feat(mcp): granular OAuth scopes and per-client rate limiting

- Split `media:read` into `geo:read` and `weather:read` scopes - Add dedicated `atlas:read/write` scopes (previously under `places`) - Add dedicated `todos:read/write` scopes (previously under `collab`) - Rate limiting now keyed by userId+clientId instead of userId alone - Bind MCP sessions to the OAuth client that created them - Log MCP tool calls to audit log with clientId - Invalidate all MCP sessions on addon state change - Reduce session sweep interval from 10min to 1min - Update all translations with new scope labels
2026-06-21 22:31:46 +00:00 · 2026-04-11 02:06:09 +02:00
parent 4670d4914c
commit 535c06bb3f
39 changed files with 1930 additions and 237 deletions
@@ -2,7 +2,7 @@ import { broadcast } from '../../websocket';

 export function safeBroadcast(tripId: number, event: string, payload: Record<string, unknown>): void {
  try {
-    broadcast(tripId, event, payload);
+    broadcast(tripId, event, { ...payload, _source: 'mcp' });
  } catch (err) {
    console.error(`[MCP] broadcast failed for ${event}:`, err?.message ?? err);
  }
@@ -111,6 +111,8 @@ export function registerAssignmentTools(server: McpServer, userId: number, scope
    async ({ tripId, assignmentId, newDayId, oldDayId, orderIndex }) => {
      if (isDemoUser(userId)) return demoDenied();
      if (!canAccessTrip(tripId, userId)) return noAccess();
+      if (!getAssignmentForTrip(assignmentId, tripId)) return { content: [{ type: 'text' as const, text: 'Assignment not found.' }], isError: true };
+      if (!getDay(newDayId, tripId)) return { content: [{ type: 'text' as const, text: 'Day not found.' }], isError: true };
      const result = moveAssignment(assignmentId, newDayId, orderIndex ?? 0, oldDayId);
      safeBroadcast(tripId, 'assignment:moved', { assignment: result.assignment, oldDayId: result.oldDayId });
      return ok({ assignment: result.assignment });
@@ -129,6 +131,7 @@ export function registerAssignmentTools(server: McpServer, userId: number, scope
    },
    async ({ tripId, assignmentId }) => {
      if (!canAccessTrip(tripId, userId)) return noAccess();
+      if (!getAssignmentForTrip(assignmentId, tripId)) return { content: [{ type: 'text' as const, text: 'Assignment not found.' }], isError: true };
      const participants = getAssignmentParticipants(assignmentId);
      return ok({ participants });
    }
@@ -148,6 +151,7 @@ export function registerAssignmentTools(server: McpServer, userId: number, scope
    async ({ tripId, assignmentId, userIds }) => {
      if (isDemoUser(userId)) return demoDenied();
      if (!canAccessTrip(tripId, userId)) return noAccess();
+      if (!getAssignmentForTrip(assignmentId, tripId)) return { content: [{ type: 'text' as const, text: 'Assignment not found.' }], isError: true };
      const participants = setAssignmentParticipants(assignmentId, userIds);
      safeBroadcast(tripId, 'assignment:participants', { assignmentId, participants });
      return ok({ participants });
@@ -16,8 +16,8 @@ import {
 import { canRead, canWrite } from '../scopes';

 export function registerAtlasTools(server: McpServer, userId: number, scopes: string[] | null): void {
-  const R = canRead(scopes, 'places');
-  const W = canWrite(scopes, 'places');
+  const R = canRead(scopes, 'atlas');
+  const W = canWrite(scopes, 'atlas');

  if (!isAddonEnabled(ADDON_IDS.ATLAS)) return;

@@ -78,6 +78,7 @@ export function registerDayTools(server: McpServer, userId: number, scopes: stri
    async ({ tripId, dayId }) => {
      if (isDemoUser(userId)) return demoDenied();
      if (!canAccessTrip(tripId, userId)) return noAccess();
+      if (!getDay(dayId, tripId)) return { content: [{ type: 'text' as const, text: 'Day not found.' }], isError: true };
      deleteDay(dayId);
      safeBroadcast(tripId, 'day:deleted', { id: dayId });
      return ok({ success: true });
@@ -152,6 +153,7 @@ export function registerDayTools(server: McpServer, userId: number, scopes: stri
    async ({ tripId, accommodationId }) => {
      if (isDemoUser(userId)) return demoDenied();
      if (!canAccessTrip(tripId, userId)) return noAccess();
+      if (!getAccommodation(accommodationId, tripId)) return { content: [{ type: 'text' as const, text: 'Accommodation not found.' }], isError: true };
      const { linkedReservationId } = deleteAccommodation(accommodationId);
      safeBroadcast(tripId, 'accommodation:deleted', { id: accommodationId, linkedReservationId });
      return ok({ success: true, linkedReservationId });
@@ -9,11 +9,12 @@ import {
 import { canRead } from '../scopes';

 export function registerMapsWeatherTools(server: McpServer, userId: number, scopes: string[] | null): void {
-  if (!canRead(scopes, 'media')) return;
+  const canGeo     = canRead(scopes, 'geo');
+  const canWeather = canRead(scopes, 'weather');

