fix: address critical code review issues (4 fixes)

This commit addresses 4 critical issues identified in code review:

1. **Token Rotation Race Condition** (token_broker.py)
   - Added per-user locking mechanism to prevent concurrent refresh token corruption
   - Implemented double-check pattern for cache after acquiring lock
   - Users can now safely refresh concurrently without token desync

2. **Hardcoded OAuth Client ID** (PHP files)
   - Made client ID configurable via `astroglobe_client_id` in system config
   - Updated McpServerClient to provide getClientId() method
   - Injected McpServerClient into IdpTokenRefresher and OAuthController
   - Updated admin settings UI to display client ID configuration status
   - App gracefully handles missing client ID with warnings in admin UI

3. **Missing Cache Invalidation** (management.py:revoke_user_access)
   - Added cache.invalidate() call when revoking user access
   - Ensures both storage AND cache are cleared atomically
   - Prevents stale cached tokens from being used after revocation

4. **Error Message Exposure** (management.py)
   - Created _sanitize_error_for_client() helper function
   - Updated all error handlers to log detailed errors internally
   - Returns generic messages to clients to prevent information leakage
   - Protects against exposing database paths, API URLs, tokens, etc.

All changes are backward compatible and preserve existing functionality.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Chris Coutinho
2025-12-15 22:30:57 +01:00
parent 619c62d89a
commit 44391d3d1d
8 changed files with 172 additions and 51 deletions
+6 -2
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace OCA\Astroglobe\Controller;
use OCA\Astroglobe\Service\McpServerClient;
use OCA\Astroglobe\Service\McpTokenStorage;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
@@ -36,6 +37,7 @@ class OAuthController extends Controller {
private $logger;
private $l;
private $httpClient;
private $client;
public function __construct(
string $appName,
@@ -48,6 +50,7 @@ class OAuthController extends Controller {
LoggerInterface $logger,
IL10N $l,
IClientService $clientService,
McpServerClient $client,
) {
parent::__construct($appName, $request);
$this->config = $config;
@@ -58,6 +61,7 @@ class OAuthController extends Controller {
$this->logger = $logger;
$this->l = $l;
$this->httpClient = $clientService->newClient();
$this->client = $client;
}
/**
@@ -395,7 +399,7 @@ class OAuthController extends Controller {
// Build authorization URL parameters
$params = [
'client_id' => 'nextcloudMcpServerUIPublicClient', // Client ID (32+ chars required by NC OIDC)
'client_id' => $this->client->getClientId(),
'redirect_uri' => $redirectUri,
'response_type' => 'code',
'scope' => 'openid profile email offline_access', // Request MCP scopes
@@ -487,7 +491,7 @@ class OAuthController extends Controller {
'grant_type' => 'authorization_code',
'code' => $code,
'redirect_uri' => $redirectUri,
'client_id' => 'nextcloudMcpServerUIPublicClient', // Client ID (32+ chars required by NC OIDC)
'client_id' => $this->client->getClientId(),
];
// Add client authentication based on client type