mcp-travelcode 1.0.4 → 1.0.6

package/build/client/api-client.d.ts

@@ -23,7 +23,7 @@ export declare class TravelCodeApiClient {
     private ensureValidToken;
     get<T>(path: string, params?: Record<string, string | number | boolean | undefined>): Promise<T>;
     post<T>(path: string, body?: unknown, extraHeaders?: Record<string, string>): Promise<T>;
-    getAerodatabox<T>(aerodataboxPath: string, params?: Record<string, string | number | boolean | undefined>): Promise<T>;
+    getFlightStats<T>(subPath: string, params?: Record<string, string | number | boolean | undefined>): Promise<T>;
     /**
      * POST request that returns an SSE stream.
      * Collects events and returns them as an array of {event, data} objects.

package/build/client/api-client.js

@@ -74,10 +74,10 @@ export class TravelCodeApiClient {
         });
         return this.handleResponse(response);
     }
-    async getAerodatabox(aerodataboxPath, params) {
+    async getFlightStats(subPath, params) {
         await this.ensureValidToken();
-        // Build the AeroDataBox path with query params
-        const pathUrl = new URL(`https://placeholder${aerodataboxPath}`);
+        // Build the inner path with query params
+        const pathUrl = new URL(`https://placeholder${subPath}`);
         if (params) {
             for (const [key, value] of Object.entries(params)) {
                 if (value !== undefined) {
@@ -85,11 +85,10 @@ export class TravelCodeApiClient {
                 }
             }
         }
-        const fullAeroPath = pathUrl.pathname + pathUrl.search;
-        // Proxy URL: strip /v1 from base URL, route through /flight/aerodatabox
-        const proxyBaseUrl = this.baseUrl.replace(/\/v1\/?$/, "");
-        const proxyUrl = new URL(`${proxyBaseUrl}/flight/aerodatabox`);
-        proxyUrl.searchParams.set("path", fullAeroPath);
+        const fullPath = pathUrl.pathname + pathUrl.search;
+        // Route through the TravelCode flight stats proxy endpoint
+        const proxyUrl = new URL(`${this.baseUrl}/flight/aerostats`);
+        proxyUrl.searchParams.set("path", fullPath);
         const response = await fetch(proxyUrl.toString(), {
             method: "GET",
             headers: this.headers(),

