Merge pull request #6 from 3nethz/main

Fix mismatch with protocol

Author: brionmario

.changeset/deep-wolves-cough.md

@@ -0,0 +1,6 @@
+---
+'@brionmario-experimental/mcp-express': patch
+'@brionmario-experimental/mcp-node': patch
+---
+
+Fix endpoints to match the protocol, change error handling

examples/express-mcp-server/src/index.ts

@@ -15,7 +15,7 @@ app.use(
   McpAuthServer({
     providers: [
       {
-        baseUrl: process.env.BASE_URL || 'http://localhost:3000',
+        baseUrl: process.env.BASE_URL as string,
         issuer: process.env.ISSUER,
         clientId: process.env.CLIENT_ID || '',
         clientSecret: process.env.CLIENT_SECRET,
@@ -31,7 +31,7 @@ app.use('/api', publicRoutes);
 app.use(
   '/api/protected',
   protectedRoute({
-    baseUrl: process.env.BASE_URL || 'http://localhost:3000',
+    baseUrl: process.env.BASE_URL as string,
     issuer: process.env.ISSUER,
     clientId: process.env.CLIENT_ID || '',
     clientSecret: process.env.CLIENT_SECRET,

packages/mcp-express/src/middlewares/protected-route.ts

@@ -16,15 +16,11 @@
  * under the License.
  */
 
-import {
-  AUTHORIZATION_SERVER_METADATA_URL,
-  validateAccessToken,
-  McpAuthProvider,
-} from '@brionmario-experimental/mcp-node';
+import {PROTECTED_RESOURCE_URL, validateAccessToken, McpAuthProvider} from '@brionmario-experimental/mcp-node';
 import {NextFunction, Request, Response} from 'express';
 
 export default function protectedRoute(provider?: McpAuthProvider) {
-  return async function (
+  return async function protectedMiddleware(
     req: Request,
     res: Response,
     next: NextFunction,
@@ -34,32 +30,39 @@ export default function protectedRoute(provider?: McpAuthProvider) {
     if (!authHeader) {
       res.setHeader(
         'WWW-Authenticate',
-        `Bearer resource_metadata="${req.protocol}://${req.get('host')}${AUTHORIZATION_SERVER_METADATA_URL}"`,
+        `Bearer resource_metadata="${req.protocol}://${req.get('host')}${PROTECTED_RESOURCE_URL}"`,
       );
       return res.status(401).json({
         error: 'unauthorized',
         error_description: 'Missing authorization token',
       });
     }
 
-    const parts = authHeader.split(' ');
+    const parts: string[] = authHeader.split(' ');
     if (parts.length !== 2 || parts[0] !== 'Bearer') {
       return res.status(401).json({
         error: 'invalid_token',
         error_description: 'Authorization header must be in format: Bearer [token]',
       });
     }
 
-    const token = parts[1];
+    const token: string = parts[1];
 
-    const issuerBase = provider?.baseUrl;
+    const issuerBase: string | undefined = provider?.baseUrl;
 
-    const TOKEN_VALIDATION_CONFIG = {
+    const TOKEN_VALIDATION_CONFIG: {
+      jwksUri: string;
+      options: {
+        audience?: string;
+        clockTolerance: number;
+        issuer: string;
+      };
+    } = {
       jwksUri: `${issuerBase}/oauth2/jwks`,
       options: {
-        issuer: `${issuerBase}/oauth2/token`,
         audience: provider?.clientId,
         clockTolerance: 60,
+        issuer: `${issuerBase}/oauth2/token`,
       },
     };
 
@@ -68,7 +71,6 @@ export default function protectedRoute(provider?: McpAuthProvider) {
       next();
       return undefined;
     } catch (error: any) {
-      console.error('Token validation failed:', error.message);
       return res.status(401).json({
         error: 'invalid_token',
         error_description: error.message || 'Invalid or expired token',

packages/mcp-node/src/constants/authorization-server.ts

@@ -26,4 +26,4 @@ export const AUTHORIZATION_SERVER_METADATA_URL: string = '/.well-known/oauth-aut
  * The well-known path for OAuth 2.0 Resource Server Metadata.
  * @see https://datatracker.ietf.org/doc/html/rfc9728#name-obtaining-protected-resourc
  */
-export const PROTECTED_RESOURCE_URL: string = '/.well-known/protected-resource';
+export const PROTECTED_RESOURCE_URL: string = '/.well-known/oauth-protected-resource';

packages/mcp-node/src/utils/generate-authorization-server-metadata.ts

@@ -57,7 +57,7 @@ export default function generateAuthorizationServerMetadata(
   }
 
