Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(mcp): mcpAuth middleware — agent bearer + space scope + rate limit

Browse Source 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-04 20:08:45 +10:00
parent 185a4f3c96
commit 0b29b8c2f3
2 changed files with 106 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
lib/api/middleware/mcp_auth.js Normal file
View File

@@ -0,0 +1,44 @@
// Auth gate for /mcp. External agents must present a Void agent bearer token
// bound to a Space (scopes.space_id). Owner / CF-Access identities are NOT
// accepted here — external agents never inherit owner powers. CF Access service
// tokens are enforced at the edge (Cloudflare policy on mcp.void.hynesy.com).
import * as agents from '../../db/repos/agents.js';
// Minimal fixed-window in-memory rate limit per token (defense-in-depth; the
// real gate is CF Access + bearer). Window is 60s.
const WINDOW_MS = 60_000;
const hits = new Map(); // token -> { count, resetAt }
export function _resetMcpRate() { hits.clear(); }
function rateLimited(token) {
const limit = Number(process.env.MCP_RATE_LIMIT || 120);
const now = Date.now();
let h = hits.get(token);
if (!h || now > h.resetAt) { h = { count: 0, resetAt: now + WINDOW_MS }; hits.set(token, h); }
h.count += 1;
return h.count > limit;
}
export async function mcpAuth(req, res, next) {
const auth = req.headers.authorization || '';
const [scheme, token] = auth.split(' ');
if (scheme !== 'Bearer' || !token) {
return res.status(401).json({ error: { code: 'unauthorized', message: 'missing bearer token' } });
}
if (process.env.OWNER_TOKEN && token === process.env.OWNER_TOKEN) {
return res.status(401).json({ error: { code: 'agent_required', message: 'owner token not valid for MCP' } });
}
if (rateLimited(token)) {
return res.status(429).json({ error: { code: 'rate_limited', message: 'too many requests' } });
}
let agent;
try { agent = await agents.verifyToken(token); }
catch (e) { return next(e); }
if (!agent) {
return res.status(401).json({ error: { code: 'unauthorized', message: 'invalid token' } });
}
if (!(agent.scopes && agent.scopes.space_id)) {
return res.status(403).json({ error: { code: 'no_space_scope', message: 'agent has no space scope' } });
}
req.mcpAgent = agent;
next();
}