mcp-auth-wrapper 1.0.0 → 1.0.3
- package/dist/server.js +10 -1
- package/package.json +1 -1
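--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -103,12 +103,21 @@ const createApp = (config, pool, provider, oidcClient, store) => {
 }
 });
 });
-// OAuth routes (discovery, token, register, revoke — /authorize is handled above)
+// OAuth routes (discovery, token, register, revoke — /authorize is handled above).
+// Rate limiting is disabled: the MCP SDK defaults conflict with reverse proxies
+// (X-Forwarded-For / trust proxy issues), and it's unnecessary here because all
+// auth codes and tokens are AES-256-GCM sealed blobs with fresh random IVs and
+// mandatory PKCE — brute forcing is cryptographically infeasible.
+const noRateLimit = { rateLimit: false };
 app.use((0, router_js_1.mcpAuthRouter)({
 provider,
 issuerUrl,
 baseUrl: issuerUrl,
 resourceServerUrl: mcpUrl,
+tokenOptions: noRateLimit,
+authorizationOptions: noRateLimit,
+clientRegistrationOptions: noRateLimit,
+revocationOptions: noRateLimit,
 }));
 // Upstream OIDC callback
 app.get('/callback', async (req, res) => {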
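Review bot: Passing `noRateLimit` to `clientRegistrationOptions` (and to the token, authorization and revocation options alongside it) removes the only backpressure on an unauthenticated endpoint; the added comment justifies this by arguing that brute-forcing sealed tokens is infeasible, but that argument does not cover resource exhaustion, since dynamic client registration can be invoked by anyone at line rate and presumably persists each registration via `store` or `pool` — confirm against the handler. The reverse-proxy conflict the comment cites is a client-IP attribution problem that is normally solved by configuring Express rather than by dropping the limiter, e.g. `app.set('trust proxy', 1)` when exactly one proxy sits in front of the app, so the limiter keys on the forwarded client address instead of the proxy's. If the token endpoint genuinely needs the limit off, consider keeping a configured limiter on registration by passing a limiter options object in place of `false` for that route only, and amending the comment to state the DoS trade-off explicitly rather than only the brute-force reasoning. The enclosing `createApp` body starts and ends outside the hunk.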
package/package.json
CHANGED