Practice Fusion MCP Server

OAUTH2_FIX_SUMMARY.md•5.39 KiB

# OAuth2 Flow Restoration - Fix Summary

## ✅ **ISSUE RESOLVED**: OAuth2 Automatic Authentication Flow

### **Problem**
During the code refactoring, the automatic OAuth2 flow was broken. Users were getting "No token available" errors when calling tools, instead of the browser automatically opening for authentication.

### **Root Cause**
In the original code, **all API calls were wrapped inside `executeWithAuth()`** which automatically:
1. Checks if a token exists
2. If no token → triggers OAuth2 flow (opens browser for authentication)
3. If token expired → refreshes token automatically
4. Then executes the API operation

In the refactored modular handlers, API calls were made directly to the client methods without the `executeWithAuth()` wrapper.

### **Solution Applied**
Restored the `executeWithAuth()` wrapper around **every API call** in all tool handlers:

#### **Before (Broken):**
```typescript
const result = await client.searchPatients(apiSearchParams, onlyActive);
```

#### **After (Fixed):**
```typescript
const result = await this.executeWithAuth(() => 
  client.searchPatients(apiSearchParams, onlyActive)
);
```

### **Files Fixed**

#### 1. **PatientToolHandler.ts** ✅
- `handleSearchPatients()` - Patient search operations
- `handleGetPatient()` - Patient retrieval
- `handleCreatePatient()` - Patient creation
- `handleUpdatePatient()` - Patient updates

#### 2. **CalendarToolHandler.ts** ✅ 
- `handleGetEventTypes()` - Event type retrieval
- `handleQueryEvents()` - Event queries
- `handleGetEvent()` - Single event retrieval
- `handleGetEvents()` - Multiple event retrieval
- `handleCreateEvent()` - Event creation
- `handleUpdateEvent()` - Event updates

#### 3. **UserFacilityToolHandler.ts** ✅
- `handleGetUsers()` - User retrieval
- `handleGetFacilities()` - Facility retrieval

#### 4. **PayerToolHandler.ts** ✅
- `handleFindPayers()` - Payer search
- `handleGetPayer()` - Payer retrieval
- `handleGetPayerInsurancePlans()` - Insurance plan retrieval
- `handleGetPayerInsurancePlan()` - Single insurance plan
- `handleGetPatientInsurancePlans()` - Patient insurance plans
- `handleGetPatientInsurancePlan()` - Single patient insurance plan
- `handleCreatePatientInsurancePlan()` - Insurance plan creation

### **OAuth2 Flow Behavior Restored**

#### **First Tool Call (No Token)**
1. User calls any tool (e.g., `get_users`)
2. Server detects no token exists
3. **Browser automatically opens** to Practice Fusion OAuth2 login
4. User completes authentication in browser
5. Token is stored and tool executes successfully

#### **Subsequent Tool Calls (Valid Token)**
1. Server checks token validity
2. If token is valid → executes API call immediately
3. If token expired → automatically refreshes token → executes API call

#### **Token Refresh (Expired Token)**
1. Server detects token is expired or will expire soon
2. **Automatically refreshes token** using refresh token
3. **Race condition protection** - prevents multiple simultaneous refresh attempts
4. Executes API call with fresh token

### **Authentication Flow Components**

#### **Auth.ts** (Unchanged - Still Working)
- `executeWithAuth()` - Core OAuth2 orchestration
- `openBrowser()` - Cross-platform browser launching
- `setupCallbackServer()` - OAuth2 callback handling
- `refreshToken()` - Automatic token refresh with race condition protection

#### **Environment Configuration** (.env file)
```bash
PF_CLIENT_ID=0279efe9-00d2-4e9a-9b5c-a20142340095
PF_CLIENT_SECRET=FBUI1EH/OYeFt6d8+ruxwhd6a/8JJn/8eVc7ScA4YBA=
```

