@mgsoftwarebv/mg-dashboard-mcp 3.0.2 → 3.0.4

package/dist/index.js

@@ -1016,7 +1016,226 @@ var RateLimiter = class {
 var authRateLimiter = new RateLimiter(5, 15 * 60 * 1e3);
 setInterval(() => {
   authRateLimiter.cleanup();
+  toolRateLimiter.cleanup();
 }, 5 * 60 * 1e3).unref();
+var TOOL_RATE_CATEGORIES = {
+  "ssh-execute": "ssh",
+  "sftp-write": "sftp_write",
+  "sftp-delete": "sftp_write",
+  "sftp-list": "sftp_read",
+  "sftp-read": "sftp_read",
+  "db-query": "db",
+  "db-discover": "db",
+  "db-tables": "db",
+  "db-describe": "db"
+};
+var TOOL_RATE_LIMITS = {
+  ssh: { max: 120, windowMs: 60 * 60 * 1e3 },
+  sftp_write: { max: 60, windowMs: 60 * 60 * 1e3 },
+  sftp_read: { max: 200, windowMs: 60 * 60 * 1e3 },
+  db: { max: 200, windowMs: 60 * 60 * 1e3 },
+  default: { max: 300, windowMs: 60 * 60 * 1e3 }
+};
+var toolRateLimiter = new RateLimiter(300, 60 * 60 * 1e3);
+var toolRateBuckets = /* @__PURE__ */ new Map();
+function checkToolRateLimit(toolName) {
+  const category = TOOL_RATE_CATEGORIES[toolName] || "default";
+  const limits = TOOL_RATE_LIMITS[category] ?? TOOL_RATE_LIMITS.default;
+  let limiter = toolRateBuckets.get(category);
+  if (!limiter) {
+    limiter = new RateLimiter(limits.max, limits.windowMs);
+    toolRateBuckets.set(category, limiter);
+  }
+  const result = limiter.check(authContext?.apiKeyId || "unknown");
+  return { allowed: result.allowed, category, retryAfterMs: result.retryAfterMs };
+}
+var SENSITIVE_KEYS = /* @__PURE__ */ new Set(["password", "private_key", "passphrase", "secret", "token", "key", "api_key", "credentials"]);
+function redactSensitiveArgs(args2) {
+  const redacted = {};
+  for (const [k, v] of Object.entries(args2)) {
+    if (SENSITIVE_KEYS.has(k.toLowerCase())) {
+      redacted[k] = "[REDACTED]";
+    } else if (typeof v === "string" && v.length > 500) {
+      redacted[k] = v.slice(0, 500) + "...[truncated]";
+    } else {
+      redacted[k] = v;
+    }
+  }
+  return redacted;
+}
+async function writeAuditLog(entry) {
+  if (!authContext) return;
+  try {
+    await supabase.from("mcp_audit_log").insert({
+      api_key_id: authContext.apiKeyId,
+      user_id: authContext.userId,
+      tool_name: entry.toolName,
+      arguments: entry.arguments ? redactSensitiveArgs(entry.arguments) : null,
+      ip_address: entry.ipAddress || null,
+      server_id: entry.serverId || null,
+      result_status: entry.resultStatus,
+      error_message: entry.errorMessage?.slice(0, 1e3) || null,
+      duration_ms: entry.durationMs || null
+    });
+  } catch (err) {
+    console.error("[Audit] Failed to write audit log:", err instanceof Error ? err.message : err);
+  }
+}
+var TELEGRAM_API = "https://api.telegram.org/bot";
+var cachedTelegramConfig = null;
+async function getTelegramBotConfig() {
+  if (cachedTelegramConfig) return cachedTelegramConfig;
+  const { data, error } = await supabase.from("telegram_bot_config").select("bot_token_encrypted, chat_id, notifications_enabled").limit(1).maybeSingle();
+  if (error) {
+    console.error("[Telegram Config] Query error:", error.message);
+    return null;
+  }
+  if (!data?.bot_token_encrypted || !data?.chat_id) {
+    console.error("[Telegram Config] Missing bot_token or chat_id in telegram_bot_config table");
+    return null;
+  }
+  if (!data.notifications_enabled) {
+    console.error("[Telegram Config] Notifications disabled in telegram_bot_config");
+    return null;
+  }
+  try {
+    const token = decrypt(data.bot_token_encrypted);
+    cachedTelegramConfig = { botToken: token, chatId: data.chat_id };
