Skip to content

Filter deprecated OAuth discovery scopes#66

Merged
ChiragAgg5k merged 1 commit into
mainfrom
fix/filter-deprecated-oauth-scopes
Jul 7, 2026
Merged

Filter deprecated OAuth discovery scopes#66
ChiragAgg5k merged 1 commit into
mainfrom
fix/filter-deprecated-oauth-scopes

Conversation

@ChiragAgg5k

Copy link
Copy Markdown
Member

Summary

  • keep OAuth discovery as the source of supported scopes
  • fetch Cloud public project/organization scope catalogs to identify deprecated scopes
  • filter deprecated project:* and organization:* scopes from protected-resource metadata and 401 scope hints
  • fail open if the catalog lookup is unavailable

Test Plan

  • uv run --group dev ruff check src tests
  • uv run --group dev black --check src tests
  • uv run --group dev pyright
  • uv run python -m unittest discover -s tests/unit -v
  • live checked https://cloud.appwrite.io/v1/console/scopes/project and /organization response shapes and filtering behavior

@ChiragAgg5k ChiragAgg5k force-pushed the fix/filter-deprecated-oauth-scopes branch from 7f3ed67 to fdbe717 Compare July 7, 2026 21:18
@greptile-apps

greptile-apps Bot commented Jul 7, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds a deprecated-scope filtering pass to the OAuth discovery layer: after fetching the OIDC scopes_supported list, it consults Appwrite Cloud's public /console/scopes/project and /organization catalogs to drop any scopes marked deprecated: true, then applies a TTL-backed in-memory cache and a fail-open exception handler so a catalog outage never breaks OAuth discovery.

  • _filter_deprecated_scopes / _load_deprecated_scopes: new async helpers that fetch, cache, and apply the deprecated-scope catalogs; project:all and organization:all are explicitly guarded against accidental filtering.
  • protected_resource_metadata: now routes its scope list through _filter_deprecated_scopes before building the RFC 9728 document, affecting both the /.well-known endpoint and 401 scope= hints.
  • Tests: four new unit tests cover normal filtering, fail-open on catalog error, cache-bypass (no HTTP client created), and the *:all protection; existing tests updated with an empty-catalog mock to remain isolated.

Confidence Score: 5/5

Safe to merge — the new filtering path is additive, fail-open on any catalog error, and all three changed files are well-covered by tests.

The logic is correct across all code paths: caches are checked before creating an HTTP client, project:all / organization:all are double-guarded against accidental removal, and a module-level try/except ensures a catalog outage returns the original unfiltered scope list. Four targeted new tests cover the happy path, fail-open, cache-bypass, and the *:all edge case. No unbound variables, no resource leaks, and no security concerns introduced.

No files require special attention.

Important Files Changed

Filename Overview
src/mcp_server_appwrite/auth.py Adds _filter_deprecated_scopes async function and supporting cache helpers to drop deprecated Cloud scopes from OAuth discovery; correct fail-open design, no logic bugs found.
tests/unit/test_auth.py Adds four new test cases covering filtering, fail-open, cache-bypass, and *:all protection; cache cleared in setUp/tearDown to avoid cross-test pollution.
tests/unit/test_http_app.py Existing 401-challenge tests updated to inject an empty catalog mock so they are isolated from the new scope-filtering path.

Reviews (2): Last reviewed commit: "Filter deprecated OAuth discovery scopes" | Re-trigger Greptile

Comment thread src/mcp_server_appwrite/auth.py
Comment thread src/mcp_server_appwrite/auth.py
@ChiragAgg5k ChiragAgg5k force-pushed the fix/filter-deprecated-oauth-scopes branch from fdbe717 to 5d0d01e Compare July 7, 2026 21:25
@ChiragAgg5k ChiragAgg5k merged commit 64ac98d into main Jul 7, 2026
5 checks passed
@ChiragAgg5k ChiragAgg5k deleted the fix/filter-deprecated-oauth-scopes branch July 7, 2026 21:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant