@kya-os/mcp-i 1.6.10 → 1.6.12
|
@@ -9,6 +9,7 @@ const auth_handshake_1 = require("../auth-handshake");
|
|
|
9
9
|
const session_1 = require("../session");
|
|
10
10
|
const request_context_1 = require("../request-context");
|
|
11
11
|
const proof_batch_queue_1 = require("../proof-batch-queue");
|
|
12
|
+
const mcp_i_core_1 = require("@kya-os/mcp-i-core");
|
|
12
13
|
const rawRuntimeConfigPath = typeof RUNTIME_CONFIG_PATH !== "undefined" ? RUNTIME_CONFIG_PATH : undefined;
|
|
13
14
|
// Single-parse to match single-stringify from webpack DefinePlugin
|
|
14
15
|
const runtimeConfigPath = rawRuntimeConfigPath
|
|
@@ -510,27 +511,45 @@ async function addToolsToServer(server, toolModules, identityConfig) {
|
|
|
510
511
|
}
|
|
511
512
|
// Check if authorization method matches current tool requirements
|
|
512
513
|
// This prevents stale delegations from working after tool auth method changes
|
|
514
|
+
// NOTE: Authorization validation only applies when credential is present (AgentShield API verifier).
|
|
515
|
+
// KV/Memory verifiers don't return credential data, so we skip auth method validation for them.
|
|
513
516
|
if (verifyResult.authorized &&
|
|
514
|
-
|
|
515
|
-
|
|
516
|
-
const delegationAuth = verifyResult.credential.authorization;
|
|
517
|
+
toolProtection.authorization &&
|
|
518
|
+
verifyResult.credential) {
|
|
517
519
|
const toolAuth = toolProtection.authorization;
|
|
518
|
-
|
|
519
|
-
|
|
520
|
-
//
|
|
521
|
-
if (
|
|
522
|
-
|
|
523
|
-
|
|
524
|
-
|
|
525
|
-
|
|
526
|
-
|
|
527
|
-
|
|
528
|
-
|
|
529
|
-
|
|
530
|
-
|
|
531
|
-
|
|
520
|
+
const delegationAuth = verifyResult.credential.authorization;
|
|
521
|
+
// If tool requires authorization but credential doesn't have auth data, reject
|
|
522
|
+
// This prevents bypassing auth checks with incomplete credential data
|
|
523
|
+
if (!delegationAuth) {
|
|
524
|
+
if (identityConfig?.debug) {
|
|
525
|
+
console.error(`[MCPI] Tool "${name}" blocked - credential missing authorization data`);
|
|
526
|
+
}
|
|
527
|
+
// Build authorization URL for re-authorization
|
|
528
|
+
const authUrl = new URL(authConfig.bouncer.authorizationUrl);
|
|
529
|
+
authUrl.searchParams.set("agent_did", agentDid);
|
|
530
|
+
authUrl.searchParams.set("scopes", (toolProtection.requiredScopes || []).join(","));
|
|
531
|
+
authUrl.searchParams.set("tool", name);
|
|
532
|
+
return {
|
|
533
|
+
content: [
|
|
534
|
+
{
|
|
535
|
+
type: "text",
|
|
536
|
+
text: JSON.stringify({
|
|
537
|
+
error: "authorization_data_missing",
|
|
538
|
+
message: `Tool "${name}" requires authorization method ${toolAuth.type}` +
|
|
539
|
+
`${toolAuth.provider ? `:${toolAuth.provider}` : ""}` +
|
|
540
|
+
`${toolAuth.credentialType ? `:${toolAuth.credentialType}` : ""} ` +
|
|
541
|
+
`but delegation credential does not contain authorization data. Please re-authorize.`,
|
|
542
|
+
authorizationUrl: authUrl.toString(),
|
|
543
|
+
scopes: toolProtection.requiredScopes || [],
|
|
544
|
+
requiredAuth: toolAuth,
|
|
545
|
+
}),
|
|
546
|
+
},
|
|
547
|
+
],
|
|
548
|
+
isError: true,
|
|
549
|
+
};
|
|
532
550
|
}
|
|
533
|
-
|
|
551
|
+
// Compare authorization types using the helper function
|
|
552
|
+
if (!(0, mcp_i_core_1.authorizationMatches)(delegationAuth, toolAuth)) {
|
|
534
553
|
if (identityConfig?.debug) {
|
|
535
554
|
console.error(`[MCPI] Tool "${name}" blocked - authorization method mismatch`);
|
|
536
555
|
}
|
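Review bot: The widened guard at new lines 516–518 fails open: when `verifyResult.credential` is absent, a tool that declares `toolProtection.authorization` runs with no authorization-method check at all, and the added comment says this is always the case for the KV/Memory verifiers. That is the stale-delegation case the comment just above says this check exists to prevent, and nothing is logged when the check is skipped. If the skip is intended for those verifiers, make it an explicit opt-in and log it; otherwise drop the credential term from the guard and read `const delegationAuth = verifyResult.credential?.authorization;` so the new `!delegationAuth` branch also rejects a missing credential. Separately, `new URL(authConfig.bouncer.authorizationUrl)` throws on an unset or malformed value and `authConfig` is defined outside this hunk, so confirm it is validated before this point; `addToolsToServer` itself starts and ends outside the hunk.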
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kya-os/mcp-i",
|
|
3
|
-
"version": "1.6.
|
|
3
|
+
"version": "1.6.12",
|
|
4
4
|
"description": "The TypeScript MCP framework with identity features built-in",
|
|
5
5
|
"type": "commonjs",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -63,8 +63,8 @@
|
|
|
63
63
|
"model-context-protocol"
|
|
64
64
|
],
|
|
65
65
|
"dependencies": {
|
|
66
|
-
"@kya-os/contracts": "^1.6.
|
|
67
|
-
"@kya-os/mcp-i-core": "^1.3.
|
|
66
|
+
"@kya-os/contracts": "^1.6.15",
|
|
67
|
+
"@kya-os/mcp-i-core": "^1.3.22",
|
|
68
68
|
"@modelcontextprotocol/sdk": "^1.11.4",
|
|
69
69
|
"@swc/core": "^1.11.24",
|
|
70
70
|
"@types/express": "^5.0.1",
|