deploystackio
diff --git a/‎services/backend/api-spec.json‎
Lines changed: 52 additions & 8 deletions b/‎services/backend/api-spec.json‎
Lines changed: 52 additions & 8 deletions
diff --git a/‎services/backend/api-spec.yaml‎
Lines changed: 44 additions & 8 deletions b/‎services/backend/api-spec.yaml‎
Lines changed: 44 additions & 8 deletions
diff --git a/‎services/backend/src/routes/mcp/categories/list.ts‎
Lines changed: 34 additions & 5 deletions b/‎services/backend/src/routes/mcp/categories/list.ts‎
Lines changed: 34 additions & 5 deletions
@@ -7528,10 +7528,13 @@
         "tags": [
           "Teams"
         ],
-        "description": "Retrieves all teams that the currently authenticated user belongs to, including their role, admin status, ownership status, and member count.",
+        "description": "Retrieves all teams that the currently authenticated user belongs to, including their role, admin status, ownership status, and member count. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires teams:read scope for OAuth2 access.",
         "security": [
           {
             "cookieAuth": []
+          },
+          {
+            "bearerAuth": []
           }
         ],
         "responses": {
@@ -7649,7 +7652,42 @@
               "application/json": {
                 "schema": {
                   "schema": {
-                    "description": "Unauthorized - Authentication required",
+                    "description": "Unauthorized - Authentication required or invalid token",
+                    "type": "object",
+                    "properties": {
+                      "success": {
+                        "default": false,
+                        "description": "Indicates if the operation was successful (false for errors)",
+                        "type": "boolean"
+                      },
+                      "error": {
+                        "description": "Error message",
+                        "type": "string"
+                      },
+                      "details": {
+                        "description": "Additional error details (validation errors)",
+                        "type": "array",
+                        "items": {}
+                      }
+                    },
+                    "required": [
+                      "success",
+                      "error"
+                    ],
+                    "additionalProperties": false
+                  },
+                  "components": {}
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "schema": {
+                    "description": "Forbidden - Insufficient permissions or scope",
                     "type": "object",
                     "properties": {
                       "success": {
@@ -7722,7 +7760,7 @@
         "tags": [
           "Teams"
         ],
-        "description": "Retrieves a specific team by its ID with the current user's role and permissions within that team. User must be a member of the team.",
+        "description": "Retrieves a specific team by its ID with the current user's role and permissions within that team. User must be a member of the team. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires teams:read scope for OAuth2 access.",
         "parameters": [
           {
             "schema": {
@@ -7736,6 +7774,9 @@
         "security": [
           {
             "cookieAuth": []
+          },
+          {
+            "bearerAuth": []
           }
         ],
         "responses": {
@@ -7850,7 +7891,7 @@
               "application/json": {
                 "schema": {
                   "schema": {
-                    "description": "Unauthorized - Authentication required",
+                    "description": "Unauthorized - Authentication required or invalid token",
                     "type": "object",
                     "properties": {
                       "success": {
@@ -7885,7 +7926,7 @@
               "application/json": {
                 "schema": {
                   "schema": {
-                    "description": "Forbidden - Insufficient permissions",
+                    "description": "Forbidden - Insufficient permissions or scope",
                     "type": "object",
                     "properties": {
                       "success": {
@@ -12223,10 +12264,13 @@
         "tags": [
           "MCP Categories"
         ],
-        "description": "Retrieve all available MCP server categories for organization. No Content-Type header required for this GET request.",
+        "description": "Retrieve all available MCP server categories for organization. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:categories:read scope for OAuth2 access. No Content-Type header required for this GET request.",
         "security": [
           {
             "cookieAuth": []
+          },
+          {
+            "bearerAuth": []
           }
         ],
         "responses": {
@@ -12308,7 +12352,7 @@
               "application/json": {
                 "schema": {
                   "schema": {
-                    "description": "Unauthorized - Authentication required",
+                    "description": "Unauthorized - Authentication required or invalid token",
                     "type": "object",
                     "properties": {
                       "success": {
@@ -12336,7 +12380,7 @@
               "application/json": {
                 "schema": {
                   "schema": {
-                    "description": "Forbidden - Insufficient permissions",
+                    "description": "Forbidden - Insufficient permissions or scope",
                     "type": "object",
                     "properties": {
                       "success": {
 
