Merge pull request #792 from Chris0Jeky/feature/mcp-http-transport-apikey-654

MCP-03: HTTP transport with API key authentication

Author: Chris0Jeky

backend/src/Taskdeck.Api/Controllers/ApiKeysController.cs

@@ -0,0 +1,138 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Taskdeck.Api.Contracts;
+using Taskdeck.Application.Interfaces;
+using Taskdeck.Application.Services;
+using Taskdeck.Domain.Exceptions;
+
+namespace Taskdeck.Api.Controllers;
+
+/// <summary>
+/// Manages MCP API keys for HTTP transport authentication.
+/// Keys are scoped to the authenticated user and use the <c>tdsk_</c> prefix.
+/// </summary>
+[ApiController]
+[Route("api/[controller]")]
+[Authorize]
+public class ApiKeysController : AuthenticatedControllerBase
+{
+    private readonly ApiKeyService _apiKeyService;
+
+    public ApiKeysController(ApiKeyService apiKeyService, IUserContext userContext)
+        : base(userContext)
+    {
+        _apiKeyService = apiKeyService;
+    }
+
+    /// <summary>
+    /// Create a new API key. The plaintext key is returned once and cannot be retrieved again.
+    /// </summary>
+    [HttpPost]
+    [ProducesResponseType(typeof(CreateApiKeyResponse), StatusCodes.Status201Created)]
+    [ProducesResponseType(typeof(ApiErrorResponse), StatusCodes.Status400BadRequest)]
+    public async Task<IActionResult> Create([FromBody] CreateApiKeyRequest request, CancellationToken cancellationToken)
+    {
+        if (!TryGetCurrentUserId(out var userId, out var errorResult))
+            return errorResult!;
+
+        if (string.IsNullOrWhiteSpace(request.Name))
+            return BadRequest(new ApiErrorResponse(ErrorCodes.ValidationError, "Name is required"));
+
+        TimeSpan? expiresIn = request.ExpiresInDays.HasValue
+            ? TimeSpan.FromDays(request.ExpiresInDays.Value)
+            : null;
+
+        try
+        {
+            var (plaintextKey, entity) = await _apiKeyService.CreateKeyAsync(
+                userId, request.Name, expiresIn, cancellationToken);
+
+            return StatusCode(StatusCodes.Status201Created, new CreateApiKeyResponse(
+                entity.Id,
+                plaintextKey,
+                entity.KeyPrefix_,
+                entity.Name,
+                entity.CreatedAt,
+                entity.ExpiresAt));
+        }
+        catch (DomainException ex)
+        {
+            return BadRequest(new ApiErrorResponse(ex.ErrorCode, ex.Message));
+        }
+    }
+
+    /// <summary>List all API keys for the authenticated user.</summary>
+    [HttpGet]
+    [ProducesResponseType(typeof(ListApiKeysResponse), StatusCodes.Status200OK)]
+    public async Task<IActionResult> List(CancellationToken cancellationToken)
+    {
+        if (!TryGetCurrentUserId(out var userId, out var errorResult))
+            return errorResult!;
+
+        var keys = await _apiKeyService.ListKeysAsync(userId, cancellationToken);
+
+        var items = keys.Select(k => new ApiKeyListItem(
+            k.Id,
+            k.KeyPrefix_,
+            k.Name,
+            k.CreatedAt,
+            k.ExpiresAt,
+            k.RevokedAt,
+            k.LastUsedAt,
+            k.IsActive));
+
+        return Ok(new ListApiKeysResponse(items.ToList()));
+    }
+
+    /// <summary>Revoke an API key.</summary>
+    [HttpDelete("{id:guid}")]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(typeof(ApiErrorResponse), StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> Revoke(Guid id, CancellationToken cancellationToken)
+    {
+        if (!TryGetCurrentUserId(out var userId, out var errorResult))
+            return errorResult!;
+
+        try
+        {
+            await _apiKeyService.RevokeKeyAsync(id, userId, cancellationToken);
+            return NoContent();
+        }
+        catch (DomainException ex) when (ex.ErrorCode == ErrorCodes.NotFound)
+        {
+            return NotFound(new ApiErrorResponse(ex.ErrorCode, ex.Message));
+        }
+        catch (DomainException ex) when (ex.ErrorCode == ErrorCodes.Forbidden)
+        {
+            return StatusCode(StatusCodes.Status403Forbidden, new ApiErrorResponse(ex.ErrorCode, ex.Message));
+        }
+        catch (DomainException ex)
+        {
+            return BadRequest(new ApiErrorResponse(ex.ErrorCode, ex.Message));
+        }
+    }
+}
+
+// ── Request / Response contracts ──────────────────────────────────────────────
+
+public sealed record CreateApiKeyRequest(string Name, int? ExpiresInDays = null);
+
+public sealed record CreateApiKeyResponse(
+    Guid Id,
+    string Key,
+    string KeyPrefix,
+    string Name,
+    DateTimeOffset CreatedAt,
+    DateTimeOffset? ExpiresAt);
+
+public sealed record ApiKeyListItem(
+    Guid Id,
+    string KeyPrefix,
+    string Name,
+    DateTimeOffset CreatedAt,
+    DateTimeOffset? ExpiresAt,
+    DateTimeOffset? RevokedAt,
+    DateTimeOffset? LastUsedAt,
+    bool IsActive);
+
+public sealed record ListApiKeysResponse(List<ApiKeyListItem> Keys);

backend/src/Taskdeck.Api/Extensions/ApplicationServiceRegistration.cs

@@ -59,6 +59,7 @@ public static IServiceCollection AddApplicationServices(this IServiceCollection
             new BoardMetricsService(
                 sp.GetRequiredService<IUnitOfWork>(),
                 sp.GetRequiredService<IAuthorizationService>()));
+        services.AddScoped<ApiKeyService>();
         services.AddScoped<IForecastingService>(sp =>
             new ForecastingService(
                 sp.GetRequiredService<IUnitOfWork>(),

backend/src/Taskdeck.Api/Extensions/PipelineConfiguration.cs

@@ -1,6 +1,7 @@
 using System.Globalization;
 using System.Net;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 using Taskdeck.Api.Hubs;
 using Taskdeck.Api.Middleware;
@@ -82,6 +83,11 @@ public static WebApplication ConfigureTaskdeckPipeline(
             }
         });
 
+        // API key authentication for MCP HTTP transport (/mcp path).
+        // Must run before UseAuthentication so MCP requests are handled by API key auth,
+        // not JWT auth. Non-MCP requests pass through unaffected.
+        app.UseMiddleware<ApiKeyMiddleware>();
+
         app.UseAuthentication();
         // Reject tokens for deleted/deactivated users or tokens issued before invalidation.
         // Must run after UseAuthentication (so JWT is parsed) and before UseAuthorization.
@@ -95,6 +101,15 @@ public static WebApplication ConfigureTaskdeckPipeline(
         app.MapControllers();
         app.MapHub<BoardsHub>("/hubs/boards");
 
+        // MCP Streamable HTTP endpoint for external AI agent integration.
+        // Authenticated via ApiKeyMiddleware (Bearer tdsk_... tokens).
+        // Rate limiting applied per API key user identity.
+        var mcpEndpoint = app.MapMcp();
+        if (rateLimitingSettings.Enabled)
+        {
+            mcpEndpoint.RequireRateLimiting(RateLimiting.RateLimitingPolicyNames.McpPerApiKey);
+        }
+
         // SPA fallback: any route not matched by a controller or hub endpoint returns index.html,
         // enabling Vue Router's client-side navigation. API (/api/*) and hub (/hubs/*) routes
         // are matched above and never reach this fallback.

backend/src/Taskdeck.Api/Extensions/RateLimitingRegistration.cs

@@ -72,6 +72,13 @@ await context.HttpContext.Response.WriteAsJsonAsync(
             var partitionKey = $"capture-user:{ResolveUserOrClientIdentifier(httpContext)}";
             return BuildFixedWindowPartition(partitionKey, settings.CaptureWritePerUser);
         });
+
+        options.AddPolicy(RateLimitingPolicyNames.McpPerApiKey, httpContext =>
+        {
+            // Partition by API key user or fall back to IP for unauthenticated attempts.
+            var partitionKey = $"mcp-apikey:{ResolveUserOrClientIdentifier(httpContext)}";
+            return BuildFixedWindowPartition(partitionKey, settings.McpPerApiKey);
+        });
     }
 
