feat: Allow setting Authorization header from tool arguments #144
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #143
Description:
This PR enhances the
_execute_api_toolmethod infastapi_mcp/server.pyto provide more flexibility for authenticating internal tool calls.Problem:
Currently,
_execute_api_toolprimarily looks for anAuthorizationheader inhttp_request_info.headers. This works well for external clients. However, for internal MCP clients (e.g., a backend service calling a tool viaMCPClientSession), it's often more convenient to pass authentication tokens through theargumentsof thecall_toolrequest rather than reconstructing HTTP headers. If the token is passed only in the arguments, the tool execution would fail if the tool endpoint is protected.Solution:
This change modifies
_execute_api_toolto check theargumentsdictionary for auser_access_tokenkey if anAuthorizationheader is not already present inhttp_request_info.headersor already set.If
user_access_tokenis found in thearguments:Bearertoken.Bearertoken is set as theAuthorizationheader for thehttpx.AsyncClientrequest made to the tool's endpoint.user_access_tokenis removed from theargumentsdictionary to prevent it from being unintentionally passed in the request body.This approach maintains the priority of an explicitly passed
Authorizationheader if one exists. It makesfastapi-mcpmore adaptable for internal tool usage patterns where passing authentication details via arguments is preferred.Changes:
fastapi_mcp/server.pyto include logic for extractinguser_access_tokenfrom tool arguments and setting theAuthorizationheader.