From 99f8bd2ce615eaa6bf8a5e62abbe7b422fd7a8dd Mon Sep 17 00:00:00 2001 From: Atef Bellaaj Date: Thu, 4 Dec 2025 21:37:23 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=8F=97=EF=B8=8F=20feat:=20Dynamic=20MCP?= =?UTF-8?q?=20Server=20Infrastructure=20with=20Access=20Control=20(#10787)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Feature: Dynamic MCP Server with Full UI Management * 🚦 feat: Add MCP Connection Status icons to MCPBuilder panel (#10805) * feature: Add MCP server connection status icons to MCPBuilder panel * refactor: Simplify MCPConfigDialog rendering in MCPBuilderPanel --------- Co-authored-by: Atef Bellaaj Co-authored-by: Danny Avila * fix: address code review feedback for MCP server management - Fix OAuth secret preservation to avoid mutating input parameter by creating a merged config copy in ServerConfigsDB.update() - Improve error handling in getResourcePermissionsMap to propagate critical errors instead of silently returning empty Map - Extract duplicated MCP server filter logic by exposing selectableServers from useMCPServerManager hook and using it in MCPSelect component * test: Update PermissionService tests to throw errors on invalid resource types - Changed the test for handling invalid resource types to ensure it throws an error instead of returning an empty permissions map. - Updated the expectation to check for the specific error message when an invalid resource type is provided. * feat: Implement retry logic for MCP server creation to handle race conditions - Enhanced the createMCPServer method to include retry logic with exponential backoff for handling duplicate key errors during concurrent server creation. - Updated tests to verify that all concurrent requests succeed and that unique server names are generated. - Added a helper function to identify MongoDB duplicate key errors, improving error handling during server creation. * refactor: StatusIcon to use CircleCheck for connected status - Replaced the PlugZap icon with CircleCheck in the ConnectedStatusIcon component to better represent the connected state. - Ensured consistent icon usage across the component for improved visual clarity. * test: Update AccessControlService tests to throw errors on invalid resource types - Modified the test for invalid resource types to ensure it throws an error with a specific message instead of returning an empty permissions map. - This change enhances error handling and improves test coverage for the AccessControlService. * fix: Update error message for missing server name in MCP server retrieval - Changed the error message returned when the server name is not provided from 'MCP ID is required' to 'Server name is required' for better clarity and accuracy in the API response. --------- Co-authored-by: Atef Bellaaj Co-authored-by: Danny Avila --- api/models/Agent.js | 31 + .../controllers/PermissionsController.js | 52 +- api/server/controllers/UserController.js | 2 +- api/server/controllers/mcp.js | 112 +- .../canAccessMCPServerResource.js | 61 + .../canAccessMCPServerResource.spec.js | 627 ++++++++++ .../middleware/accessResources/index.js | 2 + api/server/routes/__tests__/mcp.spec.js | 226 ++++ api/server/routes/accessPermissions.js | 15 + api/server/routes/mcp.js | 106 +- api/server/routes/roles.js | 12 + api/server/services/MCP.js | 2 +- api/server/services/MCP.spec.js | 2 +- api/server/services/PermissionService.js | 45 + api/server/services/PermissionService.spec.js | 328 +++++ client/src/Providers/AgentPanelContext.tsx | 27 +- client/src/Providers/MCPPanelContext.tsx | 31 - client/src/Providers/index.ts | 1 - client/src/common/mcp.ts | 26 - client/src/common/types.ts | 11 +- .../src/components/Chat/Input/MCPSelect.tsx | 27 +- .../src/components/Chat/Input/MCPSubMenu.tsx | 2 +- .../components/Chat/Input/ToolsDropdown.tsx | 9 +- .../components/MCP/MCPServerStatusIcon.tsx | 45 +- .../Sharing/PublicSharingToggle.tsx | 6 +- .../SidePanel/Agents/AgentConfig.tsx | 1 + .../SidePanel/Agents/AgentPanelSwitch.tsx | 4 - .../components/SidePanel/Agents/MCPInput.tsx | 295 ----- .../components/SidePanel/Agents/MCPPanel.tsx | 175 --- .../SidePanel/Agents/MCPSection.tsx | 57 - .../components/SidePanel/Agents/MCPTools.tsx | 11 +- .../src/components/SidePanel/MCP/MCPPanel.tsx | 213 ---- .../SidePanel/MCP/MCPPanelSkeleton.tsx | 21 - .../SidePanel/MCPBuilder/MCPAdminSettings.tsx | 231 ++++ .../SidePanel/MCPBuilder/MCPAuth.tsx | 408 +++++++ .../SidePanel/MCPBuilder/MCPBuilderPanel.tsx | 63 + .../SidePanel/MCPBuilder/MCPServerDialog.tsx | 639 ++++++++++ .../SidePanel/MCPBuilder/MCPServerList.tsx | 91 ++ .../components/SidePanel/MCPBuilder/index.ts | 5 + .../components/Tools/MCPToolSelectDialog.tsx | 3 +- client/src/data-provider/MCP/index.ts | 1 + client/src/data-provider/MCP/mutations.ts | 141 +++ client/src/data-provider/roles.ts | 37 + client/src/hooks/MCP/index.ts | 2 +- client/src/hooks/MCP/useMCPServerManager.ts | 62 +- client/src/hooks/Nav/useSideNavLinks.ts | 34 +- .../Sharing/useResourcePermissionState.ts | 2 +- client/src/locales/en/translation.json | 39 +- client/src/utils/resources.ts | 11 + client/src/utils/roles.ts | 13 + librechat.example.yaml | 18 +- .../api/src/acl/accessControlService.spec.ts | 1084 +++++++++++++++++ packages/api/src/acl/accessControlService.ts | 360 ++++++ packages/api/src/app/permissions.spec.ts | 70 ++ packages/api/src/app/permissions.ts | 19 + packages/api/src/mcp/ConnectionsRepository.ts | 4 +- packages/api/src/mcp/UserConnectionManager.ts | 2 +- .../__tests__/ConnectionsRepository.test.ts | 10 +- .../src/mcp/registry/MCPServersInitializer.ts | 4 +- .../src/mcp/registry/MCPServersRegistry.ts | 8 +- .../ServerConfigsRepositoryInterface.ts | 4 +- ...rversInitializer.cache_integration.spec.ts | 12 + ...PServersRegistry.cache_integration.spec.ts | 31 +- .../__tests__/MCPServersRegistry.test.ts | 2 +- .../__tests__/ServerConfigsDB.test.ts | 844 +++++++++++++ .../cache/ServerConfigsCacheInMemory.ts | 10 +- .../registry/cache/ServerConfigsCacheRedis.ts | 10 +- .../ServerConfigsCacheInMemory.test.ts | 6 +- .../src/mcp/registry/db/ServerConfigsDB.ts | 309 ++++- packages/api/src/mcp/types/index.ts | 9 +- packages/api/src/mcp/utils.ts | 27 + .../client/src/components/MultiSelect.tsx | 39 +- packages/client/tsconfig.json | 1 + .../data-provider/src/accessPermissions.ts | 10 + packages/data-provider/src/api-endpoints.ts | 6 + packages/data-provider/src/config.ts | 17 +- packages/data-provider/src/data-service.ts | 45 + packages/data-provider/src/keys.ts | 1 + packages/data-provider/src/mcp.ts | 7 + packages/data-provider/src/permissions.ts | 12 + .../src/react-query/react-query-service.ts | 14 + packages/data-provider/src/roles.ts | 12 + packages/data-provider/src/types/agents.ts | 2 +- packages/data-provider/src/types/index.ts | 1 + .../data-provider/src/types/mcpServers.ts | 13 +- packages/data-provider/src/types/mutations.ts | 8 + .../src/methods/accessRole.spec.ts | 3 + .../data-schemas/src/methods/accessRole.ts | 21 + .../data-schemas/src/methods/aclEntry.spec.ts | 272 +++++ packages/data-schemas/src/methods/aclEntry.ts | 53 + packages/data-schemas/src/methods/index.ts | 5 + .../src/methods/mcpServer.spec.ts | 827 +++++++++++++ .../data-schemas/src/methods/mcpServer.ts | 324 +++++ packages/data-schemas/src/models/index.ts | 2 + packages/data-schemas/src/models/mcpServer.ts | 11 + .../data-schemas/src/schema/accessRole.ts | 2 +- packages/data-schemas/src/schema/agent.ts | 6 + packages/data-schemas/src/schema/mcpServer.ts | 31 + packages/data-schemas/src/schema/role.ts | 5 + packages/data-schemas/src/types/agent.ts | 2 + packages/data-schemas/src/types/index.ts | 2 + packages/data-schemas/src/types/mcp.ts | 12 + packages/data-schemas/src/types/role.ts | 5 + 103 files changed, 7978 insertions(+), 1003 deletions(-) create mode 100644 api/server/middleware/accessResources/canAccessMCPServerResource.js create mode 100644 api/server/middleware/accessResources/canAccessMCPServerResource.spec.js delete mode 100644 client/src/Providers/MCPPanelContext.tsx delete mode 100644 client/src/common/mcp.ts delete mode 100644 client/src/components/SidePanel/Agents/MCPInput.tsx delete mode 100644 client/src/components/SidePanel/Agents/MCPPanel.tsx delete mode 100644 client/src/components/SidePanel/Agents/MCPSection.tsx delete mode 100644 client/src/components/SidePanel/MCP/MCPPanel.tsx delete mode 100644 client/src/components/SidePanel/MCP/MCPPanelSkeleton.tsx create mode 100644 client/src/components/SidePanel/MCPBuilder/MCPAdminSettings.tsx create mode 100644 client/src/components/SidePanel/MCPBuilder/MCPAuth.tsx create mode 100644 client/src/components/SidePanel/MCPBuilder/MCPBuilderPanel.tsx create mode 100644 client/src/components/SidePanel/MCPBuilder/MCPServerDialog.tsx create mode 100644 client/src/components/SidePanel/MCPBuilder/MCPServerList.tsx create mode 100644 client/src/components/SidePanel/MCPBuilder/index.ts create mode 100644 client/src/data-provider/MCP/mutations.ts create mode 100644 packages/api/src/acl/accessControlService.spec.ts create mode 100644 packages/api/src/acl/accessControlService.ts create mode 100644 packages/api/src/mcp/registry/__tests__/ServerConfigsDB.test.ts create mode 100644 packages/data-schemas/src/methods/mcpServer.spec.ts create mode 100644 packages/data-schemas/src/methods/mcpServer.ts create mode 100644 packages/data-schemas/src/models/mcpServer.ts create mode 100644 packages/data-schemas/src/schema/mcpServer.ts create mode 100644 packages/data-schemas/src/types/mcp.ts diff --git a/api/models/Agent.js b/api/models/Agent.js index 1cd6ba3ed9..5f171ef1f2 100644 --- a/api/models/Agent.js +++ b/api/models/Agent.js @@ -15,6 +15,29 @@ const { getMCPServerTools } = require('~/server/services/Config'); const { Agent, AclEntry } = require('~/db/models'); const { getActions } = require('./Action'); +/** + * Extracts unique MCP server names from tools array + * Tools format: "toolName_mcp_serverName" or "sys__server__sys_mcp_serverName" + * @param {string[]} tools - Array of tool identifiers + * @returns {string[]} Array of unique MCP server names + */ +const extractMCPServerNames = (tools) => { + if (!tools || !Array.isArray(tools)) { + return []; + } + const serverNames = new Set(); + for (const tool of tools) { + if (!tool || !tool.includes(mcp_delimiter)) { + continue; + } + const parts = tool.split(mcp_delimiter); + if (parts.length >= 2) { + serverNames.add(parts[parts.length - 1]); + } + } + return Array.from(serverNames); +}; + /** * Create an agent with the provided data. * @param {Object} agentData - The agent data to create. @@ -34,6 +57,7 @@ const createAgent = async (agentData) => { }, ], category: agentData.category || 'general', + mcpServerNames: extractMCPServerNames(agentData.tools), }; return (await Agent.create(initialAgentData)).toObject(); @@ -354,6 +378,13 @@ const updateAgent = async (searchParameter, updateData, options = {}) => { } = currentAgent.toObject(); const { $push, $pull, $addToSet, ...directUpdates } = updateData; + // Sync mcpServerNames when tools are updated + if (directUpdates.tools !== undefined) { + const mcpServerNames = extractMCPServerNames(directUpdates.tools); + directUpdates.mcpServerNames = mcpServerNames; + updateData.mcpServerNames = mcpServerNames; // Also update the original updateData + } + let actionsHash = null; // Generate actions hash if agent has actions diff --git a/api/server/controllers/PermissionsController.js b/api/server/controllers/PermissionsController.js index f44aebae7b..e22e9532c9 100644 --- a/api/server/controllers/PermissionsController.js +++ b/api/server/controllers/PermissionsController.js @@ -4,13 +4,15 @@ const mongoose = require('mongoose'); const { logger } = require('@librechat/data-schemas'); -const { ResourceType, PrincipalType } = require('librechat-data-provider'); +const { ResourceType, PrincipalType, PermissionBits } = require('librechat-data-provider'); const { bulkUpdateResourcePermissions, ensureGroupPrincipalExists, getEffectivePermissions, ensurePrincipalExists, getAvailableRoles, + findAccessibleResources, + getResourcePermissionsMap, } = require('~/server/services/PermissionService'); const { AclEntry } = require('~/db/models'); const { @@ -475,10 +477,58 @@ const searchPrincipals = async (req, res) => { } }; +/** + * Get user's effective permissions for all accessible resources of a type + * @route GET /api/permissions/{resourceType}/effective/all + */ +const getAllEffectivePermissions = async (req, res) => { + try { + const { resourceType } = req.params; + validateResourceType(resourceType); + + const { id: userId } = req.user; + + // Find all resources the user has at least VIEW access to + const accessibleResourceIds = await findAccessibleResources({ + userId, + role: req.user.role, + resourceType, + requiredPermissions: PermissionBits.VIEW, + }); + + if (accessibleResourceIds.length === 0) { + return res.status(200).json({}); + } + + // Get effective permissions for all accessible resources + const permissionsMap = await getResourcePermissionsMap({ + userId, + role: req.user.role, + resourceType, + resourceIds: accessibleResourceIds, + }); + + // Convert Map to plain object for JSON response + const result = {}; + for (const [resourceId, permBits] of permissionsMap) { + result[resourceId] = permBits; + } + + res.status(200).json(result); + } catch (error) { + logger.error('Error getting all effective permissions:', error); + res.status(500).json({ + error: 'Failed to get all effective permissions', + details: error.message, + }); + } +}; + module.exports = { updateResourcePermissions, getResourcePermissions, getResourceRoles, getUserEffectivePermissions, + getAllEffectivePermissions, searchPrincipals, }; diff --git a/api/server/controllers/UserController.js b/api/server/controllers/UserController.js index e95cdc36a0..b0cfd7ede2 100644 --- a/api/server/controllers/UserController.js +++ b/api/server/controllers/UserController.js @@ -317,7 +317,7 @@ const maybeUninstallOAuthMCP = async (userId, pluginKey, appConfig) => { const serverConfig = (await getMCPServersRegistry().getServerConfig(serverName, userId)) ?? appConfig?.mcpServers?.