Skip to content

fix(mcp): deduplicate auth refresh on http transport#15518

Merged
gr2m merged 2 commits into
mainfrom
aayush/mcp-dedupe-auth
May 21, 2026
Merged

fix(mcp): deduplicate auth refresh on http transport#15518
gr2m merged 2 commits into
mainfrom
aayush/mcp-dedupe-auth

Conversation

@aayush-kapoor
Copy link
Copy Markdown
Collaborator

@aayush-kapoor aayush-kapoor commented May 21, 2026

Background

#15465

Before, both 401 paths in the transport independently called auth():

  • send() handles POST /mcp initialize 401.
  • openInboundSse() handles background GET /mcp 401.

that meant if one request is already refreshing tokens, any other concurrent 401 recovery would start its own recovery. this could lead to a race condition in the refresh and return invalid auth / force re auth.

Summary

  • introduce a new function authorizeOnce() that runs a single OAuth recovery flow for concurrent 401 responses

Manual Verification

verified in the reproduction in the unit tests

Checklist

  • All commits are signed (PRs with unsigned commits cannot be merged)
  • Tests have been added / updated (for bug fixes / features)
  • Documentation has been added / updated (for bug fixes / features)
  • A patch changeset for relevant packages has been added (for bug fixes / features - run pnpm changeset in the project root)
  • I have reviewed this pull request (self-review)

Related Issues

fixes #15465

@aayush-kapoor aayush-kapoor mentioned this pull request May 21, 2026
Closed
@aayush-kapoor aayush-kapoor added the backport Admins only: add this label to a pull request in order to backport it to the prior version label May 21, 2026
@gr2m gr2m merged commit 6c17a9f into main May 21, 2026
51 checks passed
@gr2m gr2m deleted the aayush/mcp-dedupe-auth branch May 21, 2026 19:55
@aayush-kapoor aayush-kapoor added backport Admins only: add this label to a pull request in order to backport it to the prior version and removed backport Admins only: add this label to a pull request in order to backport it to the prior version labels May 21, 2026
github-actions Bot added a commit that referenced this pull request May 21, 2026
@github-actions
Backport conflicts for PR #15518 to release-v6.0
2432753
@github-actions github-actions Bot mentioned this pull request May 21, 2026
Merged
@github-actions github-actions Bot removed the backport Admins only: add this label to a pull request in order to backport it to the prior version label May 21, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 21, 2026

⚠️ Backport to release-v6.0 created but has conflicts: #15528

aayush-kapoor added a commit that referenced this pull request May 21, 2026
@github-actions @aayush-kapoor
Backport: fix(mcp): deduplicate auth refresh on http transport (#15528)
e2b923f 
This is an automated backport of #15518 to the release-v6.0 branch. FYI
@aayush-kapoor
This backport has conflicts that need to be resolved manually.

### `git cherry-pick` output

```
Auto-merging packages/mcp/src/tool/mcp-http-transport.test.ts
CONFLICT (content): Merge conflict in packages/mcp/src/tool/mcp-http-transport.test.ts
Auto-merging packages/mcp/src/tool/mcp-http-transport.ts
error: could not apply 6c17a9f... fix(mcp): deduplicate auth refresh on http transport (#15518)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
```

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aayush Kapoor <aayushkapoor34@gmail.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 21, 2026

🚀 Published in:

Package Version
@ai-sdk/black-forest-labs 2.0.0-canary.45 github npm
@ai-sdk/google 4.0.0-canary.72 github npm
@ai-sdk/google-vertex 5.0.0-canary.91 github npm
@ai-sdk/mcp 2.0.0-canary.53 github npm
@ai-sdk/react 4.0.0-canary.152 github npm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gr2m gr2m gr2m approved these changes

Assignees

@aayush-kapoor aayush-kapoor

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug(@ai-sdk/mcp): Streamable HTTP can refresh OAuth tokens twice when initial SSE GET and POST both get 401

2 participants

@aayush-kapoor @gr2m