sub-bridge 1.0.0

package/src/oauth/authorize.ts

@@ -0,0 +1,270 @@
+/**
+ * OAuth Authorization Endpoint
+ *
+ * Handles the /oauth/authorize endpoint. When an MCP client redirects here,
+ * we redirect to the landing page with OAuth params. After the user authenticates
+ * with Claude/ChatGPT, the frontend calls /oauth/code to get an authorization code.
+ */
+import crypto from 'node:crypto'
+import { generateAuthCode } from './crypto'
+import { getClient, validateRedirectUri } from './dcr'
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface AuthorizationRequest {
+  client_id: string
+  redirect_uri: string
+  response_type: string
+  state?: string
+  scope?: string
+  code_challenge?: string
+  code_challenge_method?: string
+}
+
+export interface PendingAuthorization {
+  clientId: string
+  redirectUri: string
+  state?: string
+  scope?: string
+  codeChallenge?: string
+  codeChallengeMethod?: string
+  createdAt: number
+}
+
+export interface AuthorizationCode {
+  code: string
+  clientId: string
+  redirectUri: string
+  userId: string
+  providers: {
+    claude?: {
+      access_token: string
+      refresh_token?: string
+      expires_at?: number
+    }
+    chatgpt?: {
+      access_token: string
+      account_id: string
+    }
+  }
+  codeChallenge?: string
+  codeChallengeMethod?: string
+  createdAt: number
+  expiresAt: number
+}
+
+// ============================================================================
+// Storage (In-Memory)
+// ============================================================================
+
+const AUTH_CODE_TTL_MS = 10 * 60 * 1000 // 10 minutes
+
+// Pending authorizations waiting for user to complete auth
+const pendingAuthorizations = new Map<string, PendingAuthorization>()
+
+// Issued authorization codes waiting for token exchange
+const authorizationCodes = new Map<string, AuthorizationCode>()
+
+// Cleanup expired entries periodically
+setInterval(() => {
+  const now = Date.now()
+  for (const [id, pending] of pendingAuthorizations.entries()) {
+    if (now - pending.createdAt > AUTH_CODE_TTL_MS) {
+      pendingAuthorizations.delete(id)
+    }
+  }
+  for (const [code, auth] of authorizationCodes.entries()) {
+    if (now > auth.expiresAt) {
+      authorizationCodes.delete(code)
+    }
+  }
+}, 60 * 1000)
+
+// ============================================================================
+// Authorization Functions
+// ============================================================================
+
+/**
+ * Validate and process an authorization request.
+ * Returns a pending authorization ID if valid, or an error.
+ */
+export function startAuthorization(
+  request: AuthorizationRequest
+): { pendingId: string } | { error: string; errorDescription: string } {
+  // Validate response_type
+  if (request.response_type !== 'code') {
+    return {
+      error: 'unsupported_response_type',
+      errorDescription: 'Only "code" response type is supported',
+    }
+  }
+
+  // Validate client exists
+  const client = getClient(request.client_id)
+  if (!client) {
+    return {
+      error: 'invalid_client',
+      errorDescription: 'Client not registered. Use /oauth/register first.',
+    }
+  }
+
+  // Validate redirect_uri
+  if (!validateRedirectUri(request.client_id, request.redirect_uri)) {
+    return {
+      error: 'invalid_redirect_uri',
+      errorDescription: 'Redirect URI not registered for this client',
+    }
+  }
+
+  // Create pending authorization
+  const pendingId = crypto.randomBytes(16).toString('hex')
+  pendingAuthorizations.set(pendingId, {
+    clientId: request.client_id,
+    redirectUri: request.redirect_uri,
+    state: request.state,
+    scope: request.scope,
