chore: revoke access tokens on server shutdown [MCP-53] (#352)

fmenezes · web-flow · commit c40eeab1980c · 2025-07-10T16:38:36.000+01:00
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -4,6 +4,15 @@
   // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
   "version": "0.2.0",
   "configurations": [
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Launch Tests",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": ["test"],
+      "cwd": "${workspaceFolder}",
+      "envFile": "${workspaceFolder}/.env"
+    },
     {
       "type": "node",
       "request": "launch",
diff --git a/src/common/atlas/apiClient.ts b/src/common/atlas/apiClient.ts
@@ -5,6 +5,7 @@ import { ApiClientError } from "./apiClientError.js";
 import { paths, operations } from "./openapi.js";
 import { CommonProperties, TelemetryEvent } from "../../telemetry/types.js";
 import { packageInfo } from "../../helpers/packageInfo.js";
+import logger, { LogId } from "../../logger.js";
 
 const ATLAS_API_VERSION = "2025-03-12";
 
@@ -34,9 +35,7 @@ export class ApiClient {
 
     private getAccessToken = async () => {
         if (this.oauth2Client && (!this.accessToken || this.accessToken.expired())) {
-            this.accessToken = await this.oauth2Client.getToken({
-                agent: this.options.userAgent,
-            });
+            this.accessToken = await this.oauth2Client.getToken({});
         }
         return this.accessToken?.token.access_token as string | undefined;
     };
@@ -49,7 +48,9 @@ export class ApiClient {
 
             try {
                 const accessToken = await this.getAccessToken();
-                request.headers.set("Authorization", `Bearer ${accessToken}`);
+                if (accessToken) {
+                    request.headers.set("Authorization", `Bearer ${accessToken}`);
+                }
                 return request;
             } catch {
                 // ignore not availble tokens, API will return 401
@@ -81,20 +82,38 @@ export class ApiClient {
                 auth: {
                     tokenHost: this.options.baseUrl,
                     tokenPath: "/api/oauth/token",
+                    revokePath: "/api/oauth/revoke",
+                },
+                http: {
+                    headers: {
+                        "User-Agent": this.options.userAgent,
+                    },
                 },
             });
             this.client.use(this.authMiddleware);
         }
     }
 
     public hasCredentials(): boolean {
-        return !!(this.oauth2Client && this.accessToken);
+        return !!this.oauth2Client;
     }
 
     public async validateAccessToken(): Promise<void> {
         await this.getAccessToken();
     }
 
+    public async close(): Promise<void> {
+        if (this.accessToken) {
+            try {
+                await this.accessToken.revoke("access_token");
+            } catch (error: unknown) {
+                const err = error instanceof Error ? error : new Error(String(error));
+                logger.error(LogId.atlasApiRevokeFailure, "apiClient", `Failed to revoke access token: ${err.message}`);
+            }
+            this.accessToken = undefined;
+        }
+    }
+
     public async getIpInfo(): Promise<{
         currentIpv4Address: string;
     }> {
diff --git a/src/logger.ts b/src/logger.ts
@@ -19,6 +19,7 @@ export const LogId = {
     atlasInspectFailure: mongoLogId(1_001_004),
     atlasConnectAttempt: mongoLogId(1_001_005),
     atlasConnectSucceeded: mongoLogId(1_001_006),
+    atlasApiRevokeFailure: mongoLogId(1_001_007),
 
     telemetryDisabled: mongoLogId(1_002_001),
     telemetryEmitFailure: mongoLogId(1_002_002),
diff --git a/src/session.ts b/src/session.ts
@@ -93,6 +93,7 @@ export class Session extends EventEmitter<{
 
     async close(): Promise<void> {
         await this.disconnect();
+        await this.apiClient.close();
         this.emit("close");
     }
 
diff --git a/src/tools/mongodb/metadata/connect.ts b/src/tools/mongodb/metadata/connect.ts
@@ -46,7 +46,7 @@ export class ConnectTool extends MongoDBToolBase {
 
     constructor(session: Session, config: UserConfig, telemetry: Telemetry) {
         super(session, config, telemetry);
-        session.on("close", () => {
+        session.on("disconnect", () => {
             this.updateMetadata();
         });
     }
diff --git a/tests/integration/helpers.ts b/tests/integration/helpers.ts
@@ -84,8 +84,8 @@ export function setupIntegrationTest(getUserConfig: () => UserConfig): Integrati
     });
 
     afterEach(async () => {
-        if (mcpServer) {
-            await mcpServer.session.close();
+        if (mcpServer && !mcpServer.session.connectedAtlasCluster) {
+            await mcpServer.session.disconnect();
         }
     });
 

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ export class Session extends EventEmitter<{`
`93`	`93`
`94`	`94`	`async close(): Promise<void> {`
`95`	`95`	`await this.disconnect();`
	`96`	`+ await this.apiClient.close();`
`96`	`97`	`this.emit("close");`
`97`	`98`	`}`
`98`	`99`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ export class ConnectTool extends MongoDBToolBase {`
`46`	`46`
`47`	`47`	`constructor(session: Session, config: UserConfig, telemetry: Telemetry) {`
`48`	`48`	`super(session, config, telemetry);`
`49`		`- session.on("close", () => {`
	`49`	`+ session.on("disconnect", () => {`
`50`	`50`	`this.updateMetadata();`
`51`	`51`	`});`
`52`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -84,8 +84,8 @@ export function setupIntegrationTest(getUserConfig: () => UserConfig): Integrati`
`84`	`84`	`});`
`85`	`85`
`86`	`86`	`afterEach(async () => {`
`87`		`- if (mcpServer) {`
`88`		`- await mcpServer.session.close();`
	`87`	`+ if (mcpServer && !mcpServer.session.connectedAtlasCluster) {`
	`88`	`+ await mcpServer.session.disconnect();`
`89`	`89`	`}`
`90`	`90`	`});`
`91`	`91`