@gavdi/cap-mcp 0.10.1 → 1.0.0

package/README.md

@@ -3,8 +3,6 @@
 > This implementation is based on the Model Context Protocol (MCP) put forward by Anthropic.
 > For more information on MCP, please have a look at their [official documentation.](https://modelcontextprotocol.io/introduction)
 
-> 🔧 **In active development - 1.0 release scheduled for September 2025**
-
 # CAP-MCP Plugin
 
 A CAP (Cloud Application Programming) plugin that automatically generates Model Context Protocol (MCP) servers from your CAP services using simple annotations.
@@ -21,13 +19,6 @@ By integrating MCP with your CAP applications, you unlock:
 - **Developer Productivity**: Allow AI assistants to help developers understand, query, and work with your CAP data models
 - **Business Intelligence**: Transform your structured business data into AI-queryable resources for insights and analysis
 
-## ⚠️ Development Status
-
-**This plugin is currently in active development and approaching production readiness.**
-APIs and annotations may change in future releases. Authentication and security features are implemented and tested.
-
-Version 1.0 of the plugin is scheduled for release in Summer 2025 after final stability testing and documentation completion.
-
 ## 🚀 Quick Setup
 
 ### Prerequisites
@@ -379,9 +370,10 @@ Disables authentication completely:
 
 #### Authentication Flow
 1. MCP client connects to `/mcp` endpoint
-2. CAP authentication middleware validates credentials (if `auth: "inherit"`)
-3. MCP session established with authenticated user context
-4. All MCP operations (resources, tools, prompts) inherit the authenticated user's permissions
+2. If the authentication style used is OAuth, the OAuth flow will be executed
+3. CAP authentication middleware validates credentials (if `auth: "inherit"`)
+4. MCP session established with authenticated user context
+5. All MCP operations (resources, tools, prompts) inherit the authenticated user's permissions
 
 ### Automatic Features
 

package/lib/auth/{handler.js → factory.js}

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.authHandlerFactory = authHandlerFactory;
 exports.errorHandlerFactory = errorHandlerFactory;
+const xsuaa_service_1 = require("./xsuaa-service");
 /** JSON-RPC 2.0 error code for unauthorized requests */
 const RPC_UNAUTHORIZED = 10;
 /* @ts-ignore */
@@ -32,7 +33,8 @@ const cds = global.cds || require("@sap/cds"); // This is a work around for miss
  */
 function authHandlerFactory() {
     const authKind = cds.env.requires.auth.kind;
-    return (req, res, next) => {
+    const xsuaaService = new xsuaa_service_1.XSUAAService();
+    return async (req, res, next) => {
         if (!req.headers.authorization && authKind !== "dummy") {
             res.status(401).json({
                 jsonrpc: "2.0",
@@ -44,6 +46,25 @@ function authHandlerFactory() {
             });
             return;
         }
+        // For XSUAA/JWT auth types, use @sap/xssec for validation
+        if ((authKind === "jwt" || authKind === "xsuaa") &&
+            xsuaaService.isConfigured()) {
+            const securityContext = await xsuaaService.createSecurityContext(req);
+            if (!securityContext) {
+                res.status(401).json({
+                    jsonrpc: "2.0",
+                    error: {
+                        code: RPC_UNAUTHORIZED,
+                        message: "Invalid or expired token",
+                        id: null,
+                    },
+                });
+                return;
+            }
+            // Add security context to request for later use
+            req.securityContext = securityContext;
+        }
+        // Continue with existing CAP context validation
         const ctx = cds.context;
         if (!ctx) {
             res.status(500).json({

