
feat(mcp): server-side permission enforcement and token auth for the AlianHub MCP server #238

Merged

parth0025 merged 2 commits into staging from feat/mcp-server on Jun 15, 2026

Conversation

@parth0025

Collaborator

What & why

Adds server-side permission enforcement and token auth so the MCP server (and any API client — scripts, curl) obeys the same roles & permissions as the web app, instead of bypassing checks that previously ran only in the Vue frontend.

Backend

  • Config/permissionGuard.js (new) — a backend mirror of the frontend permission model (single source of truth). Owner/admin bypass; role ≥ 3 evaluated against the company RULES doc; three-value result (no-access / read-only / write). Includes a DISABLE_PERMISSION_ENFORCEMENT ops kill-switch for the fine-grained layer (role guards stay on regardless).
  • API-token auth hardening in Config/jwt.js / Config/setMiddleware.js and Modules/ApiTokens/{controller,routes}.js.
  • Guarded routes: requirePermission / requireRole wired onto the endpoints the MCP server calls: Tasks, Sprints, createProject, EstimatedTime, Project list, settings/Members, settings/securityPermissions.

Scripts

  • scripts/issue-api-token.js, toggle-api-token.js, clear-api-tokens.js, print-permissions.js — token management / inspection helpers.

Verification

  • All 17 changed JS files pass node --check.

Notes

  • This carries parallel-session work from the working tree; only the MCP-related changes are included (plan docs and local settings were intentionally excluded).

🤖 Generated with Claude Code

…the MCP server

Adds Config/permissionGuard.js — a backend mirror of the frontend
permission model — so API clients (the MCP server, scripts, curl) using
a valid token obey the same roles and permissions as the web app
instead of bypassing checks that previously ran only in Vue. Wires the
requirePermission / requireRole guards onto the task, sprint, project,
member, estimated-time and security-permission routes the MCP server
calls, hardens the API-token auth, and adds token-management scripts
(issue / toggle / clear / print-permissions).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
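An added illustration of the two guard layers the description and commit message talk about (owner/admin bypass, role ≥ 3 looked up in a RULES doc, a three-value result, and a kill-switch that disables only the fine-grained layer). This is example code written for this page, not AlianHub's Config/permissionGuard.js; the role numbering (1 = owner, 2 = admin, 3 and above ordinary roles), the RULES shape, and the rule that read-only permits only GET/HEAD are assumptions.

```javascript
const NO_ACCESS = 'no-access', READ_ONLY = 'read-only', WRITE = 'write';

// Constructed stand-in for the company RULES doc (shape assumed). Assumed role
// numbering: 1 = owner, 2 = admin (both bypass), 3 and above are ordinary roles.
const RULES = {
  task_update:           { write: [3], read: [3, 4] },
  project_folder_create: { write: [3], read: [3] },
  security_permissions:  { write: [],  read: [3] },
};

// Fine-grained layer: three-value result for one user and one permission key.
function evaluatePermission(user, key, rules = RULES) {
  if (user.role === 1 || user.role === 2) return WRITE; // owner/admin bypass
  const rule = rules[key];
  if (!rule) return NO_ACCESS;                          // unknown key: deny
  if (rule.write.includes(user.role)) return WRITE;
  if (rule.read.includes(user.role)) return READ_ONLY;
  return NO_ACCESS;
}

// Coarse layer: reject roles less privileged than maxRole (larger number =
// less privilege). Stays on regardless of the kill-switch.
function requireRole(maxRole) {
  return (req, res, next) => {
    if (!req.user || req.user.role > maxRole) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

const SAFE_METHODS = new Set(['GET', 'HEAD']);

// Fine-grained layer as middleware. A read-only result permits only safe
// methods; DISABLE_PERMISSION_ENFORCEMENT=true skips this layer alone.
function requirePermission(key, env = process.env) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    if (env.DISABLE_PERMISSION_ENFORCEMENT === 'true') return next();
    const level = evaluatePermission(req.user, key);
    if (level === WRITE || (level === READ_ONLY && SAFE_METHODS.has(req.method))) return next();
    return res.status(403).json({ error: 'forbidden', permission: key, level });
  };
}

// Drive a guard without Express: the status it sent, or 200 when it called next().
function runGuard(guard, req) {
  let status = 200;
  const res = { status(c) { status = c; return this; }, json() { return this; } };
  guard(req, res, () => {});
  return status;
}
```

Chaining `requireRole(3)` before `requirePermission('task_update')` on a route reproduces the layering the PR describes: flipping the kill-switch lets a role-4 caller past the fine-grained check but still not past the role guard.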

coderabbitai Bot commented Jun 12, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1cf1da05-b6e4-47c8-b61c-95359346e8b5


@parth0025 parth0025 added Hold enhancement New feature or request labels Jun 12, 2026
@parth0025 parth0025 self-assigned this Jun 12, 2026
@parth0025 parth0025 changed the title feat(mcp): server-side permission enforcement and token auth for the MCP server feat(mcp): server-side permission enforcement and token auth for the AlianHub MCP server Jun 12, 2026
…t keys

Adds project_folder_create and the project name/description/details/
assignee permission keys to MCP_PERMISSION_KEYS so the MCP server can
perform those project operations under the server-side permission guard.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@parth0025 parth0025 removed the Hold label Jun 15, 2026
@parth0025 parth0025 merged commit ea6f669 into staging Jun 15, 2026
4 checks passed