@@ -11,6 +11,7 @@ import {
11
11
} from "./utils" ;
12
12
import type { OAuthHelpers } from "@cloudflare/workers-oauth-provider" ;
13
13
import { handleValidateUserRequest } from "../../src/tools/validateUser" ;
14
+ import { decodeJWT } from "../../src/utils/util" ;
14
15
15
16
export type Bindings = Env & {
16
17
OAUTH_PROVIDER : OAuthHelpers ;
@@ -100,65 +101,78 @@ async function handleApprove(c: any) {
100
101
) ;
101
102
}
102
103
104
+ // Helper function to render authorization rejection response
105
+ async function renderAuthorizationRejection ( c : any , redirectUri : string ) {
106
+ return c . html (
107
+ layout (
108
+ await renderAuthorizationRejectedContent ( redirectUri ) ,
109
+ "DoiT MCP Remote - Authorization Status"
110
+ )
111
+ ) ;
112
+ }
113
+
103
114
app . post ( "/customer-context" , async ( c ) => {
104
115
const { action, oauthReqInfo, apiKey } = await parseApproveFormBody (
105
116
await c . req . parseBody ( )
106
117
) ;
107
118
108
- let isDoitUser = false ;
109
- const validatePromises = [
110
- handleValidateUserRequest ( { } , apiKey ) ,
111
- handleValidateUserRequest (
112
- { customerContext : "EE8CtpzYiKp0dVAESVrB" } , // Validate doers
113
- apiKey
114
- ) ,
115
- ] ;
119
+ try {
120
+ const jwtInfo = decodeJWT ( apiKey ) ;
121
+ const payload = jwtInfo ?. payload ;
116
122
117
- return Promise . allSettled ( validatePromises )
118
- . then ( async ( results ) => {
119
- let allFailed = true ;
120
- for ( const res of results ) {
121
- if ( res . status === "fulfilled" ) {
122
- const result = res . value ;
123
- if ( result . content [ 0 ] . text . includes ( "Domain: doit.com" ) ) {
124
- isDoitUser = true ;
125
- }
126
- if ( ! result . content [ 0 ] . text . includes ( "Failed" ) ) {
127
- allFailed = false ;
128
- }
129
- }
130
- }
131
- if ( allFailed ) {
132
- return c . html (
133
- layout (
134
- await renderAuthorizationRejectedContent (
135
- oauthReqInfo ?. redirectUri || "/"
136
- ) ,
137
- "MCP Remote Auth Demo - Authorization Status"
138
- )
123
+ if ( ! jwtInfo || ! payload ) {
124
+ // If the JWT is invalid, reject the authorization request
125
+ return await renderAuthorizationRejection (
126
+ c ,
127
+ oauthReqInfo ?. redirectUri || "/"
128
+ ) ;
129
+ }
130
+
131
+ if ( ! payload . DoitEmployee ) {
132
+ // request validation for non-doit employees
133
+ const validatePromise = await handleValidateUserRequest ( { } , apiKey ) ;
134
+ const result = validatePromise . content [ 0 ] . text ;
135
+
136
+ if ( ! result . toLowerCase ( ) . includes ( payload . sub ) ) {
137
+ return await renderAuthorizationRejection (
138
+ c ,
139
+ oauthReqInfo ?. redirectUri || "/"
139
140
) ;
140
141
}
141
- if ( ! isDoitUser ) {
142
- // Forward to approve logic
143
- return await handleApprove ( c ) ;
144
- }
145
- const content = await renderCustomerContextScreen (
146
- action ,
147
- oauthReqInfo ,
148
- apiKey
149
- ) ;
150
- return c . html ( layout ( content , "DoiT MCP Remote - Customer Context" ) ) ;
151
- } )
152
- . catch ( async ( error ) => {
153
- return c . html (
154
- layout (
155
- await renderAuthorizationRejectedContent (
156
- oauthReqInfo ?. redirectUri || "/"
157
- ) ,
158
- "MCP Remote Auth Demo - Authorization Status"
159
- )
142
+
143
+ return await handleApprove ( c ) ;
144
+ }
145
+
146
+ // request validation for doit employees
147
+ const validatePromise = await handleValidateUserRequest (
148
+ {
149
+ customerContext : "EE8CtpzYiKp0dVAESVrB" ,
150
+ } ,
151
+ apiKey
152
+ ) ;
153
+
154
+ const result = validatePromise . content [ 0 ] . text ;
155
+
156
+ if ( ! result . toLowerCase ( ) . includes ( payload . sub ) ) {
157
+ return await renderAuthorizationRejection (
158
+ c ,
159
+ oauthReqInfo ?. redirectUri || "/"
160
160
) ;
161
- } ) ;
161
+ }
162
+
163
+ const content = await renderCustomerContextScreen (
164
+ action ,
165
+ oauthReqInfo ,
166
+ apiKey
167
+ ) ;
168
+ return c . html ( layout ( content , "DoiT MCP Remote - Customer Context" ) ) ;
169
+ } catch ( error ) {
170
+ console . error ( "Error decoding JWT:" , error ) ;
171
+ return await renderAuthorizationRejection (
172
+ c ,
173
+ oauthReqInfo ?. redirectUri || "/"
174
+ ) ;
175
+ }
162
176
} ) ;
163
177
164
178
// The /authorize page has a form that will POST to /approve
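Review bot: The subject check `if (!result.toLowerCase().includes(payload.sub))` (new lines 136 and 156) lowercases the validation text but not `payload.sub`, so a subject containing any uppercase letter is rejected, while an empty `sub` passes because `"x".includes("")` is always true and a missing `sub` searches for the literal string `"undefined"`. `sub` and `DoitEmployee` are read from `decodeJWT(apiKey)`; if that helper only decodes and does not verify a signature (not visible in this hunk), both claims are caller-supplied, so the `handleValidateUserRequest` response must remain the authority and the comparison needs a normalised, non-empty subject. One helper used by both branches keeps the two copies of this check in sync. The `catch` message `"Error decoding JWT:"` also covers failures of the two validation calls inside the `try`, so `"Error during customer-context validation:"` would describe what is logged more accurately.
```typescript
// Both branches of the /customer-context handler compare the validation text
// against the token subject; normalise case and refuse an empty subject,
// because "".includes("") is true for any text.
function validationMentionsSubject(validationText: string, sub: unknown): boolean {
  const subject = typeof sub === "string" ? sub.trim().toLowerCase() : "";
  return subject.length > 0 && validationText.toLowerCase().includes(subject);
}

// … unchanged: renderAuthorizationRejection, form parsing, decodeJWT guard …
      if (!validationMentionsSubject(result, payload.sub)) {
        return await renderAuthorizationRejection(c, oauthReqInfo?.redirectUri || "/");
      }
// … unchanged: handleApprove call, employee validation request, customer-context screen, catch …
```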