Merge pull request #8758 from continuedev/dallin/mcp-oauth-cli

feat(cli): continue oauth for cli MCPs

Author: RomneyDa

extensions/cli/src/__mocks__/auth/workos.ts

@@ -1,7 +1,6 @@
 import { vi } from "vitest";
-import type { AuthConfig } from "../../auth/workos.js";
 
-export const isAuthenticated = vi.fn(() => false);
+export const isAuthenticated = vi.fn(() => Promise.resolve(false));
 export const isAuthenticatedConfig = vi.fn(() => false);
 export const isEnvironmentAuthConfig = vi.fn(() => false);
 export const loadAuthConfig = vi.fn(() => null);

extensions/cli/src/auth/ensureAuth.ts

@@ -9,7 +9,7 @@ import { isAuthenticated, login } from "./workos.js";
 export async function ensureAuthenticated(
   requireAuth: boolean = true,
 ): Promise<boolean> {
-  if (isAuthenticated()) {
+  if (await isAuthenticated()) {
     return true;
   }
 

extensions/cli/src/auth/orgSelection.test.ts

@@ -6,7 +6,7 @@ import {
   autoSelectOrganizationAndConfig,
   createUpdatedAuthConfig,
 } from "./orgSelection.js";
-import type { AuthenticatedConfig } from "./workos.js";
+import { AuthenticatedConfig } from "./workos-types.js";
 
 // Mock dependencies
 vi.mock("fs");

extensions/cli/src/auth/orgSelection.ts

@@ -3,11 +3,13 @@ import * as path from "path";
 
 import chalk from "chalk";
 
-import type { AuthConfig, AuthenticatedConfig } from "../auth/workos.js";
+import type { AuthConfig } from "../auth/workos.js";
 import { saveAuthConfig } from "../auth/workos.js";
 import { getApiClient } from "../config.js";
 import { env } from "../env.js";
 
+import { AuthenticatedConfig } from "./workos-types.js";
+
 /**
  * Creates an updated AuthenticatedConfig with a new organization ID and optional config URI
  */

extensions/cli/src/auth/workos-org.test.ts

@@ -1,10 +1,10 @@
 import chalk from "chalk";
-import { describe, expect, test, beforeEach, vi } from "vitest";
+import { beforeEach, describe, expect, test, vi } from "vitest";
 
 import { getApiClient } from "../config.js";
 
+import { AuthenticatedConfig, EnvironmentAuthConfig } from "./workos-types.js";
 import { ensureOrganization } from "./workos.js";
-import type { AuthenticatedConfig, EnvironmentAuthConfig } from "./workos.js";
 
 // Mock dependencies
 vi.mock("../config.js", () => ({

extensions/cli/src/auth/workos-types.ts

@@ -0,0 +1,38 @@
+/**
+ * Device authorization response from WorkOS
+ */
+export interface DeviceAuthorizationResponse {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete: string;
+  expires_in: number;
+  interval: number;
+}
+
+// Represents an authenticated user's configuration
+export interface AuthenticatedConfig {
+  userId: string;
+  userEmail: string;
+  accessToken: string;
+  refreshToken: string;
+  expiresAt: number;
+  organizationId: string | null | undefined; // null means personal organization, undefined triggers auto-selection
+  configUri?: string; // Optional config URI (file:// or slug://owner/slug)
+  modelName?: string; // Name of the selected model
+}
+
+// Represents configuration when using environment variable auth
+export interface EnvironmentAuthConfig {
+  /**
+   * This userId?: undefined; field a trick to help TypeScript differentiate between
+   * AuthenticatedConfig and EnvironmentAuthConfig. Otherwise AuthenticatedConfig is
+   * a possible subtype of EnvironmentAuthConfig and TypeScript gets confused where
+   * type guards are involved.
+   */
+  userId?: undefined;
+  accessToken: string;
+  organizationId: string | null; // Can be set via --org flag in headless mode
+  configUri?: string; // Optional config URI (file:// or slug://owner/slug)
+  modelName?: string; // Name of the selected model
+}

extensions/cli/src/auth/workos.helpers.ts

@@ -4,11 +4,8 @@ import { getApiClient } from "../config.js";
 import { safeStderr } from "../init.js";
 import { gracefulExit } from "../util/exit.js";
 
-import type {
-  AuthConfig,
-  AuthenticatedConfig,
-  EnvironmentAuthConfig,
-} from "./workos.js";
+import { AuthenticatedConfig, EnvironmentAuthConfig } from "./workos-types.js";
+import type { AuthConfig } from "./workos.js";
 import { saveAuthConfig } from "./workos.js";
 
