fastmcp 3.35.0 → 4.0.1

package/dist/FastMCP.cjs

@@ -7,7 +7,7 @@
 
 
 
-var _chunkJP7QSER3cjs = require('./chunk-JP7QSER3.cjs');
+var _chunkEXZZ3NKLcjs = require('./chunk-EXZZ3NKL.cjs');
 
 
 
@@ -20,7 +20,7 @@ var _chunkJP7QSER3cjs = require('./chunk-JP7QSER3.cjs');
 
 
 
-var _chunk7UDY4VFQcjs = require('./chunk-7UDY4VFQ.cjs');
+var _chunkSSVFQCSNcjs = require('./chunk-SSVFQCSN.cjs');
 
 
 
@@ -41,5 +41,5 @@ var _chunk7UDY4VFQcjs = require('./chunk-7UDY4VFQ.cjs');
 
 
 
-exports.AuthProvider = _chunk7UDY4VFQcjs.AuthProvider; exports.AzureProvider = _chunk7UDY4VFQcjs.AzureProvider; exports.DiscoveryDocumentCache = _chunkJP7QSER3cjs.DiscoveryDocumentCache; exports.FastMCP = _chunkJP7QSER3cjs.FastMCP; exports.FastMCPSession = _chunkJP7QSER3cjs.FastMCPSession; exports.GitHubProvider = _chunk7UDY4VFQcjs.GitHubProvider; exports.GoogleProvider = _chunk7UDY4VFQcjs.GoogleProvider; exports.OAuthProvider = _chunk7UDY4VFQcjs.OAuthProvider; exports.ServerState = _chunkJP7QSER3cjs.ServerState; exports.UnexpectedStateError = _chunkJP7QSER3cjs.UnexpectedStateError; exports.UserError = _chunkJP7QSER3cjs.UserError; exports.audioContent = _chunkJP7QSER3cjs.audioContent; exports.getAuthSession = _chunk7UDY4VFQcjs.getAuthSession; exports.imageContent = _chunkJP7QSER3cjs.imageContent; exports.requireAll = _chunk7UDY4VFQcjs.requireAll; exports.requireAny = _chunk7UDY4VFQcjs.requireAny; exports.requireAuth = _chunk7UDY4VFQcjs.requireAuth; exports.requireRole = _chunk7UDY4VFQcjs.requireRole; exports.requireScopes = _chunk7UDY4VFQcjs.requireScopes;
+exports.AuthProvider = _chunkSSVFQCSNcjs.AuthProvider; exports.AzureProvider = _chunkSSVFQCSNcjs.AzureProvider; exports.DiscoveryDocumentCache = _chunkEXZZ3NKLcjs.DiscoveryDocumentCache; exports.FastMCP = _chunkEXZZ3NKLcjs.FastMCP; exports.FastMCPSession = _chunkEXZZ3NKLcjs.FastMCPSession; exports.GitHubProvider = _chunkSSVFQCSNcjs.GitHubProvider; exports.GoogleProvider = _chunkSSVFQCSNcjs.GoogleProvider; exports.OAuthProvider = _chunkSSVFQCSNcjs.OAuthProvider; exports.ServerState = _chunkEXZZ3NKLcjs.ServerState; exports.UnexpectedStateError = _chunkEXZZ3NKLcjs.UnexpectedStateError; exports.UserError = _chunkEXZZ3NKLcjs.UserError; exports.audioContent = _chunkEXZZ3NKLcjs.audioContent; exports.getAuthSession = _chunkSSVFQCSNcjs.getAuthSession; exports.imageContent = _chunkEXZZ3NKLcjs.imageContent; exports.requireAll = _chunkSSVFQCSNcjs.requireAll; exports.requireAny = _chunkSSVFQCSNcjs.requireAny; exports.requireAuth = _chunkSSVFQCSNcjs.requireAuth; exports.requireRole = _chunkSSVFQCSNcjs.requireRole; exports.requireScopes = _chunkSSVFQCSNcjs.requireScopes;
 //# sourceMappingURL=FastMCP.cjs.map

package/dist/FastMCP.d.cts

@@ -10,8 +10,8 @@ import { Hono } from 'hono';
 import http from 'http';
 import { StrictEventEmitter } from 'strict-event-emitter-types';
 import { z } from 'zod';
-import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-R8buLRa8.cjs';
-export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-R8buLRa8.cjs';
+import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-BV6EpF_k.cjs';
+export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-BV6EpF_k.cjs';
 import 'node:http';
 
 declare class DiscoveryDocumentCache {

package/dist/FastMCP.d.ts

@@ -10,8 +10,8 @@ import { Hono } from 'hono';
 import http from 'http';
 import { StrictEventEmitter } from 'strict-event-emitter-types';
 import { z } from 'zod';
-import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-R8buLRa8.js';
-export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-R8buLRa8.js';
+import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-BV6EpF_k.js';
+export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-BV6EpF_k.js';
 import 'node:http';
 
 declare class DiscoveryDocumentCache {

package/dist/FastMCP.js

@@ -7,7 +7,7 @@ import {
   UserError,
   audioContent,
   imageContent
-} from "./chunk-UVX47AE5.js";
+} from "./chunk-TNX4H4LB.js";
 import {
   AuthProvider,
   AzureProvider,
@@ -20,7 +20,7 @@ import {
   requireAuth,
   requireRole,
   requireScopes
-} from "./chunk-H4VC4YTC.js";
+} from "./chunk-UN72PIH2.js";
 export {
   AuthProvider,
   AzureProvider,

package/dist/{OAuthProvider-R8buLRa8.d.cts → OAuthProvider-BV6EpF_k.d.cts}

@@ -185,7 +185,23 @@ interface OAuthProviderConfig {
 interface OAuthProxyConfig {
     /** Access token TTL in seconds (default: 3600) */
     accessTokenTtl?: number;
-    /** Allowed redirect URI patterns for client registration */
+    /**
+     * Allow-list of redirect URI patterns accepted by Dynamic Client Registration.
+     *
+     * A client calling POST /oauth/register must present a `redirect_uri` that
+     * matches one of these patterns (exact string or glob with `*` / `?`);
+     * otherwise the registration is rejected with `invalid_redirect_uri`. Once
+     * registered, the same exact URI must be echoed back at /oauth/authorize —
+     * the proxy performs exact string comparison per RFC 6749 §3.1.2.3.
+     *
+     * Default: `[]` (DCR rejects everything — explicit opt-in required).
+     *
+     * Prior versions defaulted to `["https://*", "http://localhost:*"]` with an
+     * implicit fallback that allowed any https URL. This enabled CWE-601
+     * open-redirect / authorization-code theft: an attacker could DCR their own
+     * URL and then steal victim codes via /oauth/authorize. Do not loosen this
+     * default without understanding that threat model.
+     */
     allowedRedirectUriPatterns?: string[];
     /** Authorization code TTL in seconds (default: 300) */
     authorizationCodeTtl?: number;
@@ -548,7 +564,16 @@ declare class OAuthProxy {
      */
     private startCleanup;
     /**
-     * Validate redirect URI against allowed patterns
+     * Validate a redirect URI against the configured allow-list.
+     *
+     * Returns `true` only if the URI is syntactically valid AND matches one of
+     * the explicitly configured `allowedRedirectUriPatterns`. An empty or unset
+     * pattern list means DCR will reject every URI — framework users must
+     * opt-in by listing the exact URIs (or wildcards) they trust.
+     *
+     * Prior versions also fell back to allowing any https URL or localhost,
+     * which enabled attackers to DCR an arbitrary URL and then abuse it via
+     * /oauth/authorize (CWE-601). Do not re-introduce that fallback.
      */
     private validateRedirectUri;
 }
@@ -573,7 +598,17 @@ declare class OAuthProxyError extends Error {
  * Configuration common to all OAuth providers.
  */
 interface AuthProviderConfig {
-    /** Allowed redirect URI patterns (default: ["http://localhost:*", "https://*"]) */
+    /**
+     * Allow-list of redirect URI patterns accepted by Dynamic Client
+     * Registration. Required for any deployment that exposes /oauth/register
+     * or /oauth/authorize — an empty/unset list rejects every URI.
+     *
+     * Example: `["https://yourapp.example.com/*"]`
+     *
+     * Prior versions defaulted to `["http://localhost:*", "https://*"]`, which
+     * enabled CWE-601 open-redirect / authorization-code theft. See the
+     * SECURITY advisory before loosening this.
+     */
     allowedRedirectUriPatterns?: string[];
     /** Base URL where the MCP server is accessible */
     baseUrl: string;

