fix: Address code review feedback for OAuth SSO

- Add proper lifecycle management for state cleanup interval
- Fix host header injection vulnerability by validating forwarded headers
- Add type safety for GitHub API responses
- Add stopStateCleanup function for test cleanup
- Document scaling limitations of in-memory state store

Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>

docs/configuration/mcp-settings.mdx

@@ -259,92 +259,6 @@ MCPHub supports environment variable substitution using `${VAR_NAME}` syntax:
 }
 ```
 
-### Proxy Configuration (proxychains4)
-
-MCPHub supports routing STDIO server network traffic through a proxy using **proxychains4**. This feature is available on **Linux and macOS only** (Windows is not supported).
-
-<Note>
-To use this feature, you must have `proxychains4` installed on your system:
-- **Debian/Ubuntu**: `apt install proxychains4`
-- **macOS**: `brew install proxychains-ng`
-- **Arch Linux**: `pacman -S proxychains-ng`
-</Note>
-
-#### Basic Proxy Configuration
-
-```json
-{
-  "mcpServers": {
-    "fetch-via-proxy": {
-      "command": "uvx",
-      "args": ["mcp-server-fetch"],
-      "proxy": {
-        "enabled": true,
-        "type": "socks5",
-        "host": "127.0.0.1",
-        "port": 1080
-      }
-    }
-  }
-}
-```
-
-#### Proxy Configuration Options
-
-| Field        | Type    | Default   | Description                                      |
-| ------------ | ------- | --------- | ------------------------------------------------ |
-| `enabled`    | boolean | `false`   | Enable/disable proxy routing                     |
-| `type`       | string  | `socks5`  | Proxy protocol: `socks4`, `socks5`, or `http`    |
-| `host`       | string  | -         | Proxy server hostname or IP address              |
-| `port`       | number  | -         | Proxy server port                                |
-| `username`   | string  | -         | Proxy authentication username (optional)         |
-| `password`   | string  | -         | Proxy authentication password (optional)         |
-| `configPath` | string  | -         | Path to custom proxychains4 config file          |
-
-#### Proxy with Authentication
-
-```json
-{
-  "mcpServers": {
-    "secure-server": {
-      "command": "npx",
-      "args": ["-y", "@example/mcp-server"],
-      "proxy": {
-        "enabled": true,
-        "type": "http",
-        "host": "proxy.example.com",
-        "port": 8080,
-        "username": "${PROXY_USER}",
-        "password": "${PROXY_PASSWORD}"
-      }
-    }
-  }
-}
-```
-
-#### Using Custom proxychains4 Configuration
-
-For advanced use cases, you can provide your own proxychains4 configuration file:
-
-```json
-{
-  "mcpServers": {
-    "custom-proxy-server": {
-      "command": "python",
-      "args": ["-m", "custom_mcp_server"],
-      "proxy": {
-        "enabled": true,
-        "configPath": "/etc/proxychains4/custom.conf"
-      }
-    }
-  }
-}
-```
-
-<Tip>
-When `configPath` is specified, all other proxy settings (`type`, `host`, `port`, etc.) are ignored, and the custom configuration file is used directly.
-</Tip>
-
 {/* ### Custom Server Scripts
 
 #### Local Python Server

examples/mcp_settings_with_env_vars.json

@@ -31,47 +31,6 @@
         "DATABASE_URL": "${DATABASE_URL}"
       }
     },
-    "example-stdio-with-proxy": {
-      "type": "stdio",
-      "command": "uvx",
-      "args": [
-        "mcp-server-fetch"
-      ],
-      "proxy": {
-        "enabled": true,
-        "type": "socks5",
-        "host": "${PROXY_HOST}",
-        "port": 1080
-      }
-    },
-    "example-stdio-with-auth-proxy": {
-      "type": "stdio",
-      "command": "npx",
-      "args": [
-        "-y",
-        "@example/mcp-server"
-      ],
-      "proxy": {
-        "enabled": true,
-        "type": "http",
-        "host": "${HTTP_PROXY_HOST}",
-        "port": 8080,
-        "username": "${PROXY_USERNAME}",
-        "password": "${PROXY_PASSWORD}"
-      }
-    },
-    "example-stdio-with-custom-proxy-config": {
-      "type": "stdio",
-      "command": "python",
-      "args": [
-        "-m",
-        "custom_mcp_server"
-      ],
-      "proxy": {
-        "enabled": true,
-        "configPath": "/etc/proxychains4/custom.conf"
-      }
-    },
     "example-openapi-server": {
       "type": "openapi",
       "openapi": {

frontend/src/App.tsx

@@ -8,6 +8,7 @@ import { SettingsProvider } from './contexts/SettingsContext';
 import MainLayout from './layouts/MainLayout';
 import ProtectedRoute from './components/ProtectedRoute';
 import LoginPage from './pages/LoginPage';
+import OAuthCallbackPage from './pages/OAuthCallbackPage';
 import DashboardPage from './pages/Dashboard';
 import ServersPage from './pages/ServersPage';
 import GroupsPage from './pages/GroupsPage';
@@ -35,6 +36,7 @@ function App() {
                 <Routes>
                   {/* 公共路由 */}
                   <Route path="/login" element={<LoginPage />} />
+                  <Route path="/oauth-callback" element={<OAuthCallbackPage />} />
 
                   {/* 受保护的路由，使用 MainLayout 作为布局容器 */}
                   <Route element={<ProtectedRoute />}>

frontend/src/components/ui/Pagination.tsx

@@ -1,20 +1,16 @@
 import React from 'react';
-import { useTranslation } from 'react-i18next';
 
 interface PaginationProps {
   currentPage: number;
   totalPages: number;
   onPageChange: (page: number) => void;
-  disabled?: boolean;
 }
 
 const Pagination: React.FC<PaginationProps> = ({
   currentPage,
   totalPages,
-  onPageChange,
+  onPageChange
-  disabled = false
 }) => {
-  const { t } = useTranslation();
   // Generate page buttons
   const getPageButtons = () => {
     const buttons = [];
@@ -99,26 +95,26 @@ const Pagination: React.FC<PaginationProps> = ({
     <div className="flex justify-center items-center my-6">
       <button
         onClick={() => onPageChange(Math.max(1, currentPage - 1))}
-        disabled={disabled || currentPage === 1}
+        disabled={currentPage === 1}
-        className={`px-3 py-1 rounded mr-2 ${disabled || currentPage === 1
+        className={`px-3 py-1 rounded mr-2 ${currentPage === 1
           ? 'bg-gray-100 text-gray-400 cursor-not-allowed'
           : 'bg-gray-200 hover:bg-gray-300 text-gray-700 btn-secondary'
           }`}
       >
-        &laquo; {t('common.previous')}
+        &laquo; Prev
       </button>
 
       <div className="flex">{getPageButtons()}</div>
 
       <button
         onClick={() => onPageChange(Math.min(totalPages, currentPage + 1))}
-        disabled={disabled || currentPage === totalPages}
+        disabled={currentPage === totalPages}
-        className={`px-3 py-1 rounded ml-2 ${disabled || currentPage === totalPages
+        className={`px-3 py-1 rounded ml-2 ${currentPage === totalPages
           ? 'bg-gray-100 text-gray-400 cursor-not-allowed'
           : 'bg-gray-200 hover:bg-gray-300 text-gray-700 btn-secondary'
           }`}
       >
-        {t('common.next')} &raquo;
+        Next &raquo;
       </button>
     </div>
   );

frontend/src/contexts/ServerContext.tsx

@@ -17,16 +17,6 @@ const CONFIG = {
   },
 };
 
-// Pagination info type
-interface PaginationInfo {
-  page: number;
-  limit: number;
-  total: number;
-  totalPages: number;
-  hasNextPage: boolean;
-  hasPrevPage: boolean;
-}
-
 // Context type definition
 interface ServerContextType {
   servers: Server[];
@@ -34,11 +24,6 @@ interface ServerContextType {
   setError: (error: string | null) => void;
   isLoading: boolean;
   fetchAttempts: number;
-  pagination: PaginationInfo | null;
-  currentPage: number;
-  serversPerPage: number;
-  setCurrentPage: (page: number) => void;
-  setServersPerPage: (limit: number) => void;
   triggerRefresh: () => void;
   refreshIfNeeded: () => void; // Smart refresh with debounce
   handleServerAdd: () => void;
@@ -60,9 +45,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
   const [refreshKey, setRefreshKey] = useState(0);
   const [isInitialLoading, setIsInitialLoading] = useState(true);
   const [fetchAttempts, setFetchAttempts] = useState(0);
-  const [pagination, setPagination] = useState<PaginationInfo | null>(null);
-  const [currentPage, setCurrentPage] = useState(1);
-  const [serversPerPage, setServersPerPage] = useState(10);
 
   // Timer reference for polling
   const intervalRef = useRef<NodeJS.Timeout | null>(null);
@@ -91,31 +73,18 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
       const fetchServers = async () => {
         try {
           console.log('[ServerContext] Fetching servers from API...');
-          // Build query parameters for pagination
+          const data = await apiGet('/servers');
-          const params = new URLSearchParams();
-          params.append('page', currentPage.toString());
-          params.append('limit', serversPerPage.toString());
-          const data = await apiGet(`/servers?${params.toString()}`);
 
           // Update last fetch time
           lastFetchTimeRef.current = Date.now();
 
           if (data && data.success && Array.isArray(data.data)) {
             setServers(data.data);
-            // Update pagination info if available
-            if (data.pagination) {
-              setPagination(data.pagination);
-            } else {
-              setPagination(null);
-            }
           } else if (data && Array.isArray(data)) {
-            // Compatibility handling for non-paginated responses
             setServers(data);
-            setPagination(null);
           } else {
             console.error('Invalid server data format:', data);
             setServers([]);
-            setPagination(null);
           }
 
           // Reset error state
@@ -145,7 +114,7 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
       // Set up regular polling
       intervalRef.current = setInterval(fetchServers, CONFIG.normal.pollingInterval);
     },
-    [t, currentPage, serversPerPage],
+    [t],
   );
 
   // Watch for authentication status changes
@@ -181,11 +150,7 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
     const fetchInitialData = async () => {
       try {
         console.log('[ServerContext] Initial fetch - attempt', attemptsRef.current + 1);
-        // Build query parameters for pagination
+        const data = await apiGet('/servers');
-        const params = new URLSearchParams();
-        params.append('page', currentPage.toString());
-        params.append('limit', serversPerPage.toString());
-        const data = await apiGet(`/servers?${params.toString()}`);
 
         // Update last fetch time
         lastFetchTimeRef.current = Date.now();
@@ -193,12 +158,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
         // Handle API response wrapper object, extract data field
         if (data && data.success && Array.isArray(data.data)) {
           setServers(data.data);
-          // Update pagination info if available
-          if (data.pagination) {
-            setPagination(data.pagination);
-          } else {
-            setPagination(null);
-          }
           setIsInitialLoading(false);
           // Initialization successful, start normal polling (skip immediate to avoid duplicate fetch)
           startNormalPolling({ immediate: false });
@@ -206,7 +165,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
         } else if (data && Array.isArray(data)) {
           // Compatibility handling, if API directly returns array
           setServers(data);
-          setPagination(null);
           setIsInitialLoading(false);
           // Initialization successful, start normal polling (skip immediate to avoid duplicate fetch)
           startNormalPolling({ immediate: false });
@@ -215,7 +173,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
           // If data format is not as expected, set to empty array
           console.error('Invalid server data format:', data);
           setServers([]);
-          setPagination(null);
           setIsInitialLoading(false);
           // Initialization successful but data is empty, start normal polling (skip immediate)
           startNormalPolling({ immediate: false });
@@ -270,7 +227,7 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
     return () => {
       clearTimer();
     };
-  }, [refreshKey, t, isInitialLoading, startNormalPolling, currentPage, serversPerPage]);
+  }, [refreshKey, t, isInitialLoading, startNormalPolling]);
 
   // Manually trigger refresh (always refreshes)
   const triggerRefresh = useCallback(() => {
@@ -426,28 +383,12 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
     [t, triggerRefresh],
   );
 
-  // Handle page change
-  const handlePageChange = useCallback((page: number) => {
-    setCurrentPage(page);
-  }, []);
-
-  // Handle servers per page change
-  const handleServersPerPageChange = useCallback((limit: number) => {
-    setServersPerPage(limit);
-    setCurrentPage(1); // Reset to first page when changing page size
-  }, []);
-
   const value: ServerContextType = {
