@mcp-z/client 1.0.4 → 1.0.5

package/dist/cjs/auth/capability-discovery.js

@@ -11,6 +11,7 @@ Object.defineProperty(exports, "probeAuthCapabilities", {
         return probeAuthCapabilities;
     }
 });
+var _urlutilsts = require("../lib/url-utils.js");
 var _rfc9728discoveryts = require("./rfc9728-discovery.js");
 function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
     try {
@@ -222,7 +223,7 @@ function resolveCapabilitiesFromAuthorizationServer(authServerUrl, scopes) {
 }
 function probeAuthCapabilities(baseUrl) {
     return _async_to_generator(function() {
-        var resourceMetadata, authServerUrl, capabilities, issuer, issuerCapabilities, issuer1, issuerCapabilities1, origin, originCapabilities, _error;
+        var normalizedBaseUrl, resourceMetadata, authServerUrl, capabilities, issuer, issuerCapabilities, issuer1, issuerCapabilities1, origin, originCapabilities, _error;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -232,9 +233,10 @@ function probeAuthCapabilities(baseUrl) {
                         ,
                         11
                     ]);
+                    normalizedBaseUrl = (0, _urlutilsts.normalizeUrl)(baseUrl);
                     return [
                         4,
-                        (0, _rfc9728discoveryts.discoverProtectedResourceMetadata)(baseUrl)
+                        (0, _rfc9728discoveryts.discoverProtectedResourceMetadata)(normalizedBaseUrl)
                     ];
                 case 1:
                     resourceMetadata = _state.sent();
@@ -290,7 +292,7 @@ function probeAuthCapabilities(baseUrl) {
                 case 5:
                     return [
                         4,
-                        (0, _rfc9728discoveryts.discoverAuthorizationServerIssuer)(baseUrl)
+                        (0, _rfc9728discoveryts.discoverAuthorizationServerIssuer)(normalizedBaseUrl)
                     ];
                 case 6:
                     issuer1 = _state.sent();
@@ -312,7 +314,7 @@ function probeAuthCapabilities(baseUrl) {
                 case 8:
                     // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin
                     // This handles same-domain OAuth (traditional setup)
-                    origin = getOrigin(baseUrl);
+                    origin = getOrigin(normalizedBaseUrl);
                     return [
                         4,
                         resolveCapabilitiesFromAuthorizationServer(origin)

package/dist/cjs/auth/capability-discovery.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/capability-discovery.ts"],"sourcesContent":["/**\n * OAuth Server Capability Discovery\n * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata\n */\n\nimport { discoverAuthorizationServerIssuer, discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.ts';\nimport type { AuthCapabilities, AuthorizationServerMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain\n * Returns capabilities including DCR support detection\n *\n * Discovery Strategy:\n * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)\n * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata\n * 3. Fall back to direct RFC 8414 discovery at resource origin\n *\n * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns AuthCapabilities object with discovered endpoints and features\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');\n * if (caps.supportsDcr) {\n *   console.log('Registration endpoint:', caps.registrationEndpoint);\n * }\n */\nfunction buildCapabilities(metadata: AuthorizationServerMetadata, scopes?: string[]): AuthCapabilities {\n  const supportsDcr = !!metadata.registration_endpoint;\n  const capabilities: AuthCapabilities = { supportsDcr };\n\n  if (metadata.registration_endpoint) {\n    capabilities.registrationEndpoint = metadata.registration_endpoint;\n  }\n  if (metadata.authorization_endpoint) {\n    capabilities.authorizationEndpoint = metadata.authorization_endpoint;\n  }\n  if (metadata.token_endpoint) capabilities.tokenEndpoint = metadata.token_endpoint;\n  if (metadata.introspection_endpoint) {\n    capabilities.introspectionEndpoint = metadata.introspection_endpoint;\n  }\n\n  if (scopes && scopes.length > 0) {\n    capabilities.scopes = scopes;\n  } else if (metadata.scopes_supported) {\n    capabilities.scopes = metadata.scopes_supported;\n  }\n\n  return capabilities;\n}\n\nasync function resolveCapabilitiesFromAuthorizationServer(authServerUrl: string, scopes?: string[]): Promise<AuthCapabilities | null> {\n  const metadata = await discoverAuthorizationServerMetadata(authServerUrl);\n  if (!metadata) return null;\n  return buildCapabilities(metadata, scopes);\n}\n\nexport async function probeAuthCapabilities(baseUrl: string): Promise<AuthCapabilities> {\n  try {\n    // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery\n    // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)\n    const resourceMetadata = await discoverProtectedResourceMetadata(baseUrl);\n\n    if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {\n      // Found protected resource metadata with authorization servers\n      // Discover the authorization server's metadata (RFC 8414)\n      const authServerUrl = resourceMetadata.authorization_servers[0];\n      if (!authServerUrl) {\n        // Array has length > 0 but first element is undefined/null - skip this path\n        return { supportsDcr: false };\n      }\n      const capabilities = await resolveCapabilitiesFromAuthorizationServer(authServerUrl, resourceMetadata.scopes_supported);\n      if (capabilities) {\n        return capabilities;\n      }\n\n      const issuer = await discoverAuthorizationServerIssuer(baseUrl);\n      if (issuer) {\n        const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer, resourceMetadata.scopes_supported);\n        if (issuerCapabilities) return issuerCapabilities;\n      }\n    }\n\n    const issuer = await discoverAuthorizationServerIssuer(baseUrl);\n    if (issuer) {\n      const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer);\n      if (issuerCapabilities) return issuerCapabilities;\n    }\n\n    // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin\n    // This handles same-domain OAuth (traditional setup)\n    const origin = getOrigin(baseUrl);\n    const originCapabilities = await resolveCapabilitiesFromAuthorizationServer(origin);\n    if (originCapabilities) return originCapabilities;\n\n    // No OAuth metadata found\n    return { supportsDcr: false };\n  } catch (_error) {\n    // Network error, invalid JSON, or other fetch failure\n    // Gracefully degrade - assume no DCR support\n    return { supportsDcr: false };\n  }\n}\n"],"names":["probeAuthCapabilities","getOrigin","url","URL","origin","buildCapabilities","metadata","scopes","supportsDcr","registration_endpoint","capabilities","registrationEndpoint","authorization_endpoint","authorizationEndpoint","token_endpoint","tokenEndpoint","introspection_endpoint","introspectionEndpoint","length","scopes_supported","resolveCapabilitiesFromAuthorizationServer","authServerUrl","discoverAuthorizationServerMetadata","baseUrl","resourceMetadata","issuer","issuerCapabilities","originCapabilities","_error","discoverProtectedResourceMetadata","authorization_servers","discoverAuthorizationServerIssuer"],"mappings":"AAAA;;;CAGC;;;;+BAwEqBA;;;eAAAA;;;kCAtEoG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAG1H;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,eAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;;;;;;;;;;;;;;;CAkBC,GACD,SAASG,kBAAkBC,QAAqC,EAAEC,MAAiB;IACjF,IAAMC,cAAc,CAAC,CAACF,SAASG,qBAAqB;IACpD,IAAMC,eAAiC;QAAEF,aAAAA;IAAY;IAErD,IAAIF,SAASG,qBAAqB,EAAE;QAClCC,aAAaC,oBAAoB,GAAGL,SAASG,qBAAqB;IACpE;IACA,IAAIH,SAASM,sBAAsB,EAAE;QACnCF,aAAaG,qBAAqB,GAAGP,SAASM,sBAAsB;IACtE;IACA,IAAIN,SAASQ,cAAc,EAAEJ,aAAaK,aAAa,GAAGT,SAASQ,cAAc;IACjF,IAAIR,SAASU,sBAAsB,EAAE;QACnCN,aAAaO,qBAAqB,GAAGX,SAASU,sBAAsB;IACtE;IAEA,IAAIT,UAAUA,OAAOW,MAAM,GAAG,GAAG;QAC/BR,aAAaH,MAAM,GAAGA;IACxB,OAAO,IAAID,SAASa,gBAAgB,EAAE;QACpCT,aAAaH,MAAM,GAAGD,SAASa,gBAAgB;IACjD;IAEA,OAAOT;AACT;AAEA,SAAeU,2CAA2CC,aAAqB,EAAEd,MAAiB;;YAC1FD;;;;oBAAW;;wBAAMgB,IAAAA,uDAAmC,EAACD;;;oBAArDf,WAAW;oBACjB,IAAI,CAACA,UAAU;;wBAAO;;oBACtB;;wBAAOD,kBAAkBC,UAAUC;;;;IACrC;;AAEO,SAAeP,sBAAsBuB,OAAe;;YAIjDC,kBAKEH,eAKAX,cAKAe,QAEEC,oBAKJD,SAEEC,qBAMFtB,QACAuB,oBAKCC;;;;;;;;;;oBApCkB;;wBAAMC,IAAAA,qDAAiC,EAACN;;;oBAA3DC,mBAAmB;yBAErBA,CAAAA,oBAAoBA,iBAAiBM,qBAAqB,CAACZ,MAAM,GAAG,CAAA,GAApEM;;;;oBACF,+DAA+D;oBAC/D,0DAA0D;oBACpDH,gBAAgBG,iBAAiBM,qBAAqB,CAAC,EAAE;oBAC/D,IAAI,CAACT,eAAe;wBAClB,4EAA4E;wBAC5E;;4BAAO;gCAAEb,aAAa;4BAAM;;oBAC9B;oBACqB;;wBAAMY,2CAA2CC,eAAeG,iBAAiBL,gBAAgB;;;oBAAhHT,eAAe;oBACrB,IAAIA,cAAc;wBAChB;;4BAAOA;;oBACT;oBAEe;;wBAAMqB,IAAAA,qDAAiC,EAACR;;;oBAAjDE,SAAS;yBACXA,QAAAA;;;;oBACyB;;wBAAML,2CAA2CK,QAAQD,iBAAiBL,gBAAgB;;;oBAA/GO,qBAAqB;oBAC3B,IAAIA,oBAAoB;;wBAAOA;;;;oBAIpB;;wBAAMK,IAAAA,qDAAiC,EAACR;;;oBAAjDE,UAAS;yBACXA,SAAAA;;;;oBACyB;;wBAAML,2CAA2CK;;;oBAAtEC,sBAAqB;oBAC3B,IAAIA,qBAAoB;;wBAAOA;;;;oBAGjC,wEAAwE;oBACxE,qDAAqD;oBAC/CtB,SAASH,UAAUsB;oBACE;;wBAAMH,2CAA2ChB;;;oBAAtEuB,qBAAqB;oBAC3B,IAAIA,oBAAoB;;wBAAOA;;oBAE/B,0BAA0B;oBAC1B;;wBAAO;4BAAEnB,aAAa;wBAAM;;;oBACrBoB;oBACP,sDAAsD;oBACtD,6CAA6C;oBAC7C;;wBAAO;4BAAEpB,aAAa;wBAAM;;;;;;;;IAEhC"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/capability-discovery.ts"],"sourcesContent":["/**\n * OAuth Server Capability Discovery\n * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata\n */\n\nimport { normalizeUrl } from '../lib/url-utils.ts';\nimport { discoverAuthorizationServerIssuer, discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.ts';\nimport type { AuthCapabilities, AuthorizationServerMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain\n * Returns capabilities including DCR support detection\n *\n * Discovery Strategy:\n * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)\n * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata\n * 3. Fall back to direct RFC 8414 discovery at resource origin\n *\n * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns AuthCapabilities object with discovered endpoints and features\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');\n * if (caps.supportsDcr) {\n *   console.log('Registration endpoint:', caps.registrationEndpoint);\n * }\n */\nfunction buildCapabilities(metadata: AuthorizationServerMetadata, scopes?: string[]): AuthCapabilities {\n  const supportsDcr = !!metadata.registration_endpoint;\n  const capabilities: AuthCapabilities = { supportsDcr };\n\n  if (metadata.registration_endpoint) {\n    capabilities.registrationEndpoint = metadata.registration_endpoint;\n  }\n  if (metadata.authorization_endpoint) {\n    capabilities.authorizationEndpoint = metadata.authorization_endpoint;\n  }\n  if (metadata.token_endpoint) capabilities.tokenEndpoint = metadata.token_endpoint;\n  if (metadata.introspection_endpoint) {\n    capabilities.introspectionEndpoint = metadata.introspection_endpoint;\n  }\n\n  if (scopes && scopes.length > 0) {\n    capabilities.scopes = scopes;\n  } else if (metadata.scopes_supported) {\n    capabilities.scopes = metadata.scopes_supported;\n  }\n\n  return capabilities;\n}\n\nasync function resolveCapabilitiesFromAuthorizationServer(authServerUrl: string, scopes?: string[]): Promise<AuthCapabilities | null> {\n  const metadata = await discoverAuthorizationServerMetadata(authServerUrl);\n  if (!metadata) return null;\n  return buildCapabilities(metadata, scopes);\n}\n\nexport async function probeAuthCapabilities(baseUrl: string): Promise<AuthCapabilities> {\n  try {\n    const normalizedBaseUrl = normalizeUrl(baseUrl);\n    // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery\n    // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)\n    const resourceMetadata = await discoverProtectedResourceMetadata(normalizedBaseUrl);\n\n    if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {\n      // Found protected resource metadata with authorization servers\n      // Discover the authorization server's metadata (RFC 8414)\n      const authServerUrl = resourceMetadata.authorization_servers[0];\n      if (!authServerUrl) {\n        // Array has length > 0 but first element is undefined/null - skip this path\n        return { supportsDcr: false };\n      }\n      const capabilities = await resolveCapabilitiesFromAuthorizationServer(authServerUrl, resourceMetadata.scopes_supported);\n      if (capabilities) {\n        return capabilities;\n      }\n\n      const issuer = await discoverAuthorizationServerIssuer(baseUrl);\n      if (issuer) {\n        const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer, resourceMetadata.scopes_supported);\n        if (issuerCapabilities) return issuerCapabilities;\n      }\n    }\n\n    const issuer = await discoverAuthorizationServerIssuer(normalizedBaseUrl);\n    if (issuer) {\n      const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer);\n      if (issuerCapabilities) return issuerCapabilities;\n    }\n\n    // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin\n    // This handles same-domain OAuth (traditional setup)\n    const origin = getOrigin(normalizedBaseUrl);\n    const originCapabilities = await resolveCapabilitiesFromAuthorizationServer(origin);\n    if (originCapabilities) return originCapabilities;\n\n    // No OAuth metadata found\n    return { supportsDcr: false };\n  } catch (_error) {\n    // Network error, invalid JSON, or other fetch failure\n    // Gracefully degrade - assume no DCR support\n    return { supportsDcr: false };\n  }\n}\n"],"names":["probeAuthCapabilities","getOrigin","url","URL","origin","buildCapabilities","metadata","scopes","supportsDcr","registration_endpoint","capabilities","registrationEndpoint","authorization_endpoint","authorizationEndpoint","token_endpoint","tokenEndpoint","introspection_endpoint","introspectionEndpoint","length","scopes_supported","resolveCapabilitiesFromAuthorizationServer","authServerUrl","discoverAuthorizationServerMetadata","baseUrl","normalizedBaseUrl","resourceMetadata","issuer","issuerCapabilities","originCapabilities","_error","normalizeUrl","discoverProtectedResourceMetadata","authorization_servers","discoverAuthorizationServerIssuer"],"mappings":"AAAA;;;CAGC;;;;+BAyEqBA;;;eAAAA;;;0BAvEO;kCAC6F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAG1H;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,eAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;;;;;;;;;;;;;;;CAkBC,GACD,SAASG,kBAAkBC,QAAqC,EAAEC,MAAiB;IACjF,IAAMC,cAAc,CAAC,CAACF,SAASG,qBAAqB;IACpD,IAAMC,eAAiC;QAAEF,aAAAA;IAAY;IAErD,IAAIF,SAASG,qBAAqB,EAAE;QAClCC,aAAaC,oBAAoB,GAAGL,SAASG,qBAAqB;IACpE;IACA,IAAIH,SAASM,sBAAsB,EAAE;QACnCF,aAAaG,qBAAqB,GAAGP,SAASM,sBAAsB;IACtE;IACA,IAAIN,SAASQ,cAAc,EAAEJ,aAAaK,aAAa,GAAGT,SAASQ,cAAc;IACjF,IAAIR,SAASU,sBAAsB,EAAE;QACnCN,aAAaO,qBAAqB,GAAGX,SAASU,sBAAsB;IACtE;IAEA,IAAIT,UAAUA,OAAOW,MAAM,GAAG,GAAG;QAC/BR,aAAaH,MAAM,GAAGA;IACxB,OAAO,IAAID,SAASa,gBAAgB,EAAE;QACpCT,aAAaH,MAAM,GAAGD,SAASa,gBAAgB;IACjD;IAEA,OAAOT;AACT;AAEA,SAAeU,2CAA2CC,aAAqB,EAAEd,MAAiB;;YAC1FD;;;;oBAAW;;wBAAMgB,IAAAA,uDAAmC,EAACD;;;oBAArDf,WAAW;oBACjB,IAAI,CAACA,UAAU;;wBAAO;;oBACtB;;wBAAOD,kBAAkBC,UAAUC;;;;IACrC;;AAEO,SAAeP,sBAAsBuB,OAAe;;YAEjDC,mBAGAC,kBAKEJ,eAKAX,cAKAgB,QAEEC,oBAKJD,SAEEC,qBAMFvB,QACAwB,oBAKCC;;;;;;;;;;oBAvCDL,oBAAoBM,IAAAA,wBAAY,EAACP;oBAGd;;wBAAMQ,IAAAA,qDAAiC,EAACP;;;oBAA3DC,mBAAmB;yBAErBA,CAAAA,oBAAoBA,iBAAiBO,qBAAqB,CAACd,MAAM,GAAG,CAAA,GAApEO;;;;oBACF,+DAA+D;oBAC/D,0DAA0D;oBACpDJ,gBAAgBI,iBAAiBO,qBAAqB,CAAC,EAAE;oBAC/D,IAAI,CAACX,eAAe;wBAClB,4EAA4E;wBAC5E;;4BAAO;gCAAEb,aAAa;4BAAM;;oBAC9B;oBACqB;;wBAAMY,2CAA2CC,eAAeI,iBAAiBN,gBAAgB;;;oBAAhHT,eAAe;oBACrB,IAAIA,cAAc;wBAChB;;4BAAOA;;oBACT;oBAEe;;wBAAMuB,IAAAA,qDAAiC,EAACV;;;oBAAjDG,SAAS;yBACXA,QAAAA;;;;oBACyB;;wBAAMN,2CAA2CM,QAAQD,iBAAiBN,gBAAgB;;;oBAA/GQ,qBAAqB;oBAC3B,IAAIA,oBAAoB;;wBAAOA;;;;oBAIpB;;wBAAMM,IAAAA,qDAAiC,EAACT;;;oBAAjDE,UAAS;yBACXA,SAAAA;;;;oBACyB;;wBAAMN,2CAA2CM;;;oBAAtEC,sBAAqB;oBAC3B,IAAIA,qBAAoB;;wBAAOA;;;;oBAGjC,wEAAwE;oBACxE,qDAAqD;oBAC/CvB,SAASH,UAAUuB;oBACE;;wBAAMJ,2CAA2ChB;;;oBAAtEwB,qBAAqB;oBAC3B,IAAIA,oBAAoB;;wBAAOA;;oBAE/B,0BAA0B;oBAC1B;;wBAAO;4BAAEpB,aAAa;wBAAM;;;oBACrBqB;oBACP,sDAAsD;oBACtD,6CAA6C;oBAC7C;;wBAAO;4BAAErB,aAAa;wBAAM;;;;;;;;IAEhC"}

package/dist/cjs/auth/rfc9728-discovery.d.cts

@@ -3,6 +3,9 @@
  * Probes .well-known/oauth-protected-resource endpoint
  */
 import type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.js';
+/**
+ * Normalize a resource URL by stripping query/hash and trailing slashes.
+ */
 /**
  * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)
  * Probes .well-known/oauth-protected-resource endpoint

package/dist/cjs/auth/rfc9728-discovery.d.ts

@@ -3,6 +3,9 @@
  * Probes .well-known/oauth-protected-resource endpoint
  */
 import type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.js';
+/**
+ * Normalize a resource URL by stripping query/hash and trailing slashes.
+ */
 /**
  * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)
  * Probes .well-known/oauth-protected-resource endpoint

package/dist/cjs/auth/rfc9728-discovery.js

@@ -22,6 +22,7 @@ _export(exports, {
         return discoverProtectedResourceMetadata;
     }
 });
+var _urlutilsts = require("../lib/url-utils.js");
 function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
     try {
         var info = gen[key](arg);
@@ -181,19 +182,20 @@ function _ts_generator(thisArg, body) {
 }
 function discoverProtectedResourceMetadata(resourceUrl) {
     return _async_to_generator(function() {
-        var headerMetadata, origin, path, rootUrl, response, metadata, rootMetadata, subPathUrl, subPathResponse, unused, unused1, subPathUrl1, response1, unused2, _error;
+        var normalizedResourceUrl, headerMetadata, localWellKnownUrl, response, unused, origin, path, rootUrl, response1, metadata, rootMetadata, subPathUrl, subPathResponse, unused1, unused2, subPathUrl1, response2, unused3, _error;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
                     _state.trys.push([
                         0,
-                        20,
+                        26,
                         ,
-                        21
+                        27
                     ]);
+                    normalizedResourceUrl = (0, _urlutilsts.normalizeUrl)(resourceUrl);
                     return [
                         4,
-                        discoverProtectedResourceMetadataFromHeader(resourceUrl)
+                        discoverProtectedResourceMetadataFromHeader(normalizedResourceUrl)
                     ];
                 case 1:
                     headerMetadata = _state.sent();
@@ -201,21 +203,19 @@ function discoverProtectedResourceMetadata(resourceUrl) {
                         2,
                         headerMetadata
                     ];
-                    origin = getOrigin(resourceUrl);
-                    path = getPath(resourceUrl);
-                    // Strategy 1: Try root location (REQUIRED by RFC 9728)
-                    rootUrl = "".concat(origin, "/.well-known/oauth-protected-resource");
+                    // Strategy 0: Try path-local well-known (supports path-prefixed deployments like /outlook)
+                    localWellKnownUrl = (0, _urlutilsts.joinWellKnown)(normalizedResourceUrl, '/.well-known/oauth-protected-resource');
                     _state.label = 2;
                 case 2:
                     _state.trys.push([
                         2,
-                        12,
+                        6,
                         ,
-                        13
+                        7
                     ]);
                     return [
                         4,
-                        fetch(rootUrl, {
+                        fetch(localWellKnownUrl, {
                             method: 'GET',
                             headers: {
                                 Accept: 'application/json',
@@ -227,16 +227,65 @@ function discoverProtectedResourceMetadata(resourceUrl) {
                     response = _state.sent();
                     if (!response.ok) return [
                         3,
-                        11
+                        5
                     ];
                     return [
                         4,
                         response.json()
                     ];
                 case 4:
+                    return [
+                        2,
+                        _state.sent()
+                    ];
+                case 5:
+                    return [
+                        3,
+                        7
+                    ];
+                case 6:
+                    unused = _state.sent();
+                    return [
+                        3,
+                        7
+                    ];
+                case 7:
+                    origin = getOrigin(normalizedResourceUrl);
+                    path = getPath(normalizedResourceUrl);
+                    // Strategy 1: Try root location (REQUIRED by RFC 9728)
+                    rootUrl = "".concat(origin, "/.well-known/oauth-protected-resource");
+                    _state.label = 8;
+                case 8:
+                    _state.trys.push([
+                        8,
+                        18,
+                        ,
+                        19
+                    ]);
+                    return [
+                        4,
+                        fetch(rootUrl, {
+                            method: 'GET',
+                            headers: {
+                                Accept: 'application/json',
+                                Connection: 'close'
+                            }
+                        })
+                    ];
+                case 9:
+                    response1 = _state.sent();
+                    if (!response1.ok) return [
+                        3,
+                        17
+                    ];
+                    return [
+                        4,
+                        response1.json()
+                    ];
+                case 10:
                     metadata = _state.sent();
                     // Check if the discovered resource matches what we're looking for
-                    if (metadata.resource === resourceUrl) {
+                    if (metadata.resource === normalizedResourceUrl) {
                         return [
                             2,
                             metadata
@@ -250,22 +299,22 @@ function discoverProtectedResourceMetadata(resourceUrl) {
                             metadata
                         ];
                     }
-                    if (!resourceUrl.startsWith(metadata.resource)) return [
+                    if (!normalizedResourceUrl.startsWith(metadata.resource)) return [
                         3,
-                        11
+                        17
                     ];
                     // Still try sub-path location to see if there's more specific metadata
                     // But save root metadata as fallback
                     rootMetadata = metadata;
                     // Try sub-path location for more specific metadata
                     subPathUrl = "".concat(origin, "/.well-known/oauth-protected-resource").concat(path);
-                    _state.label = 5;
-                case 5:
+                    _state.label = 11;
+                case 11:
                     _state.trys.push([
-                        5,
-                        9,
+                        11,
+                        15,
                         ,
-                        10
+                        16
                     ]);
                     return [
                         4,
@@ -277,62 +326,62 @@ function discoverProtectedResourceMetadata(resourceUrl) {
                             }
                         })
                     ];
-                case 6:
+                case 12:
                     subPathResponse = _state.sent();
                     if (!subPathResponse.ok) return [
                         3,
-                        8
+                        14
                     ];
                     return [
                         4,
                         subPathResponse.json()
                     ];
-                case 7:
+                case 13:
                     return [
                         2,
                         _state.sent()
                     ];
-                case 8:
+                case 14:
                     return [
                         3,
-                        10
+                        16
                     ];
-                case 9:
-                    unused = _state.sent();
+                case 15:
+                    unused1 = _state.sent();
                     return [
                         3,
-                        10
+                        16
                     ];
-                case 10:
+                case 16:
                     // Return root metadata as it applies to this resource
                     return [
                         2,
                         rootMetadata
                     ];
-                case 11:
+                case 17:
                     return [
                         3,
-                        13
+                        19
                     ];
-                case 12:
-                    unused1 = _state.sent();
+                case 18:
+                    unused2 = _state.sent();
                     return [
                         3,
-                        13
+                        19
                     ];
-                case 13:
+                case 19:
                     if (!path) return [
                         3,
-                        19
+                        25
                     ];
                     subPathUrl1 = "".concat(origin, "/.well-known/oauth-protected-resource").concat(path);
-                    _state.label = 14;
-                case 14:
+                    _state.label = 20;
+                case 20:
                     _state.trys.push([
-                        14,
-                        18,
+                        20,
+                        24,
                         ,
-                        19
+                        25
                     ]);
                     return [
                         4,
@@ -344,46 +393,46 @@ function discoverProtectedResourceMetadata(resourceUrl) {
                             }
                         })
                     ];
-                case 15:
-                    response1 = _state.sent();
-                    if (!response1.ok) return [
+                case 21:
+                    response2 = _state.sent();
+                    if (!response2.ok) return [
                         3,
-                        17
+                        23
                     ];
                     return [
                         4,
-                        response1.json()
+                        response2.json()
                     ];
-                case 16:
+                case 22:
                     return [
                         2,
                         _state.sent()
                     ];
-                case 17:
+                case 23:
                     return [
                         3,
-                        19
+                        25
                     ];
-                case 18:
-                    unused2 = _state.sent();
+                case 24:
+                    unused3 = _state.sent();
                     return [
                         3,
-                        19
+                        25
                     ];
-                case 19:
+                case 25:
                     // Neither location found or resource didn't match
                     return [
                         2,
                         null
                     ];
-                case 20:
+                case 26:
                     _error = _state.sent();
                     // Network error, invalid URL, or other failure
                     return [
                         2,
                         null
                     ];
-                case 21:
+                case 27:
                     return [
                         2
                     ];
@@ -490,17 +539,45 @@ function discoverProtectedResourceMetadataFromHeader(resourceUrl) {
 }
 function discoverAuthorizationServerMetadata(authServerUrl) {
     return _async_to_generator(function() {
-        var origin, wellKnownUrl, response, _error;
+        var normalizedAuthServerUrl, localWellKnownUrl, localResponse, origin, wellKnownUrl, response, _error;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
                     _state.trys.push([
                         0,
-                        3,
+                        6,
                         ,
-                        4
+                        7
                     ]);
-                    origin = getOrigin(authServerUrl);
+                    normalizedAuthServerUrl = (0, _urlutilsts.normalizeUrl)(authServerUrl);
+                    localWellKnownUrl = (0, _urlutilsts.joinWellKnown)(normalizedAuthServerUrl, '/.well-known/oauth-authorization-server');
+                    return [
+                        4,
+                        fetch(localWellKnownUrl, {
+                            method: 'GET',
+                            headers: {
+                                Accept: 'application/json',
+                                Connection: 'close'
+                            }
+                        })
+                    ];
+                case 1:
+                    localResponse = _state.sent();
+                    if (!localResponse.ok) return [
+                        3,
+                        3
+                    ];
+                    return [
+                        4,
+                        localResponse.json()
+                    ];
+                case 2:
+                    return [
+                        2,
+                        _state.sent()
+                    ];
+                case 3:
+                    origin = getOrigin(normalizedAuthServerUrl);
                     wellKnownUrl = "".concat(origin, "/.well-known/oauth-authorization-server");
                     return [
                         4,
@@ -512,7 +589,7 @@ function discoverAuthorizationServerMetadata(authServerUrl) {
                             }
                         })
                     ];
-                case 1:
+                case 4:
                     response = _state.sent();
                     if (!response.ok) {
                         return [
@@ -524,18 +601,18 @@ function discoverAuthorizationServerMetadata(authServerUrl) {
                         4,
                         response.json()
                     ];
-                case 2:
+                case 5:
                     return [
                         2,
                         _state.sent()
                     ];
-                case 3:
+                case 6:
                     _error = _state.sent();
                     return [
                         2,
                         null
                     ];
-                case 4:
+                case 7:
                     return [
                         2
                     ];

package/dist/cjs/auth/rfc9728-discovery.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/rfc9728-discovery.ts"],"sourcesContent":["/**\n * RFC 9728 Protected Resource Metadata Discovery\n * Probes .well-known/oauth-protected-resource endpoint\n */\n\nimport type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Extract path from a URL (without origin)\n * @param url - Full URL\n * @returns Path component (e.g., \"/mcp\", \"/api/v1/mcp\") or empty string if no path\n */\nfunction getPath(url: string): string {\n  try {\n    const parsed = new URL(url);\n    // pathname includes leading slash, e.g., \"/mcp\"\n    return parsed.pathname === '/' ? '' : parsed.pathname;\n  } catch {\n    return '';\n  }\n}\n\n/**\n * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)\n * Probes .well-known/oauth-protected-resource endpoint\n *\n * Discovery Strategy:\n * 1. Try origin root: {origin}/.well-known/oauth-protected-resource\n * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}\n *\n * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns ProtectedResourceMetadata if discovered, null otherwise\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');\n * // Returns: { resource: \"https://ai.todoist.net/mcp\", authorization_servers: [\"https://todoist.com\"] }\n */\nexport async function discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const headerMetadata = await discoverProtectedResourceMetadataFromHeader(resourceUrl);\n    if (headerMetadata) return headerMetadata;\n\n    const origin = getOrigin(resourceUrl);\n    const path = getPath(resourceUrl);\n\n    // Strategy 1: Try root location (REQUIRED by RFC 9728)\n    const rootUrl = `${origin}/.well-known/oauth-protected-resource`;\n\n    try {\n      const response = await fetch(rootUrl, {\n        method: 'GET',\n        headers: { Accept: 'application/json', Connection: 'close' },\n      });\n\n      if (response.ok) {\n        const metadata = (await response.json()) as ProtectedResourceMetadata;\n        // Check if the discovered resource matches what we're looking for\n        if (metadata.resource === resourceUrl) {\n          return metadata;\n        }\n        // If there's no path component, return root metadata\n        // (e.g., looking for http://example.com and found it)\n        if (!path) {\n          return metadata;\n        }\n        // If requested URL starts with metadata.resource, the root metadata applies to sub-paths\n        // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)\n        if (resourceUrl.startsWith(metadata.resource)) {\n          // Still try sub-path location to see if there's more specific metadata\n          // But save root metadata as fallback\n          const rootMetadata = metadata;\n\n          // Try sub-path location for more specific metadata\n          const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n          try {\n            const subPathResponse = await fetch(subPathUrl, {\n              method: 'GET',\n              headers: { Accept: 'application/json', Connection: 'close' },\n            });\n            if (subPathResponse.ok) {\n              return (await subPathResponse.json()) as ProtectedResourceMetadata;\n            }\n          } catch {\n            // Sub-path failed, use root metadata\n          }\n\n          // Return root metadata as it applies to this resource\n          return rootMetadata;\n        }\n        // Otherwise, try sub-path location before giving up\n      }\n    } catch {\n      // Continue to sub-path location\n    }\n\n    // Strategy 2: Try sub-path location (MCP spec extension)\n    // Only try if there's a path component\n    if (path) {\n      const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n\n      try {\n        const response = await fetch(subPathUrl, {\n          method: 'GET',\n          headers: { Accept: 'application/json', Connection: 'close' },\n        });\n\n        if (response.ok) {\n          return (await response.json()) as ProtectedResourceMetadata;\n        }\n      } catch {\n        // Fall through to return null\n      }\n    }\n\n    // Neither location found or resource didn't match\n    return null;\n  } catch (_error) {\n    // Network error, invalid URL, or other failure\n    return null;\n  }\n}\n\nasync function discoverProtectedResourceMetadataFromHeader(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    let header = response.headers.get('www-authenticate');\n    if (!header) {\n      const postResponse = await fetch(resourceUrl, {\n        method: 'POST',\n        headers: { Accept: 'application/json', Connection: 'close', 'Content-Type': 'application/json' },\n        body: '{}',\n      });\n      header = postResponse.headers.get('www-authenticate');\n    }\n\n    if (!header) return null;\n\n    const match = header.match(/resource_metadata=\"([^\"]+)\"/i);\n    if (!match || !match[1]) return null;\n\n    const metadataUrl = match[1];\n    const metadataResponse = await fetch(metadataUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!metadataResponse.ok) {\n      return null;\n    }\n\n    return (await metadataResponse.json()) as ProtectedResourceMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)\n * Probes .well-known/oauth-authorization-server endpoint\n *\n * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)\n * @returns AuthorizationServerMetadata if discovered, null otherwise\n *\n * @example\n * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');\n * // Returns: { issuer: \"https://todoist.com\", authorization_endpoint: \"...\", ... }\n */\nexport async function discoverAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata | null> {\n  try {\n    const origin = getOrigin(authServerUrl);\n    const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;\n\n    const response = await fetch(wellKnownUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    return (await response.json()) as AuthorizationServerMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth Authorization Server Issuer from resource response (RFC 9207)\n *\n * @param resourceUrl - URL of the protected resource\n * @returns Issuer URL if present in WWW-Authenticate header, null otherwise\n */\nexport async function discoverAuthorizationServerIssuer(resourceUrl: string): Promise<string | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    const header = response.headers.get('www-authenticate');\n    if (!header) return null;\n\n    const match = header.match(/(?:authorization_server|issuer)=\"([^\"]+)\"/i);\n    if (!match) return null;\n\n    return match[1] ?? null;\n  } catch (_error) {\n    return null;\n  }\n}\n"],"names":["discoverAuthorizationServerIssuer","discoverAuthorizationServerMetadata","discoverProtectedResourceMetadata","getOrigin","url","URL","origin","getPath","parsed","pathname","resourceUrl","headerMetadata","path","rootUrl","response","metadata","rootMetadata","subPathUrl","subPathResponse","_error","discoverProtectedResourceMetadataFromHeader","fetch","method","headers","Accept","Connection","ok","json","resource","startsWith","header","postResponse","match","metadataUrl","metadataResponse","get","body","authServerUrl","wellKnownUrl"],"mappings":"AAAA;;;CAGC;;;;;;;;;;;QAqNqBA;eAAAA;;QA1BAC;eAAAA;;QAtIAC;eAAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAjDtB;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,eAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;CAIC,GACD,SAASG,QAAQH,GAAW;IAC1B,IAAI;QACF,IAAMI,SAAS,IAAIH,IAAID;QACvB,gDAAgD;QAChD,OAAOI,OAAOC,QAAQ,KAAK,MAAM,KAAKD,OAAOC,QAAQ;IACvD,EAAE,eAAM;QACN,OAAO;IACT;AACF;AAkBO,SAAeP,kCAAkCQ,WAAmB;;YAEjEC,gBAGAL,QACAM,MAGAC,SAGEC,UAMEC,UAeEC,cAGAC,YAEEC,kCAuBND,aAGEH,oBAeHK;;;;;;;;;;oBA7EgB;;wBAAMC,4CAA4CV;;;oBAAnEC,iBAAiB;oBACvB,IAAIA,gBAAgB;;wBAAOA;;oBAErBL,SAASH,UAAUO;oBACnBE,OAAOL,QAAQG;oBAErB,uDAAuD;oBACjDG,UAAU,AAAC,GAAS,OAAPP,QAAO;;;;;;;;;oBAGP;;wBAAMe,MAAMR,SAAS;4BACpCS,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMX,WAAW;yBAKbA,SAASY,EAAE,EAAXZ;;;;oBACgB;;wBAAMA,SAASa,IAAI;;;oBAA/BZ,WAAY;oBAClB,kEAAkE;oBAClE,IAAIA,SAASa,QAAQ,KAAKlB,aAAa;wBACrC;;4BAAOK;;oBACT;oBACA,qDAAqD;oBACrD,sDAAsD;oBACtD,IAAI,CAACH,MAAM;wBACT;;4BAAOG;;oBACT;yBAGIL,YAAYmB,UAAU,CAACd,SAASa,QAAQ,GAAxClB;;;;oBACF,uEAAuE;oBACvE,qCAAqC;oBAC/BM,eAAeD;oBAErB,mDAAmD;oBAC7CE,aAAa,AAAC,GAAgDL,OAA9CN,QAAO,yCAA4C,OAALM;;;;;;;;;oBAE1C;;wBAAMS,MAAMJ,YAAY;4BAC9CK,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMP,kBAAkB;yBAIpBA,gBAAgBQ,EAAE,EAAlBR;;;;oBACM;;wBAAMA,gBAAgBS,IAAI;;;oBAAlC;;wBAAQ;;;;;;;;;;;;;;oBAMZ,sDAAsD;oBACtD;;wBAAOX;;;;;;;;;;;;;;yBAUTJ,MAAAA;;;;oBACIK,cAAa,AAAC,GAAgDL,OAA9CN,QAAO,yCAA4C,OAALM;;;;;;;;;oBAGjD;;wBAAMS,MAAMJ,aAAY;4BACvCK,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMX,YAAW;yBAKbA,UAASY,EAAE,EAAXZ;;;;oBACM;;wBAAMA,UAASa,IAAI;;;oBAA3B;;wBAAQ;;;;;;;;;;;;;;oBAOd,kDAAkD;oBAClD;;wBAAO;;;oBACAR;oBACP,+CAA+C;oBAC/C;;wBAAO;;;;;;;;IAEX;;AAEA,SAAeC,4CAA4CV,WAAmB;;YAEpEI,UAKFgB,QAEIC,cAUFC,OAGAC,aACAC,kBAUCf;;;;;;;;;;oBA/BU;;wBAAME,MAAMX,aAAa;4BACxCY,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMX,WAAW;oBAKbgB,SAAShB,SAASS,OAAO,CAACY,GAAG,CAAC;yBAC9B,CAACL,QAAD;;;;oBACmB;;wBAAMT,MAAMX,aAAa;4BAC5CY,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;gCAAS,gBAAgB;4BAAmB;4BAC/FW,MAAM;wBACR;;;oBAJML,eAAe;oBAKrBD,SAASC,aAAaR,OAAO,CAACY,GAAG,CAAC;;;oBAGpC,IAAI,CAACL,QAAQ;;wBAAO;;oBAEdE,QAAQF,OAAOE,KAAK,CAAC;oBAC3B,IAAI,CAACA,SAAS,CAACA,KAAK,CAAC,EAAE,EAAE;;wBAAO;;oBAE1BC,cAAcD,KAAK,CAAC,EAAE;oBACH;;wBAAMX,MAAMY,aAAa;4BAChDX,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMS,mBAAmB;oBAKzB,IAAI,CAACA,iBAAiBR,EAAE,EAAE;wBACxB;;4BAAO;;oBACT;oBAEQ;;wBAAMQ,iBAAiBP,IAAI;;;oBAAnC;;wBAAQ;;;oBACDR;oBACP;;wBAAO;;;;;;;;IAEX;;AAaO,SAAelB,oCAAoCoC,aAAqB;;YAErE/B,QACAgC,cAEAxB,UAUCK;;;;;;;;;;oBAbDb,SAASH,UAAUkC;oBACnBC,eAAe,AAAC,GAAS,OAAPhC,QAAO;oBAEd;;wBAAMe,MAAMiB,cAAc;4BACzChB,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMX,WAAW;oBAKjB,IAAI,CAACA,SAASY,EAAE,EAAE;wBAChB;;4BAAO;;oBACT;oBAEQ;;wBAAMZ,SAASa,IAAI;;;oBAA3B;;wBAAQ;;;oBACDR;oBACP;;wBAAO;;;;;;;;IAEX;;AAQO,SAAenB,kCAAkCU,WAAmB;;YAahEsB,SAXDlB,UAKAgB,QAGAE,OAICb;;;;;;;;;;oBAZU;;wBAAME,MAAMX,aAAa;4BACxCY,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMX,WAAW;oBAKXgB,SAAShB,SAASS,OAAO,CAACY,GAAG,CAAC;oBACpC,IAAI,CAACL,QAAQ;;wBAAO;;oBAEdE,QAAQF,OAAOE,KAAK,CAAC;oBAC3B,IAAI,CAACA,OAAO;;wBAAO;;oBAEnB;;yBAAOA,UAAAA,KAAK,CAAC,EAAE,cAARA,qBAAAA,UAAY;;;oBACZb;oBACP;;wBAAO;;;;;;;;IAEX"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/rfc9728-discovery.ts"],"sourcesContent":["/**\n * RFC 9728 Protected Resource Metadata Discovery\n * Probes .well-known/oauth-protected-resource endpoint\n */\n\nimport { joinWellKnown, normalizeUrl } from '../lib/url-utils.ts';\nimport type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Extract path from a URL (without origin)\n * @param url - Full URL\n * @returns Path component (e.g., \"/mcp\", \"/api/v1/mcp\") or empty string if no path\n */\nfunction getPath(url: string): string {\n  try {\n    const parsed = new URL(url);\n    // pathname includes leading slash, e.g., \"/mcp\"\n    return parsed.pathname === '/' ? '' : parsed.pathname;\n  } catch {\n    return '';\n  }\n}\n\n/**\n * Normalize a resource URL by stripping query/hash and trailing slashes.\n */\n/**\n * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)\n * Probes .well-known/oauth-protected-resource endpoint\n *\n * Discovery Strategy:\n * 1. Try origin root: {origin}/.well-known/oauth-protected-resource\n * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}\n *\n * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns ProtectedResourceMetadata if discovered, null otherwise\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');\n * // Returns: { resource: \"https://ai.todoist.net/mcp\", authorization_servers: [\"https://todoist.com\"] }\n */\nexport async function discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const normalizedResourceUrl = normalizeUrl(resourceUrl);\n    const headerMetadata = await discoverProtectedResourceMetadataFromHeader(normalizedResourceUrl);\n    if (headerMetadata) return headerMetadata;\n\n    // Strategy 0: Try path-local well-known (supports path-prefixed deployments like /outlook)\n    const localWellKnownUrl = joinWellKnown(normalizedResourceUrl, '/.well-known/oauth-protected-resource');\n    try {\n      const response = await fetch(localWellKnownUrl, {\n        method: 'GET',\n        headers: { Accept: 'application/json', Connection: 'close' },\n      });\n      if (response.ok) {\n        return (await response.json()) as ProtectedResourceMetadata;\n      }\n    } catch {\n      // Continue to origin-based discovery\n    }\n\n    const origin = getOrigin(normalizedResourceUrl);\n    const path = getPath(normalizedResourceUrl);\n\n    // Strategy 1: Try root location (REQUIRED by RFC 9728)\n    const rootUrl = `${origin}/.well-known/oauth-protected-resource`;\n\n    try {\n      const response = await fetch(rootUrl, {\n        method: 'GET',\n        headers: { Accept: 'application/json', Connection: 'close' },\n      });\n\n      if (response.ok) {\n        const metadata = (await response.json()) as ProtectedResourceMetadata;\n        // Check if the discovered resource matches what we're looking for\n        if (metadata.resource === normalizedResourceUrl) {\n          return metadata;\n        }\n        // If there's no path component, return root metadata\n        // (e.g., looking for http://example.com and found it)\n        if (!path) {\n          return metadata;\n        }\n        // If requested URL starts with metadata.resource, the root metadata applies to sub-paths\n        // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)\n        if (normalizedResourceUrl.startsWith(metadata.resource)) {\n          // Still try sub-path location to see if there's more specific metadata\n          // But save root metadata as fallback\n          const rootMetadata = metadata;\n\n          // Try sub-path location for more specific metadata\n          const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n          try {\n            const subPathResponse = await fetch(subPathUrl, {\n              method: 'GET',\n              headers: { Accept: 'application/json', Connection: 'close' },\n            });\n            if (subPathResponse.ok) {\n              return (await subPathResponse.json()) as ProtectedResourceMetadata;\n            }\n          } catch {\n            // Sub-path failed, use root metadata\n          }\n\n          // Return root metadata as it applies to this resource\n          return rootMetadata;\n        }\n        // Otherwise, try sub-path location before giving up\n      }\n    } catch {\n      // Continue to sub-path location\n    }\n\n    // Strategy 2: Try sub-path location (MCP spec extension)\n    // Only try if there's a path component\n    if (path) {\n      const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n\n      try {\n        const response = await fetch(subPathUrl, {\n          method: 'GET',\n          headers: { Accept: 'application/json', Connection: 'close' },\n        });\n\n        if (response.ok) {\n          return (await response.json()) as ProtectedResourceMetadata;\n        }\n      } catch {\n        // Fall through to return null\n      }\n    }\n\n    // Neither location found or resource didn't match\n    return null;\n  } catch (_error) {\n    // Network error, invalid URL, or other failure\n    return null;\n  }\n}\n\nasync function discoverProtectedResourceMetadataFromHeader(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    let header = response.headers.get('www-authenticate');\n    if (!header) {\n      const postResponse = await fetch(resourceUrl, {\n        method: 'POST',\n        headers: { Accept: 'application/json', Connection: 'close', 'Content-Type': 'application/json' },\n        body: '{}',\n      });\n      header = postResponse.headers.get('www-authenticate');\n    }\n\n    if (!header) return null;\n\n    const match = header.match(/resource_metadata=\"([^\"]+)\"/i);\n    if (!match || !match[1]) return null;\n\n    const metadataUrl = match[1];\n    const metadataResponse = await fetch(metadataUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!metadataResponse.ok) {\n      return null;\n    }\n\n    return (await metadataResponse.json()) as ProtectedResourceMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)\n * Probes .well-known/oauth-authorization-server endpoint\n *\n * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)\n * @returns AuthorizationServerMetadata if discovered, null otherwise\n *\n * @example\n * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');\n * // Returns: { issuer: \"https://todoist.com\", authorization_endpoint: \"...\", ... }\n */\nexport async function discoverAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata | null> {\n  try {\n    const normalizedAuthServerUrl = normalizeUrl(authServerUrl);\n    const localWellKnownUrl = joinWellKnown(normalizedAuthServerUrl, '/.well-known/oauth-authorization-server');\n    const localResponse = await fetch(localWellKnownUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (localResponse.ok) {\n      return (await localResponse.json()) as AuthorizationServerMetadata;\n    }\n\n    const origin = getOrigin(normalizedAuthServerUrl);\n    const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;\n\n    const response = await fetch(wellKnownUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    return (await response.json()) as AuthorizationServerMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth Authorization Server Issuer from resource response (RFC 9207)\n *\n * @param resourceUrl - URL of the protected resource\n * @returns Issuer URL if present in WWW-Authenticate header, null otherwise\n */\nexport async function discoverAuthorizationServerIssuer(resourceUrl: string): Promise<string | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    const header = response.headers.get('www-authenticate');\n    if (!header) return null;\n\n    const match = header.match(/(?:authorization_server|issuer)=\"([^\"]+)\"/i);\n    if (!match) return null;\n\n    return match[1] ?? null;\n  } catch (_error) {\n    return null;\n  }\n}\n"],"names":["discoverAuthorizationServerIssuer","discoverAuthorizationServerMetadata","discoverProtectedResourceMetadata","getOrigin","url","URL","origin","getPath","parsed","pathname","resourceUrl","normalizedResourceUrl","headerMetadata","localWellKnownUrl","response","path","rootUrl","metadata","rootMetadata","subPathUrl","subPathResponse","_error","normalizeUrl","discoverProtectedResourceMetadataFromHeader","joinWellKnown","fetch","method","headers","Accept","Connection","ok","json","resource","startsWith","header","postResponse","match","metadataUrl","metadataResponse","get","body","authServerUrl","normalizedAuthServerUrl","localResponse","wellKnownUrl"],"mappings":"AAAA;;;CAGC;;;;;;;;;;;QAmPqBA;eAAAA;;QArCAC;eAAAA;;QArJAC;eAAAA;;;0BAvDsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAG5C;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,eAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;CAIC,GACD,SAASG,QAAQH,GAAW;IAC1B,IAAI;QACF,IAAMI,SAAS,IAAIH,IAAID;QACvB,gDAAgD;QAChD,OAAOI,OAAOC,QAAQ,KAAK,MAAM,KAAKD,OAAOC,QAAQ;IACvD,EAAE,eAAM;QACN,OAAO;IACT;AACF;AAqBO,SAAeP,kCAAkCQ,WAAmB;;YAEjEC,uBACAC,gBAIAC,mBAEEC,kBAWFR,QACAS,MAGAC,SAGEF,WAMEG,UAeEC,cAGAC,YAEEC,mCAuBND,aAGEL,oBAeHO;;;;;;;;;;oBA5FDV,wBAAwBW,IAAAA,wBAAY,EAACZ;oBACpB;;wBAAMa,4CAA4CZ;;;oBAAnEC,iBAAiB;oBACvB,IAAIA,gBAAgB;;wBAAOA;;oBAE3B,2FAA2F;oBACrFC,oBAAoBW,IAAAA,yBAAa,EAACb,uBAAuB;;;;;;;;;oBAE5C;;wBAAMc,MAAMZ,mBAAmB;4BAC9Ca,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMf,WAAW;yBAIbA,SAASgB,EAAE,EAAXhB;;;;oBACM;;wBAAMA,SAASiB,IAAI;;;oBAA3B;;wBAAQ;;;;;;;;;;;;;;oBAMNzB,SAASH,UAAUQ;oBACnBI,OAAOR,QAAQI;oBAErB,uDAAuD;oBACjDK,UAAU,AAAC,GAAS,OAAPV,QAAO;;;;;;;;;oBAGP;;wBAAMmB,MAAMT,SAAS;4BACpCU,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMf,YAAW;yBAKbA,UAASgB,EAAE,EAAXhB;;;;oBACgB;;wBAAMA,UAASiB,IAAI;;;oBAA/Bd,WAAY;oBAClB,kEAAkE;oBAClE,IAAIA,SAASe,QAAQ,KAAKrB,uBAAuB;wBAC/C;;4BAAOM;;oBACT;oBACA,qDAAqD;oBACrD,sDAAsD;oBACtD,IAAI,CAACF,MAAM;wBACT;;4BAAOE;;oBACT;yBAGIN,sBAAsBsB,UAAU,CAAChB,SAASe,QAAQ,GAAlDrB;;;;oBACF,uEAAuE;oBACvE,qCAAqC;oBAC/BO,eAAeD;oBAErB,mDAAmD;oBAC7CE,aAAa,AAAC,GAAgDJ,OAA9CT,QAAO,yCAA4C,OAALS;;;;;;;;;oBAE1C;;wBAAMU,MAAMN,YAAY;4BAC9CO,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMT,kBAAkB;yBAIpBA,gBAAgBU,EAAE,EAAlBV;;;;oBACM;;wBAAMA,gBAAgBW,IAAI;;;oBAAlC;;wBAAQ;;;;;;;;;;;;;;oBAMZ,sDAAsD;oBACtD;;wBAAOb;;;;;;;;;;;;;;yBAUTH,MAAAA;;;;oBACII,cAAa,AAAC,GAAgDJ,OAA9CT,QAAO,yCAA4C,OAALS;;;;;;;;;oBAGjD;;wBAAMU,MAAMN,aAAY;4BACvCO,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMf,YAAW;yBAKbA,UAASgB,EAAE,EAAXhB;;;;oBACM;;wBAAMA,UAASiB,IAAI;;;oBAA3B;;wBAAQ;;;;;;;;;;;;;;oBAOd,kDAAkD;oBAClD;;wBAAO;;;oBACAV;oBACP,+CAA+C;oBAC/C;;wBAAO;;;;;;;;IAEX;;AAEA,SAAeE,4CAA4Cb,WAAmB;;YAEpEI,UAKFoB,QAEIC,cAUFC,OAGAC,aACAC,kBAUCjB;;;;;;;;;;oBA/BU;;wBAAMI,MAAMf,aAAa;4BACxCgB,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMf,WAAW;oBAKboB,SAASpB,SAASa,OAAO,CAACY,GAAG,CAAC;yBAC9B,CAACL,QAAD;;;;oBACmB;;wBAAMT,MAAMf,aAAa;4BAC5CgB,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;gCAAS,gBAAgB;4BAAmB;4BAC/FW,MAAM;wBACR;;;oBAJML,eAAe;oBAKrBD,SAASC,aAAaR,OAAO,CAACY,GAAG,CAAC;;;oBAGpC,IAAI,CAACL,QAAQ;;wBAAO;;oBAEdE,QAAQF,OAAOE,KAAK,CAAC;oBAC3B,IAAI,CAACA,SAAS,CAACA,KAAK,CAAC,EAAE,EAAE;;wBAAO;;oBAE1BC,cAAcD,KAAK,CAAC,EAAE;oBACH;;wBAAMX,MAAMY,aAAa;4BAChDX,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMS,mBAAmB;oBAKzB,IAAI,CAACA,iBAAiBR,EAAE,EAAE;wBACxB;;4BAAO;;oBACT;oBAEQ;;wBAAMQ,iBAAiBP,IAAI;;;oBAAnC;;wBAAQ;;;oBACDV;oBACP;;wBAAO;;;;;;;;IAEX;;AAaO,SAAepB,oCAAoCwC,aAAqB;;YAErEC,yBACA7B,mBACA8B,eASArC,QACAsC,cAEA9B,UAUCO;;;;;;;;;;oBAxBDqB,0BAA0BpB,IAAAA,wBAAY,EAACmB;oBACvC5B,oBAAoBW,IAAAA,yBAAa,EAACkB,yBAAyB;oBAC3C;;wBAAMjB,MAAMZ,mBAAmB;4BACnDa,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMc,gBAAgB;yBAKlBA,cAAcb,EAAE,EAAhBa;;;;oBACM;;wBAAMA,cAAcZ,IAAI;;;oBAAhC;;wBAAQ;;;oBAGJzB,SAASH,UAAUuC;oBACnBE,eAAe,AAAC,GAAS,OAAPtC,QAAO;oBAEd;;wBAAMmB,MAAMmB,cAAc;4BACzClB,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMf,WAAW;oBAKjB,IAAI,CAACA,SAASgB,EAAE,EAAE;wBAChB;;4BAAO;;oBACT;oBAEQ;;wBAAMhB,SAASiB,IAAI;;;oBAA3B;;wBAAQ;;;oBACDV;oBACP;;wBAAO;;;;;;;;IAEX;;AAQO,SAAerB,kCAAkCU,WAAmB;;YAahE0B,SAXDtB,UAKAoB,QAGAE,OAICf;;;;;;;;;;oBAZU;;wBAAMI,MAAMf,aAAa;4BACxCgB,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;;;oBAHMf,WAAW;oBAKXoB,SAASpB,SAASa,OAAO,CAACY,GAAG,CAAC;oBACpC,IAAI,CAACL,QAAQ;;wBAAO;;oBAEdE,QAAQF,OAAOE,KAAK,CAAC;oBAC3B,IAAI,CAACA,OAAO;;wBAAO;;oBAEnB;;yBAAOA,UAAAA,KAAK,CAAC,EAAE,cAARA,qBAAAA,UAAY;;;oBACZf;oBACP;;wBAAO;;;;;;;;IAEX"}

