mcp-auth-step-by-step/test_step6.sh at main · christian-posta/mcp-auth-step-by-step · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
#!/bin/bash

# Test script for Step 6: JWT Token Validation
echo "🧪 Testing Step 6: JWT Token Validation"
echo "========================================"

# Function to cleanup background processes
cleanup() {
    echo "🧹 Cleaning up..."
    if [ ! -z "$SERVER_PID" ]; then
        kill $SERVER_PID 2>/dev/null
        wait $SERVER_PID 2>/dev/null
    fi
    exit 0
}

# Set trap to cleanup on script exit
trap cleanup EXIT INT TERM

# Check if public key exists, if not generate one
if [ ! -f "mcp_public_key.pem" ]; then
    echo "🔑 No public key found, generating key pair..."
    uv run python generate_token.py --generate-keys
    if [ $? -ne 0 ]; then
        echo "❌ Failed to generate key pair"
        exit 1
    fi
fi

# Generate test tokens
echo "🔑 Generating test tokens..."
uv run python generate_token.py --username alice --scopes mcp:read,mcp:tools
uv run python generate_token.py --username admin --scopes mcp:read,mcp:tools,mcp:prompts

# Extract tokens from generated files
ALICE_TOKEN=$(python -c "import json; print(json.load(open('token_alice.json'))['token'])")
ADMIN_TOKEN=$(python -c "import json; print(json.load(open('token_admin.json'))['token'])")

if [ -z "$ALICE_TOKEN" ] || [ -z "$ADMIN_TOKEN" ]; then
    echo "❌ Failed to extract tokens"
    exit 1
fi

echo "✅ Test tokens generated successfully"

# Start the server in background
echo "🚀 Starting Step 6 server..."
uv run step6 &
SERVER_PID=$!

# Wait for server to start
echo "⏳ Waiting for server to start..."
sleep 3

# Test health endpoint
echo "🔍 Testing health endpoint..."
HEALTH_RESPONSE=$(curl -s http://localhost:9000/health)

if [ $? -eq 0 ]; then
    echo "✅ Health endpoint test passed!"
    echo "📄 Response: $HEALTH_RESPONSE"

    # Check if auth is required
    if echo "$HEALTH_RESPONSE" | grep -q '"auth_required":true'; then
        echo "✅ Authentication is required!"
    else
        echo "❌ Authentication requirement not indicated"
        exit 1
    fi
else
    echo "❌ Health endpoint test failed!"
    exit 1
fi

# Test JWKS endpoint
echo "🔍 Testing JWKS endpoint..."
JWKS_RESPONSE=$(curl -s http://localhost:9000/.well-known/jwks.json)

if [ $? -eq 0 ]; then
    echo "✅ JWKS endpoint test passed!"
    echo "📄 Response: $JWKS_RESPONSE"

    # Check if JWKS contains keys
    if echo "$JWKS_RESPONSE" | grep -q '"keys"'; then
        echo "✅ JWKS contains public key!"
    else
        echo "❌ JWKS does not contain keys"
        exit 1
    fi
else
    echo "❌ JWKS endpoint test failed!"
    exit 1
fi

# Test unauthenticated MCP request (should fail)
echo "🔍 Testing unauthenticated MCP request..."
UNAUTH_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "id": 1, "method": "initialize"}')

if [ $? -eq 0 ]; then
    echo "✅ Unauthenticated request test passed!"
    echo "📄 Response: $UNAUTH_RESPONSE"

    # Check if response contains 401 error
    if echo "$UNAUTH_RESPONSE" | grep -q '"detail":"Authorization header missing"'; then
        echo "✅ Properly rejects unauthenticated requests!"
    else
        echo "❌ Did not properly reject unauthenticated request"
        exit 1
    fi
else
    echo "❌ Unauthenticated request test failed!"
    exit 1
fi

# Test authenticated MCP initialize with Alice token
echo "🔍 Testing authenticated MCP initialize (Alice)..."
AUTH_INIT_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ALICE_TOKEN" \
  -d '{"jsonrpc": "2.0", "id": 1, "method": "initialize"}')

if [ $? -eq 0 ]; then
    echo "✅ Authenticated initialize test passed!"
    echo "📄 Response: $AUTH_INIT_RESPONSE"

    # Check if response contains user info
    if echo "$AUTH_INIT_RESPONSE" | grep -q '"authenticatedUser":"alice"'; then
        echo "✅ Initialize response includes authenticated user!"
    else
        echo "❌ Initialize response missing authenticated user"
        exit 1
    fi
else
    echo "❌ Authenticated initialize test failed!"
    exit 1
fi

