mcp.conf
1 year ago
mcp.js
1 year ago
mcp.md
1 year ago
mcp.php
1 year ago
mcp_core.php
1 year ago
mcp_rest.php
1 year ago
oauth.php
1 year ago
realtime.php
1 year ago
oauth.php
387 lines
| 1 | <?php |
| 2 | |
| 3 | class Meow_MWAI_Labs_OAuth { |
| 4 | private $core = null; |
| 5 | private $namespace = 'mcp/oauth'; |
| 6 | private $codes_option = 'mwai_oauth_codes'; |
| 7 | private $tokens_option = 'mwai_oauth_tokens'; |
| 8 | private $code_lifetime = 600; // 10 minutes |
| 9 | private $token_lifetime = 3600; // 1 hour |
| 10 | private $logging = false; |
| 11 | |
| 12 | public function __construct( $core, $logging = false ) { |
| 13 | $this->core = $core; |
| 14 | $this->logging = $logging; |
| 15 | |
| 16 | add_action( 'rest_api_init', [ $this, 'rest_api_init' ] ); |
| 17 | add_action( 'init', [ $this, 'handle_well_known' ] ); |
| 18 | } |
| 19 | |
| 20 | public function rest_api_init() { |
| 21 | // Authorization endpoint |
| 22 | register_rest_route( $this->namespace, '/authorize', [ |
| 23 | 'methods' => 'GET', |
| 24 | 'callback' => [ $this, 'handle_authorize' ], |
| 25 | 'permission_callback' => '__return_true', |
| 26 | ] ); |
| 27 | |
| 28 | // Token endpoint |
| 29 | register_rest_route( $this->namespace, '/token', [ |
| 30 | 'methods' => 'POST', |
| 31 | 'callback' => [ $this, 'handle_token' ], |
| 32 | 'permission_callback' => '__return_true', |
| 33 | ] ); |
| 34 | } |
| 35 | |
| 36 | // Handle .well-known/oauth-authorization-server |
| 37 | public function handle_well_known() { |
| 38 | if ( $_SERVER['REQUEST_URI'] === '/.well-known/oauth-authorization-server' ) { |
| 39 | if ( $this->logging ) { |
| 40 | error_log( '[OAuth] 🌐 Discovery endpoint requested.' ); |
| 41 | } |
| 42 | header( 'Content-Type: application/json' ); |
| 43 | $base_url = get_site_url(); |
| 44 | $discovery = [ |
| 45 | 'issuer' => $base_url, |
| 46 | 'authorization_endpoint' => $base_url . '/wp-json/mcp/oauth/authorize', |
| 47 | 'token_endpoint' => $base_url . '/wp-json/mcp/oauth/token', |
| 48 | 'scopes_supported' => [ 'mcp' ], |
| 49 | 'response_types_supported' => [ 'code' ], |
| 50 | 'grant_types_supported' => [ 'authorization_code' ], |
| 51 | 'token_endpoint_auth_methods_supported' => [ 'none' ], |
| 52 | 'code_challenge_methods_supported' => [ 'S256' ] |
| 53 | ]; |
| 54 | echo json_encode( $discovery, JSON_PRETTY_PRINT ); |
| 55 | exit; |
| 56 | } |
| 57 | } |
| 58 | |
| 59 | // Authorization endpoint |
| 60 | public function handle_authorize( $request ) { |
| 61 | if ( $this->logging ) { |
| 62 | error_log( '[OAuth] 🔐 Authorize: ' . $request->get_param( 'client_id' ) ); |
| 63 | } |
| 64 | |
| 65 | $response_type = $request->get_param( 'response_type' ); |
| 66 | $client_id = $request->get_param( 'client_id' ); |
| 67 | $redirect_uri = $request->get_param( 'redirect_uri' ); |
| 68 | $state = $request->get_param( 'state' ); |
| 69 | $code_challenge = $request->get_param( 'code_challenge' ); |
| 70 | $code_challenge_method = $request->get_param( 'code_challenge_method' ); |
| 71 | $scope = $request->get_param( 'scope' ); |
| 72 | |
| 73 | // Validate request |
| 74 | if ( $response_type !== 'code' ) { |
| 75 | return new WP_Error( 'invalid_request', 'Invalid response_type' ); |
| 76 | } |
| 77 | |
| 78 | if ( empty( $client_id ) || empty( $redirect_uri ) || empty( $code_challenge ) ) { |
| 79 | return new WP_Error( 'invalid_request', 'Missing required parameters' ); |
| 80 | } |
| 81 | |
| 82 | if ( $code_challenge_method && $code_challenge_method !== 'S256' ) { |
