1use anyhow::{Context, Result, anyhow, bail};
4use base64::Engine;
5use base64::engine::general_purpose::URL_SAFE_NO_PAD;
6use reqwest::{Client, Url};
7use ring::rand::{SecureRandom, SystemRandom};
8use serde::{Deserialize, Serialize};
9use std::collections::BTreeMap;
10
11use crate::credentials::{AuthCredentialsStoreMode, CredentialStorage};
12use crate::pkce::{PkceChallenge, generate_pkce_challenge};
13
14const DEFAULT_CALLBACK_PORT: u16 = 8768;
15const DEFAULT_FLOW_TIMEOUT_SECS: u64 = 300;
16const REFRESH_SKEW_SECS: u64 = 60;
17
18#[derive(Debug, Clone, Serialize, Deserialize)]
20#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
21#[serde(default)]
22pub struct McpOAuthConfig {
23 pub authorization_url: String,
25 pub token_url: String,
27 pub client_id: String,
29 #[serde(default)]
31 pub scopes: Vec<String>,
32 #[serde(default)]
34 pub audience: Option<String>,
35 pub callback_port: u16,
37 pub flow_timeout_secs: u64,
39 #[serde(default)]
41 pub credentials_store_mode: AuthCredentialsStoreMode,
42 #[serde(default)]
44 pub extra_auth_params: BTreeMap<String, String>,
45 #[serde(default)]
47 pub extra_token_params: BTreeMap<String, String>,
48}
49
50impl Default for McpOAuthConfig {
51 fn default() -> Self {
52 Self {
53 authorization_url: String::new(),
54 token_url: String::new(),
55 client_id: String::new(),
56 scopes: Vec::new(),
57 audience: None,
58 callback_port: DEFAULT_CALLBACK_PORT,
59 flow_timeout_secs: DEFAULT_FLOW_TIMEOUT_SECS,
60 credentials_store_mode: AuthCredentialsStoreMode::default(),
61 extra_auth_params: BTreeMap::new(),
62 extra_token_params: BTreeMap::new(),
63 }
64 }
65}
66
67impl McpOAuthConfig {
68 pub fn validate(&self, provider_name: &str) -> Result<()> {
69 if self.authorization_url.trim().is_empty() {
70 bail!("MCP provider '{provider_name}' is missing oauth.authorization_url");
71 }
72 if self.token_url.trim().is_empty() {
73 bail!("MCP provider '{provider_name}' is missing oauth.token_url");
74 }
75 if self.client_id.trim().is_empty() {
76 bail!("MCP provider '{provider_name}' is missing oauth.client_id");
77 }
78 Ok(())
79 }
80
81 fn callback_url(&self) -> String {
82 format!("http://localhost:{}/auth/callback", self.callback_port)
83 }
84}
85
86#[derive(Debug, Clone, Serialize, Deserialize)]
88pub struct McpOAuthToken {
89 pub access_token: String,
90 pub refresh_token: Option<String>,
91 pub token_type: Option<String>,
92 pub scope: Option<String>,
93 pub obtained_at: u64,
94 pub expires_at: Option<u64>,
95}
96
97impl McpOAuthToken {
98 pub fn is_refresh_due(&self) -> bool {
99 self.expires_at
100 .is_some_and(|expires_at| now_secs().saturating_add(REFRESH_SKEW_SECS) >= expires_at)
101 }
102}
103
104#[derive(Debug, Clone)]
106pub enum McpOAuthStatus {
107 Authenticated {
108 age_seconds: u64,
109 expires_in: Option<u64>,
110 },
111 NotAuthenticated,
112}
113
114#[derive(Debug, Clone)]
116pub struct McpOAuthPreparedLogin {
117 pub auth_url: String,
118 pub callback_port: u16,
119 pub timeout_secs: u64,
120 pkce: PkceChallenge,
121 state: String,
122}
123
124impl McpOAuthPreparedLogin {
125 #[must_use]
126 pub fn expected_state(&self) -> &str {
127 &self.state
128 }
129}
130
131#[derive(Debug, Clone, PartialEq, Eq)]
133pub struct McpOAuthLoginCompletion {
134 pub name: String,
135 pub success: bool,
136 pub error: Option<String>,
137}
138
139#[derive(Debug, Clone, Default)]
141pub struct McpOAuthService;
142
143impl McpOAuthService {
144 #[must_use]
145 pub fn new() -> Self {
146 Self
147 }
148
149 pub fn prepare_login(
150 &self,
151 provider_name: &str,
152 config: &McpOAuthConfig,
153 ) -> Result<McpOAuthPreparedLogin> {
154 config.validate(provider_name)?;
155 let pkce = generate_pkce_challenge()?;
156 let state = generate_state()?;
157 let auth_url = build_auth_url(config, &pkce, &state)?;
158 Ok(McpOAuthPreparedLogin {
159 auth_url,
160 callback_port: config.callback_port,
161 timeout_secs: config.flow_timeout_secs,
162 pkce,
