simstudioai
diff --git a/‎apps/sim/app/api/mcp/oauth/callback/route.ts‎
Lines changed: 111 additions & 0 deletions b/‎apps/sim/app/api/mcp/oauth/callback/route.ts‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎apps/sim/app/api/mcp/oauth/start/route.ts‎
Lines changed: 95 additions & 0 deletions b/‎apps/sim/app/api/mcp/oauth/start/route.ts‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎apps/sim/app/api/mcp/servers/[id]/route.ts‎
Lines changed: 22 additions & 5 deletions b/‎apps/sim/app/api/mcp/servers/[id]/route.ts‎
Lines changed: 22 additions & 5 deletions
diff --git a/‎apps/sim/app/api/mcp/servers/route.ts‎
Lines changed: 42 additions & 7 deletions b/‎apps/sim/app/api/mcp/servers/route.ts‎
Lines changed: 42 additions & 7 deletions
@@ -0,0 +1,111 @@
+import { auth as mcpAuth } from '@modelcontextprotocol/sdk/client/auth.js'
+import { db } from '@sim/db'
+import { mcpServers } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { eq } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import {
+  clearState,
+  clearVerifier,
+  loadOauthRowByState,
+  loadPreregisteredClient,
+  SimMcpOauthProvider,
+} from '@/lib/mcp/oauth'
+import { mcpService } from '@/lib/mcp/service'
+
+const logger = createLogger('McpOauthCallbackAPI')
+
+export const dynamic = 'force-dynamic'
+
+function escapeHtml(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+}
+
+function htmlClose(message: string, ok: boolean): NextResponse {
+  const safeMessage = escapeHtml(message)
+  const title = ok ? 'Connected' : 'Connection failed'
+  const body = `<!doctype html><html><head><meta charset="utf-8"><title>${title}</title></head><body style="font-family: system-ui; padding: 24px"><p>${safeMessage}</p><script>
+    try { window.opener && window.opener.postMessage({ type: 'mcp-oauth', ok: ${ok ? 'true' : 'false'} }, window.location.origin) } catch (e) {}
+    setTimeout(function () { window.close() }, 800)
+  </script></body></html>`
+  return new NextResponse(body, {
+    headers: { 'Content-Type': 'text/html; charset=utf-8' },
+  })
+}
+
+export const GET = withRouteHandler(async (request: NextRequest) => {
+  const url = new URL(request.url)
+  const state = url.searchParams.get('state')
+  const code = url.searchParams.get('code')
+  const errorParam = url.searchParams.get('error')
+
+  if (errorParam) {
+    logger.warn(`MCP OAuth callback received error: ${errorParam}`)
+    return htmlClose(`Authorization failed: ${errorParam}`, false)
+  }
+  if (!state || !code) {
+    return htmlClose('Missing state or code in callback URL.', false)
+  }
+
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return htmlClose('You must be signed in to complete authorization.', false)
+    }
+
+    const row = await loadOauthRowByState(state)
+    if (!row) {
+      return htmlClose('Invalid or expired authorization state.', false)
+    }
+
+    if (session.user.id !== row.userId) {
+      return htmlClose('You must be signed in as the same user that initiated the flow.', false)
+    }
+
+    const [server] = await db
+      .select({ id: mcpServers.id, url: mcpServers.url, workspaceId: mcpServers.workspaceId })
+      .from(mcpServers)
+      .where(eq(mcpServers.id, row.mcpServerId))
+      .limit(1)
+    if (!server || !server.url) {
+      return htmlClose('Server no longer exists.', false)
+    }
+
+    // Burn state before token exchange so a replayed callback cannot reuse it.
+    await clearState(row.id)
+
+    const preregistered = await loadPreregisteredClient(server.id)
+    const provider = new SimMcpOauthProvider({ row, preregistered })
+    const result = await mcpAuth(provider, {
+      serverUrl: server.url,
+      authorizationCode: code,
+    })
+
+    await clearVerifier(row.id)
+
+    if (result !== 'AUTHORIZED') {
+      return htmlClose('Authorization did not complete.', false)
+    }
+
+    try {
+      await mcpService.clearCache(server.workspaceId)
+      await mcpService.discoverServerTools(row.userId, server.id, server.workspaceId)
+    } catch (e) {
+      logger.warn('Post-auth tools refresh failed', toError(e).message)
+    }
+
+    return htmlClose('Connected. You can close this window.', true)
+  } catch (error) {
+    logger.error('MCP OAuth callback failed', error)
+    return htmlClose(`Authorization failed: ${toError(error).message}`, false)
+  }
+})
@@ -0,0 +1,95 @@
+import { auth as mcpAuth } from '@modelcontextprotocol/sdk/client/auth.js'
+import { db } from '@sim/db'
+import { mcpServers } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { and, eq, isNull } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { startMcpOauthQuerySchema } from '@/lib/api/contracts/mcp'
+import { validationErrorResponse } from '@/lib/api/server'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { withMcpAuth } from '@/lib/mcp/middleware'
+import {
+  getOrCreateOauthRow,
+  loadPreregisteredClient,
+  McpOauthRedirectRequired,
+  SimMcpOauthProvider,
+} from '@/lib/mcp/oauth'
+import { createMcpErrorResponse } from '@/lib/mcp/utils'
+
+const logger = createLogger('McpOauthStartAPI')
+
+export const dynamic = 'force-dynamic'
+
+export const GET = withRouteHandler(
+  withMcpAuth('write')(async (request: NextRequest, { userId, workspaceId, requestId }) => {
+    try {
+      const queryResult = startMcpOauthQuerySchema.safeParse(
+        Object.fromEntries(new URL(request.url).searchParams)
+      )
+      if (!queryResult.success) {
+        return validationErrorResponse(queryResult.error)
+      }
+      const { serverId } = queryResult.data
+
+      const [server] = await db
+        .select()
+        .from(mcpServers)
+        .where(
+          and(
+            eq(mcpServers.id, serverId),
+            eq(mcpServers.workspaceId, workspaceId),
+            isNull(mcpServers.deletedAt)
+          )
+        )
+        .limit(1)
+
+      if (!server) {
+        return createMcpErrorResponse(new Error('Server not found'), 'Server not found', 404)
+      }
+      if (server.authType !== 'oauth') {
+        return createMcpErrorResponse(
+          new Error(`Server authType is "${server.authType}", not oauth`),
+          'Server is not configured for OAuth',
+          400
+        )
+      }
+      if (!server.url) {
+        return createMcpErrorResponse(new Error('Server has no URL'), 'Missing server URL', 400)
+      }
+
+      const row = await getOrCreateOauthRow({
+        mcpServerId: server.id,
+        userId,
+        workspaceId,
+      })
+      const preregistered = await loadPreregisteredClient(server.id)
+      const provider = new SimMcpOauthProvider({ row, preregistered })
+
+      try {
+        const result = await mcpAuth(provider, { serverUrl: server.url })
+        if (result === 'AUTHORIZED') {
+          return NextResponse.json({ status: 'already_authorized' })
+        }
+        return createMcpErrorResponse(
+          new Error('Provider did not capture redirect URL'),
+          'Failed to start OAuth flow',
+          500
+        )
+      } catch (e) {
+        if (e instanceof McpOauthRedirectRequired) {
+          logger.info(`[${requestId}] OAuth redirect for server ${serverId}`)
+          return NextResponse.json({
+            status: 'redirect',
+            authorizationUrl: e.authorizationUrl,
+          })
+        }
+        throw e
+      }
+    } catch (error) {
+      logger.error(`[${requestId}] Error starting MCP OAuth flow:`, error)
+      return createMcpErrorResponse(toError(error), 'Failed to start OAuth flow', 500)
+    }
+  })
+)
@@ -1,11 +1,12 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { db } from '@sim/db'
-import { mcpServers } from '@sim/db/schema'
+import { mcpServerOauth, mcpServers } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { updateMcpServerBodySchema } from '@/lib/api/contracts/mcp'
+import { encryptSecret } from '@/lib/core/security/encryption'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import {
   McpDnsResolutionError,
@@ -53,7 +54,13 @@ export const PATCH = withRouteHandler(
         )
 
