mcp-proxy 5.11.2 → 5.12.1

package/jsr.json

@@ -3,5 +3,5 @@
   "include": ["src/index.ts", "src/bin/mcp-proxy.ts"],
   "license": "MIT",
   "name": "@punkpeye/mcp-proxy",
-  "version": "5.11.2"
+  "version": "5.12.1"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-proxy",
-  "version": "5.11.2",
+  "version": "5.12.1",
   "main": "dist/index.js",
   "scripts": {
     "build": "tsdown",
@@ -38,27 +38,27 @@
     ]
   },
   "devDependencies": {
-    "@eslint/js": "^9.36.0",
-    "@modelcontextprotocol/sdk": "^1.18.1",
-    "@sebbo2002/semantic-release-jsr": "^3.0.1",
-    "@tsconfig/node22": "^22.0.2",
-    "@types/express": "^5.0.3",
-    "@types/node": "^24.5.2",
-    "@types/yargs": "^17.0.33",
-    "eslint": "^9.36.0",
+    "@eslint/js": "^9.39.1",
+    "@modelcontextprotocol/sdk": "^1.24.3",
+    "@sebbo2002/semantic-release-jsr": "^3.1.0",
+    "@tsconfig/node22": "^22.0.5",
+    "@types/express": "^5.0.6",
+    "@types/node": "^24.10.1",
+    "@types/yargs": "^17.0.35",
+    "eslint": "^9.39.1",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-perfectionist": "^4.15.0",
-    "eventsource": "^4.0.0",
-    "express": "^5.0.1",
+    "eslint-plugin-perfectionist": "^4.15.1",
+    "eventsource": "^4.1.0",
+    "express": "^5.2.1",
     "get-port-please": "^3.2.0",
-    "jiti": "^2.5.1",
+    "jiti": "^2.6.1",
     "jsr": "^0.13.5",
-    "prettier": "^3.6.2",
-    "semantic-release": "^24.2.8",
-    "tsdown": "^0.15.2",
-    "tsx": "^4.20.5",
-    "typescript": "^5.9.2",
-    "typescript-eslint": "^8.44.0",
+    "prettier": "^3.7.4",
+    "semantic-release": "^24.2.9",
+    "tsdown": "^0.15.12",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.48.1",
     "vitest": "^3.2.4",
     "yargs": "^18.0.0"
   },