[serverName]; - const oauthServers = await getMCPServersRegistry().getOAuthServers(); + const oauthServers = await getMCPServersRegistry().getOAuthServers(userId); if (!oauthServers.has(serverName)) { // this server does not use OAuth, so nothing to do here as well return; diff --git a/api/server/controllers/mcp.js b/api/server/controllers/mcp.js index 591816cd14..a629dc9ce7 100644 --- a/api/server/controllers/mcp.js +++ b/api/server/controllers/mcp.js @@ -1,9 +1,12 @@ /** * MCP Tools Controller * Handles MCP-specific tool endpoints, decoupled from regular LibreChat tools + * + * @import { MCPServerRegistry } from '@librechat/api' + * @import { MCPServerDocument } from 'librechat-data-provider' */ const { logger } = require('@librechat/data-schemas'); -const { Constants } = require('librechat-data-provider'); +const { Constants, MCPServerUserInputSchema } = require('librechat-data-provider'); const { cacheMCPServerTools, getMCPServerTools } = require('~/server/services/Config'); const { getMCPManager, getMCPServersRegistry } = require('~/config'); @@ -133,7 +136,6 @@ const getMCPServersList = async (req, res) => { if (!userId) { return res.status(401).json({ message: 'Unauthorized' }); } - // TODO - Ensure DB servers loaded into registry (configs only) // 2. Get all server configs from registry (YAML + DB) const serverConfigs = await getMCPServersRegistry().getAllServerConfigs(userId); @@ -145,7 +147,113 @@ const getMCPServersList = async (req, res) => { } }; +/** + * Create MCP server + * @route POST /api/mcp/servers + */ +const createMCPServerController = async (req, res) => { + try { + const userId = req.user?.id; + const { config } = req.body; + + const validation = MCPServerUserInputSchema.safeParse(config); + if (!validation.success) { + return res.status(400).json({ + message: 'Invalid configuration', + errors: validation.error.errors, + }); + } + const result = await getMCPServersRegistry().addServer( + 'temp_server_name', + validation.data, + 'DB', + userId, + ); + res.status(201).json({ + serverName: result.serverName, + ...result.config, + }); + } catch (error) { + logger.error('[createMCPServer]', error); + res.status(500).json({ message: error.message }); + } +}; + +/** + * Get MCP server by ID + */ +const getMCPServerById = async (req, res) => { + try { + const userId = req.user?.id; + const { serverName } = req.params; + if (!serverName) { + return res.status(400).json({ message: 'Server name is required' }); + } + const parsedConfig = await getMCPServersRegistry().getServerConfig(serverName, userId); + + if (!parsedConfig) { + return res.status(404).json({ message: 'MCP server not found' }); + } + + res.status(200).json(parsedConfig); + } catch (error) { + logger.error('[getMCPServerById]', error); + res.status(500).json({ message: error.message }); + } +}; + +/** + * Update MCP server + * @route PATCH /api/mcp/servers/:serverName + */ +const updateMCPServerController = async (req, res) => { + try { + const userId = req.user?.id; + const { serverName } = req.params; + const { config } = req.body; + + const validation = MCPServerUserInputSchema.safeParse(config); + if (!validation.success) { + return res.status(400).json({ + message: 'Invalid configuration', + errors: validation.error.errors, + }); + } + const parsedConfig = await getMCPServersRegistry().updateServer( + serverName, + validation.data, + 'DB', + userId, + ); + + res.status(200).json(parsedConfig); + } catch (error) { + logger.error('[updateMCPServer]', error); + res.status(500).json({ message: error.message }); + } +}; + +/** + * Delete MCP server + * @route DELETE /api/mcp/servers/:serverName + */ +const deleteMCPServerController = async (req, res) => { + try { + const userId = req.user?.id; + const { serverName } = req.params; + await getMCPServersRegistry().removeServer(serverName, 'DB', userId); + res.status(200).json({ message: 'MCP server deleted successfully' }); + } catch (error) { + logger.error('[deleteMCPServer]', error); + res.status(500).json({ message: error.message }); + } +}; + module.exports = { getMCPTools, getMCPServersList, + createMCPServerController, + getMCPServerById, + updateMCPServerController, + deleteMCPServerController, }; diff --git a/api/server/middleware/accessResources/canAccessMCPServerResource.js b/api/server/middleware/accessResources/canAccessMCPServerResource.js new file mode 100644 index 0000000000..69f5f4e4f6 --- /dev/null +++ b/api/server/middleware/accessResources/canAccessMCPServerResource.js @@ -0,0 +1,61 @@ +const { ResourceType } = require('librechat-data-provider'); +const { canAccessResource } = require('./canAccessResource'); +const { findMCPServerById } = require('~/models'); + +/** + * MCP Server ID resolver function + * Resolves custom MCP server ID (e.g., "mcp_abc123") to MongoDB ObjectId + * + * @param {string} mcpServerCustomId - Custom MCP server ID from route parameter + * @returns {Promise} MCP server document with _id field, or null if not found + */ +const resolveMCPServerId = async (mcpServerCustomId) => { + return await findMCPServerById(mcpServerCustomId); +}; + +/** + * MCP Server-specific middleware factory that creates middleware to check MCP server access permissions. + * This middleware extends the generic canAccessResource to handle MCP server custom ID resolution. + * + * @param {Object} options - Configuration options + * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share) + * @param {string} [options.resourceIdParam='serverName'] - The name of the route parameter containing the MCP server custom ID + * @returns {Function} Express middleware function + * + * @example + * // Basic usage for viewing MCP servers + * router.get('/servers/:serverName', + * canAccessMCPServerResource({ requiredPermission: 1 }), + * getMCPServer + * ); + * + * @example + * // Custom resource ID parameter and edit permission + * router.patch('/servers/:id', + * canAccessMCPServerResource({ + * requiredPermission: 2, + * resourceIdParam: 'id' + * }), + * updateMCPServer + * ); + */ +const canAccessMCPServerResource = (options) => { + const { requiredPermission, resourceIdParam = 'serverName' } = options; + + if (!requiredPermission || typeof requiredPermission !