Fix: 401 Unauthorized on all [Authorize]-protected MCP tools due to premature authentication check

[alealoisi-nts]

Problem

When an MCP client calls a tool mapped to a controller action protected by
[Authorize], the dispatcher always returns 401 Unauthorized — even when
valid credentials are present in the Authorization header.

Root Cause

McpToolDispatcher.DispatchAsync() contained an early authentication guard:

if (RequiresAuthentication(descriptor) && !IsAuthenticated(context))
    return DispatchResult.Failure(401, "Unauthorized");

This check evaluates context.User on the freshly built synthetic HttpContext
before invoker.InvokeAsync() is called. Since authentication runs as part
of the ASP.NET Core filter pipeline (inside InvokeAsync), the User principal
is always empty at this point — causing every protected tool to be rejected
regardless of the credentials provided.

The Authorization header forwarding in SyntheticHttpContextFactory was
already working correctly — the header is present on the synthetic request,
but the early check prevented the pipeline from ever reading it.

Fix

• Removed the RequiresAuthentication / IsAuthenticated guard block from
  DispatchAsync and their two helper methods.
• Authentication is now handled entirely by the ASP.NET Core action invoker
  pipeline, which correctly reads the forwarded Authorization header and
  authenticates the user before the action executes.

Testing

Verified with an ASP.NET Core API using [Authorize(AuthenticationSchemes = "Basic")]
at controller level. After this fix, MCP tool calls with a valid Authorization: Basic
header are correctly authenticated and return 200 OK.

[kaladinstorm84]

Could you please add this change to zeroMcp/zeromcp.net as this repo has been migrated and is in the process of being wound down.

I would migrate the changes over myself, but would like you to maintain the credit