mirror of
https://github.com/samanhappy/mcphub.git
synced 2025-12-24 02:39:19 -05:00
339 lines
6.3 KiB
Plaintext
339 lines
6.3 KiB
Plaintext
---
|
|
title: 'Authentication & Security'
|
|
description: 'Configure authentication and security settings for MCPHub'
|
|
---
|
|
|
|
## Overview
|
|
|
|
MCPHub provides flexible authentication mechanisms to secure your MCP server management platform. The system supports multiple authentication methods and role-based access control.
|
|
|
|
## Authentication Methods
|
|
|
|
### Environment-based Authentication
|
|
|
|
Configure basic authentication using environment variables:
|
|
|
|
```bash
|
|
# Basic auth credentials
|
|
AUTH_USERNAME=admin
|
|
AUTH_PASSWORD=your-secure-password
|
|
|
|
# JWT settings
|
|
JWT_SECRET=your-jwt-secret-key
|
|
JWT_EXPIRES_IN=24h
|
|
```
|
|
|
|
### Database Authentication
|
|
|
|
For production deployments, enable database-backed user management:
|
|
|
|
```json
|
|
{
|
|
"auth": {
|
|
"provider": "database",
|
|
"database": {
|
|
"url": "postgresql://user:pass@localhost:5432/mcphub",
|
|
"userTable": "users"
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
## User Management
|
|
|
|
### Creating Users
|
|
|
|
Create users via the admin interface or API:
|
|
|
|
```bash
|
|
# Via API
|
|
curl -X POST http://localhost:3000/api/auth/users \
|
|
-H "Content-Type: application/json" \
|
|
-H "Authorization: Bearer $ADMIN_TOKEN" \
|
|
-d '{
|
|
"username": "newuser",
|
|
"email": "user@example.com",
|
|
"password": "securepassword",
|
|
"role": "user"
|
|
}'
|
|
```
|
|
|
|
### User Roles
|
|
|
|
MCPHub supports role-based access control:
|
|
|
|
- **Admin**: Full system access, user management, server configuration
|
|
- **Manager**: Server management, group management, monitoring
|
|
- **User**: Basic server access within assigned groups
|
|
- **Viewer**: Read-only access to assigned resources
|
|
|
|
## Group-based Access Control
|
|
|
|
### Assigning Users to Groups
|
|
|
|
```bash
|
|
# Add user to group
|
|
curl -X POST http://localhost:3000/api/groups/{groupId}/users \
|
|
-H "Authorization: Bearer $TOKEN" \
|
|
-d '{"userId": "user123"}'
|
|
```
|
|
|
|
### Group Permissions
|
|
|
|
Configure group-level permissions:
|
|
|
|
```json
|
|
{
|
|
"groupId": "dev-team",
|
|
"permissions": {
|
|
"servers": ["read", "write", "execute"],
|
|
"tools": ["read", "execute"],
|
|
"logs": ["read"],
|
|
"config": ["read"]
|
|
}
|
|
}
|
|
```
|
|
|
|
## API Authentication
|
|
|
|
### JWT Token Authentication
|
|
|
|
```javascript
|
|
// Login to get token
|
|
const response = await fetch('/api/auth/login', {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({
|
|
username: 'your-username',
|
|
password: 'your-password',
|
|
}),
|
|
});
|
|
|
|
const { token } = await response.json();
|
|
|
|
// Use token for authenticated requests
|
|
const serversResponse = await fetch('/api/servers', {
|
|
headers: { Authorization: `Bearer ${token}` },
|
|
});
|
|
```
|
|
|
|
### API Key Authentication
|
|
|
|
For service-to-service communication:
|
|
|
|
```bash
|
|
# Generate API key
|
|
curl -X POST http://localhost:3000/api/auth/api-keys \
|
|
-H "Authorization: Bearer $ADMIN_TOKEN" \
|
|
-d '{
|
|
"name": "my-service",
|
|
"permissions": ["servers:read", "tools:execute"]
|
|
}'
|
|
|
|
# Use API key
|
|
curl -H "X-API-Key: your-api-key" \
|
|
http://localhost:3000/api/servers
|
|
```
|
|
|
|
## Security Configuration
|
|
|
|
### HTTPS Setup
|
|
|
|
Configure HTTPS for production:
|
|
|
|
```yaml
|
|
# docker-compose.yml
|
|
services:
|
|
mcphub:
|
|
environment:
|
|
- HTTPS_ENABLED=true
|
|
- SSL_CERT_PATH=/certs/cert.pem
|
|
- SSL_KEY_PATH=/certs/key.pem
|
|
volumes:
|
|
- ./certs:/certs:ro
|
|
```
|
|
|
|
### CORS Configuration
|
|
|
|
Configure CORS for web applications:
|
|
|
|
```json
|
|
{
|
|
"cors": {
|
|
"origin": ["https://your-frontend.com"],
|
|
"credentials": true,
|
|
"methods": ["GET", "POST", "PUT", "DELETE"]
|
|
}
|
|
}
|
|
```
|
|
|
|
### Rate Limiting
|
|
|
|
Protect against abuse with rate limiting:
|
|
|
|
```json
|
|
{
|
|
"rateLimit": {
|
|
"windowMs": 900000,
|
|
"max": 100,
|
|
"message": "Too many requests from this IP"
|
|
}
|
|
}
|
|
```
|
|
|
|
## Session Management
|
|
|
|
### Session Configuration
|
|
|
|
```json
|
|
{
|
|
"session": {
|
|
"secret": "your-session-secret",
|
|
"cookie": {
|
|
"secure": true,
|
|
"httpOnly": true,
|
|
"maxAge": 86400000
|
|
},
|
|
"store": "redis",
|
|
"redis": {
|
|
"host": "localhost",
|
|
"port": 6379
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
### Logout and Session Cleanup
|
|
|
|
```javascript
|
|
// Logout endpoint
|
|
app.post('/api/auth/logout', (req, res) => {
|
|
req.session.destroy();
|
|
res.json({ message: 'Logged out successfully' });
|
|
});
|
|
```
|
|
|
|
## Security Best Practices
|
|
|
|
### Password Security
|
|
|
|
- Use strong password requirements
|
|
- Implement password hashing with bcrypt
|
|
- Support password reset functionality
|
|
- Enable two-factor authentication (2FA)
|
|
|
|
### Token Security
|
|
|
|
- Use secure JWT secrets
|
|
- Implement token rotation
|
|
- Set appropriate expiration times
|
|
- Store tokens securely in httpOnly cookies
|
|
|
|
### Network Security
|
|
|
|
- Use HTTPS in production
|
|
- Implement proper CORS policies
|
|
- Enable request validation
|
|
- Use security headers (helmet.js)
|
|
|
|
### Monitoring Security Events
|
|
|
|
```javascript
|
|
// Log security events
|
|
const auditLog = {
|
|
event: 'login_attempt',
|
|
user: username,
|
|
ip: req.ip,
|
|
userAgent: req.headers['user-agent'],
|
|
success: true,
|
|
timestamp: new Date(),
|
|
};
|
|
```
|
|
|
|
## Troubleshooting
|
|
|
|
### Common Authentication Issues
|
|
|
|
**Invalid Credentials**
|
|
|
|
```bash
|
|
# Check user exists and password is correct
|
|
curl -X POST http://localhost:3000/api/auth/verify \
|
|
-d '{"username": "user", "password": "pass"}'
|
|
```
|
|
|
|
**Token Expiration**
|
|
|
|
```javascript
|
|
// Handle token refresh
|
|
if (response.status === 401) {
|
|
const newToken = await refreshToken();
|
|
// Retry request with new token
|
|
}
|
|
```
|
|
|
|
**Permission Denied**
|
|
|
|
```bash
|
|
# Check user permissions
|
|
curl -H "Authorization: Bearer $TOKEN" \
|
|
http://localhost:3000/api/auth/permissions
|
|
```
|
|
|
|
### Debug Authentication
|
|
|
|
Enable authentication debugging:
|
|
|
|
```bash
|
|
DEBUG=mcphub:auth npm start
|
|
```
|
|
|
|
## Integration Examples
|
|
|
|
### Frontend Integration
|
|
|
|
```javascript
|
|
// React authentication hook
|
|
const useAuth = () => {
|
|
const [user, setUser] = useState(null);
|
|
|
|
const login = async (credentials) => {
|
|
const response = await fetch('/api/auth/login', {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify(credentials),
|
|
});
|
|
|
|
if (response.ok) {
|
|
const userData = await response.json();
|
|
setUser(userData.user);
|
|
return true;
|
|
}
|
|
return false;
|
|
};
|
|
|
|
return { user, login };
|
|
};
|
|
```
|
|
|
|
### Middleware Integration
|
|
|
|
```javascript
|
|
// Express middleware
|
|
const authMiddleware = (req, res, next) => {
|
|
const token = req.headers.authorization?.split(' ')[1];
|
|
|
|
if (!token) {
|
|
return res.status(401).json({ error: 'No token provided' });
|
|
}
|
|
|
|
try {
|
|
const decoded = jwt.verify(token, process.env.JWT_SECRET);
|
|
req.user = decoded;
|
|
next();
|
|
} catch (error) {
|
|
res.status(401).json({ error: 'Invalid token' });
|
|
}
|
|
};
|
|
```
|