From 41f1dd9ce56ef5974af88e38ec7be6fa705eaf85 Mon Sep 17 00:00:00 2001
From: jubnl
Date: Thu, 9 Apr 2026 23:59:01 +0200
Subject: [PATCH] fix(oauth): select ot.user_id instead of u.id in getUserByAccessToken

u.id was returned by SQLite as `id` but the code read `row.user_id`, which was undefined. This caused all MCP calls to resolve userId as undefined, making list_trips return empty and canAccessTrip deny all access when authenticated via OAuth 2.1.
---
 server/src/services/oauthService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/src/services/oauthService.ts b/server/src/services/oauthService.ts
index a9a34244..e6502fbf 100644
--- a/server/src/services/oauthService.ts
+++ b/server/src/services/oauthService.ts
@@ -276,7 +276,7 @@ export function getUserByAccessToken(rawToken: string): OAuthTokenInfo | null {
 const hash = hashToken(rawToken);
 const row = db.prepare(`
 SELECT ot.scopes, ot.revoked_at, ot.access_token_expires_at,
- u.id, u.username, u.email, u.role
+ ot.user_id, u.username, u.email, u.role
 FROM oauth_tokens ot
 JOIN users u ON ot.user_id = u.id
 WHERE ot.access_token_hash = ?
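Review bot: Nothing visible in `getUserByAccessToken` makes a missing `user_id` column fail loudly, so a token that validates can still yield an `OAuthTokenInfo` whose user id is `undefined`, which is how the original mismatch reached the authorization checks unnoticed. The rest of the function lies outside the hunk, so this may already be handled there; if not, add a fail-closed guard right after the row is fetched, for example `if (!row || row.user_id == null) return null;`. It would also help to declare an interface for the selected columns and annotate the row with it, so the compiler rejects a property read that the SELECT list does not provide. A regression test asserting that a valid access token resolves to the owning user's id would pin this behaviour.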