Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-16 16:30:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

🏗️ feat: Dynamic MCP Server Infrastructure with Access Control (#10787)

Browse source 
* Feature: Dynamic MCP Server with Full UI Management

* 🚦 feat: Add MCP Connection Status icons to MCPBuilder panel (#10805)

* feature: Add MCP server connection status icons to MCPBuilder panel

* refactor: Simplify MCPConfigDialog rendering in MCPBuilderPanel

---------

Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
Co-authored-by: Danny Avila <danny@librechat.ai>

* fix: address code review feedback for MCP server management

- Fix OAuth secret preservation to avoid mutating input parameter
  by creating a merged config copy in ServerConfigsDB.update()

- Improve error handling in getResourcePermissionsMap to propagate
  critical errors instead of silently returning empty Map

- Extract duplicated MCP server filter logic by exposing selectableServers
  from useMCPServerManager hook and using it in MCPSelect component

* test: Update PermissionService tests to throw errors on invalid resource types

- Changed the test for handling invalid resource types to ensure it throws an error instead of returning an empty permissions map.
- Updated the expectation to check for the specific error message when an invalid resource type is provided.

* feat: Implement retry logic for MCP server creation to handle race conditions

- Enhanced the createMCPServer method to include retry logic with exponential backoff for handling duplicate key errors during concurrent server creation.
- Updated tests to verify that all concurrent requests succeed and that unique server names are generated.
- Added a helper function to identify MongoDB duplicate key errors, improving error handling during server creation.

* refactor: StatusIcon to use CircleCheck for connected status

- Replaced the PlugZap icon with CircleCheck in the ConnectedStatusIcon component to better represent the connected state.
- Ensured consistent icon usage across the component for improved visual clarity.

* test: Update AccessControlService tests to throw errors on invalid resource types

- Modified the test for invalid resource types to ensure it throws an error with a specific message instead of returning an empty permissions map.
- This change enhances error handling and improves test coverage for the AccessControlService.

* fix: Update error message for missing server name in MCP server retrieval

- Changed the error message returned when the server name is not provided from 'MCP ID is required' to 'Server name is required' for better clarity and accuracy in the API response.

---------

Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
Co-authored-by: Danny Avila <danny@librechat.ai>
This commit is contained in:
Atef Bellaaj 2025-12-04 21:37:23 +01:00 committed by Danny Avila
parent 41c0a96d39
commit 99f8bd2ce6
No known key found for this signature in database
GPG key ID: BF31EEB2C5CA0956
103 changed files with 7978 additions and 1003 deletions
Download patch file Download diff file Expand all files Collapse all files

31
api/models/Agent.js
View file

@ -15,6 +15,29 @@ const { getMCPServerTools } = require('~/server/services/Config');
const { Agent, AclEntry } = require('~/db/models');
const { getActions } = require('./Action');
/**
* Extracts unique MCP server names from tools array
* Tools format: "toolName_mcp_serverName" or "sys__server__sys_mcp_serverName"
* @param {string[]} tools - Array of tool identifiers
* @returns {string[]} Array of unique MCP server names
*/
const extractMCPServerNames = (tools) => {
if (!tools || !Array.isArray(tools)) {
return [];
}
const serverNames = new Set();
for (const tool of tools) {
if (!tool || !tool.includes(mcp_delimiter)) {
continue;
}
const parts = tool.split(mcp_delimiter);
if (parts.length >= 2) {
serverNames.add(parts[parts.length - 1]);
}
}
return Array.from(serverNames);
};
/**
* Create an agent with the provided data.
* @param {Object} agentData - The agent data to create.
@ -34,6 +57,7 @@ const createAgent = async (agentData) => {
},
],
category: agentData.category || 'general',
mcpServerNames: extractMCPServerNames(agentData.tools),
};
return (await Agent.create(initialAgentData)).toObject();
@ -354,6 +378,13 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {
} = currentAgent.toObject();
const { $push, $pull, $addToSet, ...directUpdates } = updateData;
// Sync mcpServerNames when tools are updated
if (directUpdates.tools !== undefined) {
const mcpServerNames = extractMCPServerNames(directUpdates.tools);
directUpdates.mcpServerNames = mcpServerNames;
updateData.mcpServerNames = mcpServerNames; // Also update the original updateData
}
let actionsHash = null;
// Generate actions hash if agent has actions

52
api/server/controllers/PermissionsController.js
View file

@ -4,13 +4,15 @@
const mongoose = require('mongoose');
const { logger } = require('@librechat/data-schemas');
const { ResourceType, PrincipalType } = require('librechat-data-provider');
const { ResourceType, PrincipalType, PermissionBits } = require('librechat-data-provider');
const {
bulkUpdateResourcePermissions,
ensureGroupPrincipalExists,
getEffectivePermissions,
ensurePrincipalExists,
getAvailableRoles,
findAccessibleResources,
getResourcePermissionsMap,
} = require('~/server/services/PermissionService');
const { AclEntry } = require('~/db/models');
const {
@ -475,10 +477,58 @@ const searchPrincipals = async (req, res) => {
}
};
/**
* Get user's effective permissions for all accessible resources of a type
* @route GET /api/permissions/{resourceType}/effective/all
*/
const getAllEffectivePermissions = async (req, res) => {
try {
const { resourceType } = req.params;
validateResourceType(resourceType);
const { id: userId } = req.user;
// Find all resources the user has at least VIEW access to
const accessibleResourceIds = await findAccessibleResources({
userId,
role: req.user.role,
resourceType,
requiredPermissions: PermissionBits.VIEW,
});
if (accessibleResourceIds.length === 0) {
return res.status(200).json({});
}
// Get effective permissions for all accessible resources
const permissionsMap = await getResourcePermissionsMap({
userId,
role: req.user.role,
resourceType,
resourceIds: accessibleResourceIds,
});
// Convert Map to plain object for JSON response
const result = {};
for (const [resourceId, permBits] of permissionsMap) {
result[resourceId] = permBits;
}
res.status(200).json(result);
} catch (error) {
logger.error('Error getting all effective permissions:', error);
res.status(500).json({
error: 'Failed to get all effective permissions',
details: error.message,
});
}
};
module.exports = {
updateResourcePermissions,
getResourcePermissions,
getResourceRoles,
getUserEffectivePermissions,
getAllEffectivePermissions,
searchPrincipals,
};

2
api/server/controllers/UserController.js
View file

@ -317,7 +317,7 @@ const maybeUninstallOAuthMCP = async (userId, pluginKey, appConfig) => {
const serverConfig =
(await getMCPServersRegistry().getServerConfig(serverName, userId)) ??
appConfig?.mcpServers?.[serverName];
const oauthServers = await getMCPServersRegistry().getOAuthServers();
const oauthServers = await getMCPServersRegistry().getOAuthServers(userId);
if (!oauthServers.has(serverName)) {
// this server does not use OAuth, so nothing to do here as well
return;

112
api/server/controllers/mcp.js
View file

@ -1,9 +1,12 @@
/**
* MCP Tools Controller
* Handles MCP-specific tool endpoints, decoupled from regular LibreChat tools
*
* @import { MCPServerRegistry } from '@librechat/api'
* @import { MCPServerDocument } from 'librechat-data-provider'
*/
const { logger } = require('@librechat/data-schemas');
const { Constants } = require('librechat-data-provider');
const { Constants, MCPServerUserInputSchema } = require('librechat-data-provider');
const { cacheMCPServerTools, getMCPServerTools } = require('~/server/services/Config');
const { getMCPManager, getMCPServersRegistry } = require('~/config');
@ -133,7 +136,6 @@ const getMCPServersList = async (req, res) => {
if (!userId) {
return res.status(401).json({ message: 'Unauthorized' });
}
// TODO - Ensure DB servers loaded into registry (configs only)
// 2. Get all server configs from registry (YAML + DB)
const serverConfigs = await getMCPServersRegistry().getAllServerConfigs(userId);
@ -145,7 +147,113 @@ const getMCPServersList = async (req, res) => {
}
};
/**
* Create MCP server
* @route POST /api/mcp/servers
*/
const createMCPServerController = async (req, res) => {
try {
const userId = req.user?.id;
const { config } = req.body;
const validation = MCPServerUserInputSchema.safeParse(config);
if (!validation.success) {
return res.status(400).json({
message: 'Invalid configuration',
errors: validation.error.errors,
});
}
const result = await getMCPServersRegistry().addServer(
'temp_server_name',
validation.data,
'DB',
userId,
);
res.status(201).json({
serverName: result.serverName,
...result.config,
});
} catch (error) {
logger.error('[createMCPServer]', error);
res.status(500).json({ message: error.message });
}
};
/**
* Get MCP server by ID
*/
const getMCPServerById = async (req, res) => {
try {
const userId = req.user?.id;
const { serverName } = req.params;
if (!serverName) {
return res.status(400).json({ message: 'Server name is required' });
}
const parsedConfig = await getMCPServersRegistry().getServerConfig(serverName, userId);
if (!parsedConfig) {
return res.status(404).json({ message: 'MCP server not found' });
}
res.status(200).json(parsedConfig);
} catch (error) {
logger.error('[getMCPServerById]', error);
res.status(500).json({ message: error.message });
}
};
/**
* Update MCP server
* @route PATCH /api/mcp/servers/:serverName
*/
const updateMCPServerController = async (req, res) => {
try {
const userId = req.user?.id;
const { serverName } = req.params;
const { config } = req.body;
const validation = MCPServerUserInputSchema.safeParse(config);
if (!validation.success) {
return res.status(400).json({
message: 'Invalid configuration',
errors: validation.error.errors,
});
}
const parsedConfig = await getMCPServersRegistry().updateServer(
serverName,
validation.data,
'DB',
userId,
);
res.status(200).json(parsedConfig);
} catch (error) {
logger.error('[updateMCPServer]', error);
res.status(500).json({ message: error.message });
}
};
/**
* Delete MCP server
* @route DELETE /api/mcp/servers/:serverName
*/
const deleteMCPServerController = async (req, res) => {
try {
const userId = req.user?.id;
const { serverName } = req.params;
await getMCPServersRegistry().removeServer(serverName, 'DB', userId);
res.status(200).json({ message: 'MCP server deleted successfully' });
} catch (error) {
logger.error('[deleteMCPServer]', error);
res.status(500).json({ message: error.message });
}
};
module.exports = {
getMCPTools,
getMCPServersList,
createMCPServerController,
getMCPServerById,
updateMCPServerController,
deleteMCPServerController,
};

61
api/server/middleware/accessResources/canAccessMCPServerResource.js Normal file
View file

@ -0,0 +1,61 @@
const { ResourceType } = require('librechat-data-provider');
const { canAccessResource } = require('./canAccessResource');
const { findMCPServerById } = require('~/models');
/**
* MCP Server ID resolver function
* Resolves custom MCP server ID (e.g., "mcp_abc123") to MongoDB ObjectId
*
* @param {string} mcpServerCustomId - Custom MCP server ID from route parameter
* @returns {Promise<Object|null>} MCP server document with _id field, or null if not found
*/
const resolveMCPServerId = async (mcpServerCustomId) => {
return await findMCPServerById(mcpServerCustomId);
};
/**
* MCP Server-specific middleware factory that creates middleware to check MCP server access permissions.
* This middleware extends the generic canAccessResource to handle MCP server custom ID resolution.
*
* @param {Object} options - Configuration options
* @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
* @param {string} [options.resourceIdParam='serverName'] - The name of the route parameter containing the MCP server custom ID
* @returns {Function} Express middleware function
*
* @example
* // Basic usage for viewing MCP servers
* router.get('/servers/:serverName',
* canAccessMCPServerResource({ requiredPermission: 1 }),
* getMCPServer
* );
*
* @example
* // Custom resource ID parameter and edit permission
* router.patch('/servers/:id',
* canAccessMCPServerResource({
* requiredPermission: 2,
* resourceIdParam: 'id'
* }),
* updateMCPServer
* );
*/
const canAccessMCPServerResource = (options) => {
const { requiredPermission, resourceIdParam = 'serverName' } = options;
if (!requiredPermission || typeof requiredPermission !== 'number') {
throw new Error(
'canAccessMCPServerResource: requiredPermission is required and must be a number',
);
}
return canAccessResource({
resourceType: ResourceType.MCPSERVER,
requiredPermission,
resourceIdParam,
idResolver: resolveMCPServerId,
});
};
module.exports = {
canAccessMCPServerResource,
};

627
api/server/middleware/accessResources/canAccessMCPServerResource.spec.js Normal file
View file

@ -0,0 +1,627 @@
const mongoose = require('mongoose');
const { ResourceType, PrincipalType, PrincipalModel } = require('librechat-data-provider');
const { MongoMemoryServer } = require('mongodb-memory-server');
const { canAccessMCPServerResource } = require('./canAccessMCPServerResource');
const { User, Role, AclEntry } = require('~/db/models');
const { createMCPServer } = require('~/models');
describe('canAccessMCPServerResource middleware', () => {
let mongoServer;
let req, res, next;
let testUser;
beforeAll(async () => {
mongoServer = await MongoMemoryServer.create();
const mongoUri = mongoServer.getUri();
await mongoose.connect(mongoUri);
});
afterAll(async () => {
await mongoose.disconnect();
await mongoServer.stop();
});
beforeEach(async () => {
await mongoose.connection.dropDatabase();
await Role.create({
name: 'test-role',
permissions: {
MCPSERVERS: {
USE: true,
CREATE: true,
SHARED_GLOBAL: false,
},
},
});
// Create a test user
testUser = await User.create({
email: 'test@example.com',
name: 'Test User',
username: 'testuser',
role: 'test-role',
});
req = {
user: { id: testUser._id, role: testUser.role },
params: {},
};
res = {
status: jest.fn().mockReturnThis(),
json: jest.fn(),
};
next = jest.fn();
jest.clearAllMocks();
});
describe('middleware factory', () => {
test('should throw error if requiredPermission is not provided', () => {
expect(() => canAccessMCPServerResource({})).toThrow(
'canAccessMCPServerResource: requiredPermission is required and must be a number',
);
});
test('should throw error if requiredPermission is not a number', () => {
expect(() => canAccessMCPServerResource({ requiredPermission: '1' })).toThrow(
'canAccessMCPServerResource: requiredPermission is required and must be a number',
);
});
test('should throw error if requiredPermission is null', () => {
expect(() => canAccessMCPServerResource({ requiredPermission: null })).toThrow(
'canAccessMCPServerResource: requiredPermission is required and must be a number',
);
});
test('should create middleware with default resourceIdParam (serverName)', () => {
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
expect(typeof middleware).toBe('function');
expect(middleware.length).toBe(3); // Express middleware signature
});
test('should create middleware with custom resourceIdParam', () => {
const middleware = canAccessMCPServerResource({
requiredPermission: 2,
resourceIdParam: 'mcpId',
});
expect(typeof middleware).toBe('function');
expect(middleware.length).toBe(3);
});
});
describe('permission checking with real MCP servers', () => {
test('should allow access when user is the MCP server author', async () => {
// Create an MCP server owned by the test user
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Test MCP Server',
},
author: testUser._id,
});
// Create ACL entry for the author (owner permissions)
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15, // All permissions (1+2+4+8)
grantedBy: testUser._id,
});
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); // VIEW permission
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
expect(res.status).not.toHaveBeenCalled();
});
test('should deny access when user is not the author and has no ACL entry', async () => {
// Create an MCP server owned by a different user
const otherUser = await User.create({
email: 'other@example.com',
name: 'Other User',
username: 'otheruser',
role: 'test-role',
});
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Other User MCP Server',
},
author: otherUser._id,
});
// Create ACL entry for the other user (owner)
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: otherUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15, // All permissions
grantedBy: otherUser._id,
});
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); // VIEW permission
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith({
error: 'Forbidden',
message: 'Insufficient permissions to access this mcpServer',
});
});
test('should allow access when user has ACL entry with sufficient permissions', async () => {
// Create an MCP server owned by a different user
const otherUser = await User.create({
email: 'other2@example.com',
name: 'Other User 2',
username: 'otheruser2',
role: 'test-role',
});
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Shared MCP Server',
},
author: otherUser._id,
});
// Create ACL entry granting view permission to test user
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 1, // VIEW permission
grantedBy: otherUser._id,
});
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); // VIEW permission
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
expect(res.status).not.toHaveBeenCalled();
});
test('should deny access when ACL permissions are insufficient', async () => {
// Create an MCP server owned by a different user
const otherUser = await User.create({
email: 'other3@example.com',
name: 'Other User 3',
username: 'otheruser3',
role: 'test-role',
});
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Limited Access MCP Server',
},
author: otherUser._id,
});
// Create ACL entry granting only view permission
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 1, // VIEW permission only
grantedBy: otherUser._id,
});
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 2 }); // EDIT permission required
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith({
error: 'Forbidden',
message: 'Insufficient permissions to access this mcpServer',
});
});
test('should handle non-existent MCP server', async () => {
req.params.serverName = 'non-existent-mcp-server';
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(404);
expect(res.json).toHaveBeenCalledWith({
error: 'Not Found',
message: 'mcpServer not found',
});
});
test('should use custom resourceIdParam', async () => {
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Custom Param MCP Server',
},
author: testUser._id,
});
// Create ACL entry for the author
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15, // All permissions
grantedBy: testUser._id,
});
req.params.mcpId = mcpServer.serverName; // Using custom param name
const middleware = canAccessMCPServerResource({
requiredPermission: 1,
resourceIdParam: 'mcpId',
});
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
expect(res.status).not.toHaveBeenCalled();
});
});
describe('permission levels', () => {
let mcpServer;
beforeEach(async () => {
mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Permission Test MCP Server',
},
author: testUser._id,
});
// Create ACL entry with all permissions for the owner
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15, // All permissions (1+2+4+8)
grantedBy: testUser._id,
});
req.params.serverName = mcpServer.serverName;
});
test('should support view permission (1)', async () => {
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
});
test('should support edit permission (2)', async () => {
const middleware = canAccessMCPServerResource({ requiredPermission: 2 });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
});
test('should support delete permission (4)', async () => {
const middleware = canAccessMCPServerResource({ requiredPermission: 4 });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
});
test('should support share permission (8)', async () => {
const middleware = canAccessMCPServerResource({ requiredPermission: 8 });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
});
test('should support combined permissions', async () => {
const viewAndEdit = 1 | 2; // 3
const middleware = canAccessMCPServerResource({ requiredPermission: viewAndEdit });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
});
});
describe('integration with resolveMCPServerId', () => {
test('should resolve serverName to MongoDB ObjectId correctly', async () => {
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Integration Test MCP Server',
},
author: testUser._id,
});
// Create ACL entry for the author
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15, // All permissions
grantedBy: testUser._id,
});
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
// Verify that req.resourceAccess was set correctly
expect(req.resourceAccess).toBeDefined();
expect(req.resourceAccess.resourceType).toBe(ResourceType.MCPSERVER);
expect(req.resourceAccess.resourceId.toString()).toBe(mcpServer._id.toString());
expect(req.resourceAccess.customResourceId).toBe(mcpServer.serverName);
});
test('should work with MCP server CRUD operations', async () => {
// Create MCP server
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'CRUD Test MCP Server',
description: 'Testing integration',
},
author: testUser._id,
});
// Create ACL entry for the author
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15, // All permissions
grantedBy: testUser._id,
});
req.params.serverName = mcpServer.serverName;
// Test view access
const viewMiddleware = canAccessMCPServerResource({ requiredPermission: 1 });
await viewMiddleware(req, res, next);
expect(next).toHaveBeenCalled();
jest.clearAllMocks();
// Update the MCP server
const { updateMCPServer } = require('~/models');
await updateMCPServer(mcpServer.serverName, {
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'CRUD Test MCP Server',
description: 'Updated description',
},
});
// Test edit access
const editMiddleware = canAccessMCPServerResource({ requiredPermission: 2 });
await editMiddleware(req, res, next);
expect(next).toHaveBeenCalled();
});
test('should handle stdio type MCP server', async () => {
const mcpServer = await createMCPServer({
config: {
type: 'stdio',
command: 'node',
args: ['server.js'],
title: 'Stdio MCP Server',
},
author: testUser._id,
});
// Create ACL entry for the author
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer._id,
permBits: 15,
grantedBy: testUser._id,
});
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
expect(req.resourceAccess.resourceInfo.config.type).toBe('stdio');
});
});
describe('authentication and authorization edge cases', () => {
test('should return 400 when serverName parameter is missing', async () => {
// Don't set req.params.serverName
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(400);
expect(res.json).toHaveBeenCalledWith({
error: 'Bad Request',
message: 'serverName is required',
});
});
test('should return 401 when user is not authenticated', async () => {
req.user = null;
req.params.serverName = 'some-server';
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(401);
expect(res.json).toHaveBeenCalledWith({
error: 'Unauthorized',
message: 'Authentication required',
});
});
test('should return 401 when user id is missing', async () => {
req.user = { role: 'test-role' }; // No id
req.params.serverName = 'some-server';
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(401);
expect(res.json).toHaveBeenCalledWith({
error: 'Unauthorized',
message: 'Authentication required',
});
});
test('should allow admin users to bypass permission checks', async () => {
const { SystemRoles } = require('librechat-data-provider');
// Create an MCP server owned by another user
const otherUser = await User.create({
email: 'owner@example.com',
name: 'Owner User',
username: 'owneruser',
role: 'test-role',
});
const mcpServer = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Admin Test MCP Server',
},
author: otherUser._id,
});
// Set user as admin
req.user = { id: testUser._id, role: SystemRoles.ADMIN };
req.params.serverName = mcpServer.serverName;
const middleware = canAccessMCPServerResource({ requiredPermission: 4 }); // DELETE permission
await middleware(req, res, next);
expect(next).toHaveBeenCalled();
expect(res.status).not.toHaveBeenCalled();
});
});
describe('error handling', () => {
test('should handle server returning null gracefully (treated as not found)', async () => {
// When an MCP server is not found, findMCPServerById returns null
// which the middleware correctly handles as a 404
req.params.serverName = 'definitely-non-existent-server';
const middleware = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware(req, res, next);
expect(next).not.toHaveBeenCalled();
expect(res.status).toHaveBeenCalledWith(404);
expect(res.json).toHaveBeenCalledWith({
error: 'Not Found',
message: 'mcpServer not found',
});
});
});
describe('multiple servers with same title', () => {
test('should handle MCP servers with auto-generated suffixes', async () => {
// Create multiple servers with the same title (will have different serverNames)
const mcpServer1 = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp1',
title: 'Duplicate Title',
},
author: testUser._id,
});
const mcpServer2 = await createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp2',
title: 'Duplicate Title',
},
author: testUser._id,
});
// Create ACL entries for both
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer1._id,
permBits: 15,
grantedBy: testUser._id,
});
await AclEntry.create({
principalType: PrincipalType.USER,
principalId: testUser._id,
principalModel: PrincipalModel.USER,
resourceType: ResourceType.MCPSERVER,
resourceId: mcpServer2._id,
permBits: 15,
grantedBy: testUser._id,
});
// Verify they have different serverNames
expect(mcpServer1.serverName).toBe('duplicate-title');
expect(mcpServer2.serverName).toBe('duplicate-title-2');
// Test access to first server
req.params.serverName = mcpServer1.serverName;
const middleware1 = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware1(req, res, next);
expect(next).toHaveBeenCalled();
expect(req.resourceAccess.resourceId.toString()).toBe(mcpServer1._id.toString());
jest.clearAllMocks();
// Test access to second server
req.params.serverName = mcpServer2.serverName;
const middleware2 = canAccessMCPServerResource({ requiredPermission: 1 });
await middleware2(req, res, next);
expect(next).toHaveBeenCalled();
expect(req.resourceAccess.resourceId.toString()).toBe(mcpServer2._id.toString());
});
});
});

2
api/server/middleware/accessResources/index.js
View file

@ -3,6 +3,7 @@ const { canAccessAgentResource } = require('./canAccessAgentResource');
const { canAccessAgentFromBody } = require('./canAccessAgentFromBody');
const { canAccessPromptViaGroup } = require('./canAccessPromptViaGroup');
const { canAccessPromptGroupResource } = require('./canAccessPromptGroupResource');
const { canAccessMCPServerResource } = require('./canAccessMCPServerResource');
module.exports = {
canAccessResource,
@ -10,4 +11,5 @@ module.exports = {
canAccessAgentFromBody,
canAccessPromptViaGroup,
canAccessPromptGroupResource,
canAccessMCPServerResource,
};

226
api/server/routes/__tests__/mcp.spec.js
View file

@ -7,6 +7,9 @@ const mockRegistryInstance = {
getServerConfig: jest.fn(),
getOAuthServers: jest.fn(),
getAllServerConfigs: jest.fn(),
addServer: jest.fn(),
updateServer: jest.fn(),
removeServer: jest.fn(),
};
jest.mock('@librechat/api', () => ({
@ -24,6 +27,7 @@ jest.mock('@librechat/api', () => ({
deleteUserTokens: jest.fn(),
},
getUserMCPAuthMap: jest.fn(),
generateCheckAccess: jest.fn(() => (req, res, next) => next()),
MCPServersRegistry: {
getInstance: () => mockRegistryInstance,
},
@ -57,6 +61,7 @@ jest.mock('~/models', () => ({
createToken: jest.fn(),
deleteTokens: jest.fn(),
findPluginAuthsByKeys: jest.fn(),
getRoleByName: jest.fn(),
}));
jest.mock('~/server/services/Config', () => ({
@ -92,6 +97,7 @@ jest.mock('~/cache', () => ({
jest.mock('~/server/middleware', () => ({
requireJwtAuth: (req, res, next) => next(),
canAccessMCPServerResource: () => (req, res, next) => next(),
}));
jest.mock('~/server/services/Tools/mcp', () => ({
@ -1488,4 +1494,224 @@ describe('MCP Routes', () => {
expect(response.body).toEqual({ error: 'Database error' });
});
});
describe('POST /servers', () => {
it('should create MCP server with valid SSE config', async () => {
const validConfig = {
type: 'sse',
url: 'https://mcp-server.example.com/sse',
title: 'Test SSE Server',
description: 'A test SSE server',
};
mockRegistryInstance.addServer.mockResolvedValue({
serverName: 'test-sse-server',
config: validConfig,
});
const response = await request(app).post('/api/mcp/servers').send({ config: validConfig });
expect(response.status).toBe(201);
expect(response.body).toEqual({
serverName: 'test-sse-server',
...validConfig,
});
expect(mockRegistryInstance.addServer).toHaveBeenCalledWith(
'temp_server_name',
expect.objectContaining({
type: 'sse',
url: 'https://mcp-server.example.com/sse',
}),
'DB',
'test-user-id',
);
});
it('should create MCP server with valid stdio config', async () => {
const validConfig = {
type: 'stdio',
command: 'node',
args: ['server.js'],
title: 'Test Stdio Server',
};
mockRegistryInstance.addServer.mockResolvedValue({
serverName: 'test-stdio-server',
config: validConfig,
});
const response = await request(app).post('/api/mcp/servers').send({ config: validConfig });
expect(response.status).toBe(201);
expect(response.body.serverName).toBe('test-stdio-server');
});
it('should return 400 for invalid configuration', async () => {
const invalidConfig = {
type: 'sse',
// Missing required 'url' field
title: 'Invalid Server',
};
const response = await request(app).post('/api/mcp/servers').send({ config: invalidConfig });
expect(response.status).toBe(400);
expect(response.body.message).toBe('Invalid configuration');
expect(response.body.errors).toBeDefined();
});
it('should return 400 for SSE config with invalid URL protocol', async () => {
const invalidConfig = {
type: 'sse',
url: 'ws://invalid-protocol.example.com/sse',
title: 'Invalid Protocol Server',
};
const response = await request(app).post('/api/mcp/servers').send({ config: invalidConfig });
expect(response.status).toBe(400);
expect(response.body.message).toBe('Invalid configuration');
});
it('should return 500 when registry throws error', async () => {
const validConfig = {
type: 'sse',
url: 'https://mcp-server.example.com/sse',
title: 'Test Server',
};
mockRegistryInstance.addServer.mockRejectedValue(new Error('Database connection failed'));
const response = await request(app).post('/api/mcp/servers').send({ config: validConfig });
expect(response.status).toBe(500);
expect(response.body).toEqual({ message: 'Database connection failed' });
});
});
describe('GET /servers/:serverName', () => {
it('should return server config when found', async () => {
const mockConfig = {
type: 'sse',
url: 'https://mcp-server.example.com/sse',
title: 'Test Server',
};
mockRegistryInstance.getServerConfig.mockResolvedValue(mockConfig);
const response = await request(app).get('/api/mcp/servers/test-server');
expect(response.status).toBe(200);
expect(response.body).toEqual(mockConfig);
expect(mockRegistryInstance.getServerConfig).toHaveBeenCalledWith(
'test-server',
'test-user-id',
);
});
it('should return 404 when server not found', async () => {
mockRegistryInstance.getServerConfig.mockResolvedValue(null);
const response = await request(app).get('/api/mcp/servers/non-existent-server');
expect(response.status).toBe(404);
expect(response.body).toEqual({ message: 'MCP server not found' });
});
it('should return 500 when registry throws error', async () => {
mockRegistryInstance.getServerConfig.mockRejectedValue(new Error('Database error'));
const response = await request(app).get('/api/mcp/servers/error-server');
expect(response.status).toBe(500);
expect(response.body).toEqual({ message: 'Database error' });
});
});
describe('PATCH /servers/:serverName', () => {
it('should update server with valid config', async () => {
const updatedConfig = {
type: 'sse',
url: 'https://updated-mcp-server.example.com/sse',
title: 'Updated Server',
description: 'Updated description',
};
mockRegistryInstance.updateServer.mockResolvedValue(updatedConfig);
const response = await request(app)
.patch('/api/mcp/servers/test-server')
.send({ config: updatedConfig });
expect(response.status).toBe(200);
expect(response.body).toEqual(updatedConfig);
expect(mockRegistryInstance.updateServer).toHaveBeenCalledWith(
'test-server',
expect.objectContaining({
type: 'sse',
url: 'https://updated-mcp-server.example.com/sse',
}),
'DB',
'test-user-id',
);
});
it('should return 400 for invalid configuration', async () => {
const invalidConfig = {
type: 'sse',
// Missing required 'url' field
title: 'Invalid Update',
};
const response = await request(app)
.patch('/api/mcp/servers/test-server')
.send({ config: invalidConfig });
expect(response.status).toBe(400);
expect(response.body.message).toBe('Invalid configuration');
expect(response.body.errors).toBeDefined();
});
it('should return 500 when registry throws error', async () => {
const validConfig = {
type: 'sse',
url: 'https://mcp-server.example.com/sse',
title: 'Test Server',
};
mockRegistryInstance.updateServer.mockRejectedValue(new Error('Update failed'));
const response = await request(app)
.patch('/api/mcp/servers/test-server')
.send({ config: validConfig });
expect(response.status).toBe(500);
expect(response.body).toEqual({ message: 'Update failed' });
});
});
describe('DELETE /servers/:serverName', () => {
it('should delete server successfully', async () => {
mockRegistryInstance.removeServer.mockResolvedValue(undefined);
const response = await request(app).delete('/api/mcp/servers/test-server');
expect(response.status).toBe(200);
expect(response.body).toEqual({ message: 'MCP server deleted successfully' });
expect(mockRegistryInstance.removeServer).toHaveBeenCalledWith(
'test-server',
'DB',
'test-user-id',
);
});
it('should return 500 when registry throws error', async () => {
mockRegistryInstance.removeServer.mockRejectedValue(new Error('Deletion failed'));
const response = await request(app).delete('/api/mcp/servers/error-server');
expect(response.status).toBe(500);
expect(response.body).toEqual({ message: 'Deletion failed' });
});
});
});

15
api/server/routes/accessPermissions.js
View file

@ -2,6 +2,7 @@ const express = require('express');
const { ResourceType, PermissionBits } = require('librechat-data-provider');
const {
getUserEffectivePermissions,
getAllEffectivePermissions,
updateResourcePermissions,
getResourcePermissions,
getResourceRoles,
@ -9,6 +10,7 @@ const {
} = require('~/server/controllers/PermissionsController');
const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');
const { findMCPServerById } = require('~/models');
const router = express.Router();
@ -63,6 +65,13 @@ router.put(
requiredPermission: PermissionBits.SHARE,
resourceIdParam: 'resourceId',
});
} else if (resourceType === ResourceType.MCPSERVER) {
middleware = canAccessResource({
resourceType: ResourceType.MCPSERVER,
requiredPermission: PermissionBits.SHARE,
resourceIdParam: 'resourceId',
idResolver: findMCPServerById,
});
} else {
return res.status(400).json({
error: 'Bad Request',
@ -76,6 +85,12 @@ router.put(
updateResourcePermissions,
);
/**
* GET /api/permissions/{resourceType}/effective/all
* Get user's effective permissions for all accessible resources of a type
*/
router.get('/:resourceType/effective/all', getAllEffectivePermissions);
/**
* GET /api/permissions/{resourceType}/{resourceId}/effective
* Get user's effective permissions for a specific resource

