Update 401 handling logic. Remove pragma warning silencing.

Author: localden

src/ModelContextProtocol/Authentication/AuthorizationDelegatingHandler.cs

@@ -42,73 +42,114 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
         if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
         {
-            // Gather the schemes the server wants us to use from WWW-Authenticate headers
-            var serverSchemes = ExtractServerSupportedSchemes(response);
+            return await HandleUnauthorizedResponseAsync(request, response, cancellationToken).ConfigureAwait(false);
+        }
+
+        return response;
+    }
+
+    /// <summary>
+    /// Handles a 401 Unauthorized response by attempting to authenticate and retry the request.
+    /// </summary>
+    private async Task<HttpResponseMessage> HandleUnauthorizedResponseAsync(
+        HttpRequestMessage originalRequest, 
+        HttpResponseMessage response, 
+        CancellationToken cancellationToken)
+    {
+        // Gather the schemes the server wants us to use from WWW-Authenticate headers
+        var serverSchemes = ExtractServerSupportedSchemes(response);
+
+        // Find the intersection between what the server supports and what our provider supports
+        var supportedSchemes = _authorizationProvider.SupportedSchemes.ToList();
+        string? bestSchemeMatch = null;
+
+        // First try to find a direct match with the current scheme if it's still valid
+        string schemeUsed = originalRequest.Headers.Authorization?.Scheme ?? _currentScheme ?? string.Empty;
+        if (serverSchemes.Contains(schemeUsed) && supportedSchemes.Contains(schemeUsed))
+        {
+            bestSchemeMatch = schemeUsed;
+        }
+        else
+        {
+            // Try to find any matching scheme between server and provider using a HashSet for O(N) time complexity
+            // Convert the supported schemes to a HashSet for O(1) lookups
+            var supportedSchemesSet = new HashSet<string>(supportedSchemes, StringComparer.OrdinalIgnoreCase);
 
-            // Find the intersection between what the server supports and what our provider supports
-            var supportedSchemes = _authorizationProvider.SupportedSchemes.ToList();
-            string? bestSchemeMatch = null;
+            // Find the first server scheme that's in our supported set
+            bestSchemeMatch = serverSchemes.FirstOrDefault(scheme => supportedSchemesSet.Contains(scheme));
 
-            // First try to find a direct match with the current scheme if it's still valid
-            string schemeUsed = request.Headers.Authorization?.Scheme ?? _currentScheme ?? string.Empty;
-            if (serverSchemes.Contains(schemeUsed) && supportedSchemes.Contains(schemeUsed))
-            {
-                bestSchemeMatch = schemeUsed;
-            }
-            else
+            // If no match was found, either throw an exception or use default
+            if (bestSchemeMatch is null)
             {
-                // Try to find any matching scheme between server and provider using a HashSet for O(N) time complexity
-                // Convert the supported schemes to a HashSet for O(1) lookups
-                var supportedSchemesSet = new HashSet<string>(supportedSchemes, StringComparer.OrdinalIgnoreCase);
-                
-                // Find the first server scheme that's in our supported set
-                bestSchemeMatch = serverSchemes.FirstOrDefault(scheme => supportedSchemesSet.Contains(scheme));
-                
-                // If no match was found, either throw an exception or use default
-                if (bestSchemeMatch is null)
+                if (serverSchemes.Count > 0)
                 {
-                    if (serverSchemes.Count > 0)
-                    {
-                        throw new AuthenticationSchemeMismatchException(
-                            $"No matching authentication scheme found. Server supports: [{string.Join(", ", serverSchemes)}], " +
-                            $"Provider supports: [{string.Join(", ", supportedSchemes)}].",
-                            serverSchemes,
-                            supportedSchemes);
-                    }
-
-                    // If the server didn't specify any schemes, use the provider's default
-                    bestSchemeMatch = supportedSchemes.FirstOrDefault();
+                    throw new AuthenticationSchemeMismatchException(
+                        $"No matching authentication scheme found. Server supports: [{string.Join(", ", serverSchemes)}], " +
+                        $"Provider supports: [{string.Join(", ", supportedSchemes)}].",
+                        serverSchemes,
+                        supportedSchemes);
                 }
+
+                // If the server didn't specify any schemes, use the provider's default
+                bestSchemeMatch = supportedSchemes.FirstOrDefault();
+            }
+        }
+
+        // If we have a scheme to try, use it
+        if (bestSchemeMatch != null)
+        {
+            // Try to handle the 401 response with the selected scheme
+            var (handled, recommendedScheme) = await _authorizationProvider.HandleUnauthorizedResponseAsync(
+                response,
+                bestSchemeMatch,
+                cancellationToken).ConfigureAwait(false);
+
+            if (!handled)
+            {
+                throw new McpException(
+                    $"Failed to handle unauthorized response with scheme '{bestSchemeMatch}'. " +
+                    "The authentication provider was unable to process the authentication challenge.");
             }
 
