Security hardening: MCP server auth + client URL validation#540
Draft
Security hardening: MCP server auth + client URL validation#540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses security scan findings #14 (MCP server mounted without auth) and #15 (MCP client accepts arbitrary URLs). TypeScript half of a 3-SDK PR set (PY + C# are separate PRs on the same branch name).
#14 — MCP server auth
New opt-in
requireAuthhook onMcpPluginOptions:```ts
new McpPlugin({
requireAuth: (req) => req.headers.authorization === 'Bearer ...'
})
```
Hook is called once per inbound MCP request;
false/throw returns 401 and short-circuits. When unset, all requests are accepted and a one-time startup warning fires when the SSE transport comes up. Path-filtered to/mcponly; the activity route (/api/messages) and other plugins are unaffected.#15 — MCP client SSRF
New
url-validation.tsgate, wired intomakeMcpClientbefore transport build. Two new fields onMcpClientPluginParams:allowPrivateNetwork?: boolean(defaultfalse) — block RFC1918, loopback, link-local, IPv6 unique-local whenfalsevalidateUrl?: (url: URL) => boolean | Promise<boolean>— when set, fully replaces the default scheme + host-network checksDefault policy: scheme ∈ {
http,https}; if notallowPrivateNetwork, DNS resolve and reject private addresses. IP literals short-circuit DNS.Behavior change to be aware of
MCP client calls that previously pointed at localhost / on-prem MCP servers will now fail with
UrlValidationErrorunlessallowPrivateNetwork: trueis set on the call's params. Set the flag for intentional on-prem deployments.Design docs
design/mcp-server-auth-options.mddesign/mcp-client-ssrf-options.mdE2E verified
/mcpreturns 401 without auth, SSE handshake on correct bearerREQUIRE_AUTH=1active simultaneouslyrequireAuthis unset; silent when setNote on DNS rebinding
Default private-network filter rejects at registration time but does not prevent DNS rebinding (a public hostname that resolves to a private IP at connection time). Known residual risk; call out if follow-up work is wanted.