Spaces:
Sleeping
Sleeping
File size: 14,719 Bytes
07af8f3 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 |
/**
* OAuth Callback Controller
*
* Handles OAuth 2.0 authorization callbacks for upstream MCP servers.
*
* This controller implements a simplified callback flow that relies on the MCP SDK
* to handle the complete OAuth token exchange:
*
* 1. Extract authorization code from callback URL
* 2. Find the corresponding server using the state parameter
* 3. Store the authorization code temporarily
* 4. Reconnect the server - SDK's auth() function will:
* - Automatically discover OAuth endpoints
* - Exchange the code for tokens using PKCE
* - Save tokens via our OAuthClientProvider.saveTokens()
*/
import { Request, Response } from 'express';
import {
getServerByName,
getServerByOAuthState,
createTransportFromConfig,
} from '../services/mcpService.js';
import { getNameSeparator, loadSettings } from '../config/index.js';
import type { ServerInfo } from '../types/index.js';
/**
* Generate HTML response page with i18n support
*/
const generateHtmlResponse = (
type: 'error' | 'success',
title: string,
message: string,
details?: { label: string; value: string }[],
autoClose: boolean = false,
): string => {
const backgroundColor = type === 'error' ? '#fee' : '#efe';
const borderColor = type === 'error' ? '#fcc' : '#cfc';
const titleColor = type === 'error' ? '#c33' : '#3c3';
const buttonColor = type === 'error' ? '#c33' : '#3c3';
return `
<!DOCTYPE html>
<html>
<head>
<title>${title}</title>
<style>
body { font-family: Arial, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
.container { background-color: ${backgroundColor}; border: 1px solid ${borderColor}; padding: 20px; border-radius: 8px; }
h1 { color: ${titleColor}; margin-top: 0; }
.detail { margin-top: 10px; padding: 10px; background: #f9f9f9; border-radius: 4px; ${type === 'error' ? 'font-family: monospace; font-size: 12px; white-space: pre-wrap;' : ''} }
.close-btn { margin-top: 20px; padding: 10px 20px; background: ${buttonColor}; color: white; border: none; border-radius: 4px; cursor: pointer; }
</style>
${autoClose ? '<script>setTimeout(() => { window.close(); }, 3000);</script>' : ''}
</head>
<body>
<div class="container">
<h1>${type === 'success' ? '✓ ' : ''}${title}</h1>
${details ? details.map((d) => `<div class="detail"><strong>${d.label}:</strong> ${d.value}</div>`).join('') : ''}
<p>${message}</p>
${autoClose ? '<p>This window will close automatically in 3 seconds...</p>' : ''}
<button class="close-btn" onclick="window.close()">${autoClose ? 'Close Now' : 'Close Window'}</button>
</div>
</body>
</html>
`;
};
const normalizeQueryParam = (value: unknown): string | undefined => {
if (typeof value === 'string') {
return value;
}
if (Array.isArray(value) && value.length > 0) {
const [first] = value;
return typeof first === 'string' ? first : undefined;
}
return undefined;
};
const extractServerNameFromState = (stateValue: string): string | undefined => {
try {
const normalized = stateValue.replace(/-/g, '+').replace(/_/g, '/');
const padding = (4 - (normalized.length % 4)) % 4;
const base64 = normalized + '='.repeat(padding);
const decoded = Buffer.from(base64, 'base64').toString('utf8');
const payload = JSON.parse(decoded);
if (payload && typeof payload.server === 'string') {
return payload.server;
}
} catch (error) {
// Ignore decoding errors and fall back to delimiter-based parsing
}
const separatorIndex = stateValue.indexOf(':');
if (separatorIndex > 0) {
return stateValue.slice(0, separatorIndex);
}
return undefined;
};
/**
* Handle OAuth callback after user authorization
*
* This endpoint receives the authorization code from the OAuth provider
* and initiates the server reconnection process.
