npm - @ai-sdk/mcp - Versions diffs - 2.0.0-beta.2 → 2.0.0-beta.3 - Mend

@ai-sdk/mcp 2.0.0-beta.2 → 2.0.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 # @ai-sdk/mcp
+## 2.0.0-beta.3
+### Patch Changes
+- b9b3899: changeset for #13384
 ## 2.0.0-beta.2
 ### Patch Changes

package/dist/index.d.mts CHANGED Viewed

@@ -182,6 +182,8 @@ interface OAuthClientProvider {
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
     state?(): string | Promise<string>;
+    saveState?(state: string): void | Promise<void>;
+    storedState?(): string | undefined | Promise<string | undefined>;
     validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 declare class UnauthorizedError extends Error {
@@ -190,6 +192,7 @@ declare class UnauthorizedError extends Error {
 declare function auth(provider: OAuthClientProvider, options: {
     serverUrl: string | URL;
     authorizationCode?: string;
+    callbackState?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
     fetchFn?: FetchFunction;

package/dist/index.d.ts CHANGED Viewed

@@ -182,6 +182,8 @@ interface OAuthClientProvider {
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
     state?(): string | Promise<string>;
+    saveState?(state: string): void | Promise<void>;
+    storedState?(): string | undefined | Promise<string | undefined>;
     validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 declare class UnauthorizedError extends Error {
@@ -190,6 +192,7 @@ declare class UnauthorizedError extends Error {
 declare function auth(provider: OAuthClientProvider, options: {
     serverUrl: string | URL;
     authorizationCode?: string;
+    callbackState?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
     fetchFn?: FetchFunction;

package/dist/index.js CHANGED Viewed

@@ -949,6 +949,7 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 async function authInternal(provider, {
   serverUrl,
   authorizationCode,
+  callbackState,
   scope,
   resourceMetadataUrl,
   fetchFn
@@ -1001,6 +1002,14 @@ async function authInternal(provider, {
     clientInformation = fullInformation;
   }
   if (authorizationCode !== void 0) {
+    if (provider.storedState) {
+      const expectedState = await provider.storedState();
+      if (expectedState !== void 0 && expectedState !== callbackState) {
+        throw new Error(
+          "OAuth state parameter mismatch - possible CSRF attack"
+        );
+      }
+    }
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1039,6 +1048,9 @@ async function authInternal(provider, {
     }
   }
   const state = provider.state ? await provider.state() : void 0;
+  if (state && provider.saveState) {
+    await provider.saveState(state);
+  }
   const { authorizationUrl, codeVerifier } = await startAuthorization(
     authorizationServerUrl,
     {