v0.2.4

@github-actions github-actions released this 26 Feb 20:23
· 41 commits to main since this release
6bf4689

Patch Changes

  • #136 a8c5936 Thanks @mattzcarey! - Add /.well-known/oauth-protected-resource endpoint (RFC 9728) for OAuth 2.0 Protected Resource Metadata discovery, as required by the MCP authorization specification. The endpoint is always served with sensible defaults (request origin as resource and authorization server), and can be customized via the new resourceMetadata option.

  • #151 dbb150e Thanks @mattzcarey! - Add allowPlainPKCE option to enforce S256-only PKCE as recommended by OAuth 2.1. When set to false, the plain PKCE method is rejected and only S256 is accepted. Defaults to true for backward compatibility.

  • #140 65d5cfa Thanks @mattzcarey! - Fix apiHandler route matching when set to '/' to use exact match instead of prefix match, preventing it from matching all routes and breaking OAuth endpoints.

  • #150 734738c Thanks @mattzcarey! - Fix TypeScript types by making OAuthProviderOptions generic over Env, eliminating the need for @ts-expect-error workarounds when using typed environments.

  • #145 6ce5c10 Thanks @mattzcarey! - Add RFC 8252 Section 7.3 compliance: allow any port for loopback redirect URIs (127.x.x.x, ::1) to support native apps that use ephemeral ports.

  • #143 8909060 Thanks @mattzcarey! - Include resource_metadata URL in WWW-Authenticate headers on 401 responses per RFC 9728 §5.1, enabling clients to discover the protected resource metadata endpoint directly from authentication challenges.
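
The loopback rule described in #145, sketched as an added example (not the library's own code): a redirect URI check that ignores the port only when both the requested and the registered URI use a loopback IP literal. The names `isLoopbackIp`, `withoutPort`, `parseUrl`, `redirectUriAllowed` and `sampleRegistered` are hypothetical, and requiring every other URI component to match the registration is this example's assumption.

```javascript
// Added illustration; all names here are hypothetical, not the library's API.

// True only for loopback IP literals (127.0.0.0/8 and ::1). URL.hostname is
// already normalized by the WHATWG parser ("127.1" becomes "127.0.0.1", IPv6
// hosts keep their brackets). "localhost" is not an IP literal and is
// deliberately excluded.
function isLoopbackIp(hostname) {
  return hostname === '[::1]' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

// Serialize a parsed URL with its port removed, so scheme, userinfo, host,
// path, query and fragment are all still compared.
function withoutPort(url) {
  const copy = new URL(url.href);
  copy.port = '';
  return copy.href;
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Non-loopback URIs must match a registered URI exactly. A loopback IP URI
// may differ from a registered loopback URI in the port only.
function redirectUriAllowed(requested, registered) {
  if (registered.includes(requested)) return true;
  const req = parseUrl(requested);
  if (req === null || !isLoopbackIp(req.hostname)) return false;
  return registered.some((candidate) => {
    const reg = parseUrl(candidate);
    return reg !== null && isLoopbackIp(reg.hostname) &&
      withoutPort(reg) === withoutPort(req);
  });
}

// Constructed sample registration for one client.
const sampleRegistered = ['http://127.0.0.1/callback', 'https://app.example.com/cb'];
```

Parsing before comparing matters here: a string prefix check would accept `http://127.0.0.1@evil.example/callback`, whose actual host is `evil.example`.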