fastmcp 4.0.1 → 4.0.2

package/README.md

@@ -2270,3 +2270,5 @@ Refer to this [issue](https://github.com/punkpeye/fastmcp/issues/25#issuecomment
 - FastMCP is inspired by the [Python implementation](https://github.com/jlowin/fastmcp) by [Jonathan Lowin](https://github.com/jlowin).
 - Parts of codebase were adopted from [LiteMCP](https://github.com/wong2/litemcp).
 - Parts of codebase were adopted from [Model Context protocolでSSEをやってみる](https://dev.classmethod.jp/articles/mcp-sse/).
+
+This project is tested with BrowserStack.

package/dist/FastMCP.cjs

@@ -20,7 +20,7 @@ var _chunkEXZZ3NKLcjs = require('./chunk-EXZZ3NKL.cjs');
 
 
 
-var _chunkSSVFQCSNcjs = require('./chunk-SSVFQCSN.cjs');
+var _chunkOARN6YYKcjs = require('./chunk-OARN6YYK.cjs');
 
 
 
@@ -41,5 +41,5 @@ var _chunkSSVFQCSNcjs = require('./chunk-SSVFQCSN.cjs');
 
 
 
-exports.AuthProvider = _chunkSSVFQCSNcjs.AuthProvider; exports.AzureProvider = _chunkSSVFQCSNcjs.AzureProvider; exports.DiscoveryDocumentCache = _chunkEXZZ3NKLcjs.DiscoveryDocumentCache; exports.FastMCP = _chunkEXZZ3NKLcjs.FastMCP; exports.FastMCPSession = _chunkEXZZ3NKLcjs.FastMCPSession; exports.GitHubProvider = _chunkSSVFQCSNcjs.GitHubProvider; exports.GoogleProvider = _chunkSSVFQCSNcjs.GoogleProvider; exports.OAuthProvider = _chunkSSVFQCSNcjs.OAuthProvider; exports.ServerState = _chunkEXZZ3NKLcjs.ServerState; exports.UnexpectedStateError = _chunkEXZZ3NKLcjs.UnexpectedStateError; exports.UserError = _chunkEXZZ3NKLcjs.UserError; exports.audioContent = _chunkEXZZ3NKLcjs.audioContent; exports.getAuthSession = _chunkSSVFQCSNcjs.getAuthSession; exports.imageContent = _chunkEXZZ3NKLcjs.imageContent; exports.requireAll = _chunkSSVFQCSNcjs.requireAll; exports.requireAny = _chunkSSVFQCSNcjs.requireAny; exports.requireAuth = _chunkSSVFQCSNcjs.requireAuth; exports.requireRole = _chunkSSVFQCSNcjs.requireRole; exports.requireScopes = _chunkSSVFQCSNcjs.requireScopes;
+exports.AuthProvider = _chunkOARN6YYKcjs.AuthProvider; exports.AzureProvider = _chunkOARN6YYKcjs.AzureProvider; exports.DiscoveryDocumentCache = _chunkEXZZ3NKLcjs.DiscoveryDocumentCache; exports.FastMCP = _chunkEXZZ3NKLcjs.FastMCP; exports.FastMCPSession = _chunkEXZZ3NKLcjs.FastMCPSession; exports.GitHubProvider = _chunkOARN6YYKcjs.GitHubProvider; exports.GoogleProvider = _chunkOARN6YYKcjs.GoogleProvider; exports.OAuthProvider = _chunkOARN6YYKcjs.OAuthProvider; exports.ServerState = _chunkEXZZ3NKLcjs.ServerState; exports.UnexpectedStateError = _chunkEXZZ3NKLcjs.UnexpectedStateError; exports.UserError = _chunkEXZZ3NKLcjs.UserError; exports.audioContent = _chunkEXZZ3NKLcjs.audioContent; exports.getAuthSession = _chunkOARN6YYKcjs.getAuthSession; exports.imageContent = _chunkEXZZ3NKLcjs.imageContent; exports.requireAll = _chunkOARN6YYKcjs.requireAll; exports.requireAny = _chunkOARN6YYKcjs.requireAny; exports.requireAuth = _chunkOARN6YYKcjs.requireAuth; exports.requireRole = _chunkOARN6YYKcjs.requireRole; exports.requireScopes = _chunkOARN6YYKcjs.requireScopes;
 //# sourceMappingURL=FastMCP.cjs.map

