@mastra/mcp 1.0.0-beta.8 → 1.0.0

package/dist/index.cjs

@@ -24,6 +24,7 @@ var index_js$1 = require('@modelcontextprotocol/sdk/server/index.js');
 var sse_js$1 = require('@modelcontextprotocol/sdk/server/sse.js');
 var stdio_js$1 = require('@modelcontextprotocol/sdk/server/stdio.js');
 var streamableHttp_js$1 = require('@modelcontextprotocol/sdk/server/streamableHttp.js');
+var auth_js = require('@modelcontextprotocol/sdk/client/auth.js');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
@@ -584,7 +585,7 @@ var InternalMastraMCPClient = class extends base.MastraBase {
     }
   }
   async connectHttp(url) {
-    const { requestInit, eventSourceInit, authProvider, connectTimeout, fetch } = this.serverConfig;
+    const { requestInit, eventSourceInit, authProvider, connectTimeout, fetch: fetch2 } = this.serverConfig;
     this.log("debug", `Attempting to connect to URL: ${url}`);
     let shouldTrySSE = url.pathname.endsWith(`/sse`);
     if (!shouldTrySSE) {
@@ -594,7 +595,7 @@ var InternalMastraMCPClient = class extends base.MastraBase {
           requestInit,
           reconnectionOptions: this.serverConfig.reconnectionOptions,
           authProvider,
-          fetch
+          fetch: fetch2
         });
         await this.client.connect(streamableTransport, {
           timeout: connectTimeout ?? DEFAULT_SERVER_CONNECT_TIMEOUT_MSEC
@@ -613,12 +614,12 @@ var InternalMastraMCPClient = class extends base.MastraBase {
     if (shouldTrySSE) {
       this.log("debug", "Falling back to deprecated HTTP+SSE transport...");
       try {
-        const sseEventSourceInit = fetch ? { ...eventSourceInit, fetch } : eventSourceInit;
+        const sseEventSourceInit = fetch2 ? { ...eventSourceInit, fetch: fetch2 } : eventSourceInit;
         const sseTransport = new sse_js.SSEClientTransport(url, {
           requestInit,
           eventSourceInit: sseEventSourceInit,
           authProvider,
-          fetch
+          fetch: fetch2
         });
         await this.client.connect(sseTransport, { timeout: this.serverConfig.timeout ?? this.timeout });
         this.transport = sseTransport;
@@ -1821,6 +1822,190 @@ To fix this you have three different options:
   }
 };
 
+// src/client/oauth-provider.ts
+var InMemoryOAuthStorage = class {
+  data = /* @__PURE__ */ new Map();
+  set(key, value) {
+    this.data.set(key, value);
+  }
+  get(key) {
+    return this.data.get(key);
+  }
+  delete(key) {
+    this.data.delete(key);
+  }
+  clear() {
+    this.data.clear();
+  }
+};
+var MCPOAuthClientProvider = class {
+  _redirectUrl;
+  _clientMetadata;
+  storage;
+  onRedirect;
+  generateState;
+  _clientInfo;
+  constructor(options) {
+    this._redirectUrl = options.redirectUrl;
+    this._clientMetadata = options.clientMetadata;
+    this._clientInfo = options.clientInformation;
+    this.storage = options.storage ?? new InMemoryOAuthStorage();
+    this.onRedirect = options.onRedirectToAuthorization;
+    this.generateState = options.stateGenerator ?? (() => crypto.randomUUID());
+  }
+  /**
+   * The URL to redirect the user agent to after authorization.
+   */
+  get redirectUrl() {
+    return this._redirectUrl;
+  }
+  /**
+   * Metadata about this OAuth client.
+   */
+  get clientMetadata() {
+    return this._clientMetadata;
+  }
+  /**
+   * Returns a OAuth2 state parameter.
+   */
+  async state() {
+    return this.generateState();
+  }
+  /**
+   * Loads information about this OAuth client.
+   */
+  async clientInformation() {
+    if (this._clientInfo) {
+      return this._clientInfo;
+    }
+    const stored = await this.storage.get("client_info");
+    if (stored) {
+      try {
+        return JSON.parse(stored);
+      } catch {
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Saves dynamically registered client information.
+   */
+  async saveClientInformation(clientInformation) {
+    this._clientInfo = clientInformation;
+    await this.storage.set("client_info", JSON.stringify(clientInformation));
+  }
+  /**
+   * Loads existing OAuth tokens.
+   */
+  async tokens() {
+    const stored = await this.storage.get("tokens");
+    if (stored) {
+      try {
+        return JSON.parse(stored);
+      } catch {
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Stores new OAuth tokens after successful authorization.
