npm - @nado-language/mcp - Versions diffs - 0.1.5 → 0.1.6 - Mend

@nado-language/mcp 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +8 -7
package/dist/nado-language-server.mjs +1 -1
package/dist/nado-mcp-auth.mjs +108 -16
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -42,25 +42,25 @@ nado-mcp login
 Source checkout alias:
 ```bash
-npm run mcp:nado:auth -- --provider google
+npm run mcp:nado:auth
 ```
-This opens the provider login page, relays the Supabase OAuth callback through the existing Azure Static Web Apps site, receives the final callback on `127.0.0.1`, and writes ignored local tokens to the user's OS config directory for package installs or `.env.mcp.local` in a repo checkout:
+This opens the Nado web connect page. The user signs in there with any login method already supported by Nado, then the page sends the browser session to the local `127.0.0.1` helper and writes ignored local tokens to the user's OS config directory for package installs or `.env.mcp.local` in a repo checkout:
 ```bash
 NADO_MCP_ACCESS_TOKEN='supabase-user-access-token'
 NADO_MCP_REFRESH_TOKEN='supabase-user-refresh-token'
 ```
-By default this uses the existing Azure Static Web Apps production site as a static OAuth relay. It does not require a new Azure Function, App Service, database, or paid runtime. The local helper still receives the final callback on `127.0.0.1`; Azure only serves the static relay page.
+By default this uses the existing Azure Static Web Apps production site as a provider-neutral connect page. It does not require a new Azure Function, App Service, database, or paid runtime. The browser posts the session directly to the local helper; tokens are not placed in the browser URL.
-The installed CLI opens the Nado relay page first. The relay stores the local callback in browser session storage, then sends Supabase a fixed redirect URL. This avoids Supabase rejecting a dynamic `redirect_to` URL with `local_callback` query parameters and falling back to the normal Nado web site.
+Legacy direct OAuth remains available with `nado-mcp login --provider google|kakao|apple`, but normal users should omit `--provider`.
 The MCP server refreshes expired access tokens with `NADO_MCP_REFRESH_TOKEN` and updates the auth file when Supabase rotates the refresh token.
-Supported local browser providers are `google`, `kakao`, and `apple`. Naver login is not available in the local MCP flow yet because the current Naver Edge Function uses fixed web/native redirect URLs.
+Supported web login methods are the same as Nado web login, including Google, Kakao, Naver, and Apple.
-Supabase Auth must allow the Azure relay redirect URL:
+Legacy direct OAuth provider mode requires Supabase Auth to allow the Azure relay redirect URL:
 ```text
 https://language.nado.ai.kr/auth/mcp-callback
@@ -94,7 +94,7 @@ If the browser shows an error about an old, incomplete, truncated, or invalid PK
 ```bash
 npm install --global @nado-language/mcp@latest
 nado-mcp --version
-nado-mcp login --provider google
+nado-mcp login
 ```
 Manual access-token option:
@@ -128,6 +128,7 @@ Optional environment:
 ```bash
 export NADO_MCP_SUPABASE_URL='https://ptbwzhxifxdnfmqsiugi.supabase.co'
 export NADO_MCP_SUPABASE_ANON_KEY='...'
