fix(auth): add expiry check, credentials, MCP CORS, and scope in WWW-Authenticate

waleedlatif1 · waleedlatif1 · commit 28e13b7e6fab · 2026-02-20T14:00:14.000-08:00
diff --git a/apps/sim/app/(auth)/oauth/consent/page.tsx b/apps/sim/app/(auth)/oauth/consent/page.tsx
@@ -102,7 +102,9 @@ export default function OAuthConsentPage() {
   const handleSwitchAccount = useCallback(async () => {
     if (!consentCode) return
 
-    const res = await fetch(`/api/auth/oauth2/authorize-params?consent_code=${consentCode}`)
+    const res = await fetch(`/api/auth/oauth2/authorize-params?consent_code=${consentCode}`, {
+      credentials: 'include',
+    })
     if (!res.ok) {
       setError('Unable to switch accounts. Please re-initiate the connection.')
       return
diff --git a/apps/sim/app/api/auth/oauth2/authorize-params/route.ts b/apps/sim/app/api/auth/oauth2/authorize-params/route.ts
@@ -1,6 +1,6 @@
 import { db } from '@sim/db'
 import { verification } from '@sim/db/schema'
-import { eq } from 'drizzle-orm'
+import { and, eq, gt } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
@@ -24,7 +24,7 @@ export async function GET(request: NextRequest) {
   const [record] = await db
     .select({ value: verification.value })
     .from(verification)
-    .where(eq(verification.identifier, consentCode))
+    .where(and(eq(verification.identifier, consentCode), gt(verification.expiresAt, new Date())))
     .limit(1)
 
   if (!record) {
diff --git a/apps/sim/app/api/mcp/copilot/route.ts b/apps/sim/app/api/mcp/copilot/route.ts
@@ -544,7 +544,7 @@ export async function POST(request: NextRequest) {
     return new NextResponse(JSON.stringify({ error: 'unauthorized' }), {
       status: 401,
       headers: {
-        'WWW-Authenticate': `Bearer resource_metadata="${resourceMetadataUrl}"`,
+        'WWW-Authenticate': `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`,
         'Content-Type': 'application/json',
       },
     })
diff --git a/apps/sim/next.config.ts b/apps/sim/next.config.ts
@@ -179,6 +179,21 @@ const nextConfig: NextConfig = {
           { key: 'Access-Control-Allow-Headers', value: 'Content-Type, Accept' },
         ],
       },
+      {
+        source: '/api/mcp/copilot',
+        headers: [
+          { key: 'Access-Control-Allow-Credentials', value: 'false' },
+          { key: 'Access-Control-Allow-Origin', value: '*' },
+          {
+            key: 'Access-Control-Allow-Methods',
+            value: 'GET, POST, OPTIONS, DELETE',
+          },
+          {
+            key: 'Access-Control-Allow-Headers',
+            value: 'Content-Type, Authorization, X-API-Key, X-Requested-With, Accept',
+          },
+        ],
+      },
       // For workflow execution API endpoints
       {
         source: '/api/workflows/:id/execute',
