Returning undefined from discoverOAuthMetadata for CORS errors

geelen · geelen · commit 2301ec9d1d33 · 2025-07-01T21:27:16.000+10:00
This behaviour was already happening for the root URL, but the new `fetchWithCorsRetry` logic differed.

The issue was if the server returns a 404 for `/.well-known/oauth-authorization-server/xyz` that didn't have the `access-control-allow-origin`, a TypeError was being thrown. There was logic there already to handle a TypeError for a _preflight_ request (cause by custom headers), but not the fallback. I refactored so all combinations return `undefined`.
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -292,25 +292,24 @@ export async function discoverOAuthProtectedResourceMetadata(
   return OAuthProtectedResourceMetadataSchema.parse(await response.json());
 }
 
-/**
- * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
- *
- * If the server returns a 404 for the well-known endpoint, this function will
- * return `undefined`. Any other errors will be thrown as exceptions.
- */
 /**
  * Helper function to handle fetch with CORS retry logic
  */
 async function fetchWithCorsRetry(
   url: URL,
-  headers: Record<string, string>,
-): Promise<Response> {
+  headers?: Record<string, string>,
+): Promise<Response | undefined> {
   try {
     return await fetch(url, { headers });
   } catch (error) {
-    // CORS errors come back as TypeError, retry without headers
     if (error instanceof TypeError) {
-      return await fetch(url);
+      if (headers) {
+        // CORS errors come back as TypeError, retry without headers
+        return fetchWithCorsRetry(url)
+      } else {
+        // We're getting CORS errors on retry too, return undefined
+        return undefined
+      }
     }
     throw error;
   }
@@ -334,7 +333,7 @@ function buildWellKnownPath(pathname: string): string {
 async function tryMetadataDiscovery(
   url: URL,
   protocolVersion: string,
-): Promise<Response> {
+): Promise<Response | undefined> {
   const headers = {
     "MCP-Protocol-Version": protocolVersion
   };
@@ -344,10 +343,16 @@ async function tryMetadataDiscovery(
 /**
  * Determines if fallback to root discovery should be attempted
  */
-function shouldAttemptFallback(response: Response, pathname: string): boolean {
-  return response.status === 404 && pathname !== '/';
+function shouldAttemptFallback(response: Response | undefined, pathname: string): boolean {
+  return !response || response.status === 404 && pathname !== '/';
 }
 
+/**
+ * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
+ *
+ * If the server returns a 404 for the well-known endpoint, this function will
+ * return `undefined`. Any other errors will be thrown as exceptions.
+ */
 export async function discoverOAuthMetadata(
   authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
@@ -362,18 +367,10 @@ export async function discoverOAuthMetadata(
 
   // If path-aware discovery fails with 404, try fallback to root discovery
   if (shouldAttemptFallback(response, issuer.pathname)) {
-    try {
-      const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
-      response = await tryMetadataDiscovery(rootUrl, protocolVersion);
-
-      if (response.status === 404) {
-        return undefined;
-      }
-    } catch {
-      // If fallback fails, return undefined
-      return undefined;
-    }
-  } else if (response.status === 404) {
+    const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
+    response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+  }
+  if (!response || response.status === 404) {
     return undefined;
   }
 
