mcp-auth-wrapper 1.0.1 → 1.0.3

Files changed (2) hide show
  1. package/dist/server.js +10 -2
  2. package/package.json +1 -1
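--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -65,7 +65,6 @@ const createProxyServer = (pool, store, userId, config, baseUrl, accessToken) =>
  };
  const createApp = (config, pool, provider, oidcClient, store) => {
  const app = (0, express_1.default)();
- app.set('trust proxy', 1);
  const baseUrl = config.issuerUrl ?? `http://localhost:${config.port ?? 3000}`;
  const issuerUrl = new URL(baseUrl);
  const mcpUrl = new URL('/mcp', issuerUrl);
@@ -104,12 +103,21 @@ const createApp = (config, pool, provider, oidcClient, store) => {
  }
  });
  });
- // OAuth routes (discovery, token, register, revoke — /authorize is handled above)
+ // OAuth routes (discovery, token, register, revoke — /authorize is handled above).
+ // Rate limiting is disabled: the MCP SDK defaults conflict with reverse proxies
+ // (X-Forwarded-For / trust proxy issues), and it's unnecessary here because all
+ // auth codes and tokens are AES-256-GCM sealed blobs with fresh random IVs and
+ // mandatory PKCE — brute forcing is cryptographically infeasible.
+ const noRateLimit = { rateLimit: false };
  app.use((0, router_js_1.mcpAuthRouter)({
  provider,
  issuerUrl,
  baseUrl: issuerUrl,
  resourceServerUrl: mcpUrl,
+ tokenOptions: noRateLimit,
+ authorizationOptions: noRateLimit,
+ clientRegistrationOptions: noRateLimit,
+ revocationOptions: noRateLimit,
  }));
  // Upstream OIDC callback
  app.get('/callback', async (req, res) => {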
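Review bot: The comment added above `noRateLimit` justifies removing throttling by the infeasibility of guessing sealed codes and tokens, but the same `{ rateLimit: false }` is also passed as `clientRegistrationOptions` and `revocationOptions`, where the exposure is request volume on what are presumably unauthenticated endpoints, not guessing. If throttling is meant to be the reverse proxy's job, the comment should state that as a deployment requirement, e.g. `// Request throttling must be enforced by the reverse proxy; no limits are applied in-process.` Keeping an in-process limiter on registration instead would need the `trust proxy` value made configurable rather than removed as in the first hunk, since the comment itself names that setting as the source of the conflict. With `app.set('trust proxy', 1)` gone, `req.ip` will presumably be the proxy's address in proxied deployments, which matters for any logging or IP-based control in the part of `createApp` that lies outside these hunks.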
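--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "mcp-auth-wrapper",
- "version": "1.0.1",
+ "version": "1.0.3",
  "description": "Wrap any stdio MCP server with per-user auth, exposing it as a streamable HTTP endpoint.",
  "license": "MIT",
  "author": "Adam Jones (domdomegg)",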