n8n-workflow-builder-mcp 0.1.0

package/src/middleware/auth.js

@@ -0,0 +1,273 @@
+/**
+ * Authentication Middleware
+ * 
+ * Handles authentication for API requests
+ */
+
+const jwt = require('jsonwebtoken');
+const { logger } = require('../utils/logger');
+const { createErrorResponse } = require('../utils/mcp');
+const { logSecurityEvent } = require('../utils/securityLogger');
+
+// Get API key from environment
+const API_KEY = process.env.MCP_API_KEY || 'development-key';
+
+// Rate limiting storage
+const rateLimitStore = new Map();
+
+/**
+ * Validate API key against environment variables or config
+ * @param {string} apiKey - The API key to validate
+ * @returns {boolean} - True if valid, false otherwise
+ */
+const validateApiKey = (apiKey) => {
+    // Check environment variables first
+    if (process.env.API_KEYS) {
+        const validKeys = process.env.API_KEYS.split(',').map(key => key.trim());
+        return validKeys.includes(apiKey);
+    }
+
+    // Check config if available
+    try {
+        const config = require('../../config/default');
+        if (config.auth && config.auth.apiKeys && Array.isArray(config.auth.apiKeys)) {
+            return config.auth.apiKeys.includes(apiKey);
+        }
+    } catch (error) {
+        // Config not available, fall back to default
+    }
+
+    // Fall back to default API key
+    return apiKey === API_KEY;
+};
+
+/**
+ * Check rate limiting for an IP address
+ * @param {string} ip - The IP address to check
+ * @returns {boolean} - True if rate limited, false otherwise
+ */
+const isRateLimited = (ip) => {
+    const attempts = rateLimitStore.get(ip) || 0;
+    return attempts >= 5;
+};
+
+/**
+ * Increment failed attempts for an IP address
+ * @param {string} ip - The IP address to track
+ */
+const trackFailedAttempt = (ip) => {
+    const attempts = rateLimitStore.get(ip) || 0;
+    rateLimitStore.set(ip, attempts + 1);
+
+    // Clean up after 1 hour
+    setTimeout(() => {
+        rateLimitStore.delete(ip);
+    }, 3600000);
+};
+
+/**
+ * API Key authentication middleware
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const apiKeyAuth = (req, res, next) => {
+    const apiKey = req.headers['x-api-key'];
+    const ip = req.ip || req.connection?.remoteAddress || '127.0.0.1';
+
+    // Check rate limiting
+    if (isRateLimited(ip)) {
+        const errorResponse = createErrorResponse(
+            'Too many failed attempts',
+            'RATE_LIMITED',
+            429
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    if (!apiKey) {
+        trackFailedAttempt(ip);
+        logSecurityEvent({
+            level: 'warn',
+            eventType: 'authentication_failure',
+            ip,
+            details: {
+                reason: 'Missing API key',
+                endpoint: req.path
+            }
+        });
+
+        const errorResponse = createErrorResponse(
+            'API key required',
+            'MISSING_API_KEY',
+            401
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    if (!validateApiKey(apiKey)) {
+        trackFailedAttempt(ip);
+        logSecurityEvent({
+            level: 'warn',
+            eventType: 'authentication_failure',
+            ip,
+            details: {
+                reason: 'Invalid API key',
+                endpoint: req.path
+            }
+        });
+
+        const errorResponse = createErrorResponse(
+            'Invalid API key',
+            'INVALID_API_KEY',
+            401
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    // Set auth info
+    req.auth = {
+        type: 'apikey',
+        key: apiKey
+    };
+
+    next();
+};
+
+/**
+ * JWT authentication middleware
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const jwtAuth = (req, res, next) => {
+    const authHeader = req.headers.authorization;
+    const ip = req.ip || req.connection?.remoteAddress || '127.0.0.1';
+
+    // Check rate limiting
+    if (isRateLimited(ip)) {
+        const errorResponse = createErrorResponse(
+            'Too many failed attempts',
+            'RATE_LIMITED',
+            429
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    if (!authHeader) {
+        trackFailedAttempt(ip);
+        const errorResponse = createErrorResponse(
+            'JWT token required',
+            'MISSING_JWT_TOKEN',
+            401
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    const parts = authHeader.split(' ');
+    if (parts.length !== 2 || parts[0] !== 'Bearer') {
+        trackFailedAttempt(ip);
+        const errorResponse = createErrorResponse(
+            'JWT token required',
+            'MISSING_JWT_TOKEN',
+            401
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    const token = parts[1];
+
+    try {
+        // Use a default secret if not configured
+        const secret = process.env.JWT_SECRET || 'default-secret';
+        const decoded = jwt.verify(token, secret);
+
+        req.auth = {
+            type: 'jwt',
+            user: decoded
+        };
+
+        next();
+    } catch (error) {
+        trackFailedAttempt(ip);
+
+        let errorCode = 'INVALID_JWT_TOKEN';
+        let message = 'Invalid JWT token';
+
+        if (error.name === 'TokenExpiredError') {
+            errorCode = 'EXPIRED_JWT_TOKEN';
+            message = 'JWT token has expired';
+        } else if (error.name === 'JsonWebTokenError') {
+            if (error.message.includes('invalid signature')) {
+                errorCode = 'INVALID_JWT_SIGNATURE';
+                message = 'Invalid JWT signature';
+            } else if (error.message.includes('malformed')) {
+                errorCode = 'MALFORMED_JWT_TOKEN';
+                message = 'Malformed JWT token';
+            }
+        }
+
+        const errorResponse = createErrorResponse(message, errorCode, 401);
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+};
+
+/**
+ * Main authentication middleware - supports both API key and JWT
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const authenticate = (req, res, next) => {
+    // Set MCP version header
+    res.setHeader('X-MCP-Version', '1.0');
+
+    // Skip authentication in development if configured
+    if (process.env.NODE_ENV === 'development' && process.env.SKIP_AUTH === 'true') {
+        logger.warn('Authentication bypassed in development mode');
+        req.auth = {
+            type: 'development',
+            user: { id: 'dev-user' }
+        };
+        return next();
+    }
+
+    const apiKey = req.headers['x-api-key'];
+    const authHeader = req.headers.authorization;
+
+    if (apiKey) {
+        // Use API key authentication
+        return apiKeyAuth(req, res, next);
+    } else if (authHeader) {
+        // Use JWT authentication
+        return jwtAuth(req, res, next);
+    } else {
+        // No authentication method provided
+        const ip = req.ip || req.connection?.remoteAddress || '127.0.0.1';
+
+        logSecurityEvent({
+            level: 'warn',
+            eventType: 'authentication_failure',
+            ip,
+            details: {
+                reason: 'Missing authorization header',
+                endpoint: req.path
+            }
+        });
+
+        const errorResponse = createErrorResponse(
+            'Authentication required',
+            'AUTHENTICATION_REQUIRED',
+            401
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+};
+
+module.exports = {
+    authenticate,
+    apiKeyAuth,
+    jwtAuth,
+    validateApiKey,
+    rateLimitStore // Export for testing
+}; 

package/src/middleware/authorize.js

@@ -0,0 +1,183 @@
+/**
+ * Authorization Middleware
+ * 
+ * Handles role-based authorization for the MCP server.
