feat(auth): enhance AuthContext for server-side handling

[pedrofrxncx]

Added a new serverSide property to the AuthContext interface to manage MCP OAuth and API key sessions more effectively. Updated the createBoundAuthClient function to conditionally use empty headers for server-side calls, ensuring compatibility with Better Auth's session middleware. Adjusted related functions to utilize the new property for user ID resolution and header management.

What is this contribution about?

Describe your changes and why they're needed.

Screenshots/Demonstration

Add screenshots or a Loom video if your changes affect the UI.

How to Test

Provide step-by-step instructions for reviewers to test your changes:

1. Step one
2. Step two
3. Expected outcome

Migration Notes

If this PR requires database migrations, configuration changes, or other setup steps, document them here. Remove this section if not applicable.

Review Checklist

• PR title is clear and descriptive
• Changes are tested and working
• Documentation is updated (if needed)
• No breaking changes

---

Summary by cubic

Adds a serverSide flag to AuthContext and routes server-side MCP OAuth/API key flows without Authorization headers to keep Better Auth session middleware from mis-resolving tokens. This fixes org/member queries on the server by using query/body params and correct user scoping.

• Bug Fixes
  • createBoundAuthClient: when serverSide, sends empty headers to Better Auth and relies on query/body params instead of Bearer tokens.
  • Corrects user scoping: for server-side org listing, prefers the provided userId or falls back to context userId.
  • Marks MCP OAuth sessions in authenticateRequest and sets serverSide in createMeshContextFactory when MCP OAuth or API key is detected.

^{Written for commit 6fdb139. Summary will update on new commits.}

[github-actions]

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

Reaction	Action
👍	Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.

[github-actions]

Release Options

Should a new version be published when this PR is merged?

React with an emoji to vote on the release type:

Reaction	Type	Next Version
👍	Prerelease	2.175.2-alpha.1
🎉	Patch	2.175.2
❤️	Minor	2.176.0
🚀	Major	3.0.0

Current version: 2.175.1

Deployment

• Deploy to production (triggers ArgoCD sync after Docker image is published)

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/mesh/src/core/context-factory.ts">

<violation number="1" location="apps/mesh/src/core/context-factory.ts:312">
P2: Clearing headers here breaks `organization.get()` for server-side auth because existing callers rely on the active organization from session and do not pass an `organizationId`.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Clearing headers here breaks organization.get() for server-side auth because existing callers rely on the active organization from session and do not pass an organizationId.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/mesh/src/core/context-factory.ts, line 312:

<comment>Clearing headers here breaks `organization.get()` for server-side auth because existing callers rely on the active organization from session and do not pass an `organizationId`.</comment>

<file context>
@@ -303,15 +309,16 @@ export function createBoundAuthClient(ctx: AuthContext): BoundAuthClient {
       get: async (organizationId) => {
         return auth.api.getFullOrganization({
-          headers,
+          headers: serverSide ? serverHeaders : headers,
           query: organizationId ? { organizationId } : undefined,
         });
</file context>