kontext_dev_core/

lib.rs

use serde::Deserialize;
use serde::Serialize;
use url::Url;

pub const DEFAULT_SCOPE: &str = "";
pub const DEFAULT_SERVER_NAME: &str = "kontext-dev";
pub const DEFAULT_RESOURCE: &str = "mcp-gateway";
pub const DEFAULT_AUTH_TIMEOUT_SECONDS: i64 = 300;
pub const DEFAULT_REDIRECT_URI: &str = "http://localhost:3333/callback";

fn default_scope() -> String {
    DEFAULT_SCOPE.to_string()
}

fn default_server_name() -> String {
    DEFAULT_SERVER_NAME.to_string()
}

fn default_resource() -> String {
    DEFAULT_RESOURCE.to_string()
}

fn default_open_connect_page_on_login() -> bool {
    true
}

fn default_auth_timeout_seconds() -> i64 {
    DEFAULT_AUTH_TIMEOUT_SECONDS
}

fn default_redirect_uri() -> String {
    DEFAULT_REDIRECT_URI.to_string()
}

fn default_token_type() -> String {
    "Bearer".to_string()
}

/// Configuration for the Kontext-Dev Rust SDK.
///
/// New-style runtime configuration uses `server` with PKCE + token exchange.
/// Legacy fields (`mcp_url`, `token_url`, `client_secret`) are still accepted
/// for backward compatibility and migration.
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
pub struct KontextDevConfig {
    /// Base API origin (for example: https://api.kontext.dev).
    ///
    /// If not set, the SDK falls back to deriving the origin from `mcp_url`
    /// or `token_url`.
    #[serde(default)]
    pub server: Option<String>,

    /// Optional explicit MCP gateway URL.
    /// Legacy field that is still supported.
    #[serde(default)]
    pub mcp_url: Option<String>,

    /// Optional explicit OAuth token endpoint URL.
    /// Legacy field that is still supported.
    #[serde(default)]
    pub token_url: Option<String>,

    /// OAuth client id.
    pub client_id: String,

    /// Optional OAuth client secret (for confidential clients).
    #[serde(default)]
    pub client_secret: Option<String>,

    /// Optional OAuth scopes for authorization (space-delimited).
    ///
    /// Empty by default to avoid requesting scopes that are not allowed
    /// for a given OAuth client configuration.
    #[serde(default = "default_scope")]
    pub scope: String,

    /// Name used when registering this server in clients.
    #[serde(default = "default_server_name")]
    pub server_name: String,

    /// Default resource identifier for RFC 8693 token exchange.
    #[serde(default = "default_resource")]
    pub resource: String,

    /// Optional hosted connect UI URL (for example: https://app.kontext.dev).
    #[serde(default)]
    pub integration_ui_url: Option<String>,

    /// Optional return URL for per-integration OAuth flows.
    #[serde(default)]
    pub integration_return_to: Option<String>,

    /// If true, SDK consumers may open the connect page after login.
    #[serde(default = "default_open_connect_page_on_login")]
    pub open_connect_page_on_login: bool,

    /// OAuth callback wait timeout in seconds.
    #[serde(default = "default_auth_timeout_seconds")]
    pub auth_timeout_seconds: i64,

    /// Optional token cache path for persisted login state.
    #[serde(default)]
    pub token_cache_path: Option<String>,

    /// OAuth redirect URI used by PKCE browser login.
    ///
    /// Must match one of the application's pre-registered redirect URIs.
    #[serde(default = "default_redirect_uri")]
    pub redirect_uri: String,
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
pub struct AccessToken {
    pub access_token: String,
    #[serde(default = "default_token_type")]
    pub token_type: String,
    #[serde(default)]
    pub expires_in: Option<i64>,
    #[serde(default)]
    pub refresh_token: Option<String>,
    #[serde(default)]
    pub scope: Option<String>,
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
pub struct TokenExchangeToken {
    pub access_token: String,
    pub issued_token_type: String,
    pub token_type: String,
    #[serde(default)]
    pub expires_in: Option<i64>,
    #[serde(default)]
    pub scope: Option<String>,
    #[serde(default)]
    pub refresh_token: Option<String>,
}

#[derive(Debug, thiserror::Error)]
pub enum KontextDevCoreError {
    #[error("Kontext-Dev server URL is missing. Set `server` or legacy `mcp_url`/`token_url`.")]
    MissingServerUrl,
    #[error("Kontext-Dev access token is empty")]
    EmptyAccessToken,
    #[error("failed to parse URL `{url}`")]
    InvalidUrl {
        url: String,
        source: url::ParseError,
    },
}

pub fn normalize_server_url(server: &str) -> String {
    let mut url = server.trim().trim_end_matches('/').to_string();

    if let Some(stripped) = url.strip_suffix("/api/v1") {
        url = stripped.to_string();
    }

    if let Some(stripped) = url.strip_suffix("/mcp") {
        url = stripped.to_string();
    }

    url.trim_end_matches('/').to_string()
}

fn parse_url(raw: &str) -> Result<Url, KontextDevCoreError> {
    Url::parse(raw).map_err(|source| KontextDevCoreError::InvalidUrl {
        url: raw.to_string(),
        source,
    })
}

fn derive_server_from_token_url(token_url: &str) -> Option<String> {
    let normalized = token_url.trim().trim_end_matches('/');
    normalized
        .strip_suffix("/oauth2/token")
        .map(ToString::to_string)
}

pub fn resolve_server_base_url(config: &KontextDevConfig) -> Result<String, KontextDevCoreError> {
    let candidate = if let Some(server) = &config.server {
        normalize_server_url(server)
    } else if let Some(mcp_url) = &config.mcp_url {
        normalize_server_url(mcp_url)
    } else if let Some(token_url) = &config.token_url {
        derive_server_from_token_url(token_url)
            .map(|s| normalize_server_url(&s))
            .unwrap_or_else(|| normalize_server_url(token_url))
    } else {
        return Err(KontextDevCoreError::MissingServerUrl);
    };

    let parsed = parse_url(&candidate)?;
    Ok(parsed.to_string().trim_end_matches('/').to_string())
}

fn join_url(base: &str, suffix: &str) -> Result<String, KontextDevCoreError> {
    let base = format!("{}/", base.trim_end_matches('/'));
    let base_url = parse_url(&base)?;
    let joined = base_url
        .join(suffix.trim_start_matches('/'))
        .map_err(|source| KontextDevCoreError::InvalidUrl {
            url: format!("{base}{suffix}"),
            source,
        })?;
    Ok(joined.to_string())
}

pub fn resolve_mcp_url(config: &KontextDevConfig) -> Result<String, KontextDevCoreError> {
    if let Some(mcp_url) = &config.mcp_url {
        let parsed = parse_url(mcp_url)?;
        return Ok(parsed.to_string());
    }

    let base = resolve_server_base_url(config)?;
    join_url(&base, "mcp")
}

pub fn resolve_token_url(config: &KontextDevConfig) -> Result<String, KontextDevCoreError> {
    if let Some(token_url) = &config.token_url {
        let parsed = parse_url(token_url)?;
        return Ok(parsed.to_string());
    }

    let base = resolve_server_base_url(config)?;
    join_url(&base, "oauth2/token")
}

pub fn resolve_authorize_url(config: &KontextDevConfig) -> Result<String, KontextDevCoreError> {
    let base = resolve_server_base_url(config)?;
    join_url(&base, "oauth2/authorize")
}

pub fn resolve_connect_session_url(
    config: &KontextDevConfig,
) -> Result<String, KontextDevCoreError> {
    let base = resolve_server_base_url(config)?;
    join_url(&base, "mcp/connect-session")
}

pub fn resolve_integration_oauth_init_url(
    config: &KontextDevConfig,
    integration_id: &str,
) -> Result<String, KontextDevCoreError> {
    let base = resolve_server_base_url(config)?;
    join_url(
        &base,
        &format!("mcp/integrations/{integration_id}/oauth/init"),
    )
}

pub fn resolve_integration_connection_url(
    config: &KontextDevConfig,
    integration_id: &str,
) -> Result<String, KontextDevCoreError> {
    let base = resolve_server_base_url(config)?;
    join_url(
        &base,
        &format!("mcp/integrations/{integration_id}/oauth/connection"),
    )
}

/// Legacy helper that appends `access_key` query parameter to the MCP URL.
///
/// Prefer bearer tokens with `resolve_mcp_url` + Authorization header for new integrations.
pub fn build_mcp_url(
    config: &KontextDevConfig,
    access_token: &str,
) -> Result<String, KontextDevCoreError> {
    if access_token.is_empty() {
        return Err(KontextDevCoreError::EmptyAccessToken);
    }

    let mcp_url = resolve_mcp_url(config)?;
    let mut url = parse_url(&mcp_url)?;
    url.query_pairs_mut()
        .append_pair("access_key", access_token);
    Ok(url.to_string())
}

#[cfg(test)]
mod tests {
    use super::*;
    use pretty_assertions::assert_eq;

    fn config() -> KontextDevConfig {
        KontextDevConfig {
            server: Some("http://localhost:4000".to_string()),
            mcp_url: None,
            token_url: None,
            client_id: "client".to_string(),
            client_secret: None,
            scope: default_scope(),
            server_name: default_server_name(),
            resource: default_resource(),
            integration_ui_url: None,
            integration_return_to: None,
            open_connect_page_on_login: default_open_connect_page_on_login(),
            auth_timeout_seconds: default_auth_timeout_seconds(),
            token_cache_path: None,
            redirect_uri: default_redirect_uri(),
        }
    }

    #[test]
    fn normalize_server_url_strips_api_and_mcp() {
        assert_eq!(
            normalize_server_url("http://localhost:4000"),
            "http://localhost:4000"
        );
        assert_eq!(
            normalize_server_url("http://localhost:4000/api/v1"),
            "http://localhost:4000"
        );
        assert_eq!(
            normalize_server_url("http://localhost:4000/mcp"),
            "http://localhost:4000"
        );
    }

    #[test]
    fn default_scope_is_empty() {
        assert_eq!(DEFAULT_SCOPE, "");
        assert_eq!(default_scope(), "");
    }

    #[test]
    fn resolve_urls_from_server() {
        let cfg = config();
        assert_eq!(
            resolve_mcp_url(&cfg).expect("mcp"),
            "http://localhost:4000/mcp"
        );
        assert_eq!(
            resolve_token_url(&cfg).expect("token"),
            "http://localhost:4000/oauth2/token"
        );
        assert_eq!(
            resolve_authorize_url(&cfg).expect("authorize"),
            "http://localhost:4000/oauth2/authorize"
        );
    }

    #[test]
    fn resolve_server_from_legacy_mcp_url() {
        let mut cfg = config();
        cfg.server = None;
        cfg.mcp_url = Some("http://localhost:4000/mcp".to_string());
        assert_eq!(
            resolve_server_base_url(&cfg).expect("base"),
            "http://localhost:4000"
        );
    }

    #[test]
    fn resolve_server_from_legacy_token_url() {
        let mut cfg = config();
        cfg.server = None;
        cfg.token_url = Some("http://localhost:4000/oauth2/token".to_string());
        assert_eq!(
            resolve_server_base_url(&cfg).expect("base"),
            "http://localhost:4000"
        );
    }

    #[test]
    fn build_mcp_url_appends_access_key() {
        let cfg = config();
        let url = build_mcp_url(&cfg, "token").expect("build_mcp_url failed");
        assert_eq!(url, "http://localhost:4000/mcp?access_key=token");
    }
}