feat(astrolabe): add Nextcloud PHP app for MCP server management

Adds a native Nextcloud app "Astroglobe" that provides:
- Personal settings: OAuth authorization for background MCP access
- Admin settings: Server status and vector sync monitoring
- API endpoints for MCP server communication

The app uses PKCE OAuth flow to obtain tokens for the MCP server,
enabling features like background vector sync per ADR-018.

Includes:
- PHP app structure (controllers, services, settings)
- Vue.js frontend components
- Docker compose mount configuration
- Installation hook for development testing
- ADR-018 documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Chris Coutinho
2025-12-14 20:11:21 +01:00
parent a58a14111b
commit 21817543ad
72 changed files with 27253 additions and 0 deletions
+25
View File
@@ -0,0 +1,25 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\AppInfo;
use OCP\AppFramework\App;
use OCP\AppFramework\Bootstrap\IBootContext;
use OCP\AppFramework\Bootstrap\IBootstrap;
use OCP\AppFramework\Bootstrap\IRegistrationContext;
class Application extends App implements IBootstrap {
public const APP_ID = 'astroglobe';
/** @psalm-suppress PossiblyUnusedMethod */
public function __construct() {
parent::__construct(self::APP_ID);
}
public function register(IRegistrationContext $context): void {
}
public function boot(IBootContext $context): void {
}
}
+210
View File
@@ -0,0 +1,210 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Controller;
use OCA\Astroglobe\Service\McpServerClient;
use OCA\Astroglobe\Service\McpTokenStorage;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\IRequest;
use OCP\IURLGenerator;
use OCP\IUserSession;
use Psr\Log\LoggerInterface;
/**
* API controller for MCP Server UI.
*
* Handles form submissions and AJAX requests from settings panels.
*/
class ApiController extends Controller {
private $client;
private $userSession;
private $urlGenerator;
private $logger;
private $tokenStorage;
public function __construct(
string $appName,
IRequest $request,
McpServerClient $client,
IUserSession $userSession,
IURLGenerator $urlGenerator,
LoggerInterface $logger,
McpTokenStorage $tokenStorage
) {
parent::__construct($appName, $request);
$this->client = $client;
$this->userSession = $userSession;
$this->urlGenerator = $urlGenerator;
$this->logger = $logger;
$this->tokenStorage = $tokenStorage;
}
/**
* Revoke user's background access (delete refresh token).
*
* Called from personal settings form POST.
* Redirects back to personal settings after completion.
*
* @return RedirectResponse
*/
#[NoAdminRequired]
public function revokeAccess(): RedirectResponse {
$user = $this->userSession->getUser();
if (!$user) {
// Should not happen (NoAdminRequired ensures user is logged in)
$this->logger->error('Revoke access called without authenticated user');
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', ['section' => 'mcp'])
);
}
$userId = $user->getUID();
// Get user's OAuth token
$token = $this->tokenStorage->getUserToken($userId);
if (!$token) {
$this->logger->error("Cannot revoke access: No token found for user $userId");
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', ['section' => 'mcp'])
);
}
$accessToken = $token['access_token'];
// Call MCP server API to revoke access
$result = $this->client->revokeUserAccess($userId, $accessToken);
if (isset($result['error'])) {
$this->logger->error("Failed to revoke access for user $userId", [
'error' => $result['error']
]);
// TODO: Add flash message/notification for user feedback
} else {
$this->logger->info("Successfully revoked background access for user $userId");
// TODO: Add success flash message/notification
}
// Redirect back to personal settings
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', ['section' => 'mcp'])
);
}
/**
* Execute semantic search via MCP server.
*
* AJAX endpoint for vector search UI in app page.
* Uses user's OAuth token for authentication.
*
* @param string $query Search query
* @param string $algorithm Search algorithm (semantic, bm25, hybrid)
* @param int $limit Number of results (max 50)
* @param string $doc_types Comma-separated document types (e.g., "note,file")
* @return JSONResponse
*/
#[NoAdminRequired]
public function search(
string $query = '',
string $algorithm = 'hybrid',
int $limit = 10,
string $doc_types = ''
): JSONResponse {
if (empty($query)) {
return new JSONResponse([
'success' => false,
'error' => 'Missing required parameter: query'
], Http::STATUS_BAD_REQUEST);
}
// Get current user
$user = $this->userSession->getUser();
if (!$user) {
return new JSONResponse([
'success' => false,
'error' => 'User not authenticated'
], Http::STATUS_UNAUTHORIZED);
}
$userId = $user->getUID();
// Get user's OAuth token for MCP server
$accessToken = $this->tokenStorage->getAccessToken($userId);
if (!$accessToken) {
return new JSONResponse([
'success' => false,
'error' => 'MCP server authorization required. Please authorize the app first.'
