fix(auth): allow cookie auth for same-origin OAuth callback fetch requests (#4868)

* fix(auth): allow cookie auth for same-origin OAuth callback fetch requests

The browser detection logic in the auth middleware only recognized
/admin referrers as same-origin UI requests. Fetch calls from the
OAuth callback page (/oauth/callback) use Accept: application/json,
causing the middleware to treat them as external API requests and
reject cookie-based authentication with a 401.

Extended the same-origin referer check to also match /oauth/callback
paths, so tool-fetching after a successful OAuth authorization flow
is no longer incorrectly blocked.

Fixes #4867

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>

* fix .secrets.baseline

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>

* fixed the pre-commit

Signed-off-by: Jitesh Nair <jiteshnair@ibm.com>

---------

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Signed-off-by: Jitesh Nair <jiteshnair@ibm.com>
Co-authored-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Co-authored-by: Jitesh Nair <jiteshnair@ibm.com>

Author: 3 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "(?x)( package-lock\\.json$ |Cargo\\.lock$ |uv\\.lock$ |go\\.sum$ |mcpgateway/sri_hashes\\.json$ )|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-06-04T10:56:44Z",
+  "generated_at": "2026-06-04T16:06:29Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

mcpgateway/admin.py

@@ -4805,13 +4805,29 @@ def _build_keycloak_logout_url(root_path: str) -> Optional[str]:
 
     # For GET requests, distinguish between browser navigation and OIDC front-channel logout
     if request.method == "GET":
-        # Check if request is from a browser (Accept: text/html, HX-Request header, or admin referer)
+        # Check if request is from a browser (Accept: text/html, HX-Request header, or same-origin admin/oauth referer)
         # Detection must match auth_middleware.py and rbac.py patterns to ensure consistent behavior
         # Browser navigation should redirect to login, OIDC callbacks should return 200 OK
         accept_header = request.headers.get("accept", "")
         is_htmx = request.headers.get("hx-request") == "true"
         referer = request.headers.get("referer", "")
-        is_browser_request = "text/html" in accept_header or is_htmx or "/admin" in referer
+
+        # Check if referer is from same origin (for admin UI and OAuth callback pages)
+        is_same_origin_referer = False
+        if referer:
+            try:
+                # Standard
+                from urllib.parse import urlparse
+
+                referer_parsed = urlparse(referer)
+                request_host = request.headers.get("host", "")
+                # Match if referer host matches request host and path contains /admin or /oauth/callback
+                if referer_parsed.netloc == request_host and ("/admin" in referer_parsed.path or "/oauth/callback" in referer_parsed.path):
+                    is_same_origin_referer = True
+            except Exception:
+                pass  # Invalid referer URL, treat as not same-origin
+
+        is_browser_request = "text/html" in accept_header or is_htmx or is_same_origin_referer
 
         if is_browser_request:
             # Browser navigation - redirect to login (cookies cleared below)

mcpgateway/middleware/auth_middleware.py

@@ -271,11 +271,27 @@ async def dispatch(self, request: Request, call_next: Callable) -> Response:
                 # without user context so the RBAC layer can redirect to /admin/login.
                 # API requests: return a hard JSON 401/403 deny.
                 # Detection must match rbac.py's is_browser_request logic (Accept,
-                # HX-Request, and Referer: /admin) to avoid breaking admin UI flows.
+                # HX-Request, and same-origin Referer: /admin or /oauth/callback) to avoid breaking admin UI flows.
                 accept_header = request.headers.get("accept", "")
                 is_htmx = request.headers.get("hx-request") == "true"
                 referer = request.headers.get("referer", "")
-                is_browser = "text/html" in accept_header or is_htmx or "/admin" in referer
+
+                # Check if referer is from same origin (for admin UI and OAuth callback pages)
+                is_same_origin_referer = False
+                if referer:
+                    try:
+                        # Standard
+                        from urllib.parse import urlparse
+
+                        referer_parsed = urlparse(referer)
+                        request_host = request.headers.get("host", "")
+                        # Match if referer host matches request host and path contains /admin or /oauth/callback
+                        if referer_parsed.netloc == request_host and ("/admin" in referer_parsed.path or "/oauth/callback" in referer_parsed.path):
+                            is_same_origin_referer = True
+                    except Exception:
+                        pass  # Invalid referer URL, treat as not same-origin
+
+                is_browser = "text/html" in accept_header or is_htmx or is_same_origin_referer
                 if is_browser:
                     logger.debug("Browser request with rejected auth — continuing without user for redirect")
                     return await call_next(request)

