Skip to content

🔑 fix: Type-Safe User Context Forwarding for Non-OAuth Tool Discovery#12348

Merged
danny-avila merged 2 commits into
danny-avila:devfrom
crossagent:fix/mcp-vars
Mar 21, 2026
Merged

🔑 fix: Type-Safe User Context Forwarding for Non-OAuth Tool Discovery#12348
danny-avila merged 2 commits into
danny-avila:devfrom
crossagent:fix/mcp-vars

Conversation

@crossagent

Copy link
Copy Markdown
Contributor

Summary

This PR fixes a bug that prevents MCP servers from being shared by multiple users when user-specific API keys / authentication are passed via customUserVars inside URL query parameters or headers (e.g., ?key={{user_api_key}}).

Previously, during unauthenticated tool discovery, MCPManager.ts omitted the user and customUserVars parameters when calling MCPConnectionFactory.discoverTools(). Because of this bug, dynamic placeholders in the server config URL were never replaced with the corresponding user's tokens. This resulted in literal strings like ?key={{user_api_key}} being sent backward to the MCP server endpoint, causing connection request parameters to error out and fail.

By explicitly forwarding the customUserVars and user properties into the config options for discoverTools, shared MCP servers relying on per-user custom variables now successfully substitute credentials and work perfectly as intended for all users.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

Test Configuration:

  1. Configure an MCP server in librechat.yaml with requiresOAuth: false.
  2. Define a customUserVars for the user API Key, and map it via a placeholder in the connection url (e.g., url: "https://my-mcp.server.com/server?key={{MY_CUSTOM_KEY}}").
  3. From the UI, enter the specific API key for that server under the User profile and hit 'Reinstall' / 'refresh tools'.

Result Status:

  • Without this PR: The literal string {{MY_CUSTOM_KEY}} is passed across the streamable-http client transport, resulting in a Server-side [PARAM_ERROR] / empty parameter rejection from the MCP backend.
  • With this PR: The substituted value correctly materializes (e.g. ?key=c527bd0...) resulting in a successful HTTP 200 payload and successful tool discovery.

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • Local unit tests pass with my changes

crossagent and others added 2 commits March 21, 2026 14:17
Extract UserConnectionContext from OAuthConnectionOptions to properly
model the non-OAuth case where user/customUserVars/requestBody need
placeholder resolution without requiring OAuth-specific fields.

- Remove prohibited `as unknown as` double-cast
- Forward requestBody and connectionTimeout (previously omitted)
- Add unit tests for argument forwarding at Manager and Factory layers
- Add integration test exercising real processMCPEnv substitution
@danny-avila danny-avila changed the title fix(mcp): pass missing customUserVars yielding dynamic API key support for MCP connections 🔑 fix: Type-Safe User Context Forwarding for Non-OAuth Tool Discovery Mar 21, 2026
@danny-avila
danny-avila changed the base branch from main to dev March 21, 2026 16:41
@danny-avila
danny-avila merged commit 290984c into danny-avila:dev Mar 21, 2026
8 checks passed
jcbartle pushed a commit to jcbartle/LibreChat that referenced this pull request May 11, 2026
…danny-avila#12348)

* fix(mcp): pass missing customUserVars and user during unauthenticated tool discovery

* fix(mcp): type-safe user context forwarding for non-OAuth tool discovery

Extract UserConnectionContext from OAuthConnectionOptions to properly
model the non-OAuth case where user/customUserVars/requestBody need
placeholder resolution without requiring OAuth-specific fields.

- Remove prohibited `as unknown as` double-cast
- Forward requestBody and connectionTimeout (previously omitted)
- Add unit tests for argument forwarding at Manager and Factory layers
- Add integration test exercising real processMCPEnv substitution

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
ThomasVuNguyen pushed a commit to ThomasVuNguyen/LibreChat that referenced this pull request Jul 15, 2026
…danny-avila#12348)

* fix(mcp): pass missing customUserVars and user during unauthenticated tool discovery

* fix(mcp): type-safe user context forwarding for non-OAuth tool discovery

Extract UserConnectionContext from OAuthConnectionOptions to properly
model the non-OAuth case where user/customUserVars/requestBody need
placeholder resolution without requiring OAuth-specific fields.

- Remove prohibited `as unknown as` double-cast
- Forward requestBody and connectionTimeout (previously omitted)
- Add unit tests for argument forwarding at Manager and Factory layers
- Add integration test exercising real processMCPEnv substitution

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants