@context-engine-bridge/context-engine-mcp-bridge 0.0.86 → 0.0.87

  1. package/package.json +1 -1
  2. package/src/oauthHandler.js +18 -20
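--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@context-engine-bridge/context-engine-mcp-bridge",
- "version": "0.0.86",
+ "version": "0.0.87",
  "description": "Context Engine MCP bridge (http/stdio proxy combining indexer + memory servers)",
  "bin": {
  "ctxce": "bin/ctxce.js",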
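--- a/package/src/oauthHandler.js
+++ b/package/src/oauthHandler.js
@@ -560,8 +560,7 @@ export function handleOAuthToken(req, res)
  const code = data.get("code");
  const redirectUri = data.get("redirect_uri");
  const clientId = data.get("client_id");
- // PKCE code_verifier - extracted but not validated yet (local bridge, trusted)
- data.get("code_verifier");
+ const codeVerifier = data.get("code_verifier");
  const grantType = data.get("grant_type");
 
  res.setHeader("Content-Type", "application/json");
@@ -605,24 +604,23 @@ export function handleOAuthToken(req, res)
  return;
  }
 
- // TODO: PKCE validation - disabled for now, no clients implement it yet
- // if (pendingData.codeChallenge && pendingData.codeChallengeMethod === "S256") {
- // const codeVerifier = data.get("code_verifier");
- // if (!codeVerifier) {
- // pendingCodes.delete(code);
- // res.statusCode = 400;
- // res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required for PKCE" }));
- // return;
- // }
- // const crypto = await import("node:crypto");
- // const expectedChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
- // if (expectedChallenge !== pendingData.codeChallenge) {
- // pendingCodes.delete(code);
- // res.statusCode = 400;
- // res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier validation failed" }));
- // return;
- // }
- // }
+ // PKCE validation (RFC 7636)
+ if (pendingData.codeChallenge && pendingData.codeChallengeMethod === "S256") {
+ if (!codeVerifier) {
+ pendingCodes.delete(code);
+ res.statusCode = 400;
+ res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required for PKCE" }));
+ return;
+ }
+ const crypto = await import("node:crypto");
+ const expectedChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+ if (expectedChallenge !== pendingData.codeChallenge) {
+ pendingCodes.delete(code);
+ res.statusCode = 400;
+ res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier validation failed" }));
+ return;
+ }
+ }
 
  // Clean up expired tokens periodically to prevent unbounded growth
  cleanupExpiredTokens();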
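Review bot: The new PKCE block uses `const crypto = await import("node:crypto");` (new line 615), but both hunk headers show the enclosing signature as `export function handleOAuthToken(req, res)` with no `async` keyword; if that signature is current, `await` inside it is a SyntaxError that prevents the whole module from loading, and if the function was made async in a part of the file outside this diff, every caller's handling of the now-returned promise needs checking. Either way the dynamic import is unnecessary: a static `import { createHash } from "node:crypto";` at the top of the file and `const expectedChallenge = createHash("sha256").update(codeVerifier).digest("base64url");` do the same work without changing the function's sync/async nature. Separately, the guard `pendingData.codeChallenge && pendingData.codeChallengeMethod === "S256"` means a pending code whose challenge was recorded with any other method (for example `plain`) is exchanged with no verifier check at all; unless the authorization endpoint is known to reject non-S256 methods, that case should end in `invalid_grant` rather than fall through, and the verifier should be length-checked against RFC 7636's 43–128 character bound before hashing. The body of handleOAuthToken starts and ends outside these hunks, so whether the code is deleted from `pendingCodes` after a successful exchange (single use) cannot be confirmed from the diff.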