package/lib/auth/handlers.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleTokenRequest = handleTokenRequest;
+const logger_1 = require("../logger");
+/**
+ * Reusable OAuth token handler function
+ * Handles both GET and POST requests by extracting parameters from both query and body
+ * This unified approach follows lemaiwo's successful pattern and works around MCP SDK inconsistencies
+ */
+async function handleTokenRequest(req, res, xsuaaService) {
+    try {
+        const params = { ...req.query, ...req.body };
+        const { grant_type, code, redirect_uri, refresh_token } = params;
+        if (grant_type === "authorization_code") {
+            if (!code || !redirect_uri) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing code or redirect_uri",
+                });
+                return;
+            }
+            const tokenData = await xsuaaService.exchangeCodeForToken(code, redirect_uri);
+            logger_1.LOGGER.debug("[AUTH] Token exchange successful");
+            res.json(tokenData);
+        }
+        else if (grant_type === "refresh_token") {
+            if (!refresh_token) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing refresh_token",
+                });
+                return;
+            }
+            const tokenData = await xsuaaService.refreshAccessToken(refresh_token);
+            logger_1.LOGGER.debug("[AUTH] Token refresh successful");
+            res.json(tokenData);
+        }
+        else {
+            res.status(400).json({
+                error: "unsupported_grant_type",
+                error_description: "Only authorization_code and refresh_token are supported",
+            });
+        }
+    }
+    catch (error) {
+        logger_1.LOGGER.error("OAuth token error:", error);
+        const errorMessage = error instanceof Error ? error.message : "Unknown error";
+        res.status(400).json({
+            error: "invalid_grant",
+            error_description: errorMessage,
+        });
+    }
+}

