mirrors/mcphub
1
0
Fork 0
mirror of https://github.com/samanhappy/mcphub.git synced 2026-01-01 04:08:52 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: mirrors:main
Branches Tags
mirrors:main mirrors:copilot/add-oauth-oidc-support mirrors:copilot/add-activity-log-page mirrors:copilot/add-oauth2-oidc-login-support mirrors:copilot/implement-compression-mechanism mirrors:copilot/set-nonstream-response mirrors:copilot/fix-access-token-refresh-issue mirrors:copilot/fix-json-schema-export-import mirrors:cluster mirrors:copilot/upgrade-glob-to-10-5-0 mirrors:copilot/fix-password-change-issue mirrors:copilot/fix-servers-page-description mirrors:copilot/fix-path-matching-issue mirrors:copilot/fix-security-dependency-issue mirrors:copilot/fix-excessive-api-calls mirrors:copilot/create-authentication-bypass-tests mirrors:copilot/fix-authentication-bypass-issue mirrors:copilot/fix-login-issue-with-base-path mirrors:copilot/fix-2755122-957825149-90b80786-8395-4845-bd6d-1c18c49b8c86 mirrors:copilot/fix-mcp-pdf-reader-error mirrors:copilot/add-one-click-install-button mirrors:copilot/fix-server-status-update mirrors:copilot/fix-jira-cloud-connection mirrors:copilot/add-cluster-functionality mirrors:codex/implement-cluster-functionality-for-mcphub mirrors:copilot/fix-playwright-parallel-execution mirrors:copilot/fix-group-adding-issue
mirrors:v0.11.10 mirrors:v0.11.9 mirrors:v0.11.8 mirrors:v0.11.7 mirrors:v0.11.6 mirrors:v0.11.5 mirrors:v0.11.4 mirrors:v0.11.3 mirrors:v0.11.2 mirrors:v0.11.1 mirrors:v0.11.0 mirrors:v0.10.6 mirrors:v0.10.5 mirrors:v0.10.4 mirrors:v0.10.3 mirrors:v0.10.2 mirrors:v0.10.1 mirrors:v0.10.0 mirrors:v0.9.16 mirrors:v0.9.15 mirrors:v0.9.14 mirrors:v0.9.13 mirrors:v0.9.12 mirrors:v0.9.11 mirrors:v0.9.10 mirrors:v0.9.9 mirrors:v0.9.8 mirrors:v0.9.7 mirrors:v0.9.6 mirrors:v0.9.5 mirrors:v0.9.4 mirrors:v0.9.3 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.8.7 mirrors:v0.8.6 mirrors:v0.8.5 mirrors:v0.8.4 mirrors:v0.8.3 mirrors:v0.8.2 mirrors:v0.8.1 mirrors:v0.8.0 mirrors:v0.7.7 mirrors:v0.7.6 mirrors:v0.7.5 mirrors:v0.7.4 mirrors:v0.7.3 mirrors:v0.7.2 mirrors:v0.7.1 mirrors:v0.7.0 mirrors:v0.6.2 mirrors:v0.6.1 mirrors:v0.6.0 mirrors:v0.5.4 mirrors:v0.5.3 mirrors:v0.5.2 mirrors:v0.5.1 mirrors:v0.5.0 mirrors:v0.4.3 mirrors:v0.4.2 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.8 mirrors:v0.3.7 mirrors:v0.3.6 mirrors:v0.3.5 mirrors:v0.3.4 mirrors:v0.3.3 mirrors:v0.3.2 mirrors:v0.3.1 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.1 mirrors:v0.1.0
..
compare: mirrors:copilot/add-oauth2-oidc-login-support
Branches Tags
mirrors:main mirrors:copilot/add-oauth-oidc-support mirrors:copilot/add-activity-log-page mirrors:copilot/add-oauth2-oidc-login-support mirrors:copilot/implement-compression-mechanism mirrors:copilot/set-nonstream-response mirrors:copilot/fix-access-token-refresh-issue mirrors:copilot/fix-json-schema-export-import mirrors:cluster mirrors:copilot/upgrade-glob-to-10-5-0 mirrors:copilot/fix-password-change-issue mirrors:copilot/fix-servers-page-description mirrors:copilot/fix-path-matching-issue mirrors:copilot/fix-security-dependency-issue mirrors:copilot/fix-excessive-api-calls mirrors:copilot/create-authentication-bypass-tests mirrors:copilot/fix-authentication-bypass-issue mirrors:copilot/fix-login-issue-with-base-path mirrors:copilot/fix-2755122-957825149-90b80786-8395-4845-bd6d-1c18c49b8c86 mirrors:copilot/fix-mcp-pdf-reader-error mirrors:copilot/add-one-click-install-button mirrors:copilot/fix-server-status-update mirrors:copilot/fix-jira-cloud-connection mirrors:copilot/add-cluster-functionality mirrors:codex/implement-cluster-functionality-for-mcphub mirrors:copilot/fix-playwright-parallel-execution mirrors:copilot/fix-group-adding-issue
mirrors:v0.11.10 mirrors:v0.11.9 mirrors:v0.11.8 mirrors:v0.11.7 mirrors:v0.11.6 mirrors:v0.11.5 mirrors:v0.11.4 mirrors:v0.11.3 mirrors:v0.11.2 mirrors:v0.11.1 mirrors:v0.11.0 mirrors:v0.10.6 mirrors:v0.10.5 mirrors:v0.10.4 mirrors:v0.10.3 mirrors:v0.10.2 mirrors:v0.10.1 mirrors:v0.10.0 mirrors:v0.9.16 mirrors:v0.9.15 mirrors:v0.9.14 mirrors:v0.9.13 mirrors:v0.9.12 mirrors:v0.9.11 mirrors:v0.9.10 mirrors:v0.9.9 mirrors:v0.9.8 mirrors:v0.9.7 mirrors:v0.9.6 mirrors:v0.9.5 mirrors:v0.9.4 mirrors:v0.9.3 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.8.7 mirrors:v0.8.6 mirrors:v0.8.5 mirrors:v0.8.4 mirrors:v0.8.3 mirrors:v0.8.2 mirrors:v0.8.1 mirrors:v0.8.0 mirrors:v0.7.7 mirrors:v0.7.6 mirrors:v0.7.5 mirrors:v0.7.4 mirrors:v0.7.3 mirrors:v0.7.2 mirrors:v0.7.1 mirrors:v0.7.0 mirrors:v0.6.2 mirrors:v0.6.1 mirrors:v0.6.0 mirrors:v0.5.4 mirrors:v0.5.3 mirrors:v0.5.2 mirrors:v0.5.1 mirrors:v0.5.0 mirrors:v0.4.3 mirrors:v0.4.2 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.8 mirrors:v0.3.7 mirrors:v0.3.6 mirrors:v0.3.5 mirrors:v0.3.4 mirrors:v0.3.3 mirrors:v0.3.2 mirrors:v0.3.1 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.1 mirrors:v0.1.0

3 Commits
main ... copilot/ad

Author SHA1 Message Date
copilot-swe-agent[bot]
f63c61db65 fix: Address code review feedback for OAuth SSO 
- Add proper lifecycle management for state cleanup interval
- Fix host header injection vulnerability by validating forwarded headers
- Add type safety for GitHub API responses
- Add stopStateCleanup function for test cleanup
- Document scaling limitations of in-memory state store

Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-12-31 15:23:14 +00:00
copilot-swe-agent[bot]
7f1e4d5de1 feat: Add OAuth 2.0 / OIDC SSO login support 
- Add OAuth SSO provider configuration types (OAuthSsoProviderConfig, OAuthSsoConfig)
- Create OAuth SSO service with support for Google, Microsoft, GitHub, and custom OIDC providers
- Implement OAuth SSO controller with endpoints for SSO configuration, login initiation, and callback handling
- Add routes for /api/auth/sso/* endpoints
- Update User entity and DAOs to support OAuth-linked accounts (oauthProvider, oauthSubject, email, displayName, avatarUrl)
- Update SystemConfig entity to include oauthSso field
- Update migration utility to handle OAuth SSO configuration and user fields
- Add OAuth callback page for frontend token handling
- Update LoginPage with SSO provider buttons and hybrid auth support
- Add i18n translations for OAuth SSO (English and Chinese)
- Add comprehensive tests for OAuth SSO service (13 new tests)

Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-12-31 15:17:07 +00:00
copilot-swe-agent[bot]
9319ea47e6 Initial plan 2025-12-31 14:57:01 +00:00
30 changed files with 1463 additions and 773 deletions
Expand all files Collapse all files

86
docs/configuration/mcp-settings.mdx
View File

@@ -259,92 +259,6 @@ MCPHub supports environment variable substitution using `${VAR_NAME}` syntax:
}
```
### Proxy Configuration (proxychains4)
MCPHub supports routing STDIO server network traffic through a proxy using **proxychains4**. This feature is available on **Linux and macOS only** (Windows is not supported).
<Note>
To use this feature, you must have `proxychains4` installed on your system:
- **Debian/Ubuntu**: `apt install proxychains4`
- **macOS**: `brew install proxychains-ng`
- **Arch Linux**: `pacman -S proxychains-ng`
</Note>
#### Basic Proxy Configuration
```json
{
"mcpServers": {
"fetch-via-proxy": {
"command": "uvx",
"args": ["mcp-server-fetch"],
"proxy": {
"enabled": true,
"type": "socks5",
"host": "127.0.0.1",
"port": 1080
}
}
}
}
```
#### Proxy Configuration Options
| Field | Type | Default | Description |
| ------------ | ------- | --------- | ------------------------------------------------ |
| `enabled` | boolean | `false` | Enable/disable proxy routing |
| `type` | string | `socks5` | Proxy protocol: `socks4`, `socks5`, or `http` |
| `host` | string | - | Proxy server hostname or IP address |
| `port` | number | - | Proxy server port |
| `username` | string | - | Proxy authentication username (optional) |
| `password` | string | - | Proxy authentication password (optional) |
| `configPath` | string | - | Path to custom proxychains4 config file |
#### Proxy with Authentication
```json
{
"mcpServers": {
"secure-server": {
"command": "npx",
"args": ["-y", "@example/mcp-server"],
"proxy": {
"enabled": true,
"type": "http",
"host": "proxy.example.com",
"port": 8080,
"username": "${PROXY_USER}",
"password": "${PROXY_PASSWORD}"
}
}
}
}
```
#### Using Custom proxychains4 Configuration
For advanced use cases, you can provide your own proxychains4 configuration file:
```json
{
"mcpServers": {
"custom-proxy-server": {
"command": "python",
"args": ["-m", "custom_mcp_server"],
"proxy": {
"enabled": true,
"configPath": "/etc/proxychains4/custom.conf"
}
}
}
}
```
<Tip>
When `configPath` is specified, all other proxy settings (`type`, `host`, `port`, etc.) are ignored, and the custom configuration file is used directly.
