yt-transcript-strapi-plugin 0.0.26 → 0.0.27-oauth.0

package/dist/server/index.js

@@ -868,17 +868,17 @@ const config = {
     }
   }
 };
-const kind = "collectionType";
-const collectionName = "transcript";
-const info = {
+const kind$3 = "collectionType";
+const collectionName$3 = "transcript";
+const info$3 = {
   singularName: "transcript",
   pluralName: "transcripts",
   displayName: "Transcript"
 };
-const options = {
+const options$3 = {
   draftAndPublish: false
 };
-const pluginOptions = {
+const pluginOptions$3 = {
   "content-manager": {
     visible: true
   },
@@ -886,7 +886,7 @@ const pluginOptions = {
     visible: true
   }
 };
-const attributes = {
+const attributes$3 = {
   title: {
     type: "string"
   },
@@ -900,6 +900,174 @@ const attributes = {
     type: "json"
   }
 };
+const schema$3 = {
+  kind: kind$3,
+  collectionName: collectionName$3,
+  info: info$3,
+  options: options$3,
+  pluginOptions: pluginOptions$3,
+  attributes: attributes$3
+};
+const transcript = {
+  schema: schema$3
+};
+const kind$2 = "collectionType";
+const collectionName$2 = "oauth_clients";
+const info$2 = {
+  singularName: "oauth-client",
+  pluralName: "oauth-clients",
+  displayName: "OAuth Client",
+  description: "OAuth 2.0 clients for MCP authentication"
+};
+const options$2 = {
+  draftAndPublish: false
+};
+const pluginOptions$2 = {
+  "content-manager": {
+    visible: true
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes$2 = {
+  clientId: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  clientSecret: {
+    type: "string",
+    required: true,
+    "private": true
+  },
+  name: {
+    type: "string",
+    required: true
+  },
+  redirectUris: {
+    type: "json",
+    required: true
+  },
+  strapiApiToken: {
+    type: "string",
+    required: true,
+    "private": true
+  },
+  active: {
+    type: "boolean",
+    "default": true
+  }
+};
+const schema$2 = {
+  kind: kind$2,
+  collectionName: collectionName$2,
+  info: info$2,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
+};
+const oauthClient = {
+  schema: schema$2
+};
+const kind$1 = "collectionType";
+const collectionName$1 = "oauth_codes";
+const info$1 = {
+  singularName: "oauth-code",
+  pluralName: "oauth-codes",
+  displayName: "OAuth Code",
+  description: "OAuth 2.0 authorization codes (temporary)"
+};
+const options$1 = {
+  draftAndPublish: false
+};
+const pluginOptions$1 = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes$1 = {
+  code: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  clientId: {
+    type: "string",
+    required: true
+  },
+  redirectUri: {
+    type: "string",
+    required: true
+  },
+  expiresAt: {
+    type: "datetime",
+    required: true
+  },
+  used: {
+    type: "boolean",
+    "default": false
+  }
+};
+const schema$1 = {
+  kind: kind$1,
+  collectionName: collectionName$1,
+  info: info$1,
+  options: options$1,
+  pluginOptions: pluginOptions$1,
+  attributes: attributes$1
+};
+const oauthCode = {
+  schema: schema$1
+};
+const kind = "collectionType";
+const collectionName = "oauth_tokens";
+const info = {
+  singularName: "oauth-token",
+  pluralName: "oauth-tokens",
+  displayName: "OAuth Token",
+  description: "OAuth 2.0 access tokens"
+};
+const options = {
+  draftAndPublish: false
+};
+const pluginOptions = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes = {
+  accessToken: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  refreshToken: {
+    type: "string",
+    unique: true
+  },
+  clientId: {
+    type: "string",
+    required: true
+  },
+  expiresAt: {
+    type: "datetime",
+    required: true
+  },
+  refreshExpiresAt: {
+    type: "datetime"
+  },
+  revoked: {
+    type: "boolean",
+    "default": false
+  }
+};
 const schema = {
   kind,
   collectionName,
@@ -908,11 +1076,14 @@ const schema = {
   pluginOptions,
   attributes
 };
-const transcript = {
+const oauthToken = {
   schema
 };
 const contentTypes = {
-  transcript
+  transcript,
+  "oauth-client": oauthClient,
+  "oauth-code": oauthCode,
+  "oauth-token": oauthToken
 };
 const controller = ({ strapi }) => ({
   async getTranscript(ctx) {
@@ -935,9 +1106,29 @@ const controller = ({ strapi }) => ({
     ctx.body = { data: transcript2 };
   }
 });
+function extractBearerToken(authHeader) {
