Open
Labels: MUST (P1: Non-negotiable, critical requirements without which the product is non-functional or unsafe), bug (Something isn't working), database, python (Python / backend development (FastAPI))
Bug Summary
Multiple router endpoints access current_user_ctx["db"] which is always None since commit 93102499e (2026-01-27). This causes 'NoneType' object has no attribute 'execute' errors when these endpoints are called.
Root Cause
The get_current_user_with_permissions() function in mcpgateway/middleware/rbac.py returns "db": None with the comment:
```python
"db": None,  # Session closed; use endpoint's db param instead
```
However, 22 endpoints across 3 routers still extract the db session from user context instead of using Depends(get_db).
Affected Endpoints
mcpgateway/routers/teams.py (3 endpoints)
| Line | Method | Path | Function |
|---|---|---|---|
| 89 | POST | /teams/ | create_team() |
| 143 | GET | /teams/ | list_teams() |
| 728 | GET | /teams/discover | discover_public_teams() |
mcpgateway/routers/email_auth.py (6 endpoints)
| Line | Method | Path | Function |
|---|---|---|---|
| 537 | GET | /auth/email/admin/users | list_users() |
| 576 | GET | /auth/email/admin/events | list_all_auth_events() |
| 613 | POST | /auth/email/admin/users | create_user() |
| 665 | GET | /auth/email/admin/users/{user_email} | get_user() |
| 698 | PUT | /auth/email/admin/users/{user_email} | update_user() |
| 757 | DELETE | /auth/email/admin/users/{user_email} | delete_user() |
mcpgateway/routers/llm_config_router.py (13 endpoints)
| Line | Method | Path | Function |
|---|---|---|---|
| 83 | POST | /llm/providers | create_provider() |
| 125 | GET | /llm/providers | list_providers() |
| 167 | GET | /llm/providers/{provider_id} | get_provider() |
| 201 | PATCH | /llm/providers/{provider_id} | update_provider() |
| 237 | DELETE | /llm/providers/{provider_id} | delete_provider() |
| 269 | POST | /llm/providers/{provider_id}/models | add_model() |
| 301 | POST | /llm/providers/{provider_id}/set-default | set_default_provider() |
| 337 | POST | /llm/models/{model_id}/set-default | set_default_model() |
| 373 | GET | /llm/models | list_models() |
| 422 | GET | /llm/models/{model_id} | get_model() |
| 459 | PATCH | /llm/models/{model_id} | update_model() |
| 491 | DELETE | /llm/models/{model_id} | delete_model() |
| 523 | POST | /llm/models/{model_id}/test | test_model() |
Error Message
ERROR - Error listing teams: 'NoneType' object has no attribute 'execute'
Steps to Reproduce
```bash
# Get JWT token
TOKEN=$(python -m mcpgateway.utils.create_jwt_token --username [email protected] --exp 60 --secret "$JWT_SECRET")
# Any of these will fail with 500 error:
curl -X GET "http://localhost:8080/teams/" -H "Authorization: Bearer $TOKEN"
curl -X GET "http://localhost:8080/auth/email/admin/users" -H "Authorization: Bearer $TOKEN"
curl -X GET "http://localhost:8080/llm/providers" -H "Authorization: Bearer $TOKEN"
```
Expected Behavior
Endpoints return data successfully.
Actual Behavior
Returns HTTP 500 with {"detail":"Failed to list teams"} (or similar).
Fix
Add db: Session = Depends(get_db) as an endpoint parameter and use it directly:
Before:
```python
async def list_teams(
    current_user_ctx: dict = Depends(get_current_user_with_permissions),
):
    db = current_user_ctx["db"]  # Always None!
    service = TeamManagementService(db)
```
After:
```python
async def list_teams(
    db: Session = Depends(get_db),
    current_user_ctx: dict = Depends(get_current_user_with_permissions),
):
    service = TeamManagementService(db)
```
Regression Information
- Introduced: 2026-01-27 by commit 93102499e ("fix(db): release DB sessions before external HTTP calls")
- Related closed issue: [BUG][TEAMS]: list_teams uses current_user_ctx["db"] which is always None #2608 (only covered list_teams, closed without fixing all endpoints)
Related Issues
- [BUG]: Apply fresh_db_session() to remaining 271 endpoints using Depends(get_db) #2334 - Parent issue for applying fresh_db_session() to 271 endpoints
- [BUG]: Apply fresh_db_session() to admin.py endpoints (135 usages) #2335 - Apply to admin.py (135 usages)
- [BUG]: Apply fresh_db_session() to remaining 52 REST endpoints in main.py #2336 - Apply to main.py (52 usages)
- [BUG]: RBAC middleware holds database sessions for entire request duration #2340 - RBAC middleware session accumulation (PR Fix/issue 2340 - eliminate RBAC middleware session accumulation under high load #2549)
Acceptance Criteria
- All 22 affected endpoints updated to use db: Session = Depends(get_db)
- Unit tests updated/added for affected endpoints
- Manual verification with JWT authentication
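
A static check for the first acceptance criterion, as an added example (not code from the project): it walks a router module's AST and reports every function that still reads the db session out of current_user_ctx. The `.get("db")` form and the sample source are assumptions constructed for illustration; only the subscript form appears in this issue.

```python
import ast
import sys
from pathlib import Path

# Constructed sample modelled on the Before/After snippets in this issue.
SAMPLE = '''
async def list_teams(
    current_user_ctx: dict = Depends(get_current_user_with_permissions),
):
    db = current_user_ctx["db"]
    service = TeamManagementService(db)

async def create_team(
    db: Session = Depends(get_db),
    current_user_ctx: dict = Depends(get_current_user_with_permissions),
):
    service = TeamManagementService(db)

async def get_user(user_email: str, current_user_ctx: dict = Depends(get_current_user_with_permissions)):
    db = current_user_ctx.get("db")
'''

def _is_ctx(node, name):
    return isinstance(node, ast.Name) and node.id == name

def _is_db_key(node):
    return isinstance(node, ast.Constant) and node.value == "db"

def reads_ctx_db(node, ctx="current_user_ctx"):
    """True for ctx["db"] or ctx.get("db") (Python 3.9+ AST layout)."""
    if isinstance(node, ast.Subscript):
        return _is_ctx(node.value, ctx) and _is_db_key(node.slice)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return (node.func.attr == "get" and _is_ctx(node.func.value, ctx)
                and bool(node.args) and _is_db_key(node.args[0]))
    return False

def find_stale_db_access(source):
    """Return sorted (line, function) pairs for each read of the context's db."""
    hits = set()
    for func in ast.walk(ast.parse(source)):
        if isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            hits.update((n.lineno, func.name) for n in ast.walk(func) if reads_ctx_db(n))
    return sorted(hits)

if __name__ == "__main__":
    sources = {p: Path(p).read_text() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for path, text in sources.items():
        for line, func in find_stale_db_access(text):
            print(f"{path}:{line}: {func}() reads current_user_ctx db")
```

Passing the three router files named above as arguments lists the remaining offenders; an empty result is what a CI gate for this regression would require.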