refactor(mcp): harden OAuth empty-token, chain resolver errors, sharpen docs #33
Merged
Code quality + docs pass for @gemstack/mcp:
- OAuth: reject an empty bearer token ("Authorization: Bearer " with no
value) up front with 401 invalid_token instead of forwarding an empty
string to verifyToken. Neutralized the framework-specific wording in the
oauth2 core docs (any JWT library / introspection endpoint).
- handle-deps: chain the original error via { cause } when a @handle
dependency fails to resolve, preserving the stack.
- Documented McpResponse.text/json/error and when to prefer error() over
throwing.
- README: completed the OAuth 2.1 section (real jose-based verifyToken;
spelled out that oauth2McpMiddleware AND registerOAuth2Metadata must
both be wired, with the discovery rationale); softened the origin framing.
Added an empty-token test. Build + 105 tests green.
Code quality + docs pass for `@gemstack/mcp` (part of the per-package GemStack quality sweep).

A note on scope: several survey-flagged items were checked and intentionally not changed because they were already correct - the `Bearer` prefix is validated with the trailing space (so `slice(7)` is safe), `new (...args: any[])` is the correct "any constructor" idiom (`unknown[]` would reject real class constructors), `zod-to-json-schema` already has a try/catch fallback, and the `McpTool`/`McpResource`/`McpPrompt` abstract methods + `shouldRegister` semantics are already well-documented.

Code quality
- `Authorization: Bearer` header with no value is now rejected with `401 invalid_token` before calling `verifyToken`, instead of forwarding an empty string.
- `@Handle` dependency resolution now chains the original error via `{ cause }`.

Docs
- `McpResponse.text/json/error` and when to prefer `error()` over throwing.
- `jose`-based `verifyToken`, and spelled out that `oauth2McpMiddleware` and `registerOAuth2Metadata` must both be wired (with the client-discovery rationale). Softened the origin framing.

Verification
Added an empty-token test. Build + 105 tests green. Patch changeset included.
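
The empty-token check described in this PR, sketched as an added example (not code from the pull request or from `@gemstack/mcp`). `parseBearer` and `authenticate` are hypothetical names, `verifyToken` stands for any caller-supplied verifier, and the challenge strings follow RFC 6750; treating a whitespace-only token as empty goes slightly beyond the case the PR describes.

```javascript
// Added illustration; function names are hypothetical, not the package's API.
const PREFIX = 'Bearer '; // 7 characters, trailing space included

// Turn an Authorization header value into a token or a 401 rejection.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string' || !headerValue.startsWith(PREFIX)) {
    // No usable credentials: challenge without an error code (RFC 6750, 3.1).
    return { ok: false, status: 401, challenge: 'Bearer' };
  }
  // Safe: the prefix check guarantees at least PREFIX.length characters.
  const token = headerValue.slice(PREFIX.length).trim();
  if (token === '') {
    // "Authorization: Bearer " with no value: reject here so the verifier
    // is never asked to judge an empty string.
    return {
      ok: false,
      status: 401,
      error: 'invalid_token',
      challenge: 'Bearer error="invalid_token"',
    };
  }
  return { ok: true, token };
}

// verifyToken is supplied by the caller (JWT library or introspection call)
// and is expected to throw or reject when the token is not acceptable.
async function authenticate(headerValue, verifyToken) {
  const parsed = parseBearer(headerValue);
  if (!parsed.ok) return parsed;
  try {
    const claims = await verifyToken(parsed.token);
    return { ok: true, claims };
  } catch {
    return {
      ok: false,
      status: 401,
      error: 'invalid_token',
      challenge: 'Bearer error="invalid_token"',
    };
  }
}
```
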