skybridge 0.0.0-dev.fff2bae → 0.0.0-next.1ec1c19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (277) hide show
  1. package/README.md +132 -124
  2. package/dist/cli/build-helpers.d.ts +7 -0
  3. package/dist/cli/build-helpers.js +82 -0
  4. package/dist/cli/build-helpers.js.map +1 -0
  5. package/dist/cli/build-helpers.test.d.ts +1 -0
  6. package/dist/cli/build-helpers.test.js +64 -0
  7. package/dist/cli/build-helpers.test.js.map +1 -0
  8. package/dist/cli/detect-port.d.ts +2 -2
  9. package/dist/cli/detect-port.js +9 -20
  10. package/dist/cli/detect-port.js.map +1 -1
  11. package/dist/cli/resolve-views-dir.d.ts +1 -0
  12. package/dist/cli/resolve-views-dir.js +17 -0
  13. package/dist/cli/resolve-views-dir.js.map +1 -0
  14. package/dist/cli/use-typescript-check.js +1 -1
  15. package/dist/cli/use-typescript-check.js.map +1 -1
  16. package/dist/commands/build.d.ts +0 -1
  17. package/dist/commands/build.js +18 -30
  18. package/dist/commands/build.js.map +1 -1
  19. package/dist/commands/create.d.ts +9 -0
  20. package/dist/commands/create.js +30 -0
  21. package/dist/commands/create.js.map +1 -0
  22. package/dist/commands/dev.js +16 -0
  23. package/dist/commands/dev.js.map +1 -1
  24. package/dist/commands/start.js +7 -1
  25. package/dist/commands/start.js.map +1 -1
  26. package/dist/server/asset-base-url-transform-plugin.d.ts +1 -0
  27. package/dist/server/asset-base-url-transform-plugin.js +16 -1
  28. package/dist/server/asset-base-url-transform-plugin.js.map +1 -1
  29. package/dist/server/asset-base-url-transform-plugin.test.js +51 -1
  30. package/dist/server/asset-base-url-transform-plugin.test.js.map +1 -1
  31. package/dist/server/auth/discovery.d.ts +32 -0
  32. package/dist/server/auth/discovery.js +56 -0
  33. package/dist/server/auth/discovery.js.map +1 -0
  34. package/dist/server/auth/discovery.test.d.ts +1 -0
  35. package/dist/server/auth/discovery.test.js +93 -0
  36. package/dist/server/auth/discovery.test.js.map +1 -0
  37. package/dist/server/auth/index.d.ts +18 -0
  38. package/dist/server/auth/index.js +2 -0
  39. package/dist/server/auth/index.js.map +1 -0
  40. package/dist/server/auth/providers/auth0.d.ts +18 -0
  41. package/dist/server/auth/providers/auth0.js +31 -0
  42. package/dist/server/auth/providers/auth0.js.map +1 -0
  43. package/dist/server/auth/providers/auth0.test.d.ts +1 -0
  44. package/dist/server/auth/providers/auth0.test.js +48 -0
  45. package/dist/server/auth/providers/auth0.test.js.map +1 -0
  46. package/dist/server/auth/providers/clerk.d.ts +14 -0
  47. package/dist/server/auth/providers/clerk.js +16 -0
  48. package/dist/server/auth/providers/clerk.js.map +1 -0
  49. package/dist/server/auth/providers/clerk.test.d.ts +1 -0
  50. package/dist/server/auth/providers/clerk.test.js +28 -0
  51. package/dist/server/auth/providers/clerk.test.js.map +1 -0
  52. package/dist/server/auth/providers/custom.d.ts +24 -0
  53. package/dist/server/auth/providers/custom.js +37 -0
  54. package/dist/server/auth/providers/custom.js.map +1 -0
  55. package/dist/server/auth/providers/custom.test.d.ts +1 -0
  56. package/dist/server/auth/providers/custom.test.js +107 -0
  57. package/dist/server/auth/providers/custom.test.js.map +1 -0
  58. package/dist/server/auth/providers/descope.d.ts +15 -0
  59. package/dist/server/auth/providers/descope.js +33 -0
  60. package/dist/server/auth/providers/descope.js.map +1 -0
  61. package/dist/server/auth/providers/descope.test.d.ts +1 -0
  62. package/dist/server/auth/providers/descope.test.js +37 -0
  63. package/dist/server/auth/providers/descope.test.js.map +1 -0
  64. package/dist/server/auth/providers/shared.d.ts +2 -0
  65. package/dist/server/auth/providers/shared.js +6 -0
  66. package/dist/server/auth/providers/shared.js.map +1 -0
  67. package/dist/server/auth/providers/shared.test.d.ts +1 -0
  68. package/dist/server/auth/providers/shared.test.js +10 -0
  69. package/dist/server/auth/providers/shared.test.js.map +1 -0
  70. package/dist/server/auth/providers/stytch.d.ts +12 -0
  71. package/dist/server/auth/providers/stytch.js +13 -0
  72. package/dist/server/auth/providers/stytch.js.map +1 -0
  73. package/dist/server/auth/providers/workos.d.ts +11 -0
  74. package/dist/server/auth/providers/workos.js +12 -0
  75. package/dist/server/auth/providers/workos.js.map +1 -0
  76. package/dist/server/auth/setup.d.ts +4 -0
  77. package/dist/server/auth/setup.js +51 -0
  78. package/dist/server/auth/setup.js.map +1 -0
  79. package/dist/server/auth/setup.test.d.ts +1 -0
  80. package/dist/server/auth/setup.test.js +185 -0
  81. package/dist/server/auth/setup.test.js.map +1 -0
  82. package/dist/server/auth/verify.d.ts +12 -0
  83. package/dist/server/auth/verify.js +38 -0
  84. package/dist/server/auth/verify.js.map +1 -0
  85. package/dist/server/auth/verify.test.d.ts +1 -0
  86. package/dist/server/auth/verify.test.js +100 -0
  87. package/dist/server/auth/verify.test.js.map +1 -0
  88. package/dist/server/auth.d.ts +20 -0
  89. package/dist/server/auth.js +28 -0
  90. package/dist/server/auth.js.map +1 -0
  91. package/dist/server/build-manifest.test.d.ts +1 -0
  92. package/dist/server/build-manifest.test.js +27 -0
  93. package/dist/server/build-manifest.test.js.map +1 -0
  94. package/dist/server/content-helpers.d.ts +40 -0
  95. package/dist/server/content-helpers.js +33 -0
  96. package/dist/server/content-helpers.js.map +1 -1
  97. package/dist/server/express.test.js +61 -0
  98. package/dist/server/express.test.js.map +1 -1
  99. package/dist/server/file-ref.d.ts +28 -0
  100. package/dist/server/file-ref.js +27 -0
  101. package/dist/server/file-ref.js.map +1 -0
  102. package/dist/server/index.d.ts +11 -2
  103. package/dist/server/index.js +9 -1
  104. package/dist/server/index.js.map +1 -1
  105. package/dist/server/middleware.d.ts +16 -3
  106. package/dist/server/middleware.js.map +1 -1
  107. package/dist/server/requestOrigin.d.ts +7 -0
  108. package/dist/server/requestOrigin.js +25 -0
  109. package/dist/server/requestOrigin.js.map +1 -0
  110. package/dist/server/server.d.ts +221 -6
  111. package/dist/server/server.js +301 -159
  112. package/dist/server/server.js.map +1 -1
  113. package/dist/server/view-resource-resolution.test.d.ts +6 -0
  114. package/dist/server/view-resource-resolution.test.js +103 -0
  115. package/dist/server/view-resource-resolution.test.js.map +1 -0
  116. package/dist/test/view.test.js +109 -96
  117. package/dist/test/view.test.js.map +1 -1
  118. package/dist/web/bridges/adaptor.d.ts +51 -0
  119. package/dist/web/bridges/adaptor.js +310 -0
  120. package/dist/web/bridges/adaptor.js.map +1 -0
  121. package/dist/web/bridges/adaptor.test.d.ts +1 -0
  122. package/dist/web/bridges/adaptor.test.js +197 -0
  123. package/dist/web/bridges/adaptor.test.js.map +1 -0
  124. package/dist/web/bridges/apps-sdk/bridge.d.ts +6 -1
  125. package/dist/web/bridges/apps-sdk/bridge.js +15 -3
  126. package/dist/web/bridges/apps-sdk/bridge.js.map +1 -1
  127. package/dist/web/bridges/apps-sdk/index.d.ts +0 -1
  128. package/dist/web/bridges/apps-sdk/index.js +0 -1
  129. package/dist/web/bridges/apps-sdk/index.js.map +1 -1
  130. package/dist/web/bridges/apps-sdk/types.d.ts +2 -0
  131. package/dist/web/bridges/apps-sdk/types.js.map +1 -1
  132. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.d.ts +11 -0
  133. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js +11 -0
  134. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js.map +1 -1
  135. package/dist/web/bridges/get-adaptor.d.ts +7 -0
  136. package/dist/web/bridges/get-adaptor.js +9 -7
  137. package/dist/web/bridges/get-adaptor.js.map +1 -1
  138. package/dist/web/bridges/get-adaptor.test.d.ts +1 -0
  139. package/dist/web/bridges/get-adaptor.test.js +32 -0
  140. package/dist/web/bridges/get-adaptor.test.js.map +1 -0
  141. package/dist/web/bridges/mcp-app/bridge.d.ts +15 -2
  142. package/dist/web/bridges/mcp-app/bridge.js +68 -4
  143. package/dist/web/bridges/mcp-app/bridge.js.map +1 -1
