🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)

* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json

- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.

* feat: @librechat/auth

* feat: Add crypto module exports to auth package

- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.

* feat: Update package dependencies and build scripts for auth package

- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.

* refactor: Migrate crypto utility functions to @librechat/auth

- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.

* feat: Enhance OAuth token handling and update dependencies in auth package

* chore: Remove Token model and TokenService due to restructuring of OAuth handling

- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.

* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality

* refactor: Simplify logger usage in MCP and FlowStateManager classes

* chore: fix imports

* feat: Add OAuth configuration schema to MCP with token exchange method support

* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling

- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.

* refactor: Update MCPConnection and MCPManager to utilize new URL handling

- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.

* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection

- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.

* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs

* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management

- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.

* refactor: Update MCP OAuth handling to use static methods and improve flow management

- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.

* refactor: Integrate token methods into createMCPTool for enhanced token management

* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management

* chore: clean up logging

* feat: first pass, auth URL from MCP OAuth flow

* chore: Improve logging format for OAuth authentication URL display

* chore: cleanup mcp manager comments

* feat: add connection reconnection logic in MCPManager

* refactor: reorganize token storage handling in MCP

- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.

* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity

* feat: implement refresh token functionality in MCP

- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.

* chore: cleanup @librechat/auth

* feat: implement MCP server initialization in a separate service

- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.

* fix: don't log auth url for user connections

* feat: enhance OAuth flow with success and error handling components

- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.

* fix: refresh token handling for user connections, add missing URL and methods

- add standard enum for system user id and helper for determining app-lvel vs. user-level connections

* refactor: update token handling in MCPManager and MCPTokenStorage

* fix: improve error logging in OAuth authentication handler

* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)

* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens

* chore: remove unused auth package directory from update configuration

* ci: fix mocks in samlStrategy tests

* ci: add mcpConfig to AppService test setup

* chore: remove obsolete MCP OAuth implementation documentation

* fix: update build script for API to use correct command

* chore: bump version of @librechat/api to 1.2.4

* fix: update abort signal handling in createMCPTool function

* fix: add optional clientInfo parameter to refreshTokensFunction metadata

* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management

* fix: concurrent refresh token handling issue

* refactor: add signal parameter to getUserConnection method for improved abort handling

* chore: JSDoc typing for `loadEphemeralAgent`

* refactor: update isConnectionActive method to use destructured parameters for improved readability

* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools

* ci: fix agent test

api/server/services/MCP.js

@@ -1,27 +1,111 @@
 const { z } = require('zod');
 const { tool } = require('@langchain/core/tools');
-const { normalizeServerName } = require('@librechat/api');
-const { Constants: AgentConstants, Providers } = require('@librechat/agents');
+const { logger } = require('@librechat/data-schemas');
+const { Time, CacheKeys, StepTypes } = require('librechat-data-provider');
+const { sendEvent, normalizeServerName, MCPOAuthHandler } = require('@librechat/api');
+const { Constants: AgentConstants, Providers, GraphEvents } = require('@librechat/agents');
 const {
   Constants,
   ContentTypes,
   isAssistantsEndpoint,
   convertJsonSchemaToZod,
 } = require('librechat-data-provider');
-const { logger, getMCPManager } = require('~/config');
+const { getMCPManager, getFlowStateManager } = require('~/config');
+const { findToken, createToken, updateToken } = require('~/models');
+const { getCachedTools } = require('./Config');
+const { getLogStores } = require('~/cache');
+
+/**
+ * @param {object} params
+ * @param {ServerResponse} params.res - The Express response object for sending events.
+ * @param {string} params.stepId - The ID of the step in the flow.
+ * @param {ToolCallChunk} params.toolCall - The tool call object containing tool information.
+ * @param {string} params.loginFlowId - The ID of the login flow.
+ * @param {FlowStateManager<any>} params.flowManager - The flow manager instance.
+ */
+function createOAuthStart({ res, stepId, toolCall, loginFlowId, flowManager, signal }) {
+  /**
+   * Creates a function to handle OAuth login requests.
+   * @param {string} authURL - The URL to redirect the user for OAuth authentication.
+   * @returns {Promise<boolean>} Returns true to indicate the event was sent successfully.
+   */
+  return async function (authURL) {
+    /** @type {{ id: string; delta: AgentToolCallDelta }} */
+    const data = {
+      id: stepId,
+      delta: {
+        type: StepTypes.TOOL_CALLS,
+        tool_calls: [{ ...toolCall, args: '' }],
+        auth: authURL,
+        expires_at: Date.now() + Time.TWO_MINUTES,
+      },
+    };
+    /** Used to ensure the handler (use of `sendEvent`) is only invoked once */
+    await flowManager.createFlowWithHandler(
+      loginFlowId,
+      'oauth_login',
+      async () => {
+        sendEvent(res, { event: GraphEvents.ON_RUN_STEP_DELTA, data });
+        logger.debug('Sent OAuth login request to client');
+        return true;
+      },
+      signal,
+    );
+  };
+}
+
+/**
+ * @param {object} params
+ * @param {ServerResponse} params.res - The Express response object for sending events.
+ * @param {string} params.stepId - The ID of the step in the flow.
+ * @param {ToolCallChunk} params.toolCall - The tool call object containing tool information.
+ * @param {string} params.loginFlowId - The ID of the login flow.
+ * @param {FlowStateManager<any>} params.flowManager - The flow manager instance.
+ */
+function createOAuthEnd({ res, stepId, toolCall }) {
+  return async function () {
+    /** @type {{ id: string; delta: AgentToolCallDelta }} */
+    const data = {
+      id: stepId,
+      delta: {
+        type: StepTypes.TOOL_CALLS,
+        tool_calls: [{ ...toolCall }],
+      },
+    };
+    sendEvent(res, { event: GraphEvents.ON_RUN_STEP_DELTA, data });
+    logger.debug('Sent OAuth login success to client');
+  };
+}
+
+/**
+ * @param {object} params
+ * @param {string} params.userId - The ID of the user.
+ * @param {string} params.serverName - The name of the server.
+ * @param {string} params.toolName - The name of the tool.
+ * @param {FlowStateManager<any>} params.flowManager - The flow manager instance.
+ */
+function createAbortHandler({ userId, serverName, toolName, flowManager }) {
+  return function () {
+    logger.info(`[MCP][User: ${userId}][${serverName}][${toolName}] Tool call aborted`);
+    const flowId = MCPOAuthHandler.generateFlowId(userId, serverName);
+    flowManager.failFlow(flowId, 'mcp_oauth', new Error('Tool call aborted'));
+  };
+}
 