], Http::STATUS_UNAUTHORIZED);
}
// Validate algorithm
$validAlgorithms = ['semantic', 'bm25', 'hybrid'];
if (!in_array($algorithm, $validAlgorithms)) {
$algorithm = 'hybrid';
}
// Enforce limit bounds
$limit = max(1, min($limit, 50));
// Parse doc_types filter
$docTypesArray = null;
if (!empty($doc_types)) {
$validDocTypes = ['note', 'file', 'deck_card', 'calendar', 'contact', 'news_item'];
$docTypesArray = array_filter(
explode(',', $doc_types),
fn($t) => in_array(trim($t), $validDocTypes)
);
$docTypesArray = array_map('trim', $docTypesArray);
if (empty($docTypesArray)) {
$docTypesArray = null;
}
}
// Execute search via MCP server with OAuth token
$result = $this->client->search($query, $algorithm, $limit, false, $docTypesArray, $accessToken);
if (isset($result['error'])) {
return new JSONResponse([
'success' => false,
'error' => $result['error']
], Http::STATUS_INTERNAL_SERVER_ERROR);
}
return new JSONResponse([
'success' => true,
'results' => $result['results'] ?? [],
'algorithm_used' => $result['algorithm_used'] ?? $algorithm,
'total_documents' => $result['total_documents'] ?? 0,
]);
}
/**
* Get vector sync status from MCP server.
*
* AJAX endpoint for status refresh in personal settings.
*
* @return JSONResponse
*/
#[NoAdminRequired]
public function vectorStatus(): JSONResponse {
$status = $this->client->getVectorSyncStatus();
if (isset($status['error'])) {
return new JSONResponse([
'success' => false,
'error' => $status['error']
], Http::STATUS_INTERNAL_SERVER_ERROR);
}
return new JSONResponse([
'success' => true,
'status' => $status
]);
}
}
@@ -0,0 +1,495 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Controller;
use OCA\Astroglobe\Service\McpTokenStorage;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\Http\Client\IClientService;
use OCP\IConfig;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUserSession;
use Psr\Log\LoggerInterface;
/**
* OAuth controller for MCP Server UI.
*
* Implements OAuth 2.0 Authorization Code flow with PKCE (Public Client).
* Does not require client secret, suitable for Nextcloud's public client model.
*/
class OAuthController extends Controller {
private $config;
private $session;
private $userSession;
private $urlGenerator;
private $tokenStorage;
private $logger;
private $l;
private $httpClient;
public function __construct(
string $appName,
IRequest $request,
IConfig $config,
ISession $session,
IUserSession $userSession,
IURLGenerator $urlGenerator,
McpTokenStorage $tokenStorage,
LoggerInterface $logger,
IL10N $l,
IClientService $clientService
) {
parent::__construct($appName, $request);
$this->config = $config;
$this->session = $session;
$this->userSession = $userSession;
$this->urlGenerator = $urlGenerator;
$this->tokenStorage = $tokenStorage;
$this->logger = $logger;
$this->l = $l;
$this->httpClient = $clientService->newClient();
}
/**
* Initiate OAuth authorization flow with PKCE.
*
* Generates PKCE code verifier and challenge, stores state in session,
* then redirects user to IdP authorization endpoint.
*
* @return RedirectResponse|TemplateResponse
*/
#[NoAdminRequired]
#[NoCSRFRequired]
public function initiateOAuth() {
$this->logger->info("initiateOAuth called");
$user = $this->userSession->getUser();
if (!$user) {
$this->logger->error("initiateOAuth: User not authenticated");
return new TemplateResponse(
'astroglobe',
'settings/error',
['error' => $this->l->t('User not authenticated')]
);
}
$this->logger->info("initiateOAuth: User authenticated: " . $user->getUID());
try {
// Get MCP server configuration
$mcpServerUrl = $this->config->getSystemValue('mcp_server_url', '');
if (empty($mcpServerUrl)) {
throw new \Exception('MCP server URL not configured');
}
// Generate PKCE values
$codeVerifier = bin2hex(random_bytes(32));
$codeChallenge = $this->base64UrlEncode(hash('sha256', $codeVerifier, true));
// Generate state for CSRF protection
$state = bin2hex(random_bytes(16));
// Store PKCE values and state in session
$this->session->set('mcp_oauth_code_verifier', $codeVerifier);
$this->session->set('mcp_oauth_state', $state);
$this->session->set('mcp_oauth_user_id', $user->getUID());
// Build OAuth authorization URL
$authUrl = $this->buildAuthorizationUrl(
$mcpServerUrl,
$state,
$codeChallenge
);
$this->logger->info("Initiating OAuth flow for user: " . $user->getUID());
return new RedirectResponse($authUrl);
} catch (\Exception $e) {
$this->logger->error('Failed to initiate OAuth flow', [
'error' => $e->getMessage()
]);
return new TemplateResponse(
'astroglobe',
'settings/error',
['error' => $this->l->t('Failed to initiate OAuth: %s', [$e->getMessage()])]
);
}
}
/**
* Handle OAuth callback after user authorization.
*
* Validates state, exchanges authorization code for access token using PKCE,
* and stores tokens for the user.
