fix(oauth): inject stored OAuth token for authorization_code gateway manual refresh

Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>

Author: Olivier Gintrand

.env.example

@@ -2136,6 +2136,11 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # TOOL_CONCURRENT_LIMIT=10
 # GATEWAY_TOOL_NAME_SEPARATOR=-
 
+# Maximum length of response text returned for non-JSON REST API responses
+# Longer responses are truncated to prevent exposing excessive sensitive data
+# Default: 5000 characters, Range: 1000-100000
+# REST_RESPONSE_TEXT_MAX_LENGTH=5000
+
 # Prompt Configuration
 # PROMPT_CACHE_SIZE=100
 # MAX_PROMPT_SIZE=102400

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|go.sum|mcpgateway/sri_hashes.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-14T13:09:46Z",
+  "generated_at": "2026-04-14T14:08:10Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -4830,7 +4830,7 @@
         "hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2228,
+        "line_number": 2236,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -8624,39 +8624,39 @@
         "hashed_secret": "ee977806d7286510da8b9a7492ba58e2484c0ecc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6376,
+        "line_number": 6907,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2e7745f43b0ef0e2c2faf61d6c6a28be2965750",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6868,
+        "line_number": 7399,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4a249743d4d2241bd2ae085b4fe654d089488295",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8215,
+        "line_number": 8746,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0c8d051d3c7eada5d31b53d9936fce6bcc232ae2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8357,
+        "line_number": 8888,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8733,
+        "line_number": 9264,
         "type": "Secret Keyword",
         "verified_result": null
       }

mcpgateway/services/gateway_service.py

@@ -5226,6 +5226,32 @@ async def refresh_gateway_manually(
             if request_headers:
                 pre_auth_headers = get_passthrough_headers(request_headers, {}, db, gateway)
 
+            # For Authorization Code OAuth gateways, retrieve the stored user token
+            # so that _initialize_gateway() can connect instead of early-returning.
+            if (
+                user_email
+                and gateway.auth_type == "oauth"
+                and isinstance(gateway.oauth_config, dict)
+                and gateway.oauth_config.get("grant_type") == "authorization_code"
+                and "Authorization" not in pre_auth_headers
+            ):
+                from mcpgateway.services.token_storage_service import TokenStorageService  # pylint: disable=import-outside-toplevel
+
+                token_service = TokenStorageService(db)
+                access_token = await token_service.get_user_token(gateway_id, user_email)
+                if access_token:
+                    pre_auth_headers["Authorization"] = f"Bearer {access_token}"
+                    logger.debug(
+                        "Injected stored OAuth token for auth_code gateway %s (user %s)",
+                        gateway_name, user_email,
+                    )
+                else:
+                    logger.info(
+                        "No stored OAuth token for auth_code gateway %s (user %s) — "
+                        "refresh will return empty; user must complete /oauth/authorize/%s first",
+                        gateway_name, user_email, gateway_id,
+                    )
+
         lock = self._get_refresh_lock(gateway_id)
 
         # Check if lock is already held (concurrent refresh in progress)