Class: McpToolkit::Auth::Introspection::Result

Inherits:
Struct
  • Object
show all
Defined in:
lib/mcp_toolkit/auth/introspection.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#account_idObject

Returns the value of attribute account_id

Returns:

  • (Object)

    the current value of account_id



29
30
31
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29

def 
  @account_id
end

#account_idsObject

Returns the value of attribute account_ids

Returns:

  • (Object)

    the current value of account_ids



29
30
31
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29

def 
  @account_ids
end

#expires_atObject

Returns the value of attribute expires_at

Returns:

  • (Object)

    the current value of expires_at



29
30
31
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29

def expires_at
  @expires_at
end

#kindObject

Returns the value of attribute kind

Returns:

  • (Object)

    the current value of kind



29
30
31
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29

def kind
  @kind
end

#scopesObject

Returns the value of attribute scopes

Returns:

  • (Object)

    the current value of scopes



29
30
31
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29

def scopes
  @scopes
end

#validObject

Returns the value of attribute valid

Returns:

  • (Object)

    the current value of valid



29
30
31
# File 'lib/mcp_toolkit/auth/introspection.rb', line 29

def valid
  @valid
end

Instance Method Details

#accounts_user?Boolean

Returns:

  • (Boolean)


71
72
73
# File 'lib/mcp_toolkit/auth/introspection.rb', line 71

def accounts_user?
  kind.to_s == McpToolkit::TokenKinds::ACCOUNTS_USER
end

#authorized_account_idsObject

Account ids are STRING-normalized for comparison: the contract allows integer OR string/UUID ids, so coercing to_i would collapse every non-numeric id to 0 and let unrelated accounts match. Strings compare safely and the resolver's find_by(synced_id:) coerces back per-column.



95
96
97
# File 'lib/mcp_toolkit/auth/introspection.rb', line 95

def 
  Array().map(&:to_s)
end

#authorized_for_scope?(required_scope) ⇒ Boolean

True when the token carries the EXACT required_scope (e.g. notifications__read). An empty required scope passes (a tool that requires no scope is reachable by any valid token). A non-empty required scope must be present in the token's scopes; empty token scopes are therefore unrestricted ONLY for tools that require no scope.

Returns:

  • (Boolean)


84
85
86
87
88
89
# File 'lib/mcp_toolkit/auth/introspection.rb', line 84

def authorized_for_scope?(required_scope)
  return true if required_scope.to_s.empty?

  scope_list = Array(scopes).map(&:to_s)
  scope_list.include?(required_scope.to_s)
end

#expired?Boolean

True when expires_at is present and now is at/after it. Blank/nil means the token has no expiry (=> not expired). An UNPARSEABLE expires_at is treated as expired (fail-closed) rather than silently accepted. Kept public for clarity/testability.

Returns:

  • (Boolean)


45
46
47
48
49
50
51
52
53
# File 'lib/mcp_toolkit/auth/introspection.rb', line 45

def expired?
  raw = expires_at
  return false if raw.nil? || raw.to_s.strip.empty?

  expiry = parse_expiry(raw)
  return true if expiry.nil? # unparseable => fail closed

  expiry <= Time.now
end

#superuser?Boolean

Returns:

  • (Boolean)


75
76
77
# File 'lib/mcp_toolkit/auth/introspection.rb', line 75

def superuser?
  kind.to_s == McpToolkit::TokenKinds::USER
end

#valid?Boolean

Locally enforce the authority's expires_at (defense-in-depth): a token is only valid when the authority said so AND it has not lapsed. Without this, validity would rest solely on the authority's valid: true boolean, so a stale valid: true (e.g. a clock-skewed or buggy authority, or a cached Result) with a past expires_at would be accepted indefinitely.

Returns:

  • (Boolean)


37
38
39
# File 'lib/mcp_toolkit/auth/introspection.rb', line 37

def valid?
  valid == true && !expired?
end