Commit 7e606c4
Narrow CIMD callback port range to 5 and drop localhost redirect URIs (#189)
* Add public OAuth CIMD and use it as default for mcpc login
Host a Client ID Metadata Document (CIMD) at
https://apify.github.io/mcpc/client-metadata/v1.json so every mcpc
installation presents a consistent client identity on CIMD-capable
authorization servers. This follows the same pattern as VS Code and
Claude Code.
Key changes:
- New docs/client-metadata/v1.json served via GitHub Pages
- mcpc login now defaults to the hosted CIMD; use --no-client-metadata-url
to opt out or --client-metadata-url <url> to override
- OAuth callback uses fixed port range 13316-13325 to match the CIMD's
registered redirect_uris (CIMD docs are static, so exact-match ports
are required by most authorization servers)
- Tightened CIMD URL validation per the spec: reject fragments, embedded
credentials, and dot path segments
- Added logo_uri, tos_uri, policy_uri to the DCR client metadata getter
for branding parity with the hosted CIMD
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Use fixed port range 13316–13325 for all OAuth callbacks
Drop the branching between CIMD and non-CIMD port ranges. Using the same
fixed range in all modes (CIMD, DCR, pre-registered --client-id) makes
the callback port predictable for firewalls, docs, and pre-registered
clients, and removes a chunk of conditional logic. Pre-registered
clients can rely on RFC 8252 loopback-any-port semantics or list the
mcpc range in their redirect URIs, same as before.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Show full default CIMD URL in --client-metadata-url help text
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Shorten default CIMD URL to /mcpc/client.json
Matches the draft-ietf-oauth-client-id-metadata-document spec example
URL (https://example.com/client.json) and trims 13 chars off the
displayed client_id on consent screens.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Serve GitHub Pages from repo root so / renders the main README
Move client.json from docs/ to the repo root and add a minimal
_config.yml excluding dev dirs, so https://apify.github.io/mcpc/ shows
the project README and https://apify.github.io/mcpc/client.json serves
the OAuth CIMD.
Note: requires changing the GitHub Pages source in repo Settings from
"main / docs" to "main / (root)".
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Fix CIMD metadata URIs: use Pages-hosted paths, drop policy_uri
- logo_uri → client-logo.svg (served via GitHub Pages)
- tos_uri → LICENSE on GitHub Pages (not raw GitHub blob URL)
- Remove policy_uri (no standalone privacy policy page)
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Narrow CIMD callback port range to 5 and drop localhost redirect URIs
- Reduce port range from 10 (13316–13325) to 5 (13316–13320). Matches
the conservative pattern used by VS Code (1 port) and Claude Code
(1 port), while leaving headroom for occasional concurrent logins.
- Drop "http://localhost:PORT/callback" entries from the CIMD document
in favor of "http://127.0.0.1:PORT/callback" only. RFC 8252 §8.3
explicitly recommends the IP literal over "localhost" to avoid DNS
resolution ambiguity (a misconfigured /etc/hosts could route
"localhost" to a non-loopback address). mcpc already binds the
callback server to 127.0.0.1 only, so the localhost variants were
dead weight.
- CIMD redirect_uris list shrinks from 20 entries to 5.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Use 6 non-contiguous OAuth callback ports
Replaces the contiguous range (13316–13320) with an explicit list of
6 spread-out ports: 13163, 13316, 16133, 16313, 31316, 31613. A single
unrelated process squatting on 13316 is now less likely to also hit
the rest of mcpc's callback ports.
findAvailablePort() now takes an explicit `ports` list instead of a
start+range pair.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Revert port sorting; start list with 13316
Order: 13316, 13163, 31316, 31613, 16133, 16313.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Add E2E tests for --callback-port and CIMD defaults
Tier 1 (flag-level):
- --callback-port appears in `mcpc login --help`
- --help shows the full default CIMD URL
- --callback-port rejects non-numeric values, 0, values >65535, and
negatives (validation now in src/cli/index.ts)
Tier 2 (end-to-end port binding):
- Starts `mcpc login --callback-port <port> --no-client-metadata-url`
against a hanging local HTTP server so the OAuth flow stalls
during discovery and keeps its callback server bound.
