turbomcp-auth 3.0.12

OAuth 2.1 and authentication for TurboMCP with MCP protocol compliance
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295

//! RFC 8707 Resource Indicators for OAuth 2.0
//!
//! This module implements resource indicator support as required by the MCP specification.
//! Resource indicators bind access tokens to specific resource servers, preventing token
//! misuse across service boundaries.
//!
//! # MCP Requirements
//!
//! Per MCP specification:
//! - Clients MUST include the `resource` parameter in authorization and token requests
//! - The resource parameter MUST identify the MCP server canonical URI
//! - Servers MUST validate tokens were issued specifically for them
//!
//! # RFC 8707 Compliance
//!
//! This implementation follows RFC 8707 Section 2 for resource identifiers:
//! - Uses absolute URIs (https://api.example.com/path)
//! - Normalizes scheme and host to lowercase
//! - Removes fragments (forbidden by spec)
//! - Removes query parameters (normalized form)
//! - Preserves port numbers when non-default

use turbomcp_protocol::{Error as McpError, Result as McpResult};
use url::Url;

/// Validate and normalize a resource URI per RFC 8707
///
/// This function ensures the resource identifier meets RFC 8707 requirements
/// and returns it in canonical form for consistency.
///
/// # Requirements
///
/// - MUST be an absolute URI (scheme + host + path)
/// - MUST use http or https scheme
/// - MUST NOT contain fragments (#)
/// - SHOULD use lowercase scheme and host
/// - SHOULD omit trailing slash unless semantically significant
///
/// # Arguments
///
/// * `uri` - The resource URI to validate (e.g., "https://api.example.com/mcp")
///
/// # Returns
///
/// Canonical form of the URI suitable for use as a resource parameter
///
/// # Errors
///
/// Returns error if:
/// - URI is not a valid absolute URI
/// - Scheme is not http or https
/// - URI contains a fragment
/// - Host is missing
///
/// # Examples
///
/// ```rust
/// use turbomcp_auth::oauth2::validate_resource_uri;
///
/// // Valid URIs
/// assert_eq!(
///     validate_resource_uri("https://api.example.com/mcp").unwrap(),
///     "https://api.example.com/mcp"
/// );
///
/// // Normalizes scheme and host to lowercase
/// assert_eq!(
///     validate_resource_uri("HTTPS://API.EXAMPLE.COM/mcp").unwrap(),
///     "https://api.example.com/mcp"
/// );
///
/// // Preserves non-default ports
/// assert_eq!(
///     validate_resource_uri("https://api.example.com:8443/mcp").unwrap(),
///     "https://api.example.com:8443/mcp"
/// );
///
/// // Removes fragments (forbidden)
/// let result = validate_resource_uri("https://api.example.com#fragment");
/// assert!(result.is_err());
/// ```
pub fn validate_resource_uri(uri: &str) -> McpResult<String> {
    // Parse URL
    let url = Url::parse(uri)
        .map_err(|e| McpError::invalid_params(format!("Invalid resource URI format: {e}")))?;

    // Validate scheme (MCP requires https, but allow http for localhost development)
    match url.scheme() {
        "https" => {}
        "http" => {
            // Only allow http for localhost/127.0.0.1 (development only)
            if let Some(host) = url.host_str() {
                let is_localhost = host == "localhost"
                    || host == "127.0.0.1"
                    || host == "0.0.0.0"
                    || host == "[::1]"; // IPv6 localhost

                if !is_localhost {
                    return Err(McpError::invalid_params(
                        "Resource URI must use https scheme (http only allowed for localhost)"
                            .to_string(),
                    ));
                }
            }
        }
        scheme => {
            return Err(McpError::invalid_params(format!(
                "Resource URI must use http or https scheme, got: {scheme}"
            )));
        }
    }

    // Validate host is present
    let host = url.host_str().ok_or_else(|| {
        McpError::invalid_params("Resource URI must have a valid host".to_string())
    })?;

    // Reject fragments (RFC 8707 requirement)
    if url.fragment().is_some() {
        return Err(McpError::invalid_params(
            "Resource URI must not contain fragment (#)".to_string(),
        ));
    }

    // Build canonical URI
    // RFC 8707: normalize scheme and host to lowercase, preserve path
    let canonical = build_canonical_uri(&url, host)?;

    Ok(canonical)
}

/// Build canonical URI form per RFC 8707
fn build_canonical_uri(url: &Url, host: &str) -> McpResult<String> {
    let scheme = url.scheme().to_lowercase();
    let host_lower = host.to_lowercase();

