feat(15-02): update MCP OAuth and MCP middleware for OIDC
- Replace verifyPassword with getAuth in OAuth authorize routes - Replace login form with consent-only form (no credential fields) - Remove getUserCount bypass from MCP auth middleware - GET/POST /authorize redirect to /login if no OIDC session
This commit is contained in:
@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
|
||||
import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
|
||||
import { Hono } from "hono";
|
||||
import { db as prodDb } from "../../db/index.ts";
|
||||
import { getUserCount, verifyApiKey } from "../services/auth.service.ts";
|
||||
import { verifyApiKey } from "../services/auth.service.ts";
|
||||
import { verifyAccessToken } from "../services/oauth.service.ts";
|
||||
import { getCollectionSummary } from "./resources/collection.ts";
|
||||
import {
|
||||
@@ -90,11 +90,6 @@ export const mcpRoutes = new Hono();
|
||||
mcpRoutes.use("/*", async (c, next) => {
|
||||
const db = c.get("db") ?? prodDb;
|
||||
|
||||
// Skip auth if no users exist
|
||||
if (getUserCount(db) <= 0) {
|
||||
return next();
|
||||
}
|
||||
|
||||
// Try Bearer token first (OAuth)
|
||||
const authHeader = c.req.header("Authorization");
|
||||
if (authHeader?.startsWith("Bearer ")) {
|
||||
@@ -105,7 +100,7 @@ mcpRoutes.use("/*", async (c, next) => {
|
||||
return c.json({ error: "invalid_token" }, 401);
|
||||
}
|
||||
|
||||
// Try API key (existing flow)
|
||||
// Try API key
|
||||
const apiKey = c.req.header("X-API-Key");
|
||||
if (apiKey) {
|
||||
const valid = await verifyApiKey(db, apiKey);
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { getAuth } from "@hono/oidc-auth";
|
||||
import { Hono } from "hono";
|
||||
import { db as prodDb } from "../../db/index.ts";
|
||||
import { verifyPassword } from "../services/auth.service.ts";
|
||||
import {
|
||||
cleanExpiredOAuthData,
|
||||
createAuthorizationCode,
|
||||
@@ -27,19 +27,14 @@ function getBaseUrl(c: any): string {
|
||||
return new URL(c.req.url).origin;
|
||||
}
|
||||
|
||||
function renderLoginForm(params: {
|
||||
function renderConsentForm(params: {
|
||||
clientName: string;
|
||||
clientId: string;
|
||||
redirectUri: string;
|
||||
codeChallenge: string;
|
||||
codeChallengeMethod: string;
|
||||
state: string;
|
||||
error?: string;
|
||||
}): string {
|
||||
const errorHtml = params.error
|
||||
? `<div style="background:#fef2f2;border:1px solid #fca5a5;color:#dc2626;padding:12px;border-radius:8px;margin-bottom:16px;font-size:14px;">${escapeHtml(params.error)}</div>`
|
||||
: "";
|
||||
|
||||
return `<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
@@ -52,8 +47,6 @@ function renderLoginForm(params: {
|
||||
.card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; }
|
||||
h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; }
|
||||
.subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; }
|
||||
label { display: block; font-size: 14px; font-weight: 500; margin-bottom: 4px; color: #374151; }
|
||||
input[type="text"], input[type="password"] { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 16px; }
|
||||
button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
|
||||
button:hover { background: #1d4ed8; }
|
||||
</style>
|
||||
@@ -62,12 +55,7 @@ function renderLoginForm(params: {
|
||||
<div class="card">
|
||||
<h1>GearBox</h1>
|
||||
<p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p>
|
||||
${errorHtml}
|
||||
<form method="POST" action="/oauth/authorize">
|
||||
<label for="username">Username</label>
|
||||
<input type="text" id="username" name="username" required>
|
||||
<label for="password">Password</label>
|
||||
<input type="password" id="password" name="password" required>
|
||||
<input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
|
||||
<input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
|
||||
<input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
|
||||
@@ -141,10 +129,15 @@ oauthRoutes.post("/register", async (c) => {
|
||||
);
|
||||
});
|
||||
|
||||
// GET /authorize — Show HTML login form
|
||||
// GET /authorize — Show consent form (requires OIDC session)
|
||||
oauthRoutes.get("/authorize", async (c) => {
|
||||
const db = c.get("db") ?? prodDb;
|
||||
|
||||
const auth = await getAuth(c);
|
||||
if (!auth) {
|
||||
return c.redirect(`/login?redirect=${encodeURIComponent(c.req.url)}`);
|
||||
}
|
||||
|
||||
const responseType = c.req.query("response_type");
|
||||
const clientId = c.req.query("client_id");
|
||||
const redirectUri = c.req.query("redirect_uri");
|
||||
@@ -170,7 +163,7 @@ oauthRoutes.get("/authorize", async (c) => {
|
||||
}
|
||||
|
||||
return c.html(
|
||||
renderLoginForm({
|
||||
renderConsentForm({
|
||||
clientName: client.clientName,
|
||||
clientId,
|
||||
redirectUri,
|
||||
@@ -181,33 +174,32 @@ oauthRoutes.get("/authorize", async (c) => {
|
||||
);
|
||||
});
|
||||
|
||||
// POST /authorize — Process login form
|
||||
// POST /authorize — Process consent (requires OIDC session)
|
||||
oauthRoutes.post("/authorize", async (c) => {
|
||||
const db = c.get("db") ?? prodDb;
|
||||
const body = await c.req.parseBody();
|
||||
|
||||
const username = body.username as string;
|
||||
const password = body.password as string;
|
||||
// Check for OIDC session instead of username/password
|
||||
const auth = await getAuth(c);
|
||||
if (!auth) {
|
||||
const currentUrl = c.req.url;
|
||||
return c.redirect(`/login?redirect=${encodeURIComponent(currentUrl)}`);
|
||||
}
|
||||
|
||||
const body = await c.req.parseBody();
|
||||
const clientId = body.client_id as string;
|
||||
const redirectUri = body.redirect_uri as string;
|
||||
const codeChallenge = body.code_challenge as string;
|
||||
const codeChallengeMethod = body.code_challenge_method as string;
|
||||
const state = (body.state as string) ?? "";
|
||||
|
||||
const user = await verifyPassword(db, username, password);
|
||||
if (!user) {
|
||||
const client = getClient(db, clientId);
|
||||
return c.html(
|
||||
renderLoginForm({
|
||||
clientName: client?.clientName ?? "Unknown",
|
||||
clientId,
|
||||
redirectUri,
|
||||
codeChallenge,
|
||||
codeChallengeMethod,
|
||||
state,
|
||||
error: "Invalid username or password",
|
||||
}),
|
||||
);
|
||||
const client = getClient(db, clientId);
|
||||
if (!client) {
|
||||
return c.json({ error: "Unknown client_id" }, 400);
|
||||
}
|
||||
|
||||
const allowedUris: string[] = JSON.parse(client.redirectUris);
|
||||
if (!allowedUris.includes(redirectUri)) {
|
||||
return c.json({ error: "redirect_uri not allowed" }, 400);
|
||||
}
|
||||
|
||||
const { code } = createAuthorizationCode(
|
||||
|
||||
Reference in New Issue
Block a user