feat(auth): add token revocation and proxy auth to middleware#2548
Merged
crivetimihai merged 8 commits intomainfrom Jan 29, 2026
Merged
feat(auth): add token revocation and proxy auth to middleware#2548crivetimihai merged 8 commits intomainfrom
crivetimihai merged 8 commits intomainfrom
Conversation
112bd90 to
7dc102a
Compare
Member
There was a problem hiding this comment.
I'm seeing issues with functionality.
Token is not getting revoked after given time - maybe my time limit was too aggressive?
TOKEN_EXPIRY=3
REQUIRE_TOKEN_EXPIRATION=true
REQUIRE_JTI=true
I'm not getting access denied after timeout period is reached.
But I am getting logged out of my browser session.
For registration, the message coming back with PUBLIC_REGISTRATION_ENABLED=false set is always:
{
"detail": "User with email fake@email.com already exists"
}
(I'm passing in fake email) - should it default to that message or just give a generic access_denied/403 response?
- Support token revocation checks in AdminAuthMiddleware - Enable proxy authentication for admin routes - Filter session listings by user ownership - Validate team membership for OAuth operations - Add configurable public registration setting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
- Set require_token_expiration default to true (was false) - Set require_jti default to true (was false) - Update .env.example to reflect new secure defaults Tokens without expiration or JTI claims will now be rejected by default. Set REQUIRE_TOKEN_EXPIRATION=false or REQUIRE_JTI=false to restore previous behavior if needed for backward compatibility. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
… controls Add documentation for: - Token lifecycle management (revocation, validation settings) - Admin route authentication requirements - Session management access controls - User registration configuration - Updated production checklist with new settings Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
- SSO redirect_uri validation now uses server-side allowlist only (allowed_origins, app_domain) instead of trusting Host header - Full origin comparison including scheme and port to prevent cross-port or HTTP downgrade redirects - AdminAuthMiddleware now supports API token authentication - AdminAuthMiddleware now honors platform admin bootstrap when REQUIRE_USER_IN_DB=false for fresh deployments Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Align AdminAuthMiddleware with require_admin_auth by supporting: - HTTP Basic authentication for legacy deployments - Basic auth users are treated as admin (consistent with existing behavior) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
- Move hashlib/base64 imports to top-level in main.py (pylint C0415) - Add CHANGELOG entry for 1.0.0-RC1 secure defaults release - Add Security Defaults section to .env.example - Update test helpers to include JTI by default for REQUIRE_JTI=true Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
- Simplify Admin UI to use session-based email/password authentication - Add API_ALLOW_BASIC_AUTH setting for granular API auth control - Scope gateway credentials to prevent unintended forwarding - Update 25+ documentation files for auth model clarity - Add comprehensive test coverage for auth settings - Fix REQUIRE_TOKEN_EXPIRATION and REQUIRE_JTI defaults in docs - Remove BASIC_AUTH_* from Docker examples (not needed by default) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
968481b to
379ed76
Compare
20 tasks
- Reword RC1 changelog entries to use neutral language - Add coverage.svg to .gitignore (generated by make coverage) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
379ed76 to
b2c950d
Compare
41 tasks
This was referenced Jan 31, 2026
hughhennelly
pushed a commit
to hughhennelly/mcp-context-forge
that referenced
this pull request
Feb 8, 2026
* feat(auth): add token revocation and proxy auth to admin middleware - Support token revocation checks in AdminAuthMiddleware - Enable proxy authentication for admin routes - Filter session listings by user ownership - Validate team membership for OAuth operations - Add configurable public registration setting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(config): change token validation defaults to secure-by-default - Set require_token_expiration default to true (was false) - Set require_jti default to true (was false) - Update .env.example to reflect new secure defaults Tokens without expiration or JTI claims will now be rejected by default. Set REQUIRE_TOKEN_EXPIRATION=false or REQUIRE_JTI=false to restore previous behavior if needed for backward compatibility. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * docs(security): expand securing guide with token lifecycle and access controls Add documentation for: - Token lifecycle management (revocation, validation settings) - Admin route authentication requirements - Session management access controls - User registration configuration - Updated production checklist with new settings Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(auth): address SSO redirect validation and admin middleware gaps - SSO redirect_uri validation now uses server-side allowlist only (allowed_origins, app_domain) instead of trusting Host header - Full origin comparison including scheme and port to prevent cross-port or HTTP downgrade redirects - AdminAuthMiddleware now supports API token authentication - AdminAuthMiddleware now honors platform admin bootstrap when REQUIRE_USER_IN_DB=false for fresh deployments Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(auth): add