feat(15-02): update MCP OAuth and MCP middleware for OIDC

- Replace verifyPassword with getAuth in OAuth authorize routes
- Replace login form with consent-only form (no credential fields)
- Remove getUserCount bypass from MCP auth middleware
- GET/POST /authorize redirect to /login if no OIDC session
This commit is contained in:
2026-04-04 20:46:23 +02:00
parent 1b6a65b4d5
commit c0e6db5aa6
2 changed files with 28 additions and 41 deletions

View File

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
import { Hono } from "hono";
import { db as prodDb } from "../../db/index.ts";
import { getUserCount, verifyApiKey } from "../services/auth.service.ts";
import { verifyApiKey } from "../services/auth.service.ts";
import { verifyAccessToken } from "../services/oauth.service.ts";
import { getCollectionSummary } from "./resources/collection.ts";
import {
@@ -90,11 +90,6 @@ export const mcpRoutes = new Hono();
mcpRoutes.use("/*", async (c, next) => {
const db = c.get("db") ?? prodDb;
// Skip auth if no users exist
if (getUserCount(db) <= 0) {
return next();
}
// Try Bearer token first (OAuth)
const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) {
@@ -105,7 +100,7 @@ mcpRoutes.use("/*", async (c, next) => {
return c.json({ error: "invalid_token" }, 401);
}
// Try API key (existing flow)
// Try API key
const apiKey = c.req.header("X-API-Key");
if (apiKey) {
const valid = await verifyApiKey(db, apiKey);