fix(auth): avoid Request.user assertion without auth middleware

Epochex · Epochex · commit de67bd78f60e · 2026-05-24T22:19:07.000+02:00
diff --git a/src/mcp/server/auth/middleware/auth_context.py b/src/mcp/server/auth/middleware/auth_context.py
@@ -31,7 +31,16 @@ def _push_auth_context_from_request(request: Request | None) -> Token[Authentica
     """
     if request is None:
         return None
-    user = getattr(request, "user", None)
+    # Avoid Request.user, which asserts AuthenticationMiddleware is installed.
+    user = None
+    scope = getattr(request, "scope", None)
+    if isinstance(scope, dict):
+        user = scope.get("user")
+    if user is None:
+        try:
+            user = getattr(request, "user", None)
+        except AssertionError:
+            user = None
     if isinstance(user, AuthenticatedUser):
         return auth_context_var.set(user)
     return None
