From fcc2d598c8da431d260da560f8aeeeb181702063 Mon Sep 17 00:00:00 2001 From: SATISH K C <157192662+satishkc7@users.noreply.github.com> Date: Tue, 31 Mar 2026 03:52:34 -0500 Subject: [PATCH] fix: include API key in CORS proxy requests for MCP connections (#21193) * fix: include API key in CORS proxy requests for MCP connections When llama-server is started with --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint requires authentication. The WebUI was not including the Authorization header in proxy requests, causing MCP connections to fail with 401. Inject getAuthHeaders() into requestInit when useProxy is true so the proxy request carries the Bearer token alongside the forwarded target headers. Fixes #21167 * fix: simplify headers assignment based on reviewer suggestion Apply buildProxiedHeaders only when useProxy is true, pass headers directly to the transport otherwise. --- tools/server/webui/src/lib/services/mcp.service.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tools/server/webui/src/lib/services/mcp.service.ts b/tools/server/webui/src/lib/services/mcp.service.ts index cf401bc30e..9d11dd9a08 100644 --- a/tools/server/webui/src/lib/services/mcp.service.ts +++ b/tools/server/webui/src/lib/services/mcp.service.ts @@ -42,6 +42,7 @@ import type { import { buildProxiedUrl, buildProxiedHeaders, + getAuthHeaders, throwIfAborted, isAbortError, createBase64DataUrl @@ -124,7 +125,14 @@ export class MCPService { const requestInit: RequestInit = {}; if (config.headers) { - requestInit.headers = buildProxiedHeaders(config.headers); + requestInit.headers = config.useProxy ? buildProxiedHeaders(config.headers) : config.headers; + } + + if (useProxy) { + requestInit.headers = { + ...getAuthHeaders(), + ...(requestInit.headers as Record) + }; } if (config.credentials) {