fix-user-oauth

Author: AllyW

mcpproxy/mcp_profile.go

@@ -64,13 +64,21 @@ func saveMcpProfile(profile *McpProfile) error {
 		return fmt.Errorf("failed to create config directory %q: %w", dir, err)
 	}
 
+	// log.Printf("saveMcpProfile: Before marshaling - RefreshToken length=%d, RefreshToken empty=%v",
+	// 	len(profile.MCPOAuthRefreshToken), profile.MCPOAuthRefreshToken == "")
+
 	tempFile := mcpConfigPath + ".tmp"
 
 	bytes, err := json.MarshalIndent(profile, "", "\t")
 	if err != nil {
 		return fmt.Errorf("failed to marshal profile: %w", err)
 	}
 
+	// jsonStr := string(bytes)
+	// hasRefreshToken := strings.Contains(jsonStr, "mcp_oauth_refresh_token")
+	// log.Printf("saveMcpProfile: After marshaling - JSON contains 'mcp_oauth_refresh_token'=%v, JSON length=%d",
+	// 	hasRefreshToken, len(jsonStr))
+
 	if err := os.WriteFile(tempFile, bytes, 0600); err != nil {
 		return fmt.Errorf("failed to write temp file %q: %w", tempFile, err)
 	}
@@ -80,64 +88,121 @@ func saveMcpProfile(profile *McpProfile) error {
 		_ = os.Remove(tempFile)
 		return fmt.Errorf("failed to rename temp file to %q: %w", mcpConfigPath, err)
 	}
+
+	log.Printf("saveMcpProfile: Successfully saved MCP profile")
 	return nil
 }
 
+// loadExistingMCPProfile 加载并验证已有的 MCP profile，如果有效则返回，避免重复拉起 OAuth
+func loadExistingMCPProfile(ctx *cli.Context, profile config.Profile, opts ProxyConfig, desiredAppName string) *McpProfile {
+	mcpConfigPath := getMCPConfigPath()
+	bytes, err := os.ReadFile(mcpConfigPath)
+	if err != nil {
+		return nil
+	}
+	mcpProfile, err := NewMcpProfileFromBytes(bytes)
+	if err != nil {
+		return nil
+	}
+
+	if mcpProfile.MCPOAuthSiteType != string(opts.RegionType) {
+		log.Printf("Region type mismatch: saved=%s, requested=%s, ignoring local profile", mcpProfile.MCPOAuthSiteType, string(opts.RegionType))
+		return nil
+	}
+
+	if mcpProfile.MCPOAuthAppName != desiredAppName {
+		log.Printf("App name mismatch: saved=%s, requested=%s, ignoring local profile", mcpProfile.MCPOAuthAppName, desiredAppName)
+		return nil
+	}
+
+	if mcpProfile.MCPOAuthAppId == "" {
+		log.Printf("MCP profile with AppId is empty, ignoring local profile")
+		return nil
+	}
+
+	if mcpProfile.MCPOAuthRefreshToken == "" {
+		log.Printf("MCP profile with RefreshToken is empty, ignoring local profile")
+		return nil
+	}
+
+	if mcpProfile.MCPOAuthRefreshTokenExpire <= util.GetCurrentUnixTime() {
+		log.Printf("MCP profile with RefreshTokenExpire is expired, ignoring local profile")
+		return nil
+	}
+
+	app, err := findOAuthApplicationById(ctx, profile, mcpProfile.MCPOAuthAppId, opts.RegionType)
+	if err != nil {
+		log.Printf("Failed to reuse existing MCP profile (app: %s): %v, ignoring local profile", mcpProfile.MCPOAuthAppName, err)
+		return nil
+	}
+	if app == nil {
+		log.Printf("OAuth application with AppId '%s' not found, ignoring local profile", mcpProfile.MCPOAuthAppId)
+		return nil
+	}
+
+	if err := validateOAuthApplication(app, opts.Scope, opts.Host, opts.Port); err != nil {
+		log.Printf("Reused existing MCP profile validation failed: %v, ignoring local profile", err)
+		return nil
+	}
+
+	// 根据远端 app 信息更新 mcp profile 中的相关字段，其他字段（如 token）保持不变
+	mcpProfile.MCPOAuthAppName = app.AppName
+	mcpProfile.MCPOAuthAppId = app.ApplicationId
+	mcpProfile.MCPOAuthAccessTokenValidity = app.AccessTokenValidity
+	mcpProfile.MCPOAuthRefreshTokenValidity = app.RefreshTokenValidity
+
+	log.Printf("Reused existing MCP profile with app '%s' (AppId: %s)", app.AppName, app.ApplicationId)
+
+	return mcpProfile
+}
+
 func getOrCreateMCPProfile(ctx *cli.Context, opts ProxyConfig) (*McpProfile, error) {
 	profile, err := config.LoadProfileWithContext(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load profile: %w", err)
 	}
 
