ebay-mcp-remote-edition 2.0.14 → 2.0.15

package/build/auth/kv-store.js

@@ -88,7 +88,9 @@ export class CloudflareKVStore {
         await this.client.put(`/values/${encodeURIComponent(key)}`, JSON.stringify(value), { params });
         // Keep the in-memory cache consistent with what we wrote.
         // If the KV entry has its own TTL, honour it for the cache as well.
-        const cacheTtl = expirationTtl ? Math.min(expirationTtl * 1_000, this.cacheTtlMs) : this.cacheTtlMs;
+        const cacheTtl = expirationTtl
+            ? Math.min(expirationTtl * 1_000, this.cacheTtlMs)
+            : this.cacheTtlMs;
         this.cache.set(key, { value, expiresAt: Date.now() + cacheTtl });
     }
     async delete(key) {

package/build/auth/multi-user-store.js

@@ -118,6 +118,37 @@ export class MultiUserAuthStore {
         await this.kv.put(`client:${clientId}`, record);
         return record;
     }
+    /**
+     * Upserts a client record using a **caller-supplied** `clientId`.
+     *
+     * Used by the `/authorize` endpoint to auto-register trusted desktop MCP
+     * clients (VS Code, Cursor, Windsurf, localhost loopback) that arrive at
+     * `/authorize` without a prior `/register` call (e.g. because the in-memory
+     * registration was lost between requests, or the client drives `/authorize`
+     * directly).
+     *
+     * An existing record for `clientId` is overwritten only if the supplied
+     * `redirectUri` is not already listed (additive merge otherwise).
+     */
+    async registerClientWithId(clientId, redirectUris, clientName) {
+        const existing = await this.kv.get(`client:${clientId}`);
+        const now = new Date().toISOString();
+        if (existing) {
+            // Merge any new redirect URIs into the existing record
+            const merged = Array.from(new Set([...existing.redirectUris, ...redirectUris]));
+            const updated = { ...existing, redirectUris: merged };
+            await this.kv.put(`client:${clientId}`, updated);
+            return updated;
+        }
+        const record = {
+            clientId,
+            redirectUris,
+            clientName,
+            createdAt: now,
+        };
+        await this.kv.put(`client:${clientId}`, record);
+        return record;
+    }
     async getClient(clientId) {
         return await this.kv.get(`client:${clientId}`);
     }

package/build/server-http.js

@@ -61,6 +61,36 @@ function requireOauthStartKey(req, res, next) {
     }
     next();
 }
+/**
+ * Returns true when a redirect URI belongs to a well-known desktop / IDE
+ * MCP client (VS Code, Cursor, Windsurf) or a localhost loopback.
+ *
+ * These clients drive the authorize flow directly and cannot always guarantee
+ * that their /register request was persisted before /authorize is called.
+ * We allow them to self-register on the fly so the flow doesn't hard-fail on
+ * a missing client_id when the user's eBay app credentials are already in env.
+ */
+function isTrustedDesktopRedirectUri(redirectUri) {
+    try {
+        const u = new URL(redirectUri);
+        // Desktop IDE callback schemes
+        if (u.protocol === 'vscode:' ||
+            u.protocol === 'cursor:' ||
+            u.protocol === 'windsurf:' ||
+            u.protocol === 'claude:') {
+            return true;
+        }
+        // Localhost loopback (any port)
+        if ((u.protocol === 'http:' || u.protocol === 'https:') &&
+            (u.hostname === 'localhost' || u.hostname === '127.0.0.1' || u.hostname === '::1')) {
+            return true;
+        }
+    }
+    catch {
+        // Malformed URI – treat as untrusted
+    }
+    return false;
+}
 async function createUserScopedApi(userId, environment) {
     const api = new EbaySellerApi(getEbayConfig(environment), { userId, environment });
     await api.initialize();
@@ -161,10 +191,20 @@ function createApp() {
                     .json({ error: 'invalid_request', error_description: 'client_id is required' });
                 return;
             }
-            const client = await authStore.getClient(clientId);
+            // Look up the MCP client. If unknown, auto-register it for trusted desktop
+            // redirect URIs (VS Code, Cursor, Windsurf, localhost) so that the flow
+            // continues even when /register state was not persisted (e.g. memory backend)
+            // or when the IDE drives /authorize directly without a prior /register call.
+            let client = await authStore.getClient(clientId);
             if (!client) {
-                res.status(400).json({ error: 'invalid_client', error_description: 'Unknown client_id' });
-                return;
+                if (redirectUri && isTrustedDesktopRedirectUri(redirectUri)) {
+                    serverLogger.info('[authorize] Auto-registering trusted desktop MCP client (client_id not in store)', { clientId, redirectUri });
+                    client = await authStore.registerClientWithId(clientId, [redirectUri]);
+                }
+                else {
+                    res.status(400).json({ error: 'invalid_client', error_description: 'Unknown client_id' });
+                    return;
+                }
             }
             if (!redirectUri || !client.redirectUris.includes(redirectUri)) {
                 res.status(400).json({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ebay-mcp-remote-edition",
-  "version": "2.0.14",
+  "version": "2.0.15",
   "description": "Remote + Local MCP server for eBay APIs - provides access to eBay developer functionality through MCP (Model Context Protocol)",
   "type": "module",
   "main": "build/index.js",