  144. package/dist/web/bridges/mcp-app/bridge.test.d.ts +1 -0
  145. package/dist/web/bridges/mcp-app/bridge.test.js +17 -0
  146. package/dist/web/bridges/mcp-app/bridge.test.js.map +1 -0
  147. package/dist/web/bridges/mcp-app/index.d.ts +0 -1
  148. package/dist/web/bridges/mcp-app/index.js +0 -1
  149. package/dist/web/bridges/mcp-app/index.js.map +1 -1
  150. package/dist/web/bridges/mcp-app/use-mcp-app-context.d.ts +12 -0
  151. package/dist/web/bridges/mcp-app/use-mcp-app-context.js +12 -0
  152. package/dist/web/bridges/mcp-app/use-mcp-app-context.js.map +1 -1
  153. package/dist/web/bridges/mcp-app/view-tools.test.d.ts +1 -0
  154. package/dist/web/bridges/mcp-app/view-tools.test.js +143 -0
  155. package/dist/web/bridges/mcp-app/view-tools.test.js.map +1 -0
  156. package/dist/web/bridges/types.d.ts +104 -1
  157. package/dist/web/bridges/types.js +14 -1
  158. package/dist/web/bridges/types.js.map +1 -1
  159. package/dist/web/bridges/types.test.d.ts +1 -0
  160. package/dist/web/bridges/types.test.js +19 -0
  161. package/dist/web/bridges/types.test.js.map +1 -0
  162. package/dist/web/bridges/use-host-context.d.ts +5 -0
  163. package/dist/web/bridges/use-host-context.js +5 -0
  164. package/dist/web/bridges/use-host-context.js.map +1 -1
  165. package/dist/web/components/modal-provider.js +4 -3
  166. package/dist/web/components/modal-provider.js.map +1 -1
  167. package/dist/web/create-store.d.ts +26 -0
  168. package/dist/web/create-store.js +26 -0
  169. package/dist/web/create-store.js.map +1 -1
  170. package/dist/web/create-store.test.js +8 -5
  171. package/dist/web/create-store.test.js.map +1 -1
  172. package/dist/web/data-llm.d.ts +33 -0
  173. package/dist/web/data-llm.js +28 -0
  174. package/dist/web/data-llm.js.map +1 -1
  175. package/dist/web/data-llm.test.js +9 -5
  176. package/dist/web/data-llm.test.js.map +1 -1
  177. package/dist/web/generate-helpers.d.ts +2 -0
  178. package/dist/web/generate-helpers.js +2 -0
  179. package/dist/web/generate-helpers.js.map +1 -1
  180. package/dist/web/generate-helpers.test-d.js +4 -2
  181. package/dist/web/generate-helpers.test-d.js.map +1 -1
  182. package/dist/web/hooks/index.d.ts +4 -0
  183. package/dist/web/hooks/index.js +4 -0
  184. package/dist/web/hooks/index.js.map +1 -1
  185. package/dist/web/hooks/test/utils.d.ts +6 -2
  186. package/dist/web/hooks/test/utils.js +13 -2
  187. package/dist/web/hooks/test/utils.js.map +1 -1
  188. package/dist/web/hooks/use-call-tool.d.ts +45 -0
  189. package/dist/web/hooks/use-call-tool.js +28 -0
  190. package/dist/web/hooks/use-call-tool.js.map +1 -1
  191. package/dist/web/hooks/use-call-tool.test.js +62 -23
  192. package/dist/web/hooks/use-call-tool.test.js.map +1 -1
  193. package/dist/web/hooks/use-display-mode.d.ts +20 -0
  194. package/dist/web/hooks/use-display-mode.js +20 -0
  195. package/dist/web/hooks/use-display-mode.js.map +1 -1
  196. package/dist/web/hooks/use-display-mode.test.js +56 -20
  197. package/dist/web/hooks/use-display-mode.test.js.map +1 -1
  198. package/dist/web/hooks/use-download.d.ts +5 -0
  199. package/dist/web/hooks/use-download.js +8 -0
  200. package/dist/web/hooks/use-download.js.map +1 -0
  201. package/dist/web/hooks/use-download.test.d.ts +1 -0
  202. package/dist/web/hooks/use-download.test.js +103 -0
  203. package/dist/web/hooks/use-download.test.js.map +1 -0
  204. package/dist/web/hooks/use-files.d.ts +32 -0
  205. package/dist/web/hooks/use-files.js +32 -0
  206. package/dist/web/hooks/use-files.js.map +1 -1
  207. package/dist/web/hooks/use-files.test.js +10 -2
  208. package/dist/web/hooks/use-files.test.js.map +1 -1
  209. package/dist/web/hooks/use-layout.d.ts +2 -0
  210. package/dist/web/hooks/use-layout.js +2 -0
  211. package/dist/web/hooks/use-layout.js.map +1 -1
  212. package/dist/web/hooks/use-layout.test.js +59 -26
  213. package/dist/web/hooks/use-layout.test.js.map +1 -1
  214. package/dist/web/hooks/use-open-external.d.ts +17 -0
  215. package/dist/web/hooks/use-open-external.js +16 -0
  216. package/dist/web/hooks/use-open-external.js.map +1 -1
  217. package/dist/web/hooks/use-open-external.test.js +13 -3
  218. package/dist/web/hooks/use-open-external.test.js.map +1 -1
  219. package/dist/web/hooks/use-register-view-tool.d.ts +38 -0
  220. package/dist/web/hooks/use-register-view-tool.js +50 -0
  221. package/dist/web/hooks/use-register-view-tool.js.map +1 -0
  222. package/dist/web/hooks/use-request-close.d.ts +16 -0
  223. package/dist/web/hooks/use-request-close.js +21 -0
  224. package/dist/web/hooks/use-request-close.js.map +1 -0
  225. package/dist/web/hooks/use-request-close.test.d.ts +1 -0
  226. package/dist/web/hooks/use-request-close.test.js +47 -0
  227. package/dist/web/hooks/use-request-close.test.js.map +1 -0
  228. package/dist/web/hooks/use-request-modal.d.ts +16 -1
  229. package/dist/web/hooks/use-request-modal.js +16 -1
  230. package/dist/web/hooks/use-request-modal.js.map +1 -1
  231. package/dist/web/hooks/use-request-modal.test.js +10 -0
  232. package/dist/web/hooks/use-request-modal.test.js.map +1 -1
  233. package/dist/web/hooks/use-request-size.d.ts +20 -0
  234. package/dist/web/hooks/use-request-size.js +24 -0
  235. package/dist/web/hooks/use-request-size.js.map +1 -0
  236. package/dist/web/hooks/use-request-size.test.d.ts +1 -0
  237. package/dist/web/hooks/use-request-size.test.js +47 -0
  238. package/dist/web/hooks/use-request-size.test.js.map +1 -0
  239. package/dist/web/hooks/use-send-follow-up-message.d.ts +17 -0
  240. package/dist/web/hooks/use-send-follow-up-message.js +17 -0
  241. package/dist/web/hooks/use-send-follow-up-message.js.map +1 -1
  242. package/dist/web/hooks/use-set-open-in-app-url.d.ts +17 -0
  243. package/dist/web/hooks/use-set-open-in-app-url.js +17 -0
  244. package/dist/web/hooks/use-set-open-in-app-url.js.map +1 -1
  245. package/dist/web/hooks/use-set-open-in-app-url.test.js +28 -8
  246. package/dist/web/hooks/use-set-open-in-app-url.test.js.map +1 -1
  247. package/dist/web/hooks/use-tool-info.d.ts +53 -2
  248. package/dist/web/hooks/use-tool-info.js +30 -7
  249. package/dist/web/hooks/use-tool-info.js.map +1 -1
  250. package/dist/web/hooks/use-tool-info.test-d.js +11 -29
  251. package/dist/web/hooks/use-tool-info.test-d.js.map +1 -1
  252. package/dist/web/hooks/use-tool-info.test.js +42 -32
  253. package/dist/web/hooks/use-tool-info.test.js.map +1 -1
  254. package/dist/web/hooks/use-user.d.ts +2 -0
  255. package/dist/web/hooks/use-user.js +2 -0
  256. package/dist/web/hooks/use-user.js.map +1 -1
  257. package/dist/web/hooks/use-user.test.js +81 -35
  258. package/dist/web/hooks/use-user.test.js.map +1 -1
  259. package/dist/web/hooks/use-view-state.d.ts +21 -0
  260. package/dist/web/hooks/use-view-state.js.map +1 -1
  261. package/dist/web/hooks/use-view-state.test.js +6 -2
  262. package/dist/web/hooks/use-view-state.test.js.map +1 -1
  263. package/dist/web/mount-view.d.ts +19 -0
  264. package/dist/web/mount-view.js +19 -0
  265. package/dist/web/mount-view.js.map +1 -1
  266. package/dist/web/plugin/plugin.d.ts +28 -0
  267. package/dist/web/plugin/plugin.js +33 -0
  268. package/dist/web/plugin/plugin.js.map +1 -1
  269. package/dist/web/types.d.ts +4 -0
  270. package/dist/web/types.js.map +1 -1
  271. package/package.json +10 -3
  272. package/dist/web/bridges/apps-sdk/adaptor.d.ts +0 -24
  273. package/dist/web/bridges/apps-sdk/adaptor.js +0 -96
  274. package/dist/web/bridges/apps-sdk/adaptor.js.map +0 -1
  275. package/dist/web/bridges/mcp-app/adaptor.d.ts +0 -48
  276. package/dist/web/bridges/mcp-app/adaptor.js +0 -263
  277. package/dist/web/bridges/mcp-app/adaptor.js.map +0 -1
@@ -0,0 +1,15 @@
1
+ import type { OAuthConfig } from "../index.js";
2
+ import { type CustomProviderOptions } from "./custom.js";
3
+ /**
4
+ * OAuth provider for a Descope MCP Server. `url` is the MCP Server's **Discovery
5
+ * URL** (a.k.a. Issuer) from the console's Connection Information, e.g.