package/lib/auth/utils.js

@@ -1,13 +1,19 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isAuthEnabled = isAuthEnabled;
 exports.getAccessRights = getAccessRights;
 exports.registerAuthMiddleware = registerAuthMiddleware;
 exports.hasToolOperationAccess = hasToolOperationAccess;
 exports.getWrapAccesses = getWrapAccesses;
-const handler_1 = require("./handler");
-const proxyProvider_js_1 = require("@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js");
-const router_js_1 = require("@modelcontextprotocol/sdk/server/auth/router.js");
+const express_1 = __importDefault(require("express"));
+const helmet_1 = __importDefault(require("helmet"));
+const factory_1 = require("./factory");
+const xsuaa_service_1 = require("./xsuaa-service");
+const handlers_1 = require("./handlers");
+const logger_1 = require("../logger");
 /**
  * @fileoverview Authentication utilities for MCP-CAP integration.
  *
@@ -119,7 +125,7 @@ function getAccessRights(authEnabled) {
 function registerAuthMiddleware(expressApp) {
     const middlewares = cds.middlewares.before; // No types exists for this part of the CDS library
     // Build array of auth middleware to apply
-    const authMiddleware = [];
+    const authMiddleware = []; // Required any as a workaround for untyped cds middleware
     // Add CAP middleware
     middlewares.forEach((mw) => {
         const process = mw.factory();
@@ -128,12 +134,12 @@ function registerAuthMiddleware(expressApp) {
         }
     });
     // Add MCP auth middleware
-    authMiddleware.push((0, handler_1.errorHandlerFactory)());
-    authMiddleware.push((0, handler_1.authHandlerFactory)());
+    authMiddleware.push((0, factory_1.errorHandlerFactory)());
+    authMiddleware.push((0, factory_1.authHandlerFactory)());
+    // If we require OAuth then we should also apply for that
+    configureOAuthProxy(expressApp);
     // Apply auth middleware to all /mcp routes EXCEPT health
     expressApp?.use(/^\/mcp(?!\/health).*/, ...authMiddleware);
-    // Then finally we add the oauth proxy to the xsuaa instance
-    configureOAuthProxy(expressApp);
 }
 /**
  * Configures OAuth proxy middleware for enterprise authentication scenarios.
@@ -175,42 +181,214 @@ function configureOAuthProxy(expressApp) {
     const config = cds.env.requires.auth;
     const kind = config.kind;
     const credentials = config.credentials;
-    // Safety guard - skip OAuth proxy for basic auth types
+    // PRESERVE existing logic - skip OAuth proxy for basic auth types
     if (kind === "dummy" || kind === "mocked" || kind === "basic")
         return;
-    else if (!credentials ||
+    // PRESERVE existing validation
+    if (!credentials ||
         !credentials.clientid ||
         !credentials.clientsecret ||
         !credentials.url) {
         throw new Error("Invalid security credentials");
     }
-    const proxyProvider = new proxyProvider_js_1.ProxyOAuthServerProvider({
-        endpoints: {
-            authorizationUrl: `${credentials.url}/oauth/authorize`,
-            tokenUrl: `${credentials.url}/oauth/token`,
-            revocationUrl: `${credentials.url}/oauth/revoke`,
+    registerOAuthEndpoints(expressApp, credentials);
+}
+/**
+ * Determines the correct protocol (HTTP/HTTPS) for URL construction.
+ * Accounts for reverse proxy headers and production environment defaults.
+ *
+ * @param req - Express request object
+ * @returns Protocol string ('http' or 'https')
+ */
+function getProtocol(req) {
+    // Check for reverse proxy header first (most reliable)
+    if (req.headers["x-forwarded-proto"]) {
+        return req.headers["x-forwarded-proto"];
+    }
+    // Default to HTTPS in production environments
+    const isProduction = process.env.NODE_ENV === "production" || process.env.VCAP_APPLICATION;
+    return isProduction ? "https" : req.protocol;
+}
+/**
+ * Registers OAuth endpoints for XSUAA integration
+ * Only called for jwt/xsuaa/ias auth types with valid credentials
+ */
+function registerOAuthEndpoints(expressApp, credentials) {
+    const xsuaaService = new xsuaa_service_1.XSUAAService();
+    // Add JSON and URL-encoded body parsing for OAuth endpoints
+    expressApp.use("/oauth", express_1.default.json());
+    expressApp.use("/oauth", express_1.default.urlencoded({ extended: true }));
+    // Apply helmet security middleware only to OAuth routes
+    expressApp.use("/oauth", (0, helmet_1.default)({
+        contentSecurityPolicy: {
+            directives: {
+                defaultSrc: ["'self'"],
+                styleSrc: ["'self'", "'unsafe-inline'"],
+                scriptSrc: ["'self'"],
+                imgSrc: ["'self'", "data:", "https:"],
+            },
         },
-        verifyAccessToken: async (token) => {
-            return {
-                token,
-                clientId: credentials.clientid,
-                scopes: ["uaa.resource"],
+    }));
+    // OAuth Authorization endpoint - stateless redirect to XSUAA
+    expressApp.get("/oauth/authorize", (req, res) => {
+        const { state, redirect_uri } = req.query;
+        // Client validation and redirect URI validation is handled by XSUAA
+        // We delegate all client management to XSUAA's built-in OAuth server
+        const protocol = getProtocol(req);
+        const redirectUri = redirect_uri || `${protocol}://${req.get("host")}/oauth/callback`;
+        const authUrl = xsuaaService.getAuthorizationUrl(redirectUri, state);
+        res.redirect(authUrl);
+    });
+    // OAuth Callback endpoint - stateless token exchange
+    expressApp.get("/oauth/callback", async (req, res) => {
+        const { code, state, error, error_description, redirect_uri } = req.query;
+        logger_1.LOGGER.debug("[AUTH] Callback received", code, state);
+        if (error) {
+            res.status(400).json({
+                error: "authorization_failed",
+                error_description: error_description || error,
+            });
+            return;
+        }
+        if (!code) {
+            res.status(400).json({
+                error: "invalid_request",
+                error_description: "Missing authorization code",
+            });
+            return;
+        }
+        try {
+            const protocol = getProtocol(req);
+            const url = redirect_uri || `${protocol}://${req.get("host")}/oauth/callback`;
+            const tokenData = await xsuaaService.exchangeCodeForToken(code, url);
+            res.json(tokenData);
+        }
+        catch (error) {
+            logger_1.LOGGER.error("OAuth callback error:", error);
+            const errorMessage = error instanceof Error ? error.message : "Unknown error";