package/src/InMemoryEventStore.test.ts

@@ -8,7 +8,7 @@ describe("InMemoryEventStore", () => {
   it("stores events and replays them after a specific event ID", async () => {
     const store = new InMemoryEventStore();
     const streamId = "test-stream-123";
-    
+
     // Create test messages
     const messages: JSONRPCMessage[] = [
       { id: 1, jsonrpc: "2.0", method: "initialize" },
@@ -17,7 +17,7 @@ describe("InMemoryEventStore", () => {
       { id: 3, jsonrpc: "2.0", result: { success: true } },
       { id: 4, jsonrpc: "2.0", method: "shutdown" },
     ];
-    
+
     // Store all events and keep track of event IDs
     // Add small delays to ensure different timestamps for proper ordering
     const eventIds: string[] = [];
@@ -26,32 +26,33 @@ describe("InMemoryEventStore", () => {
       expect(eventId).toContain(streamId);
       eventIds.push(eventId);
       // Small delay to ensure different timestamps
-      await new Promise(resolve => setTimeout(resolve, 1));
+      await new Promise((resolve) => setTimeout(resolve, 1));
     }
-    
+
     // Test replaying events after the second event
-    const replayedEvents: Array<{ eventId: string; message: JSONRPCMessage }> = [];
+    const replayedEvents: Array<{ eventId: string; message: JSONRPCMessage }> =
+      [];
     const sendMock = vi.fn(async (eventId: string, message: JSONRPCMessage) => {
       replayedEvents.push({ eventId, message });
     });
-    
+
     const returnedStreamId = await store.replayEventsAfter(
       eventIds[1], // Replay after the second event
-      { send: sendMock }
+      { send: sendMock },
     );
-    
+
     // Verify the correct stream ID was returned
     expect(returnedStreamId).toBe(streamId);
-    
+
     // Verify that events 3, 4, and 5 were replayed (after event 2)
     expect(replayedEvents).toHaveLength(3);
     expect(sendMock).toHaveBeenCalledTimes(3);
-    
+
     // Verify the replayed messages are correct and in order
     expect(replayedEvents[0].message).toEqual(messages[2]);
     expect(replayedEvents[1].message).toEqual(messages[3]);
     expect(replayedEvents[2].message).toEqual(messages[4]);
-    
+
     // Verify event IDs are preserved
     expect(replayedEvents[0].eventId).toBe(eventIds[2]);
     expect(replayedEvents[1].eventId).toBe(eventIds[3]);
@@ -62,99 +63,106 @@ describe("InMemoryEventStore", () => {
     const store = new InMemoryEventStore();
     const streamId1 = "stream-alpha";
     const streamId2 = "stream-beta";
-    
+
     // Create messages for two different streams
     const stream1Messages: JSONRPCMessage[] = [
       { id: 1, jsonrpc: "2.0", method: "stream1.init" },
       { id: 2, jsonrpc: "2.0", method: "stream1.process" },
       { id: 3, jsonrpc: "2.0", method: "stream1.complete" },
     ];
-    
+
     const stream2Messages: JSONRPCMessage[] = [
       { id: 10, jsonrpc: "2.0", method: "stream2.init" },
       { id: 20, jsonrpc: "2.0", method: "stream2.process" },
       { id: 30, jsonrpc: "2.0", method: "stream2.complete" },
     ];
-    
+
     // Interleave storing events from both streams with small delays
     const stream1EventIds: string[] = [];
     const stream2EventIds: string[] = [];
-    
+
     // Store first event from each stream
     stream1EventIds.push(await store.storeEvent(streamId1, stream1Messages[0]));
-    await new Promise(resolve => setTimeout(resolve, 1));
+    await new Promise((resolve) => setTimeout(resolve, 1));
     stream2EventIds.push(await store.storeEvent(streamId2, stream2Messages[0]));
-    await new Promise(resolve => setTimeout(resolve, 1));
-    
+    await new Promise((resolve) => setTimeout(resolve, 1));
+
     // Store second event from each stream
     stream1EventIds.push(await store.storeEvent(streamId1, stream1Messages[1]));
-    await new Promise(resolve => setTimeout(resolve, 1));
+    await new Promise((resolve) => setTimeout(resolve, 1));
     stream2EventIds.push(await store.storeEvent(streamId2, stream2Messages[1]));
-    await new Promise(resolve => setTimeout(resolve, 1));
-    
+    await new Promise((resolve) => setTimeout(resolve, 1));
+
     // Store third event from each stream
     stream1EventIds.push(await store.storeEvent(streamId1, stream1Messages[2]));
-    await new Promise(resolve => setTimeout(resolve, 1));
+    await new Promise((resolve) => setTimeout(resolve, 1));
     stream2EventIds.push(await store.storeEvent(streamId2, stream2Messages[2]));
-    
+
     // Replay events from stream 1 after its first event
-    const stream1ReplayedEvents: Array<{ eventId: string; message: JSONRPCMessage }> = [];
-    const stream1SendMock = vi.fn(async (eventId: string, message: JSONRPCMessage) => {
-      stream1ReplayedEvents.push({ eventId, message });
-    });
-    
+    const stream1ReplayedEvents: Array<{
+      eventId: string;
+      message: JSONRPCMessage;
+    }> = [];
+    const stream1SendMock = vi.fn(
+      async (eventId: string, message: JSONRPCMessage) => {
+        stream1ReplayedEvents.push({ eventId, message });
+      },
+    );
+
     const returnedStreamId1 = await store.replayEventsAfter(
       stream1EventIds[0],
-      { send: stream1SendMock }
+      { send: stream1SendMock },
     );
-    
+
     // Verify only stream 1 events were replayed
     expect(returnedStreamId1).toBe(streamId1);
     expect(stream1ReplayedEvents).toHaveLength(2);
     expect(stream1ReplayedEvents[0].message).toEqual(stream1Messages[1]);
     expect(stream1ReplayedEvents[1].message).toEqual(stream1Messages[2]);
-    
+
     // Verify no stream 2 events were included
     for (const event of stream1ReplayedEvents) {
       expect(event.eventId).toContain(streamId1);
       expect(event.eventId).not.toContain(streamId2);
     }
-    
+
     // Now replay events from stream 2 after its first event
-    const stream2ReplayedEvents: Array<{ eventId: string; message: JSONRPCMessage }> = [];
-    const stream2SendMock = vi.fn(async (eventId: string, message: JSONRPCMessage) => {
-      stream2ReplayedEvents.push({ eventId, message });
-    });
-    
+    const stream2ReplayedEvents: Array<{
+      eventId: string;
+      message: JSONRPCMessage;
+    }> = [];
+    const stream2SendMock = vi.fn(
+      async (eventId: string, message: JSONRPCMessage) => {
+        stream2ReplayedEvents.push({ eventId, message });
+      },
+    );
+
     const returnedStreamId2 = await store.replayEventsAfter(
       stream2EventIds[0],
-      { send: stream2SendMock }
+      { send: stream2SendMock },
     );
-    
+
     // Verify only stream 2 events were replayed
     expect(returnedStreamId2).toBe(streamId2);
     expect(stream2ReplayedEvents).toHaveLength(2);
     expect(stream2ReplayedEvents[0].message).toEqual(stream2Messages[1]);
     expect(stream2ReplayedEvents[1].message).toEqual(stream2Messages[2]);
-    
+
     // Verify no stream 1 events were included
     for (const event of stream2ReplayedEvents) {
       expect(event.eventId).toContain(streamId2);
       expect(event.eventId).not.toContain(streamId1);
     }
-    
+
     // Test edge case: replay with non-existent event ID returns empty string
     const invalidResult = await store.replayEventsAfter(
       "non-existent-event-id",
-      { send: vi.fn() }
+      { send: vi.fn() },
     );
     expect(invalidResult).toBe("");
-    
+
     // Test edge case: replay with empty event ID returns empty string
-    const emptyResult = await store.replayEventsAfter(
-      "",
-      { send: vi.fn() }
-    );
+    const emptyResult = await store.replayEventsAfter("", { send: vi.fn() });
     expect(emptyResult).toBe("");
   });
 
@@ -188,12 +196,12 @@ describe("InMemoryEventStore", () => {
 
     const timestampParts = parts.map(([, timestamp]) => timestamp);
     expect(timestampParts).toEqual(
-      Array(messages.length).fill(fixedTimestamp.toString())
+      Array(messages.length).fill(fixedTimestamp.toString()),
     );
 
     const counterSuffixes = parts.map(([, , counter]) => counter);
     expect(counterSuffixes).toEqual(
-      messages.map((_, index) => (index).toString(36).padStart(4, "0"))
+      messages.map((_, index) => index.toString(36).padStart(4, "0")),
     );
 
     // Random parts should be 3 base36 characters each (due to substring(2, 5))
@@ -229,4 +237,4 @@ describe("InMemoryEventStore", () => {
       secondSpy.mockRestore();
     }
   });
-});
+});

package/src/InMemoryEventStore.ts

@@ -81,13 +81,12 @@ export class InMemoryEventStore implements EventStore {
   }
 
   /**
-   * Generates a monotonic unique event ID in 
+   * Generates a monotonic unique event ID in
    * `${streamId}_${timestamp}_${counter}_${random}` format.
    */
   private generateEventId(streamId: string): string {
-
     const now = Date.now();
-    
+
     if (now === this.lastTimestamp) {
       this.lastTimestampCounter++;
     } else {

package/src/authentication.test.ts

@@ -4,7 +4,9 @@ import { describe, expect, it } from "vitest";
 import { AuthenticationMiddleware } from "./authentication.js";
 
 describe("AuthenticationMiddleware", () => {
-  const createMockRequest = (headers: Record<string, string> = {}): IncomingMessage => {
+  const createMockRequest = (
+    headers: Record<string, string> = {},
+  ): IncomingMessage => {
     // Simulate Node.js http module behavior which converts all header names to lowercase
     const lowercaseHeaders: Record<string, string> = {};
     for (const [key, value] of Object.entries(headers)) {
@@ -98,7 +100,9 @@ describe("AuthenticationMiddleware", () => {
 
       const body = JSON.parse(response.body);
       expect(body.error.code).toBe(401);
-      expect(body.error.message).toBe("Unauthorized: Invalid or missing API key");
+      expect(body.error.message).toBe(
+        "Unauthorized: Invalid or missing API key",
+      );
       expect(body.jsonrpc).toBe("2.0");
       expect(body.id).toBe(null);
     });
@@ -207,8 +211,12 @@ describe("AuthenticationMiddleware", () => {
       });
       const response = middleware.getUnauthorizedResponse();
 
-      expect(response.headers["WWW-Authenticate"]).toContain('realm="example-realm"');
-      expect(response.headers["WWW-Authenticate"]).toContain('resource_metadata="https://example.com/.well-known/oauth-protected-resource"');
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'realm="example-realm"',
+      );
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'resource_metadata="https://example.com/.well-known/oauth-protected-resource"',
+      );
     });
 
     it("should include custom error in WWW-Authenticate header via options", () => {
@@ -225,8 +233,12 @@ describe("AuthenticationMiddleware", () => {
         error_description: "The request requires higher privileges",
       });
 
-      expect(response.headers["WWW-Authenticate"]).toContain('error="insufficient_scope"');
-      expect(response.headers["WWW-Authenticate"]).toContain('error_description="The request requires higher privileges"');
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error="insufficient_scope"',
+      );
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error_description="The request requires higher privileges"',
+      );
     });
 
     it("should include scope in WWW-Authenticate header", () => {
@@ -241,7 +253,9 @@ describe("AuthenticationMiddleware", () => {
       });
       const response = middleware.getUnauthorizedResponse();
 
-      expect(response.headers["WWW-Authenticate"]).toContain('scope="read write"');
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'scope="read write"',
+      );
     });
 
     it("should override config error with options error", () => {
@@ -260,10 +274,18 @@ describe("AuthenticationMiddleware", () => {
         error_description: "Options error description",
       });
 
-      expect(response.headers["WWW-Authenticate"]).toContain('error="invalid_token"');
-      expect(response.headers["WWW-Authenticate"]).toContain('error_description="Options error description"');
-      expect(response.headers["WWW-Authenticate"]).not.toContain("invalid_request");
-      expect(response.headers["WWW-Authenticate"]).not.toContain("Config error description");
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error="invalid_token"',
+      );
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error_description="Options error description"',
+      );
+      expect(response.headers["WWW-Authenticate"]).not.toContain(
+        "invalid_request",
+      );
+      expect(response.headers["WWW-Authenticate"]).not.toContain(
+        "Config error description",
+      );
     });
 
     it("should include error_uri in WWW-Authenticate header", () => {
@@ -278,7 +300,9 @@ describe("AuthenticationMiddleware", () => {
       });
       const response = middleware.getUnauthorizedResponse();
 
-      expect(response.headers["WWW-Authenticate"]).toContain('error_uri="https://example.com/errors/auth"');
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error_uri="https://example.com/errors/auth"',
+      );
     });
 
     it("should properly escape quotes in error_description", () => {
@@ -294,7 +318,9 @@ describe("AuthenticationMiddleware", () => {
         error_description: 'Token "abc123" is invalid',
       });
 
-      expect(response.headers["WWW-Authenticate"]).toContain('error_description="Token \\"abc123\\" is invalid"');
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error_description="Token \\"abc123\\" is invalid"',
+      );
     });
 
     it("should include all parameters in correct order", () => {
@@ -315,16 +341,247 @@ describe("AuthenticationMiddleware", () => {
 
       const header = response.headers["WWW-Authenticate"];
       expect(header).toContain('realm="my-realm"');
-      expect(header).toContain('resource_metadata="https://example.com/.well-known/oauth-protected-resource"');
+      expect(header).toContain(
+        'resource_metadata="https://example.com/.well-known/oauth-protected-resource"',
+      );
       expect(header).toContain('error="invalid_token"');
       expect(header).toContain('error_description="Token expired"');
       expect(header).toContain('error_uri="https://example.com/errors"');
       expect(header).toContain('scope="read write"');
 
