@ai-sdk/mcp 2.0.0-beta.0 → 2.0.0-beta.10

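--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -44,9 +44,10 @@ import { z as z2 } from "zod/v4";
 
  // src/tool/types.ts
  import { z } from "zod/v4";
- var LATEST_PROTOCOL_VERSION = "2025-06-18";
+ var LATEST_PROTOCOL_VERSION = "2025-11-25";
  var SUPPORTED_PROTOCOL_VERSIONS = [
  LATEST_PROTOCOL_VERSION,
+ "2025-06-18",
  "2025-03-26",
  "2024-11-05"
  ];
@@ -918,6 +919,7 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
  async function authInternal(provider, {
  serverUrl,
  authorizationCode,
+ callbackState,
  scope,
  resourceMetadataUrl,
  fetchFn
@@ -970,6 +972,14 @@ async function authInternal(provider, {
  clientInformation = fullInformation;
  }
  if (authorizationCode !== void 0) {
+ if (provider.storedState) {
+ const expectedState = await provider.storedState();
+ if (expectedState !== void 0 && expectedState !== callbackState) {
+ throw new Error(
+ "OAuth state parameter mismatch - possible CSRF attack"
+ );
+ }
+ }
  const codeVerifier2 = await provider.codeVerifier();
  const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
  metadata,
@@ -1008,6 +1018,9 @@ async function authInternal(provider, {
  }
  }
  const state = provider.state ? await provider.state() : void 0;
+ if (state && provider.saveState) {
+ await provider.saveState(state);
+ }
  const { authorizationUrl, codeVerifier } = await startAuthorization(
  authorizationServerUrl,
  {
@@ -1029,12 +1042,14 @@ var SseMCPTransport = class {
  constructor({
  url,
  headers,
- authProvider
+ authProvider,
+ redirect = "error"
  }) {
  this.connected = false;
  this.url = new URL(url);
  this.headers = headers;
  this.authProvider = authProvider;
+ this.redirectMode = redirect;
  }
  async commonHeaders(base) {
  const headers = {
@@ -1068,7 +1083,8 @@ var SseMCPTransport = class {
  });
  const response = await fetch(this.url.href, {
  headers,
- signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+ signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+ redirect: this.redirectMode
  });
  if (response.status === 401 && this.authProvider && !triedAuth) {
  this.resourceMetadataUrl = extractResourceMetadataUrl(response);
@@ -1187,7 +1203,8 @@ var SseMCPTransport = class {
  method: "POST",
  headers,
  body: JSON.stringify(message),
- signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+ signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+ redirect: this.redirectMode
  };
  const response = await fetch(endpoint, init);
  if (response.status === 401 && this.authProvider && !triedAuth) {
@@ -1235,7 +1252,8 @@ var HttpMCPTransport = class {
  constructor({
  url,
  headers,
- authProvider
+ authProvider,
+ redirect = "error"
  }) {
  this.inboundReconnectAttempts = 0;
  this.reconnectionOptions = {
@@ -1247,6 +1265,7 @@ var HttpMCPTransport = class {
  this.url = new URL(url);
  this.headers = headers;
  this.authProvider = authProvider;
+ this.redirectMode = redirect;
  }
  async commonHeaders(base) {
  const headers = {
@@ -1287,7 +1306,8 @@ var HttpMCPTransport = class {
  await fetch(this.url, {
  method: "DELETE",
  headers,
- signal: this.abortController.signal
+ signal: this.abortController.signal,
+ redirect: this.redirectMode
  }).catch(() => void 0);
  }
  } catch (e) {
@@ -1307,7 +1327,8 @@ var HttpMCPTransport = class {
  method: "POST",
  headers,
  body: JSON.stringify(message),
- signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+ signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+ redirect: this.redirectMode
  };
  const response = await fetch(this.url, init);
  const sessionId = response.headers.get("mcp-session-id");
@@ -1456,7 +1477,8 @@ var HttpMCPTransport = class {
  const response = await fetch(this.url.href, {
  method: "GET",
  headers,
- signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+ signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+ redirect: this.redirectMode
  });
  const sessionId = response.headers.get("mcp-session-id");
  if (sessionId) {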
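Review bot: The OAuth state check added in `authInternal` (the `if (provider.storedState)` block) fails open: when `storedState()` resolves to `undefined`, or the provider implements `state` without `saveState`/`storedState`, the authorization code is exchanged with no comparison against `callbackState`. For providers that do persist state, a missing stored value at callback time is better treated as a failure, e.g. `if (expectedState === void 0 || expectedState !== callbackState)`, with the opt-out behaviour of the optional hooks documented. Nothing in the visible hunks clears the saved state after a successful match, so it may remain reusable across callbacks; confirm it is single-use. `authInternal` starts and ends outside these hunks, and this file is built output, so the change belongs in the TypeScript source.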