modelcontextprotocol
diff --git a/‎CLAUDE.md
Lines changed: 25 additions & 0 deletions b/‎CLAUDE.md
Lines changed: 25 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 19 additions & 8 deletions b/‎README.md
Lines changed: 19 additions & 8 deletions
diff --git a/‎package-lock.json
Lines changed: 15 additions & 9 deletions b/‎package-lock.json
Lines changed: 15 additions & 9 deletions
diff --git a/‎package.json
Lines changed: 3 additions & 1 deletion b/‎package.json
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/client/auth.test.ts
Lines changed: 62 additions & 0 deletions b/‎src/client/auth.test.ts
Lines changed: 62 additions & 0 deletions
diff --git a/‎src/client/auth.ts
Lines changed: 18 additions & 4 deletions b/‎src/client/auth.ts
Lines changed: 18 additions & 4 deletions
@@ -0,0 +1,25 @@
+# MCP TypeScript SDK Guide
+
+## Build & Test Commands
+```
+npm run build        # Build ESM and CJS versions
+npm run lint         # Run ESLint
+npm test             # Run all tests
+npx jest path/to/file.test.ts  # Run specific test file
+npx jest -t "test name"        # Run tests matching pattern
+```
+
+## Code Style Guidelines
+- **TypeScript**: Strict type checking, ES modules, explicit return types
+- **Naming**: PascalCase for classes/types, camelCase for functions/variables
+- **Files**: Lowercase with hyphens, test files with `.test.ts` suffix
+- **Imports**: ES module style, include `.js` extension, group imports logically
+- **Error Handling**: Use TypeScript's strict mode, explicit error checking in tests
+- **Formatting**: 2-space indentation, semicolons required, single quotes preferred
+- **Testing**: Co-locate tests with source files, use descriptive test names
+- **Comments**: JSDoc for public APIs, inline comments for complex logic
+
+## Project Structure
+- `/src`: Source code with client, server, and shared modules
+- Tests alongside source files with `.test.ts` suffix
+- Node.js >= 18 required
@@ -211,7 +211,7 @@ await server.connect(transport);
 For remote servers, start a web server with a Server-Sent Events (SSE) endpoint, and a separate endpoint for the client to send its messages to:
 
 ```typescript
-import express from "express";
+import express, { Request, Response } from "express";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 
@@ -224,16 +224,27 @@ const server = new McpServer({
 
 const app = express();
 
-app.get("/sse", async (req, res) => {
-  const transport = new SSEServerTransport("/messages", res);
+// to support multiple simultaneous connections we have a lookup object from
+// sessionId to transport
+const transports: {[sessionId: string]: SSEServerTransport} = {};
+
+app.get("/sse", async (_: Request, res: Response) => {
+  const transport = new SSEServerTransport('/messages', res);
+  transports[transport.sessionId] = transport;
+  res.on("close", () => {
+    delete transports[transport.sessionId];
+  });
   await server.connect(transport);
 });
 
-app.post("/messages", async (req, res) => {
-  // Note: to support multiple simultaneous connections, these messages will
-  // need to be routed to a specific matching transport. (This logic isn't
-  // implemented here, for simplicity.)
