Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Misc fixes in auth #157

Merged
merged 9 commits into from
Feb 25, 2025
Merged

Misc fixes in auth #157

merged 9 commits into from
Feb 25, 2025

Conversation

jerome3o-anthropic
Copy link
Contributor

@jerome3o-anthropic jerome3o-anthropic commented Feb 23, 2025
edited
Loading

While hacking with this I ran into a few little issues, these are the fixes.

  • Check token expiry in requireAuth middleware
  • Gracefully handle cors issues in metadata fetching (experienced due to MCP-Protocol-Version header)
  • Don't set client secret expiry for public clients

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 23, 2025
View reviewed changes
k6l3
k6l3 approved these changes Feb 24, 2025
View reviewed changes
src/client/auth.ts Outdated
try {
response = await fetch(url);
} catch {
return undefined;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure you don't want to log/throw the exception?

jspahrsummers
jspahrsummers approved these changes Feb 24, 2025
View reviewed changes
Copy link
Member

@jspahrsummers jspahrsummers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments, but the logic looks good 👍

src/server/auth/handlers/register.ts Outdated
Comment on lines 92 to 96
client_secret_expires_at: isPublicClient
? clientSecretExpirySeconds > 0
? clientIdIssuedAt + clientSecretExpirySeconds
: 0
: undefined,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nested ternaries is a bit much—can we pull some of this out into one or two intermediate variables?

src/client/auth.ts Outdated
}
});
} catch {
try {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to conditionalize this based on what the error actually was?

src/client/auth.ts Outdated
Comment on lines 174 to 177
try {
response = await fetch(url);
} catch {
return undefined;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be fine to let this error propagate if there's an actual network error (or otherwise), rather than a 404.

@jerome3o-anthropic jerome3o-anthropic merged commit 42b1738 into main Feb 25, 2025
4 checks passed
@jerome3o-anthropic jerome3o-anthropic deleted the jerome/fix/no-mcp-header-in-metadata-fetching branch February 25, 2025 09:54
MediaInfluences pushed a commit to MediaInfluences/typescript-sdk that referenced this pull request Apr 3, 2025
@jerome3o-anthropic
Merge pull request modelcontextprotocol#157 from modelcontextprotocol…
ec46e17 
…/jerome/fix/no-mcp-header-in-metadata-fetching

* Check token expiry in requireAuth middleware
* Gracefully handle cors issues in metadata fetching (experienced due to MCP-Protocol-Version header)
* Don't set client secret expiry for public clients
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jspahrsummers jspahrsummers jspahrsummers approved these changes

@k6l3 k6l3 k6l3 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jerome3o-anthropic @jspahrsummers @k6l3