From e7f1e044b745bfafb58c455d47a82043a7d97471 Mon Sep 17 00:00:00 2001
From: Robert Helewka
Date: Mon, 4 May 2026 18:18:50 -0400
Subject: [PATCH] fix(pallas): read bearer token from raw Authorization header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

get_access_token() requires FastMCP auth middleware to populate AuthenticatedUser in the request scope — Pallas runs without auth middleware so it always returned None. Read the Authorization header directly from the ASGI request instead.

Co-Authored-By: Claude Sonnet 4.6
---
 pallas/multimodal_server.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/pallas/multimodal_server.py b/pallas/multimodal_server.py
index 8683b0e..0707e4f 100644
--- a/pallas/multimodal_server.py
+++ b/pallas/multimodal_server.py
@@ -39,13 +39,20 @@ logger = get_logger(__name__)
 def _get_request_bearer_token() -> str | None:
- """Return the authenticated bearer token for the current MCP request."""
- try:
- from fastmcp.server.dependencies import get_access_token
+ """Return the raw bearer token from the current MCP request's Authorization header.
- access_token = get_access_token()
- if access_token is not None:
- return access_token.token
+ Reads the header directly rather than going through get_access_token() because
+ Pallas runs without FastMCP auth middleware — there is no AuthenticatedUser in
+ the request scope, so get_access_token() always returns None here. The token
+ is an opaque string forwarded to opted-in downstream servers by _fastagent_patch.
+ """
+ try:
+ from fastmcp.server.dependencies import get_http_request
+ request = get_http_request()
+ auth = request.headers.get("authorization", "")
+ if auth.lower().startswith("bearer "):
+ return auth[7:]
 except Exception:
 pass
 return None
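Review bot: In `_get_request_bearer_token`, a header of exactly `Bearer ` (or one with extra spaces after the scheme) makes `return auth[7:]` yield an empty or whitespace-padded string rather than `None`, so a caller that only tests for `None` would forward a blank credential downstream. Consider `token = auth[7:].strip()` followed by `return token or None`. Because the docstring says Pallas runs without auth middleware, the returned value is unverified client input, and the docstring could state that directly, e.g. `Not validated here; do not use for authorization decisions in Pallas and do not log it.` The retained `except Exception: pass` also makes a missing request context indistinguishable from a missing header; whether that is intended is not visible from this hunk.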