+    console.error("[Telegram Config] Loaded successfully");
+    return cachedTelegramConfig;
+  } catch (err) {
+    console.error("[Telegram Config] Failed to decrypt bot token:", err instanceof Error ? err.message : err);
+    return null;
+  }
+}
+function escapeHtmlTg(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+async function sendTelegramMessage(token, chatId, text, replyMarkup) {
+  try {
+    const body = { chat_id: chatId, text, parse_mode: "HTML" };
+    if (replyMarkup) body.reply_markup = replyMarkup;
+    const res = await fetch(`${TELEGRAM_API}${token}/sendMessage`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const result = await res.json();
+    return { ok: result.ok, messageId: result.result?.message_id };
+  } catch {
+    return { ok: false };
+  }
+}
+async function sendTelegramAlert(text) {
+  const config = await getTelegramBotConfig();
+  if (!config) return;
+  await sendTelegramMessage(config.botToken, config.chatId, text);
+}
+async function checkIpAllowlist(ipAddress) {
+  if (!authContext || !authContext.requireIpApproval) {
+    console.error(`[IP Check] Skipped (requireIpApproval=${authContext?.requireIpApproval})`);
+    return { allowed: true };
+  }
+  console.error(`[IP Check] Checking IP ${ipAddress} for key ${authContext.apiKeyId}`);
+  const { data: existing, error: lookupErr } = await supabase.from("mcp_ip_allowlist").select("id").eq("api_key_id", authContext.apiKeyId).eq("ip_address", ipAddress).maybeSingle();
+  if (lookupErr) {
+    console.error(`[IP Check] Allowlist lookup error: ${lookupErr.message}`);
+  }
+  if (existing) {
+    console.error(`[IP Check] IP ${ipAddress} found in allowlist`);
+    return { allowed: true };
+  }
+  console.error(`[IP Check] IP ${ipAddress} NOT in allowlist, requesting Telegram approval...`);
+  const tgConfig = await getTelegramBotConfig();
+  if (!tgConfig) {
+    console.error("[IP Check] BLOCKING: Unknown IP and no Telegram configured");
+    return { allowed: false, reason: "Unknown IP and no approval channel configured" };
+  }
+  let geoInfo = null;
+  try {
+    const geoRes = await fetch(`http://ip-api.com/json/${ipAddress}?fields=country,city,isp`);
+    if (geoRes.ok) geoInfo = await geoRes.json();
+  } catch {
+  }
+  const geoLabel = geoInfo ? `${geoInfo.city || "?"}, ${geoInfo.country || "?"} (${geoInfo.isp || "?"})` : "Onbekend";
+  const { data: request, error: insertErr } = await supabase.from("mcp_ip_approval_request").insert({
+    api_key_id: authContext.apiKeyId,
+    ip_address: ipAddress,
+    status: "pending",
+    geo_info: geoInfo
+  }).select("id").single();
+  if (insertErr || !request) {
+    console.error(`[IP Check] Failed to create approval request: ${insertErr?.message || "no data returned"}`);
+    return { allowed: false, reason: `Failed to create approval request: ${insertErr?.message || "unknown"}` };
+  }
+  console.error(`[IP Check] Created approval request ${request.id}`);
+  const message = [
+    `<b>MCP IP Approval</b>`,
+    ``,
+    `<b>IP:</b> <code>${escapeHtmlTg(ipAddress)}</code>`,
+    `<b>Locatie:</b> ${escapeHtmlTg(geoLabel)}`,
+    `<b>API Key:</b> ${escapeHtmlTg(authContext.apiKeyName)}`,
+    `<b>User:</b> ${escapeHtmlTg(authContext.userId)}`,
+    ``,
+    `<i>Onbekend IP probeert verbinding te maken met de MCP server.</i>`
+  ].join("\n");
+  const tgResult = await sendTelegramMessage(tgConfig.botToken, tgConfig.chatId, message, {
+    inline_keyboard: [
+      [
+        { text: "Goedkeuren", callback_data: `mcp_ip_approve:${request.id}` },
+        { text: "Weigeren", callback_data: `mcp_ip_deny:${request.id}` }
