Block mcp oauth

Author: BenjaminMichaelis

EssentialCSharp.Web.Tests/McpRateLimitingTests.cs

@@ -212,3 +212,34 @@ await Assert.That(getResponse.StatusCode)
         await Assert.That(rateLimitedGetResponse.StatusCode).IsEqualTo(HttpStatusCode.TooManyRequests);
     }
 }
+
+[NotInParallel("McpTests")]
+[ClassDataSource<WebApplicationFactory>(Shared = SharedType.PerClass)]
+public class McpWellKnownIsolationRateLimitingTests(WebApplicationFactory factory)
+{
+    [Test]
+    public async Task WellKnownRequests_DoNotConsumeContentLimiterBudget()
+    {
+        HttpClient client = McpTestHelper.CreateClient(factory);
+
+        for (int i = 0; i < 10; i++)
+        {
+            using HttpResponseMessage wellKnownResponse =
+                await client.GetAsync("/.well-known/oauth-protected-resource");
+            await Assert.That(wellKnownResponse.StatusCode)
+                .IsEqualTo(HttpStatusCode.NotFound)
+                .Because($"well-known request {i + 1} should short-circuit with 404");
+        }
+
+        for (int i = 0; i < 10; i++)
+        {
+            using HttpResponseMessage contentResponse = await client.GetAsync("/hello-world");
+            await Assert.That(contentResponse.StatusCode)
+                .IsNotEqualTo(HttpStatusCode.TooManyRequests)
+                .Because($"content request {i + 1} should still have its full limiter budget");
+        }
+
+        using HttpResponseMessage rateLimitedResponse = await client.GetAsync("/hello-world");
+        await Assert.That(rateLimitedResponse.StatusCode).IsEqualTo(HttpStatusCode.TooManyRequests);
+    }
+}

EssentialCSharp.Web.Tests/McpTests.cs

@@ -28,7 +28,23 @@ public async Task McpEndpoint_WithoutToken_Returns401()
         using var request = McpTestHelper.CreateInitializeRequest("/mcp");
         using HttpResponseMessage response = await client.SendAsync(request);
 
-        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+        await AssertUnauthorizedMcpChallengeAsync(response);
+    }
+
+    [Test]
+    public async Task McpEndpoint_WithSiteCookieButWithoutBearer_Returns401()
+    {
+        string cookieUserId = await McpTestHelper.CreateUserAsync(factory, "mcp-cookie-only");
+        (string cookieName, string cookieValue) =
+            await McpTestHelper.CreateIdentityApplicationCookieAsync(factory, cookieUserId);
+
+        HttpClient client = McpTestHelper.CreateClient(factory);
+        using var request = McpTestHelper.CreateInitializeRequest("/mcp");
+        McpTestHelper.AddCookie(request, cookieName, cookieValue);
+
+        using HttpResponseMessage response = await client.SendAsync(request);
+
+        await AssertUnauthorizedMcpChallengeAsync(response);
     }
 
     [Test]
@@ -96,7 +112,7 @@ public async Task McpEndpoint_WithInvalidToken_Returns401()
         using var request = McpTestHelper.CreateInitializeRequest("/mcp");
         McpTestHelper.AddBearerToken(request, "mcp_invalid_token_that_does_not_exist");
         using HttpResponseMessage response = await client.SendAsync(request);
-        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+        await AssertUnauthorizedMcpChallengeAsync(response);
     }
 
     [Test]
@@ -115,7 +131,7 @@ public async Task McpEndpoint_WithRevokedToken_Returns401()
         using var request = McpTestHelper.CreateInitializeRequest("/mcp");
         McpTestHelper.AddBearerToken(request, rawToken);
         using HttpResponseMessage response = await client.SendAsync(request);
-        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+        await AssertUnauthorizedMcpChallengeAsync(response);
     }
 
     [Test]
@@ -131,7 +147,25 @@ public async Task McpEndpoint_WithExpiredToken_Returns401()
         using var request = McpTestHelper.CreateInitializeRequest("/mcp");
         McpTestHelper.AddBearerToken(request, rawToken);
         using HttpResponseMessage response = await client.SendAsync(request);
-        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+        await AssertUnauthorizedMcpChallengeAsync(response);
+    }
+
+    [Test]
+    public async Task WellKnownOAuthProtectedResource_AllMethodsReturn404WithoutRedirectAndNoStore()
+    {
+        HttpClient client = McpTestHelper.CreateClient(factory);
+
+        foreach (HttpMethod method in new[] { HttpMethod.Get, HttpMethod.Post, HttpMethod.Options })
+        {
+            using var request = new HttpRequestMessage(method, "/.well-known/oauth-protected-resource");
+            using HttpResponseMessage response = await client.SendAsync(request);
+
+            await Assert.That(response.StatusCode)
+                .IsEqualTo(HttpStatusCode.NotFound)
+                .Because($"/.well-known should short-circuit for {method} requests");
+            await Assert.That(response.Headers.Location).IsNull();
+            await Assert.That(response.Headers.CacheControl?.NoStore ?? false).IsTrue();
+        }
     }
 
     [Test]
@@ -169,4 +203,12 @@ public async Task McpEndpoint_GetFromLoopbackOrigin_Returns405WithoutRedirect()
         await Assert.That(response.Headers.TryGetValues("Access-Control-Allow-Origin", out IEnumerable<string>? origins)).IsTrue();
         await Assert.That(origins?.SingleOrDefault()).IsEqualTo("http://localhost:6274");
     }
+
+    private static async Task AssertUnauthorizedMcpChallengeAsync(HttpResponseMessage response)
+    {
+        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+        await Assert.That(response.Headers.Location).IsNull();
+        await Assert.That(response.Headers.TryGetValues("WWW-Authenticate", out IEnumerable<string>? values)).IsTrue();
+        await Assert.That(values?.Any(value => value.Contains("Bearer", StringComparison.OrdinalIgnoreCase)) ?? false).IsTrue();
+    }
 }

EssentialCSharp.Web/Auth/McpApiKeyAuthenticationHandler.cs

@@ -18,6 +18,17 @@ public class McpApiKeyAuthenticationHandler(
     McpApiTokenService tokenService)
     : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
 {
+    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        Response.StatusCode = StatusCodes.Status401Unauthorized;
+        if (!Response.Headers.ContainsKey("WWW-Authenticate"))
+        {
+            Response.Headers.Append("WWW-Authenticate", "Bearer");
+        }
+
+        return Task.CompletedTask;
+    }
+
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
         if (!McpBearerAuthentication.TryGetRawToken(Request, out string? rawToken))

EssentialCSharp.Web/Program.cs

@@ -553,6 +553,18 @@ await McpJsonRpcResponseWriter.WriteErrorAsync(
             .RequireAuthorization("McpPolicy")
             .RequireRateLimiting(McpRateLimiterPolicy.PolicyName);
 
+        app.Map("/.well-known", (HttpResponse response) =>
+        {
+            response.Headers.CacheControl = "no-store";
+            return Results.NotFound();
+        }).DisableRateLimiting();
+
+        app.Map("/.well-known/{**path}", (HttpResponse response) =>
+        {
+            response.Headers.CacheControl = "no-store";
+            return Results.NotFound();
+        }).DisableRateLimiting();
+
         app.MapFallbackToController("Index", "Home");
 
         // Generate sitemap.xml at startup