Merge branch 'main' into fix/router-prm-baseurl

Author: blustAI

README.md

@@ -898,7 +898,7 @@ const upgradeAuthTool = server.tool(
       // If we've just upgraded to 'write' permissions, we can still call 'upgradeAuth' 
       // but can only upgrade to 'admin'. 
       upgradeAuthTool.update({
-        paramSchema: { permission: z.enum(["admin"]) }, // change validation rules
+        paramsSchema: { permission: z.enum(["admin"]) }, // change validation rules
       })
     } else {
       // If we're now an admin, we no longer have anywhere to upgrade to, so fully remove that tool

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.17.2",
+  "version": "1.17.3",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

package.json

@@ -212,11 +212,11 @@ describe("OAuth Authorization", () => {
       expect(url.toString()).toBe("https://resource.example.com/.well-known/oauth-protected-resource/path?param=value");
     });
 
-    it("falls back to root discovery when path-aware discovery returns 404", async () => {
-      // First call (path-aware) returns 404
+    it.each([400, 401, 403, 404, 410, 422, 429])("falls back to root discovery when path-aware discovery returns %d", async (statusCode) => {
+      // First call (path-aware) returns 4xx
       mockFetch.mockResolvedValueOnce({
         ok: false,
-        status: 404,
+        status: statusCode,
       });
 
       // Second call (root fallback) succeeds
@@ -267,6 +267,20 @@ describe("OAuth Authorization", () => {
       expect(calls.length).toBe(2);
     });
 
+    it("throws error on 500 status and does not fallback", async () => {
+      // First call (path-aware) returns 500
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+      });
+
+      await expect(discoverOAuthProtectedResourceMetadata("https://resource.example.com/path/name"))
+        .rejects.toThrow();
+
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(1); // Should not attempt fallback
+    });
+
     it("does not fallback when the original URL is already at root path", async () => {
       // First call (path-aware for root) returns 404
       mockFetch.mockResolvedValueOnce({
@@ -907,7 +921,7 @@ describe("OAuth Authorization", () => {
       const metadata = await discoverAuthorizationServerMetadata("https://auth.example.com/tenant1");
 
       expect(metadata).toBeUndefined();
-      
+
       // Verify that all discovery URLs were attempted
       expect(mockFetch).toHaveBeenCalledTimes(8); // 4 URLs × 2 attempts each (with and without headers)
     });

src/client/auth.test.ts

@@ -359,6 +359,7 @@ async function authInternal(
     const fullInformation = await registerClient(authorizationServerUrl, {
       metadata,
       clientMetadata: provider.clientMetadata,
+      fetchFn,
     });
 
     await provider.saveClientInformation(fullInformation);
@@ -395,6 +396,7 @@ async function authInternal(
         refreshToken: tokens.refresh_token,
         resource,
         addClientAuthentication: provider.addClientAuthentication,
+        fetchFn,
       });
 
       await provider.saveTokens(newTokens);
@@ -569,7 +571,7 @@ async function tryMetadataDiscovery(
  * Determines if fallback to root discovery should be attempted
  */
 function shouldAttemptFallback(response: Response | undefined, pathname: string): boolean {
-  return !response || response.status === 404 && pathname !== '/';
+  return !response || (response.status >= 400 && response.status < 500) && pathname !== '/';
 }
 
 /**