+    codeChallenge: request.code_challenge,
+    codeChallengeMethod: request.code_challenge_method,
+    createdAt: Date.now(),
+  })
+
+  return { pendingId }
+}
+
+/**
+ * Get pending authorization by ID.
+ */
+export function getPendingAuthorization(pendingId: string): PendingAuthorization | null {
+  const pending = pendingAuthorizations.get(pendingId)
+  if (!pending) return null
+  if (Date.now() - pending.createdAt > AUTH_CODE_TTL_MS) {
+    pendingAuthorizations.delete(pendingId)
+    return null
+  }
+  return pending
+}
+
+/**
+ * Complete authorization and generate an authorization code.
+ * Called after user successfully authenticates with Claude/ChatGPT.
+ */
+export function completeAuthorization(
+  pendingId: string,
+  userId: string,
+  providers: AuthorizationCode['providers']
+): { code: string; redirectUri: string; state?: string } | { error: string } {
+  const pending = pendingAuthorizations.get(pendingId)
+  if (!pending) {
+    return { error: 'Authorization session expired or not found' }
+  }
+
+  // Generate authorization code
+  const code = generateAuthCode()
+  const now = Date.now()
+
+  authorizationCodes.set(code, {
+    code,
+    clientId: pending.clientId,
+    redirectUri: pending.redirectUri,
+    userId,
+    providers,
+    codeChallenge: pending.codeChallenge,
+    codeChallengeMethod: pending.codeChallengeMethod,
+    createdAt: now,
+    expiresAt: now + AUTH_CODE_TTL_MS,
+  })
+
+  // Clean up pending authorization
+  pendingAuthorizations.delete(pendingId)
+
+  return {
+    code,
+    redirectUri: pending.redirectUri,
+    state: pending.state,
+  }
+}
+
+/**
+ * Exchange authorization code for token data.
+ * Validates and consumes the code (one-time use).
+ */
+export function exchangeAuthorizationCode(
+  code: string,
+  clientId: string,
+  redirectUri: string,
+  codeVerifier?: string
+): AuthorizationCode | { error: string; errorDescription: string } {
+  const authCode = authorizationCodes.get(code)
+
+  if (!authCode) {
+    return {
+      error: 'invalid_grant',
+      errorDescription: 'Authorization code not found or expired',
+    }
+  }
+
+  // Validate client_id matches
+  if (authCode.clientId !== clientId) {
+    authorizationCodes.delete(code)
+    return {
+      error: 'invalid_grant',
+      errorDescription: 'Client ID mismatch',
+    }
+  }
+
+  // Validate redirect_uri matches
+  if (authCode.redirectUri !== redirectUri) {
+    authorizationCodes.delete(code)
+    return {
+      error: 'invalid_grant',
+      errorDescription: 'Redirect URI mismatch',
+    }
+  }
+
+  // Validate PKCE if code challenge was provided
+  if (authCode.codeChallenge) {
+    if (!codeVerifier) {
+      authorizationCodes.delete(code)
+      return {
+        error: 'invalid_grant',
+        errorDescription: 'Code verifier required',
+      }
+    }
+
+    const method = authCode.codeChallengeMethod || 'plain'
+    let expectedChallenge: string
+
+    if (method === 'S256') {
+      expectedChallenge = crypto
+        .createHash('sha256')
+        .update(codeVerifier)
+        .digest('base64url')
+    } else {
+      expectedChallenge = codeVerifier
+    }
+
+    if (expectedChallenge !== authCode.codeChallenge) {
+      authorizationCodes.delete(code)
+      return {
+        error: 'invalid_grant',
+        errorDescription: 'Code verifier mismatch',
+      }
+    }
+  }
+
+  // Check expiration
+  if (Date.now() > authCode.expiresAt) {
+    authorizationCodes.delete(code)
+    return {
+      error: 'invalid_grant',
+      errorDescription: 'Authorization code expired',
+    }
+  }
+
+  // Consume the code (one-time use)
+  authorizationCodes.delete(code)
+
+  return authCode
+}

