v0.4.252: MCP course-scoping + OAuth hardening #704
Merged
Confine MCP agents to their enrolled courses and close the deferred
audit-hardening items.
Course-scoping:
- ToolContext.authorizeCourseAccess: admins act globally; every other
subject must be enrolled in the target course (else notAuthorized).
Wired into list_assignments and update_assignment_title.
- Admin MCP tab course picker (enroll/unenroll, audited via
mcp.account_{en,un}rolled). mcp-role accounts are excluded from the
instructor and admin course roster views, so rosters/counts are
unaffected (students' access is untouched).
Hardening:
- MCPOAuthRateLimitMiddleware: per-IP limit on /oauth/{token,revoke,
register}; register() caps redirect_uris/client and total clients.
- Consent screen shows the redirect host + a first-approval warning.
- /oauth/token refresh re-checks isInstructor and revokes the grant on
downgrade.
- Empty MCP_ALLOWED_ORIGINS now means "allow any" (Origin guard fix).
- MCPOAuthReaperService periodically deletes expired auth codes and
revoked/expired grants (registered only when MCP is enabled).
Full suite green (1446 tests); swift-format + SwiftLint --strict clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Confines MCP agents to the courses their account is enrolled in (the feature requested after the audit), and closes the deferred OAuth-hardening items. Builds on the Phase-2 OAuth flow (#701–#703).
Course-scoping
- ToolContext.authorizeCourseAccess — admins act globally; every other subject (instructor browser-flow tokens and mcp service accounts) must be enrolled in the target course, else the tool returns a not authorized … not enrolled result. Wired into list_assignments and update_assignment_title.
- mcp.account_enrolled/mcp.account_unenrolled). mcp-role accounts are excluded from the instructor and admin course roster views, so existing rosters/counts are unaffected. Students' access is untouched — gated by their own enrollment + session + RoleMiddleware, none of which changed; the unenroll path is hard-pinned to mcp-role accounts.
Hardening
- /oauth/{token,revoke,register}; caps redirect-URIs/client and total registered clients. Env: MCP_OAUTH_RATE_LIMIT_PER_MIN (30), MCP_MAX_REGISTERED_CLIENTS (1000), MCP_MAX_REDIRECT_URIS (5).
- /oauth/token refresh re-checks isInstructor; a downgraded account's grant is revoked.
- MCP_ALLOWED_ORIGINS now means "allow any" (matching the Host guard / docs).
Test plan
- swift test — full suite green (1446 tests / 129 suites)
- swift-format lint --strict — clean
- --strict — 0 violations (411 files)
🤖 Generated with Claude Code
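The course-scoping rule from the description above, sketched as an added Swift example; it is not code from this PR or the project. Only the name authorizeCourseAccess and the rule itself come from the description; the types, the in-memory store, the result strings and the course IDs are assumptions made for illustration.

```swift
import Foundation
// Added illustration: every type and function body here is hypothetical, not the project's code.
enum Role { case admin, instructor, mcp, student }
struct Subject { let id: UUID; let role: Role }
enum ToolResult { case ok(String), notAuthorized(String) }
enum EnrollmentError: Error { case notAnMCPAccount }

struct EnrollmentStore {
    var enrolled: [String: Set<UUID>] = [:]   // courseID -> enrolled subject IDs
    mutating func enroll(_ subject: Subject, in course: String) {
        enrolled[course, default: []].insert(subject.id)
    }
    // Unenroll is pinned to mcp-role accounts, so it can never drop a student or instructor.
    mutating func unenrollMCPAccount(_ subject: Subject, from course: String) throws {
        guard subject.role == .mcp else { throw EnrollmentError.notAnMCPAccount }
        enrolled[course]?.remove(subject.id)
    }
    func isEnrolled(_ subject: Subject, in course: String) -> Bool {
        enrolled[course]?.contains(subject.id) ?? false
    }
}

// Admins act globally; every other subject needs an enrollment in the target course.
func authorizeCourseAccess(_ subject: Subject, course: String, store: EnrollmentStore) -> ToolResult? {
    if subject.role == .admin { return nil }   // nil means "allowed"
    guard store.isEnrolled(subject, in: course) else {
        return .notAuthorized("not authorized: not enrolled in course \(course)")
    }
    return nil
}

// A tool runs the check before it reads any course data.
func listAssignments(as subject: Subject, course: String, store: EnrollmentStore) -> ToolResult {
    if let denial = authorizeCourseAccess(subject, course: course, store: store) { return denial }
    return .ok("assignments for \(course)")
}

// Constructed sample data: an mcp service account and a student, both enrolled in CS101 only.
var store = EnrollmentStore()
let agent = Subject(id: UUID(), role: .mcp)
let admin = Subject(id: UUID(), role: .admin)
let student = Subject(id: UUID(), role: .student)
store.enroll(agent, in: "CS101")
store.enroll(student, in: "CS101")
print(listAssignments(as: agent, course: "CS101", store: store))  // agent, enrolled course
print(listAssignments(as: agent, course: "CS202", store: store))  // agent, other course
print(listAssignments(as: admin, course: "CS202", store: store))  // admin, no enrollment
try? store.unenrollMCPAccount(student, from: "CS101")             // non-mcp subject
print(store.isEnrolled(student, in: "CS101"))
```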