feat(mcp): add /api/me/mcp-connections list + revoke endpoints

GET returns all OAuth consents for the current user with client name,
scopes, connectedAt, and last-used timestamp. DELETE transactionally
revokes consent, access tokens, and refresh tokens for a given client;
idempotent (returns revoked: false if no consent existed).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Ripwords

apps/dashboard/server/api/me/mcp-connections.get.ts

@@ -0,0 +1,53 @@
+import { defineEventHandler } from "h3"
+import { eq, desc } from "drizzle-orm"
+import { db } from "../../db"
+import { oauthConsent, oauthClient, oauthAccessToken } from "../../db/schema/auth-schema"
+import { requireSession } from "../../lib/permissions"
+
+/**
+ * Returns the OAuth consents (= connected MCP apps) for the current user.
+ * Each entry includes the client name (from RFC 7591 registration), connected
+ * date, last-used timestamp, and the scopes granted.
+ */
+export default defineEventHandler(async (event) => {
+  const session = await requireSession(event)
+
+  const consents = await db
+    .select({
+      clientId: oauthConsent.clientId,
+      scopes: oauthConsent.scopes,
+      createdAt: oauthConsent.createdAt,
+      clientName: oauthClient.name,
+    })
+    .from(oauthConsent)
+    .innerJoin(oauthClient, eq(oauthClient.clientId, oauthConsent.clientId))
+    .where(eq(oauthConsent.userId, session.userId))
+    .orderBy(desc(oauthConsent.createdAt))
+
+  // Last-used per client = latest access token's createdAt for that (user, client) pair.
+  const lastUsedByClient = new Map<string, Date>()
+  const lastUsedResults = await Promise.all(
+    consents.map((c) =>
+      db
+        .select({ createdAt: oauthAccessToken.createdAt })
+        .from(oauthAccessToken)
+        .where(eq(oauthAccessToken.clientId, c.clientId))
+        .orderBy(desc(oauthAccessToken.createdAt))
+        .limit(1)
+        .then((rows) => ({ clientId: c.clientId, createdAt: rows[0]?.createdAt ?? null })),
+    ),
+  )
+  for (const r of lastUsedResults) {
+    if (r.createdAt) lastUsedByClient.set(r.clientId, r.createdAt)
+  }
+
+  return {
+    connections: consents.map((c) => ({
+      clientId: c.clientId,
+      clientName: c.clientName ?? "Unknown",
+      scopes: c.scopes ?? [],
+      connectedAt: c.createdAt,
+      lastUsedAt: lastUsedByClient.get(c.clientId) ?? null,
+    })),
+  }
+})

apps/dashboard/server/api/me/mcp-connections/[clientId].delete.ts

@@ -0,0 +1,39 @@
+import { createError, defineEventHandler, getRouterParam } from "h3"
+import { and, eq } from "drizzle-orm"
+import { db } from "../../../db"
+import { oauthConsent, oauthAccessToken, oauthRefreshToken } from "../../../db/schema/auth-schema"
+import { requireSession } from "../../../lib/permissions"
+
+/**
+ * Revoke an MCP client's access for the current user. Deletes:
+ *   1. The consent grant (so future authorize attempts will re-prompt)
+ *   2. All access tokens for this (user, client) pair
+ *   3. All refresh tokens for this (user, client) pair
+ *
+ * Idempotent — returns { revoked: false } if no consent existed.
+ */
+export default defineEventHandler(async (event) => {
+  const session = await requireSession(event)
+  const clientId = getRouterParam(event, "clientId")
+  if (!clientId) throw createError({ statusCode: 400, statusMessage: "missing clientId" })
+
+  return await db.transaction(async (tx) => {
+    const deleted = await tx
+      .delete(oauthConsent)
+      .where(and(eq(oauthConsent.userId, session.userId), eq(oauthConsent.clientId, clientId)))
+      .returning({ clientId: oauthConsent.clientId })
+    if (deleted.length === 0) return { revoked: false }
+
+    await tx
+      .delete(oauthAccessToken)
+      .where(
+        and(eq(oauthAccessToken.userId, session.userId), eq(oauthAccessToken.clientId, clientId)),
+      )
+    await tx
+      .delete(oauthRefreshToken)
+      .where(
+        and(eq(oauthRefreshToken.userId, session.userId), eq(oauthRefreshToken.clientId, clientId)),
+      )
+    return { revoked: true }
+  })
+})