@mcp-ts/sdk 2.3.3 → 2.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -265,18 +265,6 @@ declare class MCPClient {
265
265
  * @throws {Error} When client is not connected
266
266
  */
267
267
  readResource(uri: string): Promise<ReadResourceResult>;
268
- /**
269
- * Refreshes the OAuth access token using the refresh token
270
- * Discovers OAuth metadata from server and exchanges refresh token for new access token
271
- * @returns True if refresh was successful, false otherwise
272
- */
273
- refreshToken(): Promise<boolean>;
274
- /**
275
- * Ensures OAuth tokens are valid, refreshing them if expired
276
- * Called automatically by connect() - rarely needs to be called manually
277
- * @returns True if valid tokens are available, false otherwise
278
- */
279
- getValidTokens(): Promise<boolean>;
280
268
  /**
281
269
  * Reconnects to MCP server using existing OAuth provider from Redis
282
270
  * Used for session restoration in serverless environments
@@ -336,10 +324,14 @@ declare class MCPClient {
336
324
  getSessionId(): string;
337
325
  /**
338
326
  * Gets MCP server configuration for all active user sessions
339
- * Loads sessions from Redis, validates OAuth tokens, refreshes if expired
340
- * Returns ready-to-use configuration with valid auth headers
327
+ * Loads sessions from storage and returns server connection metadata.
328
+ * OAuth refresh is handled by SDK transports through their authProvider.
329
+ * @deprecated This returns legacy connection metadata only and does not
330
+ * include OAuth tokens or generated Authorization headers. Prefer
331
+ * MultiSessionClient or explicit MCPClient instances so SDK transports can
332
+ * own OAuth refresh and reauthorization.
341
333
  * @param userId - User ID to fetch sessions for
342
- * @returns Object keyed by sanitized server labels containing transport, url, headers, etc.
334
+ * @returns Object keyed by sanitized server labels containing transport and url.
343
335
  * @static
344
336
  */
345
337
  static getMcpServerConfig(userId: string): Promise<Record<string, any>>;
@@ -265,18 +265,6 @@ declare class MCPClient {
265
265
  * @throws {Error} When client is not connected
266
266
  */
267
267
  readResource(uri: string): Promise<ReadResourceResult>;
268
- /**
269
- * Refreshes the OAuth access token using the refresh token
270
- * Discovers OAuth metadata from server and exchanges refresh token for new access token
271
- * @returns True if refresh was successful, false otherwise
272
- */
273
- refreshToken(): Promise<boolean>;
274
- /**
275
- * Ensures OAuth tokens are valid, refreshing them if expired
276
- * Called automatically by connect() - rarely needs to be called manually
277
- * @returns True if valid tokens are available, false otherwise
278
- */
279
- getValidTokens(): Promise<boolean>;
280
268
  /**
281
269
  * Reconnects to MCP server using existing OAuth provider from Redis
282
270
  * Used for session restoration in serverless environments
@@ -336,10 +324,14 @@ declare class MCPClient {
336
324
  getSessionId(): string;
337
325
  /**
338
326
  * Gets MCP server configuration for all active user sessions
339
- * Loads sessions from Redis, validates OAuth tokens, refreshes if expired
340
- * Returns ready-to-use configuration with valid auth headers
327
+ * Loads sessions from storage and returns server connection metadata.
328
+ * OAuth refresh is handled by SDK transports through their authProvider.
329
+ * @deprecated This returns legacy connection metadata only and does not
330
+ * include OAuth tokens or generated Authorization headers. Prefer
331
+ * MultiSessionClient or explicit MCPClient instances so SDK transports can
332
+ * own OAuth refresh and reauthorization.
341
333
  * @param userId - User ID to fetch sessions for
342
- * @returns Object keyed by sanitized server labels containing transport, url, headers, etc.
334
+ * @returns Object keyed by sanitized server labels containing transport and url.
