feat(mcp): introduce OAuth 2.1 auth and enforce addon gating

OAuth 2.1 authentication for MCP: - Add OAuth 2.1 authorization server with PKCE support (routes/oauth.ts) - Add OAuth service for client CRUD, auth-code flow, and token management (services/oauthService.ts) - Add typed scope definitions and enforcement helpers (mcp/scopes.ts) - Add OAuth consent UI page (OAuthAuthorizePage.tsx) - Add client-side scope labels and descriptions (api/oauthScopes.ts) - Integrate OAuth token auth into MCP handler alongside existing static tokens - All OAuth endpoints gated on `mcp` addon Addon gating across MCP tools, resources, and prompts: - Add typed ADDON_IDS constant (server/src/addons.ts) replacing all string literals - Gate budget tools and resources (trip-budget, per-person, settlement) on `budget` addon - Gate packing tools and resources (trip-packing, trip-packing-bags, trip-todos) on `packing` addon - Gate todos tools on `packing` addon (mirrors web UI Lists tab behavior) - Expand atlas gate to cover full tool body (bucket-list + country tools no longer leak) - Expand collab gate to cover full tool body (collab notes no longer leak) - Gate packing-list and budget-overview MCP prompts on their respective addons - Gate get_trip_summary sections per addon; blank packing/budget/collab_notes/todos when disabled - Remove trip-files resource and files field from get_trip_summary - Replace all isAddonEnabled('literal') calls with ADDON_IDS constants Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 13:21:46 +00:00 · 2026-04-09 22:25:58 +02:00
parent 5c0d819fc1
commit 830f6c0706
32 changed files with 2589 additions and 669 deletions
@@ -72,6 +72,43 @@ export const authApi = {
  },
 }

+export const oauthApi = {
+  /** Validate OAuth authorize params — called by consent page on load */
+  validate: (params: {
+    response_type: string
+    client_id: string
+    redirect_uri: string
+    scope: string
+    state?: string
+    code_challenge: string
+    code_challenge_method: string
+  }) => apiClient.get('/oauth/authorize/validate', { params }).then(r => r.data),
+
+  /** Submit user consent (approve or deny) */
+  authorize: (body: {
+    client_id: string
+    redirect_uri: string
+    scope: string
+    state?: string
+    code_challenge: string
+    code_challenge_method: string
+    approved: boolean
+  }) => apiClient.post('/oauth/authorize', body).then(r => r.data),
+
+  clients: {
+    list: () => apiClient.get('/oauth/clients').then(r => r.data),
+    create: (data: { name: string; redirect_uris: string[]; allowed_scopes: string[] }) =>
+      apiClient.post('/oauth/clients', data).then(r => r.data),
+    rotate: (id: string) => apiClient.post(`/oauth/clients/${id}/rotate`).then(r => r.data),
+    delete: (id: string) => apiClient.delete(`/oauth/clients/${id}`).then(r => r.data),
+  },
+
+  sessions: {
+    list: () => apiClient.get('/oauth/sessions').then(r => r.data),
+    revoke: (id: number) => apiClient.delete(`/oauth/sessions/${id}`).then(r => r.data),
+  },
+}
+
 export const tripsApi = {
  list: (params?: Record<string, unknown>) => apiClient.get('/trips', { params }).then(r => r.data),
  create: (data: Record<string, unknown>) => apiClient.post('/trips', data).then(r => r.data),