214 lines
5.5 KiB
TypeScript
214 lines
5.5 KiB
TypeScript
/**
|
|
* Authenticated MCP Server Template
|
|
*
|
|
* An MCP server with API key authentication using Cloudflare KV.
|
|
* Essential for production deployments to prevent unauthorized access.
|
|
*
|
|
* Setup:
|
|
* 1. npm install @modelcontextprotocol/sdk hono zod
|
|
* 2. npm install -D @cloudflare/workers-types wrangler typescript
|
|
* 3. Create KV namespace: wrangler kv namespace create MCP_API_KEYS
|
|
* 4. Add binding to wrangler.jsonc
|
|
* 5. Add API keys: wrangler kv key put --binding=MCP_API_KEYS "key:YOUR_KEY" "true"
|
|
* 6. wrangler deploy
|
|
*
|
|
* Usage:
|
|
* - Clients must send Authorization header: "Bearer YOUR_API_KEY"
|
|
*/
|
|
|
|
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
|
|
import { Hono } from 'hono';
|
|
import { cors } from 'hono/cors';
|
|
import { z } from 'zod';
|
|
|
|
type Env = {
|
|
MCP_API_KEYS: KVNamespace; // Required for authentication
|
|
DB?: D1Database;
|
|
CACHE?: KVNamespace;
|
|
};
|
|
|
|
const server = new McpServer({
|
|
name: 'authenticated-mcp-server',
|
|
version: '1.0.0'
|
|
});
|
|
|
|
// Register tools
|
|
server.registerTool(
|
|
'secure-operation',
|
|
{
|
|
description: 'Performs a secure operation (requires authentication)',
|
|
inputSchema: z.object({
|
|
operation: z.string().describe('Operation to perform'),
|
|
data: z.string().describe('Operation data')
|
|
})
|
|
},
|
|
async ({ operation, data }) => {
|
|
return {
|
|
content: [{
|
|
type: 'text',
|
|
text: `Performed secure operation "${operation}" with data: ${data}`
|
|
}]
|
|
};
|
|
}
|
|
);
|
|
|
|
server.registerTool(
|
|
'get-status',
|
|
{
|
|
description: 'Returns server status',
|
|
inputSchema: z.object({})
|
|
},
|
|
async () => {
|
|
return {
|
|
content: [{
|
|
type: 'text',
|
|
text: JSON.stringify({
|
|
status: 'running',
|
|
authenticated: true,
|
|
timestamp: new Date().toISOString()
|
|
}, null, 2)
|
|
}]
|
|
};
|
|
}
|
|
);
|
|
|
|
// HTTP setup
|
|
const app = new Hono<{ Bindings: Env }>();
|
|
|
|
// CORS configuration (adjust origins for your use case)
|
|
app.use('/mcp', cors({
|
|
origin: [
|
|
'http://localhost:3000',
|
|
'http://localhost:8787',
|
|
'https://your-app.com' // Replace with your domain
|
|
],
|
|
allowMethods: ['POST', 'OPTIONS'],
|
|
allowHeaders: ['Content-Type', 'Authorization'],
|
|
credentials: true
|
|
}));
|
|
|
|
// Authentication middleware
|
|
app.use('/mcp', async (c, next) => {
|
|
const authHeader = c.req.header('Authorization');
|
|
|
|
// Check for Authorization header
|
|
if (!authHeader || !authHeader.startsWith('Bearer ')) {
|
|
return c.json({
|
|
error: 'Unauthorized',
|
|
message: 'Missing or invalid Authorization header. Use: Authorization: Bearer YOUR_API_KEY'
|
|
}, 401);
|
|
}
|
|
|
|
// Extract API key
|
|
const apiKey = authHeader.replace('Bearer ', '');
|
|
|
|
// Validate API key against KV store
|
|
try {
|
|
