@@ -26,6 +26,7 @@ import {
2626} from "@dkg/plugins/testing" ;
2727import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js" ;
2828import type { Client } from "@modelcontextprotocol/sdk/client/index.js" ;
29+ import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js" ;
2930import express from "express" ;
3031
3132const story = bicycleStory as any ;
@@ -54,14 +55,24 @@ type ToolCallParams = {
5455 arguments ?: Record < string , unknown > ;
5556} ;
5657
57- const MCP_TOOL_AUTH = {
58+ const MCP_TOOL_AUTH : { authInfo : AuthInfo } = {
5859 authInfo : {
60+ token : "test-token" ,
61+ clientId : "test-client" ,
5962 scopes : [ "epcis.read" , "epcis.write" ] ,
6063 } ,
61- } as const ;
64+ } ;
65+
66+ let setMcpClientAuthInfo : ( ( authInfo ?: AuthInfo ) => void ) | null = null ;
6267
6368function callToolWithAuth ( client : Client , params : ToolCallParams ) {
64- return client . callTool ( params , undefined , MCP_TOOL_AUTH as any ) ;
69+ setMcpClientAuthInfo ?.( MCP_TOOL_AUTH . authInfo ) ;
70+ return client . callTool ( params ) ;
71+ }
72+
73+ function callToolWithoutAuth ( client : Client , params : ToolCallParams ) {
74+ setMcpClientAuthInfo ?.( undefined ) ;
75+ return client . callTool ( params ) ;
6576}
6677
6778describe ( "@dkg/plugin-epcis checks" , function ( ) {
@@ -87,9 +98,11 @@ describe("@dkg/plugin-epcis checks", function () {
8798 } ;
8899 dkgQueryStub = sinon . stub ( dkgContext . dkg . graph , "query" ) ;
89100
90- const { server, client, connect } = await createMcpServerClientPair ( ) ;
101+ const { server, client, connect, setClientAuthInfo } =
102+ await createMcpServerClientPair ( ) ;
91103 mockMcpServer = server ;
92104 mockMcpClient = client ;
105+ setMcpClientAuthInfo = setClientAuthInfo ;
93106 apiRouter = express . Router ( ) ;
94107 app = createExpressApp ( ) ;
95108
@@ -99,6 +112,7 @@ describe("@dkg/plugin-epcis checks", function () {
99112 } ) ;
100113
101114 afterEach ( ( ) => {
115+ setMcpClientAuthInfo = null ;
102116 sinon . restore ( ) ;
103117 if ( originalMcpUrl !== undefined ) {
104118 process . env . EXPO_PUBLIC_MCP_URL = originalMcpUrl ;
@@ -562,6 +576,18 @@ describe("@dkg/plugin-epcis checks", function () {
562576 ) ;
563577 } ) ;
564578
579+ it ( "returns Forbidden when MCP auth context is missing" , async ( ) => {
580+ const result = await callToolWithoutAuth ( mockMcpClient , {
581+ name : "epcis-query" ,
582+ arguments : { bizStep : "receiving" } ,
583+ } ) ;
584+ const payload = parseToolResult ( result ) ;
585+
586+ expect ( result . isError ) . to . equal ( true ) ;
587+ expect ( payload . error ) . to . equal ( "Forbidden" ) ;
588+ expect ( payload . requiredScope ) . to . equal ( "epcis.read" ) ;
589+ } ) ;
590+
565591 it ( "returns MCP error when DKG query fails" , async ( ) => {
566592 dkgQueryStub . rejects ( new Error ( "query exploded" ) ) ;
567593 const result = await callToolWithAuth ( mockMcpClient , {
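Review bot: The new "returns Forbidden when MCP auth context is missing" test checks the error payload but not that the denial happened before any backend work; adding `expect(dkgQueryStub.called).to.equal(false);` would pin that an unauthenticated `epcis-query` never reaches `dkg.graph.query`. It also covers only the absent-authInfo case, so a sibling test passing an `AuthInfo` whose `scopes` omit `epcis.read` would exercise the scope comparison itself, assuming the handler treats the two cases separately. In `callToolWithAuth` and `callToolWithoutAuth`, `setMcpClientAuthInfo ?.(…)` is a silent no-op while the setter is still `null`, so a helper called before the `beforeEach` wiring runs with whatever auth state the client pair already holds. Throwing when the setter is unset would make that failure visible. The `describe` body continues outside the visible hunks, so tests there may already cover some of this.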