Address PR feedback

halter73 · halter73 · commit d3186fd91751 · 2025-09-10T09:50:26.000-07:00
- Update filters.md to use DI and logging
- Update filters.md  Mention that uncaught McpExceptions get turned into JSON-RPC errors
- Added newlines to McpServer between blocks
- Remove TODO from AuthorizationFilterSetup now that an issue has been filed
diff --git a/docs/concepts/filters.md b/docs/concepts/filters.md
@@ -38,13 +38,15 @@ services.AddMcpServer()
     })
     .AddListToolsFilter(next => async (context, cancellationToken) =>
     {
+        var logger = context.Services?.GetService<ILogger<Program>>();
+
         // Pre-processing logic
-        Console.WriteLine("Before handler execution");
+        logger?.LogInformation("Before handler execution");
 
         var result = await next(context, cancellationToken);
 
         // Post-processing logic
-        Console.WriteLine("After handler execution");
+        logger?.LogInformation("After handler execution");
         return result;
     });
 ```
@@ -67,9 +69,11 @@ Execution flow: `filter1 -> filter2 -> filter3 -> baseHandler -> filter3 -> filt
 ```csharp
 .AddListToolsFilter(next => async (context, cancellationToken) =>
 {
-    Console.WriteLine($"Processing request from {context.Meta.ProgressToken}");
+    var logger = context.Services?.GetService<ILogger<Program>>();
+
+    logger?.LogInformation($"Processing request from {context.Meta.ProgressToken}");
     var result = await next(context, cancellationToken);
-    Console.WriteLine($"Returning {result.Tools?.Count ?? 0} tools");
+    logger?.LogInformation($"Returning {result.Tools?.Count ?? 0} tools");
     return result;
 });
 ```
@@ -97,10 +101,12 @@ Execution flow: `filter1 -> filter2 -> filter3 -> baseHandler -> filter3 -> filt
 ```csharp
 .AddListToolsFilter(next => async (context, cancellationToken) =>
 {
+    var logger = context.Services?.GetService<ILogger<Program>>();
+
     var stopwatch = Stopwatch.StartNew();
     var result = await next(context, cancellationToken);
     stopwatch.Stop();
-    Console.WriteLine($"Handler took {stopwatch.ElapsedMilliseconds}ms");
+    logger?.LogInformation($"Handler took {stopwatch.ElapsedMilliseconds}ms");
     return result;
 });
 ```
@@ -109,9 +115,13 @@ Execution flow: `filter1 -> filter2 -> filter3 -> baseHandler -> filter3 -> filt
 ```csharp
 .AddListResourcesFilter(next => async (context, cancellationToken) =>
 {
+    var cache = context.Services!.GetRequiredService<IMemoryCache>();
+
     var cacheKey = $"resources:{context.Params.Cursor}";
     if (cache.TryGetValue(cacheKey, out var cached))
-        return cached;
+    {
+        return (ListResourcesResult)cached;
+    }
 
     var result = await next(context, cancellationToken);
     cache.Set(cacheKey, result, TimeSpan.FromMinutes(5));
@@ -207,11 +217,7 @@ The authorization filters work differently for list operations versus individual
 For list operations, the filters automatically remove unauthorized items from the results. Users only see tools, prompts, or resources they have permission to access.
 
 #### Individual Operations (CallTool, GetPrompt, ReadResource)
-For individual operations, the filters return authorization errors when access is denied:
-
-- **Tools**: Returns a `CallToolResult` with `IsError = true` and an error message
-- **Prompts**: Throws an `McpException` with "Access forbidden" message
-- **Resources**: Throws an `McpException` with "Access forbidden" message
+For individual operations, the filters throw an `McpException` with "Access forbidden" message. These get turned into JSON-RPC errors if uncaught by middleware.
 
 ### Filter Execution Order and Authorization
 
@@ -232,18 +238,22 @@ services.AddMcpServer()
     .WithHttpTransport()
     .AddListToolsFilter(next => async (context, cancellationToken) =>
     {
+        var logger = context.Services?.GetService<ILogger<Program>>();
+
         // This filter runs BEFORE authorization - sees all tools
-        Console.WriteLine("Request for tools list - will see all tools");
+        logger?.LogInformation("Request for tools list - will see all tools");
         var result = await next(context, cancellationToken);
-        Console.WriteLine($"Returning {result.Tools?.Count ?? 0} tools after authorization");
+        logger?.LogInformation($"Returning {result.Tools?.Count ?? 0} tools after authorization");
         return result;
     })
     .AddAuthorizationFilters() // Authorization filtering happens here
     .AddListToolsFilter(next => async (context, cancellationToken) =>
     {
+        var logger = context.Services?.GetService<ILogger<Program>>();
+
         // This filter runs AFTER authorization - only sees authorized tools
         var result = await next(context, cancellationToken);
-        Console.WriteLine($"Post-auth filter sees {result.Tools?.Count ?? 0} authorized tools");
+        logger?.LogInformation($"Post-auth filter sees {result.Tools?.Count ?? 0} authorized tools");
         return result;
     })
     .WithTools<WeatherTools>();
diff --git a/src/ModelContextProtocol.AspNetCore/AuthorizationFilterSetup.cs b/src/ModelContextProtocol.AspNetCore/AuthorizationFilterSetup.cs
@@ -283,7 +283,6 @@ private async ValueTask<AuthorizationResult> GetAuthorizationResultAsync(
             throw new InvalidOperationException($"You must call AddAuthorization() because an authorization related attribute was found on {primitive.Id}");
         }
 
-        // TODO: Cache policy lookup. We would probably use a singleton (not-static) ConditionalWeakTable<IMcpServerPrimitive, AuthorizationPolicy?>.
         var policy = await CombineAsync(policyProvider, primitive.Metadata);
         if (policy is null)
         {
diff --git a/src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs b/src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs
@@ -279,10 +279,9 @@ internal static string MakeNewSessionId()
         // Implementation for reading a JSON-RPC message from the request body
         var message = await context.Request.ReadFromJsonAsync(s_messageTypeInfo, context.RequestAborted);
 
-        if (context.User?.Identity?.IsAuthenticated ?? false && message is not null)
+        if (context.User?.Identity?.IsAuthenticated == true && message is not null)
         {
-            // We get weird CS0131 errors only on the Windows build GitHub Action if we use "message?.Context = ..."
-            message!.Context = new()
+            message.Context = new()
             {
                 User = context.User,
             };
diff --git a/src/ModelContextProtocol.Core/Server/McpServer.cs b/src/ModelContextProtocol.Core/Server/McpServer.cs
@@ -667,18 +667,22 @@ private static McpRequestHandler<TParams, TResult> BuildFilterPipeline<TParams,
         McpRequestFilter<TParams, TResult>? finalHandler = null)
     {
         var current = baseHandler;
+
         if (finalHandler is not null)
         {
             current = finalHandler(current);
         }
+
         for (int i = filters.Count - 1; i >= 0; i--)
         {
             current = filters[i](current);
         }
+
         if (initialHandler is not null)
         {
             current = initialHandler(current);
         }
+
         return current;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,6 @@ private async ValueTask<AuthorizationResult> GetAuthorizationResultAsync(`
`283`	`283`	`throw new InvalidOperationException($"You must call AddAuthorization() because an authorization related attribute was found on {primitive.Id}");`
`284`	`284`	`}`
`285`	`285`
`286`		`- // TODO: Cache policy lookup. We would probably use a singleton (not-static) ConditionalWeakTable<IMcpServerPrimitive, AuthorizationPolicy?>.`
`287`	`286`	`var policy = await CombineAsync(policyProvider, primitive.Metadata);`
`288`	`287`	`if (policy is null)`
`289`	`288`	`{`
Original file line number	Diff line number	Diff line change
`@@ -279,10 +279,9 @@ internal static string MakeNewSessionId()`
`279`	`279`	`// Implementation for reading a JSON-RPC message from the request body`
`280`	`280`	`var message = await context.Request.ReadFromJsonAsync(s_messageTypeInfo, context.RequestAborted);`
`281`	`281`
`282`		`- if (context.User?.Identity?.IsAuthenticated ?? false && message is not null)`
	`282`	`+ if (context.User?.Identity?.IsAuthenticated == true && message is not null)`
`283`	`283`	`{`
`284`		`- // We get weird CS0131 errors only on the Windows build GitHub Action if we use "message?.Context = ..."`
`285`		`- message!.Context = new()`
	`284`	`+ message.Context = new()`
`286`	`285`	`{`
`287`	`286`	`User = context.User,`
`288`	`287`	`};`
Original file line number	Diff line number	Diff line change
`@@ -667,18 +667,22 @@ private static McpRequestHandler<TParams, TResult> BuildFilterPipeline<TParams,`
`667`	`667`	`McpRequestFilter<TParams, TResult>? finalHandler = null)`
`668`	`668`	`{`
`669`	`669`	`var current = baseHandler;`
	`670`	`+`
`670`	`671`	`if (finalHandler is not null)`
`671`	`672`	`{`
`672`	`673`	`current = finalHandler(current);`
`673`	`674`	`}`
	`675`	`+`
`674`	`676`	`for (int i = filters.Count - 1; i >= 0; i--)`
`675`	`677`	`{`
`676`	`678`	`current = filters[i](current);`
`677`	`679`	`}`
	`680`	`+`
`678`	`681`	`if (initialHandler is not null)`
`679`	`682`	`{`
`680`	`683`	`current = initialHandler(current);`
`681`	`684`	`}`
	`685`	`+`
`682`	`686`	`return current;`
`683`	`687`	`}`
`684`	`688`