makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

Compare commits

base: makiolaj:v1.4.1
Branches Tags
makiolaj:Develop makiolaj:feature/catalog-enrichment-upsert makiolaj:feature/user-menu-dropdown makiolaj:feature/v1.4-collection-tools
makiolaj:v2.2 makiolaj:v1.4.3 makiolaj:v1.4.2 makiolaj:v1.4.1 makiolaj:v1.4.0 makiolaj:v1.3.2 makiolaj:v1.3.1 makiolaj:v1.3.0 makiolaj:v1.2 makiolaj:v1.2.0 makiolaj:v1.1.4 makiolaj:v1.1.3 makiolaj:v1.1.2 makiolaj:v1.1.1 makiolaj:v1.1 makiolaj:v1.0
..
compare: makiolaj:v1.4.3
Branches Tags
makiolaj:Develop makiolaj:feature/catalog-enrichment-upsert makiolaj:feature/user-menu-dropdown makiolaj:feature/v1.4-collection-tools
makiolaj:v2.2 makiolaj:v1.4.3 makiolaj:v1.4.2 makiolaj:v1.4.1 makiolaj:v1.4.0 makiolaj:v1.3.2 makiolaj:v1.3.1 makiolaj:v1.3.0 makiolaj:v1.2 makiolaj:v1.2.0 makiolaj:v1.1.4 makiolaj:v1.1.3 makiolaj:v1.1.2 makiolaj:v1.1.1 makiolaj:v1.1 makiolaj:v1.0

2 Commits
v1.4.1 ... v1.4.3

Author SHA1 Message Date
Jean-Luc Makiola
f7c9f3dc94 fix: add Protected Resource Metadata endpoint (RFC 9728)
All checks were successful
CI / ci (push) Successful in 29s
Details
CI / e2e (push) Successful in 1m1s
Details 
The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-04 11:17:21 +02:00
Jean-Luc Makiola
b71833ef79 fix: await verifyAccessToken in MCP middleware
All checks were successful
CI / ci (push) Successful in 31s
Details
CI / e2e (push) Successful in 1m4s
Details 
verifyAccessToken is async and returns a Promise. Without await,
the Promise object is always truthy, so any Bearer token (even
invalid ones) was accepted. This fixes MCP OAuth authentication.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-04 11:03:30 +02:00
3 changed files with 24 additions and 4 deletions
Expand all files Collapse all files

8
check-oauth.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
docker exec gearbox bun -e "
const{Database}=require('bun:sqlite');
const db=new Database('./data/gearbox.db');
console.log('CLIENTS:', JSON.stringify(db.query('SELECT * FROM oauth_clients ORDER BY id DESC LIMIT 5').all(), null, 2));
console.log('CODES:', JSON.stringify(db.query('SELECT id,client_id,used,expires_at FROM oauth_codes ORDER BY id DESC LIMIT 5').all(), null, 2));
console.log('TOKENS:', JSON.stringify(db.query('SELECT id,client_id,expires_at FROM oauth_tokens ORDER BY id DESC LIMIT 5').all(), null, 2));
"

10
src/server/mcp/index.ts
View File

@@ -99,7 +99,7 @@ mcpRoutes.use("/*", async (c, next) => {
const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) {
const token = authHeader.slice(7);
if (verifyAccessToken(db, token)) {
if (await verifyAccessToken(db, token)) {
return next();
}
return c.json({ error: "invalid_token" }, 401);
@@ -115,10 +115,12 @@ mcpRoutes.use("/*", async (c, next) => {
return c.json({ error: "Invalid API key" }, 401);
}
// No auth provided — return 401 with WWW-Authenticate to trigger OAuth flow
// No auth provided — return 401 with WWW-Authenticate to trigger OAuth flow (RFC 9728)
const baseUrl = (
process.env.GEARBOX_URL || new URL(c.req.url).origin
).replace(/\/$/, "");
return c.text("Unauthorized", 401, {
"WWW-Authenticate":
'Bearer resource_metadata="/.well-known/oauth-authorization-server"',
"WWW-Authenticate": `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`,
});
});

10
src/server/routes/oauth.ts
View File

@@ -84,6 +84,16 @@ function renderLoginForm(params: {
export const wellKnownRoute = new Hono<Env>();
// Protected Resource Metadata (RFC 9728) — Claude fetches this first after 401
wellKnownRoute.get("/oauth-protected-resource", (c) => {
const baseUrl = getBaseUrl(c);
return c.json({
resource: `${baseUrl}/mcp`,
authorization_servers: [baseUrl],
});
});
// OAuth Authorization Server Metadata (RFC 8414) — Claude fetches this second
wellKnownRoute.get("/oauth-authorization-server", (c) => {
const baseUrl = getBaseUrl(c);
return c.json({