Christian Pojoni b4aaf9712f feat(mcp): add OAuth 2.1 for claude.ai MCP connector (#2829)
* feat(mcp): add OAuth 2.1 authentication for claude.ai MCP connector

Enable OAuth 2.1 (RFC 8414 + RFC 7591) for the MCP endpoint using
better-auth's MCP plugin. This allows claude.ai and other MCP clients
to authenticate via Dynamic Client Registration and Authorization Code
flow with PKCE, using the existing login page.

- Add `mcp()` plugin to better-auth config with login page redirect
- Add `.well-known/oauth-authorization-server` discovery endpoint
- Add `.well-known/oauth-protected-resource` metadata endpoint
- Update MCP handler to accept Bearer tokens via `getMcpSession`
- Retain `x-api-key` fallback for backward compatibility
- Return proper HTTP 401 + WWW-Authenticate header for unauthed requests
- Add `oauthApplication`, `oauthAccessToken`, `oauthConsent` tables

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(mcp): use typed AuthError and suppress noisy verifyApiKey throws

- Replace string-matching error detection with instanceof AuthError
- Wrap verifyApiKey in try-catch to avoid logging malformed key errors
- Move console.error below auth check so 401s don't pollute logs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(mcp): add database migration for OAuth tables

Creates oauth_application, oauth_access_token, and oauth_consent tables
required for MCP OAuth 2.1 Dynamic Client Registration flow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(mcp): resolve OAuth Bearer token auth for oRPC tool calls

The oRPC context only checked session cookies and API keys, causing
MCP tool calls from OAuth clients (claude.ai) to fail with Unauthorized
even though the MCP endpoint itself authenticated successfully.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(mcp): look up user by userId from OAuth access token

getMcpSession returns OAuthAccessToken (with userId), not a session
object with a user property. Must query the user table by userId.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(mcp): migrate from deprecated mcp() plugin to @better-auth/oauth-provider

The better-auth MCP plugin is marked for deprecation in favor of the
OAuth Provider plugin. This refactors the entire OAuth 2.1 flow to use
@better-auth/oauth-provider with JWT-based token verification, replacing
the opaque token lookup via getMcpSession().

Key changes:
- Replace mcp() with jwt() + oauthProvider() in auth config
- Replace getMcpSession() with verifyAccessToken() (JWT/JWKS)
- Replace oauthApplication table with oauthClient (RFC 7591 compliant)
- Add oauthRefreshToken table and jwks table for JWT signing keys
- Extract shared authBaseUrl and verifyOAuthToken helper
- Hoist McpServer to module scope (avoid per-request reconstruction)
- Update .well-known discovery endpoints for OAuth Provider

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(mcp): resolve OAuth 2.1 flow for claude.ai MCP connector

Multiple fixes required to make the full MCP OAuth flow work with
claude.ai's implementation:

- Add RFC 8414 discovery route at /.well-known/oauth-authorization-server/api/auth
  (claude.ai appends the issuer path per spec)
- Add /auth/oauth server route to handle login/consent flow
  (generates auth codes directly, bypassing h3 cookie issues)
- Default token_endpoint_auth_method to "none" via onRequest plugin hook
  (claude.ai omits this field, causing confidential client rejection)
- Strip prompt=consent from authorize requests via onRequest hook
  (better-auth checks prompt before skipConsent, causing redirect loops)
- Add validAudiences for MCP resource URL
  (JWT aud claim contains the MCP URL, not the base URL)
- Disable CSRF check for cross-origin OAuth flows
- Log token endpoint errors for debugging
- Set skipConsent on OAuth clients via /auth/oauth route

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(mcp): harden OAuth security and enforce lock on delete

- Scope CSRF bypass to OAuth2 paths only instead of disabling globally
- Validate redirect_uri against registered client URIs (prevents code interception)
- Use pathname matching instead of fragile url.includes() for route guards
- Replace biased modulo code generation with crypto.randomBytes
- Enforce resume lock check on delete (previously silently ignored)
- Remove debug console.error logging of OAuth token response bodies
- Use Response.json() consistently for MCP 401 response

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Update dependencies, refine ignore patterns, and enhance documentation

- Updated various dependencies in package.json and pnpm-lock.yaml for improved stability and features.
- Adjusted ignore patterns in knip.json to include specific component directories.
- Enhanced documentation for the MCP server, clarifying authentication methods and configuration options.
- Made minor adjustments to VSCode settings for better code organization.

* fix(mcp): resolve OAuth client registration and stale token handling

Claude.ai sends token_endpoint_auth_method: "client_secret_post" without
a client_secret during Dynamic Client Registration, causing Better Auth to
reject it as an unauthenticated confidential client. Force to "none" for
unauthenticated registrations.

Also catch JWKS verification errors (e.g. key rotation after redeployment)
so stale Bearer tokens return 401 instead of 200 with an error body,
allowing clients to re-initiate the OAuth flow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* reiterate on tests

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Amruth Pillai <im.amruth@gmail.com>
2026-03-24 11:03:56 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00
2026-01-19 23:31:54 +01:00
2026-03-18 09:54:10 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00
2026-01-21 23:44:48 +01:00
2026-03-18 22:03:24 +01:00
2026-03-18 22:03:24 +01:00

Reactive Resume

Reactive Resume

Reactive Resume is a free and open-source resume builder that simplifies the process of creating, updating, and sharing your resume.

Get Started · Learn More

Reactive Resume version GitHub Stars License Docker Pulls Discord Crowdin Sponsors Donations


Reactive Resume makes building resumes straightforward. Pick a template, fill in your details, and export to PDF—no account required for basic use. For those who want more control, the entire application can be self-hosted on your own infrastructure.

Built with privacy as a core principle, Reactive Resume gives you complete ownership of your data. The codebase is fully open-source under the MIT license, with no tracking, no ads, and no hidden costs.

Features

Resume Building

  • Real-time preview as you type
  • Multiple export formats (PDF, JSON)
  • Drag-and-drop section ordering
  • Custom sections for any content type
  • Rich text editor with formatting support

Templates

  • Professionally designed templates
  • A4 and Letter size support
  • Customizable colors, fonts, and spacing
  • Custom CSS for advanced styling

Privacy & Control

  • Self-host on your own infrastructure
  • No tracking or analytics by default
  • Full data export at any time
  • Delete your data permanently with one click

Extras

  • AI integration (OpenAI, Google Gemini, Anthropic Claude)
  • Multi-language support
  • Share resumes via unique links
  • Import from JSON Resume format
  • Dark mode support
  • Passkey and two-factor authentication

Templates

Azurill
Azurill
Bronzor
Bronzor
Chikorita
Chikorita
Ditto
Ditto
Gengar
Gengar
Glalie
Glalie
Kakuna
Kakuna
Lapras
Lapras
Leafish
Leafish
Onyx
Onyx
Pikachu
Pikachu
Rhyhorn
Rhyhorn
Ditgar
Ditgar

Quick Start

The quickest way to run Reactive Resume locally:

# Clone the repository
git clone https://github.com/amruthpillai/reactive-resume.git
cd reactive-resume

# Start all services
docker compose up -d

# Access the app
open http://localhost:3000

Build with Ona

For detailed setup instructions, environment configuration, and self-hosting guides, see the documentation.

Tech Stack

Category Technology
Framework TanStack Start (React 19, Vite)
Runtime Node.js
Language TypeScript
Database PostgreSQL with Drizzle ORM
API ORPC (Type-safe RPC)
Auth Better Auth
Styling Tailwind CSS
UI Components Radix UI
State Management Zustand + TanStack Query

Documentation

Comprehensive guides are available at docs.rxresu.me:

Guide Description
Getting Started First-time setup and basic usage
Self-Hosting Deploy on your own server
Development Setup Local development environment
Project Architecture Codebase structure and patterns
Exporting Your Resume PDF and JSON export options

Self-Hosting

Reactive Resume can be self-hosted using Docker. The stack includes:

  • PostgreSQL — Database for storing user data and resumes
  • Printer — Headless Chromium service for PDF and screenshot generation
  • SeaweedFS (optional) — S3-compatible storage for file uploads

Pull the latest image from Docker Hub or GitHub Container Registry:

# Docker Hub
docker pull amruthpillai/reactive-resume:latest

# GitHub Container Registry
docker pull ghcr.io/amruthpillai/reactive-resume:latest

See the self-hosting guide for complete instructions.

Support

Reactive Resume is and always will be free and open-source. If it has helped you land a job or saved you time, please consider supporting continued development:

GitHub Sponsors Open Collective

Other ways to support:

  • Star this repository
  • Report bugs and suggest features
  • Improve documentation
  • Help with translations

Star History

Star History Chart

Contributing

Contributions make open-source thrive. Whether fixing a typo or adding a feature, all contributions are welcome.

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

See the development setup guide for detailed instructions on how to set up the project locally.

License

MIT — do whatever you want with it.

S
Description
A one-of-a-kind resume builder that keeps your privacy in mind. Completely secure, customizable, portable, open-source and free forever. Try it out today!
Readme MIT 304 MiB
Languages
TypeScript 99.5%
CSS 0.2%
JavaScript 0.1%