fix: reset auth coordinator state to prevent stale auth code reuse

geelen · geelen · commit 2246c51517aa · 2025-05-29T13:26:55.000+10:00
The issue was that when invalid_client errors occurred during token exchange,
the auth restart was using cached auth coordinator state with stale auth codes.

Changes:
- Add resetAuth() method to AuthCoordinator interface
- Implement auth state reset in createLazyAuthCoordinator
- Call resetAuth() before restarting auth flow on invalid_client errors
- Close existing auth server during reset to prevent port conflicts

This ensures fresh browser auth with new auth codes instead of reusing
stale ones that have already failed token exchange.
diff --git a/DEFENSIVE_AUTH_CHANGES.md b/DEFENSIVE_AUTH_CHANGES.md
@@ -62,9 +62,10 @@ When the scenario occurs again:
 2. Classifies this as `invalid_client` error
 3. Logs clear message about client registration being deleted
 4. Clears ALL stored auth data (tokens, client_info.json, code_verifier.txt)
-5. **Immediately starts fresh auth flow** (no manual restart required)
-6. Opens browser for new client registration and authentication
-7. Completes with working connection automatically
+5. **Resets auth coordinator state** to force fresh browser auth (no stale auth codes)
+6. **Immediately starts fresh auth flow** (no manual restart required)
+7. Opens NEW browser window for new client registration and authentication
+8. Completes with working connection automatically
 
 ## Testing
 
diff --git a/src/client.ts b/src/client.ts
@@ -88,6 +88,7 @@ async function runClient(
     return {
       waitForAuthCode: authState.waitForAuthCode,
       skipBrowserAuth: authState.skipBrowserAuth,
+      resetAuth: () => authCoordinator.resetAuth(),
     }
   }
 
diff --git a/src/lib/coordination.ts b/src/lib/coordination.ts
@@ -8,6 +8,7 @@ import { log, debugLog, DEBUG, setupOAuthCallbackServerWithLongPoll } from './ut
 
 export type AuthCoordinator = {
   initializeAuth: () => Promise<{ server: Server; waitForAuthCode: () => Promise<string>; skipBrowserAuth: boolean }>
+  resetAuth: () => void
 }
 
 /**
@@ -152,6 +153,19 @@ export function createLazyAuthCoordinator(serverUrlHash: string, callbackPort: n
       if (DEBUG) debugLog('Auth coordination completed', { skipBrowserAuth: authState.skipBrowserAuth })
       return authState
     },
+    resetAuth: () => {
+      if (DEBUG) debugLog('Resetting auth coordinator state')
+      if (authState) {
+        // Close the existing server if it exists
+        try {
+          authState.server.close()
+          if (DEBUG) debugLog('Closed existing auth server during reset')
+        } catch (error) {
+          if (DEBUG) debugLog('Error closing auth server during reset', error)
+        }
+      }
+      authState = null
+    },
   }
 }
 
diff --git a/src/lib/utils.ts b/src/lib/utils.ts
@@ -273,6 +273,7 @@ export function mcpProxy({ transportToClient, transportToServer }: { transportTo
 export type AuthInitializer = () => Promise<{
   waitForAuthCode: () => Promise<string>
   skipBrowserAuth: boolean
+  resetAuth: () => void
 }>
 
 /**
@@ -429,6 +430,11 @@ export async function connectToRemoteServer(
           await extendedProvider.clearAllAuthData()
         }
 
+        // Reset auth coordinator state to force fresh browser auth
+        if (DEBUG) debugLog('Resetting auth coordinator to force fresh browser auth')
+        const { resetAuth } = await authInitializer()
+        resetAuth()
+
         // Reset retry state since we're starting fresh
         resetAuthRetryState(serverUrlHash)
       }
@@ -509,6 +515,11 @@ export async function connectToRemoteServer(
             await extendedProvider.clearAllAuthData()
           }
 
+          // Reset auth coordinator state to force fresh browser auth
+          if (DEBUG) debugLog('Resetting auth coordinator to force fresh browser auth')
+          const { resetAuth: resetAuthFirst } = await authInitializer()
+          resetAuthFirst()
+
           // Reset retry state since we're starting fresh
           resetAuthRetryState(serverUrlHash)
 
diff --git a/src/proxy.ts b/src/proxy.ts
@@ -80,6 +80,7 @@ async function runProxy(
     return {
       waitForAuthCode: authState.waitForAuthCode,
       skipBrowserAuth: authState.skipBrowserAuth,
+      resetAuth: () => authCoordinator.resetAuth(),
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ async function runClient(`
`88`	`88`	`return {`
`89`	`89`	`waitForAuthCode: authState.waitForAuthCode,`
`90`	`90`	`skipBrowserAuth: authState.skipBrowserAuth,`
	`91`	`+ resetAuth: () => authCoordinator.resetAuth(),`
`91`	`92`	`}`
`92`	`93`	`}`
`93`	`94`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ async function runProxy(`
`80`	`80`	`return {`
`81`	`81`	`waitForAuthCode: authState.waitForAuthCode,`
`82`	`82`	`skipBrowserAuth: authState.skipBrowserAuth,`
	`83`	`+ resetAuth: () => authCoordinator.resetAuth(),`
`83`	`84`	`}`
`84`	`85`	`}`
`85`	`86`