       // Check order: realm, resource_metadata, error, error_description, error_uri, scope
-      expect(header.indexOf('realm=')).toBeLessThan(header.indexOf('resource_metadata='));
-      expect(header.indexOf('resource_metadata=')).toBeLessThan(header.indexOf('error='));
-      expect(header.indexOf('error=')).toBeLessThan(header.indexOf('error_description='));
+      expect(header.indexOf("realm=")).toBeLessThan(
+        header.indexOf("resource_metadata="),
+      );
+      expect(header.indexOf("resource_metadata=")).toBeLessThan(
+        header.indexOf("error="),
+      );
+      expect(header.indexOf("error=")).toBeLessThan(
+        header.indexOf("error_description="),
+      );
+    });
+  });
+
+  describe("getScopeChallengeResponse", () => {
+    it("should return 403 status code", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(["read", "write"]);
+
+      expect(response.statusCode).toBe(403);
+    });
+
+    it("should include required scopes in WWW-Authenticate header", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(["read", "write"]);
+
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error="insufficient_scope"',
+      );
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'scope="read write"',
+      );
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'resource_metadata="https://example.com/.well-known/oauth-protected-resource"',
+      );
+    });
+
+    it("should include error_description in WWW-Authenticate header", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(
+        ["admin"],
+        "Admin access required",
+      );
+
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error_description="Admin access required"',
+      );
+    });
+
+    it("should escape quotes in error_description", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(
+        ["admin"],
+        'Requires "admin" scope',
+      );
+
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'error_description="Requires \\"admin\\" scope"',
+      );
+    });
+
+    it("should include request ID in response body", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(
+        ["read"],
+        undefined,
+        123,
+      );
+
+      const body = JSON.parse(response.body);
+      expect(body.id).toBe(123);
+    });
+
+    it("should include required scopes in response body data", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(["read", "write"]);
+
+      const body = JSON.parse(response.body);
+      expect(body.error.code).toBe(-32001);
+      expect(body.error.message).toBe("Insufficient scope");
+      expect(body.error.data.error).toBe("insufficient_scope");
+      expect(body.error.data.required_scopes).toEqual(["read", "write"]);
+    });
+
+    it("should use custom error_description in response body message", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(
+        ["admin"],
+        "Admin privileges required",
+      );
+
+      const body = JSON.parse(response.body);
+      expect(body.error.message).toBe("Admin privileges required");
+    });
+
+    it("should handle single scope", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(["admin"]);
+
+      expect(response.headers["WWW-Authenticate"]).toContain('scope="admin"');
+      const body = JSON.parse(response.body);
+      expect(body.error.data.required_scopes).toEqual(["admin"]);
+    });
+
+    it("should handle multiple scopes", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse([
+        "read",
+        "write",
+        "admin",
+      ]);
+
+      expect(response.headers["WWW-Authenticate"]).toContain(
+        'scope="read write admin"',
+      );
+      const body = JSON.parse(response.body);
+      expect(body.error.data.required_scopes).toEqual([
+        "read",
+        "write",
+        "admin",
+      ]);
+    });
+
+    it("should not include WWW-Authenticate header without OAuth config", () => {
+      const middleware = new AuthenticationMiddleware({});
+      const response = middleware.getScopeChallengeResponse(["admin"]);
+
+      expect(response.headers["WWW-Authenticate"]).toBeUndefined();
+      expect(response.headers["Content-Type"]).toBe("application/json");
+    });
+
+    it("should return proper JSON-RPC 2.0 format", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(
+        ["read"],
+        "Description",
+        "req-123",
+      );
+
+      const body = JSON.parse(response.body);
+      expect(body.jsonrpc).toBe("2.0");
+      expect(body.id).toBe("req-123");
+      expect(body.error).toBeDefined();
+      expect(body.error.code).toBe(-32001);
+      expect(body.error.message).toBe("Description");
+      expect(body.error.data).toBeDefined();
+    });
+
+    it("should include Content-Type header", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse(["read"]);
+
+      expect(response.headers["Content-Type"]).toBe("application/json");
+    });
+
+    it("should handle empty scopes array", () => {
+      const middleware = new AuthenticationMiddleware({
+        oauth: {
+          protectedResource: {
+            resource: "https://example.com",
+          },
+        },
+      });
+      const response = middleware.getScopeChallengeResponse([]);
+
+      expect(response.headers["WWW-Authenticate"]).toContain('scope=""');
+      const body = JSON.parse(response.body);
+      expect(body.error.data.required_scopes).toEqual([]);
     });
   });
-});
+});