@softtechai/quickmcp 1.0.16 → 1.1.0

package/src/web/public/authorization.html

@@ -0,0 +1,868 @@
+<!DOCTYPE html>
+<html lang="en" class="h-full">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>QuickMCP - Authorization</title>
+
+    <link rel="icon" type="image/png" href="/images/favicon.png">
+  <script src="https://cdn.tailwindcss.com"></script>
+  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css">
+  <link rel="stylesheet" href="quickmcp-styles.css">
+</head>
+<body class="h-screen flex flex-col bg-gradient-to-br from-slate-50 to-slate-100 overflow-hidden text-slate-900">
+  <header class="backdrop-blur-sm bg-white/80 border-b border-slate-200/60 shadow-sm relative z-50 h-16 flex-shrink-0 flex items-center justify-between px-6 py-3">
+    <div class="flex items-center gap-3">
+      <div class="w-9 h-9 rounded-lg bg-blue-600 text-white flex items-center justify-center shadow-lg shadow-blue-500/25">
+        <i class="fas fa-rocket text-lg"></i>
+      </div>
+      <div>
+        <h1 class="text-xl font-bold gradient-text leading-tight">QuickMCP</h1>
+        <p class="text-xs text-slate-500 font-medium">Authorization</p>
+      </div>
+    </div>
+    <div class="flex items-center gap-3">
+      <div class="w-8 h-8 rounded-full bg-gradient-to-tr from-blue-500 to-purple-500 text-white flex items-center justify-center text-sm font-bold shadow-md" data-user-avatar>G</div>
+      <button id="openSidebar" class="lg:hidden p-2 rounded-lg hover:bg-slate-100 transition-colors text-slate-500">
+        <i class="fas fa-bars"></i>
+      </button>
+    </div>
+  </header>
+
+  <div class="app-main-layout flex flex-1 overflow-x-hidden">
+    <div id="sidebar" class="w-72 bg-white/95 backdrop-blur-sm border-r border-slate-200/60 flex flex-col flex-shrink-0 z-[60] fixed inset-y-0 left-0 transform -translate-x-full lg:translate-x-0 lg:top-0 lg:h-screen transition-transform duration-300 ease-in-out h-full pt-16 lg:pt-0"></div>
+    <div id="sidebarOverlay" class="fixed inset-0 bg-slate-900/50 backdrop-blur-sm z-30 lg:hidden opacity-0 invisible transition-all duration-300"></div>
+
+    <main class="flex-1 overflow-y-auto p-8">
+      <div class="max-w-6xl mx-auto space-y-6">
+        <div class="text-center mb-10">
+          <h2 class="text-3xl font-bold text-slate-900">MCP Authorization</h2>
+          <p id="authSummary" class="text-slate-600 mt-1"></p>
+        </div>
+
+        <section class="card p-0 overflow-hidden">
+          <div class="border-b border-slate-200 bg-slate-50/80">
+            <div class="px-5 pt-4">
+              <nav class="flex items-end gap-1" aria-label="Authorization tabs">
+                <button id="tabToken" class="px-4 py-2.5 rounded-t-lg text-sm font-semibold border border-slate-200 border-b-white bg-white text-slate-900 -mb-px">Token</button>
+                <button id="tabPolicy" class="px-4 py-2.5 rounded-t-lg text-sm font-semibold border border-transparent text-slate-600 hover:text-blue-700 hover:bg-white/70">Policy</button>
+              </nav>
+            </div>
+          </div>
+
+          <div id="tokenTabPanel" class="p-5 space-y-6">
+          <section class="card p-6 space-y-5">
+            <div class="flex items-center justify-between">
+              <h3 class="text-lg font-semibold text-slate-900">Generate Token</h3>
+              <button id="generateTokenBtn" class="bg-blue-600 hover:bg-blue-700 text-white rounded-lg px-4 py-2 text-sm font-medium">Generate Token</button>
+            </div>
+
+            <div>
+              <label class="block text-sm text-slate-700 mb-1">Token Name</label>
+              <div class="relative">
+                <i class="fas fa-tag absolute left-3 top-1/2 -translate-y-1/2 text-slate-400 text-xs"></i>
+                <input id="tokenName" class="input w-full pl-9" placeholder="e.g. Claude Desktop, Cursor, Windsurf" maxlength="120" required>
+              </div>
+            </div>
+
+            <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
+              <div>
+                <label class="block text-sm text-slate-700 mb-1">User</label>
+                <div class="relative">
+                  <i class="fas fa-user absolute left-3 top-1/2 -translate-y-1/2 text-slate-400 text-xs"></i>
+                  <select id="subjectUserSelect" class="input w-full pl-9 pr-9 appearance-none bg-white border-slate-200 hover:border-slate-300 focus:border-blue-400 shadow-sm"></select>
+                  <i class="fas fa-chevron-down absolute right-3 top-1/2 -translate-y-1/2 text-slate-400 text-xs pointer-events-none"></i>
+                </div>
+              </div>
+              <div>
+                <label class="block text-sm text-slate-700 mb-1">Token Expiration</label>
+                <div class="relative">
+                  <i class="fas fa-clock absolute left-3 top-1/2 -translate-y-1/2 text-slate-400 text-xs"></i>
+                  <select id="tokenTtlPreset" class="input w-full pl-9 pr-9 appearance-none bg-white border-slate-200 hover:border-slate-300 focus:border-blue-400 shadow-sm">
+                    <option value="never" selected>Never expires</option>
+                    <option value="1m">1 minute</option>
+                    <option value="5m">5 minutes</option>
+                    <option value="15m">15 minutes</option>
+                    <option value="30m">30 minutes</option>
