feat(mcp): bearer-token auth resolver
Thin parser over the existing api_keys lookup. Strips the Bearer prefix, validates the token via services/api_keys.lookup_key (which already filters revoked keys and updates last_used_at), and returns the user_id for the in-flight MCP request. Tests follow the existing mock-async_session pattern in test_api_keys.py rather than introducing a real DB fixture. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,19 @@
|
||||
"""MCP-side Bearer token resolution. Reuses the existing api_keys infrastructure."""
|
||||
from __future__ import annotations
|
||||
|
||||
from fabledassistant.services.api_keys import lookup_key
|
||||
|
||||
|
||||
async def resolve_bearer_to_user_id(auth_header: str | None) -> int | None:
|
||||
"""Parse an `Authorization: Bearer <token>` header and return the user_id.
|
||||
|
||||
Returns None if the header is missing, malformed, or the token is invalid
|
||||
or revoked. The underlying lookup_key already updates last_used_at on hit.
|
||||
"""
|
||||
if not auth_header or not auth_header.startswith("Bearer "):
|
||||
return None
|
||||
raw_token = auth_header[len("Bearer "):].strip()
|
||||
if not raw_token:
|
||||
return None
|
||||
api_key = await lookup_key(raw_token)
|
||||
return api_key.user_id if api_key else None
|
||||
Reference in New Issue
Block a user