fix: reject conflicting auth sources instead of silent override#37

Open
xyaz1313 wants to merge 1 commit into openapi:main from xyaz1313:fix/reject-conflicting-auth-27

Conversation

@xyaz1313

Problem

When both an Authorization header and a ?token= query parameter are provided, TokenQuerystringMiddleware silently discards the header and uses the query token. This hides client misconfiguration and makes auth debugging harder.

Root Cause

In src/openapi_mcp_sdk/main.py lines 163-170, the middleware unconditionally strips the existing Authorization header when ?token= is present:

headers = [(k, v) for k, v in scope["headers"] if k.lower() != b"authorization"]

Fix

Reject conflicting auth sources with a 400 response instead of silently overriding:

  • ?token= alone → works as before (lifted to header)
  • Authorization header alone → works as before (existing JIT flow)
  • Both present → 400 with clear error message
{
  "error": "conflicting_auth",
  "message": "Both Authorization header and ?token= query parameter are provided. Use only one authentication method."
}

This is a realistic integration mistake with browser-hosted clients, local proxies, and copied config snippets. A hard fail surfaces the problem immediately.

Fixes #27

When both Authorization header and ?token= query parameter are present,
the TokenQuerystringMiddleware previously discarded the header and
silently used the query token. This hides client misconfiguration and
makes auth debugging harder.

Now returns 400 with a clear error message when both are present.

Fixes openapi#27
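The three cases listed in the description (query token alone, header alone, both present) as a small pure-ASGI middleware plus a test harness. This is an added example, not the project's code: the class name is reused only as a stand-in, the Bearer scheme for the lifted token is assumed, and the downstream app and request scopes are constructed here.

```python
import asyncio
import json
from urllib.parse import parse_qs

CONFLICT_BODY = json.dumps({
    "error": "conflicting_auth",
    "message": "Both Authorization header and ?token= query parameter are provided. "
               "Use only one authentication method.",
}).encode()


class TokenQuerystringMiddleware:
    """Hypothetical stand-in for the project's middleware (not its real code)."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        token = parse_qs(scope.get("query_string", b"").decode()).get("token", [None])[0]
        has_header = any(k.lower() == b"authorization" for k, _ in scope["headers"])
        if token and has_header:  # conflicting sources: fail hard instead of overriding
            await send({"type": "http.response.start", "status": 400, "headers": [
                (b"content-type", b"application/json"),
                (b"content-length", str(len(CONFLICT_BODY)).encode())]})
            await send({"type": "http.response.body", "body": CONFLICT_BODY})
            return
        if token:  # query token alone: lift it into the header (Bearer scheme assumed)
            scope = dict(scope, headers=list(scope["headers"]) +
                         [(b"authorization", b"Bearer " + token.encode())])
        await self.app(scope, receive, send)


async def echo_auth(scope, receive, send):
    """Constructed downstream app: 200 whose body is the Authorization header it saw."""
    auth = dict(scope["headers"]).get(b"authorization", b"")
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": auth})


def run_request(query_string=b"", headers=()):
    """Drive the middleware with a constructed ASGI scope; return (status, body)."""
    scope = {"type": "http", "method": "GET", "path": "/",
             "query_string": query_string, "headers": list(headers)}
    sent = []
    async def receive(): return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message): sent.append(message)
    asyncio.run(TokenQuerystringMiddleware(echo_auth)(scope, receive, send))
    return sent[0]["status"], b"".join(m.get("body", b"") for m in sent[1:])
```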