feat(auth): Refactor authentication flow and integrate OAuth provider

- Simplified the authentication initialization process by removing the OAuthProvider from the `initializeAuth` function.
- Enhanced the `createAuthenticationMiddleware` to conditionally use the OAuthProvider for full mode.
- Introduced a new `createOAuthProviderAuthMiddleware` for handling authentication with the external OAuth provider.
- Added a new `oauth-model.ts` file to manage OAuth-related data and operations, including token and authorization code handling.
- Updated the `OAuthProvider` class to store external token information and manage authorization codes with PKCE support.
- Implemented a new token exchange flow in the `createCallbackHandler` to handle authorization code exchanges with the external provider.
- Enhanced error handling and logging throughout the OAuth flow.
- Updated configuration validation to ensure required OAuth parameters are set for full mode.
- Registered new OAuth routes and discovery endpoints in the main application setup.

Author: nickytonline

src/auth/discovery.ts

@@ -1,10 +1,13 @@
 import type { Request, Response } from "express";
+import OAuth2Server from '@node-oauth/oauth2-server';
 import { getConfig } from "../config.ts";
 import { logger } from "../logger.ts";
 
 /**
  * OAuth 2.0 Authorization Server Metadata endpoint
  * RFC 8414: https://tools.ietf.org/html/rfc8414
+ * 
+ * For AUTH_MODE=full, this describes our OAuth client proxy endpoints
  */
 export function createAuthorizationServerMetadataHandler() {
   return (req: Request, res: Response) => {
@@ -19,14 +22,12 @@ export function createAuthorizationServerMetadataHandler() {
         response_types_supported: ["code"],
         grant_types_supported: ["authorization_code"],
         code_challenge_methods_supported: ["S256"],
-        scopes_supported: ["openid", "profile", "email", "read", "write"],
-        token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-        revocation_endpoint: `${baseUrl}/oauth/revoke`,
-        introspection_endpoint: `${baseUrl}/oauth/introspect`,
+        scopes_supported: ["read", "write", "mcp"],
+        token_endpoint_auth_methods_supported: ["none"]
       };
 
       logger.info("OAuth authorization server metadata requested", { 
-        issuer: metadata.issuer 
+        issuer: metadata.issuer
       });
 
       res.json(metadata);
@@ -45,6 +46,8 @@ export function createAuthorizationServerMetadataHandler() {
 /**
  * OAuth 2.0 Protected Resource Metadata endpoint
  * RFC 8705: https://tools.ietf.org/html/rfc8705
+ * 
+ * For AUTH_MODE=full, this describes our resource server capabilities
  */
 export function createProtectedResourceMetadataHandler() {
   return (req: Request, res: Response) => {
@@ -55,13 +58,13 @@ export function createProtectedResourceMetadataHandler() {
       const metadata = {
         resource: baseUrl,
         authorization_servers: [baseUrl],
-        scopes_supported: ["read", "write"],
+        scopes_supported: ["read", "write", "mcp"],
         bearer_methods_supported: ["header"],
-        resource_documentation: `${baseUrl}/docs`,
+        resource_documentation: `${baseUrl}/docs`
       };
 
       logger.info("OAuth protected resource metadata requested", { 
-        resource: metadata.resource 
+        resource: metadata.resource
       });
 
       res.json(metadata);
@@ -78,145 +81,189 @@ export function createProtectedResourceMetadataHandler() {
 }
 
 /**
- * OAuth 2.1 token endpoint - proxies token requests to external OAuth provider
+ * OAuth 2.0 Authorization endpoint
  */
-export function createTokenHandler(oauthProvider: any) {
+export function createAuthorizeHandler(oauthServer: OAuth2Server) {
   return async (req: Request, res: Response) => {
     try {
-      const config = getConfig();
-      const { grant_type, code, redirect_uri, client_id, code_verifier } = req.body;
+      logger.debug("Authorization request received", { 
+        query: req.query,
+        method: req.method 
+      });
 
