diff --git a/.gitignore b/.gitignore index 031ff86cc..71d8a3525 100644 --- a/.gitignore +++ b/.gitignore @@ -143,3 +143,6 @@ plugins/**/.creds.json plugins/**/creds.json plugins/**/.parameters.json src/handlers/tests/.creds.json + +data/**/*.json +.cursor/* \ No newline at end of file diff --git a/data/servers.example.json b/data/servers.example.json new file mode 100644 index 000000000..050f05d32 --- /dev/null +++ b/data/servers.example.json @@ -0,0 +1,11 @@ +{ + "servers": { + "default/deepwiki": { + "name": "DeepWiki MCP Server", + "url": "https://mcp.deepwiki.com/mcp", + "description": "GitHub repository documentation and Q&A", + "auth_type": "none", + "type": "http" + } + } +} diff --git a/docs/logging-config.md b/docs/logging-config.md new file mode 100644 index 000000000..eea1a3ff3 --- /dev/null +++ b/docs/logging-config.md @@ -0,0 +1,133 @@ +# Logging Configuration + +The MCP Gateway uses a configurable logging system optimized for production environments. + +## Production Default + +**In production (`NODE_ENV=production`), only ERROR and CRITICAL logs are shown by default.** + +## Configuration + +Logging can be configured through environment variables: + +### `LOG_LEVEL` +Controls the verbosity of logs. Available levels: +- `ERROR` (0) - Only errors (default in production) +- `CRITICAL` (1) - Critical information and errors +- `WARN` (2) - Warnings, critical info, and errors +- `INFO` (3) - General info, warnings, critical, and errors (default in development) +- `DEBUG` (4) - All logs including debug information + +### `NODE_ENV` +When set to `production`: +- Default log level is `ERROR` +- Colors are disabled by default +- Only critical information is logged + +Example: +```bash +# Production mode - minimal logging +NODE_ENV=production npm start + +# Development mode with debug logs +LOG_LEVEL=DEBUG npm start + +# Production with critical info +NODE_ENV=production LOG_LEVEL=CRITICAL npm start +``` + +### `LOG_TIMESTAMP` +Controls whether timestamps are included in logs. +- Default: `true` +- Set to `false` to disable timestamps + +Example: +```bash +LOG_TIMESTAMP=false npm start +``` + +### `LOG_COLORS` +Controls whether logs are colorized. +- Default: `true` +- Set to `false` to disable colors (useful for log files) + +Example: +```bash +LOG_COLORS=false npm start > logs.txt +``` + +## Log Format + +Logs follow this format: +``` +[timestamp] [prefix] [level] message +``` + +Example: +``` +[2024-01-20T10:30:45.123Z] [MCP-Gateway] [INFO] Creating new session for server: linear +[2024-01-20T10:30:45.456Z] [Session:abc12345] [INFO] Connected to upstream with sse transport +``` + +## Log Levels Guide + +### ERROR +- Connection failures +- Critical errors that prevent operation +- Unhandled exceptions +- Session initialization failures + +### CRITICAL +- Server startup/shutdown events +- Session recovery status +- Important lifecycle events that should always be logged + +### WARN +- Session not found +- Rate limiting triggered +- Invalid requests +- Non-critical failures + +### INFO +- Session creation/restoration +- Transport connections established +- Tool filtering applied +- General operational events + +### DEBUG +- Request/response details +- Transport state changes +- Detailed operation flow +- Capability discovery + +## Usage in Code + +The logger is automatically created with appropriate prefixes: +- `MCP-Gateway` - Main gateway operations +- `Session:{id}` - Session-specific operations (truncated ID for readability) + +## Production Recommendations + +For production environments (automatic minimal logging): +```bash +NODE_ENV=production npm start +# Only shows errors by default +``` + +For production with critical events: +```bash +NODE_ENV=production LOG_LEVEL=CRITICAL npm start +# Shows errors + critical lifecycle events +``` + +For debugging in development: +```bash +LOG_LEVEL=DEBUG npm start +# Shows everything +``` + +For debugging in production (temporary): +```bash +NODE_ENV=production LOG_LEVEL=INFO npm start +# Override production defaults for troubleshooting +``` diff --git a/docs/security/session-hijacking-mitigation.md b/docs/security/session-hijacking-mitigation.md new file mode 100644 index 000000000..866659df9 --- /dev/null +++ b/docs/security/session-hijacking-mitigation.md @@ -0,0 +1,407 @@ +# Session Hijacking Mitigation in MCP Gateway + +## Executive Summary + +This document outlines session hijacking vulnerabilities identified in the Model Context Protocol (MCP) Gateway and the security controls implemented to mitigate these risks. The gateway employs a defense-in-depth strategy centered on OAuth 2.1 authentication with enhanced session lifecycle management. + +**Risk Level**: Medium → Low (Post-mitigation) +**Primary Mitigation**: OAuth 2.1 enforcement with token-aligned session expiration +**Secondary Controls**: Session lifecycle management, security monitoring, audit logging + +--- + +## Threat Analysis + +### 1. Session Hijacking Attack Vectors + +#### 1.1 Session ID Theft and Reuse +**Threat**: Attackers obtain valid session IDs through various means and attempt to impersonate legitimate users. + +**Attack Scenarios**: +- Network interception of session IDs in headers (`mcp-session-id`) +- Log file exposure containing session identifiers +- Browser developer tools or debugging information leakage +- Man-in-the-middle attacks on unencrypted connections + +**Impact**: Unauthorized access to MCP servers, tool execution, and data exfiltration + +#### 1.2 Session Fixation +**Threat**: Attackers force users to use predetermined session IDs, then hijack the session after authentication. + +**Attack Flow**: +``` +1. Attacker generates session ID +2. Tricks user into using attacker's session ID +3. User authenticates with attacker's session +4. Attacker uses known session ID to access user's resources +``` + +#### 1.3 Cross-User Session Access +**Threat**: Users accessing sessions belonging to other users due to insufficient session validation. + +**Risk Factors**: +- Predictable session ID generation +- Lack of user-session binding validation +- Session persistence beyond authentication lifecycle + +### 2. MCP-Specific Attack Vectors + +#### 2.1 SSE Message Injection +**Threat**: Attackers inject malicious messages into Server-Sent Event streams using hijacked session IDs. + +**Attack Flow**: +```mermaid +sequenceDiagram + participant V as Victim + participant A as Attacker + participant G as Gateway + participant S as MCP Server + + V->>G: Establish SSE connection (session: abc123) + A->>G: POST /messages?sessionId=abc123 (malicious payload) + G->>S: Forward malicious message + S->>V: Deliver malicious response via SSE +``` + +#### 2.2 Tool Execution Hijacking +**Threat**: Unauthorized tool execution through hijacked MCP sessions. + +**Impact**: +- Data exfiltration through tool calls +- Unauthorized system modifications +- Privilege escalation within connected systems + +--- + +## Security Architecture + +### 1. Primary Security Boundary: OAuth 2.1 + +The MCP Gateway implements OAuth 2.1 as the primary security control, ensuring all requests are authenticated and authorized before session access. + +#### 1.1 Authentication Flow +```mermaid +sequenceDiagram + participant C as Client + participant G as Gateway + participant AS as Auth Server + participant MCP as MCP Server + + C->>AS: Authenticate & get token + AS->>C: Access token (with expiration) + C->>G: Request with Bearer token + session ID + G->>AS: Validate token (introspection) + AS->>G: Token valid + user info + G->>MCP: Forward authenticated request +``` + +#### 1.2 Token Validation +- **Token Introspection**: Every request validates token with authorization server +- **Scope Verification**: Ensures token has required MCP scopes (`mcp:servers:*`) +- **Expiration Checking**: Rejects expired tokens immediately +- **Client Validation**: Verifies token was issued to expected client + +### 2. Session Security Controls + +#### 2.1 Token-Aligned Session Lifecycle +Sessions are bound to OAuth token lifecycle, preventing session reuse after token expiration. + +```typescript +// Session expiration tied to token +session.setTokenExpiration(tokenInfo); + +// Automatic session cleanup +if (session.isTokenExpired()) { + sessionStore.delete(sessionId); + return 401; // Force re-authentication +} +``` + +#### 2.2 Secure Session Generation +- **Cryptographically Secure IDs**: Uses `crypto.randomUUID()` for session generation +- **Non-Predictable**: 128-bit entropy prevents session guessing attacks +- **Unique Per Request**: New sessions created for each authentication flow + +#### 2.3 Session Validation Pipeline +```typescript +// Middleware execution order (security-first) +app.all('/:serverId/mcp', + oauthMiddleware({required: true}), // 1. OAuth validation + hydrateContext, // 2. Load server config + sessionMiddleware(sessionStore), // 3. Session management + handleMCPRequest // 4. Business logic +); +``` + +--- + +## Mitigation Controls + +### 1. Authentication Controls + +| Control | Implementation | Risk Mitigation | +|---------|---------------|-----------------| +| **Mandatory OAuth** | `OAUTH_REQUIRED = true` | Prevents unauthenticated session access | +| **Token Introspection** | Real-time token validation | Blocks revoked/expired tokens | +| **Scope Enforcement** | `mcp:servers:*` required | Limits access to authorized resources | +| **Client Validation** | Client ID verification | Prevents token misuse across clients | + +### 2. Session Controls + +| Control | Implementation | Risk Mitigation | +|---------|---------------|-----------------| +| **Token-Bound Expiration** | `session.setTokenExpiration()` | Sessions expire with tokens | +| **Automatic Cleanup** | Periodic expired session removal | Prevents stale session reuse | +| **Secure ID Generation** | `crypto.randomUUID()` | Prevents session prediction | +| **Transport Security** | HTTPS enforcement | Protects session IDs in transit | + +### 3. Monitoring Controls + +| Control | Implementation | Risk Mitigation | +|---------|---------------|-----------------| +| **Session Reconnaissance Detection** | Log invalid session access | Identifies attack attempts | +| **Token Expiration Logging** | Track expired session usage | Monitors token lifecycle | +| **Authentication Failures** | OAuth rejection logging | Detects credential attacks | +| **Audit Trail** | Comprehensive request logging | Enables incident investigation | + +--- + +## Security Monitoring + +### 1. Key Security Events + +#### 1.1 Authentication Events +```json +{ + "event": "oauth_token_rejected", + "reason": "expired", + "client_id": "client-123", + "requested_scopes": ["mcp:servers:linear"], + "timestamp": "2024-01-15T10:30:00Z" +} +``` + +#### 1.2 Session Events +```json +{ + "event": "session_expired", + "session_id": "abc123", + "expiry_reason": "token_expired", + "last_activity": "2024-01-15T10:25:00Z", + "timestamp": "2024-01-15T10:30:00Z" +} +``` + +#### 1.3 Security Events +```json +{ + "event": "session_reconnaissance", + "session_id": "invalid-123", + "user_id": "user-456", + "client_id": "client-789", + "request_path": "/server1/mcp", + "ip_address": "192.168.1.100", + "timestamp": "2024-01-15T10:30:00Z" +} +``` + +### 2. Security Metrics + +#### 2.1 Key Performance Indicators +- **Authentication Success Rate**: `successful_auths / total_auth_attempts` +- **Session Hijacking Attempts**: Count of invalid session access attempts +- **Token Expiration Rate**: Frequency of expired token usage +- **Session Cleanup Efficiency**: Percentage of expired sessions removed + +#### 2.2 Alert Thresholds +- **High**: >10 invalid session attempts per minute from single IP +- **Medium**: >5% authentication failure rate +- **Low**: Unusual session access patterns + +--- + +## Compliance and Standards + +### 1. Security Standards Alignment + +| Standard | Requirement | Implementation | +|----------|-------------|----------------| +| **OAuth 2.1** | Secure token handling | Full OAuth 2.1 compliance | +| **RFC 9700** | OAuth security best practices | Token introspection, secure scopes | +| **OWASP ASVS** | Session management | Secure session lifecycle | +| **NIST Cybersecurity** | Authentication controls | Multi-factor authentication support | + +### 2. MCP Security Best Practices + +Following [MCP Security Best Practices](https://spec.modelcontextprotocol.io/specification/draft/security/): + +- ✅ **No Token Passthrough**: All tokens validated by gateway +- ✅ **Request Validation**: Every request authenticated +- ✅ **Session Security**: No session-based authentication +- ✅ **Audit Logging**: Comprehensive security event logging + +--- + +## Incident Response + +### 1. Session Hijacking Detection + +#### 1.1 Indicators of Compromise +- Multiple failed session validations from single user +- Session access from unusual IP addresses or locations +- High volume of expired session usage attempts +- Unusual tool execution patterns + +#### 1.2 Response Procedures +1. **Immediate**: Block suspicious IP addresses +2. **Short-term**: Revoke affected user tokens +3. **Medium-term**: Force re-authentication for affected users +4. **Long-term**: Review and enhance monitoring rules + +### 2. Forensic Capabilities + +#### 2.1 Available Logs +- OAuth token validation events +- Session creation and expiration events +- Request-level audit trails with user context +- Security event logs with IP and user agent data + +#### 2.2 Investigation Queries +```bash +# Find session hijacking attempts +grep "session_reconnaissance" /var/log/mcp-gateway.log + +# Track user session activity +grep "user-456" /var/log/mcp-gateway.log | grep "session" + +# Identify authentication failures +grep "oauth_token_rejected" /var/log/mcp-gateway.log +``` + +--- + +## Risk Assessment + +### 1. Residual Risks + +| Risk | Likelihood | Impact | Mitigation Status | +|------|------------|--------|-------------------| +| **Token Theft + Session ID Theft** | Low | Medium | ✅ Mitigated by token expiration | +| **OAuth Server Compromise** | Very Low | High | ⚠️ External dependency risk | +| **TLS/HTTPS Bypass** | Low | High | ✅ Mitigated by transport security | +| **Insider Threat** | Low | Medium | ✅ Mitigated by audit logging | + +### 2. Recommendations + +#### 2.1 Immediate Actions +- ✅ Enforce OAuth on all endpoints +- ✅ Implement token-bound session expiration +- ✅ Deploy comprehensive security logging + +#### 2.2 Future Enhancements +- [ ] Implement IP-based session binding +- [ ] Add geographic anomaly detection +- [ ] Deploy automated threat response +- [ ] Integrate with SIEM systems + +--- + +## Testing and Validation + +### 1. Security Test Cases + +#### 1.1 Session Hijacking Tests +```bash +# Test 1: Expired token with valid session +curl -H "Authorization: Bearer expired_token" \ + -H "mcp-session-id: valid_session" \ + https://gateway/server1/mcp +# Expected: 401 Unauthorized + +# Test 2: Valid token with invalid session +curl -H "Authorization: Bearer valid_token" \ + -H "mcp-session-id: invalid_session" \ + https://gateway/server1/mcp +# Expected: New session created + +# Test 3: No authentication with session +curl -H "mcp-session-id: valid_session" \ + https://gateway/server1/mcp +# Expected: 401 Unauthorized +``` + +#### 1.2 Automated Security Testing +- **OWASP ZAP**: Web application security scanning +- **Burp Suite**: Manual penetration testing +- **Custom Scripts**: Session hijacking simulation + +### 2. Penetration Testing Results + +| Test Scenario | Result | Notes | +|---------------|--------|-------| +| Session ID Prediction | ✅ Pass | Cryptographically secure generation | +| Token Bypass | ✅ Pass | OAuth enforcement prevents bypass | +| Session Fixation | ✅ Pass | New sessions created per auth flow | +| Cross-User Access | ✅ Pass | OAuth scopes prevent unauthorized access | + +--- + +## Conclusion + +The MCP Gateway implements a robust security architecture that effectively mitigates session hijacking risks through: + +1. **Primary Defense**: Mandatory OAuth 2.1 authentication on all requests +2. **Session Security**: Token-aligned session lifecycle management +3. **Monitoring**: Comprehensive security event logging and alerting +4. **Compliance**: Adherence to industry security standards + +The simplified security model relies on proven OAuth mechanisms rather than complex session validation, providing better security with reduced complexity and maintenance overhead. + +**Security Posture**: Strong defense against session hijacking attacks with comprehensive monitoring and incident response capabilities. + +--- + +## Appendix + +### A. Configuration Examples + +#### A.1 OAuth Configuration +```typescript +// Enforce OAuth on all MCP endpoints +const OAUTH_REQUIRED = true; + +app.all('/:serverId/mcp', + oauthMiddleware({ + required: true, + scopes: ['mcp:servers:read'], + }), + // ... other middleware +); +``` + +#### A.2 Session Configuration +```typescript +// Session store with token-aware cleanup +const sessionStore = new SessionStore({ + maxAge: 60 * 60 * 1000, // 1 hour max age + persistInterval: 30 * 1000, // Save every 30 seconds + tokenExpirationCheck: true, // Enable token expiration cleanup +}); +``` + +### B. Security Checklist + +- [ ] OAuth 2.1 properly configured and enforced +- [ ] Session IDs generated with cryptographic randomness +- [ ] Token expiration aligned with session lifecycle +- [ ] HTTPS enforced on all endpoints +- [ ] Security logging enabled and monitored +- [ ] Incident response procedures documented +- [ ] Regular security testing performed +- [ ] Compliance requirements validated + +--- + +*Document Version: 1.0* +*Last Updated: 2024-01-15* +*Classification: Internal Security Documentation* diff --git a/docs/security/token-passthrough-prevention.md b/docs/security/token-passthrough-prevention.md new file mode 100644 index 000000000..7b90ceb25 --- /dev/null +++ b/docs/security/token-passthrough-prevention.md @@ -0,0 +1,68 @@ +# Token Passthrough Prevention + +## Overview + +The MCP Gateway implements proper security boundaries that prevent Token Passthrough attacks as defined in the [MCP Security Best Practices](https://spec.modelcontextprotocol.io/specification/draft/security/best-practices/#token-passthrough). + +## Architecture + +### Separate Authentication Boundaries + +The gateway maintains distinct authentication mechanisms for different connection types: + +1. **Client → Gateway Authentication**: OAuth 2.1 tokens validated via token introspection +2. **Gateway → Upstream Server Authentication**: Static credentials configured per server + +### No Token Forwarding + +**Client tokens are never passed to upstream MCP servers.** The gateway acts as a proper authentication proxy: + +```typescript +// Client authentication (OAuth token) +const introspection = await introspectToken(clientToken, controlPlaneUrl); + +// Upstream authentication (static headers from config) +const upstreamTransport = new StreamableHTTPClientTransport(upstreamUrl, { + requestInit: { + headers: this.config.headers, // Static server credentials only + }, +}); +``` + +### Configuration-Based Upstream Authentication + +Upstream server authentication is configured statically in `servers.json`: + +```json +{ + "servers": { + "example-server": { + "url": "https://mcp.example.com", + "default_headers": { + "Authorization": "Bearer static-server-token" + } + } + } +} +``` + +## Security Benefits + +This architecture prevents the Token Passthrough risks outlined in the MCP specification: + +- **Security Control Circumvention**: Upstream servers receive consistent authentication regardless of client +- **Accountability**: Gateway maintains full audit trail of client actions +- **Trust Boundary Integrity**: Each service validates tokens issued specifically for it +- **Future Compatibility**: Architecture supports adding security controls without breaking existing flows + +## Verification + +The gateway's token isolation can be verified by: + +1. Examining `src/services/mcpSession.ts` - upstream connections use only `config.headers` +2. Checking `src/middlewares/oauth/index.ts` - client tokens are validated but not forwarded +3. Reviewing `src/middlewares/mcp/hydrateContext.ts` - server configs use static headers only + +## Status + +✅ **COMPLIANT** - The MCP Gateway properly prevents Token Passthrough attacks through architectural design. diff --git a/docs/session-persistence.md b/docs/session-persistence.md new file mode 100644 index 000000000..4d178e1a5 --- /dev/null +++ b/docs/session-persistence.md @@ -0,0 +1,80 @@ +# Session Persistence + +The MCP Gateway now supports persistent session storage to prevent session loss during server restarts. + +## Features + +- **JSON File Storage**: Sessions are stored in a JSON file by default +- **Redis Ready**: Interface designed for easy migration to Redis +- **Automatic Recovery**: Sessions are restored on server startup +- **Graceful Shutdown**: Sessions saved on SIGINT/SIGTERM +- **Periodic Persistence**: Sessions saved every 30 seconds + +## Configuration + +Environment variables: +- `SESSION_DATA_DIR`: Directory for session storage (default: `./data`) + +## Session Data Structure + +```json +{ + "id": "session-uuid", + "serverId": "linear", + "createdAt": 1234567890, + "lastActivity": 1234567890, + "isInitialized": true, + "clientTransportType": "sse", + "transportCapabilities": { + "clientTransport": "sse", + "upstreamTransport": "http" + }, + "metrics": { + "requests": 10, + "toolCalls": 5, + "errors": 0 + }, + "config": { + "serverId": "linear", + "url": "https://mcp.linear.app/sse", + "headers": {...} + } +} +``` + +## Migration to Redis + +To migrate to Redis, configure the cache service in `src/services/cache/index.ts`: + +```typescript +export function getSessionCache(): CacheService { + if (!sessionCache) { + sessionCache = new CacheService({ + backend: 'redis', + redisUrl: 'redis://redis.example.com:6379', + defaultTtl: 24 * 60 * 60 * 1000, // 1 day + }); + } + return sessionCache; +} +``` + +## Benefits + +1. **No Session Loss**: Client connections survive server restarts +2. **Better Reliability**: Sessions persist across deployments +3. **Automatic Recovery**: Sessions are automatically reinitialized on restoration +4. **Initialization State**: Tracks whether sessions are properly initialized +5. **Monitoring**: Session metrics are preserved +6. **Scalability**: Easy migration path to Redis for multi-instance deployments + +## Session Initialization + +The system now tracks session initialization state: + +- **New Sessions**: Created and initialized when clients connect +- **Restored Sessions**: Automatically reinitialize transport connections +- **Failed Restoration**: Sessions that can't be restored are marked as uninitialized +- **Cleanup**: Uninitialized sessions are removed when accessed + +This prevents the "Session not initialized" errors that occurred with simple session restoration. diff --git a/package-lock.json b/package-lock.json index 06eed0b57..4af802800 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,13 +14,17 @@ "@cfworker/json-schema": "^4.0.3", "@hono/node-server": "^1.3.3", "@hono/node-ws": "^1.2.0", + "@modelcontextprotocol/sdk": "^1.17.3", "@portkey-ai/mustache": "^2.1.3", "@smithy/signature-v4": "^2.1.1", "@types/mustache": "^4.2.5", "async-retry": "^1.3.3", "avsc": "^5.7.7", "hono": "^4.6.10", + "ioredis": "^5.7.0", "jose": "^6.0.11", + "minimist": "^1.2.8", + "openid-client": "^6.7.1", "patch-package": "^8.0.0", "ws": "^8.18.0", "zod": "^3.22.4" @@ -35,6 +39,7 @@ "@rollup/plugin-typescript": "^11.1.5", "@types/async-retry": "^1.4.5", "@types/jest": "^29.5.12", + "@types/minimist": "^1.2.5", "@types/node": "20.8.3", "@types/ws": "^8.5.12", "husky": "^9.1.4", @@ -1270,24 +1275,6 @@ "url": "https://opencollective.com/eslint" } }, - "node_modules/@eslint/eslintrc/node_modules/ajv": { - "version": "6.12.6", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", - "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", - "dev": true, - "license": "MIT", - "peer": true, - "dependencies": { - "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", - "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" - }, - "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" - } - }, "node_modules/@eslint/eslintrc/node_modules/argparse": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", @@ -1321,14 +1308,6 @@ "js-yaml": "bin/js-yaml.js" } }, - "node_modules/@eslint/eslintrc/node_modules/json-schema-traverse": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", - "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", - "dev": true, - "license": "MIT", - "peer": true - }, "node_modules/@eslint/js": { "version": "9.9.0", "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.9.0.tgz", @@ -1414,6 +1393,12 @@ "url": "https://github.com/sponsors/nzakas" } }, + "node_modules/@ioredis/commands": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/@ioredis/commands/-/commands-1.3.1.tgz", + "integrity": "sha512-bYtU8avhGIcje3IhvF9aSjsa5URMZBHnwKtOvXsT4sfYy9gppW11gLPT/9oNqlJZD47yPKveQFTAFWpHjKvUoQ==", + "license": "MIT" + }, "node_modules/@istanbuljs/load-nyc-config": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/@istanbuljs/load-nyc-config/-/load-nyc-config-1.1.0.tgz", @@ -1775,6 +1760,29 @@ "@jridgewell/sourcemap-codec": "^1.4.14" } }, + "node_modules/@modelcontextprotocol/sdk": { + "version": "1.17.5", + "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.17.5.tgz", + "integrity": "sha512-QakrKIGniGuRVfWBdMsDea/dx1PNE739QJ7gCM41s9q+qaCYTHCdsIBXQVVXry3mfWAiaM9kT22Hyz53Uw8mfg==", + "license": "MIT", + "dependencies": { + "ajv": "^6.12.6", + "content-type": "^1.0.5", + "cors": "^2.8.5", + "cross-spawn": "^7.0.5", + "eventsource": "^3.0.2", + "eventsource-parser": "^3.0.0", + "express": "^5.0.1", + "express-rate-limit": "^7.5.0", + "pkce-challenge": "^5.0.0", + "raw-body": "^3.0.0", + "zod": "^3.23.8", + "zod-to-json-schema": "^3.24.1" + }, + "engines": { + "node": ">=18" + } + }, "node_modules/@nodelib/fs.scandir": { "version": "2.1.5", "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", @@ -2418,6 +2426,13 @@ "dev": true, "license": "MIT" }, + "node_modules/@types/minimist": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/@types/minimist/-/minimist-1.2.5.tgz", + "integrity": "sha512-hov8bUuiLiyFPGyFPE1lwWhmzYbirOXQNNo40+y3zow8aFVTeyn3VWL0VFFfdNddA8S4Vf0Tc062rzyNr7Paag==", + "dev": true, + "license": "MIT" + }, "node_modules/@types/mustache": { "version": "4.2.5", "resolved": "https://registry.npmjs.org/@types/mustache/-/mustache-4.2.5.tgz", @@ -2427,7 +2442,8 @@ "version": "20.8.3", "resolved": "https://registry.npmjs.org/@types/node/-/node-20.8.3.tgz", "integrity": "sha512-jxiZQFpb+NlH5kjW49vXxvxTjeeqlbsnTAdBTKpzEdPs9itay7MscYXz3Fo9VYFEsfQ6LJFitHad3faerLAjCw==", - "dev": true + "dev": true, + "license": "MIT" }, "node_modules/@types/node-fetch": { "version": "2.6.12", @@ -2711,6 +2727,40 @@ "node": ">=6.5" } }, + "node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "license": "MIT", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/accepts/node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/accepts/node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, "node_modules/acorn": { "version": "8.12.1", "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz", @@ -2758,6 +2808,22 @@ "node": ">= 8.0.0" } }, + "node_modules/ajv": { + "version": "6.12.6", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", + "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "license": "MIT", + "dependencies": { + "fast-deep-equal": "^3.1.1", + "fast-json-stable-stringify": "^2.0.0", + "json-schema-traverse": "^0.4.1", + "uri-js": "^4.2.2" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, "node_modules/ansi-escapes": { "version": "4.3.2", "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-4.3.2.tgz", @@ -2992,6 +3058,26 @@ "integrity": "sha512-F1+K8EbfOZE49dtoPtmxUQrpXaBIl3ICvasLh+nJta0xkz+9kF/7uet9fLnwKqhDrmj6g+6K3Tw9yQPUg2ka5g==", "dev": true }, + "node_modules/body-parser": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", + "integrity": "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==", + "license": "MIT", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^1.0.5", + "debug": "^4.4.0", + "http-errors": "^2.0.0", + "iconv-lite": "^0.6.3", + "on-finished": "^2.4.1", + "qs": "^6.14.0", + "raw-body": "^3.0.0", + "type-is": "^2.0.0" + }, + "engines": { + "node": ">=18" + } + }, "node_modules/brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", @@ -3071,6 +3157,15 @@ "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==", "dev": true }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/call-bind": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.8.tgz", @@ -3241,6 +3336,15 @@ "node": ">=12" } }, + "node_modules/cluster-key-slot": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/cluster-key-slot/-/cluster-key-slot-1.1.2.tgz", + "integrity": "sha512-RMr0FhtfXemyinomL4hrWcYJxmX6deFdCxpJzhDttxgO1+bcCnkk+9drydLVDmAMG7NE6aN/fl4F7ucU/90gAA==", + "license": "Apache-2.0", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/co": { "version": "4.6.0", "resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz", @@ -3303,6 +3407,27 @@ "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, + "node_modules/content-disposition": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", + "integrity": "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==", + "license": "MIT", + "dependencies": { + "safe-buffer": "5.2.1" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", + "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, "node_modules/convert-source-map": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz", @@ -3313,12 +3438,33 @@ "version": "0.7.2", "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", - "dev": true, "license": "MIT", "engines": { "node": ">= 0.6" } }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "license": "MIT", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/cors": { + "version": "2.8.5", + "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz", + "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==", + "license": "MIT", + "dependencies": { + "object-assign": "^4", + "vary": "^1" + }, + "engines": { + "node": ">= 0.10" + } + }, "node_modules/create-jest": { "version": "29.7.0", "resolved": "https://registry.npmjs.org/create-jest/-/create-jest-29.7.0.tgz", @@ -3372,12 +3518,12 @@ } }, "node_modules/debug": { - "version": "4.3.4", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", - "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", - "dev": true, + "version": "4.4.1", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz", + "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==", + "license": "MIT", "dependencies": { - "ms": "2.1.2" + "ms": "^2.1.3" }, "engines": { "node": ">=6.0" @@ -3451,6 +3597,24 @@ "node": ">=0.4.0" } }, + "node_modules/denque": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz", + "integrity": "sha512-HVQE3AAb/pxF8fQAoiqpvg9i3evqug3hoiwakOyZAwJm+6vZehbkYXZ0l4JxS+I3QxM97v5aaRNhj8v5oBhekw==", + "license": "Apache-2.0", + "engines": { + "node": ">=0.10" + } + }, + "node_modules/depd": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/detect-newline": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/detect-newline/-/detect-newline-3.1.0.tgz", @@ -3507,6 +3671,12 @@ "node": ">= 0.4" } }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", + "license": "MIT" + }, "node_modules/ejs": { "version": "3.1.10", "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz", @@ -3546,6 +3716,15 @@ "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "dev": true }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/error-ex": { "version": "1.3.2", "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz", @@ -3646,6 +3825,12 @@ "node": ">=6" } }, + "node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", + "license": "MIT" + }, "node_modules/escape-string-regexp": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz", @@ -3747,24 +3932,6 @@ "url": "https://opencollective.com/eslint" } }, - "node_modules/eslint/node_modules/ajv": { - "version": "6.12.6", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", - "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", - "dev": true, - "license": "MIT", - "peer": true, - "dependencies": { - "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", - "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" - }, - "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" - } - }, "node_modules/eslint/node_modules/eslint-visitor-keys": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.0.0.tgz", @@ -3808,14 +3975,6 @@ "node": ">=10.13.0" } }, - "node_modules/eslint/node_modules/json-schema-traverse": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", - "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", - "dev": true, - "license": "MIT", - "peer": true - }, "node_modules/eslint/node_modules/locate-path": { "version": "6.0.0", "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", @@ -3944,6 +4103,15 @@ "node": ">=0.10.0" } }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, "node_modules/event-target-shim": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/event-target-shim/-/event-target-shim-5.0.1.tgz", @@ -3953,6 +4121,27 @@ "node": ">=6" } }, + "node_modules/eventsource": { + "version": "3.0.7", + "resolved": "https://registry.npmjs.org/eventsource/-/eventsource-3.0.7.tgz", + "integrity": "sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA==", + "license": "MIT", + "dependencies": { + "eventsource-parser": "^3.0.1" + }, + "engines": { + "node": ">=18.0.0" + } + }, + "node_modules/eventsource-parser": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/eventsource-parser/-/eventsource-parser-3.0.6.tgz", + "integrity": "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==", + "license": "MIT", + "engines": { + "node": ">=18.0.0" + } + }, "node_modules/execa": { "version": "5.1.1", "resolved": "https://registry.npmjs.org/execa/-/execa-5.1.1.tgz", @@ -4014,12 +4203,88 @@ "node": "^14.15.0 || ^16.10.0 || >=18.0.0" } }, + "node_modules/express": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/express/-/express-5.1.0.tgz", + "integrity": "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==", + "license": "MIT", + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.0", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", + "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/express-rate-limit": { + "version": "7.5.