 2.0 authentication manager for Strapi MCP plugins. Supports ChatGPT, Claude, and custom OAuth clients.",
   "keywords": [
     "strapi",

package/dist/server/src/services/endpoint.d.ts

@@ -1,37 +0,0 @@
-/**
- * Endpoint Registration Service
- *
- * Allows MCP plugins to register their endpoints for OAuth protection.
- */
-import type { Core } from '@strapi/strapi';
-export interface EndpointRegistration {
-    name: string;
-    pluginId: string;
-    path: string;
-    description?: string;
-}
-declare const endpointService: ({ strapi }: {
-    strapi: Core.Strapi;
-}) => {
-    /**
-     * Register an MCP endpoint for OAuth protection
-     */
-    register(endpoint: EndpointRegistration): Promise<any>;
-    /**
-     * Unregister an MCP endpoint
-     */
-    unregister(path: string): Promise<boolean>;
-    /**
-     * Get all registered endpoints
-     */
-    getAll(activeOnly?: boolean): Promise<any[]>;
-    /**
-     * Get endpoints for a specific plugin
-     */
-    getByPlugin(pluginId: string, activeOnly?: boolean): Promise<any[]>;
-    /**
-     * Check if a path is a protected endpoint
-     */
-    isProtected(path: string): Promise<boolean>;
-};
-export default endpointService;