chrisdickinson
diff --git a/‎src/client/auth.test.ts‎
Lines changed: 0 additions & 60 deletions b/‎src/client/auth.test.ts‎
Lines changed: 0 additions & 60 deletions
@@ -1030,65 +1030,5 @@ describe("OAuth Authorization", () => {
  expect(body.get("grant_type")).toBe("refresh_token");
  expect(body.get("refresh_token")).toBe("refresh123");
  });
-
- it("verifies resource parameter distinguishes between different paths on same domain", async () => {
- // Mock successful metadata discovery
- mockFetch.mockImplementation((url) => {
- const urlString = url.toString();
- if (urlString.includes("/.well-known/oauth-authorization-server")) {
- return Promise.resolve({
- ok: true,
- status: 200,
- json: async () => ({
- issuer: "https://auth.example.com",
- authorization_endpoint: "https://auth.example.com/authorize",
- token_endpoint: "https://auth.example.com/token",
- response_types_supported: ["code"],
- code_challenge_methods_supported: ["S256"],
- }),
- });
- }
- return Promise.resolve({ ok: false, status: 404 });
- });
-
- // Mock provider methods
- (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
- client_id: "test-client",
- client_secret: "test-secret",
- });
- (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
- (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
- (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
-
- // Test with different resource paths on same domain
- // This tests the security fix that prevents token confusion between
- // multiple MCP servers on the same domain
- const result1 = await auth(mockProvider, {
- serverUrl: "https://api.example.com/mcp-server-1/v1",
- });
-
- expect(result1).toBe("REDIRECT");
-
- const redirectCall1 = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
- const authUrl1: URL = redirectCall1[0];
- expect(authUrl1.searchParams.get("resource")).toBe("https://api.example.com/mcp-server-1/v1");
-
- // Clear mock calls
- (mockProvider.redirectToAuthorization as jest.Mock).mockClear();
-
- // Test with different path on same domain
- const result2 = await auth(mockProvider, {
- serverUrl: "https://api.example.com/mcp-server-2/v1",
- });
-
- expect(result2).toBe("REDIRECT");
-
- const redirectCall2 = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
- const authUrl2: URL = redirectCall2[0];
- expect(authUrl2.searchParams.get("resource")).toBe("https://api.example.com/mcp-server-2/v1");
- 
- // Verify that the two resources are different (critical for security)
- expect(authUrl1.searchParams.get("resource")).not.toBe(authUrl2.searchParams.get("resource"));
- });
  });
 });