Simplify WWW-Authenticate parsing by keeping extractFieldFromWwwAuth private

pcarleton · claude · pcarleton · commit 48f4470cce55 · 2025-11-20T19:34:30.000Z
Instead of exporting extractFieldFromWwwAuth as a separate function, keep it private and extend extractWWWAuthenticateParams to also return the 'error' field. This provides a cleaner API while maintaining all functionality. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
@@ -8,7 +8,6 @@ import {
     refreshAuthorization,
     registerClient,
     discoverOAuthProtectedResourceMetadata,
-    extractFieldFromWwwAuth,
     extractWWWAuthenticateParams,
     auth,
     type OAuthClientProvider,
@@ -36,50 +35,6 @@ describe('OAuth Authorization', () => {
         mockFetch.mockReset();
     });
 
-    describe('extractFieldFromWwwAuth', () => {
-        function mockResponseWithWWWAuthenticate(headerValue: string): Response {
-            return {
-                headers: {
-                    get: vi.fn(name => (name === 'WWW-Authenticate' ? headerValue : null))
-                }
-            } as unknown as Response;
-        }
-
-        it('returns the value of a quoted field', () => {
-            const mockResponse = mockResponseWithWWWAuthenticate(`Bearer realm="example", field="value"`);
-            expect(extractFieldFromWwwAuth(mockResponse, 'field')).toBe('value');
-        });
-
-        it('returns the value of an unquoted field', () => {
-            const mockResponse = mockResponseWithWWWAuthenticate(`Bearer realm=example, field=value`);
-            expect(extractFieldFromWwwAuth(mockResponse, 'field')).toBe('value');
-        });
-
-        it('returns the correct value when multiple parameters are present', () => {
-            const mockResponse = mockResponseWithWWWAuthenticate(
-                `Bearer realm="api", error="invalid_token", field="test_value", scope="admin"`
-            );
-            expect(extractFieldFromWwwAuth(mockResponse, 'field')).toBe('test_value');
-        });
-
-        it('returns null if the field is not present', () => {
-            const mockResponse = mockResponseWithWWWAuthenticate(`Bearer realm="api", scope="admin"`);
-            expect(extractFieldFromWwwAuth(mockResponse, 'missing_field')).toBeNull();
-        });
-
-        it('returns null if the WWW-Authenticate header is missing', () => {
-            const mockResponse = { headers: new Headers() } as unknown as Response;
-            expect(extractFieldFromWwwAuth(mockResponse, 'field')).toBeNull();
-        });
-
-        it('handles fields with special characters in quotes', () => {
-            const mockResponse = mockResponseWithWWWAuthenticate(
-                `Bearer error="invalid_token", error_description="The token has expired, please re-authenticate."`
-            );
-            expect(extractFieldFromWwwAuth(mockResponse, 'error_description')).toBe('The token has expired, please re-authenticate.');
-        });
-    });
-
     describe('extractWWWAuthenticateParams', () => {
         it('returns resource metadata url when present', async () => {
             const resourceUrl = 'https://resource.example.com/.well-known/oauth-protected-resource';
@@ -140,6 +95,16 @@ describe('OAuth Authorization', () => {
 
             expect(extractWWWAuthenticateParams(mockResponse)).toEqual({ scope: scope });
         });
+
+        it('returns error when present', async () => {
+            const mockResponse = {
+                headers: {
+                    get: vi.fn(name => (name === 'WWW-Authenticate' ? `Bearer error="insufficient_scope", scope="admin"` : null))
+                }
+            } as unknown as Response;
+
+            expect(extractWWWAuthenticateParams(mockResponse)).toEqual({ error: 'insufficient_scope', scope: 'admin' });
+        });
     });
 
     describe('discoverOAuthProtectedResourceMetadata', () => {
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -522,9 +522,9 @@ export async function selectResourceURL(
 }
 
 /**
- * Extract resource_metadata and scope from WWW-Authenticate header.
+ * Extract resource_metadata, scope, and error from WWW-Authenticate header.
  */
-export function extractWWWAuthenticateParams(res: Response): { resourceMetadataUrl?: URL; scope?: string } {
+export function extractWWWAuthenticateParams(res: Response): { resourceMetadataUrl?: URL; scope?: string; error?: string } {
     const authenticateHeader = res.headers.get('WWW-Authenticate');
     if (!authenticateHeader) {
         return {};
@@ -547,10 +547,12 @@ export function extractWWWAuthenticateParams(res: Response): { resourceMetadataU
     }
 
     const scope = extractFieldFromWwwAuth(res, 'scope') || undefined;
+    const error = extractFieldFromWwwAuth(res, 'error') || undefined;
 
     return {
         resourceMetadataUrl,
-        scope
+        scope,
+        error
     };
 }
 
@@ -561,7 +563,7 @@ export function extractWWWAuthenticateParams(res: Response): { resourceMetadataU
  * @param fieldName The name of the field to extract (e.g., "realm", "nonce").
  * @returns The field value
  */
-export function extractFieldFromWwwAuth(response: Response, fieldName: string): string | null {
+function extractFieldFromWwwAuth(response: Response, fieldName: string): string | null {
     const wwwAuthHeader = response.headers.get('WWW-Authenticate');
     if (!wwwAuthHeader) {
         return null;
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
@@ -1,6 +1,6 @@
 import { Transport, FetchLike, createFetchWithInit, normalizeHeaders } from '../shared/transport.js';
 import { isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema } from '../types.js';
-import { auth, AuthResult, extractFieldFromWwwAuth, extractWWWAuthenticateParams, OAuthClientProvider, UnauthorizedError } from './auth.js';
+import { auth, AuthResult, extractWWWAuthenticateParams, OAuthClientProvider, UnauthorizedError } from './auth.js';
 import { EventSourceParserStream } from 'eventsource-parser/stream';
 
 // Default reconnection options for StreamableHTTP connections
@@ -454,7 +454,7 @@ export class StreamableHTTPClientTransport implements Transport {
                 }
 
                 if (response.status === 403 && this._authProvider) {
-                    const error = extractFieldFromWwwAuth(response, 'error');
+                    const { resourceMetadataUrl, scope, error } = extractWWWAuthenticateParams(response);
 
                     if (error === 'insufficient_scope') {
                         const wwwAuthHeader = response.headers.get('WWW-Authenticate');
@@ -464,8 +464,6 @@ export class StreamableHTTPClientTransport implements Transport {
                             throw new StreamableHTTPError(403, 'Server returned 403 after trying upscoping');
                         }
 
-                        const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);
-
                         if (scope) {
                             this._scope = scope;
                         }
