code cleanup and reorg

Author: aarora79

.gitignore

@@ -187,3 +187,5 @@ logs/
 # Agent testing
 agents/test_results/
 agents/.env.user
+ssl_data/
+agents/.env.agent

agents/agent_w_auth.py

@@ -143,22 +143,25 @@ def load_env_config(use_session_cookie: bool) -> Dict[str, Optional[str]]:
 
     # Choose .env file based on authentication mode
     env_file_name = '.env.user' if use_session_cookie else '.env.agent'
-    
+    logger.info(f"Using .env file: {env_file_name}")
     if DOTENV_AVAILABLE:
         file_found = False
         file_path = None
 
         # Try to load from .env file in the current directory
         env_file = os.path.join(os.path.dirname(__file__), env_file_name)
         if os.path.exists(env_file):
+            logger.info(f"Found .env file: {env_file}")
             load_dotenv(env_file)
             file_found = True
             file_path = env_file
             logger.info(f"Loading environment variables from {env_file}")
+            logger.info(f"user pool id {os.environ.get('COGNITO_USER_POOL_ID')}")
         else:
             # Try to load from .env file in the parent directory
             env_file = os.path.join(os.path.dirname(__file__), '..', env_file_name)
             if os.path.exists(env_file):
+                logger.info(f"Found .env file in parent directory: {env_file}")
                 load_dotenv(env_file)
                 file_found = True
                 file_path = env_file
@@ -167,6 +170,7 @@ def load_env_config(use_session_cookie: bool) -> Dict[str, Optional[str]]:
                 # Try to load from current working directory
                 env_file = os.path.join(os.getcwd(), env_file_name)
                 if os.path.exists(env_file):
+                    logger.info(f"Found .env file in current working directory: {env_file}")
                     load_dotenv(env_file)
                     file_found = True
                     file_path = env_file
@@ -201,14 +205,15 @@ def parse_arguments() -> argparse.Namespace:
     """
     # First, determine authentication mode to choose correct .env file
     use_session_cookie = get_auth_mode_from_args()
+    logger.info(f"Using session cookie authentication: {use_session_cookie}")
 
     # Load environment configuration using the appropriate .env file
     env_config = load_env_config(use_session_cookie)
 
     parser = argparse.ArgumentParser(description='LangGraph MCP Client with Cognito Authentication')
 
     # Server connection arguments
-    parser.add_argument('--mcp-registry-url', type=str, default='http://ec2-54-146-182-47.compute-1.amazonaws.com/mcpgw/sse',
+    parser.add_argument('--mcp-registry-url', type=str, default='https://mcpgateway.ddns.net/mcpgw/sse',
                         help='Hostname of the MCP Registry')
 
     # Model arguments
@@ -514,6 +519,7 @@ async def main():
     """
     # Parse command line arguments
     args = parse_arguments()
+    logger.info(f"Parsed command line arguments successfully, args={args}")
 
     # Display configuration
     server_url = args.mcp_registry_url
@@ -540,6 +546,7 @@ async def main():
     else:
         # Generate Cognito M2M authentication token
         logger.info(f"Cognito User Pool ID: {redact_sensitive_value(args.user_pool_id)}")
+        logger.info(f"Cognito User Pool ID: {args.user_pool_id}")
         logger.info(f"Cognito Client ID: {redact_sensitive_value(args.client_id)}")
         logger.info(f"AWS Region: {args.region}")
 

auth_server/server.py

@@ -986,22 +986,34 @@ async def oauth2_login(provider: str, request: Request, redirect_uri: str = None
         # Create temporary session for OAuth2 flow
         temp_session = signer.dumps(session_data)
 
-        # Build authorization URL with dynamic auth server URL
-        host = request.headers.get("host", "localhost:8888")
-        scheme = "https" if request.headers.get("x-forwarded-proto") == "https" or request.url.scheme == "https" else "http"
-        
-        # Special case for localhost to include port
-        if "localhost" in host and ":" not in host:
-            auth_server_url = f"{scheme}://localhost:8888"
+        # Use configured external URL or build dynamically
+        auth_server_external_url = os.environ.get('AUTH_SERVER_EXTERNAL_URL')
+        if auth_server_external_url:
+            # Use configured external URL (recommended for production)
+            auth_server_url = auth_server_external_url.rstrip('/')
+            logger.info(f"Using configured AUTH_SERVER_EXTERNAL_URL: {auth_server_url}")
         else:
-            auth_server_url = f"{scheme}://{host}"
+            # Fall back to dynamic construction (for development)
+            host = request.headers.get("host", "localhost:8888")
+            scheme = "https" if request.headers.get("x-forwarded-proto") == "https" or request.url.scheme == "https" else "http"
+            
+            # Special case for localhost to include port
+            if "localhost" in host and ":" not in host:
+                auth_server_url = f"{scheme}://localhost:8888"
+            else:
+                auth_server_url = f"{scheme}://{host}"
+            
+            logger.warning(f"AUTH_SERVER_EXTERNAL_URL not set, using dynamic URL: {auth_server_url}")
+        
+        callback_uri = f"{auth_server_url}/oauth2/callback/{provider}"
+        logger.info(f"OAuth2 callback URI: {callback_uri}")
 
         auth_params = {
             "client_id": provider_config["client_id"],
             "response_type": provider_config["response_type"],
             "scope": " ".join(provider_config["scopes"]),
             "state": state,
-            "redirect_uri": f"{auth_server_url}/oauth2/callback/{provider}"
+            "redirect_uri": callback_uri
         }
 
         auth_url = f"{provider_config['auth_url']}?{urllib.parse.urlencode(auth_params)}"
@@ -1062,15 +1074,24 @@ async def oauth2_callback(
         provider_config = OAUTH2_CONFIG["providers"][provider]
 
