@mcp-ts/sdk 1.6.2 → 2.0.0

package/src/server/mcp/storage-oauth-provider.ts

@@ -5,7 +5,7 @@ import type {
     OAuthClientMetadata,
     OAuthTokens
 } from "@modelcontextprotocol/sdk/shared/auth.js";
-import { storage, SessionData } from "../storage/index.js";
+import { sessions, type Session } from "../storage/index.js";
 import {
     DEFAULT_CLIENT_NAME,
     DEFAULT_CLIENT_URI,
@@ -34,7 +34,7 @@ export interface AgentsOAuthProvider extends OAuthClientProvider {
 }
 
 export interface StorageOAuthClientProviderOptions {
-    identity: string;
+    userId: string;
     serverId: string;
     sessionId: string;
     redirectUrl: string;
@@ -49,10 +49,10 @@ export interface StorageOAuthClientProviderOptions {
 
 /**
  * Storage-backed OAuth provider implementation for MCP
- * Stores OAuth tokens, client information, and PKCE verifiers using the configured StorageBackend
+ * Stores OAuth tokens, client information, and PKCE verifiers using the configured SessionStore
  */
 export class StorageOAuthClientProvider implements AgentsOAuthProvider {
-    public readonly identity: string;
+    public readonly userId: string;
     public readonly serverId: string;
     public readonly sessionId: string;
     public readonly redirectUrl: string;
@@ -69,11 +69,11 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
     private tokenExpiresAt?: number;
 
     /**
-     * Creates a new storage-backed OAuth provider
+     * Creates a new session-backed OAuth provider
      * @param options - Provider configuration
      */
     constructor(options: StorageOAuthClientProviderOptions) {
-        this.identity = options.identity;
+        this.userId = options.userId;
         this.serverId = options.serverId;
         this.sessionId = options.sessionId;
         this.redirectUrl = options.redirectUrl;
@@ -110,25 +110,25 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
     }
 
     /**
-     * Loads OAuth data from storage session
+     * Loads OAuth data from the session store
      * @private
      */
-    private async getSessionData(): Promise<SessionData> {
-        const data = await storage.getSession(this.identity, this.sessionId);
+    private async getSessionData(): Promise<Session> {
+        const data = await sessions.get(this.userId, this.sessionId);
         if (!data) {
-            return {} as SessionData;
+            return {} as Session;
         }
         return data;
     }
 
     /**
-     * Saves OAuth data to storage
+     * Saves OAuth data to the session store
      * @param data - Partial OAuth data to save
      * @private
      * @throws Error if session doesn't exist (session must be created by controller layer)
      */
-    private async saveSessionData(data: Partial<SessionData>): Promise<void> {
-        await storage.updateSession(this.identity, this.sessionId, data);
+    private async saveSessionData(data: Partial<Session>): Promise<void> {
+        await sessions.update(this.userId, this.sessionId, data);
     }
 
     /**
@@ -170,7 +170,7 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
      * Stores OAuth tokens
      */
     async saveTokens(tokens: OAuthTokens): Promise<void> {
-        const data: Partial<SessionData> = { tokens };
+        const data: Partial<Session> = { tokens };
 
         if (tokens.expires_in) {
             this.tokenExpiresAt = Date.now() + (tokens.expires_in * 1000) - TOKEN_EXPIRY_BUFFER_MS;
@@ -188,7 +188,7 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
     }
 
     async checkState(_state: string): Promise<{ valid: boolean; serverId?: string; error?: string }> {
-        const data = await storage.getSession(this.identity, this.sessionId);
+        const data = await sessions.get(this.userId, this.sessionId);
 
         if (!data) {
             return { valid: false, error: "Session not found" };
@@ -212,9 +212,9 @@ export class StorageOAuthClientProvider implements AgentsOAuthProvider {
         scope: "all" | "client" | "tokens" | "verifier"
     ): Promise<void> {
         if (scope === "all") {
-            await storage.removeSession(this.identity, this.sessionId);
+            await sessions.delete(this.userId, this.sessionId);
         } else {
-            const updates: Partial<SessionData> = {};
+            const updates: Partial<Session> = {};
 
             if (scope === "client") {
                 updates.clientInformation = undefined;

package/src/server/storage/file-backend.ts

@@ -1,15 +1,15 @@
 import { promises as fs } from 'fs';
 import * as path from 'path';
-import { StorageBackend, SessionData, SetClientOptions } from './types.js';
+import type { SessionStore, Session, SetClientOptions } from './types.js';
 import { generateSessionId } from '../../shared/utils.js';
 
