Na}{

File Content: `oauth.php`

<?php
// NOTE: This OAuth implementation is currently disabled in MCP due to
// security issues (unvalidated redirect URIs). The class remains for
// reference but is not loaded anywhere. Do not rely on this code until
// proper client registration and redirect URI validation is implemented.

class Meow_MWAI_Labs_OAuth {
  private $core = null;
  private $namespace = 'mcp/oauth';
  private $codes_option = 'mwai_oauth_codes';
  private $tokens_option = 'mwai_oauth_tokens';
  private $code_lifetime = 600; // 10 minutes
  private $token_lifetime = 3600; // 1 hour
  private $logging = false;

  public function __construct( $core, $logging = false ) {
    $this->core = $core;
    $this->logging = $logging;

    add_action( 'rest_api_init', [ $this, 'rest_api_init' ] );
    add_action( 'init', [ $this, 'handle_well_known' ] );

    // Cleanup expired authorization codes and access tokens on a schedule.
    // When OAuth is enabled, this ensures tokens don't accumulate forever.
    add_action( 'mwai_cleanup_oauth', [ $this, 'cleanup_expired' ] );
    if ( !wp_next_scheduled( 'mwai_cleanup_oauth' ) ) {
      wp_schedule_event( time(), 'hourly', 'mwai_cleanup_oauth' );
    }
  }

  public function rest_api_init() {
    // Authorization endpoint
    register_rest_route( $this->namespace, '/authorize', [
      'methods' => 'GET',
      'callback' => [ $this, 'handle_authorize' ],
      'permission_callback' => '__return_true',
    ] );

    // Token endpoint
    register_rest_route( $this->namespace, '/token', [
      'methods' => 'POST',
      'callback' => [ $this, 'handle_token' ],
      'permission_callback' => '__return_true',
    ] );
  }

  // Handle .well-known/oauth-authorization-server
  public function handle_well_known() {
    if ( $_SERVER['REQUEST_URI'] === '/.well-known/oauth-authorization-server' ) {
      if ( $this->logging ) {
        error_log( '[OAuth] 🌐 Discovery endpoint requested.' );
      }
      header( 'Content-Type: application/json' );
      $base_url = get_site_url();
      $discovery = [
        'issuer' => $base_url,
        'authorization_endpoint' => $base_url . '/wp-json/mcp/oauth/authorize',
        'token_endpoint' => $base_url . '/wp-json/mcp/oauth/token',
        'scopes_supported' => [ 'mcp' ],
        'response_types_supported' => [ 'code' ],
        'grant_types_supported' => [ 'authorization_code' ],
        'token_endpoint_auth_methods_supported' => [ 'none' ],
        'code_challenge_methods_supported' => [ 'S256' ]
      ];
      echo json_encode( $discovery, JSON_PRETTY_PRINT );
      exit;
    }
  }

  // Authorization endpoint
  public function handle_authorize( $request ) {
    if ( $this->logging ) {
      error_log( '[OAuth] 🔐 Authorize: ' . $request->get_param( 'client_id' ) );
    }

    $response_type = $request->get_param( 'response_type' );
    $client_id = $request->get_param( 'client_id' );
    $redirect_uri = $request->get_param( 'redirect_uri' );
    $state = $request->get_param( 'state' );
    $code_challenge = $request->get_param( 'code_challenge' );
    $code_challenge_method = $request->get_param( 'code_challenge_method' );
    $scope = $request->get_param( 'scope' );

    // Validate request
    if ( $response_type !== 'code' ) {
      return new WP_Error( 'invalid_request', 'Invalid response_type' );
    }

    if ( empty( $client_id ) || empty( $redirect_uri ) || empty( $code_challenge ) ) {
      return new WP_Error( 'invalid_request', 'Missing required parameters' );
    }

    if ( $code_challenge_method && $code_challenge_method !== 'S256' ) {
      return new WP_Error( 'invalid_request', 'Only S256 code challenge method is supported' );
    }

    // Check if user is logged in
    if ( !is_user_logged_in() ) {
      // Store OAuth params in session/transient
      $session_key = 'oauth_' . wp_generate_password( 16, false );
      set_transient( $session_key, [
        'client_id' => $client_id,
        'redirect_uri' => $redirect_uri,
        'state' => $state,
        'code_challenge' => $code_challenge,
        'scope' => $scope ?: 'mcp'
      ], 600 );

      // Show login form
      $this->show_login_form( $session_key );
      exit;
    }

    // User is logged in, generate authorization code
    $code = $this->generate_authorization_code(
      get_current_user_id(),
      $client_id,
      $redirect_uri,
      $code_challenge,
      $scope ?: 'mcp'
    );

    // Redirect back with code
    $redirect_params = [
      'code' => $code,
      'state' => $state
    ];

    $redirect_url = add_query_arg( $redirect_params, $redirect_uri );
    wp_redirect( $redirect_url );
    exit;
  }

