npm - toolcraft - Versions diffs - 0.0.23 → 0.0.25 - Mend

toolcraft 0.0.23 → 0.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (152) hide show

package/node_modules/mcp-oauth/dist/client/default-oauth-client-provider.js CHANGED Viewed

@@ -15,7 +15,6 @@ export function createDefaultOAuthClientProvider(options) {
     const sessionStore = options.sessionStore ?? createAuthStoreSessionStore(options.authStore);
     const clientStore = options.authStore === undefined ? null : createAuthStoreClientStore(options.authStore);
     const now = options.now ?? Date.now;
-    const sessions = new Map();
     const registeredClients = new Map();
     const refreshPromises = new Map();
     const authorizationPromises = new Map();
@@ -25,7 +24,10 @@ export function createDefaultOAuthClientProvider(options) {
             const requestUrl = canonicalizeResourceIndicator(input.requestUrl);
             const session = await ensureAuthorizedSession(requestUrl, undefined, input.fetch, false);
             const accessToken = session?.tokens?.accessToken;
-            if (session === null || accessToken === undefined) {
+            if (session === null
+                || accessToken === undefined
+                || session.tokens === undefined
+                || isExpired(session.tokens, now)) {
                 return;
             }
             assertRequestMatchesResource(requestUrl, session.resource);
@@ -71,10 +73,11 @@ export function createDefaultOAuthClientProvider(options) {
                 return session;
             }
         }
-        if (!allowInteractive || sessionDiscovery === undefined) {
-            return session;
-        }
         if (forceRefresh && session?.tokens !== undefined) {
+            session = clearSessionTokens(session);
+            await saveSession(canonicalResource, session);
+        }
+        if (!allowInteractive || sessionDiscovery === undefined) {
             return session;
         }
         return authorizeSession(canonicalResource, session, sessionDiscovery, fetch);
@@ -125,7 +128,10 @@ export function createDefaultOAuthClientProvider(options) {
                 }
                 const updatedSession = {
                     ...session,
-                    tokens: refreshedTokens,
+                    tokens: {
+                        ...refreshedTokens,
+                        refreshToken: refreshedTokens.refreshToken ?? session.tokens.refreshToken,
+                    },
                     discovery: toStoredDiscovery(discovery),
                 };
                 await saveSession(resource, updatedSession);
@@ -285,7 +291,7 @@ export function createDefaultOAuthClientProvider(options) {
         });
         const payload = await readOAuthJsonObjectResponse(response);
         if (typeof payload.client_id !== "string" ||
-            payload.client_id.length === 0) {
+            payload.client_id.trim().length === 0) {
             throw new Error("OAuth client registration response missing client_id");
         }
         const registeredClient = {
@@ -302,19 +308,12 @@ export function createDefaultOAuthClientProvider(options) {
         };
     }
     async function loadSession(resource) {
-        if (sessions.has(resource)) {
-            return sessions.get(resource) ?? null;
-        }
-        const session = await sessionStore.load(resource);
-        sessions.set(resource, session);
-        return session;
+        return normalizeLoadedSession(await sessionStore.load(resource));
     }
     async function saveSession(resource, session) {
-        sessions.set(resource, session);
         await sessionStore.save(resource, session);
     }
     async function clearSession(resource) {
-        sessions.delete(resource);
         await sessionStore.clear(resource);
     }
     async function loadRegisteredClient(issuer) {
@@ -325,6 +324,10 @@ export function createDefaultOAuthClientProvider(options) {
             return null;
         }
         const client = await clientStore.load(issuer);
+        if (client !== null && !isUsableClient(client)) {
+            await clientStore.clear(issuer);
+            return null;
+        }
         registeredClients.set(issuer, client);
         return client;
     }
@@ -382,6 +385,34 @@ function clearSessionTokens(session) {
 function hasCachedAccessToken(session) {
     return session?.tokens?.accessToken !== undefined;
 }
+function normalizeLoadedSession(session) {
+    if (session === null) {
+        return null;
+    }
+    if (!isUsableClient(session.client)) {
+        return { ...session, client: { clientId: "" }, tokens: undefined };
+    }
+    return isUsableTokens(session.tokens)
+        ? session
+        : { ...session, tokens: undefined };
+}
+function isUsableClient(client) {
+    return (typeof client.clientId === "string"
+        && client.clientId.trim().length > 0
+        && (client.clientSecret === undefined
+            || (typeof client.clientSecret === "string" && client.clientSecret.trim().length > 0)));
+}
+function isUsableTokens(tokens) {
+    if (tokens === undefined) {
+        return true;
+    }
+    return (typeof tokens.accessToken === "string"
+        && tokens.accessToken.trim().length > 0
+        && tokens.tokenType === "Bearer"
+        && (tokens.expiresAt === null || (typeof tokens.expiresAt === "number" && Number.isFinite(tokens.expiresAt)))
+        && (tokens.refreshToken === undefined
+            || (typeof tokens.refreshToken === "string" && tokens.refreshToken.trim().length > 0)));
+}
 function getClientMetadata(client) {
     return client.metadata;
 }

package/node_modules/mcp-oauth/dist/client/loopback-authorization.js CHANGED Viewed

@@ -17,8 +17,14 @@ export async function createLoopbackAuthorizationSession(options = {}) {
     };
 }
 async function startServer(server) {
-    return new Promise((resolve) => {
+    return new Promise((resolve, reject) => {
+        const handleError = (error) => {
+            server.off("error", handleError);
+            reject(error);
+        };
+        server.once("error", handleError);
         server.listen(0, "127.0.0.1", () => {
+            server.off("error", handleError);
             const address = server.address();
             resolve(address.port);
         });
@@ -41,20 +47,34 @@ function waitForAuthorizationCode(server, authorizationUrl, options, callbackPat
                 res.end("Not found");
                 return;
             }
-            const error = url.searchParams.get("error");
-            if (error !== null) {
-                const description = url.searchParams.get("error_description") ?? error;
+            const callbackParameters = {
+                code: url.searchParams.get("code"),
+                error: url.searchParams.get("error"),
+                errorDescription: url.searchParams.get("error_description"),
+                state: url.searchParams.get("state"),
+                iss: url.searchParams.get("iss"),
+            };
+            try {
+                validateAuthorizationCallbackBinding(callbackParameters, expectedAuthorization);
+            }
+            catch (error) {
+                res.writeHead(400);
+                res.end(error instanceof Error ? error.message : "Invalid OAuth callback");
+                if (callbackParameters.error === null) {
+                    settle(() => reject(error instanceof Error ? error : new Error(String(error))));
+                }
+                return;
+            }
+            const authorizationError = callbackParameters.error;
+            if (authorizationError !== null) {
+                const description = callbackParameters.errorDescription ?? authorizationError;
                 res.writeHead(400);
                 res.end(`Authorization failed: ${description}`);
-                settle(() => reject(new Error(`OAuth authorization failed: ${error} — ${description}`)));
+                settle(() => reject(createAuthorizationError(authorizationError, description)));
                 return;
             }
             try {
-                const code = validateAuthorizationCallbackParameters({
-                    code: url.searchParams.get("code"),
-                    state: url.searchParams.get("state"),
-                    iss: url.searchParams.get("iss"),
-                }, expectedAuthorization);
+                const code = validateAuthorizationCallbackParameters(callbackParameters, expectedAuthorization);
                 res.writeHead(200, { "Content-Type": "text/html" });
                 res.end(buildSuccessPage(options.landingPage));
                 settle(() => resolve(code));
@@ -73,13 +93,20 @@ function waitForAuthorizationCode(server, authorizationUrl, options, callbackPat
                     return;
                 }
                 try {
+                    validateAuthorizationCallbackBinding(callbackParameters, expectedAuthorization);
+                    if (callbackParameters.error !== null) {
+                        const description = callbackParameters.errorDescription ?? callbackParameters.error;
+                        throw createAuthorizationError(callbackParameters.error, description);
+                    }
                     const code = validateAuthorizationCallbackParameters(callbackParameters, expectedAuthorization);
                     settle(() => resolve(code));
                 }
                 catch (error) {
                     settle(() => reject(error instanceof Error ? error : new Error(String(error))));
                 }
-            }).catch(() => undefined);
+            }).catch((error) => {
+                settle(() => reject(error instanceof Error ? error : new Error(String(error))));
+            });
         }
         if (options.openBrowser !== undefined) {
             options.openBrowser(authorizationUrl).catch((error) => {
@@ -100,6 +127,8 @@ function extractCallbackParametersFromInput(input) {
         const url = new URL(trimmed);
         return {
             code: url.searchParams.get("code"),
+            error: url.searchParams.get("error"),
+            errorDescription: url.searchParams.get("error_description"),
             state: url.searchParams.get("state"),
             iss: url.searchParams.get("iss"),
         };
@@ -107,6 +136,8 @@ function extractCallbackParametersFromInput(input) {
     catch {
         return {
             code: trimmed,
+            error: null,
+            errorDescription: null,
             state: null,
             iss: null,
         };
@@ -123,9 +154,13 @@ function readExpectedAuthorizationCallback(authorizationUrl) {
     };
 }
 function validateAuthorizationCallbackParameters(callback, expected) {
+    validateAuthorizationCallbackBinding(callback, expected);
     if (callback.code === null || callback.code.length === 0) {
         throw new Error("OAuth callback missing authorization code");
     }
+    return callback.code;
+}
+function validateAuthorizationCallbackBinding(callback, expected) {
     if (expected.state !== null) {
         if (callback.state === null || callback.state.length === 0) {
             throw new Error("OAuth callback missing state");
@@ -145,7 +180,9 @@ function validateAuthorizationCallbackParameters(callback, expected) {
         && callback.iss !== expected.issuer) {
         throw new Error("OAuth callback issuer mismatch");
     }
-    return callback.code;
+}
+function createAuthorizationError(error, description) {
+    return new Error(`OAuth authorization failed: ${error} — ${description}`);
 }
 function escapeHtml(text) {
     return text

