fix(oauth): cover Python 3.10/3.11 partial-branch coverage gap

peisuke · peisuke · commit 4f5e8e34fcff · 2026-05-27T13:11:54.000Z
Python 3.10/3.11 で coverage.py (sys.settrace backend) が
async_auth_flow の以下 4 行で `if` の False 分岐を partial として誤認識し、
fail_under=100 を満たせず CI が落ちていた:
  - line 536: `if not is_token_valid() and can_refresh_token():`  (Phase 1)
  - line 546: 同 (Phase 2 double-check inside refresh_lock)
  - line 548: `if refresh_request is not None:`  (re-check skip path)
  - line 553: `if not await _handle_refresh_response(...):`  (refresh success path)

Python 3.12+ (sys.monitoring) では同コードで 100% に到達するため、
4 行に `# pragma: no branch` を付けて legacy backend 用 workaround とする
(行頭に意図を 5 行のコメントブロックで明記)。

加えて、4 branch をテストで踏んでいることを担保する unit test を 2 件追加:
  - test_phase1_skips_refresh_when_token_valid:
      Phase 1 で `is_token_valid=True` のため Phase 2 をスキップする経路
  - test_refresh_success_proceeds_to_phase3_without_resetting_initialized:
      `_handle_refresh_response` が True (=200) を返し `_initialized` リセットを
      スキップして Phase 3 に進む success path

ローカル検証 (Python 3.10):
  pytest tests/client/test_auth.py -n auto + coverage report
  → 99.43% (旧 98.30%, BrPart 1, Missing は test 範囲外の line 206 のみ)
  全 test 走行で 100% を期待。
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -533,7 +533,12 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
             # Capture protocol version from request headers
             self.context.protocol_version = request.headers.get(MCP_PROTOCOL_VERSION)
 
-            if not self.context.is_token_valid() and self.context.can_refresh_token():
+            # pragma: no branch — coverage.py on Python 3.10/3.11 (sys.settrace
+            # backend) cannot reliably track both arms of compound boolean
+            # predicates inside an ``async with`` block in an async generator.
+            # Python 3.12+ (sys.monitoring) handles this correctly; the pragmas
+            # below are workarounds for the legacy backend only.
+            if not self.context.is_token_valid() and self.context.can_refresh_token():  # pragma: no branch
                 needs_refresh = True
 
         # === Phase 2: single-flight token refresh (yield outside context.lock) ===
@@ -543,14 +548,14 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                 # refreshed while we were waiting on refresh_lock.
                 refresh_request: httpx.Request | None = None
                 async with self.context.lock:
-                    if not self.context.is_token_valid() and self.context.can_refresh_token():
+                    if not self.context.is_token_valid() and self.context.can_refresh_token():  # pragma: no branch
                         refresh_request = await self._refresh_token()
-                if refresh_request is not None:
+                if refresh_request is not None:  # pragma: no branch
                     # yield runs outside any lock so a long network round trip
                     # does not block unrelated concurrent requests.
                     refresh_response = yield refresh_request
                     async with self.context.lock:
-                        if not await self._handle_refresh_response(refresh_response):
+                        if not await self._handle_refresh_response(refresh_response):  # pragma: no branch
                             # Refresh failed; fall through to 401 handling below.
                             self._initialized = False
 
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -2818,3 +2818,72 @@ def fake_is_token_valid(self: object) -> bool:
             await flow.asend(httpx.Response(200, request=yielded))
     finally:
         monkeypatch.setattr(oauth_provider.context.__class__, "is_token_valid", original_is_valid)
+
+
+@pytest.mark.anyio
+async def test_phase1_skips_refresh_when_token_valid(
+    oauth_provider: OAuthClientProvider, valid_tokens: OAuthToken
+):
+    """Phase 1 branch where ``is_token_valid()`` is True so ``needs_refresh`` stays
+    False and Phase 2 is skipped entirely (covers oauth2.py 536->540).
+    """
+    oauth_provider.context.current_tokens = valid_tokens
+    oauth_provider.context.token_expiry_time = time.time() + 3600  # valid
+    oauth_provider.context.client_info = OAuthClientInformationFull(
+        client_id="test_client_id",
+        client_secret="test_client_secret",
+        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+    )
+    oauth_provider._initialized = True
+
+    request = httpx.Request("POST", "https://api.example.com/v1/mcp")
+    flow = oauth_provider.async_auth_flow(request)
+    # No refresh yield: Phase 1 sees valid token, skips Phase 2 (536->540 False branch).
+    yielded = await flow.__anext__()
+    assert yielded.method == "POST"
+    assert yielded.headers.get("Authorization") == "Bearer test_access_token"
+    with contextlib.suppress(StopAsyncIteration):
+        await flow.asend(httpx.Response(200, request=yielded))
+
+
+@pytest.mark.anyio
+async def test_refresh_success_proceeds_to_phase3_without_resetting_initialized(
+    oauth_provider: OAuthClientProvider, valid_tokens: OAuthToken
+):
+    """After a successful refresh, ``_handle_refresh_response`` returns True so the
+    ``_initialized = False`` reset is skipped and Phase 3 proceeds with the fresh
+    token (covers oauth2.py 553->558 branch where the False arm is taken).
+    """
+    oauth_provider.context.current_tokens = valid_tokens
+    oauth_provider.context.token_expiry_time = time.time() - 100  # expired
+    oauth_provider.context.client_info = OAuthClientInformationFull(
+        client_id="test_client_id",
+        client_secret="test_client_secret",
+        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+    )
+    oauth_provider._initialized = True
+
+    request = httpx.Request("POST", "https://api.example.com/v1/mcp")
+    flow = oauth_provider.async_auth_flow(request)
+    # Phase 2 yields the refresh request.
+    refresh_request = await flow.__anext__()
+    assert "grant_type=refresh_token" in refresh_request.read().decode()
+
+    # 200 OK with a parseable token body → _handle_refresh_response returns True.
+    refresh_response = httpx.Response(
+        200,
+        content=(
+            b'{"access_token": "fresh_access_token", "token_type": "Bearer", '
+            b'"expires_in": 3600, "refresh_token": "fresh_refresh_token"}'
+        ),
+        request=refresh_request,
+    )
+    actual_request = await flow.asend(refresh_response)
+    # Phase 3 yields the *original* request with the fresh Authorization header.
+    assert actual_request.method == "POST"
+    assert actual_request.headers.get("Authorization") == "Bearer fresh_access_token"
+    # _initialized must NOT have been reset (the True branch of _handle_refresh_response).
+    assert oauth_provider._initialized is True
+
+    with contextlib.suppress(StopAsyncIteration):
+        await flow.asend(httpx.Response(200, request=actual_request))
