merge commit

Author: KKonstantinov

.changeset/oauth-error-http200.md

@@ -0,0 +1,7 @@
+---
+'@modelcontextprotocol/client': patch
+---
+
+Fix OAuth error handling for servers returning errors with HTTP 200 status
+
+Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages.

.changeset/respect-capability-negotiation.md

@@ -0,0 +1,13 @@
+---
+'@modelcontextprotocol/client': patch
+---
+
+Respect capability negotiation in list methods by returning empty lists when server lacks capability
+
+The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability:
+- `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability
+- `listResources()` returns `{ resources: [] }` if server lacks resources capability
+- `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability
+- `listTools()` returns `{ tools: [] }` if server lacks tools capability
+
+This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`.

packages/client/src/client/auth.ts

@@ -1088,7 +1088,18 @@ async function executeTokenRequest(
         throw await parseErrorResponse(response);
     }
 
-    return OAuthTokensSchema.parse(await response.json());
+    const json: unknown = await response.json();
+
+    try {
+        return OAuthTokensSchema.parse(json);
+    } catch (parseError) {
+        // Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status.
+        // Check for error field only if token parsing failed.
+        if (typeof json === 'object' && json !== null && 'error' in json) {
+            throw await parseErrorResponse(JSON.stringify(json));
+        }
+        throw parseError;
+    }
 }
 
 /**

packages/client/src/client/client.ts

@@ -289,6 +289,7 @@ export class Client<
     // Error handlers (single callback pattern, matching McpServer)
     private _onErrorHandler?: OnErrorHandler;
     private _onProtocolErrorHandler?: OnProtocolErrorHandler;
+    private _enforceStrictCapabilities: boolean;
 
     /**
      * Initializes this client with the given name and version information.
@@ -301,6 +302,7 @@ export class Client<
         this._capabilities = options?.capabilities ?? {};
         this._jsonSchemaValidator = options?.jsonSchemaValidator ?? new AjvJsonSchemaValidator();
         this._middleware = new ClientMiddlewareManager();
+        this._enforceStrictCapabilities = options?.enforceStrictCapabilities ?? false;
 
         // Store list changed config for setup after connection (when we know server capabilities)
         if (options?.listChanged) {
@@ -970,14 +972,31 @@ export class Client<
     }
 
     async listPrompts(params?: ListPromptsRequest['params'], options?: RequestOptions) {
+        if (!this._serverCapabilities?.prompts && !this._enforceStrictCapabilities) {
+            // Respect capability negotiation: server does not support prompts
+            console.debug('Client.listPrompts() called but server does not advertise prompts capability - returning empty list');
+            return { prompts: [] };
+        }
         return this.request({ method: 'prompts/list', params }, ListPromptsResultSchema, options);
     }
 
     async listResources(params?: ListResourcesRequest['params'], options?: RequestOptions) {
+        if (!this._serverCapabilities?.resources && !this._enforceStrictCapabilities) {
+            // Respect capability negotiation: server does not support resources
+            console.debug('Client.listResources() called but server does not advertise resources capability - returning empty list');
+            return { resources: [] };
+        }
         return this.request({ method: 'resources/list', params }, ListResourcesResultSchema, options);
     }
 
     async listResourceTemplates(params?: ListResourceTemplatesRequest['params'], options?: RequestOptions) {
+        if (!this._serverCapabilities?.resources && !this._enforceStrictCapabilities) {
+            // Respect capability negotiation: server does not support resources
+            console.debug(
+                'Client.listResourceTemplates() called but server does not advertise resources capability - returning empty list'
+            );
+            return { resourceTemplates: [] };
+        }
         return this.request({ method: 'resources/templates/list', params }, ListResourceTemplatesResultSchema, options);
     }
 
@@ -1096,6 +1115,11 @@ export class Client<
     }
 
     async listTools(params?: ListToolsRequest['params'], options?: RequestOptions) {
+        if (!this._serverCapabilities?.tools && !this._enforceStrictCapabilities) {
+            // Respect capability negotiation: server does not support tools
+            console.debug('Client.listTools() called but server does not advertise tools capability - returning empty list');
+            return { tools: [] };
+        }
         const result = await this.request({ method: 'tools/list', params }, ListToolsResultSchema, options);
 