### **Testing the Fix**

#### **1. Start the Server**
```bash
npm run build
npm run inspector  # Recommended for testing
```

#### **2. Test OAuth2 Flow**
1. Open MCP Inspector at `http://localhost:5173`
2. Try any tool (e.g., `get_users`)
3. **Browser should automatically open** for Practice Fusion login
4. After authentication, tool should execute successfully
5. Subsequent tools should work without re-authentication

#### **3. Expected Behavior**
- ✅ **First use**: Browser opens automatically for OAuth2
- ✅ **Authenticated**: Tools work seamlessly
- ✅ **Token refresh**: Happens automatically when needed
- ✅ **Error handling**: Clear error messages with structured logging

### **Server Startup Logs**
```
2025-07-27T01:34:46.280Z INFO  [AgentCareServer]    Initializing AgentCareServer...
2025-07-27T01:34:46.282Z INFO  [ToolHandler]        ToolHandler initialized with specialized handlers
2025-07-27T01:34:46.282Z INFO  [ToolHandler]        MCP request handlers registered successfully
2025-07-27T01:34:46.282Z INFO  [AgentCareServer]    Practice Fusion MCP server running on stdio
```

### **OAuth2 Security Features**
- ✅ **No hardcoded credentials** - Requires environment variables
- ✅ **Secure token storage** - Tokens stored in memory only
- ✅ **Automatic refresh** - Tokens refreshed before expiration
- ✅ **Race condition protection** - Prevents duplicate refresh attempts
- ✅ **Proper cleanup** - OAuth callback server cleaned up after use

## **✅ RESULT: OAuth2 Flow Fully Restored**

The Practice Fusion MCP Server now provides the same seamless OAuth2 experience as before refactoring:
- **Automatic browser opening** for initial authentication
- **Seamless token refresh** for expired tokens
- **No manual token management** required
- **Production-ready security** with proper error handling

Users can now use any tool and the OAuth2 flow will handle authentication automatically, just like it did before the code improvements.

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/durvester/mcp-scheduler-bot'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

OAUTH2_FIX_SUMMARY.md•5.39 KiB

# OAuth2 Flow Restoration - Fix Summary

## ✅ **ISSUE RESOLVED**: OAuth2 Automatic Authentication Flow

### **Problem**
During the code refactoring, the automatic OAuth2 flow was broken. Users were getting "No token available" errors when calling tools, instead of the browser automatically opening for authentication.

### **Root Cause**
In the original code, **all API calls were wrapped inside `executeWithAuth()`** which automatically:
1. Checks if a token exists
2. If no token → triggers OAuth2 flow (opens browser for authentication)
3. If token expired → refreshes token automatically
4. Then executes the API operation

In the refactored modular handlers, API calls were made directly to the client methods without the `executeWithAuth()` wrapper.

### **Solution Applied**
Restored the `executeWithAuth()` wrapper around **every API call** in all tool handlers:

#### **Before (Broken):**
```typescript
const result = await client.searchPatients(apiSearchParams, onlyActive);
```

#### **After (Fixed):**
```typescript
const result = await this.executeWithAuth(() => 
  client.searchPatients(apiSearchParams, onlyActive)
);
```

### **Files Fixed**

#### 1. **PatientToolHandler.ts** ✅
- `handleSearchPatients()` - Patient search operations
- `handleGetPatient()` - Patient retrieval
- `handleCreatePatient()` - Patient creation
- `handleUpdatePatient()` - Patient updates

#### 2. **CalendarToolHandler.ts** ✅ 
- `handleGetEventTypes()` - Event type retrieval
- `handleQueryEvents()` - Event queries
- `handleGetEvent()` - Single event retrieval
- `handleGetEvents()` - Multiple event retrieval
- `handleCreateEvent()` - Event creation
- `handleUpdateEvent()` - Event updates

#### 3. **UserFacilityToolHandler.ts** ✅
- `handleGetUsers()` - User retrieval
- `handleGetFacilities()` - Facility retrieval