106
api/server/routes/mcp.js
View file

@ -1,11 +1,18 @@
const { Router } = require('express');
const { logger } = require('@librechat/data-schemas');
const { CacheKeys, Constants } = require('librechat-data-provider');
const {
CacheKeys,
Constants,
PermissionBits,
PermissionTypes,
Permissions,
} = require('librechat-data-provider');
const {
createSafeUser,
MCPOAuthHandler,
MCPTokenStorage,
getUserMCPAuthMap,
generateCheckAccess,
} = require('@librechat/api');
const {
getMCPManager,
@ -14,15 +21,22 @@ const {
getMCPServersRegistry,
} = require('~/config');
const { getMCPSetupData, getServerConnectionStatus } = require('~/server/services/MCP');
const { requireJwtAuth, canAccessMCPServerResource } = require('~/server/middleware');
const { findToken, updateToken, createToken, deleteTokens } = require('~/models');
const { getUserPluginAuthValue } = require('~/server/services/PluginService');
const { updateMCPServerTools } = require('~/server/services/Config/mcp');
const { reinitMCPServer } = require('~/server/services/Tools/mcp');
const { getMCPServersList } = require('~/server/controllers/mcp');
const { getMCPTools } = require('~/server/controllers/mcp');
const { requireJwtAuth } = require('~/server/middleware');
const { findPluginAuthsByKeys } = require('~/models');
const { getRoleByName } = require('~/models/Role');
const { getLogStores } = require('~/cache');
const {
createMCPServerController,
getMCPServerById,
getMCPServersList,
updateMCPServerController,
deleteMCPServerController,
} = require('~/server/controllers/mcp');
const router = Router();
@ -573,11 +587,93 @@ async function getOAuthHeaders(serverName, userId) {
const serverConfig = await getMCPServersRegistry().getServerConfig(serverName, userId);
return serverConfig?.oauth_headers ?? {};
}
/**
MCP Server CRUD Routes (User-Managed MCP Servers)
*/
// Permission checkers for MCP server management
const checkMCPUsePermissions = generateCheckAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permissions: [Permissions.USE],
getRoleByName,
});
const checkMCPCreate = generateCheckAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permissions: [Permissions.USE, Permissions.CREATE],
getRoleByName,
});
/**
* Get list of accessible MCP servers
* @route GET /api/mcp/servers
* @returns {MCPServersListResponse} 200 - Success response - application/json
* @param {Object} req.query - Query parameters for pagination and search
* @param {number} [req.query.limit] - Number of results per page
* @param {string} [req.query.after] - Pagination cursor
* @param {string} [req.query.search] - Search query for title/description
* @returns {MCPServerListResponse} 200 - Success response - application/json
*/
router.get('/servers', requireJwtAuth, getMCPServersList);
router.get('/servers', requireJwtAuth, checkMCPUsePermissions, getMCPServersList);
/**
* Create a new MCP server
* @route POST /api/mcp/servers
* @param {MCPServerCreateParams} req.body - The MCP server creation parameters.
* @returns {MCPServer} 201 - Success response - application/json
*/
router.post('/servers', requireJwtAuth, checkMCPCreate, createMCPServerController);
/**
* Get single MCP server by ID
* @route GET /api/mcp/servers/:serverName
* @param {string} req.params.serverName - MCP server identifier.
* @returns {MCPServer} 200 - Success response - application/json
*/
router.get(
'/servers/:serverName',
requireJwtAuth,
checkMCPUsePermissions,
canAccessMCPServerResource({
requiredPermission: PermissionBits.VIEW,
resourceIdParam: 'serverName',
}),
getMCPServerById,
);
/**
* Update MCP server
* @route PATCH /api/mcp/servers/:serverName
* @param {string} req.params.serverName - MCP server identifier.
* @param {MCPServerUpdateParams} req.body - The MCP server update parameters.
* @returns {MCPServer} 200 - Success response - application/json
*/
router.patch(
'/servers/:serverName',
requireJwtAuth,
checkMCPCreate,
canAccessMCPServerResource({
requiredPermission: PermissionBits.EDIT,
resourceIdParam: 'serverName',
}),
updateMCPServerController,
);
/**
* Delete MCP server
* @route DELETE /api/mcp/servers/:serverName
* @param {string} req.params.serverName - MCP server identifier.
* @returns {Object} 200 - Success response - application/json
*/
router.delete(
'/servers/:serverName',
requireJwtAuth,
checkMCPCreate,
canAccessMCPServerResource({
requiredPermission: PermissionBits.DELETE,
resourceIdParam: 'serverName',
}),
deleteMCPServerController,
);
module.exports = router;

12
api/server/routes/roles.js
View file

@ -8,6 +8,7 @@ const {
memoryPermissionsSchema,
marketplacePermissionsSchema,
peoplePickerPermissionsSchema,
mcpServersPermissionsSchema,
} = require('librechat-data-provider');
const { checkAdmin, requireJwtAuth } = require('~/server/middleware');
const { updateRoleByName, getRoleByName } = require('~/models/Role');
@ -40,6 +41,11 @@ const permissionConfigs = {
permissionType: PermissionTypes.PEOPLE_PICKER,
errorMessage: 'Invalid people picker permissions.',
},
'mcp-servers': {
schema: mcpServersPermissionsSchema,
permissionType: PermissionTypes.MCP_SERVERS,
errorMessage: 'Invalid MCP servers permissions.',
},
marketplace: {
schema: marketplacePermissionsSchema,
permissionType: PermissionTypes.MARKETPLACE,
@ -142,6 +148,12 @@ router.put('/:roleName/memories', checkAdmin, createPermissionUpdateHandler('mem
*/
router.put('/:roleName/people-picker', checkAdmin, createPermissionUpdateHandler('people-picker'));
/**
* PUT /api/roles/:roleName/mcp-servers
* Update MCP servers permissions for a specific role
*/
router.put('/:roleName/mcp-servers', checkAdmin, createPermissionUpdateHandler('mcp-servers'));
/**
* PUT /api/roles/:roleName/marketplace
* Update marketplace permissions for a specific role

2
api/server/services/MCP.js
View file

@ -541,7 +541,7 @@ async function getServerConnectionStatus(
oauthServers,
) {
const connection = appConnections.get(serverName) || userConnections.get(serverName);
const isStaleOrDoNotExist = connection ? connection?.isStale(config.lastUpdatedAt) : true;
const isStaleOrDoNotExist = connection ? connection?.isStale(config.updatedAt) : true;
const baseConnectionState = isStaleOrDoNotExist
? 'disconnected'

2
api/server/services/MCP.spec.js
View file

@ -330,7 +330,7 @@ describe('tests for the new helper functions used by the MCP connection status e
describe('getServerConnectionStatus', () => {
const mockUserId = 'user-123';
const mockServerName = 'test-server';
const mockConfig = { lastUpdatedAt: Date.now() };
const mockConfig = { updatedAt: Date.now() };
it('should return app connection state when available', async () => {
const appConnections = new Map([

45
api/server/services/PermissionService.js
View file

@ -12,6 +12,7 @@ const {
const {
findAccessibleResources: findAccessibleResourcesACL,
getEffectivePermissions: getEffectivePermissionsACL,
getEffectivePermissionsForResources: getEffectivePermissionsForResourcesACL,
grantPermission: grantPermissionACL,
findEntriesByPrincipalsAndResource,
findGroupByExternalId,
@ -184,6 +185,49 @@ const getEffectivePermissions = async ({ userId, role, resourceType, resourceId
}
};
/**
* Get effective permissions for multiple resources in a batch operation
* Returns map of resourceId effectivePermissionBits
*
* @param {Object} params - Parameters
* @param {string|mongoose.Types.ObjectId} params.userId - User ID
* @param {string} [params.role] - User role (for group membership)
* @param {string} params.resourceType - Resource type (must be valid ResourceType)
* @param {Array<mongoose.Types.ObjectId>} params.resourceIds - Array of resource IDs
* @returns {Promise<Map<string, number>>} Map of resourceId string permission bits
* @throws {Error} If resourceType is invalid
*/
const getResourcePermissionsMap = async ({ userId, role, resourceType, resourceIds }) => {
// Validate resource type - throw on invalid type
validateResourceType(resourceType);
// Handle empty input
if (!Array.isArray(resourceIds) || resourceIds.length === 0) {
return new Map();
}
try {
// Get user principals (user + groups + public)
const principals = await getUserPrincipals({ userId, role });
// Use batch method from aclEntry
const permissionsMap = await getEffectivePermissionsForResourcesACL(
principals,
resourceType,
resourceIds,
);
logger.debug(
`[PermissionService.getResourcePermissionsMap] Computed permissions for ${resourceIds.length} resources, ${permissionsMap.size} have permissions`,
);
return permissionsMap;
} catch (error) {
logger.error(`[PermissionService.getResourcePermissionsMap] Error: ${error.message}`, error);
throw error;
}
};
/**
* Find all resources of a specific type that a user has access to with specific permission bits
* @param {Object} params - Parameters for finding accessible resources
@ -788,6 +832,7 @@ module.exports = {
grantPermission,
checkPermission,
getEffectivePermissions,
getResourcePermissionsMap,
findAccessibleResources,
findPubliclyAccessibleResources,
hasPublicPermission,

328
api/server/services/PermissionService.spec.js
View file

@ -1604,4 +1604,332 @@ describe('PermissionService', () => {
expect(effectivePermissions).toBe(3); // EDITOR includes VIEW
});
});
describe('getResourcePermissionsMap - Batch Permission Queries', () => {
const { getResourcePermissionsMap } = require('./PermissionService');
beforeEach(async () => {
await AclEntry.deleteMany({});
getUserPrincipals.mockReset();
});
test('should get permissions for multiple resources in single query', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
const resource3 = new mongoose.Types.ObjectId();
// Grant different permissions to different resources
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource1,
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
grantedBy: grantedById,
});
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource2,
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
grantedBy: grantedById,
});
// resource3 has no permissions
// Mock getUserPrincipals
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.PUBLIC },
]);
const permissionsMap = await getResourcePermissionsMap({
userId,
resourceType: ResourceType.MCPSERVER,
resourceIds: [resource1, resource2, resource3],
});
expect(permissionsMap).toBeInstanceOf(Map);
expect(permissionsMap.size).toBe(2); // Only resource1 and resource2
expect(permissionsMap.get(resource1.toString())).toBe(1); // VIEW
expect(permissionsMap.get(resource2.toString())).toBe(3); // VIEW | EDIT
expect(permissionsMap.get(resource3.toString())).toBeUndefined();
});
test('should combine permissions from multiple principals', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
// User has VIEW on both resources
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource1,
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
grantedBy: grantedById,
});
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource2,
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
grantedBy: grantedById,
});
// Group has EDIT on resource1
await grantPermission({
principalType: PrincipalType.GROUP,
principalId: groupId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource1,
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
grantedBy: grantedById,
});
// Mock getUserPrincipals with user + group
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.GROUP, principalId: groupId },
{ principalType: PrincipalType.PUBLIC },
]);
const permissionsMap = await getResourcePermissionsMap({
userId,
resourceType: ResourceType.MCPSERVER,
resourceIds: [resource1, resource2],
});
expect(permissionsMap.size).toBe(2);
// Resource1 should have VIEW (1) | EDIT (3) = 3
expect(permissionsMap.get(resource1.toString())).toBe(3);
// Resource2 should have only VIEW (1)
expect(permissionsMap.get(resource2.toString())).toBe(1);
});
test('should handle empty resource list', async () => {
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
]);
const permissionsMap = await getResourcePermissionsMap({
userId,
resourceType: ResourceType.MCPSERVER,
resourceIds: [],
});
expect(permissionsMap).toBeInstanceOf(Map);
expect(permissionsMap.size).toBe(0);
});
test('should throw on invalid resource type', async () => {
const resource1 = new mongoose.Types.ObjectId();
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
]);
// Validation errors should throw immediately
await expect(
getResourcePermissionsMap({
userId,
resourceType: 'invalid_type',
resourceIds: [resource1],
}),
).rejects.toThrow('Invalid resourceType: invalid_type');
});
test('should include public permissions in batch query', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
// User has VIEW | EDIT on resource1
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource1,
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
grantedBy: grantedById,
});
// Public has VIEW on resource2
await grantPermission({
principalType: PrincipalType.PUBLIC,
principalId: null,
resourceType: ResourceType.MCPSERVER,
resourceId: resource2,
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
grantedBy: grantedById,
});
// Mock getUserPrincipals with user + public
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.PUBLIC },
]);
const permissionsMap = await getResourcePermissionsMap({
userId,
resourceType: ResourceType.MCPSERVER,
resourceIds: [resource1, resource2],
});
expect(permissionsMap.size).toBe(2);
expect(permissionsMap.get(resource1.toString())).toBe(3); // VIEW | EDIT
expect(permissionsMap.get(resource2.toString())).toBe(1); // VIEW (public)
});
test('should handle large batch efficiently', async () => {
// Create 50 resources
const resources = Array.from({ length: 50 }, () => new mongoose.Types.ObjectId());
// Grant permissions to first 30 resources
for (let i = 0; i < 30; i++) {
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resources[i],
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
grantedBy: grantedById,
});
}
// Grant group permissions to resources 20-40 (overlap)
for (let i = 20; i < 40; i++) {
await grantPermission({
principalType: PrincipalType.GROUP,
principalId: groupId,
resourceType: ResourceType.MCPSERVER,
resourceId: resources[i],
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
grantedBy: grantedById,
});
}
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.GROUP, principalId: groupId },
]);
const startTime = Date.now();
const permissionsMap = await getResourcePermissionsMap({
userId,
resourceType: ResourceType.MCPSERVER,
resourceIds: resources,
});
const duration = Date.now() - startTime;
// Should complete in reasonable time (under 1 second)
expect(duration).toBeLessThan(1000);
// Verify results
expect(permissionsMap.size).toBe(40); // Resources 0-39 have permissions
// Resources 0-19: USER VIEW only
for (let i = 0; i < 20; i++) {
expect(permissionsMap.get(resources[i].toString())).toBe(1); // VIEW
}
// Resources 20-29: USER VIEW | GROUP EDIT = 3
for (let i = 20; i < 30; i++) {
expect(permissionsMap.get(resources[i].toString())).toBe(3); // VIEW | EDIT
}
// Resources 30-39: GROUP EDIT = 3
for (let i = 30; i < 40; i++) {
expect(permissionsMap.get(resources[i].toString())).toBe(3); // EDIT includes VIEW
}
// Resources 40-49: No permissions
for (let i = 40; i < 50; i++) {
expect(permissionsMap.get(resources[i].toString())).toBeUndefined();
}
});
test('should work with role parameter optimization', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
// Grant permissions to ADMIN role
await grantPermission({
principalType: PrincipalType.ROLE,
principalId: 'ADMIN',
resourceType: ResourceType.MCPSERVER,
resourceId: resource1,
accessRoleId: AccessRoleIds.MCPSERVER_OWNER,
grantedBy: grantedById,
});
await grantPermission({
principalType: PrincipalType.ROLE,
principalId: 'ADMIN',
resourceType: ResourceType.MCPSERVER,
resourceId: resource2,
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
grantedBy: grantedById,
});
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.ROLE, principalId: 'ADMIN' },
{ principalType: PrincipalType.PUBLIC },
]);
const permissionsMap = await getResourcePermissionsMap({
userId,
role: 'ADMIN',
resourceType: ResourceType.MCPSERVER,
resourceIds: [resource1, resource2],
});
expect(permissionsMap.size).toBe(2);
expect(permissionsMap.get(resource1.toString())).toBe(15); // OWNER = all bits
expect(permissionsMap.get(resource2.toString())).toBe(3); // EDIT
expect(getUserPrincipals).toHaveBeenCalledWith({ userId, role: 'ADMIN' });
});
test('should handle mixed ObjectId and string resource IDs', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource1,
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
grantedBy: grantedById,
});
await grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: resource2,
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
grantedBy: grantedById,
});
getUserPrincipals.mockResolvedValue([
{ principalType: PrincipalType.USER, principalId: userId },
]);
// Pass mix of ObjectId and string
const permissionsMap = await getResourcePermissionsMap({
userId,
resourceType: ResourceType.MCPSERVER,
resourceIds: [resource1, resource2.toString()],
});
expect(permissionsMap.size).toBe(2);
expect(permissionsMap.get(resource1.toString())).toBe(1);
expect(permissionsMap.get(resource2.toString())).toBe(3);
});
});
});

27
client/src/Providers/AgentPanelContext.tsx
View file

@ -66,10 +66,16 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode })
if (mcpData?.servers) {
for (const [serverName, serverData] of Object.entries(mcpData.servers)) {
// Get title and description from config with fallbacks
const serverConfig = availableMCPServersMap?.[serverName];
const displayName = serverConfig?.title || serverName;
const displayDescription =
serverConfig?.description || `${localize('com_ui_tool_collection_prefix')} ${serverName}`;
const metadata = {
name: serverName,
name: displayName,
pluginKey: serverName,
description: `${localize('com_ui_tool_collection_prefix')} ${serverName}`,
description: displayDescription,
icon: serverData.icon || '',
authConfig: serverData.authConfig,
authenticated: serverData.authenticated,
@ -91,6 +97,7 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode })
isConfigured: configuredServers.has(serverName),
isConnected: connectionStatus?.[serverName]?.connectionState === 'connected',
metadata,
consumeOnly: serverConfig?.consumeOnly,
});
}
}
@ -100,11 +107,18 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode })
if (serversMap.has(mcpServerName)) {
continue;
}
// Get title and description from config with fallbacks
const serverConfig = availableMCPServersMap?.[mcpServerName];
const displayName = serverConfig?.title || mcpServerName;
const displayDescription =
serverConfig?.description ||
`${localize('com_ui_tool_collection_prefix')} ${mcpServerName}`;
const metadata = {
icon: '',
name: mcpServerName,
icon: serverConfig?.iconPath || '',
name: displayName,
pluginKey: mcpServerName,
description: `${localize('com_ui_tool_collection_prefix')} ${mcpServerName}`,
description: displayDescription,
} as TPlugin;
serversMap.set(mcpServerName, {
@ -113,11 +127,12 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode })
isConfigured: true,
serverName: mcpServerName,
isConnected: connectionStatus?.[mcpServerName]?.connectionState === 'connected',
consumeOnly: serverConfig?.consumeOnly,
});
}
return serversMap;
}, [mcpData, localize, mcpServerNames, connectionStatus]);
}, [mcpData, localize, mcpServerNames, connectionStatus, availableMCPServersMap]);
const value: AgentPanelContextType = {
mcp,

31
client/src/Providers/MCPPanelContext.tsx
View file

@ -1,31 +0,0 @@
import React, { createContext, useContext, useMemo } from 'react';
import { Constants } from 'librechat-data-provider';
import { useChatContext } from './ChatContext';
interface MCPPanelContextValue {
conversationId: string;
}
const MCPPanelContext = createContext<MCPPanelContextValue | undefined>(undefined);
export function MCPPanelProvider({ children }: { children: React.ReactNode }) {
const { conversation } = useChatContext();
/** Context value only created when conversationId changes */
const contextValue = useMemo<MCPPanelContextValue>(
() => ({
conversationId: conversation?.conversationId ?? Constants.NEW_CONVO,
}),
[conversation?.conversationId],
);
return <MCPPanelContext.Provider value={contextValue}>{children}</MCPPanelContext.Provider>;
}
export function useMCPPanelContext() {
const context = useContext(MCPPanelContext);
if (!context) {
throw new Error('useMCPPanelContext must be used within MCPPanelProvider');
}
return context;
}

1
client/src/Providers/index.ts
View file

@ -24,7 +24,6 @@ export * from './SearchContext';
export * from './BadgeRowContext';
export * from './SidePanelContext';
export * from './DragDropContext';
export * from './MCPPanelContext';
export * from './ArtifactsContext';
export * from './PromptGroupsContext';
export * from './MessagesViewContext';

26
client/src/common/mcp.ts
View file

@ -1,26 +0,0 @@
import {
AuthorizationTypeEnum,
AuthTypeEnum,
TokenExchangeMethodEnum,
} from 'librechat-data-provider';
import { MCPForm } from '~/common/types';
export const defaultMCPFormValues: MCPForm = {
type: AuthTypeEnum.None,
saved_auth_fields: false,
api_key: '',
authorization_type: AuthorizationTypeEnum.Basic,
custom_auth_header: '',
oauth_client_id: '',
oauth_client_secret: '',
authorization_url: '',
client_url: '',
scope: '',
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
name: '',
description: '',
url: '',
tools: [],
icon: '',
trust: false,
};

11
client/src/common/types.ts
View file

@ -153,7 +153,6 @@ export enum Panel {
actions = 'actions',
model = 'model',
version = 'version',
mcp = 'mcp',
}
export type FileSetter =
@ -177,15 +176,6 @@ export type ActionAuthForm = {
token_exchange_method: t.TokenExchangeMethodEnum;
};
export type MCPForm = ActionAuthForm & {
name?: string;
description?: string;
url?: string;
tools?: string[];
icon?: string;
trust?: boolean;
};
export type ActionWithNullableMetadata = Omit<t.Action, 'metadata'> & {
metadata: t.ActionMetadata | null;
};
@ -226,6 +216,7 @@ export interface MCPServerInfo {
tools: t.AgentToolType[];
isConfigured: boolean;
isConnected: boolean;
consumeOnly?: boolean;
metadata: t.TPlugin;
}

27
client/src/components/Chat/Input/MCPSelect.tsx
View file

@ -1,8 +1,10 @@
import React, { memo, useCallback } from 'react';
import { PermissionTypes, Permissions } from 'librechat-data-provider';
import { MultiSelect, MCPIcon } from '@librechat/client';
import MCPServerStatusIcon from '~/components/MCP/MCPServerStatusIcon';
import MCPConfigDialog from '~/components/MCP/MCPConfigDialog';
import { useBadgeRowContext } from '~/Providers';
import { useHasAccess } from '~/hooks';
function MCPSelectContent() {
const { conversationId, mcpServerManager } = useBadgeRowContext();
@ -15,16 +17,21 @@ function MCPSelectContent() {
batchToggleServers,
getConfigDialogProps,
getServerStatusIconProps,
availableMCPServers,
selectableServers,
} = mcpServerManager;
const renderSelectedValues = useCallback(
(values: string[], placeholder?: string) => {
(
values: string[],
placeholder?: string,
items?: (string | { label: string; value: string })[],
) => {
if (values.length === 0) {
return placeholder || localize('com_ui_select_placeholder');
}
if (values.length === 1) {
return values[0];
const selectedItem = items?.find((i) => typeof i !== 'string' && i.value == values[0]);
return selectedItem && typeof selectedItem !== 'string' ? selectedItem.label : values[0];
}
return localize('com_ui_x_selected', { 0: values.length });
},
@ -74,11 +81,13 @@ function MCPSelectContent() {
}
const configDialogProps = getConfigDialogProps();
return (
<>
<MultiSelect
items={availableMCPServers?.map((s) => s.serverName)}
items={selectableServers.map((s) => ({
label: s.config.title || s.serverName,
value: s.serverName,
}))}
selectedValues={mcpValues ?? []}
setSelectedValues={batchToggleServers}
renderSelectedValues={renderSelectedValues}
@ -99,9 +108,13 @@ function MCPSelectContent() {
function MCPSelect() {
const { mcpServerManager } = useBadgeRowContext();
const { availableMCPServers } = mcpServerManager;
const { selectableServers } = mcpServerManager;
const canUseMcp = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.USE,
});
if (!availableMCPServers || availableMCPServers.length === 0) {
if (!canUseMcp || !selectableServers || selectableServers.length === 0) {
return null;
}

2
client/src/components/Chat/Input/MCPSubMenu.tsx
View file

@ -112,7 +112,7 @@ const MCPSubMenu = React.forwardRef<HTMLDivElement, MCPSubMenuProps>(
>
<div className="flex flex-grow items-center gap-2">
<Ariakit.MenuItemCheck checked={isSelected} />
<span>{s.serverName}</span>
<span>{s.config.title || s.serverName}</span>
</div>
{statusIcon && <div className="ml-2 flex items-center">{statusIcon}</div>}
</Ariakit.MenuItem>

9
client/src/components/Chat/Input/ToolsDropdown.tsx
View file

@ -72,6 +72,11 @@ const ToolsDropdown = ({ disabled }: ToolsDropdownProps) => {
permission: Permissions.USE,
});
const canUseMcp = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.USE,
});
const showWebSearchSettings = useMemo(() => {
const authTypes = webSearchAuthData?.authTypes ?? [];
if (authTypes.length === 0) return true;
@ -286,8 +291,8 @@ const ToolsDropdown = ({ disabled }: ToolsDropdownProps) => {
});
}
const { configuredServers } = mcpServerManager;
if (configuredServers && configuredServers.length > 0) {
const { availableMCPServers } = mcpServerManager;
if (canUseMcp && availableMCPServers && availableMCPServers.length > 0) {
dropdownItems.push({
hideOnClick: false,
render: (props) => <MCPSubMenu {...props} placeholder={mcpPlaceholder} />,

45
client/src/components/MCP/MCPServerStatusIcon.tsx
View file

@ -1,6 +1,6 @@
import React from 'react';
import { Spinner } from '@librechat/client';
import { SettingsIcon, AlertTriangle, KeyRound, PlugZap, X } from 'lucide-react';
import { Spinner, TooltipAnchor } from '@librechat/client';
import { SettingsIcon, AlertTriangle, KeyRound, PlugZap, X, CircleCheck } from 'lucide-react';
import type { MCPServerStatus, TPlugin } from 'librechat-data-provider';
import { useLocalize } from '~/hooks';
@ -85,7 +85,13 @@ export default function MCPServerStatusIcon({
/>
);
}
return null; // No config button for connected servers without customUserVars
return (
<ConnectedStatusIcon
serverName={serverName}
requiresOAuth={requiresOAuth}
onConfigClick={onConfigClick}
/>
);
}
return null;
@ -192,3 +198,36 @@ function AuthenticatedStatusIcon({
</button>
);
}
interface ConnectedStatusProps {
serverName: string;
requiresOAuth?: boolean;
onConfigClick: (e: React.MouseEvent) => void;
}
function ConnectedStatusIcon({ serverName, requiresOAuth, onConfigClick }: ConnectedStatusProps) {
if (requiresOAuth) {
return (
<TooltipAnchor
role="button"
onClick={onConfigClick}
className="flex h-6 w-6 items-center justify-center rounded p-1 hover:bg-surface-secondary"
aria-label={localize('com_nav_mcp_configure_server', { 0: serverName })}
description={localize('com_nav_mcp_status_connected')}
side="top"
>
<CircleCheck className="h-4 w-4 text-green-500" />
</TooltipAnchor>
);
}
return (
<TooltipAnchor
className="flex h-6 w-6 items-center justify-center rounded p-1"
description={localize('com_nav_mcp_status_connected')}
side="top"
>
<CircleCheck className="h-4 w-4 text-green-500" />
</TooltipAnchor>
);
}

6
client/src/components/Sharing/PublicSharingToggle.tsx
View file

@ -16,9 +16,13 @@ interface PublicSharingToggleProps {
className?: string;
}
const accessDescriptions: Record<ResourceType, 'com_ui_agent' | 'com_ui_prompt'> = {
const accessDescriptions: Record<
ResourceType,
'com_ui_agent' | 'com_ui_prompt' | 'com_ui_mcp_server'
> = {
[ResourceType.AGENT]: 'com_ui_agent',
[ResourceType.PROMPTGROUP]: 'com_ui_prompt',
[ResourceType.MCPSERVER]: 'com_ui_mcp_server',
};
export default function PublicSharingToggle({

1
client/src/components/SidePanel/Agents/AgentConfig.tsx
View file

@ -312,6 +312,7 @@ export default function AgentConfig() {
setShowMCPToolDialog={setShowMCPToolDialog}
/>
)}
{/* Agent Tools & Actions */}
<div className="mb-4">
<label className={labelClass}>

4
client/src/components/SidePanel/Agents/AgentPanelSwitch.tsx
View file

@ -5,7 +5,6 @@ import VersionPanel from './Version/VersionPanel';
import { useChatContext } from '~/Providers';
import ActionsPanel from './ActionsPanel';
import AgentPanel from './AgentPanel';
import MCPPanel from './MCPPanel';
export default function AgentPanelSwitch() {
return (
@ -32,8 +31,5 @@ function AgentPanelSwitchWithContext() {
if (activePanel === Panel.version) {
return <VersionPanel />;
}
if (activePanel === Panel.mcp) {
return <MCPPanel />;
}
return <AgentPanel />;
}

295
client/src/components/SidePanel/Agents/MCPInput.tsx
View file

@ -1,295 +0,0 @@
import { useState, useEffect } from 'react';
import { useFormContext, Controller } from 'react-hook-form';
import { Label, Checkbox, Spinner, useToastContext } from '@librechat/client';
import type { MCP } from 'librechat-data-provider';
import MCPAuth from '~/components/SidePanel/Builder/MCPAuth';
import MCPIcon from '~/components/SidePanel/Agents/MCPIcon';
import { MCPForm } from '~/common/types';
import { useLocalize } from '~/hooks';
function useUpdateAgentMCP({
onSuccess,
onError,
}: {
onSuccess: (data: [string, MCP]) => void;
onError: (error: Error) => void;
}) {
return {
mutate: async ({
mcp_id,
metadata,
agent_id,
}: {
mcp_id?: string;
metadata: MCP['metadata'];
agent_id: string;
}) => {
try {
// TODO: Implement MCP endpoint
onSuccess(['success', { mcp_id, metadata, agent_id } as MCP]);
} catch (error) {
onError(error as Error);
}
},
isLoading: false,
};
}
interface MCPInputProps {
mcp?: MCP;
agent_id?: string;
setMCP: React.Dispatch<React.SetStateAction<MCP | undefined>>;
}
export default function MCPInput({ mcp, agent_id, setMCP }: MCPInputProps) {
const localize = useLocalize();
const { showToast } = useToastContext();
const {
handleSubmit,
register,
formState: { errors },
control,
} = useFormContext<MCPForm>();
const [isLoading, setIsLoading] = useState(false);
const [showTools, setShowTools] = useState(false);
const [selectedTools, setSelectedTools] = useState<string[]>([]);
// Initialize tools list if editing existing MCP
useEffect(() => {
if (mcp?.mcp_id && mcp.metadata.tools) {
setShowTools(true);
setSelectedTools(mcp.metadata.tools);
}
}, [mcp]);
const updateAgentMCP = useUpdateAgentMCP({
onSuccess(data) {
showToast({
message: localize('com_ui_update_mcp_success'),
status: 'success',
});
setMCP(data[1]);
setShowTools(true);
setSelectedTools(data[1].metadata.tools ?? []);
setIsLoading(false);
},
onError(error) {
showToast({
message: (error as Error).message || localize('com_ui_update_mcp_error'),
status: 'error',
});
setIsLoading(false);
},
});
const saveMCP = handleSubmit(async (data: MCPForm) => {
setIsLoading(true);
try {
const response = await updateAgentMCP.mutate({
agent_id: agent_id ?? '',
mcp_id: mcp?.mcp_id,
metadata: {
...data,
tools: selectedTools,
},
});
setMCP(response[1]);
showToast({
message: localize('com_ui_update_mcp_success'),
status: 'success',
});
} catch {
showToast({
message: localize('com_ui_update_mcp_error'),
status: 'error',
});
} finally {
setIsLoading(false);
}
});
const handleSelectAll = () => {
if (mcp?.metadata.tools) {
setSelectedTools(mcp.metadata.tools);
}
};
const handleDeselectAll = () => {
setSelectedTools([]);
};
const handleToolToggle = (tool: string) => {
setSelectedTools((prev) =>
prev.includes(tool) ? prev.filter((t) => t !== tool) : [...prev, tool],
);
};
const handleToggleAll = () => {
if (selectedTools.length === mcp?.metadata.tools?.length) {
handleDeselectAll();
} else {
handleSelectAll();
}
};
const handleIconChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const file = e.target.files?.[0];
if (file) {
const reader = new FileReader();
reader.onloadend = () => {
const base64String = reader.result as string;
setMCP({
mcp_id: mcp?.mcp_id ?? '',
agent_id: agent_id ?? '',
metadata: {
...mcp?.metadata,
icon: base64String,
},
});
};
reader.readAsDataURL(file);
}
};
return (
<div className="flex flex-col gap-4">
{/* Icon Picker */}
<div className="mb-4">
<MCPIcon icon={mcp?.metadata.icon} onIconChange={handleIconChange} />
</div>
{/* name, description, url */}
<div className="flex flex-col gap-4">
<div className="flex flex-col gap-2">
<Label htmlFor="name">{localize('com_ui_name')}</Label>
<input
id="name"
{...register('name', { required: true })}
className="border-token-border-medium flex h-9 w-full rounded-lg border bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
placeholder={localize('com_agents_mcp_name_placeholder')}
/>
{errors.name && (
<span className="text-xs text-red-500">{localize('com_ui_field_required')}</span>
)}
</div>
<div className="flex flex-col gap-2">
<Label htmlFor="description">
{localize('com_ui_description')}
<span className="ml-1 text-xs text-text-secondary-alt">
{localize('com_ui_optional')}
</span>
</Label>
<input
id="description"
{...register('description')}
className="border-token-border-medium flex h-9 w-full rounded-lg border bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
placeholder={localize('com_agents_mcp_description_placeholder')}
/>
</div>
<div className="flex flex-col gap-2">
<Label htmlFor="url">{localize('com_ui_mcp_url')}</Label>
<input
id="url"
{...register('url', {
required: true,
})}
className="border-token-border-medium flex h-9 w-full rounded-lg border bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
placeholder={'https://mcp.example.com'}
/>
{errors.url && (
<span className="text-xs text-red-500">
{errors.url.type === 'required'
? localize('com_ui_field_required')
: errors.url.message}
</span>
)}
</div>
<MCPAuth />
<div className="my-2 flex items-center gap-2">
<Controller
name="trust"
control={control}
rules={{ required: true }}
render={({ field }) => (
<Checkbox
id="trust-checkbox"
checked={field.value}
onCheckedChange={field.onChange}
aria-labelledby="trust-label"
/>
)}
/>
<Label id="trust-label" htmlFor="trust-checkbox" className="flex flex-col">
{localize('com_ui_trust_app')}
<span className="text-xs text-text-secondary">
{localize('com_agents_mcp_trust_subtext')}
</span>
</Label>
</div>
{errors.trust && (
<span className="text-xs text-red-500">{localize('com_ui_field_required')}</span>
)}
</div>
<div className="flex items-center justify-end">
<button
onClick={saveMCP}
disabled={isLoading}
className="focus:shadow-outline mt-1 flex min-w-[100px] items-center justify-center rounded bg-green-500 px-4 py-2 font-semibold text-white hover:bg-green-400 focus:border-green-500 focus:outline-none focus:ring-0 disabled:bg-green-400"
type="button"
>
{(() => {
if (isLoading) {
return <Spinner className="icon-md" />;
}
return mcp?.mcp_id ? localize('com_ui_update') : localize('com_ui_create');
})()}
</button>
</div>
{showTools && mcp?.metadata.tools && (
<div className="mt-4 flex flex-col gap-4">
<div className="flex items-center justify-between">
<h3 className="text-token-text-primary block font-medium">
{localize('com_ui_available_tools')}
</h3>
<button
onClick={handleToggleAll}
type="button"
className="btn btn-neutral border-token-border-light relative h-8 rounded-full px-4 font-medium"
>
{selectedTools.length === mcp.metadata.tools.length
? localize('com_ui_deselect_all')
: localize('com_ui_select_all')}
</button>
</div>
<div className="flex flex-col gap-2">
{mcp.metadata.tools.map((tool) => (
<label
key={tool}
htmlFor={tool}
className="border-token-border-light hover:bg-token-surface-secondary flex cursor-pointer items-center rounded-lg border p-2"
>
<Checkbox
id={tool}
checked={selectedTools.includes(tool)}
onCheckedChange={() => handleToolToggle(tool)}
className="relative float-left mr-2 inline-flex h-4 w-4 cursor-pointer"
aria-label={tool
.split('_')
.map((word) => word.charAt(0).toUpperCase() + word.slice(1))
.join(' ')}
/>
<span className="text-token-text-primary">
{tool
.split('_')
.map((word) => word.charAt(0).toUpperCase() + word.slice(1))
.join(' ')}
</span>
</label>
))}
</div>
</div>
)}
</div>
);
}

175
client/src/components/SidePanel/Agents/MCPPanel.tsx
View file

@ -1,175 +0,0 @@
import { useEffect } from 'react';
import { ChevronLeft } from 'lucide-react';
import { useForm, FormProvider } from 'react-hook-form';
import {
AuthTypeEnum,
AuthorizationTypeEnum,
TokenExchangeMethodEnum,
} from 'librechat-data-provider';
import {
Label,
OGDialog,
TrashIcon,
OGDialogTrigger,
useToastContext,
OGDialogTemplate,
} from '@librechat/client';
import type { MCPForm } from '~/common';
import { useAgentPanelContext } from '~/Providers/AgentPanelContext';
import { defaultMCPFormValues } from '~/common/mcp';
import { Panel, isEphemeralAgent } from '~/common';
import { useLocalize } from '~/hooks';
import MCPInput from './MCPInput';
function useDeleteAgentMCP({
onSuccess,
onError,
}: {
onSuccess: () => void;
onError: (error: Error) => void;
}) {
return {
mutate: async ({ mcp_id, agent_id }: { mcp_id: string; agent_id: string }) => {
try {
console.log('Mock delete MCP:', { mcp_id, agent_id });
onSuccess();
} catch (error) {
onError(error as Error);
}
},
};
}
export default function MCPPanel() {
const localize = useLocalize();
const { showToast } = useToastContext();
const { mcp, setMcp, agent_id, setActivePanel } = useAgentPanelContext();
const deleteAgentMCP = useDeleteAgentMCP({
onSuccess: () => {
showToast({
message: localize('com_ui_delete_mcp_success'),
status: 'success',
});
setActivePanel(Panel.builder);
setMcp(undefined);
},
onError(error) {
showToast({
message: (error as Error).message ?? localize('com_ui_delete_mcp_error'),
status: 'error',
});
},
});
const methods = useForm<MCPForm>({
defaultValues: defaultMCPFormValues,
mode: 'onChange',
});
const { reset } = methods;
useEffect(() => {
if (mcp) {
const formData = {
icon: mcp.metadata.icon ?? '',
name: mcp.metadata.name ?? '',
description: mcp.metadata.description ?? '',
url: mcp.metadata.url ?? '',
tools: mcp.metadata.tools ?? [],
trust: mcp.metadata.trust ?? false,
};
if (mcp.metadata.auth) {
Object.assign(formData, {
type: mcp.metadata.auth.type || AuthTypeEnum.None,
saved_auth_fields: false,
api_key: mcp.metadata.api_key ?? '',
authorization_type: mcp.metadata.auth.authorization_type || AuthorizationTypeEnum.Basic,
oauth_client_id: mcp.metadata.oauth_client_id ?? '',
oauth_client_secret: mcp.metadata.oauth_client_secret ?? '',
authorization_url: mcp.metadata.auth.authorization_url ?? '',
client_url: mcp.metadata.auth.client_url ?? '',
scope: mcp.metadata.auth.scope ?? '',
token_exchange_method:
mcp.metadata.auth.token_exchange_method ?? TokenExchangeMethodEnum.DefaultPost,
});
}
reset(formData);
}
}, [mcp, reset]);
return (
<FormProvider {...methods}>
<form className="h-full grow overflow-hidden">
<div className="h-full overflow-auto px-2 pb-12 text-sm">
<div className="relative flex flex-col items-center px-16 py-6 text-center">
<div className="absolute left-0 top-6">
<button
type="button"
className="btn btn-neutral relative"
onClick={() => {
setActivePanel(Panel.builder);
setMcp(undefined);
}}
>
<div className="flex w-full items-center justify-center gap-2">
<ChevronLeft />
</div>
</button>
</div>
{!!mcp && (
<OGDialog>
<OGDialogTrigger asChild>
<div className="absolute right-0 top-6">
<button
type="button"
disabled={isEphemeralAgent(agent_id) || !mcp.mcp_id}
className="btn btn-neutral border-token-border-light relative h-9 rounded-lg font-medium"
>
<TrashIcon className="text-red-500" />
</button>
</div>
</OGDialogTrigger>
<OGDialogTemplate
showCloseButton={false}
title={localize('com_ui_delete_mcp')}
className="max-w-[450px]"
main={
<Label className="text-left text-sm font-medium">
{localize('com_ui_delete_mcp_confirm')}
</Label>
}
selection={{
selectHandler: () => {
if (isEphemeralAgent(agent_id)) {
return showToast({
message: localize('com_agents_no_agent_id_error'),
status: 'error',
});
}
deleteAgentMCP.mutate({
mcp_id: mcp.mcp_id,
agent_id: agent_id || '',
});
},
selectClasses:
'bg-red-700 dark:bg-red-600 hover:bg-red-800 dark:hover:bg-red-800 transition-color duration-200 text-white',
selectText: localize('com_ui_delete'),
}}
/>
</OGDialog>
)}
<div className="text-xl font-medium">
{mcp ? localize('com_ui_edit_mcp_server') : localize('com_ui_add_mcp_server')}
</div>
<div className="text-xs text-text-secondary">{localize('com_agents_mcp_info')}</div>
</div>
<MCPInput mcp={mcp} agent_id={agent_id} setMCP={setMcp} />
</div>
</form>
</FormProvider>
);
}

57
client/src/components/SidePanel/Agents/MCPSection.tsx
View file

@ -1,57 +0,0 @@
import { useCallback } from 'react';
import { useLocalize } from '~/hooks';
import { useToastContext } from '@librechat/client';
import { useAgentPanelContext } from '~/Providers/AgentPanelContext';
import MCP from '~/components/SidePanel/Builder/MCP';
import { Panel, isEphemeralAgent } from '~/common';
export default function MCPSection() {
const localize = useLocalize();
const { showToast } = useToastContext();
const { mcps = [], agent_id, setMcp, setActivePanel } = useAgentPanelContext();
const handleAddMCP = useCallback(() => {
if (isEphemeralAgent(agent_id)) {
showToast({
message: localize('com_agents_mcps_disabled'),
status: 'warning',
});
return;
}
setActivePanel(Panel.mcp);
}, [agent_id, setActivePanel, showToast, localize]);
return (
<div className="mb-4">
<label className="text-token-text-primary mb-2 block font-medium">
{localize('com_ui_mcp_servers')}
</label>
<div className="space-y-2">
{mcps
.filter((mcp) => mcp.agent_id === agent_id)
.map((mcp, i) => (
<MCP
key={i}
mcp={mcp}
onClick={() => {
setMcp(mcp);
setActivePanel(Panel.mcp);
}}
/>
))}
<div className="flex space-x-2">
<button
type="button"
onClick={handleAddMCP}
className="btn btn-neutral border-token-border-light relative h-9 w-full rounded-lg font-medium"
aria-haspopup="dialog"
>
<div className="flex w-full items-center justify-center gap-2">
{localize('com_ui_add_mcp')}
</div>
</button>
</div>
</div>
</div>
);
}

11
client/src/components/SidePanel/Agents/MCPTools.tsx
View file

@ -2,8 +2,9 @@ import React from 'react';
import UninitializedMCPTool from './UninitializedMCPTool';
import UnconfiguredMCPTool from './UnconfiguredMCPTool';
import { useAgentPanelContext } from '~/Providers';
import { useLocalize } from '~/hooks';
import { useHasAccess, useLocalize } from '~/hooks';
import MCPTool from './MCPTool';
import { PermissionTypes, Permissions } from 'librechat-data-provider';
export default function MCPTools({
agentId,
@ -16,7 +17,13 @@ export default function MCPTools({
}) {
const localize = useLocalize();
const { mcpServersMap } = useAgentPanelContext();
const hasMcpAccess = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.USE,
});
if (!hasMcpAccess) {
return null;
}
return (
<div className="mb-4">
<label className="text-token-text-primary mb-2 block font-medium">

213
client/src/components/SidePanel/MCP/MCPPanel.tsx
View file

@ -1,213 +0,0 @@
import React, { useState, useCallback } from 'react';
import { ChevronLeft, Trash2 } from 'lucide-react';
import { useQueryClient } from '@tanstack/react-query';
import { Button, useToastContext } from '@librechat/client';
import { Constants, QueryKeys } from 'librechat-data-provider';
import { useUpdateUserPluginsMutation } from 'librechat-data-provider/react-query';
import type { TUpdateUserPlugins } from 'librechat-data-provider';
import ServerInitializationSection from '~/components/MCP/ServerInitializationSection';
import CustomUserVarsSection from '~/components/MCP/CustomUserVarsSection';
import { MCPPanelProvider, useMCPPanelContext } from '~/Providers';
import { useLocalize, useMCPServerManager } from '~/hooks';
import MCPPanelSkeleton from './MCPPanelSkeleton';
function MCPPanelContent() {
const localize = useLocalize();
const queryClient = useQueryClient();
const { showToast } = useToastContext();
const { conversationId } = useMCPPanelContext();
const { availableMCPServers, isLoading, connectionStatus } = useMCPServerManager({
conversationId,
});
const [selectedServerNameForEditing, setSelectedServerNameForEditing] = useState<string | null>(
null,
);
const updateUserPluginsMutation = useUpdateUserPluginsMutation({
onSuccess: async () => {
showToast({ message: localize('com_nav_mcp_vars_updated'), status: 'success' });
await Promise.all([
queryClient.invalidateQueries([QueryKeys.mcpTools]),
queryClient.invalidateQueries([QueryKeys.mcpAuthValues]),
queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]),
]);
},
onError: (error: unknown) => {
console.error('Error updating MCP auth:', error);
showToast({
message: localize('com_nav_mcp_vars_update_error'),
status: 'error',
});
},
});
const handleServerClickToEdit = (serverName: string) => {
setSelectedServerNameForEditing(serverName);
};
const handleGoBackToList = () => {
setSelectedServerNameForEditing(null);
};
const handleConfigSave = useCallback(
(targetName: string, authData: Record<string, string>) => {
console.log(
`[MCP Panel] Saving config for ${targetName}, pluginKey: ${`${Constants.mcp_prefix}${targetName}`}`,
);
const payload: TUpdateUserPlugins = {
pluginKey: `${Constants.mcp_prefix}${targetName}`,
action: 'install',
auth: authData,
};
updateUserPluginsMutation.mutate(payload);
},
[updateUserPluginsMutation],
);
const handleConfigRevoke = useCallback(
(targetName: string) => {
const payload: TUpdateUserPlugins = {
pluginKey: `${Constants.mcp_prefix}${targetName}`,
action: 'uninstall',
auth: {},
};
updateUserPluginsMutation.mutate(payload);
},
[updateUserPluginsMutation],
);
if (isLoading) {
return <MCPPanelSkeleton />;
}
if (availableMCPServers.length === 0) {
return (
<div className="p-4 text-center text-sm text-gray-500">
{localize('com_sidepanel_mcp_no_servers_with_vars')}
</div>
);
}
if (selectedServerNameForEditing) {
// Editing View
const serverBeingEdited = availableMCPServers.find(
(s) => s.serverName === selectedServerNameForEditing,
);
if (!serverBeingEdited) {
// Fallback to list view if server not found
setSelectedServerNameForEditing(null);
return (
<div className="p-4 text-center text-sm text-gray-500">
{localize('com_ui_error')}: {localize('com_ui_mcp_server_not_found')}
</div>
);
}
const serverStatus = connectionStatus?.[selectedServerNameForEditing];
const isConnected = serverStatus?.connectionState === 'connected';
return (
<div className="h-auto max-w-full space-y-4 overflow-x-hidden py-2">
<Button
variant="outline"
onClick={handleGoBackToList}
size="sm"
aria-label={localize('com_ui_back')}
>
<ChevronLeft className="mr-1 h-4 w-4" aria-hidden="true" />
{localize('com_ui_back')}
</Button>
<div className="mb-4">
<CustomUserVarsSection
serverName={selectedServerNameForEditing}
fields={serverBeingEdited.config.customUserVars || {}}
onSave={(authData) => {
if (selectedServerNameForEditing) {
handleConfigSave(selectedServerNameForEditing, authData);
}
}}
onRevoke={() => {
if (selectedServerNameForEditing) {
handleConfigRevoke(selectedServerNameForEditing);
}
}}
isSubmitting={updateUserPluginsMutation.isLoading}
/>
</div>
<ServerInitializationSection
sidePanel={true}
conversationId={conversationId}
serverName={selectedServerNameForEditing}
requiresOAuth={serverStatus?.requiresOAuth || false}
hasCustomUserVars={
serverBeingEdited.config.customUserVars &&
Object.keys(serverBeingEdited.config.customUserVars).length > 0
}
/>
{serverStatus?.requiresOAuth && isConnected && (
<Button
className="w-full"
size="sm"
variant="destructive"
onClick={() => handleConfigRevoke(selectedServerNameForEditing)}
aria-label={localize('com_ui_oauth_revoke')}
>
<Trash2 className="h-4 w-4" aria-hidden="true" />
{localize('com_ui_oauth_revoke')}
</Button>
)}
</div>
);
} else {
// Server List View
return (
<div className="h-auto max-w-full overflow-x-hidden py-2">
<div className="space-y-2">
{availableMCPServers.map((server) => {
const serverStatus = connectionStatus?.[server.serverName];
const isConnected = serverStatus?.connectionState === 'connected';
return (
<div key={server.serverName} className="flex items-center gap-2">
<Button
variant="outline"
className="flex-1 justify-start dark:hover:bg-gray-700"
onClick={() => handleServerClickToEdit(server.serverName)}
aria-label={localize('com_ui_edit_server', { serverName: server.serverName })}
>
<div className="flex items-center gap-2">
<span>{server.serverName}</span>
{serverStatus && (
<span
className={`rounded-xl px-2 py-0.5 text-xs ${
isConnected
? 'bg-green-100 text-green-700 dark:bg-green-900 dark:text-green-300'
: 'bg-gray-100 text-gray-700 dark:bg-gray-800 dark:text-gray-300'
}`}
>
{serverStatus.connectionState}
</span>
)}
</div>
</Button>
</div>
);
})}
</div>
</div>
);
}
}
export default function MCPPanel() {
return (
<MCPPanelProvider>
<MCPPanelContent />
</MCPPanelProvider>
);
}

21
client/src/components/SidePanel/MCP/MCPPanelSkeleton.tsx
View file

@ -1,21 +0,0 @@
import React from 'react';
import { Skeleton } from '@librechat/client';
export default function MCPPanelSkeleton() {
return (
<div className="space-y-6 p-2">
{[1, 2].map((serverIdx) => (
<div key={serverIdx} className="space-y-4">
<Skeleton className="h-6 w-1/3 rounded-lg" /> {/* Server Name */}
{[1, 2].map((varIdx) => (
<div key={varIdx} className="space-y-2">
<Skeleton className="h-5 w-1/4 rounded-lg" /> {/* Variable Title */}
<Skeleton className="h-8 w-full rounded-lg" /> {/* Input Field */}
<Skeleton className="h-4 w-2/3 rounded-lg" /> {/* Description */}
</div>
))}
</div>
))}
</div>
);
}

231
client/src/components/SidePanel/MCPBuilder/MCPAdminSettings.tsx Normal file
View file

@ -0,0 +1,231 @@
import { useMemo, useEffect, useState } from 'react';
import * as Ariakit from '@ariakit/react';
import { ShieldEllipsis } from 'lucide-react';
import { useForm, Controller } from 'react-hook-form';
import { Permissions, SystemRoles, roleDefaults, PermissionTypes } from 'librechat-data-provider';
import {
Button,
Switch,
OGDialog,
DropdownPopup,
OGDialogTitle,
OGDialogContent,
OGDialogTrigger,
useToastContext,
} from '@librechat/client';
import type { Control, UseFormSetValue, UseFormGetValues } from 'react-hook-form';
import { useUpdateMCPServersPermissionsMutation } from '~/data-provider';
import { useLocalize, useAuthContext } from '~/hooks';
type FormValues = Record<Permissions, boolean>;
type LabelControllerProps = {
label: string;
mcpServersPerm: Permissions;
control: Control<FormValues, unknown, FormValues>;
setValue: UseFormSetValue<FormValues>;
getValues: UseFormGetValues<FormValues>;
};
const LabelController: React.FC<LabelControllerProps> = ({
control,
mcpServersPerm,
label,
getValues,
setValue,
}) => (
<div className="mb-4 flex items-center justify-between gap-2">
<button
className="cursor-pointer select-none"
type="button"
onClick={() =>
setValue(mcpServersPerm, !getValues(mcpServersPerm), {
shouldDirty: true,
})
}
tabIndex={0}
>
{label}
</button>
<Controller
name={mcpServersPerm}
control={control}
render={({ field }) => (
<Switch
{...field}
checked={field.value}
onCheckedChange={field.onChange}
value={field.value?.toString()}
/>
)}
/>
</div>
);
const MCPAdminSettings = () => {
const localize = useLocalize();
const { showToast } = useToastContext();
const { user, roles } = useAuthContext();
const { mutate, isLoading } = useUpdateMCPServersPermissionsMutation({
onSuccess: () => {
showToast({ status: 'success', message: localize('com_ui_saved') });
},
onError: () => {
showToast({ status: 'error', message: localize('com_ui_error_save_admin_settings') });
},
});
const [isRoleMenuOpen, setIsRoleMenuOpen] = useState(false);
const [selectedRole, setSelectedRole] = useState<SystemRoles>(SystemRoles.USER);
const defaultValues = useMemo(() => {
const rolePerms = roles?.[selectedRole]?.permissions;
if (rolePerms) {
return rolePerms[PermissionTypes.MCP_SERVERS];
}
return roleDefaults[selectedRole].permissions[PermissionTypes.MCP_SERVERS];
}, [roles, selectedRole]);
const {
reset,
control,
setValue,
getValues,
handleSubmit,
formState: { isSubmitting },
} = useForm<FormValues>({
mode: 'onChange',
defaultValues,
});
useEffect(() => {
const value = roles?.[selectedRole]?.permissions?.[PermissionTypes.MCP_SERVERS];
if (value) {
reset(value);
} else {
reset(roleDefaults[selectedRole].permissions[PermissionTypes.MCP_SERVERS]);
}
}, [roles, selectedRole, reset]);
if (user?.role !== SystemRoles.ADMIN) {
return null;
}
const labelControllerData = [
{
mcpServersPerm: Permissions.USE,
label: localize('com_ui_mcp_servers_allow_use'),
},
{
mcpServersPerm: Permissions.CREATE,
label: localize('com_ui_mcp_servers_allow_create'),
},
{
mcpServersPerm: Permissions.SHARE,
label: localize('com_ui_mcp_servers_allow_share'),
},
];
const onSubmit = (data: FormValues) => {
mutate({ roleName: selectedRole, updates: data });
};
const roleDropdownItems = [
{
label: SystemRoles.USER,
onClick: () => {
setSelectedRole(SystemRoles.USER);
},
},
{
label: SystemRoles.ADMIN,
onClick: () => {
setSelectedRole(SystemRoles.ADMIN);
},
},
];
return (
<OGDialog>
<OGDialogTrigger asChild>
<Button
size={'sm'}
variant={'outline'}
className="btn btn-neutral border-token-border-light relative h-9 w-full gap-1 rounded-lg font-medium"
>
<ShieldEllipsis className="cursor-pointer" aria-hidden="true" />
{localize('com_ui_admin_settings')}
</Button>
</OGDialogTrigger>
<OGDialogContent className="border-border-light bg-surface-primary text-text-primary lg:w-1/4">
<OGDialogTitle>{`${localize('com_ui_admin_settings')} - ${localize(
'com_ui_mcp_servers',
)}`}</OGDialogTitle>
<div className="p-2">
{/* Role selection dropdown */}
<div className="flex items-center gap-2">
<span className="font-medium">{localize('com_ui_role_select')}:</span>
<DropdownPopup
unmountOnHide={true}
menuId="role-dropdown"
isOpen={isRoleMenuOpen}
setIsOpen={setIsRoleMenuOpen}
trigger={
<Ariakit.MenuButton className="inline-flex w-1/4 items-center justify-center rounded-lg border border-border-light bg-transparent px-2 py-1 text-text-primary transition-all ease-in-out hover:bg-surface-tertiary">
{selectedRole}
</Ariakit.MenuButton>
}
items={roleDropdownItems}
itemClassName="items-center justify-center"
sameWidth={true}
/>
</div>
{/* Permissions form */}
<form onSubmit={handleSubmit(onSubmit)}>
<div className="py-5">
{labelControllerData.map(({ mcpServersPerm, label }) => (
<div key={mcpServersPerm}>
<LabelController
control={control}
mcpServersPerm={mcpServersPerm}
label={label}
getValues={getValues}
setValue={setValue}
/>
{selectedRole === SystemRoles.ADMIN && mcpServersPerm === Permissions.USE && (
<>
<div className="mb-2 max-w-full whitespace-normal break-words text-sm text-red-600">
<span>{localize('com_ui_admin_access_warning')}</span>
{'\n'}
<a
href="https://www.librechat.ai/docs/configuration/librechat_yaml/object_structure/interface"
target="_blank"
rel="noreferrer"
className="text-blue-500 underline"
>
{localize('com_ui_more_info')}
</a>
</div>
</>
)}
</div>
))}
</div>
<div className="flex justify-end">
<button
type="button"
onClick={handleSubmit(onSubmit)}
disabled={isSubmitting || isLoading}
className="btn rounded bg-green-500 font-bold text-white transition-all hover:bg-green-600"
>
{localize('com_ui_save')}
</button>
</div>
</form>
</div>
</OGDialogContent>
</OGDialog>
);
};
export default MCPAdminSettings;

408
client/src/components/SidePanel/MCPBuilder/MCPAuth.tsx Normal file
View file

@ -0,0 +1,408 @@
import { useState } from 'react';
import { FormProvider, useForm, useFormContext } from 'react-hook-form';
import * as RadioGroup from '@radix-ui/react-radio-group';
import { Copy, CopyCheck } from 'lucide-react';
import {
OGDialog,
OGDialogTrigger,
OGDialogTemplate,
Button,
useToastContext,
} from '@librechat/client';
import { TranslationKeys, useLocalize, useCopyToClipboard } from '~/hooks';
import { cn } from '~/utils';
enum AuthTypeEnum {
None = 'none',
ServiceHttp = 'service_http',
OAuth = 'oauth',
}
enum AuthorizationTypeEnum {
Basic = 'basic',
Bearer = 'bearer',
Custom = 'custom',
}
// Auth configuration type
export interface AuthConfig {
auth_type?: AuthTypeEnum;
api_key?: string;
api_key_authorization_type?: AuthorizationTypeEnum;
api_key_custom_header?: string;
oauth_client_id?: string;
oauth_client_secret?: string;
oauth_authorization_url?: string;
oauth_token_url?: string;
oauth_scope?: string;
server_id?: string; // For edit mode redirect URI
}
// Export enums for parent components
export { AuthTypeEnum, AuthorizationTypeEnum };
/**
* Returns the appropriate localization key for authentication type
*/
function getAuthLocalizationKey(type: AuthTypeEnum): TranslationKeys {
switch (type) {
case AuthTypeEnum.ServiceHttp:
return 'com_ui_api_key';
case AuthTypeEnum.OAuth:
return 'com_ui_oauth';
default:
return 'com_ui_none';
}
}
/**
* OAuth and API Key authentication dialog for MCP Server Builder
* Self-contained controlled component with its own form state
* Only updates parent on Save, discards changes on Cancel
*/
export default function MCPAuth({
value,
onChange,
}: {
value: AuthConfig;
onChange: (config: AuthConfig) => void;
}) {
const localize = useLocalize();
const [openAuthDialog, setOpenAuthDialog] = useState(false);
// Create local form with current value as default
const methods = useForm<AuthConfig>({
defaultValues: value,
});
const { handleSubmit, watch, reset } = methods;
const authType = watch('auth_type') || AuthTypeEnum.None;
const inputClasses = cn(
'mb-2 h-9 w-full resize-none overflow-y-auto rounded-lg border px-3 py-2 text-sm',
'border-border-medium bg-surface-primary outline-none',
'focus:ring-2 focus:ring-ring',
);
// Reset form when dialog opens with latest value from parent
const handleDialogOpen = (open: boolean) => {
if (open) {
reset(value);
}
setOpenAuthDialog(open);
};
// Save: update parent and close
const handleSave = handleSubmit((formData) => {
onChange(formData);
setOpenAuthDialog(false);
});
return (
<OGDialog open={openAuthDialog} onOpenChange={handleDialogOpen}>
<OGDialogTrigger asChild>
<div className="relative mb-4">
<div className="mb-1.5 flex items-center">
<label className="text-token-text-primary block font-medium">
{localize('com_ui_authentication')}
</label>
</div>
<div className="border-token-border-medium flex rounded-lg border text-sm hover:cursor-pointer">
<div className="h-9 grow px-3 py-2">{localize(getAuthLocalizationKey(authType))}</div>
<div className="bg-token-border-medium w-px"></div>
<button type="button" color="neutral" className="flex items-center gap-2 px-3">
<svg
width="24"
height="24"
viewBox="0 0 24 24"
fill="none"
xmlns="http://www.w3.org/2000/svg"
className="icon-sm"
>
<path
d="M11.6439 3C10.9352 3 10.2794 3.37508 9.92002 3.98596L9.49644 4.70605C8.96184 5.61487 7.98938 6.17632 6.93501 6.18489L6.09967 6.19168C5.39096 6.19744 4.73823 6.57783 4.38386 7.19161L4.02776 7.80841C3.67339 8.42219 3.67032 9.17767 4.01969 9.7943L4.43151 10.5212C4.95127 11.4386 4.95127 12.5615 4.43151 13.4788L4.01969 14.2057C3.67032 14.8224 3.67339 15.5778 4.02776 16.1916L4.38386 16.8084C4.73823 17.4222 5.39096 17.8026 6.09966 17.8083L6.93502 17.8151C7.98939 17.8237 8.96185 18.3851 9.49645 19.294L9.92002 20.014C10.2794 20.6249 10.9352 21 11.6439 21H12.3561C13.0648 21 13.7206 20.6249 14.08 20.014L14.5035 19.294C15.0381 18.3851 16.0106 17.8237 17.065 17.8151L17.9004 17.8083C18.6091 17.8026 19.2618 17.4222 19.6162 16.8084L19.9723 16.1916C20.3267 15.5778 20.3298 14.8224 19.9804 14.2057L19.5686 13.4788C19.0488 12.5615 19.0488 11.4386 19.5686 10.5212L19.9804 9.7943C20.3298 9.17767 20.3267 8.42219 19.9723 7.80841L19.6162 7.19161C19.2618 6.57783 18.6091 6.19744 17.9004 6.19168L17.065 6.18489C16.0106 6.17632 15.0382 5.61487 14.5036 4.70605L14.08 3.98596C13.7206 3.37508 13.0648 3 12.3561 3H11.6439Z"
stroke="currentColor"
strokeWidth="2"
strokeLinejoin="round"
/>
<circle cx="12" cy="12" r="2.5" stroke="currentColor" strokeWidth="2" />
</svg>
</button>
</div>
</div>
</OGDialogTrigger>
<FormProvider {...methods}>
<OGDialogTemplate
title={localize('com_ui_authentication')}
showCloseButton={false}
className="w-full max-w-md"
main={
<div className="space-y-4">
<div>
<label className="mb-1 block text-sm font-medium">
{localize('com_ui_authentication_type')}
</label>
<RadioGroup.Root
defaultValue={AuthTypeEnum.None}
onValueChange={(value) =>
methods.setValue('auth_type', value as AuthConfig['auth_type'])
}
value={authType}
role="radiogroup"
aria-required="false"
dir="ltr"
className="flex gap-4"
style={{ outline: 'none' }}
>
<div className="flex items-center gap-2">
<label htmlFor="auth-none" className="flex cursor-pointer items-center gap-1">
<RadioGroup.Item
type="button"
role="radio"
value={AuthTypeEnum.None}
id="auth-none"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_none')}
</label>
</div>
{/*
TODO Support API keys for auth
<div className="flex items-center gap-2">
<label htmlFor="auth-apikey" className="flex cursor-pointer items-center gap-1">
<RadioGroup.Item
type="button"
role="radio"
value={AuthTypeEnum.ServiceHttp}
id="auth-apikey"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_api_key')}
</label>
</div> */}
<div className="flex items-center gap-2">
<label htmlFor="auth-oauth" className="flex cursor-pointer items-center gap-1">
<RadioGroup.Item
type="button"
role="radio"
value={AuthTypeEnum.OAuth}
id="auth-oauth"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_oauth')}
</label>
</div>
</RadioGroup.Root>
</div>
{authType === AuthTypeEnum.None && null}
{authType === AuthTypeEnum.ServiceHttp && <ApiKey inputClasses={inputClasses} />}
{authType === AuthTypeEnum.OAuth && <OAuth inputClasses={inputClasses} />}
</div>
}
buttons={
<Button type="button" variant="submit" onClick={handleSave} className="text-white">
{localize('com_ui_save')}
</Button>
}
/>
</FormProvider>
</OGDialog>
);
}
const ApiKey = ({ inputClasses }: { inputClasses: string }) => {
const localize = useLocalize();
const { register, watch, setValue } = useFormContext();
const authorization_type = watch('api_key_authorization_type') || AuthorizationTypeEnum.Basic;
return (
<>
<label className="mb-1 block text-sm font-medium">{localize('com_ui_api_key')}</label>
<input
placeholder="<HIDDEN>"
type="password"
autoComplete="new-password"
className={inputClasses}
{...register('api_key')}
/>
<label className="mb-1 block text-sm font-medium">{localize('com_ui_auth_type')}</label>
<RadioGroup.Root
defaultValue={AuthorizationTypeEnum.Basic}
onValueChange={(value) => setValue('api_key_authorization_type', value)}
value={authorization_type}
role="radiogroup"
aria-required="true"
dir="ltr"
className="mb-2 flex gap-6 overflow-hidden rounded-lg"
style={{ outline: 'none' }}
>
<div className="flex items-center gap-2">
<label htmlFor="auth-basic" className="flex cursor-pointer items-center gap-1">
<RadioGroup.Item
type="button"
role="radio"
value={AuthorizationTypeEnum.Basic}
id="auth-basic"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_basic')}
</label>
</div>
<div className="flex items-center gap-2">
<label htmlFor="auth-bearer" className="flex cursor-pointer items-center gap-1">
<RadioGroup.Item
type="button"
role="radio"
value={AuthorizationTypeEnum.Bearer}
id="auth-bearer"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_bearer')}
</label>
</div>
<div className="flex items-center gap-2">
<label htmlFor="auth-custom" className="flex cursor-pointer items-center gap-1">
<RadioGroup.Item
type="button"
role="radio"
value={AuthorizationTypeEnum.Custom}
id="auth-custom"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_custom')}
</label>
</div>
</RadioGroup.Root>
{authorization_type === AuthorizationTypeEnum.Custom && (
<div className="mt-2">
<label className="mb-1 block text-sm font-medium">
{localize('com_ui_custom_header_name')}
</label>
<input
className={inputClasses}
placeholder="X-Api-Key"
{...register('api_key_custom_header')}
/>
</div>
)}
</>
);
};
const OAuth = ({ inputClasses }: { inputClasses: string }) => {
const localize = useLocalize();
const { showToast } = useToastContext();
const { register, watch } = useFormContext();
const [isCopying, setIsCopying] = useState(false);
// Check if we're in edit mode (server exists with ID)
const serverId = watch('server_id');
const isEditMode = !!serverId;
// Calculate redirect URI for edit mode
const redirectUri = isEditMode
? `${window.location.origin}/api/mcp/${serverId}/oauth/callback`
: '';
const copyLink = useCopyToClipboard({ text: redirectUri });
return (
<>
<label className="mb-1 block text-sm font-medium">{localize('com_ui_client_id')}</label>
<input
placeholder="<HIDDEN>"
type="password"
autoComplete="new-password"
className={inputClasses}
{...register('oauth_client_id')}
/>
<label className="mb-1 block text-sm font-medium">{localize('com_ui_client_secret')}</label>
<input
placeholder="<HIDDEN>"
type="password"
autoComplete="new-password"
className={inputClasses}
{...register('oauth_client_secret')}
/>
<label className="mb-1 block text-sm font-medium">{localize('com_ui_auth_url')}</label>
<input className={inputClasses} {...register('oauth_authorization_url')} />
<label className="mb-1 block text-sm font-medium">{localize('com_ui_token_url')}</label>
<input className={inputClasses} {...register('oauth_token_url')} />
{/* Redirect URI - read-only in edit mode, info message in create mode */}
<label className="mb-1 block text-sm font-medium">{localize('com_ui_redirect_uri')}</label>
{isEditMode ? (
<div className="relative mb-2 flex items-center">
<div className="border-token-border-medium bg-token-surface-primary hover:border-token-border-hover flex h-10 w-full rounded-lg border">
<div className="flex-1 overflow-hidden">
<div className="relative w-full">
<input
type="text"
readOnly
value={redirectUri}
className="w-full border-0 bg-transparent px-3 py-2 pr-12 text-sm text-text-secondary-alt focus:outline-none"
style={{ direction: 'rtl' }}
/>
</div>
</div>
<div className="absolute right-0 flex h-full items-center pr-1">
<Button
size="sm"
variant="ghost"
type="button"
onClick={() => {
if (isCopying) {
return;
}
showToast({ message: localize('com_ui_copied_to_clipboard') });
copyLink(setIsCopying);
}}
className={cn('h-8 rounded-md px-2', isCopying ? 'cursor-default' : '')}
aria-label={localize('com_ui_copy_link')}
>
{isCopying ? <CopyCheck className="size-4" /> : <Copy className="size-4" />}
</Button>
</div>
</div>
</div>
) : (
<div className="mb-2 rounded-lg border border-border-medium bg-surface-secondary p-2">
<p className="text-xs text-text-secondary">{localize('com_ui_redirect_uri_info')}</p>
</div>
)}
<label className="mb-1 block text-sm font-medium">{localize('com_ui_scope')}</label>
<input className={inputClasses} {...register('oauth_scope')} />
</>
);
};

63
client/src/components/SidePanel/MCPBuilder/MCPBuilderPanel.tsx Normal file
View file

@ -0,0 +1,63 @@
import { useState, useRef } from 'react';
import { Plus } from 'lucide-react';
import { PermissionTypes, Permissions } from 'librechat-data-provider';
import { Button, Spinner, OGDialogTrigger } from '@librechat/client';
import { useLocalize, useMCPServerManager, useHasAccess } from '~/hooks';
import MCPServerList from './MCPServerList';
import MCPServerDialog from './MCPServerDialog';
import MCPConfigDialog from '~/components/MCP/MCPConfigDialog';
import MCPAdminSettings from './MCPAdminSettings';
export default function MCPBuilderPanel() {
const localize = useLocalize();
const { availableMCPServers, isLoading, getServerStatusIconProps, getConfigDialogProps } =
useMCPServerManager();
const hasCreateAccess = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.CREATE,
});
const [showDialog, setShowDialog] = useState(false);
const addButtonRef = useRef<HTMLButtonElement | null>(null);
const configDialogProps = getConfigDialogProps();
return (
<div className="flex h-full w-full flex-col overflow-hidden">
<div role="region" aria-label="MCP Builder" className="mt-2 space-y-2">
{/* Admin Settings Button */}
<MCPAdminSettings />
{hasCreateAccess && (
<MCPServerDialog open={showDialog} onOpenChange={setShowDialog} triggerRef={addButtonRef}>
<OGDialogTrigger asChild>
<div className="flex w-full justify-end">
<Button
ref={addButtonRef}
variant="outline"
className="w-full bg-transparent"
onClick={() => setShowDialog(true)}
>
<Plus className="size-4" aria-hidden />
{localize('com_ui_add_mcp')}
</Button>
</div>
</OGDialogTrigger>
</MCPServerDialog>
)}
{/* Server List */}
{isLoading ? (
<div className="flex items-center justify-center p-8">
<Spinner className="h-6 w-6" />
</div>
) : (
<MCPServerList
servers={availableMCPServers}
getServerStatusIconProps={getServerStatusIconProps}
/>
)}
{configDialogProps && <MCPConfigDialog {...configDialogProps} />}
</div>
</div>
);
}

639
client/src/components/SidePanel/MCPBuilder/MCPServerDialog.tsx Normal file
View file

@ -0,0 +1,639 @@
import React, { useState, useEffect, useMemo } from 'react';
import { FormProvider, useForm, Controller } from 'react-hook-form';
import * as RadioGroup from '@radix-ui/react-radio-group';
import type { MCPServerCreateParams } from 'librechat-data-provider';
import {
OGDialog,
OGDialogTemplate,
OGDialogContent,
OGDialogHeader,
OGDialogTitle,
TrashIcon,
Button,
Label,
Checkbox,
Spinner,
useToastContext,
} from '@librechat/client';
import {
useCreateMCPServerMutation,
useUpdateMCPServerMutation,
useDeleteMCPServerMutation,
} from '~/data-provider/MCP';
import MCPAuth, { type AuthConfig, AuthTypeEnum, AuthorizationTypeEnum } from './MCPAuth';
import MCPIcon from '~/components/SidePanel/Agents/MCPIcon';
import { useLocalize } from '~/hooks';
import { cn } from '~/utils';
import {
SystemRoles,
Permissions,
ResourceType,
PermissionBits,
PermissionTypes,
} from 'librechat-data-provider';
import { GenericGrantAccessDialog } from '~/components/Sharing';
import { useAuthContext, useHasAccess, useResourcePermissions, MCPServerDefinition } from '~/hooks';
// Form data with nested auth structure matching AuthConfig
interface MCPServerFormData {
// Server metadata
title: string;
description?: string;
icon?: string;
// Connection details
url: string;
type: 'streamable-http' | 'sse';
// Nested auth configuration (matches AuthConfig directly)
auth: AuthConfig;
// UI-only validation
trust: boolean;
}
interface MCPServerDialogProps {
open: boolean;
onOpenChange: (open: boolean) => void;
children: React.ReactNode;
triggerRef?: React.MutableRefObject<HTMLButtonElement | null>;
server?: MCPServerDefinition | null;
}
export default function MCPServerDialog({
open,
onOpenChange,
children,
triggerRef,
server,
}: MCPServerDialogProps) {
const localize = useLocalize();
const { showToast } = useToastContext();
// Mutations
const createMutation = useCreateMCPServerMutation();
const updateMutation = useUpdateMCPServerMutation();
const deleteMutation = useDeleteMCPServerMutation();
// Convert McpServer to form data
const defaultValues = useMemo<MCPServerFormData>(() => {
if (server) {
// Determine auth type from server config
let authType: AuthTypeEnum = AuthTypeEnum.None;
if (server.config.oauth) {
authType = AuthTypeEnum.OAuth;
} else if ('api_key' in server.config) {
authType = AuthTypeEnum.ServiceHttp;
}
return {
title: server.config.title || '',
description: server.config.description || '',
url: 'url' in server.config ? server.config.url : '',
type: (server.config.type as 'streamable-http' | 'sse') || 'streamable-http',
icon: server.config.iconPath || '',
auth: {
auth_type: authType,
api_key: '',
api_key_authorization_type: AuthorizationTypeEnum.Basic,
api_key_custom_header: '',
oauth_client_id: server.config.oauth?.client_id || '',
oauth_client_secret: '', // NEVER pre-fill secrets
oauth_authorization_url: server.config.oauth?.authorization_url || '',
oauth_token_url: server.config.oauth?.token_url || '',
oauth_scope: server.config.oauth?.scope || '',
server_id: server.serverName, // For edit mode redirect URI
},
trust: true, // Pre-check for existing servers
};
}
return {
title: '',
description: '',
url: '',
type: 'streamable-http',
icon: '',
auth: {
auth_type: AuthTypeEnum.None,
api_key: '',
api_key_authorization_type: AuthorizationTypeEnum.Basic,
api_key_custom_header: '',
oauth_client_id: '',
oauth_client_secret: '',
oauth_authorization_url: '',
oauth_token_url: '',
oauth_scope: '',
},
trust: false,
};
}, [server]);
const methods = useForm<MCPServerFormData>({
defaultValues,
});
const {
handleSubmit,
register,
formState: { errors },
control,
watch,
reset,
} = methods;
const iconValue = watch('icon');
const [isSubmitting, setIsSubmitting] = useState(false);
const [showRedirectUriDialog, setShowRedirectUriDialog] = useState(false);
const [createdServerId, setCreatedServerId] = useState<string | null>(null);
const [showDeleteConfirm, setShowDeleteConfirm] = useState(false);
const [isDeleting, setIsDeleting] = useState(false);
// Reset form when dialog opens or server changes
useEffect(() => {
if (open) {
reset(defaultValues);
}
// eslint-disable-next-line react-hooks/exhaustive-deps -- defaultValues is derived from server
}, [open, server, reset]);
const handleIconChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const file = e.target.files?.[0];
if (file) {
const reader = new FileReader();
reader.onloadend = () => {
const base64String = reader.result as string;
methods.setValue('icon', base64String);
};
reader.readAsDataURL(file);
}
};
const handleDelete = async () => {
if (!server) {
return;
}
setIsDeleting(true);
try {
await deleteMutation.mutateAsync(server.serverName);
showToast({
message: localize('com_ui_mcp_server_deleted'),
status: 'success',
});
setShowDeleteConfirm(false);
onOpenChange(false);
setTimeout(() => {
triggerRef?.current?.focus();
}, 0);
} catch (error: any) {
let errorMessage = localize('com_ui_error');
if (error && typeof error === 'object' && 'response' in error) {
const axiosError = error as any;
if (axiosError.response?.data?.error) {
errorMessage = axiosError.response.data.error;
}
} else if (error.message) {
errorMessage = error.message;
}
showToast({
message: errorMessage,
status: 'error',
});
} finally {
setIsDeleting(false);
}
};
const onSubmit = handleSubmit(async (formData: MCPServerFormData) => {
setIsSubmitting(true);
try {
// Convert form data to API params - everything goes in config now
const config: any = {
type: formData.type,
url: formData.url,
title: formData.title,
...(formData.description && { description: formData.description }),
...(formData.icon && { iconPath: formData.icon }),
};
// Add OAuth if auth type is oauth and any fields are filled
if (
formData.auth.auth_type === AuthTypeEnum.OAuth &&
(formData.auth.oauth_client_id ||
formData.auth.oauth_client_secret ||
formData.auth.oauth_authorization_url ||
formData.auth.oauth_token_url ||
formData.auth.oauth_scope)
) {
config.oauth = {};
if (formData.auth.oauth_client_id) {
config.oauth.client_id = formData.auth.oauth_client_id;
}
if (formData.auth.oauth_client_secret) {
config.oauth.client_secret = formData.auth.oauth_client_secret;
}
if (formData.auth.oauth_authorization_url) {
config.oauth.authorization_url = formData.auth.oauth_authorization_url;
}
if (formData.auth.oauth_token_url) {
config.oauth.token_url = formData.auth.oauth_token_url;
}
if (formData.auth.oauth_scope) {
config.oauth.scope = formData.auth.oauth_scope;
}
}
const params: MCPServerCreateParams = {
config,
};
// Call mutation based on create vs edit mode
const result = server
? await updateMutation.mutateAsync({ serverName: server.serverName, data: params })
: await createMutation.mutateAsync(params);
showToast({
message: server
? localize('com_ui_mcp_server_updated')
: localize('com_ui_mcp_server_created'),
status: 'success',
});
// Show redirect URI dialog only on creation with OAuth
if (!server && formData.auth.auth_type === AuthTypeEnum.OAuth) {
setCreatedServerId(result.serverName);
setShowRedirectUriDialog(true);
} else {
onOpenChange(false);
}
setTimeout(() => {
triggerRef?.current?.focus();
}, 0);
} catch (error: any) {
let errorMessage = localize('com_ui_error');
if (error && typeof error === 'object' && 'response' in error) {
const axiosError = error as any;
if (axiosError.response?.data?.error) {
errorMessage = axiosError.response.data.error;
}
} else if (error.message) {
errorMessage = error.message;
}
showToast({
message: errorMessage,
status: 'error',
});
} finally {
setIsSubmitting(false);
}
});
const { user } = useAuthContext();
// Check global permission to share MCP servers
const hasAccessToShareMcpServers = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.SHARE,
});
// Check user's permissions on this specific MCP server
const { hasPermission, isLoading: permissionsLoading } = useResourcePermissions(
ResourceType.MCPSERVER,
server?.dbId || '',
);
const canShareThisServer = hasPermission(PermissionBits.SHARE);
const shouldShowShareButton =
server && // Only in edit mode
(user?.role === SystemRoles.ADMIN || canShareThisServer) &&
hasAccessToShareMcpServers &&
!permissionsLoading;
const redirectUri = createdServerId
? `${window.location.origin}/api/mcp/${createdServerId}/oauth/callback`
: '';
return (
<>
{/* Delete confirmation dialog */}
<OGDialog
open={showDeleteConfirm}
onOpenChange={(open) => {
setShowDeleteConfirm(open);
}}
>
<OGDialogTemplate
title={localize('com_ui_delete')}
className="max-w-[450px]"
main={
<Label className="text-left text-sm font-medium">
{localize('com_ui_mcp_server_delete_confirm')}
</Label>
}
selection={{
selectHandler: handleDelete,
selectClasses:
'bg-destructive text-white transition-all duration-200 hover:bg-destructive/80',
selectText: isDeleting ? <Spinner /> : localize('com_ui_delete'),
}}
/>
</OGDialog>
{/* Post-creation redirect URI dialog */}
<OGDialog
open={showRedirectUriDialog}
onOpenChange={(open) => {
setShowRedirectUriDialog(open);
if (!open) {
onOpenChange(false);
setCreatedServerId(null);
}
}}
>
<OGDialogContent className="w-full max-w-lg border-none bg-surface-primary text-text-primary">
<OGDialogHeader className="border-b border-border-light sm:p-3">
<OGDialogTitle>{localize('com_ui_mcp_server_created')}</OGDialogTitle>
</OGDialogHeader>
<div className="p-4 sm:p-6 sm:pt-4">
<p className="mb-4 text-sm text-text-primary">
{localize('com_ui_redirect_uri_instructions')}
</p>
<div className="rounded-lg border border-border-medium bg-surface-secondary p-3">
<label className="mb-2 block text-xs font-medium text-text-secondary">
{localize('com_ui_redirect_uri')}
</label>
<div className="flex items-center gap-2">
<input
className="flex-1 rounded border border-border-medium bg-surface-primary px-3 py-2 text-sm"
value={redirectUri}
readOnly
/>
<Button
onClick={() => {
navigator.clipboard.writeText(redirectUri);
showToast({
message: localize('com_ui_copied'),
status: 'success',
});
}}
variant="outline"
className="whitespace-nowrap"
>
{localize('com_ui_copy_link')}
</Button>
</div>
</div>
<div className="mt-6 flex justify-end">
<Button
onClick={() => {
setShowRedirectUriDialog(false);
onOpenChange(false);
setCreatedServerId(null);
}}
variant="submit"
className="text-white"
>
{localize('com_ui_done')}
</Button>
</div>
</div>
</OGDialogContent>
</OGDialog>
{/* Main MCP Server Dialog */}
<OGDialog open={open} onOpenChange={onOpenChange} triggerRef={triggerRef}>
{children}
<OGDialogTemplate
title={server ? localize('com_ui_edit_mcp_server') : localize('com_ui_add_mcp_server')}
description={
server
? localize('com_ui_edit_mcp_server_dialog_description', {
serverName: server.serverName,
})
: undefined
}
className="w-11/12 md:max-w-2xl"
main={
<FormProvider {...methods}>
<div className="max-h-[60vh] space-y-4 overflow-y-auto px-1">
{/* Icon Picker */}
<div>
<MCPIcon icon={iconValue} onIconChange={handleIconChange} />
</div>
{/* Title */}
<div className="space-y-2">
<Label htmlFor="title" className="text-sm font-medium">
{localize('com_ui_name')} <span className="text-red-500">*</span>
</Label>
<input
autoComplete="off"
{...register('title', {
required: true,
pattern: {
value: /^[a-zA-Z0-9 ]+$/,
message: localize('com_ui_mcp_title_invalid'),
},
})}
className="border-token-border-medium flex h-9 w-full rounded-lg border bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
placeholder={localize('com_agents_mcp_name_placeholder')}
/>
{errors.title && (
<span className="text-xs text-red-500">
{errors.title.type === 'pattern'
? errors.title.message
: localize('com_ui_field_required')}
</span>
)}
</div>
{/* Description */}
<div className="space-y-2">
<Label htmlFor="description" className="text-sm font-medium">
{localize('com_ui_description')}
<span className="ml-1 text-xs text-text-secondary-alt">
{localize('com_ui_optional')}
</span>
</Label>
<input
id="description"
{...register('description')}
className="border-token-border-medium flex h-9 w-full rounded-lg border bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
placeholder={localize('com_agents_mcp_description_placeholder')}
/>
</div>
{/* URL */}
<div className="space-y-2">
<Label htmlFor="url" className="text-sm font-medium">
{localize('com_ui_mcp_url')} <span className="text-red-500">*</span>
</Label>
<input
id="url"
{...register('url', {
required: true,
})}
className="border-token-border-medium flex h-9 w-full rounded-lg border bg-transparent px-3 py-1.5 text-sm outline-none placeholder:text-text-secondary-alt focus:ring-1 focus:ring-border-light"
placeholder="https://mcp.example.com"
/>
{errors.url && (
<span className="text-xs text-red-500">
{errors.url.type === 'required'
? localize('com_ui_field_required')
: errors.url.message}
</span>
)}
</div>
{/* Server Type */}
<div className="space-y-2">
<Label htmlFor="type" className="text-sm font-medium">
{localize('com_ui_mcp_server_type')}
</Label>
<Controller
name="type"
control={control}
render={({ field }) => (
<RadioGroup.Root
value={field.value}
onValueChange={field.onChange}
className="flex gap-4"
>
<div className="flex items-center gap-2">
<label
htmlFor="type-streamable-http"
className="flex cursor-pointer items-center gap-1"
>
<RadioGroup.Item
type="button"
value="streamable-http"
id="type-streamable-http"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_mcp_type_streamable_http')}
</label>
</div>
<div className="flex items-center gap-2">
<label
htmlFor="type-sse"
className="flex cursor-pointer items-center gap-1"
>
<RadioGroup.Item
type="button"
value="sse"
id="type-sse"
className={cn(
'mr-1 flex h-5 w-5 items-center justify-center rounded-full border',
'border-border-heavy bg-surface-primary',
)}
>
<RadioGroup.Indicator className="h-2 w-2 rounded-full bg-text-primary" />
</RadioGroup.Item>
{localize('com_ui_mcp_type_sse')}
</label>
</div>
</RadioGroup.Root>
)}
/>
</div>
{/* Authentication */}
<Controller
name="auth"
control={control}
render={({ field }) => <MCPAuth value={field.value} onChange={field.onChange} />}
/>
{/* Trust Checkbox */}
<div className="flex items-center gap-2">
<Controller
name="trust"
control={control}
rules={{ required: true }}
render={({ field }) => (
<Checkbox
id="trust"
checked={field.value}
onCheckedChange={field.onChange}
aria-labelledby="trust-this-mcp-label"
/>
)}
/>
<Label
id="trust-this-mcp-label"
htmlFor="trust"
className="flex cursor-pointer flex-col text-sm font-medium"
>
<span>
{localize('com_ui_trust_app')} <span className="text-red-500">*</span>
</span>
<span className="text-xs font-normal text-text-secondary">
{localize('com_agents_mcp_trust_subtext')}
</span>
</Label>
</div>
{errors.trust && (
<span className="text-xs text-red-500">{localize('com_ui_field_required')}</span>
)}
</div>
</FormProvider>
}
footerClassName="sm:justify-between"
leftButtons={
server ? (
<div className="flex items-center gap-2">
<Button
type="button"
variant="outline"
size="sm"
aria-label="Delete MCP server"
onClick={() => setShowDeleteConfirm(true)}
disabled={isSubmitting || isDeleting}
>
<div className="flex w-full items-center justify-center gap-2 text-red-500">
<TrashIcon />
</div>
</Button>
{shouldShowShareButton && (
<GenericGrantAccessDialog
resourceDbId={server.dbId}
resourceName={server.config.title || ''}
resourceType={ResourceType.MCPSERVER}
/>
)}
</div>
) : null
}
buttons={
<Button
type="button"
variant="submit"
onClick={onSubmit}
disabled={isSubmitting}
className="text-white"
>
{isSubmitting ? (
<Spinner className="size-4" />
) : (
localize(server ? 'com_ui_update' : 'com_ui_create')
)}
</Button>
}
/>
</OGDialog>
</>
);
}

91
client/src/components/SidePanel/MCPBuilder/MCPServerList.tsx Normal file
View file

@ -0,0 +1,91 @@
import { useState, useRef } from 'react';
import { GearIcon, MCPIcon, OGDialogTrigger } from '@librechat/client';
import {
PermissionBits,
PermissionTypes,
Permissions,
hasPermissions,
} from 'librechat-data-provider';
import { useLocalize, useHasAccess, MCPServerDefinition } from '~/hooks';
import MCPServerStatusIcon from '~/components/MCP/MCPServerStatusIcon';
import MCPServerDialog from './MCPServerDialog';
interface MCPServerListProps {
servers: MCPServerDefinition[];
getServerStatusIconProps: (
serverName: string,
) => React.ComponentProps<typeof MCPServerStatusIcon>;
}
// Self-contained edit button component (follows MemoryViewer pattern)
const EditMCPServerButton = ({ server }: { server: MCPServerDefinition }) => {
const localize = useLocalize();
const [open, setOpen] = useState(false);
const triggerRef = useRef<HTMLButtonElement>(null);
return (
<MCPServerDialog open={open} onOpenChange={setOpen} triggerRef={triggerRef} server={server}>
<OGDialogTrigger asChild>
<button
ref={triggerRef}
onClick={() => setOpen(true)}
className="flex h-5 w-5 items-center justify-center rounded hover:bg-surface-secondary"
aria-label={localize('com_ui_edit')}
>
<GearIcon className="h-4 w-4" />
</button>
</OGDialogTrigger>
</MCPServerDialog>
);
};
export default function MCPServerList({ servers, getServerStatusIconProps }: MCPServerListProps) {
const canCreateEditMCPs = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.CREATE,
});
const localize = useLocalize();
if (servers.length === 0) {
return (
<div className="rounded-lg border border-border-light bg-transparent p-8 text-center shadow-sm">
<p className="text-sm text-text-secondary">{localize('com_ui_no_mcp_servers')}</p>
<p className="mt-1 text-xs text-text-tertiary">{localize('com_ui_add_first_mcp_server')}</p>
</div>
);
}
return (
<div className="space-y-2">
{servers.map((server) => {
const canEditThisServer = hasPermissions(server.effectivePermissions, PermissionBits.EDIT);
const displayName = server.config?.title || server.serverName;
const serverKey = `key_${server.serverName}`;
return (
<div key={serverKey} className="rounded-lg border border-border-light bg-transparent p-3">
<div className="flex items-center gap-3">
{/* Server Icon */}
{server.config?.iconPath ? (
<img src={server.config.iconPath} className="h-5 w-5 rounded" alt={displayName} />
) : (
<MCPIcon className="h-5 w-5" />
)}
{/* Server Info */}
<div className="min-w-0 flex-1">
<h3 className="truncate font-semibold text-text-primary">{displayName}</h3>
</div>
{/* Edit Button - Only for DB servers and when user has CREATE access */}
{canCreateEditMCPs && canEditThisServer && <EditMCPServerButton server={server} />}
{/* Connection Status Icon */}
<MCPServerStatusIcon {...getServerStatusIconProps(server.serverName)} />
</div>
</div>
);
})}
</div>
);
}

5
client/src/components/SidePanel/MCPBuilder/index.ts Normal file
View file

@ -0,0 +1,5 @@
export { default } from './MCPBuilderPanel';
export { default as MCPBuilderPanel } from './MCPBuilderPanel';
export { default as MCPServerList } from './MCPServerList';
export { default as MCPServerDialog } from './MCPServerDialog';
export { default as MCPAuth } from './MCPAuth';

3
client/src/components/Tools/MCPToolSelectDialog.tsx
View file

@ -207,7 +207,7 @@ function MCPToolSelectDialog({
}, [mcpServerNames]);
const mcpServers = useMemo(() => {
const servers = Array.from(mcpServersMap.values());
const servers = Array.from(mcpServersMap.values()).filter((s) => !s.consumeOnly);
return servers.sort((a, b) => a.serverName.localeCompare(b.serverName));
}, [mcpServersMap]);
@ -340,7 +340,6 @@ function MCPToolSelectDialog({
tool_id: serverInfo.serverName,
metadata: {
...serverInfo.metadata,
description: `${localize('com_ui_tool_collection_prefix')} ${serverInfo.serverName}`,
},
};

1
client/src/data-provider/MCP/index.ts
View file

@ -1 +1,2 @@
export * from './queries';
export * from './mutations';

141
client/src/data-provider/MCP/mutations.ts Normal file
View file

@ -0,0 +1,141 @@
import { useMutation, useQueryClient, UseMutationResult } from '@tanstack/react-query';
import { dataService, QueryKeys, ResourceType } from 'librechat-data-provider';
import type * as t from 'librechat-data-provider';
/**
* Hook for creating a new MCP server
*/
export const useCreateMCPServerMutation = (options?: {
onMutate?: (variables: t.MCPServerCreateParams) => void;
onSuccess?: (
data: t.MCPServerDBObjectResponse,
variables: t.MCPServerCreateParams,
context: unknown,
) => void;
onError?: (error: Error, variables: t.MCPServerCreateParams, context: unknown) => void;
}): UseMutationResult<t.MCPServerDBObjectResponse, Error, t.MCPServerCreateParams> => {
const queryClient = useQueryClient();
return useMutation((data: t.MCPServerCreateParams) => dataService.createMCPServer(data), {
onMutate: (variables) => options?.onMutate?.(variables),
onError: (error, variables, context) => options?.onError?.(error, variables, context),
onSuccess: (newServer, variables, context) => {
const listRes = queryClient.getQueryData<t.MCPServersListResponse>([QueryKeys.mcpServers]);
if (listRes) {
queryClient.setQueryData<t.MCPServersListResponse>([QueryKeys.mcpServers], {
...listRes,
[newServer.serverName!]: newServer,
});
}
queryClient.invalidateQueries([QueryKeys.mcpServers]);
queryClient.invalidateQueries([QueryKeys.mcpTools]);
queryClient.invalidateQueries([QueryKeys.mcpAuthValues]);
queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]);
queryClient.invalidateQueries([
QueryKeys.effectivePermissions,
'all',
ResourceType.MCPSERVER,
]);
return options?.onSuccess?.(newServer, variables, context);
},
});
};
/**
* Hook for updating an existing MCP server
*/
export const useUpdateMCPServerMutation = (options?: {
onMutate?: (variables: { serverName: string; data: t.MCPServerUpdateParams }) => void;
onSuccess?: (
data: t.MCPServerDBObjectResponse,
variables: { serverName: string; data: t.MCPServerUpdateParams },
context: unknown,
) => void;
onError?: (
error: Error,
variables: { serverName: string; data: t.MCPServerUpdateParams },
context: unknown,
) => void;
}): UseMutationResult<
t.MCPServerDBObjectResponse,
Error,
{ serverName: string; data: t.MCPServerUpdateParams }
> => {
const queryClient = useQueryClient();
return useMutation(
({ serverName, data }: { serverName: string; data: t.MCPServerUpdateParams }) =>
dataService.updateMCPServer(serverName, data),
{
onMutate: (variables: { serverName: string; data: t.MCPServerUpdateParams }) =>
options?.onMutate?.(variables),
onError: (
error: Error,
variables: { serverName: string; data: t.MCPServerUpdateParams },
context: unknown,
) => options?.onError?.(error, variables, context),
onSuccess: (
updatedServer: t.MCPServerDBObjectResponse,
variables: { serverName: string; data: t.MCPServerUpdateParams },
context: unknown,
) => {
// Update list cache
const listRes = queryClient.getQueryData<t.MCPServersListResponse>([QueryKeys.mcpServers]);
if (listRes) {
// eslint-disable-next-line @typescript-eslint/no-unused-vars
const { type, ...oldServer } = listRes[variables.serverName!];
listRes[variables.serverName!] = { ...oldServer, ...updatedServer };
queryClient.setQueryData<t.MCPServersListResponse>([QueryKeys.mcpServers], {
...listRes,
});
}
queryClient.setQueryData([QueryKeys.mcpServer, variables.serverName], updatedServer);
queryClient.invalidateQueries([QueryKeys.mcpServers]);
queryClient.invalidateQueries([QueryKeys.mcpTools]);
queryClient.invalidateQueries([QueryKeys.mcpAuthValues]);
queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]);
return options?.onSuccess?.(updatedServer, variables, context);
},
},
);
};
/**
* Hook for deleting an MCP server
*/
export const useDeleteMCPServerMutation = (options?: {
onMutate?: (variables: string) => void;
onSuccess?: (_data: { success: boolean }, variables: string, context: unknown) => void;
onError?: (error: Error, variables: string, context: unknown) => void;
}): UseMutationResult<{ success: boolean }, Error, string> => {
const queryClient = useQueryClient();
return useMutation((serverName: string) => dataService.deleteMCPServer(serverName), {
onMutate: (variables) => options?.onMutate?.(variables),
onError: (error, variables, context) => options?.onError?.(error, variables, context),
onSuccess: (_data, serverName, context) => {
// Update list cache by removing the deleted server (immutable update)
const listRes = queryClient.getQueryData<t.MCPServersListResponse>([QueryKeys.mcpServers]);
if (listRes) {
const { [serverName]: _removed, ...remaining } = listRes;
queryClient.setQueryData<t.MCPServersListResponse>([QueryKeys.mcpServers], remaining);
}
// Remove from specific server query cache
queryClient.removeQueries([QueryKeys.mcpServer, serverName]);
// Invalidate list query to ensure consistency
queryClient.invalidateQueries([QueryKeys.mcpServers]);
queryClient.invalidateQueries([QueryKeys.mcpTools]);
queryClient.invalidateQueries([QueryKeys.mcpAuthValues]);
queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]);
return options?.onSuccess?.(_data, serverName, context);
},
});
};

37
client/src/data-provider/roles.ts
View file

@ -6,6 +6,7 @@ import {
memoryPermissionsSchema,
marketplacePermissionsSchema,
peoplePickerPermissionsSchema,
mcpServersPermissionsSchema,
} from 'librechat-data-provider';
import type {
UseQueryOptions,
@ -171,6 +172,42 @@ export const useUpdatePeoplePickerPermissionsMutation = (
);
};
export const useUpdateMCPServersPermissionsMutation = (
options?: t.UpdateMCPServersPermOptions,
): UseMutationResult<
t.UpdatePermResponse,
t.TError | undefined,
t.UpdateMCPServersPermVars,
unknown
> => {
const queryClient = useQueryClient();
const { onMutate, onSuccess, onError } = options ?? {};
return useMutation(
(variables) => {
mcpServersPermissionsSchema.partial().parse(variables.updates);
return dataService.updateMCPServersPermissions(variables);
},
{
onSuccess: (data, variables, context) => {
queryClient.invalidateQueries([QueryKeys.roles, variables.roleName]);
if (onSuccess) {
onSuccess(data, variables, context);
}
},
onError: (...args) => {
const error = args[0];
if (error != null) {
console.error('Failed to update MCP servers permissions:', error);
}
if (onError) {
onError(...args);
}
},
onMutate,
},
);
};
export const useUpdateMarketplacePermissionsMutation = (
options?: t.UpdateMarketplacePermOptions,
): UseMutationResult<

2
client/src/hooks/MCP/index.ts
View file

@ -1,5 +1,5 @@
export * from './useMCPConnectionStatus';
export * from './useMCPSelect';
export * from './useVisibleTools';
export { useMCPServerManager } from './useMCPServerManager';
export * from './useMCPServerManager';
export { useRemoveMCPTool } from './useRemoveMCPTool';

62
client/src/hooks/MCP/useMCPServerManager.ts
View file

@ -1,11 +1,12 @@
import { useCallback, useState, useMemo, useRef, useEffect } from 'react';
import { useToastContext } from '@librechat/client';
import { useQueryClient } from '@tanstack/react-query';
import { Constants, QueryKeys, MCPOptions } from 'librechat-data-provider';
import { Constants, QueryKeys, MCPOptions, ResourceType } from 'librechat-data-provider';
import {
useCancelMCPOAuthMutation,
useUpdateUserPluginsMutation,
useReinitializeMCPServerMutation,
useGetAllEffectivePermissionsQuery,
} from 'librechat-data-provider/react-query';
import type { TUpdateUserPlugins, TPlugin, MCPServersResponse } from 'librechat-data-provider';
import type { ConfigFieldDetail } from '~/common';
@ -15,9 +16,9 @@ import { useGetStartupConfig, useMCPServersQuery } from '~/data-provider';
export interface MCPServerDefinition {
serverName: string;
config: MCPOptions;
mcp_id?: string;
_id?: string; // MongoDB ObjectId for database servers (used for permissions)
dbId?: string; // MongoDB ObjectId for database servers (used for permissions)
effectivePermissions: number; // Permission bits (VIEW=1, EDIT=2, DELETE=4, SHARE=8)
consumeOnly?: boolean;
}
interface ServerState {
@ -36,35 +37,44 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
const { data: loadedServers, isLoading } = useMCPServersQuery();
// Fetch effective permissions for all MCP servers
const { data: permissionsMap } = useGetAllEffectivePermissionsQuery(ResourceType.MCPSERVER);
const [isConfigModalOpen, setIsConfigModalOpen] = useState(false);
const [selectedToolForConfig, setSelectedToolForConfig] = useState<TPlugin | null>(null);
const previousFocusRef = useRef<HTMLElement | null>(null);
const configuredServers = useMemo(() => {
if (!loadedServers) return [];
return Object.keys(loadedServers).filter((name) => loadedServers[name]?.chatMenu !== false);
}, [loadedServers]);
const availableMCPServers: MCPServerDefinition[] = useMemo<MCPServerDefinition[]>(() => {
const definitions: MCPServerDefinition[] = [];
if (loadedServers) {
for (const [serverName, metadata] of Object.entries(loadedServers)) {
// eslint-disable-next-line @typescript-eslint/no-unused-vars
const { _id, mcp_id, effectivePermissions, author, updatedAt, createdAt, ...config } =
metadata;
const { dbId, consumeOnly, ...config } = metadata;
// Get effective permissions from the permissions map using _id
// Fall back to 1 (VIEW) for YAML-based servers without _id
const effectivePermissions = dbId && permissionsMap?.[dbId] ? permissionsMap[dbId] : 1;
definitions.push({
serverName,
mcp_id,
effectivePermissions: effectivePermissions || 1,
dbId,
effectivePermissions,
consumeOnly,
config,
});
}
}
return definitions;
}, [loadedServers]);
}, [loadedServers, permissionsMap]);
// Memoize filtered servers for useMCPSelect to prevent infinite loops
const selectableServers = useMemo(
() => availableMCPServers.filter((s) => s.config.chatMenu !== false && !s.consumeOnly),
[availableMCPServers],
);
const { mcpValues, setMCPValues, isPinned, setIsPinned } = useMCPSelect({
conversationId,
servers: availableMCPServers,
servers: selectableServers,
});
const mcpValuesRef = useRef(mcpValues);
@ -73,6 +83,14 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
mcpValuesRef.current = mcpValues;
}, [mcpValues]);
// Check if specific permission bit is set
const checkEffectivePermission = useCallback(
(effectivePermissions: number, permissionBit: number): boolean => {
return (effectivePermissions & permissionBit) !== 0;
},
[],
);
const reinitializeMutation = useReinitializeMCPServerMutation();
const cancelOAuthMutation = useCancelMCPOAuthMutation();
@ -98,8 +116,8 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
const [serverStates, setServerStates] = useState<Record<string, ServerState>>(() => {
const initialStates: Record<string, ServerState> = {};
configuredServers.forEach((serverName) => {
initialStates[serverName] = {
availableMCPServers.forEach((server) => {
initialStates[server.serverName] = {
isInitializing: false,
oauthUrl: null,
oauthStartTime: null,
@ -111,7 +129,7 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
});
const { connectionStatus } = useMCPConnectionStatus({
enabled: !isLoading && configuredServers.length > 0,
enabled: !isLoading && availableMCPServers.length > 0,
});
const updateServerState = useCallback((serverName: string, updates: Partial<ServerState>) => {
@ -366,7 +384,12 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
cancelOAuthMutation.mutate(serverName, {
onSuccess: () => {
cleanupServerState(serverName);
queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]);
Promise.all([
queryClient.invalidateQueries([QueryKeys.mcpServers]),
queryClient.invalidateQueries([QueryKeys.mcpTools]),
queryClient.invalidateQueries([QueryKeys.mcpAuthValues]),
queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]),
]);
showToast({
message: localize('com_ui_mcp_oauth_cancelled', { 0: serverName }),
@ -629,6 +652,8 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
return {
availableMCPServers,
/** MCP servers filtered for chat menu selection (chatMenu !== false && !consumeOnly) */
selectableServers,
availableMCPServersMap: loadedServers,
isLoading,
connectionStatus,
@ -655,5 +680,6 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin
handleRevoke,
getServerStatusIconProps,
getConfigDialogProps,
checkEffectivePermission,
};
}

34
client/src/hooks/Nav/useSideNavLinks.ts
View file

@ -10,6 +10,7 @@ import {
isAssistantsEndpoint,
} from 'librechat-data-provider';
import type { TInterfaceConfig, TEndpointsConfig } from 'librechat-data-provider';
import MCPBuilderPanel from '~/components/SidePanel/MCPBuilder/MCPBuilderPanel';
import type { NavLink } from '~/common';
import AgentPanelSwitch from '~/components/SidePanel/Agents/AgentPanelSwitch';
import BookmarkPanel from '~/components/SidePanel/Bookmarks/BookmarkPanel';
@ -18,7 +19,6 @@ import PanelSwitch from '~/components/SidePanel/Builder/PanelSwitch';
import PromptsAccordion from '~/components/Prompts/PromptsAccordion';
import Parameters from '~/components/SidePanel/Parameters/Panel';
import FilesPanel from '~/components/SidePanel/Files/Panel';
import MCPPanel from '~/components/SidePanel/MCP/MCPPanel';
import { useHasAccess, useMCPServerManager } from '~/hooks';
export default function useSideNavLinks({
@ -60,7 +60,10 @@ export default function useSideNavLinks({
permissionType: PermissionTypes.AGENTS,
permission: Permissions.CREATE,
});
const hasAccessToUseMCPSettings = useHasAccess({
permissionType: PermissionTypes.MCP_SERVERS,
permission: Permissions.USE,
});
const { availableMCPServers } = useMCPServerManager();
const Links = useMemo(() => {
@ -152,21 +155,13 @@ export default function useSideNavLinks({
});
}
if (
availableMCPServers &&
availableMCPServers.some(
(server: any) =>
(server.config.customUserVars && Object.keys(server.config.customUserVars).length > 0) ||
server.config.isOAuth ||
server.config.startup === false,
)
) {
if (hasAccessToUseMCPSettings && availableMCPServers && availableMCPServers.length > 0) {
links.push({
title: 'com_nav_setting_mcp',
label: '',
icon: MCPIcon,
id: 'mcp-settings',
Component: MCPPanel,
id: 'mcp-builder',
Component: MCPBuilderPanel,
});
}
@ -180,19 +175,20 @@ export default function useSideNavLinks({
return links;
}, [
endpointsConfig,
interfaceConfig.parameters,
keyProvided,
endpointType,
endpoint,
endpointsConfig,
keyProvided,
hasAccessToAgents,
hasAccessToCreateAgents,
hasAccessToPrompts,
hasAccessToMemories,
hasAccessToReadMemories,
interfaceConfig.parameters,
endpointType,
hasAccessToBookmarks,
hasAccessToCreateAgents,
hidePanel,
availableMCPServers,
hasAccessToUseMCPSettings,
hidePanel,
]);
return Links;

2
client/src/hooks/Sharing/useResourcePermissionState.ts
View file

@ -8,7 +8,7 @@ import { getResourceConfig } from '~/utils';
/**
* Hook to manage resource permission state including current shares, public access, and mutations
* @param resourceType - Type of resource (e.g., ResourceType.AGENT, ResourceType.PROMPTGROUP)
* @param resourceType - Type of resource (e.g., ResourceType.AGENT, ResourceType.PROMPTGROUP, ResourceType.MCPSERVER)
* @param resourceDbId - Database ID of the resource
* @param isModalOpen - Whether the modal is open (for effect dependencies)
* @returns Object with permission state and update mutation

39
client/src/locales/en/translation.json
View file

@ -75,10 +75,8 @@
"com_agents_marketplace_subtitle": "Discover and use powerful AI agents to enhance your workflows and productivity",
"com_agents_mcp_description_placeholder": "Explain what it does in a few words",
"com_agents_mcp_icon_size": "Minimum size 128 x 128 px",
"com_agents_mcp_info": "Add MCP servers to your agent to enable it to perform tasks and interact with external services",
"com_agents_mcp_name_placeholder": "Custom Tool",
"com_agents_mcp_trust_subtext": "Custom connectors are not verified by LibreChat",
"com_agents_mcps_disabled": "You need to create an agent before adding MCPs.",
"com_agents_missing_name": "Please type in a name before creating an agent.",
"com_agents_missing_provider_model": "Please select a provider and model before creating an agent.",
"com_agents_name_placeholder": "Optional: The name of the agent",
@ -536,6 +534,7 @@
"com_nav_long_audio_warning": "Longer texts will take longer to process.",
"com_nav_maximize_chat_space": "Maximize chat space",
"com_nav_mcp_configure_server": "Configure {{0}}",
"com_nav_mcp_status_connected": "Connected",
"com_nav_mcp_status_connecting": "{{0}} - Connecting",
"com_nav_mcp_vars_update_error": "Error updating MCP custom user variables",
"com_nav_mcp_vars_updated": "MCP custom user variables updated successfully.",
@ -593,7 +592,6 @@
"com_sidepanel_conversation_tags": "Bookmarks",
"com_sidepanel_hide_panel": "Hide Panel",
"com_sidepanel_manage_files": "Manage Files",
"com_sidepanel_mcp_no_servers_with_vars": "No MCP servers with configurable variables.",
"com_sidepanel_parameters": "Parameters",
"com_sources_agent_file": "Source Document",
"com_sources_agent_files": "Agent Files",
@ -631,6 +629,10 @@
"com_ui_add_web_search_api_keys": "Add Web Search API Keys",
"com_ui_add_mcp": "Add MCP",
"com_ui_add_mcp_server": "Add MCP Server",
"com_ui_no_mcp_servers": "No MCP servers yet",
"com_ui_add_first_mcp_server": "Create your first MCP server to get started",
"com_ui_mcp_server_created": "MCP server created successfully",
"com_ui_mcp_server_updated": "MCP server updated successfully",
"com_ui_add_model_preset": "Add a model or preset for an additional response",
"com_ui_add_multi_conversation": "Add multi-conversation",
"com_ui_add_special_variables": "Add Special Variables",
@ -691,6 +693,9 @@
"com_ui_agents_allow_create": "Allow creating Agents",
"com_ui_agents_allow_share": "Allow sharing Agents",
"com_ui_agents_allow_use": "Allow using Agents",
"com_ui_mcp_servers_allow_create": "Allow users to create MCP servers",
"com_ui_mcp_servers_allow_share": "Allow users to share MCP servers",
"com_ui_mcp_servers_allow_use": "Allow users to use MCP servers",
"com_ui_all": "all",
"com_ui_all_proper": "All",
"com_ui_analyzing": "Analyzing",
@ -725,7 +730,6 @@
"com_ui_authentication": "Authentication",
"com_ui_authentication_type": "Authentication Type",
"com_ui_auto": "Auto",
"com_ui_available_tools": "Available Tools",
"com_ui_avatar": "Avatar",
"com_ui_azure": "Azure",
"com_ui_azure_ad": "Entra ID",
@ -864,10 +868,6 @@
"com_ui_delete_confirm_strong": "This will delete <strong>{{title}}</strong>",
"com_ui_delete_confirm_prompt_version_var": "This will delete the selected version for \"{{0}}.\" If no other versions exist, the prompt will be deleted.",
"com_ui_delete_conversation": "Delete chat?",
"com_ui_delete_mcp": "Delete MCP",
"com_ui_delete_mcp_confirm": "Are you sure you want to delete this MCP server?",
"com_ui_delete_mcp_error": "Failed to delete MCP server",
"com_ui_delete_mcp_success": "MCP server deleted successfully",
"com_ui_delete_memory": "Delete Memory",
"com_ui_delete_not_allowed": "Delete operation is not allowed",
"com_ui_delete_preset": "Delete Preset?",
@ -887,6 +887,7 @@
"com_ui_deselect_all": "Deselect All",
"com_ui_detailed": "Detailed",
"com_ui_disabling": "Disabling...",
"com_ui_done": "Done",
"com_ui_download": "Download",
"com_ui_download_artifact": "Download Artifact",
"com_ui_download_backup": "Download Backup Codes",
@ -904,9 +905,9 @@
"com_ui_edit": "Edit",
"com_ui_edit_editing_image": "Editing image",
"com_ui_edit_mcp_server": "Edit MCP Server",
"com_ui_edit_mcp_server_dialog_description": "Unique Server Identifier: {{serverName}}",
"com_ui_edit_memory": "Edit Memory",
"com_ui_edit_preset_title": "Edit Preset - {{title}}",
"com_ui_edit_server": "Edit {{serverName}}",
"com_ui_edit_prompt_page": "Edit Prompt Page",
"com_ui_editable_message": "Editable Message",
"com_ui_editor_instructions": "Drag the image to reposition • Use zoom slider or buttons to adjust size",
@ -1047,7 +1048,7 @@
"com_ui_mcp_initialized_success": "MCP server '{{0}}' initialized successfully",
"com_ui_mcp_oauth_cancelled": "OAuth login cancelled for {{0}}",
"com_ui_mcp_oauth_timeout": "OAuth login timed out for {{0}}",
"com_ui_mcp_server_not_found": "Server not found.",
"com_ui_mcp_server": "MCP Server",
"com_ui_mcp_servers": "MCP Servers",
"com_ui_mcp_update_var": "Update {{0}}",
"com_ui_mcp_url": "MCP Server URL",
@ -1109,7 +1110,6 @@
"com_ui_oauth_error_missing_code": "Authorization code is missing. Please try again.",
"com_ui_oauth_error_missing_state": "State parameter is missing. Please try again.",
"com_ui_oauth_error_title": "Authentication Failed",
"com_ui_oauth_revoke": "Revoke",
"com_ui_oauth_success_description": "Your authentication was successful. This window will close in",
"com_ui_oauth_success_title": "Authentication Successful",
"com_ui_of": "of",
@ -1154,6 +1154,9 @@
"com_ui_quality": "Quality",
"com_ui_read_aloud": "Read aloud",
"com_ui_redirecting_to_provider": "Redirecting to {{0}}, please wait...",
"com_ui_redirect_uri": "Redirect URI",
"com_ui_redirect_uri_info": "The redirect URI will be provided after the server is created. Configure it in your OAuth provider settings.",
"com_ui_redirect_uri_instructions": "Copy this redirect URI and configure it in your OAuth provider settings.",
"com_ui_reference_saved_memories": "Reference saved memories",
"com_ui_reference_saved_memories_description": "Allow the assistant to reference and use your saved memories when responding",
"com_ui_refresh": "Refresh",
@ -1199,6 +1202,18 @@
"com_ui_role_select": "Role",
"com_ui_role_viewer": "Viewer",
"com_ui_role_viewer_desc": "Can view and use the agent but cannot modify it",
"com_ui_mcp_server_role_viewer": "MCP Server Viewer",
"com_ui_mcp_server_role_viewer_desc": "Can view and use MCP servers",
"com_ui_mcp_server_role_editor": "MCP Server Editor",
"com_ui_mcp_server_role_editor_desc": "Can view, use, and edit MCP servers",
"com_ui_mcp_server_role_owner": "MCP Server Owner",
"com_ui_mcp_server_role_owner_desc": "Full control over MCP servers",
"com_ui_mcp_server_delete_confirm": "Are you sure you want to delete this MCP server?",
"com_ui_mcp_server_deleted": "MCP server deleted successfully",
"com_ui_mcp_title_invalid": "Title can only contain letters, numbers, and spaces",
"com_ui_mcp_server_type": "Server Type",
"com_ui_mcp_type_streamable_http": "Streamable HTTPS",
"com_ui_mcp_type_sse": "SSE",
"com_ui_roleplay": "Roleplay",
"com_ui_rotate": "Rotate",
"com_ui_rotate_90": "Rotate 90 degrees",
@ -1312,8 +1327,6 @@
"com_ui_unpin": "Unpin",
"com_ui_untitled": "Untitled",
"com_ui_update": "Update",
"com_ui_update_mcp_error": "There was an error creating or updating the MCP.",
"com_ui_update_mcp_success": "Successfully created or updated MCP",
"com_ui_upload": "Upload",
"com_ui_upload_agent_avatar": "Successfully updated agent avatar",
"com_ui_upload_agent_avatar_label": "Upload agent avatar image",

11
client/src/utils/resources.ts
View file

@ -36,6 +36,17 @@ export const RESOURCE_CONFIGS: Record<ResourceType, ResourceConfig> = {
`Manage permissions for ${name && name !== '' ? `"${name}"` : 'prompt'}`,
getCopyUrlMessage: () => 'Prompt URL copied',
},
[ResourceType.MCPSERVER]: {
resourceType: ResourceType.MCPSERVER,
defaultViewerRoleId: AccessRoleIds.MCPSERVER_VIEWER,
defaultEditorRoleId: AccessRoleIds.MCPSERVER_EDITOR,
defaultOwnerRoleId: AccessRoleIds.MCPSERVER_OWNER,
getResourceName: (name?: string) => (name && name !== '' ? `"${name}"` : 'MCP server'),
getShareMessage: (name?: string) => (name && name !== '' ? `"${name}"` : 'MCP server'),
getManageMessage: (name?: string) =>
`Manage permissions for ${name && name !== '' ? `"${name}"` : 'MCP server'}`,
getCopyUrlMessage: () => 'MCP Server URL copied',
},
};
export const getResourceConfig = (resourceType: ResourceType): ResourceConfig | undefined => {

13
client/src/utils/roles.ts
View file

@ -35,6 +35,19 @@ export const ROLE_LOCALIZATIONS = {
name: 'com_ui_role_owner' as const,
description: 'com_ui_role_owner_desc' as const,
} as const,
// MCPServer roles
mcpServer_viewer: {
name: 'com_ui_mcp_server_role_viewer' as const,
description: 'com_ui_mcp_server_role_viewer_desc' as const,
} as const,
mcpServer_editor: {
name: 'com_ui_mcp_server_role_editor' as const,
description: 'com_ui_mcp_server_role_editor_desc' as const,
} as const,
mcpServer_owner: {
name: 'com_ui_mcp_server_role_owner' as const,
description: 'com_ui_mcp_server_role_owner_desc' as const,
} as const,
};
/**

18
librechat.example.yaml
View file

@ -94,8 +94,17 @@ interface:
groups: true
roles: true
marketplace:
use: false
use: false
fileCitations: true
mcpServers:
# MCP Servers configuration
# Controls user permissions for MCP (Model Context Protocol) server management
# - use: Allow users to use configured MCP servers
# - create: Allow users to create and manage new MCP servers
# - share: Allow users to share MCP servers with other users
use: false
create: false
share: false
# Temporary chat retention period in hours (default: 720, min: 1, max: 8760)
# temporaryChatRetention: 1
@ -291,7 +300,7 @@ endpoints:
apiKey: '${OPENROUTER_KEY}'
baseURL: 'https://openrouter.ai/api/v1'
headers:
x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}'
x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}'
models:
default: ['meta-llama/llama-3-70b-instruct']
fetch: true
@ -308,9 +317,10 @@ endpoints:
apiKey: '${HELICONE_KEY}'
baseURL: 'https://ai-gateway.helicone.ai'
headers:
x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}'
x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}'
models:
default: ['gpt-4o-mini', 'claude-4.5-sonnet', 'llama-3.1-8b-instruct', 'gemini-2.5-flash-lite']
default:
['gpt-4o-mini', 'claude-4.5-sonnet', 'llama-3.1-8b-instruct', 'gemini-2.5-flash-lite']
fetch: true
titleConvo: true
titleModel: 'gpt-4o-mini'

1084
packages/api/src/acl/accessControlService.spec.ts Normal file
View file

File diff suppressed because it is too large Load diff

360
packages/api/src/acl/accessControlService.ts Normal file
View file

@ -0,0 +1,360 @@
import { Types, ClientSession, DeleteResult } from 'mongoose';
import { AllMethods, IAclEntry, createMethods, logger } from '@librechat/data-schemas';
import { AccessRoleIds, PrincipalType, ResourceType } from 'librechat-data-provider';
export class AccessControlService {
private _dbMethods: AllMethods;
private _aclModel;
constructor(mongoose: typeof import('mongoose')) {
this._dbMethods = createMethods(mongoose);
this._aclModel = mongoose.models.AclEntry;
}
/**
* Grant a permission to a principal for a resource using a role
* @param {Object} params - Parameters for granting role-based permission
* @param {string} params.principalType - PrincipalType.USER, PrincipalType.GROUP, or PrincipalType.PUBLIC
* @param {string|mongoose.Types.ObjectId|null} params.principalId - The ID of the principal (null for PrincipalType.PUBLIC)
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
* @param {string} params.accessRoleId - The ID of the role (e.g., AccessRoleIds.AGENT_VIEWER, AccessRoleIds.AGENT_EDITOR)
* @param {Types.ObjectId} params.grantedBy - User ID granting the permission
* @param {ClientSession} [params.session] - Optional MongoDB session for transactions
* @returns {Promise<IAclEntry>} The created or updated ACL entry
*/
public async grantPermission(args: {
principalType: PrincipalType;
principalId: string | Types.ObjectId | null;
resourceType: string;
resourceId: string | Types.ObjectId;
accessRoleId: AccessRoleIds;
grantedBy: string | Types.ObjectId;
session?: ClientSession;
roleId?: string | Types.ObjectId;
}): Promise<IAclEntry | null> {
const {
principalType,
principalId,
resourceType,
resourceId,
accessRoleId,
grantedBy,
session,
} = args;
try {
if (!Object.values(PrincipalType).includes(principalType)) {
throw new Error(`Invalid principal type: ${principalType}`);
}
if (principalType !== PrincipalType.PUBLIC && !principalId) {
throw new Error('Principal ID is required for user, group, and role principals');
}
// Validate principalId based on type
if (principalId && principalType === PrincipalType.ROLE) {
// Role IDs are strings (role names)
if (typeof principalId !== 'string' || principalId.trim().length === 0) {
throw new Error(`Invalid role ID: ${principalId}`);
}
} else if (
principalType &&
principalType !== PrincipalType.PUBLIC &&
(!principalId || !Types.ObjectId.isValid(principalId))
) {
// User and Group IDs must be valid ObjectIds
throw new Error(`Invalid principal ID: ${principalId}`);
}
if (!resourceId || !Types.ObjectId.isValid(resourceId)) {
throw new Error(`Invalid resource ID: ${resourceId}`);
}
this.validateResourceType(resourceType as ResourceType);
// Get the role to determine permission bits
const role = await this._dbMethods.findRoleByIdentifier(accessRoleId);
if (!role) {
throw new Error(`Role ${accessRoleId} not found`);
}
// Ensure the role is for the correct resource type
if (role.resourceType !== resourceType) {
throw new Error(
`Role ${accessRoleId} is for ${role.resourceType} resources, not ${resourceType}`,
);
}
return await this._dbMethods.grantPermission(
principalType,
principalId,
resourceType,
resourceId,
role.permBits,
grantedBy,
session,
role._id,
);
} catch (error) {
logger.error(
`[PermissionService.grantPermission] Error: ${error instanceof Error ? error.message : ''}`,
error,
);
throw error;
}
}
/**
* Find all resources of a specific type that a user has access to with specific permission bits
* @param {Object} params - Parameters for finding accessible resources
* @param {string | Types.ObjectId} params.userId - The ID of the user
* @param {string} [params.role] - Optional user role (if not provided, will query from DB)
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
* @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
* @returns {Promise<Array>} Array of resource IDs
*/
public async findAccessibleResources({
userId,
role,
resourceType,
requiredPermissions,
}: {
userId: string | Types.ObjectId;
role?: string;
resourceType: string;
requiredPermissions: number;
}): Promise<Types.ObjectId[]> {
try {
if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
throw new Error('requiredPermissions must be a positive number');
}
this.validateResourceType(resourceType as ResourceType);
// Get all principals for the user (user + groups + public)
const principalsList = await this._dbMethods.getUserPrincipals({ userId, role });
if (principalsList.length === 0) {
return [];
}
return await this._dbMethods.findAccessibleResources(
principalsList,
resourceType,
requiredPermissions,
);
} catch (error) {
if (error instanceof Error) {
logger.error(`[PermissionService.findAccessibleResources] Error: ${error.message}`);
// Re-throw validation errors
if (error.message.includes('requiredPermissions must be')) {
throw error;
}
}
return [];
}
}
/**
* Find all publicly accessible resources of a specific type
* @param {Object} params - Parameters for finding publicly accessible resources
* @param {ResourceType} params.resourceType - Type of resource (e.g., 'agent')
* @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
* @returns {Promise<Types.ObjectId[]>} Array of resource IDs
*/
public async findPubliclyAccessibleResources({
resourceType,
requiredPermissions,
}: {
resourceType: ResourceType;
requiredPermissions: number;
}): Promise<Types.ObjectId[]> {
try {
if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
throw new Error('requiredPermissions must be a positive number');
}
this.validateResourceType(resourceType);
// Find all public ACL entries where the public principal has at least the required permission bits
const entries = await this._aclModel
.find({
principalType: PrincipalType.PUBLIC,
resourceType,
permBits: { $bitsAllSet: requiredPermissions },
})
.distinct('resourceId');
return entries;
} catch (error) {
if (error instanceof Error) {
logger.error(`[PermissionService.findPubliclyAccessibleResources] Error: ${error.message}`);
// Re-throw validation errors
if (error.message.includes('requiredPermissions must be')) {
throw error;
}
}
return [];
}
}
/**
* Get effective permissions for multiple resources in a batch operation
* Returns map of resourceId effectivePermissionBits
*
* @param {Object} params - Parameters
* @param {string|mongoose.Types.ObjectId} params.userId - User ID
* @param {string} [params.role] - User role (for group membership)
* @param {string} params.resourceType - Resource type (must be valid ResourceType)
* @param {Array<mongoose.Types.ObjectId>} params.resourceIds - Array of resource IDs
* @returns {Promise<Map<string, number>>} Map of resourceId string permission bits
* @throws {Error} If resourceType is invalid
*/
public async getResourcePermissionsMap({
userId,
role,
resourceType,
resourceIds,
}: {
userId: string | Types.ObjectId;
role: string;
resourceType: ResourceType;
resourceIds: (string | Types.ObjectId)[];
}): Promise<Map<string, number>> {
// Validate resource type - throw on invalid type
this.validateResourceType(resourceType);
// Handle empty input
if (!Array.isArray(resourceIds) || resourceIds.length === 0) {
return new Map();
}
try {
// Get user principals (user + groups + public)
const principals = await this._dbMethods.getUserPrincipals({ userId, role });
// Use batch method from aclEntry
const permissionsMap = await this._dbMethods.getEffectivePermissionsForResources(
principals,
resourceType,
resourceIds,
);
logger.debug(
`[PermissionService.getResourcePermissionsMap] Computed permissions for ${resourceIds.length} resources, ${permissionsMap.size} have permissions`,
);
return permissionsMap;
} catch (error) {
if (error instanceof Error) {
logger.error(
`[PermissionService.getResourcePermissionsMap] Error: ${error.message}`,
error,
);
}
throw error;
}
}
/**
* Remove all permissions for a resource (cleanup when resource is deleted)
* @param {Object} params - Parameters for removing all permissions
* @param {string} params.resourceType - Type of resource (e.g., 'agent', 'prompt')
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
* @returns {Promise<DeleteResult>} Result of the deletion operation
*/
public async removeAllPermissions({
resourceType,
resourceId,
}: {
resourceType: ResourceType;
resourceId: string | Types.ObjectId;
}): Promise<DeleteResult> {
try {
this.validateResourceType(resourceType);
if (!resourceId || !Types.ObjectId.isValid(resourceId)) {
throw new Error(`Invalid resource ID: ${resourceId}`);
}
const result = await this._aclModel.deleteMany({
resourceType,
resourceId,
});
return result;
} catch (error) {
if (error instanceof Error) {
logger.error(`[PermissionService.removeAllPermissions] Error: ${error.message}`);
}
throw error;
}
}
/**
* Check if a user has specific permission bits on a resource
* @param {Object} params - Parameters for checking permissions
* @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
* @param {string} [params.role] - Optional user role (if not provided, will query from DB)
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
* @param {number} params.requiredPermissions - The permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
* @returns {Promise<boolean>} Whether the user has the required permission bits
*/
public async checkPermission({
userId,
role,
resourceType,
resourceId,
requiredPermission,
}: {
userId: string;
role?: string;
resourceType: ResourceType;
resourceId: string | Types.ObjectId;
requiredPermission: number;
}): Promise<boolean> {
try {
if (typeof requiredPermission !== 'number' || requiredPermission < 1) {
throw new Error('requiredPermission must be a positive number');
}
this.validateResourceType(resourceType);
// Get all principals for the user (user + groups + public)
const principals = await this._dbMethods.getUserPrincipals({ userId, role });
if (principals.length === 0) {
return false;
}
return await this._dbMethods.hasPermission(
principals,
resourceType,
resourceId,
requiredPermission,
);
} catch (error) {
if (error instanceof Error) {
logger.error(`[PermissionService.checkPermission] Error: ${error.message}`);
// Re-throw validation errors
if (error.message.includes('requiredPermission must be')) {
throw error;
}
}
return false;
}
}
/**
* Validates that the resourceType is one of the supported enum values
* @param {string} resourceType - The resource type to validate
* @throws {Error} If resourceType is not valid
*/
private validateResourceType(resourceType: ResourceType): void {
const validTypes = Object.values(ResourceType);
if (!validTypes.includes(resourceType)) {
throw new Error(
`Invalid resourceType: ${resourceType}. Valid types: ${validTypes.join(', ')}`,
);
}
}
}

70
packages/api/src/app/permissions.spec.ts
View file

@ -74,6 +74,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -103,6 +108,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@ -182,6 +192,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: false },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -211,6 +226,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: false },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@ -290,6 +310,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -319,6 +344,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@ -411,6 +441,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -440,6 +475,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@ -519,6 +559,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -548,6 +593,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@ -630,6 +680,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -653,6 +708,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@ -751,6 +811,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: false,
},
};
const expectedPermissionsForAdmin = {
@ -777,6 +842,11 @@ describe('updateInterfacePermissions - permissions', () => {
},
[PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
[PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true },
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
};
expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);

19
packages/api/src/app/permissions.ts
View file

@ -41,6 +41,8 @@ function hasExplicitConfig(
return interfaceConfig?.fileSearch !== undefined;
case PermissionTypes.FILE_CITATIONS:
return interfaceConfig?.fileCitations !== undefined;
case PermissionTypes.MCP_SERVERS:
return interfaceConfig?.mcpServers !== undefined;
default:
return false;
}
@ -256,6 +258,23 @@ export async function updateInterfacePermissions({
defaults.fileCitations,
),
},
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: getPermissionValue(
loadedInterface.mcpServers?.use,
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.USE],
defaults.mcpServers?.use,
),
[Permissions.CREATE]: getPermissionValue(
loadedInterface.mcpServers?.create,
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.CREATE],
defaults.mcpServers?.create,
),
[Permissions.SHARE]: getPermissionValue(
loadedInterface.mcpServers?.share,
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.SHARE],
defaults.mcpServers?.share,
),
},
};
// Check and add each permission type if needed

4
packages/api/src/mcp/ConnectionsRepository.ts
View file

@ -50,12 +50,12 @@ export class ConnectionsRepository {
}
if (existingConnection) {
// Check if config was cached/updated since connection was created
if (serverConfig.lastUpdatedAt && existingConnection.isStale(serverConfig.lastUpdatedAt)) {
if (serverConfig.updatedAt && existingConnection.isStale(serverConfig.updatedAt)) {
logger.info(
`${this.prefix(serverName)} Existing connection for ${serverName} is outdated. Recreating a new connection.`,
{
connectionCreated: new Date(existingConnection.createdAt).toISOString(),
configCachedAt: new Date(serverConfig.lastUpdatedAt).toISOString(),
configCachedAt: new Date(serverConfig.updatedAt).toISOString(),
},
);

2
packages/api/src/mcp/UserConnectionManager.ts
View file

@ -79,7 +79,7 @@ export abstract class UserConnectionManager {
}
connection = undefined; // Force creation of a new connection
} else if (connection) {
if (!config || (config.lastUpdatedAt && connection.isStale(config.lastUpdatedAt))) {
if (!config || (config.updatedAt && connection.isStale(config.updatedAt))) {
if (config) {
logger.info(
`[MCP][User: ${userId}][${serverName}] Config was updated, disconnecting stale connection`,

10
packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts
View file

@ -145,10 +145,10 @@ describe('ConnectionsRepository', () => {
isStale: jest.fn().mockReturnValue(true),
} as unknown as jest.Mocked<MCPConnection>;
// Update server config with lastUpdatedAt timestamp
// Update server config with updatedAt timestamp
const configWithCachedAt = {
...mockServerConfigs.server1,
lastUpdatedAt: configCachedAt,
updatedAt: configCachedAt,
};
mockRegistry.getServerConfig.mockResolvedValueOnce(configWithCachedAt);
@ -156,7 +156,7 @@ describe('ConnectionsRepository', () => {
const result = await repository.get('server1');
// Verify stale check was called with the config's lastUpdatedAt timestamp
// Verify stale check was called with the config's updatedAt timestamp
expect(staleConnection.isStale).toHaveBeenCalledWith(configCachedAt);
// Verify old connection was disconnected
@ -190,10 +190,10 @@ describe('ConnectionsRepository', () => {
isStale: jest.fn().mockReturnValue(false),
} as unknown as jest.Mocked<MCPConnection>;
// Update server config with lastUpdatedAt timestamp
// Update server config with updatedAt timestamp
const configWithCachedAt = {
...mockServerConfigs.server1,
lastUpdatedAt: configCachedAt,
updatedAt: configCachedAt,
};
mockRegistry.getServerConfig.mockResolvedValueOnce(configWithCachedAt);

4
packages/api/src/mcp/registry/MCPServersInitializer.ts
View file

@ -59,12 +59,12 @@ export class MCPServersInitializer {
/** Initializes a single server with all its metadata and adds it to appropriate collections */
public static async initializeServer(serverName: string, rawConfig: t.MCPOptions): Promise<void> {
try {
const config = await MCPServersRegistry.getInstance().addServer(
const result = await MCPServersRegistry.getInstance().addServer(
serverName,
rawConfig,
'CACHE',
);
MCPServersInitializer.logParsedConfig(serverName, config);
MCPServersInitializer.logParsedConfig(serverName, result.config);
} catch (error) {
logger.error(`${MCPServersInitializer.prefix(serverName)} Failed to initialize:`, error);
}

8
packages/api/src/mcp/registry/MCPServersRegistry.ts
View file

@ -76,11 +76,10 @@ export class MCPServersRegistry {
config: t.MCPOptions,
storageLocation: 'CACHE' | 'DB',
userId?: string,
): Promise<t.ParsedServerConfig> {
): Promise<t.AddServerResult> {
const configRepo = this.getConfigRepository(storageLocation);
const parsedConfig = await MCPServerInspector.inspect(serverName, config);
await configRepo.add(serverName, parsedConfig, userId);
return parsedConfig;
return await configRepo.add(serverName, parsedConfig, userId);
}
public async updateServer(
@ -88,10 +87,11 @@ export class MCPServersRegistry {
config: t.MCPOptions,
storageLocation: 'CACHE' | 'DB',
userId?: string,
): Promise<void> {
): Promise<t.ParsedServerConfig> {
const configRepo = this.getConfigRepository(storageLocation);
const parsedConfig = await MCPServerInspector.inspect(serverName, config);
await configRepo.update(serverName, parsedConfig, userId);
return parsedConfig;
}
// TODO: This is currently used to determine if a server requires OAuth. However, this info can

4
packages/api/src/mcp/registry/ServerConfigsRepositoryInterface.ts
View file

@ -1,10 +1,10 @@
import { ParsedServerConfig } from '~/mcp/types';
import { ParsedServerConfig, AddServerResult } from '~/mcp/types';
/**
* Interface for future DB implementation
*/
export interface IServerConfigsRepositoryInterface {
add(serverName: string, config: ParsedServerConfig, userId?: string): Promise<void>;
add(serverName: string, config: ParsedServerConfig, userId?: string): Promise<AddServerResult>;
//ACL Entry check if update is possible
update(serverName: string, config: ParsedServerConfig, userId?: string): Promise<void>;

12
packages/api/src/mcp/registry/__tests__/MCPServersInitializer.cache_integration.spec.ts
View file

@ -8,6 +8,18 @@ jest.mock('~/cluster', () => ({
isLeader: jest.fn().mockResolvedValue(true),
}));
// Mock ServerConfigsDB to avoid needing MongoDB for cache integration tests
jest.mock('../db/ServerConfigsDB', () => ({
ServerConfigsDB: jest.fn().mockImplementation(() => ({
get: jest.fn().mockResolvedValue(undefined),
getAll: jest.fn().mockResolvedValue({}),
add: jest.fn().mockResolvedValue({ config: {}, isNew: true }),
update: jest.fn().mockResolvedValue(undefined),
remove: jest.fn().mockResolvedValue(undefined),
reset: jest.fn().mockResolvedValue(undefined),
})),
}));
describe('MCPServersInitializer Redis Integration Tests', () => {
let MCPServersInitializer: typeof import('../MCPServersInitializer').MCPServersInitializer;
let MCPServersRegistry: typeof import('../MCPServersRegistry').MCPServersRegistry;

31
packages/api/src/mcp/registry/__tests__/MCPServersRegistry.cache_integration.spec.ts
View file

@ -1,8 +1,22 @@
import { expect } from '@playwright/test';
import { MongoMemoryServer } from 'mongodb-memory-server';
import type * as t from '~/mcp/types';
import type { MCPServersRegistry as MCPServersRegistryType } from '../MCPServersRegistry';
// Mock ServerConfigsDB to avoid needing MongoDB for cache integration tests
jest.mock('../db/ServerConfigsDB', () => ({
ServerConfigsDB: jest.fn().mockImplementation(() => ({
get: jest.fn().mockResolvedValue(undefined),
getAll: jest.fn().mockResolvedValue({}),
add: jest.fn().mockResolvedValue({
serverName: 'mock-server',
config: {} as t.ParsedServerConfig,
}),
update: jest.fn().mockResolvedValue(undefined),
remove: jest.fn().mockResolvedValue(undefined),
reset: jest.fn().mockResolvedValue(undefined),
})),
}));
/**
* Integration tests for MCPServersRegistry using Redis-backed cache.
* For unit tests using in-memory cache, see MCPServersRegistry.test.ts
@ -18,7 +32,6 @@ describe('MCPServersRegistry Redis Integration Tests', () => {
let LeaderElection: typeof import('~/cluster/LeaderElection').LeaderElection;
let leaderInstance: InstanceType<typeof import('~/cluster/LeaderElection').LeaderElection>;
let MCPServerInspector: typeof import('../MCPServerInspector').MCPServerInspector;
let mongoServer: MongoMemoryServer;
const testParsedConfig: t.ParsedServerConfig = {
type: 'stdio',
@ -60,21 +73,12 @@ describe('MCPServersRegistry Redis Integration Tests', () => {
const leaderElectionModule = await import('~/cluster/LeaderElection');
const inspectorModule = await import('../MCPServerInspector');
const mongoose = await import('mongoose');
const { userSchema } = await import('@librechat/data-schemas');
MCPServersRegistry = registryModule.MCPServersRegistry;
keyvRedisClient = redisClients.keyvRedisClient;
LeaderElection = leaderElectionModule.LeaderElection;
MCPServerInspector = inspectorModule.MCPServerInspector;
// Set up MongoDB with MongoMemoryServer for db methods
mongoServer = await MongoMemoryServer.create();
const mongoUri = mongoServer.getUri();
if (!mongoose.default.models.User) {
mongoose.default.model('User', userSchema);
}
await mongoose.default.connect(mongoUri);
// Reset singleton and create new instance with mongoose
(MCPServersRegistry as unknown as { instance: undefined }).instance = undefined;
MCPServersRegistry.createInstance(mongoose.default);
@ -135,11 +139,6 @@ describe('MCPServersRegistry Redis Integration Tests', () => {
// Close Redis connection
if (keyvRedisClient?.isOpen) await keyvRedisClient.disconnect();
// Close MongoDB connection and stop memory server
const mongoose = await import('mongoose');
await mongoose.default.disconnect();
if (mongoServer) await mongoServer.stop();
});
// Tests for the old privateServersCache API have been removed

2
packages/api/src/mcp/registry/__tests__/MCPServersRegistry.test.ts
View file

@ -49,7 +49,7 @@ describe('MCPServersRegistry', () => {
},
},
},
lastUpdatedAt: FIXED_TIME,
updatedAt: FIXED_TIME,
};
beforeAll(() => {
jest.useFakeTimers();

844
packages/api/src/mcp/registry/__tests__/ServerConfigsDB.test.ts Normal file
View file

@ -0,0 +1,844 @@
import mongoose from 'mongoose';
import { MongoMemoryServer } from 'mongodb-memory-server';
import {
AccessRoleIds,
PermissionBits,
PrincipalType,
PrincipalModel,
ResourceType,
} from 'librechat-data-provider';
import { createModels, createMethods, RoleBits } from '@librechat/data-schemas';
import { ServerConfigsDB } from '../db/ServerConfigsDB';
import type { ParsedServerConfig } from '~/mcp/types';
// Mock the logger
jest.mock('@librechat/data-schemas', () => ({
...jest.requireActual('@librechat/data-schemas'),
logger: {
error: jest.fn(),
warn: jest.fn(),
debug: jest.fn(),
info: jest.fn(),
},
}));
let mongoServer: MongoMemoryServer;
let serverConfigsDB: ServerConfigsDB;
// Test data helpers
const createSSEConfig = (
title?: string,
description?: string,
oauth?: { client_secret?: string; client_id?: string },
): ParsedServerConfig => ({
type: 'sse',
url: 'https://example.com/mcp',
...(title && { title }),
...(description && { description }),
...(oauth && { oauth }),
});
let dbMethods: ReturnType<typeof createMethods>;
beforeAll(async () => {
mongoServer = await MongoMemoryServer.create();
const mongoUri = mongoServer.getUri();
await mongoose.connect(mongoUri);
// Initialize all models
createModels(mongoose);
// Create methods and seed default roles
dbMethods = createMethods(mongoose);
await dbMethods.seedDefaultRoles();
serverConfigsDB = new ServerConfigsDB(mongoose);
});
afterAll(async () => {
await mongoose.disconnect();
await mongoServer.stop();
});
beforeEach(async () => {
// Clear collections except AccessRole
await mongoose.models.MCPServer.deleteMany({});
await mongoose.models.Agent.deleteMany({});
await mongoose.models.AclEntry.deleteMany({});
});
describe('ServerConfigsDB', () => {
const userId = new mongoose.Types.ObjectId().toString();
const userId2 = new mongoose.Types.ObjectId().toString();
describe('constructor', () => {
it('should throw error when mongoose is not provided', () => {
expect(() => new ServerConfigsDB(null as unknown as typeof mongoose)).toThrow(
'ServerConfigsDB requires mongoose instance',
);
});
it('should create instance when mongoose is provided', () => {
const instance = new ServerConfigsDB(mongoose);
expect(instance).toBeInstanceOf(ServerConfigsDB);
});
});
describe('add()', () => {
it('should throw error when userId is not provided', async () => {
await expect(serverConfigsDB.add('test-server', createSSEConfig('Test'))).rejects.toThrow(
'User ID is required to create a database-stored MCP server',
);
});
it('should create server and return AddServerResult with generated serverName', async () => {
const config = createSSEConfig('My Test Server', 'A test server');
const result = await serverConfigsDB.add('temp-name', config, userId);
expect(result).toBeDefined();
expect(result.serverName).toBe('my-test-server');
expect(result.config).toMatchObject({
type: 'sse',
url: 'https://example.com/mcp',
title: 'My Test Server',
description: 'A test server',
});
expect(result.config.dbId).toBeDefined();
});
it('should grant owner ACL to the user', async () => {
const config = createSSEConfig('ACL Test Server');
const result = await serverConfigsDB.add('temp-name', config, userId);
// Verify ACL entry was created
const aclEntry = await mongoose.models.AclEntry.findOne({
principalType: PrincipalType.USER,
principalId: new mongoose.Types.ObjectId(userId),
resourceType: ResourceType.MCPSERVER,
});
expect(aclEntry).toBeDefined();
expect(aclEntry!.resourceId.toString()).toBe(result.config.dbId);
// OWNER role has VIEW | EDIT | DELETE | SHARE = 15
expect(aclEntry!.permBits).toBe(RoleBits.OWNER);
});
it('should include dbId and updatedAt in returned config', async () => {
const config = createSSEConfig('Metadata Test');
const result = await serverConfigsDB.add('temp-name', config, userId);
expect(result.config.dbId).toBeDefined();
expect(typeof result.config.dbId).toBe('string');
expect(result.config.updatedAt).toBeDefined();
expect(typeof result.config.updatedAt).toBe('number');
});
});
describe('update()', () => {
it('should throw error when userId is not provided', async () => {
await expect(serverConfigsDB.update('test-server', createSSEConfig('Test'))).rejects.toThrow(
'User ID is required to update a database-stored MCP server',
);
});
it('should update server config', async () => {
const config = createSSEConfig('Original Title', 'Original description');
const created = await serverConfigsDB.add('temp-name', config, userId);
const updatedConfig = createSSEConfig('Original Title', 'Updated description');
await serverConfigsDB.update(created.serverName, updatedConfig, userId);
const retrieved = await serverConfigsDB.get(created.serverName, userId);
expect(retrieved?.description).toBe('Updated description');
});
it('should preserve oauth.client_secret when not provided in update', async () => {
const config = createSSEConfig('OAuth Server', 'Test', {
client_id: 'my-client-id',
client_secret: 'super-secret-key',
});
const created = await serverConfigsDB.add('temp-name', config, userId);
// Update without client_secret
const updatedConfig = createSSEConfig('OAuth Server', 'Updated description', {
client_id: 'my-client-id',
// client_secret not provided
});
await serverConfigsDB.update(created.serverName, updatedConfig, userId);
// Verify the secret is preserved
const MCPServer = mongoose.models.MCPServer;
const server = await MCPServer.findOne({ serverName: created.serverName });
expect(server?.config?.oauth?.client_secret).toBe('super-secret-key');
});
it('should allow updating oauth.client_secret when explicitly provided', async () => {
const config = createSSEConfig('OAuth Server 2', 'Test', {
client_id: 'my-client-id',
client_secret: 'old-secret',
});
const created = await serverConfigsDB.add('temp-name', config, userId);
// Update with new client_secret
const updatedConfig = createSSEConfig('OAuth Server 2', 'Updated', {
client_id: 'my-client-id',
client_secret: 'new-secret',
});
await serverConfigsDB.update(created.serverName, updatedConfig, userId);
// Verify the secret is updated
const MCPServer = mongoose.models.MCPServer;
const server = await MCPServer.findOne({ serverName: created.serverName });
expect(server?.config?.oauth?.client_secret).toBe('new-secret');
});
});
describe('remove()', () => {
it('should delete server from database', async () => {
const config = createSSEConfig('Delete Test');
const created = await serverConfigsDB.add('temp-name', config, userId);
await serverConfigsDB.remove(created.serverName, userId);
const MCPServer = mongoose.models.MCPServer;
const server = await MCPServer.findOne({ serverName: created.serverName });
expect(server).toBeNull();
});
it('should remove all ACL entries for the server', async () => {
const config = createSSEConfig('ACL Delete Test');
const created = await serverConfigsDB.add('temp-name', config, userId);
// Verify ACL exists before deletion
let aclEntries = await mongoose.models.AclEntry.find({
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created.config.dbId!),
});
expect(aclEntries.length).toBeGreaterThan(0);
await serverConfigsDB.remove(created.serverName, userId);
// Verify ACL entries are removed
aclEntries = await mongoose.models.AclEntry.find({
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created.config.dbId!),
});
expect(aclEntries.length).toBe(0);
});
it('should handle non-existent server gracefully', async () => {
// Should not throw
await expect(serverConfigsDB.remove('non-existent-server', userId)).resolves.toBeUndefined();
});
});
describe('get()', () => {
describe('public access (no userId)', () => {
it('should return undefined for non-public server without userId', async () => {
const config = createSSEConfig('Private Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
const result = await serverConfigsDB.get(created.serverName);
expect(result).toBeUndefined();
});
it('should return server when publicly shared', async () => {
const config = createSSEConfig('Public Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
// Grant public access
await mongoose.models.AclEntry.create({
principalType: PrincipalType.PUBLIC,
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created.config.dbId!),
permBits: PermissionBits.VIEW,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.get(created.serverName);
expect(result).toBeDefined();
expect(result?.title).toBe('Public Server');
});
it('should return server with consumeOnly when accessible via public agent', async () => {
const config = createSSEConfig('Agent MCP Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
// Create an agent that has this MCP server
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'test-agent-id',
name: 'Test Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
// Grant public access to the agent
await mongoose.models.AclEntry.create({
principalType: PrincipalType.PUBLIC,
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.get(created.serverName);
expect(result).toBeDefined();
expect(result?.consumeOnly).toBe(true);
});
});
describe('user direct access', () => {
it('should return server when user has direct VIEW permission', async () => {
const config = createSSEConfig('Direct Access Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
// The owner should have access
const result = await serverConfigsDB.get(created.serverName, userId);
expect(result).toBeDefined();
expect(result?.title).toBe('Direct Access Server');
expect(result?.consumeOnly).toBeUndefined();
});
it('should return undefined when user has no permission', async () => {
const config = createSSEConfig('Restricted Server');
await serverConfigsDB.add('temp-name', config, userId);
// Different user without access
const result = await serverConfigsDB.get('restricted-server', userId2);
expect(result).toBeUndefined();
});
it('should return server when user is granted VIEW permission', async () => {
const config = createSSEConfig('Shared Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
// Grant VIEW permission to userId2
const role = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created.config.dbId!),
permBits: PermissionBits.VIEW,
roleId: role!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeDefined();
expect(result?.title).toBe('Shared Server');
});
});
describe('agent-based access (consumeOnly)', () => {
it('should return server with consumeOnly when user has access via agent', async () => {
const config = createSSEConfig('Agent Accessible Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
// Create an agent with this MCP server
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'agent-for-user2',
name: 'Agent for User 2',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
// Grant agent access to userId2
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeDefined();
expect(result?.consumeOnly).toBe(true);
expect(result?.title).toBe('Agent Accessible Server');
});
it('should prefer direct access over agent access (no consumeOnly)', async () => {
const config = createSSEConfig('Both Access Server');
const created = await serverConfigsDB.add('temp-name', config, userId);
// Create an agent with this MCP server
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'agent-both-access',
name: 'Agent Both Access',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
// Grant userId2 both direct MCP access and agent access
const mcpRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created.config.dbId!),
permBits: PermissionBits.VIEW,
roleId: mcpRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
// Direct access should take precedence (no consumeOnly)
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeDefined();
expect(result?.consumeOnly).toBeUndefined();
});
});
it('should return undefined for non-existent server', async () => {
const result = await serverConfigsDB.get('non-existent-server', userId);
expect(result).toBeUndefined();
});
});
describe('getAll()', () => {
describe('public access (no userId)', () => {
it('should return empty object when no public servers exist', async () => {
const config = createSSEConfig('Private Server');
await serverConfigsDB.add('temp-name', config, userId);
const result = await serverConfigsDB.getAll();
expect(Object.keys(result)).toHaveLength(0);
});
it('should return only publicly shared servers', async () => {
const config1 = createSSEConfig('Public Server 1');
const config2 = createSSEConfig('Private Server');
const created1 = await serverConfigsDB.add('temp1', config1, userId);
await serverConfigsDB.add('temp2', config2, userId);
// Make first server public
await mongoose.models.AclEntry.create({
principalType: PrincipalType.PUBLIC,
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created1.config.dbId!),
permBits: PermissionBits.VIEW,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.getAll();
expect(Object.keys(result)).toHaveLength(1);
expect(result['public-server-1']).toBeDefined();
});
});
describe('user access', () => {
it('should return servers directly accessible by user', async () => {
const config1 = createSSEConfig('User Server 1');
const config2 = createSSEConfig('User Server 2');
await serverConfigsDB.add('temp1', config1, userId);
await serverConfigsDB.add('temp2', config2, userId);
// Create server by different user (not accessible)
await serverConfigsDB.add('temp3', createSSEConfig('Other User Server'), userId2);
const result = await serverConfigsDB.getAll(userId);
expect(Object.keys(result)).toHaveLength(2);
expect(result['user-server-1']).toBeDefined();
expect(result['user-server-2']).toBeDefined();
expect(result['other-user-server']).toBeUndefined();
});
it('should include agent-accessible servers with consumeOnly flag', async () => {
const config1 = createSSEConfig('Direct Server');
const config2 = createSSEConfig('Agent Only Server');
await serverConfigsDB.add('temp1', config1, userId);
const created2 = await serverConfigsDB.add('temp2', config2, userId);
// Create an agent with second MCP server, accessible by userId2
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'getall-agent',
name: 'GetAll Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created2.serverName],
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.getAll(userId2);
expect(Object.keys(result)).toHaveLength(1);
expect(result['agent-only-server']).toBeDefined();
expect(result['agent-only-server'].consumeOnly).toBe(true);
});
it('should deduplicate servers with both direct and agent access', async () => {
const config = createSSEConfig('Dedup Server');
const created = await serverConfigsDB.add('temp', config, userId);
// Create an agent with this MCP server
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'dedup-agent',
name: 'Dedup Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
// Grant userId2 both direct MCP access and agent access
const mcpRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.MCPSERVER,
resourceId: new mongoose.Types.ObjectId(created.config.dbId!),
permBits: PermissionBits.VIEW,
roleId: mcpRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.getAll(userId2);
// Should only have one entry (deduplicated)
expect(Object.keys(result)).toHaveLength(1);
// Direct access takes precedence - no consumeOnly
expect(result['dedup-server']).toBeDefined();
expect(result['dedup-server'].consumeOnly).toBeUndefined();
});
it('should merge servers from multiple agents', async () => {
const config1 = createSSEConfig('Agent1 Server');
const config2 = createSSEConfig('Agent2 Server');
const created1 = await serverConfigsDB.add('temp1', config1, userId);
const created2 = await serverConfigsDB.add('temp2', config2, userId);
// Create two agents, each with a different MCP server
const Agent = mongoose.models.Agent;
const agent1 = await Agent.create({
id: 'multi-agent-1',
name: 'Multi Agent 1',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created1.serverName],
});
const agent2 = await Agent.create({
id: 'multi-agent-2',
name: 'Multi Agent 2',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created2.serverName],
});
// Grant userId2 access to both agents
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create([
{
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent1._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
},
{
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent2._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
},
]);
const result = await serverConfigsDB.getAll(userId2);
expect(Object.keys(result)).toHaveLength(2);
expect(result['agent1-server']?.consumeOnly).toBe(true);
expect(result['agent2-server']?.consumeOnly).toBe(true);
});
});
});
describe('hasAccessViaAgent() - private method integration', () => {
it('should return false when no agents exist', async () => {
const config = createSSEConfig('No Agent Server');
const created = await serverConfigsDB.add('temp', config, userId);
// Access via get() which uses hasAccessViaAgent internally
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeUndefined();
});
it('should return false when agent has MCP but user has no agent access', async () => {
const config = createSSEConfig('Inaccessible Agent Server');
const created = await serverConfigsDB.add('temp', config, userId);
// Create an agent with this MCP server but no ACL for userId2
const Agent = mongoose.models.Agent;
await Agent.create({
id: 'inaccessible-agent',
name: 'Inaccessible Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeUndefined();
});
it('should return true when user has VIEW access to agent with the MCP server', async () => {
const config = createSSEConfig('Accessible Agent Server');
const created = await serverConfigsDB.add('temp', config, userId);
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'accessible-agent',
name: 'Accessible Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeDefined();
expect(result?.consumeOnly).toBe(true);
});
it('should handle multiple agents - one accessible, one not', async () => {
const config = createSSEConfig('Multi Agent Access Server');
const created = await serverConfigsDB.add('temp', config, userId);
const Agent = mongoose.models.Agent;
// Agent 1: has MCP server but no user access
await Agent.create({
id: 'no-access-agent',
name: 'No Access Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
// Agent 2: has MCP server AND user has access
const accessibleAgent = await Agent.create({
id: 'has-access-agent',
name: 'Has Access Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [created.serverName],
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: accessibleAgent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeDefined();
expect(result?.consumeOnly).toBe(true);
});
});
describe('reset()', () => {
it('should be a no-op and not throw', async () => {
// Create a server first
const config = createSSEConfig('Reset Test');
await serverConfigsDB.add('temp', config, userId);
// Reset should complete without error
await expect(serverConfigsDB.reset()).resolves.toBeUndefined();
// Server should still exist (reset is no-op for DB storage)
const result = await serverConfigsDB.get('reset-test', userId);
expect(result).toBeDefined();
});
});
describe('mapDBServerToParsedConfig()', () => {
it('should include dbId from _id', async () => {
const config = createSSEConfig('Map Test');
const created = await serverConfigsDB.add('temp', config, userId);
expect(created.config.dbId).toBeDefined();
expect(typeof created.config.dbId).toBe('string');
expect(mongoose.Types.ObjectId.isValid(created.config.dbId!)).toBe(true);
});
it('should include updatedAt as timestamp', async () => {
const config = createSSEConfig('Timestamp Test');
const created = await serverConfigsDB.add('temp', config, userId);
expect(created.config.updatedAt).toBeDefined();
expect(typeof created.config.updatedAt).toBe('number');
expect(created.config.updatedAt).toBeLessThanOrEqual(Date.now());
});
});
describe('edge cases', () => {
it('should handle server with empty mcpServerNames in agent', async () => {
const config = createSSEConfig('Edge Case Server');
const created = await serverConfigsDB.add('temp', config, userId);
// Create an agent with empty mcpServerNames
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'empty-mcp-agent',
name: 'Empty MCP Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
mcpServerNames: [], // Empty array
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
// Should not find the server via agent (empty mcpServerNames)
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeUndefined();
});
it('should handle agent without mcpServerNames field', async () => {
const config = createSSEConfig('No Field Server');
const created = await serverConfigsDB.add('temp', config, userId);
// Create an agent without mcpServerNames field (uses default)
const Agent = mongoose.models.Agent;
const agent = await Agent.create({
id: 'no-field-agent',
name: 'No Field Agent',
provider: 'openai',
model: 'gpt-4',
author: new mongoose.Types.ObjectId(userId),
// mcpServerNames not specified - should default to []
});
const agentRole = await mongoose.models.AccessRole.findOne({
accessRoleId: AccessRoleIds.AGENT_VIEWER,
});
await mongoose.models.AclEntry.create({
principalType: PrincipalType.USER,
principalModel: PrincipalModel.USER,
principalId: new mongoose.Types.ObjectId(userId2),
resourceType: ResourceType.AGENT,
resourceId: agent._id,
permBits: PermissionBits.VIEW,
roleId: agentRole!._id,
grantedBy: new mongoose.Types.ObjectId(userId),
});
// Should not find the server via agent
const result = await serverConfigsDB.get(created.serverName, userId2);
expect(result).toBeUndefined();
});
});
});

10
packages/api/src/mcp/registry/cache/ServerConfigsCacheInMemory.ts vendored
View file

@ -1,4 +1,4 @@
import { ParsedServerConfig } from '~/mcp/types';
import { ParsedServerConfig, AddServerResult } from '~/mcp/types';
/**
* In-memory implementation of MCP server configurations cache for single-instance deployments.
@ -10,12 +10,14 @@ import { ParsedServerConfig } from '~/mcp/types';
export class ServerConfigsCacheInMemory {
private readonly cache: Map<string, ParsedServerConfig> = new Map();
public async add(serverName: string, config: ParsedServerConfig): Promise<void> {
public async add(serverName: string, config: ParsedServerConfig): Promise<AddServerResult> {
if (this.cache.has(serverName))
throw new Error(
`Server "${serverName}" already exists in cache. Use update() to modify existing configs.`,
);
this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() });
const storedConfig = { ...config, updatedAt: Date.now() };
this.cache.set(serverName, storedConfig);
return { serverName, config: storedConfig };
}
public async update(serverName: string, config: ParsedServerConfig): Promise<void> {
@ -23,7 +25,7 @@ export class ServerConfigsCacheInMemory {
throw new Error(
`Server "${serverName}" does not exist in cache. Use add() to create new configs.`,
);
this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() });
this.cache.set(serverName, { ...config, updatedAt: Date.now() });
}
public async remove(serverName: string): Promise<void> {

10
packages/api/src/mcp/registry/cache/ServerConfigsCacheRedis.ts vendored
View file

@ -1,7 +1,7 @@
import type Keyv from 'keyv';
import { fromPairs } from 'lodash';
import { standardCache, keyvRedisClient } from '~/cache';
import { ParsedServerConfig } from '~/mcp/types';
import { ParsedServerConfig, AddServerResult } from '~/mcp/types';
import { BaseRegistryCache } from './BaseRegistryCache';
import { IServerConfigsRepositoryInterface } from '../ServerConfigsRepositoryInterface';
@ -25,15 +25,17 @@ export class ServerConfigsCacheRedis
this.cache = standardCache(`${this.PREFIX}::Servers::${namespace}`);
}
public async add(serverName: string, config: ParsedServerConfig): Promise<void> {
public async add(serverName: string, config: ParsedServerConfig): Promise<AddServerResult> {
if (this.leaderOnly) await this.leaderCheck(`add ${this.namespace} MCP servers`);
const exists = await this.cache.has(serverName);
if (exists)
throw new Error(
`Server "${serverName}" already exists in cache. Use update() to modify existing configs.`,
);
const success = await this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() });
const storedConfig = { ...config, updatedAt: Date.now() };
const success = await this.cache.set(serverName, storedConfig);
this.successCheck(`add ${this.namespace} server "${serverName}"`, success);
return { serverName, config: storedConfig };
}
public async update(serverName: string, config: ParsedServerConfig): Promise<void> {
@ -43,7 +45,7 @@ export class ServerConfigsCacheRedis
throw new Error(
`Server "${serverName}" does not exist in cache. Use add() to create new configs.`,
);
const success = await this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() });
const success = await this.cache.set(serverName, { ...config, updatedAt: Date.now() });
this.successCheck(`update ${this.namespace} server "${serverName}"`, success);
}

6
packages/api/src/mcp/registry/cache/__tests__/ServerConfigsCacheInMemory.test.ts vendored
View file

@ -15,14 +15,14 @@ describe('ServerConfigsCacheInMemory Integration Tests', () => {
command: 'node',
args: ['server1.js'],
env: { TEST: 'value1' },
lastUpdatedAt: FIXED_TIME,
updatedAt: FIXED_TIME,
};
const mockConfig2: ParsedServerConfig = {
command: 'python',
args: ['server2.py'],
env: { TEST: 'value2' },
lastUpdatedAt: FIXED_TIME,
updatedAt: FIXED_TIME,
};
const mockConfig3: ParsedServerConfig = {
@ -30,7 +30,7 @@ describe('ServerConfigsCacheInMemory Integration Tests', () => {
args: ['server3.js'],
url: 'http://localhost:3000',
requiresOAuth: true,
lastUpdatedAt: FIXED_TIME,
updatedAt: FIXED_TIME,
};
beforeAll(async () => {

309
packages/api/src/mcp/registry/db/ServerConfigsDB.ts
View file

@ -1,7 +1,14 @@
/* eslint-disable @typescript-eslint/no-unused-vars */
import { AllMethods, createMethods, logger } from '@librechat/data-schemas';
import { Types } from 'mongoose';
import {
AccessRoleIds,
PermissionBits,
PrincipalType,
ResourceType,
} from 'librechat-data-provider';
import { AllMethods, MCPServerDocument, createMethods, logger } from '@librechat/data-schemas';
import type { IServerConfigsRepositoryInterface } from '~/mcp/registry/ServerConfigsRepositoryInterface';
import type { ParsedServerConfig } from '~/mcp/types';
import { AccessControlService } from '~/acl/accessControlService';
import type { ParsedServerConfig, AddServerResult } from '~/mcp/types';
/**
* DB backed config storage
@ -10,35 +17,211 @@ import type { ParsedServerConfig } from '~/mcp/types';
*/
export class ServerConfigsDB implements IServerConfigsRepositoryInterface {
private _dbMethods: AllMethods;
private _aclService: AccessControlService;
private _mongoose: typeof import('mongoose');
constructor(mongoose: typeof import('mongoose')) {
if (!mongoose) {
throw new Error('ServerConfigsDB requires mongoose instance');
}
this._mongoose = mongoose;
this._dbMethods = createMethods(mongoose);
this._aclService = new AccessControlService(mongoose);
}
public async add(serverName: string, config: ParsedServerConfig, userId?: string): Promise<void> {
logger.debug('ServerConfigsDB add not yet implemented');
return;
/**
* Checks if user has access to an MCP server via an agent they can VIEW.
* @param serverName - The MCP server name to check
* @param userId - The user ID (optional - if not provided, checks publicly accessible agents)
* @returns true if user has VIEW access to at least one agent that has this MCP server
*/
private async hasAccessViaAgent(serverName: string, userId?: string): Promise<boolean> {
let accessibleAgentIds: Types.ObjectId[];
if (!userId) {
// Get publicly accessible agents
accessibleAgentIds = await this._aclService.findPubliclyAccessibleResources({
resourceType: ResourceType.AGENT,
requiredPermissions: PermissionBits.VIEW,
});
} else {
// Get user-accessible agents
accessibleAgentIds = await this._aclService.findAccessibleResources({
userId,
requiredPermissions: PermissionBits.VIEW,
resourceType: ResourceType.AGENT,
});
}
if (accessibleAgentIds.length === 0) {
return false;
}
// Check if any accessible agent has this MCP server
const Agent = this._mongoose.model('Agent');
const exists = await Agent.exists({
_id: { $in: accessibleAgentIds },
mcpServerNames: serverName,
});
return exists !== null;
}
/**
* Creates a new MCP server and grants owner permissions to the user.
* @param serverName - Temporary server name (not persisted) will be replaced by the nano id generated by the db method
* @param config - Server configuration to store
* @param userId - ID of the user creating the server (required)
* @returns The created server result with serverName and config (including dbId)
* @throws Error if userId is not provided
*/
public async add(
serverName: string,
config: ParsedServerConfig,
userId?: string,
): Promise<AddServerResult> {
logger.debug(
`[ServerConfigsDB.add] Starting Creating server with temp servername: ${serverName} for the user with the ID ${userId}`,
);
if (!userId) {
throw new Error(
'[ServerConfigsDB.add] User ID is required to create a database-stored MCP server.',
);
}
const createdServer = await this._dbMethods.createMCPServer({ config: config, author: userId });
await this._aclService.grantPermission({
principalType: PrincipalType.USER,
principalId: userId,
resourceType: ResourceType.MCPSERVER,
resourceId: createdServer._id,
accessRoleId: AccessRoleIds.MCPSERVER_OWNER,
grantedBy: userId,
});
return {
serverName: createdServer.serverName,
config: this.mapDBServerToParsedConfig(createdServer),
};
}
/**
*
* @param serverName mcp server unique identifier "serverName"
* @param config new Configuration to update
* @param userId user id required to update DB server config
*/
public async update(
serverName: string,
config: ParsedServerConfig,
userId?: string,
): Promise<void> {
logger.debug('ServerConfigsDB update not yet implemented');
return;
if (!userId) {
throw new Error(
'[ServerConfigsDB.update] User ID is required to update a database-stored MCP server.',
);
}
// Preserve sensitive fields (like oauth.client_secret) that may not be sent from the client
// Create a copy to avoid mutating the input parameter
let mergedConfig = config;
const existingServer = await this._dbMethods.findMCPServerById(serverName);
if (existingServer?.config?.oauth?.client_secret && !config.oauth?.client_secret) {
mergedConfig = {
...config,
oauth: {
...config.oauth,
client_secret: existingServer.config.oauth.client_secret,
},
};
}
// specific user permissions for action permission will be handled in the controller calling the update method of the registry
await this._dbMethods.updateMCPServer(serverName, { config: mergedConfig });
}
/**
* Deletes an MCP server and removes all associated ACL entries.
* @param serverName - The serverName of the server to remove
* @param userId - User performing the deletion (for logging)
*/
public async remove(serverName: string, userId?: string): Promise<void> {
logger.debug('ServerConfigsDB remove not yet implemented');
return;
logger.debug(`[ServerConfigsDB.remove] removing ${serverName}. UserId: ${userId}`);
const deletedServer = await this._dbMethods.deleteMCPServer(serverName);
if (deletedServer && deletedServer._id) {
logger.debug(`[ServerConfigsDB.remove] removing all permissions entries of ${serverName}.`);
await this._aclService.removeAllPermissions({
resourceType: ResourceType.MCPSERVER,
resourceId: deletedServer._id!,
});
return;
}
logger.warn(`[ServerConfigsDB.remove] server with serverName ${serverName} does not exist`);
}
/**
* Retrieves a single MCP server configuration by its serverName.
* @param serverName - The serverName of the server to retrieve
* @param userId - the user id provide the scope of the request. If the user Id is not provided, only publicly visible servers are returned.
* @returns The parsed server config or undefined if not found. If accessed via agent, consumeOnly will be true.
*/
public async get(serverName: string, userId?: string): Promise<ParsedServerConfig | undefined> {
logger.debug('ServerConfigsDB get not yet implemented');
return;
const server = await this._dbMethods.findMCPServerById(serverName);
if (!server) return undefined;
// Check public access if no userId
if (!userId) {
const directlyAccessibleMCPIds = (
await this._aclService.findPubliclyAccessibleResources({
resourceType: ResourceType.MCPSERVER,
requiredPermissions: PermissionBits.VIEW,
})
).map((id) => id.toString());
if (directlyAccessibleMCPIds.indexOf(server._id.toString()) > -1) {
return this.mapDBServerToParsedConfig(server);
}
// Check access via publicly accessible agents
const hasAgentAccess = await this.hasAccessViaAgent(serverName);
if (hasAgentAccess) {
logger.debug(
`[ServerConfigsDB.get] accessing ${serverName} via public agent (consumeOnly)`,
);
return {
...this.mapDBServerToParsedConfig(server),
consumeOnly: true,
};
}
return undefined;
}
// Check direct user access
const userHasDirectAccess = await this._aclService.checkPermission({
userId,
resourceType: ResourceType.MCPSERVER,
requiredPermission: PermissionBits.VIEW,
resourceId: server._id,
});
if (userHasDirectAccess) {
logger.debug(
`[ServerConfigsDB.get] getting ${serverName} for user with the UserId: ${userId}`,
);
return this.mapDBServerToParsedConfig(server);
}
// Check agent access (user can VIEW an agent that has this MCP server)
const hasAgentAccess = await this.hasAccessViaAgent(serverName, userId);
if (hasAgentAccess) {
logger.debug(
`[ServerConfigsDB.get] user ${userId} accessing ${serverName} via agent (consumeOnly)`,
);
return {
...this.mapDBServerToParsedConfig(server),
consumeOnly: true,
};
}
return undefined;
}
/**
@ -47,13 +230,109 @@ export class ServerConfigsDB implements IServerConfigsRepositoryInterface {
* @returns record of parsed configs
*/
public async getAll(userId?: string): Promise<Record<string, ParsedServerConfig>> {
// TODO: Implement DB-backed config retrieval
logger.debug('[ServerConfigsDB] getAll not yet implemented', { userId });
return {};
// 1. Get directly accessible MCP IDs
let directlyAccessibleMCPIds: Types.ObjectId[] = [];
if (!userId) {
logger.debug(`[ServerConfigsDB.getAll] fetching all publicly shared mcp servers`);
directlyAccessibleMCPIds = await this._aclService.findPubliclyAccessibleResources({
resourceType: ResourceType.MCPSERVER,
requiredPermissions: PermissionBits.VIEW,
});
} else {
logger.debug(
`[ServerConfigsDB.getAll] fetching mcp servers directly shared with the user with ID: ${userId}`,
);
directlyAccessibleMCPIds = await this._aclService.findAccessibleResources({
userId,
requiredPermissions: PermissionBits.VIEW,
resourceType: ResourceType.MCPSERVER,
});
}
// 2. Get agent-accessible MCP server names
let agentMCPServerNames: string[] = [];
let accessibleAgentIds: Types.ObjectId[] = [];
if (!userId) {
// Get publicly accessible agents
accessibleAgentIds = await this._aclService.findPubliclyAccessibleResources({
resourceType: ResourceType.AGENT,
requiredPermissions: PermissionBits.VIEW,
});
} else {
// Get user-accessible agents
accessibleAgentIds = await this._aclService.findAccessibleResources({
userId,
requiredPermissions: PermissionBits.VIEW,
resourceType: ResourceType.AGENT,
});
}
if (accessibleAgentIds.length > 0) {
// Efficient query: get agents with non-empty mcpServerNames
const Agent = this._mongoose.model('Agent');
const agentsWithMCP = await Agent.find(
{
_id: { $in: accessibleAgentIds },
mcpServerNames: { $exists: true, $not: { $size: 0 } },
},
{ mcpServerNames: 1 },
).lean();
// Flatten and dedupe server names
agentMCPServerNames = [
...new Set(
// eslint-disable-next-line @typescript-eslint/no-explicit-any
agentsWithMCP.flatMap((a: any) => a.mcpServerNames || []),
),
];
}
// 3. Fetch directly accessible MCP servers
const directResults = await this._dbMethods.getListMCPServersByIds({
ids: directlyAccessibleMCPIds,
});
// 4. Build result with direct access servers
const parsedConfigs: Record<string, ParsedServerConfig> = {};
const directServerNames = new Set<string>();
for (const s of directResults.data || []) {
parsedConfigs[s.serverName] = this.mapDBServerToParsedConfig(s);
directServerNames.add(s.serverName);
}
// 5. Fetch agent-accessible servers (excluding already direct)
const agentOnlyServerNames = agentMCPServerNames.filter((name) => !directServerNames.has(name));
if (agentOnlyServerNames.length > 0) {
const agentServers = await this._dbMethods.getListMCPServersByNames({
names: agentOnlyServerNames,
});
for (const s of agentServers.data || []) {
parsedConfigs[s.serverName] = {
...this.mapDBServerToParsedConfig(s),
consumeOnly: true,
};
}
}
return parsedConfigs;
}
/** No-op for DB storage; logs a warning if called. */
public async reset(): Promise<void> {
logger.warn('Attempt to reset the DB config storage');
return;
}
/** Maps a MongoDB server document to the ParsedServerConfig format. */
private mapDBServerToParsedConfig(serverDBDoc: MCPServerDocument): ParsedServerConfig {
return {
...serverDBDoc.config,
dbId: (serverDBDoc._id as Types.ObjectId).toString(),
updatedAt: serverDBDoc.updatedAt?.getTime(),
};
}
}