*
* @param string $code Authorization code
* @param string $state State parameter for CSRF protection
* @param string|null $error Error from IdP
* @param string|null $error_description Error description from IdP
* @return RedirectResponse
*/
#[NoAdminRequired]
#[NoCSRFRequired]
public function oauthCallback(
string $code = '',
string $state = '',
?string $error = null,
?string $error_description = null
): RedirectResponse {
try {
// Check for errors from IdP
if ($error) {
throw new \Exception("OAuth error: $error - " . ($error_description ?? ''));
}
// Validate state to prevent CSRF
$storedState = $this->session->get('mcp_oauth_state');
if (empty($storedState) || $state !== $storedState) {
throw new \Exception('Invalid state parameter (CSRF protection)');
}
// Get stored PKCE verifier
$codeVerifier = $this->session->get('mcp_oauth_code_verifier');
if (empty($codeVerifier)) {
throw new \Exception('Code verifier not found in session');
}
// Get user ID from session
$userId = $this->session->get('mcp_oauth_user_id');
if (empty($userId)) {
throw new \Exception('User ID not found in session');
}
// Get MCP server configuration
$mcpServerUrl = $this->config->getSystemValue('mcp_server_url', '');
if (empty($mcpServerUrl)) {
throw new \Exception('MCP server URL not configured');
}
// Exchange authorization code for tokens
$tokenData = $this->exchangeCodeForToken(
$mcpServerUrl,
$code,
$codeVerifier
);
// Store tokens for user
$this->tokenStorage->storeUserToken(
$userId,
$tokenData['access_token'],
$tokenData['refresh_token'] ?? '',
time() + ($tokenData['expires_in'] ?? 3600)
);
// Clean up session
$this->session->remove('mcp_oauth_code_verifier');
$this->session->remove('mcp_oauth_state');
$this->session->remove('mcp_oauth_user_id');
$this->logger->info("OAuth flow completed successfully for user: $userId");
// Redirect back to personal settings
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', ['section' => 'mcp'])
);
} catch (\Exception $e) {
$this->logger->error('OAuth callback failed', [
'error' => $e->getMessage()
]);
// Clean up session
$this->session->remove('mcp_oauth_code_verifier');
$this->session->remove('mcp_oauth_state');
$this->session->remove('mcp_oauth_user_id');
// Redirect to settings with error
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', [
'section' => 'mcp',
'error' => urlencode($e->getMessage())
])
);
}
}
/**
* Disconnect user's MCP OAuth tokens.
*
* Deletes stored tokens from Nextcloud. Note: Does not revoke tokens on IdP side.
*
* @return RedirectResponse
*/
#[NoAdminRequired]
public function disconnect(): RedirectResponse {
$user = $this->userSession->getUser();
if (!$user) {
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', ['section' => 'mcp'])
);
}
$userId = $user->getUID();
try {
$this->tokenStorage->deleteUserToken($userId);
$this->logger->info("Disconnected MCP OAuth for user: $userId");
} catch (\Exception $e) {
$this->logger->error("Failed to disconnect MCP OAuth for user $userId", [
'error' => $e->getMessage()
]);
}
return new RedirectResponse(
$this->urlGenerator->linkToRoute('settings.PersonalSettings.index', ['section' => 'mcp'])
);
}
/**
* Build OAuth authorization URL with PKCE.
*
* Queries MCP server for IdP configuration, then performs OIDC discovery
* to find the authorization endpoint. Supports both Nextcloud OIDC and
* external IdPs like Keycloak.
*
* @param string $mcpServerUrl Base URL of MCP server
* @param string $state CSRF state parameter
* @param string $codeChallenge PKCE code challenge
* @return string Authorization URL
* @throws \Exception if OIDC discovery fails
*/
private function buildAuthorizationUrl(
string $mcpServerUrl,
string $state,
string $codeChallenge
): string {
// First, query MCP server to discover which IdP it's configured to use
$this->logger->info('buildAuthorizationUrl: Starting', [
'mcp_server_url' => $mcpServerUrl,
]);
try {
$statusUrl = $mcpServerUrl . '/api/v1/status';
$this->logger->info('buildAuthorizationUrl: Fetching MCP server status', [
'url' => $statusUrl,
]);
$statusResponse = $this->httpClient->get($statusUrl);
$statusData = json_decode($statusResponse->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON in status response: ' . json_last_error_msg());
}
$this->logger->info('buildAuthorizationUrl: MCP server status received', [
'auth_mode' => $statusData['auth_mode'] ?? 'unknown',
'has_oidc' => isset($statusData['oidc']),
'oidc_discovery_url' => $statusData['oidc']['discovery_url'] ?? 'not_set',
]);
} catch (\Exception $e) {
$this->logger->error('buildAuthorizationUrl: Failed to fetch MCP server status', [
'url' => $mcpServerUrl . '/api/v1/status',
'error' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
throw new \Exception('Cannot connect to MCP server: ' . $e->getMessage());
}
// Determine OIDC discovery URL
// Priority: 1) MCP server's configured discovery URL, 2) Nextcloud OIDC app
if (isset($statusData['oidc']['discovery_url'])) {
// MCP server has external IdP configured (e.g., Keycloak)
$discoveryUrl = $statusData['oidc']['discovery_url'];
$this->logger->info('Using IdP from MCP server configuration', [
'discovery_url' => $discoveryUrl,
]);
} else {
// Fall back to Nextcloud's OIDC app
