Patch Changes
-
#2420
7635115Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to@modelcontextprotocol/server:
requireBearerAuthgates web-standardfetch(request)hosts (Cloudflare
Workers, Deno, Bun, Hono), built on the exportedverifyBearerTokenand
bearerAuthChallengeResponsepieces, withOAuthTokenVerifiernow defined
here. The Express middleware adapts the same core and is unchanged in
behavior, except thatWWW-Authenticatechallenge values are now RFC 7235
quoted-string sanitized (quotes and backslashes escaped, control and
non-ASCII characters replaced);@modelcontextprotocol/expressre-exports
OAuthTokenVerifieras before. -
#2422
61866d7Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to@modelcontextprotocol/server:
oauthMetadataResponseserves the RFC 9728 Protected Resource Metadata and
RFC 8414 Authorization Server metadata documents from web-standard
fetch(request)hosts, built on the exported
buildOAuthProtectedResourceMetadata, with
getOAuthProtectedResourceMetadataUrlnow defined here. The Express metadata
router adapts the same core and is unchanged in behavior; the insecure-issuer
escape hatch is an explicitdangerouslyAllowInsecureIssuerUrloption in the
neutral core instead of a module-scope environment read. The web-standard
matcher validates lazily so unmatched traffic always falls through, tolerates
a trailing slash, supports HEAD, and marks reflected CORS preflights with
Vary. -
Updated dependencies [
44797d7,1b90c96,561c6d8,ce2f65d,7e69735,e8de519,0ab5d14,24be404,7635115,61866d7]:- @modelcontextprotocol/server@2.0.0-beta.3