| 83 | return new WP_Error( 'invalid_request', 'Only S256 code challenge method is supported' ); |
| 84 | } |
| 85 | |
| 86 | // Check if user is logged in |
| 87 | if ( ! is_user_logged_in() ) { |
| 88 | // Store OAuth params in session/transient |
| 89 | $session_key = 'oauth_' . wp_generate_password( 16, false ); |
| 90 | set_transient( $session_key, [ |
| 91 | 'client_id' => $client_id, |
| 92 | 'redirect_uri' => $redirect_uri, |
| 93 | 'state' => $state, |
| 94 | 'code_challenge' => $code_challenge, |
| 95 | 'scope' => $scope ?: 'mcp' |
| 96 | ], 600 ); |
| 97 | |
| 98 | // Show login form |
| 99 | $this->show_login_form( $session_key ); |
| 100 | exit; |
| 101 | } |
| 102 | |
| 103 | // User is logged in, generate authorization code |
| 104 | $code = $this->generate_authorization_code( |
| 105 | get_current_user_id(), |
| 106 | $client_id, |
| 107 | $redirect_uri, |
| 108 | $code_challenge, |
| 109 | $scope ?: 'mcp' |
| 110 | ); |
| 111 | |
| 112 | // Redirect back with code |
| 113 | $redirect_params = [ |
| 114 | 'code' => $code, |
| 115 | 'state' => $state |
| 116 | ]; |
| 117 | |
| 118 | $redirect_url = add_query_arg( $redirect_params, $redirect_uri ); |
| 119 | wp_redirect( $redirect_url ); |
| 120 | exit; |
| 121 | } |
| 122 | |
| 123 | // Token endpoint |
| 124 | public function handle_token( $request ) { |
| 125 | if ( $this->logging ) { |
| 126 | $params = $request->get_params(); |
| 127 | // Don't log sensitive data like code_verifier |
| 128 | $safe_params = $params; |
| 129 | if ( isset( $safe_params['code_verifier'] ) ) { |
| 130 | $safe_params['code_verifier'] = '[REDACTED]'; |
| 131 | } |
| 132 | error_log( '[OAuth] 🎫 Token exchange for client: ' . $request->get_param( 'client_id' ) ); |
| 133 | } |
| 134 | |
| 135 | $grant_type = $request->get_param( 'grant_type' ); |
| 136 | $code = $request->get_param( 'code' ); |
| 137 | $client_id = $request->get_param( 'client_id' ); |
| 138 | $redirect_uri = $request->get_param( 'redirect_uri' ); |
| 139 | $code_verifier = $request->get_param( 'code_verifier' ); |
| 140 | |
| 141 | // Validate grant type |
| 142 | if ( $grant_type !== 'authorization_code' ) { |
| 143 | return new WP_Error( 'unsupported_grant_type', 'Only authorization_code grant type is supported', [ 'status' => 400 ] ); |
| 144 | } |
| 145 | |
| 146 | // Validate required parameters |
| 147 | if ( empty( $code ) || empty( $client_id ) || empty( $redirect_uri ) || empty( $code_verifier ) ) { |
| 148 | return new WP_Error( 'invalid_request', 'Missing required parameters', [ 'status' => 400 ] ); |
| 149 | } |
| 150 | |
| 151 | // Validate authorization code |
| 152 | $codes = get_option( $this->codes_option, [] ); |
| 153 | if ( ! isset( $codes[ $code ] ) ) { |
| 154 | return new WP_Error( 'invalid_grant', 'Invalid authorization code', [ 'status' => 400 ] ); |
| 155 | } |
| 156 | |
| 157 | $code_data = $codes[ $code ]; |
| 158 | |
| 159 | // Check if code is expired |
| 160 | if ( time() > $code_data['expires'] ) { |
| 161 | unset( $codes[ $code ] ); |
| 162 | update_option( $this->codes_option, $codes ); |
| 163 | return new WP_Error( 'invalid_grant', 'Authorization code has expired', [ 'status' => 400 ] ); |
| 164 | } |
| 165 | |
| 166 | // Validate client_id and redirect_uri |
| 167 | if ( $code_data['client_id'] !== $client_id || $code_data['redirect_uri'] !== $redirect_uri ) { |
| 168 | return new WP_Error( 'invalid_grant', 'Invalid client_id or redirect_uri', [ 'status' => 400 ] ); |
| 169 | } |
| 170 | |
| 171 | // Verify PKCE |
| 172 | $verifier_hash = base64_encode( hash( 'sha256', $code_verifier, true ) ); |
| 173 | $verifier_hash = rtrim( strtr( $verifier_hash, '+/', '-_' ), '=' ); // Base64 URL encoding |
| 174 | |
| 175 | if ( $verifier_hash !== $code_data['code_challenge'] ) { |
| 176 | return new WP_Error( 'invalid_grant', 'Invalid code_verifier', [ 'status' => 400 ] ); |
| 177 | } |
| 178 | |
| 179 | // Code is valid, remove it (one-time use) |
| 180 | unset( $codes[ $code ] ); |
| 181 | update_option( $this->codes_option, $codes ); |
| 182 | |
| 183 | // Generate access token |
| 184 | $access_token = $this->generate_access_token( $code_data['user_id'], $code_data['scope'] ); |
| 185 | |
| 186 | // Return token response |
| 187 | return [ |
| 188 | 'access_token' => $access_token, |
| 189 | 'token_type' => 'Bearer', |
| 190 | 'expires_in' => $this->token_lifetime, |
| 191 | 'scope' => $code_data['scope'] |
| 192 | ]; |
| 193 | } |
| 194 | |
| 195 | // Generate authorization code |
| 196 | private function generate_authorization_code( $user_id, $client_id, $redirect_uri, $code_challenge, $scope ) { |
| 197 | if ( $this->logging ) { |
| 198 | error_log( '[OAuth] � |
| 199 | Auth code generated for user ' . $user_id . '.' ); |
| 200 | } |
| 201 | |
| 202 | $code = wp_generate_password( 32, false ); |
| 203 | |
| 204 | $codes = get_option( $this->codes_option, [] ); |
| 205 | $codes[ $code ] = [ |
| 206 | 'user_id' => $user_id, |
| 207 | 'client_id' => $client_id, |
| 208 | 'redirect_uri' => $redirect_uri, |
| 209 | 'code_challenge' => $code_challenge, |
| 210 | 'scope' => $scope, |
| 211 | 'expires' => time() + $this->code_lifetime |
| 212 | ]; |
| 213 | |
| 214 | update_option( $this->codes_option, $codes ); |
| 215 | |
| 216 | return $code; |
| 217 | } |
| 218 | |
| 219 | // Generate access token |
| 220 | private function generate_access_token( $user_id, $scope ) { |
| 221 | if ( $this->logging ) { |
| 222 | error_log( '[OAuth] � |
| 223 | Access token generated for user ' . $user_id . '.' ); |
| 224 | } |
| 225 | |
| 226 | $token = wp_generate_password( 40, false ); |
| 227 | |
| 228 | $tokens = get_option( $this->tokens_option, [] ); |
| 229 | $tokens[ $token ] = [ |
| 230 | 'user_id' => $user_id, |
| 231 | 'scope' => $scope, |
| 232 | 'expires' => time() + $this->token_lifetime |
| 233 | ]; |
| 234 | |
| 235 | update_option( $this->tokens_option, $tokens ); |
| 236 | |
| 237 | return $token; |
| 238 | } |
| 239 | |
| 240 | // Validate access token |
| 241 | public function validate_token( $token ) { |
| 242 | $tokens = get_option( $this->tokens_option, [] ); |
| 243 | |
| 244 | if ( ! isset( $tokens[ $token ] ) ) { |
| 245 | return false; |
| 246 | } |
| 247 | |
| 248 | $token_data = $tokens[ $token ]; |
| 249 | |
| 250 | // Check if expired |
| 251 | if ( time() > $token_data['expires'] ) { |
| 252 | if ( $this->logging ) { |
| 253 | error_log( '[OAuth] ❌ Token validation failed: expired.' ); |
| 254 | } |
| 255 | unset( $tokens[ $token ] ); |
| 256 | update_option( $this->tokens_option, $tokens ); |
| 257 | return false; |
| 258 | } |
| 259 | |
| 260 | if ( $this->logging ) { |
| 261 | error_log( '[OAuth] � |
| 262 | Token valid for user ' . $token_data['user_id'] . '.' ); |
| 263 | } |
| 264 | |
| 265 | return $token_data; |
| 266 | } |
| 267 | |
| 268 | // Show login form |
| 269 | private function show_login_form( $session_key ) { |
| 270 | $login_url = wp_login_url( add_query_arg( 'oauth_session', $session_key, $_SERVER['REQUEST_URI'] ) ); |
| 271 | ?> |
