fix: MS Teams OAuth on Windows uses cmd /c start instead of explorer.exe

nightq · nightq · commit c8d68107e806 · 2026-04-17T18:52:24.000+08:00
Fixes #67738 Root cause: explorer.exe <url> on Windows delegates to the running Explorer shell and exits with code 1, causing OAuth promise rejection even though the browser opened correctly. Fix: Use cmd /c start "" URL instead, which exits 0 on success. Also updates test assertions to handle all three platforms (darwin, win32, linux). Additionally adds .cdpUrl to sensitive URL config paths for security redaction.
diff --git a/extensions/msteams/src/setup-surface.test.ts b/extensions/msteams/src/setup-surface.test.ts
@@ -67,7 +67,15 @@ describe("msteams setup surface", () => {
     child.emit("exit", 0, null);
 
     await expect(result).resolves.toBeUndefined();
-    expect(spawn).toHaveBeenCalledWith(process.platform === "darwin" ? "open" : "xdg-open", [url], {
+    const expectedCmd =
+      process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+    const expectedArgs =
+      process.platform === "darwin"
+        ? [url]
+        : process.platform === "win32"
+          ? ["/c", "start", '""', url]
+          : [url];
+    expect(spawn).toHaveBeenCalledWith(expectedCmd, expectedArgs, {
       stdio: "ignore",
       shell: false,
     });
diff --git a/extensions/msteams/src/setup-surface.ts b/extensions/msteams/src/setup-surface.ts
@@ -31,8 +31,13 @@ const setMSTeamsGroupPolicy = createTopLevelChannelGroupPolicySetter({
 
 export function openDelegatedOAuthUrl(url: string): Promise<void> {
   return new Promise<void>((resolve, reject) => {
-    const cmd = process.platform === "darwin" ? "open" : "xdg-open";
-    const child = spawn(cmd, [url], { stdio: "ignore", shell: false });
+    const [cmd, args]: [string, string[]] =
+      process.platform === "darwin"
+        ? ["open", [url]]
+        : process.platform === "win32"
+          ? ["cmd", ["/c", "start", '""', url]]
+          : ["xdg-open", [url]];
+    const child = spawn(cmd, args, { stdio: "ignore", shell: false });
     child.once("error", reject);
     child.once("exit", (code, signal) => {
       if (code === 0) {
diff --git a/src/shared/net/redact-sensitive-url.test.ts b/src/shared/net/redact-sensitive-url.test.ts
@@ -49,6 +49,8 @@ describe("sensitive URL config metadata", () => {
     expect(isSensitiveUrlConfigPath("models.providers.*.baseUrl")).toBe(true);
     expect(isSensitiveUrlConfigPath("mcp.servers.remote.url")).toBe(true);
     expect(isSensitiveUrlConfigPath("gateway.remote.url")).toBe(false);
+    expect(isSensitiveUrlConfigPath("browser.cdpUrl")).toBe(true);
+    expect(isSensitiveUrlConfigPath("browser.profiles.default.cdpUrl")).toBe(true);
   });
 
   it("uses an explicit url-secret hint tag", () => {
diff --git a/src/shared/net/redact-sensitive-url.ts b/src/shared/net/redact-sensitive-url.ts
@@ -28,6 +28,9 @@ export function isSensitiveUrlConfigPath(path: string): boolean {
   if (path.endsWith(".request.proxy.url")) {
     return true;
   }
+  if (path.endsWith(".cdpUrl")) {
+    return true;
+  }
   return /^mcp\.servers\.(?:\*|[^.]+)\.url$/.test(path);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,9 @@ export function isSensitiveUrlConfigPath(path: string): boolean {`
`28`	`28`	`if (path.endsWith(".request.proxy.url")) {`
`29`	`29`	`return true;`
`30`	`30`	`}`
	`31`	`+ if (path.endsWith(".cdpUrl")) {`
	`32`	`+ return true;`
	`33`	`+ }`
`31`	`34`	`return /^mcp\.servers\.(?:\*\|[^.]+)\.url$/.test(path);`
`32`	`35`	`}`
`33`	`36`