chore: add allowRequestOverrides

gagik · gagik · commit 82f38d0f0f04 · 2025-11-24T17:06:39.000+01:00
diff --git a/src/common/config/configOverrides.ts b/src/common/config/configOverrides.ts
@@ -25,6 +25,11 @@ export function applyConfigOverrides({
         return baseConfig;
     }
 
+    // Only apply overrides if allowRequestOverrides is enabled
+    if (!baseConfig.allowRequestOverrides) {
+        return baseConfig;
+    }
+
     const result: UserConfig = { ...baseConfig };
     const overridesFromHeaders = extractConfigOverrides("header", request.headers);
     const overridesFromQuery = extractConfigOverrides("query", request.query);
diff --git a/src/common/config/userConfig.ts b/src/common/config/userConfig.ts
@@ -207,4 +207,11 @@ export const UserConfigSchema = z4.object({
         .default([])
         .describe("An array of preview features that are enabled.")
         .register(configRegistry, { overrideBehavior: "merge" }),
+    allowRequestOverrides: z4
+        .preprocess(parseBoolean, z4.boolean())
+        .default(false)
+        .describe(
+            "When set to true, allows configuration values to be overridden via request headers and query parameters."
+        )
+        .register(configRegistry, { overrideBehavior: "not-allowed" }),
 });
diff --git a/tests/integration/transports/configOverrides.test.ts b/tests/integration/transports/configOverrides.test.ts
@@ -48,11 +48,34 @@ describe("Config Overrides via HTTP", () => {
     });
 
     describe("override behavior", () => {
+        it("should not apply overrides when allowRequestOverrides is false", async () => {
+            await startRunner({
+                ...defaultTestConfig,
+                httpPort: 0,
+                readOnly: false,
+                allowRequestOverrides: false,
+            });
+
+            await connectClient({
+                ["x-mongodb-mcp-read-only"]: "true",
+            });
+
+            const response = await client.listTools();
+
+            expect(response).toBeDefined();
+            expect(response.tools).toBeDefined();
+
+            // Verify read-only mode is NOT applied - insert-many should still be available
+            const writeTools = response.tools.filter((tool) => tool.name === "insert-many");
+            expect(writeTools.length).toBe(1);
+        });
+
         it("should override readOnly config via header (false to true)", async () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
                 readOnly: false,
+                allowRequestOverrides: true,
             });
 
             await connectClient({
@@ -78,6 +101,7 @@ describe("Config Overrides via HTTP", () => {
                 ...defaultTestConfig,
                 httpPort: 0,
                 connectionString: undefined,
+                allowRequestOverrides: true,
             });
 
             await connectClient({
@@ -96,6 +120,7 @@ describe("Config Overrides via HTTP", () => {
                 ...defaultTestConfig,
                 httpPort: 0,
                 disabledTools: ["insert-many"],
+                allowRequestOverrides: true,
             });
 
             await connectClient({
@@ -158,6 +183,7 @@ describe("Config Overrides via HTTP", () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
+                allowRequestOverrides: true,
             });
 
             try {
@@ -178,6 +204,7 @@ describe("Config Overrides via HTTP", () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
+                allowRequestOverrides: true,
             });
 
             try {
@@ -208,6 +235,7 @@ describe("Config Overrides via HTTP", () => {
                 ...defaultTestConfig,
                 httpPort: 0,
                 readOnly: false,
+                allowRequestOverrides: true,
             });
 
             // Note: SDK doesn't support query params directly, so this test verifies the mechanism exists
@@ -230,6 +258,7 @@ describe("Config Overrides via HTTP", () => {
                 ...defaultTestConfig,
                 httpPort: 0,
                 readOnly: false,
+                allowRequestOverrides: true,
             };
 
             // createSessionConfig receives the config after header overrides are applied
@@ -274,6 +303,7 @@ describe("Config Overrides via HTTP", () => {
             const userConfig = {
                 ...defaultTestConfig,
                 httpPort: 0,
+                allowRequestOverrides: true,
             };
 
             let capturedRequest: RequestContext | undefined;
@@ -308,6 +338,7 @@ describe("Config Overrides via HTTP", () => {
                 ...defaultTestConfig,
                 httpPort: 0,
                 readOnly: false,
+                allowRequestOverrides: true,
             });
 
             await connectClient({
@@ -332,6 +363,7 @@ describe("Config Overrides via HTTP", () => {
                 ...defaultTestConfig,
                 httpPort: 0,
                 readOnly: true,
+                allowRequestOverrides: true,
             });
 
             try {
@@ -360,6 +392,7 @@ describe("Config Overrides via HTTP", () => {
                 indexCheck: false,
                 idleTimeoutMs: 600_000,
                 disabledTools: ["tool1"],
+                allowRequestOverrides: true,
             });
 
             await connectClient({
diff --git a/tests/tsconfig.json b/tests/tsconfig.json
diff --git a/tests/unit/common/config/configOverrides.test.ts b/tests/unit/common/config/configOverrides.test.ts
@@ -20,6 +20,7 @@ describe("configOverrides", () => {
         exportTimeoutMs: 300_000,
         exportCleanupIntervalMs: 120_000,
         atlasTemporaryDatabaseUserLifetimeMs: 14_400_000,
+        allowRequestOverrides: true,
     };
 
     describe("helper functions", () => {
@@ -67,6 +68,51 @@ describe("configOverrides", () => {
             expect(result).toEqual(baseConfig);
         });
 
+        describe("allowRequestOverrides", () => {
+            it("should not apply overrides when allowRequestOverrides is false", () => {
+                const request: RequestContext = {
+                    headers: {
+                        "x-mongodb-mcp-read-only": "true",
+                        "x-mongodb-mcp-idle-timeout-ms": "300000",
+                    },
+                };
+                const configWithOverridesDisabled = {
+                    ...baseConfig,
+                    allowRequestOverrides: false,
+                } as UserConfig;
+                const result = applyConfigOverrides({ baseConfig: configWithOverridesDisabled, request });
+                // Config should remain unchanged
+                expect(result.readOnly).toBe(false);
+                expect(result.idleTimeoutMs).toBe(600_000);
+            });
+
+            it("should apply overrides when allowRequestOverrides is true", () => {
+                const request: RequestContext = {
+                    headers: {
+                        "x-mongodb-mcp-read-only": "true",
+                        "x-mongodb-mcp-idle-timeout-ms": "300000",
+                    },
+                };
+                const result = applyConfigOverrides({ baseConfig: baseConfig as UserConfig, request });
+                // Config should be overridden
+                expect(result.readOnly).toBe(true);
+                expect(result.idleTimeoutMs).toBe(300000);
+            });
+
+            it("should not apply overrides by default when allowRequestOverrides is not set", () => {
+                const request: RequestContext = {
+                    headers: {
+                        "x-mongodb-mcp-read-only": "true",
+                    },
+                };
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                const { allowRequestOverrides, ...configWithoutOverridesFlag } = baseConfig;
+                const result = applyConfigOverrides({ baseConfig: configWithoutOverridesFlag as UserConfig, request });
+                // Should not apply overrides since the default is false
+                expect(result.readOnly).toBe(false);
+            });
+        });
+
         describe("override behavior", () => {
             it("should override boolean values with override behavior", () => {
                 const request: RequestContext = {
@@ -162,6 +208,7 @@ describe("configOverrides", () => {
                     "maxDocumentsPerQuery",
                     "exportsPath",
                     "voyageApiKey",
+                    "allowRequestOverrides",
                 ]);
             });
 
