[BUG][API]: Root path resolution missing settings fallback outside admin.py #3298

@crivetimihai

Bug Summary

PR #3297 fixed _resolve_root_path() fallback in mcpgateway/admin.py, but 12 other call sites across 5 files still read request.scope.get("root_path", "") directly without falling back to settings.app_root_path. These produce incorrect URLs in proxy/embedded deployments where scope["root_path"] is empty but APP_ROOT_PATH is configured — the same scenario described in #3296.

Note: mcpgateway/middleware/token_scoping.py:331 already implements the fallback correctly inline (scope.get("root_path") or settings.app_root_path or ""), so only the files listed below are affected.


Affected Component

  • mcpgateway - API
  • mcpgateway - UI (admin panel)
  • mcpgateway.wrapper - stdio wrapper
  • Federation or Transports
  • CLI, Makefiles, or shell scripts
  • Container setup (Docker/Podman/Compose)
  • Other (explain below)

Affected Call Sites

| File | Line(s) | Context |
| --- | --- | --- |
| mcpgateway/main.py | 1612, 1702 | Path normalization in auth middleware (route protection matching) |
| mcpgateway/routers/sso.py | 328 | SSO callback URL construction |
| mcpgateway/routers/oauth_router.py | 447 | OAuth callback URL construction |
| mcpgateway/routers/llm_admin_router.py | 113, 212, 262, 385, 483 | LLM admin template context root_path |
| mcpgateway/utils/verify_credentials.py | 1156, 1173, 1203 | Login redirect URLs on auth failure |

Total: 12 call sites across 5 files.


Steps to Reproduce

  1. Set APP_ROOT_PATH=/api/proxy/mcp and deploy behind a proxy that does not populate the ASGI scope["root_path"].
  2. Trigger any of the affected code paths (e.g., SSO callback, OAuth callback, auth failure redirect, LLM admin pages).
  3. Observe URLs resolve to /admin/... instead of /api/proxy/mcp/admin/....

Expected Behavior

All root path resolution should use the same fallback logic as _resolve_root_path() in admin.py: check scope["root_path"] first, fall back to settings.app_root_path, normalize (leading /, no trailing /).


Proposed Fix

Either:

  1. Move _resolve_root_path() from admin.py to a shared utility (e.g., mcpgateway/utils/paths.py) and replace all 12 call sites, or
  2. Inline the fallback pattern (scope.get("root_path") or settings.app_root_path or "") at each call site, consistent with token_scoping.py:331.

Option 1 is preferred for DRY and consistency.


Environment Info

| Key | Value |
| --- | --- |
| Version or commit | main (post #3297 merge) |
| Runtime | Python 3.11+ |
| Platform / OS | Any |
| Container | Any proxy/embedded deployment |

Additional Context

Discovered during review of PR #3297. The admin.py fix is correct and complete for its scope; this issue tracks the remaining call sites in other modules.
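
A sketch of the shared helper described under Option 1, added here as an illustration and not taken from the project's code. The names `Settings`, `normalize_root_path`, `resolve_root_path`, `strip_root_path` and `prefixed_url` are hypothetical, and `/admin/login` is a constructed sample path. `strip_root_path` goes one step beyond the issue text to show the prefix removal an auth middleware needs before route-protection matching.

```python
from dataclasses import dataclass
from typing import Any, Mapping


@dataclass
class Settings:
    """Stand-in for the gateway settings object (assumption, not project code)."""

    app_root_path: str = ""


def normalize_root_path(raw: str) -> str:
    """Return '' or a path with exactly one leading '/' and no trailing '/'."""
    stripped = (raw or "").strip().strip("/")
    return f"/{stripped}" if stripped else ""


def resolve_root_path(scope: Mapping[str, Any], settings: Settings) -> str:
    """Prefer the ASGI scope value; fall back to the configured root path."""
    return normalize_root_path(scope.get("root_path") or settings.app_root_path or "")


def strip_root_path(path: str, root_path: str) -> str:
    """Drop the root prefix before route matching, only on a segment boundary.

    Matching on a boundary keeps '/api/proxy/mcpx/...' from being treated as
    if it lived under '/api/proxy/mcp'.
    """
    if root_path and (path == root_path or path.startswith(root_path + "/")):
        return path[len(root_path):] or "/"
    return path


def prefixed_url(scope: Mapping[str, Any], settings: Settings, path: str) -> str:
    """Build an application-relative URL (redirect, callback) under the root path."""
    return f"{resolve_root_path(scope, settings)}/{path.lstrip('/')}"


if __name__ == "__main__":
    # Constructed scenario from "Steps to Reproduce": the proxy leaves
    # scope["root_path"] empty while APP_ROOT_PATH is configured.
    cfg = Settings(app_root_path="/api/proxy/mcp")
    empty_scope = {"type": "http", "root_path": ""}
    print(prefixed_url(empty_scope, cfg, "/admin/login"))
    print(strip_root_path("/api/proxy/mcp/admin/users", resolve_root_path(empty_scope, cfg)))
```
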

Labels: SHOULD (P2: Important but not vital; high-value items that are not crucial for the immediate release), api (REST API Related item), bug (Something isn't working), ready (Validated, ready-to-work-on items)