+   */
+  async saveTokens(tokens) {
+    await this.storage.set("tokens", JSON.stringify(tokens));
+  }
+  /**
+   * Invoked to redirect the user agent to the authorization URL.
+   */
+  async redirectToAuthorization(authorizationUrl) {
+    if (this.onRedirect) {
+      await this.onRedirect(authorizationUrl);
+    } else {
+      console.info(`Authorization required. Please visit: ${authorizationUrl.toString()}`);
+    }
+  }
+  /**
+   * Saves a PKCE code verifier before redirecting to authorization.
+   */
+  async saveCodeVerifier(codeVerifier) {
+    await this.storage.set("code_verifier", codeVerifier);
+  }
+  /**
+   * Loads the PKCE code verifier for validating authorization result.
+   */
+  async codeVerifier() {
+    const verifier = await this.storage.get("code_verifier");
+    if (!verifier) {
+      throw new Error("No code verifier found. Authorization flow may not have started properly.");
+    }
+    return verifier;
+  }
+  /**
+   * Optional: Custom client authentication for token requests.
+   * Uses default behavior if not implemented.
+   */
+  async addClientAuthentication(_headers, _params, _url, _metadata) {
+  }
+  /**
+   * Invalidate credentials when server indicates they're no longer valid.
+   */
+  async invalidateCredentials(scope) {
+    switch (scope) {
+      case "all":
+        await this.storage.delete("tokens");
+        await this.storage.delete("client_info");
+        await this.storage.delete("code_verifier");
+        this._clientInfo = void 0;
+        break;
+      case "client":
+        await this.storage.delete("client_info");
+        this._clientInfo = void 0;
+        break;
+      case "tokens":
+        await this.storage.delete("tokens");
+        break;
+      case "verifier":
+        await this.storage.delete("code_verifier");
+        break;
+    }
+  }
+  /**
+   * Clear all stored OAuth data.
+   * Useful for logging out or resetting state.
+   */
+  async clear() {
+    await this.invalidateCredentials("all");
+  }
+  /**
+   * Check if the provider has valid (non-expired) tokens.
+   */
+  async hasValidTokens() {
+    const currentTokens = await this.tokens();
+    if (!currentTokens) return false;
+    if (!currentTokens.access_token) return false;
+    return true;
+  }
+};
+function createSimpleTokenProvider(accessToken, options) {
+  const tokens = {
+    access_token: accessToken,
+    token_type: options.tokenType ?? "Bearer",
+    refresh_token: options.refreshToken,
+    expires_in: options.expiresIn,
+    scope: options.scope
+  };
+  const storage = new InMemoryOAuthStorage();
+  storage.set("tokens", JSON.stringify(tokens));
+  if (options.clientInformation) {
+    storage.set("client_info", JSON.stringify(options.clientInformation));
+  }
+  return new MCPOAuthClientProvider({
+    redirectUrl: options.redirectUrl,
+    clientMetadata: options.clientMetadata,
+    clientInformation: options.clientInformation,
+    storage
+  });
+}
+
 // ../../node_modules/.pnpm/hono@4.11.3/node_modules/hono/dist/utils/stream.js
 var StreamingApi = class {
   writer;
@@ -2524,6 +2709,12 @@ var MCPServer = class extends mcp.MCPServerBase {
           if (tool.outputSchema) {
             toolSpec.outputSchema = tool.outputSchema.jsonSchema;
           }
+          if (tool.mcp?.annotations) {
+            toolSpec.annotations = tool.mcp.annotations;
+          }
+          if (tool.mcp?._meta) {
+            toolSpec._meta = tool.mcp._meta;
+          }
           return toolSpec;
         })
       };
@@ -3895,9 +4086,273 @@ Provided arguments: ${JSON.stringify(args, null, 2)}`,
     }
   }
 };
+function escapeHeaderValue(value) {
+  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+function generateWWWAuthenticateHeader(options = {}) {
+  const params = [];
+  if (options.resourceMetadataUrl) {
+    params.push(`resource_metadata="${escapeHeaderValue(options.resourceMetadataUrl)}"`);
+  }
+  if (options.additionalParams) {
+    for (const [key, value] of Object.entries(options.additionalParams)) {
+      params.push(`${key}="${escapeHeaderValue(value)}"`);
+    }
+  }
+  if (params.length === 0) {
+    return "Bearer";
+  }
+  return `Bearer ${params.join(", ")}`;
+}
+function generateProtectedResourceMetadata(config) {
+  return {
+    resource: config.resource,
+    authorization_servers: config.authorizationServers,
+    scopes_supported: config.scopesSupported ?? ["mcp:read", "mcp:write"],
+    bearer_methods_supported: ["header"],
