fix auth context reset for streamable HTTP

Epochex · Epochex · commit 9e515ac92334 · 2026-05-25T01:09:41.000+02:00
diff --git a/src/mcp/server/auth/middleware/auth_context.py b/src/mcp/server/auth/middleware/auth_context.py
@@ -38,9 +38,7 @@ def push_auth_context_from_request(request: Request | None) -> Token[Authenticat
             user = getattr(request, "user", None)
         except AssertionError:
             user = None
-    if isinstance(user, AuthenticatedUser):
-        return auth_context_var.set(user)
-    return None
+    return auth_context_var.set(user if isinstance(user, AuthenticatedUser) else None)
 
 
 def pop_auth_context(token: Token[AuthenticatedUser | None] | None) -> None:
diff --git a/tests/server/auth/test_get_access_token_streamable_http.py b/tests/server/auth/test_get_access_token_streamable_http.py
@@ -14,7 +14,6 @@
 from mcp.server.auth.middleware.bearer_auth import BearerAuthBackend
 from mcp.server.auth.provider import AccessToken
 from mcp.server.streamable_http_manager import StreamableHTTPSessionManager
-from mcp.server.transport_security import TransportSecuritySettings
 from mcp.types import (
     CallToolRequestParams,
     CallToolResult,
@@ -43,11 +42,12 @@ async def _handle_list_tools(ctx: ServerRequestContext, params: PaginatedRequest
 
 
 class _MutableBearerAuth(httpx.Auth):
-    def __init__(self, token: str) -> None:
+    def __init__(self, token: str | None) -> None:
         self.token = token
 
     def auth_flow(self, request: httpx.Request):
-        request.headers["Authorization"] = f"Bearer {self.token}"
+        if self.token is not None:
+            request.headers["Authorization"] = f"Bearer {self.token}"
         yield request
 
 
@@ -61,11 +61,7 @@ async def test_get_access_token_reflects_current_request_in_stateful_session() -
         on_list_tools=_handle_list_tools,
     )
 
-    security = TransportSecuritySettings(
-        allowed_hosts=[host, f"{host}:*"],
-        allowed_origins=[f"http://{host}:*"],
-    )
-    session_manager = StreamableHTTPSessionManager(app=server, security_settings=security, stateless=False)
+    session_manager = StreamableHTTPSessionManager(app=server, stateless=False)
 
     asgi_app = Starlette(
         routes=[Mount("/mcp", app=session_manager.handle_request)],
@@ -89,7 +85,7 @@ async def test_get_access_token_reflects_current_request_in_stateful_session() -
             ) as http_client,
         ):
             transport_ctx = streamable_http_client(f"http://{host}/mcp", http_client=http_client)
-            async with Client(transport_ctx) as client:
+            async with Client(transport_ctx) as client:  # pragma: no branch
                 r1 = await client.call_tool("whoami", {})
                 assert isinstance(r1.content[0], TextContent)
                 assert r1.content[0].text == "token-A"
@@ -98,3 +94,8 @@ async def test_get_access_token_reflects_current_request_in_stateful_session() -
                 r2 = await client.call_tool("whoami", {})
                 assert isinstance(r2.content[0], TextContent)
                 assert r2.content[0].text == "token-B"
+
+                auth.token = None
+                r3 = await client.call_tool("whoami", {})
+                assert isinstance(r3.content[0], TextContent)
+                assert r3.content[0].text == "<none>"