+ */
+
+const { PERMISSIONS, hasPermission } = require('../models/user');
+const { createErrorResponse } = require('../utils/mcp');
+const { logger } = require('../utils/logger');
+
+/**
+ * Authorization middleware to check if the user has the required permission
+ * 
+ * @param {String} permission - The permission required for the operation
+ * @returns {Function} Express middleware function
+ */
+const authorize = (permission) => {
+    return (req, res, next) => {
+        if (!req.auth) {
+            // No authentication data available
+            const errorResponse = createErrorResponse(
+                'Authorization requires authentication',
+                'AUTHENTICATION_REQUIRED',
+                401
+            );
+            return res.status(errorResponse.status).json({ error: errorResponse.error });
+        }
+
+        // For API key auth, assign default admin role
+        // In a real-world scenario, API keys would have specific permissions associated with them
+        if (req.auth.type === 'apikey') {
+            req.user = {
+                roles: ['admin']
+            };
+            return next();
+        }
+
+        // For JWT auth, use the user data from the token
+        if (req.auth.type === 'jwt') {
+            // User data should be available in req.auth.user
+            const user = req.auth.user;
+
+            // If no roles in the token, access is denied
+            if (!user || !user.roles) {
+                const errorResponse = createErrorResponse(
+                    'User has no defined roles',
+                    'MISSING_ROLES',
+                    403
+                );
+                return res.status(errorResponse.status).json({ error: errorResponse.error });
+            }
+
+            // Store the user object for use in other middleware/routes
+            req.user = user;
+
+            // Skip permission check if no specific permission required
+            if (!permission) {
+                return next();
+            }
+
+            // Check if user has the required permission
+            if (hasPermission(user, permission)) {
+                return next();
+            }
+
+            // Permission denied
+            logger.warn(`Access denied: User lacks permission: ${permission}`);
+            const errorResponse = createErrorResponse(
+                `You don't have permission to perform this action`,
+                'PERMISSION_DENIED',
+                403
+            );
+            return res.status(errorResponse.status).json({ error: errorResponse.error });
+        }
+
+        // Unsupported auth type
+        const errorResponse = createErrorResponse(
+            'Unsupported authentication type',
+            'UNSUPPORTED_AUTH_TYPE',
+            401
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    };
+};
+
+/**
+ * Middleware to handle workflow permissions
+ */
+const authorizeWorkflow = {
+    // Permission middleware for viewing workflows
+    view: authorize(PERMISSIONS.WORKFLOW_VIEW),
+
+    // Permission middleware for creating workflows
+    create: authorize(PERMISSIONS.WORKFLOW_CREATE),
+
+    // Permission middleware for editing workflows
+    edit: authorize(PERMISSIONS.WORKFLOW_EDIT),
+
+    // Permission middleware for deleting workflows
+    delete: authorize(PERMISSIONS.WORKFLOW_DELETE),
+
+    // Permission middleware for executing workflows
+    execute: authorize(PERMISSIONS.WORKFLOW_EXECUTE)
+};
+
+/**
+ * Middleware to handle node permissions
+ */
+const authorizeNode = {
+    // Permission middleware for viewing nodes
+    view: authorize(PERMISSIONS.NODE_VIEW),
+
+    // Permission middleware for adding nodes
+    add: authorize(PERMISSIONS.NODE_ADD),
+
+    // Permission middleware for editing nodes
+    edit: authorize(PERMISSIONS.NODE_EDIT),
+
+    // Permission middleware for deleting nodes
+    delete: authorize(PERMISSIONS.NODE_DELETE)
+};
+
+/**
+ * Middleware to handle connection permissions
+ */
+const authorizeConnection = {
+    // Permission middleware for viewing connections
+    view: authorize(PERMISSIONS.CONNECTION_VIEW),
+
+    // Permission middleware for creating connections
+    create: authorize(PERMISSIONS.CONNECTION_CREATE),
+
+    // Permission middleware for deleting connections
+    delete: authorize(PERMISSIONS.CONNECTION_DELETE)
+};
+
+/**
+ * Middleware to handle credential permissions
+ */
+const authorizeCredential = {
+    // Permission middleware for viewing credentials
+    view: authorize(PERMISSIONS.CREDENTIAL_VIEW),
+
+    // Permission middleware for creating credentials
+    create: authorize(PERMISSIONS.CREDENTIAL_CREATE),
+
