@dxheroes/local-mcp-backend 0.9.2 → 0.10.0

package/src/modules/proxy/proxy.controller.ts

@@ -19,46 +19,33 @@ import {
   Post,
   Req,
   Res,
-  UnauthorizedException,
+  UseGuards,
 } from '@nestjs/common';
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import type { Request, Response } from 'express';
 import { fromEvent, map } from 'rxjs';
-import { AuthService } from '../auth/auth.service.js';
 import { Public } from '../auth/decorators/public.decorator.js';
+import { McpOAuthGuard } from '../auth/mcp-oauth.guard.js';
 import { GATEWAY_PROFILE_CHANGED, SettingsService } from '../settings/settings.service.js';
 import type { McpRequest, McpResponse } from './proxy.service.js';
 import { ProxyService } from './proxy.service.js';
 
 @Public()
+@UseGuards(McpOAuthGuard)
 @Controller('mcp')
 export class ProxyController {
   constructor(
     private readonly proxyService: ProxyService,
     private readonly settingsService: SettingsService,
-    private readonly eventEmitter: EventEmitter2,
-    private readonly authService: AuthService
+    private readonly eventEmitter: EventEmitter2
   ) {}
 
   /**
-   * Resolve user from Bearer token (MCP OAuth).
-   * When no token is provided, returns unauthenticated sentinel so
-   * system profiles (organizationId=null) still work for unauthenticated MCP clients.
+   * Resolve user from request.
+   * McpOAuthGuard always validates and attaches user before this is called.
    */
-  private async resolveUser(req: Request): Promise<{ id: string }> {
-    const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith('Bearer ')) {
-      // No token — unauthenticated MCP client, can only access system profiles
-      return { id: '__unauthenticated__' };
-    }
-
-    const token = authHeader.slice(7);
-    const user = await this.authService.validateMcpToken(token);
-    if (!user) {
-      throw new UnauthorizedException('Invalid or expired MCP OAuth token');
-    }
-
-    return user;
+  private resolveUser(req: Request): { id: string } {
+    return req.user!;
   }
 
   // =========================================
@@ -90,7 +77,7 @@ export class ProxyController {
    */
   @Get('gateway/info')
   async getGatewayInfo(@Req() req: Request) {
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     const profileName = await this.settingsService.getDefaultGatewayProfile();
 
     try {
@@ -121,7 +108,7 @@ export class ProxyController {
       return this.streamGatewayEvents(req, res);
     }
 
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     const profileName = await this.settingsService.getDefaultGatewayProfile();
 
     try {
@@ -195,7 +182,7 @@ export class ProxyController {
     @Req() req: Request,
     @Body() request: McpRequest
   ): Promise<McpResponse> {
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     const profileName = await this.settingsService.getDefaultGatewayProfile();
 
