Class: KairosMcp::Auth::Authenticator

Inherits:

Object

• Object
• KairosMcp::Auth::Authenticator

Defined in:

lib/kairos_mcp/auth/authenticator.rb

Overview

Authenticator: Verifies HTTP requests using Bearer tokens

Extracts the Bearer token from the Authorization header, verifies it against the TokenStore, and returns user context.

Usage:

auth = Authenticator.new(token_store)
user_context = auth.authenticate(env)
# => { user: "masa", role: "owner", ... } or nil

Instance Method Summary

• #authenticate(env) ⇒ Hash^?

  Authenticate a Rack request.

• #authenticate!(env) ⇒ AuthResult

  Authenticate and return a result object with error details.

• #initialize(token_store) ⇒ Authenticator constructor

  A new instance of Authenticator.

Constructor Details

#initialize(token_store) ⇒ Authenticator

Returns a new instance of Authenticator.

Parameters:

• token_store (TokenStore) —

  Token store instance

# File 'lib/kairos_mcp/auth/authenticator.rb', line 19

def initialize(token_store)
  @token_store = token_store
end

Instance Method Details

#authenticate(env) ⇒ Hash^?

Authenticate a Rack request

Parameters:

• env (Hash) —

  Rack environment hash

Returns:

• (Hash, nil) —

  User context if authenticated, nil otherwise

# File 'lib/kairos_mcp/auth/authenticator.rb', line 27

def authenticate(env)
  raw_token = extract_bearer_token(env)
  return nil unless raw_token

  @token_store.verify(raw_token)
end

#authenticate!(env) ⇒ AuthResult

Authenticate and return a result object with error details

Parameters:

• env (Hash) —

  Rack environment hash

Returns:

• (AuthResult) —

  Result with success/failure details

# File 'lib/kairos_mcp/auth/authenticator.rb', line 38

def authenticate!(env)
  # Local dev mode: when no tokens are configured, allow unauthenticated
  # access with a default owner context. This makes local testing seamless.
  if @token_store.empty?
    return AuthResult.new(
      success: true,
      user_context: { user: 'local', role: 'owner', local_dev: true }
    )
  end

  raw_token = extract_bearer_token(env)

  unless raw_token
    return AuthResult.new(
      success: false,
      error: 'missing_token',
      message: 'Authorization header with Bearer token is required'
    )
  end

  user_context = @token_store.verify(raw_token)

  if user_context
    AuthResult.new(success: true, user_context: user_context)
  else
    AuthResult.new(
      success: false,
      error: 'invalid_token',
      message: 'Invalid, expired, or revoked token'
    )
  end
end