mcp-auth-wrapper 1.0.1 → 1.0.3

package/dist/server.js

@@ -65,7 +65,6 @@ const createProxyServer = (pool, store, userId, config, baseUrl, accessToken) =>
 };
 const createApp = (config, pool, provider, oidcClient, store) => {
     const app = (0, express_1.default)();
-    app.set('trust proxy', 1);
     const baseUrl = config.issuerUrl ?? `http://localhost:${config.port ?? 3000}`;
     const issuerUrl = new URL(baseUrl);
     const mcpUrl = new URL('/mcp', issuerUrl);
@@ -104,12 +103,21 @@ const createApp = (config, pool, provider, oidcClient, store) => {
             }
         });
     });
-    // OAuth routes (discovery, token, register, revoke — /authorize is handled above)
+    // OAuth routes (discovery, token, register, revoke — /authorize is handled above).
+    // Rate limiting is disabled: the MCP SDK defaults conflict with reverse proxies
+    // (X-Forwarded-For / trust proxy issues), and it's unnecessary here because all
+    // auth codes and tokens are AES-256-GCM sealed blobs with fresh random IVs and
+    // mandatory PKCE — brute forcing is cryptographically infeasible.
+    const noRateLimit = { rateLimit: false };
     app.use((0, router_js_1.mcpAuthRouter)({
         provider,
         issuerUrl,
         baseUrl: issuerUrl,
         resourceServerUrl: mcpUrl,
+        tokenOptions: noRateLimit,
+        authorizationOptions: noRateLimit,
+        clientRegistrationOptions: noRateLimit,
+        revocationOptions: noRateLimit,
     }));
     // Upstream OIDC callback
     app.get('/callback', async (req, res) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-auth-wrapper",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "Wrap any stdio MCP server with per-user auth, exposing it as a streamable HTTP endpoint.",
   "license": "MIT",
   "author": "Adam Jones (domdomegg)",