dcda8769cc
* feat(mcp-oauth): add oauth field to ClaudeCodeMcpServer schema Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai> * feat(mcp-oauth): add RFC 7591 Dynamic Client Registration * feat(mcp-oauth): add RFC 9728 PRM + RFC 8414 AS discovery * feat(mcp-oauth): add secure token storage with {host}/{resource} key format * feat(mcp-oauth): add dynamic port OAuth callback server * feat(mcp-oauth): add RFC 8707 Resource Indicators * feat(mcp-oauth): implement full-spec McpOAuthProvider * feat(mcp-oauth): add step-up authorization handler * feat(mcp-oauth): integrate authProvider into SkillMcpManager * feat(doctor): add MCP OAuth token status check * feat(cli): add mcp oauth subcommand structure * feat(cli): implement mcp oauth login command * fix(mcp-oauth): address cubic review — security, correctness, and test issues - Remove @ts-nocheck from provider.ts, storage.ts, provider.test.ts - Fix server resource leak on missing code/state (close + reject) - Fix command injection in openBrowser (spawn array args, cross-platform) - Mock McpOAuthProvider in login.test.ts for deterministic CI - Recreate auth provider with merged scopes in step-up flow - Add listAllTokens() for global status listing - Fix logout to accept --server-url for correct token deletion - Support both quoted and unquoted WWW-Authenticate params (RFC 2617) - Save/restore OPENCODE_CONFIG_DIR in storage.test.ts - Fix index.test.ts: vitest → bun:test * fix(mcp-oauth): use explorer instead of cmd /c start on Windows to prevent shell injection * fix(mcp-oauth): address remaining cubic review issues - Add 5-minute timeout to provider callback server to prevent indefinite hangs - Persist client registration from token storage across process restarts - Require --server-url for logout to match token storage key format - Use listTokensByHost for server-specific status lookups - Fix callback-server test to handle promise rejection ordering - Fix provider test port expectations (8912 → 19877) - Fix cli-guide.md duplicate Section 7 numbering - Fix manager test for login-on-missing-tokens behavior * fix(mcp-oauth): address final review issues - P1: Redact token values in status.ts output to prevent credential leakage - P2: Read OAuth error response body before throwing in token exchange - Test: Fix mcp-oauth doctor test to use epoch seconds (not milliseconds) --------- Co-authored-by: justsisyphus <justsisyphus@users.noreply.github.com> Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
81 lines
2.1 KiB
TypeScript
81 lines
2.1 KiB
TypeScript
import type { CheckResult, CheckDefinition } from "../types"
|
|
import { CHECK_IDS, CHECK_NAMES } from "../constants"
|
|
import { getMcpOauthStoragePath } from "../../../features/mcp-oauth/storage"
|
|
import { existsSync, readFileSync } from "node:fs"
|
|
|
|
interface OAuthTokenData {
|
|
accessToken: string
|
|
refreshToken?: string
|
|
expiresAt?: number
|
|
clientInfo?: {
|
|
clientId: string
|
|
clientSecret?: string
|
|
}
|
|
}
|
|
|
|
type TokenStore = Record<string, OAuthTokenData>
|
|
|
|
export function readTokenStore(): TokenStore | null {
|
|
const filePath = getMcpOauthStoragePath()
|
|
if (!existsSync(filePath)) {
|
|
return null
|
|
}
|
|
|
|
try {
|
|
const content = readFileSync(filePath, "utf-8")
|
|
return JSON.parse(content) as TokenStore
|
|
} catch {
|
|
return null
|
|
}
|
|
}
|
|
|
|
export async function checkMcpOAuthTokens(): Promise<CheckResult> {
|
|
const store = readTokenStore()
|
|
|
|
if (!store || Object.keys(store).length === 0) {
|
|
return {
|
|
name: CHECK_NAMES[CHECK_IDS.MCP_OAUTH_TOKENS],
|
|
status: "skip",
|
|
message: "No OAuth tokens configured",
|
|
details: ["Optional: Configure OAuth tokens for MCP servers"],
|
|
}
|
|
}
|
|
|
|
const now = Math.floor(Date.now() / 1000)
|
|
const tokens = Object.entries(store)
|
|
const expiredTokens = tokens.filter(
|
|
([, token]) => token.expiresAt && token.expiresAt < now
|
|
)
|
|
|
|
if (expiredTokens.length > 0) {
|
|
return {
|
|
name: CHECK_NAMES[CHECK_IDS.MCP_OAUTH_TOKENS],
|
|
status: "warn",
|
|
message: `${expiredTokens.length} of ${tokens.length} token(s) expired`,
|
|
details: [
|
|
...tokens
|
|
.filter(([, token]) => !token.expiresAt || token.expiresAt >= now)
|
|
.map(([key]) => `Valid: ${key}`),
|
|
...expiredTokens.map(([key]) => `Expired: ${key}`),
|
|
],
|
|
}
|
|
}
|
|
|
|
return {
|
|
name: CHECK_NAMES[CHECK_IDS.MCP_OAUTH_TOKENS],
|
|
status: "pass",
|
|
message: `${tokens.length} OAuth token(s) valid`,
|
|
details: tokens.map(([key]) => `Configured: ${key}`),
|
|
}
|
|
}
|
|
|
|
export function getMcpOAuthCheckDefinition(): CheckDefinition {
|
|
return {
|
|
id: CHECK_IDS.MCP_OAUTH_TOKENS,
|
|
name: CHECK_NAMES[CHECK_IDS.MCP_OAUTH_TOKENS],
|
|
category: "tools",
|
|
check: checkMcpOAuthTokens,
|
|
critical: false,
|
|
}
|
|
}
|