@leanmcp/core 0.3.11 → 0.3.13

package/dist/index.js

@@ -41,6 +41,9 @@ function Tool(options = {}) {
     if (options.inputClass) {
       Reflect.defineMetadata("tool:inputClass", options.inputClass, descriptor.value);
     }
+    if (options.securitySchemes) {
+      Reflect.defineMetadata("tool:securitySchemes", options.securitySchemes, descriptor.value);
+    }
   };
 }
 function Prompt(options = {}) {
@@ -551,7 +554,8 @@ async function createHTTPServer(serverInput, options) {
       logging: serverOptions.logging,
       sessionTimeout: serverOptions.sessionTimeout,
       stateless: serverOptions.stateless,
-      dashboard: serverOptions.dashboard
+      dashboard: serverOptions.dashboard,
+      auth: serverOptions.auth
     };
   }
   const [express, { StreamableHTTPServerTransport }, cors] = await Promise.all([
@@ -713,6 +717,73 @@ async function createHTTPServer(serverInput, options) {
       uptime: process.uptime()
     });
   });
+  app.get("/.well-known/oauth-protected-resource", (req, res) => {
+    const host = req.headers.host || "localhost";
+    const protocol = req.headers["x-forwarded-proto"] || "http";
+    const resource = httpOptions.auth?.resource || `${protocol}://${host}`;
+    const authServers = httpOptions.auth?.authorizationServers || [
+      resource
+    ];
+    res.json({
+      resource,
+      authorization_servers: authServers,
+      scopes_supported: httpOptions.auth?.scopesSupported || [],
+      resource_documentation: httpOptions.auth?.documentationUrl
+    });
+  });
+  if (httpOptions.auth?.enableOAuthServer && httpOptions.auth?.oauthServerOptions) {
+    const authOpts = httpOptions.auth.oauthServerOptions;
+    app.get("/.well-known/oauth-authorization-server", (req, res) => {
+      const host = req.headers.host || "localhost";
+      const protocol = req.headers["x-forwarded-proto"] || "http";
+      const issuer = httpOptions.auth?.resource || `${protocol}://${host}`;
+      res.json({
+        issuer,
+        authorization_endpoint: `${issuer}/oauth/authorize`,
+        token_endpoint: `${issuer}/oauth/token`,
+        registration_endpoint: `${issuer}/oauth/register`,
+        scopes_supported: httpOptions.auth?.scopesSupported || [],
+        response_types_supported: [
+          "code"
+        ],
+        grant_types_supported: [
+          "authorization_code",
+          "refresh_token"
+        ],
+        code_challenge_methods_supported: [
+          "S256"
+        ],
+        token_endpoint_auth_methods_supported: [
+          "client_secret_post",
+          "client_secret_basic",
+          "none"
+        ]
+      });
+    });
+    (async () => {
+      try {
+        const authServerModule = await import(
+          /* webpackIgnore: true */
+          "@leanmcp/auth/server"
+        );
+        const { OAuthAuthorizationServer } = authServerModule;
+        const authServer = new OAuthAuthorizationServer({
+          issuer: httpOptions.auth?.resource || `http://localhost:${basePort}`,
+          sessionSecret: authOpts.sessionSecret,
+          jwtSigningSecret: authOpts.jwtSigningSecret,
+          jwtEncryptionSecret: authOpts.jwtEncryptionSecret,
+          tokenTTL: authOpts.tokenTTL,
+          upstreamProvider: authOpts.upstreamProvider,
+          scopesSupported: httpOptions.auth?.scopesSupported,
+          enableDCR: true
+        });
+        app.use(authServer.getRouter());
+        logger.info("OAuth authorization server mounted");
+      } catch (e) {
+        logger.warn("OAuth server requested but @leanmcp/auth/server not available");
+      }
+    })();
+  }
   const handleMCPRequestStateful = /* @__PURE__ */ __name(async (req, res) => {
     const sessionId = req.headers["mcp-session-id"];
     let transport;
@@ -728,6 +799,17 @@ async function createHTTPServer(serverInput, options) {
       logMessage += ` (session: ${sessionId.substring(0, 8)}...)`;
