Skip to content

fix(mcp): stop oauth callback server#24866

Open
Hona wants to merge 1 commit intoanomalyco:devfrom
Hona:fix/mcp-oauth-callback-stop
Open

fix(mcp): stop oauth callback server#24866
Hona wants to merge 1 commit intoanomalyco:devfrom
Hona:fix/mcp-oauth-callback-stop

Conversation

@Hona
Copy link
Copy Markdown
Member

@Hona Hona commented Apr 28, 2026

Summary

  • Stop the MCP OAuth callback HTTP server when OAuth auth completes, is removed, or the MCP service is finalized.
  • Keeps the existing callback server behavior while avoiding a live server handle after the auth flow is done.

Repro

I reproduced the leak with a temporary Bun script that starts the same callback server repeatedly:

for (let i = 0; i < 1000; i++) {
  await McpOAuthCallback.ensureRunning(`http://127.0.0.1:${port}/callback`)
}
console.log(McpOAuthCallback.isRunning())

Without McpOAuthCallback.stop(), this prints true and the process stays alive until killed by the 3s command timeout.

With McpOAuthCallback.stop(), the server closes and the same repro exits in ~1.3s.

User-Facing Impact

This is not unbounded memory growth. It is a live HTTP server handle leak.

Action If the callback server is started Possible symptom before this fix
opencode mcp auth <server> OAuth completes, fails, times out, or is cancelled process can keep running after auth is otherwise done
MCP auth API startAuth / finishAuth callback server was started for the flow callback server can remain listening after completion
MCP service disposal pending auth flow exists callback server can remain open until process exit

Verification

  • Focused no-stop repro: server remains running and command hangs until killed after 3s
  • Focused stop repro: server closes and process exits in ~1.3s
  • bun typecheck from packages/opencode
  • pre-push hook: bun turbo typecheck

Copilot AI review requested due to automatic review settings April 28, 2026 23:43
Copilot AI reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Stops the MCP OAuth callback HTTP server once OAuth is completed/removed or when the MCP service is finalized, preventing the callback server from keeping the process alive after auth flows.

Changes:

  • Introduces a shared stopOAuthCallback Effect that closes the callback server (errors ignored).
  • Stops the callback server in the MCP service finalizer and after authenticate() / finishAuth() via Effect.ensuring(...).
  • Stops the callback server when OAuth credentials are removed (removeAuth).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/opencode/src/mcp/index.ts

type Transport = StdioClientTransport | StreamableHTTPClientTransport | SSEClientTransport

const stopOAuthCallback = Effect.tryPromise(() => McpOAuthCallback.stop()).pipe(Effect.ignore)
Comment thread packages/opencode/src/mcp/index.ts
Comment on lines +835 to 836
}).pipe(Effect.ensuring(stopOAuthCallback))
})
@github-actions github-actions Bot mentioned this pull request Apr 29, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Hona