fix(auth): only hard-deny revocation/disabled 401s, not all auth failures

crivetimihai · crivetimihai · commit 4a74b098a8c3 · 2026-03-06T08:43:30.000Z
The auth middleware was hard-denying ALL 401/403 HTTPExceptions, which
broke registration scripts and other callers using minimal JWT claims
(no user/teams/token_use). These previously fell through to route-level
auth handlers.

Narrow the hard-deny to only security-critical rejections: "Token has
been revoked", "Account disabled", and "Token validation failed". All
other 401/403s continue as anonymous for route-level handling.

Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
diff --git a/mcpgateway/middleware/auth_middleware.py b/mcpgateway/middleware/auth_middleware.py
@@ -146,10 +146,13 @@ async def dispatch(self, request: Request, call_next: Callable) -> Response:
                         logger.debug(f"Failed to close database session: {close_error}")
 
         except HTTPException as e:
-            if e.status_code in (401, 403):
-                # Security-critical rejections (revoked tokens, disabled accounts) must NOT
-                # be swallowed — propagate as a hard deny so revoked/expired tokens cannot
-                # fall through to public-access endpoints.
+            # Only hard-deny for security-critical rejections (revoked tokens,
+            # disabled accounts).  Other 401s (e.g. malformed tokens, missing
+            # claims) fall through so route-level auth can handle them — this
+            # preserves backwards compatibility with registration scripts and
+            # other callers that use minimal JWT claims.
+            _HARD_DENY_DETAILS = frozenset({"Token has been revoked", "Account disabled", "Token validation failed"})
+            if e.status_code in (401, 403) and e.detail in _HARD_DENY_DETAILS:
                 logger.info(f"✗ Auth rejected ({e.status_code}): {e.detail}")
 
                 if log_failure:
diff --git a/tests/unit/mcpgateway/middleware/test_auth_middleware.py b/tests/unit/mcpgateway/middleware/test_auth_middleware.py
@@ -344,7 +344,7 @@ async def test_http_403_returns_json_deny_for_api_request():
 
     with patch("mcpgateway.middleware.auth_middleware._should_log_auth_success", return_value=False), \
          patch("mcpgateway.middleware.auth_middleware._should_log_auth_failure", return_value=False), \
-         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=403, detail="Forbidden"))):
+         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=403, detail="Account disabled"))):
         response = await middleware.dispatch(request, call_next)
 
     assert response.status_code == 403
@@ -427,7 +427,7 @@ async def test_http_401_logging_db_error_handled():
          patch("mcpgateway.middleware.auth_middleware._should_log_auth_failure", return_value=True), \
          patch("mcpgateway.middleware.auth_middleware.SessionLocal", return_value=mock_db), \
          patch("mcpgateway.middleware.auth_middleware.security_logger", mock_security_logger), \
-         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Revoked"))):
+         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Token has been revoked"))):
         response = await middleware.dispatch(request, call_next)
 
     # Should still return 401 despite logging failure
@@ -457,7 +457,7 @@ async def test_http_401_logging_db_close_error_handled():
          patch("mcpgateway.middleware.auth_middleware._should_log_auth_failure", return_value=True), \
          patch("mcpgateway.middleware.auth_middleware.SessionLocal", return_value=mock_db), \
          patch("mcpgateway.middleware.auth_middleware.security_logger", mock_security_logger), \
-         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Revoked"))):
+         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Token has been revoked"))):
         response = await middleware.dispatch(request, call_next)
 
     assert response.status_code == 401
@@ -487,6 +487,30 @@ async def test_non_401_403_http_exception_continues_as_anonymous():
     assert response.status_code == 200
 
 
+@pytest.mark.asyncio
+async def test_non_revocation_401_falls_through_as_anonymous():
+    """Non-revocation 401 (e.g. malformed token) continues as anonymous for route-level auth."""
+    from fastapi import HTTPException
+
+    middleware = AuthContextMiddleware(app=AsyncMock())
+    call_next = AsyncMock(return_value=Response("ok"))
+    request = MagicMock(spec=Request)
+    request.url.path = "/api/tools"
+    request.cookies = {"jwt_token": "minimal_jwt"}
+    request.headers = {"accept": "application/json"}
+    request.client = MagicMock()
+    request.client.host = "127.0.0.1"
+
+    with patch("mcpgateway.middleware.auth_middleware._should_log_auth_success", return_value=False), \
+         patch("mcpgateway.middleware.auth_middleware._should_log_auth_failure", return_value=False), \
+         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Invalid authentication credentials"))):
+        response = await middleware.dispatch(request, call_next)
+
+    # Non-revocation 401 should fall through, not hard-deny
+    call_next.assert_awaited_once_with(request)
+    assert response.status_code == 200
+
+
 @pytest.mark.asyncio
 async def test_http_401_referer_admin_continues_for_redirect():
     """HTTPException 401 with Referer: /admin continues for RBAC redirect (not JSON deny)."""
@@ -527,7 +551,7 @@ async def test_http_401_json_deny_includes_security_headers():
 
     with patch("mcpgateway.middleware.auth_middleware._should_log_auth_success", return_value=False), \
          patch("mcpgateway.middleware.auth_middleware._should_log_auth_failure", return_value=False), \
-         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Revoked"))):
+         patch("mcpgateway.middleware.auth_middleware.get_current_user", AsyncMock(side_effect=HTTPException(status_code=401, detail="Token has been revoked"))):
         response = await middleware.dispatch(request, call_next)
 
     assert response.status_code == 401
