metamcp: robust auth in provision/user-bootstrap by mirroring raw Set-Cookie to in-cluster host; bump to 0.1.21

Author: masterkain

charts/metamcp/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: metamcp
 description: MetaMCP aggregator Helm chart for Kubernetes
 type: application
-version: 0.1.20
+version: 0.1.21
 appVersion: "latest"
 icon: https://icoretech.github.io/helm/charts/metamcp/logo.png
 keywords:

charts/metamcp/scripts/provision.py

@@ -72,20 +72,31 @@ def signin(retries=8, delay=1.5):
                     )
                 except Exception:
                     token = None
-                if not token:
-                    # try to read cookie set by server and mirror it under our in-cluster host
-                    for c in sess.cookies:
-                        if c.name in ('better-auth.session_token','__Secure-better-auth.session_token') and c.value:
-                            token = c.value
-                            break
-                if token:
+                # Try to capture the raw cookie value from Set-Cookie header (preferred for signed cookies)
+                raw_cookie = None
+                try:
+                    sch = r.headers.get('set-cookie') or r.headers.get('Set-Cookie')
+                    if sch:
+                        # pick either __Secure-better-auth.session_token or better-auth.session_token
+                        for nm in ('__Secure-better-auth.session_token','better-auth.session_token'):
+                            marker = nm + '='
+                            if marker in sch:
+                                seg = sch.split(marker,1)[1]
+                                raw_cookie = seg.split(';',1)[0]
+                                break
+                except Exception:
+                    raw_cookie = None
+                # Prefer raw signed cookie value; otherwise fall back to token from JSON
+                cookie_val = raw_cookie or token
+                if cookie_val:
                     # set both cookie names to maximize compatibility with secure-cookie deployments
                     for cname in ('better-auth.session_token','__Secure-better-auth.session_token'):
                         try:
-                            sess.cookies.set(cname, token, domain=host, path='/')
+                            sess.cookies.set(cname, cookie_val, domain=host, path='/')
                         except Exception:
-                            sess.cookies.set(cname, token)
-                    sess.headers['Authorization'] = f"Bearer {token}"
+                            sess.cookies.set(cname, cookie_val)
+                    if token:
+                        sess.headers['Authorization'] = f"Bearer {token}"
                 # Persist cookies to mozilla jar and reload next time
                 try:
                     mozjar.clear()

charts/metamcp/scripts/user-bootstrap.py

@@ -79,13 +79,34 @@ def k8s_upsert_secret(name: str, email: str, api_key: str):
         if resp.status_code != 200:
             log(f"WARN: sign-in status {resp.status_code}: {resp.text[:160]}")
         else:
+            host = SVC.split(':')[0]
+            token = None
             try:
-                token = resp.json().get('token')
-                if token:
-                    host = SVC.split(':')[0]
-                    s.cookies.set('better-auth.session_token', token, domain=host, path='/')
+                j = resp.json()
+                token = j.get('token') or j.get('sessionToken') or (j.get('data') or {}).get('token') or (j.get('data') or {}).get('sessionToken')
             except Exception:
-                pass
+                token = None
+            raw_cookie = None
+            try:
+                sch = resp.headers.get('set-cookie') or resp.headers.get('Set-Cookie')
+                if sch:
+                    for nm in ('__Secure-better-auth.session_token','better-auth.session_token'):
+                        marker = nm + '='
+                        if marker in sch:
+                            seg = sch.split(marker,1)[1]
+                            raw_cookie = seg.split(';',1)[0]
+                            break
+            except Exception:
+                raw_cookie = None
+            cookie_val = raw_cookie or token
+            if cookie_val:
+                for cname in ('better-auth.session_token','__Secure-better-auth.session_token'):
+                    try:
+                        s.cookies.set(cname, cookie_val, domain=host, path='/')
+                    except Exception:
+                        s.cookies.set(cname, cookie_val)
+            if token:
+                s.headers['Authorization'] = f"Bearer {token}"
     except Exception as e:
         log(f"WARN: sign-in exception: {e}")
     sessions.append(s)