Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(mcp): mcpAuth middleware — agent bearer + space scope + rate limit

Browse Source 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-04 20:08:45 +10:00
parent 185a4f3c96
commit 0b29b8c2f3
2 changed files with 106 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
tests/mcp/mcp_auth.test.js Normal file
View File

@@ -0,0 +1,62 @@
import { describe, it, expect, beforeAll, vi } from 'vitest';
import { resetDb } from '../helpers/db.js';
import { migrateUp } from '../../lib/db/migrate.js';
import { pool } from '../../lib/db/pool.js';
import * as agentsRepo from '../../lib/db/repos/agents.js';
import { mcpAuth, _resetMcpRate } from '../../lib/api/middleware/mcp_auth.js';
const owner = { kind: 'user', id: null };
function mockRes() {
return { statusCode: 200, body: null,
status(c) { this.statusCode = c; return this; },
json(b) { this.body = b; return this; } };
}
async function run(headers) {
const req = { headers };
const res = mockRes();
const next = vi.fn();
await mcpAuth(req, res, next);
return { req, res, next };
}
let scopedToken, unscopedToken;
beforeAll(async () => {
await resetDb(); await migrateUp();
process.env.OWNER_TOKEN = 'test-token';
const { rows: [{ id: spaceId }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('s','S') RETURNING id`);
const scoped = await agentsRepo.create({ slug: `s-${Date.now()}`, name: 'S', kind: 'claude', model: 'sonnet',
capabilities: { read: true, suggest: true }, scopes: { space_id: spaceId } }, owner);
({ token: scopedToken } = await agentsRepo.createToken(scoped.id, 'mcp'));
const unscoped = await agentsRepo.create({ slug: `u-${Date.now()}`, name: 'U', kind: 'claude', model: 'sonnet',
capabilities: { read: true, suggest: true }, scopes: {} }, owner);
({ token: unscopedToken } = await agentsRepo.createToken(unscoped.id, 'mcp'));
});
describe('mcpAuth', () => {
it('missing bearer → 401', async () => {
const { res, next } = await run({}); expect(res.statusCode).toBe(401); expect(next).not.toHaveBeenCalled();
});
it('owner token → 401 agent_required', async () => {
const { res } = await run({ authorization: 'Bearer test-token' });
expect(res.statusCode).toBe(401); expect(res.body.error.code).toBe('agent_required');
});
it('invalid token → 401', async () => {
const { res } = await run({ authorization: 'Bearer vk_nope.nope' }); expect(res.statusCode).toBe(401);
});
it('agent without space scope → 403 no_space_scope', async () => {
const { res } = await run({ authorization: `Bearer ${unscopedToken}` });
expect(res.statusCode).toBe(403); expect(res.body.error.code).toBe('no_space_scope');
});
it('valid scoped agent → next() + req.mcpAgent', async () => {
const { req, next } = await run({ authorization: `Bearer ${scopedToken}` });
expect(next).toHaveBeenCalled(); expect(req.mcpAgent.scopes.space_id).toBeTruthy();
});
it('rate limit → 429 past the cap', async () => {
_resetMcpRate(); process.env.MCP_RATE_LIMIT = '2';
await run({ authorization: `Bearer ${scopedToken}` });
await run({ authorization: `Bearer ${scopedToken}` });
const { res } = await run({ authorization: `Bearer ${scopedToken}` });
expect(res.statusCode).toBe(429);
delete process.env.MCP_RATE_LIMIT;
});
});