fix(mcp): make hookdeck_login non-blocking so browser URL is shown immediately

claude · claude · commit 03a1e2e3245e · 2026-03-10T13:39:36.000Z
Previously, handleLogin blocked for up to 4 minutes while polling for the user to complete browser auth. The browser URL was only returned in the tool result after polling finished, meaning the user never saw it — they just saw a spinner with no way to authenticate. Now the handler returns the browser URL immediately and polls in a background goroutine. Subsequent calls to hookdeck_login report "in progress" (with the URL) or the final result. Once auth completes, the background goroutine updates the shared client and removes the login tool. https://claude.ai/code/session_01Y2eJZgKG78nDyN6Uw2tWQx
diff --git a/pkg/gateway/mcp/server_test.go b/pkg/gateway/mcp/server_test.go
@@ -1056,6 +1056,85 @@ func TestLoginTool_AlreadyAuthenticated(t *testing.T) {
 	_ = client // suppress unused warning
 }
 
+func TestLoginTool_ReturnsURLImmediately(t *testing.T) {
+	// Mock the /cli-auth endpoint to return a browser URL and a poll URL
+	// that never completes (simulates user not yet opening browser).
+	authCalled := false
+	api := mockAPI(t, map[string]http.HandlerFunc{
+		"/2025-07-01/cli-auth": func(w http.ResponseWriter, r *http.Request) {
+			authCalled = true
+			json.NewEncoder(w).Encode(map[string]any{
+				"browser_url": "https://hookdeck.com/auth?code=abc123",
+				"poll_url":    "http://" + r.Host + "/2025-07-01/cli-auth/poll?key=abc123",
+			})
+		},
+		"/2025-07-01/cli-auth/poll": func(w http.ResponseWriter, r *http.Request) {
+			// Never claimed &mdash; user hasn't opened the browser yet.
+			json.NewEncoder(w).Encode(map[string]any{"claimed": false})
+		},
+	})
+
+	unauthClient := newTestClient(api.URL, "")
+	cfg := &config.Config{APIBaseURL: api.URL}
+	srv := NewServer(unauthClient, cfg)
+
+	serverTransport, clientTransport := mcpsdk.NewInMemoryTransports()
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+	go func() { _ = srv.mcpServer.Run(ctx, serverTransport) }()
+
+	mcpClient := mcpsdk.NewClient(&mcpsdk.Implementation{Name: "test", Version: "0.0.1"}, nil)
+	session, err := mcpClient.Connect(ctx, clientTransport, nil)
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = session.Close() })
+
+	// The call should return immediately (not block for 4 minutes).
+	result := callTool(t, session, "hookdeck_login", map[string]any{})
+	assert.True(t, authCalled, "should have called /cli-auth")
+	assert.False(t, result.IsError)
+	text := textContent(t, result)
+	assert.Contains(t, text, "https://hookdeck.com/auth?code=abc123")
+	assert.Contains(t, text, "browser")
+}
+
+func TestLoginTool_InProgressShowsURL(t *testing.T) {
+	api := mockAPI(t, map[string]http.HandlerFunc{
+		"/2025-07-01/cli-auth": func(w http.ResponseWriter, r *http.Request) {
+			json.NewEncoder(w).Encode(map[string]any{
+				"browser_url": "https://hookdeck.com/auth?code=xyz",
+				"poll_url":    "http://" + r.Host + "/2025-07-01/cli-auth/poll?key=xyz",
+			})
+		},
+		"/2025-07-01/cli-auth/poll": func(w http.ResponseWriter, r *http.Request) {
+			json.NewEncoder(w).Encode(map[string]any{"claimed": false})
+		},
+	})
+
+	unauthClient := newTestClient(api.URL, "")
+	cfg := &config.Config{APIBaseURL: api.URL}
+	srv := NewServer(unauthClient, cfg)
+
+	serverTransport, clientTransport := mcpsdk.NewInMemoryTransports()
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+	go func() { _ = srv.mcpServer.Run(ctx, serverTransport) }()
+
+	mcpClient := mcpsdk.NewClient(&mcpsdk.Implementation{Name: "test", Version: "0.0.1"}, nil)
+	session, err := mcpClient.Connect(ctx, clientTransport, nil)
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = session.Close() })
+
+	// First call starts the flow.
+	_ = callTool(t, session, "hookdeck_login", map[string]any{})
+
+	// Second call should report "in progress" with the URL.
+	result := callTool(t, session, "hookdeck_login", map[string]any{})
+	assert.False(t, result.IsError)
+	text := textContent(t, result)
+	assert.Contains(t, text, "already in progress")
+	assert.Contains(t, text, "https://hookdeck.com/auth?code=xyz")
+}
+
 // ---------------------------------------------------------------------------
 // API error scenarios (shared across tools)
 // ---------------------------------------------------------------------------
diff --git a/pkg/gateway/mcp/tool_login.go b/pkg/gateway/mcp/tool_login.go
@@ -5,8 +5,11 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"sync"
 	"time"
 
+	log "github.com/sirupsen/logrus"
+
 	mcpsdk "github.com/modelcontextprotocol/go-sdk/mcp"
 
 	"github.com/hookdeck/hookdeck-cli/pkg/config"
@@ -19,13 +22,49 @@ const (
 	loginMaxAttempts  = 120 // ~4 minutes
 )
 
+// loginState tracks a background login poll so that repeated calls to
+// hookdeck_login don't start duplicate auth flows.
+type loginState struct {
+	mu         sync.Mutex
+	browserURL string        // URL the user must open
+	done       chan struct{} // closed when polling finishes
+	err        error         // non-nil if polling failed
+}
+
 func handleLogin(client *hookdeck.Client, cfg *config.Config, mcpServer *mcpsdk.Server) mcpsdk.ToolHandler {
+	var state *loginState
+
 	return func(ctx context.Context, req *mcpsdk.CallToolRequest) (*mcpsdk.CallToolResult, error) {
-		// If already authenticated, let the caller know.
+		// Already authenticated &mdash; nothing to do.
 		if client.APIKey != "" {
 			return TextResult("Already authenticated. All Hookdeck tools are available."), nil
 		}
 
+		// If a login flow is already in progress, check its status.
+		if state != nil {
+			select {
+			case <-state.done:
+				// Polling finished &mdash; check result.
+				if state.err != nil {
+					errMsg := state.err.Error()
+					browserURL := state.browserURL
+					state = nil // allow a fresh retry
+					return ErrorResult(fmt.Sprintf(
+						"Authentication failed: %s\n\nPlease call hookdeck_login again to retry.\nThe user needs to open this URL in their browser:\n\n%s",
+						errMsg, browserURL,
+					)), nil
+				}
+				// Success was already handled by the goroutine (client.APIKey set).
+				return TextResult("Already authenticated. All Hookdeck tools are available."), nil
+			default:
+				// Still polling &mdash; remind the agent about the URL.
+				return TextResult(fmt.Sprintf(
+					"Login is already in progress. Waiting for the user to complete authentication.\n\nThe user needs to open this URL in their browser:\n\n%s\n\nCall hookdeck_login again to check status.",
+					state.browserURL,
+				)), nil
+			}
+		}
+
 		parsedBaseURL, err := url.Parse(cfg.APIBaseURL)
 		if err != nil {
 			return ErrorResult(fmt.Sprintf("Invalid API base URL: %s", err)), nil
@@ -40,49 +79,62 @@ func handleLogin(client *hookdeck.Client, cfg *config.Config, mcpServer *mcpsdk.
 			return ErrorResult(fmt.Sprintf("Failed to start login: %s", err)), nil
 		}
 
