chore(internal): support oauth authorization code flow for MCP servers

Author: stainless-app[bot]

packages/mcp-server/package.json

@@ -34,10 +34,12 @@
     "@cloudflare/cabidela": "^0.2.4",
     "@modelcontextprotocol/sdk": "^1.25.2",
     "@valtown/deno-http-worker": "^0.0.21",
+    "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "express": "^5.1.0",
     "fuse.js": "^7.1.0",
     "jq-web": "https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz",
+    "morgan": "^1.10.0",
     "qs": "^6.14.1",
     "typescript": "5.8.3",
     "yargs": "^17.7.2",
@@ -50,9 +52,11 @@
   },
   "devDependencies": {
     "@anthropic-ai/mcpb": "^2.1.2",
+    "@types/cookie-parser": "^1.4.10",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.3",
     "@types/jest": "^29.4.0",
+    "@types/morgan": "^1.9.10",
     "@types/qs": "^6.14.0",
     "@types/yargs": "^17.0.8",
     "@typescript-eslint/eslint-plugin": "8.31.1",

packages/mcp-server/src/headers.ts

@@ -3,7 +3,7 @@
 import { IncomingMessage } from 'node:http';
 import { ClientOptions } from '@imagekit/nodejs';
 
-export const parseAuthHeaders = (req: IncomingMessage): Partial<ClientOptions> => {
+export const parseAuthHeaders = (req: IncomingMessage, required?: boolean): Partial<ClientOptions> => {
   if (req.headers.authorization) {
     const scheme = req.headers.authorization.split(' ')[0]!;
     const value = req.headers.authorization.slice(scheme.length + 1);
@@ -19,6 +19,8 @@ export const parseAuthHeaders = (req: IncomingMessage): Partial<ClientOptions> =
           'Unsupported authorization scheme. Expected the "Authorization" header to be a supported scheme (Basic).',
         );
     }
+  } else if (required) {
+    throw new Error('Missing required Authorization header; see WWW-Authenticate header for details.');
   }
 
   const privateKey =

packages/mcp-server/src/http.ts

@@ -2,8 +2,8 @@
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
-
 import express from 'express';
+import morgan from 'morgan';
 import { McpOptions } from './options';
 import { ClientOptions, initMcpServer, newMcpServer } from './server';
 import { parseAuthHeaders } from './headers';
@@ -20,7 +20,7 @@ const newServer = ({
   const server = newMcpServer();
 
   try {
-    const authOptions = parseAuthHeaders(req);
+    const authOptions = parseAuthHeaders(req, false);
     initMcpServer({
       server: server,
       clientOptions: {
@@ -75,14 +75,15 @@ const del = async (req: express.Request, res: express.Response) => {
 
 export const streamableHTTPApp = ({
   clientOptions = {},
-  mcpOptions = {},
+  mcpOptions,
 }: {
   clientOptions?: ClientOptions;
-  mcpOptions?: McpOptions;
+  mcpOptions: McpOptions;
 }): express.Express => {
   const app = express();
   app.set('query parser', 'extended');
   app.use(express.json());
+  app.use(morgan('combined'));
 
   app.get('/', get);
   app.post('/', post({ clientOptions, mcpOptions }));

packages/mcp-server/src/options.ts

@@ -35,6 +35,7 @@ export function parseCLIOptions(): CLIOptions {
     })
     .option('port', {
       type: 'number',
+      default: 3000,
       description: 'Port to serve on if using http transport',
     })
     .option('socket', {