feat: ADD Bearer Token param for MCP server#13264
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2d2aa58374
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if oauth2Bearer := strings.TrimSpace(mcpServer.OAuth2Bearer); oauth2Bearer != "" { | ||
| command = append(command, "--oauth2Bearer", oauth2Bearer) | ||
| } |
There was a problem hiding this comment.
Enforce bearer auth instead of only setting headers
When a user fills this new bearer-token field for a stdio-backed MCP server, this code still builds a --stdio supergateway server and merely appends --oauth2Bearer. I checked supergateway's stdio→SSE/Streamable HTTP implementation: that option is converted into headers and applied with res.setHeader(...); it does not validate the incoming request's Authorization header. As a result, any MCP server exposed through a bound domain or 0.0.0.0 remains accessible without the configured token, which defeats the security expectation of adding a bearer token here.
Useful? React with 👍 / 👎.
No description provided.