     private static RateLimitPartition<string> BuildFixedWindowPartition(string partitionKey, RateLimitPolicySettings policy)

backend/src/Taskdeck.Api/Middleware/ApiKeyMiddleware.cs

@@ -0,0 +1,151 @@
+using System.Security.Cryptography;
+using System.Text;
+using Microsoft.EntityFrameworkCore;
+using Taskdeck.Api.Contracts;
+using Taskdeck.Domain.Entities;
+using Taskdeck.Domain.Exceptions;
+using Taskdeck.Infrastructure.Mcp;
+using Taskdeck.Infrastructure.Persistence;
+
+namespace Taskdeck.Api.Middleware;
+
+/// <summary>
+/// Middleware that authenticates MCP HTTP requests using API keys.
+/// Extracts a Bearer token from the Authorization header, hashes it with SHA-256,
+/// looks up the hash in the ApiKeys table, and sets the user ID in
+/// HttpContext.Items for <see cref="HttpUserContextProvider"/>.
+///
+/// Only active on the MCP endpoint path (/mcp). REST API endpoints continue
+/// to use JWT authentication.
+/// </summary>
+public sealed class ApiKeyMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly ILogger<ApiKeyMiddleware> _logger;
+
+    /// <summary>The path prefix that triggers API key authentication.</summary>
+    private const string McpPathPrefix = "/mcp";
+
+    public ApiKeyMiddleware(RequestDelegate next, ILogger<ApiKeyMiddleware> logger)
+    {
+        _next = next;
+        _logger = logger;
+    }
+
+    public async Task InvokeAsync(HttpContext context, TaskdeckDbContext dbContext)
+    {
+        // Only authenticate MCP endpoint requests
+        if (!context.Request.Path.StartsWithSegments(McpPathPrefix, StringComparison.OrdinalIgnoreCase))
+        {
+            await _next(context);
+            return;
+        }
+
+        var authHeader = context.Request.Headers.Authorization.ToString();
+        if (string.IsNullOrWhiteSpace(authHeader))
+        {
+            await WriteErrorResponse(context, StatusCodes.Status401Unauthorized,
+                "Missing Authorization header. Provide a Bearer token with your API key.");
+            return;
+        }
+
+        if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+        {
+            await WriteErrorResponse(context, StatusCodes.Status401Unauthorized,
+                "Invalid Authorization header format. Use: Bearer tdsk_...");
+            return;
+        }
+
+        var token = authHeader["Bearer ".Length..].Trim();
+
+        if (string.IsNullOrWhiteSpace(token) || !token.StartsWith(ApiKey.KeyPrefix))
+        {
+            await WriteErrorResponse(context, StatusCodes.Status401Unauthorized,
+                "Invalid API key format. Keys must start with 'tdsk_'.");
+            return;
+        }
+
+        // Hash the provided key and look up in the database
+        var keyHash = HashKey(token);
+
+        var apiKey = await dbContext.ApiKeys
+            .AsNoTracking()
+            .FirstOrDefaultAsync(k => k.KeyHash == keyHash, context.RequestAborted);
+
+        if (apiKey is null)
+        {
+            _logger.LogWarning("MCP API key authentication failed: key not found (prefix: {Prefix})",
+                token.Length >= 8 ? token[..8] : "short");
+            await WriteErrorResponse(context, StatusCodes.Status401Unauthorized,
+                "Invalid API key.");
+            return;
+        }
+
+        if (!apiKey.IsActive)
+        {
+            var reason = apiKey.RevokedAt is not null ? "revoked" : "expired";
+            _logger.LogWarning("MCP API key authentication failed: key is {Reason} (id: {KeyId})",
+                reason, apiKey.Id);
+            // Return generic message to avoid leaking key state (revoked vs expired)
+            await WriteErrorResponse(context, StatusCodes.Status401Unauthorized,
+                "Invalid API key.");
+            return;
+        }
+
+        // Verify the user account is active
+        var user = await dbContext.Users
+            .AsNoTracking()
+            .FirstOrDefaultAsync(u => u.Id == apiKey.UserId, context.RequestAborted);
+
+        if (user is null || !user.IsActive)
+        {
+            _logger.LogWarning("MCP API key authentication failed: user inactive (userId: {UserId})", apiKey.UserId);
+            await WriteErrorResponse(context, StatusCodes.Status401Unauthorized,
+                "User account is inactive or has been deleted.");
+            return;
+        }
+
+        // Set the authenticated user ID for HttpUserContextProvider
+        context.Items[HttpUserContextProvider.UserIdItemKey] = apiKey.UserId;
+
+        // Update last-used timestamp before continuing the pipeline.
+        // This is non-critical so failures are swallowed.
+        await UpdateLastUsedAsync(dbContext, apiKey.Id);
+
+        await _next(context);
+    }
+
+    private static string HashKey(string plaintextKey)
+    {
+        var bytes = Encoding.UTF8.GetBytes(plaintextKey);
+        var hash = SHA256.HashData(bytes);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    private async Task UpdateLastUsedAsync(TaskdeckDbContext dbContext, Guid keyId)
+    {
+        try
+        {
+            // Direct update to avoid concurrency issues with the read-only query above.
+            await dbContext.ApiKeys
+                .Where(k => k.Id == keyId)
+                .ExecuteUpdateAsync(setters => setters
+                    .SetProperty(k => k.LastUsedAt, DateTimeOffset.UtcNow)
+                    .SetProperty(k => k.UpdatedAt, DateTimeOffset.UtcNow));
+        }
+        catch (Exception ex)
+        {
+            // Non-critical: if usage tracking fails, authentication still succeeds.
+            _logger.LogDebug(ex, "Failed to update API key last-used timestamp for key {KeyId}", keyId);
+        }
+    }
+
+    private static async Task WriteErrorResponse(HttpContext context, int statusCode, string message)
+    {
+        context.Response.StatusCode = statusCode;
+        context.Response.ContentType = "application/json";
+        await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
+            ErrorCodes.Unauthorized,
+            message));
+    }
+}

