fix(http): auto-extract caller User-Agent in get_client()

timothedelion · timothedelion · commit 990a5d899576 · 2026-03-25T10:55:18.000+01:00
Tool handlers call get_client() directly from utils without passing
user_agent, bypassing the MCP server's _get_caller_user_agent() method.
This caused all tool-initiated API calls to use the default
"GitGuardian-MCP-Server/&lt;version&gt;" user-agent instead of forwarding
the caller's (e.g. "GitGuardian-In-App-Agent").

Move user-agent extraction into utils.get_client() so all callers
benefit automatically.

Issue: #
diff --git a/packages/gg_api_core/src/gg_api_core/mcp_server.py b/packages/gg_api_core/src/gg_api_core/mcp_server.py
@@ -160,22 +160,9 @@ async def get_token_info(self) -> dict[str, Any]:
         """Return the token info dictionary."""
         pass
 
-    def _get_caller_user_agent(self) -> str | None:
-        """Try to extract User-Agent from the incoming MCP request headers.
-
-        Returns None if not available (e.g. stdio transport).
-        """
-        try:
-            headers = get_http_headers(include={"user-agent"})
-            return headers.get("user-agent") if headers else None
-        except Exception:
-            logger.exception("Error when trying to extract User-Agent from headers")
-            return None
-
     async def get_client(self) -> GitGuardianClient:
         return await get_client(
             personal_access_token=self.get_personal_access_token(),
-            user_agent=self._get_caller_user_agent(),
         )
 
     async def revoke_current_token(self) -> dict[str, Any]:
diff --git a/packages/gg_api_core/src/gg_api_core/oauth.py b/packages/gg_api_core/src/gg_api_core/oauth.py
@@ -688,7 +688,7 @@ async def redirect_handler(authorization_url: str) -> None:
             headers: dict[str, str] = {
                 "Content-Type": "application/x-www-form-urlencoded",
                 "X-Token-Name": str(self.token_name),  # Custom header with token name
-                "User-Agent": f"MCP-Server/{self.token_name}",  # Include in user agent
+                "User-Agent": f"GitGuardian-MCP-Server/{self.token_name}",  # Include in user agent
             }
 
             async with httpx.AsyncClient(follow_redirects=True) as client:
diff --git a/packages/gg_api_core/src/gg_api_core/utils.py b/packages/gg_api_core/src/gg_api_core/utils.py
@@ -66,6 +66,8 @@ async def get_client(personal_access_token: str | None = None, user_agent: str |
 
     Args:
         personal_access_token: Optional PAT for explicit authentication.
+        user_agent: Optional User-Agent string. If not provided, automatically
+            extracted from incoming HTTP request headers (when available).
 
     Returns:
         GitGuardianClient: Client instance configured with appropriate authentication
@@ -74,6 +76,10 @@ async def get_client(personal_access_token: str | None = None, user_agent: str |
         ValidationError: In multi-tenant mode, if MCP_PORT not set or Authorization header missing
         RuntimeError: In single-tenant mode, if no token source is available
     """
+    # Extract caller User-Agent from HTTP headers if not explicitly provided
+    if user_agent is None:
+        user_agent = _get_caller_user_agent()
+
     # 1. Explicit PAT provided - caller manages the token (no caching, no automatic refresh)
     if personal_access_token:
         logger.debug("Creating client with explicitly provided token")
@@ -107,6 +113,19 @@ async def get_client(personal_access_token: str | None = None, user_agent: str |
     return _client_singleton
 
 
+def _get_caller_user_agent() -> str | None:
+    """Try to extract User-Agent from the incoming MCP request headers.
+
+    Returns None if not available (e.g. stdio transport).
+    """
+    try:
+        headers = get_http_headers(include={"user-agent"})
+        return headers.get("user-agent") if headers else None
+    except Exception:
+        logger.exception("Error when trying to extract User-Agent from headers")
+        return None
+
+
 def _get_token_from_request_headers() -> str:
     """Extract personal access token from HTTP request headers.
 