+      ]
+    ]
+  });
+  if (tgResult.messageId) {
+    await supabase.from("mcp_ip_approval_request").update({ telegram_message_id: tgResult.messageId }).eq("id", request.id);
+  }
+  console.error(`[IP Check] Waiting for Telegram approval for IP ${ipAddress}...`);
+  const deadline = Date.now() + 6e4;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, 2e3));
+    const { data: check } = await supabase.from("mcp_ip_approval_request").select("status").eq("id", request.id).single();
+    if (check?.status === "approved") {
+      await supabase.from("mcp_ip_allowlist").insert({
+        api_key_id: authContext.apiKeyId,
+        ip_address: ipAddress,
+        label: geoLabel,
+        approved_by: "telegram"
+      });
+      console.error(`[IP Check] IP ${ipAddress} approved via Telegram`);
+      return { allowed: true };
+    }
+    if (check?.status === "denied") {
+      console.error(`[IP Check] IP ${ipAddress} denied via Telegram`);
+      return { allowed: false, reason: "IP denied via Telegram" };
+    }
+  }
+  await supabase.from("mcp_ip_approval_request").update({ status: "denied", resolved_at: (/* @__PURE__ */ new Date()).toISOString() }).eq("id", request.id);
+  console.error(`[IP Check] IP ${ipAddress} approval timed out`);
+  return { allowed: false, reason: "Approval request timed out (60s)" };
+}
+var SESSION_TTL_MS = 8 * 60 * 60 * 1e3;
+var SESSION_MAX_ABSOLUTE_MS = 24 * 60 * 60 * 1e3;
+async function getOrCreateSession(ipAddress) {
+  if (!authContext) return { valid: false, reason: "Not authenticated" };
+  const now = /* @__PURE__ */ new Date();
+  const { data: existing } = await supabase.from("mcp_session").select("id, created_at, expires_at").eq("api_key_id", authContext.apiKeyId).eq("ip_address", ipAddress).gt("expires_at", now.toISOString()).order("created_at", { ascending: false }).limit(1).maybeSingle();
+  if (existing) {
+    const createdAt = new Date(existing.created_at).getTime();
+    if (now.getTime() - createdAt > SESSION_MAX_ABSOLUTE_MS) {
+      await supabase.from("mcp_session").delete().eq("id", existing.id);
+      return { valid: false, reason: "Session exceeded absolute TTL (24h)" };
+    }
+    await supabase.from("mcp_session").update({ last_activity_at: now.toISOString() }).eq("id", existing.id);
+    return { valid: true, sessionId: existing.id };
+  }
+  const { data: newSession } = await supabase.from("mcp_session").insert({
+    api_key_id: authContext.apiKeyId,
+    ip_address: ipAddress,
+    expires_at: new Date(now.getTime() + SESSION_TTL_MS).toISOString()
+  }).select("id").single();
+  return { valid: true, sessionId: newSession?.id };
+}
 var MODULE_KEYS = [
   "users",
   "ssh_servers",
@@ -1102,7 +1321,7 @@ async function validateApiKey(key) {
     console.error(`Rate limited: too many failed auth attempts. Retry in ${retryMin} minute(s).`);
     return null;
   }
-  const { data, error } = await supabase.from("dashboard_mcp_api_key").select("id, created_by, allowed_server_ids, is_active, expires_at").eq("api_key_hash", keyHash).eq("is_active", true).single();
+  const { data, error } = await supabase.from("dashboard_mcp_api_key").select("id, name, created_by, allowed_server_ids, is_active, expires_at, require_ip_approval").eq("api_key_hash", keyHash).eq("is_active", true).single();
   if (error || !data) {
     console.error(`API key not found or inactive (${rateCheck.remaining} attempts remaining)`);
     return null;
@@ -1128,10 +1347,13 @@ async function validateApiKey(key) {
   const moduleCount = MODULE_KEYS.filter((k) => permissions.modules[k]).length;
