skybridge 0.0.0-dev.ff4b4a2 → 0.0.0-dev.ffaef7a

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (434) hide show
  1. package/README.md +124 -115
  2. package/dist/cli/build-helpers.d.ts +10 -0
  3. package/dist/cli/build-helpers.js +93 -0
  4. package/dist/cli/build-helpers.js.map +1 -0
  5. package/dist/cli/build-helpers.test.js +89 -0
  6. package/dist/cli/build-helpers.test.js.map +1 -0
  7. package/dist/cli/build-steps.d.ts +2 -0
  8. package/dist/cli/build-steps.js +68 -0
  9. package/dist/cli/build-steps.js.map +1 -0
  10. package/dist/cli/build-steps.test.js +52 -0
  11. package/dist/cli/build-steps.test.js.map +1 -0
  12. package/dist/cli/detect-port.d.ts +18 -0
  13. package/dist/cli/detect-port.js +50 -0
  14. package/dist/cli/detect-port.js.map +1 -0
  15. package/dist/cli/header.d.ts +1 -1
  16. package/dist/cli/header.js +1 -1
  17. package/dist/cli/header.js.map +1 -1
  18. package/dist/cli/resolve-views-dir.d.ts +1 -0
  19. package/dist/cli/resolve-views-dir.js +17 -0
  20. package/dist/cli/resolve-views-dir.js.map +1 -0
  21. package/dist/cli/run-command.js.map +1 -1
  22. package/dist/cli/run-plain.d.ts +18 -0
  23. package/dist/cli/run-plain.js +89 -0
  24. package/dist/cli/run-plain.js.map +1 -0
  25. package/dist/cli/telemetry.js.map +1 -1
  26. package/dist/cli/tunnel-control-server.d.ts +9 -0
  27. package/dist/cli/tunnel-control-server.js +31 -0
  28. package/dist/cli/tunnel-control-server.js.map +1 -0
  29. package/dist/cli/tunnel-control-server.test.d.ts +1 -0
  30. package/dist/cli/tunnel-control-server.test.js +39 -0
  31. package/dist/cli/tunnel-control-server.test.js.map +1 -0
  32. package/dist/cli/tunnel-handler.d.ts +3 -0
  33. package/dist/cli/tunnel-handler.js +48 -0
  34. package/dist/cli/tunnel-handler.js.map +1 -0
  35. package/dist/cli/tunnel-handler.test.d.ts +1 -0
  36. package/dist/cli/tunnel-handler.test.js +105 -0
  37. package/dist/cli/tunnel-handler.test.js.map +1 -0
  38. package/dist/cli/tunnel.d.ts +57 -0
  39. package/dist/cli/tunnel.js +154 -0
  40. package/dist/cli/tunnel.js.map +1 -0
  41. package/dist/cli/tunnel.test.d.ts +1 -0
  42. package/dist/cli/tunnel.test.js +190 -0
  43. package/dist/cli/tunnel.test.js.map +1 -0
  44. package/dist/cli/types.d.ts +5 -0
  45. package/dist/cli/types.js +2 -0
  46. package/dist/cli/types.js.map +1 -0
  47. package/dist/cli/use-execute-steps.d.ts +1 -1
  48. package/dist/cli/use-execute-steps.js.map +1 -1
  49. package/dist/cli/use-messages.d.ts +3 -0
  50. package/dist/cli/use-messages.js +11 -0
  51. package/dist/cli/use-messages.js.map +1 -0
  52. package/dist/cli/use-nodemon.d.ts +16 -6
  53. package/dist/cli/use-nodemon.js +77 -54
  54. package/dist/cli/use-nodemon.js.map +1 -1
  55. package/dist/cli/use-open-browser.d.ts +1 -0
  56. package/dist/cli/use-open-browser.js +44 -0
  57. package/dist/cli/use-open-browser.js.map +1 -0
  58. package/dist/cli/use-tunnel.d.ts +14 -0
  59. package/dist/cli/use-tunnel.js +131 -0
  60. package/dist/cli/use-tunnel.js.map +1 -0
  61. package/dist/cli/use-typescript-check.d.ts +9 -2
  62. package/dist/cli/use-typescript-check.js +89 -51
  63. package/dist/cli/use-typescript-check.js.map +1 -1
  64. package/dist/commands/build.d.ts +0 -3
  65. package/dist/commands/build.js +3 -18
  66. package/dist/commands/build.js.map +1 -1
  67. package/dist/commands/create.d.ts +9 -0
  68. package/dist/commands/create.js +30 -0
  69. package/dist/commands/create.js.map +1 -0
  70. package/dist/commands/dev.d.ts +5 -1
  71. package/dist/commands/dev.js +105 -8
  72. package/dist/commands/dev.js.map +1 -1
  73. package/dist/commands/start.d.ts +3 -1
  74. package/dist/commands/start.js +37 -15
  75. package/dist/commands/start.js.map +1 -1
  76. package/dist/commands/telemetry/disable.js.map +1 -1
  77. package/dist/commands/telemetry/enable.js.map +1 -1
  78. package/dist/commands/telemetry/status.js.map +1 -1
  79. package/dist/server/asset-base-url-transform-plugin.d.ts +6 -6
  80. package/dist/server/asset-base-url-transform-plugin.js +25 -11
  81. package/dist/server/asset-base-url-transform-plugin.js.map +1 -1
  82. package/dist/server/asset-base-url-transform-plugin.test.js +92 -14
  83. package/dist/server/asset-base-url-transform-plugin.test.js.map +1 -1
  84. package/dist/server/auth/discovery.d.ts +32 -0
  85. package/dist/server/auth/discovery.js +56 -0
  86. package/dist/server/auth/discovery.js.map +1 -0
  87. package/dist/server/auth/discovery.test.d.ts +1 -0
  88. package/dist/server/auth/discovery.test.js +93 -0
  89. package/dist/server/auth/discovery.test.js.map +1 -0
  90. package/dist/server/auth/index.d.ts +18 -0
  91. package/dist/server/auth/index.js +2 -0
  92. package/dist/server/auth/index.js.map +1 -0
  93. package/dist/server/auth/providers/auth0.d.ts +18 -0
  94. package/dist/server/auth/providers/auth0.js +31 -0
  95. package/dist/server/auth/providers/auth0.js.map +1 -0
  96. package/dist/server/auth/providers/auth0.test.d.ts +1 -0
  97. package/dist/server/auth/providers/auth0.test.js +48 -0
  98. package/dist/server/auth/providers/auth0.test.js.map +1 -0
  99. package/dist/server/auth/providers/clerk.d.ts +14 -0
  100. package/dist/server/auth/providers/clerk.js +16 -0
  101. package/dist/server/auth/providers/clerk.js.map +1 -0
  102. package/dist/server/auth/providers/clerk.test.d.ts +1 -0
  103. package/dist/server/auth/providers/clerk.test.js +28 -0
  104. package/dist/server/auth/providers/clerk.test.js.map +1 -0
  105. package/dist/server/auth/providers/custom.d.ts +24 -0
  106. package/dist/server/auth/providers/custom.js +37 -0
  107. package/dist/server/auth/providers/custom.js.map +1 -0
  108. package/dist/server/auth/providers/custom.test.d.ts +1 -0
  109. package/dist/server/auth/providers/custom.test.js +107 -0
  110. package/dist/server/auth/providers/custom.test.js.map +1 -0
  111. package/dist/server/auth/providers/descope.d.ts +15 -0
  112. package/dist/server/auth/providers/descope.js +33 -0
  113. package/dist/server/auth/providers/descope.js.map +1 -0
  114. package/dist/server/auth/providers/descope.test.d.ts +1 -0
  115. package/dist/server/auth/providers/descope.test.js +37 -0
  116. package/dist/server/auth/providers/descope.test.js.map +1 -0
  117. package/dist/server/auth/providers/shared.d.ts +2 -0
  118. package/dist/server/auth/providers/shared.js +6 -0
  119. package/dist/server/auth/providers/shared.js.map +1 -0
  120. package/dist/server/auth/providers/shared.test.d.ts +1 -0
  121. package/dist/server/auth/providers/shared.test.js +10 -0
  122. package/dist/server/auth/providers/shared.test.js.map +1 -0
  123. package/dist/server/auth/providers/stytch.d.ts +12 -0
  124. package/dist/server/auth/providers/stytch.js +13 -0
  125. package/dist/server/auth/providers/stytch.js.map +1 -0
  126. package/dist/server/auth/providers/workos.d.ts +11 -0
  127. package/dist/server/auth/providers/workos.js +12 -0
  128. package/dist/server/auth/providers/workos.js.map +1 -0
  129. package/dist/server/auth/security-schemes.d.ts +13 -0
  130. package/dist/server/auth/security-schemes.js +53 -0
  131. package/dist/server/auth/security-schemes.js.map +1 -0
  132. package/dist/server/auth/security-schemes.test.d.ts +1 -0
  133. package/dist/server/auth/security-schemes.test.js +90 -0
  134. package/dist/server/auth/security-schemes.test.js.map +1 -0
  135. package/dist/server/auth/setup.d.ts +6 -0
  136. package/dist/server/auth/setup.js +98 -0
  137. package/dist/server/auth/setup.js.map +1 -0
  138. package/dist/server/auth/setup.test.d.ts +1 -0
  139. package/dist/server/auth/setup.test.js +450 -0
  140. package/dist/server/auth/setup.test.js.map +1 -0
  141. package/dist/server/auth/verify.d.ts +12 -0
  142. package/dist/server/auth/verify.js +38 -0
