@aiwerk/mcp-bridge 2.5.2 → 2.5.3

package/dist/src/oauth2-token-manager.js

@@ -4,8 +4,11 @@ export class OAuth2TokenManager {
     logger;
     tokenCache = new Map();
     inflight = new Map();
-    constructor(logger) {
+    authCodeInflight = new Map();
+    tokenStore;
+    constructor(logger, tokenStore) {
         this.logger = logger;
+        this.tokenStore = tokenStore;
     }
     async getToken(config) {
         const key = this.makeKey(config.tokenUrl, config.clientId);
@@ -38,6 +41,92 @@ export class OAuth2TokenManager {
         this.tokenCache.clear();
         this.inflight.clear();
     }
+    /**
+     * Get a token for an authorization_code flow server.
+     * Checks TokenStore, refreshes if expired, throws if unavailable.
+     */
+    async getTokenForAuthCode(serverName, config) {
+        if (!this.tokenStore) {
+            throw new Error(`Authentication required for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+        }
+        const stored = this.tokenStore.load(serverName);
+        if (!stored) {
+            const err = new Error(`Authentication required for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+            err.code = -32007;
+            throw err;
+        }
+        const now = Date.now();
+        if (stored.expiresAt > now) {
+            return stored.accessToken;
+        }
+        // Token expired — try refresh with inflight dedup to avoid
+        // concurrent requests both trying to refresh the same token
+        // (the second refresh would fail because the first invalidated the refresh_token)
+        const existingInflight = this.authCodeInflight.get(serverName);
+        if (existingInflight) {
+            return existingInflight;
+        }
+        const refreshPromise = this.doAuthCodeRefresh(serverName, stored, config);
+        this.authCodeInflight.set(serverName, refreshPromise);
+        try {
+            return await refreshPromise;
+        }
+        finally {
+            this.authCodeInflight.delete(serverName);
+        }
+    }
+    async doAuthCodeRefresh(serverName, stored, config) {
+        if (stored.refreshToken) {
+            try {
+                const refreshed = await this.refreshAuthCodeToken(stored, config);
+                this.tokenStore.save(serverName, refreshed);
+                return refreshed.accessToken;
+            }
+            catch (err) {
+                this.logger.warn("[mcp-bridge] Auth code token refresh failed:", err);
+            }
+        }
+        // Refresh failed or no refresh token
+        this.tokenStore.remove(serverName);
+        const error = new Error(`Authentication expired for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+        error.code = -32006;
+        throw error;
+    }
+    async refreshAuthCodeToken(stored, config) {
+        const formData = new URLSearchParams();
+        formData.set("grant_type", "refresh_token");
+        formData.set("refresh_token", stored.refreshToken);
+        if (config.clientId)
+            formData.set("client_id", config.clientId);
+        if (config.clientSecret)
+            formData.set("client_secret", config.clientSecret);
+        if (config.scopes?.length)
+            formData.set("scope", config.scopes.join(" "));
+        const response = await fetch(stored.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: formData.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`OAuth2 refresh token exchange failed: HTTP ${response.status}`);
+        }
+        const payload = (await response.json());
+        if (!payload.access_token) {
+            throw new Error("OAuth2 refresh response missing access_token");
+        }
+        const expiresIn = Number.isFinite(payload.expires_in)
+            ? Number(payload.expires_in)
+            : DEFAULT_EXPIRES_IN_SECONDS;
+        const expiresAt = Date.now() + Math.max(0, expiresIn - EXPIRY_BUFFER_SECONDS) * 1000;
+        return {
+            accessToken: payload.access_token,
+            refreshToken: payload.refresh_token ?? stored.refreshToken,
+            expiresAt,
+            tokenUrl: stored.tokenUrl,
+            clientId: config.clientId,
+            scopes: config.scopes,
+        };
+    }
     makeKey(tokenUrl, clientId) {
         return `${tokenUrl}::${clientId}`;
     }

