fix(mcp): address PR review — shared OAuth popup hook, PATCH symmetry, callback escape

- Extract useMcpOauthPopup hook so the tool-input "add server" flow gets the
  same postMessage/popup-poll lifecycle as the settings page.
- PATCH /mcp/servers/:id now returns hasOauthClientSecret to mirror GET.
- Escape '<' / '>' inside the JSON-stringified serverId emitted in the
  callback's <script> tag for defense-in-depth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/oauth/callback/route.ts

@@ -33,7 +33,9 @@ function escapeHtml(value: string): string {
 function htmlClose(message: string, ok: boolean, serverId?: string): NextResponse {
   const safeMessage = escapeHtml(message)
   const title = ok ? 'Connected' : 'Connection failed'
-  const serverIdLiteral = serverId ? JSON.stringify(serverId) : 'undefined'
+  const serverIdLiteral = serverId
+    ? JSON.stringify(serverId).replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
+    : 'undefined'
   const body = `<!doctype html><html><head><meta charset="utf-8"><title>${title}</title></head><body style="font-family: system-ui; padding: 24px"><p>${safeMessage}</p><script>
     try { window.opener && window.opener.postMessage({ type: 'mcp-oauth', ok: ${ok ? 'true' : 'false'}, serverId: ${serverIdLiteral} }, window.location.origin) } catch (e) {}
     setTimeout(function () { window.close() }, 800)

apps/sim/app/api/mcp/servers/[id]/route.ts

@@ -209,8 +209,10 @@ export const PATCH = withRouteHandler(
           request,
         })
 
-        const { oauthClientSecret: _secret, ...safeServer } = updatedServer
-        return createMcpSuccessResponse({ server: safeServer })
+        const { oauthClientSecret: _secret, ...rest } = updatedServer
+        return createMcpSuccessResponse({
+          server: { ...rest, hasOauthClientSecret: !!_secret },
+        })
       } catch (error) {
         logger.error(`[${requestId}] Error updating MCP server:`, error)
         return createMcpErrorResponse(toError(error), 'Failed to update MCP server', 500)

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx

@@ -1,9 +1,7 @@
 'use client'
 
-import { useEffect, useRef, useState } from 'react'
+import { useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { toError } from '@sim/utils/errors'
-import { useQueryClient } from '@tanstack/react-query'
 import { ChevronDown, Plus, Search } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import {
@@ -15,7 +13,6 @@ import {
   ModalFooter,
   ModalHeader,
   Tooltip,
-  toast,
 } from '@/components/emcn'
 import { Input } from '@/components/ui'
 import { requestJson } from '@/lib/api/client/request'
@@ -28,18 +25,17 @@ import {
   type McpToolIssue,
 } from '@/lib/mcp/tool-validation'
 import type { McpTransport } from '@/lib/mcp/types'
+import { useMcpOauthPopup } from '@/hooks/mcp/use-mcp-oauth-popup'
 import {
   type McpServer,
   type McpTool,
-  mcpKeys,
   useAllowedMcpDomains,
   useCreateMcpServer,
   useDeleteMcpServer,
   useForceRefreshMcpTools,
   useMcpServers,
   useMcpToolsQuery,
   useRefreshMcpServer,
-  useStartMcpOauth,
   useStoredMcpTools,
   useUpdateMcpServer,
 } from '@/hooks/queries/mcp'
@@ -155,7 +151,6 @@ interface MCPProps {
 export function MCP({ initialServerId }: MCPProps) {
   const params = useParams()
   const workspaceId = params.workspaceId as string
-  const queryClient = useQueryClient()
 
   const {
     data: servers = [],
@@ -175,7 +170,6 @@ export function MCP({ initialServerId }: MCPProps) {
   const deleteServerMutation = useDeleteMcpServer()
   const refreshServerMutation = useRefreshMcpServer()
   const updateServerMutation = useUpdateMcpServer()
-  const startOauthMutation = useStartMcpOauth()
   const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
   const { data: allowedMcpDomains = null } = useAllowedMcpDomains()
 