+                    <option value="1h">1 hour</option>
+                    <option value="4h">4 hours</option>
+                    <option value="12h">12 hours</option>
+                    <option value="24h">24 hours</option>
+                    <option value="1w">1 week</option>
+                    <option value="2w">2 weeks</option>
+                    <option value="1mo">1 month</option>
+                    <option value="3mo">3 months</option>
+                    <option value="6mo">6 months</option>
+                  </select>
+                  <i class="fas fa-chevron-down absolute right-3 top-1/2 -translate-y-1/2 text-slate-400 text-xs pointer-events-none"></i>
+                </div>
+              </div>
+            </div>
+
+            <div id="treeSection">
+              <h4 class="font-medium text-slate-900 mb-2">MCP Access Tree</h4>
+              <p class="text-xs text-slate-500 mb-2">Use 3-state policy for each item: Inherit, Allow, Deny.</p>
+              <div id="mcpTree" class="max-h-[28rem] overflow-auto border border-slate-200 rounded-lg p-3 space-y-3 bg-white"></div>
+            </div>
+
+            <div class="relative">
+              <textarea id="generatedToken" rows="4" class="input w-full font-mono text-xs resize-none pr-12 pt-3" placeholder="Generated token will appear here." readonly></textarea>
+              <button
+                id="copyTokenBtn"
+                type="button"
+                class="absolute right-3 top-3 h-8 w-8 rounded-md border border-slate-200 text-slate-600 hover:border-blue-400 hover:text-blue-600 disabled:opacity-50 disabled:cursor-not-allowed"
+                title="Copy token"
+                aria-label="Copy token"
+                disabled
+              >
+                <i class="fas fa-copy text-sm"></i>
+              </button>
+            </div>
+            <p id="tokenMeta" class="text-xs text-slate-500"></p>
+          </section>
+
+          <section class="card p-6">
+            <div class="flex items-center justify-between mb-4">
+              <h3 class="text-lg font-semibold text-slate-900">Existing Tokens</h3>
+              <button id="refreshTokensBtn" class="px-3 py-2 rounded-lg border border-slate-200 text-slate-700 hover:border-blue-400 hover:text-blue-600 text-sm">Refresh</button>
+            </div>
+            <div id="tokenTableWrap" class="overflow-x-auto"></div>
+          </section>
+          </div>
+
+          <div id="policyTabPanel" class="p-5 space-y-6 hidden">
+            <section class="card p-6 space-y-5">
+            <div class="flex items-center justify-between">
+              <h3 class="text-lg font-semibold text-slate-900">Token Requirement Policy</h3>
+              <button id="saveTokenPolicyBtn" class="bg-blue-600 hover:bg-blue-700 text-white rounded-lg px-4 py-2 text-sm font-medium">Save Policy</button>
+            </div>
+            <p class="text-xs text-slate-500">Configure where token is required: Application, User, MCP Server, and Tool level.</p>
+            <div id="tokenPolicyTree" class="max-h-[28rem] overflow-auto border border-slate-200 rounded-lg p-3 space-y-3 bg-white"></div>
+            </section>
+          </div>
+        </div>
+        </section>
+      </div>
+    </main>
+  </div>
+
+  <div id="tokenModalOverlay" class="fixed inset-0 bg-slate-900/50 backdrop-blur-sm z-[70] hidden"></div>
+  <div id="tokenModal" class="fixed inset-0 z-[80] hidden flex items-center justify-center p-4">
+    <div class="w-full max-w-2xl bg-white rounded-xl border border-slate-200 shadow-2xl">
+      <div class="px-5 py-4 border-b border-slate-200 flex items-center justify-between">
+        <h3 class="text-base font-semibold text-slate-900">Token</h3>
+        <button id="closeTokenModalBtn" class="h-8 w-8 inline-flex items-center justify-center rounded-md border border-slate-200 text-slate-600 hover:border-slate-300 hover:text-slate-800" title="Close">
+          <i class="fas fa-times text-sm"></i>
+        </button>
+      </div>
+      <div class="p-5 space-y-3">
+        <div class="relative">
+          <textarea id="tokenModalValue" rows="5" class="input w-full font-mono text-xs resize-none pr-24 pt-3" readonly></textarea>
+          <div class="absolute right-3 top-3 flex items-center gap-2">
+            <button id="toggleTokenMaskBtn" class="h-8 w-8 rounded-md border border-slate-200 text-slate-600 hover:border-blue-400 hover:text-blue-600" title="Show / Hide Token">
+              <i id="toggleTokenMaskIcon" class="fas fa-eye text-sm"></i>
+            </button>
+            <button id="copyTokenModalBtn" class="h-8 w-8 rounded-md border border-slate-200 text-slate-600 hover:border-blue-400 hover:text-blue-600" title="Copy Token">
+              <i class="fas fa-copy text-sm"></i>
+            </button>
+          </div>
+        </div>
+        <p id="tokenModalMeta" class="text-xs text-slate-500"></p>
+      </div>
+    </div>
+  </div>
+
+  <script src="logger.js"></script>
+  <script src="shared.js"></script>
+  <script src="sidebar.js"></script>
+  <script>
+    let authContext = { users: [], servers: [] };
+    let tokenPolicyState = {
+      globalRequireMcpToken: true,
+      userRules: {},
+      serverRules: {},
+      toolRules: {}
+    };
+    let tokenModalRawValue = '';
+    let tokenModalMasked = true;
+    let isSaasMode = false;
+
+    function byId(id) { return document.getElementById(id); }
