Add MCP authorization and settings

[appflowy]

Description

Adds MCP authorization and workspace MCP settings support to AppFlowy Web. This includes a new /mcp/authorize flow, MCP API/domain wiring, runtime MCP environment configuration, proactive token refresh handling, and sign-in test coverage for external login redirects.

---

Checklist

General

• I've included relevant documentation or comments for the changes introduced.
• I've tested the changes in multiple environments (e.g., different browsers, operating systems).

Testing

• I've added or updated tests to validate the changes introduced for AppFlowy Web.

Feature-Specific

• For feature additions, I've added a preview (video, screenshot, or demo) in the Feature Preview section.
• I've verified that this feature integrates seamlessly with existing functionality.

Summary by Sourcery

Add MCP OAuth authorization flow, workspace-level MCP administration UI, and runtime configuration wiring for MCP endpoints, along with safer redirect handling for OAuth login flows.

New Features:

• Introduce an MCP OAuth consent page that lets authenticated users authorize or deny MCP clients per workspace and handles owner-only client approval flows.
• Add workspace MCP settings modal allowing owners to manage approval policy, approved clients, and active MCP connections from the workspace menu.

Bug Fixes:

• Preserve nested OAuth query encoding when resolving stored redirect URLs to avoid corrupting encoded parameters during login redirects.

Enhancements:

• Extend workspace fetching to include user role information to drive owner-only MCP controls in the UI.
• Improve post-auth and login redirect logic by centralizing redirect URL resolution and reuse across flows.

Build:

• Add APPFLOWY_MCP_BASE_URL to Docker entrypoints and injected runtime config so MCP API requests can be directed to a configurable base URL.

CI:

• Update web CI workflow to set and verify APPFLOWY_MCP_BASE_URL in the built HTML config for test environments.

Deployment:

• Serve the new MCP OAuth authorize path through the deployment router as a marketing/static route.

Tests:

• Add unit tests covering redirect URL resolution for nested OAuth queries and MCP authorize redirect behavior.

[sourcery-ai]

Reviewer's Guide

Implements end-to-end MCP OAuth authorization and workspace-level MCP administration for AppFlowy Web, including a dedicated /oauth/mcp/authorize consent page, workspace MCP settings UI, HTTP/domain services, runtime configuration, and safe redirect handling for nested OAuth query parameters.

Sequence diagram for MCP OAuth consent and authorization code issuance

sequenceDiagram
  actor User
  participant BrowserApp as AppFlowyWeb
  participant MCPAuthorizePage
  participant McpService
  participant Token as getTokenParsed
  participant GoTrue as refreshToken
  participant McpServer as MCP_API

  User->>BrowserApp: Click "Allow access"
  BrowserApp->>MCPAuthorizePage: onAllow()
  MCPAuthorizePage->>McpService: createAuthorizationCode(req)
  activate McpService
  McpService->>Token: getTokenParsed()
  Token-->>McpService: token
  alt token expired
    McpService->>GoTrue: refreshToken(refresh_token)
    GoTrue-->>McpService: new session
    McpService->>Token: getTokenParsed()
    Token-->>McpService: refreshed token
  end
  McpService->>McpServer: POST /api/mcp/authorize/code
  McpServer-->>McpService: { redirect_url }
  deactivate McpService
  McpService-->>MCPAuthorizePage: redirect_url
  MCPAuthorizePage->>BrowserApp: window.location.href = redirect_url

