fix: multiple fixes on auth flow edge cases

Author: bywang56

server/aws-lsp-codewhisperer/src/language-server/agenticChat/tools/mcp/mcpEventHandler.ts

@@ -87,6 +87,7 @@ export class McpEventHandler {
      * Handles the list MCP servers event
      */
     async onListMcpServers(params: ListMcpServersParams) {
+        this.#isProgrammaticChange = false
         this.#currentEditingServerName = undefined
         const mcpManager = McpManager.instance
 
@@ -797,7 +798,7 @@ export class McpEventHandler {
             command: selectedTransport === TransportType.STDIO ? params.optionsValues.command : undefined,
             url: selectedTransport === TransportType.HTTP ? params.optionsValues.url : undefined,
             enabled: true,
-            numTools: McpManager.instance.getAllToolsWithPermissions(serverName).length,
+            numTools: McpManager.instance.getAllToolsWithPermissions(sanitizedServerName).length,
             scope: params.optionsValues['scope'] === 'global' ? 'global' : 'workspace',
             transportType: selectedTransport,
             languageServerVersion: this.#features.runtime.serverInfo.version,
@@ -1430,7 +1431,8 @@ export class McpEventHandler {
      */
     #getServerStatusError(serverName: string): { title: string; icon: string; status: Status } | undefined {
         const serverStates = McpManager.instance.getAllServerStates()
-        const serverState = serverStates.get(serverName)
+        const key = serverName ? sanitizeName(serverName) : serverName
+        const serverState = key ? serverStates.get(key) : undefined
 
         if (!serverState) {
             return undefined
@@ -1494,7 +1496,6 @@ export class McpEventHandler {
                 if (!this.#lastProgrammaticState) {
                     await this.#handleRefreshMCPList({ id: 'refresh-mcp-list' })
                 } else {
-                    this.#isProgrammaticChange = false
                     this.#features.logging.debug('Skipping refresh due to programmatic change')
                 }
                 this.#debounceTimer = null

server/aws-lsp-codewhisperer/src/language-server/agenticChat/tools/mcp/mcpManager.ts

@@ -170,7 +170,7 @@ export class McpManager {
     /**
      * Load configurations and initialize each enabled server.
      */
-    private async discoverAllServers(authIntent: AuthIntent = AuthIntent.Silent): Promise<void> {
+    private async discoverAllServers(): Promise<void> {
         // Load agent config
         const result = await loadAgentConfig(this.features.workspace, this.features.logging, this.agentPaths)
 
@@ -221,7 +221,7 @@ export class McpManager {
             // Process servers in batches
             for (let i = 0; i < totalServers; i += MAX_CONCURRENT_SERVERS) {
                 const batch = serversToInit.slice(i, i + MAX_CONCURRENT_SERVERS)
-                const batchPromises = batch.map(([name, cfg]) => this.initOneServer(name, cfg, authIntent))
+                const batchPromises = batch.map(([name, cfg]) => this.initOneServer(name, cfg, AuthIntent.Silent))
 
                 this.features.logging.debug(
                     `MCP: initializing batch of ${batch.length} servers (${i + 1}-${Math.min(i + MAX_CONCURRENT_SERVERS, totalServers)} of ${totalServers})`
@@ -373,19 +373,29 @@ export class McpManager {
 
                         if (needsOAuth) {
                             OAuthClient.initialize(this.features.workspace, this.features.logging)
-                            const bearer = await OAuthClient.getValidAccessToken(base, {
-                                interactive: authIntent === 'interactive',
-                            })
-                            // add authorization header if we are able to obtain a bearer token
-                            if (bearer) {
-                                headers = { ...headers, Authorization: `Bearer ${bearer}` }
-                            } else if (authIntent === 'silent') {
-                                // In silent mode we never launch a browser. If we cannot obtain a token
-                                // from cache/refresh, surface a clear auth-required error and stop here.
-                                throw new AgenticChatError(
-                                    `MCP: server '${serverName}' requires OAuth. Open "Edit MCP Server" and save to sign in.`,
-                                    'MCPServerAuthFailed'
-                                )
+                            try {
+                                const bearer = await OAuthClient.getValidAccessToken(base, {
+                                    interactive: authIntent === AuthIntent.Interactive,
+                                })
+                                if (bearer) {
+                                    headers = { ...headers, Authorization: `Bearer ${bearer}` }
+                                } else if (authIntent === AuthIntent.Silent) {
+                                    throw new AgenticChatError(
+                                        `MCP: server '${serverName}' requires OAuth. Open "Edit MCP Server" and save to sign in.`,
+                                        'MCPServerAuthFailed'
+                                    )
+                                }
+                            } catch (e: any) {
+                                const msg = e?.message || ''
+                                const short = /authorization_timed_out/i.test(msg)
+                                    ? 'Sign-in timed out. Please try again.'
+                                    : /Authorization error|PKCE|access_denied|login|consent|token exchange failed/i.test(
+                                            msg
+                                        )
+                                      ? 'Sign-in was cancelled or failed. Please try again.'
+                                      : `OAuth failed: ${msg}`
+
+                                throw new AgenticChatError(`MCP: ${short}`, 'MCPServerAuthFailed')
                             }
                         }
 
