fix(mcp): route download through public API instead of internal endpoint (#5001)

RafaelPo · github-actions[bot] · commit 6b9dbdae83fe · 2026-03-23T16:42:57.000Z
## Summary - MCP download route was calling the Engine's internal `/tasks/{id}/output_rows` by stripping `/api/v0` from the public URL — this goes through Traefik which doesn't expose internal routes, causing 404 - Fix: forward the per-task API key from Redis and call the public `GET /api/v0/tasks/{id}/result` endpoint instead - Stop popping the task token on completion so it remains available for downloads (Redis TTL expires it naturally) Fixes https://futuresearch-ai.sentry.io/issues/7357940590/ ## Test plan - [x] All 19 route tests pass - [ ] Deploy MCP to staging, verify CSV download works end-to-end 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Sourced from commit 77721e7adc1ca5227769aacef8ab6e7c55dd4f93
diff --git a/futuresearch-mcp/src/futuresearch_mcp/routes.py b/futuresearch-mcp/src/futuresearch_mcp/routes.py
@@ -6,7 +6,6 @@
 import json
 import logging
 import secrets
-from typing import Any
 from uuid import UUID
 
 import httpx
@@ -173,8 +172,8 @@ async def api_progress(request: Request) -> Response:  # noqa: PLR0911
 
         ts = TaskState(status_response)
 
-        if ts.is_terminal:
-            await redis_store.pop_task_token(task_id)
+        # Don't pop the token on completion — the download route needs it.
+        # Let the Redis TTL expire it naturally.
 
         return JSONResponse(
             ts.model_dump(mode="json", exclude=_UI_EXCLUDE), headers=cors
@@ -236,15 +235,14 @@ async def api_download_url(request: Request) -> Response:
     return JSONResponse({"download_url": download_url}, headers=cors)
 
 
-async def api_download(request: Request) -> Response:
+async def api_download(request: Request) -> Response:  # noqa: PLR0911
     """Download task results as CSV or JSON.
 
-    Unauthenticated — the task ID (UUID) is sufficient. The Engine's
-    internal ``/tasks/{id}/output_rows`` endpoint is also unauthenticated.
+    Fetches results from the public Engine API using the per-task API key
+    stored in Redis.
 
     Query params:
         format: "csv" (default) or "json"
-        raw: "true" to keep _source_bank for client-side citation rendering
     """
     cors = _cors_headers()
     if request.method == "OPTIONS":
@@ -263,30 +261,28 @@ async def api_download(request: Request) -> Response:
         return JSONResponse(
             {"error": "Unsupported format"}, status_code=400, headers=cors
         )
-    raw = request.query_params.get("raw", "").lower() in ("true", "1")
-
-    # Pass processing flags to the Engine — it does the stripping/resolution.
-    engine_params: dict[str, Any] = {"offset": 0, "limit": 100000}
-    if raw:
-        engine_params["strip_internal_cols"] = True
-    else:
-        engine_params.update(
-            resolve_citations=True,
-            strip_source_bank=True,
-            strip_internal_cols=True,
+    # Fetch results via the public API (paginated path handles citation
+    # resolution and internal column stripping automatically).
+    api_key = await redis_store.get_task_token(task_id)
+    if not api_key:
+        return JSONResponse(
+            {"error": "Unknown task or expired session"},
+            status_code=404,
+            headers=cors,
         )
 
     try:
-        engine_base = settings.futuresearch_api_url.removesuffix(
-            "/api/v0"
-        ).removesuffix("/")
-        async with httpx.AsyncClient(base_url=engine_base) as http:
-            resp = await http.post(
-                f"/tasks/{task_id}/output_rows",
-                params=engine_params,
+        async with httpx.AsyncClient(
+            base_url=settings.futuresearch_api_url,
+            headers={"Authorization": f"Bearer {api_key}"},
+        ) as http:
+            resp = await http.get(
+                f"/tasks/{task_id}/result",
+                params={"offset": 0, "limit": 100000},
             )
             resp.raise_for_status()
-            records: list[dict] = resp.json()
+            body = resp.json()
+            records: list[dict] = body.get("data") or []
     except Exception:
         logger.exception("Failed to fetch results for download, task %s", task_id)
         return JSONResponse(
diff --git a/futuresearch-mcp/tests/test_http_integration.py b/futuresearch-mcp/tests/test_http_integration.py
@@ -225,8 +225,8 @@ async def test_completed_task_cleans_up_tokens(self, client: httpx.AsyncClient):
         assert resp.status_code == 200
         assert resp.json()["status"] == "completed"
 
-        # Task token cleaned up; poll token kept for CSV download
-        assert await redis_store.get_task_token(task_id) is None
+        # Both tokens kept — task token needed for CSV download, TTL expires them
+        assert await redis_store.get_task_token(task_id) is not None
         assert await redis_store.get_poll_token(task_id) is not None
 
     @pytest.mark.asyncio
@@ -299,12 +299,8 @@ async def test_progress_lifecycle(self, client: httpx.AsyncClient):
         assert resp.status_code == 200
         assert resp.json()["status"] == "completed"
 
-        # 4. Task token is gone — further progress polls return 404
-        resp = await client.get(
-            f"/api/progress/{task_id}",
-            params={"token": poll_token},
-        )
-        assert resp.status_code == 404
+        # 4. Task token is still available (TTL-based expiry, not popped)
+        assert await redis_store.get_task_token(task_id) is not None
 
 
 # ── Download-token endpoint ──────────────────────────────────
@@ -387,14 +383,18 @@ async def test_multiple_calls_return_same_url(self, client: httpx.AsyncClient):
 
     @pytest.mark.asyncio
     async def test_download_is_repeatable(self, client: httpx.AsyncClient):
-        """Download endpoint can be called multiple times (unauthenticated)."""
+        """Download endpoint can be called multiple times."""
         task_id = str(uuid4())
+        await redis_store.store_task_token(task_id, "sk-cho-test")
 
         mock_resp = MagicMock()
         mock_resp.raise_for_status = MagicMock()
-        mock_resp.json.return_value = [{"x": 1, "y": 2}]
+        mock_resp.json.return_value = {
+            "data": [{"x": 1, "y": 2}],
+            "status": "completed",
+        }
         mock_http = AsyncMock()
-        mock_http.__aenter__.return_value.post.return_value = mock_resp
+        mock_http.__aenter__.return_value.get.return_value = mock_resp
 
         with patch(
             "futuresearch_mcp.routes.httpx.AsyncClient",
@@ -423,6 +423,7 @@ async def test_get_url_and_download(self, client: httpx.AsyncClient):
 
         await redis_store.store_poll_token(task_id, poll_token, user_id="test-user")
         await redis_store.store_task_owner(task_id, "test-user")
+        await redis_store.store_task_token(task_id, "sk-cho-test")
 
         # 1. Get the download URL
         mint_resp = await client.get(
@@ -433,15 +434,18 @@ async def test_get_url_and_download(self, client: httpx.AsyncClient):
         download_url = mint_resp.json()["download_url"]
         assert f"/api/results/{task_id}/download" in download_url
 
-        # 2. Download CSV — Engine is called to fetch rows (unauthenticated)
+        # 2. Download CSV via public API (forwards API key from Redis)
         mock_resp = MagicMock()
         mock_resp.raise_for_status = MagicMock()
-        mock_resp.json.return_value = [
-            {"name": "Alice", "score": 95},
-            {"name": "Bob", "score": 87},
-        ]
+        mock_resp.json.return_value = {
+            "data": [
+                {"name": "Alice", "score": 95},
+                {"name": "Bob", "score": 87},
+            ],
+            "status": "completed",
+        }
         mock_http = AsyncMock()
-        mock_http.__aenter__.return_value.post.return_value = mock_resp
+        mock_http.__aenter__.return_value.get.return_value = mock_resp
 
         with patch(
             "futuresearch_mcp.routes.httpx.AsyncClient",
diff --git a/futuresearch-mcp/tests/test_result_store.py b/futuresearch-mcp/tests/test_result_store.py
@@ -290,15 +290,19 @@ async def client(self, app):
     @pytest.mark.asyncio
     async def test_valid_download(self, client: httpx.AsyncClient):
         task_id = str(uuid4())
+        await redis_store.store_task_token(task_id, "sk-cho-test")
 
