Add support for disabling API key validation when api_key is set to None

openhands-agent · openhands-agent · commit a719bef3bce5 · 2025-04-22T22:20:59.000Z
diff --git a/README.md b/README.md
@@ -180,6 +180,9 @@ router_config = {
 }
 router = MCPRouter(api_key="your-custom-api-key", router_config=router_config)
 
+# Disable API key validation by setting api_key to None
+router = MCPRouter(api_key=None)
+
 # Optionally, create a global config from the router's configuration
 router.create_global_config()
 ```
diff --git a/src/mcpm/router/router.py b/src/mcpm/router/router.py
@@ -53,6 +53,9 @@ class MCPRouter:
         }
         router = MCPRouter(api_key="your-api-key", router_config=router_config)
         
+        # Disable API key validation by setting api_key to None
+        router = MCPRouter(api_key=None)
+        
         # Create a global config from the router's configuration
         router.create_global_config()
         ```
@@ -73,7 +76,7 @@ def __init__(
         :param profile_path: Path to the profile file
         :param strict: Whether to use strict mode for duplicated tool name.
                        If True, raise error when duplicated tool name is found else auto resolve by adding server name prefix
-        :param api_key: Optional API key to use for authentication
+        :param api_key: Optional API key to use for authentication. Set to None to disable API key validation.
         :param router_config: Optional router configuration to use instead of the global config
         """
         self.server_sessions: t.Dict[str, ServerConnection] = {}
diff --git a/src/mcpm/router/transport.py b/src/mcpm/router/transport.py
@@ -239,6 +239,11 @@ async def handle_post_message(self, scope: Scope, receive: Receive, send: Send):
                 self._session_id_to_identifier.pop(session_id, None)
 
     def _validate_api_key(self, scope: Scope, api_key: str | None) -> bool:
+        # If api_key is explicitly set to None, disable API key validation
+        if self.api_key is None:
+            logger.debug("API key validation disabled")
+            return True
+            
         # If we have a directly provided API key and it matches the request's API key, return True
         if self.api_key is not None and api_key == self.api_key:
             return True
diff --git a/tests/router/__init__.py b/tests/router/__init__.py
diff --git a/tests/router/test_api_key_disabled.py b/tests/router/test_api_key_disabled.py
@@ -0,0 +1,47 @@
+import unittest
+from unittest.mock import MagicMock, patch
+
+from mcpm.router.transport import RouterSseTransport
+
+
+class TestApiKeyDisabled(unittest.TestCase):
+    """Test that API key validation is disabled when api_key is set to None."""
+
+    def test_api_key_disabled(self):
+        """Test that API key validation is disabled when api_key is set to None."""
+        # Create a transport with api_key=None
+        transport = RouterSseTransport("/messages/", api_key=None)
+        
+        # Mock the scope
+        scope = MagicMock()
+        
+        # Test that _validate_api_key returns True regardless of the api_key parameter
+        self.assertTrue(transport._validate_api_key(scope, api_key=None))
+        self.assertTrue(transport._validate_api_key(scope, api_key="some-key"))
+        self.assertTrue(transport._validate_api_key(scope, api_key="invalid-key"))
+
+    def test_api_key_enabled(self):
+        """Test that API key validation works when api_key is set."""
+        # Create a transport with a specific api_key
+        transport = RouterSseTransport("/messages/", api_key="test-key")
+        
+        # Mock the scope
+        scope = MagicMock()
+        
+        # Test that _validate_api_key returns True only for the matching key
+        self.assertTrue(transport._validate_api_key(scope, api_key="test-key"))
+        self.assertFalse(transport._validate_api_key(scope, api_key="wrong-key"))
+        
+        # When using the default validation logic, we need to mock the ConfigManager
+        with patch("mcpm.router.transport.ConfigManager") as mock_config_manager:
+            # Set up the mock to make the default validation logic fail
+            mock_instance = mock_config_manager.return_value
+            mock_instance.read_share_config.return_value = {"url": "http://example.com", "api_key": "share-key"}
+            mock_instance.get_router_config.return_value = {"host": "localhost"}
+            
+            # Test with a key that doesn't match the transport's key
+            self.assertFalse(transport._validate_api_key(scope, api_key="wrong-key"))
+
+
+if __name__ == "__main__":
+    unittest.main()

Original file line number	Diff line number	Diff line change
`@@ -180,6 +180,9 @@ router_config = {`
`180`	`180`	`}`
`181`	`181`	`router = MCPRouter(api_key="your-custom-api-key", router_config=router_config)`
`182`	`182`
	`183`	`+# Disable API key validation by setting api_key to None`
	`184`	`+router = MCPRouter(api_key=None)`
	`185`	`+`
`183`	`186`	`# Optionally, create a global config from the router's configuration`
`184`	`187`	`router.create_global_config()`
`185`	`188`	```