docuseal

Commit Graph

Author	SHA1	Message	Date
Ortes	104684f163	fix(oauth): plaintext_token in specs, allow loopback redirect, fix throttle test Three issues surfaced running the suite in docker: - hash_token_secrets stores the access token hashed; specs must use access_token.plaintext_token (not .token) when posing as a client - Doorkeeper's Application model rejects non-HTTPS redirect_uri by default; add force_ssl_in_redirect_uri to allow loopback per OAuth 2.1 - test env uses :null_store, so Rails.cache.increment returned nil and the DCR throttle never fired — stub a real MemoryStore in that spec Also slim Dockerfile.test: drop chromium + chromium-chromedriver (unused by OAuth specs, added ~4min to the build). Add a comment pointing at the apk line to re-enable them for system specs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2 weeks ago
Ortes	21d0b6bf3e	feat(mcp): OAuth 2.1 authorization for the /mcp endpoint Adds Doorkeeper-backed OAuth 2.1 (PKCE, public clients, RFC 7591 DCR) so Claude connectors can authorize against DocuSeal without a pre-shared token. The existing McpToken bearer stays as a fallback. - Mount Doorkeeper at /oauth/* plus root aliases (/authorize, /token, /register) for clients that strip paths - Serve RFC 8414 + RFC 9728 discovery at /.well-known/oauth-* - /register implements RFC 7591 DCR for public clients with an IP throttle; redirect_uri restricted to https + loopback - McpController now resolves current_user from a Doorkeeper access token first, emits the RFC 9728 WWW-Authenticate header on 401 - Weekly sweeper for abandoned DCR applications (external cron) - Link Connected apps from MCP settings Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2 weeks ago

Author

SHA1

Message

Date

Ortes

104684f163

fix(oauth): plaintext_token in specs, allow loopback redirect, fix throttle test

Three issues surfaced running the suite in docker:

- hash_token_secrets stores the access token hashed; specs must use
  access_token.plaintext_token (not .token) when posing as a client
- Doorkeeper's Application model rejects non-HTTPS redirect_uri by
  default; add force_ssl_in_redirect_uri to allow loopback per OAuth 2.1
- test env uses :null_store, so Rails.cache.increment returned nil and
  the DCR throttle never fired — stub a real MemoryStore in that spec

Also slim Dockerfile.test: drop chromium + chromium-chromedriver
(unused by OAuth specs, added ~4min to the build). Add a comment
pointing at the apk line to re-enable them for system specs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Ortes

21d0b6bf3e

feat(mcp): OAuth 2.1 authorization for the /mcp endpoint

Adds Doorkeeper-backed OAuth 2.1 (PKCE, public clients, RFC 7591 DCR)
so Claude connectors can authorize against DocuSeal without a
pre-shared token. The existing McpToken bearer stays as a fallback.

- Mount Doorkeeper at /oauth/* plus root aliases (/authorize, /token,
  /register) for clients that strip paths
- Serve RFC 8414 + RFC 9728 discovery at /.well-known/oauth-*
- /register implements RFC 7591 DCR for public clients with an IP
  throttle; redirect_uri restricted to https + loopback
- McpController now resolves current_user from a Doorkeeper access
  token first, emits the RFC 9728 WWW-Authenticate header on 401
- Weekly sweeper for abandoned DCR applications (external cron)
- Link Connected apps from MCP settings

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2 Commits (104684f163c48dc24d16bc051b86054ba433b8d7)