*
* Expected query parameters:
* - code: Authorization code from OAuth provider
* - state: Encoded server identifier used for OAuth session validation
* - error: Optional error code if authorization failed
* - error_description: Optional error description
*/
export const handleOAuthCallback = async (req: Request, res: Response) => {
try {
const { code, state, error, error_description } = req.query;
const codeParam = normalizeQueryParam(code);
const stateParam = normalizeQueryParam(state);
// Get translation function from request (set by i18n middleware)
const t = (req as any).t || ((key: string) => key);
// Check for authorization errors
if (error) {
console.error(`OAuth authorization failed: ${error} - ${error_description || ''}`);
return res.status(400).send(
generateHtmlResponse('error', t('oauthCallback.authorizationFailed'), '', [
{ label: t('oauthCallback.authorizationFailedError'), value: String(error) },
...(error_description
? [
{
label: t('oauthCallback.authorizationFailedDetails'),
value: String(error_description),
},
]
: []),
]),
);
}
// Validate required parameters
if (!stateParam) {
console.error('OAuth callback missing state parameter');
return res
.status(400)
.send(
generateHtmlResponse(
'error',
t('oauthCallback.invalidRequest'),
t('oauthCallback.missingStateParameter'),
),
);
}
if (!codeParam) {
console.error('OAuth callback missing authorization code');
return res
.status(400)
.send(
generateHtmlResponse(
'error',
t('oauthCallback.invalidRequest'),
t('oauthCallback.missingCodeParameter'),
),
);
}
console.log(`OAuth callback received - code: present, state: ${stateParam}`);
// Find server by state parameter
let serverInfo: ServerInfo | undefined;
serverInfo = getServerByOAuthState(stateParam);
let decodedServerName: string | undefined;
if (!serverInfo) {
decodedServerName = extractServerNameFromState(stateParam);
if (decodedServerName) {
console.log(`State lookup failed; decoding server name from state: ${decodedServerName}`);
serverInfo = getServerByName(decodedServerName);
}
}
if (!serverInfo) {
console.error(
`No server found for OAuth callback. State: ${stateParam}${
decodedServerName ? `, decoded server: ${decodedServerName}` : ''
}`,
);
return res
.status(400)
.send(
generateHtmlResponse(
'error',
t('oauthCallback.serverNotFound'),
`${t('oauthCallback.serverNotFoundMessage')}\n${t('oauthCallback.sessionExpiredMessage')}`,
),
);
}
// Optional: Validate state parameter for additional security
if (serverInfo.oauth?.state && serverInfo.oauth.state !== stateParam) {
console.warn(
`State mismatch for server ${serverInfo.name}. Expected: ${serverInfo.oauth.state}, Got: ${stateParam}`,
);
// Note: We log a warning but don't fail the request since we have server name as primary identifier
}
console.log(`Processing OAuth callback for server: ${serverInfo.name}`);
// For StreamableHTTPClientTransport, we need to call finishAuth() on the transport
// This will exchange the authorization code for tokens automatically
if (serverInfo.transport && 'finishAuth' in serverInfo.transport) {
try {
console.log(`Calling transport.finishAuth() for server: ${serverInfo.name}`);
const currentTransport = serverInfo.transport as any;
await currentTransport.finishAuth(codeParam);
console.log(`Successfully exchanged authorization code for tokens: ${serverInfo.name}`);
// Refresh server configuration from disk to ensure we pick up newly saved tokens
const settings = loadSettings();
const storedConfig = settings.mcpServers?.[serverInfo.name];
const effectiveConfig = storedConfig || serverInfo.config;
if (!effectiveConfig) {
throw new Error(
`Missing server configuration for ${serverInfo.name} after OAuth callback`,
);
}
// Keep latest configuration cached on serverInfo
serverInfo.config = effectiveConfig;
// Ensure we have up-to-date request options for the reconnect attempt
if (!serverInfo.options) {
const requestConfig = effectiveConfig.options || {};
serverInfo.options = {
timeout: requestConfig.timeout || 60000,
resetTimeoutOnProgress: requestConfig.resetTimeoutOnProgress || false,
maxTotalTimeout: requestConfig.maxTotalTimeout,
};
}
// Replace the existing transport instance to avoid reusing a closed/aborted transport
try {
if (serverInfo.transport && 'close' in serverInfo.transport) {