  // Token endpoint
  public function handle_token( $request ) {
    if ( $this->logging ) {
      $params = $request->get_params();
      // Don't log sensitive data like code_verifier
      $safe_params = $params;
      if ( isset( $safe_params['code_verifier'] ) ) {
        $safe_params['code_verifier'] = '[REDACTED]';
      }
      error_log( '[OAuth] 🎫 Token exchange for client: ' . $request->get_param( 'client_id' ) );
    }

    $grant_type = $request->get_param( 'grant_type' );
    $code = $request->get_param( 'code' );
    $client_id = $request->get_param( 'client_id' );
    $redirect_uri = $request->get_param( 'redirect_uri' );
    $code_verifier = $request->get_param( 'code_verifier' );

    // Validate grant type
    if ( $grant_type !== 'authorization_code' ) {
      return new WP_Error( 'unsupported_grant_type', 'Only authorization_code grant type is supported', [ 'status' => 400 ] );
    }

    // Validate required parameters
    if ( empty( $code ) || empty( $client_id ) || empty( $redirect_uri ) || empty( $code_verifier ) ) {
      return new WP_Error( 'invalid_request', 'Missing required parameters', [ 'status' => 400 ] );
    }

    // Validate authorization code
    $codes = get_option( $this->codes_option, [] );
    if ( !isset( $codes[ $code ] ) ) {
      return new WP_Error( 'invalid_grant', 'Invalid authorization code', [ 'status' => 400 ] );
    }

    $code_data = $codes[ $code ];

    // Check if code is expired
    if ( time() > $code_data['expires'] ) {
      unset( $codes[ $code ] );
      update_option( $this->codes_option, $codes );
      return new WP_Error( 'invalid_grant', 'Authorization code has expired', [ 'status' => 400 ] );
    }

    // Validate client_id and redirect_uri
    if ( $code_data['client_id'] !== $client_id || $code_data['redirect_uri'] !== $redirect_uri ) {
      return new WP_Error( 'invalid_grant', 'Invalid client_id or redirect_uri', [ 'status' => 400 ] );
    }

    // Verify PKCE
    $verifier_hash = base64_encode( hash( 'sha256', $code_verifier, true ) );
    $verifier_hash = rtrim( strtr( $verifier_hash, '+/', '-_' ), '=' ); // Base64 URL encoding

    if ( $verifier_hash !== $code_data['code_challenge'] ) {
      return new WP_Error( 'invalid_grant', 'Invalid code_verifier', [ 'status' => 400 ] );
    }

    // Code is valid, remove it (one-time use)
    unset( $codes[ $code ] );
    update_option( $this->codes_option, $codes );

    // Generate access token
    $access_token = $this->generate_access_token( $code_data['user_id'], $code_data['scope'] );

    // Return token response
    return [
      'access_token' => $access_token,
      'token_type' => 'Bearer',
      'expires_in' => $this->token_lifetime,
      'scope' => $code_data['scope']
    ];
  }

  // Generate authorization code
  private function generate_authorization_code( $user_id, $client_id, $redirect_uri, $code_challenge, $scope ) {
    if ( $this->logging ) {
      error_log( '[OAuth] ✅ Auth code generated for user ' . $user_id . '.' );
    }

    $code = wp_generate_password( 32, false );

    $codes = get_option( $this->codes_option, [] );
    $codes[ $code ] = [
      'user_id' => $user_id,
      'client_id' => $client_id,
      'redirect_uri' => $redirect_uri,
      'code_challenge' => $code_challenge,
      'scope' => $scope,
      'expires' => time() + $this->code_lifetime
    ];

    update_option( $this->codes_option, $codes );

    return $code;
  }

  // Generate access token
  private function generate_access_token( $user_id, $scope ) {
    if ( $this->logging ) {
      error_log( '[OAuth] ✅ Access token generated for user ' . $user_id . '.' );
    }

    $token = wp_generate_password( 40, false );

    $tokens = get_option( $this->tokens_option, [] );
    $tokens[ $token ] = [
      'user_id' => $user_id,
      'scope' => $scope,
      'expires' => time() + $this->token_lifetime
    ];

    update_option( $this->tokens_option, $tokens );

    return $token;
  }

  // Validate access token
  public function validate_token( $token ) {
    $tokens = get_option( $this->tokens_option, [] );

    if ( !isset( $tokens[ $token ] ) ) {
      return false;
    }

    $token_data = $tokens[ $token ];

