fix: implement RFC 6750 Section 3.1 compliance for missing authentication

[runeb]

The MCP SDK's requireBearerAuth middleware was incorrectly treating missing Authorization headers as invalid tokens, violating RFC 6750 Section 3.1 compliance.

Motivation and Context

The current implementation violates RFC 6750 Section 3.1, which states:

"If the request lacks any authentication information, the resource server SHOULD NOT include an error code or other error information."

Current behavior (non-compliant):

WWW-Authenticate: Bearer error="invalid_token", error_description="Missing Authorization header"

RFC 6750 compliant behavior:

WWW-Authenticate: Bearer realm="protected"

This fix improves interoperability with OAuth 2.0 clients that expect standards-compliant bearer token authentication.

How Has This Been Tested?

• ✅ All existing tests pass
• ✅ New test cases verify RFC 6750 compliant behavior for missing authentication
• ✅ Existing invalid/malformed token handling preserved
• ✅ Resource metadata URL inclusion works correctly
• ✅ Built and linted successfully

Test scenarios covered:

• Missing Authorization header → returns Bearer realm="protected"
• Invalid tokens → still return Bearer error="invalid_token"
• Insufficient scope → still return Bearer error="insufficient_scope"
• Resource metadata URL inclusion in all scenarios

Breaking Changes

None. This is a compliance fix that only changes the WWW-Authenticate header format for missing authentication. All other authentication error scenarios remain unchanged.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Implementation approach:

1. Created new MissingAuthenticationError class following existing error patterns
2. Updated requireBearerAuth middleware to throw MissingAuthenticationError for missing headers
3. Added specific error handling for missing authentication that returns RFC-compliant headers
4. Preserved all existing behavior for invalid/malformed tokens

Standards reference:

• RFC 6750 Section 3.1: https://tools.ietf.org/html/rfc6750#section-3.1

Files changed:

• src/server/auth/errors.ts - Added MissingAuthenticationError class
• src/server/auth/middleware/bearerAuth.ts - Updated middleware logic
• src/server/auth/middleware/bearerAuth.test.ts - Updated test expectations

[runeb]

Thank you for the thoughtful review @pcarleton. I agree with you that adding the protected realm here does not actually make sense. The reason it was included was to avoid breaking a MUST from the RFC 6750 spec which states

Section 3

All challenges defined by this specification MUST use the auth-scheme
   value "Bearer".  This scheme MUST be followed by one or more
   auth-param values.

So a plain Bearer is invalid according to 6750. That does leave the option of returning

Bearer realm=""

but it does not feel right to mention a realm here and not elsewhere.

I have therefore concluded that the least problematic solution is to keep the current implementation as that only violates a SHOULD versus a MUST. It seems my PR only makes sense if users can configure a realm.