     servers,
     error,
     setError,
     isLoading: isInitialLoading,
     fetchAttempts,
-    pagination,
-    currentPage,
-    serversPerPage,
-    setCurrentPage: handlePageChange,
-    setServersPerPage: handleServersPerPageChange,
     triggerRefresh,
     refreshIfNeeded,
     handleServerAdd,

frontend/src/pages/LoginPage.tsx

@@ -1,11 +1,12 @@
-import React, { useState, useMemo, useCallback } from 'react';
+import React, { useState, useMemo, useCallback, useEffect } from 'react';
 import { useLocation, useNavigate } from 'react-router-dom';
 import { useTranslation } from 'react-i18next';
 import { useAuth } from '../contexts/AuthContext';
-import { getToken } from '../services/authService';
+import { getToken, getOAuthSsoConfig, initiateOAuthSsoLogin } from '../services/authService';
 import ThemeSwitch from '@/components/ui/ThemeSwitch';
 import LanguageSwitch from '@/components/ui/LanguageSwitch';
 import DefaultPasswordWarningModal from '@/components/ui/DefaultPasswordWarningModal';
+import { OAuthSsoConfig, OAuthSsoProvider } from '../types';
 
 const sanitizeReturnUrl = (value: string | null): string | null => {
   if (!value) {
@@ -29,6 +30,44 @@ const sanitizeReturnUrl = (value: string | null): string | null => {
   }
 };
 
+// Provider icon component
+const ProviderIcon: React.FC<{ type: string; className?: string }> = ({ type, className = 'w-5 h-5' }) => {
+  switch (type) {
+    case 'google':
+      return (
+        <svg className={className} viewBox="0 0 24 24" fill="currentColor">
+          <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z" fill="#4285F4"/>
+          <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
+          <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
+          <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
+        </svg>
+      );
+    case 'microsoft':
+      return (
+        <svg className={className} viewBox="0 0 24 24" fill="currentColor">
+          <path d="M11.4 11.4H2V2h9.4v9.4z" fill="#F25022"/>
+          <path d="M22 11.4h-9.4V2H22v9.4z" fill="#7FBA00"/>
+          <path d="M11.4 22H2v-9.4h9.4V22z" fill="#00A4EF"/>
+          <path d="M22 22h-9.4v-9.4H22V22z" fill="#FFB900"/>
+        </svg>
+      );
+    case 'github':
+      return (
+        <svg className={className} viewBox="0 0 24 24" fill="currentColor">
+          <path fillRule="evenodd" clipRule="evenodd" d="M12 2C6.477 2 2 6.477 2 12c0 4.42 2.865 8.17 6.839 9.49.5.092.682-.217.682-.482 0-.237-.009-.866-.013-1.7-2.782.604-3.369-1.34-3.369-1.34-.454-1.156-1.11-1.464-1.11-1.464-.908-.62.069-.608.069-.608 1.003.07 1.531 1.03 1.531 1.03.892 1.529 2.341 1.087 2.91.831.092-.646.35-1.086.636-1.336-2.22-.253-4.555-1.11-4.555-4.943 0-1.091.39-1.984 1.029-2.683-.103-.253-.446-1.27.098-2.647 0 0 .84-.269 2.75 1.025A9.578 9.578 0 0112 6.836c.85.004 1.705.115 2.504.337 1.909-1.294 2.747-1.025 2.747-1.025.546 1.377.203 2.394.1 2.647.64.699 1.028 1.592 1.028 2.683 0 3.842-2.339 4.687-4.566 4.935.359.309.678.919.678 1.852 0 1.336-.012 2.415-.012 2.743 0 .267.18.579.688.481C19.137 20.167 22 16.418 22 12c0-5.523-4.477-10-10-10z"/>
+        </svg>
+      );
+    default:
+      return (
+        <svg className={className} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+          <path d="M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"/>
+          <polyline points="10 17 15 12 10 7"/>
+          <line x1="15" y1="12" x2="3" y2="12"/>
+        </svg>
+      );
+  }
+};
+
 const LoginPage: React.FC = () => {
   const { t } = useTranslation();
   const [username, setUsername] = useState('');
@@ -36,6 +75,7 @@ const LoginPage: React.FC = () => {
   const [error, setError] = useState<string | null>(null);
   const [loading, setLoading] = useState(false);
   const [showDefaultPasswordWarning, setShowDefaultPasswordWarning] = useState(false);
+  const [ssoConfig, setSsoConfig] = useState<OAuthSsoConfig | null>(null);
   const { login } = useAuth();
   const location = useLocation();
   const navigate = useNavigate();
@@ -44,6 +84,25 @@ const LoginPage: React.FC = () => {
     return sanitizeReturnUrl(params.get('returnUrl'));
   }, [location.search]);
 
+  // Check for OAuth error in URL params
+  useEffect(() => {
+    const params = new URLSearchParams(location.search);
+    const oauthError = params.get('error');
+    const oauthMessage = params.get('message');
+    if (oauthError === 'oauth_failed' && oauthMessage) {
+      setError(oauthMessage);
+    }
+  }, [location.search]);
+
+  // Load OAuth SSO configuration
+  useEffect(() => {
+    const loadSsoConfig = async () => {
+      const config = await getOAuthSsoConfig();
+      setSsoConfig(config);
+    };
+    loadSsoConfig();
+  }, []);
+
   const isServerUnavailableError = useCallback((message?: string) => {
     if (!message) return false;
     const normalized = message.toLowerCase();
@@ -137,11 +196,18 @@ const LoginPage: React.FC = () => {
     }
   };
 
+  const handleSsoLogin = (provider: OAuthSsoProvider) => {
+    initiateOAuthSsoLogin(provider.id, returnUrl || undefined);
+  };
+
   const handleCloseWarning = () => {
     setShowDefaultPasswordWarning(false);
     redirectAfterLogin();
   };
 
+  const showLocalAuth = !ssoConfig?.enabled || ssoConfig.localAuthAllowed;
+  const showSsoProviders = ssoConfig?.enabled && ssoConfig.providers.length > 0;
+
   return (
     <div className="relative min-h-screen w-full overflow-hidden bg-gray-50 dark:bg-gray-950">
       {/* Top-right controls */}
@@ -193,58 +259,100 @@ const LoginPage: React.FC = () => {
           <div className="login-card relative w-full rounded-2xl border border-white/10 bg-white/60 p-8 shadow-xl backdrop-blur-md transition dark:border-white/10 dark:bg-gray-900/60">
             <div className="absolute -top-24 right-12 h-40 w-40 -translate-y-6 rounded-full bg-indigo-500/30 blur-3xl" />
             <div className="absolute -bottom-24 -left-12 h-40 w-40 translate-y-6 rounded-full bg-cyan-500/20 blur-3xl" />
-            <form className="mt-4 space-y-4" onSubmit={handleSubmit}>
+            
-              <div className="space-y-4">
+            {/* SSO Providers */}
-                <div>
+            {showSsoProviders && (
-                  <label htmlFor="username" className="sr-only">
+              <div className="mt-4 space-y-3">
-                    {t('auth.username')}
+                {ssoConfig.providers.map((provider) => (
-                  </label>
+                  <button
-                  <input
+                    key={provider.id}
-                    id="username"
+                    type="button"
-                    name="username"
+                    onClick={() => handleSsoLogin(provider)}
-                    type="text"
+                    className="group relative flex w-full items-center justify-center gap-3 rounded-md border border-gray-300/60 bg-white/80 px-4 py-3 text-sm font-medium text-gray-700 shadow-sm transition-all hover:bg-gray-50 hover:shadow focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 dark:border-gray-600/60 dark:bg-gray-800/80 dark:text-gray-200 dark:hover:bg-gray-700/80"
-                    autoComplete="username"
+                  >
-                    required
+                    <ProviderIcon type={provider.icon || provider.type} />
-                    className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
+                    <span>{provider.buttonText || t('oauthSso.signInWith', { provider: provider.name })}</span>
-                    placeholder={t('auth.username')}
+                  </button>
-                    value={username}
+                ))}
-                    onChange={(e) => setUsername(e.target.value)}
+              </div>
-                  />
+            )}
+
+            {/* Divider between SSO and local auth */}
+            {showSsoProviders && showLocalAuth && (
+              <div className="relative my-6">
+                <div className="absolute inset-0 flex items-center">
+                  <div className="w-full border-t border-gray-300/60 dark:border-gray-600/60" />
                 </div>
-                <div>
+                <div className="relative flex justify-center text-sm">
-                  <label htmlFor="password" className="sr-only">
+                  <span className="bg-white/60 px-4 text-gray-500 dark:bg-gray-900/60 dark:text-gray-400">
-                    {t('auth.password')}
+                    {t('oauthSso.orContinueWith')}
-                  </label>
+                  </span>
-                  <input
-                    id="password"
-                    name="password"
-                    type="password"
-                    autoComplete="current-password"
-                    required
-                    className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
-                    placeholder={t('auth.password')}
-                    value={password}
-                    onChange={(e) => setPassword(e.target.value)}
-                  />
                 </div>
               </div>
+            )}
 
-              {error && (
+            {/* Local auth form */}
-                <div className="error-box rounded border border-red-500/20 bg-red-500/10 p-2 text-center text-sm text-red-600 dark:text-red-400">
+            {showLocalAuth && (
-                  {error}
+              <form className="mt-4 space-y-4" onSubmit={handleSubmit}>
+                <div className="space-y-4">
+                  <div>
+                    <label htmlFor="username" className="sr-only">
+                      {t('auth.username')}
+                    </label>
+                    <input
+                      id="username"
+                      name="username"
+                      type="text"
+                      autoComplete="username"
+                      required
+                      className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
+                      placeholder={t('auth.username')}
+                      value={username}
+                      onChange={(e) => setUsername(e.target.value)}
+                    />
+                  </div>
+                  <div>
+                    <label htmlFor="password" className="sr-only">
+                      {t('auth.password')}
+                    </label>
+                    <input
+                      id="password"
+                      name="password"
+                      type="password"
+                      autoComplete="current-password"
+                      required
+                      className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
+                      placeholder={t('auth.password')}
+                      value={password}
+                      onChange={(e) => setPassword(e.target.value)}
+                    />
+                  </div>
                 </div>
-              )}
 
-              <div>
+                {error && (
-                <button
+                  <div className="error-box rounded border border-red-500/20 bg-red-500/10 p-2 text-center text-sm text-red-600 dark:text-red-400">
-                  type="submit"
+                    {error}
-                  disabled={loading}
+                  </div>
-                  className="login-button btn-primary group relative flex w-full items-center justify-center rounded-md border border-transparent bg-indigo-600 px-4 py-2 text-sm font-medium text-white transition-all hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-70"
+                )}
-                >
+
-                  {loading ? t('auth.loggingIn') : t('auth.login')}
+                <div>
-                </button>
+                  <button
+                    type="submit"
+                    disabled={loading}
+                    className="login-button btn-primary group relative flex w-full items-center justify-center rounded-md border border-transparent bg-indigo-600 px-4 py-2 text-sm font-medium text-white transition-all hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-70"
+                  >
+                    {loading ? t('auth.loggingIn') : t('auth.login')}
+                  </button>
+                </div>
+              </form>
+            )}
+
+            {/* Error display for SSO-only mode */}
+            {!showLocalAuth && error && (
+              <div className="mt-4 error-box rounded border border-red-500/20 bg-red-500/10 p-2 text-center text-sm text-red-600 dark:text-red-400">
+                {error}
               </div>
-            </form>
+            )}
           </div>
         </div>
       </div>

frontend/src/pages/OAuthCallbackPage.tsx

@@ -0,0 +1,42 @@
+import React, { useEffect } from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+import { setToken } from '../services/authService';
+
+/**
+ * OAuth Callback Page
+ * 
+ * This page handles the callback from OAuth SSO providers.
+ * It receives the JWT token as a query parameter, stores it, and redirects to the app.
