Fix: Prevent Stale Tool/Resource/Prompt Deletion During OAuth Authorization Code Flow #2537
Merged
crivetimihai merged 1 commit into main on Jan 28, 2026
During gateway activation with OAuth Authorization Code flow, `_initialize_gateway` returns empty lists because the user hasn't completed authorization yet. Health checks then treat these empty responses as legitimate and delete all existing tools/resources/prompts.

This change adds an `oauth_auto_fetch_tool_flag` parameter to `_initialize_gateway` that:
- When False (default): Returns empty lists for auth_code gateways during health checks, preserving existing tools
- When True (activation): Skips the early return for auth_code gateways, allowing activation to proceed

The existing check in `_refresh_gateway_tools_resources_prompts` at lines 4724-4729 prevents stale deletion for auth_code gateways with empty responses.

Fixed issues from original PR:
- Corrected typo: oath -> oauth in parameter name
- Removed duplicate docstring entry
- Fixed logic bug that incorrectly skipped token fetch for client_credentials flow when flag was True

Co-authored-by: rakdutta <rakhibiswas@yahoo.com>
Closes #2272
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
2d66b75 to c0e9751
Review & Fixes Applied

I've reviewed and fixed this PR. Here's a summary of the changes:

Issues Found and Fixed

Updated Logic Structure

```python
if grant_type == "authorization_code":
    if not oauth_auto_fetch_tool_flag:
        # Health checks: return empty, preserve existing tools
        return {}, [], [], []
    # Activation: skip early return, try to connect
elif grant_type == "client_credentials":
    # Always fetch token (unaffected by flag)
    access_token = await self.oauth_manager.get_access_token(oauth_config)
```

Verification

The commits have been squashed into a single properly signed commit with co-author attribution preserved.
crivetimihai approved these changes on Jan 28, 2026
hughhennelly pushed a commit to hughhennelly/mcp-context-forge that referenced this pull request on Feb 8, 2026
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request on Feb 24, 2026
kimsehwan96 added a commit to kimsehwan96/mcp-context-forge that referenced this pull request on Mar 23, 2026
When an OAuth authorization_code gateway transitions from offline to online, set_gateway_state re-initializes without a valid token, receives empty results, and deletes all existing tools/resources/prompts as stale.

Add the same auth_code guard that _refresh_gateway_tools_resources_prompts already has (PR IBM#2537): skip stale cleanup when the response is empty for authorization_code gateways.

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
crivetimihai pushed a commit to kimsehwan96/mcp-context-forge that referenced this pull request on Mar 23, 2026
crivetimihai added a commit that referenced this pull request on Mar 23, 2026
* fix: prevent tool deletion on auth_code gateway reactivation

  When an OAuth authorization_code gateway transitions from offline to online, set_gateway_state re-initializes without a valid token, receives empty results, and deletes all existing tools/resources/prompts as stale.

  Add the same auth_code guard that _refresh_gateway_tools_resources_prompts already has (PR #2537): skip stale cleanup when the response is empty for authorization_code gateways.

  Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>

* test: align assert style with existing conventions

  Replace string-parsing assert with call_count check to match the existing test patterns in test_gateway_service.py.

  Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>

* fix: also guard in-memory list reassignment and improve test coverage

  Skip gateway.tools/resources/prompts list filtering when stale cleanup is skipped, and verify all existing tools are preserved by id.

  Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>

* style: align variable naming with existing convention

  Rename _is_auth_code_gw to is_auth_code_gateway and _skip_stale_cleanup to skip_stale_cleanup to match _refresh_gateway_tools_resources_prompts naming.

  Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>

* test: add negative and resource/prompt coverage for auth_code guard

  Add two tests for set_gateway_state auth_code guard:
  - Non-auth_code gateway with empty results still runs stale cleanup
  - Auth_code guard preserves resources and prompts (not just tools)

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* test: add partial-results coverage for auth_code guard

  Verify that an authorization_code gateway returning partial results (some tools) still runs stale cleanup, ensuring the guard only activates when all three collections are empty.

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(sdist): include infra/s390x/Containerfile in MANIFEST.in

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
closes issue #2272

Problem

During gateway activation with OAuth Authorization Code flow, `_initialize_gateway` returns empty lists for capabilities, tools, resources, and prompts because the user hasn't completed authorization yet. Health checks then treat these empty responses as legitimate and delete all existing tools/resources/prompts as "stale", causing data loss.

Solution

- Added `oath_auto_fetch_tool_flag` parameter to `_initialize_gateway` method (line 3792)
  - `False` (default): Skips OAuth token fetch and returns empty lists for Authorization Code flow (line 3852, 3865)
  - `True`: Forces tool/resource/prompt fetch even during OAuth flows (used during gateway activation, line 2459)
- Added early return check in `_refresh_gateway_tools_resources_prompts` (lines 4724-4729)

Changes

- `oath_auto_fetch_tool_flag` controls whether to fetch tools during OAuth initialization
- `True` to force tool fetch (line 2459)
- `False` to skip incomplete OAuth flows (line 4726-4729)
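
The stale-cleanup guard described in the commit messages on this page, as an added sketch that is not the project's code: cleanup is skipped only when an authorization_code gateway returns empty tools, resources and prompts together. `Gateway`, `reconcile` and `demo` are hypothetical stand-ins; `is_auth_code_gateway` and `skip_stale_cleanup` reuse the variable names mentioned in the commit message.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Hypothetical stand-in for a registered gateway record."""
    grant_type: str  # "authorization_code" or "client_credentials"
    tools: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    prompts: set = field(default_factory=set)


def skip_stale_cleanup(gateway, tools, resources, prompts):
    """True when an empty fetch must not be read as 'all items were removed'."""
    is_auth_code_gateway = gateway.grant_type == "authorization_code"
    # The guard fires only when all three collections are empty; a partial
    # result means the fetch was authorized and can be trusted.
    return is_auth_code_gateway and not (tools or resources or prompts)


def reconcile(gateway, tools, resources, prompts):
    """Apply a fetch result to the gateway and return the names deleted as stale."""
    if skip_stale_cleanup(gateway, tools, resources, prompts):
        return set()  # leave stored and in-memory lists untouched
    removed = set()
    fetched = {"tools": tools, "resources": resources, "prompts": prompts}
    for attr, names in fetched.items():
        removed |= getattr(gateway, attr) - set(names)
        setattr(gateway, attr, set(names))
    return removed


def demo():
    """Constructed scenarios mirroring the test cases named in the commit message."""
    pending = Gateway("authorization_code", {"t1", "t2"}, {"r1"}, {"p1"})
    machine = Gateway("client_credentials", {"t1"})
    return {
        "auth_code_empty": reconcile(pending, [], [], []),
        "auth_code_partial": reconcile(pending, ["t1"], [], []),
        "client_credentials_empty": reconcile(machine, [], [], []),
    }


if __name__ == "__main__":
    for scenario, removed in demo().items():
        print(f"{scenario}: removed {sorted(removed)}")
```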