oauth-callback 2.1.1 → 2.2.0

package/dist/mcp-types.d.ts

@@ -18,34 +18,30 @@ export interface ClientInfo {
     clientIdIssuedAt?: number;
     clientSecretExpiresAt?: number;
 }
-/**
- * Active OAuth flow state for crash recovery.
- * Preserves PKCE verifier and state across process restarts.
- */
-export interface OAuthSession {
-    codeVerifier?: string;
-    state?: string;
-}
 /**
  * Minimal storage interface for OAuth tokens.
- * @invariant Implementations must be thread-safe within process.
  * @invariant Keys are scoped to avoid collisions between multiple OAuth flows.
  */
 export interface TokenStore {
     get(key: string): Promise<Tokens | null>;
     set(key: string, tokens: Tokens): Promise<void>;
     delete(key: string): Promise<void>;
-    clear(): Promise<void>;
 }
+/** Brand symbol for OAuthStore type detection. */
+export declare const OAuthStoreBrand: unique symbol;
 /**
- * Full OAuth state storage including client registration and session.
- * Enables recovery from crashes mid-flow and reuse of dynamic registration.
+ * Extended storage with client registration and PKCE verifier persistence.
+ * Enables crash recovery mid-flow and reuse of dynamic registration.
+ * @invariant Implementations must include `[OAuthStoreBrand]: true` property.
  */
 export interface OAuthStore extends TokenStore {
+    readonly [OAuthStoreBrand]: true;
     getClient(key: string): Promise<ClientInfo | null>;
     setClient(key: string, client: ClientInfo): Promise<void>;
-    getSession(key: string): Promise<OAuthSession | null>;
-    setSession(key: string, session: OAuthSession): Promise<void>;
+    deleteClient(key: string): Promise<void>;
+    getCodeVerifier(key: string): Promise<string | null>;
+    setCodeVerifier(key: string, verifier: string): Promise<void>;
+    deleteCodeVerifier(key: string): Promise<void>;
 }
 /**
  * Configuration for browser-based OAuth flows with MCP servers.
@@ -53,8 +49,16 @@ export interface OAuthStore extends TokenStore {
  * @see https://datatracker.ietf.org/doc/html/rfc8252
  */
 export interface BrowserAuthOptions {
-    /** Pre-registered OAuth client credentials. Omit for dynamic registration. */
+    /**
+     * Pre-registered OAuth client ID. Omit to use dynamic client registration.
+     * When provided, takes precedence over any DCR-obtained client.
+     */
     clientId?: string;
+    /**
+     * Pre-registered client secret (for confidential clients).
+     * Determines auth method for token requests: `client_secret_post` if set, `none` otherwise.
+     * This is fixed at construction - DCR-obtained secrets don't change the auth method.
+     */
     clientSecret?: string;
     scope?: string;
     /** Local callback server config. Must match redirect_uri in client registration. */
@@ -72,5 +76,11 @@ export interface BrowserAuthOptions {
     errorHtml?: string;
     /** Request inspection callback for debugging OAuth flows. */
     onRequest?: (req: Request) => void;
+    /**
+     * Authorization server base URL (issuer) for token endpoint discovery.
+     * Pass the origin (e.g., `https://auth.example.com`), not `/token`.
+     * Defaults to the authorization URL origin. Discovery failures are non-fatal.
+     */
+    authServerUrl?: string | URL;
 }
 //# sourceMappingURL=mcp-types.d.ts.map

package/dist/mcp-types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-types.d.ts","sourceRoot":"","sources":["../src/mcp-types.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,WAAW,UAAW,SAAQ,UAAU;IAC5C,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IACtD,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/D;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,oFAAoF;IACpF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;4FACwF;IACxF,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAElC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,6DAA6D;IAC7D,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,CAAC;CACpC"}
+{"version":3,"file":"mcp-types.d.ts","sourceRoot":"","sources":["../src/mcp-types.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,EAAE,OAAO,MAA6B,CAAC;AAEnE;;;;GAIG;AACH,MAAM,WAAW,UAAW,SAAQ,UAAU;IAC5C,QAAQ,CAAC,CAAC,eAAe,CAAC,EAAE,IAAI,CAAC;IAEjC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACrD,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9D,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,oFAAoF;IACpF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;4FACwF;IACxF,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAElC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,6DAA6D;IAC7D,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,CAAC;IAEnC;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC;CAC9B"}

