fix: pass OAuth scopes to DCR and extract granted_scopes from token response (#7571)

Signed-off-by: Peter Siska <63866+peschee@users.noreply.github.com>
Co-authored-by: Jack Amadeo <jackamadeo@squareup.com>
This commit is contained in:
Peter Siska
2026-03-09 16:38:46 +01:00
committed by GitHub
parent 7030645957
commit f740bb7447
6 changed files with 24 additions and 7 deletions
Generated
+4
View File
@@ -4312,6 +4312,7 @@ dependencies = [
"minijinja",
"mockall",
"nanoid",
"oauth2",
"once_cell",
"opentelemetry",
"opentelemetry-appender-tracing",
@@ -4968,6 +4969,7 @@ dependencies = [
"tokio",
"tokio-rustls 0.26.4",
"tower-service",
"webpki-roots 1.0.6",
]
[[package]]
@@ -6385,6 +6387,7 @@ dependencies = [
"getrandom 0.2.17",
"http 1.4.0",
"rand 0.8.5",
"reqwest 0.12.28",
"serde",
"serde_json",
"serde_path_to_error",
@@ -8089,6 +8092,7 @@ dependencies = [
"wasm-bindgen-futures",
"wasm-streams 0.4.2",
"web-sys",
"webpki-roots 1.0.6",
]
[[package]]
+1
View File
@@ -24,6 +24,7 @@ rmcp = { workspace = true, features = [
"transport-streamable-http-client",
"transport-streamable-http-client-reqwest",
] }
oauth2 = "5.0"
anyhow = { workspace = true }
thiserror = { workspace = true }
futures = { workspace = true }
@@ -516,7 +516,9 @@ mod tests {
let path1 = save_full_output("first", "test_reuse", dir.path()).unwrap();
let path2 = save_full_output("second", "test_reuse", dir.path()).unwrap();
assert_eq!(path1, path2);
assert_eq!(std::fs::read_to_string(&path2).unwrap(), "second");
// Note: we intentionally don't assert file content here because
// parallel tests (render_output_truncates_*) share the same static
// temp file and can overwrite the content between our write and read.
}
#[test]
+14 -2
View File
@@ -5,6 +5,7 @@ use axum::response::Html;
use axum::routing::get;
use axum::Router;
use minijinja::render;
use oauth2::TokenResponse;
use rmcp::transport::auth::{CredentialStore, OAuthState, StoredCredentials};
use rmcp::transport::AuthorizationManager;
use serde::Deserialize;
@@ -101,12 +102,23 @@ pub async fn oauth_flow(
.into_authorization_manager()
.ok_or_else(|| anyhow::anyhow!("Failed to get authorization manager"))?;
let granted_scopes: Vec<String> = token_response
.as_ref()
.and_then(|tr| tr.scopes())
.map(|scopes| scopes.iter().map(|s| s.to_string()).collect())
.unwrap_or_default();
credential_store
.save(StoredCredentials {
client_id,
token_response,
granted_scopes: vec![],
token_received_at: None,
granted_scopes,
token_received_at: Some(
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.map(|duration| duration.as_secs())
.unwrap_or(0),
),
})
.await?;
+2 -3
View File
@@ -66,7 +66,7 @@ describe('session reuse scoping (fix for #7601)', () => {
const allSessions = [emptySessionA, emptySessionB, usedSession];
it('window A only reuses its own active empty session, not window B\'s', () => {
it("window A only reuses its own active empty session, not window B's", () => {
// Window A has emptySessionA active, Window B has emptySessionB active.
// Under the old logic, both would grab emptySessionA (the first in the list).
const windowAResult = findReusableSession(allSessions, 'empty-a');
@@ -95,8 +95,7 @@ describe('session reuse scoping (fix for #7601)', () => {
it('demonstrates the old bug: global find would give same session to both windows', () => {
// Old logic (before fix) - both windows get the same session.
const oldLogicFind = (sessions: Session[]) =>
sessions.find((s) => shouldShowNewChatTitle(s));
const oldLogicFind = (sessions: Session[]) => sessions.find((s) => shouldShowNewChatTitle(s));
const windowAOld = oldLogicFind(allSessions);
const windowBOld = oldLogicFind(allSessions);
-1
View File
@@ -7,7 +7,6 @@ import { Buffer } from 'node:buffer';
import { status } from './api';
import { Client, createClient, createConfig } from './api/client';
export interface Logger {
info: (...args: unknown[]) => void;
error: (...args: unknown[]) => void;