</Tip>
{/* ### Custom Server Scripts
#### Local Python Server

41
examples/mcp_settings_with_env_vars.json
View File

@@ -31,47 +31,6 @@
"DATABASE_URL": "${DATABASE_URL}"
}
},
"example-stdio-with-proxy": {
"type": "stdio",
"command": "uvx",
"args": [
"mcp-server-fetch"
],
"proxy": {
"enabled": true,
"type": "socks5",
"host": "${PROXY_HOST}",
"port": 1080
}
},
"example-stdio-with-auth-proxy": {
"type": "stdio",
"command": "npx",
"args": [
"-y",
"@example/mcp-server"
],
"proxy": {
"enabled": true,
"type": "http",
"host": "${HTTP_PROXY_HOST}",
"port": 8080,
"username": "${PROXY_USERNAME}",
"password": "${PROXY_PASSWORD}"
}
},
"example-stdio-with-custom-proxy-config": {
"type": "stdio",
"command": "python",
"args": [
"-m",
"custom_mcp_server"
],
"proxy": {
"enabled": true,
"configPath": "/etc/proxychains4/custom.conf"
}
},
"example-openapi-server": {
"type": "openapi",
"openapi": {

2
frontend/src/App.tsx
View File

@@ -8,6 +8,7 @@ import { SettingsProvider } from './contexts/SettingsContext';
import MainLayout from './layouts/MainLayout';
import ProtectedRoute from './components/ProtectedRoute';
import LoginPage from './pages/LoginPage';
import OAuthCallbackPage from './pages/OAuthCallbackPage';
import DashboardPage from './pages/Dashboard';
import ServersPage from './pages/ServersPage';
import GroupsPage from './pages/GroupsPage';
@@ -35,6 +36,7 @@ function App() {
<Routes>
{/* 公共路由 */}
<Route path="/login" element={<LoginPage />} />
<Route path="/oauth-callback" element={<OAuthCallbackPage />} />
{/* 受保护的路由,使用 MainLayout 作为布局容器 */}
<Route element={<ProtectedRoute />}>

18
frontend/src/components/ui/Pagination.tsx
View File

@@ -1,20 +1,16 @@
import React from 'react';
import { useTranslation } from 'react-i18next';
interface PaginationProps {
currentPage: number;
totalPages: number;
onPageChange: (page: number) => void;
disabled?: boolean;
}
const Pagination: React.FC<PaginationProps> = ({
currentPage,
totalPages,
onPageChange,
disabled = false
onPageChange
}) => {
const { t } = useTranslation();
// Generate page buttons
const getPageButtons = () => {
const buttons = [];
@@ -99,26 +95,26 @@ const Pagination: React.FC<PaginationProps> = ({
<div className="flex justify-center items-center my-6">
<button
onClick={() => onPageChange(Math.max(1, currentPage - 1))}
disabled={disabled || currentPage === 1}
className={`px-3 py-1 rounded mr-2 ${disabled || currentPage === 1
disabled={currentPage === 1}
className={`px-3 py-1 rounded mr-2 ${currentPage === 1
? 'bg-gray-100 text-gray-400 cursor-not-allowed'
: 'bg-gray-200 hover:bg-gray-300 text-gray-700 btn-secondary'
}`}
>
&laquo; {t('common.previous')}
&laquo; Prev
</button>
<div className="flex">{getPageButtons()}</div>
<button
onClick={() => onPageChange(Math.min(totalPages, currentPage + 1))}
disabled={disabled || currentPage === totalPages}
className={`px-3 py-1 rounded ml-2 ${disabled || currentPage === totalPages
disabled={currentPage === totalPages}
className={`px-3 py-1 rounded ml-2 ${currentPage === totalPages
? 'bg-gray-100 text-gray-400 cursor-not-allowed'
: 'bg-gray-200 hover:bg-gray-300 text-gray-700 btn-secondary'
}`}
>
{t('common.next')} &raquo;
Next &raquo;
</button>
</div>
);

67
frontend/src/contexts/ServerContext.tsx
View File

@@ -17,16 +17,6 @@ const CONFIG = {
},
};
// Pagination info type
interface PaginationInfo {
page: number;
limit: number;
total: number;
totalPages: number;
hasNextPage: boolean;
hasPrevPage: boolean;
}
// Context type definition
interface ServerContextType {
servers: Server[];
@@ -34,11 +24,6 @@ interface ServerContextType {
setError: (error: string | null) => void;
isLoading: boolean;
fetchAttempts: number;
pagination: PaginationInfo | null;
currentPage: number;
serversPerPage: number;
setCurrentPage: (page: number) => void;
setServersPerPage: (limit: number) => void;
triggerRefresh: () => void;
refreshIfNeeded: () => void; // Smart refresh with debounce
handleServerAdd: () => void;
@@ -60,9 +45,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
const [refreshKey, setRefreshKey] = useState(0);
const [isInitialLoading, setIsInitialLoading] = useState(true);
const [fetchAttempts, setFetchAttempts] = useState(0);
const [pagination, setPagination] = useState<PaginationInfo | null>(null);
const [currentPage, setCurrentPage] = useState(1);
const [serversPerPage, setServersPerPage] = useState(10);
// Timer reference for polling
const intervalRef = useRef<NodeJS.Timeout | null>(null);
@@ -91,31 +73,18 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
const fetchServers = async () => {
try {
console.log('[ServerContext] Fetching servers from API...');
// Build query parameters for pagination
const params = new URLSearchParams();
params.append('page', currentPage.toString());
params.append('limit', serversPerPage.toString());
const data = await apiGet(`/servers?${params.toString()}`);
const data = await apiGet('/servers');
// Update last fetch time
lastFetchTimeRef.current = Date.now();
if (data && data.success && Array.isArray(data.data)) {
setServers(data.data);
// Update pagination info if available
if (data.pagination) {
setPagination(data.pagination);
} else {
setPagination(null);
}
} else if (data && Array.isArray(data)) {
// Compatibility handling for non-paginated responses
setServers(data);
setPagination(null);
} else {
console.error('Invalid server data format:', data);
setServers([]);
setPagination(null);
}
// Reset error state
@@ -145,7 +114,7 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
// Set up regular polling
intervalRef.current = setInterval(fetchServers, CONFIG.normal.pollingInterval);
},
[t, currentPage, serversPerPage],
[t],
);
// Watch for authentication status changes
@@ -181,11 +150,7 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
const fetchInitialData = async () => {
try {
console.log('[ServerContext] Initial fetch - attempt', attemptsRef.current + 1);
// Build query parameters for pagination
const params = new URLSearchParams();
params.append('page', currentPage.toString());
params.append('limit', serversPerPage.toString());
const data = await apiGet(`/servers?${params.toString()}`);
const data = await apiGet('/servers');
// Update last fetch time
lastFetchTimeRef.current = Date.now();
@@ -193,12 +158,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
// Handle API response wrapper object, extract data field
if (data && data.success && Array.isArray(data.data)) {
setServers(data.data);
// Update pagination info if available
if (data.pagination) {
setPagination(data.pagination);
} else {
setPagination(null);
}
setIsInitialLoading(false);
// Initialization successful, start normal polling (skip immediate to avoid duplicate fetch)
startNormalPolling({ immediate: false });
@@ -206,7 +165,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
} else if (data && Array.isArray(data)) {
// Compatibility handling, if API directly returns array
setServers(data);
setPagination(null);
setIsInitialLoading(false);
// Initialization successful, start normal polling (skip immediate to avoid duplicate fetch)
startNormalPolling({ immediate: false });
@@ -215,7 +173,6 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
// If data format is not as expected, set to empty array
console.error('Invalid server data format:', data);
setServers([]);
setPagination(null);
setIsInitialLoading(false);
// Initialization successful but data is empty, start normal polling (skip immediate)
startNormalPolling({ immediate: false });
@@ -270,7 +227,7 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
return () => {
clearTimer();
};
}, [refreshKey, t, isInitialLoading, startNormalPolling, currentPage, serversPerPage]);
}, [refreshKey, t, isInitialLoading, startNormalPolling]);
// Manually trigger refresh (always refreshes)
const triggerRefresh = useCallback(() => {
@@ -426,28 +383,12 @@ export const ServerProvider: React.FC<{ children: React.ReactNode }> = ({ childr
[t, triggerRefresh],
);
// Handle page change
const handlePageChange = useCallback((page: number) => {
setCurrentPage(page);
}, []);
// Handle servers per page change
const handleServersPerPageChange = useCallback((limit: number) => {
setServersPerPage(limit);
setCurrentPage(1); // Reset to first page when changing page size
}, []);
const value: ServerContextType = {
servers,
error,
setError,
isLoading: isInitialLoading,
fetchAttempts,
pagination,
currentPage,
serversPerPage,
setCurrentPage: handlePageChange,
setServersPerPage: handleServersPerPageChange,
triggerRefresh,
refreshIfNeeded,
handleServerAdd,

202
frontend/src/pages/LoginPage.tsx
View File

@@ -1,11 +1,12 @@
import React, { useState, useMemo, useCallback } from 'react';
import React, { useState, useMemo, useCallback, useEffect } from 'react';
import { useLocation, useNavigate } from 'react-router-dom';
import { useTranslation } from 'react-i18next';
import { useAuth } from '../contexts/AuthContext';
import { getToken } from '../services/authService';
import { getToken, getOAuthSsoConfig, initiateOAuthSsoLogin } from '../services/authService';
import ThemeSwitch from '@/components/ui/ThemeSwitch';
import LanguageSwitch from '@/components/ui/LanguageSwitch';
import DefaultPasswordWarningModal from '@/components/ui/DefaultPasswordWarningModal';
import { OAuthSsoConfig, OAuthSsoProvider } from '../types';
const sanitizeReturnUrl = (value: string | null): string | null => {
if (!value) {
@@ -29,6 +30,44 @@ const sanitizeReturnUrl = (value: string | null): string | null => {
}
};
// Provider icon component
const ProviderIcon: React.FC<{ type: string; className?: string }> = ({ type, className = 'w-5 h-5' }) => {
switch (type) {
case 'google':
return (
<svg className={className} viewBox="0 0 24 24" fill="currentColor">
<path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z" fill="#4285F4"/>
<path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
<path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
<path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
</svg>
);
case 'microsoft':
return (
<svg className={className} viewBox="0 0 24 24" fill="currentColor">
<path d="M11.4 11.4H2V2h9.4v9.4z" fill="#F25022"/>
<path d="M22 11.4h-9.4V2H22v9.4z" fill="#7FBA00"/>
<path d="M11.4 22H2v-9.4h9.4V22z" fill="#00A4EF"/>
<path d="M22 22h-9.4v-9.4H22V22z" fill="#FFB900"/>
</svg>
);
case 'github':
return (
<svg className={className} viewBox="0 0 24 24" fill="currentColor">
<path fillRule="evenodd" clipRule="evenodd" d="M12 2C6.477 2 2 6.477 2 12c0 4.42 2.865 8.17 6.839 9.49.5.092.682-.217.682-.482 0-.237-.009-.866-.013-1.7-2.782.604-3.369-1.34-3.369-1.34-.454-1.156-1.11-1.464-1.11-1.464-.908-.62.069-.608.069-.608 1.003.07 1.531 1.03 1.531 1.03.892 1.529 2.341 1.087 2.91.831.092-.646.35-1.086.636-1.336-2.22-.253-4.555-1.11-4.555-4.943 0-1.091.39-1.984 1.029-2.683-.103-.253-.446-1.27.098-2.647 0 0 .84-.269 2.75 1.025A9.578 9.578 0 0112 6.836c.85.004 1.705.115 2.504.337 1.909-1.294 2.747-1.025 2.747-1.025.546 1.377.203 2.394.1 2.647.64.699 1.028 1.592 1.028 2.683 0 3.842-2.339 4.687-4.566 4.935.359.309.678.919.678 1.852 0 1.336-.012 2.415-.012 2.743 0 .267.18.579.688.481C19.137 20.167 22 16.418 22 12c0-5.523-4.477-10-10-10z"/>
</svg>
);
default:
return (
<svg className={className} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
<path d="M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"/>
<polyline points="10 17 15 12 10 7"/>
<line x1="15" y1="12" x2="3" y2="12"/>
</svg>
);
}
};
const LoginPage: React.FC = () => {
const { t } = useTranslation();
const [username, setUsername] = useState('');
@@ -36,6 +75,7 @@ const LoginPage: React.FC = () => {
const [error, setError] = useState<string | null>(null);
const [loading, setLoading] = useState(false);
const [showDefaultPasswordWarning, setShowDefaultPasswordWarning] = useState(false);
const [ssoConfig, setSsoConfig] = useState<OAuthSsoConfig | null>(null);
const { login } = useAuth();
const location = useLocation();
const navigate = useNavigate();
@@ -44,6 +84,25 @@ const LoginPage: React.FC = () => {
return sanitizeReturnUrl(params.get('returnUrl'));
}, [location.search]);
// Check for OAuth error in URL params
useEffect(() => {
const params = new URLSearchParams(location.search);
const oauthError = params.get('error');
const oauthMessage = params.get('message');
