chore: clarify token refresh comments

Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
chore: simplify oauth token expiry helpers
2025-12-24 02:39:19 -05:00 · 2025-12-13 14:50:55 +00:00 · 2025-12-13 14:49:15 +00:00 · 2025-12-13 14:46:49 +00:00 · 2025-12-13 14:45:20 +00:00 · 2025-12-13 14:38:07 +00:00
5 changed files with 205 additions and 15 deletions
--- a/src/services/mcpOAuthProvider.ts
+++ b/src/services/mcpOAuthProvider.ts
@@ -26,6 +26,7 @@ import {
  getRegisteredClient,
  removeRegisteredClient,
  fetchScopesFromServer,
+  refreshAccessToken,
 } from './oauthClientRegistration.js';
 import {
  clearOAuthData,
@@ -40,6 +41,9 @@ import {
 // Import getServerByName to access ServerInfo
 import { getServerByName } from './mcpService.js';

+// Refresh tokens one minute before expiry to avoid sending requests with stale credentials.
+const ACCESS_TOKEN_REFRESH_THRESHOLD_MS = 60_000;
+
 /**
 * MCPHub OAuth Provider for server-side OAuth flows
 *
@@ -292,21 +296,8 @@ export class MCPHubOAuthProvider implements OAuthClientProvider {
  /**
   * Get stored OAuth tokens
   */
-  tokens(): OAuthTokens | undefined {
-    // Use cached config only (tokens are updated via saveTokens which updates cache)
-    const serverConfig = this.serverConfig;
-
-    if (!serverConfig?.oauth?.accessToken) {
-      return undefined;
-    }
-
-    return {
-      access_token: serverConfig.oauth.accessToken,
-      token_type: 'Bearer',
-      refresh_token: serverConfig.oauth.refreshToken,
-      // Note: expires_in is not typically stored, only the token itself
-      // The SDK will handle token refresh when needed
-    };
+  async tokens(): Promise<OAuthTokens | undefined> {
+    return this.getValidTokens();
  }

  /**
@@ -330,6 +321,7 @@ export class MCPHubOAuthProvider implements OAuthClientProvider {
    const updatedConfig = await persistTokens(this.serverName, {
      accessToken: tokens.access_token,
      refreshToken: refreshTokenProvided ? (tokens.refresh_token ?? null) : undefined,
+      expiresIn: tokens.expires_in,
      clearPendingAuthorization: hadPending,
    });

@@ -348,6 +340,89 @@ export class MCPHubOAuthProvider implements OAuthClientProvider {
    console.log(`Saved OAuth tokens for server: ${this.serverName}`);
  }

+  /**
+   * Returns tokens refreshed when expired or close to expiring.
+   * When an access token already exists and refresh fails, the existing token is returned.
+   */
+  private async getValidTokens(): Promise<OAuthTokens | undefined> {
+    const oauth = this.serverConfig.oauth;
+    if (!oauth) {
+      return undefined;
+    }
+
+    if (!oauth.accessToken) {
+      return this.refreshAccessTokenIfNeeded(oauth.refreshToken);
+    }
+
+    // Refresh if token is expired or about to expire
+    const expiresAt = this.getAccessTokenExpiryMs(oauth);
+    const now = Date.now();
+    if (expiresAt && expiresAt - now <= ACCESS_TOKEN_REFRESH_THRESHOLD_MS) {
+      const refreshed = await this.refreshAccessTokenIfNeeded(oauth.refreshToken);
+      if (refreshed) {
+        return refreshed;
+      }
+    }
+
+    return {
+      access_token: oauth.accessToken,
+      token_type: 'Bearer',
+      refresh_token: oauth.refreshToken,
+    };
+  }
+
+  private getAccessTokenExpiryMs(oauth: NonNullable<ServerConfig['oauth']>): number | undefined {
+    return oauth.accessTokenExpiresAt;
+  }
+
+  private async refreshAccessTokenIfNeeded(
+    refreshToken?: string | null,
+  ): Promise<OAuthTokens | undefined> {
+    if (!refreshToken) {
+      return undefined;
+    }
+
+    try {
+      const clientInfo = await initializeOAuthForServer(this.serverName, this.serverConfig);
+      if (!clientInfo) {
+        return undefined;
+      }
+
+      const tokens = await refreshAccessToken(
+        this.serverName,
+        this.serverConfig,
+        clientInfo,
+        refreshToken,
+      );
+
+      // Reload latest config to sync updated tokens/expiry
+      const updatedConfig = await loadServerConfig(this.serverName);
+      if (updatedConfig) {
+        this.serverConfig = updatedConfig;
+      }
+
+      const nextRefreshToken = tokens.refreshToken ?? refreshToken;
+      if (tokens.refreshToken === undefined) {
+        console.warn(
+          `Refresh response missing refresh_token for ${this.serverName}; reusing existing refresh token (some providers omit refresh_token on refresh)`,
+        );
+      }
+
+      return {
+        access_token: tokens.accessToken,
+        refresh_token: nextRefreshToken,
+        token_type: 'Bearer',
+        expires_in: tokens.expiresIn,
+      };
+    } catch (error) {
+      console.warn(
+        `Failed to auto-refresh OAuth token for server ${this.serverName}:`,
+        error instanceof Error ? error.message : error,
+      );
+      return undefined;
+    }
+  }
+
  /**
   * Redirect to authorization URL
   * In a server environment, we can't directly redirect the user
--- a/src/services/oauthClientRegistration.ts
+++ b/src/services/oauthClientRegistration.ts
@@ -397,6 +397,7 @@ export const exchangeCodeForToken = async (
    await persistTokens(serverName, {
      accessToken: tokens.access_token,
      refreshToken: tokens.refresh_token ?? undefined,
+      expiresIn: tokens.expires_in,
    });