package/dist/mcp.d.ts

@@ -7,5 +7,6 @@
 export { browserAuth } from "./auth/browser-auth";
 export { inMemoryStore } from "./storage/memory";
 export { fileStore } from "./storage/file";
-export type { BrowserAuthOptions, Tokens, TokenStore, ClientInfo, OAuthSession, OAuthStore, } from "./mcp-types";
+export { OAuthStoreBrand } from "./mcp-types";
+export type { BrowserAuthOptions, Tokens, TokenStore, ClientInfo, OAuthStore, } from "./mcp-types";
 //# sourceMappingURL=mcp.d.ts.map

package/dist/mcp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,YAAY,EACV,kBAAkB,EAClB,MAAM,EACN,UAAU,EACV,UAAU,EACV,YAAY,EACZ,UAAU,GACX,MAAM,aAAa,CAAC"}
+{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EACV,kBAAkB,EAClB,MAAM,EACN,UAAU,EACV,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAC"}

package/dist/mcp.js

@@ -74,11 +74,11 @@ var init_is_inside_container = __esm(() => {
 });
 
 // node_modules/is-wsl/index.js
-import process from "node:process";
+import process2 from "node:process";
 import os2 from "node:os";
 import fs4 from "node:fs";
 var isWsl = () => {
-  if (process.platform !== "linux") {
+  if (process2.platform !== "linux") {
     return false;
   }
   if (os2.release().toLowerCase().includes("microsoft")) {
@@ -95,15 +95,15 @@ var isWsl = () => {
 }, is_wsl_default;
 var init_is_wsl = __esm(() => {
   init_is_inside_container();
-  is_wsl_default = process.env.__IS_WSL_TEST__ ? isWsl : isWsl();
+  is_wsl_default = process2.env.__IS_WSL_TEST__ ? isWsl : isWsl();
 });
 
 // node_modules/powershell-utils/index.js
-import process2 from "node:process";
+import process3 from "node:process";
 import { Buffer } from "node:buffer";
 import { promisify } from "node:util";
 import childProcess from "node:child_process";
-var execFile, powerShellPath = () => `${process2.env.SYSTEMROOT || process2.env.windir || String.raw`C:\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`, executePowerShell = async (command, options = {}) => {
+var execFile, powerShellPath = () => `${process3.env.SYSTEMROOT || process3.env.windir || String.raw`C:\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`, executePowerShell = async (command, options = {}) => {
   const {
     powerShellPath: psPath,
     ...execFileOptions
@@ -233,10 +233,10 @@ function defineLazyProperty(object, propertyName, valueGetter) {
 
 // node_modules/default-browser-id/index.js
 import { promisify as promisify3 } from "node:util";
-import process3 from "node:process";
+import process4 from "node:process";
 import { execFile as execFile3 } from "node:child_process";
 async function defaultBrowserId() {
-  if (process3.platform !== "darwin") {
+  if (process4.platform !== "darwin") {
     throw new Error("macOS only");
   }
   const { stdout } = await execFileAsync("defaults", ["read", "com.apple.LaunchServices/com.apple.launchservices.secure", "LSHandlers"]);
@@ -249,11 +249,11 @@ var init_default_browser_id = __esm(() => {
 });
 
 // node_modules/run-applescript/index.js
-import process4 from "node:process";
+import process5 from "node:process";
 import { promisify as promisify4 } from "node:util";
 import { execFile as execFile4, execFileSync } from "node:child_process";
 async function runAppleScript(script, { humanReadableOutput = true } = {}) {
-  if (process4.platform !== "darwin") {
+  if (process5.platform !== "darwin") {
     throw new Error("macOS only");
   }
   const outputArguments = humanReadableOutput ? [] : ["-ss"];
@@ -323,21 +323,21 @@ var init_windows = __esm(() => {
 