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz", + "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, + "node_modules/express/node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express/node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", - "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", - "dev": true, - "peer": true + "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-glob": { "version": "3.3.2", @@ -4040,8 +4305,7 @@ "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", - "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==", - "dev": true + "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/fast-levenshtein": { "version": "2.0.6", @@ -4122,6 +4386,23 @@ "node": ">=8" } }, + "node_modules/finalhandler": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", + "integrity": "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": "^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, "node_modules/find-up": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz", @@ -4200,6 +4481,24 @@ "node": ">= 12.20" } }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/fs-extra": { "version": "8.1.0", "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-8.1.0.tgz", @@ -4505,13 +4804,38 @@ "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==", "dev": true }, - "node_modules/human-signals": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-2.1.0.tgz", - "integrity": "sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==", - "dev": true, + "node_modules/http-errors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz", + "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==", + "license": "MIT", + "dependencies": { + "depd": "2.0.0", + "inherits": "2.0.4", + "setprototypeof": "1.2.0", + "statuses": "2.0.1", + "toidentifier": "1.0.1" + }, "engines": { - "node": ">=10.17.0" + "node": ">= 0.8" + } + }, + "node_modules/http-errors/node_modules/statuses": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", + "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/human-signals": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-2.1.0.tgz", + "integrity": "sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==", + "dev": true, + "engines": { + "node": ">=10.17.0" } }, "node_modules/humanize-ms": { @@ -4538,6 +4862,18 @@ "url": "https://github.com/sponsors/typicode" } }, + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/ignore": { "version": "5.3.2", "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz", @@ -4616,6 +4952,39 @@ "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, + "node_modules/ioredis": { + "version": "5.7.0", + "resolved": "https://registry.npmjs.org/ioredis/-/ioredis-5.7.0.tgz", + "integrity": "sha512-NUcA93i1lukyXU+riqEyPtSEkyFq8tX90uL659J+qpCZ3rEdViB/APC58oAhIh3+bJln2hzdlZbBZsGNrlsR8g==", + "license": "MIT", + "dependencies": { + "@ioredis/commands": "^1.3.0", + "cluster-key-slot": "^1.1.0", + "debug": "^4.3.4", + "denque": "^2.1.0", + "lodash.defaults": "^4.2.0", + "lodash.isarguments": "^3.1.0", + "redis-errors": "^1.2.0", + "redis-parser": "^3.0.0", + "standard-as-callback": "^2.1.0" + }, + "engines": { + "node": ">=12.22.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/ioredis" + } + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, "node_modules/is-arrayish": { "version": "0.2.1", "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz", @@ -4716,6 +5085,12 @@ "node": ">=0.10.0" } }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==", + "license": "MIT" + }, "node_modules/is-stream": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz", @@ -5432,9 +5807,10 @@ } }, "node_modules/jose": { - "version": "6.0.11", - "resolved": "https://registry.npmjs.org/jose/-/jose-6.0.11.tgz", - "integrity": "sha512-QxG7EaliDARm1O1S8BGakqncGT9s25bKL1WSf6/oa17Tkqwi8D2ZNglqCF+DsYF88/rV66Q/Q2mFAy697E1DUg==", + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.0.tgz", + "integrity": "sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA==", + "license": "MIT", "funding": { "url": "https://github.com/sponsors/panva" } @@ -5483,6 +5859,12 @@ "integrity": "sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==", "dev": true }, + "node_modules/json-schema-traverse": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", + "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "license": "MIT" + }, "node_modules/json-stable-stringify": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/json-stable-stringify/-/json-stable-stringify-1.2.1.tgz", @@ -5609,6 +5991,18 @@ "node": ">=8" } }, + "node_modules/lodash.defaults": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/lodash.defaults/-/lodash.defaults-4.2.0.tgz", + "integrity": "sha512-qjxPLHd3r5DnsdGacqOMU6pb/avJzdh9tFX2ymgoZE27BmjXrNy/y4LoaiTeAb+O3gL8AfpJGtqfX/ae2leYYQ==", + "license": "MIT" + }, + "node_modules/lodash.isarguments": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/lodash.isarguments/-/lodash.isarguments-3.1.0.tgz", + "integrity": "sha512-chi4NHZlZqZD18a0imDHnZPrDeBbTtVN7GXMwuGdRH9qotxAjYs3aVLKc7zNOG9eddR5Ksd8rvFEBc9SsggPpg==", + "license": "MIT" + }, "node_modules/lodash.memoize": { "version": "4.1.2", "resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz", @@ -5691,6 +6085,27 @@ "node": ">= 0.4" } }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/merge-stream": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/merge-stream/-/merge-stream-2.0.0.tgz", @@ -5822,10 +6237,10 @@ } }, "node_modules/ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", - "dev": true + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" }, "node_modules/mustache": { "version": "4.2.0", @@ -5861,6 +6276,15 @@ "integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==", "dev": true }, + "node_modules/negotiator": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, "node_modules/node-domexception": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz", @@ -5943,6 +6367,36 @@ "node": ">=8" } }, + "node_modules/oauth4webapi": { + "version": "3.8.1", + "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.8.1.tgz", + "integrity": "sha512-olkZDELNycOWQf9LrsELFq8n05LwJgV8UkrS0cburk6FOwf8GvLam+YB+Uj5Qvryee+vwWOfQVeI5Vm0MVg7SA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, + "node_modules/object-assign": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", + "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/object-keys": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz", @@ -5959,6 +6413,18 @@ "dev": true, "license": "MIT" }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "license": "MIT", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", @@ -6037,6 +6503,19 @@ "undici-types": "~5.26.4" } }, + "node_modules/openid-client": { + "version": "6.7.1", + "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-6.7.1.tgz", + "integrity": "sha512-kOiE4q0kNogr90hXsxPrKeEDuY+V0kkZazvZScOwZkYept9slsaQ3usXTaKkm6I04vLNuw5caBoX7UfrwC6x8w==", + "license": "MIT", + "dependencies": { + "jose": "^6.1.0", + "oauth4webapi": "^3.8.0" + }, + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/optionator": { "version": "0.9.4", "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz", @@ -6146,6 +6625,15 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/patch-package": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/patch-package/-/patch-package-8.0.0.tgz", @@ -6313,6 +6801,15 @@ "node": ">= 6" } }, + "node_modules/pkce-challenge": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/pkce-challenge/-/pkce-challenge-5.0.0.tgz", + "integrity": "sha512-ueGLflrrnvwB3xuo/uGob5pd5FN7l0MsLf0Z87o/UQmRtwjvfylfc9MurIxRAWywCYTgrvpXBcqjV4OfCYGCIQ==", + "license": "MIT", + "engines": { + "node": ">=16.20.0" + } + }, "node_modules/pkg-dir": { "version": "4.2.0", "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz", @@ -6408,13 +6905,24 @@ "node": ">= 6" } }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "license": "MIT", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, "node_modules/punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", - "dev": true, "license": "MIT", - "peer": true, "engines": { "node": ">=6" } @@ -6435,6 +6943,21 @@ } ] }, + "node_modules/qs": { + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "license": "BSD-3-Clause", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/queue-microtask": { "version": "1.2.3", "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", @@ -6464,6 +6987,30 @@ "safe-buffer": "^5.1.0" } }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.0.tgz", + "integrity": "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==", + "license": "MIT", + "dependencies": { + "bytes": "3.1.2", + "http-errors": "2.0.0", + "iconv-lite": "0.6.3", + "unpipe": "1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + }, "node_modules/react-is": { "version": "18.3.1", "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", @@ -6484,6 +7031,27 @@ "url": "https://paulmillr.com/funding/" } }, + "node_modules/redis-errors": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/redis-errors/-/redis-errors-1.2.0.tgz", + "integrity": "sha512-1qny3OExCf0UvUV/5wpYKf2YwPcOqXzkwKKSmKHiE6ZMQs5heeE/c8eXK+PNllPvmjgAbfnsbpkGZWy8cBpn9w==", + "license": "MIT", + "engines": { + "node": ">=4" + } + }, + "node_modules/redis-parser": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/redis-parser/-/redis-parser-3.0.0.tgz", + "integrity": "sha512-DJnGAeenTdpMEH6uAJRK/uiyEIH9WVsUmoLwzudwGJUwZPp80PDBWPHXSAGNPwNvIXAbe7MSUB1zQFugFml66A==", + "license": "MIT", + "dependencies": { + "redis-errors": "^1.0.0" + }, + "engines": { + "node": ">=4" + } + }, "node_modules/require-directory": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", @@ -6685,6 +7253,32 @@ "estree-walker": "^0.6.1" } }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/router/node_modules/path-to-regexp": { + "version": "8.3.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz", + "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==", + "license": "MIT", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, "node_modules/run-parallel": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", @@ -6712,7 +7306,6 @@ "version": "5.2.1", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", - "dev": true, "funding": [ { "type": "github", @@ -6728,6 +7321,12 @@ } ] }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" + }, "node_modules/selfsigned": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/selfsigned/-/selfsigned-2.1.1.tgz", @@ -6749,6 +7348,49 @@ "semver": "bin/semver.js" } }, + "node_modules/send": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", + "integrity": "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==", + "license": "MIT", + "dependencies": { + "debug": "^4.3.5", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "mime-types": "^3.0.1", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/send/node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/send/node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, "node_modules/serialize-javascript": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.1.tgz", @@ -6758,6 +7400,21 @@ "randombytes": "^2.1.0" } }, + "node_modules/serve-static": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.0.tgz", + "integrity": "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==", + "license": "MIT", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + } + }, "node_modules/set-function-length": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz", @@ -6775,6 +7432,12 @@ "node": ">= 0.4" } }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", + "license": "ISC" + }, "node_modules/shebang-command": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", @@ -6794,6 +7457,78 @@ "node": ">=8" } }, + "node_modules/side-channel": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", + "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3", + "side-channel-list": "^1.0.0", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", + "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/signal-exit": { "version": "3.0.7", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", @@ -6885,6 +7620,21 @@ "get-source": "^2.0.12" } }, + "node_modules/standard-as-callback": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz", + "integrity": "sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A==", + "license": "MIT" + }, + "node_modules/statuses": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", + "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/stoppable": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/stoppable/-/stoppable-1.1.0.tgz", @@ -7065,6 +7815,15 @@ "node": ">=8.0" } }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "license": "MIT", + "engines": { + "node": ">=0.6" + } + }, "node_modules/tr46": { "version": "0.0.3", "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", @@ -7591,6 +8350,41 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/type-is": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", + "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==", + "license": "MIT", + "dependencies": { + "content-type": "^1.0.5", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/type-is/node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/type-is/node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, "node_modules/typescript": { "version": "5.3.3", "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", @@ -7665,6 +8459,15 @@ "node": ">= 4.0.0" } }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/update-browserslist-db": { "version": "1.0.15", "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.15.tgz", @@ -7699,9 +8502,7 @@ "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", - "dev": true, "license": "BSD-2-Clause", - "peer": true, "dependencies": { "punycode": "^2.1.0" } @@ -7720,6 +8521,15 @@ "node": ">=10.12.0" } }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/walker": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/walker/-/walker-1.0.8.tgz", @@ -7989,6 +8799,15 @@ "funding": { "url": "https://github.com/sponsors/colinhacks" } + }, + "node_modules/zod-to-json-schema": { + "version": "3.24.6", + "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.24.6.tgz", + "integrity": "sha512-h/z3PKvcTcTetyjl1fkj79MHNEjm+HpD6NXheWjzOekY7kV+lwDYnHw+ivHkijnCSMz1yJaWBD9vu/Fcmk+vEg==", + "license": "ISC", + "peerDependencies": { + "zod": "^3.24.1" + } } } } diff --git a/package.json b/package.json index 69d0736b0..f0b59090c 100644 --- a/package.json +++ b/package.json @@ -44,6 +44,7 @@ "@aws-crypto/sha256-js": "^5.2.0", "@cfworker/json-schema": "^4.0.3", "@hono/node-server": "^1.3.3", + "@modelcontextprotocol/sdk": "^1.17.3", "@hono/node-ws": "^1.2.0", "@portkey-ai/mustache": "^2.1.3", "@smithy/signature-v4": "^2.1.1", @@ -51,7 +52,10 @@ "async-retry": "^1.3.3", "avsc": "^5.7.7", "hono": "^4.6.10", + "ioredis": "^5.7.0", "jose": "^6.0.11", + "minimist": "^1.2.8", + "openid-client": "^6.7.1", "patch-package": "^8.0.0", "ws": "^8.18.0", "zod": "^3.22.4" @@ -63,6 +67,7 @@ "@rollup/plugin-typescript": "^11.1.5", "@types/async-retry": "^1.4.5", "@types/jest": "^29.5.12", + "@types/minimist": "^1.2.5", "@types/node": "20.8.3", "@types/ws": "^8.5.12", "husky": "^9.1.4", diff --git a/src/mcp/constants/mcp.ts b/src/mcp/constants/mcp.ts new file mode 100644 index 000000000..c362d99b1 --- /dev/null +++ b/src/mcp/constants/mcp.ts @@ -0,0 +1,12 @@ +/** + * @file src/constants/mcp.ts + * Centralized constants for MCP flows + */ + +// Header names +export const HEADER_MCP_SESSION_ID = 'mcp-session-id'; +export const HEADER_SSE_SESSION_ID = 'X-Session-Id'; + +// Cache namespaces +export const NS_SESSIONS = 'sessions'; +export const NS_AUTHORIZATION_CODES = 'authorization_codes'; diff --git a/src/mcp/handlers/mcpHandler.ts b/src/mcp/handlers/mcpHandler.ts new file mode 100644 index 000000000..141f29046 --- /dev/null +++ b/src/mcp/handlers/mcpHandler.ts @@ -0,0 +1,344 @@ +/** + * @file src/handlers/mcpHandler.ts + * MCP (Model Context Protocol) request handler + * + * Performance-optimized handler functions for MCP requests + */ + +import { Context } from 'hono'; +import { RESPONSE_ALREADY_SENT } from '@hono/node-server/utils/response'; +import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse'; + +import { ServerConfig } from '../types/mcp'; +import { MCPSession, TransportType } from '../services/mcpSession'; +import { getSessionStore } from '../services/sessionStore'; +import { createLogger } from '../../shared/utils/logger'; +import { ControlPlane } from '../middleware/controlPlane'; +import { revokeAllClientTokens } from '../utils/oauthTokenRevocation'; + +const logger = createLogger('MCP-Handler'); + +type Env = { + Variables: { + serverConfig: ServerConfig; + session?: MCPSession; + tokenInfo?: any; // Token introspection response + isAuthenticated?: boolean; + controlPlane?: ControlPlane; + }; + Bindings: { + ALBUS_BASEPATH?: string; + }; +}; + +/** + * Error response factory + */ +const ErrorResponse = { + create(code: number, message: string, id: any = null, data?: any) { + return { + jsonrpc: '2.0', + error: { code, message, ...(data && { data }) }, + id, + }; + }, + + serverConfigNotFound: (id?: any) => + ErrorResponse.create(-32001, 'Server config not found', id), + + sessionNotFound: (id?: any) => + ErrorResponse.create(-32001, 'Session not found', id), + + invalidRequest: (id?: any) => + ErrorResponse.create(-32600, 'Invalid Request', id), + + sessionNotInitialized: (id?: any) => + ErrorResponse.create(-32000, 'Session not properly initialized', id), + + sessionRestoreFailed: (id?: any) => + ErrorResponse.create( + -32000, + 'Failed to restore session. Please reinitialize.', + id + ), + + sessionExpired: (id?: any) => + ErrorResponse.create(-32001, 'Session expired', id), + + missingSessionId: (id?: any) => + ErrorResponse.create(-32000, 'Session ID required in query parameter', id), + + authorizationRequired( + id: any, + error: { workspaceId: string; serverId: string; authorizationUrl: string } + ) { + return ErrorResponse.create( + -32000, + `Authorization required for ${error.workspaceId}/${error.serverId}. Complete it here: ${error.authorizationUrl}`, + id, + { type: 'oauth_required', authorizationUrl: error.authorizationUrl } + ); + }, +}; + +/** + * Detect transport type from request + */ +function detectTransportType( + c: Context, + session?: MCPSession +): TransportType { + if (session?.getClientTransportType()) { + return session.getClientTransportType()!; + } + + const acceptHeader = c.req.header('Accept'); + return c.req.method === 'GET' && acceptHeader?.includes('text/event-stream') + ? 'sse' + : 'http'; +} + +async function purgeOauthTokens( + tokenInfo: any, + controlPlane?: ControlPlane | null +) { + if (!tokenInfo?.client_id) { + logger.debug('No client_id in tokenInfo, skipping OAuth token purge'); + return; + } + + // Use the utility function to revoke all tokens for this client + await revokeAllClientTokens(tokenInfo, controlPlane); +} + +/** + * Create new session + */ +async function createSession( + config: ServerConfig, + tokenInfo?: any, + context?: Context, + transportType?: TransportType +): Promise { + const session = new MCPSession({ + config, + gatewayToken: tokenInfo, + context, + }); + + if (transportType) { + try { + await session.initializeOrRestore(transportType); + logger.debug(`Session ${session.id} initialized with ${transportType}`); + } catch (error) { + const controlPlane = context?.get('controlPlane'); + await purgeOauthTokens(tokenInfo, controlPlane); + logger.error( + `Failed to initialize session (createSession) ${session.id}`, + error + ); + throw error; + } + } + + await setSession(session.id, session); + return session; +} + +/** + * Handle initialization request + * - If session is undefined, a new MCPSession is created with the server config and gateway token + * - `session.initializeOrRestore` is then called to initialize or restore the session + * - If initialize fails, the session is deleted from the store and the error is re-thrown + */ +export async function handleClientRequest( + c: Context, + session: MCPSession | undefined +) { + const { serverConfig, tokenInfo } = c.var; + const { workspaceId, serverId } = serverConfig; + + if (!session) { + logger.debug(`Creating new session for: ${workspaceId}/${serverId}`); + session = await createSession(serverConfig, tokenInfo, c, 'http'); + } + + try { + await session.initializeOrRestore('http'); + session.handleRequest(); + return RESPONSE_ALREADY_SENT; + } catch (error: any) { + const bodyId = ((await c.req.json()) as any)?.id; + await deleteSession(session.id); + + // Check if this is an OAuth authorization error + if (error.authorizationUrl && error.serverId) { + const controlPlane = c.get('controlPlane'); + await purgeOauthTokens(tokenInfo, controlPlane); + return c.json(ErrorResponse.authorizationRequired(bodyId, error), 401); + } + + // Other errors + logger.error( + `Failed to initialize session (handleClientRequest) ${session.id}`, + error + ); + return c.json(ErrorResponse.sessionRestoreFailed(bodyId), 500); + } +} + +/** + * Handle GET request for established session + */ +export async function handleEstablishedSessionGET( + c: Context, + session: MCPSession +): Promise { + // Ensure session is active or can be restored + try { + await session.initializeOrRestore(); + logger.debug(`Session ${session.id} ready`); + } catch (error: any) { + logger.error(`Failed to prepare session ${session.id}`, error); + await deleteSession(session.id); + if (error.needsAuthorization) { + return c.json(ErrorResponse.authorizationRequired(null, error), 401); + } + return c.json(ErrorResponse.sessionRestoreFailed(), 500); + } + + // Route based on transport type + if (session.getClientTransportType() === 'sse') { + const transport = session.initializeSSETransport(); + await setSession(transport.sessionId, session); + await transport.start(); + } else { + await session.handleRequest(); + } + return RESPONSE_ALREADY_SENT; +} + +async function setSession(sessionId: string, session: MCPSession) { + const sessionStore = getSessionStore(); + await sessionStore.set(sessionId, session); +} + +async function deleteSession(sessionId: string) { + const sessionStore = getSessionStore(); + await sessionStore.delete(sessionId); +} + +/** + * Prepare session for request handling + * Returns true if session is ready, false if failed + */ +export async function prepareSessionForRequest( + c: Context, + session: MCPSession +): Promise { + try { + const transportType = detectTransportType(c, session); + await session.initializeOrRestore(transportType); + logger.debug(`Session ${session.id} ready for request handling`); + return true; + } catch (error) { + logger.error(`Failed to prepare session ${session.id}`, error); + await deleteSession(session.id); + return false; + } +} + +/** + * Main MCP request handler + * This is the optimized entry point that delegates to specific handlers + */ +export async function handleMCPRequest(c: Context) { + const { serverConfig } = c.var; + if (!serverConfig) return c.json(ErrorResponse.serverConfigNotFound(), 500); + + let session: MCPSession | undefined = c.var.session; + let method = c.req.method; + + // Handle GET requests for established sessions + if (method === 'GET' && session) { + return handleEstablishedSessionGET(c, session); + } + + return handleClientRequest(c, session); +} + +export async function handleSSERequest(c: Context) { + const { serverConfig } = c.var; + if (!serverConfig) return c.json(ErrorResponse.serverConfigNotFound(), 500); + + let session: MCPSession | undefined = c.var.session; + const isSSE = c.req.header('Accept') === 'text/event-stream'; + + if (!isSSE) { + return c.json(ErrorResponse.invalidRequest(), 400); + } + + if (!session) { + return c.json(ErrorResponse.sessionNotFound(), 404); + } + + try { + await session.handleRequest(); + } catch (error: any) { + logger.error(`Error handling SSE request for session ${session.id}`, error); + await deleteSession(session.id); + return c.json(ErrorResponse.sessionRestoreFailed(), 500); + } + return RESPONSE_ALREADY_SENT; +} + +/** + * Handle SSE messages endpoint + */ +export async function handleSSEMessages(c: Context) { + const sessionStore = getSessionStore(); + logger.debug(`POST ${c.req.url}`); + const sessionId = c.req.query('sessionId'); + + if (!sessionId) { + logger.warn('POST /messages: Missing session ID in query'); + return c.json(ErrorResponse.missingSessionId(), 400); + } + + const session = await sessionStore.get(sessionId); + if (!session) { + logger.warn(`POST /messages: Session ${sessionId} not found`); + return c.json(ErrorResponse.sessionNotFound(), 404); + } + + // Check if session is expired + if (session.isTokenExpired()) { + logger.debug(`SSE session ${sessionId} expired, removing`); + await deleteSession(sessionId); + return c.json(ErrorResponse.sessionExpired(), 401); + } + + // Ensure session is ready for SSE messages + try { + const transportType = 'sse'; + await session.initializeOrRestore(transportType); + logger.debug(`Session ${sessionId} ready for SSE messages`); + } catch (error) { + logger.error( + `Failed to prepare session ${sessionId} for SSE messages`, + error + ); + await deleteSession(sessionId); + return c.json(ErrorResponse.sessionRestoreFailed(), 500); + } + + const body = await c.req.json(); + + logger.debug(`Session ${sessionId}: Processing ${body.method} message`); + + const { incoming: req, outgoing: res } = c.env as any; + const transport = session.getDownstreamTransport() as SSEServerTransport; + await transport.handlePostMessage(req, res, body); + + return RESPONSE_ALREADY_SENT; +} diff --git a/src/mcp/mcp-index.ts b/src/mcp/mcp-index.ts new file mode 100644 index 000000000..20e0a22b3 --- /dev/null +++ b/src/mcp/mcp-index.ts @@ -0,0 +1,215 @@ +/** + * @file src/mcp-index.ts + * Portkey MCP Gateway + * + * Run this on something like mcp.portkey.ai or mcp.yourdomain.com + * and route to any MCP server with full confidence. + */ + +import { Hono } from 'hono'; +import { cors } from 'hono/cors'; + +import { ServerConfig } from './types/mcp'; +import { MCPSession } from './services/mcpSession'; +import { getSessionStore } from './services/sessionStore'; +import { createLogger } from '../shared/utils/logger'; +import { + handleMCPRequest, + handleSSEMessages, + handleSSERequest, +} from './handlers/mcpHandler'; +import { oauthMiddleware } from './middleware/oauth'; +import { hydrateContext } from './middleware/hydrateContext'; +import { oauthRoutes } from './routes/oauth'; +import { wellKnownRoutes } from './routes/wellknown'; +import { adminRoutes } from './routes/admin'; +import { controlPlaneMiddleware } from './middleware/controlPlane'; +import { cacheBackendMiddleware } from './middleware/cacheBackend'; +import { HTTPException } from 'hono/http-exception'; +import { getRuntimeKey } from 'hono/adapter'; +import { + createCacheBackendsLocal, + createCacheBackendsRedis, +} from '../shared/services/cache'; +import { getBaseUrl } from './utils/mcp-utils'; + +const logger = createLogger('MCP-Gateway'); + +type Env = { + Variables: { + serverConfig: ServerConfig; + session?: MCPSession; + tokenInfo?: any; + isAuthenticated?: boolean; + }; + Bindings: { + ALBUS_BASEPATH?: string; + CLIENT_ID?: string; + }; +}; + +// OAuth configuration - always required for security +const OAUTH_REQUIRED = true; // Force OAuth for all requests + +const app = new Hono(); + +// CORS setup for browser clients +app.use( + '*', + cors({ + origin: '*', // Configure appropriately for production + allowHeaders: [ + 'Content-Type', + 'Authorization', + 'mcp-session-id', + 'mcp-protocol-version', + ], + exposeHeaders: ['mcp-session-id', 'WWW-Authenticate'], + credentials: true, // Allow cookies and authorization headers + }) +); + +app.use(controlPlaneMiddleware); + +if (getRuntimeKey() === 'workerd') { + app.use(cacheBackendMiddleware); +} else if (getRuntimeKey() === 'node' && process.env.REDIS_CONNECTION_STRING) { + createCacheBackendsRedis(process.env.REDIS_CONNECTION_STRING); +} else { + createCacheBackendsLocal(); +} + +// Mount route groups +app.route('/oauth', oauthRoutes); +app.route('/.well-known', wellKnownRoutes); +app.route('/admin', adminRoutes); + +/** + * Global error handler. + * If error is instance of HTTPException, returns the custom response. + * Otherwise, logs the error and returns a JSON response with status code 500. + */ +app.onError((err, c) => { + console.error('Global Error Handler: ', err.message, err.cause, err.stack); + if (err instanceof HTTPException) { + return err.getResponse(); + } + if (err.cause && 'needsAuth' in (err.cause as any)) { + const wid = (err.cause as any).workspaceId; + const sid = (err.cause as any).serverId; + return c.json( + { + error: 'unauthorized', + error_description: + 'The upstream access token is invalid or has expired', + }, + 401, + { + 'WWW-Authenticate': `Bearer resource_metadata="${getBaseUrl(c).origin}/.well-known/oauth-protected-resource/${wid}/${sid}/mcp`, + } + ); + } + c.status(500); + return c.json({ status: 'failure', message: err.message }); +}); + +app.get('/', (c) => { + logger.debug('Root endpoint accessed'); + return c.json({ + gateway: 'Portkey MCP Gateway', + version: '0.1.0', + endpoints: { + mcp: ':workspaceId/:serverId/mcp', + health: '/health', + oauth: { + discovery: '/.well-known/oauth-authorization-server', + resource: '/.well-known/oauth-protected-resource', + }, + }, + }); +}); + +/** + * Main MCP endpoint with transport detection + */ +app.all( + '/:workspaceId/:serverId/mcp', + oauthMiddleware({ + required: OAUTH_REQUIRED, + skipPaths: ['/oauth', '/.well-known'], + }), + hydrateContext, + async (c) => { + return handleMCPRequest(c); + } +); + +/** + * SSE endpoint - simple redirect to main MCP endpoint + * The main /mcp endpoint already handles SSE through transport detection + */ +app.get( + '/:workspaceId/:serverId/sse', + oauthMiddleware({ + required: OAUTH_REQUIRED, + skipPaths: ['/oauth', '/.well-known'], + }), + hydrateContext, + async (c) => { + return handleSSERequest(c); + } +); + +/** + * POST endpoint for SSE message handling + * Handles messages from SSE clients + */ +app.post( + '/:workspaceId/:serverId/messages', + oauthMiddleware({ + required: OAUTH_REQUIRED, + scopes: ['mcp:servers:*', 'mcp:*'], + skipPaths: ['/oauth', '/.well-known'], + }), + hydrateContext, + async (c) => { + return handleSSEMessages(c); + } +); + +/** + * Health check endpoint + */ +app.get('/health', async (c) => { + // Get the singleton session store instance + const sessionStore = getSessionStore(); + const stats = await sessionStore.getStats(); + logger.debug('Health check accessed'); + + return c.json({ + status: 'healthy', + timestamp: new Date().toISOString(), + }); +}); + +// Catch-all route for all other requests +app.all('*', (c) => { + logger.info(`Unhandled route: ${c.req.method} ${c.req.url}`); + return c.json({ status: 'not found' }, 404); +}); + +async function shutdown() { + logger.critical('Shutting down gracefully...'); + process.exit(0); +} + +// Graceful shutdown handlers +process.on('SIGINT', async () => { + await shutdown(); +}); + +process.on('SIGTERM', async () => { + await shutdown(); +}); + +export default app; diff --git a/src/mcp/middleware/cacheBackend/index.ts b/src/mcp/middleware/cacheBackend/index.ts new file mode 100644 index 000000000..4218c35b2 --- /dev/null +++ b/src/mcp/middleware/cacheBackend/index.ts @@ -0,0 +1,11 @@ +import { Context } from 'hono'; +import { env } from 'hono/adapter'; +import { createMiddleware } from 'hono/factory'; +import { createCacheBackendsCF } from '../../../shared/services/cache'; + +export const cacheBackendMiddleware = createMiddleware( + async (c: Context, next) => { + createCacheBackendsCF(env(c)); + return next(); + } +); diff --git a/src/mcp/middleware/controlPlane/index.ts b/src/mcp/middleware/controlPlane/index.ts new file mode 100644 index 000000000..3dbae728a --- /dev/null +++ b/src/mcp/middleware/controlPlane/index.ts @@ -0,0 +1,147 @@ +import { Context } from 'hono'; +import { env } from 'hono/adapter'; +import { createMiddleware } from 'hono/factory'; +import { createLogger } from '../../../shared/utils/logger'; + +const logger = createLogger('mcp/controlPlaneMiddleware'); + +export class ControlPlane { + private controlPlaneUrl: string; + private defaultHeaders: Record; + + constructor(private c: Context) { + this.controlPlaneUrl = env(c).ALBUS_BASEPATH; + + this.defaultHeaders = { + 'User-Agent': 'Portkey-MCP-Gateway/0.1.0', + 'Content-Type': 'application/json', + }; + + if (env(c).CLIENT_ID) { + this.defaultHeaders['x-client-id-mcp-gateway'] = `${env(c).CLIENT_ID}`; + } else if (env(c).PORTKEY_CLIENT_AUTH) { + this.defaultHeaders['Authorization'] = `${env(c).PORTKEY_CLIENT_AUTH}`; + } + } + + async fetch( + path: string, + method: string = 'GET', + headers: any = {}, + body: any = {} + ) { + const reqURL = `${this.controlPlaneUrl}/v2${path}`; + if (this.c.get('tokenInfo')?.token) { + headers['x-portkey-api-key'] = `Bearer ${this.c.get('tokenInfo').token}`; + } + const options: RequestInit = { + method, + headers: { + ...this.defaultHeaders, + ...headers, + }, + }; + + if (method === 'POST' || method === 'PUT') { + options.body = body; + } + + logger.debug('Making a request to control plane', { reqURL, options }); + + const response = await fetch(reqURL, options); + return response.json(); + } + + getMCPServer(workspaceId: string, serverId: string) { + return this.fetch(`/mcp-servers/${serverId}?workspace_id=${workspaceId}`); + } + + getMCPServerClientInfo(workspaceId: string, serverId: string) { + return this.fetch(`/mcp-servers/${serverId}/client-info`); + } + + getMCPServerTokens(workspaceId: string, serverId: string) { + // Picks workspace_id from the access token we send. + return this.fetch( + `/mcp-servers/${serverId}/tokens?workspace_id=${workspaceId}` + ); + } + + saveMCPServerTokens(workspaceId: string, serverId: string, tokens: any) { + return this.fetch( + `/mcp-servers/${serverId}/tokens`, + 'PUT', + {}, + JSON.stringify({ + ...tokens, + workspace_id: workspaceId, + }) + ); + } + + deleteMCPServerTokens(workspaceId: string, serverId: string) { + return this.fetch( + `/mcp-servers/${serverId}/tokens?workspace_id=${workspaceId}`, + 'DELETE' + ); + } + + async introspect( + token: string, + token_type_hint: 'access_token' | 'refresh_token' | '' + ) { + const result: any = await this.fetch( + `/oauth/introspect`, + 'POST', + {}, + JSON.stringify({ + token: token, + token_type_hint: token_type_hint, + }) + ); + + // TODO: we do this since we use `username` instead of `sub` + // We should change that in the future + return { + active: result.active, + scope: result.scope || '', + client_id: result.client_id, + username: result.sub, + exp: result.exp, + iat: result.iat, + }; + } + + async revoke( + token: string, + token_type_hint?: 'access_token' | 'refresh_token', + client_id?: string + ): Promise { + await this.fetch( + `/oauth/revoke`, + 'POST', + {}, + JSON.stringify({ + token: token, + token_type_hint: token_type_hint, + client_id: client_id, + }) + ); + } + + get url() { + return this.controlPlaneUrl; + } +} + +/** + * Fetches a session from the session store if it exists. + * If the session is found, it is set in the context. + */ +export const controlPlaneMiddleware = createMiddleware(async (c, next) => { + if (env(c).ALBUS_BASEPATH) { + c.set('controlPlane', new ControlPlane(c)); + } + + return next(); +}); diff --git a/src/mcp/middleware/hydrateContext.ts b/src/mcp/middleware/hydrateContext.ts new file mode 100644 index 000000000..c734ac0be --- /dev/null +++ b/src/mcp/middleware/hydrateContext.ts @@ -0,0 +1,162 @@ +import { createMiddleware } from 'hono/factory'; +import { ServerConfig } from '../types/mcp'; +import { createLogger } from '../../shared/utils/logger'; +import { CacheService, getConfigCache } from '../../shared/services/cache'; +import { ControlPlane } from './controlPlane'; +import { Context, Next } from 'hono'; + +const logger = createLogger('mcp/hydrateContext'); + +const TTL = 5 * 60 * 1000; + +let LOCAL_CONFIGS_LOADED: boolean = false; + +type Env = { + Variables: { + serverConfig: ServerConfig; + session?: any; + tokenInfo?: any; + isAuthenticated?: boolean; + controlPlane?: ControlPlane; + }; + Bindings: { + ALBUS_BASEPATH?: string; + }; +}; + +/** + * Load and cache all local server configurations + */ +const loadLocalServerConfigs = async ( + configCache: CacheService +): Promise => { + if (LOCAL_CONFIGS_LOADED) return true; + + try { + const serverConfigPath = + process.env.SERVERS_CONFIG_PATH || './data/servers.json'; + + const fs = await import('fs'); + const path = await import('path'); + + const configPath = path.resolve(serverConfigPath); + const configData = await fs.promises.readFile(configPath, 'utf-8'); + const config = JSON.parse(configData); + + const serverConfigs = config.servers || {}; + + Object.keys(serverConfigs).forEach((id: string) => { + const serverConfig = serverConfigs[id]; + configCache.set(id, { + ...serverConfig, + workspaceId: id.split('/')[0], + serverId: id.split('/')[1], + }); + }); + + logger.info(`Loaded ${Object.keys(serverConfigs).length} server configs`); + LOCAL_CONFIGS_LOADED = true; + return true; + } catch (error) { + logger.warn('Failed to load local server configurations:', error); + throw error; + } +}; + +const getFromCP = async ( + cp: ControlPlane, + workspaceId: string, + serverId: string +) => { + try { + logger.debug(`Fetching server from control plane`); + + const serverInfo: any = await cp.getMCPServer(workspaceId, serverId); + + if (serverInfo) { + return { + serverId, + workspaceId, + url: serverInfo.mcp_integration_details?.url, + headers: + serverInfo.mcp_integration_details?.configurations?.headers || + serverInfo.default_headers || + {}, + auth_type: serverInfo.mcp_integration_details?.auth_type || 'none', + type: serverInfo.mcp_integration_details?.transport || 'http', + } as ServerConfig; + } + } catch (error) { + logger.warn( + `Failed to fetch server ${workspaceId}/${serverId} from control plane` + ); + return null; + } +}; + +const success = (c: Context, serverInfo: ServerConfig, next: Next) => { + c.set('serverConfig', serverInfo); + return next(); +}; + +const error = (c: Context, workspaceId: string, serverId: string) => { + logger.error( + `Server configuration not found for: ${workspaceId}/${serverId}` + ); + return c.json( + { + error: 'not_found', + error_description: `Server '${workspaceId}/${serverId}' not found`, + }, + 404 + ); +}; + +/** + * Get server configuration by ID, trying control plane first if available + */ +export const getServerConfig = async ( + workspaceId: string, + serverId: string, + c: any +): Promise => { + const configCache = getConfigCache(); + const cacheKey = `${workspaceId}/${serverId}`; + + const cached = await configCache.get(cacheKey); + if (cached) return cached; + + const CP = c.get('controlPlane'); + if (CP) { + const serverInfo = await getFromCP(CP, workspaceId, serverId); + if (serverInfo) { + await configCache.set( + cacheKey, + { ...serverInfo, workspaceId, serverId }, + { ttl: TTL } + ); + } + return serverInfo; // Return null if not found in CP - don't fallback + } else { + // Only use local configs when no Control Plane is available + if (!LOCAL_CONFIGS_LOADED) { + await loadLocalServerConfigs(configCache); + } + return await configCache.get(cacheKey); + } +}; + +export const hydrateContext = createMiddleware(async (c, next) => { + const serverId = c.req.param('serverId'); + const workspaceId = c.req.param('workspaceId'); + + if (!serverId || !workspaceId) { + return next(); + } + + // Check cache for server config + const serverInfo = await getServerConfig(workspaceId, serverId, c); + if (serverInfo) return success(c, serverInfo, next); + + return error(c, workspaceId, serverId); +}); diff --git a/src/mcp/middleware/oauth/index.ts b/src/mcp/middleware/oauth/index.ts new file mode 100644 index 000000000..29d2d26dc --- /dev/null +++ b/src/mcp/middleware/oauth/index.ts @@ -0,0 +1,163 @@ +/** + * @file src/middlewares/oauth/index.ts + * OAuth 2.1 validation middleware for MCP Gateway + * + * Implements RFC 9728 (Protected Resource Metadata) and RFC 8414 (Authorization Server Metadata) + * for MCP server authentication per the Model Context Protocol specification. + */ + +import { createMiddleware } from 'hono/factory'; +import { createLogger } from '../../../shared/utils/logger'; +import { + OAuthGateway, + TokenIntrospectionResponse, +} from '../../services/oauthGateway'; +import { getTokenCache } from '../../../shared/services/cache/index'; +import { Context } from 'hono'; +import { getBaseUrl } from '../../utils/mcp-utils'; + +type Env = { + Variables: { + serverConfig?: any; + session?: any; + tokenInfo?: any; + isAuthenticated?: boolean; + }; + Bindings: { + ALBUS_BASEPATH?: string; + CLIENT_ID?: string; + }; +}; + +const logger = createLogger('OAuth-Middleware'); + +interface OAuthConfig { + required?: boolean; // Whether OAuth is required for this route + scopes?: string[]; // Required scopes for this route + skipPaths?: string[]; // Paths to skip OAuth validation +} + +/** + * Extract Bearer token from Authorization header + */ +function extractBearerToken(authorization: string | undefined): string | null { + if (!authorization) return null; + + const match = authorization.match(/^(?:Bearer\s+)?(.+)$/i); + return match ? match[1] : null; +} + +/** + * Create WWW-Authenticate header value per RFC 9728 + */ +function createWWWAuthenticateHeader(baseUrl: string, path: string): string { + let header = `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource${path}"`; + + return header; +} + +/** + * Introspect token with the control plane or local service + */ +async function introspectToken( + token: string, + c: Context +): Promise { + // Check persistent cache first + const cache = getTokenCache(); + const cached = await cache.get(token, 'introspection'); + if (cached) { + logger.debug('Token found in persistent cache'); + return cached; + } + + try { + const gateway = new OAuthGateway(c); + const result = await gateway.introspectToken(token, 'access_token'); + + // Cache the result for 5 minutes or until token expiry + if (result.active) { + const expiresIn = result.exp + ? Math.min(result.exp * 1000 - Date.now(), 5 * 60 * 1000) + : 5 * 60 * 1000; + + await cache.set(token, result, { + ttl: expiresIn, + namespace: 'introspection', + }); + } + + return result; + } catch (error) { + logger.error('Failed to introspect token', error); + return { active: false }; + } +} + +/** + * OAuth validation middleware factory + */ +export function oauthMiddleware(config: OAuthConfig = {}) { + return createMiddleware(async (c, next) => { + const path = c.req.path; + + // Skip OAuth for certain paths + if (config.skipPaths?.some((skip) => path.startsWith(skip))) { + return next(); + } + + const baseUrl = getBaseUrl(c).origin; + const authorization = + c.req.header('Authorization') || c.req.header('x-portkey-api-key'); + const token = extractBearerToken(authorization); + + // If no token and OAuth is not required, continue + // NOTE: For production security, OAuth should always be required + if (!token && !config.required) { + logger.warn( + `No token provided for ${path}, continuing without auth - SECURITY RISK` + ); + return next(); + } + + // If no token and OAuth is required, return 401 + if (!token && config.required) { + logger.warn(`No token provided for protected resource ${path}`); + return c.json( + { + error: 'unauthorized', + error_description: 'Authentication required to access this resource', + }, + 401, + { + 'WWW-Authenticate': createWWWAuthenticateHeader(baseUrl, path), + } + ); + } + + // Introspect the token (works with both control plane and local service) + const introspection: any = await introspectToken(token!, c); + + introspection.token = token; + + if (!introspection.active) { + logger.warn(`Invalid or expired token for ${path}`); + return c.json( + { + error: 'unauthorized', + error_description: 'The access token is invalid or has expired', + }, + 401, + { + 'WWW-Authenticate': createWWWAuthenticateHeader(baseUrl, path), + } + ); + } + + // Store token info in context for downstream use + c.set('tokenInfo', introspection); + c.set('isAuthenticated', true); + + return next(); + }); +} diff --git a/src/mcp/middleware/sessionMiddleware.ts b/src/mcp/middleware/sessionMiddleware.ts new file mode 100644 index 000000000..dbdf7836c --- /dev/null +++ b/src/mcp/middleware/sessionMiddleware.ts @@ -0,0 +1,60 @@ +import { createMiddleware } from 'hono/factory'; +import { MCPSession } from '../services/mcpSession'; +import { getSessionStore } from '../services/sessionStore'; +import { createLogger } from '../../shared/utils/logger'; +import { HEADER_MCP_SESSION_ID } from '../../mcp/constants/mcp'; +import { ControlPlane } from './controlPlane'; + +const logger = createLogger('mcp/sessionMiddleware'); + +type Env = { + Variables: { + session?: MCPSession; + controlPlane?: ControlPlane; + }; +}; + +/** + * Fetches a session from the session store if it exists. + * If the session is found, it is set in the context. + */ +export const sessionMiddleware = createMiddleware(async (c, next) => { + const sessionStore = getSessionStore(); + const headerSessionId = c.req.header(HEADER_MCP_SESSION_ID); + const querySessionId = c.req.query('sessionId'); + const sessionId = headerSessionId || querySessionId; + + if (sessionId) { + const session = await sessionStore.get(sessionId, c); + + if (session) { + // Check if session is expired based on token expiration + if (session.isTokenExpired()) { + logger.debug( + `Session ${sessionId} expired due to token expiration, removing` + ); + await sessionStore.delete(sessionId); + } else { + logger.debug( + `Session ${sessionId} found, initialized: ${session.isInitialized}` + ); + c.set('session', session); + } + } else { + logger.debug(`Session ID ${sessionId} provided but not found in store`); + return c.json( + { + jsonrpc: '2.0', + error: { + code: -32001, + message: 'Session not found', + }, + id: null, + }, + 404 + ); + } + } + + await next(); +}); diff --git a/src/mcp/routes/admin.ts b/src/mcp/routes/admin.ts new file mode 100644 index 000000000..e8b251fdf --- /dev/null +++ b/src/mcp/routes/admin.ts @@ -0,0 +1,424 @@ +/** + * @file src/routes/admin.ts + * Admin routes for managing MCP servers and cache + */ + +import { Hono } from 'hono'; +import { createLogger } from '../../shared/utils/logger'; +import { + getConfigCache, + getSessionCache, + getMcpServersCache, + getDefaultCache, + getTokenCache, + getOauthStore, +} from '../../shared/services/cache'; +import { ServerConfig } from '../types/mcp'; + +const logger = createLogger('AdminRoutes'); + +type Env = { + Variables: { + controlPlane?: any; + }; +}; + +const adminRoutes = new Hono(); + +// MCP Server Management Routes + +/** + * Get all MCP servers + */ +adminRoutes.get('/mcp/servers', async (c) => { + try { + const configCache = getConfigCache(); + const allKeys = await configCache.keys(); + const servers: any[] = []; + + for (const key of allKeys) { + const config = await configCache.get(key); + if (config) { + servers.push({ + id: key, + ...config, + cached: true, + }); + } + } + + return c.json({ servers }); + } catch (error) { + logger.error('Failed to get MCP servers:', error); + return c.json({ error: 'Failed to get MCP servers' }, 500); + } +}); + +/** + * Get specific MCP server + */ +adminRoutes.get('/mcp/servers/:id', async (c) => { + try { + const serverId = c.req.param('id'); + const configCache = getConfigCache(); + const config = await configCache.get(serverId); + + if (!config) { + return c.json({ error: 'Server not found' }, 404); + } + + return c.json({ server: config }); + } catch (error) { + logger.error('Failed to get MCP server:', error); + return c.json({ error: 'Failed to get MCP server' }, 500); + } +}); + +/** + * Create or update MCP server + */ +adminRoutes.post('/mcp/servers', async (c) => { + try { + const serverConfig: ServerConfig = await c.req.json(); + const serverId = `${serverConfig.workspaceId}/${serverConfig.serverId}`; + + const configCache = getConfigCache(); + await configCache.set(serverId, serverConfig); + + return c.json({ + message: 'Server saved successfully', + server: { id: serverId, ...serverConfig }, + }); + } catch (error) { + logger.error('Failed to save MCP server:', error); + return c.json({ error: 'Failed to save MCP server' }, 500); + } +}); + +/** + * Delete MCP server + */ +adminRoutes.delete('/mcp/servers/:id', async (c) => { + try { + const serverId = c.req.param('id'); + const configCache = getConfigCache(); + + // Remove from cache + await configCache.delete(serverId); + + return c.json({ message: 'Server deleted successfully' }); + } catch (error) { + logger.error('Failed to delete MCP server:', error); + return c.json({ error: 'Failed to delete MCP server' }, 500); + } +}); + +// Cache Management Routes + +/** + * Get cache statistics with optional namespace filtering + */ +adminRoutes.get('/cache/stats', async (c) => { + try { + const namespaceFilter = c.req.query('namespace'); // Optional namespace filter + const backendFilter = c.req.query('backend'); // Optional backend filter + + const caches = { + config: getConfigCache(), + session: getSessionCache(), + mcpServers: getMcpServersCache(), + default: getDefaultCache(), + token: getTokenCache(), + oauth: getOauthStore(), + }; + + const stats: any = {}; + + for (const [name, cache] of Object.entries(caches)) { + // Skip if backend filter is specified and doesn't match + if (backendFilter && name !== backendFilter) { + continue; + } + + try { + let cacheStats; + let keys; + + if (namespaceFilter) { + // Get stats for specific namespace + cacheStats = await cache.getStats(namespaceFilter); + keys = await cache.keys(namespaceFilter); + + stats[name] = { + ...cacheStats, + keyCount: keys.length, + namespace: namespaceFilter, + keys: keys.slice(0, 10), // Show first 10 keys as preview + }; + } else { + // Get all stats with namespace breakdown + cacheStats = await cache.getStats(); + const allKeys = await cache.keys(); + + // Get namespace breakdown + const namespaceBreakdown: any = {}; + const namespacedKeys = allKeys.filter((k) => k.includes(':')); + const nonNamespacedKeys = allKeys.filter((k) => !k.includes(':')); + + // Group namespaced keys + namespacedKeys.forEach((key) => { + const namespace = key.split(':')[0]; + if (!namespaceBreakdown[namespace]) { + namespaceBreakdown[namespace] = 0; + } + namespaceBreakdown[namespace]++; + }); + + stats[name] = { + ...cacheStats, + keyCount: allKeys.length, + nonNamespacedKeyCount: nonNamespacedKeys.length, + namespaceBreakdown, + keys: allKeys.slice(0, 10), // Show first 10 keys as preview + }; + } + } catch (error: any) { + stats[name] = { error: error.message }; + } + } + + return c.json({ cacheStats: stats }); + } catch (error: any) { + logger.error('Failed to get cache stats:', error); + return c.json({ error: 'Failed to get cache stats' }, 500); + } +}); + +/** + * Get cache statistics for a specific backend/namespace combination + */ +adminRoutes.get('/cache/:type/stats', async (c) => { + try { + const cacheType = c.req.param('type'); + const namespace = c.req.query('namespace'); // Optional namespace filter + + let cache; + switch (cacheType) { + case 'config': + cache = getConfigCache(); + break; + case 'session': + cache = getSessionCache(); + break; + case 'mcpServers': + cache = getMcpServersCache(); + break; + case 'default': + cache = getDefaultCache(); + break; + case 'token': + cache = getTokenCache(); + break; + case 'oauth': + cache = getOauthStore(); + break; + default: + return c.json({ error: 'Invalid cache type' }, 400); + } + + const cacheStats = await cache.getStats(namespace); + const keys = await cache.keys(namespace); + + return c.json({ + stats: { + ...cacheStats, + keyCount: keys.length, + namespace: namespace || null, + backend: cacheType, + }, + }); + } catch (error: any) { + logger.error('Failed to get cache stats:', error); + return c.json({ error: 'Failed to get cache stats' }, 500); + } +}); + +/** + * Get cache entries by cache type + */ +adminRoutes.get('/cache/:type', async (c) => { + try { + const cacheType = c.req.param('type'); + const limit = parseInt(c.req.query('limit') || '50'); + const offset = parseInt(c.req.query('offset') || '0'); + const namespaceFilter = c.req.query('namespace'); // Optional namespace filter + + let cache; + switch (cacheType) { + case 'config': + cache = getConfigCache(); + break; + case 'session': + cache = getSessionCache(); + break; + case 'mcpServers': + cache = getMcpServersCache(); + break; + case 'default': + cache = getDefaultCache(); + break; + case 'token': + cache = getTokenCache(); + break; + case 'oauth': + cache = getOauthStore(); + break; + default: + return c.json({ error: 'Invalid cache type' }, 400); + } + + const keys = await cache.keys(namespaceFilter); + + const paginatedKeys = keys.slice(offset, offset + limit); + const entries = []; + + for (const key of paginatedKeys) { + try { + let value = await cache.get(key, namespaceFilter); + + entries.push({ + key, + value, + }); + } catch (error: any) { + logger.warn(`Failed to get cache entry for key ${key}:`, error); + entries.push({ + key, + value: null, + metadata: null, + createdAt: null, + expiresAt: null, + error: error.message, + }); + } + } + + // Extract available namespaces from the keys + const availableNamespaces = [ + ...new Set( + keys.filter((k) => k.includes(':')).map((k) => k.split(':')[0]) + ), + ]; + + return c.json({ + entries, + total: keys.length, + offset, + limit, + availableNamespaces, + }); + } catch (error) { + logger.error('Failed to get cache entries:', error); + return c.json({ error: 'Failed to get cache entries' }, 500); + } +}); + +/** + * Delete cache entry + */ +adminRoutes.delete('/cache/:type/:key', async (c) => { + try { + const cacheType = c.req.param('type'); + const key = decodeURIComponent(c.req.param('key')); + + let cache; + switch (cacheType) { + case 'config': + cache = getConfigCache(); + break; + case 'session': + cache = getSessionCache(); + break; + case 'mcpServers': + cache = getMcpServersCache(); + break; + case 'default': + cache = getDefaultCache(); + break; + case 'token': + cache = getTokenCache(); + break; + case 'oauth': + cache = getOauthStore(); + break; + default: + return c.json({ error: 'Invalid cache type' }, 400); + } + + // Check if key is namespaced (contains colon) + if (key.includes(':')) { + const [keyNamespace, actualKey] = key.split(':', 2); + await cache.delete(actualKey, keyNamespace); + } else { + // Non-namespaced key + await cache.delete(key); + } + + return c.json({ message: 'Cache entry deleted successfully' }); + } catch (error) { + logger.error('Failed to delete cache entry:', error); + return c.json({ error: 'Failed to delete cache entry' }, 500); + } +}); + +/** + * Clear entire cache + */ +adminRoutes.delete('/cache/:type', async (c) => { + try { + const cacheType = c.req.param('type'); + + let cache; + switch (cacheType) { + case 'config': + cache = getConfigCache(); + break; + case 'session': + cache = getSessionCache(); + break; + case 'mcpServers': + cache = getMcpServersCache(); + break; + case 'default': + cache = getDefaultCache(); + break; + case 'token': + cache = getTokenCache(); + break; + case 'oauth': + cache = getOauthStore(); + break; + default: + return c.json({ error: 'Invalid cache type' }, 400); + } + + const namespace = c.req.query('namespace'); // Optional namespace to clear + + if (namespace) { + // Clear specific namespace + await cache.clear(namespace); + return c.json({ + message: `${cacheType} cache namespace '${namespace}' cleared successfully`, + }); + } else { + // Clear entire cache + await cache.clear(); + return c.json({ message: `${cacheType} cache cleared successfully` }); + } + } catch (error: any) { + logger.error('Failed to clear cache:', error); + return c.json({ error: 'Failed to clear cache' }, 500); + } +}); + +export { adminRoutes }; diff --git a/src/mcp/routes/oauth.ts b/src/mcp/routes/oauth.ts new file mode 100644 index 000000000..c12893693 --- /dev/null +++ b/src/mcp/routes/oauth.ts @@ -0,0 +1,287 @@ +// routes/oauth.ts + +import { Hono } from 'hono'; + +import { createLogger } from '../../shared/utils/logger'; +import { OAuthGateway } from '../services/oauthGateway'; + +const logger = createLogger('oauth-routes'); + +type Env = { + Bindings: { + ALBUS_BASEPATH?: string; + }; + Variables: { + gateway: OAuthGateway; + controlPlane?: any; + }; +}; + +const oauthRoutes = new Hono(); + +/** + * Parse the body of the request to a URLSearchParams + * @param c + * @returns + */ +async function parseBodyToParams(c: any): Promise { + const contentType = c.req.header('Content-Type') || ''; + if (contentType.includes('application/x-www-form-urlencoded')) { + const body = await c.req.text(); + return new URLSearchParams(body); + } + if (contentType.includes('application/json')) { + const json = await c.req.json(); + return new URLSearchParams(json as any); + } + return new URLSearchParams(); +} + +const jsonError = ( + c: any, + status: number, + error: string, + error_description?: string +) => + c.json( + { error, ...(error_description ? { error_description } : {}) }, + status + ); + +/** + * Middleware: attach a configured gateway to the context + */ +oauthRoutes.use('*', async (c, next) => { + if (c.get('controlPlane')) { + return c.json({ error: 'Not implemented' }, 501); + } + c.set('gateway', new OAuthGateway(c)); + await next(); +}); + +const gw = (c: any) => c.get('gateway') as OAuthGateway; + +/** + * OAuth 2.1 Dynamic Client Registration + * Registers new OAuth clients + */ +oauthRoutes.post('/register', async (c) => { + try { + const clientData = (await c.req.json()) as any; + logger.debug('register client', { url: c.req.url, clientData }); + + const result = await gw(c).registerClient(clientData); + return c.json(result, 201); + } catch (error) { + logger.error('Failed to handle registration request', error); + return jsonError(c, 500, 'server_error', 'Registration failed'); + } +}); + +/** + * OAuth 2.1 Authorization Endpoint + * Handles browser-based authorization flow + */ +oauthRoutes.get('/authorize', async (c) => { + logger.debug('oauth/authorize GET', { url: c.req.url }); + return await gw(c).startAuthorization(); +}); + +/** + * OAuth 2.1 Authorization Endpoint (POST) + * Handles consent form submission + */ +oauthRoutes.post('/authorize', async (c) => { + return gw(c).completeAuthorization(); +}); + +/** + * OAuth 2.1 Token Endpoint Proxy + * Forwards token requests to the control plane + */ +oauthRoutes.post('/token', async (c) => { + try { + const params = await parseBodyToParams(c); + if (params.toString() === '') { + return jsonError(c, 400, 'invalid_request', 'Unsupported content type'); + } + + const result = await gw(c).handleTokenRequest(params, c.req.raw.headers); + + if (result.error && result.error === 'invalid_grant') { + return c.json( + { + error: 'unauthorized', + error_description: result.error_description ?? 'invalid grant', + }, + 401, + { + 'WWW-Authenticate': `Bearer realm="Portkey", error="invalid_token", error_description="${result.error_description ?? 'invalid grant'}"`, + } + ); + } + + return c.json(result, result.error ? 400 : 200); + } catch (error) { + logger.error('Failed to handle token request', error); + return jsonError(c, 502, 'server_error', 'Token request failed'); + } +}); + +/** + * OAuth 2.1 Token Introspection Endpoint Proxy + * Forwards introspection requests to the control plane + */ +oauthRoutes.post('/introspect', async (c) => { + try { + const params = await parseBodyToParams(c); + if (params.toString() === '') { + return c.json({ active: false }, 400); + } + + const token = params.get('token') || ''; + const token_type_hint = (params.get('token_type_hint') || '') as + | 'refresh_token' + | 'access_token' + | ''; + + const result = await gw(c).introspectToken(token, token_type_hint); + return c.json(result, result.active ? 200 : 400); + } catch (error) { + logger.error('Failed to handle introspection request', error); + return c.json({ active: false }, 502); + } +}); + +/** + * OAuth 2.1 Token Revocation + * Revokes access tokens + */ +oauthRoutes.post('/revoke', async (c) => { + try { + const params = await parseBodyToParams(c); + if (params.toString() === '') { + return c.text('', 200); + } + + const token = params.get('token') || ''; + const token_type_hint = params.get('token_type_hint') || ''; + const client_id = params.get('client_id') || ''; + const authHeader = c.req.header('Authorization'); + + await gw(c).revokeToken(token, token_type_hint, client_id, authHeader); + + // Per RFC 7009, always return 200 OK + return c.text('', 200); + } catch (error) { + logger.error('Failed to handle revocation request', error); + // Per RFC 7009, errors should still return 200 + return c.text('', 200); + } +}); + +/** + * Handle OAuth callback from upstream servers + * This receives the authorization code from upstream servers and redirects back to consent + */ +oauthRoutes.get('/upstream-callback', async (c) => { + const code = c.req.query('code'); + const state = c.req.query('state'); + const error = c.req.query('error'); + + logger.debug('Received upstream OAuth callback', { + hasCode: code, + hasState: state, + error, + url: c.req.url, + }); + + if (!state) { + return c.html('Invalid state in upstream callback', 400); + } + + const result = await gw(c).completeUpstreamAuth(); + + if (result.error) { + return c.html(` + + Authorization Failed + +