- Polls 127.0.0.1:<port> via bash /dev/tcp probe until it's listening,
proving --callback-port is honored end-to-end (not just parsed).
- Cleans up both the stall server and the backgrounded mcpc login
process regardless of outcome.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
* Serve full docs/ dir via GitHub Pages and clean up _config.yml
List what IS served as a comment (whitelist intent), exclude everything
else. Stop cherry-picking inside docs/ — the full directory is now
published at /mcpc/docs/.
https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
---------
Co-authored-by: Claude <noreply@anthropic.com>1 parent 4e374e6 commit 7e606c4
7 files changed
Lines changed: 146 additions & 44 deletions
File tree
- src
- cli
- lib/auth
- test/e2e/suites/basic
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| 12 | + | |
12 | 13 | | |
13 | 14 | | |
14 | 15 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
2 | | - | |
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
3 | 14 | | |
4 | 15 | | |
5 | | - | |
6 | | - | |
7 | 16 | | |
8 | 17 | | |
9 | 18 | | |
| 19 | + | |
10 | 20 | | |
11 | 21 | | |
12 | | - | |
13 | | - | |
14 | 22 | | |
15 | | - | |
16 | | - | |
17 | 23 | | |
| 24 | + | |
18 | 25 | | |
19 | 26 | | |
20 | 27 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
9 | | - | |
10 | | - | |
11 | | - | |
12 | | - | |
13 | | - | |
14 | | - | |
15 | | - | |
16 | | - | |
17 | | - | |
18 | | - | |
19 | | - | |
20 | | - | |
21 | | - | |
22 | | - | |
23 | | - | |
24 | | - | |
25 | | - | |
26 | | - | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
27 | 13 | | |
28 | 14 | | |
29 | 15 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
616 | 616 | | |
617 | 617 | | |
618 | 618 | | |
| 619 | + | |
| 620 | + | |
| 621 | + | |
| 622 | + | |
| 623 | + | |
| 624 | + | |
| 625 | + | |
| 626 | + | |
| 627 | + | |
| 628 | + | |
619 | 629 | | |
620 | 630 | | |
621 | 631 | | |
622 | 632 | | |
623 | 633 | | |
624 | 634 | | |
625 | | - | |
| 635 | + | |
626 | 636 | | |
627 | 637 | | |
628 | 638 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
18 | | - | |
19 | | - | |
20 | | - | |
21 | | - | |
22 | | - | |
| 18 | + | |
23 | 19 | | |
24 | 20 | | |
25 | 21 | | |
| |||
257 | 253 | | |
258 | 254 | | |
259 | 255 | | |
260 | | - | |
261 | | - | |
| 256 | + | |
| 257 | + | |
262 | 258 | | |
263 | | - | |
264 | | - | |
| 259 | + | |
| 260 | + | |
265 | 261 | | |
266 | 262 | | |
267 | 263 | | |
| |||
277 | 273 | | |
278 | 274 | | |
279 | 275 | | |
280 | | - | |
| 276 | + | |
281 | 277 | | |
282 | 278 | | |
283 | 279 | | |
| |||
434 | 430 | | |
435 | 431 | | |
436 | 432 | | |
437 | | - | |
438 | | - | |
439 | | - | |
440 | | - | |
| 433 | + | |
| 434 | + | |
441 | 435 | | |
442 | 436 | | |
443 | 437 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
16 | | - | |
17 | | - | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
18 | 25 | | |
19 | 26 | | |
20 | 27 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
158 | 158 | | |
159 | 159 | | |
160 | 160 | | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |
| 241 | + | |
| 242 | + | |
| 243 | + | |
| 244 | + | |
| 245 | + | |
| 246 | + | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
161 | 258 | | |
0 commit comments