Release-cycle review found the /mcp Basic path skipped the controller's
pre-token gates and over-eagerly minted sessions:
- SSO/MFA bypass (blocker): the Basic path called AuthService.login/
verifyUserCredentials directly, but validateSsoEnforcement + the lazy EE MFA
gate live in AuthController.login. Now enforceBasicLoginGate runs in the Basic
branch BEFORE any token is minted: validateSsoEnforcement(workspace) (reject
on enforced SSO) and the same lazy-require MFA check the controller uses
(reject MFA users -> 'use a Bearer access token'). No EE module bundled (this
fork) -> no MFA gate, identical to the controller; a throw from the check
fails closed (no token). Bearer/service-account paths are not gated (those
JWTs are minted post-gate).
- Non-init session mint: isSessionInit is now (no mcp-session-id) AND the body
is a real JSON-RPC initialize (isInitializeRequestBody). A header-less
non-initialize request takes the side-effect-free verifyCredentials path -> no
user_sessions row, no USER_LOGIN audit, no lastLoginAt bump.
- FailedLoginLimiter.sweep() now runs on an unref'd 60s interval, cleared on
module destroy (was never scheduled -> unbounded Map growth under XFF rotation).
- Subsequent (non-init) valid login no longer resets the global per-email brute
bucket (only per-IP / per-IP+email); the email backstop is reset only on a
deliberate init login.
Note: in a hypothetical EE build, checkMfaRequirements is called with no
FastifyReply (we only read requirement flags); a res-dereferencing EE impl would
surface as a clean rejection (fail-closed), not a bypass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
bfd79b94bc