feat: MCP OAuth (#178)

* feat: MCP OAuth * fix: redirect url and oauth
2026-04-25 07:00:48 +09:00 · 2026-03-04 00:41:05 +08:00
parent f0517a3a1f
commit 64609c2101
33 changed files with 4037 additions and 97 deletions
@@ -12,9 +12,9 @@ import (
 )

 const createMCPConnection = `-- name: CreateMCPConnection :one
-INSERT INTO mcp_connections (bot_id, name, type, config, is_active)
-VALUES ($1, $2, $3, $4, $5)
-RETURNING id, bot_id, name, type, config, is_active, created_at, updated_at
+INSERT INTO mcp_connections (bot_id, name, type, config, is_active, auth_type)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING id, bot_id, name, type, config, is_active, status, tools_cache, last_probed_at, status_message, auth_type, created_at, updated_at
 `

 type CreateMCPConnectionParams struct {
@@ -23,6 +23,7 @@ type CreateMCPConnectionParams struct {
 	Type     string      `json:"type"`
 	Config   []byte      `json:"config"`
 	IsActive bool        `json:"is_active"`
+	AuthType string      `json:"auth_type"`
 }

 func (q *Queries) CreateMCPConnection(ctx context.Context, arg CreateMCPConnectionParams) (McpConnection, error) {
@@ -32,6 +33,7 @@ func (q *Queries) CreateMCPConnection(ctx context.Context, arg CreateMCPConnecti
 		arg.Type,
 		arg.Config,
 		arg.IsActive,
+		arg.AuthType,
 	)
 	var i McpConnection
 	err := row.Scan(
@@ -41,6 +43,11 @@ func (q *Queries) CreateMCPConnection(ctx context.Context, arg CreateMCPConnecti
 		&i.Type,
 		&i.Config,
 		&i.IsActive,
+		&i.Status,
+		&i.ToolsCache,
+		&i.LastProbedAt,
+		&i.StatusMessage,
+		&i.AuthType,
 		&i.CreatedAt,
 		&i.UpdatedAt,
 	)
@@ -63,7 +70,7 @@ func (q *Queries) DeleteMCPConnection(ctx context.Context, arg DeleteMCPConnecti
 }

 const getMCPConnectionByID = `-- name: GetMCPConnectionByID :one
-SELECT id, bot_id, name, type, config, is_active, created_at, updated_at
+SELECT id, bot_id, name, type, config, is_active, status, tools_cache, last_probed_at, status_message, auth_type, created_at, updated_at
 FROM mcp_connections
 WHERE bot_id = $1 AND id = $2
 LIMIT 1
@@ -84,6 +91,11 @@ func (q *Queries) GetMCPConnectionByID(ctx context.Context, arg GetMCPConnection
 		&i.Type,
 		&i.Config,
 		&i.IsActive,
+		&i.Status,
+		&i.ToolsCache,
+		&i.LastProbedAt,
+		&i.StatusMessage,
+		&i.AuthType,
 		&i.CreatedAt,
 		&i.UpdatedAt,
 	)
@@ -91,7 +103,7 @@ func (q *Queries) GetMCPConnectionByID(ctx context.Context, arg GetMCPConnection
 }

 const listMCPConnectionsByBotID = `-- name: ListMCPConnectionsByBotID :many
-SELECT id, bot_id, name, type, config, is_active, created_at, updated_at
+SELECT id, bot_id, name, type, config, is_active, status, tools_cache, last_probed_at, status_message, auth_type, created_at, updated_at
 FROM mcp_connections
 WHERE bot_id = $1
 ORDER BY created_at DESC
@@ -113,6 +125,11 @@ func (q *Queries) ListMCPConnectionsByBotID(ctx context.Context, botID pgtype.UU
 			&i.Type,
 			&i.Config,
 			&i.IsActive,
+			&i.Status,
+			&i.ToolsCache,
+			&i.LastProbedAt,
+			&i.StatusMessage,
+			&i.AuthType,
 			&i.CreatedAt,
 			&i.UpdatedAt,
 		); err != nil {
@@ -132,9 +149,10 @@ SET name = $3,
    type = $4,
    config = $5,
    is_active = $6,
+    auth_type = $7,
    updated_at = now()
 WHERE bot_id = $1 AND id = $2
-RETURNING id, bot_id, name, type, config, is_active, created_at, updated_at
+RETURNING id, bot_id, name, type, config, is_active, status, tools_cache, last_probed_at, status_message, auth_type, created_at, updated_at
 `