== 'number') { + throw new Error( + 'canAccessMCPServerResource: requiredPermission is required and must be a number', + ); + } + + return canAccessResource({ + resourceType: ResourceType.MCPSERVER, + requiredPermission, + resourceIdParam, + idResolver: resolveMCPServerId, + }); +}; + +module.exports = { + canAccessMCPServerResource, +}; diff --git a/api/server/middleware/accessResources/canAccessMCPServerResource.spec.js b/api/server/middleware/accessResources/canAccessMCPServerResource.spec.js new file mode 100644 index 0000000000..5eef1438ff --- /dev/null +++ b/api/server/middleware/accessResources/canAccessMCPServerResource.spec.js @@ -0,0 +1,627 @@ +const mongoose = require('mongoose'); +const { ResourceType, PrincipalType, PrincipalModel } = require('librechat-data-provider'); +const { MongoMemoryServer } = require('mongodb-memory-server'); +const { canAccessMCPServerResource } = require('./canAccessMCPServerResource'); +const { User, Role, AclEntry } = require('~/db/models'); +const { createMCPServer } = require('~/models'); + +describe('canAccessMCPServerResource middleware', () => { + let mongoServer; + let req, res, next; + let testUser; + + beforeAll(async () => { + mongoServer = await MongoMemoryServer.create(); + const mongoUri = mongoServer.getUri(); + await mongoose.connect(mongoUri); + }); + + afterAll(async () => { + await mongoose.disconnect(); + await mongoServer.stop(); + }); + + beforeEach(async () => { + await mongoose.connection.dropDatabase(); + await Role.create({ + name: 'test-role', + permissions: { + MCPSERVERS: { + USE: true, + CREATE: true, + SHARED_GLOBAL: false, + }, + }, + }); + + // Create a test user + testUser = await User.create({ + email: 'test@example.com', + name: 'Test User', + username: 'testuser', + role: 'test-role', + }); + + req = { + user: { id: testUser._id, role: testUser.role }, + params: {}, + }; + res = { + status: jest.fn().mockReturnThis(), + json: jest.fn(), + }; + next = jest.fn(); + + jest.clearAllMocks(); + }); + + describe('middleware factory', () => { + test('should throw error if requiredPermission is not provided', () => { + expect(() => canAccessMCPServerResource({})).toThrow( + 'canAccessMCPServerResource: requiredPermission is required and must be a number', + ); + }); + + test('should throw error if requiredPermission is not a number', () => { + expect(() => canAccessMCPServerResource({ requiredPermission: '1' })).toThrow( + 'canAccessMCPServerResource: requiredPermission is required and must be a number', + ); + }); + + test('should throw error if requiredPermission is null', () => { + expect(() => canAccessMCPServerResource({ requiredPermission: null })).toThrow( + 'canAccessMCPServerResource: requiredPermission is required and must be a number', + ); + }); + + test('should create middleware with default resourceIdParam (serverName)', () => { + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + expect(typeof middleware).toBe('function'); + expect(middleware.length).toBe(3); // Express middleware signature + }); + + test('should create middleware with custom resourceIdParam', () => { + const middleware = canAccessMCPServerResource({ + requiredPermission: 2, + resourceIdParam: 'mcpId', + }); + expect(typeof middleware).toBe('function'); + expect(middleware.length).toBe(3); + }); + }); + + describe('permission checking with real MCP servers', () => { + test('should allow access when user is the MCP server author', async () => { + // Create an MCP server owned by the test user + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Test MCP Server', + }, + author: testUser._id, + }); + + // Create ACL entry for the author (owner permissions) + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, // All permissions (1+2+4+8) + grantedBy: testUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); // VIEW permission + await middleware(req, res, next); + + expect(next).toHaveBeenCalled(); + expect(res.status).not.toHaveBeenCalled(); + }); + + test('should deny access when user is not the author and has no ACL entry', async () => { + // Create an MCP server owned by a different user + const otherUser = await User.create({ + email: 'other@example.com', + name: 'Other User', + username: 'otheruser', + role: 'test-role', + }); + + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Other User MCP Server', + }, + author: otherUser._id, + }); + + // Create ACL entry for the other user (owner) + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: otherUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, // All permissions + grantedBy: otherUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); // VIEW permission + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(403); + expect(res.json).toHaveBeenCalledWith({ + error: 'Forbidden', + message: 'Insufficient permissions to access this mcpServer', + }); + }); + + test('should allow access when user has ACL entry with sufficient permissions', async () => { + // Create an MCP server owned by a different user + const otherUser = await User.create({ + email: 'other2@example.com', + name: 'Other User 2', + username: 'otheruser2', + role: 'test-role', + }); + + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Shared MCP Server', + }, + author: otherUser._id, + }); + + // Create ACL entry granting view permission to test user + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 1, // VIEW permission + grantedBy: otherUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); // VIEW permission + await middleware(req, res, next); + + expect(next).toHaveBeenCalled(); + expect(res.status).not.toHaveBeenCalled(); + }); + + test('should deny access when ACL permissions are insufficient', async () => { + // Create an MCP server owned by a different user + const otherUser = await User.create({ + email: 'other3@example.com', + name: 'Other User 3', + username: 'otheruser3', + role: 'test-role', + }); + + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Limited Access MCP Server', + }, + author: otherUser._id, + }); + + // Create ACL entry granting only view permission + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 1, // VIEW permission only + grantedBy: otherUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 2 }); // EDIT permission required + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(403); + expect(res.json).toHaveBeenCalledWith({ + error: 'Forbidden', + message: 'Insufficient permissions to access this mcpServer', + }); + }); + + test('should handle non-existent MCP server', async () => { + req.params.serverName = 'non-existent-mcp-server'; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(404); + expect(res.json).toHaveBeenCalledWith({ + error: 'Not Found', + message: 'mcpServer not found', + }); + }); + + test('should use custom resourceIdParam', async () => { + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Custom Param MCP Server', + }, + author: testUser._id, + }); + + // Create ACL entry for the author + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, // All permissions + grantedBy: testUser._id, + }); + + req.params.mcpId = mcpServer.serverName; // Using custom param name + + const middleware = canAccessMCPServerResource({ + requiredPermission: 1, + resourceIdParam: 'mcpId', + }); + await middleware(req, res, next); + + expect(next).toHaveBeenCalled(); + expect(res.status).not.toHaveBeenCalled(); + }); + }); + + describe('permission levels', () => { + let mcpServer; + + beforeEach(async () => { + mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Permission Test MCP Server', + }, + author: testUser._id, + }); + + // Create ACL entry with all permissions for the owner + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, // All permissions (1+2+4+8) + grantedBy: testUser._id, + }); + + req.params.serverName = mcpServer.serverName; + }); + + test('should support view permission (1)', async () => { + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + expect(next).toHaveBeenCalled(); + }); + + test('should support edit permission (2)', async () => { + const middleware = canAccessMCPServerResource({ requiredPermission: 2 }); + await middleware(req, res, next); + expect(next).toHaveBeenCalled(); + }); + + test('should support delete permission (4)', async () => { + const middleware = canAccessMCPServerResource({ requiredPermission: 4 }); + await middleware(req, res, next); + expect(next).toHaveBeenCalled(); + }); + + test('should support share permission (8)', async () => { + const middleware = canAccessMCPServerResource({ requiredPermission: 8 }); + await middleware(req, res, next); + expect(next).toHaveBeenCalled(); + }); + + test('should support combined permissions', async () => { + const viewAndEdit = 1 | 2; // 3 + const middleware = canAccessMCPServerResource({ requiredPermission: viewAndEdit }); + await middleware(req, res, next); + expect(next).toHaveBeenCalled(); + }); + }); + + describe('integration with resolveMCPServerId', () => { + test('should resolve serverName to MongoDB ObjectId correctly', async () => { + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Integration Test MCP Server', + }, + author: testUser._id, + }); + + // Create ACL entry for the author + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, // All permissions + grantedBy: testUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).toHaveBeenCalled(); + // Verify that req.resourceAccess was set correctly + expect(req.resourceAccess).toBeDefined(); + expect(req.resourceAccess.resourceType).toBe(ResourceType.MCPSERVER); + expect(req.resourceAccess.resourceId.toString()).toBe(mcpServer._id.toString()); + expect(req.resourceAccess.customResourceId).toBe(mcpServer.serverName); + }); + + test('should work with MCP server CRUD operations', async () => { + // Create MCP server + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'CRUD Test MCP Server', + description: 'Testing integration', + }, + author: testUser._id, + }); + + // Create ACL entry for the author + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, // All permissions + grantedBy: testUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + // Test view access + const viewMiddleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await viewMiddleware(req, res, next); + expect(next).toHaveBeenCalled(); + jest.clearAllMocks(); + + // Update the MCP server + const { updateMCPServer } = require('~/models'); + await updateMCPServer(mcpServer.serverName, { + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'CRUD Test MCP Server', + description: 'Updated description', + }, + }); + + // Test edit access + const editMiddleware = canAccessMCPServerResource({ requiredPermission: 2 }); + await editMiddleware(req, res, next); + expect(next).toHaveBeenCalled(); + }); + + test('should handle stdio type MCP server', async () => { + const mcpServer = await createMCPServer({ + config: { + type: 'stdio', + command: 'node', + args: ['server.js'], + title: 'Stdio MCP Server', + }, + author: testUser._id, + }); + + // Create ACL entry for the author + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer._id, + permBits: 15, + grantedBy: testUser._id, + }); + + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).toHaveBeenCalled(); + expect(req.resourceAccess.resourceInfo.config.type).toBe('stdio'); + }); + }); + + describe('authentication and authorization edge cases', () => { + test('should return 400 when serverName parameter is missing', async () => { + // Don't set req.params.serverName + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(400); + expect(res.json).toHaveBeenCalledWith({ + error: 'Bad Request', + message: 'serverName is required', + }); + }); + + test('should return 401 when user is not authenticated', async () => { + req.user = null; + req.params.serverName = 'some-server'; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(401); + expect(res.json).toHaveBeenCalledWith({ + error: 'Unauthorized', + message: 'Authentication required', + }); + }); + + test('should return 401 when user id is missing', async () => { + req.user = { role: 'test-role' }; // No id + req.params.serverName = 'some-server'; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(401); + expect(res.json).toHaveBeenCalledWith({ + error: 'Unauthorized', + message: 'Authentication required', + }); + }); + + test('should allow admin users to bypass permission checks', async () => { + const { SystemRoles } = require('librechat-data-provider'); + + // Create an MCP server owned by another user + const otherUser = await User.create({ + email: 'owner@example.com', + name: 'Owner User', + username: 'owneruser', + role: 'test-role', + }); + + const mcpServer = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Admin Test MCP Server', + }, + author: otherUser._id, + }); + + // Set user as admin + req.user = { id: testUser._id, role: SystemRoles.ADMIN }; + req.params.serverName = mcpServer.serverName; + + const middleware = canAccessMCPServerResource({ requiredPermission: 4 }); // DELETE permission + await middleware(req, res, next); + + expect(next).toHaveBeenCalled(); + expect(res.status).not.toHaveBeenCalled(); + }); + }); + + describe('error