163 state,
164 })
165 }
166
167 pub async fn complete_login(
168 &self,
169 provider_name: &str,
170 config: &McpOAuthConfig,
171 prepared: &McpOAuthPreparedLogin,
172 code: &str,
173 ) -> Result<McpOAuthLoginCompletion> {
174 config.validate(provider_name)?;
175 let token = exchange_code_for_token(config, code, &prepared.pkce).await?;
176 save_token(provider_name, &token, config.credentials_store_mode)?;
177 Ok(McpOAuthLoginCompletion {
178 name: provider_name.to_string(),
179 success: true,
180 error: None,
181 })
182 }
183
184 pub fn status(
185 &self,
186 provider_name: &str,
187 storage_mode: AuthCredentialsStoreMode,
188 ) -> Result<McpOAuthStatus> {
189 let Some(token) = load_token(provider_name, storage_mode)? else {
190 return Ok(McpOAuthStatus::NotAuthenticated);
191 };
192 let now = now_secs();
193 Ok(McpOAuthStatus::Authenticated {
194 age_seconds: now.saturating_sub(token.obtained_at),
195 expires_in: token.expires_at.map(|expires_at| expires_at.saturating_sub(now)),
196 })
197 }
198
199 pub fn load_token(
200 &self,
201 provider_name: &str,
202 storage_mode: AuthCredentialsStoreMode,
203 ) -> Result<Option<McpOAuthToken>> {
204 load_token(provider_name, storage_mode)
205 }
206
207 pub async fn resolve_access_token(
208 &self,
209 provider_name: &str,
210 config: &McpOAuthConfig,
211 ) -> Result<Option<String>> {
212 let Some(mut token) = load_token(provider_name, config.credentials_store_mode)? else {
213 return Ok(None);
214 };
215
216 if token.is_refresh_due() {
217 if token.refresh_token.is_some() {
218 token = refresh_token(config, &token).await?;
219 save_token(provider_name, &token, config.credentials_store_mode)?;
220 } else {
221 bail!(
222 "Stored MCP OAuth token for '{provider_name}' expired and cannot be refreshed. Run `vtcode mcp login {provider_name}` again."
223 );
224 }
225 }
226
227 Ok(Some(token.access_token))
228 }
229
230 pub fn logout(
231 &self,
232 provider_name: &str,
233 storage_mode: AuthCredentialsStoreMode,
234 ) -> Result<McpOAuthLoginCompletion> {
235 clear_token(provider_name, storage_mode)?;
236 Ok(McpOAuthLoginCompletion {
237 name: provider_name.to_string(),
238 success: true,
239 error: None,
240 })
241 }
242}
243
244fn build_auth_url(
245 config: &McpOAuthConfig,
246 challenge: &PkceChallenge,
247 state: &str,
248) -> Result<String> {
249 let mut url =
250 Url::parse(&config.authorization_url).context("invalid oauth.authorization_url")?;
251 {
252 let mut query = url.query_pairs_mut();
253 query.append_pair("response_type", "code");
254 query.append_pair("client_id", &config.client_id);
255 query.append_pair("redirect_uri", &config.callback_url());
256 query.append_pair("code_challenge", &challenge.code_challenge);
257 query.append_pair("code_challenge_method", &challenge.code_challenge_method);
258 query.append_pair("state", state);
259 if !config.scopes.is_empty() {
260 query.append_pair("scope", &config.scopes.join(" "));
261 }
262 if let Some(audience) = config.audience.as_deref()
263 && !audience.trim().is_empty()
264 {
265 query.append_pair("audience", audience);
266 }
267 for (key, value) in &config.extra_auth_params {
268 if !key.trim().is_empty() {
269 query.append_pair(key, value);
270 }
271 }
272 }
273 Ok(url.to_string())
274}
275
276async fn exchange_code_for_token(
277 config: &McpOAuthConfig,
278 code: &str,
279 challenge: &PkceChallenge,
280) -> Result<McpOAuthToken> {
281 let mut form = vec![
282 ("grant_type".to_string(), "authorization_code".to_string()),
283 ("client_id".to_string(), config.client_id.clone()),
284 ("code".to_string(), code.to_string()),
285 ("redirect_uri".to_string(), config.callback_url()),
286 ("code_verifier".to_string(), challenge.code_verifier.to_string()),
287 ];
288 if let Some(audience) = config.audience.as_deref()
289 && !audience.trim().is_empty()
290 {
291 form.push(("audience".to_string(), audience.to_string()));
292 }
293 form.extend(
294 config
295 .extra_token_params
296 .iter()
297 .map(|(key, value)| (key.clone(), value.clone())),
298 );
299 send_token_request(&config.token_url, &form).await
300}
301
302async fn refresh_token(config: &McpOAuthConfig, current: &McpOAuthToken) -> Result<McpOAuthToken> {
303 let refresh_token =
304 current
305 .refresh_token
306 .as_deref()
307 .filter(|value| !value.trim().is_empty())
308 .ok_or_else(|| anyhow!("Stored MCP OAuth token does not include a refresh token"))?;
309 let mut form = vec![
310 ("grant_type".to_string(), "refresh_token".to_string()),
311 ("client_id".to_string(), config.client_id.clone()),
312 ("refresh_token".to_string(), refresh_token.to_string()),
313 ];
314 if let Some(audience) = config.audience.as_deref()
315 && !audience.trim().is_empty()
316 {
317 form.push(("audience".to_string(), audience.to_string()));
318 }
319 form.extend(
320 config
321 .extra_token_params
322 .iter()
323 .map(|(key, value)| (key.clone(), value.clone())),
324 );
325
326 let refreshed = send_token_request(&config.token_url, &form).await?;
327 Ok(McpOAuthToken {
328 refresh_token: refreshed.refresh_token.or_else(|| current.refresh_token.clone()),
329 ..refreshed
330 })
331}
332
333async fn send_token_request(token_url: &str, form: &[(String, String)]) -> Result<McpOAuthToken> {
334 let response = Client::new()
335 .post(token_url)
336 .header("Content-Type", "application/x-www-form-urlencoded")
337 .form(form)
338 .send()
339 .await
340 .with_context(|| format!("failed to send MCP OAuth request to {token_url}"))?;
341 let status = response.status();
342 let body = response.text().await.context("failed to read MCP OAuth response body")?;
343
344 if !status.is_success() {
345 bail!("MCP OAuth request failed (HTTP {status}): {body}");
346 }
347
348 let payload: TokenResponse =
349 serde_json::from_str(&body).context("failed to parse MCP OAuth token response")?;
350 let now = now_secs();
351 Ok(McpOAuthToken {
352 access_token: payload.access_token,
353 refresh_token: payload.refresh_token,
354 token_type: payload.token_type,
355 scope: payload.scope,
356 obtained_at: now,
357 expires_at: payload.expires_in.map(|secs| now.saturating_add(secs)),
358 })
359}
360
361#[derive(Debug, Deserialize)]
362struct TokenResponse {
363 access_token: String,
364 #[serde(default)]
365 refresh_token: Option<String>,
366 #[serde(default)]
367 token_type: Option<String>,
368 #[serde(default)]
369 scope: Option<String>,
370 #[serde(default)]
371 expires_in: Option<u64>,
372}
373
374fn generate_state() -> Result<String> {
375 let mut state_bytes = [0_u8; 32];
376 SystemRandom::new()
377 .fill(&mut state_bytes)
378 .map_err(|_| anyhow!("failed to generate MCP OAuth state"))?;
379 Ok(URL_SAFE_NO_PAD.encode(state_bytes))
380}
381
382fn save_token(
383 provider_name: &str,
384 token: &McpOAuthToken,
385 storage_mode: AuthCredentialsStoreMode,
386) -> Result<()> {
387 let serialized = serde_json::to_string(token).context("failed to serialize MCP OAuth token")?;
388 token_storage(provider_name).store_with_mode(&serialized, storage_mode)
389}
390
391fn load_token(
392 provider_name: &str,
393 storage_mode: AuthCredentialsStoreMode,
394) -> Result<Option<McpOAuthToken>> {
395 let Some(serialized) = token_storage(provider_name).load_with_mode(storage_mode)? else {
396 return Ok(None);
397 };
398 serde_json::from_str(&serialized)
399 .context("failed to parse stored MCP OAuth token")
400 .map(Some)
401}
402
403fn clear_token(provider_name: &str, storage_mode: AuthCredentialsStoreMode) -> Result<()> {
404 token_storage(provider_name).clear_with_mode(storage_mode)
405}
406
407fn token_storage(provider_name: &str) -> CredentialStorage {
408 let normalized_provider = provider_name
409 .chars()
410 .map(|ch| {
411 if ch.is_ascii_alphanumeric() || ch == '-' || ch == '_' {
412 ch
413 } else {
414 '_'
415 }
416 })
417 .collect::<String>();
418 CredentialStorage::new("vtcode", format!("mcp_oauth_{normalized_provider}"))
419}
420
421fn now_secs() -> u64 {
422 std::time::SystemTime::now()
423 .duration_since(std::time::UNIX_EPOCH)
424 .map(|duration| duration.as_secs())
425 .unwrap_or(0)
426}
427
428#[cfg(test)]
429mod tests {
430 use super::*;
431 use assert_fs::TempDir;
432 use serial_test::serial;
433 use std::path::PathBuf;
434
435 struct TestAuthDirGuard {
436 previous: Option<PathBuf>,
437 temp_dir: Option<TempDir>,
438 }
439
440 impl TestAuthDirGuard {
441 fn new() -> Self {
442 let temp_dir = TempDir::new().expect("temp dir");
443 let previous = crate::storage_paths::auth_storage_dir_override_for_tests()
444 .expect("read previous auth dir override");
445 crate::storage_paths::set_auth_storage_dir_override_for_tests(Some(
446 temp_dir.path().to_path_buf(),
447 ))
448 .expect("set auth dir override");
449 Self { previous, temp_dir: Some(temp_dir) }
450 }
451 }
452
453 impl Drop for TestAuthDirGuard {
454 fn drop(&mut self) {
455 crate::storage_paths::set_auth_storage_dir_override_for_tests(self.previous.clone())
456 .expect("restore auth dir override");
457 if let Some(temp_dir) = self.temp_dir.take() {
458 let _ = temp_dir.close();
459 }
460 }
461 }
462
463 fn sample_config() -> McpOAuthConfig {
464 McpOAuthConfig {
465 authorization_url: "https://example.com/oauth/authorize".to_string(),
466 token_url: "https://example.com/oauth/token".to_string(),
467 client_id: "client-123".to_string(),
468 scopes: vec!["mcp:read".to_string(), "mcp:write".to_string()],
469 audience: Some("mcp-api".to_string()),
470 callback_port: 8123,
471 flow_timeout_secs: 120,
472 credentials_store_mode: AuthCredentialsStoreMode::File,
473 extra_auth_params: BTreeMap::from([("prompt".to_string(), "consent".to_string())]),
474 extra_token_params: BTreeMap::new(),
475 }
476 }
477
478 #[test]
479 fn prepare_login_builds_expected_auth_url() {
480 let service = McpOAuthService::new();
481 let prepared = service.prepare_login("demo", &sample_config()).expect("prepare login");
482
483 assert!(prepared.auth_url.contains("response_type=code"));
484 assert!(prepared.auth_url.contains("client_id=client-123"));
485 assert!(prepared.auth_url.contains("scope=mcp%3Aread+mcp%3Awrite"));
486 assert!(prepared.auth_url.contains("audience=mcp-api"));
487 assert!(prepared.auth_url.contains("prompt=consent"));
488 assert!(prepared.auth_url.contains("code_challenge="));
489 assert!(prepared.auth_url.contains("state="));
490 assert_eq!(prepared.callback_port, 8123);
491 assert_eq!(prepared.timeout_secs, 120);
492 }
493
494 #[test]
495 #[serial]
496 fn status_reflects_stored_token() {
497 let _guard = TestAuthDirGuard::new();
498 let service = McpOAuthService::new();
499 let storage_mode = AuthCredentialsStoreMode::File;
500 assert!(matches!(
501 service.status("demo", storage_mode).expect("status"),
502 McpOAuthStatus::NotAuthenticated
503 ));
504
505 save_token(
506 "demo",
507 &McpOAuthToken {
508 access_token: "access".to_string(),
509 refresh_token: Some("refresh".to_string()),
510 token_type: Some("Bearer".to_string()),
511 scope: Some("mcp:read".to_string()),
512 obtained_at: now_secs(),
513 expires_at: Some(now_secs() + 3600),
514 },
515 storage_mode,
516 )
517 .expect("save token");
518
519 let status = service.status("demo", storage_mode).expect("status");
520 assert!(matches!(status, McpOAuthStatus::Authenticated { expires_in: Some(_), .. }));
521 }
522
523 #[test]
524 #[serial]
525 fn logout_clears_stored_token() {
526 let _guard = TestAuthDirGuard::new();
527 let service = McpOAuthService::new();
528 let storage_mode = AuthCredentialsStoreMode::File;
529 save_token(
530 "demo",
531 &McpOAuthToken {
532 access_token: "access".to_string(),
533 refresh_token: None,
534 token_type: Some("Bearer".to_string()),
535 scope: None,
536 obtained_at: now_secs(),
537 expires_at: None,
538 },
539 storage_mode,
540 )
541 .expect("save token");
542
543 service.logout("demo", storage_mode).expect("logout");
544 assert!(load_token("demo", storage_mode).expect("load").is_none());
545 }
546}