+            res.status(400).json({
+                error: "token_exchange_failed",
+                error_description: errorMessage,
+            });
+        }
+    });
+    // OAuth Token endpoint - POST (standard OAuth 2.0)
+    expressApp.post("/oauth/token", async (req, res) => {
+        await (0, handlers_1.handleTokenRequest)(req, res, xsuaaService);
+    });
+    // OAuth Discovery endpoint
+    expressApp.get("/.well-known/oauth-authorization-server", (req, res) => {
+        const protocol = getProtocol(req);
+        const baseUrl = `${protocol}://${req.get("host")}`;
+        res.json({
+            issuer: credentials.url,
+            authorization_endpoint: `${baseUrl}/oauth/authorize`,
+            token_endpoint: `${baseUrl}/oauth/token`,
+            registration_endpoint: `${baseUrl}/oauth/register`,
+            response_types_supported: ["code"],
+            grant_types_supported: ["authorization_code", "refresh_token"],
+            code_challenge_methods_supported: ["S256"],
+            // scopes_supported: ["uaa.resource"],
+            token_endpoint_auth_methods_supported: ["client_secret_post"],
+            registration_endpoint_auth_methods_supported: ["client_secret_basic"],
+        });
+    });
+    // OAuth Dynamic Client Registration discovery endpoint (GET)
+    expressApp.get("/oauth/register", async (req, res) => {
+        try {
+            // Simple proxy for discovery - no CSRF needed
+            const response = await fetch(`${credentials.url}/oauth/register`, {
+                method: "GET",
+                headers: {
+                    Authorization: `Basic ${Buffer.from(`${credentials.clientid}:${credentials.clientsecret}`).toString("base64")}`,
+                    Accept: "application/json",
+                },
+            });
+            const xsuaaData = await response.json();
+            // Add missing required fields that MCP client expects
+            const protocol = getProtocol(req);
+            const enhancedResponse = {
+                ...xsuaaData, // Keep all XSUAA fields
+                client_id: credentials.clientid, // Add our CAP app's client ID
+                redirect_uris: [`${protocol}://${req.get("host")}/oauth/callback`], // Add our callback URL for discovery
             };
-        },
-        getClient: async (client_id) => {
-            return {
-                client_secret: credentials.clientsecret,
-                client_id,
-                redirect_uris: ["http://localhost:3000/callback"], // Temporary value for now
+            res.status(response.status).json(enhancedResponse);
+        }
+        catch (error) {
+            logger_1.LOGGER.error("OAuth registration discovery error:", error);
+            res.status(500).json({
+                error: "server_error",
+                error_description: error instanceof Error ? error.message : "Unknown error",
+            });
+        }
+    });
+    // OAuth Dynamic Client Registration endpoint (POST) with CSRF handling
+    expressApp.post("/oauth/register", async (req, res) => {
+        try {
+            // Step 1: Fetch CSRF token from XSUAA
+            const csrfResponse = await fetch(`${credentials.url}/oauth/register`, {
+                method: "GET",
+                headers: {
+                    "X-CSRF-Token": "Fetch",
+                    Authorization: `Basic ${Buffer.from(`${credentials.clientid}:${credentials.clientsecret}`).toString("base64")}`,
+                    Accept: "application/json",
+                },
+            });
+            if (!csrfResponse.ok) {
+                throw new Error(`CSRF fetch failed: ${csrfResponse.status}`);
+            }
+            // Step 2: Extract CSRF token and session cookie
+            const setCookieHeader = csrfResponse.headers.get("set-cookie") || "";
+            const csrfToken = extractCsrfFromCookie(setCookieHeader);
+            if (!csrfToken) {
+                throw new Error("Could not extract CSRF token from XSUAA response");
+            }
+            // Step 3: Make actual registration POST with CSRF token
+            const registrationResponse = await fetch(`${credentials.url}/oauth/register`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "X-CSRF-Token": csrfToken,
+                    Cookie: setCookieHeader,
+                    Authorization: `Basic ${Buffer.from(`${credentials.clientid}:${credentials.clientsecret}`).toString("base64")}`,
+                    Accept: "application/json",
+                },
+                body: JSON.stringify(req.body),
+            });
+            const xsuaaData = await registrationResponse.json();
+            // Add missing required fields that MCP client expects
+            const protocol = getProtocol(req);
+            const enhancedResponse = {
+                ...xsuaaData, // Keep all XSUAA fields
+                client_id: credentials.clientid, // Add our CAP app's client ID
+                client_secret: credentials.clientsecret, // CAP app's client secret
+                redirect_uris: req.body.redirect_uris || [
+                    `${protocol}://${req.get("host")}/oauth/callback`,
+                ], // Use client's redirect URIs
             };
-        },
+            logger_1.LOGGER.debug("[AUTH] Register POST response", enhancedResponse);
+            res.status(registrationResponse.status).json(enhancedResponse);
+        }
+        catch (error) {
+            logger_1.LOGGER.error("OAuth registration error:", error);
+            res.status(500).json({
+                error: "server_error",
+                error_description: error instanceof Error ? error.message : "Unknown error",
+            });
+        }
     });
-    expressApp.use((0, router_js_1.mcpAuthRouter)({
-        provider: proxyProvider,
-        issuerUrl: new URL(credentials.url),
-        //baseUrl: new URL(""), // I have left this out for the time being due to the defaulting to issuer
-        serviceDocumentationUrl: new URL("https://docs.cloudfoundry.org/api/uaa/version/77.34.0/index.html#authorization"),
-    }));
+    logger_1.LOGGER.debug("OAuth endpoints registered for XSUAA integration");
+}
+/**
+ * Extracts CSRF token from XSUAA Set-Cookie header
+ * Looks for "X-Uaa-Csrf=<token>" pattern in the cookie string
+ */
+function extractCsrfFromCookie(setCookieHeader) {
+    if (!setCookieHeader)
+        return null;
+    // Match X-Uaa-Csrf=<token> pattern
+    const csrfMatch = setCookieHeader.match(/X-Uaa-Csrf=([^;,]+)/i);
+    return csrfMatch ? csrfMatch[1] : null;
 }
 /**
  * Checks whether the requesting user's access matches that of the roles required