  143. package/dist/server/auth/verify.js.map +1 -0
  144. package/dist/server/auth/verify.test.d.ts +1 -0
  145. package/dist/server/auth/verify.test.js +100 -0
  146. package/dist/server/auth/verify.test.js.map +1 -0
  147. package/dist/server/auth.d.ts +20 -0
  148. package/dist/server/auth.js +28 -0
  149. package/dist/server/auth.js.map +1 -0
  150. package/dist/server/build-manifest.test.d.ts +1 -0
  151. package/dist/server/build-manifest.test.js +27 -0
  152. package/dist/server/build-manifest.test.js.map +1 -0
  153. package/dist/server/content-helpers.d.ts +67 -0
  154. package/dist/server/content-helpers.js +79 -0
  155. package/dist/server/content-helpers.js.map +1 -0
  156. package/dist/server/content-helpers.test.d.ts +1 -0
  157. package/dist/server/content-helpers.test.js +70 -0
  158. package/dist/server/content-helpers.test.js.map +1 -0
  159. package/dist/server/express.d.ts +11 -0
  160. package/dist/server/express.js +101 -0
  161. package/dist/server/express.js.map +1 -0
  162. package/dist/server/express.test.d.ts +1 -0
  163. package/dist/server/express.test.js +491 -0
  164. package/dist/server/express.test.js.map +1 -0
  165. package/dist/server/file-ref.d.ts +28 -0
  166. package/dist/server/file-ref.js +27 -0
  167. package/dist/server/file-ref.js.map +1 -0
  168. package/dist/server/index.d.ts +14 -3
  169. package/dist/server/index.js +11 -2
  170. package/dist/server/index.js.map +1 -1
  171. package/dist/server/inferUtilityTypes.d.ts +6 -6
  172. package/dist/server/inferUtilityTypes.js.map +1 -1
  173. package/dist/server/metric.d.ts +14 -0
  174. package/dist/server/metric.js +62 -0
  175. package/dist/server/metric.js.map +1 -0
  176. package/dist/server/middleware.d.ts +137 -0
  177. package/dist/server/middleware.js +93 -0
  178. package/dist/server/middleware.js.map +1 -0
  179. package/dist/server/middleware.test-d.d.ts +1 -0
  180. package/dist/server/middleware.test-d.js +75 -0
  181. package/dist/server/middleware.test-d.js.map +1 -0
  182. package/dist/server/middleware.test.d.ts +1 -0
  183. package/dist/server/middleware.test.js +493 -0
  184. package/dist/server/middleware.test.js.map +1 -0
  185. package/dist/server/requestOrigin.d.ts +7 -0
  186. package/dist/server/requestOrigin.js +25 -0
  187. package/dist/server/requestOrigin.js.map +1 -0
  188. package/dist/server/server.d.ts +391 -58
  189. package/dist/server/server.js +644 -111
  190. package/dist/server/server.js.map +1 -1
  191. package/dist/server/templateHelper.d.ts +5 -8
  192. package/dist/server/templateHelper.js +3 -22
  193. package/dist/server/templateHelper.js.map +1 -1
  194. package/dist/server/templates.generated.d.ts +4 -0
  195. package/dist/server/templates.generated.js +47 -0
  196. package/dist/server/templates.generated.js.map +1 -0
  197. package/dist/server/tunnel-proxy-router.d.ts +7 -0
  198. package/dist/server/tunnel-proxy-router.js +110 -0
  199. package/dist/server/tunnel-proxy-router.js.map +1 -0
  200. package/dist/server/tunnel-proxy-router.test.d.ts +1 -0
  201. package/dist/server/tunnel-proxy-router.test.js +229 -0
  202. package/dist/server/tunnel-proxy-router.test.js.map +1 -0
  203. package/dist/server/view-name.test-d.d.ts +1 -0
  204. package/dist/server/view-name.test-d.js +8 -0
  205. package/dist/server/view-name.test-d.js.map +1 -0
  206. package/dist/server/view-resource-resolution.test.d.ts +6 -0
  207. package/dist/server/view-resource-resolution.test.js +171 -0
  208. package/dist/server/view-resource-resolution.test.js.map +1 -0
  209. package/dist/server/viewsDevServer.d.ts +14 -0
  210. package/dist/server/viewsDevServer.js +45 -0
  211. package/dist/server/viewsDevServer.js.map +1 -0
  212. package/dist/test/utils.d.ts +13 -21
  213. package/dist/test/utils.js +42 -37
  214. package/dist/test/utils.js.map +1 -1
  215. package/dist/test/view.test.d.ts +1 -0
  216. package/dist/test/view.test.js +536 -0
  217. package/dist/test/view.test.js.map +1 -0
  218. package/dist/version.d.ts +1 -0
  219. package/dist/version.js +3 -0
  220. package/dist/version.js.map +1 -0
  221. package/dist/web/bridges/adaptor.d.ts +51 -0
  222. package/dist/web/bridges/adaptor.js +330 -0
  223. package/dist/web/bridges/adaptor.js.map +1 -0
  224. package/dist/web/bridges/adaptor.test.d.ts +1 -0
  225. package/dist/web/bridges/adaptor.test.js +208 -0
  226. package/dist/web/bridges/adaptor.test.js.map +1 -0
  227. package/dist/web/bridges/apps-sdk/bridge.d.ts +7 -2
  228. package/dist/web/bridges/apps-sdk/bridge.js +15 -3
  229. package/dist/web/bridges/apps-sdk/bridge.js.map +1 -1
  230. package/dist/web/bridges/apps-sdk/index.d.ts +1 -2
  231. package/dist/web/bridges/apps-sdk/index.js +0 -1
  232. package/dist/web/bridges/apps-sdk/index.js.map +1 -1
  233. package/dist/web/bridges/apps-sdk/types.d.ts +32 -14
  234. package/dist/web/bridges/apps-sdk/types.js.map +1 -1
  235. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.d.ts +11 -0
  236. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js +11 -0
  237. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js.map +1 -1
  238. package/dist/web/bridges/get-adaptor.d.ts +7 -0
  239. package/dist/web/bridges/get-adaptor.js +9 -7
  240. package/dist/web/bridges/get-adaptor.js.map +1 -1
  241. package/dist/web/bridges/get-adaptor.test.d.ts +1 -0
  242. package/dist/web/bridges/get-adaptor.test.js +32 -0
  243. package/dist/web/bridges/get-adaptor.test.js.map +1 -0
  244. package/dist/web/bridges/index.js.map +1 -1
  245. package/dist/web/bridges/mcp-app/bridge.d.ts +27 -31
  246. package/dist/web/bridges/mcp-app/bridge.js +109 -198
  247. package/dist/web/bridges/mcp-app/bridge.js.map +1 -1
  248. package/dist/web/bridges/mcp-app/bridge.test.d.ts +1 -0
  249. package/dist/web/bridges/mcp-app/bridge.test.js +17 -0
  250. package/dist/web/bridges/mcp-app/bridge.test.js.map +1 -0
  251. package/dist/web/bridges/mcp-app/index.d.ts +0 -1
  252. package/dist/web/bridges/mcp-app/index.js +0 -1
  253. package/dist/web/bridges/mcp-app/index.js.map +1 -1
  254. package/dist/web/bridges/mcp-app/types.js.map +1 -1
  255. package/dist/web/bridges/mcp-app/use-mcp-app-context.d.ts +17 -3
  256. package/dist/web/bridges/mcp-app/use-mcp-app-context.js +14 -2
  257. package/dist/web/bridges/mcp-app/use-mcp-app-context.js.map +1 -1
  258. package/dist/web/bridges/mcp-app/use-mcp-app-context.test.js +1 -41
  259. package/dist/web/bridges/mcp-app/use-mcp-app-context.test.js.map +1 -1
  260. package/dist/web/bridges/mcp-app/view-tools.test.d.ts +1 -0
  261. package/dist/web/bridges/mcp-app/view-tools.test.js +143 -0
  262. package/dist/web/bridges/mcp-app/view-tools.test.js.map +1 -0
  263. package/dist/web/bridges/types.d.ts +130 -14
  264. package/dist/web/bridges/types.js +14 -1
  265. package/dist/web/bridges/types.js.map +1 -1
  266. package/dist/web/bridges/types.test.d.ts +1 -0
  267. package/dist/web/bridges/types.test.js +19 -0
  268. package/dist/web/bridges/types.test.js.map +1 -0
  269. package/dist/web/bridges/use-host-context.d.ts +5 -0
  270. package/dist/web/bridges/use-host-context.js +5 -0
  271. package/dist/web/bridges/use-host-context.js.map +1 -1
  272. package/dist/web/components/modal-provider.d.ts +1 -1
  273. package/dist/web/components/modal-provider.js +5 -6
  274. package/dist/web/components/modal-provider.js.map +1 -1
  275. package/dist/web/create-store.d.ts +26 -0
  276. package/dist/web/create-store.js +43 -3
  277. package/dist/web/create-store.js.map +1 -1
  278. package/dist/web/create-store.test.js +31 -25
  279. package/dist/web/create-store.test.js.map +1 -1
  280. package/dist/web/data-llm.d.ts +35 -2
  281. package/dist/web/data-llm.js +31 -3
  282. package/dist/web/data-llm.js.map +1 -1
  283. package/dist/web/data-llm.test.js +50 -35