package/dist/src/security.d.ts

@@ -16,6 +16,10 @@ export declare function isToolAllowed(toolName: string, serverConfig: McpServerC
 /**
  * Apply max result size truncation.
  * Returns the result as-is or a truncation wrapper.
+ *
+ * Uses JSON-aware truncation: tries to produce valid JSON by truncating
+ * at the object/array level rather than slicing raw JSON strings
+ * (which produces invalid JSON that LLMs may hallucinate around).
  */
 export declare function applyMaxResultSize(result: any, serverConfig: McpServerConfig, clientConfig: McpClientConfig): any;
 /**

package/dist/src/security.js

@@ -87,6 +87,10 @@ export function isToolAllowed(toolName, serverConfig) {
 /**
  * Apply max result size truncation.
  * Returns the result as-is or a truncation wrapper.
+ *
+ * Uses JSON-aware truncation: tries to produce valid JSON by truncating
+ * at the object/array level rather than slicing raw JSON strings
+ * (which produces invalid JSON that LLMs may hallucinate around).
  */
 export function applyMaxResultSize(result, serverConfig, clientConfig) {
     const limit = serverConfig.maxResultChars ?? clientConfig.maxResultChars;
@@ -95,12 +99,95 @@ export function applyMaxResultSize(result, serverConfig, clientConfig) {
     const serialized = JSON.stringify(result);
     if (serialized.length <= limit)
         return result;
+    // Try JSON-aware truncation: if the result is an array, take fewer elements;
+    // if it's an object with a nested array, truncate the largest array.
+    const truncated = truncateJsonAware(result, limit);
+    if (truncated !== null) {
+        return {
+            _truncated: true,
+            _originalLength: serialized.length,
+            result: truncated,
+        };
+    }
+    // Fallback: stringify and cut at a safe boundary, then wrap as a string
+    // to ensure the consumer always gets valid JSON
+    let cutPoint = Math.min(limit, serialized.length);
+    // Try to cut at the last complete JSON token boundary (comma, closing bracket, or newline)
+    const lastSafe = Math.max(serialized.lastIndexOf(",", cutPoint), serialized.lastIndexOf("}", cutPoint), serialized.lastIndexOf("]", cutPoint), serialized.lastIndexOf("\n", cutPoint));
+    if (lastSafe > cutPoint * 0.5) {
+        cutPoint = lastSafe + 1;
+    }
     return {
         _truncated: true,
         _originalLength: serialized.length,
-        result: serialized.slice(0, limit),
+        result: serialized.slice(0, cutPoint) + "…",
+        _note: "Result truncated. Original response exceeded size limit.",
     };
 }
+/**
+ * JSON-aware truncation: reduce array sizes to fit within the char limit.
+ * Returns the truncated value or null if not applicable.
+ */
+function truncateJsonAware(value, limit) {
+    if (Array.isArray(value)) {
+        return truncateArray(value, limit);
+    }
+    if (value !== null && typeof value === "object") {
+        // Find the largest array field and truncate it
+        let largestKey = null;
+        let largestLen = 0;
+        for (const [k, v] of Object.entries(value)) {
+            if (Array.isArray(v) && v.length > largestLen) {
+                largestKey = k;
+                largestLen = v.length;
+            }
+        }
+        if (largestKey && largestLen > 1) {
+            const copy = { ...value };
+            copy[largestKey] = truncateArray(value[largestKey], limit);
+            if (JSON.stringify(copy).length <= limit) {
+                return copy;
+            }
+            // Still too large — try with fewer elements
+            return truncateObjectWithArrays(value, limit);
+        }
+    }
+    return null;
+}
+function truncateArray(arr, limit) {
+    // Binary search for the number of elements that fit
+    let lo = 0;
+    let hi = arr.length;
+    while (lo < hi) {
+        const mid = (lo + hi + 1) >>> 1;
+        const slice = arr.slice(0, mid);
+        if (JSON.stringify(slice).length <= limit) {
+            lo = mid;
+        }
+        else {
+            hi = mid - 1;
+        }
+    }
+    return arr.slice(0, Math.max(1, lo));
+}
+function truncateObjectWithArrays(obj, limit) {
+    const copy = { ...obj };
+    // Progressively halve all arrays until it fits
+    for (let attempt = 0; attempt < 10; attempt++) {
+        let changed = false;
+        for (const [k, v] of Object.entries(copy)) {
+            if (Array.isArray(v) && v.length > 1) {
+                copy[k] = v.slice(0, Math.max(1, Math.ceil(v.length / 2)));
+                changed = true;
+            }
+        }
+        if (JSON.stringify(copy).length <= limit)
+            return copy;
+        if (!changed)
+            break;
+    }
+    return null;
+}
 /**
  * Apply trust level wrapping/sanitization.
  */

