feat(15-02): update MCP OAuth and MCP middleware for OIDC

- Replace verifyPassword with getAuth in OAuth authorize routes
- Replace login form with consent-only form (no credential fields)
- Remove getUserCount bypass from MCP auth middleware
- GET/POST /authorize redirect to /login if no OIDC session
This commit is contained in:
2026-04-04 20:46:23 +02:00
parent 1b6a65b4d5
commit c0e6db5aa6
2 changed files with 28 additions and 41 deletions

View File

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js"; import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
import { Hono } from "hono"; import { Hono } from "hono";
import { db as prodDb } from "../../db/index.ts"; import { db as prodDb } from "../../db/index.ts";
import { getUserCount, verifyApiKey } from "../services/auth.service.ts"; import { verifyApiKey } from "../services/auth.service.ts";
import { verifyAccessToken } from "../services/oauth.service.ts"; import { verifyAccessToken } from "../services/oauth.service.ts";
import { getCollectionSummary } from "./resources/collection.ts"; import { getCollectionSummary } from "./resources/collection.ts";
import { import {
@@ -90,11 +90,6 @@ export const mcpRoutes = new Hono();
mcpRoutes.use("/*", async (c, next) => { mcpRoutes.use("/*", async (c, next) => {
const db = c.get("db") ?? prodDb; const db = c.get("db") ?? prodDb;
// Skip auth if no users exist
if (getUserCount(db) <= 0) {
return next();
}
// Try Bearer token first (OAuth) // Try Bearer token first (OAuth)
const authHeader = c.req.header("Authorization"); const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) { if (authHeader?.startsWith("Bearer ")) {
@@ -105,7 +100,7 @@ mcpRoutes.use("/*", async (c, next) => {
return c.json({ error: "invalid_token" }, 401); return c.json({ error: "invalid_token" }, 401);
} }
// Try API key (existing flow) // Try API key
const apiKey = c.req.header("X-API-Key"); const apiKey = c.req.header("X-API-Key");
if (apiKey) { if (apiKey) {
const valid = await verifyApiKey(db, apiKey); const valid = await verifyApiKey(db, apiKey);

View File

@@ -1,6 +1,6 @@
import { getAuth } from "@hono/oidc-auth";
import { Hono } from "hono"; import { Hono } from "hono";
import { db as prodDb } from "../../db/index.ts"; import { db as prodDb } from "../../db/index.ts";
import { verifyPassword } from "../services/auth.service.ts";
import { import {
cleanExpiredOAuthData, cleanExpiredOAuthData,
createAuthorizationCode, createAuthorizationCode,
@@ -27,19 +27,14 @@ function getBaseUrl(c: any): string {
return new URL(c.req.url).origin; return new URL(c.req.url).origin;
} }
function renderLoginForm(params: { function renderConsentForm(params: {
clientName: string; clientName: string;
clientId: string; clientId: string;
redirectUri: string; redirectUri: string;
codeChallenge: string; codeChallenge: string;
codeChallengeMethod: string; codeChallengeMethod: string;
state: string; state: string;
error?: string;
}): string { }): string {
const errorHtml = params.error
? `<div style="background:#fef2f2;border:1px solid #fca5a5;color:#dc2626;padding:12px;border-radius:8px;margin-bottom:16px;font-size:14px;">${escapeHtml(params.error)}</div>`
: "";
return `<!DOCTYPE html> return `<!DOCTYPE html>
<html lang="en"> <html lang="en">
<head> <head>
@@ -52,8 +47,6 @@ function renderLoginForm(params: {
.card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; } .card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; }
h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; } h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; }
.subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; } .subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; }
label { display: block; font-size: 14px; font-weight: 500; margin-bottom: 4px; color: #374151; }
input[type="text"], input[type="password"] { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 16px; }
button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; } button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
button:hover { background: #1d4ed8; } button:hover { background: #1d4ed8; }
</style> </style>
@@ -62,12 +55,7 @@ function renderLoginForm(params: {
<div class="card"> <div class="card">
<h1>GearBox</h1> <h1>GearBox</h1>
<p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p> <p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p>
${errorHtml}
<form method="POST" action="/oauth/authorize"> <form method="POST" action="/oauth/authorize">
<label for="username">Username</label>
<input type="text" id="username" name="username" required>
<label for="password">Password</label>
<input type="password" id="password" name="password" required>
<input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}"> <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
<input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}"> <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
<input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}"> <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
@@ -141,10 +129,15 @@ oauthRoutes.post("/register", async (c) => {
); );
}); });
// GET /authorize — Show HTML login form // GET /authorize — Show consent form (requires OIDC session)
oauthRoutes.get("/authorize", async (c) => { oauthRoutes.get("/authorize", async (c) => {
const db = c.get("db") ?? prodDb; const db = c.get("db") ?? prodDb;
const auth = await getAuth(c);
if (!auth) {
return c.redirect(`/login?redirect=${encodeURIComponent(c.req.url)}`);
}
const responseType = c.req.query("response_type"); const responseType = c.req.query("response_type");
const clientId = c.req.query("client_id"); const clientId = c.req.query("client_id");
const redirectUri = c.req.query("redirect_uri"); const redirectUri = c.req.query("redirect_uri");
@@ -170,7 +163,7 @@ oauthRoutes.get("/authorize", async (c) => {
} }
return c.html( return c.html(
renderLoginForm({ renderConsentForm({
clientName: client.clientName, clientName: client.clientName,
clientId, clientId,
redirectUri, redirectUri,
@@ -181,33 +174,32 @@ oauthRoutes.get("/authorize", async (c) => {
); );
}); });
// POST /authorize — Process login form // POST /authorize — Process consent (requires OIDC session)
oauthRoutes.post("/authorize", async (c) => { oauthRoutes.post("/authorize", async (c) => {
const db = c.get("db") ?? prodDb; const db = c.get("db") ?? prodDb;
const body = await c.req.parseBody();
const username = body.username as string; // Check for OIDC session instead of username/password
const password = body.password as string; const auth = await getAuth(c);
if (!auth) {
const currentUrl = c.req.url;
return c.redirect(`/login?redirect=${encodeURIComponent(currentUrl)}`);
}
const body = await c.req.parseBody();
const clientId = body.client_id as string; const clientId = body.client_id as string;
const redirectUri = body.redirect_uri as string; const redirectUri = body.redirect_uri as string;
const codeChallenge = body.code_challenge as string; const codeChallenge = body.code_challenge as string;
const codeChallengeMethod = body.code_challenge_method as string; const codeChallengeMethod = body.code_challenge_method as string;
const state = (body.state as string) ?? ""; const state = (body.state as string) ?? "";
const user = await verifyPassword(db, username, password);
if (!user) {
const client = getClient(db, clientId); const client = getClient(db, clientId);
return c.html( if (!client) {
renderLoginForm({ return c.json({ error: "Unknown client_id" }, 400);
clientName: client?.clientName ?? "Unknown", }
clientId,
redirectUri, const allowedUris: string[] = JSON.parse(client.redirectUris);
codeChallenge, if (!allowedUris.includes(redirectUri)) {
codeChallengeMethod, return c.json({ error: "redirect_uri not allowed" }, 400);
state,
error: "Invalid username or password",
}),
);
} }
const { code } = createAuthorizationCode( const { code } = createAuthorizationCode(