Feat: accept per-client API key via headers in HTTP mode#46
Open
liranfarage89 wants to merge 2 commits into
Conversation
In HTTP mode the server baked a single env-var API key into one shared Env0Service, so all connected clients shared one key and one RBAC role. This prevented self-hosting the server for multiple users. Now HTTP mode builds a per-session Env0Service from the request headers: the client sends Authorization (forwarded verbatim to env0) and x-env0-organization-id, so each user acts under their own env0 key and role. Requests without Authorization are rejected with 401. stdio mode is unchanged (still per-user via env vars). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Per-request API keys must not traverse plain HTTP. Note suggested by Yariv. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Context
In HTTP mode (`MCP_TRANSPORT=http`) the server baked a single env-var API key into one shared `Env0Client`/`Env0Service` at startup and reused it across every session. So all connected clients shared one key and one RBAC role — making it impossible to self-host the server for multiple users where each acts under their own env0 role.

RBAC is enforced by env0's backend based on the API key's permissions; it isn't implemented in this repo. So forwarding each client's own key is the RBAC mechanism — no RBAC code was needed.
What changed
HTTP mode now builds a per-session `Env0Service` from the request headers:

- `Authorization: Basic base64(keyId:keySecret)` — forwarded verbatim to the env0 API.
- `x-env0-organization-id` for the org.
- Requests without `Authorization` are rejected with 401.

stdio mode is unchanged — already per-user via the client's `env` block.

Files

- `env0-client.ts` — optional `authHeader` on `Env0Config`, used verbatim with fallback to `Basic base64(id:secret)`.
- `config.ts` — `getAndValidateConfig(overrides, requireCredentials = true)`; HTTP passes `false` so the server starts without env-var keys.
- `server.ts` — `startHttpServer` takes a `(headers) => McpServer` factory; `buildSessionServer` does the auth check + per-session build; per-session `servers` map. Also removed `/sse` header logging that leaked the secret.
- `cli.ts` — wires the header→server factory for HTTP; stdio path unchanged.
- `README.md` — documents the per-client header contract.

Verification

- `tsc` + `eslint` clean.
- No `Authorization` → 401; valid header → 200 + session initialized.
- `authHeader`).
- Not yet exercised (needs live env0 keys): an actual tool call returning that key's data, and two-key cross-isolation.
🤖 Generated with Claude Code
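As an added illustration of the per-client header contract described in this PR (example code, not the PR's or the project's own), the following builds a per-session config from request headers, rejects missing or malformed `Authorization` with 401, and shows a log-safe header view of the kind the removed `/sse` logging should have used. The names `SessionConfig`, `HttpError`, `buildSessionConfig` and `redactHeaders` are assumptions, as is the 400 for a missing org header.

```typescript
// Added example, not the PR's own code: a per-session config builder for the
// header contract described above. All names here are assumptions.
type HeaderMap = Record<string, string | string[] | undefined>;
export interface SessionConfig {
  authHeader: string; // forwarded verbatim to env0, never logged
  organizationId: string;
}
export class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}
// Node lower-cases incoming header names; repeated headers may arrive as arrays.
function header(h: HeaderMap, name: string): string | undefined {
  const v = h[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

// Reject missing or malformed credentials before any per-session work happens.
export function buildSessionConfig(h: HeaderMap): SessionConfig {
  const auth = header(h, "authorization");
  if (!auth) throw new HttpError(401, "Authorization header required");
  // Only the Basic scheme is part of the contract. The credential is not decoded
  // here (env0 validates it), but its shape is checked so junk is not forwarded.
  if (!/^Basic [A-Za-z0-9+\/]+={0,2}$/.test(auth)) {
    throw new HttpError(401, "Expected 'Basic base64(keyId:keySecret)'");
  }
  const org = header(h, "x-env0-organization-id");
  if (!org) throw new HttpError(400, "x-env0-organization-id header required");
  return { authHeader: auth, organizationId: org };
}

// Log-safe view of the headers: the secret-bearing value is masked.
export function redactHeaders(h: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [k, v] of Object.entries(h)) {
    out[k] = k.toLowerCase() === "authorization" ? "[REDACTED]" : v;
  }
  return out;
}

// Constructed sample request (fake credentials: base64("keyId:keySecret")).
const sample: HeaderMap = {
  authorization: "Basic a2V5SWQ6a2V5U2VjcmV0",
  "x-env0-organization-id": "org-example",
};
console.log(buildSessionConfig(sample).organizationId, redactHeaders(sample));
```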