add memory and disk storage backends, readme

2025-12-27 12:06:20 -08:00
parent 321d9eaef0
commit b95a87e15a
5 changed files with 1158 additions and 908 deletions
--- a/core/server.py
+++ b/core/server.py
@@ -112,9 +112,12 @@ def configure_server_for_http():
            )
            storage_backend = os.getenv(
                "WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND", ""
-            ).strip()
+            ).strip().lower()
            valkey_host = os.getenv("WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST", "").strip()
-            use_valkey = storage_backend.lower() == "valkey" or bool(valkey_host)
+
+            # Determine storage backend: valkey, disk, memory (default)
+            use_valkey = storage_backend == "valkey" or bool(valkey_host)
+            use_disk = storage_backend == "disk"

            if use_valkey:
                try:
@@ -275,6 +278,62 @@ def configure_server_for_http():
                        "OAuth 2.1: Invalid Valkey configuration; falling back to default storage (%s).",
                        exc,
                    )
+            elif use_disk:
+                try:
+                    from key_value.aio.stores.disk import DiskStore
+                    from key_value.aio.wrappers.encryption import FernetEncryptionWrapper
+                    from cryptography.fernet import Fernet
+                    from fastmcp.server.auth.jwt_issuer import derive_jwt_key
+
+                    disk_directory = os.getenv(
+                        "WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY", ""
+                    ).strip()
+                    if not disk_directory:
+                        # Default to FASTMCP_HOME/oauth-proxy or ~/.fastmcp/oauth-proxy
+                        fastmcp_home = os.getenv("FASTMCP_HOME", "").strip()
+                        if fastmcp_home:
+                            disk_directory = os.path.join(fastmcp_home, "oauth-proxy")
+                        else:
+                            disk_directory = os.path.expanduser("~/.fastmcp/oauth-proxy")
+
+                    client_storage = DiskStore(directory=disk_directory)
+
+                    # Derive encryption key
+                    if jwt_signing_key_override:
+                        jwt_signing_key = derive_jwt_key(
+                            low_entropy_material=jwt_signing_key_override,
+                            salt="fastmcp-jwt-signing-key",
+                        )
+                    else:
+                        jwt_signing_key = derive_jwt_key(
+                            high_entropy_material=config.client_secret,
+                            salt="fastmcp-jwt-signing-key",
+                        )
+
+                    storage_encryption_key = derive_jwt_key(
+                        high_entropy_material=jwt_signing_key.decode(),
+                        salt="fastmcp-storage-encryption-key",
+                    )
+
+                    client_storage = FernetEncryptionWrapper(
+                        key_value=client_storage,
+                        fernet=Fernet(key=storage_encryption_key),
+                    )
+                    logger.info(
+                        "OAuth 2.1: Using DiskStore for FastMCP OAuth proxy client_storage (directory=%s)",
+                        disk_directory,
+                    )
+                except ImportError as exc:
+                    logger.warning(
+                        "OAuth 2.1: Disk storage requested but dependencies not available (%s). "
+                        "Falling back to default storage.",
+                        exc,
+                    )
+            elif storage_backend == "memory":
+                from key_value.aio.stores.memory import MemoryStore
+                client_storage = MemoryStore()
+                logger.info("OAuth 2.1: Using MemoryStore for FastMCP OAuth proxy client_storage")
+            # else: client_storage remains None, FastMCP uses its default

            # Check if external OAuth provider is configured
            if config.is_external_oauth21_provider():