fix: handle root_path in MCPPathRewriteMiddleware for reverse proxy deployments (#4217)

* fix: handle root_path in MCPPathRewriteMiddleware for reverse proxy deployments

Fixes #4215

The /servers/{id}/mcp endpoint was returning 404 in reverse proxy
deployments with path prefixes because MCPPathRewriteMiddleware
checked original_path without stripping the root_path prefix.

- Extract root_path from scope or settings before pattern matching
- Strip root_path to get app-relative path for /servers/ detection
- Preserve root_path when rewriting to /mcp/
- Add 8 unit tests covering prefix scenarios and security checks

Pattern follows streamablehttp_transport.py:831 and token_scoping.py:354

Signed-off-by: Mohan Lakshmaiah <mohan.economist@gmail.com>

* refactor: use _normalize_scope_path in MCPPathRewriteMiddleware

Replace inline root_path stripping with existing _normalize_scope_path()
which provides full-segment boundary checks and root_path="/" safety.

Closes #4215

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Update .secrets.baseline

Signed-off-by: Brian Hussey <brian.hussey@ie.ibm.com>

---------

Signed-off-by: Mohan Lakshmaiah <mohan.economist@gmail.com>
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
Signed-off-by: Brian Hussey <brian.hussey@ie.ibm.com>
Co-authored-by: Madhav Kandukuri <madhav165@gmail.com>
Co-authored-by: Brian Hussey <brian.hussey@ie.ibm.com>

Author: 3 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|go.sum|mcpgateway/sri_hashes.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-15T13:04:45Z",
+  "generated_at": "2026-04-15T14:38:50Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

mcpgateway/main.py

@@ -1434,9 +1434,7 @@ def jsonpath_modifier(data: Any, jsonpath: str = "$[*]", mappings: Optional[Dict
     # Log jsonpath_modifier invocation with structured data (only if debug enabled)
     if logger.isEnabledFor(logging.DEBUG):
         data_length = len(data) if isinstance(data, list) else None
-        logger.debug(
-            f"jsonpath_modifier: path='{SecurityValidator.sanitize_log_message(jsonpath)}', has_mappings={mappings is not None}, " f"data_type={type(data).__name__}, data_length={data_length}"
-        )
+        logger.debug(f"jsonpath_modifier: path='{SecurityValidator.sanitize_log_message(jsonpath)}', has_mappings={mappings is not None}, data_type={type(data).__name__}, data_length={data_length}")
 
     try:
         main_expr: JSONPath = _parse_jsonpath(jsonpath)
@@ -3005,20 +3003,27 @@ async def _call_streamable_http(self, scope, receive, send):
         original_path = scope.get("path", "")
         scope["modified_path"] = original_path
 
+        # Strip root_path prefix before pattern matching.
+        # In reverse proxy deployments, scope["path"] may contain the full path
+        # including the proxy prefix (e.g., "/dev/mcp-gateway/service/gateway/servers/123/mcp").
+        # We need to strip this prefix to correctly match the /servers/ pattern.
+        root_path = (scope.get("root_path") or settings.app_root_path or "").rstrip("/")
+        app_path = _normalize_scope_path(original_path, root_path)
+
         # Skip rewriting for well-known URIs (RFC 9728 OAuth metadata, etc.)
         # These paths may end with /mcp but should not be rewritten to the MCP transport
-        if not original_path.startswith("/.well-known/"):
-            if (original_path.endswith("/mcp") and original_path != "/mcp") or (original_path.endswith("/mcp/") and original_path != "/mcp/"):
+        if not app_path.startswith("/.well-known/"):
+            if (app_path.endswith("/mcp") and app_path != "/mcp") or (app_path.endswith("/mcp/") and app_path != "/mcp/"):
                 # SECURITY: Only rewrite recognised MCP paths — /servers/{id}/mcp.
                 # Arbitrary prefixes (e.g. /foo/mcp) must NOT be rewritten to
                 # /mcp/ as that would expose the global MCP transport under
                 # undocumented aliases, broadening the externally reachable
                 # route surface.
-                if original_path.startswith("/servers/"):
+                if app_path.startswith("/servers/"):
                     # Validate that a non-empty server_id segment is present.
                     # Without this check, paths like /servers//mcp (empty ID)
                     # would be rewritten and silently fall through (#3891).
-                    _srv_match = re.match(r"/servers/([^/]+)/mcp", original_path)
+                    _srv_match = re.match(r"/servers/([^/]+)/mcp", app_path)
                     if not _srv_match:
                         response = ORJSONResponse({"detail": "Invalid server identifier"}, status_code=404)
                         await response(scope, receive, send)
@@ -3028,7 +3033,8 @@ async def _call_streamable_http(self, scope, receive, send):
                     await self.application(scope, receive, send)
                     return
                 # Rewrite to /mcp/ and continue through middleware (lets CORSMiddleware handle preflight)
-                scope["path"] = "/mcp/"
+                # Preserve root_path prefix when rewriting
+                scope["path"] = f"{root_path}/mcp/" if root_path else "/mcp/"
                 await self.application(scope, receive, send)
                 return
         await self.application(scope, receive, send)

