finish exercise 3 instructions

Author: kentcdodds

exercises/03.auth-info/01.problem.introspect/README.mdx

@@ -1 +1,75 @@
 # Introspect
+
+👨‍💼 Ok, so we've got the user's auth token, but what do we do with it? Our server needs to know:
+
+- Is the token valid?
+- Is it still active?
+- Who is this person? (user ID)
+- What permissions do they have? (scopes)
+
+So we need to "introspect" the token to get this information.
+
+```ts
+// When a user makes a request, we need to resolve their token
+const authInfo = await resolveAuthInfo(request.headers.get('authorization'))
+if (!authInfo) {
+	return handleUnauthorized(request)
+}
+
+console.log(`User ${authInfo.extra.userId} from ${authInfo.clientId}`)
+console.log(`Has scopes: ${authInfo.scopes.join(', ')}`)
+```
+
+Auth providers implement this slightly differently, but the core concept is the same: you send the token to the auth server, and it tells you everything you need to know about that token. Some auth providers store their token as a JWT which means the information is contained within the token itself and you don't need to perform a request to the auth server to get the information.
+
+One way or another though, you need to determine whether the token is valid and active.
+
+<callout-info>
+	🔍 Token validation is essential for user-specific features. Without it, you
+	can't personalize the experience or enforce proper permissions.
+</callout-info>
+
+The introspection process involves making a POST request to the auth server's introspection endpoint with the token. The response contains the user ID (`sub`), client ID (`client_id`), and scopes (`scope`) that tell you exactly what this token represents.
+
+```ts
+// Example introspection request
+const validateUrl = new URL('/oauth/introspection', 'https://auth.example.com')
+const resp = await fetch(validateUrl, {
+	method: 'POST',
+	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+	body: new URLSearchParams({ token }),
+})
+
+const result = await resp.json()
+// result.sub = user ID
+// result.client_id = app the user is using
+// result.scope = space-separated list of permissions
+```
+
+<callout-info>
+	🎯 When you're finished with this exercise, the behavior won't change
+	visually. Consider adding a `console.log` to see the introspection results in
+	action!
+</callout-info>
+
+```mermaid
+sequenceDiagram
+    MCP Client->>MCP Server: POST /mcp (Authorization: Bearer token)
+    MCP Server->>Auth Server: POST /oauth/introspection (token)
+    alt Token is active
+        Auth Server-->>MCP Server: Returns user info (sub, client_id, scope)
+        MCP Server-->>MCP Client: Processes request with user context
+    else Token is invalid/expired
+        Auth Server-->>MCP Server: Returns error or inactive status
+        MCP Server-->>MCP Client: Returns unauthorized response
+    end
+```
+
+<callout-muted>
+	📜 For more details on token introspection, see the [OAuth 2.0 Token
+	Introspection RFC](https://datatracker.ietf.org/doc/html/rfc7662).
+</callout-muted>
+
+The goal is to transform anonymous tokens into rich user context, enabling personalized experiences and proper permission enforcement.
+
+Now, let's implement the `resolveAuthInfo` function to make this happen!

exercises/03.auth-info/01.solution.introspect/README.mdx

@@ -1 +1,3 @@
 # Introspect
+
+👨‍💼 Super! You've successfully implemented token introspection, which transforms anonymous tokens into rich user context. Now our MCP server can identify who each user is and understand their permissions, enabling personalized experiences and proper access control.

exercises/03.auth-info/02.problem.error/README.mdx

@@ -1 +1,44 @@
 # Invalid Token Error
+
+👨‍💼 When clients provide an authentication token that turns out to be invalid or expired, they need clear feedback about what went wrong. Without proper error messaging, users might think the service is broken or get confused about why their request failed.
+
+The current error response doesn't distinguish between "no token provided" and "invalid token provided." This makes it harder for clients to provide helpful guidance to clients about what they need to do next.
+
+```
+// When no Authorization header is present:
+WWW-Authenticate: Bearer realm="EpicMe", resource_metadata=https://example.com/.well-known/oauth-protected-resource/mcp
+
+// When Authorization header is present but token is invalid:
+WWW-Authenticate: Bearer realm="EpicMe", error="invalid_token", error_description="The access token is invalid or expired", resource_metadata=https://example.com/.well-known/oauth-protected-resource/mcp
+```
+
+By adding the `error` and `error_description` parameters to the `WWW-Authenticate` header when an Authorization header is present, clients can provide more specific guidance to users. This helps clients know what they need to do to fix the problem.
+
+<callout-info>
+	🎯 The `error` parameter follows OAuth 2.0 standards and helps clients
+	distinguish between different types of authentication failures.
+</callout-info>
+
+```mermaid
+sequenceDiagram
+    User->>MCP Client: Makes request
+    MCP Client->>MCP Server: POST /mcp<br/>(Authorization: Bearer {invalid_token})
+    MCP Server->>Auth Server: POST /oauth/introspection<br/>(invalid_token)
+    Auth Server-->>MCP Server: Returns error or inactive status
+    MCP Server-->>MCP Client: 401 with error="invalid_token"<br/>and error_description
+    MCP Client->>User: Shows "Token expired,<br/>please log in again"
+```
+
+<callout-warning>
+	Only include error parameters when an Authorization header is present. Users
+	without tokens should get a generic unauthorized response.
+</callout-warning>
+
+<callout-muted>
+	📜 For more details on OAuth 2.0 error handling, see the [OAuth 2.0 Bearer
+	Token Usage RFC](https://datatracker.ietf.org/doc/html/rfc6750#section-3.1).
+</callout-muted>
+
+The goal is to make authentication errors more actionable for users, helping them understand exactly what they need to do to fix the problem.
+
+Now, let's enhance the error handling to provide better feedback when tokens are invalid!

