
[BUG]: Token scoping #2192

@danaszuokas

Description


🐞 Bug Summary

Server-scoped tokens cannot access the /rpc endpoint because it's not included in the general_endpoints list in the token scoping middleware. This prevents SSE transport from working with server-scoped tokens.


🧩 Affected Component

  • mcpgateway - API
  • mcpgateway - UI (admin panel)
  • mcpgateway.wrapper - stdio wrapper
  • Federation or Transports
  • CLI, Makefiles, or shell scripts
  • Container setup (Docker/Podman/Compose)
  • Other (explain below)

🔁 Steps to Reproduce

  1. Create a server-scoped API token
  2. Attempt to use SSE transport to connect to an MCP server
  3. SSE transport calls /rpc endpoint
  4. Observe: HTTP 403 Forbidden

🤔 Expected Behavior

Server-scoped tokens should be able to access /rpc since it's an internal RPC endpoint required for MCP protocol operations.


🔍 Root Cause Analysis

In mcpgateway/middleware/token_scoping.py, the _check_server_restriction function:

  1. Checks if /rpc matches any server path pattern → NO
  2. Checks if /rpc is in general_endpoints → NO (not listed)
  3. Returns False → HTTP 403

Current code:

general_endpoints = ["/health", "/metrics", "/openapi.json", "/docs", "/redoc"]

Missing: /rpc


🛠️ Proposed Fix

Add /rpc to the general_endpoints list:

general_endpoints = ["/health", "/metrics", "/openapi.json", "/docs", "/redoc", "/rpc"]

File: mcpgateway/middleware/token_scoping.py
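The following is an added example, not code from mcpgateway: a stand-alone Python model of the decision order described in the root cause analysis, run against both the current and the proposed general_endpoints lists. It also shows the caveat behind the "no security regression" acceptance criterion: once /rpc is a general endpoint, a server-scoped token reaches /rpc regardless of what the JSON-RPC body asks for, so a second function binds /rpc calls to the token's server instead. The token shape (ScopedToken), the server path pattern, the TOOL_OWNER registry and the decide() helper are assumptions for illustration; only the two endpoint lists and the MCP method names are taken from the issue and the MCP protocol.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# Assumed shape of a server-scoped token: it names the single server it may reach.
# None models an unscoped token. (Illustrative; not mcpgateway's token model.)
@dataclass(frozen=True)
class ScopedToken:
    server_id: Optional[str]


# Assumed server path pattern for the "server path pattern" step of the check.
# The real patterns live in mcpgateway/middleware/token_scoping.py.
SERVER_PATH_PATTERNS = [
    re.compile(r"^/servers/(?P<server_id>[^/]+)(?:/.*)?$"),
]

# The list quoted in the issue, and the proposed one with /rpc appended.
CURRENT_GENERAL_ENDPOINTS = ["/health", "/metrics", "/openapi.json", "/docs", "/redoc"]
PROPOSED_GENERAL_ENDPOINTS = CURRENT_GENERAL_ENDPOINTS + ["/rpc"]

# Constructed tool registry (tool name -> owning server id) for the scoped /rpc variant.
TOOL_OWNER: Dict[str, str] = {"search_docs": "srv-a", "delete_records": "srv-b"}

# MCP JSON-RPC methods that carry no tool name and are needed to bring up any session.
SESSION_METHODS = {"initialize", "notifications/initialized", "ping", "tools/list"}


def check_server_restriction(path: str, token: ScopedToken, general_endpoints: List[str]) -> bool:
    """Re-implementation of the decision order the issue describes:
    1. path matches a server pattern -> allowed only for the token's own server
    2. path is a general endpoint    -> allowed
    3. otherwise                     -> denied (HTTP 403)
    """
    if token.server_id is None:
        return True
    for pattern in SERVER_PATH_PATTERNS:
        m = pattern.match(path)
        if m:
            return m.group("server_id") == token.server_id
    return path in general_endpoints


def rpc_allowed_for_token(token: ScopedToken, rpc_body: dict) -> bool:
    """Alternative to listing /rpc as a general endpoint: let the path through,
    but bind the JSON-RPC call itself to the token's server. Session-level
    methods pass; tools/call passes only for a tool owned by that server;
    anything else is denied."""
    if token.server_id is None:
        return True
    method = rpc_body.get("method")
    if method in SESSION_METHODS:
        return True
    if method == "tools/call":
        tool = (rpc_body.get("params") or {}).get("name")
        return TOOL_OWNER.get(tool) == token.server_id
    return False


def decide(path: str, token: ScopedToken, general_endpoints: List[str],
           rpc_body: Optional[dict] = None, scope_rpc: bool = False) -> int:
    """Return the HTTP status the middleware would produce: 200 (pass through) or 403."""
    if scope_rpc and path == "/rpc":
        return 200 if rpc_allowed_for_token(token, rpc_body or {}) else 403
    return 200 if check_server_restriction(path, token, general_endpoints) else 403


if __name__ == "__main__":
    tok = ScopedToken("srv-a")
    # Constructed JSON-RPC body: a tools/call aimed at a tool owned by a different server.
    call_other = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                  "params": {"name": "delete_records", "arguments": {}}}
    print(decide("/rpc", tok, CURRENT_GENERAL_ENDPOINTS))                         # the reported 403
    print(decide("/rpc", tok, PROPOSED_GENERAL_ENDPOINTS, call_other))            # 200, body not inspected
    print(decide("/rpc", tok, CURRENT_GENERAL_ENDPOINTS, call_other, scope_rpc=True))  # 403
```

With the proposed fix, the middleware admits /rpc purely on path, so any tool-level scoping has to happen in the /rpc handler itself; the scope_rpc variant shows the check done at the middleware boundary instead. Note that tools/list still passes in that variant and would need its response filtered to the token's server to avoid leaking other servers' tool names.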


✅ Acceptance Criteria

  • /rpc added to general_endpoints
  • Server-scoped tokens can access /rpc
  • SSE transport works with server-scoped tokens
  • Existing token scoping tests pass
  • No security regression (verify /rpc should be accessible)

Labels

  • MUST
  • P1: Non-negotiable, critical requirements without which the product is non-functional or unsafe
  • bug: Something isn't working
  • python: Python / backend development (FastAPI)
  • security: Improves security