@@ -5172,9 +5172,12 @@ paths:
         - Teams
       description: Retrieves all teams that the currently authenticated user belongs
         to, including their role, admin status, ownership status, and member
-        count.
+        count. Supports both cookie-based authentication (for web users) and
+        OAuth2 Bearer token authentication (for CLI users). Requires teams:read
+        scope for OAuth2 access.
       security:
         - cookieAuth: []
+        - bearerAuth: []
       responses:
         "200":
           description: Default Response
@@ -5260,7 +5263,32 @@ paths:
             application/json:
               schema:
                 schema:
-                  description: Unauthorized - Authentication required
+                  description: Unauthorized - Authentication required or invalid token
+                  type: object
+                  properties:
+                    success:
+                      default: false
+                      description: Indicates if the operation was successful (false for errors)
+                      type: boolean
+                    error:
+                      description: Error message
+                      type: string
+                    details:
+                      description: Additional error details (validation errors)
+                      type: array
+                      items: {}
+                  required:
+                    - success
+                    - error
+                  additionalProperties: false
+                components: {}
+        "403":
+          description: Default Response
+          content:
+            application/json:
+              schema:
+                schema:
+                  description: Forbidden - Insufficient permissions or scope
                   type: object
                   properties:
                     success:
@@ -5311,6 +5339,9 @@ paths:
         - Teams
       description: Retrieves a specific team by its ID with the current user's role
         and permissions within that team. User must be a member of the team.
+        Supports both cookie-based authentication (for web users) and OAuth2
+        Bearer token authentication (for CLI users). Requires teams:read scope
+        for OAuth2 access.
       parameters:
         - schema:
             type: string
@@ -5319,6 +5350,7 @@ paths:
           required: true
       security:
         - cookieAuth: []
+        - bearerAuth: []
       responses:
         "200":
           description: Default Response
@@ -5402,7 +5434,7 @@ paths:
             application/json:
               schema:
                 schema:
-                  description: Unauthorized - Authentication required
+                  description: Unauthorized - Authentication required or invalid token
                   type: object
                   properties:
                     success:
@@ -5427,7 +5459,7 @@ paths:
             application/json:
               schema:
                 schema:
-                  description: Forbidden - Insufficient permissions
+                  description: Forbidden - Insufficient permissions or scope
                   type: object
                   properties:
                     success:
@@ -8427,10 +8459,14 @@ paths:
       summary: List all MCP server categories
       tags:
         - MCP Categories
-      description: Retrieve all available MCP server categories for organization. No
-        Content-Type header required for this GET request.
+      description: Retrieve all available MCP server categories for organization.
+        Supports both cookie-based authentication (for web users) and OAuth2
+        Bearer token authentication (for CLI users). Requires
+        mcp:categories:read scope for OAuth2 access. No Content-Type header
+        required for this GET request.
       security:
         - cookieAuth: []
+        - bearerAuth: []
       responses:
         "200":
           description: Default Response
@@ -8482,7 +8518,7 @@ paths:
             application/json:
               schema:
                 schema:
-                  description: Unauthorized - Authentication required
+                  description: Unauthorized - Authentication required or invalid token
                   type: object
                   properties:
                     success:
@@ -8501,7 +8537,7 @@ paths:
             application/json:
               schema:
                 schema:
-                  description: Forbidden - Insufficient permissions
+                  description: Forbidden - Insufficient permissions or scope
                   type: object
                   properties:
                     success:
 
@@ -4,6 +4,7 @@ import { createSchema } from 'zod-openapi';
 import { McpCategoriesService } from '../../../services/mcpCategoriesService';
 import { getDb } from '../../../db';
 import { requirePermission } from '../../../middleware/roleMiddleware';
+import { requireAuthenticationAny, requireOAuthScope } from '../../../middleware/oauthMiddleware';
 
 // Response schema
 const categorySchema = z.object({
@@ -30,18 +31,46 @@ export default async function listCategories(server: FastifyInstance) {
     schema: {
       tags: ['MCP Categories'],
       summary: 'List all MCP server categories',
-      description: 'Retrieve all available MCP server categories for organization. No Content-Type header required for this GET request.',
-      security: [{ cookieAuth: [] }],
+      description: 'Retrieve all available MCP server categories for organization. Supports both cookie-based authentication (for web users) and OAuth2 Bearer token authentication (for CLI users). Requires mcp:categories:read scope for OAuth2 access. No Content-Type header required for this GET request.',
+      security: [
+        { cookieAuth: [] },
+        { bearerAuth: [] }
+      ],
       response: {
         200: createSchema(listCategoriesResponseSchema),
-        401: createSchema(errorResponseSchema.describe('Unauthorized - Authentication required')),
-        403: createSchema(errorResponseSchema.describe('Forbidden - Insufficient permissions')),
+        401: createSchema(errorResponseSchema.describe('Unauthorized - Authentication required or invalid token')),
+        403: createSchema(errorResponseSchema.describe('Forbidden - Insufficient permissions or scope')),
         500: createSchema(errorResponseSchema)
       }
     },
-    preValidation: requirePermission('mcp.categories.view')
+    preValidation: [
+      requireAuthenticationAny(),
+      requireOAuthScope('mcp:categories:read'),
+      requirePermission('mcp.categories.view')
+    ]
   }, async (request, reply) => {
     try {
+      if (!request.user) {
+        const errorResponse = {
+          success: false,
+          error: 'Authentication required'
+        };
+        const jsonString = JSON.stringify(errorResponse);
+        return reply.status(401).type('application/json').send(jsonString);
+      }
+
+      const authType = request.tokenPayload ? 'oauth2' : 'cookie';
+      const userId = request.user.id;
+
+      request.log.debug({
+        operation: 'list_mcp_categories',
+        userId,
+        authType,
+        clientId: request.tokenPayload?.clientId,
+        scope: request.tokenPayload?.scope,
+        endpoint: request.url
+      }, 'Authentication method determined for MCP categories listing');
+
       const db = getDb();
       const categoriesService = new McpCategoriesService(db, server.log);
       const categories = await categoriesService.getAllCategories();