Server implementation of MCP auth

package.json

@@ -47,24 +47,30 @@
   },
   "dependencies": {
     "content-type": "^1.0.5",
+    "cors": "^2.8.5",
     "eventsource": "^3.0.2",
+    "express": "^5.0.1",
+    "express-rate-limit": "^7.5.0",
     "pkce-challenge": "^4.1.0",
     "raw-body": "^3.0.0",
     "zod": "^3.23.8",
     "zod-to-json-schema": "^3.24.1"
   },
   "devDependencies": {
     "@eslint/js": "^9.8.0",
+    "@jest-mock/express": "^3.0.0",
     "@types/content-type": "^1.1.8",
+    "@types/cors": "^2.8.17",
     "@types/eslint__js": "^8.42.3",
     "@types/eventsource": "^1.1.15",
-    "@types/express": "^4.17.21",
+    "@types/express": "^5.0.0",
     "@types/jest": "^29.5.12",
     "@types/node": "^22.0.2",
+    "@types/supertest": "^6.0.2",
     "@types/ws": "^8.5.12",
     "eslint": "^9.8.0",
-    "express": "^4.19.2",
     "jest": "^29.7.0",
+    "supertest": "^7.0.0",
     "ts-jest": "^29.2.4",
     "tsx": "^4.16.5",
     "typescript": "^5.5.4",
@@ -74,4 +80,4 @@
   "resolutions": {
     "strip-ansi": "6.0.1"
   }
-}
+}

src/client/auth.test.ts

@@ -6,7 +6,6 @@ import {
   registerClient,
 } from "./auth.js";
 
-
 // Mock fetch globally
 const mockFetch = jest.fn();
 global.fetch = mockFetch;

src/client/auth.ts

@@ -1,84 +1,7 @@
 import pkceChallenge from "pkce-challenge";
-import { z } from "zod";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
-
-export const OAuthMetadataSchema = z
-  .object({
-    issuer: z.string(),
-    authorization_endpoint: z.string(),
-    token_endpoint: z.string(),
-    registration_endpoint: z.string().optional(),
-    scopes_supported: z.array(z.string()).optional(),
-    response_types_supported: z.array(z.string()),
-    response_modes_supported: z.array(z.string()).optional(),
-    grant_types_supported: z.array(z.string()).optional(),
-    token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
-    token_endpoint_auth_signing_alg_values_supported: z
-      .array(z.string())
-      .optional(),
-    service_documentation: z.string().optional(),
-    revocation_endpoint: z.string().optional(),
-    revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
-    revocation_endpoint_auth_signing_alg_values_supported: z
-      .array(z.string())
-      .optional(),
-    introspection_endpoint: z.string().optional(),
-    introspection_endpoint_auth_methods_supported: z
-      .array(z.string())
-      .optional(),
-    introspection_endpoint_auth_signing_alg_values_supported: z
-      .array(z.string())
-      .optional(),
-    code_challenge_methods_supported: z.array(z.string()).optional(),
-  })
-  .passthrough();
-
-export const OAuthTokensSchema = z
-  .object({
-    access_token: z.string(),
-    token_type: z.string(),
-    expires_in: z.number().optional(),
-    scope: z.string().optional(),
-    refresh_token: z.string().optional(),
-  })
-  .strip();
-
-/**
- * Client metadata schema according to RFC 7591 OAuth 2.0 Dynamic Client Registration
- */
-export const OAuthClientMetadataSchema = z.object({
-  redirect_uris: z.array(z.string()),
-  token_endpoint_auth_method: z.string().optional(),
-  grant_types: z.array(z.string()).optional(),
-  response_types: z.array(z.string()).optional(),
-  client_name: z.string().optional(),
-  client_uri: z.string().optional(),
-  logo_uri: z.string().optional(),
-  scope: z.string().optional(),
-  contacts: z.array(z.string()).optional(),
-  tos_uri: z.string().optional(),
-  policy_uri: z.string().optional(),
-  jwks_uri: z.string().optional(),
-  jwks: z.any().optional(),
-  software_id: z.string().optional(),
-  software_version: z.string().optional(),
-}).passthrough();
-
-/**
- * Client information response schema according to RFC 7591
- */
-export const OAuthClientInformationSchema = z.object({
-  client_id: z.string(),
-  client_secret: z.string().optional(),
-  client_id_issued_at: z.number().optional(),
-  client_secret_expires_at: z.number().optional(),
-}).passthrough();
-
-export type OAuthMetadata = z.infer<typeof OAuthMetadataSchema>;
-export type OAuthTokens = z.infer<typeof OAuthTokensSchema>;
-
-export type OAuthClientMetadata = z.infer<typeof OAuthClientMetadataSchema>;
-export type OAuthClientInformation = z.infer<typeof OAuthClientInformationSchema>;
+import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull } from "../shared/auth.js";
+import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
 