   // TODO: Check this further.
-  metadata.jwks_uri = `${options.baseUrl}/jwks.json`;
+  metadata.jwks_uri = `${options.baseUrl}/oauth/jwks`;
 
   return metadata;
 }

packages/mcp-node/src/utils/validate-access-token.ts

@@ -17,7 +17,7 @@
  */
 
 import {URL} from 'url';
-import {createRemoteJWKSet, jwtVerify, JWTVerifyResult, JWTPayload, JWTVerifyOptions} from 'jose';
+import {createRemoteJWKSet, jwtVerify, JWTVerifyResult, JWTPayload, JWTVerifyOptions, ResolvedKey} from 'jose';
 
 export default async function validateAccessToken(
   accessToken: string,
@@ -47,13 +47,13 @@ export default async function validateAccessToken(
     throw new Error('Audience must be a non-empty string or array of strings in options.');
   }
 
-  const JWKS = createRemoteJWKSet(jwksUrl);
+  const JWKS: ReturnType<typeof createRemoteJWKSet> = createRemoteJWKSet(jwksUrl);
 
   try {
-    const result = await jwtVerify(accessToken, JWKS, {
-      issuer,
+    const result: JWTVerifyResult<JWTPayload> & ResolvedKey = await jwtVerify(accessToken, JWKS, {
       audience,
       clockTolerance,
+      issuer,
     });
 
     const SUPPORTED_SIGNATURE_ALGORITHMS: string[] = ['RS256', 'RS512', 'RS384', 'PS256'];
@@ -70,22 +70,42 @@ export default async function validateAccessToken(
   } catch (error: any) {
     if (error.code) {
       switch (error.code) {
-        case 'ERR_JOSE_GENERIC':
-          if (error.message.includes('request failed')) {
-            throw new Error(`Failed to fetch JWKS from ${jwksUri}: ${error.message}`);
-          }
-          break;
-        case 'ERR_JOSE_NO_KEY_MATCHED':
-          throw new Error(`No matching key found in JWKS for the token's 'kid' header: ${error.message}`);
-        case 'ERR_JOSE_JWK_SET_MALFORMED':
-          throw new Error(`Malformed JWKS found at ${jwksUri}: ${error.message}`);
+        // JWKS specific issues
+        case 'ERR_JWKS_TIMEOUT':
+          throw new Error(`Timeout while fetching JWKS from ${jwksUri}: ${error.message}`);
+        case 'ERR_JWKS_NO_MATCHING_KEY':
+          throw new Error(`No matching key found in JWKS at ${jwksUri} for the token's header: ${error.message}`);
+        case 'ERR_JWKS_INVALID':
+          throw new Error(`Invalid or malformed JWKS found at ${jwksUri}: ${error.message}`);
+
+        // JWS/JWT structural or signature issues
+        case 'ERR_JWS_INVALID':
+          throw new Error(`Invalid JWS structure: ${error.message}`);
+        case 'ERR_JWT_INVALID':
+          throw new Error(`Invalid JWT structure or payload: ${error.message}`);
+        case 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED':
+          throw new Error(`Token signature verification failed: ${error.message}`);
+
+        // Common JWT claim validation issues
+        case 'ERR_JWT_EXPIRED':
+          throw new Error(`Token has expired: ${error.message}`);
+        case 'ERR_JWT_CLAIM_VALIDATION_FAILED':
+          throw new Error(`JWT claim validation failed (${error.claim || 'unknown claim'}): ${error.message}`);
+
+        // Other JOSE potential issues
+        case 'ERR_JOSE_ALG_NOT_ALLOWED':
+          throw new Error(`Token algorithm is not allowed: ${error.message}`);
+        case 'ERR_JOSE_NOT_SUPPORTED':
+          throw new Error(`An unsupported JOSE feature/algorithm was encountered: ${error.message}`);
+
         default:
-          if (error.code.startsWith('ERR_JWT_')) {
-            throw new Error(`JWT validation error: ${error.message} (Code: ${error.code})`);
-          }
+          throw new Error(`JOSE validation error: ${error.message} (Code: ${error.code})`);
       }
     }
 
-    throw new Error(`An unexpected error occurred during token validation: ${error.message}`);
+    // Fallback for non-JOSE errors or errors without a code property
+    throw new Error(
+      `An unexpected error occurred during token validation: ${error instanceof Error ? error.message : String(error)}`,
+    );
   }
 }