npm - @ai-sdk/mcp - Versions diffs - 2.0.0-beta.2 → 2.0.0-beta.21 - Mend

@ai-sdk/mcp 2.0.0-beta.2 → 2.0.0-beta.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/CHANGELOG.md +149 -8
package/dist/index.d.mts +16 -0
package/dist/index.d.ts +16 -0
package/dist/index.js +64 -22
package/dist/index.js.map +1 -1
package/dist/index.mjs +61 -19
package/dist/index.mjs.map +1 -1
package/dist/mcp-stdio/index.js +3 -3
package/dist/mcp-stdio/index.mjs +1 -1
package/package.json +6 -8
package/src/tool/mcp-client.ts +6 -2
package/src/tool/mcp-http-transport.ts +17 -3
package/src/tool/mcp-sse-transport.ts +15 -2
package/src/tool/mcp-transport.ts +16 -0
package/src/tool/oauth.ts +24 -3
package/src/util/oauth-util.ts +13 -0

package/dist/index.mjs CHANGED Viewed

@@ -438,6 +438,13 @@ function resourceUrlFromServerUrl(url) {
   resourceURL.hash = "";
   return resourceURL;
 }
+function resourceUrlStripSlash(resource) {
+  const href = resource.href;
+  if (resource.pathname === "/" && href.endsWith("/")) {
+    return href.slice(0, -1);
+  }
+  return href;
+}
 function checkResourceAllowed({
   requestedResource,
   configuredResource
@@ -676,7 +683,10 @@ async function startAuthorization(authorizationServerUrl, {
     authorizationUrl.searchParams.append("prompt", "consent");
   }
   if (resource) {
-    authorizationUrl.searchParams.set("resource", resource.href);
+    authorizationUrl.searchParams.set(
+      "resource",
+      resourceUrlStripSlash(resource)
+    );
   }
   return { authorizationUrl, codeVerifier };
 }
@@ -785,7 +795,7 @@ async function exchangeAuthorization(authorizationServerUrl, {
     applyClientAuthentication(authMethod, clientInformation, headers, params);
   }
   if (resource) {
-    params.set("resource", resource.href);
+    params.set("resource", resourceUrlStripSlash(resource));
   }
   const response = await (fetchFn != null ? fetchFn : fetch)(tokenUrl, {
     method: "POST",
@@ -837,7 +847,7 @@ async function refreshAuthorization(authorizationServerUrl, {
     applyClientAuthentication(authMethod, clientInformation, headers, params);
   }
   if (resource) {
-    params.set("resource", resource.href);
+    params.set("resource", resourceUrlStripSlash(resource));
   }
   const response = await (fetchFn != null ? fetchFn : fetch)(tokenUrl, {
     method: "POST",
@@ -919,6 +929,7 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 async function authInternal(provider, {
   serverUrl,
   authorizationCode,
+  callbackState,
   scope,
   resourceMetadataUrl,
   fetchFn
@@ -971,6 +982,14 @@ async function authInternal(provider, {
     clientInformation = fullInformation;
   }
   if (authorizationCode !== void 0) {
+    if (provider.storedState) {
+      const expectedState = await provider.storedState();
+      if (expectedState !== void 0 && expectedState !== callbackState) {
+        throw new Error(
+          "OAuth state parameter mismatch - possible CSRF attack"
+        );
+      }
+    }
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1009,6 +1028,9 @@ async function authInternal(provider, {
     }
   }
   const state = provider.state ? await provider.state() : void 0;
+  if (state && provider.saveState) {
+    await provider.saveState(state);
+  }
   const { authorizationUrl, codeVerifier } = await startAuthorization(
     authorizationServerUrl,
     {
@@ -1030,12 +1052,16 @@ var SseMCPTransport = class {
   constructor({
     url,
     headers,
-    authProvider
+    authProvider,
+    redirect = "error",
+    fetch: fetchFn
   }) {
     this.connected = false;
     this.url = new URL(url);
     this.headers = headers;
     this.authProvider = authProvider;
+    this.redirectMode = redirect;
+    this.fetchFn = fetchFn != null ? fetchFn : globalThis.fetch;
   }
   async commonHeaders(base) {
     const headers = {
@@ -1067,16 +1093,18 @@ var SseMCPTransport = class {
           const headers = await this.commonHeaders({
             Accept: "text/event-stream"
           });
-          const response = await fetch(this.url.href, {
+          const response = await this.fetchFn(this.url.href, {
             headers,
-            signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+            signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+            redirect: this.redirectMode
           });
           if (response.status === 401 && this.authProvider && !triedAuth) {
             this.resourceMetadataUrl = extractResourceMetadataUrl(response);
             try {
               const result = await auth(this.authProvider, {
                 serverUrl: this.url,
-                resourceMetadataUrl: this.resourceMetadataUrl
