Better oauth verification flow

Author: Drummersbrother

src/mcp_importer/api.py

@@ -1,11 +1,14 @@
 # pyright: reportMissingImports=false, reportUnknownVariableType=false, reportUnknownMemberType=false, reportUnknownArgumentType=false, reportUnknownParameterType=false
 import asyncio
-from collections.abc import Awaitable
+import contextlib
 from enum import Enum
 from pathlib import Path
 from typing import Any
 
+from fastmcp import Client as FastMCPClient
 from fastmcp import FastMCP
+from fastmcp.client.auth import OAuth
+from fastmcp.client.auth.oauth import FileTokenStorage
 from loguru import logger as log
 
 from src.config import Config, MCPServerConfig, get_config_json_path
@@ -22,7 +25,7 @@
     import_from_vscode,
 )
 from src.mcp_importer.merge import MergePolicy, merge_servers
-from src.oauth_manager import get_oauth_manager
+from src.oauth_manager import OAuthStatus, get_oauth_manager
 
 
 class CLIENT(str, Enum):
@@ -37,15 +40,16 @@ def __repr__(self) -> str:
         return str(self)
 
 
-def detect_clients() -> set[CLIENT]:
-    detected: set[CLIENT] = set()
+def detect_clients() -> list[CLIENT]:
+    detected: list[CLIENT] = []
     if _paths.detect_cursor_config_path() is not None:
-        detected.add(CLIENT.CURSOR)
+        detected.append(CLIENT.CURSOR)
     if _paths.detect_vscode_config_path() is not None:
-        detected.add(CLIENT.VSCODE)
+        detected.append(CLIENT.VSCODE)
     if _paths.detect_claude_code_config_path() is not None:
-        detected.add(CLIENT.CLAUDE_CODE)
-    return detected
+        detected.append(CLIENT.CLAUDE_CODE)
+    # Return clients sorted alphabetically by identifier
+    return sorted(detected, key=lambda c: c.value)
 
 
 def import_from(client: CLIENT) -> list[MCPServerConfig]:
@@ -136,8 +140,105 @@ def verify_mcp_server(server: MCPServerConfig) -> bool:  # noqa
     async def _verify_async() -> bool:
         if not server.command.strip():
             return False
+        oauth_info = None
 
-        # Inline backend config and capability listing (no extra helpers)
+        # If this is a remote server, consult OAuth requirement first. Only skip
+        # verification when OAuth is actually required and no tokens are present.
+        try:
+            if server.is_remote_server():
+                remote_url: str | None = server.get_remote_url()
+                if remote_url:
+                    oauth_info = await get_oauth_manager().check_oauth_requirement(
+                        server.name, remote_url
+                    )
+                    if oauth_info.status != OAuthStatus.NOT_REQUIRED:
+                        # Token presence check
+                        storage = FileTokenStorage(
+                            server_url=remote_url, cache_dir=get_oauth_manager().cache_dir
+                        )
+                        tokens = await storage.get_tokens()
+                        no_tokens: bool = not tokens or (
+                            not getattr(tokens, "access_token", None)
+                            and not getattr(tokens, "refresh_token", None)
+                        )
+                        # Detect if inline headers are present in args (translated from config)
+                        has_inline_headers: bool = any(
+                            (a == "--header" or a.startswith("--header")) for a in server.args
+                        )
+                        if (
+                            oauth_info.status == OAuthStatus.NEEDS_AUTH
+                            and no_tokens
+                            and not has_inline_headers
+                        ):
+                            log.info(
+                                "Skipping verification for remote server '{}' pending OAuth",
+                                server.name,
+                            )
+                            return True
+        except Exception:
+            # If token inspection fails, continue with normal verification path
+            pass
+
+        # Remote servers
+        if server.is_remote_server():
+            remote_url = server.get_remote_url()
+            if remote_url:
+                # If inline headers are specified (e.g., API key), verify via proxy to honor headers
+                has_inline_headers: bool = any(
+                    (a == "--header" or a.startswith("--header")) for a in server.args
+                )
+                if has_inline_headers:
+                    backend_cfg: dict[str, Any] = {
+                        "mcpServers": {
+                            server.name: {
+                                "command": server.command,
+                                "args": server.args,
+                                "env": server.env or {},
+                                **({"roots": server.roots} if server.roots else {}),
+                            }
+                        }
+                    }
+                    proxy: FastMCP[Any] | None = None
+                    host: FastMCP[Any] | None = None
+                    try:
+                        proxy = FastMCP.as_proxy(backend_cfg)
+                        host = FastMCP(name=f"open-edison-verify-host-{server.name}")
+                        host.mount(proxy, prefix=server.name)
+
+                        async def _list_tools_only() -> Any:
+                            return await host._tool_manager.list_tools()  # type: ignore[attr-defined]
+
+                        await asyncio.wait_for(_list_tools_only(), timeout=10.0)
+                        return True
+                    except Exception as e:
+                        log.error(
+                            "MCP remote (headers) verification failed for '{}': {}", server.name, e
+                        )
+                        return False
+                    finally:
+                        for obj in (host, proxy):
+                            if isinstance(obj, FastMCP):
+                                with contextlib.suppress(Exception):
+                                    result = obj.shutdown()  # type: ignore[attr-defined]
+                                    await asyncio.wait_for(result, timeout=2.0)  # type: ignore[func-returns-value]
+                # Otherwise, avoid triggering OAuth flows during verification
+                try:
+                    if oauth_info is None:
+                        oauth_info = await get_oauth_manager().check_oauth_requirement(
+                            server.name, remote_url
+                        )
+                    # If OAuth is needed or we are already authenticated, don't initiate browser flows here
+                    if oauth_info.status in (OAuthStatus.NEEDS_AUTH, OAuthStatus.AUTHENTICATED):
+                        return True
+                    # NOT_REQUIRED: quick unauthenticated ping
+                    async with FastMCPClient(remote_url, auth=None) as client:  # type: ignore
+                        await asyncio.wait_for(client.ping(), timeout=10.0)
+                    return True
+                except Exception as e:  # noqa: BLE001
+                    log.error("MCP remote verification failed for '{}': {}", server.name, e)
+                    return False
+
+        # Local/stdio servers: mount via proxy and perform a single light operation (tools only)
         backend_cfg: dict[str, Any] = {
             "mcpServers": {
                 server.name: {
@@ -156,36 +257,20 @@ async def _verify_async() -> bool:
             host = FastMCP(name=f"open-edison-verify-host-{server.name}")
             host.mount(proxy, prefix=server.name)
 
-            async def _call_list(kind: str) -> Any:
-                manager_name = {
-                    "tools": "_tool_manager",
-                    "resources": "_resource_manager",
-                    "prompts": "_prompt_manager",
-                }[kind]
-                manager = getattr(host, manager_name)
-                return await getattr(manager, f"list_{kind}")()
-
-            await asyncio.wait_for(
-                asyncio.gather(
-                    _call_list("tools"),
-                    _call_list("resources"),
-                    _call_list("prompts"),
-                ),
-                timeout=30.0,
-            )
+            async def _list_tools_only() -> Any:
+                return await host._tool_manager.list_tools()  # type: ignore[attr-defined]
+
+            await asyncio.wait_for(_list_tools_only(), timeout=10.0)
             return True
         except Exception as e:
             log.error("MCP verification failed for '{}': {}", server.name, e)
             return False
         finally:
-            try:
-                for obj in (host, proxy):
-                    if isinstance(obj, FastMCP):
+            for obj in (host, proxy):
+                if isinstance(obj, FastMCP):
+                    with contextlib.suppress(Exception):
                         result = obj.shutdown()  # type: ignore[attr-defined]
-                        if isinstance(result, Awaitable):
-                            await result  # type: ignore[func-returns-value]
-            except Exception:
-                pass
+                        await asyncio.wait_for(result, timeout=2.0)  # type: ignore[func-returns-value]
 
     return asyncio.run(_verify_async())
 
@@ -209,10 +294,6 @@ async def _authorize_async() -> bool:
         oauth_manager = get_oauth_manager()
 
         try:
-            # Import lazily to avoid import-time side effects
-            from fastmcp import Client as FastMCPClient  # type: ignore
-            from fastmcp.client.auth import OAuth  # type: ignore
-
             # Debug info prior to starting OAuth
             print(
                 "[OAuth] Starting authorization",
@@ -244,8 +325,6 @@ async def _authorize_async() -> bool:
 
             # Post-authorization token inspection (no secrets printed)
             try:
-                from fastmcp.client.auth.oauth import FileTokenStorage  # type: ignore
-
                 storage = FileTokenStorage(server_url=remote_url, cache_dir=oauth_manager.cache_dir)
                 tokens = await storage.get_tokens()
                 access_present = bool(getattr(tokens, "access_token", None)) if tokens else False
@@ -286,8 +365,6 @@ async def _check_async() -> bool:
             return False
 
         try:
-            from fastmcp.client.auth.oauth import FileTokenStorage  # type: ignore
-
             storage = FileTokenStorage(
                 server_url=remote_url, cache_dir=get_oauth_manager().cache_dir
             )

src/mcp_importer/export_cli.py

@@ -5,8 +5,10 @@
 
 from .exporters import ExportError, export_to_claude_code, export_to_cursor, export_to_vscode
 from .paths import (
+    detect_claude_code_config_path,
     detect_cursor_config_path,
     detect_vscode_config_path,
+    get_default_claude_code_config_path,
     get_default_cursor_config_path,
     get_default_vscode_config_path,
 )
@@ -135,8 +137,6 @@ def _handle_vscode(args: argparse.Namespace) -> int:
 
 
 def _handle_claude_code(args: argparse.Namespace) -> int:
-    from .paths import detect_claude_code_config_path, get_default_claude_code_config_path
-
     detected = detect_claude_code_config_path()
     target_path: Path = detected if detected else get_default_claude_code_config_path()
 

src/mcp_importer/parsers.py

@@ -1,6 +1,7 @@
 # pyright: reportUnknownArgumentType=false, reportUnknownVariableType=false, reportMissingImports=false, reportUnknownMemberType=false
 
 import json
+import shlex
 from pathlib import Path
 from typing import Any, cast
 
