Add OAuth token storage support

Author: dgellow

internal/server/mcp_handler.go

@@ -295,24 +295,36 @@ func (h *MCPHandler) getUserTokenIfAvailable(ctx context.Context, userEmail stri
 		return "", fmt.Errorf("storage not configured")
 	}
 
-	token, err := h.storage.GetUserToken(ctx, userEmail, h.serverName)
+	storedToken, err := h.storage.GetUserToken(ctx, userEmail, h.serverName)
 	if err != nil {
 		return "", err
 	}
 
-	// Validate token format if configured
+	// Extract the actual token string based on type
+	var tokenString string
+	switch storedToken.Type {
+	case storage.TokenTypeManual:
+		tokenString = storedToken.Value
+	case storage.TokenTypeOAuth:
+		if storedToken.OAuthData != nil {
+			tokenString = storedToken.OAuthData.AccessToken
+		}
+	}
+
+	// Validate token format if configured (only for manual tokens)
 	if h.serverConfig.UserAuthentication != nil &&
 		h.serverConfig.UserAuthentication.Type == config.UserAuthTypeManual &&
-		h.serverConfig.UserAuthentication.ValidationRegex != nil {
-		if !h.serverConfig.UserAuthentication.ValidationRegex.MatchString(token) {
+		h.serverConfig.UserAuthentication.ValidationRegex != nil &&
+		storedToken.Type == storage.TokenTypeManual {
+		if !h.serverConfig.UserAuthentication.ValidationRegex.MatchString(tokenString) {
 			log.LogWarnWithFields("mcp", "User token doesn't match expected format", map[string]any{
 				"user":    userEmail,
 				"service": h.serverName,
 			})
 		}
 	}
 
-	return token, nil
+	return tokenString, nil
 }
 
 func (h *MCPHandler) forwardMessageToBackend(ctx context.Context, w http.ResponseWriter, r *http.Request, config *config.MCPClientConfig) {

internal/server/mcp_handler_test.go

@@ -32,10 +32,13 @@ type mockStorage struct {
 }
 
 // Override only the methods we want to mock
-func (m *mockStorage) GetUserToken(ctx context.Context, userEmail, service string) (string, error) {
+func (m *mockStorage) GetUserToken(ctx context.Context, userEmail, service string) (*storage.StoredToken, error) {
 	if m.Mock.ExpectedCalls != nil {
 		args := m.Called(ctx, userEmail, service)
-		return args.String(0), args.Error(1)
+		if args.Get(0) == nil {
+			return nil, args.Error(1)
+		}
+		return args.Get(0).(*storage.StoredToken), args.Error(1)
 	}
 	return m.MemoryStorage.GetUserToken(ctx, userEmail, service)
 }

internal/server/token_handlers.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/dgellow/mcp-front/internal/config"
 	"github.com/dgellow/mcp-front/internal/crypto"
@@ -226,7 +227,14 @@ func (h *TokenHandlers) SetTokenHandler(w http.ResponseWriter, r *http.Request)
 		}
 	}
 
-	if err := h.tokenStore.SetUserToken(r.Context(), userEmail, serviceName, token); err != nil {
+	// Create StoredToken for manual entry
+	storedToken := &storage.StoredToken{
+		Type:      storage.TokenTypeManual,
+		Value:     token,
+		UpdatedAt: time.Now(),
+	}
+
+	if err := h.tokenStore.SetUserToken(r.Context(), userEmail, serviceName, storedToken); err != nil {
 		log.LogErrorWithFields("token", "Failed to store token", map[string]interface{}{
 			"error":   err.Error(),
 			"user":    userEmail,

internal/storage/firestore.go

@@ -34,10 +34,12 @@ var _ fosite.Storage = (*FirestoreStorage)(nil)
 
