npm - @mcp-abap-adt/auth-broker - Versions diffs - 1.0.5 → 1.0.7 - Mend

@mcp-abap-adt/auth-broker 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -11,6 +11,16 @@ Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the co
 ## [Unreleased]
+## [1.0.7] - 2026-06-08
+### Fixed
+- Moved `tsx` from `dependencies` to `devDependencies`. `tsx` is only used by the `generate-env` dev script; it is never imported by the shipped `dist/` code (the `mcp-auth`/`mcp-sso` bins run compiled JS via node). Having it in `dependencies` pulled `tsx → esbuild → @esbuild/<platform>` into every consumer's production and global install, triggering an `allow-scripts`/ignored-build-script prompt for esbuild's postinstall on Windows/macOS package managers. Consumers no longer install esbuild.
+## [1.0.6] - 2026-06-02
+### Fixed
+- `getToken`: no longer retries via the `serviceKey` strategy after the `session` strategy fails with an *interactive* browser-login error (timeout / `BROWSER_AUTH_ERROR`). Both strategies call the same `tokenProvider.getTokens()`, so the retry could not succeed and merely started a duplicate browser login on the same redirect port — surfacing a misleading `Port <n> is already in use` instead of the real cause. Transient/non-interactive session failures still fall through to the `serviceKey` attempt.
 ## [1.0.5] - 2026-02-12
 ### Added

package/README.md CHANGED Viewed

@@ -1,4 +1,5 @@
 # @mcp-abap-adt/auth-broker
+[![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua)
 JWT authentication broker for MCP ABAP ADT server. Manages authentication tokens based on destination headers, automatically loading tokens from `.env` files and refreshing them using service keys when needed.

package/dist/AuthBroker.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,eAAe,EAGrB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACd,MAAM,qBAAqB,CAAC;~~AA6C7B~~;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,YAAY,EAAE,aAAa,CAAC;IAC5B,uEAAuE;IACvE,eAAe,CAAC,EAAE,gBAAgB,CAAC;IACnC,4IAA4I;IAC5I,aAAa,EAAE,cAAc,CAAC;IAC9B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;;;;;;OAWG;gBACS,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO;IAsFxE;;OAEG;YACW,eAAe;IA0D7B;;OAEG;YACW,aAAa;IAoD3B;;OAEG;YACW,oCAAoC;IA4ClD;;OAEG;YACW,kBAAkB;YA4ClB,aAAa;YA0Db,kBAAkB;IAkDhC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAuCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;~~IAwKpD~~;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASxD;;;;OAIG;IACG,sBAAsB,CAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAoEvC;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAuEpC;;;;;;;;;;;;;;;;OAgBG;IACH,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;CAqB3D"}
1	+ {"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,eAAe,EAGrB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACd,MAAM,qBAAqB,CAAC;AA8D7B;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,YAAY,EAAE,aAAa,CAAC;IAC5B,uEAAuE;IACvE,eAAe,CAAC,EAAE,gBAAgB,CAAC;IACnC,4IAA4I;IAC5I,aAAa,EAAE,cAAc,CAAC;IAC9B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;;;;;;OAWG;gBACS,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO;IAsFxE;;OAEG;YACW,eAAe;IA0D7B;;OAEG;YACW,aAAa;IAoD3B;;OAEG;YACW,oCAAoC;IA4ClD;;OAEG;YACW,kBAAkB;YA4ClB,aAAa;YA0Db,kBAAkB;IAkDhC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAuCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAsLpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASxD;;;;OAIG;IACG,sBAAsB,CAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAoEvC;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAuEpC;;;;;;;;;;;;;;;;OAgBG;IACH,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;CAqB3D"}

package/dist/AuthBroker.js CHANGED Viewed

@@ -32,6 +32,20 @@ function hasErrorCode(error) {
 function getErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
+/**
+ * Whether an error represents a failed *interactive* browser login (the user
+ * did not complete the OAuth flow / it timed out), as opposed to a transient or
+ * configuration error. Such failures must not be retried via a second
+ * provider.getTokens() — that would start a duplicate browser login on the same
+ * redirect port and mask the real cause with a "Port in use" error.
+ */
+function isInteractiveAuthFailure(error) {
+    if (hasErrorCode(error) && error.code === 'BROWSER_AUTH_ERROR') {
+        return true;
+    }
+    const message = getErrorMessage(error);
+    return /authentication timeout|browser authentication|already in use/i.test(message);
+}
 /**
  * AuthBroker manages JWT authentication tokens for destinations
  */
@@ -454,6 +468,17 @@ class AuthBroker {
             }
             throw new Error(`Authorization config not found for ${destination}. Session has no auth config and serviceKeyStore is not available.`);
         }
+        // If the session attempt already performed an *interactive* browser login
+        // and it failed (the user didn't complete it / it timed out), the serviceKey
+        // strategy would call the SAME provider.getTokens() again and start a
+        // duplicate browser login on the same redirect port — surfacing a misleading
+        // "Port in use" instead of the real cause. Don't retry interactive failures;
+        // propagate the original error. Transient/non-interactive session failures
+        // still fall through to the serviceKey attempt below.
+        if (lastError && isInteractiveAuthFailure(lastError)) {
+            this.logger?.debug(`Step 2: session login failed interactively for ${destination}; not retrying via service key (${getErrorMessage(lastError)})`);
+            throw lastError;
+        }
         const serviceKeyAuthConfig = await this.getAuthorizationConfigFromServiceKey(destination);
         const tokenResult = await this.requestTokens(destination, 'serviceKey');
         await this.persistTokenResult(destination, serviceUrl, connConfig, serviceKeyAuthConfig, tokenResult);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-broker",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "JWT authentication broker for MCP ABAP ADT - manages tokens based on destination headers",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,11 +65,11 @@
     "@mcp-abap-adt/auth-providers": "^1.0.5",
     "@mcp-abap-adt/auth-stores": "^1.0.2",
     "@mcp-abap-adt/interfaces": "^2.3.0",
-    "axios": "^1.13.5",
-    "tsx": "^4.21.0"
+    "axios": "^1.13.5"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.3.14",
+    "tsx": "^4.21.0",
     "@mcp-abap-adt/logger": "^0.1.4",
     "@types/express": "^5.0.5",
     "@types/jest": "^30.0.0",