Follow-up split out of #1514 (Auth cleanup), completed by #1531.
#1531 removed guided auth and added connect-time OAuth, install-level CIMD, per-server OAuth clear, and keychain rehydration for TUI/CLI. The remaining piece of #1514's "migrate web client auth store to /store API" scope is still open:
Migrate the web client's OAuth storage to the shared /store API (RemoteOAuthStorage) so it reads/writes the same oauth.json as the TUI/CLI file-based store, giving web ⇄ TUI ⇄ CLI parity.
Target branch: v2/main.
Scope & context (added post-hoc — this issue is the Wave-1 home for PR #1510's web-OAuth-storage migration)
This pre-existing issue was terse and cited no files, but it stands in as the Wave-1 owner of the RemoteOAuthStorage + async-hydration work from the #1510 decomposition (see tracking #1579). Delivered by PR #1592 onto the Wave-1 rollup branch 1579-wave-1 (reference implementation: #1510 head 33fac3f). The concrete scope:
Behavior
Web OAuth store migrates from BrowserOAuthStorage (sessionStorage) to backend-backed RemoteOAuthStorage (~/.mcp-inspector/storage/oauth.json), shared with TUI/CLI on the same host.
Introduces a single async hydration gate (ready() / getHydrationError()); all post-redirect reads and all saves await it. Clears run hydration-safe (defer until hydrated, never clobber the on-disk blob).
getCodeVerifier / getServerMetadata become async across the interface, propagated through the provider and consumers.
Files changed (delivered on 1579-wave-1)
core/auth/storage.ts — ready() + async hydration gate; async getCodeVerifier / getServerMetadata signatures
core/auth/oauth-storage.ts — OAuthStorageBase hydration + hydration-safe clear*
core/auth/providers.ts — async codeVerifier / getServerMetadata
core/auth/store.ts — skipHydration + normalizeServerUrl keying + raw-key migration
core/auth/connection-state.ts — awaits getServerMetadata (this is feat(web/apps): spec-conformant Apps host + CLI/deep-link path for programmatic review #1510's core/auth/state-machine.ts, renamed on current v2/main)
core/auth/node/storage-node.ts — honors MCP_INSPECTOR_OAUTH_STATE_PATH
core/storage/adapters/remote-storage.ts — keepalive POSTs + surfaces persist failures
clients/web/src/lib/environmentFactory.ts — the load-bearing swap: wires web to RemoteOAuthStorage via the memoized getRemoteOAuthStorage(...) accessor
clients/web/src/lib/remoteOAuthStorage.ts — new memoized RemoteOAuthStorage accessor
clients/web/src/App.tsx — async hydration in the OAuth-callback flow
oauth-storage / storage-browser / storage-remote / oauthManager (async mocks) + integration auth/node/storage and storage/adapters
Verification: exhaustive @claude review to clean, coverage gate ≥90 on all four dims for the gated files, and an independent smoke/audit (backend round-trip through /api/storage/oauth, oauth.json shape matches TUI/CLI, clear-before-hydration preserves sibling tokens) — see the audit on this issue and the rollup verification in #1600.
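The hydration-safe clear described under Behavior, as an added TypeScript sketch that is not code from the MCP Inspector repository. Only ready() and getHydrationError() are names from the issue; FakeBackend, GatedOAuthStore, saveToken, clearServer and the callback-driven load are assumptions made so the pre-hydration window can be stepped through. In this sketch saves are queued the same way as clears, and a failed hydration drops queued operations instead of writing.

```typescript
// Added sketch, not MCP Inspector code; only ready() and getHydrationError()
// are names from the issue, every other name here is hypothetical.
type OAuthBlob = Record<string, { accessToken: string }>; // keyed by server URL
type LoadCb = (err: Error | null, blob: OAuthBlob) => void;

// Constructed stand-in for the backend that owns oauth.json. A load completes
// only when finishLoad() is called, which exposes the pre-hydration window.
class FakeBackend {
  disk: OAuthBlob;
  writes = 0;
  private waiting: LoadCb[] = [];
  constructor(initial: OAuthBlob) { this.disk = initial; }
  load(cb: LoadCb): void { this.waiting.push(cb); }
  finishLoad(err: Error | null = null): void {
    for (const cb of this.waiting.splice(0)) cb(err, { ...this.disk });
  }
  persist(blob: OAuthBlob): void { this.disk = { ...blob }; this.writes++; }
}

class GatedOAuthStore {
  private backend: FakeBackend;
  private cache: OAuthBlob | null = null; // null until hydration succeeds
  private deferred: Array<(b: OAuthBlob) => void> = [];
  private hydrationError: Error | null = null;
  private gate: Promise<void>;
  constructor(backend: FakeBackend) {
    this.backend = backend;
    this.gate = new Promise<void>((resolve) => backend.load((err, blob) => {
      if (err) { this.hydrationError = err; this.deferred = []; } else {
        this.cache = blob;
        const queued = this.deferred.splice(0);
        for (const op of queued) op(blob); // replay on top of the disk state
        if (queued.length > 0) backend.persist(blob);
      }
      resolve();
    }));
  }
  ready(): Promise<void> { return this.gate; }
  getHydrationError(): Error | null { return this.hydrationError; }
  saveToken(url: string, accessToken: string): void { this.mutate((b) => { b[url] = { accessToken }; }); }
  clearServer(url: string): void { this.mutate((b) => { delete b[url]; }); }
  private mutate(op: (b: OAuthBlob) => void): void {
    const cache = this.cache;
    // Unhydrated: the cache is unknown, so persisting it would clobber the file.
    if (cache === null) { if (!this.hydrationError) this.deferred.push(op); return; }
    op(cache);
    this.backend.persist(cache);
  }
}
```

Calling clearServer before finishLoad leaves the backend untouched; once the load completes, the clear is replayed on the loaded blob, so sibling servers' tokens survive.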