feat: add handler for OAuth authorization server metadata requests

Author: kentcdodds

exercises/99.finished/99.solution/src/auth.ts

@@ -102,3 +102,22 @@ export async function handleOAuthProtectedResourceRequest(request: Request) {
 		scopes_supported: ['read', 'write'],
 	})
 }
+
+/**
+ * Handles requests for OAuth authorization server metadata.
+ * Fetches the metadata from the auth server and forwards it to the client.
+ * This should only be used for backwards compatibility. Newer clients should
+ * use `/.well-known/oauth-protected-resource/mcp` to discover the authorization
+ * server and make this request directly to the authorization server instead.
+ */
+export async function handleOAuthAuthorizationServerRequest() {
+	const metadataUrl = new URL(
+		'/.well-known/oauth-authorization-server',
+		EPIC_ME_AUTH_SERVER_URL,
+	)
+
+	const response = await fetch(metadataUrl.toString())
+	const data = await response.json()
+
+	return Response.json(data)
+}

exercises/99.finished/99.solution/src/index.ts

@@ -10,6 +10,7 @@ import {
 	type AuthInfo,
 	getAuthInfo,
 	handleInsufficientScope,
+	handleOAuthAuthorizationServerRequest,
 	handleOAuthProtectedResourceRequest,
 	handleUnauthorized,
 	validateScopes,
@@ -96,6 +97,11 @@ export default {
 				return handleOAuthProtectedResourceRequest(request)
 			}
 
+			// for backwards compatibility with old clients that think we're the authorization server
+			if (url.pathname === '/.well-known/oauth-authorization-server') {
+				return handleOAuthAuthorizationServerRequest()
+			}
+
 			if (url.pathname === '/mcp') {
 				const authInfo = await getAuthInfo(request)
 				if (!authInfo) return handleUnauthorized(request)