@mcp-abap-adt/auth-broker 1.0.5 → 1.0.6
- package/CHANGELOG.md +5 -0
- package/README.md +1 -0
- package/dist/AuthBroker.d.ts.map +1 -1
- package/dist/AuthBroker.js +25 -0
- package/package.json +1 -1
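--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -11,6 +11,11 @@ Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the co
 
 ## [Unreleased]
 
+## [1.0.6] - 2026-06-02
+
+### Fixed
+- `getToken`: no longer retries via the `serviceKey` strategy after the `session` strategy fails with an *interactive* browser-login error (timeout / `BROWSER_AUTH_ERROR`). Both strategies call the same `tokenProvider.getTokens()`, so the retry could not succeed and merely started a duplicate browser login on the same redirect port — surfacing a misleading `Port <n> is already in use` instead of the real cause. Transient/non-interactive session failures still fall through to the `serviceKey` attempt.
+
 ## [1.0.5] - 2026-02-12
 
 ### Added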
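--- a/package/README.md
+++ b/package/README.md
@@ -1,4 +1,5 @@
 # @mcp-abap-adt/auth-broker
+[](https://stand-with-ukraine.pp.ua)
 
 JWT authentication broker for MCP ABAP ADT server. Manages authentication tokens based on destination headers, automatically loading tokens from `.env` files and refreshing them using service keys when needed.
 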
package/dist/AuthBroker.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,eAAe,EAGrB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACd,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,eAAe,EAGrB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACd,MAAM,qBAAqB,CAAC;AA8D7B;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,YAAY,EAAE,aAAa,CAAC;IAC5B,uEAAuE;IACvE,eAAe,CAAC,EAAE,gBAAgB,CAAC;IACnC,4IAA4I;IAC5I,aAAa,EAAE,cAAc,CAAC;IAC9B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;;;;;;OAWG;gBACS,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO;IAsFxE;;OAEG;YACW,eAAe;IA0D7B;;OAEG;YACW,aAAa;IAoD3B;;OAEG;YACW,oCAAoC;IA4ClD;;OAEG;YACW,kBAAkB;YA4ClB,aAAa;YA0Db,kBAAkB;IAkDhC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAuCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAsLpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASxD;;;;OAIG;IACG,sBAAsB,CAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAoEvC;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAuEpC;;;;;;;;;;;;;;;;OAgBG;IACH,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;CAqB3D"}
|
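--- a/package/dist/AuthBroker.js
+++ b/package/dist/AuthBroker.js
@@ -32,6 +32,20 @@ function hasErrorCode(error) {
 function getErrorMessage(error) {
 return error instanceof Error ? error.message : String(error);
 }
+/**
+* Whether an error represents a failed *interactive* browser login (the user
+* did not complete the OAuth flow / it timed out), as opposed to a transient or
+* configuration error. Such failures must not be retried via a second
+* provider.getTokens() — that would start a duplicate browser login on the same
+* redirect port and mask the real cause with a "Port in use" error.
+*/
+function isInteractiveAuthFailure(error) {
+if (hasErrorCode(error) && error.code === 'BROWSER_AUTH_ERROR') {
+return true;
+}
+const message = getErrorMessage(error);
+return /authentication timeout|browser authentication|already in use/i.test(message);
+}
 /**
 * AuthBroker manages JWT authentication tokens for destinations
 */
@@ -454,6 +468,17 @@ class AuthBroker {
 }
 throw new Error(`Authorization config not found for ${destination}. Session has no auth config and serviceKeyStore is not available.`);
 }
+// If the session attempt already performed an *interactive* browser login
+// and it failed (the user didn't complete it / it timed out), the serviceKey
+// strategy would call the SAME provider.getTokens() again and start a
+// duplicate browser login on the same redirect port — surfacing a misleading
+// "Port in use" instead of the real cause. Don't retry interactive failures;
+// propagate the original error. Transient/non-interactive session failures
+// still fall through to the serviceKey attempt below.
+if (lastError && isInteractiveAuthFailure(lastError)) {
+this.logger?.debug(`Step 2: session login failed interactively for ${destination}; not retrying via service key (${getErrorMessage(lastError)})`);
+throw lastError;
+}
 const serviceKeyAuthConfig = await this.getAuthorizationConfigFromServiceKey(destination);
 const tokenResult = await this.requestTokens(destination, 'serviceKey');
 await this.persistTokenResult(destination, serviceUrl, connConfig, serviceKeyAuthConfig, tokenResult);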
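Review bot: `isInteractiveAuthFailure` falls back to a case-insensitive substring match on the error message (`/authentication timeout|browser authentication|already in use/i`), so any session failure whose text happens to contain one of these phrases now skips the `serviceKey` attempt at the new guard in the second hunk. The `already in use` alternative is the widest: it describes a port conflict rather than an unfinished login, and the doc comment does not say why it counts as interactive. Because this predicate decides whether an authentication fallback runs, I would classify on error codes where the provider preserves them, e.g. `if (hasErrorCode(error) && (error.code === 'BROWSER_AUTH_ERROR' || error.code === 'EADDRINUSE')) return true;`, and mark the regex with `// message match is a fallback for providers that do not set error.code`. Whether the token provider keeps `EADDRINUSE` on the error is not visible in this diff and needs confirming; `hasErrorCode` and the enclosing method of the second hunk both lie outside the shown lines.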
package/package.json
CHANGED