
fix(mcp): correct auth failure contract in _get_auth_headers #85

Closed

DavidJBianco wants to merge 1 commit into batch-a-quick-fixes from batch-b-auth-contract

Conversation

@DavidJBianco

Collaborator

Summary

Fixes the MCP auth bypass where _get_auth_headers returned {} on failure while _connect_http_server only gated on False — so misconfigured auth silently connected unauthenticated.

Root cause fix (prefer over #71): Changes the _get_auth_headers return contract so the function returns None on any auth failure and {} only when no auth is configured. _connect_http_server gates on None. Updates all affected return sites and existing unit tests to match.

Supersedes #74 (cherry-picked from that branch). Closes #71 as a weaker alternative (that PR only gated at the caller without fixing the lying return type).

Test plan

  • Run PYTHONPATH=. pytest -q tests/unit_tests/test_mcp_oauth_env_vars.py in a full env
  • Verify an HTTP MCP server with a missing bearer token does not appear in active_clients
  • Verify an HTTP MCP server with no auth config still connects

🤖 Generated with Claude Code
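The contract bug the PR describes, modelled as an added example (hypothetical simplified code, not the project's own `_get_auth_headers` / `_connect_http_server`): the old helper returns `{}` for both "no auth configured" and "auth failed", and the old caller only rejects a literal `False` it never receives, so a server with a missing bearer token still lands in `active_clients`. The corrected contract returns `None` on failure and gates on `None`. The server config, env-var name and token values are constructed for the example.

```python
from typing import Callable, Optional

# Constructed sample config: one server with bearer auth whose token env var is
# missing (misconfigured), and one with no auth configured at all.
SERVERS = {
    "secured": {"url": "http://secured.example/mcp",
                "auth": {"token_env": "SECURED_TOKEN"}},
    "public": {"url": "http://public.example/mcp"},
}
ENV: dict = {}  # SECURED_TOKEN deliberately absent


def get_auth_headers_before(cfg: dict, env: dict) -> dict:
    """Old contract: {} means both 'no auth configured' and 'auth failed'."""
    if "auth" not in cfg:
        return {}
    token = env.get(cfg["auth"]["token_env"])
    if not token:
        return {}  # bug: failure is indistinguishable from 'no auth needed'
    return {"Authorization": f"Bearer {token}"}


def get_auth_headers_after(cfg: dict, env: dict) -> Optional[dict]:
    """New contract: None on any auth failure, {} only when no auth is configured."""
    if "auth" not in cfg:
        return {}
    token = env.get(cfg["auth"]["token_env"])
    if not token:
        return None  # explicit failure signal the caller must honour
    return {"Authorization": f"Bearer {token}"}


def reject_before(headers) -> bool:
    return headers is False  # never true: the helper never returns False


def reject_after(headers) -> bool:
    return headers is None  # refuse to connect on auth failure


def connect_all(servers: dict, env: dict, get_headers: Callable,
                reject: Callable) -> set:
    """Model of the caller: a server joins active_clients unless reject() fires."""
    active = set()
    for name, cfg in servers.items():
        if reject(get_headers(cfg, env)):
            continue  # skip this server rather than connect unauthenticated
        active.add(name)  # the real code would open the HTTP session here
    return active


def active_clients_before() -> set:
    return connect_all(SERVERS, ENV, get_auth_headers_before, reject_before)


def active_clients_after() -> set:
    return connect_all(SERVERS, ENV, get_auth_headers_after, reject_after)
```

With the old contract `active_clients_before()` contains the misconfigured "secured" server; with the new one only "public" connects, matching the PR's test plan.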

@DavidJBianco

Collaborator Author

Merged into dev via merge commit 27a476d.