package/dist/FastMCP.d.cts

@@ -10,8 +10,8 @@ import { Hono } from 'hono';
 import http from 'http';
 import { StrictEventEmitter } from 'strict-event-emitter-types';
 import { z } from 'zod';
-import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-BV6EpF_k.cjs';
-export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-BV6EpF_k.cjs';
+import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-BS7O-cik.cjs';
+export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-BS7O-cik.cjs';
 import 'node:http';
 
 declare class DiscoveryDocumentCache {

package/dist/FastMCP.d.ts

@@ -10,8 +10,8 @@ import { Hono } from 'hono';
 import http from 'http';
 import { StrictEventEmitter } from 'strict-event-emitter-types';
 import { z } from 'zod';
-import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-BV6EpF_k.js';
-export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-BV6EpF_k.js';
+import { A as AuthProvider, O as OAuthSession, a as OAuthProxy } from './OAuthProvider-BS7O-cik.js';
+export { j as AuthProviderConfig, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, d as OAuthProvider, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from './OAuthProvider-BS7O-cik.js';
 import 'node:http';
 
 declare class DiscoveryDocumentCache {

package/dist/FastMCP.js

@@ -20,7 +20,7 @@ import {
   requireAuth,
   requireRole,
   requireScopes
-} from "./chunk-UN72PIH2.js";
+} from "./chunk-HGUUOYR4.js";
 export {
   AuthProvider,
   AzureProvider,

package/dist/{OAuthProvider-BV6EpF_k.d.cts → OAuthProvider-BS7O-cik.d.cts}

@@ -192,15 +192,17 @@ interface OAuthProxyConfig {
      * matches one of these patterns (exact string or glob with `*` / `?`);
      * otherwise the registration is rejected with `invalid_redirect_uri`. Once
      * registered, the same exact URI must be echoed back at /oauth/authorize —
-     * the proxy performs exact string comparison per RFC 6749 §3.1.2.3.
+     * the proxy performs an exact per-client match per RFC 6749 §3.1.2.3.
      *
-     * Default: `[]` (DCR rejects everything — explicit opt-in required).
+     * Behaviour by value:
+     *   - `undefined` (default): allow `http://localhost:*` and `http://127.0.0.1:*`
+     *     only. Covers the standard MCP use-case of dynamic loopback ports.
+     *   - `[]` (empty array): DCR rejects every URI — use for deployments that
+     *     configure patterns explicitly and want no implicit fallback.
+     *   - `["pattern", ...]`: accept URIs matching any glob pattern in the list.
      *
-     * Prior versions defaulted to `["https://*", "http://localhost:*"]` with an
-     * implicit fallback that allowed any https URL. This enabled CWE-601
-     * open-redirect / authorization-code theft: an attacker could DCR their own
-     * URL and then steal victim codes via /oauth/authorize. Do not loosen this
-     * default without understanding that threat model.
+     * Do not widen the default beyond loopback addresses — allowing arbitrary
+     * https URLs enables CWE-601 open-redirect / authorization-code theft.
      */
     allowedRedirectUriPatterns?: string[];
     /** Authorization code TTL in seconds (default: 300) */
@@ -293,14 +295,16 @@ interface PKCEPair {
  * Dynamic client registration data
  */
 interface ProxyDCRClient {
-    /** Registered callback URL */
+    /** Primary (first) registered callback URL */
     callbackUrl: string;
-    /** Generated or assigned client ID */
+    /** Proxy-issued client ID (not the upstream provider's client_id) */
     clientId: string;
-    /** Client secret (optional) */
+    /** Proxy-issued client secret (not the upstream provider's client_secret) */
     clientSecret?: string;
     /** Client metadata from registration request */
     metadata?: DCRClientMetadata;
+    /** All redirect URIs registered by this client */
+    redirectUris: string[];
     /** Client registration timestamp */
     registeredAt: Date;
 }
@@ -419,7 +423,10 @@ declare class OAuthProxy {
     private config;
     private consentManager;
     private jwtIssuer?;
+    /** Keyed by redirect_uri for defence-in-depth checks in handleCallback/handleConsent */
     private registeredClients;
+    /** Keyed by proxy-issued client_id for authorize/token-exchange lookups */
+    private registeredClientsByClientId;
     private tokenStorage;
     private transactions;
     constructor(config: OAuthProxyConfig);
@@ -566,14 +573,17 @@ declare class OAuthProxy {
     /**
      * Validate a redirect URI against the configured allow-list.
      *
-     * Returns `true` only if the URI is syntactically valid AND matches one of
-     * the explicitly configured `allowedRedirectUriPatterns`. An empty or unset
-     * pattern list means DCR will reject every URI — framework users must
-     * opt-in by listing the exact URIs (or wildcards) they trust.
+     * Behaviour by configuration value:
+     *   - `undefined` (not set): allow localhost/127.0.0.1 only — safe default
+     *     that covers the common MCP use-case of dynamic loopback ports without
+     *     opening the proxy to arbitrary redirect URIs.
+     *   - `[]` (empty array): reject every URI — opt-in strict mode for deployments
+     *     that want full control and will configure patterns explicitly.
+     *   - `["pattern", ...]`: accept URIs matching any of the glob patterns.
      *
-     * Prior versions also fell back to allowing any https URL or localhost,
-     * which enabled attackers to DCR an arbitrary URL and then abuse it via
-     * /oauth/authorize (CWE-601). Do not re-introduce that fallback.
+     * Prior versions defaulted to `["https://*", "http://localhost:*"]` which
+     * matched any https URL, enabling CWE-601 open-redirect / authorization-code
+     * theft. Do not loosen the default beyond loopback addresses.
      */
     private validateRedirectUri;
 }