handling', () => { + test('should handle server returning null gracefully (treated as not found)', async () => { + // When an MCP server is not found, findMCPServerById returns null + // which the middleware correctly handles as a 404 + req.params.serverName = 'definitely-non-existent-server'; + + const middleware = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware(req, res, next); + + expect(next).not.toHaveBeenCalled(); + expect(res.status).toHaveBeenCalledWith(404); + expect(res.json).toHaveBeenCalledWith({ + error: 'Not Found', + message: 'mcpServer not found', + }); + }); + }); + + describe('multiple servers with same title', () => { + test('should handle MCP servers with auto-generated suffixes', async () => { + // Create multiple servers with the same title (will have different serverNames) + const mcpServer1 = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp1', + title: 'Duplicate Title', + }, + author: testUser._id, + }); + + const mcpServer2 = await createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp2', + title: 'Duplicate Title', + }, + author: testUser._id, + }); + + // Create ACL entries for both + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer1._id, + permBits: 15, + grantedBy: testUser._id, + }); + + await AclEntry.create({ + principalType: PrincipalType.USER, + principalId: testUser._id, + principalModel: PrincipalModel.USER, + resourceType: ResourceType.MCPSERVER, + resourceId: mcpServer2._id, + permBits: 15, + grantedBy: testUser._id, + }); + + // Verify they have different serverNames + expect(mcpServer1.serverName).toBe('duplicate-title'); + expect(mcpServer2.serverName).toBe('duplicate-title-2'); + + // Test access to first server + req.params.serverName = mcpServer1.serverName; + const middleware1 = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware1(req, res, next); + expect(next).toHaveBeenCalled(); + expect(req.resourceAccess.resourceId.toString()).toBe(mcpServer1._id.toString()); + + jest.clearAllMocks(); + + // Test access to second server + req.params.serverName = mcpServer2.serverName; + const middleware2 = canAccessMCPServerResource({ requiredPermission: 1 }); + await middleware2(req, res, next); + expect(next).toHaveBeenCalled(); + expect(req.resourceAccess.resourceId.toString()).toBe(mcpServer2._id.toString()); + }); + }); +}); diff --git a/api/server/middleware/accessResources/index.js b/api/server/middleware/accessResources/index.js index e1c5def829..838834919a 100644 --- a/api/server/middleware/accessResources/index.js +++ b/api/server/middleware/accessResources/index.js @@ -3,6 +3,7 @@ const { canAccessAgentResource } = require('./canAccessAgentResource'); const { canAccessAgentFromBody } = require('./canAccessAgentFromBody'); const { canAccessPromptViaGroup } = require('./canAccessPromptViaGroup'); const { canAccessPromptGroupResource } = require('./canAccessPromptGroupResource'); +const { canAccessMCPServerResource } = require('./canAccessMCPServerResource'); module.exports = { canAccessResource, @@ -10,4 +11,5 @@ module.exports = { canAccessAgentFromBody, canAccessPromptViaGroup, canAccessPromptGroupResource, + canAccessMCPServerResource, }; diff --git a/api/server/routes/__tests__/mcp.spec.js b/api/server/routes/__tests__/mcp.spec.js index 4a53581d4c..af038ba8d6 100644 --- a/api/server/routes/__tests__/mcp.spec.js +++ b/api/server/routes/__tests__/mcp.spec.js @@ -7,6 +7,9 @@ const mockRegistryInstance = { getServerConfig: jest.fn(), getOAuthServers: jest.fn(), getAllServerConfigs: jest.fn(), + addServer: jest.fn(), + updateServer: jest.fn(), + removeServer: jest.fn(), }; jest.mock('@librechat/api', () => ({ @@ -24,6 +27,7 @@ jest.mock('@librechat/api', () => ({ deleteUserTokens: jest.fn(), }, getUserMCPAuthMap: jest.fn(), + generateCheckAccess: jest.fn(() => (req, res, next) => next()), MCPServersRegistry: { getInstance: () => mockRegistryInstance, }, @@ -57,6 +61,7 @@ jest.mock('~/models', () => ({ createToken: jest.fn(), deleteTokens: jest.fn(), findPluginAuthsByKeys: jest.fn(), + getRoleByName: jest.fn(), })); jest.mock('~/server/services/Config', () => ({ @@ -92,6 +97,7 @@ jest.mock('~/cache', () => ({ jest.mock('~/server/middleware', () => ({ requireJwtAuth: (req, res, next) => next(), + canAccessMCPServerResource: () => (req, res, next) => next(), })); jest.mock('~/server/services/Tools/mcp', () => ({ @@ -1488,4 +1494,224 @@ describe('MCP Routes', () => { expect(response.body).toEqual({ error: 'Database error' }); }); }); + + describe('POST /servers', () => { + it('should create MCP server with valid SSE config', async () => { + const validConfig = { + type: 'sse', + url: 'https://mcp-server.example.com/sse', + title: 'Test SSE Server', + description: 'A test SSE server', + }; + + mockRegistryInstance.addServer.mockResolvedValue({ + serverName: 'test-sse-server', + config: validConfig, + }); + + const response = await request(app).post('/api/mcp/servers').send({ config: validConfig }); + + expect(response.status).toBe(201); + expect(response.body).toEqual({ + serverName: 'test-sse-server', + ...validConfig, + }); + expect(mockRegistryInstance.addServer).toHaveBeenCalledWith( + 'temp_server_name', + expect.objectContaining({ + type: 'sse', + url: 'https://mcp-server.example.com/sse', + }), + 'DB', + 'test-user-id', + ); + }); + + it('should create MCP server with valid stdio config', async () => { + const validConfig = { + type: 'stdio', + command: 'node', + args: ['server.js'], + title: 'Test Stdio Server', + }; + + mockRegistryInstance.addServer.mockResolvedValue({ + serverName: 'test-stdio-server', + config: validConfig, + }); + + const response = await request(app).post('/api/mcp/servers').send({ config: validConfig }); + + expect(response.status).toBe(201); + expect(response.body.serverName).toBe('test-stdio-server'); + }); + + it('should return 400 for invalid configuration', async () => { + const invalidConfig = { + type: 'sse', + // Missing required 'url' field + title: 'Invalid Server', + }; + + const response = await request(app).post('/api/mcp/servers').send({ config: invalidConfig }); + + expect(response.status).toBe(400); + expect(response.body.message).toBe('Invalid configuration'); + expect(response.body.errors).toBeDefined(); + }); + + it('should return 400 for SSE config with invalid URL protocol', async () => { + const invalidConfig = { + type: 'sse', + url: 'ws://invalid-protocol.example.com/sse', + title: 'Invalid Protocol Server', + }; + + const response = await request(app).post('/api/mcp/servers').send({ config: invalidConfig }); + + expect(response.status).toBe(400); + expect(response.body.message).toBe('Invalid