@nado-language/mcp 0.1.3 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -0
- package/dist/nado-mcp-auth.mjs +34 -10
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -54,6 +54,8 @@ NADO_MCP_REFRESH_TOKEN='supabase-user-refresh-token'
|
|
|
54
54
|
|
|
55
55
|
By default this uses the existing Azure Static Web Apps production site as a static OAuth relay. It does not require a new Azure Function, App Service, database, or paid runtime. The local helper still receives the final callback on `127.0.0.1`; Azure only serves the static relay page.
|
|
56
56
|
|
|
57
|
+
The installed CLI opens the Nado relay page first. The relay stores the local callback in browser session storage, then sends Supabase a fixed redirect URL. This avoids Supabase rejecting a dynamic `redirect_to` URL with `local_callback` query parameters and falling back to the normal Nado web site.
|
|
58
|
+
|
|
57
59
|
The MCP server refreshes expired access tokens with `NADO_MCP_REFRESH_TOKEN` and updates the auth file when Supabase rotates the refresh token.
|
|
58
60
|
|
|
59
61
|
Supported local browser providers are `google`, `kakao`, and `apple`. Naver login is not available in the local MCP flow yet because the current Naver Edge Function uses fixed web/native redirect URLs.
|
|
@@ -64,6 +66,8 @@ Supabase Auth must allow the Azure relay redirect URL:
|
|
|
64
66
|
https://language.nado.ai.kr/auth/mcp-callback
|
|
65
67
|
```
|
|
66
68
|
|
|
69
|
+
Register the exact URL above. Do not include `local_callback`, `provider`, or other query parameters in the Supabase allow list.
|
|
70
|
+
|
|
67
71
|
For direct local callback mode, run with `--redirect-mode local` and allow:
|
|
68
72
|
|
|
69
73
|
```text
|
package/dist/nado-mcp-auth.mjs
CHANGED
|
@@ -183,19 +183,18 @@ async function login(options) {
|
|
|
183
183
|
|
|
184
184
|
const localCallbackUrl = new URL(`http://127.0.0.1:${address.port}/callback`);
|
|
185
185
|
localCallbackUrl.searchParams.set('state', state);
|
|
186
|
-
const
|
|
187
|
-
|
|
188
|
-
supabaseUrl: options.supabaseUrl,
|
|
186
|
+
const browserUrl = buildBrowserLoginUrl({
|
|
187
|
+
options,
|
|
189
188
|
provider,
|
|
190
|
-
|
|
189
|
+
localCallbackUrl: localCallbackUrl.toString(),
|
|
191
190
|
codeChallenge,
|
|
192
191
|
});
|
|
193
192
|
|
|
194
193
|
console.log(`Opening browser for Nado MCP login (${provider}).`);
|
|
195
194
|
console.log(`Local callback: ${localCallbackUrl.toString()}`);
|
|
196
195
|
if (options.redirectMode === 'azure') console.log(`Azure relay: ${options.relayUrl}`);
|
|
197
|
-
if (!options.noOpen) openBrowser(
|
|
198
|
-
console.log(`If the browser did not open, visit:\n${
|
|
196
|
+
if (!options.noOpen) openBrowser(browserUrl);
|
|
197
|
+
console.log(`If the browser did not open, visit:\n${browserUrl}`);
|
|
199
198
|
|
|
200
199
|
let timeoutId;
|
|
201
200
|
const timeout = new Promise((_, reject) => {
|
|
@@ -217,18 +216,39 @@ function loginTimeoutError(options) {
|
|
|
217
216
|
'Timed out waiting for browser login.',
|
|
218
217
|
`Rerun \`nado-mcp login --provider ${options.provider} --timeout-ms 900000\` and keep the terminal open until the browser says login completed.`,
|
|
219
218
|
'If the browser did not open, copy the printed URL into the same desktop browser where you can sign in.',
|
|
220
|
-
'If
|
|
219
|
+
'If Google login succeeds but the browser lands on the normal Nado site, upgrade @nado-language/mcp and confirm Supabase Auth allows the exact relay URL without query parameters.',
|
|
220
|
+
'If it still times out after the relay page says it is returning to the local helper, check that the browser can reach the printed 127.0.0.1 local callback URL.',
|
|
221
221
|
].join(' '));
|
|
222
222
|
}
|
|
223
223
|
|
|
224
|
-
function
|
|
225
|
-
if (options.redirectMode === 'local')
|
|
224
|
+
function buildBrowserLoginUrl({ options, provider, localCallbackUrl, codeChallenge }) {
|
|
225
|
+
if (options.redirectMode === 'local') {
|
|
226
|
+
return buildAuthorizeUrl({
|
|
227
|
+
supabaseUrl: options.supabaseUrl,
|
|
228
|
+
provider,
|
|
229
|
+
redirectTo: localCallbackUrl,
|
|
230
|
+
codeChallenge,
|
|
231
|
+
});
|
|
232
|
+
}
|
|
233
|
+
|
|
234
|
+
return buildRelayStartUrl({
|
|
235
|
+
relayUrl: options.relayUrl,
|
|
236
|
+
localCallbackUrl,
|
|
237
|
+
provider,
|
|
238
|
+
supabaseUrl: options.supabaseUrl,
|
|
239
|
+
codeChallenge,
|
|
240
|
+
});
|
|
241
|
+
}
|
|
226
242
|
|
|
227
|
-
|
|
243
|
+
function buildRelayStartUrl({ relayUrl: value, localCallbackUrl, provider, supabaseUrl, codeChallenge }) {
|
|
244
|
+
const relayUrl = new URL(value);
|
|
228
245
|
if (relayUrl.protocol !== 'https:') {
|
|
229
246
|
throw new Error('--relay-url must be an HTTPS URL when --redirect-mode azure is used.');
|
|
230
247
|
}
|
|
231
248
|
relayUrl.searchParams.set('local_callback', localCallbackUrl);
|
|
249
|
+
relayUrl.searchParams.set('provider', provider);
|
|
250
|
+
relayUrl.searchParams.set('supabase_url', supabaseUrl);
|
|
251
|
+
relayUrl.searchParams.set('code_challenge', codeChallenge);
|
|
232
252
|
return relayUrl.toString();
|
|
233
253
|
}
|
|
234
254
|
|
|
@@ -498,6 +518,10 @@ Default mode uses the existing Azure Static Web Apps site as a zero-new-resource
|
|
|
498
518
|
OAuth relay. Supabase Auth must allow this redirect URL:
|
|
499
519
|
${DEFAULT_RELAY_URL}
|
|
500
520
|
|
|
521
|
+
The relay starts login with local state in browser sessionStorage, then sends
|
|
522
|
+
Supabase the fixed redirect URL above. Do not add local_callback query strings
|
|
523
|
+
to the Supabase allow list.
|
|
524
|
+
|
|
501
525
|
The optional local mode requires Supabase Auth to allow:
|
|
502
526
|
http://127.0.0.1:*/callback
|
|
503
527
|
`);
|