package/dist/{OAuthProvider-BV6EpF_k.d.ts → OAuthProvider-BS7O-cik.d.ts}

@@ -192,15 +192,17 @@ interface OAuthProxyConfig {
      * matches one of these patterns (exact string or glob with `*` / `?`);
      * otherwise the registration is rejected with `invalid_redirect_uri`. Once
      * registered, the same exact URI must be echoed back at /oauth/authorize —
-     * the proxy performs exact string comparison per RFC 6749 §3.1.2.3.
+     * the proxy performs an exact per-client match per RFC 6749 §3.1.2.3.
      *
-     * Default: `[]` (DCR rejects everything — explicit opt-in required).
+     * Behaviour by value:
+     *   - `undefined` (default): allow `http://localhost:*` and `http://127.0.0.1:*`
+     *     only. Covers the standard MCP use-case of dynamic loopback ports.
+     *   - `[]` (empty array): DCR rejects every URI — use for deployments that
+     *     configure patterns explicitly and want no implicit fallback.
+     *   - `["pattern", ...]`: accept URIs matching any glob pattern in the list.
      *
-     * Prior versions defaulted to `["https://*", "http://localhost:*"]` with an
-     * implicit fallback that allowed any https URL. This enabled CWE-601
-     * open-redirect / authorization-code theft: an attacker could DCR their own
-     * URL and then steal victim codes via /oauth/authorize. Do not loosen this
-     * default without understanding that threat model.
+     * Do not widen the default beyond loopback addresses — allowing arbitrary
+     * https URLs enables CWE-601 open-redirect / authorization-code theft.
      */
     allowedRedirectUriPatterns?: string[];
     /** Authorization code TTL in seconds (default: 300) */
@@ -293,14 +295,16 @@ interface PKCEPair {
  * Dynamic client registration data
  */
 interface ProxyDCRClient {
-    /** Registered callback URL */
+    /** Primary (first) registered callback URL */
     callbackUrl: string;
-    /** Generated or assigned client ID */
+    /** Proxy-issued client ID (not the upstream provider's client_id) */
     clientId: string;
-    /** Client secret (optional) */
+    /** Proxy-issued client secret (not the upstream provider's client_secret) */
     clientSecret?: string;
     /** Client metadata from registration request */
     metadata?: DCRClientMetadata;
+    /** All redirect URIs registered by this client */
+    redirectUris: string[];
     /** Client registration timestamp */
     registeredAt: Date;
 }
@@ -419,7 +423,10 @@ declare class OAuthProxy {
     private config;
     private consentManager;
     private jwtIssuer?;
+    /** Keyed by redirect_uri for defence-in-depth checks in handleCallback/handleConsent */
     private registeredClients;
+    /** Keyed by proxy-issued client_id for authorize/token-exchange lookups */
+    private registeredClientsByClientId;
     private tokenStorage;
     private transactions;
     constructor(config: OAuthProxyConfig);
@@ -566,14 +573,17 @@ declare class OAuthProxy {
     /**
      * Validate a redirect URI against the configured allow-list.
      *
-     * Returns `true` only if the URI is syntactically valid AND matches one of
-     * the explicitly configured `allowedRedirectUriPatterns`. An empty or unset
-     * pattern list means DCR will reject every URI — framework users must
-     * opt-in by listing the exact URIs (or wildcards) they trust.
+     * Behaviour by configuration value:
+     *   - `undefined` (not set): allow localhost/127.0.0.1 only — safe default
+     *     that covers the common MCP use-case of dynamic loopback ports without
+     *     opening the proxy to arbitrary redirect URIs.
+     *   - `[]` (empty array): reject every URI — opt-in strict mode for deployments
+     *     that want full control and will configure patterns explicitly.
+     *   - `["pattern", ...]`: accept URIs matching any of the glob patterns.
      *
-     * Prior versions also fell back to allowing any https URL or localhost,
-     * which enabled attackers to DCR an arbitrary URL and then abuse it via
-     * /oauth/authorize (CWE-601). Do not re-introduce that fallback.
+     * Prior versions defaulted to `["https://*", "http://localhost:*"]` which
+     * matched any https URL, enabling CWE-601 open-redirect / authorization-code
+     * theft. Do not loosen the default beyond loopback addresses.
      */
     private validateRedirectUri;
 }

package/dist/auth/index.cjs

@@ -24,7 +24,7 @@
 
 
 
-var _chunkSSVFQCSNcjs = require('../chunk-SSVFQCSN.cjs');
+var _chunkOARN6YYKcjs = require('../chunk-OARN6YYK.cjs');
 
 
 
@@ -51,5 +51,5 @@ var _chunkSSVFQCSNcjs = require('../chunk-SSVFQCSN.cjs');
 
 
 