    // Handle port (only include if non-default)
    let port_str = match url.port() {
        Some(port) => {
            // Check if it's the default port for the scheme
            let is_default = (scheme == "https" && port == 443) || (scheme == "http" && port == 80);

            if is_default {
                String::new()
            } else {
                format!(":{port}")
            }
        }
        None => String::new(),
    };

    // Get path, removing trailing slash unless it's just "/"
    let path = url.path();
    let normalized_path = if path == "/" {
        path.to_string()
    } else {
        path.trim_end_matches('/').to_string()
    };

    // Assemble canonical URI (scheme + host + port + path, no query or fragment)
    Ok(format!(
        "{scheme}://{host_lower}{port_str}{normalized_path}"
    ))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_valid_https_uri() {
        let uri = "https://api.example.com/mcp";
        let result = validate_resource_uri(uri).unwrap();
        assert_eq!(result, "https://api.example.com/mcp");
    }

    #[test]
    fn test_uri_normalization() {
        // Uppercase scheme and host should be normalized
        let uri = "HTTPS://API.EXAMPLE.COM/MCP";
        let result = validate_resource_uri(uri).unwrap();
        assert_eq!(result, "https://api.example.com/MCP"); // Path preserves case
    }

    #[test]
    fn test_trailing_slash_removal() {
        let uri = "https://api.example.com/mcp/";
        let result = validate_resource_uri(uri).unwrap();
        assert_eq!(result, "https://api.example.com/mcp");

        // Root path preserves slash
        let uri2 = "https://api.example.com/";
        let result2 = validate_resource_uri(uri2).unwrap();
        assert_eq!(result2, "https://api.example.com/");
    }

    #[test]
    fn test_port_handling() {
        // Non-default port preserved
        let uri = "https://api.example.com:8443/mcp";
        let result = validate_resource_uri(uri).unwrap();
        assert_eq!(result, "https://api.example.com:8443/mcp");

        // Default HTTPS port (443) omitted
        let uri2 = "https://api.example.com:443/mcp";
        let result2 = validate_resource_uri(uri2).unwrap();
        assert_eq!(result2, "https://api.example.com/mcp");

        // Default HTTP port (80) omitted
        let uri3 = "http://localhost:80/mcp";
        let result3 = validate_resource_uri(uri3).unwrap();
        assert_eq!(result3, "http://localhost/mcp");
    }

    #[test]
    fn test_localhost_http_allowed() {
        let uris = vec![
            "http://localhost/mcp",
            "http://127.0.0.1/mcp",
            "http://0.0.0.0/mcp",
            "http://[::1]/mcp",
        ];

        for uri in uris {
            let result = validate_resource_uri(uri);
            assert!(result.is_ok(), "Should allow http for {uri}");
        }
    }

    #[test]
    fn test_http_non_localhost_rejected() {
        let uri = "http://api.example.com/mcp";
        let result = validate_resource_uri(uri);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("https scheme"));
    }

    #[test]
    fn test_fragment_rejected() {
        let uri = "https://api.example.com/mcp#fragment";
        let result = validate_resource_uri(uri);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("fragment"));
    }

    #[test]
    fn test_invalid_scheme_rejected() {
        let uri = "ftp://api.example.com/mcp";
        let result = validate_resource_uri(uri);
        assert!(result.is_err());
    }

    #[test]
    fn test_missing_host_rejected() {
        // Invalid URI with missing host
        let uri = "https://";
        let result = validate_resource_uri(uri);
        assert!(result.is_err());

        // Relative URI (not absolute)
        let uri2 = "/path/to/resource";
        let result2 = validate_resource_uri(uri2);
        assert!(result2.is_err());
    }

    #[test]
    fn test_query_parameters_removed() {
        // Query parameters are stripped in canonical form
        let uri = "https://api.example.com/mcp?param=value";
        let result = validate_resource_uri(uri).unwrap();
        assert_eq!(result, "https://api.example.com/mcp");
    }

    #[test]
    fn test_mcp_examples() {
        // Examples from MCP specification
        let examples = vec![
            ("https://mcp.example.com/mcp", "https://mcp.example.com/mcp"),
            ("https://mcp.example.com", "https://mcp.example.com/"),
            (
                "https://mcp.example.com:8443",
                "https://mcp.example.com:8443/",
            ),
            (
                "https://mcp.example.com/server/mcp",
                "https://mcp.example.com/server/mcp",
            ),
        ];

        for (input, expected) in examples {
            let result = validate_resource_uri(input).unwrap();
            assert_eq!(result, expected, "Failed for input: {input}");
        }
    }
}