Support HTTP bearer authentication for mcp proxy and wrap (#4368)

rubys · web-flow · commit 498db94b9b6a · 2025-05-12T10:02:43.000-04:00
diff --git a/internal/command/mcp/proxy.go b/internal/command/mcp/proxy.go
@@ -41,6 +41,10 @@ func NewProxy() *cobra.Command {
 			Name:        "url",
 			Description: "URL of the MCP wrapper server",
 		},
+		flag.String{
+			Name:        "bearer-token",
+			Description: "Bearer token to authenticate with",
+		},
 		flag.String{
 			Name:        "user",
 			Description: "User to authenticate with",
@@ -305,7 +309,9 @@ func getFromServer(ctx context.Context, url string) error {
 	req.Header.Set("Accept", "application/json")
 
 	// Set basic authentication if user is provided
-	if flag.GetString(ctx, "user") != "" {
+	if flag.GetString(ctx, "bearer-token") != "" {
+		req.Header.Set("Authorization", "Bearer "+flag.GetString(ctx, "bearer-token"))
+	} else if flag.GetString(ctx, "user") != "" {
 		req.SetBasicAuth(flag.GetString(ctx, "user"), flag.GetString(ctx, "password"))
 	}
 
diff --git a/internal/command/mcp/wrap.go b/internal/command/mcp/wrap.go
@@ -30,6 +30,7 @@ import (
 type Server struct {
 	port     int
 	mcp      string
+	token    string
 	user     string
 	password string
 	private  bool
@@ -63,6 +64,10 @@ func NewWrap() *cobra.Command {
 			Description: "Path to the stdio MCP program to be wrapped.",
 			Shorthand:   "m",
 		},
+		flag.String{
+			Name:        "bearer-token",
+			Description: "Bearer token to authenticate with. Defaults to the value of the FLY_MCP_BEARER_TOKEN environment variable.",
+		},
 		flag.String{
 			Name:        "user",
 			Description: "User to authenticate with. Defaults to the value of the FLY_MCP_USER environment variable.",
@@ -81,10 +86,15 @@ func NewWrap() *cobra.Command {
 }
 
 func runWrap(ctx context.Context) error {
+	token, _ := os.LookupEnv("FLY_MCP_BEARER_TOKEN")
 	user, _ := os.LookupEnv("FLY_MCP_USER")
 	password, _ := os.LookupEnv("FLY_MCP_PASSWORD")
 	_, private := os.LookupEnv("FLY_MCP_PRIVATE")
 
+	if token == "" {
+		token = flag.GetString(ctx, "bearer-token")
+	}
+
 	if user == "" {
 		user = flag.GetString(ctx, "user")
 	}
@@ -96,6 +106,7 @@ func runWrap(ctx context.Context) error {
 	// Create server
 	server := &Server{
 		port:     flag.GetInt(ctx, "port"),
+		token:    token,
 		user:     user,
 		password: password,
 		private:  flag.GetBool(ctx, "private") || private,
@@ -247,7 +258,14 @@ func (s *Server) HandleHTTPRequest(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if s.user != "" {
+	if s.token != "" {
+		// Check for bearer token
+		bearerToken := r.Header.Get("Authorization")
+		if bearerToken == "" || !strings.HasPrefix(bearerToken, "Bearer ") || strings.TrimSpace(bearerToken[7:]) != s.token {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+	} else if s.user != "" {
 		// Check for basic authentication
 		user, password, ok := r.BasicAuth()
 		if !ok || user != s.user || password != s.password {
