turbomcp-auth 3.0.12

OAuth 2.1 and authentication for TurboMCP with MCP protocol compliance
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

//! API Key Authentication Provider
//!
//! Simple API key-based authentication for service-to-service communication.
//!
//! ## Security
//!
//! This provider uses constant-time comparison to prevent timing attacks on API keys.
//! See [`crate::api_key_validation`] for implementation details.

use std::collections::HashMap;
use std::future::Future;
use std::pin::Pin;
use std::sync::Arc;

use tokio::sync::RwLock;

use super::super::api_key_validation::validate_api_key;
use super::super::config::AuthProviderType;
use super::super::context::AuthContext;
use super::super::types::{AuthCredentials, AuthProvider, TokenInfo, UserInfo};
use turbomcp_protocol::{Error as McpError, Result as McpResult};

/// API Key authentication provider
#[derive(Debug)]
pub struct ApiKeyProvider {
    /// Provider name
    name: String,
    /// Valid API keys with associated user info
    api_keys: Arc<RwLock<HashMap<String, UserInfo>>>,
}

impl ApiKeyProvider {
    /// Create a new API key provider
    #[must_use]
    pub fn new(name: String) -> Self {
        Self {
            name,
            api_keys: Arc::new(RwLock::new(HashMap::new())),
        }
    }

    /// Add an API key
    pub async fn add_api_key(&self, key: String, user_info: UserInfo) {
        self.api_keys.write().await.insert(key, user_info);
    }

    /// Remove an API key
    pub async fn remove_api_key(&self, key: &str) -> bool {
        self.api_keys.write().await.remove(key).is_some()
    }

    /// List all API keys (returns keys only, not full info for security)
    pub async fn list_api_keys(&self) -> Vec<String> {
        self.api_keys.read().await.keys().cloned().collect()
    }
}

impl AuthProvider for ApiKeyProvider {
    fn name(&self) -> &str {
        &self.name
    }

    fn provider_type(&self) -> AuthProviderType {
        AuthProviderType::ApiKey
    }

    fn authenticate(
        &self,
        credentials: AuthCredentials,
    ) -> Pin<Box<dyn Future<Output = McpResult<AuthContext>> + Send + '_>> {
        Box::pin(async move {
            match credentials {
                AuthCredentials::ApiKey { key } => {
                    let api_keys = self.api_keys.read().await;

                    // Use constant-time comparison to prevent timing attacks
                    // Instead of HashMap::get (which uses string equality), we iterate
                    // and use secure comparison for each key
                    let mut matched_user_info: Option<UserInfo> = None;

                    for (stored_key, user_info) in api_keys.iter() {
                        if validate_api_key(&key, stored_key) {
                            matched_user_info = Some(user_info.clone());
                            break;
                        }
                    }

                    if let Some(user_info) = matched_user_info {
                        let token = TokenInfo {
                            access_token: key,
                            token_type: "ApiKey".to_string(),
                            refresh_token: None,
                            expires_in: None,
                            scope: None,
                        };

                        AuthContext::builder()
                            .subject(user_info.id.clone())
                            .user(user_info.clone())
                            .roles(vec!["api_user".to_string()])
                            .permissions(vec!["api_access".to_string()])
                            .request_id(uuid::Uuid::new_v4().to_string())
                            .token(token)
                            .provider(self.name.clone())
                            .build()
                            .map_err(|e| McpError::internal(e.to_string()))
                    } else {
                        Err(McpError::internal("Invalid API key".to_string()))
                    }
                }
                _ => Err(McpError::internal(
                    "Invalid credentials for API key provider".to_string(),
                )),
            }
        })
    }

    fn validate_token(
        &self,
        token: &str,
    ) -> Pin<Box<dyn Future<Output = McpResult<AuthContext>> + Send + '_>> {
        let token = token.to_string();
        Box::pin(async move {
            self.authenticate(AuthCredentials::ApiKey { key: token })
                .await
        })
    }

    fn refresh_token(
        &self,
        _refresh_token: &str,
    ) -> Pin<Box<dyn Future<Output = McpResult<TokenInfo>> + Send + '_>> {
        Box::pin(async {
            Err(McpError::internal(
                "API keys do not support token refresh".to_string(),
            ))
        })
    }

    fn revoke_token(
        &self,
        token: &str,
    ) -> Pin<Box<dyn Future<Output = McpResult<()>> + Send + '_>> {
        let token = token.to_string();
        Box::pin(async move {
            let removed = self.remove_api_key(&token).await;
            if removed {
                Ok(())
            } else {
                Err(McpError::internal("API key not found".to_string()))
            }
        })
    }

    fn get_user_info(
        &self,
        token: &str,
    ) -> Pin<Box<dyn Future<Output = McpResult<UserInfo>> + Send + '_>> {
        let token = token.to_string();
        Box::pin(async move {
            let api_keys = self.api_keys.read().await;

            // Use constant-time comparison to prevent timing attacks
            for (stored_key, user_info) in api_keys.iter() {
                if validate_api_key(&token, stored_key) {
                    return Ok(user_info.clone());
                }
            }

            Err(McpError::internal("Invalid API key".to_string()))
        })
    }
}