@mcp-ts/sdk 1.3.3 → 1.3.5

package/src/server/mcp/oauth-client.ts

@@ -28,15 +28,18 @@ import {
   ReadResourceResult,
   ReadResourceResultSchema,
 } from '@modelcontextprotocol/sdk/types.js';
-import type { OAuthClientMetadata, OAuthTokens, OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+import type { OAuthTokens, OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
 import { StorageOAuthClientProvider, type AgentsOAuthProvider } from './storage-oauth-provider.js';
 import { sanitizeServerLabel } from '../../shared/utils.js';
 import { Emitter, type McpConnectionEvent, type McpObservabilityEvent, type McpConnectionState } from '../../shared/events.js';
 import { UnauthorizedError } from '../../shared/errors.js';
 import { storage } from '../storage/index.js';
-import { SESSION_TTL_SECONDS, STATE_EXPIRATION_MS } from '../../shared/constants.js';
-
-
+import {
+  MCP_CLIENT_NAME,
+  MCP_CLIENT_VERSION,
+  SESSION_TTL_SECONDS,
+  STATE_EXPIRATION_MS,
+} from '../../shared/constants.js';
 
 /**
  * Supported MCP transport types
@@ -300,49 +303,34 @@ export class MCPClient {
       throw new Error('Missing required connection metadata');
     }
 
-    const clientMetadata: OAuthClientMetadata = {
-      client_name: this.clientName || 'MCP Assistant',
-      redirect_uris: [this.callbackUrl],
-      grant_types: ['authorization_code', 'refresh_token'],
-      response_types: ['code'],
-      token_endpoint_auth_method: this.clientSecret ? 'client_secret_basic' : 'none',
-      client_uri: this.clientUri || 'https://mcp-assistant.in',
-      logo_uri: this.logoUri || 'https://mcp-assistant.in/logo.png',
-      policy_uri: this.policyUri || 'https://mcp-assistant.in/privacy',
-      software_id: '@mcp-ts',
-      software_version: '1.0.0-beta.4',
-      ...(this.clientId ? { client_id: this.clientId } : {}),
-      ...(this.clientSecret ? { client_secret: this.clientSecret } : {}),
-    };
-
     if (!this.oauthProvider) {
       if (!this.serverId) {
         throw new Error('serverId required for OAuth provider initialization');
       }
-
-      this.oauthProvider = new StorageOAuthClientProvider(
-        this.identity,
-        this.serverId,
-        this.sessionId,
-        clientMetadata.client_name ?? 'MCP Assistant',
-        this.callbackUrl,
-        (redirectUrl: string) => {
+      this.oauthProvider = new StorageOAuthClientProvider({
+        identity: this.identity,
+        serverId: this.serverId,
+        sessionId: this.sessionId,
+        redirectUrl: this.callbackUrl!,
+        clientName: this.clientName,
+        clientUri: this.clientUri,
+        logoUri: this.logoUri,
+        policyUri: this.policyUri,
+        clientId: this.clientId,
+        clientSecret: this.clientSecret,
+        onRedirect: (redirectUrl: string) => {
           if (this.onRedirect) {
             this.onRedirect(redirectUrl);
           }
         }
-      );
-
-      if (this.clientId && this.oauthProvider) {
-        this.oauthProvider.clientId = this.clientId;
-      }
+      });
     }
 
     if (!this.client) {
       this.client = new Client(
         {
-          name: 'mcp-ts-oauth-client',
-          version: '2.0',
+          name: MCP_CLIENT_NAME,
+          version: MCP_CLIENT_VERSION,
         },
         {
           capabilities: {
@@ -363,34 +351,34 @@ export class MCPClient {
     if (!existingSession && this.serverId && this.serverUrl && this.callbackUrl) {
       this.createdAt = Date.now();
       console.log(`[MCPClient] Creating initial session ${this.sessionId} for OAuth flow`);
-      await storage.createSession({
-        sessionId: this.sessionId,
-        identity: this.identity,
-        serverId: this.serverId,
-        serverName: this.serverName,
-        serverUrl: this.serverUrl,
-        callbackUrl: this.callbackUrl,
-        transportType: this.transportType || 'streamable_http',
-        createdAt: this.createdAt,
-        active: false,
-      }, Math.floor(STATE_EXPIRATION_MS / 1000)); // Short TTL until connection succeeds
-    }
-  }
+      await storage.createSession({
+        sessionId: this.sessionId,
+        identity: this.identity,
+        serverId: this.serverId,
+        serverName: this.serverName,
+        serverUrl: this.serverUrl,
+        callbackUrl: this.callbackUrl,
+        transportType: this.transportType || 'streamable_http',
+        createdAt: this.createdAt,
+        active: false,
+      }, Math.floor(STATE_EXPIRATION_MS / 1000)); // Short TTL until connection succeeds
+    }
+  }
 
