@ai-sdk/mcp 1.0.49 → 1.0.51
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +12 -0
- package/dist/index.js +35 -11
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +35 -11
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
- package/src/tool/mcp-http-transport.ts +6 -2
- package/src/tool/mcp-sse-transport.ts +5 -1
- package/src/tool/oauth.ts +30 -4
package/dist/index.mjs
CHANGED
|
@@ -692,15 +692,18 @@ async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn =
|
|
|
692
692
|
function buildDiscoveryUrls(authorizationServerUrl) {
|
|
693
693
|
const url = typeof authorizationServerUrl === "string" ? new URL(authorizationServerUrl) : authorizationServerUrl;
|
|
694
694
|
const hasPath = url.pathname !== "/";
|
|
695
|
+
const rootIssuer = url.origin;
|
|
695
696
|
const urlsToTry = [];
|
|
696
697
|
if (!hasPath) {
|
|
697
698
|
urlsToTry.push({
|
|
698
699
|
url: new URL("/.well-known/oauth-authorization-server", url.origin),
|
|
699
|
-
type: "oauth"
|
|
700
|
+
type: "oauth",
|
|
701
|
+
expectedIssuer: rootIssuer
|
|
700
702
|
});
|
|
701
703
|
urlsToTry.push({
|
|
702
704
|
url: new URL("/.well-known/openid-configuration", url.origin),
|
|
703
|
-
type: "oidc"
|
|
705
|
+
type: "oidc",
|
|
706
|
+
expectedIssuer: rootIssuer
|
|
704
707
|
});
|
|
705
708
|
return urlsToTry;
|
|
706
709
|
}
|
|
@@ -708,27 +711,39 @@ function buildDiscoveryUrls(authorizationServerUrl) {
|
|
|
708
711
|
if (pathname.endsWith("/")) {
|
|
709
712
|
pathname = pathname.slice(0, -1);
|
|
710
713
|
}
|
|
714
|
+
const pathIssuer = `${url.origin}${pathname}`;
|
|
711
715
|
urlsToTry.push({
|
|
712
716
|
url: new URL(
|
|
713
717
|
`/.well-known/oauth-authorization-server${pathname}`,
|
|
714
718
|
url.origin
|
|
715
719
|
),
|
|
716
|
-
type: "oauth"
|
|
720
|
+
type: "oauth",
|
|
721
|
+
expectedIssuer: pathIssuer
|
|
717
722
|
});
|
|
718
723
|
urlsToTry.push({
|
|
719
724
|
url: new URL("/.well-known/oauth-authorization-server", url.origin),
|
|
720
|
-
type: "oauth"
|
|
725
|
+
type: "oauth",
|
|
726
|
+
expectedIssuer: rootIssuer
|
|
721
727
|
});
|
|
722
728
|
urlsToTry.push({
|
|
723
729
|
url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
|
|
724
|
-
type: "oidc"
|
|
730
|
+
type: "oidc",
|
|
731
|
+
expectedIssuer: pathIssuer
|
|
725
732
|
});
|
|
726
733
|
urlsToTry.push({
|
|
727
734
|
url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
|
|
728
|
-
type: "oidc"
|
|
735
|
+
type: "oidc",
|
|
736
|
+
expectedIssuer: pathIssuer
|
|
729
737
|
});
|
|
730
738
|
return urlsToTry;
|
|
731
739
|
}
|
|
740
|
+
function assertMetadataIssuerMatches(metadata, expectedIssuer) {
|
|
741
|
+
if (metadata.issuer !== expectedIssuer) {
|
|
742
|
+
throw new MCPClientOAuthError({
|
|
743
|
+
message: `OAuth authorization server metadata issuer ${metadata.issuer} does not match expected issuer ${expectedIssuer}`
|
|
744
|
+
});
|
|
745
|
+
}
|
|
746
|
+
}
|
|
732
747
|
async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
|
|
733
748
|
fetchFn = fetch,
|
|
734
749
|
protocolVersion = LATEST_PROTOCOL_VERSION
|
|
@@ -736,7 +751,7 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
|
|
|
736
751
|
var _a3;
|
|
737
752
|
