feat(mcp): add header auth

Author: taltultc

README.md

@@ -2,7 +2,6 @@
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) ![NPM Version](https://img.shields.io/npm/v/%40doitintl%2Fdoit-mcp-server?registry_uri=https%3A%2F%2Fregistry.npmjs.com%2F%40doitintl%2Fdoit-mcp-server)
 
-
 DoiT MCP Server provides access to the DoiT API. This server enables LLMs like Claude to access DoiT platform data for troubleshooting and analysis.
 
 ![top-services](https://github.com/user-attachments/assets/749dd237-3021-439d-b447-64605393389d)
@@ -11,14 +10,32 @@ DoiT MCP Server provides access to the DoiT API. This server enables LLMs like C
 
 - Node.js v18 or higher
 - DoiT API key with appropriate permissions
-- Customer context identifier (for customer-specific data)
 
 ## Installation
 
 To get your DoiT API key, visit the [API key section in your DoiT profile](https://help.doit.com/docs/general/profile#api-key).
 
 There are several ways to install and configure the MCP server:
 
+### DoiT MCP URL
+
+The DoiT MCP server is available at: https://mcp.doit.com/sse
+
+### Claude Desktop App
+
+```json
+{
+  "mcpServers": {
+    "doit_mcp_server": {
+      "command": "npx",
+      "args": ["mcp-remote", "https://mcp.doit.com/sse"]
+    }
+  }
+}
+```
+
+## STDIO - local server
+
 ### Claude Desktop App
 
 To manually configure the MCP server for Claude Desktop App, add the following to your `claude_desktop_config.json` file or through "Settings" as described [here](https://modelcontextprotocol.io/quickstart/user#2-add-the-filesystem-mcp-server):

doit-mcp-server/src/index.ts

@@ -71,6 +71,7 @@ export class ContextStorage extends DurableObject {
       customerContext,
       this.ctx.id.toString().slice(-6)
     );
+
     await this.ctx.storage.put("customerContext", customerContext);
   }
 
@@ -140,7 +141,9 @@ export class DoitMCPAgent extends McpAgent {
   private createToolCallback(toolName: string) {
     return async (args: any) => {
       const token = this.getToken();
-      const customerContext = await this.loadPersistedProps();
+      const persistedCustomerContext = await this.loadPersistedProps();
+      const customerContext =
+        persistedCustomerContext || (this.props.customerContext as string);
 
       const argsWithCustomerContext = {
         ...args,
@@ -271,13 +274,88 @@ async function handleMcpRequest(req: Request, env: Env, ctx: ExecutionContext) {
   return new Response("Not found", { status: 404 });
 }
 
-// Export the OAuth handler as the default
-export default new OAuthProvider({
+// Helper function to extract token from Authorization header
+function extractTokenFromAuthHeader(authHeader: string): string | null {
+  if (!authHeader) return null;
+
+  // Support both "Bearer <token>" and just "<token>" formats
+  const bearerMatch = authHeader.match(/^Bearer\s+(.+)$/i);
+  if (bearerMatch) {
+    return bearerMatch[1];
+  }
+
+  // If no Bearer prefix, assume the whole header is the token
+  return authHeader;
+}
+
+// Create the OAuth provider instance
+const oauthProvider = new OAuthProvider({
   apiHandler: { fetch: handleMcpRequest as any },
   apiRoute: ["/sse", "/mcp"],
   // @ts-expect-error
   defaultHandler: app,
   authorizeEndpoint: "/authorize",
   tokenEndpoint: "/token",
   clientRegistrationEndpoint: "/register",
+  accessTokenTTL: 1000 * 60 * 60 * 24 * 24, // 24 days (2,073,600,000 - within 32-bit range)
+  tokenExchangeCallback: async ({ grantType, props }) => {
+    console.log("tokenExchangeCallback", grantType, props);
+    if (grantType === "refresh_token" || grantType === "authorization_code") {
+      return {
+        newProps: {
+          ...props,
+          customerContext: props.customerContext,
+          apiKey: props.apiKey,
+          isDoitUser: props.isDoitUser,
+        },
+      };
+    }
+  },
 });
+
+// Main request handler that checks for Authorization header
+async function handleRequest(
+  req: Request,
+  env: Env,
+  ctx: ExecutionContext
+): Promise<Response> {
+  const url = new URL(req.url);
+  const authHeader = req.headers.get("Authorization");
+
+  // Check if this is an API route and has Authorization header
+  if (
+    (url.pathname === "/sse" ||
+      url.pathname === "/sse/message" ||
+      url.pathname === "/mcp") &&
+    authHeader
+  ) {
+    const token = extractTokenFromAuthHeader(authHeader);
+    const customerContext = url.searchParams.get("customerContext") || "";
+
+    if (token && customerContext) {
+      console.log("Using Authorization header for authentication");
+
+      ctx.props = {
+        ...ctx.props,
+        apiKey: token,
+        customerContext: customerContext,
+      };
+
+      // Handle the request directly with the modified request
+      if (url.pathname === "/sse" || url.pathname === "/sse/message") {
+        return DoitMCPAgent.serveSSE("/sse").fetch(req, env, ctx);
+      }
+      if (url.pathname === "/mcp") {
+        return DoitMCPAgent.serve("/mcp").fetch(req, env, ctx);
+      }
+    }
+  }
+
+  // If no Authorization header or not an API route, use the OAuth provider
+  return oauthProvider.fetch(req, env, ctx);
+}
+
+// Export the main handler as the default
+export default {
+  fetch: handleRequest,
+};

doit-mcp-server/src/utils.ts

@@ -261,11 +261,16 @@ export const renderApproveContent = async (
       <a
         href="${redirectUrl}"
         class="inline-block py-2 px-4 bg-primary text-white rounded-md font-medium hover:bg-primary/90 transition-colors"
+        id="return-home-link"
+        style="display: none;"
       >
         Return to Home
       </a>
       ${raw(`
 				<script>
+					setTimeout(() => {
+						document.getElementById('return-home-link').style.display = 'inline-block';
+					}, 1400);
 					setTimeout(() => {
 						window.location.href = "${redirectUrl}";
 					}, 2000);