feat: add auth

Author: QuantGeekDev

README.md

@@ -1,6 +1,6 @@
 {
   "name": "mcp-framework",
-"version": "0.1.21-beta.9",
+  "version": "0.1.21-beta.12",
   "description": "Framework for building Model Context Protocol (MCP) servers in Typescript",
   "type": "module",
   "author": "Alex Andru <alex@andru.codes>",
@@ -40,13 +40,16 @@
     "commander": "^12.1.0",
     "execa": "^9.5.2",
     "find-up": "^7.0.0",
+    "jsonwebtoken": "^9.0.2",
     "prompts": "^2.4.2",
     "typescript": "^5.3.3",
     "zod": "^3.23.8"
   },
   "devDependencies": {
     "@modelcontextprotocol/sdk": "^0.6.0",
+    "@types/content-type": "^1.1.8",
     "@types/jest": "^29.5.12",
+    "@types/jsonwebtoken": "^9.0.8",
     "@types/node": "^20.11.24",
     "jest": "^29.7.0",
     "ts-jest": "^29.1.2"

package-lock.json

@@ -0,0 +1,7 @@
+export * from "./types.js";
+export * from "./providers/jwt.js";
+export * from "./providers/apikey.js";
+
+export type { AuthProvider, AuthConfig, AuthResult } from "./types.js";
+export type { JWTConfig } from "./providers/jwt.js";
+export type { APIKeyConfig } from "./providers/apikey.js";

package.json

@@ -0,0 +1,108 @@
+import { IncomingMessage } from "node:http";
+import { logger } from "../../core/Logger.js";
+import { AuthProvider, AuthResult, DEFAULT_AUTH_ERROR } from "../types.js";
+
+/**
+ * Configuration options for API key authentication
+ */
+export interface APIKeyConfig {
+  /**
+   * Valid API keys
+   */
+  keys: string[];
+
+  /**
+   * Name of the header containing the API key
+   * @default "X-API-Key"
+   */
+  headerName?: string;
+}
+
+/**
+ * API key-based authentication provider
+ */
+export class APIKeyAuthProvider implements AuthProvider {
+  private config: Required<APIKeyConfig>;
+
+  constructor(config: APIKeyConfig) {
+    this.config = {
+      headerName: "X-API-Key",
+      ...config
+    };
+
+    if (!this.config.keys?.length) {
+      throw new Error("At least one API key is required");
+    }
+  }
+
+  /**
+   * Get the number of configured API keys
+   */
+  getKeyCount(): number {
+    return this.config.keys.length;
+  }
+
+  /**
+   * Get the configured header name
+   */
+  getHeaderName(): string {
+    return this.config.headerName;
+  }
+
+  async authenticate(req: IncomingMessage): Promise<boolean | AuthResult> {
+    logger.debug(`API Key auth attempt from ${req.socket.remoteAddress}`);
+    
+    logger.debug(`All request headers: ${JSON.stringify(req.headers, null, 2)}`);
+    
+    const headerVariations = [
+      this.config.headerName,
+      this.config.headerName.toLowerCase(),
+      this.config.headerName.toUpperCase(),
+      'x-api-key',
+      'X-API-KEY',
+      'X-Api-Key'
+    ];
+    
+    logger.debug(`Looking for header variations: ${headerVariations.join(', ')}`);
+    
+    let apiKey: string | undefined;
+    let matchedHeader: string | undefined;
+
+    for (const [key, value] of Object.entries(req.headers)) {
+      const lowerKey = key.toLowerCase();
+      if (headerVariations.some(h => h.toLowerCase() === lowerKey)) {
+        apiKey = Array.isArray(value) ? value[0] : value;
+        matchedHeader = key;
+        break;
+      }
+    }
+    
+    if (!apiKey) {
+      logger.debug(`API Key header missing. Checked variations: ${headerVariations.join(', ')}`);
+      logger.debug(`Available headers: ${Object.keys(req.headers).join(', ')}`);
+      return false;
+    }
+
+    logger.debug(`Found API key in header: ${matchedHeader}`);
+    logger.debug(`Comparing provided key: ${apiKey.substring(0, 3)}... with ${this.config.keys.length} configured keys`);
+    
+    for (const validKey of this.config.keys) {
+      logger.debug(`Comparing with key: ${validKey.substring(0, 3)}...`);
+      if (apiKey === validKey) {
+        logger.debug(`API Key authentication successful - matched key starting with ${validKey.substring(0, 3)}...`);
+        return true;
+      }
+    }
+
+    logger.debug(`Invalid API Key provided: ${apiKey.substring(0, 3)}...`);
+    logger.debug(`Expected one of: ${this.config.keys.map(k => k.substring(0, 3) + '...').join(', ')}`);
+    return false;
+  }
+
+  getAuthError() {
+    return {
+      ...DEFAULT_AUTH_ERROR,
+      message: "Invalid API key"
+    };
+  }
+}

