Skip to content

fix: exempt MCP endpoint from session auth in proxy#132

Merged
liamwalder merged 3 commits intomainfrom
fix/mcp-cloud-proxy-bypass
Apr 7, 2026
Merged

fix: exempt MCP endpoint from session auth in proxy#132
liamwalder merged 3 commits intomainfrom
fix/mcp-cloud-proxy-bypass

Conversation

@ysamcode
Copy link
Copy Markdown
Collaborator

@ysamcode ysamcode commented Apr 4, 2026

Summary

Fix MCP endpoint not working on Ycode Cloud. The cloud proxy intercepts
all /ycode/* routes and requires session auth, which redirects MCP
clients to the login page instead of reaching the route handler. MCP
authenticates via its own URL token, not session cookies.

Changes

  • Add explicit /ycode/mcp/ bypass in proxy.ts before the session auth check
  • Add maxDuration: 60 for MCP route in vercel.json (was missing because the
    existing glob app/ycode/api/**/*.ts doesn't match app/(builder)/ycode/mcp/)
  • Install missing @modelcontextprotocol/sdk dependency (was listed in
    package.json but absent from node_modules, causing TypeScript build failures
    for all lib/mcp/tools/*.ts files)

Still required (cloud overlay)

This fix alone does not resolve the issue on Ycode Cloud. The cloud
deployment uses a path-alias overlay that replaces proxy.ts with its
own version. The cloud overlay proxy must also skip session auth for
/ycode/mcp/ routes — add the same early-return pattern:

if (pathname.startsWith('/ycode/mcp/')) {
  // MCP uses its own token auth — skip session auth
  const response = NextResponse.next();
  response.headers.set('x-pathname', pathname);
  // set x-tenant-id if needed for tenant-scoped DB queries
  return response;
}

Without this cloud-side change, MCP requests will continue to be
redirected to the login page on *.ycode.website domains.

Test plan

  • Self-hosted: verify MCP still connects successfully via Cursor/Claude
  • Cloud: after updating the cloud overlay, verify MCP connects on *.ycode.website
  • Verify npm run type-check passes (no more MCP SDK resolution errors)
  • Verify MCP tool calls don't time out on Vercel (60s limit now applied)

Made with Cursor

@ysamcode
fix: exempt MCP endpoint from session auth in proxy
09f2d52 
The cloud proxy intercepts all /ycode/* routes and requires session
auth, which blocks MCP clients that authenticate via URL token.

- Skip session auth for /ycode/mcp/ paths in proxy
- Extend Vercel function timeout to cover MCP route handlers
- Install missing @modelcontextprotocol/sdk (was in package.json
  but absent from node_modules, causing TS build failures)

Made-with: Cursor
@ysamcode ysamcode added the Bug Something isn't working label Apr 4, 2026
@ysamcode ysamcode self-assigned this Apr 4, 2026
@ysamcode ysamcode added the Bug Something isn't working label Apr 4, 2026
Base automatically changed from develop to main April 6, 2026 08:27
@liamwalder liamwalder closed this Apr 7, 2026
@liamwalder liamwalder deleted the fix/mcp-cloud-proxy-bypass branch April 7, 2026 07:10
@liamwalder liamwalder restored the fix/mcp-cloud-proxy-bypass branch April 7, 2026 07:12
@liamwalder liamwalder reopened this Apr 7, 2026
@liamwalder liamwalder merged commit 4caf0d2 into main Apr 7, 2026
3 checks passed
@liamwalder liamwalder deleted the fix/mcp-cloud-proxy-bypass branch April 7, 2026 07:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liamwalder liamwalder liamwalder approved these changes

@lunenas lunenas Awaiting requested review from lunenas lunenas is a code owner

@tristan-mouchet tristan-mouchet Awaiting requested review from tristan-mouchet tristan-mouchet is a code owner

Assignees

@ysamcode ysamcode

Labels

Bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ysamcode @liamwalder