This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Summary
AI summary: telegram-logout fully revokes Telegram sessions and aborts in-progress QR logins.
Full changelog
New tool: telegram-logout
Fully logs out from Telegram:
- Calls auth.LogOut on Telegram servers → session disappears from Settings → Devices
- Destroys the GramJS client
- Deletes the local session file
- Clears in-memory state
Annotations: DESTRUCTIVE (marked as irreversible for MCP clients)
Parameters: none
Behavior matrix:
| State | Result |
|---|---|
| Connected | Server revoke + local wipe → ok |
| Session file exists but disconnected | Local wipe only → ok with "server revoke was not performed" notice |
| No session, no file | fail — "Not logged in" |
| auth.LogOut throws | Local wipe still happens → fail with "check Settings → Devices manually" hint |
| Local file removal fails (read-only FS, perms) | fail — never falsely claims "removed locally" |
TelegramService.logOut() hardening
Rewritten to be correct in edge cases:
- Split server-revoke from client-destroy: if auth.LogOut succeeds but client.destroy() throws, method now correctly returns true (revoked). Previously reported "not confirmed" for successful revokes.
- Local wipe is definitive: clearSession() is verified post-unlink — if the file is still on disk, method throws instead of silently returning. Prevents falsely reporting "logged out" when the session file survives (e.g. read-only Docker mount).
- File removal happens even when server-revoke fails (network error, AUTH_KEY_UNREGISTERED): local state always ends clean.
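The ordering described in these three points, as an added sketch that is not the project's code. The `client` wrapper with `revoke()` (standing in for the auth.LogOut call) and `destroy()`, the return shape, and the temp-file scenarios are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Delete the session file, then confirm it is really gone (post-unlink check).
function clearSession(sessionPath) {
  try {
    fs.unlinkSync(sessionPath);
  } catch (err) {
    if (err.code !== 'ENOENT') throw err; // already absent is fine; anything else is a failure
  }
  if (fs.existsSync(sessionPath)) throw new Error(`session file still on disk: ${sessionPath}`);
}

// client is a hypothetical wrapper; pass null when disconnected (local wipe only).
async function logOut(client, sessionPath) {
  let revoked = false, revokeError = null;
  if (client) {
    try {
      await client.revoke();
      revoked = true; // server-side result is recorded before teardown
    } catch (err) {
      revokeError = err; // keep going: local state must still end clean
    }
    try {
      await client.destroy();
    } catch {
      // teardown failure must not downgrade a successful revoke
    }
  }
  clearSession(sessionPath); // throws if the file survives, so no false "logged out"
  return { revoked, revokeError };
}

// Constructed scenarios on throwaway temp files.
async function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'logout-demo-'));
  const mk = (n) => { const p = path.join(dir, n); fs.writeFileSync(p, 'x'); return p; };
  const ok = async () => {};
  const boom = async () => { throw new Error('boom'); };
  const a = mk('a.session'), b = mk('b.session');
  const destroyThrows = await logOut({ revoke: ok, destroy: boom }, a);
  const revokeThrows = await logOut({ revoke: boom, destroy: ok }, b);
  const stuck = path.join(dir, 'stuck.session');
  fs.mkdirSync(stuck); // a directory cannot be unlinked: stands in for a read-only mount
  const wipeFails = await logOut(null, stuck).then(() => false, () => true);
  return { destroyThrows, revokeThrows, aGone: !fs.existsSync(a), bGone: !fs.existsSync(b), wipeFails };
}
demo().then((r) => console.log(r));
```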
Master: logout cancels active QR login
If a second MCP client requests telegram-logout while client A is in an in-progress QR login flow, master now calls activeLogin.abort.abort() before acquiring globalLock. Without this fix, logout would queue behind the login for up to 5 minutes (until QR token expiry).
Tests: 322 total (+10 vs v1.28.0)
- hasLocalSession() × 2
- logOut() × 7 (connected / disconnected+file / disconnected+nofile / network error / idempotency / FS-throws / destroy-throws-but-revoke-succeeds)
- Master integration: telegram-logout aborts active login (via real unix socket)
Known limitation
In a 3-client FIFO scenario — A holds globalLock via login, B queues a normal tool call, C requests logout — logout correctly aborts A, but B still runs before logout because FIFO order is preserved. Priority-aware queue is deferred to a future release.
Docs
- README + docs/tools/reference.md (EN/RU/ZH) updated with telegram-logout in the Auth category
Upgrading
npm install -g @overpod/[email protected]
After upgrading, restart your MCP host (Claude Code / Claude Desktop) so the old master daemon is replaced — IPC wire format is compatible with v1.28.0.
About overpod/mcp-telegram
Telegram MCP server via MTProto/GramJS — 20 tools for reading chats, searching messages, downloading media, managing contacts. QR code login, npx zero-install. Hosted version at mcp-telegram.com.