 type UpdateMCPConnectionParams struct {
@@ -144,6 +162,7 @@ type UpdateMCPConnectionParams struct {
 	Type     string      `json:"type"`
 	Config   []byte      `json:"config"`
 	IsActive bool        `json:"is_active"`
+	AuthType string      `json:"auth_type"`
 }

 func (q *Queries) UpdateMCPConnection(ctx context.Context, arg UpdateMCPConnectionParams) (McpConnection, error) {
@@ -154,6 +173,7 @@ func (q *Queries) UpdateMCPConnection(ctx context.Context, arg UpdateMCPConnecti
 		arg.Type,
 		arg.Config,
 		arg.IsActive,
+		arg.AuthType,
 	)
 	var i McpConnection
 	err := row.Scan(
@@ -163,12 +183,63 @@ func (q *Queries) UpdateMCPConnection(ctx context.Context, arg UpdateMCPConnecti
 		&i.Type,
 		&i.Config,
 		&i.IsActive,
+		&i.Status,
+		&i.ToolsCache,
+		&i.LastProbedAt,
+		&i.StatusMessage,
+		&i.AuthType,
 		&i.CreatedAt,
 		&i.UpdatedAt,
 	)
 	return i, err
 }

+const updateMCPConnectionAuthType = `-- name: UpdateMCPConnectionAuthType :exec
+UPDATE mcp_connections
+SET auth_type = $2,
+    updated_at = now()
+WHERE id = $1
+`
+
+type UpdateMCPConnectionAuthTypeParams struct {
+	ID       pgtype.UUID `json:"id"`
+	AuthType string      `json:"auth_type"`
+}
+
+func (q *Queries) UpdateMCPConnectionAuthType(ctx context.Context, arg UpdateMCPConnectionAuthTypeParams) error {
+	_, err := q.db.Exec(ctx, updateMCPConnectionAuthType, arg.ID, arg.AuthType)
+	return err
+}
+
+const updateMCPConnectionProbeResult = `-- name: UpdateMCPConnectionProbeResult :exec
+UPDATE mcp_connections
+SET status = $3,
+    tools_cache = $4,
+    last_probed_at = now(),
+    status_message = $5,
+    updated_at = now()
+WHERE bot_id = $1 AND id = $2
+`
+
+type UpdateMCPConnectionProbeResultParams struct {
+	BotID         pgtype.UUID `json:"bot_id"`
+	ID            pgtype.UUID `json:"id"`
+	Status        string      `json:"status"`
+	ToolsCache    []byte      `json:"tools_cache"`
+	StatusMessage string      `json:"status_message"`
+}
+
+func (q *Queries) UpdateMCPConnectionProbeResult(ctx context.Context, arg UpdateMCPConnectionProbeResultParams) error {
+	_, err := q.db.Exec(ctx, updateMCPConnectionProbeResult,
+		arg.BotID,
+		arg.ID,
+		arg.Status,
+		arg.ToolsCache,
+		arg.StatusMessage,
+	)
+	return err
+}
+
 const upsertMCPConnectionByName = `-- name: UpsertMCPConnectionByName :one
 INSERT INTO mcp_connections (bot_id, name, type, config)
 VALUES ($1, $2, $3, $4)
@@ -176,7 +247,7 @@ ON CONFLICT (bot_id, name)
 DO UPDATE SET type = EXCLUDED.type,
              config = EXCLUDED.config,
              updated_at = now()
-RETURNING id, bot_id, name, type, config, is_active, created_at, updated_at
+RETURNING id, bot_id, name, type, config, is_active, status, tools_cache, last_probed_at, status_message, auth_type, created_at, updated_at
 `