+                resourceMetadataUrl: this.resourceMetadataUrl,
+                fetchFn: this.fetchFn
               });
               if (result !== "AUTHORIZED") {
                 const error = new UnauthorizedError();
@@ -1188,15 +1216,17 @@ var SseMCPTransport = class {
           method: "POST",
           headers,
           body: JSON.stringify(message),
-          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+          redirect: this.redirectMode
         };
-        const response = await fetch(endpoint, init);
+        const response = await this.fetchFn(endpoint.href, init);
         if (response.status === 401 && this.authProvider && !triedAuth) {
           this.resourceMetadataUrl = extractResourceMetadataUrl(response);
           try {
             const result = await auth(this.authProvider, {
               serverUrl: this.url,
-              resourceMetadataUrl: this.resourceMetadataUrl
+              resourceMetadataUrl: this.resourceMetadataUrl,
+              fetchFn: this.fetchFn
             });
             if (result !== "AUTHORIZED") {
               const error = new UnauthorizedError();
@@ -1236,7 +1266,9 @@ var HttpMCPTransport = class {
   constructor({
     url,
     headers,
-    authProvider
+    authProvider,
+    redirect = "error",
+    fetch: fetchFn
   }) {
     this.inboundReconnectAttempts = 0;
     this.reconnectionOptions = {
@@ -1248,6 +1280,8 @@ var HttpMCPTransport = class {
     this.url = new URL(url);
     this.headers = headers;
     this.authProvider = authProvider;
+    this.redirectMode = redirect;
+    this.fetchFn = fetchFn != null ? fetchFn : globalThis.fetch;
   }
   async commonHeaders(base) {
     const headers = {
@@ -1285,10 +1319,11 @@ var HttpMCPTransport = class {
     try {
       if (this.sessionId && this.abortController && !this.abortController.signal.aborted) {
         const headers = await this.commonHeaders({});
-        await fetch(this.url, {
+        await this.fetchFn(this.url.href, {
           method: "DELETE",
           headers,
-          signal: this.abortController.signal
+          signal: this.abortController.signal,
+          redirect: this.redirectMode
         }).catch(() => void 0);
       }
     } catch (e) {
@@ -1308,9 +1343,10 @@ var HttpMCPTransport = class {
           method: "POST",
           headers,
           body: JSON.stringify(message),
-          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+          redirect: this.redirectMode
         };
-        const response = await fetch(this.url, init);
+        const response = await this.fetchFn(this.url.href, init);
         const sessionId = response.headers.get("mcp-session-id");
         if (sessionId) {
           this.sessionId = sessionId;
@@ -1320,7 +1356,8 @@ var HttpMCPTransport = class {
           try {
             const result = await auth(this.authProvider, {
               serverUrl: this.url,
-              resourceMetadataUrl: this.resourceMetadataUrl
+              resourceMetadataUrl: this.resourceMetadataUrl,
+              fetchFn: this.fetchFn
             });
             if (result !== "AUTHORIZED") {
               const error2 = new UnauthorizedError();
@@ -1454,10 +1491,11 @@ var HttpMCPTransport = class {
       if (resumeToken) {
         headers["last-event-id"] = resumeToken;
       }
-      const response = await fetch(this.url.href, {
+      const response = await this.fetchFn(this.url.href, {
         method: "GET",
         headers,
-        signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+        signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+        redirect: this.redirectMode
       });
       const sessionId = response.headers.get("mcp-session-id");
       if (sessionId) {
@@ -1468,7 +1506,8 @@ var HttpMCPTransport = class {
         try {
           const result = await auth(this.authProvider, {
             serverUrl: this.url,
-            resourceMetadataUrl: this.resourceMetadataUrl
+            resourceMetadataUrl: this.resourceMetadataUrl,
+            fetchFn: this.fetchFn
           });
           if (result !== "AUTHORIZED") {
             const error = new UnauthorizedError();
@@ -1903,6 +1942,9 @@ var DefaultMCPClient = class {
         var _a4;
         (_a4 = options == null ? void 0 : options.abortSignal) == null ? void 0 : _a4.throwIfAborted();
         const result = await self.callTool({ name: name3, args, options });
+        if (result.isError) {
+          return result;
+        }
         if (outputSchema != null) {
           return self.extractStructuredContent(result, outputSchema, name3);
         }