     }
     logger.info(logMessage);
+    logger.info(logMessage);
+    if (req.headers.authorization) {
+      if (!req.body.params) req.body.params = {};
+      if (!req.body.params._meta) req.body.params._meta = {};
+      const authHeader = req.headers.authorization;
+      if (authHeader.startsWith("Bearer ")) {
+        req.body.params._meta.authToken = authHeader.substring(7);
+      } else {
+        req.body.params._meta.authToken = authHeader;
+      }
+    }
     try {
       if (sessionId && transports[sessionId]) {
         transport = transports[sessionId];
@@ -784,7 +866,18 @@ async function createHTTPServer(serverInput, options) {
     if (params?.name) logMessage += ` [${params.name}]`;
     else if (params?.uri) logMessage += ` [${params.uri}]`;
     logger.info(logMessage);
+    logger.info(logMessage);
     try {
+      if (req.headers.authorization) {
+        if (!req.body.params) req.body.params = {};
+        if (!req.body.params._meta) req.body.params._meta = {};
+        const authHeader = req.headers.authorization;
+        if (authHeader.startsWith("Bearer ")) {
+          req.body.params._meta.authToken = authHeader.substring(7);
+        } else {
+          req.body.params._meta.authToken = authHeader;
+        }
+      }
       const freshServer = await statelessServerFactory();
       if (freshServer && typeof freshServer.waitForInit === "function") {
         await freshServer.waitForInit();
@@ -941,6 +1034,56 @@ var init_http_server = __esm({
   }
 });
 
+// src/auth-helpers.ts
+function createAuthError(message, options) {
+  const error = options.error || "invalid_token";
+  const errorDescription = options.errorDescription || message;
+  const wwwAuth = `Bearer resource_metadata="${options.resourceMetadataUrl}", error="${error}", error_description="${errorDescription}"`;
+  return {
+    content: [
+      {
+        type: "text",
+        text: message
+      }
+    ],
+    _meta: {
+      "mcp/www_authenticate": [
+        wwwAuth
+      ]
+    },
+    isError: true
+  };
+}
+function isAuthError(result) {
+  if (!result || typeof result !== "object") return false;
+  const r = result;
+  return r.isError === true && r._meta !== void 0 && typeof r._meta === "object" && r._meta !== null && "mcp/www_authenticate" in r._meta;
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+function createProtectedResourceMetadata(options) {
+  return {
+    resource: options.resource,
+    authorization_servers: options.authorizationServers || [
+      options.resource
+    ],
+    scopes_supported: options.scopesSupported,
+    resource_documentation: options.documentationUrl
+  };
+}
+var init_auth_helpers = __esm({
+  "src/auth-helpers.ts"() {
+    "use strict";
+    __name(createAuthError, "createAuthError");
+    __name(isAuthError, "isAuthError");
+    __name(extractBearerToken, "extractBearerToken");
+    __name(createProtectedResourceMetadata, "createProtectedResourceMetadata");
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -960,10 +1103,14 @@ __export(index_exports, {
   UserEnvs: () => UserEnvs,
   classToJsonSchema: () => classToJsonSchema,
   classToJsonSchemaWithConstraints: () => classToJsonSchemaWithConstraints,
+  createAuthError: () => createAuthError,
   createHTTPServer: () => createHTTPServer,
+  createProtectedResourceMetadata: () => createProtectedResourceMetadata,
   defaultLogger: () => defaultLogger,
+  extractBearerToken: () => extractBearerToken,
   getDecoratedMethods: () => getDecoratedMethods,
   getMethodMetadata: () => getMethodMetadata,
+  isAuthError: () => isAuthError,
   startMCPServer: () => startMCPServer,
   validateNonEmpty: () => validateNonEmpty,
   validatePath: () => validatePath,
@@ -993,6 +1140,7 @@ var init_index = __esm({
     init_http_server();
     init_logger();
     init_validation();
+    init_auth_helpers();
     init_decorators();