Authorization Failed

+

Error: ${result.error}

+

${result.error_description || ''}

+ + + + `); + } + + // Redirect back to consent form or close window + return c.html(` + + + Authorization Complete + + + +
+

✅ Authorization Complete

+

You have successfully authorized access to the upstream server.

+

You can now close this window and return to approve the gateway access.

+
+ + + + `); +}); + +export { oauthRoutes }; diff --git a/src/mcp/routes/wellknown.ts b/src/mcp/routes/wellknown.ts new file mode 100644 index 000000000..19ee3a1b3 --- /dev/null +++ b/src/mcp/routes/wellknown.ts @@ -0,0 +1,178 @@ +// routes/wellknown.ts +import { Hono } from 'hono'; +import { createLogger } from '../../shared/utils/logger'; +import { getBaseUrl } from '../utils/mcp-utils'; + +const logger = createLogger('wellknown-routes'); + +type Env = { + Variables: { + controlPlane?: any; + }; +}; + +const CACHE_MAX_AGE = 1; + +const wellKnownRoutes = new Hono(); +/** + * OAuth 2.1 Discovery Endpoint + * Returns the OAuth authorization server metadata for this gateway + */ +wellKnownRoutes.get('/oauth-authorization-server', async (c) => { + logger.debug('GET /.well-known/oauth-authorization-server'); + + let baseUrl = getBaseUrl(c).origin; + + if (c.get('controlPlane')) { + baseUrl = c.get('controlPlane').url; + } + + // OAuth 2.1 Authorization Server Metadata (RFC 8414) + // https://datatracker.ietf.org/doc/html/rfc8414 + const metadata = { + issuer: baseUrl, + authorization_endpoint: `${baseUrl}/oauth/authorize`, + token_endpoint: `${baseUrl}/oauth/token`, + token_endpoint_auth_signing_alg_values_supported: ['RS256'], + introspection_endpoint: `${baseUrl}/oauth/introspect`, + introspection_endpoint_auth_methods_supported: [ + 'client_secret_basic', + 'client_secret_post', + ], + revocation_endpoint: `${baseUrl}/oauth/revoke`, + revocation_endpoint_auth_methods_supported: [ + 'client_secret_basic', + 'client_secret_post', + ], + registration_endpoint: `${baseUrl}/oauth/register`, + scopes_supported: [ + 'mcp:servers:read', // List available MCP servers + 'mcp:servers:*', // Access specific MCP servers (e.g., mcp:servers:linear) + 'mcp:tools:list', // List tools on accessible servers + 'mcp:tools:call', // Execute tools on accessible servers + 'mcp:*', // Full access to all MCP operations + ], + response_types_supported: ['code'], + grant_types_supported: [ + 'authorization_code', + 'refresh_token', + 'client_credentials', + ], + response_modes_supported: ['query', 'fragment'], + token_endpoint_auth_methods_supported: [ + 'client_secret_basic', + 'client_secret_post', + 'none', // For public clients using PKCE + ], + code_challenge_methods_supported: ['S256'], // Required for MCP per RFC + service_documentation: 'https://portkey.ai/docs/mcp-gateway', + ui_locales_supported: ['en'], + }; + + return c.json(metadata, 200, { + 'Cache-Control': `public, max-age=${CACHE_MAX_AGE}`, // Cache for 1 hour + }); +}); + +wellKnownRoutes.get( + '/oauth-authorization-server/:workspaceId/:serverId/mcp', + async (c) => { + logger.debug( + 'GET /.well-known/oauth-authorization-server/:workspaceId/:serverId/mcp' + ); + + let baseUrl = getBaseUrl(c).origin; + + if (c.get('controlPlane')) { + baseUrl = c.get('controlPlane').url; + } + + const metadata = { + issuer: baseUrl, + }; + + return c.json(metadata, 200, { + 'Cache-Control': `public, max-age=${CACHE_MAX_AGE}`, // Cache for 1 hour + }); + } +); + +wellKnownRoutes.get( + '/oauth-protected-resource/:workspaceId/:serverId/mcp', + async (c) => { + logger.debug( + 'GET /.well-known/oauth-protected-resource/:workspaceId/:serverId/mcp', + { + workspaceId: c.req.param('workspaceId'), + serverId: c.req.param('serverId'), + } + ); + + let baseUrl = getBaseUrl(c).origin; + const resourceUrl = `${baseUrl}/${c.req.param('workspaceId')}/${c.req.param('serverId')}/mcp`; + + if (c.get('controlPlane')) { + baseUrl = c.get('controlPlane').url; + } + + const metadata = { + // This MCP gateway acts as a protected resource + resource: resourceUrl, + // Point to our authorization server (either this gateway or control plane) + authorization_servers: [baseUrl], + // Scopes required to access this resource + scopes_supported: [ + 'mcp:servers:read', + 'mcp:servers:*', + 'mcp:tools:list', + 'mcp:tools:call', + 'mcp:*', + ], + }; + + return c.json(metadata, 200, { + 'Cache-Control': `public, max-age=${CACHE_MAX_AGE}`, // Cache for 1 hour + }); + } +); + +wellKnownRoutes.get( + '/oauth-protected-resource/:workspaceId/:serverId/sse', + async (c) => { + logger.debug( + 'GET /.well-known/oauth-protected-resource/:workspaceId/:serverId/sse', + { + workspaceId: c.req.param('workspaceId'), + serverId: c.req.param('serverId'), + } + ); + + let baseUrl = getBaseUrl(c).origin; + const resourceUrl = `${baseUrl}/${c.req.param('workspaceId')}/${c.req.param('serverId')}/sse`; + + if (c.get('controlPlane')) { + baseUrl = c.get('controlPlane').url; + } + + const metadata = { + // This MCP gateway acts as a protected resource + resource: resourceUrl, + // Point to our authorization server (either this gateway or control plane) + authorization_servers: [baseUrl], + // Scopes required to access this resource + scopes_supported: [ + 'mcp:servers:read', + 'mcp:servers:*', + 'mcp:tools:list', + 'mcp:tools:call', + 'mcp:*', + ], + }; + + return c.json(metadata, 200, { + 'Cache-Control': `public, max-age=${CACHE_MAX_AGE}`, // Cache for 1 hour + }); + } +); + +export { wellKnownRoutes }; diff --git a/src/mcp/services/downstream.ts b/src/mcp/services/downstream.ts new file mode 100644 index 000000000..636d3e895 --- /dev/null +++ b/src/mcp/services/downstream.ts @@ -0,0 +1,121 @@ +import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js'; +import { ServerTransport, TransportTypes } from '../types/mcp.js'; +import { createLogger } from '../../shared/utils/logger.js'; +import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'; +import { RequestId } from '@modelcontextprotocol/sdk/types.js'; + +export class Downstream { + public connected: boolean = false; + public transport?: ServerTransport; + + private sessionId: string; + private logger; + private onMessageHandler: (message: any, extra: any) => Promise; + + private type: TransportTypes; + + constructor(options: { + sessionId: string; + onMessageHandler: (message: any, extra: any) => Promise; + }) { + this.sessionId = options.sessionId; // Only used in SSE transport + this.logger = createLogger(`Downstream`); + this.onMessageHandler = options.onMessageHandler; + this.type = 'http'; // to begin with + } + + create(type: TransportTypes): ServerTransport { + this.type = type; + this.logger.debug(`Creating ${this.type} downstream transport`); + + if (this.type === 'sse') { + this.transport = new SSEServerTransport( + `/messages?sessionId=${this.sessionId || crypto.randomUUID()}`, + null as any + ); + } else if (this.type === 'http') { + this.transport = new StreamableHTTPServerTransport({ + sessionIdGenerator: undefined, + }); + } else { + throw new Error('Invalid transport type'); + } + + this.transport.onmessage = this.onMessageHandler.bind(this); + + this.connected = true; + + return this.transport; + } + + sendResult(id: RequestId, result: any) { + if (!this.connected) { + throw new Error('Downstream not connected'); + } + return this.transport!.send({ + jsonrpc: '2.0', + id, + result, + }); + } + + sendError(id: RequestId, code: number, message: string, data?: any) { + if (!this.connected) { + throw new Error('Downstream not connected'); + } + return this.transport!.send({ + jsonrpc: '2.0', + id, + error: { code, message, data }, + }); + } + + sendAuthError(id: RequestId, data: any) { + if (!this.connected) { + throw new Error('Downstream not connected'); + } + return this.transport!.send({ + jsonrpc: '2.0', + id, + error: { + code: -32000, + message: 'Authorization required', + data, + }, + }); + } + + handleRequest(req: any, res: any, body?: any) { + if (!this.connected) { + throw new Error('Downstream not connected'); + } + if (this.type === 'sse' && req.method === 'POST' && body) { + return (this.transport as SSEServerTransport).handlePostMessage( + req, + res, + body + ); + } else if (this.type === 'http') { + return (this.transport as StreamableHTTPServerTransport).handleRequest( + req, + res, + body + ); + } else if (req.method === 'GET') { + res.writeHead(400).end('Invalid path.'); + return; + } else { + res.writeHead(405).end('Method not allowed'); + return; + } + } + + async close() { + if (!this.connected) { + throw new Error('Downstream not connected'); + } + this.connected = false; + await this.transport?.close(); + this.transport = undefined; + } +} diff --git a/src/mcp/services/mcpSession.ts b/src/mcp/services/mcpSession.ts new file mode 100644 index 000000000..f6163c463 --- /dev/null +++ b/src/mcp/services/mcpSession.ts @@ -0,0 +1,729 @@ +/** + * @file src/services/mcpSession.ts + * MCP session that bridges client and upstream server + */ + +import { Transport } from '@modelcontextprotocol/sdk/shared/transport.js'; +import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js'; +import { + JSONRPCRequest, + CallToolRequest, + ListToolsRequest, + ErrorCode, + InitializeRequest, + InitializeResult, + Tool, + EmptyResultSchema, + isJSONRPCRequest, + isJSONRPCError, + isJSONRPCResponse, + isJSONRPCNotification, +} from '@modelcontextprotocol/sdk/types.js'; +import { ServerConfig, ServerTransport, TransportTypes } from '../types/mcp'; +import { createLogger } from '../../shared/utils/logger'; +import { Context } from 'hono'; +import { ConnectResult, Upstream } from './upstream'; +import { Downstream } from './downstream'; +import { emitLog } from '../utils/emitLog'; + +export type TransportType = 'http' | 'sse' | 'auth-required'; + +export interface TransportCapabilities { + clientTransport: TransportType; + upstreamTransport: TransportType; +} + +export enum SessionStatus { + New = 'new', + Initializing = 'initializing', + Initialized = 'initialized', + Dormant = 'dormant', + Closed = 'closed', +} + +export class MCPSession { + public id: string; + public createdAt: number; + public lastActivity: number; + + private transportCapabilities?: TransportCapabilities; + + private upstream: Upstream; + private downstream: Downstream; + + private logger; + + // Session expiration tied to token lifecycle + private tokenExpiresAt?: number; + + public readonly config: ServerConfig; + public readonly gatewayToken?: any; + public upstreamSessionId?: string; + + private context?: Context; + + private status: SessionStatus = SessionStatus.New; + + constructor(options: { + config: ServerConfig; + sessionId?: string; + gatewayToken?: any; + upstreamSessionId?: string; + context?: Context; + }) { + this.config = options.config; + this.gatewayToken = options.gatewayToken; + this.id = options.sessionId || crypto.randomUUID(); + this.createdAt = Date.now(); + this.lastActivity = Date.now(); + this.logger = createLogger(`Session:${this.id.substring(0, 8)}`); + this.upstreamSessionId = options.upstreamSessionId; + this.context = options.context; + this.upstream = new Upstream( + this.config, + this.gatewayToken?.username || '', + this.logger, + this.upstreamSessionId, + this.context?.get('controlPlane') + ); + this.downstream = new Downstream({ + sessionId: this.id, + onMessageHandler: this.handleClientMessage.bind(this), + }); + this.setTokenExpiration(options.gatewayToken); + } + + /** + * Simple state checks + */ + get isInitializing(): boolean { + return this.status === SessionStatus.Initializing; + } + + get isInitialized(): boolean { + return this.status === SessionStatus.Initialized; + } + + get isClosed(): boolean { + return this.status === SessionStatus.Closed; + } + + get isDormantSession(): boolean { + return this.status === SessionStatus.Dormant; + } + + set isDormantSession(value: boolean) { + if (value) { + this.status = SessionStatus.Dormant; + } else if (this.status === SessionStatus.Dormant) { + // Only change from dormant if we're currently dormant + this.status = SessionStatus.New; + } + } + + /** + * Initialize or restore session + */ + async initializeOrRestore( + clientTransportType?: TransportType + ): Promise { + if (this.isActive()) return this.downstream.transport!; + if (this.isClosed) throw new Error('Cannot initialize closed session'); + + // Handle initializing state + if (this.isInitializing) { + await this.waitForInitialization(); + if (!this.downstream.transport) + throw new Error('Session initialization failed'); + return this.downstream.transport; + } + + clientTransportType ??= this.getClientTransportType(); + return this.initialize(clientTransportType!); + } + + /** + * Initialize the session + */ + private async initialize( + clientTransportType: TransportType + ): Promise { + this.status = SessionStatus.Initializing; + + try { + const upstream: ConnectResult = await this.upstream.connect(); + + if (!upstream.ok) { + // Handle case when upstream needs authorization + throw new Error('Failed to connect to upstream', { cause: upstream }); + } + + // Store transport capabilities for translation + this.transportCapabilities = { + clientTransport: clientTransportType, + upstreamTransport: upstream.type, + }; + + this.upstreamSessionId = upstream.sessionId; + + this.logger.debug( + `Connected Upstream: ${clientTransportType} -> ${upstream.type}` + ); + + // Create downstream transport for client + const transport = this.createDownstreamTransport(clientTransportType); + + this.status = SessionStatus.Initialized; + this.logger.debug('Session initialization completed'); + return transport; + } catch (error) { + this.logger.error('Session initialization failed', error); + this.status = SessionStatus.New; // Reset to new state on failure + throw error; + } + } + + /** + * Wait for ongoing initialization + */ + private async waitForInitialization(timeout = 30000): Promise { + const startTime = Date.now(); + while (this.isInitializing && Date.now() - startTime < timeout) { + await new Promise((resolve) => setTimeout(resolve, 100)); + } + if (this.isInitializing) throw new Error('Session initialization timeout'); + } + + /** + * Create downstream transport + */ + private createDownstreamTransport(type: TransportType): ServerTransport { + this.logger.debug(`Creating ${type} downstream transport`); + return this.downstream.create(type as TransportTypes); + } + + /** + * Initialize SSE transport with response object + */ + initializeSSETransport(): SSEServerTransport { + this.downstream.create('sse'); + this.id = this.downstream.transport!.sessionId!; + return this.downstream.transport as SSEServerTransport; + } + + /** + * Get the transport capabilities (client and upstream) + */ + getTransportCapabilities = () => this.transportCapabilities; + + /** + * Get the client transport type + */ + getClientTransportType = () => this.transportCapabilities?.clientTransport; + + /** + * Get the upstream transport type + */ + getUpstreamTransportType = () => + this.transportCapabilities?.upstreamTransport; + + /** + * Get the downstream transport (for SSE message handling) + */ + getDownstreamTransport = () => this.downstream.transport; + + /** + * Check if session has upstream connection (needed for tool calls) + */ + hasUpstreamConnection(): boolean { + return this.upstream.connected; + } + + /** + * Check if session is dormant (has metadata but no active connections) + */ + isDormant(): boolean { + return ( + this.status === SessionStatus.Dormant || + (!!this.transportCapabilities && + !this.isInitialized && + !this.hasUpstreamConnection()) + ); + } + + /** + * Check if session is active + */ + isActive(): boolean { + return ( + this.upstream.connected && + this.status === SessionStatus.Initialized && + this.downstream.connected + ); + } + + /** + * Check if session needs upstream auth + */ + needsUpstreamAuth(): boolean { + return this.upstream.pendingAuthURL !== undefined; + } + + /** + * Check if a method requires upstream connection + */ + isUpstreamMethod(method: string): boolean { + // These methods can be handled locally without upstream + const localMethods = ['logs/list']; + return !localMethods.includes(method); + } + + /** + * Set token expiration for session lifecycle management + * Session will be considered expired when token expires + */ + setTokenExpiration(tokenInfo: any): void { + if (tokenInfo?.exp) { + // Token expiration is in seconds, convert to milliseconds + this.tokenExpiresAt = tokenInfo.exp * 1000; + } else if (tokenInfo?.expires_in) { + // Relative expiration in seconds + this.tokenExpiresAt = Date.now() + tokenInfo.expires_in * 1000; + } + } + + /** + * Check if session is expired based on token expiration + */ + isTokenExpired(): boolean { + if (!this.tokenExpiresAt) { + return false; // No expiration set, rely on session timeout + } + + const expired = Date.now() > this.tokenExpiresAt; + if (expired) { + this.logger.debug( + `Session ${this.id} token expired at ${new Date(this.tokenExpiresAt).toISOString()}` + ); + } + return expired; + } + + /** + * Get token expiration info for debugging + */ + getTokenExpiration(): { expiresAt?: number; isExpired: boolean } { + return { + expiresAt: this.tokenExpiresAt, + isExpired: this.isTokenExpired(), + }; + } + + /** + * Restore session from saved data - only restore basic data, defer full initialization + */ + async restoreFromData(data: { + id: string; + createdAt: number; + lastActivity: number; + transportCapabilities?: TransportCapabilities; + clientTransportType?: TransportType; + tokenExpiresAt?: number; + upstreamSessionId?: string; + }): Promise { + Object.assign(this, { + id: data.id, + createdAt: data.createdAt, + lastActivity: data.lastActivity, + upstreamSessionId: data.upstreamSessionId, + tokenExpiresAt: data.tokenExpiresAt, + transportCapabilities: data.transportCapabilities, + clientTransportType: data.clientTransportType, + status: SessionStatus.Dormant, + }); + } + + /** + * Ensure upstream connection is established + */ + async ensureUpstreamConnection(): Promise { + if (this.hasUpstreamConnection()) return; + + const upstream: ConnectResult = await this.upstream.connect(); + if (!upstream.ok) { + // TODO: handle case when upstream needs authorization + throw new Error('Failed to connect to upstream'); + } + this.upstreamSessionId = upstream.sessionId; + this.logger.debug('Upstream connection established'); + } + + /** + * Handle client message - optimized hot path. + * Comes here when there's a message on downstreamTransport + */ + private async handleClientMessage(message: any) { + this.lastActivity = Date.now(); + + try { + if (isJSONRPCRequest(message)) { + // It's a request - handle directly + await this.handleClientRequest(message); + } else if (isJSONRPCResponse(message) || isJSONRPCError(message)) { + // It's a response - forward directly + await this.upstream.send(message); + } else if (isJSONRPCNotification(message)) { + // It's a notification - forward directly + await this.upstream.notification(message); + } + } catch (error) { + // Send error response if this was a request + if (isJSONRPCRequest(message)) { + await this.downstream?.sendError( + message.id, + ErrorCode.InternalError, + error instanceof Error ? error.message : String(error) + ); + } + } + } + + /** + * Handle requests from the client - optimized with hot paths first + */ + private async handleClientRequest(request: any) { + // eslint-disable-line @typescript-eslint/no-unused-vars + const { method } = request; + + // Check if we need upstream auth for any upstream-dependent operations + if (this.needsUpstreamAuth() && this.isUpstreamMethod(method)) { + await this.downstream.sendAuthError(request.id, { + serverId: this.config.serverId, + workspaceId: this.config.workspaceId, + authorizationUrl: this.upstream.pendingAuthURL, + }); + return; + } + + // Route to appropriate handler + const handlers: Record Promise> = { + 'tools/call': () => this.handleToolCall(request), + 'tools/list': () => this.handleToolsList(request), + initialize: () => this.handleInitialize(request), + }; + + const handler = handlers[method]; + + // Direct method handling without switch overhead for hot paths + if (handler) { + await handler(); + } else if (this.upstream.isKnownRequest(method)) { + await this.handleKnownRequests(request); + } else { + await this.forwardRequest(request); + } + } + + /** + * Handle initialization request + */ + private async handleInitialize(request: InitializeRequest) { + this.logger.debug( + 'Processing initialize request', + this.upstream.serverCapabilities + ); + + const result: InitializeResult = { + protocolVersion: request.params.protocolVersion, + capabilities: this.upstream.serverCapabilities, + serverInfo: { + name: 'portkey-mcp-gateway', + version: '1.0.0', + }, + }; + + this.logger.debug( + `Sending initialize response with tools: ${!!result.capabilities.tools}` + ); + // Send gateway response + await this.downstream.sendResult((request as any).id, result); + } + + private validateToolAccess( + toolName: string + ): 'blocked' | 'not allowed' | 'invalid' | null { + const { allowed, blocked } = this.config.tools || {}; + + if (blocked?.includes(toolName)) { + return 'blocked'; + } + + if (allowed?.length && !allowed.includes(toolName)) { + return 'not allowed'; + } + + return null; // Tool is valid + } + + /** + * Filter tools based on config + */ + private filterTools(tools: Tool[]): Tool[] { + const { allowed, blocked } = this.config.tools || {}; + let filtered = tools; + + if (blocked?.length) { + filtered = filtered.filter((tool) => !blocked.includes(tool.name)); + } + + if (allowed?.length) { + filtered = filtered.filter((tool) => allowed.includes(tool.name)); + } + + return filtered; + } + + /** + * Handle `tools/list` with filtering + */ + private async handleToolsList(request: ListToolsRequest) { + this.logger.debug('Fetching upstream tools'); + + try { + await this.ensureUpstreamConnection(); + + const upstreamResult = await this.upstream.listTools(); + const tools = this.filterTools(upstreamResult.tools); + this.logger.debug(`Received ${tools.length} tools`); + + await this.downstream.sendResult((request as any).id, { tools }); + } catch (error) { + this.logger.error('Failed to get tools', error); + await this.downstream.sendError( + (request as any).id, + ErrorCode.InternalError, + `Failed to get tools: ${error instanceof Error ? error.message : String(error)}` + ); + return; + } + } + + /** + * Handle tools/call request with validation + */ + private async handleToolCall(request: CallToolRequest) { + const { name: toolName } = request.params; + + this.logger.debug(`Tool call: ${toolName}`); + + const validationError = this.validateToolAccess(toolName); + + if (validationError) { + await this.downstream.sendError( + (request as any).id, + ErrorCode.InvalidParams, + `Tool '${toolName}' is ${validationError}` + ); + return; + } + + try { + await this.ensureUpstreamConnection(); + + const result = await this.upstream.callTool(request.params); + + this.logger.debug(`Tool ${toolName} executed successfully`); + + // This is where the guardrails would come in. + await this.downstream.sendResult((request as any).id, result); + this.logResult(request, result); + } catch (error) { + // Handle upstream errors + this.logger.error(`Tool call failed: ${toolName}`, error); + + await this.downstream.sendError( + (request as any).id, + ErrorCode.InternalError, + `Tool execution failed: ${error instanceof Error ? error.message : String(error)}` + ); + } + } + + private async handleKnownRequests(request: JSONRPCRequest) { + try { + await this.ensureUpstreamConnection(); + + const methodHandlers: Record Promise> = { + ping: () => this.upstream.ping(), + 'completion/complete': () => this.upstream.complete(request.params), + 'logging/setLevel': () => this.upstream.setLoggingLevel(request.params), + 'prompts/get': () => this.upstream.getPrompt(request.params), + 'prompts/list': () => this.upstream.listPrompts(request.params), + 'resources/list': () => this.upstream.listResources(request.params), + 'resources/templates/list': () => + this.upstream.listResourceTemplates(request.params), + 'resources/read': () => this.upstream.readResource(request.params), + 'resources/subscribe': () => + this.upstream.subscribeResource(request.params), + 'resources/unsubscribe': () => + this.upstream.unsubscribeResource(request.params), + }; + + const handler = methodHandlers[request.method]; + + if (handler) { + const result = await handler(); + await this.downstream.sendResult((request as any).id, result); + } else { + await this.forwardRequest(request); + return; + } + } catch (error) { + await this.downstream.sendError( + request.id!, + ErrorCode.InternalError, + error instanceof Error ? error.message : String(error) + ); + } + } + + /** + * Forward a request directly to upstream + */ + private async forwardRequest(request: JSONRPCRequest) { + try { + // Ensure upstream connection is established + await this.ensureUpstreamConnection(); + + const result = await this.upstream.request( + request as any, + EmptyResultSchema + ); + + await this.downstream.sendResult((request as any).id, result); + } catch (error) { + await this.downstream.sendError( + request.id!, + ErrorCode.InternalError, + error instanceof Error ? error.message : String(error) + ); + } + } + + /** + * Handle HTTP request + */ + async handleRequest() { + this.lastActivity = Date.now(); + let body: any; + + const { incoming: req, outgoing: res } = this.context?.env as any; + + if (req.method === 'POST') { + body = await this.context?.req.json(); + } + + // if (res?.setHeader) res.setHeader(HEADER_MCP_SESSION_ID, this.id); + + await this.downstream.handleRequest(req, res, body); + } + + async logRequest(request?: JSONRPCRequest) { + try { + const method = request?.method ?? 