+    // Permission middleware for editing credentials
+    edit: authorize(PERMISSIONS.CREDENTIAL_EDIT),
+
+    // Permission middleware for deleting credentials
+    delete: authorize(PERMISSIONS.CREDENTIAL_DELETE)
+};
+
+/**
+ * Middleware for system admin permissions
+ */
+const authorizeAdmin = authorize(PERMISSIONS.SYSTEM_ADMIN);
+
+/**
+ * Get middleware that logs access attempts and enforces permission check
+ * 
+ * @param {String} permission - Permission required for the operation
+ * @param {String} operation - Description of the operation for logging
+ * @returns {Function} Express middleware function
+ */
+const logAndAuthorize = (permission, operation) => {
+    return (req, res, next) => {
+        logger.info(`Access attempt: ${operation}, User: ${req.auth?.user?.id || 'API Key'}`);
+
+        // Use the authorize middleware with the specified permission
+        authorize(permission)(req, res, next);
+    };
+};
+
+module.exports = {
+    authorize,
+    authorizeWorkflow,
+    authorizeNode,
+    authorizeConnection,
+    authorizeCredential,
+    authorizeAdmin,
+    logAndAuthorize
+}; 

package/src/middleware/logging.js

@@ -0,0 +1,64 @@
+/**
+ * Logging Middleware
+ * 
+ * Contains middleware functions for HTTP request logging
+ */
+
+const { logger } = require('../utils/logger');
+const { logSecurityEvent } = require('../utils/securityLogger');
+
+/**
+ * Logs MCP requests for debugging and security purposes
+ * 
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const logMcpRequest = (req, res, next) => {
+    // Log basic request info
+    logger.debug(`MCP Request: ${req.method} ${req.path}`);
+
+    // Extract user ID if available
+    const userId = req.auth?.user?.id || 'anonymous';
+
+    // Log request details without sensitive information
+    if (req.body && Object.keys(req.body).length > 0) {
+        // Create a sanitized copy of the request body for logging
+        const sanitizedBody = { ...req.body };
+
+        // Redact sensitive information from parameters
+        if (sanitizedBody.parameters) {
+            const sensitiveKeys = ['apiKey', 'token', 'password', 'secret', 'key', 'auth'];
+
+            for (const key of Object.keys(sanitizedBody.parameters)) {
+                if (sensitiveKeys.some(sk => key.toLowerCase().includes(sk))) {
+                    sanitizedBody.parameters[key] = '[REDACTED]';
+                }
+            }
+        }
+
+        logger.debug(`Request Body: ${JSON.stringify(sanitizedBody)}`);
+    }
+
+    // Log security event for non-GET requests
+    if (req.method !== 'GET') {
+        logSecurityEvent({
+            level: 'info',
+            eventType: 'mcp_request',
+            userId,
+            ip: req.ip || req.connection.remoteAddress,
+            details: {
+                method: req.method,
+                path: req.path,
+                userAgent: req.headers['user-agent'] || 'unknown'
+            }
+        });
+    }
+
+    // Call next middleware
+    next();
+};
+
+module.exports = {
+    logMcpRequest
+}; 

package/src/middleware/mcp.js

@@ -0,0 +1,187 @@
+/**
+ * MCP Protocol Middleware
+ * 
+ * Handles validation and processing of MCP protocol requests
+ */
+
+const Ajv = require('ajv');
+const { logger } = require('../utils/logger');
+const { createErrorResponse } = require('../utils/mcp');
+const { logValidationFailure } = require('../utils/securityLogger');
+const { toolDefinitions } = require('../tools/toolDefinitions');
+
+// Initialize AJV
+const ajv = new Ajv({ allErrors: true });
+
+// Create schema for MCP requests
+const toolRequestSchema = {
+    type: 'object',
+    required: ['name', 'parameters'],
+    additionalProperties: false,
+    properties: {
+        name: { type: 'string' },
+        parameters: {
+            type: 'object',
+            additionalProperties: true
+        }
+    }
+};
+
+/**
+ * Validate tool request against schema
+ * 
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next middleware function
+ */
+const validateToolRequest = (req, res, next) => {
+    // Extract tool info from request
+    const { name, parameters = {} } = req.body;
+
+    // Basic request format validation
+    const validate = ajv.compile(toolRequestSchema);
+    const valid = validate(req.body);
+
+    if (!valid) {
+        const errors = validate.errors.map(err =>
+            `${err.instancePath} ${err.message}`
+        ).join('; ');
+
+        // Log the validation error
+        logger.warn(`MCP protocol validation error: ${errors}`);
+
+        // Security logging
+        const clientIp = req.ip || req.connection.remoteAddress;
+        const userId = req.auth ? (req.auth.user ? req.auth.user.id : null) : null;
