dividing ui-enabled server from non ui enabled

Author: eli6

Dockerfile

@@ -15,7 +15,7 @@ COPY src ./src
 EXPOSE 3000
 
 # Explicitly disable auth by default in this image (can override at runtime)
-ENV DISABLE_AUTH=true
+#ENV DISABLE_AUTH=false
 
 # Start the MCP server (uses devDependency tsx)
-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start:ui"]

README.md

@@ -31,8 +31,9 @@ Start the OAuth demo (port 3001):
 npm run dev:oauth
 ```
 
-Start the MCP server (port 3000). By default, local runs use opaque tokens via the demo OAuth server (introspection mode). Place your env in `.env` and run dev for hot reload:
+## Development modes
 
+**Pure MCP (default):**
 ```bash
 # .env (local opaque token default)
 # OAUTH_SERVER_URL defaults to http://localhost:3001
@@ -44,6 +45,14 @@ AUTH_TOKEN_MODE=introspection
 npm run dev
 ```
 
+**MCP + UI Components:**
+```bash
+# Same .env as above
+npm run dev:ui
+```
+
+The pure MCP mode focuses on core MCP functionality (auth, tools, endpoints). The UI mode adds rich component experiences with interactive forms and visual feedback.
+
 Tip: If you want to run MCP without auth locally, set the explicit flag (in env or inline):
 
 ```bash
@@ -196,6 +205,10 @@ curl -i -X POST http://localhost:3000/mcp \
   -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"greet","arguments":{"name":"Elin"}}}'
 ```
 
+**UI Mode:** The `greet` tool renders a simple component with an input field. In rich-UI clients, it is associated with the template `ui://widget/greet.html` and can initiate tool calls from the iframe when supported. The tool also returns `structuredContent` with `{ name, greeting }` so the component can hydrate initial UI state.
+
+**Pure MCP Mode:** The `greet` tool returns simple text responses without UI components, perfect for learning MCP fundamentals.
+
 Call `count`:
 
 ```bash

package.json

@@ -4,8 +4,10 @@
   "main": "index.js",
   "scripts": {
     "dev": "tsx --watch src/start.ts",
+    "dev:ui": "tsx --watch src/server-with-ui.ts",
     "dev:oauth": "tsx --watch src/oauth.ts",
     "start": "tsx src/start.ts",
+    "start:ui": "tsx src/server-with-ui.ts",
     "start:oauth": "tsx src/oauth.ts",
     "docker:build": "docker build -t mcp-pluggdax-bare:dev .",
     "docker:run": "docker run --rm -p 3000:3000 --name mcp-pluggdax mcp-pluggdax-bare:dev",