+ */
+const OAuthCallbackPage: React.FC = () => {
+  const navigate = useNavigate();
+  const [searchParams] = useSearchParams();
+
+  useEffect(() => {
+    const token = searchParams.get('token');
+    const returnUrl = searchParams.get('returnUrl') || '/';
+
+    if (token) {
+      // Store the token
+      setToken(token);
+      
+      // Redirect to the return URL
+      navigate(returnUrl, { replace: true });
+    } else {
+      // No token - redirect to login with error
+      navigate('/login?error=oauth_failed&message=No+token+received', { replace: true });
+    }
+  }, [searchParams, navigate]);
+
+  // Show loading state while processing
+  return (
+    <div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950">
+      <div className="text-center">
+        <div className="animate-spin rounded-full h-12 w-12 border-t-2 border-b-2 border-indigo-500 mx-auto"></div>
+        <p className="mt-4 text-gray-600 dark:text-gray-400">Completing authentication...</p>
+      </div>
+    </div>
+  );
+};
+
+export default OAuthCallbackPage;

frontend/src/pages/ServersPage.tsx

@@ -8,7 +8,6 @@ import EditServerForm from '@/components/EditServerForm';
 import { useServerData } from '@/hooks/useServerData';
 import DxtUploadForm from '@/components/DxtUploadForm';
 import JSONImportForm from '@/components/JSONImportForm';
-import Pagination from '@/components/ui/Pagination';
 
 const ServersPage: React.FC = () => {
   const { t } = useTranslation();
@@ -18,11 +17,6 @@ const ServersPage: React.FC = () => {
     error,
     setError,
     isLoading,
-    pagination,
-    currentPage,
-    serversPerPage,
-    setCurrentPage,
-    setServersPerPage,
     handleServerAdd,
     handleServerEdit,
     handleServerRemove,
@@ -157,66 +151,19 @@ const ServersPage: React.FC = () => {
           <p className="text-gray-600">{t('app.noServers')}</p>
         </div>
       ) : (
-        <>
+        <div className="space-y-6">
-          <div className="space-y-6">
+          {servers.map((server, index) => (
-            {servers.map((server, index) => (
+            <ServerCard
-              <ServerCard
+              key={index}
-                key={index}
+              server={server}
-                server={server}
+              onRemove={handleServerRemove}
-                onRemove={handleServerRemove}
+              onEdit={handleEditClick}
-                onEdit={handleEditClick}
+              onToggle={handleServerToggle}
-                onToggle={handleServerToggle}
+              onRefresh={triggerRefresh}
-                onRefresh={triggerRefresh}
+              onReload={handleServerReload}
-                onReload={handleServerReload}
+            />
-              />
+          ))}
-            ))}
+        </div>
-          </div>
-
-          <div className="flex items-center mb-4">
-            <div className="flex-[2] text-sm text-gray-500">
-              {pagination ? (
-                t('common.showing', {
-                  start: (pagination.page - 1) * pagination.limit + 1,
-                  end: Math.min(pagination.page * pagination.limit, pagination.total),
-                  total: pagination.total
-                })
-              ) : (
-                t('common.showing', {
-                  start: 1,
-                  end: servers.length,
-                  total: servers.length
-                })
-              )}
-            </div>
-            <div className="flex-[4] flex justify-center">
-              {pagination && pagination.totalPages > 1 && (
-                <Pagination
-                  currentPage={currentPage}
-                  totalPages={pagination.totalPages}
-                  onPageChange={setCurrentPage}
-                  disabled={isLoading}
-                />
-              )}
-            </div>
-            <div className="flex-[2] flex items-center justify-end space-x-2">
-              <label htmlFor="perPage" className="text-sm text-gray-600">
-                {t('common.itemsPerPage')}:
-              </label>
-              <select
-                id="perPage"
-                value={serversPerPage}
-                onChange={(e) => setServersPerPage(Number(e.target.value))}
-                disabled={isLoading}
-                className="border rounded p-1 text-sm btn-secondary outline-none disabled:opacity-50 disabled:cursor-not-allowed"
-              >
-                <option value={5}>5</option>
-                <option value={10}>10</option>
-                <option value={20}>20</option>
-                <option value={50}>50</option>
-              </select>
-            </div>
-          </div>
-        </>
       )}
 
       {editingServer && (

frontend/src/services/authService.ts

@@ -3,6 +3,7 @@ import {
   LoginCredentials,
   RegisterCredentials,
   ChangePasswordCredentials,
+  OAuthSsoConfig,
 } from '../types';
 import { apiPost, apiGet } from '../utils/fetchInterceptor';
 import { getToken, setToken, removeToken } from '../utils/interceptors';
@@ -105,6 +106,30 @@ export const changePassword = async (
   }
 };
 
+// Get OAuth SSO configuration
+export const getOAuthSsoConfig = async (): Promise<OAuthSsoConfig | null> => {
+  try {
+    const response = await apiGet<{ success: boolean; data: OAuthSsoConfig }>('/auth/sso/config');
+    if (response.success && response.data) {
+      return response.data;
+    }
+    return null;
+  } catch (error) {
+    console.error('Get OAuth SSO config error:', error);
+    return null;
+  }
+};
+
+// Initiate OAuth SSO login (redirects to provider)
+export const initiateOAuthSsoLogin = (providerId: string, returnUrl?: string): void => {
+  const basePath = import.meta.env.VITE_BASE_PATH || '';
+  let url = `${basePath}/api/auth/sso/${providerId}`;
+  if (returnUrl) {
+    url += `?returnUrl=${encodeURIComponent(returnUrl)}`;
+  }
+  window.location.href = url;
+};
+
 // Logout user
 export const logout = (): void => {
   removeToken();

frontend/src/types/index.ts

@@ -105,17 +105,6 @@ export interface Prompt {
   enabled?: boolean;
 }
 
-// Proxychains4 configuration for STDIO servers (Linux/macOS only)
-export interface ProxychainsConfig {
-  enabled?: boolean; // Enable/disable proxychains4 proxy routing
-  type?: 'socks4' | 'socks5' | 'http'; // Proxy protocol type
-  host?: string; // Proxy server hostname or IP address
-  port?: number; // Proxy server port
-  username?: string; // Proxy authentication username (optional)
-  password?: string; // Proxy authentication password (optional)
-  configPath?: string; // Path to custom proxychains4 configuration file (optional)
-}
-
 // Server config types
 export interface ServerConfig {
   type?: 'stdio' | 'sse' | 'streamable-http' | 'openapi';
@@ -134,8 +123,6 @@ export interface ServerConfig {
     resetTimeoutOnProgress?: boolean; // Reset timeout on progress notifications
     maxTotalTimeout?: number; // Maximum total timeout in milliseconds
   }; // MCP request options configuration
-  // Proxychains4 proxy configuration for STDIO servers (Linux/macOS only, Windows not supported)
-  proxy?: ProxychainsConfig;
   // OAuth authentication for upstream MCP servers
   oauth?: {
     clientId?: string; // OAuth client ID
@@ -394,6 +381,21 @@ export interface AuthResponse {
   isUsingDefaultPassword?: boolean;
 }
 
+// OAuth SSO types
+export interface OAuthSsoProvider {
+  id: string;
+  name: string;
+  type: string;
+  icon?: string;
+  buttonText?: string;
+}
+
+export interface OAuthSsoConfig {
+  enabled: boolean;
+  providers: OAuthSsoProvider[];
+  localAuthAllowed: boolean;
+}
+
 // Official Registry types (from registry.modelcontextprotocol.io)
 export interface RegistryVariable {
   choices?: string[];

locales/en.json

@@ -248,10 +248,6 @@
     "wechat": "WeChat",
     "discord": "Discord",
     "required": "Required",
-    "itemsPerPage": "Items per page",
-    "showing": "Showing {{start}}-{{end}} of {{total}}",
-    "previous": "Previous",
-    "next": "Next",
     "secret": "Secret",
     "default": "Default",
     "value": "Value",
@@ -844,5 +840,25 @@
     "internalError": "Internal Error",
     "internalErrorMessage": "An unexpected error occurred while processing the OAuth callback.",
     "closeWindow": "Close Window"
+  },
+  "oauthSso": {
+    "errors": {
+      "providerIdRequired": "Provider ID is required",
+      "providerNotFound": "OAuth provider not found",
+      "missingState": "Missing OAuth state parameter",
+      "missingCode": "Missing authorization code",
+      "invalidState": "Invalid or expired OAuth state",
+      "authFailed": "OAuth authentication failed",
+      "userNotProvisioned": "User not found and auto-provisioning is disabled"
+    },
+    "signInWith": "Sign in with {{provider}}",
+    "orContinueWith": "Or continue with",
+    "continueWithProvider": "Continue with {{provider}}",
+    "loginWithSso": "Login with SSO",
+    "providers": {
+      "google": "Google",
+      "microsoft": "Microsoft",
+      "github": "GitHub"
+    }
   }
 }

locales/fr.json

@@ -248,10 +248,6 @@
     "github": "GitHub",
     "wechat": "WeChat",
     "discord": "Discord",
-    "itemsPerPage": "Éléments par page",
-    "showing": "Affichage de {{start}}-{{end}} sur {{total}}",
-    "previous": "Précédent",
-    "next": "Suivant",
     "required": "Requis",
     "secret": "Secret",
     "default": "Défaut",

locales/tr.json

@@ -248,10 +248,6 @@
     "github": "GitHub",
     "wechat": "WeChat",
     "discord": "Discord",
-    "itemsPerPage": "Sayfa başına öğe",
-    "showing": "{{total}} öğeden {{start}}-{{end}} gösteriliyor",
-    "previous": "Önceki",
-    "next": "Sonraki",
     "required": "Gerekli",
     "secret": "Gizli",
     "default": "Varsayılan",

locales/zh.json

@@ -248,10 +248,6 @@
     "dismiss": "忽略",
     "github": "GitHub",
     "wechat": "微信",
-    "itemsPerPage": "每页显示",
-    "showing": "显示第 {{start}}-{{end}} 条，共 {{total}} 条",
-    "previous": "上一页",
-    "next": "下一页",
     "discord": "Discord",
     "required": "必填",
     "secret": "敏感",
@@ -846,5 +842,25 @@
     "internalError": "内部错误",
     "internalErrorMessage": "处理 OAuth 回调时发生意外错误。",
     "closeWindow": "关闭窗口"
+  },
+  "oauthSso": {
+    "errors": {
+      "providerIdRequired": "需要提供身份验证提供商 ID",
+      "providerNotFound": "未找到 OAuth 身份验证提供商",
+      "missingState": "缺少 OAuth 状态参数",
+      "missingCode": "缺少授权码",
+      "invalidState": "OAuth 状态无效或已过期",
+      "authFailed": "OAuth 身份验证失败",
+      "userNotProvisioned": "用户未找到且自动创建用户已禁用"
+    },
+    "signInWith": "使用 {{provider}} 登录",
+    "orContinueWith": "或使用以下方式继续",
+    "continueWithProvider": "使用 {{provider}} 继续",
+    "loginWithSso": "使用 SSO 登录",
+    "providers": {
+      "google": "Google",
+      "microsoft": "Microsoft",
+      "github": "GitHub"
+    }
   }
 }

src/controllers/oauthSsoController.ts

@@ -0,0 +1,245 @@
+/**
+ * OAuth SSO Controller
+ *
+ * Handles OAuth SSO authentication endpoints.
+ */
+
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import {
+  generateAuthorizationUrl,
+  handleCallback,
+  getPublicProviderInfo,
+  isLocalAuthAllowed,
+  isOAuthSsoEnabled,
+  getOAuthSsoConfig as getSsoConfigFromService,
+} from '../services/oauthSsoService.js';
+import { JWT_SECRET } from '../config/jwt.js';
+import config from '../config/index.js';
+
+const TOKEN_EXPIRY = '24h';
+
+/**
+ * Get the base URL for OAuth callbacks
+ * Uses configured callbackBaseUrl if available, otherwise derives from request
+ * This approach is more secure than blindly trusting forwarded headers
+ */
+async function getCallbackBaseUrl(req: Request): Promise<string> {
+  // First, check if a callback base URL is configured (most secure option)
+  const ssoConfig = await getSsoConfigFromService();
+  if (ssoConfig?.callbackBaseUrl) {
+    return ssoConfig.callbackBaseUrl;
+  }
+
+  // Fall back to deriving from request (less secure, but works in simpler setups)
+  // Only trust forwarded headers if app is configured to trust proxy
+  if (req.app.get('trust proxy') && req.headers['x-forwarded-proto'] && req.headers['x-forwarded-host']) {
+    const proto = Array.isArray(req.headers['x-forwarded-proto'])
+      ? req.headers['x-forwarded-proto'][0]
+      : req.headers['x-forwarded-proto'];
+    const host = Array.isArray(req.headers['x-forwarded-host'])
+      ? req.headers['x-forwarded-host'][0]
+      : req.headers['x-forwarded-host'];
+    return `${proto}://${host}`;
+  }
+
+  return `${req.protocol}://${req.get('host')}`;
+}
+
+/**
+ * Get OAuth SSO configuration for frontend
+ * Returns enabled providers and whether local auth is allowed
+ */
+export const getOAuthSsoConfig = async (req: Request, res: Response): Promise<void> => {
+  try {
+    const enabled = await isOAuthSsoEnabled();
+    const providers = await getPublicProviderInfo();
+    const localAuthAllowed = await isLocalAuthAllowed();
+
+    res.json({
+      success: true,
+      data: {
+        enabled,
+        providers,
+        localAuthAllowed,
+      },
+    });
+  } catch (error) {
+    console.error('Error getting OAuth SSO config:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to get OAuth SSO configuration',
+    });
+  }
+};
+
+/**
+ * Initiate OAuth SSO login
+ * Redirects user to the OAuth provider's authorization page
+ */
+export const initiateOAuthLogin = async (req: Request, res: Response): Promise<void> => {
+  const t = (req as any).t || ((key: string) => key);
+
+  try {
+    const { providerId } = req.params;
+    const { returnUrl } = req.query;
+
+    if (!providerId) {
+      res.status(400).json({
+        success: false,
+        message: t('oauthSso.errors.providerIdRequired'),
+      });
+      return;
+    }
+
+    // Build callback URL
+    // Note: Use configured callback base URL from oauthSso config if available
+    // This avoids relying on potentially untrusted forwarded headers
+    const baseUrl = await getCallbackBaseUrl(req);
+
+    const callbackUrl = `${baseUrl}${config.basePath}/api/auth/sso/${providerId}/callback`;
+
+    // Generate authorization URL
+    const { url } = await generateAuthorizationUrl(
+      providerId,
+      callbackUrl,
+      typeof returnUrl === 'string' ? returnUrl : undefined,
+    );
+
+    // Redirect to OAuth provider
+    res.redirect(url);
+  } catch (error) {
+    console.error('Error initiating OAuth login:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Failed to initiate OAuth login';
+    res.status(500).json({
+      success: false,
+      message: errorMessage,
+    });
+  }
+};
+
+/**
+ * Handle OAuth callback from provider
+ * Exchanges code for tokens and creates/updates user
+ */
+export const handleOAuthCallback = async (req: Request, res: Response): Promise<void> => {
+  const t = (req as any).t || ((key: string) => key);
+
+  try {
+    const { providerId } = req.params;
+    const { code, state, error, error_description } = req.query;
+
+    // Handle OAuth errors
+    if (error) {
+      console.error(`OAuth error from provider ${providerId}:`, error, error_description);
+      const errorUrl = buildErrorRedirectUrl(String(error_description || error), req);
+      return res.redirect(errorUrl);
+    }
+
+    // Validate required parameters
+    if (!state) {
+      const errorUrl = buildErrorRedirectUrl(t('oauthSso.errors.missingState'), req);
+      return res.redirect(errorUrl);
+    }
+
+    if (!code) {
+      const errorUrl = buildErrorRedirectUrl(t('oauthSso.errors.missingCode'), req);
+      return res.redirect(errorUrl);
+    }
+
+    // Build callback URL (same as used in initiate)
+    const baseUrl = await getCallbackBaseUrl(req);
+
+    const callbackUrl = `${baseUrl}${config.basePath}/api/auth/sso/${providerId}/callback`;
+
+    // Full current URL with query params
+    const currentUrl = `${callbackUrl}?${new URLSearchParams(req.query as Record<string, string>).toString()}`;
+
+    // Exchange code for tokens and get user
+    const { user, returnUrl } = await handleCallback(
+      callbackUrl,
+      currentUrl,
+      String(state),
+    );
+
+    // Generate JWT token
+    const payload = {
+      user: {
+        username: user.username,
+        isAdmin: user.isAdmin || false,
+      },
+    };
+
+    const token = jwt.sign(payload, JWT_SECRET, { expiresIn: TOKEN_EXPIRY });
+
+    // Redirect to frontend with token
+    const redirectUrl = buildSuccessRedirectUrl(token, returnUrl, req);
+    res.redirect(redirectUrl);
+  } catch (error) {
+    console.error('Error handling OAuth callback:', error);
+    const errorMessage =
+      error instanceof Error ? error.message : 'Authentication failed';
+    const errorUrl = buildErrorRedirectUrl(errorMessage, req);
+    res.redirect(errorUrl);
+  }
+};
+
+/**
+ * Get list of available OAuth providers
+ */
+export const listOAuthProviders = async (req: Request, res: Response): Promise<void> => {
+  try {
+    const providers = await getPublicProviderInfo();
+    res.json({
+      success: true,
+      data: providers,
+    });
+  } catch (error) {
+    console.error('Error listing OAuth providers:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to list OAuth providers',
+    });
+  }
+};
+
+/**
+ * Build redirect URL for successful authentication
+ */
+function buildSuccessRedirectUrl(token: string, returnUrl: string | undefined, req: Request): string {
+  const baseUrl = getBaseUrl(req);
+  const targetPath = returnUrl || '/';
+  
+  // Use a special OAuth callback page that stores the token
+  const callbackPath = `${config.basePath}/oauth-callback`;
+  const params = new URLSearchParams({
+    token,
+    returnUrl: targetPath,
+  });
+
+  return `${baseUrl}${callbackPath}?${params.toString()}`;
+}
+
+/**
+ * Build redirect URL for authentication errors
+ */
+function buildErrorRedirectUrl(error: string, req: Request): string {
+  const baseUrl = getBaseUrl(req);
+  const loginPath = `${config.basePath}/login`;
+  const params = new URLSearchParams({
+    error: 'oauth_failed',
+    message: error,
+  });
+
+  return `${baseUrl}${loginPath}?${params.toString()}`;
+}
+
+/**
+ * Get base URL from request
+ */
+function getBaseUrl(req: Request): string {
+  if (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-host']) {
+    return `${req.headers['x-forwarded-proto']}://${req.headers['x-forwarded-host']}`;
+  }
+  return `${req.protocol}://${req.get('host')}`;
+}

src/controllers/serverController.ts

@@ -7,7 +7,6 @@ import {
   BatchCreateServersResponse,
   BatchServerResult,
   ServerConfig,
-  ServerInfo,
 } from '../types/index.js';
 import {
   getServersInfo,
@@ -25,66 +24,13 @@ import { createSafeJSON } from '../utils/serialization.js';
 import { cloneDefaultOAuthServerConfig } from '../constants/oauthServerDefaults.js';
 import { getServerDao, getGroupDao, getSystemConfigDao } from '../dao/DaoFactory.js';
 import { getBearerKeyDao } from '../dao/DaoFactory.js';
-import { UserContextService } from '../services/userContextService.js';
 
-export const getAllServers = async (req: Request, res: Response): Promise<void> => {
+export const getAllServers = async (_: Request, res: Response): Promise<void> => {
   try {
-    // Parse pagination parameters from query string
+    const serversInfo = await getServersInfo();
-    const page = req.query.page ? parseInt(req.query.page as string, 10) : 1;
-    const limit = req.query.limit ? parseInt(req.query.limit as string, 10) : undefined;
-
-    // Validate pagination parameters
-    if (page < 1) {
-      res.status(400).json({
-        success: false,
-        message: 'Page number must be greater than 0',
-      });
-      return;
-    }
-
-    if (limit !== undefined && (limit < 1 || limit > 1000)) {
-      res.status(400).json({
-        success: false,
-        message: 'Limit must be between 1 and 1000',
-      });
-      return;
-    }
-
-    // Get current user for filtering
-    const currentUser = UserContextService.getInstance().getCurrentUser();
-    const isAdmin = !currentUser || currentUser.isAdmin;
-
-    // Get servers info with pagination if limit is specified
-    let serversInfo: Omit<ServerInfo, 'client' | 'transport'>[];
-    let pagination = undefined;
-
-    if (limit !== undefined) {
-      // Use DAO layer pagination with proper filtering
-      const serverDao = getServerDao();
-      const paginatedResult = isAdmin
-        ? await serverDao.findAllPaginated(page, limit)
-        : await serverDao.findByOwnerPaginated(currentUser!.username, page, limit);
-      
-      // Get runtime info for paginated servers
-      serversInfo = await getServersInfo(page, limit, currentUser);
-      
-      pagination = {
-        page: paginatedResult.page,
-        limit: paginatedResult.limit,
-        total: paginatedResult.total,
-        totalPages: paginatedResult.totalPages,
-        hasNextPage: paginatedResult.page < paginatedResult.totalPages,
-        hasPrevPage: paginatedResult.page > 1,
-      };
-    } else {
-      // No pagination, get all servers (will be filtered by mcpService)
-      serversInfo = await getServersInfo();
-    }
-
     const response: ApiResponse = {
       success: true,
       data: createSafeJSON(serversInfo),
-      ...(pagination && { pagination }),
     };
     res.json(response);
   } catch (error) {
@@ -618,9 +564,10 @@ export const updateServer = async (req: Request, res: Response): Promise<void> =
       });
     }
   } catch (error) {
+    console.error('Failed to update server:', error);
     res.status(500).json({
       success: false,
-      message: 'Internal server error',
+      message: error instanceof Error ? error.message : 'Internal server error',
     });
   }
 };

src/dao/ServerDao.ts

@@ -2,31 +2,10 @@ import { ServerConfig } from '../types/index.js';
 import { BaseDao } from './base/BaseDao.js';
 import { JsonFileBaseDao } from './base/JsonFileBaseDao.js';
 
-/**
- * Pagination result interface
- */
-export interface PaginatedResult<T> {
-  data: T[];
-  total: number;
-  page: number;
-  limit: number;
-  totalPages: number;
-}
-
 /**
  * Server DAO interface with server-specific operations
  */
 export interface ServerDao extends BaseDao<ServerConfigWithName, string> {
-  /**
-   * Find all servers with pagination
-   */
-  findAllPaginated(page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>>;
-
-  /**
-   * Find servers by owner with pagination
-   */
-  findByOwnerPaginated(owner: string, page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>>;
-
   /**
    * Find servers by owner
    */
@@ -197,61 +176,6 @@ export class ServerDaoImpl extends JsonFileBaseDao implements ServerDao {
     return servers.length;
   }
 
-  async findAllPaginated(page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
-    const allServers = await this.getAll();
-    // Sort: enabled servers first, then by creation time
-    const sortedServers = allServers.sort((a, b) => {
-      const aEnabled = a.enabled !== false;
-      const bEnabled = b.enabled !== false;
-      if (aEnabled !== bEnabled) {
-        return aEnabled ? -1 : 1;
-      }
-      return 0; // Keep original order for same enabled status
-    });
-    
-    const total = sortedServers.length;
-    const totalPages = Math.ceil(total / limit);
-    const startIndex = (page - 1) * limit;
-    const endIndex = startIndex + limit;
-    const data = sortedServers.slice(startIndex, endIndex);
-
-    return {
-      data,
-      total,
-      page,
-      limit,
-      totalPages,
-    };
-  }
-
-  async findByOwnerPaginated(owner: string, page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
-    const allServers = await this.getAll();
-    const filteredServers = allServers.filter((server) => server.owner === owner);
-    // Sort: enabled servers first, then by creation time
-    const sortedServers = filteredServers.sort((a, b) => {
-      const aEnabled = a.enabled !== false;
-      const bEnabled = b.enabled !== false;
-      if (aEnabled !== bEnabled) {
-        return aEnabled ? -1 : 1;
-      }
-      return 0; // Keep original order for same enabled status
-    });
-    
-    const total = sortedServers.length;
-    const totalPages = Math.ceil(total / limit);
-    const startIndex = (page - 1) * limit;
-    const endIndex = startIndex + limit;
-    const data = sortedServers.slice(startIndex, endIndex);
-
-    return {
-      data,
-      total,
-      page,
-      limit,
-      totalPages,
-    };
-  }
-
   async findByOwner(owner: string): Promise<ServerConfigWithName[]> {
     const servers = await this.getAll();
     return servers.filter((server) => server.owner === owner);

src/dao/ServerDaoDbImpl.ts

@@ -1,4 +1,4 @@
-import { ServerDao, ServerConfigWithName, PaginatedResult } from './index.js';
+import { ServerDao, ServerConfigWithName } from './index.js';
 import { ServerRepository } from '../db/repositories/ServerRepository.js';
 
 /**
@@ -16,32 +16,6 @@ export class ServerDaoDbImpl implements ServerDao {
     return servers.map((s) => this.mapToServerConfig(s));
   }
 
-  async findAllPaginated(page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
-    const { data, total } = await this.repository.findAllPaginated(page, limit);
-    const totalPages = Math.ceil(total / limit);
-
-    return {
-      data: data.map((s) => this.mapToServerConfig(s)),
-      total,
-      page,
-      limit,
-      totalPages,
-    };
-  }
-
-  async findByOwnerPaginated(owner: string, page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
-    const { data, total } = await this.repository.findByOwnerPaginated(owner, page, limit);
-    const totalPages = Math.ceil(total / limit);
-
-    return {
-      data: data.map((s) => this.mapToServerConfig(s)),
-      total,
-      page,
-      limit,
-      totalPages,
-    };
-  }
-
   async findById(name: string): Promise<ServerConfigWithName | null> {
     const server = await this.repository.findByName(name);
     return server ? this.mapToServerConfig(server) : null;
@@ -64,7 +38,6 @@ export class ServerDaoDbImpl implements ServerDao {
       prompts: entity.prompts,
       options: entity.options,
       oauth: entity.oauth,
-      proxy: entity.proxy,
       openapi: entity.openapi,
     });
     return this.mapToServerConfig(server);
@@ -89,7 +62,6 @@ export class ServerDaoDbImpl implements ServerDao {
       prompts: entity.prompts,
       options: entity.options,
       oauth: entity.oauth,
-      proxy: entity.proxy,
       openapi: entity.openapi,
     });
     return server ? this.mapToServerConfig(server) : null;
@@ -168,7 +140,6 @@ export class ServerDaoDbImpl implements ServerDao {
     prompts?: Record<string, { enabled: boolean; description?: string }>;
     options?: Record<string, any>;
     oauth?: Record<string, any>;
-    proxy?: Record<string, any>;
     openapi?: Record<string, any>;
   }): ServerConfigWithName {
     return {
@@ -187,7 +158,6 @@ export class ServerDaoDbImpl implements ServerDao {
       prompts: server.prompts,
       options: server.options,
       oauth: server.oauth,
-      proxy: server.proxy,
       openapi: server.openapi,
     };
   }

src/dao/SystemConfigDaoDbImpl.ts

@@ -22,6 +22,7 @@ export class SystemConfigDaoDbImpl implements SystemConfigDao {
       nameSeparator: config.nameSeparator,
       oauth: config.oauth as any,
       oauthServer: config.oauthServer as any,
+      oauthSso: config.oauthSso as any,
       enableSessionRebuild: config.enableSessionRebuild,
     };
   }
@@ -36,6 +37,7 @@ export class SystemConfigDaoDbImpl implements SystemConfigDao {
       nameSeparator: updated.nameSeparator,
       oauth: updated.oauth as any,
       oauthServer: updated.oauthServer as any,
+      oauthSso: updated.oauthSso as any,
       enableSessionRebuild: updated.enableSessionRebuild,
     };
   }
@@ -50,6 +52,7 @@ export class SystemConfigDaoDbImpl implements SystemConfigDao {
       nameSeparator: config.nameSeparator,
       oauth: config.oauth as any,
       oauthServer: config.oauthServer as any,
+      oauthSso: config.oauthSso as any,
       enableSessionRebuild: config.enableSessionRebuild,
     };
   }

src/dao/UserDaoDbImpl.ts

@@ -13,23 +13,28 @@ export class UserDaoDbImpl implements UserDao {
     this.repository = new UserRepository();
   }
 
-  async findAll(): Promise<IUser[]> {
+  private mapToIUser(u: any): IUser {
-    const users = await this.repository.findAll();
+    return {
-    return users.map((u) => ({
       username: u.username,
       password: u.password,
       isAdmin: u.isAdmin,
-    }));
+      oauthProvider: u.oauthProvider,
+      oauthSubject: u.oauthSubject,
+      email: u.email,
+      displayName: u.displayName,
+      avatarUrl: u.avatarUrl,
+    };
+  }
+
+  async findAll(): Promise<IUser[]> {
+    const users = await this.repository.findAll();
+    return users.map(this.mapToIUser);
   }
 
   async findById(username: string): Promise<IUser | null> {
     const user = await this.repository.findByUsername(username);
     if (!user) return null;
-    return {
+    return this.mapToIUser(user);
-      username: user.username,
-      password: user.password,
-      isAdmin: user.isAdmin,
-    };
   }
 
   async findByUsername(username: string): Promise<IUser | null> {
@@ -41,12 +46,13 @@ export class UserDaoDbImpl implements UserDao {
       username: entity.username,
       password: entity.password,
       isAdmin: entity.isAdmin || false,
+      oauthProvider: entity.oauthProvider,
+      oauthSubject: entity.oauthSubject,
+      email: entity.email,
+      displayName: entity.displayName,
+      avatarUrl: entity.avatarUrl,
     });
-    return {
+    return this.mapToIUser(user);
-      username: user.username,
-      password: user.password,
-      isAdmin: user.isAdmin,
-    };
   }
 
   async createWithHashedPassword(
@@ -62,13 +68,14 @@ export class UserDaoDbImpl implements UserDao {
     const user = await this.repository.update(username, {
       password: entity.password,
       isAdmin: entity.isAdmin,
+      oauthProvider: entity.oauthProvider,
+      oauthSubject: entity.oauthSubject,
+      email: entity.email,
+      displayName: entity.displayName,
+      avatarUrl: entity.avatarUrl,
     });
     if (!user) return null;
-    return {
+    return this.mapToIUser(user);
-      username: user.username,
-      password: user.password,
-      isAdmin: user.isAdmin,
-    };
   }
 
   async delete(username: string): Promise<boolean> {
@@ -99,10 +106,6 @@ export class UserDaoDbImpl implements UserDao {
 
   async findAdmins(): Promise<IUser[]> {
     const users = await this.repository.findAdmins();
-    return users.map((u) => ({
+    return users.map(this.mapToIUser);
-      username: u.username,
-      password: u.password,
-      isAdmin: u.isAdmin,
-    }));
   }
 }

src/db/entities/Server.ts

@@ -59,9 +59,6 @@ export class Server {
   @Column({ type: 'simple-json', nullable: true })
   oauth?: Record<string, any>;
 
-  @Column({ type: 'simple-json', nullable: true })
-  proxy?: Record<string, any>;
-
   @Column({ type: 'simple-json', nullable: true })
   openapi?: Record<string, any>;
 

src/db/entities/SystemConfig.ts

@@ -30,6 +30,9 @@ export class SystemConfig {
   @Column({ type: 'simple-json', nullable: true })
   oauthServer?: Record<string, any>;
 
+  @Column({ name: 'oauth_sso', type: 'simple-json', nullable: true })
+  oauthSso?: Record<string, any>;
+
   @Column({ type: 'boolean', nullable: true })
   enableSessionRebuild?: boolean;
 

src/db/entities/User.ts

@@ -23,6 +23,22 @@ export class User {
   @Column({ type: 'boolean', default: false })
   isAdmin: boolean;
 
+  // OAuth SSO fields
+  @Column({ name: 'oauth_provider', type: 'varchar', length: 100, nullable: true })
+  oauthProvider?: string;
+
+  @Column({ name: 'oauth_subject', type: 'varchar', length: 255, nullable: true })
+  oauthSubject?: string;
+
+  @Column({ type: 'varchar', length: 255, nullable: true })
+  email?: string;
+
+  @Column({ name: 'display_name', type: 'varchar', length: 255, nullable: true })
+  displayName?: string;
+
+  @Column({ name: 'avatar_url', type: 'text', nullable: true })
+  avatarUrl?: string;
+
   @CreateDateColumn({ name: 'created_at', type: 'timestamp' })
   createdAt: Date;
 

src/db/repositories/ServerRepository.ts

@@ -69,41 +69,6 @@ export class ServerRepository {
     return await this.repository.count();
   }
 
-  /**
-   * Find servers with pagination
-   */
-  async findAllPaginated(page: number, limit: number): Promise<{ data: Server[]; total: number }> {
-    const skip = (page - 1) * limit;
-    const [data, total] = await this.repository.findAndCount({
-      order: { 
-        enabled: 'DESC',  // Enabled servers first
-        createdAt: 'ASC'  // Then by creation time
-      },
-      skip,
-      take: limit,
-    });
-
-    return { data, total };
-  }
-
-  /**
-   * Find servers by owner with pagination
-   */
-  async findByOwnerPaginated(owner: string, page: number, limit: number): Promise<{ data: Server[]; total: number }> {
-    const skip = (page - 1) * limit;
-    const [data, total] = await this.repository.findAndCount({
-      where: { owner },
-      order: { 
-        enabled: 'DESC',  // Enabled servers first
-        createdAt: 'ASC'  // Then by creation time
-      },
-      skip,
-      take: limit,
-    });
-
-    return { data, total };
-  }
-
   /**
    * Find servers by owner
    */

src/routes/index.ts

@@ -112,6 +112,12 @@ import {
   updateBearerKey,
   deleteBearerKey,
 } from '../controllers/bearerKeyController.js';
+import {
+  getOAuthSsoConfig,
+  initiateOAuthLogin,
+  handleOAuthCallback as handleOAuthSsoCallback,
+  listOAuthProviders,
+} from '../controllers/oauthSsoController.js';
 import { auth } from '../middlewares/auth.js';
 
 const router = express.Router();
@@ -273,6 +279,12 @@ export const initRoutes = (app: express.Application): void => {
     changePassword,
   );
 
+  // OAuth SSO routes (no auth required - these are for logging in)
+  router.get('/auth/sso/config', getOAuthSsoConfig);
+  router.get('/auth/sso/providers', listOAuthProviders);
+  router.get('/auth/sso/:providerId', initiateOAuthLogin);
+  router.get('/auth/sso/:providerId/callback', handleOAuthSsoCallback);
+
   // Runtime configuration endpoint (no auth required for frontend initialization)
   app.get(`${config.basePath}/config`, getRuntimeConfig);
 

src/services/mcpService.ts

@@ -1,6 +1,4 @@
 import os from 'os';
-import path from 'path';
-import fs from 'fs';
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import {
   CallToolRequestSchema,
@@ -17,7 +15,7 @@ import {
   StreamableHTTPClientTransportOptions,
 } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
 import { createFetchWithProxy, getProxyConfigFromEnv } from './proxy.js';
-import { ServerInfo, ServerConfig, Tool, ProxychainsConfig } from '../types/index.js';
+import { ServerInfo, ServerConfig, Tool } from '../types/index.js';
 import { expandEnvVars, replaceEnvVars, getNameSeparator } from '../config/index.js';
 import config from '../config/index.js';
 import { getGroup } from './sseService.js';
@@ -34,150 +32,6 @@ const servers: { [sessionId: string]: Server } = {};
 
 import { setupClientKeepAlive } from './keepAliveService.js';
 
-/**
- * Check if proxychains4 is available on the system (Linux/macOS only).
- * Returns the path to proxychains4 if found, null otherwise.
- */
-const findProxychains4 = (): string | null => {
-  // Windows is not supported
-  if (process.platform === 'win32') {
-    return null;
-  }
-
-  // Common proxychains4 binary paths
-  const possiblePaths = [
-    '/usr/bin/proxychains4',
-    '/usr/local/bin/proxychains4',
-    '/opt/homebrew/bin/proxychains4', // macOS Homebrew ARM
-    '/usr/local/Cellar/proxychains-ng/*/bin/proxychains4', // macOS Homebrew Intel
-  ];
-
-  for (const p of possiblePaths) {
-    if (fs.existsSync(p)) {
-      return p;
-    }
-  }
-
-  // Try to find in PATH
-  const pathEnv = process.env.PATH || '';
-  const pathDirs = pathEnv.split(path.delimiter);
-  for (const dir of pathDirs) {
-    const fullPath = path.join(dir, 'proxychains4');
-    if (fs.existsSync(fullPath)) {
-      return fullPath;
-    }
-  }
-
-  return null;
-};
-
-/**
- * Generate a temporary proxychains4 configuration file.
- * Returns the path to the generated config file.
