Feature/mcp oauth layer #115
Draft
MathieuLamiot wants to merge 6 commits into
…ords

Adds a self-contained MCP authentication layer (src/MCP/Auth/) that lets Claude / MCP clients authenticate via short-lived JWTs while Application Passwords never leave the server.

- SecretManager: generates and rotates the 256-bit HMAC signing secret
- JWT: pure HS256 encode/decode with no external dependencies
- DiscoveryEndpoints: RFC 9728 / RFC 8414 well-known documents
- ClientRegistration: RFC 7591 dynamic client registration (POST /oauth/register)
- AuthorizeEndpoint: PKCE S256 authorization request (GET /oauth/authorize)
- AuthorizeCallback: post-login code issuance (GET /oauth/authorize-callback)
- TokenEndpoint: authorization_code + refresh_token grants (POST /oauth/token)
- RequestValidator: Bearer JWT middleware for MCP REST routes
- AdminPage: MCP Sessions settings page with per-session and bulk revocation
- McpAuth: single bootstrap entry point wired into class-sybgo.php

All classes namespaced under Sybgo\MCP\Auth with a README documenting extraction steps for use in other plugins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ogging

- Add Mcp_Logger class: structured [MCP][SCOPE] logging with header/body redaction across all OAuth and MCP request handlers
- Fix RequestValidator: call wp_set_current_user() before returning WP_User so HttpSessionValidator::create_session() gets the correct user ID
- Fix Ability_Manager: bind registration to wp_abilities_api_categories_init and wp_abilities_api_init (WP 6.9 enforces these; calling outside the hooks silently drops the ability)
- Fix AI_Module + Event_Module: register abilities into the cache in boot() rather than on init@5, so the cache is populated before wp_abilities_api_init fires
- Add McpAuth: rest_pre_dispatch returns 401 + WWW-Authenticate for unauthenticated MCP requests; rest_post_dispatch logs final response

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
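The two checks the JWT, TokenEndpoint and RequestValidator components in the commits above are responsible for, written out as an added PHP example (this is not the PR's code): verifying an HS256 Bearer JWT with a pinned algorithm, constant-time signature comparison and an expiry check, and verifying a PKCE S256 code_verifier against the stored code_challenge. The function names (mcp_jwt_verify, mcp_jwt_sign, mcp_pkce_verify, the base64url helpers) and the inline secret are assumptions; in the plugin the secret would come from SecretManager. The string rejection reasons are the kind of auth failures the logging commit says are always logged.

```php
<?php
// Added example, not the PR's own code. Function names and the demo secret are
// hypothetical; SecretManager would supply the real 256-bit HMAC secret.

function mcp_b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** @return string|false */
function mcp_b64url_decode(string $s) {
    $pad = strlen($s) % 4;
    if ($pad) { $s .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($s, '-_', '+/'), true); // strict: reject stray chars
}

function mcp_jwt_sign(array $claims, string $secret): string {
    $h = mcp_b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = mcp_b64url_encode(json_encode($claims));
    $sig = hash_hmac('sha256', "$h.$p", $secret, true);
    return "$h.$p." . mcp_b64url_encode($sig);
}

/**
 * Returns the claims array on success, or a short rejection reason string
 * (what a Bearer middleware should log on an auth failure).
 * @return array|string
 */
function mcp_jwt_verify(string $jwt, string $secret, int $now) {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return 'malformed'; }
    [$h, $p, $sig] = $parts;

    $header = json_decode((string) mcp_b64url_decode($h), true);
    // Pin the algorithm: the verifier decides HS256, the token's "alg" field does not.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') { return 'bad_alg'; }

    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given = mcp_b64url_decode($sig);
    // hash_equals() is constant-time, so a forged signature reveals nothing about
    // how many bytes matched.
    if ($given === false || !hash_equals($expected, $given)) { return 'bad_signature'; }

    $claims = json_decode((string) mcp_b64url_decode($p), true);
    if (!is_array($claims)) { return 'bad_payload'; }
    // Short-lived tokens: a missing or past "exp" is a rejection, not a default.
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) { return 'expired'; }
    return $claims;
}

/**
 * PKCE S256 (RFC 7636): the token endpoint recomputes BASE64URL(SHA256(verifier))
 * and compares it to the code_challenge stored with the authorization code.
 */
function mcp_pkce_verify(string $code_verifier, string $stored_challenge): bool {
    // RFC 7636 §4.1: verifier is 43 to 128 chars from [A-Za-z0-9-._~]
    if (!preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $code_verifier)) { return false; }
    $computed = mcp_b64url_encode(hash('sha256', $code_verifier, true));
    return hash_equals($stored_challenge, $computed);
}

// Constructed demo values (hypothetical secret, 15-minute token).
$secret = random_bytes(32);
$token = mcp_jwt_sign(['sub' => 1, 'exp' => time() + 900], $secret);
var_dump(mcp_jwt_verify($token, $secret, time()));          // claims array
var_dump(mcp_jwt_verify($token, $secret, time() + 1000));   // "expired"
var_dump(mcp_jwt_verify($token, random_bytes(32), time())); // "bad_signature"

// A client-side 32-byte random verifier encodes to exactly 43 chars.
$verifier = mcp_b64url_encode(random_bytes(32));
$challenge = mcp_b64url_encode(hash('sha256', $verifier, true));
var_dump(mcp_pkce_verify($verifier, $challenge));        // true
var_dump(mcp_pkce_verify($verifier . 'x', $challenge));  // false
```

The two properties worth checking in a review of any hand-rolled JWT layer are visible here: the algorithm is fixed by the verifier rather than read from the token header, and both the HMAC comparison and the PKCE challenge comparison go through hash_equals() rather than ===.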
…n fixes Documents the full hook sequence, why abilities must be registered in boot() rather than init@5, wp_set_current_user() requirement, and all past failures with their root causes and fixes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…_DEBUG Add Mcp_Logger::is_debug_enabled() and a $debug_only parameter to log(). Happy-path traces (per-request header dumps, per-ability registration details, rest_pre_dispatch on success, rest_post_dispatch on success) are now silent in production and fire only when WP_DEBUG or SYBGO_MCP_DEBUG is true. Auth failures, JWT rejections, and JSON-RPC errors always log regardless. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Self-standing HTML reference covering the full OAuth 2.1 + PKCE JWT façade: flow steps, class map, three bypasses, WP Abilities API hook timing rules, JWT lifecycle, debug guide, known pitfalls, and four open questions with suggestions for the team to follow up on. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Description
Fixes:
Explain how this code impacts users.
Type of change
Detailed scenario
What was tested
Describe the scenarios that you tested, and specify if it is automated or manual. For manual scenarios, provide a screenshot of the results.
How to test
Describe how the PR can be tested so that the validator can be autonomous: environment, dependencies, specific setup, steps to perform, API requests, etc.
Affected Features & Quality Assurance Scope
Please specify which existing features or modules are impacted by the changes in this Pull Request. This information is crucial for the QA team to properly define the testing scope and ensure comprehensive test coverage.
Technical description
Documentation
Explain how this code works. Diagrams & drawings are welcome.
New dependencies
List any new dependencies that are required for this change.
Risks
List possible performance & security issues or risks, and explain how they have been mitigated.
Mandatory Checklist
Code validation
Code style
Unticked items justification
If some mandatory items are not relevant, explain why in this section.
Additional Checks