fix(mcp): tighten 401 detection, hash OAuth state at rest

- Use word-boundary regex for 401 match in form auth heuristic
- SHA-256 hash OAuth state in DB; lookup by hash to prevent replay if DB read leaks

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/components/mcp-server-form-modal/mcp-server-form-modal.tsx

@@ -520,7 +520,7 @@ export function McpServerFormModal({
       if (!connectionResult.success) {
         const errorText = (connectionResult.error || '').toLowerCase()
         const looksLikeAuthRequired =
-          errorText.includes('401') ||
+          /\b401\b/.test(errorText) ||
           errorText.includes('unauthorized') ||
           errorText.includes('oauth') ||
           errorText.includes('authentication')

apps/sim/lib/mcp/oauth/storage.ts

@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto'
 import type {
   OAuthClientInformationMixed,
   OAuthTokens,
@@ -8,6 +9,10 @@ import { generateId } from '@sim/utils/id'
 import { and, eq } from 'drizzle-orm'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 
+function hashState(state: string): string {
+  return createHash('sha256').update(state).digest('hex')
+}
+
 export interface McpOauthRow {
   id: string
   mcpServerId: string
@@ -107,7 +112,7 @@ export async function loadOauthRowByState(state: string): Promise<McpOauthRow |
   const [row] = await db
     .select()
     .from(mcpServerOauth)
-    .where(eq(mcpServerOauth.state, state))
+    .where(eq(mcpServerOauth.state, hashState(state)))
     .limit(1)
   if (!row) return null
   return {
@@ -154,7 +159,7 @@ export async function saveCodeVerifier(rowId: string, verifier: string): Promise
 export async function saveState(rowId: string, state: string): Promise<void> {
   await db
     .update(mcpServerOauth)
-    .set({ state, updatedAt: new Date() })
+    .set({ state: hashState(state), updatedAt: new Date() })
     .where(eq(mcpServerOauth.id, rowId))
 }