feat(auth): login self-heal, logout, status, OAuth best practices#73
feat(auth): login self-heal, logout, status, OAuth best practices#73sVIKs wants to merge 1 commit into
Conversation
login now self-diagnoses before opening a browser: it verifies ACCOUNT_URL against the gateway's public config (saUrl — works for cloud and on-prem) and self-heals .env when a sibling tool sharing the file overwrote it, reporting what was fixed. OAuth failures explain what to check and include the authorization URL for a manual retry; the callback wait honours client cancellation. New tools: logout (removes ACCESS_TOKEN with a .env.bak backup first, warns about the shared .env) and status (no-side-effect diagnosis of environment, token state and .env path; probe=true checks ACCOUNT_URL against the gateway). OAuth hardening per OAuth 2.1 / RFC 8414 / RFC 8252: endpoint discovery via /.well-known/oauth-authorization-server with a conventional-path fallback, silent refresh_token renewal validated by one authenticated papi call before being trusted, ACCOUNT_URL scheme validation, bounded token requests, standard access_token accepted, and token-endpoint bodies never echoed into error messages. Tests run in a sandboxed SIMULATOR_WORK_DIR via TestMain so a suite run can never touch a real .env.
AI ReviewAdds OAuth 2.1/RFC 8414 hardening to the simulator MCP server: Checklist
Issues found[error] U4 — Wrong base branch [warning] U6 — tr := &http.Transport{}
if insecure {
tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
}
resp, err := (&http.Client{Timeout: 15 * time.Second, Transport: tr}).Do(req)This duplicates [warning] S3 — [warning] S6 —
This review was generated automatically. A human maintainer should still make the merge decision. |
What
Self-diagnosing, self-healing auth for the simulator MCP server, plus OAuth 2.1 / RFC 8414 / RFC 8252 alignment. Sibling PR on the corezoid plugin: sVIKs/corezoid-ai-plugin PR #69 (shared
.envsemantics are coordinated).login self-heals ACCOUNT_URL
The
.envkeys are shared with the corezoid plugin; a sibling tool can overwriteACCOUNT_URLwith a host that serves no OAuth endpoints (field incident: the browser opened the admin dashboard and login died silently).loginnow asks the chosen gateway's public config for its declared account service (saUrl— works for cloud and on-prem) before opening a browser, corrects.envon mismatch, and reports what was fixed. Failures explain what to check and show the consent URL that was used.New tools
logout— removesACCESS_TOKEN/REFRESH_TOKENwith a.env.bakbackup first (backup failure aborts), warns about the shared.env.status— no-side-effect diagnosis: environment, token state,.envpath;probe=trueverifiesACCOUNT_URLagainst the gateway.OAuth hardening (verified against the live account service)
/.well-known/oauth-authorization-server(the service publishes it — verified) with a conventional-path fallback for older on-prem installs.refresh_tokengrant before any browser round-trip. The service currently answers that grant with a session-scoped token papi rejects (verified live), so a refreshed token is trusted only after one authenticated papi call succeeds; otherwise the flow falls back to the browser, respecting refresh-token rotation and dropping a useless stored token.ACCOUNT_URLscheme validation (https, or http for loopback only) before the browser opens; ctx-aware, timeout-bounded token exchange honouring--insecure; token-endpoint bodies never echoed into errors (field names only).Test hygiene
TestMainpinsSIMULATOR_WORK_DIRto a sandbox for the whole suite — a test that forgetst.Setenvcan no longer touch a real.env.Testing
go build ./...,go vet ./...,go test -race ./...green; +20 tests (self-heal, discovery, refresh rotation/validation, redaction, logout roundtrip, ctx cancel)..envon the real mw gateway; full OAuth login through the real consent flow; logout backup/idempotence; refresh grant + papi rejection verified with real tokens.🤖 Generated with Claude Code