fix(mcp): throw instead of falling open when refresh lock wait exceeds deadline

waleedlatif1 · waleedlatif1 · commit 4c05f6307f4b · 2026-05-22T10:10:17.000-07:00
When the Redis refresh lock can't be acquired within REFRESH_MAX_WAIT_MS
the previous code ran fn() uncoordinated — but another process can still
be holding the lock (watchdog-extended) and refreshing the same OAuth
row, recreating the exact race the lock prevents.

Throw on deadline. The caller can retry; the Redis-down branch remains
the only path that runs fn() uncoordinated (no coordination is possible
there).
diff --git a/apps/sim/lib/mcp/oauth/storage.test.ts b/apps/sim/lib/mcp/oauth/storage.test.ts
@@ -202,6 +202,25 @@ describe('withMcpOauthRefreshLock', () => {
     expect(keys).toContain('mcp:oauth:refresh:row-b')
   })
 
+  it('throws when the lock is held longer than the max wait (does not race)', async () => {
+    vi.useFakeTimers()
+    try {
+      // Acquire always fails — another process holds the lock with watchdog extension.
+      mockAcquireLock.mockResolvedValue(false)
+      const fn = vi.fn(async () => 'should-not-run')
+
+      const pending = withMcpOauthRefreshLock('row-deadline', fn)
+      // Attach the rejection expectation before draining so Vitest doesn't see
+      // an unhandled rejection while timers advance.
+      const assertion = expect(pending).rejects.toThrow(/held longer than/)
+      await vi.advanceTimersByTimeAsync(31_000)
+      await assertion
+      expect(fn).not.toHaveBeenCalled()
+    } finally {
+      vi.useRealTimers()
+    }
+  })
+
   it('extends the lock TTL while fn() is running so long refreshes do not lose the lock', async () => {
     vi.useFakeTimers()
     try {
diff --git a/apps/sim/lib/mcp/oauth/storage.ts b/apps/sim/lib/mcp/oauth/storage.ts
@@ -308,8 +308,14 @@ async function runWithRedisMutex<T>(
     }
 
     if (Date.now() >= deadline) {
-      logger.warn('Refresh lock wait timed out, running uncoordinated', { rowId })
-      return fn()
+      // Lock still held by another process AND its watchdog is keeping it
+      // alive — falling open would let us refresh concurrently and race the
+      // rotating refresh token. Throw and let the caller decide whether to
+      // retry; the Redis-down path remains the only branch that runs `fn()`
+      // uncoordinated (no coordination available there).
+      throw new Error(
+        `MCP OAuth refresh lock for ${rowId} held longer than ${REFRESH_MAX_WAIT_MS}ms`
+      )
     }
     await sleep(REFRESH_POLL_INTERVAL_MS)
   }

Original file line number	Diff line number	Diff line change
`@@ -308,8 +308,14 @@ async function runWithRedisMutex<T>(`
`308`	`308`	`}`
`309`	`309`
`310`	`310`	`if (Date.now() >= deadline) {`
`311`		`- logger.warn('Refresh lock wait timed out, running uncoordinated', { rowId })`
`312`		`- return fn()`
	`311`	`+ // Lock still held by another process AND its watchdog is keeping it`
	`312`	`+ // alive — falling open would let us refresh concurrently and race the`
	`313`	`+ // rotating refresh token. Throw and let the caller decide whether to`
	`314`	+ // retry; the Redis-down path remains the only branch that runs `fn()`
	`315`	`+ // uncoordinated (no coordination available there).`
	`316`	`+ throw new Error(`
	`317`	+ `MCP OAuth refresh lock for ${rowId} held longer than ${REFRESH_MAX_WAIT_MS}ms`
	`318`	`+ )`
`313`	`319`	`}`
`314`	`320`	`await sleep(REFRESH_POLL_INTERVAL_MS)`
`315`	`321`	`}`