fastmcp 2.14.4__py3-none-any.whl → 3.0.0b1__py3-none-any.whl

fastmcp/server/auth/oauth_proxy/ui.py

@@ -0,0 +1,277 @@
+"""OAuth Proxy UI Generation Functions.
+
+This module contains HTML generation functions for consent and error pages.
+"""
+
+from __future__ import annotations
+
+from urllib.parse import urlparse
+
+from fastmcp.utilities.ui import (
+    BUTTON_STYLES,
+    DETAIL_BOX_STYLES,
+    DETAILS_STYLES,
+    INFO_BOX_STYLES,
+    REDIRECT_SECTION_STYLES,
+    TOOLTIP_STYLES,
+    create_logo,
+    create_page,
+)
+
+
+def create_consent_html(
+    client_id: str,
+    redirect_uri: str,
+    scopes: list[str],
+    txn_id: str,
+    csrf_token: str,
+    client_name: str | None = None,
+    title: str = "Application Access Request",
+    server_name: str | None = None,
+    server_icon_url: str | None = None,
+    server_website_url: str | None = None,
+    client_website_url: str | None = None,
+    csp_policy: str | None = None,
+) -> str:
+    """Create a styled HTML consent page for OAuth authorization requests.
+
+    Args:
+        csp_policy: Content Security Policy override.
+            If None, uses the built-in CSP policy with appropriate directives.
+            If empty string "", disables CSP entirely (no meta tag is rendered).
+            If a non-empty string, uses that as the CSP policy value.
+    """
+    import html as html_module
+
+    client_display = html_module.escape(client_name or client_id)
+    server_name_escaped = html_module.escape(server_name or "FastMCP")
+
+    # Make server name a hyperlink if website URL is available
+    if server_website_url:
+        website_url_escaped = html_module.escape(server_website_url)
+        server_display = f'<a href="{website_url_escaped}" target="_blank" rel="noopener noreferrer" class="server-name-link">{server_name_escaped}</a>'
+    else:
+        server_display = server_name_escaped
+
+    # Build intro box with call-to-action
+    intro_box = f"""
+        <div class="info-box">
+            <p>The application <strong>{client_display}</strong> wants to access the MCP server <strong>{server_display}</strong>. Please ensure you recognize the callback address below.</p>
+        </div>
+    """
+
+    # Build redirect URI section (yellow box, centered)
+    redirect_uri_escaped = html_module.escape(redirect_uri)
+    redirect_section = f"""
+        <div class="redirect-section">
+            <span class="label">Credentials will be sent to:</span>
+            <div class="value">{redirect_uri_escaped}</div>
+        </div>
+    """
+
+    # Build advanced details with collapsible section
+    detail_rows = [
+        ("Application Name", html_module.escape(client_name or client_id)),
+        ("Application Website", html_module.escape(client_website_url or "N/A")),
+        ("Application ID", client_id),
+        ("Redirect URI", redirect_uri_escaped),
+        (
+            "Requested Scopes",
+            ", ".join(html_module.escape(s) for s in scopes) if scopes else "None",
+        ),
+    ]
+
+    detail_rows_html = "\n".join(
+        [
+            f"""
+        <div class="detail-row">
+            <div class="detail-label">{label}:</div>
+            <div class="detail-value">{value}</div>
+        </div>
+        """
+            for label, value in detail_rows
+        ]
+    )
+
+    advanced_details = f"""
+        <details>
+            <summary>Advanced Details</summary>
+            <div class="detail-box">
+                {detail_rows_html}
+            </div>
+        </details>
+    """
+
+    # Build form with buttons
+    # Use empty action to submit to current URL (/consent or /mcp/consent)
+    # The POST handler is registered at the same path as GET
+    form = f"""
+        <form id="consentForm" method="POST" action="">
+            <input type="hidden" name="txn_id" value="{txn_id}" />
+            <input type="hidden" name="csrf_token" value="{csrf_token}" />
+            <input type="hidden" name="submit" value="true" />
+            <div class="button-group">
+                <button type="submit" name="action" value="approve" class="btn-approve">Allow Access</button>
+                <button type="submit" name="action" value="deny" class="btn-deny">Deny</button>
+            </div>
+        </form>
+    """
+
+    # Build help link with tooltip (identical to current implementation)
+    help_link = """
+        <div class="help-link-container">
+            <span class="help-link">
+                Why am I seeing this?
+                <span class="tooltip">
+                    This FastMCP server requires your consent to allow a new client
+                    to connect. This protects you from <a
+                    href="https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices#confused-deputy-problem"
+                    target="_blank" class="tooltip-link">confused deputy
+                    attacks</a>, where malicious clients could impersonate you
