Merge branch 'dr-upstream-auth-value-from-env-optional' into 'main'

fix(upstream-auth): inherit interceptors.auth format + fix OAuth-only gate bypass

See merge request ai-adoption/mcp/mcp4openapi!13

Author: Růžička, David

docs/PROFILE-GUIDE.md

@@ -104,31 +104,59 @@ When `enterprise_authorization.mode` is `required`, HTTP initialization accepts
 
 - `transport.type` must be `"http-streamable"`
 - `transport.url` must be an absolute `http` or `https` URL without inline credentials
-- `auth.type` may be `bearer`, `query`, or `custom-header`
-- `auth.value_from_env` names the env variable that holds the credential (token, header value, or query param value); inline secrets are not supported for any auth type. The downstream client token always takes precedence - `value_from_env` is used only as a local fallback when the client sends no token (e.g. server-side deployments sharing a fixed env secret)
+- `auth` is **optional**. When omitted, the auth format is inherited from `interceptors.auth` (see below).
+- `auth.type` may be `bearer`, `query`, or `custom-header`. Set explicitly only when the upstream expects a different format than inbound clients use.
+- `auth.value_from_env` names the env variable holding the credential — **stdio transport only**. On HTTP transport the downstream client's session token is always forwarded directly; `value_from_env` is never read.
 - `upstream_mcp_from_env` must point to a single JSON object and takes precedence over static `upstream_mcp`
 - `stdio` upstream definitions are intentionally rejected in this iteration so the later feature-gated implementation can add process lifecycle hardening separately
 