 /**
- * File system implementation of StorageBackend
+ * File system implementation of SessionStore
  * Persists sessions to a JSON file
  */
-export class FileStorageBackend implements StorageBackend {
+export class FileStorageBackend implements SessionStore {
     private filePath: string;
-    private memoryCache: Map<string, SessionData> | null = null;
+    private memoryCache: Map<string, Session> | null = null;
     private initialized = false;
 
     /**
@@ -36,8 +36,8 @@ export class FileStorageBackend implements StorageBackend {
 
             this.memoryCache = new Map();
             if (Array.isArray(json)) {
-                json.forEach((s: SessionData) => {
-                    this.memoryCache!.set(this.getSessionKey(s.identity || 'unknown', s.sessionId), s);
+                json.forEach((s: Session) => {
+                    this.memoryCache!.set(this.getSessionKey(s.userId || 'unknown', s.sessionId), s);
                 });
             }
         } catch (error: any) {
@@ -65,20 +65,20 @@ export class FileStorageBackend implements StorageBackend {
         await fs.writeFile(this.filePath, JSON.stringify(sessions, null, 2), 'utf-8');
     }
 
-    private getSessionKey(identity: string, sessionId: string): string {
-        return `${identity}:${sessionId}`;
+    private getSessionKey(userId: string, sessionId: string): string {
+        return `${userId}:${sessionId}`;
     }
 
     generateSessionId(): string {
         return generateSessionId();
     }
 
-    async createSession(session: SessionData, ttl?: number): Promise<void> {
+    async create(session: Session, ttl?: number): Promise<void> {
         await this.ensureInitialized();
-        const { sessionId, identity } = session;
-        if (!sessionId || !identity) throw new Error('identity and sessionId required');
+        const { sessionId, userId } = session;
+        if (!sessionId || !userId) throw new Error('userId and sessionId required');
 
-        const sessionKey = this.getSessionKey(identity, sessionId);
+        const sessionKey = this.getSessionKey(userId, sessionId);
         if (this.memoryCache!.has(sessionKey)) {
             throw new Error(`Session ${sessionId} already exists`);
         }
@@ -88,11 +88,11 @@ export class FileStorageBackend implements StorageBackend {
         // Note: TTL is ignored in file backend - sessions don't auto-expire
     }
 
-    async updateSession(identity: string, sessionId: string, data: Partial<SessionData>, ttl?: number): Promise<void> {
+    async update(userId: string, sessionId: string, data: Partial<Session>, ttl?: number): Promise<void> {
         await this.ensureInitialized();
-        if (!identity || !sessionId) throw new Error('identity and sessionId required');
+        if (!userId || !sessionId) throw new Error('userId and sessionId required');
 
-        const sessionKey = this.getSessionKey(identity, sessionId);
+        const sessionKey = this.getSessionKey(userId, sessionId);
         const current = this.memoryCache!.get(sessionKey);
 
         if (!current) {
@@ -109,33 +109,33 @@ export class FileStorageBackend implements StorageBackend {
         // Note: TTL is ignored in file backend - sessions don't auto-expire
     }
 
-    async getSession(identity: string, sessionId: string): Promise<SessionData | null> {
+    async get(userId: string, sessionId: string): Promise<Session | null> {
         await this.ensureInitialized();
-        const sessionKey = this.getSessionKey(identity, sessionId);
+        const sessionKey = this.getSessionKey(userId, sessionId);
         return this.memoryCache!.get(sessionKey) || null;
     }
 
-    async getIdentitySessionsData(identity: string): Promise<SessionData[]> {
+    async list(userId: string): Promise<Session[]> {
         await this.ensureInitialized();
-        return Array.from(this.memoryCache!.values()).filter(s => s.identity === identity);
+        return Array.from(this.memoryCache!.values()).filter(s => s.userId === userId);
     }
 
-    async getIdentityMcpSessions(identity: string): Promise<string[]> {
+    async listIds(userId: string): Promise<string[]> {
         await this.ensureInitialized();
         return Array.from(this.memoryCache!.values())
-            .filter(s => s.identity === identity)
+            .filter(s => s.userId === userId)
             .map(s => s.sessionId);
     }
 
