mcp-proxy 5.9.0 → 5.11.0

package/src/startHTTPServer.ts

@@ -11,6 +11,15 @@ import { randomUUID } from "node:crypto";
 import { AuthConfig, AuthenticationMiddleware } from "./authentication.js";
 import { InMemoryEventStore } from "./InMemoryEventStore.js";
 
+export interface CorsOptions {
+  allowedHeaders?: string | string[]; // Allow string[] or '*' for wildcard
+  credentials?: boolean;
+  exposedHeaders?: string[];
+  maxAge?: number;
+  methods?: string[];
+  origin?: ((origin: string) => boolean) | string | string[];
+}
+
 export type SSEServer = {
   close: () => Promise<void>;
 };
@@ -52,22 +61,82 @@ const createJsonRpcErrorResponse = (code: number, message: string) => {
 // Helper function to get WWW-Authenticate header value
 const getWWWAuthenticateHeader = (
   oauth?: AuthConfig["oauth"],
+  options?: {
+    error?: string;
+    error_description?: string;
+    error_uri?: string;
+    scope?: string;
+  },
 ): string | undefined => {
-  if (!oauth?.protectedResource?.resource) {
+  if (!oauth) {
+    return undefined;
+  }
+
+  const params: string[] = [];
+
+  // Add realm if configured
+  if (oauth.realm) {
+    params.push(`realm="${oauth.realm}"`);
+  }
+
+  // Add resource_metadata if configured
+  if (oauth.protectedResource?.resource) {
+    params.push(`resource_metadata="${oauth.protectedResource.resource}/.well-known/oauth-protected-resource"`);
+  }
+
+  // Add error from options or config (options takes precedence)
+  const error = options?.error || oauth.error;
+  if (error) {
+    params.push(`error="${error}"`);
+  }
+
+  // Add error_description from options or config (options takes precedence)
+  const error_description = options?.error_description || oauth.error_description;
+  if (error_description) {
+    // Escape quotes in error description
+    const escaped = error_description.replace(/"/g, '\\"');
+    params.push(`error_description="${escaped}"`);
+  }
+
+  // Add error_uri from options or config (options takes precedence)
+  const error_uri = options?.error_uri || oauth.error_uri;
+  if (error_uri) {
+    params.push(`error_uri="${error_uri}"`);
+  }
+
+  // Add scope from options or config (options takes precedence)
+  const scope = options?.scope || oauth.scope;
+  if (scope) {
+    params.push(`scope="${scope}"`);
+  }
+
+  // Return undefined if no parameters were added
+  if (params.length === 0) {
     return undefined;
   }
 
-  return `Bearer resource_metadata="${oauth.protectedResource.resource}/.well-known/oauth-protected-resource"`;
+  return `Bearer ${params.join(", ")}`;
 };
 
 // Helper function to handle Response errors and send appropriate HTTP response
-const handleResponseError = (
+const handleResponseError = async (
   error: unknown,
   res: http.ServerResponse,
-): boolean => {
-  if (error instanceof Response) {
+): Promise<boolean> => {
+  // Check if it's a Response-like object (duck typing)
+  // The instanceof check may fail due to different Response implementations across module boundaries
+  const isResponseLike = error &&
+    typeof error === 'object' &&
+    'status' in error &&
+    'headers' in error &&
+    'statusText' in error;
+
+  if (isResponseLike || error instanceof Response) {
+    const responseError = error as Response;
+
+    // Convert Headers to http.OutgoingHttpHeaders format
     const fixedHeaders: http.OutgoingHttpHeaders = {};
-    error.headers.forEach((value, key) => {
+    responseError.headers.forEach((value, key) => {
       if (fixedHeaders[key]) {
         if (Array.isArray(fixedHeaders[key])) {
           (fixedHeaders[key] as string[]).push(value);
@@ -78,11 +147,16 @@ const handleResponseError = (
         fixedHeaders[key] = value;
       }
     });
-    res
-      .writeHead(error.status, error.statusText, fixedHeaders)
-      .end(error.statusText);
+
+    // Read the body from the Response object
+    const body = await responseError.text();
+
+    res.writeHead(responseError.status, responseError.statusText, fixedHeaders);
+    res.end(body);
+
     return true;
   }
+
   return false;
 };
 
@@ -102,6 +176,94 @@ const cleanupServer = async <T extends ServerLike>(
   }
 };
 
