coerce 'expires_in' to be a number

adam-kuhn · adam-kuhn · commit db6bea66c8e9 · 2025-11-14T10:03:45.000+02:00
diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
@@ -14,7 +14,7 @@ import {
     selectClientAuthMethod
 } from './auth.js';
 import { ServerError } from '../server/auth/errors.js';
-import { AuthorizationServerMetadata } from '../shared/auth.js';
+import { AuthorizationServerMetadata, OAuthTokens } from '../shared/auth.js';
 
 // Mock fetch globally
 const mockFetch = jest.fn();
@@ -1073,7 +1073,7 @@ describe('OAuth Authorization', () => {
     });
 
     describe('exchangeAuthorization', () => {
-        const validTokens = {
+        const validTokens: OAuthTokens = {
             access_token: 'access123',
             token_type: 'Bearer',
             expires_in: 3600,
@@ -1132,6 +1132,43 @@ describe('OAuth Authorization', () => {
             expect(body.get('resource')).toBe('https://api.example.com/mcp-server');
         });
 
+        it('allows for string "expires_in" values', async () => {
+            mockFetch.mockResolvedValueOnce({
+                ok: true,
+                status: 200,
+                json: async () => ({ ...validTokens, expires_in: '3600' })
+            });
+
+            const tokens = await exchangeAuthorization('https://auth.example.com', {
+                clientInformation: validClientInfo,
+                authorizationCode: 'code123',
+                codeVerifier: 'verifier123',
+                redirectUri: 'http://localhost:3000/callback',
+                resource: new URL('https://api.example.com/mcp-server')
+            });
+
+            expect(tokens).toEqual(validTokens);
+            expect(mockFetch).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    href: 'https://auth.example.com/token'
+                }),
+                expect.objectContaining({
+                    method: 'POST',
+                    headers: new Headers({
+                        'Content-Type': 'application/x-www-form-urlencoded'
+                    })
+                })
+            );
+
+            const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
+            expect(body.get('grant_type')).toBe('authorization_code');
+            expect(body.get('code')).toBe('code123');
+            expect(body.get('code_verifier')).toBe('verifier123');
+            expect(body.get('client_id')).toBe('client123');
+            expect(body.get('client_secret')).toBe('secret123');
+            expect(body.get('redirect_uri')).toBe('http://localhost:3000/callback');
+            expect(body.get('resource')).toBe('https://api.example.com/mcp-server');
+        });
         it('exchanges code for tokens with auth', async () => {
             mockFetch.mockResolvedValueOnce({
                 ok: true,
diff --git a/src/shared/auth.ts b/src/shared/auth.ts
@@ -136,7 +136,7 @@ export const OAuthTokensSchema = z
         access_token: z.string(),
         id_token: z.string().optional(), // Optional for OAuth 2.1, but necessary in OpenID Connect
         token_type: z.string(),
-        expires_in: z.number().optional(),
+        expires_in: z.coerce.number().optional(),
         scope: z.string().optional(),
         refresh_token: z.string().optional()
     })
