feat: remove mcplugin mount streamable http (#112)

* build: updated the project dependencies

* fix: preserve configured mcp trailing slash

* refactor: remove mcp streamable http mount helper

Author: mplemay

README.md

@@ -214,6 +214,9 @@ Visit `http://localhost:8000/login/google` to sign in.
 
 - `bind()` has been removed from plugins.
 - Register plugins with callable config objects: `auth.add_plugin(GoogleOAuth(...))`.
+- `McpPlugin.mount_streamable_http()` has been removed.
+- Mount and configure the MCP SDK streamable HTTP app in your FastAPI/Starlette app directly, using
+  `plugin.auth`, `plugin.token_verifier`, and `plugin.server_path`.
 
 ## Router endpoints
 

examples/mcp/README.md

@@ -28,15 +28,17 @@ The app runs at `http://localhost:8000`.
 - `GET|POST /auth/oauth/authorize`
 - `POST /auth/oauth/token`
 - `POST /auth/oauth/introspect`
-- `POST /mcp` or `POST /mcp/` (MCP streamable HTTP endpoint)
+- `POST /mcp/` (MCP streamable HTTP endpoint)
 - `GET /.well-known/oauth-protected-resource/mcp`
 - `GET /.well-known/oauth-protected-resource`
 
 ## Notes
 
-- The MCP server is mounted at `/mcp` and accepts both `/mcp` and `/mcp/`.
-- Streamable HTTP transport security is derived from the configured MCP resource URL, so production hosts no longer
-  need a custom `host="localhost"` override.
+- The example mounts the MCP SDK's `streamable_http_app(...)` directly with `app.mount(mcp_plugin.server_path, ...)`.
+- `McpPlugin` now only provides `auth`, `token_verifier`, and the derived `server_path`/`server_url`; mounting and
+  streamable HTTP transport configuration are owned by the application.
+- If you need transport security settings such as allowed hosts/origins, pass them directly to
+  `mcp_server.streamable_http_app(...)`.
 - OAuth discovery serving (`/.well-known/oauth-authorization-server*` and
   `/.well-known/oauth-protected-resource*`) is owned by `OAuthServerPlugin`.
 - Configure `OAuthServer.resources=[OAuthResource(prefix="/mcp", ...)]` so protected

examples/mcp/main.py

@@ -207,7 +207,12 @@ async def lifespan(_app: FastAPI) -> AsyncIterator[None]:
 
 app.include_router(belgie.router)
 
-_ = mcp_plugin.mount_streamable_http(app, mcp_server)
+app.mount(
+    mcp_plugin.server_path,
+    mcp_server.streamable_http_app(
+        streamable_http_path="/",
+    ),
+)
 
 
 @mcp_server.tool()

packages/belgie-mcp/src/belgie_mcp/__tests__/test_plugin.py

@@ -1,13 +1,8 @@
-from collections.abc import AsyncIterator
-from contextlib import asynccontextmanager
-from dataclasses import dataclass, field
 from types import SimpleNamespace
 from urllib.parse import parse_qs, urlparse
 from uuid import uuid4
 
 import pytest
-from fastapi import FastAPI
-from fastapi.testclient import TestClient
 from pydantic import AnyUrl
 
 pytest.importorskip("mcp")
@@ -20,7 +15,6 @@
 from belgie_oauth_server.provider import AccessToken as OAuthAccessToken, AuthorizationParams, SimpleOAuthProvider
 from belgie_oauth_server.settings import OAuthServer
 from mcp.server.auth.provider import AccessToken
-from mcp.server.mcpserver import MCPServer
 
 
 def _belgie_settings() -> BelgieSettings:
@@ -90,7 +84,7 @@ def test_mcp_plugin_builds_server_url_from_base_url() -> None:
     assert str(plugin.auth.resource_server_url) == "https://example.com/mcp"
 
 
-def test_mcp_plugin_defaults_base_url_from_belgie_settings() -> None:
+def test_mcp_plugin_preserves_trailing_slash_in_server_path() -> None:
     settings = OAuthServer(
         base_url="https://auth.local",
         redirect_uris=["http://localhost/callback"],
@@ -103,266 +97,93 @@ def test_mcp_plugin_defaults_base_url_from_belgie_settings() -> None:
         _belgie_settings(),
         Mcp(
             oauth=settings,
-            server_path="/mcp",
+            base_url="https://example.com",
+            server_path="/mcp/",
         ),
     )
 
-    assert str(plugin.auth.resource_server_url) == "https://example.com/mcp"
+    assert plugin.server_path == "/mcp/"
+    assert str(plugin.auth.resource_server_url) == "https://example.com/mcp/"
 