 type UpsertMCPConnectionByNameParams struct {
@@ -201,6 +272,11 @@ func (q *Queries) UpsertMCPConnectionByName(ctx context.Context, arg UpsertMCPCo
 		&i.Type,
 		&i.Config,
 		&i.IsActive,
+		&i.Status,
+		&i.ToolsCache,
+		&i.LastProbedAt,
+		&i.StatusMessage,
+		&i.AuthType,
 		&i.CreatedAt,
 		&i.UpdatedAt,
 	)
@@ -0,0 +1,270 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.30.0
+// source: mcp_oauth.sql
+
+package sqlc
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const clearMCPOAuthTokens = `-- name: ClearMCPOAuthTokens :exec
+UPDATE mcp_oauth_tokens
+SET access_token = '',
+    refresh_token = '',
+    expires_at = NULL,
+    scope = '',
+    pkce_code_verifier = '',
+    state_param = '',
+    redirect_uri = '',
+    updated_at = now()
+WHERE connection_id = $1
+`
+
+func (q *Queries) ClearMCPOAuthTokens(ctx context.Context, connectionID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, clearMCPOAuthTokens, connectionID)
+	return err
+}
+
+const deleteMCPOAuthToken = `-- name: DeleteMCPOAuthToken :exec
+DELETE FROM mcp_oauth_tokens
+WHERE connection_id = $1
+`
+
+func (q *Queries) DeleteMCPOAuthToken(ctx context.Context, connectionID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteMCPOAuthToken, connectionID)
+	return err
+}
+
+const getMCPOAuthToken = `-- name: GetMCPOAuthToken :one
+SELECT id, connection_id, resource_metadata_url, authorization_server_url,
+       authorization_endpoint, token_endpoint, registration_endpoint,
+       scopes_supported, client_id, client_secret, access_token, refresh_token,
+       token_type, expires_at, scope, pkce_code_verifier, state_param,
+       resource_uri, redirect_uri, created_at, updated_at
+FROM mcp_oauth_tokens
+WHERE connection_id = $1
+LIMIT 1
+`
+
+func (q *Queries) GetMCPOAuthToken(ctx context.Context, connectionID pgtype.UUID) (McpOauthToken, error) {
+	row := q.db.QueryRow(ctx, getMCPOAuthToken, connectionID)
+	var i McpOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.ConnectionID,
+		&i.ResourceMetadataUrl,
+		&i.AuthorizationServerUrl,
+		&i.AuthorizationEndpoint,
+		&i.TokenEndpoint,
+		&i.RegistrationEndpoint,
+		&i.ScopesSupported,
+		&i.ClientID,
+		&i.ClientSecret,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.TokenType,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.PkceCodeVerifier,
+		&i.StateParam,
+		&i.ResourceUri,
+		&i.RedirectUri,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getMCPOAuthTokenByState = `-- name: GetMCPOAuthTokenByState :one
+SELECT id, connection_id, resource_metadata_url, authorization_server_url,
+       authorization_endpoint, token_endpoint, registration_endpoint,
+       scopes_supported, client_id, client_secret, access_token, refresh_token,
+       token_type, expires_at, scope, pkce_code_verifier, state_param,
+       resource_uri, redirect_uri, created_at, updated_at
+FROM mcp_oauth_tokens
+WHERE state_param = $1
+LIMIT 1
+`
+
+func (q *Queries) GetMCPOAuthTokenByState(ctx context.Context, stateParam string) (McpOauthToken, error) {
+	row := q.db.QueryRow(ctx, getMCPOAuthTokenByState, stateParam)
+	var i McpOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.ConnectionID,
+		&i.ResourceMetadataUrl,
+		&i.AuthorizationServerUrl,
+		&i.AuthorizationEndpoint,
+		&i.TokenEndpoint,
+		&i.RegistrationEndpoint,
+		&i.ScopesSupported,
+		&i.ClientID,
+		&i.ClientSecret,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.TokenType,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.PkceCodeVerifier,
+		&i.StateParam,
+		&i.ResourceUri,
+		&i.RedirectUri,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const updateMCPOAuthClientSecret = `-- name: UpdateMCPOAuthClientSecret :exec
+UPDATE mcp_oauth_tokens
+SET client_secret = $2,
+    updated_at = now()
+WHERE connection_id = $1
+`
+
+type UpdateMCPOAuthClientSecretParams struct {
+	ConnectionID pgtype.UUID `json:"connection_id"`
+	ClientSecret string      `json:"client_secret"`
+}
+
+func (q *Queries) UpdateMCPOAuthClientSecret(ctx context.Context, arg UpdateMCPOAuthClientSecretParams) error {
+	_, err := q.db.Exec(ctx, updateMCPOAuthClientSecret, arg.ConnectionID, arg.ClientSecret)
+	return err
+}
+
+const updateMCPOAuthPKCEState = `-- name: UpdateMCPOAuthPKCEState :exec
+UPDATE mcp_oauth_tokens
+SET pkce_code_verifier = $2,
+    state_param = $3,
+    client_id = $4,
+    redirect_uri = $5,
