Bug Fix: MCP_ALLOW_ANONYMOUS_ACCESS=true ignored in dashboard
Fixes #621 — when MCP_ALLOW_ANONYMOUS_ACCESS=true was set, the dashboard still showed a login prompt instead of granting access. This was a regression introduced during the OAuth middleware refactor where the anonymous path granted only read scope, which was insufficient for the dashboard's write-level auth check.
What Changed
- OAuth middleware: Anonymous users now receive
read writescope whenMCP_ALLOW_ANONYMOUS_ACCESS=true, matching the server's intended behavior for locally-trusted deployments - Documentation:
.env.exampleupdated to clearly state the flag grants full read+write access (not read-only) - Dashboard auth modal: Updated warning text to reflect the actual scope granted
- Tests: Docstrings updated for consistency
Who Is Affected
Users who rely on MCP_ALLOW_ANONYMOUS_ACCESS=true for dashboard access (e.g. behind a firewall, using Nginx Basic Auth, or in local development) were being incorrectly required to provide credentials. This fix restores the expected behavior.
Upgrade
No migration required. Update to v10.28.5 and the dashboard will respect the flag immediately.
Full changelog: https://github.com/doobidoo/mcp-memory-service/blob/main/CHANGELOG.md#10285---2026-03-29