
Commit a7b1083

Merge pull request #4 from modelcontextprotocol/pcarleton/prm-www
Add PRM metadata to www-authenticate
2 parents 927d34c + 1160524 commit a7b1083


1 file changed

+6
-5
lines changed


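--- a/src/index.ts
+++ b/src/index.ts
@@ -1,5 +1,5 @@
 import { BearerAuthMiddlewareOptions, requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
-import { AuthRouterOptions, mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { AuthRouterOptions, getOAuthProtectedResourceMetadataUrl, mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import cors from "cors";
 import express from "express";
 import path from "path";
@@ -44,13 +44,13 @@ const baseSecurityHeaders = (req: express.Request, res: express.Response, next:
 // Structured logging middleware
 const loggingMiddleware = (req: express.Request, res: express.Response, next: express.NextFunction) => {
 const startTime = Date.now();
-
+
 // Sanitize headers to remove sensitive information
 const sanitizedHeaders = { ...req.headers };
 delete sanitizedHeaders.authorization;
 delete sanitizedHeaders.cookie;
 delete sanitizedHeaders['x-api-key'];
-
+
 // Log request (without sensitive data)
 logger.info('Request received', {
 method: req.method,
@@ -145,7 +145,8 @@ const dearerAuthMiddlewareOptions: BearerAuthMiddlewareOptions = {
 // verifyAccessToken(token: string): Promise<AuthInfo>;
 verifier: {
 verifyAccessToken: authProvider.verifyAccessToken.bind(authProvider),
-}
+},
+resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(new URL(BASE_URI)),
 }
 
 app.use(mcpAuthRouter(options));
@@ -166,7 +167,7 @@ app.get("/mcp-logo.png", (req, res) => {
 res.sendFile(logoPath);
 });
 
-// Upstream auth routes
+// Upstream auth routes
 app.get("/fakeupstreamauth/authorize", cors(corsOptions), handleFakeAuthorize);
 app.get("/fakeupstreamauth/callback", cors(corsOptions), handleFakeAuthorizeRedirect);
 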
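Review bot: The `resourceMetadataUrl` added at new line 149 is only useful if the protected-resource metadata document it points to is actually served for that origin, and this hunk does not show that the `options` passed to `mcpAuthRouter` on line 152 is built from the same `BASE_URI`; if the two diverge, the 401 `WWW-Authenticate` header sends clients to a `/.well-known/oauth-protected-resource` URL the router never answers. A comment next to the new line would make the coupling explicit, e.g. `// Must match the PRM document mcpAuthRouter serves for BASE_URI; clients resolve this URL from the 401 WWW-Authenticate header`. Advertising PRM also implies tokens should be audience-bound to this resource, and `verifyAccessToken` on line 147 is the only place that could enforce it, but its implementation is outside this hunk, so confirm it rejects tokens issued for a different resource. `new URL(BASE_URI)` throws at module load if `BASE_URI` is not an absolute URL, which is an acceptable fail-fast as long as that is the intended behaviour for a misconfigured deployment. The enclosing declaration `dearerAuthMiddlewareOptions` starts before this hunk and its name looks like a typo for `bearerAuthMiddlewareOptions`.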