rivet-design 0.11.1 → 0.11.2

package/dist/mcp/auth/httpOAuthProvider.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RivetOAuthServerProvider = void 0;
+exports.RivetOAuthServerProvider = exports.MCP_BROWSER_AUTH_COOKIE_NAME = void 0;
 const crypto_1 = require("crypto");
 const errors_js_1 = require("@modelcontextprotocol/sdk/server/auth/errors.js");
 const accessTokenRefresh_1 = require("../../services/accessTokenRefresh");
@@ -16,6 +16,12 @@ const TOKEN_POLL_INTERVAL_MS = 1000;
 const PROFILE_FETCH_TIMEOUT_MS = 10_000;
 const MCP_OAUTH_SCOPE = 'rivet';
 const HOSTED_DASHBOARD_AUTH_URL = 'https://rivet-proxy.onrender.com/dashboard/';
+exports.MCP_BROWSER_AUTH_COOKIE_NAME = 'rivet_mcp_oauth';
+const CURSOR_DESKTOP_REDIRECT_PROTOCOL = 'cursor:';
+const CURSOR_DESKTOP_REDIRECT_HOST = 'anysphere.cursor-mcp';
+const CURSOR_DESKTOP_REDIRECT_PATH = '/oauth/callback';
+const CURSOR_CLOUD_REDIRECT_HOST = 'www.cursor.com';
+const CURSOR_CLOUD_REDIRECT_PATH = '/agents/mcp/oauth/callback';
 const LOOPBACK_REDIRECT_HOSTS = new Set([
     'localhost',
     '127.0.0.1',
@@ -29,8 +35,8 @@ class InMemoryClientsStore {
         return this.clients.get(clientId);
     }
     registerClient(client) {
-        if (!client.redirect_uris.every(isLoopbackRedirectUri)) {
-            throw new errors_js_1.InvalidClientMetadataError('Rivet MCP OAuth clients must use loopback HTTP redirect URIs.');
+        if (!client.redirect_uris.every(isAllowedRedirectUri)) {
+            throw new errors_js_1.InvalidClientMetadataError('Rivet MCP OAuth clients must declare valid loopback or Cursor redirect URIs.');
         }
         const registered = {
             ...client,
@@ -50,6 +56,31 @@ const isLoopbackRedirectUri = (redirectUri) => {
         return false;
     }
 };
+const isAllowedRedirectUri = (redirectUri) => {
+    try {
+        const url = new URL(redirectUri);
+        if (url.hash) {
+            return false;
+        }
+        if (isLoopbackRedirectUri(redirectUri)) {
+            return true;
+        }
+        if (url.protocol === CURSOR_DESKTOP_REDIRECT_PROTOCOL &&
+            url.hostname === CURSOR_DESKTOP_REDIRECT_HOST &&
+            url.pathname === CURSOR_DESKTOP_REDIRECT_PATH &&
+            !url.search) {
+            return true;
+        }
+        return (url.protocol === 'https:' &&
+            url.hostname.toLowerCase() === CURSOR_CLOUD_REDIRECT_HOST &&
+            url.pathname === CURSOR_CLOUD_REDIRECT_PATH &&
+            !url.search &&
+            !url.port);
+    }
+    catch {
+        return false;
+    }
+};
 const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
 const escapeHtml = (value) => value
     .replace(/&/g, '&')
@@ -57,12 +88,17 @@ const escapeHtml = (value) => value
     .replace(/>/g, '>')
     .replace(/"/g, '"')
     .replace(/'/g, ''');
+const DASHBOARD_AUTH_STYLESHEET_PATH = '/dashboard/auth.css';
+const GOOGLE_ICON_URL = 'https://www.gstatic.com/firebasejs/ui/2.0.0/images/auth/google.svg';
+const getBrowserAuthCookieValue = (sessionId, nonce) => `${sessionId}:${nonce}`;
 /**
  * Shows the browser user which local OAuth client will receive the code before
  * starting Google sign-in.