- */
-const generateProxychainsConfig = (
-  serverName: string,
-  proxyConfig: ProxychainsConfig,
-): string | null => {
-  // If a custom config path is provided, use it directly
-  if (proxyConfig.configPath) {
-    if (fs.existsSync(proxyConfig.configPath)) {
-      return proxyConfig.configPath;
-    }
-    console.warn(
-      `[${serverName}] Custom proxychains config not found: ${proxyConfig.configPath}`,
-    );
-    return null;
-  }
-
-  // Validate required fields
-  if (!proxyConfig.host || !proxyConfig.port) {
-    console.warn(`[${serverName}] Proxy host and port are required for proxychains4`);
-    return null;
-  }
-
-  const proxyType = proxyConfig.type || 'socks5';
-  const proxyLine = proxyConfig.username && proxyConfig.password
-    ? `${proxyType} ${proxyConfig.host} ${proxyConfig.port} ${proxyConfig.username} ${proxyConfig.password}`
-    : `${proxyType} ${proxyConfig.host} ${proxyConfig.port}`;
-
-  const configContent = `# Proxychains4 configuration for MCP server: ${serverName}
-# Generated by MCPHub
-
-strict_chain
-proxy_dns
-remote_dns_subnet 224
-tcp_read_time_out 15000
-tcp_connect_time_out 8000
-
-[ProxyList]
-${proxyLine}
-`;
-
-  // Create temp directory if needed
-  const tempDir = path.join(os.tmpdir(), 'mcphub-proxychains');
-  if (!fs.existsSync(tempDir)) {
-    fs.mkdirSync(tempDir, { recursive: true });
-  }
-
-  // Write config file
-  const configPath = path.join(tempDir, `${serverName.replace(/[^a-zA-Z0-9-_]/g, '_')}.conf`);
-  fs.writeFileSync(configPath, configContent, 'utf-8');
-  console.log(`[${serverName}] Generated proxychains4 config: ${configPath}`);
-
-  return configPath;
-};
-
-/**
- * Wrap a command with proxychains4 if proxy is configured and available.
- * Returns modified command and args if proxychains4 is used, original values otherwise.
- */
-const wrapWithProxychains = (
-  serverName: string,
-  command: string,
-  args: string[],
-  proxyConfig?: ProxychainsConfig,
-): { command: string; args: string[] } => {
-  // Skip if proxy is not enabled or not configured
-  if (!proxyConfig?.enabled) {
-    return { command, args };
-  }
-
-  // Check platform - Windows is not supported
-  if (process.platform === 'win32') {
-    console.warn(
-      `[${serverName}] proxychains4 proxy is not supported on Windows, ignoring proxy configuration`,
-    );
-    return { command, args };
-  }
-
-  // Find proxychains4 binary
-  const proxychains4Path = findProxychains4();
-  if (!proxychains4Path) {
-    console.warn(
-      `[${serverName}] proxychains4 not found on system, install it with: apt install proxychains4 (Debian/Ubuntu) or brew install proxychains-ng (macOS)`,
-    );
-    return { command, args };
-  }
-
-  // Generate or get config file
-  const configPath = generateProxychainsConfig(serverName, proxyConfig);
-  if (!configPath) {
-    console.warn(`[${serverName}] Failed to setup proxychains4 configuration, skipping proxy`);
-    return { command, args };
-  }
-
-  // Wrap command with proxychains4
-  console.log(
-    `[${serverName}] Using proxychains4 proxy: ${proxyConfig.type || 'socks5'}://${proxyConfig.host}:${proxyConfig.port}`,
-  );
-
-  return {
-    command: proxychains4Path,
-    args: ['-f', configPath, command, ...args],
-  };
-};
-
 export const initUpstreamServers = async (): Promise<void> => {
   // Initialize OAuth clients for servers with dynamic registration
   await initializeAllOAuthClients();
@@ -355,19 +209,11 @@ export const createTransportFromConfig = async (name: string, conf: ServerConfig
       env['npm_config_registry'] = systemConfig.install.npmRegistry;
     }
 
-    // Apply proxychains4 wrapper if proxy is configured (Linux/macOS only)
+    // Expand environment variables in command
-    const { command: finalCommand, args: finalArgs } = wrapWithProxychains(
-      name,
-      conf.command,
-      replaceEnvVars(conf.args) as string[],
-      conf.proxy,
-    );
-
-    // Create STDIO transport with potentially wrapped command
     transport = new StdioClientTransport({
       cwd: os.homedir(),
-      command: finalCommand,
+      command: conf.command,
-      args: finalArgs,
+      args: replaceEnvVars(conf.args) as string[],
       env: env,
       stderr: 'pipe',
     });
@@ -772,19 +618,9 @@ export const registerAllTools = async (isInit: boolean, serverName?: string): Pr
 };
 
 // Get all server information
-export const getServersInfo = async (
+export const getServersInfo = async (): Promise<Omit<ServerInfo, 'client' | 'transport'>[]> => {
-  page?: number,
+  const allServers: ServerConfigWithName[] = await getServerDao().findAll();
-  limit?: number,
-  user?: any,
-): Promise<Omit<ServerInfo, 'client' | 'transport'>[]> => {
   const dataService = getDataService();
-  
-  // Get paginated or all server configurations from DAO
-  // If pagination is used with a non-admin user, filtering is already done at DAO level
-  const isPaginated = limit !== undefined && page !== undefined;
-  const allServers: ServerConfigWithName[] = isPaginated
-    ? (await getServerDao().findAllPaginated(page, limit)).data
-    : await getServerDao().findAll();
 
   // Ensure that servers recently added via DAO but not yet initialized in serverInfos
   // are still visible in the servers list. This avoids a race condition where
@@ -793,19 +629,10 @@ export const getServersInfo = async (
   const combinedServerInfos: ServerInfo[] = [...serverInfos];
   const existingNames = new Set(combinedServerInfos.map((s) => s.name));
 
-  // Create a set of server names we're interested in (for pagination)
-  const requestedServerNames = new Set(allServers.map((s) => s.name));
-
-  // Filter serverInfos to only include requested servers if pagination is used
-  const filteredServerInfos = isPaginated
-    ? combinedServerInfos.filter((s) => requestedServerNames.has(s.name))
-    : combinedServerInfos;
-
-  // Add servers from DAO that don't have runtime info yet
   for (const server of allServers) {
     if (!existingNames.has(server.name)) {
       const isEnabled = server.enabled === undefined ? true : server.enabled;
-      filteredServerInfos.push({
+      combinedServerInfos.push({
         name: server.name,
         owner: server.owner,
         // Newly created servers that are enabled should appear as "connecting"
@@ -821,16 +648,12 @@ export const getServersInfo = async (
     }
   }
 
-  // Apply user filtering only when NOT using pagination (pagination already filtered at DAO level)
+  const filterServerInfos: ServerInfo[] = dataService.filterData
-  // Or when no pagination parameters provided (backward compatibility)
+    ? dataService.filterData(combinedServerInfos)
-  const shouldApplyUserFilter = !isPaginated;
+    : combinedServerInfos;
-  const filterServerInfos: ServerInfo[] = shouldApplyUserFilter && dataService.filterData
-    ? dataService.filterData(filteredServerInfos, user)
-    : filteredServerInfos;
 
-  const infos = filterServerInfos
+  const infos = filterServerInfos.map(
-    .filter((info) => requestedServerNames.has(info.name)) // Only include requested servers
+    ({ name, status, tools, prompts, createTime, error, oauth }) => {
-    .map(({ name, status, tools, prompts, createTime, error, oauth }) => {
       const serverConfig = allServers.find((server) => server.name === name);
       const enabled = serverConfig ? serverConfig.enabled !== false : true;
 
@@ -869,8 +692,12 @@ export const getServersInfo = async (
             }
           : undefined,
       };
-    });
+    },
-  // Sorting is now handled at DAO layer for consistent pagination results
+  );
+  infos.sort((a, b) => {
+    if (a.enabled === b.enabled) return 0;
+    return a.enabled ? -1 : 1;
+  });
   return infos;
 };
 

src/services/oauthSsoService.ts

@@ -0,0 +1,546 @@
+/**
+ * OAuth SSO Service
+ *
+ * Handles OAuth 2.0 / OIDC SSO authentication for user login.
+ * Supports Google, Microsoft, GitHub, and custom OIDC providers.
+ */
+
+import * as client from 'openid-client';
+import crypto from 'crypto';
+import { getSystemConfigDao, getUserDao } from '../dao/index.js';
+import { IUser, OAuthSsoProviderConfig, OAuthSsoConfig } from '../types/index.js';
+
+// In-memory store for OAuth state (code verifier, state, etc.)
+// NOTE: This implementation uses in-memory storage which is suitable for single-instance deployments.
+// For multi-instance/scaled deployments, implement Redis or database-backed state storage
+// to ensure OAuth callbacks reach the correct instance where the state was stored.
+interface OAuthStateEntry {
+  codeVerifier: string;
+  providerId: string;
+  returnUrl?: string;
+  createdAt: number;
+}
+
+const stateStore = new Map<string, OAuthStateEntry>();
+const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
+
+// Cleanup old state entries periodically
+let cleanupInterval: ReturnType<typeof setInterval> | null = null;
+
+function startStateCleanup(): void {
+  if (cleanupInterval) return;
+  cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [state, entry] of stateStore.entries()) {
+      if (now - entry.createdAt > STATE_TTL_MS) {
+        stateStore.delete(state);
+      }
+    }
+  }, 60 * 1000); // Cleanup every minute
+}
+
+// Start cleanup on module load
+startStateCleanup();
+
+/**
+ * Stop the state cleanup interval (useful for tests and graceful shutdown)
+ */
+export function stopStateCleanup(): void {
+  if (cleanupInterval) {
+    clearInterval(cleanupInterval);
+    cleanupInterval = null;
+  }
+}
+
+// GitHub API response types for type safety
+interface GitHubUserResponse {
+  id: number;
+  login: string;
+  name?: string;
+  email?: string;
+  avatar_url?: string;
+}
+
+interface GitHubEmailResponse {
+  email: string;
+  primary: boolean;
+  verified: boolean;
+  visibility?: string;
+}
+
+// Provider configurations cache
+const providerConfigsCache = new Map<
+  string,
+  {
+    config: client.Configuration;
+    provider: OAuthSsoProviderConfig;
+  }
+>();
+
+/**
+ * Get OAuth SSO configuration from system config
+ */
+export async function getOAuthSsoConfig(): Promise<OAuthSsoConfig | undefined> {
+  const systemConfigDao = getSystemConfigDao();
+  const systemConfig = await systemConfigDao.get();
+  return systemConfig?.oauthSso;
+}
+
+/**
+ * Check if OAuth SSO is enabled
+ */
+export async function isOAuthSsoEnabled(): Promise<boolean> {
+  const config = await getOAuthSsoConfig();
+  return config?.enabled === true && (config.providers?.length ?? 0) > 0;
+}
+
+/**
+ * Get enabled OAuth SSO providers
+ */
+export async function getEnabledProviders(): Promise<OAuthSsoProviderConfig[]> {
+  const config = await getOAuthSsoConfig();
+  if (!config?.enabled || !config.providers) {
+    return [];
+  }
+  return config.providers.filter((p) => p.enabled !== false);
+}
+
+/**
+ * Get a specific provider by ID
+ */
+export async function getProviderById(providerId: string): Promise<OAuthSsoProviderConfig | undefined> {
+  const providers = await getEnabledProviders();
+  return providers.find((p) => p.id === providerId);
+}
+
+/**
+ * Get default scopes for a provider type
+ */
+function getDefaultScopes(type: OAuthSsoProviderConfig['type']): string[] {
+  switch (type) {
+    case 'google':
+      return ['openid', 'email', 'profile'];
+    case 'microsoft':
+      return ['openid', 'email', 'profile', 'User.Read'];
+    case 'github':
+      return ['read:user', 'user:email'];
+    case 'oidc':
+    default:
+      return ['openid', 'email', 'profile'];
+  }
+}
+
+/**
+ * Get provider discovery URL
+ */
+function getDiscoveryUrl(provider: OAuthSsoProviderConfig): string | undefined {
+  if (provider.issuerUrl) {
+    return provider.issuerUrl;
+  }
+
+  switch (provider.type) {
+    case 'google':
+      return 'https://accounts.google.com';
+    case 'microsoft':
+      // Using common endpoint for multi-tenant
+      return 'https://login.microsoftonline.com/common/v2.0';
+    case 'github':
+      // GitHub doesn't support OIDC discovery, we'll use explicit endpoints
+      return undefined;
+    default:
+      return undefined;
+  }
+}
+
+/**
+ * Get explicit OAuth endpoints for providers without OIDC discovery
+ */
+function getExplicitEndpoints(provider: OAuthSsoProviderConfig): {
