@mcp-ts/sdk 1.3.9 → 1.4.0

package/src/client/utils/app-host-utils.ts

@@ -0,0 +1,62 @@
+import { APP_HOST_DEFAULTS, SANDBOX_PROXY_READY_METHOD } from '../core/constants.js';
+
+const DEFAULT_SANDBOX_TIMEOUT_MS = APP_HOST_DEFAULTS.SANDBOX_TIMEOUT_MS;
+
+export async function setupSandboxProxyIframe(
+  iframe: HTMLIFrameElement,
+  sandboxProxyUrl: URL
+): Promise<{
+  onReady: Promise<void>;
+}> {
+  iframe.style.width = '100%';
+  iframe.style.height = '100%';
+  iframe.style.border = 'none';
+  iframe.style.backgroundColor = 'transparent';
+  iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-forms allow-modals allow-popups allow-downloads');
+
+  const onReady = new Promise<void>((resolve, reject) => {
+    let settled = false;
+
+    const cleanup = () => {
+      window.removeEventListener('message', messageListener);
+      iframe.removeEventListener('error', errorListener);
+    };
+
+    const timeoutId = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        cleanup();
+        reject(new Error('Timed out waiting for sandbox proxy iframe to be ready'));
+      }
+    }, DEFAULT_SANDBOX_TIMEOUT_MS);
+
+    const messageListener = (event: MessageEvent) => {
+      if (event.source === iframe.contentWindow) {
+        if (event.data?.method === SANDBOX_PROXY_READY_METHOD) {
+          if (!settled) {
+            settled = true;
+            clearTimeout(timeoutId);
+            cleanup();
+            resolve();
+          }
+        }
+      }
+    };
+
+    const errorListener = () => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timeoutId);
+        cleanup();
+        reject(new Error('Failed to load sandbox proxy iframe'));
+      }
+    };
+
+    window.addEventListener('message', messageListener);
+    iframe.addEventListener('error', errorListener);
+  });
+
+  iframe.src = sandboxProxyUrl.href;
+
+  return { onReady };
+}

package/src/client/vue/use-mcp.ts

@@ -285,22 +285,33 @@ export function useMcp(options: UseMcpOptions): McpClient {
             }
 
             case 'auth_required': {
-                // Handle OAuth redirect
-                if (event.authUrl) {
-                    onLog?.('info', `OAuth required - redirecting to ${event.authUrl}`, { authUrl: event.authUrl });
-
-                    // Suppress redirects/popups for background auto-restore on page load.
-                    if (!suppressAuthRedirectSessions.value.has(event.sessionId)) {
-                        if (onRedirect) {
-                            onRedirect(event.authUrl);
-                        } else if (typeof window !== 'undefined') {
-                            window.location.href = event.authUrl;
-                        }
+                const url = (event.authUrl || '').trim();
+                if (!url) {
+                    onLog?.('error', 'OAuth required but authorization URL is missing', { sessionId: event.sessionId });
+                    const index = connections.value.findIndex((c) => c.sessionId === event.sessionId);
+                    if (index !== -1) {
+                        connections.value[index] = {
+                            ...connections.value[index],
+                            state: 'FAILED',
+                            error: 'OAuth authorization URL not available',
+                            authUrl: undefined,
+                        };
+                    }
+                    break;
+                }
+                onLog?.('info', `OAuth required - redirecting to ${url}`, { authUrl: url });
+
+                // Suppress redirects/popups for background auto-restore on page load.
+                if (!suppressAuthRedirectSessions.value.has(event.sessionId)) {
+                    if (onRedirect) {
+                        onRedirect(url);
+                    } else if (typeof window !== 'undefined') {
+                        window.location.href = url;
                     }
                 }
                 const index = connections.value.findIndex((c) => c.sessionId === event.sessionId);
                 if (index !== -1) {
-                    connections.value[index] = { ...connections.value[index], state: 'AUTHENTICATING', authUrl: event.authUrl };
+                    connections.value[index] = { ...connections.value[index], state: 'AUTHENTICATING', authUrl: url };
                 }
                 break;
             }

package/src/server/mcp/oauth-client.ts

@@ -51,12 +51,12 @@ export type TransportType = 'sse' | 'streamable_http';
  */
 import type { ClientCapabilities } from '@modelcontextprotocol/sdk/types.js';
 