  */
 const getClientApprovalHtml = (input) => {
     const clientName = input.clientName?.trim() || 'Unknown MCP client';
+    const escapedAuthUrl = escapeHtml(input.authUrl);
+    const escapedRedirectUri = escapeHtml(input.redirectUri);
     return `<!doctype html>
 <html>
   <head>
@@ -70,41 +106,217 @@ const getClientApprovalHtml = (input) => {
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <title>Approve Rivet MCP sign in</title>
     <style>
+      @font-face {
+        font-family: 'Satoshi';
+        src: url('/fonts/Satoshi-Variable.woff2') format('woff2-variations');
+        font-weight: 300 900;
+        font-style: normal;
+        font-display: swap;
+      }
+      :root {
+        color-scheme: dark;
+        --bg: #1c1c20;
+        --text: #ffffff;
+        --text-muted: #d1d5db;
+        --muted: #9ca3af;
+        --border: #232328;
+        --surface-hover: #404040;
+        --primary: #ff3300;
+        --primary-hover: #c2410c;
+        --ease: cubic-bezier(0.4, 0, 0.2, 1);
+        --shadow-panel:
+          inset 0 1px 0 rgba(255, 255, 255, 0.04),
+          inset 0 0 0 1px rgba(255, 255, 255, 0.06),
+          0 24px 24px -12px rgba(0, 0, 0, 0.35),
+          0 48px 48px -24px rgba(0, 0, 0, 0.35);
+      }
+      * {
+        box-sizing: border-box;
+      }
       body {
         margin: 0;
         min-height: 100vh;
-        display: grid;
-        place-items: center;
-        font-family: system-ui, sans-serif;
-        background: #0b0b0f;
-        color: #fff;
+        font-family: 'Satoshi', 'Inter', system-ui, sans-serif;
+        background:
+          linear-gradient(
+            180deg,
+            rgba(255, 255, 255, 0.018),
+            transparent 240px
+          ),
+          radial-gradient(
+            circle at 18% 0%,
+            rgba(255, 51, 0, 0.05),
+            transparent 32%
+          ),
+          var(--bg);
+        color: var(--text);
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        padding: 0;
+        -webkit-font-smoothing: antialiased;
+        -moz-osx-font-smoothing: grayscale;
       }
       main {
-        max-width: 480px;
-        padding: 32px;
+        width: 100%;
+        max-width: 920px;
+        padding: 28px 20px 96px;
+      }
+      .auth-shell {
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+        min-height: 60vh;
+        width: 100%;
+      }
+      .auth-card {
+        background:
+          linear-gradient(
+            180deg,
+            rgba(255, 255, 255, 0.025),
+            rgba(255, 255, 255, 0.01)
+          ),
+          var(--bg);
+        border: 1px solid rgba(255, 255, 255, 0.06);
+        border-radius: 24px;
+        padding: 40px;
+        width: 100%;
+        max-width: 400px;
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        gap: 32px;
+        backdrop-filter: blur(20px);
+        -webkit-backdrop-filter: blur(20px);
+        box-shadow: var(--shadow-panel);
+      }
+      .wordmark {
+        display: block;
+        width: auto;
+        height: 32px;
+        object-fit: contain;
+      }
+      .auth-copy {
+        text-align: center;
+      }
+      .auth-heading {
+        margin: 0 0 8px;
+        font-size: 20px;
+        font-weight: 500;
+        line-height: 1.2;
+        letter-spacing: 0;
+        color: var(--text);
       }
-      code {
+      .auth-subtitle {
+        margin: 0;
+        font-size: 14px;
+        font-weight: 400;
+        line-height: 1.5;
+        color: var(--text-muted);
+      }
+      .auth-code {
+        display: block;
+        margin-top: 12px;
+        border-radius: 12px;
+        background: #17171b;
+        padding: 10px 12px;
+        color: var(--text);
+        font-size: 12px;
+        line-height: 1.5;
         word-break: break-all;
       }
-      a {
-        display: inline-block;
-        margin-top: 20px;
-        padding: 10px 14px;
-        border-radius: 8px;
-        background: #fff;
-        color: #0b0b0f;
+      .auth-actions {
+        display: flex;
+        flex-direction: column;
+        align-items: stretch;
+        gap: 12px;
+        width: 100%;
+      }
+      .button-link {
+        display: inline-flex;
+        align-items: center;
+        justify-content: center;
+        gap: 8px;
+        min-height: 40px;
+        padding: 10px 18px;
+        border-radius: 10px;
+        font-family: inherit;
+        font-size: 14px;
+        font-weight: 500;
+        cursor: pointer;
+        transition:
+          background-color 160ms var(--ease),
+          border-color 160ms var(--ease),
+          color 160ms var(--ease),
+          transform 100ms ease;
+        border: 1px solid transparent;
         text-decoration: none;
-        font-weight: 600;
+        color: var(--text);
+        background: rgba(255, 255, 255, 0.015);
+        backdrop-filter: blur(20px);
+        -webkit-backdrop-filter: blur(20px);
+      }
+      .button-link:hover {
+        background: rgba(255, 255, 255, 0.1);
+      }
+      .button-link:active {
+        transform: scale(0.98);
+      }
+      .auth-google-button {
+        min-height: 48px;
+        padding: 14px 32px;
+        gap: 12px;
+        border-radius: 12px;
+        background: rgba(255, 255, 255, 0.015);
+        border-color: rgba(255, 255, 255, 0.03);
+        color: var(--text);
+        font-size: 14px;
+        font-weight: 500;
+      }
+      .auth-google-button:hover {
+        background: rgba(255, 255, 255, 0.1);
+      }
+      .auth-google-icon {
+        width: 20px;
+        height: 20px;
+        filter: brightness(1.1);
+        flex: 0 0 20px;
       }
     </style>
+    <link rel="stylesheet" href="${DASHBOARD_AUTH_STYLESHEET_PATH}" />
   </head>
   <body>
     <main>
-      <h1>Approve Rivet MCP sign in</h1>
-      <p><strong>${escapeHtml(clientName)}</strong> wants to connect to Rivet.</p>
-      <p>After sign-in, Rivet will return an OAuth code to:</p>
-      <p><code>${escapeHtml(input.redirectUri)}</code></p>
-      <a href="${escapeHtml(input.authUrl)}">Continue to Rivet sign in</a>
+      <section class="auth-shell">
+        <div class="auth-card" aria-labelledby="approval-title">
+          <img class="wordmark" src="/dashboard/assets/logo.png" alt="Rivet" />
+          <div class="auth-copy">
+            <h1 id="approval-title" class="auth-heading">Approve Rivet MCP sign in</h1>
+            <p class="auth-subtitle">
+              <strong>${escapeHtml(clientName)}</strong> wants to connect to Rivet.
+            </p>
+            <p class="auth-subtitle">After sign-in, Rivet will return an OAuth code to:</p>
+            <p class="auth-subtitle">
+              <code class="auth-code">${escapedRedirectUri}</code>
+            </p>
+          </div>
+          <div class="auth-actions">
+            <a
+              href="${escapedAuthUrl}"
+              class="button-link auth-google-button"
+              aria-label="Sign in with Google to approve Rivet MCP"
+            >
+              <img
+                class="auth-google-icon"
+                src="${GOOGLE_ICON_URL}"
+                alt="Google"
+              />
+              Sign in with Google
+            </a>
+          </div>
+        </div>
+      </section>
     </main>
   </body>
 </html>`;
@@ -130,14 +342,13 @@ const normalizeProfileUser = (user) => {
  *    Supabase hash tokens to `completeBrowserCallback`. That completes the
  *    proxy login, obtains the Rivet access token, and mints a single-use
  *    authorization code bound to the client's PKCE challenge.
- * 3. `exchangeAuthorizationCode` returns the Rivet access token as the OAuth
- *    access token; `verifyAccessToken` validates bearer tokens against the
- *    proxy profile endpoint.
+ * 3. `exchangeAuthorizationCode` returns opaque MCP OAuth tokens; the Rivet
+ *    proxy tokens stay server-side and are used only after provider validation.
  */
 class RivetOAuthServerProvider {
     clientsStore = new InMemoryClientsStore();
-    proxyUrl;
-    callbackUrl;
+    getProxyUrl;
+    getCallbackUrl;
     mcpEditor;
     persistTokens;
     isRefreshTokenCurrent;
@@ -149,22 +360,41 @@ class RivetOAuthServerProvider {
     verifiedTokens = new Map();
     revokedAccessTokens = new Set();
     revokedRefreshTokens = new Set();
-    activeRefreshTokens = new Set();
+    activeRefreshTokens = new Map();
     constructor(options) {
-        this.proxyUrl = options.proxyUrl.replace(/\/$/, '');
-        this.callbackUrl = options.callbackUrl;
+        const { proxyUrl, callbackUrl } = options;
+        this.getProxyUrl =
+            typeof proxyUrl === 'function'
+                ? () => proxyUrl().replace(/\/$/, '')
+                : () => proxyUrl.replace(/\/$/, '');
+        this.getCallbackUrl =
+            typeof callbackUrl === 'function' ? callbackUrl : () => callbackUrl;
         this.mcpEditor = options.mcpEditor;
         this.persistTokens = options.persistTokens;
         this.isRefreshTokenCurrent = options.isRefreshTokenCurrent;
         this.fetchFn = options.fetchImpl ?? fetch;
         this.pollIntervalMs = options.pollIntervalMs ?? TOKEN_POLL_INTERVAL_MS;
     }
+    getBrowserAuthCookie(sessionId, nonce) {
+        const callbackUrl = new URL(this.getCallbackUrl());
+        const attributes = [
+            `${exports.MCP_BROWSER_AUTH_COOKIE_NAME}=${encodeURIComponent(getBrowserAuthCookieValue(sessionId, nonce))}`,
+            'Path=/',
+            'HttpOnly',
+            'SameSite=Lax',
+            `Max-Age=${Math.ceil(PENDING_AUTH_TTL_MS / 1000)}`,
+        ];
+        if (callbackUrl.protocol === 'https:') {
+            attributes.push('Secure');
+        }
+        return attributes.join('; ');
+    }
     async authorize(client, params, res) {
-        const response = await this.fetchFn(`${this.proxyUrl}/api/auth/google/start`, {
+        const response = await this.fetchFn(`${this.getProxyUrl()}/api/auth/google/start`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify({
-                redirectOrigin: this.callbackUrl,
+                redirectOrigin: this.getCallbackUrl(),
                 authDestination: HOSTED_DASHBOARD_AUTH_URL,
                 source: 'mcp',
                 editor: this.mcpEditor,
@@ -182,13 +412,16 @@ class RivetOAuthServerProvider {
             throw new errors_js_1.ServerError('Failed to start Rivet sign-in');
         }
         this.prunePendingAuthorizations();
+        const browserNonce = (0, crypto_1.randomBytes)(32).toString('base64url');
         this.pendingAuthorizations.set(result.sessionId, {
             client,
             params,
             pollSecret: result.pollSecret,
             completionSecret: result.completionSecret,
+            browserNonce,
             expiresAt: Date.now() + PENDING_AUTH_TTL_MS,
         });
+        res.setHeader('Set-Cookie', this.getBrowserAuthCookie(result.sessionId, browserNonce));
         res.status(200).type('html').send(getClientApprovalHtml({
             authUrl: result.authUrl,
             clientName: client.client_name,
@@ -201,7 +434,7 @@ class RivetOAuthServerProvider {
      * single-use authorization code, and returns the MCP client redirect URL.
      */
     async completeBrowserCallback(input) {
-        const { sessionId, accessToken, refreshToken } = input;
+        const { sessionId, accessToken, refreshToken, browserAuthCookie } = input;
         if (!sessionId || !accessToken) {
             throw new Error('OAuth callback missing session or token');
         }
@@ -210,7 +443,11 @@ class RivetOAuthServerProvider {
         if (!pending || pending.expiresAt < Date.now()) {
             throw new Error('Unknown or expired sign-in session');
         }
-        const completeResponse = await this.fetchFn(`${this.proxyUrl}/api/auth/google/complete`, {
+        if (browserAuthCookie !==
+            getBrowserAuthCookieValue(sessionId, pending.browserNonce)) {
+            throw new Error('OAuth callback missing browser session');
+        }
+        const completeResponse = await this.fetchFn(`${this.getProxyUrl()}/api/auth/google/complete`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify({
@@ -259,60 +496,90 @@ class RivetOAuthServerProvider {
             throw new errors_js_1.InvalidGrantError('redirect_uri does not match');
         }
         this.authorizationCodes.delete(authorizationCode);
-        this.rememberIssuedBearerToken({
-            token: entry.accessToken,
-            refreshToken: entry.refreshToken,
+        const issuedTokens = this.rememberIssuedBearerToken({
+            proxyAccessToken: entry.accessToken,
+            proxyRefreshToken: entry.refreshToken,
             user: entry.user,
         });
-        return this.toOAuthTokens(entry.accessToken, entry.refreshToken);
+        return this.toOAuthTokens(issuedTokens.accessToken, issuedTokens.refreshToken, issuedTokens.expiresIn);
     }
     async exchangeRefreshToken(_client, refreshToken) {
+        const activeRefreshToken = this.activeRefreshTokens.get(refreshToken);
         if (this.revokedRefreshTokens.has(refreshToken) ||
-            !this.activeRefreshTokens.has(refreshToken) ||
-            this.isRefreshTokenCurrent?.(refreshToken) === false) {
+            !activeRefreshToken ||
+            this.isRefreshTokenCurrent?.(activeRefreshToken.proxyRefreshToken) === false) {
             throw new errors_js_1.InvalidGrantError('Refresh token was revoked');
         }
         const refreshed = await (0, accessTokenRefresh_1.refreshAccessTokenViaProxy)({
-            refreshToken,
-            proxyUrl: this.proxyUrl,
+            refreshToken: activeRefreshToken.proxyRefreshToken,
+            proxyUrl: this.getProxyUrl(),
             fetchImpl: this.fetchFn,
         });
         if (!refreshed) {
             throw new errors_js_1.InvalidGrantError('Refresh token was rejected');
         }
-        const nextRefreshToken = refreshed.refreshToken ?? refreshToken;
+        const nextProxyRefreshToken = refreshed.refreshToken ?? activeRefreshToken.proxyRefreshToken;
         try {
             this.persistTokens?.({
                 token: refreshed.token,
-                refreshToken: nextRefreshToken,
+                refreshToken: nextProxyRefreshToken,
             });
         }
         catch (error) {
             log.warn('Failed to persist refreshed Rivet tokens:', error);
         }
         this.activeRefreshTokens.delete(refreshToken);
-        this.rememberIssuedBearerToken({
-            token: refreshed.token,
-            refreshToken: nextRefreshToken,
+        this.revokedRefreshTokens.add(refreshToken);
+        const issuedTokens = this.rememberIssuedBearerToken({
+            proxyAccessToken: refreshed.token,
+            proxyRefreshToken: nextProxyRefreshToken,
+            user: activeRefreshToken.user,
         });
-        return this.toOAuthTokens(refreshed.token, nextRefreshToken);
+        return this.toOAuthTokens(issuedTokens.accessToken, issuedTokens.refreshToken, issuedTokens.expiresIn);
+    }
+    async revokeToken(_client, request) {
+        const { token } = request;
+        const knownAccessToken = this.issuedBearerTokens.get(token);
+        const knownRefreshToken = this.activeRefreshTokens.has(token);
+        if (knownAccessToken) {
+            this.revokeAccessToken(token);
+            return;
+        }
+        if (!knownRefreshToken) {
+            return;
+        }
+        this.revokedRefreshTokens.add(token);
+        this.activeRefreshTokens.delete(token);
+        for (const [accessToken, issuedToken] of this.issuedBearerTokens) {
+            if (issuedToken.refreshToken === token) {
+                this.revokedAccessTokens.add(accessToken);
+                this.issuedBearerTokens.delete(accessToken);
+                this.verifiedTokens.delete(accessToken);
+            }
+        }
     }
     async verifyAccessToken(token) {
         if (this.revokedAccessTokens.has(token)) {
             this.verifiedTokens.delete(token);
             throw new errors_js_1.InvalidTokenError('Access token was revoked');
         }
+        this.pruneIssuedBearerTokens();
+        const issuedToken = this.issuedBearerTokens.get(token);
+        if (!issuedToken) {
+            this.verifiedTokens.delete(token);
+            throw new errors_js_1.InvalidTokenError('Access token was not issued by this OAuth provider');
+        }
         const cached = this.verifiedTokens.get(token);
         if (cached && cached.cachedUntil > Date.now()) {
             return cached.authInfo;
         }
         let response;
         try {
-            response = await this.fetchFn(`${this.proxyUrl}/api/user/profile`, {
+            response = await this.fetchFn(`${this.getProxyUrl()}/api/user/profile`, {
                 method: 'GET',
                 headers: {
                     'Content-Type': 'application/json',
-                    Authorization: `Bearer ${token}`,
+                    Authorization: `Bearer ${issuedToken.proxyAccessToken}`,
                 },
                 signal: AbortSignal.timeout(PROFILE_FETCH_TIMEOUT_MS),
             });
@@ -326,18 +593,18 @@ class RivetOAuthServerProvider {
             this.verifiedTokens.delete(token);
             throw new errors_js_1.InvalidTokenError('Rivet rejected the access token');
         }
-        this.pruneIssuedBearerTokens();
-        const issuedToken = this.issuedBearerTokens.get(token);
         const user = normalizeProfileUser(result.user) ?? issuedToken?.user;
-        const secondsUntilExpiry = (0, accessTokenRefresh_1.getJwtSecondsUntilExpiry)(token) ?? DEFAULT_TOKEN_TTL_SECONDS;
+        const secondsUntilExpiry = (0, accessTokenRefresh_1.getJwtSecondsUntilExpiry)(issuedToken.proxyAccessToken) ??