   /**
    * Saves current session state to storage
    * Creates new session if it doesn't exist, updates if it does
-   * @param ttl - Time-to-live in seconds (defaults to 12hr for connected sessions)
-   * @param active - Session status marker used to avoid unnecessary TTL rewrites
-   * @private
-   */
-  private async saveSession(
-    ttl: number = SESSION_TTL_SECONDS,
-    active: boolean = true
-  ): Promise<void> {
-    if (!this.sessionId || !this.serverId || !this.serverUrl || !this.callbackUrl) {
-      return;
-    }
+   * @param ttl - Time-to-live in seconds (defaults to 12hr for connected sessions)
+   * @param active - Session status marker used to avoid unnecessary TTL rewrites
+   * @private
+   */
+  private async saveSession(
+    ttl: number = SESSION_TTL_SECONDS,
+    active: boolean = true
+  ): Promise<void> {
+    if (!this.sessionId || !this.serverId || !this.serverUrl || !this.callbackUrl) {
+      return;
+    }
 
     const sessionData = {
       sessionId: this.sessionId,
@@ -398,11 +386,11 @@ export class MCPClient {
       serverId: this.serverId,
       serverName: this.serverName,
       serverUrl: this.serverUrl,
-      callbackUrl: this.callbackUrl,
-      transportType: (this.transportType || 'streamable_http') as TransportType,
-      createdAt: this.createdAt || Date.now(),
-      active,
-    };
+      callbackUrl: this.callbackUrl,
+      transportType: (this.transportType || 'streamable_http') as TransportType,
+      createdAt: this.createdAt || Date.now(),
+      active,
+    };
 
     // Try to update first, create if doesn't exist
     const existingSession = await storage.getSession(this.identity, this.sessionId);
@@ -512,16 +500,16 @@ export class MCPClient {
       this.emitStateChange('CONNECTED');
       this.emitProgress('Connected successfully');
 
-      // Promote short-lived OAuth-pending session TTL to long-lived active TTL once.
-      // Also persist when transport negotiation changed the effective transport.
-      const existingSession = await storage.getSession(this.identity, this.sessionId);
-      const needsTransportUpdate = !existingSession || existingSession.transportType !== this.transportType;
-      const needsTtlPromotion = !existingSession || existingSession.active !== true;
-
-      if (needsTransportUpdate || needsTtlPromotion) {
-        console.log(`[MCPClient] Saving session ${this.sessionId} with 12hr TTL (connect success)`);
-        await this.saveSession(SESSION_TTL_SECONDS, true);
-      }
+      // Promote short-lived OAuth-pending session TTL to long-lived active TTL once.
+      // Also persist when transport negotiation changed the effective transport.
+      const existingSession = await storage.getSession(this.identity, this.sessionId);
+      const needsTransportUpdate = !existingSession || existingSession.transportType !== this.transportType;
+      const needsTtlPromotion = !existingSession || existingSession.active !== true;
+
+      if (needsTransportUpdate || needsTtlPromotion) {
+        console.log(`[MCPClient] Saving session ${this.sessionId} with 12hr TTL (connect success)`);
+        await this.saveSession(SESSION_TTL_SECONDS, true);
+      }
     } catch (error) {
       /** Handle Authentication Errors */
       if (
@@ -531,7 +519,7 @@ export class MCPClient {
         this.emitStateChange('AUTHENTICATING');
         // Save session with 10min TTL for OAuth pending state
         console.log(`[MCPClient] Saving session ${this.sessionId} with 10min TTL (OAuth pending)`);
-        await this.saveSession(Math.floor(STATE_EXPIRATION_MS / 1000), false);
+        await this.saveSession(Math.floor(STATE_EXPIRATION_MS / 1000), false);
 
