@agentmailbox/mcp-auth 1.0.4 → 1.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/index.js +12 -11
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -62,13 +62,13 @@ Replace:
|
|
|
62
62
|
## How It Works
|
|
63
63
|
|
|
64
64
|
1. Fetches an OAuth2 access token using the Client Credentials flow
|
|
65
|
-
2. Passes the token to
|
|
65
|
+
2. Passes the token to `mcp-remote` via environment variable
|
|
66
66
|
3. Forwards all MCP communication to the AgentMailbox server
|
|
67
67
|
|
|
68
68
|
## Requirements
|
|
69
69
|
|
|
70
70
|
- Node.js 18 or later
|
|
71
|
-
-
|
|
71
|
+
- `mcp-remote` (installed automatically via npx)
|
|
72
72
|
|
|
73
73
|
## License
|
|
74
74
|
|
package/index.js
CHANGED
|
@@ -19,7 +19,7 @@
|
|
|
19
19
|
* ],
|
|
20
20
|
* "env": {
|
|
21
21
|
* "MCP_OAUTH_CLIENT_ID": "your-client-id",
|
|
22
|
-
* "MCP_OAUTH_CLIENT_SECRET": "your-client-secret"
|
|
22
|
+
* "MCP_OAUTH_CLIENT_SECRET": "your-client-secret" // pragma: allowlist secret
|
|
23
23
|
* }
|
|
24
24
|
* }
|
|
25
25
|
* }
|
|
@@ -50,26 +50,25 @@ if (!mcpUrl || !tokenEndpoint || !clientId || !clientSecret) {
|
|
|
50
50
|
}
|
|
51
51
|
|
|
52
52
|
/**
|
|
53
|
-
* Build a minimal environment for the child process.
|
|
54
|
-
* Only
|
|
53
|
+
* Build a minimal allow-list environment for the child process.
|
|
54
|
+
* Only includes necessary system variables, avoiding exposure of ambient secrets.
|
|
55
55
|
*/
|
|
56
56
|
function buildChildEnv(env) {
|
|
57
57
|
const allowList = [
|
|
58
|
-
// Essential
|
|
58
|
+
// Essential system paths
|
|
59
59
|
'PATH', 'HOME', 'USERPROFILE',
|
|
60
60
|
// Temp directories
|
|
61
61
|
'TMP', 'TEMP', 'TMPDIR',
|
|
62
|
-
// Windows
|
|
62
|
+
// Windows system variables
|
|
63
63
|
'SystemRoot', 'ComSpec', 'WINDIR', 'PATHEXT',
|
|
64
|
-
// Proxy
|
|
64
|
+
// Proxy configuration
|
|
65
65
|
'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY',
|
|
66
66
|
'http_proxy', 'https_proxy', 'no_proxy',
|
|
67
67
|
// Node.js configuration
|
|
68
68
|
'NODE_EXTRA_CA_CERTS', 'NODE_OPTIONS',
|
|
69
|
-
//
|
|
69
|
+
// mcp-remote configuration directory
|
|
70
70
|
'MCP_REMOTE_CONFIG_DIR',
|
|
71
71
|
];
|
|
72
|
-
|
|
73
72
|
return Object.fromEntries(
|
|
74
73
|
allowList.flatMap((key) => (env[key] ? [[key, env[key]]] : []))
|
|
75
74
|
);
|
|
@@ -121,15 +120,17 @@ async function main() {
|
|
|
121
120
|
try {
|
|
122
121
|
const token = await getAccessToken();
|
|
123
122
|
|
|
124
|
-
// Build minimal environment with only necessary variables
|
|
123
|
+
// Build minimal environment with only necessary variables
|
|
125
124
|
const childEnv = buildChildEnv(process.env);
|
|
126
|
-
childEnv.AUTH_TOKEN = token;
|
|
127
125
|
|
|
128
|
-
// Launch mcp-remote with
|
|
126
|
+
// Launch mcp-remote with Authorization header via --header flag
|
|
127
|
+
// Note: Token appears briefly in process args, but this is acceptable for MCP client usage
|
|
129
128
|
const child = spawn('npx', [
|
|
130
129
|
'-y',
|
|
131
130
|
'mcp-remote',
|
|
132
131
|
mcpUrl,
|
|
132
|
+
'--header',
|
|
133
|
+
`Authorization:Bearer ${token}`,
|
|
133
134
|
], {
|
|
134
135
|
stdio: 'inherit',
|
|
135
136
|
env: childEnv,
|