mcp-proxy 5.12.0 → 5.12.2

package/src/proxyServer.test.ts

@@ -28,33 +28,47 @@ interface TestEnvironment {
   streamClient: Client;
 }
 
-async function createTestEnvironment(config: TestConfig = {}): Promise<TestEnvironment> {
-  const { 
-    requestTimeout, 
-    serverDelay, 
-    serverFixture = "simple-stdio-server.ts" 
+async function createTestEnvironment(
+  config: TestConfig = {},
+): Promise<TestEnvironment> {
+  const {
+    requestTimeout,
+    serverDelay,
+    serverFixture = "simple-stdio-server.ts",
   } = config;
-  
+
   const stdioTransport = new StdioClientTransport({
     args: [`src/fixtures/${serverFixture}`],
     command: "tsx",
-    env: serverDelay ? { ...process.env, RESPONSE_DELAY: serverDelay } as Record<string, string> : process.env as Record<string, string>,
+    env: serverDelay
+      ? ({ ...process.env, RESPONSE_DELAY: serverDelay } as Record<
+          string,
+          string
+        >)
+      : (process.env as Record<string, string>),
   });
 
   const stdioClient = new Client(
     { name: "mcp-proxy-test", version: "1.0.0" },
-    { capabilities: {} }
+    { capabilities: {} },
   );
 
   await stdioClient.connect(stdioTransport);
 
-  const serverVersion = stdioClient.getServerVersion() as { name: string; version: string };
-  const serverCapabilities = stdioClient.getServerCapabilities() as { capabilities: Record<string, unknown> };
+  const serverVersion = stdioClient.getServerVersion() as {
+    name: string;
+    version: string;
+  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as {
+    capabilities: Record<string, unknown>;
+  };
   const port = await getRandomPort();
 
   const httpServer = await startHTTPServer({
     createServer: async () => {
-      const mcpServer = new Server(serverVersion, { capabilities: serverCapabilities });
+      const mcpServer = new Server(serverVersion, {
+        capabilities: serverCapabilities,
+      });
       await proxyServer({
         client: stdioClient,
         requestTimeout,
@@ -68,20 +82,22 @@ async function createTestEnvironment(config: TestConfig = {}): Promise<TestEnvir
 
   const streamClient = new Client(
     { name: "stream-client", version: "1.0.0" },
-    { capabilities: {} }
+    { capabilities: {} },
   );
 
-  const transport = new StreamableHTTPClientTransport(new URL(`http://localhost:${port}/mcp`));
+  const transport = new StreamableHTTPClientTransport(
+    new URL(`http://localhost:${port}/mcp`),
+  );
   await streamClient.connect(transport);
 
-  return { 
+  return {
     cleanup: async () => {
       await streamClient.close();
       await stdioClient.close();
-    }, 
-    httpServer, 
-    stdioClient, 
-    streamClient
+    },
+    httpServer,
+    stdioClient,
+    streamClient,
   };
 }
 
@@ -90,7 +106,7 @@ describe("proxyServer timeout functionality", () => {
     const { cleanup, streamClient } = await createTestEnvironment({
       requestTimeout: 1000,
       serverDelay: "500",
-      serverFixture: "slow-stdio-server.ts"
+      serverFixture: "slow-stdio-server.ts",
     });
 
     // This should succeed as timeout (1s) > delay (500ms)
@@ -105,7 +121,7 @@ describe("proxyServer timeout functionality", () => {
     const { cleanup, streamClient } = await createTestEnvironment({
       requestTimeout: 500,
       serverDelay: "1000",
-      serverFixture: "slow-stdio-server.ts"
+      serverFixture: "slow-stdio-server.ts",
     });
 
     // This should throw a timeout error as delay (1s) > timeout (500ms)
@@ -128,7 +144,7 @@ describe("proxyServer timeout functionality", () => {
     const { cleanup, streamClient } = await createTestEnvironment({
       requestTimeout: 600,
       serverDelay: "300",
-      serverFixture: "slow-stdio-server.ts"
+      serverFixture: "slow-stdio-server.ts",
     });
 
