feat: Add authentication to the endpoints #107
Conversation
pablotp
force-pushed
the
add-authentication
branch
from
d09de51 to
0565b1f
Compare
pablotp
force-pushed
the
add-authentication
branch
from
0565b1f to
72fa239
Compare
Codecov Report❌ Patch coverage is
@@ Coverage Diff @@
## main #107 +/- ##
==========================================
+ Coverage 97.20% 97.42% +0.22%
==========================================
Files 6 8 +2
Lines 823 972 +149
Branches 30 36 +6
==========================================
+ Hits 800 947 +147
- Misses 15 16 +1
- Partials 8 9 +1
Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
|
Hey @pablotp, nice contribution! Can you resolve failures in the build checks? |
Fixes sparfenyuk#95 This adds the option `--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}` to define the log level. If both `--debug` and `--log-level` are provided, the former takes precedence.
pablotp
force-pushed
the
add-authentication
branch
from
4f9c96a to
2f8f658
Compare
|
@sparfenyuk I'm sorry for not looking more carefully into the pre-commits and test setup. I've just pushed a commit to address the issues and resolve the conflicts with |
|
@sparfenyuk it seems a file outside of my PR caused an error for the linter. I've pushed a new commit to address this: 218da4f Thanks for your prompt response! |
|
@pablotp Thank you, and no worries - all good! |
There was a problem hiding this comment.
Pull Request Overview
This PR adds optional API key authentication to protect MCP proxy endpoints. Authentication is disabled by default for backward compatibility and can be enabled via CLI argument or environment variable.
- Added
AuthMiddlewareclass for API key validation with configurable protection for specific endpoints - Added CLI
--api-keyargument andMCP_PROXY_API_KEYenvironment variable support - Refactored the
run_mcp_serverfunction to improve maintainability and support middleware integration
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
src/mcp_proxy/auth.py |
New authentication middleware implementation |
src/mcp_proxy/__main__.py |
Added CLI argument and environment variable support for API key |
src/mcp_proxy/mcp_server.py |
Refactored server setup and integrated authentication middleware |
tests/test_auth_simple.py |
Comprehensive test suite for authentication scenarios |
tests/test_mcp_server.py |
Added test for authentication integration |
README.md |
Updated documentation with authentication usage examples |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| # Check if path needs protection (/sse, /mcp, /messages, /servers/*/sse, /servers/*/mcp) | ||
| path = request.url.path | ||
| needs_auth = ( | ||
| path.startswith(("/sse", "/mcp", "/messages")) or "/sse" in path or "/mcp" in path |
There was a problem hiding this comment.
The path protection logic is duplicated and could match unintended paths. For example, /sse in path would match /something/sse/other. Consider using a more precise pattern matching approach or regex to avoid false positives.
| # Setup named servers | ||
| for name, params in named_server_params.items(): | ||
| logger.info( | ||
| "Setting up named server '%s': %s %s", | ||
| name, | ||
| params.command, | ||
| " ".join(params.args), | ||
| ) | ||
| stdio_streams_named = await stack.enter_async_context(stdio_client(params)) | ||
| session_named = await stack.enter_async_context(ClientSession(*stdio_streams_named)) | ||
| proxy_named = await create_proxy_server(session_named) | ||
|
|
||
| instance_routes_named, http_manager_named = create_single_instance_routes( | ||
| proxy_named, | ||
| stateless_instance=mcp_settings.stateless, | ||
| ) | ||
| await stack.enter_async_context( | ||
| http_manager_named.run(), | ||
| ) # Manage lifespan by calling run() | ||
|
|
||
| # Mount these routes under /servers/<name>/ | ||
| server_mount = Mount(f"/servers/{name}", routes=instance_routes_named) | ||
| all_routes.append(server_mount) | ||
| _global_status["server_instances"][name] = "configured" | ||
|
|
||
| if not default_server_params and not named_server_params: | ||
| logger.error("No servers configured to run.") | ||
| return | ||
|
|
||
| middleware: list[Middleware] = [] | ||
| if mcp_settings.allow_origins: | ||
| middleware.append( | ||
| Middleware( | ||
| CORSMiddleware, | ||
| allow_origins=mcp_settings.allow_origins, | ||
| allow_methods=["*"], | ||
| allow_headers=["*"], | ||
| ), | ||
| ) | ||
| if named_server_params: | ||
| named_routes = await _setup_named_servers(stack, named_server_params, mcp_settings) |
There was a problem hiding this comment.
The variable named_server_params is checked for truthiness after being defaulted to an empty dict on line 213. This check will always be True for an empty dict. Consider checking if named_server_params: or use if len(named_server_params) > 0: for clarity.
|
this would be so useful. what can i do to help move it along? |
4 participants
Add authentication support
Summary
Adds optional API key authentication to protect
/sseand/mcpendpoints. Authentication is disabled by default for backward compatibility.Changes
AuthMiddlewareclass for API key validation--api-keyCLI argument andMCP_PROXY_API_KEYenvironment variable support/sse,/mcp,/messages/*(including named server paths)/status, OPTIONS requestsUsage
Testing
Manual verification commands
Make sure you have installed dependencies:
Test 1: Server WITHOUT Authentication
Open Terminal 1 and start the server:
Open Terminal 2 and test endpoints:
Test 2: Server WITH Authentication (CLI argument)
Open Terminal 1 and start the server with API key:
Open Terminal 2 and test endpoints:
Test 3: Server WITH Authentication (Environment Variable)
Open Terminal 1 and start the server with env var:
Open Terminal 2 and test:
Test 4: Named Server Endpoints
Start server with named servers and authentication:
Test in another terminal:
Expected Results
Related