6
+ * `https://api.descope.com/v1/apps/agentic/<projectId>/<mcpServerId>` (or your
7
+ * custom domain). Requires DCR enabled on the MCP Server. For Descope with DCR
8
+ * disabled and Alpic's DCR proxy, use {@link customProvider} with `serverUrl`
9
+ * instead (see `examples/auth-descope-alpic`). The token `audience` defaults to
10
+ * the **Project ID** derived from the URL — Descope binds `aud` to [DCR client
11
+ * id, project id], not the server URL; pass `audience` to override.
12
+ */
13
+ export declare function descopeProvider(opts: {
14
+ url: string;
15
+ } & Omit<CustomProviderOptions, "issuer">): Promise<OAuthConfig>;
@@ -0,0 +1,33 @@
1
+ import { customProvider } from "./custom.js";
2
+ /**
3
+ * Derives the Descope Project ID from an MCP Server URL
4
+ * (`…/agentic/<projectId>/<mcpServerId>`). Descope binds the token `aud` to the
5
+ * project id, so it doubles as the audience.
6
+ */
7
+ function projectIdFromUrl(url) {
8
+ const projectId = url.match(/\/agentic\/([^/]+)\/[^/]+/)?.[1];
9
+ if (!projectId) {
10
+ throw new Error(`Could not derive the Descope project id from "${url}"; pass an explicit \`audience\`.`);
11
+ }
12
+ return projectId;
13
+ }
14
+ /**
15
+ * OAuth provider for a Descope MCP Server. `url` is the MCP Server's **Discovery
16
+ * URL** (a.k.a. Issuer) from the console's Connection Information, e.g.
17
+ * `https://api.descope.com/v1/apps/agentic/<projectId>/<mcpServerId>` (or your
18
+ * custom domain). Requires DCR enabled on the MCP Server. For Descope with DCR
19
+ * disabled and Alpic's DCR proxy, use {@link customProvider} with `serverUrl`
20
+ * instead (see `examples/auth-descope-alpic`). The token `audience` defaults to
21
+ * the **Project ID** derived from the URL — Descope binds `aud` to [DCR client
22
+ * id, project id], not the server URL; pass `audience` to override.
23
+ */
24
+ export function descopeProvider(opts) {
25
+ const { url, audience, ...rest } = opts;
26
+ const issuer = url.replace(/\/\.well-known\/[^?#]*$/, "").replace(/\/$/, "");
27
+ return customProvider({
28
+ issuer,
29
+ audience: audience ?? projectIdFromUrl(issuer),
30
+ ...rest,
31
+ });
32
+ }
33
+ //# sourceMappingURL=descope.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"descope.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/descope.ts"],"names":[],"mappings":"AACA,OAAO,EAA8B,cAAc,EAAE,MAAM,aAAa,CAAC;AAEzE;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,iDAAiD,GAAG,mCAAmC,CACxF,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAC7B,IAA6D;IAE7D,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACxC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7E,OAAO,cAAc,CAAC;QACpB,MAAM;QACN,QAAQ,EAAE,QAAQ,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAC9C,GAAG,IAAI;KACR,CAAC,CAAC;AACL,CAAC","sourcesContent":["import type { OAuthConfig } from \"../index.js\";\nimport { type CustomProviderOptions, customProvider } from \"./custom.js\";\n\n/**\n * Derives the Descope Project ID from an MCP Server URL\n * (`…/agentic/<projectId>/<mcpServerId>`). Descope binds the token `aud` to the\n * project id, so it doubles as the audience.\n */\nfunction projectIdFromUrl(url: string): string {\n const projectId = url.match(/\\/agentic\\/([^/]+)\\/[^/]+/)?.[1];\n if (!projectId) {\n throw new Error(\n `Could not derive the Descope project id from \"${url}\"; pass an explicit \\`audience\\`.`,\n );\n }\n return projectId;\n}\n\n/**\n * OAuth provider for a Descope MCP Server. `url` is the MCP Server's **Discovery\n * URL** (a.k.a. Issuer) from the console's Connection Information, e.g.\n * `https://api.descope.com/v1/apps/agentic/<projectId>/<mcpServerId>` (or your\n * custom domain). Requires DCR enabled on the MCP Server. For Descope with DCR\n * disabled and Alpic's DCR proxy, use {@link customProvider} with `serverUrl`\n * instead (see `examples/auth-descope-alpic`). The token `audience` defaults to\n * the **Project ID** derived from the URL — Descope binds `aud` to [DCR client\n * id, project id], not the server URL; pass `audience` to override.\n */\nexport function descopeProvider(\n opts: { url: string } & Omit<CustomProviderOptions, \"issuer\">,\n): Promise<OAuthConfig> {\n const { url, audience, ...rest } = opts;\n const issuer = url.replace(/\\/\\.well-known\\/[^?#]*$/, \"\").replace(/\\/$/, \"\");\n return customProvider({\n issuer,\n audience: audience ?? projectIdFromUrl(issuer),\n ...rest,\n });\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,37 @@
1
+ // @vitest-environment node
2
+ import { afterEach, describe, expect, it, vi } from "vitest";
3
+ import { descopeProvider } from "./descope.js";
4
+ afterEach(() => vi.restoreAllMocks());
5
+ function discoveryDoc(issuer) {
6
+ return {
7
+ issuer,
8
+ authorization_endpoint: `${issuer}/authorize`,
9
+ token_endpoint: `${issuer}/token`,
10
+ registration_endpoint: `${issuer}/register`,
11
+ response_types_supported: ["code"],
12
+ scopes_supported: ["openid"],
13
+ jwks_uri: `${issuer}/.well-known/jwks.json`,
14
+ };
15
+ }
16
+ function mockDiscovery(issuer) {
17
+ return vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify(discoveryDoc(issuer)), {
18
+ headers: { "content-type": "application/json" },
19
+ }));
20
+ }
21
+ describe("descopeProvider", () => {
22
+ it("derives issuer and audience (project id) from the MCP Server URL", async () => {
23
+ const issuer = "https://api.descope.com/v1/apps/agentic/P123/MS456";
24
+ const fetchSpy = mockDiscovery(issuer);
25
+ const config = await descopeProvider({ url: issuer });
26
+ expect(fetchSpy).toHaveBeenCalledWith(`${issuer}/.well-known/openid-configuration`, expect.anything());
27
+ expect(config.verify.issuer).toBe(issuer);
28
+ expect(config.verify.audience).toBe("P123");
29
+ });
30
+ it("lets an explicit audience override the derived project id", async () => {
31
+ const issuer = "https://api.descope.com/v1/apps/agentic/P123/MS456";
32
+ mockDiscovery(issuer);
33
+ const config = await descopeProvider({ url: issuer, audience: "custom" });
34
+ expect(config.verify.audience).toBe("custom");
35
+ });
36
+ });
37
+ //# sourceMappingURL=descope.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"descope.test.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/descope.test.