 
-@pytest.mark.asyncio
-async def test_mcp_plugin_verifier_uses_linked_oauth_plugin_provider() -> None:
+def test_mcp_plugin_defaults_base_url_from_belgie_settings() -> None:
     settings = OAuthServer(
         base_url="https://auth.local",
         redirect_uris=["http://localhost/callback"],
         client_id="client",
         client_secret="secret",
         default_scope="user",
     )
-    provider = SimpleOAuthProvider(settings, issuer_url=str(settings.issuer_url))
-    oauth_plugin = OAuthServerPlugin(_belgie_settings(), settings)
-    oauth_plugin._provider = provider
+
     plugin = McpPlugin(
         _belgie_settings(),
         Mcp(
             oauth=settings,
-            server_url="https://mcp.local/mcp",
+            server_path="/mcp",
         ),
     )
-    _ = plugin.router(SimpleNamespace(plugins=[oauth_plugin, plugin]))
-    token_value, stored_token = await _issue_dynamic_client_access_token(
-        provider,
-        user_id=str(uuid4()),
-        resource="https://mcp.local/mcp",
-    )
 
-    token = await plugin.token_verifier.verify_token(token_value)
-
-    assert token == AccessToken(
-        token=token_value,
-        client_id=stored_token.client_id,
-        scopes=["user"],
-        expires_at=stored_token.expires_at,
-        resource="https://mcp.local/mcp",
-    )
+    assert str(plugin.auth.resource_server_url) == "https://example.com/mcp"
 
 
-def test_mount_streamable_http_accepts_alias_path_without_redirect() -> None:
+def test_mcp_plugin_preserves_trailing_slash_in_server_url() -> None:
     settings = OAuthServer(
         base_url="https://auth.local",
         redirect_uris=["http://localhost/callback"],
         client_id="client",
         client_secret="secret",
         default_scope="user",
     )
+
     plugin = McpPlugin(
         _belgie_settings(),
         Mcp(
             oauth=settings,
-            server_path="/mcp",
+            server_url="https://mcp.local/mcp/",
         ),
     )
-    server = MCPServer(name="Belgie MCP")
-    app = _build_test_app(plugin, server)
-
-    with TestClient(app, base_url="https://example.com") as client:
-        alias_response = client.post(
-            "/mcp",
-            headers={"Content-Type": "application/json"},
-            content="{}",
-            follow_redirects=False,
-        )
-        mounted_response = client.post(
-            "/mcp/",
-            headers={"Content-Type": "application/json"},
-            content="{}",
-            follow_redirects=False,
-        )
-
-    assert alias_response.status_code == 400
-    assert mounted_response.status_code == 400
-    assert alias_response.headers.get("location") is None
-    assert mounted_response.headers.get("location") is None
-    assert alias_response.json() == mounted_response.json()
-
-
-@pytest.mark.parametrize("host_header", ["localhost:8000", "127.0.0.1:8000", "[::1]:8000"])
-def test_mount_streamable_http_allows_loopback_hosts(host_header: str) -> None:
-    plugin = _build_plugin(server_url="http://localhost:8000/mcp")
-    server = MCPServer(
-        name="Belgie MCP",
-        auth=plugin.auth,
-        token_verifier=_AllowingTokenVerifier(),
-    )
-    app = _build_test_app(plugin, server)
-
-    with TestClient(app, base_url="http://localhost:8000") as client:
-        response = client.post(
-            "/mcp",
-            headers={
-                "Authorization": "Bearer valid-token",
-                "Host": host_header,
-            },
-            json=_build_initialize_request(),
-            follow_redirects=False,
-        )
-
-    assert response.status_code == 200
-    assert response.headers["content-type"].startswith("text/event-stream")
-    assert response.headers.get("mcp-session-id")
-
-
-def test_mount_streamable_http_allows_configured_external_host() -> None:
-    plugin = _build_plugin(server_url="https://example.com/mcp")
-    server = MCPServer(
-        name="Belgie MCP",
-        auth=plugin.auth,
-        token_verifier=_AllowingTokenVerifier(),
-    )
-    app = _build_test_app(plugin, server)
-
-    with TestClient(app, base_url="https://example.com") as client:
-        response = client.post(
-            "/mcp",
-            headers={
-                "Authorization": "Bearer valid-token",
-                "Host": "example.com",
-            },
-            json=_build_initialize_request(),
-            follow_redirects=False,
-        )
-
-    assert response.status_code == 200
-    assert response.headers["content-type"].startswith("text/event-stream")
-    assert response.headers.get("mcp-session-id")
-
-
-def test_mount_streamable_http_rejects_mismatched_host() -> None:
-    plugin = _build_plugin(server_url="http://localhost:8000/mcp")
-    server = MCPServer(
-        name="Belgie MCP",
-        auth=plugin.auth,
-        token_verifier=_AllowingTokenVerifier(),
-    )
-    app = _build_test_app(plugin, server)
 
