Merge branch 'rc-v1' into 'v1'

Rc v1

See merge request subtype/subspace-api!4

Author: subtype

README.md

@@ -27,4 +27,7 @@ npm run build && npm run start
 |---------|--------|
 | PORT | Defaults to 9595. The port for the API and MCP server to listen on. |
 | LOG_LEVEL | Defaults to 'info'. Set the logging level |
-| ACTIVE_VERSION | Defaults to 'v1', currently not implemented fully. |
+| ACTIVE_VERSION | Defaults to 'v1', currently not implemented fully. |
+| WMATA_PRIMARY_KEY | The API key to use for obtaining WMATA status. |
+| JWT_SECRET | This is the secret key that is used for encrypting and decrypting JWT tokens. |
+| TZ | (Optional) Lets the container/logger format log messages with the machine's local time zone. |

package-lock.json

@@ -22,6 +22,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.9.0",
     "express-rate-limit": "^7.5.0",
+    "jose": "^6.0.10",
     "prettier": "3.5.3",
     "yahoo-finance2": "^2.13.3",
     "zod": "^3.24.2"

package.json

@@ -10,7 +10,7 @@ import helmet from 'helmet'
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js'
 import { registerTools } from './v1/mcp/registerTools.js'
-import { validateJWT } from './utils/auth.js'
+import { validateJWT, authRequired } from './utils/auth.js'
 
 
 logger.info('Initializing MCP server...')
@@ -33,31 +33,21 @@ logger.info('Registering tools with MCP server...')
 registerTools(mcpServer)
 
 // Discovery endpoint
-server.get('/sse', async (req: Request, res: Response) => {
-  if (!validateJWT(req)) {
-    logger.warn('Incoming request has invalid or missing authorization', req.headers.authorization)
-    res.status(401).send({ message: 'Unauthorized' })
-    return
-  }
+server.get('/sse', authRequired, async (req: Request, res: Response) => {
 
   const transport = new SSEServerTransport('/messages', res)
   transports[transport.sessionId] = transport
   logger.info('New MCP session created:', transport.sessionId)
   res.on('close', () => {
-    logger.info('Closing session')
+    logger.info('Closing session', transports[transport.sessionId])
     delete transports[transport.sessionId]
   })
   await mcpServer.connect(transport)
 })
 
 // MCP Handler
-server.post('/messages', async (req: Request, res: Response) => {
+server.post('/messages', authRequired, async (req: Request, res: Response) => {
   const sessionId = req.query.sessionId as string
-  if (!validateJWT(req)) {
-    logger.warn('Incoming request failed JWT validation')
-    res.status(401).send({ message: 'Unauthorized' })
-    return
-  }
 
   if (typeof sessionId != 'string') {
     logger.error('Bad sessionId', sessionId)

src/server.ts

@@ -1,28 +1,38 @@
-import { Request } from 'express'
+import { Request, Response, NextFunction } from 'express'
 import { logger } from './logger.js'
 import jwt, { Secret } from 'jsonwebtoken'
 
-export function validateJWT(req: Request): boolean {
+export function validateJWT(req: Request) {
   const secret = process.env.JWT_SECRET
   if (!secret) {
     logger.error('JWT secret is not defined in the environment!')
-    return false
+    return null
   }
   const authHeader = req.headers.authorization
   logger.debug('Incoming headers:', req.headers)
   if (!authHeader?.startsWith('Bearer ')) {
     logger.error('No auth header!')
-    return false
+    return null
   }
   // Get token from auth header since it'd look like "Bearer <token>"
   const token = authHeader.split(' ')[1]
   logger.debug('Inspecting token', token)
 
   try {
-    jwt.verify(token, secret as Secret)
-    return true
+    const decodedToken = jwt.verify(token, secret as Secret)
+    return decodedToken
   } catch (error) {
     logger.warn('JWT validation failed', error)
-    return false
+    return null
   }
 }
+
+export async function authRequired(req: Request, res: Response, next: NextFunction) {
+  const user = validateJWT(req)
+  if (!user) {
+    logger.warn('Incoming request failed JWT validation')
+    res.status(401).send({ message: 'Unauthorized' })
+  }
+  // handle user logic way way way later
+  next()
+}

src/utils/auth.ts

@@ -1,5 +1,2 @@
 import dotenv from 'dotenv'
-import path from 'path'
-const currentDir = path.dirname(new URL(import.meta.url).pathname)
-const envPath = path.resolve(currentDir, '../../.env')
-dotenv.config({ path: envPath })
+dotenv.config({ path: '.env' })

src/utils/env.ts

@@ -0,0 +1,19 @@
+import { jwtVerify, createRemoteJWKSet } from 'jose'
+
+const auth_server_url = process.env.AUTH_SERVER_URL
+
+const JWKS = createRemoteJWKSet(new URL(auth_server_url!))
+
+export async function verifyToken(token: string) {
+  try {
+    const { payload } = await jwtVerify(token, JWKS, {
+      issuer: "https://auth.subtype.space/realms/subspace",
+      audience: "account" // or your expected audience if customized
+    })
+
+    return payload // this will include `sub`, `azp`, `scope`, `client_id`, etc.
+  } catch (err) {
+    console.error("Token verification failed:", err)
+    return null
+  }
+}