-      // Validate required parameters
-      if (grant_type !== "authorization_code") {
-        return res.status(400).json({
-          error: "unsupported_grant_type",
-          error_description: "Only 'authorization_code' grant type is supported"
+      // Real OAuth implementation: Check for authenticated user
+      // In a real implementation, this would:
+      // 1. Check if user has valid session/cookie
+      // 2. If not authenticated, redirect to login page
+      // 3. After login, show consent page
+      // 4. Only then proceed with authorization
+      
+      // For now, this implementation requires external authentication
+      // The user must be authenticated before reaching this endpoint
+      const userId = req.headers['x-user-id'] as string;
+      const username = req.headers['x-username'] as string;
+      
+      if (!userId || !username) {
+        logger.warn("Missing user authentication headers");
+        return res.status(401).json({
+          error: "access_denied",
+          error_description: "User must be authenticated before authorization"
         });
       }
+      
+      const user = {
+        id: userId,
+        username: username
+      };
 
-      if (!code || !redirect_uri || !client_id || !code_verifier) {
-        return res.status(400).json({
-          error: "invalid_request",
-          error_description: "Missing required parameters: code, redirect_uri, client_id, code_verifier"
-        });
-      }
+      logger.debug("User authenticated, proceeding with authorization", { userId: user.id });
 
-      // Proxy token request to external OAuth provider
-      const tokenParams = new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: `${config.BASE_URL || "http://localhost:3000"}/oauth/callback`,
-        client_id: config.OAUTH_CLIENT_ID!,
-        client_secret: config.OAUTH_CLIENT_SECRET!,
-        code_verifier
+      // Use the OAuth2Server authorize method
+      const request = new (OAuth2Server as any).Request(req);
+      const response = new (OAuth2Server as any).Response(res);
+      
+      const authorizationCode = await oauthServer.authorize(request, response, {
+        authenticateHandler: {
+          handle: async () => {
+            logger.debug("Authenticate handler called");
+            return user;
+          }
+        }
       });
 
-      const tokenResponse = await fetch(`${config.OAUTH_ISSUER}/oauth/token`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-        },
-        body: tokenParams
+      logger.info("Authorization code granted", { 
+        clientId: authorizationCode.client.id,
+        userId: user.id,
+        code: authorizationCode.authorizationCode.substring(0, 8) + "..."
       });
 
-      if (!tokenResponse.ok) {
-        logger.warn("External OAuth token exchange failed", { 
-          status: tokenResponse.status,
-          statusText: tokenResponse.statusText 
-        });
-        return res.status(400).json({
-          error: "invalid_grant",
-          error_description: "Authorization code exchange failed"
+      // Redirect back to client with authorization code
+      const redirectUri = req.query.redirect_uri as string;
+      const state = req.query.state as string;
+      
+      if (redirectUri) {
+        const url = new URL(redirectUri);
+        url.searchParams.set('code', authorizationCode.authorizationCode);
+        if (state) url.searchParams.set('state', state);
+        
+        logger.info("Redirecting to client", { redirectUrl: url.toString() });
+        res.redirect(url.toString());
+      } else {
+        // Fallback - return as JSON
+        res.json({ 
+          authorization_code: authorizationCode.authorizationCode,
+          state 
         });
       }
 
-      const tokenData = await tokenResponse.json();
+    } catch (error) {
+      logger.error("Authorization endpoint error", { 
+        error: error instanceof Error ? error.message : error,
+        stack: error instanceof Error ? error.stack : undefined
+      });
+      
+      res.status(400).json({
+        error: "server_error",
+        error_description: error instanceof Error ? error.message : "Failed to process authorization request"
+      });
+    }
+  };
+}
+
+/**
+ * OAuth 2.0 Token endpoint
+ */
+export function createTokenHandler(oauthServer: OAuth2Server) {
+  return async (req: Request, res: Response) => {
+    try {
+      const request = new (OAuth2Server as any).Request(req);
+      const response = new (OAuth2Server as any).Response(res);
+      
+      const token = await oauthServer.token(request, response);
 
