fix(auth): set request.state.token_teams for proxy authentication flow to resolve admin status#4591
Open
…esolve admin status Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
🔗 Related Issue
Closes #4587
📝 Summary
Fixes proxy-authenticated admin users being unable to access private/team-scoped tools despite having `is_admin=true` in the database.

Root Cause: The `_authenticate_proxy_user()` function correctly resolved admin status and teams from the database but failed to set `request.state.token_teams`. This caused downstream code in `get_token_teams_from_request()` to fall back to `normalize_token_teams()` instead of using the pre-resolved value, breaking admin bypass for proxy-authenticated requests.

Solution: Added `request.state.token_teams` assignment in both proxy authentication paths (DB user lookup and platform admin bootstrap), matching the pattern used by `get_current_user()` for JWT session tokens.

Impact: Admin users authenticated via proxy headers (when `TRUST_PROXY_AUTH=true`) now correctly receive admin bypass (`token_teams=None`) and can access all tools (public + team + private).

🏷️ Type of Change
🧪 Verification
- `make lint`
- `make test`
- `make coverage`

✅ Checklist
- `make black isort pre-commit`

📓 Notes
Changes Made
File: `mcpgateway/utils/verify_credentials.py`
- `request.state.token_teams = token_teams` after resolving teams via `_resolve_teams_from_db()`
- `request.state.token_teams = None` for platform admin bootstrap when `REQUIRE_USER_IN_DB=false`

Why This Works
The fix ensures proxy-authenticated requests follow the same state-setting pattern as JWT session tokens:
- `auth.py:1403`: `get_current_user()` sets `request.state.token_teams` after calling `resolve_session_teams()`
- `_authenticate_proxy_user()` sets `request.state.token_teams` after calling `_resolve_teams_from_db()`

This makes `get_token_teams_from_request()` find the pre-resolved value immediately instead of falling back to `normalize_token_teams()`, ensuring consistent admin bypass behavior.
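The state-setting pattern and the admin-bypass semantics described in this PR, as an added illustration that is not code from mcpgateway or from this PR: a constructed, stand-alone Python model with simplified stand-ins for the request object, the user store and the functions named above. The function names are borrowed from the description; their bodies, the `X-Authenticated-User` header, the `_UNSET` sentinel, and the sample users and tools are assumptions made for this example. The `*_before` and `*_after` authenticators model the unfixed and fixed proxy paths so the difference in visible tools can be observed directly.

```python
"""Constructed model of the request.state pre-resolution pattern (not mcpgateway code)."""
from dataclasses import dataclass, field
from types import SimpleNamespace
from typing import Optional

# Constructed in-memory user store: email -> admin flag and team memberships (assumption).
USERS_DB = {
    "admin@example.com": {"is_admin": True, "teams": ["team-a"]},
    "dev@example.com": {"is_admin": False, "teams": ["team-a"]},
}

# Constructed tool catalogue (assumption): one public, one team-scoped, one private tool.
TOOLS = [
    {"name": "public-tool", "visibility": "public"},
    {"name": "team-a-tool", "visibility": "team", "team": "team-a"},
    {"name": "private-tool", "visibility": "private", "owner": "someone-else"},
]

# Sentinel so "state never set" can be told apart from "set to None", because
# None is itself the meaningful admin-bypass value (design choice of this example).
_UNSET = object()


@dataclass
class Request:
    """Minimal stand-in for a Starlette/FastAPI request with a mutable .state (assumption)."""
    headers: dict
    state: SimpleNamespace = field(default_factory=SimpleNamespace)


def _resolve_teams_from_db(email: str) -> Optional[list]:
    """Return None for admins (bypass), the team list for known users, [] for unknown ones."""
    user = USERS_DB.get(email)
    if user is None:
        return []
    return None if user["is_admin"] else list(user["teams"])


def normalize_token_teams(token_teams) -> list:
    """Fallback path: with no pre-resolved value, a missing teams claim means 'no teams'."""
    return [] if token_teams is None else list(token_teams)


def get_token_teams_from_request(request: Request):
    """Prefer what the authenticator stored on request.state; otherwise normalize a claim."""
    pre_resolved = getattr(request.state, "token_teams", _UNSET)
    if pre_resolved is not _UNSET:
        return pre_resolved
    return normalize_token_teams(getattr(request.state, "token_claims_teams", None))


def authenticate_proxy_user_before(request: Request) -> dict:
    """Unfixed path: teams are resolved but never stored on request.state."""
    email = request.headers["X-Authenticated-User"]  # header name is an assumption
    token_teams = _resolve_teams_from_db(email)
    return {"email": email, "token_teams": token_teams}


def authenticate_proxy_user_after(request: Request) -> dict:
    """Fixed path: the resolved value is stored so downstream lookups see it."""
    email = request.headers["X-Authenticated-User"]
    token_teams = _resolve_teams_from_db(email)
    request.state.token_teams = token_teams  # the one-line change the PR describes
    return {"email": email, "token_teams": token_teams}


def visible_tools(token_teams, tools) -> list:
    """None (admin bypass) sees every tool; otherwise public tools plus the caller's teams' tools."""
    if token_teams is None:
        return [t["name"] for t in tools]
    return [t["name"] for t in tools
            if t["visibility"] == "public" or t.get("team") in token_teams]


def tools_for_proxy_user(email: str, fixed: bool) -> list:
    """Run one proxy-authenticated request end to end and return the tool names it may see."""
    request = Request(headers={"X-Authenticated-User": email})
    authenticate = authenticate_proxy_user_after if fixed else authenticate_proxy_user_before
    authenticate(request)
    return visible_tools(get_token_teams_from_request(request), TOOLS)


if __name__ == "__main__":
    print("admin, unfixed:", tools_for_proxy_user("admin@example.com", fixed=False))
    print("admin, fixed:  ", tools_for_proxy_user("admin@example.com", fixed=True))
    print("dev, fixed:    ", tools_for_proxy_user("dev@example.com", fixed=True))
```

Running it shows the unfixed admin request collapsing to the public tool only, while the fixed path returns all three. The `_UNSET` sentinel in `get_token_teams_from_request()` is the detail worth carrying over to any real implementation of this pattern: a plain `getattr(state, "token_teams", None)` cannot distinguish an admin whose bypass was pre-resolved from a request where nothing was set, so the admin would be routed into the fallback and silently lose the bypass.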