iT,dZddlmZddlZddlmZddlmZddl m Z ddl m Z m Z ddlmZmZddlmZdd lmZmZmZdd lmZdd lmZmZmZdd lmZmZej@e!Z"Gd deZ#y)aAuthorization middleware for FastMCP. This module provides middleware-based authorization using callable auth checks. AuthMiddleware applies auth checks globally to all components on the server. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth import require_scopes, restrict_tag from fastmcp.server.middleware import AuthMiddleware # Require specific scope for all components mcp = FastMCP(middleware=[ AuthMiddleware(auth=require_scopes("api")) ]) # Tag-based: components tagged "admin" require "admin" scope mcp = FastMCP(middleware=[ AuthMiddleware(auth=restrict_tag("admin", scopes=["admin"])) ]) ``` ) annotationsN)Sequence)AuthorizationError)Prompt PromptResult)ResourceResourceResult)ResourceTemplate) AuthCheck AuthContextrun_auth_checks)get_access_token)CallNext MiddlewareMiddlewareContext)Tool ToolResultceZdZdZd dZ d dZ d dZ ddZ ddZ ddZ ddZ dd Z y )AuthMiddlewareaGlobal authorization middleware using callable checks. This middleware applies auth checks to all components (tools, resources, prompts) on the server. It uses the same callable API as component-level auth checks. The middleware: - Filters tools/resources/prompts from list responses based on auth checks - Checks auth before tool execution, resource read, and prompt render - Skips all auth checks for STDIO transport (no OAuth concept) Args: auth: A single auth check function or list of check functions. All checks must pass for authorization to succeed (AND logic). Example: ```python from fastmcp import FastMCP from fastmcp.server.auth import require_scopes # Require specific scope for all components mcp = FastMCP(middleware=[AuthMiddleware(auth=require_scopes("api"))]) # Multiple scopes (AND logic) mcp = FastMCP(middleware=[ AuthMiddleware(auth=require_scopes("read", "api")) ]) ``` c||_y)N)auth)selfrs w/Users/bowang/.openclaw/workspace/ChatDev/.venv/lib/python3.12/site-packages/fastmcp/server/middleware/authorization.py__init__zAuthMiddleware.__init__Rs  c*K||d{}ddlm}|jdk(r|St}g}|D]?}t ||} t |j |d{r|j|A|S7q7#t$rYSwxYww)z0Filter tools/list response based on auth checks.Nr_current_transportstdiotoken component fastmcp.server.contextrgetrr r rappendr) rcontext call_nexttoolsrr!authorized_toolstoolctxs r on_list_toolszAuthMiddleware.on_list_toolsUs  (( >  ! ! #w .L "')DET:C (C888$++D1  ))9%  E BB=B B&B'B<BB B BBBcKddlm}|jdk(r||d{S|jj}|j }|(t jd|dtd|d|jj|d{}|td|d t}t|| }t|j|d{std|d ||d{S77k7'7 w) z!Check auth before tool execution.rrrNz2AuthMiddleware: fastmcp_context is None for tool ''. Denying access for security.zAuthorization failed for tool '': missing contextz': tool not foundr ': insufficient permissions)r$rr%messagenamefastmcp_contextloggerwarningrfastmcpget_toolrr r r) rr'r(r tool_namer8r+r!r,s r on_call_toolzAuthMiddleware.on_call_toolqs( >  ! ! #w ."7++ +OO(( )) ? NNDYKP// %1)  ! ! #w .  "/1!HEX>C (C888(//9 "$#'-9%  r.cKddlm}|jdk(r||d{S|jj}|j }|(t jd|dtd|d|jjt|d{}|,|jjt|d{}|td|d t}t|| }t|j |d{std|d ||d{S777n7*7 w) z Check auth before resource read.rrrNz6AuthMiddleware: fastmcp_context is None for resource 'r0z#Authorization failed for resource 'r1z': resource not foundr r2)r$rr%r3urir5r6r7rr8 get_resourcestrget_resource_templaterr r r) rr'r(rrCr8r"r!r,s ron_read_resourcezAuthMiddleware.on_read_resourcesS >  ! ! #w ."7++ +oo!!)) ? NNHN// %5cU:LM  "//66s3x@@  %ooCCCHMMI  $5cU:OP  !";$TYY444$5cU:UV w'''?,AM5 (sY%ED7A7ED: -E D<AED>E2E3E:E<E>EEc*K||d{}ddlm}|jdk(r|St}g}|D]?}t ||} t |j |d{r|j|A|S7q7#t$rYSwxYww)z=Filter resource templates/list response based on auth checks.Nrrrr r#) rr'r( templatesrr!authorized_templatestemplater,s ron_list_resource_templatesz)AuthMiddleware.on_list_resource_templatess$G,,  >  ! ! #w .  "79!HEX>C (C888(//9 "$#'-9%  r.c*K||d{}ddlm}|jdk(r|St}g}|D]?}t ||} t |j |d{r|j|A|S7q7#t$rYSwxYww)z2Filter prompts/list response based on auth checks.Nrrrr r#) rr'r(promptsrr!authorized_promptspromptr,s ron_list_promptszAuthMiddleware.on_list_promptss "'** >  ! ! #w .N "+-FEV  ! ! #w ."7++ +oo** )) ? NNF{mT// %3K=@RS  11+>> >$3K=@ST  !"8$TYY444$3K=@[\ w''';,?5 (r<N)rzAuthCheck | list[AuthCheck]returnNone)r'z&MiddlewareContext[mt.ListToolsRequest]r(z-CallNext[mt.ListToolsRequest, Sequence[Tool]]rVzSequence[Tool])r'z+MiddlewareContext[mt.CallToolRequestParams]r(z.CallNext[mt.CallToolRequestParams, ToolResult]rVr)r'z*MiddlewareContext[mt.ListResourcesRequest]r(z5CallNext[mt.ListResourcesRequest, Sequence[Resource]]rVzSequence[Resource])r'z/MiddlewareContext[mt.ReadResourceRequestParams]r(z6CallNext[mt.ReadResourceRequestParams, ResourceResult]rVr )r'z2MiddlewareContext[mt.ListResourceTemplatesRequest]r(zECallNext[mt.ListResourceTemplatesRequest, Sequence[ResourceTemplate]]rVzSequence[ResourceTemplate])r'z(MiddlewareContext[mt.ListPromptsRequest]r(z1CallNext[mt.ListPromptsRequest, Sequence[Prompt]]rVzSequence[Prompt])r'z,MiddlewareContext[mt.GetPromptRequestParams]r(z1CallNext[mt.GetPromptRequestParams, PromptResult]rVr) __name__ __module__ __qualname____doc__rr-r;rArGrLrQrUrrrr3s< 7 A    8)(<)(B)(  )(V$;$I$  $6)(@)(J)(  )(V$C$ $ $ $:"9"E"  "6'(='(E'(  '(rr)$r[ __future__rloggingcollections.abcr mcp.typestypesmtfastmcp.exceptionsrfastmcp.prompts.promptrrfastmcp.resources.resourcerr fastmcp.resources.templater !fastmcp.server.auth.authorizationr r r fastmcp.server.dependenciesr$fastmcp.server.middleware.middlewarerrrfastmcp.tools.toolrr getLoggerrXr6rr\rrrlsb.#$17?7 9 0   8 $N(ZN(r