-exports.AuthProvider = _chunkSSVFQCSNcjs.AuthProvider; exports.AzureProvider = _chunkSSVFQCSNcjs.AzureProvider; exports.ConsentManager = _chunkSSVFQCSNcjs.ConsentManager; exports.DEFAULT_ACCESS_TOKEN_TTL = _chunkSSVFQCSNcjs.DEFAULT_ACCESS_TOKEN_TTL; exports.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH = _chunkSSVFQCSNcjs.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH; exports.DEFAULT_AUTHORIZATION_CODE_TTL = _chunkSSVFQCSNcjs.DEFAULT_AUTHORIZATION_CODE_TTL; exports.DEFAULT_REFRESH_TOKEN_TTL = _chunkSSVFQCSNcjs.DEFAULT_REFRESH_TOKEN_TTL; exports.DEFAULT_TRANSACTION_TTL = _chunkSSVFQCSNcjs.DEFAULT_TRANSACTION_TTL; exports.DiskStore = _chunkSSVFQCSNcjs.DiskStore; exports.EncryptedTokenStorage = _chunkSSVFQCSNcjs.EncryptedTokenStorage; exports.GitHubProvider = _chunkSSVFQCSNcjs.GitHubProvider; exports.GoogleProvider = _chunkSSVFQCSNcjs.GoogleProvider; exports.JWKSVerifier = _chunkSSVFQCSNcjs.JWKSVerifier; exports.JWTIssuer = _chunkSSVFQCSNcjs.JWTIssuer; exports.MemoryTokenStorage = _chunkSSVFQCSNcjs.MemoryTokenStorage; exports.OAuthProvider = _chunkSSVFQCSNcjs.OAuthProvider; exports.OAuthProxy = _chunkSSVFQCSNcjs.OAuthProxy; exports.OAuthProxyError = _chunkSSVFQCSNcjs.OAuthProxyError; exports.PKCEUtils = _chunkSSVFQCSNcjs.PKCEUtils; exports.getAuthSession = _chunkSSVFQCSNcjs.getAuthSession; exports.requireAll = _chunkSSVFQCSNcjs.requireAll; exports.requireAny = _chunkSSVFQCSNcjs.requireAny; exports.requireAuth = _chunkSSVFQCSNcjs.requireAuth; exports.requireRole = _chunkSSVFQCSNcjs.requireRole; exports.requireScopes = _chunkSSVFQCSNcjs.requireScopes;
+exports.AuthProvider = _chunkOARN6YYKcjs.AuthProvider; exports.AzureProvider = _chunkOARN6YYKcjs.AzureProvider; exports.ConsentManager = _chunkOARN6YYKcjs.ConsentManager; exports.DEFAULT_ACCESS_TOKEN_TTL = _chunkOARN6YYKcjs.DEFAULT_ACCESS_TOKEN_TTL; exports.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH = _chunkOARN6YYKcjs.DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH; exports.DEFAULT_AUTHORIZATION_CODE_TTL = _chunkOARN6YYKcjs.DEFAULT_AUTHORIZATION_CODE_TTL; exports.DEFAULT_REFRESH_TOKEN_TTL = _chunkOARN6YYKcjs.DEFAULT_REFRESH_TOKEN_TTL; exports.DEFAULT_TRANSACTION_TTL = _chunkOARN6YYKcjs.DEFAULT_TRANSACTION_TTL; exports.DiskStore = _chunkOARN6YYKcjs.DiskStore; exports.EncryptedTokenStorage = _chunkOARN6YYKcjs.EncryptedTokenStorage; exports.GitHubProvider = _chunkOARN6YYKcjs.GitHubProvider; exports.GoogleProvider = _chunkOARN6YYKcjs.GoogleProvider; exports.JWKSVerifier = _chunkOARN6YYKcjs.JWKSVerifier; exports.JWTIssuer = _chunkOARN6YYKcjs.JWTIssuer; exports.MemoryTokenStorage = _chunkOARN6YYKcjs.MemoryTokenStorage; exports.OAuthProvider = _chunkOARN6YYKcjs.OAuthProvider; exports.OAuthProxy = _chunkOARN6YYKcjs.OAuthProxy; exports.OAuthProxyError = _chunkOARN6YYKcjs.OAuthProxyError; exports.PKCEUtils = _chunkOARN6YYKcjs.PKCEUtils; exports.getAuthSession = _chunkOARN6YYKcjs.getAuthSession; exports.requireAll = _chunkOARN6YYKcjs.requireAll; exports.requireAny = _chunkOARN6YYKcjs.requireAny; exports.requireAuth = _chunkOARN6YYKcjs.requireAuth; exports.requireRole = _chunkOARN6YYKcjs.requireRole; exports.requireScopes = _chunkOARN6YYKcjs.requireScopes;
 //# sourceMappingURL=index.cjs.map

package/dist/auth/index.d.cts

@@ -1,5 +1,5 @@
-import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-BV6EpF_k.cjs';
-export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-BV6EpF_k.cjs';
+import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-BS7O-cik.cjs';
+export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-BS7O-cik.cjs';
 import 'node:http';
 