mcpgateway/middleware/rbac.py

@@ -351,11 +351,26 @@ def _set_trace_context_for_identity(*, email: Optional[str], is_admin: bool, aut
     accept_header = request.headers.get("accept", "")
     is_htmx = request.headers.get("hx-request") == "true"
     referer = request.headers.get("referer", "")
-    is_admin_ui_request = "/admin" in referer
-    is_browser_request = "text/html" in accept_header or is_htmx or is_admin_ui_request
+
+    # Check if referer is from same origin (for admin UI and OAuth callback pages)
+    is_same_origin_referer = False
+    if referer:
+        try:
+            # Standard
+            from urllib.parse import urlparse
+
+            referer_parsed = urlparse(referer)
+            request_host = request.headers.get("host", "")
+            # Match if referer host matches request host and path contains /admin or /oauth/callback
+            if referer_parsed.netloc == request_host and ("/admin" in referer_parsed.path or "/oauth/callback" in referer_parsed.path):
+                is_same_origin_referer = True
+        except Exception:
+            pass  # Invalid referer URL, treat as not same-origin
+
+    is_browser_request = "text/html" in accept_header or is_htmx or is_same_origin_referer
 
     # SECURITY: Reject cookie-only authentication for API requests
-    # Cookies should only be used for browser/HTML requests (including admin UI fetch calls)
+    # Cookies should only be used for browser/HTML requests (including admin UI and OAuth callback fetch calls)
     if token_from_cookie and not is_browser_request:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,

tests/unit/mcpgateway/middleware/test_auth_middleware.py

@@ -48,6 +48,59 @@ async def test_no_token_continues(monkeypatch):
     assert "user" not in request.state.__dict__
 
 
+@pytest.mark.asyncio
+async def test_invalid_referer_url_treated_as_api_request():
+    """Invalid referer URL that causes urlparse exception should be treated as not same-origin and trigger hard deny for cookie auth."""
+    from fastapi import HTTPException
+
+    middleware = AuthContextMiddleware(app=AsyncMock())
+    call_next = AsyncMock(return_value=Response("ok"))
+    request = MagicMock(spec=Request)
+    request.url.path = "/api/data"
+    request.cookies = {"jwt_token": "invalid_token"}
+    request.headers = {
+        "accept": "application/json",
+        "referer": "http://example.com/admin",  # Valid URL but will be mocked to raise exception
+        "host": "localhost:4444"
+    }
+    request.client = MagicMock()
+    request.client.host = "127.0.0.1"
+
+    # Mock urlparse to raise an exception to test exception handling (lines 289-290)
+    # Mock get_current_user to raise a hard-deny exception (simulating revoked token)
+    with patch("urllib.parse.urlparse", side_effect=ValueError("Invalid URL")):
+        with patch("mcpgateway.middleware.auth_middleware.get_current_user", side_effect=HTTPException(status_code=401, detail="Token has been revoked")):
+            response = await middleware.dispatch(request, call_next)
+            # Should return hard deny (401) because exception means not a browser request
+            assert response.status_code == 401
+            assert "Token has been revoked" in response.body.decode()
+
+@pytest.mark.asyncio
+async def test_oauth_callback_referer_allows_browser_continuation():
+    """OAuth callback referer should be treated as same-origin and allow browser request to continue."""
+    from fastapi import HTTPException
+
+    middleware = AuthContextMiddleware(app=AsyncMock())
+    call_next = AsyncMock(return_value=Response("ok"))
+    request = MagicMock(spec=Request)
+    request.url.path = "/api/data"
+    request.cookies = {"jwt_token": "invalid_token"}
+    request.headers = {
+        "accept": "application/json",
+        "referer": "http://localhost:4444/oauth/callback?code=abc123",
+        "host": "localhost:4444"
+    }
+    request.client = MagicMock()
+    request.client.host = "127.0.0.1"
+
+    # Mock get_current_user to raise a hard-deny exception (simulating revoked token)
+    with patch("mcpgateway.middleware.auth_middleware.get_current_user", side_effect=HTTPException(status_code=401, detail="Token has been revoked")):
+        response = await middleware.dispatch(request, call_next)
+        # Should continue to call_next (browser request) instead of returning hard deny
+        call_next.assert_awaited_once_with(request)
+        assert response.status_code == 200
+
+
 @pytest.mark.asyncio
 async def test_token_from_cookie(monkeypatch):
     """Token extracted from cookie triggers authentication."""

