finished instructions

Author: kentcdodds

exercises/01.discovery/01.problem.cors/README.mdx

@@ -6,7 +6,7 @@ If we can't handle cross-origin requests properly, users will encounter frustrat
 
 ```ts
 // Example: A user trying to access our MCP server from a different domain
-const response = await fetch('https://our-mcp-server.com/mcp', {
+const response = await fetch('https://our-mcp-server.example.com/mcp', {
 	method: 'POST',
 	headers: {
 		'Content-Type': 'application/json',

exercises/01.discovery/02.problem.as/README.mdx

@@ -7,7 +7,7 @@ The problem is: how do we provide clients with the information they need to auth
 ```ts
 // Example: A user trying to discover our OAuth server capabilities
 const response = await fetch(
-	'https://our-mcp-server.com/.well-known/oauth-authorization-server',
+	'https://our-mcp-server.example.com/.well-known/oauth-authorization-server',
 )
 const metadata = await response.json()
 // metadata includes things like:

exercises/01.discovery/README.mdx

@@ -41,7 +41,7 @@ sequenceDiagram
 ```ts
 // Discover resource server metadata
 const resourceMeta = await fetch(
-	'https://our-mcp-server.com/.well-known/oauth-protected-resource',
+	'https://our-mcp-server.example.com/.well-known/oauth-protected-resource',
 ).then((r) => r.json())
 
 // Find the authorization server URL

exercises/02.init/02.problem.params/README.mdx

@@ -5,7 +5,7 @@
 For example, if a robot tries to fetch `/api/lemonade` without the right credentials, the response should include a realm and a resource_metadata parameter:
 