| 272 | <!DOCTYPE html> |
| 273 | <html> |
| 274 | <head> |
| 275 | <title>Login Required</title> |
| 276 | <style> |
| 277 | body { |
| 278 | font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; |
| 279 | display: flex; |
| 280 | justify-content: center; |
| 281 | align-items: center; |
| 282 | height: 100vh; |
| 283 | margin: 0; |
| 284 | background: #f5f5f5; |
| 285 | } |
| 286 | .login-container { |
| 287 | background: white; |
| 288 | padding: 40px; |
| 289 | border-radius: 8px; |
| 290 | box-shadow: 0 2px 4px rgba(0,0,0,0.1); |
| 291 | text-align: center; |
| 292 | max-width: 400px; |
| 293 | } |
| 294 | h2 { |
| 295 | margin-top: 0; |
| 296 | color: #333; |
| 297 | } |
| 298 | p { |
| 299 | color: #666; |
| 300 | margin-bottom: 30px; |
| 301 | } |
| 302 | .login-button { |
| 303 | display: inline-block; |
| 304 | background: #0073aa; |
| 305 | color: white; |
| 306 | padding: 12px 24px; |
| 307 | text-decoration: none; |
| 308 | border-radius: 4px; |
| 309 | font-weight: 500; |
| 310 | } |
| 311 | .login-button:hover { |
| 312 | background: #005a87; |
| 313 | } |
| 314 | </style> |
| 315 | </head> |
| 316 | <body> |
| 317 | <div class="login-container"> |
| 318 | <h2>Authorization Required</h2> |
| 319 | <p>Please log in to authorize access to your MCP connector.</p> |
| 320 | <a href="<?php echo esc_url( $login_url ); ?>" class="login-button">Log In</a> |
| 321 | </div> |
| 322 | </body> |
| 323 | </html> |
| 324 | <?php |
| 325 | } |
| 326 | |
| 327 | // Handle OAuth callback after login |
| 328 | public function handle_oauth_callback() { |
| 329 | if ( isset( $_GET['oauth_session'] ) && is_user_logged_in() ) { |
| 330 | if ( $this->logging ) { |
| 331 | error_log( '[OAuth] 🔄 Callback handling for session.' ); |
| 332 | } |
| 333 | $session_key = sanitize_text_field( $_GET['oauth_session'] ); |
| 334 | $oauth_params = get_transient( $session_key ); |
| 335 | |
| 336 | if ( $oauth_params ) { |
| 337 | delete_transient( $session_key ); |
| 338 | |
| 339 | // Generate authorization code |
| 340 | $code = $this->generate_authorization_code( |
| 341 | get_current_user_id(), |
| 342 | $oauth_params['client_id'], |
| 343 | $oauth_params['redirect_uri'], |
| 344 | $oauth_params['code_challenge'], |
| 345 | $oauth_params['scope'] |
| 346 | ); |
| 347 | |
| 348 | // Redirect back with code |
| 349 | $redirect_params = [ |
| 350 | 'code' => $code, |
| 351 | 'state' => $oauth_params['state'] |
| 352 | ]; |
| 353 | |
| 354 | $redirect_url = add_query_arg( $redirect_params, $oauth_params['redirect_uri'] ); |
| 355 | wp_redirect( $redirect_url ); |
| 356 | exit; |
| 357 | } |
| 358 | } |
| 359 | } |
| 360 | |
| 361 | // Clean up expired tokens and codes |
| 362 | public function cleanup_expired() { |
| 363 | if ( $this->logging ) { |
| 364 | error_log( '[OAuth] 🧹 Cleaning expired tokens.' ); |
| 365 | } |
| 366 | |
| 367 | $now = time(); |
| 368 | |
| 369 | // Clean codes |
| 370 | $codes = get_option( $this->codes_option, [] ); |
| 371 | foreach ( $codes as $code => $data ) { |
| 372 | if ( $now > $data['expires'] ) { |
| 373 | unset( $codes[ $code ] ); |
| 374 | } |
| 375 | } |
| 376 | update_option( $this->codes_option, $codes ); |
| 377 | |
| 378 | // Clean tokens |
| 379 | $tokens = get_option( $this->tokens_option, [] ); |
| 380 | foreach ( $tokens as $token => $data ) { |
| 381 | if ( $now > $data['expires'] ) { |
| 382 | unset( $tokens[ $token ] ); |
| 383 | } |
| 384 | } |
| 385 | update_option( $this->tokens_option, $tokens ); |
| 386 | } |
| 387 | } |