feat(registry): handle authentication for registry server api

[peppescg]

Summary

Kapture.2026-03-26.at.19.22.38.mp4

Adds OAuth configuration support for Registry Server API and handles structured backend errors (registry_auth_required, registry_unavailable) with actionable UI feedback.

OAuth fields for Registry Server API

• Show Client ID and Issuer URL fields when Registry Server API is selected
• Submit both as the auth object in PUT /api/v1beta/registry/default
• Pre-populate saved values when the user opens settings
• Login/logout flow after saving api_url with auth credentials

Error handling — registry_auth_required (HTTP 401)

• Detect code: "registry_auth_required" from GET /api/v1beta/registry
• Auto-select Registry Server API type and show field-level errors:
  • Empty auth fields → red borders + general OIDC message in the OAuth box
  • Populated fields → specific error on Client ID field
• Dedicated full-page error with "Resolve issues" link to settings

Error handling — registry_unavailable (HTTP 503)

• Detect code: "registry_unavailable" from GET /api/v1beta/registry
• Auto-select Registry Server API type and show user-friendly error on source field
• Pre-fill the source field with the misconfigured URL extracted from the error
• Dedicated full-page error with "Resolve issues" link to settings

Submit error handling

• OIDC discovery failure → error on Issuer URL field
• Auth login failure → error on Client ID field, logout cleanup
• Missing auth fields → error on both Client ID and Issuer URL
• Source URL preserved after login failure (keepDirtyValues)

Refactoring

• Extract useRegistryData and useRegistryForm hooks from registry tab
• Extract applySubmitFieldErrors with switch-based error mapping
• Replace string literals with REGISTRY_FORM_TYPE constants
• Simplify errorMsg toast callback with set-based known message lookup
• Extract OAuthField component and OAUTH_FIELDS config
• Deduplicate onValueChange logic in registry type dropdown
• Extract complex inline conditions into named variables

Test plan

• Select Registry Server API → Client ID and Issuer URL fields appear
• Save with OAuth fields → PUT includes auth object
• Save without OAuth fields → PUT omits auth, no login attempt
• GET returns registry_auth_required with no config → red borders + OIDC message
• GET returns registry_auth_required with existing config → error on Client ID
• GET returns registry_unavailable → error on source field with pre-filled URL
• Login failure → error on Client ID, logout called, source URL preserved
• OIDC discovery failure → error on Issuer URL field
• Missing auth fields → error on both fields
• Switching registry type clears previous errors
• Invalid API URL / Issuer URL format → validation errors
• Full-page error for auth_required and unavailable with "Resolve issues" button

Closes #1760

[peppescg]

@claude succinct review

[claude]

Claude finished @peppescg's task in 1m 3s —— View job

---

Code Review

• Gathering context
• Reading key files
• Review complete

---

Overall this is well-structured — the hook extraction is clean and the error-handling logic is clearly separated. A few things worth addressing:

Bugs / Correctness

1. buildRegistryAuth called twice — use-registry-update-mutation.ts:119-122 computes auth a second time after buildRegistryBody already called it internally. The result is only used to gate the login call, so it's harmless but redundant. Consider reusing the value from buildRegistryBody or extracting it once.

2. allow_private_ip: true hardcoded — use-registry-update-mutation.ts:109. This is silently sent for every api_url save. If the existing value is false, saving will flip it. Should this preserve the current value or be a user-controlled field? Fix this →

3. Unsafe auth_config cast — utils.ts:40-41. auth_config is cast as Record<string, string> with no runtime check. If the shape ever differs, client_id/issuer_url will silently be undefined without surfacing an error. Worth a type guard or using optional chaining on a properly typed field.

UX / State

4. formSource priority is surprising — use-registry-form.ts:71-74:

   defaultRegistry?.source ?? (isUnavailableError ? registryUnavailableUrl : undefined) ?? ''

   If the registry has a saved source and an unavailable error, the saved source wins. But the error URL extracted from the 503 message may differ from the stored source — the user might not see what's actually broken. Consider showing registryUnavailableUrl when isUnavailableError is true regardless of whether a stored source exists.

5. Empty-string error messages — use-registry-form.ts:97-99 sets source, client_id, and issuer_url errors with message: '' to trigger red borders without text. This works but feels fragile; a future UI component that only renders the border conditionally on !!error.message would silently regress. Consider a sentinel message like ' ' (non-breaking space) or a dedicated hasError prop.

Schema

6. api_url accepts HTTP — schema.ts:67-82 only validates that the URL parses, not that it's HTTPS. The url type enforces HTTPS; consistency would prevent accidental plaintext credential transmission. Fix this →

Minor

7. delay(500) in mutation — use-registry-update-mutation.ts:124. Artificial delay in the happy path feels like a debug leftover. Is this intentional?

8. resolveRegistryListLoadErrorMessage — registry-list-error.ts:80-91 takes registryType from the form but the function is also imported in registry-api-oauth-fields.tsx which already knows the type is api_url (it returns null otherwise). The function's fallback branch for non-api_url types is dead code in its only call site.

[Copilot]

Pull request overview

Adds OAuth configuration and improved error handling for Registry Server API usage in the Registry Settings UI, including startup redirection when ToolHive indicates registry authentication is required.

Changes:

• Add Registry Server API OAuth fields (Client ID, Issuer URL), submit as auth, and trigger login/logout flows.
• Handle structured backend errors (registry_auth_required, registry_unavailable) with targeted UI messaging (settings + full-page error state).
• Refactor registry settings logic into useRegistryData / useRegistryForm, plus expanded MSW fixtures and test coverage.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
renderer/src/routes/__root.tsx	Redirects to registry settings + persistent toast when ToolHive reports registry auth required at startup.
renderer/src/routes/(registry)/registry.tsx	Passes route error into RegistryError for structured rendering.
renderer/src/common/mocks/fixtures/registry_auth_logout/post.ts	Adds MSW fixture for registry auth logout endpoint.
renderer/src/common/mocks/fixtures/registry_auth_login/post.ts	Adds MSW fixture for registry auth login endpoint (+ error scenario).
renderer/src/common/mocks/fixtures/registry/get.ts	Adds MSW fixture for GET registry list endpoint (+ error scenario).
renderer/src/common/hooks/use-toast-mutation.ts	Extends toast mutation hook to support functional loading/error messages.
renderer/src/common/components/settings/tabs/tests/registry-tab.test.tsx	Adds extensive tests for OAuth fields, auth/unavailable errors, and submission error mappings.
renderer/src/common/components/settings/registry/utils.ts	Adds REGISTRY_FORM_TYPE constants and helper to extract auth config from registry info.
renderer/src/common/components/settings/registry/use-registry-update-mutation.ts	Centralizes PUT + auth login/logout flow, cache updates, and toast/error mapping.
renderer/src/common/components/settings/registry/use-registry-form.ts	Centralizes form state, submit/reset handlers, and field-error application.
renderer/src/common/components/settings/registry/use-registry-data.ts	Centralizes registry query + update mutation state and structured error detection.
renderer/src/common/components/settings/registry/schema.ts	Adds client/issuer fields + issuer URL validation; improves required-source validation copy for API URL.
renderer/src/common/components/settings/registry/registry-type-field.tsx	Clears errors and restores/clears dependent fields when switching registry type.
renderer/src/common/components/settings/registry/registry-tab.tsx	Refactors tab to use extracted hooks and pass richer props to RegistryForm.
renderer/src/common/components/settings/registry/registry-source-field.tsx	Improves per-error messaging (auth-required vs unavailable) and when to mark the source field errored.
renderer/src/common/components/settings/registry/registry-form.tsx	Adds OAuth fields section + reset button + improved submit labels/spinner behavior.
renderer/src/common/components/settings/registry/registry-errors-message.ts	Adds shared constants and helpers for structured registry errors and user-facing copy.
renderer/src/common/components/settings/registry/registry-api-oauth-fields.tsx	New OAuth fields component rendered only for Registry Server API type.
renderer/src/common/components/error/registry-error.tsx	Renders dedicated full-page states for auth-required/unavailable registry errors.
renderer/src/common/components/error/tests/registry-error.test.tsx	Adds tests for the new full-page registry error variants.
preload/src/api/toolhive.ts	Adds getToolhiveStatus() to the renderer-facing Electron API.
main/src/toolhive-manager.ts	Tracks a processError for registry-auth-required based on ToolHive stderr output.
main/src/ipc-handlers/toolhive.ts	Exposes get-toolhive-status IPC handler.
common/types/toolhive-status.ts	Adds shared ToolhiveStatus / ToolhiveProcessError types.

[samuv]

I didn’t test it, but the code looks good. I just added a note about __root, but it’s independent of the main focus of this PR

[samuv]

Nice, thank you for the refactoring

[samuv]