 // UserTokenDoc represents a user token document in Firestore
 type UserTokenDoc struct {
-	UserEmail string    `firestore:"user_email"`
-	Service   string    `firestore:"service"`
-	Token     string    `firestore:"token"` // Encrypted
-	UpdatedAt time.Time `firestore:"updated_at"`
+	UserEmail string          `firestore:"user_email"`
+	Service   string          `firestore:"service"`
+	Type      TokenType       `firestore:"type"`
+	Value     string          `firestore:"value,omitempty"`      // Encrypted manual token
+	OAuthData *OAuthTokenData `firestore:"oauth_data,omitempty"` // OAuth metadata (tokens encrypted)
+	UpdatedAt time.Time       `firestore:"updated_at"`
 }
 
 // OAuthClientEntity represents the structure stored in Firestore
@@ -361,47 +363,121 @@ func (s *FirestoreStorage) makeUserTokenDocID(userEmail, service string) string
 }
 
 // GetUserToken retrieves a user's token for a specific service
-func (s *FirestoreStorage) GetUserToken(ctx context.Context, userEmail, service string) (string, error) {
+func (s *FirestoreStorage) GetUserToken(ctx context.Context, userEmail, service string) (*StoredToken, error) {
 	docID := s.makeUserTokenDocID(userEmail, service)
 	doc, err := s.client.Collection(s.tokenCollection).Doc(docID).Get(ctx)
 	if err != nil {
 		if status.Code(err) == codes.NotFound {
-			return "", ErrUserTokenNotFound
+			return nil, ErrUserTokenNotFound
 		}
-		return "", fmt.Errorf("failed to get token from Firestore: %w", err)
+		return nil, fmt.Errorf("failed to get token from Firestore: %w", err)
 	}
 
 	var tokenDoc UserTokenDoc
 	if err := doc.DataTo(&tokenDoc); err != nil {
-		return "", fmt.Errorf("failed to unmarshal token: %w", err)
+		return nil, fmt.Errorf("failed to unmarshal token: %w", err)
 	}
 
-	// Decrypt the token
-	decrypted, err := s.encryptor.Decrypt(tokenDoc.Token)
-	if err != nil {
-		return "", fmt.Errorf("failed to decrypt token: %w", err)
+	// Build StoredToken
+	storedToken := &StoredToken{
+		Type:      tokenDoc.Type,
+		UpdatedAt: tokenDoc.UpdatedAt,
+	}
+
+	// Decrypt based on type
+	switch tokenDoc.Type {
+	case TokenTypeManual:
+		if tokenDoc.Value != "" {
+			decrypted, err := s.encryptor.Decrypt(tokenDoc.Value)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decrypt manual token: %w", err)
+			}
+			storedToken.Value = decrypted
+		}
+	case TokenTypeOAuth:
+		if tokenDoc.OAuthData != nil {
+			// Decrypt OAuth tokens
+			decryptedAccess, err := s.encryptor.Decrypt(tokenDoc.OAuthData.AccessToken)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decrypt access token: %w", err)
+			}
+
+			oauthData := &OAuthTokenData{
+				AccessToken: decryptedAccess,
+				TokenType:   tokenDoc.OAuthData.TokenType,
+				ExpiresAt:   tokenDoc.OAuthData.ExpiresAt,
+				Scopes:      tokenDoc.OAuthData.Scopes,
+			}
+
+			if tokenDoc.OAuthData.RefreshToken != "" {
+				decryptedRefresh, err := s.encryptor.Decrypt(tokenDoc.OAuthData.RefreshToken)
+				if err != nil {
+					return nil, fmt.Errorf("failed to decrypt refresh token: %w", err)
+				}
+				oauthData.RefreshToken = decryptedRefresh
+			}
+
+			storedToken.OAuthData = oauthData
+		}
 	}
 
