fix(mcp): scope auth status to server URL (#33924)

This commit is contained in:
Aiden Cline 2026-06-25 16:26:00 -05:00 committed by GitHub
parent 21c0e03a70
commit 3fbc005f26
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 49 additions and 21 deletions

View file

@ -669,14 +669,20 @@ export const McpDebugCommand = effectCmd({
const config = yield* Config.Service.use((cfg) => cfg.get())
const mcp = yield* MCP.Service
const auth = yield* McpAuth.Service
const serverConfig = config.mcp?.[args.name]
const authInfo =
serverConfig && isMcpRemote(serverConfig) && serverConfig.oauth !== false
? yield* Effect.all({
authStatus: mcp.getAuthStatus(args.name),
entry: auth.get(args.name),
})
: undefined
yield* Effect.promise(async () => {
UI.empty()
prompts.intro("MCP OAuth Debug")
const mcpServers = config.mcp ?? {}
const serverName = args.name
const serverConfig = mcpServers[serverName]
if (!serverConfig) {
prompts.log.error(`MCP server not found: ${serverName}`)
prompts.outro("Done")
@ -698,13 +704,7 @@ export const McpDebugCommand = effectCmd({
prompts.log.info(`Server: ${serverName}`)
prompts.log.info(`URL: ${serverConfig.url}`)
// Check stored auth status — services already in hand, run inline.
const { authStatus, entry } = await Effect.runPromise(
Effect.all({
authStatus: mcp.getAuthStatus(serverName),
entry: auth.get(serverName),
}),
)
const { authStatus, entry } = authInfo!
prompts.log.info(`Auth status: ${getAuthStatusIcon(authStatus)} ${getAuthStatusText(authStatus)}`)
if (entry?.tokens) {

View file

@ -50,7 +50,6 @@ export interface Interface {
readonly updateOAuthState: (mcpName: string, oauthState: string) => Effect.Effect<void>
readonly getOAuthState: (mcpName: string) => Effect.Effect<string | undefined>
readonly clearOAuthState: (mcpName: string) => Effect.Effect<void>
readonly isTokenExpired: (mcpName: string) => Effect.Effect<boolean | null>
}
export class Service extends Context.Service<Service, Interface>()("@opencode/McpAuth") {}
@ -142,13 +141,6 @@ export const layer = Layer.effect(
return entry?.oauthState
})
const isTokenExpired = Effect.fn("McpAuth.isTokenExpired")(function* (mcpName: string) {
const entry = yield* get(mcpName)
if (!entry?.tokens) return null
if (!entry.tokens.expiresAt) return false
return entry.tokens.expiresAt < Date.now() / 1000
})
return Service.of({
all,
get,
@ -162,7 +154,6 @@ export const layer = Layer.effect(
updateOAuthState,
getOAuthState,
clearOAuthState,
isTokenExpired,
})
}),
)

View file

@ -963,10 +963,15 @@ export const layer = Layer.effect(
})
const getAuthStatus = Effect.fn("MCP.getAuthStatus")(function* (mcpName: string) {
const entry = yield* auth.get(mcpName)
const runtimeConfig = (yield* InstanceState.has(state))
? (yield* InstanceState.get(state)).config[mcpName]
: undefined
const mcpConfig = runtimeConfig ?? (yield* cfgSvc.get()).mcp?.[mcpName]
if (!mcpConfig || !isMcpConfigured(mcpConfig) || mcpConfig.type !== "remote") return "not_authenticated"
const entry = yield* auth.getForUrl(mcpName, mcpConfig.url)
if (!entry?.tokens) return "not_authenticated"
const expired = yield* auth.isTokenExpired(mcpName)
return expired ? "expired" : "authenticated"
if (entry.tokens.expiresAt && entry.tokens.expiresAt < Date.now() / 1000) return "expired"
return "authenticated"
})
return Service.of({

View file

@ -227,6 +227,38 @@ mcpTest.instance("state() returns existing state when one is saved", () =>
}),
)
mcpTest.instance(
"auth status only reports credentials stored for the configured server URL",
() =>
Effect.gen(function* () {
const mcp = yield* MCP.Service
expect(transportCalls).toHaveLength(0)
yield* McpAuth.use.updateTokens(
"test-status-url",
{ accessToken: "old-token" },
"https://old.example.com/mcp",
)
expect(yield* mcp.getAuthStatus("test-status-url")).toBe("not_authenticated")
yield* McpAuth.use.updateTokens(
"test-status-url",
{ accessToken: "current-token" },
"https://example.com/mcp",
)
expect(yield* mcp.getAuthStatus("test-status-url")).toBe("authenticated")
yield* McpAuth.use.updateTokens(
"test-status-url",
{ accessToken: "expired-token", expiresAt: 1 },
"https://example.com/mcp",
)
expect(yield* mcp.getAuthStatus("test-status-url")).toBe("expired")
expect(transportCalls).toHaveLength(0)
}),
{ config: config("test-status-url") },
)
mcpTest.instance(
"authenticate() stores a connected client when auth completes without redirect",
() =>