From 5d26671bc0c3d2efef2a7969770cb0774c12f1bd Mon Sep 17 00:00:00 2001
From: JD Maturen <70791+jdmaturen@users.noreply.github.com>
Date: Sun, 8 Feb 2026 22:06:04 -0800
Subject: [PATCH] fix: use InvalidTokenError instead of generic Error in MockTokenVerifier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The SDK's `requireBearerAuth` middleware only converts `InvalidTokenError` instances to HTTP 401 responses. Generic `Error` instances fall through as HTTP 500, which prevents clients from detecting authentication failures and initiating the OAuth refresh/re-auth flow. This was discovered while building token refresh conformance scenarios — the mock server was returning 500 for expired/invalid tokens instead of the expected 401.

Co-authored-by: Cursor
---
 src/scenarios/client/auth/helpers/mockTokenVerifier.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/scenarios/client/auth/helpers/mockTokenVerifier.ts b/src/scenarios/client/auth/helpers/mockTokenVerifier.ts
index 8cbfae1..022fa4d 100644
--- a/src/scenarios/client/auth/helpers/mockTokenVerifier.ts
+++ b/src/scenarios/client/auth/helpers/mockTokenVerifier.ts
@@ -1,5 +1,6 @@
 import { OAuthTokenVerifier } from '@modelcontextprotocol/sdk/server/auth/provider.js';
 import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { InvalidTokenError } from '@modelcontextprotocol/sdk/server/auth/errors.js';
 import type { ConformanceCheck } from '../../../../types';
 import { SpecReferences } from '../spec-references';
@@ -53,6 +54,6 @@ export class MockTokenVerifier implements OAuthTokenVerifier {
 token: token ? token.substring(0, 10) + '...' : 'missing'
 }
 });
- throw new Error('Invalid token');
+ throw new InvalidTokenError('Invalid token');
 }
 }
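Review bot: The new `throw new InvalidTokenError('Invalid token');` at the end of the second hunk has no comment saying why the SDK error class is required, so a later cleanup could swap it back to a plain `Error` and the mock would return HTTP 500 again. I would add above it `// Must be InvalidTokenError: requireBearerAuth maps only this class to HTTP 401; a plain Error surfaces as 500.` The method's signature and its accepting branch lie outside the hunk, so I cannot tell whether any other rejection path in this verifier still throws a generic `Error`; that is worth checking. A conformance check asserting the 401 status for a rejected token would pin the behaviour the commit message describes.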