DX-120403 Log auth 401s in transport middleware

aniket-s-kulkarni · aniket-s-kulkarni · commit df28ae21cea2 · 2026-05-08T16:41:48.000-04:00
diff --git a/src/dremioai/servers/mcp.py b/src/dremioai/servers/mcp.py
@@ -299,18 +299,19 @@ def streamable_http_app(self):
         else:
             token_verifier = FastMCPServerWithAuthToken.DelegatingTokenVerifier()
         app = super().streamable_http_app()
-        app.add_middleware(MCPTransportLoggingMiddleware)
         app.add_middleware(RequireAuthWithWWWAuthenticateMiddleware)
         app.add_middleware(AuthContextMiddleware)
         app.add_middleware(
             AuthenticationMiddleware, backend=BearerAuthBackend(token_verifier)
         )
-        # Add middleware in reverse order (last added = first executed)
+        # Starlette inserts middleware at the front, so the last added middleware
+        # runs first. Keep transport logging outermost so it observes auth 401s.
         if self.support_project_id_endpoints:
             # this means, dynamically allow endpoints
             # like ../mcp/{project_id}/..  and extract that project id as
             # context var
             app.add_middleware(ProjectIdMiddleware)
+        app.add_middleware(MCPTransportLoggingMiddleware)
 
         # Metrics are now served on a separate port, not mounted here
         return app
diff --git a/tests/servers/test_jwks_verifier.py b/tests/servers/test_jwks_verifier.py
@@ -23,6 +23,7 @@
 import structlog
 from unittest.mock import patch, MagicMock, AsyncMock
 
+import httpx
 import jwt as pyjwt
 from jwt import PyJWKClient, PyJWKClientError, ExpiredSignatureError
 from mcp.server.lowlevel.server import request_ctx
@@ -423,6 +424,34 @@ def test_streamable_http_transport_is_stateless(self):
 
         assert mcp.settings.stateless_http is True
 
+    @pytest.mark.asyncio
+    async def test_transport_logging_wraps_unauthorized_responses(self, caplog):
+        with patch("dremioai.servers.mcp.tools.get_tools", return_value=[]), patch(
+            "dremioai.servers.mcp.tools.get_resources", return_value=[]
+        ):
+            mcp = init(
+                mode=None,
+                transport=Transports.streamable_http,
+                host="127.0.0.1",
+                port=8000,
+                mock=True,
+            )
+
+        app = mcp.streamable_http_app()
+        transport = httpx.ASGITransport(app=app)
+        async with httpx.AsyncClient(
+            transport=transport, base_url="http://testserver"
+        ) as client:
+            with caplog.at_level(logging.INFO):
+                response = await client.post("/mcp")
+
+        assert response.status_code == 401
+        messages = [str(r.message) for r in caplog.records if r.levelno >= logging.INFO]
+        assert any("Unauthorized request rejected" in msg for msg in messages)
+        assert any(
+            "MCP transport request failed" in msg and "401" in msg for msg in messages
+        )
+
 
 class TestMakeLoggedInvoke:
     """Tests for make_logged_invoke WARNING logging on tool exceptions."""
