fix(agent-readiness): host-aware oauth-protected-resource endpoint (#3351)

* fix(agent-readiness): host-aware oauth-protected-resource endpoint isitagentready.com enforces that `authorization_servers[*]` share origin with `resource` (same-origin rule, matches Cloudflare's mcp.cloudflare.com reference — RFC 9728 §3 permits split origins but the scanner is stricter). A single static file served from 3 hosts (apex/www/api) can only satisfy one origin at a time. Replacing with an edge function that derives both `resource` and `authorization_servers` from the request `Host` header gives each origin self-consistent metadata. No server-side behavior changes: api/oauth/*.js token issuer doesn't bind tokens to a specific resource value (verified in the previous PR's review). * fix(agent-readiness): host-derive resource_metadata + runtime guardrails Addresses P1/P2 review on this PR: - api/mcp.ts (P1): WWW-Authenticate resource_metadata was still hardcoded to apex even when the client hit api.worldmonitor.app. Derive from request.headers.get('host') so each client gets a pointer matching their own origin — consistent with the host- aware edge function this PR introduces. - api/oauth-protected-resource.ts (P2): add Vary: Host so any intermediate cache keys by hostname (belt + suspenders on top of Vercel's routing). - tests/deploy-config.test.mjs (P2): replace regex-on-source with a runtime handler invocation asserting origin-matching metadata for apex/www/api hosts, and tighten the api/mcp.ts assertion to require host-derived resource_metadata construction. --------- Co-authored-by: Elie Habib <elie@worldmonitor.app>
2026-04-25 17:14:57 +02:00 · 2026-04-23 21:17:32 +04:00
parent fc94829ce7
commit d75bde4e03
6 changed files with 134 additions and 76 deletions
--- a/api/api-route-exceptions.json
+++ b/api/api-route-exceptions.json
@@ -37,6 +37,13 @@
      "owner": "@SebastienMelki",
      "removal_issue": null
    },
    {
      "path": "api/oauth-protected-resource.ts",
      "category": "external-protocol",
      "reason": "RFC 9728 OAuth Protected Resource metadata. Dynamic per-host to satisfy scanner origin-match rules — shape dictated by RFC 9728.",
      "owner": "@SebastienMelki",
      "removal_issue": null
    },
    {
      "path": "api/discord/oauth/callback.ts",
      "category": "external-protocol",
--- a/api/mcp.ts
+++ b/api/mcp.ts
@@ -830,6 +830,13 @@ export default async function handler(req: Request): Promise<Response> {
  if (origin && origin !== 'https://claude.ai' && origin !== 'https://claude.com') {
    return new Response('Forbidden', { status: 403, headers: corsHeaders });
  }
  // Host-derived resource_metadata pointer: a client probing api.worldmonitor.app/mcp
  // must see a pointer at its own origin, not the apex — otherwise the 401's
  // WWW-Authenticate points at apex metadata whose `resource` field is apex too,
  // and same-origin scanners (isitagentready.com, Cloudflare mcp.cloudflare.com)
  // flag the mismatch. Matches the host-extraction in api/oauth-protected-resource.ts.
  const requestHost = req.headers.get('host') ?? new URL(req.url).host;
  const resourceMetadataUrl = `https://${requestHost}/.well-known/oauth-protected-resource`;
  // Auth chain (in priority order):
  //   1. Authorization: Bearer <oauth_token> — issued by /oauth/token (spec-compliant OAuth 2.0)
  //   2. X-WorldMonitor-Key header — direct API key (curl, custom integrations)
@@ -853,7 +860,7 @@ export default async function handler(req: Request): Promise<Response> {
      // Bearer token present but unresolvable — expired or invalid UUID
      return new Response(
        JSON.stringify({ jsonrpc: '2.0', id: null, error: { code: -32001, message: 'Invalid or expired OAuth token. Re-authenticate via /oauth/token.' } }),
-        { status: 401, headers: { 'Content-Type': 'application/json', 'WWW-Authenticate': 'Bearer realm="worldmonitor", error="invalid_token", resource_metadata="https://worldmonitor.app/.well-known/oauth-protected-resource"', ...corsHeaders } }
+        { status: 401, headers: { 'Content-Type': 'application/json', 'WWW-Authenticate': `Bearer realm="worldmonitor", error="invalid_token", resource_metadata="${resourceMetadataUrl}"`, ...corsHeaders } }
      );
    }
  } else {
@@ -861,7 +868,7 @@ export default async function handler(req: Request): Promise<Response> {
    if (!candidateKey) {
      return new Response(
        JSON.stringify({ jsonrpc: '2.0', id: null, error: { code: -32001, message: 'Authentication required. Use OAuth (/oauth/token) or pass your API key via X-WorldMonitor-Key header.' } }),
-        { status: 401, headers: { 'Content-Type': 'application/json', 'WWW-Authenticate': 'Bearer realm="worldmonitor", resource_metadata="https://worldmonitor.app/.well-known/oauth-protected-resource"', ...corsHeaders } }
+        { status: 401, headers: { 'Content-Type': 'application/json', 'WWW-Authenticate': `Bearer realm="worldmonitor", resource_metadata="${resourceMetadataUrl}"`, ...corsHeaders } }
      );
    }
    const validKeys = (process.env.WORLDMONITOR_VALID_KEYS || '').split(',').filter(Boolean);
--- a/api/oauth-protected-resource.ts
+++ b/api/oauth-protected-resource.ts
@@ -0,0 +1,46 @@
 /**
 * GET /.well-known/oauth-protected-resource (rewritten to /api/oauth-protected-resource)
 *
 * RFC 9728 OAuth Protected Resource Metadata, served dynamically so every
 * host that terminates the request (apex worldmonitor.app, www, or
 * api.worldmonitor.app) returns self-consistent `resource` +
 * `authorization_servers` pointing at itself.
 *
 * Why dynamic: scanners like isitagentready.com (and Cloudflare's reference
 * at mcp.cloudflare.com) enforce that `authorization_servers[*]` share
 * origin with `resource`. A single static file served from 3 hosts can only
 * satisfy one origin at a time; deriving both fields from the request Host
 * header makes the response correct regardless of which host is scanned.
 *
 * RFC 9728 §3 permits split origins, but the scanner is stricter — and
 * same-origin by construction is simpler than arguing with scanner authors.
 */
 export const config = { runtime: 'edge' };
 export default function handler(req: Request): Response {
  const url = new URL(req.url);
  const host = req.headers.get('host') ?? url.host;
  const origin = `https://${host}`;
  const body = JSON.stringify({
    resource: origin,
    authorization_servers: [origin],
    bearer_methods_supported: ['header'],
    scopes_supported: ['mcp'],
  });
  return new Response(body, {
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      'Cache-Control': 'public, max-age=3600',
      'Access-Control-Allow-Origin': '*',
      // Response body varies by Host (resource/authorization_servers derived
      // from it). Any intermediate cache keying on path alone could serve
      // wrong-origin metadata across hosts. Vercel's own router is per-host,
      // but this is belt-and-braces against downstream caches.
      'Vary': 'Host',
    },
  });
 }
--- a/public/.well-known/oauth-protected-resource
+++ b/public/.well-known/oauth-protected-resource
@@ -1,6 +0,0 @@
 {
  "resource": "https://worldmonitor.app",
  "authorization_servers": ["https://api.worldmonitor.app"],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["mcp"]
 }
--- a/tests/deploy-config.test.mjs
+++ b/tests/deploy-config.test.mjs
@@ -376,72 +376,83 @@ describe('agent readiness: api-catalog + openapi build', () => {
  });
 });
-// The MCP endpoint and OAuth protected-resource metadata must share an
+// The MCP endpoint and OAuth protected-resource metadata must be
-// origin — a scanner or client that enters from a mismatched host sees
+// self-consistent per host. The static file that used to live at
-// "this server says its resource lives on a different origin", which
+// public/.well-known/oauth-protected-resource was replaced with a
-// violates RFC 9728 and breaks the PRM discovery flow in strict clients.