         /** Get OAuth authorization URL if available */
         let authUrl = '';
@@ -620,8 +608,8 @@ export class MCPClient {
 
         this.client = new Client(
           {
-            name: 'mcp-ts-oauth-client',
-            version: '2.0',
+            name: MCP_CLIENT_NAME,
+            version: MCP_CLIENT_VERSION,
           },
           {
             capabilities: {
@@ -642,7 +630,7 @@ export class MCPClient {
         this.emitStateChange('CONNECTED');
         // Update session with 12hr TTL after successful OAuth
         console.log(`[MCPClient] Updating session ${this.sessionId} to 12hr TTL (OAuth complete)`);
-        await this.saveSession(SESSION_TTL_SECONDS, true);
+        await this.saveSession(SESSION_TTL_SECONDS, true);
 
         return; // Success, exit function
 
@@ -980,8 +968,8 @@ export class MCPClient {
 
     this.client = new Client(
       {
-        name: 'mcp-ts-oauth-client',
-        version: '2.0',
+        name: MCP_CLIENT_NAME,
+        version: MCP_CLIENT_VERSION,
       },
       { capabilities: {} }
     );

package/src/server/mcp/storage-oauth-provider.ts

@@ -1,13 +1,20 @@
-
 import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
 import type {
-    OAuthClientInformation,
     OAuthClientInformationFull,
+    OAuthClientInformationMixed,
     OAuthClientMetadata,
     OAuthTokens
 } from "@modelcontextprotocol/sdk/shared/auth.js";
 import { storage, SessionData } from "../storage/index.js";
-import { TOKEN_EXPIRY_BUFFER_MS } from '../../shared/constants.js';
+import {
+    DEFAULT_CLIENT_NAME,
+    DEFAULT_CLIENT_URI,
+    DEFAULT_LOGO_URI,
+    DEFAULT_POLICY_URI,
+    SOFTWARE_ID,
+    SOFTWARE_VERSION,
+    TOKEN_EXPIRY_BUFFER_MS,
+} from '../../shared/constants.js';
 
 /**
  * Extension of OAuthClientProvider interface with additional methods
@@ -26,56 +33,74 @@ export interface AgentsOAuthProvider extends OAuthClientProvider {
     setTokenExpiresAt(expiresAt: number): void;
 }
 
+export interface StorageOAuthClientProviderOptions {
+    identity: string;
+    serverId: string;
+    sessionId: string;
+    redirectUrl: string;
+    clientName?: string;
+    clientUri?: string;
+    logoUri?: string;
+    policyUri?: string;
+    clientId?: string;
+    clientSecret?: string;
+    onRedirect?: (url: string) => void;
+}
+
 /**
  * Storage-backed OAuth provider implementation for MCP
  * Stores OAuth tokens, client information, and PKCE verifiers using the configured StorageBackend
  */
 export class StorageOAuthClientProvider implements AgentsOAuthProvider {
+    public readonly identity: string;
+    public readonly serverId: string;
+    public readonly sessionId: string;
+    public readonly redirectUrl: string;
+
+    private readonly clientName?: string;
+    private readonly clientUri?: string;
+    private readonly logoUri?: string;
+    private readonly policyUri?: string;
+    private readonly clientSecret?: string;
+
     private _authUrl: string | undefined;
     private _clientId: string | undefined;
     private onRedirectCallback?: (url: string) => void;
     private tokenExpiresAt?: number;
 
     /**
-     * Creates a new Storage-backed OAuth provider
-     * @param identity - User/Client identifier
-     * @param serverId - Server identifier (for tracking which server this OAuth session belongs to)
-     * @param sessionId - Session identifier (used as OAuth state)
-     * @param clientName - OAuth client name
-     * @param baseRedirectUrl - OAuth callback URL
-     * @param onRedirect - Optional callback when redirect to authorization is needed
+     * Creates a new storage-backed OAuth provider
+     * @param options - Provider configuration
      */
-    constructor(
-        public identity: string,
-        public serverId: string,
-        public sessionId: string,
-        public clientName: string,
-        public baseRedirectUrl: string,
-        onRedirect?: (url: string) => void
-    ) {
-        this.onRedirectCallback = onRedirect;
+    constructor(options: StorageOAuthClientProviderOptions) {
+        this.identity = options.identity;
+        this.serverId = options.serverId;
+        this.sessionId = options.sessionId;
+        this.redirectUrl = options.redirectUrl;
+        this.clientName = options.clientName;
+        this.clientUri = options.clientUri;
+        this.logoUri = options.logoUri;
+        this.policyUri = options.policyUri;
+        this._clientId = options.clientId;
+        this.clientSecret = options.clientSecret;
+        this.onRedirectCallback = options.onRedirect;
     }
 
