Authorization middleware does not filter tools list #1188

@blkt

Bug description

The Authorization middleware assumes that the response for the tools/list call is sent over the same socket as the request's (see here).
This is not the case for the SSE transport, where JSON-RPC responses are sent over another, previously obtained connection usually (but not necessarily) via an HTTP GET.

Additionally, HTTP GETs are skipped here because they don't have a body, and their ResponseWriter is not wrapped, so no policy is applied to response bodies.

This does not affect the Streamable HTTP transport, which sees responses returned on the same TCP stream, but it's still affected by another bug on JSON parsing.

Steps to reproduce

I could only verify it using dlv and curl. See here for some example steps, but bear in mind that, when using SSE transport, the StacklokLabs/gofetch MCP server relies on a single endpoint, namely /sse, for both the SSE stream and messages, which is not conformant to the MCP spec.

Additional context

This is a tough question, as this authorization mechanism requires session management to work with SSE transport, but sessions are optional in the MCP spec. We might have to rethink the feature from first principles.
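
The gap described in this report can be reproduced in isolation. The following is an added example, not the project's middleware: `authz`, `filterWriter`, the `/messages` path, the `admin_exec` tool and the JSON payload are all constructed for illustration. It shows a filter that wraps only non-GET responses hiding the denied tool when the result returns on the request's connection, and missing it when the result is delivered on the SSE stream.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed tools/list result; policy (assumed) must hide "admin_exec".
const toolsJSON = `{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"fetch"},{"name":"admin_exec"}]}}`
// filterWriter is a hypothetical wrapper that strips the denied tool per write.
type filterWriter struct{ http.ResponseWriter }
func (w filterWriter) Write(p []byte) (int, error) {
	w.ResponseWriter.Write([]byte(strings.Replace(string(p), `,{"name":"admin_exec"}`, "", 1)))
	return len(p), nil
}

// authz reproduces the assumption from the report: GETs pass through unwrapped.
func authz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w = filterWriter{w}
		}
		next.ServeHTTP(w, r)
	})
}

// leaks reports whether the denied tool reaches the client on a transport.
func leaks(sse bool) bool {
	pending := make(chan string, 1) // stands in for per-session SSE delivery
	h := authz(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodGet: // SSE stream carries the queued result
			w.Write([]byte("event: message\ndata: " + <-pending + "\n\n"))
		case sse: // SSE: the POST only queues the result for the stream
			pending <- toolsJSON
		default: // Streamable HTTP: result returns on the request's connection
			w.Write([]byte(toolsJSON))
		}
	}))
	post, get := httptest.NewRecorder(), httptest.NewRecorder()
	h.ServeHTTP(post, httptest.NewRequest("POST", "/messages", strings.NewReader(`{"method":"tools/list"}`)))
	if sse {
		h.ServeHTTP(get, httptest.NewRequest("GET", "/sse", nil))
	}
	return strings.Contains(post.Body.String()+get.Body.String(), "admin_exec")
}

func main() { println("SSE leaks:", leaks(true), "| Streamable HTTP leaks:", leaks(false)) }
```

A check of this shape, asserting on what the client actually receives per transport, also works as a regression test for any fix that ties the filter to the session rather than to the request's socket.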

Labels: bug