+    function setAuthorizationTab(tab) {
+      if (isSaasMode && tab === 'policy') {
+        tab = 'token';
+      }
+      const isToken = tab === 'token';
+      byId('tokenTabPanel')?.classList.toggle('hidden', !isToken);
+      byId('policyTabPanel')?.classList.toggle('hidden', isToken);
+
+      const tabToken = byId('tabToken');
+      const tabPolicy = byId('tabPolicy');
+      if (tabToken) {
+        tabToken.className = isToken
+        ? 'px-4 py-2.5 rounded-t-lg text-sm font-semibold border border-slate-200 border-b-white bg-white text-slate-900 -mb-px'
+        : 'px-4 py-2.5 rounded-t-lg text-sm font-semibold border border-transparent text-slate-600 hover:text-blue-700 hover:bg-white/70';
+      }
+      if (tabPolicy && !isSaasMode) {
+        tabPolicy.className = !isToken
+          ? 'px-4 py-2.5 rounded-t-lg text-sm font-semibold border border-slate-200 border-b-white bg-white text-slate-900 -mb-px'
+          : 'px-4 py-2.5 rounded-t-lg text-sm font-semibold border border-transparent text-slate-600 hover:text-blue-700 hover:bg-white/70';
+      }
+    }
+
+    function applyAuthorizationMode(configData) {
+      const deployMode = String(configData?.deployMode || '').trim().toUpperCase();
+      isSaasMode = configData?.isSaasMode === true;
+      const tabPolicy = byId('tabPolicy');
+      const policyPanel = byId('policyTabPanel');
+      if (isSaasMode) {
+        tabPolicy?.classList.add('hidden');
+        policyPanel?.classList.add('hidden');
+        setAuthorizationTab('token');
+      } else {
+        tabPolicy?.classList.remove('hidden');
+      }
+    }
+
+    function refreshCopyButtonState() {
+      const btn = byId('copyTokenBtn');
+      const token = byId('generatedToken').value.trim();
+      btn.disabled = token.length === 0;
+    }
+
+    function normalizeTriStateValue(value) {
+      if (value === 'allow') return true;
+      if (value === 'deny') return false;
+      return null;
+    }
+
+    function maskTokenValue(token) {
+      const value = String(token || '');
+      if (!value) return '';
+      if (value.length <= 8) return '•'.repeat(value.length);
+      return `${value.slice(0, 4)}${'•'.repeat(Math.max(8, value.length - 8))}${value.slice(-4)}`;
+    }
+
+    function renderTokenModalValue() {
+      byId('tokenModalValue').value = tokenModalMasked ? maskTokenValue(tokenModalRawValue) : tokenModalRawValue;
+      byId('toggleTokenMaskIcon').className = tokenModalMasked ? 'fas fa-eye text-sm' : 'fas fa-eye-slash text-sm';
+    }
+
+    function openTokenModal(token, metaText = '') {
+      tokenModalRawValue = String(token || '');
+      tokenModalMasked = true;
+      renderTokenModalValue();
+      byId('tokenModalMeta').textContent = metaText || '';
+      byId('tokenModalOverlay').classList.remove('hidden');
+      byId('tokenModal').classList.remove('hidden');
+    }
+
+    function closeTokenModal() {
+      byId('tokenModalOverlay').classList.add('hidden');
+      byId('tokenModal').classList.add('hidden');
+    }
+
+    function collectTriStateRules(selector, attrName) {
+      const out = {};
+      document.querySelectorAll(selector).forEach((el) => {
+        const id = el.getAttribute(attrName);
+        if (!id) return;
+        out[id] = normalizeTriStateValue(el.value);
+      });
+      return out;
+    }
+
+    function triFromValue(value) {
+      if (value === 'allow') return true;
+      if (value === 'deny') return false;
+      return null;
+    }
+
+    function resolveTriValue(...values) {
+      for (const value of values) {
+        if (value === true || value === false) return value;
+      }
+      return null;
+    }
+
+    function serverOwnerFromId(serverId) {
+      const idx = String(serverId || '').indexOf('__');
+      if (idx <= 0) return '';
+      return String(serverId).slice(0, idx);
+    }
+
+    function getMcpDisplayName(server) {
+      const id = String(server?.id || '');
+      const rawName = String(server?.name || id || '');
+      const owner = serverOwnerFromId(id);
+      if (owner && rawName.startsWith(`${owner}__`)) return rawName.slice(owner.length + 2);
+      if (rawName.includes('__')) return rawName.split('__').slice(-1)[0];
+      return rawName;
+    }
+
+    function getMcpTypeIcon(type) {
+      const t = String(type || '').toLowerCase();
+      if (['mysql', 'postgresql', 'postgres', 'mssql', 'oracle', 'sqlite', 'mongodb', 'database'].includes(t)) return 'fa-database';
+      if (t === 'webpage' || t === 'webhook') return 'fa-rocket';
+      if (['rest', 'graphql', 'soap', 'rss', 'curl'].includes(t)) return 'fa-globe';
+      if (['docker', 'kubernetes', 'openshift', 'elasticsearch', 'opensearch', 'prometheus', 'grafana'].includes(t)) return 'fa-cubes';
+      if (['slack', 'discord', 'telegram', 'whatsappbusiness', 'x', 'facebook', 'instagram', 'tiktok', 'linkedin', 'reddit', 'youtube', 'threads'].includes(t)) return 'fa-comments';
+      if (['openai', 'claude', 'gemini', 'grok', 'falai', 'huggingface', 'llama', 'deepseek', 'azureopenai', 'mistral', 'cohere', 'perplexity', 'together', 'fireworks', 'groq', 'openrouter'].includes(t)) return 'fa-brain';
+      if (t === 'ftp' || t === 'localfs') return 'fa-folder-open';
+      return 'fa-server';
+    }
+
+    function renderUsers() {
+      const select = byId('subjectUserSelect');
+      const prev = select.value;
+      const options = (authContext.users || []).map((u) => `<option value="${u.username}">${u.username} (${u.role})</option>`);
+      select.innerHTML = options.join('');
+      if (prev && Array.from(select.options).some((o) => o.value === prev)) {
+        select.value = prev;
+      }
+    }
+
+    function renderTree() {
+      const root = byId('mcpTree');
+      const selectedSubjectUser = byId('subjectUserSelect').value || '';
+      const users = authContext.users || [];
+      const servers = authContext.servers || [];
+      const grouped = users.map((u) => ({
+        username: u.username,
+        role: u.role,
+        servers: servers.filter((s) => serverOwnerFromId(s.id) === u.username)
+      }));
+      const matchedCount = grouped.reduce((acc, item) => acc + (item.servers || []).length, 0);
+      if (matchedCount === 0 && selectedSubjectUser) {
+        const idx = grouped.findIndex((g) => g.username === selectedSubjectUser);
+        if (idx >= 0) grouped[idx].servers = servers;
+      }
+
+      root.innerHTML = `
+        <div class="border border-slate-200 rounded-lg bg-slate-50/50">
+          <div class="px-3 py-2 border-b border-slate-200 text-sm font-semibold text-slate-800 flex items-center gap-2">
+            <select id="rootMcpRule" class="h-7 text-xs border border-slate-300 rounded px-1 bg-white">
+              <option value="inherit" selected>Inherit</option>
+              <option value="allow">Allow</option>
+              <option value="deny">Deny</option>
+            </select>
+            <span class="flex items-center gap-2">
+              <i class="fas fa-sitemap text-slate-500"></i>
+              <span>MCP Servers</span>
+            </span>
+          </div>
+          <div class="p-2 space-y-2">
+            ${grouped.map((g) => `
+              <details class="border border-slate-200 rounded-md bg-white" open>
+                <summary class="cursor-pointer px-3 py-2 text-sm font-medium text-slate-800 flex items-center gap-2">
+                  <select data-user-rule="${g.username}" class="h-7 text-xs border border-slate-300 rounded px-1 bg-white">
+                    <option value="inherit" selected>Inherit</option>
+                    <option value="allow">Allow</option>
+                    <option value="deny">Deny</option>
+                  </select>
+                  <span class="flex items-center gap-2">
+                    <i class="fas fa-user text-slate-500"></i>
+                    <span>${g.username}</span>
+                    <span class="text-[11px] text-slate-500">(${g.role})</span>
+                  </span>
+                </summary>
+                <div class="px-3 pb-3 space-y-2">
+                  ${(g.servers || []).map((s) => `
+                    <details class="border border-slate-200 rounded-md bg-slate-50/50">
+                      <summary class="cursor-pointer px-3 py-2 text-sm font-medium text-slate-800 flex items-center gap-2">
+                        <select data-server-rule="${s.id}" data-owner="${g.username}" class="h-7 text-xs border border-slate-300 rounded px-1 bg-white mr-1">
+                          <option value="inherit" selected>Inherit</option>
+                          <option value="allow">Allow</option>
+                          <option value="deny">Deny</option>
+                        </select>
+                        <span class="inline-flex items-center gap-2">
+                          <i class="fas ${getMcpTypeIcon(s.type)} text-slate-500"></i>
+                          <span>${getMcpDisplayName(s)}</span>
+                        </span>
+                      </summary>
+                      <div class="px-3 pb-3 grid grid-cols-1 md:grid-cols-2 gap-3">
+                        <div>
+                          <div class="text-xs font-semibold text-slate-600 mb-2">Tools</div>
+                          <div class="space-y-1 max-h-40 overflow-auto">
+                            ${(s.tools || []).map((id) => `
+                              <label class="inline-flex items-center gap-2 text-xs text-slate-700 w-full justify-between">
+                                <span class="font-mono truncate">${id.split('__').slice(-1)[0]}</span>
+                                <select data-tool-rule="${id}" data-server-id="${s.id}" class="h-6 text-[11px] border border-slate-300 rounded px-1 bg-white">
+                                  <option value="inherit" selected>Inherit</option>
+                                  <option value="allow">Allow</option>
+                                  <option value="deny">Deny</option>
+                                </select>
+                              </label>
+                            `).join('') || '<p class="text-xs text-slate-400">No tools</p>'}
+                          </div>
+                        </div>
+                        <div>
+                          <div class="text-xs font-semibold text-slate-600 mb-2">Resources</div>
+                          <div class="space-y-1 max-h-40 overflow-auto">
+                            ${(s.resources || []).map((id) => `
+                              <label class="inline-flex items-center gap-2 text-xs text-slate-700 w-full justify-between">
+                                <span class="font-mono truncate">${id.split('__').slice(-1)[0]}</span>
+                                <select data-resource-rule="${id}" data-server-id="${s.id}" class="h-6 text-[11px] border border-slate-300 rounded px-1 bg-white">
+                                  <option value="inherit" selected>Inherit</option>
+                                  <option value="allow">Allow</option>
+                                  <option value="deny">Deny</option>
+                                </select>
+                              </label>
+                            `).join('') || '<p class="text-xs text-slate-400">No resources</p>'}
+                          </div>
+                        </div>
+                      </div>
+                    </details>
+                  `).join('') || '<p class="text-xs text-slate-400 px-1 py-2">No servers for this user</p>'}
+                </div>
+              </details>
+            `).join('')}
+          </div>
+        </div>
+      `;
+
+      root.querySelectorAll('select[data-user-rule]').forEach((el) => {
+        el.addEventListener('change', (event) => {
+          const username = event.target.getAttribute('data-user-rule');
+          const value = event.target.value;
+          root.querySelectorAll(`select[data-server-rule][data-owner="${username}"]`).forEach((item) => {
+            if (item.value === 'inherit') item.value = value;
+          });
+        });
+      });
+
+      root.querySelectorAll('select[data-server-rule]').forEach((el) => {
+        el.addEventListener('change', (event) => {
+          const serverId = event.target.getAttribute('data-server-rule');
+          const value = event.target.value;
+          root.querySelectorAll(`select[data-tool-rule][data-server-id="${serverId}"], select[data-resource-rule][data-server-id="${serverId}"]`).forEach((item) => {
+            if (item.value === 'inherit') item.value = value;
+          });
+        });
+      });
+
+      const rootRule = byId('rootMcpRule');
+      if (rootRule) {
+        rootRule.addEventListener('change', (event) => {
+          const value = event.target.value;
+          root.querySelectorAll('select[data-user-rule], select[data-server-rule], select[data-tool-rule], select[data-resource-rule]').forEach((item) => {
+            if (item.value === 'inherit') item.value = value;
+          });
+        });
+      }
+    }
+
+    function computeEffectiveRules() {
+      const tree = byId('mcpTree');
+      const rootRule = triFromValue(byId('rootMcpRule')?.value || 'inherit');
+      const userRuleMap = {};
+
+      tree.querySelectorAll('select[data-user-rule]').forEach((el) => {
+        const username = el.getAttribute('data-user-rule');
+        if (!username) return;
+        userRuleMap[username] = triFromValue(el.value);
+      });
+
+      const serverRules = {};
+      tree.querySelectorAll('select[data-server-rule]').forEach((el) => {
+        const serverId = el.getAttribute('data-server-rule');
+        if (!serverId) return;
+        const owner = el.getAttribute('data-owner') || serverOwnerFromId(serverId);
+        const local = triFromValue(el.value);
+        serverRules[serverId] = resolveTriValue(local, userRuleMap[owner], rootRule);
+      });
+
+      const toolRules = {};
+      tree.querySelectorAll('select[data-tool-rule]').forEach((el) => {
+        const id = el.getAttribute('data-tool-rule');
+        if (!id) return;
+        const serverId = el.getAttribute('data-server-id') || '';
+        const owner = serverOwnerFromId(serverId);
+        const local = triFromValue(el.value);
+        toolRules[id] = resolveTriValue(local, serverRules[serverId], userRuleMap[owner], rootRule);
+      });
+
+      const resourceRules = {};
+      tree.querySelectorAll('select[data-resource-rule]').forEach((el) => {
+        const id = el.getAttribute('data-resource-rule');
+        if (!id) return;
+        const serverId = el.getAttribute('data-server-id') || '';
+        const owner = serverOwnerFromId(serverId);
+        const local = triFromValue(el.value);
+        resourceRules[id] = resolveTriValue(local, serverRules[serverId], userRuleMap[owner], rootRule);
+      });
+
+      return { serverRules, toolRules, resourceRules };
+    }
+
+    function renderServers() {
+      renderTree();
+    }
+
+    function policyValueToSelect(value) {
+      if (value === true) return 'require';
+      if (value === false) return 'no-token';
+      return 'inherit';
+    }
+
+    function selectToPolicyValue(value) {
+      if (value === 'require') return true;
+      if (value === 'no-token') return false;
+      return null;
+    }
+
+    function renderTokenPolicyTree() {
+      const root = byId('tokenPolicyTree');
+      const users = authContext.users || [];
+      const servers = authContext.servers || [];
+      const grouped = users.map((u) => ({
+        username: u.username,
+        role: u.role,
+        servers: servers.filter((s) => serverOwnerFromId(s.id) === u.username)
+      }));
+
+      root.innerHTML = `
+        <div class="border border-slate-200 rounded-lg bg-slate-50/50">
+          <div class="px-3 py-2 border-b border-slate-200 text-sm font-semibold text-slate-800 flex items-center gap-2">
+            <select id="policyRootRule" class="h-7 text-xs border border-slate-300 rounded px-1 bg-white">
+              <option value="require" ${tokenPolicyState.globalRequireMcpToken ? 'selected' : ''}>Require Token</option>
+              <option value="no-token" ${tokenPolicyState.globalRequireMcpToken ? '' : 'selected'}>No Token</option>
+            </select>
+            <span class="flex items-center gap-2">
+              <i class="fas fa-globe text-slate-500"></i>
+              <span>Application (All MCP)</span>
+            </span>
+          </div>
+          <div class="p-2 space-y-2">
+            ${grouped.map((g) => `
+              <details class="border border-slate-200 rounded-md bg-white" open>
+                <summary class="cursor-pointer px-3 py-2 text-sm font-medium text-slate-800 flex items-center gap-2">
+                  <select data-policy-user="${g.username}" class="h-7 text-xs border border-slate-300 rounded px-1 bg-white">
+                    <option value="inherit" ${policyValueToSelect(tokenPolicyState.userRules[g.username]) === 'inherit' ? 'selected' : ''}>Inherit</option>
+                    <option value="require" ${policyValueToSelect(tokenPolicyState.userRules[g.username]) === 'require' ? 'selected' : ''}>Require Token</option>
+                    <option value="no-token" ${policyValueToSelect(tokenPolicyState.userRules[g.username]) === 'no-token' ? 'selected' : ''}>No Token</option>
+                  </select>
+                  <span class="flex items-center gap-2">
+                    <i class="fas fa-user text-slate-500"></i>
+                    <span>${g.username}</span>
+                    <span class="text-[11px] text-slate-500">(${g.role})</span>
+                  </span>
+                </summary>
+                <div class="px-3 pb-3 space-y-2">
+                  ${(g.servers || []).map((s) => `
+                    <details class="border border-slate-200 rounded-md bg-slate-50/50">
+                      <summary class="cursor-pointer px-3 py-2 text-sm font-medium text-slate-800 flex items-center gap-2">
+                        <select data-policy-server="${s.id}" data-owner="${g.username}" class="h-7 text-xs border border-slate-300 rounded px-1 bg-white mr-1">
+                          <option value="inherit" ${policyValueToSelect(tokenPolicyState.serverRules[s.id]) === 'inherit' ? 'selected' : ''}>Inherit</option>
+                          <option value="require" ${policyValueToSelect(tokenPolicyState.serverRules[s.id]) === 'require' ? 'selected' : ''}>Require Token</option>
+                          <option value="no-token" ${policyValueToSelect(tokenPolicyState.serverRules[s.id]) === 'no-token' ? 'selected' : ''}>No Token</option>
+                        </select>
+                        <span class="inline-flex items-center gap-2">
+                          <i class="fas ${getMcpTypeIcon(s.type)} text-slate-500"></i>
+                          <span>${getMcpDisplayName(s)}</span>
+                        </span>
+                      </summary>
+                      <div class="px-3 pb-3">
+                        <div class="text-xs font-semibold text-slate-600 mb-2">Tools</div>
+                        <div class="space-y-1 max-h-40 overflow-auto">
+                          ${(s.tools || []).map((id) => `
+                            <label class="inline-flex items-center gap-2 text-xs text-slate-700 w-full justify-between">
+                              <span class="font-mono truncate">${id.split('__').slice(-1)[0]}</span>
+                              <select data-policy-tool="${id}" data-server-id="${s.id}" class="h-6 text-[11px] border border-slate-300 rounded px-1 bg-white">
+                                <option value="inherit" ${policyValueToSelect(tokenPolicyState.toolRules[id]) === 'inherit' ? 'selected' : ''}>Inherit</option>
+                                <option value="require" ${policyValueToSelect(tokenPolicyState.toolRules[id]) === 'require' ? 'selected' : ''}>Require Token</option>
+                                <option value="no-token" ${policyValueToSelect(tokenPolicyState.toolRules[id]) === 'no-token' ? 'selected' : ''}>No Token</option>
+                              </select>
+                            </label>
+                          `).join('') || '<p class="text-xs text-slate-400">No tools</p>'}
+                        </div>
+                      </div>
+                    </details>
+                  `).join('') || '<p class="text-xs text-slate-400 px-1 py-2">No servers for this user</p>'}
+                </div>
+              </details>
+            `).join('')}
+          </div>
+        </div>
+      `;
+
+      root.querySelectorAll('select[data-policy-user]').forEach((el) => {
+        el.addEventListener('change', (event) => {
+          const username = event.target.getAttribute('data-policy-user');
+          const value = event.target.value;
+          root.querySelectorAll(`select[data-policy-server][data-owner="${username}"]`).forEach((item) => {
+            if (item.value === 'inherit') item.value = value;
+          });
+        });
+      });
+
+      root.querySelectorAll('select[data-policy-server]').forEach((el) => {
+        el.addEventListener('change', (event) => {
+          const serverId = event.target.getAttribute('data-policy-server');
+          const value = event.target.value;
+          root.querySelectorAll(`select[data-policy-tool][data-server-id="${serverId}"]`).forEach((item) => {
+            if (item.value === 'inherit') item.value = value;
+          });
+        });
+      });
+    }
+
+    function collectTokenPolicyPayload() {
+      const userRules = {};