  284. package/dist/web/data-llm.test.js.map +1 -1
  285. package/dist/web/generate-helpers.d.ts +22 -18
  286. package/dist/web/generate-helpers.js +22 -18
  287. package/dist/web/generate-helpers.js.map +1 -1
  288. package/dist/web/generate-helpers.test-d.js +30 -28
  289. package/dist/web/generate-helpers.test-d.js.map +1 -1
  290. package/dist/web/generate-helpers.test.js.map +1 -1
  291. package/dist/web/helpers/state.d.ts +2 -2
  292. package/dist/web/helpers/state.js +11 -11
  293. package/dist/web/helpers/state.js.map +1 -1
  294. package/dist/web/helpers/state.test.js +9 -9
  295. package/dist/web/helpers/state.test.js.map +1 -1
  296. package/dist/web/hooks/index.d.ts +6 -2
  297. package/dist/web/hooks/index.js +5 -1
  298. package/dist/web/hooks/index.js.map +1 -1
  299. package/dist/web/hooks/test/utils.d.ts +6 -2
  300. package/dist/web/hooks/test/utils.js +17 -2
  301. package/dist/web/hooks/test/utils.js.map +1 -1
  302. package/dist/web/hooks/use-call-tool.d.ts +45 -0
  303. package/dist/web/hooks/use-call-tool.js +28 -0
  304. package/dist/web/hooks/use-call-tool.js.map +1 -1
  305. package/dist/web/hooks/use-call-tool.test-d.js.map +1 -1
  306. package/dist/web/hooks/use-call-tool.test.js +62 -27
  307. package/dist/web/hooks/use-call-tool.test.js.map +1 -1
  308. package/dist/web/hooks/use-display-mode.d.ts +23 -3
  309. package/dist/web/hooks/use-display-mode.js +20 -0
  310. package/dist/web/hooks/use-display-mode.js.map +1 -1
  311. package/dist/web/hooks/use-display-mode.test-d.d.ts +1 -0
  312. package/dist/web/hooks/use-display-mode.test-d.js +8 -0
  313. package/dist/web/hooks/use-display-mode.test-d.js.map +1 -0
  314. package/dist/web/hooks/use-display-mode.test.js +56 -20
  315. package/dist/web/hooks/use-display-mode.test.js.map +1 -1
  316. package/dist/web/hooks/use-download.d.ts +5 -0
  317. package/dist/web/hooks/use-download.js +8 -0
  318. package/dist/web/hooks/use-download.js.map +1 -0
  319. package/dist/web/hooks/use-download.test.d.ts +1 -0
  320. package/dist/web/hooks/use-download.test.js +103 -0
  321. package/dist/web/hooks/use-download.test.js.map +1 -0
  322. package/dist/web/hooks/use-files.d.ts +34 -1
  323. package/dist/web/hooks/use-files.js +33 -0
  324. package/dist/web/hooks/use-files.js.map +1 -1
  325. package/dist/web/hooks/use-files.test.js +35 -3
  326. package/dist/web/hooks/use-files.test.js.map +1 -1
  327. package/dist/web/hooks/use-layout.d.ts +2 -0
  328. package/dist/web/hooks/use-layout.js +2 -0
  329. package/dist/web/hooks/use-layout.js.map +1 -1
  330. package/dist/web/hooks/use-layout.test.js +62 -29
  331. package/dist/web/hooks/use-layout.test.js.map +1 -1
  332. package/dist/web/hooks/use-open-external.d.ts +20 -1
  333. package/dist/web/hooks/use-open-external.js +17 -1
  334. package/dist/web/hooks/use-open-external.js.map +1 -1
  335. package/dist/web/hooks/use-open-external.test.js +38 -13
  336. package/dist/web/hooks/use-open-external.test.js.map +1 -1
  337. package/dist/web/hooks/use-register-view-tool.d.ts +38 -0
  338. package/dist/web/hooks/use-register-view-tool.js +50 -0
  339. package/dist/web/hooks/use-register-view-tool.js.map +1 -0
  340. package/dist/web/hooks/use-request-close.d.ts +16 -0
  341. package/dist/web/hooks/use-request-close.js +21 -0
  342. package/dist/web/hooks/use-request-close.js.map +1 -0
  343. package/dist/web/hooks/use-request-close.test.d.ts +1 -0
  344. package/dist/web/hooks/use-request-close.test.js +47 -0
  345. package/dist/web/hooks/use-request-close.test.js.map +1 -0
  346. package/dist/web/hooks/use-request-modal.d.ts +16 -1
  347. package/dist/web/hooks/use-request-modal.js +19 -4
  348. package/dist/web/hooks/use-request-modal.js.map +1 -1
  349. package/dist/web/hooks/use-request-modal.test.js +15 -1
  350. package/dist/web/hooks/use-request-modal.test.js.map +1 -1
  351. package/dist/web/hooks/use-request-size.d.ts +20 -0
  352. package/dist/web/hooks/use-request-size.js +24 -0
  353. package/dist/web/hooks/use-request-size.js.map +1 -0
  354. package/dist/web/hooks/use-request-size.test.d.ts +1 -0
  355. package/dist/web/hooks/use-request-size.test.js +47 -0
  356. package/dist/web/hooks/use-request-size.test.js.map +1 -0
  357. package/dist/web/hooks/use-send-follow-up-message.d.ts +19 -1
  358. package/dist/web/hooks/use-send-follow-up-message.js +19 -2
  359. package/dist/web/hooks/use-send-follow-up-message.js.map +1 -1
  360. package/dist/web/hooks/use-set-open-in-app-url.d.ts +17 -0
  361. package/dist/web/hooks/use-set-open-in-app-url.js +17 -0
  362. package/dist/web/hooks/use-set-open-in-app-url.js.map +1 -1
  363. package/dist/web/hooks/use-set-open-in-app-url.test.js +30 -16
  364. package/dist/web/hooks/use-set-open-in-app-url.test.js.map +1 -1
  365. package/dist/web/hooks/use-tool-info.d.ts +53 -2
  366. package/dist/web/hooks/use-tool-info.js +30 -7
  367. package/dist/web/hooks/use-tool-info.js.map +1 -1
  368. package/dist/web/hooks/use-tool-info.test-d.js +11 -29
  369. package/dist/web/hooks/use-tool-info.test-d.js.map +1 -1
  370. package/dist/web/hooks/use-tool-info.test.js +43 -33
  371. package/dist/web/hooks/use-tool-info.test.js.map +1 -1
  372. package/dist/web/hooks/use-user.d.ts +2 -0
  373. package/dist/web/hooks/use-user.js +20 -2
  374. package/dist/web/hooks/use-user.js.map +1 -1
  375. package/dist/web/hooks/use-user.test.js +101 -27
  376. package/dist/web/hooks/use-user.test.js.map +1 -1
  377. package/dist/web/hooks/use-view-state.d.ts +25 -0
  378. package/dist/web/hooks/use-view-state.js +32 -0
  379. package/dist/web/hooks/use-view-state.js.map +1 -0
  380. package/dist/web/hooks/use-view-state.test.d.ts +1 -0
  381. package/dist/web/hooks/use-view-state.test.js +181 -0
  382. package/dist/web/hooks/use-view-state.test.js.map +1 -0
  383. package/dist/web/index.d.ts +1 -2
  384. package/dist/web/index.js +1 -2
  385. package/dist/web/index.js.map +1 -1
  386. package/dist/web/mount-view.d.ts +20 -0
  387. package/dist/web/{mount-widget.js → mount-view.js} +21 -2
  388. package/dist/web/mount-view.js.map +1 -0
  389. package/dist/web/plugin/data-llm.test.js.map +1 -1
  390. package/dist/web/plugin/plugin.d.ts +32 -1
  391. package/dist/web/plugin/plugin.js +160 -18
  392. package/dist/web/plugin/plugin.js.map +1 -1
  393. package/dist/web/plugin/scan-views.d.ts +16 -0
  394. package/dist/web/plugin/scan-views.js +88 -0
  395. package/dist/web/plugin/scan-views.js.map +1 -0
  396. package/dist/web/plugin/scan-views.test.d.ts +1 -0
  397. package/dist/web/plugin/scan-views.test.js +99 -0
  398. package/dist/web/plugin/scan-views.test.js.map +1 -0
  399. package/dist/web/plugin/transform-data-llm.js +1 -1
  400. package/dist/web/plugin/transform-data-llm.js.map +1 -1
  401. package/dist/web/plugin/transform-data-llm.test.js.map +1 -1
  402. package/dist/web/plugin/validate-view.d.ts +1 -0
  403. package/dist/web/plugin/validate-view.js +9 -0
  404. package/dist/web/plugin/validate-view.js.map +1 -0
  405. package/dist/web/plugin/validate-view.test.d.ts +1 -0
  406. package/dist/web/plugin/validate-view.test.js +24 -0
  407. package/dist/web/plugin/validate-view.test.js.map +1 -0
  408. package/dist/web/proxy.js.map +1 -1
  409. package/dist/web/types.d.ts +4 -0
  410. package/dist/web/types.js.map +1 -1
  411. package/package.json +51 -30
  412. package/tsconfig.base.json +33 -0
  413. package/dist/server/templates/development.hbs +0 -67
  414. package/dist/server/templates/production.hbs +0 -6
  415. package/dist/server/widgetsDevServer.d.ts +0 -12
  416. package/dist/server/widgetsDevServer.js +0 -57
  417. package/dist/server/widgetsDevServer.js.map +0 -1
  418. package/dist/test/widget.test.js +0 -255
  419. package/dist/test/widget.test.js.map +0 -1
