fix(auth): use module-local async get_db() in _set_proxy_user_context

jonpspri · jonpspri · commit d6224d490117 · 2026-04-25T09:32:36.000+01:00
Resolves pylint W0621 (redefined-outer-name): the function shadowed the
module-local async get_db() at :721 with a local import of
mcpgateway.db.get_db. Switched to the existing async context manager,
which also provides proper cancellation handling for MCP long-lived
connections and removes the explicit try/finally/db.close() boilerplate
(addresses review note M4).

Signed-off-by: Jonathan Springer &lt;jps@s390x.com&gt;
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "(?x)( package-lock\\.json$ |Cargo\\.lock$ |uv\\.lock$ |go\\.sum$ |mcpgateway/sri_hashes\\.json$ )|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-24T21:03:53Z",
+  "generated_at": "2026-04-25T08:30:54Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -5456,7 +5456,7 @@
         "hashed_secret": "a4b48a81cdab1e1a5dd37907d6c85ca1c61ddc7c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 572,
+        "line_number": 681,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -9530,15 +9530,15 @@
         "hashed_secret": "b4c9248600a42f8c38c01b632f392dbcb4c7b19a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 12937,
+        "line_number": 13105,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "90bd1b48e958257948487b90bee080ba5ed00caa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 14112,
+        "line_number": 14280,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
diff --git a/mcpgateway/transports/streamablehttp_transport.py b/mcpgateway/transports/streamablehttp_transport.py
@@ -4550,11 +4550,12 @@ async def _set_proxy_user_context(proxy_user: str) -> dict[str, Any] | None:
     """
     # First-Party
     from mcpgateway.auth import _resolve_teams_from_db  # pylint: disable=import-outside-toplevel
-    from mcpgateway.db import get_db  # pylint: disable=import-outside-toplevel
     from mcpgateway.services.email_auth_service import EmailAuthService  # pylint: disable=import-outside-toplevel
 
-    db = next(get_db())
-    try:
+    # Use the module-local async get_db() context manager (line 721) rather than
+    # mcpgateway.db.get_db: it provides proper cancellation handling for MCP
+    # handlers cancelled mid-auth (client disconnect, timeout).
+    async with get_db() as db:
         auth_service = EmailAuthService(db)
         user_info = await auth_service.get_user_by_email(proxy_user)
 
@@ -4590,8 +4591,6 @@ async def _set_proxy_user_context(proxy_user: str) -> dict[str, Any] | None:
         # pre-authentication contract of set_trace_context_from_teams.
         set_trace_context_from_teams(token_teams or [], user_email=proxy_user, is_admin=is_admin, auth_method="proxy")
         return None
-    finally:
-        db.close()
 
 
 def get_streamable_http_auth_context() -> dict[str, Any]:
diff --git a/tests/unit/mcpgateway/transports/test_streamablehttp_transport.py b/tests/unit/mcpgateway/transports/test_streamablehttp_transport.py
@@ -4893,11 +4893,11 @@ async def send(msg):
     mock_user.is_active = True
     mock_user.email = "proxy_user@example.com"
 
-    with patch("mcpgateway.db.get_db") as mock_get_db, patch(
-        "mcpgateway.services.email_auth_service.EmailAuthService"
-    ) as mock_auth_service, patch(
-        "mcpgateway.auth._resolve_teams_from_db", new_callable=AsyncMock
-    ) as mock_resolve_teams:
+    with (
+        patch("mcpgateway.db.get_db") as mock_get_db,
+        patch("mcpgateway.services.email_auth_service.EmailAuthService") as mock_auth_service,
+        patch("mcpgateway.auth._resolve_teams_from_db", new_callable=AsyncMock) as mock_resolve_teams,
+    ):
         mock_get_db.return_value = iter([Mock()])
         mock_auth_service.return_value.get_user_by_email = AsyncMock(return_value=mock_user)
         mock_resolve_teams.return_value = []
@@ -4944,11 +4944,11 @@ async def send(msg):
     mock_user.is_active = True
     mock_user.email = "proxy_fallback@example.com"
 
-    with patch("mcpgateway.db.get_db") as mock_get_db, patch(
-        "mcpgateway.services.email_auth_service.EmailAuthService"
-    ) as mock_auth_service, patch(
-        "mcpgateway.auth._resolve_teams_from_db", new_callable=AsyncMock
-    ) as mock_resolve_teams:
+    with (
+        patch("mcpgateway.db.get_db") as mock_get_db,
+        patch("mcpgateway.services.email_auth_service.EmailAuthService") as mock_auth_service,
+        patch("mcpgateway.auth._resolve_teams_from_db", new_callable=AsyncMock) as mock_resolve_teams,
+    ):
         mock_get_db.return_value = iter([Mock()])
         mock_auth_service.return_value.get_user_by_email = AsyncMock(return_value=mock_user)
         mock_resolve_teams.return_value = []
@@ -4964,6 +4964,129 @@ async def send(msg):
     assert user_ctx["is_admin"] is False
 
 
+# ---------------------------------------------------------------------------
+# Proxy auth: disabled user rejected via _set_proxy_user_context (line 4567, 4727)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_streamable_http_auth_proxy_rejects_disabled_user(monkeypatch):
+    """Disabled user gets 401 'Account disabled' through proxy auth (lines 4567, 4727)."""
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.mcp_client_auth_enabled", False)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.trust_proxy_auth", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.trust_proxy_auth_dangerously", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.proxy_user_header", "x-forwarded-user")
+
+    scope = _make_scope(
+        "/servers/1/mcp",
+        headers=[
+            (b"x-forwarded-user", b"disabled@example.com"),
+        ],
+    )
+    sent = []
+
+    async def send(msg):
+        sent.append(msg)
+
+    mock_user = Mock()
+    mock_user.is_admin = True
+    mock_user.is_active = False
+    mock_user.email = "disabled@example.com"
+
+    with patch("mcpgateway.db.get_db") as mock_get_db, patch("mcpgateway.services.email_auth_service.EmailAuthService") as mock_auth_service:
+        mock_get_db.return_value = iter([Mock()])
+        mock_auth_service.return_value.get_user_by_email = AsyncMock(return_value=mock_user)
+
+        result = await streamable_http_auth(scope, None, send)
+
+    assert result is False
+    starts = [m for m in sent if m.get("type") == "http.response.start"]
+    assert starts and starts[0]["status"] == 401
+    bodies = [m for m in sent if m.get("type") == "http.response.body"]
+    assert bodies and b"Account disabled" in bodies[0]["body"]
+
+
+# ---------------------------------------------------------------------------
+# Proxy auth: admin bypass when user not in DB (lines 4572-4575)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_streamable_http_auth_proxy_admin_bypass_no_db_record(monkeypatch):
+    """Platform admin email gets admin bypass when not in DB and require_user_in_db=False (lines 4572-4575)."""
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.mcp_client_auth_enabled", False)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.trust_proxy_auth", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.trust_proxy_auth_dangerously", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.proxy_user_header", "x-forwarded-user")
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.require_user_in_db", False)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.platform_admin_email", "admin@example.com")
+
+    scope = _make_scope(
+        "/servers/1/mcp",
+        headers=[
+            (b"x-forwarded-user", b"admin@example.com"),
+        ],
+    )
+    sent = []
+
+    async def send(msg):
+        sent.append(msg)
+
+    with patch("mcpgateway.db.get_db") as mock_get_db, patch("mcpgateway.services.email_auth_service.EmailAuthService") as mock_auth_service:
+        mock_get_db.return_value = iter([Mock()])
+        mock_auth_service.return_value.get_user_by_email = AsyncMock(return_value=None)
+
+        result = await streamable_http_auth(scope, None, send)
+
+    assert result is True
+    assert sent == []
+
+    user_ctx = tr.user_context_var.get()
+    assert user_ctx["email"] == "admin@example.com"
+    assert user_ctx["teams"] is None
+    assert user_ctx["is_admin"] is True
+    assert user_ctx["auth_method"] == "proxy"
+
+
+# ---------------------------------------------------------------------------
+# Proxy auth: unknown user rejected (line 4577, 4727)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_streamable_http_auth_proxy_rejects_unknown_user(monkeypatch):
+    """Unknown user (not in DB, not platform admin) gets 401 'User not found' (lines 4577, 4727)."""
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.mcp_client_auth_enabled", False)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.trust_proxy_auth", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.trust_proxy_auth_dangerously", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.proxy_user_header", "x-forwarded-user")
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.require_user_in_db", True)
+    monkeypatch.setattr("mcpgateway.transports.streamablehttp_transport.settings.platform_admin_email", "admin@example.com")
+
+    scope = _make_scope(
+        "/servers/1/mcp",
+        headers=[
+            (b"x-forwarded-user", b"unknown@example.com"),
+        ],
+    )
+    sent = []
+
+    async def send(msg):
+        sent.append(msg)
+
+    with patch("mcpgateway.db.get_db") as mock_get_db, patch("mcpgateway.services.email_auth_service.EmailAuthService") as mock_auth_service:
+        mock_get_db.return_value = iter([Mock()])
+        mock_auth_service.return_value.get_user_by_email = AsyncMock(return_value=None)
+
+        result = await streamable_http_auth(scope, None, send)
+
+    assert result is False
+    starts = [m for m in sent if m.get("type") == "http.response.start"]
+    assert starts and starts[0]["status"] == 401
+    bodies = [m for m in sent if m.get("type") == "http.response.body"]
+    assert bodies and b"User not found in database" in bodies[0]["body"]
+
+
 @pytest.mark.asyncio
 async def test_streamable_http_auth_proxy_user_context_on_valid_jwt(monkeypatch):
     """Proxy auth takes precedence even when a valid JWT Bearer header is present."""
@@ -4995,11 +5118,11 @@ async def send(msg):
     mock_user.is_active = True
     mock_user.email = "proxy_user@example.com"
 
-    with patch("mcpgateway.db.get_db") as mock_get_db, patch(
-        "mcpgateway.services.email_auth_service.EmailAuthService"
-    ) as mock_auth_service, patch(
-        "mcpgateway.auth._resolve_teams_from_db", new_callable=AsyncMock
-    ) as mock_resolve_teams:
+    with (
+        patch("mcpgateway.db.get_db") as mock_get_db,
+        patch("mcpgateway.services.email_auth_service.EmailAuthService") as mock_auth_service,
+        patch("mcpgateway.auth._resolve_teams_from_db", new_callable=AsyncMock) as mock_resolve_teams,
+    ):
         mock_get_db.return_value = iter([Mock()])
         mock_auth_service.return_value.get_user_by_email = AsyncMock(return_value=mock_user)
         mock_resolve_teams.return_value = []
