Yargı MCP

""" ASGI application for Yargı MCP Server This module provides ASGI/HTTP access to the Yargı MCP server, allowing it to be deployed as a web service with FastAPI wrapper for OAuth integration and proper middleware support. Usage: uvicorn asgi_app:app --host 0.0.0.0 --port 8000 """ import os import time import logging import json from datetime import datetime, timedelta from fastapi import FastAPI, Request, HTTPException, Query from fastapi.responses import JSONResponse, HTMLResponse, Response from fastapi.exception_handlers import http_exception_handler from starlette.middleware import Middleware from starlette.middleware.cors import CORSMiddleware from starlette.middleware.base import BaseHTTPMiddleware # Import the proper create_app function that includes all middleware from mcp_server_main import create_app # Import Stripe webhook router from stripe_webhook import router as stripe_router # Import simplified MCP Auth HTTP adapter from mcp_auth_http_simple import router as mcp_auth_router # OAuth configuration from environment variables CLERK_ISSUER = os.getenv("CLERK_ISSUER", "https://clerk.yargimcp.com") BASE_URL = os.getenv("BASE_URL", "https://api.yargimcp.com") CLERK_SECRET_KEY = os.getenv("CLERK_SECRET_KEY") CLERK_PUBLISHABLE_KEY = os.getenv("CLERK_PUBLISHABLE_KEY") # Setup logging logger = logging.getLogger(__name__) # Configure CORS and Auth middleware cors_origins = os.getenv("ALLOWED_ORIGINS", "*").split(",") # Import FastMCP Bearer Auth Provider from fastmcp.server.auth import BearerAuthProvider from fastmcp.server.auth.providers.bearer import RSAKeyPair # Import Clerk SDK at module level for performance try: from clerk_backend_api import Clerk CLERK_SDK_AVAILABLE = True except ImportError: CLERK_SDK_AVAILABLE = False logger.warning("Clerk SDK not available - falling back to development mode") # Configure Bearer token authentication based on ENABLE_AUTH auth_enabled = os.getenv("ENABLE_AUTH", "false").lower() == "true" bearer_auth = None if CLERK_SECRET_KEY and CLERK_ISSUER: # Production: Use Clerk JWKS endpoint for token validation bearer_auth = BearerAuthProvider( jwks_uri=f"{CLERK_ISSUER}/.well-known/jwks.json", issuer=None, # Disable issuer validation - Clerk uses different issuer format algorithm="RS256", audience=None, # Disable audience validation - Clerk uses different audience format required_scopes=[] # Disable scope validation - Clerk JWT has ['read', 'search'] ) logger.info(f"Bearer auth configured with Clerk JWKS: {CLERK_ISSUER}/.well-known/jwks.json") else: # Development: Generate RSA key pair for testing logger.warning("No Clerk credentials found - using development RSA key pair") dev_key_pair = RSAKeyPair.generate() bearer_auth = BearerAuthProvider( public_key=dev_key_pair.public_key, issuer="https://dev.yargimcp.com", audience="dev-mcp-server", required_scopes=["yargi.read"] ) # Generate a test token for development dev_token = dev_key_pair.create_token( subject="dev-user", issuer="https://dev.yargimcp.com", audience="dev-mcp-server", scopes=["yargi.read", "yargi.search"], expires_in_seconds=3600 * 24 # 24 hours for development ) logger.info(f"Development Bearer token: {dev_token}") # Create MCP app with Bearer authentication mcp_server = create_app(auth=bearer_auth if auth_enabled else None) # Create MCP Starlette sub-application with root path - mount will add /mcp prefix mcp_app = mcp_server.http_app(path="/") logger.info(f"MCP Starlette app created - type: {type(mcp_app)}, has routes: {hasattr(mcp_app, 'routes')}") # Debug FastMCP routes if hasattr(mcp_app, 'routes'): logger.info(f"MCP app route count: {len(mcp_app.routes)}") for i, route in enumerate(mcp_app.routes): logger.info(f"Route {i}: {route.path if hasattr(route, 'path') else 'unknown'} - {type(route)}") else: logger.warning("MCP app has no routes attribute") # Configure JSON encoder for proper Turkish character support class UTF8JSONResponse(JSONResponse): def __init__(self, content=None, status_code=200, headers=None, **kwargs): if headers is None: headers = {} headers["Content-Type"] = "application/json; charset=utf-8" super().