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;AAEtC,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO;QACL,MAAM;QACN,sBAAsB,EAAE,GAAG,MAAM,YAAY;QAC7C,cAAc,EAAE,GAAG,MAAM,QAAQ;QACjC,qBAAqB,EAAE,GAAG,MAAM,WAAW;QAC3C,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,gBAAgB,EAAE,CAAC,QAAQ,CAAC;QAC5B,QAAQ,EAAE,GAAG,MAAM,wBAAwB;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,iBAAiB,CACpD,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE;QACjD,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CACH,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,MAAM,GAAG,oDAAoD,CAAC;QACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CACnC,GAAG,MAAM,mCAAmC,EAC5C,MAAM,CAAC,QAAQ,EAAE,CAClB,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,MAAM,GAAG,oDAAoD,CAAC;QACpE,aAAa,CAAC,MAAM,CAAC,CAAC;QAEtB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAE1E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["// @vitest-environment node\nimport { afterEach, describe, expect, it, vi } from \"vitest\";\nimport { descopeProvider } from \"./descope.js\";\n\nafterEach(() => vi.restoreAllMocks());\n\nfunction discoveryDoc(issuer: string) {\n return {\n issuer,\n authorization_endpoint: `${issuer}/authorize`,\n token_endpoint: `${issuer}/token`,\n registration_endpoint: `${issuer}/register`,\n response_types_supported: [\"code\"],\n scopes_supported: [\"openid\"],\n jwks_uri: `${issuer}/.well-known/jwks.json`,\n };\n}\n\nfunction mockDiscovery(issuer: string) {\n return vi.spyOn(globalThis, \"fetch\").mockResolvedValue(\n new Response(JSON.stringify(discoveryDoc(issuer)), {\n headers: { \"content-type\": \"application/json\" },\n }),\n );\n}\n\ndescribe(\"descopeProvider\", () => {\n it(\"derives issuer and audience (project id) from the MCP Server URL\", async () => {\n const issuer = \"https://api.descope.com/v1/apps/agentic/P123/MS456\";\n const fetchSpy = mockDiscovery(issuer);\n\n const config = await descopeProvider({ url: issuer });\n\n expect(fetchSpy).toHaveBeenCalledWith(\n `${issuer}/.well-known/openid-configuration`,\n expect.anything(),\n );\n expect(config.verify.issuer).toBe(issuer);\n expect(config.verify.audience).toBe(\"P123\");\n });\n\n it(\"lets an explicit audience override the derived project id\", async () => {\n const issuer = \"https://api.descope.com/v1/apps/agentic/P123/MS456\";\n mockDiscovery(issuer);\n\n const config = await descopeProvider({ url: issuer, audience: \"custom\" });\n\n expect(config.verify.audience).toBe(\"custom\");\n });\n});\n"]}
@@ -0,0 +1,2 @@
1
+ /** Normalises a bare host to an https issuer URL and strips a trailing slash. */
2
+ export declare function toIssuerUrl(domain: string): string;
@@ -0,0 +1,6 @@
1
+ /** Normalises a bare host to an https issuer URL and strips a trailing slash. */
2
+ export function toIssuerUrl(domain) {
3
+ const withScheme = /^https?:\/\//.test(domain) ? domain : `https://${domain}`;
4
+ return withScheme.replace(/\/$/, "");
5
+ }
6
+ //# sourceMappingURL=shared.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"shared.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/shared.ts"],"names":[],"mappings":"AAAA,iFAAiF;AACjF,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAC;IAC9E,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACvC,CAAC","sourcesContent":["/** Normalises a bare host to an https issuer URL and strips a trailing slash. */\nexport function toIssuerUrl(domain: string): string {\n const withScheme = /^https?:\\/\\//.test(domain) ? domain : `https://${domain}`;\n return withScheme.replace(/\\/$/, \"\");\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,10 @@
1
+ import { describe, expect, it } from "vitest";
2
+ import { toIssuerUrl } from "./shared.js";
3
+ describe("toIssuerUrl", () => {
4
+ it("adds https to a bare host, preserves an explicit scheme, strips a trailing slash", () => {
5
+ expect(toIssuerUrl("acme.authkit.app")).toBe("https://acme.authkit.app");
6
+ expect(toIssuerUrl("https://acme.authkit.app/")).toBe("https://acme.authkit.app");
7
+ expect(toIssuerUrl("http://localhost:3000")).toBe("http://localhost:3000");
8
+ });
9
+ });
10
+ //# sourceMappingURL=shared.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"shared.test.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/shared.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,kFAAkF,EAAE,GAAG,EAAE;QAC1F,MAAM,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzE,MAAM,CAAC,WAAW,CAAC,2BAA2B,CAAC,CAAC,CAAC,IAAI,CACnD,0BAA0B,CAC3B,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["import { describe, expect, it } from \"vitest\";\nimport { toIssuerUrl } from \"./shared.js\";\n\ndescribe(\"toIssuerUrl\", () => {\n it(\"adds https to a bare host, preserves an explicit scheme, strips a trailing slash\", () => {\n expect(toIssuerUrl(\"acme.authkit.app\")).toBe(\"https://acme.authkit.app\");\n expect(toIssuerUrl(\"https://acme.authkit.app/\")).toBe(\n \"https://acme.authkit.app\",\n );\n expect(toIssuerUrl(\"http://localhost:3000\")).toBe(\"http://localhost:3000\");\n });\n});\n"]}
@@ -0,0 +1,12 @@
1
+ import type { OAuthConfig } from "../index.js";
2
+ import { type CustomProviderOptions } from "./custom.js";
3
+ /**
4
+ * OAuth provider for Stytch Connected Apps. `domain` is the project domain,
5
+ * e.g. `acme.customers.stytch.dev`, or a configured custom domain. Requires
6
+ * DCR enabled in the Stytch dashboard. `audience` is the Stytch Project ID
7
+ * (the default token audience).
8
+ */
9
+ export declare function stytchProvider(opts: {
10
+ domain: string;
11
+ audience: string;
12
+ } & Omit<CustomProviderOptions, "issuer" | "audience">): Promise<OAuthConfig>;
@@ -0,0 +1,13 @@
1
+ import { customProvider } from "./custom.js";
2
+ import { toIssuerUrl } from "./shared.js";
3
+ /**
4
+ * OAuth provider for Stytch Connected Apps. `domain` is the project domain,
5
+ * e.g. `acme.customers.stytch.dev`, or a configured custom domain. Requires
6
+ * DCR enabled in the Stytch dashboard. `audience` is the Stytch Project ID
7
+ * (the default token audience).
8
+ */
9
+ export function stytchProvider(opts) {
10
+ const { domain, ...rest } = opts;
11
+ return customProvider({ issuer: toIssuerUrl(domain), ...rest });
12
+ }
13
+ //# sourceMappingURL=stytch.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"stytch.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/stytch.ts"],"names":[],"mappings":"AACA,OAAO,EAA8B,cAAc,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,IAGC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACjC,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;AAClE,CAAC","sourcesContent":["import type { OAuthConfig } from \"../index.js\";\nimport { type CustomProviderOptions, customProvider } from \"./custom.js\";\nimport { toIssuerUrl } from \"./shared.js\";\n\n/**\n * OAuth provider for Stytch Connected Apps. `domain` is the project domain,\n * e.g. `acme.customers.stytch.dev`, or a configured custom domain. Requires\n * DCR enabled in the Stytch dashboard. `audience` is the Stytch Project ID\n * (the default token audience).\n */\nexport function stytchProvider(\n opts: { domain: string; audience: string } & Omit<\n CustomProviderOptions,\n \"issuer\" | \"audience\"\n >,\n): Promise<OAuthConfig> {\n const { domain, ...rest } = opts;\n return customProvider({ issuer: toIssuerUrl(domain), ...rest });\n}\n"]}
@@ -0,0 +1,11 @@
1
+ import type { OAuthConfig } from "../index.js";
2
+ import { type CustomProviderOptions } from "./custom.js";
3
+ /**
4
+ * OAuth provider for WorkOS AuthKit. `domain` is the AuthKit domain, e.g.
5
+ * `acme.authkit.app`. Requires DCR enabled in the WorkOS dashboard
6
+ * (Connect → Configuration). `audience` is the MCP server's Resource Indicator.
7
+ */
8
+ export declare function workosProvider(opts: {
9
+ domain: string;
10
+ audience: string;
11
+ } & Omit<CustomProviderOptions, "issuer" | "audience">): Promise<OAuthConfig>;
@@ -0,0 +1,12 @@
1
+ import { customProvider } from "./custom.js";
2
+ import { toIssuerUrl } from "./shared.js";
3
+ /**
4
+ * OAuth provider for WorkOS AuthKit. `domain` is the AuthKit domain, e.g.
5
+ * `acme.authkit.app`. Requires DCR enabled in the WorkOS dashboard
6
+ * (Connect → Configuration). `audience` is the MCP server's Resource Indicator.
