From 3eaf23cd168839bf1d1d950d1cfe7f39b4ed40e2 Mon Sep 17 00:00:00 2001 From: Jesse Date: Sun, 20 Jul 2025 18:19:30 -0600 Subject: [PATCH 1/2] fix: store resource in session storage --- client/src/lib/auth.ts | 31 +++++++++++++++++++++++++++ client/src/lib/constants.ts | 1 + client/src/lib/oauth-state-machine.ts | 10 ++++++++- 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts index 3e3516e0b..690886f41 100644 --- a/client/src/lib/auth.ts +++ b/client/src/lib/auth.ts @@ -131,10 +131,41 @@ export class DebugInspectorOAuthClientProvider extends InspectorOAuthClientProvi return JSON.parse(metadata); } + /** + * Saves the resource URL to session storage to persist it across the redirect. + */ + saveResource(resource: URL): void { + const key = getServerSpecificKey( + SESSION_KEYS.RESOURCE_URL, + this.serverUrl, + ); + sessionStorage.setItem(key, resource.toString()); + } + + /** + * Retrieves the persisted resource URL from session storage. + */ + getResource(): URL | undefined { + const key = getServerSpecificKey( + SESSION_KEYS.RESOURCE_URL, + this.serverUrl, + ); + const urlString = sessionStorage.getItem(key); + if (!urlString) { + return undefined; + } + return new URL(urlString); + } + clear() { super.clear(); sessionStorage.removeItem( getServerSpecificKey(SESSION_KEYS.SERVER_METADATA, this.serverUrl), ); + + // Also clear the resource URL + sessionStorage.removeItem( + getServerSpecificKey(SESSION_KEYS.RESOURCE_URL, this.serverUrl), + ); } } diff --git a/client/src/lib/constants.ts b/client/src/lib/constants.ts index 922f1943f..b6b001226 100644 --- a/client/src/lib/constants.ts +++ b/client/src/lib/constants.ts @@ -8,6 +8,7 @@ export const SESSION_KEYS = { CLIENT_INFORMATION: "mcp_client_information", SERVER_METADATA: "mcp_server_metadata", AUTH_DEBUGGER_STATE: "mcp_auth_debugger_state", + RESOURCE_URL: "mcp_resource_url", } as const; // Generate server-specific session storage keys 
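Review bot: `getResource()` in the auth.ts hunk passes whatever string is in sessionStorage straight to `new URL(urlString)`, so a malformed or altered entry throws a `TypeError` in the middle of the token exchange instead of being rejected cleanly. sessionStorage is writable by any script running in the origin, and this value becomes the `resource` parameter of the token request, so it should be treated as untrusted input on read, as should the `JSON.parse(metadata)` result just above. I would guard the parse, for example `try { return new URL(urlString); } catch { sessionStorage.removeItem(key); return undefined; }`. Whether a bad entry should fall back to `undefined` or abort the flow is a design choice; aborting is the stricter option. The class body starts outside the hunk, so I cannot see whether the base provider already validates stored values.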
diff --git a/client/src/lib/oauth-state-machine.ts b/client/src/lib/oauth-state-machine.ts index d87b3ecd6..fecf2b59d 100644 --- a/client/src/lib/oauth-state-machine.ts +++ b/client/src/lib/oauth-state-machine.ts @@ -56,6 +56,11 @@ export const oauthTransitions: Record = { resourceMetadata ?? undefined, ); + // Persist the resource URL so it survives the redirect. + if (resource) { + context.provider.saveResource(resource); + } + const metadata = await discoverOAuthMetadata(authServerUrl); if (!metadata) { throw new Error("Failed to discover OAuth metadata"); @@ -165,13 +170,16 @@ export const oauthTransitions: Record = { const metadata = context.provider.getServerMetadata()!; const clientInformation = (await context.provider.clientInformation())!; + // Retrieve the resource from persistent storage, not volatile state. + const resource = context.provider.getResource(); + const tokens = await exchangeAuthorization(context.serverUrl, { metadata, clientInformation, authorizationCode: context.state.authorizationCode, codeVerifier, redirectUri: context.provider.redirectUrl, - resource: context.state.resource ?? undefined, + resource: resource ?? undefined, }); context.provider.saveTokens(tokens); From 69b427f3945fdf529b996489ae714e150cb0722b Mon Sep 17 00:00:00 2001 From: Jesse Date: Thu, 7 Aug 2025 21:02:38 -0600 Subject: [PATCH 2/2] style: run prettier --write for consistent formatting --- client/src/lib/auth.ts | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts index 690886f41..a90f260db 100644 --- a/client/src/lib/auth.ts +++ b/client/src/lib/auth.ts 
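Review bot: When `resource` is undefined, the `if (resource)` branch in the first oauth-state-machine.ts hunk skips the write but leaves any `RESOURCE_URL` entry from an earlier run against the same server in sessionStorage. The token-exchange step now reads that key unconditionally, so a stale resource could be sent with a fresh authorization code unless `provider.clear()` is guaranteed to run before every flow, which is not visible here. Consider letting `saveResource` accept `undefined` and remove the key, or add an `else` branch that deletes the entry through a small provider helper. The transition function starts and ends outside the hunk.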
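Review bot: In the token-exchange hunk, `resource: resource ?? undefined` is a no-op because `getResource()` already returns `URL | undefined`; plain `resource,` reads more clearly. The step also stops consulting `context.state.resource` entirely. When both values are present and differ, the stored entry has probably been altered or is left over from another flow, so a comparison that logs or rejects the mismatch would make this debugging tool more informative. The surrounding transition starts and ends outside the hunk.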
@@ -135,10 +135,7 @@ export class DebugInspectorOAuthClientProvider extends InspectorOAuthClientProvi * Saves the resource URL to session storage to persist it across the redirect. */ saveResource(resource: URL): void { - const key = getServerSpecificKey( - SESSION_KEYS.RESOURCE_URL, - this.serverUrl, - ); + const key = getServerSpecificKey(SESSION_KEYS.RESOURCE_URL, this.serverUrl); sessionStorage.setItem(key, resource.toString()); } @@ -146,10 +143,7 @@ export class DebugInspectorOAuthClientProvider extends InspectorOAuthClientProvi * Retrieves the persisted resource URL from session storage. */ getResource(): URL | undefined { - const key = getServerSpecificKey( - SESSION_KEYS.RESOURCE_URL, - this.serverUrl, - ); + const key = getServerSpecificKey(SESSION_KEYS.RESOURCE_URL, this.serverUrl); const urlString = sessionStorage.getItem(key); if (!urlString) { return undefined;