Replace TokenSetup with UserAuthentication config

Support both manual tokens and OAuth flows. Add Secret type for sensitive fields.

Author: dgellow

internal/client/client.go

@@ -162,7 +162,7 @@ func (c *Client) addToolsToServer(
 	tokenStore storage.UserTokenStore,
 	serverName string,
 	setupBaseURL string,
-	tokenSetup *config.TokenSetupConfig,
+	userAuth *config.UserAuthentication,
 	session server.ClientSession,
 ) error {
 	toolsRequest := mcp.ListToolsRequest{}
@@ -251,7 +251,7 @@ func (c *Client) addToolsToServer(
 						userEmail,
 						serverName,
 						setupBaseURL,
-						tokenSetup,
+						userAuth,
 					)
 				} else {
 					handler = c.client.CallTool
@@ -412,7 +412,7 @@ func (c *Client) wrapToolHandler(
 	userEmail string,
 	serverName string,
 	setupBaseURL string,
-	tokenSetup *config.TokenSetupConfig,
+	userAuth *config.UserAuthentication,
 ) func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 	return func(toolCtx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 		// Log tool invocation
@@ -435,7 +435,7 @@ func (c *Client) wrapToolHandler(
 				errorData := createTokenRequiredError(
 					serverName,
 					setupBaseURL,
-					tokenSetup,
+					userAuth,
 					"configuration error: this service requires user tokens but OAuth is not properly configured.",
 				)
 
@@ -449,14 +449,14 @@ func (c *Client) wrapToolHandler(
 				tokenSetupURL := fmt.Sprintf("%s/my/tokens", setupBaseURL)
 
 				var errorMessage string
-				if tokenSetup != nil {
+				if userAuth != nil {
 					errorMessage = fmt.Sprintf(
 						"token required: %s requires a user token to access the API. "+
 							"please visit %s to set up your %s token. %s",
-						tokenSetup.DisplayName,
+						userAuth.DisplayName,
 						tokenSetupURL,
-						tokenSetup.DisplayName,
-						tokenSetup.Instructions,
+						userAuth.DisplayName,
+						userAuth.Instructions,
 					)
 				} else {
 					errorMessage = fmt.Sprintf(
@@ -469,7 +469,7 @@ func (c *Client) wrapToolHandler(
 				errorData := createTokenRequiredError(
 					serverName,
 					setupBaseURL,
-					tokenSetup,
+					userAuth,
 					errorMessage,
 				)
 
@@ -509,7 +509,7 @@ func (c *Client) Close() error {
 }
 
 // createTokenRequiredError creates the structured error for missing user tokens
-func createTokenRequiredError(serverName, setupBaseURL string, tokenSetup *config.TokenSetupConfig, message string) map[string]interface{} {
+func createTokenRequiredError(serverName, setupBaseURL string, userAuth *config.UserAuthentication, message string) map[string]interface{} {
 	tokenSetupURL := fmt.Sprintf("%s/my/tokens", setupBaseURL)
 
 	return map[string]interface{}{

internal/client/session_manager.go

@@ -251,7 +251,7 @@ func (s *StdioSession) DiscoverAndRegisterCapabilities(
 	tokenStore storage.UserTokenStore,
 	serverName string,
 	setupBaseURL string,
-	tokenSetup *config.TokenSetupConfig,
+	userAuth *config.UserAuthentication,
 	session server.ClientSession,
 ) error {
 	// Initialize the client
@@ -289,11 +289,11 @@ func (s *StdioSession) DiscoverAndRegisterCapabilities(
 		"sessionID":         session.SessionID(),
 		"userEmail":         userEmail,
 		"requiresUserToken": requiresToken,
-		"hasTokenSetup":     tokenSetup != nil,
+		"hasTokenSetup":     userAuth != nil,
 	})
 
 	// Discover and register tools
-	if err := s.client.addToolsToServer(ctx, mcpServer, userEmail, requiresToken, tokenStore, serverName, setupBaseURL, tokenSetup, session); err != nil {
+	if err := s.client.addToolsToServer(ctx, mcpServer, userEmail, requiresToken, tokenStore, serverName, setupBaseURL, userAuth, session); err != nil {
 		return err
 	}
 

internal/config/load.go

@@ -204,9 +204,9 @@ func validateMCPServer(name string, server *MCPClientConfig) error {
 		return fmt.Errorf("server %s has invalid transportType: %s", name, server.TransportType)
 	}
 