343
335
  * @static
344
336
  */
345
337
  static getMcpServerConfig(userId: string): Promise<Record<string, any>>;
@@ -1,4 +1,4 @@
1
- export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-DYNe6az3.mjs';
1
+ export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-C7hGqzgM.mjs';
2
2
  export { U as UnauthorizedError, s as sanitizeServerLabel } from '../utils-DELRKQPU.mjs';
3
3
  import { OAuthClientInformationMixed, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
4
4
  export { OAuthClientInformation, OAuthClientInformationFull, OAuthClientMetadata, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
@@ -1,4 +1,4 @@
1
- export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-BYtguGJm.js';
1
+ export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-C_kPHpD5.js';
2
2
  export { U as UnauthorizedError, s as sanitizeServerLabel } from '../utils-DELRKQPU.js';
3
3
  import { OAuthClientInformationMixed, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
4
4
  export { OAuthClientInformation, OAuthClientInformationFull, OAuthClientMetadata, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
@@ -920,7 +920,7 @@ var SupabaseStorageBackend = class {
920
920
  if ("active" in data) updateData.active = data.active;
921
921
  if ("headers" in data) updateData.headers = encryptObject(data.headers);
922
922
  if ("clientInformation" in data) updateData.client_information = data.clientInformation;
923
- if ("tokens" in data) updateData.tokens = encryptObject(data.tokens);
923
+ if ("tokens" in data) updateData.tokens = data.tokens === void 0 ? null : encryptObject(data.tokens);
924
924
  if ("codeVerifier" in data) updateData.code_verifier = data.codeVerifier;
925
925
  if ("clientId" in data) updateData.client_id = data.clientId;
926
926
  const { data: updatedRows, error } = await this.supabase.from("mcp_sessions").update(updateData).eq("user_id", userId).eq("session_id", sessionId).select("id");
@@ -1123,7 +1123,7 @@ var NeonStorageBackend = class {
1123
1123
  updatedSession.active ?? false,
1124
1124
  encryptObject(updatedSession.headers),
1125
1125
  updatedSession.clientInformation,
1126
- encryptObject(updatedSession.tokens),
1126
+ updatedSession.tokens === void 0 ? null : encryptObject(updatedSession.tokens),
1127
1127
  updatedSession.codeVerifier,
1128
1128
  updatedSession.clientId,
1129
1129
  expiresAt,
@@ -1709,14 +1709,7 @@ var RpcErrorCodes = {
1709
1709
  EXECUTION_ERROR: "EXECUTION_ERROR"};
1710
1710
 
1711
1711
  // src/server/mcp/oauth-client.ts
1712
- function isInvalidRefreshTokenError(error) {
1713
- if (!(error instanceof Error)) {
1714
- return false;
1715
- }
1716
- const text = `${error.name} ${error.message}`.toLowerCase();
1717
- return text.includes("invalidgrant") || text.includes("invalid_grant") || text.includes("invalid refresh token") || /refresh\s+token\s+(?:is\s+)?(?:invalid|expired|revoked)/i.test(text);
1718
- }
1719
- var MCPClient = class _MCPClient {
1712
+ var MCPClient = class {
1720
1713
  /**
1721
1714
  * Creates a new MCP client instance
1722
1715
  * Can be initialized with minimal options (userId + sessionId) for session restoration
@@ -2050,8 +2043,6 @@ var MCPClient = class _MCPClient {
2050
2043
  throw new Error(error);
2051
2044
  }
2052
2045
  try {
2053
- this.emitProgress("Validating OAuth tokens...");
2054
- await this.getValidTokens();
2055
2046
  this.emitStateChange("CONNECTING");
2056
2047
  const { transportType } = await this.tryConnect();
2057
2048
  this.transportType = transportType;
@@ -2376,67 +2367,6 @@ var MCPClient = class _MCPClient {
2376
2367
  };
2377
2368
  return await this.client.request(request, types_js.ReadResourceResultSchema);
2378
2369
  }
2379
- /**
2380
- * Refreshes the OAuth access token using the refresh token
2381
- * Discovers OAuth metadata from server and exchanges refresh token for new access token
2382
- * @returns True if refresh was successful, false otherwise
2383
- */
2384
- async refreshToken() {
2385
- await this.initialize();
2386
- if (!this.oauthProvider) {
2387
- return false;
2388
- }
2389
- const tokens = await this.oauthProvider.tokens();
2390
- if (!tokens || !tokens.refresh_token) {
2391
- return false;
2392
- }
2393
- const clientInformation = await this.oauthProvider.clientInformation();
2394
- if (!clientInformation) {
2395
- return false;
2396
