cxxmcp/api/server_2include_2cxxmcp_2server_2auth_8hpp_source.html

// Copyright (c) 2025 [caomengxuan666]


#pragma once


#include <cctype>

#include <optional>

#include <string>

#include <string_view>

#include <unordered_map>

#include <utility>

#include <vector>


#include "cxxmcp/core/result.hpp"

#include "cxxmcp/protocol/types.hpp"


namespace mcp::server {


namespace detail {


inline bool ascii_iequals(std::string_view lhs, std::string_view rhs) {

  if (lhs.size() != rhs.size()) {

    return false;

  }

  for (std::size_t index = 0; index < lhs.size(); ++index) {

    const auto left = static_cast<unsigned char>(lhs[index]);

    const auto right = static_cast<unsigned char>(rhs[index]);

    if (std::tolower(left) != std::tolower(right)) {

      return false;

    }

  }

  return true;

}


inline bool constant_time_string_equal(std::string_view lhs,

                                       std::string_view rhs) {

  const auto max_size = lhs.size() > rhs.size() ? lhs.size() : rhs.size();

  unsigned char diff = static_cast<unsigned char>(lhs.size() ^ rhs.size());

  for (std::size_t index = 0; index < max_size; ++index) {

    const auto left =

        index < lhs.size() ? static_cast<unsigned char>(lhs[index]) : 0;

    const auto right =

        index < rhs.size() ? static_cast<unsigned char>(rhs[index]) : 0;

    diff = static_cast<unsigned char>(diff | (left ^ right));

  }

  return diff == 0;

}


inline std::string_view trim_ascii(std::string_view value) {

  while (!value.empty() &&

         std::isspace(static_cast<unsigned char>(value.front())) != 0) {

    value.remove_prefix(1);

  }

  while (!value.empty() &&

         std::isspace(static_cast<unsigned char>(value.back())) != 0) {

    value.remove_suffix(1);

  }

  return value;

}


inline std::string_view bearer_token_from_authorization(

    std::string_view authorization) {

  authorization = trim_ascii(authorization);

  constexpr std::string_view kBearer = "Bearer";

  if (authorization.size() <= kBearer.size() ||

      !ascii_iequals(authorization.substr(0, kBearer.size()), kBearer) ||

      std::isspace(static_cast<unsigned char>(authorization[kBearer.size()])) ==

          0) {

    return {};

  }

  authorization.remove_prefix(kBearer.size());

  authorization = trim_ascii(authorization);

  return authorization;

}


}  // namespace detail


inline constexpr std::string_view AuthErrorCategory = "auth";


inline constexpr std::string_view DefaultAuthChallenge = "Bearer";


struct AuthRequest {

  std::unordered_map<std::string, std::string> headers;

  std::string remote_address;

  std::optional<std::string> http_method;

  std::optional<std::string> http_url;

};


struct AuthIdentity {

  std::string subject;

  std::unordered_map<std::string, std::string> claims;

};


class AuthProvider {

 public:

  virtual ~AuthProvider() = default;


  virtual core::Result<AuthIdentity> authenticate(

      const AuthRequest& request) = 0;

};


inline core::Error make_auth_error(std::string message,

                                   std::string detail = {}) {

  return core::Error{

      static_cast<int>(protocol::ErrorCode::PermissionDenied),

      std::move(message),

      std::move(detail),

      std::string(AuthErrorCategory),

  };

}


class StaticBearerAuthProvider final : public AuthProvider {

 public:


  struct Entry {

    std::string token;

    AuthIdentity identity;

  };


  StaticBearerAuthProvider() = default;

  explicit StaticBearerAuthProvider(std::vector<Entry> entries)

      : entries_(std::move(entries)) {}


  void add_token(std::string token, AuthIdentity identity) {

    entries_.push_back(Entry{std::move(token), std::move(identity)});

  }


  core::Result<AuthIdentity> authenticate(const AuthRequest& request) override {

    const auto token = bearer_token(request);

    if (token.empty()) {

      return mcp::core::unexpected(

          make_auth_error("missing or invalid bearer token"));

    }


    for (const auto& entry : entries_) {

      if (detail::constant_time_string_equal(token, entry.token)) {

        return entry.identity;

      }

    }

    return mcp::core::unexpected(

        make_auth_error("missing or invalid bearer token"));

  }


 private:

  static std::string_view bearer_token(const AuthRequest& request) {

    for (const auto& header : request.headers) {

      if (detail::ascii_iequals(header.first, "Authorization")) {

        return detail::bearer_token_from_authorization(header.second);

      }

    }

    return {};

  }


  std::vector<Entry> entries_;

};


}  // namespace mcp::server

mcp::server::AuthProvider
Abstract authentication provider used by server integrations.
Definition auth.hpp:117

mcp::server::AuthProvider::authenticate
virtual core::Result< AuthIdentity > authenticate(const AuthRequest &request)=0
Authenticate a transport request.

mcp::server::StaticBearerAuthProvider
Static bearer-token AuthProvider for small embedded deployments and tests.
Definition auth.hpp:149

mcp::server::StaticBearerAuthProvider::authenticate
core::Result< AuthIdentity > authenticate(const AuthRequest &request) override
Authenticate a transport request.
Definition auth.hpp:164

mcp::auth::constant_time_string_equal
bool constant_time_string_equal(std::string_view lhs, std::string_view rhs) noexcept
Compare two strings without data-dependent early exit.
Definition constant_time.hpp:17

types.hpp
Shared JSON, JSON-RPC, error, cancellation, and progress model types.

result.hpp
Shared result and error primitives used by the public cxxmcp SDK.

mcp::core::Result
tl::expected< T, Error > Result
Alias for the SDK result type.
Definition result.hpp:64

mcp::server::DefaultAuthChallenge
constexpr std::string_view DefaultAuthChallenge
Default HTTP challenge used when a transport has no custom policy.
Definition auth.hpp:84

mcp::server::make_auth_error
core::Error make_auth_error(std::string message, std::string detail={})
Build a structured authentication failure for transports.
Definition auth.hpp:132

mcp::core::Error
Structured error returned by fallible SDK operations.
Definition result.hpp:35

mcp::server::AuthIdentity
Authenticated principal and associated claims.
Definition auth.hpp:103

mcp::server::AuthIdentity::subject
std::string subject
Stable principal identifier, such as a user id, service account, or token subject.
Definition auth.hpp:106

mcp::server::AuthIdentity::claims
std::unordered_map< std::string, std::string > claims
Provider-specific claims copied by value into the identity.
Definition auth.hpp:108

mcp::server::AuthRequest
Transport-neutral authentication input.
Definition auth.hpp:91

mcp::server::AuthRequest::remote_address
std::string remote_address
Best-effort remote address for audit and policy decisions.
Definition auth.hpp:95

mcp::server::AuthRequest::headers
std::unordered_map< std::string, std::string > headers
Request headers or metadata supplied by the transport.
Definition auth.hpp:93

mcp::server::AuthRequest::http_url
std::optional< std::string > http_url
Absolute HTTP request URL when supplied by an HTTP-based transport.
Definition auth.hpp:99

mcp::server::AuthRequest::http_method
std::optional< std::string > http_method
HTTP request method when supplied by an HTTP-based transport.
Definition auth.hpp:97

mcp::server::StaticBearerAuthProvider::Entry
Definition auth.hpp:151