package/build/client/types.d.ts

@@ -128,11 +128,11 @@ export interface FlightSearchResultsResponse {
         airports?: Record<string, DictionaryAirport>;
     };
 }
-export interface AeroFlightTime {
+export interface FlightTime {
     utc?: string;
     local?: string;
 }
-export interface AeroFlightEndpoint {
+export interface FlightEndpoint {
     airport?: {
         icao?: string;
         iata?: string;
@@ -145,17 +145,17 @@ export interface AeroFlightEndpoint {
         };
         countryCode?: string;
     };
-    scheduledTime?: AeroFlightTime;
-    revisedTime?: AeroFlightTime;
-    predictedTime?: AeroFlightTime;
-    actualTime?: AeroFlightTime;
+    scheduledTime?: FlightTime;
+    revisedTime?: FlightTime;
+    predictedTime?: FlightTime;
+    actualTime?: FlightTime;
     terminal?: string;
     gate?: string;
     baggageBelt?: string;
     checkInDesk?: string;
     quality?: string[];
 }
-export interface AeroFlightAircraft {
+export interface FlightAircraft {
     reg?: string;
     modeS?: string;
     model?: string;
@@ -167,11 +167,11 @@ export interface AeroFlightAircraft {
         description?: string;
     };
 }
-export interface AeroFlightStatus {
+export interface FlightStatus {
     type?: string;
     status?: string;
-    departure: AeroFlightEndpoint;
-    arrival: AeroFlightEndpoint;
+    departure: FlightEndpoint;
+    arrival: FlightEndpoint;
     number?: string;
     callSign?: string;
     airline?: {
@@ -179,7 +179,7 @@ export interface AeroFlightStatus {
         iata?: string;
         icao?: string;
     };
-    aircraft?: AeroFlightAircraft;
+    aircraft?: FlightAircraft;
     location?: {
         pressureAltFt?: number;
         gsKt?: number;
@@ -194,10 +194,10 @@ export interface AeroFlightStatus {
         mile?: number;
     };
 }
-export type AeroFlightStatusResponse = AeroFlightStatus[];
-export interface AeroBoardFlight {
-    departure: AeroFlightEndpoint;
-    arrival: AeroFlightEndpoint;
+export type FlightStatusResponse = FlightStatus[];
+export interface BoardFlight {
+    departure: FlightEndpoint;
+    arrival: FlightEndpoint;
     number?: string;
     status?: string;
     codeshareStatus?: string;
@@ -212,11 +212,11 @@ export interface AeroBoardFlight {
         reg?: string;
     };
 }
-export interface AeroAirportBoardResponse {
-    departures?: AeroBoardFlight[];
-    arrivals?: AeroBoardFlight[];
+export interface AirportBoardResponse {
+    departures?: BoardFlight[];
+    arrivals?: BoardFlight[];
 }
-export interface AeroFlightDelayStats {
+export interface FlightDelayStats {
     route?: {
         from?: string;
         to?: string;
@@ -231,21 +231,21 @@ export interface AeroFlightDelayStats {
     onTimePercentage?: number;
     observations?: number;
 }
-export interface AeroAirportDelayInfo {
+export interface AirportDelayInfo {
     averageDelayMin?: number;
     delayIndex?: number;
     medianDelayMin?: number;
     cancellations?: number;
     totalFlights?: number;
 }
-export interface AeroAirportDelayStats {
+export interface AirportDelayStats {
     airport?: {
         iata?: string;
         name?: string;
     };
     date?: string;
-    departures?: AeroAirportDelayInfo;
-    arrivals?: AeroAirportDelayInfo;
+    departures?: AirportDelayInfo;
+    arrivals?: AirportDelayInfo;
 }
 export interface OrderShort {
     orderId: number;

package/build/formatters/flight-stats-formatter.d.ts

@@ -0,0 +1,6 @@
+import { FlightStatus, BoardFlight, FlightDelayStats, AirportDelayStats } from "../client/types.js";
+export declare function formatFlightStatus(flights: FlightStatus[], flightNumber: string, date: string): string;
+export declare function formatAirportBoard(flights: BoardFlight[], airportCode: string, direction: string, fromTime: string, toTime: string): string;
+export declare function formatFlightDelayStats(stats: FlightDelayStats, flightNumber: string): string;
+export declare function formatAirportDelayStats(stats: AirportDelayStats, airportCode: string, date: string): string;
+//# sourceMappingURL=flight-stats-formatter.d.ts.map

package/build/formatters/{aerodatabox-formatter.js → flight-stats-formatter.js}

@@ -243,4 +243,4 @@ function assessDelay(avgDelayMin) {
         return "Moderate delays";
     return "Severe delays";
 }
-//# sourceMappingURL=aerodatabox-formatter.js.map
+//# sourceMappingURL=flight-stats-formatter.js.map

package/build/http-server.d.ts

@@ -3,12 +3,20 @@
  * HTTP entry point for the TravelCode MCP Server.
  *
  * Supports OAuth 2.1 via MCP spec:
- * - Serves Protected Resource Metadata (RFC 9728) at /.well-known/oauth-protected-resource
- * - Returns 401 with WWW-Authenticate header when Bearer token is missing
- * - Creates per-session McpServer instances using the user's OAuth token
- *
- * The Authorization Server is TravelCode's own OAuth server.
- * Tokens are opaque and validated by TravelCode API on each request.
+ * - Serves Protected Resource Metadata (RFC 9728) at the path-aware well-known
+ *   URL (`/.well-known/oauth-protected-resource/mcp`) AND the legacy
+ *   non-suffixed path for older clients.
+ * - Proxies Authorization Server Metadata (RFC 8414) at
+ *   `/.well-known/oauth-authorization-server`. travel-code.com's nginx blocks
+ *   `/.well-known/*` on its own origin, so MCP clients cannot discover AS
+ *   metadata there directly. We advertise the sidecar itself as the AS in the
+ *   Protected Resource Metadata document and serve the AS metadata here with
+ *   the real upstream `authorization_endpoint` / `token_endpoint` /
+ *   `registration_endpoint` / `revocation_endpoint` values. The browser and
+ *   client hit those upstream URLs directly — only discovery is proxied.
+ * - Returns 401 with WWW-Authenticate on missing Bearer and on unknown session,
+ *   so clients can restart the OAuth flow after a sidecar restart.
+ * - Creates per-session McpServer instances using the user's OAuth token.
  *
  * Stdio transport (src/index.ts) remains unchanged for backward compatibility.
  */