 /**

package/dist/auth/index.d.ts

@@ -1,5 +1,5 @@
-import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-BV6EpF_k.js';
-export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-BV6EpF_k.js';
+import { p as OAuthTransaction, C as ConsentData, T as TokenStorage, q as TokenVerifier, s as TokenVerificationResult, P as PKCEPair } from '../OAuthProvider-BS7O-cik.js';
+export { A as AuthProvider, j as AuthProviderConfig, y as AuthorizationParams, b as AzureProvider, k as AzureProviderConfig, l as AzureSession, z as ClientCode, B as DCRClientMetadata, E as DCRRequest, F as DCRResponse, D as DEFAULT_ACCESS_TOKEN_TTL, u as DEFAULT_ACCESS_TOKEN_TTL_NO_REFRESH, v as DEFAULT_AUTHORIZATION_CODE_TTL, w as DEFAULT_REFRESH_TOKEN_TTL, x as DEFAULT_TRANSACTION_TTL, m as GenericOAuthProviderConfig, G as GitHubProvider, n as GitHubSession, c as GoogleProvider, o as GoogleSession, H as OAuthError, d as OAuthProvider, I as OAuthProviderConfig, a as OAuthProxy, J as OAuthProxyConfig, t as OAuthProxyError, O as OAuthSession, K as ProxyDCRClient, R as RefreshRequest, L as TokenMapping, M as TokenRequest, N as TokenResponse, U as UpstreamTokenSet, g as getAuthSession, r as requireAll, e as requireAny, f as requireAuth, h as requireRole, i as requireScopes } from '../OAuthProvider-BS7O-cik.js';
 import 'node:http';
 
 /**

package/dist/auth/index.js

@@ -24,7 +24,7 @@ import {
   requireAuth,
   requireRole,
   requireScopes
-} from "../chunk-UN72PIH2.js";
+} from "../chunk-HGUUOYR4.js";
 export {
   AuthProvider,
   AzureProvider,

