fix(web): stop advertising MCP OAuth without entitlement

brianphillips · brianphillips · commit 10020a0a6ae7 · 2026-03-06T10:58:27.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- Avoid advertising OAuth support on MCP endpoints if that entitlment is not actually configured.
+
 ## [4.15.1] - 2026-03-06
 
 ### Fixed
diff --git a/packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts b/packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts
@@ -1,11 +1,16 @@
 import { apiHandler } from '@/lib/apiHandler';
-import { env } from '@sourcebot/shared';
+import { env, hasEntitlement } from '@sourcebot/shared';
 
 // RFC 8414: OAuth 2.0 Authorization Server Metadata
-// @note: we do not gate on entitlements here. That is handled in the /register,
-// /token, and /revoke routes.
 // @see: https://datatracker.ietf.org/doc/html/rfc8414
 export const GET = apiHandler(async () => {
+    if (!hasEntitlement('oauth')) {
+        return Response.json(
+            { error: 'not_found', error_description: 'OAuth authorization server metadata is not available on this plan.' },
+            { status: 404 }
+        );
+    }
+
     const issuer = env.AUTH_URL.replace(/\/$/, '');
 
     return Response.json({
diff --git a/packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts b/packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts
@@ -1,17 +1,22 @@
 import { apiHandler } from '@/lib/apiHandler';
-import { env } from '@sourcebot/shared';
+import { env, hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
 
 // RFC 9728: OAuth 2.0 Protected Resource Metadata (path-specific form)
 // For a resource at /api/mcp, the well-known URI is /.well-known/oauth-protected-resource/api/mcp.
-// @note: we do not gate on entitlements here. That is handled in the /register,
-// /token, and /revoke routes.
 // @see: https://datatracker.ietf.org/doc/html/rfc9728#section-3
 const PROTECTED_RESOURCES = new Set([
     'api/mcp'
 ]);
 
 export const GET = apiHandler(async (_request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) => {
+    if (!hasEntitlement('oauth')) {
+        return Response.json(
+            { error: 'not_found', error_description: 'OAuth protected resource metadata is not available on this plan.' },
+            { status: 404 }
+        );
+    }
+
     const { path } = await params;
     const resourcePath = path.join('/');
 
diff --git a/packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/route.ts b/packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/route.ts
@@ -1,10 +1,17 @@
 import { apiHandler } from '@/lib/apiHandler';
-import { env } from '@sourcebot/shared';
+import { env, hasEntitlement } from '@sourcebot/shared';
 
 // RFC 9728: OAuth 2.0 Protected Resource Metadata
 // Tells OAuth clients which authorization server protects this resource.
 // @see: https://datatracker.ietf.org/doc/html/rfc9728
 export const GET = apiHandler(async () => {
+    if (!hasEntitlement('oauth')) {
+        return Response.json(
+            { error: 'not_found', error_description: 'OAuth protected resource metadata is not available on this plan.' },
+            { status: 404 }
+        );
+    }
+
     const issuer = env.AUTH_URL.replace(/\/$/, '');
 
     return Response.json({
diff --git a/packages/web/src/app/api/(server)/mcp/route.ts b/packages/web/src/app/api/(server)/mcp/route.ts
@@ -9,7 +9,7 @@ import { StatusCodes } from 'http-status-codes';
 import { NextRequest } from 'next/server';
 import { sew } from '@/actions';
 import { apiHandler } from '@/lib/apiHandler';
-import { env } from '@sourcebot/shared';
+import { env, hasEntitlement } from '@sourcebot/shared';
 
 // On 401, tell MCP clients where to find the OAuth protected resource metadata (RFC 9728)
 // so they can discover the authorization server and initiate the authorization code flow.
@@ -18,7 +18,7 @@ import { env } from '@sourcebot/shared';
 // @see: https://datatracker.ietf.org/doc/html/rfc9728
 function mcpErrorResponse(error: ServiceError): Response {
     const response = serviceErrorResponse(error);
-    if (error.statusCode === StatusCodes.UNAUTHORIZED) {
+    if (error.statusCode === StatusCodes.UNAUTHORIZED && hasEntitlement('oauth')) {
         const issuer = env.AUTH_URL.replace(/\/$/, '');
         response.headers.set(
             'WWW-Authenticate',
