Class: McpToolkit::Auth::Introspection::Result
- Inherits:
-
Struct
- Object
- Struct
- McpToolkit::Auth::Introspection::Result
- Defined in:
- lib/mcp_toolkit/auth/introspection.rb
Instance Attribute Summary collapse
-
#account_id ⇒ Object
Returns the value of attribute account_id.
-
#account_ids ⇒ Object
Returns the value of attribute account_ids.
-
#expires_at ⇒ Object
Returns the value of attribute expires_at.
-
#kind ⇒ Object
Returns the value of attribute kind.
-
#scopes ⇒ Object
Returns the value of attribute scopes.
-
#valid ⇒ Object
Returns the value of attribute valid.
Instance Method Summary collapse
- #accounts_user? ⇒ Boolean
-
#authorized_account_ids ⇒ Object
Account ids are STRING-normalized for comparison: the contract allows integer OR string/UUID ids, so coercing to_i would collapse every non-numeric id to 0 and let unrelated accounts match.
-
#authorized_for_scope?(required_scope) ⇒ Boolean
True when the token carries the EXACT
required_scope(e.g.notifications__read). -
#expired? ⇒ Boolean
True when
expires_atis present and now is at/after it. - #superuser? ⇒ Boolean
-
#valid? ⇒ Boolean
Locally enforce the authority's
expires_at(defense-in-depth): a token is only valid when the authority said so AND it has not lapsed.
Instance Attribute Details
#account_id ⇒ Object
Returns the value of attribute account_id
29 30 31 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29 def account_id @account_id end |
#account_ids ⇒ Object
Returns the value of attribute account_ids
29 30 31 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29 def account_ids @account_ids end |
#expires_at ⇒ Object
Returns the value of attribute expires_at
29 30 31 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29 def expires_at @expires_at end |
#kind ⇒ Object
Returns the value of attribute kind
29 30 31 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29 def kind @kind end |
#scopes ⇒ Object
Returns the value of attribute scopes
29 30 31 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29 def scopes @scopes end |
#valid ⇒ Object
Returns the value of attribute valid
29 30 31 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29 def valid @valid end |
Instance Method Details
#accounts_user? ⇒ Boolean
71 72 73 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 71 def accounts_user? kind.to_s == McpToolkit::TokenKinds::ACCOUNTS_USER end |
#authorized_account_ids ⇒ Object
Account ids are STRING-normalized for comparison: the contract allows
integer OR string/UUID ids, so coercing to_i would collapse every
non-numeric id to 0 and let unrelated accounts match. Strings compare
safely and the resolver's find_by(synced_id:) coerces back per-column.
95 96 97 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 95 def Array(account_ids).map(&:to_s) end |
#authorized_for_scope?(required_scope) ⇒ Boolean
True when the token carries the EXACT required_scope (e.g.
notifications__read). An empty required scope passes (a tool that
requires no scope is reachable by any valid token). A non-empty required
scope must be present in the token's scopes; empty token scopes are
therefore unrestricted ONLY for tools that require no scope.
84 85 86 87 88 89 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 84 def (required_scope) return true if required_scope.to_s.empty? scope_list = Array(scopes).map(&:to_s) scope_list.include?(required_scope.to_s) end |
#expired? ⇒ Boolean
True when expires_at is present and now is at/after it. Blank/nil means
the token has no expiry (=> not expired). An UNPARSEABLE expires_at is
treated as expired (fail-closed) rather than silently accepted. Kept public
for clarity/testability.
45 46 47 48 49 50 51 52 53 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 45 def expired? raw = expires_at return false if raw.nil? || raw.to_s.strip.empty? expiry = parse_expiry(raw) return true if expiry.nil? # unparseable => fail closed expiry <= Time.now end |
#superuser? ⇒ Boolean
75 76 77 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 75 def superuser? kind.to_s == McpToolkit::TokenKinds::USER end |
#valid? ⇒ Boolean
Locally enforce the authority's expires_at (defense-in-depth): a token is
only valid when the authority said so AND it has not lapsed. Without this,
validity would rest solely on the authority's valid: true boolean, so a
stale valid: true (e.g. a clock-skewed or buggy authority, or a cached
Result) with a past expires_at would be accepted indefinitely.
37 38 39 |
# File 'lib/mcp_toolkit/auth/introspection.rb', line 37 def valid? valid == true && !expired? end |