  420. package/dist/web/bridges/apps-sdk/adaptor.d.ts +0 -22
  421. package/dist/web/bridges/apps-sdk/adaptor.js +0 -64
  422. package/dist/web/bridges/apps-sdk/adaptor.js.map +0 -1
  423. package/dist/web/bridges/mcp-app/adaptor.d.ts +0 -36
  424. package/dist/web/bridges/mcp-app/adaptor.js +0 -185
  425. package/dist/web/bridges/mcp-app/adaptor.js.map +0 -1
  426. package/dist/web/hooks/use-widget-state.d.ts +0 -4
  427. package/dist/web/hooks/use-widget-state.js +0 -32
  428. package/dist/web/hooks/use-widget-state.js.map +0 -1
  429. package/dist/web/hooks/use-widget-state.test.js +0 -61
  430. package/dist/web/hooks/use-widget-state.test.js.map +0 -1
  431. package/dist/web/mount-widget.d.ts +0 -1
  432. package/dist/web/mount-widget.js.map +0 -1
  433. /package/dist/{test/widget.test.d.ts → cli/build-helpers.test.d.ts} +0 -0
  434. /package/dist/{web/hooks/use-widget-state.test.d.ts → cli/build-steps.test.d.ts} +0 -0
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security-schemes.test.js","sourceRoot":"","sources":["../../../src/server/auth/security-schemes.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAG9C,OAAO,EACL,qBAAqB,EACrB,4BAA4B,EAC5B,uBAAuB,EACvB,6BAA6B,EAC7B,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAE/B,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,4BAA4B,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClE,MAAM,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,CAAC,4BAA4B,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpE,MAAM,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YACtD,EAAE,IAAI,EAAE,QAAQ,EAAE;YAClB,EAAE,IAAI,EAAE,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAChE,MAAM,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YAC9D,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC,CAAC;QACH,MAAM,CACJ,qBAAqB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAC9D,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,MAAM,QAAQ,GAAG,CAAC,MAAgB,EAAY,EAAE,CAAC,CAAC;IAChD,KAAK,EAAE,GAAG;IACV,QAAQ,EAAE,GAAG;IACb,MAAM;CACP,CAAC,CAAC;AAEH,QAAQ,CAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,CAAC,6BAA6B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,CACJ,6BAA6B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CACxE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CAAC,6BAA6B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxE,MAAM,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,OAAO,GAAqB,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC3E,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CACJ,uBAAuB,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,SAAS,CAAC,EAAE,KAAK,CAChE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,GAAG,EAAE;QACrF,MAAM,OAAO,GAAqB;YAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC;QACF,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CACxE,oBAAoB,CACrB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,OAAO,GAAqB;YAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC;QACF,MAAM,CACJ,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,CACnE,CAAC,aAAa,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,CAAC,uBAAuB,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAC/D,eAAe,CAChB,CAAC;QACF,MAAM,CAAC,uBAAuB,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,OAAO,GAAqB;YAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC;QACF,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC;YAClE,UAAU;SACX,CAAC,CAAC;QACH,MAAM,CACJ,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,CAC/D,CAAC,OAAO,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,MAAM,GAAG,qBAAqB,CAAC;YACnC,KAAK,EAAE,oBAAoB;YAC3B,WAAW,EAAE,uCAAuC;YACpD,MAAM,EAAE,CAAC,UAAU,CAAC;SACrB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAG,qBAAqB,CAAC;YACnC,KAAK,EAAE,eAAe;YACtB,WAAW,EAAE,2BAA2B;YACxC,MAAM,EAAE,EAAE;SACX,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["import { describe, expect, it } from \"vitest\";\nimport type { AuthInfo } from \"../auth.js\";\nimport type { SecurityScheme } from \"../server.js\";\nimport {\n authToSecuritySchemes,\n clientPrefersInBandChallenge,\n evaluateSecuritySchemes,\n securitySchemesAllowAnonymous,\n wwwAuthenticateHeader,\n} from \"./security-schemes.js\";\n\ndescribe(\"clientPrefersInBandChallenge\", () => {\n it(\"detects ChatGPT / OpenAI user agents\", () => {\n expect(clientPrefersInBandChallenge(\"openai-mcp/1.0\")).toBe(true);\n expect(clientPrefersInBandChallenge(\"ChatGPT\")).toBe(true);\n expect(clientPrefersInBandChallenge(\"Claude-User/1.0\")).toBe(false);\n expect(clientPrefersInBandChallenge(undefined)).toBe(false);\n });\n});\n\ndescribe(\"authToSecuritySchemes\", () => {\n it(\"maps the auth shorthand\", () => {\n expect(authToSecuritySchemes({ public: true })).toEqual([\n { type: \"noauth\" },\n { type: \"oauth2\" },\n ]);\n expect(authToSecuritySchemes({})).toEqual([{ type: \"oauth2\" }]);\n expect(authToSecuritySchemes({ scopes: [\"checkout\"] })).toEqual([\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ]);\n expect(\n authToSecuritySchemes({ public: true, scopes: [\"checkout\"] }),\n ).toEqual([{ type: \"noauth\" }, { type: \"oauth2\", scopes: [\"checkout\"] }]);\n });\n});\n\nconst authInfo = (scopes: string[]): AuthInfo => ({\n token: \"t\",\n clientId: \"c\",\n scopes,\n});\n\ndescribe(\"securitySchemesAllowAnonymous\", () => {\n it(\"is true only when a noauth scheme is present\", () => {\n expect(securitySchemesAllowAnonymous([{ type: \"noauth\" }])).toBe(true);\n expect(\n securitySchemesAllowAnonymous([{ type: \"noauth\" }, { type: \"oauth2\" }]),\n ).toBe(true);\n expect(securitySchemesAllowAnonymous([{ type: \"oauth2\" }])).toBe(false);\n expect(securitySchemesAllowAnonymous(undefined)).toBe(false);\n });\n});\n\ndescribe(\"evaluateSecuritySchemes\", () => {\n it(\"lets anonymous callers through a noauth tool\", () => {\n const schemes: SecurityScheme[] = [{ type: \"noauth\" }, { type: \"oauth2\" }];\n expect(evaluateSecuritySchemes(schemes, undefined)).toBeUndefined();\n });\n\n it(\"fails an oauth2-only tool with no token (invalid_token / 401)\", () => {\n expect(\n evaluateSecuritySchemes([{ type: \"oauth2\" }], undefined)?.error,\n ).toBe(\"invalid_token\");\n });\n\n it(\"fails when the token is missing a required scope (insufficient_scope / 403)\", () => {\n const schemes: SecurityScheme[] = [\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ];\n expect(evaluateSecuritySchemes(schemes, authInfo([\"openid\"]))?.error).toBe(\n \"insufficient_scope\",\n );\n });\n\n it(\"passes when the token carries every required scope\", () => {\n const schemes: SecurityScheme[] = [\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ];\n expect(\n evaluateSecuritySchemes(schemes, authInfo([\"openid\", \"checkout\"])),\n ).toBeUndefined();\n });\n\n it(\"treats an undeclared tool as auth-required, satisfied by any valid token\", () => {\n expect(evaluateSecuritySchemes(undefined, undefined)?.error).toBe(\n \"invalid_token\",\n );\n expect(evaluateSecuritySchemes(undefined, authInfo([]))).toBeUndefined();\n });\n\n it(\"carries the tool's required scopes on the failure\", () => {\n const schemes: SecurityScheme[] = [\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ];\n expect(evaluateSecuritySchemes(schemes, undefined)?.scopes).toEqual([\n \"checkout\",\n ]);\n expect(\n evaluateSecuritySchemes(schemes, authInfo([\"openid\"]))?.scopes,\n ).toEqual([\"checkout\"]);\n });\n});\n\ndescribe(\"wwwAuthenticateHeader\", () => {\n it(\"names the required scopes so the client can step up\", () => {\n const header = wwwAuthenticateHeader({\n error: \"insufficient_scope\",\n description: \"Missing required scope for this tool.\",\n scopes: [\"checkout\"],\n });\n expect(header).toContain('error=\"insufficient_scope\"');\n expect(header).toContain('scope=\"checkout\"');\n });\n\n it(\"omits the scope parameter when there are none\", () => {\n const header = wwwAuthenticateHeader({\n error: \"invalid_token\",\n description: \"Sign in to use this tool.\",\n scopes: [],\n });\n expect(header).not.toContain(\"scope=\");\n });\n});\n"]}