+  if (!authHeader?.startsWith("Bearer ")) {
+    return null;
+  }
+  return authHeader.slice(7);
+}
+async function authenticateRequest(ctx, plugin) {
+  const authHeader = ctx.request.headers.authorization;
+  const token = extractBearerToken(authHeader);
+  if (!token) {
+    return { authenticated: false, error: "No authorization token provided" };
+  }
+  const oauthService2 = plugin.service("oauth");
+  const oauthResult = await oauthService2.validateAccessToken(token);
+  if (oauthResult.valid) {
+    return { authenticated: true, strapiToken: oauthResult.strapiApiToken };
+  }
+  return { authenticated: true, strapiToken: token };
+}
 const mcpController = ({ strapi }) => ({
   /**
    * Handle MCP requests (POST, GET, DELETE)
+   * Supports dual authentication: OAuth tokens and Strapi API tokens
    * Creates a new server+transport per session for proper isolation
    */
   async handle(ctx) {
@@ -950,6 +1141,15 @@ const mcpController = ({ strapi }) => ({
       };
       return;
     }
+    const authResult = await authenticateRequest(ctx, plugin);
+    if (!authResult.authenticated) {
+      ctx.status = 401;
+      ctx.body = {
+        error: "Unauthorized",
+        message: authResult.error || "Authentication required"
+      };
+      return;
+    }
     try {
       const sessionId = ctx.request.headers["mcp-session-id"] || node_crypto.randomUUID();
       let session = plugin.sessions.get(sessionId);
@@ -959,7 +1159,7 @@ const mcpController = ({ strapi }) => ({
           sessionIdGenerator: () => sessionId
         });
         await server.connect(transport);
-        session = { server, transport, createdAt: Date.now() };
+        session = { server, transport, createdAt: Date.now(), strapiToken: authResult.strapiToken };
         plugin.sessions.set(sessionId, session);
         strapi.log.debug(`[yt-transcript-mcp] New session created: ${sessionId}`);
       }
@@ -981,9 +1181,213 @@ const mcpController = ({ strapi }) => ({
     }
   }
 });
+const PLUGIN_ID$1 = "plugin::yt-transcript-strapi-plugin";
+const oauthController = ({ strapi }) => ({
+  /**
+   * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+   * GET /.well-known/oauth-authorization-server
+   */
+  async discovery(ctx) {
+    const baseUrl = strapi.config.get("server.url") || `${ctx.protocol}://${ctx.host}`;
+    const pluginPath = "/api/yt-transcript-strapi-plugin";
+    ctx.body = {
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}${pluginPath}/oauth/authorize`,
+      token_endpoint: `${baseUrl}${pluginPath}/oauth/token`,
+      response_types_supported: ["code"],
+      grant_types_supported: ["authorization_code", "refresh_token"],
+      token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
+      code_challenge_methods_supported: ["S256"]
+    };
+  },
+  /**
+   * OAuth 2.0 Authorization Endpoint
+   * GET /oauth/authorize
+   */
+  async authorize(ctx) {
+    const { client_id, redirect_uri, response_type, state, scope } = ctx.query;
+    if (!client_id) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_request", error_description: "client_id is required" };
+      return;
+    }
+    if (!redirect_uri) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_request", error_description: "redirect_uri is required" };
+      return;
+    }
+    if (response_type !== "code") {
+      ctx.status = 400;
+      ctx.body = { error: "unsupported_response_type", error_description: "Only code response type is supported" };
+      return;
+    }
+    const client = await strapi.documents(`${PLUGIN_ID$1}.oauth-client`).findFirst({
+      filters: { clientId: client_id, active: true }
+    });
+    if (!client) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_client", error_description: "Unknown client_id" };
+      return;
+    }
+    const allowedRedirects = client.redirectUris;
+    if (!allowedRedirects.includes(redirect_uri)) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_request", error_description: "Invalid redirect_uri" };
+      return;
+    }
+    const code = node_crypto.randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + 10 * 60 * 1e3);
+    await strapi.documents(`${PLUGIN_ID$1}.oauth-code`).create({
+      data: {
+        code,
+        clientId: client_id,
+        redirectUri: redirect_uri,