-interface McpAppClientCapabilities extends ClientCapabilities {
+interface McpAppClientCapabilities extends Omit<ClientCapabilities, 'extensions'> {
   extensions?: {
     'io.modelcontextprotocol/ui'?: {
       mimeTypes: string[];
     };
-    [key: string]: unknown;
+    [key: string]: any;
   };
 }
 
@@ -516,17 +516,40 @@ export class MCPClient {
         error instanceof SDKUnauthorizedError ||
         (error instanceof Error && error.message.toLowerCase().includes('unauthorized'))
       ) {
+        /** Set when the SDK calls redirectToAuthorization on the OAuth provider */
+        let authUrl = '';
+        if (this.oauthProvider) {
+          authUrl = (this.oauthProvider.authUrl || '').trim();
+        }
+
+        /**
+         * 401 without a usable URL means metadata/DCR failed or the server never started
+         * an interactive OAuth flow — not recoverable as "pending OAuth".
+         */
+        if (!authUrl) {
+          const detail =
+            error instanceof Error && error.message.trim().length > 0
+              ? error.message.trim()
+              : 'Unauthorized';
+          const message =
+            detail.toLowerCase() === 'unauthorized'
+              ? 'OAuth authorization URL not available'
+              : `OAuth authorization URL not available: ${detail}`;
+          this.emitError(message, 'auth');
+          this.emitStateChange('FAILED');
+          try {
+            await storage.removeSession(this.identity, this.sessionId);
+          } catch {
+            // best-effort cleanup
+          }
+          throw new Error(message);
+        }
+
         this.emitStateChange('AUTHENTICATING');
         // Save session with 10min TTL for OAuth pending state
         console.log(`[MCPClient] Saving session ${this.sessionId} with 10min TTL (OAuth pending)`);
         await this.saveSession(Math.floor(STATE_EXPIRATION_MS / 1000), false);
 
-        /** Get OAuth authorization URL if available */
-        let authUrl = '';
-        if (this.oauthProvider) {
-          authUrl = this.oauthProvider.authUrl || '';
-        }
-
         if (this.serverId) {
           this._onConnectionEvent.fire({
             type: 'auth_required',