         mock_resp = MagicMock()
         mock_resp.raise_for_status = MagicMock()
-        mock_resp.json.return_value = [
-            {"name": "Alice", "score": 95},
-            {"name": "Bob", "score": 87},
-        ]
+        mock_resp.json.return_value = {
+            "data": [
+                {"name": "Alice", "score": 95},
+                {"name": "Bob", "score": 87},
+            ],
+            "status": "completed",
+        }
         mock_http = AsyncMock()
-        mock_http.__aenter__.return_value.post.return_value = mock_resp
+        mock_http.__aenter__.return_value.get.return_value = mock_resp
 
         with patch(
             "futuresearch_mcp.routes.httpx.AsyncClient",
@@ -315,15 +319,19 @@ async def test_valid_download(self, client: httpx.AsyncClient):
     async def test_json_format_returns_json(self, client: httpx.AsyncClient):
         """?format=json returns a JSON array fetched from the Engine."""
         task_id = str(uuid4())
+        await redis_store.store_task_token(task_id, "sk-cho-test")
 
         mock_resp = MagicMock()
         mock_resp.raise_for_status = MagicMock()
-        mock_resp.json.return_value = [
-            {"name": "Alice", "score": 95},
-            {"name": "Bob", "score": 87},
-        ]
+        mock_resp.json.return_value = {
+            "data": [
+                {"name": "Alice", "score": 95},
+                {"name": "Bob", "score": 87},
+            ],
+            "status": "completed",
+        }
         mock_http = AsyncMock()
-        mock_http.__aenter__.return_value.post.return_value = mock_resp
+        mock_http.__aenter__.return_value.get.return_value = mock_resp
 
         with patch(
             "futuresearch_mcp.routes.httpx.AsyncClient",
diff --git a/futuresearch-mcp/tests/test_routes.py b/futuresearch-mcp/tests/test_routes.py
@@ -281,8 +281,8 @@ async def test_completed_task_pops_tokens(self):
         body = json.loads(bytes(resp.body).decode())
         assert body["status"] == "completed"
 
-        # Task token cleaned up; poll token kept for CSV download
-        assert await redis_store.get_task_token(task_id) is None
+        # Both tokens kept — task token needed for CSV download, TTL expires them
+        assert await redis_store.get_task_token(task_id) is not None
         assert await redis_store.get_poll_token(task_id) is not None
 
     @pytest.mark.asyncio
@@ -380,6 +380,7 @@ async def test_download_url_works_for_download(self):
 
         await redis_store.store_poll_token(task_id, poll_token, user_id="test-user")
         await redis_store.store_task_owner(task_id, "test-user")
+        await redis_store.store_task_token(task_id, "sk-cho-test")
 
         # Step 1: Get the download URL
         mint_req = FakeRequest(
@@ -392,15 +393,15 @@ async def test_download_url_works_for_download(self):
         download_url = mint_body["download_url"]
         assert f"/api/results/{task_id}/download" in download_url
 
-        # Step 2: Download directly (unauthenticated)
+        # Step 2: Download via public API (forwards API key from Redis)
         dl_req = FakeRequest(
             path_params={"task_id": task_id},
         )
         mock_resp = MagicMock()
         mock_resp.raise_for_status = MagicMock()
-        mock_resp.json.return_value = records
+        mock_resp.json.return_value = {"data": records, "status": "completed"}
         mock_http = AsyncMock()
-        mock_http.__aenter__.return_value.post.return_value = mock_resp
+        mock_http.__aenter__.return_value.get.return_value = mock_resp
 
         with patch(
             "futuresearch_mcp.routes.httpx.AsyncClient",
@@ -427,15 +428,16 @@ async def test_csv_download_quotes_all_fields(self):
             },
         ]
 
-        # Download CSV directly (unauthenticated)
+        await redis_store.store_task_token(task_id, "sk-cho-test")
+
         dl_req = FakeRequest(
             path_params={"task_id": task_id},
         )
         mock_resp = MagicMock()
         mock_resp.raise_for_status = MagicMock()
-        mock_resp.json.return_value = records
+        mock_resp.json.return_value = {"data": records, "status": "completed"}
         mock_http = AsyncMock()
-        mock_http.__aenter__.return_value.post.return_value = mock_resp
+        mock_http.__aenter__.return_value.get.return_value = mock_resp
 
         with patch(
             "futuresearch_mcp.routes.httpx.AsyncClient",
