Fix project isolation: Make loadChatHistory respect active project sessions

- Modified loadChatHistory() to check for active project before fetching all sessions - When active project exists, use project.sessions instead of fetching from API - Added detailed console logging to debug session filtering - This prevents ALL sessions from appearing in every project's sidebar Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 14:43:05 +00:00
parent b82837aa5f
commit 55aafbae9a
6463 changed files with 1115462 additions and 4486 deletions
--- a/.venv/lib/python3.11/site-packages/mcp/server/auth/handlers/revoke.py
+++ b/.venv/lib/python3.11/site-packages/mcp/server/auth/handlers/revoke.py
@@ -0,0 +1,91 @@
+from dataclasses import dataclass
+from functools import partial
+from typing import Any, Literal
+
+from pydantic import BaseModel, ValidationError
+from starlette.requests import Request
+from starlette.responses import Response
+
+from mcp.server.auth.errors import (
+    stringify_pydantic_error,
+)
+from mcp.server.auth.json_response import PydanticJSONResponse
+from mcp.server.auth.middleware.client_auth import AuthenticationError, ClientAuthenticator
+from mcp.server.auth.provider import AccessToken, OAuthAuthorizationServerProvider, RefreshToken
+
+
+class RevocationRequest(BaseModel):
+    """
+    # See https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
+    """
+
+    token: str
+    token_type_hint: Literal["access_token", "refresh_token"] | None = None
+    client_id: str
+    client_secret: str | None
+
+
+class RevocationErrorResponse(BaseModel):
+    error: Literal["invalid_request", "unauthorized_client"]
+    error_description: str | None = None
+
+
+@dataclass
+class RevocationHandler:
+    provider: OAuthAuthorizationServerProvider[Any, Any, Any]
+    client_authenticator: ClientAuthenticator
+
+    async def handle(self, request: Request) -> Response:
+        """
+        Handler for the OAuth 2.0 Token Revocation endpoint.
+        """
+        try:
+            client = await self.client_authenticator.authenticate_request(request)
+        except AuthenticationError as e:  # pragma: no cover
+            return PydanticJSONResponse(
+                status_code=401,
+                content=RevocationErrorResponse(
+                    error="unauthorized_client",
+                    error_description=e.message,
+                ),
+            )
+
+        try:
+            form_data = await request.form()
+            revocation_request = RevocationRequest.model_validate(dict(form_data))
+        except ValidationError as e:
+            return PydanticJSONResponse(
+                status_code=400,
+                content=RevocationErrorResponse(
+                    error="invalid_request",
+                    error_description=stringify_pydantic_error(e),
+                ),
+            )
+
+        loaders = [
+            self.provider.load_access_token,
+            partial(self.provider.load_refresh_token, client),
+        ]
+        if revocation_request.token_type_hint == "refresh_token":  # pragma: no cover
+            loaders = reversed(loaders)
+
+        token: None | AccessToken | RefreshToken = None
+        for loader in loaders:
+            token = await loader(revocation_request.token)
+            if token is not None:
+                break
+
+        # if token is not found, just return HTTP 200 per the RFC
+        if token and token.client_id == client.client_id:
+            # Revoke token; provider is not meant to be able to do validation
+            # at this point that would result in an error
+            await self.provider.revoke_token(token)
+
+        # Return successful empty response
+        return Response(
+            status_code=200,
+            headers={
+                "Cache-Control": "no-store",
+                "Pragma": "no-cache",
+            },
+        )