__init__(content, status_code, headers, **kwargs) def render(self, content) -> bytes: return json.dumps( content, ensure_ascii=False, allow_nan=False, indent=None, separators=(",", ":"), ).encode("utf-8") custom_middleware = [ Middleware( CORSMiddleware, allow_origins=cors_origins, allow_credentials=True, allow_methods=["GET", "POST", "OPTIONS", "DELETE"], allow_headers=["Content-Type", "Authorization", "X-Request-ID", "X-Session-ID"], ), ] # Create FastAPI wrapper application app = FastAPI( title="Yargı MCP Server", description="MCP server for Turkish legal databases with OAuth authentication", version="0.1.0", middleware=custom_middleware, default_response_class=UTF8JSONResponse, # Use UTF-8 JSON encoder redirect_slashes=False # Disable to prevent 307 redirects on /mcp endpoint ) # Add Stripe webhook router to FastAPI app.include_router(stripe_router, prefix="/api/stripe") # Add MCP Auth HTTP adapter to FastAPI (handles OAuth endpoints) app.include_router(mcp_auth_router) # Custom 401 exception handler for MCP spec compliance @app.exception_handler(401) async def custom_401_handler(request: Request, exc: HTTPException): """Custom 401 handler that adds WWW-Authenticate header as required by MCP spec""" response = await http_exception_handler(request, exc) # Add WWW-Authenticate header pointing to protected resource metadata # as required by RFC 9728 Section 5.1 and MCP Authorization spec response.headers["WWW-Authenticate"] = ( 'Bearer ' 'error="invalid_token", ' 'error_description="The access token is missing or invalid", ' f'resource="{BASE_URL}/.well-known/oauth-protected-resource"' ) return response # FastAPI health check endpoint - BEFORE mounting MCP app @app.get("/health") async def health_check(): """Health check endpoint for monitoring""" return { "status": "healthy", "service": "Yargı MCP Server", "version": "0.1.0", "tools_count": len(mcp_server._tool_manager._tools), "auth_enabled": os.getenv("ENABLE_AUTH", "false").lower() == "true" } # Add explicit redirect for /mcp to /mcp/ with method preservation @app.api_route("/mcp", methods=["GET", "POST", "HEAD", "OPTIONS"]) async def redirect_to_slash(request: Request): """Redirect /mcp to /mcp/ preserving HTTP method with 308""" from fastapi.responses import RedirectResponse return RedirectResponse(url="/mcp/", status_code=308) # MCP mount at /mcp handles path routing correctly # IMPORTANT: Add FastAPI endpoints BEFORE mounting MCP app # Otherwise mount at root will catch all requests # Debug endpoint to test routing @app.get("/debug/test") async def debug_test(): """Debug endpoint to test if FastAPI routes work""" return {"message": "FastAPI routes working", "debug": True} # Clerk CORS proxy endpoints @app.api_route("/clerk-proxy/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"]) async def clerk_cors_proxy(request: Request, path: str): """ Proxy requests to Clerk to bypass CORS restrictions. Forwards requests from Claude AI to clerk.yargimcp.com with proper CORS headers. """ import httpx # Build target URL clerk_url = f"https://clerk.yargimcp.com/{path}" # Forward query parameters if request.url.query: clerk_url += f"?{request.url.query}" # Copy headers (exclude host/origin) headers = dict(request.headers) headers.pop('host', None) headers.pop('origin', None) headers['origin'] = 'https://yargimcp.com' # Use our frontend domain try: async with httpx.AsyncClient() as client: # Forward the request to Clerk if request.method == "OPTIONS": # Handle preflight response = await client.request( method=request.method, url=clerk_url, headers=headers ) else: # Forward body for POST/PUT requests body = None if request.method in ["POST", "PUT", "PATCH"]: body = await request.body() response = await client.request( method=request.method, url=clerk_url, headers=headers, content=body ) # Create response with CORS headers response_headers = dict(response.headers) response_headers.update({ "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS", "Access-Control-Allow-Headers": "Content-Type, Authorization, Accept, Origin, X-Requested-With", "Access-Control-Allow-Credentials": "true", "Access-Control-Max-Age": "86400" }) return Response( content=response.content, status_code=response.status_code, headers=response_headers, media_type=response.headers.get("content-type") ) except Exception as e: logger.error(f"Clerk proxy error: {e}") return JSONResponse( {"error": "proxy_error", "message": str(e)}, status_code=500, headers={"Access-Control-Allow-Origin": "*"} ) # FastAPI root endpoint @app.get("/") async def root(): """Root endpoint with service information""" return { "service": "Yargı MCP Server", "description": "MCP server for Turkish legal databases with OAuth authentication", "endpoints": { "mcp": "/mcp", "health": "/health", "status": "/status", "stripe_webhook": "/api/stripe/webhook", "oauth_login": "/auth/login", "oauth_callback": "/auth/callback", "oauth_google": "/auth/google/login", "user_info": "/auth/user" }, "transports": { "http": "/mcp" }, "supported_databases": [ "Yargıtay (Court of Cassation)", "Danıştay (Council of State)", "Emsal (Precedent)", "Uyuşmazlık Mahkemesi (Court of Jurisdictional Disputes)", "Anayasa Mahkemesi (Constitutional Court)", "Kamu İhale Kurulu (Public Procurement Authority)", "Rekabet Kurumu (Competition Authority)", "Sayıştay (Court of Accounts)", "KVKK (Personal Data Protection Authority)", "BDDK (Banking Regulation and Supervision Agency)", "Bedesten API (Multiple courts)" ], "authentication": { "enabled": os.getenv("ENABLE_AUTH", "false").lower() == "true", "type": "OAuth 2.0 via Clerk", "issuer": CLERK_ISSUER, "providers": ["google"], "flow": "authorization_code" } } # OAuth 2.0 Authorization Server Metadata - MCP standard location @app.get("/.well-known/oauth-authorization-server") async def oauth_authorization_server_root(): """OAuth 2.0 Authorization Server Metadata - root level for compatibility""" return { "issuer": BASE_URL, # Use BASE_URL as issuer for MCP integration "authorization_endpoint": f"{BASE_URL}/auth/login", "token_endpoint": f"{BASE_URL}/token", "jwks_uri": f"{CLERK_ISSUER}/.well-known/jwks.json", "response_types_supported": ["code"], "grant_types_supported": ["authorization_code", "refresh_token"], "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"], "scopes_supported": ["read", "search", "openid", "profile", "email"], "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["RS256"], "claims_supported": ["sub", "iss", "aud", "exp", "iat", "email", "name"], "code_challenge_methods_supported": ["S256"], "service_documentation": f"{BASE_URL}/mcp", "registration_endpoint": f"{BASE_URL}/register", "resource_documentation": f"{BASE_URL}/mcp" } # Claude AI MCP specific endpoint format - suffix versions @app.get("/.well-known/oauth-authorization-server/mcp") async def oauth_authorization_server_mcp_suffix(): """OAuth 2.0 Authorization Server Metadata - Claude AI MCP specific format""" return { "issuer": BASE_URL, # Use BASE_URL as issuer for MCP integration "authorization_endpoint": f"{BASE_URL}/auth/login", "token_endpoint": f"{BASE_URL}/token", "jwks_uri": f"{CLERK_ISSUER}/.well-known/jwks.json", "response_types_supported": ["code"], "grant_types_supported": ["authorization_code", "refresh_token"], "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"], "scopes_supported": ["read", "search", "openid", "profile", "email"], "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["RS256"], "claims_supported": ["sub", "iss", "aud", "exp", "iat", "email", "name"], "code_challenge_methods_supported": ["S256"], "service_documentation": f"{BASE_URL}/mcp", "registration_endpoint": f"{BASE_URL}/register", "resource_documentation": f"{BASE_URL}/mcp" } @app.get("/.well-known/oauth-protected-resource/mcp") async def oauth_protected_resource_mcp_suffix(): """OAuth 2.0 Protected Resource Metadata - Claude AI MCP specific format""" return { "resource": BASE_URL, "authorization_servers": [ BASE_URL ], "scopes_supported": ["read", "search"], "bearer_methods_supported": ["header"], "resource_documentation": f"{BASE_URL}/mcp", "resource_policy_uri": f"{BASE_URL}/privacy" } # OAuth 2.0 Protected Resource Metadata (RFC 9728) - MCP Spec Required @app.get("/.well-known/oauth-protected-resource") async def oauth_protected_resource(): """OAuth 2.0 Protected Resource Metadata as required by MCP spec""" return { "resource": BASE_URL, "authorization_servers": [ BASE_URL ], "scopes_supported": ["read", "search"], "bearer_methods_supported": ["header"], "resource_documentation": f"{BASE_URL}/mcp", "resource_policy_uri": f"{BASE_URL}/privacy" } # Standard well-known discovery endpoint @app.get("/.well-known/mcp") async def well_known_mcp(): """Standard MCP discovery endpoint""" return { "mcp_server": { "name": "Yargı MCP Server", "version": "0.1.0", "endpoint": f"{BASE_URL}/mcp", "authentication": { "type": "oauth2", "authorization_url": f"{BASE_URL}/auth/login", "scopes": ["read", "search"] }, "capabilities": ["tools", "resources"], "tools_count": len(mcp_server._tool_manager._tools) } } # MCP Discovery endpoint for ChatGPT integration @app.get("/mcp/discovery") async def mcp_discovery(): """MCP Discovery endpoint for ChatGPT and other MCP clients""" return { "name": "Yargı MCP Server", "description": "MCP server for Turkish legal databases", "version": "0.1.0", "protocol": "mcp", "transport": "http", "endpoint": "/mcp", "authentication": { "type": "oauth2", "authorization_url": "/auth/login", "token_url": "/token", "scopes": ["read", "search"], "provider": "clerk" }, "capabilities": { "tools": True, "resources": True, "prompts": False }, "tools_count": len(mcp_server._tool_manager._tools), "contact": { "url": BASE_URL, "email": "support@yargi-mcp.dev" } } # FastAPI status endpoint @app.get("/status") async def status(): """Status endpoint with detailed information""" tools = [] for tool in mcp_server._tool_manager._tools.values(): tools.append({ "name": tool.name, "description": tool.description[:100] + "..." if len(tool.description) > 100 else tool.description }) return { "status": "operational", "tools": tools, "total_tools": len(tools), "transport": "streamable_http", "architecture": "FastAPI wrapper + MCP Starlette sub-app", "auth_status": "enabled" if os.getenv("ENABLE_AUTH", "false").lower() == "true" else "disabled" } # Simplified OAuth session validation for callback endpoints only async def validate_clerk_session_for_oauth(request: Request, clerk_token: str = None) -> str: """Validate Clerk session for OAuth callback endpoints only (not for MCP endpoints)""" logger.info(f"OAuth callback session validation - token provided: {bool(clerk_token)}") try: # Use Clerk SDK if available if not CLERK_SDK_AVAILABLE: raise ImportError("Clerk SDK not available") clerk = Clerk(bearer_auth=CLERK_SECRET_KEY) # Try JWT token first (from URL parameter) if clerk_token: logger.info("Validating Clerk JWT token for OAuth callback") try: # Trust OAuth flow redirect - FastMCP handles full JWT validation for MCP endpoints logger.info("OAuth JWT token accepted for callback") return "oauth_user_from_token" except Exception as e: logger.error(f"OAuth JWT token validation failed: {str(e)}") # Fall through to cookie validation # Fallback to cookie validation logger.info("Attempting cookie-based session validation for OAuth") clerk_session = request.cookies.get("__session") if not clerk_session: logger.error("No Clerk session cookie found") raise HTTPException(status_code=401, detail="No Clerk session found") # Validate session with Clerk session = clerk.sessions.verify_session(clerk_session) logger.info(f"OAuth cookie session validation successful - user_id: {session.user_id}") return session.user_id except ImportError: # Fallback for development without Clerk SDK logger.warning("Clerk SDK not available - using development