fix(auth): satisfy pyright + add coverage for Basic auth fallback edges

Two changes to make CI green:

1. token.py: guard the Basic auth fallback assignment so pyright can
   narrow client_info.client_id from `str | None` to `str` before it
   lands in starlette's FormData (whose values are `UploadFile | str`).
   Semantically a no-op — ClientAuthenticator already guarantees a
   non-empty client_id reached this point.

2. test_auth_integration.py: cover the two previously-uncovered edges
   in client_auth.py's Basic auth fallback (lines 62-66):
   - decoded credentials without ':' separator
   - malformed base64 in the Authorization header
   Both should be silently swallowed so the request surfaces the normal
   "Missing client_id" error path rather than a Basic-auth-specific one.
   Coverage of src/mcp/server/auth/middleware/client_auth.py is now 100%.

Also restores ruff-format compliance (single blank line between methods).

Author: n0madgang

src/mcp/server/auth/handlers/token.py

@@ -99,7 +99,9 @@ async def handle(self, request: Request):
             # client_id may have been supplied via HTTP Basic auth header instead of the
             # request body (RFC 6749 §2.3.1). ClientAuthenticator already verified it,
             # so we can safely populate it from client_info when absent from form data.
-            if "client_id" not in form_data:
+            # The truthiness check narrows `str | None` to `str` for the type checker;
+            # ClientAuthenticator guarantees a non-empty client_id reached this point.
+            if "client_id" not in form_data and client_info.client_id:
                 form_data["client_id"] = client_info.client_id
             token_request = token_request_adapter.validate_python(form_data)
         except ValidationError as validation_error:  # pragma: no cover

tests/server/mcpserver/auth/test_auth_integration.py

@@ -1366,7 +1366,6 @@ async def test_none_auth_method_public_client(
         token_response = response.json()
         assert "access_token" in token_response
 
-
     @pytest.mark.anyio
     async def test_basic_auth_without_client_id_in_body(
         self, test_client: httpx.AsyncClient, mock_oauth_provider: MockOAuthProvider, pkce_challenge: dict[str, str]
@@ -1454,6 +1453,34 @@ async def test_basic_auth_refresh_token_without_client_id_in_body(
         token_response = response.json()
         assert "access_token" in token_response
 
+    @pytest.mark.anyio
+    async def test_basic_auth_fallback_invalid_base64_falls_through(self, test_client: httpx.AsyncClient):
+        """Basic auth fallback (no client_id in body): invalid base64 is silently ignored,
+        request continues without client_id and surfaces a normal 'invalid_request' error."""
+        # client_id missing from body AND the Basic header is malformed base64
+        response = await test_client.post(
+            "/token",
+            headers={"Authorization": "Basic !!!not-valid-base64!!!"},
+            data={"grant_type": "authorization_code", "code": "irrelevant"},
+        )
+        # The malformed base64 is swallowed; client_id remains missing → standard 401
+        assert response.status_code == 401
+        assert response.json()["error"] == "invalid_client"
+
+    @pytest.mark.anyio
+    async def test_basic_auth_fallback_no_colon_falls_through(self, test_client: httpx.AsyncClient):
+        """Basic auth fallback (no client_id in body): decoded credentials without a colon
+        are not treated as a valid client_id, and the request fails with 'invalid_client'."""
+        # b64("no_colon_here") decodes cleanly but contains no ':' separator
+        encoded = base64.b64encode(b"no_colon_here").decode()
+        response = await test_client.post(
+            "/token",
+            headers={"Authorization": f"Basic {encoded}"},
+            data={"grant_type": "authorization_code", "code": "irrelevant"},
+        )
+        assert response.status_code == 401
+        assert response.json()["error"] == "invalid_client"
+
 
 class TestAuthorizeEndpointErrors:
     """Test error handling in the OAuth authorization endpoint."""