-	return decrypted, nil
+	return storedToken, nil
 }
 
 // SetUserToken stores or updates a user's token for a specific service
-func (s *FirestoreStorage) SetUserToken(ctx context.Context, userEmail, service, token string) error {
-	// Encrypt the token before storing
-	encrypted, err := s.encryptor.Encrypt(token)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt token: %w", err)
+func (s *FirestoreStorage) SetUserToken(ctx context.Context, userEmail, service string, token *StoredToken) error {
+	if token == nil {
+		return fmt.Errorf("token cannot be nil")
 	}
 
 	docID := s.makeUserTokenDocID(userEmail, service)
 	tokenDoc := UserTokenDoc{
 		UserEmail: userEmail,
 		Service:   service,
-		Token:     encrypted,
+		Type:      token.Type,
 		UpdatedAt: time.Now(),
 	}
 
-	_, err = s.client.Collection(s.tokenCollection).Doc(docID).Set(ctx, tokenDoc)
+	// Encrypt based on type
+	switch token.Type {
+	case TokenTypeManual:
+		if token.Value != "" {
+			encrypted, err := s.encryptor.Encrypt(token.Value)
+			if err != nil {
+				return fmt.Errorf("failed to encrypt manual token: %w", err)
+			}
+			tokenDoc.Value = encrypted
+		}
+	case TokenTypeOAuth:
+		if token.OAuthData != nil {
+			// Encrypt OAuth tokens
+			encryptedAccess, err := s.encryptor.Encrypt(token.OAuthData.AccessToken)
+			if err != nil {
+				return fmt.Errorf("failed to encrypt access token: %w", err)
+			}
+
+			oauthData := &OAuthTokenData{
+				AccessToken: encryptedAccess,
+				TokenType:   token.OAuthData.TokenType,
+				ExpiresAt:   token.OAuthData.ExpiresAt,
+				Scopes:      token.OAuthData.Scopes,
+			}
+
+			if token.OAuthData.RefreshToken != "" {
+				encryptedRefresh, err := s.encryptor.Encrypt(token.OAuthData.RefreshToken)
+				if err != nil {
+					return fmt.Errorf("failed to encrypt refresh token: %w", err)
+				}
+				oauthData.RefreshToken = encryptedRefresh
+			}
+
+			tokenDoc.OAuthData = oauthData
+		}
+	default:
+		return fmt.Errorf("unknown token type: %s", token.Type)
+	}
+
+	_, err := s.client.Collection(s.tokenCollection).Doc(docID).Set(ctx, tokenDoc)
 	if err != nil {
 		return fmt.Errorf("failed to store token in Firestore: %w", err)
 	}

internal/storage/memory.go

@@ -2,6 +2,7 @@ package storage
 
 import (
 	"context"
+	"fmt"
 	"strings"
 	"sync"
 	"time"
@@ -19,9 +20,9 @@ var _ fosite.Storage = (*MemoryStorage)(nil)
 // It extends the MemoryStore with thread-safe client management
 type MemoryStorage struct {
 	*storage.MemoryStore
-	stateCache      sync.Map          // map[string]fosite.AuthorizeRequester
-	clientsMutex    sync.RWMutex      // For thread-safe client access
-	userTokens      map[string]string // map["email:service"] = token
+	stateCache      sync.Map                // map[string]fosite.AuthorizeRequester
+	clientsMutex    sync.RWMutex            // For thread-safe client access
+	userTokens      map[string]*StoredToken // map["email:service"] = token
 	userTokensMutex sync.RWMutex
 	users           map[string]*UserInfo // map[email] = UserInfo
 	usersMutex      sync.RWMutex
@@ -33,7 +34,7 @@ type MemoryStorage struct {
 func NewMemoryStorage() *MemoryStorage {
 	return &MemoryStorage{
 		MemoryStore: storage.NewMemoryStore(),
-		userTokens:  make(map[string]string),
+		userTokens:  make(map[string]*StoredToken),
 		users:       make(map[string]*UserInfo),
 		sessions:    make(map[string]*ActiveSession),
 	}
@@ -140,20 +141,24 @@ func (s *MemoryStorage) makeUserTokenKey(userEmail, service string) string {
 }
 
 // GetUserToken retrieves a user's token for a specific service
-func (s *MemoryStorage) GetUserToken(ctx context.Context, userEmail, service string) (string, error) {
+func (s *MemoryStorage) GetUserToken(ctx context.Context, userEmail, service string) (*StoredToken, error) {
 	s.userTokensMutex.RLock()
 	defer s.userTokensMutex.RUnlock()
 
 	key := s.makeUserTokenKey(userEmail, service)
 	token, exists := s.userTokens[key]
 	if !exists {
-		return "", ErrUserTokenNotFound
+		return nil, ErrUserTokenNotFound
 	}
 	return token, nil
 }
 
 // SetUserToken stores or updates a user's token for a specific service
-func (s *MemoryStorage) SetUserToken(ctx context.Context, userEmail, service, token string) error {
+func (s *MemoryStorage) SetUserToken(ctx context.Context, userEmail, service string, token *StoredToken) error {
+	if token == nil {
+		return fmt.Errorf("token cannot be nil")
+	}
+
 	s.userTokensMutex.Lock()
 	defer s.userTokensMutex.Unlock()
 

internal/storage/storage.go

@@ -27,6 +27,31 @@ type UserInfo struct {
 	IsAdmin   bool      `json:"is_admin"`
 }
 
+// TokenType represents the type of stored token
+type TokenType string
+
+const (
+	TokenTypeManual TokenType = "manual"
+	TokenTypeOAuth  TokenType = "oauth"
+)
+
+// OAuthTokenData represents OAuth token metadata
+type OAuthTokenData struct {
+	AccessToken  string    `json:"access_token"`
+	RefreshToken string    `json:"refresh_token,omitempty"`
+	TokenType    string    `json:"token_type,omitempty"`
+	ExpiresAt    time.Time `json:"expires_at,omitempty"`
+	Scopes       []string  `json:"scopes,omitempty"`
+}
+
+// StoredToken represents a token with its metadata
+type StoredToken struct {
+	Type      TokenType       `json:"type"`
+	Value     string          `json:"value,omitempty"` // For manual tokens
+	OAuthData *OAuthTokenData `json:"oauth,omitempty"` // For OAuth tokens
+	UpdatedAt time.Time       `json:"updated_at"`
+}
+
 // ActiveSession represents an active MCP session
 type ActiveSession struct {
 	SessionID  string    `json:"session_id"`
@@ -40,8 +65,8 @@ type ActiveSession struct {
 // This interface is used by handlers that need to access user-specific tokens
 // for external services (e.g., Notion, GitHub).
 type UserTokenStore interface {
-	GetUserToken(ctx context.Context, userEmail, service string) (string, error)
-	SetUserToken(ctx context.Context, userEmail, service, token string) error
+	GetUserToken(ctx context.Context, userEmail, service string) (*StoredToken, error)
+	SetUserToken(ctx context.Context, userEmail, service string, token *StoredToken) error
 	DeleteUserToken(ctx context.Context, userEmail, service string) error
 	ListUserServices(ctx context.Context, userEmail string) ([]string, error)
 }

internal/testutil/mocks.go

@@ -3,6 +3,7 @@ package testutil
 import (
 	"context"
 
+	"github.com/dgellow/mcp-front/internal/storage"
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
 	"github.com/stretchr/testify/mock"
@@ -157,12 +158,15 @@ type MockUserTokenStore struct {
 	mock.Mock
 }
 
-func (m *MockUserTokenStore) GetUserToken(ctx context.Context, userEmail, serverName string) (string, error) {
+func (m *MockUserTokenStore) GetUserToken(ctx context.Context, userEmail, serverName string) (*storage.StoredToken, error) {
 	args := m.Called(ctx, userEmail, serverName)
-	return args.String(0), args.Error(1)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*storage.StoredToken), args.Error(1)
 }
 
-func (m *MockUserTokenStore) SetUserToken(ctx context.Context, userEmail, serverName, token string) error {
+func (m *MockUserTokenStore) SetUserToken(ctx context.Context, userEmail, serverName string, token *storage.StoredToken) error {
 	args := m.Called(ctx, userEmail, serverName, token)
 	return args.Error(0)
 }