package/dist/cjs/lib/url-utils.d.cts

@@ -0,0 +1,2 @@
+export declare function normalizeUrl(input: string): string;
+export declare function joinWellKnown(baseUrl: string, suffix: string): string;

package/dist/cjs/lib/url-utils.d.ts

@@ -0,0 +1,2 @@
+export declare function normalizeUrl(input: string): string;
+export declare function joinWellKnown(baseUrl: string, suffix: string): string;

package/dist/cjs/lib/url-utils.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get joinWellKnown () {
+        return joinWellKnown;
+    },
+    get normalizeUrl () {
+        return normalizeUrl;
+    }
+});
+function normalizeUrl(input) {
+    try {
+        var url = new URL(input);
+        url.search = '';
+        url.hash = '';
+        url.pathname = url.pathname.replace(/\/+$/, '');
+        return url.origin + url.pathname;
+    } catch (unused) {
+        return input.replace(/\/+$/, '');
+    }
+}
+function joinWellKnown(baseUrl, suffix) {
+    return "".concat(normalizeUrl(baseUrl)).concat(suffix);
+}
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/lib/url-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/lib/url-utils.ts"],"sourcesContent":["export function normalizeUrl(input: string): string {\n  try {\n    const url = new URL(input);\n    url.search = '';\n    url.hash = '';\n    url.pathname = url.pathname.replace(/\\/+$/, '');\n    return url.origin + url.pathname;\n  } catch {\n    return input.replace(/\\/+$/, '');\n  }\n}\n\nexport function joinWellKnown(baseUrl: string, suffix: string): string {\n  return `${normalizeUrl(baseUrl)}${suffix}`;\n}\n"],"names":["joinWellKnown","normalizeUrl","input","url","URL","search","hash","pathname","replace","origin","baseUrl","suffix"],"mappings":";;;;;;;;;;;QAYgBA;eAAAA;;QAZAC;eAAAA;;;AAAT,SAASA,aAAaC,KAAa;IACxC,IAAI;QACF,IAAMC,MAAM,IAAIC,IAAIF;QACpBC,IAAIE,MAAM,GAAG;QACbF,IAAIG,IAAI,GAAG;QACXH,IAAII,QAAQ,GAAGJ,IAAII,QAAQ,CAACC,OAAO,CAAC,QAAQ;QAC5C,OAAOL,IAAIM,MAAM,GAAGN,IAAII,QAAQ;IAClC,EAAE,eAAM;QACN,OAAOL,MAAMM,OAAO,CAAC,QAAQ;IAC/B;AACF;AAEO,SAASR,cAAcU,OAAe,EAAEC,MAAc;IAC3D,OAAO,AAAC,GAA0BA,OAAxBV,aAAaS,UAAkB,OAAPC;AACpC"}

package/dist/esm/auth/capability-discovery.js

@@ -1,7 +1,8 @@
 /**
  * OAuth Server Capability Discovery
  * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata
- */ import { discoverAuthorizationServerIssuer, discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.js';
+ */ import { normalizeUrl } from '../lib/url-utils.js';
+import { discoverAuthorizationServerIssuer, discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.js';
 /**
  * Extract origin (protocol + host) from a URL
  * @param url - Full URL that may include a path
@@ -65,9 +66,10 @@ async function resolveCapabilitiesFromAuthorizationServer(authServerUrl, scopes)
 }
 export async function probeAuthCapabilities(baseUrl) {
     try {
+        const normalizedBaseUrl = normalizeUrl(baseUrl);
         // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery
         // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)
-        const resourceMetadata = await discoverProtectedResourceMetadata(baseUrl);
+        const resourceMetadata = await discoverProtectedResourceMetadata(normalizedBaseUrl);
         if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {
             // Found protected resource metadata with authorization servers
             // Discover the authorization server's metadata (RFC 8414)
@@ -88,14 +90,14 @@ export async function probeAuthCapabilities(baseUrl) {
                 if (issuerCapabilities) return issuerCapabilities;
             }
         }
-        const issuer = await discoverAuthorizationServerIssuer(baseUrl);
+        const issuer = await discoverAuthorizationServerIssuer(normalizedBaseUrl);
         if (issuer) {
             const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer);
             if (issuerCapabilities) return issuerCapabilities;
         }
         // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin
         // This handles same-domain OAuth (traditional setup)
-        const origin = getOrigin(baseUrl);
+        const origin = getOrigin(normalizedBaseUrl);
         const originCapabilities = await resolveCapabilitiesFromAuthorizationServer(origin);
         if (originCapabilities) return originCapabilities;
         // No OAuth metadata found

package/dist/esm/auth/capability-discovery.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/capability-discovery.ts"],"sourcesContent":["/**\n * OAuth Server Capability Discovery\n * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata\n */\n\nimport { discoverAuthorizationServerIssuer, discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.ts';\nimport type { AuthCapabilities, AuthorizationServerMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain\n * Returns capabilities including DCR support detection\n *\n * Discovery Strategy:\n * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)\n * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata\n * 3. Fall back to direct RFC 8414 discovery at resource origin\n *\n * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns AuthCapabilities object with discovered endpoints and features\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');\n * if (caps.supportsDcr) {\n *   console.log('Registration endpoint:', caps.registrationEndpoint);\n * }\n */\nfunction buildCapabilities(metadata: AuthorizationServerMetadata, scopes?: string[]): AuthCapabilities {\n  const supportsDcr = !!metadata.registration_endpoint;\n  const capabilities: AuthCapabilities = { supportsDcr };\n\n  if (metadata.registration_endpoint) {\n    capabilities.registrationEndpoint = metadata.registration_endpoint;\n  }\n  if (metadata.authorization_endpoint) {\n    capabilities.authorizationEndpoint = metadata.authorization_endpoint;\n  }\n  if (metadata.token_endpoint) capabilities.tokenEndpoint = metadata.token_endpoint;\n  if (metadata.introspection_endpoint) {\n    capabilities.introspectionEndpoint = metadata.introspection_endpoint;\n  }\n\n  if (scopes && scopes.length > 0) {\n    capabilities.scopes = scopes;\n  } else if (metadata.scopes_supported) {\n    capabilities.scopes = metadata.scopes_supported;\n  }\n\n  return capabilities;\n}\n\nasync function resolveCapabilitiesFromAuthorizationServer(authServerUrl: string, scopes?: string[]): Promise<AuthCapabilities | null> {\n  const metadata = await discoverAuthorizationServerMetadata(authServerUrl);\n  if (!metadata) return null;\n  return buildCapabilities(metadata, scopes);\n}\n\nexport async function probeAuthCapabilities(baseUrl: string): Promise<AuthCapabilities> {\n  try {\n    // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery\n    // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)\n    const resourceMetadata = await discoverProtectedResourceMetadata(baseUrl);\n\n    if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {\n      // Found protected resource metadata with authorization servers\n      // Discover the authorization server's metadata (RFC 8414)\n      const authServerUrl = resourceMetadata.authorization_servers[0];\n      if (!authServerUrl) {\n        // Array has length > 0 but first element is undefined/null - skip this path\n        return { supportsDcr: false };\n      }\n      const capabilities = await resolveCapabilitiesFromAuthorizationServer(authServerUrl, resourceMetadata.scopes_supported);\n      if (capabilities) {\n        return capabilities;\n      }\n\n      const issuer = await discoverAuthorizationServerIssuer(baseUrl);\n      if (issuer) {\n        const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer, resourceMetadata.scopes_supported);\n        if (issuerCapabilities) return issuerCapabilities;\n      }\n    }\n\n    const issuer = await discoverAuthorizationServerIssuer(baseUrl);\n    if (issuer) {\n      const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer);\n      if (issuerCapabilities) return issuerCapabilities;\n    }\n\n    // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin\n    // This handles same-domain OAuth (traditional setup)\n    const origin = getOrigin(baseUrl);\n    const originCapabilities = await resolveCapabilitiesFromAuthorizationServer(origin);\n    if (originCapabilities) return originCapabilities;\n\n    // No OAuth metadata found\n    return { supportsDcr: false };\n  } catch (_error) {\n    // Network error, invalid JSON, or other fetch failure\n    // Gracefully degrade - assume no DCR support\n    return { supportsDcr: false };\n  }\n}\n"],"names":["discoverAuthorizationServerIssuer","discoverAuthorizationServerMetadata","discoverProtectedResourceMetadata","getOrigin","url","URL","origin","buildCapabilities","metadata","scopes","supportsDcr","registration_endpoint","capabilities","registrationEndpoint","authorization_endpoint","authorizationEndpoint","token_endpoint","tokenEndpoint","introspection_endpoint","introspectionEndpoint","length","scopes_supported","resolveCapabilitiesFromAuthorizationServer","authServerUrl","probeAuthCapabilities","baseUrl","resourceMetadata","authorization_servers","issuer","issuerCapabilities","originCapabilities","_error"],"mappings":"AAAA;;;CAGC,GAED,SAASA,iCAAiC,EAAEC,mCAAmC,EAAEC,iCAAiC,QAAQ,yBAAyB;AAGnJ;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,OAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;;;;;;;;;;;;;;;CAkBC,GACD,SAASG,kBAAkBC,QAAqC,EAAEC,MAAiB;IACjF,MAAMC,cAAc,CAAC,CAACF,SAASG,qBAAqB;IACpD,MAAMC,eAAiC;QAAEF;IAAY;IAErD,IAAIF,SAASG,qBAAqB,EAAE;QAClCC,aAAaC,oBAAoB,GAAGL,SAASG,qBAAqB;IACpE;IACA,IAAIH,SAASM,sBAAsB,EAAE;QACnCF,aAAaG,qBAAqB,GAAGP,SAASM,sBAAsB;IACtE;IACA,IAAIN,SAASQ,cAAc,EAAEJ,aAAaK,aAAa,GAAGT,SAASQ,cAAc;IACjF,IAAIR,SAASU,sBAAsB,EAAE;QACnCN,aAAaO,qBAAqB,GAAGX,SAASU,sBAAsB;IACtE;IAEA,IAAIT,UAAUA,OAAOW,MAAM,GAAG,GAAG;QAC/BR,aAAaH,MAAM,GAAGA;IACxB,OAAO,IAAID,SAASa,gBAAgB,EAAE;QACpCT,aAAaH,MAAM,GAAGD,SAASa,gBAAgB;IACjD;IAEA,OAAOT;AACT;AAEA,eAAeU,2CAA2CC,aAAqB,EAAEd,MAAiB;IAChG,MAAMD,WAAW,MAAMP,oCAAoCsB;IAC3D,IAAI,CAACf,UAAU,OAAO;IACtB,OAAOD,kBAAkBC,UAAUC;AACrC;AAEA,OAAO,eAAee,sBAAsBC,OAAe;IACzD,IAAI;QACF,iEAAiE;QACjE,oFAAoF;QACpF,MAAMC,mBAAmB,MAAMxB,kCAAkCuB;QAEjE,IAAIC,oBAAoBA,iBAAiBC,qBAAqB,CAACP,MAAM,GAAG,GAAG;YACzE,+DAA+D;YAC/D,0DAA0D;YAC1D,MAAMG,gBAAgBG,iBAAiBC,qBAAqB,CAAC,EAAE;YAC/D,IAAI,CAACJ,eAAe;gBAClB,4EAA4E;gBAC5E,OAAO;oBAAEb,aAAa;gBAAM;YAC9B;YACA,MAAME,eAAe,MAAMU,2CAA2CC,eAAeG,iBAAiBL,gBAAgB;YACtH,IAAIT,cAAc;gBAChB,OAAOA;YACT;YAEA,MAAMgB,SAAS,MAAM5B,kCAAkCyB;YACvD,IAAIG,QAAQ;gBACV,MAAMC,qBAAqB,MAAMP,2CAA2CM,QAAQF,iBAAiBL,gBAAgB;gBACrH,IAAIQ,oBAAoB,OAAOA;YACjC;QACF;QAEA,MAAMD,SAAS,MAAM5B,kCAAkCyB;QACvD,IAAIG,QAAQ;YACV,MAAMC,qBAAqB,MAAMP,2CAA2CM;YAC5E,IAAIC,oBAAoB,OAAOA;QACjC;QAEA,wEAAwE;QACxE,qDAAqD;QACrD,MAAMvB,SAASH,UAAUsB;QACzB,MAAMK,qBAAqB,MAAMR,2CAA2ChB;QAC5E,IAAIwB,oBAAoB,OAAOA;QAE/B,0BAA0B;QAC1B,OAAO;YAAEpB,aAAa;QAAM;IAC9B,EAAE,OAAOqB,QAAQ;QACf,sDAAsD;QACtD,6CAA6C;QAC7C,OAAO;YAAErB,aAAa;QAAM;IAC9B;AACF"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/capability-discovery.ts"],"sourcesContent":["/**\n * OAuth Server Capability Discovery\n * Probes RFC 9728 (Protected Resource) and RFC 8414 (Authorization Server) metadata\n */\n\nimport { normalizeUrl } from '../lib/url-utils.ts';\nimport { discoverAuthorizationServerIssuer, discoverAuthorizationServerMetadata, discoverProtectedResourceMetadata } from './rfc9728-discovery.ts';\nimport type { AuthCapabilities, AuthorizationServerMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Probe OAuth server capabilities using RFC 9728 → RFC 8414 discovery chain\n * Returns capabilities including DCR support detection\n *\n * Discovery Strategy:\n * 1. Try RFC 9728 Protected Resource Metadata (supports cross-domain OAuth)\n * 2. If found, use first authorization_server to discover RFC 8414 Authorization Server Metadata\n * 3. Fall back to direct RFC 8414 discovery at resource origin\n *\n * @param baseUrl - Base URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns AuthCapabilities object with discovered endpoints and features\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const caps = await probeAuthCapabilities('https://ai.todoist.net/mcp');\n * if (caps.supportsDcr) {\n *   console.log('Registration endpoint:', caps.registrationEndpoint);\n * }\n */\nfunction buildCapabilities(metadata: AuthorizationServerMetadata, scopes?: string[]): AuthCapabilities {\n  const supportsDcr = !!metadata.registration_endpoint;\n  const capabilities: AuthCapabilities = { supportsDcr };\n\n  if (metadata.registration_endpoint) {\n    capabilities.registrationEndpoint = metadata.registration_endpoint;\n  }\n  if (metadata.authorization_endpoint) {\n    capabilities.authorizationEndpoint = metadata.authorization_endpoint;\n  }\n  if (metadata.token_endpoint) capabilities.tokenEndpoint = metadata.token_endpoint;\n  if (metadata.introspection_endpoint) {\n    capabilities.introspectionEndpoint = metadata.introspection_endpoint;\n  }\n\n  if (scopes && scopes.length > 0) {\n    capabilities.scopes = scopes;\n  } else if (metadata.scopes_supported) {\n    capabilities.scopes = metadata.scopes_supported;\n  }\n\n  return capabilities;\n}\n\nasync function resolveCapabilitiesFromAuthorizationServer(authServerUrl: string, scopes?: string[]): Promise<AuthCapabilities | null> {\n  const metadata = await discoverAuthorizationServerMetadata(authServerUrl);\n  if (!metadata) return null;\n  return buildCapabilities(metadata, scopes);\n}\n\nexport async function probeAuthCapabilities(baseUrl: string): Promise<AuthCapabilities> {\n  try {\n    const normalizedBaseUrl = normalizeUrl(baseUrl);\n    // Strategy 1: Try RFC 9728 Protected Resource Metadata discovery\n    // This handles cross-domain OAuth (e.g., Todoist: ai.todoist.net/mcp → todoist.com)\n    const resourceMetadata = await discoverProtectedResourceMetadata(normalizedBaseUrl);\n\n    if (resourceMetadata && resourceMetadata.authorization_servers.length > 0) {\n      // Found protected resource metadata with authorization servers\n      // Discover the authorization server's metadata (RFC 8414)\n      const authServerUrl = resourceMetadata.authorization_servers[0];\n      if (!authServerUrl) {\n        // Array has length > 0 but first element is undefined/null - skip this path\n        return { supportsDcr: false };\n      }\n      const capabilities = await resolveCapabilitiesFromAuthorizationServer(authServerUrl, resourceMetadata.scopes_supported);\n      if (capabilities) {\n        return capabilities;\n      }\n\n      const issuer = await discoverAuthorizationServerIssuer(baseUrl);\n      if (issuer) {\n        const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer, resourceMetadata.scopes_supported);\n        if (issuerCapabilities) return issuerCapabilities;\n      }\n    }\n\n    const issuer = await discoverAuthorizationServerIssuer(normalizedBaseUrl);\n    if (issuer) {\n      const issuerCapabilities = await resolveCapabilitiesFromAuthorizationServer(issuer);\n      if (issuerCapabilities) return issuerCapabilities;\n    }\n\n    // Strategy 2: Fall back to direct RFC 8414 discovery at resource origin\n    // This handles same-domain OAuth (traditional setup)\n    const origin = getOrigin(normalizedBaseUrl);\n    const originCapabilities = await resolveCapabilitiesFromAuthorizationServer(origin);\n    if (originCapabilities) return originCapabilities;\n\n    // No OAuth metadata found\n    return { supportsDcr: false };\n  } catch (_error) {\n    // Network error, invalid JSON, or other fetch failure\n    // Gracefully degrade - assume no DCR support\n    return { supportsDcr: false };\n  }\n}\n"],"names":["normalizeUrl","discoverAuthorizationServerIssuer","discoverAuthorizationServerMetadata","discoverProtectedResourceMetadata","getOrigin","url","URL","origin","buildCapabilities","metadata","scopes","supportsDcr","registration_endpoint","capabilities","registrationEndpoint","authorization_endpoint","authorizationEndpoint","token_endpoint","tokenEndpoint","introspection_endpoint","introspectionEndpoint","length","scopes_supported","resolveCapabilitiesFromAuthorizationServer","authServerUrl","probeAuthCapabilities","baseUrl","normalizedBaseUrl","resourceMetadata","authorization_servers","issuer","issuerCapabilities","originCapabilities","_error"],"mappings":"AAAA;;;CAGC,GAED,SAASA,YAAY,QAAQ,sBAAsB;AACnD,SAASC,iCAAiC,EAAEC,mCAAmC,EAAEC,iCAAiC,QAAQ,yBAAyB;AAGnJ;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,OAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;;;;;;;;;;;;;;;CAkBC,GACD,SAASG,kBAAkBC,QAAqC,EAAEC,MAAiB;IACjF,MAAMC,cAAc,CAAC,CAACF,SAASG,qBAAqB;IACpD,MAAMC,eAAiC;QAAEF;IAAY;IAErD,IAAIF,SAASG,qBAAqB,EAAE;QAClCC,aAAaC,oBAAoB,GAAGL,SAASG,qBAAqB;IACpE;IACA,IAAIH,SAASM,sBAAsB,EAAE;QACnCF,aAAaG,qBAAqB,GAAGP,SAASM,sBAAsB;IACtE;IACA,IAAIN,SAASQ,cAAc,EAAEJ,aAAaK,aAAa,GAAGT,SAASQ,cAAc;IACjF,IAAIR,SAASU,sBAAsB,EAAE;QACnCN,aAAaO,qBAAqB,GAAGX,SAASU,sBAAsB;IACtE;IAEA,IAAIT,UAAUA,OAAOW,MAAM,GAAG,GAAG;QAC/BR,aAAaH,MAAM,GAAGA;IACxB,OAAO,IAAID,SAASa,gBAAgB,EAAE;QACpCT,aAAaH,MAAM,GAAGD,SAASa,gBAAgB;IACjD;IAEA,OAAOT;AACT;AAEA,eAAeU,2CAA2CC,aAAqB,EAAEd,MAAiB;IAChG,MAAMD,WAAW,MAAMP,oCAAoCsB;IAC3D,IAAI,CAACf,UAAU,OAAO;IACtB,OAAOD,kBAAkBC,UAAUC;AACrC;AAEA,OAAO,eAAee,sBAAsBC,OAAe;IACzD,IAAI;QACF,MAAMC,oBAAoB3B,aAAa0B;QACvC,iEAAiE;QACjE,oFAAoF;QACpF,MAAME,mBAAmB,MAAMzB,kCAAkCwB;QAEjE,IAAIC,oBAAoBA,iBAAiBC,qBAAqB,CAACR,MAAM,GAAG,GAAG;YACzE,+DAA+D;YAC/D,0DAA0D;YAC1D,MAAMG,gBAAgBI,iBAAiBC,qBAAqB,CAAC,EAAE;YAC/D,IAAI,CAACL,eAAe;gBAClB,4EAA4E;gBAC5E,OAAO;oBAAEb,aAAa;gBAAM;YAC9B;YACA,MAAME,eAAe,MAAMU,2CAA2CC,eAAeI,iBAAiBN,gBAAgB;YACtH,IAAIT,cAAc;gBAChB,OAAOA;YACT;YAEA,MAAMiB,SAAS,MAAM7B,kCAAkCyB;YACvD,IAAII,QAAQ;gBACV,MAAMC,qBAAqB,MAAMR,2CAA2CO,QAAQF,iBAAiBN,gBAAgB;gBACrH,IAAIS,oBAAoB,OAAOA;YACjC;QACF;QAEA,MAAMD,SAAS,MAAM7B,kCAAkC0B;QACvD,IAAIG,QAAQ;YACV,MAAMC,qBAAqB,MAAMR,2CAA2CO;YAC5E,IAAIC,oBAAoB,OAAOA;QACjC;QAEA,wEAAwE;QACxE,qDAAqD;QACrD,MAAMxB,SAASH,UAAUuB;QACzB,MAAMK,qBAAqB,MAAMT,2CAA2ChB;QAC5E,IAAIyB,oBAAoB,OAAOA;QAE/B,0BAA0B;QAC1B,OAAO;YAAErB,aAAa;QAAM;IAC9B,EAAE,OAAOsB,QAAQ;QACf,sDAAsD;QACtD,6CAA6C;QAC7C,OAAO;YAAEtB,aAAa;QAAM;IAC9B;AACF"}

