feat: Allow verifyToken to throw errors (#63)

Author: max-stytch

src/next/auth-wrapper.ts

@@ -1,10 +1,10 @@
-import { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
+import {AuthInfo} from "@modelcontextprotocol/sdk/server/auth/types.js";
 import {
   InvalidTokenError,
   InsufficientScopeError,
   ServerError,
 } from "@modelcontextprotocol/sdk/server/auth/errors.js";
-import { withAuthContext } from "./auth-context";
+import {withAuthContext} from "./auth-context";
 
 declare global {
   interface Request {
@@ -29,16 +29,32 @@ export function withMcpAuth(
   } = {}
 ) {
   return async (req: Request) => {
-    try {
-      const authHeader = req.headers.get("Authorization");
-      const [type, token] = authHeader?.split(" ") || [];
+    const origin = new URL(req.url).origin;
+    const resourceMetadataUrl = `${origin}${resourceMetadataPath}`;
 
-      // Only support bearer token as per the MCP spec
-      // https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization#2-6-1-token-requirements
-      const bearerToken = type?.toLowerCase() === "bearer" ? token : undefined;
+    const authHeader = req.headers.get("Authorization");
+    const [type, token] = authHeader?.split(" ") || [];
 
-      const authInfo = await verifyToken(req, bearerToken);
+    // Only support bearer token as per the MCP spec
+    // https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization#2-6-1-token-requirements
+    const bearerToken = type?.toLowerCase() === "bearer" ? token : undefined;
 
+    let authInfo: AuthInfo | undefined;
+    try {
+      authInfo = await verifyToken(req, bearerToken);
+    } catch (error) {
+      console.error("Unexpected error authenticating bearer token:", error);
+      const publicError = new InvalidTokenError("Invalid token");
+      return new Response(JSON.stringify(publicError.toResponseObject()), {
+        status: 401,
+        headers: {
+          "WWW-Authenticate": `Bearer error="${publicError.errorCode}", error_description="${publicError.message}", resource_metadata="${resourceMetadataUrl}"`,
+          "Content-Type": "application/json",
+        },
+      });
+    }
+
+    try {
       if (required && !authInfo) {
         throw new InvalidTokenError("No authorization provided");
       }
@@ -50,7 +66,7 @@ export function withMcpAuth(
       // Check if token has the required scopes (if any)
       if (requiredScopes?.length) {
         const hasAllScopes = requiredScopes.every((scope) =>
-          authInfo.scopes.includes(scope)
+          authInfo!.scopes.includes(scope)
         );
 
         if (!hasAllScopes) {
@@ -68,9 +84,6 @@ export function withMcpAuth(
 
       return withAuthContext(authInfo, () => handler(req));
     } catch (error) {
-      const origin = new URL(req.url).origin;
-      const resourceMetadataUrl = `${origin}${resourceMetadataPath}`;
-
       if (error instanceof InvalidTokenError) {
         return new Response(JSON.stringify(error.toResponseObject()), {
           status: 401,

tests/e2e.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import {describe, it, expect, beforeEach, afterEach, vi, Mock} from "vitest";
 import { z } from "zod";
 import {
   createServer,
@@ -16,6 +16,7 @@ describe("e2e", () => {
   let server: Server;
   let endpoint: string;
   let client: Client;
+  let verifyTokenMock: Mock;
 
   beforeEach(async () => {
     const _mcpHandler = createMcpHandler(
@@ -55,7 +56,7 @@ describe("e2e", () => {
       }
     );
 
-    const mcpHandler = withMcpAuth(_mcpHandler, (req) => {
+    verifyTokenMock = vi.fn((req) => {
       const header = req.headers.get("Authorization");
       if (header?.startsWith("Bearer ")) {
         const token = header.slice(7).trim();
@@ -66,7 +67,9 @@ describe("e2e", () => {
         });
       }
       return undefined;
-    });
+    })
+
+    const mcpHandler = withMcpAuth(_mcpHandler, verifyTokenMock);
 
     server = createServer(nodeToWebHandler(mcpHandler));
     await new Promise<void>((resolve) => {
@@ -173,6 +176,37 @@ describe("e2e", () => {
       "Tool echo: Are you there? for ACCESS_TOKEN"
     );
   });
+
+  it("should return an invalid token error when verifyToken fails", async () => {
+    const authenticatedTransport = new StreamableHTTPClientTransport(
+      new URL(`${endpoint}/mcp`),
+      {
+        requestInit: {
+          headers: {
+            Authorization: `Bearer ACCESS_TOKEN`,
+          },
+        },
+      }
+    );
+    const authenticatedClient = new Client(
+      {
+        name: "example-client",
+        version: "1.0.0",
+      },
+      {
+        capabilities: {
+          prompts: {},
+          resources: {},
+          tools: {},
+        },
+      }
+    );
+    verifyTokenMock.mockImplementation(() => {
+      throw new Error('JWT signature failed, or something')
+    })
+
+    expect(() => authenticatedClient.connect(authenticatedTransport)).rejects.toThrow('Invalid token')
+  });
 });
 
 function nodeToWebHandler(