 // node_modules/default-browser/index.js
 import { promisify as promisify6 } from "node:util";
-import process5 from "node:process";
+import process6 from "node:process";
 import { execFile as execFile6 } from "node:child_process";
 async function defaultBrowser2() {
-  if (process5.platform === "darwin") {
+  if (process6.platform === "darwin") {
     const id = await defaultBrowserId();
     const name = await bundleName(id);
     return { name, id };
   }
-  if (process5.platform === "linux") {
+  if (process6.platform === "linux") {
     const { stdout } = await execFileAsync4("xdg-mime", ["query", "default", "x-scheme-handler/http"]);
     const id = stdout.trim();
     const name = titleize(id.replace(/.desktop$/, "").replace("-", " "));
     return { name, id };
   }
-  if (process5.platform === "win32") {
+  if (process6.platform === "win32") {
     return defaultBrowser();
   }
   throw new Error("Only macOS, Linux, and Windows are supported");
@@ -352,10 +352,10 @@ var init_default_browser = __esm(() => {
 });
 
 // node_modules/is-in-ssh/index.js
-import process6 from "node:process";
+import process7 from "node:process";
 var isInSsh, is_in_ssh_default;
 var init_is_in_ssh = __esm(() => {
-  isInSsh = Boolean(process6.env.SSH_CONNECTION || process6.env.SSH_CLIENT || process6.env.SSH_TTY);
+  isInSsh = Boolean(process7.env.SSH_CONNECTION || process7.env.SSH_CLIENT || process7.env.SSH_TTY);
   is_in_ssh_default = isInSsh;
 });
 
@@ -366,7 +366,7 @@ __export(exports_open, {
   default: () => open_default,
   apps: () => apps
 });
-import process7 from "node:process";
+import process8 from "node:process";
 import path2 from "node:path";
 import { fileURLToPath } from "node:url";
 import childProcess3 from "node:child_process";
@@ -537,7 +537,7 @@ var fallbackAttemptSymbol, __dirname2, localXdgOpenPath, platform, arch, tryEach
         await fs6.access(localXdgOpenPath, fsConstants2.X_OK);
         exeLocalXdgOpen = true;
       } catch {}
-      const useSystemXdgOpen = process7.versions.electron ?? (platform === "android" || isBundled || !exeLocalXdgOpen);
+      const useSystemXdgOpen = process8.versions.electron ?? (platform === "android" || isBundled || !exeLocalXdgOpen);
       command = useSystemXdgOpen ? "xdg-open" : localXdgOpenPath;
     }
     if (appArguments.length > 0) {
@@ -624,7 +624,7 @@ var init_open = __esm(() => {
   fallbackAttemptSymbol = Symbol("fallbackAttempt");
   __dirname2 = import.meta.url ? path2.dirname(fileURLToPath(import.meta.url)) : "";
   localXdgOpenPath = path2.join(__dirname2, "xdg-open");
-  ({ platform, arch } = process7);
+  ({ platform, arch } = process8);
   apps = {
     browser: "browser",
     browserPrivate: "browserPrivate"
@@ -672,6 +672,9 @@ var init_open = __esm(() => {
 // src/auth/browser-auth.ts
 import { randomBytes } from "node:crypto";
 
+// src/mcp-types.ts
+var OAuthStoreBrand = Symbol("OAuthStore");
+
 // src/utils/token.ts
 function calculateExpiry(expiresIn) {
   if (!expiresIn)
@@ -691,9 +694,6 @@ function inMemoryStore() {
     },
     async delete(key) {
       store.delete(key);
-    },
-    async clear() {
-      store.clear();
     }
   };
 }
@@ -982,7 +982,9 @@ function fileStore(filepath) {
   }
   async function writeStore(data) {
     await ensureDir();
-    await fs.writeFile(file, JSON.stringify(data, null, 2), "utf-8");
+    const tmp = `${file}.tmp.${process.pid}`;
+    await fs.writeFile(tmp, JSON.stringify(data, null, 2), "utf-8");
+    await fs.rename(tmp, file);
   }
   return {
     async get(key) {
@@ -998,9 +1000,6 @@ function fileStore(filepath) {
       const store = await readStore();
       delete store[key];
       await writeStore(store);
-    },
-    async clear() {
-      await writeStore({});
     }
   };
 }
@@ -1049,6 +1048,10 @@ async function getAuthCode(input) {
 }
 
 // src/auth/browser-auth.ts
+import {
+  exchangeAuthorization,
+  discoverAuthorizationServerMetadata
+} from "@modelcontextprotocol/sdk/client/auth.js";
 function browserAuth(options = {}) {
   return new BrowserOAuthProvider(options);
 }
@@ -1060,6 +1063,7 @@ class BrowserOAuthProvider {
   _hostname;
   _callbackPath;
   _authTimeout;
+  _redirectUrl;
   _launch;
   _clientId;
   _clientSecret;
@@ -1067,12 +1071,11 @@ class BrowserOAuthProvider {
   _successHtml;
   _errorHtml;
   _onRequest;
+  _authServerUrl;
   _clientInfo;
   _tokens;
+  _expiresAt;
   _codeVerifier;
-  _pendingAuthCode;
-  _pendingAuthState;
-  _isExchangingCode = false;
   _tokensLoaded = false;
   _loadingTokens;
   _authInProgress;
@@ -1083,6 +1086,7 @@ class BrowserOAuthProvider {
     this._hostname = options.hostname ?? "localhost";
     this._callbackPath = options.callbackPath ?? "/callback";
     this._authTimeout = options.authTimeout ?? 300000;
+    this._redirectUrl = `http://${this._hostname}:${this._port}${this._callbackPath}`;
     this._launch = options.launch;
     this._clientId = options.clientId;
     this._clientSecret = options.clientSecret;
@@ -1090,6 +1094,7 @@ class BrowserOAuthProvider {
     this._successHtml = options.successHtml;
     this._errorHtml = options.errorHtml;
     this._onRequest = options.onRequest;
+    this._authServerUrl = options.authServerUrl ? new URL(options.authServerUrl) : undefined;
   }
   async _ensureTokensLoaded() {
     if (this._tokensLoaded)
@@ -1103,28 +1108,30 @@ class BrowserOAuthProvider {
     try {
       const stored = await this._store.get(this._storeKey);
       if (stored) {
+        this._expiresAt = stored.expiresAt;
         this._tokens = {
           access_token: stored.accessToken,
           token_type: "Bearer",
           refresh_token: stored.refreshToken,
-          expires_in: stored.expiresAt ? Math.floor((stored.expiresAt - Date.now()) / 1000) : undefined,
           scope: stored.scope
         };
       }
       if (this._isOAuthStore(this._store)) {
-        const clientInfo = await this._store.getClient(this._storeKey);
-        if (clientInfo?.clientId) {
-          this._clientInfo = {
-            client_id: clientInfo.clientId,
-            client_secret: clientInfo.clientSecret,
-            client_id_issued_at: clientInfo.clientIdIssuedAt,
-            client_secret_expires_at: clientInfo.clientSecretExpiresAt,
-            redirect_uris: [this.redirectUrl]
-          };
+        if (!this._clientId) {
+          const clientInfo = await this._store.getClient(this._storeKey);
+          if (clientInfo?.clientId) {
+            this._clientInfo = {
+              client_id: clientInfo.clientId,
+              client_secret: clientInfo.clientSecret,
+              client_id_issued_at: clientInfo.clientIdIssuedAt,
+              client_secret_expires_at: clientInfo.clientSecretExpiresAt,
+              redirect_uris: [this.redirectUrl]
+            };
+          }
         }
-        const session = await this._store.getSession(this._storeKey);
-        if (session?.codeVerifier) {
-          this._codeVerifier = session.codeVerifier;
+        const verifier = await this._store.getCodeVerifier(this._storeKey);
+        if (verifier) {
+          this._codeVerifier = verifier;
         }
       }
       this._tokensLoaded = true;
@@ -1133,17 +1140,17 @@ class BrowserOAuthProvider {
     }
   }
   _isOAuthStore(store) {
-    return typeof store.getClient === "function" && typeof store.setClient === "function" && typeof store.getSession === "function";
+    return OAuthStoreBrand in store;
   }
   get redirectUrl() {
-    return `http://${this._hostname}:${this._port}${this._callbackPath}`;
+    return this._redirectUrl;
   }
   get clientMetadata() {
     return {
       client_name: "OAuth Callback Handler",
       client_uri: "https://github.com/kriasoft/oauth-callback",
       redirect_uris: [this.redirectUrl],
-      grant_types: ["authorization_code", "refresh_token"],
+      grant_types: ["authorization_code"],
       response_types: ["code"],
       scope: this._scope,
       token_endpoint_auth_method: this._clientSecret ? "client_secret_post" : "none"
@@ -1185,19 +1192,19 @@ class BrowserOAuthProvider {
     if (!this._tokens) {
       return;
     }
-    const stored = await this._store.get(this._storeKey);
-    if (stored?.expiresAt && Date.now() >= stored.expiresAt - 60000) {
+    if (this._expiresAt && Date.now() >= this._expiresAt - 60000) {
       return;
     }
     return this._tokens;
   }
   async saveTokens(tokens) {
     this._tokens = tokens;
+    this._expiresAt = tokens.expires_in ? calculateExpiry(tokens.expires_in) : undefined;
     this._tokensLoaded = true;
     const storedTokens = {
       accessToken: tokens.access_token,
       refreshToken: tokens.refresh_token,
-      expiresAt: tokens.expires_in ? calculateExpiry(tokens.expires_in) : undefined,
+      expiresAt: this._expiresAt,
       scope: tokens.scope
     };
     await this._store.set(this._storeKey, storedTokens);
@@ -1207,14 +1214,14 @@ class BrowserOAuthProvider {
       await this._authInProgress;