7
+ */
8
+ export function workosProvider(opts) {
9
+ const { domain, ...rest } = opts;
10
+ return customProvider({ issuer: toIssuerUrl(domain), ...rest });
11
+ }
12
+ //# sourceMappingURL=workos.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workos.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/workos.ts"],"names":[],"mappings":"AACA,OAAO,EAA8B,cAAc,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAC5B,IAGC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACjC,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;AAClE,CAAC","sourcesContent":["import type { OAuthConfig } from \"../index.js\";\nimport { type CustomProviderOptions, customProvider } from \"./custom.js\";\nimport { toIssuerUrl } from \"./shared.js\";\n\n/**\n * OAuth provider for WorkOS AuthKit. `domain` is the AuthKit domain, e.g.\n * `acme.authkit.app`. Requires DCR enabled in the WorkOS dashboard\n * (Connect → Configuration). `audience` is the MCP server's Resource Indicator.\n */\nexport function workosProvider(\n opts: { domain: string; audience: string } & Omit<\n CustomProviderOptions,\n \"issuer\" | \"audience\"\n >,\n): Promise<OAuthConfig> {\n const { domain, ...rest } = opts;\n return customProvider({ issuer: toIssuerUrl(domain), ...rest });\n}\n"]}
@@ -0,0 +1,4 @@
1
+ import type { Express } from "express";
2
+ import type { OAuthConfig } from "./index.js";
3
+ /** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */
4
+ export declare function setupOAuth(app: Express, config: OAuthConfig): void;
@@ -0,0 +1,51 @@
1
+ import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from "@modelcontextprotocol/sdk/server/auth/router.js";
2
+ import cors from "cors";
3
+ import { requireBearerAuth } from "../auth.js";
4
+ import { resolveServerOrigin } from "../requestOrigin.js";
5
+ import { createJwksVerifier } from "./verify.js";
6
+ /** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */
7
+ export function setupOAuth(app, config) {
8
+ if (!config.verify?.issuer) {
9
+ throw new Error("oauth.verify requires an `issuer`");
10
+ }
11
+ const verifier = createJwksVerifier(config.verify);
12
+ // baseUrl known at boot: bake the resource URLs once, no Host-header trust.
13
+ if (config.baseUrl !== undefined) {
14
+ let baseUrl;
15
+ try {
16
+ baseUrl = new URL(config.baseUrl);
17
+ }
18
+ catch {
19
+ throw new Error(`oauth.baseUrl must be a valid absolute URL, got: ${JSON.stringify(config.baseUrl)}`);
20
+ }
21
+ app.use(mcpAuthMetadataRouter({
22
+ oauthMetadata: config.oauthMetadata,
23
+ resourceServerUrl: baseUrl,
24
+ scopesSupported: config.scopesSupported,
25
+ }));
26
+ app.use("/mcp", requireBearerAuth({
27
+ verifier,
28
+ requiredScopes: config.requiredScopes,
29
+ resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(baseUrl),
30
+ }));
31
+ return;
32
+ }
33
+ // No baseUrl: resolve the resource origin per request from forwarded headers
34
+ // (same precedence the framework uses for view serverUrl). Origin headers are
35
+ // pathless, so the PRM path stays at root, matching the SDK's static layout.
36
+ const resolveOrigin = (req) => new URL(resolveServerOrigin((key) => req.get(key)));
37
+ app.use("/.well-known/oauth-authorization-server", cors(), (_req, res) => void res.json(config.oauthMetadata));
38
+ app.use("/.well-known/oauth-protected-resource", cors(), (req, res) => {
39
+ res.json({
40
+ resource: resolveOrigin(req).href,
41
+ authorization_servers: [config.oauthMetadata.issuer],
42
+ scopes_supported: config.scopesSupported,
43
+ });
44
+ });
45
+ app.use("/mcp", (req, res, next) => requireBearerAuth({
46
+ verifier,
47
+ requiredScopes: config.requiredScopes,
48
+ resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(resolveOrigin(req)),
49
+ })(req, res, next));
50
+ }
51
+ //# sourceMappingURL=setup.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"setup.js","sourceRoot":"","sources":["../../../src/server/auth/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oCAAoC,EACpC,qBAAqB,GACtB,MAAM,iDAAiD,CAAC;AACzD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,sEAAsE;AACtE,MAAM,UAAU,UAAU,CAAC,GAAY,EAAE,MAAmB;IAC1D,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAEnD,4EAA4E;IAC5E,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,OAAY,CAAC;QACjB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,CAAC,SAAS,CAChE,MAAM,CAAC,OAAO,CACf,EAAE,CACJ,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,GAAG,CACL,qBAAqB,CAAC;YACpB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,iBAAiB,EAAE,OAAO;YAC1B,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CACH,CAAC;QACF,GAAG,CAAC,GAAG,CACL,MAAM,EACN,iBAAiB,CAAC;YAChB,QAAQ;YACR,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,mBAAmB,EAAE,oCAAoC,CAAC,OAAO,CAAC;SACnE,CAAC,CACH,CAAC;QACF,OAAO;IACT,CAAC;IAED,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,MAAM,aAAa,GAAG,CAAC,GAAY,EAAE,EAAE,CACrC,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAEtD,GAAG,CAAC,GAAG,CACL,yCAAyC,EACzC,IAAI,EAAE,EACN,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CACnD,CAAC;IACF,GAAG,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACpE,GAAG,CAAC,IAAI,CAAC;YACP,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI;YACjC,qBAAqB,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC;YACpD,gBAAgB,EAAE,MAAM,CAAC,eAAe;SACzC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CACjC,iBAAiB,CAAC;QAChB,QAAQ;QACR,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,mBAAmB,EAAE,oCAAoC,CACvD,aAAa,CAAC,GAAG,CAAC,CACnB;KACF,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CACnB,CAAC;AACJ,CAAC","sourcesContent":["import {\n getOAuthProtectedResourceMetadataUrl,\n mcpAuthMetadataRouter,\n} from \"@modelcontextprotocol/sdk/server/auth/router.js\";\nimport cors from \"cors\";\nimport type { Express, Request } from \"express\";\nimport { requireBearerAuth } from \"../auth.js\";\nimport { resolveServerOrigin } from \"../requestOrigin.js\";\nimport type { OAuthConfig } from \"./index.js\";\nimport { createJwksVerifier } from \"./verify.js\";\n\n/** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */\nexport function setupOAuth(app: Express, config: OAuthConfig): void {\n if (!config.verify?.issuer) {\n throw new Error(\"oauth.verify requires an `issuer`\");\n }\n\n const verifier = createJwksVerifier(config.verify);\n\n // baseUrl known at boot: bake the resource URLs once, no Host-header trust.\n if (config.baseUrl !== undefined) {\n let baseUrl: URL;\n try {\n baseUrl = new URL(config.baseUrl);\n } catch {\n throw new Error(\n `oauth.baseUrl must be a valid absolute URL, got: ${JSON.stringify(\n config.baseUrl,\n )}`,\n );\n }\n app.use(\n mcpAuthMetadataRouter({\n oauthMetadata: config.oauthMetadata,\n resourceServerUrl: baseUrl,\n scopesSupported: config.scopesSupported,\n }),\n );\n app.use(\n \"/mcp\",\n requireBearerAuth({\n verifier,\n requiredScopes: config.requiredScopes,\n resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(baseUrl),\n }),\n );\n return;\n }\n\n // No baseUrl: resolve the resource origin per request from forwarded headers\n // (same precedence the framework uses for view serverUrl). Origin headers are\n // pathless, so the PRM path stays at root, matching the SDK's static layout.\n const resolveOrigin = (req: Request) =>\n new URL(resolveServerOrigin((key) => req.get(key)));\n\n app.use(\n \"/.well-known/oauth-authorization-server\",\n cors(),\n (_req, res) => void res.json(config.oauthMetadata),\n );\n app.use(\"/.well-known/oauth-protected-resource\", cors(), (req, res) => {\n res.json({\n resource: resolveOrigin(req).href,\n authorization_servers: [config.oauthMetadata.issuer],\n scopes_supported: config.scopesSupported,\n });\n });\n app.use(\"/mcp\", (req, res, next) =>\n requireBearerAuth({\n verifier,\n requiredScopes: config.requiredScopes,\n resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(\n resolveOrigin(req),\n ),\n })(req, res, next),\n );\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,185 @@
1
+ // @vitest-environment node
2
+ import http from "node:http";
3
+ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
4
+ import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
5
+ import * as jose from "jose";
6
+ import { afterEach, describe, expect, it, vi } from "vitest";
7
+ import { McpServer } from "../server.js";
8
+ vi.mock("@skybridge/devtools", () => ({
9