+  authorizationUrl: string;
+  tokenUrl: string;
+  userInfoUrl: string;
+} | undefined {
+  if (provider.type === 'github') {
+    return {
+      authorizationUrl: provider.authorizationUrl || 'https://github.com/login/oauth/authorize',
+      tokenUrl: provider.tokenUrl || 'https://github.com/login/oauth/access_token',
+      userInfoUrl: provider.userInfoUrl || 'https://api.github.com/user',
+    };
+  }
+
+  // For custom providers with explicit endpoints
+  if (provider.authorizationUrl && provider.tokenUrl && provider.userInfoUrl) {
+    return {
+      authorizationUrl: provider.authorizationUrl,
+      tokenUrl: provider.tokenUrl,
+      userInfoUrl: provider.userInfoUrl,
+    };
+  }
+
+  return undefined;
+}
+
+/**
+ * Initialize and cache openid-client configuration for a provider
+ */
+async function getClientConfig(
+  provider: OAuthSsoProviderConfig,
+  _callbackUrl: string,
+): Promise<client.Configuration> {
+  const cacheKey = provider.id;
+  const cached = providerConfigsCache.get(cacheKey);
+  if (cached) {
+    return cached.config;
+  }
+
+  let config: client.Configuration;
+
+  const discoveryUrl = getDiscoveryUrl(provider);
+
+  if (discoveryUrl) {
+    // Use OIDC discovery
+    config = await client.discovery(new URL(discoveryUrl), provider.clientId, provider.clientSecret);
+  } else {
+    // Use explicit endpoints for providers like GitHub
+    const endpoints = getExplicitEndpoints(provider);
+    if (!endpoints) {
+      throw new Error(
+        `Provider ${provider.id} requires either issuerUrl for OIDC discovery or explicit endpoints`,
+      );
+    }
+
+    // Create a manual server metadata configuration
+    const serverMetadata: client.ServerMetadata = {
+      issuer: provider.issuerUrl || `https://${provider.type}.oauth`,
+      authorization_endpoint: endpoints.authorizationUrl,
+      token_endpoint: endpoints.tokenUrl,
+      userinfo_endpoint: endpoints.userInfoUrl,
+    };
+
+    config = new client.Configuration(serverMetadata, provider.clientId, provider.clientSecret);
+  }
+
+  providerConfigsCache.set(cacheKey, { config, provider });
+  return config;
+}
+
+/**
+ * Generate the authorization URL for a provider
+ */
+export async function generateAuthorizationUrl(
+  providerId: string,
+  callbackUrl: string,
+  returnUrl?: string,
+): Promise<{ url: string; state: string }> {
+  const provider = await getProviderById(providerId);
+  if (!provider) {
+    throw new Error(`OAuth SSO provider not found: ${providerId}`);
+  }
+
+  const config = await getClientConfig(provider, callbackUrl);
+  const scopes = provider.scopes || getDefaultScopes(provider.type);
+
+  // Generate PKCE code verifier and challenge
+  const codeVerifier = client.randomPKCECodeVerifier();
+  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
+
+  // Generate state
+  const state = crypto.randomBytes(32).toString('base64url');
+
+  // Store state for callback verification
+  stateStore.set(state, {
+    codeVerifier,
+    providerId,
+    returnUrl,
+    createdAt: Date.now(),
+  });
+
+  // Build authorization URL parameters
+  const parameters: Record<string, string> = {
+    redirect_uri: callbackUrl,
+    scope: scopes.join(' '),
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  };
+
+  // GitHub-specific: request user email access
+  if (provider.type === 'github') {
+    // GitHub doesn't use PKCE, but we'll still store the state
+    delete parameters.code_challenge;
+    delete parameters.code_challenge_method;
+  }
+
+  const url = client.buildAuthorizationUrl(config, parameters);
+
+  return { url: url.toString(), state };
+}
+
+/**
+ * Exchange authorization code for tokens and user info
+ */
+export async function handleCallback(
+  callbackUrl: string,
+  currentUrl: string,
+  state: string,
+): Promise<{
+  user: IUser;
+  isNewUser: boolean;
+  returnUrl?: string;
+}> {
+  // Verify and retrieve state
+  const stateEntry = stateStore.get(state);
+  if (!stateEntry) {
+    throw new Error('Invalid or expired OAuth state');
+  }
+
+  // Remove used state
+  stateStore.delete(state);
+
+  const provider = await getProviderById(stateEntry.providerId);
+  if (!provider) {
+    throw new Error(`OAuth SSO provider not found: ${stateEntry.providerId}`);
+  }
+
+  const config = await getClientConfig(provider, callbackUrl);
+
+  // Exchange code for tokens
+  let tokens: client.TokenEndpointResponse;
+
+  if (provider.type === 'github') {
+    // GitHub doesn't use PKCE
+    tokens = await client.authorizationCodeGrant(config, new URL(currentUrl), {
+      expectedState: state,
+    });
+  } else {
+    // OIDC providers with PKCE
+    tokens = await client.authorizationCodeGrant(config, new URL(currentUrl), {
+      pkceCodeVerifier: stateEntry.codeVerifier,
+      expectedState: state,
+    });
+  }
+
+  // Get user info
+  const userInfo = await getUserInfo(provider, config, tokens);
+
+  // Find or create user
+  const { user, isNewUser } = await findOrCreateUser(provider, userInfo);
+
+  return {
+    user,
+    isNewUser,
+    returnUrl: stateEntry.returnUrl,
+  };
+}
+
+/**
+ * Fetch user info from the provider
+ */
+async function getUserInfo(
+  provider: OAuthSsoProviderConfig,
+  config: client.Configuration,
+  tokens: client.TokenEndpointResponse,
+): Promise<{
+  sub: string;
+  email?: string;
+  name?: string;
+  picture?: string;
+  groups?: string[];
+  roles?: string[];
+  [key: string]: unknown;
+}> {
+  if (provider.type === 'github') {
+    // GitHub uses a different API for user info
+    const response = await fetch('https://api.github.com/user', {
+      headers: {
+        Authorization: `Bearer ${tokens.access_token}`,
+        Accept: 'application/json',
+      },
+    });
+
+    if (!response.ok) {
+      throw new Error(`Failed to fetch GitHub user info: ${response.statusText}`);
+    }
+
+    const data = (await response.json()) as GitHubUserResponse;
+
+    // Fetch email separately if not public
+    let email = data.email;
+    if (!email) {
+      const emailResponse = await fetch('https://api.github.com/user/emails', {
+        headers: {
+          Authorization: `Bearer ${tokens.access_token}`,
+          Accept: 'application/json',
+        },
+      });
+
+      if (emailResponse.ok) {
+        const emails = (await emailResponse.json()) as GitHubEmailResponse[];
+        const primaryEmail = emails.find((e) => e.primary);
+        email = primaryEmail?.email || emails[0]?.email;
+      }
+    }
+
+    return {
+      sub: String(data.id),
+      email,
+      name: data.name || data.login,
+      picture: data.avatar_url,
+    };
+  }
+
+  // Standard OIDC userinfo endpoint
+  const userInfoResponse = await client.fetchUserInfo(config, tokens.access_token!, client.skipSubjectCheck);
+
+  return {
+    sub: userInfoResponse.sub,
+    email: userInfoResponse.email as string | undefined,
+    name: userInfoResponse.name as string | undefined,
+    picture: userInfoResponse.picture as string | undefined,
+    groups: userInfoResponse.groups as string[] | undefined,
+    roles: userInfoResponse.roles as string[] | undefined,
+  };
+}
+
+/**
+ * Find existing user or create new one based on OAuth profile
+ */
+async function findOrCreateUser(
+  provider: OAuthSsoProviderConfig,
+  userInfo: {
+    sub: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+    groups?: string[];
+    roles?: string[];
+    [key: string]: unknown;
+  },
+): Promise<{ user: IUser; isNewUser: boolean }> {
+  const userDao = getUserDao();
+
+  // Generate a unique username based on provider and subject
+  const oauthUsername = `${provider.id}:${userInfo.sub}`;
+
+  // Try to find existing user by OAuth identity
+  let user = await userDao.findByUsername(oauthUsername);
+
+  if (user) {
+    // Update user info if changed
+    const updates: Partial<IUser> = {};
+    if (userInfo.email && userInfo.email !== user.email) {
+      updates.email = userInfo.email;
+    }
+    if (userInfo.name && userInfo.name !== user.displayName) {
+      updates.displayName = userInfo.name;
+    }
+    if (userInfo.picture && userInfo.picture !== user.avatarUrl) {
+      updates.avatarUrl = userInfo.picture;
+    }
+
+    // Check admin status based on claims
+    const isAdmin = checkAdminClaim(provider, userInfo);
+    if (isAdmin !== user.isAdmin) {
+      updates.isAdmin = isAdmin;
+    }
+
+    if (Object.keys(updates).length > 0) {
+      await userDao.update(oauthUsername, updates);
+      user = { ...user, ...updates };
+    }
+
+    return { user, isNewUser: false };
+  }
+
+  // Check if auto-provisioning is enabled
+  if (provider.autoProvision === false) {
+    throw new Error(
+      `User not found and auto-provisioning is disabled for provider: ${provider.name}`,
+    );
+  }
+
+  // Create new user
+  const isAdmin = checkAdminClaim(provider, userInfo) || provider.defaultAdmin === true;
+
+  // Generate a random password for OAuth users (they won't use it)
+  const randomPassword = crypto.randomBytes(32).toString('hex');
+
+  const newUser = await userDao.createWithHashedPassword(oauthUsername, randomPassword, isAdmin);
+
+  // Update with OAuth-specific fields
+  const updatedUser = await userDao.update(oauthUsername, {
+    oauthProvider: provider.id,
+    oauthSubject: userInfo.sub,
+    email: userInfo.email,
+    displayName: userInfo.name,
+    avatarUrl: userInfo.picture,
+  });
+
+  return { user: updatedUser || newUser, isNewUser: true };
+}
+
+/**
+ * Check if user should be granted admin based on provider claims
+ */
+function checkAdminClaim(
+  provider: OAuthSsoProviderConfig,
+  userInfo: { groups?: string[]; roles?: string[]; [key: string]: unknown },
+): boolean {
+  if (!provider.adminClaim || !provider.adminClaimValues?.length) {
+    return false;
+  }
+
+  const claimValue = userInfo[provider.adminClaim];
+  if (!claimValue) {
+    return false;
+  }
+
+  // Handle array claims (groups, roles)
+  if (Array.isArray(claimValue)) {
+    return claimValue.some((v) => provider.adminClaimValues!.includes(String(v)));
+  }
+
+  // Handle string claims
+  return provider.adminClaimValues.includes(String(claimValue));
+}
+
+/**
+ * Get public provider info for frontend
+ */
+export async function getPublicProviderInfo(): Promise<
+  Array<{
+    id: string;
+    name: string;
+    type: string;
+    icon?: string;
+    buttonText?: string;
+  }>
+> {
+  const providers = await getEnabledProviders();
+  return providers.map((p) => ({
+    id: p.id,
+    name: p.name,
+    type: p.type,
+    icon: p.icon || p.type,
+    buttonText: p.buttonText,
+  }));
+}
+
+/**
+ * Check if local auth is allowed
+ */
+export async function isLocalAuthAllowed(): Promise<boolean> {
+  const config = await getOAuthSsoConfig();
+  // Default to true if not configured or SSO is disabled
+  if (!config?.enabled) {
+    return true;
+  }
+  return config.allowLocalAuth !== false;
+}
+
+/**
+ * Clear provider configuration cache
+ */
+export function clearProviderCache(): void {
+  providerConfigsCache.clear();
+}

src/types/index.ts

@@ -10,6 +10,12 @@ export interface IUser {
   username: string;
   password: string;
   isAdmin?: boolean;
+  // OAuth SSO fields
+  oauthProvider?: string; // OAuth provider ID (e.g., 'google', 'microsoft', 'github')
+  oauthSubject?: string; // OAuth subject (unique user ID from provider)
+  email?: string; // User email (from OAuth profile)
+  displayName?: string; // Display name (from OAuth profile)
+  avatarUrl?: string; // Avatar URL (from OAuth profile)
 }
 
 // Group interface for server grouping
@@ -124,6 +130,43 @@ export interface MCPRouterCallToolResponse {
   isError: boolean;
 }
 
+// OAuth SSO Provider Configuration for user authentication
+export type OAuthSsoProviderType = 'google' | 'microsoft' | 'github' | 'oidc';
+
+export interface OAuthSsoProviderConfig {
+  id: string; // Unique identifier for this provider (e.g., 'google', 'my-company-sso')
+  type: OAuthSsoProviderType; // Provider type
+  name: string; // Display name (e.g., 'Google', 'Microsoft', 'Company SSO')
+  enabled?: boolean; // Whether this provider is enabled (default: true)
+  clientId: string; // OAuth client ID
+  clientSecret: string; // OAuth client secret