    return {
@@ -437,6 +438,7 @@ export const refreshAccessToken = async (
    await persistTokens(serverName, {
      accessToken: tokens.access_token,
      refreshToken: tokens.refresh_token ?? undefined,
+      expiresIn: tokens.expires_in,
    });

    return {
--- a/src/services/oauthSettingsStore.ts
+++ b/src/services/oauthSettingsStore.ts
@@ -100,12 +100,17 @@ export const persistTokens = async (
  tokens: {
    accessToken: string;
    refreshToken?: string | null;
+    expiresIn?: number;
    clearPendingAuthorization?: boolean;
  },
 ): Promise<ServerConfigWithOAuth | undefined> => {
  return mutateOAuthSettings(serverName, ({ oauth }) => {
    oauth.accessToken = tokens.accessToken;

+    if (tokens.expiresIn !== undefined) {
+      oauth.accessTokenExpiresAt = Date.now() + tokens.expiresIn * 1000;
+    }
+
    if (tokens.refreshToken !== undefined) {
      if (tokens.refreshToken) {
        oauth.refreshToken = tokens.refreshToken;
@@ -147,6 +152,7 @@ export const clearOAuthData = async (
    if (scope === 'tokens' || scope === 'all') {
      delete oauth.accessToken;
      delete oauth.refreshToken;
+      delete oauth.accessTokenExpiresAt;
    }

    if (scope === 'client' || scope === 'all') {
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -293,6 +293,7 @@ export interface ServerConfig {
    scopes?: string[]; // Required OAuth scopes
    accessToken?: string; // Pre-obtained access token (if available)
    refreshToken?: string; // Refresh token for renewing access
+    accessTokenExpiresAt?: number; // Access token expiration timestamp (ms since epoch)

