fix(transport): protocol and transport hardening for auth and lifecycle consistency (#3344)

* fix: protocol and transport hardening for auth and lifecycle consistency

Improve RPC/protocol validation behavior and error mapping, enforce admin-only diagnostics access, and harden stateful streamable HTTP session teardown semantics.

Align nginx upstream behavior for replica-aware balancing and remove overlapping proxy security headers. Update and expand unit coverage across main/version/oauth/streamable transport paths.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: docstring hardening for lint consistency

Update endpoint/helper docstrings for explicit args/returns/raises coverage and keep doctest examples aligned with current admin diagnostics access semantics.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* test: add differential coverage for protocol/transport hardening paths

Cover RPC-path SamplingError and CompletionError mapping to JSON-RPC
-32602, stateful session owner assertion (404/403 deny paths), ping
endpoint non-dict body handling, and streamable HTTP session close
error branches (registry None, remove_session failure).

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: harden version endpoint auth and align test expectations

- version.py: _has_version_admin_access now accepts string inputs from
  require_admin_auth (which returns email after verifying admin status)
- test_version.py: reference require_admin_auth instead of nonexistent require_auth
- test_main_apis.py: ping invalid-method test expects 400 (not 500)
- test_main_extended.py: fix params list->dict, remove stale RPCRequest patch

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Signed-off-by: Jonathan Springer <jps@s390x.com>

* refactor: harden RPC error responses — extract helper, skip redundant validation, remove data leaks

- Extract _jsonrpc_invalid_request() helper to deduplicate 5 identical
  error envelope constructions across ping() and _handle_rpc_authenticated()
- Skip RPCRequest Pydantic validation for trusted internal Rust dispatch
  (restores intentional perf optimization; manual type checks still run)
- Remove session_id from JSONRPCError data to avoid reflecting client input
- Remove full params dict from SamplingError/CompletionError JSON-RPC errors
  to prevent request payload leakage in error responses

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Signed-off-by: Jonathan Springer <jps@s390x.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Author: 3 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "(?x)( package-lock\\.json$ |Cargo\\.lock$ |uv\\.lock$ |go\\.sum$ |mcpgateway/sri_hashes\\.json$ )|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-23T10:40:16Z",
+  "generated_at": "2026-04-23T15:27:18Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -5018,7 +5018,7 @@
         "hashed_secret": "d3ecb0d890368d7659ee54010045b835dacb8efe",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 611,
+        "line_number": 615,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5484,15 +5484,15 @@
         "hashed_secret": "9addbf544119efa4a64223b649750a510f0d463f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 850,
+        "line_number": 851,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "9addbf544119efa4a64223b649750a510f0d463f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 912,
+        "line_number": 913,
         "type": "Basic Auth Credentials",
         "verified_result": null
       }
@@ -5982,7 +5982,7 @@
         "hashed_secret": "4dfad2d5130a5bcaf2716c495de92da13f4389e0",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 764,
+        "line_number": 763,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -9510,7 +9510,7 @@
         "hashed_secret": "516b9783fca517eecbd1d064da2d165310b19759",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 183,
+        "line_number": 210,
         "type": "Basic Auth Credentials",
         "verified_result": null
       }
@@ -9548,15 +9548,15 @@
         "hashed_secret": "b4c9248600a42f8c38c01b632f392dbcb4c7b19a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 12820,
+        "line_number": 12928,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "90bd1b48e958257948487b90bee080ba5ed00caa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 13995,
+        "line_number": 14103,
         "type": "Hex High Entropy String",
         "verified_result": null
       }

infra/nginx/nginx-performance.conf

@@ -156,8 +156,9 @@ http {
         # Load balancing: least_conn distributes to backend with fewest active connections
         # Fixes imbalance caused by keepalive connections sticking to one backend
         least_conn;
+        zone gateway_backend 64k;
 
-        server gateway:4444 max_fails=0;  # Disable failure tracking (always retry)
+        server gateway:4444 resolve max_fails=0;  # Re-resolve Docker DNS for replica-aware balancing
 
         # Keepalive pool sizing for 10,000 capacity:
         # - Each nginx worker maintains its own pool
@@ -199,11 +200,7 @@ http {
         listen [::]:80 backlog=65535 reuseport;
         server_name localhost;
 
-        # Security headers
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        # Security headers are authored by the gateway app middleware.
 