'unknown'; + const isToolCall = method === 'tools/call'; + + const reqId = (request?.id ?? '').toString(); + const toolName = isToolCall + ? (request as any)?.params?.name ?? undefined + : undefined; + + const attrs: Record = { + 'mcp.server.id': this.config.serverId, + 'mcp.workspace.id': this.config.workspaceId, + + 'mcp.transport.client': this.getClientTransportType() ?? '', + 'mcp.transport.upstream': this.getUpstreamTransportType() ?? '', + + 'mcp.request.method': method, + 'mcp.request.id': reqId, + }; + + if (toolName) { + attrs['mcp.tool.name'] = toolName; + attrs['mcp.tool.params'] = JSON.stringify(request?.params ?? {}); + } + } catch (error) { + this.logger.error('Failed to log request', error); + } + } + + async logResult( + request: any, + result: unknown, + outcome?: { + ok: boolean; + error?: any; + durationMs?: number; + } + ) { + try { + const method = request?.method ?? 'unknown'; + const isToolCall = method === 'tools/call'; + + const reqId = (request?.id ?? '').toString(); + const toolName = isToolCall + ? (request as any)?.params?.name ?? undefined + : undefined; + + const attrs: Record = { + 'mcp.server.id': this.config.serverId, + 'mcp.workspace.id': this.config.workspaceId, + + 'mcp.transport.client': this.getClientTransportType() ?? '', + 'mcp.transport.upstream': this.getUpstreamTransportType() ?? '', + + 'mcp.request.method': method, + 'mcp.request.id': reqId, + }; + + if (toolName) { + attrs['mcp.tool.name'] = toolName; + console.log( + 'arguments', + typeof (request as CallToolRequest)?.params?.arguments, + (request as CallToolRequest)?.params?.arguments + ); + attrs['mcp.tool.params'] = + (request as CallToolRequest)?.params?.arguments ?? {}; + attrs['mcp.tool.result'] = result ?? {}; + } else { + attrs['mcp.result'] = result ?? {}; + } + + if (outcome?.ok) { + attrs['mcp.request.success'] = 'true'; + attrs['mcp.request.duration_ms'] = + outcome?.durationMs?.toString() ?? ''; + } else { + attrs['mcp.request.success'] = 'false'; + attrs['mcp.request.error'] = outcome?.error + ? (outcome.error as Error)?.message ?? 'Unknown error' + : 'Unknown error'; + } + + emitLog({ type: 'mcp.request' }, attrs); + } catch (error) { + this.logger.error('Failed to log result', error); + } + } + + /** + * Clean up the session + */ + async close() { + this.status = SessionStatus.Closed; + await this.upstream.close(); + await this.downstream.close(); + } +} diff --git a/src/mcp/services/oauthGateway.ts b/src/mcp/services/oauthGateway.ts new file mode 100644 index 000000000..c7e38b390 --- /dev/null +++ b/src/mcp/services/oauthGateway.ts @@ -0,0 +1,952 @@ +/** + * @file src/services/oauthGateway.ts + * Unified OAuth gateway service that handles both control plane and local OAuth operations + */ +import crypto from 'crypto'; +import { env } from 'hono/adapter'; +import { Context } from 'hono'; +import * as oidc from 'openid-client'; + +import { createLogger } from '../../shared/utils/logger'; +import { + CacheService, + getMcpServersCache, + getOauthStore, +} from '../../shared/services/cache'; +import { getServerConfig } from '../middleware/hydrateContext'; +import { GatewayOAuthProvider } from './upstreamOAuth'; +import { ControlPlane } from '../middleware/controlPlane'; +import { auth, AuthResult } from '@modelcontextprotocol/sdk/client/auth.js'; +import { revokeOAuthToken } from '../utils/oauthTokenRevocation'; + +const logger = createLogger('OAuthGateway'); + +const ACCESS_TOKEN_TTL_SECONDS = 3600; // 1 hour +const REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 3600; // 30 days + +const nowSec = () => Math.floor(Date.now() / 1000); + +async function verifyCodeChallenge( + codeVerifier: string, + codeChallenge: string, + method: string = 'S256' +): Promise { + if (!codeVerifier || !codeChallenge) return false; + if (method === 'plain') { + return codeVerifier === codeChallenge; + } + return ( + (await oidc.calculatePKCECodeChallenge(codeVerifier)) === codeChallenge + ); +} + +export type GrantType = + | 'authorization_code' + | 'refresh_token' + | 'client_credentials'; + +export interface TokenRequest { + grant_type: GrantType; + client_id?: string; + client_secret?: string; + code?: string; + redirect_uri?: string; + code_verifier?: string; + scope?: string; +} + +export type OAuthError = { + error: + | 'invalid_request' + | 'invalid_grant' + | 'invalid_client' + | 'server_error'; + error_description: string; +}; + +export interface TokenResponseSuccess { + access_token: string; + token_type: 'Bearer'; + expires_in: number; + scope?: string; + refresh_token?: string; +} + +export type TokenResponse = TokenResponseSuccess | OAuthError; + +export interface TokenIntrospectionResponse { + active: boolean; + scope?: string; + client_id?: string; + username?: string; + exp?: number; + iat?: number; +} + +export interface OAuthClient { + client_name: string; + scope?: string; + redirect_uris?: string[]; + grant_types?: GrantType[]; + token_endpoint_auth_method?: 'none' | 'client_secret_post'; + client_secret?: string; + client_uri?: string; + logo_uri?: string; + client_id?: string; +} + +// Cache shapes +interface StoredAccessToken { + client_id: string; + active: true; + scope?: string; + iat: number; + exp: number; + user_id?: string; + username?: string; + sub?: string; +} + +interface StoredRefreshToken { + client_id: string; + scope?: string; + iat: number; + exp: number; + access_tokens: string[]; + user_id?: string; + username?: string; + sub?: string; +} + +interface StoredAuthCode { + client_id: string; + redirect_uri: string; + scope?: string; + code_challenge?: string; + code_challenge_method?: 'S256' | 'plain'; + resource?: string; + user_id: string; + /** ms epoch */ + expires: number; +} + +let oauthStore: CacheService; +let mcpServerCache: CacheService; +// let localCache: CacheService = new CacheService({ +// backend: 'memory', +// defaultTtl: 30 * 1000, // 30 seconds +// cleanupInterval: 30 * 1000, // 30 seconds +// maxSize: 100, +// }); + +// Helper for caching OAuth data +// Maintain connections with cache store and control plane +// Control Plane <-> Persistent Cache <-> Memory Cache +const OAuthGatewayCache = { + get: async (key: string, namespace?: string): Promise => { + // Check in memory cache first + // const inMemory = await localCache.get(key, namespace); + // if (inMemory) { + // return inMemory; + // } + + // Then check persistent cache + const persistent = await oauthStore.get(key, namespace); + if (persistent) { + // Store in memory cache + return persistent; + } + + // TODO: Then check control plane + + return null as T; + }, + + set: async ( + key: string, + value: T, + namespace?: string + ): Promise => { + try { + await oauthStore.set(key, value, { namespace }); + } catch (e) { + logger.error('Error setting in oauthstore', e); + } + }, + + delete: async (key: string, namespace?: string): Promise => { + // TODO: If control plane exists, we should never get here + await oauthStore.delete(key, namespace); + }, +}; + +/** + * Unified OAuth gateway that routes requests to either control plane or local service + */ +export class OAuthGateway { + private controlPlaneUrl: string | null; + private c: Context; + constructor(c: Context) { + this.controlPlaneUrl = env(c).ALBUS_BASEPATH || null; + this.c = c; + + if (!oauthStore) { + oauthStore = getOauthStore(); + } + + if (!mcpServerCache) { + mcpServerCache = getMcpServersCache(); + } + } + + get controlPlane(): ControlPlane | null { + return this.c.get('controlPlane'); + } + + private parseClientCredentials( + headers: Headers, + params: URLSearchParams + ): { clientId: string; clientSecret: string } { + let clientId = ''; + let clientSecret = ''; + const authHeader = headers.get('Authorization'); + if (authHeader?.startsWith('Basic ')) { + const base64Credentials = authHeader.slice(6); + const credentials = Buffer.from(base64Credentials, 'base64').toString( + 'utf-8' + ); + [clientId, clientSecret] = credentials.split(':'); + } else { + clientId = params.get('client_id') || ''; + clientSecret = params.get('client_secret') || ''; + } + return { clientId, clientSecret }; + } + + private async storeAccessToken( + clientId: string, + scope?: string, + userId?: string + ): Promise<{ token: string; expiresIn: number; iat: number; exp: number }> { + const token = `mcp_${crypto.randomBytes(32).toString('hex')}`; + const iat = nowSec(); + const exp = iat + ACCESS_TOKEN_TTL_SECONDS; + await oauthStore.set( + token, + { + client_id: clientId, + active: true, + scope, + iat, + exp, + user_id: userId, + }, + { namespace: 'tokens' } + ); + return { + token, + expiresIn: ACCESS_TOKEN_TTL_SECONDS, + iat, + exp, + }; + } + + private async storeRefreshToken( + clientId: string, + scope: string | undefined, + initialAccessToken: string, + userId?: string + ): Promise<{ refreshToken: string; iat: number; exp: number }> { + const refreshToken = `mcp_refresh_${crypto.randomBytes(32).toString('hex')}`; + const iat = nowSec(); + const exp = iat + REFRESH_TOKEN_TTL_SECONDS; + await oauthStore.set( + refreshToken, + { + client_id: clientId, + scope, + iat, + exp, + access_tokens: [initialAccessToken], + user_id: userId, + }, + { namespace: 'refresh_tokens' } + ); + + // Also store this refresh token against a client_id for fast revocation + await oauthStore.set(clientId, refreshToken, { + namespace: 'clientid_refresh', + }); + return { refreshToken, iat, exp }; + } + + private errorInvalidRequest(error_description: string) { + return { error: 'invalid_request', error_description }; + } + + private errorInvalidGrant(error_description: string) { + return { error: 'invalid_grant', error_description }; + } + + private errorInvalidClient(error_description: string) { + return { error: 'invalid_client', error_description }; + } + + private isPublicClient(client: any): boolean { + return ( + client?.token_endpoint_auth_method === 'none' || !client?.client_secret + ); + } + + /** + * Check if using control plane or local OAuth + */ + get isUsingControlPlane(): boolean { + return !!this.controlPlaneUrl; + } + + /** + * Handle token request + */ + async handleTokenRequest( + params: URLSearchParams, + headers: Headers + ): Promise { + const { clientId, clientSecret } = this.parseClientCredentials( + headers, + params + ); + + const grantType = params.get('grant_type') as GrantType | null; + + if (grantType === 'authorization_code') { + const code = params.get('code'); + const redirectUri = params.get('redirect_uri'); + const codeVerifier = params.get('code_verifier'); + if (!code || !redirectUri) { + return this.errorInvalidRequest( + 'Missing required parameters: code and redirect_uri are required' + ); + } + + const authCodeData = await OAuthGatewayCache.get( + code, + 'authorization_codes' + ); + if (!authCodeData || authCodeData.expires < Date.now()) { + return this.errorInvalidGrant('Invalid or expired authorization code'); + } + + if ( + authCodeData.client_id !== clientId || + authCodeData.redirect_uri !== redirectUri + ) { + return this.errorInvalidGrant('Client or redirect_uri mismatch'); + } + + // Check if the client exists + const client = await OAuthGatewayCache.get( + clientId, + 'clients' + ); + if (!client) { + return this.errorInvalidClient('Client not found'); + } + + if (client.client_secret && client.client_secret !== clientSecret) { + return this.errorInvalidClient('Invalid client credentials'); + } + + if (this.isPublicClient(client) && !authCodeData.code_challenge) { + return this.errorInvalidRequest('PKCE required for public clients'); + } + + if (authCodeData.code_challenge) { + if (!codeVerifier) { + return { + error: 'invalid_request', + error_description: 'Code verifier required', + }; + } + if ( + !(await verifyCodeChallenge( + codeVerifier, + authCodeData.code_challenge, + authCodeData.code_challenge_method || 'S256' + )) + ) { + return this.errorInvalidGrant('Invalid code verifier'); + } + } + + // Delete the authorization code + await oauthStore.delete(code, 'authorization_codes'); + + if (!authCodeData.user_id) { + logger.warn('No user ID found in authCodeData'); + return this.errorInvalidGrant( + 'User ID not found in authorization code' + ); + } + + // Use the scope from the authorization code, or default to allowed scopes + const tokenScope = authCodeData.scope || client.scope; + + // Store access token + const access = await this.storeAccessToken( + clientId, + tokenScope, + authCodeData.user_id + ); + + // Store refresh token + const refresh = await this.storeRefreshToken( + clientId, + tokenScope, + access.token, + authCodeData.user_id + ); + + return { + access_token: access.token, + token_type: 'Bearer', + expires_in: access.expiresIn, + scope: tokenScope, + refresh_token: refresh.refreshToken, + }; + } + + if (grantType === 'refresh_token') { + const refreshToken = params.get('refresh_token'); + if (!refreshToken) { + return this.errorInvalidRequest('Missing refresh_token parameter'); + } + + const storedRefreshToken = + await OAuthGatewayCache.get( + refreshToken, + 'refresh_tokens' + ); + if (!storedRefreshToken || storedRefreshToken.exp < nowSec()) { + return this.errorInvalidGrant('Invalid or expired refresh token'); + } + + // Enforce client authentication/match for refresh_token grant + const client = await OAuthGatewayCache.get( + storedRefreshToken.client_id, + 'clients' + ); + if (!client) { + return this.errorInvalidClient('Client not found'); + } + const isPublic = client.token_endpoint_auth_method === 'none'; + if (!isPublic) { + if (!clientId || clientId !== storedRefreshToken.client_id) { + return this.errorInvalidClient('Client mismatch'); + } + if (client.client_secret && client.client_secret !== clientSecret) { + return this.errorInvalidClient('Invalid client credentials'); + } + } + + const access = await this.storeAccessToken( + storedRefreshToken.client_id, + storedRefreshToken.scope, + storedRefreshToken.user_id + ); + + storedRefreshToken.access_tokens.push(access.token); + await oauthStore.set( + refreshToken, + storedRefreshToken, + { + namespace: 'refresh_tokens', + } + ); + + return { + access_token: access.token, + token_type: 'Bearer', + expires_in: access.expiresIn, + scope: storedRefreshToken.scope, + refresh_token: refreshToken, + }; + } + + if (grantType === 'client_credentials') { + // Check if client exists + const client = await OAuthGatewayCache.get( + clientId, + 'clients' + ); + if (!client) { + return this.errorInvalidClient('Client not found'); + } + + if (client.client_secret && client.client_secret !== clientSecret) { + return this.errorInvalidClient('Invalid client credentials'); + } + + // Generate tokens + + // Store access token + const access = await this.storeAccessToken(clientId, client.scope); + + return { + access_token: access.token, + token_type: 'Bearer', + expires_in: access.expiresIn, + scope: client.scope, + }; + } + + return this.errorInvalidGrant('Unsupported grant type'); + } + + /** + * Introspect token + */ + async introspectToken( + token: string, + hint: 'access_token' | 'refresh_token' | '' + ): Promise { + if (!token) return { active: false }; + + const fromAccess = + !hint || hint === 'access_token' + ? await OAuthGatewayCache.get(token, 'tokens') + : null; + const fromRefresh = + !fromAccess && (!hint || hint === 'refresh_token') + ? await OAuthGatewayCache.get( + token, + 'refresh_tokens' + ) + : null; + let tok = (fromAccess || fromRefresh) as + | StoredAccessToken + | StoredRefreshToken + | null; + + if (!tok && this.isUsingControlPlane) { + const CP = this.c.get('controlPlane'); + if (CP) { + const cpTok = await CP.introspect(token, hint); + if (cpTok.active) { + tok = cpTok; + await OAuthGatewayCache.set( + token, + tok, + hint === 'refresh_token' ? 'refresh_tokens' : 'tokens' + ); + } + } + } + + if (!tok) return { active: false }; + + const exp = 'exp' in tok ? tok.exp : undefined; + if ((exp ?? 0) < nowSec()) return { active: false }; + + return { + active: true, + scope: tok.scope, + client_id: tok.client_id, + username: tok.user_id || tok.username || tok.sub, + exp: tok.exp, + iat: tok.iat, + }; + } + + /** + * Register client + */ + async registerClient( + clientData: OAuthClient, + clientId?: string + ): Promise { + logger.debug(`Registering client`, { clientData, clientId }); + + // Create a new client id if not provided by hashing clientData to avoid duplicates + if (!clientId) { + clientId = crypto + .createHash('sha256') + .update(JSON.stringify(clientData)) + .digest('hex'); + } + + const id = clientId; + + const existing = await OAuthGatewayCache.get(id, 'clients'); + if (existing) { + if (clientData.redirect_uris?.length) { + const merged = Array.from( + new Set([ + ...(existing.redirect_uris || []), + ...clientData.redirect_uris, + ]) + ); + await oauthStore.set( + id, + { ...existing, redirect_uris: merged }, + { namespace: 'clients' } + ); + } + + return (await OAuthGatewayCache.get(id, 'clients'))!; + } + + const isPublicClient = + clientData.token_endpoint_auth_method === 'none' || + (clientData.grant_types?.includes('authorization_code') && + !clientData.grant_types?.includes('client_credentials')); + + const newClient: OAuthClient = { + client_id: id, + client_name: clientData.client_name, + scope: clientData.scope, + redirect_uris: clientData.redirect_uris, + grant_types: clientData.grant_types || ['client_credentials'], + token_endpoint_auth_method: isPublicClient + ? 'none' + : 'client_secret_post', + client_secret: isPublicClient + ? undefined + : `mcp_secret_${crypto.randomBytes(32).toString('hex')}`, + client_uri: clientData.client_uri, + logo_uri: clientData.logo_uri, + }; + + await oauthStore.set(id, newClient, { + namespace: 'clients', + }); + logger.debug(`Registered client`, { id }); + return newClient; + } + + /** + * Revoke token + */ + async revokeToken( + token: string, + token_type_hint: string, + client_id: string, + authHeader?: string + ): Promise { + let clientId: string, clientSecret: string; + + if (authHeader?.startsWith('Basic ')) { + const base64Credentials = authHeader.slice(6); + const credentials = Buffer.from(base64Credentials, 'base64').toString( + 'utf-8' + ); + [clientId, clientSecret] = credentials.split(':'); + + const client = await OAuthGatewayCache.get( + clientId, + 'clients' + ); + if (!client || client.client_secret !== clientSecret) return; + } else if (client_id) { + clientId = client_id; + const client = await OAuthGatewayCache.get( + clientId, + 'clients' + ); + if (!client || client.token_endpoint_auth_method !== 'none') return; + } else { + return; + } + + if (!token) return; + + // Try control plane first if available + if (this.isUsingControlPlane && this.controlPlane) { + try { + await this.controlPlane.revoke( + token, + token_type_hint as 'access_token' | 'refresh_token' | undefined, + clientId + ); + } catch (error) { + logger.warn( + 'Control plane revocation failed, will continue with local', + error + ); + } + } + + // Always revoke locally (for cache cleanup) + await revokeOAuthToken( + token, + clientId, + token_type_hint as 'access_token' | 'refresh_token' | undefined + ); + } + + async startAuthorization(): Promise { + const params = this.c.req.query(); + const clientId = params.client_id; + const redirectUri = params.redirect_uri; + const state = params.state; + const scope = params.scope || 'mcp:*'; + const codeChallenge = params.code_challenge; + const codeChallengeMethod = params.code_challenge_method; + const resourceUrl = params.resource; + + if (!resourceUrl) { + return this.c.json( + this.errorInvalidRequest('Missing resource parameter'), + 400 + ); + } + + const client = await OAuthGatewayCache.get( + clientId, + 'clients' + ); + if (!client) + return this.c.json(this.errorInvalidClient('Client not found'), 400); + + const user_id = 'portkeydefaultuser'; + + let resourceAuthUrl = null; + const upstream = await this.checkUpstreamAuth(resourceUrl, user_id); + if (upstream.status === 'auth_needed') + resourceAuthUrl = upstream.authorizationUrl; + + const authorizationUrl = `/oauth/authorize`; + + return this.c.html(` + + +

Authorization Request

+

Requesting access to: ${Array.from(resourceUrl.split('/')).at(-2)}

+

Redirect URI: ${redirectUri}

+ ${resourceAuthUrl ? `

Auth to upstream MCP first: Click here to authorize

` : ''} +
+ + + + + + + + +
+ + +
+
+ + + `); + } + + async completeAuthorization(): Promise { + const formData = await this.c.req.formData(); + const action = formData.get('action'); + const clientId = formData.get('client_id') as string; + const redirectUri = formData.get('redirect_uri') as string; + const state = formData.get('state') as string; + const scope = (formData.get('scope') as string) || 'mcp:servers:read'; + const codeChallenge = formData.get('code_challenge') as string; + const codeChallengeMethod = formData.get('code_challenge_method') as + | 'S256' + | 'plain' + | undefined; + const resourceUrl = formData.get('resource') as string; + const user_id = formData.get('user_id') as string; + + if (action === 'deny') { + // User denied access + const denyUrl = new URL(redirectUri); + denyUrl.searchParams.set('error', 'access_denied'); + if (state) denyUrl.searchParams.set('state', state); + + // Always show intermediate page that triggers redirect and attempts to close + return this.c.html(` + + Redirecting... + +
+

Authorization denied. Redirecting...

+

You may need to allow the redirect in your browser. You can close window once you have approved the redirect.

+

This window will close automatically after redirect

+
+ + + + `); + } + + // Create authorization code + const authCode = `authz_${crypto.randomBytes(32).toString('hex')}`; + + // Store this authCode to cache mapped to client info + await oauthStore.set( + authCode, + { + client_id: clientId, + redirect_uri: redirectUri, + scope: scope, + code_challenge: codeChallenge, + code_challenge_method: codeChallengeMethod, + resource: resourceUrl, + user_id: user_id, + expires: Date.now() + 10 * 60 * 1000, // 10 minutes + }, + { namespace: 'authorization_codes', ttl: 10 * 60 * 1000 } + ); + + // User approved access + const ok = new URL(redirectUri); + ok.searchParams.set('code', authCode); + if (state) ok.searchParams.set('state', state); + + // Always show intermediate page that triggers redirect and attempts to close + return this.c.html(` + + Authorization Complete + +
+

✅ Authorization Complete

+

Redirecting...

+

If you're not redirected automatically, click here.

+

You can close this window once you have approved the redirect.