+            DEFAULT_TOKEN_TTL_SECONDS;
         const authInfo = {
-            token,
+            token: issuedToken.proxyAccessToken,
             clientId: 'rivet-mcp',
             scopes: [MCP_OAUTH_SCOPE],
             expiresAt: Math.floor(Date.now() / 1000) + Math.max(secondsUntilExpiry, 1),
             extra: {
-                ...(issuedToken?.refreshToken
-                    ? { refreshToken: issuedToken.refreshToken }
+                mcpAccessToken: token,
+                ...(issuedToken.proxyRefreshToken
+                    ? { refreshToken: issuedToken.proxyRefreshToken }
                     : {}),
                 ...(user ? { email: user.email, userId: user.id } : {}),
             },
@@ -366,14 +633,29 @@ class RivetOAuthServerProvider {
     }
     rememberIssuedBearerToken(tokens) {
         this.pruneIssuedBearerTokens();
-        this.issuedBearerTokens.set(tokens.token, {
-            refreshToken: tokens.refreshToken,
+        const accessToken = `rivet_mcp_at_${(0, crypto_1.randomBytes)(32).toString('base64url')}`;
+        const refreshToken = tokens.proxyRefreshToken
+            ? `rivet_mcp_rt_${(0, crypto_1.randomBytes)(32).toString('base64url')}`
+            : undefined;
+        const expiresAt = getTokenExpiryMs(tokens.proxyAccessToken);
+        this.issuedBearerTokens.set(accessToken, {
+            proxyAccessToken: tokens.proxyAccessToken,
+            proxyRefreshToken: tokens.proxyRefreshToken,
+            refreshToken,
             user: tokens.user,
-            expiresAt: getTokenExpiryMs(tokens.token),
+            expiresAt,
         });
-        if (tokens.refreshToken) {
-            this.activeRefreshTokens.add(tokens.refreshToken);
+        if (refreshToken && tokens.proxyRefreshToken) {
+            this.activeRefreshTokens.set(refreshToken, {
+                proxyRefreshToken: tokens.proxyRefreshToken,
+                user: tokens.user,
+            });
         }
+        return {
+            accessToken,
+            refreshToken,
+            expiresIn: Math.max(Math.floor((expiresAt - Date.now()) / 1000), 1),
+        };
     }
     getValidCodeEntry(client, authorizationCode) {
         const entry = this.authorizationCodes.get(authorizationCode);
@@ -385,19 +667,18 @@ class RivetOAuthServerProvider {
         }
         return entry;
     }
-    toOAuthTokens(accessToken, refreshToken) {
-        const secondsUntilExpiry = (0, accessTokenRefresh_1.getJwtSecondsUntilExpiry)(accessToken) ?? DEFAULT_TOKEN_TTL_SECONDS;
+    toOAuthTokens(accessToken, refreshToken, expiresIn = DEFAULT_TOKEN_TTL_SECONDS) {
         return {
             access_token: accessToken,
             token_type: 'bearer',
-            expires_in: Math.max(secondsUntilExpiry, 1),
+            expires_in: Math.max(expiresIn, 1),
             scope: MCP_OAUTH_SCOPE,
             ...(refreshToken ? { refresh_token: refreshToken } : {}),
         };
     }
     async pollForRivetTokens(sessionId, pollSecret) {
         for (let attempt = 0; attempt < TOKEN_POLL_MAX_ATTEMPTS; attempt++) {
-            const response = await this.fetchFn(`${this.proxyUrl}/api/auth/google/token`, {
+            const response = await this.fetchFn(`${this.getProxyUrl()}/api/auth/google/token`, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify({ session: sessionId, pollSecret }),