fix(mcp): include serverId in OAuth postMessage; honor stored secret in edit modal

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/oauth/callback/route.ts

@@ -30,11 +30,12 @@ function escapeHtml(value: string): string {
     .replace(/'/g, ''')
 }
 
-function htmlClose(message: string, ok: boolean): NextResponse {
+function htmlClose(message: string, ok: boolean, serverId?: string): NextResponse {
   const safeMessage = escapeHtml(message)
   const title = ok ? 'Connected' : 'Connection failed'
+  const serverIdLiteral = serverId ? JSON.stringify(serverId) : 'undefined'
   const body = `<!doctype html><html><head><meta charset="utf-8"><title>${title}</title></head><body style="font-family: system-ui; padding: 24px"><p>${safeMessage}</p><script>
-    try { window.opener && window.opener.postMessage({ type: 'mcp-oauth', ok: ${ok ? 'true' : 'false'} }, window.location.origin) } catch (e) {}
+    try { window.opener && window.opener.postMessage({ type: 'mcp-oauth', ok: ${ok ? 'true' : 'false'}, serverId: ${serverIdLiteral} }, window.location.origin) } catch (e) {}
     setTimeout(function () { window.close() }, 800)
   </script></body></html>`
   return new NextResponse(body, {
@@ -93,7 +94,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     await clearVerifier(row.id)
 
     if (result !== 'AUTHORIZED') {
-      return htmlClose('Authorization did not complete.', false)
+      return htmlClose('Authorization did not complete.', false, server.id)
     }
 
     try {
@@ -103,7 +104,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       logger.warn('Post-auth tools refresh failed', toError(e).message)
     }
 
-    return htmlClose('Connected. You can close this window.', true)
+    return htmlClose('Connected. You can close this window.', true, server.id)
   } catch (error) {
     logger.error('MCP OAuth callback failed', error)
     return htmlClose('Authorization failed. Please try again.', false)

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/components/mcp-server-form-modal/mcp-server-form-modal.tsx

@@ -39,6 +39,7 @@ interface McpServerFormData {
   headers?: HeaderEntry[]
   oauthClientId?: string
   oauthClientSecret?: string
+  hasOauthClientSecret?: boolean
 }
 
 export interface McpServerFormConfig {
@@ -346,7 +347,7 @@ export function McpServerFormModal({
     setActiveHeaderIndex(null)
     setUrlScrollLeft(0)
     setHeaderScrollLeft({})
-    setShowAdvanced(!!(data.oauthClientId || data.oauthClientSecret))
+    setShowAdvanced(!!(data.oauthClientId || data.oauthClientSecret || data.hasOauthClientSecret))
     setOauthClientSecretTouched(false)
   }
   if (open !== prevOpen) {

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx

@@ -171,6 +171,7 @@ export function MCP({ initialServerId }: MCPProps) {
         timeout?: number
         headers?: { key: string; value: string }[]
         oauthClientId?: string
+        hasOauthClientSecret?: boolean
       }
     | undefined
   >(undefined)
@@ -205,8 +206,22 @@ export function MCP({ initialServerId }: MCPProps) {
   useEffect(() => {
     function onMessage(event: MessageEvent) {
       if (event.origin !== window.location.origin) return
-      const data = event.data as { type?: string; ok?: boolean } | null
+      const data = event.data as { type?: string; ok?: boolean; serverId?: string } | null
       if (data?.type !== 'mcp-oauth') return
+      if (data.serverId) {
+        const serverId = data.serverId
+        const interval = oauthPopupIntervalsRef.current.get(serverId)
+        if (interval !== undefined) {
+          window.clearInterval(interval)
+          oauthPopupIntervalsRef.current.delete(serverId)
+        }
+        setConnectingOauthServers((prev) => {
+          if (!prev.has(serverId)) return prev
+          const next = new Set(prev)
+          next.delete(serverId)
+          return next
+        })
+      }
       if (data.ok) {
         queryClient.invalidateQueries({ queryKey: mcpKeys.serversList(workspaceId) })
         queryClient.invalidateQueries({ queryKey: mcpKeys.toolsList(workspaceId) })
@@ -393,6 +408,7 @@ export function MCP({ initialServerId }: MCPProps) {
       timeout: 30000,
       headers,
       oauthClientId: server.oauthClientId || undefined,
+      hasOauthClientSecret: server.hasOauthClientSecret === true,
     })
     setShowEditModal(true)
   }