package/lib/auth/xsuaa-service.js

@@ -0,0 +1,190 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XSUAAService = void 0;
+const xssec = __importStar(require("@sap/xssec"));
+const logger_1 = require("../logger");
+/* @ts-ignore */
+const cds = global.cds || require("@sap/cds");
+/**
+ * XSUAA service using official @sap/xssec library
+ * Leverages SAP's official authentication and validation mechanisms
+ */
+class XSUAAService {
+    credentials;
+    xsuaaService;
+    constructor() {
+        this.credentials = cds.env.requires.auth.credentials;
+        // Initialize XSUAA service from @sap/xssec
+        this.xsuaaService = new xssec.XsuaaService(this.credentials);
+    }
+    isConfigured() {
+        return !!(this.credentials?.clientid &&
+            this.credentials?.clientsecret &&
+            this.credentials?.url);
+    }
+    /**
+     * Generates authorization URL using @sap/xssec
+     */
+    getAuthorizationUrl(redirectUri, state) {
+        const params = new URLSearchParams({
+            response_type: "code",
+            client_id: this.credentials.clientid,
+            redirect_uri: redirectUri,
+            // scope: "uaa.resource",
+        });
+        if (state) {
+            params.append("state", state);
+        }
+        return `${this.credentials.url}/oauth/authorize?${params.toString()}`;
+    }
+    /**
+     * Exchange authorization code for token using @sap/xssec
+     */
+    async exchangeCodeForToken(code, redirectUri) {
+        try {
+            const tokenOptions = {
+                grant_type: "authorization_code",
+                code,
+                redirect_uri: redirectUri,
+            };
+            // Use direct XSUAA token endpoint for authorization code exchange
+            const response = await fetch(`${this.credentials.url}/oauth/token`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Authorization: `Basic ${Buffer.from(`${this.credentials.clientid}:${this.credentials.clientsecret}`).toString("base64")}`,
+                },
+                body: new URLSearchParams(tokenOptions),
+            });
+            if (!response.ok) {
+                const errorData = (await response.json());
+                throw new Error(`Token exchange failed: ${response.status} ${errorData.error_description || errorData.error}`);
+            }
+            return response.json();
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw error;
+            }
+            throw new Error(`Token exchange failed: ${String(error)}`);
+        }
+    }
+    /**
+     * Refresh access token using @sap/xssec
+     */
+    async refreshAccessToken(refreshToken) {
+        try {
+            const response = await fetch(`${this.credentials.url}/oauth/token`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Authorization: `Basic ${Buffer.from(`${this.credentials.clientid}:${this.credentials.clientsecret}`).toString("base64")}`,
+                },
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                }),
+            });
+            if (!response.ok) {
+                const errorData = (await response.json());
+                throw new Error(`Token refresh failed: ${response.status} ${errorData.error_description || errorData.error}`);
+            }
+            return response.json();
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw error;
+            }
+            throw new Error(`Token refresh failed: ${String(error)}`);
+        }
+    }
+    /**
+     * Validate JWT token using @sap/xssec SecurityContext
+     * This is the proper way to validate tokens with XSUAA
+     */
+    async validateToken(accessToken, req) {
+        try {
+            // Create security context using @sap/xssec
+            const securityContext = await xssec.createSecurityContext(this.xsuaaService, {
+                req: req || { headers: { authorization: `Bearer ${accessToken}` } },
+                token: accessToken,
+            });
+            // If security context is created successfully, token is valid
+            return !!securityContext;
+        }
+        catch (error) {
+            // Log validation errors for debugging
+            if (error instanceof xssec.errors.TokenValidationError) {
+                logger_1.LOGGER.warn("Token validation failed:", error.message);
+            }
+            else if (error instanceof Error) {
+                logger_1.LOGGER.warn("Token validation failed:", error.message);
+            }
+            return false;
+        }
+    }
+    /**
+     * Create security context for authenticated requests
+     * Returns null if token is invalid
+     */
+    async createSecurityContext(req) {
+        try {
+            const authHeader = req.headers.authorization;
+            if (!authHeader || !authHeader.startsWith("Bearer ")) {
+                return null;
+            }
+            const token = authHeader.substring(7);
+            const securityContext = await xssec.createSecurityContext(this.xsuaaService, { req, token: token });
+            return securityContext;
+        }
+        catch (error) {
+            if (error instanceof xssec.errors.TokenValidationError) {
+                logger_1.LOGGER.warn("Security context creation failed:", error.message);
+            }
+            else if (error instanceof Error) {
+                logger_1.LOGGER.warn("Security context creation failed:", error.message);
+            }
+            return null;
+        }
+    }
+    /**
+     * Get XSUAA service instance for advanced operations
+     */
+    getXsuaaService() {
+        return this.xsuaaService;
+    }
+}
+exports.XSUAAService = XSUAAService;