       return;
     }
-    this._authInProgress = this._doAuthorization(authorizationUrl);
+    this._authInProgress = this._completeAuthorizationFlow(authorizationUrl);
     try {
       await this._authInProgress;
     } finally {
       this._authInProgress = undefined;
     }
   }
-  async _doAuthorization(authorizationUrl) {
+  async _completeAuthorizationFlow(authorizationUrl) {
     const baseOptions = {
       port: this._port,
       hostname: this._hostname,
@@ -1229,23 +1236,49 @@ class BrowserOAuthProvider {
       authorizationUrl: authorizationUrl.href,
       launch: this._launch
     } : baseOptions);
-    this._pendingAuthCode = result.code;
-    this._pendingAuthState = result.state;
-    setTimeout(() => {
-      if (this._pendingAuthCode === result.code) {
-        this._pendingAuthCode = undefined;
-        this._pendingAuthState = undefined;
+    if (!result.code) {
+      throw new Error("No authorization code received");
+    }
+    const expectedState = authorizationUrl.searchParams.get("state");
+    if (expectedState && result.state !== expectedState) {
+      throw new Error("OAuth state mismatch - possible CSRF attack");
+    }
+    await this._exchangeCodeForTokens(authorizationUrl, result.code);
+  }
+  async _exchangeCodeForTokens(authorizationUrl, code) {
+    const authServerUrl = this._authServerUrl ?? new URL("/", authorizationUrl.origin);
+    const metadata = await discoverAuthorizationServerMetadata(authServerUrl).catch(() => {
+      return;
+    });
+    const clientInfo = await this.clientInformation();
+    if (!clientInfo) {
+      throw new Error("Client information required for token exchange. " + "Provide clientId in options or ensure DCR succeeded.");
+    }
+    if (!this._codeVerifier) {
+      throw new Error("Code verifier required for token exchange");
+    }
+    let tokens;
+    try {
+      tokens = await exchangeAuthorization(authServerUrl, {
+        metadata,
+        clientInformation: clientInfo,
+        authorizationCode: code,
+        codeVerifier: this._codeVerifier,
+        redirectUri: this.redirectUrl
+      });
+    } catch (error) {
+      if (!this._authServerUrl && !metadata) {
+        const msg = error instanceof Error ? error.message : String(error);
+        throw new Error(`Token exchange failed: ${msg}. ` + `If the token endpoint differs from ${authorizationUrl.origin}, set authServerUrl explicitly.`);
       }
-    }, this._authTimeout);
+      throw error;
+    }
+    await this.saveTokens(tokens);
   }
   async saveCodeVerifier(codeVerifier) {
     this._codeVerifier = codeVerifier;
     if (this._isOAuthStore(this._store)) {
-      const session = {
-        codeVerifier,
-        state: this._pendingAuthState
-      };
-      await this._store.setSession(this._storeKey, session);
+      await this._store.setCodeVerifier(this._storeKey, codeVerifier);
     }
   }
   async codeVerifier() {
@@ -1255,36 +1288,34 @@ class BrowserOAuthProvider {
     return this._codeVerifier;
   }
   async invalidateCredentials(scope) {
-    if (scope === "all" && this._isExchangingCode) {
-      this._tokens = undefined;
-      await this._store.delete(this._storeKey);
-      return;
-    }
-    if (this._isExchangingCode && (scope === "client" || scope === "all")) {
-      this._isExchangingCode = false;
-    }
     switch (scope) {
       case "all":
         this._clientInfo = undefined;
         this._tokens = undefined;
+        this._expiresAt = undefined;
         this._codeVerifier = undefined;
         this._tokensLoaded = false;
-        await this._store.clear();
+        await this._store.delete(this._storeKey);
+        if (this._isOAuthStore(this._store)) {
+          await this._store.deleteClient(this._storeKey);
+          await this._store.deleteCodeVerifier(this._storeKey);
+        }
         break;
       case "client":
         this._clientInfo = undefined;
         if (this._isOAuthStore(this._store)) {
-          await this._store.setClient(this._storeKey, { clientId: "" });
+          await this._store.deleteClient(this._storeKey);
         }
         break;
       case "tokens":
         this._tokens = undefined;
+        this._expiresAt = undefined;
         await this._store.delete(this._storeKey);
         break;
       case "verifier":
         this._codeVerifier = undefined;
         if (this._isOAuthStore(this._store)) {
-          await this._store.setSession(this._storeKey, {});
+          await this._store.deleteCodeVerifier(this._storeKey);
         }
         break;
     }
@@ -1292,22 +1323,10 @@ class BrowserOAuthProvider {
   async validateResourceURL(_serverUrl, _resource) {
     return;
   }
-  getPendingAuthCode() {
-    if (this._pendingAuthCode) {
-      const result = {
-        code: this._pendingAuthCode,
-        state: this._pendingAuthState
-      };
-      this._isExchangingCode = true;
-      this._pendingAuthCode = undefined;
-      this._pendingAuthState = undefined;
-      return result;
-    }
-    return;
-  }
 }
 export {
   inMemoryStore,
   fileStore,
-  browserAuth
+  browserAuth,
+  OAuthStoreBrand
 };