package/build/http-server.js

@@ -3,12 +3,20 @@
  * HTTP entry point for the TravelCode MCP Server.
  *
  * Supports OAuth 2.1 via MCP spec:
- * - Serves Protected Resource Metadata (RFC 9728) at /.well-known/oauth-protected-resource
- * - Returns 401 with WWW-Authenticate header when Bearer token is missing
- * - Creates per-session McpServer instances using the user's OAuth token
- *
- * The Authorization Server is TravelCode's own OAuth server.
- * Tokens are opaque and validated by TravelCode API on each request.
+ * - Serves Protected Resource Metadata (RFC 9728) at the path-aware well-known
+ *   URL (`/.well-known/oauth-protected-resource/mcp`) AND the legacy
+ *   non-suffixed path for older clients.
+ * - Proxies Authorization Server Metadata (RFC 8414) at
+ *   `/.well-known/oauth-authorization-server`. travel-code.com's nginx blocks
+ *   `/.well-known/*` on its own origin, so MCP clients cannot discover AS
+ *   metadata there directly. We advertise the sidecar itself as the AS in the
+ *   Protected Resource Metadata document and serve the AS metadata here with
+ *   the real upstream `authorization_endpoint` / `token_endpoint` /
+ *   `registration_endpoint` / `revocation_endpoint` values. The browser and
+ *   client hit those upstream URLs directly — only discovery is proxied.
+ * - Returns 401 with WWW-Authenticate on missing Bearer and on unknown session,
+ *   so clients can restart the OAuth flow after a sidecar restart.
+ * - Creates per-session McpServer instances using the user's OAuth token.
  *
  * Stdio transport (src/index.ts) remains unchanged for backward compatibility.
  */
@@ -19,11 +27,21 @@ import { createServer } from "./server.js";
 // --- Configuration ---
 const PORT = parseInt(process.env.PORT || "3000", 10);
 const API_BASE_URL = (process.env.TRAVELCODE_API_BASE_URL || "https://api.travel-code.com/v1").replace(/\/+$/, "");
-const OAUTH_ISSUER = process.env.OAUTH_ISSUER || "https://travel-code.com";
-// Resource URI — the public URL of this MCP server.
+// Upstream Authorization Server origin — where the real OAuth endpoints live.
+// travel-code.com implements /oauth/authorize, /oauth/token, /oauth/register,
+// /oauth/revoke but does NOT expose RFC 8414 metadata (nginx blocks
+// /.well-known/*), so we proxy AS metadata from this sidecar.
+const UPSTREAM_AS_ORIGIN = (process.env.OAUTH_ISSUER || "https://travel-code.com").replace(/\/+$/, "");
+// Resource URI — the public URL of this MCP server (origin, no path).
 // In production, set to the actual public URL (e.g. https://mcp.travel-code.com).
 // Locally defaults to http://localhost:PORT.
-const RESOURCE_URI = process.env.RESOURCE_URI || `http://localhost:${PORT}`;
+const RESOURCE_URI = (process.env.RESOURCE_URI || `http://localhost:${PORT}`).replace(/\/+$/, "");
+// MCP endpoint path — advertised as the canonical resource identifier in
+// Protected Resource Metadata (RFC 9728) so audience binding (RFC 8707) works.
+const MCP_PATH = "/mcp";
+const MCP_RESOURCE_IDENTIFIER = `${RESOURCE_URI}${MCP_PATH}`;
+// Path-aware PRM URL per RFC 9728 §3.1.
+const PRM_URL = `${RESOURCE_URI}/.well-known/oauth-protected-resource${MCP_PATH}`;
 const POLL_INTERVAL_MS = parseInt(process.env.TRAVELCODE_POLL_INTERVAL_MS || "2000", 10);
 const POLL_TIMEOUT_MS = parseInt(process.env.TRAVELCODE_POLL_TIMEOUT_MS || "90000", 10);
 const SCOPES_SUPPORTED = [
@@ -59,18 +77,59 @@ app.use((_req, res, next) => {
     res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
     next();
 });
-app.options("*", (_req, res) => {
+app.options(/.*/, (_req, res) => {
     res.sendStatus(204);
 });
 // --- Protected Resource Metadata (RFC 9728) ---
+//
+// `resource` MUST match the URL the client is actually using (the MCP endpoint)
+// so that audience binding / RFC 8707 resource indicators line up.
+//
+// `authorization_servers` points to the sidecar itself rather than the upstream
+// travel-code.com origin, because the upstream blocks /.well-known/* at the
+// edge. The client will discover AS metadata from us at
+// `/.well-known/oauth-authorization-server` (served below), which in turn
+// advertises the real upstream authorize/token/register/revoke endpoints.
+const protectedResourceMetadata = {
+    resource: MCP_RESOURCE_IDENTIFIER,
+    authorization_servers: [RESOURCE_URI],
+    scopes_supported: SCOPES_SUPPORTED,
+    bearer_methods_supported: ["header"],