await (serverInfo.transport as any).close();
}
} catch (closeError) {
console.warn(`Failed to close existing transport for ${serverInfo.name}:`, closeError);
}
console.log(
`Rebuilding transport with refreshed credentials for server: ${serverInfo.name}`,
);
const refreshedTransport = await createTransportFromConfig(
serverInfo.name,
effectiveConfig,
);
serverInfo.transport = refreshedTransport;
// Update server status to indicate OAuth is complete
serverInfo.status = 'connected';
if (serverInfo.oauth) {
serverInfo.oauth.authorizationUrl = undefined;
serverInfo.oauth.state = undefined;
serverInfo.oauth.codeVerifier = undefined;
}
// Check if client needs to be connected
const isClientConnected = serverInfo.client && serverInfo.client.getServerCapabilities();
if (!isClientConnected) {
// Client is not connected yet, connect it
if (serverInfo.client && serverInfo.transport) {
console.log(`Connecting client with refreshed transport for: ${serverInfo.name}`);
try {
await serverInfo.client.connect(serverInfo.transport, serverInfo.options);
console.log(`Client connected successfully for: ${serverInfo.name}`);
// List tools after successful connection
const capabilities = serverInfo.client.getServerCapabilities();
console.log(
`Server capabilities for ${serverInfo.name}:`,
JSON.stringify(capabilities),
);
if (capabilities?.tools) {
console.log(`Listing tools for server: ${serverInfo.name}`);
const toolsResult = await serverInfo.client.listTools({}, serverInfo.options);
const separator = getNameSeparator();
serverInfo.tools = toolsResult.tools.map((tool) => ({
name: `${serverInfo.name}${separator}${tool.name}`,
description: tool.description || '',
inputSchema: tool.inputSchema || {},
}));
console.log(
`Listed ${serverInfo.tools.length} tools for server: ${serverInfo.name}`,
);
} else {
console.log(`Server ${serverInfo.name} does not support tools capability`);
}
} catch (connectError) {
console.error(`Error connecting client for ${serverInfo.name}:`, connectError);
if (connectError instanceof Error) {
console.error(
`Connect error details for ${serverInfo.name}: ${connectError.message}`,
connectError.stack,
);
}
// Even if connection fails, mark OAuth as complete
// The user can try reconnecting from the dashboard
}
} else {
console.log(
`Cannot connect client for ${serverInfo.name}: client or transport missing`,
);
}
} else {
console.log(`Client already connected for server: ${serverInfo.name}`);
}
console.log(`Successfully completed OAuth flow for server: ${serverInfo.name}`);
// Return success page
return res.status(200).send(
generateHtmlResponse(
'success',
t('oauthCallback.authorizationSuccessful'),
`${t('oauthCallback.successMessage')}\n${t('oauthCallback.autoCloseMessage')}`,
[
{ label: t('oauthCallback.server'), value: serverInfo.name },
{ label: t('oauthCallback.status'), value: t('oauthCallback.connected') },
],
true, // auto-close
),
);
} catch (error) {
console.error(`Failed to complete OAuth flow for server ${serverInfo.name}:`, error);
console.error(`Error type: ${typeof error}, Error name: ${error?.constructor?.name}`);
console.error(`Error message: ${error instanceof Error ? error.message : String(error)}`);
console.error(`Error stack:`, error instanceof Error ? error.stack : 'No stack trace');
return res
.status(500)
.send(
generateHtmlResponse(
'error',
t('oauthCallback.connectionError'),
`${t('oauthCallback.connectionErrorMessage')}\n${t('oauthCallback.reconnectMessage')}`,
[{ label: '', value: error instanceof Error ? error.message : String(error) }],
),
);
}
} else {
// No transport available or transport doesn't support finishAuth
console.error(`Transport for server ${serverInfo.name} does not support finishAuth()`);
return res
.status(500)
.send(
generateHtmlResponse(
'error',
t('oauthCallback.configurationError'),
t('oauthCallback.configurationErrorMessage'),
),
);
}
} catch (error) {
console.error('Unexpected error handling OAuth callback:', error);
// Get translation function from request (set by i18n middleware)
const t = (req as any).t || ((key: string) => key);
return res
.status(500)
.send(
generateHtmlResponse(
'error',
t('oauthCallback.internalError'),
t('oauthCallback.internalErrorMessage'),
),
);
}
};
|