         // Remove workspaceId from body to prevent it from being updated
-        const { workspaceId: _, ...updateData } = body
+        const { workspaceId: _, oauthClientSecret, ...updateData } = body
+        const finalUpdateData: Record<string, unknown> = { ...updateData }
+        if (oauthClientSecret !== undefined) {
+          finalUpdateData.oauthClientSecret = oauthClientSecret
+            ? (await encryptSecret(oauthClientSecret)).encrypted
+            : null
+        }
 
         if (updateData.url) {
           try {
@@ -94,7 +101,7 @@ export const PATCH = withRouteHandler(
         const [updatedServer] = await db
           .update(mcpServers)
           .set({
-            ...updateData,
+            ...finalUpdateData,
             updatedAt: new Date(),
           })
           .where(
@@ -114,8 +121,17 @@ export const PATCH = withRouteHandler(
           )
         }
 
+        const urlChanged = body.url !== undefined && currentServer?.url !== body.url
+
+        if (urlChanged) {
+          await db.delete(mcpServerOauth).where(eq(mcpServerOauth.mcpServerId, serverId))
+          logger.info(
+            `[${requestId}] Cleared OAuth credentials for server ${serverId} due to URL change`
+          )
+        }
+
         const shouldClearCache =
-          (body.url !== undefined && currentServer?.url !== body.url) ||
+          urlChanged ||
           body.enabled !== undefined ||
           body.headers !== undefined ||
           body.timeout !== undefined ||
@@ -149,7 +165,8 @@ export const PATCH = withRouteHandler(
           request,
         })
 
-        return createMcpSuccessResponse({ server: updatedServer })
+        const { oauthClientSecret: _secret, ...safeServer } = updatedServer
+        return createMcpSuccessResponse({ server: safeServer })
       } catch (error) {
         logger.error(`[${requestId}] Error updating MCP server:`, error)
         return createMcpErrorResponse(toError(error), 'Failed to update MCP server', 500)
 
