[v1.x] fix(auth): coerce empty-string optional URL fields to None in OAuthClientMetadata #2405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

felixweinberger merged 3 commits into v1.x from fweinberger/dcr-empty-url-coerce-v1x

Apr 13, 2026

+99 −1

Merged

[v1.x] fix(auth): coerce empty-string optional URL fields to None in OAuthClientMetadata #2405

fix(auth): coerce empty-string optional URL fields to None in OAuthCl…

Claude / Claude Code Review completed Apr 8, 2026 in 7m 23s

Code review found 1 potential issue

Found 5 candidates, confirmed 1. See review comments for details.

Details

Severity	Count
🔴 Important	0
🟡 Nit	0
🟣 Pre-existing	1

Severity	File:Line	Issue
🟣 Pre-existing	`src/mcp/shared/auth.py:74-94`	Missing empty-string coercion in OAuthMetadata and ProtectedResourceMetadata

Annotations

Check notice on line 94 in src/mcp/shared/auth.py

claude / Claude Code Review

Missing empty-string coercion in OAuthMetadata and ProtectedResourceMetadata

This PR correctly adds empty-string coercion for `OAuthClientMetadata`, but `OAuthMetadata` and `ProtectedResourceMetadata` have the same defect for their optional `AnyHttpUrl` fields and are left unprotected. This is a pre-existing gap — the PR does not introduce or modify these classes — but the same Postel's law rationale applies equally to them.

View more details on Claude