+    updated_at = now()
+WHERE connection_id = $1
+`
+
+type UpdateMCPOAuthPKCEStateParams struct {
+	ConnectionID     pgtype.UUID `json:"connection_id"`
+	PkceCodeVerifier string      `json:"pkce_code_verifier"`
+	StateParam       string      `json:"state_param"`
+	ClientID         string      `json:"client_id"`
+	RedirectUri      string      `json:"redirect_uri"`
+}
+
+func (q *Queries) UpdateMCPOAuthPKCEState(ctx context.Context, arg UpdateMCPOAuthPKCEStateParams) error {
+	_, err := q.db.Exec(ctx, updateMCPOAuthPKCEState,
+		arg.ConnectionID,
+		arg.PkceCodeVerifier,
+		arg.StateParam,
+		arg.ClientID,
+		arg.RedirectUri,
+	)
+	return err
+}
+
+const updateMCPOAuthTokens = `-- name: UpdateMCPOAuthTokens :exec
+UPDATE mcp_oauth_tokens
+SET access_token = $2,
+    refresh_token = $3,
+    token_type = $4,
+    expires_at = $5,
+    scope = $6,
+    pkce_code_verifier = '',
+    state_param = '',
+    updated_at = now()
+WHERE connection_id = $1
+`
+
+type UpdateMCPOAuthTokensParams struct {
+	ConnectionID pgtype.UUID        `json:"connection_id"`
+	AccessToken  string             `json:"access_token"`
+	RefreshToken string             `json:"refresh_token"`
+	TokenType    string             `json:"token_type"`
+	ExpiresAt    pgtype.Timestamptz `json:"expires_at"`
+	Scope        string             `json:"scope"`
+}
+
+func (q *Queries) UpdateMCPOAuthTokens(ctx context.Context, arg UpdateMCPOAuthTokensParams) error {
+	_, err := q.db.Exec(ctx, updateMCPOAuthTokens,
+		arg.ConnectionID,
+		arg.AccessToken,
+		arg.RefreshToken,
+		arg.TokenType,
+		arg.ExpiresAt,
+		arg.Scope,
+	)
+	return err
+}
+
+const upsertMCPOAuthDiscovery = `-- name: UpsertMCPOAuthDiscovery :one
+INSERT INTO mcp_oauth_tokens (connection_id, resource_metadata_url, authorization_server_url,
+    authorization_endpoint, token_endpoint, registration_endpoint, scopes_supported,
+    resource_uri)
+VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+ON CONFLICT (connection_id)
+DO UPDATE SET resource_metadata_url = EXCLUDED.resource_metadata_url,
+              authorization_server_url = EXCLUDED.authorization_server_url,
+              authorization_endpoint = EXCLUDED.authorization_endpoint,
+              token_endpoint = EXCLUDED.token_endpoint,
+              registration_endpoint = EXCLUDED.registration_endpoint,
+              scopes_supported = EXCLUDED.scopes_supported,
+              resource_uri = EXCLUDED.resource_uri,
+              updated_at = now()
+RETURNING id, connection_id, resource_metadata_url, authorization_server_url,
+          authorization_endpoint, token_endpoint, registration_endpoint,
+          scopes_supported, client_id, client_secret, access_token, refresh_token,
+          token_type, expires_at, scope, pkce_code_verifier, state_param,
+          resource_uri, redirect_uri, created_at, updated_at
+`
+
+type UpsertMCPOAuthDiscoveryParams struct {
+	ConnectionID           pgtype.UUID `json:"connection_id"`
+	ResourceMetadataUrl    string      `json:"resource_metadata_url"`
+	AuthorizationServerUrl string      `json:"authorization_server_url"`
+	AuthorizationEndpoint  string      `json:"authorization_endpoint"`
+	TokenEndpoint          string      `json:"token_endpoint"`
+	RegistrationEndpoint   string      `json:"registration_endpoint"`
+	ScopesSupported        []string    `json:"scopes_supported"`
+	ResourceUri            string      `json:"resource_uri"`
+}
+
+func (q *Queries) UpsertMCPOAuthDiscovery(ctx context.Context, arg UpsertMCPOAuthDiscoveryParams) (McpOauthToken, error) {
+	row := q.db.QueryRow(ctx, upsertMCPOAuthDiscovery,
+		arg.ConnectionID,
+		arg.ResourceMetadataUrl,
+		arg.AuthorizationServerUrl,
+		arg.AuthorizationEndpoint,
+		arg.TokenEndpoint,
+		arg.RegistrationEndpoint,
+		arg.ScopesSupported,
+		arg.ResourceUri,
+	)
+	var i McpOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.ConnectionID,
+		&i.ResourceMetadataUrl,
+		&i.AuthorizationServerUrl,
+		&i.AuthorizationEndpoint,
+		&i.TokenEndpoint,
+		&i.RegistrationEndpoint,
+		&i.ScopesSupported,
+		&i.ClientID,
+		&i.ClientSecret,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.TokenType,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.PkceCodeVerifier,
+		&i.StateParam,
+		&i.ResourceUri,
+		&i.RedirectUri,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
@@ -246,14 +246,43 @@ type LlmProvider struct {
 }