-	// 如果传入了 oauth-app-name，先验证该应用是否存在且合法
-	// 如果已经验证过 oauth-app-name，直接使用验证过的 app；否则查找或创建默认的 OAuth 应用
-	var validatedApp *OAuthApplication
-	if opts.OAuthAppName != "" {
-		app, err := findOAuthApplicationByName(ctx, profile, opts.RegionType, opts.OAuthAppName)
-		if err != nil {
-			return nil, fmt.Errorf("failed to find OAuth application '%s': %w", opts.OAuthAppName, err)
-		}
-		if app == nil {
-			return nil, fmt.Errorf("OAuth application '%s' not found", opts.OAuthAppName)
-		}
+	// 如果未显式指定 app name，则使用默认的 MCPOAuthAppName，便于复用本地 profile
+	desiredAppName := opts.OAuthAppName
+	if desiredAppName == "" {
+		desiredAppName = MCPOAuthAppName
+	}
 
-		// 验证 Scopes 和 Callback URI
-		requiredRedirectURI := buildRedirectUri(opts.Host, opts.Port)
-		if err := validateOAuthApplication(app, opts.Scope, requiredRedirectURI); err != nil {
-			return nil, fmt.Errorf("OAuth application validation failed: %w", err)
+	existingMcpProfile := loadExistingMCPProfile(ctx, profile, opts, desiredAppName)
+	if existingMcpProfile != nil {
+		// mcpprofile might change, save it again to ensure the latest state is saved
+		if err := saveMcpProfile(existingMcpProfile); err != nil {
+			return nil, fmt.Errorf("failed to save mcp profile: %w", err)
 		}
+		return existingMcpProfile, nil
+	}
 
-		validatedApp = app
-		cli.Printf(ctx.Stdout(), "Using existing OAuth application '%s' (AppId: %s)\n", app.AppName, app.ApplicationId)
-	} else {
-		// 查找或创建默认的 OAuth 应用
-		mcpConfigPath := getMCPConfigPath()
-		if bytes, err := os.ReadFile(mcpConfigPath); err == nil {
-			if mcpProfile, err := NewMcpProfileFromBytes(bytes); err == nil {
-				log.Println("MCP Profile loaded from file", mcpProfile.Name, "app id", mcpProfile.MCPOAuthAppId)
-
-				// 检查 region type 是否匹配，因为国内和国际站的 OAuth 地址不同, Region type 不匹配则重新创建 profile
-				if mcpProfile.MCPOAuthSiteType != string(opts.RegionType) {
-					log.Printf("Region type mismatch: saved=%s, requested=%s, recreating profile", mcpProfile.MCPOAuthSiteType, string(opts.RegionType))
-				} else {
-					err = findOAuthApplicationById(ctx, profile, mcpProfile, opts.RegionType)
-					if err == nil {
-						return mcpProfile, nil
-					} else {
-						log.Println("Failed to find existing OAuth application", err.Error())
-					}
-				}
-			}
+	app, err := findOAuthApplicationByName(ctx, profile, opts.RegionType, desiredAppName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find OAuth application '%s': %w", desiredAppName, err)
+	}
+
+	if app == nil {
+		if opts.OAuthAppName != "" {
+			// if user provide app name, but not found, return error
+			return nil, fmt.Errorf("OAuth application '%s' not found", opts.OAuthAppName)
 		}
-		app, err := getOrCreateMCPOAuthApplication(ctx, profile, opts.RegionType, opts.Host, opts.Port, opts.Scope)
+		cli.Printf(ctx.Stdout(), "Creating new default MCP profile '%s'...\n", DefaultMcpProfileName)
+		app, err = createDefaultMCPOauthApplication(ctx, profile, opts.RegionType, opts.Host, opts.Port, opts.Scope)
 		if err != nil {
-			return nil, fmt.Errorf("failed to get or create OAuth application: %w", err)
+			return nil, fmt.Errorf("failed to create default OAuth application: %w", err)
 		}
-		validatedApp = app
+		cli.Printf(ctx.Stdout(), "Created new default OAuth application '%s' (AppId: %s)\n", app.AppName, app.ApplicationId)
+	} else {
+		cli.Printf(ctx.Stdout(), "Using existing OAuth application '%s' (AppId: %s)\n", app.AppName, app.ApplicationId)
 	}
 
-	cli.Printf(ctx.Stdout(), "Setting up MCPOAuth profile '%s'...\n", DefaultMcpProfileName)
+	if err := validateOAuthApplication(app, opts.Scope, opts.Host, opts.Port); err != nil {
+		return nil, fmt.Errorf("OAuth application validation failed: %w", err)
+	}
+	validatedApp := app
 
+	cli.Printf(ctx.Stdout(), "Setting up MCPOAuth profile '%s'...\n", DefaultMcpProfileName)
 	mcpProfile := NewMcpProfile(DefaultMcpProfileName)
 	mcpProfile.MCPOAuthSiteType = string(opts.RegionType)
 	mcpProfile.MCPOAuthAppId = validatedApp.ApplicationId
@@ -153,9 +218,20 @@ func getOrCreateMCPProfile(ctx *cli.Context, opts ProxyConfig) (*McpProfile, err
 	if err != nil {
 		return nil, fmt.Errorf("OAuth login failed: %w", err)
 	}
+
+	log.Printf("OAuth flow completed: AccessToken length=%d, RefreshToken length=%d, AccessTokenExpire=%d",
+		len(tokenResult.AccessToken), len(tokenResult.RefreshToken), tokenResult.AccessTokenExpire)
+	if tokenResult.RefreshToken == "" {
+		return nil, fmt.Errorf("OAuth flow returned empty RefreshToken (Region=%s, AppId=%s). "+
+			"Please delete this application and let the system create a new NativeApp, or manually create a NativeApp",
+			opts.RegionType, mcpProfile.MCPOAuthAppId)
+	}
+
 	mcpProfile.MCPOAuthAccessToken = tokenResult.AccessToken
 	mcpProfile.MCPOAuthRefreshToken = tokenResult.RefreshToken
 	mcpProfile.MCPOAuthAccessTokenExpire = tokenResult.AccessTokenExpire
+	// refresh token will be updated each time latest access token is refreshed,
+	// however the validity and expiration time is the same as the original when finishing oauth flow
 	mcpProfile.MCPOAuthRefreshTokenExpire = currentTime + int64(validatedApp.RefreshTokenValidity)
 
 	if err = saveMcpProfile(mcpProfile); err != nil {

mcpproxy/mcp_server.go

@@ -89,9 +89,11 @@ type RuntimeStats struct {
 	ErrorRequests   int64
 	ActiveRequests  int64
 
-	TokenRefreshes     int64
-	TokenRefreshErrors int64
-	LastTokenRefresh   int64
+	TokenRefreshes      int64
+	TokenRefreshErrors  int64
+	LastTokenRefresh    int64
+	HealthCheckCounter  int64 // 用于定期输出健康检查日志
+	LastHealthCheckTime int64
 