-Example:
+#### Auth inheritance from `interceptors.auth`
+
+When `upstream_mcp.auth` is omitted, the gateway inherits the auth format from `interceptors.auth` using the same priority-based selection as outbound OpenAPI calls. Only `bearer`, `query`, and `custom-header` types are inherited — `oauth` and `session-cookie` are not forwarded.
+
+**Common case — client Bearer token forwarded as Bearer to upstream (zero config):**
 
 ```json
 {
-  "upstream_mcp_from_env": "MCP4_UPSTREAM_MCP_JSON",
+  "interceptors": {
+    "auth": { "type": "bearer", "value_from_env": "MY_API_TOKEN" }
+  },
   "upstream_mcp": {
     "name": "remote-mcp",
-    "transport": {
-      "type": "http-streamable",
-      "url": "https://remote-mcp.example/mcp"
-    },
-    "auth": {
-      "type": "bearer",
-      "value_from_env": "REMOTE_MCP_TOKEN"
-    },
+    "transport": { "type": "http-streamable", "url": "https://remote-mcp.example/mcp" }
+  }
+}
+```
+
+The client's `Authorization: Bearer <token>` is extracted from the inbound request and forwarded as-is to the upstream. If the inbound request carries no token, the upstream connection is refused. On stdio, `value_from_env` from `interceptors.auth` is used as the service-account credential.
+
+**Override — upstream expects a different format than inbound clients:**
+
+```json
+{
+  "interceptors": {
+    "auth": { "type": "custom-header", "header_name": "X-Client-Key", "value_from_env": "CLIENT_KEY" }
+  },
+  "upstream_mcp": {
+    "name": "remote-mcp",
+    "transport": { "type": "http-streamable", "url": "https://remote-mcp.example/mcp" },
+    "auth": { "type": "bearer" }
+  }
+}
+```
+
+Clients authenticate with `X-Client-Key`; gateway forwards to upstream as `Authorization: Bearer`.
+
+**Explicit `value_from_env` on `upstream_mcp.auth` (stdio only):**
+
+```json
+{
+  "upstream_mcp": {
+    "name": "remote-mcp",
+    "transport": { "type": "http-streamable", "url": "https://remote-mcp.example/mcp" },
+    "auth": { "type": "bearer", "value_from_env": "UPSTREAM_TOKEN" },
     "tool_prefix": "remote",
-    "tools": {
-      "allow": ["github_*"],
-      "deny": ["admin_*"]
-    },
+    "tools": { "allow": ["github_*"], "deny": ["admin_*"] },
     "timeout_ms": 30000
   }
 }

src/generated-schemas.ts

@@ -35,7 +35,7 @@ export const authTokenConfigSchema = z.object({
 });
 
 export const upstreamMcpAuthConfigSchema = authTokenConfigSchema.extend({
-    value_from_env: z.string()
+    value_from_env: z.string().optional()
 });
 
 export const resourceFetchDefinitionSchema = z.object({

src/mcp/mcp-server.test.ts

@@ -4837,6 +4837,106 @@ paths:
       });
     });
 
+    // -------------------------------------------------------------------------
+    describe('getEffectiveUpstreamAuth', () => {
+      it('skips oauth and returns bearer when interceptors.auth = [oauth, bearer]', async () => {
+        const provider = { ...upstreamProvider }; // no provider.auth
+        (upstreamServer as any).profile.interceptors = {
+          auth: [
+            { type: 'oauth' },
+            { type: 'bearer', value_from_env: 'BEARER_TOKEN' },
+          ],
+        };
+        (upstreamServer as any).httpTransport = {
+          ...(upstreamServer as any).httpTransport,
+          getUpstreamMcpConfig: () => provider,
+          getSessionToken: () => 'client-token',
+        };
+        try {
+          await (upstreamServer as any).handleOtherRequest(
+            { jsonrpc: '2.0', id: '1', method: 'tools/list', params: {} },
+            'session-123',
+            'upstream-profile',
+          );
+          // effectiveAuth should be bearer; effectiveProvider passed to client should have auth.type === 'bearer'
+          expect(mockGetUpstreamClient).toHaveBeenCalledWith(
+            'session-123',
+            expect.objectContaining({ auth: expect.objectContaining({ type: 'bearer' }) }),
+            'client-token',
+          );
+        } finally {
+          delete (upstreamServer as any).profile.interceptors;
+        }
+      });
+
+      it('returns undefined when interceptors.auth = [session-cookie] only', () => {
+        const server = new MCPServer();
+        (server as any).profile = {
+          profile_name: 'p',
+          tools: [],
+          interceptors: { auth: [{ type: 'session-cookie' }] },
+        };
+        const result = (server as any).getEffectiveUpstreamAuth({ name: 'x', transport: { type: 'http-streamable', url: 'https://example.com' } });
+        expect(result).toBeUndefined();
+      });
+
+      it('priority sort: lower priority value wins — query(priority:1) before bearer(priority:5)', () => {
+        const server = new MCPServer();
+        (server as any).profile = {
+          profile_name: 'p',
+          tools: [],
+          interceptors: {
+            auth: [
+              { type: 'bearer', value_from_env: 'T', priority: 5 },
+              { type: 'query', value_from_env: 'T', query_param: 'token', priority: 1 },
+            ],
+          },
+        };
+        const result = (server as any).getEffectiveUpstreamAuth({ name: 'x', transport: { type: 'http-streamable', url: 'https://example.com' } });
+        expect(result?.type).toBe('query');
+      });
+
+      it('uses provider.auth directly and ignores interceptors.auth when provider.auth set', () => {
+        const server = new MCPServer();
+        (server as any).profile = {
+          profile_name: 'p',
+          tools: [],
+          interceptors: { auth: [{ type: 'bearer', value_from_env: 'INTERCEPTOR_TOKEN' }] },
+        };
+        const providerAuth = { type: 'bearer' as const, value_from_env: 'PROVIDER_TOKEN' };
+        const result = (server as any).getEffectiveUpstreamAuth({
