coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 5 additions & 2 deletions b/‎coderd/apidoc/docs.go
Lines changed: 5 additions & 2 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 5 additions & 2 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 5 additions & 2 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 5 additions & 2 deletions b/‎coderd/coderd.go
Lines changed: 5 additions & 2 deletions
diff --git a/‎coderd/httpmw/experiments.go
Lines changed: 44 additions & 6 deletions b/‎coderd/httpmw/experiments.go
Lines changed: 44 additions & 6 deletions
diff --git a/‎coderd/oauth2.go
Lines changed: 0 additions & 14 deletions b/‎coderd/oauth2.go
Lines changed: 0 additions & 14 deletions
diff --git a/‎codersdk/deployment.go
Lines changed: 25 additions & 7 deletions b/‎codersdk/deployment.go
Lines changed: 25 additions & 7 deletions
diff --git a/‎docs/reference/api/schemas.md
Lines changed: 1 addition & 0 deletions b/‎docs/reference/api/schemas.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎site/src/api/typesGenerated.ts
Lines changed: 2 additions & 0 deletions b/‎site/src/api/typesGenerated.ts
Lines changed: 2 additions & 0 deletions
@@ -922,7 +922,7 @@ func New(options *Options) *API {
 	// logging into Coder with an external OAuth2 provider.
 	r.Route("/oauth2", func(r chi.Router) {
 		r.Use(
-			api.oAuth2ProviderMiddleware,
+			httpmw.RequireExperimentWithDevBypass(api.Experiments, codersdk.ExperimentOAuth2),
 		)
 		r.Route("/authorize", func(r chi.Router) {
 			r.Use(
@@ -973,6 +973,9 @@ func New(options *Options) *API {
 			r.Get("/prompts", api.aiTasksPrompts)
 		})
 		r.Route("/mcp", func(r chi.Router) {
+			r.Use(
+				httpmw.RequireExperimentWithDevBypass(api.Experiments, codersdk.ExperimentOAuth2, codersdk.ExperimentMCPServerHTTP),
+			)
 			// MCP HTTP transport endpoint with mandatory authentication
 			r.Mount("/http", api.mcpHTTPHandler())
 		})
@@ -1473,7 +1476,7 @@ func New(options *Options) *API {
 		r.Route("/oauth2-provider", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				api.oAuth2ProviderMiddleware,
+				httpmw.RequireExperimentWithDevBypass(api.Experiments, codersdk.ExperimentOAuth2),
 			)
 			r.Route("/apps", func(r chi.Router) {
 				r.Get("/", api.oAuth2ProviderApps)
 
@@ -3,21 +3,59 @@ package httpmw
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
+	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/codersdk"
 )
 
-func RequireExperiment(experiments codersdk.Experiments, experiment codersdk.Experiment) func(next http.Handler) http.Handler {
+// RequireExperiment returns middleware that checks if all required experiments are enabled.
+// If any experiment is disabled, it returns a 403 Forbidden response with details about the missing experiments.
+func RequireExperiment(experiments codersdk.Experiments, requiredExperiments ...codersdk.Experiment) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if !experiments.Enabled(experiment) {
-				httpapi.Write(r.Context(), w, http.StatusForbidden, codersdk.Response{
-					Message: fmt.Sprintf("Experiment '%s' is required but not enabled", experiment),
-				})
-				return
+			for _, experiment := range requiredExperiments {
+				if !experiments.Enabled(experiment) {
+					var experimentNames []string
+					for _, exp := range requiredExperiments {
+						experimentNames = append(experimentNames, string(exp))
+					}
+
+					// Print a message that includes the experiment names
+					// even if some experiments are already enabled.
+					var message string
+					if len(requiredExperiments) == 1 {
+						message = fmt.Sprintf("%s functionality requires enabling the '%s' experiment.",
+							requiredExperiments[0].DisplayName(), requiredExperiments[0])
+					} else {
+						message = fmt.Sprintf("This functionality requires enabling the following experiments: %s",
+							strings.Join(experimentNames, ", "))
+					}
+
+					httpapi.Write(r.Context(), w, http.StatusForbidden, codersdk.Response{
+						Message: message,
+					})
+					return
+				}
 			}
+
 			next.ServeHTTP(w, r)
 		})
 	}
 }
+
+// RequireExperimentWithDevBypass checks if ALL the given experiments are enabled,
+// but bypasses the check in development mode (buildinfo.IsDev()).
+func RequireExperimentWithDevBypass(experiments codersdk.Experiments, requiredExperiments ...codersdk.Experiment) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if buildinfo.IsDev() {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			RequireExperiment(experiments, requiredExperiments...)(next).ServeHTTP(w, r)
+		})
+	}
+}
@@ -16,7 +16,6 @@ import (
 
 	"github.com/sqlc-dev/pqtype"
 
-	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
@@ -37,19 +36,6 @@ const (
 	displaySecretLength = 6  // Length of visible part in UI (last 6 characters)
 )
 
-func (api *API) oAuth2ProviderMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		if !api.Experiments.Enabled(codersdk.ExperimentOAuth2) && !buildinfo.IsDev() {
-			httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
-				Message: "OAuth2 provider functionality requires enabling the 'oauth2' experiment.",
-			})
-			return
-		}
-
-		next.ServeHTTP(rw, r)
-	})
-}
-
 // @Summary Get OAuth2 applications.
 // @ID get-oauth2-applications
 // @Security CoderSessionToken
 
@@ -3342,8 +3342,30 @@ const (
 	ExperimentWorkspaceUsage     Experiment = "workspace-usage"      // Enables the new workspace usage tracking.
 	ExperimentWebPush            Experiment = "web-push"             // Enables web push notifications through the browser.
 	ExperimentOAuth2             Experiment = "oauth2"               // Enables OAuth2 provider functionality.
+	ExperimentMCPServerHTTP      Experiment = "mcp-server-http"      // Enables the MCP HTTP server functionality.
 )
 
+func (e Experiment) DisplayName() string {
+	switch e {
+	case ExperimentExample:
+		return "Example Experiment"
+	case ExperimentAutoFillParameters:
+		return "Auto-fill Template Parameters"
+	case ExperimentNotifications:
+		return "SMTP and Webhook Notifications"
+	case ExperimentWorkspaceUsage:
+		return "Workspace Usage Tracking"
+	case ExperimentWebPush:
+		return "Browser Push Notifications"
+	case ExperimentOAuth2:
+		return "OAuth2 Provider Functionality"
+	case ExperimentMCPServerHTTP:
+		return "MCP HTTP Server Functionality"
+	default:
+		return string(e)
+	}
+}
+
 // ExperimentsKnown should include all experiments defined above.
 var ExperimentsKnown = Experiments{
 	ExperimentExample,
@@ -3352,6 +3374,7 @@ var ExperimentsKnown = Experiments{
 	ExperimentWorkspaceUsage,
 	ExperimentWebPush,
 	ExperimentOAuth2,
+	ExperimentMCPServerHTTP,
 }
 
 // ExperimentsSafe should include all experiments that are safe for
@@ -3369,14 +3392,9 @@ var ExperimentsSafe = Experiments{}
 // @typescript-ignore Experiments
 type Experiments []Experiment
 
-// Returns a list of experiments that are enabled for the deployment.
+// Enabled returns a list of experiments that are enabled for the deployment.
 func (e Experiments) Enabled(ex Experiment) bool {
-	for _, v := range e {
-		if v == ex {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(e, ex)
 }
 
 func (c *Client) Experiments(ctx context.Context) (Experiments, error) {