package/dist/storage/file.d.ts

@@ -1,8 +1,8 @@
 import type { TokenStore } from "../mcp-types";
 /**
  * Persistent file-based token storage.
+ * Not safe for concurrent access across multiple processes.
  * Default: ~/.mcp/tokens.json
- * WARNING: Not safe for concurrent access across processes.
  */
 export declare function fileStore(filepath?: string): TokenStore;
 //# sourceMappingURL=file.d.ts.map

package/dist/storage/file.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/storage/file.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,UAAU,EAAU,MAAM,cAAc,CAAC;AAEvD;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU,CA4CvD"}
+{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/storage/file.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,UAAU,EAAU,MAAM,cAAc,CAAC;AAEvD;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU,CAyCvD"}

package/dist/storage/memory.d.ts

@@ -1,7 +1,7 @@
 import type { TokenStore } from "../mcp-types";
 /**
  * Ephemeral in-memory token storage.
- * Tokens lost on process restart. Safe for concurrent access within process.
+ * Tokens lost on process restart.
  */
 export declare function inMemoryStore(): TokenStore;
 //# sourceMappingURL=memory.d.ts.map

package/dist/storage/memory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAU,MAAM,cAAc,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,aAAa,IAAI,UAAU,CAoB1C"}
+{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAU,MAAM,cAAc,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,aAAa,IAAI,UAAU,CAgB1C"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth-callback",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Lightweight OAuth 2.0 callback handler for Node.js, Deno, and Bun with built-in browser flow and MCP SDK integration",
   "keywords": [
     "oauth",
@@ -104,7 +104,7 @@
   },
   "scripts": {
     "build:templates": "bun run templates/build.ts",
-    "build": "bun run build:templates && bun build ./src/index.ts --outdir=./dist --target=node && bun build ./src/mcp.ts --outdir=./dist --target=node && tsc --declaration --emitDeclarationOnly --outDir ./dist",
+    "build": "bun run build:templates && bun build ./src/index.ts --outdir=./dist --target=node && bun build ./src/mcp.ts --outdir=./dist --target=node --external=@modelcontextprotocol/sdk && tsc --declaration --emitDeclarationOnly --outDir ./dist",
     "clean": "rm -rf dist",
     "test": "bun test",
     "test:login": "bun run scripts/test-login.ts",