From 814bc9545743e04379a3991fdfb445a8416bbf3c Mon Sep 17 00:00:00 2001 From: Pavel Malai Date: Mon, 19 May 2025 11:37:57 +0200 Subject: [PATCH 1/2] add auth headers to request context --- src/mcp/server/lowlevel/server.py | 5 +++++ src/mcp/server/sse.py | 6 ++++++ src/mcp/shared/context.py | 1 + src/mcp/types.py | 1 + 4 files changed, 13 insertions(+) diff --git a/src/mcp/server/lowlevel/server.py b/src/mcp/server/lowlevel/server.py index 876aef8171..7f566095c3 100644 --- a/src/mcp/server/lowlevel/server.py +++ b/src/mcp/server/lowlevel/server.py @@ -554,15 +554,20 @@ async def _handle_request( logger.debug(f"Dispatching request of type {type(req).__name__}") token = None + try: # Set our global state that can be retrieved via # app.get_request_context() + auth = None + if hasattr(message.request.root, "auth"): + auth = message.request.root.auth token = request_ctx.set( RequestContext( message.request_id, message.request_meta, session, lifespan_context, + auth ) ) response = await handler(req) diff --git a/src/mcp/server/sse.py b/src/mcp/server/sse.py index a6350a39ba..bc7bbd56f2 100644 --- a/src/mcp/server/sse.py +++ b/src/mcp/server/sse.py @@ -203,6 +203,12 @@ async def handle_post_message( await writer.send(err) return + if "authorization" in request.headers: + auth_header = request.headers["authorization"] + if auth_header.startswith("Bearer "): + message.root.auth = auth_header[7:] + logger.debug(f"Authorization header found: {message.root.auth}") + session_message = SessionMessage(message) logger.debug(f"Sending session message to writer: {session_message}") response = Response("Accepted", status_code=202) diff --git a/src/mcp/shared/context.py b/src/mcp/shared/context.py index ae85d3a19b..4f5142c0c9 100644 --- a/src/mcp/shared/context.py +++ b/src/mcp/shared/context.py @@ -16,3 +16,4 @@ class RequestContext(Generic[SessionT, LifespanContextT]): meta: RequestParams.Meta | None session: SessionT lifespan_context: LifespanContextT + auth: str | None = None 
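Review bot: In `_handle_request`, the new `auth` value is appended to `RequestContext(...)` as a fifth positional argument, so a later reordering of the context fields would silently put the bearer token into a different slot; pass it by keyword as `auth=auth,`. The `hasattr` test followed by the attribute read can be one line, `auth = getattr(message.request.root, "auth", None)`. Nothing visible in this hunk verifies the token, so a comment here should say that handlers receive the raw, unverified bearer string and must validate it before making any authorization decision. The body of `_handle_request` starts and ends outside the hunk.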
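Review bot: The added `logger.debug(f"Authorization header found: {message.root.auth}")` in `handle_post_message` writes the bearer token itself to the log, so the credential is exposed to anyone who can read debug output or a log aggregator; log only its presence, e.g. `logger.debug("Authorization header present")`. The same line is added in the `_handle_post_request` hunk of `src/mcp/server/streamable_http.py` in patch 2/2 and needs the same change. The unchanged `logger.debug(f"Sending session message to writer: {session_message}")` just below probably prints the token as well once `auth` is a field of the message, depending on how the model is rendered, so it should be checked too. The function continues outside the hunk.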
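Review bot: The new `auth: str | None = None` field on `RequestContext` holds a live credential but carries no comment saying so, and if the class is a dataclass (the decorator is outside this hunk) its generated repr will include the token whenever a context object is logged or appears in a traceback. Declaring it as `auth: str | None = field(default=None, repr=False)` (with `field` imported from `dataclasses`) keeps it out of the repr. A comment such as `# Raw bearer token from the Authorization header; not validated by the transport.` would tell handler authors what they are getting.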
diff --git a/src/mcp/types.py b/src/mcp/types.py index d864b19da6..4ed9df87f6 100644 --- a/src/mcp/types.py +++ b/src/mcp/types.py @@ -122,6 +122,7 @@ class JSONRPCRequest(Request[dict[str, Any] | None, str]): id: RequestId method: str params: dict[str, Any] | None = None + auth: str | None = None class JSONRPCNotification(Notification[dict[str, Any] | None, str]): From 3279ab12b55ee46d58cafc25f2826dd1f5517a15 Mon Sep 17 00:00:00 2001 From: flagman Date: Sat, 31 May 2025 06:38:46 +0200 Subject: [PATCH 2/2] Update streamable_http.py Add support for authorisation --- src/mcp/server/streamable_http.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/mcp/server/streamable_http.py b/src/mcp/server/streamable_http.py index 8f4a1f5126..806f65d6ff 100644 --- a/src/mcp/server/streamable_http.py +++ b/src/mcp/server/streamable_http.py @@ -362,7 +362,12 @@ async def _handle_post_request( ) await response(scope, receive, send) return - + + if "authorization" in request.headers: + auth_header = request.headers["authorization"] + if auth_header.startswith("Bearer "): + message.root.auth = auth_header[7:] + logger.debug(f"Authorization header found: {message.root.auth}") # Check if this is an initialization request is_initialization_request = ( isinstance(message.root, JSONRPCRequest)
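Review bot: Adding `auth` to `JSONRPCRequest` makes the credential part of the wire model, so a client can presumably set an `"auth"` member in the JSON body, and the transports in this series only overwrite it when a `Bearer` header is present; a handler reading the context then cannot tell a header-derived token from a body-supplied string. The field would also be included wherever the request is serialized or forwarded. Consider carrying the token outside the JSON-RPC message (for example on the transport-level wrapper around it), or at least have the transports reset it unconditionally with `message.root.auth = None` before the header check. The class body starts outside the hunk.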
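Review bot: In `_handle_post_request`, `message.root.auth = auth_header[7:]` runs before the `isinstance(message.root, JSONRPCRequest)` check visible just below, so it is also executed for notifications and responses, which did not get an `auth` field in patch 1/2; whether that assignment raises or silently adds an attribute depends on model configuration outside this hunk. Guard it with `if isinstance(message.root, JSONRPCRequest) and "authorization" in request.headers:`; the `sse.py` hunk in patch 1/2 has the same unguarded assignment. The `startswith("Bearer ")` test is case-sensitive although HTTP auth scheme names are case-insensitive, so a header sent as `bearer <token>` is silently ignored; `auth_header[:7].lower() == "bearer "` accepts both. The block is a copy of the one in `src/mcp/server/sse.py` and would be easier to keep correct as one shared helper. `_handle_post_request` continues outside the hunk.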