+                    and steal access.<br><br>
+                    <a
+                    href="https://gofastmcp.com/servers/auth/oauth-proxy#confused-deputy-attacks"
+                    target="_blank" class="tooltip-link">Learn more about
+                    FastMCP security →</a>
+                </span>
+            </span>
+        </div>
+    """
+
+    # Build the page content
+    content = f"""
+        <div class="container">
+            {create_logo(icon_url=server_icon_url, alt_text=server_name or "FastMCP")}
+            <h1>Application Access Request</h1>
+            {intro_box}
+            {redirect_section}
+            {advanced_details}
+            {form}
+        </div>
+        {help_link}
+    """
+
+    # Additional styles needed for this page
+    additional_styles = (
+        INFO_BOX_STYLES
+        + REDIRECT_SECTION_STYLES
+        + DETAILS_STYLES
+        + DETAIL_BOX_STYLES
+        + BUTTON_STYLES
+        + TOOLTIP_STYLES
+    )
+
+    # Determine CSP policy to use
+    # If csp_policy is None, build the default CSP policy
+    # If csp_policy is empty string, CSP will be disabled entirely in create_page
+    # If csp_policy is a non-empty string, use it as-is
+    if csp_policy is None:
+        # Need to allow form-action for form submission
+        # Chrome requires explicit scheme declarations in CSP form-action when redirect chains
+        # end in custom protocol schemes (e.g., cursor://). Parse redirect_uri to include its scheme.
+        parsed_redirect = urlparse(redirect_uri)
+        redirect_scheme = parsed_redirect.scheme.lower()
+
+        # Build form-action directive with standard schemes plus custom protocol if present
+        form_action_schemes = ["https:", "http:"]
+        if redirect_scheme and redirect_scheme not in ("http", "https"):
+            # Custom protocol scheme (e.g., cursor:, vscode:, etc.)
+            form_action_schemes.append(f"{redirect_scheme}:")
+
+        form_action_directive = " ".join(form_action_schemes)
+        csp_policy = f"default-src 'none'; style-src 'unsafe-inline'; img-src https: data:; base-uri 'none'; form-action {form_action_directive}"
+
+    return create_page(
+        content=content,
+        title=title,
+        additional_styles=additional_styles,
+        csp_policy=csp_policy,
+    )
+
+
+def create_error_html(
+    error_title: str,
+    error_message: str,
+    error_details: dict[str, str] | None = None,
+    server_name: str | None = None,
+    server_icon_url: str | None = None,
+) -> str:
+    """Create a styled HTML error page for OAuth errors.
+
+    Args:
+        error_title: The error title (e.g., "OAuth Error", "Authorization Failed")
+        error_message: The main error message to display
+        error_details: Optional dictionary of error details to show (e.g., `{"Error Code": "invalid_client"}`)
+        server_name: Optional server name to display
+        server_icon_url: Optional URL to server icon/logo
+
+    Returns:
+        Complete HTML page as a string
+    """
+    import html as html_module
+
+    error_message_escaped = html_module.escape(error_message)
+
+    # Build error message box
+    error_box = f"""
+        <div class="info-box error">
+            <p>{error_message_escaped}</p>
+        </div>
+    """
+
+    # Build error details section if provided
+    details_section = ""
+    if error_details:
+        detail_rows_html = "\n".join(
+            [
+                f"""
+            <div class="detail-row">
+                <div class="detail-label">{html_module.escape(label)}:</div>
+                <div class="detail-value">{html_module.escape(value)}</div>
+            </div>
+            """
+                for label, value in error_details.items()
+            ]
+        )
+
+        details_section = f"""
+            <details>
+                <summary>Error Details</summary>
+                <div class="detail-box">
+                    {detail_rows_html}
+                </div>
+            </details>
+        """
+
+    # Build the page content
+    content = f"""
+        <div class="container">
+            {create_logo(icon_url=server_icon_url, alt_text=server_name or "FastMCP")}
+            <h1>{html_module.escape(error_title)}</h1>
+            {error_box}
+            {details_section}
+        </div>
+    """
+
+    # Additional styles needed for this page
+    # Override .info-box.error to use normal text color instead of red
+    additional_styles = (
+        INFO_BOX_STYLES
+        + DETAILS_STYLES
+        + DETAIL_BOX_STYLES
+        + """
+        .info-box.error {
+            color: #111827;
+        }
+        """
+    )
+
+    # Simple CSP policy for error pages (no forms needed)
+    csp_policy = "default-src 'none'; style-src 'unsafe-inline'; img-src https: data:; base-uri 'none'"
+
+    return create_page(
+        content=content,
+        title=error_title,
+        additional_styles=additional_styles,
+        csp_policy=csp_policy,
+    )

