feat(backend): update user configuration routes and scopes for OAuth2 access

Lasim · Lasim · commit fae0557f9c6f · 2025-08-20T21:17:34.000+02:00
diff --git a/services/backend/api-spec.json b/services/backend/api-spec.json
@@ -19400,7 +19400,7 @@
         "tags": [
           "MCP User Configurations"
         ],
-        "description": "Retrieves all user-specific configurations for an MCP server installation belonging to the authenticated user. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.",
+        "description": "Retrieves all user-specific configurations for an MCP server installation belonging to the authenticated user. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:user-configs:read scope for OAuth2 access.",
         "parameters": [
           {
             "schema": {
@@ -19654,6 +19654,11 @@
     },
     "/api/teams/{teamId}/mcp/installations/{installationId}/user-configs/{configId}": {
       "get": {
+        "summary": "Get user configuration by ID",
+        "tags": [
+          "MCP User Configurations"
+        ],
+        "description": "Retrieves a specific user configuration for an MCP server installation. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:user-configs:read scope for OAuth2 access.",
         "parameters": [
           {
             "schema": {
@@ -19696,7 +19701,7 @@
         ],
         "responses": {
           "200": {
-            "description": "Default Response",
+            "description": "User configuration retrieved successfully",
             "content": {
               "application/json": {
                 "schema": {
@@ -19773,7 +19778,8 @@
                     "success",
                     "data"
                   ],
-                  "additionalProperties": false
+                  "additionalProperties": false,
+                  "description": "User configuration retrieved successfully"
                 }
               }
             }
diff --git a/services/backend/api-spec.yaml b/services/backend/api-spec.yaml
@@ -13360,7 +13360,7 @@ paths:
         installation belonging to the authenticated user. No Content-Type header
         required for this GET request. Supports both cookie-based authentication
         (for web users) and OAuth2 Bearer token authentication (for CLI users).
-        Requires mcp:read scope for OAuth2 access.
+        Requires mcp:user-configs:read scope for OAuth2 access.
       parameters:
         - schema:
             type: string
@@ -13536,6 +13536,14 @@ paths:
                 description: Internal Server Error
   /api/teams/{teamId}/mcp/installations/{installationId}/user-configs/{configId}:
     get:
+      summary: Get user configuration by ID
+      tags:
+        - MCP User Configurations
+      description: Retrieves a specific user configuration for an MCP server
+        installation. No Content-Type header required for this GET request.
+        Supports both cookie-based authentication (for web users) and OAuth2
+        Bearer token authentication (for CLI users). Requires
+        mcp:user-configs:read scope for OAuth2 access.
       parameters:
         - schema:
             type: string
@@ -13563,7 +13571,7 @@ paths:
         - bearerAuth: []
       responses:
         "200":
-          description: Default Response
+          description: User configuration retrieved successfully
           content:
             application/json:
               schema:
@@ -13623,6 +13631,7 @@ paths:
                   - success
                   - data
                 additionalProperties: false
+                description: User configuration retrieved successfully
         "400":
           description: Bad Request
           content:
diff --git a/services/backend/src/routes/mcp/user-configurations/get.ts b/services/backend/src/routes/mcp/user-configurations/get.ts
@@ -1,50 +1,130 @@
-import { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
-import { getUserConfigurationByIdSchema, GetUserConfigurationByIdRequest, formatUserConfigResponse } from './schemas';
-import { mcpUserConfigurationService } from '../../../services/mcpUserConfigurationService';
-import { authHook } from '../../../hooks/authHook';
-
-export default async function getUserConfigurationRoute(fastify: FastifyInstance) {
-  fastify.get<GetUserConfigurationByIdRequest>(
-    '/teams/:teamId/mcp/installations/:installationId/user-configs/:configId',
-    {
-      schema: getUserConfigurationByIdSchema,
-      preHandler: [authHook]
-    },
-    async (request: FastifyRequest<GetUserConfigurationByIdRequest>, reply: FastifyReply) => {
-      const { teamId, installationId, configId } = request.params;
-      const userId = request.user!.id;
-
-      try {
-        // Get the user configuration
-        const userConfig = await mcpUserConfigurationService.getUserConfigurationById(
-          configId,
-          userId,
-          teamId
-        );
-
-        if (!userConfig) {
-          return reply.status(404).send({
-            error: 'User configuration not found'
-          });
-        }
-
-        // Format and return the response
-        const response = formatUserConfigResponse(userConfig);
-        return reply.send(response);
-
-      } catch (error) {
-        fastify.log.error({
-          operation: 'get_user_configuration',
-          error,
+import { type FastifyInstance } from 'fastify';
+import { requireAuthenticationAny, requireOAuthScope } from '../../../middleware/oauthMiddleware';
+import { requireTeamPermission } from '../../../middleware/roleMiddleware';
+import { McpUserConfigurationService } from '../../../services/mcpUserConfigurationService';
+import { getDb } from '../../../db';
+import {
