MCP Auth

index.test.ts•2.45 kB

import { test, expect, inject } from 'vitest' const mcpServerPort = inject('mcpServerPort') const mcpServerUrl = `http://localhost:${mcpServerPort}` async function makeInitRequest(accessToken?: string) { const response = await fetch(`${mcpServerUrl}/mcp`, { method: 'POST', headers: { 'content-type': 'application/json', accept: 'application/json, text/event-stream', ...(accessToken ? { authorization: `Bearer ${accessToken}` } : {}), }, body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'initialize', params: { protocolVersion: '2024-11-05', capabilities: {}, clientInfo: { name: 'Test Client', version: '1.0.0', }, }, }), }) return response } test(`MCP server introspects tokens before processing requests`, async () => { // Test that the MCP server attempts to introspect tokens and validates them // The solution should introspect the token and fail when the token is invalid // The problem version only checks if the authorization header exists const testToken = '1:1:test-token-id' // Make an initialization request to the MCP server with an invalid token const mcpResponse = await makeInitRequest(testToken) // The solution implementation should reject invalid tokens after introspection // The current solution throws a ZodError when parsing invalid introspection response, resulting in 500 // The problem version would accept any token and let the MCP server handle it (returning 200) expect( mcpResponse.status, '🚨 Solution should reject invalid tokens after introspection', ).toBe(500) // Verify that the server attempted introspection by checking the error response const responseText = await mcpResponse.text() expect( responseText, '🚨 Should get an error response indicating introspection failure', ).toContain('ZodError') }) test(`MCP server rejects requests without authorization header`, async () => { // Make an initialization request without any authorization header const mcpResponse = await makeInitRequest() expect( mcpResponse.status, '🚨 MCP server should return 401 for requests without authorization', ).toBe(401) const wwwAuthenticate = mcpResponse.headers.get('WWW-Authenticate') expect( wwwAuthenticate, '🚨 Response should include WWW-Authenticate header', ).toBeTruthy() expect( wwwAuthenticate, '🚨 WWW-Authenticate should include Bearer realm', ).toContain('Bearer realm="EpicMe"') })

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/rubenpenap/mcp-auth'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

index.test.ts•2.45 kB