+
+ + + + `); + } + + async checkUpstreamAuth(resourceUrl: string, username: string): Promise { + const serverId = Array.from(resourceUrl.split('/')).at(-2); + const workspaceId = Array.from(resourceUrl.split('/')).at(-3); + if (!serverId || !workspaceId) return false; + + const serverConfig = await getServerConfig(workspaceId, serverId, this.c); + if (!serverConfig) return false; + + if (serverConfig.auth_type != 'oauth_auto') { + return { status: 'auth_not_needed' }; + } + + const provider = new GatewayOAuthProvider( + serverConfig, + username, + this.controlPlane ?? undefined + ); + + // Check if the server already has tokens for it + const tokens = await provider.tokens(); + if (tokens) return { status: 'auth_not_needed' }; + + try { + const result: AuthResult = await auth(provider, { + serverUrl: serverConfig.url, + }); + + logger.debug('Auth result', result); + return { status: 'auth_not_needed' }; + } catch (error: any) { + if (error.needsAuthorization && error.authorizationUrl) { + return { + status: 'auth_needed', + authorizationUrl: error.authorizationUrl, + }; + } + throw error; + } + } + + async completeUpstreamAuth(): Promise { + const code = this.c.req.query('code'); + const state = this.c.req.query('state'); + const error = this.c.req.query('error'); + + logger.debug('Received upstream OAuth callback', { + hasCode: code, + hasState: state, + error, + url: this.c.req.url, + }); + + if (!state) + return { + error: 'invalid_state', + error_description: 'Invalid state in upstream callback', + }; + + const [username, workspaceId, serverId] = state.split('::'); + if (!username || !workspaceId || !serverId) + return { + error: 'invalid_state', + error_description: 'Invalid state in upstream callback', + }; + + const serverConfig = await getServerConfig(workspaceId, serverId, this.c); + if (!serverConfig) + return { + error: 'invalid_state', + error_description: 'Server config not found', + }; + + const provider = new GatewayOAuthProvider( + serverConfig, + username, + this.controlPlane ?? undefined + ); + + try { + const result: AuthResult = await auth(provider, { + serverUrl: serverConfig.url, + authorizationCode: code, + }); + + logger.debug('Auth result', result); + + return { + status: result === 'AUTHORIZED' ? 'auth_completed' : 'auth_failed', + }; + } catch (e: any) { + if (e.cause && e.cause instanceof Response) { + try { + const errorBody = await e.cause.text(); + logger.error('Token exchange failed - Server Error', { + status: e.cause.status, + statusText: e.cause.statusText, + url: e.cause.url, + body: errorBody, // This should show the actual error message from the server + headers: Object.fromEntries(e.cause.headers.entries()), + }); + } catch (readError) { + logger.error('Could not read error response', { readError }); + } + } else { + logger.error('Token exchange failed', { + error: e.message, + code: e.code, + stack: e.stack, + }); + } + + return { + error: 'invalid_grant', + error_description: e.message || 'Failed to exchange authorization code', + }; + } + } +} diff --git a/src/mcp/services/sessionStore.ts b/src/mcp/services/sessionStore.ts new file mode 100644 index 000000000..1b5ada62d --- /dev/null +++ b/src/mcp/services/sessionStore.ts @@ -0,0 +1,264 @@ +/** + * @file src/services/sessionStore.ts + * Persistent session storage using unified cache service + * Supports both in-memory and file-based backends, ready for Redis + */ + +import { + MCPSession, + TransportType, + TransportCapabilities, +} from '../../mcp/services/mcpSession'; +import { ServerConfig } from '../types/mcp'; +import { createLogger } from '../../shared/utils/logger'; +import { CacheService, getSessionCache } from '../../shared/services/cache'; +import { Context } from 'hono'; + +const logger = createLogger('SessionStore'); +const SESSIONS_NAMESPACE = 'sessions'; + +export interface SessionData { + id: string; + serverId: string; + workspaceId: string; + createdAt: number; + lastActivity: number; + transportCapabilities?: TransportCapabilities; + isInitialized: boolean; + clientTransportType?: TransportType; + config: ServerConfig; + tokenExpiresAt?: number; + gatewayToken?: any; + upstreamSessionId?: string; +} + +export interface SessionStoreOptions { + maxAge?: number; // Max age for sessions (ms) +} + +export class SessionStore { + private cache: CacheService; + private activeSessions = new Map(); + + constructor() { + this.cache = getSessionCache(); + } + + /** + * Convert session to cacheable data + */ + private toSessionData(session: MCPSession): SessionData { + const { expiresAt } = session.getTokenExpiration(); + return { + id: session.id, + serverId: session.config.serverId, + workspaceId: session.config.workspaceId, + createdAt: session.createdAt, + lastActivity: session.lastActivity, + transportCapabilities: session.getTransportCapabilities(), + isInitialized: session.isInitialized, + clientTransportType: session.getClientTransportType(), + config: session.config, + tokenExpiresAt: expiresAt, + gatewayToken: session.gatewayToken, + upstreamSessionId: session.upstreamSessionId, + }; + } + + /** + * Save session to cache + */ + private async saveSession(session: MCPSession): Promise { + await this.cache.set(session.id, this.toSessionData(session), { + namespace: SESSIONS_NAMESPACE, + }); + } + + /** + * Restore session from cached data + */ + private async restoreSession( + sessionData: SessionData, + context?: Context + ): Promise { + const session = new MCPSession({ + config: sessionData.config, + sessionId: sessionData.id, + gatewayToken: sessionData.gatewayToken, + upstreamSessionId: sessionData.upstreamSessionId, + context, + }); + + await session.restoreFromData({ + id: sessionData.id, + createdAt: sessionData.createdAt, + lastActivity: Date.now(), + transportCapabilities: sessionData.transportCapabilities, + clientTransportType: sessionData.clientTransportType, + tokenExpiresAt: sessionData.tokenExpiresAt, + upstreamSessionId: sessionData.upstreamSessionId, + }); + + return session; + } + + /** + * Get session metadata without creating active session + */ + async getSessionMetadata(sessionId: string): Promise { + return await this.cache.get(sessionId, SESSIONS_NAMESPACE); + } + + /** + * Get or restore a session + */ + async get( + sessionId: string, + context?: Context + ): Promise { + // Check active sessions first + let session = this.activeSessions.get(sessionId); + + if (session) { + logger.debug(`Found active session ${sessionId}`); + session.lastActivity = Date.now(); + await this.saveSession(session); + return session; + } + + // Try to restore from cache + const sessionData = await this.getSessionMetadata(sessionId); + if (!sessionData) { + logger.debug(`Session ${sessionId} not found`); + return undefined; + } + + // Restore and activate session + logger.debug(`Restoring session ${sessionId} from cache`); + session = await this.restoreSession(sessionData, context); + + this.activeSessions.set(sessionId, session); + await this.saveSession(session); + + return session; + } + + /** + * Add or update a session + */ + async set(sessionId: string, session: MCPSession): Promise { + this.activeSessions.set(sessionId, session); + await this.saveSession(session); + logger.debug(`set(${sessionId}) - active: ${this.activeSessions.size}`); + } + + /** + * Remove a session + */ + async delete(sessionId: string): Promise { + const wasActive = this.activeSessions.delete(sessionId); + const wasInCache = await this.cache.delete(sessionId, SESSIONS_NAMESPACE); + return wasActive || wasInCache; + } + + /** + * Get all session IDs (active + cached) + */ + async keys(): Promise { + const cachedKeys = await this.cache.keys(SESSIONS_NAMESPACE); + const activeKeys = Array.from(this.activeSessions.keys()); + return [...new Set([...cachedKeys, ...activeKeys])]; + } + + /** + * Save all active sessions to cache + */ + async saveActiveSessions(): Promise { + try { + await Promise.all( + Array.from(this.activeSessions.values()).map((s) => this.saveSession(s)) + ); + logger.debug(`Saved ${this.activeSessions.size} active sessions`); + } catch (error) { + logger.error('Failed to save active sessions', error); + } + } + + /** + * Cleanup expired sessions + */ + async cleanup(): Promise { + const expired = Array.from(this.activeSessions.entries()).filter( + ([, session]) => session.isTokenExpired() + ); + + for (const [id, session] of expired) { + logger.debug(`Removing expired session: ${id}`); + try { + await session.close(); + } catch (error) { + logger.error(`Error closing session ${id}`, error); + } finally { + this.activeSessions.delete(id); + } + } + + if (expired.length > 0) { + logger.info(`Removed ${expired.length} expired sessions`); + } + } + + /** + * Gracefully stop the store + */ + async stop(): Promise { + await this.saveActiveSessions(); + + for (const session of this.activeSessions.values()) { + try { + await session.close(); + } catch (error) { + logger.error(`Error closing session ${session.id}`, error); + } + } + } + + /** + * Get store statistics + */ + async getStats() { + const cacheStats = await this.cache.getStats(SESSIONS_NAMESPACE); + const total = await this.getTotalSize(); + const active = this.activeSize; + + return { + sessions: { + total, + active, + dormant: total - active, + }, + cache: cacheStats, + }; + } + + // Simple getters + values = () => this.activeSessions.values(); + entries = () => this.activeSessions.entries(); + getActiveSessions = () => Array.from(this.activeSessions.values()); + get activeSize() { + return this.activeSessions.size; + } + async getTotalSize() { + return (await this.keys()).length; + } +} + +// Singleton instance +let instance: SessionStore | null = null; + +export function getSessionStore(): SessionStore { + if (!instance) { + instance = new SessionStore(); + } + return instance; +} diff --git a/src/mcp/services/upstream.ts b/src/mcp/services/upstream.ts new file mode 100644 index 000000000..18ae12380 --- /dev/null +++ b/src/mcp/services/upstream.ts @@ -0,0 +1,437 @@ +import { + ClientTransport, + ConnectionTypes, + ServerConfig, + TransportTypes, +} from '../types/mcp'; +import { createLogger } from '../../shared/utils/logger'; +import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js'; +import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js'; +import { Client } from '@modelcontextprotocol/sdk/client/index.js'; +import { + CompleteRequestSchema, + CreateMessageRequestSchema, + ElicitRequestSchema, + Tool, +} from '@modelcontextprotocol/sdk/types.js'; +import { GatewayOAuthProvider } from './upstreamOAuth'; +import { ControlPlane } from '../middleware/controlPlane'; + +type ClientTransportTypes = + | typeof StreamableHTTPClientTransport + | typeof SSEClientTransport; + +export type ConnectResult = + | { ok: true; type: TransportTypes; sessionId?: string } + | { + ok: false; + needsAuth: true; + serverId: string; + workspaceId: string; + authorizationUrl?: string; + } + | { ok: false; error: Error }; + +export const ConnectionTypesToTransportType: Record< + ConnectionTypes, + { primary: ClientTransportTypes; secondary?: ClientTransportTypes } +> = { + 'http-sse': { + primary: StreamableHTTPClientTransport, + secondary: SSEClientTransport, + }, + 'sse-http': { + primary: SSEClientTransport, + secondary: StreamableHTTPClientTransport, + }, + http: { primary: StreamableHTTPClientTransport }, + sse: { primary: SSEClientTransport }, +} as const; + +export class Upstream { + public readonly client?: Client; + public connected: boolean = false; + public availableTools?: Tool[]; + public serverCapabilities?: any; + public pendingAuthURL?: string; + public authProvider?: GatewayOAuthProvider; + + constructor( + private serverConfig: ServerConfig, + private userId: string, + private logger = createLogger('UpstreamConnector'), + private upstreamSessionId?: string, + private controlPlane?: ControlPlane + ) { + // TODO: Might need to advertise capabilities + this.client = new Client( + { + name: `portkey-${this.serverConfig.serverId}-client`, + version: '1.0.0', + title: 'Portkey MCP Gateway', + }, + { + capabilities: { + tools: true, + prompts: true, + resources: true, + logging: true, + elicitation: {}, + sampling: {}, + completion: {}, + roots: { + listChanged: false, + }, + }, + } + ); + } + + private getTransportOptions() { + let options: any = {}; + switch (this.serverConfig.auth_type) { + case 'oauth_auto': + this.logger.debug('Using OAuth auto-discovery for authentication'); + if (!this.authProvider) { + this.authProvider = new GatewayOAuthProvider( + this.serverConfig, + this.userId, + this.controlPlane + ); + } + options = { + authProvider: this.authProvider, + }; + break; + + case 'oauth_client_credentials': + // TODO: Implement client credentials flow + this.logger.warn( + 'oauth_client_credentials not yet implemented, falling back to headers' + ); + options = { + requestInit: { + headers: this.serverConfig.headers, + }, + }; + break; + case 'headers': + default: + options = { + requestInit: { + headers: this.serverConfig.headers, + }, + }; + break; + } + if (this.upstreamSessionId) { + options.sessionId = this.upstreamSessionId; + } + return options; + } + + private makeTransport(transportType: ClientTransportTypes): ClientTransport { + const upstreamUrl = new URL(this.serverConfig.url); + return new transportType(upstreamUrl, this.getTransportOptions() as any); + } + + private async connectOne( + transportType: ClientTransportTypes + ): Promise { + try { + const transport = this.makeTransport(transportType); + await this.client!.connect(transport); + this.upstreamSessionId = (transport as any).sessionId || undefined; + + this.connected = true; + + await this.fetchCapabilities(); + + // Sample handlers + this.setElicitHandler(async (elicitation, extra) => { + console.log('===> TODO: handle elicitation', { elicitation, extra }); + }); + this.setSamplingHandler(async (sampling, extra) => { + console.log('===> TODO: handle sampling', { sampling, extra }); + }); + this.setCompletionHandler(async (completion, extra) => { + console.log('===> TODO: handle completion', { completion, extra }); + }); + this.setNotificationHandler(async (notification) => { + console.log('===> TODO: handle notification', { notification }); + }); + this.setRequestHandler(async (request, extra) => { + console.log('===> TODO: handle request', { request, extra }); + }); + + return { + ok: true, + sessionId: this.upstreamSessionId, + type: 'http', + }; + } catch (e: any) { + if (e?.needsAuthorization) { + this.authProvider?.invalidateCredentials('all'); + this.authProvider = undefined; + this.pendingAuthURL = e.authorizationUrl; + return { + ok: false, + needsAuth: true, + serverId: this.serverConfig.serverId, + workspaceId: this.serverConfig.workspaceId, + authorizationUrl: this.pendingAuthURL, + }; + } + throw e; + } + } + + async connect(): Promise { + // By default, try both transports + let transportsToTry: { + primary: typeof StreamableHTTPClientTransport | typeof SSEClientTransport; + secondary?: + | typeof StreamableHTTPClientTransport + | typeof SSEClientTransport; + } = ConnectionTypesToTransportType['http-sse']; + + if (this.serverConfig.type) + transportsToTry = ConnectionTypesToTransportType[this.serverConfig.type]; + + // First try the primary transport + try { + return this.connectOne(transportsToTry.primary); + } catch (e: any) { + // If the primary transport failed, try the secondary transport + if (transportsToTry.secondary) { + this.logger.debug('Primary transport failed, trying secondary', e); + try { + return this.connectOne(transportsToTry.secondary); + } catch (e2: any) { + this.logger.error('Secondary transport failed', e2); + throw e2; + } + } + throw e; + } + } + + /** + * Fetch upstream capabilities + */ + async fetchCapabilities(): Promise { + try { + this.logger.debug('Fetching upstream capabilities'); + // const toolsResult = await this.client!.listTools(); + // this.availableTools = toolsResult.tools; + + // Get server capabilities from the client + this.serverCapabilities = this.client!.getServerCapabilities(); + // this.logger.debug(`Found ${this.availableTools?.length} tools`); + } catch (error) { + this.logger.error('Failed to fetch upstream capabilities', error); + } + } + + get transport(): ClientTransport { + return this.client?.transport as ClientTransport; + } + + /** + * Send a message to upstream + */ + async send(message: any): Promise { + if (!this.transport) { + throw new Error('No upstream transport available'); + } + await this.transport.send(message); + } + + /** + * Send a notification to upstream + */ + async notification(message: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + await this.client.notification(message); + } + + /** + * Forward a request to upstream + */ + async request(request: any, schema?: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.request(request, schema || {}); + } + + /** + * Call a tool on upstream + */ + async callTool(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.callTool(params); + } + + /** + * List tools from upstream + */ + async listTools(): Promise { + this.logger.debug('Listing tools from upstream'); + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.listTools(); + } + + async ping(): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.ping(); + } + + async complete(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.complete(params); + } + + async setLoggingLevel(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.setLoggingLevel(params.level); + } + + async getPrompt(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.getPrompt(params); + } + + async listPrompts(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.listPrompts(params); + } + + async listResources(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.listResources(params); + } + + async listResourceTemplates(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.listResourceTemplates(params); + } + + async readResource(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.readResource(params); + } + + async subscribeResource(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.subscribeResource(params); + } + + async unsubscribeResource(params: any): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + return this.client.unsubscribeResource(params); + } + + async setElicitHandler( + handler: (elicitation: any, extra: any) => Promise + ): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + this.client.setRequestHandler(ElicitRequestSchema, handler); + } + + async setSamplingHandler( + handler: (sampling: any, extra: any) => Promise + ): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + this.client.setRequestHandler(CreateMessageRequestSchema, handler); + } + + async setCompletionHandler( + handler: (completion: any, extra: any) => Promise + ): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + this.client.setRequestHandler(CompleteRequestSchema, handler); + } + + /** + * Set a handler for ANY notification that doesn't have a specific handler + * This acts as a catch-all for all notifications from the upstream server + */ + async setNotificationHandler( + handler: (notification: any) => Promise + ): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + // Use the fallback handler to catch ALL notifications + this.client.fallbackNotificationHandler = handler; + } + + /** + * Set a handler for ANY request that doesn't have a specific handler + * This acts as a catch-all for all requests from the upstream server + */ + async setRequestHandler( + handler: (request: any, extra: any) => Promise + ): Promise { + if (!this.client) { + throw new Error('No upstream client available'); + } + // Use the fallback handler to catch ALL requests + this.client.fallbackRequestHandler = handler; + } + + /** + * Close the upstream connection + */ + async close(): Promise { + await this.client?.close(); + } + + isKnownRequest(method: string): boolean { + return [ + 'ping', + 'completion/complete', + 'logging/setLevel', + 'prompts/get', + 'prompts/list', + 'resources/list', + 'resources/templates/list', + 'resources/read', + 'resources/subscribe', + 'resources/unsubscribe', + ].includes(method); + } +} diff --git a/src/mcp/services/upstreamOAuth.ts b/src/mcp/services/upstreamOAuth.ts new file mode 100644 index 000000000..471e23c55 --- /dev/null +++ b/src/mcp/services/upstreamOAuth.ts @@ -0,0 +1,201 @@ +/** + * @file src/services/upstreamOAuth.ts + * OAuth provider for upstream MCP server connections + */ + +import { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js'; +import { + OAuthTokens, + OAuthClientInformationFull, + OAuthClientMetadata, +} from '@modelcontextprotocol/sdk/shared/auth.js'; +import { ServerConfig } from '../types/mcp'; +import { createLogger } from '../../shared/utils/logger'; +import { CacheService, getMcpServersCache } from '../../shared/services/cache'; +import { ControlPlane } from '../middleware/controlPlane'; + +const logger = createLogger('UpstreamOAuth'); + +export class GatewayOAuthProvider implements OAuthClientProvider { + private _clientInfo?: OAuthClientInformationFull; + private cache: CacheService; + private workspaceId: string; + private serverId: string; + + constructor( + config: ServerConfig, + private userId: string, + private controlPlane?: ControlPlane + ) { + this.cache = getMcpServersCache(); + this.workspaceId = config.workspaceId; + this.serverId = config.serverId; + } + + get redirectUrl(): string { + // Use our upstream callback handler + const baseUrl = + process.env.BASE_URL || `http://localhost:${process.env.PORT || 8788}`; + return `${baseUrl}/oauth/upstream-callback`; + } + + get clientMetadata(): OAuthClientMetadata { + return { + client_name: `Portkey (${this.workspaceId}/${this.serverId})`, + redirect_uris: [this.redirectUrl], + grant_types: ['authorization_code', 'refresh_token'], + response_types: ['code'], + token_endpoint_auth_method: 'none', + client_uri: 'https://portkey.ai', + logo_uri: 'https://cfassets.portkey.ai/logo%2Fdew-color.png', + software_id: 'ai.portkey.mcp', + }; + } + + private get cacheKey(): string { + return `${this.userId}::${this.workspaceId}::${this.serverId}`; + } + + async clientInformation(): Promise { + // First check if we have it in memory + if (this._clientInfo) return this._clientInfo; + + // Try to get from persistent storage + if (this.userId.length > 0 && this.serverId && this.workspaceId) { + let clientInfo = await this.cache.get(this.cacheKey, 'client_info'); + + if (!clientInfo && this.controlPlane) { + clientInfo = await this.controlPlane.getMCPServerClientInfo( + this.workspaceId, + this.serverId + ); + + if (clientInfo) { + await this.cache.set(this.cacheKey, clientInfo, { + namespace: 'client_info', + }); + } + } + + if (clientInfo) { + this._clientInfo = clientInfo; + return clientInfo; + } + } + + // For oauth_auto, we don't have pre-registered client info + // The SDK will handle dynamic client registration + logger.debug( + `No pre-registered client info for ${this.workspaceId}/${this.serverId}` + ); + return undefined; + } + + async saveClientInformation( + clientInfo: OAuthClientInformationFull + ): Promise { + // Store the client info for later use + this._clientInfo = clientInfo; + logger.debug( + `Saving client info for ${this.workspaceId}/${this.serverId}`, + clientInfo + ); + await this.cache.set(this.cacheKey, clientInfo, { + namespace: 'client_info', + }); + } + + async tokens(): Promise { + const tokens = + (await this.cache.get(this.cacheKey, 'tokens')) ?? undefined; + + if (!tokens && this.controlPlane) { + const cpTokens = await this.controlPlane.getMCPServerTokens( + this.workspaceId, + this.serverId + ); + if (cpTokens) { + await this.cache.set(this.cacheKey, cpTokens, { + namespace: 'tokens', + }); + return cpTokens as OAuthTokens; + } + } + return tokens; + } + + async saveTokens(tokens: OAuthTokens): Promise { + logger.debug(`Saving tokens for ${this.workspaceId}/${this.serverId}`); + + if (tokens && this.controlPlane) { + // Save tokens to control plane for persistence + await this.controlPlane.saveMCPServerTokens( + this.workspaceId, + this.serverId, + tokens + ); + } + + await this.cache.set(this.cacheKey, tokens, { namespace: 'tokens' }); + } + + async redirectToAuthorization(url: URL): Promise { + url.searchParams.set('state', this.cacheKey); + logger.info( + `Authorization redirect requested for ${this.workspaceId}/${this.serverId}: ${url}` + ); + + // Throw a specific error that mcpSession can catch + const error = new Error( + `Authorization required for ${this.workspaceId}/${this.serverId}` + ); + (error as any).needsAuthorization = true; + (error as any).authorizationUrl = url.toString(); + (error as any).serverId = this.workspaceId; + (error as any).workspaceId = this.workspaceId; + throw error; + } + + async saveCodeVerifier(verifier: string): Promise { + // For server-to-server, PKCE might not be needed, but we'll support it + logger.debug( + `Saving code verifier for ${this.workspaceId}/${this.serverId}` + ); + await this.cache.set(this.cacheKey, verifier, { + namespace: 'code_verifier', + }); + } + + async codeVerifier(): Promise { + const codeVerifier = await this.cache.get(this.cacheKey, 'code_verifier'); + return codeVerifier || ''; + } + + async invalidateCredentials( + scope: 'all' | 'client' | 'tokens' | 'verifier' + ): Promise { + logger.debug( + `Invalidating ${scope} credentials for ${this.workspaceId}/${this.serverId}` + ); + + switch (scope) { + case 'all': + if (this.controlPlane) { + await this.controlPlane.deleteMCPServerTokens( + this.workspaceId, + this.serverId + ); + } + await this.cache.delete(this.cacheKey, 'tokens'); + await this.cache.delete(this.cacheKey, 'code_verifier'); + break; + case 'tokens': + await this.cache.delete(this.cacheKey, 'tokens'); + break; + case 'verifier': + delete (this as any)._codeVerifier; + break; + // 'client' scope would need persistent storage to handle properly + } + } +} diff --git a/src/mcp/types/mcp.ts b/src/mcp/types/mcp.ts new file mode 100644 index 000000000..fbee7dfb6 --- /dev/null +++ b/src/mcp/types/mcp.ts @@ -0,0 +1,48 @@ +import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse'; +import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp'; +import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse'; +import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp'; + +export type ConnectionTypes = 'http-sse' | 'sse-http' | 'http' | 'sse'; + +export type ClientTransport = + | StreamableHTTPClientTransport + | SSEClientTransport; +export type ServerTransport = + | StreamableHTTPServerTransport + | SSEServerTransport; + +export type TransportTypes = 'http' | 'sse'; + +/** + * Server configuration for gateway + */ +export interface ServerConfig { + serverId: string; + workspaceId: string; + url: string; + headers: Record; + type?: ConnectionTypes; + + // Authentication configuration + auth_type?: 'oauth_auto' | 'oauth_client_credentials' | 'headers'; + + // Tool-specific policies + tools?: { + allowed?: string[]; // If specified, only these tools are allowed + blocked?: string[]; // These tools are always blocked + rateLimit?: { + requests: number; // Max requests per window + window: number; // Window in seconds + }; + logCalls?: boolean; // Log all tool calls for monitoring + }; + + // Transport configuration + transport?: { + // Preferred transport type for upstream connection + preferred?: 'http' | 'sse'; + // Whether to allow fallback to other transports + allowFallback?: boolean; + }; +} diff --git a/src/mcp/utils/emitLog.ts b/src/mcp/utils/emitLog.ts new file mode 100644 index 000000000..49939a29b --- /dev/null +++ b/src/mcp/utils/emitLog.ts @@ -0,0 +1,135 @@ +type OtlpKeyValue = { + key: string; + value: { + stringValue?: string; + boolValue?: boolean; + intValue?: string; + doubleValue?: number; + arrayValue?: any; + kvlistValue?: any; + }; +}; + +type OTLPRecord = { + timeUnixNano: string; + attributes: OtlpKeyValue[] | undefined; + traceId: string | undefined; + spanId: string | undefined; + status: { code: string }; + name: string; +}; + +const BATCH_MAX = 100; +const FLUSH_INTERVAL = 3000; // 3 seconds + +const buffer: OTLPRecord[] = []; +let timer: NodeJS.Timeout | null = null; + +export function emitLog( + body: string | Record, + attributes?: Record, + // optional trace context for correlation in backends + trace?: { traceId?: string; spanId?: string; flags?: number } +) { + try { + const nowNs = Date.now() * 1_000_000; + const record: OTLPRecord = { + timeUnixNano: String(nowNs), + attributes: toKv(attributes), + traceId: trace?.traceId ?? undefined, + spanId: trace?.spanId ?? undefined, + status: { + code: 'STATUS_CODE_OK', + }, + name: 'mcp.request', + }; + buffer.push(record); + if (buffer.length >= BATCH_MAX) void flush(); + else schedule(); + } catch { + /* never throw from logging */ + } +} + +function schedule() { + if (timer) return; + timer = setTimeout(() => { + timer = null; + void flush(); + }, FLUSH_INTERVAL); +} + +function flush() { + if (buffer.length === 0) return; + + const batch = buffer.splice(0, buffer.length); + const payload = buildPayload(batch); + + console.log( + 'TODO: flush logs. Length:', + JSON.stringify(payload, null, 2).length + ); + + // fetch('/v1/logs', { + // method: 'POST', + // body: JSON.stringify(payload), + // }); +} + +function toKv(attrs?: Record): OtlpKeyValue[] | undefined { + if (!attrs) return undefined; + const out: OtlpKeyValue[] = []; + for (const [k, v] of Object.entries(attrs)) { + out.push({ key: k, value: toAnyValue(v) }); + } + return out.length ? out : undefined; +} + +function toAnyValue(v: unknown): any { + try { + if (v == null) return { stringValue: '' }; + if (typeof v === 'string') return { stringValue: v }; + if (typeof v === 'number') { + return Number.isInteger(v) ? { intValue: String(v) } : { doubleValue: v }; + } + if (typeof v === 'boolean') return { boolValue: v }; + if (Array.isArray(v)) return { arrayValue: { values: v.map(toAnyValue) } }; + if (typeof v === 'object') { + console.log('object', v); + return { + kvlistValue: { + values: Object.entries(v as Record).map( + ([k, val]) => ({ key: k, value: toAnyValue(val) }) + ), + }, + }; + } + return { stringValue: String(v) }; + } catch { + return { stringValue: '[unserializable]' }; + } +} + +function buildPayload(logRecords: OTLPRecord[]) { + return { + resourceSpans: [ + { + resource: { + attributes: toKv({ + 'service.name': 'mcp-gateway', + }), + }, + scopeSpans: [ + { + scope: { + attributes: toKv({ + name: 'mcp', + }), + }, + spans: logRecords, + }, + ], + }, + ], + }; +} diff --git a/src/mcp/utils/mcp-utils.ts b/src/mcp/utils/mcp-utils.ts new file mode 100644 index 000000000..10d565253 --- /dev/null +++ b/src/mcp/utils/mcp-utils.ts @@ -0,0 +1,9 @@ +import { Context } from 'hono'; + +export function getBaseUrl(c: Context): URL { + const baseUrl = new URL(c.req.url); + if (c.req.header('x-forwarded-proto') === 'https') { + baseUrl.protocol = 'https'; + } + return baseUrl; +} diff --git a/src/mcp/utils/oauthTokenRevocation.ts b/src/mcp/utils/oauthTokenRevocation.ts new file mode 100644 index 000000000..ae7cfabb1 --- /dev/null +++ b/src/mcp/utils/oauthTokenRevocation.ts @@ -0,0 +1,138 @@ +/** + * @file src/utils/oauthTokenRevocation.ts + * Utility functions for OAuth token revocation + */ + +import { getOauthStore } from '../../shared/services/cache'; +import { createLogger } from '../../shared/utils/logger'; +import { ControlPlane } from '../middleware/controlPlane'; + +const logger = createLogger('OAuth-Token-Revocation'); + +interface StoredAccessToken { + client_id: string; + [key: string]: any; +} + +interface StoredRefreshToken { + client_id: string; + access_tokens?: string[]; + [key: string]: any; +} + +/** + * Revoke an OAuth token (access or refresh) + * @param token The token to revoke + * @param clientId The client ID that owns the token + * @param tokenTypeHint Optional hint about token type ('access_token' or 'refresh_token') + * @returns true if token was revoked, false if not found or not owned by client + */ +export async function revokeOAuthToken( + token: string, + clientId: string, + tokenTypeHint?: 'access_token' | 'refresh_token' +): Promise { + const oauthStore = getOauthStore(); + + const tryRevokeAccess = async (): Promise => { + const tokenData = await oauthStore.get(token, 'tokens'); + if (tokenData && tokenData.client_id === clientId) { + await oauthStore.delete(token, 'tokens'); + logger.debug(`Revoked access token for client_id ${clientId}`); + return true; + } + return false; + }; + + const tryRevokeRefresh = async (): Promise => { + const refresh = await oauthStore.get( + token, + 'refresh_tokens' + ); + if (refresh && refresh.client_id === clientId) { + // Revoke all associated access tokens + for (const at of refresh.access_tokens || []) { + await oauthStore.delete(at, 'tokens'); + } + // Revoke the refresh token itself + await oauthStore.delete(token, 'refresh_tokens'); + logger.debug( + `Revoked refresh token and associated access tokens for client_id ${clientId}` + ); + return true; + } + return false; + }; + + // Try based on hint, or try both + if (tokenTypeHint === 'access_token') { + return await tryRevokeAccess(); + } else if (tokenTypeHint === 'refresh_token') { + return await tryRevokeRefresh(); + } else { + // Try both, return true if either succeeds + return (await tryRevokeAccess()) || (await tryRevokeRefresh()); + } +} + +/** + * Revoke all OAuth tokens for a given client ID + * This finds the refresh token associated with the client and revokes it along with all access tokens + * @param clientId The client ID whose tokens should be revoked + * @param controlPlane Optional ControlPlane instance to use for revocation + */ +export async function revokeAllClientTokens( + tokenInfo: any, + controlPlane?: ControlPlane | null +): Promise { + logger.debug( + `Revoking all OAuth tokens for client_id ${tokenInfo.client_id}` + ); + const oauthStore = getOauthStore(); + + let refreshToken: string | null = null; + + if (tokenInfo.refresh_token) { + refreshToken = tokenInfo.refresh_token; + // Try control plane first if available + if (controlPlane) { + try { + await controlPlane.revoke( + refreshToken!, + 'refresh_token', + tokenInfo.client_id + ); + logger.debug( + `Revoked tokens via control plane for client_id ${tokenInfo.client_id}` + ); + } catch (error) { + logger.warn( + 'Control plane revocation failed, will continue with local', + error + ); + } + } + } else { + // Get the refresh token for this client_id + refreshToken = await oauthStore.get( + tokenInfo.client_id, + 'clientid_refresh' + ); + } + + logger.debug( + `Refresh token for client_id ${tokenInfo.client_id} is ${refreshToken}` + ); + + // Always revoke locally (for cache cleanup) + await revokeOAuthToken( + tokenInfo.refresh_token, + tokenInfo.client_id, + 'refresh_token' + ); + + await revokeOAuthToken(tokenInfo.token, tokenInfo.client_id, 'access_token'); + + // Clean up the clientid_refresh mapping + await oauthStore.delete(tokenInfo.client_id, 'clientid_refresh'); +} diff --git a/src/public/index.html b/src/public/index.html index 9bd7e77e2..f4df763c0 100644 --- a/src/public/index.html +++ b/src/public/index.html @@ -26,7 +26,7 @@ } .btn:hover { - background-color: rgba(24, 24, 27,0.9) + background-color: rgba(24, 24, 27, 0.9) } .btn-outline { @@ -120,9 +120,17 @@ } @keyframes blink { - 0% { opacity: 0; } - 50% { opacity: 1; } - 100% { opacity: 0; } + 0% { + opacity: 0; + } + + 50% { + opacity: 1; + } + + 100% { + opacity: 0; + } } .header-links { @@ -263,10 +271,12 @@ background-color: rgba(253, 224, 71, 0.2); transform: scale(1); } + 20% { background-color: rgba(253, 224, 71, 1); transform: scale(1.05); } + 100% { background-color: rgba(253, 224, 71, 0.2); transform: scale(1); @@ -431,6 +441,7 @@ margin-right: 8px; vertical-align: middle; } + @keyframes spin { to { transform: rotate(360deg); @@ -440,11 +451,13 @@ .new-row { animation: fadeInSlideDown 0.2s ease-out; } + @keyframes fadeInSlideDown { from { opacity: 0; transform: translateY(-20px); } + to { opacity: 1; transform: translateY(0); @@ -606,7 +619,7 @@ border-radius: 0.75rem; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06); padding: 1.5rem; - max-width: 600px; + max-width: 800px; margin: 0rem auto 2rem auto; } @@ -745,6 +758,7 @@ /* Responsive adjustments */ @media (max-width: 768px) { + .features-grid, .next-steps-grid { grid-template-columns: 1fr; @@ -854,11 +868,14 @@ - + @@ -869,8 +886,8 @@ - +
@@ -885,6 +902,7 @@ 1. Let's make a test request