         # Exchange authorization code for access token
-        # Build dynamic auth server URL for token exchange
-        host = request.headers.get("host", "localhost:8888")
-        scheme = "https" if request.headers.get("x-forwarded-proto") == "https" or request.url.scheme == "https" else "http"
-        
-        # Special case for localhost to include port
-        if "localhost" in host and ":" not in host:
-            auth_server_url = f"{scheme}://localhost:8888"
+        # Use configured external URL or build dynamically
+        auth_server_external_url = os.environ.get('AUTH_SERVER_EXTERNAL_URL')
+        if auth_server_external_url:
+            # Use configured external URL (recommended for production)
+            auth_server_url = auth_server_external_url.rstrip('/')
+            logger.info(f"Using configured AUTH_SERVER_EXTERNAL_URL for token exchange: {auth_server_url}")
         else:
-            auth_server_url = f"{scheme}://{host}"
+            # Fall back to dynamic construction (for development)
+            host = request.headers.get("host", "localhost:8888")
+            scheme = "https" if request.headers.get("x-forwarded-proto") == "https" or request.url.scheme == "https" else "http"
+            
+            # Special case for localhost to include port
+            if "localhost" in host and ":" not in host:
+                auth_server_url = f"{scheme}://localhost:8888"
+            else:
+                auth_server_url = f"{scheme}://{host}"
+            
+            logger.warning(f"AUTH_SERVER_EXTERNAL_URL not set, using dynamic URL for token exchange: {auth_server_url}")
 
         token_data = await exchange_code_for_token(provider, code, provider_config, auth_server_url)
         logger.info(f"Token data keys: {list(token_data.keys())}")
@@ -1159,7 +1180,7 @@ async def oauth2_callback(
         logger.error(f"Error in OAuth2 callback for {provider}: {e}")
         error_url = OAUTH2_CONFIG.get("registry", {}).get("error_redirect", "/login")
         return RedirectResponse(url=f"{error_url}?error=oauth2_callback_failed", status_code=302)
-
+    
 async def exchange_code_for_token(provider: str, code: str, provider_config: dict, auth_server_url: str = None) -> dict:
     """Exchange authorization code for access token"""
     if auth_server_url is None:

docker-compose.yml

@@ -10,8 +10,8 @@ services:
       - SECRET_KEY=${SECRET_KEY}
       - ADMIN_USER=${ADMIN_USER:-admin}
       - ADMIN_PASSWORD=${ADMIN_PASSWORD}
-      - AUTH_SERVER_URL=http://auth-server:8888
-      - AUTH_SERVER_EXTERNAL_URL=http://localhost:8888
+      - AUTH_SERVER_URL=${AUTH_SERVER_URL}
+      - AUTH_SERVER_EXTERNAL_URL=${AUTH_SERVER_EXTERNAL_URL}
       - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}
       - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
       - COGNITO_CLIENT_ID=${COGNITO_CLIENT_ID}
@@ -25,7 +25,7 @@ services:
     volumes:
       - /opt/mcp-gateway/servers:/app/registry/servers
       - /opt/mcp-gateway/models:/app/registry/models
-      - ssl_data:/etc/ssl
+      - /home/ubuntu/ssl_data:/etc/ssl
       - /var/log/mcp-gateway:/app/logs
     depends_on:
       - auth-server
@@ -37,6 +37,7 @@ services:
       context: .
       dockerfile: docker/Dockerfile.auth
     environment:
+      - REGISTRY_URL=${REGISTRY_URL}
       - SECRET_KEY=${SECRET_KEY}
       - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}
       - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}

docker/nginx_rev_proxy.conf

@@ -55,6 +55,30 @@ server {
         proxy_pass_request_body on;
     }
 
+    # OAuth2 Cognito login endpoint  
+    location /oauth2/login/cognito {
+        proxy_pass http://auth-server:8888/oauth2/login/cognito;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Pass through query parameters and headers
+        proxy_pass_request_headers on;
+    }
+
+    # OAuth2 Cognito logout endpoint
+    location /oauth2/logout/ {
+    proxy_pass http://auth-server:8888/oauth2/logout/;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass_request_headers on;
+    }
+
     # REMOVE HARDCODED /mcpgw
     # location /mcpgw/ {
     #     proxy_pass http://127.0.0.1:8003/;
@@ -184,6 +208,30 @@ server {
         proxy_pass_request_body on;
     }
 
+    # OAuth2 Cognito login endpoint  
+    location /oauth2/login/cognito {
+        proxy_pass http://auth-server:8888/oauth2/login/cognito;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Pass through query parameters and headers
+        proxy_pass_request_headers on;
+    }
+
+    # OAuth2 Cognito logout endpoint
+    location /oauth2/logout/ {
+    proxy_pass http://auth-server:8888/oauth2/logout/;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass_request_headers on;
+    }
+
     # Duplicate the same location blocks for HTTPS access
     location / {
         proxy_pass http://127.0.0.1:7860/;

registry/auth/routes.py

@@ -53,7 +53,7 @@ async def oauth2_login_redirect(provider: str, request: Request):
         registry_url = str(request.base_url).rstrip('/')
         auth_external_url = settings.auth_server_external_url
         auth_url = f"{auth_external_url}/oauth2/login/{provider}?redirect_uri={registry_url}/"
-        
+        logger.info(f"request.base_url: {request.base_url}, registry_url: {registry_url}, auth_external_url: {auth_external_url}, auth_url: {auth_url}")
         logger.info(f"Redirecting to OAuth2 login for provider {provider}: {auth_url}")
         return RedirectResponse(url=auth_url, status_code=302)