mirror of
https://github.com/samanhappy/mcphub.git
synced 2025-12-24 02:39:19 -05:00
- Fix validateBearerAuth to use loadOriginalSettings() instead of loadSettings() to prevent bearer auth bypass when no user context exists
- Add authentication validation to sseUserContextMiddleware for user-scoped routes to prevent user impersonation via URL path parameters
- Require valid OAuth/bearer token for accessing /:user/mcp and /:user/sse endpoints
- Return 401 Unauthorized for user-scoped routes without authentication
- Return 403 Forbidden when authenticated user doesn't match requested username

Security improvements:
1. Bearer auth now correctly reads enableBearerAuth from system config
2. User-scoped endpoints now require authentication
3. Users can only access their own resources
4. Prevents impersonation attacks via URL manipulation

Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
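Added illustration (not mcphub's own middleware) of the access rule the commit describes for the /:user/mcp and /:user/sse routes: no authenticated identity yields 401, an identity that does not own the path yields 403, and only the owner passes. The function names, the `req.user.username` shape and the fake request/response objects are assumptions made for this example.

```javascript
// Matches the two user-scoped route shapes named in the commit message.
const USER_SCOPED_ROUTE = /^\/([^/]+)\/(mcp|sse)$/;

// Extract the username from a /:user/mcp or /:user/sse path; null otherwise.
function parseUserScopedPath(path) {
  const m = USER_SCOPED_ROUTE.exec(path);
  return m ? { user: decodeURIComponent(m[1]), kind: m[2] } : null;
}

// Pure decision function so the rule can be tested without an HTTP stack.
// `authUser` is the identity an earlier bearer/OAuth step established, or
// null when that step authenticated nobody. Returns { status, allow, reason }.
function authorizeUserScopedRequest(path, authUser) {
  const scoped = parseUserScopedPath(path);
  if (!scoped) return { status: 200, allow: true, reason: 'not user-scoped' };
  // 401: the route is user-scoped, but there is no authenticated identity.
  if (!authUser) return { status: 401, allow: false, reason: 'authentication required' };
  // 403: the URL names a different user than the token proves. Without this
  // check, a valid token for one account reaches any other account's endpoint.
  if (authUser !== scoped.user) return { status: 403, allow: false, reason: 'user mismatch' };
  return { status: 200, allow: true, reason: 'owner' };
}

// Express-style middleware wrapper (hypothetical; `req.user` is assumed to be
// set by the bearer/OAuth validation that runs before this guard).
function userScopedAuthGuard(req, res, next) {
  const who = req.user && req.user.username ? req.user.username : null;
  const decision = authorizeUserScopedRequest(req.path, who);
  if (decision.allow) return next();
  res.status(decision.status).json({ error: decision.reason });
}

// Drive the guard with a constructed request and a minimal fake response;
// returns the status the guard chose (200 when next() was called).
function runGuard(path, username) {
  const req = { path, user: username ? { username } : null };
  let status = 200;
  const res = {
    status(code) { status = code; return this; },
    json() { return this; },
  };
  userScopedAuthGuard(req, res, () => {});
  return status;
}
```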