fix(backend/mcp): Add defensive validation for OAuth callback and token refresh

- Validate frontend_base_url in mcp_oauth_callback (matching login route)
- Validate mcp_token_url metadata before attempting token refresh

autogpt_platform/backend/backend/api/features/mcp/routes.py

@@ -309,6 +309,11 @@ async def mcp_oauth_callback(
 
     meta = valid_state.state_metadata
     frontend_base_url = settings.config.frontend_base_url
+    if not frontend_base_url:
+        raise fastapi.HTTPException(
+            status_code=500,
+            detail="Frontend base URL is not configured.",
+        )
     redirect_uri = f"{frontend_base_url}/auth/integrations/mcp_callback"
 
     handler = MCPOAuthHandler(

autogpt_platform/backend/backend/integrations/creds_manager.py

@@ -256,11 +256,17 @@ def create_mcp_oauth_handler(
     from backend.blocks.mcp.oauth import MCPOAuthHandler
 
     meta = credentials.metadata or {}
+    token_url = meta.get("mcp_token_url", "")
+    if not token_url:
+        raise ValueError(
+            f"MCP credential {credentials.id} is missing 'mcp_token_url' metadata; "
+            "cannot refresh tokens"
+        )
     return MCPOAuthHandler(
         client_id=meta.get("mcp_client_id", ""),
         client_secret=meta.get("mcp_client_secret", ""),
         redirect_uri="",  # Not needed for token refresh
         authorize_url="",  # Not needed for token refresh
-        token_url=meta.get("mcp_token_url", ""),
+        token_url=token_url,
         resource_url=meta.get("mcp_resource_url"),
     )