Add configurable HTTP header forwarding

[floran-putter]

Describe your changes

• Add headers argument to FastApiMCP to specify an allow-list for HTTP header forwarding.
• In _execute_api_tool, match incoming headers case-insensitive against the allow-list and forward them using their original names.
• Remove previous logic that renamed "authorization" to "Authorization" and update the existing header-passthrough test accordingly.
• Add pytest fixture fastapi_mcp_with_custom_header and test_custom_header_passthrough_to_tool_handler to test custom header passthrough.

Issue ticket number and link (if applicable)

Closes #113

Screenshots of the feature / bugfix

Checklist before requesting a review

• Added relevant tests
• Run ruff & mypy
• All tests pass

[erpic]

self._forward_headers = {h.lower() for h in (headers or ["Authorization"])}

I think adding "Authorization" as default value here has no effect. This set is tested against lower cased strings so that would never match. Also, "Authorization" is added separately

Suggest changing to this?

self._forward_headers = {h.lower() for h in (headers or [])}

Or to this:

self._forward_headers = {h.lower() for h in (headers or ["authorization"])}
and then remove the logic on testing for "Authroization" or "authroization

[floran-putter]

Just to clarify, "Authorization" does get lowercased by the set comprehension, so the default of self._forward_headers becomes {"authorization"} as intended.

The special-case check for testing "Authorization" or "authorization" was already removed in this PR, and keeping ["Authorization"] as the default is necessary for backwards compatibility, so this setup makes sense as-is.

[Robiemaan]

self._forward_headers = {h.lower() for h in (headers or ["Authorization"])}

I think adding "Authorization" as default value here has no effect. This set is tested against lower cased strings so that would never match. Also, "Authorization" is added separately

Suggest changing to this?

self._forward_headers = {h.lower() for h in (headers or [])}

Or to this:

self._forward_headers = {h.lower() for h in (headers or ["authorization"])} and then remove the logic on testing for "Authroization" or "authroization

@erpic see @floran-putter 's message Re Authorization backwards compatibility. Can we merge?

[devilb2103]

On god please merge this 😭

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

📢 Thoughts on this report? Let us know!

[shahar4499]

Great job! Thanks!!

[FilippTrigub]

Hey there, please add this to the guide (https://fastapi-mcp.tadata.com/advanced/auth).

I'm sure other devs will appreciate this as myself would have some hours ago haha