Description
GitHub Issue #1: Inconsistent Resource Name Parsing Causes Authentication Failures
Issue Type
🐛 Bug Report
Summary
The SDK inconsistently parses resource names with the "prefix:toolname" format, causing authentication failures when MCP clients use prefixed resource names. The parsing logic exists in verifyProof() but is missing in the tool name extraction logic.
Current Behavior
When a client sends a resource name like "ngrok weather:get-alerts":
- Tool name extraction (line ~461): Uses full resource name "ngrok weather:get-alerts"
- Proof verification (line ~787-789): Correctly extracts tool name "get-alerts"
- Comparison fails (line ~791): "ngrok weather:get-alerts" ≠ "get-alerts"
This results in authentication failure with error:
Proof is for tool 'get-alerts' (from 'ngrok weather:get-alerts'), not 'ngrok weather:get-alerts'
Expected Behavior
The SDK should consistently extract just the tool name portion (get-alerts) from prefixed resource names (ngrok weather:get-alerts) in both:
- Tool name extraction logic
- Proof verification logic
Steps to Reproduce
- Create an MCP client that uses prefixed resource names (e.g., Claude Web)
- Configure tool with resource name like "client-prefix:tool-name"
- Attempt authentication with valid proof
- Observe authentication failure due to tool name mismatch
Developer Experience Impact
Current Developer Experience
- Mysterious Authentication Failures: Developers using MCP clients with prefixed resource names experience authentication failures with unclear error messages
- No Clear Workaround: Developers cannot easily work around this without modifying client-side resource naming
- Inconsistent Behavior: The same resource name works in some parts of the SDK but fails in others
Expected Developer Experience
- Seamless Integration: Prefixed resource names should work transparently without special configuration
- Clear Error Messages: If there are naming issues, error messages should clearly indicate the problem
- Documentation: SDK documentation should clarify supported resource name formats
Expected Behavior
The SDK should consistently handle prefixed resource names throughout the authentication flow. When a client uses resource names like "client-prefix:tool-name", the SDK should:
- Extract the tool name portion (tool-name) consistently in all processing steps
- Use the extracted tool name for all comparisons and validations
- Accept both prefixed and non-prefixed resource names seamlessly
Impact
- Critical: Breaks authentication with any MCP client using prefixed resource names
- Affects: Claude Web, custom MCP clients with naming conventions
- Workaround: None available without client-side resource name modification
Environment
- SDK Version: Latest (from repository analysis)
- Node.js: 16.0.0+
- MCP Client: Claude Web, custom implementations
Additional Context
This was discovered during integration testing with Claude Web, where the client naturally uses prefixed resource names following MCP conventions. The inconsistency between parsing approaches suggests this was an oversight rather than intentional behavior.
Acceptance Criteria
- Resource name parsing is consistent across all SDK methods
- Authentication succeeds with prefixed resource names
- Backward compatibility maintained for non-prefixed names
- Unit tests cover both prefixed and non-prefixed scenarios
- No breaking changes to existing API
Labels: bug, authentication, compatibility
Priority: High
Milestone: Next Release
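
Added example (not code from the SDK or from this issue): one shared normalizer applied to both sides of the proof comparison, next to a reproduction of the one-sided comparison described under Current Behavior. The names extractToolName, inconsistentCheck and checkProofScope are hypothetical, and splitting on the last ":" is an assumption, since the issue does not say how verifyProof() splits the name.

```javascript
// Hypothetical helper: the single place where "prefix:tool-name" is parsed.
// Assumption: the tool name is whatever follows the LAST ':' in the string.
function extractToolName(resourceName) {
  if (typeof resourceName !== 'string') {
    throw new TypeError('resource name must be a string');
  }
  const trimmed = resourceName.trim();
  const idx = trimmed.lastIndexOf(':');
  // Non-prefixed names pass through unchanged (backward compatibility).
  const tool = idx === -1 ? trimmed : trimmed.slice(idx + 1).trim();
  if (tool.length === 0) {
    // Fail closed on "prefix:" or "" instead of comparing empty strings.
    throw new Error(`resource name '${resourceName}' has no tool name`);
  }
  return tool;
}

// Reproduces the reported behaviour: only the proof side is normalized,
// so even an identical prefixed name on both sides never matches.
function inconsistentCheck(requestedResource, proofResource) {
  return requestedResource === extractToolName(proofResource);
}

// Consistent version: both sides go through the same normalizer
// before the equality check that gates authentication.
function checkProofScope(requestedResource, proofResource) {
  const requested = extractToolName(requestedResource);
  const proven = extractToolName(proofResource);
  if (requested !== proven) {
    return {
      ok: false,
      error: `Proof is for tool '${proven}' (from '${proofResource}'), ` +
             `not '${requested}' (from '${requestedResource}')`,
    };
  }
  return { ok: true, tool: requested };
}

// Constructed sample inputs taken from the names used in this issue.
const prefixed = 'ngrok weather:get-alerts';
console.log(inconsistentCheck(prefixed, prefixed));
console.log(checkProofScope(prefixed, 'get-alerts'));
console.log(checkProofScope('client-prefix:tool-name', 'other-tool'));
```

Because the prefix is discarded before comparison, two names that differ only in prefix compare equal; that is the behaviour the issue asks for, and it means the prefix plays no part in the authorization decision.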