     get clientMetadata(): OAuthClientMetadata {
         return {
-            client_name: this.clientName,
-            client_uri: this.clientUri,
+            client_name: this.clientName || DEFAULT_CLIENT_NAME,
+            client_uri: this.clientUri || DEFAULT_CLIENT_URI,
+            logo_uri: this.logoUri || DEFAULT_LOGO_URI,
+            policy_uri: this.policyUri || DEFAULT_POLICY_URI,
             grant_types: ["authorization_code", "refresh_token"],
             redirect_uris: [this.redirectUrl],
             response_types: ["code"],
-            token_endpoint_auth_method: "none",
-            ...(this._clientId ? { client_id: this._clientId } : {})
+            token_endpoint_auth_method: this.clientSecret ? "client_secret_basic" : "none",
+            software_id: SOFTWARE_ID,
+            software_version: SOFTWARE_VERSION,
         };
     }
 
-    get clientUri() {
-        return new URL(this.redirectUrl).origin;
-    }
-
-    get redirectUrl() {
-        return this.baseRedirectUrl;
-    }
-
     get clientId() {
         return this._clientId;
     }
@@ -91,7 +116,6 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
     private async getSessionData(): Promise<SessionData> {
         const data = await storage.getSession(this.identity, this.sessionId);
         if (!data) {
-            // Return empty/partial object if not found
             return {} as SessionData;
         }
         return data;
@@ -110,14 +134,25 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
     /**
      * Retrieves stored OAuth client information
      */
-    async clientInformation(): Promise<OAuthClientInformation | undefined> {
+    async clientInformation(): Promise<OAuthClientInformationMixed | undefined> {
         const data = await this.getSessionData();
 
         if (data.clientId && !this._clientId) {
             this._clientId = data.clientId;
         }
 
-        return data.clientInformation;
+        if (data.clientInformation) {
+            return data.clientInformation;
+        }
+
+        if (!this._clientId) {
+            return undefined;
+        }
+
+        return {
+            client_id: this._clientId,
+            ...(this.clientSecret ? { client_secret: this.clientSecret } : {}),
+        };
     }
 
     /**
@@ -152,7 +187,7 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
         return this.sessionId;
     }
 
-    async checkState(state: string): Promise<{ valid: boolean; serverId?: string; error?: string }> {
+    async checkState(_state: string): Promise<{ valid: boolean; serverId?: string; error?: string }> {
         const data = await storage.getSession(this.identity, this.sessionId);
 
         if (!data) {
@@ -162,7 +197,7 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
         return { valid: true, serverId: this.serverId };
     }
 
-    async consumeState(state: string): Promise<void> {
+    async consumeState(_state: string): Promise<void> {
         // No-op
     }
 
@@ -179,8 +214,6 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
         if (scope === "all") {
             await storage.removeSession(this.identity, this.sessionId);
         } else {
-            const data = await this.getSessionData();
-            // Create a copy to modify
             const updates: Partial<SessionData> = {};
 
             if (scope === "client") {

package/src/server/storage/index.ts

@@ -12,6 +12,13 @@ export { RedisStorageBackend, MemoryStorageBackend, FileStorageBackend, SqliteSt
 let storageInstance: StorageBackend | null = null;
 let storagePromise: Promise<StorageBackend> | null = null;
 
+async function initializeStorage<T extends StorageBackend>(store: T): Promise<T> {
+    if (typeof store.init === 'function') {
+        await store.init();
+    }
+    return store;
+}
+
 async function createStorage(): Promise<StorageBackend> {
     const type = process.env.MCP_TS_STORAGE_TYPE?.toLowerCase();
 
@@ -38,17 +45,13 @@ async function createStorage(): Promise<StorageBackend> {
             console.warn('[Storage] MCP_TS_STORAGE_TYPE is "file" but MCP_TS_STORAGE_FILE is missing');
         }
         console.log(`[Storage] Using File storage (${filePath}) (Explicit)`);
-        const store = new FileStorageBackend({ path: filePath });
-        store.init().catch(err => console.error('[Storage] Failed to initialize file storage:', err));
-        return store;
+        return await initializeStorage(new FileStorageBackend({ path: filePath }));
     }
 
     if (type === 'sqlite') {
         const dbPath = process.env.MCP_TS_STORAGE_SQLITE_PATH;
         console.log(`[Storage] Using SQLite storage (${dbPath || 'default'}) (Explicit)`);
-        const store = new SqliteStorage({ path: dbPath });
-        store.init().catch(err => console.error('[Storage] Failed to initialize SQLite storage:', err));
-        return store;
+        return await initializeStorage(new SqliteStorage({ path: dbPath }));
     }
 
