feat(oauth-proxy): add Deco Store OAuth helpers and MCP detection (#2129)

viktormarinho · web-flow · commit 080eef155c95 · 2026-01-02T14:54:11.000-03:00
* feat(oauth-proxy): add Deco Store OAuth helpers and MCP detection

- Implemented `getDecoStoreProjectLocator` to retrieve project locators from the Deco Store registry.
- Added `buildDecoOAuthParams` to construct OAuth query parameters for deco-hosted MCPs.
- Enhanced the main app logic to include smart OAuth parameters for deco-hosted MCPs.
- Introduced `isDecoHostedMcp` function to identify deco-hosted MCP URLs.
- Updated tests to validate the new functionality and ensure correct behavior for deco-hosted MCP detection.

* fix

* rm log

* handle possible error
diff --git a/apps/mesh/src/api/app.ts b/apps/mesh/src/api/app.ts
@@ -30,10 +30,59 @@ import oauthProxyRoutes, {
   fetchProtectedResourceMetadata,
 } from "./routes/oauth-proxy";
 import proxyRoutes from "./routes/proxy";
+import { isDecoHostedMcp, DECO_STORE_URL } from "../core/well-known-mcp";
+import type { MeshContext } from "../core/mesh-context";
 
 // Track current event bus instance for cleanup during HMR
 let currentEventBus: EventBus | null = null;
 
+// ============================================================================
+// Deco Store OAuth Helpers
+// ============================================================================
+
+/**
+ * Get project_locator from the Deco Store registry connection.
+ * Returns the locator string or null if not found/configured.
+ *
+ * @param ctx - The mesh context
+ * @param organizationId - The organization ID to search for the registry connection
+ */
+async function getDecoStoreProjectLocator(
+  ctx: MeshContext,
+  organizationId: string,
+): Promise<string | null> {
+  // Find registry connection by URL within the organization
+  const connections = await ctx.storage.connections.list(organizationId);
+  const registryConn = connections.find((c) =>
+    c.connection_url?.startsWith(DECO_STORE_URL),
+  );
+
+  if (!registryConn?.configuration_state) {
+    return null;
+  }
+
+  return (registryConn.configuration_state as Record<string, unknown>)
+    .project_locator as string | null;
+}
+
+/**
+ * Build OAuth query params for deco-hosted MCPs.
+ * Uses project_locator from Deco Store registry or falls back to auto_personal.
+ */
+function buildDecoOAuthParams(projectLocator: string | null): URLSearchParams {
+  const params = new URLSearchParams();
+
+  if (projectLocator) {
+    const [org, project] = projectLocator.split("/");
+    if (org) params.set("workspace_hint", org);
+    if (project) params.set("project_hint", project);
+  } else {
+    params.set("auto_personal", "true");
+  }
+
+  return params;
+}
+
 // Create serializer for Prometheus text format (shared across instances)
 const prometheusSerializer = new PrometheusSerializer();
 
@@ -281,6 +330,27 @@ export function createApp(options: CreateAppOptions = {}) {
       if (targetUrl.searchParams.has("resource")) {
         targetUrl.searchParams.set("resource", connection.connection_url);
       }
+
+      // Add smart OAuth params for deco-hosted MCPs to skip org/project selection
+      // Wrapped in try-catch to ensure OAuth redirect proceeds even if smart params fail
+      if (isDecoHostedMcp(connection.connection_url)) {
+        try {
+          const projectLocator = await getDecoStoreProjectLocator(
+            ctx,
+            connection.organization_id,
+          );
+          const smartParams = buildDecoOAuthParams(projectLocator);
+          for (const [key, value] of smartParams) {
+            targetUrl.searchParams.set(key, value);
+          }
+        } catch (error) {
+          console.warn(
+            "[oauth-proxy] Failed to get smart OAuth params, proceeding without:",
+            error,
+          );
+        }
+      }
+
       return c.redirect(targetUrl.toString(), 302);
     }
 