 /**

extensions/cli/src/auth/workos.test.ts

@@ -1,7 +1,6 @@
 import { slugToUri } from "./uriUtils.js";
+import { AuthenticatedConfig, EnvironmentAuthConfig } from "./workos-types.js";
 import {
-  AuthenticatedConfig,
-  EnvironmentAuthConfig,
   getAccessToken,
   getAssistantSlug,
   getOrganizationId,

extensions/cli/src/auth/workos.ts

@@ -3,13 +3,15 @@ import * as os from "os";
 import * as path from "path";
 
 import chalk from "chalk";
-// Polyfill fetch for Node < 18
 import nodeFetch from "node-fetch";
 import open from "open";
 
+import { logger } from "src/util/logger.js";
+
 import { getApiClient } from "../config.js";
 // eslint-disable-next-line import/order
 import { env } from "../env.js";
+
 if (!globalThis.fetch) {
   globalThis.fetch = nodeFetch as unknown as typeof globalThis.fetch;
 }
@@ -21,33 +23,6 @@ function getAuthConfigPath() {
   return path.join(continueHome, "auth.json");
 }
 
-// Represents an authenticated user's configuration
-export interface AuthenticatedConfig {
-  userId: string;
-  userEmail: string;
-  accessToken: string;
-  refreshToken: string;
-  expiresAt: number;
-  organizationId: string | null | undefined; // null means personal organization, undefined triggers auto-selection
-  configUri?: string; // Optional config URI (file:// or slug://owner/slug)
-  modelName?: string; // Name of the selected model
-}
-
-// Represents configuration when using environment variable auth
-export interface EnvironmentAuthConfig {
-  /**
-   * This userId?: undefined; field a trick to help TypeScript differentiate between
-   * AuthenticatedConfig and EnvironmentAuthConfig. Otherwise AuthenticatedConfig is
-   * a possible subtype of EnvironmentAuthConfig and TypeScript gets confused where
-   * type guards are involved.
-   */
-  userId?: undefined;
-  accessToken: string;
-  organizationId: string | null; // Can be set via --org flag in headless mode
-  configUri?: string; // Optional config URI (file:// or slug://owner/slug)
-  modelName?: string; // Name of the selected model
-}
-
 // Union type representing the possible authentication states
 export type AuthConfig = AuthenticatedConfig | EnvironmentAuthConfig | null;
 
@@ -117,6 +92,11 @@ import {
 
 import { autoSelectOrganizationAndConfig } from "./orgSelection.js";
 import { pathToUri, slugToUri, uriToPath, uriToSlug } from "./uriUtils.js";
+import {
+  AuthenticatedConfig,
+  DeviceAuthorizationResponse,
+  EnvironmentAuthConfig,
+} from "./workos-types.js";
 import {
   handleCliOrgForAuthenticatedConfig,
   handleCliOrgForEnvironmentAuth,
@@ -266,46 +246,30 @@ export function updateLocalConfigPath(localConfigPath: string | null): void {
 /**
  * Checks if the user is authenticated and the token is valid
  */
-export function isAuthenticated(): boolean {
+export async function isAuthenticated(): Promise<boolean> {
   const config = loadAuthConfig();
 
   if (config === null) {
     return false;
   }
 
-  // Environment auth is always valid
   if (isEnvironmentAuthConfig(config)) {
     return true;
   }
 
-  /**
-   * THIS CODE DOESN'T WORK.
-   * .catch() will never return in a non-async function.
-   * It's a hallucination.
-   **/
   if (Date.now() > config.expiresAt) {
-    // Try refreshing the token
-    refreshToken(config.refreshToken).catch(() => {
-      // If refresh fails, we're not authenticated
+    try {
+      const refreshed = await refreshToken(config.refreshToken);
+      return isAuthenticatedConfig(refreshed);
+    } catch (e) {
+      logger.error("Failed to refresh auto token", e);
       return false;
-    });
+    }
   }
 
   return true;
 }
 
-/**
- * Device authorization response from WorkOS
- */
-interface DeviceAuthorizationResponse {
-  device_code: string;
-  user_code: string;
-  verification_uri: string;
-  verification_uri_complete: string;
-  expires_in: number;
-  interval: number;
-}
-
 /**
  * Request device authorization from WorkOS
  */

extensions/cli/src/infoScreen.ts

@@ -26,7 +26,7 @@ export async function handleInfoSlashCommand() {
   );
 
   // Auth info
-  if (isAuthenticated()) {
+  if (await isAuthenticated()) {
     const config = loadAuthConfig();
     if (config && isAuthenticatedConfig(config)) {
       const email = config.userEmail || config.userId;