@@ -0,0 +1,6 @@
1
+ import type { Express } from "express";
2
+ import type { SecurityScheme } from "../server.js";
3
+ import type { OAuthConfig } from "./index.js";
4
+ export type ResourceMetadataUrlResolver = (getHeader: (key: string) => string | undefined) => string;
5
+ /** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */
6
+ export declare function setupOAuth(app: Express, config: OAuthConfig, schemesByTool: Map<string, SecurityScheme[] | undefined>): ResourceMetadataUrlResolver;
@@ -0,0 +1,98 @@
1
+ import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from "@modelcontextprotocol/sdk/server/auth/router.js";
2
+ import cors from "cors";
3
+ import { optionalBearerAuth, requireBearerAuth } from "../auth.js";
4
+ import { resolveServerOrigin } from "../requestOrigin.js";
5
+ import { clientPrefersInBandChallenge, evaluateSecuritySchemes, httpStatusForFailure, securitySchemesAllowAnonymous, wwwAuthenticateHeader, } from "./security-schemes.js";
6
+ import { createJwksVerifier } from "./verify.js";
7
+ /** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */
8
+ export function setupOAuth(app, config, schemesByTool) {
9
+ if (!config.verify?.issuer) {
10
+ throw new Error("oauth.verify requires an `issuer`");
11
+ }
12
+ const acceptsAnonymous = () => [...schemesByTool.values()].some(securitySchemesAllowAnonymous);
13
+ const verifier = createJwksVerifier(config.verify);
14
+ const bearer = (options) => {
15
+ const required = requireBearerAuth(options);
16
+ const optional = optionalBearerAuth(options);
17
+ return (req, res, next) => (acceptsAnonymous() ? optional : required)(req, res, next);
18
+ };
19
+ let resourceMetadataUrl;
20
+ // baseUrl known at boot: bake the resource URLs once, no Host-header trust.
21
+ if (config.baseUrl !== undefined) {
22
+ let baseUrl;
23
+ try {
24
+ baseUrl = new URL(config.baseUrl);
25
+ }
26
+ catch {
27
+ throw new Error(`oauth.baseUrl must be a valid absolute URL, got: ${JSON.stringify(config.baseUrl)}`);
28
+ }
29
+ app.use(mcpAuthMetadataRouter({
30
+ oauthMetadata: config.oauthMetadata,
31
+ resourceServerUrl: baseUrl,
32
+ scopesSupported: config.scopesSupported,
33
+ }));
34
+ const url = getOAuthProtectedResourceMetadataUrl(baseUrl);
35
+ resourceMetadataUrl = () => url;
36
+ }
37
+ else {
38
+ // No baseUrl: resolve the resource origin per request from forwarded headers
39
+ // (same precedence the framework uses for view serverUrl). Origin headers are
40
+ // pathless, so the PRM path stays at root, matching the SDK's static layout.
41
+ const resolveOrigin = (getHeader) => new URL(resolveServerOrigin(getHeader));
42
+ app.use("/.well-known/oauth-authorization-server", cors(), (_req, res) => void res.json(config.oauthMetadata));
43
+ app.use("/.well-known/oauth-protected-resource", cors(), (req, res) => {
44
+ res.json({
45
+ resource: resolveOrigin((key) => req.get(key)).href,
46
+ authorization_servers: [config.oauthMetadata.issuer],
47
+ scopes_supported: config.scopesSupported,
48
+ });
49
+ });
50
+ resourceMetadataUrl = (getHeader) => getOAuthProtectedResourceMetadataUrl(resolveOrigin(getHeader));
51
+ }
52
+ app.use("/mcp", (req, res, next) => bearer({
53
+ verifier,
54
+ requiredScopes: config.requiredScopes,
55
+ resourceMetadataUrl: resourceMetadataUrl((key) => req.get(key)),
56
+ })(req, res, next));
57
+ app.use("/mcp", (req, res, next) => {
58
+ const body = req.body;
59
+ const calls = Array.isArray(body) ? body : [body];
60
+ const auth = req.auth;
61
+ let failure;
62
+ for (const call of calls) {
63
+ const tool = call?.params?.name;
64
+ if (call?.method === "tools/call" && tool && schemesByTool.has(tool)) {
65
+ failure = evaluateSecuritySchemes(schemesByTool.get(tool), auth);
66
+ if (failure) {
67
+ break;
68
+ }
69
+ }
70
+ }
71
+ if (!failure) {
72
+ return next();
73
+ }
74
+ const challenge = wwwAuthenticateHeader(failure, resourceMetadataUrl((key) => req.get(key)));
75
+ if (clientPrefersInBandChallenge(req.get("user-agent"))) {
76
+ if (Array.isArray(body)) {
77
+ return next();
78
+ }
79
+ res.json({
80
+ jsonrpc: "2.0",
81
+ id: body?.id ?? null,
82
+ result: {
83
+ content: [{ type: "text", text: failure.description }],
84
+ isError: true,
85
+ _meta: { "mcp/www_authenticate": [challenge] },
86
+ },
87
+ });
88
+ return;
89
+ }
90
+ res.set("WWW-Authenticate", challenge);
91
+ res.status(httpStatusForFailure(failure)).json({
92
+ error: failure.error,
93
+ error_description: failure.description,
94
+ });
95
+ });
96
+ return resourceMetadataUrl;
97
+ }
98
+ //# sourceMappingURL=setup.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"setup.js","sourceRoot":"","sources":["../../../src/server/auth/setup.ts"],"names":[],"mappings":"AACA,OAAO,EACL,oCAAoC,EACpC,qBAAqB,GACtB,MAAM,iDAAiD,CAAC;AACzD,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAG1D,OAAO,EACL,4BAA4B,EAC5B,uBAAuB,EACvB,oBAAoB,EAEpB,6BAA6B,EAC7B,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAMjD,sEAAsE;AACtE,MAAM,UAAU,UAAU,CACxB,GAAY,EACZ,MAAmB,EACnB,aAAwD;IAExD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,gBAAgB,GAAG,GAAG,EAAE,CAC5B,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,CAAC,OAAoC,EAAkB,EAAE;QACtE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CACxB,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC;IAEF,IAAI,mBAAgD,CAAC;IAErD,4EAA4E;IAC5E,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,OAAY,CAAC;QACjB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,CAAC,SAAS,CAChE,MAAM,CAAC,OAAO,CACf,EAAE,CACJ,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,GAAG,CACL,qBAAqB,CAAC;YACpB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,iBAAiB,EAAE,OAAO;YAC1B,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CACH,CAAC;QACF,MAAM,GAAG,GAAG,oCAAoC,CAAC,OAAO,CAAC,CAAC;QAC1D,mBAAmB,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,6EAA6E;QAC7E,8EAA8E;QAC9E,6EAA6E;QAC7E,MAAM,aAAa,GAAG,CAAC,SAA8C,EAAE,EAAE,CACvE,IAAI,GAAG,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CACL,yCAAyC,EACzC,IAAI,EAAE,EACN,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CACnD,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACpE,GAAG,CAAC,IAAI,CAAC;gBACP,QAAQ,EAAE,aAAa,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI;gBACnD,qBAAqB,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC;gBACpD,gBAAgB,EAAE,MAAM,CAAC,eAAe;aACzC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,mBAAmB,GAAG,CAAC,SAAS,EAAE,EAAE,CAClC,oCAAoC,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CACjC,MAAM,CAAC;QACL,QAAQ;QACR,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;KAChE,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CACnB,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAMjC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAiC,CAAC;QACnD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,IAAI,GAAI,GAAqC,CAAC,IAAI,CAAC;QACzD,IAAI,OAAkC,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC;YAChC,IAAI,IAAI,EAAE,MAAM,KAAK,YAAY,IAAI,IAAI,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrE,OAAO,GAAG,uBAAuB,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;gBACjE,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QACD,MAAM,SAAS,GAAG,qBAAqB,CACrC,OAAO,EACP,mBAAmB,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAC3C,CAAC;QACF,IAAI,4BAA4B,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACxD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,IAAI;gBACpB,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC;oBACtD,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,EAAE,sBAAsB,EAAE,CAAC,SAAS,CAAC,EAAE;iBAC/C;aACF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;YAC7C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,iBAAiB,EAAE,OAAO,CAAC,WAAW;SACvC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,mBAAmB,CAAC;AAC7B,CAAC","sourcesContent":["import