mcp over http is failing

backend/src/api/main.py

@@ -5,10 +5,15 @@ from __future__ import annotations
 import logging
 from pathlib import Path
 
+import asyncio
 from fastapi import FastAPI, HTTPException, Request
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse
 from fastapi.staticfiles import StaticFiles
+from fastapi.routing import ASGIRoute
+from starlette.responses import Response
+
+from fastmcp.server.streamable_http import StreamableHTTPSessionManager
 
 from .routes import auth, index, notes, search
 from ..mcp.server import mcp
@@ -81,9 +86,49 @@ app.include_router(search.router, tags=["search"])
 app.include_router(index.router, tags=["index"])
 
 # Hosted MCP HTTP endpoint (mounted Starlette app)
-mcp_http_app = mcp.http_app(path="/", transport="http")
-app.mount("/mcp", mcp_http_app)
-logger.info("MCP HTTP endpoint mounted at /mcp")
+
+session_manager = StreamableHTTPSessionManager(
+    app=mcp._mcp_server,
+    event_store=None,
+    json_response=False,
+    stateless=True,
+)
+
+
+@app.api_route("/mcp", methods=["GET", "POST", "DELETE"])
+async def mcp_http_bridge(request: Request) -> Response:
+    """Forward HTTP requests to the FastMCP streamable HTTP session manager."""
+
+    send_queue: asyncio.Queue = asyncio.Queue()
+
+    async def send(message):
+        await send_queue.put(message)
+
+    await session_manager.handle_request(request.scope, request.receive, send)
+    await send_queue.put(None)
+
+    result_body = b""
+    headers = {}
+    status = 200
+
+    while True:
+        message = await send_queue.get()
+        if message is None:
+            break
+        msg_type = message["type"]
+        if msg_type == "http.response.start":
+            status = message.get("status", 200)
+            raw_headers = message.get("headers", [])
+            headers = {key.decode(): value.decode() for key, value in raw_headers}
+        elif msg_type == "http.response.body":
+            result_body += message.get("body", b"")
+            if not message.get("more_body"):
+                break
+
+    return Response(content=result_body, status_code=status, headers=headers)
+
+
+logger.info("MCP HTTP endpoint mounted at /mcp via StreamableHTTPSessionManager")
 
 
 @app.get("/health")

backend/src/api/routes/auth.py

@@ -5,17 +5,21 @@ from __future__ import annotations
 import logging
 import secrets
 import time
+from datetime import datetime, timezone
 from typing import Optional
 from urllib.parse import urlencode
 
 import httpx
 from fastapi import APIRouter, Depends, HTTPException, Query, Request
 from fastapi.responses import RedirectResponse
-from pydantic import BaseModel
 
+from ...models.auth import TokenResponse
+from ...models.user import HFProfile, User
+from ...services.auth import AuthService
 from ...services.config import get_config
 from ...services.seed import ensure_welcome_note
-from ..middleware import extract_user_id_from_jwt
+from ...services.vault import VaultService
+from ..middleware import AuthContext, get_auth_context
 
 logger = logging.getLogger(__name__)
 
@@ -24,6 +28,8 @@ router = APIRouter()
 OAUTH_STATE_TTL_SECONDS = 300
 oauth_states: dict[str, float] = {}
 
+auth_service = AuthService()
+
 
 def _create_oauth_state() -> str:
     """Generate a state token and store it with a timestamp."""
@@ -46,14 +52,6 @@ def _consume_oauth_state(state: str | None) -> None:
     del oauth_states[state]
 
 
-class UserInfo(BaseModel):
-    """Current user information."""
-
-    user_id: str
-    username: str
-    email: Optional[str] = None
-
-
 def get_base_url(request: Request) -> str:
     """
     Get the base URL for OAuth redirects.
@@ -271,23 +269,43 @@ async def callback(
         )
 
 
-@router.get("/api/me", response_model=UserInfo)
-async def get_current_user(user_id: str = Depends(extract_user_id_from_jwt)):
-    """Return basic profile data for the authenticated user."""
-    if user_id == "local-dev":
-        return UserInfo(user_id="local-dev", username="local-dev")
+@router.post("/api/tokens", response_model=TokenResponse)
+async def create_api_token(auth: AuthContext = Depends(get_auth_context)):
+    """Issue a new JWT for the authenticated user."""
+    token, expires_at = auth_service.issue_token_response(auth.user_id)
+    return TokenResponse(token=token, token_type="bearer", expires_at=expires_at)
 
-    # Derive a friendly username if possible
-    username = user_id
-    email = None
 