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
@@ -113,7 +36,7 @@ export interface OAuthClientProvider {
    * This method is not required to be implemented if client information is
    * statically known (e.g., pre-registered).
    */
-  saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
+  saveClientInformation?(clientInformation: OAuthClientInformationFull): void | Promise<void>;
 
   /**
    * Loads any existing OAuth tokens for the current session, or returns
@@ -175,12 +98,13 @@ export async function auth(
       throw new Error("OAuth client information must be saveable for dynamic registration");
     }
 
-    clientInformation = await registerClient(serverUrl, {
+    const fullInformation = await registerClient(serverUrl, {
       metadata,
       clientMetadata: provider.clientMetadata,
     });
 
-    await provider.saveClientInformation(clientInformation);
+    await provider.saveClientInformation(fullInformation);
+    clientInformation = fullInformation;
   }
 
   // Exchange authorization code for tokens
@@ -448,7 +372,7 @@ export async function registerClient(
     metadata?: OAuthMetadata;
     clientMetadata: OAuthClientMetadata;
   },
-): Promise<OAuthClientInformation> {
+): Promise<OAuthClientInformationFull> {
   let registrationUrl: URL;
 
   if (metadata) {
@@ -473,5 +397,5 @@ export async function registerClient(
     throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
   }
 
-  return OAuthClientInformationSchema.parse(await response.json());
+  return OAuthClientInformationFullSchema.parse(await response.json());
 }

src/client/sse.test.ts

@@ -2,7 +2,8 @@ import { createServer, type IncomingMessage, type Server } from "http";
 import { AddressInfo } from "net";
 import { JSONRPCMessage } from "../types.js";
 import { SSEClientTransport } from "./sse.js";
-import { OAuthClientProvider, OAuthTokens, UnauthorizedError } from "./auth.js";
+import { OAuthClientProvider, UnauthorizedError } from "./auth.js";
+import { OAuthTokens } from "../shared/auth.js";
 
 describe("SSEClientTransport", () => {
   let server: Server;