   console.error(`Authenticated as user ${data.created_by} (role: ${roleName}, modules: ${moduleCount}/${MODULE_KEYS.length})`);
   return {
+    apiKeyId: data.id,
+    apiKeyName: data.name || "Unknown",
     userId: data.created_by,
     allowedServerIds,
     permissions,
-    roleName
+    roleName,
+    requireIpApproval: data.require_ip_approval ?? true
   };
 }
 function assertServerAccess(serverId) {
@@ -2254,7 +2476,7 @@ var TOOLS = [
   // ----- Agent Reporting -----
   ...AGENT_TOOLS
 ];
-var MCP_VERSION = "2.3.1";
+var MCP_VERSION = "3.0.4";
 async function handleListTools() {
   if (!authContext) return { tools: TOOLS };
   const accessible = TOOLS.filter((tool) => {
@@ -2279,19 +2501,54 @@ async function handleCallTool(request) {
       }]
     };
   }
+  const rateResult = checkToolRateLimit(name);
+  if (!rateResult.allowed) {
+    const retryMin = Math.ceil(rateResult.retryAfterMs / 6e4);
+    void sendTelegramAlert(
+      `<b>MCP Rate Limit</b>
+
+Tool category <code>${escapeHtmlTg(rateResult.category)}</code> rate limited.
+Key: ${escapeHtmlTg(authContext.apiKeyName)}
+Retry in ${retryMin} min.`
+    );
+    return {
+      content: [{
+        type: "text",
+        text: `Rate limited: too many ${rateResult.category} calls. Retry in ${retryMin} minute(s).`
+      }]
+    };
+  }
+  const startTime = Date.now();
+  const serverId = a.serverId || a.server_id;
+  const result = await executeToolCall(name, a);
+  const durationMs = Date.now() - startTime;
+  const isError = result.content?.[0]?.text?.startsWith("Error:");
+  void writeAuditLog({
+    toolName: name,
+    arguments: a,
+    serverId,
+    resultStatus: isError ? "error" : "success",
+    errorMessage: isError ? result.content?.[0]?.text : void 0,
+    durationMs
+  });
+  return result;
+}
+async function executeToolCall(name, a, _serverId) {
+  const ctx = authContext;
   try {
     switch (name) {
       // ----- Servers -----
       case "list-servers": {
-        let query = supabase.from("ssh_server").select("id, name, hostname, port, username, tags, hosted_by, created_at").order("name");
-        if (authContext.allowedServerIds !== null) {
-          query = query.in("id", authContext.allowedServerIds);
+        let query = supabase.from("ssh_server").select("id, name, hostname, port, username, tags, hosted_by, os_type, created_at").order("name");
+        if (ctx.allowedServerIds !== null) {
+          query = query.in("id", ctx.allowedServerIds);
         }
         const { data, error } = await query;
         if (error) throw new Error(error.message);
         const lines = (data || []).map((s) => {
           const tags = Array.isArray(s.tags) ? s.tags.join(", ") : "";
-          return `${s.id}  ${s.name}  ${s.hostname}:${s.port}  ${s.username}  [${tags}]  ${s.hosted_by || ""}`;
+          const os = s.os_type || "linux";
+          return `${s.id}  ${s.name}  ${s.hostname}:${s.port}  ${s.username}  [${tags}]  ${s.hosted_by || ""}  os:${os}`;
         });
         return { content: [{ type: "text", text: lines.length ? lines.join("\n") : "No servers found" }] };
       }
@@ -2738,6 +2995,32 @@ function createMcpServer() {
   return s;
 }
 var server = createMcpServer();
+async function resolvePublicIp() {
+  const services = [
+    "https://api.ipify.org",
+    "https://ifconfig.me/ip",
+    "https://icanhazip.com"
+  ];
+  for (const url of services) {
+    try {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), 5e3);
+      const res = await fetch(url, { signal: controller.signal });
+      clearTimeout(timer);
+      if (res.ok) {