const storedKey = await c.env.MCP_API_KEYS.get(`key:${apiKey}`);
|
|
|
|
if (!storedKey) {
|
|
return c.json({
|
|
error: 'Forbidden',
|
|
message: 'Invalid API key'
|
|
}, 403);
|
|
}
|
|
|
|
// Optional: Track API key usage
|
|
const usageKey = `usage:${apiKey}:${new Date().toISOString().split('T')[0]}`;
|
|
const currentUsage = await c.env.MCP_API_KEYS.get(usageKey);
|
|
await c.env.MCP_API_KEYS.put(
|
|
usageKey,
|
|
String(parseInt(currentUsage || '0') + 1),
|
|
{ expirationTtl: 86400 * 7 } // Keep for 7 days
|
|
);
|
|
|
|
// User is authenticated, continue
|
|
await next();
|
|
} catch (error) {
|
|
return c.json({
|
|
error: 'Internal Server Error',
|
|
message: 'Authentication failed'
|
|
}, 500);
|
|
}
|
|
});
|
|
|
|
// Rate limiting middleware (per IP)
|
|
app.use('/mcp', async (c, next) => {
|
|
const ip = c.req.header('CF-Connecting-IP') || 'unknown';
|
|
const rateLimitKey = `ratelimit:${ip}:${Math.floor(Date.now() / 60000)}`; // Per minute
|
|
|
|
try {
|
|
const count = await c.env.MCP_API_KEYS.get(rateLimitKey);
|
|
const requestCount = parseInt(count || '0');
|
|
|
|
// Allow 100 requests per minute per IP
|
|
if (requestCount >= 100) {
|
|
return c.json({
|
|
error: 'Rate Limit Exceeded',
|
|
message: 'Too many requests. Please try again later.'
|
|
}, 429);
|
|
}
|
|
|
|
await c.env.MCP_API_KEYS.put(
|
|
rateLimitKey,
|
|
String(requestCount + 1),
|
|
{ expirationTtl: 60 }
|
|
);
|
|
|
|
await next();
|
|
} catch (error) {
|
|
// Rate limiting is best-effort, continue if it fails
|
|
await next();
|
|
}
|
|
});
|
|
|
|
// Public health check (no auth required)
|
|
app.get('/', (c) => {
|
|
return c.json({
|
|
name: 'authenticated-mcp-server',
|
|
version: '1.0.0',
|
|
status: 'running',
|
|
authentication: 'required',
|
|
mcp_endpoint: '/mcp',
|
|
usage: 'Send POST requests to /mcp with Authorization: Bearer YOUR_API_KEY'
|
|
});
|
|
});
|
|
|
|
// Authenticated MCP endpoint
|
|
app.post('/mcp', async (c) => {
|
|
const transport = new StreamableHTTPServerTransport({
|
|
sessionIdGenerator: undefined,
|
|
enableJsonResponse: true
|
|
});
|
|
|
|
c.res.raw.on('close', () => transport.close());
|
|
|
|
await server.connect(transport);
|
|
await transport.handleRequest(c.req.raw, c.res.raw, await c.req.json());
|
|
|
|
return c.body(null);
|
|
});
|
|
|
|
export default app;
|
|
|
|
/**
|
|
* API Key Management Commands
|
|
* ============================
|
|
*
|
|
* Add a new API key:
|
|
* wrangler kv key put --binding=MCP_API_KEYS "key:abc123xyz" "true"
|
|
*
|
|
* Revoke an API key:
|
|
* wrangler kv key delete --binding=MCP_API_KEYS "key:abc123xyz"
|
|
*
|
|
* List all API keys:
|
|
* wrangler kv key list --binding=MCP_API_KEYS --prefix="key:"
|
|
*
|
|
* Check API key usage:
|
|
* wrangler kv key get --binding=MCP_API_KEYS "usage:abc123xyz:2025-10-28"
|
|
*
|
|
* Generate secure API key (local):
|
|
* node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
|
|
*/
|