refactor(auth): replace AUTH_MODE with ENABLE_AUTH for streamlined authentication logic

Author: nickytonline

src/auth/index.ts

@@ -4,45 +4,29 @@ import { getConfig } from "../config.ts";
 import { logger } from "../logger.ts";
 
 /**
- * Initialize authentication based on AUTH_MODE
+ * Initialize authentication based on ENABLE_AUTH
  */
 export function initializeAuth() {
   const config = getConfig();
 
-  if (config.AUTH_MODE === "none") {
+  if (!config.ENABLE_AUTH) {
     logger.info("Authentication is disabled");
     return { tokenValidator: null };
   }
 
-  if (config.AUTH_MODE === "resource_server") {
-    logger.info("Initializing OAuth resource server mode");
-    
-    // Resource server mode: only validate tokens from external OAuth provider
-    const tokenValidator = new OAuthTokenValidator(
-      config.OAUTH_ISSUER!,
-      config.OAUTH_AUDIENCE
-    );
-    
-    return { tokenValidator };
-  }
-
-  if (config.AUTH_MODE === "full") {
-    logger.info("Initializing OAuth full mode with external IdP delegation", {
-      issuer: config.OAUTH_ISSUER,
-      audience: config.OAUTH_AUDIENCE,
-      clientId: config.OAUTH_CLIENT_ID
-    });
-    
-    // Full mode: OAuth client that delegates to external IdP + resource server capabilities
-    // For MCP API token validation, we need to validate OUR tokens, not external IdP tokens
-    // The tokens we issue to MCP clients are from our OAuthProvider, not the external IdP
-    
-    // We'll create a custom validator that validates our own issued tokens
-    // This needs to be handled differently - we'll return null and handle it in the middleware
-    return { tokenValidator: null };
-  }
-
-  throw new Error(`Unknown AUTH_MODE: ${config.AUTH_MODE}`);
+  logger.info("Initializing OAuth 2.1 authentication with token validation", {
+    issuer: config.OAUTH_ISSUER,
+    audience: config.OAUTH_AUDIENCE,
+    clientId: config.OAUTH_CLIENT_ID
+  });
+  
+  // Create token validator for OAuth 2.1 token validation
+  const tokenValidator = new OAuthTokenValidator(
+    config.OAUTH_ISSUER!,
+    config.OAUTH_AUDIENCE
+  );
+  
+  return { tokenValidator };
 }
 
 /**
@@ -55,6 +39,5 @@ export function createAuthenticationMiddleware() {
     return (_req: any, _res: any, next: any) => next();
   }
 
-  // For full and resource_server modes, use token validator
   return createAuthMiddleware(tokenValidator);
 }

src/config.ts

@@ -10,9 +10,13 @@ const configSchema = z.object({
   LOG_LEVEL: z.enum(["error", "warn", "info", "debug"]).default("info"),
 
   BASE_URL: z.string().optional(),
-  AUTH_MODE: z.enum(["none", "full", "resource_server"]).default("none"),
+  ENABLE_AUTH: z
+    .string()
+    .optional()
+    .default("false")
+    .transform((val) => val === "true"),
 
-  // OAuth configuration for external IdP integration
+  // OAuth configuration - required when ENABLE_AUTH=true
   OAUTH_ISSUER: z.string().optional(),
   OAUTH_CLIENT_ID: z.string().optional(),
   OAUTH_CLIENT_SECRET: z.string().optional(),
@@ -36,55 +40,43 @@ export function getConfig(): Config {
         parsed.BASE_URL = `http://localhost:${parsed.PORT}`;
       }
 
-      // Full mode validation - OAuth Authorization Server with external IdP
-      if (parsed.AUTH_MODE === "full") {
+      // Log authentication status for clarity
+      console.log(`🔐 Authentication: ${parsed.ENABLE_AUTH ? 'ENABLED' : 'DISABLED'}`);
+
+      // OAuth validation when authentication is enabled
+      if (parsed.ENABLE_AUTH) {
         const requiredVars = [];
         if (!parsed.OAUTH_ISSUER) requiredVars.push("OAUTH_ISSUER");
         if (!parsed.OAUTH_CLIENT_ID) requiredVars.push("OAUTH_CLIENT_ID");
         if (!parsed.OAUTH_CLIENT_SECRET)
           requiredVars.push("OAUTH_CLIENT_SECRET");
 
-        // Provide default for OAUTH_REDIRECT_URI if not set
-        if (!parsed.OAUTH_REDIRECT_URI) {
-          const callbackUrl = new URL("/callback", parsed.BASE_URL);
-          parsed.OAUTH_REDIRECT_URI = callbackUrl.toString();
-          console.log(
-            `⚠️  OAUTH_REDIRECT_URI not set, using default: ${parsed.OAUTH_REDIRECT_URI}`,
-          );
-        }
-
         if (requiredVars.length > 0) {
           throw new Error(
-            `AUTH_MODE=full requires OAuth configuration. Missing: ${requiredVars.join(", ")}\n` +
+            `ENABLE_AUTH=true requires OAuth configuration. Missing: ${requiredVars.join(", ")}\n` +
               "Example configuration:\n" +
+              "ENABLE_AUTH=true\n" +
               "OAUTH_ISSUER=https://your-domain.auth0.com\n" +
               "OAUTH_CLIENT_ID=your-client-id\n" +
               "OAUTH_CLIENT_SECRET=your-client-secret\n" +
-              "OAUTH_REDIRECT_URI=http://localhost:3000/callback  # Optional, defaults to BASE_URL/callback or http://localhost:PORT/callback\n" +
-              "OAUTH_AUDIENCE=your-api-identifier  # Optional but recommended",
+              "OAUTH_AUDIENCE=your-api-identifier  # Optional but recommended for production",
           );
         }
 