Loading

File-Level Changes

Change	Details	Files
Add MCP OAuth authorization consent flow and routing, including safe handling of redirect_uri and nested OAuth query parameters.	Introduce MCPAuthorizePage at /oauth/mcp/authorize to drive the OAuth consent flow, including parameter validation, workspace selection, and allow/deny handling. Implement safeHttpUrl and redirect_uri validation to prevent non-http(s) schemes and unsafe client metadata links on the consent page. Wire the new route into the main app router and ensure the /oauth/mcp/ path is treated as a marketing/static route during deployment. Add resolveStoredRedirectUrl helper and update login/afterAuth flows to preserve nested percent-encoded OAuth query parameters while still validating redirect targets. Extend tests to cover the new resolveStoredRedirectUrl behavior and MCP OAuth redirect preservation.	src/pages/MCPAuthorizePage.tsx src/components/main/App.tsx deploy/routes.ts src/application/session/sign_in.ts src/application/session/__tests__/sign_in.test.ts src/pages/LoginPage.tsx
Introduce workspace-level MCP admin settings UI and wiring to backend MCP APIs.	Add lazy-loaded MCPSettings modal to Workspaces with owner-only entrypoint from the workspace menu. Implement MCPSettings UI to toggle blocking of unapproved clients, approve/revoke clients, and view/disconnect active MCP connections, including error handling and loading state management. Use i18n keys for MCP settings labels and ensure workspace ownership is respected when modifying MCP-related settings.	src/components/app/workspaces/Workspaces.tsx src/components/app/workspaces/MCPSettings.tsx
Add MCP HTTP API client and domain service wrapper including proactive token refresh for authorization-code creation.	Create mcp-api HTTP module that defines MCP-related types and functions for workspace settings, client approvals, connection management, client info lookup, and authorization-code creation, including McpOAuthError for typed error handling. Implement getMcpBaseUrl using APPFLOWY_MCP_BASE_URL with fallback to APPFLOWY_BASE_URL and helper mcpUrl/requireAxios utilities. Implement createMcpAuthorizationCode with proactive access-token refresh to keep the forwarded refresh_token/expires_at in sync with the access token, and with robust Axios error translation into McpOAuthError. Expose MCP HTTP functions and types via a new McpService domain module for use by UI components.	src/application/services/js-services/http/mcp-api.ts src/application/services/domains/mcp.ts src/application/services/domains/index.ts src/application/services/js-services/http/index.ts
Extend runtime configuration, Docker entrypoints, and CI to support MCP base URL and verify injection into the client config.	Add APPFLOWY_MCP_BASE_URL to runtime config typings and test mocks. Update Docker entrypoint scripts (SSR and client-only) to default APPFLOWY_MCP_BASE_URL to APPFLOWY_BASE_URL, inject it into window.APP_CONFIG, export it to the environment, and log it. Update web_ci GitHub Actions workflow to pass APPFLOWY_MCP_BASE_URL into the test container and assert it is correctly injected and structured in the rendered HTML config script.	src/utils/runtime-config.ts src/__mocks__/runtime-config.ts docker/entrypoint-ssr.sh docker/entrypoint.sh .github/workflows/web_ci.yaml
Enrich workspace API calls to include role data required for MCP settings authorization decisions.	Update getWorkspaces HTTP call to request include_role=true so the client can determine whether the current user is a workspace owner for MCP admin operations.	src/application/services/js-services/http/workspace-api.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In deploy/routes.ts, MARKETING_PATHS adds '/oauth/mcp/' while the React route is '/oauth/mcp/authorize'; if the router comparison is exact (as with the other entries), this path won’t match and the MCP authorize page may not be served correctly—consider aligning the string to the exact route or updating the matching logic to be prefix-based.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `deploy/routes.ts`, `MARKETING_PATHS` adds `'/oauth/mcp/'` while the React route is `'/oauth/mcp/authorize'`; if the router comparison is exact (as with the other entries), this path won’t match and the MCP authorize page may not be served correctly—consider aligning the string to the exact route or updating the matching logic to be prefix-based.

## Individual Comments

### Comment 1
<location path="src/pages/MCPAuthorizePage.tsx" line_range="42" />
<code_context>
+  scope?: string;
+}
+
+function readParams(search: URLSearchParams): OAuthParams | { error: string } {
+  const required = [
+    'client_id',
</code_context>
<issue_to_address>
**issue (complexity):** Consider extracting the pure helper functions and the state/effect logic into dedicated utility and hook modules so the page component remains a lean, declarative UI layer.

You can keep all functionality but reduce cognitive load by separating orchestration/state from rendering and by moving pure helpers out of the component file.

### 1. Move pure helpers into a small module

`readParams`, `safeHttpUrl`, `isOwner` don’t depend on React and can live in a small utility file. This shortens the main page file and makes it easier to test them in isolation.

```ts
// mcpAuthorize.utils.ts
import { Role, Workspace } from '@/application/types';

export interface OAuthParams {
  client_id: string;
  redirect_uri: string;
  response_type: string;
  code_challenge: string;
  code_challenge_method: string;
  state?: string;
  scope?: string;
}

export function readParams(search: URLSearchParams): OAuthParams | { error: string } {
  // ... existing implementation ...
}

export function safeHttpUrl(value: string | null | undefined): string | undefined {
  // ... existing implementation ...
}

export function isOwner(workspace: Workspace | undefined, userUid: string | undefined): boolean {
  // ... existing implementation ...
}
```

Then in the page:

```ts
import { readParams, safeHttpUrl, isOwner, type OAuthParams } from './mcpAuthorize.utils';
```

### 2. Extract a `useMcpAuthorize` hook for the state machine

You can encapsulate the effects and callbacks (`onAllow`, `onApproveAndAllow`, `onDeny`, workspace fetching, client info fetching) into a hook so `MCPAuthorizePage` becomes mostly UI wiring.

