fix(mcp): pass SSRF-guarded fetch into OAuth start flow, matching probe/revoke #5398
PR Summary
Low Risk
Overview
A unit test mocks
Reviewed by Cursor Bugbot for commit 079f073.
Good catch on the callback route — that's being addressed in a separate PR against |
…be/revoke
Discovery and registration during the MCP OAuth start flow were using the default global fetch. probe.ts and revoke.ts already route these calls through createSsrfGuardedMcpFetch(); this brings the start route in line with the same pattern.
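The commit message above describes routing discovery and registration through a guarded fetch passed as fetchFn. As an added illustration (not code from this PR or the project; `ssrfBlockReason`, `createGuardedFetch` and the block list are hypothetical and assumed here), a guard of that shape in plain JavaScript:

```javascript
// Added example with hypothetical names; not the project's createSsrfGuardedMcpFetch().
// Checks literal hosts only: a production guard must also vet the addresses DNS
// returns for a hostname and connect to the address it vetted.

// Blocked IPv4 ranges as [network, prefix]: this-network, private, CGNAT, loopback,
// link-local (includes the 169.254.169.254 metadata address), multicast and reserved.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
const toInt = (ip) => ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);

function isBlockedV4(ip) {
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(toInt(ip) / size) === Math.floor(toInt(net) / size);
  });
}

// Loopback, unspecified, IPv4-mapped (all of it, conservatively), ULA fc00::/7,
// link-local fe80::/10. `host` is the bracket-free, normalised form from URL.
function isBlockedV6(host) {
  return host === "::" || host === "::1" || host.startsWith("::ffff:") ||
    /^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host);
}

// Returns a reason string when the URL must not be fetched, otherwise null.
function ssrfBlockReason(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return "unparseable URL"; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "scheme not allowed";
  // URL parsing already normalises forms such as 0x7f.1 or 2130706433 to 127.0.0.1.
  const host = url.hostname.replace(/\.$/, "");
  if (host.startsWith("[")) return isBlockedV6(host.slice(1, -1)) ? "blocked IPv6 address" : null;
  if (/^\d+(\.\d+){3}$/.test(host)) return isBlockedV4(host) ? "blocked IPv4 address" : null;
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost name";
  return null;
}

// Wraps a fetch implementation; the result is what a caller would pass as fetchFn.
function createGuardedFetch(baseFetch) {
  return async function guardedFetch(input, init = {}) {
    const reason = ssrfBlockReason(String(input));
    if (reason) throw new Error(`SSRF guard: ${reason}`);
    // Redirects are returned, not followed: a Location target is another
    // server-supplied URL and needs the same check before it is requested.
    return baseFetch(input, { ...init, redirect: "manual" });
  };
}
```

Because the guard is injected rather than global, a code path that omits it silently falls back to the unguarded default, which is the gap this PR closes for the start route.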
73be918 to 079f073
@greptile review
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Summary
- mcpAuth() without a fetchFn, so discovery/registration requests used the default global fetch
- probe.ts and revoke.ts already pass createSsrfGuardedMcpFetch() into their equivalent calls — this brings the start route in line with the same pattern
- mcpAuth
Type of Change
Testing
- apps/sim/app/api/mcp/oauth/start/route.test.ts (all passing)
- bun run check:api-validation passes
Checklist