+    ...config.resourceName && { resource_name: config.resourceName },
+    ...config.resourceDocumentation && {
+      resource_documentation: config.resourceDocumentation
+    }
+  };
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return void 0;
+  const prefix = "bearer ";
+  if (authHeader.length <= prefix.length) return void 0;
+  if (authHeader.slice(0, prefix.length).toLowerCase() !== prefix) return void 0;
+  const token = authHeader.slice(prefix.length).trim();
+  return token || void 0;
+}
+
+// src/server/oauth-middleware.ts
+function createOAuthMiddleware(options) {
+  const { oauth, mcpPath = "/mcp", logger } = options;
+  const protectedResourceMetadata = generateProtectedResourceMetadata(oauth);
+  const wellKnownPath = "/.well-known/oauth-protected-resource";
+  const resourceMetadataUrl = new URL(wellKnownPath, oauth.resource).toString();
+  return async function oauthMiddleware(req, res, url) {
+    logger?.debug?.(`OAuth middleware: ${req.method} ${url.pathname}`);
+    if (url.pathname === wellKnownPath && req.method === "GET") {
+      logger?.debug?.("OAuth middleware: Serving Protected Resource Metadata");
+      res.writeHead(200, {
+        "Content-Type": "application/json",
+        "Cache-Control": "max-age=3600",
+        "Access-Control-Allow-Origin": "*"
+      });
+      res.end(JSON.stringify(protectedResourceMetadata));
+      return { proceed: false, handled: true };
+    }
+    if (url.pathname === wellKnownPath && req.method === "OPTIONS") {
+      res.writeHead(204, {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type",
+        "Access-Control-Max-Age": "86400"
+      });
+      res.end();
+      return { proceed: false, handled: true };
+    }
+    if (!url.pathname.startsWith(mcpPath)) {
+      return { proceed: true, handled: false };
+    }
+    const authHeader = req.headers["authorization"];
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+      logger?.debug?.("OAuth middleware: No bearer token provided");
+      res.writeHead(401, {
+        "Content-Type": "application/json",
+        "WWW-Authenticate": generateWWWAuthenticateHeader({ resourceMetadataUrl })
+      });
+      res.end(
+        JSON.stringify({
+          error: "unauthorized",
+          error_description: "Bearer token required"
+        })
+      );
+      return { proceed: false, handled: true };
+    }
+    if (oauth.validateToken) {
+      logger?.debug?.("OAuth middleware: Validating token");
+      const validationResult = await oauth.validateToken(token, oauth.resource);
+      if (!validationResult.valid) {
+        logger?.debug?.(`OAuth middleware: Token validation failed: ${validationResult.error}`);
+        res.writeHead(401, {
+          "Content-Type": "application/json",
+          "WWW-Authenticate": generateWWWAuthenticateHeader({
+            resourceMetadataUrl,
+            additionalParams: {
+              error: validationResult.error || "invalid_token",
+              ...validationResult.errorDescription && {
+                error_description: validationResult.errorDescription
+              }
+            }
+          })
+        });
+        res.end(
+          JSON.stringify({
+            error: validationResult.error || "invalid_token",
+            error_description: validationResult.errorDescription || "Token validation failed"
+          })
+        );
+        return { proceed: false, handled: true, tokenValidation: validationResult };
+      }
+      logger?.debug?.("OAuth middleware: Token validated successfully");
+      return { proceed: true, handled: false, tokenValidation: validationResult };
+    }
+    logger?.debug?.("OAuth middleware: No token validation configured, accepting token");
+    return {
+      proceed: true,
+      handled: false,
+      tokenValidation: { valid: true }
+    };
+  };
+}
+function createStaticTokenValidator(validTokens) {
+  const tokenSet = new Set(validTokens);
+  return async (token) => {
+    if (tokenSet.has(token)) {
+      return { valid: true, scopes: ["mcp:read", "mcp:write"] };
+    }
+    return {
+      valid: false,
+      error: "invalid_token",
+      errorDescription: "Token not recognized"
+    };
+  };
+}
+function createIntrospectionValidator(introspectionEndpoint, clientCredentials) {
+  return async (token, resource) => {
+    try {
+      const headers = {
+        "Content-Type": "application/x-www-form-urlencoded"
+      };
+      if (clientCredentials) {
