Skip to content

Pass in type user_token in props during oauth flow #184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 10, 2025
Merged

Pass in type user_token in props during oauth flow #184

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/shaggy-llamas-shop.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@repo/mcp-common': patch
---

Pass in type user_token in props during oauth flow
3 changes: 2 additions & 1 deletion apps/sandbox-container/server/containerManager.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,11 @@ export class ContainerManager extends DurableObject<Env> {

// 15m timeout for container lifetime
if (now.valueOf() - time.valueOf() > 15 * 60 * 1000) {
await this.killContainer(id)
// TODO: Figure out why we were running in to invalid durable object id the id does not match this durable object class error
const doId = this.env.USER_CONTAINER.idFromString(id)
const stub = this.env.USER_CONTAINER.get(doId)
await stub.destroyContainer()
await this.killContainer(id)
}
}
}
Expand Down
18 changes: 14 additions & 4 deletions packages/mcp-common/src/cloudflare-oauth-handler.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ const UserAuthProps = z.object({
accessToken: z.string(),
user: UserSchema,
accounts: AccountsSchema,
refreshToken: z.string().optional(),
})
export type AuthProps = z.infer<typeof AuthProps>
const AuthProps = z.discriminatedUnion('type', [AccountAuthProps, UserAuthProps])
Expand Down Expand Up @@ -153,6 +154,15 @@ export async function handleTokenExchangeCallback(
): Promise<TokenExchangeCallbackResult | undefined> {
// options.props contains the current props
if (options.grantType === 'refresh_token') {
const props = AuthProps.parse(options.props)
if (props.type === 'account_token') {
// Refreshing an account_token should not be possible, as we only do this for user tokens
throw new McpError('Internal Server Error', 500)
}
if (!props.refreshToken) {
throw new McpError('Missing refreshToken', 500)
}

// handle token refreshes
const {
access_token: accessToken,
Expand All @@ -161,15 +171,15 @@ export async function handleTokenExchangeCallback(
} = await refreshAuthToken({
client_id: clientId,
client_secret: clientSecret,
refresh_token: options.props.refreshToken,
refresh_token: props.refreshToken,
})

return {
newProps: {
...options.props,
accessToken,
refreshToken,
},
} satisfies AuthProps,
accessTokenTTL: expires_in,
}
}
Expand Down Expand Up @@ -279,13 +289,13 @@ export function createAuthHandlers({
label: user.email,
},
scope: oauthReqInfo.scope,
// This will be available on this.props inside CASBMCP
props: {
type: 'user_token',
user,
accounts,
accessToken,
refreshToken,
},
} satisfies AuthProps,
})

metrics.logEvent(
Expand Down