npm - @ai-sdk/mcp - Versions diffs - 1.0.49 → 1.0.50 - Mend

@ai-sdk/mcp 1.0.49 → 1.0.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -692,15 +692,18 @@ async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn =
 function buildDiscoveryUrls(authorizationServerUrl) {
   const url = typeof authorizationServerUrl === "string" ? new URL(authorizationServerUrl) : authorizationServerUrl;
   const hasPath = url.pathname !== "/";
+  const rootIssuer = url.origin;
   const urlsToTry = [];
   if (!hasPath) {
     urlsToTry.push({
       url: new URL("/.well-known/oauth-authorization-server", url.origin),
-      type: "oauth"
+      type: "oauth",
+      expectedIssuer: rootIssuer
     });
     urlsToTry.push({
       url: new URL("/.well-known/openid-configuration", url.origin),
-      type: "oidc"
+      type: "oidc",
+      expectedIssuer: rootIssuer
     });
     return urlsToTry;
   }
@@ -708,27 +711,39 @@ function buildDiscoveryUrls(authorizationServerUrl) {
   if (pathname.endsWith("/")) {
     pathname = pathname.slice(0, -1);
   }
+  const pathIssuer = `${url.origin}${pathname}`;
   urlsToTry.push({
     url: new URL(
       `/.well-known/oauth-authorization-server${pathname}`,
       url.origin
     ),
-    type: "oauth"
+    type: "oauth",
+    expectedIssuer: pathIssuer
   });
   urlsToTry.push({
     url: new URL("/.well-known/oauth-authorization-server", url.origin),
-    type: "oauth"
+    type: "oauth",
+    expectedIssuer: rootIssuer
   });
   urlsToTry.push({
     url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
-    type: "oidc"
+    type: "oidc",
+    expectedIssuer: pathIssuer
   });
   urlsToTry.push({
     url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
-    type: "oidc"
+    type: "oidc",
+    expectedIssuer: pathIssuer
   });
   return urlsToTry;
 }
+function assertMetadataIssuerMatches(metadata, expectedIssuer) {
+  if (metadata.issuer !== expectedIssuer) {
+    throw new MCPClientOAuthError({
+      message: `OAuth authorization server metadata issuer ${metadata.issuer} does not match expected issuer ${expectedIssuer}`
+    });
+  }
+}
 async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
   fetchFn = fetch,
   protocolVersion = LATEST_PROTOCOL_VERSION
@@ -736,7 +751,7 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
   var _a3;
   const headers = { "MCP-Protocol-Version": protocolVersion };
   const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
-  for (const { url: endpointUrl, type } of urlsToTry) {
+  for (const { url: endpointUrl, type, expectedIssuer } of urlsToTry) {
     const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
     if (!response) {
       continue;
@@ -750,11 +765,14 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
       );
     }
     if (type === "oauth") {
-      return OAuthMetadataSchema.parse(await response.json());
+      const metadata = OAuthMetadataSchema.parse(await response.json());
+      assertMetadataIssuerMatches(metadata, expectedIssuer);
+      return metadata;
     } else {
       const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(
         await response.json()
       );
+      assertMetadataIssuerMatches(metadata, expectedIssuer);
       if (!((_a3 = metadata.code_challenge_methods_supported) == null ? void 0 : _a3.includes("S256"))) {
         throw new Error(
           `Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`