vrr/qwen-code
2
0
Fork 0
mirror of https://github.com/QwenLM/qwen-code.git synced 2026-05-02 21:50:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(mcp): clear OAuth callback timeout on all completion paths

Browse source 
The 5-minute timeout set in startCallbackServer was never cleared when
the OAuth flow completed. The timer would fire later, calling reject()
on a settled promise and server.close() on an already-closed server.
Now clears the timeout before every resolve() and reject() call.
This commit is contained in:
chinesepowered 2026-04-04 14:50:02 -07:00
parent 3bce84d5da
commit 86447064ca
1 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
packages/core/src/mcp/oauth-provider.ts
View file

@ -261,6 +261,10 @@ export class MCPOAuthProvider {
</html>
`);
activeCallbackServer = null;
if (activeCallbackTimeout) {
clearTimeout(activeCallbackTimeout);
activeCallbackTimeout = null;
}
server.close();
reject(new Error(`OAuth error: ${error}`));
return;
@ -276,6 +280,10 @@ export class MCPOAuthProvider {
res.writeHead(400);
res.end('Invalid state parameter');
activeCallbackServer = null;
if (activeCallbackTimeout) {
clearTimeout(activeCallbackTimeout);
activeCallbackTimeout = null;
}
server.close();
reject(new Error('State mismatch - possible CSRF attack'));
return;
@ -294,10 +302,18 @@ export class MCPOAuthProvider {
`);
activeCallbackServer = null;
if (activeCallbackTimeout) {
clearTimeout(activeCallbackTimeout);
activeCallbackTimeout = null;
}
server.close();
resolve({ code, state });
} catch (error) {
activeCallbackServer = null;
if (activeCallbackTimeout) {
clearTimeout(activeCallbackTimeout);
activeCallbackTimeout = null;
}
server.close();
reject(error);
}