package/dist/src/standalone-server.js

@@ -6,6 +6,7 @@ import { SseTransport } from "./transport-sse.js";
 import { StdioTransport } from "./transport-stdio.js";
 import { StreamableHttpTransport } from "./transport-streamable-http.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
+import { FileTokenStore } from "./token-store.js";
 /**
  * Standalone MCP server that wraps the router.
  * Implements the MCP protocol (initialize, tools/list, tools/call)
@@ -25,7 +26,7 @@ export class StandaloneServer {
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
-        this.tokenManager = new OAuth2TokenManager(logger);
+        this.tokenManager = new OAuth2TokenManager(logger, new FileTokenStore());
         if (this.isRouterMode()) {
             this.router = new McpRouter(config.servers || {}, config, logger);
         }
@@ -408,11 +409,11 @@ export class StandaloneServer {
         };
         switch (serverConfig.transport) {
             case "sse":
-                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
             case "stdio":
                 return new StdioTransport(serverConfig, this.config, this.logger, onReconnected, () => this.nextRequestId());
             case "streamable-http":
-                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
             default:
                 throw new Error(`Unsupported transport: ${serverConfig.transport}`);
         }

package/dist/src/token-store.d.ts

@@ -0,0 +1,30 @@
+export interface StoredToken {
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt: number;
+    tokenUrl: string;
+    clientId?: string;
+    scopes?: string[];
+}
+export interface TokenStore {
+    load(serverName: string): StoredToken | null;
+    save(serverName: string, token: StoredToken): void;
+    remove(serverName: string): void;
+    list(): {
+        serverName: string;
+        token: StoredToken;
+    }[];
+}
+export declare class FileTokenStore implements TokenStore {
+    private readonly tokensDir;
+    constructor(tokensDir?: string);
+    load(serverName: string): StoredToken | null;
+    save(serverName: string, token: StoredToken): void;
+    remove(serverName: string): void;
+    list(): {
+        serverName: string;
+        token: StoredToken;
+    }[];
+    private tokenPath;
+    private ensureDir;
+}

package/dist/src/token-store.js

@@ -0,0 +1,69 @@
+import { readFileSync, writeFileSync, unlinkSync, readdirSync, existsSync, mkdirSync, chmodSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+const DEFAULT_TOKENS_DIR = join(homedir(), ".mcp-bridge", "tokens");
+export class FileTokenStore {
+    tokensDir;
+    constructor(tokensDir) {
+        this.tokensDir = tokensDir ?? DEFAULT_TOKENS_DIR;
+    }
+    load(serverName) {
+        const filePath = this.tokenPath(serverName);
+        if (!existsSync(filePath))
+            return null;
+        try {
+            const raw = JSON.parse(readFileSync(filePath, "utf-8"));
+            if (!raw.accessToken || !raw.tokenUrl || typeof raw.expiresAt !== "number") {
+                return null;
+            }
+            return raw;
+        }
+        catch {
+            return null;
+        }
+    }
+    save(serverName, token) {
+        this.ensureDir();
+        const filePath = this.tokenPath(serverName);
+        writeFileSync(filePath, JSON.stringify(token, null, 2) + "\n", "utf-8");
+        try {
+            chmodSync(filePath, 0o600);
+        }
+        catch { /* Windows doesn't support chmod */ }
+    }
+    remove(serverName) {
+        const filePath = this.tokenPath(serverName);
+        if (existsSync(filePath)) {
+            unlinkSync(filePath);
+        }
+    }
+    list() {
+        if (!existsSync(this.tokensDir))
+            return [];
+        const results = [];
+        for (const file of readdirSync(this.tokensDir)) {
+            if (!file.endsWith(".json"))
+                continue;
+            const serverName = file.slice(0, -5);
+            const token = this.load(serverName);
+            if (token) {
+                results.push({ serverName, token });
+            }
+        }
+        return results;
+    }
+    tokenPath(serverName) {
+        // Sanitize server name to prevent path traversal
+        const safe = serverName.replace(/[^a-zA-Z0-9_-]/g, "_");
+        return join(this.tokensDir, `${safe}.json`);
+    }
+    ensureDir() {
+        if (!existsSync(this.tokensDir)) {
+            mkdirSync(this.tokensDir, { recursive: true });
+            try {
+                chmodSync(this.tokensDir, 0o700);
+            }
+            catch { /* Windows */ }
+        }
+    }
+}