tests/unit/mcpgateway/test_main_extended.py

@@ -2833,6 +2833,162 @@ async def send(msg):
         # ORJSONResponse sends http.response.start + http.response.body
         assert any(m.get("status") == 404 for m in sent if m.get("type") == "http.response.start")
 
+    @pytest.mark.asyncio
+    async def test_rewrite_servers_mcp_with_root_path_in_scope(self):
+        """Documented pattern works when root_path is set in scope."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/gateway/servers/123/mcp",
+            "root_path": "/gateway",
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, send)
+
+        assert scope["path"] == "/gateway/mcp/"  # Rewritten with prefix preserved
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_rewrite_servers_mcp_with_multilevel_prefix(self):
+        """Handle complex multi-level prefixes."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/dev/mcp-gateway/service/gateway/servers/123/mcp",
+            "root_path": "/dev/mcp-gateway/service/gateway",
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, send)
+
+        assert scope["path"] == "/dev/mcp-gateway/service/gateway/mcp/"
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_rewrite_servers_mcp_with_prefix_in_path_no_scope_root(self):
+        """Handle prefix in path when scope['root_path'] is empty but APP_ROOT_PATH is set."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/gateway/servers/123/mcp",
+            "root_path": "",  # Not set in scope
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch('mcpgateway.config.settings.app_root_path', '/gateway'):
+            with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+                await middleware._call_streamable_http(scope, receive, send)
+
+        assert scope["path"] == "/gateway/mcp/"
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_workaround_mcp_servers_passes_through(self):
+        """Undocumented workaround /mcp/servers/{id} passes through without rewrite."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {"type": "http", "path": "/mcp/servers/123", "headers": []}
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, send)
+
+        assert scope["path"] == "/mcp/servers/123"  # NOT rewritten
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_workaround_mcp_servers_with_prefix(self):
+        """Workaround /mcp/servers/{id} with prefix passes through."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/gateway/mcp/servers/123",
+            "root_path": "/gateway",
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, send)
+
+        assert scope["path"] == "/gateway/mcp/servers/123"  # NOT rewritten
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_security_arbitrary_prefix_not_rewritten(self):
+        """PR #3892 security: Arbitrary paths ending with /mcp are NOT rewritten."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/arbitrary/prefix/mcp",
+            "root_path": "",
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, send)
+
+        # Should pass through WITHOUT rewrite (security check)
+        assert scope["path"] == "/arbitrary/prefix/mcp"
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_security_arbitrary_prefix_with_root_path(self):
+        """Security: Arbitrary paths rejected even with root_path."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/gateway/arbitrary/prefix/mcp",
+            "root_path": "/gateway",
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, send)
+
+        # After stripping root_path, path is "/arbitrary/prefix/mcp"
+        # Should pass through WITHOUT rewrite
+        assert scope["path"] == "/gateway/arbitrary/prefix/mcp"
+        app_mock.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_security_empty_server_id_with_prefix_rejected(self):
+        """Security: Empty server ID with prefix is rejected."""
+        app_mock = AsyncMock()
+        middleware = MCPPathRewriteMiddleware(app_mock)
+        scope = {
+            "type": "http",
+            "path": "/gateway/servers//mcp",
+            "root_path": "/gateway",
+            "headers": []
+        }
+        receive, send = AsyncMock(), AsyncMock()
+        sent = []
+
+        async def mock_send(msg):
+            sent.append(msg)
+
+        with patch("mcpgateway.main.streamable_http_auth", return_value=True):
+            await middleware._call_streamable_http(scope, receive, mock_send)
+
+        app_mock.assert_not_called()
+        # ORJSONResponse sends http.response.start + http.response.body
+        assert any(m.get("status") == 404 for m in sent if m.get("type") == "http.response.start")
+
 
 class TestServerEndpointCoverage:
     """Exercise server endpoints and SSE coverage."""