test: add coverage for PRM resource validation

pcarleton · pcarleton · commit 0e3d18ab822a · 2026-02-05T19:18:07.000Z
Tests for resource mismatch rejection, matching resources,
custom callback override, and root URL trailing slash normalization.
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -492,7 +492,7 @@ async def _validate_resource_match(self, prm: ProtectedResourceMetadata) -> None
             return
 
         if not prm_resource:
-            return
+            return  # pragma: no cover
         default_resource = resource_url_from_server_url(self.context.server_url)
         # Normalize: Pydantic AnyHttpUrl adds trailing slash to root URLs
         # (e.g. "https://example.com/") while resource_url_from_server_url may not.
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -11,6 +11,7 @@
 from pydantic import AnyHttpUrl, AnyUrl
 
 from mcp.client.auth import OAuthClientProvider, PKCEParameters
+from mcp.client.auth.exceptions import OAuthFlowError
 from mcp.client.auth.utils import (
     build_oauth_authorization_server_metadata_discovery_urls,
     build_protected_resource_metadata_discovery_urls,
@@ -818,6 +819,88 @@ async def test_resource_param_included_with_protected_resource_metadata(self, oa
         assert "resource=" in content
 
 
+class TestResourceValidation:
+    """Test PRM resource validation in OAuthClientProvider."""
+
+    @pytest.mark.anyio
+    async def test_rejects_mismatched_resource(self, client_metadata, mock_storage):
+        """Client must reject PRM resource that doesn't match server URL."""
+        provider = OAuthClientProvider(
+            server_url="https://api.example.com/v1/mcp",
+            client_metadata=client_metadata,
+            storage=mock_storage,
+        )
+        provider._initialized = True
+
+        prm = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://evil.example.com/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+        )
+        with pytest.raises(OAuthFlowError, match="does not match expected"):
+            await provider._validate_resource_match(prm)
+
+    @pytest.mark.anyio
+    async def test_accepts_matching_resource(self, client_metadata, mock_storage):
+        """Client must accept PRM resource that matches server URL."""
+        provider = OAuthClientProvider(
+            server_url="https://api.example.com/v1/mcp",
+            client_metadata=client_metadata,
+            storage=mock_storage,
+        )
+        provider._initialized = True
+
+        prm = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+        )
+        # Should not raise
+        await provider._validate_resource_match(prm)
+
+    @pytest.mark.anyio
+    async def test_custom_validate_resource_url_callback(self, client_metadata, mock_storage):
+        """Custom callback overrides default validation."""
+        callback_called_with: list[tuple[str, str | None]] = []
+
+        async def custom_validate(server_url: str, prm_resource: str | None) -> None:
+            callback_called_with.append((server_url, prm_resource))
+
+        provider = OAuthClientProvider(
+            server_url="https://api.example.com/v1/mcp",
+            client_metadata=client_metadata,
+            storage=mock_storage,
+            validate_resource_url=custom_validate,
+        )
+        provider._initialized = True
+
+        # This would normally fail default validation (different origin),
+        # but custom callback accepts it
+        prm = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://evil.example.com/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+        )
+        await provider._validate_resource_match(prm)
+        assert len(callback_called_with) == 1
+        assert callback_called_with[0][0] == "https://api.example.com/v1/mcp"
+        assert callback_called_with[0][1] == "https://evil.example.com/mcp"
+
+    @pytest.mark.anyio
+    async def test_accepts_root_url_with_trailing_slash(self, client_metadata, mock_storage):
+        """Root URLs with trailing slash normalization should match."""
+        provider = OAuthClientProvider(
+            server_url="https://api.example.com",
+            client_metadata=client_metadata,
+            storage=mock_storage,
+        )
+        provider._initialized = True
+
+        prm = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://api.example.com/"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+        )
+        # Should not raise despite trailing slash difference
+        await provider._validate_resource_match(prm)
+
+
 class TestRegistrationResponse:
     """Test client registration response handling."""
 
