added tests, made oauth mcp servers workspace scoped

Author: waleedlatif1

apps/sim/app/api/mcp/oauth/callback/route.ts

@@ -94,20 +94,23 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
 
     const preregistered = await loadPreregisteredClient(server.id)
     const provider = new SimMcpOauthProvider({ row, preregistered })
-    const result = await mcpAuth(provider, {
-      serverUrl: server.url,
-      authorizationCode: code,
-    })
-
-    await clearVerifier(row.id)
+    let result: Awaited<ReturnType<typeof mcpAuth>>
+    try {
+      result = await mcpAuth(provider, {
+        serverUrl: server.url,
+        authorizationCode: code,
+      })
+    } finally {
+      await clearVerifier(row.id)
+    }
 
     if (result !== 'AUTHORIZED') {
       return htmlClose('Authorization did not complete.', false, server.id)
     }
 
     try {
       await mcpService.clearCache(server.workspaceId)
-      await mcpService.discoverServerTools(row.userId, server.id, server.workspaceId)
+      await mcpService.discoverServerTools(session.user.id, server.id, server.workspaceId)
     } catch (e) {
       logger.warn('Post-auth tools refresh failed', toError(e).message)
     }

apps/sim/app/api/mcp/oauth/start/route.test.ts

@@ -0,0 +1,152 @@
+/**
+ * @vitest-environment node
+ */
+import {
+  dbChainMock,
+  dbChainMockFns,
+  hybridAuthMock,
+  hybridAuthMockFns,
+  permissionsMock,
+  permissionsMockFns,
+  resetDbChainMock,
+  schemaMock,
+} from '@sim/testing'
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const {
+  mockMcpAuth,
+  mockGetOrCreateOauthRow,
+  mockLoadPreregisteredClient,
+  mockSetOauthRowUser,
+  MockMcpOauthRedirectRequired,
+} = vi.hoisted(() => ({
+  mockMcpAuth: vi.fn(),
+  mockGetOrCreateOauthRow: vi.fn(),
+  mockLoadPreregisteredClient: vi.fn(),
+  mockSetOauthRowUser: vi.fn(),
+  MockMcpOauthRedirectRequired: class MockMcpOauthRedirectRequired extends Error {
+    constructor(public readonly authorizationUrl: string) {
+      super('redirect required')
+    }
+  },
+}))
+
+vi.mock('@sim/db', () => dbChainMock)
+vi.mock('@sim/db/schema', () => schemaMock)
+vi.mock('drizzle-orm', () => ({
+  and: vi.fn(),
+  eq: vi.fn(),
+  isNull: vi.fn(),
+}))
+vi.mock('@modelcontextprotocol/sdk/client/auth.js', () => ({
+  auth: mockMcpAuth,
+}))
+vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)
+vi.mock('@/lib/workspaces/permissions/utils', () => permissionsMock)
+vi.mock('@/lib/mcp/oauth', () => ({
+  getOrCreateOauthRow: mockGetOrCreateOauthRow,
+  loadPreregisteredClient: mockLoadPreregisteredClient,
+  McpOauthRedirectRequired: MockMcpOauthRedirectRequired,
+  setOauthRowUser: mockSetOauthRowUser,
+  SimMcpOauthProvider: vi.fn().mockImplementation((value) => value),
+}))
+
+import { GET } from './route'
+
+describe('MCP OAuth start route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    resetDbChainMock()
+    hybridAuthMockFns.mockCheckSessionOrInternalAuth.mockResolvedValue({
+      success: true,
+      userId: 'user-2',
+      userName: 'User Two',
+      userEmail: 'user2@example.com',
+      authType: 'session',
+    })
+    permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue('write')
+    dbChainMockFns.limit.mockResolvedValue([
+      {
+        id: 'server-1',
+        name: 'Exa',
+        url: 'https://mcp.exa.ai/mcp',
+        workspaceId: 'workspace-1',
+        authType: 'oauth',
+        deletedAt: null,
+      },
+    ])
+    mockGetOrCreateOauthRow.mockResolvedValue({
+      id: 'oauth-row-1',
+      mcpServerId: 'server-1',
+      userId: 'user-1',
+      workspaceId: 'workspace-1',
+      clientInformation: null,
+      tokens: null,
+      codeVerifier: null,
+      state: null,
+      updatedAt: new Date(),
+    })
+    mockLoadPreregisteredClient.mockResolvedValue(undefined)
+    mockMcpAuth.mockRejectedValue(new MockMcpOauthRedirectRequired('https://mcp.exa.ai/authorize'))
+  })
+
+  it('requires workspace write permission via MCP auth middleware', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/mcp/oauth/start?workspaceId=workspace-1&serverId=server-1'
+    )
+
+    await GET(request)
+
+    expect(permissionsMockFns.mockGetUserEntityPermissions).toHaveBeenCalledWith(
+      'user-2',
+      'workspace',
+      'workspace-1'
+    )
+  })
+
+  it('uses a workspace-scoped OAuth row and stamps the latest authorizing user', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/mcp/oauth/start?workspaceId=workspace-1&serverId=server-1'
+    )
+
+    const response = await GET(request)
+    const body = await response.json()
+
+    expect(response.status).toBe(200)
+    expect(body).toEqual({
+      status: 'redirect',
+      authorizationUrl: 'https://mcp.exa.ai/authorize',
+    })
+    expect(mockGetOrCreateOauthRow).toHaveBeenCalledWith({
+      mcpServerId: 'server-1',
+      userId: 'user-2',
+      workspaceId: 'workspace-1',
+    })
+    expect(mockSetOauthRowUser).toHaveBeenCalledWith('oauth-row-1', 'user-2')
+  })
+
+  it('rejects a second user starting OAuth while another authorization is active', async () => {
+    mockGetOrCreateOauthRow.mockResolvedValueOnce({
+      id: 'oauth-row-1',
+      mcpServerId: 'server-1',
+      userId: 'user-1',
+      workspaceId: 'workspace-1',
+      clientInformation: null,
+      tokens: null,
+      codeVerifier: null,
+      state: 'hashed-active-state',
+      updatedAt: new Date(),
+    })
+    const request = new NextRequest(
+      'http://localhost:3000/api/mcp/oauth/start?workspaceId=workspace-1&serverId=server-1'
+    )
+
+    const response = await GET(request)
+    const body = await response.json()
+
+    expect(response.status).toBe(409)
+    expect(body.error).toBe('OAuth authorization already in progress for this server')
+    expect(mockMcpAuth).not.toHaveBeenCalled()
+  })
+})

apps/sim/app/api/mcp/oauth/start/route.ts

@@ -15,10 +15,12 @@ import {
   loadPreregisteredClient,
   McpOauthRedirectRequired,
   SimMcpOauthProvider,
+  setOauthRowUser,
 } from '@/lib/mcp/oauth'
 import { createMcpErrorResponse } from '@/lib/mcp/utils'
 
 const logger = createLogger('McpOauthStartAPI')
+const OAUTH_START_TTL_MS = 10 * 60 * 1000
 
 export const dynamic = 'force-dynamic'
 
@@ -64,6 +66,18 @@ export const GET = withRouteHandler(
         userId,
         workspaceId,
       })
+      const hasActiveFlow = !!row.state && row.updatedAt.getTime() > Date.now() - OAUTH_START_TTL_MS
+      if (hasActiveFlow && row.userId && row.userId !== userId) {
+        return createMcpErrorResponse(
+          new Error('OAuth authorization already in progress'),
+          'OAuth authorization already in progress for this server',
+          409
+        )
+      }
+      if (row.userId !== userId) {
+        await setOauthRowUser(row.id, userId)
+        row.userId = userId
+      }
       const preregistered = await loadPreregisteredClient(server.id)
       const provider = new SimMcpOauthProvider({ row, preregistered })
 

apps/sim/app/api/mcp/tools/discover/route.ts

@@ -1,11 +1,12 @@
+import { UnauthorizedError } from '@modelcontextprotocol/sdk/client/auth.js'
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { mcpToolDiscoveryQuerySchema, refreshMcpToolsBodySchema } from '@/lib/api/contracts/mcp'
 import { validationErrorResponse } from '@/lib/api/server'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpService } from '@/lib/mcp/service'
-import type { McpToolDiscoveryResponse } from '@/lib/mcp/types'
+import { McpOauthAuthorizationRequiredError, type McpToolDiscoveryResponse } from '@/lib/mcp/types'
 import { categorizeError, createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
 
 const logger = createLogger('McpToolDiscoveryAPI')
@@ -46,6 +47,12 @@ export const GET = withRouteHandler(
       )
       return createMcpSuccessResponse(responseData)
     } catch (error) {
+      if (
+        error instanceof McpOauthAuthorizationRequiredError ||
+        error instanceof UnauthorizedError
+      ) {
+        return createMcpErrorResponse(error, 'OAuth re-authorization required', 401)
+      }
       logger.error(`[${requestId}] Error discovering MCP tools:`, error)
       const { message, status } = categorizeError(error)
       return createMcpErrorResponse(new Error(message), 'Failed to discover MCP tools', status)
@@ -100,6 +107,12 @@ export const POST = withRouteHandler(
         },
       })
     } catch (error) {
+      if (
+        error instanceof McpOauthAuthorizationRequiredError ||
+        error instanceof UnauthorizedError
+      ) {
+        return createMcpErrorResponse(error, 'OAuth re-authorization required', 401)
+      }
       logger.error(`[${requestId}] Error refreshing tool discovery:`, error)
       const { message, status } = categorizeError(error)
       return createMcpErrorResponse(new Error(message), 'Failed to refresh tool discovery', status)

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/components/form-field/form-field.tsx

@@ -9,7 +9,7 @@ interface FormFieldProps {
 export function FormField({ label, children, optional }: FormFieldProps) {
   return (
     <div className='flex items-center justify-between gap-3'>
-      <Label className='w-[100px] shrink-0 font-medium text-[var(--text-secondary)] text-sm'>
+      <Label className='w-[116px] shrink-0 font-medium text-[var(--text-secondary)] text-sm'>
         {label}
         {optional && (
           <span className='ml-1 font-normal text-[var(--text-muted)] text-xs'>(optional)</span>

