Skip to content

Commit 2310b50

Browse files
express: reuse the neutral AuthMetadataOptions type instead of an empty Omit-extends interface; option and env var both enable the insecure-issuer escape hatch
1 parent 543db9e commit 2310b50

1 file changed

Lines changed: 9 additions & 16 deletions

File tree

packages/middleware/express/src/auth/metadataRouter.ts

Lines changed: 9 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -51,14 +51,12 @@ export function metadataHandler(metadata: OAuthMetadata | OAuthProtectedResource
5151
}
5252

5353
/**
54-
* Options for {@link mcpAuthMetadataRouter}. Same shape as the runtime-neutral
55-
* `AuthMetadataOptions` in `@modelcontextprotocol/server`, except the
56-
* insecure-issuer escape hatch is controlled here by the
57-
* `MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL` environment variable instead of
58-
* an option.
54+
* Options for {@link mcpAuthMetadataRouter}: the runtime-neutral
55+
* `AuthMetadataOptions` from `@modelcontextprotocol/server`. The
56+
* insecure-issuer escape hatch can also be enabled here by the
57+
* `MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL` environment variable.
5958
*/
60-
// eslint-disable-next-line @typescript-eslint/no-empty-object-type
61-
export interface AuthMetadataOptions extends Omit<NeutralAuthMetadataOptions, 'dangerouslyAllowInsecureIssuerUrl'> {}
59+
export type { AuthMetadataOptions } from '@modelcontextprotocol/server';
6260

6361
/**
6462
* Builds an Express router that serves the two OAuth discovery documents an
@@ -79,16 +77,11 @@ export interface AuthMetadataOptions extends Omit<NeutralAuthMetadataOptions, 'd
7977
* `getOAuthProtectedResourceMetadataUrl` as its `resourceMetadataUrl`
8078
* so unauthenticated clients can discover the AS from the 401 challenge.
8179
*/
82-
export function mcpAuthMetadataRouter(options: AuthMetadataOptions): Router {
83-
// Explicit fields, not a spread: a wider object cannot smuggle in (or be
84-
// clobbered on) the insecure-issuer flag — here it comes only from the env.
80+
export function mcpAuthMetadataRouter(options: NeutralAuthMetadataOptions): Router {
8581
const protectedResourceMetadata = buildOAuthProtectedResourceMetadata({
86-
oauthMetadata: options.oauthMetadata,
87-
resourceServerUrl: options.resourceServerUrl,
88-
serviceDocumentationUrl: options.serviceDocumentationUrl,
89-
scopesSupported: options.scopesSupported,
90-
resourceName: options.resourceName,
91-
dangerouslyAllowInsecureIssuerUrl: allowInsecureIssuerUrl
82+
...options,
83+
// The env var and the option are both honored; either enables it.
84+
dangerouslyAllowInsecureIssuerUrl: allowInsecureIssuerUrl || options.dangerouslyAllowInsecureIssuerUrl
9285
});
9386

9487
const router = express.Router();

0 commit comments

Comments
 (0)