Description
The OAuth callback server on port 19876 remains running after authenticate() completes. When multiple TUI instances are running, this causes CSRF state validation failures:
- Instance A authenticates → callback server starts on port 19876 → auth succeeds → server stays running
- Instance B starts, triggers OAuth →
ensureRunning() detects port in use, skips server start
- Instance B registers state in its own process-local
pendingAuths Map
- Browser callback arrives at Instance A's server →
pendingStates=[] → CSRF error
Steps to reproduce
- Start opencode TUI (Instance A) with a remote OAuth MCP server
- Complete OAuth authentication
- Start another opencode TUI (Instance B)
- Instance B attempts OAuth → browser opens → callback fails with "Invalid or expired state parameter"
Expected behavior
Callback server should stop after authentication completes (when no other flows are pending), releasing port 19876.
Root cause
McpOAuthCallback.stop() is never called after authenticate(). The only callers are internal reconfiguration in ensureRunning() and test cleanup.
OpenCode version
1.14.19
Operating System
macOS
Description
The OAuth callback server on port 19876 remains running after
authenticate()completes. When multiple TUI instances are running, this causes CSRF state validation failures:ensureRunning()detects port in use, skips server startpendingAuthsMappendingStates=[]→ CSRF errorSteps to reproduce
Expected behavior
Callback server should stop after authentication completes (when no other flows are pending), releasing port 19876.
Root cause
McpOAuthCallback.stop()is never called afterauthenticate(). The only callers are internal reconfiguration inensureRunning()and test cleanup.OpenCode version
1.14.19
Operating System
macOS