+// dynamic edge function at api/oauth-protected-resource.ts that
-// The resource/authorization-server split is intentional: apex serves
+// derives `resource` and `authorization_servers` from the request
-// the MCP transport + resource metadata, api.worldmonitor.app serves
+// Host header, so every origin (apex / www / api) sees same-origin
-// the OAuth endpoints. Keep them in lockstep — all resource-side
+// metadata regardless of which host the scanner entered from.
-// pointers (MCP server-card transport.endpoint, MCP server-card
+// Scanners like isitagentready.com (and Cloudflare's reference at
-// authentication.resource, oauth-protected-resource.resource, and every
+// mcp.cloudflare.com) enforce that `authorization_servers[*]` share
-// WWW-Authenticate resource_metadata pointer emitted from api/mcp.ts)
+// origin with `resource` — this construction guarantees that.
 // must agree, while authorization_servers stays on the api host.
 describe('agent readiness: MCP/OAuth origin alignment', () => {
-  const mcpCard = JSON.parse(
+  it('oauth-protected-resource handler returns origin-matching metadata per host', async () => {
-    readFileSync(resolve(__dirname, '../public/.well-known/mcp/server-card.json'), 'utf-8')
+    // Runtime test (not source-regex): dynamically import the edge handler
-  );
+    // and invoke it against synthetic Host headers to prove the response
-  const oauthMeta = JSON.parse(
+    // is actually same-origin per host, with correct Vary + Content-Type.
-    readFileSync(resolve(__dirname, '../public/.well-known/oauth-protected-resource'), 'utf-8')
+    const mod = await import('../api/oauth-protected-resource.ts');
-  );
+    const handler = mod.default;
    assert.equal(typeof handler, 'function', 'handler must be the default export');
-  const mcpEndpointOrigin = new URL(mcpCard.transport.endpoint).origin;
+    const hosts = ['worldmonitor.app', 'www.worldmonitor.app', 'api.worldmonitor.app'];
-  const resourceOrigin = new URL(oauthMeta.resource).origin;
+    for (const host of hosts) {
-
+      const req = new Request(`https://${host}/.well-known/oauth-protected-resource`, {
-  it('MCP transport.endpoint origin matches OAuth metadata resource origin', () => {
+        headers: { host },
-    assert.equal(
+      });
-      mcpEndpointOrigin,
+      const res = await handler(req);
-      resourceOrigin,
+      assert.equal(res.status, 200, `status 200 for ${host}`);
-      'MCP transport.endpoint and OAuth resource must share the same origin'
+      assert.equal(res.headers.get('content-type'), 'application/json', `JSON for ${host}`);
-    );
+      assert.equal(res.headers.get('vary'), 'Host', `Vary: Host for ${host}`);
-  });
+      const json = await res.json();
-
+      assert.equal(json.resource, `https://${host}`, `resource matches ${host}`);
-  it('MCP card authentication.resource equals OAuth metadata resource exactly', () => {
+      assert.deepEqual(json.authorization_servers, [`https://${host}`], `auth_servers match ${host}`);
-    assert.equal(
+      assert.deepEqual(json.bearer_methods_supported, ['header']);
-      mcpCard.authentication.resource,
+      assert.deepEqual(json.scopes_supported, ['mcp']);
      oauthMeta.resource,
      'MCP card authentication.resource must equal OAuth metadata resource'
    );
  });
  it('authorization_servers stay on api.worldmonitor.app (intentional resource/AS split)', () => {
    assert.ok(
      Array.isArray(oauthMeta.authorization_servers) && oauthMeta.authorization_servers.length > 0,
      'oauth-protected-resource.authorization_servers must be a non-empty array'
    );
    for (const s of oauthMeta.authorization_servers) {
      assert.equal(
        new URL(s).origin,
        'https://api.worldmonitor.app',
        `authorization_servers entry must stay on api.worldmonitor.app, got: ${s}`
      );
