@ai-sdk/mcp 1.0.27 → 1.0.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/dist/index.d.mts +3 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.js +12 -0
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +12 -0
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
- package/src/tool/oauth.ts +17 -0
package/package.json
CHANGED
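--- a/package/src/tool/oauth.ts
+++ b/package/src/tool/oauth.ts
@@ -83,6 +83,8 @@ export interface OAuthClientProvider {
 clientInformation: OAuthClientInformation,
 ): void | Promise<void>;
 state?(): string | Promise<string>;
+saveState?(state: string): void | Promise<void>;
+storedState?(): string | undefined | Promise<string | undefined>;
 validateResourceURL?(
 serverUrl: string | URL,
 resource?: string,
@@ -827,6 +829,7 @@ export async function auth(
 options: {
 serverUrl: string | URL;
 authorizationCode?: string;
+callbackState?: string;
 scope?: string;
 resourceMetadataUrl?: URL;
 fetchFn?: FetchFunction;
@@ -886,12 +889,14 @@ async function authInternal(
 {
 serverUrl,
 authorizationCode,
+callbackState,
 scope,
 resourceMetadataUrl,
 fetchFn,
 }: {
 serverUrl: string | URL;
 authorizationCode?: string;
+callbackState?: string;
 scope?: string;
 resourceMetadataUrl?: URL;
 fetchFn?: FetchFunction;
@@ -960,6 +965,15 @@ async function authInternal(
 
 // Exchange authorization code for tokens
 if (authorizationCode !== undefined) {
+if (provider.storedState) {
+const expectedState = await provider.storedState();
+if (expectedState !== undefined && expectedState !== callbackState) {
+throw new Error(
+'OAuth state parameter mismatch - possible CSRF attack',
+);
+}
+}
+
 const codeVerifier = await provider.codeVerifier();
 const tokens = await exchangeAuthorization(authorizationServerUrl, {
 metadata,
@@ -1008,6 +1022,9 @@ async function authInternal(
 }
 
 const state = provider.state ? await provider.state() : undefined;
+if (state && provider.saveState) {
+await provider.saveState(state);
+}
 
 // Start new authorization flow
 const { authorizationUrl, codeVerifier } = await startAuthorization(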
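Review bot: The state check added in authInternal (hunk at 960) is fail-open: when `provider.storedState()` resolves to undefined the callback's state is never compared, so a provider whose stored value expired or was never written accepts any `callbackState`, and a provider that omits `storedState` gets no check at all. For providers that implement `state()`, a missing stored value should reject rather than skip, e.g. `if (expectedState === undefined || expectedState !== callbackState) {`; if the lenient behaviour is intentional for backward compatibility, document it on `storedState?` in the interface, e.g. `/** Returns the state persisted by saveState for the pending flow; returning undefined skips CSRF validation. */`. The stored state is also never invalidated after a successful exchange, so the same callback (and its state) is accepted again until the value is overwritten; consider clearing it after the token exchange or noting the single-use expectation in the interface docs. The comparison uses `!==`, which is not constant-time; this is a minor concern for a CSRF nonce but worth a comment if left as is. authInternal begins and ends outside these hunks.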