refactor: mcp secrets and polling logic into a dedicated hooks (#868)

* refactor: move to util secrets functions

* refactor: create common useCheckServerStatus replacing the polling logic in all custom hooks

* refactor: handle secrets logic in a custom hook

* fix: comments after review

* fix: remote mcp client_secret

* fix: remote fields with oauth

* leftover

* refactor: form remote auth fields

Author: peppescg

renderer/src/common/hooks/__tests__/use-mcp-secrets.test.ts

@@ -0,0 +1,89 @@
+import { useCallback, useRef } from 'react'
+import { useQueryClient } from '@tanstack/react-query'
+import { pollServerStatus } from '@/common/lib/polling'
+import {
+  getApiV1BetaWorkloadsByNameStatusOptions,
+  getApiV1BetaWorkloadsQueryKey,
+} from '@api/@tanstack/react-query.gen'
+import { toast } from 'sonner'
+import { Button } from '../components/ui/button'
+import { Link } from '@tanstack/react-router'
+
+/**
+ * Custom hook for checking server status after creation/startup.
+ * Returns a function that polls server status and invalidates queries when ready.
+ */
+export function useCheckServerStatus() {
+  const toastIdRef = useRef(new Date(Date.now()).toISOString())
+
+  const queryClient = useQueryClient()
+
+  const checkServerStatus = useCallback(
+    async ({
+      serverName,
+      isEditing = false,
+    }: {
+      serverName: string
+      isEditing?: boolean
+    }): Promise<boolean> => {
+      toast.loading(
+        `${isEditing ? 'Updating' : 'Starting'} "${serverName}"...`,
+        {
+          duration: 30_000,
+          id: toastIdRef.current,
+        }
+      )
+
+      const isServerReady = await pollServerStatus(
+        () =>
+          queryClient.fetchQuery(
+            getApiV1BetaWorkloadsByNameStatusOptions({
+              path: { name: serverName },
+            })
+          ),
+        'running'
+      )
+
+      if (isServerReady) {
+        await queryClient.invalidateQueries({
+          queryKey: getApiV1BetaWorkloadsQueryKey({ query: { all: true } }),
+        })
+
+        toast.success(
+          `"${serverName}" ${isEditing ? 'updated' : 'started'} successfully.`,
+          {
+            id: toastIdRef.current,
+            duration: 5_000, // slightly longer than default
+            action: (
+              <Button asChild>
+                <Link
+                  to="/group/$groupName"
+                  params={{ groupName: 'default' }}
+                  search={{ newServerName: serverName }}
+                  onClick={() => toast.dismiss(toastIdRef.current)}
+                  viewTransition={{ types: ['slide-left'] }}
+                  className="ml-auto"
+                >
+                  View
+                </Link>
+              </Button>
+            ),
+          }
+        )
+      } else {
+        toast.warning(
+          `Server "${serverName}" was ${isEditing ? 'updated' : 'created'} but may still be starting up. Check the servers list to monitor its status.`,
+          {
+            id: toastIdRef.current,
+            duration: 5_000,
+          }
+        )
+      }
+
+      return isServerReady
+    },
+    [queryClient]
+  )
+
+  return { checkServerStatus }
+}

renderer/src/common/hooks/use-check-server-status.tsx

@@ -0,0 +1,233 @@
+import { useMutation } from '@tanstack/react-query'
+import { postApiV1BetaSecretsDefaultKeysMutation } from '@api/@tanstack/react-query.gen'
+import { getApiV1BetaSecretsDefaultKeys } from '@api/sdk.gen'
+import type {
+  PostApiV1BetaSecretsDefaultKeysData,
+  SecretsSecretParameter,
+  V1CreateSecretResponse,
+} from '@api/types.gen'
+import type { Options } from '@api/client'
+import { prepareSecretsWithoutNamingCollision } from '@/common/lib/secrets/prepare-secrets-without-naming-collision'
+import type { DefinedSecret, PreparedSecret } from '@/common/types/secrets'
+import type { FormSchemaLocalMcp } from '@/features/mcp-servers/lib/form-schema-local-mcp'
+import type { FormSchemaRemoteMcp } from '@/features/mcp-servers/lib/form-schema-remote-mcp'
+import type { FormSchemaRegistryMcp } from '@/features/registry-servers/lib/form-schema-registry-mcp'
+import type { UseMutateAsyncFunction } from '@tanstack/react-query'
+
+type SaveSecretFn = UseMutateAsyncFunction<
+  V1CreateSecretResponse,
+  string,
+  Options<PostApiV1BetaSecretsDefaultKeysData>,
+  unknown
+>
+
+/**
+ * Takes all of the secrets from the form and saves them serially to the
+ * secret store. Accepts a `toastId`, which it uses to provide feedback on the
+ * progress of the operation.
+ * // NOTE: We add a short, arbitrary delay to allow the `toast` message that
+ * displays progress to show up-to-date progress.
+ */
+export async function saveMCPSecrets(
+  secrets: PreparedSecret[],
+  saveSecret: SaveSecretFn,
+  onSecretSuccess: (completedCount: number, secretsCount: number) => void,
+  onSecretError: (
+    error: string,
+    variables: Options<PostApiV1BetaSecretsDefaultKeysData>
+  ) => void
+): Promise<SecretsSecretParameter[]> {
+  const secretsCount: number = secrets.length
+  let completedCount: number = 0
+  const createdSecrets: SecretsSecretParameter[] = []
+
+  for (const { secretStoreKey, target, value } of secrets) {
+    const { key: createdKey } = await saveSecret(
+      {
+        body: { key: secretStoreKey, value },
+      },
+      {
+        onError: (error, variables) => {
+          onSecretError(error, variables)
+        },
+        onSuccess: () => {
+          completedCount++
+          onSecretSuccess(completedCount, secretsCount)
+        },
+      }
+    )
+
+    if (!createdKey) {
+      throw new Error(`Failed to create secret for key "${secretStoreKey}"`)
+    }
+
+    // The arbitrary delay a UX/UI affordance to allow the user to see the progress
+    // of the operation. This is not strictly necessary, but it helps to avoid
+    // confusion when many secrets are being created in quick succession.
+    // The delay is between 100 and 500ms
+    await new Promise((resolve) =>
+      setTimeout(
+        resolve,
+        process.env.NODE_ENV === 'test'
+          ? 0
+          : Math.floor(Math.random() * 401) + 100
+      )
+    )
+    createdSecrets.push({
+      /** The name of the secret in the secret store */
+      name: createdKey,
+      /** The property in the MCP server's config that we are mapping the secret to */
+      target: target,
+    })
+  }
+
+  return createdSecrets
+}
+
+/**
+ * A utility function to filter out secrets that are not defined.
+ */
+export function getMCPDefinedSecrets(
+  secrets:
+    | FormSchemaRemoteMcp['secrets']
+    | FormSchemaLocalMcp['secrets']
+    | FormSchemaRegistryMcp['secrets']
+): DefinedSecret[] {
+  return secrets.reduce<DefinedSecret[]>((acc, { name, value }) => {
+    if (name && value.secret) {
+      acc.push({
+        name,
+        value: {
+          secret: value.secret,
+          isFromStore: value.isFromStore ?? false,
+        },
+      })
+    }
+    return acc
+  }, [])
+}
+
+/**
+ * Groups secrets into two categories: new secrets (not from the registry) and
+ * existing secrets (from the registry). We need this separation to know which
+ * secrets need to be encrypted and stored before creating the server workload.
+ */
+export function groupMCPDefinedSecrets(secrets: DefinedSecret[]): {
+  newSecrets: DefinedSecret[]
+  existingSecrets: DefinedSecret[]
+} {
+  return secrets.reduce<{
+    newSecrets: DefinedSecret[]
+    existingSecrets: DefinedSecret[]
+  }>(
+    (acc, secret) => {
+      if (secret.value.isFromStore) {
+        acc.existingSecrets.push(secret)
+      } else {
+        acc.newSecrets.push(secret)
+      }
+      return acc
+    },
+    { newSecrets: [], existingSecrets: [] }
+  )
+}
+
+interface UseMCPSecretsParams {
+  onSecretSuccess: (completedCount: number, secretsCount: number) => void
+  onSecretError: (
+    error: string,
+    variables: Options<PostApiV1BetaSecretsDefaultKeysData>
+  ) => void
+}
+
+interface MCPSecretsResult {
+  newlyCreatedSecrets: SecretsSecretParameter[]
+  existingSecrets: DefinedSecret[]
+}
+
+interface UseMCPSecretsReturn {
+  handleSecrets: (secrets: DefinedSecret[]) => Promise<MCPSecretsResult>
+  isPendingSecrets: boolean
+  isErrorSecrets: boolean
+}
+
+/**
+ * Custom hook for handling MCP secrets processing.
+ *
+ * This hook encapsulates the complete workflow for processing MCP secrets:
+ * 1. Groups secrets into new and existing categories
+ * 2. Fetches current secrets to handle naming collisions
+ * 3. Prepares new secrets with unique names
+ * 4. Encrypts and saves new secrets to the secret store
+ *
+ * @param params - Configuration object with success and error callbacks
+ * @returns Object with handleSecrets function and loading/error states
+ */
+export function useMCPSecrets({
+  onSecretSuccess = () => {},
+  onSecretError = () => {},
+}: UseMCPSecretsParams): UseMCPSecretsReturn {
+  const { mutateAsync: saveSecret } = useMutation({
+    ...postApiV1BetaSecretsDefaultKeysMutation(),
+  })
+
+  const {
+    mutateAsync: handleSecrets,
+    isPending: isPendingSecrets,
+    isError: isErrorSecrets,
+  } = useMutation({
+    mutationFn: async (
+      secrets:
+        | FormSchemaRemoteMcp['secrets']
+        | FormSchemaLocalMcp['secrets']
+        | FormSchemaRegistryMcp['secrets']
+    ): Promise<MCPSecretsResult> => {
+      let newlyCreatedSecrets: SecretsSecretParameter[] = []
+
+      // Step 1: Group secrets into new and existing
+      // We need to know which secrets are new (not from the registry) and which are
+      // existing (already stored). This helps us handle the encryption and storage
+      // of secrets correctly.
+      const { existingSecrets, newSecrets } = groupMCPDefinedSecrets(
+        getMCPDefinedSecrets(secrets)
+      )
+
+      // Step 2: Fetch existing secrets & handle naming collisions
+      // We need an up-to-date list of secrets so we can handle any existing keys
+      // safely & correctly. This is done with a manual fetch call to avoid freshness issues /
+      // side-effects from the `useQuery` hook.
+      // In the event of a naming collision, we will append an incrementing number
+      // to the secret name, e.g. `MY_API_TOKEN` -> `MY_API_TOKEN_2`
+      const { data: fetchedSecrets } = await getApiV1BetaSecretsDefaultKeys({
+        throwOnError: true,
+      })
+      const preparedNewSecrets = prepareSecretsWithoutNamingCollision(
+        newSecrets,
+        fetchedSecrets
+      )
+
+      // Step 3: Encrypt secrets
+      // If there are secrets with values, create them in the secret store first.
+      // We need the data returned by the API to pass along with the "run workload" request.
+      if (preparedNewSecrets.length > 0) {
+        newlyCreatedSecrets = await saveMCPSecrets(
+          preparedNewSecrets,
+          saveSecret,
+          onSecretSuccess,
+          onSecretError
+        )
+      }
+
+      return {
+        newlyCreatedSecrets,
+        existingSecrets,
+      }
+    },
+  })
+
+  return {
+    handleSecrets,
+    isPendingSecrets,
+    isErrorSecrets,
+  }
+}

renderer/src/common/hooks/use-mcp-secrets.ts

@@ -157,7 +157,7 @@ const createRegistrySecretsSchema = (
     .object({
       name: secretNameSchema,
       value: z.object({
-        secret: z.string().optional(),
+        secret: z.string(),
         isFromStore: z.boolean(),
       }),
     })
@@ -291,7 +291,7 @@ const remoteMcpOauthConfigSchema = z.object({
   client_secret: z.string().optional(),
   issuer: z.string().optional(),
   oauth_params: z.record(z.string(), z.string()).optional(),
-  scopes: z.array(z.string()).optional(),
+  scopes: z.string().optional(),
   skip_browser: z.boolean(),
   token_url: z.string().optional(),
   use_pkce: z.boolean(),