Skip to content

v0.15.1 — MCP bearer-flow auth fix

Choose a tag to compare

@0xSteph 0xSteph released this 20 May 05:47

Patch follow-up to 0.15.0 closing a silent auth failure on the headline flow: bearer profiles.

Fixed

  • MCP bearer-flow auth profile resolution (mcp_server/auth.py). Profiles declaring flow: bearer with password_source: env silently fell back to form-post: resolve_auth_profile_to_dict ignored prof.flow and returned a form_post dict for any password-source profile. Downstream POSTed form-encoded credentials to JSON-only endpoints like Juice Shop /rest/user/login and the login silently failed with auth_profile '<name>' could not be resolved or login failed. Adds a bearer_dynamic branch on both sides of the resolver. Two integration tests cover the dict shape and the async POST→JWT path. Validated end-to-end against Juice Shop v19.2.1 (8 phases completed, 100 findings, same 43/68 catch set as the 0.15.0 deterministic baseline).

Install

pip install ptai==0.15.1

PyPI: https://pypi.org/project/ptai/0.15.1/

Full notes in CHANGELOG.md.