-	// Validate token setup if required
-	if server.RequiresUserToken && server.TokenSetup == nil {
-		return fmt.Errorf("server %s requires user token but has no tokenSetup", name)
+	// Validate user authentication if required
+	if server.RequiresUserToken && server.UserAuthentication == nil {
+		return fmt.Errorf("server %s requires user token but has no userAuthentication", name)
 	}
 
 	return nil

internal/config/load_test.go

@@ -25,7 +25,8 @@ func TestValidateConfig_UserTokensRequireOAuth(t *testing.T) {
 						TransportType:     MCPClientTypeSSE,
 						URL:               "https://notion.example.com",
 						RequiresUserToken: true,
-						TokenSetup: &TokenSetupConfig{
+						UserAuthentication: &UserAuthentication{
+							Type:        UserAuthTypeManual,
 							DisplayName: "Notion",
 						},
 					},
@@ -56,7 +57,8 @@ func TestValidateConfig_UserTokensRequireOAuth(t *testing.T) {
 						TransportType:     MCPClientTypeSSE,
 						URL:               "https://notion.example.com",
 						RequiresUserToken: true,
-						TokenSetup: &TokenSetupConfig{
+						UserAuthentication: &UserAuthentication{
+							Type:        UserAuthTypeManual,
 							DisplayName: "Notion",
 						},
 					},

internal/config/secret_test.go

@@ -0,0 +1,112 @@
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestSecretRedaction(t *testing.T) {
+	tests := []struct {
+		name   string
+		secret Secret
+		want   string
+	}{
+		{
+			name:   "non-empty secret",
+			secret: Secret("super-secret-password"),
+			want:   "***",
+		},
+		{
+			name:   "empty secret",
+			secret: Secret(""),
+			want:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test String() method
+			if got := tt.secret.String(); got != tt.want {
+				t.Errorf("Secret.String() = %v, want %v", got, tt.want)
+			}
+
+			// Test fmt.Sprintf behavior
+			formatted := fmt.Sprintf("value: %s", tt.secret)
+			expectedFormatted := "value: " + tt.want
+			if formatted != expectedFormatted {
+				t.Errorf("fmt.Sprintf = %v, want %v", formatted, expectedFormatted)
+			}
+
+			// Test fmt.Printf (capture output)
+			output := fmt.Sprintf("password: %v", tt.secret)
+			if tt.secret != "" && strings.Contains(output, string(tt.secret)) {
+				t.Errorf("fmt.Printf leaked secret: %v", output)
+			}
+		})
+	}
+}
+
+func TestSecretJSONMarshal(t *testing.T) {
+	type configWithSecrets struct {
+		Username string `json:"username"`
+		Password Secret `json:"password"`
+		APIKey   Secret `json:"apiKey"`
+	}
+
+	cfg := configWithSecrets{
+		Username: "admin",
+		Password: Secret("super-secret-password"),
+		APIKey:   Secret("sk-1234567890abcdef"),
+	}
+
+	data, err := json.Marshal(cfg)
+	if err != nil {
+		t.Fatalf("json.Marshal failed: %v", err)
+	}
+
+	jsonStr := string(data)
+
+	// Check that secrets are redacted
+	if strings.Contains(jsonStr, "super-secret-password") {
+		t.Errorf("JSON contains unredacted password: %s", jsonStr)
+	}
+	if strings.Contains(jsonStr, "sk-1234567890abcdef") {
+		t.Errorf("JSON contains unredacted API key: %s", jsonStr)
+	}
+
+	// Check that username is not redacted
+	if !strings.Contains(jsonStr, "admin") {
+		t.Errorf("JSON doesn't contain username: %s", jsonStr)
+	}
+
+	// Check expected JSON structure
+	expected := `{"username":"admin","password":"***","apiKey":"***"}`
+	if jsonStr != expected {
+		t.Errorf("JSON = %s, want %s", jsonStr, expected)
+	}
+}
+
+func TestSecretInStruct(t *testing.T) {
+	auth := ServiceAuth{
+		Type:           ServiceAuthTypeBasic,
+		Username:       "testuser",
+		HashedPassword: Secret("$2a$10$abcdef..."),
+		UserToken:      Secret("token-12345"),
+	}
+
+	// Test struct string representation
+	str := fmt.Sprintf("%+v", auth)
+	if strings.Contains(str, "$2a$10$abcdef") {
+		t.Errorf("Struct representation leaked hashed password: %s", str)
+	}
+	if strings.Contains(str, "token-12345") {
+		t.Errorf("Struct representation leaked token: %s", str)
+	}
+
+	// Individual field access should still redact
+	if auth.HashedPassword.String() != "***" {
+		t.Errorf("HashedPassword.String() = %v, want ***", auth.HashedPassword.String())
+	}
+}

internal/config/types.go

@@ -8,6 +8,25 @@ import (
 	"time"
 )
 
+// Secret is a string type that redacts itself when printed
+type Secret string
+
+// String implements fmt.Stringer to redact the secret
+func (s Secret) String() string {
+	if s == "" {
+		return ""
+	}
+	return "***"
+}
+
+// MarshalJSON implements json.Marshaler to prevent secrets in JSON logs
+func (s Secret) MarshalJSON() ([]byte, error) {
+	if s == "" {
+		return json.Marshal("")
+	}
+	return json.Marshal("***")
+}
+
 // MCPClientType represents the transport type for MCP clients
 type MCPClientType string
 
@@ -46,15 +65,6 @@ type Options struct {
 	ToolFilter     *ToolFilterConfig `json:"toolFilter,omitempty"`
 }
 
