refactor: replace _authRetryInFlight class field with isAuthRetry parameter

felixweinberger · felixweinberger · commit 71a926013916 · 2026-03-24T21:03:32.000Z
Stops the 10-comment whack-a-mole around flag lifecycle. A mutable
boolean class field is the wrong primitive for 'retry once per
operation' when operations are concurrent and recursive — every
reset point creates a race, every missed reset creates a stuck flag.

Now all four 401 paths use parameter-passed isAuthRetry:

- StreamableHTTP _startOrAuthSse(options, isAuthRetry = false):
  recursion passes true. No class field, no reset sites.
- StreamableHTTP send() delegates to private _send(message, options,
  isAuthRetry). Recursion passes true. No class field.
- SSE _startOrAuth(isAuthRetry = false): onerror callback captures
  isAuthRetry from closure; retry calls _startOrAuth(true).
- SSE send() delegates to private _send(message, isAuthRetry).

Per-operation state dies with the stack frame. Concurrent operations
cannot observe each other's retry state. 12 reset sites deleted.

Also makes SSE onerror fallback consistent with other paths — throws
SdkError(ClientHttpAuthentication) for the circuit-breaker case
instead of plain UnauthorizedError.

Not addressed (noted for auth() cleanup): concurrent 401s still each
call onUnauthorized() independently. Deduplicating that (in-flight
promise pattern) would be a behavior change.
diff --git a/packages/client/src/client/sse.ts b/packages/client/src/client/sse.ts
@@ -98,7 +98,6 @@ export class SSEClientTransport implements Transport {
         this._fetchWithInit = createFetchWithInit(opts?.fetch, opts?.requestInit);
     }
 
-    private _authRetryInFlight = false;
     private _last401Response?: Response;
 
     private async _commonHeaders(): Promise<Headers> {
@@ -119,7 +118,7 @@ export class SSEClientTransport implements Transport {
         });
     }
 
-    private _startOrAuth(): Promise<void> {
+    private _startOrAuth(isAuthRetry = false): Promise<void> {
         const fetchImpl = (this?._eventSourceInit?.fetch ?? this._fetch ?? fetch) as typeof fetch;
         return new Promise((resolve, reject) => {
             this._eventSource = new EventSource(this._url.href, {
@@ -148,22 +147,22 @@ export class SSEClientTransport implements Transport {
 
             this._eventSource.onerror = event => {
                 if (event.code === 401 && this._authProvider) {
-                    if (this._authProvider.onUnauthorized && this._last401Response && !this._authRetryInFlight) {
-                        this._authRetryInFlight = true;
+                    if (this._authProvider.onUnauthorized && this._last401Response && !isAuthRetry) {
                         const response = this._last401Response;
                         this._authProvider
                             .onUnauthorized({ response, serverUrl: this._url, fetchFn: this._fetchWithInit })
-                            .then(() => this._startOrAuth())
+                            .then(() => this._startOrAuth(true))
                             .then(resolve, error => {
                                 this.onerror?.(error);
                                 reject(error);
-                            })
-                            .finally(() => {
-                                this._authRetryInFlight = false;
                             });
                         return;
                     }
-                    const error = new UnauthorizedError();
+                    const error = isAuthRetry
+                        ? new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
+                              status: 401
+                          })
+                        : new UnauthorizedError();
                     reject(error);
                     this.onerror?.(error);
                     return;
@@ -247,6 +246,10 @@ export class SSEClientTransport implements Transport {
     }
 
     async send(message: JSONRPCMessage): Promise<void> {
+        return this._send(message, false);
+    }
+
+    private async _send(message: JSONRPCMessage, isAuthRetry: boolean): Promise<void> {
         if (!this._endpoint) {
             throw new SdkError(SdkErrorCode.NotConnected, 'Not connected');
         }
@@ -271,19 +274,18 @@ export class SSEClientTransport implements Transport {
                         this._scope = scope;
                     }
 
-                    if (this._authProvider.onUnauthorized && !this._authRetryInFlight) {
-                        this._authRetryInFlight = true;
+                    if (this._authProvider.onUnauthorized && !isAuthRetry) {
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
                             fetchFn: this._fetchWithInit
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
-                        return this.send(message);
+                        return this._send(message, true);
                     }
                     await response.text?.().catch(() => {});
-                    if (this._authRetryInFlight) {
+                    if (isAuthRetry) {
                         throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
                             status: 401
                         });
@@ -295,12 +297,9 @@ export class SSEClientTransport implements Transport {
                 throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
             }
 
-            this._authRetryInFlight = false;
-
             // Release connection - POST responses don't have content we need
             await response.text?.().catch(() => {});
         } catch (error) {
-            this._authRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
diff --git a/packages/client/src/client/streamableHttp.ts b/packages/client/src/client/streamableHttp.ts
@@ -148,8 +148,6 @@ export class StreamableHTTPClientTransport implements Transport {
     private _sessionId?: string;
     private _reconnectionOptions: StreamableHTTPReconnectionOptions;
     private _protocolVersion?: string;
-    private _authRetryInFlight = false; // Circuit breaker for send() 401 retry
-    private _sseAuthRetryInFlight = false; // Circuit breaker for _startOrAuthSse() 401 retry — separate so concurrent GET/POST 401s don't interfere
     private _lastUpscopingHeader?: string; // Track last upscoping header to prevent infinite upscoping.
     private _serverRetryMs?: number; // Server-provided retry delay from SSE retry field
     private _reconnectionTimeout?: ReturnType<typeof setTimeout>;
@@ -198,7 +196,7 @@ export class StreamableHTTPClientTransport implements Transport {
         });
     }
 
-    private async _startOrAuthSse(options: StartSSEOptions): Promise<void> {
+    private async _startOrAuthSse(options: StartSSEOptions, isAuthRetry = false): Promise<void> {
         const { resumptionToken } = options;
 
         try {
@@ -227,19 +225,18 @@ export class StreamableHTTPClientTransport implements Transport {
                         this._scope = scope;
                     }
 
-                    if (this._authProvider.onUnauthorized && !this._sseAuthRetryInFlight) {
-                        this._sseAuthRetryInFlight = true;
+                    if (this._authProvider.onUnauthorized && !isAuthRetry) {
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
                             fetchFn: this._fetchWithInit
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
-                        return this._startOrAuthSse(options);
+                        return this._startOrAuthSse(options, true);
                     }
                     await response.text?.().catch(() => {});
-                    if (this._sseAuthRetryInFlight) {
+                    if (isAuthRetry) {
                         throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
                             status: 401
                         });
@@ -252,7 +249,6 @@ export class StreamableHTTPClientTransport implements Transport {
                 // 405 indicates that the server does not offer an SSE stream at GET endpoint
                 // This is an expected case that should not trigger an error
                 if (response.status === 405) {
-                    this._sseAuthRetryInFlight = false;
                     return;
                 }
 
@@ -262,10 +258,8 @@ export class StreamableHTTPClientTransport implements Transport {
                 });
             }
 
-            this._sseAuthRetryInFlight = false;
             this._handleSseStream(response.body, options, true);
         } catch (error) {
-            this._sseAuthRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
@@ -475,6 +469,14 @@ export class StreamableHTTPClientTransport implements Transport {
     async send(
         message: JSONRPCMessage | JSONRPCMessage[],
         options?: { resumptionToken?: string; onresumptiontoken?: (token: string) => void }
+    ): Promise<void> {
+        return this._send(message, options, false);
+    }
+
+    private async _send(
+        message: JSONRPCMessage | JSONRPCMessage[],
+        options: { resumptionToken?: string; onresumptiontoken?: (token: string) => void } | undefined,
+        isAuthRetry: boolean
     ): Promise<void> {
         try {
             const { resumptionToken, onresumptiontoken } = options || {};
@@ -516,19 +518,18 @@ export class StreamableHTTPClientTransport implements Transport {
                         this._scope = scope;
                     }
 
-                    if (this._authProvider.onUnauthorized && !this._authRetryInFlight) {
-                        this._authRetryInFlight = true;
+                    if (this._authProvider.onUnauthorized && !isAuthRetry) {
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
                             fetchFn: this._fetchWithInit
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
-                        return this.send(message, options);
+                        return this._send(message, options, true);
                     }
                     await response.text?.().catch(() => {});
-                    if (this._authRetryInFlight) {
+                    if (isAuthRetry) {
                         throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
                             status: 401
                         });
@@ -573,7 +574,7 @@ export class StreamableHTTPClientTransport implements Transport {
                             throw new UnauthorizedError();
                         }
 
-                        return this.send(message, options);
+                        return this._send(message, options, isAuthRetry);
                     }
                 }
 
@@ -583,8 +584,6 @@ export class StreamableHTTPClientTransport implements Transport {
                 });
             }
 
-            // Reset auth loop flag on successful response
-            this._authRetryInFlight = false;
             this._lastUpscopingHeader = undefined;
 
             // If the response is 202 Accepted, there's no body to process
@@ -634,7 +633,6 @@ export class StreamableHTTPClientTransport implements Transport {
                 await response.text?.().catch(() => {});
             }
         } catch (error) {
-            this._authRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
