@mhingston5/conduit 1.1.6 → 1.1.7

package/README.md

@@ -66,6 +66,20 @@ upstreams:
   - id: github
     type: http
     url: "http://localhost:3000/mcp"
+
+  # Remote MCP servers that use Streamable HTTP (preferred) / SSE:
+  - id: atlassian
+    type: streamableHttp
+    url: "https://mcp.atlassian.com/v1/sse"
+    credentials:
+      type: oauth2
+      clientId: ${ATLASSIAN_CLIENT_ID}
+      clientSecret: ${ATLASSIAN_CLIENT_SECRET}
+      tokenUrl: "https://auth.atlassian.com/oauth/token"
+      refreshToken: ${ATLASSIAN_REFRESH_TOKEN}
+      # Atlassian expects JSON token requests:
+      tokenRequestFormat: json
+
   - id: slack
     type: http
     url: "https://your-mcp-server/mcp"
@@ -75,7 +89,8 @@ upstreams:
       clientSecret: ${SLACK_CLIENT_SECRET}
       tokenUrl: "https://slack.com/api/oauth.v2.access"
       refreshToken: ${SLACK_REFRESH_TOKEN}
-    # Or use local stdio for testing:
+
+  # Or use local stdio for testing:
   - id: filesystem
     type: stdio
     command: npx
@@ -93,10 +108,23 @@ npx conduit auth \
   --auth-url <url> \
   --token-url <url> \
   --scopes <scopes>
+
+For Atlassian (3LO), include `offline_access` and set the audience:
+
+```bash
+npx conduit auth \
+  --client-id <id> \
+  --client-secret <secret> \
+  --auth-url "https://auth.atlassian.com/authorize?audience=api.atlassian.com&prompt=consent" \
+  --token-url "https://auth.atlassian.com/oauth/token" \
+  --scopes "offline_access,read:me"
+```
 ```
 
 This will start a temporary local server, open your browser for authorization, and print the generated `credentials` block for your `conduit.yaml`.
 
+Note: some providers (including Atlassian) use rotating refresh tokens. Conduit will cache the latest refresh token in-memory while running, but it does not currently persist the rotated token back into `conduit.yaml`. If you restart Conduit and your old refresh token has expired/rotated, re-run `conduit auth` and update your config.
+
 For GitHub MCP (remote server OAuth), you can auto-discover endpoints and use PKCE:
 
