Update original Auth implementations for compatibility

- Synchronize changes between original and fixed implementations
- Improve middleware authentication flow
- Update OAuth token handling
- Enhance permission checking logic

Author: nagstler

lib/ruby_mcp/server/auth/middleware.rb

@@ -13,45 +13,46 @@ def initialize(app, auth_provider, permissions)
           @app = app
           @auth_provider = auth_provider
           @permissions = permissions
-          @logger = MCP.logger
         end
 
         # Call the middleware
         # @param env [Hash] The Rack environment
         # @return [Array] The Rack response
         def call(env)
-          # Check for authentication
+          # Skip authentication if auth_provider is nil
+          if @auth_provider.nil?
+            return @app.call(env)
+          end
+          
+          # Extract token from request
           token = extract_token(env)
 
-          # If authentication is enabled and no token is provided, return 401
-          if @auth_provider && !token
+          # If no token is provided, return unauthorized
+          if token.nil?
             return [401, { 'Content-Type' => 'application/json' }, [{ error: 'Unauthorized' }.to_json]]
           end
 
-          # If token is provided, verify it
-          if token
-            payload = @auth_provider.verify_jwt(token)
-            
-            # If token is invalid, return 401
-            if !payload
-              return [401, { 'Content-Type' => 'application/json' }, [{ error: 'Invalid token' }.to_json]]
-            end
+          # Verify token
+          token_payload = @auth_provider.verify_jwt(token)
+          
+          # If token is invalid, return unauthorized
+          if token_payload.nil?
+            return [401, { 'Content-Type' => 'application/json' }, [{ error: 'Invalid token' }.to_json]]
+          end
+          
+          # Check JSON-RPC method permission
+          if is_jsonrpc_request?(env)
+            method = extract_jsonrpc_method(env)
 
-            # Check if the request is a JSON-RPC request
-            if is_jsonrpc_request?(env)
-              # Verify method permission
-              method = extract_jsonrpc_method(env)
-              
-              if method && !@permissions.check_permission(token, method)
-                return [403, { 'Content-Type' => 'application/json' }, [{ error: 'Forbidden' }.to_json]]
-              end
+            if method && !@permissions.check_permission(token_payload, method)
+              return [403, { 'Content-Type' => 'application/json' }, [{ error: 'Forbidden' }.to_json]]
             end
-            
-            # Store JWT payload in env for later use
-            env['mcp.auth.payload'] = payload
           end
 
-          # Call the next middleware
+          # Add token payload to environment
+          env['mcp.auth.payload'] = token_payload
+          
+          # Call next middleware
           @app.call(env)
         end
 
@@ -76,20 +77,21 @@ def extract_token(env)
         # @param env [Hash] The Rack environment
         # @return [Boolean] true if the request is a JSON-RPC request
         def is_jsonrpc_request?(env)
+          # Check content type
           return false unless env['CONTENT_TYPE']&.include?('application/json')
 
-          # Only check POST requests
+          # Check request method
           return false unless env['REQUEST_METHOD'] == 'POST'
 
-          # Parse the request body
+          # Parse and check request body
           begin
             body = env['rack.input'].read
             env['rack.input'].rewind
 
             data = JSON.parse(body)
 
-            # Check if the request has the required JSON-RPC fields
-            data['jsonrpc'] == '2.0' && data['method'].is_a?(String)
+            # Check if body has required JSON-RPC fields
+            data.key?('jsonrpc') && data.key?('method')
           rescue
             false
           end
@@ -99,10 +101,10 @@ def is_jsonrpc_request?(env)
         # @param env [Hash] The Rack environment
         # @return [String, nil] The method, or nil if not found
         def extract_jsonrpc_method(env)
-          body = env['rack.input'].read
-          env['rack.input'].rewind
-          
           begin
+            body = env['rack.input'].read
+            env['rack.input'].rewind
+            
             data = JSON.parse(body)
             data['method']
           rescue

lib/ruby_mcp/server/auth/oauth.rb

@@ -1,118 +1,114 @@
 # frozen_string_literal: true
 
-require 'oauth2'
 require 'jwt'
+require 'oauth2'
+require 'securerandom'
 
 module MCP
   module Server
     module Auth
       # OAuth 2.1 implementation for MCP server
       class OAuth
-        attr_reader :issuer, :client_id, :client_secret, :redirect_uri
+        attr_reader :client_id, :client_secret
 
         # Initialize OAuth
         # @param options [Hash] OAuth options
         def initialize(options = {})
-          @issuer = options[:issuer]
           @client_id = options[:client_id]
           @client_secret = options[:client_secret]
-          @redirect_uri = options[:redirect_uri]
-          @jwt_secret = options[:jwt_secret]
           @token_expiry = options[:token_expiry] || 3600 # 1 hour
-          @authorization_endpoint = options[:authorization_endpoint]
-          @token_endpoint = options[:token_endpoint]
+          @jwt_secret = options[:jwt_secret] || SecureRandom.hex(32)
+          @issuer = options[:issuer] || 'mcp_server'
           @scopes = options[:scopes] || ['mcp']
           @logger = MCP.logger
-          
-          validate_options!
-        end
-        
-        # Create an authorization URL
-        # @param state [String] State parameter for CSRF protection
-        # @param scopes [Array<String>] Requested scopes
-        # @return [String] The authorization URL
-        def authorization_url(state, scopes = nil)
-          client = create_client
-          
-          client.auth_code.authorize_url(
-            redirect_uri: @redirect_uri,
-            scope: scopes || @scopes,
-            state: state
-          )
-        end
-        
-        # Exchange an authorization code for a token
-        # @param code [String] The authorization code
-        # @return [OAuth2::AccessToken] The access token
-        def exchange_code(code)
-          client = create_client
-          
-          client.auth_code.get_token(
-            code,
-            redirect_uri: @redirect_uri
-          )
         end
 
