test(client): cover refresh retry after invalid token 401

[mattzcarey]

Summary

• add WWW-Authenticate parsing coverage for Bearer error="invalid_token" with protected resource metadata
• add StreamableHTTP coverage showing a 401 invalid_token POST triggers refresh_token grant, saves rotated tokens, and retries the original POST body with the new access token

The transport already performs this flow through the existing OAuth unauthorized handler; this PR pins the behavior for the issue repro.

Closes #2031

Verification

• pnpm --filter @modelcontextprotocol/client test -- auth.test.ts streamableHttp.test.ts
• pnpm run typecheck:all
• pnpm run lint:all
• pnpm run build:all
• pre-push hook (build, typecheck, lint)

[changeset-bot]

⚠️ No Changeset found

Latest commit: c1892d8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@2367

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/codemod@2367

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@2367

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server-legacy@2367

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@2367

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/fastify@2367

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@2367

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@2367

commit: c1892d8

[claude]

LGTM — test-only PR adding coverage for the existing 401 invalid_token refresh-and-retry flow; no source changes.

Extended reasoning...

Overview

This PR only touches two test files: packages/client/test/client/auth.test.ts (a new extractWWWAuthenticateParams case parsing error="invalid_token" together with resource_metadata) and packages/client/test/client/streamableHttp.test.ts (a new transport test pinning that a 401 invalid_token POST triggers a refresh_token grant, saves rotated tokens, and retries the original POST body with the new access token). No production code is modified.

Security risks

None — the changes are confined to test files and exercise the existing OAuth refresh path through mocks; no auth, crypto, or transport logic is altered.

Level of scrutiny

Low. Test-only additions that follow the established patterns already used in this suite (mocked globalThis.fetch, mocked OAuthClientProvider). I verified the new auth.test assertion matches the actual return shape of extractWWWAuthenticateParams (resourceMetadataUrl + error, with undefined scope ignored by toEqual, consistent with the adjacent insufficient_scope test). The streamableHttp test's mock endpoints (protected resource metadata, AS metadata, token endpoint) line up with the discovery flow the transport performs, and the assertions on the two MCP POSTs are self-contained.

Other factors

No changeset is needed for test-only changes (the changeset-bot warning is expected). The bug-hunting system found no issues, and the author reports typecheck/lint/build/test passing. The PR is small, self-contained, and adds regression coverage for issue #2031 without changing any behavior.

[claude]

LGTM — test-only change adding coverage for the existing 401 invalid_token → refresh → retry flow; no production code touched.

Extended reasoning...

Overview

This PR only modifies two test files in packages/client/test/client/: auth.test.ts gains a unit test for extractWWWAuthenticateParams parsing a Bearer error="invalid_token" challenge with a resource_metadata URL, and streamableHttp.test.ts gains an end-to-end-style test (via a fetch mock) showing a 401 invalid_token POST triggers a refresh_token grant, saves the rotated tokens, and retries the original POST body with the new access token without redirecting to authorization. No source files, public API, or transport behavior change — the PR pins existing behavior as a repro for issue #2031.

Security risks

None. The changes are confined to test code; no auth, crypto, or transport logic is altered. The tests exercise the existing OAuth refresh path but do not modify it.

Level of scrutiny

Low. Test-only additions following the established mocking patterns already used in the same file (mocked OAuthClientProvider, globalThis.fetch spies, well-known endpoint mocks). The new tests are self-contained, assert the relevant invariants (refresh grant parameters, rotated token persistence, retried POST body/headers, no redirect), and the author reports the full test/typecheck/lint/build suite passing; CI will catch any flakiness. The missing changeset is appropriate since no published code changes.

Other factors

The bug hunting system found no issues, and there are no outstanding human reviewer comments. The new StreamableHTTP test complements rather than duplicates the existing 'attempts auth flow on 401' and 'returns 401 after successful auth' tests by covering the silent-refresh-success path.