simstudioai · waleedlatif1 · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/apps/sim/app/api/mcp/oauth/callback/route.ts b/apps/sim/app/api/mcp/oauth/callback/route.ts
@@ -0,0 +1,118 @@
+import { auth as mcpAuth } from '@modelcontextprotocol/sdk/client/auth.js'
+import { db } from '@sim/db'
+import { mcpServers } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { and, eq, isNull } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import {
+  clearState,
+  clearVerifier,
+  loadOauthRowByState,
+  loadPreregisteredClient,
+  SimMcpOauthProvider,
+} from '@/lib/mcp/oauth'
+import { mcpService } from '@/lib/mcp/service'
+
+const logger = createLogger('McpOauthCallbackAPI')
+
+export const dynamic = 'force-dynamic'
+
+function escapeHtml(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+}
+
+function htmlClose(message: string, ok: boolean, serverId?: string): NextResponse {
+  const safeMessage = escapeHtml(message)
+  const title = ok ? 'Connected' : 'Connection failed'
+  const serverIdLiteral = serverId ? JSON.stringify(serverId) : 'undefined'
+  const body = `<!doctype html><html><head><meta charset="utf-8"><title>${title}</title></head><body style="font-family: system-ui; padding: 24px"><p>${safeMessage}</p><script>
+    try { window.opener && window.opener.postMessage({ type: 'mcp-oauth', ok: ${ok ? 'true' : 'false'}, serverId: ${serverIdLiteral} }, window.location.origin) } catch (e) {}
+    setTimeout(function () { window.close() }, 800)
+  </script></body></html>`
+  return new NextResponse(body, {
+    headers: { 'Content-Type': 'text/html; charset=utf-8' },
+  })
+}
+
+export const GET = withRouteHandler(async (request: NextRequest) => {
+  const url = new URL(request.url)
+  const state = url.searchParams.get('state')
+  const code = url.searchParams.get('code')
+  const errorParam = url.searchParams.get('error')
+
+  if (errorParam) {
+    logger.warn(`MCP OAuth callback received error: ${errorParam}`)
+    return htmlClose(`Authorization failed: ${errorParam}`, false)
+  }
+  if (!state || !code) {
+    return htmlClose('Missing state or code in callback URL.', false)
+  }
+
+  let serverId: string | undefined
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return htmlClose('You must be signed in to complete authorization.', false)
+    }
+
+    const row = await loadOauthRowByState(state)
+    if (!row) {
+      return htmlClose('Invalid or expired authorization state.', false)
+    }
+    serverId = row.mcpServerId
+
+    if (session.user.id !== row.userId) {
+      return htmlClose(
+        'You must be signed in as the same user that initiated the flow.',
+        false,
+        serverId
+      )
+    }
+
+    const [server] = await db
+      .select({ id: mcpServers.id, url: mcpServers.url, workspaceId: mcpServers.workspaceId })
+      .from(mcpServers)
+      .where(and(eq(mcpServers.id, row.mcpServerId), isNull(mcpServers.deletedAt)))
+      .limit(1)
+    if (!server || !server.url) {
+      return htmlClose('Server no longer exists.', false, serverId)
+    }
+
+    // Burn state before token exchange so a replayed callback cannot reuse it.
+    await clearState(row.id)
+
+    const preregistered = await loadPreregisteredClient(server.id)
+    const provider = new SimMcpOauthProvider({ row, preregistered })
+    const result = await mcpAuth(provider, {
+      serverUrl: server.url,
+      authorizationCode: code,
+    })
+
+    await clearVerifier(row.id)
+
+    if (result !== 'AUTHORIZED') {
+      return htmlClose('Authorization did not complete.', false, server.id)
+    }
+
+    try {
+      await mcpService.clearCache(server.workspaceId)
+      await mcpService.discoverServerTools(row.userId, server.id, server.workspaceId)
+    } catch (e) {
+      logger.warn('Post-auth tools refresh failed', toError(e).message)
+    }
+
+    return htmlClose('Connected. You can close this window.', true, server.id)
+  } catch (error) {
+    logger.error('MCP OAuth callback failed', error)
