test: cover lowlevel auth app construction

lavish0000 · lavish0000 · commit 92610cb9974f · 2026-03-05T23:39:13.000+01:00
diff --git a/tests/server/test_lowlevel_streamable_http_auth_app.py b/tests/server/test_lowlevel_streamable_http_auth_app.py
@@ -0,0 +1,66 @@
+from unittest.mock import Mock
+
+from pydantic import AnyHttpUrl
+from starlette.applications import Starlette
+from starlette.middleware.authentication import AuthenticationMiddleware
+
+from mcp.server.auth.middleware.auth_context import AuthContextMiddleware
+from mcp.server.auth.provider import AccessToken
+from mcp.server.auth.settings import AuthSettings
+from mcp.server.lowlevel.server import Server
+
+
+class DummyTokenVerifier:
+    async def verify_token(self, token: str) -> AccessToken | None:
+        return None
+
+
+def route_paths(app: Starlette) -> set[str]:
+    paths: set[str] = set()
+    for route in app.routes:
+        path = getattr(route, "path", None)
+        if isinstance(path, str):
+            paths.add(path)
+    return paths
+
+
+def test_streamable_http_app_adds_auth_routes_without_token_verifier():
+    server = Server("test-server")
+
+    app = server.streamable_http_app(
+        host="testserver",
+        auth=AuthSettings(
+            issuer_url=AnyHttpUrl("https://auth.example.com"),
+            resource_server_url=AnyHttpUrl("https://testserver/mcp"),
+        ),
+        auth_server_provider=Mock(),
+    )
+
+    assert {
+        "/mcp",
+        "/authorize",
+        "/token",
+        "/.well-known/oauth-authorization-server",
+        "/.well-known/oauth-protected-resource/mcp",
+    }.issubset(route_paths(app))
+
+
+def test_streamable_http_app_skips_resource_metadata_route_when_resource_server_url_missing():
+    server = Server("test-server")
+
+    app = server.streamable_http_app(
+        host="testserver",
+        auth=AuthSettings(
+            issuer_url=AnyHttpUrl("https://auth.example.com"),
+            resource_server_url=None,
+        ),
+        token_verifier=DummyTokenVerifier(),
+    )
+
+    paths = route_paths(app)
+    middleware_classes = [middleware.cls for middleware in app.user_middleware]
+
+    assert "/mcp" in paths
+    assert "/.well-known/oauth-protected-resource/mcp" not in paths
+    assert AuthenticationMiddleware in middleware_classes
+    assert AuthContextMiddleware in middleware_classes