-    async removeSession(identity: string, sessionId: string): Promise<void> {
+    async delete(userId: string, sessionId: string): Promise<void> {
         await this.ensureInitialized();
-        const sessionKey = this.getSessionKey(identity, sessionId);
+        const sessionKey = this.getSessionKey(userId, sessionId);
         if (this.memoryCache!.delete(sessionKey)) {
             await this.flush();
         }
     }
 
-    async getAllSessionIds(): Promise<string[]> {
+    async listAllIds(): Promise<string[]> {
         await this.ensureInitialized();
         return Array.from(this.memoryCache!.values()).map(s => s.sessionId);
     }
@@ -146,7 +146,7 @@ export class FileStorageBackend implements StorageBackend {
         await this.flush();
     }
 
-    async cleanupExpiredSessions(): Promise<void> {
+    async cleanupExpired(): Promise<void> {
         // Could implement TTL check here using createdAt
         await this.ensureInitialized();
     }

package/src/server/storage/index.ts

@@ -4,28 +4,53 @@ import { MemoryStorageBackend } from './memory-backend';
 import { FileStorageBackend } from './file-backend';
 import { SqliteStorage } from './sqlite-backend.js';
 import { SupabaseStorageBackend } from './supabase-backend.js';
-import type { StorageBackend } from './types.js';
+import { NeonStorageBackend, type NeonStorageOptions } from './neon-backend.js';
+import type { SessionStore } from './types.js';
 
 // Re-export types
 export * from './types.js';
 export { generateSessionId } from '../../shared/utils.js';
-export { RedisStorageBackend, MemoryStorageBackend, FileStorageBackend, SqliteStorage, SupabaseStorageBackend };
+export { RedisStorageBackend, MemoryStorageBackend, FileStorageBackend, SqliteStorage, SupabaseStorageBackend, NeonStorageBackend };
 
 export function createSupabaseStorageBackend(client: any): SupabaseStorageBackend {
     return new SupabaseStorageBackend(client);
 }
 
-let storageInstance: StorageBackend | null = null;
-let storagePromise: Promise<StorageBackend> | null = null;
+export function createNeonStorageBackend(sql: any, options?: NeonStorageOptions): NeonStorageBackend {
+    return new NeonStorageBackend(sql, options);
+}
+
+function warnIfNeonConnectionStringIsInsecure(connectionString: string): void {
+    try {
+        const url = new URL(connectionString);
+        const sslMode = url.searchParams.get('sslmode');
+        const channelBinding = url.searchParams.get('channel_binding');
+
+        if (!sslMode) {
+            console.warn('[mcp-ts][Storage] Neon connection string does not include sslmode. Neon recommends sslmode=verify-full for the strongest certificate verification.');
+        } else if (!['verify-full', 'require'].includes(sslMode)) {
+            console.warn(`[mcp-ts][Storage] Neon connection string uses sslmode=${sslMode}. Use sslmode=verify-full or sslmode=require for secure connections.`);
+        }
+
+        if (!channelBinding) {
+            console.warn('[mcp-ts][Storage] Neon connection string does not include channel_binding=require. Add it when supported by your runtime and connection path.');
+        }
+    } catch {
+        console.warn('[mcp-ts][Storage] Neon connection string could not be parsed for SSL checks.');
+    }
+}
+
+let storageInstance: SessionStore | null = null;
+let storagePromise: Promise<SessionStore> | null = null;
 
-async function initializeStorage<T extends StorageBackend>(store: T): Promise<T> {
+async function initializeStorage<T extends SessionStore>(store: T): Promise<T> {
     if (typeof store.init === 'function') {
         await store.init();
     }
     return store;
 }
 
-async function createStorage(): Promise<StorageBackend> {
+async function createStorage(): Promise<SessionStore> {
     const type = process.env.MCP_TS_STORAGE_TYPE?.toLowerCase();
 
     // Explicit selection
@@ -80,6 +105,26 @@ async function createStorage(): Promise<StorageBackend> {
         }
     }
 