type { BearerAuthMiddlewareOptions } from \"@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js\";\nimport {\n getOAuthProtectedResourceMetadataUrl,\n mcpAuthMetadataRouter,\n} from \"@modelcontextprotocol/sdk/server/auth/router.js\";\nimport cors from \"cors\";\nimport type { Express, Request, RequestHandler } from \"express\";\nimport type { AuthInfo } from \"../auth.js\";\nimport { optionalBearerAuth, requireBearerAuth } from \"../auth.js\";\nimport { resolveServerOrigin } from \"../requestOrigin.js\";\nimport type { SecurityScheme } from \"../server.js\";\nimport type { OAuthConfig } from \"./index.js\";\nimport {\n clientPrefersInBandChallenge,\n evaluateSecuritySchemes,\n httpStatusForFailure,\n type SchemeFailure,\n securitySchemesAllowAnonymous,\n wwwAuthenticateHeader,\n} from \"./security-schemes.js\";\nimport { createJwksVerifier } from \"./verify.js\";\n\nexport type ResourceMetadataUrlResolver = (\n getHeader: (key: string) => string | undefined,\n) => string;\n\n/** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */\nexport function setupOAuth(\n app: Express,\n config: OAuthConfig,\n schemesByTool: Map<string, SecurityScheme[] | undefined>,\n): ResourceMetadataUrlResolver {\n if (!config.verify?.issuer) {\n throw new Error(\"oauth.verify requires an `issuer`\");\n }\n\n const acceptsAnonymous = () =>\n [...schemesByTool.values()].some(securitySchemesAllowAnonymous);\n const verifier = createJwksVerifier(config.verify);\n const bearer = (options: BearerAuthMiddlewareOptions): RequestHandler => {\n const required = requireBearerAuth(options);\n const optional = optionalBearerAuth(options);\n return (req, res, next) =>\n (acceptsAnonymous() ? optional : required)(req, res, next);\n };\n\n let resourceMetadataUrl: ResourceMetadataUrlResolver;\n\n // baseUrl known at boot: bake the resource URLs once, no Host-header trust.\n if (config.baseUrl !== undefined) {\n let baseUrl: URL;\n try {\n baseUrl = new URL(config.baseUrl);\n } catch {\n throw new Error(\n `oauth.baseUrl must be a valid absolute URL, got: ${JSON.stringify(\n config.baseUrl,\n )}`,\n );\n }\n app.use(\n mcpAuthMetadataRouter({\n oauthMetadata: config.oauthMetadata,\n resourceServerUrl: baseUrl,\n scopesSupported: config.scopesSupported,\n }),\n );\n const url = getOAuthProtectedResourceMetadataUrl(baseUrl);\n resourceMetadataUrl = () => url;\n } else {\n // No baseUrl: resolve the resource origin per request from forwarded headers\n // (same precedence the framework uses for view serverUrl). Origin headers are\n // pathless, so the PRM path stays at root, matching the SDK's static layout.\n const resolveOrigin = (getHeader: (key: string) => string | undefined) =>\n new URL(resolveServerOrigin(getHeader));\n app.use(\n \"/.well-known/oauth-authorization-server\",\n cors(),\n (_req, res) => void res.json(config.oauthMetadata),\n );\n app.use(\"/.well-known/oauth-protected-resource\", cors(), (req, res) => {\n res.json({\n resource: resolveOrigin((key) => req.get(key)).href,\n authorization_servers: [config.oauthMetadata.issuer],\n scopes_supported: config.scopesSupported,\n });\n });\n resourceMetadataUrl = (getHeader) =>\n getOAuthProtectedResourceMetadataUrl(resolveOrigin(getHeader));\n }\n\n app.use(\"/mcp\", (req, res, next) =>\n bearer({\n verifier,\n requiredScopes: config.requiredScopes,\n resourceMetadataUrl: resourceMetadataUrl((key) => req.get(key)),\n })(req, res, next),\n );\n\n app.use(\"/mcp\", (req, res, next) => {\n type Call = {\n id?: string | number | null;\n method?: string;\n params?: { name?: string };\n };\n const body = req.body as Call | Call[] | undefined;\n const calls = Array.isArray(body) ? body : [body];\n const auth = (req as Request & { auth?: AuthInfo }).auth;\n let failure: SchemeFailure | undefined;\n for (const call of calls) {\n const tool = call?.params?.name;\n if (call?.method === \"tools/call\" && tool && schemesByTool.has(tool)) {\n failure = evaluateSecuritySchemes(schemesByTool.get(tool), auth);\n if (failure) {\n break;\n }\n }\n }\n if (!failure) {\n return next();\n }\n const challenge = wwwAuthenticateHeader(\n failure,\n resourceMetadataUrl((key) => req.get(key)),\n );\n if (clientPrefersInBandChallenge(req.get(\"user-agent\"))) {\n if (Array.isArray(body)) {\n return next();\n }\n res.json({\n jsonrpc: \"2.0\",\n id: body?.id ?? null,\n result: {\n content: [{ type: \"text\", text: failure.description }],\n isError: true,\n _meta: { \"mcp/www_authenticate\": [challenge] },\n },\n });\n return;\n }\n res.set(\"WWW-Authenticate\", challenge);\n res.status(httpStatusForFailure(failure)).json({\n error: failure.error,\n error_description: failure.description,\n });\n });\n\n return resourceMetadataUrl;\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,450 @@
1
+ // @vitest-environment node
2
+ import http from "node:http";
3
+ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
4
+ import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
5
+ import * as jose from "jose";
6
+ import { afterEach, describe, expect, it, vi } from "vitest";
7
+ import { McpServer } from "../server.js";
8
+ vi.mock("@skybridge/devtools", () => ({
9
+ devtoolsStaticServer: () => ((_req, _res, next) => next()),
10
+ }));
11
+ vi.mock("../viewsDevServer.js", () => ({
12
+ viewsDevServer: (_httpServer) => ((_req, _res, next) => next()),
13
+ }));
14
+ const ISSUER = "https://issuer.test";
15
+ const AUDIENCE = "api://default";
16
+ let jwksServer;
17
+ let appServer;
18
+ afterEach(() => {
19
+ jwksServer?.close();
20
+ appServer?.close();
21
+ });
22
+ async function startJwks() {
23
+ const { publicKey, privateKey } = await jose.generateKeyPair("RS256");
24
+ const jwk = {
25
+ ...(await jose.exportJWK(publicKey)),
26
+ kid: "test-key",
27
+ alg: "RS256",
28
+ use: "sig",
29
+ };
30
+ const server = http.createServer((_req, res) => {
31
+ res.setHeader("content-type", "application/json");
32
+ res.end(JSON.stringify({ keys: [jwk] }));
33
+ });
34
+ await new Promise((resolve) => server.listen(0, resolve));
35
+ jwksServer = server;
36
+ const port = server.address().port;
37
+ return { privateKey, jwksUri: `http://localhost:${port}/jwks` };
38
+ }
39
+ function signToken(key, scope = "openid email") {
40
+ return new jose.SignJWT({
41
+ client_id: "client-1",
42
+ scope,
43
+ sub: "user-1",
44
+ })
45
+ .setProtectedHeader({ alg: "RS256", kid: "test-key" })
46
+ .setIssuer(ISSUER)
47
+ .setAudience(AUDIENCE)
48
+ .setExpirationTime("1h")
49
+ .sign(key);
50
+ }
51
+ async function bootServer(jwksUri, { baseUrl = "https://app.example.test" } = {}) {
52
+ const { createApp } = await import("../express.js");
53
+ const server = new McpServer({ name: "auth-test", version: "0.0.0" }, { capabilities: {} }, {
54
+ oauth: {
55
+ ...(baseUrl === null ? {} : { baseUrl }),
56
+ oauthMetadata: {
57
+ issuer: ISSUER,
58
+ authorization_endpoint: `${ISSUER}/authorize`,
59
+ token_endpoint: `${ISSUER}/token`,
60
+ response_types_supported: ["code"],
61
+ },
62
+ verify: { issuer: ISSUER, audience: AUDIENCE, jwksUri },
63
+ scopesSupported: ["openid", "email"],
64
+ requiredScopes: ["openid"],
65
+ },
66
+ }).registerTool({
67
+ name: "whoami",
68
+ description: "Returns the caller identity.",
69
+ inputSchema: {},
70
+ }, (_args, extra) => ({
71
+ structuredContent: { clientId: extra.authInfo?.clientId ?? null },
72
+ content: [{ type: "text", text: extra.authInfo?.clientId ?? "anon" }],