-        // OAUTH_AUDIENCE is optional but recommended when a resource server is used
-        if (!parsed.OAUTH_AUDIENCE) {
-          console.warn(
-            "⚠️  OAUTH_AUDIENCE not set for full mode. Token validation will not check audience.\n" +
-              "   For production deployments, consider setting OAUTH_AUDIENCE to your API identifier",
+        // Provide default for OAUTH_REDIRECT_URI if not set
+        if (!parsed.OAUTH_REDIRECT_URI) {
+          const callbackUrl = new URL("/callback", parsed.BASE_URL);
+          parsed.OAUTH_REDIRECT_URI = callbackUrl.toString();
+          console.log(
+            `ℹ️  OAUTH_REDIRECT_URI not set, using default: ${parsed.OAUTH_REDIRECT_URI}`,
           );
         }
-      }
-
-      if (parsed.AUTH_MODE === "resource_server") {
-        const requiredVars = [];
-        if (!parsed.OAUTH_ISSUER) requiredVars.push("OAUTH_ISSUER");
-        if (!parsed.OAUTH_AUDIENCE) requiredVars.push("OAUTH_AUDIENCE");
 
-        if (requiredVars.length > 0) {
-          throw new Error(
-            `AUTH_MODE=resource_server requires OAuth configuration. Missing: ${requiredVars.join(", ")}\n` +
-              "Example configuration:\n" +
-              "OAUTH_ISSUER=https://your-domain.auth0.com\n" +
-              "OAUTH_AUDIENCE=your-api-identifier",
+        // OAUTH_AUDIENCE is optional but recommended for production
+        if (!parsed.OAUTH_AUDIENCE) {
+          console.warn(
+            "⚠️  OAUTH_AUDIENCE not set. Token validation will not check audience.\n" +
+            "   For production deployments, consider setting OAUTH_AUDIENCE to your API identifier",
           );
         }
       }

src/index.ts

@@ -102,7 +102,7 @@ const mcpHandler = async (req: express.Request, res: express.Response) => {
       const config = getConfig();
       const capabilities = ["tools"];
 
-      if (config.AUTH_MODE !== "none") {
+      if (config.ENABLE_AUTH) {
         capabilities.push("oauth");
       }
 
@@ -111,7 +111,7 @@ const mcpHandler = async (req: express.Request, res: express.Response) => {
         version: config.SERVER_VERSION,
         description: "TypeScript template for building MCP servers",
         capabilities,
-        ...(config.AUTH_MODE !== "none" && {
+        ...(config.ENABLE_AUTH && {
           oauth: {
             authorization_server: new URL("/.well-known/oauth-authorization-server", config.BASE_URL).toString(),
             protected_resource: new URL("/.well-known/oauth-protected-resource", config.BASE_URL).toString(),
@@ -132,7 +132,8 @@ const mcpHandler = async (req: express.Request, res: express.Response) => {
 const config = getConfig();
 let oauthProvider: OAuthProvider | null = null;
 
-if (config.AUTH_MODE === "full") {
+// Setup OAuth endpoints and provider when authentication is enabled
+if (config.ENABLE_AUTH) {
   const baseUrl = config.BASE_URL;
   oauthProvider = new OAuthProvider({
     clientId: "mcp-client",
@@ -154,24 +155,28 @@ if (config.AUTH_MODE === "full") {
   app.get(redirectPath, createCallbackHandler(oauthProvider));
   app.post("/oauth/token", express.urlencoded({ extended: true }), createTokenHandler(oauthProvider));
 
-  logger.info("OAuth 2.1 client delegation endpoints registered for full auth mode", { 
+  logger.info("OAuth 2.1 endpoints registered", { 
     discovery: [
       "/.well-known/oauth-authorization-server", 
       "/.well-known/oauth-protected-resource",
       "/.well-known/openid_configuration"
     ],
     endpoints: ["/oauth/authorize", redirectPath, "/oauth/token"],
-    externalIdP: config.OAUTH_ISSUER
+    issuer: config.OAUTH_ISSUER
   });
 }
 
+// Setup authentication middleware
 let authMiddleware;
-if (config.AUTH_MODE === "full" && oauthProvider) {
+if (config.ENABLE_AUTH && oauthProvider) {
   authMiddleware = createOAuthProviderAuthMiddleware(oauthProvider);
-  logger.info("Using OAuthProvider authentication for MCP endpoints");
-} else {
+  logger.info("Using OAuth 2.1 authentication for MCP endpoints");
+} else if (config.ENABLE_AUTH) {
   authMiddleware = createAuthenticationMiddleware();
-  logger.info("Using standard authentication for MCP endpoints");
+  logger.info("Using OAuth 2.1 token validation for MCP endpoints");
+} else {
+  authMiddleware = (_req: any, _res: any, next: any) => next();
+  logger.info("Authentication disabled - MCP endpoints are public");
 }
 
 app.get("/mcp", mcpHandler);