     init_schema_generator();
     init_logger();
@@ -1161,10 +1309,27 @@ var init_index = __esm({
             const meta = request.params._meta;
             const result = await tool.method.call(tool.instance, request.params.arguments, meta);
             let formattedResult = result;
+            let structuredContent = void 0;
             if (methodMeta.renderFormat === "markdown" && typeof result === "string") {
               formattedResult = result;
-            } else if (methodMeta.renderFormat === "json" || typeof result === "object") {
-              formattedResult = JSON.stringify(result, null, 2);
+            } else if (typeof result === "object" && result !== null) {
+              if ("structuredContent" in result && Object.keys(result).length === 1) {
+                structuredContent = result.structuredContent;
+                formattedResult = JSON.stringify(structuredContent, null, 2);
+              } else if ("content" in result && Array.isArray(result.content)) {
+                const textItem = result.content.find((c) => c.type === "text");
+                if (textItem?.text) {
+                  try {
+                    structuredContent = JSON.parse(textItem.text);
+                  } catch {
+                    structuredContent = textItem.text;
+                  }
+                }
+                formattedResult = JSON.stringify(result, null, 2);
+              } else {
+                structuredContent = result;
+                formattedResult = JSON.stringify(result, null, 2);
+              }
             } else {
               formattedResult = String(result);
             }
@@ -1176,6 +1341,12 @@ var init_index = __esm({
                 }
               ]
             };
+            if (structuredContent) {
+              response.structuredContent = structuredContent;
+              if (this.logger) {
+                this.logger.debug(`[MCPServer] Setting structuredContent: ${JSON.stringify(structuredContent).slice(0, 100)}...`);
+              }
+            }
             if (tool._meta && Object.keys(tool._meta).length > 0) {
               response._meta = tool._meta;
             }
@@ -1987,10 +2158,14 @@ init_index();
   UserEnvs,
   classToJsonSchema,
   classToJsonSchemaWithConstraints,
+  createAuthError,
   createHTTPServer,
+  createProtectedResourceMetadata,
   defaultLogger,
+  extractBearerToken,
   getDecoratedMethods,
   getMethodMetadata,
+  isAuthError,
   startMCPServer,
   validateNonEmpty,
   validatePath,

package/dist/index.mjs

@@ -22,6 +22,9 @@ function Tool(options = {}) {
     if (options.inputClass) {
       Reflect.defineMetadata("tool:inputClass", options.inputClass, descriptor.value);
     }
+    if (options.securitySchemes) {
+      Reflect.defineMetadata("tool:securitySchemes", options.securitySchemes, descriptor.value);
+    }
   };
 }
 __name(Tool, "Tool");
@@ -513,7 +516,8 @@ async function createHTTPServer(serverInput, options) {
       logging: serverOptions.logging,
       sessionTimeout: serverOptions.sessionTimeout,
       stateless: serverOptions.stateless,
-      dashboard: serverOptions.dashboard
+      dashboard: serverOptions.dashboard,
+      auth: serverOptions.auth
     };
   }
   const [express, { StreamableHTTPServerTransport }, cors] = await Promise.all([
@@ -675,6 +679,73 @@ async function createHTTPServer(serverInput, options) {
       uptime: process.uptime()
     });
   });
+  app.get("/.well-known/oauth-protected-resource", (req, res) => {
+    const host = req.headers.host || "localhost";
+    const protocol = req.headers["x-forwarded-proto"] || "http";
+    const resource = httpOptions.auth?.resource || `${protocol}://${host}`;
+    const authServers = httpOptions.auth?.authorizationServers || [
+      resource
+    ];
+    res.json({
+      resource,
+      authorization_servers: authServers,