-            // If we have a scheme to try, use it
-            if (bestSchemeMatch != null)
+            _currentScheme = recommendedScheme ?? bestSchemeMatch;
+            
+            var retryRequest = new HttpRequestMessage(originalRequest.Method, originalRequest.RequestUri)
             {
-                // Try to handle the 401 response with the selected scheme
-                var (handled, recommendedScheme) = await _authorizationProvider.HandleUnauthorizedResponseAsync(
-                    response,
-                    bestSchemeMatch,
-                    cancellationToken).ConfigureAwait(false);
-
-                if (handled)
-                {
-                    var retryRequest = await CloneHttpRequestMessageAsync(request).ConfigureAwait(false);
-                    
-                    _currentScheme = recommendedScheme ?? bestSchemeMatch;
-                    
-                    await AddAuthorizationHeaderAsync(retryRequest, _currentScheme, cancellationToken).ConfigureAwait(false);
-                    return await base.SendAsync(retryRequest, cancellationToken).ConfigureAwait(false);
-                }
-                else
+                Version = originalRequest.Version,
+#if NET
+                VersionPolicy = originalRequest.VersionPolicy,
+#endif
+                Content = originalRequest.Content
+            };
+            
+            // Copy headers except Authorization which we'll set separately
+            foreach (var header in originalRequest.Headers)
+            {
+                if (!header.Key.Equals("Authorization", StringComparison.OrdinalIgnoreCase))
                 {
-                    throw new McpException(
-                        $"Failed to handle unauthorized response with scheme '{bestSchemeMatch}'. " +
-                        "The authentication provider was unable to process the authentication challenge.");
+                    retryRequest.Headers.TryAddWithoutValidation(header.Key, header.Value);
                 }
             }
-        }
+#if NET
+            foreach (var property in originalRequest.Options)
+            {
+                retryRequest.Options.Set(new HttpRequestOptionsKey<object?>(property.Key), property.Value);
+            }
+#else
+            foreach (var property in originalRequest.Properties)
+            {
+                retryRequest.Properties.Add(property);
+            }
+#endif
 
-        return response;
+            // Add the new authorization header
+            await AddAuthorizationHeaderAsync(retryRequest, _currentScheme, cancellationToken).ConfigureAwait(false);
+            
+            // Send the retry request
+            return await base.SendAsync(retryRequest, cancellationToken).ConfigureAwait(false);
+        }
+        
+        return response; // Return the original response if we couldn't handle it
     }
 
     /// <summary>
@@ -149,46 +190,4 @@ private async Task AddAuthorizationHeaderAsync(HttpRequestMessage request, strin
             }
         }
     }
-
-    /// <summary>
-    /// Creates a clone of the HTTP request message.
-    /// </summary>
-    private static async Task<HttpRequestMessage> CloneHttpRequestMessageAsync(HttpRequestMessage request)
-    {
-        var clone = new HttpRequestMessage(request.Method, request.RequestUri);
-
-        // Copy the request headers
-        foreach (var header in request.Headers)
-        {
-            clone.Headers.TryAddWithoutValidation(header.Key, header.Value);
-        }
-
-        // Copy the request content if present
-        if (request.Content != null)
-        {
-            var contentBytes = await request.Content.ReadAsByteArrayAsync().ConfigureAwait(false);
-            var cloneContent = new ByteArrayContent(contentBytes);
-
-            // Copy the content headers
-            foreach (var header in request.Content.Headers)
-            {
-                cloneContent.Headers.TryAddWithoutValidation(header.Key, header.Value);
-            }
-
-            clone.Content = cloneContent;
-        }
-
-        // Copy the request properties
-#pragma warning disable CS0618 // Type or member is obsolete
-        foreach (var property in request.Properties)
-        {
-            clone.Properties.Add(property);
-        }
-#pragma warning restore CS0618 // Type or member is obsolete
-
-        // Copy the request version
-        clone.Version = request.Version;
-
-        return clone;
-    }
 }