@smithery/sdk 1.5.10 → 1.6.2

package/dist/server/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./stateful.js";
 export * from "./stateless.js";
 export * from "./session.js";
+export * from "./oauth.js";

package/dist/server/index.js

@@ -1,3 +1,4 @@
 export * from "./stateful.js";
 export * from "./stateless.js";
 export * from "./session.js";
+export * from "./oauth.js";

package/dist/server/oauth.d.ts

@@ -0,0 +1,14 @@
+import type express from "express";
+import type { OAuthServerProvider } from "@modelcontextprotocol/sdk/server/auth/provider.js";
+import type { Response } from "express";
+/**
+ * OAuth server provider that supports a callback handler.
+ * The callback handler is invoked to catch the OAuth callback from the OAuth provider.
+ */
+export interface CallbackOAuthServerProvider extends OAuthServerProvider {
+    /** Provider-specific callback handler used by the SDK */
+    handleOAuthCallback?: (code: string, state: string | undefined, res: Response) => Promise<URL>;
+    basePath?: string;
+    callbackPath: string;
+}
+export declare function mountOAuth(app: express.Application, provider: CallbackOAuthServerProvider): void;

package/dist/server/oauth.js

@@ -0,0 +1,36 @@
+import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
+import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+export function mountOAuth(app, provider) {
+    // Mount OAuth authorization and token routes with dynamic issuer URL and provider
+    app.use(provider.basePath ?? "/", (req, res, next) => {
+        const host = req.get("host") ?? "localhost";
+        // Issuer URL must be https
+        const issuerUrl = new URL(`https://${host}`);
+        const router = mcpAuthRouter({ provider, issuerUrl });
+        return router(req, res, next);
+    });
+    const callbackHandler = provider.handleOAuthCallback;
+    if (callbackHandler) {
+        // Callback handler
+        app.get(provider.callbackPath, async (req, res) => {
+            const code = typeof req.query.code === "string" ? req.query.code : undefined;
+            const state = typeof req.query.state === "string" ? req.query.state : undefined;
+            if (!code) {
+                res.status(400).send("Invalid request parameters");
+                return;
+            }
+            try {
+                const redirectUrl = await callbackHandler.bind(provider)(code, state, res);
+                res.redirect(redirectUrl.toString());
+            }
+            catch (error) {
+                console.error(error);
+                res.status(500).send("Error during authentication callback");
+            }
+        });
+    }
+    // Bearer protection for all /mcp routes (POST/GET/DELETE)
+    app.use("/mcp", (req, res, next) => {
+        return requireBearerAuth({ verifier: provider })(req, res, next);
+    });
+}

package/dist/server/stateful.d.ts

@@ -1,14 +1,17 @@
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
 import express from "express";
 import type { z } from "zod";
 import type { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { type SessionStore } from "./session.js";
+import type { CallbackOAuthServerProvider } from "./oauth.js";
 /**
  * Arguments when we create a new instance of your server
  */
 export interface CreateServerArg<T = Record<string, unknown>> {
     sessionId: string;
     config: T;
+    auth?: AuthInfo;
 }
 export type CreateServerFn<T = Record<string, unknown>> = (arg: CreateServerArg<T>) => Server;
 /**
@@ -27,6 +30,10 @@ export interface StatefulServerOptions<T = Record<string, unknown>> {
      * Express app instance to use (optional)
      */
     app?: express.Application;
+    /**
+     * OAuth provider instance. If provided, OAuth routes and bearer protection are auto-wired.
+     */
+    oauthProvider?: CallbackOAuthServerProvider;
 }
 /**
  * Creates a stateful server for handling MCP requests.

package/dist/server/stateful.js

@@ -5,6 +5,7 @@ import { randomUUID } from "node:crypto";
 import { parseAndValidateConfig } from "../shared/config.js";
 import { zodToJsonSchema } from "zod-to-json-schema";
 import { createLRUStore } from "./session.js";
+import { mountOAuth } from "./oauth.js";
 /**
  * Creates a stateful server for handling MCP requests.
  * For every new session, we invoke createMcpServer to create a new instance of the server.
@@ -14,6 +15,11 @@ import { createLRUStore } from "./session.js";
  */
 export function createStatefulServer(createMcpServer, options) {
     const app = options?.app ?? express();
+    // Auto-wire OAuth routes and bearer protection if configured
+    const oauthProvider = options?.oauthProvider;
+    if (oauthProvider) {
+        mountOAuth(app, oauthProvider);
+    }
     app.use("/mcp", express.json());
     const sessionStore = options?.sessionStore ?? createLRUStore();
     // Handle POST requests for client-to-server communication
@@ -54,6 +60,7 @@ export function createStatefulServer(createMcpServer, options) {
                 const server = createMcpServer({
                     sessionId: newSessionId,
                     config: config,
+                    auth: req.auth,
                 });
                 // Connect to the MCP server
                 await server.connect(transport);

package/dist/server/stateless.d.ts

@@ -1,11 +1,14 @@
 import express from "express";
 import type { z } from "zod";
 import type { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
+import type { CallbackOAuthServerProvider } from "./oauth.js";
 /**
  * Arguments when we create a stateless server instance
  */
 export interface CreateStatelessServerArg<T = Record<string, unknown>> {
     config: T;
+    auth?: AuthInfo;
 }
 export type CreateStatelessServerFn<T = Record<string, unknown>> = (arg: CreateStatelessServerArg<T>) => Server;
 /**
@@ -20,6 +23,10 @@ export interface StatelessServerOptions<T = Record<string, unknown>> {
      * Express app instance to use (optional)
      */
     app?: express.Application;
+    /**
+     * OAuth provider instance. If provided, OAuth routes and bearer protection are auto-wired.
+     */
+    oauthProvider?: CallbackOAuthServerProvider;
 }
 /**
  * Creates a stateless server for handling MCP requests.

package/dist/server/stateless.js

@@ -2,6 +2,7 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
 import express from "express";
 import { parseAndValidateConfig } from "../shared/config.js";
 import { zodToJsonSchema } from "zod-to-json-schema";
+import { mountOAuth } from "./oauth.js";
 /**
  * Creates a stateless server for handling MCP requests.
  * Each request creates a new server instance - no session state is maintained.
@@ -13,6 +14,11 @@ import { zodToJsonSchema } from "zod-to-json-schema";
  */
 export function createStatelessServer(createMcpServer, options) {
     const app = options?.app ?? express();
+    // Auto-wire OAuth routes and bearer protection if configured
+    const oauthProvider = options?.oauthProvider;
+    if (oauthProvider) {
+        mountOAuth(app, oauthProvider);
+    }
     app.use("/mcp", express.json());
     // Handle POST requests for client-to-server communication
     app.post("/mcp", async (req, res) => {
@@ -31,6 +37,7 @@ export function createStatelessServer(createMcpServer, options) {
             // Create a fresh server instance for each request
             const server = createMcpServer({
                 config,
+                auth: req.auth,
             });
             // Create a new transport for this request (no session management)
             const transport = new StreamableHTTPServerTransport({

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@smithery/sdk",
-	"version": "1.5.10",
+	"version": "1.6.2",
 	"description": "SDK to develop with Smithery",
 	"type": "module",
 	"main": "./dist/index.js",