2. Create a routing config

-
Gateway configs allow you to route requests to different providers and models. You can load balance, set fallbacks, and configure automatic retries & timeouts. Learn more
+
Gateway configs allow you to route requests to different providers and models. You + can load balance, set fallbacks, and configure automatic retries & timeouts. Learn more
Simple Config
Load Balancing
@@ -1091,6 +1110,80 @@

Real-time Logs

+
+
+

MCP (Model Context Protocol) Management

+
Manage MCP servers, view cache data, and monitor system health.
+ +
+
MCP Servers
+
Cache Management
+
+ + +
+
+

MCP Servers

+ +
+ +
+ + + + + + + + + + + + + + + + +
+ ID + Name + URL + Type + Status + Actions
+
+ Loading MCP servers... +
+
+
+ + +
+
+

Cache Management

+
+ + +
+
+ +
+ +
+
+
+
+ + + + + + + - + \ No newline at end of file diff --git a/src/shared/services/cache/backends/cloudflareKV.ts b/src/shared/services/cache/backends/cloudflareKV.ts new file mode 100644 index 000000000..820d461e9 --- /dev/null +++ b/src/shared/services/cache/backends/cloudflareKV.ts @@ -0,0 +1,228 @@ +/** + * @file src/services/cache/backends/cloudflareKV.ts + * Cloudflare KV cache backend implementation + */ + +import { CacheBackend, CacheEntry, CacheOptions, CacheStats } from '../types'; + +// Using console.log for now to avoid build issues +const logger = { + debug: (msg: string, ...args: any[]) => + console.debug(`[CloudflareKVCache] ${msg}`, ...args), + info: (msg: string, ...args: any[]) => + console.info(`[CloudflareKVCache] ${msg}`, ...args), + warn: (msg: string, ...args: any[]) => + console.warn(`[CloudflareKVCache] ${msg}`, ...args), + error: (msg: string, ...args: any[]) => + console.error(`[CloudflareKVCache] ${msg}`, ...args), +}; + +// Cloudflare KV client interface +interface ICloudflareKVClient { + get(key: string): Promise; + set(key: string, value: string, options?: CacheOptions): Promise; + del(key: string): Promise; + keys(prefix: string): Promise; +} + +export class CloudflareKVCacheBackend implements CacheBackend { + private client: ICloudflareKVClient; + private dbName: string; + + private stats: CacheStats = { + hits: 0, + misses: 0, + sets: 0, + deletes: 0, + size: 0, + expired: 0, + }; + + constructor(client: ICloudflareKVClient, dbName: string) { + this.client = client; + this.dbName = dbName; + } + + private getFullKey(key: string, namespace?: string): string { + return namespace + ? `${this.dbName}:${namespace}:${key}` + : `${this.dbName}:default:${key}`; + } + + private serializeEntry(entry: CacheEntry): string { + return JSON.stringify(entry); + } + + private deserializeEntry(data: string): CacheEntry { + return JSON.parse(data); + } + + async get( + key: string, + namespace?: string + ): Promise | null> { + try { + const fullKey = this.getFullKey(key, namespace); + const data = await this.client.get(fullKey); + + if (!data) { + this.stats.misses++; + return null; + } + + const entry = this.deserializeEntry(data); + + this.stats.hits++; + return entry; + } catch (error) { + logger.error('Redis get error:', error); + this.stats.misses++; + return null; + } + } + + async set( + key: string, + value: T, + options: CacheOptions = {} + ): Promise { + try { + const fullKey = this.getFullKey(key, options.namespace); + const now = Date.now(); + + const entry: CacheEntry = { + value, + createdAt: now, + expiresAt: options.ttl ? now + options.ttl : undefined, + metadata: options.metadata, + }; + + const serialized = this.serializeEntry(entry); + + this.client.set(fullKey, serialized, options); + + this.stats.sets++; + } catch (error) { + logger.error('Cloudflare KV set error:', error); + throw error; + } + } + + async delete(key: string, namespace?: string): Promise { + try { + const fullKey = this.getFullKey(key, namespace); + const deleted = await this.client.del(fullKey); + + if (deleted > 0) { + this.stats.deletes++; + return true; + } + + return false; + } catch (error) { + logger.error('Cloudflare KV delete error:', error); + return false; + } + } + + async clear(namespace?: string): Promise { + logger.debug('Cloudflare KV clear not implemented', namespace); + } + + async keys(namespace?: string): Promise { + try { + const prefix = namespace ? `cache:${namespace}:` : 'cache:default:'; + const fullKeys = await this.client.keys(prefix); + + return fullKeys.map((key) => key.substring(prefix.length)); + } catch (error) { + logger.error('Redis keys error:', error); + return []; + } + } + + async getStats(namespace?: string): Promise { + try { + const prefix = namespace ? `cache:${namespace}:` : 'cache:default:'; + const keys = await this.client.keys(prefix); + + return { + ...this.stats, + size: keys.length, + }; + } catch (error) { + logger.error('Redis getStats error:', error); + return { ...this.stats }; + } + } + + async has(key: string, namespace?: string): Promise { + logger.info('Cloudflare KV has not implemented', key, namespace); + return false; + } + + async cleanup(): Promise { + // Redis handles TTL automatically, so this is mostly a no-op + // We could scan for entries with manual expiration and clean them up + logger.debug('Redis cleanup - TTL handled automatically by Redis'); + } + + async close(): Promise { + logger.debug('Cloudflare KV close not implemented'); + } +} + +// Cloudflare KV client implementation +class CloudflareKVClient implements ICloudflareKVClient { + private KV: any; + + constructor(env: any, kvBindingName: string) { + this.KV = env[kvBindingName]; + } + + get = async (key: string): Promise => { + return await this.KV.get(key); + }; + + set = async ( + key: string, + value: string, + options?: CacheOptions + ): Promise => { + const kvOptions = { + expirationTtl: options?.ttl, + metadata: options?.metadata, + }; + try { + await this.KV.put(key, value, kvOptions); + return; + } catch (error) { + logger.error('Error setting key in Cloudflare KV:', error); + throw error; + } + }; + + del = async (key: string): Promise => { + try { + await this.KV.delete(key); + return 1; + } catch (error) { + logger.error('Error deleting key in Cloudflare KV:', error); + throw error; + } + }; + + keys = async (prefix: string): Promise => { + return await this.KV.list({ prefix }); + }; +} + +// Factory function to create Cloudflare KV backend +export function createCloudflareKVBackend( + env: any, + bindingName: string, + dbName: string +): CloudflareKVCacheBackend { + const client = new CloudflareKVClient(env, bindingName); + return new CloudflareKVCacheBackend(client, dbName); +} diff --git a/src/shared/services/cache/backends/file.ts b/src/shared/services/cache/backends/file.ts new file mode 100644 index 000000000..e517960ba --- /dev/null +++ b/src/shared/services/cache/backends/file.ts @@ -0,0 +1,321 @@ +/** + * @file src/services/cache/backends/file.ts + * File-based cache backend implementation + */ + +import { CacheBackend, CacheEntry, CacheOptions, CacheStats } from '../types'; +import * as fs from 'fs/promises'; +import * as path from 'path'; + +// Using console.log for now to avoid build issues +const logger = { + debug: (msg: string, ...args: any[]) => + console.debug(`[FileCache] ${msg}`, ...args), + info: (msg: string, ...args: any[]) => + console.info(`[FileCache] ${msg}`, ...args), + warn: (msg: string, ...args: any[]) => + console.warn(`[FileCache] ${msg}`, ...args), + error: (msg: string, ...args: any[]) => + console.error(`[FileCache] ${msg}`, ...args), +}; + +interface FileCacheData { + [namespace: string]: { + [key: string]: CacheEntry; + }; +} + +export class FileCacheBackend implements CacheBackend { + private cacheFile: string; + private data: FileCacheData = {}; + private saveTimer?: NodeJS.Timeout; + private cleanupInterval?: NodeJS.Timeout; + private loaded: boolean = false; + private loadPromise: Promise; + private stats: CacheStats = { + hits: 0, + misses: 0, + sets: 0, + deletes: 0, + size: 0, + expired: 0, + }; + private saveInterval: number; + constructor( + dataDir: string = 'data', + fileName: string = 'cache.json', + saveIntervalMs: number = 1000, + cleanupIntervalMs: number = 60000 + ) { + this.cacheFile = path.join(process.cwd(), dataDir, fileName); + this.saveInterval = saveIntervalMs; + this.loadPromise = this.loadCache(); + this.loadPromise.then(() => { + this.startCleanup(cleanupIntervalMs); + }); + } + + // Ensure cache is loaded before any operation + private async ensureLoaded(): Promise { + if (!this.loaded) { + await this.loadPromise; + } + } + + private async ensureDataDir(): Promise { + const dir = path.dirname(this.cacheFile); + try { + await fs.mkdir(dir, { recursive: true }); + } catch (error) { + logger.error('Failed to create cache directory:', error); + } + } + + private async loadCache(): Promise { + try { + const content = await fs.readFile(this.cacheFile, 'utf-8'); + this.data = JSON.parse(content); + this.updateStats(); + logger.debug('Loaded cache from disk', this.cacheFile); + this.loaded = true; + } catch (error) { + // File doesn't exist or is invalid, start with empty cache + this.data = {}; + logger.debug('Starting with empty cache'); + } + } + + private async saveCache(): Promise { + try { + await this.ensureDataDir(); + await fs.writeFile(this.cacheFile, JSON.stringify(this.data, null, 2)); + logger.debug('Saved cache to disk'); + } catch (error) { + logger.error('Failed to save cache:', error); + } + } + + private scheduleSave(): void { + if (this.saveTimer) { + clearTimeout(this.saveTimer); + } + + this.saveTimer = setTimeout(() => { + this.saveCache(); + this.saveTimer = undefined; + }, this.saveInterval); + } + + private startCleanup(intervalMs: number): void { + this.cleanupInterval = setInterval(() => { + this.cleanup(); + }, intervalMs); + } + + private isExpired(entry: CacheEntry): boolean { + return entry.expiresAt !== undefined && entry.expiresAt <= Date.now(); + } + + private updateStats(): void { + let totalSize = 0; + let totalExpired = 0; + + for (const namespace of Object.values(this.data)) { + for (const entry of Object.values(namespace)) { + totalSize++; + if (this.isExpired(entry)) { + totalExpired++; + } + } + } + + this.stats.size = totalSize; + this.stats.expired = totalExpired; + } + + private getNamespaceData( + namespace: string = 'default' + ): Record { + if (!this.data[namespace]) { + this.data[namespace] = {}; + } + return this.data[namespace]; + } + + async get( + key: string, + namespace?: string + ): Promise | null> { + await this.ensureLoaded(); // Wait for load to complete + + const namespaceData = this.getNamespaceData(namespace); + const entry = namespaceData[key]; + + if (!entry) { + this.stats.misses++; + return null; + } + + if (this.isExpired(entry)) { + delete namespaceData[key]; + this.stats.expired++; + this.stats.misses++; + this.scheduleSave(); + return null; + } + + this.stats.hits++; + return entry as CacheEntry; + } + + async set( + key: string, + value: T, + options: CacheOptions = {} + ): Promise { + await this.ensureLoaded(); // Wait for load to complete + + const namespace = options.namespace || 'default'; + const namespaceData = this.getNamespaceData(namespace); + const now = Date.now(); + + const entry: CacheEntry = { + value, + createdAt: now, + expiresAt: options.ttl ? now + options.ttl : undefined, + metadata: options.metadata, + }; + + namespaceData[key] = entry; + this.stats.sets++; + this.updateStats(); + this.scheduleSave(); + } + + async delete(key: string, namespace?: string): Promise { + const namespaceData = this.getNamespaceData(namespace); + const existed = key in namespaceData; + + if (existed) { + delete namespaceData[key]; + this.stats.deletes++; + this.updateStats(); + this.scheduleSave(); + } + + return existed; + } + + async clear(namespace?: string): Promise { + if (namespace) { + const namespaceData = this.getNamespaceData(namespace); + const count = Object.keys(namespaceData).length; + this.data[namespace] = {}; + this.stats.deletes += count; + } else { + const totalCount = Object.values(this.data).reduce( + (sum, ns) => sum + Object.keys(ns).length, + 0 + ); + this.data = {}; + this.stats.deletes += totalCount; + } + + this.updateStats(); + this.scheduleSave(); + } + + async has(key: string, namespace?: string): Promise { + const namespaceData = this.getNamespaceData(namespace); + const entry = namespaceData[key]; + + if (!entry) return false; + + if (this.isExpired(entry)) { + delete namespaceData[key]; + this.stats.expired++; + this.scheduleSave(); + return false; + } + + return true; + } + + async keys(namespace?: string): Promise { + if (namespace) { + const namespaceData = this.getNamespaceData(namespace); + return Object.keys(namespaceData); + } + + const allKeys: string[] = []; + for (const namespaceData of Object.values(this.data)) { + allKeys.push(...Object.keys(namespaceData)); + } + return allKeys; + } + + async getStats(namespace?: string): Promise { + if (namespace) { + const namespaceData = this.getNamespaceData(namespace); + const keys = Object.keys(namespaceData); + let expired = 0; + + for (const key of keys) { + const entry = namespaceData[key]; + if (this.isExpired(entry)) { + expired++; + } + } + + return { + ...this.stats, + size: keys.length, + expired, + }; + } + + this.updateStats(); + return { ...this.stats }; + } + + async cleanup(): Promise { + let expiredCount = 0; + let hasChanges = false; + + for (const [, namespaceData] of Object.entries(this.data)) { + for (const [key, entry] of Object.entries(namespaceData)) { + if (this.isExpired(entry)) { + delete namespaceData[key]; + expiredCount++; + hasChanges = true; + } + } + } + + if (hasChanges) { + this.stats.expired += expiredCount; + this.updateStats(); + this.scheduleSave(); + logger.debug(`Cleaned up ${expiredCount} expired entries`); + } + } + + // Add method to check if ready + async waitForReady(): Promise { + await this.loadPromise; + } + + async close(): Promise { + if (this.saveTimer) { + clearTimeout(this.saveTimer); + await this.saveCache(); // Final save + } + + if (this.cleanupInterval) { + clearInterval(this.cleanupInterval); + this.cleanupInterval = undefined; + } + + logger.debug('File cache backend closed'); + } +} diff --git a/src/shared/services/cache/backends/memory.ts b/src/shared/services/cache/backends/memory.ts new file mode 100644 index 000000000..f1e225da4 --- /dev/null +++ b/src/shared/services/cache/backends/memory.ts @@ -0,0 +1,220 @@ +/** + * @file src/services/cache/backends/memory.ts + * In-memory cache backend implementation + */ + +import { CacheBackend, CacheEntry, CacheOptions, CacheStats } from '../types'; +// Using console.log for now to avoid build issues +const logger = { + debug: (msg: string, ...args: any[]) => + console.debug(`[MemoryCache] ${msg}`, ...args), + info: (msg: string, ...args: any[]) => + console.info(`[MemoryCache] ${msg}`, ...args), + warn: (msg: string, ...args: any[]) => + console.warn(`[MemoryCache] ${msg}`, ...args), + error: (msg: string, ...args: any[]) => + console.error(`[MemoryCache] ${msg}`, ...args), +}; + +export class MemoryCacheBackend implements CacheBackend { + private cache = new Map(); + private stats: CacheStats = { + hits: 0, + misses: 0, + sets: 0, + deletes: 0, + size: 0, + expired: 0, + }; + private cleanupInterval?: NodeJS.Timeout; + private maxSize: number; + + constructor(maxSize: number = 10000, cleanupIntervalMs: number = 60000) { + this.maxSize = maxSize; + this.startCleanup(cleanupIntervalMs); + } + + private startCleanup(intervalMs: number): void { + this.cleanupInterval = setInterval(() => { + this.cleanup(); + }, intervalMs); + } + + private getFullKey(key: string, namespace?: string): string { + return namespace ? `${namespace}:${key}` : key; + } + + private isExpired(entry: CacheEntry): boolean { + return entry.expiresAt !== undefined && entry.expiresAt <= Date.now(); + } + + private evictIfNeeded(): void { + if (this.cache.size >= this.maxSize) { + // Simple LRU: remove oldest entries + const entries = Array.from(this.cache.entries()); + entries.sort((a, b) => a[1].createdAt - b[1].createdAt); + + const toRemove = Math.floor(this.maxSize * 0.1); // Remove 10% + for (let i = 0; i < toRemove && i < entries.length; i++) { + this.cache.delete(entries[i][0]); + } + + logger.debug(`Evicted ${toRemove} entries due to size limit`); + } + } + + async get( + key: string, + namespace?: string + ): Promise | null> { + const fullKey = this.getFullKey(key, namespace); + const entry = this.cache.get(fullKey); + + if (!entry) { + this.stats.misses++; + return null; + } + + if (this.isExpired(entry)) { + this.cache.delete(fullKey); + this.stats.expired++; + this.stats.misses++; + return null; + } + + this.stats.hits++; + return entry as CacheEntry; + } + + async set( + key: string, + value: T, + options: CacheOptions = {} + ): Promise { + const fullKey = this.getFullKey(key, options.namespace); + const now = Date.now(); + + const entry: CacheEntry = { + value, + createdAt: now, + expiresAt: options.ttl ? now + options.ttl : undefined, + metadata: options.metadata, + }; + + this.evictIfNeeded(); + this.cache.set(fullKey, entry); + this.stats.sets++; + this.stats.size = this.cache.size; + } + + async delete(key: string, namespace?: string): Promise { + const fullKey = this.getFullKey(key, namespace); + const deleted = this.cache.delete(fullKey); + + if (deleted) { + this.stats.deletes++; + this.stats.size = this.cache.size; + } + + return deleted; + } + + async clear(namespace?: string): Promise { + if (namespace) { + const prefix = `${namespace}:`; + const keysToDelete = Array.from(this.cache.keys()).filter((key) => + key.startsWith(prefix) + ); + + for (const key of keysToDelete) { + this.cache.delete(key); + } + + this.stats.deletes += keysToDelete.length; + } else { + this.stats.deletes += this.cache.size; + this.cache.clear(); + } + + this.stats.size = this.cache.size; + } + + async has(key: string, namespace?: string): Promise { + const fullKey = this.getFullKey(key, namespace); + const entry = this.cache.get(fullKey); + + if (!entry) return false; + + if (this.isExpired(entry)) { + this.cache.delete(fullKey); + this.stats.expired++; + return false; + } + + return true; + } + + async keys(namespace?: string): Promise { + const allKeys = Array.from(this.cache.keys()); + + if (namespace) { + const prefix = `${namespace}:`; + return allKeys + .filter((key) => key.startsWith(prefix)) + .map((key) => key.substring(prefix.length)); + } + + return allKeys; + } + + async getStats(namespace?: string): Promise { + if (namespace) { + const prefix = `${namespace}:`; + const namespaceKeys = Array.from(this.cache.keys()).filter((key) => + key.startsWith(prefix) + ); + + let expired = 0; + for (const key of namespaceKeys) { + const entry = this.cache.get(key); + if (entry && this.isExpired(entry)) { + expired++; + } + } + + return { + ...this.stats, + size: namespaceKeys.length, + expired, + }; + } + + return { ...this.stats }; + } + + async cleanup(): Promise { + let expiredCount = 0; + + for (const [key, entry] of this.cache.entries()) { + if (this.isExpired(entry)) { + this.cache.delete(key); + expiredCount++; + } + } + + if (expiredCount > 0) { + this.stats.expired += expiredCount; + this.stats.size = this.cache.size; + logger.debug(`Cleaned up ${expiredCount} expired entries`); + } + } + + async close(): Promise { + if (this.cleanupInterval) { + clearInterval(this.cleanupInterval); + this.cleanupInterval = undefined; + } + this.cache.clear(); + logger.debug('Memory cache backend closed'); + } +} diff --git a/src/shared/services/cache/backends/redis.ts b/src/shared/services/cache/backends/redis.ts new file mode 100644 index 000000000..732104b71 --- /dev/null +++ b/src/shared/services/cache/backends/redis.ts @@ -0,0 +1,252 @@ +/** + * @file src/services/cache/backends/redis.ts + * Redis cache backend implementation + */ +import Redis from 'ioredis'; + +import { CacheBackend, CacheEntry, CacheOptions, CacheStats } from '../types'; + +// Using console.log for now to avoid build issues +const logger = { + debug: (msg: string, ...args: any[]) => + console.debug(`[RedisCache] ${msg}`, ...args), + info: (msg: string, ...args: any[]) => + console.info(`[RedisCache] ${msg}`, ...args), + warn: (msg: string, ...args: any[]) => + console.warn(`[RedisCache] ${msg}`, ...args), + error: (msg: string, ...args: any[]) => + console.error(`[RedisCache] ${msg}`, ...args), +}; + +// Redis client interface matching ioredis +interface RedisClient { + get(key: string): Promise; + set( + key: string, + value: string, + expiryMode?: string | any, + time?: number | string + ): Promise<'OK' | null>; + del(...keys: string[]): Promise; + exists(...keys: string[]): Promise; + keys(pattern: string): Promise; + flushdb(): Promise<'OK'>; + quit(): Promise<'OK'>; +} + +export class RedisCacheBackend implements CacheBackend { + private client: RedisClient; + private dbName: string; + + private stats: CacheStats = { + hits: 0, + misses: 0, + sets: 0, + deletes: 0, + size: 0, + expired: 0, + }; + + constructor(client: RedisClient, dbName: string) { + this.client = client; + this.dbName = dbName; + } + + private getFullKey(key: string, namespace?: string): string { + return namespace + ? `${this.dbName}:${namespace}:${key}` + : `${this.dbName}:default:${key}`; + } + + private serializeEntry(entry: CacheEntry): string { + return JSON.stringify(entry); + } + + private deserializeEntry(data: string): CacheEntry { + return JSON.parse(data); + } + + private isExpired(entry: CacheEntry): boolean { + return entry.expiresAt !