@decocms/runtime 1.0.0-alpha.27 → 1.0.0-alpha.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/index.ts +12 -1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@decocms/runtime",
3
- "version": "1.0.0-alpha.27",
3
+ "version": "1.0.0-alpha.28",
4
4
  "type": "module",
5
5
  "dependencies": {
6
6
  "@cloudflare/workers-types": "^4.20250617.0",
package/src/index.ts CHANGED
@@ -310,7 +310,18 @@ export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
310
310
  if (url.pathname === "/mcp") {
311
311
  // If OAuth is configured, require authentication
312
312
  if (oauthHandlers && !oauthHandlers.hasAuth(req)) {
313
- return oauthHandlers.createUnauthorizedResponse(req);
313
+ // Clone request to check method without consuming the original body
314
+ const clonedReq = req.clone();
315
+ try {
316
+ const body = (await clonedReq.json()) as { method?: string };
317
+ // Allow tools/list to pass without auth
318
+ if (body?.method !== "tools/list") {
319
+ return oauthHandlers.createUnauthorizedResponse(req);
320
+ }
321
+ } catch {
322
+ // If body parsing fails, require auth
323
+ return oauthHandlers.createUnauthorizedResponse(req);
324
+ }
314
325
  }
315
326
 
316
327
  return server.fetch(req, env, ctx);