+        expiresAt: expiresAt.toISOString(),
+        used: false
+      }
+    });
+    const redirectUrl = new URL(redirect_uri);
+    redirectUrl.searchParams.set("code", code);
+    if (state) {
+      redirectUrl.searchParams.set("state", state);
+    }
+    ctx.redirect(redirectUrl.toString());
+  },
+  /**
+   * OAuth 2.0 Token Endpoint
+   * POST /oauth/token
+   */
+  async token(ctx) {
+    const { grant_type, code, redirect_uri, client_id, client_secret, refresh_token } = ctx.request.body;
+    let authClientId = client_id;
+    let authClientSecret = client_secret;
+    const authHeader = ctx.request.headers.authorization;
+    if (authHeader && authHeader.startsWith("Basic ")) {
+      const credentials = Buffer.from(authHeader.slice(6), "base64").toString();
+      const [id, secret] = credentials.split(":");
+      authClientId = authClientId || id;
+      authClientSecret = authClientSecret || secret;
+    }
+    if (!authClientId || !authClientSecret) {
+      ctx.status = 401;
+      ctx.body = { error: "invalid_client", error_description: "Client authentication required" };
+      return;
+    }
+    const client = await strapi.documents(`${PLUGIN_ID$1}.oauth-client`).findFirst({
+      filters: { clientId: authClientId, active: true }
+    });
+    if (!client || client.clientSecret !== authClientSecret) {
+      ctx.status = 401;
+      ctx.body = { error: "invalid_client", error_description: "Invalid client credentials" };
+      return;
+    }
+    if (grant_type === "authorization_code") {
+      return await handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_uri);
+    } else if (grant_type === "refresh_token") {
+      return await handleRefreshTokenGrant(ctx, strapi, client, refresh_token);
+    } else {
+      ctx.status = 400;
+      ctx.body = { error: "unsupported_grant_type", error_description: "Unsupported grant type" };
+    }
+  }
+});
+async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_uri) {
+  if (!code) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_request", error_description: "code is required" };
+    return;
+  }
+  const authCode = await strapi.documents(`${PLUGIN_ID$1}.oauth-code`).findFirst({
+    filters: { code, clientId: client.clientId, used: false }
+  });
+  if (!authCode) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Invalid authorization code" };
+    return;
+  }
+  if (new Date(authCode.expiresAt) < /* @__PURE__ */ new Date()) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Authorization code expired" };
+    return;
+  }
+  if (authCode.redirectUri !== redirect_uri) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "redirect_uri mismatch" };
+    return;
+  }
+  await strapi.documents(`${PLUGIN_ID$1}.oauth-code`).update({
+    documentId: authCode.documentId,
+    data: { used: true }
+  });
+  const accessToken = node_crypto.randomBytes(32).toString("hex");
+  const refreshToken = node_crypto.randomBytes(32).toString("hex");
+  const expiresIn = 3600;
+  const refreshExpiresIn = 30 * 24 * 3600;
+  await strapi.documents(`${PLUGIN_ID$1}.oauth-token`).create({
+    data: {
+      accessToken,
+      refreshToken,
+      clientId: client.clientId,
+      expiresAt: new Date(Date.now() + expiresIn * 1e3).toISOString(),
+      refreshExpiresAt: new Date(Date.now() + refreshExpiresIn * 1e3).toISOString(),
+      revoked: false
+    }
+  });
+  ctx.body = {
+    access_token: accessToken,
+    token_type: "Bearer",
+    expires_in: expiresIn,
+    refresh_token: refreshToken
+  };
+}
+async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
+  if (!refreshToken) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_request", error_description: "refresh_token is required" };
+    return;
+  }
+  const token = await strapi.documents(`${PLUGIN_ID$1}.oauth-token`).findFirst({
+    filters: { refreshToken, clientId: client.clientId, revoked: false }
+  });
+  if (!token) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Invalid refresh token" };
+    return;
+  }
+  if (new Date(token.refreshExpiresAt) < /* @__PURE__ */ new Date()) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Refresh token expired" };
+    return;
+  }
+  await strapi.documents(`${PLUGIN_ID$1}.oauth-token`).update({
+    documentId: token.documentId,
+    data: { revoked: true }
