From 42020c3ae2290a211801bbc15ccc8a5632eda420 Mon Sep 17 00:00:00 2001
From: Waleed
Date: Sat, 21 Feb 2026 01:57:07 -0800
Subject: [PATCH] fix(mcp): use getBaseUrl for OAuth discovery metadata URLs (#3283)
* fix(mcp): use getBaseUrl for OAuth discovery metadata URLs
* fix(mcp): remove unused request params from discovery route handlers
---
 .../[...issuer]/route.ts | 6 +++---
 .../api/mcp/copilot/route.ts | 6 +++---
 .../oauth-authorization-server/route.ts | 6 +++---
 .../api/mcp/copilot/route.ts | 6 +++---
 .../.well-known/oauth-protected-resource/route.ts | 6 +++---
 .../oauth-authorization-server/route.ts | 6 +++---
 .../.well-known/oauth-protected-resource/route.ts | 6 +++---
 apps/sim/app/api/mcp/copilot/route.ts | 4 +++-
 apps/sim/lib/mcp/oauth-discovery.ts | 15 ++++++++-------
 9 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts b/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
index 9dd3d6bd4c..d862fe277f 100644
--- a/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpAuthorizationServerMetadataResponse()
 }
diff --git a/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts b/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
index 9dd3d6bd4c..d862fe277f 100644
--- a/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpAuthorizationServerMetadataResponse()
 }
diff --git a/apps/sim/app/.well-known/oauth-authorization-server/route.ts b/apps/sim/app/.well-known/oauth-authorization-server/route.ts
index 9dd3d6bd4c..d862fe277f 100644
--- a/apps/sim/app/.well-known/oauth-authorization-server/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpAuthorizationServerMetadataResponse()
 }
diff --git a/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts b/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
index d1136b555c..a419ebda32 100644
--- a/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
+++ b/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpProtectedResourceMetadataResponse()
 }
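Review bot: Once `GET()` in `.well-known/oauth-authorization-server/api/mcp/copilot/route.ts` stops reading the request, nothing in the handler is request-dependent, and depending on the Next.js version and route config a fixed-path GET handler like this may be evaluated at build time and served as a static response. If that applies here, the issuer and endpoint URLs in the discovery document would be frozen to whatever `getBaseUrl()` returned during the build, which matters for an image built once and deployed under a different hostname. Adding `export const dynamic = 'force-dynamic'` to the route file would pin evaluation to request time. The same consideration applies to the other fixed-path discovery routes changed in this patch; the `[...issuer]` catch-all is presumably resolved per request already.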
diff --git a/apps/sim/app/.well-known/oauth-protected-resource/route.ts b/apps/sim/app/.well-known/oauth-protected-resource/route.ts
index d1136b555c..a419ebda32 100644
--- a/apps/sim/app/.well-known/oauth-protected-resource/route.ts
+++ b/apps/sim/app/.well-known/oauth-protected-resource/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpProtectedResourceMetadataResponse()
 }
diff --git a/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts b/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
index 9dd3d6bd4c..d862fe277f 100644
--- a/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
+++ b/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpAuthorizationServerMetadataResponse()
 }
diff --git a/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts b/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
index d1136b555c..a419ebda32 100644
--- a/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
+++ b/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
-export async function GET(request: NextRequest): Promise {
- return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise {
+ return createMcpProtectedResourceMetadataResponse()
 }
diff --git a/apps/sim/app/api/mcp/copilot/route.ts b/apps/sim/app/api/mcp/copilot/route.ts
index 57f2ac0da6..8fdb166ae4 100644
--- a/apps/sim/app/api/mcp/copilot/route.ts
+++ b/apps/sim/app/api/mcp/copilot/route.ts
@@ -32,6 +32,7 @@ import {
 import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
 import { env } from '@/lib/core/config/env'
 import { RateLimiter } from '@/lib/core/rate-limiter'
+import { getBaseUrl } from '@/lib/core/utils/urls'
 import {
 authorizeWorkflowByWorkspacePermission,
 resolveWorkflowIdForUser,
@@ -542,7 +543,8 @@ export async function POST(request: NextRequest) {
 const hasAuth = request.headers.has('authorization') || request.headers.has('x-api-key')
 if (!hasAuth) {
- const resourceMetadataUrl = `${request.nextUrl.origin}/.well-known/oauth-protected-resource/api/mcp/copilot`
+ const origin = getBaseUrl().replace(/\/$/, '')
+ const resourceMetadataUrl = `${origin}/.well-known/oauth-protected-resource/api/mcp/copilot`
 return new NextResponse(JSON.stringify({ error: 'unauthorized' }), {
 status: 401,
 headers: {
diff --git a/apps/sim/lib/mcp/oauth-discovery.ts b/apps/sim/lib/mcp/oauth-discovery.ts
index 166cb7d1ae..a98bca405f 100644
--- a/apps/sim/lib/mcp/oauth-discovery.ts
+++ b/apps/sim/lib/mcp/oauth-discovery.ts
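Review bot: In `apps/sim/app/api/mcp/copilot/route.ts`, the `!hasAuth` branch of `POST` repeats the `getBaseUrl().replace(/\/$/, '')` normalization that `getOrigin()` in `lib/mcp/oauth-discovery.ts` performs in this same patch. The metadata URL built here points clients at a discovery document whose `resource` value is derived from the same base, so two independent copies can drift apart if one is later changed. Exporting the helper and writing `const origin = getOrigin()` here would keep a single source of truth. The response headers that consume `resourceMetadataUrl` continue outside the hunk.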
@@ -1,11 +1,12 @@
-import { type NextRequest, NextResponse } from 'next/server'
+import { NextResponse } from 'next/server'
+import { getBaseUrl } from '@/lib/core/utils/urls'
-function getOrigin(request: NextRequest): string {
- return request.nextUrl.origin
+function getOrigin(): string {
+ return getBaseUrl().replace(/\/$/, '')
 }
-export function createMcpAuthorizationServerMetadataResponse(request: NextRequest): NextResponse {
- const origin = getOrigin(request)
+export function createMcpAuthorizationServerMetadataResponse(): NextResponse {
+ const origin = getOrigin()
 const resource = `${origin}/api/mcp/copilot`
 return NextResponse.json(
@@ -34,8 +35,8 @@ export function createMcpAuthorizationServerMetadataResponse(request: NextReques
 )
 }
-export function createMcpProtectedResourceMetadataResponse(request: NextRequest): NextResponse {
- const origin = getOrigin(request)
+export function createMcpProtectedResourceMetadataResponse(): NextResponse {
+ const origin = getOrigin()
 const resource = `${origin}/api/mcp/copilot`
 const authorizationServerIssuer = origin
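Review bot: `getOrigin()` in `lib/mcp/oauth-discovery.ts` now returns the configured base URL minus one trailing slash, which is an origin only if `getBaseUrl()` never carries a path, query or repeated slashes; `request.nextUrl.origin` guaranteed that shape. The value becomes the issuer (`authorizationServerIssuer = origin` in the second hunk) and the prefix of `resource`, both of which clients compare exactly. Parsing it with `return new URL(getBaseUrl()).origin` would normalize the value and fail fast on a malformed setting, though whether a path prefix is legitimate in this deployment cannot be seen from the patch. A short comment on `getOrigin` saying why the request's origin is no longer used (presumably because it reflects the Host header or an internal proxy address rather than the public URL) would record the intent for later readers.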