+    return htmlClose('Authorization failed. Please try again.', false, serverId)
+  }
+})
diff --git a/apps/sim/app/api/mcp/oauth/start/route.ts b/apps/sim/app/api/mcp/oauth/start/route.ts
@@ -0,0 +1,95 @@
+import { auth as mcpAuth } from '@modelcontextprotocol/sdk/client/auth.js'
+import { db } from '@sim/db'
+import { mcpServers } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { and, eq, isNull } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { startMcpOauthQuerySchema } from '@/lib/api/contracts/mcp'
+import { validationErrorResponse } from '@/lib/api/server'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { withMcpAuth } from '@/lib/mcp/middleware'
+import {
+  getOrCreateOauthRow,
+  loadPreregisteredClient,
+  McpOauthRedirectRequired,
+  SimMcpOauthProvider,
+} from '@/lib/mcp/oauth'
+import { createMcpErrorResponse } from '@/lib/mcp/utils'
+
+const logger = createLogger('McpOauthStartAPI')
+
+export const dynamic = 'force-dynamic'
+
+export const GET = withRouteHandler(
+  withMcpAuth('write')(async (request: NextRequest, { userId, workspaceId, requestId }) => {
+    try {
+      const queryResult = startMcpOauthQuerySchema.safeParse(
+        Object.fromEntries(new URL(request.url).searchParams)
+      )
+      if (!queryResult.success) {
+        return validationErrorResponse(queryResult.error)
+      }
+      const { serverId } = queryResult.data
+
+      const [server] = await db
+        .select()
+        .from(mcpServers)
+        .where(
+          and(
+            eq(mcpServers.id, serverId),
+            eq(mcpServers.workspaceId, workspaceId),
+            isNull(mcpServers.deletedAt)
+          )
+        )
+        .limit(1)
+
+      if (!server) {
+        return createMcpErrorResponse(new Error('Server not found'), 'Server not found', 404)
+      }
+      if (server.authType !== 'oauth') {
+        return createMcpErrorResponse(
+          new Error(`Server authType is "${server.authType}", not oauth`),
+          'Server is not configured for OAuth',
+          400
+        )
+      }
+      if (!server.url) {
+        return createMcpErrorResponse(new Error('Server has no URL'), 'Missing server URL', 400)
+      }
+
+      const row = await getOrCreateOauthRow({
+        mcpServerId: server.id,
+        userId,
+        workspaceId,
+      })
+      const preregistered = await loadPreregisteredClient(server.id)
+      const provider = new SimMcpOauthProvider({ row, preregistered })
+
+      try {
+        const result = await mcpAuth(provider, { serverUrl: server.url })
+        if (result === 'AUTHORIZED') {
+          return NextResponse.json({ status: 'already_authorized' })
+        }
+        return createMcpErrorResponse(
+          new Error('Provider did not capture redirect URL'),
+          'Failed to start OAuth flow',
+          500
+        )
+      } catch (e) {
+        if (e instanceof McpOauthRedirectRequired) {
+          logger.info(`[${requestId}] OAuth redirect for server ${serverId}`)
+          return NextResponse.json({
+            status: 'redirect',
+            authorizationUrl: e.authorizationUrl,
+          })
+        }
+        throw e
+      }
+    } catch (error) {
+      logger.error(`[${requestId}] Error starting MCP OAuth flow:`, error)
+      return createMcpErrorResponse(toError(error), 'Failed to start OAuth flow', 500)
+    }
+  })
+)
diff --git a/apps/sim/app/api/mcp/servers/[id]/route.ts b/apps/sim/app/api/mcp/servers/[id]/route.ts
@@ -1,11 +1,12 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { db } from '@sim/db'
-import { mcpServers } from '@sim/db/schema'
+import { mcpServerOauth, mcpServers } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { updateMcpServerBodySchema } from '@/lib/api/contracts/mcp'
+import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import {
   McpDnsResolutionError,
@@ -52,8 +53,16 @@ export const PATCH = withRouteHandler(
           }
         )
 