// Use internal localhost URL for HTTP request (always accessible from inside container)
// The OIDC discovery response will contain proper external URLs based on overwrite.cli.url
$discoveryUrl = 'http://localhost/.well-known/openid-configuration';
$this->logger->info('Using Nextcloud OIDC app as IdP (internal request)', [
'discovery_url' => $discoveryUrl,
]);
}
// Perform OIDC discovery
$this->logger->info('buildAuthorizationUrl: Starting OIDC discovery', [
'discovery_url' => $discoveryUrl,
]);
try {
$response = $this->httpClient->get($discoveryUrl);
$responseBody = $response->getBody();
$this->logger->info('buildAuthorizationUrl: Got OIDC discovery response', [
'status_code' => $response->getStatusCode(),
'body_length' => strlen($responseBody),
]);
$discovery = json_decode($responseBody, true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON in OIDC discovery: ' . json_last_error_msg());
}
if (!isset($discovery['authorization_endpoint'])) {
throw new \RuntimeException('Missing authorization_endpoint in OIDC discovery');
}
$authEndpoint = $discovery['authorization_endpoint'];
$this->logger->info('buildAuthorizationUrl: OIDC discovery succeeded', [
'auth_endpoint' => $authEndpoint,
'token_endpoint' => $discovery['token_endpoint'] ?? 'not_set',
]);
} catch (\Exception $e) {
$this->logger->error('buildAuthorizationUrl: OIDC discovery failed', [
'discovery_url' => $discoveryUrl,
'error' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
throw new \Exception('Failed to discover OAuth endpoints: ' . $e->getMessage());
}
// Build callback URL
$redirectUri = $this->urlGenerator->linkToRouteAbsolute(
'astroglobe.oauth.oauthCallback'
);
// Build authorization URL with PKCE
$params = [
'client_id' => 'nextcloudMcpServerUIPublicClient', // Public client ID (32+ chars required by NC OIDC)
'redirect_uri' => $redirectUri,
'response_type' => 'code',
'scope' => 'openid profile email mcp:read mcp:write', // Request MCP scopes
'state' => $state,
'code_challenge' => $codeChallenge,
'code_challenge_method' => 'S256',
];
return $authEndpoint . '?' . http_build_query($params);
}
/**
* Exchange authorization code for access token using PKCE.
*
* Queries MCP server for IdP configuration, then performs OIDC discovery
* to find the token endpoint. Supports both Nextcloud OIDC and external IdPs.
*
* @param string $mcpServerUrl Base URL of MCP server
* @param string $code Authorization code
* @param string $codeVerifier PKCE code verifier
* @return array Token data containing access_token, refresh_token, expires_in
* @throws \Exception on HTTP or token error
*/
private function exchangeCodeForToken(
string $mcpServerUrl,
string $code,
string $codeVerifier
): array {
// Query MCP server to discover which IdP it's configured to use
try {
$statusResponse = $this->httpClient->get($mcpServerUrl . '/api/v1/status');
$statusData = json_decode($statusResponse->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid status response from MCP server');
}
} catch (\Exception $e) {
$this->logger->error('Failed to fetch MCP server status during token exchange', [
'error' => $e->getMessage(),
]);
throw new \Exception('Cannot connect to MCP server: ' . $e->getMessage());
}
// Determine OIDC discovery URL and token endpoint
$useInternalNextcloud = !isset($statusData['oidc']['discovery_url']);
if (!$useInternalNextcloud) {
// External IdP configured - use discovery
$discoveryUrl = $statusData['oidc']['discovery_url'];
try {
$response = $this->httpClient->get($discoveryUrl);
$discovery = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE || !isset($discovery['token_endpoint'])) {
throw new \RuntimeException('Invalid OIDC discovery response');
}
$tokenEndpoint = $discovery['token_endpoint'];
} catch (\Exception $e) {
$this->logger->error('OIDC discovery failed during token exchange', [
'discovery_url' => $discoveryUrl,
'error' => $e->getMessage(),
]);
throw new \Exception('Failed to discover token endpoint: ' . $e->getMessage());
}
} else {
// Nextcloud's OIDC app - use internal URL directly (no HTTP request needed)
// This avoids network issues when overwritehost includes external port
$tokenEndpoint = 'http://localhost/apps/oidc/token';
}
$redirectUri = $this->urlGenerator->linkToRouteAbsolute(
'astroglobe.oauth.oauthCallback'
);
$postData = [
'grant_type' => 'authorization_code',
'code' => $code,
'redirect_uri' => $redirectUri,
'client_id' => 'nextcloudMcpServerUIPublicClient', // Public client (32+ chars required by NC OIDC)
'code_verifier' => $codeVerifier, // PKCE proof
];
// Use Nextcloud's HTTP client for token request
try {
$response = $this->httpClient->post($tokenEndpoint, [
'body' => http_build_query($postData),
'headers' => [
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept' => 'application/json',
],
]);
$tokenData = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE || !isset($tokenData['access_token'])) {
throw new \RuntimeException('Invalid token response from server');
}
return $tokenData;
} catch (\Exception $e) {
$this->logger->error('Token exchange failed', [
'error' => $e->getMessage(),
'token_endpoint' => $tokenEndpoint,
]);
throw new \Exception('Token exchange failed: ' . $e->getMessage());
}
}
/**
* Base64 URL-safe encoding (for PKCE).