tests/unit/mcpgateway/middleware/test_rbac.py

@@ -114,7 +114,7 @@ async def test_cookie_auth_allowed_with_admin_referer():
     """/admin referer marks the request as a browser/UI request; cookie auth must be accepted."""
     mock_request = MagicMock(spec=Request)
     mock_request.cookies = {"jwt_token": "token123"}
-    mock_request.headers = {"accept": "application/json", "referer": "http://localhost:4444/admin#gateways"}
+    mock_request.headers = {"accept": "application/json", "referer": "http://localhost:4444/admin#gateways", "host": "localhost:4444"}
     mock_request.client = MagicMock()
     mock_request.client.host = "127.0.0.1"
     mock_request.state = MagicMock(auth_method="jwt", request_id="req-admin", token_teams=["team-1"])
@@ -141,6 +141,34 @@ async def test_cookie_auth_allowed_with_accept_text_html():
     assert result["email"] == "user@example.com"
 
 
+@pytest.mark.asyncio
+async def test_cookie_auth_allowed_with_oauth_callback_referer():
+    """OAuth callback referer with Accept: application/json must be treated as a browser request.
+
+    This test covers the scenario where the OAuth callback success page makes a fetch
+    request to /oauth/fetch-tools with Accept: application/json. The referer header
+    indicates it's from the OAuth callback page, so cookie authentication should be allowed.
+
+    Regression test for issue where OAuth tool fetching failed after PR #2680 added
+    cookie authentication restrictions for API requests.
+    """
+    mock_request = MagicMock(spec=Request)
+    mock_request.cookies = {"jwt_token": "token123"}
+    mock_request.headers = {
+        "accept": "application/json",
+        "referer": "http://localhost:4444/oauth/callback?code=abc&state=xyz",
+        "host": "localhost:4444"
+    }
+    mock_request.client = MagicMock()
+    mock_request.client.host = "127.0.0.1"
+    mock_request.state = MagicMock(auth_method="jwt", request_id="req-oauth-fetch", token_teams=["team-1"])
+
+    mock_user = MagicMock(email="user@example.com", full_name="User", is_admin=False)
+    with patch("mcpgateway.auth.validate_token_user", return_value=mock_user):
+        result = await rbac.get_current_user_with_permissions(mock_request, credentials=None, jwt_token="token123")
+    assert result["email"] == "user@example.com"
+
+
 @pytest.mark.asyncio
 async def test_cookie_auth_rejected_with_cross_origin_oauth_referer():
     """Cross-origin /oauth/ referer without browser headers must NOT grant cookie auth."""
@@ -156,6 +184,30 @@ async def test_cookie_auth_rejected_with_cross_origin_oauth_referer():
     assert exc.value.status_code == status.HTTP_401_UNAUTHORIZED
     assert "Cookie authentication not allowed" in exc.value.detail
 
+@pytest.mark.asyncio
+async def test_cookie_auth_rejected_with_invalid_referer_url():
+    """Invalid referer URL that causes urlparse exception should be treated as not same-origin and reject cookie auth."""
+    from unittest.mock import patch
+
+    mock_request = MagicMock(spec=Request)
+    mock_request.cookies = {"jwt_token": "token123"}
+    mock_request.headers = {
+        "accept": "application/json",
+        "referer": "http://example.com/admin",  # Valid URL but will be mocked to raise exception
+        "host": "localhost:4444"
+    }
+    mock_request.client = MagicMock()
+    mock_request.client.host = "127.0.0.1"
+    mock_request.state = MagicMock(auth_method="jwt", request_id="req-invalid")
+
+    # Mock urlparse to raise an exception to test exception handling
+    with patch("urllib.parse.urlparse", side_effect=ValueError("Invalid URL")):
+        with pytest.raises(HTTPException) as exc:
+            await rbac.get_current_user_with_permissions(mock_request, credentials=None, jwt_token=None)
+        assert exc.value.status_code == status.HTTP_401_UNAUTHORIZED
+        assert "Cookie authentication not allowed" in exc.value.detail
+
+
 
 @pytest.mark.asyncio
 async def test_cookie_auth_rejected_with_unrelated_referer():

tests/unit/mcpgateway/test_admin_module.py

@@ -507,7 +507,7 @@ async def test_admin_logout_paths():
     # GET request with admin referer should redirect to login
     get_referer_request = _make_request(root_path="/root")
     get_referer_request.method = "GET"
-    get_referer_request.headers = {"accept": "application/json", "referer": "http://localhost:4444/admin/users"}
+    get_referer_request.headers = {"accept": "application/json", "referer": "http://localhost:4444/admin/users", "host": "localhost:4444"}
     response = await admin._admin_logout(get_referer_request)
     assert isinstance(response, RedirectResponse)
     assert response.status_code == 303