const headers = { "MCP-Protocol-Version": protocolVersion };
|
|
738
753
|
const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
|
|
739
|
-
for (const { url: endpointUrl, type } of urlsToTry) {
|
|
754
|
+
for (const { url: endpointUrl, type, expectedIssuer } of urlsToTry) {
|
|
740
755
|
const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
|
|
741
756
|
if (!response) {
|
|
742
757
|
continue;
|
|
@@ -750,11 +765,14 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, {
|
|
|
750
765
|
);
|
|
751
766
|
}
|
|
752
767
|
if (type === "oauth") {
|
|
753
|
-
|
|
768
|
+
const metadata = OAuthMetadataSchema.parse(await response.json());
|
|
769
|
+
assertMetadataIssuerMatches(metadata, expectedIssuer);
|
|
770
|
+
return metadata;
|
|
754
771
|
} else {
|
|
755
772
|
const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(
|
|
756
773
|
await response.json()
|
|
757
774
|
);
|
|
775
|
+
assertMetadataIssuerMatches(metadata, expectedIssuer);
|
|
758
776
|
if (!((_a3 = metadata.code_challenge_methods_supported) == null ? void 0 : _a3.includes("S256"))) {
|
|
759
777
|
throw new Error(
|
|
760
778
|
`Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`
|
|
@@ -1248,6 +1266,9 @@ async function authInternal(provider, {
|
|
|
1248
1266
|
}
|
|
1249
1267
|
|
|
1250
1268
|
// src/tool/mcp-sse-transport.ts
|
|
1269
|
+
function isMessageEvent(event) {
|
|
1270
|
+
return event === void 0 || event === "message";
|
|
1271
|
+
}
|
|
1251
1272
|
var SseMCPTransport = class {
|
|
1252
1273
|
constructor({
|
|
1253
1274
|
url,
|
|
@@ -1366,7 +1387,7 @@ var SseMCPTransport = class {
|
|
|
1366
1387
|
this.endpoint = endpoint;
|
|
1367
1388
|
this.connected = true;
|
|
1368
1389
|
resolve();
|
|
1369
|
-
} else if (event
|
|
1390
|
+
} else if (isMessageEvent(event)) {
|
|
1370
1391
|
try {
|
|
1371
1392
|
const message = await parseJSONRPCMessage(data);
|
|
1372
1393
|
(_c2 = this.onmessage) == null ? void 0 : _c2.call(this, message);
|
|
@@ -1473,6 +1494,9 @@ import {
|
|
|
1473
1494
|
withUserAgentSuffix as withUserAgentSuffix2,
|
|
1474
1495
|
getRuntimeEnvironmentUserAgent as getRuntimeEnvironmentUserAgent2
|
|
1475
1496
|
} from "@ai-sdk/provider-utils";
|
|
1497
|
+
function isMessageEvent2(event) {
|
|
1498
|
+
return event === void 0 || event === "message";
|
|
1499
|
+
}
|
|
1476
1500
|
var HttpMCPTransport = class {
|
|
1477
1501
|
constructor({
|
|
1478
1502
|
url,
|
|
@@ -1649,7 +1673,7 @@ var HttpMCPTransport = class {
|
|
|
1649
1673
|
const { done, value } = await reader.read();
|
|
1650
1674
|
if (done) return;
|
|
1651
1675
|
const { event, data } = value;
|
|
1652
|
-
if (event
|
|
1676
|
+
if (isMessageEvent2(event)) {
|
|
1653
1677
|
try {
|
|
1654
1678
|
const msg = await parseJSONRPCMessage(data);
|
|
1655
1679
|
(_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
|
|
@@ -1776,7 +1800,7 @@ var HttpMCPTransport = class {
|
|
|
1776
1800
|
if (id) {
|
|
1777
1801
|
this.lastInboundEventId = id;
|
|
1778
1802
|
}
|
|
1779
|
-
if (event
|
|
1803
|
+
if (isMessageEvent2(event)) {
|
|
1780
1804
|
try {
|
|
1781
1805
|
const msg = await parseJSONRPCMessage(data);
|
|
1782
1806
|
(_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
|