Fix MCP server auth being invalidated when only URL query parameters change

Author: ericdallo

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Fix MCP server auth being invalidated when only URL query parameters change.
+
 ## 0.115.2
 
 - Fix STDIO MCP server deadlock caused by list_changed notification handlers blocking the reader thread.

src/eca/features/tools/mcp.clj

@@ -342,8 +342,9 @@
             ;; Skip OAuth entirely if Authorization header is configured
             has-static-auth? (some-> server-config :headers :Authorization some?)
             mcp-auth (get-in @db* [:mcp-auth name])
-            ;; Invalidate cached credentials when URL changed
-            mcp-auth (when (= url (:url mcp-auth)) mcp-auth)
+            ;; Invalidate cached credentials when base URL changed (ignore query params)
+            mcp-auth (when (= (oauth/url-without-query url)
+                              (oauth/url-without-query (:url mcp-auth))) mcp-auth)
             has-token? (some? (:access-token mcp-auth))
             token-expired? (token-expired? (:expires-at mcp-auth))
             ;; Try to refresh if token exists but is expired

src/eca/oauth.clj

@@ -51,6 +51,15 @@
          (when (pos? (.getPort uri))
            (str ":" (.getPort uri))))))
 
+(defn url-without-query
+  "Strip query string and fragment from a URL, preserving scheme, authority and path.
+   E.g., 'https://api.example.com/v1/mcp?token=x#frag' -> 'https://api.example.com/v1/mcp'
+   Returns nil for nil input."
+  [^String url]
+  (when url
+    (let [uri (java.net.URI. url)]
+      (str (.getScheme uri) "://" (.getAuthority uri) (.getPath uri)))))
+
 (defn get-free-port []
   (let [socket (java.net.ServerSocket. 0)
         port (.getLocalPort socket)]

test/eca/oauth_test.clj

@@ -330,3 +330,35 @@
                                {:status 404}))]
       (let [info (oauth/oauth-info "https://example.com/mcp" nil)]
         (is (= oauth/eca-client-id (:client-id info)))))))
+
+(deftest url-without-query-test
+  (testing "strips query string"
+    (is (= "https://mcp.example.com/v1"
+           (oauth/url-without-query "https://mcp.example.com/v1?token=x&debug=true"))))
+
+  (testing "strips fragment"
+    (is (= "https://mcp.example.com/v1"
+           (oauth/url-without-query "https://mcp.example.com/v1#section"))))
+
+  (testing "strips both query and fragment"
+    (is (= "https://mcp.example.com/v1"
+           (oauth/url-without-query "https://mcp.example.com/v1?a=1#frag"))))
+
+  (testing "returns URL unchanged when no query or fragment"
+    (is (= "https://mcp.example.com/v1/mcp"
+           (oauth/url-without-query "https://mcp.example.com/v1/mcp"))))
+
+  (testing "preserves port"
+    (is (= "https://mcp.example.com:8443/v1"
+           (oauth/url-without-query "https://mcp.example.com:8443/v1?key=val"))))
+
+  (testing "different paths are distinct"
+    (is (not= (oauth/url-without-query "https://mcp.example.com/v1")
+              (oauth/url-without-query "https://mcp.example.com/v2"))))
+
+  (testing "different hosts are distinct"
+    (is (not= (oauth/url-without-query "https://a.example.com/v1")
+              (oauth/url-without-query "https://b.example.com/v1"))))
+
+  (testing "returns nil for nil input"
+    (is (nil? (oauth/url-without-query nil)))))