-    with TestClient(app, base_url="http://localhost:8000") as client:
-        response = client.post(
-            "/mcp",
-            headers={
-                "Authorization": "Bearer valid-token",
-                "Host": "example.com",
-            },
-            json=_build_initialize_request(),
-            follow_redirects=False,
-        )
+    assert plugin.server_path == "/mcp/"
+    assert str(plugin.auth.resource_server_url) == "https://mcp.local/mcp/"
 
-    assert response.status_code == 421
-    assert response.text == "Invalid Host header"
 
-
-def test_mount_streamable_http_preserves_auth_middleware() -> None:
+@pytest.mark.asyncio
+async def test_mcp_plugin_verifier_uses_linked_oauth_plugin_provider() -> None:
     settings = OAuthServer(
         base_url="https://auth.local",
         redirect_uris=["http://localhost/callback"],
         client_id="client",
         client_secret="secret",
         default_scope="user",
     )
+    provider = SimpleOAuthProvider(settings, issuer_url=str(settings.issuer_url))
+    oauth_plugin = OAuthServerPlugin(_belgie_settings(), settings)
+    oauth_plugin._provider = provider
     plugin = McpPlugin(
         _belgie_settings(),
         Mcp(
             oauth=settings,
-            server_path="/mcp",
+            server_url="https://mcp.local/mcp",
         ),
     )
-    verifier = _StubTokenVerifier()
-    server = MCPServer(
-        name="Belgie MCP",
-        auth=plugin.auth,
-        token_verifier=verifier,
+    _ = plugin.router(SimpleNamespace(plugins=[oauth_plugin, plugin]))
+    token_value, stored_token = await _issue_dynamic_client_access_token(
+        provider,
+        user_id=str(uuid4()),
+        resource="https://mcp.local/mcp",
     )
-    app = _build_test_app(plugin, server)
-
-    with TestClient(app, base_url="https://example.com") as client:
-        alias_response = client.post(
-            "/mcp",
-            headers={"Authorization": "Bearer alias-token"},
-            follow_redirects=False,
-        )
-        mounted_response = client.post(
-            "/mcp/",
-            headers={"Authorization": "Bearer mounted-token"},
-            follow_redirects=False,
-        )
-
-    assert verifier.tokens == ["alias-token", "mounted-token"]
-    assert alias_response.status_code == 401
-    assert mounted_response.status_code == 401
-    assert alias_response.headers.get("location") is None
-    assert mounted_response.headers.get("location") is None
-    assert alias_response.json() == mounted_response.json()
-
-
-def _build_test_app(plugin: McpPlugin, server: MCPServer) -> FastAPI:
-    @asynccontextmanager
-    async def lifespan(_app: FastAPI) -> AsyncIterator[None]:
-        async with server.session_manager.run():
-            yield
-
-    app = FastAPI(lifespan=lifespan)
-    _ = plugin.mount_streamable_http(app, server)
-    return app
-
-
-@dataclass(slots=True)
-class _StubTokenVerifier:
-    tokens: list[str] = field(default_factory=list)
-
-    async def verify_token(self, token: str) -> None:
-        self.tokens.append(token)
-
-
-@dataclass(slots=True)
-class _AllowingTokenVerifier:
-    async def verify_token(self, token: str) -> AccessToken:
-        return AccessToken(
-            token=token,
-            client_id="client",
-            scopes=["user"],
-        )
 
+    token = await plugin.token_verifier.verify_token(token_value)
 
-def _build_plugin(*, server_url: str) -> McpPlugin:
-    settings = OAuthServer(
-        base_url="https://auth.local",
-        redirect_uris=["http://localhost/callback"],
-        client_id="client",
-        client_secret="secret",
-        default_scope="user",
-    )
-    return McpPlugin(
-        _belgie_settings(),
-        Mcp(
-            oauth=settings,
-            server_url=server_url,
-        ),
+    assert token == AccessToken(
+        token=token_value,
+        client_id=stored_token.client_id,
+        scopes=["user"],
+        expires_at=stored_token.expires_at,
+        resource="https://mcp.local/mcp",
     )
 
 
-def _build_initialize_request() -> dict[str, object]:
-    return {
-        "jsonrpc": "2.0",
-        "id": 1,
-        "method": "initialize",
-        "params": {
-            "protocolVersion": "2025-03-26",
-            "capabilities": {},
-            "clientInfo": {"name": "test-client", "version": "1"},
-        },
-    }
-
-
 async def _issue_dynamic_client_access_token(
     provider: SimpleOAuthProvider,
     *,