fix: 404 the whole /.well-known/* tree for MCP discovery probes #829
Merged
The SPA catch-all was answering OAuth/OIDC discovery probes with an HTML 200, which newer MCP HTTP clients parse as a broken auth flow — aborting MCP registration or inferring a phantom authenticate step. Radar's MCP endpoint is unauthenticated locally; a clean 404 across the whole /.well-known/* tree (RFC 9728 / RFC 8414 / OIDC all probe there, at both bare and resource-scoped paths) tells clients no auth handshake is needed. Replaces the two hardcoded oauth-* paths with a tree-wide handler.
Smoke-tested with claude-code 2.1.158: with only /.well-known/* covered, the chi `r.Mount("/mcp", ...)` answers `/mcp/.well-known/*` with HTTP 405 because the MCP handler only accepts POST. Newer MCP HTTP clients probe both forms — path-prefix (/mcp/.well-known/X) and path-suffix (/.well-known/X/mcp) — per RFC 9728. A 405 there trips the same `needs-auth` detection as the SPA's HTML 200.

Add the second handler and register BOTH before the /mcp Mount so chi's radix tree resolves the more specific pattern to NotFound instead of letting the MCP handler answer with 405.

Verified with a logging reverse-proxy: claude-code now makes zero .well-known probes during MCP `initialize`; `mcp_servers.status` goes straight to "connected" instead of stopping at "needs-auth".
Summary

The SPA catch-all route was answering `/.well-known/*` discovery probes with an HTML 200. Newer MCP HTTP clients (claude-code et al.) probe `/.well-known/oauth-protected-resource`, `/.well-known/oauth-authorization-server`, and the resource-scoped variants (e.g. `/.well-known/oauth-protected-resource/mcp`) per RFC 9728 / RFC 8414 / OIDC discovery. Getting an HTML 200 back instead of a proper JSON document or a 404 makes them treat it as a broken OAuth flow — they either abort MCP registration outright or infer a phantom authenticate step that doesn't exist.

Radar's MCP endpoint is unauthenticated when run locally. The fix replaces the two previously-hardcoded `oauth-*` paths with a single tree-wide handler that returns a clean 404 for the entire `/.well-known/*` subtree, so clients correctly infer "no auth handshake needed" and proceed with registration.

Scope

`internal/server/server.go` (+ explanatory comment). `/.well-known` route.

Note

Low Risk

Routing-only change for discovery URLs; no auth, API, or SPA behavior outside `/.well-known` paths.

Overview

MCP HTTP clients (e.g. Claude Code) probe `/.well-known/*` and `/mcp/.well-known/*` before MCP initialize. Without explicit handlers, those paths were answered by the SPA catch-all (200 + HTML) or the `/mcp` mount (405 on non-POST), which clients treat as a broken OAuth-protected server and surface phantom authenticate tools.

This change registers `http.NotFoundHandler()` for both subtrees in `setupRoutes`, before the `/mcp` mount and SPA `/*` fallback, so unauthenticated local MCP gets a spec-correct 404 and clients infer no OAuth handshake is required.

Reviewed by Cursor Bugbot for commit 3bbfa36.
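The routing behaviour described in the commit message and in the Overview above, as an added, stand-alone example that is not Radar's own code. The project routes with chi, but this version uses the standard library's `http.ServeMux` so it runs without dependencies; the `NewRouter`, `Probe`, `AllNotFound` and `DiscoveryProbes` names are hypothetical, the SPA and MCP handlers are stand-ins, and `/.well-known/openid-configuration` is an extra probe added for the OIDC case the page mentions. `NewRouter(false)` reproduces the pre-fix table (SPA catch-all plus a POST-only `/mcp` subtree), and `NewRouter(true)` adds the two `http.NotFoundHandler()` registrations. One difference to keep in mind: `ServeMux` always selects the longest matching pattern, so registration order does not matter here, whereas the commit message registers both handlers before chi's `/mcp` Mount so the more specific pattern wins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// spaHandler stands in for the SPA catch-all: every unmatched path gets the
// index page with HTTP 200, which is what discovery clients misread as a
// broken OAuth flow.
func spaHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<!doctype html><title>radar</title>")
}

// mcpHandler stands in for the mounted MCP endpoint, which only accepts POST;
// any other method gets the 405 the commit message describes.
func mcpHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":{}}`)
}

// NewRouter (hypothetical) builds the route table. withWellKnownFix=false
// reproduces the pre-fix behaviour; true registers explicit 404 handlers for
// both discovery subtrees, mirroring the PR's change.
func NewRouter(withWellKnownFix bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", spaHandler)     // SPA catch-all
	mux.HandleFunc("/mcp", mcpHandler)  // bare MCP endpoint
	mux.HandleFunc("/mcp/", mcpHandler) // MCP subtree (the chi Mount equivalent)
	if withWellKnownFix {
		// A trailing slash makes the pattern cover the whole subtree. ServeMux
		// picks the longest matching pattern, so these win over "/" and "/mcp/"
		// regardless of registration order.
		mux.Handle("/.well-known/", http.NotFoundHandler())
		mux.Handle("/mcp/.well-known/", http.NotFoundHandler())
	}
	return mux
}

// Probe issues one in-memory request and returns the status code a
// discovery client would see.
func Probe(h http.Handler, method, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

// DiscoveryProbes lists the forms the page describes (bare, resource-scoped
// suffix, and path-prefix) plus the OIDC discovery path as a constructed extra.
var DiscoveryProbes = []string{
	"/.well-known/oauth-protected-resource",
	"/.well-known/oauth-authorization-server",
	"/.well-known/oauth-protected-resource/mcp",
	"/.well-known/openid-configuration",
	"/mcp/.well-known/oauth-protected-resource",
	"/mcp/.well-known/oauth-authorization-server",
}

// AllNotFound reports whether every discovery probe gets a clean 404, i.e.
// whether a client should conclude that no auth handshake is needed.
func AllNotFound(h http.Handler) bool {
	for _, p := range DiscoveryProbes {
		if Probe(h, http.MethodGet, p) != http.StatusNotFound {
			return false
		}
	}
	return true
}

func main() {
	for _, fixed := range []bool{false, true} {
		h := NewRouter(fixed)
		fmt.Printf("well-known fix applied: %v\n", fixed)
		for _, p := range DiscoveryProbes {
			fmt.Printf("  GET  %-46s -> %d\n", p, Probe(h, http.MethodGet, p))
		}
		fmt.Printf("  POST %-46s -> %d\n", "/mcp", Probe(h, http.MethodPost, "/mcp"))
	}
}
```

Running it prints two tables: before the fix the bare and suffix probes return 200 (SPA HTML) and the `/mcp/.well-known/*` probes return 405, while after the fix every probe returns 404 and `POST /mcp` still reaches the MCP handler, which is the outcome the reverse-proxy verification in the commit message relies on.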