@@ -51,14 +51,12 @@ export function metadataHandler(metadata: OAuthMetadata | OAuthProtectedResource
5151}
5252
5353/**
54- * Options for {@link mcpAuthMetadataRouter}. Same shape as the runtime-neutral
55- * `AuthMetadataOptions` in `@modelcontextprotocol/server`, except the
56- * insecure-issuer escape hatch is controlled here by the
57- * `MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL` environment variable instead of
58- * an option.
54+ * Options for {@link mcpAuthMetadataRouter}: the runtime-neutral
55+ * `AuthMetadataOptions` from `@modelcontextprotocol/server`. The
56+ * insecure-issuer escape hatch can also be enabled here by the
57+ * `MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL` environment variable.
5958 */
60- // eslint-disable-next-line @typescript-eslint/no-empty-object-type
61- export interface AuthMetadataOptions extends Omit < NeutralAuthMetadataOptions , 'dangerouslyAllowInsecureIssuerUrl' > { }
59+ export type { AuthMetadataOptions } from '@modelcontextprotocol/server' ;
6260
6361/**
6462 * Builds an Express router that serves the two OAuth discovery documents an
@@ -79,16 +77,11 @@ export interface AuthMetadataOptions extends Omit<NeutralAuthMetadataOptions, 'd
7977 * `getOAuthProtectedResourceMetadataUrl` as its `resourceMetadataUrl`
8078 * so unauthenticated clients can discover the AS from the 401 challenge.
8179 */
82- export function mcpAuthMetadataRouter ( options : AuthMetadataOptions ) : Router {
83- // Explicit fields, not a spread: a wider object cannot smuggle in (or be
84- // clobbered on) the insecure-issuer flag — here it comes only from the env.
80+ export function mcpAuthMetadataRouter ( options : NeutralAuthMetadataOptions ) : Router {
8581 const protectedResourceMetadata = buildOAuthProtectedResourceMetadata ( {
86- oauthMetadata : options . oauthMetadata ,
87- resourceServerUrl : options . resourceServerUrl ,
88- serviceDocumentationUrl : options . serviceDocumentationUrl ,
89- scopesSupported : options . scopesSupported ,
90- resourceName : options . resourceName ,
91- dangerouslyAllowInsecureIssuerUrl : allowInsecureIssuerUrl
82+ ...options ,
83+ // The env var and the option are both honored; either enables it.
84+ dangerouslyAllowInsecureIssuerUrl : allowInsecureIssuerUrl || options . dangerouslyAllowInsecureIssuerUrl
9285 } ) ;
9386
9487 const router = express . Router ( ) ;
0 commit comments