-  await transport.handlePostMessage(req, res);
+app.post("/messages", async (req: Request, res: Response) => {
+  const sessionId = req.query.sessionId as string;
+  const transport = transports[sessionId];
+  if (transport) {
+    await transport.handlePostMessage(req, res);
+  } else {
+    res.status(400).send('No transport found for sessionId');
+  }
 });
 
 app.listen(3001);
 
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.6.0",
+  "version": "1.8.0",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -48,6 +48,7 @@
   "dependencies": {
     "content-type": "^1.0.5",
     "cors": "^2.8.5",
+    "cross-spawn": "^7.0.3",
     "eventsource": "^3.0.2",
     "express": "^5.0.1",
     "express-rate-limit": "^7.5.0",
@@ -61,6 +62,7 @@
     "@jest-mock/express": "^3.0.0",
     "@types/content-type": "^1.1.8",
     "@types/cors": "^2.8.17",
+    "@types/cross-spawn": "^6.0.6",
     "@types/eslint__js": "^8.42.3",
     "@types/eventsource": "^1.1.15",
     "@types/express": "^5.0.0",
 
@@ -43,6 +43,64 @@ describe("OAuth Authorization", () => {
       });
     });
 
+    it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
+      // Set up a counter to control behavior
+      let callCount = 0;
+
+      // Mock implementation that changes behavior based on call count
+      mockFetch.mockImplementation((_url, _options) => {
+        callCount++;
+
+        if (callCount === 1) {
+          // First call with MCP header - fail with TypeError (simulating CORS error)
+          // We need to use TypeError specifically because that's what the implementation checks for
+          return Promise.reject(new TypeError("Network error"));
+        } else {
+          // Second call without header - succeed
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => validMetadata
+          });
+        }
+      });
+
+      // Should succeed with the second call
+      const metadata = await discoverOAuthMetadata("https://auth.example.com");
+      expect(metadata).toEqual(validMetadata);
+
+      // Verify both calls were made
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+
+      // Verify first call had MCP header
+      expect(mockFetch.mock.calls[0][1]?.headers).toHaveProperty("MCP-Protocol-Version");
+    });
+
+    it("throws an error when all fetch attempts fail", async () => {
+      // Set up a counter to control behavior
+      let callCount = 0;
+
+      // Mock implementation that changes behavior based on call count
+      mockFetch.mockImplementation((_url, _options) => {
+        callCount++;
+
+        if (callCount === 1) {
+          // First call - fail with TypeError
+          return Promise.reject(new TypeError("First failure"));
+        } else {
+          // Second call - fail with different error
+          return Promise.reject(new Error("Second failure"));
+        }
+      });
+
+      // Should fail with the second error
+      await expect(discoverOAuthMetadata("https://auth.example.com"))
+        .rejects.toThrow("Second failure");
+
+      // Verify both calls were made
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+    });
+
     it("returns undefined when discovery endpoint returns 404", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: false,
@@ -192,6 +250,7 @@ describe("OAuth Authorization", () => {
         clientInformation: validClientInfo,
         authorizationCode: "code123",
         codeVerifier: "verifier123",
+        redirectUri: "http://localhost:3000/callback",
       });
 
       expect(tokens).toEqual(validTokens);
@@ -213,6 +272,7 @@ describe("OAuth Authorization", () => {
       expect(body.get("code_verifier")).toBe("verifier123");
       expect(body.get("client_id")).toBe("client123");
       expect(body.get("client_secret")).toBe("secret123");
+      expect(body.get("redirect_uri")).toBe("http://localhost:3000/callback");
     });
 
     it("validates token response schema", async () => {
@@ -230,6 +290,7 @@ describe("OAuth Authorization", () => {
           clientInformation: validClientInfo,
           authorizationCode: "code123",
           codeVerifier: "verifier123",
+          redirectUri: "http://localhost:3000/callback",
         })
       ).rejects.toThrow();
     });
@@ -245,6 +306,7 @@ describe("OAuth Authorization", () => {
           clientInformation: validClientInfo,
           authorizationCode: "code123",
           codeVerifier: "verifier123",
+          redirectUri: "http://localhost:3000/callback",
         })
       ).rejects.toThrow("Token exchange failed");
     });
 
@@ -115,6 +115,7 @@ export async function auth(
       clientInformation,
       authorizationCode,
       codeVerifier,
+      redirectUri: provider.redirectUrl,
     });
 
     await provider.saveTokens(tokens);
@@ -163,11 +164,21 @@ export async function discoverOAuthMetadata(
   opts?: { protocolVersion?: string },
 ): Promise<OAuthMetadata | undefined> {
   const url = new URL("/.well-known/oauth-authorization-server", serverUrl);
-  const response = await fetch(url, {
-    headers: {
-      "MCP-Protocol-Version": opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION
+  let response: Response;
+  try {
+    response = await fetch(url, {
+      headers: {
+        "MCP-Protocol-Version": opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION
+      }
+    });
+  } catch (error) {
+    // CORS errors come back as TypeError
+    if (error instanceof TypeError) {
+      response = await fetch(url);
+    } else {
+      throw error;
     }
-  });
+  }
 
   if (response.status === 404) {
     return undefined;
@@ -249,11 +260,13 @@ export async function exchangeAuthorization(
     clientInformation,
     authorizationCode,
     codeVerifier,
+    redirectUri,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     authorizationCode: string;
     codeVerifier: string;
+    redirectUri: string | URL;
   },
 ): Promise<OAuthTokens> {
   const grantType = "authorization_code";
@@ -280,6 +293,7 @@ export async function exchangeAuthorization(
     client_id: clientInformation.client_id,
     code: authorizationCode,
     code_verifier: codeVerifier,
+    redirect_uri: String(redirectUri),
   });
 
   if (clientInformation.client_secret) {