    // Dynamic client registration (RFC7591)
    // If not explicitly configured, will auto-detect via WWW-Authenticate header on 401 responses
--- a/tests/services/mcpOAuthProvider.test.ts
+++ b/tests/services/mcpOAuthProvider.test.ts
@@ -0,0 +1,106 @@
+jest.mock('../../src/services/oauthClientRegistration.js', () => ({
+  initializeOAuthForServer: jest.fn(),
+  getRegisteredClient: jest.fn(),
+  removeRegisteredClient: jest.fn(),
+  fetchScopesFromServer: jest.fn(),
+  refreshAccessToken: jest.fn(),
+}));
+
+jest.mock('../../src/services/oauthSettingsStore.js', () => ({
+  loadServerConfig: jest.fn(),
+  mutateOAuthSettings: jest.fn(),
+  persistTokens: jest.fn(),
+  updatePendingAuthorization: jest.fn(),
+}));
+
+jest.mock('../../src/services/mcpService.js', () => ({
+  getServerByName: jest.fn(),
+}));
+
+jest.mock('../../src/dao/index.js', () => ({
+  getSystemConfigDao: jest.fn(() => ({ get: jest.fn() })),
+}));
+
+import { MCPHubOAuthProvider } from '../../src/services/mcpOAuthProvider.js';
+import * as oauthRegistration from '../../src/services/oauthClientRegistration.js';
+import * as oauthSettingsStore from '../../src/services/oauthSettingsStore.js';
+import type { ServerConfig } from '../../src/types/index.js';
+
+describe('MCPHubOAuthProvider token refresh', () => {
+  const NOW = 1_700_000_000_000;
+  const TEN_MINUTES_MS = 10 * 60 * 1_000;
+  let nowSpy: jest.SpyInstance<number, []>;
+
+  beforeEach(() => {
+    nowSpy = jest.spyOn(Date, 'now').mockReturnValue(NOW);
+    jest.clearAllMocks();
+  });
+
+  afterEach(() => {
+    nowSpy.mockRestore();
+  });
+
+  const baseConfig: ServerConfig = {
+    url: 'https://example.com/v1/sse',
+    oauth: {
+      clientId: 'client-id',
+      accessToken: 'old-access',
+      refreshToken: 'refresh-token',
+    },
+  };
+
+  it('refreshes access token when expired', async () => {
+    const expiredConfig: ServerConfig = {
+      ...baseConfig,
+      oauth: {
+        ...baseConfig.oauth,
+        accessTokenExpiresAt: NOW - 1_000,
+      },
+    };
+
+    const refreshedConfig: ServerConfig = {
+      ...expiredConfig,
+      oauth: {
+        ...expiredConfig.oauth,
+        accessToken: 'new-access',
+        refreshToken: 'new-refresh',
+        accessTokenExpiresAt: NOW + 3_600_000,
+      },
+    };
+
+    (oauthRegistration.initializeOAuthForServer as jest.Mock).mockResolvedValue({
+      config: {},
+    });
+    (oauthRegistration.refreshAccessToken as jest.Mock).mockResolvedValue({
+      accessToken: 'new-access',
+      refreshToken: 'new-refresh',
+      expiresIn: 3600,
+    });
+    (oauthSettingsStore.loadServerConfig as jest.Mock).mockResolvedValue(refreshedConfig);
+
+    const provider = new MCPHubOAuthProvider('atlassian-work', expiredConfig);
+
+    const tokens = await provider.tokens();
+
+    expect(oauthRegistration.refreshAccessToken).toHaveBeenCalledTimes(1);
+    expect(oauthSettingsStore.loadServerConfig).toHaveBeenCalledTimes(1);
+    expect(tokens?.access_token).toBe('new-access');
+    expect(tokens?.refresh_token).toBe('new-refresh');
+  });
+
+  it('returns cached token when not expired', async () => {
+    const freshConfig: ServerConfig = {
+      ...baseConfig,
+      oauth: {
+        ...baseConfig.oauth,
+        accessTokenExpiresAt: NOW + TEN_MINUTES_MS,
+      },
+    };
+
+    const provider = new MCPHubOAuthProvider('atlassian-work', freshConfig);
+    const tokens = await provider.tokens();
+
+    expect(tokens?.access_token).toBe('old-access');
+    expect(oauthRegistration.refreshAccessToken).not.toHaveBeenCalled();
+  });
+});
Author	SHA1	Message	Date
copilot-swe-agent[bot]	1a7d8083ef	chore: clarify token refresh comments Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:50:55 +00:00
copilot-swe-agent[bot]	58a73b6688	chore: simplify oauth token expiry helpers Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:49:15 +00:00
copilot-swe-agent[bot]	6fc0bd6a49	chore: finalize oauth token refresh tweaks Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:46:49 +00:00
copilot-swe-agent[bot]	375be863b8	chore: refine oauth token tests and warnings Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:45:20 +00:00
copilot-swe-agent[bot]	a4a08d68b9	chore: apply review suggestions Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:38:07 +00:00
copilot-swe-agent[bot]	914ac36f23	chore: address review feedback for oauth refresh Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:36:16 +00:00
copilot-swe-agent[bot]	b98180c870	chore: refine oauth token expiry handling Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:33:49 +00:00
copilot-swe-agent[bot]	2ab60bf7a9	feat: auto-refresh oauth tokens for upstream servers Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-13 14:31:39 +00:00
copilot-swe-agent[bot]	af44eac40c	Initial plan	2025-12-13 14:17:13 +00:00