package/dist/{OAuthProvider-R8buLRa8.d.ts → OAuthProvider-BV6EpF_k.d.ts}

@@ -185,7 +185,23 @@ interface OAuthProviderConfig {
 interface OAuthProxyConfig {
     /** Access token TTL in seconds (default: 3600) */
     accessTokenTtl?: number;
-    /** Allowed redirect URI patterns for client registration */
+    /**
+     * Allow-list of redirect URI patterns accepted by Dynamic Client Registration.
+     *
+     * A client calling POST /oauth/register must present a `redirect_uri` that
+     * matches one of these patterns (exact string or glob with `*` / `?`);
+     * otherwise the registration is rejected with `invalid_redirect_uri`. Once
+     * registered, the same exact URI must be echoed back at /oauth/authorize —
+     * the proxy performs exact string comparison per RFC 6749 §3.1.2.3.
+     *
+     * Default: `[]` (DCR rejects everything — explicit opt-in required).
+     *
+     * Prior versions defaulted to `["https://*", "http://localhost:*"]` with an
+     * implicit fallback that allowed any https URL. This enabled CWE-601
+     * open-redirect / authorization-code theft: an attacker could DCR their own
+     * URL and then steal victim codes via /oauth/authorize. Do not loosen this
+     * default without understanding that threat model.
+     */
     allowedRedirectUriPatterns?: string[];
     /** Authorization code TTL in seconds (default: 300) */
     authorizationCodeTtl?: number;
@@ -548,7 +564,16 @@ declare class OAuthProxy {
      */
     private startCleanup;
     /**
-     * Validate redirect URI against allowed patterns
+     * Validate a redirect URI against the configured allow-list.
+     *
+     * Returns `true` only if the URI is syntactically valid AND matches one of
+     * the explicitly configured `allowedRedirectUriPatterns`. An empty or unset
+     * pattern list means DCR will reject every URI — framework users must
+     * opt-in by listing the exact URIs (or wildcards) they trust.
+     *
+     * Prior versions also fell back to allowing any https URL or localhost,
+     * which enabled attackers to DCR an arbitrary URL and then abuse it via
+     * /oauth/authorize (CWE-601). Do not re-introduce that fallback.
      */
     private validateRedirectUri;
 }
@@ -573,7 +598,17 @@ declare class OAuthProxyError extends Error {
  * Configuration common to all OAuth providers.
  */
 interface AuthProviderConfig {
-    /** Allowed redirect URI patterns (default: ["http://localhost:*", "https://*"]) */
+    /**
+     * Allow-list of redirect URI patterns accepted by Dynamic Client
+     * Registration. Required for any deployment that exposes /oauth/register
+     * or /oauth/authorize — an empty/unset list rejects every URI.
+     *
+     * Example: `["https://yourapp.example.com/*"]`
+     *
+     * Prior versions defaulted to `["http://localhost:*", "https://*"]`, which
+     * enabled CWE-601 open-redirect / authorization-code theft. See the
+     * SECURITY advisory before loosening this.
+     */
     allowedRedirectUriPatterns?: string[];
     /** Base URL where the MCP server is accessible */
     baseUrl: string;

package/dist/auth/index.cjs

@@ -24,7 +24,7 @@
 
 
 
