@Mwalek Mwalek commented Dec 30, 2025

Summary

  • Fix OAuth 1.0a signature generation in validateRestApiAccess function
  • Resolve "REST API validation failed: undefined" error when using HTTP connections

Problem

The validateRestApiAccess function was calling getAuthHeaders() without the required URL parameter for OAuth 1.0a signature generation. This caused authentication failures when using HTTP connections (which fall back to OAuth instead of Basic Auth).

Steps to Reproduce

  1. Clone and configure GravityMCP with HTTP base URL:

    git clone https://github.com/GravityKit/GravityMCP.git
    cd GravityMCP
    npm install
    cp .env.example .env
    # Configure .env with HTTP URL (e.g., http://localhost:31337)
  2. Add to Claude Code:

    claude mcp add gravitymcp --scope user -- node /path/to/GravityMCP/src/index.js
  3. Check MCP server status:

    claude mcp list
  4. Expected: gravitymcp shows "✓ Connected"

  5. Actual: gravitymcp shows "✗ Failed to connect" with error "REST API validation failed: undefined"

Solution

  • Get baseURL from httpClient.defaults.baseURL
  • Construct full URL for each endpoint being validated
  • Pass proper parameters (method, url, params) to getAuthHeaders()

Test plan

  • Verified fix with npm run check-env on HTTP localhost connection
  • All 3 endpoints (forms, entries, feeds) now validate successfully with OAuth
  • Confirmed claude mcp list shows gravitymcp as connected after fix

Summary by CodeRabbit

  • Bug Fixes

    • OAuth signing now uses the full request URL derived from the client's base URL, improving signature accuracy and ensuring authenticated API calls validate correctly.
    • Validation now surfaces an error when a base URL is unavailable, preventing ambiguous requests and improving reliability of endpoint access.
  • Tests

    • Test helpers now initialize a default mock client base URL for more consistent test behavior.


The validateRestApiAccess function was calling getAuthHeaders() without
the required URL parameter for OAuth 1.0a signature generation. This
caused authentication failures when using HTTP connections (which fall
back to OAuth instead of Basic Auth).

Changes:
- Get baseURL from httpClient.defaults.baseURL
- Construct full URL for each endpoint
- Pass proper parameters (method, url, params) to getAuthHeaders()

This fixes the "REST API validation failed: undefined" error when
connecting via HTTP/OAuth.

coderabbitai bot commented Dec 30, 2025

Walkthrough

validateRestApiAccess now reads baseURL from httpClient.defaults.baseURL, constructs full endpoint URLs, and passes each full URL plus method and query params to getAuthHeaders when generating OAuth headers for endpoints.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| OAuth signature update: src/config/auth.js | validateRestApiAccess now derives baseURL from httpClient.defaults.baseURL, builds full URLs for each endpoint, and calls getAuthHeaders('GET', fullUrl, { per_page: 1 }) instead of calling getAuthHeaders() with no args. |
| Test helper defaults: src/tests/helpers.js | MockHttpClient constructor now initializes a defaults property: this.defaults = { baseURL: 'https://test.example.com' }. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title directly describes the main fix: correcting OAuth signature generation in the validateRestApiAccess function by passing the required URL parameter. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 75dccf1 and 8911c9f.

📒 Files selected for processing (1)
  • src/tests/helpers.js
🔇 Additional comments (1)
src/tests/helpers.js (1)

182-182: LGTM! Supports OAuth signature generation testing.

The addition of defaults.baseURL correctly mirrors the axios structure used in production. The production code in src/config/auth.js reads httpClient.defaults.baseURL for OAuth signature generation, and the test URL is appropriate for the mock environment.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 958811a and 9b9247e.

📒 Files selected for processing (1)
  • src/config/auth.js
🧰 Additional context used
🧬 Code graph analysis (1)
src/config/auth.js (2)
scripts/check-env.js (1)
  • httpClient (109-112)
src/tests/authentication.test.js (2)
  • headers (46-46)
  • headers (113-113)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 9b9247e and 75dccf1.

📒 Files selected for processing (1)
  • src/config/auth.js
🧰 Additional context used
🧬 Code graph analysis (1)
src/config/auth.js (2)
scripts/check-env.js (2)
  • httpClient (109-112)
  • authManager (106-106)
src/tests/authentication.test.js (2)
  • headers (46-46)
  • headers (113-113)
🔇 Additional comments (1)
src/config/auth.js (1)

330-332: LGTM! OAuth signature generation fix is correct.

The fix properly constructs the full URL and passes it to getAuthHeaders along with the HTTP method and query parameters. This ensures OAuth1Handler can generate valid signatures for API requests.

The implementation is consistent with OAuth1Handler.testConnection (lines 159-160) and correctly addresses the authentication failures described in the PR objectives.
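
Why the signer needs the method, full URL and query parameters, shown as an added example that is not part of this PR or of GravityMCP's code: an OAuth 1.0a HMAC-SHA1 signature covers the request URL, so a signature computed for any other base URL is rejected when the server recomputes it. The function names, keys, nonce, timestamp and the `/wp-json/gf/v2/forms` path are assumptions made for illustration; `per_page: 1` and the two hosts are taken from the page.

```javascript
// Added example: OAuth 1.0a (RFC 5849) HMAC-SHA1 signing. Not GravityMCP's code.
const crypto = require('node:crypto');

// RFC 3986 percent-encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(String(s))
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Join base URL and endpoint path; refuse to sign when no base URL is known.
function buildFullUrl(baseURL, endpoint) {
  if (!baseURL) throw new Error('baseURL is required for OAuth 1.0a signing');
  return baseURL.replace(/\/+$/, '') + '/' + endpoint.replace(/^\/+/, '');
}

// Base string = METHOD & enc(scheme://host/path) & enc(sorted, encoded params).
function signatureBaseString(method, url, params) {
  const u = new URL(url); // lowercases scheme/host, drops default ports
  const baseUri = `${u.protocol}//${u.host}${u.pathname}`;
  const normalized = [...u.searchParams, ...Object.entries(params)]
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), enc(baseUri), enc(normalized)].join('&');
}

function sign(method, url, params, consumerSecret, tokenSecret = '') {
  const key = `${enc(consumerSecret)}&${enc(tokenSecret)}`;
  return crypto.createHmac('sha1', key)
    .update(signatureBaseString(method, url, params)).digest('base64');
}

// Server side: recompute from the request actually received, compare in constant time.
function serverAccepts(method, requestUrl, params, signature, consumerSecret) {
  const expected = Buffer.from(sign(method, requestUrl, params, consumerSecret));
  const got = Buffer.from(String(signature));
  return expected.length === got.length && crypto.timingSafeEqual(expected, got);
}

// Constructed sample values (assumptions; only per_page: 1 and the hosts are from the page).
const SECRET = 'cs_constructed';
const params = { oauth_consumer_key: 'ck_constructed', oauth_nonce: 'n0nce',
  oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1767052800',
  oauth_version: '1.0', per_page: 1 };
const ENDPOINT = '/wp-json/gf/v2/forms'; // assumed Gravity Forms REST v2 path

const realUrl = buildFullUrl('http://localhost:31337', ENDPOINT);
const otherUrl = buildFullUrl('https://test.example.com', ENDPOINT);
console.log(serverAccepts('GET', realUrl, params, sign('GET', realUrl, params, SECRET), SECRET));  // true
console.log(serverAccepts('GET', realUrl, params, sign('GET', otherUrl, params, SECRET), SECRET)); // false
```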
