Description
The Authorization check for cancelRequest is different to that when calling and listing tools. Rather than checking that the user has the right role for the tool, we want to check that the request was created by the same user.
Currently we just rely on the Session ID, which should be secure since it's only revealed to the client which creates the session, but we may want to tie the session to the authenticated user and deny access to any request using that session ID but a different user.
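One way to implement the binding proposed above, as an added example rather than the project's own code: a session store records which authenticated user created each session and each request, so cancelRequest is denied both when a valid session ID is presented by a different user and when the request was created by someone else. The names (SessionStore, user_id, request_id) and the in-memory structures are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Session bound to the authenticated principal that created it (constructed example)."""
    user_id: str
    requests: dict = field(default_factory=dict)  # request_id -> user_id that issued it


class SessionStore:
    """In-memory store that ties each session ID to its authenticated user."""

    def __init__(self):
        self._sessions = {}

    def create_session(self, user_id):
        # An unguessable ID is still required; binding it to the user is the extra check.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user_id=user_id)
        return session_id

    def _session_for(self, session_id, user_id):
        session = self._sessions.get(session_id)
        if session is None:
            return None, "unknown_session"
        if session.user_id != user_id:
            # Valid session ID presented by a different authenticated user: deny.
            return None, "session_user_mismatch"
        return session, "ok"

    def register_request(self, session_id, user_id, request_id):
        session, reason = self._session_for(session_id, user_id)
        if session is None:
            return reason
        session.requests[request_id] = user_id
        return "ok"

    def cancel_request(self, session_id, user_id, request_id):
        """Cancel only if the request was created by this same user."""
        session, reason = self._session_for(session_id, user_id)
        if session is None:
            return reason
        if request_id not in session.requests:
            return "unknown_request"
        if session.requests[request_id] != user_id:
            return "request_user_mismatch"
        del session.requests[request_id]
        return "ok"
```

The request-level ownership check is the one the issue asks for; the session-to-user binding in `_session_for` is the follow-on hardening it suggests.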