sigbit · hrntknr · Aug 20, 2025 · Aug 20, 2025 · Copilot · Aug 20, 2025
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -20,6 +20,7 @@ type AuthRouter struct {
 	providers            []Provider
 	loginTemplate        *template.Template
 	unauthorizedTemplate *template.Template
+	errorTemplate        *template.Template
 }
 
 func NewAuthRouter(passwordHash []string, providers ...Provider) (*AuthRouter, error) {
@@ -33,11 +34,17 @@ func NewAuthRouter(passwordHash []string, providers ...Provider) (*AuthRouter, e
 		return nil, err
 	}
 
+	errorTmpl, err := template.ParseFS(templateFS, "templates/error.html")
+	if err != nil {
+		return nil, err
+	}
+
 	return &AuthRouter{
 		passwordHash:         passwordHash,
 		providers:            providers,
 		loginTemplate:        tmpl,
 		unauthorizedTemplate: unauthorizedTmpl,
+		errorTemplate:        errorTmpl,
 	}, nil
 }
 
@@ -69,22 +76,22 @@ func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
 			session := sessions.Default(c)
 			state := session.Get(SessionKeyOAuthState)
 			if state == nil {
-				c.Error(errors.New("OAuth state is missing"))
+				a.renderError(c, errors.New("OAuth state is missing"))
 				return
 			}
 			token, err := provider.Exchange(c, state.(string))
 			if err != nil {
-				c.Error(err)
+				a.renderError(c, err)
 				return
 			}
 			userID, err := provider.GetUserID(c, token)
 			if err != nil {
-				c.Error(err)
+				a.renderError(c, err)
 				return
 			}
 			ok, err := provider.Authorization(userID)
 			if err != nil {
-				c.Error(err)
+				a.renderError(c, err)
 				return
 			}
 			if !ok {
@@ -97,7 +104,10 @@ func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
 			if redirectURL != nil {
 				session.Delete(SessionKeyRedirectURL)
 			}
-			session.Save()
+			if err := session.Save(); err != nil {
+				a.renderError(c, err)
+				return
+			}
 
 			if redirectURL == nil {
 				c.Redirect(http.StatusFound, "/")
@@ -111,16 +121,19 @@ func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
 
 			state, err := utils.GenerateState()
 			if err != nil {
-				c.Error(err)
+				a.renderError(c, err)
 				return
 			}
 			url, err := provider.AuthCodeURL(c, state)
 			if err != nil {
-				c.Error(err)
+				a.renderError(c, err)
 				return
 			}
 			session.Set(SessionKeyOAuthState, state)
-			session.Save()
+			if err := session.Save(); err != nil {
+				a.renderError(c, err)
+				return
+			}
 			c.Redirect(http.StatusFound, url)
 		})
 	}
@@ -176,7 +189,10 @@ func (a *AuthRouter) handleLoginPost(c *gin.Context) {
 	if redirectURL != nil {
 		session.Delete(SessionKeyRedirectURL)
 	}
-	session.Save()
+	if err := session.Save(); err != nil {
+		a.renderError(c, err)
+		return
+	}
 
 	if redirectURL == nil {
 		c.Redirect(http.StatusFound, "/")
@@ -189,7 +205,10 @@ func (a *AuthRouter) handleLogout(c *gin.Context) {
 	session := sessions.Default(c)
 	session.Delete(SessionKeyProvider)
 	session.Delete(SessionKeyUserID)
-	session.Save()
+	if err := session.Save(); err != nil {
+		a.renderError(c, err)
+		return
+	}
 	c.Redirect(http.StatusFound, LoginEndpoint)
 }
 
@@ -200,7 +219,10 @@ func (a *AuthRouter) RequireAuth() gin.HandlerFunc {
 		userID := session.Get(SessionKeyUserID)
 		if providerName == nil || userID == nil {
 			session.Set(SessionKeyRedirectURL, c.Request.URL.String())
-			session.Save()
+			if err := session.Save(); err != nil {
+				a.renderError(c, err)
+				return
+			}
 			c.Redirect(http.StatusFound, LoginEndpoint)
 			return
 		}
@@ -241,6 +263,10 @@ type unauthorizedTemplateData struct {
 	Provider string
 }
 
+type errorTemplateData struct {
+	ErrorMessage string
+}
+
 func (a *AuthRouter) renderLogin(c *gin.Context, passwordError string) {
 	data := loginTemplateData{
 		Providers:     a.providers,
@@ -271,3 +297,16 @@ func (a *AuthRouter) renderUnauthorized(c *gin.Context, userID, providerName str
 		return
 	}
 }
+
+func (a *AuthRouter) renderError(c *gin.Context, err error) {
+	data := errorTemplateData{
+		ErrorMessage: err.Error(),
+	}
+	c.Header("Content-Type", "text/html; charset=utf-8")
+	c.Status(http.StatusInternalServerError)
+	if templateErr := a.errorTemplate.Execute(c.Writer, data); templateErr != nil {
+		c.AbortWithError(http.StatusInternalServerError, templateErr)
-		c.AbortWithError(http.StatusInternalServerError, templateErr)
+		c.String(http.StatusInternalServerError, "Internal Server Error")
-		c.AbortWithError(http.StatusInternalServerError, templateErr)
+		c.String(http.StatusInternalServerError, "Internal Server Error")
+		return
+	}
+	c.Abort()
-	c.Abort()
-	c.Abort()
+}
diff --git a/pkg/auth/templates/error.html b/pkg/auth/templates/error.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Error - MCP Auth Proxy</title>
+    <style>
+      body {
+        font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif;
+        background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%);
+        margin: 0;
+        padding: 0;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+      }
+      .error-container {
+        background: white;
+        padding: 2.5rem;
+        border-radius: 12px;
+        box-shadow: 0 8px 32px rgba(0, 0, 0, 0.12);
+        text-align: center;
+        min-width: 350px;
+        max-width: 500px;
+        width: 100%;
+      }
+      .error-icon {
+        font-size: 4rem;
+        color: #e74c3c;
+        margin-bottom: 1rem;
+      }
+      h1 {
+        color: #333;
+        margin-bottom: 1.5rem;
+        font-size: 2rem;
+        font-weight: 600;
+      }
+      .error-message {
+        color: #666;
+        margin-bottom: 2rem;
+        font-size: 1.1rem;
+        line-height: 1.6;
+      }
+      .error-details {
+        background: #f8f9fa;
+        border: 1px solid #e9ecef;
+        border-radius: 8px;
+        padding: 1rem;
+        margin-bottom: 2rem;
+        font-family: monospace;
+        color: #e74c3c;
+        font-size: 0.9rem;
+        text-align: left;
+        word-wrap: break-word;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="error-container">
+      <div class="error-icon">⚠️</div>
+      <h1>Error</h1>
+      <div class="error-message">
+        An error occurred while processing your request.
+      </div>
+      {{if .ErrorMessage}}
+      <div class="error-details">
+        {{.ErrorMessage}}
+      </div>
+      {{end}}
+    </div>
+  </body>
+</html>
diff --git a/pkg/mcp-proxy/main.go b/pkg/mcp-proxy/main.go
@@ -207,10 +207,6 @@ func Run(
 	router.Use(ginzap.Ginzap(logger, time.RFC3339, true))
 	router.Use(ginzap.RecoveryWithZap(logger, true))
 	store := cookie.NewStore(secret)
-	store.Options(sessions.Options{
-		MaxAge:   3600,
-		HttpOnly: true,
-	})
 	router.Use(sessions.Sessions("session", store))
 	authRouter.SetupRoutes(router)
 	idpRouter.SetupRoutes(router)