 type McpConnection struct {
-	ID        pgtype.UUID        `json:"id"`
-	BotID     pgtype.UUID        `json:"bot_id"`
-	Name      string             `json:"name"`
-	Type      string             `json:"type"`
-	Config    []byte             `json:"config"`
-	IsActive  bool               `json:"is_active"`
-	CreatedAt pgtype.Timestamptz `json:"created_at"`
-	UpdatedAt pgtype.Timestamptz `json:"updated_at"`
+	ID            pgtype.UUID        `json:"id"`
+	BotID         pgtype.UUID        `json:"bot_id"`
+	Name          string             `json:"name"`
+	Type          string             `json:"type"`
+	Config        []byte             `json:"config"`
+	IsActive      bool               `json:"is_active"`
+	Status        string             `json:"status"`
+	ToolsCache    []byte             `json:"tools_cache"`
+	LastProbedAt  pgtype.Timestamptz `json:"last_probed_at"`
+	StatusMessage string             `json:"status_message"`
+	AuthType      string             `json:"auth_type"`
+	CreatedAt     pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt     pgtype.Timestamptz `json:"updated_at"`
+}
+
+type McpOauthToken struct {
+	ID                     pgtype.UUID        `json:"id"`
+	ConnectionID           pgtype.UUID        `json:"connection_id"`
+	ResourceMetadataUrl    string             `json:"resource_metadata_url"`
+	AuthorizationServerUrl string             `json:"authorization_server_url"`
+	AuthorizationEndpoint  string             `json:"authorization_endpoint"`
+	TokenEndpoint          string             `json:"token_endpoint"`
+	RegistrationEndpoint   string             `json:"registration_endpoint"`
+	ScopesSupported        []string           `json:"scopes_supported"`
+	ClientID               string             `json:"client_id"`
+	ClientSecret           string             `json:"client_secret"`
+	AccessToken            string             `json:"access_token"`
+	RefreshToken           string             `json:"refresh_token"`
+	TokenType              string             `json:"token_type"`
+	ExpiresAt              pgtype.Timestamptz `json:"expires_at"`
+	Scope                  string             `json:"scope"`
+	PkceCodeVerifier       string             `json:"pkce_code_verifier"`
+	StateParam             string             `json:"state_param"`
+	ResourceUri            string             `json:"resource_uri"`
+	RedirectUri            string             `json:"redirect_uri"`
+	CreatedAt              pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt              pgtype.Timestamptz `json:"updated_at"`
 }

 type MediaAsset struct {