     // First get the resources
@@ -141,7 +157,9 @@ describe("proxyServer timeout functionality", () => {
     });
 
     expect(resourceContent.contents).toBeDefined();
-    expect(resourceContent.contents[0].text).toContain("300ms delay");
+    expect((resourceContent.contents[0] as { text: string }).text).toContain(
+      "300ms delay",
+    );
 
     await cleanup();
   }, 10000);

package/src/startHTTPServer.test.ts

@@ -1339,8 +1339,8 @@ it("returns 401 with custom error message when { authenticated: false, error: '.
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
-      "Authorization": "Bearer expired-token",
+      Accept: "application/json, text/event-stream",
+      Authorization: "Bearer expired-token",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1408,8 +1408,8 @@ it("returns 401 when createServer throws authentication error", async () => {
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
-      "Authorization": "Bearer test-token",
+      Accept: "application/json, text/event-stream",
+      Authorization: "Bearer test-token",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1451,7 +1451,7 @@ it("returns 401 when createServer throws JWT-related error", async () => {
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
+      Accept: "application/json, text/event-stream",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1492,7 +1492,7 @@ it("returns 401 when createServer throws Token-related error", async () => {
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
+      Accept: "application/json, text/event-stream",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1533,7 +1533,7 @@ it("returns 401 when createServer throws Unauthorized error", async () => {
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
+      Accept: "application/json, text/event-stream",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1574,7 +1574,7 @@ it("returns 500 when createServer throws non-auth error", async () => {
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
+      Accept: "application/json, text/event-stream",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1614,7 +1614,7 @@ it("includes WWW-Authenticate header in 401 response with OAuth config", async (
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
+      Accept: "application/json, text/event-stream",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1624,9 +1624,11 @@ it("includes WWW-Authenticate header in 401 response with OAuth config", async (
 
   const wwwAuthHeader = response.headers.get("WWW-Authenticate");
   expect(wwwAuthHeader).toBeTruthy();
-  expect(wwwAuthHeader).toContain('Bearer');
+  expect(wwwAuthHeader).toContain("Bearer");
   expect(wwwAuthHeader).toContain('realm="mcp-server"');
-  expect(wwwAuthHeader).toContain('resource_metadata="https://example.com/.well-known/oauth-protected-resource"');
+  expect(wwwAuthHeader).toContain(
+    'resource_metadata="https://example.com/.well-known/oauth-protected-resource"',
+  );
   expect(wwwAuthHeader).toContain('error="invalid_token"');
   expect(wwwAuthHeader).toContain('error_description="Invalid JWT token"');
 
@@ -1636,7 +1638,9 @@ it("includes WWW-Authenticate header in 401 response with OAuth config", async (
 it("includes WWW-Authenticate header when authenticate callback fails with OAuth", async () => {
   const port = await getRandomPort();
 
-  const authenticate = vi.fn().mockRejectedValue(new Error("Token signature verification failed"));
+  const authenticate = vi
+    .fn()
+    .mockRejectedValue(new Error("Token signature verification failed"));
 
   const httpServer = await startHTTPServer({
     authenticate,
@@ -1670,8 +1674,8 @@ it("includes WWW-Authenticate header when authenticate callback fails with OAuth
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
-      "Authorization": "Bearer expired-token",
+      Accept: "application/json, text/event-stream",
+      Authorization: "Bearer expired-token",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1682,12 +1686,18 @@ it("includes WWW-Authenticate header when authenticate callback fails with OAuth
 
   const wwwAuthHeader = response.headers.get("WWW-Authenticate");
   expect(wwwAuthHeader).toBeTruthy();
-  expect(wwwAuthHeader).toContain('Bearer');
+  expect(wwwAuthHeader).toContain("Bearer");
   expect(wwwAuthHeader).toContain('realm="example-api"');
-  expect(wwwAuthHeader).toContain('resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"');
+  expect(wwwAuthHeader).toContain(
+    'resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"',
+  );
   expect(wwwAuthHeader).toContain('error="invalid_token"');
-  expect(wwwAuthHeader).toContain('error_description="Token signature verification failed"');
-  expect(wwwAuthHeader).toContain('error_uri="https://example.com/docs/errors"');
+  expect(wwwAuthHeader).toContain(
+    'error_description="Token signature verification failed"',
+  );
+  expect(wwwAuthHeader).toContain(
+    'error_uri="https://example.com/docs/errors"',
+  );
 
   await httpServer.close();
 });
@@ -1715,7 +1725,7 @@ it("does not include WWW-Authenticate header in 401 response without OAuth confi
       },
     }),
     headers: {
-      "Accept": "application/json, text/event-stream",
+      Accept: "application/json, text/event-stream",
       "Content-Type": "application/json",
     },
     method: "POST",
@@ -1916,7 +1926,9 @@ it("supports origin validation with array", async () => {
   });
 
   expect(response1.status).toBe(204);
-  expect(response1.headers.get("Access-Control-Allow-Origin")).toBe("https://app.example.com");
+  expect(response1.headers.get("Access-Control-Allow-Origin")).toBe(
+    "https://app.example.com",
+  );
 
   // Test with disallowed origin
   const response2 = await fetch(`http://localhost:${port}/mcp`, {
@@ -1958,7 +1970,9 @@ it("supports origin validation with function", async () => {
   });
 
   expect(response1.status).toBe(204);
-  expect(response1.headers.get("Access-Control-Allow-Origin")).toBe("https://subdomain.example.com");
+  expect(response1.headers.get("Access-Control-Allow-Origin")).toBe(
+    "https://subdomain.example.com",
+  );
 
   // Test with disallowed origin
   const response2 = await fetch(`http://localhost:${port}/mcp`, {
@@ -2029,7 +2043,9 @@ it("uses default CORS settings when cors: true", async () => {
 
   expect(response.status).toBe(204);
   expect(response.headers.get("Access-Control-Allow-Origin")).toBe("*");
-  expect(response.headers.get("Access-Control-Allow-Headers")).toBe("Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id");
+  expect(response.headers.get("Access-Control-Allow-Headers")).toBe(
+    "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id",
+  );
   expect(response.headers.get("Access-Control-Allow-Credentials")).toBe("true");
 
   await httpServer.close();
@@ -2062,7 +2078,9 @@ it("supports custom methods and maxAge", async () => {
   });
 
   expect(response.status).toBe(204);
-  expect(response.headers.get("Access-Control-Allow-Methods")).toBe("GET, POST, PUT, DELETE");
+  expect(response.headers.get("Access-Control-Allow-Methods")).toBe(
+    "GET, POST, PUT, DELETE",
+  );
   expect(response.headers.get("Access-Control-Max-Age")).toBe("86400");
 
   await httpServer.close();

package/src/startHTTPServer.ts

@@ -81,7 +81,9 @@ const getWWWAuthenticateHeader = (
 
   // Add resource_metadata if configured
   if (oauth.protectedResource?.resource) {
-    params.push(`resource_metadata="${oauth.protectedResource.resource}/.well-known/oauth-protected-resource"`);
+    params.push(
+      `resource_metadata="${oauth.protectedResource.resource}/.well-known/oauth-protected-resource"`,
+    );
   }
 
   // Add error from options or config (options takes precedence)
@@ -91,7 +93,8 @@ const getWWWAuthenticateHeader = (
   }
 
   // Add error_description from options or config (options takes precedence)
-  const error_description = options?.error_description || oauth.error_description;
+  const error_description =
+    options?.error_description || oauth.error_description;
   if (error_description) {
     // Escape quotes in error description
     const escaped = error_description.replace(/"/g, '\\"');
@@ -119,7 +122,9 @@ const getWWWAuthenticateHeader = (
 };
 
 // Helper function to detect scope challenge errors
-const isScopeChallengeError = (error: unknown): error is {
+const isScopeChallengeError = (
+  error: unknown,
+): error is {
   data: {
     error: string;
     errorDescription?: string;
@@ -147,11 +152,12 @@ const handleResponseError = async (
 ): Promise<boolean> => {
   // Check if it's a Response-like object (duck typing)
   // The instanceof check may fail due to different Response implementations across module boundaries
-  const isResponseLike = error &&
-    typeof error === 'object' &&
-    'status' in error &&
-    'headers' in error &&
-    'statusText' in error;
+  const isResponseLike =
+    error &&
+    typeof error === "object" &&
+    "status" in error &&
+    "headers" in error &&
+    "statusText" in error;
 
   if (isResponseLike || error instanceof Response) {
     const responseError = error as Response;
@@ -210,7 +216,8 @@ const applyCorsHeaders = (
 
   // Default CORS configuration for backward compatibility
   const defaultCorsOptions: CorsOptions = {
-    allowedHeaders: "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id",
+    allowedHeaders:
+      "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id",
     credentials: true,
     exposedHeaders: ["Mcp-Session-Id"],
     methods: ["GET", "POST", "OPTIONS"],
@@ -246,7 +253,9 @@ const applyCorsHeaders = (
           ? origin.origin
           : "false";
       } else if (typeof finalCorsOptions.origin === "function") {
-        allowedOrigin = finalCorsOptions.origin(origin.origin) ? origin.origin : "false";
+        allowedOrigin = finalCorsOptions.origin(origin.origin)
+          ? origin.origin
+          : "false";
       }
     }
 
