Feat(security) - Make the OAuthTokenStorage non static (#7716)

Co-authored-by: Shi Shu <shii@google.com>
2026-04-27 13:34:15 -07:00 · 2025-09-04 16:42:47 -04:00
parent e088c06a9a
commit 35a841f71a
7 changed files with 188 additions and 149 deletions
@@ -365,11 +365,8 @@ async function handleAutomaticOAuth(
    console.log(
      `Starting OAuth authentication for server '${mcpServerName}'...`,
    );
-    await MCPOAuthProvider.authenticate(
-      mcpServerName,
-      oauthAuthConfig,
-      serverUrl,
-    );
+    const authProvider = new MCPOAuthProvider(new MCPOAuthTokenStorage());
+    await authProvider.authenticate(mcpServerName, oauthAuthConfig, serverUrl);

    console.log(
      `OAuth authentication successful for server '${mcpServerName}'`,
@@ -899,9 +896,11 @@ export async function connectToMcpServer(

      if (!shouldTriggerOAuth) {
        // For SSE servers without explicit OAuth config, if a token was found but rejected, report it accurately.
-        const credentials = await MCPOAuthTokenStorage.getToken(mcpServerName);
+        const tokenStorage = new MCPOAuthTokenStorage();
+        const credentials = await tokenStorage.getToken(mcpServerName);
        if (credentials) {
-          const hasStoredTokens = await MCPOAuthProvider.getValidToken(
+          const authProvider = new MCPOAuthProvider(tokenStorage);
+          const hasStoredTokens = await authProvider.getValidToken(
            mcpServerName,
            {
              // Pass client ID if available
@@ -982,10 +981,11 @@ export async function connectToMcpServer(

          // Get the valid token - we need to create a proper OAuth config
          // The token should already be available from the authentication process
-          const credentials =
-            await MCPOAuthTokenStorage.getToken(mcpServerName);
+          const tokenStorage = new MCPOAuthTokenStorage();
+          const credentials = await tokenStorage.getToken(mcpServerName);
          if (credentials) {
-            const accessToken = await MCPOAuthProvider.getValidToken(
+            const authProvider = new MCPOAuthProvider(tokenStorage);
+            const accessToken = await authProvider.getValidToken(
              mcpServerName,
              {
                // Pass client ID if available
@@ -1056,10 +1056,11 @@ export async function connectToMcpServer(
          mcpServerConfig.httpUrl || mcpServerConfig.oauth?.enabled;

        if (!shouldTryDiscovery) {
-          const credentials =
-            await MCPOAuthTokenStorage.getToken(mcpServerName);
+          const tokenStorage = new MCPOAuthTokenStorage();
+          const credentials = await tokenStorage.getToken(mcpServerName);
          if (credentials) {
-            const hasStoredTokens = await MCPOAuthProvider.getValidToken(
+            const authProvider = new MCPOAuthProvider(tokenStorage);
+            const hasStoredTokens = await authProvider.getValidToken(
              mcpServerName,
              {
                // Pass client ID if available
@@ -1116,17 +1117,21 @@ export async function connectToMcpServer(
              console.log(
                `Starting OAuth authentication for server '${mcpServerName}'...`,
              );
-              await MCPOAuthProvider.authenticate(
+              const authProvider = new MCPOAuthProvider(
+                new MCPOAuthTokenStorage(),
+              );
+              await authProvider.authenticate(
                mcpServerName,
                oauthAuthConfig,
                authServerUrl,
              );

              // Retry connection with OAuth token
-              const credentials =
-                await MCPOAuthTokenStorage.getToken(mcpServerName);
+              const tokenStorage = new MCPOAuthTokenStorage();
+              const credentials = await tokenStorage.getToken(mcpServerName);
              if (credentials) {
-                const accessToken = await MCPOAuthProvider.getValidToken(
+                const authProvider = new MCPOAuthProvider(tokenStorage);
+                const accessToken = await authProvider.getValidToken(
                  mcpServerName,
                  {
                    // Pass client ID if available
@@ -1261,7 +1266,9 @@ export async function createTransport(
  let hasOAuthConfig = mcpServerConfig.oauth?.enabled;

  if (hasOAuthConfig && mcpServerConfig.oauth) {
-    accessToken = await MCPOAuthProvider.getValidToken(
+    const tokenStorage = new MCPOAuthTokenStorage();
+    const authProvider = new MCPOAuthProvider(tokenStorage);
+    accessToken = await authProvider.getValidToken(
      mcpServerName,
      mcpServerConfig.oauth,
    );
@@ -1278,9 +1285,11 @@ export async function createTransport(
    }
  } else {
    // Check if we have stored OAuth tokens for this server (from previous authentication)
-    const credentials = await MCPOAuthTokenStorage.getToken(mcpServerName);
+    const tokenStorage = new MCPOAuthTokenStorage();
+    const credentials = await tokenStorage.getToken(mcpServerName);
    if (credentials) {
-      accessToken = await MCPOAuthProvider.getValidToken(mcpServerName, {
+      const authProvider = new MCPOAuthProvider(tokenStorage);
+      accessToken = await authProvider.getValidToken(mcpServerName, {
        // Pass client ID if available
        clientId: credentials.clientId,
      });