feat(auth): enhance OAuth authentication for HttpStreamTransport and SSEServerTransport with comprehensive tests

Author: jmrobles

src/transports/http/server.ts

@@ -165,13 +165,28 @@ export class HttpStreamTransport extends AbstractTransport {
         await transport.handleRequest(req, res, body);
         return;
       } else {
+        if (this._config.auth?.endpoints?.messages !== false) {
+          const isAuthenticated = await this.handleAuthentication(req, res, 'message');
+          if (!isAuthenticated) return;
+        }
+
         this.sendError(res, 400, -32000, 'Bad Request: No valid session ID provided');
         return;
       }
     } else if (!sessionId) {
+      if (this._config.auth?.endpoints?.messages !== false) {
+        const isAuthenticated = await this.handleAuthentication(req, res, 'message');
+        if (!isAuthenticated) return;
+      }
+
       this.sendError(res, 400, -32000, 'Bad Request: No valid session ID provided');
       return;
     } else {
+      if (this._config.auth?.endpoints?.messages !== false) {
+        const isAuthenticated = await this.handleAuthentication(req, res, 'message');
+        if (!isAuthenticated) return;
+      }
+
       this.sendError(res, 404, -32001, 'Session not found');
       return;
     }
@@ -247,6 +262,9 @@ export class HttpStreamTransport extends AbstractTransport {
       if (isApiKey) {
         const provider = this._config.auth.provider as APIKeyAuthProvider;
         res.setHeader('WWW-Authenticate', `ApiKey realm="MCP Server", header="${provider.getHeaderName()}"`);
+      } else if (this._config.auth.provider instanceof OAuthAuthProvider) {
+        const provider = this._config.auth.provider as OAuthAuthProvider;
+        res.setHeader('WWW-Authenticate', provider.getWWWAuthenticateHeader('invalid_token', 'Missing or invalid authentication token'));
       }
 
       res.writeHead(error.status).end(

src/transports/sse/server.ts

@@ -167,6 +167,11 @@ export class SSEServerTransport extends AbstractTransport {
     }
 
     if (req.method === "POST" && url.pathname === this._config.messageEndpoint) {
+      if (this._config.auth?.endpoints?.messages !== false) {
+        const isAuthenticated = await this.handleAuthentication(req, res, "message")
+        if (!isAuthenticated) return
+      }
+
       // **Connection Validation (User Requested):**
       // Check if the 'sessionId' from the POST request URL query parameter
       // (which should contain a connectionId provided by the server via the 'endpoint' event)
@@ -178,11 +183,6 @@ export class SSEServerTransport extends AbstractTransport {
           return;
       }
 
-      if (this._config.auth?.endpoints?.messages !== false) {
-        const isAuthenticated = await this.handleAuthentication(req, res, "message")
-        if (!isAuthenticated) return
-      }
-
       await this.handlePostMessage(req, res)
       return
     }
@@ -222,8 +222,11 @@ export class SSEServerTransport extends AbstractTransport {
       if (isApiKey) {
         const provider = this._config.auth.provider as APIKeyAuthProvider
         res.setHeader("WWW-Authenticate", `ApiKey realm="MCP Server", header="${provider.getHeaderName()}"`)
+      } else if (this._config.auth.provider instanceof OAuthAuthProvider) {
+        const provider = this._config.auth.provider as OAuthAuthProvider
+        res.setHeader("WWW-Authenticate", provider.getWWWAuthenticateHeader('invalid_token', 'Missing or invalid authentication token'))
       }
-      
+
       res.writeHead(error.status).end(JSON.stringify({
         error: error.message,
         status: error.status,

tests/auth/validators/introspection-validator.test.ts

@@ -230,7 +230,7 @@ describe('IntrospectionValidator', () => {
       await validator.validate(token);
       const cachedCallTime = Date.now() - cachedStartTime;
 
-      expect(cachedCallTime).toBeLessThan(firstCallTime);
+      expect(cachedCallTime).toBeLessThanOrEqual(firstCallTime);
     });
 
     it('should expire cache after TTL', async () => {