737d62fe91
SessionAuthBackend was blocking MCP clients using OAuth Bearer tokens because it returned None when no session cookie was present, causing 401 responses before FastMCP's OAuth provider could validate Bearer tokens.

Changes:
- Add path-based exclusion to SessionAuthBackend.authenticate()
- Skip session auth for paths using other authentication methods:
  - /mcp (FastMCP OAuth Bearer tokens)
  - /.well-known/oauth-protected-resource (public PRM endpoint)
  - /health/live, /health/ready (public health checks)
  - /oauth/login, /oauth/login-callback, /oauth/authorize (OAuth flow pages)
- Browser routes (/user, /user/page, /oauth/logout) still require session cookies

This allows MCP clients to connect with OAuth Bearer tokens while maintaining session-based authentication for browser UI routes.

Testing:
- OAuth tests pass (test_mcp_oauth_server_connection, etc.)
- Browser routes still require session auth (/user returns 303 redirect)
- Public endpoints remain accessible (/health/live works)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
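An added example, not code from this commit or project: one way to decide which request paths skip session auth so that the exemption list cannot widen by accident. The commit message does not show how paths are matched, so the matching rule, the function names, and the sample routes `/mcp-admin` and `/mcp/messages` are assumptions; only the exempt and browser paths come from the message.

```python
import posixpath

# Exempt paths as listed in the commit message. Treating /mcp as a subtree and
# the rest as exact matches is an assumption made for this example.
EXEMPT_PREFIXES = ("/mcp",)
EXEMPT_EXACT = frozenset({
    "/.well-known/oauth-protected-resource",
    "/health/live",
    "/health/ready",
    "/oauth/login",
    "/oauth/login-callback",
    "/oauth/authorize",
})


def normalize(path: str) -> str:
    """Collapse '//', '.' and '..' so the decision is made on the real route."""
    return posixpath.normpath("/" + path.lstrip("/"))


def skips_session_auth(path: str) -> bool:
    """True only for an exempt route or a path below an exempt subtree."""
    p = normalize(path)
    if p in EXEMPT_EXACT:
        return True
    # Match on a segment boundary: "/mcp" and "/mcp/...", never "/mcp-admin".
    return any(p == pre or p.startswith(pre + "/") for pre in EXEMPT_PREFIXES)


def naive_skips_session_auth(path: str) -> bool:
    """Plain startswith on the raw path, shown for contrast: it over-matches."""
    return path.startswith(EXEMPT_PREFIXES + tuple(EXEMPT_EXACT))


if __name__ == "__main__":
    # Constructed sample paths, not taken from real traffic.
    for sample in ("/mcp", "/mcp/messages", "/health/live", "/user",
                   "/oauth/logout", "/mcp-admin", "/mcp/../user"):
        print(f"{sample:16} strict={skips_session_auth(sample)!s:5} "
              f"naive={naive_skips_session_auth(sample)}")
```

A path that skips session auth here must still be authenticated by whatever handles it (Bearer validation for `/mcp`), so the exemption list is worth covering with a test that fails when a browser route lands in it.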