73
+ }));
74
+ const httpServer = http.createServer();
75
+ await createApp({ mcpServer: server, httpServer });
76
+ const listening = http.createServer(server.express);
77
+ await new Promise((resolve) => listening.listen(0, resolve));
78
+ appServer = listening;
79
+ const port = listening.address().port;
80
+ return `http://localhost:${port}`;
81
+ }
82
+ describe("setupOAuth wiring", () => {
83
+ it("serves protected-resource metadata", async () => {
84
+ const { jwksUri } = await startJwks();
85
+ const base = await bootServer(jwksUri);
86
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`);
87
+ expect(res.status).toBe(200);
88
+ const body = (await res.json());
89
+ expect(body.resource).toBe("https://app.example.test/");
90
+ expect(body.authorization_servers).toContain(ISSUER);
91
+ expect(body.scopes_supported).toEqual(["openid", "email"]);
92
+ });
93
+ it("rejects /mcp without a token (401 + WWW-Authenticate)", async () => {
94
+ const { jwksUri } = await startJwks();
95
+ const base = await bootServer(jwksUri);
96
+ const res = await fetch(`${base}/mcp`, {
97
+ method: "POST",
98
+ headers: { "Content-Type": "application/json" },
99
+ body: JSON.stringify({ jsonrpc: "2.0", method: "initialize", id: 1 }),
100
+ });
101
+ expect(res.status).toBe(401);
102
+ expect(res.headers.get("www-authenticate")).toMatch(/resource_metadata=/);
103
+ });
104
+ it("threads authInfo into the tool handler for a valid token", async () => {
105
+ const { privateKey, jwksUri } = await startJwks();
106
+ const base = await bootServer(jwksUri);
107
+ const token = await signToken(privateKey);
108
+ const client = new Client({ name: "test-client", version: "0.0.0" });
109
+ const transport = new StreamableHTTPClientTransport(new URL(`${base}/mcp`), { requestInit: { headers: { Authorization: `Bearer ${token}` } } });
110
+ await client.connect(transport);
111
+ const result = (await client.callTool({
112
+ name: "whoami",
113
+ arguments: {},
114
+ }));
115
+ expect(result.content[0]?.text).toBe("client-1");
116
+ await client.close();
117
+ });
118
+ });
119
+ describe("baseUrl inferred from headers", () => {
120
+ it("derives the resource origin from x-forwarded-host", async () => {
121
+ const { jwksUri } = await startJwks();
122
+ const base = await bootServer(jwksUri, { baseUrl: null });
123
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {
124
+ headers: { "x-forwarded-host": "infer.example.test" },
125
+ });
126
+ expect(res.status).toBe(200);
127
+ const body = (await res.json());
128
+ expect(body.resource).toBe("https://infer.example.test/");
129
+ });
130
+ it("uses the first hop of a forwarded-host chain", async () => {
131
+ const { jwksUri } = await startJwks();
132
+ const base = await bootServer(jwksUri, { baseUrl: null });
133
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {
134
+ headers: {
135
+ "x-forwarded-host": "public.example, internal.local",
136
+ "x-forwarded-proto": "https, http",
137
+ },
138
+ });
139
+ expect(res.status).toBe(200);
140
+ const body = (await res.json());
141
+ expect(body.resource).toBe("https://public.example/");
142
+ });
143
+ it("ignores the client Origin header, using Host instead", async () => {
144
+ const { jwksUri } = await startJwks();
145
+ const base = await bootServer(jwksUri, { baseUrl: null });
146
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {
147
+ headers: { origin: "https://chatgpt.com" },
148
+ });
149
+ expect(res.status).toBe(200);
150
+ const body = (await res.json());
151
+ expect(body.resource).toMatch(/^http:\/\/(localhost|127\.0\.0\.1):/);
152
+ });
153
+ it("points the 401 WWW-Authenticate at the inferred host", async () => {
154
+ const { jwksUri } = await startJwks();
155
+ const base = await bootServer(jwksUri, { baseUrl: null });
156
+ const res = await fetch(`${base}/mcp`, {
157
+ method: "POST",
158
+ headers: {
159
+ "Content-Type": "application/json",
160
+ "x-forwarded-host": "infer.example.test",
161
+ },
162
+ body: JSON.stringify({ jsonrpc: "2.0", method: "initialize", id: 1 }),
163
+ });
164
+ expect(res.status).toBe(401);
165
+ expect(res.headers.get("www-authenticate")).toMatch(/resource_metadata="https:\/\/infer\.example\.test\//);
166
+ });
167
+ });
168
+ async function bootMixedServer(jwksUri) {
169
+ const { createApp } = await import("../express.js");
170
+ const server = new McpServer({ name: "mixed-auth-test", version: "0.0.0" }, { capabilities: {} }, {
171
+ oauth: {
172
+ baseUrl: "https://app.example.test",
173
+ oauthMetadata: {
174
+ issuer: ISSUER,
175
+ authorization_endpoint: `${ISSUER}/authorize`,
176
+ token_endpoint: `${ISSUER}/token`,
177
+ response_types_supported: ["code"],
178
+ },
179
+ verify: { issuer: ISSUER, audience: AUDIENCE, jwksUri },
180
+ },
181
+ })
182
+ .registerTool({
183
+ name: "public-whoami",
184
+ description: "Public.",
185
+ inputSchema: {},
186
+ auth: { public: true },
187
+ }, (_args, extra) => ({
188
+ content: [{ type: "text", text: extra.authInfo?.clientId ?? "anon" }],
189
+ }))
190
+ .registerTool({
191
+ name: "private-whoami",
192
+ description: "Private.",
193
+ inputSchema: {},
194
+ auth: {},
195
+ }, (_args, extra) => ({
196
+ content: [{ type: "text", text: extra.authInfo?.clientId ?? "anon" }],
197
+ }));
198
+ server.registerTool("legacy-whoami", {
199
+ description: "Registered via the legacy string overload.",
200
+ inputSchema: {},
201
+ }, (_args, extra) => ({
202
+ content: [{ type: "text", text: extra.authInfo?.clientId ?? "anon" }],
203
+ }));
204
+ const httpServer = http.createServer();
205
+ await createApp({ mcpServer: server, httpServer });
206
+ const listening = http.createServer(server.express);
207
+ await new Promise((resolve) => listening.listen(0, resolve));
208
+ appServer = listening;
209
+ const port = listening.address().port;
210
+ return `http://localhost:${port}`;
211
+ }
212
+ describe("mixed-auth door", () => {
213
+ it("lets an anonymous caller initialize and run a noauth tool", async () => {
214
+ const { jwksUri } = await startJwks();
215
+ const base = await bootMixedServer(jwksUri);
216
+ const client = new Client({ name: "test-client", version: "0.0.0" });
217
+ await client.connect(new StreamableHTTPClientTransport(new URL(`${base}/mcp`)));
218
+ const result = (await client.callTool({
219
+ name: "public-whoami",
220
+ arguments: {},
221
+ }));
222
+ expect(result.content[0]?.text).toBe("anon");
223
+ await client.close();
224
+ });
225
+ it("exposes securitySchemes at the top level of tools/list (not only _meta)", async () => {
226
+ const { jwksUri } = await startJwks();
227
+ const base = await bootMixedServer(jwksUri);
228
+ const headers = {
229
+ "Content-Type": "application/json",
230
+ Accept: "application/json, text/event-stream",
231
+ };
232
+ await fetch(`${base}/mcp`, {
233
+ method: "POST",
234
+ headers,
235
+ body: JSON.stringify({
236
+ jsonrpc: "2.0",
237
+ id: 1,
238
+ method: "initialize",
239
+ params: {
240
+ protocolVersion: "2025-06-18",
241
+ capabilities: {},
242
+ clientInfo: { name: "c", version: "0" },
243
+ },
244
+ }),
245
+ });
246
+ const res = await fetch(`${base}/mcp`, {
247
+ method: "POST",
248
+ headers,
249
+ body: JSON.stringify({ jsonrpc: "2.0", id: 2, method: "tools/list" }),
250
+ });
251
+ const text = await res.text();
252
+ const json = JSON.parse((text.match(/\{[\s\S]*\}/) ?? ["{}"])[0]);
253
+ const whoami = json.result.tools.find((t) => t.name === "private-whoami");
254
+ expect(whoami?.securitySchemes).toEqual([{ type: "oauth2" }]);
255
+ });
256
+ it("denies a protected tool inside an anonymous JSON-RPC batch", async () => {
257
+ const { jwksUri } = await startJwks();
258
+ const base = await bootMixedServer(jwksUri);
259
+ const res = await fetch(`${base}/mcp`, {
