fix: address PR review issues for Login Flow v2
- Fix circular dependency in scope_authorization: auth tools requiring only identity scopes (openid/profile/email) now bypass the login flow provisioning check, so unprovisioned users can call provisioning tools - Fix no-op detection in nc_auth_update_scopes: NULL scopes (legacy "all") now correctly map to ALL_SUPPORTED_SCOPES instead of empty set - Fix get_app_password_with_scopes swallowing exceptions: re-raise instead of returning None, matching sibling methods - Add missing audit logging to update_app_password_scopes, delete_login_flow_session, and delete_expired_login_flow_sessions - Pin setup-uv to v7.3.1 in CI unit-test job (was v7.3.0) - Add FastMCP type annotation to register_auth_tools parameter - Log warning when user accepts elicitation without checking acknowledged box Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -14,6 +14,13 @@ from nextcloud_mcp_server.config import get_settings
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
# Scopes that only assert identity (OIDC standard claims).
|
||||
# Tools requiring *only* these scopes (e.g. auth provisioning tools) must
|
||||
# bypass the Login Flow v2 "is the user provisioned?" check — otherwise the
|
||||
# very tools that *create* app passwords would be blocked for unprovisioned
|
||||
# users, creating a circular dependency.
|
||||
IDENTITY_ONLY_SCOPES: frozenset[str] = frozenset({"openid", "profile", "email"})
|
||||
|
||||
|
||||
class ScopeAuthorizationError(Exception):
|
||||
"""Raised when a request lacks required scopes."""
|
||||
@@ -141,7 +148,9 @@ def require_scopes(*required_scopes: str):
|
||||
# In Login Flow v2 multi-user mode, OAuth tokens provide MCP session
|
||||
# identity only. Nextcloud API access uses stored app passwords.
|
||||
# Check if the user has a stored app password with appropriate scopes.
|
||||
if get_settings().enable_login_flow:
|
||||
if get_settings().enable_login_flow and not set(required_scopes).issubset(
|
||||
IDENTITY_ONLY_SCOPES
|
||||
):
|
||||
from nextcloud_mcp_server.server.oauth_tools import ( # noqa: PLC0415
|
||||
extract_user_id_from_token,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user