+        const ip = (await res.text()).trim();
+        if (ip && /^[\d.:a-f]+$/i.test(ip)) {
+          console.error(`[IP Resolve] Got public IP: ${ip} (from ${url})`);
+          return ip;
+        }
+      }
+    } catch (err) {
+      console.error(`[IP Resolve] Failed ${url}: ${err instanceof Error ? err.message : err}`);
+    }
+  }
+  console.error("[IP Resolve] All services failed, returning unknown");
+  return "unknown";
+}
 async function main() {
   console.error("Starting MG Dashboard MCP Server...");
   authContext = await validateApiKey(apiKey);
@@ -2745,6 +3028,23 @@ async function main() {
     console.error("API key validation failed");
     process.exit(1);
   }
+  console.error(`[Security] MCP v${MCP_VERSION} | Key: ${authContext.apiKeyName} | requireIpApproval: ${authContext.requireIpApproval}`);
+  if (authContext.requireIpApproval) {
+    console.error("[Security] IP approval enabled, resolving public IP...");
+    const publicIp = await resolvePublicIp();
+    console.error(`[Security] Public IP: ${publicIp}`);
+    const ipResult = await checkIpAllowlist(publicIp);
+    if (!ipResult.allowed) {
+      console.error(`[Security] BLOCKED \u2014 ${ipResult.reason}`);
+      console.error("[Security] MCP server will not start. Approve the IP via Telegram or add it manually in the dashboard.");
+      process.exit(1);
+    }
+    console.error("[Security] IP approved, creating session...");
+    await getOrCreateSession(publicIp);
+    console.error("[Security] Session created");
+  } else {
+    console.error("[Security] IP approval disabled for this key");
+  }
   const toolNames = TOOLS.map((t) => t.name).join(", ");
   if (httpMode) {
     console.error(`API key validated. Starting Streamable HTTP transport on port ${httpPort}...`);
@@ -2755,8 +3055,37 @@ async function main() {
     };
     const httpServer = createServer(async (req, res) => {
       const url = new URL(req.url ?? "/", `http://localhost:${httpPort}`);
+      const clientIp = (req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.headers["x-real-ip"] || req.socket.remoteAddress || "unknown").replace(/^::ffff:/, "");
+      if (authContext?.requireIpApproval) {
+        const { data: allowed } = await supabase.from("mcp_ip_allowlist").select("id").eq("api_key_id", authContext.apiKeyId).eq("ip_address", clientIp).maybeSingle();
+        if (!allowed) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: `IP ${clientIp} not in allowlist. Approve via Telegram first.` }));
+          return;
+        }
+      }
+      if (authContext) {
+        const sessionResult = await getOrCreateSession(clientIp);
+        if (!sessionResult.valid) {
+          console.error(`[Session] Session expired: ${sessionResult.reason}`);
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: `Session expired: ${sessionResult.reason}. Restart the MCP server to re-authenticate.` }));
+          return;
+        }
+      }
       const restToolName = REST_TOOL_MAP[url.pathname];
       if (restToolName && req.method === "POST") {
+        if (!authContext) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Not authenticated" }));
+          return;
+        }
+        const requiredModule = TOOL_MODULE_MAP[restToolName];
+        if (requiredModule && authContext.permissions.modules[requiredModule] !== true) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: `Access denied: no permission for "${requiredModule}" module` }));
+          return;
+        }
         const chunks = [];
         for await (const chunk of req) chunks.push(chunk);
         let toolArgs;