feat: setup-dot-and-metadata-endpoint

[Zaimwa9]

Thanks for submitting a PR! Please check the boxes below:

• I have read the Contributing Guide.
• I have added information to docs/ if required so people know about the feature.
• I have filled in the "Changes" section below.
• I have filled in the "How did you test this code" section below.

Changes

Contributes to #7032

• Add django-oauth-toolkit as a dependency
• Add oauth2_provider to INSTALLED_APPS and OAuth2Authentication to DRF authentication classes
• Configure OAUTH2_PROVIDER settings: 15min access tokens, 30-day rotating refresh tokens, PKCE S256 mandatory, mcp scope
• Add FLAGSMITH_API_URL and FLAGSMITH_FRONTEND_URL environment variables (for self-hosted)
• Expose DOT endpoints under /o/ (authorize, token, revoke, introspect)
• Add GET /.well-known/oauth-authorization-server metadata endpoint (RFC 8414)
• Add daily cleartokens recurring task to clear expired OAuth2 tokens

🟢 Includes a Node.js test server (node auth2_test_server.mjs) to test e2e => http://localhost:3000

How did you test this code?

• New tests
• curl http://localhost:8000/.well-known/oauth-authorization-server
• Manual e2e using node oauth2_test_server.mjs :
  a. Create a public OAuth application in Django admin at /admin/oauth2_provider/application/add_/
  (Authorization: code grant, redirect URI: http://localhost:3000/oauth/callback)
  b. Update CLIENT_ID in oauth2_test_server.mjs with the generated client ID
  c. Run the server and open http://localhost:3000
  d. Approve the authorisation, token is exchanged automatically
  You should receive a payload like:

{
  "access_token": "gC1lOUXpMv22K4L5mQipQE6SKzwBqA",
  "expires_in": 900,
  "token_type": "Bearer",
  "scope": "mcp",
  "refresh_token": "iRpml11oIDiuQXbNmkXE2jKB03bkal"
}

[claude]

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs	Ignored	Preview	Mar 27, 2026 4:51pm
flagsmith-frontend-preview	Ignored	Preview	Mar 27, 2026 4:51pm
flagsmith-frontend-staging	Ignored	Preview	Mar 27, 2026 4:51pm

[github-actions]

Docker builds report

Image	Build Status	Security report
ghcr.io/flagsmith/flagsmith-e2e:pr-7057	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-api-test:pr-7057	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-api:pr-7057	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-private-cloud:pr-7057	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith:pr-7057	Finished ✅	Results ✅

[Zaimwa9]

Reminder

[github-actions]

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 41.2 seconds
 eeb1584
 🔄 Run: #15519 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 28 seconds
 eeb1584
 🔄 Run: #15519 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 52.1 seconds
 e190637
 🔄 Run: #15518 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 23.6 seconds
 e330174
 🔄 Run: #15520 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 45 seconds
 e190637
 🔄 Run: #15518 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 1 minute, 1 second
 e190637
 🔄 Run: #15518 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 52.2 seconds
 e330174
 🔄 Run: #15520 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 58.9 seconds
 e330174
 🔄 Run: #15520 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 47.1 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 52 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 55.8 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 1 minute, 2 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 42.4 seconds
 262ebda
 🔄 Run: #15522 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 24.6 seconds
 1f0d84e
 🔄 Run: #15523 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 46.7 seconds
 262ebda
 🔄 Run: #15522 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 53.1 seconds
 1f0d84e
 🔄 Run: #15523 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 45 seconds
 262ebda
 🔄 Run: #15522 (attempt 1)

[github-actions]

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 42 seconds
 e190637
 🔄 Run: #15518 (attempt 1)

[codecov]

Codecov Report

❌ Patch coverage is 97.72727% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 98.25%. Comparing base (3f71f16) to head (1f0d84e).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
api/oauth2_metadata/authentication.py	87.50%	1 Missing ⚠️
api/oauth2_metadata/tasks.py	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7057      +/-   ##
==========================================
- Coverage   98.33%   98.25%   -0.09%     
==========================================
  Files        1337     1342       +5     
  Lines       50010    49936      -74     
==========================================
- Hits        49178    49064     -114     
- Misses        832      872      +40     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.