npm - @ai-sdk/mcp - Versions diffs - 2.0.0-canary.58 → 2.0.0-canary.60 - Mend

@ai-sdk/mcp 2.0.0-canary.58 → 2.0.0-canary.60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # @ai-sdk/mcp
+## 2.0.0-canary.60
+### Patch Changes
+- f0c6770: fix(mcp): prevent mcp oauth credential exfiltration during rediscovery
+## 2.0.0-canary.59
+### Patch Changes
+- Updated dependencies [ce769dd]
+  - @ai-sdk/provider@4.0.0-canary.18
+  - @ai-sdk/provider-utils@5.0.0-canary.46
 ## 2.0.0-canary.58
 ### Patch Changes

package/dist/index.d.ts CHANGED Viewed

@@ -77,6 +77,8 @@ declare const OAuthTokensSchema: z.ZodObject<{
     expires_in: z.ZodOptional<z.ZodNumber>;
     scope: z.ZodOptional<z.ZodString>;
     refresh_token: z.ZodOptional<z.ZodString>;
+    authorization_server: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const OAuthMetadataSchema: z.ZodObject<{
     issuer: z.ZodString;
@@ -116,6 +118,8 @@ declare const OAuthClientInformationSchema: z.ZodObject<{
     client_secret: z.ZodOptional<z.ZodString>;
     client_id_issued_at: z.ZodOptional<z.ZodNumber>;
     client_secret_expires_at: z.ZodOptional<z.ZodNumber>;
+    authorization_server: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const OAuthClientMetadataSchema: z.ZodObject<{
     redirect_uris: z.ZodArray<z.ZodString>;
@@ -143,6 +147,10 @@ type AuthorizationServerMetadata = OAuthMetadata | OpenIdProviderDiscoveryMetada
 type OAuthClientMetadata = z.infer<typeof OAuthClientMetadataSchema>;
 type AuthResult = 'AUTHORIZED' | 'REDIRECT';
+interface OAuthAuthorizationServerInformation {
+    authorizationServerUrl: string;
+    tokenEndpoint: string;
+}
 interface OAuthClientProvider {
     /**
      * Returns current access token if present; undefined otherwise.
@@ -181,6 +189,8 @@ interface OAuthClientProvider {
     get clientMetadata(): OAuthClientMetadata;
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
+    authorizationServerInformation?(): OAuthAuthorizationServerInformation | undefined | Promise<OAuthAuthorizationServerInformation | undefined>;
+    saveAuthorizationServerInformation?(authorizationServerInformation: OAuthAuthorizationServerInformation): void | Promise<void>;
     state?(): string | Promise<string>;
     saveState?(state: string): void | Promise<void>;
     storedState?(): string | undefined | Promise<string | undefined>;
@@ -632,4 +642,4 @@ declare function readMCPAppResource({ client, uri, options, }: {
     options?: RequestOptions;
 }): Promise<MCPAppResource>;
-export { type CallToolResult, type Configuration, type ElicitResult, ElicitResultSchema, type ElicitationRequest, ElicitationRequestSchema, type JSONRPCError, type JSONRPCMessage, type JSONRPCNotification, type JSONRPCRequest, type JSONRPCResponse, type ListToolsResult, type MCPAppResource, type MCPAppResourceCSP, type MCPAppResourceMeta, type MCPClient, type ClientCapabilities as MCPClientCapabilities, type MCPClientConfig, type MCPTransport, MCP_APP_MIME_TYPE, type McpProviderMetadata, type OAuthClientInformation, type OAuthClientMetadata, type OAuthClientProvider, type OAuthTokens, UnauthorizedError, auth, createMCPClient, type MCPClient as experimental_MCPClient, type ClientCapabilities as experimental_MCPClientCapabilities, type MCPClientConfig as experimental_MCPClientConfig, createMCPClient as experimental_createMCPClient, mcpAppClientCapabilities, readMCPAppResource, splitMCPAppTools };
+export { type CallToolResult, type Configuration, type ElicitResult, ElicitResultSchema, type ElicitationRequest, ElicitationRequestSchema, type JSONRPCError, type JSONRPCMessage, type JSONRPCNotification, type JSONRPCRequest, type JSONRPCResponse, type ListToolsResult, type MCPAppResource, type MCPAppResourceCSP, type MCPAppResourceMeta, type MCPClient, type ClientCapabilities as MCPClientCapabilities, type MCPClientConfig, type MCPTransport, MCP_APP_MIME_TYPE, type McpProviderMetadata, type OAuthAuthorizationServerInformation, type OAuthClientInformation, type OAuthClientMetadata, type OAuthClientProvider, type OAuthTokens, UnauthorizedError, auth, createMCPClient, type MCPClient as experimental_MCPClient, type ClientCapabilities as experimental_MCPClientCapabilities, type MCPClientConfig as experimental_MCPClientConfig, createMCPClient as experimental_createMCPClient, mcpAppClientCapabilities, readMCPAppResource, splitMCPAppTools };

