@ai-sdk/mcp 1.0.46 → 1.0.48

package/dist/index.mjs

@@ -312,15 +312,6 @@ import pkceChallenge from "pkce-challenge";
 
 // src/tool/oauth-types.ts
 import { z as z3 } from "zod/v4";
-var OAuthTokensSchema = z3.object({
-  access_token: z3.string(),
-  id_token: z3.string().optional(),
-  // Optional for OAuth 2.1, but necessary in OpenID Connect
-  token_type: z3.string(),
-  expires_in: z3.number().optional(),
-  scope: z3.string().optional(),
-  refresh_token: z3.string().optional()
-}).strip();
 var SafeUrlSchema = z3.string().url().superRefine((val, ctx) => {
   if (!URL.canParse(val)) {
     ctx.addIssue({
@@ -337,6 +328,17 @@ var SafeUrlSchema = z3.string().url().superRefine((val, ctx) => {
   },
   { message: "URL cannot use javascript:, data:, or vbscript: scheme" }
 );
+var OAuthTokensSchema = z3.object({
+  access_token: z3.string(),
+  id_token: z3.string().optional(),
+  // Optional for OAuth 2.1, but necessary in OpenID Connect
+  token_type: z3.string(),
+  expires_in: z3.number().optional(),
+  scope: z3.string().optional(),
+  refresh_token: z3.string().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
+}).strip();
 var OAuthProtectedResourceMetadataSchema = z3.object({
   resource: z3.string().url(),
   authorization_servers: z3.array(SafeUrlSchema).optional(),
@@ -389,7 +391,9 @@ var OAuthClientInformationSchema = z3.object({
   client_id: z3.string(),
   client_secret: z3.string().optional(),
   client_id_issued_at: z3.number().optional(),
-  client_secret_expires_at: z3.number().optional()
+  client_secret_expires_at: z3.number().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
 }).strip();
 var OAuthClientMetadataSchema = z3.object({
   redirect_uris: z3.array(SafeUrlSchema),
@@ -494,6 +498,106 @@ var UnauthorizedError = class extends Error {
     this.name = "UnauthorizedError";
   }
 };
+function normalizeUrl(url) {
+  return new URL(url).href;
+}
+function createAuthorizationServerInformation(authorizationServerUrl, metadata) {
+  return {
+    authorizationServerUrl: normalizeUrl(authorizationServerUrl),
+    tokenEndpoint: normalizeUrl(
+      (metadata == null ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl)
+    )
+  };
+}
+function addAuthorizationServerInformationToTokens(tokens, authorizationServerInformation) {
+  return {
+    ...tokens,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function addAuthorizationServerInformationToClientInformation(clientInformation, authorizationServerInformation) {
+  return {
+    ...clientInformation,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function getAuthorizationServerInformationFromCredentials(credentials) {
+  if (!(credentials == null ? void 0 : credentials.authorization_server) || !credentials.token_endpoint) {
+    return void 0;
+  }
+  return {
+    authorizationServerUrl: normalizeUrl(credentials.authorization_server),
+    tokenEndpoint: normalizeUrl(credentials.token_endpoint)
+  };
+}
+async function getStoredAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  tokens
+}) {
+  var _a3;
+  const tokenAuthorizationServerInformation = getAuthorizationServerInformationFromCredentials(tokens);
+  if (tokenAuthorizationServerInformation) {
+    return tokenAuthorizationServerInformation;
+  }
+  const providerAuthorizationServerInformation = await ((_a3 = provider.authorizationServerInformation) == null ? void 0 : _a3.call(provider));
+  if (providerAuthorizationServerInformation) {
+    return {
+      authorizationServerUrl: normalizeUrl(
+        providerAuthorizationServerInformation.authorizationServerUrl
+      ),
+      tokenEndpoint: normalizeUrl(
+        providerAuthorizationServerInformation.tokenEndpoint
+      )
+    };
+  }
+  return getAuthorizationServerInformationFromCredentials(clientInformation);
+}
+async function saveAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  authorizationServerInformation
+}) {
+  if (provider.saveAuthorizationServerInformation) {
+    await provider.saveAuthorizationServerInformation(
+      authorizationServerInformation
+    );
+    return true;
+  }
+  if (provider.saveClientInformation) {
+    await provider.saveClientInformation(
+      addAuthorizationServerInformationToClientInformation(
+        clientInformation,
+        authorizationServerInformation
+      )
+    );
+    return true;
+  }
+  return false;
+}
+function assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl) {
+  if (!resourceMetadataUrl) {
+    return;
+  }
+  const expectedOrigin = new URL(serverUrl).origin;
+  if (resourceMetadataUrl.origin !== expectedOrigin) {
+    throw new MCPClientOAuthError({
+      message: `OAuth protected resource metadata URL ${resourceMetadataUrl.href} must have the same origin as the MCP server URL ${expectedOrigin}`
+    });
+  }
+}
+function assertAuthorizationServerInformationMatches({
+  storedAuthorizationServerInformation,
+  currentAuthorizationServerInformation
+}) {
+  if (storedAuthorizationServerInformation.authorizationServerUrl !== currentAuthorizationServerInformation.authorizationServerUrl || storedAuthorizationServerInformation.tokenEndpoint !== currentAuthorizationServerInformation.tokenEndpoint) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata does not match the metadata that issued the stored credentials"
+    });
+  }
+}
 function extractResourceMetadataUrl(response) {
   var _a3;
   const header = (_a3 = response.headers.get("www-authenticate")) != null ? _a3 : response.headers.get("WWW-Authenticate");
@@ -971,8 +1075,10 @@ async function authInternal(provider, {
   resourceMetadataUrl,
   fetchFn
 }) {
+  var _a3, _b3;
   let resourceMetadata;
   let authorizationServerUrl;