package/dist/esm/auth/rfc9728-discovery.d.ts

@@ -3,6 +3,9 @@
  * Probes .well-known/oauth-protected-resource endpoint
  */
 import type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.js';
+/**
+ * Normalize a resource URL by stripping query/hash and trailing slashes.
+ */
 /**
  * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)
  * Probes .well-known/oauth-protected-resource endpoint

package/dist/esm/auth/rfc9728-discovery.js

@@ -1,7 +1,8 @@
 /**
  * RFC 9728 Protected Resource Metadata Discovery
  * Probes .well-known/oauth-protected-resource endpoint
- */ /**
+ */ import { joinWellKnown, normalizeUrl } from '../lib/url-utils.js';
+/**
  * Extract origin (protocol + host) from a URL
  * @param url - Full URL that may include a path
  * @returns Origin (e.g., "https://example.com") or original string if invalid URL
@@ -31,6 +32,8 @@
     }
 }
 /**
+ * Normalize a resource URL by stripping query/hash and trailing slashes.
+ */ /**
  * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)
  * Probes .well-known/oauth-protected-resource endpoint
  *
@@ -47,10 +50,27 @@
  * // Returns: { resource: "https://ai.todoist.net/mcp", authorization_servers: ["https://todoist.com"] }
  */ export async function discoverProtectedResourceMetadata(resourceUrl) {
     try {
-        const headerMetadata = await discoverProtectedResourceMetadataFromHeader(resourceUrl);
+        const normalizedResourceUrl = normalizeUrl(resourceUrl);
+        const headerMetadata = await discoverProtectedResourceMetadataFromHeader(normalizedResourceUrl);
         if (headerMetadata) return headerMetadata;
-        const origin = getOrigin(resourceUrl);
-        const path = getPath(resourceUrl);
+        // Strategy 0: Try path-local well-known (supports path-prefixed deployments like /outlook)
+        const localWellKnownUrl = joinWellKnown(normalizedResourceUrl, '/.well-known/oauth-protected-resource');
+        try {
+            const response = await fetch(localWellKnownUrl, {
+                method: 'GET',
+                headers: {
+                    Accept: 'application/json',
+                    Connection: 'close'
+                }
+            });
+            if (response.ok) {
+                return await response.json();
+            }
+        } catch  {
+        // Continue to origin-based discovery
+        }
+        const origin = getOrigin(normalizedResourceUrl);
+        const path = getPath(normalizedResourceUrl);
         // Strategy 1: Try root location (REQUIRED by RFC 9728)
         const rootUrl = `${origin}/.well-known/oauth-protected-resource`;
         try {
@@ -64,7 +84,7 @@
             if (response.ok) {
                 const metadata = await response.json();
                 // Check if the discovered resource matches what we're looking for
-                if (metadata.resource === resourceUrl) {
+                if (metadata.resource === normalizedResourceUrl) {
                     return metadata;
                 }
                 // If there's no path component, return root metadata
@@ -74,7 +94,7 @@
                 }
                 // If requested URL starts with metadata.resource, the root metadata applies to sub-paths
                 // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)
-                if (resourceUrl.startsWith(metadata.resource)) {
+                if (normalizedResourceUrl.startsWith(metadata.resource)) {
                     // Still try sub-path location to see if there's more specific metadata
                     // But save root metadata as fallback
                     const rootMetadata = metadata;
@@ -181,7 +201,19 @@ async function discoverProtectedResourceMetadataFromHeader(resourceUrl) {
  * // Returns: { issuer: "https://todoist.com", authorization_endpoint: "...", ... }
  */ export async function discoverAuthorizationServerMetadata(authServerUrl) {
     try {
-        const origin = getOrigin(authServerUrl);
+        const normalizedAuthServerUrl = normalizeUrl(authServerUrl);
+        const localWellKnownUrl = joinWellKnown(normalizedAuthServerUrl, '/.well-known/oauth-authorization-server');
+        const localResponse = await fetch(localWellKnownUrl, {
+            method: 'GET',
+            headers: {
+                Accept: 'application/json',
+                Connection: 'close'
+            }
+        });
+        if (localResponse.ok) {
+            return await localResponse.json();
+        }
+        const origin = getOrigin(normalizedAuthServerUrl);
         const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;
         const response = await fetch(wellKnownUrl, {
             method: 'GET',