-		// Poll until the user completes login or we time out.
-		response, err := session.WaitForAPIKey(loginPollInterval, loginMaxAttempts)
-		if err != nil {
-			return &mcpsdk.CallToolResult{
-				Content: []mcpsdk.Content{
-					&mcpsdk.TextContent{Text: fmt.Sprintf(
-						"Authentication timed out or failed: %s\n\nPlease try again by calling hookdeck_login.\nTo authenticate, the user needs to open this URL in their browser:\n\n%s",
-						err, session.BrowserURL,
-					)},
-				},
-				IsError: true,
-			}, nil
+		// Set up background polling state.
+		state = &loginState{
+			browserURL: session.BrowserURL,
+			done:       make(chan struct{}),
 		}
 
-		if err := validators.APIKey(response.APIKey); err != nil {
-			return ErrorResult(fmt.Sprintf("Received invalid API key: %s", err)), nil
-		}
+		// Poll in the background so we return the URL to the agent immediately.
+		go func(s *loginState) {
+			defer close(s.done)
 
-		// Persist credentials so future MCP sessions start authenticated.
-		cfg.Profile.APIKey = response.APIKey
-		cfg.Profile.ProjectId = response.ProjectID
-		cfg.Profile.ProjectMode = response.ProjectMode
-		cfg.Profile.GuestURL = "" // Clear guest URL for permanent accounts.
+			response, err := session.WaitForAPIKey(loginPollInterval, loginMaxAttempts)
+			if err != nil {
+				s.mu.Lock()
+				s.err = err
+				s.mu.Unlock()
+				log.WithError(err).Debug("Login polling failed")
+				return
+			}
 
-		if err := cfg.Profile.SaveProfile(); err != nil {
-			return ErrorResult(fmt.Sprintf("Login succeeded but failed to save profile: %s", err)), nil
-		}
-		if err := cfg.Profile.UseProfile(); err != nil {
-			return ErrorResult(fmt.Sprintf("Login succeeded but failed to activate profile: %s", err)), nil
-		}
+			if err := validators.APIKey(response.APIKey); err != nil {
+				s.mu.Lock()
+				s.err = fmt.Errorf("received invalid API key: %s", err)
+				s.mu.Unlock()
+				return
+			}
+
+			// Persist credentials so future MCP sessions start authenticated.
+			cfg.Profile.APIKey = response.APIKey
+			cfg.Profile.ProjectId = response.ProjectID
+			cfg.Profile.ProjectMode = response.ProjectMode
+			cfg.Profile.GuestURL = ""
+
+			if err := cfg.Profile.SaveProfile(); err != nil {
+				log.WithError(err).Error("Login succeeded but failed to save profile")
+			}
+			if err := cfg.Profile.UseProfile(); err != nil {
+				log.WithError(err).Error("Login succeeded but failed to activate profile")
+			}
+
+			// Update the shared client so all resource tools start working.
+			client.APIKey = response.APIKey
+			client.ProjectID = response.ProjectID
 
-		// Update the shared client so all resource tools start working.
-		client.APIKey = response.APIKey
-		client.ProjectID = response.ProjectID
+			// Remove the login tool now that auth is complete.
+			mcpServer.RemoveTools("hookdeck_login")
 
-		// Remove the login tool now that auth is complete. This sends
-		// notifications/tools/list_changed to clients that support it.
-		mcpServer.RemoveTools("hookdeck_login")
+			log.WithFields(log.Fields{
+				"user":    response.UserName,
+				"project": response.ProjectName,
+			}).Info("MCP login completed successfully")
+		}(state)
 
+		// Return the URL immediately so the agent can show it to the user.
 		return TextResult(fmt.Sprintf(
-			"Successfully authenticated as %s (%s).\nActive project: %s in organization %s.\nAll Hookdeck tools are now available.",
-			response.UserName, response.UserEmail,
-			response.ProjectName, response.OrganizationName,
+			"Login initiated. The user must open the following URL in their browser to authenticate:\n\n%s\n\nOnce the user completes authentication in the browser, all Hookdeck tools will become available.\nCall hookdeck_login again to check if authentication has completed.",
+			session.BrowserURL,
 		)), nil
 	}
 }
