@@ -65,6 +65,39 @@ func (s *MCPServer) readJSONRPCRequest(w http.ResponseWriter, r *http.Request) (
6565 return req , true
6666}
6767
68+ func bearerTokenFromRequest (r * http.Request ) (string , bool ) {
69+ headers := r .Header .Values ("Authorization" )
70+ if len (headers ) == 0 {
71+ // Compatibility fallback for clients that send the non-standard Authentication header.
72+ headers = r .Header .Values ("Authentication" )
73+ }
74+
75+ for _ , authHeader := range headers {
76+ for _ , candidate := range strings .Split (authHeader , "," ) {
77+ fields := strings .Fields (strings .TrimSpace (candidate ))
78+ if len (fields ) < 2 || ! strings .EqualFold (fields [0 ], "bearer" ) {
79+ continue
80+ }
81+
82+ token := strings .TrimSpace (strings .Join (fields [1 :], " " ))
83+ for len (token ) >= 8 && strings .EqualFold (token [:7 ], "bearer " ) {
84+ token = strings .TrimSpace (token [7 :])
85+ }
86+ if len (token ) >= 2 {
87+ if (token [0 ] == '"' && token [len (token )- 1 ] == '"' ) || (token [0 ] == '\'' && token [len (token )- 1 ] == '\'' ) {
88+ token = token [1 : len (token )- 1 ]
89+ }
90+ }
91+ token = strings .TrimSpace (token )
92+ if token != "" {
93+ return token , true
94+ }
95+ }
96+ }
97+
98+ return "" , false
99+ }
100+
68101func (s * MCPServer ) authorizeToken (ctx context.Context , rawToken string ) (* AuthResult , error ) {
69102 if s .authEnabled && s .authenticator == nil {
70103 return nil , fmt .Errorf ("unauthorized" )
@@ -147,9 +180,8 @@ func (s *MCPServer) sseHandler(w http.ResponseWriter, r *http.Request) {
147180 }
148181 var authResult * AuthResult
149182 var rawToken string
150- authHeader := r .Header .Get ("Authorization" )
151- if authHeader != "" && len (authHeader ) > 7 && strings .EqualFold (authHeader [:7 ], "bearer " ) {
152- rawToken = authHeader [7 :]
183+ if token , ok := bearerTokenFromRequest (r ); ok {
184+ rawToken = token
153185 var err error
154186 authResult , err = s .authorizeToken (r .Context (), rawToken )
155187 if err != nil {
@@ -250,9 +282,8 @@ func (s *MCPServer) sseMCPHandler(w http.ResponseWriter, r *http.Request) {
250282 ctx := r .Context ()
251283 var authResult * AuthResult
252284 var rawToken string
253- authHeader := r .Header .Get ("Authorization" )
254- if authHeader != "" && len (authHeader ) > 7 && strings .EqualFold (authHeader [:7 ], "bearer " ) {
255- rawToken = authHeader [7 :]
285+ if token , ok := bearerTokenFromRequest (r ); ok {
286+ rawToken = token
256287 var err error
257288 authResult , err = s .authorizeToken (ctx , rawToken )
258289 if err != nil {
@@ -355,11 +386,9 @@ func (s *MCPServer) httpHandler(w http.ResponseWriter, r *http.Request) {
355386 }
356387
357388 ctx := r .Context ()
358- authHeader := r .Header .Get ("Authorization" )
359389 hasToken := false
360390 tokenPreview := "NoAuth"
361- if authHeader != "" && len (authHeader ) > 7 && strings .EqualFold (authHeader [:7 ], "bearer " ) {
362- rawToken := authHeader [7 :]
391+ if rawToken , ok := bearerTokenFromRequest (r ); ok {
363392 hasToken = true
364393 tokenPreview = "Authorized"
365394 authResult , err := s .authorizeToken (ctx , rawToken )
@@ -388,8 +417,6 @@ func (s *MCPServer) httpHandler(w http.ResponseWriter, r *http.Request) {
388417 authInfo := "no-token"
389418 if hasToken {
390419 authInfo = "token=" + tokenPreview
391- } else if authHeader != "" {
392- authInfo = fmt .Sprintf ("invalid-auth-header=%q" , authHeader )
393420 }
394421 toolName := ""
395422 toolArgs := ""
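Review bot: bearerTokenFromRequest (lines 68–99 of the first hunk, fully inside it) accepts many spellings of one credential — comma-separated lists, nested `Bearer Bearer x`, single- or double-quoted tokens, collapsed inner whitespace — and returns the first candidate that parses, so a request carrying two different bearer tokens is authorized with whichever comes first, and a proxy, WAF or rate limiter in front of this server that reads the header strictly may key on a different token than the one actually checked. I would either reject a request that yields more than one distinct token or, at minimum, validate the extracted value against the RFC 6750 b64token character set before returning it, e.g. a package-level `var b64Token = regexp.MustCompile("^[A-Za-z0-9._~+/-]+=*$")` and `if !b64Token.MatchString(token) { continue }` just before the `if token != ""` check, so malformed values never reach authorizeToken. The new unexported function also lacks a doc comment; something like `// bearerTokenFromRequest returns the first Bearer credential found in the Authorization header (falling back to the non-standard Authentication header for legacy clients) and reports whether one was present; lookup is lenient about case, quoting and repeated scheme prefixes.` would make the leniency an explicit, reviewable contract rather than an accident.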