@mcp-ts/sdk 1.3.9 → 1.4.0

package/dist/server/index.mjs

@@ -7,6 +7,7 @@ import { ListToolsResultSchema, CallToolResultSchema, ListPromptsResultSchema, G
 import * as fs2 from 'fs';
 import { promises } from 'fs';
 import * as path from 'path';
+import { createDecipheriv, randomBytes, createCipheriv } from 'crypto';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -707,6 +708,72 @@ var SqliteStorage = class {
     }
   }
 };
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var ENCRYPTION_PREFIX = "enc:1:";
+var warningLogged = false;
+function getKey() {
+  const keyString = process.env.STORAGE_ENCRYPTION_KEY;
+  if (!keyString) return null;
+  if (keyString.length === 64) {
+    return Buffer.from(keyString, "hex");
+  } else {
+    const keyBuffer = Buffer.alloc(32);
+    keyBuffer.write(keyString, 0, 32, "utf-8");
+    return keyBuffer;
+  }
+}
+function encryptObject(data) {
+  if (data === void 0 || data === null) return data;
+  const key = getKey();
+  if (!key) {
+    if (!warningLogged) {
+      console.warn("[mcp-ts][Storage] WARNING: STORAGE_ENCRYPTION_KEY is not set. Saving sensitive data in plain-text.");
+      warningLogged = true;
+    }
+    return data;
+  }
+  try {
+    const text = JSON.stringify(data);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(text, "utf-8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag().toString("hex");
+    return `${ENCRYPTION_PREFIX}${iv.toString("hex")}:${authTag}:${encrypted}`;
+  } catch (e) {
+    console.error("[mcp-ts][Storage] Encryption failed, falling back to plain-text.", e);
+    return data;
+  }
+}
+function decryptObject(data) {
+  if (data === void 0 || data === null) return data;
+  if (typeof data !== "string" || !data.startsWith(ENCRYPTION_PREFIX)) {
+    return data;
+  }
+  const key = getKey();
+  if (!key) {
+    console.warn("[mcp-ts][Storage] WARNING: Found encrypted data but STORAGE_ENCRYPTION_KEY is missing. Returning raw encrypted string.");
+    return data;
+  }
+  try {
+    const parts = data.split(":");
+    if (parts.length !== 5) {
+      return data;
+    }
+    const iv = Buffer.from(parts[2], "hex");
+    const authTag = Buffer.from(parts[3], "hex");
+    const encryptedText = parts[4];
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encryptedText, "hex", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return JSON.parse(decrypted);
+  } catch (e) {
+    console.error("[mcp-ts][Storage] Decryption failed.", e);
+    return data;
+  }
+}
 
 // src/server/storage/supabase-backend.ts
 var SupabaseStorageBackend = class {
@@ -739,10 +806,10 @@ var SupabaseStorageBackend = class {
       callbackUrl: row.callback_url,
       createdAt: new Date(row.created_at).getTime(),
       identity: row.identity,
-      headers: row.headers,
+      headers: decryptObject(row.headers),
       active: row.active,
       clientInformation: row.client_information,
-      tokens: row.tokens,
+      tokens: decryptObject(row.tokens),
       codeVerifier: row.code_verifier,
       clientId: row.client_id
     };
@@ -763,10 +830,10 @@ var SupabaseStorageBackend = class {
       callback_url: session.callbackUrl,
       created_at: new Date(session.createdAt || Date.now()).toISOString(),
       identity,
-      headers: session.headers,
+      headers: encryptObject(session.headers),
       active: session.active ?? false,
       client_information: session.clientInformation,
-      tokens: session.tokens,
+      tokens: encryptObject(session.tokens),
       code_verifier: session.codeVerifier,
       client_id: session.clientId,
       expires_at: expiresAt
@@ -791,9 +858,9 @@ var SupabaseStorageBackend = class {
     if ("transportType" in data) updateData.transport_type = data.transportType;
     if ("callbackUrl" in data) updateData.callback_url = data.callbackUrl;
     if ("active" in data) updateData.active = data.active;
-    if ("headers" in data) updateData.headers = data.headers;
+    if ("headers" in data) updateData.headers = encryptObject(data.headers);
     if ("clientInformation" in data) updateData.client_information = data.clientInformation;
-    if ("tokens" in data) updateData.tokens = data.tokens;
+    if ("tokens" in data) updateData.tokens = encryptObject(data.tokens);
     if ("codeVerifier" in data) updateData.code_verifier = data.codeVerifier;
     if ("clientId" in data) updateData.client_id = data.clientId;
     const { data: updatedRows, error } = await this.supabase.from("mcp_sessions").update(updateData).eq("identity", identity).eq("session_id", sessionId).select("id");
@@ -1587,13 +1654,24 @@ var MCPClient = class _MCPClient {
       }
     } catch (error) {
       if (error instanceof UnauthorizedError$1 || error instanceof Error && error.message.toLowerCase().includes("unauthorized")) {
-        this.emitStateChange("AUTHENTICATING");
-        console.log(`[MCPClient] Saving session ${this.sessionId} with 10min TTL (OAuth pending)`);
-        await this.saveSession(Math.floor(STATE_EXPIRATION_MS / 1e3), false);
         let authUrl = "";
         if (this.oauthProvider) {
-          authUrl = this.oauthProvider.authUrl || "";
+          authUrl = (this.oauthProvider.authUrl || "").trim();
         }
+        if (!authUrl) {
+          const detail = error instanceof Error && error.message.trim().length > 0 ? error.message.trim() : "Unauthorized";
+          const message = detail.toLowerCase() === "unauthorized" ? "OAuth authorization URL not available" : `OAuth authorization URL not available: ${detail}`;
+          this.emitError(message, "auth");
+          this.emitStateChange("FAILED");
+          try {
+            await storage.removeSession(this.identity, this.sessionId);
+          } catch {
+          }
+          throw new Error(message);
+        }
+        this.emitStateChange("AUTHENTICATING");
+        console.log(`[MCPClient] Saving session ${this.sessionId} with 10min TTL (OAuth pending)`);
+        await this.saveSession(Math.floor(STATE_EXPIRATION_MS / 1e3), false);
         if (this.serverId) {
           this._onConnectionEvent.fire({
             type: "auth_required",