+export NADO_MCP_CONNECT_URL='https://language.nado.ai.kr/mcp/connect'
 export NADO_MCP_AUTH_RELAY_URL='https://language.nado.ai.kr/auth/mcp-callback'
 ```

package/dist/nado-language-server.mjs CHANGED Viewed

@@ -257,7 +257,7 @@ async function getAccessToken() {
   const email = clampText(env.NADO_MCP_EMAIL || '', 320);
   const password = env.NADO_MCP_PASSWORD || '';
   if (!email || !password) {
-    throw new Error('AUTH_NOT_CONFIGURED: run `nado-mcp login`, or in a repo checkout run `npm run mcp:nado:auth -- --provider google`, before using Nado MCP tools.');
+    throw new Error('AUTH_NOT_CONFIGURED: run `nado-mcp login`, or in a repo checkout run `npm run mcp:nado:auth`, before using Nado MCP tools.');
   }
   if (cachedPasswordGrant && cachedPasswordGrant.expiresAt > Date.now() + 60_000) {

package/dist/nado-mcp-auth.mjs CHANGED Viewed

@@ -11,6 +11,7 @@ import { fileURLToPath } from 'node:url';
 const DEFAULT_SUPABASE_URL = 'https://ptbwzhxifxdnfmqsiugi.supabase.co';
 const DEFAULT_SUPABASE_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InB0Ynd6aHhpZnhkbmZtcXNpdWdpIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzU1MTU4MjEsImV4cCI6MjA5MTA5MTgyMX0.c0SU8lvIb8BbwhYyI529dn7tQUfwTl1cGqeahGKaD_g';
 const DEFAULT_RELAY_URL = 'https://language.nado.ai.kr/auth/mcp-callback';
+const DEFAULT_CONNECT_URL = 'https://language.nado.ai.kr/mcp/connect';
 const SUPPORTED_PROVIDERS = new Set(['google', 'kakao', 'apple']);
 const SUPPORTED_REDIRECT_MODES = new Set(['azure', 'local']);
@@ -51,13 +52,14 @@ function parseCli(argv) {
   }
   const options = {
-    provider: 'google',
+    provider: '',
     port: 0,
     envFile: process.env.NADO_MCP_AUTH_ENV_FILE || defaultAuthEnvFile(),
     supabaseUrl: process.env.NADO_MCP_SUPABASE_URL || process.env.EXPO_PUBLIC_SUPABASE_URL || DEFAULT_SUPABASE_URL,
     anonKey: process.env.NADO_MCP_SUPABASE_ANON_KEY || process.env.EXPO_PUBLIC_SUPABASE_ANON_KEY || DEFAULT_SUPABASE_ANON_KEY,
     redirectMode: 'azure',
     relayUrl: process.env.NADO_MCP_AUTH_RELAY_URL || DEFAULT_RELAY_URL,
+    connectUrl: process.env.NADO_MCP_CONNECT_URL || DEFAULT_CONNECT_URL,
     noOpen: false,
     timeoutMs: 300_000,
     help: false,
@@ -80,6 +82,7 @@ function parseCli(argv) {
     else if (flag === '--anon-key') options.anonKey = readValue();
     else if (flag === '--redirect-mode') options.redirectMode = readValue();
     else if (flag === '--relay-url') options.relayUrl = readValue();
+    else if (flag === '--connect-url') options.connectUrl = readValue();
     else if (flag === '--timeout-ms') options.timeoutMs = Number(readValue());
     else if (flag === '--no-open') options.noOpen = true;
     else if (flag === '--help' || flag === '-h') options.help = true;
@@ -123,10 +126,7 @@ function defaultUserAuthEnvFile() {
 async function login(options) {
   const provider = String(options.provider || '').toLowerCase();
-  if (provider === 'naver') {
-    throw new Error('Naver login is not available for local MCP auth yet because the Naver Edge Function uses fixed redirect URLs. Use google, kakao, or apple.');
-  }
-  if (!SUPPORTED_PROVIDERS.has(provider)) {
+  if (provider && !SUPPORTED_PROVIDERS.has(provider)) {
     throw new Error(`Unsupported provider: ${provider}. Use google, kakao, or apple.`);
   }
@@ -145,6 +145,10 @@ async function login(options) {
           sendHtml(response, 404, 'Nado MCP Auth', 'Unknown callback path.');
           return;
         }
+        if (request.method === 'OPTIONS') {
+          sendCors(response, 204);
+          return;
+        }
         if (settled) {
           sendHtml(response, 200, 'Nado MCP Auth', 'Login already completed. You can close this tab.');
           return;
@@ -154,6 +158,23 @@ async function login(options) {
         if (oauthError) throw new Error(oauthError);
         if (url.searchParams.get('state') !== state) throw new Error('Invalid OAuth state.');
+        if (request.method === 'POST') {
+          const session = await readPostedSession(request);
+          const user = await fetchUser(options.supabaseUrl, options.anonKey, session.access_token);
+          writeAuthEnv(options.envFile, {
+            NADO_MCP_SUPABASE_URL: options.supabaseUrl,
+            NADO_MCP_SUPABASE_ANON_KEY: options.anonKey,
+            NADO_MCP_ACCESS_TOKEN: session.access_token,
+            NADO_MCP_REFRESH_TOKEN: session.refresh_token,
+          });
+          settled = true;
+          sendJson(response, 200, { ok: true, email: user.email || null });
+          resolve({ session, user });
+          return;
+        }
         const code = url.searchParams.get('code');
         if (!code) throw new Error('Missing OAuth code.');
@@ -197,9 +218,9 @@ async function login(options) {
     codeChallenge,
   });
-  console.log(`Opening browser for Nado MCP login (${provider}).`);
+  console.log('Opening browser for Nado MCP login.');
   console.log(`Local callback: ${localCallbackUrl.toString()}`);
-  if (options.redirectMode === 'azure') console.log(`Azure relay: ${options.relayUrl}`);
+  if (provider && options.redirectMode === 'azure') console.log(`Azure relay: ${options.relayUrl}`);
   if (!options.noOpen) openBrowser(browserUrl);
   console.log(`If the browser did not open, visit:\n${browserUrl}`);
@@ -221,14 +242,21 @@ async function login(options) {
 function loginTimeoutError(options) {
   return new Error([
     'Timed out waiting for browser login.',
-    `Rerun \`nado-mcp login --provider ${options.provider} --timeout-ms 900000\` and keep the terminal open until the browser says login completed.`,
+    'Rerun `nado-mcp login --timeout-ms 900000` and keep the terminal open until the browser says login completed.',
     'If the browser did not open, copy the printed URL into the same desktop browser where you can sign in.',
-    'If Google login succeeds but the browser lands on the normal Nado site, upgrade @nado-language/mcp and confirm Supabase Auth allows the exact relay URL without query parameters.',
-    'If it still times out after the relay page says it is returning to the local helper, check that the browser can reach the printed 127.0.0.1 local callback URL.',
+    'If login succeeds but this still times out, check that the browser can reach the printed 127.0.0.1 local callback URL.',
   ].join(' '));
 }
 function buildBrowserLoginUrl({ options, provider, localCallbackUrl, codeChallenge }) {
+  if (!provider) {
+    return buildConnectUrl({
+      connectUrl: options.connectUrl,
+      localCallbackUrl,
+      supabaseUrl: options.supabaseUrl,
+    });
+  }
   if (options.redirectMode === 'local') {
     return buildAuthorizeUrl({
       supabaseUrl: options.supabaseUrl,
@@ -260,6 +288,17 @@ function buildRelayStartUrl({ relayUrl: value, localCallbackUrl, provider, supab
   return relayUrl.toString();
 }
+function buildConnectUrl({ connectUrl: value, localCallbackUrl, supabaseUrl }) {
+  const connectUrl = new URL(value);
+  if (connectUrl.protocol !== 'https:' && connectUrl.hostname !== 'localhost' && connectUrl.hostname !== '127.0.0.1') {
+    throw new Error('--connect-url must be an HTTPS URL unless it points to localhost.');
+  }
+  connectUrl.searchParams.set('local_callback', localCallbackUrl);
+  connectUrl.searchParams.set('supabase_url', supabaseUrl);
+  connectUrl.searchParams.set('client_version', packageVersion);
+  return connectUrl.toString();
+}
 function printStatus(options) {
   const values = readEnvFile(options.envFile);
   const accessToken = process.env.NADO_MCP_ACCESS_TOKEN || values.NADO_MCP_ACCESS_TOKEN || process.env.NADO_ACCESS_TOKEN || '';
@@ -339,6 +378,34 @@ async function readJsonResponse(response) {
   }
 }
+async function readPostedSession(request) {
+  const body = await readRequestJson(request);
+  const session = body?.session && typeof body.session === 'object' ? body.session : body;
+  const accessToken = typeof session?.access_token === 'string' ? session.access_token : '';
+  const refreshToken = typeof session?.refresh_token === 'string' ? session.refresh_token : '';
