Merge branch 'main' into main

Author: li-yechao

README.md

@@ -211,7 +211,7 @@ await server.connect(transport);
 For remote servers, start a web server with a Server-Sent Events (SSE) endpoint, and a separate endpoint for the client to send its messages to:
 
 ```typescript
-import express from "express";
+import express, { Request, Response } from "express";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 
@@ -224,16 +224,27 @@ const server = new McpServer({
 
 const app = express();
 
-app.get("/sse", async (req, res) => {
-  const transport = new SSEServerTransport("/messages", res);
+// to support multiple simultaneous connections we have a lookup object from
+// sessionId to transport
+const transports: {[sessionId: string]: SSEServerTransport} = {};
+
+app.get("/sse", async (_: Request, res: Response) => {
+  const transport = new SSEServerTransport('/messages', res);
+  transports[transport.sessionId] = transport;
+  res.on("close", () => {
+    delete transports[transport.sessionId];
+  });
   await server.connect(transport);
 });
 
-app.post("/messages", async (req, res) => {
-  // Note: to support multiple simultaneous connections, these messages will
-  // need to be routed to a specific matching transport. (This logic isn't
-  // implemented here, for simplicity.)
-  await transport.handlePostMessage(req, res);
+app.post("/messages", async (req: Request, res: Response) => {
+  const sessionId = req.query.sessionId as string;
+  const transport = transports[sessionId];
+  if (transport) {
+    await transport.handlePostMessage(req, res);
+  } else {
+    res.status(400).send('No transport found for sessionId');
+  }
 });
 
 app.listen(3001);

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -48,6 +48,7 @@
   "dependencies": {
     "content-type": "^1.0.5",
     "cors": "^2.8.5",
+    "cross-spawn": "^7.0.3",
     "eventsource": "^3.0.2",
     "express": "^5.0.1",
     "express-rate-limit": "^7.5.0",
@@ -61,6 +62,7 @@
     "@jest-mock/express": "^3.0.0",
     "@types/content-type": "^1.1.8",
     "@types/cors": "^2.8.17",
+    "@types/cross-spawn": "^6.0.6",
     "@types/eslint__js": "^8.42.3",
     "@types/eventsource": "^1.1.15",
     "@types/express": "^5.0.0",

package.json

@@ -46,11 +46,11 @@ describe("OAuth Authorization", () => {
     it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
       // Set up a counter to control behavior
       let callCount = 0;
-      
+
       // Mock implementation that changes behavior based on call count
       mockFetch.mockImplementation((_url, _options) => {
         callCount++;
-        
+
         if (callCount === 1) {
           // First call with MCP header - fail with TypeError (simulating CORS error)
           // We need to use TypeError specifically because that's what the implementation checks for
@@ -68,22 +68,22 @@ describe("OAuth Authorization", () => {
       // Should succeed with the second call
       const metadata = await discoverOAuthMetadata("https://auth.example.com");
       expect(metadata).toEqual(validMetadata);
-      
+
       // Verify both calls were made
       expect(mockFetch).toHaveBeenCalledTimes(2);
-      
+
       // Verify first call had MCP header
       expect(mockFetch.mock.calls[0][1]?.headers).toHaveProperty("MCP-Protocol-Version");
     });
 
     it("throws an error when all fetch attempts fail", async () => {
       // Set up a counter to control behavior
       let callCount = 0;
-      
+
       // Mock implementation that changes behavior based on call count
       mockFetch.mockImplementation((_url, _options) => {
         callCount++;
-        
+
         if (callCount === 1) {
           // First call - fail with TypeError
           return Promise.reject(new TypeError("First failure"));
@@ -96,7 +96,7 @@ describe("OAuth Authorization", () => {
       // Should fail with the second error
       await expect(discoverOAuthMetadata("https://auth.example.com"))
         .rejects.toThrow("Second failure");
-        
+
       // Verify both calls were made
       expect(mockFetch).toHaveBeenCalledTimes(2);
     });
@@ -250,6 +250,7 @@ describe("OAuth Authorization", () => {
         clientInformation: validClientInfo,
         authorizationCode: "code123",
         codeVerifier: "verifier123",
+        redirectUri: "http://localhost:3000/callback",
       });
 
       expect(tokens).toEqual(validTokens);
@@ -271,6 +272,7 @@ describe("OAuth Authorization", () => {
       expect(body.get("code_verifier")).toBe("verifier123");
       expect(body.get("client_id")).toBe("client123");
       expect(body.get("client_secret")).toBe("secret123");
+      expect(body.get("redirect_uri")).toBe("http://localhost:3000/callback");
     });
 
     it("validates token response schema", async () => {
@@ -288,6 +290,7 @@ describe("OAuth Authorization", () => {
           clientInformation: validClientInfo,
           authorizationCode: "code123",
           codeVerifier: "verifier123",
+          redirectUri: "http://localhost:3000/callback",
         })
       ).rejects.toThrow();
     });
@@ -303,6 +306,7 @@ describe("OAuth Authorization", () => {
           clientInformation: validClientInfo,
           authorizationCode: "code123",
           codeVerifier: "verifier123",
+          redirectUri: "http://localhost:3000/callback",
         })
       ).rejects.toThrow("Token exchange failed");
     });

src/client/auth.test.ts

@@ -115,6 +115,7 @@ export async function auth(
       clientInformation,
       authorizationCode,
       codeVerifier,
+      redirectUri: provider.redirectUrl,
     });
 
     await provider.saveTokens(tokens);
@@ -259,11 +260,13 @@ export async function exchangeAuthorization(
     clientInformation,
     authorizationCode,
     codeVerifier,
+    redirectUri,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     authorizationCode: string;
     codeVerifier: string;
+    redirectUri: string | URL;
   },
 ): Promise<OAuthTokens> {
   const grantType = "authorization_code";
@@ -290,6 +293,7 @@ export async function exchangeAuthorization(
     client_id: clientInformation.client_id,
     code: authorizationCode,
     code_verifier: codeVerifier,
+    redirect_uri: String(redirectUri),
   });
 
   if (clientInformation.client_secret) {

src/client/auth.ts

@@ -0,0 +1,131 @@
+import { StdioClientTransport } from "./stdio.js";
+import spawn from "cross-spawn";
+import { JSONRPCMessage } from "../types.js";
+import { ChildProcess } from "node:child_process";
+
+// mock cross-spawn
+jest.mock("cross-spawn");
+const mockSpawn = spawn as jest.MockedFunction<typeof spawn>;
+
+describe("StdioClientTransport using cross-spawn", () => {
+  beforeEach(() => {
+    // mock cross-spawn's return value
+    mockSpawn.mockImplementation(() => {
+      const mockProcess: {
+        on: jest.Mock;
+        stdin?: { on: jest.Mock; write: jest.Mock };
+        stdout?: { on: jest.Mock };
+        stderr?: null;
+      } = {
+        on: jest.fn((event: string, callback: () => void) => {
+          if (event === "spawn") {
+            callback();
+          }
+          return mockProcess;
+        }),
+        stdin: {
+          on: jest.fn(),
+          write: jest.fn().mockReturnValue(true)
+        },
+        stdout: {
+          on: jest.fn()
+        },
+        stderr: null
+      };
+      return mockProcess as unknown as ChildProcess;
+    });
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  test("should call cross-spawn correctly", async () => {
+    const transport = new StdioClientTransport({
+      command: "test-command",
+      args: ["arg1", "arg2"]
+    });
+
+    await transport.start();
+
+    // verify spawn is called correctly
+    expect(mockSpawn).toHaveBeenCalledWith(
+      "test-command",
+      ["arg1", "arg2"],
+      expect.objectContaining({
+        shell: false
+      })
+    );
+  });
+
+  test("should pass environment variables correctly", async () => {
+    const customEnv = { TEST_VAR: "test-value" };
+    const transport = new StdioClientTransport({
+      command: "test-command",
+      env: customEnv
+    });
+
+    await transport.start();
+
+    // verify environment variables are passed correctly
+    expect(mockSpawn).toHaveBeenCalledWith(
+      "test-command",
+      [],
+      expect.objectContaining({
+        env: customEnv
+      })
+    );
+  });
+
+  test("should send messages correctly", async () => {
+    const transport = new StdioClientTransport({
+      command: "test-command"
+    });
+
+    // get the mock process object
+    const mockProcess: {
+      on: jest.Mock;
+      stdin: {
+        on: jest.Mock;
+        write: jest.Mock;
+        once: jest.Mock;
+      };
+      stdout: {
+        on: jest.Mock;
+      };
+      stderr: null;
+    } = {
+      on: jest.fn((event: string, callback: () => void) => {
+        if (event === "spawn") {
+          callback();
+        }
+        return mockProcess;
+      }),
+      stdin: {
+        on: jest.fn(),
+        write: jest.fn().mockReturnValue(true),
+        once: jest.fn()
+      },
+      stdout: {
+        on: jest.fn()
+      },
+      stderr: null
+    };
+
+    mockSpawn.mockReturnValue(mockProcess as unknown as ChildProcess);
+
+    await transport.start();
+
+    // 关键修复：确保 jsonrpc 是字面量 "2.0"
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      id: "test-id",
+      method: "test-method"
+    };
+
+    await transport.send(message);
+
+    // verify message is sent correctly
+    expect(mockProcess.stdin.write).toHaveBeenCalled();
+  });
+});