feat(lightspeed): add MCP servers settings panel (#2582)

* feat(lightspeed): add MCP servers settings panel

* improved UI

Signed-off-by: Yi Cai <yicai@redhat.com>

* backend integration

Signed-off-by: Yi Cai <yicai@redhat.com>

* code improvement

Signed-off-by: Yi Cai <yicai@redhat.com>

* error messages improvements

Signed-off-by: Yi Cai <yicai@redhat.com>

* fixed failed test

Signed-off-by: Yi Cai <yicai@redhat.com>

* resovled qoto comments

Signed-off-by: Yi Cai <yicai@redhat.com>

* resolved failed e2e tests

Signed-off-by: Yi Cai <yicai@redhat.com>

* fixed failed ci check

Signed-off-by: Yi Cai <yicai@redhat.com>

* addressed review points

Signed-off-by: Yi Cai <yicai@redhat.com>

* prettier fix

Signed-off-by: Yi Cai <yicai@redhat.com>

* fixed failed tests

Signed-off-by: Yi Cai <yicai@redhat.com>

---------

Signed-off-by: Yi Cai <yicai@redhat.com>

Author: ciiay

workspaces/lightspeed/plugins/lightspeed-backend/__fixtures__/mcpHandlers.ts

@@ -28,7 +28,10 @@ const MOCK_TOOLS = [
 export const mcpHandlers: HttpHandler[] = [
   http.post(MOCK_MCP_ADDR, async ({ request }) => {
     const auth = request.headers.get('Authorization');
-    if (auth !== `Bearer ${MOCK_MCP_VALID_TOKEN}`) {
+    if (
+      auth !== MOCK_MCP_VALID_TOKEN &&
+      auth !== `Bearer ${MOCK_MCP_VALID_TOKEN}`
+    ) {
       return HttpResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 

workspaces/lightspeed/plugins/lightspeed-backend/src/service/mcp-server-validator.test.ts

@@ -0,0 +1,77 @@
+/*
+ * Copyright Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { McpServerValidator } from './mcp-server-validator';
+
+describe('McpServerValidator auth header behavior', () => {
+  const url = 'https://mcp.example.com';
+  const childMock = jest.fn();
+  const logger: ConstructorParameters<typeof McpServerValidator>[0] = {
+    debug: jest.fn(),
+    info: jest.fn(),
+    warn: jest.fn(),
+    error: jest.fn(),
+    child: childMock,
+  };
+  childMock.mockImplementation(() => logger);
+
+  const originalFetch = global.fetch;
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    jest.clearAllMocks();
+  });
+
+  it('tries raw token first, then Bearer on 401/403', async () => {
+    const fetchMock = jest
+      .fn()
+      .mockResolvedValue(new Response(null, { status: 401 }));
+    global.fetch = fetchMock;
+
+    const validator = new McpServerValidator(logger);
+    const result = await validator.validate(url, 'raw-token');
+
+    expect(result).toMatchObject({
+      valid: false,
+      toolCount: 0,
+      tools: [],
+      error: 'Invalid credentials — server returned 401/403',
+    });
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+    expect(fetchMock.mock.calls[0][1]?.headers).toMatchObject({
+      Authorization: 'raw-token',
+    });
+    expect(fetchMock.mock.calls[1][1]?.headers).toMatchObject({
+      Authorization: 'Bearer raw-token',
+    });
+  });
+
+  it('uses token as-is when it already has an auth scheme', async () => {
+    const fetchMock = jest
+      .fn()
+      .mockResolvedValue(new Response(null, { status: 401 }));
+    global.fetch = fetchMock;
+
+    const validator = new McpServerValidator(logger);
+    const result = await validator.validate(url, 'Basic abc123');
+
+    expect(result.valid).toBe(false);
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    expect(fetchMock.mock.calls[0][1]?.headers).toMatchObject({
+      Authorization: 'Basic abc123',
+    });
+  });
+});

workspaces/lightspeed/plugins/lightspeed-backend/src/service/mcp-server-validator.ts

@@ -19,6 +19,82 @@ import type { LoggerService } from '@backstage/backend-plugin-api';
 import { McpValidationResult } from './mcp-server-types';
 
 const REQUEST_TIMEOUT_MS = 10_000;
+const INVALID_CREDENTIALS_ERROR =
+  'Invalid credentials — server returned 401/403';
+
+const getEndpointLabel = (targetUrl: string): string => {
+  try {
+    const parsed = new URL(targetUrl);
+    return parsed.port ? `${parsed.hostname}:${parsed.port}` : parsed.hostname;
+  } catch {
+    return targetUrl;
+  }
+};
+
+const getNestedError = (error: unknown): Error | undefined => {
+  if (
+    error &&
+    typeof error === 'object' &&
+    'cause' in error &&
+    (error as { cause?: unknown }).cause instanceof Error
+  ) {
+    return (error as { cause: Error }).cause;
+  }
+  return undefined;
+};
+
+const getNetworkErrorMessage = (url: string, error: unknown): string => {
+  const endpoint = getEndpointLabel(url);
+  const nestedError = getNestedError(error);
+  const fullMessage = [
+    error instanceof Error ? error.message : '',
+    nestedError?.name ?? '',
+    nestedError?.message ?? '',
+  ]
+    .filter(Boolean)
+    .join(' ')
+    .toLowerCase();
+
+  if (
+    fullMessage.includes('timeout') ||
+    fullMessage.includes('aborterror') ||
+    fullMessage.includes('aborted')
+  ) {
+    return `Connection timed out while contacting ${endpoint}`;
+  }
+  if (
+    fullMessage.includes('econnrefused') ||
+    fullMessage.includes('connection refused')
+  ) {
+    return `Connection refused by ${endpoint}`;
+  }
+  if (
+    fullMessage.includes('enotfound') ||
+    fullMessage.includes('getaddrinfo')
+  ) {
+    return `Host not found for ${endpoint}`;
+  }
+  if (
+    fullMessage.includes('econnreset') ||
+    fullMessage.includes('socket hang up')
+  ) {
+    return `Connection reset by ${endpoint}`;
+  }
+  if (
+    fullMessage.includes('ehostunreach') ||
+    fullMessage.includes('enetunreach')
+  ) {
+    return `Host unreachable: ${endpoint}`;
+  }
+  if (fullMessage.includes('fetch failed')) {
+    return `Unable to connect to ${endpoint}`;
+  }
+
+  return (
+    nestedError?.message ||
+    (error instanceof Error ? error.message : String(error))
+  );
+};
 
