test(oauth): Complete headless MCP auth fixture#847
Draft
dcramer wants to merge 4 commits into
Draft
Conversation
Exercise registered client identity, browser-issued PKCE grants, rotating refresh families, scope boundaries, and interleaved flows through the shared MSW integration server. Keep captured protocol diagnostics secret-free and require callback tests to traverse the real authorization endpoint. Refs #838 Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Route generic and MCP callback pages through one response policy that disables caching and referrers and applies restrictive CSP and content-type protections. Preserve the existing success guidance without duplicating callback copy. Refs #842 Co-Authored-By: GPT-5 Codex <noreply@openai.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ca97bb8. Configure here.
This reverts commit ca97bb8. Reason: Keep the OAuth test-foundation PR headless and test-only. Track callback response hardening separately from the mock authorization server. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Keep the shared OAuth fixture focused on product integration behavior. Remove the harness-only integration suite and unused concurrency and refresh machinery while retaining headless DCR, state, PKCE, code exchange, and callback coverage. Refs #838 Co-Authored-By: GPT-5 Codex <noreply@openai.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Extends the existing MCP OAuth MSW fixture just enough for Junior's product integrations to stop injecting a magic authorization code. The fixture now performs a headless DCR and authorization transition, preserves state, validates the exact callback URI and S256 PKCE verifier, and issues the token consumed by the resumed MCP request.
The existing callback and Slack runtime integrations traverse that fixture directly. There is no separate test suite for the fixture, no production OAuth code, and no refresh or concurrency simulation until a production behavior test requires it.
Refs #838