- }
2397
- try {
2398
- const resourceMetadata = await auth_js.discoverOAuthProtectedResourceMetadata(this.serverUrl);
2399
- const authServerUrl = resourceMetadata?.authorization_servers?.[0] || this.serverUrl;
2400
- const authMetadata = await auth_js.discoverAuthorizationServerMetadata(authServerUrl);
2401
- const newTokens = await auth_js.refreshAuthorization(authServerUrl, {
2402
- metadata: authMetadata,
2403
- clientInformation,
2404
- refreshToken: tokens.refresh_token
2405
- });
2406
- await this.oauthProvider.saveTokens(newTokens);
2407
- return true;
2408
- } catch (error) {
2409
- console.error("[OAuth] Token refresh failed:", error);
2410
- if (isInvalidRefreshTokenError(error)) {
2411
- try {
2412
- await this.oauthProvider.invalidateCredentials?.("tokens");
2413
- this.emitProgress("OAuth refresh token is invalid; requesting reauthorization...");
2414
- } catch (invalidateError) {
2415
- console.warn("[OAuth] Failed to invalidate stale refresh token credentials:", invalidateError);
2416
- }
2417
- }
2418
- return false;
2419
- }
2420
- }
2421
- /**
2422
- * Ensures OAuth tokens are valid, refreshing them if expired
2423
- * Called automatically by connect() - rarely needs to be called manually
2424
- * @returns True if valid tokens are available, false otherwise
2425
- */
2426
- async getValidTokens() {
2427
- await this.initialize();
2428
- if (!this.oauthProvider) {
2429
- return false;
2430
- }
2431
- const tokens = await this.oauthProvider.tokens();
2432
- if (!tokens) {
2433
- return false;
2434
- }
2435
- if (this.oauthProvider.isTokenExpired()) {
2436
- return await this.refreshToken();
2437
- }
2438
- return true;
2439
- }
2440
2370
  /**
2441
2371
  * Reconnects to MCP server using existing OAuth provider from Redis
2442
2372
  * Used for session restoration in serverless environments
@@ -2568,10 +2498,14 @@ var MCPClient = class _MCPClient {
2568
2498
  }
2569
2499
  /**
2570
2500
  * Gets MCP server configuration for all active user sessions
2571
- * Loads sessions from Redis, validates OAuth tokens, refreshes if expired
2572
- * Returns ready-to-use configuration with valid auth headers
2501
+ * Loads sessions from storage and returns server connection metadata.
2502
+ * OAuth refresh is handled by SDK transports through their authProvider.
2503
+ * @deprecated This returns legacy connection metadata only and does not
2504
+ * include OAuth tokens or generated Authorization headers. Prefer
2505
+ * MultiSessionClient or explicit MCPClient instances so SDK transports can
2506
+ * own OAuth refresh and reauthorization.
2573
2507
  * @param userId - User ID to fetch sessions for
2574
- * @returns Object keyed by sanitized server labels containing transport, url, headers, etc.
2508
+ * @returns Object keyed by sanitized server labels containing transport and url.
2575
2509
  * @static
2576
2510
  */
2577
2511
  static async getMcpServerConfig(userId) {
@@ -2585,29 +2519,6 @@ var MCPClient = class _MCPClient {
2585
2519
  await sessions.delete(userId, sessionId);
2586
2520
  return;
2587
2521
  }
2588
- let headers;
2589
- try {
2590
- const client = new _MCPClient({
2591
- userId,
2592
- sessionId,
2593
- serverId: sessionData.serverId,
2594
- serverUrl: sessionData.serverUrl,
2595
- callbackUrl: sessionData.callbackUrl,
2596
- serverName: sessionData.serverName,
2597
- transportType: sessionData.transportType,
2598
- headers: sessionData.headers
2599
- });
2600
- await client.initialize();
2601
- const hasValidTokens = await client.getValidTokens();
2602
- if (hasValidTokens && client.oauthProvider) {
2603
- const tokens = await client.oauthProvider.tokens();
2604
- if (tokens?.access_token) {
2605
- headers = { Authorization: `Bearer ${tokens.access_token}` };
2606
- }
2607
- }
2608
- } catch (error) {
2609
- console.warn(`[MCP] Failed to get OAuth tokens for ${sessionId}:`, error);
2610
- }
2611
2522
  const label = sanitizeServerLabel(
2612
2523
  sessionData.serverName || sessionData.serverId || "server"
2613
2524
  );
@@ -2617,8 +2528,7 @@ var MCPClient = class _MCPClient {
2617
2528
  ...sessionData.serverName && {
2618
2529
  serverName: sessionData.serverName,
2619
2530
  serverLabel: label
2620
- },
2621
- ...headers && { headers }
2531
+ }
2622
2532
  };
2623
2533
  } catch (error) {
2624
2534
  await sessions.delete(userId, sessionId);