( url: string, resolvedIP?: string | null )
| 19 | * SSRF-guarded fetch validates and pins each request itself. |
| 20 | */ |
| 21 | export async function detectMcpAuthType( |
| 22 | url: string, |
| 23 | resolvedIP?: string | null |
| 24 | ): Promise<McpAuthType> { |
| 25 | let parsed: URL |
| 26 | try { |
| 27 | parsed = new URL(url) |
| 28 | } catch { |
| 29 | return 'headers' |
| 30 | } |
| 31 | const isLoopbackHttp = parsed.protocol === 'http:' && isLoopbackHostname(parsed.hostname) |
| 32 | if (parsed.protocol !== 'https:' && !isLoopbackHttp) { |
| 33 | return 'headers' |
| 34 | } |
| 35 | |
| 36 | const probeFetch: FetchLike = resolvedIP |
| 37 | ? createPinnedFetch(resolvedIP) |
| 38 | : createSsrfGuardedMcpFetch() |
| 39 | |
| 40 | const controller = new AbortController() |
| 41 | const timer = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS) |
| 42 | |
| 43 | try { |
| 44 | const res = await probeFetch(url, { |
| 45 | method: 'POST', |
| 46 | redirect: 'manual', |
| 47 | headers: { |
| 48 | 'Content-Type': 'application/json', |
| 49 | Accept: 'application/json, text/event-stream', |
| 50 | }, |
| 51 | body: JSON.stringify({ |
| 52 | jsonrpc: '2.0', |
| 53 | id: 1, |
| 54 | method: 'initialize', |
| 55 | params: { |
| 56 | protocolVersion: '2025-06-18', |
| 57 | capabilities: {}, |
| 58 | clientInfo: { name: 'sim-platform-probe', version: '1.0.0' }, |
| 59 | }, |
| 60 | }), |
| 61 | signal: controller.signal, |
| 62 | }) |
| 63 | |
| 64 | const sessionId = res.headers.get('mcp-session-id') |
| 65 | if (sessionId) { |
| 66 | void closeMcpSession(url, sessionId, probeFetch) |
| 67 | } |
| 68 | |
| 69 | if (res.status === 401) { |
| 70 | const params = extractWWWAuthenticateParams(res) |
| 71 | // Per RFC 9728, an OAuth-protected resource signals OAuth via |
| 72 | // `resource_metadata=...` in WWW-Authenticate. `scope=...` is also an |
| 73 | // OAuth-specific hint. A bare `error="invalid_token"` is generic Bearer |
| 74 | // and used by plain API-key servers too, so it must not classify as OAuth. |
| 75 | if (params.resourceMetadataUrl || params.scope) { |
| 76 | return 'oauth' |
| 77 | } |
| 78 | return 'headers' |
no test coverage detected