@@ -8,6 +8,7 @@ import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { createMcpServerBodySchema, deleteMcpServerByQuerySchema } from '@/lib/api/contracts/mcp'
 import { validationErrorResponse } from '@/lib/api/server'
+import { encryptSecret } from '@/lib/core/security/encryption'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import {
   McpDnsResolutionError,
@@ -17,6 +18,7 @@ import {
   validateMcpServerSsrf,
 } from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
+import { detectMcpAuthType } from '@/lib/mcp/oauth'
 import { mcpService } from '@/lib/mcp/service'
 import {
   createMcpErrorResponse,
@@ -37,11 +39,16 @@ export const GET = withRouteHandler(
     try {
       logger.info(`[${requestId}] Listing MCP servers for workspace ${workspaceId}`)
 
-      const servers = await db
+      const rows = await db
         .select()
         .from(mcpServers)
         .where(and(eq(mcpServers.workspaceId, workspaceId), isNull(mcpServers.deletedAt)))
 
+      const servers = rows.map(({ oauthClientSecret: _secret, ...rest }) => ({
+        ...rest,
+        hasOauthClientSecret: !!_secret,
+      }))
+
       logger.info(
         `[${requestId}] Listed ${servers.length} MCP servers for workspace ${workspaceId}`
       )
@@ -105,6 +112,25 @@ export const POST = withRouteHandler(
 
         const serverId = body.url ? generateMcpServerId(workspaceId, body.url) : generateId()
 
+        let resolvedAuthType: 'none' | 'headers' | 'oauth' = body.authType ?? 'headers'
+        if (!body.authType && body.url && !body.headers) {
+          try {
+            resolvedAuthType = await detectMcpAuthType(body.url)
+            logger.info(`[${requestId}] Probed ${body.url}: authType=${resolvedAuthType}`)
+          } catch (e) {
+            logger.warn(`[${requestId}] Probe failed for ${body.url}, defaulting to headers`, e)
+            resolvedAuthType = 'headers'
+          }
+        }
+
+        // User-supplied client credentials imply OAuth; pin authType regardless of probe.
+        if (body.oauthClientId) resolvedAuthType = 'oauth'
+
+        const oauthClientSecretEncrypted = body.oauthClientSecret
+          ? (await encryptSecret(body.oauthClientSecret)).encrypted
+          : null
+        const oauthClientId = body.oauthClientId || null
+
         const [existingServer] = await db
           .select({ id: mcpServers.id, deletedAt: mcpServers.deletedAt })
           .from(mcpServers)
@@ -123,12 +149,15 @@ export const POST = withRouteHandler(
               description: body.description,
               transport: body.transport,
               url: body.url,
+              authType: resolvedAuthType,
+              oauthClientId,
+              oauthClientSecret: oauthClientSecretEncrypted,
               headers: body.headers || {},
               timeout: body.timeout || 30000,
               retries: body.retries || 3,
               enabled: body.enabled !== false,
-              connectionStatus: 'connected',
-              lastConnected: new Date(),
+              connectionStatus: resolvedAuthType === 'oauth' ? 'disconnected' : 'connected',
+              lastConnected: resolvedAuthType === 'oauth' ? null : new Date(),
               updatedAt: new Date(),
               deletedAt: null,
             })
@@ -140,7 +169,10 @@ export const POST = withRouteHandler(
             `[${requestId}] Successfully updated MCP server: ${body.name} (ID: ${serverId})`
           )
 
-          return createMcpSuccessResponse({ serverId, updated: true }, 200)
+          return createMcpSuccessResponse(
+            { serverId, updated: true, authType: resolvedAuthType },
+            200
+          )
         }
 
         await db
@@ -153,12 +185,15 @@ export const POST = withRouteHandler(
             description: body.description,
             transport: body.transport,
             url: body.url,
+            authType: resolvedAuthType,
+            oauthClientId,
+            oauthClientSecret: oauthClientSecretEncrypted,
             headers: body.headers || {},
             timeout: body.timeout || 30000,
             retries: body.retries || 3,
             enabled: body.enabled !== false,
-            connectionStatus: 'connected',
-            lastConnected: new Date(),
+            connectionStatus: resolvedAuthType === 'oauth' ? 'disconnected' : 'connected',
+            lastConnected: resolvedAuthType === 'oauth' ? null : new Date(),
             createdAt: new Date(),
             updatedAt: new Date(),
           })
@@ -217,7 +252,7 @@ export const POST = withRouteHandler(
           request,
         })
 
-        return createMcpSuccessResponse({ serverId }, 201)
+        return createMcpSuccessResponse({ serverId, authType: resolvedAuthType }, 201)
       } catch (error) {
         logger.error(`[${requestId}] Error registering MCP server:`, error)
         return createMcpErrorResponse(toError(error), 'Failed to register MCP server', 500)