if (oauthError === 'oauth_failed' && oauthMessage) {
setError(oauthMessage);
}
}, [location.search]);
// Load OAuth SSO configuration
useEffect(() => {
const loadSsoConfig = async () => {
const config = await getOAuthSsoConfig();
setSsoConfig(config);
};
loadSsoConfig();
}, []);
const isServerUnavailableError = useCallback((message?: string) => {
if (!message) return false;
const normalized = message.toLowerCase();
@@ -137,11 +196,18 @@ const LoginPage: React.FC = () => {
}
};
const handleSsoLogin = (provider: OAuthSsoProvider) => {
initiateOAuthSsoLogin(provider.id, returnUrl || undefined);
};
const handleCloseWarning = () => {
setShowDefaultPasswordWarning(false);
redirectAfterLogin();
};
const showLocalAuth = !ssoConfig?.enabled || ssoConfig.localAuthAllowed;
const showSsoProviders = ssoConfig?.enabled && ssoConfig.providers.length > 0;
return (
<div className="relative min-h-screen w-full overflow-hidden bg-gray-50 dark:bg-gray-950">
{/* Top-right controls */}
@@ -193,58 +259,100 @@ const LoginPage: React.FC = () => {
<div className="login-card relative w-full rounded-2xl border border-white/10 bg-white/60 p-8 shadow-xl backdrop-blur-md transition dark:border-white/10 dark:bg-gray-900/60">
<div className="absolute -top-24 right-12 h-40 w-40 -translate-y-6 rounded-full bg-indigo-500/30 blur-3xl" />
<div className="absolute -bottom-24 -left-12 h-40 w-40 translate-y-6 rounded-full bg-cyan-500/20 blur-3xl" />
<form className="mt-4 space-y-4" onSubmit={handleSubmit}>
<div className="space-y-4">
<div>
<label htmlFor="username" className="sr-only">
{t('auth.username')}
</label>
<input
id="username"
name="username"
type="text"
autoComplete="username"
required
className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
placeholder={t('auth.username')}
value={username}
onChange={(e) => setUsername(e.target.value)}
/>
{/* SSO Providers */}
{showSsoProviders && (
<div className="mt-4 space-y-3">
{ssoConfig.providers.map((provider) => (
<button
key={provider.id}
type="button"
onClick={() => handleSsoLogin(provider)}
className="group relative flex w-full items-center justify-center gap-3 rounded-md border border-gray-300/60 bg-white/80 px-4 py-3 text-sm font-medium text-gray-700 shadow-sm transition-all hover:bg-gray-50 hover:shadow focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 dark:border-gray-600/60 dark:bg-gray-800/80 dark:text-gray-200 dark:hover:bg-gray-700/80"
>
<ProviderIcon type={provider.icon || provider.type} />
<span>{provider.buttonText || t('oauthSso.signInWith', { provider: provider.name })}</span>
</button>
))}
</div>
)}
{/* Divider between SSO and local auth */}
{showSsoProviders && showLocalAuth && (
<div className="relative my-6">
<div className="absolute inset-0 flex items-center">
<div className="w-full border-t border-gray-300/60 dark:border-gray-600/60" />
</div>
<div>
<label htmlFor="password" className="sr-only">
{t('auth.password')}
</label>
<input
id="password"
name="password"
type="password"
autoComplete="current-password"
required
className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
placeholder={t('auth.password')}
value={password}
onChange={(e) => setPassword(e.target.value)}
/>
<div className="relative flex justify-center text-sm">
<span className="bg-white/60 px-4 text-gray-500 dark:bg-gray-900/60 dark:text-gray-400">
{t('oauthSso.orContinueWith')}
</span>
</div>
</div>
)}
{error && (
<div className="error-box rounded border border-red-500/20 bg-red-500/10 p-2 text-center text-sm text-red-600 dark:text-red-400">
{error}
{/* Local auth form */}
{showLocalAuth && (
<form className="mt-4 space-y-4" onSubmit={handleSubmit}>
<div className="space-y-4">
<div>
<label htmlFor="username" className="sr-only">
{t('auth.username')}
</label>
<input
id="username"
name="username"
type="text"
autoComplete="username"
required
className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
placeholder={t('auth.username')}
value={username}
onChange={(e) => setUsername(e.target.value)}
/>
</div>
<div>
<label htmlFor="password" className="sr-only">
{t('auth.password')}
</label>
<input
id="password"
name="password"
type="password"
autoComplete="current-password"
required
className="login-input appearance-none relative block w-full rounded-md border border-gray-300/60 bg-white/70 px-3 py-3 text-gray-900 shadow-sm outline-none ring-0 transition-all placeholder:text-gray-500 focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500 dark:border-gray-700/60 dark:bg-gray-800/70 dark:text-white dark:placeholder:text-gray-400"
placeholder={t('auth.password')}
value={password}
onChange={(e) => setPassword(e.target.value)}
/>
</div>
</div>
)}
<div>
<button
type="submit"
disabled={loading}
className="login-button btn-primary group relative flex w-full items-center justify-center rounded-md border border-transparent bg-indigo-600 px-4 py-2 text-sm font-medium text-white transition-all hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-70"
>
{loading ? t('auth.loggingIn') : t('auth.login')}
</button>
{error && (
<div className="error-box rounded border border-red-500/20 bg-red-500/10 p-2 text-center text-sm text-red-600 dark:text-red-400">
{error}
</div>
)}
<div>
<button
type="submit"
disabled={loading}
className="login-button btn-primary group relative flex w-full items-center justify-center rounded-md border border-transparent bg-indigo-600 px-4 py-2 text-sm font-medium text-white transition-all hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-70"
>
{loading ? t('auth.loggingIn') : t('auth.login')}
</button>
</div>
</form>
)}
{/* Error display for SSO-only mode */}
{!showLocalAuth && error && (
<div className="mt-4 error-box rounded border border-red-500/20 bg-red-500/10 p-2 text-center text-sm text-red-600 dark:text-red-400">
{error}
</div>
</form>
)}
</div>
</div>
</div>

42
frontend/src/pages/OAuthCallbackPage.tsx Normal file
View File

@@ -0,0 +1,42 @@
import React, { useEffect } from 'react';
import { useNavigate, useSearchParams } from 'react-router-dom';
import { setToken } from '../services/authService';
/**
* OAuth Callback Page
*
* This page handles the callback from OAuth SSO providers.
* It receives the JWT token as a query parameter, stores it, and redirects to the app.
*/
const OAuthCallbackPage: React.FC = () => {
const navigate = useNavigate();
const [searchParams] = useSearchParams();
useEffect(() => {
const token = searchParams.get('token');
const returnUrl = searchParams.get('returnUrl') || '/';
if (token) {
// Store the token
setToken(token);
// Redirect to the return URL
navigate(returnUrl, { replace: true });
} else {
// No token - redirect to login with error
navigate('/login?error=oauth_failed&message=No+token+received', { replace: true });
}
}, [searchParams, navigate]);
// Show loading state while processing
return (
<div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950">
<div className="text-center">
<div className="animate-spin rounded-full h-12 w-12 border-t-2 border-b-2 border-indigo-500 mx-auto"></div>
<p className="mt-4 text-gray-600 dark:text-gray-400">Completing authentication...</p>
</div>
</div>
);
};
export default OAuthCallbackPage;

79
frontend/src/pages/ServersPage.tsx
View File

@@ -8,7 +8,6 @@ import EditServerForm from '@/components/EditServerForm';
import { useServerData } from '@/hooks/useServerData';
import DxtUploadForm from '@/components/DxtUploadForm';
import JSONImportForm from '@/components/JSONImportForm';
import Pagination from '@/components/ui/Pagination';
const ServersPage: React.FC = () => {
const { t } = useTranslation();
@@ -18,11 +17,6 @@ const ServersPage: React.FC = () => {
error,
setError,
isLoading,
pagination,
currentPage,
serversPerPage,
setCurrentPage,
setServersPerPage,
handleServerAdd,
handleServerEdit,
handleServerRemove,
@@ -157,66 +151,19 @@ const ServersPage: React.FC = () => {
<p className="text-gray-600">{t('app.noServers')}</p>
</div>
) : (
<>
<div className="space-y-6">
{servers.map((server, index) => (
<ServerCard
key={index}
server={server}
onRemove={handleServerRemove}
onEdit={handleEditClick}
onToggle={handleServerToggle}
onRefresh={triggerRefresh}
onReload={handleServerReload}
/>
))}
</div>
<div className="flex items-center mb-4">
<div className="flex-[2] text-sm text-gray-500">
{pagination ? (
t('common.showing', {
start: (pagination.page - 1) * pagination.limit + 1,
end: Math.min(pagination.page * pagination.limit, pagination.total),
total: pagination.total
})
) : (
t('common.showing', {
start: 1,
end: servers.length,
total: servers.length
})
)}
</div>
<div className="flex-[4] flex justify-center">
{pagination && pagination.totalPages > 1 && (
<Pagination
currentPage={currentPage}
totalPages={pagination.totalPages}
onPageChange={setCurrentPage}
disabled={isLoading}
/>
)}
</div>
<div className="flex-[2] flex items-center justify-end space-x-2">
<label htmlFor="perPage" className="text-sm text-gray-600">
{t('common.itemsPerPage')}:
</label>
<select
id="perPage"
value={serversPerPage}
onChange={(e) => setServersPerPage(Number(e.target.value))}
disabled={isLoading}
className="border rounded p-1 text-sm btn-secondary outline-none disabled:opacity-50 disabled:cursor-not-allowed"
>
<option value={5}>5</option>
<option value={10}>10</option>
<option value={20}>20</option>
<option value={50}>50</option>
</select>
</div>
</div>
</>
<div className="space-y-6">
{servers.map((server, index) => (
<ServerCard
key={index}
server={server}
onRemove={handleServerRemove}
onEdit={handleEditClick}
onToggle={handleServerToggle}
onRefresh={triggerRefresh}
onReload={handleServerReload}
/>
))}
</div>
)}
{editingServer && (

25
frontend/src/services/authService.ts
View File

@@ -3,6 +3,7 @@ import {
LoginCredentials,
RegisterCredentials,
ChangePasswordCredentials,
OAuthSsoConfig,
} from '../types';
import { apiPost, apiGet } from '../utils/fetchInterceptor';
import { getToken, setToken, removeToken } from '../utils/interceptors';
@@ -105,6 +106,30 @@ export const changePassword = async (
}
};
// Get OAuth SSO configuration
export const getOAuthSsoConfig = async (): Promise<OAuthSsoConfig | null> => {
try {
const response = await apiGet<{ success: boolean; data: OAuthSsoConfig }>('/auth/sso/config');
if (response.success && response.data) {
return response.data;
}
return null;
} catch (error) {
console.error('Get OAuth SSO config error:', error);
return null;
}
};
// Initiate OAuth SSO login (redirects to provider)
export const initiateOAuthSsoLogin = (providerId: string, returnUrl?: string): void => {
const basePath = import.meta.env.VITE_BASE_PATH || '';
let url = `${basePath}/api/auth/sso/${providerId}`;
if (returnUrl) {
url += `?returnUrl=${encodeURIComponent(returnUrl)}`;
}
window.location.href = url;
};
// Logout user
export const logout = (): void => {
removeToken();

28
frontend/src/types/index.ts
View File

@@ -105,17 +105,6 @@ export interface Prompt {
enabled?: boolean;
}
// Proxychains4 configuration for STDIO servers (Linux/macOS only)
export interface ProxychainsConfig {
enabled?: boolean; // Enable/disable proxychains4 proxy routing
type?: 'socks4' | 'socks5' | 'http'; // Proxy protocol type
host?: string; // Proxy server hostname or IP address
port?: number; // Proxy server port
username?: string; // Proxy authentication username (optional)
password?: string; // Proxy authentication password (optional)
configPath?: string; // Path to custom proxychains4 configuration file (optional)
}
// Server config types
export interface ServerConfig {
type?: 'stdio' | 'sse' | 'streamable-http' | 'openapi';
@@ -134,8 +123,6 @@ export interface ServerConfig {
resetTimeoutOnProgress?: boolean; // Reset timeout on progress notifications
maxTotalTimeout?: number; // Maximum total timeout in milliseconds
}; // MCP request options configuration
// Proxychains4 proxy configuration for STDIO servers (Linux/macOS only, Windows not supported)
proxy?: ProxychainsConfig;
// OAuth authentication for upstream MCP servers
oauth?: {
clientId?: string; // OAuth client ID
@@ -394,6 +381,21 @@ export interface AuthResponse {
isUsingDefaultPassword?: boolean;
}
// OAuth SSO types
export interface OAuthSsoProvider {
id: string;
name: string;
type: string;
icon?: string;
buttonText?: string;
}
export interface OAuthSsoConfig {
enabled: boolean;
providers: OAuthSsoProvider[];
localAuthAllowed: boolean;
}
// Official Registry types (from registry.modelcontextprotocol.io)
export interface RegistryVariable {
choices?: string[];

24
locales/en.json
View File

@@ -248,10 +248,6 @@
"wechat": "WeChat",
"discord": "Discord",
"required": "Required",
"itemsPerPage": "Items per page",
"showing": "Showing {{start}}-{{end}} of {{total}}",
"previous": "Previous",
"next": "Next",
"secret": "Secret",
"default": "Default",
"value": "Value",
@@ -844,5 +840,25 @@
"internalError": "Internal Error",
"internalErrorMessage": "An unexpected error occurred while processing the OAuth callback.",
"closeWindow": "Close Window"
},
"oauthSso": {
"errors": {
"providerIdRequired": "Provider ID is required",
"providerNotFound": "OAuth provider not found",
"missingState": "Missing OAuth state parameter",
"missingCode": "Missing authorization code",
"invalidState": "Invalid or expired OAuth state",
"authFailed": "OAuth authentication failed",
"userNotProvisioned": "User not found and auto-provisioning is disabled"
},
"signInWith": "Sign in with {{provider}}",
"orContinueWith": "Or continue with",
"continueWithProvider": "Continue with {{provider}}",
"loginWithSso": "Login with SSO",
"providers": {
"google": "Google",
"microsoft": "Microsoft",
"github": "GitHub"
}
}
}

4
locales/fr.json
View File

@@ -248,10 +248,6 @@
"github": "GitHub",
"wechat": "WeChat",
"discord": "Discord",
"itemsPerPage": "Éléments par page",
"showing": "Affichage de {{start}}-{{end}} sur {{total}}",
"previous": "Précédent",
"next": "Suivant",
"required": "Requis",
"secret": "Secret",
"default": "Défaut",

4
locales/tr.json
View File

@@ -248,10 +248,6 @@
"github": "GitHub",
"wechat": "WeChat",
"discord": "Discord",
"itemsPerPage": "Sayfa başına öğe",
"showing": "{{total}} öğeden {{start}}-{{end}} gösteriliyor",
"previous": "Önceki",
"next": "Sonraki",
"required": "Gerekli",
"secret": "Gizli",
"default": "Varsayılan",

24
locales/zh.json
View File

@@ -248,10 +248,6 @@
"dismiss": "忽略",
"github": "GitHub",
"wechat": "微信",
"itemsPerPage": "每页显示",
"showing": "显示第 {{start}}-{{end}} 条,共 {{total}} 条",
"previous": "上一页",
"next": "下一页",
"discord": "Discord",
"required": "必填",
"secret": "敏感",
@@ -846,5 +842,25 @@
"internalError": "内部错误",
"internalErrorMessage": "处理 OAuth 回调时发生意外错误。",
"closeWindow": "关闭窗口"
},
"oauthSso": {
"errors": {
"providerIdRequired": "需要提供身份验证提供商 ID",
"providerNotFound": "未找到 OAuth 身份验证提供商",
"missingState": "缺少 OAuth 状态参数",
"missingCode": "缺少授权码",
"invalidState": "OAuth 状态无效或已过期",
"authFailed": "OAuth 身份验证失败",
"userNotProvisioned": "用户未找到且自动创建用户已禁用"
},
"signInWith": "使用 {{provider}} 登录",
"orContinueWith": "或使用以下方式继续",
"continueWithProvider": "使用 {{provider}} 继续",
"loginWithSso": "使用 SSO 登录",
"providers": {
"google": "Google",
"microsoft": "Microsoft",
"github": "GitHub"
}
}
}

245
src/controllers/oauthSsoController.ts Normal file
View File

@@ -0,0 +1,245 @@
/**
* OAuth SSO Controller
*
* Handles OAuth SSO authentication endpoints.
*/
import { Request, Response } from 'express';
import jwt from 'jsonwebtoken';
import {
generateAuthorizationUrl,
handleCallback,
getPublicProviderInfo,
isLocalAuthAllowed,
isOAuthSsoEnabled,
getOAuthSsoConfig as getSsoConfigFromService,
} from '../services/oauthSsoService.js';
import { JWT_SECRET } from '../config/jwt.js';
import config from '../config/index.js';
const TOKEN_EXPIRY = '24h';
/**
* Get the base URL for OAuth callbacks
* Uses configured callbackBaseUrl if available, otherwise derives from request
* This approach is more secure than blindly trusting forwarded headers
*/
async function getCallbackBaseUrl(req: Request): Promise<string> {
// First, check if a callback base URL is configured (most secure option)
const ssoConfig = await getSsoConfigFromService();
if (ssoConfig?.callbackBaseUrl) {
return ssoConfig.callbackBaseUrl;
}
// Fall back to deriving from request (less secure, but works in simpler setups)
// Only trust forwarded headers if app is configured to trust proxy
if (req.app.get('trust proxy') && req.headers['x-forwarded-proto'] && req.headers['x-forwarded-host']) {
const proto = Array.isArray(req.headers['x-forwarded-proto'])
? req.headers['x-forwarded-proto'][0]
: req.headers['x-forwarded-proto'];
const host = Array.isArray(req.headers['x-forwarded-host'])
? req.headers['x-forwarded-host'][0]
: req.headers['x-forwarded-host'];
return `${proto}://${host}`;
}
return `${req.protocol}://${req.get('host')}`;
}
/**
* Get OAuth SSO configuration for frontend
* Returns enabled providers and whether local auth is allowed
*/
export const getOAuthSsoConfig = async (req: Request, res: Response): Promise<void> => {
try {
const enabled = await isOAuthSsoEnabled();
const providers = await getPublicProviderInfo();
const localAuthAllowed = await isLocalAuthAllowed();
res.json({
success: true,
data: {
enabled,
providers,
localAuthAllowed,
},
});
} catch (error) {
console.error('Error getting OAuth SSO config:', error);
res.status(500).json({
success: false,
message: 'Failed to get OAuth SSO configuration',
});
}
};
/**
* Initiate OAuth SSO login
* Redirects user to the OAuth provider's authorization page
*/
export const initiateOAuthLogin = async (req: Request, res: Response): Promise<void> => {
const t = (req as any).t || ((key: string) => key);
try {
const { providerId } = req.params;
const { returnUrl } = req.query;
if (!providerId) {
res.status(400).json({
success: false,
message: t('oauthSso.errors.providerIdRequired'),
});
return;
}
// Build callback URL
// Note: Use configured callback base URL from oauthSso config if available
// This avoids relying on potentially untrusted forwarded headers
const baseUrl = await getCallbackBaseUrl(req);
const callbackUrl = `${baseUrl}${config.basePath}/api/auth/sso/${providerId}/callback`;
// Generate authorization URL
const { url } = await generateAuthorizationUrl(
providerId,
callbackUrl,
typeof returnUrl === 'string' ? returnUrl : undefined,
);
// Redirect to OAuth provider
res.redirect(url);
} catch (error) {
console.error('Error initiating OAuth login:', error);
const errorMessage = error instanceof Error ? error.message : 'Failed to initiate OAuth login';
res.status(500).json({
success: false,
message: errorMessage,
});
}
};
/**
* Handle OAuth callback from provider
* Exchanges code for tokens and creates/updates user
*/
export const handleOAuthCallback = async (req: Request, res: Response): Promise<void> => {
const t = (req as any).t || ((key: string) => key);
try {
const { providerId } = req.params;
const { code, state, error, error_description } = req.query;
// Handle OAuth errors
if (error) {
console.error(`OAuth error from provider ${providerId}:`, error, error_description);
const errorUrl = buildErrorRedirectUrl(String(error_description || error), req);
return res.redirect(errorUrl);
}
// Validate required parameters
if (!state) {
const errorUrl = buildErrorRedirectUrl(t('oauthSso.errors.missingState'), req);
return res.redirect(errorUrl);
}
if (!code) {
const errorUrl = buildErrorRedirectUrl(t('oauthSso.errors.missingCode'), req);
return res.redirect(errorUrl);
}
// Build callback URL (same as used in initiate)
const baseUrl = await getCallbackBaseUrl(req);
const callbackUrl = `${baseUrl}${config.basePath}/api/auth/sso/${providerId}/callback`;
// Full current URL with query params
const currentUrl = `${callbackUrl}?${new URLSearchParams(req.query as Record<string, string>).toString()}`;
// Exchange code for tokens and get user
const { user, returnUrl } = await handleCallback(
callbackUrl,
currentUrl,
String(state),
);
// Generate JWT token
const payload = {
user: {
username: user.username,
isAdmin: user.isAdmin || false,
},
};
const token = jwt.sign(payload, JWT_SECRET, { expiresIn: TOKEN_EXPIRY });
// Redirect to frontend with token
const redirectUrl = buildSuccessRedirectUrl(token, returnUrl, req);
res.redirect(redirectUrl);
} catch (error) {
console.error('Error handling OAuth callback:', error);
const errorMessage =
error instanceof Error ? error.message : 'Authentication failed';
const errorUrl = buildErrorRedirectUrl(errorMessage, req);
res.redirect(errorUrl);
}
};
/**
* Get list of available OAuth providers
*/
export const listOAuthProviders = async (req: Request, res: Response): Promise<void> => {
try {
const providers = await getPublicProviderInfo();
res.json({
success: true,
data: providers,
});
} catch (error) {
console.error('Error listing OAuth providers:', error);
res.status(500).json({
success: false,
message: 'Failed to list OAuth providers',
});
}
};
/**
* Build redirect URL for successful authentication
*/
function buildSuccessRedirectUrl(token: string, returnUrl: string | undefined, req: Request): string {
const baseUrl = getBaseUrl(req);
const targetPath = returnUrl || '/';
// Use a special OAuth callback page that stores the token
const callbackPath = `${config.basePath}/oauth-callback`;
const params = new URLSearchParams({
token,
returnUrl: targetPath,
});
return `${baseUrl}${callbackPath}?${params.toString()}`;
}
/**
* Build redirect URL for authentication errors
*/
function buildErrorRedirectUrl(error: string, req: Request): string {
const baseUrl = getBaseUrl(req);
const loginPath = `${config.basePath}/login`;
const params = new URLSearchParams({
error: 'oauth_failed',
message: error,
});
return `${baseUrl}${loginPath}?${params.toString()}`;
}
/**
* Get base URL from request
*/
function getBaseUrl(req: Request): string {
if (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-host']) {
return `${req.headers['x-forwarded-proto']}://${req.headers['x-forwarded-host']}`;
}
return `${req.protocol}://${req.get('host')}`;
}

61
src/controllers/serverController.ts
View File

@@ -7,7 +7,6 @@ import {
BatchCreateServersResponse,
BatchServerResult,
ServerConfig,
ServerInfo,
} from '../types/index.js';
import {
getServersInfo,
@@ -25,66 +24,13 @@ import { createSafeJSON } from '../utils/serialization.js';
import { cloneDefaultOAuthServerConfig } from '../constants/oauthServerDefaults.js';
import { getServerDao, getGroupDao, getSystemConfigDao } from '../dao/DaoFactory.js';
import { getBearerKeyDao } from '../dao/DaoFactory.js';
import { UserContextService } from '../services/userContextService.js';
export const getAllServers = async (req: Request, res: Response): Promise<void> => {
export const getAllServers = async (_: Request, res: Response): Promise<void> => {
try {
// Parse pagination parameters from query string
const page = req.query.page ? parseInt(req.query.page as string, 10) : 1;
const limit = req.query.limit ? parseInt(req.query.limit as string, 10) : undefined;
// Validate pagination parameters
if (page < 1) {
res.status(400).json({
success: false,
message: 'Page number must be greater than 0',
});
return;
}
if (limit !== undefined && (limit < 1 || limit > 1000)) {
res.status(400).json({
success: false,
message: 'Limit must be between 1 and 1000',
});
return;
}
// Get current user for filtering
const currentUser = UserContextService.getInstance().getCurrentUser();
const isAdmin = !currentUser || currentUser.isAdmin;
// Get servers info with pagination if limit is specified
let serversInfo: Omit<ServerInfo, 'client' | 'transport'>[];
let pagination = undefined;
if (limit !== undefined) {
// Use DAO layer pagination with proper filtering
const serverDao = getServerDao();
const paginatedResult = isAdmin
? await serverDao.findAllPaginated(page, limit)
: await serverDao.findByOwnerPaginated(currentUser!.username, page, limit);
// Get runtime info for paginated servers
serversInfo = await getServersInfo(page, limit, currentUser);
pagination = {
page: paginatedResult.page,
limit: paginatedResult.limit,
total: paginatedResult.total,
totalPages: paginatedResult.totalPages,
hasNextPage: paginatedResult.page < paginatedResult.totalPages,
hasPrevPage: paginatedResult.page > 1,
};
} else {
// No pagination, get all servers (will be filtered by mcpService)
serversInfo = await getServersInfo();
}
const serversInfo = await getServersInfo();
const response: ApiResponse = {
success: true,
data: createSafeJSON(serversInfo),
...(pagination && { pagination }),
};
res.json(response);
} catch (error) {
@@ -618,9 +564,10 @@ export const updateServer = async (req: Request, res: Response): Promise<void> =
});
}
} catch (error) {
console.error('Failed to update server:', error);
res.status(500).json({
success: false,
message: 'Internal server error',
message: error instanceof Error ? error.message : 'Internal server error',
});
}
};

76
src/dao/ServerDao.ts
View File

@@ -2,31 +2,10 @@ import { ServerConfig } from '../types/index.js';
import { BaseDao } from './base/BaseDao.js';
import { JsonFileBaseDao } from './base/JsonFileBaseDao.js';
/**
* Pagination result interface
*/
export interface PaginatedResult<T> {
data: T[];
total: number;
page: number;
limit: number;
totalPages: number;
}
/**
* Server DAO interface with server-specific operations
*/
export interface ServerDao extends BaseDao<ServerConfigWithName, string> {
/**
* Find all servers with pagination
*/
findAllPaginated(page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>>;
/**
* Find servers by owner with pagination
*/
findByOwnerPaginated(owner: string, page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>>;
/**
* Find servers by owner
*/
@@ -197,61 +176,6 @@ export class ServerDaoImpl extends JsonFileBaseDao implements ServerDao {
return servers.length;
}
async findAllPaginated(page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
const allServers = await this.getAll();
// Sort: enabled servers first, then by creation time
const sortedServers = allServers.sort((a, b) => {
const aEnabled = a.enabled !== false;
const bEnabled = b.enabled !== false;
if (aEnabled !== bEnabled) {
return aEnabled ? -1 : 1;
}
return 0; // Keep original order for same enabled status
});
const total = sortedServers.length;
const totalPages = Math.ceil(total / limit);
const startIndex = (page - 1) * limit;
const endIndex = startIndex + limit;
const data = sortedServers.slice(startIndex, endIndex);
return {
data,
total,
page,
limit,
totalPages,
};
}
async findByOwnerPaginated(owner: string, page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
const allServers = await this.getAll();
const filteredServers = allServers.filter((server) => server.owner === owner);
// Sort: enabled servers first, then by creation time
const sortedServers = filteredServers.sort((a, b) => {
const aEnabled = a.enabled !== false;
const bEnabled = b.enabled !== false;
if (aEnabled !== bEnabled) {
return aEnabled ? -1 : 1;
}
return 0; // Keep original order for same enabled status
});
const total = sortedServers.length;
const totalPages = Math.ceil(total / limit);
const startIndex = (page - 1) * limit;
const endIndex = startIndex + limit;
const data = sortedServers.slice(startIndex, endIndex);
return {
data,
total,
page,
limit,
totalPages,
};
}
async findByOwner(owner: string): Promise<ServerConfigWithName[]> {
const servers = await this.getAll();
return servers.filter((server) => server.owner === owner);

32
src/dao/ServerDaoDbImpl.ts
View File

@@ -1,4 +1,4 @@
import { ServerDao, ServerConfigWithName, PaginatedResult } from './index.js';
import { ServerDao, ServerConfigWithName } from './index.js';
import { ServerRepository } from '../db/repositories/ServerRepository.js';
/**
@@ -16,32 +16,6 @@ export class ServerDaoDbImpl implements ServerDao {
return servers.map((s) => this.mapToServerConfig(s));
}
async findAllPaginated(page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
const { data, total } = await this.repository.findAllPaginated(page, limit);
const totalPages = Math.ceil(total / limit);
return {
data: data.map((s) => this.mapToServerConfig(s)),
total,
page,
limit,
totalPages,
};
}
async findByOwnerPaginated(owner: string, page: number, limit: number): Promise<PaginatedResult<ServerConfigWithName>> {
const { data, total } = await this.repository.findByOwnerPaginated(owner, page, limit);
const totalPages = Math.ceil(total / limit);
return {
data: data.map((s) => this.mapToServerConfig(s)),
total,
page,
limit,
totalPages,
};
}
async findById(name: string): Promise<ServerConfigWithName | null> {
const server = await this.repository.findByName(name);
return server ? this.mapToServerConfig(server) : null;
@@ -64,7 +38,6 @@ export class ServerDaoDbImpl implements ServerDao {
prompts: entity.prompts,
options: entity.options,
oauth: entity.oauth,
proxy: entity.proxy,
openapi: entity.openapi,
});
return this.mapToServerConfig(server);
@@ -89,7 +62,6 @@ export class ServerDaoDbImpl implements ServerDao {
prompts: entity.prompts,
options: entity.options,
oauth: entity.oauth,
proxy: entity.proxy,
openapi: entity.openapi,
});
return server ? this.mapToServerConfig(server) : null;
@@ -168,7 +140,6 @@ export class ServerDaoDbImpl implements ServerDao {
prompts?: Record<string, { enabled: boolean; description?: string }>;
options?: Record<string, any>;
oauth?: Record<string, any>;
proxy?: Record<string, any>;
openapi?: Record<string, any>;
}): ServerConfigWithName {
return {
@@ -187,7 +158,6 @@ export class ServerDaoDbImpl implements ServerDao {
prompts: server.prompts,
options: server.options,
oauth: server.oauth,
proxy: server.proxy,
openapi: server.openapi,
};
}

3
src/dao/SystemConfigDaoDbImpl.ts
View File

@@ -22,6 +22,7 @@ export class SystemConfigDaoDbImpl implements SystemConfigDao {
nameSeparator: config.nameSeparator,
oauth: config.oauth as any,
oauthServer: config.oauthServer as any,
oauthSso: config.oauthSso as any,
enableSessionRebuild: config.enableSessionRebuild,
};
}
@@ -36,6 +37,7 @@ export class SystemConfigDaoDbImpl implements SystemConfigDao {
nameSeparator: updated.nameSeparator,
oauth: updated.oauth as any,
oauthServer: updated.oauthServer as any,
oauthSso: updated.oauthSso as any,
enableSessionRebuild: updated.enableSessionRebuild,
};
}
@@ -50,6 +52,7 @@ export class SystemConfigDaoDbImpl implements SystemConfigDao {
nameSeparator: config.nameSeparator,
oauth: config.oauth as any,
oauthServer: config.oauthServer as any,
oauthSso: config.oauthSso as any,
enableSessionRebuild: config.enableSessionRebuild,
};
}

51
src/dao/UserDaoDbImpl.ts
View File

@@ -13,23 +13,28 @@ export class UserDaoDbImpl implements UserDao {
this.repository = new UserRepository();
}
async findAll(): Promise<IUser[]> {
const users = await this.repository.findAll();
return users.map((u) => ({
private mapToIUser(u: any): IUser {
return {
username: u.username,
password: u.password,
isAdmin: u.isAdmin,
}));
oauthProvider: u.oauthProvider,
oauthSubject: u.oauthSubject,
email: u.email,
displayName: u.displayName,
avatarUrl: u.avatarUrl,
};
}
async findAll(): Promise<IUser[]> {
const users = await this.repository.findAll();
return users.map(this.mapToIUser);
}
async findById(username: string): Promise<IUser | null> {
const user = await this.repository.findByUsername(username);
if (!user) return null;
return {
username: user.username,
password: user.password,
isAdmin: user.isAdmin,
};
return this.mapToIUser(user);
}
async findByUsername(username: string): Promise<IUser | null> {
@@ -41,12 +46,13 @@ export class UserDaoDbImpl implements UserDao {
username: entity.username,
password: entity.password,
isAdmin: entity.isAdmin || false,
oauthProvider: entity.oauthProvider,
oauthSubject: entity.oauthSubject,
email: entity.email,
displayName: entity.displayName,
avatarUrl: entity.avatarUrl,
});
return {
username: user.username,
password: user.password,
isAdmin: user.isAdmin,
};
return this.mapToIUser(user);
}
async createWithHashedPassword(
@@ -62,13 +68,14 @@ export class UserDaoDbImpl implements UserDao {
const user = await this.repository.update(username, {
password: entity.password,
isAdmin: entity.isAdmin,
oauthProvider: entity.oauthProvider,
oauthSubject: entity.oauthSubject,
email: entity.email,
displayName: entity.displayName,
avatarUrl: entity.avatarUrl,
});
if (!user) return null;
return {
username: user.username,
password: user.password,
isAdmin: user.isAdmin,
};
return this.mapToIUser(user);
}
async delete(username: string): Promise<boolean> {
@@ -99,10 +106,6 @@ export class UserDaoDbImpl implements UserDao {
async findAdmins(): Promise<IUser[]> {
const users = await this.repository.findAdmins();
return users.map((u) => ({
username: u.username,
password: u.password,
isAdmin: u.isAdmin,
}));
return users.map(this.mapToIUser);
}
}

3
src/db/entities/Server.ts
View File

@@ -59,9 +59,6 @@ export class Server {
@Column({ type: 'simple-json', nullable: true })
oauth?: Record<string, any>;
@Column({ type: 'simple-json', nullable: true })
proxy?: Record<string, any>;
@Column({ type: 'simple-json', nullable: true })
openapi?: Record<string, any>;

3
src/db/entities/SystemConfig.ts
View File

@@ -30,6 +30,9 @@ export class SystemConfig {
@Column({ type: 'simple-json', nullable: true })
oauthServer?: Record<string, any>;
@Column({ name: 'oauth_sso', type: 'simple-json', nullable: true })
oauthSso?: Record<string, any>;
@Column({ type: 'boolean', nullable: true })
enableSessionRebuild?: boolean;

16
src/db/entities/User.ts
View File

@@ -23,6 +23,22 @@ export class User {
@Column({ type: 'boolean', default: false })
isAdmin: boolean;
// OAuth SSO fields
@Column({ name: 'oauth_provider', type: 'varchar', length: 100, nullable: true })
oauthProvider?: string;
@Column({ name: 'oauth_subject', type: 'varchar', length: 255, nullable: true })
oauthSubject?: string;
@Column({ type: 'varchar', length: 255, nullable: true })
email?: string;
@Column({ name: 'display_name', type: 'varchar', length: 255, nullable: true })
displayName?: string;
@Column({ name: 'avatar_url', type: 'text', nullable: true })
avatarUrl?: string;
@CreateDateColumn({ name: 'created_at', type: 'timestamp' })
createdAt: Date;

35
src/db/repositories/ServerRepository.ts
View File

@@ -69,41 +69,6 @@ export class ServerRepository {
return await this.repository.count();
}
/**
* Find servers with pagination
*/
async findAllPaginated(page: number, limit: number): Promise<{ data: Server[]; total: number }> {
const skip = (page - 1) * limit;
const [data, total] = await this.repository.findAndCount({
order: {
enabled: 'DESC', // Enabled servers first
createdAt: 'ASC' // Then by creation time
},
skip,
take: limit,
});
return { data, total };
}
/**
* Find servers by owner with pagination
*/
async findByOwnerPaginated(owner: string, page: number, limit: number): Promise<{ data: Server[]; total: number }> {
const skip = (page - 1) * limit;
const [data, total] = await this.repository.findAndCount({
where: { owner },
order: {
enabled: 'DESC', // Enabled servers first
createdAt: 'ASC' // Then by creation time
},
skip,
take: limit,
});
return { data, total };
}
/**
* Find servers by owner
*/

12
src/routes/index.ts
View File

@@ -112,6 +112,12 @@ import {
updateBearerKey,
deleteBearerKey,
} from '../controllers/bearerKeyController.js';
import {
getOAuthSsoConfig,
initiateOAuthLogin,
handleOAuthCallback as handleOAuthSsoCallback,
listOAuthProviders,
} from '../controllers/oauthSsoController.js';
import { auth } from '../middlewares/auth.js';
const router = express.Router();
@@ -273,6 +279,12 @@ export const initRoutes = (app: express.Application): void => {
changePassword,
);
// OAuth SSO routes (no auth required - these are for logging in)
router.get('/auth/sso/config', getOAuthSsoConfig);
router.get('/auth/sso/providers', listOAuthProviders);
router.get('/auth/sso/:providerId', initiateOAuthLogin);
router.get('/auth/sso/:providerId/callback', handleOAuthSsoCallback);
// Runtime configuration endpoint (no auth required for frontend initialization)
app.get(`${config.basePath}/config`, getRuntimeConfig);

209
src/services/mcpService.ts
View File

@@ -1,6 +1,4 @@
import os from 'os';
import path from 'path';
import fs from 'fs';
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import {
CallToolRequestSchema,
@@ -17,7 +15,7 @@ import {
StreamableHTTPClientTransportOptions,
} from '@modelcontextprotocol/sdk/client/streamableHttp.js';
import { createFetchWithProxy, getProxyConfigFromEnv } from './proxy.js';
import { ServerInfo, ServerConfig, Tool, ProxychainsConfig } from '../types/index.js';
import { ServerInfo, ServerConfig, Tool } from '../types/index.js';
import { expandEnvVars, replaceEnvVars, getNameSeparator } from '../config/index.js';
import config from '../config/index.js';
import { getGroup } from './sseService.js';
@@ -34,150 +32,6 @@ const servers: { [sessionId: string]: Server } = {};
import { setupClientKeepAlive } from './keepAliveService.js';
/**
* Check if proxychains4 is available on the system (Linux/macOS only).
* Returns the path to proxychains4 if found, null otherwise.
*/
const findProxychains4 = (): string | null => {
// Windows is not supported
if (process.platform === 'win32') {
return null;
}
// Common proxychains4 binary paths
const possiblePaths = [
'/usr/bin/proxychains4',
'/usr/local/bin/proxychains4',
'/opt/homebrew/bin/proxychains4', // macOS Homebrew ARM
'/usr/local/Cellar/proxychains-ng/*/bin/proxychains4', // macOS Homebrew Intel
];
for (const p of possiblePaths) {
if (fs.existsSync(p)) {
return p;
}
}
// Try to find in PATH
const pathEnv = process.env.PATH || '';
const pathDirs = pathEnv.split(path.delimiter);
for (const dir of pathDirs) {
const fullPath = path.join(dir, 'proxychains4');
if (fs.existsSync(fullPath)) {
return fullPath;
}
}
return null;
};
/**
* Generate a temporary proxychains4 configuration file.
* Returns the path to the generated config file.
*/
const generateProxychainsConfig = (
serverName: string,
proxyConfig: ProxychainsConfig,
): string | null => {
// If a custom config path is provided, use it directly
if (proxyConfig.configPath) {
if (fs.existsSync(proxyConfig.configPath)) {
return proxyConfig.configPath;
}
console.warn(
`[${serverName}] Custom proxychains config not found: ${proxyConfig.configPath}`,
);
return null;
}
// Validate required fields
if (!proxyConfig.host || !proxyConfig.port) {
console.warn(`[${serverName}] Proxy host and port are required for proxychains4`);
return null;
}
const proxyType = proxyConfig.type || 'socks5';
const proxyLine = proxyConfig.username && proxyConfig.password
? `${proxyType} ${proxyConfig.host} ${proxyConfig.port} ${proxyConfig.username} ${proxyConfig.password}`
: `${proxyType} ${proxyConfig.host} ${proxyConfig.port}`;
const configContent = `# Proxychains4 configuration for MCP server: ${serverName}
# Generated by MCPHub
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
${proxyLine}
`;
// Create temp directory if needed
const tempDir = path.join(os.tmpdir(), 'mcphub-proxychains');
if (!fs.existsSync(tempDir)) {
fs.mkdirSync(tempDir, { recursive: true });
}
// Write config file
const configPath = path.join(tempDir, `${serverName.replace(/[^a-zA-Z0-9-_]/g, '_')}.conf`);
fs.writeFileSync(configPath, configContent, 'utf-8');
console.log(`[${serverName}] Generated proxychains4 config: ${configPath}`);
return configPath;
};
/**
* Wrap a command with proxychains4 if proxy is configured and available.
* Returns modified command and args if proxychains4 is used, original values otherwise.
*/
const wrapWithProxychains = (
serverName: string,
command: string,
args: string[],
proxyConfig?: ProxychainsConfig,
): { command: string; args: string[] } => {
// Skip if proxy is not enabled or not configured
if (!proxyConfig?.enabled) {
return { command, args };
}
// Check platform - Windows is not supported
if (process.platform === 'win32') {
console.warn(
`[${serverName}] proxychains4 proxy is not supported on Windows, ignoring proxy configuration`,
);
return { command, args };
}
// Find proxychains4 binary
const proxychains4Path = findProxychains4();
if (!proxychains4Path) {
console.warn(
`[${serverName}] proxychains4 not found on system, install it with: apt install proxychains4 (Debian/Ubuntu) or brew install proxychains-ng (macOS)`,
);
return { command, args };
}
// Generate or get config file
const configPath = generateProxychainsConfig(serverName, proxyConfig);
if (!configPath) {
console.warn(`[${serverName}] Failed to setup proxychains4 configuration, skipping proxy`);
return { command, args };
}
// Wrap command with proxychains4
console.log(
`[${serverName}] Using proxychains4 proxy: ${proxyConfig.type || 'socks5'}://${proxyConfig.host}:${proxyConfig.port}`,
);
return {
command: proxychains4Path,
args: ['-f', configPath, command, ...args],
};
};
export const initUpstreamServers = async (): Promise<void> => {
// Initialize OAuth clients for servers with dynamic registration
await initializeAllOAuthClients();
@@ -355,19 +209,11 @@ export const createTransportFromConfig = async (name: string, conf: ServerConfig
env['npm_config_registry'] = systemConfig.install.npmRegistry;
}
// Apply proxychains4 wrapper if proxy is configured (Linux/macOS only)
const { command: finalCommand, args: finalArgs } = wrapWithProxychains(
name,
conf.command,
replaceEnvVars(conf.args) as string[],
conf.proxy,
);
// Create STDIO transport with potentially wrapped command
// Expand environment variables in command
transport = new StdioClientTransport({
cwd: os.homedir(),
command: finalCommand,
args: finalArgs,
command: conf.command,
args: replaceEnvVars(conf.args) as string[],
env: env,
stderr: 'pipe',
});
@@ -772,19 +618,9 @@ export const registerAllTools = async (isInit: boolean, serverName?: string): Pr
};
// Get all server information
export const getServersInfo = async (
page?: number,
limit?: number,
user?: any,
): Promise<Omit<ServerInfo, 'client' | 'transport'>[]> => {
export const getServersInfo = async (): Promise<Omit<ServerInfo, 'client' | 'transport'>[]> => {
const allServers: ServerConfigWithName[] = await getServerDao().findAll();
const dataService = getDataService();
// Get paginated or all server configurations from DAO
// If pagination is used with a non-admin user, filtering is already done at DAO level
const isPaginated = limit !== undefined && page !== undefined;
const allServers: ServerConfigWithName[] = isPaginated
? (await getServerDao().findAllPaginated(page, limit)).data
: await getServerDao().findAll();
// Ensure that servers recently added via DAO but not yet initialized in serverInfos
// are still visible in the servers list. This avoids a race condition where
@@ -793,19 +629,10 @@ export const getServersInfo = async (
const combinedServerInfos: ServerInfo[] = [...serverInfos];
const existingNames = new Set(combinedServerInfos.map((s) => s.name));
// Create a set of server names we're interested in (for pagination)
const requestedServerNames = new Set(allServers.map((s) => s.name));
// Filter serverInfos to only include requested servers if pagination is used
const filteredServerInfos = isPaginated
? combinedServerInfos.filter((s) => requestedServerNames.has(s.name))
: combinedServerInfos;
// Add servers from DAO that don't have runtime info yet
for (const server of allServers) {
if (!existingNames.has(server.name)) {
const isEnabled = server.enabled === undefined ? true : server.enabled;
filteredServerInfos.push({
combinedServerInfos.push({
name: server.name,
owner: server.owner,
// Newly created servers that are enabled should appear as "connecting"
@@ -821,16 +648,12 @@ export const getServersInfo = async (
}
}
// Apply user filtering only when NOT using pagination (pagination already filtered at DAO level)
// Or when no pagination parameters provided (backward compatibility)
const shouldApplyUserFilter = !isPaginated;
const filterServerInfos: ServerInfo[] = shouldApplyUserFilter && dataService.filterData
? dataService.filterData(filteredServerInfos, user)
: filteredServerInfos;
const filterServerInfos: ServerInfo[] = dataService.filterData
? dataService.filterData(combinedServerInfos)
: combinedServerInfos;
const infos = filterServerInfos
.filter((info) => requestedServerNames.has(info.name)) // Only include requested servers
.map(({ name, status, tools, prompts, createTime, error, oauth }) => {
const infos = filterServerInfos.map(
({ name, status, tools, prompts, createTime, error, oauth }) => {
const serverConfig = allServers.find((server) => server.name === name);
const enabled = serverConfig ? serverConfig.enabled !== false : true;
@@ -869,8 +692,12 @@ export const getServersInfo = async (
}
: undefined,
};
});
// Sorting is now handled at DAO layer for consistent pagination results
},
);
infos.sort((a, b) => {
if (a.enabled === b.enabled) return 0;
return a.enabled ? -1 : 1;
});
return infos;
};

546
src/services/oauthSsoService.ts Normal file
View File

@@ -0,0 +1,546 @@
/**
* OAuth SSO Service
*
* Handles OAuth 2.0 / OIDC SSO authentication for user login.
* Supports Google, Microsoft, GitHub, and custom OIDC providers.
*/
import * as client from 'openid-client';
import crypto from 'crypto';
import { getSystemConfigDao, getUserDao } from '../dao/index.js';
import { IUser, OAuthSsoProviderConfig, OAuthSsoConfig } from '../types/index.js';
// In-memory store for OAuth state (code verifier, state, etc.)
// NOTE: This implementation uses in-memory storage which is suitable for single-instance deployments.