+    if (type === 'neon') {
+        const connectionString = process.env.NEON_DATABASE_URL || process.env.DATABASE_URL;
+
+        if (!connectionString) {
+            console.warn('[mcp-ts][Storage] Explicit selection "neon" requires NEON_DATABASE_URL or DATABASE_URL.');
+        } else {
+            try {
+                const { neon } = await import('@neondatabase/serverless');
+                warnIfNeonConnectionStringIsInsecure(connectionString);
+                const sql = neon(connectionString);
+                console.log('[mcp-ts][Storage] Explicit selection: "neon"');
+                return await initializeStorage(new NeonStorageBackend(sql));
+            } catch (error: any) {
+                console.error('[mcp-ts][Storage] Failed to initialize Neon:', error.message);
+                console.log('[mcp-ts][Storage] Falling back to In-Memory storage');
+                return await initializeStorage(new MemoryStorageBackend());
+            }
+        }
+    }
+
     if (type === 'memory') {
         console.log('[mcp-ts][Storage] Explicit selection: "memory"');
         return await initializeStorage(new MemoryStorageBackend());
@@ -126,11 +171,23 @@ async function createStorage(): Promise<StorageBackend> {
         }
     }
 
+    if (process.env.NEON_DATABASE_URL) {
+        try {
+            const { neon } = await import('@neondatabase/serverless');
+            warnIfNeonConnectionStringIsInsecure(process.env.NEON_DATABASE_URL);
+            const sql = neon(process.env.NEON_DATABASE_URL);
+            console.log('[mcp-ts][Storage] Auto-detection: "neon" (via NEON_DATABASE_URL)');
+            return await initializeStorage(new NeonStorageBackend(sql));
+        } catch (error: any) {
+            console.error('[mcp-ts][Storage] Neon auto-detection failed:', error.message);
+        }
+    }
+
     console.log('[mcp-ts][Storage] Defaulting to: "memory"');
     return await initializeStorage(new MemoryStorageBackend());
 }
 
-async function getStorage(): Promise<StorageBackend> {
+async function getStorage(): Promise<SessionStore> {
     if (storageInstance) {
         return storageInstance;
     }
@@ -149,9 +206,9 @@ async function getStorage(): Promise<StorageBackend> {
 /**
  * Set the storage instance (for testing)
  * @internal
- * @param instance - StorageBackend instance or null to reset
+ * @param instance - SessionStore instance or null to reset
  */
-export function _setStorageInstanceForTesting(instance: StorageBackend | null): void {
+export function _setStorageInstanceForTesting(instance: SessionStore | null): void {
     storageInstance = instance;
     if (!instance) {
         storagePromise = null;
@@ -162,7 +219,7 @@ export function _setStorageInstanceForTesting(instance: StorageBackend | null):
  * Global session store instance
  * Uses lazy initialization with a Proxy to handle async setup transparently
  */
-export const storage: StorageBackend = new Proxy({} as StorageBackend, {
+export const sessions: SessionStore = new Proxy({} as SessionStore, {
     get(_target, prop) {
         return async (...args: any[]) => {
             const instance = await getStorage();

package/src/server/storage/memory-backend.ts

@@ -1,16 +1,16 @@
-import { StorageBackend, SessionData, SetClientOptions } from './types.js';
+import type { SessionStore, Session, SetClientOptions } from './types.js';
 import { generateSessionId } from '../../shared/utils.js';
 
 /**
- * In-memory implementation of StorageBackend
+ * In-memory implementation of SessionStore
  * Useful for local development or testing
  */
-export class MemoryStorageBackend implements StorageBackend {
-    // Map<identity:sessionId, SessionData>
-    private sessions = new Map<string, SessionData>();
+export class MemoryStorageBackend implements SessionStore {
+    // Map<userId:sessionId, Session>
+    private sessions = new Map<string, Session>();
 
-    // Map<identity, Set<sessionId>>
-    private identitySessions = new Map<string, Set<string>>();
+    // Map<userId, Set<sessionId>>
+    private userIdSessions = new Map<string, Set<string>>();
 
     constructor() { }
 
@@ -18,19 +18,19 @@ export class MemoryStorageBackend implements StorageBackend {
         console.log('[mcp-ts][Storage] Memory: ✓ internal memory store active.');
     }
 
-    private getSessionKey(identity: string, sessionId: string): string {
-        return `${identity}:${sessionId}`;
+    private getSessionKey(userId: string, sessionId: string): string {
+        return `${userId}:${sessionId}`;
     }
 
     generateSessionId(): string {
         return generateSessionId();
     }
 
-    async createSession(session: SessionData, ttl?: number): Promise<void> {
-        const { sessionId, identity } = session;
-        if (!sessionId || !identity) throw new Error('identity and sessionId required');
+    async create(session: Session, ttl?: number): Promise<void> {
+        const { sessionId, userId } = session;
+        if (!sessionId || !userId) throw new Error('userId and sessionId required');
 