*
* @param string $data Data to encode
* @return string Base64 URL-encoded string
*/
private function base64UrlEncode(string $data): string {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
}
@@ -0,0 +1,29 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Controller;
use OCA\Astroglobe\AppInfo\Application;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\FrontpageRoute;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\OpenAPI;
use OCP\AppFramework\Http\TemplateResponse;
/**
* @psalm-suppress UnusedClass
*/
class PageController extends Controller {
#[NoCSRFRequired]
#[NoAdminRequired]
#[OpenAPI(OpenAPI::SCOPE_IGNORE)]
#[FrontpageRoute(verb: 'GET', url: '/')]
public function index(): TemplateResponse {
return new TemplateResponse(
Application::APP_ID,
'index',
);
}
}
+280
View File
@@ -0,0 +1,280 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Service;
use OCP\Http\Client\IClientService;
use OCP\IConfig;
use Psr\Log\LoggerInterface;
/**
* HTTP client for communicating with the MCP server's management API.
*
* This service wraps the MCP server's REST API endpoints defined in ADR-018.
* It handles authentication via OAuth bearer tokens and provides typed methods
* for all management operations.
*/
class McpServerClient {
private $httpClient;
private $config;
private $logger;
private $baseUrl;
public function __construct(
IClientService $clientService,
IConfig $config,
LoggerInterface $logger
) {
$this->httpClient = $clientService->newClient();
$this->config = $config;
$this->logger = $logger;
// Get MCP server configuration from Nextcloud config
$this->baseUrl = $this->config->getSystemValue('mcp_server_url', 'http://localhost:8000');
}
/**
* Get server status (version, auth mode, features).
*
* Public endpoint - no authentication required.
*
* @return array{
* version?: string,
* auth_mode?: string,
* vector_sync_enabled?: bool,
* uptime_seconds?: int,
* management_api_version?: string,
* error?: string
* }
*/
public function getStatus(): array {
try {
$response = $this->httpClient->get($this->baseUrl . '/api/v1/status');
$data = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON response from server');
}
return $data;
} catch (\Exception $e) {
$this->logger->error('Failed to get MCP server status', [
'error' => $e->getMessage(),
'server_url' => $this->baseUrl,
]);
return ['error' => $e->getMessage()];
}
}
/**
* Get user session details.
*
* Requires authentication via OAuth bearer token.
*
* @param string $userId The user ID to query
* @param string $token OAuth bearer token
* @return array{
* session_id?: string,
* background_access_granted?: bool,
* background_access_details?: array,
* idp_profile?: array,
* error?: string
* }
*/
public function getUserSession(string $userId, string $token): array {
try {
$response = $this->httpClient->get(
$this->baseUrl . "/api/v1/users/" . urlencode($userId) . "/session",
[
'headers' => [
'Authorization' => 'Bearer ' . $token
]
]
);
$data = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON response from server');
}
return $data;
} catch (\Exception $e) {
$this->logger->error("Failed to get session for user $userId", [
'error' => $e->getMessage(),
'user_id' => $userId,
]);
return ['error' => $e->getMessage()];
}
}
/**
* Revoke user's background access (delete refresh token).
*
* Requires authentication via OAuth bearer token.
*
* @param string $userId The user ID whose access to revoke
* @param string $token OAuth bearer token
* @return array{success?: bool, message?: string, error?: string}
*/
public function revokeUserAccess(string $userId, string $token): array {
try {
$response = $this->httpClient->post(
$this->baseUrl . "/api/v1/users/" . urlencode($userId) . "/revoke",
[
'headers' => [
'Authorization' => 'Bearer ' . $token
]
]
);
$data = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON response from server');
}
return $data;
} catch (\Exception $e) {
$this->logger->error("Failed to revoke access for user $userId", [
'error' => $e->getMessage(),
'user_id' => $userId,
]);
return ['error' => $e->getMessage()];
}
}
/**
* Get vector sync status (indexing metrics).
*
* Public endpoint - no authentication required.
* Only available if VECTOR_SYNC_ENABLED=true on server.
*
* @return array{
* status?: string,
* indexed_documents?: int,
* pending_documents?: int,
* last_sync_time?: string,
* documents_per_second?: float,
* errors_24h?: int,
* error?: string
* }
*/
public function getVectorSyncStatus(): array {
try {
$response = $this->httpClient->get($this->baseUrl . '/api/v1/vector-sync/status');
$data = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON response from server');
}
return $data;
} catch (\Exception $e) {
$this->logger->error('Failed to get vector sync status', [
'error' => $e->getMessage(),
]);
return ['error' => $e->getMessage()];
}
}
/**
* Execute semantic search for vector visualization.
*
* Requires OAuth bearer token for user-filtered search.
* Only available if VECTOR_SYNC_ENABLED=true on server.