+@router.get("/api/me", response_model=User)
+async def get_current_user(auth: AuthContext = Depends(get_auth_context)):
+    """Return profile metadata for the authenticated user."""
+    user_id = auth.user_id
+    vault_service = VaultService()
+    vault_path = vault_service.initialize_vault(user_id)
+
+    # Attempt to derive a stable "created" timestamp from the vault directory
+    try:
+        stat = vault_path.stat()
+        created_dt = datetime.fromtimestamp(stat.st_ctime, tz=timezone.utc)
+    except Exception:
+        created_dt = datetime.now(timezone.utc)
+
+    profile: Optional[HFProfile] = None
     if user_id.startswith("hf-"):
         username = user_id[len("hf-") :]
+        profile = HFProfile(
+            username=username,
+            name=username.replace("-", " ").title(),
+            avatar_url=f"https://api.dicebear.com/7.x/initials/svg?seed={username}",
+        )
+    elif user_id not in {"local-dev", "demo-user"}:
+        profile = HFProfile(username=user_id)
 
-    return UserInfo(
+    return User(
         user_id=user_id,
-        username=username,
-        email=email,
+        hf_profile=profile,
+        vault_path=str(vault_path),
+        created=created_dt,
     )
 
 

scripts/test_mcp_tools.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+"""Exercise all MCP tools exposed by the hosted server."""
+
+from __future__ import annotations
+
+import argparse
+import asyncio
+import json
+import os
+import sys
+import uuid
+from typing import Any, Dict
+
+from fastmcp.client import Client, StreamableHttpTransport
+from fastmcp.client.client import ToolError
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(description="Test MCP HTTP tools end-to-end")
+    parser.add_argument(
+        "--url",
+        default=os.environ.get("MCP_URL", "https://bigwolfe-document-mcp.hf.space/mcp"),
+        help="Hosted MCP endpoint base URL",
+    )
+    parser.add_argument(
+        "--token",
+        default=os.environ.get("MCP_TOKEN"),
+        help="Bearer token for authentication (or set MCP_TOKEN env variable)",
+    )
+    parser.add_argument(
+        "--note",
+        default=f"mcp-test-{uuid.uuid4().hex}.md",
+        help="Temporary note path to create and delete during the test",
+    )
+    return parser
+
+
+async def exercise_tools(url: str, token: str, note_path: str) -> Dict[str, Any]:
+    transport = StreamableHttpTransport(url=url, headers={"Authorization": f"Bearer {token}"})
+    async with Client(transport, name="multi-tenant-audit") as client:
+        results: Dict[str, Any] = {}
+
+        tools = await client.list_tools()
+        results["list_tools"] = [tool.name for tool in tools]
+
+        results["list_notes_before"] = await client.call_tool("list_notes", {})
+
+        # Read the welcome note if it exists
+        try:
+            results["read_note"] = await client.call_tool(
+                "read_note", {"path": "Welcome.md"}
+            )
+        except ToolError as exc:
+            results["read_note_error"] = str(exc)
+
+        # Create a temporary note
+        body = "# MCP Test\n\nThis note was created by the MCP HTTP audit script."
+        results["write_note"] = await client.call_tool(
+            "write_note",
+            {
+                "path": note_path,
+                "body": body,
+                "title": "MCP Test",
+                "metadata": {"tags": ["mcp", "audit"]},
+            },
+        )
+
+        # Search for the word "MCP"
+        results["search_notes"] = await client.call_tool(
+            "search_notes", {"query": "MCP", "limit": 10}
+        )
+
+        # Fetch backlinks for the welcome note (if present)
+        try:
+            results["get_backlinks"] = await client.call_tool(
+                "get_backlinks", {"path": "Welcome.md"}
+            )
+        except ToolError as exc:
+            results["get_backlinks_error"] = str(exc)
+
+        # Fetch tags
+        results["get_tags"] = await client.call_tool("get_tags", {})
+
+        # Delete the temporary note and show list afterwards
+        results["delete_note"] = await client.call_tool(
+            "delete_note", {"path": note_path}
+        )
+        results["list_notes_after"] = await client.call_tool("list_notes", {})
+
+        return results
+
+
+def main() -> None:
+    parser = build_parser()
+    args = parser.parse_args()
+
+    if not args.token:
+        parser.error("Bearer token must be provided via --token or MCP_TOKEN env variable")
+
+    try:
+        results = asyncio.run(exercise_tools(args.url, args.token, args.note))
+    except Exception as exc:  # pragma: no cover
+        print(f"Error exercising MCP tools: {exc}", file=sys.stderr)
+        raise SystemExit(1) from exc
+
+    json.dump(results, sys.stdout, indent=2, sort_keys=True)
+    print()
+
+
+if __name__ == "__main__":
+    main()