ai-workspace-services/opencode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(mcp): bind oauth callback to IPv4 loopback (#30022)

Browse Source
This commit is contained in:
Yufeng He 2026-06-24 12:20:29 +08:00 committed by GitHub
parent 5303ab09f8
commit af31e97493
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/opencode/src/mcp/oauth-callback.ts
View File

@ -3,6 +3,8 @@ import { createServer } from "http"
import { escapeHtml } from "@/util/html"
import { OAUTH_CALLBACK_PORT, OAUTH_CALLBACK_PATH, parseRedirectUri } from "./oauth-provider"
const OAUTH_CALLBACK_HOST = "127.0.0.1"
// Current callback server configuration (may differ from defaults if custom redirectUri is used)
let currentPort = OAUTH_CALLBACK_PORT
let currentPath = OAUTH_CALLBACK_PATH
@ -162,7 +164,7 @@ export async function ensureRunning(redirectUri?: string): Promise<void> {
server = createServer(handleRequest)
await new Promise<void>((resolve, reject) => {
server!.listen(currentPort, () => {
server!.listen(currentPort, OAUTH_CALLBACK_HOST, () => {
resolve()
})
server!.on("error", reject)

42
packages/opencode/test/mcp/oauth-callback.test.ts
View File

@ -1,7 +1,41 @@
import { test, expect, describe, afterEach } from "bun:test"
import { createConnection, createServer as createNetServer } from "net"
import { McpOAuthCallback } from "../../src/mcp/oauth-callback"
import { parseRedirectUri } from "../../src/mcp/oauth-provider"
async function getFreeLoopbackPort(): Promise<number> {
return new Promise((resolve, reject) => {
const probe = createNetServer()
probe.once("error", reject)
probe.listen(0, "127.0.0.1", () => {
const address = probe.address()
probe.close(() => {
if (typeof address === "object" && address) {
resolve(address.port)
return
}
reject(new Error("Could not allocate a loopback port"))
})
})
})
}
async function canConnect(host: string, port: number): Promise<boolean> {
return new Promise((resolve) => {
const socket = createConnection({ host, port })
const done = (ok: boolean) => {
socket.removeAllListeners()
socket.destroy()
resolve(ok)
}
socket.setTimeout(500)
socket.once("connect", () => done(true))
socket.once("error", () => done(false))
socket.once("timeout", () => done(false))
})
}
describe("parseRedirectUri", () => {
test("returns defaults when no URI provided", () => {
const result = parseRedirectUri()
@ -69,4 +103,12 @@ describe("McpOAuthCallback.ensureRunning", () => {
expect(await response.text()).toContain('<div class="error">The user denied access</div>')
})
test("binds the callback server to IPv4 loopback", async () => {
const port = await getFreeLoopbackPort()
await McpOAuthCallback.ensureRunning(`http://127.0.0.1:${port}/custom/callback`)
expect(await canConnect("127.0.0.1", port)).toBe(true)
expect(await canConnect("::1", port)).toBe(false)
})
})