From 077fed19b90b80d6cf3929a08a1f7bf6547b06b1 Mon Sep 17 00:00:00 2001
From: Paul Carleton
Date: Thu, 17 Jul 2025 13:54:28 +0100
Subject: [PATCH 1/2] Add PRM metadata to www-authenticate
---
 src/index.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index bdd16a6..956657f 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,5 +1,5 @@
 import { BearerAuthMiddlewareOptions, requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
-import { AuthRouterOptions, mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { AuthRouterOptions, getOAuthProtectedResourceMetadataUrl, mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import cors from "cors";
 import express from "express";
 import path from "path";
@@ -44,13 +44,13 @@ const baseSecurityHeaders = (req: express.Request, res: express.Response, next:
 // Structured logging middleware
 const loggingMiddleware = (req: express.Request, res: express.Response, next: express.NextFunction) => {
 const startTime = Date.now();
-
+
 // Sanitize headers to remove sensitive information
 const sanitizedHeaders = { ...req.headers };
 delete sanitizedHeaders.authorization;
 delete sanitizedHeaders.cookie;
 delete sanitizedHeaders['x-api-key'];
-
+
 // Log request (without sensitive data)
 logger.info('Request received', {
 method: req.method,
@@ -145,7 +145,8 @@ const dearerAuthMiddlewareOptions: BearerAuthMiddlewareOptions = {
 // verifyAccessToken(token: string): Promise;
 verifier: {
 verifyAccessToken: authProvider.verifyAccessToken.bind(authProvider),
- }
+ },
+ resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(BASE_URI),
 }
 
 app.use(mcpAuthRouter(options));
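Review bot: The added `resourceMetadataUrl` line in the `@@ -145,7 +145,8 @@` hunk is computed from `BASE_URI` on its own, separately from the `options` object handed to `mcpAuthRouter(options)` two lines later, so nothing visible here guarantees that the URL advertised in the `WWW-Authenticate` challenge is the one the router actually serves the protected resource metadata from. `options` and the opening of this object literal are defined outside the hunk; if `options` is built from a different base than `BASE_URI`, a client following the challenge would be pointed at a missing document or at another origin. Deriving both values from one parsed constant keeps them in step, and a comment on the new line such as `// Sent in WWW-Authenticate on 401 so clients can locate the protected resource metadata; must match the URL mcpAuthRouter serves` would record the coupling. Separately, the declared name `dearerAuthMiddlewareOptions` shown in the hunk header looks like a typo for `bearerAuthMiddlewareOptions`.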
@@ -166,7 +167,7 @@ app.get("/mcp-logo.png", (req, res) => {
 res.sendFile(logoPath);
 });
 
-// Upstream auth routes
+// Upstream auth routes
 app.get("/fakeupstreamauth/authorize", cors(corsOptions), handleFakeAuthorize);
 app.get("/fakeupstreamauth/callback", cors(corsOptions), handleFakeAuthorizeRedirect);
 
From 1160524a70aaf3002c35bdd4de58d4f3023d509d Mon Sep 17 00:00:00 2001
From: Paul Carleton
Date: Thu, 17 Jul 2025 14:20:50 +0100
Subject: [PATCH 2/2] types
---
 src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/index.ts b/src/index.ts
index 956657f..cb8c1b2 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -146,7 +146,7 @@ const dearerAuthMiddlewareOptions: BearerAuthMiddlewareOptions = {
 verifier: {
 verifyAccessToken: authProvider.verifyAccessToken.bind(authProvider),
 },
- resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(BASE_URI),
+ resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(new URL(BASE_URI)),
 }
 
 app.use(mcpAuthRouter(options));
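Review bot: `new URL(BASE_URI)` on the changed line of the `@@ -146,7 +146,7 @@` hunk throws at module load when `BASE_URI` is unset, empty or not an absolute URL, and the resulting `TypeError` does not say which setting is wrong. `BASE_URI` is defined outside this hunk, so it may already be validated there; if it is not, parse it once where it is defined, fail with a message that names the setting, and reuse the parsed value here, e.g. `const baseUrl = new URL(BASE_URI);` followed by `getOAuthProtectedResourceMetadataUrl(baseUrl)`. Because this URL is returned to every unauthenticated caller and tells it where to discover the authorization server, the same startup check is a good place to reject a non-`https:` scheme outside local development.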