package/dist/index.js CHANGED Viewed

@@ -312,15 +312,6 @@ import pkceChallenge from "pkce-challenge";
 // src/tool/oauth-types.ts
 import { z as z3 } from "zod/v4";
-var OAuthTokensSchema = z3.object({
-  access_token: z3.string(),
-  id_token: z3.string().optional(),
-  // Optional for OAuth 2.1, but necessary in OpenID Connect
-  token_type: z3.string(),
-  expires_in: z3.number().optional(),
-  scope: z3.string().optional(),
-  refresh_token: z3.string().optional()
-}).strip();
 var SafeUrlSchema = z3.string().url().superRefine((val, ctx) => {
   if (!URL.canParse(val)) {
     ctx.addIssue({
@@ -337,6 +328,17 @@ var SafeUrlSchema = z3.string().url().superRefine((val, ctx) => {
   },
   { message: "URL cannot use javascript:, data:, or vbscript: scheme" }
 );
+var OAuthTokensSchema = z3.object({
+  access_token: z3.string(),
+  id_token: z3.string().optional(),
+  // Optional for OAuth 2.1, but necessary in OpenID Connect
+  token_type: z3.string(),
+  expires_in: z3.number().optional(),
+  scope: z3.string().optional(),
+  refresh_token: z3.string().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
+}).strip();
 var OAuthProtectedResourceMetadataSchema = z3.object({
   resource: z3.string().url(),
   authorization_servers: z3.array(SafeUrlSchema).optional(),
@@ -389,7 +391,9 @@ var OAuthClientInformationSchema = z3.object({
   client_id: z3.string(),
   client_secret: z3.string().optional(),
   client_id_issued_at: z3.number().optional(),
-  client_secret_expires_at: z3.number().optional()
+  client_secret_expires_at: z3.number().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
 }).strip();
 var OAuthClientMetadataSchema = z3.object({
   redirect_uris: z3.array(SafeUrlSchema),
@@ -494,6 +498,106 @@ var UnauthorizedError = class extends Error {
     this.name = "UnauthorizedError";
   }
 };
+function normalizeUrl(url) {
+  return new URL(url).href;
+}
+function createAuthorizationServerInformation(authorizationServerUrl, metadata) {
+  return {
+    authorizationServerUrl: normalizeUrl(authorizationServerUrl),
+    tokenEndpoint: normalizeUrl(
+      (metadata == null ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl)
+    )
+  };
+}
+function addAuthorizationServerInformationToTokens(tokens, authorizationServerInformation) {
+  return {
+    ...tokens,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function addAuthorizationServerInformationToClientInformation(clientInformation, authorizationServerInformation) {
+  return {
+    ...clientInformation,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function getAuthorizationServerInformationFromCredentials(credentials) {
+  if (!(credentials == null ? void 0 : credentials.authorization_server) || !credentials.token_endpoint) {
+    return void 0;
+  }
+  return {
+    authorizationServerUrl: normalizeUrl(credentials.authorization_server),
+    tokenEndpoint: normalizeUrl(credentials.token_endpoint)
+  };
+}
+async function getStoredAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  tokens
+}) {
+  var _a3;
+  const tokenAuthorizationServerInformation = getAuthorizationServerInformationFromCredentials(tokens);
+  if (tokenAuthorizationServerInformation) {
+    return tokenAuthorizationServerInformation;
+  }
+  const providerAuthorizationServerInformation = await ((_a3 = provider.authorizationServerInformation) == null ? void 0 : _a3.call(provider));
+  if (providerAuthorizationServerInformation) {
+    return {
+      authorizationServerUrl: normalizeUrl(
+        providerAuthorizationServerInformation.authorizationServerUrl
+      ),
+      tokenEndpoint: normalizeUrl(
+        providerAuthorizationServerInformation.tokenEndpoint
+      )
+    };
+  }
+  return getAuthorizationServerInformationFromCredentials(clientInformation);
+}
+async function saveAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  authorizationServerInformation
+}) {
+  if (provider.saveAuthorizationServerInformation) {
+    await provider.saveAuthorizationServerInformation(
+      authorizationServerInformation
+    );
+    return true;
+  }
+  if (provider.saveClientInformation) {
+    await provider.saveClientInformation(
+      addAuthorizationServerInformationToClientInformation(
+        clientInformation,
+        authorizationServerInformation
+      )
+    );
+    return true;
+  }
+  return false;
+}
+function assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl) {
+  if (!resourceMetadataUrl) {
+    return;
+  }
+  const expectedOrigin = new URL(serverUrl).origin;
+  if (resourceMetadataUrl.origin !== expectedOrigin) {
+    throw new MCPClientOAuthError({
+      message: `OAuth protected resource metadata URL ${resourceMetadataUrl.href} must have the same origin as the MCP server URL ${expectedOrigin}`
+    });
+  }
+}
+function assertAuthorizationServerInformationMatches({
+  storedAuthorizationServerInformation,
+  currentAuthorizationServerInformation
+}) {