-var _chunk7UDY4VFQcjs = require('../chunk-7UDY4VFQ.cjs');
+var _chunkSSVFQCSNcjs = require('../chunk-SSVFQCSN.cjs');
 
 
 
@@ -51,5 +51,5 @@ var _chunk7UDY4VFQcjs = require('../chunk-7UDY4VFQ.cjs');
 
 
 
-exports.AuthProvider = _chunk7UDY4VFQcjs.AuthProvider; exports.AzureProvider = _chunk7UDY4VFQcjs.AzureProvider; exports.ConsentManager = _chunk7UDY4VFQcjs.ConsentManager; exports.DEFAULT_ACCESS_TOKEN_TTL = _chunk7UDY4VFQcjs.DEFAULT_ACCESS_TOKEN_TTL; exports.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH = _chunk7UDY4VFQcjs.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH; exports.DEFAULT_AUTHORIZATION_CODE_TTL = _chunk7UDY4VFQcjs.DEFAULT_AUTHORIZATION_CODE_TTL; exports.DEFAULT_REFRESH_TOKEN_TTL = _chunk7UDY4VFQcjs.DEFAULT_REFRESH_TOKEN_TTL; exports.DEFAULT_TRANSACTION_TTL = _chunk7UDY4VFQcjs.DEFAULT_TRANSACTION_TTL; exports.DiskStore = _chunk7UDY4VFQcjs.DiskStore; exports.EncryptedTokenStorage = _chunk7UDY4VFQcjs.EncryptedTokenStorage; exports.GitHubProvider = _chunk7UDY4VFQcjs.GitHubProvider; exports.GoogleProvider = _chunk7UDY4VFQcjs.GoogleProvider; exports.JWKSVerifier = _chunk7UDY4VFQcjs.JWKSVerifier; exports.JWTIssuer = _chunk7UDY4VFQcjs.JWTIssuer; exports.MemoryTokenStorage = _chunk7UDY4VFQcjs.MemoryTokenStorage; exports.OAuthProvider = _chunk7UDY4VFQcjs.OAuthProvider; exports.OAuthProxy = _chunk7UDY4VFQcjs.OAuthProxy; exports.OAuthProxyError = _chunk7UDY4VFQcjs.OAuthProxyError; exports.PKCEUtils = _chunk7UDY4VFQcjs.PKCEUtils; exports.getAuthSession = _chunk7UDY4VFQcjs.getAuthSession; exports.requireAll = _chunk7UDY4VFQcjs.requireAll; exports.requireAny = _chunk7UDY4VFQcjs.requireAny; exports.requireAuth = _chunk7UDY4VFQcjs.requireAuth; exports.requireRole = _chunk7UDY4VFQcjs.requireRole; exports.requireScopes = _chunk7UDY4VFQcjs.requireScopes;
+exports.AuthProvider = _chunkSSVFQCSNcjs.AuthProvider; exports.AzureProvider = _chunkSSVFQCSNcjs.AzureProvider; exports.ConsentManager = _chunkSSVFQCSNcjs.ConsentManager; exports.DEFAULT_ACCESS_TOKEN_TTL = _chunkSSVFQCSNcjs.DEFAULT_ACCESS_TOKEN_TTL; exports.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH = _chunkSSVFQCSNcjs.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH; exports.DEFAULT_AUTHORIZATION_CODE_TTL = _chunkSSVFQCSNcjs.DEFAULT_AUTHORIZATION_CODE_TTL; exports.DEFAULT_REFRESH_TOKEN_TTL = _chunkSSVFQCSNcjs.DEFAULT_REFRESH_TOKEN_TTL; exports.DEFAULT_TRANSACTION_TTL = _chunkSSVFQCSNcjs.DEFAULT_TRANSACTION_TTL; exports.DiskStore = _chunkSSVFQCSNcjs.DiskStore; exports.EncryptedTokenStorage = _chunkSSVFQCSNcjs.EncryptedTokenStorage; exports.GitHubProvider = _chunkSSVFQCSNcjs.GitHubProvider; exports.GoogleProvider = _chunkSSVFQCSNcjs.GoogleProvider; exports.JWKSVerifier = _chunkSSVFQCSNcjs.JWKSVerifier; exports.JWTIssuer = _chunkSSVFQCSNcjs.JWTIssuer; exports.MemoryTokenStorage = _chunkSSVFQCSNcjs.MemoryTokenStorage; exports.OAuthProvider = _chunkSSVFQCSNcjs.OAuthProvider; exports.OAuthProxy = _chunkSSVFQCSNcjs.OAuthProxy; exports.OAuthProxyError = _chunkSSVFQCSNcjs.OAuthProxyError; exports.PKCEUtils = _chunkSSVFQCSNcjs.PKCEUtils; exports.getAuthSession = _chunkSSVFQCSNcjs.getAuthSession; exports.requireAll = _chunkSSVFQCSNcjs.requireAll; exports.requireAny = _chunkSSVFQCSNcjs.requireAny; exports.requireAuth = _chunkSSVFQCSNcjs.requireAuth; exports.requireRole = _chunkSSVFQCSNcjs.requireRole; exports.requireScopes = _chunkSSVFQCSNcjs.requireScopes;
 //# sourceMappingURL=index.cjs.map

