feat(mcp): 'Clear sign-in data' recovery for stuck MCP auth #2189
+214
−6
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| import { afterEach, describe, expect, test } from "bun:test"; | ||
| import { mkdir, mkdtemp, readFile, rm, writeFile } from "node:fs/promises"; | ||
| import { tmpdir } from "node:os"; | ||
| import { join } from "node:path"; | ||
|
|
||
| import { startServer } from "./server.js"; | ||
| import type { ServerConfig } from "./types.js"; | ||
|
|
||
| type Served = { port: number; stop: (closeActiveConnections?: boolean) => void | Promise<void> }; | ||
|
|
||
| const stops: Array<() => void | Promise<void>> = []; | ||
| const roots: string[] = []; | ||
| let previousEnv: Record<string, string | undefined> = {}; | ||
|
|
||
| afterEach(async () => { | ||
| while (stops.length) await stops.pop()?.(); | ||
| while (roots.length) await rm(roots.pop()!, { recursive: true, force: true }); | ||
| for (const [key, value] of Object.entries(previousEnv)) { | ||
| if (value === undefined) delete process.env[key]; | ||
| else process.env[key] = value; | ||
| } | ||
| previousEnv = {}; | ||
| }); | ||
|
|
||
| function setEnv(key: string, value: string) { | ||
| if (!(key in previousEnv)) previousEnv[key] = process.env[key]; | ||
| process.env[key] = value; | ||
| } | ||
|
|
||
| async function setup() { | ||
| const root = await mkdtemp(join(tmpdir(), "openwork-mcp-auth-clear-")); | ||
| roots.push(root); | ||
| setEnv("OPENWORK_RUNTIME_DB", join(root, "runtime.sqlite")); | ||
|
|
||
| // Point the engine data dir resolution at a temp store with a stale entry. | ||
| const dataHome = join(root, "xdg-data"); | ||
| setEnv("XDG_DATA_HOME", dataHome); | ||
| const authStorePath = join(dataHome, "opencode", "mcp-auth.json"); | ||
| await mkdir(join(dataHome, "opencode"), { recursive: true }); | ||
| await writeFile( | ||
| authStorePath, | ||
| JSON.stringify({ | ||
| posthog: { | ||
| serverUrl: "https://mcp.us.posthog.com/mcp", | ||
| tokens: { access_token: "stale" }, | ||
| clientInfo: { client_id: "poisoned-client" }, | ||
| oauthState: "stale-state", | ||
| }, | ||
| linear: { serverUrl: "https://mcp.linear.app/mcp", tokens: { access_token: "good" } }, | ||
| }, null, 2), | ||
| "utf8", | ||
| ); | ||
|
|
||
| const config: ServerConfig = { | ||
| host: "127.0.0.1", | ||
| port: 0, | ||
| token: "owt_test_token", | ||
| hostToken: "owt_host_token", | ||
| approval: { mode: "auto", timeoutMs: 1000 }, | ||
| corsOrigins: ["*"], | ||
| workspaces: [ | ||
| { | ||
| id: "ws_1", | ||
| name: "Workspace", | ||
| path: root, | ||
| preset: "starter", | ||
| workspaceType: "local", | ||
| // Unreachable engine: forces the file-level recovery fallback. | ||
| baseUrl: "http://127.0.0.1:9", | ||
| }, | ||
| ], | ||
| authorizedRoots: [root], | ||
| readOnly: false, | ||
| startedAt: Date.now(), | ||
| tokenSource: "cli", | ||
| hostTokenSource: "cli", | ||
| logFormat: "pretty", | ||
| logRequests: false, | ||
| }; | ||
| const server = await startServer(config) as Served; | ||
| stops.push(() => server.stop(true)); | ||
| return { | ||
| base: `http://127.0.0.1:${server.port}`, | ||
| headers: { Authorization: "Bearer owt_test_token" }, | ||
| authStorePath, | ||
| }; | ||
| } | ||
|
|
||
| describe("MCP auth clear recovery", () => { | ||
| test("clears a stale auth entry even when the engine is unreachable", async () => { | ||
| const { base, headers, authStorePath } = await setup(); | ||
|
|
||
| const response = await fetch(`${base}/workspace/ws_1/mcp/posthog/auth`, { | ||
| method: "DELETE", | ||
| headers, | ||
| }); | ||
| expect(response.status).toBe(200); | ||
|
|
||
| const store = JSON.parse(await readFile(authStorePath, "utf8")) as Record<string, unknown>; | ||
| expect(store.posthog).toBeUndefined(); | ||
| // Other entries are untouched. | ||
| expect(store.linear).toBeDefined(); | ||
| }); | ||
|
|