+    resource_name: "TravelCode MCP Server",
+};
+app.get("/.well-known/oauth-protected-resource/mcp", (_req, res) => {
+    res.json(protectedResourceMetadata);
+});
+// Legacy non-path-suffixed PRM for older clients that don't do
+// path-aware discovery per RFC 9728 §3.1.
 app.get("/.well-known/oauth-protected-resource", (_req, res) => {
-    res.json({
-        resource: RESOURCE_URI,
-        authorization_servers: [OAUTH_ISSUER],
-        scopes_supported: SCOPES_SUPPORTED,
-        bearer_methods_supported: ["header"],
-        resource_name: "TravelCode MCP Server",
-    });
+    res.json(protectedResourceMetadata);
+});
+// --- Authorization Server Metadata (RFC 8414) — proxied ---
+//
+// travel-code.com's nginx blocks /.well-known/oauth-authorization-server at
+// the edge, so we host the document ourselves. `issuer` MUST match the URL at
+// which this metadata was fetched (RFC 8414 §3.3) — that's RESOURCE_URI.
+// The endpoints point to the real upstream OAuth server; the browser and
+// token-endpoint calls go there directly.
+const authorizationServerMetadata = {
+    issuer: RESOURCE_URI,
+    authorization_endpoint: `${UPSTREAM_AS_ORIGIN}/oauth/authorize`,
+    token_endpoint: `${UPSTREAM_AS_ORIGIN}/oauth/token`,
+    registration_endpoint: `${UPSTREAM_AS_ORIGIN}/oauth/register`,
+    revocation_endpoint: `${UPSTREAM_AS_ORIGIN}/oauth/revoke`,
+    scopes_supported: SCOPES_SUPPORTED,
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    token_endpoint_auth_methods_supported: ["none"],
+    code_challenge_methods_supported: ["S256"],
+};
+app.get("/.well-known/oauth-authorization-server", (_req, res) => {
+    res.json(authorizationServerMetadata);
+});
+// Some MCP clients also probe a path-suffixed variant.
+app.get("/.well-known/oauth-authorization-server/mcp", (_req, res) => {
+    res.json(authorizationServerMetadata);
 });
 // --- Health check ---
 app.get("/health", (_req, res) => {
@@ -81,11 +140,10 @@ app.get("/health", (_req, res) => {
     });
 });
 // --- Helper: send 401 ---
-function send401(res) {
-    const metadataUrl = `${RESOURCE_URI}/.well-known/oauth-protected-resource`;
+function send401(res, description = "Bearer token required") {
     res.status(401)
-        .set("WWW-Authenticate", `Bearer resource_metadata="${metadataUrl}"`)
-        .json({ error: "unauthorized", error_description: "Bearer token required" });
+        .set("WWW-Authenticate", `Bearer resource_metadata="${PRM_URL}"`)
+        .json({ error: "unauthorized", error_description: description });
 }
 // --- MCP endpoint ---
 app.all("/mcp", async (req, res) => {
@@ -105,10 +163,10 @@ app.all("/mcp", async (req, res) => {
     if (sessionId) {
         const session = sessions.get(sessionId);
         if (!session) {
-            res.status(404).json({
-                jsonrpc: "2.0",
-                error: { code: -32000, message: "Session not found. Please start a new session." },
-            });
+            // Return 401 (not 404) so the client restarts the OAuth flow after a
+            // sidecar restart or TTL expiry, instead of giving up with a dead
+            // session ID.
+            send401(res, "Session not found or expired. Please re-authenticate.");
             return;
         }
         await session.transport.handleRequest(req, res, req.body);
@@ -155,10 +213,11 @@ app.all("/mcp", async (req, res) => {
 // --- Start ---
 app.listen(PORT, () => {
     console.log(`TravelCode MCP Server (HTTP) listening on port ${PORT}`);
-    console.log(`MCP endpoint:        ${RESOURCE_URI}/mcp`);
-    console.log(`Resource metadata:   ${RESOURCE_URI}/.well-known/oauth-protected-resource`);
-    console.log(`OAuth issuer:        ${OAUTH_ISSUER}`);
-    console.log(`API base URL:        ${API_BASE_URL}`);
-    console.log(`Scopes:              ${SCOPES_SUPPORTED.join(", ")}`);
+    console.log(`MCP endpoint:         ${MCP_RESOURCE_IDENTIFIER}`);
+    console.log(`Protected Resource:   ${PRM_URL}`);
+    console.log(`AS metadata (proxy):  ${RESOURCE_URI}/.well-known/oauth-authorization-server`);
+    console.log(`Upstream OAuth:       ${UPSTREAM_AS_ORIGIN}/oauth/{authorize,token,register,revoke}`);
+    console.log(`API base URL:         ${API_BASE_URL}`);
+    console.log(`Scopes:               ${SCOPES_SUPPORTED.join(", ")}`);
 });
 //# sourceMappingURL=http-server.js.map