package/dist/auth/index.d.cts

@@ -1,5 +1,5 @@
-import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-R8buLRa8.cjs';
-export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-R8buLRa8.cjs';
+import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-BV6EpF_k.cjs';
+export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-BV6EpF_k.cjs';
 import 'node:http';
 
 /**

package/dist/auth/index.d.ts

@@ -1,5 +1,5 @@
-import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-R8buLRa8.js';
-export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-R8buLRa8.js';
+import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-BV6EpF_k.js';
+export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-BV6EpF_k.js';
 import 'node:http';
 
 /**

package/dist/auth/index.js

@@ -24,7 +24,7 @@ import {
   requireAuth,
   requireRole,
   requireScopes
-} from "../chunk-H4VC4YTC.js";
+} from "../chunk-UN72PIH2.js";
 export {
   AuthProvider,
   AzureProvider,

package/dist/{chunk-JP7QSER3.cjs → chunk-EXZZ3NKL.cjs}

@@ -1819,23 +1819,26 @@ var FastMCP = class extends FastMCPEventEmitter {
       const url2 = new URL(req.url || "", `http://${host}`);
       try {
         if (req.method === "POST" && url2.pathname === "/oauth/register") {
-          let body = "";
-          req.on("data", (chunk) => body += chunk);
-          req.on("end", async () => {
-            try {
-              const request = JSON.parse(body);
-              const response = await oauthProxy.registerClient(request);
-              res.writeHead(201, { "Content-Type": "application/json" }).end(JSON.stringify(response));
-            } catch (error) {
-              const statusCode = error.statusCode || 400;
-              res.writeHead(statusCode, { "Content-Type": "application/json" }).end(
-                JSON.stringify(
-                  _optionalChain([error, 'access', _44 => _44.toJSON, 'optionalCall', _45 => _45()]) || {
-                    error: "invalid_request"
-                  }
-                )
-              );
-            }
+          await new Promise((resolve) => {
+            let body = "";
+            req.on("data", (chunk) => body += chunk);
+            req.on("end", async () => {
+              try {
+                const request = JSON.parse(body);
+                const response = await oauthProxy.registerClient(request);
+                res.writeHead(201, { "Content-Type": "application/json" }).end(JSON.stringify(response));
+              } catch (error) {
+                const statusCode = error.statusCode || 400;
+                res.writeHead(statusCode, { "Content-Type": "application/json" }).end(
+                  JSON.stringify(
+                    _optionalChain([error, 'access', _44 => _44.toJSON, 'optionalCall', _45 => _45()]) || {
+                      error: "invalid_request"
+                    }
+                  )
+                );
+              }
+              resolve();
+            });
           });
           return;
         }
@@ -1886,82 +1889,93 @@ var FastMCP = class extends FastMCPEventEmitter {
           return;
         }
         if (req.method === "POST" && url2.pathname === "/oauth/consent") {
-          let body = "";
-          req.on("data", (chunk) => body += chunk);
-          req.on("end", async () => {
-            try {
-              const mockRequest = new Request(`http://${host}/oauth/consent`, {
-                body,
-                headers: {
-                  "Content-Type": "application/x-www-form-urlencoded"
-                },
-                method: "POST"
-              });
-              const response = await oauthProxy.handleConsent(mockRequest);
-              const location = response.headers.get("Location");
-              if (location) {
