Trim implementation

Author: localden

src/ModelContextProtocol.AspNetCore/HttpMcpServerBuilderExtensions.cs

@@ -25,7 +25,6 @@ public static IMcpServerBuilder WithHttpTransport(this IMcpServerBuilder builder
 
         builder.Services.TryAddSingleton<StreamableHttpHandler>();
         builder.Services.TryAddSingleton<SseHandler>();
-        builder.Services.TryAddSingleton<McpAuthorizationFilterFactory>();
         builder.Services.AddHostedService<IdleTrackingBackgroundService>();
 
         if (configureOptions is not null)

src/ModelContextProtocol.AspNetCore/McpAuthorizationFilterFactory.cs

@@ -0,0 +1,64 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ModelContextProtocol.Protocol.Auth;
+
+namespace ModelContextProtocol.AspNetCore;
+
+/// <summary>
+/// Provides extension methods for adding MCP authorization to endpoints.
+/// </summary>
+public static class McpEndpointAuthorizationExtensions
+{
+    /// <summary>
+    /// Adds MCP authorization filter to an endpoint.
+    /// </summary>
+    /// <param name="builder">The endpoint convention builder.</param>
+    /// <param name="authProvider">The authorization provider.</param>
+    /// <param name="serviceProvider">The service provider.</param>
+    /// <returns>The builder for chaining.</returns>    
+    public static IEndpointConventionBuilder AddMcpAuthorization(
+        this IEndpointConventionBuilder builder, 
+        IServerAuthorizationProvider authProvider,
+        IServiceProvider serviceProvider)
+    {
+        if (authProvider == null)
+        {
+            return builder; // No authorization needed
+        }
+
+        var logger = serviceProvider.GetRequiredService<ILogger<McpEndpointAuthorizationFilter>>();
+        var filter = new McpEndpointAuthorizationFilter(logger, authProvider);
+        
+        return builder.AddEndpointFilter(filter);
+    }
+
+    /// <summary>
+    /// Adds MCP authorization filter to multiple endpoints.
+    /// </summary>
+    /// <param name="endpoints">The collection of endpoint convention builders.</param>
+    /// <param name="authProvider">The authorization provider.</param>
+    /// <param name="serviceProvider">The service provider.</param>
+    /// <returns>The original collection for chaining.</returns>    
+    public static IEnumerable<IEndpointConventionBuilder> AddMcpAuthorization(
+        this IEnumerable<IEndpointConventionBuilder> endpoints,
+        IServerAuthorizationProvider authProvider,
+        IServiceProvider serviceProvider)
+    {
+        if (authProvider == null)
+        {
+            return endpoints; // No authorization needed
+        }
+
+        var logger = serviceProvider.GetRequiredService<ILogger<McpEndpointAuthorizationFilter>>();
+        var filter = new McpEndpointAuthorizationFilter(logger, authProvider);
+
+        foreach (var endpoint in endpoints)
+        {
+            endpoint.AddEndpointFilter(filter);
+        }
+
+        return endpoints;
+    }
+}

