fix(gateway): validate Origin before auth on GET/DELETE; merge-safe test token

anagnorisis2peripeteia · anagnorisis2peripeteia · commit a4e3cedad5a1 · 2026-06-06T23:21:13.000+01:00
Addresses review:
- Reorder the new GET and DELETE branches so rejectsBrowserLoopbackRequest()
  runs BEFORE bearer auth, matching the POST path — a browser-Origin loopback
  request is now rejected (403) before auth, preserving the loopback Origin
  boundary even for unauthenticated browser requests. Added focused tests:
  browser-Origin GET and DELETE with no bearer return 403 (before auth).
- The new transport tests now read the loopback owner token from
  getActiveMcpLoopbackRuntime().ownerToken instead of resolveMcpLoopbackBearerToken,
  so they don't depend on that helper's import (which current main's test file
  no longer carries).
diff --git a/src/gateway/mcp-http.request.ts b/src/gateway/mcp-http.request.ts
@@ -94,6 +94,14 @@ export function validateMcpLoopbackRequest(params: {
   }
 
   if (params.req.method === "GET") {
+    // Origin validation first (matches the POST path): a browser loopback request is
+    // rejected before bearer auth, so the local-loopback Origin boundary holds even for
+    // unauthenticated browser requests.
+    if (rejectsBrowserLoopbackRequest(params.req)) {
+      params.res.writeHead(403, { "Content-Type": "application/json" });
+      params.res.end(JSON.stringify({ error: "forbidden" }));
+      return null;
+    }
     const authHeader = getHeader(params.req, "authorization") ?? "";
     const ownerTokenMatched = safeEqualSecret(authHeader, `Bearer ${params.ownerToken}`);
     const nonOwnerTokenMatched = safeEqualSecret(authHeader, `Bearer ${params.nonOwnerToken}`);
@@ -102,11 +110,6 @@ export function validateMcpLoopbackRequest(params: {
       params.res.end(JSON.stringify({ error: "unauthorized" }));
       return null;
     }
-    if (rejectsBrowserLoopbackRequest(params.req)) {
-      params.res.writeHead(403, { "Content-Type": "application/json" });
-      params.res.end(JSON.stringify({ error: "forbidden" }));
-      return null;
-    }
     logMcpLoopbackHttp("sse-open", { method: "GET", path: url.pathname });
     params.res.writeHead(200, {
       "Content-Type": "text/event-stream",
@@ -127,6 +130,12 @@ export function validateMcpLoopbackRequest(params: {
     // Streamable HTTP session teardown. The loopback server is stateless — it owns no
     // session lifecycle — so this is an auth-gated no-op acknowledgement: clients that
     // send DELETE when closing the transport get a clean 200 rather than a 405.
+    // Origin validation first (matches the POST/GET paths), before bearer auth.
+    if (rejectsBrowserLoopbackRequest(params.req)) {
+      params.res.writeHead(403, { "Content-Type": "application/json" });
+      params.res.end(JSON.stringify({ error: "forbidden" }));
+      return null;
+    }
     const authHeader = getHeader(params.req, "authorization") ?? "";
     const ownerTokenMatched = safeEqualSecret(authHeader, `Bearer ${params.ownerToken}`);
     const nonOwnerTokenMatched = safeEqualSecret(authHeader, `Bearer ${params.nonOwnerToken}`);
@@ -135,11 +144,6 @@ export function validateMcpLoopbackRequest(params: {
       params.res.end(JSON.stringify({ error: "unauthorized" }));
       return null;
     }
-    if (rejectsBrowserLoopbackRequest(params.req)) {
-      params.res.writeHead(403, { "Content-Type": "application/json" });
-      params.res.end(JSON.stringify({ error: "forbidden" }));
-      return null;
-    }
     logMcpLoopbackHttp("session-delete", { method: "DELETE", path: url.pathname });
     params.res.writeHead(200, { "Content-Type": "application/json" });
     params.res.end(JSON.stringify({ ok: true }));
diff --git a/src/gateway/mcp-http.test.ts b/src/gateway/mcp-http.test.ts
@@ -657,8 +657,7 @@ describe("createMcpLoopbackServerConfig", () => {
 
   it("opens an auth-gated SSE stream on GET (Streamable HTTP notification channel)", async () => {
     server = await startMcpLoopbackServer(0);
-    const runtime = getActiveMcpLoopbackRuntime();
-    const token = runtime ? resolveMcpLoopbackBearerToken(runtime, false) : undefined;
+    const token = getActiveMcpLoopbackRuntime()?.ownerToken;
     const res = await fetch(`http://127.0.0.1:${server.port}/mcp`, {
       method: "GET",
       headers: token ? { authorization: `Bearer ${token}` } : {},
@@ -677,8 +676,7 @@ describe("createMcpLoopbackServerConfig", () => {
 
   it("rejects a GET notification channel from a browser Origin (403)", async () => {
     server = await startMcpLoopbackServer(0);
-    const runtime = getActiveMcpLoopbackRuntime();
-    const token = runtime ? resolveMcpLoopbackBearerToken(runtime, false) : undefined;
+    const token = getActiveMcpLoopbackRuntime()?.ownerToken;
     const res = await fetch(`http://127.0.0.1:${server.port}/mcp`, {
       method: "GET",
       headers: {
@@ -692,8 +690,7 @@ describe("createMcpLoopbackServerConfig", () => {
 
   it("acknowledges DELETE session teardown with 200 (stateless no-op)", async () => {
     server = await startMcpLoopbackServer(0);
-    const runtime = getActiveMcpLoopbackRuntime();
-    const token = runtime ? resolveMcpLoopbackBearerToken(runtime, false) : undefined;
+    const token = getActiveMcpLoopbackRuntime()?.ownerToken;
     const res = await fetch(`http://127.0.0.1:${server.port}/mcp`, {
       method: "DELETE",
       headers: token ? { authorization: `Bearer ${token}` } : {},
@@ -716,14 +713,32 @@ describe("createMcpLoopbackServerConfig", () => {
 
   it("stays stateless: POST responses advertise no Mcp-Session-Id", async () => {
     server = await startMcpLoopbackServer(0);
-    const runtime = getActiveMcpLoopbackRuntime();
     const res = await sendRaw({
       port: server.port,
-      token: runtime ? resolveMcpLoopbackBearerToken(runtime, false) : undefined,
+      token: getActiveMcpLoopbackRuntime()?.ownerToken,
       headers: { "content-type": "application/json", "x-session-key": "agent:main:main" },
       body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list" }),
     });
     expect(res.status).toBe(200);
     expect(res.headers.get("mcp-session-id")).toBeNull();
   });
+
+  it("rejects a browser-Origin GET before auth (403, no bearer)", async () => {
+    server = await startMcpLoopbackServer(0);
+    const res = await fetch(`http://127.0.0.1:${server.port}/mcp`, {
+      method: "GET",
+      headers: { origin: "https://evil.example" },
+    });
+    expect(res.status).toBe(403);
+    await res.body?.cancel();
+  });
+
+  it("rejects a browser-Origin DELETE before auth (403, no bearer)", async () => {
+    server = await startMcpLoopbackServer(0);
+    const res = await fetch(`http://127.0.0.1:${server.port}/mcp`, {
+      method: "DELETE",
+      headers: { origin: "https://evil.example" },
+    });
+    expect(res.status).toBe(403);
+  });
 });