    }
  });
-  it('api/mcp.ts WWW-Authenticate resource_metadata pointers share origin with oauth-protected-resource', () => {
+  it('MCP server card authentication.resource is a valid https URL on a known host', () => {
-    const mcpSource = readFileSync(resolve(__dirname, '../api/mcp.ts'), 'utf-8');
+    const mcpCard = JSON.parse(
-    const matches = [...mcpSource.matchAll(/resource_metadata="([^"]+)"/g)];
+      readFileSync(resolve(__dirname, '../public/.well-known/mcp/server-card.json'), 'utf-8')
    assert.ok(
      matches.length > 0,
      'api/mcp.ts should emit resource_metadata pointers in its 401 WWW-Authenticate headers'
    );
-    for (const [, url] of matches) {
+    const u = new URL(mcpCard.authentication.resource);
-      assert.equal(
+    assert.equal(u.protocol, 'https:');
-        new URL(url).origin,
+    assert.ok(
-        resourceOrigin,
+      ['worldmonitor.app', 'www.worldmonitor.app', 'api.worldmonitor.app'].includes(u.host),
-        `api/mcp.ts resource_metadata pointer ${url} must share origin with oauth-protected-resource`
+      `unexpected host: ${u.host}`
-      );
+    );
-    }
+  });
  it('api/mcp.ts resource_metadata is host-derived, not hardcoded', () => {
    const source = readFileSync(resolve(__dirname, '../api/mcp.ts'), 'utf-8');
    // Must NOT contain a hardcoded apex or api URL for resource_metadata —
    // that regressed once (PR #3351 review: apex pointer emitted from
    // api.worldmonitor.app/mcp 401s) and the grep-only test didn't catch it.
    assert.ok(
      !/resource_metadata="https:\/\/(?:api\.)?worldmonitor\.app\/\.well-known\//.test(source),
      'api/mcp.ts must not hardcode resource_metadata URL — derive from request host'
    );
    // Must contain a template-literal construction that uses a host variable.
    assert.match(
      source,
      /resource_metadata="\$\{[A-Za-z_][A-Za-z0-9_]*\}"|`[^`]*resource_metadata="\$\{[^}]+\}"/,
      'api/mcp.ts must construct resource_metadata from a host-derived variable'
    );
    // Must actually read the request host header somewhere in the file.
    assert.match(
      source,
      /request\.headers\.get\(['"]host['"]\)|req\.headers\.get\(['"]host['"]\)/i,
      'api/mcp.ts should read the request host header'
    );
  });
  it('vercel.json rewrites /.well-known/oauth-protected-resource to the edge fn', () => {
    const rewrite = vercelConfig.rewrites.find(
      (r) => r.source === '/.well-known/oauth-protected-resource'
    );
    assert.ok(rewrite, 'expected a rewrite for /.well-known/oauth-protected-resource');
    assert.equal(rewrite.destination, '/api/oauth-protected-resource');
  });
 });
--- a/vercel.json
+++ b/vercel.json
@@ -12,6 +12,7 @@
    { "source": "/oauth/token", "destination": "/api/oauth/token" },
    { "source": "/oauth/register", "destination": "/api/oauth/register" },
    { "source": "/oauth/authorize", "destination": "/api/oauth/authorize" },
    { "source": "/.well-known/oauth-protected-resource", "destination": "/api/oauth-protected-resource" },
    { "source": "/((?!api|mcp|oauth|assets|blog|docs|favico|map-styles|data|textures|pro|sw\\.js|workbox-[a-f0-9]+\\.js|manifest\\.webmanifest|offline\\.html|robots\\.txt|sitemap\\.xml|llms\\.txt|llms-full\\.txt|openapi\\.yaml|\\.well-known|wm-widget-sandbox\\.html).*)", "destination": "/index.html" }
  ],
  "headers": [
@@ -39,14 +40,6 @@
        { "key": "Access-Control-Allow-Headers", "value": "Content-Type, Authorization" }
      ]
    },
    {
      "source": "/.well-known/oauth-protected-resource",
      "headers": [
        { "key": "Content-Type", "value": "application/json" },
        { "key": "Access-Control-Allow-Origin", "value": "*" },
        { "key": "Cache-Control", "value": "public, max-age=3600" }
      ]
    },
    {
      "source": "/.well-known/oauth-authorization-server",
      "headers": [