fix: remove auth bypass - server locked until API key generated

Anuj Shrivastava · Anuj Shrivastava · commit bb0af5d5f04d · 2026-03-10T11:54:11.000+05:30
- Remove first-run open-access bypass in APIKeyMiddleware
- No API keys = HTTP 503 with hint to generate via /admin/keys
- Add Dockerfile for multi-arch container build
- Add requirements.txt and run.py
- Add GitHub Actions workflow for linux/amd64 + linux/arm64 build+push
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -0,0 +1,40 @@
+name: Build & Push Multi-Arch Container
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU (for cross-arch builds)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ghcr.io/ibm/verify-mcp-server:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,22 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+# Install dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy source
+COPY src/ ./src/
+COPY run.py .
+
+# Data volume for keystore persistence
+VOLUME ["/data"]
+
+ENV MCP_TRANSPORT=sse
+ENV MCP_PORT=8004
+ENV KEYSTORE_PATH=/data/keys.json
+
+EXPOSE 8004
+
+CMD ["python", "-m", "src"]
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,5 @@
+mcp[cli]>=1.0.0
+httpx>=0.25.0
+uvicorn>=0.30.0
+starlette>=0.38.0
+python-dotenv>=1.0.0
diff --git a/run.py b/run.py
@@ -0,0 +1,28 @@
+"""WXO STDIO entry point for Verify MCP Server."""
+import os
+
+# Force STDIO transport
+os.environ["MCP_TRANSPORT"] = "stdio"
+
+# Map WXO connection env vars to the bare names expected by config.py
+# WXO injects: WXO_CONNECTION_<app_id>_<field> = value
+# Our code reads: <field>
+_APP_ID = "verify_creds"
+_ENV_KEYS = [
+    "VERIFY_TENANT",
+    "API_CLIENT_ID",
+    "API_CLIENT_SECRET",
+    "OIDC_CLIENT_ID",
+    "OIDC_CLIENT_SECRET",
+    "VERIFY_SSL",
+]
+for key in _ENV_KEYS:
+    wxo_key = f"WXO_CONNECTION_{_APP_ID}_{key}"
+    val = os.environ.get(wxo_key)
+    if val and not os.environ.get(key):
+        os.environ[key] = val
+
+from src.server import main
+
+if __name__ == "__main__":
+    main()
diff --git a/src/server.py b/src/server.py
@@ -74,10 +74,26 @@ async def dispatch(self, request: Request, call_next):
         # Everything else requires a valid API key
         ks = _get_key_store()
 
-        # If no keys have been generated yet, allow open access
-        # (first-run experience — admin should generate a key immediately)
+        # If no keys have been generated yet, block ALL requests.
+        # The admin MUST generate at least one key before the server
+        # will accept connections.  Use:
+        #   docker exec <container> curl -s -X POST \
+        #     http://localhost:8004/admin/keys \
+        #     -H 'Content-Type: application/json' \
+        #     -d '{"user":"admin"}'
         if not ks.has_any_keys():
-            return await call_next(request)
+            return JSONResponse(
+                {
+                    "error": "Server is locked — no API keys have been configured.",
+                    "hint": (
+                        "Generate a key: docker exec <container> curl -s -X POST "
+                        "http://localhost:8004/admin/keys "
+                        "-H 'Content-Type: application/json' "
+                        "-d '{\"user\":\"admin\"}'"
+                    ),
+                },
+                status_code=503,
+            )
 
         auth_header = request.headers.get("Authorization", "")
         if not auth_header:
@@ -251,8 +267,10 @@ def main() -> None:
             logger.info("API key authentication ENABLED (%d key(s) loaded)", len(ks.list_keys()))
         else:
             logger.warning(
-                "No API keys configured — SSE endpoint is OPEN. "
-                "Generate a key: curl -X POST http://localhost:%d/admin/keys -H 'Content-Type: application/json' -d '{\"user\":\"admin@ibm.com\"}'",
+                "LOCKED — No API keys configured. ALL requests will be rejected with HTTP 503 "
+                "until you generate a key: "
+                "docker exec <container> curl -s -X POST http://localhost:%d/admin/keys "
+                "-H 'Content-Type: application/json' -d '{\"user\":\"admin\"}'",
                 SSE_PORT,
             )
 