-        const sessionKey = this.getSessionKey(identity, sessionId);
+        const sessionKey = this.getSessionKey(userId, sessionId);
         if (this.sessions.has(sessionKey)) {
             throw new Error(`Session ${sessionId} already exists`);
         }
@@ -38,17 +38,17 @@ export class MemoryStorageBackend implements StorageBackend {
         this.sessions.set(sessionKey, session);
 
         // Update index
-        if (!this.identitySessions.has(identity)) {
-            this.identitySessions.set(identity, new Set());
+        if (!this.userIdSessions.has(userId)) {
+            this.userIdSessions.set(userId, new Set());
         }
-        this.identitySessions.get(identity)!.add(sessionId);
+        this.userIdSessions.get(userId)!.add(sessionId);
         // Note: TTL is ignored in memory backend - sessions don't auto-expire
     }
 
-    async updateSession(identity: string, sessionId: string, data: Partial<SessionData>, ttl?: number): Promise<void> {
-        if (!identity || !sessionId) throw new Error('identity and sessionId required');
+    async update(userId: string, sessionId: string, data: Partial<Session>, ttl?: number): Promise<void> {
+        if (!userId || !sessionId) throw new Error('userId and sessionId required');
 
-        const sessionKey = this.getSessionKey(identity, sessionId);
+        const sessionKey = this.getSessionKey(userId, sessionId);
         const current = this.sessions.get(sessionKey);
 
         if (!current) {
@@ -65,23 +65,23 @@ export class MemoryStorageBackend implements StorageBackend {
     }
 
 
-    async getSession(identity: string, sessionId: string): Promise<SessionData | null> {
-        const sessionKey = this.getSessionKey(identity, sessionId);
+    async get(userId: string, sessionId: string): Promise<Session | null> {
+        const sessionKey = this.getSessionKey(userId, sessionId);
         return this.sessions.get(sessionKey) || null;
     }
 
-    async getIdentityMcpSessions(identity: string): Promise<string[]> {
-        const set = this.identitySessions.get(identity);
+    async listIds(userId: string): Promise<string[]> {
+        const set = this.userIdSessions.get(userId);
         return set ? Array.from(set) : [];
     }
 
-    async getIdentitySessionsData(identity: string): Promise<SessionData[]> {
-        const set = this.identitySessions.get(identity);
+    async list(userId: string): Promise<Session[]> {
+        const set = this.userIdSessions.get(userId);
         if (!set) return [];
 
-        const results: SessionData[] = [];
+        const results: Session[] = [];
         for (const sessionId of set) {
-            const session = this.sessions.get(this.getSessionKey(identity, sessionId));
+            const session = this.sessions.get(this.getSessionKey(userId, sessionId));
             if (session) {
                 results.push(session);
             }
@@ -89,29 +89,29 @@ export class MemoryStorageBackend implements StorageBackend {
         return results;
     }
 
-    async removeSession(identity: string, sessionId: string): Promise<void> {
-        const sessionKey = this.getSessionKey(identity, sessionId);
+    async delete(userId: string, sessionId: string): Promise<void> {
+        const sessionKey = this.getSessionKey(userId, sessionId);
         this.sessions.delete(sessionKey);
 
-        const set = this.identitySessions.get(identity);
+        const set = this.userIdSessions.get(userId);
         if (set) {
             set.delete(sessionId);
             if (set.size === 0) {
-                this.identitySessions.delete(identity);
+                this.userIdSessions.delete(userId);
             }
         }
     }
 
-    async getAllSessionIds(): Promise<string[]> {
+    async listAllIds(): Promise<string[]> {
         return Array.from(this.sessions.values()).map(s => s.sessionId);
     }
 
     async clearAll(): Promise<void> {
         this.sessions.clear();
-        this.identitySessions.clear();
+        this.userIdSessions.clear();
     }
 
-    async cleanupExpiredSessions(): Promise<void> {
+    async cleanupExpired(): Promise<void> {
         // In-memory doesn't implement TTL automatically, 
         // but we could check createdAt + TTL here if needed.
         // For now, no-op.