package/src/oauth/crypto.ts

@@ -0,0 +1,198 @@
+/**
+ * Cryptographic utilities for MCP OAuth token encryption
+ *
+ * Uses AES-256-GCM for authenticated encryption of upstream credentials.
+ * Server secret is generated on first run and stored locally.
+ */
+import crypto from 'node:crypto'
+import fs from 'node:fs'
+import path from 'node:path'
+import os from 'node:os'
+
+// ============================================================================
+// Configuration
+// ============================================================================
+
+const SECRET_DIR = path.join(os.homedir(), '.sub-bridge')
+const SECRET_FILE = path.join(SECRET_DIR, 'secret.key')
+const ALGORITHM = 'aes-256-gcm'
+const IV_LENGTH = 12 // GCM recommended IV length
+const TAG_LENGTH = 16 // GCM auth tag length
+
+// ============================================================================
+// Server Secret Management
+// ============================================================================
+
+let cachedSecret: Buffer | null = null
+
+/**
+ * Get or generate the server encryption secret.
+ * Secret is 32 bytes (256 bits) for AES-256.
+ */
+export function getServerSecret(): Buffer {
+  if (cachedSecret) return cachedSecret
+
+  // Try to read existing secret
+  try {
+    if (fs.existsSync(SECRET_FILE)) {
+      const secret = fs.readFileSync(SECRET_FILE)
+      if (secret.length === 32) {
+        cachedSecret = secret
+        return cachedSecret
+      }
+    }
+  } catch {
+    // Will generate new secret
+  }
+
+  // Generate new secret
+  const secret = crypto.randomBytes(32)
+
+  // Ensure directory exists
+  if (!fs.existsSync(SECRET_DIR)) {
+    fs.mkdirSync(SECRET_DIR, { recursive: true, mode: 0o700 })
+  }
+
+  // Write secret with restrictive permissions
+  fs.writeFileSync(SECRET_FILE, secret, { mode: 0o600 })
+  cachedSecret = secret
+  return cachedSecret
+}
+
+// ============================================================================
+// Encryption / Decryption
+// ============================================================================
+
+/**
+ * Encrypt data using AES-256-GCM.
+ * Returns base64url-encoded string: IV + ciphertext + authTag
+ */
+export function encrypt(data: string): string {
+  const secret = getServerSecret()
+  const iv = crypto.randomBytes(IV_LENGTH)
+
+  const cipher = crypto.createCipheriv(ALGORITHM, secret, iv)
+  const encrypted = Buffer.concat([
+    cipher.update(data, 'utf8'),
+    cipher.final()
+  ])
+  const authTag = cipher.getAuthTag()
+
+  // Combine: IV (12) + encrypted + authTag (16)
+  const combined = Buffer.concat([iv, encrypted, authTag])
+  return combined.toString('base64url')
+}
+
+/**
+ * Decrypt data encrypted with encrypt().
+ * Throws on invalid/tampered data.
+ */
+export function decrypt(encryptedData: string): string {
+  const secret = getServerSecret()
+  const combined = Buffer.from(encryptedData, 'base64url')
+
+  if (combined.length < IV_LENGTH + TAG_LENGTH) {
+    throw new Error('Invalid encrypted data: too short')
+  }
+
+  const iv = combined.subarray(0, IV_LENGTH)
+  const authTag = combined.subarray(combined.length - TAG_LENGTH)
+  const encrypted = combined.subarray(IV_LENGTH, combined.length - TAG_LENGTH)
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, secret, iv)
+  decipher.setAuthTag(authTag)
+
+  try {
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final()
+    ])
+    return decrypted.toString('utf8')
+  } catch {
+    throw new Error('Decryption failed: invalid or tampered data')
+  }
+}
+
+// ============================================================================
+// JWT-like Token Operations
+// ============================================================================
+
+export interface SubBridgeTokenPayload {
+  iss: 'sub-bridge'
+  sub: string // User identifier
+  aud: string // Client ID
+  exp: number // Expiration timestamp
+  iat: number // Issued at timestamp
+  providers: {
+    claude?: {
+      access_token: string
+      refresh_token?: string
+      expires_at?: number
+    }
+    chatgpt?: {
+      access_token: string
+      account_id: string
+    }
+  }
+}
+
+/**
+ * Create an encrypted access token containing upstream credentials.
+ * Format: sb1.<encrypted_payload>
+ *
+ * The "sb1" prefix identifies this as a Sub Bridge v1 token.
+ */
+export function createAccessToken(payload: SubBridgeTokenPayload): string {
+  const json = JSON.stringify(payload)
+  const encrypted = encrypt(json)
+  return `sb1.${encrypted}`
+}
+
+/**
+ * Decode and validate an access token.
+ * Returns null if token is invalid or expired.
+ */
+export function decodeAccessToken(token: string): SubBridgeTokenPayload | null {
+  if (!token.startsWith('sb1.')) {
+    return null
+  }
+
+  try {
+    const encrypted = token.slice(4) // Remove "sb1." prefix
+    const json = decrypt(encrypted)
+    const payload = JSON.parse(json) as SubBridgeTokenPayload
+
+    // Validate required fields
+    if (payload.iss !== 'sub-bridge') return null
+    if (!payload.sub || !payload.aud) return null
+    if (!payload.exp || !payload.iat) return null
+
+    // Check expiration
+    if (Date.now() > payload.exp * 1000) return null
+
+    return payload
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Generate a random authorization code.
+ */
+export function generateAuthCode(): string {
+  return crypto.randomBytes(32).toString('base64url')
+}
+
+/**
+ * Generate a random client ID for DCR.
+ */
+export function generateClientId(): string {
+  return `sb_${crypto.randomBytes(16).toString('hex')}`
+}
+
+/**
+ * Generate a random client secret for DCR.
+ */
+export function generateClientSecret(): string {
+  return crypto.randomBytes(32).toString('base64url')
+}