+// Helper function to apply CORS headers
+const applyCorsHeaders = (
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  corsOptions?: boolean | CorsOptions,
+) => {
+  if (!req.headers.origin) {
+    return;
+  }
+
+  // Default CORS configuration for backward compatibility
+  const defaultCorsOptions: CorsOptions = {
+    allowedHeaders: "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id",
+    credentials: true,
+    exposedHeaders: ["Mcp-Session-Id"],
+    methods: ["GET", "POST", "OPTIONS"],
+    origin: "*",
+  };
+
+  let finalCorsOptions: CorsOptions;
+
+  if (corsOptions === false) {
+    // CORS disabled
+    return;
+  } else if (corsOptions === true || corsOptions === undefined) {
+    // Use default CORS settings
+    finalCorsOptions = defaultCorsOptions;
+  } else {
+    // Merge user options with defaults
+    finalCorsOptions = {
+      ...defaultCorsOptions,
+      ...corsOptions,
+    };
+  }
+
+  try {
+    const origin = new URL(req.headers.origin);
+
+    // Handle origin
+    let allowedOrigin = "*";
+    if (finalCorsOptions.origin) {
+      if (typeof finalCorsOptions.origin === "string") {
+        allowedOrigin = finalCorsOptions.origin;
+      } else if (Array.isArray(finalCorsOptions.origin)) {
+        allowedOrigin = finalCorsOptions.origin.includes(origin.origin)
+          ? origin.origin
+          : "false";
+      } else if (typeof finalCorsOptions.origin === "function") {
+        allowedOrigin = finalCorsOptions.origin(origin.origin) ? origin.origin : "false";
+      }
+    }
+
+    if (allowedOrigin !== "false") {
+      res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+    }
+
+    // Handle credentials
+    if (finalCorsOptions.credentials !== undefined) {
+      res.setHeader("Access-Control-Allow-Credentials", finalCorsOptions.credentials.toString());
+    }
+
+    // Handle methods
+    if (finalCorsOptions.methods) {
+      res.setHeader("Access-Control-Allow-Methods", finalCorsOptions.methods.join(", "));
+    }
+
+    // Handle allowed headers
+    if (finalCorsOptions.allowedHeaders) {
+      const allowedHeaders = typeof finalCorsOptions.allowedHeaders === "string"
+        ? finalCorsOptions.allowedHeaders
+        : finalCorsOptions.allowedHeaders.join(", ");
+      res.setHeader("Access-Control-Allow-Headers", allowedHeaders);
+    }
+
+    // Handle exposed headers
+    if (finalCorsOptions.exposedHeaders) {
+      res.setHeader("Access-Control-Expose-Headers", finalCorsOptions.exposedHeaders.join(", "));
+    }
+
+    // Handle max age
+    if (finalCorsOptions.maxAge !== undefined) {
+      res.setHeader("Access-Control-Max-Age", finalCorsOptions.maxAge.toString());
+    }
+  } catch (error) {
+    console.error("[mcp-proxy] error parsing origin", error);
+  }
+};
+
 const handleStreamRequest = async <T extends ServerLike>({
   activeTransports,
   authenticate,
@@ -163,7 +325,10 @@ const handleStreamRequest = async <T extends ServerLike>({
             res.setHeader("Content-Type", "application/json");
 
             // Add WWW-Authenticate header if OAuth config is available
-            const wwwAuthHeader = getWWWAuthenticateHeader(oauth);
+            const wwwAuthHeader = getWWWAuthenticateHeader(oauth, {
+              error: "invalid_token",
+              error_description: errorMessage,
+            });
             if (wwwAuthHeader) {
               res.setHeader("WWW-Authenticate", wwwAuthHeader);
             }
@@ -181,13 +346,21 @@ const handleStreamRequest = async <T extends ServerLike>({
             return true;
           }
         } catch (error) {
+          // Check if error is a Response object with headers already set
+          if (await handleResponseError(error, res)) {
+            return true;
+          }
+
           // Extract error details from thrown errors
           const errorMessage = error instanceof Error ? error.message : "Unauthorized: Authentication error";
           console.error("Authentication error:", error);
           res.setHeader("Content-Type", "application/json");
 
           // Add WWW-Authenticate header if OAuth config is available
-          const wwwAuthHeader = getWWWAuthenticateHeader(oauth);
+          const wwwAuthHeader = getWWWAuthenticateHeader(oauth, {
+            error: "invalid_token",
+            error_description: errorMessage,
+          });
           if (wwwAuthHeader) {
             res.setHeader("WWW-Authenticate", wwwAuthHeader);
           }
@@ -260,6 +433,11 @@ const handleStreamRequest = async <T extends ServerLike>({
         try {
           server = await createServer(req);
         } catch (error) {
+          // Check if error is a Response object with headers already set
+          if (await handleResponseError(error, res)) {
+            return true;
+          }
+
           // Detect authentication errors and return HTTP 401
           const errorMessage = error instanceof Error ? error.message : String(error);
           const isAuthError = errorMessage.includes('Authentication') ||
@@ -271,7 +449,10 @@ const handleStreamRequest = async <T extends ServerLike>({
             res.setHeader("Content-Type", "application/json");
 
             // Add WWW-Authenticate header if OAuth config is available
-            const wwwAuthHeader = getWWWAuthenticateHeader(oauth);
+            const wwwAuthHeader = getWWWAuthenticateHeader(oauth, {
+              error: "invalid_token",
+              error_description: errorMessage,
+            });
             if (wwwAuthHeader) {
               res.setHeader("WWW-Authenticate", wwwAuthHeader);
             }
@@ -287,10 +468,6 @@ const handleStreamRequest = async <T extends ServerLike>({
             return true;
           }
 
-          if (handleResponseError(error, res)) {
-            return true;
-          }
-
           res.writeHead(500).end("Error creating server");
 
           return true;
@@ -319,6 +496,11 @@ const handleStreamRequest = async <T extends ServerLike>({
         try {
           server = await createServer(req);
         } catch (error) {
+          // Check if error is a Response object with headers already set
+          if (await handleResponseError(error, res)) {
+            return true;
+          }
+
           // Detect authentication errors and return HTTP 401
           const errorMessage = error instanceof Error ? error.message : String(error);
           const isAuthError = errorMessage.includes('Authentication') ||
@@ -330,7 +512,10 @@ const handleStreamRequest = async <T extends ServerLike>({
             res.setHeader("Content-Type", "application/json");
 
             // Add WWW-Authenticate header if OAuth config is available
-            const wwwAuthHeader = getWWWAuthenticateHeader(oauth);
+            const wwwAuthHeader = getWWWAuthenticateHeader(oauth, {
+              error: "invalid_token",
+              error_description: errorMessage,
+            });
             if (wwwAuthHeader) {
               res.setHeader("WWW-Authenticate", wwwAuthHeader);
             }
@@ -346,10 +531,6 @@ const handleStreamRequest = async <T extends ServerLike>({
             return true;
           }
 
-          if (handleResponseError(error, res)) {
-            return true;
-          }
-
           res.writeHead(500).end("Error creating server");
 
           return true;
@@ -504,7 +685,7 @@ const handleSSERequest = async <T extends ServerLike>({
     try {
       server = await createServer(req);
     } catch (error) {
-      if (handleResponseError(error, res)) {
+      if (await handleResponseError(error, res)) {
         return true;
       }
 
@@ -586,6 +767,7 @@ const handleSSERequest = async <T extends ServerLike>({
 export const startHTTPServer = async <T extends ServerLike>({
   apiKey,
   authenticate,
+  cors,
   createServer,
   enableJsonResponse,
   eventStore,
@@ -601,6 +783,7 @@ export const startHTTPServer = async <T extends ServerLike>({
 }: {
   apiKey?: string;
   authenticate?: (request: http.IncomingMessage) => Promise<unknown>;
+  cors?: boolean | CorsOptions;
   createServer: (request: http.IncomingMessage) => Promise<T>;
   enableJsonResponse?: boolean;
   eventStore?: EventStore;
@@ -633,19 +816,8 @@ export const startHTTPServer = async <T extends ServerLike>({
    * @author https://dev.classmethod.jp/articles/mcp-sse/
    */
   const httpServer = http.createServer(async (req, res) => {
-    if (req.headers.origin) {
-      try {
-        const origin = new URL(req.headers.origin);
-
-        res.setHeader("Access-Control-Allow-Origin", origin.origin);
-        res.setHeader("Access-Control-Allow-Credentials", "true");
-        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-        res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id");
-        res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
-      } catch (error) {
-        console.error("[mcp-proxy] error parsing origin", error);
-      }
-    }
+    // Apply CORS headers
+    applyCorsHeaders(req, res, cors);
 
     if (req.method === "OPTIONS") {
       res.writeHead(204);