
🔐 fix: Reuse MCP OAuth Authorization URL #13532

Merged
danny-avila merged 2 commits into dev from danny-avila/fix-mcp-oauth-initiate-pkce on Jun 5, 2026

Conversation

@danny-avila danny-avila commented Jun 5, 2026

Owner

Summary

I fixed the MCP OAuth initiate route so it preserves the PKCE verifier/challenge pair created when the flow starts, and hardened the route against foreign or malformed flow IDs.

  • Reuse the stored authorizationUrl for a fresh pending MCP OAuth flow instead of generating a second authorization request.
  • Reject stale, completed, or mismatched flow state before redirecting from /oauth/initiate.
  • Validate userId and flowId query values before loading flow state, and require flowId to match the authenticated user and server.
  • Persist regenerated OAuth metadata in the legacy fallback path so any newly generated authorization URL has matching callback state.
  • Added route regression coverage for stored URL reuse, completed-flow rejection, flow ID validation, and fallback metadata persistence.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • Ran npm run build:data-provider && npm run build:data-schemas && npm run build:api.
  • Ran npx eslint api/server/routes/mcp.js api/server/routes/__tests__/mcp.spec.js.
  • Ran cd api && npx jest server/routes/__tests__/mcp.spec.js --runInBand.
  • Ran cd packages/api && npx jest src/mcp/__tests__/MCPConnectionFactory.test.ts --runInBand --coverage=false.

Test Configuration:

  • Node.js v24.16.0
  • npm 11.16.0
  • Local MongoDB memory server through Jest route tests

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
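The decision order the PR description lays out for /oauth/initiate (reject malformed ids, reject a flowId that is not the authenticated user's for this server, reject non-pending or stale state, reuse the stored authorizationUrl, otherwise regenerate and persist), as an added JavaScript illustration that is not LibreChat's code. The `<userId>:<serverName>` flow-ID convention, the TTL, the HTTP status codes and the Map-based store and state index are assumptions.

```javascript
// Added illustration of the /oauth/initiate decision order described in the PR.
// Not LibreChat's code: the flow-ID convention, TTL, status codes and store are assumed.
const FLOW_TTL_MS = 10 * 60 * 1000; // assumed freshness window for a PENDING flow

// Assumed convention: a flow ID is "<userId>:<serverName>", so a foreign
// flowId can be detected from the session alone, before any store lookup.
function expectedFlowId(userId, serverName) {
  return `${userId}:${serverName}`;
}

function isSafeId(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_:.-]{1,128}$/.test(value);
}

// Returns a side-effect-free decision so the route (and tests) can act on it.
function decideInitiate({ query, sessionUserId, serverName, store, now = Date.now() }) {
  const { userId, flowId } = query;
  if (!isSafeId(userId) || !isSafeId(flowId)) {
    return { action: 'reject', status: 400, reason: 'malformed id' };
  }
  // The flow must belong to the authenticated user and the requested server.
  if (userId !== sessionUserId || flowId !== expectedFlowId(sessionUserId, serverName)) {
    return { action: 'reject', status: 403, reason: 'flow id mismatch' };
  }
  const flow = store.get(flowId);
  if (!flow) return { action: 'reject', status: 404, reason: 'unknown flow' };
  // Completed or stale flows are never redirected again.
  if (flow.status !== 'PENDING') {
    return { action: 'reject', status: 409, reason: 'flow not pending' };
  }
  if (now - flow.createdAt > FLOW_TTL_MS) {
    return { action: 'reject', status: 410, reason: 'flow expired' };
  }
  // Reuse the URL built at flow start: its PKCE challenge matches the stored verifier.
  if (flow.authorizationUrl) return { action: 'redirect', url: flow.authorizationUrl };
  // Legacy fallback: the caller generates a fresh request and must persist it.
  return { action: 'regenerate', flowId };
}

// Fallback persistence: store the regenerated URL/state/verifier on the flow and
// drop the state mapping of the superseded request so only one state resolves.
function persistRegenerated(store, stateIndex, flowId, meta) {
  const flow = store.get(flowId);
  if (flow.state) stateIndex.delete(flow.state);
  Object.assign(flow, meta);
  stateIndex.set(meta.state, flowId);
  return flow;
}
```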

Copilot AI review requested due to automatic review settings June 5, 2026 13:51
@danny-avila

Owner Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Already looking forward to the next diff.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Copilot AI left a comment

Contributor


Pull request overview

This PR fixes MCP OAuth initiation so the original PKCE verifier/challenge (and corresponding authorization request) is preserved by reusing a previously generated authorizationUrl for still-pending flows, and by persisting regenerated OAuth metadata when the route falls back to generating a new authorization request.

Changes:

  • Reuse a stored authorizationUrl for fresh PENDING flows and reject stale/completed/mismatched flow states before redirecting.
  • Persist regenerated OAuth flow metadata (including the new authorizationUrl) and clean up old state mappings when a new authorization request is generated.
  • Add route-level regression tests for stored URL reuse, completed-flow rejection, and metadata persistence/state mapping cleanup.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
api/server/routes/mcp.js | Reworks /oauth/initiate flow validation and persists/reuses authorization URLs + state mappings.
api/server/routes/__tests__/mcp.spec.js | Adds coverage for stored authorization URL reuse and regenerated metadata/state-mapping behavior.


@danny-avila

Owner Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. More of your lovely PRs please.


@danny-avila danny-avila marked this pull request as ready for review June 5, 2026 14:06
@danny-avila danny-avila changed the base branch from main to dev June 5, 2026 14:06
@github-actions

github-actions Bot commented Jun 5, 2026

Contributor

GitNexus: 🚀 deployed

The LibreChat-pr-13532 index is now live on the MCP server.
Deploy run

@danny-avila danny-avila merged commit da58763 into dev Jun 5, 2026
13 checks passed
@danny-avila danny-avila deleted the danny-avila/fix-mcp-oauth-initiate-pkce branch June 5, 2026 21:19
fuuuzzy pushed a commit to fuuuzzy/LibreChat that referenced this pull request Jun 18, 2026
* fix: reuse MCP OAuth authorization URL

* fix: validate MCP OAuth initiate flow ID