
🤖 fix: support HTTP-transport MCP servers in OAuth probe (Figma) #2610

Open
jaaydenh wants to merge 7 commits into main from fix/mcp-oauth-figma-probe

Conversation

@jaaydenh
Contributor

@jaaydenh jaaydenh commented Feb 25, 2026

Summary

Improve the OAuth login UX for Figma’s remote MCP server by replacing the confusing 403 “Invalid OAuth error response” message with actionable guidance.

Background

Figma’s remote MCP requires an approved client. When an unapproved client attempts OAuth registration, the auth server returns a plain‑text 403 Forbidden, which the SDK surfaces as:

Invalid OAuth error response … Raw body: Forbidden

This is technically correct but unhelpful. Users need clear direction about the approval requirement and the desktop MCP fallback.

Implementation

  • Added a small formatter in MCPSettingsSection that detects the Figma remote MCP URL + the 403 Forbidden error signature and replaces it with a user‑friendly message.
  • Plumbed the server URL into the OAuth login hook so the formatter can target Figma specifically without affecting other providers.

Validation

  • make static-check

Risks

  • Low. Only affects the rendered error message for a specific 403/Forbidden case.

Generated with mux • Model: openai:gpt-5.2-codex • Thinking: xhigh • Cost: $13.64

…th challenge

- probeWwwAuthenticateHeader: try POST after GET so servers that return
  405 on GET (e.g. Figma's HTTP-transport endpoint) still surface the
  WWW-Authenticate header.

- extractBearerOauthChallenge: return {} instead of null when the header
  is missing or unparseable on 401/403. This lets the UI show the OAuth
  banner; the login flow discovers endpoints via .well-known independently.

- Tests: POST-fallback extraction, minimal challenge on bare 401.
probeServerForBearerChallenge now tries GET first, then POST. This
handles HTTP-transport MCP servers (like Figma) that return 405 on
GET but 401+WWW-Authenticate on POST.

New probeWellKnownResourceMetadata helper directly probes
/.well-known/oauth-protected-resource. Both startDesktopFlow and
startServerFlow use it as a fallback when the bearer challenge probe
doesn't extract a resourceMetadataUrl, letting the SDK discover the
correct auth server via RFC 9728.
@jaaydenh
Contributor Author

@codex review


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 02898ed0de

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jaaydenh
Contributor Author

@codex review

Addressed both comments:

  1. P1: extractBearerOauthChallenge now returns null (not {}) when the header exists but isn't Bearer — non-Bearer auth (Basic, etc.) won't misclassify as OAuth.
  2. P2: probeWellKnownResourceMetadata now tries both the origin-root well-known URL and a path-relative variant for servers mounted under sub-paths.
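
The bearer-challenge probe described in the commit messages (GET first, then POST, so an HTTP-transport server that answers 405 to GET still surfaces WWW-Authenticate) combined with the P1 rule above (401/403 with no header gives a minimal `{}` challenge, a non-Bearer header gives `null`), written out as an added example. This is not mux's own code: the types, the `headerValue` helper, the synchronous `FetchLike` abstraction (a real probe would await `fetch()`) and the stub server are assumptions made so it runs offline.

```typescript
// Added example, not mux's own code: classify a server response as an OAuth
// bearer challenge and probe GET-then-POST, as the PR commits describe.

export interface BearerChallenge {
  realm?: string;
  scope?: string;
  error?: string;
  resourceMetadataUrl?: string; // the resource_metadata parameter (RFC 9728)
}

export interface ProbeResponse {
  status: number;
  headers: Record<string, string>; // header names in any letter case
}

// Transport abstraction (assumed): synchronous so the example runs offline.
export type FetchLike = (url: string, method: "GET" | "POST") => ProbeResponse;

function headerValue(headers: Record<string, string>, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Returns: null  -> not an OAuth challenge (other status, or a non-Bearer scheme such as Basic)
//          {}    -> 401/403 with no WWW-Authenticate: minimal challenge, the UI may still offer OAuth
//          {...} -> parsed Bearer parameters
export function extractBearerOauthChallenge(res: ProbeResponse): BearerChallenge | null {
  if (res.status !== 401 && res.status !== 403) return null;
  const header = headerValue(res.headers, "WWW-Authenticate");
  if (header === undefined || header.trim() === "") return {};
  const m = /^\s*Bearer(?:\s+(.*))?$/i.exec(header);
  if (m === null) return null; // header present but not Bearer: do not misclassify as OAuth
  const challenge: BearerChallenge = {};
  // auth-param grammar: token "=" ( token / quoted-string ), comma separated
  const param = /([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/g;
  let p: RegExpExecArray | null;
  while ((p = param.exec(m[1] !== undefined ? m[1] : "")) !== null) {
    const key = p[1].toLowerCase();
    const value = p[2] !== undefined ? p[2] : p[3];
    if (key === "realm") challenge.realm = value;
    else if (key === "scope") challenge.scope = value;
    else if (key === "error") challenge.error = value;
    else if (key === "resource_metadata") challenge.resourceMetadataUrl = value;
  }
  return challenge;
}

export function probeServerForBearerChallenge(url: string, fetchLike: FetchLike): BearerChallenge | null {
  const fromGet = extractBearerOauthChallenge(fetchLike(url, "GET"));
  if (fromGet !== null) return fromGet;
  // HTTP-transport MCP servers speak JSON-RPC over POST and may answer 405 to GET;
  // in that case only the POST response carries the challenge.
  return extractBearerOauthChallenge(fetchLike(url, "POST"));
}

// Constructed stub modelling the case the PR describes: 405 on GET, 401 + Bearer on POST.
export const stubHttpTransportServer: FetchLike = (_url, method) =>
  method === "GET"
    ? { status: 405, headers: { Allow: "POST" } }
    : {
        status: 401,
        headers: {
          "WWW-Authenticate":
            'Bearer realm="mcp", resource_metadata="https://mcp.example.test/.well-known/oauth-protected-resource"',
        },
      };
```

Keeping the three outcomes distinct matters for the UI: `{}` still lets the OAuth banner appear and the login flow discover endpoints via .well-known on its own, while `null` for a Basic or Digest header stops a non-OAuth server from being treated as an OAuth one.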


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be7e330439


@jaaydenh
Contributor Author

@codex review

Fixed P2: sub-path well-known URL now built from base.pathname + base.origin instead of base.href, so query strings don't corrupt the resolved path.
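
The well-known lookup from the commits and the P2 fix above, as an added example that is not mux's code. It builds the candidate RFC 9728 resource-metadata URLs from `origin` and `pathname` only, so a query string on the server URL cannot end up inside the resolved path, then validates what comes back. The RFC 9728 path-inserted form is a fact of the RFC; the sub-path-mounted variant is my reading of the PR's "path-relative variant", and the `FetchJsonLike` abstraction and stub server are assumptions made so it runs offline.

```typescript
// Added example, not mux's own code: RFC 9728 protected-resource metadata discovery
// with candidate URLs derived from origin + pathname (never from href).

export const WELL_KNOWN = "/.well-known/oauth-protected-resource";

export function wellKnownResourceMetadataCandidates(serverUrl: string): string[] {
  const base = new URL(serverUrl);
  // strip trailing slashes; "" for a server mounted at the origin root
  const path = base.pathname.replace(/\/+$/, "");
  const candidates = [
    base.origin + WELL_KNOWN,         // origin root (RFC 9728 default)
    base.origin + WELL_KNOWN + path,  // RFC 9728 path-inserted form: /.well-known/...{path}
    base.origin + path + WELL_KNOWN,  // sub-path mounted variant (assumed reading of the PR's "path-relative")
  ];
  return Array.from(new Set(candidates)); // root server collapses to one candidate
}

export interface ProtectedResourceMetadata {
  resource: string;
  authorization_servers: string[];
}

// Accept only metadata that names at least one https authorization server; the
// client will follow these to the auth server, so a loose parse is a real risk.
export function parseProtectedResourceMetadata(body: unknown): ProtectedResourceMetadata | null {
  if (typeof body !== "object" || body === null) return null;
  const o = body as Record<string, unknown>;
  if (typeof o.resource !== "string") return null;
  const servers = o.authorization_servers;
  if (!Array.isArray(servers) || servers.length === 0) return null;
  if (!servers.every((s) => typeof s === "string" && s.startsWith("https://"))) return null;
  return { resource: o.resource, authorization_servers: servers as string[] };
}

// Transport abstraction (assumed): synchronous so the example runs offline.
export type FetchJsonLike = (url: string) => { status: number; body: unknown };

export function probeWellKnownResourceMetadata(
  serverUrl: string,
  fetchJson: FetchJsonLike,
): ProtectedResourceMetadata | null {
  for (const url of wellKnownResourceMetadataCandidates(serverUrl)) {
    const res = fetchJson(url);
    if (res.status !== 200) continue;
    const md = parseProtectedResourceMetadata(res.body);
    if (md !== null) return md;
  }
  return null;
}

// Constructed stub: a server mounted under /mcp that serves metadata only at the sub-path variant.
export const stubSubPathServer: FetchJsonLike = (url) =>
  url === "https://mcp.example.test/mcp/.well-known/oauth-protected-resource"
    ? {
        status: 200,
        body: { resource: "https://mcp.example.test/mcp", authorization_servers: ["https://auth.example.test"] },
      }
    : { status: 404, body: null };
```

Trying the candidates in a fixed order and returning the first valid document keeps behaviour predictable across servers mounted at the root and under a sub-path; the https check on `authorization_servers` is the one place a defender wants to be strict, since that URL decides where the browser is sent to authenticate.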

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. You're on a roll.


@jaaydenh
Contributor Author

@codex review

Pared back the PR to a minimal UX-only change: a targeted, user-friendly error message for Figma’s remote MCP 403 “Forbidden” registration failure.

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Bravo.


@jaaydenh
Contributor Author

@codex review

Follow-up: ensure the Figma 403 guidance is also shown in the remote OAuth status panel (Login error path).

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 🎉

