fix: separate retry flags for GET-SSE vs POST; forward send() options on retry

felixweinberger · felixweinberger · commit ccf5470d5660 · 2026-03-20T13:27:59.000Z
Two fixes from claude[bot] round-6 review:

1. Shared _authRetryInFlight between _startOrAuthSse() and send()
   created a race: if the fire-and-forget GET SSE gets 401 and sets
   the flag while awaiting onUnauthorized(), a concurrent POST send()
   that also gets 401 would see flag=true and throw ClientHttpAuthentication
   without ever attempting its own re-auth. The old _hasCompletedAuthFlow
   was only set in send() — I introduced the regression when adding
   401 handling to _startOrAuthSse. Split into _authRetryInFlight
   (send path) and _sseAuthRetryInFlight (GET-SSE path).

2. Pre-existing: send() 401/403 retries called this.send(message)
   without forwarding the options parameter, dropping onresumptiontoken
   on the retried request. Added options to both call sites.
diff --git a/packages/client/src/client/streamableHttp.ts b/packages/client/src/client/streamableHttp.ts
@@ -141,7 +141,8 @@ export class StreamableHTTPClientTransport implements Transport {
     private _sessionId?: string;
     private _reconnectionOptions: StreamableHTTPReconnectionOptions;
     private _protocolVersion?: string;
-    private _authRetryInFlight = false; // Circuit breaker: single retry per operation on 401
+    private _authRetryInFlight = false; // Circuit breaker for send() 401 retry
+    private _sseAuthRetryInFlight = false; // Circuit breaker for _startOrAuthSse() 401 retry — separate so concurrent GET/POST 401s don't interfere
     private _lastUpscopingHeader?: string; // Track last upscoping header to prevent infinite upscoping.
     private _serverRetryMs?: number; // Server-provided retry delay from SSE retry field
     private _reconnectionTimeout?: ReturnType<typeof setTimeout>;
@@ -218,8 +219,8 @@ export class StreamableHTTPClientTransport implements Transport {
                         this._scope = scope;
                     }
 
-                    if (this._authProvider.onUnauthorized && !this._authRetryInFlight) {
-                        this._authRetryInFlight = true;
+                    if (this._authProvider.onUnauthorized && !this._sseAuthRetryInFlight) {
+                        this._sseAuthRetryInFlight = true;
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
@@ -230,7 +231,7 @@ export class StreamableHTTPClientTransport implements Transport {
                         return this._startOrAuthSse(options);
                     }
                     await response.text?.().catch(() => {});
-                    if (this._authRetryInFlight) {
+                    if (this._sseAuthRetryInFlight) {
                         throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
                             status: 401
                         });
@@ -243,7 +244,7 @@ export class StreamableHTTPClientTransport implements Transport {
                 // 405 indicates that the server does not offer an SSE stream at GET endpoint
                 // This is an expected case that should not trigger an error
                 if (response.status === 405) {
-                    this._authRetryInFlight = false;
+                    this._sseAuthRetryInFlight = false;
                     return;
                 }
 
@@ -253,10 +254,10 @@ export class StreamableHTTPClientTransport implements Transport {
                 });
             }
 
-            this._authRetryInFlight = false;
+            this._sseAuthRetryInFlight = false;
             this._handleSseStream(response.body, options, true);
         } catch (error) {
-            this._authRetryInFlight = false;
+            this._sseAuthRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
@@ -516,7 +517,7 @@ export class StreamableHTTPClientTransport implements Transport {
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
-                        return this.send(message);
+                        return this.send(message, options);
                     }
                     await response.text?.().catch(() => {});
                     if (this._authRetryInFlight) {
@@ -564,7 +565,7 @@ export class StreamableHTTPClientTransport implements Transport {
                             throw new UnauthorizedError();
                         }
 
-                        return this.send(message);
+                        return this.send(message, options);
                     }
                 }
 
