fix(mcp): anchor OAuth state TTL to dedicated stateCreatedAt column

hasActiveFlow and loadOauthRowByState both gated on updatedAt, but
saveTokens bumps updatedAt on every refresh. An abandoned state column
from one user combined with another user's tool calls (which trigger
background token refreshes) could indefinitely extend the state TTL,
producing permanent 409 "OAuth authorization already in progress"
responses and a wider state-replay window.

Add a stateCreatedAt column set only by saveState (and cleared by
clearState). Both TTL checks now anchor to it, so token refreshes no
longer interfere with state expiry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/oauth/start/route.ts

@@ -76,7 +76,10 @@ export const GET = withRouteHandler(
         userId,
         workspaceId,
       })
-      const hasActiveFlow = !!row.state && row.updatedAt.getTime() > Date.now() - OAUTH_START_TTL_MS
+      const hasActiveFlow =
+        !!row.state &&
+        !!row.stateCreatedAt &&
+        row.stateCreatedAt.getTime() > Date.now() - OAUTH_START_TTL_MS
       if (hasActiveFlow && row.userId && row.userId !== userId) {
         return createMcpErrorResponse(
           new Error('OAuth authorization already in progress'),

apps/sim/lib/mcp/oauth/storage.ts

@@ -28,6 +28,7 @@ export interface McpOauthRow {
   tokens: OAuthTokens | null
   codeVerifier: string | null
   state: string | null
+  stateCreatedAt: Date | null
   updatedAt: Date
 }
 
@@ -97,6 +98,7 @@ export async function getOrCreateOauthRow(params: {
     tokens: null,
     codeVerifier: null,
     state: null,
+    stateCreatedAt: null,
     updatedAt: new Date(),
   }
 }
@@ -124,6 +126,7 @@ async function mapOauthRow(row: RawOauthRow): Promise<McpOauthRow> {
       ? await safeDecrypt(row.id, 'codeVerifier', row.codeVerifier, (d) => d)
       : null,
     state: row.state,
+    stateCreatedAt: row.stateCreatedAt,
     updatedAt: row.updatedAt,
   }
 }
@@ -152,7 +155,7 @@ export async function loadOauthRowByState(state: string): Promise<McpOauthRow |
     .where(
       and(
         eq(mcpServerOauth.state, hashState(state)),
-        gt(mcpServerOauth.updatedAt, new Date(Date.now() - STATE_TTL_MS))
+        gt(mcpServerOauth.stateCreatedAt, new Date(Date.now() - STATE_TTL_MS))
       )
     )
     .limit(1)
@@ -188,9 +191,10 @@ export async function saveCodeVerifier(rowId: string, verifier: string): Promise
 }
 
 export async function saveState(rowId: string, state: string): Promise<void> {
+  const now = new Date()
   await db
     .update(mcpServerOauth)
-    .set({ state: hashState(state), updatedAt: new Date() })
+    .set({ state: hashState(state), stateCreatedAt: now, updatedAt: now })
     .where(eq(mcpServerOauth.id, rowId))
 }
 
@@ -218,7 +222,7 @@ export async function clearVerifier(rowId: string): Promise<void> {
 export async function clearState(rowId: string): Promise<void> {
   await db
     .update(mcpServerOauth)
-    .set({ state: null, updatedAt: new Date() })
+    .set({ state: null, stateCreatedAt: null, updatedAt: new Date() })
     .where(eq(mcpServerOauth.id, rowId))
 }
 

packages/db/migrations/0208_mcp_oauth_state_created_at.sql

@@ -0,0 +1 @@
+ALTER TABLE "mcp_server_oauth" ADD COLUMN "state_created_at" timestamp;