fix: address critical code review issues (4 fixes)
This commit addresses 4 critical issues identified in code review: 1. **Token Rotation Race Condition** (token_broker.py) - Added per-user locking mechanism to prevent concurrent refresh token corruption - Implemented double-check pattern for cache after acquiring lock - Users can now safely refresh concurrently without token desync 2. **Hardcoded OAuth Client ID** (PHP files) - Made client ID configurable via `astroglobe_client_id` in system config - Updated McpServerClient to provide getClientId() method - Injected McpServerClient into IdpTokenRefresher and OAuthController - Updated admin settings UI to display client ID configuration status - App gracefully handles missing client ID with warnings in admin UI 3. **Missing Cache Invalidation** (management.py:revoke_user_access) - Added cache.invalidate() call when revoking user access - Ensures both storage AND cache are cleared atomically - Prevents stale cached tokens from being used after revocation 4. **Error Message Exposure** (management.py) - Created _sanitize_error_for_client() helper function - Updated all error handlers to log detailed errors internally - Returns generic messages to clients to prevent information leakage - Protects against exposing database paths, API URLs, tokens, etc. All changes are backward compatible and preserve existing functionality. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace OCA\Astroglobe\Controller;
|
||||
|
||||
use OCA\Astroglobe\Service\McpServerClient;
|
||||
use OCA\Astroglobe\Service\McpTokenStorage;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http;
|
||||
@@ -36,6 +37,7 @@ class OAuthController extends Controller {
|
||||
private $logger;
|
||||
private $l;
|
||||
private $httpClient;
|
||||
private $client;
|
||||
|
||||
public function __construct(
|
||||
string $appName,
|
||||
@@ -48,6 +50,7 @@ class OAuthController extends Controller {
|
||||
LoggerInterface $logger,
|
||||
IL10N $l,
|
||||
IClientService $clientService,
|
||||
McpServerClient $client,
|
||||
) {
|
||||
parent::__construct($appName, $request);
|
||||
$this->config = $config;
|
||||
@@ -58,6 +61,7 @@ class OAuthController extends Controller {
|
||||
$this->logger = $logger;
|
||||
$this->l = $l;
|
||||
$this->httpClient = $clientService->newClient();
|
||||
$this->client = $client;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -395,7 +399,7 @@ class OAuthController extends Controller {
|
||||
|
||||
// Build authorization URL parameters
|
||||
$params = [
|
||||
'client_id' => 'nextcloudMcpServerUIPublicClient', // Client ID (32+ chars required by NC OIDC)
|
||||
'client_id' => $this->client->getClientId(),
|
||||
'redirect_uri' => $redirectUri,
|
||||
'response_type' => 'code',
|
||||
'scope' => 'openid profile email offline_access', // Request MCP scopes
|
||||
@@ -487,7 +491,7 @@ class OAuthController extends Controller {
|
||||
'grant_type' => 'authorization_code',
|
||||
'code' => $code,
|
||||
'redirect_uri' => $redirectUri,
|
||||
'client_id' => 'nextcloudMcpServerUIPublicClient', // Client ID (32+ chars required by NC OIDC)
|
||||
'client_id' => $this->client->getClientId(),
|
||||
];
|
||||
|
||||
// Add client authentication based on client type
|
||||
|
||||
Reference in New Issue
Block a user