+  if (!accessToken || !refreshToken) {
+    throw new Error('Missing session tokens from Nado web login.');
+  }
+  return {
+    access_token: accessToken,
+    refresh_token: refreshToken,
+  };
+}
+async function readRequestJson(request) {
+  const chunks = [];
+  for await (const chunk of request) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  const text = Buffer.concat(chunks).toString('utf8');
+  if (!text) return {};
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error('Invalid JSON callback payload.');
+  }
+}
 function openBrowser(url) {
   const platform = os.platform();
   const command = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
@@ -503,10 +570,29 @@ function closeServer(server) {
 }
 function sendHtml(response, status, title, message) {
-  response.writeHead(status, { 'content-type': 'text/html; charset=utf-8' });
+  response.writeHead(status, { ...callbackCorsHeaders(), 'content-type': 'text/html; charset=utf-8' });
   response.end(`<!doctype html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head><body><h1>${escapeHtml(title)}</h1><p>${escapeHtml(message)}</p></body></html>`);
 }
+function sendJson(response, status, body) {
+  response.writeHead(status, { ...callbackCorsHeaders(), 'content-type': 'application/json; charset=utf-8' });
+  response.end(JSON.stringify(body));
+}
+function sendCors(response, status) {
+  response.writeHead(status, callbackCorsHeaders());
+  response.end();
+}
+function callbackCorsHeaders() {
+  return {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,POST,OPTIONS',
+    'access-control-allow-headers': 'content-type',
+    'access-control-allow-private-network': 'true',
+  };
+}
 function escapeHtml(value) {
   return String(value)
     .replace(/&/g, '&amp;')
@@ -520,30 +606,36 @@ function printHelp() {
   console.log(`Nado Language MCP browser auth
 Usage:
-  nado-mcp login [--provider google|kakao|apple]
+  nado-mcp login
+  nado-mcp login --provider google|kakao|apple
   nado-mcp status
   nado-mcp logout
   nado-mcp-auth --version
 Repo checkout aliases:
-  npm run mcp:nado:auth -- [login] [--provider google|kakao|apple]
+  npm run mcp:nado:auth -- [login]
   npm run mcp:nado:auth -- status
   npm run mcp:nado:auth -- logout
 Options:
-  --provider <name>       OAuth provider for login. Default: google
+  --provider <name>       Legacy direct OAuth provider. Normally omit this and sign in on the Nado web page.
   --auth-file <path>      Auth env file to write. Default: OS user config in package installs, .env.mcp.local in repo checkouts
   --port <number>         Local callback port. Default: 0 (random)
   --redirect-mode <mode>  azure or local. Default: azure
   --relay-url <url>       Azure Static Web Apps relay URL. Default: ${DEFAULT_RELAY_URL}
+  --connect-url <url>     Provider-neutral Nado web connect URL. Default: ${DEFAULT_CONNECT_URL}
   --no-open               Print the URL without opening a browser
   --timeout-ms <number>   Login wait timeout. Default: 300000
   --supabase-url <url>    Supabase project URL
   --anon-key <key>        Supabase anon key
   --version               Print installed Nado MCP version
-Default mode uses the existing Azure Static Web Apps site as a zero-new-resource
-OAuth relay. Supabase Auth must allow this redirect URL:
+Default mode opens the Nado web connect page. Sign in there with any provider
+supported by the web app, then the page posts the browser session to the local
+127.0.0.1 helper. Tokens are not placed in the browser URL.
+Legacy provider mode uses the existing Azure Static Web Apps site as a
+zero-new-resource OAuth relay. Supabase Auth must allow this redirect URL:
   ${DEFAULT_RELAY_URL}
 The relay starts login with local state in browser sessionStorage, then sends

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nado-language/mcp",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Nado Language MCP server for saving AI-generated English flashcards and practicing saved materials.",
   "type": "module",
   "private": false,