exercises/03.auth-info/02.solution.error/README.mdx

@@ -1 +1,5 @@
 # Invalid Token Error
+
+👨‍💼 Excellent! We've enhanced our error handling to provide clear, actionable feedback when clients provide invalid tokens. Now users get specific guidance about token expiration instead of generic error messages, making the authentication experience much more user-friendly.
+
+This improvement means clients can distinguish between "no token provided" and "invalid token provided," enabling them to show appropriate messages like "Please log in again" when tokens expire.

exercises/03.auth-info/03.problem.active/README.mdx

@@ -1 +1,84 @@
 # Token Active
+
+👨‍💼 When we introspect an auth token, the introspection endpoint will return whether the token is currently active (because tokens can be revoked or expired) and we need to check for that in our resolution callback.
+
+The solution is to always verify that a token is active before trusting any of its claims. OAuth 2.0 introspection responses include an `active` property that tells us exactly this.
+
+It's pretty simple:
+
+```ts
+const data = await introspectionResopnse.json()
+if (!data.active) {
+	// Token is expired, revoked, or invalid
+	return null
+}
+```
+
+## Discriminated Unions
+
+🦉 As a bonus in this exercise step you can make the types nicer if you use discriminated unions. When working with responses that can have different shapes based on a property value, TypeScript's discriminated unions are incredibly useful. They let you create types that change based on a specific field, giving you type safety and better IntelliSense.
+
+Here's a simple example of how discriminated unions work:
+
+```ts
+// A discriminated union based on the "status" property
+type ApiResponse =
+	| { status: 'success'; data: Array<string> }
+	| { status: 'error'; message: string }
+
+// TypeScript knows the shape based on the status
+function handleResponse(response: ApiResponse) {
+	if (response.status === 'success') {
+		// TypeScript knows response.data exists here
+		console.log(response.data.length)
+	} else {
+		// TypeScript knows response.message exists here
+		console.log(response.message)
+	}
+}
+```
+
+Here's how you represent that with zod:
+
+```ts
+const introspectResponseSchema = z.discriminatedUnion('status', [
+	z.object({
+		status: z.literal('success'),
+		data: z.array(z.string()),
+	}),
+	z.object({
+		status: z.literal('error'),
+		message: z.string(),
+	}),
+])
+```
+
+In our case, we'll use a discriminated union based on the `active` property to handle both active and inactive token responses safely.
+
+<callout-warning>
+	🎯 When a token is inactive, don't process any of its claims. Return null
+	immediately to prevent unauthorized access.
+</callout-warning>
+
+```mermaid
+sequenceDiagram
+    MCP Client->>MCP Server: POST /mcp (Authorization: Bearer token)
+    MCP Server->>Auth Server: POST /oauth/introspection (token)
+    alt Token is active
+        Auth Server-->>MCP Server: { active: true, sub: "user123", ... }
+        MCP Server-->>MCP Client: Processes request with user context
+    else Token is inactive
+        Auth Server-->>MCP Server: { active: false }
+        MCP Server-->>MCP Client: Returns null (no auth info)
+    end
+```
+
+<callout-muted>
+	📜 For more details on OAuth 2.0 token introspection and the `active`
+	property, see the [OAuth 2.0 Token Introspection
+	RFC](https://datatracker.ietf.org/doc/html/rfc7662).
+</callout-muted>
+
+The goal is to ensure that only active, valid tokens can access our MCP server resources, maintaining security and providing a reliable user experience.
+
+Now, let's implement proper token validation by checking the `active` property!

exercises/03.auth-info/03.solution.active/README.mdx

@@ -1 +1,3 @@
 # Token Active
+
+👨‍💼 Great job. Really checking the `active` property was just a simple change, but making it typesafe with discriminated unions was a nice bonus!

exercises/03.auth-info/FINISHED.mdx

@@ -1 +1,3 @@
 # Auth Info
+
+Great work on this. You now know how to go from an auth token to user-specific information that will help you identify the user and their permissions in your server. Now on to getting that information into your MCP tools!