package/lib/mcp.js

@@ -12,6 +12,7 @@ const constants_1 = require("./mcp/constants");
 const loader_1 = require("./config/loader");
 const session_manager_1 = require("./mcp/session-manager");
 const utils_2 = require("./auth/utils");
+const helmet_1 = __importDefault(require("helmet"));
 /* @ts-ignore */
 const cds = global.cds; // Use hosting app's CDS instance exclusively
 /**
@@ -40,6 +41,17 @@ class McpPlugin {
         logger_1.LOGGER.debug("Event received for 'bootstrap'");
         this.expressApp = app;
         this.expressApp.use("/mcp", express_1.default.json());
+        // Apply helmet security middleware only to MCP routes
+        this.expressApp.use("/mcp", (0, helmet_1.default)({
+            contentSecurityPolicy: {
+                directives: {
+                    defaultSrc: ["'self'"],
+                    styleSrc: ["'self'", "'unsafe-inline'"],
+                    scriptSrc: ["'self'"],
+                    imgSrc: ["'self'", "data:", "https:"],
+                },
+            },
+        }));
         if (this.config.auth === "inherit") {
             (0, utils_2.registerAuthMiddleware)(this.expressApp);
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gavdi/cap-mcp",
-  "version": "0.10.1",
+  "version": "1.0.0",
   "description": "MCP Pluging for CAP",
   "keywords": [
     "MCP",
@@ -23,9 +23,9 @@
   "scripts": {
     "mock": "npm run start --workspace=test/demo",
     "mock:watch": "npm run build && npm run watch --workspace=test/demo",
-    "test": "NODE_ENV=test jest --silent",
-    "test:unit": "NODE_ENV=test jest --silent test/unit",
-    "test:integration": "NODE_ENV=test jest --silent test/integration",
+    "test": "NODE_ENV=test jest --silent --testTimeout=30000",
+    "test:unit": "NODE_ENV=test jest --silent test/unit --testTimeout=30000",
+    "test:integration": "NODE_ENV=test jest --silent test/integration --testTimeout=30000",
     "build": "tsc",
     "inspect": "npx @modelcontextprotocol/inspector",
     "prepare": "husky",
@@ -42,6 +42,8 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.17.3",
+    "@sap/xssec": "^4.9.1",
+    "helmet": "^8.1.0",
     "zod": "^3.25.67",
     "zod-to-json-schema": "^3.24.5"
   },