260
+ method: "POST",
261
+ headers: {
262
+ "Content-Type": "application/json",
263
+ Accept: "application/json, text/event-stream",
264
+ },
265
+ body: JSON.stringify([
266
+ {
267
+ jsonrpc: "2.0",
268
+ id: 1,
269
+ method: "tools/call",
270
+ params: { name: "private-whoami", arguments: {} },
271
+ },
272
+ ]),
273
+ });
274
+ expect(res.status).toBe(401);
275
+ const wwwAuthenticate = res.headers.get("www-authenticate") ?? "";
276
+ expect(wwwAuthenticate).toMatch(/^Bearer /);
277
+ expect(wwwAuthenticate).toContain("resource_metadata=");
278
+ const text = await res.text();
279
+ expect(text).not.toContain("client-1");
280
+ });
281
+ it("gates a tool registered via the legacy string overload (secure default)", async () => {
282
+ const { jwksUri } = await startJwks();
283
+ const base = await bootMixedServer(jwksUri);
284
+ const res = await fetch(`${base}/mcp`, {
285
+ method: "POST",
286
+ headers: {
287
+ "Content-Type": "application/json",
288
+ Accept: "application/json, text/event-stream",
289
+ },
290
+ body: JSON.stringify({
291
+ jsonrpc: "2.0",
292
+ id: 1,
293
+ method: "tools/call",
294
+ params: { name: "legacy-whoami", arguments: {} },
295
+ }),
296
+ });
297
+ expect(res.status).toBe(401);
298
+ });
299
+ it("returns 401 + WWW-Authenticate for a protected tool while anonymous", async () => {
300
+ const { jwksUri } = await startJwks();
301
+ const base = await bootMixedServer(jwksUri);
302
+ const res = await fetch(`${base}/mcp`, {
303
+ method: "POST",
304
+ headers: {
305
+ "Content-Type": "application/json",
306
+ Accept: "application/json, text/event-stream",
307
+ },
308
+ body: JSON.stringify({
309
+ jsonrpc: "2.0",
310
+ id: 1,
311
+ method: "tools/call",
312
+ params: { name: "private-whoami", arguments: {} },
313
+ }),
314
+ });
315
+ expect(res.status).toBe(401);
316
+ expect(res.headers.get("www-authenticate")).toMatch(/error="invalid_token"/);
317
+ expect(res.headers.get("www-authenticate")).toMatch(/resource_metadata=/);
318
+ });
319
+ it("returns an in-band mcp/www_authenticate array to ChatGPT (not a transport 401)", async () => {
320
+ const { jwksUri } = await startJwks();
321
+ const base = await bootMixedServer(jwksUri);
322
+ const res = await fetch(`${base}/mcp`, {
323
+ method: "POST",
324
+ headers: {
325
+ "Content-Type": "application/json",
326
+ Accept: "application/json, text/event-stream",
327
+ "User-Agent": "openai-mcp/1.0",
328
+ },
329
+ body: JSON.stringify({
330
+ jsonrpc: "2.0",
331
+ id: 7,
332
+ method: "tools/call",
333
+ params: { name: "private-whoami", arguments: {} },
334
+ }),
335
+ });
336
+ expect(res.status).toBe(200);
337
+ expect(res.headers.get("www-authenticate")).toBeNull();
338
+ const body = (await res.json());
339
+ expect(body.id).toBe(7);
340
+ expect(body.result.isError).toBe(true);
341
+ const challenge = body.result._meta["mcp/www_authenticate"];
342
+ expect(Array.isArray(challenge)).toBe(true);
343
+ expect(challenge[0]).toMatch(/error="invalid_token"/);
344
+ expect(challenge[0]).toMatch(/resource_metadata=/);
345
+ });
346
+ });
347
+ async function bootScopedServer(jwksUri) {
348
+ const { createApp } = await import("../express.js");
349
+ const server = new McpServer({ name: "scoped-auth-test", version: "0.0.0" }, { capabilities: {} }, {
350
+ oauth: {
351
+ baseUrl: "https://app.example.test",
352
+ oauthMetadata: {
353
+ issuer: ISSUER,
354
+ authorization_endpoint: `${ISSUER}/authorize`,
355
+ token_endpoint: `${ISSUER}/token`,
356
+ response_types_supported: ["code"],
357
+ },
358
+ verify: { issuer: ISSUER, audience: AUDIENCE, jwksUri },
359
+ },
360
+ }).registerTool({
361
+ name: "checkout",
362
+ description: "Needs the checkout scope.",
363
+ inputSchema: {},
364
+ auth: { scopes: ["checkout"] },
365
+ }, () => ({ content: [{ type: "text", text: "ok" }] }));
366
+ const httpServer = http.createServer();
367
+ await createApp({ mcpServer: server, httpServer });
368
+ const listening = http.createServer(server.express);
369
+ await new Promise((resolve) => listening.listen(0, resolve));
370
+ appServer = listening;
371
+ const port = listening.address().port;
372
+ return `http://localhost:${port}`;
373
+ }
374
+ describe("per-tool scope enforcement in fully-authenticated mode", () => {
375
+ it("returns 403 for a valid token missing the tool's scope", async () => {
376
+ const { privateKey, jwksUri } = await startJwks();
377
+ const base = await bootScopedServer(jwksUri);
378
+ const token = await signToken(privateKey, "openid");
379
+ const res = await fetch(`${base}/mcp`, {
380
+ method: "POST",
381
+ headers: {
382
+ "Content-Type": "application/json",
383
+ Accept: "application/json, text/event-stream",
384
+ Authorization: `Bearer ${token}`,
385
+ },
386
+ body: JSON.stringify({
387
+ jsonrpc: "2.0",
388
+ id: 1,
389
+ method: "tools/call",
390
+ params: { name: "checkout", arguments: {} },
391
+ }),
392
+ });
393
+ expect(res.status).toBe(403);
394
+ const header = res.headers.get("www-authenticate");
395
+ expect(header).toMatch(/error="insufficient_scope"/);
396
+ expect(header).toMatch(/scope="checkout"/);
397
+ });
398
+ it("allows a token carrying the tool's scope", async () => {
399
+ const { privateKey, jwksUri } = await startJwks();
400
+ const base = await bootScopedServer(jwksUri);
401
+ const token = await signToken(privateKey, "openid checkout");
402
+ const client = new Client({ name: "test-client", version: "0.0.0" });
403
+ await client.connect(new StreamableHTTPClientTransport(new URL(`${base}/mcp`), {
404
+ requestInit: { headers: { Authorization: `Bearer ${token}` } },
405
+ }));
406
+ const result = (await client.callTool({
407
+ name: "checkout",
408
+ arguments: {},
409
+ }));
410
+ expect(result.content[0]?.text).toBe("ok");
411
+ await client.close();
412
+ });
413
+ });
414
+ describe("auth shorthand validation", () => {
415
+ it("throws when `auth` requires sign-in but no oauth provider is configured", () => {
416
+ expect(() => new McpServer({ name: "t", version: "0" }).registerTool({ name: "x", inputSchema: {}, auth: {} }, () => ({ content: [{ type: "text", text: "" }] }))).toThrow(/no `oauth` provider/);
417
+ });
418
+ it("throws when `auth` sets scopes but no oauth provider is configured", () => {
419
+ expect(() => new McpServer({ name: "t", version: "0" }).registerTool({ name: "x", inputSchema: {}, auth: { scopes: ["checkout"] } }, () => ({ content: [{ type: "text", text: "" }] }))).toThrow(/no `oauth` provider/);
420
+ });
421
+ it("allows `auth: { public: true }` without an oauth provider", () => {
422
+ expect(() => new McpServer({ name: "t", version: "0" }).registerTool({ name: "x", inputSchema: {}, auth: { public: true } }, () => ({ content: [{ type: "text", text: "" }] }))).not.toThrow();
423
+ });
424
+ it("prefers `securitySchemes` over `auth` when both are set (untyped path)", () => {
425
+ expect(() => new McpServer({ name: "t", version: "0" }).registerTool({
426
+ name: "x",
427
+ inputSchema: {},
428
+ auth: {},
429
+ securitySchemes: [{ type: "oauth2" }],
430
+ }, () => ({ content: [{ type: "text", text: "" }] }))).not.toThrow();
431
+ });
432
+ });
433
+ describe("oauth config validation", () => {
434
+ const validMetadata = {
435
+ issuer: ISSUER,
436
+ authorization_endpoint: `${ISSUER}/authorize`,
437
+ token_endpoint: `${ISSUER}/token`,
438
+ response_types_supported: ["code"],
439
+ };
440
+ it("throws on a non-absolute baseUrl", () => {
441
+ expect(() => new McpServer({ name: "t", version: "0" }, undefined, {
442
+ oauth: {
443
+ baseUrl: "not-a-url",
444
+ oauthMetadata: validMetadata,
445
+ verify: { issuer: ISSUER, audience: AUDIENCE },
446
+ },
447
+ })).toThrow(/baseUrl must be a valid absolute URL/);
448
+ });
449
+ });
450
+ //# sourceMappingURL=setup.test.js.map