package/dist/esm/auth/rfc9728-discovery.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/rfc9728-discovery.ts"],"sourcesContent":["/**\n * RFC 9728 Protected Resource Metadata Discovery\n * Probes .well-known/oauth-protected-resource endpoint\n */\n\nimport type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Extract path from a URL (without origin)\n * @param url - Full URL\n * @returns Path component (e.g., \"/mcp\", \"/api/v1/mcp\") or empty string if no path\n */\nfunction getPath(url: string): string {\n  try {\n    const parsed = new URL(url);\n    // pathname includes leading slash, e.g., \"/mcp\"\n    return parsed.pathname === '/' ? '' : parsed.pathname;\n  } catch {\n    return '';\n  }\n}\n\n/**\n * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)\n * Probes .well-known/oauth-protected-resource endpoint\n *\n * Discovery Strategy:\n * 1. Try origin root: {origin}/.well-known/oauth-protected-resource\n * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}\n *\n * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns ProtectedResourceMetadata if discovered, null otherwise\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');\n * // Returns: { resource: \"https://ai.todoist.net/mcp\", authorization_servers: [\"https://todoist.com\"] }\n */\nexport async function discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const headerMetadata = await discoverProtectedResourceMetadataFromHeader(resourceUrl);\n    if (headerMetadata) return headerMetadata;\n\n    const origin = getOrigin(resourceUrl);\n    const path = getPath(resourceUrl);\n\n    // Strategy 1: Try root location (REQUIRED by RFC 9728)\n    const rootUrl = `${origin}/.well-known/oauth-protected-resource`;\n\n    try {\n      const response = await fetch(rootUrl, {\n        method: 'GET',\n        headers: { Accept: 'application/json', Connection: 'close' },\n      });\n\n      if (response.ok) {\n        const metadata = (await response.json()) as ProtectedResourceMetadata;\n        // Check if the discovered resource matches what we're looking for\n        if (metadata.resource === resourceUrl) {\n          return metadata;\n        }\n        // If there's no path component, return root metadata\n        // (e.g., looking for http://example.com and found it)\n        if (!path) {\n          return metadata;\n        }\n        // If requested URL starts with metadata.resource, the root metadata applies to sub-paths\n        // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)\n        if (resourceUrl.startsWith(metadata.resource)) {\n          // Still try sub-path location to see if there's more specific metadata\n          // But save root metadata as fallback\n          const rootMetadata = metadata;\n\n          // Try sub-path location for more specific metadata\n          const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n          try {\n            const subPathResponse = await fetch(subPathUrl, {\n              method: 'GET',\n              headers: { Accept: 'application/json', Connection: 'close' },\n            });\n            if (subPathResponse.ok) {\n              return (await subPathResponse.json()) as ProtectedResourceMetadata;\n            }\n          } catch {\n            // Sub-path failed, use root metadata\n          }\n\n          // Return root metadata as it applies to this resource\n          return rootMetadata;\n        }\n        // Otherwise, try sub-path location before giving up\n      }\n    } catch {\n      // Continue to sub-path location\n    }\n\n    // Strategy 2: Try sub-path location (MCP spec extension)\n    // Only try if there's a path component\n    if (path) {\n      const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n\n      try {\n        const response = await fetch(subPathUrl, {\n          method: 'GET',\n          headers: { Accept: 'application/json', Connection: 'close' },\n        });\n\n        if (response.ok) {\n          return (await response.json()) as ProtectedResourceMetadata;\n        }\n      } catch {\n        // Fall through to return null\n      }\n    }\n\n    // Neither location found or resource didn't match\n    return null;\n  } catch (_error) {\n    // Network error, invalid URL, or other failure\n    return null;\n  }\n}\n\nasync function discoverProtectedResourceMetadataFromHeader(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    let header = response.headers.get('www-authenticate');\n    if (!header) {\n      const postResponse = await fetch(resourceUrl, {\n        method: 'POST',\n        headers: { Accept: 'application/json', Connection: 'close', 'Content-Type': 'application/json' },\n        body: '{}',\n      });\n      header = postResponse.headers.get('www-authenticate');\n    }\n\n    if (!header) return null;\n\n    const match = header.match(/resource_metadata=\"([^\"]+)\"/i);\n    if (!match || !match[1]) return null;\n\n    const metadataUrl = match[1];\n    const metadataResponse = await fetch(metadataUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!metadataResponse.ok) {\n      return null;\n    }\n\n    return (await metadataResponse.json()) as ProtectedResourceMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)\n * Probes .well-known/oauth-authorization-server endpoint\n *\n * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)\n * @returns AuthorizationServerMetadata if discovered, null otherwise\n *\n * @example\n * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');\n * // Returns: { issuer: \"https://todoist.com\", authorization_endpoint: \"...\", ... }\n */\nexport async function discoverAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata | null> {\n  try {\n    const origin = getOrigin(authServerUrl);\n    const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;\n\n    const response = await fetch(wellKnownUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    return (await response.json()) as AuthorizationServerMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth Authorization Server Issuer from resource response (RFC 9207)\n *\n * @param resourceUrl - URL of the protected resource\n * @returns Issuer URL if present in WWW-Authenticate header, null otherwise\n */\nexport async function discoverAuthorizationServerIssuer(resourceUrl: string): Promise<string | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    const header = response.headers.get('www-authenticate');\n    if (!header) return null;\n\n    const match = header.match(/(?:authorization_server|issuer)=\"([^\"]+)\"/i);\n    if (!match) return null;\n\n    return match[1] ?? null;\n  } catch (_error) {\n    return null;\n  }\n}\n"],"names":["getOrigin","url","URL","origin","getPath","parsed","pathname","discoverProtectedResourceMetadata","resourceUrl","headerMetadata","discoverProtectedResourceMetadataFromHeader","path","rootUrl","response","fetch","method","headers","Accept","Connection","ok","metadata","json","resource","startsWith","rootMetadata","subPathUrl","subPathResponse","_error","header","get","postResponse","body","match","metadataUrl","metadataResponse","discoverAuthorizationServerMetadata","authServerUrl","wellKnownUrl","discoverAuthorizationServerIssuer"],"mappings":"AAAA;;;CAGC,GAID;;;;;;;;CAQC,GACD,SAASA,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,OAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;CAIC,GACD,SAASG,QAAQH,GAAW;IAC1B,IAAI;QACF,MAAMI,SAAS,IAAIH,IAAID;QACvB,gDAAgD;QAChD,OAAOI,OAAOC,QAAQ,KAAK,MAAM,KAAKD,OAAOC,QAAQ;IACvD,EAAE,OAAM;QACN,OAAO;IACT;AACF;AAEA;;;;;;;;;;;;;;;CAeC,GACD,OAAO,eAAeC,kCAAkCC,WAAmB;IACzE,IAAI;QACF,MAAMC,iBAAiB,MAAMC,4CAA4CF;QACzE,IAAIC,gBAAgB,OAAOA;QAE3B,MAAMN,SAASH,UAAUQ;QACzB,MAAMG,OAAOP,QAAQI;QAErB,uDAAuD;QACvD,MAAMI,UAAU,GAAGT,OAAO,qCAAqC,CAAC;QAEhE,IAAI;YACF,MAAMU,WAAW,MAAMC,MAAMF,SAAS;gBACpCG,QAAQ;gBACRC,SAAS;oBAAEC,QAAQ;oBAAoBC,YAAY;gBAAQ;YAC7D;YAEA,IAAIL,SAASM,EAAE,EAAE;gBACf,MAAMC,WAAY,MAAMP,SAASQ,IAAI;gBACrC,kEAAkE;gBAClE,IAAID,SAASE,QAAQ,KAAKd,aAAa;oBACrC,OAAOY;gBACT;gBACA,qDAAqD;gBACrD,sDAAsD;gBACtD,IAAI,CAACT,MAAM;oBACT,OAAOS;gBACT;gBACA,yFAAyF;gBACzF,8EAA8E;gBAC9E,IAAIZ,YAAYe,UAAU,CAACH,SAASE,QAAQ,GAAG;oBAC7C,uEAAuE;oBACvE,qCAAqC;oBACrC,MAAME,eAAeJ;oBAErB,mDAAmD;oBACnD,MAAMK,aAAa,GAAGtB,OAAO,qCAAqC,EAAEQ,MAAM;oBAC1E,IAAI;wBACF,MAAMe,kBAAkB,MAAMZ,MAAMW,YAAY;4BAC9CV,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;wBACA,IAAIQ,gBAAgBP,EAAE,EAAE;4BACtB,OAAQ,MAAMO,gBAAgBL,IAAI;wBACpC;oBACF,EAAE,OAAM;oBACN,qCAAqC;oBACvC;oBAEA,sDAAsD;oBACtD,OAAOG;gBACT;YACA,oDAAoD;YACtD;QACF,EAAE,OAAM;QACN,gCAAgC;QAClC;QAEA,yDAAyD;QACzD,uCAAuC;QACvC,IAAIb,MAAM;YACR,MAAMc,aAAa,GAAGtB,OAAO,qCAAqC,EAAEQ,MAAM;YAE1E,IAAI;gBACF,MAAME,WAAW,MAAMC,MAAMW,YAAY;oBACvCV,QAAQ;oBACRC,SAAS;wBAAEC,QAAQ;wBAAoBC,YAAY;oBAAQ;gBAC7D;gBAEA,IAAIL,SAASM,EAAE,EAAE;oBACf,OAAQ,MAAMN,SAASQ,IAAI;gBAC7B;YACF,EAAE,OAAM;YACN,8BAA8B;YAChC;QACF;QAEA,kDAAkD;QAClD,OAAO;IACT,EAAE,OAAOM,QAAQ;QACf,+CAA+C;QAC/C,OAAO;IACT;AACF;AAEA,eAAejB,4CAA4CF,WAAmB;IAC5E,IAAI;QACF,MAAMK,WAAW,MAAMC,MAAMN,aAAa;YACxCO,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAIU,SAASf,SAASG,OAAO,CAACa,GAAG,CAAC;QAClC,IAAI,CAACD,QAAQ;YACX,MAAME,eAAe,MAAMhB,MAAMN,aAAa;gBAC5CO,QAAQ;gBACRC,SAAS;oBAAEC,QAAQ;oBAAoBC,YAAY;oBAAS,gBAAgB;gBAAmB;gBAC/Fa,MAAM;YACR;YACAH,SAASE,aAAad,OAAO,CAACa,GAAG,CAAC;QACpC;QAEA,IAAI,CAACD,QAAQ,OAAO;QAEpB,MAAMI,QAAQJ,OAAOI,KAAK,CAAC;QAC3B,IAAI,CAACA,SAAS,CAACA,KAAK,CAAC,EAAE,EAAE,OAAO;QAEhC,MAAMC,cAAcD,KAAK,CAAC,EAAE;QAC5B,MAAME,mBAAmB,MAAMpB,MAAMmB,aAAa;YAChDlB,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAI,CAACgB,iBAAiBf,EAAE,EAAE;YACxB,OAAO;QACT;QAEA,OAAQ,MAAMe,iBAAiBb,IAAI;IACrC,EAAE,OAAOM,QAAQ;QACf,OAAO;IACT;AACF;AAEA;;;;;;;;;;CAUC,GACD,OAAO,eAAeQ,oCAAoCC,aAAqB;IAC7E,IAAI;QACF,MAAMjC,SAASH,UAAUoC;QACzB,MAAMC,eAAe,GAAGlC,OAAO,uCAAuC,CAAC;QAEvE,MAAMU,WAAW,MAAMC,MAAMuB,cAAc;YACzCtB,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAI,CAACL,SAASM,EAAE,EAAE;YAChB,OAAO;QACT;QAEA,OAAQ,MAAMN,SAASQ,IAAI;IAC7B,EAAE,OAAOM,QAAQ;QACf,OAAO;IACT;AACF;AAEA;;;;;CAKC,GACD,OAAO,eAAeW,kCAAkC9B,WAAmB;IACzE,IAAI;YAYKwB;QAXP,MAAMnB,WAAW,MAAMC,MAAMN,aAAa;YACxCO,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,MAAMU,SAASf,SAASG,OAAO,CAACa,GAAG,CAAC;QACpC,IAAI,CAACD,QAAQ,OAAO;QAEpB,MAAMI,QAAQJ,OAAOI,KAAK,CAAC;QAC3B,IAAI,CAACA,OAAO,OAAO;QAEnB,QAAOA,UAAAA,KAAK,CAAC,EAAE,cAARA,qBAAAA,UAAY;IACrB,EAAE,OAAOL,QAAQ;QACf,OAAO;IACT;AACF"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/auth/rfc9728-discovery.ts"],"sourcesContent":["/**\n * RFC 9728 Protected Resource Metadata Discovery\n * Probes .well-known/oauth-protected-resource endpoint\n */\n\nimport { joinWellKnown, normalizeUrl } from '../lib/url-utils.ts';\nimport type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n  try {\n    return new URL(url).origin;\n  } catch {\n    // Invalid URL - return as-is for graceful degradation\n    return url;\n  }\n}\n\n/**\n * Extract path from a URL (without origin)\n * @param url - Full URL\n * @returns Path component (e.g., \"/mcp\", \"/api/v1/mcp\") or empty string if no path\n */\nfunction getPath(url: string): string {\n  try {\n    const parsed = new URL(url);\n    // pathname includes leading slash, e.g., \"/mcp\"\n    return parsed.pathname === '/' ? '' : parsed.pathname;\n  } catch {\n    return '';\n  }\n}\n\n/**\n * Normalize a resource URL by stripping query/hash and trailing slashes.