Skip to content

fix: sanitize OAuth client store keys for URL-based client_ids#84

Merged
RadCod3 merged 1 commit into
mainfrom
fix/goose-oauth
Jun 10, 2026
Merged

fix: sanitize OAuth client store keys for URL-based client_ids#84
RadCod3 merged 1 commit into
mainfrom
fix/goose-oauth

Conversation

@RadCod3

@RadCod3 RadCod3 commented Jun 10, 2026

Copy link
Copy Markdown
Owner

Goose authenticates via a Client ID Metadata Document (CIMD), so its OAuth client_id is a URL (e.g.
https://goose-docs.ai/oauth/client-metadata.json). FastMCP's OAuth proxy persists clients in the FileTreeStore keyed by client_id, and FileTreeStore defaults to PassthroughStrategy which does not sanitize keys. The slashes in the URL were treated as path separators, pointing at directories that were never created, causing a FileNotFoundError and a 500 on /authorize.

Pass FileTreeV1KeySanitizationStrategy and
FileTreeV1CollectionSanitizationStrategy to FileTreeStore so URL-shaped client_ids collapse to flat, filesystem-safe filenames. DCR clients (Claude, ChatGPT) were unaffected because their client_ids are opaque and slash-free.

@RadCod3
fix: sanitize OAuth client store keys for URL-based client_ids
da47663 
Goose authenticates via a Client ID Metadata Document (CIMD), so its
OAuth client_id is a URL (e.g.
https://goose-docs.ai/oauth/client-metadata.json).
FastMCP's OAuth proxy persists clients in the FileTreeStore keyed by
client_id, and FileTreeStore defaults to PassthroughStrategy which does
not sanitize keys. The slashes in the URL were treated as path
separators, pointing at directories that were never created, causing a
FileNotFoundError and a 500 on /authorize.

Pass FileTreeV1KeySanitizationStrategy and
FileTreeV1CollectionSanitizationStrategy to FileTreeStore so URL-shaped
client_ids collapse to flat, filesystem-safe filenames. DCR clients
(Claude, ChatGPT) were unaffected because their client_ids are opaque
and slash-free.
@coderabbitai

coderabbitai Bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3ab2fc5-0ee6-435d-9703-3de0f80d8d76

📥 Commits

Reviewing files that changed from the base of the PR and between 8f1b53a and da47663.

📒 Files selected for processing (2)
  • src/lampyrid/server.py
  • tests/unit/test_server.py
📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Improved OAuth token storage to reliably handle special characters in client identifiers, preventing filesystem errors during authentication initialization.

Walkthrough

This PR adds explicit file-tree sanitization strategies to OAuth token persistence in the server, preventing URL-based client IDs (containing slashes) from being misinterpreted as nested directory paths. The server imports and configures sanitization strategies in FileTreeStore, and corresponding unit tests validate that these strategies are instantiated correctly with the configured storage directory.

Changes

OAuth Token Storage Sanitization

Layer / File(s) Summary
Server sanitization strategy configuration
src/lampyrid/server.py		 FileTreeStore imports FileTreeV1KeySanitizationStrategy and FileTreeV1CollectionSanitizationStrategy, then explicitly configures them with the OAuth storage directory to prevent slashed client IDs from triggering nested directory creation and FileNotFoundError.
Test validation of sanitization strategies
tests/unit/test_server.py		 Token persistence tests patch sanitization strategy classes, verify they are instantiated with the configured oauth_storage_path, and confirm the storage initialization receives non-None client storage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hops through OAuth's maze,
Where client IDs slash through folders' haze,
Now sanitized with strategy so fine,
No nested paths will break the line! 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding key sanitization for OAuth client stores to handle URL-based client IDs, which is exactly what the PR addresses.
Description check ✅ Passed The description provides context about the bug (Goose's URL-shaped client_id), the root cause (FileTreeStore's PassthroughStrategy not sanitizing keys), and the solution (using sanitization strategies), all of which align with the changeset.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/goose-oauth

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov-commenter

codecov-commenter commented Jun 10, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.59%. Comparing base (8f1b53a) to head (da47663).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main      #84   +/-   ##
=======================================
  Coverage   97.59%   97.59%           
=======================================
  Files          22       22           
  Lines        3499     3499           
=======================================
  Hits         3415     3415           
  Misses         84       84
Flag Coverage Δ
integration 97.59% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@RadCod3 RadCod3 merged commit 5b829bb into main Jun 10, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RadCod3 @codecov-commenter