mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-16 16:30:15 +01:00
🔒 feat: Idempotency Check for OAuth Flow Completion (#10468)
* 🔒 feat: Implement idempotency check for OAuth flow completion
- Added a check to prevent duplicate token exchanges if the OAuth flow has already been completed.
- Updated the OAuth callback route to redirect appropriately when a completed flow is detected.
- Refactored token storage logic to use original flow state credentials instead of updated ones.
- Enhanced tests to cover the new idempotency behavior and ensure correct handling of OAuth flow states.
* chore: add back scope for logging
* refactor: Add isFlowStale method to FlowStateManager for stale flow detection
- Implemented a new method to check if a flow is stale based on its age and status.
- Updated MCPConnectionFactory to utilize the isFlowStale method for cleaning up stale OAuth flows.
- Enhanced logging to provide more informative messages regarding flow status and age during cleanup.
* test: Add unit tests for isFlowStale method in FlowStateManager
- Implemented comprehensive tests for the isFlowStale method to verify its behavior across various flow statuses (PENDING, COMPLETED, FAILED) and age thresholds.
- Ensured correct handling of edge cases, including flows with missing timestamps and custom stale thresholds.
- Enhanced test coverage to validate the logic for determining flow staleness based on createdAt, completedAt, and failedAt timestamps.
This commit is contained in:
Danny Avila
GitHub
parent
a49c509ebc
commit
dd35f42073
6 changed files with 380 additions and 72 deletions
|
|
@ -134,14 +134,21 @@ router.get('/:serverName/oauth/callback', async (req, res) => {
|
|||
hasCodeVerifier: !!flowState.codeVerifier,
|
||||
});
|
||||
|
||||
/** Check if this flow has already been completed (idempotency protection) */
|
||||
const currentFlowState = await flowManager.getFlowState(flowId, 'mcp_oauth');
|
||||
if (currentFlowState?.status === 'COMPLETED') {
|
||||
logger.warn('[MCP OAuth] Flow already completed, preventing duplicate token exchange', {
|
||||
flowId,
|
||||
serverName,
|
||||
});
|
||||
return res.redirect(`/oauth/success?serverName=${encodeURIComponent(serverName)}`);
|
||||
}
|
||||
|
||||
logger.debug('[MCP OAuth] Completing OAuth flow');
|
||||
const oauthHeaders = await getOAuthHeaders(serverName, flowState.userId);
|
||||
const tokens = await MCPOAuthHandler.completeOAuthFlow(flowId, code, flowManager, oauthHeaders);
|
||||
logger.info('[MCP OAuth] OAuth flow completed, tokens received in callback route');
|
||||
|
||||
// Re-fetch flow state after completeOAuthFlow to capture any DCR updates
|
||||
const updatedFlowState = await MCPOAuthHandler.getFlowState(flowId, flowManager);
|
||||
|
||||
/** Persist tokens immediately so reconnection uses fresh credentials */
|
||||
if (flowState?.userId && tokens) {
|
||||
try {
|
||||
|
|
@ -152,8 +159,8 @@ router.get('/:serverName/oauth/callback', async (req, res) => {
|
|||
createToken,
|
||||
updateToken,
|
||||
findToken,
|
||||
clientInfo: updatedFlowState?.clientInfo || flowState.clientInfo,
|
||||
metadata: updatedFlowState?.metadata || flowState.metadata,
|
||||
clientInfo: flowState.clientInfo,
|
||||
metadata: flowState.metadata,
|
||||
});
|
||||
logger.debug('[MCP OAuth] Stored OAuth tokens prior to reconnection', {
|
||||
serverName,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue