MCP server now proxies any Authorization headers it receives

wendorf · tuckerchapin · wendorf · commit 3425c73a94c0 · 2025-06-23T11:02:27.000-07:00
This doesn't affect stdio transport, but for streamable http servers
any number of tokens can be used in parallel.

Co-authored-by: Tucker Chapin &lt;tucker@render.com&gt;
diff --git a/cmd/server.go b/cmd/server.go
@@ -5,11 +5,13 @@ import (
 	"os"
 
 	"github.com/mark3labs/mcp-go/server"
+	"github.com/render-oss/render-mcp-server/pkg/authn"
 	"github.com/render-oss/render-mcp-server/pkg/cfg"
 	"github.com/render-oss/render-mcp-server/pkg/client"
 	"github.com/render-oss/render-mcp-server/pkg/deploy"
 	"github.com/render-oss/render-mcp-server/pkg/keyvalue"
 	"github.com/render-oss/render-mcp-server/pkg/logs"
+	"github.com/render-oss/render-mcp-server/pkg/multicontext"
 	"github.com/render-oss/render-mcp-server/pkg/owner"
 	"github.com/render-oss/render-mcp-server/pkg/postgres"
 	"github.com/render-oss/render-mcp-server/pkg/service"
@@ -48,11 +50,21 @@ func Serve(transport string) *server.MCPServer {
 			log.Print("using in-memory session store\n")
 			sessionStore = session.NewInMemoryStore()
 		}
-		if err := server.NewStreamableHTTPServer(s, server.WithHTTPContextFunc(session.ContextWithHTTPSession(sessionStore))).Start(":10000"); err != nil {
+		err := server.
+			NewStreamableHTTPServer(s, server.WithHTTPContextFunc(multicontext.MultiHTTPContextFunc(
+				session.ContextWithHTTPSession(sessionStore),
+				authn.ContextWithAPITokenFromHeader,
+			))).
+			Start(":10000")
+		if err != nil {
 			log.Fatalf("Starting Streamable server: %v\n:", err)
 		}
 	} else {
-		if err := server.ServeStdio(s, server.WithStdioContextFunc(session.ContextWithStdioSession)); err != nil {
+		err := server.ServeStdio(s, server.WithStdioContextFunc(multicontext.MultiStdioContextFunc(
+			session.ContextWithStdioSession,
+			authn.ContextWithAPITokenFromConfig,
+		)))
+		if err != nil {
 			log.Fatalf("Starting STDIO server: %v\n", err)
 		}
 	}
diff --git a/pkg/authn/authn.go b/pkg/authn/authn.go
@@ -0,0 +1,49 @@
+package authn
+
+import (
+	"context"
+	"errors"
+	"log"
+	"net/http"
+
+	"github.com/render-oss/render-mcp-server/pkg/cfg"
+)
+
+const apiTokenKey string = "token"
+
+var ErrNotAuthorized = errors.New("resource not found")
+
+func APITokenFromContext(ctx context.Context) string {
+	if token, ok := ctx.Value(apiTokenKey).(string); ok {
+		return token
+	}
+	return ""
+}
+
+func ContextWithAPIToken(ctx context.Context, token string) context.Context {
+	return context.WithValue(ctx, apiTokenKey, token)
+}
+
+func ContextWithAPITokenFromHeader(ctx context.Context, req *http.Request) context.Context {
+	token := req.Header.Get("Authorization")
+
+	if token == "" {
+		return ctx
+	}
+
+	// Note: we strip the "Bearer " prefix if it exists
+	// MCP Inspector attaches this prefix automatically, but it's unclear how standard this is
+	if len(token) > 7 && token[:7] == "Bearer " {
+		token = token[7:]
+	}
+
+	return ContextWithAPIToken(ctx, token)
+}
+
+func ContextWithAPITokenFromConfig(ctx context.Context) context.Context {
+	token := cfg.GetAPIKey()
+	if token == "" {
+		log.Fatal("Error getting API token from config")
+	}
+	return ContextWithAPIToken(ctx, token)
+}
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"reflect"
 
+	"github.com/render-oss/render-mcp-server/pkg/authn"
 	"github.com/render-oss/render-mcp-server/pkg/cfg"
 	"github.com/render-oss/render-mcp-server/pkg/config"
 )
@@ -92,7 +93,7 @@ func firstNonNilErrorField(response any) *ErrorWithCode {
 
 func clientWithAuth(httpClient *http.Client, apiCfg config.APIConfig) (*ClientWithResponses, error) {
 	insertAuth := func(ctx context.Context, req *http.Request) error {
-		req.Header = AddHeaders(req.Header, apiCfg.Key)
+		req.Header = AddHeaders(req.Header, authn.APITokenFromContext(ctx))
 		return nil
 	}
 
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -29,7 +29,6 @@ type Config struct {
 }
 
 type APIConfig struct {
-	Key          string `yaml:"key,omitempty"`
 	ExpiresAt    int64  `yaml:"expires_at,omitempty"`
 	Host         string `json:"host,omitempty"`
 	RefreshToken string `json:"refresh_token,omitempty"`
@@ -61,18 +60,9 @@ func init() {
 
 func DefaultAPIConfig() (APIConfig, error) {
 	apiCfg := APIConfig{
-		Key:  cfg.GetAPIKey(),
 		Host: cfg.GetHost(),
 	}
 
-	var err error
-	if apiCfg.Key == "" {
-		apiCfg, err = getAPIConfig()
-		if err != nil || apiCfg.Key == "" {
-			return APIConfig{}, ErrLogin
-		}
-	}
-
 	if apiCfg.Host == "" {
 		apiCfg.Host = cfg.GetHost()
 	}
@@ -159,7 +149,6 @@ func SetAPIConfig(input APIConfig) error {
 	}
 
 	cfg.Host = input.Host
-	cfg.Key = input.Key
 	cfg.ExpiresAt = input.ExpiresAt
 	cfg.RefreshToken = input.RefreshToken
 	return cfg.Persist()
diff --git a/pkg/multicontext/multicontext.go b/pkg/multicontext/multicontext.go
@@ -0,0 +1,26 @@
+package multicontext
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/mark3labs/mcp-go/server"
+)
+
+func MultiHTTPContextFunc(fns ...server.HTTPContextFunc) server.HTTPContextFunc {
+	return func(ctx context.Context, r *http.Request) context.Context {
+		for _, fn := range fns {
+			ctx = fn(ctx, r)
+		}
+		return ctx
+	}
+}
+
+func MultiStdioContextFunc(fns ...server.StdioContextFunc) server.StdioContextFunc {
+	return func(ctx context.Context) context.Context {
+		for _, fn := range fns {
+			ctx = fn(ctx)
+		}
+		return ctx
+	}
+}
diff --git a/render.yaml b/render.yaml
@@ -6,8 +6,6 @@ services:
   buildCommand: go build -tags netgo -ldflags '-s -w' -o app
   startCommand: ./app --transport http
   envVars:
-  - key: RENDER_API_KEY
-    sync: false
   - key: REDIS_URL
     fromService:
       name: mcp-kv

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"net/http"`
`9`	`9`	`"reflect"`
`10`	`10`
	`11`	`+ "github.com/render-oss/render-mcp-server/pkg/authn"`
`11`	`12`	`"github.com/render-oss/render-mcp-server/pkg/cfg"`
`12`	`13`	`"github.com/render-oss/render-mcp-server/pkg/config"`
`13`	`14`	`)`
`@@ -92,7 +93,7 @@ func firstNonNilErrorField(response any) *ErrorWithCode {`
`92`	`93`
`93`	`94`	`func clientWithAuth(httpClient http.Client, apiCfg config.APIConfig) (ClientWithResponses, error) {`
`94`	`95`	`insertAuth := func(ctx context.Context, req *http.Request) error {`
`95`		`- req.Header = AddHeaders(req.Header, apiCfg.Key)`
	`96`	`+ req.Header = AddHeaders(req.Header, authn.APITokenFromContext(ctx))`
`96`	`97`	`return nil`
`97`	`98`	`}`
`98`	`99`