ExMCP.Authorization.Validator (ex_mcp v0.9.2)

Validation functions for OAuth 2.1 parameters and endpoints.

This module contains all validation logic extracted from the main Authorization module, focusing on security and compliance checks.

Summary

Functions

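validate_client_credentials(client_id, client_secret)
Validates that client credentials are properly formed.

validate_grant_params(grant_type, params)
Validates OAuth grant type parameters.

validate_https_endpoint(url)
Validates that an endpoint URL uses HTTPS (except localhost).

validate_redirect_uri(uri)
Validates that a redirect URI is properly formed and secure.

validate_resource_parameters(config)
Validates resource parameters according to RFC 8707.

validate_scopes(scopes)
Validates that scopes are properly formatted.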

Functions

validate_client_credentials(client_id, client_secret)

@spec validate_client_credentials(String.t(), String.t() | nil) ::
  :ok | {:error, term()}

Validates that client credentials are properly formed.

Ensures client IDs and secrets meet security requirements.

validate_grant_params(grant_type, params)

@spec validate_grant_params(String.t(), map()) :: :ok | {:error, term()}

Validates OAuth grant type parameters.

Ensures all required parameters are present for the specific grant type.

validate_https_endpoint(url)

@spec validate_https_endpoint(String.t()) :: :ok | {:error, term()}

Validates that an endpoint URL uses HTTPS (except localhost).

OAuth 2.1 requires HTTPS for all authorization endpoints except localhost for development purposes.

validate_redirect_uri(uri)

@spec validate_redirect_uri(String.t()) :: :ok | {:error, term()}

Validates that a redirect URI is properly formed and secure.

Prevents open redirect vulnerabilities by ensuring redirect URIs are properly validated.

validate_resource_parameters(config)

@spec validate_resource_parameters(map()) :: :ok | {:error, term()}

Validates resource parameters according to RFC 8707.

Resource parameters must be valid URIs without fragments.
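The two URL rules described for validate_https_endpoint/1 and validate_resource_parameters/1, written out as an added sketch; this is not ExMCP's implementation. The module name, function names, error atoms and the set of loopback hosts are assumptions made for the example, and the sample URLs are constructed.

```elixir
defmodule EndpointCheckSketch do
  # Hypothetical module: an independent sketch, not the library's code.
  # Assumption: these three hosts count as "localhost" for development.
  @loopback_hosts ["localhost", "127.0.0.1", "::1"]

  # HTTPS is required; plain HTTP is tolerated only for a loopback host.
  def check_https_endpoint(url) when is_binary(url) do
    case URI.parse(url) do
      %URI{scheme: "https", host: host} when is_binary(host) and host != "" ->
        :ok

      # Match the parsed host exactly and refuse userinfo. A prefix or
      # substring test on the raw string would also accept
      # "localhost.example.com" and "localhost@example.com".
      %URI{scheme: "http", host: host, userinfo: nil} when host in @loopback_hosts ->
        :ok

      %URI{scheme: "http"} ->
        {:error, :https_required}

      _ ->
        {:error, :invalid_url}
    end
  end

  # RFC 8707: a resource indicator is an absolute URI with no fragment.
  def check_resource(resource) when is_binary(resource) do
    case URI.parse(resource) do
      %URI{fragment: fragment} when is_binary(fragment) -> {:error, :fragment_not_allowed}
      %URI{scheme: nil} -> {:error, :not_absolute}
      %URI{} -> :ok
    end
  end
end

# Constructed inputs: one valid endpoint, one loopback endpoint, and two
# look-alikes whose real host is not loopback.
for url <- [
      "https://auth.example.com/token",
      "http://localhost:4000/token",
      "http://localhost.example.com/token",
      "http://localhost@example.com/token"
    ] do
  IO.inspect({url, EndpointCheckSketch.check_https_endpoint(url)})
end

# Constructed resource indicators: absolute, with fragment, and relative.
for res <- ["https://mcp.example.com/api", "https://mcp.example.com/api#v1", "/api"] do
  IO.inspect({res, EndpointCheckSketch.check_resource(res)})
end
```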

validate_scopes(scopes)

@spec validate_scopes([String.t()]) :: :ok | {:error, term()}

Validates that scopes are properly formatted.

Scopes must be space-separated strings according to OAuth 2.1.