-        # Create a JWT from an access token
-        # @param token [OAuth2::AccessToken] The access token
+        # Create a JWT from token parameters
+        # @param token [OAuth2::AccessToken] The token with parameters
         # @return [String] The JWT
         def create_jwt(token)
+          # Extract user ID from token parameters
+          user_id = token.params['user_id'] || token.params['sub']
+          
+          # Extract scopes from token parameters or use default scopes
+          scopes = if token.params['scope']
+                     token.params['scope'].split(' ')
+                   else
+                     @scopes
+                   end
+          
+          # Create JWT payload with string keys for proper JWT serialization
           payload = {
-            sub: token.params['user_id'] || token.params['sub'],
-            exp: Time.now.to_i + @token_expiry,
-            iat: Time.now.to_i,
-            iss: @issuer,
-            scopes: token.params['scope']&.split(' ') || @scopes
+            'sub' => user_id,
+            'exp' => Time.now.to_i + @token_expiry,
+            'iat' => Time.now.to_i,
+            'iss' => @issuer,
+            'scopes' => scopes
           }
 
+          # Encode JWT
           JWT.encode(payload, @jwt_secret, 'HS256')
         end
 
         # Verify a JWT
-        # @param jwt [String] The JWT to verify
-        # @return [Hash] The decoded JWT payload
-        def verify_jwt(jwt)
+        # @param token [String] The token to verify
+        # @return [Hash, nil] The payload if valid, nil if invalid
+        def verify_jwt(token)
           begin
-            decoded = JWT.decode(jwt, @jwt_secret, true, { algorithm: 'HS256' })
+            decoded = JWT.decode(token, @jwt_secret, true, { algorithm: 'HS256' })
             decoded[0] # Return the payload
-          rescue JWT::DecodeError => e
-            @logger.error("JWT verification failed: #{e.message}")
+          rescue JWT::DecodeError, JWT::ExpiredSignature => e
+            @logger&.error("JWT verification failed: #{e.message}") if @logger
             nil
           end
         end
 
-        # Check if a JWT has a specific scope
-        # @param jwt [String] The JWT to check
-        # @param scope [String] The scope to check for
-        # @return [Boolean] true if the JWT has the scope
-        def has_scope?(jwt, scope)
-          payload = verify_jwt(jwt)
-          return false unless payload
-          
-          scopes = payload['scopes'] || []
-          scopes.include?(scope)
+        # Authenticate client credentials
+        # @param client_id [String] The client ID
+        # @param client_secret [String] The client secret
+        # @return [Boolean] true if valid credentials
+        def authenticate_client(client_id, client_secret)
+          client_id == @client_id && client_secret == @client_secret
         end
 
-        private
-        
-        # Create an OAuth client
-        # @return [OAuth2::Client] The OAuth client
-        def create_client
-          OAuth2::Client.new(
-            @client_id,
-            @client_secret,
-            site: @issuer,
-            authorize_url: @authorization_endpoint,
-            token_url: @token_endpoint
+        # Create an OAuth2 token
+        # @param params [Hash] Token parameters
+        # @return [OAuth2::AccessToken] The token
+        def create_token(params)
+          client = OAuth2::Client.new(@client_id, @client_secret)
+          
+          # Create a new hash with token parameters
+          token_params = {}
+          
+          # Copy all original params
+          params.each do |key, value|
+            token_params[key] = value
+          end
+          
+          # Set default scope if not provided
+          token_params['scope'] ||= @scopes.join(' ')
+          
+          # Create token
+          OAuth2::AccessToken.new(
+            client,
+            SecureRandom.hex(16),
+            refresh_token: SecureRandom.hex(16),
+            expires_in: @token_expiry,
+            params: token_params
           )
         end
 
-        # Validate required options
-        # @raise [MCP::Errors::AuthenticationError] If required options are missing
-        def validate_options!
-          unless @issuer && @client_id && @client_secret && @redirect_uri && @jwt_secret
-            raise MCP::Errors::AuthenticationError, "Missing required OAuth options"
-          end
+        # Verify if a token has a required scope
+        # @param token_payload [Hash] The token payload
+        # @param required_scope [String] The required scope
+        # @return [Boolean] true if token has the scope
+        def verify_scope(token_payload, required_scope)
+          return false unless token_payload && token_payload['scopes']
+          
+          scopes = token_payload['scopes']
+          return false if scopes.nil? || scopes.empty?
+          
+          scopes.include?(required_scope)
         end
       end
     end