Remove all request validation from Dash

Author: KoolADE85

dash/mcp/_server.py

@@ -64,11 +64,11 @@ def _url_from_path(*parts: str) -> str:
 
 
 def _setup_mcp_oauth(app: Dash, mcp_path: str, mcp_authorization_server: str) -> None:
-    """Register OAuth metadata endpoint and auth gate for MCP.
+    """Register RFC 9728 Protected Resource Metadata endpoint for MCP.
 
-    Serves RFC 9728 Protected Resource Metadata so MCP clients can
-    discover the authorization server, and returns 401 with
-    WWW-Authenticate for unauthenticated requests to the MCP endpoint.
+    Serves discovery metadata so MCP clients can find the authorization
+    server. Auth enforcement is the responsibility of the hosting platform
+    (e.g. Plotly Cloud gateway, Dash Embedded, or a reverse proxy).
     """
     well_known_path = urljoin("/.well-known/oauth-protected-resource/", mcp_path)
 
@@ -89,26 +89,10 @@ def _serve_resource_metadata() -> Response:
     # pylint: disable-next=protected-access
     app._add_url(well_known_path.lstrip("/"), _serve_resource_metadata)
 
-    @app.server.before_request
-    def _mcp_require_auth():
-        if request.path != app.config.routes_pathname_prefix + mcp_path:
-            return None
-        auth_header = request.headers.get("Authorization", "")
-        if auth_header.startswith("Bearer "):
-            return None
-        resource_metadata_url = _url_from_path(well_known_path)
-        return Response(
-            json.dumps({"error": "unauthorized"}),
-            status=401,
-            content_type="application/json",
-            headers={
-                "WWW-Authenticate": (
-                    f'Bearer resource_metadata="{resource_metadata_url}"'
-                ),
-            },
-        )
-
-    logger.info("MCP OAuth enabled, authorization server: %s", mcp_authorization_server)
+    logger.info(
+        "MCP OAuth discovery enabled, authorization server: %s",
+        mcp_authorization_server,
+    )
 
 
 def enable_mcp_server(