@W-21581935: Add passthrough auth

[anyoung-tableau]

This PR originated from #234 and the discussion on it.

Fixes #237

This PR introduces "pass through" auth which allows clients to provide the Tableau access token used by the REST APIs to be provided directly on the X-Tableau-Auth header or workgroup_session_id cookie. This allows for user-less agents, both external or internal, to use Tableau MCP without being forced to authenticate interactively or provide a client credential.

When enabled, this auth method complements the default auth method configured on the AUTH environment variable. That is, requests with the X-Tableau-Auth header will take precedence over whatever form of auth would have occurred otherwise. This includes OAuth. See the new docs page for more details.

[Copilot]

Pull request overview

Adds an optional “passthrough auth” path for HTTP deployments so clients (or a trusted gateway/proxy) can authenticate MCP requests using Tableau REST credentials supplied via X-Tableau-Auth or workgroup_session_id, taking precedence over the configured AUTH mode (including OAuth).

Changes:

• Introduces passthroughAuthMiddleware to extract/validate Tableau credentials (with optional in-memory caching).
• Updates REST API instantiation to reuse provided credentials and avoid signing out for passthrough sessions.
• Adds config/env plumbing, CI wiring, tests, and new documentation for passthrough auth.

Reviewed changes

Copilot reviewed 16 out of 18 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
types/process-env.d.ts	Adds env var typings for passthrough auth toggles/interval.
tests/oauth/embedded-authz/oauth.test.ts	Adds OAuth-suite tests for X-Tableau-Auth header and workgroup_session_id cookie flows.
src/testSetup.ts	Extends RestApi mocks with credential-setter methods.
src/server/passthroughAuthMiddleware.ts	New middleware: extracts header/cookie, validates session, caches auth info, sets req.auth.
src/server/oauth/schemas.ts	Extends auth info schema union to include Passthrough auth info.
src/server/oauth/authMiddleware.ts	Skips OAuth auth when a previous middleware already populated req.auth.
src/server/express.ts	Wires cookie parsing + passthrough middleware (behind config flag) and adjusts CORS headers.
src/scripts/createClaudeMcpBundleManifest.ts	Adds passthrough env var metadata to the bundle manifest generator.
src/restApiInstance.ts	Supports Passthrough auth info (set credentials; skip sign-out); refactors return shape for sign-out decision.
src/restApiInstance.test.ts	Expands coverage for PAT/direct-trust/UAT/OAuth and adds Passthrough credential test.
src/config.ts	Parses new passthrough env vars into Config.
src/config.test.ts	Adds unit tests for new config values/defaults.
package.json	Adds cookie-parser dependency and @types/cookie-parser.
package-lock.json	Locks new cookie-parser-related dependencies.
docs/docs/configuration/mcp-config/authentication/passthrough.md	New docs page describing passthrough auth and env vars.
docs/docs/configuration/mcp-config/authentication/README.md	Links to passthrough auth docs.
.github/workflows/ci.yml	Adds Connected App/JWT env vars for CI.
.github/actions/run-oauth-embedded-authz-tests/action.yml	Enables passthrough auth in embedded OAuth test action env.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bbartels]

Just tested out the PR in it's current state and works perfectly with out internal infra 🎉

[bbartels]

@anyoung-tableau Would you mind creating a new release? Then I can give it a try internally :)