mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-22 06:41:46 +00:00
feat(mcp): introduce OAuth 2.1 auth and enforce addon gating
OAuth 2.1 authentication for MCP:
- Add OAuth 2.1 authorization server with PKCE support (routes/oauth.ts)
- Add OAuth service for client CRUD, auth-code flow, and token management (services/oauthService.ts)
- Add typed scope definitions and enforcement helpers (mcp/scopes.ts)
- Add OAuth consent UI page (OAuthAuthorizePage.tsx)
- Add client-side scope labels and descriptions (api/oauthScopes.ts)
- Integrate OAuth token auth into MCP handler alongside existing static tokens
- All OAuth endpoints gated on `mcp` addon
Addon gating across MCP tools, resources, and prompts:
- Add typed ADDON_IDS constant (server/src/addons.ts) replacing all string literals
- Gate budget tools and resources (trip-budget, per-person, settlement) on `budget` addon
- Gate packing tools and resources (trip-packing, trip-packing-bags, trip-todos) on `packing` addon
- Gate todos tools on `packing` addon (mirrors web UI Lists tab behavior)
- Expand atlas gate to cover full tool body (bucket-list + country tools no longer leak)
- Expand collab gate to cover full tool body (collab notes no longer leak)
- Gate packing-list and budget-overview MCP prompts on their respective addons
- Gate get_trip_summary sections per addon; blank packing/budget/collab_notes/todos when disabled
- Remove trip-files resource and files field from get_trip_summary
- Replace all isAddonEnabled('literal') calls with ADDON_IDS constants
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
jubnl
@@ -270,6 +270,47 @@ const en: Record<string, string | { name: string; category: string }[]> = {
|
||||
'settings.mcp.toast.createError': 'Failed to create token',
|
||||
'settings.mcp.toast.deleted': 'Token deleted',
|
||||
'settings.mcp.toast.deleteError': 'Failed to delete token',
|
||||
'settings.mcp.apiTokensDeprecated': 'API Tokens are deprecated and will be removed in a future release. Please use OAuth 2.1 Clients instead.',
|
||||
'settings.oauth.clients': 'OAuth 2.1 Clients',
|
||||
'settings.oauth.clientsHint': 'Register OAuth 2.1 clients to let third-party MCP applications (Claude Web, Cursor, etc.) connect without static tokens.',
|
||||
'settings.oauth.createClient': 'New Client',
|
||||
'settings.oauth.noClients': 'No OAuth clients registered.',
|
||||
'settings.oauth.clientId': 'Client ID',
|
||||
'settings.oauth.clientSecret': 'Client Secret',
|
||||
'settings.oauth.deleteClient': 'Delete Client',
|
||||
'settings.oauth.deleteClientMessage': 'This client and all active sessions will be permanently removed. Any application using it will lose access immediately.',
|
||||
'settings.oauth.rotateSecret': 'Rotate Secret',
|
||||
'settings.oauth.rotateSecretMessage': 'A new client secret will be generated and all existing sessions will be invalidated immediately. Update your application before closing this dialog.',
|
||||
'settings.oauth.rotateSecretConfirm': 'Rotate',
|
||||
'settings.oauth.rotateSecretConfirming': 'Rotating…',
|
||||
'settings.oauth.rotateSecretDoneTitle': 'New Secret Generated',
|
||||
'settings.oauth.rotateSecretDoneWarning': 'This secret is shown only once. Copy it now and update your application — all previous sessions have been invalidated.',
|
||||
'settings.oauth.activeSessions': 'Active OAuth Sessions',
|
||||
'settings.oauth.sessionScopes': 'Scopes',
|
||||
'settings.oauth.sessionExpires': 'Expires',
|
||||
'settings.oauth.revoke': 'Revoke',
|
||||
'settings.oauth.revokeSession': 'Revoke Session',
|
||||
'settings.oauth.revokeSessionMessage': 'This will immediately revoke access for this OAuth session.',
|
||||
'settings.oauth.modal.createTitle': 'Register OAuth Client',
|
||||
'settings.oauth.modal.presets': 'Quick presets',
|
||||
'settings.oauth.modal.clientName': 'Application Name',
|
||||
'settings.oauth.modal.clientNamePlaceholder': 'e.g. Claude Web, My MCP App',
|
||||
'settings.oauth.modal.redirectUris': 'Redirect URIs',
|
||||
'settings.oauth.modal.redirectUrisPlaceholder': 'https://your-app.com/callback\nhttps://your-app.com/auth',
|
||||
'settings.oauth.modal.redirectUrisHint': 'One URI per line. HTTPS required (localhost exempt). Exact match enforced.',
|
||||
'settings.oauth.modal.scopes': 'Allowed Scopes',
|
||||
'settings.oauth.modal.selectAll': 'Select all',
|
||||
'settings.oauth.modal.deselectAll': 'Deselect all',
|
||||
'settings.oauth.modal.creating': 'Registering…',
|
||||
'settings.oauth.modal.create': 'Register Client',
|
||||
'settings.oauth.modal.createdTitle': 'Client Registered',
|
||||
'settings.oauth.modal.createdWarning': 'The client secret is shown only once. Copy it now — it cannot be recovered.',
|
||||
'settings.oauth.toast.createError': 'Failed to register OAuth client',
|
||||
'settings.oauth.toast.deleted': 'OAuth client deleted',
|
||||
'settings.oauth.toast.deleteError': 'Failed to delete OAuth client',
|
||||
'settings.oauth.toast.revoked': 'Session revoked',
|
||||
'settings.oauth.toast.revokeError': 'Failed to revoke session',
|
||||
'settings.oauth.toast.rotateError': 'Failed to rotate client secret',
|
||||
'settings.account': 'Account',
|
||||
'settings.about': 'About',
|
||||
'settings.about.reportBug': 'Report a Bug',
|
||||
|
||||
Reference in New Issue
Block a user