Remove WWW-Authenticate: Bearer challenge from MCP 401 responses

The Bearer challenge (RFC 6750) triggers the MCP 2025 spec's mandatory OAuth
2.0 Protected Resource Metadata discovery flow in compliant clients such as the
GitHub Copilot CLI add-server wizard. The wizard probes /.well-known/*, finds
no authorization server metadata, and falls back to prompting the user for
OAuth client credentials they don't have.

This server uses opaque mcp_... API tokens stored in the database — not OAuth.
Removing the challenge stops compliant clients from entering the OAuth flow
while still returning the correct 401 status for unauthenticated requests.

Update tests: AssertUnauthorizedMcpChallengeAsync now explicitly asserts that
WWW-Authenticate is absent, documenting the intentional behaviour.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: BenjaminMichaelis

EssentialCSharp.Web.Tests/McpTests.cs

@@ -208,7 +208,10 @@ private static async Task AssertUnauthorizedMcpChallengeAsync(HttpResponseMessag
     {
         await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
         await Assert.That(response.Headers.Location).IsNull();
-        await Assert.That(response.Headers.TryGetValues("WWW-Authenticate", out IEnumerable<string>? values)).IsTrue();
-        await Assert.That(values?.Any(value => value.Contains("Bearer", StringComparison.OrdinalIgnoreCase)) ?? false).IsTrue();
+        // WWW-Authenticate: Bearer must NOT be present. Emitting a Bearer challenge triggers the
+        // MCP 2025 spec's OAuth 2.0 Protected Resource Metadata discovery flow in compliant
+        // clients (e.g. GitHub Copilot CLI), causing them to prompt the user for OAuth credentials
+        // even though this server uses opaque API tokens, not OAuth.
+        await Assert.That(response.Headers.Contains("WWW-Authenticate")).IsFalse();
     }
 }

EssentialCSharp.Web/Auth/McpApiKeyAuthenticationHandler.cs

@@ -21,11 +21,13 @@ public class McpApiKeyAuthenticationHandler(
     protected override Task HandleChallengeAsync(AuthenticationProperties properties)
     {
         Response.StatusCode = StatusCodes.Status401Unauthorized;
-        if (!Response.Headers.ContainsKey("WWW-Authenticate"))
-        {
-            Response.Headers.Append("WWW-Authenticate", "Bearer");
-        }
-
+        // Intentionally omit WWW-Authenticate: Bearer.
+        // RFC 6750 "Bearer" challenges trigger the MCP 2025 spec's mandatory OAuth 2.0
+        // Protected Resource Metadata discovery flow in compliant clients (e.g. GitHub
+        // Copilot CLI). This server uses opaque mcp_... API tokens — not OAuth — so
+        // advertising a Bearer challenge would cause clients to attempt OAuth discovery,
+        // fail to find authorization server metadata, and prompt the user for OAuth
+        // credentials they don't have.
         return Task.CompletedTask;
     }