 /**
  * Validates MCP server credentials using the Streamable HTTP transport.
@@ -32,13 +108,51 @@ export class McpServerValidator {
   constructor(private readonly logger: LoggerService) {}
 
   async validate(url: string, token: string): Promise<McpValidationResult> {
-    // Bearer prefix is required here because the validator hits the MCP server
-    // directly (not through LCS). LCS handles its own auth scheme via
-    // MCP-HEADERS (see buildMcpHeaders in router.ts), but direct MCP
-    // Streamable HTTP endpoints expect standard Bearer authentication.
+    const trimmedToken = token.trim();
+    const hasAuthScheme = /^[A-Za-z][A-Za-z0-9_-]*\s+/.test(trimmedToken);
+    const authorizationHeaders = hasAuthScheme
+      ? [trimmedToken]
+      : [trimmedToken, `Bearer ${trimmedToken}`];
+
+    let lastResult: McpValidationResult = {
+      valid: false,
+      toolCount: 0,
+      tools: [],
+      error: INVALID_CREDENTIALS_ERROR,
+    };
+
+    for (const [index, authorizationHeader] of authorizationHeaders.entries()) {
+      const result = await this.validateWithAuthorizationHeader(
+        url,
+        authorizationHeader,
+      );
+      lastResult = result;
+
+      const isLastAttempt = index === authorizationHeaders.length - 1;
+      const shouldRetryWithAlternativeAuth =
+        !isLastAttempt &&
+        !result.valid &&
+        result.error === INVALID_CREDENTIALS_ERROR;
+
+      if (!shouldRetryWithAlternativeAuth) {
+        return result;
+      }
+
+      this.logger.debug(
+        `MCP validation got 401/403 for ${url}; retrying with an alternate Authorization header format`,
+      );
+    }
+
+    return lastResult;
+  }
+
+  private async validateWithAuthorizationHeader(
+    url: string,
+    authorizationHeader: string,
+  ): Promise<McpValidationResult> {
     const headers: Record<string, string> = {
       'Content-Type': 'application/json',
-      Authorization: `Bearer ${token}`,
+      Authorization: authorizationHeader,
       Accept: 'application/json, text/event-stream',
     };
 
@@ -65,7 +179,7 @@ export class McpServerValidator {
           valid: false,
           toolCount: 0,
           tools: [],
-          error: 'Invalid credentials — server returned 401/403',
+          error: INVALID_CREDENTIALS_ERROR,
         };
       }
 
@@ -150,20 +264,7 @@ export class McpServerValidator {
       );
       return { valid: true, toolCount: 0, tools: [] };
     } catch (error: unknown) {
-      const message = error instanceof Error ? error.message : String(error);
-
-      if (
-        message.includes('TimeoutError') ||
-        message.includes('AbortError') ||
-        message.includes('abort')
-      ) {
-        return {
-          valid: false,
-          toolCount: 0,
-          tools: [],
-          error: 'Connection timed out',
-        };
-      }
+      const message = getNetworkErrorMessage(url, error);
 
       this.logger.error(`MCP validation failed for ${url}: ${message}`);
       return {

workspaces/lightspeed/plugins/lightspeed-backend/src/service/mcp-server.test.ts

@@ -400,7 +400,7 @@ describe('MCP server management endpoints', () => {
       expect(response.body.error).toContain('url and token are required');
     });
 
-    it('sends Bearer prefix when validating directly against MCP server', async () => {
+    it('sends raw token first when validating directly against MCP server', async () => {
       let capturedAuth = '';
       server.use(
         http.post(MOCK_MCP_ADDR, ({ request: req }) => {
@@ -422,7 +422,7 @@ describe('MCP server management endpoints', () => {
         .post('/api/lightspeed/mcp-servers/validate')
         .send({ url: MOCK_MCP_ADDR, token: 'my-raw-token' });
 
-      expect(capturedAuth).toBe('Bearer my-raw-token');
+      expect(capturedAuth).toBe('my-raw-token');
     });
 
     it('rejects unknown URL (SSRF protection)', async () => {

workspaces/lightspeed/plugins/lightspeed/package.json

@@ -68,6 +68,7 @@
     "@patternfly/chatbot": "6.5.0",
     "@patternfly/react-core": "6.4.1",
     "@patternfly/react-icons": "^6.3.1",
+    "@patternfly/react-table": "^6.4.1",
     "@red-hat-developer-hub/backstage-plugin-lightspeed-common": "workspace:^",
     "@red-hat-developer-hub/backstage-plugin-theme": "^0.12.0",
     "@tanstack/react-query": "^5.59.15",