-                res.writeHead(response.status, { Location: location }).end();
-              } else {
-                const text = await response.text();
-                res.writeHead(response.status).end(text);
-              }
-            } catch (error) {
-              res.writeHead(400, { "Content-Type": "application/json" }).end(
-                JSON.stringify(
-                  _optionalChain([error, 'access', _50 => _50.toJSON, 'optionalCall', _51 => _51()]) || {
-                    error: "server_error"
+          await new Promise((resolve) => {
+            let body = "";
+            req.on("data", (chunk) => body += chunk);
+            req.on("end", async () => {
+              try {
+                const mockRequest = new Request(
+                  `http://${host}/oauth/consent`,
+                  {
+                    body,
+                    headers: {
+                      "Content-Type": "application/x-www-form-urlencoded"
+                    },
+                    method: "POST"
                   }
-                )
-              );
-            }
+                );
+                const response = await oauthProxy.handleConsent(mockRequest);
+                const location = response.headers.get("Location");
+                if (location) {
+                  res.writeHead(response.status, { Location: location }).end();
+                } else {
+                  const text = await response.text();
+                  res.writeHead(response.status).end(text);
+                }
+              } catch (error) {
+                res.writeHead(400, { "Content-Type": "application/json" }).end(
+                  JSON.stringify(
+                    _optionalChain([error, 'access', _50 => _50.toJSON, 'optionalCall', _51 => _51()]) || {
+                      error: "server_error"
+                    }
+                  )
+                );
+              }
+              resolve();
+            });
           });
           return;
         }
         if (req.method === "POST" && url2.pathname === "/oauth/token") {
-          let body = "";
-          req.on("data", (chunk) => body += chunk);
-          req.on("end", async () => {
-            try {
-              const params = new URLSearchParams(body);
-              const grantType = params.get("grant_type");
-              const basicAuth = parseBasicAuthHeader(req.headers.authorization);
-              const clientId = _optionalChain([basicAuth, 'optionalAccess', _52 => _52.clientId]) || params.get("client_id") || "";
-              const clientSecret = _nullishCoalesce(_nullishCoalesce(_optionalChain([basicAuth, 'optionalAccess', _53 => _53.clientSecret]), () => ( params.get("client_secret"))), () => ( void 0));
-              let response;
-              if (grantType === "authorization_code") {
-                response = await oauthProxy.exchangeAuthorizationCode({
-                  client_id: clientId,
-                  client_secret: clientSecret,
-                  code: params.get("code") || "",
-                  code_verifier: params.get("code_verifier") || void 0,
-                  grant_type: "authorization_code",
-                  redirect_uri: params.get("redirect_uri") || ""
-                });
-              } else if (grantType === "refresh_token") {
-                response = await oauthProxy.exchangeRefreshToken({
-                  client_id: clientId,
-                  client_secret: clientSecret,
-                  grant_type: "refresh_token",
-                  refresh_token: params.get("refresh_token") || "",
-                  scope: params.get("scope") || void 0
-                });
-              } else {
-                throw {
-                  statusCode: 400,
-                  toJSON: () => ({ error: "unsupported_grant_type" })
-                };
+          await new Promise((resolve) => {
+            let body = "";
+            req.on("data", (chunk) => body += chunk);
+            req.on("end", async () => {
+              try {
+                const params = new URLSearchParams(body);
+                const grantType = params.get("grant_type");
+                const basicAuth = parseBasicAuthHeader(
+                  req.headers.authorization
+                );
+                const clientId = _optionalChain([basicAuth, 'optionalAccess', _52 => _52.clientId]) || params.get("client_id") || "";
+                const clientSecret = _nullishCoalesce(_nullishCoalesce(_optionalChain([basicAuth, 'optionalAccess', _53 => _53.clientSecret]), () => ( params.get("client_secret"))), () => ( void 0));
+                let response;
+                if (grantType === "authorization_code") {
+                  response = await oauthProxy.exchangeAuthorizationCode({
+                    client_id: clientId,
+                    client_secret: clientSecret,
+                    code: params.get("code") || "",
+                    code_verifier: params.get("code_verifier") || void 0,
+                    grant_type: "authorization_code",
+                    redirect_uri: params.get("redirect_uri") || ""
+                  });
+                } else if (grantType === "refresh_token") {
+                  response = await oauthProxy.exchangeRefreshToken({
+                    client_id: clientId,
+                    client_secret: clientSecret,
+                    grant_type: "refresh_token",
+                    refresh_token: params.get("refresh_token") || "",
+                    scope: params.get("scope") || void 0
+                  });
+                } else {
+                  throw {
+                    statusCode: 400,
+                    toJSON: () => ({ error: "unsupported_grant_type" })
+                  };
+                }
+                res.writeHead(200, { "Content-Type": "application/json" }).end(JSON.stringify(response));
+              } catch (error) {
+                const statusCode = error.statusCode || 400;
+                res.writeHead(statusCode, { "Content-Type": "application/json" }).end(
+                  JSON.stringify(
+                    _optionalChain([error, 'access', _54 => _54.toJSON, 'optionalCall', _55 => _55()]) || {
+                      error: "invalid_request"
+                    }
+                  )
+                );
               }
-              res.writeHead(200, { "Content-Type": "application/json" }).end(JSON.stringify(response));
-            } catch (error) {
-              const statusCode = error.statusCode || 400;
-              res.writeHead(statusCode, { "Content-Type": "application/json" }).end(
-                JSON.stringify(
-                  _optionalChain([error, 'access', _54 => _54.toJSON, 'optionalCall', _55 => _55()]) || {
-                    error: "invalid_request"
-                  }
-                )
-              );
-            }
+              resolve();
+            });
           });
           return;
         }
@@ -1971,7 +1985,6 @@ var FastMCP = class extends FastMCPEventEmitter {
         return;
       }
     }
-    res.writeHead(404).end();
   };
   /**
    * Converts Node.js IncomingMessage to Web Request for Hono
@@ -2107,4 +2120,4 @@ var FastMCP = class extends FastMCPEventEmitter {
 
 
 exports.DiscoveryDocumentCache = DiscoveryDocumentCache; exports.imageContent = imageContent; exports.audioContent = audioContent; exports.UnexpectedStateError = UnexpectedStateError; exports.UserError = UserError; exports.ServerState = ServerState; exports.FastMCPSession = FastMCPSession; exports.FastMCP = FastMCP;
-//# sourceMappingURL=chunk-JP7QSER3.cjs.map
+//# sourceMappingURL=chunk-EXZZ3NKL.cjs.map