+  TEAM_AND_INSTALLATION_AND_CONFIG_PARAMS_SCHEMA,
+  USER_CONFIG_SUCCESS_RESPONSE_SCHEMA,
+  COMMON_ERROR_RESPONSES,
+  DUAL_AUTH_SECURITY,
+  formatUserConfigResponse,
+  type TeamAndInstallationAndConfigParams,
+  type UserConfigSuccessResponse,
+  type ErrorResponse
+} from './schemas';
+
+export default async function getUserConfigurationRoute(server: FastifyInstance) {
+  server.get<{
+    Params: TeamAndInstallationAndConfigParams;
+  }>('/teams/:teamId/mcp/installations/:installationId/user-configs/:configId', {
+    preValidation: [
+      requireAuthenticationAny(),
+      requireOAuthScope('mcp:user-configs:read'),
+      requireTeamPermission('mcp.installations.view')
+    ],
+    schema: {
+      tags: ['MCP User Configurations'],
+      summary: 'Get user configuration by ID',
+      description: 'Retrieves a specific user configuration for an MCP server installation. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:user-configs:read scope for OAuth2 access.',
+      security: DUAL_AUTH_SECURITY,
+      
+      // Fastify validation schema
+      params: TEAM_AND_INSTALLATION_AND_CONFIG_PARAMS_SCHEMA,
+      
+      response: {
+        200: {
+          ...USER_CONFIG_SUCCESS_RESPONSE_SCHEMA,
+          description: 'User configuration retrieved successfully'
+        },
+        ...COMMON_ERROR_RESPONSES
+      }
+    }
+  }, async (request, reply) => {
+    const { teamId, installationId, configId } = request.params;
+    const userId = request.user!.id;
+    const authType = request.tokenPayload ? 'oauth2' : 'cookie';
+
+    request.log.debug({
+      operation: 'mcp_user_config_operation',
+      userId,
+      authType,
+      clientId: request.tokenPayload?.clientId,
+      scope: request.tokenPayload?.scope,
+      endpoint: request.url
+    }, 'Authentication method determined for MCP user configuration operation');
+
+    request.log.info({
+      operation: 'get_mcp_user_config',
+      teamId,
+      installationId,
+      configId,
+      userId,
+      authType
+    }, 'Getting MCP user configuration');
+
+    try {
+      const db = getDb();
+      const userConfigService = new McpUserConfigurationService(db, request.log);
+      
+      const userConfig = await userConfigService.getUserConfigurationById(
+        configId,
+        userId,
+        teamId
+      );
+
+      if (!userConfig) {
+        request.log.warn({
+          operation: 'get_mcp_user_config',
           teamId,
           installationId,
           configId,
-          userId
-        }, 'Error getting user configuration');
-        return reply.status(500).send({
-          error: 'Internal server error'
-        });
+          userId,
+          found: false
+        }, 'MCP user configuration not found');
+
+        const errorResponse: ErrorResponse = {
+          success: false,
+          error: 'User configuration not found'
+        };
+        const jsonString = JSON.stringify(errorResponse);
+        return reply.status(404).type('application/json').send(jsonString);
       }
+
+      request.log.info({
+        operation: 'get_mcp_user_config',
+        teamId,
+        installationId,
+        configId,
+        userId,
+        authType
+      }, 'Successfully retrieved MCP user configuration');
+
+      const successResponse: UserConfigSuccessResponse = {
+        success: true,
+        data: formatUserConfigResponse(userConfig)
+      };
+      const jsonString = JSON.stringify(successResponse);
+      return reply.status(200).type('application/json').send(jsonString);
+
+    } catch (error) {
+      request.log.error({
+        operation: 'get_mcp_user_config',
+        error,
+        teamId,
+        installationId,
+        configId,
+        userId
+      }, 'Failed to retrieve MCP user configuration');
+
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+      
+      const errorResponse: ErrorResponse = {
+        success: false,
+        error: errorMessage
+      };
+      const jsonString = JSON.stringify(errorResponse);
+      return reply.status(500).type('application/json').send(jsonString);
     }
-  );
+  });
 }
diff --git a/services/backend/src/routes/mcp/user-configurations/list.ts b/services/backend/src/routes/mcp/user-configurations/list.ts
@@ -20,13 +20,13 @@ export default async function listUserConfigsRoute(server: FastifyInstance) {
   }>('/teams/:teamId/mcp/installations/:installationId/user-configs', {
     preValidation: [
       requireAuthenticationAny(),
-      requireOAuthScope('mcp:read'),
+      requireOAuthScope('mcp:user-configs:read'),
       requireTeamPermission('mcp.installations.view')
     ],
     schema: {
       tags: ['MCP User Configurations'],
       summary: 'List user configurations for MCP installation',
-      description: 'Retrieves all user-specific configurations for an MCP server installation belonging to the authenticated user. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:read scope for OAuth2 access.',
+      description: 'Retrieves all user-specific configurations for an MCP server installation belonging to the authenticated user. No Content-Type header required for this GET request. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:user-configs:read scope for OAuth2 access.',
       security: DUAL_AUTH_SECURITY,
       
       // Fastify validation schema
diff --git a/services/backend/src/services/oauth/authorizationService.ts b/services/backend/src/services/oauth/authorizationService.ts
@@ -64,6 +64,7 @@ export class AuthorizationService {
     const allowedScopes = [
       'mcp:read',
       'mcp:categories:read',
+      'mcp:user-configs:read',
       'account:read',
       'user:read',
       'teams:read',
