fix(core): use public origin for MCP discovery 401

Author: pejmanjohn

packages/core/src/astro/middleware/auth.ts

@@ -67,13 +67,17 @@ function csrfRejectedResponse(): Response {
 	);
 }
 
-function mcpUnauthorizedResponse(url: URL): Response {
+function mcpUnauthorizedResponse(
+	url: URL,
+	config?: Parameters<typeof getPublicOrigin>[1],
+): Response {
+	const origin = getPublicOrigin(url, config);
 	return Response.json(
 		{ error: { code: "NOT_AUTHENTICATED", message: "Not authenticated" } },
 		{
 			status: 401,
 			headers: {
-				"WWW-Authenticate": `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`,
+				"WWW-Authenticate": `Bearer resource_metadata="${origin}/.well-known/oauth-protected-resource"`,
 				...MW_CACHE_HEADERS,
 			},
 		},
@@ -217,7 +221,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	const method = context.request.method.toUpperCase();
 	const isMcpEndpoint = url.pathname === MCP_ENDPOINT_PATH;
 	if (isMcpEndpoint && !isTokenAuth) {
-		return mcpUnauthorizedResponse(url);
+		return mcpUnauthorizedResponse(url, context.locals.emdash?.config);
 	}
 
 	// CSRF protection: require X-EmDash-Request header on state-changing requests.

packages/core/tests/unit/auth/mcp-discovery-post.test.ts

@@ -48,6 +48,7 @@ async function runAuthMiddleware(opts: {
 	method?: string;
 	headers?: HeadersInit;
 	sessionUserId?: string | null;
+	siteUrl?: string;
 }) {
 	const url = new URL(opts.pathname, "https://example.com");
 	const session = {
@@ -76,7 +77,7 @@ async function runAuthMiddleware(opts: {
 			locals: {
 				emdash: {
 					db: {},
-					config: {},
+					config: opts.siteUrl ? { siteUrl: opts.siteUrl } : {},
 				},
 			},
 			session,
@@ -120,6 +121,20 @@ describe("MCP discovery auth middleware", () => {
 		expect(session.get).not.toHaveBeenCalled();
 	});
 
+	it("uses the configured public origin for anonymous MCP POST discovery responses", async () => {
+		const { response, next } = await runAuthMiddleware({
+			pathname: "/_emdash/api/mcp",
+			headers: { "Content-Type": "application/json" },
+			siteUrl: "https://public.example.com",
+		});
+
+		expect(next).not.toHaveBeenCalled();
+		expect(response.status).toBe(401);
+		expect(response.headers.get("WWW-Authenticate")).toBe(
+			'Bearer resource_metadata="https://public.example.com/.well-known/oauth-protected-resource"',
+		);
+	});
+
 	it("returns 401 with discovery metadata for invalid bearer tokens on MCP POST", async () => {
 		const { response, next } = await runAuthMiddleware({
 			pathname: "/_emdash/api/mcp",