@gavdi/cap-mcp 1.5.0 → 1.5.1

package/lib/auth/utils.js

@@ -282,16 +282,25 @@ function registerOAuthEndpoints(expressApp, credentials, kind) {
             registration_endpoint_auth_methods_supported: ["client_secret_basic"],
         });
     });
+    // BUG: This element has been commented out as a part of a hotfix for authorization flows.
+    // It should not be included again until further investigation has been done, but a patch will have to be released to remedy this.
+    // This is likely related to the fact that most MCP clients do not include application/json as their preferred response time when authenticating,
+    // causing issues when targeting SAP's XSUAA service, that will default to HTML.
+    //
     // RFC 9728: OAuth 2.0 Protected Resource Metadata endpoint
-    expressApp.get("/.well-known/oauth-protected-resource", (req, res) => {
-        const baseUrl = (0, host_resolver_1.buildPublicBaseUrl)(req);
-        res.json({
-            resource: baseUrl,
-            authorization_servers: [credentials.url],
-            bearer_methods_supported: ["header"],
-            resource_documentation: `${baseUrl}/mcp/health`,
-        });
-    });
+    // expressApp.get(
+    //   "/.well-known/oauth-protected-resource",
+    //   (req: Request, res: Response): void => {
+    //     const baseUrl = buildPublicBaseUrl(req);
+    //
+    //     res.json({
+    //       resource: baseUrl,
+    //       authorization_servers: [credentials.url],
+    //       bearer_methods_supported: ["header"],
+    //       resource_documentation: `${baseUrl}/mcp/health`,
+    //     });
+    //   },
+    // );
     // OAuth Dynamic Client Registration discovery endpoint (GET)
     expressApp.get("/oauth/register", async (req, res) => {
         const baseUrl = (0, host_resolver_1.buildPublicBaseUrl)(req);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gavdi/cap-mcp",
-  "version": "1.5.0",
+  "version": "1.5.1",
   "description": "MCP Plugin for CAP",
   "keywords": [
     "MCP",