src/ModelContextProtocol.AspNetCore/McpEndpointAuthorizationExtensions.cs

@@ -0,0 +1,84 @@
+// filepath: c:\Users\ddelimarsky\source\csharp-sdk\src\ModelContextProtocol.AspNetCore\McpEndpointAuthorizationFilter.cs
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using ModelContextProtocol.Protocol.Auth;
+
+namespace ModelContextProtocol.AspNetCore;
+
+/// <summary>
+/// An endpoint filter that handles authorization for MCP endpoints using the standard ASP.NET Core endpoint filter pattern.
+/// </summary>
+internal class McpEndpointAuthorizationFilter : IEndpointFilter
+{
+    private readonly ILogger _logger;
+    private readonly IServerAuthorizationProvider _authProvider;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="McpEndpointAuthorizationFilter"/> class.
+    /// </summary>
+    /// <param name="logger">The logger.</param>
+    /// <param name="authProvider">The authorization provider.</param>
+    public McpEndpointAuthorizationFilter(ILogger logger, IServerAuthorizationProvider authProvider)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _authProvider = authProvider ?? throw new ArgumentNullException(nameof(authProvider));
+    }
+
+    /// <inheritdoc/>
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        var httpContext = context.HttpContext;
+
+        // Check if the Authorization header is present
+        if (!httpContext.Request.Headers.TryGetValue("Authorization", out var authHeader) || string.IsNullOrEmpty(authHeader))
+        {
+            // No Authorization header present, return 401 Unauthorized
+            var prm = _authProvider.GetProtectedResourceMetadata();
+            var prmUrl = GetPrmUrl(httpContext, prm.Resource);
+            
+            _logger.LogDebug("Authorization required, returning 401 Unauthorized with WWW-Authenticate header");
+            httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
+            httpContext.Response.Headers.Append("WWW-Authenticate", $"Bearer resource_metadata=\"{prmUrl}\"");
+            return Results.Empty;
+        }
+
+        // Validate the token
+        string authHeaderValue = authHeader.ToString();
+        bool isValid = await _authProvider.ValidateTokenAsync(authHeaderValue);
+        if (!isValid)
+        {
+            // Invalid token, return 401 Unauthorized
+            var prm = _authProvider.GetProtectedResourceMetadata();
+            var prmUrl = GetPrmUrl(httpContext, prm.Resource);
+            
+            _logger.LogDebug("Invalid authorization token, returning 401 Unauthorized");
+            httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
+            httpContext.Response.Headers.Append("WWW-Authenticate", $"Bearer resource_metadata=\"{prmUrl}\"");
+            return Results.Empty;
+        }
+
+        // Token is valid, proceed to the next filter
+        return await next(context);
+    }
+
+    /// <summary>
+    /// Builds the URL for the protected resource metadata endpoint.
+    /// </summary>
+    /// <param name="context">The HTTP context.</param>
+    /// <param name="resourceUri">The resource URI from the protected resource metadata.</param>
+    /// <returns>The full URL to the protected resource metadata endpoint.</returns>
+    private static string GetPrmUrl(HttpContext context, string resourceUri)
+    {
+        // Use the actual resource URI from PRM if it's an absolute URL, otherwise build the URL
+        if (Uri.TryCreate(resourceUri, UriKind.Absolute, out _))
+        {
+            return $"{resourceUri.TrimEnd('/')}/.well-known/oauth-protected-resource";
+        }
+
+        // Build the URL from the current request
+        var request = context.Request;
+        var scheme = request.Scheme;
+        var host = request.Host.Value;
+        return $"{scheme}://{host}/.well-known/oauth-protected-resource";
+    }
+}

src/ModelContextProtocol.AspNetCore/McpEndpointAuthorizationFilter.cs

@@ -66,26 +66,23 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo
         streamableHttpGroup.MapDelete("", streamableHttpHandler.HandleDeleteRequestAsync);
 
         // Map legacy HTTP with SSE endpoints.
-        var sseHandler = endpoints.ServiceProvider.GetRequiredService<SseHandler>();
-        var sseGroup = mcpGroup.MapGroup("")
+        var sseHandler = endpoints.ServiceProvider.GetRequiredService<SseHandler>(); var sseGroup = mcpGroup.MapGroup("")
             .WithDisplayName(b => $"MCP HTTP with SSE | {b.DisplayName}");
 
-        // Apply authorization filter to SSE endpoints if authorization is configured
-        if (authProvider != null)
-        {
-            // Create the filter factory
-            var filterFactory = endpoints.ServiceProvider.GetRequiredService<McpAuthorizationFilterFactory>();
-            
-            // Apply filter to SSE and message endpoints
-            sseGroup.AddEndpointFilterFactory(filterFactory.Create);
-        }
-
-        sseGroup.MapGet("/sse", sseHandler.HandleSseRequestAsync)
+        // Configure SSE endpoints
+        var sseEndpoint = sseGroup.MapGet("/sse", sseHandler.HandleSseRequestAsync)
             .WithMetadata(new ProducesResponseTypeMetadata(StatusCodes.Status200OK, contentTypes: ["text/event-stream"]));
-        sseGroup.MapPost("/message", sseHandler.HandleMessageRequestAsync)
+
+        var messageEndpoint = sseGroup.MapPost("/message", sseHandler.HandleMessageRequestAsync)
             .WithMetadata(new AcceptsMetadata(["application/json"]))
             .WithMetadata(new ProducesResponseTypeMetadata(StatusCodes.Status202Accepted));
 
+        // Apply authorization filter directly to SSE endpoints if authorization is configured
+        if (authProvider != null)
+        {
+            // Apply authorization to both endpoints using the extension method
+            new[] { sseEndpoint, messageEndpoint }.AddMcpAuthorization(authProvider, endpoints.ServiceProvider);
+        }
         return mcpGroup;
     }
-}
+}

src/ModelContextProtocol.AspNetCore/McpEndpointRouteBuilderExtensions.cs

@@ -1,11 +1,9 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
-using ModelContextProtocol.Protocol.Auth;
 using ModelContextProtocol.Protocol.Messages;
 using ModelContextProtocol.Utils;
 using ModelContextProtocol.Utils.Json;
 using System.Diagnostics;
-using System.Net;
 using System.Net.Http.Headers;
 using System.Net.ServerSentEvents;
 using System.Text;
@@ -26,7 +24,6 @@ internal sealed partial class SseClientSessionTransport : TransportBase
     private Task? _receiveTask;
     private readonly ILogger _logger;
     private readonly TaskCompletionSource<bool> _connectionEstablished;
-    private readonly IAuthorizationHandler _authorizationHandler;
 
     /// <summary>
     /// SSE transport for client endpoints. Unlike stdio it does not launch a process, but connects to an existing server.
@@ -48,18 +45,6 @@ public SseClientSessionTransport(SseClientTransportOptions transportOptions, Htt
         _connectionCts = new CancellationTokenSource();
         _logger = (ILogger?)loggerFactory?.CreateLogger<SseClientTransport>() ?? NullLogger.Instance;
         _connectionEstablished = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously);
-        
-        // Initialize the authorization handler
-        if (transportOptions.AuthorizationOptions?.AuthorizationHandler != null)
-        {
-            // Use explicitly provided handler
-            _authorizationHandler = transportOptions.AuthorizationOptions.AuthorizationHandler;
-        }
-        else
-        {
-            // Create default handler with auth options
-            _authorizationHandler = new DefaultAuthorizationHandler(loggerFactory, transportOptions.AuthorizationOptions);
-        }
     }
 
     /// <inheritdoc/>
@@ -89,48 +74,18 @@ public override async Task SendMessageAsync(
         if (_messageEndpoint == null)
             throw new InvalidOperationException("Transport not connected");
 
+        using var content = new StringContent(
+            JsonSerializer.Serialize(message, McpJsonUtilities.JsonContext.Default.JsonRpcMessage),
+            Encoding.UTF8,
+            "application/json"
+        );
+
         string messageId = "(no id)";
 
         if (message is JsonRpcMessageWithId messageWithId)
         {
             messageId = messageWithId.Id.ToString();
         }
-        
-        // Send the request, handling potential auth challenges
-        HttpResponseMessage? response = null;
-        bool authRetry = false;
-        
-        do
-        {
-            authRetry = false;
-            
-            // Create a new request for each attempt
-            using var currentRequest = new HttpRequestMessage(HttpMethod.Post, _messageEndpoint);
-            currentRequest.Content = new StringContent(
-                JsonSerializer.Serialize(message, McpJsonUtilities.JsonContext.Default.JsonRpcMessage),
-                Encoding.UTF8,
-                "application/json"
-            );
-            
-            // Add authorization headers if needed - the handler will only add headers if auth is required
-            await _authorizationHandler.AuthenticateRequestAsync(currentRequest).ConfigureAwait(false);
-            
-            // Copy additional headers
-            CopyAdditionalHeaders(currentRequest.Headers);
-            
-            // Dispose previous response before making a new request
-            response?.Dispose();
-            
-            response = await _httpClient.SendAsync(currentRequest, cancellationToken).ConfigureAwait(false);
-            
-            // Handle 401 Unauthorized response - this will only execute if the server requires auth
-            if (response.StatusCode == HttpStatusCode.Unauthorized)
-            {
-                // Try to handle the unauthorized response
-                authRetry = await _authorizationHandler.HandleUnauthorizedResponseAsync(
-                    response, _messageEndpoint).ConfigureAwait(false);
-            }
-        } while (authRetry);
 
         using var httpRequestMessage = new HttpRequestMessage(HttpMethod.Post, _messageEndpoint)
         {
@@ -139,25 +94,26 @@ public override async Task SendMessageAsync(
         StreamableHttpClientSessionTransport.CopyAdditionalHeaders(httpRequestMessage.Headers, _options.AdditionalHeaders);
         var response = await _httpClient.SendAsync(httpRequestMessage, cancellationToken).ConfigureAwait(false);
 
-            var responseContent = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
 
-            // Check if the message was an initialize request
-            if (message is JsonRpcRequest request && request.Method == RequestMethods.Initialize)
-            {
-                // If the response is not a JSON-RPC response, it is an SSE message
-                if (string.IsNullOrEmpty(responseContent) || responseContent.Equals("accepted", StringComparison.OrdinalIgnoreCase))
-                {
-                    LogAcceptedPost(Name, messageId);
-                    // The response will arrive as an SSE message
-                }
-                else
-                {
-                    JsonRpcResponse initializeResponse = JsonSerializer.Deserialize(responseContent, McpJsonUtilities.JsonContext.Default.JsonRpcResponse) ??
-                        throw new InvalidOperationException("Failed to initialize client");
+        var responseContent = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
 
         if (string.IsNullOrEmpty(responseContent) || responseContent.Equals("accepted", StringComparison.OrdinalIgnoreCase))
         {
-            response.Dispose();
+            LogAcceptedPost(Name, messageId);
+        }
+        else
+        {
+            if (_logger.IsEnabled(LogLevel.Trace))
+            {
+                LogRejectedPostSensitive(Name, messageId, responseContent);
+            }
+            else
+            {
+                LogRejectedPost(Name, messageId);
+            }
+
+            throw new InvalidOperationException("Failed to send message");
         }
     }