#### 4. **PayerToolHandler.ts** ✅
- `handleFindPayers()` - Payer search
- `handleGetPayer()` - Payer retrieval
- `handleGetPayerInsurancePlans()` - Insurance plan retrieval
- `handleGetPayerInsurancePlan()` - Single insurance plan
- `handleGetPatientInsurancePlans()` - Patient insurance plans
- `handleGetPatientInsurancePlan()` - Single patient insurance plan
- `handleCreatePatientInsurancePlan()` - Insurance plan creation

### **OAuth2 Flow Behavior Restored**

#### **First Tool Call (No Token)**
1. User calls any tool (e.g., `get_users`)
2. Server detects no token exists
3. **Browser automatically opens** to Practice Fusion OAuth2 login
4. User completes authentication in browser
5. Token is stored and tool executes successfully

#### **Subsequent Tool Calls (Valid Token)**
1. Server checks token validity
2. If token is valid → executes API call immediately
3. If token expired → automatically refreshes token → executes API call

#### **Token Refresh (Expired Token)**
1. Server detects token is expired or will expire soon
2. **Automatically refreshes token** using refresh token
3. **Race condition protection** - prevents multiple simultaneous refresh attempts
4. Executes API call with fresh token

### **Authentication Flow Components**

#### **Auth.ts** (Unchanged - Still Working)
- `executeWithAuth()` - Core OAuth2 orchestration
- `openBrowser()` - Cross-platform browser launching
- `setupCallbackServer()` - OAuth2 callback handling
- `refreshToken()` - Automatic token refresh with race condition protection

#### **Environment Configuration** (.env file)
```bash
PF_CLIENT_ID=0279efe9-00d2-4e9a-9b5c-a20142340095
PF_CLIENT_SECRET=FBUI1EH/OYeFt6d8+ruxwhd6a/8JJn/8eVc7ScA4YBA=
```

### **Testing the Fix**

#### **1. Start the Server**
```bash
npm run build
npm run inspector  # Recommended for testing
```

#### **2. Test OAuth2 Flow**
1. Open MCP Inspector at `http://localhost:5173`
2. Try any tool (e.g., `get_users`)
3. **Browser should automatically open** for Practice Fusion login
4. After authentication, tool should execute successfully
5. Subsequent tools should work without re-authentication

#### **3. Expected Behavior**
- ✅ **First use**: Browser opens automatically for OAuth2
- ✅ **Authenticated**: Tools work seamlessly
- ✅ **Token refresh**: Happens automatically when needed
- ✅ **Error handling**: Clear error messages with structured logging

### **Server Startup Logs**
```
2025-07-27T01:34:46.280Z INFO  [AgentCareServer]    Initializing AgentCareServer...
2025-07-27T01:34:46.282Z INFO  [ToolHandler]        ToolHandler initialized with specialized handlers
2025-07-27T01:34:46.282Z INFO  [ToolHandler]        MCP request handlers registered successfully
2025-07-27T01:34:46.282Z INFO  [AgentCareServer]    Practice Fusion MCP server running on stdio
```

### **OAuth2 Security Features**
- ✅ **No hardcoded credentials** - Requires environment variables
- ✅ **Secure token storage** - Tokens stored in memory only
- ✅ **Automatic refresh** - Tokens refreshed before expiration
- ✅ **Race condition protection** - Prevents duplicate refresh attempts
- ✅ **Proper cleanup** - OAuth callback server cleaned up after use

## **✅ RESULT: OAuth2 Flow Fully Restored**

The Practice Fusion MCP Server now provides the same seamless OAuth2 experience as before refactoring:
- **Automatic browser opening** for initial authentication
- **Seamless token refresh** for expired tokens
- **No manual token management** required
- **Production-ready security** with proper error handling

Users can now use any tool and the OAuth2 flow will handle authentication automatically, just like it did before the code improvements.