fix(server): validate OAuth code redirect URI

[Genmin]

Summary

• validate authorization-code token requests against the original authorization redirect_uri when providers expose it
• add a provider hook for revoking tokens previously issued for a replayed authorization code
• wire the demo in-memory OAuth provider to store redirect URIs and code-to-token mappings

Why

The v1.x OAuth token handler could exchange an authorization code with a different redirect_uri than the one used at /authorize. It also had no framework hook to let providers revoke tokens after authorization-code reuse was detected.

Fixes #209.
Fixes #235.

Validation

• npm test -- test/server/auth/handlers/token.test.ts test/examples/server/demoInMemoryOAuthProvider.test.ts
• npm run typecheck
• npx eslint src/server/auth/provider.ts src/server/auth/handlers/token.ts src/examples/server/demoInMemoryOAuthProvider.ts test/server/auth/handlers/token.test.ts test/examples/server/demoInMemoryOAuthProvider.test.ts
• npx prettier --check .changeset/fix-v1x-oauth-code-redirect.md src/server/auth/provider.ts src/server/auth/handlers/token.ts src/examples/server/demoInMemoryOAuthProvider.ts test/server/auth/handlers/token.test.ts test/examples/server/demoInMemoryOAuthProvider.test.ts
• git diff --check

[changeset-bot]

🦋 Changeset detected

Latest commit: 90972ff

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@modelcontextprotocol/sdk@1997

commit: 90972ff