npm - @context-engine-bridge/context-engine-mcp-bridge - Versions diffs - 0.0.85 → 0.0.87 - Mend

@context-engine-bridge/context-engine-mcp-bridge 0.0.85 → 0.0.87

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@context-engine-bridge/context-engine-mcp-bridge",
-  "version": "0.0.85",
+  "version": "0.0.87",
   "description": "Context Engine MCP bridge (http/stdio proxy combining indexer + memory servers)",
   "bin": {
     "ctxce": "bin/ctxce.js",

package/src/mcpServer.js CHANGED Viewed

@@ -13,7 +13,6 @@ import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import {
   clearResolvedCollection,
-  loadAnyAuthEntry,
   loadAuthEntry,
   loadResolvedCollection,
   readConfig,
@@ -649,15 +648,8 @@ function resolveAuthBackendContext(indexerUrl, memoryUrl) {
     }
   }
-  try {
-    const any = loadAnyAuthEntry();
-    const stored = normalizeBackendUrl(any?.backendUrl || "");
-    if (stored) {
-      return { backendUrl: stored, source: "auth_entry" };
-    }
-  } catch {
-    // ignore auth config read failures
-  }
+  // Fail-closed: do NOT fall back to loadAnyAuthEntry() here.
+  // Borrowing a session from an unrelated backend is a cross-account leak.
   return { backendUrl: "", source: "" };
 }
@@ -1120,10 +1112,20 @@ async function createBridgeServer(options) {
   let sessionId = explicitSession;
   function sessionFromEntry(entry) {
-    if (!entry || typeof entry.sessionId !== "string" || !entry.sessionId) {
+    if (!entry || typeof entry !== "object") {
+      return "";
+    }
+    // Support both camelCase (sessionId/expiresAt) and snake_case (session_id/expires_at)
+    const sid = (typeof entry.sessionId === "string" && entry.sessionId)
+      ? entry.sessionId
+      : (typeof entry.session_id === "string" && entry.session_id)
+        ? entry.session_id
+        : "";
+    if (!sid) {
       return "";
     }
-    const expiresAt = entry.expiresAt;
+    const expiresAt = (typeof entry.expiresAt === "number") ? entry.expiresAt
+      : (typeof entry.expires_at === "number") ? entry.expires_at : undefined;
     if (
       typeof expiresAt === "number" &&
       Number.isFinite(expiresAt) &&
@@ -1136,9 +1138,9 @@ async function createBridgeServer(options) {
         return "";
       }
       debugLog("[ctxce] Session expired but within 5min grace period; using it (server will validate).");
-      return entry.sessionId;
+      return sid;
     }
-    return entry.sessionId;
+    return sid;
   }
   function findSavedSession(backends) {
@@ -1158,16 +1160,8 @@ async function createBridgeServer(options) {
         // ignore lookup failures
       }
     }
-    try {
-      const any = loadAnyAuthEntry();
-      const session = any ? sessionFromEntry(any.entry) : "";
-      if (session && any?.backendUrl) {
-        backendHint = any.backendUrl;
-        return session;
-      }
-    } catch {
-      // ignore lookup failures
-    }
+    // Fail-closed: do NOT fall back to loadAnyAuthEntry().
+    // Borrowing an unrelated account's session is a cross-account leak.
     return "";
   }

package/src/oauthHandler.js CHANGED Viewed

@@ -560,8 +560,7 @@ export function handleOAuthToken(req, res) {
       const code = data.get("code");
       const redirectUri = data.get("redirect_uri");
       const clientId = data.get("client_id");
-      // PKCE code_verifier - extracted but not validated yet (local bridge, trusted)
-      data.get("code_verifier");
+      const codeVerifier = data.get("code_verifier");
       const grantType = data.get("grant_type");
       res.setHeader("Content-Type", "application/json");
@@ -605,24 +604,23 @@ export function handleOAuthToken(req, res) {
         return;
       }
-      // TODO: PKCE validation - disabled for now, no clients implement it yet
-      // if (pendingData.codeChallenge && pendingData.codeChallengeMethod === "S256") {
-      //   const codeVerifier = data.get("code_verifier");
-      //   if (!codeVerifier) {
-      //     pendingCodes.delete(code);
-      //     res.statusCode = 400;
-      //     res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required for PKCE" }));
-      //     return;
-      //   }
-      //   const crypto = await import("node:crypto");
-      //   const expectedChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
-      //   if (expectedChallenge !== pendingData.codeChallenge) {
-      //     pendingCodes.delete(code);
-      //     res.statusCode = 400;
-      //     res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier validation failed" }));
-      //     return;
-      //   }
-      // }
+      // PKCE validation (RFC 7636)
+      if (pendingData.codeChallenge && pendingData.codeChallengeMethod === "S256") {
+        if (!codeVerifier) {
+          pendingCodes.delete(code);
+          res.statusCode = 400;
+          res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required for PKCE" }));
+          return;
+        }
+        const crypto = await import("node:crypto");
+        const expectedChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+        if (expectedChallenge !== pendingData.codeChallenge) {
+          pendingCodes.delete(code);
+          res.statusCode = 400;
+          res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier validation failed" }));
+          return;
+        }
+      }
       // Clean up expired tokens periodically to prevent unbounded growth
       cleanupExpiredTokens();