@ai-sdk/mcp 2.0.0-beta.2 → 2.0.0-beta.3

package/dist/index.mjs CHANGED
@@ -919,6 +919,7 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
919
919
  async function authInternal(provider, {
920
920
  serverUrl,
921
921
  authorizationCode,
922
+ callbackState,
922
923
  scope,
923
924
  resourceMetadataUrl,
924
925
  fetchFn
@@ -971,6 +972,14 @@ async function authInternal(provider, {
971
972
  clientInformation = fullInformation;
972
973
  }
973
974
  if (authorizationCode !== void 0) {
975
+ if (provider.storedState) {
976
+ const expectedState = await provider.storedState();
977
+ if (expectedState !== void 0 && expectedState !== callbackState) {
978
+ throw new Error(
979
+ "OAuth state parameter mismatch - possible CSRF attack"
980
+ );
981
+ }
982
+ }
974
983
  const codeVerifier2 = await provider.codeVerifier();
975
984
  const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
976
985
  metadata,
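Review bot: The state check added inside `if (authorizationCode !== void 0)` fails open: when `provider.storedState` is not implemented, or `storedState()` resolves to `undefined` (nothing was saved, or the stored value was lost), the code exchange proceeds without `callbackState` ever being compared. If the opt-in is deliberate for backward compatibility, say so in a comment above the check, e.g. `// State validation is opt-in: providers without storedState()/saveState() get no CSRF check on the callback`. Otherwise compare unconditionally once the provider implements the hook, `if (expectedState !== callbackState) {`, so that a callback carrying a state when nothing was stored is rejected too. The hunk does not show the stored value being cleared after a successful match, so whether a state is single-use cannot be told from here. authInternal's body starts and ends outside the hunk.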
@@ -1009,6 +1018,9 @@ async function authInternal(provider, {
1009
1018
  }
1010
1019
  }
1011
1020
  const state = provider.state ? await provider.state() : void 0;
1021
+ if (state && provider.saveState) {
1022
+ await provider.saveState(state);
1023
+ }
1012
1024
  const { authorizationUrl, codeVerifier } = await startAuthorization(
1013
1025
  authorizationServerUrl,
1014
1026
  {