src/auth/index.ts

@@ -0,0 +1,86 @@
+import { IncomingMessage } from "node:http";
+import jwt, { Algorithm } from "jsonwebtoken";
+import { AuthProvider, AuthResult, DEFAULT_AUTH_ERROR } from "../types.js";
+
+/**
+ * Configuration options for JWT authentication
+ */
+export interface JWTConfig {
+  /**
+   * Secret key for verifying JWT tokens
+   */
+  secret: string;
+
+  /**
+   * Allowed JWT algorithms
+   * @default ["HS256"]
+   */
+  algorithms?: Algorithm[];
+
+  /**
+   * Name of the header containing the JWT token
+   * @default "Authorization"
+   */
+  headerName?: string;
+
+  /**
+   * Whether to require "Bearer" prefix in Authorization header
+   * @default true
+   */
+  requireBearer?: boolean;
+}
+
+/**
+ * JWT-based authentication provider
+ */
+export class JWTAuthProvider implements AuthProvider {
+  private config: Required<JWTConfig>;
+
+  constructor(config: JWTConfig) {
+    this.config = {
+      algorithms: ["HS256"],
+      headerName: "Authorization",
+      requireBearer: true,
+      ...config
+    };
+
+    if (!this.config.secret) {
+      throw new Error("JWT secret is required");
+    }
+  }
+
+  async authenticate(req: IncomingMessage): Promise<boolean | AuthResult> {
+    const authHeader = req.headers[this.config.headerName.toLowerCase()];
+    
+    if (!authHeader || typeof authHeader !== "string") {
+      return false;
+    }
+
+    let token = authHeader;
+    if (this.config.requireBearer) {
+      if (!authHeader.startsWith("Bearer ")) {
+        return false;
+      }
+      token = authHeader.split(" ")[1];
+    }
+
+    try {
+      const decoded = jwt.verify(token, this.config.secret, {
+        algorithms: this.config.algorithms
+      });
+
+      return {
+        data: typeof decoded === "object" ? decoded : { sub: decoded }
+      };
+    } catch (err) {
+      return false;
+    }
+  }
+
+  getAuthError() {
+    return {
+      ...DEFAULT_AUTH_ERROR,
+      message: "Invalid or expired JWT token"
+    };
+  }
+}

src/auth/providers/apikey.ts

@@ -0,0 +1,63 @@
+import { IncomingMessage } from "node:http";
+
+/**
+ * Result of successful authentication
+ */
+export interface AuthResult {
+  /**
+   * User or token data from authentication
+   */
+  data?: Record<string, any>;
+}
+
+/**
+ * Base interface for authentication providers
+ */
+export interface AuthProvider {
+  /**
+   * Authenticate an incoming request
+   * @param req The incoming HTTP request
+   * @returns Promise resolving to boolean or AuthResult
+   */
+  authenticate(req: IncomingMessage): Promise<boolean | AuthResult>;
+
+  /**
+   * Get error details for failed authentication
+   */
+  getAuthError?(): { status: number; message: string };
+}
+
+/**
+ * Authentication configuration for transport
+ */
+export interface AuthConfig {
+  /**
+   * Authentication provider implementation
+   */
+  provider: AuthProvider;
+
+  /**
+   * Per-endpoint authentication configuration
+   */
+  endpoints?: {
+    /**
+     * Whether to authenticate SSE connection endpoint
+     * @default false
+     */
+    sse?: boolean;
+
+    /**
+     * Whether to authenticate message endpoint
+     * @default true
+     */
+    messages?: boolean;
+  };
+}
+
+/**
+ * Default authentication error
+ */
+export const DEFAULT_AUTH_ERROR = {
+  status: 401,
+  message: "Unauthorized"
+};