     if (type === 'memory') {
@@ -72,16 +75,12 @@ async function createStorage(): Promise<StorageBackend> {
 
     if (process.env.MCP_TS_STORAGE_FILE) {
         console.log(`[Storage] Auto-detected MCP_TS_STORAGE_FILE. Using File storage (${process.env.MCP_TS_STORAGE_FILE}).`);
-        const store = new FileStorageBackend({ path: process.env.MCP_TS_STORAGE_FILE });
-        store.init().catch(err => console.error('[Storage] Failed to initialize file storage:', err));
-        return store;
+        return await initializeStorage(new FileStorageBackend({ path: process.env.MCP_TS_STORAGE_FILE }));
     }
 
     if (process.env.MCP_TS_STORAGE_SQLITE_PATH) {
         console.log(`[Storage] Auto-detected MCP_TS_STORAGE_SQLITE_PATH. Using SQLite storage (${process.env.MCP_TS_STORAGE_SQLITE_PATH}).`);
-        const store = new SqliteStorage({ path: process.env.MCP_TS_STORAGE_SQLITE_PATH });
-        store.init().catch(err => console.error('[Storage] Failed to initialize SQLite storage:', err));
-        return store;
+        return await initializeStorage(new SqliteStorage({ path: process.env.MCP_TS_STORAGE_SQLITE_PATH }));
     }
 
     console.log('[Storage] No storage configured. Using In-Memory storage (Default).');
@@ -94,7 +93,10 @@ async function getStorage(): Promise<StorageBackend> {
     }
 
     if (!storagePromise) {
-        storagePromise = createStorage();
+        storagePromise = createStorage().catch((error) => {
+            storagePromise = null;
+            throw error;
+        });
     }
 
     storageInstance = await storagePromise;

package/src/server/storage/redis-backend.ts

@@ -1,7 +1,7 @@
 
 import type { Redis } from 'ioredis';
 import { customAlphabet } from 'nanoid';
-import { StorageBackend, SessionData, SetClientOptions } from './types';
+import { StorageBackend, SessionData } from './types';
 import { SESSION_TTL_SECONDS } from '../../shared/constants.js';
 
 /** first char: letters only (required by OpenAI) */
@@ -22,6 +22,8 @@ const rest = customAlphabet(
 export class RedisStorageBackend implements StorageBackend {
     private readonly DEFAULT_TTL = SESSION_TTL_SECONDS;
     private readonly KEY_PREFIX = 'mcp:session:';
+    private readonly IDENTITY_KEY_PREFIX = 'mcp:identity:';
+    private readonly IDENTITY_KEY_SUFFIX = ':sessions';
 
     constructor(private redis: Redis) { }
 
@@ -38,7 +40,42 @@ export class RedisStorageBackend implements StorageBackend {
      * @private
      */
     private getIdentityKey(identity: string): string {
-        return `mcp:identity:${identity}:sessions`;
+        return `${this.IDENTITY_KEY_PREFIX}${identity}${this.IDENTITY_KEY_SUFFIX}`;
+    }
+
+    private parseIdentityFromKey(identityKey: string): string {
+        return identityKey.slice(
+            this.IDENTITY_KEY_PREFIX.length,
+            identityKey.length - this.IDENTITY_KEY_SUFFIX.length
+        );
+    }
+
+    private async scanKeys(pattern: string): Promise<string[]> {
+        const redis = this.redis as Redis & {
+            scan?: (cursor: string, ...args: Array<string | number>) => Promise<[string, string[]]>;
+        };
+
+        if (typeof redis.scan !== 'function') {
+            return await this.redis.keys(pattern);
+        }
+
+        const keys = new Set<string>();
+        let cursor = '0';
+
+        try {
+            do {
+                const [nextCursor, batch] = await redis.scan(cursor, 'MATCH', pattern, 'COUNT', 100);
+                cursor = nextCursor;
+                for (const key of batch) {
+                    keys.add(key);
+                }
+            } while (cursor !== '0');
+        } catch (error) {
+            console.warn('[RedisStorage] SCAN failed, falling back to KEYS:', error);
+            return await this.redis.keys(pattern);
+        }
+
+        return Array.from(keys);
     }
 
     generateSessionId(): string {
@@ -121,18 +158,14 @@ export class RedisStorageBackend implements StorageBackend {
     }
 
