Merge branch 'main' into main

Author: SoldierSacha

.github/CODEOWNERS

@@ -2,22 +2,22 @@
 # See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
 # Default maintainers for everything
-* @modelcontextprotocol/python-sdk-maintainers
+* @modelcontextprotocol/python-sdk
 
 # Auth-related code requires additional review from auth team
-/src/mcp/client/auth.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/src/mcp/server/auth/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/src/mcp/server/transport_security.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/src/mcp/shared/auth*.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/src/mcp/client/auth.py @modelcontextprotocol/python-sdk-auth
+/src/mcp/server/auth/ @modelcontextprotocol/python-sdk-auth
+/src/mcp/server/transport_security.py @modelcontextprotocol/python-sdk-auth
+/src/mcp/shared/auth*.py @modelcontextprotocol/python-sdk-auth
 
 # Auth-related tests
-/tests/client/test_auth.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/tests/server/auth/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/tests/server/test_*security.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/tests/server/fastmcp/auth/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/tests/shared/test_auth*.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/tests/client/test_auth.py @modelcontextprotocol/python-sdk-auth
+/tests/server/auth/ @modelcontextprotocol/python-sdk-auth
+/tests/server/test_*security.py @modelcontextprotocol/python-sdk-auth
+/tests/server/fastmcp/auth/ @modelcontextprotocol/python-sdk-auth
+/tests/shared/test_auth*.py @modelcontextprotocol/python-sdk-auth
 
 # Auth-related examples
-/examples/clients/simple-auth-client/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/examples/snippets/clients/oauth_client.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
-/examples/snippets/servers/oauth_server.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/examples/clients/simple-auth-client/ @modelcontextprotocol/python-sdk-auth
+/examples/snippets/clients/oauth_client.py @modelcontextprotocol/python-sdk-auth
+/examples/snippets/servers/oauth_server.py @modelcontextprotocol/python-sdk-auth

src/mcp/client/auth.py

@@ -526,8 +526,8 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                                 break
                             except ValidationError:
                                 continue
-                        elif oauth_metadata_response.status_code != 404:
-                            break  # Non-404 error, stop trying
+                        elif oauth_metadata_response.status_code < 400 or oauth_metadata_response.status_code >= 500:
+                            break  # Non-4XX error, stop trying
 
                     # Step 3: Register client if needed
                     registration_request = await self._register_client()

src/mcp/server/lowlevel/server.py

@@ -647,6 +647,12 @@ async def _handle_request(
                 response = await handler(req)
             except McpError as err:
                 response = err.error
+            except anyio.get_cancelled_exc_class():
+                logger.info(
+                    "Request %s cancelled - duplicate response suppressed",
+                    message.request_id,
+                )
+                return
             except Exception as err:
                 if raise_exceptions:
                     raise err

tests/client/test_auth.py

@@ -337,6 +337,109 @@ async def test_oauth_discovery_fallback_order(self, oauth_provider):
             "https://api.example.com/v1/mcp/.well-known/openid-configuration",
         ]
 
+    @pytest.mark.anyio
+    async def test_oauth_discovery_fallback_conditions(self, oauth_provider):
+        """Test the conditions during which an AS metadata discovery fallback will be attempted."""
+        # Ensure no tokens are stored
+        oauth_provider.context.current_tokens = None
+        oauth_provider.context.token_expiry_time = None
+        oauth_provider._initialized = True
+
+        # Mock client info to skip DCR
+        oauth_provider.context.client_info = OAuthClientInformationFull(
+            client_id="existing_client",
+            redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+        )
+
+        # Create a test request
+        test_request = httpx.Request("GET", "https://api.example.com/v1/mcp")
+
+        # Mock the auth flow
+        auth_flow = oauth_provider.async_auth_flow(test_request)
+
+        # First request should be the original request without auth header
+        request = await auth_flow.__anext__()
+        assert "Authorization" not in request.headers
+
+        # Send a 401 response to trigger the OAuth flow
+        response = httpx.Response(
+            401,
+            headers={
+                "WWW-Authenticate": 'Bearer resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"'
+            },
+            request=test_request,
+        )
+
+        # Next request should be to discover protected resource metadata
+        discovery_request = await auth_flow.asend(response)
+        assert str(discovery_request.url) == "https://api.example.com/.well-known/oauth-protected-resource"
+        assert discovery_request.method == "GET"
+
+        # Send a successful discovery response with minimal protected resource metadata
+        discovery_response = httpx.Response(
+            200,
+            content=b'{"resource": "https://api.example.com/v1/mcp", "authorization_servers": ["https://auth.example.com/v1/mcp"]}',
+            request=discovery_request,
+        )
+
+        # Next request should be to discover OAuth metadata
+        oauth_metadata_request_1 = await auth_flow.asend(discovery_response)
+        assert (
+            str(oauth_metadata_request_1.url)
+            == "https://auth.example.com/.well-known/oauth-authorization-server/v1/mcp"
+        )
+        assert oauth_metadata_request_1.method == "GET"
+
+        # Send a 404 response
+        oauth_metadata_response_1 = httpx.Response(
+            404,
+            content=b"Not Found",
+            request=oauth_metadata_request_1,
+        )
+
+        # Next request should be to discover OAuth metadata at the next endpoint
+        oauth_metadata_request_2 = await auth_flow.asend(oauth_metadata_response_1)
+        assert str(oauth_metadata_request_2.url) == "https://auth.example.com/.well-known/oauth-authorization-server"
+        assert oauth_metadata_request_2.method == "GET"
+
+        # Send a 400 response
+        oauth_metadata_response_2 = httpx.Response(
+            400,
+            content=b"Bad Request",
+            request=oauth_metadata_request_2,
+        )
+
+        # Next request should be to discover OAuth metadata at the next endpoint
+        oauth_metadata_request_3 = await auth_flow.asend(oauth_metadata_response_2)
+        assert str(oauth_metadata_request_3.url) == "https://auth.example.com/.well-known/openid-configuration/v1/mcp"
+        assert oauth_metadata_request_3.method == "GET"
+
+        # Send a 500 response
+        oauth_metadata_response_3 = httpx.Response(
+            500,
+            content=b"Internal Server Error",
+            request=oauth_metadata_request_3,
+        )
+
+        # Mock the authorization process to minimize unnecessary state in this test
+        oauth_provider._perform_authorization = mock.AsyncMock(return_value=("test_auth_code", "test_code_verifier"))
+
+        # Next request should fall back to legacy behavior and auth with the RS (mocked /authorize, next is /token)
+        token_request = await auth_flow.asend(oauth_metadata_response_3)
+        assert str(token_request.url) == "https://api.example.com/token"
+        assert token_request.method == "POST"
+
+        # Send a successful token response
+        token_response = httpx.Response(
+            200,
+            content=(
+                b'{"access_token": "new_access_token", "token_type": "Bearer", "expires_in": 3600, '
+                b'"refresh_token": "new_refresh_token"}'
+            ),
+            request=token_request,
+        )
+        token_request = await auth_flow.asend(token_response)
+
     @pytest.mark.anyio
     async def test_handle_metadata_response_success(self, oauth_provider):
         """Test successful metadata response handling."""

