fix(mcp): use getBaseUrl for OAuth discovery metadata URLs #3283

Merged
waleedlatif1 merged 2 commits into staging from feat/mcp
Feb 21, 2026

@waleedlatif1
Collaborator

Summary

  • OAuth discovery endpoints were returning internal EC2 hostnames instead of the public URL
  • Use getBaseUrl() (reads NEXT_PUBLIC_APP_URL) instead of request.nextUrl.origin for metadata and WWW-Authenticate URLs

Type of Change

  • Bug fix

Testing

Tested manually — verified discovery endpoints return correct public URLs

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Feb 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project | Deployment | Actions | Updated (UTC)
docs | Skipped | Skipped | Feb 21, 2026 9:56am

@greptile-apps
Contributor

greptile-apps bot commented Feb 21, 2026

Greptile Summary

This PR fixes OAuth discovery endpoints to return public URLs instead of internal EC2 hostnames by replacing request.nextUrl.origin with getBaseUrl() which reads from NEXT_PUBLIC_APP_URL.

  • Changed getOrigin(request: NextRequest) to getOrigin() in oauth-discovery.ts to use getBaseUrl() instead of extracting origin from the request
  • Updated WWW-Authenticate header in copilot/route.ts to construct resource metadata URL using public base URL
  • Both files now consistently strip trailing slashes using .replace(/\/$/, '') before building OAuth endpoint URLs
  • This ensures OAuth clients receive correct public endpoints for authorization and token exchange instead of internal network addresses

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are straightforward and follow existing patterns in the codebase. The fix correctly addresses the issue of OAuth discovery endpoints returning internal hostnames by using the centralized getBaseUrl() utility, which is already widely used throughout the application for webhooks and callbacks. The trailing slash handling is consistent with patterns found elsewhere in the codebase.
  • No files require special attention

Important Files Changed

Filename | Overview
apps/sim/lib/mcp/oauth-discovery.ts | Replaced request.nextUrl.origin with getBaseUrl() to return public URLs instead of internal EC2 hostnames in OAuth discovery endpoints
apps/sim/app/api/mcp/copilot/route.ts | Updated WWW-Authenticate header to use getBaseUrl() for resource metadata URL instead of request origin

Last reviewed commit: 1bae9d7

Contributor

@greptile-apps greptile-apps bot left a comment

2 files reviewed, no comments

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1 waleedlatif1 merged commit 42020c3 into staging Feb 21, 2026
7 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/mcp branch February 21, 2026 09:57
@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!
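
The change discussed in this thread, as an added example that is not code from the pull request or the project: discovery metadata built from the request origin versus from the configured public URL, plus a regression check that no advertised URL falls outside the public origin. The endpoint paths, the hostnames and the helper names (including `getBaseUrlFrom`, a hypothetical stand-in for `getBaseUrl()`) are assumptions.

```typescript
// Added example. Endpoint paths, hostnames and helper names are assumptions,
// not taken from the project's code.
type Env = Record<string, string | undefined>;

// Constructed sample: the URL the app server sees behind a load balancer.
const INTERNAL_REQUEST_URL =
  "http://ip-10-0-0-12.ec2.internal:3000/.well-known/oauth-authorization-server";

// Hypothetical stand-in for getBaseUrl(): read the configured public URL and
// fail closed instead of falling back to anything derived from the request.
function getBaseUrlFrom(env: Env): string {
  const raw = env.NEXT_PUBLIC_APP_URL;
  if (!raw || !/^https?:\/\/[^\/\s]+/.test(raw)) {
    throw new Error("NEXT_PUBLIC_APP_URL must be an absolute http(s) URL");
  }
  return raw.replace(/\/$/, ""); // strip one trailing slash before joining paths
}

// Authorization server metadata (RFC 8414 field names) built from one base.
function buildMetadata(base: string) {
  return {
    issuer: base,
    authorization_endpoint: base + "/oauth/authorize", // assumed path
    token_endpoint: base + "/oauth/token", // assumed path
  };
}

// "Before" behaviour: base taken from the request URL as the server sees it.
function metadataFromRequestOrigin(requestUrl: string) {
  const origin = (requestUrl.match(/^https?:\/\/[^\/]+/) || [""])[0];
  return buildMetadata(origin);
}

// WWW-Authenticate challenge pointing at protected resource metadata (RFC 9728).
function wwwAuthenticate(base: string): string {
  return 'Bearer resource_metadata="' + base + '/.well-known/oauth-protected-resource"';
}

// Regression check: names of metadata fields whose URL is outside the public origin.
function leakedFields(metadata: Record<string, string>, publicBase: string): string[] {
  return Object.keys(metadata).filter(function (key) {
    const value = metadata[key];
    return value !== publicBase && value.indexOf(publicBase + "/") !== 0;
  });
}
```

Running `leakedFields` against the served discovery document in CI or a post-deploy smoke test catches a reintroduced request-derived origin before OAuth clients see it.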