+      const serverRules = {};
+      const toolRules = {};
+      const globalRequireMcpToken = byId('policyRootRule')?.value !== 'no-token';
+
+      byId('tokenPolicyTree').querySelectorAll('select[data-policy-user]').forEach((el) => {
+        const id = el.getAttribute('data-policy-user');
+        if (!id) return;
+        userRules[id] = selectToPolicyValue(el.value);
+      });
+      byId('tokenPolicyTree').querySelectorAll('select[data-policy-server]').forEach((el) => {
+        const id = el.getAttribute('data-policy-server');
+        if (!id) return;
+        serverRules[id] = selectToPolicyValue(el.value);
+      });
+      byId('tokenPolicyTree').querySelectorAll('select[data-policy-tool]').forEach((el) => {
+        const id = el.getAttribute('data-policy-tool');
+        if (!id) return;
+        toolRules[id] = selectToPolicyValue(el.value);
+      });
+
+      return { globalRequireMcpToken, userRules, serverRules, toolRules };
+    }
+
+    async function loadTokenPolicy() {
+      const res = await fetch('/api/authorization/token-policy');
+      if (!res.ok) throw new Error('Failed to load token policy');
+      const payload = await res.json();
+      tokenPolicyState = {
+        globalRequireMcpToken: payload?.data?.globalRequireMcpToken !== false,
+        userRules: payload?.data?.userRules || {},
+        serverRules: payload?.data?.serverRules || {},
+        toolRules: payload?.data?.toolRules || {}
+      };
+      renderTokenPolicyTree();
+    }
+
+    async function saveTokenPolicy() {
+      const body = collectTokenPolicyPayload();
+      const res = await fetch('/api/authorization/token-policy', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body)
+      });
+      const payload = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(payload?.error || 'Failed to save token policy');
+      tokenPolicyState = {
+        globalRequireMcpToken: payload?.data?.globalRequireMcpToken !== false,
+        userRules: payload?.data?.userRules || {},
+        serverRules: payload?.data?.serverRules || {},
+        toolRules: payload?.data?.toolRules || {}
+      };
+      renderTokenPolicyTree();
+    }
+
+    async function loadConfig() {
+      const res = await fetch('/api/authorization/config');
+      if (!res.ok) throw new Error('Failed to load config');
+      const payload = await res.json();
+      const data = payload?.data || {};
+      applyAuthorizationMode(data);
+      byId('authSummary').textContent = data.mcpTokenRequired
+        ? 'Create and manage access tokens to control which users can see and run MCP servers, tools, and resources.'
+        : 'You can optionally create access tokens to control who can use MCP servers, tools, and resources.';
+    }
+
+    async function loadContext() {
+      const res = await fetch('/api/authorization/context');
+      if (!res.ok) throw new Error('Failed to load context');
+      const payload = await res.json();
+      authContext = payload?.data || { users: [], servers: [] };
+      renderUsers();
+      renderServers();
+    }
+
+    async function loadTokens() {
+      const root = byId('tokenTableWrap');
+      root.innerHTML = '<p class="text-sm text-slate-500">Loading tokens...</p>';
+      const res = await fetch('/api/authorization/tokens');
+      if (!res.ok) throw new Error('Failed to load tokens');
+      const payload = await res.json();
+      const tokens = payload?.data?.tokens || [];
+      if (!tokens.length) {
+        root.innerHTML = '<p class="text-sm text-slate-500">No tokens found.</p>';
+        return;
+      }
+
+      root.innerHTML = `
+        <table class="min-w-full text-sm">
+          <thead><tr class="text-left border-b border-slate-200">
+            <th class="py-2 pr-4 font-semibold text-slate-700">Token Name</th>
+            <th class="py-2 pr-4 font-semibold text-slate-700">User</th>
+            <th class="py-2 pr-4 font-semibold text-slate-700">Created</th>
+            <th class="py-2 pr-4 font-semibold text-slate-700">Expires</th>
+            <th class="py-2 pr-4 font-semibold text-slate-700">Status</th>
+            <th class="py-2 pr-4 font-semibold text-slate-700">Action</th>
+          </tr></thead>
+          <tbody>
+            ${tokens.map((t) => `
+              <tr class="border-b border-slate-100">
+                <td class="py-2 pr-4">${t.tokenName || ''}</td>
+                <td class="py-2 pr-4">${t.subjectUsername}</td>
+                <td class="py-2 pr-4 text-slate-600">${t.createdAt || '-'}</td>
+                <td class="py-2 pr-4 text-slate-600">${t.neverExpires ? 'Never' : (t.expiresAt || '-')}</td>
+                <td class="py-2 pr-4">
+                  <span class="px-2 py-1 rounded-full text-xs font-semibold ${t.revokedAt ? 'bg-red-100 text-red-700' : 'bg-emerald-100 text-emerald-700'}">${t.revokedAt ? 'Revoked' : 'Active'}</span>
+                </td>
+                <td class="py-2 pr-4 space-x-2">
+                  <button class="show-token-btn px-2 py-1 rounded border border-slate-200 hover:border-blue-400 text-xs" data-id="${t.id}">Show Token</button>
+                  ${t.revokedAt ? '' : `<button class="revoke-token-btn px-2 py-1 rounded border border-red-200 text-red-700 hover:bg-red-50 text-xs" data-id="${t.id}">Revoke</button>`}
+                </td>
+              </tr>
+            `).join('')}
+          </tbody>
+        </table>
+      `;