package/dist/src/transport-base.d.ts

@@ -1,5 +1,5 @@
 import { McpTransport, McpRequest, McpResponse, McpServerConfig, McpClientConfig, Logger, JsonRpcMessage, RequestIdGenerator } from "./types.js";
-import type { OAuth2Config, OAuth2TokenManager } from "./oauth2-token-manager.js";
+import type { OAuth2Config, AuthCodeOAuth2Config, OAuth2TokenManager } from "./oauth2-token-manager.js";
 export type PendingRequest = {
     resolve: (value: McpResponse) => void;
     reject: (reason: Error) => void;
@@ -78,13 +78,19 @@ export declare function resolveArgs(args: string[], extraEnv?: Record<string, st
  * Resolve auth config into HTTP headers.
  */
 export declare function resolveAuthHeaders(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Record<string, string>;
+/** Check whether an oauth2 auth config uses the authorization_code grant type. */
+export declare function isAuthCodeOAuth2(auth: {
+    type: "oauth2";
+    grantType?: string;
+}): boolean;
 export declare function resolveOAuth2Config(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): OAuth2Config;
-export declare function resolveAuthHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Promise<Record<string, string>>;
+export declare function resolveAuthCodeOAuth2Config(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): AuthCodeOAuth2Config;
+export declare function resolveAuthHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>, serverName?: string): Promise<Record<string, string>>;
 /**
  * Resolve server headers and merge auth headers (auth takes precedence).
  */
 export declare function resolveServerHeaders(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Record<string, string>;
-export declare function resolveServerHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Promise<Record<string, string>>;
+export declare function resolveServerHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>, serverName?: string): Promise<Record<string, string>>;
 /**
  * Warn if a URL uses non-TLS HTTP to a remote (non-localhost) host.
  */

package/dist/src/transport-base.js

@@ -181,25 +181,54 @@ export function resolveAuthHeaders(config, extraEnv, envFallback) {
     }
     throw new Error("[mcp-bridge] OAuth2 auth requires async header resolution via resolveAuthHeadersAsync");
 }
+/** Check whether an oauth2 auth config uses the authorization_code grant type. */
+export function isAuthCodeOAuth2(auth) {
+    return auth.grantType === "authorization_code";
+}
 export function resolveOAuth2Config(config, extraEnv, envFallback) {
     if (!config.auth || config.auth.type !== "oauth2") {
         throw new Error("[mcp-bridge] resolveOAuth2Config called for non-oauth2 auth config");
     }
+    if (isAuthCodeOAuth2(config.auth)) {
+        throw new Error("[mcp-bridge] resolveOAuth2Config called for authorization_code config — use resolveAuthCodeOAuth2Config instead");
+    }
     const scopes = config.auth.scopes?.map((scope, index) => resolveEnvVars(scope, `oauth2 scope[${index}]`, extraEnv, envFallback));
     return {
         clientId: resolveEnvVars(config.auth.clientId, "oauth2 clientId", extraEnv, envFallback),
         clientSecret: resolveEnvVars(config.auth.clientSecret, "oauth2 clientSecret", extraEnv, envFallback),
         tokenUrl: resolveEnvVars(config.auth.tokenUrl, "oauth2 tokenUrl", extraEnv, envFallback),
         ...(scopes && scopes.length > 0 ? { scopes } : {}),
-        ...(config.auth.audience
+        ...("audience" in config.auth && config.auth.audience
             ? { audience: resolveEnvVars(config.auth.audience, "oauth2 audience", extraEnv, envFallback) }
             : {}),
     };
 }
-export async function resolveAuthHeadersAsync(config, tokenManager, extraEnv, envFallback) {
+export function resolveAuthCodeOAuth2Config(config, extraEnv, envFallback) {
+    if (!config.auth || config.auth.type !== "oauth2" || !isAuthCodeOAuth2(config.auth)) {
+        throw new Error("[mcp-bridge] resolveAuthCodeOAuth2Config called for non-authorization_code auth config");
+    }
+    const auth = config.auth;
+    const scopes = auth.scopes?.map((scope, index) => resolveEnvVars(scope, `oauth2 scope[${index}]`, extraEnv, envFallback));
+    return {
+        grantType: "authorization_code",
+        tokenUrl: resolveEnvVars(auth.tokenUrl, "oauth2 tokenUrl", extraEnv, envFallback),
+        ...(auth.clientId ? { clientId: resolveEnvVars(auth.clientId, "oauth2 clientId", extraEnv, envFallback) } : {}),
+        ...(auth.clientSecret ? { clientSecret: resolveEnvVars(auth.clientSecret, "oauth2 clientSecret", extraEnv, envFallback) } : {}),
+        ...(scopes && scopes.length > 0 ? { scopes } : {}),
+    };
+}
+export async function resolveAuthHeadersAsync(config, tokenManager, extraEnv, envFallback, serverName) {
     if (!config.auth)
         return {};
     if (config.auth.type === "oauth2") {
+        if (isAuthCodeOAuth2(config.auth)) {
+            if (!serverName) {
+                throw new Error("[mcp-bridge] serverName is required for authorization_code OAuth2 flow");
+            }
+            const authCodeConfig = resolveAuthCodeOAuth2Config(config, extraEnv, envFallback);
+            const token = await tokenManager.getTokenForAuthCode(serverName, authCodeConfig);
+            return { Authorization: `Bearer ${token}` };
+        }
         const oauth2Config = resolveOAuth2Config(config, extraEnv, envFallback);
         const token = await tokenManager.getToken(oauth2Config);
         return { Authorization: `Bearer ${token}` };
@@ -214,9 +243,9 @@ export function resolveServerHeaders(config, extraEnv, envFallback) {
     const auth = resolveAuthHeaders(config, extraEnv, envFallback);
     return { ...base, ...auth };
 }
-export async function resolveServerHeadersAsync(config, tokenManager, extraEnv, envFallback) {
+export async function resolveServerHeadersAsync(config, tokenManager, extraEnv, envFallback, serverName) {
     const base = resolveEnvRecord(config.headers || {}, "header", extraEnv, envFallback);
-    const auth = await resolveAuthHeadersAsync(config, tokenManager, extraEnv, envFallback);
+    const auth = await resolveAuthHeadersAsync(config, tokenManager, extraEnv, envFallback, serverName);
     return { ...base, ...auth };
 }
 /**

package/dist/src/transport-sse.d.ts

@@ -7,8 +7,9 @@ export declare class SseTransport extends BaseTransport {
     private resolvedHeaders;
     private pendingRequestControllers;
     private readonly tokenManager;
+    private readonly serverName?;
     protected get transportName(): string;
-    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: RequestIdGenerator);
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: RequestIdGenerator, serverName?: string);
     connect(): Promise<void>;
     private _onEndpointReceived;
     private getBaseHeaders;

package/dist/src/transport-sse.js

@@ -1,15 +1,17 @@
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
-import { BaseTransport, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
+import { BaseTransport, isAuthCodeOAuth2, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export class SseTransport extends BaseTransport {
     endpointUrl = null;
     sseAbortController = null;
     resolvedHeaders = null;
     pendingRequestControllers = new Map();
     tokenManager;
+    serverName;
     get transportName() { return "SSE"; }
-    constructor(config, clientConfig, logger, onReconnected, tokenManager, requestIdGenerator) {
+    constructor(config, clientConfig, logger, onReconnected, tokenManager, requestIdGenerator, serverName) {
         super(config, clientConfig, logger, onReconnected, requestIdGenerator);
         this.tokenManager = tokenManager ?? new OAuth2TokenManager(logger);
+        this.serverName = serverName;
     }
     async connect() {
         if (!this.config.url) {
@@ -52,7 +54,7 @@ export class SseTransport extends BaseTransport {
     }
     async refreshResolvedHeaders() {
         if (this.config.auth?.type === "oauth2") {
-            this.resolvedHeaders = await resolveServerHeadersAsync(this.config, this.tokenManager, undefined, this.clientConfig.envFallback);
+            this.resolvedHeaders = await resolveServerHeadersAsync(this.config, this.tokenManager, undefined, this.clientConfig.envFallback, this.serverName);
         }
         else {
             this.resolvedHeaders = resolveServerHeaders(this.config, undefined, this.clientConfig.envFallback);
@@ -63,6 +65,9 @@ export class SseTransport extends BaseTransport {
         if (this.config.auth?.type !== "oauth2") {
             return;
         }
+        if (isAuthCodeOAuth2(this.config.auth)) {
+            return;
+        }
         const oauth2Config = resolveOAuth2Config(this.config, undefined, this.clientConfig.envFallback);
         this.tokenManager.invalidate(oauth2Config.tokenUrl, oauth2Config.clientId);
     }

package/dist/src/transport-stdio.js

@@ -63,7 +63,7 @@ export class StdioTransport extends BaseTransport {
         this.process.stdout.on("data", (data) => {
             this.stdoutBuffer = Buffer.concat([this.stdoutBuffer, data]);
             // Safety limit: prevent unbounded buffer growth from misbehaving servers
-            const MAX_BUFFER = 50 * 1024 * 1024; // 50MB
+            const MAX_BUFFER = 10 * 1024 * 1024; // 10MB
             if (this.stdoutBuffer.length > MAX_BUFFER) {
                 this.logger.error(`[mcp-bridge] Stdio buffer exceeded ${MAX_BUFFER} bytes, killing process`);
                 this.process?.kill();

package/dist/src/transport-streamable-http.d.ts

@@ -6,8 +6,9 @@ export declare class StreamableHttpTransport extends BaseTransport {
     private resolvedHeaders;
     private pendingRequestControllers;
     private readonly tokenManager;
+    private readonly serverName?;
     protected get transportName(): string;
-    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: RequestIdGenerator);
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: RequestIdGenerator, serverName?: string);
     connect(): Promise<void>;
     private getBaseHeaders;
     private refreshResolvedHeaders;

