npm - @ai-sdk/mcp - Versions diffs - 1.0.45 → 1.0.47 - Mend

@ai-sdk/mcp 1.0.45 → 1.0.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.mjs CHANGED Viewed

@@ -312,15 +312,6 @@ import pkceChallenge from "pkce-challenge";
 // src/tool/oauth-types.ts
 import { z as z3 } from "zod/v4";
-var OAuthTokensSchema = z3.object({
-  access_token: z3.string(),
-  id_token: z3.string().optional(),
-  // Optional for OAuth 2.1, but necessary in OpenID Connect
-  token_type: z3.string(),
-  expires_in: z3.number().optional(),
-  scope: z3.string().optional(),
-  refresh_token: z3.string().optional()
-}).strip();
 var SafeUrlSchema = z3.string().url().superRefine((val, ctx) => {
   if (!URL.canParse(val)) {
     ctx.addIssue({
@@ -337,6 +328,17 @@ var SafeUrlSchema = z3.string().url().superRefine((val, ctx) => {
   },
   { message: "URL cannot use javascript:, data:, or vbscript: scheme" }
 );
+var OAuthTokensSchema = z3.object({
+  access_token: z3.string(),
+  id_token: z3.string().optional(),
+  // Optional for OAuth 2.1, but necessary in OpenID Connect
+  token_type: z3.string(),
+  expires_in: z3.number().optional(),
+  scope: z3.string().optional(),
+  refresh_token: z3.string().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
+}).strip();
 var OAuthProtectedResourceMetadataSchema = z3.object({
   resource: z3.string().url(),
   authorization_servers: z3.array(SafeUrlSchema).optional(),
@@ -389,7 +391,9 @@ var OAuthClientInformationSchema = z3.object({
   client_id: z3.string(),
   client_secret: z3.string().optional(),
   client_id_issued_at: z3.number().optional(),
-  client_secret_expires_at: z3.number().optional()
+  client_secret_expires_at: z3.number().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
 }).strip();
 var OAuthClientMetadataSchema = z3.object({
   redirect_uris: z3.array(SafeUrlSchema),
@@ -494,6 +498,106 @@ var UnauthorizedError = class extends Error {
     this.name = "UnauthorizedError";
   }
 };
+function normalizeUrl(url) {
+  return new URL(url).href;
+}
+function createAuthorizationServerInformation(authorizationServerUrl, metadata) {
+  return {
+    authorizationServerUrl: normalizeUrl(authorizationServerUrl),
+    tokenEndpoint: normalizeUrl(
+      (metadata == null ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl)
+    )
+  };
+}
+function addAuthorizationServerInformationToTokens(tokens, authorizationServerInformation) {
+  return {
+    ...tokens,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function addAuthorizationServerInformationToClientInformation(clientInformation, authorizationServerInformation) {
+  return {
+    ...clientInformation,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function getAuthorizationServerInformationFromCredentials(credentials) {
+  if (!(credentials == null ? void 0 : credentials.authorization_server) || !credentials.token_endpoint) {
+    return void 0;
+  }
+  return {
+    authorizationServerUrl: normalizeUrl(credentials.authorization_server),
+    tokenEndpoint: normalizeUrl(credentials.token_endpoint)
+  };
+}
+async function getStoredAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  tokens
+}) {
+  var _a3;
+  const tokenAuthorizationServerInformation = getAuthorizationServerInformationFromCredentials(tokens);
+  if (tokenAuthorizationServerInformation) {
+    return tokenAuthorizationServerInformation;
+  }
+  const providerAuthorizationServerInformation = await ((_a3 = provider.authorizationServerInformation) == null ? void 0 : _a3.call(provider));
+  if (providerAuthorizationServerInformation) {
+    return {
+      authorizationServerUrl: normalizeUrl(
+        providerAuthorizationServerInformation.authorizationServerUrl
+      ),
+      tokenEndpoint: normalizeUrl(
+        providerAuthorizationServerInformation.tokenEndpoint
+      )
+    };
+  }
+  return getAuthorizationServerInformationFromCredentials(clientInformation);
+}
+async function saveAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  authorizationServerInformation
+}) {
+  if (provider.saveAuthorizationServerInformation) {
+    await provider.saveAuthorizationServerInformation(
+      authorizationServerInformation
+    );
+    return true;
+  }
+  if (provider.saveClientInformation) {
+    await provider.saveClientInformation(
+      addAuthorizationServerInformationToClientInformation(
+        clientInformation,
+        authorizationServerInformation
+      )
+    );
+    return true;
+  }
+  return false;
+}
+function assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl) {
+  if (!resourceMetadataUrl) {
+    return;
+  }
+  const expectedOrigin = new URL(serverUrl).origin;
+  if (resourceMetadataUrl.origin !== expectedOrigin) {
+    throw new MCPClientOAuthError({
+      message: `OAuth protected resource metadata URL ${resourceMetadataUrl.href} must have the same origin as the MCP server URL ${expectedOrigin}`
+    });
+  }
+}
+function assertAuthorizationServerInformationMatches({
+  storedAuthorizationServerInformation,
+  currentAuthorizationServerInformation
+}) {
+  if (storedAuthorizationServerInformation.authorizationServerUrl !== currentAuthorizationServerInformation.authorizationServerUrl || storedAuthorizationServerInformation.tokenEndpoint !== currentAuthorizationServerInformation.tokenEndpoint) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata does not match the metadata that issued the stored credentials"
+    });
+  }
+}
 function extractResourceMetadataUrl(response) {
   var _a3;