     try {
@@ -210,6 +197,114 @@ export class ProxyController {
     }
   }
 
+  // =========================================
+  // Org-scoped Gateway Endpoints: /api/mcp/:orgSlug/gateway
+  // (must come BEFORE :orgSlug/:profileName to avoid "gateway" matching :profileName)
+  // =========================================
+
+  /**
+   * SSE endpoint for org-scoped gateway
+   */
+  @Get(':orgSlug/gateway/sse')
+  async streamOrgGatewaySse(
+    @Param('orgSlug') orgSlug: string,
+    @Req() req: Request,
+    @Res() res: Response
+  ) {
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+    return this.streamGatewayEvents(req, res);
+  }
+
+  /**
+   * POST handler for org-scoped gateway SSE
+   */
+  @Post(':orgSlug/gateway/sse')
+  @HttpCode(HttpStatus.OK)
+  async handleOrgGatewaySseRequest(
+    @Req() req: Request,
+    @Param('orgSlug') orgSlug: string,
+    @Body() request: McpRequest
+  ): Promise<McpResponse> {
+    const user = this.resolveUser(req);
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    return this.proxyService.handleRequestByOrgSlug(profileName, orgSlug, request, user.id);
+  }
+
+  /**
+   * Get org-scoped gateway info
+   */
+  @Get(':orgSlug/gateway/info')
+  async getOrgGatewayInfo(@Param('orgSlug') orgSlug: string) {
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    const info = await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+    return {
+      ...info,
+      gateway: {
+        activeProfile: profileName,
+      },
+    };
+  }
+
+  /**
+   * GET handler for org-scoped gateway endpoint
+   */
+  @Get(':orgSlug/gateway')
+  async getOrgGatewayEndpoint(
+    @Param('orgSlug') orgSlug: string,
+    @Req() req: Request,
+    @Res() res: Response
+  ) {
+    const acceptHeader = req.headers.accept || '';
+    if (acceptHeader.includes('text/event-stream')) {
+      const profileName = await this.settingsService.getDefaultGatewayProfile();
+      await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+      return this.streamGatewayEvents(req, res);
+    }
+
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    const info = await this.proxyService.getProfileInfoByOrgSlug(profileName, orgSlug);
+
+    return res.json({
+      message: 'This is the MCP Gateway endpoint. Use POST for JSON-RPC requests.',
+      usage: {
+        method: 'POST',
+        contentType: 'application/json',
+        body: { jsonrpc: '2.0', method: 'tools/list', id: 1 },
+      },
+      endpoints: {
+        sse: `/api/mcp/${orgSlug}/gateway/sse`,
+        http: `/api/mcp/${orgSlug}/gateway`,
+      },
+      gateway: {
+        activeProfile: profileName,
+        settingsEndpoint: '/api/settings/default-gateway-profile',
+      },
+      profile: {
+        name: profileName,
+        toolCount: info.tools.length,
+        serverCount: info.serverStatus.total,
+        connectedServers: info.serverStatus.connected,
+      },
+      infoEndpoint: `/api/mcp/${orgSlug}/gateway/info`,
+    });
+  }
+
+  /**
+   * MCP JSON-RPC endpoint for org-scoped gateway
+   */
+  @Post(':orgSlug/gateway')
+  @HttpCode(HttpStatus.OK)
+  async handleOrgGatewayRequest(
+    @Req() req: Request,
+    @Param('orgSlug') orgSlug: string,
+    @Body() request: McpRequest
+  ): Promise<McpResponse> {
+    const user = this.resolveUser(req);
+    const profileName = await this.settingsService.getDefaultGatewayProfile();
+    return this.proxyService.handleRequestByOrgSlug(profileName, orgSlug, request, user.id);
+  }
+
   // =========================================
   // Org-scoped Profile Endpoints: /api/mcp/:orgSlug/:profileName
   // =========================================
@@ -302,7 +397,7 @@ export class ProxyController {
     @Param('profileName') profileName: string,
     @Body() request: McpRequest
   ): Promise<McpResponse> {
-    const user = await this.resolveUser(req);
+    const user = this.resolveUser(req);
     return this.proxyService.handleRequestByOrgSlug(profileName, orgSlug, request, user.id);
   }
 }

package/src/modules/proxy/proxy.service.ts

@@ -41,6 +41,7 @@ export interface McpResponse {
 interface ServerConfig {
   builtinId?: string;
   url?: string;
+  headers?: Record<string, string>;
   // External server config
   command?: string;
   args?: string[];
@@ -488,11 +489,32 @@ export class ProxyService {
       }
     }
 
+    // For remote_http and remote_sse servers, look up OAuth token
+    let oauthToken = null;
+    if (server.type === 'remote_http' || server.type === 'remote_sse') {
+      const tokenRecord = await this.prisma.oAuthToken.findUnique({
+        where: { mcpServerId: server.id },
+      });
+      if (tokenRecord) {
+        oauthToken = {
+          id: tokenRecord.id,
+          mcpServerId: tokenRecord.mcpServerId,
+          accessToken: tokenRecord.accessToken,
+          tokenType: tokenRecord.tokenType,
+          refreshToken: tokenRecord.refreshToken ?? undefined,
+          scope: tokenRecord.scope ?? undefined,
+          expiresAt: tokenRecord.expiresAt?.getTime(),
+          createdAt: tokenRecord.createdAt.getTime(),
+          updatedAt: tokenRecord.updatedAt.getTime(),
+        };
+      }
+    }
+
     // For remote_http servers, create RemoteHttpMcpServer
     if (server.type === 'remote_http' && config?.url) {
       const remoteServer = new RemoteHttpMcpServer(
-        { url: config.url, transport: 'http' },
-        null,
+        { url: config.url, transport: 'http', headers: config.headers as Record<string, string> },
+        oauthToken,
         apiKeyConfig
       );
       await remoteServer.initialize();
@@ -503,8 +525,8 @@ export class ProxyService {
     // For remote_sse servers, create RemoteSseMcpServer
     if (server.type === 'remote_sse' && config?.url) {
       const remoteServer = new RemoteSseMcpServer(
-        { url: config.url, transport: 'sse' },
-        null,
+        { url: config.url, transport: 'sse', headers: config.headers as Record<string, string> },
+        oauthToken,
         apiKeyConfig
       );
       await remoteServer.initialize();

package/vitest.config.ts

@@ -1,10 +1,11 @@
 import { createVitestConfig } from '@dxheroes/local-mcp-config/vitest';
-import { defineConfig, mergeConfig } from 'vitest/config';
+import { configDefaults, defineConfig, mergeConfig } from 'vitest/config';
 
 export default mergeConfig(
   createVitestConfig(),
   defineConfig({
     test: {
+      exclude: [...configDefaults.exclude, 'dist/**', '**/dist/**'],
       root: '.',
       coverage: {
         provider: 'v8',