feat: scope query param auth to MCP endpoints

Restrict the api_key query parameter to /mcp/tools, /mcp/tool/call,
and /mcp/sse only. Update the documentation to reflect query param
usage for the ChatGPT UI, which lacks header support.
2026-01-29 21:07:37 +01:00
parent b990c6c527
commit 0a2a21cc52
3 changed files with 21 additions and 34 deletions


@@ -74,8 +74,8 @@ async def authenticate_request(request: Request, call_next):
auth_header = request.headers.get("authorization")
api_key = auth_validator.extract_bearer_token(auth_header)
# Fallback: allow API key via query parameter (for ChatGPT UI without headers)
if not api_key:
# Fallback: allow API key via query parameter only for MCP endpoints
if not api_key and request.url.path in {"/mcp/tools", "/mcp/tool/call", "/mcp/sse"}:
api_key = request.query_params.get("api_key")
# Validate API key