         // Cache the tools and their output schemas for future validation

packages/server/src/server/mcp.ts

@@ -474,7 +474,7 @@ export class McpServer {
         // If that fails, use the schema directly (for union/intersection/etc)
         const inputObj = normalizeObjectSchema(tool.inputSchema);
         const schemaToParse = inputObj ?? (tool.inputSchema as AnySchema);
-        const parseResult = await safeParseAsync(schemaToParse, args);
+        const parseResult = await safeParseAsync(schemaToParse, args ?? {});
         if (!parseResult.success) {
             const error = 'error' in parseResult ? parseResult.error : 'Unknown error';
             const errorMessage = getParseErrorMessage(error);

test/integration/test/client/client.test.ts

@@ -595,6 +595,79 @@ test('should respect server capabilities', async () => {
     ).rejects.toThrow('Server does not support completions');
 });
 
+/***
+ * Test: Return empty lists for missing capabilities (default behavior)
+ * When enforceStrictCapabilities is not set (default), list methods should
+ * return empty lists instead of sending requests to servers that don't
+ * advertise those capabilities.
+ */
+test('should return empty lists for missing capabilities by default', async () => {
+    const server = new Server(
+        {
+            name: 'test server',
+            version: '1.0'
+        },
+        {
+            capabilities: {
+                // Server only supports tools - no prompts or resources
+                tools: {}
+            }
+        }
+    );
+
+    server.setRequestHandler(InitializeRequestSchema, _request => ({
+        protocolVersion: LATEST_PROTOCOL_VERSION,
+        capabilities: {
+            tools: {}
+        },
+        serverInfo: {
+            name: 'test',
+            version: '1.0'
+        }
+    }));
+
+    server.setRequestHandler(ListToolsRequestSchema, () => ({
+        tools: [{ name: 'test-tool', inputSchema: { type: 'object' } }]
+    }));
+
+    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+    // Client with default settings (enforceStrictCapabilities not set)
+    const client = new Client(
+        {
+            name: 'test client',
+            version: '1.0'
+        },
+        {
+            capabilities: {}
+        }
+    );
+
+    await Promise.all([client.connect(clientTransport), server.connect(serverTransport)]);
+
+    // Server only supports tools
+    expect(client.getServerCapabilities()).toEqual({
+        tools: {}
+    });
+
+    // listTools should work and return actual tools
+    const toolsResult = await client.listTools();
+    expect(toolsResult.tools).toHaveLength(1);
+    expect(toolsResult.tools[0].name).toBe('test-tool');
+
+    // listPrompts should return empty list without sending request
+    const promptsResult = await client.listPrompts();
+    expect(promptsResult.prompts).toEqual([]);
+
+    // listResources should return empty list without sending request
+    const resourcesResult = await client.listResources();
+    expect(resourcesResult.resources).toEqual([]);
+
+    // listResourceTemplates should return empty list without sending request
+    const templatesResult = await client.listResourceTemplates();
+    expect(templatesResult.resourceTemplates).toEqual([]);
+});
+
 /***
  * Test: Respect Client Notification Capabilities
  */
@@ -1885,7 +1958,7 @@ describe('outputSchema validation', () => {
         // Set up server handlers
         server.setRequestHandler(InitializeRequestSchema, async request => ({
             protocolVersion: request.params.protocolVersion,
-            capabilities: {},
+            capabilities: { tools: {} },
             serverInfo: {
                 name: 'test-server',
                 version: '1.0.0'
@@ -1977,7 +2050,7 @@ describe('outputSchema validation', () => {
         // Set up server handlers
         server.setRequestHandler(InitializeRequestSchema, async request => ({
             protocolVersion: request.params.protocolVersion,
-            capabilities: {},
+            capabilities: { tools: {} },
             serverInfo: {
                 name: 'test-server',
                 version: '1.0.0'
@@ -2270,7 +2343,7 @@ describe('outputSchema validation', () => {
         // Set up server handlers
         server.setRequestHandler(InitializeRequestSchema, async request => ({
             protocolVersion: request.params.protocolVersion,
-            capabilities: {},
+            capabilities: { tools: {} },
             serverInfo: {
                 name: 'test-server',
                 version: '1.0.0'