# Test authenticated tools/list with Alice token
echo "🔍 Testing authenticated tools/list (Alice)..."
AUTH_TOOLS_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ALICE_TOKEN" \
  -d '{"jsonrpc": "2.0", "id": 2, "method": "tools/list"}')

if [ $? -eq 0 ]; then
    echo "✅ Authenticated tools/list test passed!"
    echo "📄 Response: $AUTH_TOOLS_RESPONSE"

    # Check if response contains tools
    if echo "$AUTH_TOOLS_RESPONSE" | grep -q '"name":"echo"'; then
        echo "✅ Echo tool is listed correctly for authenticated user!"
    else
        echo "❌ Echo tool not found in authenticated response!"
        exit 1
    fi
else
    echo "❌ Authenticated tools/list test failed!"
    exit 1
fi

# Test authenticated tools/call with Alice token
echo "🔍 Testing authenticated tools/call (Alice)..."
AUTH_CALL_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ALICE_TOKEN" \
  -d '{"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "echo", "arguments": {"message": "Hello Alice", "repeat_count": 2}}}')

if [ $? -eq 0 ]; then
    echo "✅ Authenticated tools/call test passed!"
    echo "📄 Response: $AUTH_CALL_RESPONSE"

    # Check if response contains the echoed message
    if echo "$AUTH_CALL_RESPONSE" | grep -q 'Hello AliceHello Alice'; then
        echo "✅ Echo tool works correctly for authenticated user!"
    else
        echo "❌ Echo tool response is incorrect for authenticated user!"
        exit 1
    fi
else
    echo "❌ Authenticated tools/call test failed!"
    exit 1
fi

# Test authenticated ping with Alice token
echo "🔍 Testing authenticated ping (Alice)..."
AUTH_PING_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ALICE_TOKEN" \
  -d '{"jsonrpc": "2.0", "id": 4, "method": "ping"}')

if [ $? -eq 0 ]; then
    echo "✅ Authenticated ping test passed!"
    echo "📄 Response: $AUTH_PING_RESPONSE"

    # Check if response contains user info
    if echo "$AUTH_PING_RESPONSE" | grep -q '"user":"alice"' && echo "$AUTH_PING_RESPONSE" | grep -q '"authenticated":true'; then
        echo "✅ Ping response includes authenticated user info!"
    else
        echo "❌ Ping response missing authenticated user info"
        exit 1
    fi
else
    echo "❌ Authenticated ping test failed!"
    exit 1
fi

# Test authenticated request with Admin token
echo "🔍 Testing authenticated request (Admin)..."
ADMIN_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"jsonrpc": "2.0", "id": 5, "method": "initialize"}')

if [ $? -eq 0 ]; then
    echo "✅ Admin authenticated request test passed!"
    echo "📄 Response: $ADMIN_RESPONSE"

    # Check if response contains admin user info
    if echo "$ADMIN_RESPONSE" | grep -q '"authenticatedUser":"admin"'; then
        echo "✅ Admin user is properly authenticated!"
    else
        echo "❌ Admin user not properly authenticated"
        exit 1
    fi
else
    echo "❌ Admin authenticated request test failed!"
    exit 1
fi

# Test invalid token (should fail)
echo "🔍 Testing invalid token..."
INVALID_RESPONSE=$(curl -s -X POST http://localhost:9000/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer invalid.token.here" \
  -d '{"jsonrpc": "2.0", "id": 6, "method": "initialize"}')

if [ $? -eq 0 ]; then
    echo "✅ Invalid token test passed!"
    echo "📄 Response: $INVALID_RESPONSE"

    # Check if response contains error
    if echo "$INVALID_RESPONSE" | grep -q '"detail":"Invalid token"'; then
        echo "✅ Properly rejects invalid tokens!"
    else
        echo "❌ Did not properly reject invalid token"
        exit 1
    fi
else
    echo "❌ Invalid token test failed!"
    exit 1
fi

echo ""
echo "🎉 Step 6 tests completed successfully!"
echo "✅ JWT token validation is working"
echo "✅ Authentication is enforced for MCP requests"
echo "✅ Authenticated users can access all MCP functionality"
echo "✅ User context is included in responses"
echo "✅ Invalid tokens are properly rejected"
echo "✅ WWW-Authenticate headers are set correctly"
echo "✅ Ready for next step: OAuth 2.0 metadata"