Trek_CN/server
jubnl cb3aeda8e0
fix(oauth): add public RFC 7591 DCR endpoint at POST /oauth/register
Claude.ai's start-auth flow POSTs to the registration_endpoint advertised
in the discovery document, but no public handler existed at /oauth/register
(only /api/oauth/register with browser cookie auth). This caused a
start_error redirect immediately on every connect attempt.

- Add POST /oauth/register to oauthPublicRouter following RFC 7591
- Make oauth_clients.user_id nullable via a raw (no-transaction) migration
  so anonymous DCR clients can be created without a user context
- Update migration runner to support { raw: () => void } migrations for
  DDL that requires PRAGMA foreign_keys = OFF outside a transaction
- Update createOAuthClient to accept userId: number | null with a global
  cap (500) for anonymous DCR clients in place of the per-user limit
2026-04-10 05:42:18 +02:00
..
public chore(CRLF): normalize index.html line endings to LF 2026-04-05 04:35:17 +02:00
scripts feat: add encryption key migration script and document it in README 2026-04-01 09:35:32 +02:00
src fix(oauth): add public RFC 7591 DCR endpoint at POST /oauth/register 2026-04-10 05:42:18 +02:00
tests security(oauth): harden OAuth 2.1/MCP implementation (Critical + High + Medium findings) 2026-04-10 02:03:27 +02:00
.env.example feat(mcp): add MCP_MAX_SESSION_PER_USER env var and document it everywhere 2026-04-06 00:09:22 +02:00
package-lock.json feat(mcp): introduce OAuth 2.1 auth and enforce addon gating 2026-04-09 22:25:58 +02:00
package.json chore: bump version to 2.9.12 [skip ci] 2026-04-09 15:48:10 +00:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00
vitest.config.ts refactor(mcp): replace direct DB access with service layer calls 2026-04-04 18:12:53 +02:00