package/build/server.js

@@ -33,7 +33,7 @@ export function createServer(config) {
     // Flight search tools
     registerSearchFlights(server, client, config);
     registerGetFlightResults(server, client);
-    // Flight statistics tools (AeroDataBox)
+    // Flight statistics tools
     registerGetFlightStatus(server, client);
     registerGetAirportFlights(server, client);
     registerGetFlightDelayStats(server, client);

package/build/tools/get-airport-delay-stats.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { formatAirportDelayStats } from "../formatters/aerodatabox-formatter.js";
+import { formatAirportDelayStats } from "../formatters/flight-stats-formatter.js";
 export const getAirportDelayStatsSchema = {
     airport_code: z
         .string()
@@ -12,7 +12,7 @@ export function registerGetAirportDelayStats(server, client) {
     server.tool("get_airport_delay_stats", "Get current delay statistics for an airport on a specific date. Shows average departure/arrival delays and cancellation rates. Use this during weather events or disruptions to assess the situation at an airport.", getAirportDelayStatsSchema, async ({ airport_code, date }) => {
         try {
             const code = airport_code.toUpperCase();
-            const stats = await client.getAerodatabox(`/airports/iata/${encodeURIComponent(code)}/delays/${date}`);
+            const stats = await client.getFlightStats(`/airports/iata/${encodeURIComponent(code)}/delays/${date}`);
             return {
                 content: [{ type: "text", text: formatAirportDelayStats(stats, code, date) }],
             };

