Description
The OAuth callback server on port 19876 remains running indefinitely after authenticate() completes. When multiple opencode TUI instances are running, this causes CSRF state validation failures because:
- Instance A starts callback server on port 19876 during OAuth flow
- Instance A completes authentication — callback server stays running, port stays occupied
- Instance B starts, triggers OAuth —
ensureRunning() detects port in use, skips server start
- Instance B registers its OAuth state in its own process-local
pendingAuths Map
- Browser callback arrives at Instance A's server — Instance A's
pendingAuths is empty
- Result:
"Invalid or expired state parameter - potential CSRF attack"
Root cause
McpOAuthCallback.stop() is never called after authenticate() completes. The callback server is ephemeral by nature (only needed during the active waitForCallback() window), but it persists for the lifetime of the process.
In oauth-callback.ts, stop() exists but is only called internally when port/path changes during ensureRunning(). No external caller invokes it after auth completion.
Steps to reproduce
- Open opencode TUI instance A — it authenticates with a remote OAuth MCP server (callback server starts on port 19876)
- Open opencode TUI instance B in another terminal
- Instance B attempts OAuth for the same MCP server
- Browser opens, user approves — callback goes to Instance A
- Instance A logs:
oauth callback with invalid state { state: "...", pendingStates: [] }
- Instance B times out after 5 minutes
Proposed fix
Add a stopIfIdle() function that stops the callback server only when no pending auth flows remain:
// oauth-callback.ts
export async function stopIfIdle(): Promise<void> {
if (pendingAuths.size === 0) {
await stop()
}
}Call it after authenticate() resolves (success or failure) in index.ts. This is safe for concurrent auth flows — the server only stops when all pending auths are resolved.
OpenCode version
1.14.19
Operating System
macOS
Description
The OAuth callback server on port 19876 remains running indefinitely after
authenticate()completes. When multiple opencode TUI instances are running, this causes CSRF state validation failures because:ensureRunning()detects port in use, skips server startpendingAuthsMappendingAuthsis empty"Invalid or expired state parameter - potential CSRF attack"Root cause
McpOAuthCallback.stop()is never called afterauthenticate()completes. The callback server is ephemeral by nature (only needed during the activewaitForCallback()window), but it persists for the lifetime of the process.In
oauth-callback.ts,stop()exists but is only called internally when port/path changes duringensureRunning(). No external caller invokes it after auth completion.Steps to reproduce
oauth callback with invalid state { state: "...", pendingStates: [] }Proposed fix
Add a
stopIfIdle()function that stops the callback server only when no pending auth flows remain:Call it after
authenticate()resolves (success or failure) inindex.ts. This is safe for concurrent auth flows — the server only stops when all pending auths are resolved.OpenCode version
1.14.19
Operating System
macOS