/**
* postgres-mcp - OAuth Resource Server
*
* RFC 9728 Protected Resource Metadata implementation.
*/
import type {
ResourceServerConfig,
ProtectedResourceMetadata,
} from "./types.js";
/**
* OAuth 2.0 Resource Server (RFC 9728)
*/
export class OAuthResourceServer {
private readonly config: ResourceServerConfig;
constructor(config: ResourceServerConfig) {
this.config = {
...config,
bearerMethodsSupported: config.bearerMethodsSupported ?? ["header"],
};
}
/**
* Get protected resource metadata (RFC 9728)
*/
getMetadata(): ProtectedResourceMetadata {
const metadata: ProtectedResourceMetadata = {
resource: this.config.resource,
authorization_servers: this.config.authorizationServers,
scopes_supported: this.config.scopesSupported,
resource_documentation: `${this.config.resource}/docs`,
resource_signing_alg_values_supported: ["RS256", "ES256"],
};
if (this.config.bearerMethodsSupported) {
metadata.bearer_methods_supported = this.config.bearerMethodsSupported;
}
return metadata;
}
/**
* Get the well-known endpoint path for protected resource metadata
*/
getWellKnownPath(): string {
return "/.well-known/oauth-protected-resource";
}
/**
* Verify that a scope is supported by this resource
*/
isScopeSupported(scope: string): boolean {
// Check if in explicit list
if (this.config.scopesSupported.includes(scope)) {
return true;
}
// Check for PostgreSQL-specific scope patterns
if (
scope.startsWith("db:") ||
scope.startsWith("schema:") ||
scope.startsWith("table:")
) {
return true;
}
return false;
}
/**
* Get the resource identifier
*/
getResourceId(): string {
return this.config.resource;
}
/**
* Get all supported scopes
*/
getSupportedScopes(): string[] {
return [...this.config.scopesSupported];
}
/**
* Get authorization servers
*/
getAuthorizationServers(): string[] {
return [...this.config.authorizationServers];
}
}
/**
* Create an OAuth resource server instance
*/
export function createOAuthResourceServer(
config: ResourceServerConfig,
): OAuthResourceServer {
return new OAuthResourceServer(config);
}
