feat: MCP OAuth (#178)

* feat: MCP OAuth * fix: redirect url and oauth
2026-04-27 07:16:19 +09:00 · 2026-03-04 00:41:05 +08:00
parent f0517a3a1f
commit 64609c2101
33 changed files with 4037 additions and 97 deletions
@@ -194,6 +194,7 @@ func runServe() {

 			// containerd handler & tool gateway
 			provideContainerdHandler,
+			provideFederationGateway,
 			provideToolGatewayService,

 			// http handlers (group:"server_handlers")
@@ -220,6 +221,8 @@ func runServe() {
 			provideServerHandler(handlers.NewEmailOutboxHandler),
 			provideServerHandler(handlers.NewEmailWebhookHandler),
 			provideServerHandler(handlers.NewMCPHandler),
+			provideServerHandler(handlers.NewMCPOAuthHandler),
+			provideOAuthService,
 			provideServerHandler(handlers.NewInboxHandler),
 			provideServerHandler(handlers.NewTokenUsageHandler),
 			provideServerHandler(provideCLIHandler),
@@ -430,7 +433,23 @@ func provideContainerdHandler(log *slog.Logger, service ctr.Service, manager *mc
 	return handlers.NewContainerdHandler(log, service, manager, cfg.MCP, cfg.Containerd.Namespace, rc.ContainerBackend, botService, accountService, policyService, queries)
 }

-func provideToolGatewayService(log *slog.Logger, cfg config.Config, channelManager *channel.Manager, registry *channel.Registry, routeService *route.DBService, scheduleService *schedule.Service, chatService *conversation.Service, accountService *accounts.Service, settingsService *settings.Service, searchProviderService *searchproviders.Service, manager *mcp.Manager, containerdHandler *handlers.ContainerdHandler, mcpConnService *mcp.ConnectionService, mediaService *media.Service, inboxService *inbox.Service, memoryRegistry *memprovider.Registry, emailService *emailpkg.Service, emailManager *emailpkg.Manager) *mcp.ToolGatewayService {
+func provideFederationGateway(log *slog.Logger, containerdHandler *handlers.ContainerdHandler) *handlers.MCPFederationGateway {
+	return handlers.NewMCPFederationGateway(log, containerdHandler)
+}
+func provideOAuthService(log *slog.Logger, queries *dbsqlc.Queries, cfg config.Config) *mcp.OAuthService {
+	addr := strings.TrimSpace(cfg.Server.Addr)
+	if addr == "" {
+		addr = ":8080"
+	}
+	host := addr
+	if strings.HasPrefix(host, ":") {
+		host = "localhost" + host
+	}
+	callbackURL := "http://" + host + "/api/oauth/mcp/callback"
+	return mcp.NewOAuthService(log, queries, callbackURL)
+}
+func provideToolGatewayService(log *slog.Logger, cfg config.Config, channelManager *channel.Manager, registry *channel.Registry, routeService *route.DBService, scheduleService *schedule.Service, chatService *conversation.Service, accountService *accounts.Service, settingsService *settings.Service, searchProviderService *searchproviders.Service, manager *mcp.Manager, containerdHandler *handlers.ContainerdHandler, mcpConnService *mcp.ConnectionService, mediaService *media.Service, inboxService *inbox.Service, memoryRegistry *memprovider.Registry, emailService *emailpkg.Service, emailManager *emailpkg.Manager, fedGateway *handlers.MCPFederationGateway, oauthService *mcp.OAuthService) *mcp.ToolGatewayService {
+	fedGateway.SetOAuthService(oauthService)
 	var assetResolver mcpmessage.AssetResolver
 	if mediaService != nil {
 		assetResolver = &mediaAssetResolverAdapter{media: mediaService}
@@ -442,10 +461,7 @@ func provideToolGatewayService(log *slog.Logger, cfg config.Config, channelManag
 	webExec := mcpweb.NewExecutor(log, settingsService, searchProviderService)
 	inboxExec := mcpinbox.NewExecutor(log, inboxService)
 	fsExec := mcpcontainer.NewExecutor(log, manager, config.DefaultDataMount)
-
-	fedGateway := handlers.NewMCPFederationGateway(log, containerdHandler)
 	fedSource := mcpfederation.NewSource(log, fedGateway, mcpConnService)
-
 	emailExec := mcpemail.NewExecutor(log, emailService, emailManager)

 	svc := mcp.NewToolGatewayService(