 ```bash

package/dist/index.js

@@ -29,6 +29,8 @@ var UpstreamCredentialsSchema = z.object({
   tokenUrl: z.string().optional(),
   refreshToken: z.string().optional(),
   scopes: z.array(z.string()).optional(),
+  tokenRequestFormat: z.enum(["form", "json"]).optional(),
+  tokenParams: z.record(z.string(), z.string()).optional(),
   apiKey: z.string().optional(),
   bearerToken: z.string().optional(),
   headerName: z.string().optional()
@@ -39,6 +41,18 @@ var HttpUpstreamSchema = z.object({
   url: z.string(),
   credentials: UpstreamCredentialsSchema.optional()
 });
+var StreamableHttpUpstreamSchema = z.object({
+  id: z.string(),
+  type: z.literal("streamableHttp"),
+  url: z.string(),
+  credentials: UpstreamCredentialsSchema.optional()
+});
+var SseUpstreamSchema = z.object({
+  id: z.string(),
+  type: z.literal("sse"),
+  url: z.string(),
+  credentials: UpstreamCredentialsSchema.optional()
+});
 var StdioUpstreamSchema = z.object({
   id: z.string(),
   type: z.literal("stdio"),
@@ -46,7 +60,12 @@ var StdioUpstreamSchema = z.object({
   args: z.array(z.string()).optional(),
   env: z.record(z.string(), z.string()).optional()
 });
-var UpstreamInfoSchema = z.union([HttpUpstreamSchema, StdioUpstreamSchema]);
+var UpstreamInfoSchema = z.union([
+  HttpUpstreamSchema,
+  StreamableHttpUpstreamSchema,
+  SseUpstreamSchema,
+  StdioUpstreamSchema
+]);
 var ConfigSchema = z.object({
   port: z.union([z.string(), z.number()]).default("3000").transform((v) => Number(v)),
   nodeEnv: z.enum(["development", "production", "test"]).default("development"),
@@ -1061,6 +1080,8 @@ var RequestController = class {
 import axios2 from "axios";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { z as z2 } from "zod";
 var UpstreamClient = class {
   logger;
@@ -1092,11 +1113,60 @@ var UpstreamClient = class {
       }, {
         capabilities: {}
       });
+      return;
+    }
+    if (this.info.type === "streamableHttp") {
+      this.transport = new StreamableHTTPClientTransport(new URL(this.info.url), {
+        fetch: this.createAuthedFetch()
+      });
+      this.mcpClient = new Client({
+        name: "conduit-gateway",
+        version: "1.0.0"
+      }, {
+        capabilities: {}
+      });
+      return;
+    }
+    if (this.info.type === "sse") {
+      this.mcpClient = new Client({
+        name: "conduit-gateway",
+        version: "1.0.0"
+      }, {
+        capabilities: {}
+      });
     }
   }
+  createAuthedFetch() {
+    const creds = this.info.credentials;
+    if (!creds) return fetch;
+    return async (input, init = {}) => {
+      const headers = new Headers(init.headers || {});
+      const authHeaders = await this.authService.getAuthHeaders(creds);
+      for (const [k, v] of Object.entries(authHeaders)) {
+        headers.set(k, v);
+      }
+      return fetch(input, { ...init, headers });
+    };
+  }
   async ensureConnected() {
-    if (!this.mcpClient || !this.transport) return;
+    if (!this.mcpClient) return;
+    if (!this.transport && this.info.type === "sse") {
+      const authHeaders = this.info.credentials ? await this.authService.getAuthHeaders(this.info.credentials) : {};
+      this.transport = new SSEClientTransport(new URL(this.info.url), {
+        fetch: this.createAuthedFetch(),
+        eventSourceInit: { headers: authHeaders },
+        requestInit: { headers: authHeaders }
+      });
+    }
+    if (!this.transport) return;
     if (this.connected) return;
+    if (this.info.type === "streamableHttp" || this.info.type === "sse") {
+      const securityResult = await this.urlValidator.validateUrl(this.info.url);
+      if (!securityResult.valid) {
+        this.logger.error({ url: this.info.url }, "Blocked upstream URL (SSRF)");
+        throw new Error(securityResult.message || "Forbidden URL");
+      }
+    }
     try {
       this.logger.debug("Connecting to upstream transport...");
       await this.mcpClient.connect(this.transport);
@@ -1108,16 +1178,15 @@ var UpstreamClient = class {
     }
   }
   async call(request, context) {
-    const isStdio = (info) => info.type === "stdio";
-    if (isStdio(this.info)) {
-      return this.callStdio(request);
-    } else {
-      return this.callHttp(request, context);
+    const usesMcpClientTransport = (info) => info.type === "stdio" || info.type === "streamableHttp" || info.type === "sse";
+    if (usesMcpClientTransport(this.info)) {
+      return this.callMcpClient(request);
     }
+    return this.callHttp(request, context);
   }
-  async callStdio(request) {
+  async callMcpClient(request) {
     if (!this.mcpClient) {
-      return { jsonrpc: "2.0", id: request.id, error: { code: -32603, message: "Stdio client not initialized" } };
+      return { jsonrpc: "2.0", id: request.id, error: { code: -32603, message: "MCP client not initialized" } };
     }
     try {
       await this.ensureConnected();
@@ -1157,19 +1226,21 @@ var UpstreamClient = class {
         };
       }
     } catch (error) {
-      this.logger.error({ err: error }, "Stdio call failed");
+      this.logger.error({ err: error }, "MCP call failed");
       return {
         jsonrpc: "2.0",
         id: request.id,
         error: {
           code: error.code || -32603,
-          message: error.message || "Internal error in stdio transport"
+          message: error.message || "Internal error in MCP transport"
         }
       };
     }
   }
   async callHttp(request, context) {
-    if (this.info.type === "stdio") throw new Error("Unreachable");
+    if (this.info.type === "stdio" || this.info.type === "streamableHttp" || this.info.type === "sse") {
+      throw new Error("Unreachable");
+    }
     const url = this.info.url;
     const headers = {
       "Content-Type": "application/json",
@@ -1218,7 +1289,7 @@ var UpstreamClient = class {
     }
   }
   async getManifest(context) {
-    if (this.info.type !== "http") return null;
+    if (this.info.type && this.info.type !== "http") return null;
     try {
       const baseUrl = this.info.url.replace(/\/$/, "");
       const manifestUrl = `${baseUrl}/conduit.manifest.json`;
@@ -1258,6 +1329,8 @@ var AuthService = class {
   logger;
   // Cache tokens separately from credentials to avoid mutation
