[BUG][SONAR][LOW]: Missing expires_at calculation in DCR client registration #2378

@crivetimihai

Severity: LOW
File: mcpgateway/services/dcr_service.py
Line: 210
Rule: TODO comment

Description

When registering a Dynamic Client Registration (DCR) client, the expires_at field is always set to None instead of being calculated from the response.

Code

# Line 210
expires_at=None,  # TODO: Calculate from client_id_issued_at + client_secret_expires_at

Impact

DCR clients may have expiration times but the system doesn't track them. This could lead to:

  • Attempting to use expired client credentials
  • No automatic re-registration when credentials expire

Suggested Fix

Calculate expiration from the DCR response:

# Needs at module level: from datetime import datetime, timezone
# Calculate expires_at from DCR response
expires_at = None
client_secret_expires_at = registration_response.get("client_secret_expires_at")
# A value of 0 (or a missing field) leaves expires_at as None
if client_secret_expires_at and client_secret_expires_at > 0:
    expires_at = datetime.fromtimestamp(client_secret_expires_at, tz=timezone.utc)
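A stricter variant of the calculation above, as an added example that is not part of the original issue or the project's code. It relies on RFC 7591 defining client_secret_expires_at as seconds since the epoch with 0 meaning "never expires", and it fails closed on malformed values instead of storing them as non-expiring. The function names parse_secret_expiry and needs_reregistration and the 60-second skew are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Mapping, Optional


def parse_secret_expiry(registration_response: Mapping[str, Any]) -> Optional[datetime]:
    """Return the secret expiry as an aware UTC datetime, or None if it never expires.

    Hypothetical helper: RFC 7591 gives client_secret_expires_at as seconds
    since 1970-01-01T00:00:00Z, with 0 meaning the secret does not expire.
    """
    raw = registration_response.get("client_secret_expires_at")
    if raw is None:
        return None  # field absent (for example, no client_secret was issued)
    # bool is a subclass of int, so reject it explicitly along with str/float.
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise ValueError(f"client_secret_expires_at must be an integer, got {type(raw).__name__}")
    if raw == 0:
        return None  # explicit "does not expire"
    if raw < 0:
        raise ValueError("client_secret_expires_at must not be negative")
    try:
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    except (OverflowError, OSError, ValueError) as exc:
        # Absurdly large values cannot be represented as a datetime.
        raise ValueError("client_secret_expires_at is out of range") from exc


def needs_reregistration(
    expires_at: Optional[datetime],
    now: Optional[datetime] = None,
    skew: timedelta = timedelta(seconds=60),  # assumed safety margin
) -> bool:
    """True when the stored credentials are expired or about to expire."""
    if expires_at is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now >= expires_at - skew


if __name__ == "__main__":
    # Constructed sample DCR response, not taken from a real server.
    sample = {"client_id": "example-client", "client_secret_expires_at": 1700000000}
    expiry = parse_secret_expiry(sample)
    print(expiry, needs_reregistration(expiry))
```

Checking needs_reregistration before each token request covers both impacts listed above: expired credentials are not sent, and expiry becomes the trigger for re-registration.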

Labels

  • MUST: P1: Non-negotiable, critical requirements without which the product is non-functional or unsafe
  • bug: Something isn't working
  • python: Python / backend development (FastAPI)
  • security: Improves security
  • sonar: SonarQube code quality findings