    // Check if expired
    if ( time() > $token_data['expires'] ) {
      if ( $this->logging ) {
        error_log( '[OAuth] ❌ Token validation failed: expired.' );
      }
      unset( $tokens[ $token ] );
      update_option( $this->tokens_option, $tokens );
      return false;
    }

    if ( $this->logging ) {
      error_log( '[OAuth] ✅ Token valid for user ' . $token_data['user_id'] . '.' );
    }

    return $token_data;
  }

  // Show login form
  private function show_login_form( $session_key ) {
    $login_url = wp_login_url( add_query_arg( 'oauth_session', $session_key, $_SERVER['REQUEST_URI'] ) );
    ?>
                                                                                                                                                                                                                                <!DOCTYPE html>
                                                                                                                                                                                                                                <html>
                                                                                                                                                                                                                                <head>
                                                                                                                                                                                                                                <title>Login Required</title>
                                                                                                                                                                                                                                <style>
                                                                                                                                                                                                                                body {
                                                                                                                                                                                                                                  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
                                                                                                                                                                                                                                  display: flex;
                                                                                                                                                                                                                                  justify-content: center;
                                                                                                                                                                                                                                  align-items: center;
                                                                                                                                                                                                                                  height: 100vh;
                                                                                                                                                                                                                                  margin: 0;
                                                                                                                                                                                                                                  background: #f5f5f5;
                                                                                                                                                                                                                                }
                                                                                                                                                                                                                              .login-container {
                                                                                                                                                                                                                                background: white;
                                                                                                                                                                                                                                padding: 40px;
                                                                                                                                                                                                                                border-radius: 8px;
                                                                                                                                                                                                                                box-shadow: 0 2px 4px rgba(0,0,0,0.1);
                                                                                                                                                                                                                                  text-align: center;
                                                                                                                                                                                                                                  max-width: 400px;
                                                                                                                                                                                                                                }
                                                                                                                                                                                                                              h2 {
                                                                                                                                                                                                                                margin-top: 0;
                                                                                                                                                                                                                                color: #333;
                                                                                                                                                                                                                              }
                                                                                                                                                                                                                            p {
                                                                                                                                                                                                                              color: #666;
                                                                                                                                                                                                                              margin-bottom: 30px;
                                                                                                                                                                                                                            }
                                                                                                                                                                                                                          .login-button {
                                                                                                                                                                                                                            display: inline-block;
                                                                                                                                                                                                                            background: #0073aa;
                                                                                                                                                                                                                            color: white;
                                                                                                                                                                                                                            padding: 12px 24px;
                                                                                                                                                                                                                            text-decoration: none;
                                                                                                                                                                                                                            border-radius: 4px;
                                                                                                                                                                                                                            font-weight: 500;
                                                                                                                                                                                                                          }
                                                                                                                                                                                                                        .login-button:hover {
                                                                                                                                                                                                                          background: #005a87;
                                                                                                                                                                                                                        }
                                                                                                                                                                                                                      </style>
                                                                                                                                                                                                                      </head>
                                                                                                                                                                                                                      <body>
                                                                                                                                                                                                                      <div class="login-container">
                                                                                                                                                                                                                      <h2>Authorization Required</h2>
                                                                                                                                                                                                                      <p>Please log in to authorize access to your MCP connector.</p>
                                                                                                                                                                                                                      <a href="<?php echo esc_url( $login_url ); ?>" class="login-button">Log In</a>
                                                                                                                                                                                                                      </div>
                                                                                                                                                                                                                      </body>
                                                                                                                                                                                                                      </html>
                                                                                                                                                                                                                      <?php
  }

  // Handle OAuth callback after login
  public function handle_oauth_callback() {
    if ( isset( $_GET['oauth_session'] ) && is_user_logged_in() ) {
      if ( $this->logging ) {
        error_log( '[OAuth] 🔄 Callback handling for session.' );
      }
      $session_key = sanitize_text_field( $_GET['oauth_session'] );
      $oauth_params = get_transient( $session_key );

      if ( $oauth_params ) {
        delete_transient( $session_key );

        // Generate authorization code
        $code = $this->generate_authorization_code(
          get_current_user_id(),
          $oauth_params['client_id'],
          $oauth_params['redirect_uri'],
          $oauth_params['code_challenge'],
          $oauth_params['scope']
        );

        // Redirect back with code
        $redirect_params = [
          'code' => $code,
          'state' => $oauth_params['state']
        ];

        $redirect_url = add_query_arg( $redirect_params, $oauth_params['redirect_uri'] );
        wp_redirect( $redirect_url );
        exit;
      }
    }
  }

  // Clean up expired tokens and codes
  public function cleanup_expired() {
    if ( $this->logging ) {
      error_log( '[OAuth] 🧹 Cleaning expired tokens.' );
    }

    $now = time();

    // Clean codes
    $codes = get_option( $this->codes_option, [] );
    foreach ( $codes as $code => $data ) {
      if ( $now > $data['expires'] ) {
        unset( $codes[ $code ] );
      }
    }
    update_option( $this->codes_option, $codes );

    // Clean tokens
    $tokens = get_option( $this->tokens_option, [] );
    foreach ( $tokens as $token => $data ) {
      if ( $now > $data['expires'] ) {
        unset( $tokens[ $token ] );
      }
    }
    update_option( $this->tokens_option, $tokens );
  }
}
Name	Size	Permission
mcp-core.php	53662 bytes	0644
mcp-rest.php	7139 bytes	0644
mcp.conf	89 bytes	0644
mcp.js	23466 bytes	0644
mcp.md	9375 bytes	0644
mcp.php	33967 bytes	0644
oauth.php	23906 bytes	0644
realtime.php	3553 bytes	0644
File Content: oauth.php

File Content: `oauth.php`