 /**
  * Creates a general tool for an entire action set.
  *
  * @param {Object} params - The parameters for loading action sets.
  * @param {ServerRequest} params.req - The Express request object, containing user/request info.
+ * @param {ServerResponse} params.res - The Express response object for sending events.
  * @param {string} params.toolKey - The toolKey for the tool.
  * @param {import('@librechat/agents').Providers | EModelEndpoint} params.provider - The provider for the tool.
  * @param {string} params.model - The model for the tool.
  * @returns { Promise<typeof tool | { _call: (toolInput: Object | string) => unknown}> } An object with `_call` method to execute the tool input.
  */
-async function createMCPTool({ req, toolKey, provider: _provider }) {
-  const toolDefinition = req.app.locals.availableTools[toolKey]?.function;
+async function createMCPTool({ req, res, toolKey, provider: _provider }) {
+  const availableTools = await getCachedTools({ includeGlobal: true });
+  const toolDefinition = availableTools?.[toolKey]?.function;
   if (!toolDefinition) {
     logger.error(`Tool ${toolKey} not found in available tools`);
     return null;
@@ -51,10 +135,39 @@ async function createMCPTool({ req, toolKey, provider: _provider }) {
   /** @type {(toolArguments: Object | string, config?: GraphRunnableConfig) => Promise<unknown>} */
   const _call = async (toolArguments, config) => {
     const userId = config?.configurable?.user?.id || config?.configurable?.user_id;
+    /** @type {ReturnType<typeof createAbortHandler>} */
+    let abortHandler = null;
+    /** @type {AbortSignal} */
+    let derivedSignal = null;
+
     try {
-      const derivedSignal = config?.signal ? AbortSignal.any([config.signal]) : undefined;
+      const flowsCache = getLogStores(CacheKeys.FLOWS);
+      const flowManager = getFlowStateManager(flowsCache);
+      derivedSignal = config?.signal ? AbortSignal.any([config.signal]) : undefined;
       const mcpManager = getMCPManager(userId);
       const provider = (config?.metadata?.provider || _provider)?.toLowerCase();
+
+      const { args: _args, stepId, ...toolCall } = config.toolCall ?? {};
+      const loginFlowId = `${serverName}:oauth_login:${config.metadata.thread_id}:${config.metadata.run_id}`;
+      const oauthStart = createOAuthStart({
+        res,
+        stepId,
+        toolCall,
+        loginFlowId,
+        flowManager,
+        signal: derivedSignal,
+      });
+      const oauthEnd = createOAuthEnd({
+        res,
+        stepId,
+        toolCall,
+      });
+
+      if (derivedSignal) {
+        abortHandler = createAbortHandler({ userId, serverName, toolName, flowManager });
+        derivedSignal.addEventListener('abort', abortHandler, { once: true });
+      }
+
       const result = await mcpManager.callTool({
         serverName,
         toolName,
@@ -64,6 +177,14 @@ async function createMCPTool({ req, toolKey, provider: _provider }) {
           signal: derivedSignal,
           user: config?.configurable?.user,
         },
+        flowManager,
+        tokenMethods: {
+          findToken,
+          createToken,
+          updateToken,
+        },
+        oauthStart,
+        oauthEnd,
       });
 
       if (isAssistantsEndpoint(provider) && Array.isArray(result)) {
@@ -78,9 +199,28 @@ async function createMCPTool({ req, toolKey, provider: _provider }) {
         `[MCP][User: ${userId}][${serverName}] Error calling "${toolName}" MCP tool:`,
         error,
       );
+
+      /** OAuth error, provide a helpful message */
+      const isOAuthError =
+        error.message?.includes('401') ||
+        error.message?.includes('OAuth') ||
+        error.message?.includes('authentication') ||
+        error.message?.includes('Non-200 status code (401)');
+
+      if (isOAuthError) {
+        throw new Error(
+          `OAuth authentication required for ${serverName}. Please check the server logs for the authentication URL.`,
+        );
+      }
+
       throw new Error(
         `"${toolKey}" tool call failed${error?.message ? `: ${error?.message}` : '.'}`,
       );
+    } finally {
+      // Clean up abort handler to prevent memory leaks
+      if (abortHandler && derivedSignal) {
+        derivedSignal.removeEventListener('abort', abortHandler);
+      }
     }
   };