||
| test("is idempotent: clearing an absent entry still succeeds", async () => { | ||
| const { base, headers, authStorePath } = await setup(); | ||
|
|
||
| const first = await fetch(`${base}/workspace/ws_1/mcp/posthog/auth`, { method: "DELETE", headers }); | ||
| expect(first.status).toBe(200); | ||
| const second = await fetch(`${base}/workspace/ws_1/mcp/posthog/auth`, { method: "DELETE", headers }); | ||
| expect(second.status).toBe(200); | ||
|
|
||
| const store = JSON.parse(await readFile(authStorePath, "utf8")) as Record<string, unknown>; | ||
| expect(store.posthog).toBeUndefined(); | ||
| expect(store.linear).toBeDefined(); | ||
| }); | ||
| }); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| /** | ||
| * Direct access to the opencode engine's MCP auth store (mcp-auth.json). | ||
| * | ||
| * The engine owns this file (Global.Path.data/mcp-auth.json) and exposes | ||
| * DELETE /mcp/:name/auth, which is the preferred path. This module is the | ||
| * recovery fallback for when the engine is unreachable or refuses: stale | ||
| * entries (tokens + clientInfo from a broken OAuth flow, e.g. PostHog's | ||
| * "Unable to determine region") can permanently block re-auth, and stuck | ||
| * users need a way out that doesn't involve hand-editing JSON. | ||
| */ | ||
| import { existsSync } from "node:fs"; | ||
| import { readFile, writeFile } from "node:fs/promises"; | ||
| import { homedir } from "node:os"; | ||
| import { join } from "node:path"; | ||
|
|
||
| function isRecord(value: unknown): value is Record<string, unknown> { | ||
| return Boolean(value) && typeof value === "object" && !Array.isArray(value); | ||
| } | ||
|
|
||
| // Mirrors opencode's Global.Path.data resolution (xdg-basedir), aligned with | ||
| // opencodeDataDirs() in opencode-db.ts. | ||
| function opencodeDataDirs(): string[] { | ||
| const dirs: string[] = []; | ||
| const xdg = process.env.XDG_DATA_HOME?.trim(); | ||
|
There was a problem hiding this comment. P2: MCP auth-store path resolution omits Prompt for AI agents |
||
| if (xdg) dirs.push(join(xdg, "opencode")); | ||
| dirs.push(join(homedir(), ".local", "share", "opencode")); | ||
| if (process.platform === "darwin") dirs.push(join(homedir(), "Library", "Application Support", "opencode")); | ||
| if (process.platform === "win32") { | ||
| const appData = process.env.APPDATA?.trim(); | ||
| if (appData) dirs.push(join(appData, "opencode")); | ||
| } | ||
| return Array.from(new Set(dirs)); | ||
| } | ||
|
|
||
| /** First existing mcp-auth.json, or the default location when none exists. */ | ||
| export function resolveMcpAuthStorePath(): string { | ||
| const candidates = opencodeDataDirs().map((dir) => join(dir, "mcp-auth.json")); | ||
| return candidates.find((candidate) => existsSync(candidate)) ?? candidates[0] | ||
| ?? join(homedir(), ".local", "share", "opencode", "mcp-auth.json"); | ||
| } | ||
|
|
||
| /** | ||
| * Remove an MCP's entry from the auth store file directly. Returns true when | ||
| * the entry is gone afterwards (deleted, or never existed — idempotent), and | ||
| * false only when the store could not be read or written. | ||
| */ | ||
| export async function removeMcpAuthEntryFromStore(name: string): Promise<boolean> { | ||
| const path = resolveMcpAuthStorePath(); | ||
| if (!existsSync(path)) return true; | ||
| try { | ||
| const parsed: unknown = JSON.parse(await readFile(path, "utf8")); | ||
| if (!isRecord(parsed)) return false; | ||
| if (!(name in parsed)) return true; | ||
| const next = { ...parsed }; | ||
| delete next[name]; | ||
| await writeFile(path, JSON.stringify(next, null, 2), { mode: 0o600 }); | ||
| return true; | ||
| } catch { | ||
| return false; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
P3: New user-facing strings are hardcoded and bypass i18n, causing untranslated text in non-English locales.
Prompt for AI agents