+        if (clientCredentials.clientId.includes(":")) {
+          return {
+            valid: false,
+            error: "invalid_request",
+            errorDescription: "clientId cannot contain a colon character per RFC 7617"
+          };
+        }
+        const credentials = Buffer.from(`${clientCredentials.clientId}:${clientCredentials.clientSecret}`).toString(
+          "base64"
+        );
+        headers["Authorization"] = `Basic ${credentials}`;
+      }
+      const response = await fetch(introspectionEndpoint, {
+        method: "POST",
+        headers,
+        body: new URLSearchParams({
+          token,
+          token_type_hint: "access_token"
+        })
+      });
+      if (!response.ok) {
+        return {
+          valid: false,
+          error: "server_error",
+          errorDescription: `Introspection failed: ${response.status}`
+        };
+      }
+      const data = await response.json();
+      if (!data.active) {
+        return {
+          valid: false,
+          error: "invalid_token",
+          errorDescription: "Token is not active"
+        };
+      }
+      if (data.aud) {
+        const audiences = Array.isArray(data.aud) ? data.aud : [data.aud];
+        if (!audiences.includes(resource)) {
+          return {
+            valid: false,
+            error: "invalid_token",
+            errorDescription: "Token audience does not match this resource"
+          };
+        }
+      }
+      return {
+        valid: true,
+        scopes: data.scope?.trim().split(" ").filter((s) => s !== "") || [],
+        subject: data.sub,
+        expiresAt: data.exp,
+        claims: data
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: "server_error",
+        errorDescription: error instanceof Error ? error.message : "Introspection failed"
+      };
+    }
+  };
+}
 
+Object.defineProperty(exports, "UnauthorizedError", {
+  enumerable: true,
+  get: function () { return auth_js.UnauthorizedError; }
+});
+Object.defineProperty(exports, "auth", {
+  enumerable: true,
+  get: function () { return auth_js.auth; }
+});
+Object.defineProperty(exports, "buildDiscoveryUrls", {
+  enumerable: true,
+  get: function () { return auth_js.buildDiscoveryUrls; }
+});
+Object.defineProperty(exports, "discoverAuthorizationServerMetadata", {
+  enumerable: true,
+  get: function () { return auth_js.discoverAuthorizationServerMetadata; }
+});
+Object.defineProperty(exports, "discoverOAuthMetadata", {
+  enumerable: true,
+  get: function () { return auth_js.discoverOAuthMetadata; }
+});
+Object.defineProperty(exports, "discoverOAuthProtectedResourceMetadata", {
+  enumerable: true,
+  get: function () { return auth_js.discoverOAuthProtectedResourceMetadata; }
+});
+Object.defineProperty(exports, "exchangeAuthorization", {
+  enumerable: true,
+  get: function () { return auth_js.exchangeAuthorization; }
+});
+Object.defineProperty(exports, "extractResourceMetadataUrl", {
+  enumerable: true,
+  get: function () { return auth_js.extractResourceMetadataUrl; }
+});
+Object.defineProperty(exports, "parseErrorResponse", {
+  enumerable: true,
+  get: function () { return auth_js.parseErrorResponse; }
+});
+Object.defineProperty(exports, "refreshAuthorization", {
+  enumerable: true,
+  get: function () { return auth_js.refreshAuthorization; }
+});
+Object.defineProperty(exports, "registerClient", {
+  enumerable: true,
+  get: function () { return auth_js.registerClient; }
+});
+Object.defineProperty(exports, "selectResourceURL", {
+  enumerable: true,
+  get: function () { return auth_js.selectResourceURL; }
+});
+Object.defineProperty(exports, "startAuthorization", {
+  enumerable: true,
+  get: function () { return auth_js.startAuthorization; }
+});
+exports.InMemoryOAuthStorage = InMemoryOAuthStorage;
 exports.InternalMastraMCPClient = InternalMastraMCPClient;
 exports.MCPClient = MCPClient;
+exports.MCPOAuthClientProvider = MCPOAuthClientProvider;
 exports.MCPServer = MCPServer;
+exports.createIntrospectionValidator = createIntrospectionValidator;
+exports.createOAuthMiddleware = createOAuthMiddleware;
+exports.createSimpleTokenProvider = createSimpleTokenProvider;
+exports.createStaticTokenValidator = createStaticTokenValidator;
+exports.extractBearerToken = extractBearerToken;
+exports.generateProtectedResourceMetadata = generateProtectedResourceMetadata;
+exports.generateWWWAuthenticateHeader = generateWWWAuthenticateHeader;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map