package/dist/{chunk-UN72PIH2.js → chunk-HGUUOYR4.js}

@@ -858,16 +858,14 @@ var OAuthProxy = class {
   config;
   consentManager;
   jwtIssuer;
+  /** Keyed by redirect_uri for defence-in-depth checks in handleCallback/handleConsent */
   registeredClients = /* @__PURE__ */ new Map();
+  /** Keyed by proxy-issued client_id for authorize/token-exchange lookups */
+  registeredClientsByClientId = /* @__PURE__ */ new Map();
   tokenStorage;
   transactions = /* @__PURE__ */ new Map();
   constructor(config) {
     this.config = {
-      // Empty by default. Framework users must explicitly configure the URIs they
-      // trust, per RFC 6819 §4.1.5. The previous default (`["https://*", "http://localhost:*"]`)
-      // allowed open DCR registration of any https URL, enabling CWE-601 open-redirect
-      // attacks against /oauth/authorize.
-      allowedRedirectUriPatterns: [],
       authorizationCodeTtl: DEFAULT_AUTHORIZATION_CODE_TTL,
       consentRequired: true,
       enableTokenSwap: true,
@@ -917,10 +915,13 @@ var OAuthProxy = class {
         "Only 'code' response type is supported"
       );
     }
-    if (params.client_id !== this.config.upstreamClientId) {
+    const registeredClient = this.registeredClientsByClientId.get(
+      params.client_id
+    );
+    if (!registeredClient) {
       throw new OAuthProxyError("invalid_client", "Unknown client_id");
     }
-    if (!this.registeredClients.has(params.redirect_uri)) {
+    if (!registeredClient.redirectUris.includes(params.redirect_uri)) {
       throw new OAuthProxyError(
         "invalid_request",
         "redirect_uri is not registered for this client"
@@ -952,6 +953,7 @@ var OAuthProxy = class {
     this.transactions.clear();
     this.clientCodes.clear();
     this.registeredClients.clear();
+    this.registeredClientsByClientId.clear();
   }
   /**
    * Token endpoint - exchange authorization code for tokens
@@ -963,7 +965,7 @@ var OAuthProxy = class {
         "Only authorization_code grant type is supported"
       );
     }
-    if (request.client_id !== this.config.upstreamClientId) {
+    if (!this.registeredClientsByClientId.has(request.client_id)) {
       throw new OAuthProxyError("invalid_client", "Unknown client_id");
     }
     const clientCode = this.clientCodes.get(request.code);
@@ -1185,11 +1187,12 @@ var OAuthProxy = class {
         );
       }
     }
-    const clientId = this.config.upstreamClientId;
+    const proxyClientId = randomBytes4(16).toString("hex");
+    const proxyClientSecret = randomBytes4(32).toString("base64url");
     const client = {
       callbackUrl: request.redirect_uris[0],
-      clientId,
-      clientSecret: this.config.upstreamClientSecret,
+      clientId: proxyClientId,
+      clientSecret: proxyClientSecret,
       metadata: {
         client_name: request.client_name,
         client_uri: request.client_uri,
@@ -1203,17 +1206,19 @@ var OAuthProxy = class {
         software_version: request.software_version,
