d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
180 lines
5.3 KiB
TypeScript
180 lines
5.3 KiB
TypeScript
import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js'
|
|
import type {
|
|
OAuthClientInformationMixed,
|
|
OAuthClientMetadata,
|
|
OAuthTokens,
|
|
} from '@modelcontextprotocol/sdk/shared/auth.js'
|
|
import { db } from '@sim/db'
|
|
import { mcpServers } from '@sim/db/schema'
|
|
import { createLogger } from '@sim/logger'
|
|
import { toError } from '@sim/utils/errors'
|
|
import { generateId } from '@sim/utils/id'
|
|
import { eq } from 'drizzle-orm'
|
|
import { decryptSecret } from '@/lib/core/security/encryption'
|
|
import { getBaseUrl } from '@/lib/core/utils/urls'
|
|
import {
|
|
clearClient,
|
|
clearState,
|
|
clearTokens,
|
|
clearVerifier,
|
|
type McpOauthRow,
|
|
saveClientInformation as saveClientInformationDb,
|
|
saveCodeVerifier as saveCodeVerifierDb,
|
|
saveState,
|
|
saveTokens as saveTokensDb,
|
|
} from '@/lib/mcp/oauth/storage'
|
|
|
|
const logger = createLogger('SimMcpOauthProvider')
|
|
|
|
export class McpOauthRedirectRequired extends Error {
|
|
constructor(public readonly authorizationUrl: string) {
|
|
super('MCP OAuth redirect required')
|
|
this.name = 'McpOauthRedirectRequired'
|
|
}
|
|
}
|
|
|
|
export interface PreregisteredClient {
|
|
clientId: string
|
|
clientSecret?: string
|
|
}
|
|
|
|
interface SimMcpOauthProviderInit {
|
|
row: McpOauthRow
|
|
scope?: string
|
|
/**
|
|
* Optional user-supplied client credentials. When provided, the SDK skips
|
|
* Dynamic Client Registration and uses these for the auth/token exchange.
|
|
*/
|
|
preregistered?: PreregisteredClient
|
|
}
|
|
|
|
export class SimMcpOauthProvider implements OAuthClientProvider {
|
|
private row: McpOauthRow
|
|
private readonly scope?: string
|
|
private readonly preregistered?: PreregisteredClient
|
|
|
|
constructor({ row, scope, preregistered }: SimMcpOauthProviderInit) {
|
|
this.row = row
|
|
this.scope = scope
|
|
this.preregistered = preregistered
|
|
}
|
|
|
|
get redirectUrl(): string {
|
|
return `${getBaseUrl().replace(/\/$/, '')}/api/mcp/oauth/callback`
|
|
}
|
|
|
|
get clientMetadata(): OAuthClientMetadata {
|
|
const meta: OAuthClientMetadata = {
|
|
client_name: 'Sim',
|
|
redirect_uris: [this.redirectUrl],
|
|
grant_types: ['authorization_code', 'refresh_token'],
|
|
response_types: ['code'],
|
|
token_endpoint_auth_method: this.preregistered?.clientSecret ? 'client_secret_post' : 'none',
|
|
}
|
|
if (this.scope) meta.scope = this.scope
|
|
return meta
|
|
}
|
|
|
|
async state(): Promise<string> {
|
|
const state = generateId()
|
|
await saveState(this.row.id, state)
|
|
return state
|
|
}
|
|
|
|
clientInformation(): OAuthClientInformationMixed | undefined {
|
|
if (this.row.clientInformation) return this.row.clientInformation
|
|
if (this.preregistered) {
|
|
return {
|
|
client_id: this.preregistered.clientId,
|
|
client_secret: this.preregistered.clientSecret,
|
|
redirect_uris: [this.redirectUrl],
|
|
grant_types: ['authorization_code', 'refresh_token'],
|
|
response_types: ['code'],
|
|
token_endpoint_auth_method: this.preregistered.clientSecret ? 'client_secret_post' : 'none',
|
|
}
|
|
}
|
|
return undefined
|
|
}
|
|
|
|
async saveClientInformation(info: OAuthClientInformationMixed): Promise<void> {
|
|
if (this.preregistered) return
|
|
await saveClientInformationDb(this.row.id, info)
|
|
this.row.clientInformation = info
|
|
}
|
|
|
|
tokens(): OAuthTokens | undefined {
|
|
return this.row.tokens ?? undefined
|
|
}
|
|
|
|
async saveTokens(tokens: OAuthTokens): Promise<void> {
|
|
await saveTokensDb(this.row.id, tokens)
|
|
this.row.tokens = tokens
|
|
}
|
|
|
|
async redirectToAuthorization(authorizationUrl: URL): Promise<void> {
|
|
throw new McpOauthRedirectRequired(authorizationUrl.toString())
|
|
}
|
|
|
|
async saveCodeVerifier(codeVerifier: string): Promise<void> {
|
|
await saveCodeVerifierDb(this.row.id, codeVerifier)
|
|
this.row.codeVerifier = codeVerifier
|
|
}
|
|
|
|
async codeVerifier(): Promise<string> {
|
|
if (!this.row.codeVerifier) {
|
|
throw new Error('No PKCE code verifier saved for this MCP OAuth session')
|
|
}
|
|
return this.row.codeVerifier
|
|
}
|
|
|
|
async invalidateCredentials(
|
|
scope: 'all' | 'client' | 'tokens' | 'verifier' | 'discovery'
|
|
): Promise<void> {
|
|
if (scope === 'all' || scope === 'client') {
|
|
await clearClient(this.row.id)
|
|
this.row.clientInformation = null
|
|
}
|
|
if (scope === 'all' || scope === 'tokens') {
|
|
await clearTokens(this.row.id)
|
|
this.row.tokens = null
|
|
}
|
|
if (scope === 'all' || scope === 'verifier') {
|
|
await clearVerifier(this.row.id)
|
|
await clearState(this.row.id)
|
|
this.row.codeVerifier = null
|
|
}
|
|
}
|
|
|
|
get rowId(): string {
|
|
return this.row.id
|
|
}
|
|
}
|
|
|
|
export async function loadPreregisteredClient(
|
|
serverId: string
|
|
): Promise<PreregisteredClient | undefined> {
|
|
const [row] = await db
|
|
.select({
|
|
clientId: mcpServers.oauthClientId,
|
|
clientSecret: mcpServers.oauthClientSecret,
|
|
})
|
|
.from(mcpServers)
|
|
.where(eq(mcpServers.id, serverId))
|
|
.limit(1)
|
|
if (!row?.clientId) return undefined
|
|
let clientSecret: string | undefined
|
|
if (row.clientSecret) {
|
|
try {
|
|
const { decrypted } = await decryptSecret(row.clientSecret)
|
|
clientSecret = decrypted
|
|
} catch (error) {
|
|
logger.error('Failed to decrypt preregistered MCP OAuth client secret', {
|
|
serverId,
|
|
error: toError(error).message,
|
|
})
|
|
throw new Error('Failed to decrypt preregistered MCP OAuth client secret')
|
|
}
|
|
}
|
|
return { clientId: row.clientId, clientSecret }
|
|
}
|