basic auth support to AdminAuthMiddleware Align AdminAuthMiddleware with require_admin_auth by supporting: - HTTP Basic authentication for legacy deployments - Basic auth users are treated as admin (consistent with existing behavior) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(auth): finalize secure defaults and update changelog for RC1 - Move hashlib/base64 imports to top-level in main.py (pylint C0415) - Add CHANGELOG entry for 1.0.0-RC1 secure defaults release - Add Security Defaults section to .env.example - Update test helpers to include JTI by default for REQUIRE_JTI=true Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * refactor(auth): streamline authentication model and update documentation - Simplify Admin UI to use session-based email/password authentication - Add API_ALLOW_BASIC_AUTH setting for granular API auth control - Scope gateway credentials to prevent unintended forwarding - Update 25+ documentation files for auth model clarity - Add comprehensive test coverage for auth settings - Fix REQUIRE_TOKEN_EXPIRATION and REQUIRE_JTI defaults in docs - Remove BASIC_AUTH_* from Docker examples (not needed by default) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * docs: update changelog with neutral language and ignore coverage.svg - Reword RC1 changelog entries to use neutral language - Add coverage.svg to .gitignore (generated by make coverage) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: hughhennnelly <hughhennelly06@gmail.com>
Merged
2 tasks
kcostell06
pushed a commit
to kcostell06/mcp-context-forge
that referenced
this pull request
Feb 24, 2026
* feat(auth): add token revocation and proxy auth to admin middleware - Support token revocation checks in AdminAuthMiddleware - Enable proxy authentication for admin routes - Filter session listings by user ownership - Validate team membership for OAuth operations - Add configurable public registration setting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(config): change token validation defaults to secure-by-default - Set require_token_expiration default to true (was false) - Set require_jti default to true (was false) - Update .env.example to reflect new secure defaults Tokens without expiration or JTI claims will now be rejected by default. Set REQUIRE_TOKEN_EXPIRATION=false or REQUIRE_JTI=false to restore previous behavior if needed for backward compatibility. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * docs(security): expand securing guide with token lifecycle and access controls Add documentation for: - Token lifecycle management (revocation, validation settings) - Admin route authentication requirements - Session management access controls - User registration configuration - Updated production checklist with new settings Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(auth): address SSO redirect validation and admin middleware gaps - SSO redirect_uri validation now uses server-side allowlist only (allowed_origins, app_domain) instead of trusting Host header - Full origin comparison including scheme and port to prevent cross-port or HTTP downgrade redirects - AdminAuthMiddleware now supports API token authentication - AdminAuthMiddleware now honors platform admin bootstrap when REQUIRE_USER_IN_DB=false for fresh deployments Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(auth): add basic auth support to AdminAuthMiddleware Align AdminAuthMiddleware with require_admin_auth by supporting: - HTTP Basic authentication for legacy deployments - Basic auth users are treated as admin (consistent with existing behavior) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix(auth): finalize secure defaults and update changelog for RC1 - Move hashlib/base64 imports to top-level in main.py (pylint C0415) - Add CHANGELOG entry for 1.0.0-RC1 secure defaults release - Add Security Defaults section to .env.example - Update test helpers to include JTI by default for REQUIRE_JTI=true Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * refactor(auth): streamline authentication model and update documentation - Simplify Admin UI to use session-based email/password authentication - Add API_ALLOW_BASIC_AUTH setting for granular API auth control - Scope gateway credentials to prevent unintended forwarding - Update 25+ documentation files for auth model clarity - Add comprehensive test coverage for auth settings - Fix REQUIRE_TOKEN_EXPIRATION and REQUIRE_JTI defaults in docs - Remove BASIC_AUTH_* from Docker examples (not needed by default) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * docs: update changelog with neutral language and ignore coverage.svg - Reword RC1 changelog entries to use neutral language - Add coverage.svg to .gitignore (generated by make coverage) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Comprehensive authentication and authorization improvements across the gateway. Closes #2555
Changes
Admin Middleware & Token Handling
AdminAuthMiddlewareTRUST_PROXY_AUTH,PROXY_USER_HEADER)Session Management
SSO & OAuth
ALLOW_PUBLIC_REGISTRATION)API Authentication
API_ALLOW_BASIC_AUTHsetting (default:false) for granular controlToken Validation Defaults
REQUIRE_TOKEN_EXPIRATIONdefault changed totrueREQUIRE_JTIdefault changed totrueGateway Credentials
Documentation (25+ files)
BASIC_AUTH_*from Docker examplesConfiguration
.env.exampleand config schemasdocker-compose.ymlwith current defaultsTests
require_admin_auth()tests for Basic auth gatingget_auth_token()testsFiles Changed
Test Plan
API_ALLOW_BASIC_AUTH=true