fix(mcp): stop OAuth callback server after authentication completes

Author: hchangjae

packages/opencode/src/mcp/index.ts

@@ -808,41 +808,45 @@ export const layer = Layer.effect(
         return yield* storeClient(s, mcpName, client, listed, mcpConfig.timeout)
       }
 
-      log.info("opening browser for oauth", { mcpName, url: result.authorizationUrl, state: result.oauthState })
+      return yield* Effect.gen(function* () {
+        log.info("opening browser for oauth", { mcpName, url: result.authorizationUrl, state: result.oauthState })
 
-      const callbackPromise = McpOAuthCallback.waitForCallback(result.oauthState, mcpName)
+        const callbackPromise = McpOAuthCallback.waitForCallback(result.oauthState, mcpName)
 
-      yield* Effect.tryPromise(() => open(result.authorizationUrl)).pipe(
-        Effect.flatMap((subprocess) =>
-          Effect.callback<void, Error>((resume) => {
-            const timer = setTimeout(() => resume(Effect.void), 500)
-            subprocess.on("error", (err) => {
-              clearTimeout(timer)
-              resume(Effect.fail(err))
-            })
-            subprocess.on("exit", (code) => {
-              if (code !== null && code !== 0) {
+        yield* Effect.tryPromise(() => open(result.authorizationUrl)).pipe(
+          Effect.flatMap((subprocess) =>
+            Effect.callback<void, Error>((resume) => {
+              const timer = setTimeout(() => resume(Effect.void), 500)
+              subprocess.on("error", (err) => {
                 clearTimeout(timer)
-                resume(Effect.fail(new Error(`Browser open failed with exit code ${code}`)))
-              }
-            })
+                resume(Effect.fail(err))
+              })
+              subprocess.on("exit", (code) => {
+                if (code !== null && code !== 0) {
+                  clearTimeout(timer)
+                  resume(Effect.fail(new Error(`Browser open failed with exit code ${code}`)))
+                }
+              })
+            }),
+          ),
+          Effect.catch(() => {
+            log.warn("failed to open browser, user must open URL manually", { mcpName })
+            return bus.publish(BrowserOpenFailed, { mcpName, url: result.authorizationUrl }).pipe(Effect.ignore)
           }),
-        ),
-        Effect.catch(() => {
-          log.warn("failed to open browser, user must open URL manually", { mcpName })
-          return bus.publish(BrowserOpenFailed, { mcpName, url: result.authorizationUrl }).pipe(Effect.ignore)
-        }),
-      )
+        )
 
-      const code = yield* Effect.promise(() => callbackPromise)
+        const code = yield* Effect.promise(() => callbackPromise)
 
-      const storedState = yield* auth.getOAuthState(mcpName)
-      if (storedState !== result.oauthState) {
+        const storedState = yield* auth.getOAuthState(mcpName)
+        if (storedState !== result.oauthState) {
+          yield* auth.clearOAuthState(mcpName)
+          throw new Error("OAuth state mismatch - potential CSRF attack")
+        }
         yield* auth.clearOAuthState(mcpName)
-        throw new Error("OAuth state mismatch - potential CSRF attack")
-      }
-      yield* auth.clearOAuthState(mcpName)
-      return yield* finishAuth(mcpName, code)
+        return yield* finishAuth(mcpName, code)
+      }).pipe(
+        Effect.ensuring(Effect.tryPromise(() => McpOAuthCallback.stopIfIdle()).pipe(Effect.ignore)),
+      )
     })
 
     const finishAuth = Effect.fn("MCP.finishAuth")(function* (mcpName: string, authorizationCode: string) {

packages/opencode/src/mcp/oauth-callback.ts

@@ -225,6 +225,12 @@ export async function stop(): Promise<void> {
   mcpNameToState.clear()
 }
 
+export async function stopIfIdle(): Promise<void> {
+  if (pendingAuths.size === 0) {
+    await stop()
+  }
+}
+
 export function isRunning(): boolean {
   return server !== undefined
 }