diff --git a/tests/test_get_client_safeguards.py b/tests/test_get_client_safeguards.py
@@ -5,7 +5,7 @@
 
 import pytest
 from fastmcp.exceptions import ValidationError
-from gg_api_core.utils import get_client, get_mcp_port_or_none, is_multi_tenant_mode
+from gg_api_core.utils import _get_caller_user_agent, get_client, get_mcp_port_or_none, is_multi_tenant_mode
 
 
 class TestGetMcpPortOrNone:
@@ -128,7 +128,7 @@ async def test_multi_tenant_extracts_token_from_headers(self, mock_client_class,
         GIVEN MULTI_TENANCY_ENABLED=true and MCP_PORT is set
         AND Authorization header is present
         WHEN get_client is called
-        THEN it extracts token from headers and creates new client
+        THEN it extracts token and user-agent from headers and creates new client
         """
         mock_get_headers.return_value = {"authorization": "Bearer request-token"}
         mock_client = MagicMock()
@@ -140,6 +140,31 @@ async def test_multi_tenant_extracts_token_from_headers(self, mock_client_class,
         mock_client_class.assert_called_once_with(personal_access_token="request-token", user_agent=None)
         assert result == mock_client
 
+    @patch("gg_api_core.utils.get_http_headers")
+    @patch("gg_api_core.utils.GitGuardianClient")
+    async def test_multi_tenant_forwards_caller_user_agent(self, mock_client_class, mock_get_headers):
+        """
+        GIVEN MULTI_TENANCY_ENABLED=true and MCP_PORT is set
+        AND request has both Authorization and User-Agent headers
+        WHEN get_client is called
+        THEN the caller's User-Agent is forwarded to GitGuardianClient
+        """
+        mock_get_headers.return_value = {
+            "authorization": "Bearer request-token",
+            "user-agent": "GitGuardian-In-App-Agent",
+        }
+        mock_client = MagicMock()
+        mock_client_class.return_value = mock_client
+
+        with patch.dict(os.environ, {"MULTI_TENANCY_ENABLED": "true", "MCP_PORT": "8080"}, clear=True):
+            result = await get_client()
+
+        mock_client_class.assert_called_once_with(
+            personal_access_token="request-token",
+            user_agent="GitGuardian-In-App-Agent",
+        )
+        assert result == mock_client
+
     @patch("gg_api_core.utils.get_http_headers")
     @patch("gg_api_core.utils.GitGuardianClient")
     async def test_multi_tenant_creates_new_client_per_request(self, mock_client_class, mock_get_headers):
@@ -148,9 +173,13 @@ async def test_multi_tenant_creates_new_client_per_request(self, mock_client_cla
         WHEN get_client is called multiple times with different tokens
         THEN it creates a new client each time (no singleton)
         """
+        # get_http_headers is called twice per get_client():
+        # once for user-agent extraction, once for authorization extraction
         mock_get_headers.side_effect = [
-            {"authorization": "Bearer token1"},
-            {"authorization": "Bearer token2"},
+            {"authorization": "Bearer token1", "user-agent": "Agent1"},
+            {"authorization": "Bearer token1", "user-agent": "Agent1"},
+            {"authorization": "Bearer token2", "user-agent": "Agent2"},
+            {"authorization": "Bearer token2", "user-agent": "Agent2"},
         ]
         mock_client1 = MagicMock()
         mock_client2 = MagicMock()
@@ -338,3 +367,99 @@ async def test_multi_tenant_never_uses_singleton(self, mock_client_class, mock_g
         assert mock_client_class.call_count == 3
         # Singleton should remain None
         assert gg_api_core.utils._client_singleton is None
+
+
+class TestCallerUserAgentExtraction:
+    """Tests for _get_caller_user_agent() and automatic user-agent forwarding."""
+
+    @patch("gg_api_core.utils.get_http_headers")
+    def test_extracts_user_agent_from_headers(self, mock_get_headers):
+        """
+        GIVEN an HTTP request with a User-Agent header
+        WHEN _get_caller_user_agent is called
+        THEN it returns the user-agent string
+        """
+        mock_get_headers.return_value = {"user-agent": "GitGuardian-In-App-Agent"}
+
+        result = _get_caller_user_agent()
+
+        assert result == "GitGuardian-In-App-Agent"
+
+    @patch("gg_api_core.utils.get_http_headers")
+    def test_returns_none_when_no_user_agent(self, mock_get_headers):
+        """
+        GIVEN an HTTP request without a User-Agent header
+        WHEN _get_caller_user_agent is called
+        THEN it returns None
+        """
+        mock_get_headers.return_value = {"authorization": "Bearer token"}
+
+        result = _get_caller_user_agent()
+
+        assert result is None
+
+    @patch("gg_api_core.utils.get_http_headers")
+    def test_returns_none_when_no_http_context(self, mock_get_headers):
+        """
+        GIVEN no active HTTP request (e.g. stdio transport)
+        WHEN _get_caller_user_agent is called
+        THEN it returns None
+        """
+        mock_get_headers.return_value = {}
+
+        result = _get_caller_user_agent()
+
+        assert result is None
+
+    @patch("gg_api_core.utils.get_http_headers")
+    def test_returns_none_on_exception(self, mock_get_headers):
+        """
+        GIVEN get_http_headers raises an exception
+        WHEN _get_caller_user_agent is called
+        THEN it returns None (graceful degradation)
+        """
+        mock_get_headers.side_effect = RuntimeError("Unexpected error")
+
+        result = _get_caller_user_agent()
+
+        assert result is None
+
+    @patch("gg_api_core.utils.get_http_headers")
+    @patch("gg_api_core.utils.GitGuardianClient")
+    async def test_get_client_auto_extracts_user_agent(self, mock_client_class, mock_get_headers):
+        """
+        GIVEN an HTTP request with User-Agent header
+        WHEN get_client() is called without explicit user_agent (as tool handlers do)
+        THEN the caller's User-Agent is automatically forwarded to GitGuardianClient
+        """
+        mock_get_headers.return_value = {
+            "authorization": "Bearer request-token",
+            "user-agent": "GitGuardian-In-App-Agent",
+        }
+        mock_client_class.return_value = MagicMock()
+
+        with patch.dict(os.environ, {"MULTI_TENANCY_ENABLED": "true", "MCP_PORT": "8080"}, clear=True):
+            await get_client()
+
+        mock_client_class.assert_called_once_with(
+            personal_access_token="request-token",
+            user_agent="GitGuardian-In-App-Agent",
+        )
+
+    @patch("gg_api_core.utils.get_http_headers")
+    @patch("gg_api_core.utils.GitGuardianClient")
+    async def test_explicit_user_agent_takes_precedence(self, mock_client_class, mock_get_headers):
+        """
+        GIVEN an HTTP request with User-Agent header
+        WHEN get_client() is called with an explicit user_agent
+        THEN the explicit user_agent is used, not the one from headers
+        """
+        mock_get_headers.return_value = {"user-agent": "GitGuardian-In-App-Agent"}
+        mock_client_class.return_value = MagicMock()
+
+        await get_client(personal_access_token="explicit-token", user_agent="Custom-Agent")
+
+        mock_client_class.assert_called_once_with(
+            personal_access_token="explicit-token",
+            user_agent="Custom-Agent",
+        )

Original file line number	Diff line number	Diff line change
`@@ -688,7 +688,7 @@ async def redirect_handler(authorization_url: str) -> None:`
`688`	`688`	`headers: dict[str, str] = {`
`689`	`689`	`"Content-Type": "application/x-www-form-urlencoded",`
`690`	`690`	`"X-Token-Name": str(self.token_name), # Custom header with token name`
`691`		`- "User-Agent": f"MCP-Server/{self.token_name}", # Include in user agent`
	`691`	`+ "User-Agent": f"GitGuardian-MCP-Server/{self.token_name}", # Include in user agent`
`692`	`692`	`}`
`693`	`693`
`694`	`694`	`async with httpx.AsyncClient(follow_redirects=True) as client:`