src/lib/auth.ts

@@ -0,0 +1,108 @@
+import { createRemoteJWKSet, jwtVerify, JWTPayload } from "jose";
+
+export interface AuthConfig {
+  DISABLE_AUTH: boolean;
+  AUTH_TOKEN_MODE: "introspection" | "jwt";
+  OAUTH_INTROSPECT_URL: string;
+  JWT_ISSUER?: string;
+  JWT_AUDIENCE?: string;
+  JWT_JWKS_URL?: string;
+}
+
+export interface AuthResult {
+  clientId: string;
+  scopes: string[];
+  expiresAt: number;
+}
+
+// Bearer auth supporting either introspection (opaque tokens) or JWT validation (JWKS)
+export async function verifyAccessToken(token: string, config: AuthConfig, expectedResource?: string): Promise<AuthResult> {
+  if (!config.DISABLE_AUTH) return { clientId: "dev", scopes: [], expiresAt: Math.floor(Date.now() / 1000) + 3600 };
+
+  if (config.AUTH_TOKEN_MODE === "jwt") {
+    if (!config.JWT_JWKS_URL) throw new Error("JWT_JWKS_URL or JWT_ISSUER required for JWT mode");
+    const JWKS = createRemoteJWKSet(new URL(config.JWT_JWKS_URL));
+    const { payload } = await jwtVerify(token, JWKS, {
+      issuer: config.JWT_ISSUER,
+      audience: config.JWT_AUDIENCE,
+      algorithms: ["RS256"]
+    });
+
+    const scopes = parseScopes(payload);
+    const exp = typeof payload.exp === "number" ? payload.exp : Math.floor(Date.now() / 1000) + 3600;
+    if (expectedResource && payload.aud && typeof payload.aud === "string" && payload.aud !== expectedResource) {
+      console.warn(`[auth] audience mismatch: token.aud="${payload.aud}" expected="${expectedResource}"`);
+      throw new Error("Token not intended for this resource");
+    }
+    return {
+      clientId: (payload.client_id as string) || (payload.sub as string) || "unknown",
+      scopes,
+      expiresAt: exp,
+    };
+  } else {
+    // Use external introspection (opaque tokens)
+    const res = await fetch(config.OAUTH_INTROSPECT_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ token }).toString()
+    });
+    if (!res.ok) throw new Error(`Introspection failed: ${res.status}`);
+    const data = await res.json();
+    if (!data.active) throw new Error("Token inactive");
+
+    if (expectedResource && data.aud && data.aud !== expectedResource) {
+      console.warn(`[auth] audience mismatch: token.aud="${data.aud}" expected="${expectedResource}"`);
+      throw new Error("Token not intended for this resource");
+    }
+    return {
+      clientId: data.client_id ?? "unknown",
+      scopes: (data.scope ? String(data.scope).split(" ") : []) as string[],
+      expiresAt: typeof data.exp === "number" ? data.exp : Math.floor(Date.now() / 1000) + 3600
+    };
+  }
+}
+
+export function parseScopes(payload: JWTPayload): string[] {
+  const raw = (payload.scope as string) || (payload.scp as string) || undefined;
+  if (!raw) return [];
+  return String(raw).split(" ").filter(Boolean);
+}
+
+export function createAuthMiddleware(config: AuthConfig) {
+  return async (req: any, res: any, next: any) => {
+    if (config.DISABLE_AUTH) return next();
+    
+    const baseUrl = `${req.protocol}://${req.get('host')}`;
+    // Prefer configured audience to avoid http/https host-derived mismatches
+    const expectedResource = config.JWT_AUDIENCE || `${baseUrl}/mcp`;
+    const resourceMetadataUrl = `${baseUrl}/.well-known/oauth-protected-resource`;
+    
+    try {
+      const auth = req.headers.authorization;
+      if (!auth) {
+        console.warn(`[auth] missing authorization for ${req.method} ${req.originalUrl}`);
+        res.set('WWW-Authenticate', `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`);
+        return res.status(401).json({ error: "missing_authorization" });
+      }
+      const [type, token] = auth.split(" ");
+      if (!token || type.toLowerCase() !== "bearer") {
+        console.warn(`[auth] invalid authorization header for ${req.method} ${req.originalUrl}: ${auth}`);
+        res.set('WWW-Authenticate', `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`);
+        return res.status(401).json({ error: "invalid_authorization" });
+      }
+      const info = await verifyAccessToken(token, config, expectedResource);
+      if (info.expiresAt < Math.floor(Date.now() / 1000)) {
+        console.warn(`[auth] token expired for client ${info.clientId}`);
+        res.set('WWW-Authenticate', `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`);
+        return res.status(401).json({ error: "token_expired" });
+      }
+      req.auth = info;
+      next();
+    } catch (e: any) {
+      console.warn(`[auth] invalid_token on ${req.method} ${req.originalUrl}: ${e?.message || e}`);
+      res.set('WWW-Authenticate', `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`);
+      return res.status(401).json({ error: "invalid_token", message: String(e?.message ?? e) });
+    }
+  };
+}
+

src/lib/oauth-metadata.ts

@@ -0,0 +1,24 @@
+import { Express } from "express";
+
+export interface OAuthConfig {
+  OAUTH_SERVER_URL: string;
+  SCOPES_SUPPORTED: string[];
+}
+
+export function registerOAuthEndpoints(app: Express, config: OAuthConfig) {
+  // OAuth Protected Resource metadata endpoint (MUST be public - no auth required)
+  // Note: The oauth-authorization-server endpoint is provided by the OAuth server itself
+  // (e.g., Auth0 exposes it at https://your-tenant.auth0.com/.well-known/oauth-authorization-server)
+  app.get("/.well-known/oauth-protected-resource", (req, res) => {
+    const baseUrl = `${req.protocol}://${req.get('host')}`;
+    
+    res.json({
+      resource: `${baseUrl}`, // Your MCP server is the protected resource
+      authorization_servers: [config.OAUTH_SERVER_URL], // Where to get tokens
+      scopes_supported: config.SCOPES_SUPPORTED,
+      bearer_methods_supported: ["header"],
+      introspection_endpoint: `${config.OAUTH_SERVER_URL}/introspect`
+    });
+  });
+}
+