fix: handle elicitation cancellation in OAuth flows

SamMorrowDrums · SamMorrowDrums · commit 55bc660d422b · 2026-01-19T11:10:35.000+01:00
diff --git a/internal/oauth/manager.go b/internal/oauth/manager.go
@@ -114,25 +114,37 @@ func (m *Manager) startDeviceFlowWithElicitation(ctx context.Context, session *m
 		return fmt.Errorf("failed to get device authorization: %w", err)
 	}
 
+	// Create cancellable context for polling
+	pollCtx, cancelPoll := context.WithCancel(ctx)
+	defer cancelPoll()
+
 	// Use session elicitation if available to show the user the verification URL and code
 	if session != nil {
-		elicitID, err := generateRandomToken()
-		if err != nil {
-			// Log warning but continue - elicitation ID is for tracking only
-			elicitID = "fallback-id"
-		}
-		// Elicitation result is not critical - device flow polls independently
-		_, _ = session.Elicit(ctx, &mcp.ElicitParams{
-			Mode:          "url",
-			URL:           deviceAuth.VerificationURI,
-			ElicitationID: elicitID,
-			Message:       fmt.Sprintf("GitHub OAuth Device Authorization\n\nYour code: %s\n\nVisit the URL and enter this code to authenticate.", deviceAuth.UserCode),
-		})
+		// Run elicitation in goroutine - if cancelled, abort the device flow
+		go func() {
+			elicitID, err := generateRandomToken()
+			if err != nil {
+				elicitID = "fallback-id"
+			}
+			result, err := session.Elicit(ctx, &mcp.ElicitParams{
+				Mode:          "url",
+				URL:           deviceAuth.VerificationURI,
+				ElicitationID: elicitID,
+				Message:       fmt.Sprintf("GitHub OAuth Device Authorization\n\nYour code: %s\n\nVisit the URL and enter this code to authenticate.", deviceAuth.UserCode),
+			})
+			// If elicitation was cancelled or declined, abort the polling
+			if err != nil || result == nil || result.Action == "cancel" || result.Action == "decline" {
+				cancelPoll()
+			}
+		}()
 	}
 
-	// Poll for the token (blocking)
-	token, err := oauth2Cfg.DeviceAccessToken(ctx, deviceAuth)
+	// Poll for the token (blocking, but respects context cancellation)
+	token, err := oauth2Cfg.DeviceAccessToken(pollCtx, deviceAuth)
 	if err != nil {
+		if pollCtx.Err() != nil {
+			return fmt.Errorf("OAuth authorization was cancelled by user")
+		}
 		return fmt.Errorf("failed to get device access token: %w", err)
 	}
 
@@ -203,16 +215,29 @@ func (m *Manager) startPKCEFlowWithElicitation(ctx context.Context, session *mcp
 	// Try to open browser - if it works, no elicitation needed
 	browserErr := openBrowser(authURL)
 
+	// Channel to signal elicitation cancellation
+	elicitCancelChan := make(chan struct{}, 1)
+
 	// Only elicit if browser failed to open (e.g., headless environment)
 	// and we need to show the user the URL manually
 	if browserErr != nil && session != nil {
-		elicitID, _ := generateRandomToken()
-		_, _ = session.Elicit(ctx, &mcp.ElicitParams{
-			Mode:          "url",
-			URL:           authURL,
-			ElicitationID: elicitID,
-			Message:       "GitHub OAuth Authorization\n\nPlease visit the URL to authorize access.",
-		})
+		// Run elicitation in goroutine so we can monitor callback in parallel
+		go func() {
+			elicitID, _ := generateRandomToken()
+			result, err := session.Elicit(ctx, &mcp.ElicitParams{
+				Mode:          "url",
+				URL:           authURL,
+				ElicitationID: elicitID,
+				Message:       "GitHub OAuth Authorization\n\nPlease visit the URL to authorize access.",
+			})
+			// If elicitation was cancelled or declined, signal to abort
+			if err != nil || result == nil || result.Action == "cancel" || result.Action == "decline" {
+				select {
+				case elicitCancelChan <- struct{}{}:
+				default:
+				}
+			}
+		}()
 	}
 
 	// Wait for callback with timeout
@@ -239,6 +264,10 @@ func (m *Manager) startPKCEFlowWithElicitation(ctx context.Context, session *mcp
 		cleanup()
 		return fmt.Errorf("OAuth callback error: %w", err)
 
+	case <-elicitCancelChan:
+		cleanup()
+		return fmt.Errorf("OAuth authorization was cancelled by user")
+
 	case <-ctx.Done():
 		cleanup()
 		return ctx.Err()
diff --git a/internal/oauth/templates/error.html b/internal/oauth/templates/error.html
@@ -6,13 +6,14 @@
 <title>Authorization Failed</title>
 <link href="https://cdn.jsdelivr.net/npm/@primer/css@22/dist/primer.min.css" rel="stylesheet">
 <style>
-html, body { height: 100%; }
-body { display: flex; align-items: center; justify-content: center; }
+html, body { height: 100%; margin: 0; }
+body { display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+.card { width: 500px; box-shadow: none !important; }
 </style>
 </head>
-<body class="color-bg-default">
-<div class="Box color-shadow-medium p-6 text-center" style="max-width: 480px;">
-  <svg class="octicon color-fg-default mb-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="64" height="64" fill="currentColor">
+<body class="color-bg-canvas">
+<div class="Box color-bg-default card p-6 text-center">
+  <svg class="octicon color-fg-default mb-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
     <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
   </svg>
   <h1 class="h2 color-fg-danger mb-3">Authorization Failed</h1>
diff --git a/internal/oauth/templates/success.html b/internal/oauth/templates/success.html
@@ -6,13 +6,14 @@
 <title>Authorization Successful</title>
 <link href="https://cdn.jsdelivr.net/npm/@primer/css@22/dist/primer.min.css" rel="stylesheet">
 <style>
-html, body { height: 100%; }
-body { display: flex; align-items: center; justify-content: center; }
+html, body { height: 100%; margin: 0; }
+body { display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+.card { width: 500px; box-shadow: none !important; }
 </style>
 </head>
-<body class="color-bg-default">
-<div class="Box color-shadow-medium p-6 text-center" style="max-width: 480px;">
-  <svg class="octicon color-fg-default mb-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="64" height="64" fill="currentColor">
+<body class="color-bg-canvas">
+<div class="Box color-bg-default card p-6 text-center">
+  <svg class="octicon color-fg-default mb-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
     <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
   </svg>
   <h1 class="h2 color-fg-success mb-3">Authorization Successful</h1>