+ devtoolsStaticServer: () => ((_req, _res, next) => next()),
10
+ }));
11
+ vi.mock("../viewsDevServer.js", () => ({
12
+ viewsDevServer: (_httpServer) => ((_req, _res, next) => next()),
13
+ }));
14
+ const ISSUER = "https://issuer.test";
15
+ const AUDIENCE = "api://default";
16
+ let jwksServer;
17
+ let appServer;
18
+ afterEach(() => {
19
+ jwksServer?.close();
20
+ appServer?.close();
21
+ });
22
+ async function startJwks() {
23
+ const { publicKey, privateKey } = await jose.generateKeyPair("RS256");
24
+ const jwk = {
25
+ ...(await jose.exportJWK(publicKey)),
26
+ kid: "test-key",
27
+ alg: "RS256",
28
+ use: "sig",
29
+ };
30
+ const server = http.createServer((_req, res) => {
31
+ res.setHeader("content-type", "application/json");
32
+ res.end(JSON.stringify({ keys: [jwk] }));
33
+ });
34
+ await new Promise((resolve) => server.listen(0, resolve));
35
+ jwksServer = server;
36
+ const port = server.address().port;
37
+ return { privateKey, jwksUri: `http://localhost:${port}/jwks` };
38
+ }
39
+ function signToken(key) {
40
+ return new jose.SignJWT({
41
+ client_id: "client-1",
42
+ scope: "openid email",
43
+ sub: "user-1",
44
+ })
45
+ .setProtectedHeader({ alg: "RS256", kid: "test-key" })
46
+ .setIssuer(ISSUER)
47
+ .setAudience(AUDIENCE)
48
+ .setExpirationTime("1h")
49
+ .sign(key);
50
+ }
51
+ async function bootServer(jwksUri, { baseUrl = "https://app.example.test" } = {}) {
52
+ const { createApp } = await import("../express.js");
53
+ const server = new McpServer({ name: "auth-test", version: "0.0.0" }, { capabilities: {} }, {
54
+ oauth: {
55
+ ...(baseUrl === null ? {} : { baseUrl }),
56
+ oauthMetadata: {
57
+ issuer: ISSUER,
58
+ authorization_endpoint: `${ISSUER}/authorize`,
59
+ token_endpoint: `${ISSUER}/token`,
60
+ response_types_supported: ["code"],
61
+ },
62
+ verify: { issuer: ISSUER, audience: AUDIENCE, jwksUri },
63
+ scopesSupported: ["openid", "email"],
64
+ requiredScopes: ["openid"],
65
+ },
66
+ }).registerTool({
67
+ name: "whoami",
68
+ description: "Returns the caller identity.",
69
+ inputSchema: {},
70
+ }, (_args, extra) => ({
71
+ structuredContent: { clientId: extra.authInfo?.clientId ?? null },
72
+ content: [{ type: "text", text: extra.authInfo?.clientId ?? "anon" }],
73
+ }));
74
+ const httpServer = http.createServer();
75
+ await createApp({ mcpServer: server, httpServer });
76
+ const listening = http.createServer(server.express);
77
+ await new Promise((resolve) => listening.listen(0, resolve));
78
+ appServer = listening;
79
+ const port = listening.address().port;
80
+ return `http://localhost:${port}`;
81
+ }
82
+ describe("setupOAuth wiring", () => {
83
+ it("serves protected-resource metadata", async () => {
84
+ const { jwksUri } = await startJwks();
85
+ const base = await bootServer(jwksUri);
86
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`);
87
+ expect(res.status).toBe(200);
88
+ const body = (await res.json());
89
+ expect(body.resource).toBe("https://app.example.test/");
90
+ expect(body.authorization_servers).toContain(ISSUER);
91
+ expect(body.scopes_supported).toEqual(["openid", "email"]);
92
+ });
93
+ it("rejects /mcp without a token (401 + WWW-Authenticate)", async () => {
94
+ const { jwksUri } = await startJwks();
95
+ const base = await bootServer(jwksUri);
96
+ const res = await fetch(`${base}/mcp`, {
97
+ method: "POST",
98
+ headers: { "Content-Type": "application/json" },
99
+ body: JSON.stringify({ jsonrpc: "2.0", method: "initialize", id: 1 }),
100
+ });
101
+ expect(res.status).toBe(401);
102
+ expect(res.headers.get("www-authenticate")).toMatch(/resource_metadata=/);
103
+ });
104
+ it("threads authInfo into the tool handler for a valid token", async () => {
105
+ const { privateKey, jwksUri } = await startJwks();
106
+ const base = await bootServer(jwksUri);
107
+ const token = await signToken(privateKey);
108
+ const client = new Client({ name: "test-client", version: "0.0.0" });
109
+ const transport = new StreamableHTTPClientTransport(new URL(`${base}/mcp`), { requestInit: { headers: { Authorization: `Bearer ${token}` } } });
110
+ await client.connect(transport);
111
+ const result = (await client.callTool({
112
+ name: "whoami",
113
+ arguments: {},
114
+ }));
115
+ expect(result.content[0]?.text).toBe("client-1");
116
+ await client.close();
117
+ });
118
+ });
119
+ describe("baseUrl inferred from headers", () => {
120
+ it("derives the resource origin from x-forwarded-host", async () => {
121
+ const { jwksUri } = await startJwks();
122
+ const base = await bootServer(jwksUri, { baseUrl: null });
123
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {
124
+ headers: { "x-forwarded-host": "infer.example.test" },
125
+ });
126
+ expect(res.status).toBe(200);
127
+ const body = (await res.json());
128
+ expect(body.resource).toBe("https://infer.example.test/");
129
+ });
130
+ it("uses the first hop of a forwarded-host chain", async () => {
131
+ const { jwksUri } = await startJwks();
132
+ const base = await bootServer(jwksUri, { baseUrl: null });
133
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {
134
+ headers: {
135
+ "x-forwarded-host": "public.example, internal.local",
136
+ "x-forwarded-proto": "https, http",
137
+ },
138
+ });
139
+ expect(res.status).toBe(200);
140
+ const body = (await res.json());
141
+ expect(body.resource).toBe("https://public.example/");
142
+ });
143
+ it("ignores the client Origin header, using Host instead", async () => {
144
+ const { jwksUri } = await startJwks();
145
+ const base = await bootServer(jwksUri, { baseUrl: null });
146
+ const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {
147
+ headers: { origin: "https://chatgpt.com" },
148
+ });
149
+ expect(res.status).toBe(200);
150
+ const body = (await res.json());
151
+ expect(body.resource).toMatch(/^http:\/\/(localhost|127\.0\.0\.1):/);
152
+ });
153
+ it("points the 401 WWW-Authenticate at the inferred host", async () => {
154
+ const { jwksUri } = await startJwks();
155
+ const base = await bootServer(jwksUri, { baseUrl: null });
156
+ const res = await fetch(`${base}/mcp`, {
157
+ method: "POST",
158
+ headers: {
159
+ "Content-Type": "application/json",
160
+ "x-forwarded-host": "infer.example.test",
161
+ },
162
+ body: JSON.stringify({ jsonrpc: "2.0", method: "initialize", id: 1 }),
163
+ });
164
+ expect(res.status).toBe(401);
165
+ expect(res.headers.get("www-authenticate")).toMatch(/resource_metadata="https:\/\/infer\.example\.test\//);
166
+ });
167
+ });
168
+ describe("oauth config validation", () => {
169
+ const validMetadata = {
170
+ issuer: ISSUER,
171
+ authorization_endpoint: `${ISSUER}/authorize`,
172
+ token_endpoint: `${ISSUER}/token`,
173
+ response_types_supported: ["code"],
174
+ };
175
+ it("throws on a non-absolute baseUrl", () => {
176
+ expect(() => new McpServer({ name: "t", version: "0" }, undefined, {
177
+ oauth: {
178
+ baseUrl: "not-a-url",
179
+ oauthMetadata: validMetadata,
180
+ verify: { issuer: ISSUER, audience: AUDIENCE },
181
+ },
182
+ })).toThrow(/baseUrl must be a valid absolute URL/);
183
+ });
184
+ });
185
+ //# sourceMappingURL=setup.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"setup.test.js","sourceRoot":"","sources":["../../../src/server/auth/setup.test.