refactor(core): move mergeScopes to shared authUtils

Author: rechedev9

packages/client/src/client/sse.ts

@@ -1,26 +1,18 @@
 import type { FetchLike, JSONRPCMessage, Transport } from '@modelcontextprotocol/core';
-import { createFetchWithInit, JSONRPCMessageSchema, normalizeHeaders, SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+import {
+    createFetchWithInit,
+    JSONRPCMessageSchema,
+    mergeScopes,
+    normalizeHeaders,
+    SdkError,
+    SdkErrorCode
+} from '@modelcontextprotocol/core';
 import type { ErrorEvent, EventSourceInit } from 'eventsource';
 import { EventSource } from 'eventsource';
 
 import type { AuthProvider, OAuthClientProvider } from './auth.js';
 import { adaptOAuthProvider, auth, extractWWWAuthenticateParams, isOAuthClientProvider, UnauthorizedError } from './auth.js';
 
-/**
- * Merges two space-separated OAuth scope strings into a deduplicated union.
- * Returns undefined when the resulting set is empty.
- * Preserves insertion order of first occurrence for determinism.
- */
-function mergeScopes(existing: string | undefined, incoming: string | undefined): string | undefined {
-    const existingTokens = existing?.split(/\s+/).filter(Boolean) ?? [];
-    const incomingTokens = incoming?.split(/\s+/).filter(Boolean) ?? [];
-    const merged = new Set<string>([...existingTokens, ...incomingTokens]);
-    if (merged.size === 0) {
-        return undefined;
-    }
-    return [...merged].join(' ');
-}
-
 export class SseError extends Error {
     constructor(
         public readonly code: number | undefined,

packages/client/src/client/streamableHttp.ts

@@ -7,6 +7,7 @@ import {
     isJSONRPCRequest,
     isJSONRPCResultResponse,
     JSONRPCMessageSchema,
+    mergeScopes,
     normalizeHeaders,
     SdkError,
     SdkErrorCode
@@ -16,21 +17,6 @@ import { EventSourceParserStream } from 'eventsource-parser/stream';
 import type { AuthProvider, OAuthClientProvider } from './auth.js';
 import { adaptOAuthProvider, auth, extractWWWAuthenticateParams, isOAuthClientProvider, UnauthorizedError } from './auth.js';
 
-/**
- * Merges two space-separated OAuth scope strings into a deduplicated union.
- * Returns undefined when the resulting set is empty.
- * Preserves insertion order of first occurrence for determinism.
- */
-function mergeScopes(existing: string | undefined, incoming: string | undefined): string | undefined {
-    const existingTokens = existing?.split(/\s+/).filter(Boolean) ?? [];
-    const incomingTokens = incoming?.split(/\s+/).filter(Boolean) ?? [];
-    const merged = new Set<string>([...existingTokens, ...incomingTokens]);
-    if (merged.size === 0) {
-        return undefined;
-    }
-    return [...merged].join(' ');
-}
-
 // Default reconnection options for StreamableHTTP connections
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS: StreamableHTTPReconnectionOptions = {
     initialReconnectionDelay: 1000,

packages/core/src/shared/authUtils.ts

@@ -55,3 +55,18 @@ export function checkResourceAllowed({
 
     return requestedPath.startsWith(configuredPath);
 }
+
+/**
+ * Merges two space-separated OAuth scope strings into a deduplicated union.
+ * Returns undefined when the resulting set is empty.
+ * Preserves insertion order of first occurrence for determinism.
+ */
+export function mergeScopes(existing: string | undefined, incoming: string | undefined): string | undefined {
+    const existingTokens = existing?.split(/\s+/).filter(Boolean) ?? [];
+    const incomingTokens = incoming?.split(/\s+/).filter(Boolean) ?? [];
+    const merged = new Set<string>([...existingTokens, ...incomingTokens]);
+    if (merged.size === 0) {
+        return undefined;
+    }
+    return [...merged].join(' ');
+}

packages/core/test/shared/authUtils.test.ts

@@ -1,4 +1,4 @@
-import { checkResourceAllowed, resourceUrlFromServerUrl } from '../../src/shared/authUtils.js';
+import { checkResourceAllowed, mergeScopes, resourceUrlFromServerUrl } from '../../src/shared/authUtils.js';
 
 describe('auth-utils', () => {
     describe('resourceUrlFromServerUrl', () => {
@@ -87,4 +87,31 @@ describe('auth-utils', () => {
             ).toBe(false);
         });
     });
+
+    describe('mergeScopes', () => {
+        it('should return undefined when both inputs are undefined', () => {
+            expect(mergeScopes(undefined, undefined)).toBeUndefined();
+        });
+
+        it('should return existing when incoming is undefined', () => {
+            expect(mergeScopes('read write', undefined)).toBe('read write');
+        });
+
+        it('should return incoming when existing is undefined', () => {
+            expect(mergeScopes(undefined, 'read write')).toBe('read write');
+        });
+
+        it('should merge and deduplicate scopes', () => {
+            expect(mergeScopes('read write', 'write execute')).toBe('read write execute');
+        });
+
+        it('should return undefined for empty strings', () => {
+            expect(mergeScopes('', '')).toBeUndefined();
+            expect(mergeScopes('', undefined)).toBeUndefined();
+        });
+
+        it('should handle multiple whitespace separators', () => {
+            expect(mergeScopes('read  write', 'write\texecute')).toBe('read write execute');
+        });
+    });
 });