@kadoa/mcp 0.3.7-rc.1 → 0.3.7-rc.3

package/dist/index.js

@@ -49154,6 +49154,15 @@ async function refreshSupabaseJwt(ctx) {
     ctx.supabaseJwt = data.access_token;
     ctx.supabaseRefreshToken = data.refresh_token;
     ctx.client.setBearerToken(data.access_token);
+    try {
+      await ctx.persist?.({
+        supabaseJwt: ctx.supabaseJwt,
+        supabaseRefreshToken: ctx.supabaseRefreshToken,
+        teamId: ctx.teamId
+      });
+    } catch (e) {
+      console.error("[JWT_REFRESH] WARN: persist failed, tokens updated in-memory only:", e);
+    }
     console.error(`[JWT_REFRESH] OK: token refreshed (team=${ctx.teamId ?? "unknown"}, newRefreshToken=${data.refresh_token.slice(0, 12)}...)`);
     return data.access_token;
   } catch (error48) {
@@ -49990,11 +49999,11 @@ function registerTools(server, ctx) {
       return errorResult(`Team not found: "${identifier}". Available teams: ${teams.map((t) => t.name).join(", ")}`);
     }
     await ctx.client.setActiveTeam(match.id);
+    ctx.teamId = match.id;
     const newJwt = await refreshSupabaseJwt(ctx);
     if (!newJwt) {
       return errorResult("Failed to refresh session after team switch");
     }
-    ctx.teamId = match.id;
     const config2 = loadConfig2();
     config2.teamId = match.id;
     config2.teamName = match.name;
@@ -54060,7 +54069,11 @@ async function refreshSupabaseToken(supabaseRefreshToken, context) {
 function jwtClaims(jwt2) {
   try {
     const payload = JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
-    return { email: payload.email, sub: payload.sub };
+    return {
+      email: payload.email,
+      sub: payload.sub,
+      activeTeamId: payload.app_metadata?.active_team_id
+    };
   } catch {
     return {};
   }
@@ -54367,20 +54380,22 @@ class KadoaOAuthProvider {
     } else {
       console.error(`[AUTH] REFRESH_WARN: using stale Supabase JWT as fallback (${context})`);
     }
+    const freshClaims = jwtClaims(supabaseJwt);
+    const teamId = freshClaims.activeTeamId ?? entry.teamId;
     const newAccessToken = randomToken();
     const newRefreshToken = randomToken();
     const expiresAt = Date.now() + ACCESS_TOKEN_TTL * 1000;
     await this.store.set("access_tokens", newAccessToken, {
       supabaseJwt,
       supabaseRefreshToken,
-      teamId: entry.teamId,
+      teamId,
       clientId: entry.clientId,
       expiresAt
     }, ACCESS_TOKEN_TTL);
     await this.store.set("refresh_tokens", newRefreshToken, {
       supabaseJwt,
       supabaseRefreshToken,
-      teamId: entry.teamId,
+      teamId,
       clientId: entry.clientId
     }, 2592000);
     return {
@@ -55075,17 +55090,18 @@ function resolveAuth(req) {
       jwt: extra.supabaseJwt,
       refreshToken: extra.supabaseRefreshToken ?? "",
       teamId: extra.teamId ?? "",
-      userId
+      userId,
+      mcpToken: req.auth.token
     };
   }
   console.error(`[AUTH_RESOLVE] FAIL: no apiKey or supabaseJwt in extra (keys: ${Object.keys(extra).join(", ")})`);
   return;
 }
-async function startHttpServer() {
+async function startHttpServer(options) {
   const port = parseInt(process.env.PORT || "3000", 10);
   const app = createMcpExpressApp({ host: "0.0.0.0" });
   app.set("trust proxy", 1);
-  const store = new RedisTokenStore;
+  const store = options?.store ?? new RedisTokenStore;
   const provider = new KadoaOAuthProvider(store);
   const serverUrl = process.env.MCP_SERVER_URL || `http://localhost:${port}`;
   app.use(mcpAuthRouter({
@@ -55137,7 +55153,27 @@ async function startHttpServer() {
       const server = auth.kind === "jwt" ? createServer({
         jwt: auth.jwt,
         refreshToken: auth.refreshToken,
-        teamId: auth.teamId
+        teamId: auth.teamId,
+        persist: async (state) => {
+          const entry = await store.get("access_tokens", auth.mcpToken);
+          if (!entry) {
+            console.error(`[PERSIST] WARN: access token gone from store (token=${auth.mcpToken.slice(0, 12)}...)`);
+            return;
+          }
+          const remainingMs = entry.expiresAt - Date.now();
+          if (remainingMs <= 0) {
+            console.error(`[PERSIST] WARN: access token already expired, skipping persist`);
+            return;
+          }
+          const ttlSeconds = Math.ceil(remainingMs / 1000);
+          await store.set("access_tokens", auth.mcpToken, {
+            ...entry,
+            supabaseJwt: state.supabaseJwt ?? entry.supabaseJwt,
+            supabaseRefreshToken: state.supabaseRefreshToken ?? entry.supabaseRefreshToken,
+            teamId: state.teamId ?? entry.teamId
+          }, ttlSeconds);
+          console.error(`[PERSIST] OK: updated access token in store (token=${auth.mcpToken.slice(0, 12)}..., team=${state.teamId ?? "unchanged"}, ttl=${ttlSeconds}s)`);
+        }
       }) : createServer({ apiKey: auth.apiKey });
       await server.connect(transport);
       await transport.handleRequest(req, res, req.body);
@@ -55197,7 +55233,8 @@ function createServer(auth) {
       client: createKadoaClient({ jwt: auth.jwt }),
       supabaseJwt: auth.jwt,
       supabaseRefreshToken: auth.refreshToken,
-      teamId: auth.teamId
+      teamId: auth.teamId,
+      persist: auth.persist
     };
   } else if (typeof auth === "object" && auth !== null && "apiKey" in auth) {
     ctx = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kadoa/mcp",
-  "version": "0.3.7-rc.1",
+  "version": "0.3.7-rc.3",
   "description": "Kadoa MCP Server — manage workflows from Claude Desktop, Cursor, and other MCP clients",
   "type": "module",
   "main": "dist/index.js",