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAEnG,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,EAAE,CAAC,IAAI,CAAC,qBAAqB,EAAE,GAAG,EAAE,CAAC,CAAC;IACpC,oBAAoB,EAAE,GAAG,EAAE,CACzB,CAAC,CAAC,IAAa,EAAE,IAAa,EAAE,IAAgB,EAAE,EAAE,CAClD,IAAI,EAAE,CAAmB;CAC9B,CAAC,CAAC,CAAC;AACJ,EAAE,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrC,cAAc,EAAE,CAAC,WAAoB,EAAE,EAAE,CACvC,CAAC,CAAC,IAAa,EAAE,IAAa,EAAE,IAAgB,EAAE,EAAE,CAClD,IAAI,EAAE,CAAmB;CAC9B,CAAC,CAAC,CAAC;AAEJ,MAAM,MAAM,GAAG,qBAAqB,CAAC;AACrC,MAAM,QAAQ,GAAG,eAAe,CAAC;AAEjC,IAAI,UAAmC,CAAC;AACxC,IAAI,SAAkC,CAAC;AACvC,SAAS,CAAC,GAAG,EAAE;IACb,UAAU,EAAE,KAAK,EAAE,CAAC;IACpB,SAAS,EAAE,KAAK,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,SAAS;IACtB,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG;QACV,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACpC,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IACF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC7C,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;QAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IAChE,UAAU,GAAG,MAAM,CAAC;IACpB,MAAM,IAAI,GAAI,MAAM,CAAC,OAAO,EAAuB,CAAC,IAAI,CAAC;IACzD,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,oBAAoB,IAAI,OAAO,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,SAAS,CAAC,GAAc;IAC/B,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC;QACtB,SAAS,EAAE,UAAU;QACrB,KAAK,EAAE,cAAc;QACrB,GAAG,EAAE,QAAQ;KACd,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC;SACrD,SAAS,CAAC,MAAM,CAAC;SACjB,WAAW,CAAC,QAAQ,CAAC;SACrB,iBAAiB,CAAC,IAAI,CAAC;SACvB,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,OAAe,EACf,EAAE,OAAO,GAAG,0BAA0B,KAAkC,EAAE;IAE1E,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,SAAS,CAC1B,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,EACvC,EAAE,YAAY,EAAE,EAAE,EAAE,EACpB;QACE,KAAK,EAAE;YACL,GAAG,CAAC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;YACxC,aAAa,EAAE;gBACb,MAAM,EAAE,MAAM;gBACd,sBAAsB,EAAE,GAAG,MAAM,YAAY;gBAC7C,cAAc,EAAE,GAAG,MAAM,QAAQ;gBACjC,wBAAwB,EAAE,CAAC,MAAM,CAAC;aACnC;YACD,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE;YACvD,eAAe,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;YACpC,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B;KACF,CACF,CAAC,YAAY,CACZ;QACE,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,8BAA8B;QAC3C,WAAW,EAAE,EAAE;KAChB,EACD,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QACjB,iBAAiB,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI,EAAE;QACjE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,QAAQ,EAAE,QAAQ,IAAI,MAAM,EAAE,CAAC;KACtE,CAAC,CACH,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IACvC,MAAM,SAAS,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IACnE,SAAS,GAAG,SAAS,CAAC;IACtB,MAAM,IAAI,GAAI,SAAS,CAAC,OAAO,EAAuB,CAAC,IAAI,CAAC;IAC5D,OAAO,oBAAoB,IAAI,EAAE,CAAC;AACpC,CAAC;AAED,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,uCAAuC,CAAC,CAAC;QACxE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAI7B,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,MAAM,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC;SACtE,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QAClD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CACjD,IAAI,GAAG,CAAC,GAAG,IAAI,MAAM,CAAC,EACtB,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,EAAE,EAAE,CACnE,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEhC,MAAM,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC;YACpC,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,EAAE;SACd,CAAC,CAED,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAEjD,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,uCAAuC,EAAE;YACtE,OAAO,EAAE,EAAE,kBAAkB,EAAE,oBAAoB,EAAE;SACtD,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,uCAAuC,EAAE;YACtE,OAAO,EAAE;gBACP,kBAAkB,EAAE,gCAAgC;gBACpD,mBAAmB,EAAE,aAAa;aACnC;SACF,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,uCAAuC,EAAE;YACtE,OAAO,EAAE,EAAE,MAAM,EAAE,qBAAqB,EAAE;SAC3C,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,MAAM,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,kBAAkB,EAAE,oBAAoB;aACzC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC;SACtE,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,OAAO,CACjD,qDAAqD,CACtD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,MAAM,aAAa,GAAG;QACpB,MAAM,EAAE,MAAM;QACd,sBAAsB,EAAE,GAAG,MAAM,YAAY;QAC7C,cAAc,EAAE,GAAG,MAAM,QAAQ;QACjC,wBAAwB,EAAE,CAAC,MAAM,CAAC;KACnC,CAAC;IAEF,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CACJ,GAAG,EAAE,CACH,IAAI,SAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,SAAS,EAAE;YACpD,KAAK,EAAE;gBACL,OAAO,EAAE,WAAW;gBACpB,aAAa,EAAE,aAAa;gBAC5B,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE;aAC/C;SACF,CAAC,CACL,CAAC,OAAO,CAAC,sCAAsC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["// @vitest-environment node\nimport http from \"node:http\";\nimport { Client } from \"@modelcontextprotocol/sdk/client/index.js\";\nimport { StreamableHTTPClientTransport } from \"@modelcontextprotocol/sdk/client/streamableHttp.js\";\nimport type { RequestHandler } from \"express\";\nimport * as jose from \"jose\";\nimport { afterEach, describe, expect, it, vi } from \"vitest\";\nimport { McpServer } from \"../server.js\";\n\nvi.mock(\"@skybridge/devtools\", () => ({\n devtoolsStaticServer: () =>\n ((_req: unknown, _res: unknown, next: () => void) =>\n next()) as RequestHandler,\n}));\nvi.mock(\"../viewsDevServer.js\", () => ({\n viewsDevServer: (_httpServer: unknown) =>\n ((_req: unknown, _res: unknown, next: () => void) =>\n next()) as RequestHandler,\n}));\n\nconst ISSUER = \"https://issuer.test\";\nconst AUDIENCE = \"api://default\";\n\nlet jwksServer: http.Server | undefined;\nlet appServer: http.Server | undefined;\nafterEach(() => {\n jwksServer?.close();\n appServer?.close();\n});\n\nasync function startJwks() {\n const { publicKey, privateKey } = await jose.generateKeyPair(\"RS256\");\n const jwk = {\n ...(await jose.exportJWK(publicKey)),\n kid: \"test-key\",\n alg: \"RS256\",\n use: \"sig\",\n };\n const server = http.createServer((_req, res) => {\n res.setHeader(\"content-type\", \"application/json\");\n res.end(JSON.stringify({ keys: [jwk] }));\n });\n await new Promise<void>((resolve) => server.listen(0, resolve));\n jwksServer = server;\n const port = (server.address() as { port: number }).port;\n return { privateKey, jwksUri: `http://localhost:${port}/jwks` };\n}\n\nfunction signToken(key: CryptoKey) {\n return new jose.SignJWT({\n client_id: \"client-1\",\n scope: \"openid email\",\n sub: \"user-1\",\n })\n .setProtectedHeader({ alg: \"RS256\", kid: \"test-key\" })\n .setIssuer(ISSUER)\n .setAudience(AUDIENCE)\n .setExpirationTime(\"1h\")\n .sign(key);\n}\n\nasync function bootServer(\n jwksUri: string,\n { baseUrl = \"https://app.example.test\" }: { baseUrl?: string | null } = {},\n) {\n const { createApp } = await import(\"../express.js\");\n const server = new McpServer(\n { name: \"auth-test\", version: \"0.0.0\" },\n { capabilities: {} },\n {\n oauth: {\n ...(baseUrl === null ? {} : { baseUrl }),\n oauthMetadata: {\n issuer: ISSUER,\n authorization_endpoint: `${ISSUER}/authorize`,\n token_endpoint: `${ISSUER}/token`,\n response_types_supported: [\"code\"],\n },\n verify: { issuer: ISSUER, audience: AUDIENCE, jwksUri },\n scopesSupported: [\"openid\", \"email\"],\n requiredScopes: [\"openid\"],\n },\n },\n ).registerTool(\n {\n name: \"whoami\",\n description: \"Returns the caller identity.\",\n inputSchema: {},\n },\n (_args, extra) => ({\n structuredContent: { clientId: extra.authInfo?.clientId ?? null },\n content: [{ type: \"text\", text: extra.authInfo?.clientId ?? \"anon\" }],\n }),\n );\n\n const httpServer = http.createServer();\n await createApp({ mcpServer: server, httpServer });\n const listening = http.createServer(server.express);\n await new Promise<void>((resolve) => listening.listen(0, resolve));\n appServer = listening;\n const port = (listening.address() as { port: number }).port;\n return `http://localhost:${port}`;\n}\n\ndescribe(\"setupOAuth wiring\", () => {\n it(\"serves protected-resource metadata\", async () => {\n const { jwksUri } = await startJwks();\n const base = await bootServer(jwksUri);\n\n const res = await fetch(`${base}/.well-known/oauth-protected-resource`);\n expect(res.status).toBe(200);\n const body = (await res.json()) as {\n resource: string;\n authorization_servers: string[];\n scopes_supported: string[];\n };\n expect(body.resource).toBe(\"https://app.example.test/\");\n expect(body.authorization_servers).toContain(ISSUER);\n expect(body.scopes_supported).toEqual([\"openid\", \"email\"]);\n });\n\n it(\"rejects /mcp without a token (401 + WWW-Authenticate)\", async () => {\n const { jwksUri } = await startJwks();\n const base = await bootServer(jwksUri);\n\n const res = await fetch(`${base}/mcp`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ jsonrpc: \"2.0\", method: \"initialize\", id: 1 }),\n });\n expect(res.status).toBe(401);\n expect(res.headers.get(\"www-authenticate\")).toMatch(/resource_metadata=/);\n });\n\n it(\"threads authInfo into the tool handler for a valid token\", async () => {\n const { privateKey, jwksUri } = await startJwks();\n const base = await bootServer(jwksUri);\n const token = await signToken(privateKey);\n\n const client = new Client({ name: \"test-client\", version: \"0.0.0\" });\n const transport = new StreamableHTTPClientTransport(\n new URL(`${base}/mcp`),\n { requestInit: { headers: { Authorization: `Bearer ${token}` } } },\n );\n await client.connect(transport);\n\n const result = (await client.callTool({\n name: \"whoami\",\n arguments: {},\n })) as unknown as {\n content: { type: string; text: string }[];\n };\n expect(result.content[0]?.text).toBe(\"client-1\");\n\n await client.close();\n });\n});\n\ndescribe(\"baseUrl inferred from headers\", () => {\n it(\"derives the resource origin from x-forwarded-host\", async () => {\n const { jwksUri } = await startJwks();\n const base = await bootServer(jwksUri, { baseUrl: null });\n\n const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {\n headers: { \"x-forwarded-host\": \"infer.example.test\" },\n });\n expect(res.status).toBe(200);\n const body = (await res.json()) as { resource: string };\n expect(body.resource).toBe(\"https://infer.example.test/\");\n });\n\n it(\"uses the first hop of a forwarded-host chain\", async () => {\n const { jwksUri } = await startJwks();\n const base = await bootServer(jwksUri, { baseUrl: null });\n\n const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {\n headers: {\n \"x-forwarded-host\": \"public.example, internal.local\",\n \"x-forwarded-proto\": \"https, http\",\n },\n });\n expect(res.status).toBe(200);\n const body = (await res.json()) as { resource: string };\n expect(body.resource).toBe(\"https://public.example/\");\n });\n\n it(\"ignores the client Origin header, using Host instead\", async () => {\n const { jwksUri } = await startJwks();\n const base = await bootServer(jwksUri, { baseUrl: null });\n\n const res = await fetch(`${base}/.well-known/oauth-protected-resource`, {\n headers: { origin: \"https://chatgpt.com\" },\n });\n expect(res.status).toBe(200);\n const body = (await res.json()) as { resource: string };\n expect(body.resource).toMatch(/^http:\\/\\/(localhost|127\\.0\\.0\\.1):/);\n });\n\n it(\"points the 401 WWW-Authenticate at the inferred host\", async () => {\n const { jwksUri } = await startJwks();\n const base = await bootServer(jwksUri, { baseUrl: null });\n\n const res = await fetch(`${base}/mcp`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"x-forwarded-host\": \"infer.example.test\",\n },\n body: JSON.stringify({ jsonrpc: \"2.0\", method: \"initialize\", id: 1 }),\n });\n expect(res.status).toBe(401);\n expect(res.headers.get(\"www-authenticate\")).toMatch(\n /resource_metadata=\"https:\\/\\/infer\\.example\\.test\\//,\n );\n });\n});\n\ndescribe(\"oauth config validation\", () => {\n const validMetadata = {\n issuer: ISSUER,\n authorization_endpoint: `${ISSUER}/authorize`,\n token_endpoint: `${ISSUER}/token`,\n response_types_supported: [\"code\"],\n };\n\n it(\"throws on a non-absolute baseUrl\", () => {\n expect(\n () =>\n new McpServer({ name: \"t\", version: \"0\" }, undefined, {\n oauth: {\n baseUrl: \"not-a-url\",\n oauthMetadata: validMetadata,\n verify: { issuer: ISSUER, audience: AUDIENCE },\n },\n }),\n ).toThrow(/baseUrl must be a valid absolute URL/);\n });\n});\n"]}
@@ -0,0 +1,12 @@
1
+ import type { OAuthTokenVerifier } from "@modelcontextprotocol/sdk/server/auth/provider.js";
2
+ export type JwksVerifyConfig = {
3
+ /** Expected `iss` claim. */
4
+ issuer: string;
5
+ /** Expected `aud` claim. Omit to skip audience verification — for IdPs that
6
+ * don't bind an audience to their access tokens (e.g. Clerk). */
7
+ audience?: string;
8
+ /** Defaults to `${issuer}/.well-known/jwks.json`. */
9
+ jwksUri?: string;
10
+ };
11
+ /** Builds an `OAuthTokenVerifier` validating JWTs against a remote JWKS. Internal, not exported. */
12
+ export declare function createJwksVerifier(config: JwksVerifyConfig): OAuthTokenVerifier;
@@ -0,0 +1,38 @@
1
+ import { InvalidTokenError } from "@modelcontextprotocol/sdk/server/auth/errors.js";
2
+ import * as jose from "jose";
3
+ /** Builds an `OAuthTokenVerifier` validating JWTs against a remote JWKS. Internal, not exported. */
4
+ export function createJwksVerifier(config) {
5
+ const jwksUri = config.jwksUri ??
6
+ `${config.issuer.replace(/\/$/, "")}/.well-known/jwks.json`;
7
+ const jwks = jose.createRemoteJWKSet(new URL(jwksUri));
8
+ return {
9
+ async verifyAccessToken(token) {
10
+ let payload;
11
+ try {
12
+ ({ payload } = await jose.jwtVerify(token, jwks, {
13
+ issuer: config.issuer,
14
+ // jose skips the aud check when `audience` is undefined.
15
+ ...(config.audience !== undefined && { audience: config.audience }),
16
+ }));
17
+ }
18
+ catch (err) {
19
+ const message = err instanceof Error ? err.message : String(err);
20
+ throw new InvalidTokenError(`Token verification failed: ${message}`);
21
+ }
22
+ const { client_id, scope, exp, sub, ...rest } = payload;
23
+ const scopes = Array.isArray(scope)
24
+ ? scope.map(String)
25
+ : typeof scope === "string"
26
+ ? scope.split(/\s+/).filter(Boolean)
27
+ : [];
28
+ return {
29
+ token,
30
+ clientId: client_id ?? "",
31
+ scopes,
32
+ expiresAt: exp,
33
+ extra: { subject: sub, ...rest },
34
+ };
35
+ },
36
+ };
37
+ }
38
+ //# sourceMappingURL=verify.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"verify.js","sourceRoot":"","sources":["../../../src/server/auth/verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAGpF,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAY7B,oGAAoG;AACpG,MAAM,UAAU,kBAAkB,CAChC,MAAwB;IAExB,MAAM,OAAO,GACX,MAAM,CAAC,OAAO;QACd,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,wBAAwB,CAAC;IAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IAEvD,OAAO;QACL,KAAK,CAAC,iBAAiB,CAAC,KAAa;YACnC,IAAI,OAAwB,CAAC;YAC7B,IAAI,CAAC;gBACH,CAAC,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;oBAC/C,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,yDAAyD;oBACzD,GAAG,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;iBACpE,CAAC,CAAC,CAAC;YACN,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;YACvE,CAAC;YAED,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAQ/C,CAAC;YAEF,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;gBACjC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;gBACnB,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ;oBACzB,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;oBACpC,CAAC,CAAC,EAAE,CAAC;YAET,OAAO;gBACL,KAAK;gBACL,QAAQ,EAAE,SAAS,IAAI,EAAE;gBACzB,MAAM;gBACN,SAAS,EAAE,GAAG;gBACd,KAAK,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE;aACd,CAAC;QACvB,CAAC;KACF,CAAC;AACJ,CAAC","sourcesContent":["import { InvalidTokenError } from \"@modelcontextprotocol/sdk/server/auth/errors.js\";\nimport type { OAuthTokenVerifier } from \"@modelcontextprotocol/sdk/server/auth/provider.js\";\nimport type { AuthInfo } from \"@modelcontextprotocol/sdk/server/auth/types.js\";\nimport * as jose from \"jose\";\n\nexport type JwksVerifyConfig = {\n /** Expected `iss` claim. */\n issuer: string;\n /** Expected `aud` claim. Omit to skip audience verification — for IdPs that\n * don't bind an audience to their access tokens (e.g. Clerk). */\n audience?: string;\n /** Defaults to `${issuer}/.well-known/jwks.json`. */\n jwksUri?: string;\n};\n\n/** Builds an `OAuthTokenVerifier` validating JWTs against a remote JWKS. Internal, not exported. */\nexport function createJwksVerifier(\n config: JwksVerifyConfig,\n): OAuthTokenVerifier {\n const jwksUri =\n config.jwksUri ??\n `${config.issuer.replace(/\\/$/, \"\")}/.well-known/jwks.json`;\n const jwks = jose.createRemoteJWKSet(new URL(jwksUri));\n\n return {\n async verifyAccessToken(token: string): Promise<AuthInfo> {\n let payload: jose.JWTPayload;\n try {\n ({ payload } = await jose.jwtVerify(token, jwks, {\n issuer: config.issuer,\n // jose skips the aud check when `audience` is undefined.\n ...(config.audience !== undefined && { audience: config.audience }),\n }));\n } catch (err) {\n const message = err instanceof Error ? err.message : String(err);\n throw new InvalidTokenError(`Token verification failed: ${message}`);\n }\n\n const { client_id, scope, exp, sub, ...rest } = payload as Record<\n string,\n unknown\n > & {\n client_id?: string;\n scope?: string | string[];\n exp?: number;\n sub?: string;\n };\n\n const scopes = Array.isArray(scope)\n ? scope.map(String)\n : typeof scope === \"string\"\n ? scope.split(/\\s+/).filter(Boolean)\n : [];\n\n return {\n token,\n clientId: client_id ?? \"\",\n scopes,\n expiresAt: exp,\n extra: { subject: sub, ...rest },\n } satisfies AuthInfo;\n },\n };\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};