Skip to content

Fix: Refresh auth context per Streamable HTTP request #1998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
bgaidioz wants to merge 3 commits into
base: v1.x
Choose a base branch
from
Draft

Fix: Refresh auth context per Streamable HTTP request #1998

bgaidioz wants to merge 3 commits into from
+196 −0

Conversation

@bgaidioz
Copy link

@bgaidioz bgaidioz commented Feb 5, 2026
edited
Loading

This changeset addresses issue #1250: after the MCP client refreshes its token and starts using the new one, server‑side tools still receive the old (expired) token from get_access_token().

CI failed on coverage for the new branch in _handle_request. I added a small, low‑level unit test to cover it, but it’s fairly close to internals and I’m not sure this is the preferred approach. If there’s a better way to cover this path, please let me know what you recommend.

Motivation and Context

We've hit the bug and found this matching GitHub issue. I provided test code to reproduce the bug. Eventually I noticed project fastmcp hit the same problem and a patch was committed.

How Has This Been Tested?

Breaking Changes

No.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

My understanding: The context var is correct inside the ASGI request task where AuthContextMiddleware runs. The problem is that tool execution happens later in a different task. The context var value isn’t visible. StreamableHTTPSessionManager only wraps the request in a ServerMessageMetadata and writes it to a MemoryObjectSendStream. When that message is processed later, unless it's re-set, the context var isn’t the correct one.

The fastmcp fix patches get_access_token() to read the token from the current request (available via request metadata in the tool execution context). Which permits to avoid reading the stale context var. This change instead updates auth_context_var from the current request’s scope["user"] inside _handle_request, so each message sees the latest token in the context var.

@bgaidioz bgaidioz marked this pull request as draft February 5, 2026 15:11
@bgaidioz bgaidioz force-pushed the fix/stale-access-token-1250 branch from 913b3c5 to 96ae6b7 Compare February 5, 2026 16:12
@bgaidioz bgaidioz mentioned this pull request Feb 5, 2026
Open
2 tasks
@bgaidioz bgaidioz force-pushed the fix/stale-access-token-1250 branch from 96ae6b7 to e571c42 Compare February 5, 2026 16:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bgaidioz