refactor: enhance MCP categories API with security and error handling

Lasim · Lasim · commit 0aefaa834fb5 · 2025-07-20T17:57:07.000+02:00
diff --git a/services/backend/api-spec.json b/services/backend/api-spec.json
@@ -12170,6 +12170,11 @@
           "MCP Categories"
         ],
         "description": "Retrieve all available MCP server categories for organization. No Content-Type header required for this GET request.",
+        "security": [
+          {
+            "cookieAuth": []
+          }
+        ],
         "responses": {
           "200": {
             "description": "Default Response",
@@ -12243,6 +12248,62 @@
               }
             }
           },
+          "401": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "schema": {
+                    "description": "Unauthorized - Authentication required",
+                    "type": "object",
+                    "properties": {
+                      "success": {
+                        "default": false,
+                        "type": "boolean"
+                      },
+                      "error": {
+                        "type": "string"
+                      }
+                    },
+                    "required": [
+                      "success",
+                      "error"
+                    ],
+                    "additionalProperties": false
+                  },
+                  "components": {}
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "schema": {
+                    "description": "Forbidden - Insufficient permissions",
+                    "type": "object",
+                    "properties": {
+                      "success": {
+                        "default": false,
+                        "type": "boolean"
+                      },
+                      "error": {
+                        "type": "string"
+                      }
+                    },
+                    "required": [
+                      "success",
+                      "error"
+                    ],
+                    "additionalProperties": false
+                  },
+                  "components": {}
+                }
+              }
+            }
+          },
           "500": {
             "description": "Default Response",
             "content": {
diff --git a/services/backend/api-spec.yaml b/services/backend/api-spec.yaml
@@ -8389,6 +8389,8 @@ paths:
         - MCP Categories
       description: Retrieve all available MCP server categories for organization. No
         Content-Type header required for this GET request.
+      security:
+        - cookieAuth: []
       responses:
         "200":
           description: Default Response
@@ -8434,6 +8436,44 @@ paths:
                     - data
                   additionalProperties: false
                 components: {}
+        "401":
+          description: Default Response
+          content:
+            application/json:
+              schema:
+                schema:
+                  description: Unauthorized - Authentication required
+                  type: object
+                  properties:
+                    success:
+                      default: false
+                      type: boolean
+                    error:
+                      type: string
+                  required:
+                    - success
+                    - error
+                  additionalProperties: false
+                components: {}
+        "403":
+          description: Default Response
+          content:
+            application/json:
+              schema:
+                schema:
+                  description: Forbidden - Insufficient permissions
+                  type: object
+                  properties:
+                    success:
+                      default: false
+                      type: boolean
+                    error:
+                      type: string
+                  required:
+                    - success
+                    - error
+                  additionalProperties: false
+                components: {}
         "500":
           description: Default Response
           content:
diff --git a/services/backend/src/permissions/index.ts b/services/backend/src/permissions/index.ts
@@ -51,6 +51,7 @@ export const ROLE_DEFINITIONS = {
     'teams.delete',
     'team.members.view',
     'mcp.servers.read',
+    'mcp.categories.view',
   ],
   team_admin: [
     'teams.view',
diff --git a/services/backend/src/routes/mcp/categories/list.ts b/services/backend/src/routes/mcp/categories/list.ts
@@ -3,6 +3,7 @@ import { z } from 'zod';
 import { createSchema } from 'zod-openapi';
 import { McpCategoriesService } from '../../../services/mcpCategoriesService';
 import { getDb } from '../../../db';
+import { requirePermission } from '../../../middleware/roleMiddleware';
 
 // Response schema
 const categorySchema = z.object({
@@ -30,11 +31,15 @@ export default async function listCategories(server: FastifyInstance) {
       tags: ['MCP Categories'],
       summary: 'List all MCP server categories',
       description: 'Retrieve all available MCP server categories for organization. No Content-Type header required for this GET request.',
+      security: [{ cookieAuth: [] }],
       response: {
         200: createSchema(listCategoriesResponseSchema),
+        401: createSchema(errorResponseSchema.describe('Unauthorized - Authentication required')),
+        403: createSchema(errorResponseSchema.describe('Forbidden - Insufficient permissions')),
         500: createSchema(errorResponseSchema)
       }
-    }
+    },
+    preValidation: requirePermission('mcp.categories.view')
   }, async (request, reply) => {
     try {
       const db = getDb();
