mcp: check ctx.Err() instead of Authorize error for cancellation

The cancellation check in streamableClientConn.Write inspected the
error returned by OAuthHandler.Authorize to decide whether the caller
abandoned the request. This failed for real-world handlers that return
a custom error rather than wrapping context.Canceled (e.g.
fmt.Errorf("oauth flow interrupted")).

Check ctx.Err() directly — it is the authoritative source for whether
the caller's context was cancelled, regardless of what Authorize
returns.

Update the regression test mock to return a non-wrapping error so it
exercises the real-world path. Verified: test fails (got 2 Authorize
calls) with the old errors.Is(err, ...) check, passes with ctx.Err().

Thanks to @smlx for identifying the bug and suggesting the fix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ravyg

mcp/streamable.go

@@ -1807,7 +1807,14 @@ func (c *streamableClientConn) Write(ctx context.Context, msg jsonrpc.Message) e
 			// sends in response to ctx cancellation) short-circuit instead of
 			// re-invoking the OAuth handler. Otherwise the user gets prompted
 			// to authorize a request they have already abandoned. See #882.
-			if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			//
+			// We check ctx.Err() rather than the error returned by Authorize,
+			// because the handler is user-implemented and may return an error
+			// that does not wrap context.Canceled (e.g. a custom sentinel or
+			// a fmt.Errorf with %v). The context itself is the authoritative
+			// source for whether the caller abandoned the request.
+			ctxErr := ctx.Err()
+			if errors.Is(ctxErr, context.Canceled) || errors.Is(ctxErr, context.DeadlineExceeded) {
 				c.fail(fmt.Errorf("%s: authorization cancelled: %w", requestSummary, err))
 			}
 			// Wrap with ErrRejected so the jsonrpc2 connection doesn't set writeErr

mcp/streamable_client_test.go

@@ -1017,9 +1017,12 @@ func TestStreamableClientOAuth_401(t *testing.T) {
 }
 
 // blockingCountingOAuthHandler is an OAuthHandler that blocks inside
-// Authorize until the caller's context is cancelled, then returns ctx.Err().
-// It records how many times Authorize is invoked. Used by the regression
-// test for #882.
+// Authorize until the caller's context is cancelled, then returns a custom
+// error that does NOT wrap context.Canceled. This mirrors real-world OAuth
+// handlers that catch the cancellation internally and surface their own
+// error type. The fix for #882 checks ctx.Err() directly rather than
+// relying on the error from Authorize, so this must still trigger c.fail().
+// It records how many times Authorize is invoked.
 type blockingCountingOAuthHandler struct {
 	mu        sync.Mutex
 	callCount int
@@ -1036,7 +1039,10 @@ func (h *blockingCountingOAuthHandler) Authorize(ctx context.Context, req *http.
 	// Block until the caller's context is cancelled, mirroring an
 	// interactive OAuth flow that the user has abandoned.
 	<-ctx.Done()
-	return ctx.Err()
+	// Return a custom error that does not wrap context.Canceled, as a
+	// real-world handler might. The code under test must check ctx.Err()
+	// to detect the cancellation, not this error.
+	return fmt.Errorf("oauth flow interrupted")
 }
 
 func (h *blockingCountingOAuthHandler) Calls() int {