@@ -67,12 +68,35 @@ def _coerce_server_entry(name: str, node: dict[str, Any], default_enabled: bool)
 
     args: list[str] = [str(a) for a in args_raw]
 
+    # If command is provided as a full string with flags, split into program + args
+    if command and (" " in command or command.endswith(("\t", "\n"))):
+        try:
+            parts = shlex.split(command)
+            if parts:
+                command = parts[0]
+                # Prepend split args before any provided args to preserve order
+                args = parts[1:] + args
+        except Exception:
+            # If shlex fails, keep original command/args
+            pass
+
     env_raw = node.get("env") or node.get("environment") or {}
     env: dict[str, str] = {}
     if isinstance(env_raw, dict):
         for k, v in env_raw.items():
             env[str(k)] = str(v)
 
+    # Support Cursor-style remote config: { "url": "...", "headers": {...} }
+    # Translate to `npx mcp-remote <url> [--header Key: Value]*` so downstream verification works.
+    url_val = node.get("url")
+    if isinstance(url_val, str) and url_val:
+        command = "npx"
+        args = ["-y", "mcp-remote", url_val]
+        headers_raw = node.get("headers")
+        if isinstance(headers_raw, dict):
+            for hk, hv in headers_raw.items():
+                args.extend(["--header", f"{str(hk)}: {str(hv)}"])
+
     enabled = bool(node.get("enabled", default_enabled))
 
     roots_raw = node.get("roots") or node.get("rootPaths") or []

src/server.py

@@ -24,7 +24,9 @@
 )
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from fastapi.staticfiles import StaticFiles
+from fastmcp import Client as FastMCPClient
 from fastmcp import FastMCP
+from fastmcp.client.auth import OAuth
 from loguru import logger as log
 from pydantic import BaseModel, Field
 
@@ -952,10 +954,6 @@ async def oauth_test_connection(
 
             log.info(f"🔗 Testing connection to {server_name} at {remote_url}")
 
-            # Import FastMCP client for testing
-            from fastmcp import Client as FastMCPClient
-            from fastmcp.client.auth import OAuth
-
             # Create OAuth auth object
             oauth = OAuth(
                 mcp_url=remote_url,

src/setup_tui/main.py

@@ -1,4 +1,5 @@
 import argparse
+import asyncio
 
 import questionary
 
@@ -13,6 +14,7 @@
     save_imported_servers,
     verify_mcp_server,
 )
+from src.oauth_manager import OAuthStatus, get_oauth_manager
 
 
 def show_welcome_screen(*, dry_run: bool = False) -> None:
@@ -54,30 +56,43 @@ def handle_mcp_source(
         print(f"Verifying the configuration for {config.name}... ")
         result = verify_mcp_server(config)
         if result:
-            # If this is a remote server, check OAuth status and optionally authorize
+            # For remote servers, only prompt if OAuth is actually required
             if config.is_remote_server():
-                # Always check token presence; if absent, prompt for OAuth unless skipped
-                tokens_present: bool = has_oauth_tokens(config)
-                if not tokens_present:
-                    if skip_oauth:
-                        print(
-                            f"Skipping OAuth for {config.name} due to --skip-oauth (no tokens present). This server will not be imported."
+                # Heuristic: if inline headers are present (e.g., API key), treat as not requiring OAuth
+                has_inline_headers: bool = any(
+                    (a == "--header" or a.startswith("--header")) for a in config.args
+                )
+                if not has_inline_headers:
+                    # Prefer cached result from verification; only check if missing
+                    oauth_mgr = get_oauth_manager()
+                    info = oauth_mgr.get_server_info(config.name)
+                    if info is None:
+                        info = asyncio.run(
+                            oauth_mgr.check_oauth_requirement(config.name, config.get_remote_url())
                         )
-                        continue
-
-                    if questionary.confirm(
-                        f"{config.name} is a remote server and no OAuth credentials were found. Obtain credentials now?",
-                        default=True,
-                    ).ask():
-                        success = authorize_server_oauth(config)
-                        if not success:
-                            print(
-                                f"Failed to obtain OAuth credentials for {config.name}. Skipping this server."
-                            )
-                            continue
-                    else:
-                        print(f"Skipping {config.name} per user choice.")
-                        continue
+
+                    if info.status == OAuthStatus.NEEDS_AUTH:
+                        tokens_present: bool = has_oauth_tokens(config)
+                        if not tokens_present:
+                            if skip_oauth:
+                                print(
+                                    f"Skipping OAuth for {config.name} due to --skip-oauth (OAuth required, no tokens). This server will not be imported."
+                                )
+                                continue
+
+                            if questionary.confirm(
+                                f"{config.name} requires OAuth and no credentials were found. Obtain credentials now?",
+                                default=True,
+                            ).ask():
+                                success = authorize_server_oauth(config)
+                                if not success:
+                                    print(
+                                        f"Failed to obtain OAuth credentials for {config.name}. Skipping this server."
+                                    )
+                                    continue
+                            else:
+                                print(f"Skipping {config.name} per user choice.")
+                                continue
 
             verified_configs.append(config)
         else: