🔒 feat: Add MCP server domain restrictions for remote transports (#11013)

* 🔒 feat: Add MCP server domain restrictions for remote transports * 🔒 feat: Implement comprehensive MCP error handling and domain validation - Added `handleMCPError` function to centralize error responses for domain restrictions and inspection failures. - Introduced custom error classes: `MCPDomainNotAllowedError` and `MCPInspectionFailedError` for better error management. - Updated MCP server controllers to utilize the new error handling mechanism. - Enhanced domain validation logic in `createMCPTools` and `createMCPTool` functions to prevent operations on disallowed domains. - Added tests for runtime domain validation scenarios to ensure correct behavior. * chore: import order * 🔒 feat: Enhance domain validation in MCP tools with user role-based restrictions - Integrated `getAppConfig` to fetch allowed domains based on user roles in `createMCPTools` and `createMCPTool` functions. - Removed the deprecated `getAllowedDomains` method from `MCPServersRegistry`. - Updated tests to verify domain restrictions are applied correctly based on user roles. - Ensured that domain validation logic is consistent and efficient across tool creation processes. * 🔒 test: Refactor MCP tests to utilize configurable app settings - Introduced a mock for `getAppConfig` to enhance test flexibility. - Removed redundant mock definition to streamline test setup. - Ensured tests are aligned with the latest domain validation logic. --------- Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com> Co-authored-by: Danny Avila <danny@librechat.ai>
2025-12-20 10:20:15 +01:00 · 2025-12-18 19:57:49 +01:00 · 2025-12-18 19:57:49 +01:00 · 95a69df70e
commit 95a69df70e
parent 98294755ee
19 changed files with 815 additions and 75 deletions
--- a/packages/api/src/auth/domain.spec.ts
+++ b/packages/api/src/auth/domain.spec.ts
@ -1,5 +1,10 @@
 /* eslint-disable @typescript-eslint/ban-ts-comment */
-import { isEmailDomainAllowed, isActionDomainAllowed } from './domain';
+import {
+  isEmailDomainAllowed,
+  isActionDomainAllowed,
+  extractMCPServerDomain,
+  isMCPDomainAllowed,
+} from './domain';

 describe('isEmailDomainAllowed', () => {
  afterEach(() => {
@ -213,3 +218,209 @@ describe('isActionDomainAllowed', () => {
    });
  });
 });
+
+describe('extractMCPServerDomain', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('URL extraction', () => {
+    it('should extract domain from HTTPS URL', () => {
+      const config = { url: 'https://api.example.com/sse' };
+      expect(extractMCPServerDomain(config)).toBe('api.example.com');
+    });
+
+    it('should extract domain from HTTP URL', () => {
+      const config = { url: 'http://api.example.com/sse' };
+      expect(extractMCPServerDomain(config)).toBe('api.example.com');
+    });
+
+    it('should extract domain from WebSocket URL', () => {
+      const config = { url: 'wss://ws.example.com' };
+      expect(extractMCPServerDomain(config)).toBe('ws.example.com');
+    });
+
+    it('should handle URL with port', () => {
+      const config = { url: 'https://localhost:3001/sse' };
+      expect(extractMCPServerDomain(config)).toBe('localhost');
+    });
+
+    it('should strip www prefix', () => {
+      const config = { url: 'https://www.example.com/api' };
+      expect(extractMCPServerDomain(config)).toBe('example.com');
+    });
+
+    it('should handle URL with path and query parameters', () => {
+      const config = { url: 'https://api.example.com/v1/sse?token=abc' };
+      expect(extractMCPServerDomain(config)).toBe('api.example.com');
+    });
+  });
+
+  describe('stdio transports (no URL)', () => {
+    it('should return null for stdio transport with command only', () => {
+      const config = { command: 'npx', args: ['-y', '@modelcontextprotocol/server-puppeteer'] };
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+
+    it('should return null when url is undefined', () => {
+      const config = { command: 'node', args: ['server.js'] };
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+
+    it('should return null for empty object', () => {
+      const config = {};
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+  });
+
+  describe('invalid URLs', () => {
+    it('should return null for invalid URL format', () => {
+      const config = { url: 'not-a-valid-url' };
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+
+    it('should return null for empty URL string', () => {
+      const config = { url: '' };
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+
+    it('should return null for non-string url', () => {
+      const config = { url: 12345 };
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+
+    it('should return null for null url', () => {
+      const config = { url: null };
+      expect(extractMCPServerDomain(config)).toBeNull();
+    });
+  });
+});
+
+describe('isMCPDomainAllowed', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('stdio transports (always allowed)', () => {
+    it('should allow stdio transport regardless of allowlist', async () => {
+      const config = { command: 'npx', args: ['-y', '@modelcontextprotocol/server-puppeteer'] };
+      expect(await isMCPDomainAllowed(config, ['example.com'])).toBe(true);
+    });
+
+    it('should allow stdio transport even with empty allowlist', async () => {
+      const config = { command: 'node', args: ['server.js'] };
+      expect(await isMCPDomainAllowed(config, [])).toBe(true);
+    });
+
+    it('should allow stdio transport when no URL present', async () => {
+      const config = {};
+      expect(await isMCPDomainAllowed(config, ['restricted.com'])).toBe(true);
+    });
+  });
+
+  describe('permissive defaults (no restrictions)', () => {
+    it('should allow all domains when allowedDomains is null', async () => {
+      const config = { url: 'https://any-domain.com/sse' };
+      expect(await isMCPDomainAllowed(config, null)).toBe(true);
+    });
+
+    it('should allow all domains when allowedDomains is undefined', async () => {
+      const config = { url: 'https://any-domain.com/sse' };
+      expect(await isMCPDomainAllowed(config, undefined)).toBe(true);
+    });
+
+    it('should allow all domains when allowedDomains is empty array', async () => {
+      const config = { url: 'https://any-domain.com/sse' };
+      expect(await isMCPDomainAllowed(config, [])).toBe(true);
+    });
+  });
+
+  describe('exact domain matching', () => {
+    const allowedDomains = ['example.com', 'localhost', 'trusted-mcp.com'];
+
+    it('should allow exact domain match', async () => {
+      const config = { url: 'https://example.com/api' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(true);
+    });
+
+    it('should allow localhost', async () => {
+      const config = { url: 'http://localhost:3001/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(true);
+    });
+
+    it('should reject non-allowed domain', async () => {
+      const config = { url: 'https://malicious.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(false);
+    });
+
+    it('should reject subdomain when only parent is allowed', async () => {
+      const config = { url: 'https://api.example.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(false);
+    });
+  });
+
+  describe('wildcard domain matching', () => {
+    const allowedDomains = ['*.example.com', 'localhost'];
+
+    it('should allow subdomain with wildcard', async () => {
+      const config = { url: 'https://api.example.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(true);
+    });
+
+    it('should allow any subdomain with wildcard', async () => {
+      const config = { url: 'https://staging.example.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(true);
+    });
+
+    it('should allow base domain with wildcard', async () => {
+      const config = { url: 'https://example.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(true);
+    });
+
+    it('should allow nested subdomain with wildcard', async () => {
+      const config = { url: 'https://deep.nested.example.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(true);
+    });
+
+    it('should reject different domain even with wildcard', async () => {
+      const config = { url: 'https://api.other.com/sse' };
+      expect(await isMCPDomainAllowed(config, allowedDomains)).toBe(false);
+    });
+  });
+
+  describe('case insensitivity', () => {
+    it('should match domains case-insensitively', async () => {
+      const config = { url: 'https://EXAMPLE.COM/sse' };
+      expect(await isMCPDomainAllowed(config, ['example.com'])).toBe(true);
+    });
+
+    it('should match with uppercase in allowlist', async () => {
+      const config = { url: 'https://example.com/sse' };
+      expect(await isMCPDomainAllowed(config, ['EXAMPLE.COM'])).toBe(true);
+    });
+
+    it('should match with mixed case', async () => {
+      const config = { url: 'https://Api.Example.Com/sse' };
+      expect(await isMCPDomainAllowed(config, ['*.example.com'])).toBe(true);
+    });
+  });
+
+  describe('www prefix handling', () => {
+    it('should strip www prefix from URL before matching', async () => {
+      const config = { url: 'https://www.example.com/sse' };
+      expect(await isMCPDomainAllowed(config, ['example.com'])).toBe(true);
+    });
+
+    it('should match www in allowlist to non-www URL', async () => {
+      const config = { url: 'https://example.com/sse' };
+      expect(await isMCPDomainAllowed(config, ['www.example.com'])).toBe(true);
+    });
+  });
+
+  describe('invalid URL handling', () => {
+    it('should allow config with invalid URL (treated as stdio)', async () => {
+      const config = { url: 'not-a-valid-url' };
+      expect(await isMCPDomainAllowed(config, ['example.com'])).toBe(true);
+    });
+  });
+});
--- a/packages/api/src/auth/domain.ts
+++ b/packages/api/src/auth/domain.ts
@ -96,3 +96,45 @@ export async function isActionDomainAllowed(

