UNPKG

@grebyn/toolflow-mcp-server

Version:

MCP server for managing other MCP servers - discover, install, organize into bundles, and automate with workflows. Uses StreamableHTTP transport with dual OAuth/API key authentication.

toolflow.dev

toolflow/toolflow-mcp

108 lines 4.18 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
/** * Token Pass-through Handler * * This handler does NOT validate JWTs locally. * It simply extracts the token and passes it to the backend API * where validation happens with the actual JWT secret. */ export class TokenPassthrough { apiEndpoint; constructor(apiEndpoint) { this.apiEndpoint = apiEndpoint; } /** * Extract token from request and validate with backend API */ async extractToken(req) { const authHeader = req.headers.authorization; // No authorization header - anonymous request if (!authHeader || !authHeader.startsWith('Bearer ')) { return { isAuthenticated: false }; } const token = authHeader.substring(7); // Remove "Bearer " prefix // Check for common OAuth implementation bugs if (token.startsWith('ac_')) { return { isAuthenticated: false, error: 'Authorization code received instead of JWT token. Client must exchange the authorization code for an access token first.' }; } // Validate token with backend API to get full user context try { const response = await fetch(`${this.apiEndpoint}/proxy`, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${token}` }, body: JSON.stringify({ operation: 'validateOAuthToken', params: {} }) }); if (!response.ok) { const errorText = await response.text(); return { isAuthenticated: false, error: `Token validation failed: ${errorText}` }; } const result = await response.json(); if (result.is_valid) { return { isAuthenticated: true, token: token, userId: result.user_id, email: result.email, organizationId: result.organization_id, sessionId: result.session_id, tokenJti: result.token_jti }; } else { return { isAuthenticated: false, error: 'Invalid or expired OAuth token' }; } } catch (error) { return { isAuthenticated: false, error: `Token validation error: ${error.message}` }; } } /** * Send unauthorized response when API rejects the token */ sendUnauthorizedResponse(req, res, error) { const host = req.headers.host; const protocol = req.headers['x-forwarded-proto'] || 'http'; const baseUrl = `${protocol}://${host}`; const protectedResourceMetadataUrl = `${baseUrl}/.well-known/oauth-protected-resource`; const authorizationServerMetadataUrl = `${baseUrl}/.well-known/oauth-authorization-server`; const errorResponse = { error: 'unauthorized', error_description: error ? error.message : 'OAuth authentication required', resource: protectedResourceMetadataUrl }; // MCP-compliant WWW-Authenticate header format const wwwAuthenticate = [ 'Bearer', `realm="MCP Server"`, `resource_metadata_uri="${protectedResourceMetadataUrl}"`, `authorization_uri="${baseUrl}/api/oauth/authorize"`, `discovery_uri="${authorizationServerMetadataUrl}"` ].join(', '); res.writeHead(401, { 'WWW-Authenticate': wwwAuthenticate, 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS', 'Access-Control-Allow-Headers': 'Content-Type, Authorization, mcp-protocol-version', }); res.end(JSON.stringify(errorResponse)); } } //# sourceMappingURL=token-passthrough.js.map