[BUG]: RBAC middleware crashes on token creation

[madhav165]

Description

Token creation via the API fails with an AttributeError when the RBAC middleware attempts to derive a team ID from the request payload.

The _derive_team_from_payload() function in mcpgateway/middleware/rbac.py assumes that any kwarg named request is a FastAPI Request object and calls .headers on it. However, several token endpoints (e.g. create_token, create_team_token, update_token) use request: TokenCreateRequest as a parameter name, passing a Pydantic model instead.

Steps to Reproduce

1. Start the gateway (e.g. via Docker Compose with nginx)
2. Authenticate and obtain a valid JWT
3. POST /tokens with a valid TokenCreateRequest body
4. Observe 500 error

Error

File "/app/mcpgateway/middleware/rbac.py", line 414, in _derive_team_from_payload
    content_type = request.headers.get("content-type", "")
                   ^^^^^^^^^^^^^^^
File ".../pydantic/main.py", line 1026, in __getattr__
    raise AttributeError(f'{type(self).__name__!r} object has no attribute {item!r}')
AttributeError: 'TokenCreateRequest' object has no attribute 'headers'

Root Cause

_derive_team_from_payload() at line 412-413:

request = kwargs.get("request")
if request:
    content_type = request.headers.get("content-type", "")

No type check is performed, so any object passed as a kwarg named request is treated as a FastAPI Request.

Impact

• All token creation endpoints are broken (POST /tokens, POST /tokens/teams/{team_id})
• Token update endpoint is also affected (PUT /tokens/{token_id})
• Any other endpoint using request as a Pydantic body parameter name would hit the same issue

Environment

• Observed in Docker Compose deployment behind nginx
• Affects any deployment where RBAC middleware is active

[crivetimihai]

Reproduction Confirmed

Independently reproduced this bug against a Docker Compose deployment (3 gateway instances behind nginx) running the current main branch code.

Reproduction Method

1. Generated a session JWT with "token_use": "session" and "teams": null (simulating admin UI login):

payload = {
    "sub": "admin@example.com",
    "token_use": "session",
    "teams": None,
    "user": {"email": "admin@example.com", "is_admin": True, ...},
    ...
}

2. Called affected endpoints with this session token.

Verified Crash Endpoints

Endpoint	Request Param Type	HTTP Status	Server Error
POST /tokens	TokenCreateRequest	500	'TokenCreateRequest' object has no attribute 'headers'
PUT /tokens/{id}	TokenUpdateRequest	500	Same pattern
DELETE /tokens/{id} with body	Optional[TokenRevokeRequest]	500	Same pattern
POST /teams/	TeamCreateRequest	500	'TeamCreateRequest' object has no attribute 'headers'
POST /logs/search	LogSearchRequest	Likely affected (router not enabled in test env)

Endpoints NOT Affected (short-circuited)

These endpoints also have Pydantic request params but have team_id in the path, so the RBAC middleware resolves the team before reaching _derive_team_from_payload:

• POST /tokens/teams/{team_id} — team_id from path (returns 400 team-not-found, not 500)
• PUT /teams/{team_id} — team_id from path
• POST /teams/{team_id}/invitations — team_id from path

Interesting Edge Case

DELETE /tokens/{id} (revoke) has request: Optional[TokenRevokeRequest] = None. When called without a body, request is None and the truthiness check if request: skips it — so it works. When called with a body (e.g., {"reason": "..."})), it crashes. This confirms the is not None part of the fix is also relevant.

Why Only Session Tokens Are Affected

The vulnerable code path is guarded by:

if not team_id and user_context.get("token_use") == "session":  # line 541

CLI-generated JWTs and API tokens don't have token_use: session, so they never enter this branch. Only admin UI session tokens trigger the bug.

Root Cause Confirmed

_derive_team_from_payload() at rbac.py:412-413:

request = kwargs.get("request")
if request:  # No isinstance check — treats any truthy object as FastAPI Request
    content_type = request.headers.get("content-type", "")  # CRASH