+          name: 'x',
+          transport: { type: 'http-streamable', url: 'https://example.com' },
+          auth: providerAuth,
+        });
+        expect(result).toBe(providerAuth);
+      });
+
+      it('blocks anonymous HTTP session when interceptors.auth contains only oauth (gate bypass fix)', async () => {
+        const provider = { ...upstreamProvider }; // no provider.auth
+        (upstreamServer as any).profile.interceptors = {
+          auth: [{ type: 'oauth' }],
+        };
+        (upstreamServer as any).httpTransport = {
+          ...(upstreamServer as any).httpTransport,
+          getUpstreamMcpConfig: () => provider,
+          getSessionToken: () => undefined, // anonymous HTTP session
+        };
+        try {
+          const response = await (upstreamServer as any).handleOtherRequest(
+            { jsonrpc: '2.0', id: '1', method: 'tools/list', params: {} },
+            'session-123',
+            'upstream-profile',
+          ) as any;
+          expect(mockGetUpstreamClient).not.toHaveBeenCalled();
+          expect(response.error).toBeDefined();
+          expect(response.error.code).toBe(-32603);
+        } finally {
+          delete (upstreamServer as any).profile.interceptors;
+        }
+      });
+    });
+
     // -------------------------------------------------------------------------
     describe('tool_prefix warning', () => {
       it('emits a warning when tool_prefix is configured', async () => {

src/mcp/mcp-server.ts

@@ -50,7 +50,7 @@ import { OAUTH_RATE_LIMIT } from '../core/constants.js';
 import { HttpClient } from '../transport/interceptors.js';
 import { HttpClientFactory } from '../transport/http-client-factory.js';
 import { SchemaValidator } from '../validation/schema-validator.js';
-import type { Profile, ToolDefinition, AuthInterceptor, OAuthConfig, ProxyDownloadOperation, UpstreamMcpServerConfig } from '../types/profile.js';
+import type { Profile, ToolDefinition, AuthInterceptor, OAuthConfig, ProxyDownloadOperation, UpstreamMcpServerConfig, UpstreamMcpAuthConfig } from '../types/profile.js';
 import type { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { sanitizeToolList, isValidUpstreamToolName, applyProviderToolPolicy, isToolAllowedByProviderPolicy } from '../upstream/upstream-tool-sanitizer.js';
 import { UpstreamConnectionManager } from '../upstream/upstream-connection-manager.js';
@@ -1834,35 +1834,68 @@ export class MCPServer {
     return this.profile?.upstream_mcp;
   }
 
+  /**
+   * Resolve the effective upstream auth config for a provider.
+   * If upstream_mcp.auth is explicitly set, use it as-is.
+   * Otherwise inherit from interceptors.auth using the same selection logic as
+   * AuthStrategyRegistry (priority sort, first non-oauth/session-cookie entry).
+   * Only bearer/query/custom-header types are inherited — oauth and session-cookie
+   * cannot be meaningfully forwarded to an upstream MCP server.
+   */
+  private getEffectiveUpstreamAuth(provider: UpstreamMcpServerConfig): UpstreamMcpAuthConfig | undefined {
+    if (provider.auth) return provider.auth;
+    const raw = this.profile?.interceptors?.auth;
+    if (!raw) return undefined;
+    const configs = Array.isArray(raw) ? raw : [raw];
+    const sorted = [...configs].sort((a, b) => (a.priority ?? 0) - (b.priority ?? 0));
+    const selected = sorted.find(c => ['bearer', 'query', 'custom-header'].includes(c.type));
+    if (!selected) return undefined;
+    return {
+      type: selected.type as UpstreamMcpAuthConfig['type'],
+      header_name: selected.header_name,
+      query_param: selected.query_param,
+      value_from_env: selected.value_from_env,
+    };
+  }
+
   /**
    * Extract the auth token to use for upstream MCP calls.
-   * Downstream client token takes precedence; value_from_env acts as local fallback
-   * only for non-HTTP contexts (stdio) where there is no session concept.
+   * On HTTP transport the downstream client's session token is always forwarded directly.
+   * On stdio, value_from_env from the effective auth config (upstream_mcp.auth or inherited
+   * from interceptors.auth) is used as the service-account credential.
    *
-   * Security invariant: for HTTP transport, value_from_env (server-held upstream credential)
-   * is NEVER used — an HTTP session with no verified client token is an anonymous session
-   * (e.g. allowed by hasServerEnvAuthToken on the inbound side) and must not receive
-   * privileged upstream access. This closes the open-proxy escalation path regardless of
-   * whether inbound auth is configured.
+   * Security invariant: if any auth is configured (directly or inherited), an HTTP session
+   * with no verified client token is rejected — prevents anonymous clients from reaching
+   * privileged upstream resources.
    */
-  private getUpstreamToken(sessionId: string | undefined, profileId: string | undefined, provider: UpstreamMcpServerConfig): string | undefined {
+  private getUpstreamToken(
+    sessionId: string | undefined,
+    profileId: string | undefined,
+    provider: UpstreamMcpServerConfig,
+    effectiveAuth: UpstreamMcpAuthConfig | undefined,
+  ): string | undefined {
     if (this.httpTransport && sessionId && profileId) {
       const sessionToken = this.httpTransport.getSessionToken(profileId, sessionId);
       if (sessionToken) return sessionToken;
-      // HTTP session carries no verified client token — refuse to forward server-held
-      // upstream credentials to an anonymous caller.
-      if (provider.auth?.value_from_env) {
+      // Reject anonymous HTTP sessions when ANY auth is configured (directly or inherited).
