brainwires-mcp-server 0.9.0

MCP server framework with middleware pipeline for the Brainwires Agent Framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200

//! OAuth 2.1 JWT validation middleware for MCP servers.
//!
//! Validates `Authorization: Bearer <jwt>` tokens on incoming requests using
//! HMAC-SHA256 (HS256) shared-secret or RSA public-key (RS256) validation.
//!
//! # Token delivery
//! The MCP JSON-RPC layer does not carry HTTP headers, so this middleware
//! expects the raw JWT in `params._bearer_token`. Axum middleware should
//! copy the `Authorization: Bearer <token>` header value into that field
//! before handing the request to the MCP event loop.
//!
//! # Feature flag
//! Only compiled when the `oauth` feature is enabled.

use async_trait::async_trait;
use brainwires_mcp::{JsonRpcError, JsonRpcRequest};
use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode};

use super::{Middleware, MiddlewareResult};
use crate::connection::RequestContext;

/// OAuth 2.1 JWT validation middleware.
///
/// Validates `Authorization: Bearer <token>` JWTs using the provided decoding
/// key. Optionally enforces `iss` (issuer) and `aud` (audience) claims.
pub struct OAuthMiddleware {
    decoding_key: DecodingKey,
    validation: Validation,
}

impl OAuthMiddleware {
    /// Create an HS256 middleware from a shared HMAC secret.
    pub fn with_secret(secret: &[u8]) -> Self {
        Self {
            decoding_key: DecodingKey::from_secret(secret),
            validation: Validation::new(Algorithm::HS256),
        }
    }

    /// Create an RS256 middleware from an RSA public key PEM string.
    pub fn with_rsa_pem(pem: &str) -> Result<Self, jsonwebtoken::errors::Error> {
        Ok(Self {
            decoding_key: DecodingKey::from_rsa_pem(pem.as_bytes())?,
            validation: Validation::new(Algorithm::RS256),
        })
    }

    /// Require `iss` claim to equal the given issuer.
    pub fn require_issuer(mut self, issuer: impl Into<String>) -> Self {
        self.validation.set_issuer(&[issuer.into()]);
        self
    }

    /// Require `aud` claim to contain the given audience.
    pub fn require_audience(mut self, audience: impl Into<String>) -> Self {
        self.validation.set_audience(&[audience.into()]);
        self
    }

    fn reject(msg: &str) -> MiddlewareResult {
        MiddlewareResult::Reject(JsonRpcError {
            code: -32003,
            message: format!("Unauthorized: {}", msg),
            data: None,
        })
    }
}

#[async_trait]
impl Middleware for OAuthMiddleware {
    async fn process_request(
        &self,
        request: &JsonRpcRequest,
        ctx: &mut RequestContext,
    ) -> MiddlewareResult {
        // `initialize` is unauthenticated per MCP spec
        if request.method == "initialize" {
            return MiddlewareResult::Continue;
        }

        // Fast path: token already validated this session
        if ctx.get_metadata("oauth_validated").is_some() {
            return MiddlewareResult::Continue;
        }

        // Extract bearer token from params._bearer_token
        let token = match request
            .params
            .as_ref()
            .and_then(|p| p.get("_bearer_token"))
            .and_then(|v| v.as_str())
        {
            Some(t) => t,
            None => return Self::reject("missing _bearer_token in params"),
        };

        // Validate signature, expiry, and any configured claims
        match decode::<serde_json::Value>(token, &self.decoding_key, &self.validation) {
            Ok(_) => {
                ctx.set_metadata("oauth_validated".to_string(), serde_json::Value::Bool(true));
                MiddlewareResult::Continue
            }
            Err(e) => Self::reject(&e.to_string()),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use jsonwebtoken::{EncodingKey, Header, encode};
    use serde_json::json;

    fn make_token(secret: &[u8]) -> String {
        let claims = json!({ "sub": "test", "exp": 9999999999u64 });
        encode(
            &Header::default(),
            &claims,
            &EncodingKey::from_secret(secret),
        )
        .unwrap()
    }

    fn make_request(method: &str, token: Option<&str>) -> JsonRpcRequest {
        let params = token.map(|t| json!({ "_bearer_token": t }));
        JsonRpcRequest {
            jsonrpc: "2.0".to_string(),
            id: json!(1),
            method: method.to_string(),
            params,
        }
    }

    #[tokio::test]
    async fn valid_jwt_passes() {
        let secret = b"supersecret";
        let mw = OAuthMiddleware::with_secret(secret);
        let req = make_request("tools/call", Some(&make_token(secret)));
        let mut ctx = RequestContext::new(json!(1));
        assert!(matches!(
            mw.process_request(&req, &mut ctx).await,
            MiddlewareResult::Continue
        ));
    }

    #[tokio::test]
    async fn missing_token_rejects() {
        let mw = OAuthMiddleware::with_secret(b"secret");
        let req = make_request("tools/call", None);
        let mut ctx = RequestContext::new(json!(1));
        assert!(matches!(
            mw.process_request(&req, &mut ctx).await,
            MiddlewareResult::Reject(_)
        ));
    }

    #[tokio::test]
    async fn wrong_secret_rejects() {
        let token = make_token(b"correct_secret");
        let mw = OAuthMiddleware::with_secret(b"wrong_secret");
        let req = make_request("tools/call", Some(&token));
        let mut ctx = RequestContext::new(json!(1));
        assert!(matches!(
            mw.process_request(&req, &mut ctx).await,
            MiddlewareResult::Reject(_)
        ));
    }

    #[tokio::test]
    async fn initialize_skips_auth() {
        let mw = OAuthMiddleware::with_secret(b"secret");
        let req = make_request("initialize", None);
        let mut ctx = RequestContext::new(json!(1));
        assert!(matches!(
            mw.process_request(&req, &mut ctx).await,
            MiddlewareResult::Continue
        ));
    }

    #[tokio::test]
    async fn validated_token_cached_in_context() {
        let secret = b"supersecret";
        let mw = OAuthMiddleware::with_secret(secret);
        let mut ctx = RequestContext::new(json!(1));

        // First call validates and caches
        mw.process_request(
            &make_request("tools/call", Some(&make_token(secret))),
            &mut ctx,
        )
        .await;

        // Second call uses cached result — no token required
        assert!(matches!(
            mw.process_request(&make_request("tools/list", None), &mut ctx)
                .await,
            MiddlewareResult::Continue
        ));
    }
}