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/components/mcp-server-form-modal/mcp-server-form-modal.tsx

@@ -12,6 +12,7 @@ import {
   ModalContent,
   ModalFooter,
   ModalHeader,
+  SecretInput,
   Textarea,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
@@ -617,9 +618,9 @@ export function McpServerFormModal({
 
   return (
     <Modal open={open} onOpenChange={onOpenChange}>
-      <ModalContent>
-        <ModalHeader>{title}</ModalHeader>
-        <ModalBody>
+      <ModalContent size='lg' className='max-h-[82vh]'>
+        <ModalHeader className='border-[var(--border)] border-b pb-3'>{title}</ModalHeader>
+        <ModalBody className='min-h-0 px-4 pt-4 pb-4'>
           {formMode === 'json' ? (
             <div className='flex flex-col gap-2'>
               <Textarea
@@ -631,12 +632,28 @@ export function McpServerFormModal({
                   if (testResult) clearTestResult()
                   if (submitError) setSubmitError(null)
                 }}
-                className='min-h-[200px] font-mono text-small'
+                className='min-h-[280px] font-mono text-small leading-5'
               />
               {jsonError && <p className='text-[var(--text-error)] text-caption'>{jsonError}</p>}
             </div>
           ) : (
-            <div className='flex flex-col gap-2'>
+            <div className='flex flex-col gap-3'>
+              <input
+                type='text'
+                name='fakeusernameremembered'
+                autoComplete='username'
+                style={{ position: 'absolute', left: '-9999px', opacity: 0, pointerEvents: 'none' }}
+                tabIndex={-1}
+                readOnly
+              />
+              <input
+                type='password'
+                name='fakepasswordremembered'
+                autoComplete='current-password'
+                style={{ position: 'absolute', left: '-9999px', opacity: 0, pointerEvents: 'none' }}
+                tabIndex={-1}
+                readOnly
+              />
               <FormField label='Server Name'>
                 <EmcnInput
                   placeholder='e.g., My MCP Server'
@@ -675,8 +692,7 @@ export function McpServerFormModal({
                 )}
               </FormField>
 
-              <div className='flex flex-col gap-2'>
-                <span className='font-medium text-[var(--text-secondary)] text-small'>Headers</span>
+              <FormField label='Headers'>
                 <div className='flex max-h-[140px] flex-col gap-2 overflow-y-auto'>
                   {(formData.headers || []).map((header, index) => (
                     <HeaderRow
@@ -698,7 +714,7 @@ export function McpServerFormModal({
                     />
                   ))}
                 </div>
-              </div>
+              </FormField>
 
               <Button
                 type='button'
@@ -715,10 +731,16 @@ export function McpServerFormModal({
               </Button>
               {showAdvanced && (
                 <div className='flex flex-col gap-2'>
-                  <FormField label='OAuth Client ID (optional)'>
+                  <FormField label='Client ID'>
                     <EmcnInput
-                      placeholder='Pre-registered client ID'
+                      placeholder='OAuth Client ID (optional)'
                       value={formData.oauthClientId || ''}
+                      name='mcp_oauth_client_id'
+                      autoComplete='off'
+                      autoCorrect='off'
+                      autoCapitalize='off'
+                      data-lpignore='true'
+                      data-form-type='other'
                       onChange={(e) => {
                         if (testResult) clearTestResult()
                         if (submitError) setSubmitError(null)
@@ -727,16 +749,21 @@ export function McpServerFormModal({
                       className='h-9'
                     />
                   </FormField>
-                  <FormField label='OAuth Client Secret (optional)'>
-                    <EmcnInput
-                      type='password'
-                      placeholder='Pre-registered client secret'
+                  <FormField label='Client Secret'>
+                    <SecretInput
+                      placeholder='OAuth Client Secret (optional)'
                       value={formData.oauthClientSecret || ''}
-                      onChange={(e) => {
+                      name='mcp_oauth_client_secret'
+                      autoComplete='new-password'
+                      autoCorrect='off'
+                      autoCapitalize='off'
+                      data-lpignore='true'
+                      data-form-type='other'
+                      onChange={(value) => {
                         if (testResult) clearTestResult()
                         if (submitError) setSubmitError(null)
                         setOauthClientSecretTouched(true)
-                        setFormData((prev) => ({ ...prev, oauthClientSecret: e.target.value }))
+                        setFormData((prev) => ({ ...prev, oauthClientSecret: value }))
                       }}
                       className='h-9'
                     />
@@ -749,9 +776,9 @@ export function McpServerFormModal({
             </div>
           )}
         </ModalBody>
-        <ModalFooter>
+        <ModalFooter className='flex-col items-stretch gap-2'>
           {submitError && (
-            <p className='mb-2 w-full text-[var(--text-error)] text-small'>{submitError}</p>
+            <p className='w-full text-[var(--text-error)] text-small'>{submitError}</p>
           )}
           <div className='flex w-full items-center justify-between'>
             <div className='flex items-center gap-2'>