test/integration/test/issues/test400.optional-tool-params.test.ts

@@ -0,0 +1,70 @@
+/**
+ * Regression test for https://github.com/modelcontextprotocol/typescript-sdk/issues/400
+ *
+ * When a tool has all optional parameters, some LLM models call the tool without
+ * providing an `arguments` field. This test verifies that undefined arguments are
+ * handled correctly by defaulting to an empty object.
+ */
+
+import { Client } from '@modelcontextprotocol/client';
+import { CallToolResultSchema, InMemoryTransport } from '@modelcontextprotocol/core';
+import { McpServer } from '@modelcontextprotocol/server';
+import type { ZodMatrixEntry } from '@modelcontextprotocol/test-helpers';
+import { zodTestMatrix } from '@modelcontextprotocol/test-helpers';
+
+describe.each(zodTestMatrix)('Issue #400: $zodVersionLabel', (entry: ZodMatrixEntry) => {
+    const { z } = entry;
+
+    test('should accept undefined arguments when all tool params are optional', async () => {
+        const mcpServer = new McpServer({
+            name: 'test server',
+            version: '1.0'
+        });
+        const client = new Client({
+            name: 'test client',
+            version: '1.0'
+        });
+
+        mcpServer.registerTool(
+            'optional-params-tool',
+            {
+                inputSchema: {
+                    limit: z.number().optional(),
+                    offset: z.number().optional()
+                }
+            },
+            async ({ limit, offset }) => ({
+                content: [
+                    {
+                        type: 'text',
+                        text: `limit: ${limit ?? 'default'}, offset: ${offset ?? 'default'}`
+                    }
+                ]
+            })
+        );
+
+        const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+
+        await Promise.all([client.connect(clientTransport), mcpServer.server.connect(serverTransport)]);
+
+        // Call tool without arguments (arguments is undefined)
+        const result = await client.request(
+            {
+                method: 'tools/call',
+                params: {
+                    name: 'optional-params-tool'
+                    // arguments is intentionally omitted (undefined)
+                }
+            },
+            CallToolResultSchema
+        );
+
+        expect(result.isError).toBeUndefined();
+        expect(result.content).toEqual([
+            {
+                type: 'text',
+                text: 'limit: default, offset: default'
+            }
+        ]);
+    });
+});

test/integration/test/issues/test_1342OauthErrorHttp200.test.ts

@@ -0,0 +1,44 @@
+/**
+ * Regression test for https://github.com/modelcontextprotocol/typescript-sdk/issues/1342
+ *
+ * Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status
+ * instead of 4xx. Previously, the SDK would try to parse these as tokens and fail
+ * with a confusing Zod validation error. This test verifies that the SDK properly
+ * detects the error field and surfaces the actual OAuth error message.
+ */
+
+import { exchangeAuthorization } from '@modelcontextprotocol/client';
+import { describe, expect, it, vi } from 'vitest';
+
+const mockFetch = vi.fn();
+vi.stubGlobal('fetch', mockFetch);
+
+describe('Issue #1342: OAuth error response with HTTP 200 status', () => {
+    const validClientInfo = {
+        client_id: 'test-client',
+        client_secret: 'test-secret',
+        redirect_uris: ['http://localhost:3000/callback'],
+        token_endpoint_auth_method: 'client_secret_post' as const
+    };
+
+    it('should throw OAuth error when server returns error with HTTP 200', async () => {
+        // GitHub returns errors with HTTP 200 instead of 4xx
+        mockFetch.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            json: async () => ({
+                error: 'invalid_client',
+                error_description: 'The client_id and/or client_secret passed are incorrect.'
+            })
+        });
+
+        await expect(
+            exchangeAuthorization('https://auth.example.com', {
+                clientInformation: validClientInfo,
+                authorizationCode: 'code123',
+                codeVerifier: 'verifier123',
+                redirectUri: 'http://localhost:3000/callback'
+            })
+        ).rejects.toThrow('The client_id and/or client_secret passed are incorrect.');
+    });
+});