package/src/server/storage/crypto.ts

@@ -0,0 +1,92 @@
+import { randomBytes, createCipheriv, createDecipheriv } from 'node:crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const ENCRYPTION_PREFIX = 'enc:1:';
+
+let warningLogged = false;
+
+function getKey(): Buffer | null {
+    const keyString = process.env.STORAGE_ENCRYPTION_KEY;
+    if (!keyString) return null;
+    
+    // Ensure key is 32 bytes (256 bits)
+    if (keyString.length === 64) {
+        return Buffer.from(keyString, 'hex');
+    } else {
+        const keyBuffer = Buffer.alloc(32);
+        keyBuffer.write(keyString, 0, 32, 'utf-8');
+        return keyBuffer;
+    }
+}
+
+/**
+ * Encrypts an object into a secure string.
+ * Falls back to returning the original object if the encryption key is missing or encryption fails.
+ */
+export function encryptObject(data: any): any {
+    if (data === undefined || data === null) return data;
+    
+    const key = getKey();
+    if (!key) {
+        if (!warningLogged) {
+            console.warn('[mcp-ts][Storage] WARNING: STORAGE_ENCRYPTION_KEY is not set. Saving sensitive data in plain-text.');
+            warningLogged = true;
+        }
+        return data; // Fallback to plain-text
+    }
+
+    try {
+        const text = JSON.stringify(data);
+        const iv = randomBytes(IV_LENGTH);
+        const cipher = createCipheriv(ALGORITHM, key, iv);
+        
+        let encrypted = cipher.update(text, 'utf-8', 'hex');
+        encrypted += cipher.final('hex');
+        const authTag = cipher.getAuthTag().toString('hex');
+        
+        return `${ENCRYPTION_PREFIX}${iv.toString('hex')}:${authTag}:${encrypted}`;
+    } catch (e) {
+        console.error('[mcp-ts][Storage] Encryption failed, falling back to plain-text.', e);
+        return data;
+    }
+}
+
+/**
+ * Decrypts a secure string back into an object.
+ * Returns the original data if it is unencrypted or if decryption fails.
+ */
+export function decryptObject(data: any): any {
+    if (data === undefined || data === null) return data;
+    if (typeof data !== 'string' || !data.startsWith(ENCRYPTION_PREFIX)) {
+        return data; // Already unencrypted or old plain-text data
+    }
+
+    const key = getKey();
+    if (!key) {
+        console.warn('[mcp-ts][Storage] WARNING: Found encrypted data but STORAGE_ENCRYPTION_KEY is missing. Returning raw encrypted string.');
+        return data;
+    }
+
+    try {
+        const parts = data.split(':');
+        if (parts.length !== 5) {
+            return data;
+        }
+
+        const iv = Buffer.from(parts[2], 'hex');
+        const authTag = Buffer.from(parts[3], 'hex');
+        const encryptedText = parts[4];
+
+        const decipher = createDecipheriv(ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+
+        let decrypted = decipher.update(encryptedText, 'hex', 'utf-8');
+        decrypted += decipher.final('utf-8');
+
+        return JSON.parse(decrypted);
+    } catch (e) {
+        console.error('[mcp-ts][Storage] Decryption failed.', e);
+        return data;
+    }
+}

package/src/server/storage/supabase-backend.ts

@@ -2,6 +2,7 @@ import type { SupabaseClient } from '@supabase/supabase-js';
 import { StorageBackend, SessionData } from './types.js';
 import { SESSION_TTL_SECONDS } from '../../shared/constants.js';
 import { generateSessionId } from '../../shared/utils.js';
+import { encryptObject, decryptObject } from './crypto.js';
 
 export class SupabaseStorageBackend implements StorageBackend {
     private readonly DEFAULT_TTL = SESSION_TTL_SECONDS;
@@ -43,10 +44,10 @@ export class SupabaseStorageBackend implements StorageBackend {
             callbackUrl: row.callback_url,
             createdAt: new Date(row.created_at).getTime(),
             identity: row.identity,
-            headers: row.headers,
+            headers: decryptObject(row.headers),
             active: row.active,
             clientInformation: row.client_information,
-            tokens: row.tokens,
+            tokens: decryptObject(row.tokens),
             codeVerifier: row.code_verifier,
             clientId: row.client_id,
         };
@@ -71,10 +72,10 @@ export class SupabaseStorageBackend implements StorageBackend {
                 callback_url: session.callbackUrl,
                 created_at: new Date(session.createdAt || Date.now()).toISOString(),
                 identity: identity,
-                headers: session.headers,
+                headers: encryptObject(session.headers),
                 active: session.active ?? false,
                 client_information: session.clientInformation,
-                tokens: session.tokens,
+                tokens: encryptObject(session.tokens),
                 code_verifier: session.codeVerifier,
                 client_id: session.clientId,
                 expires_at: expiresAt
@@ -105,9 +106,9 @@ export class SupabaseStorageBackend implements StorageBackend {
         if ('transportType' in data) updateData.transport_type = data.transportType;
         if ('callbackUrl' in data) updateData.callback_url = data.callbackUrl;
         if ('active' in data) updateData.active = data.active;
-        if ('headers' in data) updateData.headers = data.headers;
+        if ('headers' in data) updateData.headers = encryptObject(data.headers);
         if ('clientInformation' in data) updateData.client_information = data.clientInformation;
-        if ('tokens' in data) updateData.tokens = data.tokens;
+        if ('tokens' in data) updateData.tokens = encryptObject(data.tokens);
         if ('codeVerifier' in data) updateData.code_verifier = data.codeVerifier;
         if ('clientId' in data) updateData.client_id = data.clientId;