+
+      root.querySelectorAll('.show-token-btn').forEach((btn) => {
+        btn.addEventListener('click', async (event) => {
+          const id = event.target.getAttribute('data-id');
+          const resp = await fetch(`/api/authorization/tokens/${encodeURIComponent(id)}`);
+          if (!resp.ok) throw new Error('Failed to load token');
+          const tokenPayload = await resp.json();
+          const data = tokenPayload?.data || {};
+          openTokenModal(
+            data.token || '',
+            data.neverExpires ? 'Never expires' : `Expires: ${data.expiresAt || '-'}`
+          );
+        });
+      });
+
+      root.querySelectorAll('.revoke-token-btn').forEach((btn) => {
+        btn.addEventListener('click', async (event) => {
+          const id = event.target.getAttribute('data-id');
+          const resp = await fetch(`/api/authorization/tokens/${encodeURIComponent(id)}`, { method: 'DELETE' });
+          if (!resp.ok) throw new Error('Failed to revoke token');
+          await loadTokens();
+          window.utils?.showToast?.('Token revoked', 'success');
+        });
+      });
+    }
+
+    async function generateToken() {
+      const subjectUsername = byId('subjectUserSelect').value;
+      const tokenName = byId('tokenName').value.trim();
+      if (!tokenName) {
+        throw new Error('Token name is required');
+      }
+      const ttlPreset = byId('tokenTtlPreset').value;
+      const neverExpires = ttlPreset === 'never';
+      const presetToHours = {
+        '1m': 1 / 60,
+        '5m': 5 / 60,
+        '15m': 15 / 60,
+        '30m': 30 / 60,
+        '1h': 1,
+        '4h': 4,
+        '12h': 12,
+        '24h': 24,
+        '1w': 24 * 7,
+        '2w': 24 * 14,
+        '1mo': 24 * 30,
+        '3mo': 24 * 90,
+        '6mo': 24 * 180
+      };
+      const ttlHours = neverExpires ? null : (presetToHours[ttlPreset] || 24 * 30);
+      const { serverRules, toolRules, resourceRules } = computeEffectiveRules();
+
+      const res = await fetch('/api/authorization/mcp-token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          tokenName,
+          subjectUsername,
+          neverExpires,
+          ttlHours,
+          serverRules,
+          toolRules,
+          resourceRules
+        })
+      });
+      const payload = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(payload?.error || 'Failed to generate token');
+
+      byId('generatedToken').value = payload?.data?.token || '';
+      byId('tokenMeta').textContent = payload?.data?.neverExpires
+        ? 'Never expires'
+        : `Expires: ${payload?.data?.expiresAt || '-'}`;
+      refreshCopyButtonState();
+      await loadTokens();
+    }
+
+    byId('generateTokenBtn').addEventListener('click', () => {
+      generateToken().catch((error) => window.utils?.showToast?.(error.message || 'Failed to generate token', 'error'));
+    });
+    byId('refreshTokensBtn').addEventListener('click', () => {
+      loadTokens().catch((error) => window.utils?.showToast?.(error.message || 'Failed to load tokens', 'error'));
+    });
+    byId('saveTokenPolicyBtn').addEventListener('click', () => {
+      saveTokenPolicy()
+        .then(() => window.utils?.showToast?.('Token policy saved', 'success'))
+        .catch((error) => window.utils?.showToast?.(error.message || 'Failed to save token policy', 'error'));
+    });
+    byId('tabToken').addEventListener('click', () => setAuthorizationTab('token'));
+    byId('tabPolicy')?.addEventListener('click', () => {
+      if (isSaasMode) return;
+      setAuthorizationTab('policy');
+    });
+    byId('subjectUserSelect').addEventListener('change', renderTree);
+    byId('copyTokenBtn').addEventListener('click', async () => {
+      const token = byId('generatedToken').value.trim();
+      if (!token) return;
+      try {
+        await navigator.clipboard.writeText(token);
+        window.utils?.showToast?.('Token copied', 'success');
+      } catch (_) {
+        window.utils?.showToast?.('Failed to copy token', 'error');
+      }
+    });
+    byId('closeTokenModalBtn').addEventListener('click', closeTokenModal);
+    byId('tokenModalOverlay').addEventListener('click', closeTokenModal);
+    byId('toggleTokenMaskBtn').addEventListener('click', () => {
+      tokenModalMasked = !tokenModalMasked;
+      renderTokenModalValue();
+    });
+    byId('copyTokenModalBtn').addEventListener('click', async () => {
+      const token = tokenModalRawValue.trim();
+      if (!token) return;
+      try {
+        await navigator.clipboard.writeText(token);
+        window.utils?.showToast?.('Token copied', 'success');
+      } catch (_) {
+        window.utils?.showToast?.('Failed to copy token', 'error');
+      }
+    });
+    document.addEventListener('keydown', (event) => {
+      if (event.key === 'Escape' && !byId('tokenModal').classList.contains('hidden')) {
+        closeTokenModal();
+      }
+    });
+
+    document.addEventListener('DOMContentLoaded', async () => {
+      try {
+        setAuthorizationTab('token');
+        await loadConfig();
+        await loadContext();
+        if (!isSaasMode) {
+          await loadTokenPolicy();
+        }
+        await loadTokens();
+        refreshCopyButtonState();
+      } catch (error) {
+        window.utils?.showToast?.(error.message || 'Authorization page failed to load', 'error');
+      }
+    });
+  </script>
+</body>
+</html>