add Authorization for mcp endpoint

hjlarry · hjlarry · commit f411b128e17c · 2025-06-16T12:57:53.000+08:00
diff --git a/README.md b/README.md
@@ -48,11 +48,16 @@ The app's input schema must define its input parameters. For a chat dify app, en
 ### 4. enjoy it!
 ![5](./_assets/5.png)
 
+### 5. To keep your data secure, you can add a `Auth Bearer Token` on the endpoint setting.
+
+For example, if your `Auth Bearer Token` is setting to `sk-abcdefgh`, then the request header of MCP client must add `Authorization: Bearer sk-abcdefgh`
+
 
 ## Changelog
 
 ### 0.0.4
 - Add response to the `ping` method of MCP client, some clients use this method to check server health 
+- Add `Authorization: Bearer` token validator
 
 ### 0.0.3
 - To fix sse get non-exist key get lots error logs on the plugin daemon.
diff --git a/endpoints/auth.py b/endpoints/auth.py
@@ -0,0 +1,29 @@
+import json
+from typing import Mapping, Optional
+
+from werkzeug import Request, Response
+
+def validate_bearer_token(r: Request, settings: Mapping) -> Optional[Response]:
+    """
+    Validates the bearer token from the request.
+    Returns a Response object if validation fails, otherwise None.
+    """
+    if settings.get("auth-token"):
+        auth_header = r.headers.get("Authorization")
+        token = None
+        if auth_header and auth_header.startswith("Bearer "):
+            token = auth_header.removeprefix("Bearer ").strip()
+
+        if settings.get("auth-token") != token:
+            req_id = r.json.get("id") if r.is_json else None
+            error_response = {
+                "jsonrpc": "2.0",
+                "id": req_id,
+                "error": {"code": -32000, "message": "Invalid or missing token"},
+            }
+            return Response(
+                json.dumps(error_response),
+                status=401,
+                content_type="application/json",
+            )
+    return None
diff --git a/endpoints/http_post.py b/endpoints/http_post.py
@@ -7,6 +7,8 @@
 from dify_plugin import Endpoint
 from dify_plugin.config.logger_format import plugin_logger_handler
 
+from .auth import validate_bearer_token
+
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
 logger.addHandler(plugin_logger_handler)
@@ -23,6 +25,11 @@ def _invoke(self, r: Request, values: Mapping, settings: Mapping) -> Response:
         """
         logger.info(f"HTTPPostEndpoint request headers: {r.headers}")
         logger.info(f"HTTPPostEndpoint request json: {r.json}")
+
+        auth_error = validate_bearer_token(r, settings)
+        if auth_error:
+            return auth_error
+
         app_id = settings.get("app").get("app_id")
         try:
             tool = json.loads(settings.get("app-input-schema"))
diff --git a/endpoints/messages.py b/endpoints/messages.py
@@ -5,6 +5,8 @@
 from dify_plugin import Endpoint
 from dify_plugin.config.logger_format import plugin_logger_handler
 
+from .auth import validate_bearer_token
+
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
 logger.addHandler(plugin_logger_handler)
@@ -17,6 +19,11 @@ def _invoke(self, r: Request, values: Mapping, settings: Mapping) -> Response:
         """
         logger.info(f"MessageEndpoint request headers: {r.headers}")
         logger.info(f"MessageEndpoint request json: {r.json}")
+
+        auth_error = validate_bearer_token(r, settings)
+        if auth_error:
+            return auth_error
+        
         app_id = settings.get("app").get("app_id")
         try:
             tool = json.loads(settings.get("app-input-schema"))
@@ -49,7 +56,7 @@ def _invoke(self, r: Request, values: Mapping, settings: Mapping) -> Response:
                 "id": data.get("id"),
                 "result": {},
             }
-            
+
         elif data.get("method") == "notifications/initialized":
             return Response("", status=202, content_type="application/json")
 
diff --git a/endpoints/sse.py b/endpoints/sse.py
@@ -8,6 +8,8 @@
 from dify_plugin import Endpoint
 from dify_plugin.config.logger_format import plugin_logger_handler
 
+from .auth import validate_bearer_token
+
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
 logger.addHandler(plugin_logger_handler)
@@ -22,6 +24,11 @@ def _invoke(self, r: Request, values: Mapping, settings: Mapping) -> Response:
         Invokes the endpoint with the given request.
         """
         logger.info(f"SSEEndpoint request headers: {r.headers}")
+
+        auth_error = validate_bearer_token(r, settings)
+        if auth_error:
+            return auth_error
+        
         session_id = str(uuid.uuid4()).replace("-", "")
 
         def generate():
diff --git a/group/mcp-server.yaml b/group/mcp-server.yaml
@@ -13,6 +13,7 @@ settings:
     required: true
     label:
       en_US: App Type
+      zh_Hans: 应用类型
     options:
       - label:
           en_US: Chat
@@ -25,9 +26,19 @@ settings:
     required: true
     label:
       en_US: App Input Schema
+      zh_Hans: 应用输入 schema
     placeholder:
       en_US: the json format of your app input schema
       zh_Hans: 请输入应用所需输入的 json 格式
+  - name: auth-token
+    type: secret-input
+    required: false
+    label:
+      en_US: Auth Bearer Token
+      zh_Hans: 认证Bearer token
+    placeholder:
+      en_US: the auth Bearer token of your app, if not provided, the app will not validate
+      zh_Hans: 请输入应用的认证Bearer token，如果未提供，应用将不验证
 endpoints:
   - endpoints/sse.yaml
   - endpoints/messages.yaml