 	// 启动时的内存状态
 	InitialMemStats runtime.MemStats
@@ -691,6 +693,8 @@ func (r *TokenRefresher) Stop() {
 func (r *TokenRefresher) checkAndRefresh() {
 	r.mu.RLock()
 	currentTime := util.GetCurrentUnixTime()
+	accessTokenRemaining := r.profile.MCPOAuthAccessTokenExpire - currentTime
+	refreshTokenRemaining := r.profile.MCPOAuthRefreshTokenExpire - currentTime
 	needRefresh := false
 	needReauth := false
 
@@ -704,14 +708,32 @@ func (r *TokenRefresher) checkAndRefresh() {
 	}
 	r.mu.RUnlock()
 
+	// 定期输出健康检查日志（每 120 次检查，即每小时）
+	checkCount := atomic.AddInt64(&r.stats.HealthCheckCounter, 1)
+	if checkCount%120 == 0 {
+		log.Printf("Token health check #%d: access_token_remaining=%dm (%.1fh), refresh_token_remaining=%dh (%.1fd), need_refresh=%v, need_reauth=%v",
+			checkCount,
+			accessTokenRemaining/60,
+			float64(accessTokenRemaining)/3600,
+			refreshTokenRemaining/3600,
+			float64(refreshTokenRemaining)/86400,
+			needRefresh,
+			needReauth)
+		atomic.StoreInt64(&r.stats.LastHealthCheckTime, currentTime)
+	}
+
 	if needReauth {
+		log.Printf("Token check: refresh token expiring soon (remaining: %dm), triggering re-authorization", refreshTokenRemaining/60)
 		if err := r.reauthorizeWithProxy(); err != nil {
-			r.reportFatalError(fmt.Errorf("re-authorization failed: %v. Please restart aliyun mcp-proxy", err))
+			log.Printf("MCP Proxy token refresher re-authorization failed: %v", err)
+			r.reportFatalError(fmt.Errorf("re-authorization failed: %w", err))
 			return
 		}
 	} else if needRefresh {
+		log.Printf("Token check: access token expiring soon (remaining: %dm), triggering refresh access token", accessTokenRemaining/60)
 		if err := r.refreshAccessToken(); err != nil {
-			r.reportFatalError(fmt.Errorf("refresh access token failed. Please restart aliyun mcp-proxy"))
+			log.Printf("MCP Proxy token refresher refresh access token failed: %v", err)
+			r.reportFatalError(fmt.Errorf("refresh access token failed: %w", err))
 			return
 		}
 	}
@@ -736,28 +758,89 @@ func (r *TokenRefresher) refreshAccessToken() error {
 	endpoint := EndpointMap[r.regionType].OAuth
 	clientId := r.profile.MCPOAuthAppId
 	refreshToken := r.profile.MCPOAuthRefreshToken
+	accessTokenExpire := r.profile.MCPOAuthAccessTokenExpire
 	r.mu.Unlock()
 
 	// 执行网络请求（不持有锁，避免阻塞）
 	data := url.Values{}
 	data.Set("grant_type", "refresh_token")
 	data.Set("client_id", clientId)
 	data.Set("refresh_token", refreshToken)
-	// fmt.Println("refresh access token data", data.Encode())
-	// fmt.Println("refresh access token endpoint", endpoint)
-	// fmt.Println("refresh access token clientId", clientId)
-	// fmt.Println("refresh access token refreshToken", refreshToken)
 
-	newTokens, err := oauthRefresh(endpoint, data)
+	// 重试逻辑：最多重试 3 次，使用指数退避，避免因为临时网络问题导致服务直接关闭
+	var newTokens *OAuthTokenResponse
+	var err error
+	maxRetries := 3
+	successAttempt := 0
+
+	for attempt := 1; attempt <= maxRetries; attempt++ {
+		if attempt > 1 {
+			backoffDuration := time.Duration(1<<uint(attempt-1)) * time.Second
+			log.Printf("OAuth refresh retry attempt %d/%d after %v backoff", attempt, maxRetries, backoffDuration)
+			time.Sleep(backoffDuration)
+		}
+
+		newTokens, err = oauthRefresh(endpoint, data)
+		if err == nil {
+			successAttempt = attempt
+			break
+		}
+
+		log.Printf("OAuth refresh attempt %d/%d failed: %v", attempt, maxRetries, err)
+
+		// 检查是否是永久性错误（不可重试）
+		if IsPermanentError(err) {
+			log.Printf("Detected permanent OAuth error, stopping retry immediately")
+			break
+		}
+
+		// 如果还没达到最大重试次数，记录日志并继续
+		if attempt < maxRetries {
+			currentTime := util.GetCurrentUnixTime()
+			accessTimeRemaining := accessTokenExpire - currentTime
+			log.Printf("Temporary error, will retry (access_token_remaining: %ds)", accessTimeRemaining)
+		}
+	}
+
 	if err != nil {
 		r.mu.Lock()
 		r.refreshing = false
+		currentAccessTokenExpire := r.profile.MCPOAuthAccessTokenExpire
+		currentRefreshTokenExpire := r.profile.MCPOAuthRefreshTokenExpire
 		r.mu.Unlock()
+
 		atomic.AddInt64(&r.stats.TokenRefreshErrors, 1)
-		return fmt.Errorf("oauth refresh failed: %w", err)
+
+		currentTime := util.GetCurrentUnixTime()
+		accessTimeRemaining := currentAccessTokenExpire - currentTime
+		refreshTimeRemaining := currentRefreshTokenExpire - currentTime
+
+		log.Printf("OAuth refresh failed after %d attempts at %s: %v (access_token_remaining: %ds, refresh_token_remaining: %dh)",
+			maxRetries, time.Now().Format(time.RFC3339), err,
+			accessTimeRemaining, refreshTimeRemaining/3600)
+
+		// 检查是否是永久性错误（如 refresh token 失效、OAuth 应用被删除等）
+		if IsPermanentError(err) {
+			log.Printf("Detected permanent OAuth error (invalid_grant/invalid_client), refresh token is no longer valid")
+			log.Printf("This typically means: 1) OAuth app was deleted, 2) Refresh token was revoked, 3) App credentials changed")
+			log.Printf("Reporting fatal error - service requires re-authorization")
+			return fmt.Errorf("oauth permanent error, re-authorization required: %w", err)
+		}
+
+		// 如果 access token 还有效（提前刷新失败），继续使用当前 token
+		if accessTimeRemaining > 0 {
+			log.Printf("Temporary refresh failure, access token still valid for %ds, continuing to use current token (will retry on next check in 30s)", accessTimeRemaining)
+			return nil
+		}
+
+		// Access token 已经失效，报告致命错误
+		log.Printf("Access token expired and refresh failed, service is unavailable")
+		log.Printf("Reporting fatal error - service requires restart or re-authorization")
+		return fmt.Errorf("oauth refresh failed and access token expired: %w", err)
 	}
 
-	log.Println("Access token refresh request successfully")
+	log.Printf("Access token refresh request successfully after %d attempt(s), access token length=%d, refresh token length=%d, new access token expires in %d seconds",
+		successAttempt, len(newTokens.AccessToken), len(newTokens.RefreshToken), newTokens.ExpiresIn)
 
 	r.mu.Lock()
 	currentTime := util.GetCurrentUnixTime()
@@ -935,9 +1018,11 @@ func (r *TokenRefresher) reauthorizeWithProxy() error {
 		r.reauthorizing = false
 		r.mu.Unlock()
 		atomic.AddInt64(&r.stats.TokenRefreshErrors, 1)
+		log.Printf("OAuth re-authorization request failed: %v", err)
 		return err
 	}
-	log.Println("OAuth re-authorization request successfully")
+	log.Printf("OAuth re-authorization request successfully: AccessToken length=%d, RefreshToken length=%d, ExpiresIn=%d",
+		len(tokenResult.AccessToken), len(tokenResult.RefreshToken), refreshTokenValidity)
 
 	r.mu.Lock()
 	currentTime := util.GetCurrentUnixTime()