// For multi-instance/scaled deployments, implement Redis or database-backed state storage
// to ensure OAuth callbacks reach the correct instance where the state was stored.
interface OAuthStateEntry {
codeVerifier: string;
providerId: string;
returnUrl?: string;
createdAt: number;
}
const stateStore = new Map<string, OAuthStateEntry>();
const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
// Cleanup old state entries periodically
let cleanupInterval: ReturnType<typeof setInterval> | null = null;
function startStateCleanup(): void {
if (cleanupInterval) return;
cleanupInterval = setInterval(() => {
const now = Date.now();
for (const [state, entry] of stateStore.entries()) {
if (now - entry.createdAt > STATE_TTL_MS) {
stateStore.delete(state);
}
}
}, 60 * 1000); // Cleanup every minute
}
// Start cleanup on module load
startStateCleanup();
/**
* Stop the state cleanup interval (useful for tests and graceful shutdown)
*/
export function stopStateCleanup(): void {
if (cleanupInterval) {
clearInterval(cleanupInterval);
cleanupInterval = null;
}
}
// GitHub API response types for type safety
interface GitHubUserResponse {
id: number;
login: string;
name?: string;
email?: string;
avatar_url?: string;
}
interface GitHubEmailResponse {
email: string;
primary: boolean;
verified: boolean;
visibility?: string;
}
// Provider configurations cache
const providerConfigsCache = new Map<
string,
{
config: client.Configuration;
provider: OAuthSsoProviderConfig;
}
>();
/**
* Get OAuth SSO configuration from system config
*/
export async function getOAuthSsoConfig(): Promise<OAuthSsoConfig | undefined> {
const systemConfigDao = getSystemConfigDao();
const systemConfig = await systemConfigDao.get();
return systemConfig?.oauthSso;
}
/**
* Check if OAuth SSO is enabled
*/
export async function isOAuthSsoEnabled(): Promise<boolean> {
const config = await getOAuthSsoConfig();
return config?.enabled === true && (config.providers?.length ?? 0) > 0;
}
/**
* Get enabled OAuth SSO providers
*/
export async function getEnabledProviders(): Promise<OAuthSsoProviderConfig[]> {
const config = await getOAuthSsoConfig();
if (!config?.enabled || !config.providers) {
return [];
}
return config.providers.filter((p) => p.enabled !== false);
}
/**
* Get a specific provider by ID
*/
export async function getProviderById(providerId: string): Promise<OAuthSsoProviderConfig | undefined> {
const providers = await getEnabledProviders();
return providers.find((p) => p.id === providerId);
}
/**
* Get default scopes for a provider type
*/
function getDefaultScopes(type: OAuthSsoProviderConfig['type']): string[] {
switch (type) {
case 'google':
return ['openid', 'email', 'profile'];
case 'microsoft':
return ['openid', 'email', 'profile', 'User.Read'];
case 'github':
return ['read:user', 'user:email'];
case 'oidc':
default:
return ['openid', 'email', 'profile'];
}
}
/**
* Get provider discovery URL
*/
function getDiscoveryUrl(provider: OAuthSsoProviderConfig): string | undefined {
if (provider.issuerUrl) {
return provider.issuerUrl;
}
switch (provider.type) {
case 'google':
return 'https://accounts.google.com';
case 'microsoft':
// Using common endpoint for multi-tenant
return 'https://login.microsoftonline.com/common/v2.0';
case 'github':
// GitHub doesn't support OIDC discovery, we'll use explicit endpoints
return undefined;
default:
return undefined;
}
}
/**
* Get explicit OAuth endpoints for providers without OIDC discovery
*/
function getExplicitEndpoints(provider: OAuthSsoProviderConfig): {
authorizationUrl: string;
tokenUrl: string;
userInfoUrl: string;
} | undefined {
if (provider.type === 'github') {
return {
authorizationUrl: provider.authorizationUrl || 'https://github.com/login/oauth/authorize',
tokenUrl: provider.tokenUrl || 'https://github.com/login/oauth/access_token',
userInfoUrl: provider.userInfoUrl || 'https://api.github.com/user',
};
}
// For custom providers with explicit endpoints
if (provider.authorizationUrl && provider.tokenUrl && provider.userInfoUrl) {
return {
authorizationUrl: provider.authorizationUrl,
tokenUrl: provider.tokenUrl,
userInfoUrl: provider.userInfoUrl,
};
}
return undefined;
}
/**
* Initialize and cache openid-client configuration for a provider
*/
async function getClientConfig(
provider: OAuthSsoProviderConfig,
_callbackUrl: string,
): Promise<client.Configuration> {
const cacheKey = provider.id;
const cached = providerConfigsCache.get(cacheKey);
if (cached) {
return cached.config;
}
let config: client.Configuration;
const discoveryUrl = getDiscoveryUrl(provider);
if (discoveryUrl) {
// Use OIDC discovery
config = await client.discovery(new URL(discoveryUrl), provider.clientId, provider.clientSecret);
} else {
// Use explicit endpoints for providers like GitHub
const endpoints = getExplicitEndpoints(provider);
if (!endpoints) {
throw new Error(
`Provider ${provider.id} requires either issuerUrl for OIDC discovery or explicit endpoints`,
);
}
// Create a manual server metadata configuration
const serverMetadata: client.ServerMetadata = {
issuer: provider.issuerUrl || `https://${provider.type}.oauth`,
authorization_endpoint: endpoints.authorizationUrl,
token_endpoint: endpoints.tokenUrl,
userinfo_endpoint: endpoints.userInfoUrl,
};
config = new client.Configuration(serverMetadata, provider.clientId, provider.clientSecret);
}
providerConfigsCache.set(cacheKey, { config, provider });
return config;
}
/**
* Generate the authorization URL for a provider
*/
export async function generateAuthorizationUrl(
providerId: string,
callbackUrl: string,
returnUrl?: string,
): Promise<{ url: string; state: string }> {
const provider = await getProviderById(providerId);
if (!provider) {
throw new Error(`OAuth SSO provider not found: ${providerId}`);
}
const config = await getClientConfig(provider, callbackUrl);
const scopes = provider.scopes || getDefaultScopes(provider.type);
// Generate PKCE code verifier and challenge
const codeVerifier = client.randomPKCECodeVerifier();
const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
// Generate state
const state = crypto.randomBytes(32).toString('base64url');
// Store state for callback verification
stateStore.set(state, {
codeVerifier,
providerId,
returnUrl,
createdAt: Date.now(),
});
// Build authorization URL parameters
const parameters: Record<string, string> = {
redirect_uri: callbackUrl,
scope: scopes.join(' '),
state,
code_challenge: codeChallenge,
code_challenge_method: 'S256',
};
// GitHub-specific: request user email access
if (provider.type === 'github') {
// GitHub doesn't use PKCE, but we'll still store the state
delete parameters.code_challenge;
delete parameters.code_challenge_method;
}
const url = client.buildAuthorizationUrl(config, parameters);
return { url: url.toString(), state };
}
/**
* Exchange authorization code for tokens and user info
*/
export async function handleCallback(
callbackUrl: string,
currentUrl: string,
state: string,
): Promise<{
user: IUser;
isNewUser: boolean;
returnUrl?: string;
}> {
// Verify and retrieve state
const stateEntry = stateStore.get(state);
if (!stateEntry) {
throw new Error('Invalid or expired OAuth state');
}
// Remove used state
stateStore.delete(state);
const provider = await getProviderById(stateEntry.providerId);
if (!provider) {
throw new Error(`OAuth SSO provider not found: ${stateEntry.providerId}`);
}
const config = await getClientConfig(provider, callbackUrl);
// Exchange code for tokens
let tokens: client.TokenEndpointResponse;
if (provider.type === 'github') {
// GitHub doesn't use PKCE
tokens = await client.authorizationCodeGrant(config, new URL(currentUrl), {
expectedState: state,
});
} else {
// OIDC providers with PKCE
tokens = await client.authorizationCodeGrant(config, new URL(currentUrl), {
pkceCodeVerifier: stateEntry.codeVerifier,
expectedState: state,
});
}
// Get user info
const userInfo = await getUserInfo(provider, config, tokens);
// Find or create user
const { user, isNewUser } = await findOrCreateUser(provider, userInfo);
return {
user,
isNewUser,
returnUrl: stateEntry.returnUrl,
};
}
/**
* Fetch user info from the provider
*/
async function getUserInfo(
provider: OAuthSsoProviderConfig,
config: client.Configuration,
tokens: client.TokenEndpointResponse,
): Promise<{
sub: string;
email?: string;
name?: string;
picture?: string;
groups?: string[];
roles?: string[];
[key: string]: unknown;
}> {
if (provider.type === 'github') {
// GitHub uses a different API for user info
const response = await fetch('https://api.github.com/user', {
headers: {
Authorization: `Bearer ${tokens.access_token}`,
Accept: 'application/json',
},
});
if (!response.ok) {
throw new Error(`Failed to fetch GitHub user info: ${response.statusText}`);
}
const data = (await response.json()) as GitHubUserResponse;
// Fetch email separately if not public
let email = data.email;
if (!email) {
const emailResponse = await fetch('https://api.github.com/user/emails', {
headers: {
Authorization: `Bearer ${tokens.access_token}`,
Accept: 'application/json',
},
});
if (emailResponse.ok) {
const emails = (await emailResponse.json()) as GitHubEmailResponse[];
const primaryEmail = emails.find((e) => e.primary);
email = primaryEmail?.email || emails[0]?.email;
}
}
return {
sub: String(data.id),
email,
name: data.name || data.login,
picture: data.avatar_url,
};
}
// Standard OIDC userinfo endpoint
const userInfoResponse = await client.fetchUserInfo(config, tokens.access_token!, client.skipSubjectCheck);
return {
sub: userInfoResponse.sub,
email: userInfoResponse.email as string | undefined,
name: userInfoResponse.name as string | undefined,
picture: userInfoResponse.picture as string | undefined,
groups: userInfoResponse.groups as string[] | undefined,
roles: userInfoResponse.roles as string[] | undefined,
};
}
/**
* Find existing user or create new one based on OAuth profile
*/
async function findOrCreateUser(
provider: OAuthSsoProviderConfig,
userInfo: {
sub: string;
email?: string;
name?: string;
picture?: string;
groups?: string[];
roles?: string[];
[key: string]: unknown;
},
): Promise<{ user: IUser; isNewUser: boolean }> {
const userDao = getUserDao();
// Generate a unique username based on provider and subject
const oauthUsername = `${provider.id}:${userInfo.sub}`;
// Try to find existing user by OAuth identity
let user = await userDao.findByUsername(oauthUsername);
if (user) {
// Update user info if changed
const updates: Partial<IUser> = {};
if (userInfo.email && userInfo.email !== user.email) {
updates.email = userInfo.email;
}
if (userInfo.name && userInfo.name !== user.displayName) {
updates.displayName = userInfo.name;
}
if (userInfo.picture && userInfo.picture !== user.avatarUrl) {
updates.avatarUrl = userInfo.picture;
}
// Check admin status based on claims
const isAdmin = checkAdminClaim(provider, userInfo);
if (isAdmin !== user.isAdmin) {
updates.isAdmin = isAdmin;
}
if (Object.keys(updates).length > 0) {
await userDao.update(oauthUsername, updates);
user = { ...user, ...updates };
}
return { user, isNewUser: false };
}
// Check if auto-provisioning is enabled
if (provider.autoProvision === false) {
throw new Error(
`User not found and auto-provisioning is disabled for provider: ${provider.name}`,
);
}
// Create new user
const isAdmin = checkAdminClaim(provider, userInfo) || provider.defaultAdmin === true;
// Generate a random password for OAuth users (they won't use it)
const randomPassword = crypto.randomBytes(32).toString('hex');
const newUser = await userDao.createWithHashedPassword(oauthUsername, randomPassword, isAdmin);
// Update with OAuth-specific fields
const updatedUser = await userDao.update(oauthUsername, {
oauthProvider: provider.id,
oauthSubject: userInfo.sub,
email: userInfo.email,
displayName: userInfo.name,
avatarUrl: userInfo.picture,
});
return { user: updatedUser || newUser, isNewUser: true };
}
/**
* Check if user should be granted admin based on provider claims
*/
function checkAdminClaim(
provider: OAuthSsoProviderConfig,
userInfo: { groups?: string[]; roles?: string[]; [key: string]: unknown },
): boolean {
if (!provider.adminClaim || !provider.adminClaimValues?.length) {
return false;
}
const claimValue = userInfo[provider.adminClaim];
if (!claimValue) {
return false;
}
// Handle array claims (groups, roles)
if (Array.isArray(claimValue)) {
return claimValue.some((v) => provider.adminClaimValues!.includes(String(v)));
}
// Handle string claims