@@ -1156,15 +1166,16 @@ export class McpManager {
      */
     public async removeServerFromConfigFile(serverName: string): Promise<void> {
         try {
-            const cfg = this.mcpServers.get(serverName)
+            const sanitized = sanitizeName(serverName)
+            const cfg = this.mcpServers.get(sanitized)
             if (!cfg || !cfg.__configPath__) {
                 this.features.logging.warn(
                     `Cannot remove config for server '${serverName}': Config not found or missing path`
                 )
                 return
             }
 
-            const unsanitizedName = this.serverNameMapping.get(serverName) || serverName
+            const unsanitizedName = this.serverNameMapping.get(sanitized) || serverName
 
             // Remove from agent config
             if (unsanitizedName && this.agentConfig) {

server/aws-lsp-codewhisperer/src/language-server/agenticChat/tools/mcp/mcpOauthClient.ts

@@ -46,9 +46,9 @@ export class OAuthClient {
      */
     public static async getValidAccessToken(
         mcpBase: URL,
-        opts: { interactive?: boolean } = { interactive: true }
+        opts: { interactive?: boolean } = { interactive: false }
     ): Promise<string | undefined> {
-        const interactive = opts?.interactive !== false
+        const interactive = opts?.interactive === true
         const key = this.computeKey(mcpBase)
         const regPath = path.join(this.cacheDir, `${key}.registration.json`)
         const tokPath = path.join(this.cacheDir, `${key}.token.json`)
@@ -333,6 +333,7 @@ export class OAuthClient {
         redirectUri: string,
         server: http.Server
     ): Promise<Token> {
+        const DEFAULT_PKCE_TIMEOUT_MS = 20_000
         // a) generate PKCE params
         const verifier = this.b64url(crypto.randomBytes(32))
         const challenge = this.b64url(crypto.createHash('sha256').update(verifier).digest())
@@ -361,17 +362,26 @@ export class OAuthClient {
         void spawn(opener.cmd, opener.args, { detached: true, stdio: 'ignore' }).unref()
 
         // c) wait for code on our loopback
-        const { code, rxState, err } = await new Promise<{ code: string; rxState: string; err?: string }>(resolve => {
+        const waitForFlow = new Promise<{ code: string; rxState: string; err?: string; errDesc?: string }>(resolve => {
             server.on('request', (req, res) => {
                 const u = new URL(req.url || '/', redirectUri)
                 const c = u.searchParams.get('code') || ''
                 const s = u.searchParams.get('state') || ''
                 const e = u.searchParams.get('error') || undefined
+                const ed = u.searchParams.get('error_description') || undefined
                 res.writeHead(200, { 'content-type': 'text/html' }).end('<h2>You may close this tab.</h2>')
-                resolve({ code: c, rxState: s, err: e })
+                resolve({ code: c, rxState: s, err: e, errDesc: ed })
             })
         })
-        if (err) throw new Error(`Authorization error: ${err}`)
+        const { code, rxState, err, errDesc } = await Promise.race([
+            waitForFlow,
+            new Promise<never>((_, reject) =>
+                setTimeout(() => reject(new Error('authorization_timed_out')), DEFAULT_PKCE_TIMEOUT_MS)
+            ),
+        ])
+        if (err) {
+            throw new Error(`Authorization error: ${err}${errDesc ? ` - ${errDesc}` : ''}`)
+        }
         if (!code || rxState !== state) throw new Error('Invalid authorization response (state mismatch)')
 
         // d) exchange code for token