     async getIdentityMcpSessions(identity: string): Promise<string[]> {
-        const identityKey = this.getIdentityKey(identity);
-        try {
-            return await this.redis.smembers(identityKey);
-        } catch (error) {
-            console.error(`[RedisStorage] Failed to get sessions for ${identity}:`, error);
-            return [];
-        }
+        const sessions = await this.getIdentitySessionsData(identity);
+        return sessions.map((session) => session.sessionId);
     }
 
     async getIdentitySessionsData(identity: string): Promise<SessionData[]> {
         try {
-            const sessionIds = await this.redis.smembers(this.getIdentityKey(identity));
+            const identityKey = this.getIdentityKey(identity);
+            const sessionIds = await this.redis.smembers(identityKey);
             if (sessionIds.length === 0) return [];
 
             const results = await Promise.all(
@@ -142,6 +175,11 @@ export class RedisStorageBackend implements StorageBackend {
                 })
             );
 
+            const staleSessionIds = sessionIds.filter((_, index) => results[index] === null);
+            if (staleSessionIds.length > 0) {
+                await this.redis.srem(identityKey, ...staleSessionIds);
+            }
+
             return results.filter((session): session is SessionData => session !== null);
         } catch (error) {
             console.error(`[RedisStorage] Failed to get session data for ${identity}:`, error);
@@ -163,9 +201,24 @@ export class RedisStorageBackend implements StorageBackend {
 
     async getAllSessionIds(): Promise<string[]> {
         try {
-            const pattern = `${this.KEY_PREFIX}*`;
-            const keys = await this.redis.keys(pattern);
-            return keys.map((key) => key.replace(this.KEY_PREFIX, ''));
+            const keys = await this.scanKeys(`${this.KEY_PREFIX}*`);
+            const sessions = await Promise.all(
+                keys.map(async (key) => {
+                    const data = await this.redis.get(key);
+                    if (!data) {
+                        return null;
+                    }
+
+                    try {
+                        return (JSON.parse(data) as SessionData).sessionId;
+                    } catch (error) {
+                        console.error('[RedisStorage] Failed to parse session while listing all session IDs:', error);
+                        return null;
+                    }
+                })
+            );
+
+            return sessions.filter((sessionId): sessionId is string => sessionId !== null);
         } catch (error) {
             console.error('[RedisStorage] Failed to get all sessions:', error);
             return [];
@@ -174,10 +227,11 @@ export class RedisStorageBackend implements StorageBackend {
 
     async clearAll(): Promise<void> {
         try {
-            const pattern = `${this.KEY_PREFIX}*`;
-            const keys = await this.redis.keys(pattern);
-            if (keys.length > 0) {
-                await this.redis.del(...keys);
+            const keys = await this.scanKeys(`${this.KEY_PREFIX}*`);
+            const identityKeys = await this.scanKeys(`${this.IDENTITY_KEY_PREFIX}*${this.IDENTITY_KEY_SUFFIX}`);
+            const allKeys = [...keys, ...identityKeys];
+            if (allKeys.length > 0) {
+                await this.redis.del(...allKeys);
             }
         } catch (error) {
             console.error('[RedisStorage] Failed to clear sessions:', error);
@@ -186,13 +240,29 @@ export class RedisStorageBackend implements StorageBackend {
 
     async cleanupExpiredSessions(): Promise<void> {
         try {
-            const pattern = `${this.KEY_PREFIX}*`;
-            const keys = await this.redis.keys(pattern);
+            const identityKeys = await this.scanKeys(`${this.IDENTITY_KEY_PREFIX}*${this.IDENTITY_KEY_SUFFIX}`);
+
+            for (const identityKey of identityKeys) {
+                const identity = this.parseIdentityFromKey(identityKey);
+                const sessionIds = await this.redis.smembers(identityKey);
+
+                if (sessionIds.length === 0) {
+                    await this.redis.del(identityKey);
+                    continue;
+                }
+
+                const existenceChecks = await Promise.all(
+                    sessionIds.map((sessionId) => this.redis.exists(this.getSessionKey(identity, sessionId)))
+                );
+
+                const staleSessionIds = sessionIds.filter((_, index) => existenceChecks[index] === 0);
+                if (staleSessionIds.length > 0) {
+                    await this.redis.srem(identityKey, ...staleSessionIds);
+                }
 
-            for (const key of keys) {
-                const ttl = await this.redis.ttl(key);
-                if (ttl <= 0) {
-                    await this.redis.del(key);
+                const remainingCount = await this.redis.scard(identityKey);
+                if (remainingCount === 0) {
+                    await this.redis.del(identityKey);
                 }
             }
         } catch (error) {