fastmcp/server/auth/oidc_proxy.py

@@ -249,8 +249,8 @@ class OIDCProxy(OAuthProxy):
             redirect_path: Redirect path configured in upstream OAuth app (defaults to "/auth/callback")
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 Patterns support wildcards (e.g., "http://localhost:*", "https://*.example.com/*").
-                If None (default), only localhost redirect URIs are allowed.
-                If empty list, all redirect URIs are allowed (not recommended for production).
+                If None (default), all redirect URIs are allowed (for DCR compatibility).
+                If empty list, no redirect URIs are allowed.
                 These are for MCP clients performing loopback redirects, NOT for the upstream OAuth app.
             client_storage: Storage backend for OAuth state (client registrations, encrypted tokens).
                 If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The

fastmcp/server/auth/providers/auth0.py

@@ -22,44 +22,15 @@ Example:
 """
 
 from key_value.aio.protocols import AsyncKeyValue
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 
 from fastmcp.server.auth.oidc_proxy import OIDCProxy
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class Auth0ProviderSettings(BaseSettings):
-    """Settings for Auth0 OIDC provider."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_AUTH0_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    config_url: AnyHttpUrl | None = None
-    client_id: str | None = None
-    client_secret: SecretStr | None = None
-    audience: str | None = None
-    base_url: AnyHttpUrl | None = None
-    issuer_url: AnyHttpUrl | None = None
-    redirect_path: str | None = None
-    required_scopes: list[str] | None = None
-    allowed_client_redirect_uris: list[str] | None = None
-    jwt_signing_key: str | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class Auth0Provider(OIDCProxy):
     """An Auth0 provider implementation for FastMCP.
 
@@ -87,17 +58,17 @@ class Auth0Provider(OIDCProxy):
     def __init__(
         self,
         *,
-        config_url: AnyHttpUrl | str | NotSetT = NotSet,
-        client_id: str | NotSetT = NotSet,
-        client_secret: str | NotSetT = NotSet,
-        audience: str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT = NotSet,
-        redirect_path: str | NotSetT = NotSet,
-        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        config_url: AnyHttpUrl | str,
+        client_id: str,
+        client_secret: str,
+        audience: str,
+        base_url: AnyHttpUrl | str,
+        issuer_url: AnyHttpUrl | str | None = None,
+        required_scopes: list[str] | None = None,
+        redirect_path: str | None = None,
+        allowed_client_redirect_uris: list[str] | None = None,
         client_storage: AsyncKeyValue | None = None,
-        jwt_signing_key: str | bytes | NotSetT = NotSet,
+        jwt_signing_key: str | bytes | None = None,
         require_authorization_consent: bool = True,
     ) -> None:
         """Initialize Auth0 OAuth provider.
@@ -125,69 +96,28 @@ class Auth0Provider(OIDCProxy):
                 When False, authorization proceeds directly without user confirmation.
                 SECURITY WARNING: Only disable for local development or testing environments.
         """
-        settings = Auth0ProviderSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "config_url": config_url,
-                    "client_id": client_id,
-                    "client_secret": client_secret,
-                    "audience": audience,
-                    "base_url": base_url,
-                    "issuer_url": issuer_url,
-                    "required_scopes": required_scopes,
-                    "redirect_path": redirect_path,
-                    "allowed_client_redirect_uris": allowed_client_redirect_uris,
-                    "jwt_signing_key": jwt_signing_key,
-                }.items()
-                if v is not NotSet
-            }
+        # Parse scopes if provided as string
+        auth0_required_scopes = (
+            parse_scopes(required_scopes) if required_scopes is not None else ["openid"]
         )
 
-        if not settings.config_url:
-            raise ValueError(
-                "config_url is required - set via parameter or FASTMCP_SERVER_AUTH_AUTH0_CONFIG_URL"
-            )
-
-        if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_AUTH0_CLIENT_ID"
-            )
-
-        if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_AUTH0_CLIENT_SECRET"
-            )
-
-        if not settings.audience:
-            raise ValueError(
-                "audience is required - set via parameter or FASTMCP_SERVER_AUTH_AUTH0_AUDIENCE"
-            )
-
-        if not settings.base_url:
-            raise ValueError(
-                "base_url is required - set via parameter or FASTMCP_SERVER_AUTH_AUTH0_BASE_URL"
-            )
-
-        auth0_required_scopes = settings.required_scopes or ["openid"]
-
         super().__init__(
-            config_url=settings.config_url,
-            client_id=settings.client_id,
-            client_secret=settings.client_secret.get_secret_value(),
-            audience=settings.audience,
-            base_url=settings.base_url,
-            issuer_url=settings.issuer_url,
-            redirect_path=settings.redirect_path,
+            config_url=config_url,
+            client_id=client_id,
+            client_secret=client_secret,
+            audience=audience,
+            base_url=base_url,
+            issuer_url=issuer_url,
+            redirect_path=redirect_path,
             required_scopes=auth0_required_scopes,
-            allowed_client_redirect_uris=settings.allowed_client_redirect_uris,
+            allowed_client_redirect_uris=allowed_client_redirect_uris,
             client_storage=client_storage,
-            jwt_signing_key=settings.jwt_signing_key,
+            jwt_signing_key=jwt_signing_key,
             require_authorization_consent=require_authorization_consent,
         )
 
         logger.debug(
             "Initialized Auth0 OAuth provider for client %s with scopes: %s",
-            settings.client_id,
+            client_id,
             auth0_required_scopes,
         )

fastmcp/server/auth/providers/aws.py

@@ -24,47 +24,18 @@ Example:
 from __future__ import annotations
 
 from key_value.aio.protocols import AsyncKeyValue
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 
 from fastmcp.server.auth import TokenVerifier
 from fastmcp.server.auth.auth import AccessToken
 from fastmcp.server.auth.oidc_proxy import OIDCProxy
 from fastmcp.server.auth.providers.jwt import JWTVerifier
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class AWSCognitoProviderSettings(BaseSettings):
-    """Settings for AWS Cognito OAuth provider."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_AWS_COGNITO_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    user_pool_id: str | None = None
-    aws_region: str | None = None
-    client_id: str | None = None
-    client_secret: SecretStr | None = None
-    base_url: AnyHttpUrl | str | None = None
-    issuer_url: AnyHttpUrl | str | None = None
-    redirect_path: str | None = None
-    required_scopes: list[str] | None = None
-    allowed_client_redirect_uris: list[str] | None = None
-    jwt_signing_key: str | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class AWSCognitoTokenVerifier(JWTVerifier):
     """Token verifier that filters claims to Cognito-specific subset."""
 
@@ -126,27 +97,27 @@ class AWSCognitoProvider(OIDCProxy):
     def __init__(
         self,
         *,
-        user_pool_id: str | NotSetT = NotSet,
-        aws_region: str | NotSetT = NotSet,
-        client_id: str | NotSetT = NotSet,
-        client_secret: str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
-        redirect_path: str | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT = NotSet,
-        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        user_pool_id: str,
+        client_id: str,
+        client_secret: str,
+        base_url: AnyHttpUrl | str,
+        aws_region: str = "eu-central-1",
+        issuer_url: AnyHttpUrl | str | None = None,
+        redirect_path: str = "/auth/callback",
+        required_scopes: list[str] | None = None,
+        allowed_client_redirect_uris: list[str] | None = None,
         client_storage: AsyncKeyValue | None = None,
-        jwt_signing_key: str | bytes | NotSetT = NotSet,
+        jwt_signing_key: str | bytes | None = None,
         require_authorization_consent: bool = True,
     ):
         """Initialize AWS Cognito OAuth provider.
 