backend/src/Taskdeck.Api/Program.cs

@@ -172,6 +172,18 @@
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddScoped<Taskdeck.Application.Interfaces.IUserContext, Taskdeck.Infrastructure.Identity.UserContext>();
 
+// Register MCP HTTP transport (Streamable HTTP alongside REST on the same Kestrel instance).
+// The HttpUserContextProvider resolves user identity from the API key set by ApiKeyMiddleware.
+builder.Services.AddScoped<IUserContextProvider, Taskdeck.Infrastructure.Mcp.HttpUserContextProvider>();
+builder.Services.AddMcpServer()
+    .WithHttpTransport()
+    .WithResources<BoardResources>()
+    .WithResources<CaptureResources>()
+    .WithResources<ProposalResources>()
+    .WithTools<ReadTools>()
+    .WithTools<WriteTools>()
+    .WithTools<ProposalTools>();
+
 // Add JWT Authentication (with optional GitHub OAuth)
 builder.Services.AddTaskdeckAuthentication(jwtSettings, gitHubOAuthSettings);
 

backend/src/Taskdeck.Api/RateLimiting/RateLimitingPolicyNames.cs

@@ -5,4 +5,5 @@ public static class RateLimitingPolicyNames
     public const string AuthPerIp = "AuthPerIp";
     public const string HotPathPerUser = "HotPathPerUser";
     public const string CaptureWritePerUser = "CaptureWritePerUser";
+    public const string McpPerApiKey = "McpPerApiKey";
 }

backend/src/Taskdeck.Api/Taskdeck.Api.csproj

@@ -28,6 +28,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="ModelContextProtocol" Version="1.2.0" />
+    <PackageReference Include="ModelContextProtocol.AspNetCore" Version="1.2.0" />
     <PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.15.1" />
     <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.1" />
     <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.15.1" />

backend/src/Taskdeck.Application/Interfaces/IApiKeyRepository.cs

@@ -0,0 +1,12 @@
+using Taskdeck.Domain.Entities;
+
+namespace Taskdeck.Application.Interfaces;
+
+public interface IApiKeyRepository : IRepository<ApiKey>
+{
+    /// <summary>Look up an API key by its SHA-256 hash.</summary>
+    Task<ApiKey?> GetByKeyHashAsync(string keyHash, CancellationToken cancellationToken = default);
+
+    /// <summary>List all API keys belonging to a user (including revoked).</summary>
+    Task<IEnumerable<ApiKey>> GetByUserIdAsync(Guid userId, CancellationToken cancellationToken = default);
+}