return provider.adminClaimValues.includes(String(claimValue));
}
/**
* Get public provider info for frontend
*/
export async function getPublicProviderInfo(): Promise<
Array<{
id: string;
name: string;
type: string;
icon?: string;
buttonText?: string;
}>
> {
const providers = await getEnabledProviders();
return providers.map((p) => ({
id: p.id,
name: p.name,
type: p.type,
icon: p.icon || p.type,
buttonText: p.buttonText,
}));
}
/**
* Check if local auth is allowed
*/
export async function isLocalAuthAllowed(): Promise<boolean> {
const config = await getOAuthSsoConfig();
// Default to true if not configured or SSO is disabled
if (!config?.enabled) {
return true;
}
return config.allowLocalAuth !== false;
}
/**
* Clear provider configuration cache
*/
export function clearProviderCache(): void {
providerConfigsCache.clear();
}

57
src/types/index.ts
View File

@@ -10,6 +10,12 @@ export interface IUser {
username: string;
password: string;
isAdmin?: boolean;
// OAuth SSO fields
oauthProvider?: string; // OAuth provider ID (e.g., 'google', 'microsoft', 'github')
oauthSubject?: string; // OAuth subject (unique user ID from provider)
email?: string; // User email (from OAuth profile)
displayName?: string; // Display name (from OAuth profile)
avatarUrl?: string; // Avatar URL (from OAuth profile)
}
// Group interface for server grouping
@@ -124,6 +130,43 @@ export interface MCPRouterCallToolResponse {
isError: boolean;
}
// OAuth SSO Provider Configuration for user authentication
export type OAuthSsoProviderType = 'google' | 'microsoft' | 'github' | 'oidc';
export interface OAuthSsoProviderConfig {
id: string; // Unique identifier for this provider (e.g., 'google', 'my-company-sso')
type: OAuthSsoProviderType; // Provider type
name: string; // Display name (e.g., 'Google', 'Microsoft', 'Company SSO')
enabled?: boolean; // Whether this provider is enabled (default: true)
clientId: string; // OAuth client ID
clientSecret: string; // OAuth client secret
// For OIDC providers, discovery URL or explicit endpoints
issuerUrl?: string; // OIDC issuer URL for auto-discovery (e.g., 'https://accounts.google.com')
// Explicit endpoints (optional, can be auto-discovered for OIDC)
authorizationUrl?: string; // OAuth authorization endpoint
tokenUrl?: string; // OAuth token endpoint
userInfoUrl?: string; // OAuth userinfo endpoint
// Scope configuration
scopes?: string[]; // OAuth scopes to request (default varies by provider)
// Role/admin mapping
adminClaim?: string; // Claim name to check for admin role (e.g., 'groups', 'roles')
adminClaimValues?: string[]; // Values that grant admin access (e.g., ['admin', 'mcphub-admins'])
// Auto-provisioning options
autoProvision?: boolean; // Auto-create users on first login (default: true)
defaultAdmin?: boolean; // Whether auto-provisioned users are admins by default (default: false)
// UI options
icon?: string; // Icon identifier for UI (e.g., 'google', 'microsoft', 'github', 'key')
buttonText?: string; // Custom button text (e.g., 'Sign in with Google')
}
// OAuth SSO configuration in SystemConfig
export interface OAuthSsoConfig {
enabled?: boolean; // Enable/disable OAuth SSO globally
providers?: OAuthSsoProviderConfig[]; // List of configured SSO providers
allowLocalAuth?: boolean; // Allow local username/password auth alongside SSO (default: true)
callbackBaseUrl?: string; // Base URL for OAuth callbacks (auto-detected if not set)
}
// OAuth Provider Configuration for MCP Authorization Server
export interface OAuthProviderConfig {
enabled?: boolean; // Enable/disable OAuth provider
@@ -172,6 +215,7 @@ export interface SystemConfig {
nameSeparator?: string; // Separator used between server name and tool/prompt name (default: '-')
oauth?: OAuthProviderConfig; // OAuth provider configuration for upstream MCP servers
oauthServer?: OAuthServerConfig; // OAuth authorization server configuration for MCPHub itself
oauthSso?: OAuthSsoConfig; // OAuth SSO configuration for user authentication
enableSessionRebuild?: boolean; // Controls whether server session rebuild is enabled
}
@@ -270,17 +314,6 @@ export interface McpSettings {
bearerKeys?: BearerKey[]; // Bearer authentication keys (multi-key configuration)
}
// Proxychains4 configuration for STDIO servers (Linux/macOS only)
export interface ProxychainsConfig {
enabled?: boolean; // Enable/disable proxychains4 proxy routing
type?: 'socks4' | 'socks5' | 'http'; // Proxy protocol type
host?: string; // Proxy server hostname or IP address
port?: number; // Proxy server port
username?: string; // Proxy authentication username (optional)
password?: string; // Proxy authentication password (optional)
configPath?: string; // Path to custom proxychains4 configuration file (optional, overrides above settings)
}
// Configuration details for an individual server
export interface ServerConfig {
type?: 'stdio' | 'sse' | 'streamable-http' | 'openapi'; // Type of server
@@ -296,8 +329,6 @@ export interface ServerConfig {
tools?: Record<string, { enabled: boolean; description?: string }>; // Tool-specific configurations with enable/disable state and custom descriptions
prompts?: Record<string, { enabled: boolean; description?: string }>; // Prompt-specific configurations with enable/disable state and custom descriptions
options?: Partial<Pick<RequestOptions, 'timeout' | 'resetTimeoutOnProgress' | 'maxTotalTimeout'>>; // MCP request options configuration
// Proxychains4 proxy configuration for STDIO servers (Linux/macOS only, Windows not supported)
proxy?: ProxychainsConfig;
// OAuth authentication for upstream MCP servers
oauth?: {
// Static client configuration (traditional OAuth flow)

6
src/utils/migration.ts
View File

@@ -46,6 +46,11 @@ export async function migrateToDatabase(): Promise<boolean> {
username: user.username,
password: user.password,
isAdmin: user.isAdmin || false,
oauthProvider: user.oauthProvider,
oauthSubject: user.oauthSubject,
email: user.email,
displayName: user.displayName,
avatarUrl: user.avatarUrl,
});
console.log(` - Created user: ${user.username}`);
} else {
@@ -116,6 +121,7 @@ export async function migrateToDatabase(): Promise<boolean> {
nameSeparator: settings.systemConfig.nameSeparator,
oauth: settings.systemConfig.oauth || {},
oauthServer: settings.systemConfig.oauthServer || {},
oauthSso: settings.systemConfig.oauthSso || {},
enableSessionRebuild: settings.systemConfig.enableSessionRebuild,
};
await systemConfigRepo.update(systemConfig);

235
tests/services/oauthSsoService.test.ts Normal file
View File

@@ -0,0 +1,235 @@
// Mock openid-client before importing services
jest.mock('openid-client', () => ({
discovery: jest.fn(),
Configuration: jest.fn(),
randomPKCECodeVerifier: jest.fn(() => 'test-verifier'),
calculatePKCECodeChallenge: jest.fn(() => Promise.resolve('test-challenge')),
buildAuthorizationUrl: jest.fn(() => new URL('https://example.com/authorize')),
authorizationCodeGrant: jest.fn(),
fetchUserInfo: jest.fn(),
skipSubjectCheck: Symbol('skipSubjectCheck'),
}));
// Mock the DAO module
jest.mock('../../src/dao/index.js', () => ({
getSystemConfigDao: jest.fn(),
getUserDao: jest.fn(),
}));
import * as daoModule from '../../src/dao/index.js';
import {
isOAuthSsoEnabled,
getEnabledProviders,
getProviderById,
isLocalAuthAllowed,
getPublicProviderInfo,
clearProviderCache,
stopStateCleanup,
} from '../../src/services/oauthSsoService.js';
describe('OAuth SSO Service', () => {
const mockGetSystemConfigDao = daoModule.getSystemConfigDao as jest.MockedFunction<
typeof daoModule.getSystemConfigDao
>;
const mockGetUserDao = daoModule.getUserDao as jest.MockedFunction<typeof daoModule.getUserDao>;
// Stop the cleanup interval to prevent Jest from hanging
afterAll(() => {
stopStateCleanup();
});
const defaultSsoConfig = {
enabled: true,
allowLocalAuth: true,
providers: [
{
id: 'google',
type: 'google' as const,
name: 'Google',
enabled: true,
clientId: 'test-client-id',
clientSecret: 'test-client-secret',
scopes: ['openid', 'email', 'profile'],
},
{
id: 'github',
type: 'github' as const,
name: 'GitHub',
enabled: true,
clientId: 'test-github-client',
clientSecret: 'test-github-secret',
},
{
id: 'disabled-provider',
type: 'oidc' as const,
name: 'Disabled',
enabled: false,
clientId: 'disabled-client',
clientSecret: 'disabled-secret',
},
],
};
beforeEach(() => {
jest.clearAllMocks();
clearProviderCache();
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: defaultSsoConfig,
}),
} as any);
mockGetUserDao.mockReturnValue({
findByUsername: jest.fn().mockResolvedValue(null),
createWithHashedPassword: jest.fn().mockResolvedValue({
username: 'google:12345',
password: 'hashed',
isAdmin: false,
}),
update: jest.fn().mockImplementation((username: string, data: any) =>
Promise.resolve({
username,
password: 'hashed',
isAdmin: false,
...data,
})
),
} as any);
});
describe('isOAuthSsoEnabled', () => {
it('should return true when OAuth SSO is enabled with providers', async () => {
const enabled = await isOAuthSsoEnabled();
expect(enabled).toBe(true);
});
it('should return false when OAuth SSO is disabled', async () => {
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: { ...defaultSsoConfig, enabled: false },
}),
} as any);
const enabled = await isOAuthSsoEnabled();
expect(enabled).toBe(false);
});
it('should return false when no providers are configured', async () => {
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: { ...defaultSsoConfig, providers: [] },
}),
} as any);
const enabled = await isOAuthSsoEnabled();
expect(enabled).toBe(false);
});
});
describe('getEnabledProviders', () => {
it('should return only enabled providers', async () => {
const providers = await getEnabledProviders();
expect(providers).toHaveLength(2);
expect(providers.map((p) => p.id)).toContain('google');
expect(providers.map((p) => p.id)).toContain('github');
expect(providers.map((p) => p.id)).not.toContain('disabled-provider');
});
it('should return empty array when SSO is disabled', async () => {
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: { ...defaultSsoConfig, enabled: false },
}),
} as any);
const providers = await getEnabledProviders();
expect(providers).toHaveLength(0);
});
});
describe('getProviderById', () => {
it('should return the correct provider by ID', async () => {
const provider = await getProviderById('google');
expect(provider).toBeDefined();
expect(provider?.id).toBe('google');
expect(provider?.type).toBe('google');
expect(provider?.name).toBe('Google');
});
it('should return undefined for non-existent provider', async () => {
const provider = await getProviderById('non-existent');
expect(provider).toBeUndefined();
});
it('should return undefined for disabled provider', async () => {
const provider = await getProviderById('disabled-provider');
expect(provider).toBeUndefined();
});
});
describe('isLocalAuthAllowed', () => {
it('should return true when local auth is allowed', async () => {
const allowed = await isLocalAuthAllowed();
expect(allowed).toBe(true);
});
it('should return false when local auth is disabled', async () => {
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: { ...defaultSsoConfig, allowLocalAuth: false },
}),
} as any);
const allowed = await isLocalAuthAllowed();
expect(allowed).toBe(false);
});
it('should return true when SSO is disabled (fallback)', async () => {
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: undefined,
}),
} as any);
const allowed = await isLocalAuthAllowed();
expect(allowed).toBe(true);
});
});
describe('getPublicProviderInfo', () => {
it('should return public info for enabled providers only', async () => {
const info = await getPublicProviderInfo();
expect(info).toHaveLength(2);
const googleInfo = info.find((p) => p.id === 'google');
expect(googleInfo).toBeDefined();
expect(googleInfo?.name).toBe('Google');
expect(googleInfo?.type).toBe('google');
expect(googleInfo?.icon).toBe('google');
// Ensure sensitive data is not exposed
expect((googleInfo as any)?.clientSecret).toBeUndefined();
expect((googleInfo as any)?.clientId).toBeUndefined();
});
it('should include buttonText when specified', async () => {
mockGetSystemConfigDao.mockReturnValue({
get: jest.fn().mockResolvedValue({
oauthSso: {
...defaultSsoConfig,
providers: [
{
...defaultSsoConfig.providers[0],
buttonText: 'Login with Google',
},
],
},
}),
} as any);
const info = await getPublicProviderInfo();
expect(info[0].buttonText).toBe('Login with Google');
});
});
});