         # Cache status header (for debugging)
         add_header X-Cache-Status $upstream_cache_status always;

infra/nginx/nginx-tls.conf

@@ -156,8 +156,9 @@ http {
         # Load balancing: least_conn distributes to backend with fewest active connections
         # Fixes imbalance caused by keepalive connections sticking to one backend
         least_conn;
+        zone gateway_backend 64k;
 
-        server gateway:4444 max_fails=0;  # Disable failure tracking (always retry)
+        server gateway:4444 resolve max_fails=0;  # Re-resolve Docker DNS for replica-aware balancing
 
         # Keepalive pool sizing for 4000 capacity:
         # - Each nginx worker maintains its own pool
@@ -213,11 +214,7 @@ http {
 
         server_name localhost;
 
-        # Security headers
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        # Security headers are authored by the gateway app middleware.
 
         # Cache status header (for debugging)
         add_header X-Cache-Status $upstream_cache_status always;
@@ -296,11 +293,8 @@ http {
 
         server_name localhost;
 
-        # Security headers (with HSTS for HTTPS)
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        # Security headers are authored by the gateway app middleware.
+        # HSTS can still be configured here if edge-only enforcement is desired.
         # HSTS - Only enable if you want to force HTTPS (15768000 = 6 months)
         # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
 

infra/nginx/nginx.conf

@@ -235,11 +235,7 @@ http {
 
         server_name localhost;
 
-        # Security headers
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        # Security headers are authored by the gateway app middleware.
 
         # Cache status header (for debugging)
         add_header X-Cache-Status $upstream_cache_status always;

mcpgateway/main.py

@@ -85,7 +85,7 @@
 from mcpgateway.db import A2ATask as DbA2ATask
 from mcpgateway.db import refresh_slugs_on_startup, SessionLocal
 from mcpgateway.db import Tool as DbTool
-from mcpgateway.handlers.sampling import SamplingHandler
+from mcpgateway.handlers.sampling import SamplingError, SamplingHandler
 from mcpgateway.middleware.compression import SSEAwareCompressMiddleware
 from mcpgateway.middleware.correlation_id import CorrelationIDMiddleware
 from mcpgateway.middleware.http_auth_middleware import HttpAuthMiddleware, run_pre_request_hooks
@@ -152,7 +152,7 @@
 from mcpgateway.services.a2a_server_service import A2AServerService
 from mcpgateway.services.a2a_service import A2AAgentError, A2AAgentNameConflictError, A2AAgentNotFoundError, A2AAgentService
 from mcpgateway.services.cancellation_service import cancellation_service
-from mcpgateway.services.completion_service import CompletionService
+from mcpgateway.services.completion_service import CompletionError, CompletionService
 from mcpgateway.services.content_security import ContentSizeError, ContentTypeError
 from mcpgateway.services.email_auth_service import EmailAuthService
 from mcpgateway.services.export_service import ExportError, ExportService
@@ -3540,6 +3540,11 @@ async def require_valid_server(server_id: str, db: Session = Depends(get_db)) ->
     return server_id
 
 
+def _jsonrpc_invalid_request(req_id: Optional[Union[int, str]] = None) -> dict:
+    """Build a JSON-RPC 2.0 ``Invalid Request`` error envelope."""
+    return {"jsonrpc": "2.0", "error": {"code": -32600, "message": "Invalid Request"}, "id": req_id}
+
+
 async def _read_request_json(request: Request) -> Any:
     """Read JSON payload using orjson.
 
