fix: Pass RequestInit options to auth requests

dsp-ant · claude · dsp-ant · commit 7d907b16ead3 · 2025-11-17T15:57:04.000Z
Fixes an issue where custom headers (like user-agent) and other RequestInit options set when creating transports were not being passed through to authorization requests (.well-known/ discovery, token exchange, DCR, etc.). Changes: - Created createFetchWithInit() utility in shared/transport.ts to wrap fetch with base RequestInit options - Transports now wrap their fetch function before passing to auth module - All RequestInit options (headers, credentials, mode, etc.) are now preserved - Auth-specific headers properly override base headers when needed - Extracted normalizeHeaders() to shared/transport.ts for reuse 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/client/sse.ts b/src/client/sse.ts
@@ -1,5 +1,5 @@
 import { EventSource, type ErrorEvent, type EventSourceInit } from 'eventsource';
-import { Transport, FetchLike } from '../shared/transport.js';
+import { Transport, FetchLike, createFetchWithInit } from '../shared/transport.js';
 import { JSONRPCMessage, JSONRPCMessageSchema } from '../types.js';
 import { auth, AuthResult, extractWWWAuthenticateParams, OAuthClientProvider, UnauthorizedError } from './auth.js';
 
@@ -93,11 +93,14 @@ export class SSEClientTransport implements Transport {
 
         let result: AuthResult;
         try {
+            // Wrap fetch to automatically include base RequestInit options
+            const fetchFn = createFetchWithInit(this._fetch, this._requestInit);
+
             result = await auth(this._authProvider, {
                 serverUrl: this._url,
                 resourceMetadataUrl: this._resourceMetadataUrl,
                 scope: this._scope,
-                fetchFn: this._fetch
+                fetchFn
             });
         } catch (error) {
             this.onerror?.(error as Error);
@@ -215,12 +218,15 @@ export class SSEClientTransport implements Transport {
             throw new UnauthorizedError('No auth provider');
         }
 
+        // Wrap fetch to automatically include base RequestInit options
+        const fetchFn = createFetchWithInit(this._fetch, this._requestInit);
+
         const result = await auth(this._authProvider, {
             serverUrl: this._url,
             authorizationCode,
             resourceMetadataUrl: this._resourceMetadataUrl,
             scope: this._scope,
-            fetchFn: this._fetch
+            fetchFn
         });
         if (result !== 'AUTHORIZED') {
             throw new UnauthorizedError('Failed to authorize');
@@ -256,11 +262,14 @@ export class SSEClientTransport implements Transport {
                     this._resourceMetadataUrl = resourceMetadataUrl;
                     this._scope = scope;
 
+                    // Wrap fetch to automatically include base RequestInit options
+                    const fetchFn = createFetchWithInit(this._fetch, this._requestInit);
+
                     const result = await auth(this._authProvider, {
                         serverUrl: this._url,
                         resourceMetadataUrl: this._resourceMetadataUrl,
                         scope: this._scope,
-                        fetchFn: this._fetch
+                        fetchFn
                     });
                     if (result !== 'AUTHORIZED') {
                         throw new UnauthorizedError();
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
@@ -1,4 +1,4 @@
-import { Transport, FetchLike } from '../shared/transport.js';
+import { Transport, FetchLike, createFetchWithInit, normalizeHeaders } from '../shared/transport.js';
 import { isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, JSONRPCMessage, JSONRPCMessageSchema } from '../types.js';
 import { auth, AuthResult, extractWWWAuthenticateParams, OAuthClientProvider, UnauthorizedError } from './auth.js';
 import { EventSourceParserStream } from 'eventsource-parser/stream';
@@ -156,11 +156,14 @@ export class StreamableHTTPClientTransport implements Transport {
 
         let result: AuthResult;
         try {
+            // Wrap fetch to automatically include base RequestInit options
+            const fetchFn = createFetchWithInit(this._fetch, this._requestInit);
+
             result = await auth(this._authProvider, {
                 serverUrl: this._url,
                 resourceMetadataUrl: this._resourceMetadataUrl,
                 scope: this._scope,
-                fetchFn: this._fetch
+                fetchFn
             });
         } catch (error) {
             this.onerror?.(error as Error);
@@ -190,7 +193,7 @@ export class StreamableHTTPClientTransport implements Transport {
             headers['mcp-protocol-version'] = this._protocolVersion;
         }
 
-        const extraHeaders = this._normalizeHeaders(this._requestInit?.headers);
+        const extraHeaders = normalizeHeaders(this._requestInit?.headers);
 
         return new Headers({
             ...headers,
@@ -255,19 +258,6 @@ export class StreamableHTTPClientTransport implements Transport {
         return Math.min(initialDelay * Math.pow(growFactor, attempt), maxDelay);
     }
 
-    private _normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
-        if (!headers) return {};
-
-        if (headers instanceof Headers) {
-            return Object.fromEntries(headers.entries());
-        }
-
-        if (Array.isArray(headers)) {
-            return Object.fromEntries(headers);
-        }
-
-        return { ...(headers as Record<string, string>) };
-    }
 
     /**
      * Schedule a reconnection attempt with exponential backoff
diff --git a/src/shared/transport.ts b/src/shared/transport.ts
@@ -2,6 +2,51 @@ import { JSONRPCMessage, MessageExtraInfo, RequestId } from '../types.js';
 
 export type FetchLike = (url: string | URL, init?: RequestInit) => Promise<Response>;
 
+/**
+ * Normalizes HeadersInit to a plain Record<string, string> for manipulation.
+ * Handles Headers objects, arrays of tuples, and plain objects.
+ */
+export function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
+    if (!headers) return {};
+
+    if (headers instanceof Headers) {
+        return Object.fromEntries(headers.entries());
+    }
+
+    if (Array.isArray(headers)) {
+        return Object.fromEntries(headers);
+    }
+
+    return { ...(headers as Record<string, string>) };
+}
+
+/**
+ * Creates a fetch function that includes base RequestInit options.
+ * This ensures requests inherit settings like credentials, mode, headers, etc. from the base init.
+ *
+ * @param baseFetch - The base fetch function to wrap (defaults to global fetch)
+ * @param baseInit - The base RequestInit to merge with each request
+ * @returns A wrapped fetch function that merges base options with call-specific options
+ */
+export function createFetchWithInit(baseFetch: FetchLike = fetch, baseInit?: RequestInit): FetchLike {
+    if (!baseInit) {
+        return baseFetch;
+    }
+
+    // Return a wrapped fetch that merges base RequestInit with call-specific init
+    return async (url: string | URL, init?: RequestInit): Promise<Response> => {
+        const mergedInit: RequestInit = {
+            ...baseInit,
+            ...init,
+            // Headers need special handling - merge instead of replace
+            headers: init?.headers
+                ? { ...normalizeHeaders(baseInit.headers), ...normalizeHeaders(init.headers) }
+                : baseInit.headers
+        };
+        return baseFetch(url, mergedInit);
+    };
+}
+
 /**
  * Options for sending a JSON-RPC message.
  */
