nitrostack 1.0.23 → 1.0.24

package/templates/typescript-auth/package.json

@@ -6,7 +6,8 @@
   "scripts": {
     "dev": "nitrostack dev",
     "build": "nitrostack build",
-    "start": "nitrostack start",
+    "start": "npm run build && nitrostack start",
+    "start:prod": "nitrostack start",
     "widget": "npm --prefix src/widgets",
     "setup-db": "node --loader ts-node/esm src/db/setup.ts"
   },

package/templates/typescript-auth/src/index.ts

@@ -9,39 +9,20 @@
  * - Production (NODE_ENV=production): Dual transport (STDIO + HTTP SSE)
  */
 
+import { config } from 'dotenv';
 import { McpApplicationFactory } from 'nitrostack';
 import { AppModule } from './app.module.js';
 
+// Load environment variables from .env file
+config();
+
 /**
  * Bootstrap the application
  */
 async function bootstrap() {
-  // Create the MCP server from AppModule
+  // Create and start the MCP server
   const server = await McpApplicationFactory.create(AppModule);
-  
-  // Determine transport based on environment
-  const isDevelopment = process.env.NODE_ENV === 'development' || !process.env.NODE_ENV;
-  
-  if (isDevelopment) {
-    // Development: STDIO only (for local testing with MCP Inspector, Claude Desktop)
-    await server.start('stdio');
-    console.error('🚀 Server running in DEVELOPMENT mode (STDIO only)');
-  } else {
-    // Production: Dual transport (STDIO + HTTP SSE)
-    const port = parseInt(process.env.PORT || '3002');
-    const host = process.env.HOST || '0.0.0.0';
-    
-    await server.start('dual', {
-      port,
-      host,
-      endpoint: '/mcp',
-      enableCors: process.env.ENABLE_CORS !== 'false', // Enable by default, disable with ENABLE_CORS=false
-    });
-    
-    console.error('🚀 Server running in PRODUCTION mode (DUAL)');
-    console.error(`   📡 STDIO: Ready for direct connections`);
-    console.error(`   🌐 HTTP SSE: http://${host}:${port}/mcp`);
-  }
+  await server.start();
 }
 
 // Start the application

package/templates/typescript-auth-api-key/package.json

@@ -6,10 +6,12 @@
   "scripts": {
     "dev": "nitrostack dev",
     "build": "nitrostack build",
-    "start": "nitrostack start",
+    "start": "npm run build && nitrostack start",
+    "start:prod": "nitrostack start",
     "widget": "npm --prefix src/widgets"
   },
   "dependencies": {
+    "dotenv": "^16.4.5",
     "nitrostack": "^1",
     "zod": "^3.23.8"
   },

package/templates/typescript-auth-api-key/src/index.ts

@@ -1,7 +1,11 @@
 #!/usr/bin/env node
+import { config } from 'dotenv';
 import { McpApplicationFactory } from 'nitrostack';
 import { AppModule } from './app.module.js';
 
+// Load environment variables from .env file
+config();
+
 /**
  * API Key Authentication MCP Server
  * 
@@ -34,32 +38,8 @@ async function bootstrap() {
     console.error('   - Protected tools require valid API key');
     console.error('   - Public tools accessible without authentication\n');
 
-    // Determine transport based on environment
-    const isDevelopment = process.env.NODE_ENV === 'development' || !process.env.NODE_ENV;
-    
-    if (isDevelopment) {
-      // Development: STDIO only (for local testing)
-      await app.start('stdio');
-      console.error('🚀 Server running in DEVELOPMENT mode (STDIO only)');
-      console.error('   Use MCP Inspector or Claude Desktop for testing\n');
-    } else {
-      // Production: Dual transport (STDIO + HTTP SSE)
-      const port = parseInt(process.env.PORT || '3002');
-      const host = process.env.HOST || '0.0.0.0';
-      
-      await app.start('dual', {
-        port,
-        host,
-        endpoint: '/mcp',
-        enableCors: process.env.ENABLE_CORS !== 'false', // Enable by default, disable with ENABLE_CORS=false
-      });
-      
-      console.error('🚀 Server running in PRODUCTION mode (DUAL)');
-      console.error(`   📡 STDIO: Ready for direct connections`);
-      console.error(`   🌐 HTTP SSE: http://${host}:${port}/mcp`);
-      console.error('   Open NitroStack Studio to test the server');
-      console.error('   Set your API key in Studio → Auth → API Key section\n');
-    }
+    // Start the server
+    await app.start();
     
