Class: RailsAiBridge::Mcp::Auth::Strategies::Jwt

Inherits:
BaseStrategy
  • Object
Defined in:
lib/rails_ai_bridge/mcp/auth/strategies/jwt.rb

Overview

Authenticates HTTP MCP requests by decoding a Bearer JWT via a host-provided lambda. No JWT gem is required by this gem — the host application supplies its own decoding logic.

Examples:

Using the +jwt+ gem

config.mcp_jwt_decoder = ->(token) do
  JWT.decode(token, Rails.application.credentials.jwt_secret, true, algorithm: "HS256").first
rescue JWT::DecodeError
  nil
end
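Using only the standard library (an added example, not code from rails_ai_bridge or its documentation)

Because the decoder contract is only "callable in, payload or +nil+ out", the host can verify HS256 tokens without the jwt gem. The module name `StdlibJwtDecoder`, its methods, the `DECODER` constant, the sample secret and the mandatory-`exp` policy are assumptions of this sketch; a +nil+ return takes the +:unauthorized+ path in `#authenticate`.

```ruby
require "json"
require "openssl"

# Hypothetical helper (not rails_ai_bridge API): HS256 verification, stdlib only.
module StdlibJwtDecoder
  module_function

  def b64url_decode(segment)
    padded = segment.tr("-_", "+/") + "=" * ((4 - segment.length % 4) % 4)
    padded.unpack1("m0") # strict Base64: raises ArgumentError on bad input
  end

  def b64url_encode(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def sign(signing_input, secret)
    OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  end

  # Returns the claims Hash, or nil when the token must be rejected.
  def decode(token, secret, now: Time.now.to_i)
    parts = token.to_s.split(".", -1)
    return nil unless parts.length == 3
    head, body, sig = parts
    # Pin the algorithm; the token's own header never selects it.
    header = JSON.parse(b64url_decode(head))
    return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
    # Constant-time comparison of the recomputed and presented signatures.
    return nil unless OpenSSL.secure_compare(sign("#{head}.#{body}", secret), b64url_decode(sig))

    claims = JSON.parse(b64url_decode(body))
    # Policy chosen for this example: a numeric, unexpired "exp" is mandatory.
    return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Numeric) && claims["exp"] > now
    claims
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Mints a constructed sample token so the decoder can be exercised offline.
  def issue(claims, secret, alg: "HS256")
    head = b64url_encode(JSON.generate({ "alg" => alg, "typ" => "JWT" }))
    body = b64url_encode(JSON.generate(claims))
    "#{head}.#{body}.#{b64url_encode(sign("#{head}.#{body}", secret))}"
  end
end

# Callable in the shape config.mcp_jwt_decoder expects; the secret is a constructed sample.
DECODER = ->(token) { StdlibJwtDecoder.decode(token, "sample-secret-not-for-production") }
```

In an initializer the lambda would be assigned to `config.mcp_jwt_decoder`, with the secret read from credentials rather than written inline.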

Instance Method Summary

Methods inherited from BaseStrategy

#extract_bearer

Constructor Details

#initialize(decoder:) ⇒ Jwt

Returns a new instance of Jwt.

Parameters:

  • decoder (#call, nil)

    callable receiving the raw Bearer string and returning a truthy payload (Hash recommended), +nil+ (token rejected), or +false+ (explicitly denied). Passing +nil+ is allowed (produces +:misconfigured+ at authenticate-time). Passing a non-callable value raises immediately.

Raises:

  • (ArgumentError)

    when +decoder+ is not +nil+ and does not respond to +#call+



# File 'lib/rails_ai_bridge/mcp/auth/strategies/jwt.rb', line 23

def initialize(decoder:)
  super()
  raise ArgumentError, "decoder must respond to #call (got #{decoder.class})" if !decoder.nil? && !decoder.respond_to?(:call)

  @decoder = decoder
end

Instance Method Details

#authenticate(request) ⇒ AuthResult

Authenticates the incoming request.

Parameters:

  • request (Rack::Request)

Returns:



# File 'lib/rails_ai_bridge/mcp/auth/strategies/jwt.rb', line 34

def authenticate(request)
  token = extract_bearer(request)
  return AuthResult.fail(:missing_token) if token.blank?
  return AuthResult.fail(:misconfigured) if @decoder.nil?

  payload, err = decode_token(token)
  return AuthResult.fail(err) if err
  return AuthResult.fail(:unauthorized) if payload.nil? || payload == false

  AuthResult.ok(payload)
end