== undefined && entry.expiresAt <= Date.now(); + } + + async get( + key: string, + namespace?: string + ): Promise | null> { + try { + const fullKey = this.getFullKey(key, namespace); + const data = await this.client.get(fullKey); + + if (!data) { + this.stats.misses++; + return null; + } + + const entry = this.deserializeEntry(data); + + // Double-check expiration (Redis TTL should handle this, but just in case) + if (this.isExpired(entry)) { + await this.client.del(fullKey); + this.stats.expired++; + this.stats.misses++; + return null; + } + + this.stats.hits++; + return entry; + } catch (error) { + logger.error('Redis get error:', error); + this.stats.misses++; + return null; + } + } + + async set( + key: string, + value: T, + options: CacheOptions = {} + ): Promise { + try { + const fullKey = this.getFullKey(key, options.namespace); + const now = Date.now(); + + const entry: CacheEntry = { + value, + createdAt: now, + expiresAt: options.ttl ? now + options.ttl : undefined, + metadata: options.metadata, + }; + + const serialized = this.serializeEntry(entry); + + if (options.ttl) { + // Set with TTL in seconds + const ttlSeconds = Math.ceil(options.ttl / 1000); + await this.client.set(fullKey, serialized, 'EX', ttlSeconds); + } else { + await this.client.set(fullKey, serialized); + } + + this.stats.sets++; + } catch (error) { + logger.error('Redis set error:', error); + throw error; + } + } + + async delete(key: string, namespace?: string): Promise { + try { + const fullKey = this.getFullKey(key, namespace); + const deleted = await this.client.del(fullKey); + + if (deleted > 0) { + this.stats.deletes++; + return true; + } + + return false; + } catch (error) { + logger.error('Redis delete error:', error); + return false; + } + } + + async clear(namespace?: string): Promise { + try { + const pattern = namespace + ? `${this.dbName}:${namespace}:*` + : `${this.dbName}:*`; + const keys = await this.client.keys(pattern); + + if (keys.length > 0) { + // Use single del call with spread operator for better performance + await this.client.del(...keys); + this.stats.deletes += keys.length; + } + } catch (error) { + logger.error('Redis clear error:', error); + throw error; + } + } + + async has(key: string, namespace?: string): Promise { + try { + const fullKey = this.getFullKey(key, namespace); + const exists = await this.client.exists(fullKey); + return exists > 0; + } catch (error) { + logger.error('Redis has error:', error); + return false; + } + } + + async keys(namespace?: string): Promise { + try { + const pattern = namespace + ? `${this.dbName}:${namespace}:*` + : `${this.dbName}:default:*`; + const fullKeys = await this.client.keys(pattern); + + // Extract the actual key part (remove the prefix) + const prefix = namespace + ? `${this.dbName}:${namespace}:` + : `${this.dbName}:default:`; + return fullKeys.map((key) => key.substring(prefix.length)); + } catch (error) { + logger.error('Redis keys error:', error); + return []; + } + } + + async getStats(namespace?: string): Promise { + try { + const pattern = namespace + ? `${this.dbName}:${namespace}:*` + : `${this.dbName}:*`; + const keys = await this.client.keys(pattern); + + return { + ...this.stats, + size: keys.length, + }; + } catch (error) { + logger.error('Redis getStats error:', error); + return { ...this.stats }; + } + } + + async cleanup(): Promise { + // Redis handles TTL automatically, so this is mostly a no-op + // We could scan for entries with manual expiration and clean them up + logger.debug('Redis cleanup - TTL handled automatically by Redis'); + } + + async close(): Promise { + try { + await this.client.quit(); + logger.debug('Redis cache backend closed'); + } catch (error) { + logger.error('Error closing Redis connection:', error); + } + } +} + +// Factory function to create Redis backend with ioredis +export function createRedisBackend( + redisUrl: string, + options?: any +): RedisCacheBackend { + // Extract dbName from options or use 'cache' as default + const dbName = options?.dbName || 'cache'; + + // Create ioredis client with URL and any additional options + // ioredis supports Redis URL format: redis://[username:password@]host[:port][/db] + const client = new Redis(redisUrl, { + ...options, + // Remove dbName from options as it's not an ioredis option + dbName: undefined, + }); + + return new RedisCacheBackend(client as RedisClient, dbName); +} diff --git a/src/shared/services/cache/index.ts b/src/shared/services/cache/index.ts new file mode 100644 index 000000000..7faa3a0f7 --- /dev/null +++ b/src/shared/services/cache/index.ts @@ -0,0 +1,478 @@ +/** + * @file src/services/cache/index.ts + * Unified cache service with pluggable backends + */ + +import { + CacheBackend, + CacheEntry, + CacheOptions, + CacheStats, + CacheConfig, +} from './types'; +import { MemoryCacheBackend } from './backends/memory'; +import { FileCacheBackend } from './backends/file'; +import { createRedisBackend } from './backends/redis'; +import { createCloudflareKVBackend } from './backends/cloudflareKV'; +// Using console.log for now to avoid build issues +const logger = { + debug: (msg: string, ...args: any[]) => + console.debug(`[CacheService] ${msg}`, ...args), + info: (msg: string, ...args: any[]) => + console.info(`[CacheService] ${msg}`, ...args), + warn: (msg: string, ...args: any[]) => + console.warn(`[CacheService] ${msg}`, ...args), + error: (msg: string, ...args: any[]) => + console.error(`[CacheService] ${msg}`, ...args), +}; + +const MS = { + '1_MINUTE': 1 * 60 * 1000, + '5_MINUTES': 5 * 60 * 1000, + '10_MINUTES': 10 * 60 * 1000, + '30_MINUTES': 30 * 60 * 1000, + '1_HOUR': 60 * 60 * 1000, + '6_HOURS': 6 * 60 * 60 * 1000, + '12_HOURS': 12 * 60 * 60 * 1000, + '1_DAY': 24 * 60 * 60 * 1000, + '7_DAYS': 7 * 24 * 60 * 60 * 1000, + '30_DAYS': 30 * 24 * 60 * 60 * 1000, +}; + +export class CacheService { + private backend: CacheBackend; + private defaultTtl?: number; + + constructor(config: CacheConfig) { + this.defaultTtl = config.defaultTtl; + this.backend = this.createBackend(config); + } + + private createBackend(config: CacheConfig): CacheBackend { + switch (config.backend) { + case 'memory': + return new MemoryCacheBackend(config.maxSize, config.cleanupInterval); + + case 'file': + return new FileCacheBackend( + config.dataDir, + config.fileName, + config.saveInterval, + config.cleanupInterval + ); + + case 'redis': + if (!config.redisUrl) { + throw new Error('Redis URL is required for Redis backend'); + } + return createRedisBackend(config.redisUrl, { + ...config.redisOptions, + dbName: config.dbName || 'cache', + }); + + case 'cloudflareKV': + if (!config.kvBindingName || !config.dbName) { + throw new Error( + 'Cloudflare KV binding name and db name are required for Cloudflare KV backend' + ); + } + return createCloudflareKVBackend( + config.env, + config.kvBindingName, + config.dbName + ); + + default: + throw new Error(`Unsupported cache backend: ${config.backend}`); + } + } + + /** + * Get a value from the cache + */ + async get(key: string, namespace?: string): Promise { + const entry = await this.backend.get(key, namespace); + return entry ? entry.value : null; + } + + /** + * Get the full cache entry (with metadata) + */ + async getEntry( + key: string, + namespace?: string + ): Promise | null> { + return this.backend.get(key, namespace); + } + + /** + * Set a value in the cache + */ + async set( + key: string, + value: T, + options: CacheOptions = {} + ): Promise { + const finalOptions = { + ...options, + ttl: options.ttl ?? this.defaultTtl, + }; + + await this.backend.set(key, value, finalOptions); + } + + /** + * Set a value with TTL in seconds (convenience method) + */ + async setWithTtl( + key: string, + value: T, + ttlSeconds: number, + namespace?: string + ): Promise { + await this.set(key, value, { + ttl: ttlSeconds * 1000, + namespace, + }); + } + + /** + * Delete a value from the cache + */ + async delete(key: string, namespace?: string): Promise { + return this.backend.delete(key, namespace); + } + + /** + * Check if a key exists in the cache + */ + async has(key: string, namespace?: string): Promise { + return this.backend.has(key, namespace); + } + + /** + * Get all keys in a namespace + */ + async keys(namespace?: string): Promise { + return this.backend.keys(namespace); + } + + /** + * Clear all entries in a namespace (or all entries if no namespace) + */ + async clear(namespace?: string): Promise { + await this.backend.clear(namespace); + } + + /** + * Get cache statistics + */ + async getStats(namespace?: string): Promise { + return this.backend.getStats(namespace); + } + + /** + * Manually trigger cleanup of expired entries + */ + async cleanup(): Promise { + await this.backend.cleanup(); + } + + /** + * Wait for the backend to be ready + */ + async waitForReady(): Promise { + if ('waitForReady' in this.backend) { + await (this.backend as any).waitForReady(); + } + } + + /** + * Close the cache and cleanup resources + */ + async close(): Promise { + await this.backend.close(); + } + + /** + * Get or set pattern - get value, or compute and cache it if not found + */ + async getOrSet( + key: string, + factory: () => Promise | T, + options: CacheOptions = {} + ): Promise { + const existing = await this.get(key, options.namespace); + if (existing !== null) { + return existing; + } + + const value = await factory(); + await this.set(key, value, options); + return value; + } + + /** + * Increment a numeric value (atomic operation for supported backends) + */ + async increment( + key: string, + delta: number = 1, + options: CacheOptions = {} + ): Promise { + // For backends that don't support atomic increment, we simulate it + const current = (await this.get(key, options.namespace)) || 0; + const newValue = current + delta; + await this.set(key, newValue, options); + return newValue; + } + + /** + * Set multiple values at once + */ + async setMany( + entries: Array<{ key: string; value: T; options?: CacheOptions }>, + defaultOptions: CacheOptions = {} + ): Promise { + const promises = entries.map(({ key, value, options }) => + this.set(key, value, { ...defaultOptions, ...options }) + ); + await Promise.all(promises); + } + + /** + * Get multiple values at once + */ + async getMany( + keys: string[], + namespace?: string + ): Promise> { + const promises = keys.map(async (key) => ({ + key, + value: await this.get(key, namespace), + })); + return Promise.all(promises); + } +} + +// Default cache instances for different use cases +let defaultCache: CacheService | null = null; +let tokenCache: CacheService | null = null; +let sessionCache: CacheService | null = null; +let configCache: CacheService | null = null; +let oauthStore: CacheService | null = null; +let mcpServersCache: CacheService | null = null; +/** + * Get or create the default cache instance + */ +export function getDefaultCache(): CacheService { + if (!defaultCache) { + throw new Error('Default cache instance not found'); + } + return defaultCache; +} + +/** + * Get or create the token cache instance + */ +export function getTokenCache(): CacheService { + if (!tokenCache) { + throw new Error('Token cache instance not found'); + } + return tokenCache; +} + +/** + * Get or create the session cache instance + */ +export function getSessionCache(): CacheService { + if (!sessionCache) { + throw new Error('Session cache instance not found'); + } + return sessionCache; +} + +/** + * Get or create the token introspection cache instance + */ +export function getTokenIntrospectionCache(): CacheService { + // Use the same cache as tokens, just different namespace + return getTokenCache(); +} + +/** + * Get or create the config cache instance + */ +export function getConfigCache(): CacheService { + if (!configCache) { + throw new Error('Config cache instance not found'); + } + return configCache; +} + +/** + * Get or create the oauth store cache instance + */ +export function getOauthStore(): CacheService { + if (!oauthStore) { + throw new Error('Oauth store cache instance not found'); + } + return oauthStore; +} + +export function getMcpServersCache(): CacheService { + if (!mcpServersCache) { + throw new Error('Mcp servers cache instance not found'); + } + return mcpServersCache; +} + +/** + * Initialize cache with custom configuration + */ +export function initializeCache(config: CacheConfig): CacheService { + return new CacheService(config); +} + +export async function createCacheBackendsLocal(): Promise { + defaultCache = new CacheService({ + backend: 'memory', + defaultTtl: MS['5_MINUTES'], + cleanupInterval: MS['5_MINUTES'], + maxSize: 1000, + }); + + tokenCache = new CacheService({ + backend: 'memory', + defaultTtl: MS['5_MINUTES'], + saveInterval: 1000, // 1 second + cleanupInterval: MS['5_MINUTES'], + maxSize: 1000, + }); + + sessionCache = new CacheService({ + backend: 'file', + dataDir: 'data', + fileName: 'sessions-cache.json', + defaultTtl: MS['30_MINUTES'], + saveInterval: 1000, // 1 second + cleanupInterval: MS['5_MINUTES'], + }); + await sessionCache.waitForReady(); + + configCache = new CacheService({ + backend: 'memory', + defaultTtl: MS['30_DAYS'], + cleanupInterval: MS['5_MINUTES'], + maxSize: 100, + }); + + oauthStore = new CacheService({ + backend: 'file', + dataDir: 'data', + fileName: 'oauth-store.json', + saveInterval: 1000, // 1 second + cleanupInterval: MS['10_MINUTES'], + }); + await oauthStore.waitForReady(); + + mcpServersCache = new CacheService({ + backend: 'file', + dataDir: 'data', + fileName: 'mcp-servers-auth.json', + saveInterval: 1000, // 5 seconds + cleanupInterval: MS['5_MINUTES'], + }); + await mcpServersCache.waitForReady(); +} + +export function createCacheBackendsRedis(redisUrl: string): void { + logger.info('Creating cache backends with Redis', redisUrl); + let commonOptions: CacheConfig = { + backend: 'redis', + redisUrl: redisUrl, + defaultTtl: MS['5_MINUTES'], + cleanupInterval: MS['5_MINUTES'], + maxSize: 1000, + }; + + defaultCache = new CacheService({ + ...commonOptions, + dbName: 'default', + }); + + tokenCache = new CacheService({ + backend: 'memory', + defaultTtl: MS['1_MINUTE'], + cleanupInterval: MS['1_MINUTE'], + maxSize: 1000, + }); + + sessionCache = new CacheService({ + ...commonOptions, + dbName: 'session', + }); + + configCache = new CacheService({ + ...commonOptions, + dbName: 'config', + defaultTtl: undefined, + }); + + oauthStore = new CacheService({ + ...commonOptions, + dbName: 'oauth', + defaultTtl: undefined, + }); + + mcpServersCache = new CacheService({ + ...commonOptions, + dbName: 'mcp', + defaultTtl: undefined, + }); +} + +export function createCacheBackendsCF(env: any): void { + let commonOptions: CacheConfig = { + backend: 'cloudflareKV', + env: env, + kvBindingName: 'KV_STORE', + defaultTtl: MS['5_MINUTES'], + }; + defaultCache = new CacheService({ + ...commonOptions, + dbName: 'default', + }); + + tokenCache = new CacheService({ + ...commonOptions, + dbName: 'token', + defaultTtl: MS['10_MINUTES'], + }); + + sessionCache = new CacheService({ + ...commonOptions, + dbName: 'session', + }); + + configCache = new CacheService({ + ...commonOptions, + dbName: 'config', + defaultTtl: MS['30_DAYS'], + }); + + oauthStore = new CacheService({ + ...commonOptions, + dbName: 'oauth', + defaultTtl: undefined, + }); + + mcpServersCache = new CacheService({ + ...commonOptions, + dbName: 'mcp', + defaultTtl: undefined, + }); +} + +// Re-export types for convenience +export * from './types'; diff --git a/src/shared/services/cache/types.ts b/src/shared/services/cache/types.ts new file mode 100644 index 000000000..8875572bc --- /dev/null +++ b/src/shared/services/cache/types.ts @@ -0,0 +1,57 @@ +/** + * @file src/services/cache/types.ts + * Type definitions for the unified cache system + */ + +export interface CacheEntry { + value: T; + expiresAt?: number; + createdAt: number; + metadata?: Record; +} + +export interface CacheOptions { + ttl?: number; // Time to live in milliseconds + namespace?: string; // Cache namespace for organization + metadata?: Record; // Additional metadata +} + +export interface CacheStats { + hits: number; + misses: number; + sets: number; + deletes: number; + size: number; + expired: number; +} + +export interface CacheBackend { + get(key: string, namespace?: string): Promise | null>; + set(key: string, value: T, options?: CacheOptions): Promise; + delete(key: string, namespace?: string): Promise; + clear(namespace?: string): Promise; + has(key: string, namespace?: string): Promise; + keys(namespace?: string): Promise; + getStats(namespace?: string): Promise; + cleanup(): Promise; // Remove expired entries + close(): Promise; // Cleanup resources +} + +export interface CacheConfig { + backend: 'memory' | 'file' | 'redis' | 'cloudflareKV'; + defaultTtl?: number; // Default TTL in milliseconds + cleanupInterval?: number; // Cleanup interval in milliseconds + // File backend options + dataDir?: string; + fileName?: string; + saveInterval?: number; // Debounce save interval + // Redis backend options + redisUrl?: string; + redisOptions?: any; + // Memory backend options + maxSize?: number; // Maximum number of entries + // Cloudflare KV backend options + env?: any; + kvBindingName?: string; + dbName?: string; +} diff --git a/src/shared/utils/logger.ts b/src/shared/utils/logger.ts new file mode 100644 index 000000000..3ad80ee63 --- /dev/null +++ b/src/shared/utils/logger.ts @@ -0,0 +1,128 @@ +/** + * @file src/utils/logger.ts + * Configurable logger utility for MCP Gateway + */ + +export enum LogLevel { + ERROR = 0, + CRITICAL = 1, // New level for critical information + WARN = 2, + INFO = 3, + DEBUG = 4, +} + +export interface LoggerConfig { + level: LogLevel; + prefix?: string; + timestamp?: boolean; + colors?: boolean; +} + +class Logger { + private config: LoggerConfig; + private colors = { + error: '\x1b[31m', // red + critical: '\x1b[35m', // magenta + warn: '\x1b[33m', // yellow + info: '\x1b[36m', // cyan + debug: '\x1b[37m', // white + reset: '\x1b[0m', + }; + + constructor(config: LoggerConfig) { + this.config = { + timestamp: true, + colors: true, + ...config, + }; + } + + private formatMessage(level: string, message: string): string { + const parts: string[] = []; + + if (this.config.timestamp) { + parts.push(`[${new Date().toISOString()}]`); + } + + if (this.config.prefix) { + parts.push(`[${this.config.prefix}]`); + } + + parts.push(`[${level.toUpperCase()}]`); + parts.push(message); + + return parts.join(' '); + } + + private log(level: LogLevel, levelName: string, message: string, data?: any) { + if (level > this.config.level) return; + + const formattedMessage = this.formatMessage(levelName, message); + const color = this.config.colors + ? this.colors[levelName as keyof typeof this.colors] + : ''; + const reset = this.config.colors ? this.colors.reset : ''; + + if (data !== undefined) { + console.log(`${color}${formattedMessage}${reset}`, data); + } else { + console.log(`${color}${formattedMessage}${reset}`); + } + } + + error(message: string, error?: Error | any) { + if (error instanceof Error) { + this.log(LogLevel.ERROR, 'error', `${message}: ${error.message}`); + if (this.config.level >= LogLevel.DEBUG) { + console.error(error.stack); + } + } else if (error) { + this.log(LogLevel.ERROR, 'error', message, error); + } else { + this.log(LogLevel.ERROR, 'error', message); + } + } + + critical(message: string, data?: any) { + this.log(LogLevel.CRITICAL, 'critical', message, data); + } + + warn(message: string, data?: any) { + this.log(LogLevel.WARN, 'warn', message, data); + } + + info(message: string, data?: any) { + this.log(LogLevel.INFO, 'info', message, data); + } + + debug(message: string, data?: any) { + this.log(LogLevel.DEBUG, 'debug', message, data); + } + + createChild(prefix: string): Logger { + return new Logger({ + ...this.config, + prefix: this.config.prefix ? `${this.config.prefix}:${prefix}` : prefix, + }); + } +} + +// Create default logger instance +const defaultConfig: LoggerConfig = { + level: process.env.LOG_LEVEL + ? LogLevel[process.env.LOG_LEVEL.toUpperCase() as keyof typeof LogLevel] || + LogLevel.ERROR + : process.env.NODE_ENV === 'production' + ? LogLevel.ERROR + : LogLevel.INFO, + timestamp: process.env.LOG_TIMESTAMP !== 'false', + colors: + process.env.LOG_COLORS !== 'false' && process.env.NODE_ENV !== 'production', +}; + +export const logger = new Logger(defaultConfig); + +// Helper to create a logger for a specific component +export function createLogger(prefix: string): Logger { + return logger.createChild(prefix); +} diff --git a/src/start-server.ts b/src/start-server.ts index f58da4231..ea8e36188 100644 --- a/src/start-server.ts +++ b/src/start-server.ts @@ -1,21 +1,44 @@ #!/usr/bin/env node +import { Context } from 'hono'; +import { streamSSE } from 'hono/streaming'; import { serve } from '@hono/node-server'; +import { createNodeWebSocket } from '@hono/node-ws'; +import minimist from 'minimist'; import app from './index'; -import { streamSSE } from 'hono/streaming'; -import { Context } from 'hono'; -import { createNodeWebSocket } from '@hono/node-ws'; +import mcpApp from './mcp/mcp-index'; + import { realTimeHandlerNode } from './handlers/realtimeHandlerNode'; import { requestValidator } from './middlewares/requestValidator'; -// Extract the port number from the command line arguments +// Extract the port number and flags from command line arguments using minimist const defaultPort = 8787; -const args = process.argv.slice(2); -const portArg = args.find((arg) => arg.startsWith('--port=')); -const port = portArg ? parseInt(portArg.split('=')[1]) : defaultPort; +const defaultMCPPort = process.env.PORT || 8788; + +const argv = minimist(process.argv.slice(2), { + default: { + port: defaultPort, + 'mcp-port': defaultMCPPort, + }, + boolean: ['llm-node', 'mcp-node', 'llm-grpc', 'headless'], +}); + +const port = argv.port; +const mcpPort = argv['mcp-port']; -const isHeadless = args.includes('--headless'); +// Add flags to choose what all to start (llm-node, llm-grpc, mcp-node) +// Default starts both llm-node and mcp-node + +let llmNode = argv['llm-node']; +let mcpNode = argv['mcp-node']; +let llmGrpc = argv['llm-grpc']; + +if (!llmNode && !mcpNode && !llmGrpc) { + llmNode = true; +} + +const isHeadless = argv.headless; // Setup static file serving only if not in headless mode if ( @@ -42,6 +65,7 @@ if ( // Set up routes app.get('/public/logs', serveIndex); + app.get('/public/mcp', serveIndex); app.get('/public/', serveIndex); // Redirect `/public` to `/public/` @@ -135,23 +159,6 @@ if ( }); } -const { injectWebSocket, upgradeWebSocket } = createNodeWebSocket({ app }); - -app.get( - '/v1/realtime', - requestValidator, - upgradeWebSocket(realTimeHandlerNode) -); - -const server = serve({ - fetch: app.fetch, - port: port, -}); - -const url = `http://localhost:${port}`; - -injectWebSocket(server); - // Loading animation function async function showLoadingAnimation() { const frames = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏']; @@ -159,7 +166,7 @@ async function showLoadingAnimation() { return new Promise((resolve) => { const interval = setInterval(() => { - process.stdout.write(`\r${frames[i]} Starting AI Gateway...`); + process.stdout.write(`\r${frames[i]} Starting...`); i = (i + 1) % frames.length; }, 80); @@ -173,12 +180,40 @@ async function showLoadingAnimation() { } // Clear the console and show animation before main output -console.clear(); await showLoadingAnimation(); +console.clear(); + +if (mcpNode) { + const mcpUrl = `http://localhost:${mcpPort}`; + const mcpServer = serve({ + fetch: mcpApp.fetch, + port: mcpPort, + }); + + console.log('\x1b[1m%s\x1b[0m', '🤯 MCP Gateway is running at:'); + console.log(' ' + '\x1b[1;4;32m%s\x1b[0m', `${mcpUrl}`); +} + +const url = `http://localhost:${port}`; + +if (llmNode) { + const { injectWebSocket, upgradeWebSocket } = createNodeWebSocket({ app }); -// Main server information with minimal spacing -console.log('\x1b[1m%s\x1b[0m', '🚀 Your AI Gateway is running at:'); -console.log(' ' + '\x1b[1;4;32m%s\x1b[0m', `${url}`); + app.get( + '/v1/realtime', + requestValidator, + upgradeWebSocket(realTimeHandlerNode) + ); + + const server = serve({ + fetch: app.fetch, + port: port, + }); + + injectWebSocket(server); + console.log('\x1b[1m%s\x1b[0m', '🚀 AI Gateway is running at:'); + console.log(' ' + '\x1b[1;4;32m%s\x1b[0m', `${url}`); +} // Secondary information on single lines if (!isHeadless) { diff --git a/wrangler-mcp.toml b/wrangler-mcp.toml new file mode 100644 index 000000000..9a37532fc --- /dev/null +++ b/wrangler-mcp.toml @@ -0,0 +1,51 @@ +name = "mcp-gateway" +compatibility_date = "2024-12-05" +main = "src/mcp-index.ts" +compatibility_flags = [ "nodejs_compat" ] +kv_namespaces = [ + { binding = "KV_STORE", id = "2947280d728245118ef33819d484247a", preview_id = "2947280d728245118ef33819d484247a" } +] + +[vars] +ENVIRONMENT = 'dev' +CUSTOM_HEADERS_TO_IGNORE = [] +LOG_LEVEL = 'DEBUG' +ALBUS_BASEPATH = 'https://albus.portkeydev.com' +CLIENT_ID = 'rubeus_h.auvP@ggVu_E78Q4dAnzsm8p3H*WBhBXee9' + + +# +#Configuration for DEVELOPMENT environment +# +[env.staging] +name = "mcp-gateway-dev" +kv_namespaces = [ + { binding = "KV_STORE", id = "c8e2099a1b7f4b72b618508d6428e88a", preview_id = "c8e2099a1b7f4b72b618508d6428e88a" } +] +routes = [ + { pattern = "mcp.portkeydev.com/*", zone_name = "portkeydev.com" } +] + + +[env.staging.observability.logs] +enabled = true +invocation_logs = false + +[env.staging.vars] +ENVIRONMENT = 'staging' +CUSTOM_HEADERS_TO_IGNORE = [] +LOG_LEVEL = 'info' +ALBUS_BASEPATH = 'https://albus.portkeydev.com' +CLIENT_ID = 'rubeus_h.auvP@ggVu_E78Q4dAnzsm8p3H*WBhBXee9' + +# +#Configuration for PRODUCTION environment +# +[env.production] +name = "rubeus" +logpush=true + +[env.production.vars] +ENVIRONMENT = 'production' +CUSTOM_HEADERS_TO_IGNORE = [] +LOG_LEVEL = 'error' diff --git a/wrangler.toml b/wrangler.toml index 378496704..28150821a 100644 --- a/wrangler.toml +++ b/wrangler.toml @@ -6,6 +6,7 @@ compatibility_flags = [ "nodejs_compat" ] [vars] ENVIRONMENT = 'dev' CUSTOM_HEADERS_TO_IGNORE = [] +LOG_LEVEL = 'debug' # #Configuration for DEVELOPMENT environment @@ -16,6 +17,7 @@ name = "rubeus-dev" [env.staging.vars] ENVIRONMENT = 'staging' CUSTOM_HEADERS_TO_IGNORE = [] +LOG_LEVEL = 'info' # @@ -28,3 +30,4 @@ logpush=true [env.production.vars] ENVIRONMENT = 'production' CUSTOM_HEADERS_TO_IGNORE = [] +LOG_LEVEL = 'error'