From bdbe078630dd1cb914830b9154871c3e833f1d4a Mon Sep 17 00:00:00 2001
From: quicksand
Date: Mon, 15 Sep 2025 19:24:12 +0800
Subject: [PATCH] fix(mcp): prevent masked headers from overwriting real values (#25722)
---
 .../tools/mcp_tools_manage_service.py | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/api/services/tools/mcp_tools_manage_service.py b/api/services/tools/mcp_tools_manage_service.py
index 7e301c9bac..dd626dd615 100644
--- a/api/services/tools/mcp_tools_manage_service.py
+++ b/api/services/tools/mcp_tools_manage_service.py
@@ -259,11 +259,30 @@ class MCPToolManageService:
 if sse_read_timeout is not None:
 mcp_provider.sse_read_timeout = sse_read_timeout
 if headers is not None:
- # Encrypt headers
+ # Merge masked headers from frontend with existing real values
 if headers:
- encrypted_headers_dict = MCPToolManageService._encrypt_headers(headers, tenant_id)
+ # existing decrypted and masked headers
+ existing_decrypted = mcp_provider.decrypted_headers
+ existing_masked = mcp_provider.masked_headers
+
+ # Build final headers: if value equals masked existing, keep original decrypted value
+ final_headers: dict[str, str] = {}
+ for key, incoming_value in headers.items():
+ if (
+ key in existing_masked
+ and key in existing_decrypted
+ and isinstance(incoming_value, str)
+ and incoming_value == existing_masked.get(key)
+ ):
+ # unchanged, use original decrypted value
+ final_headers[key] = str(existing_decrypted[key])
+ else:
+ final_headers[key] = incoming_value
+
+ encrypted_headers_dict = MCPToolManageService._encrypt_headers(final_headers, tenant_id)
 mcp_provider.encrypted_headers = json.dumps(encrypted_headers_dict)
 else:
+ # Explicitly clear headers if empty dict passed
 mcp_provider.encrypted_headers = None
 db.session.commit()
 except IntegrityError as e:
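Review bot: The branch `final_headers[key] = str(existing_decrypted[key])` reuses a stored secret whenever the client echoes its mask, and nothing in this hunk ties that reuse to the provider's server URL staying the same. If the enclosing update method, which starts and ends outside the hunk, can change the URL in the same call, stored credentials would be sent to a destination chosen by an editor who never knew the values. I would reuse stored values only when the URL is unchanged and otherwise require the headers to be re-entered, e.g. `if server_url_changed and incoming_value == existing_masked.get(key): raise ValueError("re-enter header values when changing the server URL")`, where `server_url_changed` is a placeholder for a flag this patch does not define. Separately, the key lookup is exact-case, so a masked value re-sent under `authorization` instead of `Authorization` falls into the `else` branch and the mask string itself is encrypted and stored. Normalising header names before the lookup, or rejecting an incoming value that equals any existing mask, would avoid silently replacing a working credential with its mask.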