-// TokenSetupConfig provides information for users to set up their tokens
-type TokenSetupConfig struct {
-	DisplayName   string         `json:"displayName"`
-	Instructions  string         `json:"instructions"`
-	HelpURL       string         `json:"helpUrl,omitempty"`
-	TokenFormat   string         `json:"tokenFormat,omitempty"`
-	CompiledRegex *regexp.Regexp `json:"-"`
-}
-
 // ServiceAuthType represents the type of service authentication
 type ServiceAuthType string
 
@@ -63,23 +73,65 @@ const (
 	ServiceAuthTypeBasic  ServiceAuthType = "basic"
 )
 
+// UserAuthType represents the type of user authentication
+type UserAuthType string
+
+const (
+	// UserAuthTypeManual indicates that users manually provide API tokens/keys
+	// through the web UI. These tokens are stored encrypted and injected into
+	// MCP servers as configured.
+	UserAuthTypeManual UserAuthType = "manual"
+
+	// UserAuthTypeOAuth indicates OAuth 2.0 authorization code flow is used.
+	// Users click "Connect with X" and are redirected to the service's OAuth
+	// consent page. The resulting access tokens are stored, automatically
+	// refreshed, and injected into MCP servers.
+	UserAuthTypeOAuth UserAuthType = "oauth"
+)
+
 // ServiceAuth represents authentication method for service-to-service communication
 type ServiceAuth struct {
 	Type ServiceAuthType `json:"type"`
 
 	// For basic auth
-	Username string          `json:"username,omitempty"`
-	Password json.RawMessage `json:"password,omitempty"`
+	Username    string          `json:"username,omitempty"`
+	PasswordRaw json.RawMessage `json:"password,omitempty"`
 
 	// For bearer auth
 	Tokens []string `json:"tokens,omitempty"`
 
 	// User token to inject when requiresUserToken is true
-	UserToken json.RawMessage `json:"userToken,omitempty"`
+	UserTokenRaw json.RawMessage `json:"userToken,omitempty"`
+
+	// Computed fields
+	HashedPassword Secret `json:"-"` // bcrypt hash for basic auth
+	UserToken      Secret `json:"-"` // parsed user token
+}
+
+// UserAuthentication represents authentication configuration for end users
+type UserAuthentication struct {
+	Type        UserAuthType `json:"type"`
+	DisplayName string       `json:"displayName"`
+
+	// For OAuth
+	ClientIDRaw      json.RawMessage `json:"clientId,omitempty"`
+	ClientSecretRaw  json.RawMessage `json:"clientSecret,omitempty"`
+	AuthorizationURL string          `json:"authorizationUrl,omitempty"`
+	TokenURL         string          `json:"tokenUrl,omitempty"`
+	Scopes           []string        `json:"scopes,omitempty"`
+
+	// For Manual
+	Instructions string `json:"instructions,omitempty"`
+	HelpURL      string `json:"helpUrl,omitempty"`
+	Validation   string `json:"validation,omitempty"`
+
+	// Common
+	TokenFormat string `json:"tokenFormat,omitempty"`
 
 	// Computed fields
-	HashedPassword    string `json:"-"` // bcrypt hash for basic auth
-	ResolvedUserToken string `json:"-"` // resolved user token
+	ClientID        Secret         `json:"-"`
+	ClientSecret    Secret         `json:"-"`
+	ValidationRegex *regexp.Regexp `json:"-"`
 }
 
 // MCPClientConfig represents the configuration for an MCP client after parsing.
@@ -125,8 +177,8 @@ type MCPClientConfig struct {
 	Options *Options `json:"options,omitempty"`
 
 	// User token requirements
-	RequiresUserToken bool              `json:"requiresUserToken,omitempty"`
-	TokenSetup        *TokenSetupConfig `json:"tokenSetup,omitempty"`
+	RequiresUserToken  bool                `json:"requiresUserToken,omitempty"`
+	UserAuthentication *UserAuthentication `json:"userAuthentication,omitempty"`
 
 	// Service-to-service authentication
 	ServiceAuths []ServiceAuth `json:"serviceAuths,omitempty"`
@@ -160,10 +212,10 @@ type OAuthAuthConfig struct {
 	FirestoreDatabase   string   `json:"firestoreDatabase,omitempty"`   // Optional: Firestore database name
 	FirestoreCollection string   `json:"firestoreCollection,omitempty"` // Optional: Firestore collection name
 	GoogleClientID      string   `json:"googleClientId"`
-	GoogleClientSecret  string   `json:"googleClientSecret"`
+	GoogleClientSecret  Secret   `json:"googleClientSecret"`
 	GoogleRedirectURI   string   `json:"googleRedirectUri"`
-	JWTSecret           string   `json:"jwtSecret"`
-	EncryptionKey       string   `json:"encryptionKey"`
+	JWTSecret           Secret   `json:"jwtSecret"`
+	EncryptionKey       Secret   `json:"encryptionKey"`
 }
 
 // ProxyConfig represents the proxy configuration with resolved values