package/node_modules/mcp-oauth/dist/client/token-endpoint.js CHANGED Viewed

@@ -75,13 +75,18 @@ async function requestTokens(input) {
         body: body.toString(),
     });
     const payload = await readOAuthJsonObjectResponse(response);
-    if (typeof payload.access_token !== "string" || payload.access_token.length === 0) {
+    if (typeof payload.access_token !== "string" || payload.access_token.trim().length === 0) {
         throw new Error("OAuth token response missing access_token");
     }
     const tokenType = normalizeBearerTokenType(payload.token_type);
     if (tokenType === null) {
         throw new Error("OAuth token response missing token_type=Bearer");
     }
+    if (typeof payload.expires_in === "number"
+        && Number.isFinite(payload.expires_in)
+        && payload.expires_in < 0) {
+        throw new Error("OAuth token response has invalid expires_in");
+    }
     return {
         accessToken: payload.access_token,
         refreshToken: typeof payload.refresh_token === "string" && payload.refresh_token.length > 0

package/node_modules/mcp-oauth/dist/server/jwks-token-verifier.js CHANGED Viewed

@@ -242,7 +242,7 @@ export function createJwksTokenVerifier(options) {
                 const audience = normalizeVerifiedAudience(verified.payload.aud, expectedResource);
                 const accessToken = toVerifiedAccessToken(input.token, verified.payload, audience);
                 if (input.requiredScopes.length > 0
-                    && !accessToken.scopes.some((scope) => input.requiredScopes.includes(scope))) {
+                    && !input.requiredScopes.every((scope) => accessToken.scopes.includes(scope))) {
                     throw createTokenVerificationError({
                         error: "insufficient_scope",
                         errorDescription: "insufficient scope",

package/node_modules/mcp-oauth/package.json CHANGED Viewed

@@ -1,6 +1,7 @@
 {
   "name": "mcp-oauth",
   "version": "0.0.1",
+  "private": true,
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/node_modules/tiny-mcp-client/.turbo/turbo-build.log CHANGED Viewed

