@Nick-Lucas Nick-Lucas commented Sep 21, 2025

expiresAt is currently an optional key in AuthInfo, but requireBearerAuth runtime validates that it is set. This is misleading when implementing an authenticated MCP Server because MCP Clients will only see that they're not authenticated after authentication due to their token being assumed as expired immediately.

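    // Excerpt of the runtime check: a missing or NaN expiresAt is rejected outright
    if (typeof authInfo.expiresAt !== 'number' || isNaN(authInfo.expiresAt)) {
      throw new InvalidTokenError("Token has no expiration time");
    } else if (authInfo.expiresAt < Date.now() / 1000) {
      // expiresAt is compared in seconds since the Unix epoch
      throw new InvalidTokenError("Token has expired");
    }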

Motivation and Context

Misleading types causing a broken auth flow

How Has This Been Tested?

Updated unit tests

Breaking Changes

The change to runtime validating this is set occurred in a previous release, so this fixes the type accuracy.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • [x] I have read the MCP Documentation
  • [x] My code follows the repository's style guidelines
  • [x] New and existing tests pass locally
  • [x] I have added appropriate error handling
  • [x] I have added or updated documentation as needed

Additional context

@Nick-Lucas Nick-Lucas requested review from a team as code owners September 21, 2025 14:18
@Nick-Lucas Nick-Lucas requested review from ochafik and ihrpr September 21, 2025 14:18
@Nick-Lucas Nick-Lucas force-pushed the mandatory-expiredat-authinfo branch from 7532303 to 46d620a September 21, 2025 14:23
@Nick-Lucas Nick-Lucas force-pushed the mandatory-expiredat-authinfo branch from 46d620a to c26f4a8 September 21, 2025 14:23
@Nick-Lucas Nick-Lucas changed the title from "Make expiresAt mandatory since it is validated as mandatory at runtime" to "Make AuthInfo.expiresAt mandatory since it is validated as mandatory at runtime" Sep 21, 2025
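
The failure mode described in this pull request, as an added example (not code from the PR or the SDK): a token verifier that omits expiresAt gets every token rejected by the quoted check, while one that copies the authorization server's `exp` (seconds) passes until expiry. `AuthInfoLike`, `IntrospectionResult`, `toAuthInfo`, `assertNotExpired` and `rejectionReason` are hypothetical names, and the local `InvalidTokenError` is a stand-in for the SDK's class.

```typescript
// Local stand-ins (assumptions): the SDK's real AuthInfo and InvalidTokenError are not imported.
interface AuthInfoLike {
  token: string;
  clientId: string;
  scopes: string[];
  expiresAt?: number; // seconds since the Unix epoch
}

class InvalidTokenError extends Error {}

// Same check as the snippet quoted in the PR description, with the clock injectable for testing.
function assertNotExpired(authInfo: AuthInfoLike, nowMs: number = Date.now()): void {
  if (typeof authInfo.expiresAt !== 'number' || isNaN(authInfo.expiresAt)) {
    throw new InvalidTokenError('Token has no expiration time');
  } else if (authInfo.expiresAt < nowMs / 1000) {
    throw new InvalidTokenError('Token has expired');
  }
}

// Constructed shape of an RFC 7662 style introspection response (`exp` is in seconds).
interface IntrospectionResult {
  active: boolean;
  client_id: string;
  scope: string;
  exp?: number;
}

// Hypothetical verifier mapping: refuses to build auth info without an expiry, so the
// problem surfaces in the verifier instead of as a rejected token after a successful login.
function toAuthInfo(token: string, res: IntrospectionResult): Required<AuthInfoLike> {
  if (!res.active) throw new InvalidTokenError('Token is not active');
  if (typeof res.exp !== 'number' || isNaN(res.exp)) {
    throw new InvalidTokenError('Authorization server returned no exp claim');
  }
  const scopes = res.scope.split(' ').filter(Boolean);
  return { token, clientId: res.client_id, scopes, expiresAt: res.exp };
}

// Returns the message the check would reject with, or null if the token is accepted.
function rejectionReason(authInfo: AuthInfoLike, nowMs: number): string | null {
  try {
    assertNotExpired(authInfo, nowMs);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}
```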