@@ -3821,23 +3826,14 @@ async def ping(request: Request, user=Depends(get_current_user)) -> JSONResponse
     Raises:
         HTTPException: If the request method is not "ping".
     """
-    req_id: Optional[str] = None
-    try:
-        body: dict = await _read_request_json(request)
-        if body.get("method") != "ping":
-            raise HTTPException(status_code=400, detail="Invalid method")
-        req_id = body.get("id")
-        logger.debug(f"Authenticated user {SecurityValidator.sanitize_log_message(str(user))} sent ping request.")
-        # Return an empty result per the MCP ping specification.
-        response: dict = {"jsonrpc": "2.0", "id": req_id, "result": {}}
-        return ORJSONResponse(content=response)
-    except Exception as e:
-        error_response: dict = {
-            "jsonrpc": "2.0",
-            "id": req_id,  # Now req_id is always defined
-            "error": {"code": -32603, "message": "Internal error", "data": str(e)},
-        }
-        return ORJSONResponse(status_code=500, content=error_response)
+    body = await _read_request_json(request)
+    req_id = body.get("id") if isinstance(body, dict) else None
+    if not isinstance(body, dict) or body.get("method") != "ping":
+        return ORJSONResponse(status_code=400, content=_jsonrpc_invalid_request(req_id))
+
+    logger.debug(f"Authenticated user {SecurityValidator.sanitize_log_message(str(user))} sent ping request.")
+    response: dict = {"jsonrpc": "2.0", "id": req_id, "result": {}}
+    return ORJSONResponse(content=response)
 
 
 @protocol_router.post("/notifications")
@@ -3887,6 +3883,9 @@ async def handle_completion(request: Request, db: Session = Depends(get_db), use
 
     Returns:
         The result of the completion process.
+
+    Raises:
+        HTTPException: If completion request validation fails.
     """
     body = await _read_request_json(request)
     logger.debug(f"User {SecurityValidator.sanitize_log_message(user['email'])} sent a completion request")
@@ -3895,7 +3894,10 @@ async def handle_completion(request: Request, db: Session = Depends(get_db), use
         user_email = None
     elif token_teams is None:
         token_teams = []
-    return await completion_service.handle_completion(db, body, user_email=user_email, token_teams=token_teams)
+    try:
+        return await completion_service.handle_completion(db, body, user_email=user_email, token_teams=token_teams)
+    except CompletionError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
 
 
 @protocol_router.post("/sampling/createMessage")
@@ -3910,10 +3912,16 @@ async def handle_sampling(request: Request, db: Session = Depends(get_db), user=
 
     Returns:
         The result of the message creation process.
+
+    Raises:
+        HTTPException: If sampling request validation fails.
     """
     logger.debug(f"User {SecurityValidator.sanitize_log_message(user['email'])} sent a sampling request")
     body = await _read_request_json(request)
-    return await sampling_handler.create_message(db, body)
+    try:
+        return await sampling_handler.create_message(db, body)
+    except SamplingError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
 
 
 ###############
@@ -10121,7 +10129,7 @@ async def _handle_rpc_authenticated(request: Request, db: Session, user):
         PluginError: If encounters issue with plugin
         PluginViolationError: If plugin violated the request. Example - In case of OPA plugin, if the request is denied by policy.
     """
-    req_id = None
+    req_id: Optional[Union[int, str]] = None
     try:
         # Extract user identifier from either RBAC user object or JWT payload
         if hasattr(user, "email"):
@@ -10143,6 +10151,22 @@ async def _handle_rpc_authenticated(request: Request, db: Session, user):
                     "id": None,
                 },
             )
+        if not isinstance(body, dict):
+            return _jsonrpc_invalid_request()
+
+        req_id = body.get("id")
+        if req_id is not None and not isinstance(req_id, (str, int)):
+            return _jsonrpc_invalid_request()
+
+        method = body.get("method")
+        params = body.get("params", {})
+        if params is None:
+            params = {}
+        jsonrpc_version = body.get("jsonrpc")
+
+        if jsonrpc_version != "2.0" or not isinstance(method, str) or not method.strip() or not isinstance(params, dict):
+            return _jsonrpc_invalid_request(req_id)
+
         request_headers = request.headers
         lowered_headers: Optional[Dict[str, str]] = None
 
@@ -10160,13 +10184,14 @@ def _lowered_request_headers() -> Dict[str, str]:
         _trusted_internal_mcp_dispatch = _get_internal_mcp_auth_context(request) is not None
         _internal_runtime_server_id = request_headers.get("x-contextforge-server-id") if request_headers.get("x-contextforge-mcp-runtime") == "rust" else None
 
