Merge pull request #6549 from FlowFuse/6546-expert-access-mcp-with-auth

Add support for expert access to mcp servers with auth

Author: cstns

forge/ee/routes/httpTokens/index.js

@@ -40,8 +40,11 @@ module.exports = async function (app) {
         preHandler: app.needsPermission('project:edit')
     }, async (request, reply) => {
         const tokens = await app.db.models.AccessToken.getProjectHTTPTokens(request.project)
+        // exclude FF-Expert auto generated HTTP MCP tokens from listing
+        const withoutExpertMcpTokens = tokens.filter(token => !isExpertMcpToken(token))
+        const tokensView = app.db.views.AccessToken.instanceHTTPTokenSummaryList(withoutExpertMcpTokens)
         reply.send({
-            tokens: app.db.views.AccessToken.instanceHTTPTokenSummaryList(tokens),
+            tokens: tokensView,
             count: tokens.length
         })
     })
@@ -51,6 +54,10 @@ module.exports = async function (app) {
     }, async (request, reply) => {
         try {
             const body = request.body
+            // Prevent creation of Expert MCP Access Tokens via this route
+            if (isExpertMcpToken({ scope: body.scope })) {
+                throw new Error('Cannot create Expert MCP Access Token via this route')
+            }
             const token = await app.db.controllers.AccessToken.createHTTPNodeToken(request.project, body.name, body.scope, body.expiresAt)
             // token has already been sanitised via views.AccessToken.instanceHTTPTokenSummary
             await app.auditLog.Project.project.httpToken.created(request.session.User, null, request.project, body)
@@ -67,6 +74,10 @@ module.exports = async function (app) {
         try {
             const oldToken = await app.db.models.AccessToken.byId(request.params.id, 'http', request.project.id)
             if (oldToken) {
+                // Prevent modification of Expert MCP Access Tokens via this route
+                if (isExpertMcpToken(oldToken)) {
+                    throw new Error('Cannot modify Expert MCP Access Token')
+                }
                 const body = request.body
                 const token = await app.db.controllers.AccessToken.updateHTTPNodeToken(request.project, request.params.id, body.scope, body.expiresAt)
                 const updates = new app.auditLog.formatters.UpdatesCollection()
@@ -99,4 +110,11 @@ module.exports = async function (app) {
             reply.code(400).send(resp)
         }
     })
+
+    function isExpertMcpToken (token) {
+        if (!token || !token.scope) {
+            return false
+        }
+        return token.scope.includes('ff-expert:mcp')
+    }
 }

forge/expert/index.js

@@ -0,0 +1,93 @@
+const fp = require('fastify-plugin')
+const { LRUCache } = require('lru-cache')
+// decorate the app with the expert helpers and cache utilities
+
+module.exports = fp(async function (app, _opts) {
+    // Get the assistant service configuration
+    const serviceEnabled = app.config.expert?.enabled === true
+    const expertUrl = app.config.expert?.service?.url
+    const serviceToken = app.config.expert?.service?.token
+    const requestTimeout = app.config.expert?.service?.requestTimeout || 60000
+
+    const TOKEN_TTL = app.config.expert?.tokenCache?.ttl || 5 * 60 * 1000 // Default 5 minutes
+    const TOKEN_REMAINING_LIMIT = 15000 // token life edge window (avoid using tokens about to expire)
+    const mcpAccessTokenCache = new LRUCache({
+        name: 'ExpertMCPAccessTokenCache', // for testing purposes
+        max: app.config.expert?.tokenCache?.max || 1000,
+        ttl: TOKEN_TTL,
+        updateAgeOnGet: false // do not update the age on get, we want it to expire after the original ttl
+    })
+
+    function clearMcpAccessTokenCache (cacheKey) {
+        if (cacheKey) {
+            mcpAccessTokenCache.delete(cacheKey)
+        } else {
+            mcpAccessTokenCache.clear()
+        }
+    }
+
+    async function getOrCreateMcpAccessToken (instance, instanceType, instanceId, teamHttpSecurityFeatureEnabled) {
+        let mcpAccessToken
+        if (mcpAccessTokenCache.has(instanceId)) {
+            const remainingTTL = mcpAccessTokenCache.getRemainingTTL(instanceId)
+            if (remainingTTL > TOKEN_REMAINING_LIMIT) { // only use cached token if it has more than 5 second remaining
+                mcpAccessToken = mcpAccessTokenCache.get(instanceId)
+            }
+        }
+
+        if (!mcpAccessToken) {
+            const instanceSettings = await instance.getSetting('settings')
+            const httpNodeAuth = instanceSettings?.httpNodeAuth
+            const tokenName = 'FlowFuse Expert MCP Access Token'
+            const scope = ['ff-expert:mcp', instanceType]
+            if (httpNodeAuth?.type === 'flowforge-user' && teamHttpSecurityFeatureEnabled) {
+                // FlowFuse auth is enabled for this instance
+                const expiresAt = new Date(Date.now() + (TOKEN_TTL))
+                const token = await app.db.controllers.AccessToken.createHTTPNodeToken(instance, tokenName, scope, expiresAt)
+                mcpAccessToken = {
+                    scheme: 'Bearer',
+                    scope,
+                    token: token.token
+                }
+            } else if (httpNodeAuth?.type === 'basic') {
+                // Basic auth is enabled - MCP client will need to use basic auth
+                mcpAccessToken = {
+                    scheme: 'Basic',
+                    scope,
+                    token: '' // basic auth is not supported - we have no access to the password. For now, just return an empty string.
+                }
+            } else {
+                // default - no auth
+                mcpAccessToken = {
+                    scheme: '',
+                    scope,
+                    token: null
+                }
+            }
+            mcpAccessTokenCache.set(instanceId, mcpAccessToken)
+        }
+        return mcpAccessToken
+    }
+
+    function getCachedMcpAccessToken (instanceId) {
+        if (mcpAccessTokenCache.has(instanceId)) {
+            const remainingTTL = mcpAccessTokenCache.getRemainingTTL(instanceId)
+            if (remainingTTL > 15000) { // only use cached token if it is not about to expire
+                return mcpAccessTokenCache.get(instanceId)
+            }
+        }
+        return null
+    }
+
+    app.decorate('expert', {
+        serviceEnabled,
+        expertUrl,
+        serviceToken,
+        requestTimeout,
+        mcp: {
+            clearTokenCache: clearMcpAccessTokenCache,
+            getCachedToken: getCachedMcpAccessToken,
+            getOrCreateToken: getOrCreateMcpAccessToken
+        }
+    })
+}, { name: 'app.expert' })

forge/forge.js

@@ -11,6 +11,7 @@ const config = require('./config') // eslint-disable-line n/no-unpublished-requi
 const containers = require('./containers')
 const db = require('./db')
 const ee = require('./ee')
+const expert = require('./expert')
 const housekeeper = require('./housekeeper')
 const { generatePassword } = require('./lib/userTeam')
 const license = require('./licensing')
@@ -251,9 +252,10 @@ module.exports = async (options = {}) => {
         await server.register(license)
         // Audit Logging
         await server.register(auditLog)
-
         // Housekeeper
         await server.register(housekeeper)
+        // Expert
+        await server.register(expert)
 
         // HTTP Server configuration
         if (!server.settings.get('cookieSecret')) {