fix: address round-4 review comments on 401 handling

Four fixes from claude[bot] review on the AuthProvider approach:

1. Drain 401 response body after onUnauthorized() succeeds, before the
   retry. Unconsumed bodies block socket recycling in undici. All three
   401 sites now drain before return.

2. _startOrAuthSse() 401 retry was return await, causing onerror to
   fire twice (recursive call's catch + outer catch both fire). Changed
   to return (not awaited) matching the send() pattern. Removed the
   try/finally, added flag reset to success path + outer catch instead.

3. Migration docs still referenced SdkErrorCode.ClientHttpAuthentication
   for the 401-after-auth case, but that throw site was replaced by
   _authRetryInFlight which throws UnauthorizedError. Updated both
   migration.md and migration-SKILL.md.

4. Pre-existing: 403 upscoping auth() call passed this._fetch instead
   of this._fetchWithInit, dropping custom requestInit options during
   token requests. All other auth() calls in this transport already
   used _fetchWithInit.

Author: felixweinberger

docs/migration-SKILL.md

@@ -116,7 +116,7 @@ Two error classes now exist:
 | Invalid params (server response) | `McpError` with `ErrorCode.InvalidParams`    | `ProtocolError` with `ProtocolErrorCode.InvalidParams`            |
 | HTTP transport error             | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttp*`                        |
 | Failed to open SSE stream        | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToOpenStream`       |
-| 401 after auth flow              | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpAuthentication`           |
+| 401 after auth flow              | `StreamableHTTPError`                        | `UnauthorizedError`                                               |
 | 403 after upscoping              | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpForbidden`                |
 | Unexpected content type          | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpUnexpectedContent`        |
 | Session termination failed       | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToTerminateSession` |
@@ -131,7 +131,6 @@ New `SdkErrorCode` enum values:
 - `SdkErrorCode.ConnectionClosed` = `'CONNECTION_CLOSED'`
 - `SdkErrorCode.SendFailed` = `'SEND_FAILED'`
 - `SdkErrorCode.ClientHttpNotImplemented` = `'CLIENT_HTTP_NOT_IMPLEMENTED'`
-- `SdkErrorCode.ClientHttpAuthentication` = `'CLIENT_HTTP_AUTHENTICATION'`
 - `SdkErrorCode.ClientHttpForbidden` = `'CLIENT_HTTP_FORBIDDEN'`
 - `SdkErrorCode.ClientHttpUnexpectedContent` = `'CLIENT_HTTP_UNEXPECTED_CONTENT'`
 - `SdkErrorCode.ClientHttpFailedToOpenStream` = `'CLIENT_HTTP_FAILED_TO_OPEN_STREAM'`

docs/migration.md

@@ -585,7 +585,7 @@ The new `SdkErrorCode` enum contains string-valued codes for local SDK errors:
 | `SdkErrorCode.ConnectionClosed`                   | Connection was closed                      |
 | `SdkErrorCode.SendFailed`                         | Failed to send message                     |
 | `SdkErrorCode.ClientHttpNotImplemented`           | HTTP POST request failed                   |
-| `SdkErrorCode.ClientHttpAuthentication`           | Server returned 401 after successful auth  |
+| `UnauthorizedError` (thrown, not `SdkError`)      | Server returned 401 after re-auth attempt  |
 | `SdkErrorCode.ClientHttpForbidden`                | Server returned 403 after trying upscoping |
 | `SdkErrorCode.ClientHttpUnexpectedContent`        | Unexpected content type in HTTP response   |
 | `SdkErrorCode.ClientHttpFailedToOpenStream`       | Failed to open SSE stream                  |
@@ -617,11 +617,10 @@ import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
 try {
     await transport.send(message);
 } catch (error) {
-    if (error instanceof SdkError) {
+    if (error instanceof UnauthorizedError) {
+        console.log('Token rejected — reconnect with fresh credentials');
+    } else if (error instanceof SdkError) {
         switch (error.code) {
-            case SdkErrorCode.ClientHttpAuthentication:
-                console.log('Auth failed after completing auth flow');
-                break;
             case SdkErrorCode.ClientHttpForbidden:
                 console.log('Forbidden after upscoping attempt');
                 break;

packages/client/src/client/sse.ts

@@ -275,6 +275,7 @@ export class SSEClientTransport implements Transport {
                             serverUrl: this._url,
                             fetchFn: this._fetchWithInit
                         });
+                        await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
                         return this.send(message);
                     }

packages/client/src/client/streamableHttp.ts

@@ -220,16 +220,14 @@ export class StreamableHTTPClientTransport implements Transport {
 
                     if (this._authProvider?.onUnauthorized && !this._authRetryInFlight) {
                         this._authRetryInFlight = true;
-                        try {
-                            await this._authProvider.onUnauthorized({
-                                response,
-                                serverUrl: this._url,
-                                fetchFn: this._fetchWithInit
-                            });
-                            return await this._startOrAuthSse(options);
-                        } finally {
-                            this._authRetryInFlight = false;
-                        }
+                        await this._authProvider.onUnauthorized({
+                            response,
+                            serverUrl: this._url,
+                            fetchFn: this._fetchWithInit
+                        });
+                        await response.text?.().catch(() => {});
+                        // Purposely _not_ awaited, so we don't call onerror twice
+                        return this._startOrAuthSse(options);
                     }
                     if (this._authProvider) {
                         await response.text?.().catch(() => {});
@@ -251,8 +249,10 @@ export class StreamableHTTPClientTransport implements Transport {
                 });
             }
 
+            this._authRetryInFlight = false;
             this._handleSseStream(response.body, options, true);
         } catch (error) {
+            this._authRetryInFlight = false;
             this.onerror?.(error as Error);
             throw error;
         }
@@ -510,6 +510,7 @@ export class StreamableHTTPClientTransport implements Transport {
                             serverUrl: this._url,
                             fetchFn: this._fetchWithInit
                         });
+                        await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
                         return this.send(message);
                     }
@@ -549,7 +550,7 @@ export class StreamableHTTPClientTransport implements Transport {
                             serverUrl: this._url,
                             resourceMetadataUrl: this._resourceMetadataUrl,
                             scope: this._scope,
-                            fetchFn: this._fetch
+                            fetchFn: this._fetchWithInit
                         });
 
                         if (result !== 'AUTHORIZED') {