*
* @param string $query Search query string
* @param string $algorithm Search algorithm: "semantic", "bm25", or "hybrid"
* @param int $limit Number of results (max 50)
* @param bool $includePca Whether to include PCA coordinates for 2D plot
* @param array|null $docTypes Document types to filter (e.g., ['note', 'file'])
* @param string|null $token OAuth bearer token for authentication
* @return array{
* results?: array,
* pca_coordinates?: array,
* algorithm_used?: string,
* total_documents?: int,
* error?: string
* }
*/
public function search(
string $query,
string $algorithm = 'hybrid',
int $limit = 10,
bool $includePca = true,
?array $docTypes = null,
?string $token = null
): array {
try {
$requestBody = [
'query' => $query,
'algorithm' => $algorithm,
'limit' => min($limit, 50), // Enforce max limit
'include_pca' => $includePca,
];
// Add doc_types filter if specified
if ($docTypes !== null && count($docTypes) > 0) {
$requestBody['doc_types'] = $docTypes;
}
$options = ['json' => $requestBody];
// Add authorization header if token provided
if ($token !== null) {
$options['headers'] = [
'Authorization' => 'Bearer ' . $token
];
}
$response = $this->httpClient->post(
$this->baseUrl . '/api/v1/vector-viz/search',
$options
);
$data = json_decode($response->getBody(), true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \RuntimeException('Invalid JSON response from server');
}
return $data;
} catch (\Exception $e) {
$this->logger->error('Failed to execute search', [
'error' => $e->getMessage(),
'query' => $query,
'algorithm' => $algorithm,
]);
return ['error' => $e->getMessage()];
}
}
/**
* Check if the MCP server is reachable and API key is valid.
*
* @return bool True if server is reachable and healthy
*/
public function isServerReachable(): bool {
$status = $this->getStatus();
return !isset($status['error']);
}
/**
* Get the configured MCP server internal URL (for API calls).
*
* @return string The internal base URL
*/
public function getServerUrl(): string {
return $this->baseUrl;
}
/**
* Get the public MCP server URL (for display, OAuth audience).
*
* Falls back to internal URL if public URL not configured.
*
* @return string The public URL users/browsers see
*/
public function getPublicServerUrl(): string {
return $this->config->getSystemValue('mcp_server_public_url', $this->baseUrl);
}
}
+204
View File
@@ -0,0 +1,204 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Service;
use OCP\IConfig;
use OCP\Security\ICrypto;
use Psr\Log\LoggerInterface;
/**
* Storage service for per-user MCP OAuth tokens.
*
* Stores encrypted access and refresh tokens in user preferences.
* Handles token expiration checking and refresh logic.
*/
class McpTokenStorage {
private $config;
private $crypto;
private $logger;
public function __construct(
IConfig $config,
ICrypto $crypto,
LoggerInterface $logger
) {
$this->config = $config;
$this->crypto = $crypto;
$this->logger = $logger;
}
/**
* Store MCP OAuth tokens for a user.
*
* Tokens are encrypted before storage to protect user credentials.
*
* @param string $userId User ID
* @param string $accessToken OAuth access token
* @param string $refreshToken OAuth refresh token
* @param int $expiresAt Unix timestamp when token expires
*/
public function storeUserToken(
string $userId,
string $accessToken,
string $refreshToken,
int $expiresAt
): void {
try {
$tokenData = [
'access_token' => $accessToken,
'refresh_token' => $refreshToken,
'expires_at' => $expiresAt,
];
// Encrypt token data before storage
$encrypted = $this->crypto->encrypt(json_encode($tokenData));
// Store in user preferences
$this->config->setUserValue(
$userId,
'astroglobe',
'oauth_tokens',
$encrypted
);
$this->logger->info("Stored MCP OAuth tokens for user: $userId");
} catch (\Exception $e) {
$this->logger->error("Failed to store MCP tokens for user $userId", [
'error' => $e->getMessage()
]);
throw $e;
}
}
/**
* Get MCP OAuth tokens for a user.
*
* @param string $userId User ID
* @return array|null Token data array with keys: access_token, refresh_token, expires_at
*/
public function getUserToken(string $userId): ?array {
try {
$encrypted = $this->config->getUserValue(
$userId,
'astroglobe',
'oauth_tokens',
''
);
if (empty($encrypted)) {
return null;
}
// Decrypt and parse token data
$decrypted = $this->crypto->decrypt($encrypted);
$tokenData = json_decode($decrypted, true);
if (!$tokenData || !isset($tokenData['access_token'])) {
$this->logger->warning("Invalid token data for user: $userId");
return null;
}
return $tokenData;
} catch (\Exception $e) {
$this->logger->error("Failed to retrieve MCP tokens for user $userId", [
'error' => $e->getMessage()
]);
return null;
}
}
/**
* Check if a token is expired or about to expire.
*
* Uses a 60-second buffer to refresh tokens before they actually expire.
*
* @param array $token Token data array
* @return bool True if expired or about to expire
*/
public function isExpired(array $token): bool {
if (!isset($token['expires_at'])) {
return true;
}
// Expire 60 seconds early to avoid race conditions
return time() >= ($token['expires_at'] - 60);
}
/**
* Delete stored tokens for a user.
*
* Used when user disconnects or revokes access.