package/src/oauth/dcr.ts

@@ -0,0 +1,129 @@
+/**
+ * Dynamic Client Registration (RFC 7591)
+ *
+ * Allows MCP clients to register themselves without manual setup.
+ * Client registrations are stored in-memory (local-only deployment).
+ */
+import { generateClientId, generateClientSecret } from './crypto'
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface ClientRegistration {
+  client_id: string
+  client_secret?: string
+  client_name?: string
+  redirect_uris: string[]
+  grant_types: string[]
+  response_types: string[]
+  token_endpoint_auth_method: string
+  created_at: number
+}
+
+export interface RegistrationRequest {
+  client_name?: string
+  redirect_uris?: string[]
+  grant_types?: string[]
+  response_types?: string[]
+  token_endpoint_auth_method?: string
+}
+
+export interface RegistrationResponse {
+  client_id: string
+  client_secret?: string
+  client_name?: string
+  redirect_uris: string[]
+  grant_types: string[]
+  response_types: string[]
+  token_endpoint_auth_method: string
+  client_id_issued_at: number
+}
+
+// ============================================================================
+// Client Storage (In-Memory)
+// ============================================================================
+
+const clients = new Map<string, ClientRegistration>()
+
+/**
+ * Register a new OAuth client.
+ */
+export function registerClient(request: RegistrationRequest): RegistrationResponse {
+  const clientId = generateClientId()
+  const clientSecret = request.token_endpoint_auth_method === 'none'
+    ? undefined
+    : generateClientSecret()
+
+  const now = Math.floor(Date.now() / 1000)
+
+  const registration: ClientRegistration = {
+    client_id: clientId,
+    client_secret: clientSecret,
+    client_name: request.client_name,
+    redirect_uris: request.redirect_uris || [],
+    grant_types: request.grant_types || ['authorization_code'],
+    response_types: request.response_types || ['code'],
+    token_endpoint_auth_method: request.token_endpoint_auth_method || 'client_secret_post',
+    created_at: now,
+  }
+
+  clients.set(clientId, registration)
+
+  return {
+    client_id: clientId,
+    client_secret: clientSecret,
+    client_name: registration.client_name,
+    redirect_uris: registration.redirect_uris,
+    grant_types: registration.grant_types,
+    response_types: registration.response_types,
+    token_endpoint_auth_method: registration.token_endpoint_auth_method,
+    client_id_issued_at: now,
+  }
+}
+
+/**
+ * Get a registered client by ID.
+ */
+export function getClient(clientId: string): ClientRegistration | undefined {
+  return clients.get(clientId)
+}
+
+/**
+ * Validate client credentials for token endpoint.
+ */
+export function validateClient(
+  clientId: string,
+  clientSecret?: string
+): ClientRegistration | null {
+  const client = clients.get(clientId)
+  if (!client) return null
+
+  // For public clients (no secret required)
+  if (client.token_endpoint_auth_method === 'none') {
+    return client
+  }
+
+  // For confidential clients, verify secret
+  if (client.client_secret && client.client_secret === clientSecret) {
+    return client
+  }
+
+  return null
+}
+
+/**
+ * Validate redirect URI against registered URIs.
+ */
+export function validateRedirectUri(
+  clientId: string,
+  redirectUri: string
+): boolean {
+  const client = clients.get(clientId)
+  if (!client) return false
+
+  // If no redirect URIs registered, allow any (for development)
+  if (client.redirect_uris.length === 0) return true
+
+  return client.redirect_uris.includes(redirectUri)
+}

package/src/oauth/metadata.ts

@@ -0,0 +1,40 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ *
+ * Provides the /.well-known/oauth-authorization-server endpoint
+ * that MCP clients use to discover OAuth endpoints.
+ */
+
+export interface OAuthMetadata {
+  issuer: string
+  authorization_endpoint: string
+  token_endpoint: string
+  registration_endpoint?: string
+  scopes_supported: string[]
+  response_types_supported: string[]
+  grant_types_supported: string[]
+  token_endpoint_auth_methods_supported: string[]
+  code_challenge_methods_supported: string[]
+  service_documentation?: string
+}
+
+/**
+ * Generate OAuth metadata for the given issuer URL.
+ */
+export function getOAuthMetadata(issuerUrl: string): OAuthMetadata {
+  // Ensure no trailing slash
+  const baseUrl = issuerUrl.replace(/\/$/, '')
+
+  return {
+    issuer: baseUrl,
+    authorization_endpoint: `${baseUrl}/oauth/authorize`,
+    token_endpoint: `${baseUrl}/oauth/token`,
+    registration_endpoint: `${baseUrl}/oauth/register`,
+    scopes_supported: ['openid', 'profile', 'offline_access'],
+    response_types_supported: ['code'],
+    grant_types_supported: ['authorization_code', 'refresh_token'],
+    token_endpoint_auth_methods_supported: ['client_secret_post', 'none'],
+    code_challenge_methods_supported: ['S256', 'plain'],
+    service_documentation: 'https://github.com/anthropics/sub-bridge',
+  }
+}