wip - move things into EE and also improve authorization page

Author: brendan-kellam

packages/db/prisma/migrations/20260304212808_add_oauth_client_logo_uri/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "OAuthClient" ADD COLUMN     "logoUri" TEXT;

packages/db/prisma/schema.prisma

@@ -497,6 +497,7 @@ model ChatAccess {
 model OAuthClient {
   id           String   @id @default(cuid())
   name         String
+  logoUri      String?
   redirectUris String[]
   createdAt    DateTime @default(now())
 

packages/shared/src/entitlements.ts

@@ -40,7 +40,8 @@ const entitlements = [
     "permission-syncing",
     "github-app",
     "chat-sharing",
-    "org-management"
+    "org-management",
+    "oauth",
 ] as const;
 export type Entitlement = (typeof entitlements)[number];
 
@@ -58,6 +59,7 @@ const entitlementsByPlan: Record<Plan, Entitlement[]> = {
         "github-app",
         "chat-sharing",
         "org-management",
+        "oauth",
     ],
     "self-hosted:enterprise-unlimited": [
         "anonymous-access",
@@ -70,6 +72,7 @@ const entitlementsByPlan: Record<Plan, Entitlement[]> = {
         "github-app",
         "chat-sharing",
         "org-management",
+        "oauth",
     ],
 } as const;
 

packages/web/next.config.mjs

@@ -24,15 +24,18 @@ const nextConfig = {
                 source: "/ingest/decide",
                 destination: `https://us.i.posthog.com/decide`,
             },
-            // Expose OAuth discovery documents at canonical RFC paths (without /api prefix)
+            // Expose OAuth discovery documents at canonical RFC paths (without /api/ee prefix)
             // so MCP clients and OAuth tools can find them via standard discovery.
+            //
+            // RFC 8414: /.well-known/oauth-authorization-server
             {
                 source: "/.well-known/oauth-authorization-server",
-                destination: "/api/.well-known/oauth-authorization-server",
+                destination: "/api/ee/.well-known/oauth-authorization-server",
             },
+            // RFC 9728: path-specific form /.well-known/oauth-protected-resource/{resource-path}
             {
-                source: "/.well-known/oauth-protected-resource",
-                destination: "/api/.well-known/oauth-protected-resource",
+                source: "/.well-known/oauth-protected-resource/:path*",
+                destination: "/api/ee/.well-known/oauth-protected-resource/:path*",
             },
         ];
     },

packages/web/src/app/api/(server)/.well-known/oauth-protected-resource/route.ts

@@ -2,19 +2,21 @@ import { apiHandler } from '@/lib/apiHandler';
 import { env } from '@sourcebot/shared';
 
 // RFC 8414: OAuth 2.0 Authorization Server Metadata
+// @note: we do not gate on entitlements here. That is handled in the /register,
+// /token, and /revoke routes.
 // @see: https://datatracker.ietf.org/doc/html/rfc8414
 export const GET = apiHandler(async () => {
     const issuer = env.AUTH_URL.replace(/\/$/, '');
 
     return Response.json({
         issuer,
         authorization_endpoint: `${issuer}/oauth/authorize`,
-        token_endpoint: `${issuer}/api/oauth/token`,
-        registration_endpoint: `${issuer}/api/oauth/register`,
-        revocation_endpoint: `${issuer}/api/oauth/revoke`,
+        token_endpoint: `${issuer}/api/ee/oauth/token`,
+        registration_endpoint: `${issuer}/api/ee/oauth/register`,
+        revocation_endpoint: `${issuer}/api/ee/oauth/revoke`,
         response_types_supported: ['code'],
         grant_types_supported: ['authorization_code'],
         code_challenge_methods_supported: ['S256'],
         token_endpoint_auth_methods_supported: ['none'],
     });
-}, { track: false });
+});

…nown/oauth-authorization-server/route.ts …nown/oauth-authorization-server/route.tspackages/web/src/app/api/(server)/.well-known/oauth-authorization-server/route.ts renamed to packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts packages/web/src/app/api/(server)/.well-known/oauth-authorization-server/route.ts renamed to packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts

@@ -0,0 +1,33 @@
+import { apiHandler } from '@/lib/apiHandler';
+import { env } from '@sourcebot/shared';
+import { NextRequest } from 'next/server';
+
+// RFC 9728: OAuth 2.0 Protected Resource Metadata (path-specific form)
+// For a resource at /api/mcp, the well-known URI is /.well-known/oauth-protected-resource/api/mcp.
+// @note: we do not gate on entitlements here. That is handled in the /register,
+// /token, and /revoke routes.
+// @see: https://datatracker.ietf.org/doc/html/rfc9728#section-3
+const PROTECTED_RESOURCES = new Set([
+    'api/mcp'
+]);
+
+export const GET = apiHandler(async (_request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) => {
+    const { path } = await params;
+    const resourcePath = path.join('/');
+
+    if (!PROTECTED_RESOURCES.has(resourcePath)) {
+        return Response.json(
+            { error: 'not_found', error_description: `No protected resource metadata found for path: ${resourcePath}` },
+            { status: 404 }
+        );
+    }
+
+    const issuer = env.AUTH_URL.replace(/\/$/, '');
+
+    return Response.json({
+        resource: `${issuer}/${resourcePath}`,
+        authorization_servers: [
+            issuer
+        ],
+    });
+});

packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts

@@ -1,6 +1,7 @@
 import { apiHandler } from '@/lib/apiHandler';
 import { requestBodySchemaValidationError, serviceErrorResponse } from '@/lib/serviceError';
 import { prisma } from '@/prisma';
+import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
 import { z } from 'zod';
 
@@ -9,17 +10,25 @@ import { z } from 'zod';
 const registerRequestSchema = z.object({
     client_name: z.string().min(1),
     redirect_uris: z.array(z.string().url()).min(1),
+    logo_uri: z.string().nullish(),
 });
 
 export const POST = apiHandler(async (request: NextRequest) => {
+    if (!hasEntitlement('oauth')) {
+        return Response.json(
+            { error: 'access_denied', error_description: 'OAuth is not available on this plan.' },
+            { status: 403 }
+        );
+    }
+
     const body = await request.json();
     const parsed = registerRequestSchema.safeParse(body);
 
     if (!parsed.success) {
         return serviceErrorResponse(requestBodySchemaValidationError(parsed.error));
     }
 
-    const { client_name, redirect_uris } = parsed.data;
+    const { client_name, redirect_uris, logo_uri } = parsed.data;
 
     // Reject wildcard redirect URIs per security best practices
     if (redirect_uris.some((uri) => uri.includes('*'))) {
@@ -32,6 +41,7 @@ export const POST = apiHandler(async (request: NextRequest) => {
     const client = await prisma.oAuthClient.create({
         data: {
             name: client_name,
+            logoUri: logo_uri ?? null,
             redirectUris: redirect_uris,
         },
     });
@@ -40,6 +50,7 @@ export const POST = apiHandler(async (request: NextRequest) => {
         {
             client_id: client.id,
             client_name: client.name,
+            ...(client.logoUri && { logo_uri: client.logoUri }),
             redirect_uris: client.redirectUris,
         },
         { status: 201 }

…app/api/(server)/oauth/register/route.ts …/api/(server)/ee/oauth/register/route.tspackages/web/src/app/api/(server)/oauth/register/route.ts renamed to packages/web/src/app/api/(server)/ee/oauth/register/route.ts packages/web/src/app/api/(server)/oauth/register/route.ts renamed to packages/web/src/app/api/(server)/ee/oauth/register/route.ts

@@ -1,11 +1,19 @@
 import { revokeToken } from '@/features/oauth/server';
 import { apiHandler } from '@/lib/apiHandler';
+import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
 
 // RFC 7009: OAuth 2.0 Token Revocation
 // Always returns 200 regardless of whether the token existed.
 // @see: https://datatracker.ietf.org/doc/html/rfc7009
 export const POST = apiHandler(async (request: NextRequest) => {
+    if (!hasEntitlement('oauth')) {
+        return Response.json(
+            { error: 'access_denied', error_description: 'OAuth is not available on this plan.' },
+            { status: 403 }
+        );
+    }
+
     const formData = await request.formData();
     const token = formData.get('token');
 

…c/app/api/(server)/oauth/revoke/route.ts …pp/api/(server)/ee/oauth/revoke/route.tspackages/web/src/app/api/(server)/oauth/revoke/route.ts renamed to packages/web/src/app/api/(server)/ee/oauth/revoke/route.ts packages/web/src/app/api/(server)/oauth/revoke/route.ts renamed to packages/web/src/app/api/(server)/ee/oauth/revoke/route.ts

@@ -1,11 +1,19 @@
 import { verifyAndExchangeCode, ACCESS_TOKEN_TTL_SECONDS } from '@/features/oauth/server';
 import { apiHandler } from '@/lib/apiHandler';
+import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
 
 // OAuth 2.0 Token Endpoint
 // Supports grant_type=authorization_code with PKCE (RFC 7636).
 // @see: https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
 export const POST = apiHandler(async (request: NextRequest) => {
+    if (!hasEntitlement('oauth')) {
+        return Response.json(
+            { error: 'access_denied', error_description: 'OAuth is not available on this plan.' },
+            { status: 403 }
+        );
+    }
+
     const formData = await request.formData();
 
     const grantType = formData.get('grant_type');