*
* @param string $userId User ID
*/
public function deleteUserToken(string $userId): void {
try {
$this->config->deleteUserValue(
$userId,
'astroglobe',
'oauth_tokens'
);
$this->logger->info("Deleted MCP OAuth tokens for user: $userId");
} catch (\Exception $e) {
$this->logger->error("Failed to delete MCP tokens for user $userId", [
'error' => $e->getMessage()
]);
throw $e;
}
}
/**
* Get the access token for a user, handling expiration and refresh.
*
* This is a convenience method that combines token retrieval,
* expiration checking, and automatic refresh if needed.
*
* @param string $userId User ID
* @param callable|null $refreshCallback Callback to refresh token if expired
* Should accept (refreshToken) and return new token data
* @return string|null Access token, or null if not available
*/
public function getAccessToken(string $userId, ?callable $refreshCallback = null): ?string {
$token = $this->getUserToken($userId);
if (!$token) {
return null;
}
// Check if token is expired
if ($this->isExpired($token)) {
// Try to refresh if callback provided
if ($refreshCallback && isset($token['refresh_token'])) {
try {
$newTokenData = $refreshCallback($token['refresh_token']);
if ($newTokenData && isset($newTokenData['access_token'])) {
// Store refreshed token
$this->storeUserToken(
$userId,
$newTokenData['access_token'],
$token['refresh_token'], // Keep same refresh token
time() + ($newTokenData['expires_in'] ?? 3600)
);
return $newTokenData['access_token'];
}
} catch (\Exception $e) {
$this->logger->error("Failed to refresh token for user $userId", [
'error' => $e->getMessage()
]);
// Fall through to return null
}
}
// Token expired and no refresh available
$this->logger->info("Token expired for user $userId, no refresh available");
return null;
}
return $token['access_token'];
}
}
+101
View File
@@ -0,0 +1,101 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Settings;
use OCA\Astroglobe\AppInfo\Application;
use OCA\Astroglobe\Service\McpServerClient;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
use OCP\IConfig;
use OCP\Settings\ISettings;
/**
* Admin settings panel for MCP Server.
*
* Displays server status, vector sync metrics, configuration,
* and provides administrative controls.
*/
class Admin implements ISettings {
private $client;
private $config;
private $initialState;
public function __construct(
McpServerClient $client,
IConfig $config,
IInitialState $initialState
) {
$this->client = $client;
$this->config = $config;
$this->initialState = $initialState;
}
/**
* @return TemplateResponse
*/
public function getForm(): TemplateResponse {
// Fetch data from MCP server
$serverStatus = $this->client->getStatus();
$vectorSyncStatus = $this->client->getVectorSyncStatus();
// Get configuration from config.php
$serverUrl = $this->config->getSystemValue('mcp_server_url', '');
$apiKeyConfigured = !empty($this->config->getSystemValue('mcp_server_api_key', ''));
// Check for server connection error
if (isset($serverStatus['error'])) {
return new TemplateResponse(
Application::APP_ID,
'settings/error',
[
'error' => 'Cannot connect to MCP server',
'details' => $serverStatus['error'],
'server_url' => $serverUrl,
'help_text' => 'Ensure MCP server is running and accessible. Check config.php for correct mcp_server_url.',
],
TemplateResponse::RENDER_AS_BLANK
);
}
// Provide initial state for Vue.js frontend (if needed)
$this->initialState->provideInitialState('server-data', [
'serverStatus' => $serverStatus,
'vectorSyncStatus' => $vectorSyncStatus,
'config' => [
'serverUrl' => $serverUrl,
'apiKeyConfigured' => $apiKeyConfigured,
],
]);
$parameters = [
'serverStatus' => $serverStatus,
'vectorSyncStatus' => $vectorSyncStatus,
'serverUrl' => $serverUrl,
'apiKeyConfigured' => $apiKeyConfigured,
'vectorSyncEnabled' => $serverStatus['vector_sync_enabled'] ?? false,
];
return new TemplateResponse(
Application::APP_ID,
'settings/admin',
$parameters,
TemplateResponse::RENDER_AS_BLANK
);
}
/**
* @return string The section ID
*/
public function getSection(): string {
return 'mcp';
}
/**
* @return int Priority (lower = higher up)
*/
public function getPriority(): int {
return 10;
}
}
+52
View File
@@ -0,0 +1,52 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Settings;
use OCP\IL10N;
use OCP\IURLGenerator;
use OCP\Settings\IIconSection;
/**
* Admin settings section for MCP Server.
*
* Creates a dedicated section in admin settings for MCP-related configuration.
*/
class AdminSection implements IIconSection {
private $l;
private $urlGenerator;
public function __construct(IL10N $l, IURLGenerator $urlGenerator) {
$this->l = $l;
$this->urlGenerator = $urlGenerator;
}
/**
* @return string The section ID
*/
public function getID(): string {
return 'mcp';
}
/**
* @return string The translated section name
*/
public function getName(): string {
return $this->l->t('MCP Server');
}
/**
* @return int Priority (lower = higher up in list)
*/
public function getPriority(): int {
return 80;
}
/**
* @return string Section icon (SVG or image URL)
*/
public function getIcon(): string {
return $this->urlGenerator->imagePath('astroglobe', 'app.svg');
}
}
+158
View File
@@ -0,0 +1,158 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Settings;
use OCA\Astroglobe\AppInfo\Application;
use OCA\Astroglobe\Service\McpServerClient;
use OCA\Astroglobe\Service\McpTokenStorage;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Settings\ISettings;
/**
* Personal settings panel for MCP Server.