   tokenCache = /* @__PURE__ */ new Map();
+  // Keep the latest refresh token in-memory (rotating tokens)
+  refreshTokenCache = /* @__PURE__ */ new Map();
   // Prevent concurrent refresh requests for the same client
   refreshLocks = /* @__PURE__ */ new Map();
   constructor(logger) {
@@ -1302,25 +1375,53 @@ var AuthService = class {
     }
     this.logger.info({ tokenUrl: creds.tokenUrl, clientId: creds.clientId }, "Refreshing OAuth2 token");
     try {
-      const body = new URLSearchParams();
-      body.set("grant_type", "refresh_token");
-      body.set("refresh_token", creds.refreshToken);
-      body.set("client_id", creds.clientId);
+      const tokenUrl = creds.tokenUrl;
+      const cachedRefreshToken = this.refreshTokenCache.get(cacheKey);
+      const refreshToken = cachedRefreshToken || creds.refreshToken;
+      if (!refreshToken) {
+        throw new Error("OAuth2 credentials missing required fields for refresh");
+      }
+      const payload = {
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: creds.clientId
+      };
       if (creds.clientSecret) {
-        body.set("client_secret", creds.clientSecret);
+        payload.client_secret = creds.clientSecret;
       }
-      const response = await axios3.post(creds.tokenUrl, body, {
+      if (creds.tokenParams) {
+        Object.assign(payload, creds.tokenParams);
+      }
+      const requestFormat = (() => {
+        if (creds.tokenRequestFormat) return creds.tokenRequestFormat;
+        try {
+          const hostname = new URL(tokenUrl).hostname;
+          if (hostname === "auth.atlassian.com") return "json";
+        } catch {
+        }
+        return "form";
+      })();
+      const response = requestFormat === "json" ? await axios3.post(tokenUrl, payload, {
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      }) : await axios3.post(tokenUrl, new URLSearchParams(payload), {
         headers: {
           "Content-Type": "application/x-www-form-urlencoded",
           "Accept": "application/json"
         }
       });
-      const { access_token, expires_in } = response.data;
-      const expiresInSeconds = Number(expires_in) || 3600;
+      const { access_token, expires_in, refresh_token } = response.data;
+      const expiresInRaw = Number(expires_in);
+      const expiresInSeconds = Number.isFinite(expiresInRaw) ? expiresInRaw : 3600;
       this.tokenCache.set(cacheKey, {
         accessToken: access_token,
         expiresAt: Date.now() + expiresInSeconds * 1e3
       });
+      if (typeof refresh_token === "string" && refresh_token.length > 0) {
+        this.refreshTokenCache.set(cacheKey, refresh_token);
+      }
       return `Bearer ${access_token}`;
     } catch (err) {
       const errorMsg = err.response?.data?.error_description || err.response?.data?.error || err.message;
@@ -1545,11 +1646,18 @@ var GatewayService = class {
     }
     let tools = this.schemaCache.get(packageId);
     if (!tools) {
-      try {
-        const manifest = await client.getManifest(context);
-        if (manifest && manifest.tools) {
-          tools = manifest.tools;
-        } else {
+      if (typeof client.getManifest === "function") {
+        try {
+          const manifest = await client.getManifest(context);
+          if (manifest && manifest.tools) {
+            tools = manifest.tools;
+          }
+        } catch (e) {
+          this.logger.debug({ upstreamId: packageId, err: e.message }, "Manifest fetch failed (will fallback)");
+        }
+      }
+      if (!tools) {
+        try {
           if (typeof client.listTools === "function") {
             tools = await client.listTools();
           } else {
@@ -1564,13 +1672,13 @@ var GatewayService = class {
               this.logger.warn({ upstreamId: packageId, error: response.error }, "Failed to discover tools via RPC");
             }
           }
+        } catch (e) {
+          this.logger.error({ upstreamId: packageId, err: e.message }, "Error during tool discovery");
         }
-        if (tools && tools.length > 0) {
-          this.schemaCache.set(packageId, tools);
-          this.logger.info({ upstreamId: packageId, toolCount: tools.length }, "Discovered tools from upstream");
-        }
-      } catch (e) {
-        this.logger.error({ upstreamId: packageId, err: e.message }, "Error during tool discovery");
+      }
+      if (tools && tools.length > 0) {
+        this.schemaCache.set(packageId, tools);
+        this.logger.info({ upstreamId: packageId, toolCount: tools.length }, "Discovered tools from upstream");
       }
     }
     if (!tools) tools = [];
@@ -3446,21 +3554,29 @@ async function handleAuth(options) {
         return;
       }
       try {
-        const body = new URLSearchParams();
-        body.set("grant_type", "authorization_code");
-        body.set("code", code);
-        body.set("redirect_uri", redirectUri);
-        body.set("client_id", options.clientId);
+        const payload = {
+          grant_type: "authorization_code",
+          code,
+          redirect_uri: redirectUri,
+          client_id: options.clientId
+        };
         if (options.clientSecret) {
-          body.set("client_secret", options.clientSecret);
+          payload.client_secret = options.clientSecret;
         }
         if (codeVerifier) {
-          body.set("code_verifier", codeVerifier);
+          payload.code_verifier = codeVerifier;
         }
         if (resolvedResource) {
-          body.set("resource", resolvedResource);
+          payload.resource = resolvedResource;
         }
-        const response = await axios4.post(resolvedTokenUrl, body, {
+        const tokenHostname = new URL(resolvedTokenUrl).hostname;
+        const useJson = tokenHostname === "auth.atlassian.com";
+        const response = useJson ? await axios4.post(resolvedTokenUrl, payload, {
+          headers: {
+            "Content-Type": "application/json",
+            "Accept": "application/json"
+          }
+        }) : await axios4.post(resolvedTokenUrl, new URLSearchParams(payload), {
           headers: {
             "Content-Type": "application/x-www-form-urlencoded",
             "Accept": "application/json"