fix(mcp): forward serverId on callback failure; allow loopback http

waleedlatif1 · claude · waleedlatif1 · commit fc33e0374bb7 · 2026-05-05T18:09:03.000-07:00
- hoist serverId from try-block const into outer scope so the catch's htmlClose carries it through to postMessage. Without it, parent's onMessage couldn't clear connectingOauthServers and the UI button stayed stuck on "Connecting…" until popup close. - relax https-only authorization URL check to permit http://localhost, http://127.0.0.1, and http://[::1] per OAuth 2.1 loopback exemption, unblocking local OAuth-protected MCP server development. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/apps/sim/app/api/mcp/oauth/callback/route.ts b/apps/sim/app/api/mcp/oauth/callback/route.ts
@@ -57,6 +57,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     return htmlClose('Missing state or code in callback URL.', false)
   }
 
+  let serverId: string | undefined
   try {
     const session = await getSession()
     if (!session?.user?.id) {
@@ -67,9 +68,14 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     if (!row) {
       return htmlClose('Invalid or expired authorization state.', false)
     }
+    serverId = row.mcpServerId
 
     if (session.user.id !== row.userId) {
-      return htmlClose('You must be signed in as the same user that initiated the flow.', false)
+      return htmlClose(
+        'You must be signed in as the same user that initiated the flow.',
+        false,
+        serverId
+      )
     }
 
     const [server] = await db
@@ -78,7 +84,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       .where(and(eq(mcpServers.id, row.mcpServerId), isNull(mcpServers.deletedAt)))
       .limit(1)
     if (!server || !server.url) {
-      return htmlClose('Server no longer exists.', false)
+      return htmlClose('Server no longer exists.', false, serverId)
     }
 
     // Burn state before token exchange so a replayed callback cannot reuse it.
@@ -107,6 +113,6 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     return htmlClose('Connected. You can close this window.', true, server.id)
   } catch (error) {
     logger.error('MCP OAuth callback failed', error)
-    return htmlClose('Authorization failed. Please try again.', false)
+    return htmlClose('Authorization failed. Please try again.', false, serverId)
   }
 })
diff --git a/apps/sim/hooks/queries/mcp.ts b/apps/sim/hooks/queries/mcp.ts
@@ -188,7 +188,12 @@ export function useStartMcpOauth() {
         if (result.status === 'already_authorized') return { status: 'already_authorized' }
 
         const parsedUrl = new URL(result.authorizationUrl)
-        if (parsedUrl.protocol !== 'https:') {
+        const isLoopbackHttp =
+          parsedUrl.protocol === 'http:' &&
+          (parsedUrl.hostname === 'localhost' ||
+            parsedUrl.hostname === '127.0.0.1' ||
+            parsedUrl.hostname === '[::1]')
+        if (parsedUrl.protocol !== 'https:' && !isLoopbackHttp) {
           throw new Error('Authorization URL must use HTTPS')
         }
         const popup = window.open(