@@ -3,5 +3,5 @@ npm warn Unknown project config "package-manager-strict". This will stop working
 npm warn Unknown project config "prefer-workspace-packages". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
 > tiny-mcp-client@0.1.0 build
-> tsc
+> node ../../scripts/guard-package-dist.mjs && tsc

package/node_modules/tiny-mcp-client/dist/internal.d.ts CHANGED Viewed

@@ -1,14 +1,14 @@
 import type { ChildProcessWithoutNullStreams, SpawnOptions } from "node:child_process";
 import type { Readable, Writable } from "node:stream";
 import type { JSONRPCMessage as SdkJsonRpcMessage } from "@modelcontextprotocol/sdk/types.js";
-import { type OAuthClientProviderOptions } from "../../mcp-oauth/dist/index.js";
+import { type OAuthClientProviderOptions } from "mcp-oauth";
 import type { Server as TinyStdioMcpServer } from "tiny-stdio-mcp-server";
 import type { OAuthDiscoveryCache } from "./oauth-discovery.js";
 export { OAuthMetadataDiscovery, discoverOAuthMetadata, parseBearerWwwAuthenticateHeader, resolveAuthorizationServerMetadataUrl, resolveProtectedResourceMetadataUrl, } from "./oauth-discovery.js";
-export { createAuthStoreSessionStore, createDefaultOAuthClientProvider, } from "../../mcp-oauth/dist/index.js";
+export { createAuthStoreSessionStore, createDefaultOAuthClientProvider, } from "mcp-oauth";
 export type { OAuthDiscoveryCache, } from "./oauth-discovery.js";
 export type { OAuthAuthorizationServerMetadata, OAuthDiscoveryResult, OAuthMetadataFetch, OAuthProtectedResourceMetadata, OAuthUnauthorizedChallenge } from "./oauth-discovery.js";
-export type { DefaultOAuthClientProviderOptions, OAuthClientProvider, OAuthClientProviderOptions, OAuthSessionStore, StoredOAuthSession, } from "../../mcp-oauth/dist/index.js";
+export type { DefaultOAuthClientProviderOptions, OAuthClientProvider, OAuthClientProviderOptions, OAuthSessionStore, StoredOAuthSession, } from "mcp-oauth";
 export type RequestId = number | string;
 export interface Implementation {
     name: string;
@@ -59,6 +59,7 @@ export interface InitializeResult {
 }
 export interface McpClientOptions {
     clientInfo: Implementation;
+    requestTimeoutMs?: number;
     capabilities?: ClientCapabilities;
     onToolsChanged?: () => void | Promise<void>;
     onResourcesChanged?: () => void | Promise<void>;
@@ -72,8 +73,11 @@ export interface McpClientOptions {
 export declare class McpClient {
     private currentState;
     private currentServerCapabilities;
+    private currentClientCapabilities;
     private currentServerInfo;
     private currentInstructions;
+    private readonly subscribedResourceUris;
+    private readonly activeProgressTokens;
     private readonly options;
     private transport;
     private messageLayer;
@@ -418,6 +422,7 @@ export declare class HttpTransport implements McpTransport {
     private readonly openSseReaders;
     constructor({ url, headers, fetch: fetchImpl, oauth, oauthDiscoveryCache, }: HttpTransportOptions);
     dispose(reason?: Error): void;
+    private closeWithSessionTermination;
     private abortInFlightFetches;
     private cancelOpenSseReaders;
     private fetchWithAbort;
@@ -428,7 +433,6 @@ export declare class HttpTransport implements McpTransport {
     private authorizeRequestHeaders;
     private captureSessionId;
     private maybeOpenGetSseStream;
-    private terminateSession;
     private sendSessionTerminationRequest;
     private consumeGetSseStream;
     private throwForPostHttpError;
@@ -511,6 +515,7 @@ export declare class SseParser {
 export interface JsonRpcRequestOptions {
     timeoutMs?: number;
     onRequestId?: (requestId: RequestId) => void;
+    onTimeout?: (requestId: RequestId) => void;
 }
 interface JsonRpcRequestContext {
     id: RequestId;