@@ -256,30 +265,43 @@ const applyCorsHeaders = (
 
     // Handle credentials
     if (finalCorsOptions.credentials !== undefined) {
-      res.setHeader("Access-Control-Allow-Credentials", finalCorsOptions.credentials.toString());
+      res.setHeader(
+        "Access-Control-Allow-Credentials",
+        finalCorsOptions.credentials.toString(),
+      );
     }
 
     // Handle methods
     if (finalCorsOptions.methods) {
-      res.setHeader("Access-Control-Allow-Methods", finalCorsOptions.methods.join(", "));
+      res.setHeader(
+        "Access-Control-Allow-Methods",
+        finalCorsOptions.methods.join(", "),
+      );
     }
 
     // Handle allowed headers
     if (finalCorsOptions.allowedHeaders) {
-      const allowedHeaders = typeof finalCorsOptions.allowedHeaders === "string"
-        ? finalCorsOptions.allowedHeaders
-        : finalCorsOptions.allowedHeaders.join(", ");
+      const allowedHeaders =
+        typeof finalCorsOptions.allowedHeaders === "string"
+          ? finalCorsOptions.allowedHeaders
+          : finalCorsOptions.allowedHeaders.join(", ");
       res.setHeader("Access-Control-Allow-Headers", allowedHeaders);
     }
 
     // Handle exposed headers
     if (finalCorsOptions.exposedHeaders) {
-      res.setHeader("Access-Control-Expose-Headers", finalCorsOptions.exposedHeaders.join(", "));
+      res.setHeader(
+        "Access-Control-Expose-Headers",
+        finalCorsOptions.exposedHeaders.join(", "),
+      );
     }
 
     // Handle max age
     if (finalCorsOptions.maxAge !== undefined) {
-      res.setHeader("Access-Control-Max-Age", finalCorsOptions.maxAge.toString());
+      res.setHeader(
+        "Access-Control-Max-Age",
+        finalCorsOptions.maxAge.toString(),
+      );
     }
   } catch (error) {
     console.error("[mcp-proxy] error parsing origin", error);
@@ -340,10 +362,18 @@ const handleStreamRequest = async <T extends ServerLike>({
           const authResult = await authenticate(req);
 
           // Check for both falsy AND { authenticated: false } pattern
-          if (!authResult || (typeof authResult === 'object' && 'authenticated' in authResult && !authResult.authenticated)) {
+          if (
+            !authResult ||
+            (typeof authResult === "object" &&
+              "authenticated" in authResult &&
+              !authResult.authenticated)
+          ) {
             // Extract error message if available
             const errorMessage =
-              authResult && typeof authResult === 'object' && 'error' in authResult && typeof authResult.error === 'string'
+              authResult &&
+              typeof authResult === "object" &&
+              "error" in authResult &&
+              typeof authResult.error === "string"
                 ? authResult.error
                 : "Unauthorized: Authentication failed";
 
@@ -362,11 +392,11 @@ const handleStreamRequest = async <T extends ServerLike>({
               JSON.stringify({
                 error: {
                   code: -32000,
-                  message: errorMessage
+                  message: errorMessage,
                 },
                 id: (body as { id?: unknown })?.id ?? null,
-                jsonrpc: "2.0"
-              })
+                jsonrpc: "2.0",
+              }),
             );
             return true;
           }
@@ -377,7 +407,10 @@ const handleStreamRequest = async <T extends ServerLike>({
           }
 
           // Extract error details from thrown errors
-          const errorMessage = error instanceof Error ? error.message : "Unauthorized: Authentication error";
+          const errorMessage =
+            error instanceof Error
+              ? error.message
+              : "Unauthorized: Authentication error";
           console.error("Authentication error:", error);
           res.setHeader("Content-Type", "application/json");
 
@@ -394,11 +427,11 @@ const handleStreamRequest = async <T extends ServerLike>({
             JSON.stringify({
               error: {
                 code: -32000,
-                message: errorMessage
+                message: errorMessage,
               },
               id: (body as { id?: unknown })?.id ?? null,
-              jsonrpc: "2.0"
-            })
+              jsonrpc: "2.0",
+            }),
           );
           return true;
         }
@@ -464,11 +497,13 @@ const handleStreamRequest = async <T extends ServerLike>({
           }
 
           // Detect authentication errors and return HTTP 401
-          const errorMessage = error instanceof Error ? error.message : String(error);
-          const isAuthError = errorMessage.includes('Authentication') ||
-                             errorMessage.includes('Invalid JWT') ||
-                             errorMessage.includes('Token') ||
-                             errorMessage.includes('Unauthorized');
+          const errorMessage =
+            error instanceof Error ? error.message : String(error);
+          const isAuthError =
+            errorMessage.includes("Authentication") ||
+            errorMessage.includes("Invalid JWT") ||
+            errorMessage.includes("Token") ||
+            errorMessage.includes("Unauthorized");
 
           if (isAuthError) {
             res.setHeader("Content-Type", "application/json");
@@ -482,14 +517,16 @@ const handleStreamRequest = async <T extends ServerLike>({
               res.setHeader("WWW-Authenticate", wwwAuthHeader);
             }
 
-            res.writeHead(401).end(JSON.stringify({
-              error: {
-                code: -32000,
-                message: errorMessage
-              },
-              id: (body as { id?: unknown })?.id ?? null,
-              jsonrpc: "2.0"
-            }));
+            res.writeHead(401).end(
+              JSON.stringify({
+                error: {
+                  code: -32000,
+                  message: errorMessage,
+                },
+                id: (body as { id?: unknown })?.id ?? null,
+                jsonrpc: "2.0",
+              }),
+            );
             return true;
           }
 
@@ -527,11 +564,13 @@ const handleStreamRequest = async <T extends ServerLike>({
           }
 
           // Detect authentication errors and return HTTP 401
-          const errorMessage = error instanceof Error ? error.message : String(error);
-          const isAuthError = errorMessage.includes('Authentication') ||
-                             errorMessage.includes('Invalid JWT') ||
-                             errorMessage.includes('Token') ||
-                             errorMessage.includes('Unauthorized');
+          const errorMessage =
+            error instanceof Error ? error.message : String(error);
+          const isAuthError =
+            errorMessage.includes("Authentication") ||
+            errorMessage.includes("Invalid JWT") ||
+            errorMessage.includes("Token") ||
+            errorMessage.includes("Unauthorized");
 
           if (isAuthError) {
             res.setHeader("Content-Type", "application/json");
@@ -545,14 +584,16 @@ const handleStreamRequest = async <T extends ServerLike>({
               res.setHeader("WWW-Authenticate", wwwAuthHeader);
             }
 
-            res.writeHead(401).end(JSON.stringify({
-              error: {
-                code: -32000,
-                message: errorMessage
-              },
-              id: (body as { id?: unknown })?.id ?? null,
-              jsonrpc: "2.0"
-            }));
+            res.writeHead(401).end(
+              JSON.stringify({
+                error: {
+                  code: -32000,
+                  message: errorMessage,
+                },
+                id: (body as { id?: unknown })?.id ?? null,
+                jsonrpc: "2.0",
+              }),
+            );
             return true;
           }
 

package/src/startStdioServer.test.ts

@@ -19,9 +19,8 @@ describe("startStdioServer.test.ts", () => {
   let proc: ChildProcess;
 
   beforeEach(async () => {
-    const serverPath = require.resolve(
-      "@modelcontextprotocol/sdk/examples/server/sseAndStreamableHttpCompatibleServer.js",
-    );
+    const serverPath =
+      require.resolve("@modelcontextprotocol/sdk/examples/server/sseAndStreamableHttpCompatibleServer.js");
     proc = fork(serverPath, [], {
       stdio: "pipe",
     });
@@ -83,9 +82,11 @@ describe("startStdioServer.test.ts", () => {
         {
           description:
             "Starts sending periodic notifications for testing resumability",
+          execution: {
+            taskSupport: "forbidden",
+          },
           inputSchema: {
             $schema: "http://json-schema.org/draft-07/schema#",
-            additionalProperties: false,
             properties: {
               count: {
                 default: 50,
@@ -177,9 +178,11 @@ describe("startStdioServer.test.ts", () => {
         {
           description:
             "Starts sending periodic notifications for testing resumability",
+          execution: {
+            taskSupport: "forbidden",
+          },
           inputSchema: {
             $schema: "http://json-schema.org/draft-07/schema#",
-            additionalProperties: false,
             properties: {
               count: {
                 default: 50,