-      logger.info("Token exchange successful via external provider", { 
-        client_id,
-        scope: tokenData.scope 
+      logger.info("Access token granted", { 
+        clientId: token.client.id,
+        userId: token.user?.id,
+        scope: token.scope 
       });
 
-      // Return tokens (optionally transform or wrap them)
       res.json({
-        access_token: tokenData.access_token,
-        token_type: tokenData.token_type || "Bearer",
-        expires_in: tokenData.expires_in,
-        scope: tokenData.scope,
-        refresh_token: tokenData.refresh_token
+        access_token: token.accessToken,
+        token_type: "Bearer",
+        expires_in: Math.floor((token.accessTokenExpiresAt!.getTime() - Date.now()) / 1000),
+        scope: Array.isArray(token.scope) ? token.scope.join(' ') : token.scope,
+        refresh_token: token.refreshToken
       });
 
     } catch (error) {
-      logger.error("Token endpoint proxy error", { 
+      logger.error("Token endpoint error", { 
         error: error instanceof Error ? error.message : error 
       });
 
-      res.status(500).json({
-        error: "server_error",
-        error_description: "Failed to process token request"
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: error instanceof Error ? error.message : "Token request failed"
       });
     }
   };
 }
 
 /**
- * Token introspection endpoint - simplified for OAuth proxy pattern
+ * Token introspection endpoint
  */
-export function createIntrospectionHandler(oauthProvider?: any) {
+export function createIntrospectionHandler(oauthServer: OAuth2Server) {
   return async (req: Request, res: Response) => {
     try {
-      const { token } = req.body;
-
-      if (!token) {
-        return res.status(400).json({
-          error: "invalid_request",
-          error_description: "Missing token parameter"
-        });
-      }
-
-      logger.info("Token introspection requested", { token: token.substring(0, 10) + "..." });
+      const request = new (OAuth2Server as any).Request(req);
+      const response = new (OAuth2Server as any).Response(res);
 
-      // Return inactive for OAuth proxy pattern - external IdP handles actual validation
-      res.json({ active: false });
+      const token = await oauthServer.authenticate(request, response);
+      
+      logger.info("Token introspection successful", { 
+        clientId: token.client.id,
+        userId: token.user?.id,
+        scope: token.scope 
+      });
+
+      res.json({
+        active: true,
+        scope: Array.isArray(token.scope) ? token.scope.join(' ') : token.scope,
+        client_id: token.client.id,
+        username: token.user?.username,
+        sub: token.user?.id,
+        exp: Math.floor((token.accessTokenExpiresAt?.getTime() || 0) / 1000)
+      });
 
     } catch (error) {
-      logger.error("Token introspection error", { 
+      logger.debug("Token introspection failed", { 
         error: error instanceof Error ? error.message : error 
       });
-      res.status(500).json({
-        error: "server_error",
-        error_description: "Failed to introspect token"
-      });
+      
+      res.json({ active: false });
     }
   };
 }
 
 /**
  * Token revocation endpoint
  */
-export function createRevocationHandler() {
+export function createRevocationHandler(oauthServer: OAuth2Server) {
   return async (req: Request, res: Response) => {
     try {
-      const { token } = req.body;
-
-      if (!token) {
-        return res.status(400).json({
-          error: "invalid_request",
-          error_description: "Missing token parameter"
-        });
-      }
-
-      // TODO: Implement actual token revocation
-      logger.info("Token revocation requested", { token: token.substring(0, 10) + "..." });
-
-      res.status(200).send(); // Success response
+      const request = new (OAuth2Server as any).Request(req);
+      const response = new (OAuth2Server as any).Response(res);
+      
+      await oauthServer.revoke(request, response);
+      
+      logger.info("Token revoked successfully");
+      res.status(200).send();
 
     } catch (error) {
       logger.error("Token revocation error", { 
         error: error instanceof Error ? error.message : error 
       });
-      res.status(500).json({
-        error: "server_error",
+      res.status(400).json({
+        error: "invalid_request",
         error_description: "Failed to revoke token"
       });
     }