Add auth prepare support to notion-mcp, too.

Author: hynek-urban

src/services/notion-mcp.ts

@@ -5,6 +5,7 @@
  * This is separate from the existing Notion service which uses internal integration tokens.
  */
 
+import { z } from 'zod';
 import type { Browser, BrowserContext, Response } from 'playwright';
 import { type ApiCredentials, OAuthCredentials } from '../apiCredentials/base.js';
 import { runCaptured } from '../curl.js';
@@ -20,9 +21,24 @@ import {
   ServiceSession,
   LoginFailedError,
   LoginCancelledError,
+  buildPreparedCredentials,
   isBrowserClosedError,
 } from './core/base.js';
 
+/**
+ * JSON accepted by `latchkey auth prepare notion-mcp`: the OAuth client id to
+ * reuse instead of registering a new client dynamically at mcp.notion.com.
+ * Notion MCP is a public client, so no secret is needed. `.strict()` rejects
+ * unknown keys so typos are reported instead of silently ignored.
+ */
+export const NotionMcpPrepareInputSchema = z
+  .object({
+    clientId: z.string().min(1),
+  })
+  .strict();
+
+export type NotionMcpPrepareInput = z.infer<typeof NotionMcpPrepareInputSchema>;
+
 const TOKEN_ENDPOINT = 'https://mcp.notion.com/token';
 const REGISTRATION_ENDPOINT = 'https://mcp.notion.com/register';
 const AUTHORIZATION_ENDPOINT = 'https://mcp.notion.com/authorize';
@@ -204,6 +220,20 @@ export class NotionMcp extends Service {
     return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
   }
 
+  /**
+   * Notion MCP accepts an OAuth client id prepared in advance via
+   * `latchkey auth prepare`, stored as token-less OAuth credentials until login.
+   * The login flow reuses this client id instead of registering a new client.
+   */
+  override prepareFromJson(parsedJson: unknown): ApiCredentials {
+    return buildPreparedCredentials(
+      this.name,
+      NotionMcpPrepareInputSchema,
+      parsedJson,
+      ({ clientId }) => new OAuthCredentials(clientId, '')
+    );
+  }
+
   override getSession(appNamePrefix: string): NotionMcpSession {
     return new NotionMcpSession(this, appNamePrefix);
   }

tests/sharedOperations.test.ts

@@ -13,6 +13,7 @@ import {
   Service,
 } from '../src/services/core/base.js';
 import { GOOGLE_GMAIL } from '../src/services/google/gmail.js';
+import { NOTION_MCP } from '../src/services/notion-mcp.js';
 import { RegisteredService } from '../src/services/core/registered.js';
 import { ServiceRegistry } from '../src/serviceRegistry.js';
 import { Config } from '../src/config.js';
@@ -443,5 +444,51 @@ describe('operations', () => {
         )
       ).toThrow(PrepareInputInvalidError);
     });
+
+    it('stores a token-less OAuth client id for notion-mcp (public client, no secret)', () => {
+      const registry = new ServiceRegistry([NOTION_MCP]);
+      const store = createApiCredentialStore();
+
+      const result = prepareService(
+        registry,
+        store,
+        'notion-mcp',
+        JSON.stringify({ clientId: 'notion-client-id' })
+      );
+
+      expect(result).toEqual({ serviceName: 'notion-mcp', credentialType: 'oauth' });
+      const stored = store.get('notion-mcp');
+      expect(stored).toBeInstanceOf(OAuthCredentials);
+      const oauth = stored as OAuthCredentials;
+      expect(oauth.clientId).toBe('notion-client-id');
+      expect(oauth.clientSecret).toBe('');
+      expect(oauth.accessToken).toBeUndefined();
+      expect(oauth.refreshToken).toBeUndefined();
+    });
+
+    it('rejects a notion-mcp clientSecret (unknown key, strict schema)', () => {
+      const registry = new ServiceRegistry([NOTION_MCP]);
+      const store = createApiCredentialStore();
+
+      expect(() =>
+        prepareService(
+          registry,
+          store,
+          'notion-mcp',
+          JSON.stringify({ clientId: 'a', clientSecret: 'b' })
+        )
+      ).toThrow(PrepareInputInvalidError);
+      expect(store.get('notion-mcp')).toBeNull();
+    });
+
+    it('rejects notion-mcp input missing clientId', () => {
+      const registry = new ServiceRegistry([NOTION_MCP]);
+      const store = createApiCredentialStore();
+
+      expect(() => prepareService(registry, store, 'notion-mcp', '{}')).toThrow(
+        PrepareInputInvalidError
+      );
+      expect(store.get('notion-mcp')).toBeNull();
+    });
   });
 });