Merge pull request #232 from gleanwork/codex/hjdivad/add-error-for-missing-refresh-tokens

david-hamilton-glean · web-flow · commit 6f313a3c2800 · 2025-07-23T15:11:02.000-07:00
Add error when refresh token not issued
diff --git a/packages/configure-mcp-server/src/configure/client/index.ts b/packages/configure-mcp-server/src/configure/client/index.ts
@@ -12,7 +12,7 @@ import { RemoteMcpTargets } from '@gleanwork/mcp-server-utils/util';
 import { isOAuthEnabled } from '../../common/env.js';
 
 import connectMcpPackageJson from '@gleanwork/connect-mcp-server/package.json' with { type: 'json' };
-let connectMcpServerVersion = connectMcpPackageJson.version;
+const connectMcpServerVersion = connectMcpPackageJson.version;
 
 export interface MCPConfigPath {
   configDir: string;
diff --git a/packages/mcp-server-utils/src/auth/auth.ts b/packages/mcp-server-utils/src/auth/auth.ts
@@ -546,15 +546,28 @@ async function authorize(config: GleanOAuthConfig): Promise<Tokens | null> {
     ).catch((e) => {
       error('prompting user for verification page', e);
     });
-    const tokenResponse = await tokenPoller;
+    const polledTokenResponse = await tokenPoller;
 
     // Clean up the readline interface now that we have the token
     abortController.abort();
 
     if (cause !== undefined) {
       throw cause;
     }
-    return Tokens.buildFromTokenResponse(tokenResponse as TokenResponse);
+
+    // tokenResponse is void | TokenResponse because of the catch handler
+    // attached to pollForToken, which sets cause and resolves to void.  But
+    // right above here we throw if cause !== undefined so we can guarantee
+    // tokenResponse is TokenResponse and not void.
+    const tokenResponse = polledTokenResponse as TokenResponse;
+
+    if (tokenResponse.refresh_token === undefined) {
+      throw new AuthError(
+        `Your OAuth Authorization Server issued an access token but not a refresh token.  Please configure your OAuth application with id: ${config.clientId} to issue refresh tokens.`,
+        { code: AuthErrorCode.RefreshTokenNotIssued },
+      );
+    }
+    return Tokens.buildFromTokenResponse(tokenResponse);
   } catch (cause: any) {
     // Clean up the readline interface on error as well
     abortController.abort();
diff --git a/packages/mcp-server-utils/src/auth/error.ts b/packages/mcp-server-utils/src/auth/error.ts
@@ -45,6 +45,8 @@ export enum AuthErrorCode {
   MissingOAuthMetadata = 'ERR_A_21',
   /** Missing OAuth tokens required for MCP remote setup */
   MissingOAuthTokens = 'ERR_A_22',
+  /** Refresh token not issued by authorization server */
+  RefreshTokenNotIssued = 'ERR_A_23',
 }
 
 /**
diff --git a/packages/mcp-server-utils/src/test/auth/authorize.test.ts b/packages/mcp-server-utils/src/test/auth/authorize.test.ts
@@ -312,6 +312,62 @@ describe('authorize (device flow)', () => {
     );
   });
 
+  it('should error when no refresh token is issued', async () => {
+    const baseUrl = 'https://glean.example.com';
+    const issuer = 'https://auth.example.com';
+    const clientId = 'client-123';
+    const deviceAuthorizationEndpoint = 'https://auth.example.com/device';
+    const tokenEndpoint = 'https://auth.example.com/token';
+    const deviceCode = 'device-code-abc';
+    const userCode = 'user-code-xyz';
+    const verificationUri = 'https://auth.example.com/verify';
+    const interval = 5;
+    const expiresIn = 3600;
+    const accessToken = 'access-token-123';
+
+    server.use(
+      http.get(`${baseUrl}/.well-known/oauth-protected-resource`, () =>
+        HttpResponse.json({
+          authorization_servers: [issuer],
+          glean_device_flow_client_id: clientId,
+        }),
+      ),
+      http.get(`${issuer}/.well-known/openid-configuration`, () =>
+        HttpResponse.json({
+          device_authorization_endpoint: deviceAuthorizationEndpoint,
+          token_endpoint: tokenEndpoint,
+        }),
+      ),
+      http.post(deviceAuthorizationEndpoint, () =>
+        HttpResponse.json({
+          device_code: deviceCode,
+          user_code: userCode,
+          verification_uri: verificationUri,
+          expires_in: 600,
+          interval,
+        }),
+      ),
+      http.post(tokenEndpoint, async ({ request }) => {
+        const body = await request.text();
+        if (body.includes(`device_code=${deviceCode}`)) {
+          return HttpResponse.json({
+            token_type: 'Bearer',
+            access_token: accessToken,
+            expires_in: expiresIn,
+          });
+        }
+        return HttpResponse.json({
+          error: 'authorization_pending',
+          error_description: 'pending',
+        });
+      }),
+    );
+
+    await expect(forceAuthorize()).rejects.toThrowErrorMatchingInlineSnapshot(
+      `[AuthError: ERR_A_23: Your OAuth Authorization Server issued an access token but not a refresh token.  Please configure your OAuth application with id: client-123 to issue refresh tokens.]`,
+    );
+  });
+
   it('should poll until user enters code, respecting interval, then succeed', async () => {
     const baseUrl = 'https://glean.example.com';
     const issuer = 'https://auth.example.com';

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ export enum AuthErrorCode {`
`45`	`45`	`MissingOAuthMetadata = 'ERR_A_21',`
`46`	`46`	`/** Missing OAuth tokens required for MCP remote setup */`
`47`	`47`	`MissingOAuthTokens = 'ERR_A_22',`
	`48`	`+ /** Refresh token not issued by authorization server */`
	`49`	`+ RefreshTokenNotIssued = 'ERR_A_23',`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`/**`