fix(auth): reduce token TTL and explicitly reject missing workspace slug

adamoutler · adamoutler · commit 9493f083e1b7 · 2026-04-09T23:21:13.000-04:00
diff --git a/plane_mcp/auth/plane_header_auth_provider.py b/plane_mcp/auth/plane_header_auth_provider.py
@@ -21,7 +21,7 @@ async def verify_token(self, token: str) -> AccessToken | None:
                 workspace_slug = headers.get("x-workspace-slug")
                 if workspace_slug:
                     logger.info("Using API key from HTTP headers")
-                    expires_at = int(time.time() + 3600)
+                    expires_at = int(time.time() + 300)
                     return AccessToken(
                         token=token,
                         client_id="api_key_header_user",
@@ -34,6 +34,8 @@ async def verify_token(self, token: str) -> AccessToken | None:
                     )
                 else:
                     logger.warning("x-api-key header found but x-workspace-slug is missing")
+                    from fastapi import HTTPException
+                    raise HTTPException(status_code=401, detail="Missing x-workspace-slug header. This header is required to scope the API key to a specific workspace.")
         except RuntimeError:
             # No active HTTP request available (e.g., stdio transport)
             logger.debug("No active HTTP request available for header check")