         Args:
             user_pool_id: Your Cognito User Pool ID (e.g., "eu-central-1_XXXXXXXXX")
-            aws_region: AWS region where your User Pool is located (defaults to "eu-central-1")
             client_id: Cognito app client ID
             client_secret: Cognito app client secret
             base_url: Public URL where OAuth endpoints will be accessible (includes any mount path)
+            aws_region: AWS region where your User Pool is located (defaults to "eu-central-1")
             issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL
                 to avoid 404s during discovery when mounting under a path.
             redirect_path: Redirect path configured in Cognito app (defaults to "/auth/callback")
@@ -164,77 +135,37 @@ class AWSCognitoProvider(OIDCProxy):
                 When False, authorization proceeds directly without user confirmation.
                 SECURITY WARNING: Only disable for local development or testing environments.
         """
-
-        settings = AWSCognitoProviderSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "user_pool_id": user_pool_id,
-                    "aws_region": aws_region,
-                    "client_id": client_id,
-                    "client_secret": client_secret,
-                    "base_url": base_url,
-                    "issuer_url": issuer_url,
-                    "redirect_path": redirect_path,
-                    "required_scopes": required_scopes,
-                    "allowed_client_redirect_uris": allowed_client_redirect_uris,
-                    "jwt_signing_key": jwt_signing_key,
-                }.items()
-                if v is not NotSet
-            }
+        # Parse scopes if provided as string
+        required_scopes_final = (
+            parse_scopes(required_scopes) if required_scopes is not None else ["openid"]
         )
 
-        # Validate required settings
-        if not settings.user_pool_id:
-            raise ValueError(
-                "user_pool_id is required - set via parameter or FASTMCP_SERVER_AUTH_AWS_COGNITO_USER_POOL_ID"
-            )
-        if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_AWS_COGNITO_CLIENT_ID"
-            )
-        if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_AWS_COGNITO_CLIENT_SECRET"
-            )
-
-        # Apply defaults
-        required_scopes_final = settings.required_scopes or ["openid"]
-        allowed_client_redirect_uris_final = settings.allowed_client_redirect_uris
-        aws_region_final = settings.aws_region or "eu-central-1"
-        redirect_path_final = settings.redirect_path or "/auth/callback"
-
         # Construct OIDC discovery URL
-        config_url = f"https://cognito-idp.{aws_region_final}.amazonaws.com/{settings.user_pool_id}/.well-known/openid-configuration"
-
-        # Extract secret string from SecretStr
-        client_secret_str = (
-            settings.client_secret.get_secret_value() if settings.client_secret else ""
-        )
+        config_url = f"https://cognito-idp.{aws_region}.amazonaws.com/{user_pool_id}/.well-known/openid-configuration"
 
         # Store Cognito-specific info for claim filtering
-        self.user_pool_id = settings.user_pool_id
-        self.aws_region = aws_region_final
+        self.user_pool_id = user_pool_id
+        self.aws_region = aws_region
 
         # Initialize OIDC proxy with Cognito discovery
         super().__init__(
             config_url=config_url,
-            client_id=settings.client_id,
-            client_secret=client_secret_str,
+            client_id=client_id,
+            client_secret=client_secret,
             algorithm="RS256",
             required_scopes=required_scopes_final,
-            base_url=settings.base_url,
-            issuer_url=settings.issuer_url,
-            redirect_path=redirect_path_final,
-            allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            base_url=base_url,
+            issuer_url=issuer_url,
+            redirect_path=redirect_path,
+            allowed_client_redirect_uris=allowed_client_redirect_uris,
             client_storage=client_storage,
-            jwt_signing_key=settings.jwt_signing_key,
+            jwt_signing_key=jwt_signing_key,
             require_authorization_consent=require_authorization_consent,
         )
 
         logger.debug(
             "Initialized AWS Cognito OAuth provider for client %s with scopes: %s",
-            settings.client_id,
+            client_id,
             required_scopes_final,
         )