-        // Remove workspaceId from body to prevent it from being updated
-        const { workspaceId: _, ...updateData } = body
+        const { workspaceId: _, oauthClientSecret, ...updateData } = body
+        const finalUpdateData: Record<string, unknown> = { ...updateData }
+        if (oauthClientSecret !== undefined) {
+          finalUpdateData.oauthClientSecret = oauthClientSecret
+            ? (await encryptSecret(oauthClientSecret)).encrypted
+            : null
+        }
+        if (updateData.oauthClientId !== undefined) {
+          finalUpdateData.oauthClientId = updateData.oauthClientId || null
+        }
 
         if (updateData.url) {
           try {
@@ -78,9 +87,13 @@ export const PATCH = withRouteHandler(
           }
         }
 
-        // Get the current server to check if URL is changing
         const [currentServer] = await db
-          .select({ url: mcpServers.url })
+          .select({
+            url: mcpServers.url,
+            authType: mcpServers.authType,
+            oauthClientId: mcpServers.oauthClientId,
+            oauthClientSecret: mcpServers.oauthClientSecret,
+          })
           .from(mcpServers)
           .where(
             and(
@@ -91,20 +104,60 @@ export const PATCH = withRouteHandler(
           )
           .limit(1)
 
-        const [updatedServer] = await db
-          .update(mcpServers)
-          .set({
-            ...updateData,
-            updatedAt: new Date(),
-          })
-          .where(
-            and(
-              eq(mcpServers.id, serverId),
-              eq(mcpServers.workspaceId, workspaceId),
-              isNull(mcpServers.deletedAt)
+        // Adding OAuth client credentials to a non-OAuth server promotes it
+        // to OAuth so the connect-with-OAuth UI becomes reachable.
+        if (
+          body.oauthClientId &&
+          currentServer &&
+          currentServer.authType !== 'oauth' &&
+          finalUpdateData.authType === undefined
+        ) {
+          finalUpdateData.authType = 'oauth'
+        }
+
+        const urlChanged = body.url !== undefined && currentServer?.url !== body.url
+        const clientIdChanged =
+          body.oauthClientId !== undefined &&
+          (body.oauthClientId || null) !== (currentServer?.oauthClientId ?? null)
+        let clientSecretChanged = false
+        if (oauthClientSecret !== undefined) {
+          if (!oauthClientSecret) {
+            clientSecretChanged = currentServer?.oauthClientSecret != null
+          } else if (!currentServer?.oauthClientSecret) {
+            clientSecretChanged = true
+          } else {
+            const currentPlaintext = (await decryptSecret(currentServer.oauthClientSecret))
+              .decrypted
+            clientSecretChanged = currentPlaintext !== oauthClientSecret
+          }
+        }
+        const oauthCredsChanged = clientIdChanged || clientSecretChanged
+        const shouldClearOauth = urlChanged || oauthCredsChanged
+
+        const updatedServer = await db.transaction(async (tx) => {
+          const [updated] = await tx
+            .update(mcpServers)
+            .set({
+              ...finalUpdateData,
+              updatedAt: new Date(),
+            })
+            .where(
+              and(
+                eq(mcpServers.id, serverId),
+                eq(mcpServers.workspaceId, workspaceId),
+                isNull(mcpServers.deletedAt)
+              )
             )
-          )
-          .returning()
+            .returning()
+
+          if (!updated) return null
+
+          if (shouldClearOauth) {
+            await tx.delete(mcpServerOauth).where(eq(mcpServerOauth.mcpServerId, serverId))
+          }
+
+          return updated
+        })
 
         if (!updatedServer) {
           return createMcpErrorResponse(
@@ -114,8 +167,15 @@ export const PATCH = withRouteHandler(
           )
         }
 
+        if (shouldClearOauth) {
+          logger.info(
+            `[${requestId}] Cleared OAuth credentials for server ${serverId} due to ${urlChanged ? 'URL' : 'OAuth credential'} change`
+          )
+        }
+
         const shouldClearCache =
-          (body.url !== undefined && currentServer?.url !== body.url) ||
+          urlChanged ||
+          oauthCredsChanged ||
           body.enabled !== undefined ||
           body.headers !== undefined ||
           body.timeout !== undefined ||
@@ -149,7 +209,8 @@ export const PATCH = withRouteHandler(
           request,
         })
 
-        return createMcpSuccessResponse({ server: updatedServer })
+        const { oauthClientSecret: _secret, ...safeServer } = updatedServer
+        return createMcpSuccessResponse({ server: safeServer })
       } catch (error) {
         logger.error(`[${requestId}] Error updating MCP server:`, error)
         return createMcpErrorResponse(toError(error), 'Failed to update MCP server', 500)