+  });
+  const newAccessToken = node_crypto.randomBytes(32).toString("hex");
+  const newRefreshToken = node_crypto.randomBytes(32).toString("hex");
+  const expiresIn = 3600;
+  const refreshExpiresIn = 30 * 24 * 3600;
+  await strapi.documents(`${PLUGIN_ID$1}.oauth-token`).create({
+    data: {
+      accessToken: newAccessToken,
+      refreshToken: newRefreshToken,
+      clientId: client.clientId,
+      expiresAt: new Date(Date.now() + expiresIn * 1e3).toISOString(),
+      refreshExpiresAt: new Date(Date.now() + refreshExpiresIn * 1e3).toISOString(),
+      revoked: false
+    }
+  });
+  ctx.body = {
+    access_token: newAccessToken,
+    token_type: "Bearer",
+    expires_in: expiresIn,
+    refresh_token: newRefreshToken
+  };
+}
 const controllers = {
   controller,
-  mcp: mcpController
+  mcp: mcpController,
+  oauth: oauthController
 };
 const middlewares = {};
 const policies = {};
@@ -1033,10 +1437,42 @@ const admin = [
     }
   }
 ];
+const oauth = [
+  // OAuth 2.0 Authorization Server Metadata
+  {
+    method: "GET",
+    path: "/.well-known/oauth-authorization-server",
+    handler: "oauth.discovery",
+    config: {
+      auth: false,
+      policies: []
+    }
+  },
+  // OAuth 2.0 Authorization Endpoint
+  {
+    method: "GET",
+    path: "/oauth/authorize",
+    handler: "oauth.authorize",
+    config: {
+      auth: false,
+      policies: []
+    }
+  },
+  // OAuth 2.0 Token Endpoint
+  {
+    method: "POST",
+    path: "/oauth/token",
+    handler: "oauth.token",
+    config: {
+      auth: false,
+      policies: []
+    }
+  }
+];
 const routes = {
   "content-api": {
     type: "content-api",
-    routes: [...contentApi]
+    routes: [...oauth, ...contentApi]
   },
   admin: {
     type: "admin",
@@ -1217,8 +1653,81 @@ const service = ({ strapi }) => ({
     return transcriptData;
   }
 });
+const PLUGIN_ID = "plugin::yt-transcript-strapi-plugin";
+const oauthService = ({ strapi }) => ({
+  /**
+   * Validate an OAuth access token and return the associated Strapi API token
+   */
+  async validateAccessToken(accessToken) {
+    if (!accessToken) {
+      return { valid: false, error: "No access token provided" };
+    }
+    try {
+      const token = await strapi.documents(`${PLUGIN_ID}.oauth-token`).findFirst({
+        filters: { accessToken, revoked: false }
+      });
+      if (!token) {
+        return { valid: false, error: "Invalid access token" };
+      }
+      if (new Date(token.expiresAt) < /* @__PURE__ */ new Date()) {
+        return { valid: false, error: "Access token expired" };
+      }
+      const client = await strapi.documents(`${PLUGIN_ID}.oauth-client`).findFirst({
+        filters: { clientId: token.clientId, active: true }
+      });
+      if (!client) {
+        return { valid: false, error: "OAuth client not found or inactive" };
+      }
+      return {
+        valid: true,
+        clientId: token.clientId,
+        strapiApiToken: client.strapiApiToken
+      };
+    } catch (error) {
+      strapi.log.error("[oauth] Error validating access token:", error);
+      return { valid: false, error: "Token validation failed" };
+    }
+  },
+  /**
+   * Clean up expired codes and tokens (call periodically)
+   */
+  async cleanupExpiredTokens() {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const expiredCodes = await strapi.documents(`${PLUGIN_ID}.oauth-code`).findMany({
+      filters: {
+        $or: [
+          { expiresAt: { $lt: now } },
+          { used: true }
+        ]
+      }
+    });
+    for (const code of expiredCodes) {
+      await strapi.documents(`${PLUGIN_ID}.oauth-code`).delete({
+        documentId: code.documentId
+      });
+    }
+    const expiredTokens = await strapi.documents(`${PLUGIN_ID}.oauth-token`).findMany({
+      filters: {
+        $or: [
+          { refreshExpiresAt: { $lt: now } },
+          { revoked: true }
+        ]
+      }
+    });
+    for (const token of expiredTokens) {
+      await strapi.documents(`${PLUGIN_ID}.oauth-token`).delete({
+        documentId: token.documentId
+      });
+    }
+    return {
+      deletedCodes: expiredCodes.length,
+      deletedTokens: expiredTokens.length
+    };
+  }
+});
 const services = {
-  service
+  service,
+  oauth: oauthService
 };
 const index = {
   register,