9
packages/api/src/mcp/types/index.ts
View file

@ -153,8 +153,15 @@ export type ParsedServerConfig = MCPOptions & {
tools?: string;
toolFunctions?: LCAvailableTools;
initDuration?: number;
lastUpdatedAt?: number;
updatedAt?: number;
dbId?: string;
/** True if access is only via agent (not directly shared with user) */
consumeOnly?: boolean;
};
export type AddServerResult = {
serverName: string;
config: ParsedServerConfig;
};
export interface BasicConnectionOptions {

27
packages/api/src/mcp/utils.ts
View file

@ -45,3 +45,30 @@ export function sanitizeUrlForLogging(url: string | URL): string {
return '[invalid URL]';
}
}
/**
* Escapes special regex characters in a string so they are treated literally.
* @param str - The string to escape
* @returns The escaped string safe for use in a regex pattern
*/
export function escapeRegex(str: string): string {
return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
/**
* Generates a URL-friendly server name from a title.
* Converts to lowercase, replaces spaces with hyphens, removes special characters.
* @param title - The display title to convert
* @returns A slug suitable for use as serverName (e.g., "GitHub MCP Tool" "github-mcp-tool")
*/
export function generateServerNameFromTitle(title: string): string {
const slug = title
.toLowerCase()
.trim()
.replace(/[^a-z0-9\s-]/g, '') // Remove special chars except spaces and hyphens
.replace(/\s+/g, '-') // Replace spaces with hyphens
.replace(/-+/g, '-') // Remove consecutive hyphens
.replace(/^-|-$/g, ''); // Trim leading/trailing hyphens
return slug || 'mcp-server'; // Fallback if empty
}

39
packages/client/src/components/MultiSelect.tsx
View file

@ -11,12 +11,26 @@ import {
import './AnimatePopover.css';
import { cn } from '~/utils';
type MultiSelectItem<T extends string> = T | { label: string; value: T };
function getItemValue<T extends string>(item: MultiSelectItem<T>): T {
return typeof item === 'string' ? item : item.value;
}
function getItemLabel<T extends string>(item: MultiSelectItem<T>): string {
return typeof item === 'string' ? item : item.label;
}
interface MultiSelectProps<T extends string> {
items: T[];
items: MultiSelectItem<T>[];
label?: string;
placeholder?: string;
onSelectedValuesChange?: (values: T[]) => void;
renderSelectedValues?: (values: T[], placeholder?: string) => React.ReactNode;
renderSelectedValues?: (
values: T[],
placeholder?: string,
items?: MultiSelectItem<T>[],
) => React.ReactNode;
className?: string;
itemClassName?: string;
labelClassName?: string;
@ -33,11 +47,22 @@ interface MultiSelectProps<T extends string> {
) => React.ReactNode;
}
function defaultRender<T extends string>(values: T[], placeholder?: string) {
function defaultRender<T extends string>(
values: T[],
placeholder?: string,
items?: MultiSelectItem<T>[],
) {
if (values.length === 0) {
return placeholder || 'Select...';
}
if (values.length === 1) {
// Find the item to get its label
if (items) {
const item = items.find((item) => getItemValue(item) === values[0]);
if (item) {
return getItemLabel(item);
}
}
return values[0];
}
return `${values.length} items selected`;
@ -90,7 +115,7 @@ export default function MultiSelect<T extends string>({
>
{selectIcon && <span>{selectIcon as React.JSX.Element}</span>}
<span className="mr-auto hidden truncate md:block">
{renderSelectedValues(selectedValues, placeholder)}
{renderSelectedValues(selectedValues, placeholder, items)}
</span>
<SelectArrow className="ml-1 hidden stroke-1 text-base opacity-75 md:block" />
</Select>
@ -109,11 +134,13 @@ export default function MultiSelect<T extends string>({
popoverClassName,
)}
>
{items.map((value) => {
{items.map((item) => {
const value = getItemValue(item);
const label = getItemLabel(item);
const defaultContent = (
<>
<SelectItemCheck className="mr-0.5 text-primary" />
<span className="truncate">{value}</span>
<span className="truncate">{label}</span>
</>
);
const isCurrentItemSelected = selectedValues.includes(value);

1
packages/client/tsconfig.json
View file

@ -8,6 +8,7 @@
"declaration": true,
"declarationMap": true,
"declarationDir": "./dist/types",
"sourceMap": true,
"esModuleInterop": true,
"allowSyntheticDefaultImports": true,
"strict": true,

10
packages/data-provider/src/accessPermissions.ts
View file

@ -45,6 +45,7 @@ export type TAccessLevel = 'none' | 'viewer' | 'editor' | 'owner';
export enum ResourceType {
AGENT = 'agent',
PROMPTGROUP = 'promptGroup',
MCPSERVER = 'mcpServer',
}
/**
@ -71,6 +72,9 @@ export enum AccessRoleIds {
PROMPTGROUP_VIEWER = 'promptGroup_viewer',
PROMPTGROUP_EDITOR = 'promptGroup_editor',
PROMPTGROUP_OWNER = 'promptGroup_owner',
MCPSERVER_VIEWER = 'mcpServer_viewer',
MCPSERVER_EDITOR = 'mcpServer_editor',
MCPSERVER_OWNER = 'mcpServer_owner',
}
// ===== ZOD SCHEMAS =====
@ -269,6 +273,12 @@ export const effectivePermissionsResponseSchema = z.object({
*/
export type TEffectivePermissionsResponse = z.infer<typeof effectivePermissionsResponseSchema>;
/**
* All effective permissions response type
* Map of resourceId to permissionBits for all accessible resources
*/
export type TAllEffectivePermissionsResponse = Record<string, number>;
// ===== UTILITY TYPES =====
/**

6
packages/data-provider/src/api-endpoints.ts
View file

@ -231,6 +231,8 @@ export const mcp = {
servers: `${BASE_URL}/api/mcp/servers`,
};
export const mcpServer = (serverName: string) => `${BASE_URL}/api/mcp/servers/${serverName}`;
export const revertAgentVersion = (agent_id: string) => `${agents({ path: `${agent_id}/revert` })}`;
export const files = () => `${BASE_URL}/api/files`;
@ -319,6 +321,7 @@ export const updateMemoryPermissions = (roleName: string) => `${getRole(roleName
export const updateAgentPermissions = (roleName: string) => `${getRole(roleName)}/agents`;
export const updatePeoplePickerPermissions = (roleName: string) =>
`${getRole(roleName)}/people-picker`;
export const updateMCPServersPermissions = (roleName: string) => `${getRole(roleName)}/mcp-servers`;
export const updateMarketplacePermissions = (roleName: string) =>
`${getRole(roleName)}/marketplace`;
@ -383,6 +386,9 @@ export const updateResourcePermissions = (resourceType: ResourceType, resourceId
export const getEffectivePermissions = (resourceType: ResourceType, resourceId: string) =>
`${BASE_URL}/api/permissions/${resourceType}/${resourceId}/effective`;
export const getAllEffectivePermissions = (resourceType: ResourceType) =>
`${BASE_URL}/api/permissions/${resourceType}/effective/all`;
// SharePoint Graph API Token
export const graphToken = (scopes: string) =>
`${BASE_URL}/api/auth/graph-token?scopes=${encodeURIComponent(scopes)}`;

17
packages/data-provider/src/config.ts
View file

@ -515,9 +515,14 @@ const termsOfServiceSchema = z.object({
export type TTermsOfService = z.infer<typeof termsOfServiceSchema>;
const mcpServersSchema = z.object({
placeholder: z.string().optional(),
});
const mcpServersSchema = z
.object({
placeholder: z.string().optional(),
use: z.boolean().optional(),
create: z.boolean().optional(),
share: z.boolean().optional(),
})
.optional();
export type TMcpServersConfig = z.infer<typeof mcpServersSchema>;
@ -583,6 +588,11 @@ export const interfaceSchema = z
marketplace: {
use: false,
},
mcpServers: {
use: true,
create: true,
share: false,
},
fileSearch: true,
fileCitations: true,
});
@ -675,6 +685,7 @@ export type TStartupConfig = {
chatMenu?: boolean;
isOAuth?: boolean;
startup?: boolean;
iconPath?: string;
}
>;
mcpPlaceholder?: string;

45
packages/data-provider/src/data-service.ts
View file

@ -565,6 +565,39 @@ export const getMCPServers = async (): Promise<mcp.MCPServersListResponse> => {
return request.get(endpoints.mcp.servers);
};
/**
* Get a single MCP server by ID
*/
export const getMCPServer = async (serverName: string): Promise<mcp.MCPServerDBObjectResponse> => {
return request.get(endpoints.mcpServer(serverName));
};
/**
* Create a new MCP server
*/
export const createMCPServer = async (
data: mcp.MCPServerCreateParams,
): Promise<mcp.MCPServerDBObjectResponse> => {
return request.post(endpoints.mcp.servers, data);
};
/**
* Update an existing MCP server
*/
export const updateMCPServer = async (
serverName: string,
data: mcp.MCPServerUpdateParams,
): Promise<mcp.MCPServerDBObjectResponse> => {
return request.patch(endpoints.mcpServer(serverName), data);
};
/**
* Delete an MCP server
*/
export const deleteMCPServer = async (serverName: string): Promise<{ success: boolean }> => {
return request.delete(endpoints.mcpServer(serverName));
};
/**
* Imports a conversations file.
*
@ -832,6 +865,12 @@ export function updatePeoplePickerPermissions(
);
}
export function updateMCPServersPermissions(
variables: m.UpdateMCPServersPermVars,
): Promise<m.UpdatePermResponse> {
return request.put(endpoints.updateMCPServersPermissions(variables.roleName), variables.updates);
}
export function updateMarketplacePermissions(
variables: m.UpdateMarketplacePermVars,
): Promise<m.UpdatePermResponse> {
@ -984,6 +1023,12 @@ export function getEffectivePermissions(
return request.get(endpoints.getEffectivePermissions(resourceType, resourceId));
}
export function getAllEffectivePermissions(
resourceType: permissions.ResourceType,
): Promise<permissions.TAllEffectivePermissionsResponse> {
return request.get(endpoints.getAllEffectivePermissions(resourceType));
}
// SharePoint Graph API Token
export function getGraphApiToken(params: q.GraphTokenParams): Promise<q.GraphTokenResponse> {
return request.get(endpoints.graphToken(params.scopes));

1
packages/data-provider/src/keys.ts
View file

@ -59,6 +59,7 @@ export enum QueryKeys {
graphToken = 'graphToken',
/* MCP Servers */
mcpServers = 'mcpServers',
mcpServer = 'mcpServer',
}
// Dynamic query keys that require parameters

7
packages/data-provider/src/mcp.ts
View file

@ -3,6 +3,13 @@ import { TokenExchangeMethodEnum } from './types/agents';
import { extractEnvVariable } from './utils';
const BaseOptionsSchema = z.object({
/** Display name for the MCP server - only letters, numbers, and spaces allowed */
title: z
.string()
.regex(/^[a-zA-Z0-9 ]+$/, 'Title can only contain letters, numbers, and spaces')
.optional(),
/** Description of the MCP server */
description: z.string().optional(),
/**
* Controls whether the MCP server is initialized during application startup.
* - true (default): Server is initialized during app startup and included in app-level connections

12
packages/data-provider/src/permissions.ts
View file

@ -52,6 +52,10 @@ export enum PermissionTypes {
* Type for using the "File Citations" feature in agents
*/
FILE_CITATIONS = 'FILE_CITATIONS',
/**
* Type for MCP Server Permissions
*/
MCP_SERVERS = 'MCP_SERVERS',
}
/**
@ -144,6 +148,13 @@ export const fileCitationsPermissionsSchema = z.object({
});
export type TFileCitationsPermissions = z.infer<typeof fileCitationsPermissionsSchema>;
export const mcpServersPermissionsSchema = z.object({
[Permissions.USE]: z.boolean().default(true),
[Permissions.CREATE]: z.boolean().default(true),
[Permissions.SHARE]: z.boolean().default(false),
});
export type TMcpServersPermissions = z.infer<typeof mcpServersPermissionsSchema>;
// Define a single permissions schema that holds all permission types.
export const permissionsSchema = z.object({
[PermissionTypes.PROMPTS]: promptPermissionsSchema,
@ -158,4 +169,5 @@ export const permissionsSchema = z.object({
[PermissionTypes.MARKETPLACE]: marketplacePermissionsSchema,
[PermissionTypes.FILE_SEARCH]: fileSearchPermissionsSchema,
[PermissionTypes.FILE_CITATIONS]: fileCitationsPermissionsSchema,
[PermissionTypes.MCP_SERVERS]: mcpServersPermissionsSchema,
});

14
packages/data-provider/src/react-query/react-query-service.ts
View file

@ -493,6 +493,20 @@ export const useGetEffectivePermissionsQuery = (
});
};
export const useGetAllEffectivePermissionsQuery = (
resourceType: ResourceType,
config?: UseQueryOptions<permissions.TAllEffectivePermissionsResponse>,
): QueryObserverResult<permissions.TAllEffectivePermissionsResponse> => {
return useQuery<permissions.TAllEffectivePermissionsResponse>({
queryKey: [QueryKeys.effectivePermissions, 'all', resourceType],
queryFn: () => dataService.getAllEffectivePermissions(resourceType),
enabled: !!resourceType,
refetchOnWindowFocus: false,
staleTime: 30000,
...config,
});
};
export const useMCPServerConnectionStatusQuery = (
serverName: string,
config?: UseQueryOptions<MCPServerConnectionStatusResponse>,

12
packages/data-provider/src/roles.ts
View file

@ -14,6 +14,7 @@ import {
temporaryChatPermissionsSchema,
peoplePickerPermissionsSchema,
fileCitationsPermissionsSchema,
mcpServersPermissionsSchema,
} from './permissions';
/**
@ -89,6 +90,11 @@ const defaultRolesSchema = z.object({
[PermissionTypes.FILE_CITATIONS]: fileCitationsPermissionsSchema.extend({
[Permissions.USE]: z.boolean().default(true),
}),
[PermissionTypes.MCP_SERVERS]: mcpServersPermissionsSchema.extend({
[Permissions.USE]: z.boolean().default(true),
[Permissions.CREATE]: z.boolean().default(true),
[Permissions.SHARE]: z.boolean().default(true),
}),
}),
}),
[SystemRoles.USER]: roleSchema.extend({
@ -147,6 +153,11 @@ export const roleDefaults = defaultRolesSchema.parse({
[PermissionTypes.FILE_CITATIONS]: {
[Permissions.USE]: true,
},
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: true,
[Permissions.CREATE]: true,
[Permissions.SHARE]: true,
},
},
},
[SystemRoles.USER]: {
@ -170,6 +181,7 @@ export const roleDefaults = defaultRolesSchema.parse({
},
[PermissionTypes.FILE_SEARCH]: {},
[PermissionTypes.FILE_CITATIONS]: {},
[PermissionTypes.MCP_SERVERS]: {},
},
},
});

2
packages/data-provider/src/types/agents.ts
View file

@ -333,7 +333,7 @@ export type ActionMetadataRuntime = ActionMetadata & {
};
export type MCP = {
mcp_id: string;
serverName: string;
metadata: MCPMetadata;
} & ({ assistant_id: string; agent_id?: never } | { assistant_id?: never; agent_id?: string });

1
packages/data-provider/src/types/index.ts
View file

@ -1 +1,2 @@
export * from './queries';
export * from './mcpServers';

13
packages/data-provider/src/types/mcpServers.ts
View file

@ -1,4 +1,3 @@
import { PermissionBits } from '../accessPermissions';
import type { MCPOptions, MCPServerUserInput } from '../mcp';
/**
@ -7,7 +6,7 @@ import type { MCPOptions, MCPServerUserInput } from '../mcp';
*/
export interface IMCPServerDB {
_id?: string; // MongoDB ObjectId (used for ACL/permissions)
mcp_id: string;
serverName: string;
config: MCPOptions;
author?: string | null;
createdAt?: Date;
@ -41,12 +40,10 @@ export type MCPServerUpdateParams = {
* Response for MCP server list endpoint
*/
export type MCPServerDBObjectResponse = {
_id?: string;
mcp_id?: string;
author?: string | null;
createdAt?: Date;
updatedAt?: Date;
effectivePermissions?: PermissionBits;
dbId?: string;
serverName: string;
/** True if access is only via agent (not directly shared with user) */
consumeOnly?: boolean;
} & MCPOptions;
export type MCPServersListResponse = Record<string, MCPServerDBObjectResponse>;

8
packages/data-provider/src/types/mutations.ts
View file

@ -274,6 +274,7 @@ export type UpdatePromptPermVars = UpdatePermVars<p.TPromptPermissions>;
export type UpdateMemoryPermVars = UpdatePermVars<p.TMemoryPermissions>;
export type UpdateAgentPermVars = UpdatePermVars<p.TAgentPermissions>;
export type UpdatePeoplePickerPermVars = UpdatePermVars<p.TPeoplePickerPermissions>;
export type UpdateMCPServersPermVars = UpdatePermVars<p.TMcpServersPermissions>;
export type UpdatePermResponse = r.TRole;
@ -305,6 +306,13 @@ export type UpdatePeoplePickerPermOptions = MutationOptions<
types.TError | null | undefined
>;
export type UpdateMCPServersPermOptions = MutationOptions<
UpdatePermResponse,
UpdateMCPServersPermVars,
unknown,
types.TError | null | undefined
>;
export type UpdateMarketplacePermVars = UpdatePermVars<p.TMarketplacePermissions>;
export type UpdateMarketplacePermOptions = MutationOptions<

3
packages/data-schemas/src/methods/accessRole.spec.ts
View file

@ -200,6 +200,9 @@ describe('AccessRole Model Tests', () => {
AccessRoleIds.PROMPTGROUP_EDITOR,
AccessRoleIds.PROMPTGROUP_OWNER,
AccessRoleIds.PROMPTGROUP_VIEWER,
AccessRoleIds.MCPSERVER_EDITOR,
AccessRoleIds.MCPSERVER_OWNER,
AccessRoleIds.MCPSERVER_VIEWER,
].sort(),
);

21
packages/data-schemas/src/methods/accessRole.ts
View file

@ -146,6 +146,27 @@ export function createAccessRoleMethods(mongoose: typeof import('mongoose')) {
resourceType: ResourceType.PROMPTGROUP,
permBits: RoleBits.OWNER,
},
{
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
name: 'com_ui_mcp_server_role_viewer',
description: 'com_ui_mcp_server_role_viewer_desc',
resourceType: ResourceType.MCPSERVER,
permBits: RoleBits.VIEWER,
},
{
accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
name: 'com_ui_mcp_server_role_editor',
description: 'com_ui_mcp_server_role_editor_desc',
resourceType: ResourceType.MCPSERVER,
permBits: RoleBits.EDITOR,
},
{
accessRoleId: AccessRoleIds.MCPSERVER_OWNER,
name: 'com_ui_mcp_server_role_owner',
description: 'com_ui_mcp_server_role_owner_desc',
resourceType: ResourceType.MCPSERVER,
permBits: RoleBits.OWNER,
},
];
const result: Record<string, IAccessRole> = {};

272
packages/data-schemas/src/methods/aclEntry.spec.ts
View file

@ -679,4 +679,276 @@ describe('AclEntry Model Tests', () => {
expect(effective).toBe(PermissionBits.VIEW);
});
});
describe('Batch Permission Queries', () => {
test('should get effective permissions for multiple resources in single query', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
const resource3 = new mongoose.Types.ObjectId();
/** Grant different permissions to different resources */
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource1,
PermissionBits.VIEW,
grantedById,
);
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource2,
PermissionBits.VIEW | PermissionBits.EDIT,
grantedById,
);
await methods.grantPermission(
PrincipalType.GROUP,
groupId,
ResourceType.MCPSERVER,
resource3,
PermissionBits.DELETE,
grantedById,
);
/** Get permissions for all resources */
const permissionsMap = await methods.getEffectivePermissionsForResources(
[{ principalType: PrincipalType.USER, principalId: userId }],
ResourceType.MCPSERVER,
[resource1, resource2, resource3],
);
expect(permissionsMap.size).toBe(2); // Only resource1 and resource2 for user
expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW);
expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT);
expect(permissionsMap.get(resource3.toString())).toBeUndefined(); // User has no access
});
test('should combine permissions from multiple principals in batch query', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
/** User has VIEW on both resources */
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource1,
PermissionBits.VIEW,
grantedById,
);
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource2,
PermissionBits.VIEW,
grantedById,
);
/** Group has EDIT on resource1 */
await methods.grantPermission(
PrincipalType.GROUP,
groupId,
ResourceType.MCPSERVER,
resource1,
PermissionBits.EDIT,
grantedById,
);
/** Get combined permissions for user + group */
const permissionsMap = await methods.getEffectivePermissionsForResources(
[
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.GROUP, principalId: groupId },
],
ResourceType.MCPSERVER,
[resource1, resource2],
);
expect(permissionsMap.size).toBe(2);
/** Resource1 should have VIEW | EDIT (from user + group) */
expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT);
/** Resource2 should have only VIEW (from user) */
expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.VIEW);
});
test('should handle empty resource list', async () => {
const permissionsMap = await methods.getEffectivePermissionsForResources(
[{ principalType: PrincipalType.USER, principalId: userId }],
ResourceType.MCPSERVER,
[],
);
expect(permissionsMap.size).toBe(0);
});
test('should handle resources with no permissions', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
/** Only grant permission to resource1 */
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource1,
PermissionBits.VIEW,
grantedById,
);
const permissionsMap = await methods.getEffectivePermissionsForResources(
[{ principalType: PrincipalType.USER, principalId: userId }],
ResourceType.MCPSERVER,
[resource1, resource2], // resource2 has no permissions
);
expect(permissionsMap.size).toBe(1);
expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW);
expect(permissionsMap.get(resource2.toString())).toBeUndefined();
});
test('should include public permissions in batch query', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
/** User has VIEW on resource1 */
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource1,
PermissionBits.VIEW | PermissionBits.EDIT,
grantedById,
);
/** Public has VIEW on resource2 */
await methods.grantPermission(
PrincipalType.PUBLIC,
null,
ResourceType.MCPSERVER,
resource2,
PermissionBits.VIEW,
grantedById,
);
/** Query with user + public principals */
const permissionsMap = await methods.getEffectivePermissionsForResources(
[
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.PUBLIC },
],
ResourceType.MCPSERVER,
[resource1, resource2],
);
expect(permissionsMap.size).toBe(2);
expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT);
expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.VIEW);
});
test('should handle large batch efficiently', async () => {
/** Create 50 resources with various permissions */
const resources = Array.from({ length: 50 }, () => new mongoose.Types.ObjectId());
/** Grant permissions to first 30 resources */
for (let i = 0; i < 30; i++) {
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resources[i],
PermissionBits.VIEW,
grantedById,
);
}
/** Grant group permissions to resources 20-40 (overlap with user) */
for (let i = 20; i < 40; i++) {
await methods.grantPermission(
PrincipalType.GROUP,
groupId,
ResourceType.MCPSERVER,
resources[i],
PermissionBits.EDIT,
grantedById,
);
}
const startTime = Date.now();
const permissionsMap = await methods.getEffectivePermissionsForResources(
[
{ principalType: PrincipalType.USER, principalId: userId },
{ principalType: PrincipalType.GROUP, principalId: groupId },
],
ResourceType.MCPSERVER,
resources,
);
const duration = Date.now() - startTime;
/** Should be reasonably fast (under 1 second for 50 resources) */
expect(duration).toBeLessThan(1000);
/** Verify results */
expect(permissionsMap.size).toBe(40); // Resources 0-39 have permissions
/** Resources 0-19: USER VIEW only */
for (let i = 0; i < 20; i++) {
expect(permissionsMap.get(resources[i].toString())).toBe(PermissionBits.VIEW);
}
/** Resources 20-29: USER VIEW | GROUP EDIT */
for (let i = 20; i < 30; i++) {
expect(permissionsMap.get(resources[i].toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT);
}
/** Resources 30-39: GROUP EDIT only */
for (let i = 30; i < 40; i++) {
expect(permissionsMap.get(resources[i].toString())).toBe(PermissionBits.EDIT);
}
/** Resources 40-49: No permissions */
for (let i = 40; i < 50; i++) {
expect(permissionsMap.get(resources[i].toString())).toBeUndefined();
}
});
test('should handle mixed ObjectId and string resource IDs', async () => {
const resource1 = new mongoose.Types.ObjectId();
const resource2 = new mongoose.Types.ObjectId();
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource1,
PermissionBits.VIEW,
grantedById,
);
await methods.grantPermission(
PrincipalType.USER,
userId,
ResourceType.MCPSERVER,
resource2,
PermissionBits.EDIT,
grantedById,
);
/** Pass mix of ObjectId and string */
const permissionsMap = await methods.getEffectivePermissionsForResources(
[{ principalType: PrincipalType.USER, principalId: userId }],
ResourceType.MCPSERVER,
[resource1, resource2.toString()], // Mix of ObjectId and string
);
expect(permissionsMap.size).toBe(2);
expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW);
expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.EDIT);
});
});
});

53
packages/data-schemas/src/methods/aclEntry.ts
View file

@ -118,6 +118,58 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
return effectiveBits;
}
/**
* Get effective permissions for multiple resources in a single query (BATCH)
* Returns a map of resourceId effectivePermissionBits
*
* @param principalsList - List of principals (user + groups + public)
* @param resourceType - The type of resource ('MCPSERVER', 'AGENT', etc.)
* @param resourceIds - Array of resource IDs to check
* @returns {Promise<Map<string, number>>} Map of resourceId permission bits
*
* @example
* const principals = await getUserPrincipals({ userId, role });
* const serverIds = [id1, id2, id3];
* const permMap = await getEffectivePermissionsForResources(
* principals,
* ResourceType.MCPSERVER,
* serverIds
* );
* // permMap.get(id1.toString()) → 7 (VIEW|EDIT|DELETE)
*/
async function getEffectivePermissionsForResources(
principalsList: Array<{ principalType: string; principalId?: string | Types.ObjectId }>,
resourceType: string,
resourceIds: Array<string | Types.ObjectId>,
): Promise<Map<string, number>> {
if (!Array.isArray(resourceIds) || resourceIds.length === 0) {
return new Map();
}
const AclEntry = mongoose.models.AclEntry as Model<IAclEntry>;
const principalsQuery = principalsList.map((p) => ({
principalType: p.principalType,
...(p.principalType !== PrincipalType.PUBLIC && { principalId: p.principalId }),
}));
// Batch query for all resources at once
const aclEntries = await AclEntry.find({
$or: principalsQuery,
resourceType,
resourceId: { $in: resourceIds },
}).lean();
// Compute effective permissions per resource
const permissionsMap = new Map<string, number>();
for (const entry of aclEntries) {
const rid = entry.resourceId.toString();
const currentBits = permissionsMap.get(rid) || 0;
permissionsMap.set(rid, currentBits | entry.permBits);
}
return permissionsMap;
}
/**
* Grant permission to a principal for a resource
* @param principalType - The type of principal ('user', 'group', 'public')
@ -301,6 +353,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
findEntriesByPrincipalsAndResource,
hasPermission,
getEffectivePermissions,
getEffectivePermissionsForResources,
grantPermission,
revokePermission,
modifyPermissionBits,

5
packages/data-schemas/src/methods/index.ts
View file

@ -8,6 +8,8 @@ import { createFileMethods, type FileMethods } from './file';
import { createMemoryMethods, type MemoryMethods } from './memory';
/* Agent Categories */
import { createAgentCategoryMethods, type AgentCategoryMethods } from './agentCategory';
/* MCP Servers */
import { createMCPServerMethods, type MCPServerMethods } from './mcpServer';
/* Plugin Auth */
import { createPluginAuthMethods, type PluginAuthMethods } from './pluginAuth';
/* Permissions */
@ -24,6 +26,7 @@ export type AllMethods = UserMethods &
FileMethods &
MemoryMethods &
AgentCategoryMethods &
MCPServerMethods &
UserGroupMethods &
AclEntryMethods &
ShareMethods &
@ -44,6 +47,7 @@ export function createMethods(mongoose: typeof import('mongoose')): AllMethods {
...createFileMethods(mongoose),
...createMemoryMethods(mongoose),
...createAgentCategoryMethods(mongoose),
...createMCPServerMethods(mongoose),
...createAccessRoleMethods(mongoose),
...createUserGroupMethods(mongoose),
...createAclEntryMethods(mongoose),
@ -61,6 +65,7 @@ export type {
FileMethods,
MemoryMethods,
AgentCategoryMethods,
MCPServerMethods,
UserGroupMethods,
AclEntryMethods,
ShareMethods,

