icode-mcp-adapter 1.0.6 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/transport/fastifyAdapter.js +4 -2
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "icode-mcp-adapter",
3
- "version": "1.0.6",
3
+ "version": "1.0.7",
4
4
  "description": "Dynamic MCP server adapter — auto-generates CRUD tools from schema configs. Plugs into icode-server via Fastify or runs standalone.",
5
5
  "type": "module",
6
6
  "main": "src/engine/McpEngine.js",
package/src/transport/fastifyAdapter.js CHANGED
@@ -49,11 +49,13 @@ function readBearer(req) {
49
49
  return /^bearer$/i.test(scheme) && token ? token.trim() : null;
50
50
  }
51
51
 
52
- /** MCP-spec 401 — points the client at the protected-resource metadata (Login with icode). */
52
+ /** MCP-spec 401 — points the client at the PER-RESOURCE metadata (RFC 9728), keeping the
53
+ * MCP path in the URL so the auth server knows which app/env is being authorized. */
53
54
  function unauthorized(req, reply) {
54
55
  const proto = req.headers['x-forwarded-proto'] || req.protocol || 'https';
55
56
  const host = req.headers['x-forwarded-host'] || req.headers.host;
56
- reply.header('WWW-Authenticate', `Bearer resource_metadata="${proto}://${host}/.well-known/oauth-protected-resource"`);
57
+ const path = (req.url || '').split('?')[0]; // e.g. /v1/mcp/paaal4--dev
58
+ reply.header('WWW-Authenticate', `Bearer resource_metadata="${proto}://${host}/.well-known/oauth-protected-resource${path}"`);
57
59
  return reply.code(401).send({
58
60
  jsonrpc: '2.0',
59
61
  error: { code: -32001, message: 'Authentication required' },