fix: verify header API key against Plane API #157

Draft
sriramveeraghanta wants to merge 1 commit into canary from fix/verify-header-api-key

Conversation

@sriramveeraghanta (Member)

Summary

PlaneHeaderAuthProvider previously accepted any x-api-key header without validating it — it only logged that a key was present and immediately issued an AccessToken. This means an invalid or revoked key would still pass MCP auth.

This change verifies the API key against the Plane API before granting access.

Changes

  • Verify the key: call GET /api/v1/users/me/ with the supplied x-api-key. Reject the token (return None) on any non-200 response.
  • Base URL resolution: prefer PLANE_INTERNAL_BASE_URL, then PLANE_BASE_URL, defaulting to https://api.plane.so — consistent with server-to-server call handling elsewhere.
  • Configurable timeout: timeout_seconds constructor arg (default 10s).
  • Fail closed on httpx.RequestError (network/timeout) — returns None rather than granting access.

Notes

  • stdio transport is unaffected (no active HTTP request → existing RuntimeError path).
  • Adds an outbound request per token verification; the resulting AccessToken is still cached for 1h via expires_at.

🤖 Generated with Claude Code

PlaneHeaderAuthProvider previously trusted any x-api-key header without
validation, only logging that a key was present. This verifies the key by
calling /api/v1/users/me/ on the Plane API and rejecting the token if the
request does not return 200.

- Resolve base URL from PLANE_INTERNAL_BASE_URL / PLANE_BASE_URL (default
  https://api.plane.so) for server-to-server verification.
- Add configurable request timeout (default 10s).
- Handle httpx.RequestError by failing closed (return None).
@coderabbitai

coderabbitai Bot commented Jun 19, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e8da5175-5cc2-4f71-af0f-5122925860f9


Labels

None yet

Projects

None yet

1 participant