fix(auth): add asyncio lock to prevent duplicate profile client creation

benjaminjstoll · claude · benjaminjstoll · commit 56f0492ebdbb · 2026-04-06T07:53:44.000-05:00
Concurrent tool calls (e.g. from parallel subagents) could race in
_get_profile_client, each creating a separate Client for the same
profile. The loser's client would leak — connected but never tracked
or cleaned up. Wrapping in an asyncio.Lock ensures only one client
is created per profile.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/mcp_proxy_for_aws/middleware/profile_switcher.py b/mcp_proxy_for_aws/middleware/profile_switcher.py
@@ -22,6 +22,7 @@
 so parallel subagents querying different accounts don't interfere with each other.
 """
 
+import asyncio
 import httpx
 import logging
 import mcp.types as mt
@@ -68,6 +69,7 @@ def __init__(
         self._metadata = metadata
         self._timeout = timeout
         self._profile_clients: dict[str, Client] = {}
+        self._lock = asyncio.Lock()
 
     # ── tool listing ────────────────────────────────────────────────
 
@@ -121,20 +123,21 @@ async def _get_profile_client(self, profile: str) -> Client:
         so that requests signed with different AWS identities don't collide
         on the same backend session.
         """
-        if profile not in self._profile_clients:
-            logger.info('Creating dedicated connection for profile %s', profile)
-            transport = create_transport_with_sigv4(
-                self._endpoint,
-                self._service,
-                self._region,
-                self._metadata,
-                self._timeout,
-                profile,
-            )
-            client = Client(transport=transport)
-            await client.__aenter__()
-            self._profile_clients[profile] = client
-        return self._profile_clients[profile]
+        async with self._lock:
+            if profile not in self._profile_clients:
+                logger.info('Creating dedicated connection for profile %s', profile)
+                transport = create_transport_with_sigv4(
+                    self._endpoint,
+                    self._service,
+                    self._region,
+                    self._metadata,
+                    self._timeout,
+                    profile,
+                )
+                client = Client(transport=transport)
+                await client.__aenter__()
+                self._profile_clients[profile] = client
+            return self._profile_clients[profile]
 
     async def disconnect_profile_clients(self) -> None:
         """Disconnect all per-profile clients. Call during server shutdown."""
diff --git a/tests/unit/test_profile_switcher.py b/tests/unit/test_profile_switcher.py
@@ -14,6 +14,7 @@
 
 """Tests for the ProfileOverrideMiddleware."""
 
+import asyncio
 import httpx
 import pytest
 from fastmcp.server.middleware import MiddlewareContext
@@ -206,6 +207,46 @@ async def test_profile_override_tool_call_failure(self, middleware, mock_context
         assert 'backend error' not in result.content[0].text
 
 
+class TestGetProfileClient:
+    """Tests for the _get_profile_client method."""
+
+    @pytest.mark.asyncio
+    async def test_lock_prevents_duplicate_client_creation(self, middleware):
+        """Concurrent calls for the same profile only create one client."""
+        call_count = 0
+        mock_client = AsyncMock()
+
+        original_aenter = mock_client.__aenter__
+
+        async def slow_aenter(*args, **kwargs):
+            nonlocal call_count
+            call_count += 1
+            await asyncio.sleep(0.05)
+            return await original_aenter(*args, **kwargs)
+
+        mock_client.__aenter__ = slow_aenter
+
+        mock_transport = Mock()
+
+        with patch(
+            'mcp_proxy_for_aws.middleware.profile_switcher.create_transport_with_sigv4',
+            return_value=mock_transport,
+        ), patch(
+            'mcp_proxy_for_aws.middleware.profile_switcher.Client',
+            return_value=mock_client,
+        ):
+            results = await asyncio.gather(
+                middleware._get_profile_client('dev-profile'),
+                middleware._get_profile_client('dev-profile'),
+                middleware._get_profile_client('dev-profile'),
+            )
+
+        # All calls return the same client
+        assert all(r is mock_client for r in results)
+        # Client was only created once despite 3 concurrent calls
+        assert call_count == 1
+
+
 class TestDisconnectProfileClients:
     """Tests for the disconnect_profile_clients method."""
 