+      // effectiveAuth is undefined for oauth/session-cookie-only interceptors (those types can't
+      // be forwarded), but the presence of auth config still signals the endpoint must be protected.
+      const interceptorsAuth = this.profile?.interceptors?.auth;
+      const hasAnyInterceptorsAuth = Array.isArray(interceptorsAuth)
+        ? interceptorsAuth.length > 0
+        : !!interceptorsAuth;
+      if (provider.auth || hasAnyInterceptorsAuth) {
         throw new UpstreamConnectionError(
-          'upstream_mcp.auth.value_from_env requires an authenticated HTTP session — ' +
-          'the inbound caller must supply a verified identity token.',
+          'upstream_mcp proxy requires an authenticated HTTP session — ' +
+          'the inbound client must supply a verified token.',
           provider.name,
         );
       }
       return undefined;
     }
-    // Non-HTTP path (stdio): no session concept; value_from_env allowed for service-account use.
-    if (provider.auth?.value_from_env) {
-      return process.env[provider.auth.value_from_env];
+    // Non-HTTP path (stdio): use value_from_env from effective auth (may come from interceptors.auth)
+    if (effectiveAuth?.value_from_env) {
+      return process.env[effectiveAuth.value_from_env];
     }
     return undefined;
   }
@@ -1890,8 +1923,10 @@ export class MCPServer {
       });
     }
     try {
-      const token = this.getUpstreamToken(sessionId, profileId, provider);
-      const client = await this.getUpstreamClientFn!(sessionId, provider, token);
+      const effectiveAuth = this.getEffectiveUpstreamAuth(provider);
+      const effectiveProvider = effectiveAuth !== provider.auth ? { ...provider, auth: effectiveAuth } : provider;
+      const token = this.getUpstreamToken(sessionId, profileId, provider, effectiveAuth);
+      const client = await this.getUpstreamClientFn!(sessionId, effectiveProvider, token);
       const result = await client.listTools();
       if (!result || typeof result !== 'object') {
         throw new UpstreamMalformedResponseError(
@@ -1984,8 +2019,10 @@ export class MCPServer {
     }
 
     try {
-      const token = this.getUpstreamToken(sessionId, profileId, provider);
-      const client = await this.getUpstreamClientFn!(sessionId, provider, token);
+      const effectiveAuth = this.getEffectiveUpstreamAuth(provider);
+      const effectiveProvider = effectiveAuth !== provider.auth ? { ...provider, auth: effectiveAuth } : provider;
+      const token = this.getUpstreamToken(sessionId, profileId, provider, effectiveAuth);
+      const client = await this.getUpstreamClientFn!(sessionId, effectiveProvider, token);
       const result = await (provider.timeout_ms !== undefined
         ? client.callTool({ name: toolName, arguments: args }, undefined, { timeout: provider.timeout_ms })
         : client.callTool({ name: toolName, arguments: args }));

src/profile/profile-resolver.test.ts

@@ -193,6 +193,27 @@ describe('profile-resolver', () => {
     expect(profiles[0].envVars).toContain('LEGACY_UPSTREAM_TOKEN');
   });
 
+  it('reports authMethods=[] and envVars=[] for upstream_mcp proxy with no auth anywhere', async () => {
+    const root = await createTempDir();
+    const profilesDir = path.join(root, 'profiles');
+
+    await writeJson(path.join(profilesDir, 'no-auth-proxy.json'), {
+      profile_name: 'seznam-scif',
+      profile_id: 'seznam-scif',
+      tools: [],
+      upstream_mcp: {
+        name: 'scif',
+        transport: { type: 'http-streamable', url: 'https://scif.example.com/mcp' },
+      },
+    });
+
+    const profiles = await listProfilesDetailed(profilesDir);
+    expect(profiles).toHaveLength(1);
+    expect(profiles[0].authMethods).toEqual([]);
+    expect(profiles[0].envVars).toEqual([]);
+    expect(profiles[0].oauthEnvVars).toEqual([]);
+  });
+
   it('returns specPath=undefined for upstream_mcp proxy profile with no openapi_spec_path', async () => {
     const root = await createTempDir();
     const profilesDir = path.join(root, 'profiles');

src/profile/upstream-mcp-config.test.ts

@@ -98,6 +98,15 @@ describe('resolveUpstreamMcpConfig – validator error branches', () => {
     expect(() => resolveUpstreamMcpConfig(profile)).toThrow(/value_from_env must not be empty/);
   });
 
+  it('accepts bearer auth without value_from_env (HTTP session-passthrough)', () => {
+    const profile = makeProfile({
+      name: 'p1',
+      transport: { type: 'http-streamable', url: 'https://example.com/mcp' },
+      auth: { type: 'bearer' },
+    });
+    expect(() => resolveUpstreamMcpConfig(profile)).not.toThrow();
+  });
+
   it('rejects custom-header auth with unsafe header_name', () => {
     const profile = makeProfile({
       name: 'p1',

src/profile/upstream-mcp-config.ts

@@ -108,8 +108,8 @@ function validateUpstreamAuth(auth: UpstreamMcpAuthConfig | undefined, path: str
     );
   }
 
-  if (!auth.value_from_env.trim()) {
-    throw new ValidationError(`${path}.value_from_env must not be empty`, { path: `${path}.value_from_env` });
+  if (auth.value_from_env !== undefined && !auth.value_from_env.trim()) {
+    throw new ValidationError(`${path}.value_from_env must not be empty when provided`, { path: `${path}.value_from_env` });
   }
 
   if (auth.type === 'custom-header') {
@@ -263,7 +263,7 @@ export function resolveUpstreamMcpConfig(
     tool_prefix: provider.tool_prefix?.trim(),
     auth: provider.auth ? {
       ...provider.auth,
-      value_from_env: provider.auth.value_from_env.trim(),
+      value_from_env: provider.auth.value_from_env?.trim(),
       header_name: provider.auth.header_name?.trim(),
       query_param: provider.auth.query_param?.trim(),
     } : undefined,