mcp-oauth-password

Verified Safe

by arnaldo-delisio

Overview

Provides a self-hosted, password-based OAuth 2.1 authentication server for Model Context Protocol (MCP) applications.

Installation

Run Command
npx ts-node example/server.ts

Environment Variables

  • SERVER_URL
  • DATABASE_URL
  • OAUTH_CLIENT_ID
  • OAUTH_CLIENT_SECRET
  • OAUTH_PASSWORD_HASH
  • SESSION_SECRET
  • API_KEY
  • NODE_ENV

Security Notes

The server implements OAuth 2.1 with Proof Key for Code Exchange (PKCE), bcrypt password hashing (10 rounds), and secure session cookies (httpOnly, secure, sameSite=Lax). Session and authorization codes are stored persistently in PostgreSQL. Redirect URI validation and automatic rate limiting on login, token, and authorize endpoints help mitigate common attacks. Audit logging tracks authentication events for monitoring. The 'secure' cookie flag is correctly enforced based on the NODE_ENV. For its intended use in personal/self-hosted environments, these features provide strong security. However, as noted in the README, features like token expiration with refresh tokens and multi-user support (beyond a single configured password) are still on the roadmap for full enterprise-grade production readiness (v1.0.0). The example provides default credentials for demonstration, but the core library design encourages using environment variables for sensitive data.

Stats

Interest Score: 0
Security Score: 8
Cost Class: Low
Stars: 0
Forks: 0
Last Update: 2025-12-13

Tags

OAuth 2.1, PKCE, Password Authentication, MCP, Node.js, PostgreSQL