
♻️ Require authorization for MCP management API #2799#2801

Open
shaun0927 wants to merge 2 commits into ModelEngine-Group:develop from shaun0927:fix/mcp-management-auth-2799

Conversation

@shaun0927

♻️ Require authorization for MCP management API #2799

[Specification Details]

  1. Require validated authorization on the MCP management endpoints before listing, refreshing, or deleting outer API tools.
  2. Forward the current request's authorization token from the tool-management call path when refreshing or deleting outer API tools, so authenticated flows continue to work after the endpoint hardening.
  3. Update regression tests and related test setup for the new authorization contract.

[Test Result]

  • python3 -m py_compile backend/mcp_service.py backend/services/tool_configuration_service.py backend/apps/tool_config_app.py test/backend/services/test_mcp_service.py test/backend/app/test_tool_config_app.py test/backend/services/test_tool_configuration_service.py
  • Stubbed local validation confirmed unauthorized MCP management API access now returns 401, while authorized access still succeeds.
  • Stubbed local validation confirmed refresh and delete calls now forward the Authorization header to the MCP management API.

WMC001 and others added 2 commits April 10, 2026 15:49
The management API currently accepts Authorization headers without validating them, and the tool-management call path drops the caller token before refresh and delete operations. This patch hardens the management endpoints and forwards the current request token so the existing MCP management flow keeps working under authentication.

Constraint: Keep scope limited to MCP management auth hardening for mergeability
Rejected: Broader API-to-MCP trust-boundary changes | needs product and architecture discussion
Confidence: medium
Scope-risk: narrow
Directive: Keep management endpoint auth and caller-token forwarding aligned when adding new MCP management routes
Tested: python3 -m py_compile on changed files; stubbed local auth-validation script; stubbed local header-forwarding script
Not-tested: Full pytest suite in the current local environment (FastAPI/SDK dependency mismatch during collection)
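The two behaviours the description and commit message above contrast (a management endpoint that only checks that an Authorization header is present versus one that validates the bearer token, and a tool-management call path that drops versus forwards the caller's token), as an added, self-contained Python example. This is not the ModelEngine-Group project's code: the `<user>.<hmac>` token format, the `ManagementApi` class and its route shapes, and the `forwarded_headers`, `refresh_outer_tool` and `delete_outer_tool` helpers are all assumptions made for the illustration, and the HMAC check stands in for whatever validation the real backend performs. It uses only the standard library so it runs offline without FastAPI.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed signing key for the example; a deployment would load this from config.
SIGNING_KEY = b"constructed-example-key"
BEARER = "Bearer "


def issue_token(user: str) -> str:
    """Mint a constructed token of the form '<user>.<hex HMAC-SHA256 over user>'."""
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def validate_token(token: str) -> Optional[str]:
    """Return the subject if the token's MAC verifies, otherwise None."""
    user, sep, mac = token.rpartition(".")
    if not sep or not user:
        return None
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare on bytes so a non-ASCII attacker value cannot raise.
    return user if hmac.compare_digest(mac.encode(), expected.encode()) else None


@dataclass
class Response:
    status: int
    body: object = None


@dataclass
class ManagementApi:
    """Stand-in (assumed) for the MCP management API: list/refresh/delete outer API tools."""
    validate: bool = True  # False reproduces the pre-fix 'accept any non-empty header' behaviour
    # Constructed tool table: name -> refresh count.
    tools: Dict[str, int] = field(default_factory=lambda: {"weather": 1, "search": 1})

    def _caller(self, headers: Dict[str, str]) -> Optional[str]:
        auth = headers.get("Authorization", "")
        if not auth.startswith(BEARER):
            return None
        token = auth[len(BEARER):]
        if not self.validate:
            return token or None  # presence check only: a forged token passes
        return validate_token(token)

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Response:
        # Authorization is checked before any route logic, so every route is covered.
        if self._caller(headers) is None:
            return Response(401, {"detail": "Unauthorized"})
        parts = path.strip("/").split("/")
        if parts[0] != "tools":
            return Response(404, {"detail": "Not found"})
        if method == "GET" and len(parts) == 1:
            return Response(200, sorted(self.tools))
        if method == "POST" and len(parts) == 3 and parts[2] == "refresh" and parts[1] in self.tools:
            self.tools[parts[1]] += 1
            return Response(200, {"name": parts[1], "version": self.tools[parts[1]]})
        if method == "DELETE" and len(parts) == 2 and parts[1] in self.tools:
            del self.tools[parts[1]]
            return Response(204)
        return Response(404, {"detail": "Not found"})


def forwarded_headers(request_headers: Dict[str, str], forward_token: bool = True) -> Dict[str, str]:
    """Headers for the outbound management call; forward_token=False mimics the pre-fix path."""
    out = {"Content-Type": "application/json"}
    if forward_token and "Authorization" in request_headers:
        out["Authorization"] = request_headers["Authorization"]
    return out


def refresh_outer_tool(api: ManagementApi, name: str, request_headers: Dict[str, str],
                       forward_token: bool = True) -> Response:
    """Tool-management call path for refresh (assumed helper name)."""
    return api.handle("POST", f"/tools/{name}/refresh", forwarded_headers(request_headers, forward_token))


def delete_outer_tool(api: ManagementApi, name: str, request_headers: Dict[str, str],
                      forward_token: bool = True) -> Response:
    """Tool-management call path for delete (assumed helper name)."""
    return api.handle("DELETE", f"/tools/{name}", forwarded_headers(request_headers, forward_token))


if __name__ == "__main__":
    api = ManagementApi()
    caller = {"Authorization": BEARER + issue_token("alice")}
    print(api.handle("GET", "/tools", {}).status)                              # 401: no header
    print(api.handle("GET", "/tools", {"Authorization": "Bearer alice.bogus"}).status)  # 401: forged
    print(refresh_outer_tool(api, "weather", caller, forward_token=False).status)  # 401: token dropped
    print(refresh_outer_tool(api, "weather", caller).status)                   # 200: token forwarded
```

The point to verify when reviewing such a change is the second 401: with `validate=False` the same forged `alice.bogus` header is accepted, which is exactly the gap the PR closes. Forwarding the caller's own header (rather than a shared service credential) keeps the management API's decision tied to the user who made the original request.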
@shaun0927 shaun0927 changed the base branch from main to develop April 17, 2026 00:09
@shaun0927
Author

Retargeted this PR to develop to match the recent MCP-related merge pattern in the repository. The scope remains intentionally narrow: require authorization on the MCP management endpoints and forward the current request token for refresh/delete calls so existing authenticated flows keep working after the hardening. Happy to split or adjust this further if there is a preferred integration point.

2 participants