 ```
-WWW-Authenticate: Bearer realm="EpicMe", resource_metadata="https://lemonade-stand.com/.well-known/oauth-protected-resource/mcp"
+WWW-Authenticate: Bearer realm="EpicMe", resource_metadata="https://lemonade-stand.example.com/.well-known/oauth-protected-resource/mcp"
 ```
 
 - **realm**: Identifies the protected area (like a journal or a lemonade stand) so clients know which resource needs credentials.

exercises/05.scopes/01.problem.check-scopes/README.mdx

@@ -1 +1,40 @@
 # Check Scopes
+
+👨‍💼 We're going to start adding more fine-grained control to what our MCP server can do by adding scopes. Our authorization server already supports scopes, and it makes no sense for the MCP server to show tools, resources, or prompts that the user doesn't have permission to use anyway.
+
+This is where OAuth scopes come in. They give us fine-grained control over what authenticated users can access.
+
+Let's look at an example of how this works in a music streaming app:
+
+```ts
+// Define what scopes are available in our app
+const musicScopes = [
+	'playlist:read', // View playlists
+	'playlist:write', // Create/edit playlists
+	'songs:read', // Search and play songs
+	'profile:read', // View user profile
+] as const
+
+// Check if user has permission to create playlists
+function hasScope(userScopes: Array<string>) {
+	return userScopes.includes('playlist:write')
+}
+
+// Only show "Create Playlist" if user has permission
+if (hasScope(authInfo.scopes)) {
+	// show create playlist functionality
+}
+```
+
+To make this work in our EpicMe journaling app, we need to create scope validation utilities. These will help us check what permissions users have and ensure they can only access the features they're authorized for.
+
+<callout-info>
+	🧝‍♀️ I added `scopes` to the `whoami` tool so you can easily see what
+	permissions are available when testing your implementation.
+</callout-info>
+
+Once you have the scope validation utilities in place, you'll also need to add a convenient `hasScope` method to the `EpicMeMCP` class that makes it easy to check permissions throughout your app:
+
+This approach means users will only see the tools and features they're actually authorized to use, creating a smooth and intuitive experience that matches their permission level.
+
+📜 For more details on OAuth scopes and how they work in MCP servers, see the [OAuth 2.0 Scopes RFC](https://tools.ietf.org/html/rfc6749#section-3.3) and the [MCP Authentication Specification](https://modelcontextprotocol.io/specification/2025-06-18/server/auth).

exercises/05.scopes/01.solution.check-scopes/README.mdx

@@ -1 +1,7 @@
 # Check Scopes
+
+👨‍💼 Excellent work! We've successfully implemented scope validation utilities that give our EpicMe journaling app fine-grained control over what authenticated users can access. Now our MCP server can check if users have the required permissions before allowing them to perform sensitive operations like reading private entries or managing tags.
+
+This improvement means users get proper access control based on their granted scopes, ensuring that personal journal data stays secure and only authorized actions are permitted. The scope validation utilities we built will be the foundation for all our permission checks going forward.
+
+🧝‍♀️ I'm expanding this scope validation system to cover more scenarios and adding better error handling for insufficient permissions. Feel free to try implementing that yourself, or just <NextDiffLink>check out my changes</NextDiffLink> if you'd like to see how it's done.

exercises/05.scopes/02.problem.validate-sufficient-scope/README.mdx

@@ -1 +1,60 @@
 # Validate Sufficient Scope
+
+👨‍💼 Some users are authenticating with no scopes which results in having a valid token, but not enough permissions to actually do anything useful with the MCP server. It would be better if we could let them know up front that they don't have enough permissions and need a new token with the appropriate scopes.
+
+To do this, you return a `403 Forbidden` response with the appropriate `WWW-Authenticate` header:
+
+```ts
+// A music streaming app might check scopes like this
+const requiredScopes = ['music:read', 'playlists:write']
+const userScopes = ['music:read'] // User only has read access
+
+const hasRequiredScopes = requiredScopes.every((scope) =>
+	userScopes.includes(scope),
+)
+
+if (!hasRequiredScopes) {
+	return new Response('Forbidden', {
+		status: 403,
+		headers: {
+			'WWW-Authenticate': [
+				`Bearer realm="MusicApp"`,
+				`error="insufficient_scope"`,
+				`scopes="${requiredScopes.join(' ')}"`,
+			].join(', '),
+		},
+	})
+}
+```
+
+The `WWW-Authenticate` header includes:
+
+- The realm (`MusicApp`)
+- The error type (`insufficient_scope`)
+- The required scopes (`music:read playlists:write`)
+
+However, the `scopes` auth param is tricky for us because there's actually a list of valid scope combinations that are allowed. The user could have one of several scopes that would be enough to use the MCP server. There's not an established pattern for handling this case, so we'll skip the `scopes` auth param and instead include a `error_description` that explains what scope combinations are valid.
+
+```mermaid
+sequenceDiagram
+    Client->>MCP_Server: Request with valid token
+    MCP_Server->>Auth_Server: Introspect token
+    Auth_Server-->>MCP_Server: Token info + scopes
+    MCP_Server->>MCP_Server: Check hasSufficientScope()
+    alt Has sufficient scope
+        MCP_Server-->>Client: Success - MCP server access granted
+    else Insufficient scope
+        MCP_Server-->>Client: 403 Forbidden with scope requirements
+    end
+```
+
+<callout-muted>
+	📜 For more details on OAuth scope validation and error handling, see the
+	[OAuth 2.0 Authorization Framework
+	RFC](https://tools.ietf.org/html/rfc6749#section-3.3) and [OAuth 2.0 Bearer
+	Token Usage RFC](https://tools.ietf.org/html/rfc6750#section-3.1).
+</callout-muted>
+
+🧝‍♀️ I created a `minimalValidScopeCombinations` array and a `hasSufficientScope` function for you to use. It's just hard to describe what you should do, but simple once you see it. Feel free to <PrevDiffLink>check out my changes</PrevDiffLink> if you want.
+
+Now, let's implement the scope validation logic to ensure only properly authorized clients can access the EpicMe MCP server!

exercises/05.scopes/02.problem.validate-sufficient-scope/src/auth.ts

@@ -89,9 +89,8 @@ export function hasSufficientScope(authInfo: AuthInfo) {
 // 🐨 create a handleInsufficientScope function that returns a 403 response with
 // the appropriate WWW-Authenticate header.
 // The header should be similar to the handleUnauthorized one below. It needs
-// the following auth params: error, error_description, and error_uri
+// the following auth params: error and error_description
 // 💰 use the minimalValidScopeCombinations array to create the error_description to explain the valid combinations of scopes
-// 💰 use the url.toString() to create the error_uri (this is the same as the handleUnauthorized one below)
 
 export function handleUnauthorized(request: Request) {
 	const hasAuthHeader = request.headers.has('authorization')

exercises/05.scopes/02.problem.validate-sufficient-scope/src/index.ts

@@ -107,7 +107,7 @@ export default {
 				if (!authInfo) return handleUnauthorized(request)
 
 				// 🐨 check whether the authInfo includes all the required scopes
-				// 🐨 if it doesn't, call and return the result of handleInsufficientScope(request)
+				// 🐨 if it doesn't, call and return the result of handleInsufficientScope()
 
 				const mcp = EpicMeMCP.serve('/mcp', {
 					binding: 'EPIC_ME_MCP_OBJECT',

exercises/05.scopes/02.solution.validate-sufficient-scope/README.mdx

@@ -1 +1,3 @@
 # Validate Sufficient Scope
+
+👨‍💼 Excellent work! Now users won't be able to access the MCP server if they don't have useful permissions.