refactor: use set operations for scope validation per reviewer feedback

enjoykumawat · enjoykumawat · commit 6434eef9d02d · 2026-04-08T15:30:33.000+05:30
Replace the for-loop with set.issubset() for clarity and to report all invalid scopes at once rather than one per loop iteration. Github-Issue: #2216
diff --git a/src/mcp/shared/auth.py b/src/mcp/shared/auth.py
@@ -74,10 +74,13 @@ def validate_scope(self, requested_scope: str | None) -> list[str] | None:
         if self.scope is None:
             # Client registered without scope restrictions — allow any requested scope
             return requested_scopes
-        allowed_scopes = self.scope.split(" ")
-        for scope in requested_scopes:
-            if scope not in allowed_scopes:
-                raise InvalidScopeError(f"Client was not registered with scope {scope}")
+        requested = set(requested_scopes)
+        allowed = set(self.scope.split())
+        if not requested.issubset(allowed):
+            invalid = requested - allowed
+            raise InvalidScopeError(
+                f"Client was not registered with scope(s): {' '.join(sorted(invalid))}"
+            )
         return requested_scopes
 
     def validate_redirect_uri(self, redirect_uri: AnyUrl | None) -> AnyUrl:
