auth examples - demo flag, configs

Author: KKonstantinov

examples/server/src/elicitationUrlExample.ts

@@ -235,7 +235,7 @@ let authMiddleware = null;
 const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
 const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: true });
+setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: true, demoMode: true });
 
 // Add protected resource metadata route to the MCP server
 // This allows clients to discover the auth server

examples/server/src/simpleStreamableHttp.ts

@@ -527,7 +527,7 @@ if (useOAuth) {
     const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
     const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-    setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: strictOAuth });
+    setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: strictOAuth, demoMode: true });
 
     // Add protected resource metadata route to the MCP server
     // This allows clients to discover the auth server

examples/shared/src/auth.ts

@@ -9,6 +9,7 @@
 
 import { randomBytes } from 'node:crypto';
 
+import type { BetterAuthOptions } from 'better-auth';
 import { betterAuth } from 'better-auth';
 import { mcp } from 'better-auth/plugins';
 import Database from 'better-sqlite3';
@@ -173,6 +174,7 @@ export interface CreateDemoAuthOptions {
     baseURL: string;
     resource?: string;
     loginPage?: string;
+    demoMode: boolean;
 }
 
 /**
@@ -186,7 +188,7 @@ export interface CreateDemoAuthOptions {
  * @see https://www.better-auth.com/docs/plugins/mcp
  */
 export function createDemoAuth(options: CreateDemoAuthOptions) {
-    const { baseURL, resource, loginPage = '/sign-in' } = options;
+    const { baseURL, resource, loginPage = '/sign-in', demoMode } = options;
 
     // Use in-memory SQLite database for demo purposes
     // Note: All data is lost on restart - demo only!
@@ -214,28 +216,30 @@ export function createDemoAuth(options: CreateDemoAuthOptions) {
         baseURL,
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         database: db as any, // Type cast to avoid exposing better-sqlite3 in exported types
-        trustedOrigins: ['*'],
+        trustedOrigins: [baseURL.toString()],
         // Basic email+password for demo
         emailAndPassword: {
             enabled: true,
             requireEmailVerification: false
         },
         plugins: [mcpPlugin],
         // Enable verbose logging for demo/debugging
-        logger: {
-            disabled: false,
-            level: 'debug',
-            log: (level, message, ...args) => {
-                const timestamp = new Date().toISOString();
-                const prefix = `[Auth ${level.toUpperCase()}]`;
-                if (args.length > 0) {
-                    console.log(`${timestamp} ${prefix} ${message}`, ...args);
-                } else {
-                    console.log(`${timestamp} ${prefix} ${message}`);
-                }
-            }
-        }
-    });
+        logger: demoMode
+            ? {
+                  disabled: false,
+                  level: 'debug',
+                  log: (level, message, ...args) => {
+                      const timestamp = new Date().toISOString();
+                      const prefix = `[Auth ${level.toUpperCase()}]`;
+                      if (args.length > 0) {
+                          console.log(`${timestamp} ${prefix} ${message}`, ...args);
+                      } else {
+                          console.log(`${timestamp} ${prefix} ${message}`);
+                      }
+                  }
+              }
+            : undefined
+    } satisfies BetterAuthOptions);
 }
 
 /**

examples/shared/src/authServer.ts

@@ -21,6 +21,10 @@ export interface SetupAuthServerOptions {
     authServerUrl: URL;
     mcpServerUrl: URL;
     strictResource?: boolean;
+    /**
+     * Examples should be used for **demo** only and not for production purposes, however this mode disables some logging and other features.
+     */
+    demoMode: boolean;
 }
 
 // Store auth instance globally so it can be used for token verification
@@ -75,13 +79,14 @@ async function ensureDemoUserExists(auth: DemoAuth): Promise<void> {
  * @param options - Server configuration
  */
 export function setupAuthServer(options: SetupAuthServerOptions): void {
-    const { authServerUrl, mcpServerUrl } = options;
+    const { authServerUrl, mcpServerUrl, demoMode } = options;
 
     // Create better-auth instance with MCP plugin
     const auth = createDemoAuth({
         baseURL: authServerUrl.toString().replace(/\/$/, ''),
         resource: mcpServerUrl.toString(),
-        loginPage: '/sign-in'
+        loginPage: '/sign-in',
+        demoMode: demoMode
     });
 
     // Store globally for token verification
@@ -111,23 +116,25 @@ export function setupAuthServer(options: SetupAuthServerOptions): void {
             console.log(`${timestamp} [Auth Request] Content-Type: ${req.headers['content-type']}`);
         }
 
-        // Log response when it finishes
-        const originalSend = res.send.bind(res);
-        res.send = function (body) {
-            console.log(`${timestamp} [Auth Response] ${res.statusCode} ${req.url}`);
-            if (res.statusCode >= 400 && body) {
-                try {
-                    const parsed = typeof body === 'string' ? JSON.parse(body) : body;
-                    console.log(`${timestamp} [Auth Response] Error:`, parsed);
-                } catch {
-                    // Not JSON, log as-is if short
-                    if (typeof body === 'string' && body.length < 200) {
-                        console.log(`${timestamp} [Auth Response] Body: ${body}`);
+        if (demoMode) {
+            // Log response when it finishes
+            const originalSend = res.send.bind(res);
+            res.send = function (body) {
+                console.log(`${timestamp} [Auth Response] ${res.statusCode} ${req.url}`);
+                if (res.statusCode >= 400 && body) {
+                    try {
+                        const parsed = typeof body === 'string' ? JSON.parse(body) : body;
+                        console.log(`${timestamp} [Auth Response] Error:`, parsed);
+                    } catch {
+                        // Not JSON, log as-is if short
+                        if (typeof body === 'string' && body.length < 200) {
+                            console.log(`${timestamp} [Auth Response] Body: ${body}`);
+                        }
                     }
                 }
-            }
-            return originalSend(body);
-        };
+                return originalSend(body);
+            };
+        }
         next();
     });
 
@@ -137,7 +144,6 @@ export function setupAuthServer(options: SetupAuthServerOptions): void {
 
     // OAuth metadata endpoints using better-auth's built-in handlers
     authApp.get('/.well-known/oauth-authorization-server', toNodeHandler(oAuthDiscoveryMetadata(auth)));
-    authApp.get('/.well-known/oauth-protected-resource', toNodeHandler(oAuthProtectedResourceMetadata(auth)));
 
     // Body parsers for non-better-auth routes (like /sign-in)
     authApp.use(express.json());

examples/shared/test/demoInMemoryOAuthProvider.test.ts

@@ -16,7 +16,8 @@ describe('createDemoAuth', () => {
     const validOptions: CreateDemoAuthOptions = {
         baseURL: 'http://localhost:3001',
         resource: 'http://localhost:3000/mcp',
-        loginPage: '/sign-in'
+        loginPage: '/sign-in',
+        demoMode: true
     };
 
     it('creates a better-auth instance with MCP plugin', () => {
@@ -27,7 +28,8 @@ describe('createDemoAuth', () => {
 
     it('uses default loginPage when not specified', () => {
         const options: CreateDemoAuthOptions = {
-            baseURL: 'http://localhost:3001'
+            baseURL: 'http://localhost:3001',
+            demoMode: true
         };
         const auth = createDemoAuth(options);
         expect(auth).toBeDefined();