Skip to content

feat(wds-mcp): refresh token 지원 및 Firestore 영속 저장 #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Sh031224 merged 4 commits into from
Mar 25, 2026
+149 −5
Merged

feat(wds-mcp): refresh token 지원 및 Firestore 영속 저장 #526

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
90b2e13
feat(wds-mcp): refresh token 지원 및 Firestore 영속 저장
Sh031224 Mar 25, 2026
b7d4f94
fix(wds-mcp): google refresh token rotation 대응
Sh031224 Mar 25, 2026
461f74c
fix(wds-mcp): 일시적 오류 시 refresh token 삭제 방지
Sh031224 Mar 25, 2026
dc0001d
fix(wds-mcp): refresh token을 발급 client에 바인딩
Sh031224 Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
153 changes: 148 additions & 5 deletions packages/wds-mcp/src/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import crypto from 'node:crypto';

import { cert, initializeApp } from 'firebase-admin/app';
import { getAuth } from 'firebase-admin/auth';
import { getFirestore } from 'firebase-admin/firestore';

import type {
AuthorizationParams,
Expand Down Expand Up @@ -32,6 +33,8 @@ const firebaseApp = initializeApp(
);

const firebaseAuth = getAuth(firebaseApp);
const firestore = getFirestore(firebaseApp, 'montage-storage');
const refreshTokensCollection = firestore.collection('refreshTokens');

interface PendingAuth {
clientId: string;
Expand Down Expand Up @@ -81,6 +84,36 @@ const registeredClients = new TtlMap<string, OAuthClientInformationFull>();
const pendingAuths = new TtlMap<string, PendingAuth>();
const authCodes = new TtlMap<string, StoredAuthCode>();

interface StoredRefreshToken {
clientId: string;
googleRefreshToken: string;
}

const refreshTokenStore = {
async set(mcpToken: string, value: StoredRefreshToken) {
await refreshTokensCollection.doc(mcpToken).set({
clientId: value.clientId,
googleRefreshToken: value.googleRefreshToken,
});
},

async get(mcpToken: string, clientId: string): Promise<string | undefined> {
const doc = await refreshTokensCollection.doc(mcpToken).get();

if (!doc.exists) return undefined;

const data = doc.data() as StoredRefreshToken;

if (data.clientId !== clientId) return undefined;

return data.googleRefreshToken;
},

async delete(mcpToken: string) {
await refreshTokensCollection.doc(mcpToken).delete();
},
};

export const getServerUrl = () =>
process.env.MCP_SERVER_URL || 'http://localhost:3000';

Expand Down Expand Up @@ -179,6 +212,7 @@ export const createOAuthProvider = (): OAuthServerProvider => ({
access_token: string;
id_token: string;
expires_in: number;
refresh_token?: string;
};

// Exchange Google ID token for Firebase ID token via REST API
Expand Down Expand Up @@ -219,17 +253,126 @@ export const createOAuthProvider = (): OAuthServerProvider => ({

authCodes.delete(authorizationCode);

// Return the Firebase ID token — verifiable statelessly via firebaseAuth.verifyIdToken()
return {
// Store Google refresh token for later token renewal
const tokens: OAuthTokens = {
access_token: firebaseTokens.idToken,
token_type: 'bearer',
expires_in: Number(firebaseTokens.expiresIn),
scope: 'openid email profile',
} as OAuthTokens;
};

if (googleTokens.refresh_token) {
const mcpRefreshToken = crypto.randomUUID();
await refreshTokenStore.set(mcpRefreshToken, {
clientId: client.client_id,
googleRefreshToken: googleTokens.refresh_token,
});
tokens.refresh_token = mcpRefreshToken;
}

return tokens;
},

async exchangeRefreshToken() {
throw new Error('Refresh tokens not supported');
async exchangeRefreshToken(
client: OAuthClientInformationFull,
refreshToken: string,
) {
const googleRefreshToken = await refreshTokenStore.get(
refreshToken,
client.client_id,
);

if (!googleRefreshToken) {
throw new Error('Invalid or expired refresh token');
}

// Use Google refresh token to get new tokens
const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
refresh_token: googleRefreshToken,
client_id: GOOGLE_CLIENT_ID,
client_secret: GOOGLE_CLIENT_SECRET,
grant_type: 'refresh_token',
}),
signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
}).catch((error) => {
if (error instanceof DOMException && error.name === 'TimeoutError') {
throw new Error('Google token refresh timed out');
}
throw error;
});

if (!tokenResponse.ok) {
const error = await tokenResponse.text();

// Only delete on permanent failures (token revoked/invalid)
if (tokenResponse.status === 400 || tokenResponse.status === 401) {
await refreshTokenStore.delete(refreshToken);
}

throw new Error(`Failed to refresh Google token: ${error}`);
}

const googleTokens = (await tokenResponse.json()) as {
access_token: string;
id_token: string;
expires_in: number;
refresh_token?: string;
};

// Google may rotate refresh tokens
if (googleTokens.refresh_token) {
await refreshTokenStore.set(refreshToken, {
clientId: client.client_id,
googleRefreshToken: googleTokens.refresh_token,
});
}

// Exchange new Google ID token for Firebase ID token
const firebaseResponse = await fetch(
`https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=${FIREBASE_API_KEY}`,
{
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
postBody: `id_token=${googleTokens.id_token}&providerId=google.com`,
requestUri: getServerUrl(),
returnIdToken: true,
returnSecureToken: true,
}),
signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
},
).catch((error) => {
if (error instanceof DOMException && error.name === 'TimeoutError') {
throw new Error('Firebase sign-in timed out');
}
throw error;
});

if (!firebaseResponse.ok) {
const error = await firebaseResponse.text();
throw new Error(`Firebase sign-in failed: ${error}`);
}

const firebaseTokens = (await firebaseResponse.json()) as {
idToken: string;
expiresIn: string;
email?: string;
};

if (!firebaseTokens.email?.endsWith(`@${ALLOWED_DOMAIN}`)) {
throw new Error(`Access restricted to @${ALLOWED_DOMAIN} accounts`);
}

return {
access_token: firebaseTokens.idToken,
token_type: 'bearer',
expires_in: Number(firebaseTokens.expiresIn),
scope: 'openid email profile',
refresh_token: refreshToken,
} as OAuthTokens;
},

async verifyAccessToken(token: string): Promise<AuthInfo> {
Expand Down
1 change: 1 addition & 0 deletions packages/wds-mcp/src/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ const PORT = parseInt(process.env.PORT ?? '3000', 10);

const app = express();

app.set('trust proxy', 2);
app.use(express.json());

const provider = createOAuthProvider();
Expand Down
Loading