Skip to content

Handle invalid OAUth state #833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
threepointone merged 3 commits into from
Feb 3, 2026
Merged

Handle invalid OAUth state #833

threepointone merged 3 commits into from
Feb 3, 2026
+32 −9

Conversation

@tarushnagpal
Copy link
Contributor

@tarushnagpal tarushnagpal commented Feb 3, 2026

Issue

OAuth callbacks with expired or missing state were throwing an error but leaving the MCP connection stuck in AUTHENTICATING with auth_url still set in storage. This prevented retries and caused the connection to remain in a broken state across restarts.

Fix

On invalid OAuth state:

  • Clear auth_url in storage
  • Set the MCP connection state to FAILED

A small edge case

If duplicate callbacks arrive for the same auth, one callback can consume the state and clear auth_url. If the other callback does not reach completeAuthorization in time, it will fail validation and now mark the connection as FAILED.

@changeset-bot
Copy link

changeset-bot bot commented Feb 3, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 1a21dce

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
agents Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 3, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/agents@833

commit: 1a21dce

@mattzcarey
Update OAuth state validation tests to check error responses instead …
1a21dce 
…of exceptions

Replace `.rejects.toThrow()` assertions with checks for `authSuccess: false` and `authError` fields in handleCallbackRequest results. Configure JSON error handlers in OAuth2 tests and verify error responses via `response.json()` instead of `response.text()` for state reuse, expiration, and serverId mismatch scenarios.
@threepointone threepointone merged commit 6c80022 into cloudflare:main Feb 3, 2026
5 of 9 checks passed
@github-actions github-actions bot mentioned this pull request Feb 3, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattzcarey mattzcarey mattzcarey approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tarushnagpal @mattzcarey @threepointone