[wip] better-auth OAuth

app/.well-known/oauth-authorization-server/route.ts

@@ -0,0 +1,9 @@
+import { auth } from "../../../lib/auth";
+
+export async function GET(request: Request) {
+  const a = await auth.api.getOpenIdConfig({
+    asResponse: true,
+  });
+
+  return a;
+}

app/[transport]/route.ts

@@ -1,32 +1,38 @@
+import { withMcpAuth } from "@/lib/withMcpAuth";
 import { createMcpHandler } from "@vercel/mcp-adapter";
 import { z } from "zod";
 
-const handler = createMcpHandler(
-  (server) => {
-    server.tool(
-      "echo",
-      "Echo a message",
-      { message: z.string() },
-      async ({ message }) => ({
-        content: [{ type: "text", text: `Tool echo: ${message}` }],
-      })
-    );
-  },
-  {
-    capabilities: {
-      tools: {
-        echo: {
-          description: "Echo a message",
+const handler = withMcpAuth(
+  createMcpHandler(
+    (server) => {
+      server.tool(
+        "roll_dice",
+        "Rolls an N-sided die",
+        { sides: z.number().int().min(2) },
+        async ({ sides }) => {
+          const value = 1 + Math.floor(Math.random() * sides);
+          return {
+            content: [{ type: "text", text: `🎲 You rolled a ${value}!` }],
+          };
+        }
+      );
+    },
+    {
+      capabilities: {
+        tools: {
+          roll_dice: {
+            description: "Roll a dice",
+          },
         },
       },
     },
-  },
-  {
-    redisUrl: process.env.REDIS_URL,
-    basePath: "",
-    verboseLogs: true,
-    maxDuration: 60,
-  }
+    {
+      redisUrl: process.env.REDIS_URL,
+      basePath: "",
+      verboseLogs: true,
+      maxDuration: 60,
+    }
+  )
 );
 
 export { handler as GET, handler as POST, handler as DELETE };

app/api/auth/[...all]/route.ts

@@ -0,0 +1,4 @@
+import { auth } from "@/lib/auth";
+import { toNextJsHandler } from "better-auth/next-js";
+
+export const { POST, GET } = toNextJsHandler(auth);

app/authorize/login/route.ts

@@ -0,0 +1,3 @@
+import { auth } from "@/lib/auth";
+
+export async function GET(request: Request) {}

lib/auth.ts

@@ -0,0 +1,18 @@
+import { betterAuth } from "better-auth";
+import { oidcProvider } from "better-auth/plugins";
+import Database from "better-sqlite3";
+
+export const auth = betterAuth({
+  database: new Database("./sqlite.db"),
+
+  emailAndPassword: {
+    enabled: true,
+  },
+  plugins: [
+    oidcProvider({
+      allowDynamicClientRegistration: true,
+      loginPage: "/sign-in", // path to the login page
+      // ...other options
+    }),
+  ],
+});

lib/authClient.ts

@@ -0,0 +1,7 @@
+import { createAuthClient } from "better-auth/client";
+import { oidcClient } from "better-auth/client/plugins";
+const authClient = createAuthClient({
+  plugins: [oidcClient()],
+});
+
+export default authClient;

lib/client.ts

@@ -0,0 +1,7 @@
+import authClient from "./authClient";
+
+const application = await authClient.oauth2.register({
+  redirect_uris: ["http://localhost:3000/callback"],
+});
+
+export default application;

lib/withMcpAuth.ts

@@ -0,0 +1,29 @@
+import { createMcpHandler } from "@vercel/mcp-adapter";
+import { cookies } from "next/headers";
+
+import { auth } from "@/lib/auth";
+// Wrapper function for MCP handler with auth
+export const withMcpAuth = (handler: (req: Request) => Promise<Response>) => {
+  return async (req: Request) => {
+    const session = await auth.api.getSession({
+      headers: req.headers,
+    });
+
+    const wwwAuthenticateValue =
+      "Bearer resource_metadata=http://localhost:3000/.well-known/oauth-authorization-server";
+
+    if (!session) {
+      // Redirect to login page if no valid token or session
+      return new Response(null, {
+        status: 401,
+        headers: {
+          Location: "/api/auth/authorize",
+          "WWW-Authenticate": wwwAuthenticateValue,
+        },
+      });
+    }
+
+    // If authenticated, proceed with the MCP handler
+    return handler(req);
+  };
+};

package.json

@@ -10,11 +10,14 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.11.1",
     "@vercel/mcp-adapter": "0.3.1",
+    "better-auth": "^1.2.7",
+    "better-sqlite3": "^11.10.0",
     "next": "15.2.4",
     "redis": "^4.7.0",
     "zod": "^3.24.2"
   },
   "devDependencies": {
+    "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^20",
     "@types/react": "^19",
     "typescript": "^5"