  // --- MAPS EXTRAS ---

-  server.registerTool(
+  if (canGeo) server.registerTool(
    'get_place_details',
    {
      description: 'Fetch detailed information about a place by its Google Place ID.',
@@ -30,7 +31,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
    }
  );

-  server.registerTool(
+  if (canGeo) server.registerTool(
    'reverse_geocode',
    {
      description: 'Get a human-readable address for given coordinates.',
@@ -48,7 +49,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
    }
  );

-  server.registerTool(
+  if (canGeo) server.registerTool(
    'resolve_maps_url',
    {
      description: 'Resolve a Google Maps share URL to coordinates and place name.',
@@ -66,7 +67,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop

  // --- WEATHER ---

-  server.registerTool(
+  if (canWeather) server.registerTool(
    'get_weather',
    {
      description: 'Get weather forecast for a location and date.',
@@ -88,7 +89,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
    }
  );

-  server.registerTool(
+  if (canWeather) server.registerTool(
    'get_detailed_weather',
    {
      description: 'Get hourly/detailed weather forecast for a location and date.',
@@ -1,7 +1,7 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp';
 import { z } from 'zod';
 import { isDemoUser } from '../../services/authService';
-import { listTags, createTag, updateTag, deleteTag } from '../../services/tagService';
+import { listTags, createTag, getTagByIdAndUser, updateTag, deleteTag } from '../../services/tagService';
 import {
  TOOL_ANNOTATIONS_READONLY, TOOL_ANNOTATIONS_WRITE,
  TOOL_ANNOTATIONS_DELETE, TOOL_ANNOTATIONS_NON_IDEMPOTENT,
@@ -58,6 +58,7 @@ export function registerTagTools(server: McpServer, userId: number, scopes: stri
    },
    async ({ tagId, name, color }) => {
      if (isDemoUser(userId)) return demoDenied();
+      if (!getTagByIdAndUser(tagId, userId)) return { content: [{ type: 'text' as const, text: 'Tag not found.' }], isError: true };
      const tag = updateTag(tagId, name, color);
      if (!tag) return { content: [{ type: 'text' as const, text: 'Tag not found.' }], isError: true };
      return ok({ tag });
@@ -75,6 +76,7 @@ export function registerTagTools(server: McpServer, userId: number, scopes: stri
    },
    async ({ tagId }) => {
      if (isDemoUser(userId)) return demoDenied();
+      if (!getTagByIdAndUser(tagId, userId)) return { content: [{ type: 'text' as const, text: 'Tag not found.' }], isError: true };
      deleteTag(tagId);
      return ok({ success: true });
    }
@@ -17,8 +17,8 @@ import { isAddonEnabled } from '../../services/adminService';
 import { ADDON_IDS } from '../../addons';

 export function registerTodoTools(server: McpServer, userId: number, scopes: string[] | null): void {
-  const R = canRead(scopes, 'collab');
-  const W = canWrite(scopes, 'collab');
+  const R = canRead(scopes, 'todos');
+  const W = canWrite(scopes, 'todos');

  if (!isAddonEnabled(ADDON_IDS.PACKING)) return;

@@ -167,8 +167,9 @@ export function registerTripTools(server: McpServer, userId: number, scopes: str
      const canReadBudget  = budgetEnabled  && canRead(scopes, 'budget');
      const canReadPacking = packingEnabled && canRead(scopes, 'packing');
      const canReadCollab  = collabEnabled  && canRead(scopes, 'collab');
+      const canReadTodos   = packingEnabled && canRead(scopes, 'todos');
      const canReadRes     = canRead(scopes, 'reservations');
-      const todos = canReadPacking ? listTodoItems(tripId) : [];
+      const todos = canReadTodos ? listTodoItems(tripId) : [];
      let pollCount = 0;
      let messageCount = 0;
      if (canReadCollab) {