+
+        logValidationFailure({
+            ip: clientIp,
+            userId,
+            endpoint: req.path,
+            method: req.method,
+            violationType: 'mcp_protocol_validation',
+            inputField: 'request_format'
+        });
+
+        const errorResponse = createErrorResponse(
+            `Invalid request format: ${errors}`,
+            'INVALID_REQUEST_FORMAT',
+            400
+        );
+        return res.status(errorResponse.status).json({ error: errorResponse.error });
+    }
+
+    // Validate tool existence and parameter types if tool exists
+    const toolDef = toolDefinitions[name];
+    if (toolDef) {
+        // Create a validator for this tool's input schema
+        if (toolDef.input_schema && toolDef.input_schema.properties) {
+            try {
+                const inputValidator = ajv.compile(toolDef.input_schema);
+                const paramsValid = inputValidator(parameters);
+
+                if (!paramsValid) {
+                    const paramErrors = inputValidator.errors.map(err =>
+                        `${err.instancePath} ${err.message}`
+                    ).join('; ');
+
+                    // Log the validation error
+                    logger.warn(`Tool parameter validation error for ${name}: ${paramErrors}`);
+
+                    // Security logging
+                    const clientIp = req.ip || req.connection.remoteAddress;
+                    const userId = req.auth ? (req.auth.user ? req.auth.user.id : null) : null;
+
+                    logValidationFailure({
+                        ip: clientIp,
+                        userId,
+                        endpoint: req.path,
+                        method: req.method,
+                        violationType: 'tool_parameter_validation',
+                        inputField: name
+                    });
+
+                    const errorResponse = createErrorResponse(
+                        `Invalid parameters for tool ${name}: ${paramErrors}`,
+                        'INVALID_TOOL_PARAMETERS',
+                        400
+                    );
+                    return res.status(errorResponse.status).json({ error: errorResponse.error });
+                }
+            } catch (err) {
+                logger.error(`Error validating parameters for tool ${name}: ${err.message}`);
+            }
+        }
+    }
+
+    // Continue to the next middleware
+    next();
+};
+
+/**
+ * Sanitizes input parameters to prevent injection attacks
+ */
+const sanitizeParameters = (parameters) => {
+    // Recursive function to sanitize all string values
+    const sanitizeObject = (obj) => {
+        for (const key in obj) {
+            const value = obj[key];
+
+            if (typeof value === 'string') {
+                // Basic sanitization for strings
+                obj[key] = sanitizeString(value);
+            } else if (value !== null && typeof value === 'object') {
+                // Recursively sanitize nested objects and arrays
+                sanitizeObject(value);
+            }
+        }
+    };
+
+    sanitizeObject(parameters);
+};
+
+/**
+ * Sanitizes a string to prevent common injection attacks
+ */
+const sanitizeString = (str) => {
+    // Replace potentially dangerous characters/patterns
+    // This is a simple example - in production, use a proper sanitization library
+    return str
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#x27;')
+        .replace(/\//g, '&#x2F;');
+};
+
+/**
+ * Logs MCP requests for debugging
+ */
+const logMcpRequest = (req, res, next) => {
+    // Only run in development mode
+    if (process.env.NODE_ENV !== 'production') {
+        logger.debug(`MCP Request: ${req.method} ${req.path}`);
+        if (req.body && Object.keys(req.body).length > 0) {
+            // Avoid logging sensitive data in parameters
+            const sanitizedBody = { ...req.body };
+            if (sanitizedBody.parameters) {
+                // Replace potentially sensitive parameter values with "[REDACTED]"
+                const sensitiveKeys = ['apiKey', 'token', 'password', 'secret'];
+                for (const key of Object.keys(sanitizedBody.parameters)) {
+                    if (sensitiveKeys.some(sk => key.toLowerCase().includes(sk))) {
+                        sanitizedBody.parameters[key] = '[REDACTED]';
+                    }
+                }
+            }
+            logger.debug(`Request Body: ${JSON.stringify(sanitizedBody)}`);
+        }
+    }
+    next();
+};
+
+module.exports = {
+    validateToolRequest,
+    logMcpRequest,
+    sanitizeParameters,
+    sanitizeString
+};