Fix several bugs in the OAuth implementation#7
Merged
Conversation
This is already validated in `OAuthClient.buildAuthenticationURL`
This is a developer tool, so we can afford to be less secure by default to simplify the process of testing local servers during development
Explanation from Claude:
1. Root Cause: When showing the authentication sheet for token refresh, ServerFeature
was only retrieving the token but not the associated clientID from the keychain. This
caused it to use the default clientID ("com.indragie.Context") instead of the
dynamically registered one.
2. The Fix:
- Modified ServerFeature to retrieve the full StoredOAuthToken (which includes both
token and clientID)
- Updated the showAuthenticationSheet action to include the clientID parameter
- Modified AuthenticationFeature.State initializer to accept and use the stored
clientID
This ensures that during token refresh, the app uses the same clientID that was
registered during the initial authentication, preventing the "invalid_client: Client
not found" error.
The app now properly handles OAuth servers that use dynamic client registration and
should successfully refresh tokens when they expire.
When the background token refresh timer fails to refresh an OAuth token, the user was not notified and the authentication UI was not presented. This commit adds a callback mechanism that allows MCPClientManager to notify ServerFeature when token refresh fails, triggering the authentication modal to allow the user to re-authenticate. Changes: - Add tokenRefreshFailureCallbacks to MCPClientManager for notification - Register/unregister callbacks in ServerFeature lifecycle - Show authentication UI when automatic refresh fails - Properly handle Swift 6 @sendable requirements 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
When creating a new client connection, if an expired token with a refresh token is detected, the system now attempts to refresh the token automatically before throwing an authentication error. This provides a better user experience by avoiding unnecessary re-authentication when a valid refresh token exists. Changes: - Modified createClient to attempt token refresh on authentication errors - Updated createTransport to not delete expired tokens immediately - Token refresh is now attempted before propagating authentication errors 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
|
Claude finished @indragiek's task —— View job Pull Request Review: OAuth Bug FixesI've completed a comprehensive review of the OAuth bug fixes. Here's my detailed analysis: Review Checklist:
🔒 Security Analysis✅ Strengths
|
Addresses PR review feedback by reducing sensitive information in logs: - Changed token-specific log messages to use generic "authentication" terminology - Reduced log levels from info to debug for routine authentication operations - Avoided logging during silent token refresh to prevent information leaks - Kept authorization code validation as-is since OAuth 2.0 spec doesn't define format This improves security by preventing sensitive token information from appearing in logs while maintaining useful debugging capabilities. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Addresses PR review feedback: 1. Generic Error Messages: Replaced generic crypto failure messages with more specific error descriptions that help users understand the issue - Added proper error type checking for OAuthClientError - Provided specific message for randomGenerationFailed indicating potential system security issue - Added fallback for unexpected errors with their descriptions 2. Keychain Failures: Added proper error handling for keychain access - Wrapped keychain access in do-catch blocks instead of using try? - Log errors but continue with authentication flow - User can still authenticate even if old token retrieval fails This improves user experience by providing clearer error messages and prevents authentication flow from being blocked by non-critical keychain failures. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
|
Claude finished @indragiek's task —— View job I'll provide a comprehensive review of the OAuth bug fixes. Let me analyze the changes systematically. Review Progress
🔒 Security Analysis✅ Excellent Security Practices
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.