feat(chore): access-control interceptor support for MCP endpoint

access-control interceptor support for MCP endpoint

GH-1

Author: vaibhavbhalla2505

.github/workflows/main.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install Dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
       - name: Run Test Cases
         run: npm run test
 

.github/workflows/release.yaml

@@ -39,7 +39,7 @@ jobs:
           CONFIG_EMAIL: ${{ vars.RELEASE_COMMIT_EMAIL }}
 
       - name: Install 📌
-        run: npm install
+        run: npm install --ignore-scripts
 
       - name: Test 🔧
         run: npm run test

README.md

@@ -54,7 +54,7 @@ The schema field allows defining a Zod-based validation schema for tool input pa
   To use hooks with MCP tools, follow the provider-based approach:
 
   Step 1: Create a hook provider:
-  ```typescript
+  ```ts
   // src/providers/my-hook.provider.ts
   export class MyHookProvider implements Provider<McpHookFunction> {
     constructor(@inject(LOGGER.LOGGER_INJECT) private logger: ILogger) {}
@@ -66,7 +66,7 @@ The schema field allows defining a Zod-based validation schema for tool input pa
  }
   ```
   Step 2: Add binding key to McpHookBindings:
-  ```typescript
+  ```ts
   // src/keys.ts
   export namespace McpHookBindings {
     export const MY_HOOK = BindingKey.create<McpHookFunction>('hooks.mcp.myHook');
@@ -77,10 +77,64 @@ The schema field allows defining a Zod-based validation schema for tool input pa
   this.bind(McpHookBindings.MY_HOOK).toProvider(MyHookProvider);
  ```
   Step 4: Use in decorator:
-  ```typescript
+  ```ts
   @mcpTool({
    name: 'my-tool',
    description: 'my-description'
    preHookBinding: McpHookBindings.MY_HOOK,
     postHookBinding: 'hooks.mcp.myOtherHook' // or string binding key
   })
+  ```
+## MCP Access Control
+By default, any authenticated user can call the `/mcp` endpoint.
+To restrict which users can access MCP functionality, this extension supports adding a custom LoopBack 4 interceptor.
+
+Create an interceptor that validates the authenticated user before the request reaches the MCP controller.
+
+```ts
+import {
+  InvocationContext,
+  InvocationResult,
+  Provider,
+  ValueOrPromise,
+  inject,
+  interceptor,
+} from '@loopback/core';
+import {HttpErrors} from '@loopback/rest';
+import {AuthenticationBindings, IAuthUser} from 'loopback4-authentication';
+
+export class McpAccessInterceptor implements Provider<Interceptor> {
+  constructor(
+    @inject(AuthenticationBindings.CURRENT_USER, {optional: true})
+    private readonly currentUser: IAuthUser,
+  ) {}
+
+  value() {
+    return this.intercept.bind(this);
+  }
+
+  intercept(
+    invocationCtx: InvocationContext,
+    next: () => ValueOrPromise<InvocationResult>,
+  ): ValueOrPromise<InvocationResult> {
+    if (!this.currentUser) {
+      throw new HttpErrors.Unauthorized('User not authenticated');
+    }
+
+    const user = this.currentUser;
+
+    // Example rule: only admins or users with `access-mcp` permission
+    if (user.role !== 'admin' && !user.permissions?.includes('access-mcp')) {
+      throw new HttpErrors.Forbidden(
+        `User ${user.username} is not allowed to access MCP`,
+      );
+    }
+
+    return next();
+  }
+}
+```
+Bind it in your `application.ts`:
+```ts
+this.bind(McpBindings.ACCESS_INTERCEPTOR).toProvider(McpAccessInterceptor);
+```