@ai-sdk/mcp 1.0.48 → 1.0.50

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @ai-sdk/mcp
 
+## 1.0.50
+
+### Patch Changes
+
+- ac40275: fix(mcp): validate oauth metadata issuer during discovery
+
+## 1.0.49
+
+### Patch Changes
+
+- 3e8d9ba: fix(mcp): lock first sse endpoint received via event
+- 4fa7354: fix(mcp): prevent prototype-named tools from bypassing the `schemas` allowlist
+
+  When using `client.tools({ schemas })` to expose only an explicitly allowed
+  subset of an MCP server's tools, the allowlist check used the `in` operator,
+  which also matches inherited `Object.prototype` properties. A server-advertised
+  tool named `constructor`, `toString`, `__proto__`, etc. would pass the check
+  even though the developer never defined it in `schemas`, and was then exposed to
+  the model and executable. The check now uses `Object.hasOwn`, so only
+  explicitly defined tools are returned.
+
+- Updated dependencies [bfa5864]
+- Updated dependencies [f42aa79]
+  - @ai-sdk/provider-utils@4.0.29
+
 ## 1.0.48
 
 ### Patch Changes

package/dist/index.js

@@ -722,15 +722,18 @@ async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn =
 function buildDiscoveryUrls(authorizationServerUrl) {
   const url = typeof authorizationServerUrl === "string" ? new URL(authorizationServerUrl) : authorizationServerUrl;
   const hasPath = url.pathname !== "/";
+  const rootIssuer = url.origin;
   const urlsToTry = [];
   if (!hasPath) {
     urlsToTry.push({
       url: new URL("/.well-known/oauth-authorization-server", url.origin),
-      type: "oauth"
+      type: "oauth",
+      expectedIssuer: rootIssuer
     });
     urlsToTry.push({
       url: new URL("/.well-known/openid-configuration", url.origin),
-      type: "oidc"
+      type: "oidc",
+      expectedIssuer: rootIssuer
     });
     return urlsToTry;
   }
@@ -738,27 +741,39 @@ function buildDiscoveryUrls(authorizationServerUrl) {
   if (pathname.endsWith("/")) {
     pathname = pathname.slice(0, -1);
   }
+  const pathIssuer = `${url.origin}${pathname}`;
   urlsToTry.push({
     url: new URL(
       `/.well-known/oauth-authorization-server${pathname}`,
       url.origin
     ),
-    type: "oauth"
+    type: "oauth",
+    expectedIssuer: pathIssuer
   });
   urlsToTry.push({
     url: new URL("/.well-known/oauth-authorization-server", url.origin),
-    type: "oauth"
+    type: "oauth",
+    expectedIssuer: rootIssuer
   });
   urlsToTry.push({
     url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
-    type: "oidc"
+    type: "oidc",
+    expectedIssuer: pathIssuer
   });
   urlsToTry.push({
     url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
-    type: "oidc"
+    type: "oidc",
+    expectedIssuer: pathIssuer
   });
   return urlsToTry;
 }
+function assertMetadataIssuerMatches(metadata, expectedIssuer) {
+  if (metadata.issuer !== expectedIssuer) {
+    throw new MCPClientOAuthError({
+      message: `OAuth authorization server metadata issuer ${metadata.issuer} does not match expected issuer ${expectedIssuer}`
+    });
+  }
+}
 async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
   fetchFn = fetch,
   protocolVersion = LATEST_PROTOCOL_VERSION
@@ -766,7 +781,7 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
   var _a3;
   const headers = { "MCP-Protocol-Version": protocolVersion };
   const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
-  for (const { url: endpointUrl, type } of urlsToTry) {
+  for (const { url: endpointUrl, type, expectedIssuer } of urlsToTry) {
     const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
     if (!response) {
       continue;
@@ -780,11 +795,14 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
       );
     }
     if (type === "oauth") {
-      return OAuthMetadataSchema.parse(await response.json());
+      const metadata = OAuthMetadataSchema.parse(await response.json());
+      assertMetadataIssuerMatches(metadata, expectedIssuer);
+      return metadata;
     } else {
       const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(
         await response.json()
       );
+      assertMetadataIssuerMatches(metadata, expectedIssuer);
       if (!((_a3 = metadata.code_challenge_methods_supported) == null ? void 0 : _a3.includes("S256"))) {
         throw new Error(
           `Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`
@@ -1365,7 +1383,7 @@ var SseMCPTransport = class {
           const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils3.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
-            var _a4, _b4, _c2;
+            var _a4, _b4, _c2, _d2, _e2;
             try {
               while (true) {
                 const { done, value } = await reader.read();
@@ -1380,24 +1398,32 @@ var SseMCPTransport = class {
                 }
                 const { event, data } = value;
                 if (event === "endpoint") {
-                  this.endpoint = new URL(data, this.url);
-                  if (this.endpoint.origin !== this.url.origin) {
+                  if (this.endpoint) {
+                    continue;
+                  }
+                  const endpoint = new URL(data, this.url);
+                  if (endpoint.origin !== this.url.origin) {
+                    this.connected = false;
+                    this.endpoint = void 0;
+                    (_a4 = this.sseConnection) == null ? void 0 : _a4.close();
+                    (_b4 = this.abortController) == null ? void 0 : _b4.abort();
                     throw new MCPClientError({
-                      message: `MCP SSE Transport Error: Endpoint origin does not match connection origin: ${this.endpoint.origin}`
+                      message: `MCP SSE Transport Error: Endpoint origin does not match connection origin: ${endpoint.origin}`
                     });
                   }
+                  this.endpoint = endpoint;
                   this.connected = true;
                   resolve();
                 } else if (event === "message") {
                   try {
                     const message = await parseJSONRPCMessage(data);
-                    (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, message);
+                    (_c2 = this.onmessage) == null ? void 0 : _c2.call(this, message);
                   } catch (error) {
                     const e = new MCPClientError({
                       message: "MCP SSE Transport Error: Failed to parse message",
                       cause: error
                     });
-                    (_b4 = this.onerror) == null ? void 0 : _b4.call(this, e);
+                    (_d2 = this.onerror) == null ? void 0 : _d2.call(this, e);
                   }
                 }
               }
@@ -1405,7 +1431,7 @@ var SseMCPTransport = class {
               if (error instanceof Error && error.name === "AbortError") {
                 return;
               }
-              (_c2 = this.onerror) == null ? void 0 : _c2.call(this, error);
+              (_e2 = this.onerror) == null ? void 0 : _e2.call(this, error);
               reject(error);
             }
           };
@@ -1427,6 +1453,7 @@ var SseMCPTransport = class {
   async close() {
     var _a3, _b3, _c;
     this.connected = false;
+    this.endpoint = void 0;
     (_a3 = this.sseConnection) == null ? void 0 : _a3.close();
     (_b3 = this.abortController) == null ? void 0 : _b3.abort();
     (_c = this.onclose) == null ? void 0 : _c.call(this);
@@ -2199,7 +2226,7 @@ var DefaultMCPClient = class {
       _meta
     } of definitions.tools) {
       const resolvedTitle = title != null ? title : annotations == null ? void 0 : annotations.title;
-      if (schemas !== "automatic" && !(name3 in schemas)) {
+      if (schemas !== "automatic" && !Object.prototype.hasOwnProperty.call(schemas, name3)) {
         continue;
       }
       const self = this;