   const header = (_a3 = response.headers.get("www-authenticate")) != null ? _a3 : response.headers.get("WWW-Authenticate");
@@ -812,7 +916,12 @@ async function exchangeAuthorization(authorizationServerUrl, {
     redirect_uri: String(redirectUri)
   });
   if (addClientAuthentication) {
-    addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+    await addClientAuthentication(
+      headers,
+      params,
+      authorizationServerUrl,
+      metadata
+    );
   } else {
     const supportedMethods = (_a3 = metadata == null ? void 0 : metadata.token_endpoint_auth_methods_supported) != null ? _a3 : [];
     const authMethod = selectClientAuthMethod(
@@ -864,7 +973,12 @@ async function refreshAuthorization(authorizationServerUrl, {
     refresh_token: refreshToken
   });
   if (addClientAuthentication) {
-    addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+    await addClientAuthentication(
+      headers,
+      params,
+      authorizationServerUrl,
+      metadata
+    );
   } else {
     const supportedMethods = (_a3 = metadata == null ? void 0 : metadata.token_endpoint_auth_methods_supported) != null ? _a3 : [];
     const authMethod = selectClientAuthMethod(
@@ -961,8 +1075,10 @@ async function authInternal(provider, {
   resourceMetadataUrl,
   fetchFn
 }) {
+  var _a3;
   let resourceMetadata;
   let authorizationServerUrl;
+  assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl);
   try {
     resourceMetadata = await discoverOAuthProtectedResourceMetadata(
       serverUrl,
@@ -988,6 +1104,7 @@ async function authInternal(provider, {
       fetchFn
     }
   );
+  const currentAuthorizationServerInformation = createAuthorizationServerInformation(authorizationServerUrl, metadata);
   let clientInformation = await Promise.resolve(provider.clientInformation());
   if (!clientInformation) {
     if (authorizationCode !== void 0) {
@@ -1005,8 +1122,11 @@ async function authInternal(provider, {
       clientMetadata: provider.clientMetadata,
       fetchFn
     });
-    await provider.saveClientInformation(fullInformation);
-    clientInformation = fullInformation;
+    clientInformation = addAuthorizationServerInformationToClientInformation(
+      fullInformation,
+      currentAuthorizationServerInformation
+    );
+    await provider.saveClientInformation(clientInformation);
   }
   if (authorizationCode !== void 0) {
     if (provider.storedState) {
@@ -1017,6 +1137,19 @@ async function authInternal(provider, {
         );
       }
     }
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation
+    });
+    if (!storedAuthorizationServerInformation) {
+      throw new MCPClientOAuthError({
+        message: "Stored OAuth authorization server metadata is required when exchanging an authorization code"
+      });
+    }
+    assertAuthorizationServerInformationMatches({
+      storedAuthorizationServerInformation,
+      currentAuthorizationServerInformation
+    });
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1028,22 +1161,47 @@ async function authInternal(provider, {
       addClientAuthentication: provider.addClientAuthentication,
       fetchFn
     });
-    await provider.saveTokens(tokens2);
+    await provider.saveTokens(
+      addAuthorizationServerInformationToTokens(
+        tokens2,
+        currentAuthorizationServerInformation
+      )
+    );
     return "AUTHORIZED";
   }
   const tokens = await provider.tokens();
   if (tokens == null ? void 0 : tokens.refresh_token) {
-    try {
-      const newTokens = await refreshAuthorization(authorizationServerUrl, {
-        metadata,
-        clientInformation,
-        refreshToken: tokens.refresh_token,
-        resource,
-        addClientAuthentication: provider.addClientAuthentication,
-        fetchFn
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation,
+      tokens
+    });
+    if (storedAuthorizationServerInformation) {
+      assertAuthorizationServerInformationMatches({
+        storedAuthorizationServerInformation,
+        currentAuthorizationServerInformation
       });
-      await provider.saveTokens(newTokens);
-      return "AUTHORIZED";
+    } else {
+      await ((_a3 = provider.invalidateCredentials) == null ? void 0 : _a3.call(provider, "tokens"));
+    }
+    try {
+      if (storedAuthorizationServerInformation) {
+        const newTokens = await refreshAuthorization(authorizationServerUrl, {
+          metadata,
+          clientInformation,
+          refreshToken: tokens.refresh_token,
+          resource,
+          addClientAuthentication: provider.addClientAuthentication,
+          fetchFn
+        });
+        await provider.saveTokens(
+          addAuthorizationServerInformationToTokens(
+            newTokens,
+            currentAuthorizationServerInformation
+          )
+        );
+        return "AUTHORIZED";
+      }
     } catch (error) {
       if (
         // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
@@ -1069,6 +1227,16 @@ async function authInternal(provider, {
       resource
     }
   );
+  const savedAuthorizationServerInformation = await saveAuthorizationServerInformation({
+    provider,
+    clientInformation,
+    authorizationServerInformation: currentAuthorizationServerInformation
+  });
+  if (!savedAuthorizationServerInformation) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata must be saveable before starting authorization"
+    });
+  }
   await provider.saveCodeVerifier(codeVerifier);
   await provider.redirectToAuthorization(authorizationUrl);
   return "REDIRECT";