+  if (storedAuthorizationServerInformation.authorizationServerUrl !== currentAuthorizationServerInformation.authorizationServerUrl || storedAuthorizationServerInformation.tokenEndpoint !== currentAuthorizationServerInformation.tokenEndpoint) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata does not match the metadata that issued the stored credentials"
+    });
+  }
+}
 function extractResourceMetadataUrl(response) {
   var _a3;
   const header = (_a3 = response.headers.get("www-authenticate")) != null ? _a3 : response.headers.get("WWW-Authenticate");
@@ -971,8 +1075,10 @@ async function authInternal(provider, {
   resourceMetadataUrl,
   fetchFn
 }) {
+  var _a3;
   let resourceMetadata;
   let authorizationServerUrl;
+  assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl);
   try {
     resourceMetadata = await discoverOAuthProtectedResourceMetadata(
       serverUrl,
@@ -998,6 +1104,7 @@ async function authInternal(provider, {
       fetchFn
     }
   );
+  const currentAuthorizationServerInformation = createAuthorizationServerInformation(authorizationServerUrl, metadata);
   let clientInformation = await Promise.resolve(provider.clientInformation());
   if (!clientInformation) {
     if (authorizationCode !== void 0) {
@@ -1015,8 +1122,11 @@ async function authInternal(provider, {
       clientMetadata: provider.clientMetadata,
       fetchFn
     });
-    await provider.saveClientInformation(fullInformation);
-    clientInformation = fullInformation;
+    clientInformation = addAuthorizationServerInformationToClientInformation(
+      fullInformation,
+      currentAuthorizationServerInformation
+    );
+    await provider.saveClientInformation(clientInformation);
   }
   if (authorizationCode !== void 0) {
     if (provider.storedState) {
@@ -1027,6 +1137,19 @@ async function authInternal(provider, {
         );
       }
     }
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation
+    });
+    if (!storedAuthorizationServerInformation) {
+      throw new MCPClientOAuthError({
+        message: "Stored OAuth authorization server metadata is required when exchanging an authorization code"
+      });
+    }
+    assertAuthorizationServerInformationMatches({
+      storedAuthorizationServerInformation,
+      currentAuthorizationServerInformation
+    });
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1038,22 +1161,47 @@ async function authInternal(provider, {
       addClientAuthentication: provider.addClientAuthentication,
       fetchFn
     });
-    await provider.saveTokens(tokens2);
+    await provider.saveTokens(
+      addAuthorizationServerInformationToTokens(
+        tokens2,
+        currentAuthorizationServerInformation
+      )
+    );
     return "AUTHORIZED";
   }
   const tokens = await provider.tokens();
   if (tokens == null ? void 0 : tokens.refresh_token) {
-    try {
-      const newTokens = await refreshAuthorization(authorizationServerUrl, {
-        metadata,
-        clientInformation,
-        refreshToken: tokens.refresh_token,
-        resource,
-        addClientAuthentication: provider.addClientAuthentication,
-        fetchFn
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation,
+      tokens
+    });
+    if (storedAuthorizationServerInformation) {
+      assertAuthorizationServerInformationMatches({
+        storedAuthorizationServerInformation,
+        currentAuthorizationServerInformation
       });
-      await provider.saveTokens(newTokens);
-      return "AUTHORIZED";
+    } else {
+      await ((_a3 = provider.invalidateCredentials) == null ? void 0 : _a3.call(provider, "tokens"));
+    }
+    try {
+      if (storedAuthorizationServerInformation) {
+        const newTokens = await refreshAuthorization(authorizationServerUrl, {
+          metadata,
+          clientInformation,
+          refreshToken: tokens.refresh_token,
+          resource,
+          addClientAuthentication: provider.addClientAuthentication,
+          fetchFn
+        });
+        await provider.saveTokens(
+          addAuthorizationServerInformationToTokens(
+            newTokens,
+            currentAuthorizationServerInformation
+          )
+        );
+        return "AUTHORIZED";
+      }
     } catch (error) {
       if (
         // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
@@ -1079,6 +1227,16 @@ async function authInternal(provider, {
       resource
     }
   );
+  const savedAuthorizationServerInformation = await saveAuthorizationServerInformation({
+    provider,
+    clientInformation,
+    authorizationServerInformation: currentAuthorizationServerInformation
+  });
+  if (!savedAuthorizationServerInformation) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata must be saveable before starting authorization"
+    });
+  }
   await provider.saveCodeVerifier(codeVerifier);
   await provider.redirectToAuthorization(authorizationUrl);
   return "REDIRECT";