*
* Displays user session information, background access status,
* and provides controls for managing MCP server integration.
*
* Uses OAuth PKCE flow - each user must authorize access to MCP server.
*/
class Personal implements ISettings {
private $client;
private $userSession;
private $initialState;
private $tokenStorage;
private $urlGenerator;
public function __construct(
McpServerClient $client,
IUserSession $userSession,
IInitialState $initialState,
McpTokenStorage $tokenStorage,
IURLGenerator $urlGenerator
) {
$this->client = $client;
$this->userSession = $userSession;
$this->initialState = $initialState;
$this->tokenStorage = $tokenStorage;
$this->urlGenerator = $urlGenerator;
}
/**
* @return TemplateResponse
*/
public function getForm(): TemplateResponse {
$user = $this->userSession->getUser();
if (!$user) {
return new TemplateResponse(Application::APP_ID, 'settings/error', [
'error' => 'User not authenticated'
], TemplateResponse::RENDER_AS_BLANK);
}
$userId = $user->getUID();
// Check if user has MCP OAuth token
$token = $this->tokenStorage->getUserToken($userId);
// If no token or token is expired, show OAuth authorization UI
if (!$token || $this->tokenStorage->isExpired($token)) {
$oauthUrl = $this->urlGenerator->linkToRoute('astroglobe.oauth.initiateOAuth');
return new TemplateResponse(
Application::APP_ID,
'settings/oauth-required',
[
'oauth_url' => $oauthUrl,
'server_url' => $this->client->getPublicServerUrl(),
'has_expired' => ($token !== null), // true if token exists but expired
],
TemplateResponse::RENDER_AS_BLANK
);
}
// User has valid token - fetch data from MCP server
$accessToken = $token['access_token'];
// Fetch server status (public endpoint, no token needed)
$serverStatus = $this->client->getStatus();
// Fetch user session data (requires token)
$userSession = $this->client->getUserSession($userId, $accessToken);
// Check for server connection error
if (isset($serverStatus['error'])) {
return new TemplateResponse(
Application::APP_ID,
'settings/error',
[
'error' => 'Cannot connect to MCP server',
'details' => $serverStatus['error'],
'server_url' => $this->client->getPublicServerUrl(),
],
TemplateResponse::RENDER_AS_BLANK
);
}
// Check for authentication error (invalid/expired token)
if (isset($userSession['error'])) {
// Token might be invalid - delete it and show OAuth UI
$this->tokenStorage->deleteUserToken($userId);
$oauthUrl = $this->urlGenerator->linkToRoute('astroglobe.oauth.initiateOAuth');
return new TemplateResponse(
Application::APP_ID,
'settings/oauth-required',
[
'oauth_url' => $oauthUrl,
'server_url' => $this->client->getPublicServerUrl(),
'has_expired' => true,
'error_message' => 'Your session has expired. Please sign in again.',
],
TemplateResponse::RENDER_AS_BLANK
);
}
// Provide initial state for Vue.js frontend (if needed)
$this->initialState->provideInitialState('user-data', [
'userId' => $userId,
'serverStatus' => $serverStatus,
'session' => $userSession,
]);
$parameters = [
'userId' => $userId,
'serverStatus' => $serverStatus,
'session' => $userSession,
'vectorSyncEnabled' => $serverStatus['vector_sync_enabled'] ?? false,
'backgroundAccessGranted' => $userSession['background_access_granted'] ?? false,
'serverUrl' => $this->client->getPublicServerUrl(),
'hasToken' => true,
];
return new TemplateResponse(
Application::APP_ID,
'settings/personal',
$parameters,
TemplateResponse::RENDER_AS_BLANK
);
}
/**
* @return string The section ID
*/
public function getSection(): string {
return 'mcp';
}
/**
* @return int Priority (lower = higher up)
*/
public function getPriority(): int {
return 50;
}
}
+52
View File
@@ -0,0 +1,52 @@
<?php
declare(strict_types=1);
namespace OCA\Astroglobe\Settings;
use OCP\IL10N;
use OCP\IURLGenerator;
use OCP\Settings\IIconSection;
/**
* Personal settings section for MCP Server.
*
* Creates a dedicated section in personal settings for MCP-related configuration.
*/
class PersonalSection implements IIconSection {
private $l;
private $urlGenerator;
public function __construct(IL10N $l, IURLGenerator $urlGenerator) {
$this->l = $l;
$this->urlGenerator = $urlGenerator;
}
/**
* @return string The section ID (e.g. 'mcp')
*/
public function getID(): string {
return 'mcp';
}
/**
* @return string The translated section name
*/
public function getName(): string {
return $this->l->t('MCP Server');
}
/**
* @return int Priority (lower = higher up in list, 0-99)
*/
public function getPriority(): int {
return 80;
}
/**
* @return string Section icon (SVG or image URL)
*/
public function getIcon(): string {
return $this->urlGenerator->imagePath('astroglobe', 'app.svg');
}
}