   } catch (error) {
     console.error('❌ Failed to start server:', error);

package/templates/typescript-oauth/.env.example

@@ -1,59 +1,70 @@
 # OAuth 2.1 MCP Server Configuration
 
+# =============================================================================
+# TRANSPORT MODE (AUTO-CONFIGURED)
+# =============================================================================
+# When OAuth is configured, the server automatically runs in DUAL mode:
+# - STDIO: For MCP protocol communication with Studio/Claude
+# - HTTP: For OAuth metadata endpoints (/.well-known/oauth-protected-resource)
+# Both transports run simultaneously on different channels.
+
 # =============================================================================
 # REQUIRED: Server Configuration
 # =============================================================================
 
-# Your MCP server's public URL (used for token audience binding - RFC 8707)
-# This MUST match the URL where your MCP server is accessible
-# Example: https://mcp.yourapp.com or http://localhost:3000 for development
-RESOURCE_URI=https://mcp.example.com
+# Your MCP server's resource URI (used for token audience binding - RFC 8707)
+# ⚠️ CRITICAL: This MUST match EXACTLY the "API Identifier" in your OAuth provider
+# 
+# For Auth0: Copy the "Identifier" from APIs → Your API → Settings
+# For development: Can be any unique URI like https://mcplocal or http://localhost:3005
+# For production: Use your actual domain like https://api.yourapp.com
+#
+# ⚠️ This value is used for:
+#   1. Token audience validation (security critical!)
+#   2. OAuth discovery metadata
+#   3. The "audience" parameter sent to your OAuth provider
+RESOURCE_URI=https://mcplocal
 
 # Your OAuth 2.1 authorization server URL
 # This is the base URL of your OAuth provider (Auth0, Okta, Keycloak, etc.)
 # Example for Auth0: https://your-tenant.auth0.com
 # Example for Okta: https://your-domain.okta.com
-AUTH_SERVER_URL=https://auth.example.com
+AUTH_SERVER_URL=https://your-tenant.auth0.com
 
 # =============================================================================
 # OPTIONAL: Token Configuration
 # =============================================================================
 
 # Expected token audience (defaults to RESOURCE_URI if not set)
-# This MUST match the audience claim in access tokens
-TOKEN_AUDIENCE=https://mcp.example.com
+# ⚠️ This MUST match EXACTLY the RESOURCE_URI above
+TOKEN_AUDIENCE=https://mcplocal
 
 # Expected token issuer (recommended for security)
 # This MUST match the issuer claim in access tokens
-# Example for Auth0: https://your-tenant.auth0.com/
+# ⚠️ For Auth0: Add trailing slash! https://your-tenant.auth0.com/
 # Example for Okta: https://your-domain.okta.com/oauth2/default
-TOKEN_ISSUER=https://auth.example.com/
+TOKEN_ISSUER=https://your-tenant.auth0.com/
 
-# =============================================================================
-# OPTIONAL: Token Introspection (for opaque tokens)
-# =============================================================================
 
-# If your OAuth provider issues opaque tokens (not JWTs), configure these:
 
-# Token introspection endpoint (RFC 7662)
-# Example for Auth0: https://your-tenant.auth0.com/oauth/token/introspection
-# Example for Okta: https://your-domain.okta.com/oauth2/default/v1/introspect
-# INTROSPECTION_ENDPOINT=https://auth.example.com/oauth/introspect
 
-# Client credentials for introspection
-# These are separate from your MCP client credentials
-# INTROSPECTION_CLIENT_ID=your-introspection-client-id
-# INTROSPECTION_CLIENT_SECRET=your-introspection-client-secret
 
 # =============================================================================
 # Provider-Specific Examples
 # =============================================================================
 
-# --- Auth0 Example ---
-# RESOURCE_URI=https://mcp.yourapp.com
+# --- Auth0 Example (RECOMMENDED FOR TESTING) ---
+# Step 1: Create API in Auth0 with Identifier = https://mcplocal
+# Step 2: Create "Regular Web Application" in Auth0
+# Step 3: Authorize the Application to access the API
+# Step 4: Use these settings:
+#
+# RESOURCE_URI=https://mcplocal
 # AUTH_SERVER_URL=https://your-tenant.auth0.com
-# TOKEN_AUDIENCE=https://mcp.yourapp.com
+# TOKEN_AUDIENCE=https://mcplocal
 # TOKEN_ISSUER=https://your-tenant.auth0.com/
+#
+# ⚠️ CRITICAL: RESOURCE_URI must match Auth0 API Identifier EXACTLY!
 
 # --- Okta Example ---
 # RESOURCE_URI=https://mcp.yourapp.com