import {
Injectable,
CanActivate,
ExecutionContext,
UnauthorizedException,
Inject,
Optional,
} from '@nestjs/common';
import { ModuleRef } from '@nestjs/core';
import { Request } from 'express';
import { JwtPayload, JwtTokenService } from '../services/jwt-token.service';
import type { IOAuthStore } from '../stores/oauth-store.interface';
import type { McpOptions } from '../../mcp';
export interface AuthenticatedRequest extends Request {
user: JwtPayload;
}
@Injectable()
export class McpAuthJwtGuard implements CanActivate {
constructor(
@Optional() private readonly jwtTokenService: JwtTokenService | null,
@Optional()
@Inject('IOAuthStore')
private readonly store: IOAuthStore | null,
private readonly moduleRef: ModuleRef,
@Optional()
@Inject('MCP_OPTIONS')
private readonly options?: McpOptions,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
const token = this.extractTokenFromHeader(request);
// Check if unauthenticated access is allowed
const allowUnauthenticated =
this.options?.allowUnauthenticatedAccess ?? false;
if (!token) {
if (allowUnauthenticated) {
// Allow unauthenticated sessions
// Per-tool authorization will decide what's accessible (@PublicTool() tools only)
return true;
} else {
// Standard OAuth flow: Reject and trigger authorization
throw new UnauthorizedException('Access token required');
}
}
// Resolve services dynamically if not injected directly
const jwtTokenService =
this.jwtTokenService ||
this.moduleRef.get(JwtTokenService, { strict: false });
const store =
this.store ||
this.moduleRef.get<IOAuthStore>('IOAuthStore', { strict: false });
if (!jwtTokenService || !store) {
throw new UnauthorizedException('Authentication service not available');
}
// If a token is provided, it must be valid
const payload = jwtTokenService.validateToken(token);
if (!payload) {
throw new UnauthorizedException('Invalid or expired access token');
}
// Enrich request.user with friendly fields for tools
const enriched: any = { ...payload };
try {
if (!enriched.user_data && enriched.user_profile_id) {
const profile = await store.getUserProfileById(
enriched.user_profile_id,
);
if (profile) {
enriched.user_data = profile;
}
}
const ud = enriched.user_data || {};
// Provide convenient top-level fields commonly used by tools
enriched.username =
enriched.username || ud.username || ud.id || enriched.sub;
enriched.email = enriched.email || ud.email;
enriched.displayName = enriched.displayName || ud.displayName;
enriched.avatarUrl = enriched.avatarUrl || ud.avatarUrl;
enriched.name =
enriched.name ||
ud.displayName ||
ud.username ||
ud.email ||
enriched.sub;
// Parse scopes: OAuth 2.0 standard is space-delimited string in 'scope' field
if (enriched.scope && typeof enriched.scope === 'string') {
enriched.scopes = enriched.scope
.split(' ')
.filter((s: string) => s.length > 0);
} else if (!enriched.scopes) {
enriched.scopes = [];
}
// Extract roles from user_data if present
if (!enriched.roles && ud.roles && Array.isArray(ud.roles)) {
enriched.roles = ud.roles;
} else if (!enriched.roles) {
enriched.roles = [];
}
} catch {
// Non-fatal; proceed with raw payload
}
request.user = enriched as JwtPayload;
return true;
}
private extractTokenFromHeader(request: Request): string | undefined {
const authHeader = request.headers.authorization;
if (!authHeader) {
return undefined;
}
const [type, token] = authHeader.split(' ');
return type === 'Bearer' ? token : undefined;
}
}