tests/server/test_cancel_handling.py

@@ -0,0 +1,111 @@
+"""Test that cancelled requests don't cause double responses."""
+
+import anyio
+import pytest
+
+import mcp.types as types
+from mcp.server.lowlevel.server import Server
+from mcp.shared.exceptions import McpError
+from mcp.shared.memory import create_connected_server_and_client_session
+from mcp.types import (
+    CallToolRequest,
+    CallToolRequestParams,
+    CallToolResult,
+    CancelledNotification,
+    CancelledNotificationParams,
+    ClientNotification,
+    ClientRequest,
+    Tool,
+)
+
+
+@pytest.mark.anyio
+async def test_server_remains_functional_after_cancel():
+    """Verify server can handle new requests after a cancellation."""
+
+    server = Server("test-server")
+
+    # Track tool calls
+    call_count = 0
+    ev_first_call = anyio.Event()
+    first_request_id = None
+
+    @server.list_tools()
+    async def handle_list_tools() -> list[Tool]:
+        return [
+            Tool(
+                name="test_tool",
+                description="Tool for testing",
+                inputSchema={},
+            )
+        ]
+
+    @server.call_tool()
+    async def handle_call_tool(name: str, arguments: dict | None) -> list:
+        nonlocal call_count, first_request_id
+        if name == "test_tool":
+            call_count += 1
+            if call_count == 1:
+                first_request_id = server.request_context.request_id
+                ev_first_call.set()
+                await anyio.sleep(5)  # First call is slow
+            return [types.TextContent(type="text", text=f"Call number: {call_count}")]
+        raise ValueError(f"Unknown tool: {name}")
+
+    async with create_connected_server_and_client_session(server) as client:
+        # First request (will be cancelled)
+        async def first_request():
+            try:
+                await client.send_request(
+                    ClientRequest(
+                        CallToolRequest(
+                            method="tools/call",
+                            params=CallToolRequestParams(name="test_tool", arguments={}),
+                        )
+                    ),
+                    CallToolResult,
+                )
+                pytest.fail("First request should have been cancelled")
+            except McpError:
+                pass  # Expected
+
+        # Start first request
+        async with anyio.create_task_group() as tg:
+            tg.start_soon(first_request)
+
+            # Wait for it to start
+            await ev_first_call.wait()
+
+            # Cancel it
+            assert first_request_id is not None
+            await client.send_notification(
+                ClientNotification(
+                    CancelledNotification(
+                        method="notifications/cancelled",
+                        params=CancelledNotificationParams(
+                            requestId=first_request_id,
+                            reason="Testing server recovery",
+                        ),
+                    )
+                )
+            )
+
+        # Second request (should work normally)
+        result = await client.send_request(
+            ClientRequest(
+                CallToolRequest(
+                    method="tools/call",
+                    params=CallToolRequestParams(name="test_tool", arguments={}),
+                )
+            ),
+            CallToolResult,
+        )
+
+        # Verify second request completed successfully
+        assert len(result.content) == 1
+        # Type narrowing for pyright
+        content = result.content[0]
+        assert content.type == "text"
+        assert isinstance(content, types.TextContent)
+        assert content.text == "Call number: 2"
+        assert call_count == 2