fix(oauth): pause proxy and release OAuth callback ports

Skip auto-proxy during desktop auth login, stop proxy before Codex/Claude OAuth, clean stale clovapi listeners on ports 1455/53692, and improve callback server shutdown.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: joohw

core/cmd/proxy_cmd.go

@@ -238,6 +238,9 @@ func shouldSkipAutoProxy(cmd *cobra.Command) bool {
 		cmd.Parent().Parent().Name() == "desktop" {
 		return true
 	}
+	if isDesktopAuthCommand(cmd) {
+		return true
+	}
 	for c := cmd; c != nil; c = c.Parent() {
 		switch c.Name() {
 		case "__proxy-daemon", "update", "version":
@@ -247,6 +250,25 @@ func shouldSkipAutoProxy(cmd *cobra.Command) bool {
 	return false
 }
 
+func isDesktopAuthCommand(cmd *cobra.Command) bool {
+	if cmd == nil {
+		return false
+	}
+	auth := cmd
+	for auth != nil && auth.Name() != "auth" {
+		auth = auth.Parent()
+	}
+	if auth == nil || auth.Parent() == nil || auth.Parent().Name() != "desktop" {
+		return false
+	}
+	switch cmd.Name() {
+	case "login", "logout", "status":
+		return true
+	default:
+		return false
+	}
+}
+
 func cmdHiddenProxyDaemon() *cobra.Command {
 	var host string
 	var port int

core/cmd/proxy_cmd_test.go

@@ -54,3 +54,15 @@ func TestShouldSkipAutoProxyForDesktopProfilesTest(t *testing.T) {
 		t.Fatal("desktop profiles test should manage proxy startup itself")
 	}
 }
+
+func TestShouldSkipAutoProxyForDesktopAuthLogin(t *testing.T) {
+	desktop := &cobra.Command{Use: "desktop"}
+	auth := &cobra.Command{Use: "auth"}
+	login := &cobra.Command{Use: "login"}
+	desktop.AddCommand(auth)
+	auth.AddCommand(login)
+
+	if !shouldSkipAutoProxy(login) {
+		t.Fatal("desktop auth login should not auto-start proxy during OAuth")
+	}
+}

core/internal/buildinfo/buildinfo.go

@@ -4,7 +4,7 @@ import "strings"
 
 // Set at link time via -ldflags (see .goreleaser.yaml).
 var (
-	Version = "dev0.1.60"
+	Version = "dev0.1.41"
 	Commit  = "none"
 	Date    = "unknown"
 )

core/internal/desktop/auth_login.go

@@ -3,11 +3,14 @@ package desktop
 import (
 	"context"
 
+	"github.com/clovapi/switcher/internal/proxycontrol"
 	"github.com/clovapi/switcher/internal/subscriptionauth"
 )
 
 type AuthLoginResult = subscriptionauth.LoginResult
 
 func AuthLogin(ctx context.Context, providerID string) AuthLoginResult {
+	// Pause local proxy so OAuth callback ports and cancel/stop flows do not race the daemon.
+	_ = proxycontrol.PauseIfRunning()
 	return subscriptionauth.Login(ctx, providerID, true)
 }

core/internal/proxycontrol/pause.go

@@ -0,0 +1,99 @@
+package proxycontrol
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/clovapi/switcher/internal/profile"
+)
+
+// PauseIfRunning stops the local clovapi proxy when it is healthy.
+// Returns true when a running proxy was stopped (caller may restart later).
+func PauseIfRunning() bool {
+	s, err := profile.Load()
+	if err != nil || !s.Proxy.Enabled {
+		return false
+	}
+	cfg := s.Proxy
+	ok, err := probeHealth(cfg)
+	if err != nil || !ok {
+		return false
+	}
+	_ = shutdownViaHTTP(cfg)
+	_ = waitDown(cfg, 5*time.Second)
+	return true
+}
+
+func probeHealth(cfg profile.ProxyConfig) (bool, error) {
+	client := http.Client{Timeout: 2 * time.Second}
+	resp, err := client.Get(healthURL(cfg))
+	if err != nil {
+		return false, nil
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return false, nil
+	}
+	var body map[string]any
+	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
+		return false, nil
+	}
+	ok, _ := body["ok"].(bool)
+	service, _ := body["service"].(string)
+	return ok && strings.Contains(service, "clovapi-core-proxy"), nil
+}
+
+func shutdownViaHTTP(cfg profile.ProxyConfig) bool {
+	req, err := http.NewRequest(http.MethodPost, baseURL(cfg)+"/__debug/shutdown", nil)
+	if err != nil {
+		return false
+	}
+	client := http.Client{Timeout: 2 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return false
+	}
+	defer resp.Body.Close()
+	return resp.StatusCode == http.StatusOK
+}
+
+func waitDown(cfg profile.ProxyConfig, deadline time.Duration) error {
+	deadlineAt := time.Now().Add(deadline)
+	for time.Now().Before(deadlineAt) {
+		ok, err := probeHealth(cfg)
+		if err != nil {
+			return err
+		}
+		if !ok {
+			return nil
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	return fmt.Errorf("proxy still healthy at %s", healthURL(cfg))
+}
+
+func healthClientHost(bindHost string) string {
+	host := strings.TrimSpace(bindHost)
+	if host == "" {
+		return "127.0.0.1"
+	}
+	switch strings.ToLower(host) {
+	case "0.0.0.0", "::", "::ffff:0.0.0.0":
+		return "127.0.0.1"
+	default:
+		return host
+	}
+}
+
+func healthURL(cfg profile.ProxyConfig) string {
+	host := healthClientHost(cfg.Host)
+	return fmt.Sprintf("http://%s:%d/health", host, cfg.Port)
+}
+
+func baseURL(cfg profile.ProxyConfig) string {
+	host := healthClientHost(cfg.Host)
+	return fmt.Sprintf("http://%s:%d", host, cfg.Port)
+}