diff --git a/apps/mesh/src/api/routes/oauth-proxy.test.ts b/apps/mesh/src/api/routes/oauth-proxy.test.ts
@@ -10,6 +10,11 @@ import {
 import { Hono } from "hono";
 import oauthProxyRoutes from "./oauth-proxy";
 import { ContextFactory } from "../../core/context-factory";
+import {
+  isDecoHostedMcp,
+  DECO_STORE_URL,
+  DECO_CMS_API_HOST,
+} from "../../core/well-known-mcp";
 
 describe("OAuth Proxy Routes", () => {
   let app: Hono;
@@ -660,3 +665,46 @@ describe("OAuth URL Path Construction", () => {
     );
   });
 });
+
+describe("Deco-Hosted MCP Detection", () => {
+  test("DECO_CMS_API_HOST is correct", () => {
+    expect(DECO_CMS_API_HOST).toBe("api.decocms.com");
+  });
+
+  test("DECO_STORE_URL is correct", () => {
+    expect(DECO_STORE_URL).toBe("https://api.decocms.com/mcp/registry");
+  });
+
+  describe("isDecoHostedMcp", () => {
+    test("returns true for deco-hosted MCP URLs", () => {
+      expect(
+        isDecoHostedMcp("https://api.decocms.com/apps/deco/github/mcp"),
+      ).toBe(true);
+      expect(isDecoHostedMcp("https://api.decocms.com/mcp/some-app")).toBe(
+        true,
+      );
+      expect(isDecoHostedMcp("https://api.decocms.com/apps/xyz/abc/mcp")).toBe(
+        true,
+      );
+    });
+
+    test("returns false for Deco Store registry (public, no OAuth)", () => {
+      expect(isDecoHostedMcp(DECO_STORE_URL)).toBe(false);
+      expect(isDecoHostedMcp("https://api.decocms.com/mcp/registry")).toBe(
+        false,
+      );
+    });
+
+    test("returns false for non-deco-hosted URLs", () => {
+      expect(isDecoHostedMcp("https://stripe.mcp.run/mcp")).toBe(false);
+      expect(isDecoHostedMcp("https://mcp.example.com/api")).toBe(false);
+      expect(isDecoHostedMcp("https://other.decocms.com/mcp")).toBe(false);
+    });
+
+    test("returns false for null or invalid URLs", () => {
+      expect(isDecoHostedMcp(null)).toBe(false);
+      expect(isDecoHostedMcp("")).toBe(false);
+      expect(isDecoHostedMcp("not-a-url")).toBe(false);
+    });
+  });
+});
diff --git a/apps/mesh/src/core/well-known-mcp.ts b/apps/mesh/src/core/well-known-mcp.ts
@@ -1,5 +1,25 @@
 import type { ConnectionCreateData } from "@/tools/connection/schema";
 
+/** Deco CMS API host for detecting deco-hosted MCPs */
+export const DECO_CMS_API_HOST = "api.decocms.com";
+
+/** The Deco Store registry URL (public, no OAuth) */
+export const DECO_STORE_URL = "https://api.decocms.com/mcp/registry";
+
+/**
+ * Check if a connection URL is a deco-hosted MCP (excluding the registry itself).
+ * Used to determine if smart OAuth params should be added.
+ */
+export function isDecoHostedMcp(connectionUrl: string | null): boolean {
+  if (!connectionUrl) return false;
+  try {
+    const url = new URL(connectionUrl);
+    return url.host === DECO_CMS_API_HOST && connectionUrl !== DECO_STORE_URL;
+  } catch {
+    return false;
+  }
+}
+
 export const WellKnownMCPId = {
   SELF: "self",
   REGISTRY: "registry",
@@ -26,7 +46,7 @@ export function getWellKnownRegistryConnection(
     title: "Deco Store",
     description: "Official deco MCP registry with curated integrations",
     connection_type: "HTTP",
-    connection_url: "https://api.decocms.com/mcp/registry",
+    connection_url: DECO_STORE_URL,
     icon: "https://assets.decocache.com/decocms/00ccf6c3-9e13-4517-83b0-75ab84554bb9/596364c63320075ca58483660156b6d9de9b526e.png",
     app_name: "deco-registry",
     app_id: null,
