fix(auth): reject empty-fragment redirect_uri (RFC 7591 §2)

Author: CrypticCortex

src/mcp/server/auth/routes.py

@@ -65,7 +65,7 @@ def validate_registered_redirect_uri(url: AnyUrl) -> None:
     if url.scheme == "http" and url.host not in ("localhost", "127.0.0.1", "[::1]"):
         raise InvalidRedirectUriError(f"redirect_uri must use https for non-loopback hosts; got {str(url)!r}")
     # RFC 7591 §2: redirect_uri MUST NOT contain a fragment component.
-    if url.fragment:
+    if url.fragment is not None:
         raise InvalidRedirectUriError(f"redirect_uri must not have a fragment; got {str(url)!r}")
 
 

tests/server/auth/test_routes.py

@@ -102,3 +102,8 @@ def test_validate_registered_redirect_uri_http_127_prefix_domain_rejected():
 def test_validate_registered_redirect_uri_fragment_rejected():
     with pytest.raises(InvalidRedirectUriError, match="must not have a fragment"):
         validate_registered_redirect_uri(AnyUrl("https://example.com/cb#frag"))
+
+
+def test_validate_registered_redirect_uri_empty_fragment_rejected():
+    with pytest.raises(InvalidRedirectUriError, match="must not have a fragment"):
+        validate_registered_redirect_uri(AnyUrl("https://example.com/cb#"))