         tos_uri: request.tos_uri
       },
+      redirectUris: request.redirect_uris,
       registeredAt: /* @__PURE__ */ new Date()
     };
+    this.registeredClientsByClientId.set(proxyClientId, client);
     for (const uri of request.redirect_uris) {
       this.registeredClients.set(uri, client);
     }
     const response = {
-      client_id: clientId,
+      client_id: proxyClientId,
       client_id_issued_at: Math.floor(Date.now() / 1e3),
       // Echo back optional metadata
       client_name: request.client_name,
-      client_secret: this.config.upstreamClientSecret,
+      client_secret: proxyClientSecret,
       client_secret_expires_at: 0,
       // Never expires
       client_uri: request.client_uri,
@@ -1812,14 +1817,17 @@ var OAuthProxy = class {
   /**
    * Validate a redirect URI against the configured allow-list.
    *
-   * Returns `true` only if the URI is syntactically valid AND matches one of
-   * the explicitly configured `allowedRedirectUriPatterns`. An empty or unset
-   * pattern list means DCR will reject every URI — framework users must
-   * opt-in by listing the exact URIs (or wildcards) they trust.
+   * Behaviour by configuration value:
+   *   - `undefined` (not set): allow localhost/127.0.0.1 only — safe default
+   *     that covers the common MCP use-case of dynamic loopback ports without
+   *     opening the proxy to arbitrary redirect URIs.
+   *   - `[]` (empty array): reject every URI — opt-in strict mode for deployments
+   *     that want full control and will configure patterns explicitly.
+   *   - `["pattern", ...]`: accept URIs matching any of the glob patterns.
    *
-   * Prior versions also fell back to allowing any https URL or localhost,
-   * which enabled attackers to DCR an arbitrary URL and then abuse it via
-   * /oauth/authorize (CWE-601). Do not re-introduce that fallback.
+   * Prior versions defaulted to `["https://*", "http://localhost:*"]` which
+   * matched any https URL, enabling CWE-601 open-redirect / authorization-code
+   * theft. Do not loosen the default beyond loopback addresses.
    */
   validateRedirectUri(uri) {
     try {
@@ -1827,11 +1835,17 @@ var OAuthProxy = class {
     } catch {
       return false;
     }
-    const patterns = this.config.allowedRedirectUriPatterns || [];
-    if (patterns.length === 0) {
+    const patterns = this.config.allowedRedirectUriPatterns;
+    if (Array.isArray(patterns) && patterns.length === 0) {
       return false;
     }
-    return patterns.some((pattern) => this.matchesPattern(uri, pattern));
+    const effectivePatterns = patterns ?? [
+      "http://localhost:*",
+      "http://127.0.0.1:*"
+    ];
+    return effectivePatterns.some(
+      (pattern) => this.matchesPattern(uri, pattern)
+    );
   }
 };
 var OAuthProxyError = class extends Error {
@@ -2378,4 +2392,4 @@ export {
   DiskStore,
   JWKSVerifier
 };
-//# sourceMappingURL=chunk-UN72PIH2.js.map
+//# sourceMappingURL=chunk-HGUUOYR4.js.map