feat(express): restore Resource-Server auth glue (requireBearerAuth, mcpAuthMetadataRouter)#1907
Draft
felixweinberger wants to merge 1 commit into main from
Conversation
🦋 Changeset detected. Latest commit: 15c44b6. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR.
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
f9f1d76 to d1e0ddf (Compare)
…col/express

Adds first-class (not deprecated) OAuth Resource-Server helpers to the Express adapter, restoring the v1 src/server/auth pieces that an MCP server needs when it delegates to an external Authorization Server:

- requireBearerAuth: Express middleware that validates a Bearer token via a pluggable OAuthTokenVerifier, attaches AuthInfo to req.auth, and on failure emits RFC 6750 WWW-Authenticate challenges (with optional resource_metadata pointer per RFC 9728).
- mcpAuthMetadataRouter: serves RFC 9728 Protected Resource Metadata at /.well-known/oauth-protected-resource[/<path>] and mirrors the AS metadata at /.well-known/oauth-authorization-server, with permissive CORS and a GET/OPTIONS allow-list.
- getOAuthProtectedResourceMetadataUrl: builds the path-aware PRM URL for a given server URL.
- OAuthTokenVerifier interface, plus metadataHandler / allowedMethods building blocks.

Adapted to v2's single OAuthError + OAuthErrorCode (no per-code subclasses) and to types re-exported via @modelcontextprotocol/server.

Adds cors as a runtime dependency and supertest as a dev dependency for the integration tests.
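A worked illustration of the pieces the commit message above describes, added here as an example and not code from this PR or from the MCP SDK. It builds the path-aware PRM URL, the RFC 9728 metadata document, the RFC 6750 challenge with its resource_metadata pointer, and an Express-style Bearer middleware around a pluggable verifier. Every name below (requireBearerAuth, verifyAccessToken, the AuthInfo fields, the constructed token table and the mock response) is assumed for illustration; the verifier is synchronous only so the block runs without a server or network.

```javascript
// Added example, not code from this PR or the MCP SDK: an Express-compatible Bearer
// middleware plus RFC 9728 metadata helpers, driven here by plain request/response
// objects so it runs without Express. All names below are assumed for illustration.

// RFC 9728 §3.1: insert the well-known segment between host and path, so
// https://rs.example.com/mcp -> .../.well-known/oauth-protected-resource/mcp (root: no suffix).
function getOAuthProtectedResourceMetadataUrl(serverUrl) {
  const u = new URL(serverUrl);
  u.pathname = `/.well-known/oauth-protected-resource${u.pathname.replace(/\/+$/, '')}`;
  u.search = u.hash = '';
  return u.href;
}

// RFC 9728 §2: the document a client fetches to learn which Authorization Server
// issues tokens for this resource and which scopes it understands.
function buildProtectedResourceMetadata({ resourceUrl, authorizationServers, scopesSupported = [] }) {
  return {
    resource: resourceUrl,
    authorization_servers: authorizationServers,
    scopes_supported: scopesSupported,
    bearer_methods_supported: ['header'], // tokens accepted only in the Authorization header
  };
}

// RFC 6750 §3 challenge; resource_metadata (RFC 9728 §5.1) tells the client where
// the PRM document lives so it can discover the Authorization Server itself.
function buildChallenge({ error, description, resourceMetadataUrl }) {
  const params = [];
  if (error) params.push(`error="${error}"`);
  if (description) params.push(`error_description="${description.replace(/["\\]/g, '')}"`);
  if (resourceMetadataUrl) params.push(`resource_metadata="${resourceMetadataUrl}"`);
  return params.length > 0 ? `Bearer ${params.join(', ')}` : 'Bearer';
}

// Pure decision function, kept apart from the Express wiring so it is testable
// without a server. Returns {status, error, description} or {status: 200, auth}.
function authorizeBearer(header, { verifier, requiredScopes = [], now = Date.now() / 1000 }) {
  // RFC 6750 §3.1: with no credentials at all, challenge without an error code.
  if (!header) return { status: 401 };
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  if (!m) return { status: 401, error: 'invalid_request', description: 'Expected Bearer scheme' };
  let auth;
  try {
    auth = verifier.verifyAccessToken(m[1]); // throws for unknown or malformed tokens
  } catch {
    return { status: 401, error: 'invalid_token', description: 'Token verification failed' };
  }
  if (auth.expiresAt !== undefined && auth.expiresAt < now) return { status: 401, error: 'invalid_token', description: 'Token has expired' };
  const missing = requiredScopes.filter((s) => !auth.scopes.includes(s));
  if (missing.length > 0) return { status: 403, error: 'insufficient_scope', description: `Missing scopes: ${missing.join(' ')}` };
  return { status: 200, auth };
}

// Express-style middleware factory: on success attaches AuthInfo to req.auth and
// calls next(); on failure sets WWW-Authenticate and ends the response.
function requireBearerAuth(options) {
  return function bearerAuth(req, res, next) {
    const d = authorizeBearer(req.headers.authorization, options);
    if (d.status === 200) {
      req.auth = d.auth;
      return next();
    }
    res.set('WWW-Authenticate', buildChallenge({ ...d, resourceMetadataUrl: options.resourceMetadataUrl }));
    res.status(d.status).json(d.error ? { error: d.error, error_description: d.description } : {});
  };
}

// Constructed verifier: an in-memory token table standing in for JWT validation or
// introspection against the external AS (synchronous only to keep the example self-contained).
const constructedTokens = new Map([
  ['tok-valid', { clientId: 'client-a', scopes: ['mcp:read', 'mcp:tools'], expiresAt: 4102444800 }],
  ['tok-expired', { clientId: 'client-a', scopes: ['mcp:read'], expiresAt: 1 }],
]);
const constructedVerifier = {
  verifyAccessToken(token) {
    const info = constructedTokens.get(token);
    if (!info) throw new Error('unknown token');
    return { token, ...info };
  },
};

// Minimal Express-shaped response so the middleware can be exercised in-process.
function mockResponse() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.set = (name, value) => { res.headers[name.toLowerCase()] = value; return res; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Push one constructed request through the middleware and report the outcome.
function runRequest(authorizationHeader, requiredScopes = []) {
  const middleware = requireBearerAuth({
    verifier: constructedVerifier,
    requiredScopes,
    resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl('https://rs.example.com/mcp'),
  });
  const req = { headers: authorizationHeader ? { authorization: authorizationHeader } : {} };
  const res = mockResponse();
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode, challenge: res.headers['www-authenticate'], auth: req.auth };
}
```

Two details worth checking in any real implementation of this shape: a request with no Authorization header at all gets a bare `Bearer resource_metadata="..."` challenge (RFC 6750 says not to attach an error code in that case, and the pointer is what lets a client bootstrap discovery), while a token that verifies but lacks a required scope gets 403 with `insufficient_scope` rather than 401. A production verifier would be async, so the middleware would `await` it and the error branch would also need to stay off the `next()` path.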
d1e0ddf to 15c44b6 (Compare)
Part of the v2 backwards-compatibility series — see reviewer guide.

v2 removed all server-side auth. The Resource-Server half (bearer-token verification, RFC 9728 PRM metadata) is MCP-spec-mandated and v2's own examples reimplement ~688 LOC of it. This restores those pieces in `@modelcontextprotocol/express`, first-class (not deprecated). v1's auth was Express-specific.

## Motivation and Context

## v1 vs v2 pattern & evidence

v1 pattern: `import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js'`

v2-native: `import { requireBearerAuth } from '@modelcontextprotocol/express'`

Evidence: Express peer widened to `^4 || ^5`.

## How Has This Been Tested?

v2-bc-integration validation branch; `pnpm typecheck:all && pnpm lint:all && pnpm test:all` green.

## Breaking Changes

None — additive. `@deprecated` shim. Removed in v3.

## Types of changes

## Checklist

## Additional context

Stacks on: none