\n */\n/**\n * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)\n * Probes .well-known/oauth-protected-resource endpoint\n *\n * Discovery Strategy:\n * 1. Try origin root: {origin}/.well-known/oauth-protected-resource\n * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}\n *\n * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns ProtectedResourceMetadata if discovered, null otherwise\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');\n * // Returns: { resource: \"https://ai.todoist.net/mcp\", authorization_servers: [\"https://todoist.com\"] }\n */\nexport async function discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const normalizedResourceUrl = normalizeUrl(resourceUrl);\n    const headerMetadata = await discoverProtectedResourceMetadataFromHeader(normalizedResourceUrl);\n    if (headerMetadata) return headerMetadata;\n\n    // Strategy 0: Try path-local well-known (supports path-prefixed deployments like /outlook)\n    const localWellKnownUrl = joinWellKnown(normalizedResourceUrl, '/.well-known/oauth-protected-resource');\n    try {\n      const response = await fetch(localWellKnownUrl, {\n        method: 'GET',\n        headers: { Accept: 'application/json', Connection: 'close' },\n      });\n      if (response.ok) {\n        return (await response.json()) as ProtectedResourceMetadata;\n      }\n    } catch {\n      // Continue to origin-based discovery\n    }\n\n    const origin = getOrigin(normalizedResourceUrl);\n    const path = getPath(normalizedResourceUrl);\n\n    // Strategy 1: Try root location (REQUIRED by RFC 9728)\n    const rootUrl = `${origin}/.well-known/oauth-protected-resource`;\n\n    try {\n      const response = await fetch(rootUrl, {\n        method: 'GET',\n        headers: { Accept: 'application/json', Connection: 'close' },\n      });\n\n      if (response.ok) {\n        const metadata = (await response.json()) as ProtectedResourceMetadata;\n        // Check if the discovered resource matches what we're looking for\n        if (metadata.resource === normalizedResourceUrl) {\n          return metadata;\n        }\n        // If there's no path component, return root metadata\n        // (e.g., looking for http://example.com and found it)\n        if (!path) {\n          return metadata;\n        }\n        // If requested URL starts with metadata.resource, the root metadata applies to sub-paths\n        // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)\n        if (normalizedResourceUrl.startsWith(metadata.resource)) {\n          // Still try sub-path location to see if there's more specific metadata\n          // But save root metadata as fallback\n          const rootMetadata = metadata;\n\n          // Try sub-path location for more specific metadata\n          const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n          try {\n            const subPathResponse = await fetch(subPathUrl, {\n              method: 'GET',\n              headers: { Accept: 'application/json', Connection: 'close' },\n            });\n            if (subPathResponse.ok) {\n              return (await subPathResponse.json()) as ProtectedResourceMetadata;\n            }\n          } catch {\n            // Sub-path failed, use root metadata\n          }\n\n          // Return root metadata as it applies to this resource\n          return rootMetadata;\n        }\n        // Otherwise, try sub-path location before giving up\n      }\n    } catch {\n      // Continue to sub-path location\n    }\n\n    // Strategy 2: Try sub-path location (MCP spec extension)\n    // Only try if there's a path component\n    if (path) {\n      const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n\n      try {\n        const response = await fetch(subPathUrl, {\n          method: 'GET',\n          headers: { Accept: 'application/json', Connection: 'close' },\n        });\n\n        if (response.ok) {\n          return (await response.json()) as ProtectedResourceMetadata;\n        }\n      } catch {\n        // Fall through to return null\n      }\n    }\n\n    // Neither location found or resource didn't match\n    return null;\n  } catch (_error) {\n    // Network error, invalid URL, or other failure\n    return null;\n  }\n}\n\nasync function discoverProtectedResourceMetadataFromHeader(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    let header = response.headers.get('www-authenticate');\n    if (!header) {\n      const postResponse = await fetch(resourceUrl, {\n        method: 'POST',\n        headers: { Accept: 'application/json', Connection: 'close', 'Content-Type': 'application/json' },\n        body: '{}',\n      });\n      header = postResponse.headers.get('www-authenticate');\n    }\n\n    if (!header) return null;\n\n    const match = header.match(/resource_metadata=\"([^\"]+)\"/i);\n    if (!match || !match[1]) return null;\n\n    const metadataUrl = match[1];\n    const metadataResponse = await fetch(metadataUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!metadataResponse.ok) {\n      return null;\n    }\n\n    return (await metadataResponse.json()) as ProtectedResourceMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)\n * Probes .well-known/oauth-authorization-server endpoint\n *\n * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)\n * @returns AuthorizationServerMetadata if discovered, null otherwise\n *\n * @example\n * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');\n * // Returns: { issuer: \"https://todoist.com\", authorization_endpoint: \"...\", ... }\n */\nexport async function discoverAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata | null> {\n  try {\n    const normalizedAuthServerUrl = normalizeUrl(authServerUrl);\n    const localWellKnownUrl = joinWellKnown(normalizedAuthServerUrl, '/.well-known/oauth-authorization-server');\n    const localResponse = await fetch(localWellKnownUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (localResponse.ok) {\n      return (await localResponse.json()) as AuthorizationServerMetadata;\n    }\n\n    const origin = getOrigin(normalizedAuthServerUrl);\n    const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;\n\n    const response = await fetch(wellKnownUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    return (await response.json()) as AuthorizationServerMetadata;\n  } catch (_error) {\n    return null;\n  }\n}\n\n/**\n * Discover OAuth Authorization Server Issuer from resource response (RFC 9207)\n *\n * @param resourceUrl - URL of the protected resource\n * @returns Issuer URL if present in WWW-Authenticate header, null otherwise\n */\nexport async function discoverAuthorizationServerIssuer(resourceUrl: string): Promise<string | null> {\n  try {\n    const response = await fetch(resourceUrl, {\n      method: 'GET',\n      headers: { Accept: 'application/json', Connection: 'close' },\n    });\n\n    const header = response.headers.get('www-authenticate');\n    if (!header) return null;\n\n    const match = header.match(/(?:authorization_server|issuer)=\"([^\"]+)\"/i);\n    if (!match) return null;\n\n    return match[1] ?? null;\n  } catch (_error) {\n    return null;\n  }\n}\n"],"names":["joinWellKnown","normalizeUrl","getOrigin","url","URL","origin","getPath","parsed","pathname","discoverProtectedResourceMetadata","resourceUrl","normalizedResourceUrl","headerMetadata","discoverProtectedResourceMetadataFromHeader","localWellKnownUrl","response","fetch","method","headers","Accept","Connection","ok","json","path","rootUrl","metadata","resource","startsWith","rootMetadata","subPathUrl","subPathResponse","_error","header","get","postResponse","body","match","metadataUrl","metadataResponse","discoverAuthorizationServerMetadata","authServerUrl","normalizedAuthServerUrl","localResponse","wellKnownUrl","discoverAuthorizationServerIssuer"],"mappings":"AAAA;;;CAGC,GAED,SAASA,aAAa,EAAEC,YAAY,QAAQ,sBAAsB;AAGlE;;;;;;;;CAQC,GACD,SAASC,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,OAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;CAIC,GACD,SAASG,QAAQH,GAAW;IAC1B,IAAI;QACF,MAAMI,SAAS,IAAIH,IAAID;QACvB,gDAAgD;QAChD,OAAOI,OAAOC,QAAQ,KAAK,MAAM,KAAKD,OAAOC,QAAQ;IACvD,EAAE,OAAM;QACN,OAAO;IACT;AACF;AAEA;;CAEC,GACD;;;;;;;;;;;;;;;CAeC,GACD,OAAO,eAAeC,kCAAkCC,WAAmB;IACzE,IAAI;QACF,MAAMC,wBAAwBV,aAAaS;QAC3C,MAAME,iBAAiB,MAAMC,4CAA4CF;QACzE,IAAIC,gBAAgB,OAAOA;QAE3B,2FAA2F;QAC3F,MAAME,oBAAoBd,cAAcW,uBAAuB;QAC/D,IAAI;YACF,MAAMI,WAAW,MAAMC,MAAMF,mBAAmB;gBAC9CG,QAAQ;gBACRC,SAAS;oBAAEC,QAAQ;oBAAoBC,YAAY;gBAAQ;YAC7D;YACA,IAAIL,SAASM,EAAE,EAAE;gBACf,OAAQ,MAAMN,SAASO,IAAI;YAC7B;QACF,EAAE,OAAM;QACN,qCAAqC;QACvC;QAEA,MAAMjB,SAASH,UAAUS;QACzB,MAAMY,OAAOjB,QAAQK;QAErB,uDAAuD;QACvD,MAAMa,UAAU,GAAGnB,OAAO,qCAAqC,CAAC;QAEhE,IAAI;YACF,MAAMU,WAAW,MAAMC,MAAMQ,SAAS;gBACpCP,QAAQ;gBACRC,SAAS;oBAAEC,QAAQ;oBAAoBC,YAAY;gBAAQ;YAC7D;YAEA,IAAIL,SAASM,EAAE,EAAE;gBACf,MAAMI,WAAY,MAAMV,SAASO,IAAI;gBACrC,kEAAkE;gBAClE,IAAIG,SAASC,QAAQ,KAAKf,uBAAuB;oBAC/C,OAAOc;gBACT;gBACA,qDAAqD;gBACrD,sDAAsD;gBACtD,IAAI,CAACF,MAAM;oBACT,OAAOE;gBACT;gBACA,yFAAyF;gBACzF,8EAA8E;gBAC9E,IAAId,sBAAsBgB,UAAU,CAACF,SAASC,QAAQ,GAAG;oBACvD,uEAAuE;oBACvE,qCAAqC;oBACrC,MAAME,eAAeH;oBAErB,mDAAmD;oBACnD,MAAMI,aAAa,GAAGxB,OAAO,qCAAqC,EAAEkB,MAAM;oBAC1E,IAAI;wBACF,MAAMO,kBAAkB,MAAMd,MAAMa,YAAY;4BAC9CZ,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;wBACA,IAAIU,gBAAgBT,EAAE,EAAE;4BACtB,OAAQ,MAAMS,gBAAgBR,IAAI;wBACpC;oBACF,EAAE,OAAM;oBACN,qCAAqC;oBACvC;oBAEA,sDAAsD;oBACtD,OAAOM;gBACT;YACA,oDAAoD;YACtD;QACF,EAAE,OAAM;QACN,gCAAgC;QAClC;QAEA,yDAAyD;QACzD,uCAAuC;QACvC,IAAIL,MAAM;YACR,MAAMM,aAAa,GAAGxB,OAAO,qCAAqC,EAAEkB,MAAM;YAE1E,IAAI;gBACF,MAAMR,WAAW,MAAMC,MAAMa,YAAY;oBACvCZ,QAAQ;oBACRC,SAAS;wBAAEC,QAAQ;wBAAoBC,YAAY;oBAAQ;gBAC7D;gBAEA,IAAIL,SAASM,EAAE,EAAE;oBACf,OAAQ,MAAMN,SAASO,IAAI;gBAC7B;YACF,EAAE,OAAM;YACN,8BAA8B;YAChC;QACF;QAEA,kDAAkD;QAClD,OAAO;IACT,EAAE,OAAOS,QAAQ;QACf,+CAA+C;QAC/C,OAAO;IACT;AACF;AAEA,eAAelB,4CAA4CH,WAAmB;IAC5E,IAAI;QACF,MAAMK,WAAW,MAAMC,MAAMN,aAAa;YACxCO,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAIY,SAASjB,SAASG,OAAO,CAACe,GAAG,CAAC;QAClC,IAAI,CAACD,QAAQ;YACX,MAAME,eAAe,MAAMlB,MAAMN,aAAa;gBAC5CO,QAAQ;gBACRC,SAAS;oBAAEC,QAAQ;oBAAoBC,YAAY;oBAAS,gBAAgB;gBAAmB;gBAC/Fe,MAAM;YACR;YACAH,SAASE,aAAahB,OAAO,CAACe,GAAG,CAAC;QACpC;QAEA,IAAI,CAACD,QAAQ,OAAO;QAEpB,MAAMI,QAAQJ,OAAOI,KAAK,CAAC;QAC3B,IAAI,CAACA,SAAS,CAACA,KAAK,CAAC,EAAE,EAAE,OAAO;QAEhC,MAAMC,cAAcD,KAAK,CAAC,EAAE;QAC5B,MAAME,mBAAmB,MAAMtB,MAAMqB,aAAa;YAChDpB,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAI,CAACkB,iBAAiBjB,EAAE,EAAE;YACxB,OAAO;QACT;QAEA,OAAQ,MAAMiB,iBAAiBhB,IAAI;IACrC,EAAE,OAAOS,QAAQ;QACf,OAAO;IACT;AACF;AAEA;;;;;;;;;;CAUC,GACD,OAAO,eAAeQ,oCAAoCC,aAAqB;IAC7E,IAAI;QACF,MAAMC,0BAA0BxC,aAAauC;QAC7C,MAAM1B,oBAAoBd,cAAcyC,yBAAyB;QACjE,MAAMC,gBAAgB,MAAM1B,MAAMF,mBAAmB;YACnDG,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAIsB,cAAcrB,EAAE,EAAE;YACpB,OAAQ,MAAMqB,cAAcpB,IAAI;QAClC;QAEA,MAAMjB,SAASH,UAAUuC;QACzB,MAAME,eAAe,GAAGtC,OAAO,uCAAuC,CAAC;QAEvE,MAAMU,WAAW,MAAMC,MAAM2B,cAAc;YACzC1B,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAI,CAACL,SAASM,EAAE,EAAE;YAChB,OAAO;QACT;QAEA,OAAQ,MAAMN,SAASO,IAAI;IAC7B,EAAE,OAAOS,QAAQ;QACf,OAAO;IACT;AACF;AAEA;;;;;CAKC,GACD,OAAO,eAAea,kCAAkClC,WAAmB;IACzE,IAAI;YAYK0B;QAXP,MAAMrB,WAAW,MAAMC,MAAMN,aAAa;YACxCO,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,MAAMY,SAASjB,SAASG,OAAO,CAACe,GAAG,CAAC;QACpC,IAAI,CAACD,QAAQ,OAAO;QAEpB,MAAMI,QAAQJ,OAAOI,KAAK,CAAC;QAC3B,IAAI,CAACA,OAAO,OAAO;QAEnB,QAAOA,UAAAA,KAAK,CAAC,EAAE,cAARA,qBAAAA,UAAY;IACrB,EAAE,OAAOL,QAAQ;QACf,OAAO;IACT;AACF"}