+      scopes_supported: httpOptions.auth?.scopesSupported || [],
+      resource_documentation: httpOptions.auth?.documentationUrl
+    });
+  });
+  if (httpOptions.auth?.enableOAuthServer && httpOptions.auth?.oauthServerOptions) {
+    const authOpts = httpOptions.auth.oauthServerOptions;
+    app.get("/.well-known/oauth-authorization-server", (req, res) => {
+      const host = req.headers.host || "localhost";
+      const protocol = req.headers["x-forwarded-proto"] || "http";
+      const issuer = httpOptions.auth?.resource || `${protocol}://${host}`;
+      res.json({
+        issuer,
+        authorization_endpoint: `${issuer}/oauth/authorize`,
+        token_endpoint: `${issuer}/oauth/token`,
+        registration_endpoint: `${issuer}/oauth/register`,
+        scopes_supported: httpOptions.auth?.scopesSupported || [],
+        response_types_supported: [
+          "code"
+        ],
+        grant_types_supported: [
+          "authorization_code",
+          "refresh_token"
+        ],
+        code_challenge_methods_supported: [
+          "S256"
+        ],
+        token_endpoint_auth_methods_supported: [
+          "client_secret_post",
+          "client_secret_basic",
+          "none"
+        ]
+      });
+    });
+    (async () => {
+      try {
+        const authServerModule = await import(
+          /* webpackIgnore: true */
+          "@leanmcp/auth/server"
+        );
+        const { OAuthAuthorizationServer } = authServerModule;
+        const authServer = new OAuthAuthorizationServer({
+          issuer: httpOptions.auth?.resource || `http://localhost:${basePort}`,
+          sessionSecret: authOpts.sessionSecret,
+          jwtSigningSecret: authOpts.jwtSigningSecret,
+          jwtEncryptionSecret: authOpts.jwtEncryptionSecret,
+          tokenTTL: authOpts.tokenTTL,
+          upstreamProvider: authOpts.upstreamProvider,
+          scopesSupported: httpOptions.auth?.scopesSupported,
+          enableDCR: true
+        });
+        app.use(authServer.getRouter());
+        logger.info("OAuth authorization server mounted");
+      } catch (e) {
+        logger.warn("OAuth server requested but @leanmcp/auth/server not available");
+      }
+    })();
+  }
   const handleMCPRequestStateful = /* @__PURE__ */ __name(async (req, res) => {
     const sessionId = req.headers["mcp-session-id"];
     let transport;
@@ -690,6 +761,17 @@ async function createHTTPServer(serverInput, options) {
       logMessage += ` (session: ${sessionId.substring(0, 8)}...)`;
     }
     logger.info(logMessage);
+    logger.info(logMessage);
+    if (req.headers.authorization) {
+      if (!req.body.params) req.body.params = {};
+      if (!req.body.params._meta) req.body.params._meta = {};
+      const authHeader = req.headers.authorization;
+      if (authHeader.startsWith("Bearer ")) {
+        req.body.params._meta.authToken = authHeader.substring(7);
+      } else {
+        req.body.params._meta.authToken = authHeader;
+      }
+    }
     try {
       if (sessionId && transports[sessionId]) {
         transport = transports[sessionId];
@@ -746,7 +828,18 @@ async function createHTTPServer(serverInput, options) {
     if (params?.name) logMessage += ` [${params.name}]`;
     else if (params?.uri) logMessage += ` [${params.uri}]`;
     logger.info(logMessage);
+    logger.info(logMessage);
     try {
+      if (req.headers.authorization) {
+        if (!req.body.params) req.body.params = {};
+        if (!req.body.params._meta) req.body.params._meta = {};
+        const authHeader = req.headers.authorization;
+        if (authHeader.startsWith("Bearer ")) {
+          req.body.params._meta.authToken = authHeader.substring(7);
+        } else {
+          req.body.params._meta.authToken = authHeader;
+        }
+      }
       const freshServer = await statelessServerFactory();
       if (freshServer && typeof freshServer.waitForInit === "function") {
         await freshServer.waitForInit();
@@ -892,6 +985,51 @@ async function createHTTPServer(serverInput, options) {
 }
 __name(createHTTPServer, "createHTTPServer");
 
+// src/auth-helpers.ts
+function createAuthError(message, options) {
+  const error = options.error || "invalid_token";
+  const errorDescription = options.errorDescription || message;
+  const wwwAuth = `Bearer resource_metadata="${options.resourceMetadataUrl}", error="${error}", error_description="${errorDescription}"`;
+  return {
+    content: [
+      {
+        type: "text",
+        text: message
+      }
+    ],
+    _meta: {
+      "mcp/www_authenticate": [
+        wwwAuth
+      ]
+    },
+    isError: true
+  };
+}
+__name(createAuthError, "createAuthError");
+function isAuthError(result) {
+  if (!result || typeof result !== "object") return false;
+  const r = result;
+  return r.isError === true && r._meta !== void 0 && typeof r._meta === "object" && r._meta !== null && "mcp/www_authenticate" in r._meta;
+}
+__name(isAuthError, "isAuthError");
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+__name(extractBearerToken, "extractBearerToken");
+function createProtectedResourceMetadata(options) {
+  return {
+    resource: options.resource,
+    authorization_servers: options.authorizationServers || [
+      options.resource
+    ],
+    scopes_supported: options.scopesSupported,
+    resource_documentation: options.documentationUrl
+  };
+}
+__name(createProtectedResourceMetadata, "createProtectedResourceMetadata");
+
 // src/index.ts
 var ajv = new Ajv();
 var MCPServer = class {
@@ -1058,10 +1196,27 @@ var MCPServer = class {
         const meta = request.params._meta;
         const result = await tool.method.call(tool.instance, request.params.arguments, meta);
         let formattedResult = result;
+        let structuredContent = void 0;
         if (methodMeta.renderFormat === "markdown" && typeof result === "string") {
           formattedResult = result;
-        } else if (methodMeta.renderFormat === "json" || typeof result === "object") {
-          formattedResult = JSON.stringify(result, null, 2);
+        } else if (typeof result === "object" && result !== null) {
+          if ("structuredContent" in result && Object.keys(result).length === 1) {
+            structuredContent = result.structuredContent;
+            formattedResult = JSON.stringify(structuredContent, null, 2);
+          } else if ("content" in result && Array.isArray(result.content)) {
+            const textItem = result.content.find((c) => c.type === "text");
+            if (textItem?.text) {
+              try {
+                structuredContent = JSON.parse(textItem.text);
+              } catch {
+                structuredContent = textItem.text;
+              }
+            }
+            formattedResult = JSON.stringify(result, null, 2);
+          } else {
+            structuredContent = result;
+            formattedResult = JSON.stringify(result, null, 2);
+          }
         } else {
           formattedResult = String(result);
         }
@@ -1073,6 +1228,12 @@ var MCPServer = class {
             }
           ]
         };
+        if (structuredContent) {
+          response.structuredContent = structuredContent;
+          if (this.logger) {
+            this.logger.debug(`[MCPServer] Setting structuredContent: ${JSON.stringify(structuredContent).slice(0, 100)}...`);
+          }
+        }
         if (tool._meta && Object.keys(tool._meta).length > 0) {
           response._meta = tool._meta;
         }
@@ -1885,10 +2046,14 @@ export {
   UserEnvs,
   classToJsonSchema,
   classToJsonSchemaWithConstraints,
+  createAuthError,
   createHTTPServer,
+  createProtectedResourceMetadata,
   defaultLogger,
+  extractBearerToken,
   getDecoratedMethods,
   getMethodMetadata,
+  isAuthError,
   startMCPServer,
   validateNonEmpty,
   validatePath,