Merge pull request #160 from QuantGeekDev/fix/80-apikey-auth-fallbacks

fix: API key auth fallbacks for SSE clients without custom headers

Author: QuantGeekDev

src/auth/providers/apikey.ts

@@ -13,7 +13,10 @@ export interface APIKeyConfig {
   keys: string[];
 
   /**
-   * Name of the header containing the API key
+   * Name of the header containing the API key.
+   * Note: Some SSE client libraries (including the standard EventSource API)
+   * do not support custom headers. For these clients, the API key can also
+   * be sent as a query parameter: ?api_key=<key> or ?apiKey=<key>
    * @default "X-API-Key"
    */
   headerName?: string;
@@ -78,8 +81,37 @@ export class APIKeyAuthProvider implements AuthProvider {
       }
     }
 
+    // Fallback: check Authorization Bearer header
+    // Some clients (e.g., LangChain) may send API key as Bearer token
     if (!apiKey) {
-      logger.debug(`API Key header missing}`);
+      const authHeader = req.headers['authorization'];
+      if (authHeader && typeof authHeader === 'string' && authHeader.startsWith('Bearer ')) {
+        const bearerToken = authHeader.slice(7).trim();
+        if (bearerToken) {
+          apiKey = bearerToken;
+          matchedHeader = 'Authorization Bearer';
+          logger.debug('API key found in Authorization Bearer header (fallback)');
+        }
+      }
+    }
+
+    // Fallback: check query parameter for SSE clients that cannot send custom headers
+    if (!apiKey && req.url) {
+      try {
+        const url = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
+        const queryKey = url.searchParams.get('api_key') || url.searchParams.get('apiKey');
+        if (queryKey) {
+          apiKey = queryKey;
+          matchedHeader = 'query parameter';
+          logger.debug('API key found in query parameter (EventSource fallback)');
+        }
+      } catch {
+        // URL parsing failed, skip query parameter check
+      }
+    }
+
+    if (!apiKey) {
+      logger.debug(`API Key header missing`);
       logger.debug(`Available headers: ${Object.keys(req.headers).join(', ')}`);
       return false;
     }

src/transports/utils/auth-handler.ts

@@ -28,12 +28,31 @@ export async function handleAuthentication(
 
   const isApiKey = authConfig.provider instanceof APIKeyAuthProvider;
 
-  // Special handling for API Key - check header exists before authenticate
+  // Special handling for API Key - check header/Bearer/query exists before authenticate
   if (isApiKey) {
     const provider = authConfig.provider as APIKeyAuthProvider;
     const headerValue = getRequestHeader(req.headers, provider.getHeaderName());
 
+    // Also check Authorization Bearer and query parameter as fallbacks
+    // (for SSE clients like EventSource that can't send custom headers)
+    let hasFallbackKey = false;
     if (!headerValue) {
+      const authHeader = req.headers['authorization'];
+      if (authHeader && typeof authHeader === 'string' && authHeader.startsWith('Bearer ')) {
+        hasFallbackKey = true;
+      }
+
+      if (!hasFallbackKey && req.url) {
+        try {
+          const url = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
+          hasFallbackKey = !!(url.searchParams.get('api_key') || url.searchParams.get('apiKey'));
+        } catch {
+          // URL parsing failed
+        }
+      }
+    }
+
+    if (!headerValue && !hasFallbackKey) {
       const error = provider.getAuthError?.() || DEFAULT_AUTH_ERROR;
       res.setHeader('WWW-Authenticate', `ApiKey realm="MCP Server", header="${provider.getHeaderName()}"`);
       res.writeHead(error.status).end(