fix(auth): default clientSecretExpirySeconds to undefined (no expiration)

grimmerk · grimmerk · commit 5e5caa3b19d0 · 2025-12-17T22:56:59.000+08:00
The 30-day default caused MCP clients to fail with "Client secret has expired"
after 30 days. Aligns with Python SDK behavior (defaults to None).

- undefined: omit client_secret_expires_at (no expiry)
- 0: set to 0 (no expiry per RFC 7591)
- positive: set to now + seconds
diff --git a/src/server/auth/handlers/register.test.ts b/src/server/auth/handlers/register.test.ts
@@ -199,7 +199,7 @@ describe('Client Registration Handler', () => {
     });
 
     it('sets no expiry when clientSecretExpirySeconds=0', async () => {
-      // Create handler with no expiry
+      // Create handler with explicit 0 (no expiry per RFC 7591)
       const customApp = express();
       const options: ClientRegistrationHandlerOptions = {
         clientsStore: mockClientStoreWithRegistration,
@@ -218,6 +218,27 @@ describe('Client Registration Handler', () => {
       expect(response.body.client_secret_expires_at).toBe(0);
     });
 
+    it('omits client_secret_expires_at when clientSecretExpirySeconds is undefined (default)', async () => {
+      // Create handler with default undefined (no expiry, omit from response)
+      const customApp = express();
+      const options: ClientRegistrationHandlerOptions = {
+        clientsStore: mockClientStoreWithRegistration
+        // clientSecretExpirySeconds not set - defaults to undefined
+      };
+
+      customApp.use('/register', clientRegistrationHandler(options));
+
+      const response = await supertest(customApp)
+        .post('/register')
+        .send({
+          redirect_uris: ['https://example.com/callback']
+        });
+
+      expect(response.status).toBe(201);
+      expect(response.body.client_secret).toBeDefined(); // Still has secret
+      expect(response.body.client_secret_expires_at).toBeUndefined(); // But no expiry
+    });
+
     it('sets no client_id when clientIdGeneration=false', async () => {
       // Create handler with no expiry
       const customApp = express();
diff --git a/src/server/auth/handlers/register.ts b/src/server/auth/handlers/register.ts
@@ -19,9 +19,12 @@ export type ClientRegistrationHandlerOptions = {
   clientsStore: OAuthRegisteredClientsStore;
 
   /**
-   * The number of seconds after which to expire issued client secrets, or 0 to prevent expiration of client secrets (not recommended).
-   * 
-   * If not set, defaults to 30 days.
+   * The number of seconds after which to expire issued client secrets.
+   * - If set to a positive number, client secrets will expire after that many seconds.
+   * - If set to 0, client_secret_expires_at will be 0 (meaning no expiration per RFC 7591).
+   * - If not set (undefined), client_secret_expires_at will be omitted from the response (no expiration).
+   *
+   * Defaults to undefined (no expiration), consistent with Python SDK behavior.
    */
   clientSecretExpirySeconds?: number;
 
@@ -40,11 +43,9 @@ export type ClientRegistrationHandlerOptions = {
   clientIdGeneration?: boolean;
 };
 
-const DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS = 30 * 24 * 60 * 60; // 30 days
-
 export function clientRegistrationHandler({
   clientsStore,
-  clientSecretExpirySeconds = DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS,
+  clientSecretExpirySeconds,
   rateLimit: rateLimitConfig,
   clientIdGeneration = true,
 }: ClientRegistrationHandlerOptions): RequestHandler {
@@ -92,9 +93,18 @@ export function clientRegistrationHandler({
       const clientIdIssuedAt = Math.floor(Date.now() / 1000);
 
       // Calculate client secret expiry time
-      const clientsDoExpire = clientSecretExpirySeconds > 0
-      const secretExpiryTime = clientsDoExpire ? clientIdIssuedAt + clientSecretExpirySeconds : 0
-      const clientSecretExpiresAt = isPublicClient ? undefined : secretExpiryTime
+      // - undefined: omit client_secret_expires_at (no expiration)
+      // - 0: set to 0 (no expiration per RFC 7591)
+      // - positive number: set to now + seconds
+      let clientSecretExpiresAt: number | undefined;
+      if (!isPublicClient) {
+        if (clientSecretExpirySeconds !== undefined && clientSecretExpirySeconds > 0) {
+          clientSecretExpiresAt = clientIdIssuedAt + clientSecretExpirySeconds;
+        } else if (clientSecretExpirySeconds === 0) {
+          clientSecretExpiresAt = 0;
+        }
+        // else: undefined - omit from response (no expiration)
+      }
 
       let clientInfo: Omit<OAuthClientInformationFull, "client_id"> & { client_id?: string } = {
         ...clientMetadata,