  return false;
 }
+
+/**
+ * Extracts domain from MCP server config URL.
+ * Returns null for stdio transports (no URL) or invalid URLs.
+ * @param config - MCP server configuration (accepts any config with optional url field)
+ */
+export function extractMCPServerDomain(config: Record<string, unknown>): string | null {
+  const url = config.url;
+  // Stdio transports don't have URLs - always allowed
+  if (!url || typeof url !== 'string') {
+    return null;
+  }
+
+  try {
+    const parsedUrl = new URL(url);
+    return parsedUrl.hostname.replace(/^www\./i, '');
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Validates MCP server domain against allowedDomains.
+ * Reuses isActionDomainAllowed for consistent validation logic.
+ * Stdio transports (no URL) are always allowed.
+ * @param config - MCP server configuration with optional url field
+ * @param allowedDomains - List of allowed domains (with wildcard support)
+ */
+export async function isMCPDomainAllowed(
+  config: Record<string, unknown>,
+  allowedDomains?: string[] | null,
+): Promise<boolean> {
+  const domain = extractMCPServerDomain(config);
+
+  // Stdio transports don't have domains - always allowed
+  if (!domain) {
+    return true;
+  }
+
+  // Reuse existing validation logic (includes wildcard support)
+  return isActionDomainAllowed(domain, allowedDomains);
+}
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@ -9,6 +9,7 @@ export * from './mcp/connection';
 export * from './mcp/oauth';
 export * from './mcp/auth';
 export * from './mcp/zod';
+export * from './mcp/errors';
 /* Utilities */
 export * from './mcp/utils';
 export * from './utils';
--- a/packages/api/src/mcp/errors.ts
+++ b/packages/api/src/mcp/errors.ts
@ -0,0 +1,61 @@
+/**
+ * MCP-specific error classes
+ */
+
+export const MCPErrorCodes = {
+  DOMAIN_NOT_ALLOWED: 'MCP_DOMAIN_NOT_ALLOWED',
+  INSPECTION_FAILED: 'MCP_INSPECTION_FAILED',
+} as const;
+
+export type MCPErrorCode = (typeof MCPErrorCodes)[keyof typeof MCPErrorCodes];
+
+/**
+ * Custom error for MCP domain restriction violations.
+ * Thrown when a user attempts to connect to an MCP server whose domain is not in the allowlist.
+ */
+export class MCPDomainNotAllowedError extends Error {
+  public readonly code = MCPErrorCodes.DOMAIN_NOT_ALLOWED;
+  public readonly statusCode = 403;
+  public readonly domain: string;
+
+  constructor(domain: string) {
+    super(`Domain "${domain}" is not allowed`);
+    this.name = 'MCPDomainNotAllowedError';
+    this.domain = domain;
+    Object.setPrototypeOf(this, MCPDomainNotAllowedError.prototype);
+  }
+}
+
+/**
+ * Custom error for MCP server inspection failures.
+ * Thrown when attempting to connect/inspect an MCP server fails.
+ */
+export class MCPInspectionFailedError extends Error {
+  public readonly code = MCPErrorCodes.INSPECTION_FAILED;
+  public readonly statusCode = 400;
+  public readonly serverName: string;
+
+  constructor(serverName: string, cause?: Error) {
+    super(`Failed to connect to MCP server "${serverName}"`);
+    this.name = 'MCPInspectionFailedError';
+    this.serverName = serverName;
+    if (cause) {
+      this.cause = cause;
+    }
+    Object.setPrototypeOf(this, MCPInspectionFailedError.prototype);
+  }
+}
+
+/**
+ * Type guard to check if an error is an MCPDomainNotAllowedError
+ */
+export function isMCPDomainNotAllowedError(error: unknown): error is MCPDomainNotAllowedError {
+  return error instanceof MCPDomainNotAllowedError;
+}
+
+/**
+ * Type guard to check if an error is an MCPInspectionFailedError
+ */
+export function isMCPInspectionFailedError(error: unknown): error is MCPInspectionFailedError {
+  return error instanceof MCPInspectionFailedError;
+}
--- a/packages/api/src/mcp/registry/MCPServerInspector.ts
+++ b/packages/api/src/mcp/registry/MCPServerInspector.ts
@ -2,7 +2,9 @@ import { Constants } from 'librechat-data-provider';
 import type { JsonSchemaType } from '@librechat/data-schemas';
 import type { MCPConnection } from '~/mcp/connection';
 import type * as t from '~/mcp/types';
+import { isMCPDomainAllowed, extractMCPServerDomain } from '~/auth/domain';
 import { MCPConnectionFactory } from '~/mcp/MCPConnectionFactory';
+import { MCPDomainNotAllowedError } from '~/mcp/errors';
 import { detectOAuthRequirement } from '~/mcp/oauth';
 import { isEnabled } from '~/utils';

@ -24,13 +26,22 @@ export class MCPServerInspector {
   * @param serverName - The name of the server (used for tool function naming)
   * @param rawConfig - The raw server configuration
   * @param connection - The MCP connection
+   * @param allowedDomains - Optional list of allowed domains for remote transports
   * @returns A fully processed and enriched configuration with server metadata
   */
  public static async inspect(
    serverName: string,
    rawConfig: t.MCPOptions,
    connection?: MCPConnection,
+    allowedDomains?: string[] | null,
  ): Promise<t.ParsedServerConfig> {
+    // Validate domain against allowlist BEFORE attempting connection
+    const isDomainAllowed = await isMCPDomainAllowed(rawConfig, allowedDomains);
+    if (!isDomainAllowed) {
+      const domain = extractMCPServerDomain(rawConfig);
+      throw new MCPDomainNotAllowedError(domain ?? 'unknown');
+    }
+
    const start = Date.now();
    const inspector = new MCPServerInspector(serverName, rawConfig, connection);
    await inspector.inspectServer();
--- a/packages/api/src/mcp/registry/MCPServersRegistry.ts
+++ b/packages/api/src/mcp/registry/MCPServersRegistry.ts
@ -1,6 +1,7 @@
 import { logger } from '@librechat/data-schemas';
 import type { IServerConfigsRepositoryInterface } from './ServerConfigsRepositoryInterface';
 import type * as t from '~/mcp/types';
+import { MCPInspectionFailedError, isMCPDomainNotAllowedError } from '~/mcp/errors';
 import { ServerConfigsCacheFactory } from './cache/ServerConfigsCacheFactory';
 import { MCPServerInspector } from './MCPServerInspector';
 import { ServerConfigsDB } from './db/ServerConfigsDB';
@ -20,14 +21,19 @@ export class MCPServersRegistry {

  private readonly dbConfigsRepo: IServerConfigsRepositoryInterface;
  private readonly cacheConfigsRepo: IServerConfigsRepositoryInterface;
+  private readonly allowedDomains?: string[] | null;

-  constructor(mongoose: typeof import('mongoose')) {
+  constructor(mongoose: typeof import('mongoose'), allowedDomains?: string[] | null) {
    this.dbConfigsRepo = new ServerConfigsDB(mongoose);
    this.cacheConfigsRepo = ServerConfigsCacheFactory.create('App', false);
+    this.allowedDomains = allowedDomains;
  }

  /** Creates and initializes the singleton MCPServersRegistry instance */
-  public static createInstance(mongoose: typeof import('mongoose')): MCPServersRegistry {
+  public static createInstance(
+    mongoose: typeof import('mongoose'),
+    allowedDomains?: string[] | null,
+  ): MCPServersRegistry {
    if (!mongoose) {
      throw new Error(
        'MCPServersRegistry creation failed: mongoose instance is required for database operations. ' +
@ -39,7 +45,7 @@ export class MCPServersRegistry {
      return MCPServersRegistry.instance;
    }
    logger.info('[MCPServersRegistry] Creating new instance');
-    MCPServersRegistry.instance = new MCPServersRegistry(mongoose);
+    MCPServersRegistry.instance = new MCPServersRegistry(mongoose, allowedDomains);
    return MCPServersRegistry.instance;
  }

@ -80,10 +86,19 @@ export class MCPServersRegistry {
    const configRepo = this.getConfigRepository(storageLocation);
    let parsedConfig: t.ParsedServerConfig;
    try {
-      parsedConfig = await MCPServerInspector.inspect(serverName, config);
+      parsedConfig = await MCPServerInspector.inspect(
+        serverName,
+        config,
+        undefined,
+        this.allowedDomains,
+      );
    } catch (error) {
      logger.error(`[MCPServersRegistry] Failed to inspect server "${serverName}":`, error);
-      throw new Error(`MCP_INSPECTION_FAILED: Failed to connect to MCP server "${serverName}"`);
+      // Preserve domain-specific error for better error handling
+      if (isMCPDomainNotAllowedError(error)) {
+        throw error;
+      }
+      throw new MCPInspectionFailedError(serverName, error as Error);
    }
    return await configRepo.add(serverName, parsedConfig, userId);
  }
@ -113,10 +128,19 @@ export class MCPServersRegistry {

    let parsedConfig: t.ParsedServerConfig;
    try {
-      parsedConfig = await MCPServerInspector.inspect(serverName, configForInspection);
+      parsedConfig = await MCPServerInspector.inspect(
+        serverName,
+        configForInspection,
+        undefined,
+        this.allowedDomains,
+      );
    } catch (error) {
      logger.error(`[MCPServersRegistry] Failed to inspect server "${serverName}":`, error);
-      throw new Error(`MCP_INSPECTION_FAILED: Failed to connect to MCP server "${serverName}"`);
+      // Preserve domain-specific error for better error handling
+      if (isMCPDomainNotAllowedError(error)) {
+        throw error;
+      }
+      throw new MCPInspectionFailedError(serverName, error as Error);
    }
    await configRepo.update(serverName, parsedConfig, userId);
    return parsedConfig;
--- a/packages/api/src/mcp/registry/tests/MCPServersInitializer.test.ts
+++ b/packages/api/src/mcp/registry/tests/MCPServersInitializer.test.ts
@ -224,18 +224,38 @@ describe('MCPServersInitializer', () => {
    it('should process all server configs through inspector', async () => {
      await MCPServersInitializer.initialize(testConfigs);

-      // Verify all configs were processed by inspector (without connection parameter)
+      // Verify all configs were processed by inspector
+      // Signature: inspect(serverName, rawConfig, connection?, allowedDomains?)
      expect(mockInspect).toHaveBeenCalledTimes(5);
-      expect(mockInspect).toHaveBeenCalledWith('disabled_server', testConfigs.disabled_server);
-      expect(mockInspect).toHaveBeenCalledWith('oauth_server', testConfigs.oauth_server);
-      expect(mockInspect).toHaveBeenCalledWith('file_tools_server', testConfigs.file_tools_server);
+      expect(mockInspect).toHaveBeenCalledWith(
+        'disabled_server',
+        testConfigs.disabled_server,
+        undefined,
+        undefined,
+      );
+      expect(mockInspect).toHaveBeenCalledWith(
+        'oauth_server',
+        testConfigs.oauth_server,
+        undefined,
+        undefined,
+      );
+      expect(mockInspect).toHaveBeenCalledWith(
+        'file_tools_server',
+        testConfigs.file_tools_server,
+        undefined,
+        undefined,
+      );
      expect(mockInspect).toHaveBeenCalledWith(
        'search_tools_server',
        testConfigs.search_tools_server,
+        undefined,
+        undefined,
      );
      expect(mockInspect).toHaveBeenCalledWith(
        'remote_no_oauth_server',
        testConfigs.remote_no_oauth_server,
+        undefined,
+        undefined,
      );
    });