package/dist/esm/lib/url-utils.d.ts

@@ -0,0 +1,2 @@
+export declare function normalizeUrl(input: string): string;
+export declare function joinWellKnown(baseUrl: string, suffix: string): string;

package/dist/esm/lib/url-utils.js

@@ -0,0 +1,14 @@
+export function normalizeUrl(input) {
+    try {
+        const url = new URL(input);
+        url.search = '';
+        url.hash = '';
+        url.pathname = url.pathname.replace(/\/+$/, '');
+        return url.origin + url.pathname;
+    } catch  {
+        return input.replace(/\/+$/, '');
+    }
+}
+export function joinWellKnown(baseUrl, suffix) {
+    return `${normalizeUrl(baseUrl)}${suffix}`;
+}

package/dist/esm/lib/url-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/client/src/lib/url-utils.ts"],"sourcesContent":["export function normalizeUrl(input: string): string {\n  try {\n    const url = new URL(input);\n    url.search = '';\n    url.hash = '';\n    url.pathname = url.pathname.replace(/\\/+$/, '');\n    return url.origin + url.pathname;\n  } catch {\n    return input.replace(/\\/+$/, '');\n  }\n}\n\nexport function joinWellKnown(baseUrl: string, suffix: string): string {\n  return `${normalizeUrl(baseUrl)}${suffix}`;\n}\n"],"names":["normalizeUrl","input","url","URL","search","hash","pathname","replace","origin","joinWellKnown","baseUrl","suffix"],"mappings":"AAAA,OAAO,SAASA,aAAaC,KAAa;IACxC,IAAI;QACF,MAAMC,MAAM,IAAIC,IAAIF;QACpBC,IAAIE,MAAM,GAAG;QACbF,IAAIG,IAAI,GAAG;QACXH,IAAII,QAAQ,GAAGJ,IAAII,QAAQ,CAACC,OAAO,CAAC,QAAQ;QAC5C,OAAOL,IAAIM,MAAM,GAAGN,IAAII,QAAQ;IAClC,EAAE,OAAM;QACN,OAAOL,MAAMM,OAAO,CAAC,QAAQ;IAC/B;AACF;AAEA,OAAO,SAASE,cAAcC,OAAe,EAAEC,MAAc;IAC3D,OAAO,GAAGX,aAAaU,WAAWC,QAAQ;AAC5C"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-z/client",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "Programmatic MCP client library for Node.js - connect, discover, and call tools on Model Context Protocol servers.",
   "keywords": [
     "mcp",