Example skeleton (keep logic the same, just move it):

```ts
// useMcpAuthorize.ts
import { useEffect, useMemo, useState } from 'react';
import { useSearchParams, useNavigate } from 'react-router-dom';
import { McpService } from '@/application/services/domains';
import { getWorkspaces } from '@/application/services/js-services/http/workspace-api';
import { useCurrentUserOptional, useIsAuthenticatedOptional } from '@/components/main/app.hooks';
import type { Workspace, Role } from '@/application/types';
import type { OAuthParams } from './mcpAuthorize.utils';
import { readParams, safeHttpUrl, isOwner } from './mcpAuthorize.utils';

export function useMcpAuthorize() {
  const [search] = useSearchParams();
  const navigate = useNavigate();
  const isAuthenticated = useIsAuthenticatedOptional();
  const currentUser = useCurrentUserOptional();

  const parsed = useMemo(() => readParams(search), [search]);
  const params = 'error' in parsed ? null : parsed;
  const paramError = 'error' in parsed ? parsed.error : null;

  const [workspaces, setWorkspaces] = useState<Workspace[] | null>(null);
  const [selectedWorkspace, setSelectedWorkspace] = useState('');
  const [submitting, setSubmitting] = useState(false);
  const [approvingClient, setApprovingClient] = useState(false);
  const [submitError, setSubmitError] = useState<string | null>(null);
  const [clientInfo, setClientInfo] = useState<McpClientInfo>({});
  const [approvalNeeded, setApprovalNeeded] = useState(false);

  // ... move existing useEffects and callbacks here ...
  // expose only what the component needs:

  const selectedWorkspaceInfo = workspaces?.find((w) => w.id === selectedWorkspace);
  const canApproveSelectedWorkspace = isOwner(selectedWorkspaceInfo, currentUser?.uid);
  const usePicker = (workspaces?.length ?? 0) > 1;

  return {
    params,
    paramError,
    isAuthenticated,
    workspaces,
    selectedWorkspace,
    submitting,
    approvingClient,
    submitError,
    clientInfo,
    approvalNeeded,
    canApproveSelectedWorkspace,
    usePicker,
    onAllow,
    onApproveAndAllow,
    onDeny,
    onSelectWorkspace,
  };
}
```

Then the page component becomes mostly declarative:

```tsx
// MCPAuthorizePage.tsx
import { useMcpAuthorize } from './useMcpAuthorize';

function MCPAuthorizePage() {
  const {
    params,
    paramError,
    isAuthenticated,
    workspaces,
    selectedWorkspace,
    submitting,
    approvingClient,
    submitError,
    clientInfo,
    approvalNeeded,
    canApproveSelectedWorkspace,
    usePicker,
    onAllow,
    onApproveAndAllow,
    onDeny,
    onSelectWorkspace,
  } = useMcpAuthorize();

  if (!params) {
    return <ErrorPanel title='Invalid request' message={paramError ?? 'Invalid authorization request.'} />;
  }

  if (!isAuthenticated) {
    return <Centered>Redirecting to sign in…</Centered>;
  }

  if (workspaces === null) {
    return <Centered>Loading…</Centered>;
  }

  if (workspaces.length === 0) {
    return (
      <ErrorPanel
        title='No workspace'
        message='Your account has no workspaces. Create one in AppFlowy first, then retry.'
      />
    );
  }

  // ... existing JSX, now with much less embedded logic ...
}
```

This keeps all behavior and API calls intact, but:

- Localizes side-effects and state transitions inside `useMcpAuthorize`.
- Makes `MCPAuthorizePage` read as a simple flow: guard clauses + JSX.
- Allows you to test the hook’s logic separately from the UI.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (complexity): Consider extracting the pure helper functions and the state/effect logic into dedicated utility and hook modules so the page component remains a lean, declarative UI layer.

You can keep all functionality but reduce cognitive load by separating orchestration/state from rendering and by moving pure helpers out of the component file.

1. Move pure helpers into a small module

readParams, safeHttpUrl, isOwner don’t depend on React and can live in a small utility file. This shortens the main page file and makes it easier to test them in isolation.

