Fix MCP auth vulnerability, clean up imports and CSS

Sbussiso · claude · Sbussiso · commit daf603391e74 · 2026-04-08T19:59:03.000-07:00
- Reject empty Bearer tokens before hashing (security fix)
- Remove unused Context import, fix Session type hint
- Move HTTPException to top-level import in mcp_keys
- Add standalone .locked-icon CSS for MCP upgrade prompt

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/backend/app/api/mcp_keys.py b/backend/app/api/mcp_keys.py
@@ -6,7 +6,7 @@
 import hashlib
 import secrets
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 
 from app.core.auth import AuthUser, require_admin
@@ -79,7 +79,6 @@ async def revoke_mcp_key(
         .first()
     )
     if not mcp_key:
-        from fastapi import HTTPException
         raise HTTPException(status_code=404, detail="Key not found")
 
     mcp_key.revoked = True
diff --git a/backend/app/mcp/server.py b/backend/app/mcp/server.py
@@ -11,10 +11,11 @@
 from datetime import datetime, timedelta
 from typing import Annotated
 
-from fastmcp import FastMCP, Context
+from fastmcp import FastMCP
 from fastmcp.server.dependencies import get_http_headers
 from fastmcp.exceptions import ToolError
 from pydantic import Field
+from sqlalchemy.orm import Session
 
 from app.core.database import SessionLocal
 from app.models.models import (
@@ -47,7 +48,7 @@
 # Auth helper — resolve Bearer token to org_id
 # ---------------------------------------------------------------------------
 
-def _resolve_org(headers: dict | None) -> tuple[str, SessionLocal]:
+def _resolve_org(headers: dict | None) -> tuple[str, Session]:
     """Validate the Bearer token and return (org_id, db_session)."""
     if not headers:
         raise ToolError("Unauthorized: no headers present")
@@ -57,6 +58,9 @@ def _resolve_org(headers: dict | None) -> tuple[str, SessionLocal]:
         raise ToolError("Unauthorized: missing Bearer token")
 
     raw_key = auth.split(" ", 1)[1].strip()
+    if not raw_key:
+        raise ToolError("Unauthorized: empty Bearer token")
+
     key_hash = hashlib.sha256(raw_key.encode()).hexdigest()
 
     db = SessionLocal()
diff --git a/frontend/src/index.css b/frontend/src/index.css
@@ -2059,7 +2059,8 @@ body {
     margin: 0 auto;
 }
 
-.upgrade-icon {
+.upgrade-icon,
+.locked-icon {
     font-size: 3rem;
     margin-bottom: 1rem;
 }

Original file line number	Diff line number	Diff line change
`@@ -2059,7 +2059,8 @@ body {`
`2059`	`2059`	`margin: 0 auto;`
`2060`	`2060`	`}`
`2061`	`2061`
`2062`		`-.upgrade-icon {`
	`2062`	`+.upgrade-icon,`
	`2063`	`+.locked-icon {`
`2063`	`2064`	`font-size: 3rem;`
`2064`	`2065`	`margin-bottom: 1rem;`
`2065`	`2066`	`}`