+  // For OIDC providers, discovery URL or explicit endpoints
+  issuerUrl?: string; // OIDC issuer URL for auto-discovery (e.g., 'https://accounts.google.com')
+  // Explicit endpoints (optional, can be auto-discovered for OIDC)
+  authorizationUrl?: string; // OAuth authorization endpoint
+  tokenUrl?: string; // OAuth token endpoint
+  userInfoUrl?: string; // OAuth userinfo endpoint
+  // Scope configuration
+  scopes?: string[]; // OAuth scopes to request (default varies by provider)
+  // Role/admin mapping
+  adminClaim?: string; // Claim name to check for admin role (e.g., 'groups', 'roles')
+  adminClaimValues?: string[]; // Values that grant admin access (e.g., ['admin', 'mcphub-admins'])
+  // Auto-provisioning options
+  autoProvision?: boolean; // Auto-create users on first login (default: true)
+  defaultAdmin?: boolean; // Whether auto-provisioned users are admins by default (default: false)
+  // UI options
+  icon?: string; // Icon identifier for UI (e.g., 'google', 'microsoft', 'github', 'key')
+  buttonText?: string; // Custom button text (e.g., 'Sign in with Google')
+}
+
+// OAuth SSO configuration in SystemConfig
+export interface OAuthSsoConfig {
+  enabled?: boolean; // Enable/disable OAuth SSO globally
+  providers?: OAuthSsoProviderConfig[]; // List of configured SSO providers
+  allowLocalAuth?: boolean; // Allow local username/password auth alongside SSO (default: true)
+  callbackBaseUrl?: string; // Base URL for OAuth callbacks (auto-detected if not set)
+}
+
 // OAuth Provider Configuration for MCP Authorization Server
 export interface OAuthProviderConfig {
   enabled?: boolean; // Enable/disable OAuth provider
@@ -172,6 +215,7 @@ export interface SystemConfig {
   nameSeparator?: string; // Separator used between server name and tool/prompt name (default: '-')
   oauth?: OAuthProviderConfig; // OAuth provider configuration for upstream MCP servers
   oauthServer?: OAuthServerConfig; // OAuth authorization server configuration for MCPHub itself
+  oauthSso?: OAuthSsoConfig; // OAuth SSO configuration for user authentication
   enableSessionRebuild?: boolean; // Controls whether server session rebuild is enabled
 }
 
@@ -270,17 +314,6 @@ export interface McpSettings {
   bearerKeys?: BearerKey[]; // Bearer authentication keys (multi-key configuration)
 }
 
-// Proxychains4 configuration for STDIO servers (Linux/macOS only)
-export interface ProxychainsConfig {
-  enabled?: boolean; // Enable/disable proxychains4 proxy routing
-  type?: 'socks4' | 'socks5' | 'http'; // Proxy protocol type
-  host?: string; // Proxy server hostname or IP address
-  port?: number; // Proxy server port
-  username?: string; // Proxy authentication username (optional)
-  password?: string; // Proxy authentication password (optional)
-  configPath?: string; // Path to custom proxychains4 configuration file (optional, overrides above settings)
-}
-
 // Configuration details for an individual server
 export interface ServerConfig {
   type?: 'stdio' | 'sse' | 'streamable-http' | 'openapi'; // Type of server
@@ -296,8 +329,6 @@ export interface ServerConfig {
   tools?: Record<string, { enabled: boolean; description?: string }>; // Tool-specific configurations with enable/disable state and custom descriptions
   prompts?: Record<string, { enabled: boolean; description?: string }>; // Prompt-specific configurations with enable/disable state and custom descriptions
   options?: Partial<Pick<RequestOptions, 'timeout' | 'resetTimeoutOnProgress' | 'maxTotalTimeout'>>; // MCP request options configuration
-  // Proxychains4 proxy configuration for STDIO servers (Linux/macOS only, Windows not supported)
-  proxy?: ProxychainsConfig;
   // OAuth authentication for upstream MCP servers
   oauth?: {
     // Static client configuration (traditional OAuth flow)

src/utils/migration.ts

@@ -46,6 +46,11 @@ export async function migrateToDatabase(): Promise<boolean> {
             username: user.username,
             password: user.password,
             isAdmin: user.isAdmin || false,
+            oauthProvider: user.oauthProvider,
+            oauthSubject: user.oauthSubject,
+            email: user.email,
+            displayName: user.displayName,
+            avatarUrl: user.avatarUrl,
           });
           console.log(`  - Created user: ${user.username}`);
         } else {
@@ -116,6 +121,7 @@ export async function migrateToDatabase(): Promise<boolean> {
         nameSeparator: settings.systemConfig.nameSeparator,
         oauth: settings.systemConfig.oauth || {},
         oauthServer: settings.systemConfig.oauthServer || {},
+        oauthSso: settings.systemConfig.oauthSso || {},
         enableSessionRebuild: settings.systemConfig.enableSessionRebuild,
       };
       await systemConfigRepo.update(systemConfig);

tests/services/oauthSsoService.test.ts

@@ -0,0 +1,235 @@
+// Mock openid-client before importing services
+jest.mock('openid-client', () => ({
+  discovery: jest.fn(),
+  Configuration: jest.fn(),
+  randomPKCECodeVerifier: jest.fn(() => 'test-verifier'),
+  calculatePKCECodeChallenge: jest.fn(() => Promise.resolve('test-challenge')),
+  buildAuthorizationUrl: jest.fn(() => new URL('https://example.com/authorize')),
+  authorizationCodeGrant: jest.fn(),
+  fetchUserInfo: jest.fn(),
+  skipSubjectCheck: Symbol('skipSubjectCheck'),
+}));
+
+// Mock the DAO module
+jest.mock('../../src/dao/index.js', () => ({
+  getSystemConfigDao: jest.fn(),
+  getUserDao: jest.fn(),
+}));
+
+import * as daoModule from '../../src/dao/index.js';
+import {
+  isOAuthSsoEnabled,
+  getEnabledProviders,
+  getProviderById,
+  isLocalAuthAllowed,
+  getPublicProviderInfo,
+  clearProviderCache,
+  stopStateCleanup,
+} from '../../src/services/oauthSsoService.js';
+
+describe('OAuth SSO Service', () => {
+  const mockGetSystemConfigDao = daoModule.getSystemConfigDao as jest.MockedFunction<
+    typeof daoModule.getSystemConfigDao
+  >;
+  const mockGetUserDao = daoModule.getUserDao as jest.MockedFunction<typeof daoModule.getUserDao>;
+
+  // Stop the cleanup interval to prevent Jest from hanging
+  afterAll(() => {
+    stopStateCleanup();
+  });
+
+  const defaultSsoConfig = {
+    enabled: true,
+    allowLocalAuth: true,
+    providers: [
+      {
+        id: 'google',
+        type: 'google' as const,
+        name: 'Google',
+        enabled: true,
+        clientId: 'test-client-id',
+        clientSecret: 'test-client-secret',
+        scopes: ['openid', 'email', 'profile'],
+      },
+      {
+        id: 'github',
+        type: 'github' as const,
+        name: 'GitHub',
+        enabled: true,
+        clientId: 'test-github-client',
+        clientSecret: 'test-github-secret',
+      },
+      {
+        id: 'disabled-provider',
+        type: 'oidc' as const,
+        name: 'Disabled',
+        enabled: false,
+        clientId: 'disabled-client',
+        clientSecret: 'disabled-secret',
+      },
+    ],
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    clearProviderCache();
+
+    mockGetSystemConfigDao.mockReturnValue({
+      get: jest.fn().mockResolvedValue({
+        oauthSso: defaultSsoConfig,
+      }),
+    } as any);
+
+    mockGetUserDao.mockReturnValue({
+      findByUsername: jest.fn().mockResolvedValue(null),
+      createWithHashedPassword: jest.fn().mockResolvedValue({
+        username: 'google:12345',
+        password: 'hashed',
+        isAdmin: false,
+      }),
+      update: jest.fn().mockImplementation((username: string, data: any) =>
+        Promise.resolve({
+          username,
+          password: 'hashed',
+          isAdmin: false,
+          ...data,
+        })
+      ),
+    } as any);
+  });
+
+  describe('isOAuthSsoEnabled', () => {
+    it('should return true when OAuth SSO is enabled with providers', async () => {
+      const enabled = await isOAuthSsoEnabled();
+      expect(enabled).toBe(true);
+    });
+
+    it('should return false when OAuth SSO is disabled', async () => {
+      mockGetSystemConfigDao.mockReturnValue({
+        get: jest.fn().mockResolvedValue({
+          oauthSso: { ...defaultSsoConfig, enabled: false },
+        }),
+      } as any);
+
+      const enabled = await isOAuthSsoEnabled();
+      expect(enabled).toBe(false);
+    });
+
+    it('should return false when no providers are configured', async () => {
+      mockGetSystemConfigDao.mockReturnValue({
+        get: jest.fn().mockResolvedValue({
+          oauthSso: { ...defaultSsoConfig, providers: [] },
+        }),
+      } as any);
+
+      const enabled = await isOAuthSsoEnabled();
+      expect(enabled).toBe(false);
+    });
+  });
+
+  describe('getEnabledProviders', () => {
+    it('should return only enabled providers', async () => {
+      const providers = await getEnabledProviders();
+      expect(providers).toHaveLength(2);
+      expect(providers.map((p) => p.id)).toContain('google');
+      expect(providers.map((p) => p.id)).toContain('github');
+      expect(providers.map((p) => p.id)).not.toContain('disabled-provider');
+    });
+
+    it('should return empty array when SSO is disabled', async () => {
+      mockGetSystemConfigDao.mockReturnValue({
+        get: jest.fn().mockResolvedValue({
+          oauthSso: { ...defaultSsoConfig, enabled: false },
+        }),
+      } as any);
+
+      const providers = await getEnabledProviders();
+      expect(providers).toHaveLength(0);
+    });
+  });
+
+  describe('getProviderById', () => {
+    it('should return the correct provider by ID', async () => {
+      const provider = await getProviderById('google');
+      expect(provider).toBeDefined();
+      expect(provider?.id).toBe('google');
+      expect(provider?.type).toBe('google');
+      expect(provider?.name).toBe('Google');
+    });
+
+    it('should return undefined for non-existent provider', async () => {
+      const provider = await getProviderById('non-existent');
+      expect(provider).toBeUndefined();
+    });
+
+    it('should return undefined for disabled provider', async () => {
+      const provider = await getProviderById('disabled-provider');
+      expect(provider).toBeUndefined();
+    });
+  });
+
+  describe('isLocalAuthAllowed', () => {
+    it('should return true when local auth is allowed', async () => {
+      const allowed = await isLocalAuthAllowed();
+      expect(allowed).toBe(true);
+    });
+
+    it('should return false when local auth is disabled', async () => {
+      mockGetSystemConfigDao.mockReturnValue({
+        get: jest.fn().mockResolvedValue({
+          oauthSso: { ...defaultSsoConfig, allowLocalAuth: false },
+        }),
+      } as any);
+
+      const allowed = await isLocalAuthAllowed();
+      expect(allowed).toBe(false);
+    });
+
+    it('should return true when SSO is disabled (fallback)', async () => {
+      mockGetSystemConfigDao.mockReturnValue({
+        get: jest.fn().mockResolvedValue({
+          oauthSso: undefined,
+        }),
+      } as any);
+
+      const allowed = await isLocalAuthAllowed();
+      expect(allowed).toBe(true);
+    });
+  });
+
+  describe('getPublicProviderInfo', () => {
+    it('should return public info for enabled providers only', async () => {
+      const info = await getPublicProviderInfo();
+      expect(info).toHaveLength(2);
+
+      const googleInfo = info.find((p) => p.id === 'google');
+      expect(googleInfo).toBeDefined();
+      expect(googleInfo?.name).toBe('Google');
+      expect(googleInfo?.type).toBe('google');
+      expect(googleInfo?.icon).toBe('google');
+
+      // Ensure sensitive data is not exposed
+      expect((googleInfo as any)?.clientSecret).toBeUndefined();
+      expect((googleInfo as any)?.clientId).toBeUndefined();
+    });
+
+    it('should include buttonText when specified', async () => {
+      mockGetSystemConfigDao.mockReturnValue({
+        get: jest.fn().mockResolvedValue({
+          oauthSso: {
+            ...defaultSsoConfig,
+            providers: [
+              {
+                ...defaultSsoConfig.providers[0],
+                buttonText: 'Login with Google',
+              },
+            ],
+          },
+        }),
+      } as any);
+
+      const info = await getPublicProviderInfo();
+      expect(info[0].buttonText).toBe('Login with Google');
+    });
+  });
+});