src/server/auth/clients.test.ts

@@ -0,0 +1,144 @@
+import { OAuthRegisteredClientsStore } from './clients.js';
+import { OAuthClientInformationFull } from '../../shared/auth.js';
+
+describe('OAuthRegisteredClientsStore', () => {
+  // Create a mock implementation class for testing
+  class MockClientStore implements OAuthRegisteredClientsStore {
+    private clients: Record<string, OAuthClientInformationFull> = {};
+
+    async getClient(clientId: string): Promise<OAuthClientInformationFull | undefined> {
+      const client = this.clients[clientId];
+
+      // Return undefined for non-existent client
+      if (!client) return undefined;
+
+      // Check if client secret has expired
+      if (client.client_secret &&
+        client.client_secret_expires_at &&
+        client.client_secret_expires_at < Math.floor(Date.now() / 1000)) {
+        // If expired, retain client but remove the secret
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { client_secret, ...clientWithoutSecret } = client;
+        return clientWithoutSecret as OAuthClientInformationFull;
+      }
+
+      return client;
+    }
+
+    async registerClient(client: OAuthClientInformationFull): Promise<OAuthClientInformationFull> {
+      this.clients[client.client_id] = { ...client };
+      return client;
+    }
+  }
+
+  let mockStore: MockClientStore;
+
+  beforeEach(() => {
+    mockStore = new MockClientStore();
+  });
+
+  describe('getClient', () => {
+    it('returns undefined for non-existent client', async () => {
+      const result = await mockStore.getClient('non-existent-id');
+      expect(result).toBeUndefined();
+    });
+
+    it('returns client information for existing client', async () => {
+      const mockClient: OAuthClientInformationFull = {
+        client_id: 'test-client-123',
+        client_secret: 'secret456',
+        redirect_uris: ['https://example.com/callback']
+      };
+
+      await mockStore.registerClient(mockClient);
+      const result = await mockStore.getClient('test-client-123');
+
+      expect(result).toEqual(mockClient);
+    });
+
+    it('handles expired client secrets correctly', async () => {
+      const now = Math.floor(Date.now() / 1000);
+
+      // Client with expired secret (one hour in the past)
+      const expiredClient: OAuthClientInformationFull = {
+        client_id: 'expired-client',
+        client_secret: 'expired-secret',
+        client_secret_expires_at: now - 3600,
+        redirect_uris: ['https://example.com/callback']
+      };
+
+      await mockStore.registerClient(expiredClient);
+      const result = await mockStore.getClient('expired-client');
+
+      // Expect client to be returned but without the secret
+      expect(result).toBeDefined();
+      expect(result!.client_id).toBe('expired-client');
+      expect(result!.client_secret).toBeUndefined();
+    });
+
+    it('keeps valid client secrets', async () => {
+      const now = Math.floor(Date.now() / 1000);
+
+      // Client with valid secret (expires one hour in the future)
+      const validClient: OAuthClientInformationFull = {
+        client_id: 'valid-client',
+        client_secret: 'valid-secret',
+        client_secret_expires_at: now + 3600,
+        redirect_uris: ['https://example.com/callback']
+      };
+
+      await mockStore.registerClient(validClient);
+      const result = await mockStore.getClient('valid-client');
+
+      // Secret should still be present
+      expect(result?.client_secret).toBe('valid-secret');
+    });
+  });
+
+  describe('registerClient', () => {
+    it('successfully registers a new client', async () => {
+      const newClient: OAuthClientInformationFull = {
+        client_id: 'new-client-id',
+        client_secret: 'new-client-secret',
+        redirect_uris: ['https://example.com/callback']
+      };
+
+      const result = await mockStore.registerClient(newClient);
+
+      // Verify registration returns the client
+      expect(result).toEqual(newClient);
+
+      // Verify the client is retrievable
+      const storedClient = await mockStore.getClient('new-client-id');
+      expect(storedClient).toEqual(newClient);
+    });
+
+    it('handles clients with all metadata fields', async () => {
+      const fullClient: OAuthClientInformationFull = {
+        client_id: 'full-client',
+        client_secret: 'full-secret',
+        client_id_issued_at: Math.floor(Date.now() / 1000),
+        client_secret_expires_at: Math.floor(Date.now() / 1000) + 86400, // 24 hours
+        redirect_uris: ['https://example.com/callback'],
+        token_endpoint_auth_method: 'client_secret_basic',
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        client_name: 'Test Client',
+        client_uri: 'https://example.com',
+        logo_uri: 'https://example.com/logo.png',
+        scope: 'profile email',
+        contacts: ['[email protected]'],
+        tos_uri: 'https://example.com/tos',
+        policy_uri: 'https://example.com/privacy',
+        jwks_uri: 'https://example.com/jwks',
+        software_id: 'test-software',
+        software_version: '1.0.0'
+      };
+
+      await mockStore.registerClient(fullClient);
+      const result = await mockStore.getClient('full-client');
+
+      expect(result).toEqual(fullClient);
+    });
+  });
+});

src/server/auth/clients.ts

@@ -0,0 +1,20 @@
+import { OAuthClientInformationFull } from "../../shared/auth.js";
+
+/**
+ * Stores information about registered OAuth clients for this server.
+ */
+export interface OAuthRegisteredClientsStore {
+  /**
+   * Returns information about a registered client, based on its ID.
+   */
+  getClient(clientId: string): OAuthClientInformationFull | undefined | Promise<OAuthClientInformationFull | undefined>;
+
+  /**
+   * Registers a new client with the server. The client ID and secret will be automatically generated by the library. A modified version of the client information can be returned to reflect specific values enforced by the server.
+   * 
+   * NOTE: Implementations must ensure that client secrets, if present, are expired in accordance with the `client_secret_expires_at` field.
+   * 
+   * If unimplemented, dynamic client registration is unsupported.
+   */
+  registerClient?(client: OAuthClientInformationFull): OAuthClientInformationFull | Promise<OAuthClientInformationFull>;
+}