mcp remoto token

2026-04-20 11:10:51 +00:00
parent 41ebd39908
commit 950d43f5d7
4 changed files with 211 additions and 1 deletions
--- a/mcp-server/httpServer.js
+++ b/mcp-server/httpServer.js
@@ -18,6 +18,7 @@ import {
    getMcpSessionCredentials
 } from "./auth/index.js";
 import { fetchProjectInfo } from "./auth/localClient.js";
+import { validateMcpToken } from "./auth/mcpTokens.js";
 import { createSessionServer } from "./server.js";
 import { runWithSession } from "./utils/sessionContext.js";

@@ -180,11 +181,45 @@ export function startHttpServer() {
    app.use(cors({
        origin: '*',
        methods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-        allowedHeaders: ['Content-Type', 'X-Acai-Token', 'X-Acai-Website', 'X-Acai-Token-Hash', 'X-User-Token', 'X-Project-Name', 'X-Acai-User', 'Authorization', 'Mcp-Session-Id'],
+        allowedHeaders: ['Content-Type', 'X-Acai-Token', 'X-Acai-Website', 'X-Acai-Token-Hash', 'X-User-Token', 'X-Project-Name', 'X-Acai-User', 'X-MCP-Secret', 'Authorization', 'Mcp-Session-Id'],
        exposedHeaders: ['Mcp-Session-Id'],
        credentials: true
    }));

+    //=============================================================================
+    // MCP SECRET MIDDLEWARE
+    // Si llega X-MCP-Secret, lo validamos contra Redis (mcp_tokens:<sha256>) y
+    // reemplazamos los headers de identidad con los del token. El cliente NO
+    // puede forzar X-Acai-User / X-Project-Name si esta usando X-MCP-Secret.
+    // Si NO llega X-MCP-Secret, pasa de largo (modo legacy/dev: el cliente se
+    // identifica manualmente con X-Acai-User + X-Project-Name).
+    //=============================================================================
+    app.use(async (req, res, next) => {
+        const secret = req.headers["x-mcp-secret"];
+        if (!secret) {
+            return next();
+        }
+        try {
+            const auth = await validateMcpToken(secret);
+            if (!auth) {
+                res.status(401)
+                    .setHeader("Content-Type", "application/json")
+                    .end(JSON.stringify({ error: "Invalid MCP token" }));
+                return;
+            }
+            // Sobrescribe los headers de identidad con los del token validado.
+            req.headers["x-acai-user"] = auth.user;
+            req.headers["x-project-name"] = auth.project;
+            return next();
+        } catch (err) {
+            console.error("[MCP] mcpSecretMiddleware error:", err.message);
+            res.status(401)
+                .setHeader("Content-Type", "application/json")
+                .end(JSON.stringify({ error: "Invalid MCP token" }));
+            return;
+        }
+    });
+
    //=============================================================================
    // STREAMABLE HTTP TRANSPORT (PROTOCOL VERSION 2025-03-26)
    // This is the new recommended transport for MCP