core/internal/subscriptionauth/callback.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"strings"
 	"sync"
+	"time"
 )
 
 type callbackData struct {
@@ -30,6 +31,7 @@ type callbackOptions struct {
 
 type callbackServer struct {
 	server *http.Server
+	ln     net.Listener
 	done   chan callbackResult
 	once   sync.Once
 }
@@ -64,14 +66,18 @@ func startCallbackServer(ctx context.Context, opts callbackOptions) (*callbackSe
 	})
 	cs.server = &http.Server{Handler: mux}
 
+	if err := prepareCallbackPort(opts.Port); err != nil {
+		return nil, err
+	}
 	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", opts.Port))
 	if err != nil {
 		return nil, err
 	}
+	cs.ln = ln
 	go func() {
 		<-ctx.Done()
 		cs.complete(callbackResult{err: errCallbackCancelled})
-		_ = cs.server.Close()
+		cs.close()
 	}()
 	go func() {
 		if err := cs.server.Serve(ln); err != nil && err != http.ErrServerClosed {
@@ -91,7 +97,16 @@ func (s *callbackServer) Wait(ctx context.Context) (callbackData, error) {
 }
 
 func (s *callbackServer) Close() {
-	_ = s.server.Close()
+	s.close()
+}
+
+func (s *callbackServer) close() {
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	_ = s.server.Shutdown(ctx)
+	if s.ln != nil {
+		_ = s.ln.Close()
+	}
 }
 
 func (s *callbackServer) complete(result callbackResult) {

core/internal/subscriptionauth/callback_test.go

@@ -0,0 +1,94 @@
+package subscriptionauth
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"testing"
+	"time"
+)
+
+func TestPrepareCallbackPortAllowsReuseAfterClose(t *testing.T) {
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	port := ln.Addr().(*net.TCPAddr).Port
+	if err := prepareCallbackPort(port); err == nil {
+		t.Fatal("expected occupied port to fail prepare")
+	}
+	if err := ln.Close(); err != nil {
+		t.Fatal(err)
+	}
+	if err := prepareCallbackPort(port); err != nil {
+		t.Fatalf("expected port to be free after close: %v", err)
+	}
+}
+
+func TestCallbackServerReleasesPortOnCancel(t *testing.T) {
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	port := ln.Addr().(*net.TCPAddr).Port
+	_ = ln.Close()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	server, err := startCallbackServer(ctx, callbackOptions{
+		Port: port,
+		Path: "/callback",
+		Validate: func(values url.Values) (callbackData, callbackError) {
+			return callbackData{Code: values.Get("code")}, callbackError{}
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	cancel()
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		if err := tryListenCallbackPort(port); err == nil {
+			server.Close()
+			return
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+	server.Close()
+	t.Fatalf("callback port %d still occupied after cancel", port)
+}
+
+func TestCallbackServerReleasesPortAfterSuccess(t *testing.T) {
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	port := ln.Addr().(*net.TCPAddr).Port
+	_ = ln.Close()
+
+	ctx := context.Background()
+	server, err := startCallbackServer(ctx, callbackOptions{
+		Port: port,
+		Path: "/done",
+		Validate: func(values url.Values) (callbackData, callbackError) {
+			return callbackData{Code: "ok"}, callbackError{}
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.Close()
+
+	go func() {
+		time.Sleep(100 * time.Millisecond)
+		_, _ = http.Get("http://127.0.0.1:" + strconv.Itoa(port) + "/done")
+	}()
+	if _, err := server.Wait(ctx); err != nil {
+		t.Fatalf("wait: %v", err)
+	}
+	server.Close()
+	if err := tryListenCallbackPort(port); err != nil {
+		t.Fatalf("expected port released after close: %v", err)
+	}
+}