@@ -184,16 +178,9 @@ export function MCP({ initialServerId }: MCPProps) {
 
   const [searchTerm, setSearchTerm] = useState('')
   const [deletingServers, setDeletingServers] = useState<Set<string>>(() => new Set())
-  const [connectingOauthServers, setConnectingOauthServers] = useState<Set<string>>(() => new Set())
-  const oauthPopupIntervalsRef = useRef<Map<string, number>>(new Map())
-
-  useEffect(() => {
-    const intervals = oauthPopupIntervalsRef.current
-    return () => {
-      for (const id of intervals.values()) window.clearInterval(id)
-      intervals.clear()
-    }
-  }, [])
+  const { connectingServers: connectingOauthServers, startOauthForServer } = useMcpOauthPopup({
+    workspaceId,
+  })
 
   const [serverToDeleteId, setServerToDeleteId] = useState<string | null>(null)
   const showDeleteDialog = serverToDeleteId !== null
@@ -209,72 +196,8 @@ export function MCP({ initialServerId }: MCPProps) {
     }
   }, [])
 
-  useEffect(() => {
-    function onMessage(event: MessageEvent) {
-      if (event.origin !== window.location.origin) return
-      const data = event.data as { type?: string; ok?: boolean; serverId?: string } | null
-      if (data?.type !== 'mcp-oauth') return
-      if (data.serverId) {
-        const serverId = data.serverId
-        const interval = oauthPopupIntervalsRef.current.get(serverId)
-        if (interval !== undefined) {
-          window.clearInterval(interval)
-          oauthPopupIntervalsRef.current.delete(serverId)
-        }
-        setConnectingOauthServers((prev) => {
-          if (!prev.has(serverId)) return prev
-          const next = new Set(prev)
-          next.delete(serverId)
-          return next
-        })
-      }
-      if (data.ok) {
-        queryClient.invalidateQueries({ queryKey: mcpKeys.serversList(workspaceId) })
-        queryClient.invalidateQueries({ queryKey: mcpKeys.toolsList(workspaceId) })
-        queryClient.invalidateQueries({ queryKey: mcpKeys.storedToolsList(workspaceId) })
-        toast.success('Server authorized')
-      } else {
-        toast.error('Authorization failed. Please try again.')
-      }
-    }
-    window.addEventListener('message', onMessage)
-    return () => window.removeEventListener('message', onMessage)
-  }, [queryClient, workspaceId])
-
   const [expandedTools, setExpandedTools] = useState<Set<string>>(() => new Set())
 
-  const startOauthForServer = async (serverId: string) => {
-    setConnectingOauthServers((prev) => new Set(prev).add(serverId))
-    const clear = () => {
-      const existing = oauthPopupIntervalsRef.current.get(serverId)
-      if (existing !== undefined) {
-        window.clearInterval(existing)
-        oauthPopupIntervalsRef.current.delete(serverId)
-      }
-      setConnectingOauthServers((prev) => {
-        const next = new Set(prev)
-        next.delete(serverId)
-        return next
-      })
-    }
-    try {
-      const result = await startOauthMutation.mutateAsync({ serverId, workspaceId })
-      if (result.status === 'already_authorized') {
-        clear()
-        return
-      }
-      const { popup } = result
-      const interval = window.setInterval(() => {
-        if (popup.closed) clear()
-      }, 500)
-      oauthPopupIntervalsRef.current.set(serverId, interval)
-    } catch (e) {
-      clear()
-      logger.error('Failed to start MCP OAuth', e)
-      toast.error(toError(e).message || 'Failed to start authorization')
-    }
-  }
-
   const handleRemoveServer = (serverId: string) => {
     setServerToDeleteId(serverId)
   }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx

@@ -51,6 +51,7 @@ import type { WandControlHandlers } from '@/app/workspace/[workspaceId]/w/[workf
 import { getAllBlocks } from '@/blocks'
 import type { SubBlockConfig as BlockSubBlockConfig } from '@/blocks/types'
 import { BUILT_IN_TOOL_TYPES } from '@/blocks/utils'
+import { useMcpOauthPopup } from '@/hooks/mcp/use-mcp-oauth-popup'
 import { useMcpTools } from '@/hooks/mcp/use-mcp-tools'
 import { useWorkspaceCredential } from '@/hooks/queries/credentials'
 import {
@@ -64,7 +65,6 @@ import {
   useForceRefreshMcpTools,
   useMcpServers,
   useMcpToolsEvents,
-  useStartMcpOauth,
   useStoredMcpTools,
 } from '@/hooks/queries/mcp'
 import { useWorkflowState, useWorkflows } from '@/hooks/queries/workflows'
@@ -537,7 +537,7 @@ export const ToolInput = memo(function ToolInput({
   useMcpToolsEvents(workspaceId)
   const { navigateToSettings } = useSettingsNavigation()
   const createMcpServer = useCreateMcpServer()
-  const startMcpOauth = useStartMcpOauth()
+  const { startOauthForServer } = useMcpOauthPopup({ workspaceId })
   const { data: allowedMcpDomains = null } = useAllowedMcpDomains()
   const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
   const mcpDataLoading = mcpLoading || mcpServersLoading
@@ -2142,7 +2142,7 @@ export const ToolInput = memo(function ToolInput({
             config: { ...config, enabled: true },
           })
           if (result.authType === 'oauth') {
-            await startMcpOauth.mutateAsync({ serverId: result.id, workspaceId })
+            await startOauthForServer(result.id)
           }
         }}
         workspaceId={workspaceId}

