@kya-os/mcp-i 1.6.10 → 1.6.11
|
@@ -510,25 +510,59 @@ async function addToolsToServer(server, toolModules, identityConfig) {
|
|
|
510
510
|
}
|
|
511
511
|
// Check if authorization method matches current tool requirements
|
|
512
512
|
// This prevents stale delegations from working after tool auth method changes
|
|
513
|
-
if (verifyResult.authorized &&
|
|
514
|
-
verifyResult.credential?.authorization &&
|
|
515
|
-
toolProtection.authorization) {
|
|
516
|
-
const delegationAuth = verifyResult.credential.authorization;
|
|
513
|
+
if (verifyResult.authorized && toolProtection.authorization) {
|
|
517
514
|
const toolAuth = toolProtection.authorization;
|
|
515
|
+
const delegationAuth = verifyResult.credential?.authorization;
|
|
516
|
+
// If tool requires authorization but credential doesn't have auth data, reject
|
|
517
|
+
// This prevents bypassing auth checks with incomplete credential data
|
|
518
|
+
if (!delegationAuth) {
|
|
519
|
+
if (identityConfig?.debug) {
|
|
520
|
+
console.error(`[MCPI] Tool "${name}" blocked - credential missing authorization data`);
|
|
521
|
+
}
|
|
522
|
+
// Build authorization URL for re-authorization
|
|
523
|
+
const authUrl = new URL(authConfig.bouncer.authorizationUrl);
|
|
524
|
+
authUrl.searchParams.set("agent_did", agentDid);
|
|
525
|
+
authUrl.searchParams.set("scopes", (toolProtection.requiredScopes || []).join(","));
|
|
526
|
+
authUrl.searchParams.set("tool", name);
|
|
527
|
+
return {
|
|
528
|
+
content: [
|
|
529
|
+
{
|
|
530
|
+
type: "text",
|
|
531
|
+
text: JSON.stringify({
|
|
532
|
+
error: "authorization_data_missing",
|
|
533
|
+
message: `Tool "${name}" requires authorization method ${toolAuth.type}` +
|
|
534
|
+
`${toolAuth.provider ? `:${toolAuth.provider}` : ""}` +
|
|
535
|
+
`${toolAuth.credentialType ? `:${toolAuth.credentialType}` : ""} ` +
|
|
536
|
+
`but delegation credential does not contain authorization data. Please re-authorize.`,
|
|
537
|
+
authorizationUrl: authUrl.toString(),
|
|
538
|
+
scopes: toolProtection.requiredScopes || [],
|
|
539
|
+
requiredAuth: toolAuth,
|
|
540
|
+
}),
|
|
541
|
+
},
|
|
542
|
+
],
|
|
543
|
+
isError: true,
|
|
544
|
+
};
|
|
545
|
+
}
|
|
518
546
|
// Compare authorization types
|
|
519
547
|
let authMatches = delegationAuth.type === toolAuth.type;
|
|
520
|
-
// For OAuth, also compare provider
|
|
548
|
+
// For OAuth, also compare provider (undefined in toolAuth means "any provider acceptable")
|
|
521
549
|
if (authMatches &&
|
|
522
550
|
delegationAuth.type === "oauth" &&
|
|
523
551
|
toolAuth.type === "oauth") {
|
|
524
|
-
|
|
552
|
+
// If tool doesn't specify a provider, any provider is acceptable
|
|
553
|
+
if (toolAuth.provider) {
|
|
554
|
+
authMatches = delegationAuth.provider === toolAuth.provider;
|
|
555
|
+
}
|
|
525
556
|
}
|
|
526
|
-
// For credential, also compare credentialType
|
|
557
|
+
// For credential, also compare credentialType (undefined in toolAuth means "any type acceptable")
|
|
527
558
|
if (authMatches &&
|
|
528
559
|
delegationAuth.type === "credential" &&
|
|
529
560
|
toolAuth.type === "credential") {
|
|
530
|
-
|
|
531
|
-
|
|
561
|
+
// If tool doesn't specify a credential type, any type is acceptable
|
|
562
|
+
if (toolAuth.credentialType) {
|
|
563
|
+
authMatches =
|
|
564
|
+
delegationAuth.credentialType === toolAuth.credentialType;
|
|
565
|
+
}
|
|
532
566
|
}
|
|
533
567
|
if (!authMatches) {
|
|
534
568
|
if (identityConfig?.debug) {
|
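Review bot: The new provider and credentialType guards (new lines 553 and 562) test truthiness, so a tool authorization record whose `provider` or `credentialType` is `""` or `null` is treated like an absent one and accepts a delegation from any provider or credential type, whereas the added comments say only `undefined` means "any". Testing the field explicitly, `if (toolAuth.provider !== undefined) {` and `if (toolAuth.credentialType !== undefined) {`, keeps a partially populated protection record failing closed. In the new missing-authorization branch, `requiredAuth: toolAuth` at new line 539 serializes the whole tool authorization object into the client-visible error; if that object can carry more than type, provider and credentialType, return only those, e.g. `requiredAuth: { type: toolAuth.type, provider: toolAuth.provider, credentialType: toolAuth.credentialType },`. `authConfig` and `agentDid` are defined outside the hunk, and addToolsToServer's body starts and ends outside it, so whether `authConfig.bouncer.authorizationUrl` is always set when this branch runs cannot be confirmed from here.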
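--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@kya-os/mcp-i",
-"version": "1.6.
+"version": "1.6.11",
 "description": "The TypeScript MCP framework with identity features built-in",
 "type": "commonjs",
 "main": "dist/index.js",
@@ -63,8 +63,8 @@
 "model-context-protocol"
 ],
 "dependencies": {
-"@kya-os/contracts": "^1.6.
-"@kya-os/mcp-i-core": "^1.3.
+"@kya-os/contracts": "^1.6.15",
+"@kya-os/mcp-i-core": "^1.3.22",
 "@modelcontextprotocol/sdk": "^1.11.4",
 "@swc/core": "^1.11.24",
 "@types/express": "^5.0.1",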