-        method = body["method"]
-        req_id = body.get("id")
+        if not _trusted_internal_mcp_dispatch:
+            try:
+                RPCRequest(jsonrpc=jsonrpc_version, method=method, params=params, id=req_id)
+            except (ValidationError, ValueError):
+                return _jsonrpc_invalid_request(req_id)
+
         if req_id is None:
             req_id = str(uuid.uuid4())
-        params = body.get("params", {})
-        if not isinstance(params, dict):
-            params = {}
         if _internal_runtime_server_id:
             params["server_id"] = _internal_runtime_server_id
         server_id = params.get("server_id", None)
@@ -10202,9 +10227,6 @@ def _lowered_request_headers() -> Dict[str, str]:
         elif _token_server_id is not None:
             server_id = _token_server_id
 
-        if not _trusted_internal_mcp_dispatch:
-            RPCRequest(jsonrpc="2.0", method=method, params=params)  # Validate the request body against the RPCRequest model
-
         forwarded_response = await _maybe_forward_affinitized_rpc_request(
             request,
             method=method,
@@ -10215,6 +10237,14 @@ def _lowered_request_headers() -> Dict[str, str]:
         if forwarded_response is not None:
             return forwarded_response
 
+        if settings.use_stateful_sessions and mcp_session_id and method != "initialize":
+            try:
+                await _assert_session_owner_or_admin(request, user, mcp_session_id)
+            except HTTPException as exc:
+                if exc.status_code == status.HTTP_404_NOT_FOUND:
+                    raise JSONRPCError(-32002, "Session not found", {"method": method}) from exc
+                raise JSONRPCError(-32003, str(exc.detail), {"method": method}) from exc
+
         if method == "initialize":
             result = await _execute_rpc_initialize(
                 request,
@@ -10560,7 +10590,10 @@ def _lowered_request_headers() -> Dict[str, str]:
             result = {}
         elif method == "sampling/createMessage":
             # MCP spec-compliant sampling endpoint
-            result = await sampling_handler.create_message(db, params)
+            try:
+                result = await sampling_handler.create_message(db, params)
+            except SamplingError as e:
+                raise JSONRPCError(-32602, str(e)) from e
         elif method.startswith("sampling/"):
             # Catch-all for other sampling/* methods (currently unsupported)
             result = {}
@@ -10656,7 +10689,10 @@ def _lowered_request_headers() -> Dict[str, str]:
                 user_email = None
             elif token_teams is None:
                 token_teams = []
-            result = await completion_service.handle_completion(db, params, user_email=user_email, token_teams=token_teams)
+            try:
+                result = await completion_service.handle_completion(db, params, user_email=user_email, token_teams=token_teams)
+            except CompletionError as e:
+                raise JSONRPCError(-32602, str(e)) from e
         elif method.startswith("completion/"):
             # Catch-all for other completion/* methods (currently unsupported)
             result = {}
@@ -10722,12 +10758,10 @@ def _lowered_request_headers() -> Dict[str, str]:
         error = e.to_dict()
         return {"jsonrpc": "2.0", "error": error["error"], "id": req_id}
     except Exception as e:
-        if isinstance(e, ValueError):
-            return ORJSONResponse(content={"message": "Method invalid"}, status_code=422)
         logger.error(f"RPC error: {str(e)}")
         return {
             "jsonrpc": "2.0",
-            "error": {"code": -32000, "message": "Internal error", "data": str(e)},
+            "error": {"code": -32603, "message": "Internal error"},
             "id": req_id,
         }
 

mcpgateway/routers/oauth_router.py

@@ -412,7 +412,7 @@ async def initiate_oauth_flow(
 @oauth_router.get("/callback")
 async def oauth_callback(
     code: Annotated[str | None, Query(description="Authorization code from OAuth provider")] = None,
-    state: Annotated[str, Query(description="State parameter for CSRF protection")] = ...,
+    state: Annotated[str | None, Query(description="State parameter for CSRF protection")] = None,
     error: Annotated[str | None, Query(description="OAuth provider error code")] = None,
     error_description: Annotated[str | None, Query(description="OAuth provider error description")] = None,
     # Remove the gateway_id parameter requirement
@@ -510,6 +510,10 @@ def _invalid_state_response() -> HTMLResponse:
                 status_code=400,
             )
 
+        if not state:
+            logger.warning("OAuth callback missing state parameter")
+            return _invalid_state_response()
+
         oauth_manager = OAuthManager(token_storage=TokenStorageService(db))
         gateway_id = await oauth_manager.resolve_gateway_id_from_state(state, allow_legacy_fallback=False)
         if not gateway_id: