@ai-sdk/mcp 1.0.27 → 1.0.29

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @ai-sdk/mcp
 
+## 1.0.29
+
+### Patch Changes
+
+- cc8b506: feat(mcp): add `redirect` option to `MCPTransportConfig` for controlling HTTP redirect behavior
+
+## 1.0.28
+
+### Patch Changes
+
+- 0c86a13: fix(mcp): validate state param in oauth flow
+
 ## 1.0.27
 
 ### Patch Changes

package/dist/index.d.mts

@@ -182,6 +182,8 @@ interface OAuthClientProvider {
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
     state?(): string | Promise<string>;
+    saveState?(state: string): void | Promise<void>;
+    storedState?(): string | undefined | Promise<string | undefined>;
     validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 declare class UnauthorizedError extends Error {
@@ -190,6 +192,7 @@ declare class UnauthorizedError extends Error {
 declare function auth(provider: OAuthClientProvider, options: {
     serverUrl: string | URL;
     authorizationCode?: string;
+    callbackState?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
     fetchFn?: FetchFunction;
@@ -240,6 +243,13 @@ type MCPTransportConfig = {
      * An optional OAuth client provider to use for authentication for MCP servers.
      */
     authProvider?: OAuthClientProvider;
+    /**
+     * Controls how HTTP redirects are handled for transport requests.
+     * - `'follow'`: Follow redirects automatically (standard fetch behavior).
+     * - `'error'`: Reject any redirect response with an error.
+     * @default 'follow'
+     */
+    redirect?: 'follow' | 'error';
 };
 
 /** MCP tool metadata - keys should follow MCP _meta key format specification */

package/dist/index.d.ts

@@ -182,6 +182,8 @@ interface OAuthClientProvider {
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
     state?(): string | Promise<string>;
+    saveState?(state: string): void | Promise<void>;
+    storedState?(): string | undefined | Promise<string | undefined>;
     validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 declare class UnauthorizedError extends Error {
@@ -190,6 +192,7 @@ declare class UnauthorizedError extends Error {
 declare function auth(provider: OAuthClientProvider, options: {
     serverUrl: string | URL;
     authorizationCode?: string;
+    callbackState?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
     fetchFn?: FetchFunction;
@@ -240,6 +243,13 @@ type MCPTransportConfig = {
      * An optional OAuth client provider to use for authentication for MCP servers.
      */
     authProvider?: OAuthClientProvider;
+    /**
+     * Controls how HTTP redirects are handled for transport requests.
+     * - `'follow'`: Follow redirects automatically (standard fetch behavior).
+     * - `'error'`: Reject any redirect response with an error.
+     * @default 'follow'
+     */
+    redirect?: 'follow' | 'error';
 };
 
 /** MCP tool metadata - keys should follow MCP _meta key format specification */

package/dist/index.js

@@ -28,8 +28,8 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var src_exports = {};
-__export(src_exports, {
+var index_exports = {};
+__export(index_exports, {
   ElicitResultSchema: () => ElicitResultSchema,
   ElicitationRequestSchema: () => ElicitationRequestSchema,
   UnauthorizedError: () => UnauthorizedError,
@@ -37,7 +37,7 @@ __export(src_exports, {
   createMCPClient: () => createMCPClient,
   experimental_createMCPClient: () => createMCPClient
 });
-module.exports = __toCommonJS(src_exports);
+module.exports = __toCommonJS(index_exports);
 
 // src/tool/mcp-client.ts
 var import_provider_utils3 = require("@ai-sdk/provider-utils");
@@ -949,6 +949,7 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 async function authInternal(provider, {
   serverUrl,
   authorizationCode,
+  callbackState,
   scope,
   resourceMetadataUrl,
   fetchFn
@@ -1001,6 +1002,14 @@ async function authInternal(provider, {
     clientInformation = fullInformation;
   }
   if (authorizationCode !== void 0) {
+    if (provider.storedState) {
+      const expectedState = await provider.storedState();
+      if (expectedState !== void 0 && expectedState !== callbackState) {
+        throw new Error(
+          "OAuth state parameter mismatch - possible CSRF attack"
+        );
+      }
+    }
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1039,6 +1048,9 @@ async function authInternal(provider, {
     }
   }
   const state = provider.state ? await provider.state() : void 0;
+  if (state && provider.saveState) {
+    await provider.saveState(state);
+  }
   const { authorizationUrl, codeVerifier } = await startAuthorization(
     authorizationServerUrl,
     {
@@ -1060,12 +1072,14 @@ var SseMCPTransport = class {
   constructor({
     url,
     headers,
-    authProvider
+    authProvider,
+    redirect = "follow"
   }) {
     this.connected = false;
     this.url = new URL(url);
     this.headers = headers;
     this.authProvider = authProvider;
+    this.redirectMode = redirect;
   }
   async commonHeaders(base) {
     const headers = {
@@ -1099,7 +1113,8 @@ var SseMCPTransport = class {
           });
           const response = await fetch(this.url.href, {
             headers,
-            signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+            signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+            redirect: this.redirectMode
           });
           if (response.status === 401 && this.authProvider && !triedAuth) {
             this.resourceMetadataUrl = extractResourceMetadataUrl(response);
@@ -1218,7 +1233,8 @@ var SseMCPTransport = class {
           method: "POST",
           headers,
           body: JSON.stringify(message),
-          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+          redirect: this.redirectMode
         };
         const response = await fetch(endpoint, init);
         if (response.status === 401 && this.authProvider && !triedAuth) {
@@ -1262,7 +1278,8 @@ var HttpMCPTransport = class {
   constructor({
     url,
     headers,
-    authProvider
+    authProvider,
+    redirect = "follow"
   }) {
     this.inboundReconnectAttempts = 0;
     this.reconnectionOptions = {
@@ -1274,6 +1291,7 @@ var HttpMCPTransport = class {
     this.url = new URL(url);
     this.headers = headers;
     this.authProvider = authProvider;
+    this.redirectMode = redirect;
   }
   async commonHeaders(base) {
     const headers = {
@@ -1314,7 +1332,8 @@ var HttpMCPTransport = class {
         await fetch(this.url, {
           method: "DELETE",
           headers,
-          signal: this.abortController.signal
+          signal: this.abortController.signal,
+          redirect: this.redirectMode
         }).catch(() => void 0);
       }
     } catch (e) {
@@ -1334,7 +1353,8 @@ var HttpMCPTransport = class {
           method: "POST",
           headers,
           body: JSON.stringify(message),
-          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+          redirect: this.redirectMode
         };
         const response = await fetch(this.url, init);
         const sessionId = response.headers.get("mcp-session-id");
@@ -1483,7 +1503,8 @@ var HttpMCPTransport = class {
       const response = await fetch(this.url.href, {
         method: "GET",
         headers,
-        signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+        signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+        redirect: this.redirectMode
       });
       const sessionId = response.headers.get("mcp-session-id");
       if (sessionId) {