jwt handling improvements

2026-02-05 11:17:59 -05:00
parent 9f16273cb8
commit 13b6092cda
5 changed files with 126 additions and 122 deletions
--- a/auth/mcp_session_middleware.py
+++ b/auth/mcp_session_middleware.py
@@ -62,24 +62,8 @@ class MCPSessionMiddleware(BaseHTTPMiddleware):
                mcp_session_id = request.state.session_id
                logger.debug(f"Found FastMCP session ID: {mcp_session_id}")

-            # Also check Authorization header for bearer tokens
-            auth_header = headers.get("authorization")
-            if (
-                auth_header
-                and auth_header.lower().startswith("bearer ")
-                and not user_email
-            ):
-                try:
-                    import jwt
-
-                    token = auth_header[7:]  # Remove "Bearer " prefix
-                    # Decode without verification to extract email
-                    claims = jwt.decode(token, options={"verify_signature": False})
-                    user_email = claims.get("email")
-                    if user_email:
-                        logger.debug(f"Extracted user email from JWT: {user_email}")
-                except Exception:
-                    pass
+            # SECURITY: Do not decode JWT without verification
+            # User email must come from verified sources only (FastMCP auth context)

            # Build session context
            if session_id or auth_context or user_email or mcp_session_id: