o i#@sddlmZmZddlmZddlmZddlmZddl m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddl m!Z!ddl"m#Z#m$Z$ddl%m&Z&ddl'm(Z(defddZ)dZ*dZ+dZ,dZ-dee geeeBfde.e/defddZ0 d4d!e!eeefd"ed#ed Bd$e#d Bd%e$d Bde.ef d&d'Z1d"ed#ed Bd$e#d%e$de(f d(d)Z2d*edefd+d,Z3 d4d-ed.e.ed/e.e/d Bd0e/d Bd1ed Bde.ef d2d3Z4d S)5) AwaitableCallable)Any)urlparse) AnyHttpUrl)CORSMiddleware)Request)Response)Routerequest_response)ASGIApp)AuthorizationHandler)MetadataHandler)RegistrationHandler)RevocationHandler) TokenHandler)ClientAuthenticator) OAuthAuthorizationServerProvider)ClientRegistrationOptionsRevocationOptions)MCP_PROTOCOL_VERSION_HEADER) OAuthMetadataurlcCsR|jdkr|jdkr|jdur|jdstd|jr td|jr'tddS)z Validate that the issuer URL meets OAuth 2.0 requirements. Args: url: The issuer URL to validate Raises: ValueError: If the issuer URL is invalid https localhostNz 127.0.0.1zIssuer URL must be HTTPSz#Issuer URL must not have a fragmentz'Issuer URL must not have a query string)schemehost startswith ValueErrorfragmentquery)rr!M/home/app/Keep/.python/lib/python3.10/site-packages/mcp/server/auth/routes.pyvalidate_issuer_urls r#z /authorizez/tokenz /registerz/revokehandler allow_methodsreturncCstt|d|tgd}|S)N*)appZ allow_originsr%Z allow_headers)rr r)r$r%Zcors_appr!r!r"cors_middleware8sr)Nprovider issuer_urlservice_documentation_urlclient_registration_optionsrevocation_optionsc Cst||pt}|p t}t||||}t|}tdtt|jddgddgdtt t |jddgdtt tt ||jddgddgdg}|j rbt||d}|ttt|jddgddgd|j r|t||} |ttt| jddgddgd|S)Nz'/.well-known/oauth-authorization-serverGETOPTIONSZendpointmethodsPOST)options)r#rrbuild_metadatarr r)rhandleAUTHORIZATION_PATHr TOKEN_PATHrenabledrappendREGISTRATION_PATHrREVOCATION_PATH) r*r+r,r-r.metadataZclient_authenticatorZroutesZregistration_handlerZrevocation_handlerr!r!r"create_auth_routesEsx     r>cCstt|dt}tt|dt}t||||jdgdddgddgd|dddddgd}|jr?tt|dt|_ |jrStt|dt |_ ddg|_ |S) N/codeZauthorization_codeZ refresh_tokenZclient_secret_postZclient_secret_basicZS256)ZissuerZauthorization_endpointZtoken_endpointscopes_supportedZresponse_types_supportedZresponse_modes_supportedZgrant_types_supportedZ%token_endpoint_auth_methods_supportedZ0token_endpoint_auth_signing_alg_values_supportedZservice_documentationZui_locales_supportedZ op_policy_uriZ op_tos_uriZintrospection_endpointZ code_challenge_methods_supported) rstrrstripr7r8rZ valid_scopesr9r;Zregistration_endpointr<Zrevocation_endpointZ*revocation_endpoint_auth_methods_supported)r+r,r-r.Zauthorization_urlZ token_urlr=r!r!r"r5s2 r5resource_server_urlcCs<tt|}|jdkr|jnd}t|jd|jd|S)u Build RFC 9728 compliant protected resource metadata URL. Inserts /.well-known/oauth-protected-resource between host and resource path as specified in RFC 9728 §3.1. Args: resource_server_url: The resource server URL (e.g., https://example.com/mcp) Returns: The metadata URL (e.g., https://example.com/.well-known/oauth-protected-resource/mcp) r?z://z%/.well-known/oauth-protected-resource)rrBpathrrnetloc)rDparsed resource_pathr!r!r"build_resource_metadata_urls rJ resource_urlauthorization_serversrA resource_nameresource_documentationc Cslddlm}ddlm}||||||d}||}t|} tt| } | j} t| t |j ddgddgdgS)a} Create routes for OAuth 2.0 Protected Resource Metadata (RFC 9728). Args: resource_url: The URL of this resource server authorization_servers: List of authorization servers that can issue tokens scopes_supported: Optional list of scopes supported by this resource Returns: List of Starlette routes for protected resource metadata r) ProtectedResourceMetadataHandler)ProtectedResourceMetadata)resourcerLrArMrNr/r0r1) !mcp.server.auth.handlers.metadatarOmcp.shared.authrPrJrrBrFr r)r6) rKrLrArMrNrOrPr=r$Z metadata_urlrHZwell_known_pathr!r!r" create_protected_resource_routess&    rT)NNN)5collections.abcrrtypingr urllib.parserZpydanticrZstarlette.middleware.corsrZstarlette.requestsrZstarlette.responsesr Zstarlette.routingr r Zstarlette.typesr Z"mcp.server.auth.handlers.authorizer rRrZ!mcp.server.auth.handlers.registerrZmcp.server.auth.handlers.revokerZmcp.server.auth.handlers.tokenrZ&mcp.server.auth.middleware.client_authrZmcp.server.auth.providerrZmcp.server.auth.settingsrrZmcp.server.streamable_httprrSrr#r7r8r;r<listrBr)r>r5rJrTr!r!r!r"s                   Q (