package/build/tools/get-airport-flights.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { formatAirportBoard } from "../formatters/aerodatabox-formatter.js";
+import { formatAirportBoard } from "../formatters/flight-stats-formatter.js";
 export const getAirportFlightsSchema = {
     airport_code: z
         .string()
@@ -49,7 +49,7 @@ export function registerGetAirportFlights(server, client) {
                 };
             }
             const code = airport_code.toUpperCase();
-            const board = await client.getAerodatabox(`/flights/airports/iata/${encodeURIComponent(code)}/${from_time}/${to_time}`, {
+            const board = await client.getFlightStats(`/flights/airports/iata/${encodeURIComponent(code)}/${from_time}/${to_time}`, {
                 withCancellations: true,
                 withCodeshares: include_codeshares,
                 withCargo: include_cargo,

package/build/tools/get-flight-delay-stats.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { formatFlightDelayStats } from "../formatters/aerodatabox-formatter.js";
+import { formatFlightDelayStats } from "../formatters/flight-stats-formatter.js";
 export const getFlightDelayStatsSchema = {
     flight_number: z
         .string()
@@ -9,7 +9,7 @@ export function registerGetFlightDelayStats(server, client) {
     server.tool("get_flight_delay_stats", "Get historical delay statistics for a specific flight number. Shows how often the flight is delayed, average delay duration, and reliability assessment. Use this to evaluate a flight's punctuality before booking.", getFlightDelayStatsSchema, async ({ flight_number }) => {
         try {
             const normalized = flight_number.replace(/\s+/g, "").toUpperCase();
-            const stats = await client.getAerodatabox(`/flights/${encodeURIComponent(normalized)}/delays`);
+            const stats = await client.getFlightStats(`/flights/${encodeURIComponent(normalized)}/delays`);
             return {
                 content: [{ type: "text", text: formatFlightDelayStats(stats, normalized) }],
             };

package/build/tools/get-flight-status.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { formatFlightStatus } from "../formatters/aerodatabox-formatter.js";
+import { formatFlightStatus } from "../formatters/flight-stats-formatter.js";
 export const getFlightStatusSchema = {
     flight_number: z
         .string()
@@ -20,7 +20,7 @@ export function registerGetFlightStatus(server, client) {
     server.tool("get_flight_status", "Get real-time status of a specific flight by flight number and date. Returns departure/arrival times (scheduled, actual, estimated), terminals, gates, aircraft info, and delay information. Use this to check if a flight is on time, delayed, or cancelled.", getFlightStatusSchema, async ({ flight_number, date, with_aircraft_image, with_location }) => {
         try {
             const normalized = flight_number.replace(/\s+/g, "").toUpperCase();
-            const flights = await client.getAerodatabox(`/flights/number/${encodeURIComponent(normalized)}/${date}`, {
+            const flights = await client.getFlightStats(`/flights/number/${encodeURIComponent(normalized)}/${date}`, {
                 withAircraftImage: with_aircraft_image,
                 withLocation: with_location,
             });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-travelcode",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "MCP server for TravelCode — flights, hotels, orders. Search flights & hotels, manage bookings via AI assistants.",
   "type": "module",
   "main": "./build/index.js",

package/build/formatters/aerodatabox-formatter.d.ts

@@ -1,6 +0,0 @@
-import { AeroFlightStatus, AeroBoardFlight, AeroFlightDelayStats, AeroAirportDelayStats } from "../client/types.js";
-export declare function formatFlightStatus(flights: AeroFlightStatus[], flightNumber: string, date: string): string;
-export declare function formatAirportBoard(flights: AeroBoardFlight[], airportCode: string, direction: string, fromTime: string, toTime: string): string;
-export declare function formatFlightDelayStats(stats: AeroFlightDelayStats, flightNumber: string): string;
-export declare function formatAirportDelayStats(stats: AeroAirportDelayStats, airportCode: string, date: string): string;
-//# sourceMappingURL=aerodatabox-formatter.d.ts.map