finish exercise 4 instructions

Author: kentcdodds

exercises/04.user/01.problem.token/README.mdx

@@ -1 +1,57 @@
 # Client Token
+
+👨‍💼 When we make requests using `this.db` (our db client), we need to include the user's authentication token so that the server knows who the user is and what they're allowed to access.
+
+Right now the db client doesn't accept a token, so you need to update it to do so.
+
+```ts
+// Create a client that knows who the user is
+const db = getClient(userOAuthToken)
+const entries = await db.getEntries() // Only gets THIS user's entries
+```
+
+<callout-warning class="important">
+	If there's no authentication token, we shouldn't even try to create a database
+	connection. The user needs to be properly authenticated first!
+</callout-warning>
+
+```mermaid
+sequenceDiagram
+    MCP Client->>MCP Server: Requests journal entries
+    MCP Server->>Auth: Validates OAuth token
+    Auth-->>MCP Server: Returns user identity
+    MCP Server->>MCP Server: Create client with token
+    MCP Server->>DB: get entries (with token)
+    DB-->>MCP Server: Returns user's entries only
+    MCP Server-->>MCP Client: Shows personal journal entries
+```
+
+<callout-muted>
+	📜 For more details on OAuth tokens and authentication flows, see the [OAuth
+	2.0 specification](https://tools.ietf.org/html/rfc6749).
+</callout-muted>
+
+The tricky part of this is how to get the auth info we get from the request into `EpicMeMCP` (our instance of the `McpAgent`). To do this with Cloudflare, we set the `ctx.props`:
+
+```ts lines=1-3,5,15
+type State = {}
+type Props = { greeting: string }
+export class MyMCP extends McpAgent<Env, State, Props> {
+	async init() {
+		console.log(this.props?.greeting)
+	}
+}
+
+export default {
+	fetch: async (request, env, ctx) => {
+		// ...
+		const url = new URL(request.url)
+		const mcp = MyMCP.serve('/mcp')
+
+		ctx.props.greeting = 'Hello, world!'
+		return mcp.fetch(request, env, ctx)
+	},
+} satisfies ExportedHandler<Env>
+```
+
+Note, out of an abundance of caution, the types for `this.props` is `Props | undefined`. This means you need to check if it's undefined before using it. I recommend using the `invariant` function to throw an error if it's `undefined` because that should really never happen.

exercises/04.user/01.solution.token/README.mdx

@@ -1 +1,3 @@
 # Client Token
+
+👨‍💼 Excellent work! We've successfully implemented user-specific database access by passing authentication tokens to our database client. This is a crucial step in securing our MCP server. It ensures each user only sees their own data.

exercises/04.user/02.problem.user/README.mdx

@@ -1 +1,9 @@
 # Require User
+
+👨‍💼 Now that we have the client authenticated with the token, let's make a utility to get the user and also provide tools and resources to retrieve the user data.
+
+🧝‍♀️ I created a resource and a tool for you, all you need to do is implement the `requireUser` utility then use that in the tool and resource. Feel free to <PrevDiffLink>check out my changes</PrevDiffLink> if you want.
+
+👨‍💼 Great! Ok, so the goal is to make user data accessible throughout our MCP server while maintaining security and providing a seamless, personalized experience for every journaling session.
+
+Now, implement the `requireUser` utility so our tools and resources can provide users with their personalized journaling experience.

exercises/04.user/02.solution.user/README.mdx

@@ -1 +1,3 @@
 # Require User
+
+👨‍💼 Excellent work! Now clients can retrieve information about the currently logged in user.

exercises/04.user/FINISHED.mdx

@@ -1 +1,7 @@
 # Using the User
+
+Congratulations! You've successfully implemented user-specific functionality in your MCP server. You've moved from a generic MCP server into a personalized, secure system that knows who each user is and ensures they only access their own data.
+
+You also now understand how to pass authentication information through Cloudflare's context system using `ctx.props`, and then using that information to create user-specific database clients and utility functions to access it in the tools, resources, and prompts.
+
+Let's keep moving to continue building on this foundation with scope-based permissions.

exercises/05.scopes/03.solution.scope-hints/src/resources.ts

@@ -14,7 +14,10 @@ export async function initializeResources(agent: EpicMeMCP) {
 					contents: [
 						{
 							mimeType: 'application/json',
-							text: JSON.stringify(user),
+							text: JSON.stringify({
+								user,
+								scopes: agent.requireAuthInfo().scopes,
+							}),
 							uri: uri.toString(),
 						},
 					],

exercises/05.scopes/03.solution.scope-hints/src/tools.ts

@@ -40,7 +40,16 @@ export async function initializeTools(agent: EpicMeMCP) {
 				}
 				return {
 					structuredContent,
-					content: [createText(structuredContent)],
+					content: [
+						{
+							type: 'resource_link',
+							uri: 'epicme://users/current',
+							name: 'Current User',
+							description: 'Info on the currently logged in user',
+							mimeType: 'application/json',
+						},
+						createText(structuredContent),
+					],
 				}
 			},
 		)