apps/sim/hooks/mcp/use-mcp-oauth-popup.ts

@@ -0,0 +1,99 @@
+'use client'
+
+import { useCallback, useEffect, useRef, useState } from 'react'
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { useQueryClient } from '@tanstack/react-query'
+import { toast } from '@/components/emcn'
+import { mcpKeys, useStartMcpOauth } from '@/hooks/queries/mcp'
+
+const logger = createLogger('useMcpOauthPopup')
+
+interface UseMcpOauthPopupProps {
+  workspaceId: string
+}
+
+export function useMcpOauthPopup({ workspaceId }: UseMcpOauthPopupProps) {
+  const queryClient = useQueryClient()
+  const startOauthMutation = useStartMcpOauth()
+
+  const [connectingServers, setConnectingServers] = useState<Set<string>>(() => new Set())
+  const popupIntervalsRef = useRef<Map<string, number>>(new Map())
+
+  useEffect(() => {
+    const intervals = popupIntervalsRef.current
+    return () => {
+      for (const id of intervals.values()) window.clearInterval(id)
+      intervals.clear()
+    }
+  }, [])
+
+  useEffect(() => {
+    function onMessage(event: MessageEvent) {
+      if (event.origin !== window.location.origin) return
+      const data = event.data as { type?: string; ok?: boolean; serverId?: string } | null
+      if (data?.type !== 'mcp-oauth') return
+      if (data.serverId) {
+        const serverId = data.serverId
+        const interval = popupIntervalsRef.current.get(serverId)
+        if (interval !== undefined) {
+          window.clearInterval(interval)
+          popupIntervalsRef.current.delete(serverId)
+        }
+        setConnectingServers((prev) => {
+          if (!prev.has(serverId)) return prev
+          const next = new Set(prev)
+          next.delete(serverId)
+          return next
+        })
+      }
+      if (data.ok) {
+        queryClient.invalidateQueries({ queryKey: mcpKeys.serversList(workspaceId) })
+        queryClient.invalidateQueries({ queryKey: mcpKeys.toolsList(workspaceId) })
+        queryClient.invalidateQueries({ queryKey: mcpKeys.storedToolsList(workspaceId) })
+        toast.success('Server authorized')
+      } else {
+        toast.error('Authorization failed. Please try again.')
+      }
+    }
+    window.addEventListener('message', onMessage)
+    return () => window.removeEventListener('message', onMessage)
+  }, [queryClient, workspaceId])
+
+  const startOauthForServer = useCallback(
+    async (serverId: string) => {
+      setConnectingServers((prev) => new Set(prev).add(serverId))
+      const clear = () => {
+        const existing = popupIntervalsRef.current.get(serverId)
+        if (existing !== undefined) {
+          window.clearInterval(existing)
+          popupIntervalsRef.current.delete(serverId)
+        }
+        setConnectingServers((prev) => {
+          const next = new Set(prev)
+          next.delete(serverId)
+          return next
+        })
+      }
+      try {
+        const result = await startOauthMutation.mutateAsync({ serverId, workspaceId })
+        if (result.status === 'already_authorized') {
+          clear()
+          return
+        }
+        const { popup } = result
+        const interval = window.setInterval(() => {
+          if (popup.closed) clear()
+        }, 500)
+        popupIntervalsRef.current.set(serverId, interval)
+      } catch (e) {
+        clear()
+        logger.error('Failed to start MCP OAuth', e)
+        toast.error(toError(e).message || 'Failed to start authorization')
+      }
+    },
+    [startOauthMutation, workspaceId]
+  )
+
+  return { connectingServers, startOauthForServer }
+}