feat: support api key

gboston · gboston · commit bc48c93c050a · 2025-03-04T21:23:45.000+01:00
diff --git a/README.md b/README.md
@@ -123,6 +123,26 @@ If you want to use the tools inside of [claude desktop](https://claude.ai/downlo
 
 To add new MCP servers, edit the config.json file.
 
+### API Key Authentication
+
+MCP-Bridge supports API key authentication to secure your server. To enable this feature, add an `api_key` field to your config.json file:
+
+```json
+{
+    "api_key": "your-secure-api-key-here"
+}
+```
+
+When making requests to the MCP-Bridge server, include the API key in the Authorization header as a Bearer token:
+
+```
+Authorization: Bearer your-secure-api-key-here
+```
+
+If the `api_key` field is empty or not present in the configuration, authentication will be skipped, allowing backward compatibility.
+
+### Full Configuration Example
+
 an example config.json file with most of the options explicitly set:
 
 ```json
@@ -162,7 +182,8 @@ an example config.json file with most of the options explicitly set:
     },
     "logging": {
         "log_level": "DEBUG"
-    }
+    },
+    "api_key": "your-secure-api-key-here"
 }
 ```
 
@@ -172,6 +193,7 @@ an example config.json file with most of the options explicitly set:
 | mcp_servers      | The MCP servers configuration      |
 | network          | uvicorn network configuration      |
 | logging          | The logging configuration          |
+| api_key          | API key for server authentication  |
 
 ## Support
 
diff --git a/mcp_bridge/auth.py b/mcp_bridge/auth.py
@@ -0,0 +1,35 @@
+from fastapi import Depends, HTTPException, Security, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from mcp_bridge.config import config
+
+security = HTTPBearer(auto_error=False)
+
+async def get_api_key(credentials: HTTPAuthorizationCredentials = Security(security)):
+    """
+    Validate the API key provided in the Authorization header.
+    
+    If no API key is configured in the server settings, authentication is skipped.
+    If an API key is configured, the request must include a matching API key.
+    
+    The API key should be provided in the Authorization header as:
+    Authorization: Bearer your-api-key-here
+    """
+    # If no API key is configured, skip authentication
+    if not config.api_key:
+        return True
+    
+    # If API key is configured but not provided in the request
+    if not credentials:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="API key is required in Authorization header (Bearer token)",
+        )
+    
+    # If API key is provided but doesn't match
+    if credentials.credentials != config.api_key:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid API key",
+        )
+    
+    return True 
diff --git a/mcp_bridge/config/final.py b/mcp_bridge/config/final.py
@@ -73,6 +73,11 @@ class Settings(BaseSettings):
         default_factory=lambda: Network.model_construct(),
         description="network config",
     )
+    
+    api_key: str = Field(
+        default="",
+        description="API key for authenticating requests to the MCP Bridge server"
+    )
 
     model_config = SettingsConfigDict(
         env_prefix="MCP_BRIDGE__",
diff --git a/mcp_bridge/endpoints.py b/mcp_bridge/endpoints.py
@@ -1,4 +1,4 @@
-from fastapi import APIRouter
+from fastapi import APIRouter, Depends
 
 from lmos_openai_types import CreateChatCompletionRequest, CreateCompletionRequest
 
@@ -10,8 +10,9 @@
 )
 
 from mcp_bridge.openapi_tags import Tag
+from mcp_bridge.auth import get_api_key
 
-router = APIRouter(prefix="/v1", tags=[Tag.openai])
+router = APIRouter(prefix="/v1", tags=[Tag.openai], dependencies=[Depends(get_api_key)])
 
 
 @router.post("/completions")
diff --git a/mcp_bridge/mcpManagement/router.py b/mcp_bridge/mcpManagement/router.py
@@ -1,12 +1,13 @@
-from fastapi import APIRouter
+from fastapi import APIRouter, Depends
 from mcp_bridge.openapi_tags import Tag
+from mcp_bridge.auth import get_api_key
 
 from .tools import router as tools_router
 from .prompts import router as prompts_router
 from .resources import router as resources_router
 from .server import router as server_router
 
-router = APIRouter(prefix="/mcp", tags=[Tag.mcp_management])
+router = APIRouter(prefix="/mcp", tags=[Tag.mcp_management], dependencies=[Depends(get_api_key)])
 
 router.include_router(tools_router)
 router.include_router(prompts_router)
diff --git a/mcp_bridge/mcp_server/__init__.py b/mcp_bridge/mcp_server/__init__.py
@@ -1,8 +1,9 @@
-from fastapi import APIRouter
+from fastapi import APIRouter, Depends
 from .sse import router as sse_router
 from mcp_bridge.openapi_tags import Tag
+from mcp_bridge.auth import get_api_key
 
 __all__ = ["router"]
 
-router = APIRouter(prefix="/mcp-server", tags=[Tag.mcp_server])
+router = APIRouter(prefix="/mcp-server", tags=[Tag.mcp_server], dependencies=[Depends(get_api_key)])
 router.include_router(sse_router)
diff --git a/uv.lock b/uv.lock