package/dist/src/transport-streamable-http.js

@@ -1,14 +1,16 @@
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
-import { BaseTransport, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
+import { BaseTransport, isAuthCodeOAuth2, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export class StreamableHttpTransport extends BaseTransport {
     sessionId;
     resolvedHeaders = null;
     pendingRequestControllers = new Map();
     tokenManager;
+    serverName;
     get transportName() { return "streamable-http"; }
-    constructor(config, clientConfig, logger, onReconnected, tokenManager, requestIdGenerator) {
+    constructor(config, clientConfig, logger, onReconnected, tokenManager, requestIdGenerator, serverName) {
         super(config, clientConfig, logger, onReconnected, requestIdGenerator);
         this.tokenManager = tokenManager ?? new OAuth2TokenManager(logger);
+        this.serverName = serverName;
     }
     async connect() {
         if (!this.config.url) {
@@ -35,7 +37,7 @@ export class StreamableHttpTransport extends BaseTransport {
     }
     async refreshResolvedHeaders() {
         if (this.config.auth?.type === "oauth2") {
-            this.resolvedHeaders = await resolveServerHeadersAsync(this.config, this.tokenManager, undefined, this.clientConfig.envFallback);
+            this.resolvedHeaders = await resolveServerHeadersAsync(this.config, this.tokenManager, undefined, this.clientConfig.envFallback, this.serverName);
         }
         else {
             this.resolvedHeaders = resolveServerHeaders(this.config, undefined, this.clientConfig.envFallback);
@@ -46,6 +48,10 @@ export class StreamableHttpTransport extends BaseTransport {
         if (this.config.auth?.type !== "oauth2") {
             return;
         }
+        // authorization_code tokens are managed via TokenStore, not the in-memory cache
+        if (isAuthCodeOAuth2(this.config.auth)) {
+            return;
+        }
         const oauth2Config = resolveOAuth2Config(this.config, undefined, this.clientConfig.envFallback);
         this.tokenManager.invalidate(oauth2Config.tokenUrl, oauth2Config.clientId);
     }
@@ -111,10 +117,17 @@ export class StreamableHttpTransport extends BaseTransport {
                     try {
                         const contentType = response.headers.get("content-type") || "";
                         if (contentType.includes("text/event-stream")) {
-                            const text = await response.text();
-                            const lines = text.split("\n");
-                            // SSE event boundary parsing: collect data lines, dispatch on empty line
+                            // Stream SSE response incrementally using ReadableStream
+                            // (previous implementation used response.text() which blocked until
+                            // the entire response was received, causing timeouts on long-running calls)
+                            if (!response.body) {
+                                throw new Error("SSE response has no body stream");
+                            }
+                            const reader = response.body.getReader();
+                            const decoder = new TextDecoder();
+                            let partial = "";
                             let dataBuffer = [];
+                            let hasData = false;
                             const dispatch = () => {
                                 if (dataBuffer.length === 0)
                                     return;
@@ -127,19 +140,37 @@ export class StreamableHttpTransport extends BaseTransport {
                                     // skip malformed events
                                 }
                             };
-                            let hasData = false;
-                            for (const line of lines) {
-                                const trimmed = line.trim();
-                                if (trimmed.startsWith("data:")) {
-                                    dataBuffer.push(trimmed.substring(5).trimStart());
-                                    hasData = true;
+                            try {
+                                while (true) {
+                                    const { done, value } = await reader.read();
+                                    if (done)
+                                        break;
+                                    partial += decoder.decode(value, { stream: true });
+                                    const lines = partial.split("\n");
+                                    // Keep the last (potentially incomplete) line in partial
+                                    partial = lines.pop() || "";
+                                    for (const line of lines) {
+                                        const trimmed = line.trim();
+                                        if (trimmed.startsWith("data:")) {
+                                            dataBuffer.push(trimmed.substring(5).trimStart());
+                                            hasData = true;
+                                        }
+                                        else if (trimmed === "" && dataBuffer.length > 0) {
+                                            dispatch();
+                                        }
+                                    }
                                 }
-                                else if (trimmed === "" && dataBuffer.length > 0) {
-                                    dispatch();
+                                // Process any remaining partial line
+                                if (partial.trim().startsWith("data:")) {
+                                    dataBuffer.push(partial.trim().substring(5).trimStart());
+                                    hasData = true;
                                 }
+                                // Dispatch any trailing data (server may omit final empty line)
+                                dispatch();
+                            }
+                            finally {
+                                reader.releaseLock();
                             }
-                            // Dispatch any trailing data (server may omit final empty line)
-                            dispatch();
                             if (!hasData) {
                                 throw new Error("No data lines in SSE response");
                             }

package/dist/src/types.d.ts

@@ -17,6 +17,15 @@ export type HttpAuthConfig = {
     tokenUrl: string;
     scopes?: string[];
     audience?: string;
+} | {
+    type: "oauth2";
+    grantType: "authorization_code";
+    authorizationUrl: string;
+    tokenUrl: string;
+    clientId?: string;
+    clientSecret?: string;
+    scopes?: string[];
+    callbackPort?: number;
 };
 export interface RetryConfig {
     maxAttempts?: number;