827
packages/data-schemas/src/methods/mcpServer.spec.ts Normal file
View file

@ -0,0 +1,827 @@
import mongoose from 'mongoose';
import { MongoMemoryServer } from 'mongodb-memory-server';
import type { MCPOptions } from 'librechat-data-provider';
import type * as t from '~/types';
import { createMCPServerMethods } from './mcpServer';
import mcpServerSchema from '~/schema/mcpServer';
let mongoServer: MongoMemoryServer;
let MCPServer: mongoose.Model<t.MCPServerDocument>;
let methods: ReturnType<typeof createMCPServerMethods>;
beforeAll(async () => {
mongoServer = await MongoMemoryServer.create();
const mongoUri = mongoServer.getUri();
MCPServer = mongoose.models.MCPServer || mongoose.model('MCPServer', mcpServerSchema);
methods = createMCPServerMethods(mongoose);
await mongoose.connect(mongoUri);
});
afterAll(async () => {
await mongoose.disconnect();
await mongoServer.stop();
});
beforeEach(async () => {
await mongoose.connection.dropDatabase();
});
describe('MCPServer Model Tests', () => {
const authorId = new mongoose.Types.ObjectId();
const authorId2 = new mongoose.Types.ObjectId();
const createSSEConfig = (title?: string, description?: string): MCPOptions => ({
type: 'sse',
url: 'https://example.com/mcp',
...(title && { title }),
...(description && { description }),
});
describe('createMCPServer', () => {
test('should create server with title and generate slug from title', async () => {
const config = createSSEConfig('My Test Server', 'A test server');
const server = await methods.createMCPServer({ config, author: authorId });
expect(server).toBeDefined();
expect(server.serverName).toBe('my-test-server');
expect(server.config.title).toBe('My Test Server');
expect(server.config.description).toBe('A test server');
expect(server.author.toString()).toBe(authorId.toString());
expect(server.createdAt).toBeInstanceOf(Date);
expect(server.updatedAt).toBeInstanceOf(Date);
});
test('should create server without title and use nanoid', async () => {
const config: MCPOptions = {
type: 'sse',
url: 'https://example.com/mcp',
};
const server = await methods.createMCPServer({ config, author: authorId });
expect(server).toBeDefined();
expect(server.serverName).toMatch(/^mcp-[a-zA-Z0-9_-]{16}$/);
expect(server.config.title).toBeUndefined();
});
test('should handle title with special characters', async () => {
const config = createSSEConfig('My @#$% Server!!! 123');
const server = await methods.createMCPServer({ config, author: authorId });
expect(server.serverName).toBe('my-server-123');
});
test('should handle title with only spaces and special chars', async () => {
const config = createSSEConfig(' @#$% ');
const server = await methods.createMCPServer({ config, author: authorId });
// Should fallback to 'mcp-server'
expect(server.serverName).toBe('mcp-server');
});
test('should handle title with multiple spaces', async () => {
const config = createSSEConfig('My Multiple Spaces Server');
const server = await methods.createMCPServer({ config, author: authorId });
expect(server.serverName).toBe('my-multiple-spaces-server');
});
test('should handle string author ID', async () => {
const config = createSSEConfig('String Author Test');
const server = await methods.createMCPServer({
config,
author: authorId.toString(),
});
expect(server).toBeDefined();
expect(server.author.toString()).toBe(authorId.toString());
});
test('should create server with stdio config', async () => {
const config: MCPOptions = {
type: 'stdio',
command: 'node',
args: ['server.js'],
title: 'Stdio Server',
};
const server = await methods.createMCPServer({ config, author: authorId });
expect(server.serverName).toBe('stdio-server');
expect(server.config.type).toBe('stdio');
});
});
describe('findNextAvailableServerName', () => {
test('should return base name when no duplicates exist', async () => {
// Create server directly via model to set up initial state
await MCPServer.create({
serverName: 'other-server',
config: createSSEConfig('Other Server'),
author: authorId,
});
const config = createSSEConfig('Test Server');
const server = await methods.createMCPServer({ config, author: authorId });
expect(server.serverName).toBe('test-server');
});
test('should append -2 when base name exists', async () => {
// Create first server
await methods.createMCPServer({
config: createSSEConfig('Test Server'),
author: authorId,
});
// Create second server with same title
const server = await methods.createMCPServer({
config: createSSEConfig('Test Server'),
author: authorId,
});
expect(server.serverName).toBe('test-server-2');
});
test('should find next available number in sequence', async () => {
// Create servers with sequential names
await MCPServer.create({
serverName: 'test-server',
config: createSSEConfig('Test Server'),
author: authorId,
});
await MCPServer.create({
serverName: 'test-server-2',
config: createSSEConfig('Test Server'),
author: authorId,
});
await MCPServer.create({
serverName: 'test-server-3',
config: createSSEConfig('Test Server'),
author: authorId,
});
const server = await methods.createMCPServer({
config: createSSEConfig('Test Server'),
author: authorId,
});
expect(server.serverName).toBe('test-server-4');
});
test('should handle gaps in sequence', async () => {
// Create servers with gaps: test, test-2, test-5
await MCPServer.create({
serverName: 'test-server',
config: createSSEConfig('Test Server'),
author: authorId,
});
await MCPServer.create({
serverName: 'test-server-2',
config: createSSEConfig('Test Server'),
author: authorId,
});
await MCPServer.create({
serverName: 'test-server-5',
config: createSSEConfig('Test Server'),
author: authorId,
});
const server = await methods.createMCPServer({
config: createSSEConfig('Test Server'),
author: authorId,
});
// Should append -6 (max + 1)
expect(server.serverName).toBe('test-server-6');
});
test('should not match partial names', async () => {
// Create 'test-server-extra' which shouldn't affect 'test-server' sequence
await MCPServer.create({
serverName: 'test-server-extra',
config: createSSEConfig('Test Server Extra'),
author: authorId,
});
const server = await methods.createMCPServer({
config: createSSEConfig('Test Server'),
author: authorId,
});
// 'test-server' is available, so should use it
expect(server.serverName).toBe('test-server');
});
test('should handle special regex characters in base name', async () => {
// The slug generation removes special characters, but test the regex escaping
await MCPServer.create({
serverName: 'test-server',
config: createSSEConfig('Test Server'),
author: authorId,
});
const server = await methods.createMCPServer({
config: createSSEConfig('Test Server'),
author: authorId2,
});
expect(server.serverName).toBe('test-server-2');
});
});
describe('findMCPServerById', () => {
test('should find server by serverName', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Find By Id Test'),
author: authorId,
});
const found = await methods.findMCPServerById(created.serverName);
expect(found).toBeDefined();
expect(found?.serverName).toBe('find-by-id-test');
expect(found?.config.title).toBe('Find By Id Test');
});
test('should return null when server not found', async () => {
const found = await methods.findMCPServerById('non-existent-server');
expect(found).toBeNull();
});
test('should return lean document', async () => {
await methods.createMCPServer({
config: createSSEConfig('Lean Test'),
author: authorId,
});
const found = await methods.findMCPServerById('lean-test');
// Lean documents don't have mongoose methods
expect(found).toBeDefined();
// eslint-disable-next-line @typescript-eslint/no-explicit-any
expect(typeof (found as any).save).toBe('undefined');
});
});
describe('findMCPServerByObjectId', () => {
test('should find server by MongoDB ObjectId', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Object Id Test'),
author: authorId,
});
const found = await methods.findMCPServerByObjectId(created._id);
expect(found).toBeDefined();
expect(found?.serverName).toBe('object-id-test');
expect(found?._id.toString()).toBe(created._id.toString());
});
test('should find server by string ObjectId', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('String Object Id Test'),
author: authorId,
});
const found = await methods.findMCPServerByObjectId(created._id.toString());
expect(found).toBeDefined();
expect(found?.serverName).toBe('string-object-id-test');
});
test('should return null when ObjectId not found', async () => {
const randomId = new mongoose.Types.ObjectId();
const found = await methods.findMCPServerByObjectId(randomId);
expect(found).toBeNull();
});
test('should return null for invalid ObjectId string', async () => {
await expect(methods.findMCPServerByObjectId('invalid-id')).rejects.toThrow();
});
});
describe('findMCPServersByAuthor', () => {
test('should find all servers by author', async () => {
await methods.createMCPServer({
config: createSSEConfig('Author Server 1'),
author: authorId,
});
await methods.createMCPServer({
config: createSSEConfig('Author Server 2'),
author: authorId,
});
await methods.createMCPServer({
config: createSSEConfig('Other Author Server'),
author: authorId2,
});
const servers = await methods.findMCPServersByAuthor(authorId);
expect(servers).toHaveLength(2);
expect(servers.every((s) => s.author.toString() === authorId.toString())).toBe(true);
});
test('should return empty array when author has no servers', async () => {
const servers = await methods.findMCPServersByAuthor(new mongoose.Types.ObjectId());
expect(servers).toEqual([]);
});
test('should sort by updatedAt descending', async () => {
// Create servers with slight delay to ensure different timestamps
const server1 = await methods.createMCPServer({
config: createSSEConfig('First Created'),
author: authorId,
});
// Update first server to make it most recently updated
await MCPServer.findByIdAndUpdate(server1._id, {
$set: { 'config.description': 'Updated' },
});
await methods.createMCPServer({
config: createSSEConfig('Second Created'),
author: authorId,
});
const servers = await methods.findMCPServersByAuthor(authorId);
expect(servers).toHaveLength(2);
// Most recently updated should come first
expect(servers[0].serverName).toBe('second-created');
});
test('should handle string author ID', async () => {
await methods.createMCPServer({
config: createSSEConfig('String Author Server'),
author: authorId,
});
const servers = await methods.findMCPServersByAuthor(authorId.toString());
expect(servers).toHaveLength(1);
});
});
describe('getListMCPServersByIds', () => {
let server1: t.MCPServerDocument;
let server2: t.MCPServerDocument;
let server3: t.MCPServerDocument;
beforeEach(async () => {
server1 = await methods.createMCPServer({
config: createSSEConfig('Server One'),
author: authorId,
});
server2 = await methods.createMCPServer({
config: createSSEConfig('Server Two'),
author: authorId,
});
server3 = await methods.createMCPServer({
config: createSSEConfig('Server Three'),
author: authorId,
});
});
test('should return servers matching provided IDs', async () => {
const result = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id],
});
expect(result.data).toHaveLength(2);
expect(result.has_more).toBe(false);
expect(result.after).toBeNull();
});
test('should return empty data for empty IDs array', async () => {
const result = await methods.getListMCPServersByIds({ ids: [] });
expect(result.data).toEqual([]);
expect(result.has_more).toBe(false);
expect(result.after).toBeNull();
});
test('should handle pagination with limit', async () => {
const result = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
limit: 2,
});
expect(result.data).toHaveLength(2);
expect(result.has_more).toBe(true);
expect(result.after).not.toBeNull();
});
test('should paginate using cursor', async () => {
// Get first page
const firstPage = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
limit: 2,
});
expect(firstPage.has_more).toBe(true);
expect(firstPage.after).not.toBeNull();
// Get second page using cursor
const secondPage = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
limit: 2,
after: firstPage.after,
});
expect(secondPage.data).toHaveLength(1);
expect(secondPage.has_more).toBe(false);
expect(secondPage.after).toBeNull();
// Ensure no duplicates between pages
const firstPageIds = firstPage.data.map((s) => s._id.toString());
const secondPageIds = secondPage.data.map((s) => s._id.toString());
const intersection = firstPageIds.filter((id) => secondPageIds.includes(id));
expect(intersection).toHaveLength(0);
});
test('should handle invalid cursor gracefully', async () => {
const result = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id],
after: 'invalid-cursor',
});
// Should still return results, ignoring invalid cursor
expect(result.data).toHaveLength(2);
});
test('should return all when limit is null', async () => {
const result = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
limit: null,
});
expect(result.data).toHaveLength(3);
expect(result.has_more).toBe(false);
expect(result.after).toBeNull();
});
test('should apply additional filters via otherParams', async () => {
// Create a server with different config
const serverWithDesc = await methods.createMCPServer({
config: createSSEConfig('Filtered Server', 'Has description'),
author: authorId,
});
const result = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, serverWithDesc._id],
otherParams: { 'config.description': 'Has description' },
});
expect(result.data).toHaveLength(1);
expect(result.data[0].serverName).toBe('filtered-server');
});
test('should normalize limit to valid range', async () => {
// Limit should be clamped to 1-100
const resultLow = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
limit: 0,
});
expect(resultLow.data.length).toBeGreaterThanOrEqual(1);
const resultHigh = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
limit: 200,
});
expect(resultHigh.data).toHaveLength(3); // All 3 servers (less than 100)
});
test('should sort by updatedAt descending, _id ascending', async () => {
const result = await methods.getListMCPServersByIds({
ids: [server1._id, server2._id, server3._id],
});
expect(result.data).toHaveLength(3);
// Most recently created/updated should come first
for (let i = 0; i < result.data.length - 1; i++) {
const current = new Date(result.data[i].updatedAt!).getTime();
const next = new Date(result.data[i + 1].updatedAt!).getTime();
expect(current).toBeGreaterThanOrEqual(next);
}
});
});
describe('updateMCPServer', () => {
test('should update server config', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Update Test', 'Original description'),
author: authorId,
});
const updated = await methods.updateMCPServer(created.serverName, {
config: createSSEConfig('Update Test', 'Updated description'),
});
expect(updated).toBeDefined();
expect(updated?.config.description).toBe('Updated description');
expect(updated?.serverName).toBe('update-test'); // serverName shouldn't change
});
test('should return null when server not found', async () => {
const updated = await methods.updateMCPServer('non-existent', {
config: createSSEConfig('Test'),
});
expect(updated).toBeNull();
});
test('should return updated document (new: true)', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Return Test'),
author: authorId,
});
const updated = await methods.updateMCPServer(created.serverName, {
config: createSSEConfig('Return Test', 'New description'),
});
expect(updated?.config.description).toBe('New description');
});
test('should run validators on update', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Validation Test'),
author: authorId,
});
// The update should succeed with valid config
const updated = await methods.updateMCPServer(created.serverName, {
config: createSSEConfig('Validation Test', 'Valid config'),
});
expect(updated).toBeDefined();
});
test('should update timestamps', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Timestamp Test'),
author: authorId,
});
const originalUpdatedAt = created.updatedAt;
// Wait a bit to ensure timestamp difference
await new Promise((resolve) => setTimeout(resolve, 10));
const updated = await methods.updateMCPServer(created.serverName, {
config: createSSEConfig('Timestamp Test', 'Updated'),
});
expect(updated?.updatedAt).toBeDefined();
expect(new Date(updated!.updatedAt!).getTime()).toBeGreaterThan(
new Date(originalUpdatedAt!).getTime(),
);
});
test('should handle partial config updates', async () => {
const created = await methods.createMCPServer({
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Partial Update Test',
description: 'Original',
},
author: authorId,
});
const updated = await methods.updateMCPServer(created.serverName, {
config: {
type: 'sse',
url: 'https://example.com/mcp',
title: 'Partial Update Test',
description: 'New description',
iconPath: '/icons/new-icon.png',
},
});
expect(updated?.config.description).toBe('New description');
expect(updated?.config.iconPath).toBe('/icons/new-icon.png');
});
});
describe('deleteMCPServer', () => {
test('should delete existing server', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Delete Test'),
author: authorId,
});
const deleted = await methods.deleteMCPServer(created.serverName);
expect(deleted).toBeDefined();
expect(deleted?.serverName).toBe('delete-test');
// Verify it's actually deleted
const found = await methods.findMCPServerById('delete-test');
expect(found).toBeNull();
});
test('should return null when server does not exist', async () => {
const deleted = await methods.deleteMCPServer('non-existent-server');
expect(deleted).toBeNull();
});
test('should return the deleted document', async () => {
const created = await methods.createMCPServer({
config: createSSEConfig('Delete Return Test', 'Will be deleted'),
author: authorId,
});
const deleted = await methods.deleteMCPServer(created.serverName);
expect(deleted?.config.description).toBe('Will be deleted');
});
});
describe('getListMCPServersByNames', () => {
test('should return empty data for empty names array', async () => {
const result = await methods.getListMCPServersByNames({ names: [] });
expect(result.data).toEqual([]);
});
test('should find servers by serverName strings', async () => {
await methods.createMCPServer({
config: createSSEConfig('Name Query One'),
author: authorId,
});
await methods.createMCPServer({
config: createSSEConfig('Name Query Two'),
author: authorId,
});
await methods.createMCPServer({
config: createSSEConfig('Name Query Three'),
author: authorId,
});
const result = await methods.getListMCPServersByNames({
names: ['name-query-one', 'name-query-two'],
});
expect(result.data).toHaveLength(2);
const serverNames = result.data.map((s) => s.serverName);
expect(serverNames).toContain('name-query-one');
expect(serverNames).toContain('name-query-two');
expect(serverNames).not.toContain('name-query-three');
});
test('should handle non-existent names gracefully', async () => {
await methods.createMCPServer({
config: createSSEConfig('Existing Server'),
author: authorId,
});
const result = await methods.getListMCPServersByNames({
names: ['existing-server', 'non-existent-1', 'non-existent-2'],
});
expect(result.data).toHaveLength(1);
expect(result.data[0].serverName).toBe('existing-server');
});
test('should return all matching servers for multiple names', async () => {
const server1 = await methods.createMCPServer({
config: createSSEConfig('Multi Name 1'),
author: authorId,
});
const server2 = await methods.createMCPServer({
config: createSSEConfig('Multi Name 2'),
author: authorId,
});
const server3 = await methods.createMCPServer({
config: createSSEConfig('Multi Name 3'),
author: authorId,
});
const result = await methods.getListMCPServersByNames({
names: [server1.serverName, server2.serverName, server3.serverName],
});
expect(result.data).toHaveLength(3);
});
test('should handle duplicate names in input', async () => {
await methods.createMCPServer({
config: createSSEConfig('Duplicate Test'),
author: authorId,
});
const result = await methods.getListMCPServersByNames({
names: ['duplicate-test', 'duplicate-test', 'duplicate-test'],
});
// Should only return one server (unique by serverName)
expect(result.data).toHaveLength(1);
});
});
describe('Edge Cases', () => {
test('should handle concurrent creation with retry logic for race conditions', async () => {
// Ensure indexes are created before concurrent test
await MCPServer.ensureIndexes();
// Create multiple servers with same title concurrently
// The retry logic handles TOCTOU race conditions by retrying with
// exponential backoff when duplicate key errors occur
const promises = Array.from({ length: 5 }, () =>
methods.createMCPServer({
config: createSSEConfig('Concurrent Test'),
author: authorId,
}),
);
const results = await Promise.allSettled(promises);
const successes = results.filter(
(r): r is PromiseFulfilledResult<t.MCPServerDocument> => r.status === 'fulfilled',
);
const failures = results.filter((r): r is PromiseRejectedResult => r.status === 'rejected');
// With retry logic, all concurrent requests should succeed
// Each will get a unique serverName (concurrent-test, concurrent-test-2, etc.)
expect(successes.length).toBe(5);
expect(failures.length).toBe(0);
// Verify all servers have unique names
const serverNames = successes.map((s) => s.value.serverName);
const uniqueNames = new Set(serverNames);
expect(uniqueNames.size).toBe(5);
// Verify all servers exist in the database
const dbServers = await MCPServer.find({
serverName: { $regex: /^concurrent-test/ },
}).lean();
expect(dbServers.length).toBe(5);
});
test('should handle sequential creation with same title - no race condition', async () => {
// Create multiple servers with same title sequentially
// Each creation completes before the next one starts, so no race condition
const results: t.MCPServerDocument[] = [];
for (let i = 0; i < 5; i++) {
const server = await methods.createMCPServer({
config: createSSEConfig('Sequential Test'),
author: authorId,
});
results.push(server);
}
// All should succeed with unique serverNames
const serverNames = results.map((r) => r.serverName);
const uniqueNames = new Set(serverNames);
expect(uniqueNames.size).toBe(5);
expect(serverNames).toContain('sequential-test');
expect(serverNames).toContain('sequential-test-2');
expect(serverNames).toContain('sequential-test-3');
expect(serverNames).toContain('sequential-test-4');
expect(serverNames).toContain('sequential-test-5');
});
test('should handle very long titles', async () => {
const longTitle = 'A'.repeat(200) + ' Server';
const config = createSSEConfig(longTitle);
const server = await methods.createMCPServer({ config, author: authorId });
expect(server).toBeDefined();
expect(server.serverName).toBe('a'.repeat(200) + '-server');
});
test('should handle unicode in title', async () => {
// Unicode characters should be stripped, leaving only alphanumeric
const config = createSSEConfig('Serveur Français 日本語');
const server = await methods.createMCPServer({ config, author: authorId });
expect(server.serverName).toBe('serveur-franais');
});
test('should handle empty string title', async () => {
const config: MCPOptions = {
type: 'sse',
url: 'https://example.com/mcp',
title: '',
};
const server = await methods.createMCPServer({ config, author: authorId });
// Empty title should fallback to nanoid
expect(server.serverName).toMatch(/^mcp-[a-zA-Z0-9_-]{16}$/);
});
test('should handle whitespace-only title', async () => {
const config = createSSEConfig(' ');
const server = await methods.createMCPServer({ config, author: authorId });
// Whitespace-only title after trimming results in fallback
expect(server.serverName).toBe('mcp-server');
});
});
});

324
packages/data-schemas/src/methods/mcpServer.ts Normal file
View file

@ -0,0 +1,324 @@
import type { Model, RootFilterQuery, Types } from 'mongoose';
import type { MCPServerDocument } from '../types';
import type { MCPOptions } from 'librechat-data-provider';
import logger from '~/config/winston';
import { nanoid } from 'nanoid';
const NORMALIZED_LIMIT_DEFAULT = 20;
const MAX_CREATE_RETRIES = 3;
const RETRY_BASE_DELAY_MS = 10;
/**
* Helper to check if an error is a MongoDB duplicate key error.
* Since serverName is the only unique index on MCPServer, any E11000 error
* during creation is necessarily a serverName collision.
*/
function isDuplicateKeyError(error: unknown): boolean {
if (error && typeof error === 'object' && 'code' in error) {
const mongoError = error as { code: number };
return mongoError.code === 11000;
}
return false;
}
/**
* Escapes special regex characters in a string so they are treated literally.
*/
function escapeRegex(str: string): string {
return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
/**
* Generates a URL-friendly server name from a title.
* Converts to lowercase, replaces spaces with hyphens, removes special characters.
*/
function generateServerNameFromTitle(title: string): string {
const slug = title
.toLowerCase()
.trim()
.replace(/[^a-z0-9\s-]/g, '') // Remove special chars except spaces and hyphens
.replace(/\s+/g, '-') // Replace spaces with hyphens
.replace(/-+/g, '-') // Remove consecutive hyphens
.replace(/^-|-$/g, ''); // Trim leading/trailing hyphens
return slug || 'mcp-server'; // Fallback if empty
}
export function createMCPServerMethods(mongoose: typeof import('mongoose')) {
/**
* Finds the next available server name by checking for duplicates.
* If baseName exists, returns baseName-2, baseName-3, etc.
*/
async function findNextAvailableServerName(baseName: string): Promise<string> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
// Find all servers with matching base name pattern (baseName or baseName-N)
const escapedBaseName = escapeRegex(baseName);
const existing = await MCPServer.find({
serverName: { $regex: `^${escapedBaseName}(-\\d+)?$` },
})
.select('serverName')
.lean();
if (existing.length === 0) {
return baseName;
}
// Extract numbers from existing names
const numbers = existing.map((s) => {
const match = s.serverName.match(/-(\d+)$/);
return match ? parseInt(match[1], 10) : 1;
});
const maxNumber = Math.max(...numbers);
return `${baseName}-${maxNumber + 1}`;
}
/**
* Create a new MCP server with retry logic for handling race conditions.
* When multiple requests try to create servers with the same title simultaneously,
* they may get the same serverName from findNextAvailableServerName() before any
* creates the record (TOCTOU race condition). This is handled by retrying with
* exponential backoff when a duplicate key error occurs.
* @param data - Object containing config (with title, description, url, etc.) and author
* @returns The created MCP server document
*/
async function createMCPServer(data: {
config: MCPOptions;
author: string | Types.ObjectId;
}): Promise<MCPServerDocument> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
let lastError: unknown;
for (let attempt = 0; attempt < MAX_CREATE_RETRIES; attempt++) {
try {
// Generate serverName from title, with fallback to nanoid if no title
// Important: regenerate on each attempt to get fresh available name
let serverName: string;
if (data.config.title) {
const baseSlug = generateServerNameFromTitle(data.config.title);
serverName = await findNextAvailableServerName(baseSlug);
} else {
serverName = `mcp-${nanoid(16)}`;
}
const newServer = await MCPServer.create({
serverName,
config: data.config,
author: data.author,
});
return newServer.toObject() as MCPServerDocument;
} catch (error) {
lastError = error;
// Only retry on duplicate key errors (serverName collision)
if (isDuplicateKeyError(error) && attempt < MAX_CREATE_RETRIES - 1) {
// Exponential backoff: 10ms, 20ms, 40ms
const delay = RETRY_BASE_DELAY_MS * Math.pow(2, attempt);
logger.debug(
`[createMCPServer] Duplicate serverName detected, retrying (attempt ${attempt + 2}/${MAX_CREATE_RETRIES}) after ${delay}ms`,
);
await new Promise((resolve) => setTimeout(resolve, delay));
continue;
}
// Not a duplicate key error or out of retries - throw immediately
throw error;
}
}
// Should not reach here, but TypeScript requires a return
throw lastError;
}
/**
* Find an MCP server by serverName
* @param serverName - The MCP server ID
* @returns The MCP server document or null
*/
async function findMCPServerById(serverName: string): Promise<MCPServerDocument | null> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
return await MCPServer.findOne({ serverName }).lean();
}
/**
* Find an MCP server by MongoDB ObjectId
* @param _id - The MongoDB ObjectId
* @returns The MCP server document or null
*/
async function findMCPServerByObjectId(
_id: string | Types.ObjectId,
): Promise<MCPServerDocument | null> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
return await MCPServer.findById(_id).lean();
}
/**
* Find MCP servers by author
* @param authorId - The author's ObjectId or string
* @returns Array of MCP server documents
*/
async function findMCPServersByAuthor(
authorId: string | Types.ObjectId,
): Promise<MCPServerDocument[]> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
return await MCPServer.find({ author: authorId }).sort({ updatedAt: -1 }).lean();
}
/**
* Get a paginated list of MCP servers by IDs with filtering and search
* @param ids - Array of ObjectIds to include
* @param otherParams - Additional filter parameters (e.g., search)
* @param limit - Page size limit (null for no pagination)
* @param after - Cursor for pagination
* @returns Paginated list of MCP servers
*/
async function getListMCPServersByIds({
ids = [],
otherParams = {},
limit = null,
after = null,
}: {
ids?: Types.ObjectId[];
otherParams?: RootFilterQuery<MCPServerDocument>;
limit?: number | null;
after?: string | null;
}): Promise<{
data: MCPServerDocument[];
has_more: boolean;
after: string | null;
}> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
const isPaginated = limit !== null && limit !== undefined;
const normalizedLimit = isPaginated
? Math.min(Math.max(1, parseInt(String(limit)) || NORMALIZED_LIMIT_DEFAULT), 100)
: null;
// Build base query combining accessible servers with other filters
const baseQuery: RootFilterQuery<MCPServerDocument> = { ...otherParams, _id: { $in: ids } };
// Add cursor condition
if (after) {
try {
const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
const { updatedAt, _id } = cursor;
const cursorCondition = {
$or: [
{ updatedAt: { $lt: new Date(updatedAt) } },
{ updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } },
],
};
// Merge cursor condition with base query
if (Object.keys(baseQuery).length > 0) {
baseQuery.$and = [{ ...baseQuery }, cursorCondition];
// Remove the original conditions from baseQuery to avoid duplication
Object.keys(baseQuery).forEach((key) => {
if (key !== '$and') {
delete baseQuery[key];
}
});
}
} catch (error) {
// Invalid cursor, ignore
logger.warn('[getListMCPServersByIds] Invalid cursor provided', error);
}
}
if (normalizedLimit === null) {
// No pagination - return all matching servers
const servers = await MCPServer.find(baseQuery).sort({ updatedAt: -1, _id: 1 }).lean();
return {
data: servers,
has_more: false,
after: null,
};
}
// Paginated query - assign to const to help TypeScript
const servers = await MCPServer.find(baseQuery)
.sort({ updatedAt: -1, _id: 1 })
.limit(normalizedLimit + 1)
.lean();
const hasMore = servers.length > normalizedLimit;
const data = hasMore ? servers.slice(0, normalizedLimit) : servers;
let nextCursor = null;
if (hasMore && data.length > 0) {
const lastItem = data[data.length - 1];
nextCursor = Buffer.from(
JSON.stringify({
updatedAt: lastItem.updatedAt,
_id: lastItem._id,
}),
).toString('base64');
}
return {
data,
has_more: hasMore,
after: nextCursor,
};
}
/**
* Update an MCP server
* @param serverName - The MCP server ID
* @param updateData - Object containing config to update
* @returns The updated MCP server document or null
*/
async function updateMCPServer(
serverName: string,
updateData: { config?: MCPOptions },
): Promise<MCPServerDocument | null> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
return await MCPServer.findOneAndUpdate(
{ serverName },
{ $set: updateData },
{ new: true, runValidators: true },
).lean();
}
/**
* Delete an MCP server
* @param serverName - The MCP server ID
* @returns The deleted MCP server document or null
*/
async function deleteMCPServer(serverName: string): Promise<MCPServerDocument | null> {
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
return await MCPServer.findOneAndDelete({ serverName }).lean();
}
/**
* Get MCP servers by their serverName strings
* @param names - Array of serverName strings to fetch
* @returns Object containing array of MCP server documents
*/
async function getListMCPServersByNames({ names = [] }: { names: string[] }): Promise<{
data: MCPServerDocument[];
}> {
if (names.length === 0) {
return { data: [] };
}
const MCPServer = mongoose.models.MCPServer as Model<MCPServerDocument>;
const servers = await MCPServer.find({ serverName: { $in: names } }).lean();
return { data: servers };
}
return {
createMCPServer,
findMCPServerById,
findMCPServerByObjectId,
findMCPServersByAuthor,
getListMCPServersByIds,
getListMCPServersByNames,
updateMCPServer,
deleteMCPServer,
};
}
export type MCPServerMethods = ReturnType<typeof createMCPServerMethods>;

2
packages/data-schemas/src/models/index.ts
View file

@ -6,6 +6,7 @@ import { createConversationModel } from './convo';
import { createMessageModel } from './message';
import { createAgentModel } from './agent';
import { createAgentCategoryModel } from './agentCategory';
import { createMCPServerModel } from './mcpServer';
import { createRoleModel } from './role';
import { createActionModel } from './action';
import { createAssistantModel } from './assistant';
@ -39,6 +40,7 @@ export function createModels(mongoose: typeof import('mongoose')) {
Message: createMessageModel(mongoose),
Agent: createAgentModel(mongoose),
AgentCategory: createAgentCategoryModel(mongoose),
MCPServer: createMCPServerModel(mongoose),
Role: createRoleModel(mongoose),
Action: createActionModel(mongoose),
Assistant: createAssistantModel(mongoose),

11
packages/data-schemas/src/models/mcpServer.ts Normal file
View file

@ -0,0 +1,11 @@
import mcpServerSchema from '~/schema/mcpServer';
import type { MCPServerDocument } from '~/types';
/**
* Creates or returns the MCPServer model using the provided mongoose instance and schema
*/
export function createMCPServerModel(mongoose: typeof import('mongoose')) {
return (
mongoose.models.MCPServer || mongoose.model<MCPServerDocument>('MCPServer', mcpServerSchema)
);
}

2
packages/data-schemas/src/schema/accessRole.ts
View file

@ -16,7 +16,7 @@ const accessRoleSchema = new Schema<IAccessRole>(
description: String,
resourceType: {
type: String,
enum: ['agent', 'project', 'file', 'promptGroup'],
enum: ['agent', 'project', 'file', 'promptGroup', 'mcpServer'],
required: true,
default: 'agent',
},

6
packages/data-schemas/src/schema/agent.ts
View file

@ -112,6 +112,12 @@ const agentSchema = new Schema<IAgent>(
default: false,
index: true,
},
/** MCP server names extracted from tools for efficient querying */
mcpServerNames: {
type: [String],
default: [],
index: true,
},
},
{
timestamps: true,

31
packages/data-schemas/src/schema/mcpServer.ts Normal file
View file

@ -0,0 +1,31 @@
import { Schema } from 'mongoose';
import type { MCPServerDocument } from '~/types';
const mcpServerSchema = new Schema<MCPServerDocument>(
{
serverName: {
type: String,
index: true,
unique: true,
required: true,
},
config: {
type: Schema.Types.Mixed,
required: true,
// Config contains: title, description, url, oauth, etc.
},
author: {
type: Schema.Types.ObjectId,
ref: 'User',
required: true,
index: true,
},
},
{
timestamps: true,
},
);
mcpServerSchema.index({ updatedAt: -1, _id: 1 });
export default mcpServerSchema;

5
packages/data-schemas/src/schema/role.ts
View file

@ -53,6 +53,11 @@ const rolePermissionsSchema = new Schema(
[PermissionTypes.FILE_CITATIONS]: {
[Permissions.USE]: { type: Boolean },
},
[PermissionTypes.MCP_SERVERS]: {
[Permissions.USE]: { type: Boolean },
[Permissions.CREATE]: { type: Boolean },
[Permissions.SHARE]: { type: Boolean },
},
},
{ _id: false },
);

2
packages/data-schemas/src/types/agent.ts
View file

@ -40,4 +40,6 @@ export interface IAgent extends Omit<Document, 'model'> {
category: string;
support_contact?: ISupportContact;
is_promoted?: boolean;
/** MCP server names extracted from tools for efficient querying */
mcpServerNames?: string[];
}

Some files were not shown because too many files have changed in this diff Show more