fallback for OAuth") return "dev_user_123" except Exception as e: logger.error(f"OAuth session validation failed: {str(e)}") raise HTTPException(status_code=401, detail=f"OAuth session validation failed: {str(e)}") # MCP OAuth Callback Endpoint @app.get("/auth/mcp-callback") async def mcp_oauth_callback(request: Request, clerk_token: str = Query(None)): """Handle OAuth callback for MCP token generation""" logger.info(f"MCP OAuth callback - clerk_token provided: {bool(clerk_token)}") try: # Validate Clerk session with JWT token support user_id = await validate_clerk_session_for_oauth(request, clerk_token) logger.info(f"User authenticated successfully - user_id: {user_id}") # Use the Clerk JWT token directly (no need to generate custom token) logger.info("User authenticated successfully via Clerk") # Return success response return HTMLResponse(f""" <html> <head> <title>MCP Connection Successful</title> <style> body {{ font-family: Arial, sans-serif; text-align: center; padding: 50px; }} .success {{ color: #28a745; }} .token {{ background: #f8f9fa; padding: 15px; border-radius: 5px; margin: 20px 0; word-break: break-all; }} </style> </head> <body> <h1 class="success">✅ MCP Connection Successful!</h1> <p>Your Yargı MCP integration is now active.</p> <div class="token"> <strong>Authentication:</strong><br> <code>Use your Clerk JWT token directly with Bearer authentication</code> </div> <p>You can now close this window and return to your MCP client.</p> <script> // Try to close the popup if opened as such if (window.opener) {{ window.opener.postMessage({{ type: 'MCP_AUTH_SUCCESS', token: 'use_clerk_jwt_token' }}, '*'); setTimeout(() => window.close(), 3000); }} </script> </body> </html> """) except HTTPException as e: logger.error(f"MCP OAuth callback failed: {e.detail}") return HTMLResponse(f""" <html> <head> <title>MCP Connection Failed</title> <style> body {{ font-family: Arial, sans-serif; text-align: center; padding: 50px; }} .error {{ color: #dc3545; }} .debug {{ background: #f8f9fa; padding: 10px; margin: 20px 0; border-radius: 5px; font-family: monospace; }} </style> </head> <body> <h1 class="error">❌ MCP Connection Failed</h1> <p>{e.detail}</p> <div class="debug"> <strong>Debug Info:</strong><br> Clerk Token: {'✅ Provided' if clerk_token else '❌ Missing'}<br> Error: {e.detail}<br> Status: {e.status_code} </div> <p>Please try again or contact support.</p> <a href="https://yargimcp.com/sign-in">Return to Sign In</a> </body> </html> """, status_code=e.status_code) except Exception as e: logger.error(f"Unexpected error in MCP OAuth callback: {str(e)}") return HTMLResponse(f""" <html> <head> <title>MCP Connection Error</title> <style> body {{ font-family: Arial, sans-serif; text-align: center; padding: 50px; }} .error {{ color: #dc3545; }} </style> </head> <body> <h1 class="error">❌ Unexpected Error</h1> <p>An unexpected error occurred during authentication.</p> <p>Error: {str(e)}</p> <a href="https://yargimcp.com/sign-in">Return to Sign In</a> </body> </html> """, status_code=500) # OAuth2 Token Endpoint - Now uses Clerk JWT tokens directly @app.post("/auth/mcp-token") async def mcp_token_endpoint(request: Request): """OAuth2 token endpoint for MCP clients - returns Clerk JWT token info""" try: # Validate Clerk session user_id = await validate_clerk_session_for_oauth(request) return { "message": "Use your Clerk JWT token directly with Bearer authentication", "token_type": "Bearer", "scope": "yargi.read", "user_id": user_id, "instructions": "Include 'Authorization: Bearer YOUR_CLERK_JWT_TOKEN' in your requests" } except HTTPException as e: return JSONResponse( status_code=e.status_code, content={"error": "invalid_request", "error_description": e.detail} ) # Mount MCP app at /mcp/ with trailing slash app.mount("/mcp/", mcp_app) # Set the lifespan context after mounting app.router.lifespan_context = mcp_app.lifespan logger.info("MCP app mounted successfully at /mcp/") # Export for uvicorn __all__ = ["app"]