// mcpAuthorize.utils.ts
import { Role, Workspace } from '@/application/types';

export interface OAuthParams {
  client_id: string;
  redirect_uri: string;
  response_type: string;
  code_challenge: string;
  code_challenge_method: string;
  state?: string;
  scope?: string;
}

export function readParams(search: URLSearchParams): OAuthParams | { error: string } {
  // ... existing implementation ...
}

export function safeHttpUrl(value: string | null | undefined): string | undefined {
  // ... existing implementation ...
}

export function isOwner(workspace: Workspace | undefined, userUid: string | undefined): boolean {
  // ... existing implementation ...
}

Then in the page:

import { readParams, safeHttpUrl, isOwner, type OAuthParams } from './mcpAuthorize.utils';

2. Extract a useMcpAuthorize hook for the state machine

You can encapsulate the effects and callbacks (onAllow, onApproveAndAllow, onDeny, workspace fetching, client info fetching) into a hook so MCPAuthorizePage becomes mostly UI wiring.

Example skeleton (keep logic the same, just move it):

// useMcpAuthorize.ts
import { useEffect, useMemo, useState } from 'react';
import { useSearchParams, useNavigate } from 'react-router-dom';
import { McpService } from '@/application/services/domains';
import { getWorkspaces } from '@/application/services/js-services/http/workspace-api';
import { useCurrentUserOptional, useIsAuthenticatedOptional } from '@/components/main/app.hooks';
import type { Workspace, Role } from '@/application/types';
import type { OAuthParams } from './mcpAuthorize.utils';
import { readParams, safeHttpUrl, isOwner } from './mcpAuthorize.utils';

export function useMcpAuthorize() {
  const [search] = useSearchParams();
  const navigate = useNavigate();
  const isAuthenticated = useIsAuthenticatedOptional();
  const currentUser = useCurrentUserOptional();

  const parsed = useMemo(() => readParams(search), [search]);
  const params = 'error' in parsed ? null : parsed;
  const paramError = 'error' in parsed ? parsed.error : null;

  const [workspaces, setWorkspaces] = useState<Workspace[] | null>(null);
  const [selectedWorkspace, setSelectedWorkspace] = useState('');
  const [submitting, setSubmitting] = useState(false);
  const [approvingClient, setApprovingClient] = useState(false);
  const [submitError, setSubmitError] = useState<string | null>(null);
  const [clientInfo, setClientInfo] = useState<McpClientInfo>({});
  const [approvalNeeded, setApprovalNeeded] = useState(false);

  // ... move existing useEffects and callbacks here ...
  // expose only what the component needs:

  const selectedWorkspaceInfo = workspaces?.find((w) => w.id === selectedWorkspace);
  const canApproveSelectedWorkspace = isOwner(selectedWorkspaceInfo, currentUser?.uid);
  const usePicker = (workspaces?.length ?? 0) > 1;

  return {
    params,
    paramError,
    isAuthenticated,
    workspaces,
    selectedWorkspace,
    submitting,
    approvingClient,
    submitError,
    clientInfo,
    approvalNeeded,
    canApproveSelectedWorkspace,
    usePicker,
    onAllow,
    onApproveAndAllow,
    onDeny,
    onSelectWorkspace,
  };
}

Then the page component becomes mostly declarative:

// MCPAuthorizePage.tsx
import { useMcpAuthorize } from './useMcpAuthorize';

function MCPAuthorizePage() {
  const {
    params,
    paramError,
    isAuthenticated,
    workspaces,
    selectedWorkspace,
    submitting,
    approvingClient,
    submitError,
    clientInfo,
    approvalNeeded,
    canApproveSelectedWorkspace,
    usePicker,
    onAllow,
    onApproveAndAllow,
    onDeny,
    onSelectWorkspace,
  } = useMcpAuthorize();

  if (!params) {
    return <ErrorPanel title='Invalid request' message={paramError ?? 'Invalid authorization request.'} />;
  }

  if (!isAuthenticated) {
    return <Centered>Redirecting to sign in…</Centered>;
  }

  if (workspaces === null) {
    return <Centered>Loading…</Centered>;
  }

  if (workspaces.length === 0) {
    return (
      <ErrorPanel
        title='No workspace'
        message='Your account has no workspaces. Create one in AppFlowy first, then retry.'
      />
    );
  }

  // ... existing JSX, now with much less embedded logic ...
}

This keeps all behavior and API calls intact, but:

• Localizes side-effects and state transitions inside useMcpAuthorize.
• Makes MCPAuthorizePage read as a simple flow: guard clauses + JSX.
• Allows you to test the hook’s logic separately from the UI.