feat: add mcp server#246
Merged
Merged
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
Antoni-Czaplicki
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces OAuth 2.0/CIMD-backed authentication for the new MCP server endpoint and adds MCP toolsets that let authenticated agents read/write quiz content, run study flows, and fetch user profile/settings. It also refactors settings/admin wiring to include the new OAuth + MCP apps and adds documentation for connecting MCP clients.
Changes:
- Adds OAuth2 authorization server enhancements (CIMD client bootstrap + per-scope consent UI) and exposes discovery metadata endpoints.
- Adds MCP server endpoint (
/api/mcp) and tool implementations for user + quizzes/study/progress/folders, reusing existing DRF serializers. - Extends the quiz domain with
Quiz.is_ai_generatedand surfaces it via serializers/admin for labeling AI-created content.
Reviewed changes
Copilot reviewed 22 out of 26 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| users/mcp.py | Adds MCP tools for user profile/settings guarded by OAuth scopes. |
| users/admin.py | Re-registers oauth-toolkit + JWT blacklist models with Unfold styling. |
| testownik_core/urls.py | Adds MCP endpoint route and OAuth discovery/management routes. |
| testownik_core/settings.py | Enables oauth2_provider + mcp_server apps and configures OAuth/MCP settings. |
| testownik_core/settings_configs/init.py | Introduces grouped settings module package. |
| testownik_core/settings_configs/unfold.py | Extracts UNFOLD configuration into a helper. |
| testownik_core/settings_configs/spectacular.py | Extracts drf-spectacular settings into a helper. |
| testownik_core/settings_configs/mcp.py | Adds MCP global server config and auth class settings. |
| testownik_core/mcp_auth.py | Adds shared require_scope() helper for MCP tool scope enforcement. |
| templates/oauth2_provider/authorize.html | Adds a custom per-scope consent screen template. |
| requirements.txt | Adds django-mcp-server and django-oauth-toolkit dependencies. |
| quizzes/models.py | Adds Quiz.is_ai_generated field. |
| quizzes/migrations/0031_quiz_is_ai_generated.py | Migrates the new is_ai_generated quiz field. |
| quizzes/serializers.py | Exposes is_ai_generated on quiz serializers (read-only in metadata serializer). |
| quizzes/admin.py | Adds is_ai_generated to quiz admin list display/filter. |
| quizzes/mcp.py | Implements MCP toolsets for quizzes/study/progress/folders with serializer reuse. |
| oauth_integrations/apps.py | Adds the oauth_integrations Django app config. |
| oauth_integrations/models.py | Adds persisted CIMD metadata model linked to OAuth Application. |
| oauth_integrations/migrations/0001_initial.py | Creates the CIMD metadata table. |
| oauth_integrations/migrations/init.py | Migration package init. |
| oauth_integrations/admin.py | Adds admin registration for CIMD metadata (Unfold styling). |
| oauth_integrations/oauth_cimd.py | Implements CIMD metadata fetching/validation and custom OAuth2 validator. |
| oauth_integrations/views.py | Adds scoped consent view and OAuth metadata + authorized-apps endpoints. |
| oauth_integrations/tests/init.py | Test package init for oauth_integrations. |
| oauth_integrations/init.py | Package init for oauth_integrations. |
| docs/MCP.md | Adds documentation for MCP endpoint, OAuth/CIMD flow, and tool catalog. |
Avoid DNS lookups for caller-supplied hostnames that are not on the allowlist by moving the allowlist gate ahead of getaddrinfo. The private-address resolution check is kept as defense-in-depth for allowlisted hosts.
This was referenced Jun 5, 2026
This was
linked to
issues
Jun 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
Why
The quiz MCP implementation had started to duplicate serializer behavior and validation. Reusing serializers keeps the REST and MCP contracts closer together, avoids partial update bugs, and prevents malformed closed questions with no correct answer.
Validation
python3 -m ruff checkpython3 manage.py checkpython3 manage.py test quizzes.tests.test_question_crud quizzes.tests.test_quiz_crud users.tests.test_oauthpython3 manage.py test