o iG@sddlZddlZddlmZddlmZddlmZmZm Z ddl m Z ddl m Z mZmZddlmZmZGdd d e ZGd d d eZGd d d ZdS)N)Any) AnyHttpUrl)AuthCredentialsAuthenticationBackend SimpleUser)HTTPConnection)ReceiveScopeSend) AccessToken TokenVerifiercs&eZdZdZdeffdd ZZS)AuthenticatedUserzUser with authentication info. auth_infocs t|j||_|j|_dSN)super__init__Z client_idZ access_tokenscopes)selfr __class__]/home/app/Keep/.python/lib/python3.10/site-packages/mcp/server/auth/middleware/bearer_auth.pyrs zAuthenticatedUser.__init__)__name__ __module__ __qualname____doc__r r __classcell__rrrrr sr c@s,eZdZdZdefddZdefddZdS) BearerAuthBackendzT Authentication backend that validates Bearer tokens using a TokenVerifier. token_verifiercCs ||_dSr)r)rrrrrrs zBearerAuthBackend.__init__conncstfddjDd}|r|dsdS|dd}|j|IdH}|s,dS|jr:|jttkr:dSt |j t |fS)Nc3s(|]}|dkrj|VqdS) authorizationN)lowerheadersget).0keyrrr s&z1BearerAuthBackend.authenticate..zbearer ) nextr"r! startswithrZ verify_tokenZ expires_atinttimerrr )rr auth_headertokenrrr&r authenticates zBearerAuthBackend.authenticateN)rrrrr rrr/rrrrrsrc @sjeZdZdZ ddedeededBfddZde d e d e d dfd d Z d e de deded df ddZdS)RequireAuthMiddlewarez Middleware that requires a valid Bearer token in the Authorization header. This will validate the token with the auth provider and store the resulting auth info in the request state. Napprequired_scopesresource_metadata_urlcCs||_||_||_dS)a  Initialize the middleware. Args: app: ASGI application required_scopes: List of scopes that the token must have resource_metadata_url: Optional protected resource metadata URL for WWW-Authenticate header N)r1r2r3)rr1r2r3rrrr<s zRequireAuthMiddleware.__init__scopereceivesendreturncs|d}t|ts|j|ddddIdHdS|d}|jD]}|dus,||jvr>|j|ddd |dIdHdSq!||||IdHdS) NuseriZ invalid_tokenzAuthentication required) status_codeerror descriptionauthiZinsufficient_scopezRequired scope: )r# isinstancer _send_auth_errorr2rr1)rr4r5r6Z auth_userZauth_credentialsZrequired_scoperrr__call__Ns       zRequireAuthMiddleware.__call__r9r:r;c sd|dd|dg}|jr|d|jddd|}||d}t|}|d|d d tt|fd |fgd Id H|d|dId Hd S)zCSend an authentication error response with WWW-Authenticate header.zerror=""zerror_description="zresource_metadata="zBearer z, )r:Zerror_descriptionzhttp.response.start)s content-typesapplication/jsonscontent-lengthswww-authenticate)typestatusr"Nzhttp.response.body)rAbody)r3appendjoinjsondumpsencodestrlen) rr6r9r:r;Zwww_auth_partsZwww_authenticaterCZ body_bytesrrrr>bs*    z&RequireAuthMiddleware._send_auth_errorr)rrrrrlistrIrrr rr r?r+r>rrrrr04s  "r0)rFr,typingrZpydanticrZstarlette.authenticationrrrZstarlette.requestsrZstarlette.typesrr r Zmcp.server.auth.providerr r r rr0rrrrs