Use a Service token for the mcp tools (#1693)

Part of OPS-3127.

Author: MarceloRGonc

packages/server/api/src/app/ai/mcp/openops-tools.ts

@@ -11,6 +11,7 @@ import fs from 'fs/promises';
 import { OpenAPI } from 'openapi-types';
 import os from 'os';
 import path from 'path';
+import { accessTokenManager } from '../../authentication/context/access-token-manager';
 import { MCPTool } from './types';
 
 const INCLUDED_PATHS: Record<string, string[]> = {
@@ -68,7 +69,7 @@ async function getOpenApiSchemaPath(app: FastifyInstance): Promise<string> {
 
 export async function getOpenOpsTools(
   app: FastifyInstance,
-  authToken: string,
+  userAuthToken: string,
 ): Promise<MCPTool> {
   const basePath = system.getOrThrow<string>(
     AppSystemProp.OPENOPS_MCP_SERVER_PATH,
@@ -79,13 +80,17 @@ export async function getOpenOpsTools(
 
   const tempSchemaPath = await getOpenApiSchemaPath(app);
 
+  const serviceToken = await accessTokenManager.generateServiceToken(
+    userAuthToken,
+  );
+
   const openopsClient = await experimental_createMCPClient({
     transport: new Experimental_StdioMCPTransport({
       command: pythonPath,
       args: [serverPath],
       env: {
         OPENAPI_SCHEMA_PATH: tempSchemaPath,
-        AUTH_TOKEN: authToken,
+        AUTH_TOKEN: serviceToken,
         API_BASE_URL: networkUtls.getInternalApiUrl(),
         OPENOPS_MCP_SERVER_PATH: basePath,
         LOGZIO_TOKEN: system.get<string>(SharedSystemProp.LOGZIO_TOKEN) ?? '',

packages/server/api/src/app/app-connection/app-connection.controller.ts

@@ -171,7 +171,7 @@ const UpsertAppConnectionRequest = {
 
 const PatchAppConnectionRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.WRITE_APP_CONNECTION,
   },
   schema: {
@@ -226,7 +226,7 @@ const DeleteAppConnectionRequest = {
 
 const GetAppConnectionRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.READ_APP_CONNECTION,
   },
   schema: {
@@ -253,7 +253,7 @@ const GetAppConnectionRequest = {
 
 const GetConnectionMetadataRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.READ_APP_CONNECTION,
   },
   schema: {

packages/server/api/src/app/authentication/context/access-token-manager.ts

@@ -81,6 +81,32 @@ export const accessTokenManager = {
     });
   },
 
+  async generateServiceToken(
+    userToken: string,
+    expiresInSeconds: number = openOpsRefreshTokenLifetimeSeconds,
+  ): Promise<string> {
+    const principal = await this.extractPrincipal(userToken);
+    if (principal.type !== PrincipalType.USER) {
+      throw new ApplicationError({
+        code: ErrorCode.INVALID_BEARER_TOKEN,
+        params: {
+          message: 'Service token can only be generated from a user token',
+        },
+      });
+    }
+
+    const secret = await jwtUtils.getJwtSecret();
+
+    return jwtUtils.sign({
+      payload: {
+        ...principal,
+        type: PrincipalType.SERVICE,
+      },
+      key: secret,
+      expiresInSeconds,
+    });
+  },
+
   async extractPrincipal(token: string): Promise<Principal> {
     const secret = await jwtUtils.getJwtSecret();
 

packages/server/api/src/app/blocks/base-block-module.ts

@@ -230,6 +230,9 @@ const ListCategoriesRequest = {
 };
 
 const OptionsBlockRequest = {
+  config: {
+    allowedPrincipals: ALL_PRINCIPAL_TYPES,
+  },
   schema: {
     operationId: 'Execute Block Properties',
     description:

packages/server/api/src/app/file/file.controller.ts

@@ -19,7 +19,7 @@ export const fileController: FastifyPluginAsyncTypebox = async (app) => {
 
 const GetFileRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
   },
   schema: {
     operationId: 'Get File',

packages/server/api/src/app/flows/flow-run/flow-run-controller.ts

@@ -190,6 +190,7 @@ const ResumeFlowRunRequest = {
 
 const RetryFlowRequest = {
   config: {
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.RETRY_RUN,
   },
   schema: {

packages/server/api/src/app/flows/flow/flow.controller.ts

@@ -381,6 +381,9 @@ const ListFlowsRequestOptions = {
 };
 
 const CountFlowsRequestOptions = {
+  config: {
+    allowedPrincipals: [PrincipalType.SERVICE, PrincipalType.USER],
+  },
   schema: {
     operationId: 'Get Flow Count',
     description:

packages/server/api/test/unit/ai/openops-tools.test.ts

@@ -16,6 +16,7 @@ const mockTools = {
 const systemMock = {
   get: jest.fn(),
   getOrThrow: jest.fn(),
+  getNumber: jest.fn(),
 };
 
 const loggerMock = {
@@ -27,8 +28,17 @@ const networkUtlsMock = {
   getInternalApiUrl: jest.fn(),
 };
 
-const createMcpClientMock = jest.fn();
+const generateServiceTokenMock = jest.fn();
+jest.mock(
+  '../../../src/app/authentication/context/access-token-manager',
+  () => ({
+    accessTokenManager: {
+      generateServiceToken: generateServiceTokenMock,
+    },
+  }),
+);
 
+const createMcpClientMock = jest.fn();
 jest.mock('ai', () => ({
   experimental_createMCPClient: createMcpClientMock,
 }));
@@ -214,6 +224,7 @@ describe('getOpenOpsTools', () => {
       tools: jest.fn().mockResolvedValue(mockTools),
     };
     createMcpClientMock.mockResolvedValue(mockClient);
+    generateServiceTokenMock.mockResolvedValue('auth-service-token');
 
     const result = await getOpenOpsTools(mockApp, 'test-auth-token');
 
@@ -229,7 +240,7 @@ describe('getOpenOpsTools', () => {
           args: [`${mockBasePath}/main.py`],
           env: expect.objectContaining({
             OPENAPI_SCHEMA_PATH: expect.any(String),
-            AUTH_TOKEN: 'test-auth-token',
+            AUTH_TOKEN: 'auth-service-token',
             API_BASE_URL: mockApiBaseUrl,
             OPENOPS_MCP_SERVER_PATH: mockBasePath,
             LOGZIO_TOKEN: 'test-logzio-token',