+  assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl);
   try {
     resourceMetadata = await discoverOAuthProtectedResourceMetadata(
       serverUrl,
@@ -992,12 +1098,18 @@ async function authInternal(provider, {
     provider,
     resourceMetadata
   );
+  await ((_a3 = provider.validateAuthorizationServerURL) == null ? void 0 : _a3.call(
+    provider,
+    serverUrl,
+    authorizationServerUrl
+  ));
   const metadata = await discoverAuthorizationServerMetadata(
     authorizationServerUrl,
     {
       fetchFn
     }
   );
+  const currentAuthorizationServerInformation = createAuthorizationServerInformation(authorizationServerUrl, metadata);
   let clientInformation = await Promise.resolve(provider.clientInformation());
   if (!clientInformation) {
     if (authorizationCode !== void 0) {
@@ -1015,8 +1127,11 @@ async function authInternal(provider, {
       clientMetadata: provider.clientMetadata,
       fetchFn
     });
-    await provider.saveClientInformation(fullInformation);
-    clientInformation = fullInformation;
+    clientInformation = addAuthorizationServerInformationToClientInformation(
+      fullInformation,
+      currentAuthorizationServerInformation
+    );
+    await provider.saveClientInformation(clientInformation);
   }
   if (authorizationCode !== void 0) {
     if (provider.storedState) {
@@ -1027,6 +1142,19 @@ async function authInternal(provider, {
         );
       }
     }
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation
+    });
+    if (!storedAuthorizationServerInformation) {
+      throw new MCPClientOAuthError({
+        message: "Stored OAuth authorization server metadata is required when exchanging an authorization code"
+      });
+    }
+    assertAuthorizationServerInformationMatches({
+      storedAuthorizationServerInformation,
+      currentAuthorizationServerInformation
+    });
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1038,22 +1166,47 @@ async function authInternal(provider, {
       addClientAuthentication: provider.addClientAuthentication,
       fetchFn
     });
-    await provider.saveTokens(tokens2);
+    await provider.saveTokens(
+      addAuthorizationServerInformationToTokens(
+        tokens2,
+        currentAuthorizationServerInformation
+      )
+    );
     return "AUTHORIZED";
   }
   const tokens = await provider.tokens();
   if (tokens == null ? void 0 : tokens.refresh_token) {
-    try {
-      const newTokens = await refreshAuthorization(authorizationServerUrl, {
-        metadata,
-        clientInformation,
-        refreshToken: tokens.refresh_token,
-        resource,
-        addClientAuthentication: provider.addClientAuthentication,
-        fetchFn
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation,
+      tokens
+    });
+    if (storedAuthorizationServerInformation) {
+      assertAuthorizationServerInformationMatches({
+        storedAuthorizationServerInformation,
+        currentAuthorizationServerInformation
       });
-      await provider.saveTokens(newTokens);
-      return "AUTHORIZED";
+    } else {
+      await ((_b3 = provider.invalidateCredentials) == null ? void 0 : _b3.call(provider, "tokens"));
+    }
+    try {
+      if (storedAuthorizationServerInformation) {
+        const newTokens = await refreshAuthorization(authorizationServerUrl, {
+          metadata,
+          clientInformation,
+          refreshToken: tokens.refresh_token,
+          resource,
+          addClientAuthentication: provider.addClientAuthentication,
+          fetchFn
+        });
+        await provider.saveTokens(
+          addAuthorizationServerInformationToTokens(
+            newTokens,
+            currentAuthorizationServerInformation
+          )
+        );
+        return "AUTHORIZED";
+      }
     } catch (error) {
       if (
         // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
@@ -1079,6 +1232,16 @@ async function authInternal(provider, {
       resource
     }
   );
+  const savedAuthorizationServerInformation = await saveAuthorizationServerInformation({
+    provider,
+    clientInformation,
+    authorizationServerInformation: currentAuthorizationServerInformation
+  });
+  if (!savedAuthorizationServerInformation) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata must be saveable before starting authorization"
+    });
+  }
   await provider.saveCodeVerifier(codeVerifier);
   await provider.redirectToAuthorization(authorizationUrl);
   return "REDIRECT";
@@ -1100,6 +1263,9 @@ var SseMCPTransport = class {
     this.redirectMode = redirect;
     this.fetchFn = fetchFn != null ? fetchFn : globalThis.fetch;
   }
+  setProtocolVersion(version) {
+    this.protocolVersion = version;
+  }
   async commonHeaders(base) {
     var _a3;
     const headers = {
@@ -1319,6 +1485,9 @@ var HttpMCPTransport = class {
     this.redirectMode = redirect;
     this.fetchFn = fetchFn != null ? fetchFn : globalThis.fetch;
   }
+  setProtocolVersion(version) {
+    this.protocolVersion = version;
+  }
   async commonHeaders(base) {
     var _a3;
     const headers = {
@@ -1762,8 +1931,12 @@ var DefaultMCPClient = class {
       }
       this.serverCapabilities = result.capabilities;
       this._serverInfo = result.serverInfo;
+      if (this.transport.setProtocolVersion) {
+        this.transport.setProtocolVersion(result.protocolVersion);
+      } else {
+        this.transport.protocolVersion = result.protocolVersion;
+      }
       this._serverInstructions = result.instructions;
-      this.transport.protocolVersion = result.protocolVersion;
       await this.notification({
         method: "notifications/initialized"
       });