configuration'); + }); + + it('should return 500 when registry throws error', async () => { + const validConfig = { + type: 'sse', + url: 'https://mcp-server.example.com/sse', + title: 'Test Server', + }; + + mockRegistryInstance.addServer.mockRejectedValue(new Error('Database connection failed')); + + const response = await request(app).post('/api/mcp/servers').send({ config: validConfig }); + + expect(response.status).toBe(500); + expect(response.body).toEqual({ message: 'Database connection failed' }); + }); + }); + + describe('GET /servers/:serverName', () => { + it('should return server config when found', async () => { + const mockConfig = { + type: 'sse', + url: 'https://mcp-server.example.com/sse', + title: 'Test Server', + }; + + mockRegistryInstance.getServerConfig.mockResolvedValue(mockConfig); + + const response = await request(app).get('/api/mcp/servers/test-server'); + + expect(response.status).toBe(200); + expect(response.body).toEqual(mockConfig); + expect(mockRegistryInstance.getServerConfig).toHaveBeenCalledWith( + 'test-server', + 'test-user-id', + ); + }); + + it('should return 404 when server not found', async () => { + mockRegistryInstance.getServerConfig.mockResolvedValue(null); + + const response = await request(app).get('/api/mcp/servers/non-existent-server'); + + expect(response.status).toBe(404); + expect(response.body).toEqual({ message: 'MCP server not found' }); + }); + + it('should return 500 when registry throws error', async () => { + mockRegistryInstance.getServerConfig.mockRejectedValue(new Error('Database error')); + + const response = await request(app).get('/api/mcp/servers/error-server'); + + expect(response.status).toBe(500); + expect(response.body).toEqual({ message: 'Database error' }); + }); + }); + + describe('PATCH /servers/:serverName', () => { + it('should update server with valid config', async () => { + const updatedConfig = { + type: 'sse', + url: 'https://updated-mcp-server.example.com/sse', + title: 'Updated Server', + description: 'Updated description', + }; + + mockRegistryInstance.updateServer.mockResolvedValue(updatedConfig); + + const response = await request(app) + .patch('/api/mcp/servers/test-server') + .send({ config: updatedConfig }); + + expect(response.status).toBe(200); + expect(response.body).toEqual(updatedConfig); + expect(mockRegistryInstance.updateServer).toHaveBeenCalledWith( + 'test-server', + expect.objectContaining({ + type: 'sse', + url: 'https://updated-mcp-server.example.com/sse', + }), + 'DB', + 'test-user-id', + ); + }); + + it('should return 400 for invalid configuration', async () => { + const invalidConfig = { + type: 'sse', + // Missing required 'url' field + title: 'Invalid Update', + }; + + const response = await request(app) + .patch('/api/mcp/servers/test-server') + .send({ config: invalidConfig }); + + expect(response.status).toBe(400); + expect(response.body.message).toBe('Invalid configuration'); + expect(response.body.errors).toBeDefined(); + }); + + it('should return 500 when registry throws error', async () => { + const validConfig = { + type: 'sse', + url: 'https://mcp-server.example.com/sse', + title: 'Test Server', + }; + + mockRegistryInstance.updateServer.mockRejectedValue(new Error('Update failed')); + + const response = await request(app) + .patch('/api/mcp/servers/test-server') + .send({ config: validConfig }); + + expect(response.status).toBe(500); + expect(response.body).toEqual({ message: 'Update failed' }); + }); + }); + + describe('DELETE /servers/:serverName', () => { + it('should delete server successfully', async () => { + mockRegistryInstance.removeServer.mockResolvedValue(undefined); + + const response = await request(app).delete('/api/mcp/servers/test-server'); + + expect(response.status).toBe(200); + expect(response.body).toEqual({ message: 'MCP server deleted successfully' }); + expect(mockRegistryInstance.removeServer).toHaveBeenCalledWith( + 'test-server', + 'DB', + 'test-user-id', + ); + }); + + it('should return 500 when registry throws error', async () => { + mockRegistryInstance.removeServer.mockRejectedValue(new Error('Deletion failed')); + + const response = await request(app).delete('/api/mcp/servers/error-server'); + + expect(response.status).toBe(500); + expect(response.body).toEqual({ message: 'Deletion failed' }); + }); + }); }); diff --git a/api/server/routes/accessPermissions.js b/api/server/routes/accessPermissions.js index 532f3bc50c..7431a86f1e 100644 --- a/api/server/routes/accessPermissions.js +++ b/api/server/routes/accessPermissions.js @@ -2,6 +2,7 @@ const express = require('express'); const { ResourceType, PermissionBits } = require('librechat-data-provider'); const { getUserEffectivePermissions, + getAllEffectivePermissions, updateResourcePermissions, getResourcePermissions, getResourceRoles, @@ -9,6 +10,7 @@ const { } = require('~/server/controllers/PermissionsController'); const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware'); const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess'); +const { findMCPServerById } = require('~/models'); const router = express.Router(); @@ -63,6 +65,13 @@ router.put( requiredPermission: PermissionBits.SHARE, resourceIdParam: 'resourceId', }); + } else if (resourceType === ResourceType.MCPSERVER) { + middleware = canAccessResource({ + resourceType: ResourceType.MCPSERVER, + requiredPermission: PermissionBits.SHARE, + resourceIdParam: 'resourceId', + idResolver: findMCPServerById, + }); } else { return res.status(400).json({ error: 'Bad Request', @@ -76,6 +85,12 @@ router.put( updateResourcePermissions, ); +/** + * GET /api/permissions/{resourceType}/effective/all + * Get user's effective permissions for all accessible resources of a type + */ +router.get('/:resourceType/effective/all', getAllEffectivePermissions); + /** * GET /api/permissions/{resourceType}/{resourceId}/effective * Get user's effective permissions for a specific resource diff --git a/api/server/routes/mcp.js b/api/server/routes/mcp.js index 62d735a797..0cee7f991a 100644 --- a/api/server/routes/mcp.js +++ b/api/server/routes/mcp.js @@ -1,11 +1,18 @@ const { Router } = require('express'); const { logger } = require('@librechat/data-schemas'); -const { CacheKeys, Constants } = require('librechat-data-provider'); +const { + CacheKeys, + Constants, + PermissionBits, + PermissionTypes, + Permissions, +} = require('librechat-data-provider'); const { createSafeUser, MCPOAuthHandler, MCPTokenStorage, getUserMCPAuthMap, + generateCheckAccess, } = require('@librechat/api'); const { getMCPManager, @@ -14,15 +21,22 @@ const { getMCPServersRegistry, } = require('~/config'); const { getMCPSetupData, getServerConnectionStatus } = require('~/server/services/MCP'); +const { requireJwtAuth, canAccessMCPServerResource } = require('~/server/middleware'); const { findToken, updateToken, createToken, deleteTokens } = require('~/models'); const { getUserPluginAuthValue } = require('~/server/services/PluginService'); const { updateMCPServerTools } = require('~/server/services/Config/mcp'); const { reinitMCPServer } = require('~/server/services/Tools/mcp'); -const { getMCPServersList } = require('~/server/controllers/mcp'); const { getMCPTools } = require('~/server/controllers/mcp'); -const { requireJwtAuth } = require('~/server/middleware'); const { findPluginAuthsByKeys } = require('~/models'); +const { getRoleByName } = require('~/models/Role'); const { getLogStores } = require('~/cache'); +const { + createMCPServerController, + getMCPServerById, + getMCPServersList, + updateMCPServerController, + deleteMCPServerController, +} = require('~/server/controllers/mcp'); const router = Router(); @@ -573,11 +587,93 @@ async function getOAuthHeaders(serverName, userId) { const serverConfig = await getMCPServersRegistry().getServerConfig(serverName, userId); return serverConfig?.oauth_headers ?? {}; } + +/** +MCP Server CRUD Routes (User-Managed MCP Servers) +*/ + +// Permission checkers for MCP server management +const checkMCPUsePermissions = generateCheckAccess({ + permissionType: PermissionTypes.MCP_SERVERS, + permissions: [Permissions.USE], + getRoleByName, +}); + +const checkMCPCreate = generateCheckAccess({ + permissionType: PermissionTypes.MCP_SERVERS, + permissions: [Permissions.USE, Permissions.CREATE], + getRoleByName, +}); + /** * Get list of accessible MCP servers * @route GET /api/mcp/servers - * @returns {MCPServersListResponse} 200 - Success response - application/json + * @param {Object} req.query - Query parameters for pagination and search + * @param {number} [req.query.limit] - Number of results per page + * @param {string} [req.query.after] - Pagination cursor + * @param {string} [req.query.search] - Search query for title/description + * @returns {MCPServerListResponse} 200 - Success response - application/json */ -router.get('/servers', requireJwtAuth, getMCPServersList); +router.get('/servers', requireJwtAuth, checkMCPUsePermissions, getMCPServersList); + +/** + * Create a new MCP server + * @route POST /api/mcp/servers + * @param {MCPServerCreateParams} req.body - The MCP server creation parameters. + * @returns {MCPServer} 201 - Success response - application/json + */ +router.post('/servers', requireJwtAuth, checkMCPCreate, createMCPServerController); + +/** + * Get single MCP server by ID + * @route GET /api/mcp/servers/:serverName + * @param {string} req.params.serverName - MCP server identifier. + * @returns {MCPServer} 200 - Success response - application/json + */ +router.get( + '/servers/:serverName', + requireJwtAuth, + checkMCPUsePermissions, + canAccessMCPServerResource({ + requiredPermission: PermissionBits.VIEW, + resourceIdParam: 'serverName', + }), + getMCPServerById, +); + +/** + * Update MCP server + * @route PATCH /api/mcp/servers/:serverName + * @param {string} req.params.serverName - MCP server identifier. + * @param {MCPServerUpdateParams} req.body - The MCP server update parameters. + * @returns {MCPServer} 200 - Success response - application/json + */ +router.patch( + '/servers/:serverName', + requireJwtAuth, + checkMCPCreate, + canAccessMCPServerResource({ + requiredPermission: PermissionBits.EDIT, + resourceIdParam: 'serverName', + }), + updateMCPServerController, +); + +/** + * Delete MCP server + * @route DELETE /api/mcp/servers/:serverName + * @param {string} req.params.serverName - MCP server identifier. + * @returns {Object} 200 - Success response - application/json + */ +router.delete( + '/servers/:serverName', + requireJwtAuth, + checkMCPCreate, + canAccessMCPServerResource({ + requiredPermission: PermissionBits.DELETE, + resourceIdParam: 'serverName', + }), + deleteMCPServerController, +); module.exports = router; diff --git a/api/server/routes/roles.js b/api/server/routes/roles.js index f197417774..abb53141bd 100644 --- a/api/server/routes/roles.js +++ b/api/server/routes/roles.js @@ -8,6 +8,7 @@ const { memoryPermissionsSchema, marketplacePermissionsSchema, peoplePickerPermissionsSchema, + mcpServersPermissionsSchema, } = require('librechat-data-provider'); const { checkAdmin, requireJwtAuth } = require('~/server/middleware'); const { updateRoleByName, getRoleByName } = require('~/models/Role'); @@ -40,6 +41,11 @@ const permissionConfigs = { permissionType: PermissionTypes.PEOPLE_PICKER, errorMessage: 'Invalid people picker permissions.', }, + 'mcp-servers': { + schema: mcpServersPermissionsSchema, + permissionType: PermissionTypes.MCP_SERVERS, + errorMessage: 'Invalid MCP servers permissions.', + }, marketplace: { schema: marketplacePermissionsSchema, permissionType: PermissionTypes.MARKETPLACE, @@ -142,6 +148,12 @@ router.put('/:roleName/memories', checkAdmin, createPermissionUpdateHandler('mem */ router.put('/:roleName/people-picker', checkAdmin, createPermissionUpdateHandler('people-picker')); +/** + * PUT /api/roles/:roleName/mcp-servers + * Update MCP servers permissions for a specific role + */ +router.put('/:roleName/mcp-servers', checkAdmin, createPermissionUpdateHandler('mcp-servers')); + /** * PUT /api/roles/:roleName/marketplace * Update marketplace permissions for a specific role diff --git a/api/server/services/MCP.js b/api/server/services/MCP.js index d0568fd189..57fa07110a 100644 --- a/api/server/services/MCP.js +++ b/api/server/services/MCP.js @@ -541,7 +541,7 @@ async function getServerConnectionStatus( oauthServers, ) { const connection = appConnections.get(serverName) || userConnections.get(serverName); - const isStaleOrDoNotExist = connection ? connection?.isStale(config.lastUpdatedAt) : true; + const isStaleOrDoNotExist = connection ? connection?.isStale(config.updatedAt) : true; const baseConnectionState = isStaleOrDoNotExist ? 'disconnected' diff --git a/api/server/services/MCP.spec.js b/api/server/services/MCP.spec.js index 2f6d1603a9..7f68c3210c 100644 --- a/api/server/services/MCP.spec.js +++ b/api/server/services/MCP.spec.js @@ -330,7 +330,7 @@ describe('tests for the new helper functions used by the MCP connection status e describe('getServerConnectionStatus', () => { const mockUserId = 'user-123'; const mockServerName = 'test-server'; - const mockConfig = { lastUpdatedAt: Date.now() }; + const mockConfig = { updatedAt: Date.now() }; it('should return app connection state when available', async () => { const appConnections = new Map([ diff --git a/api/server/services/PermissionService.js b/api/server/services/PermissionService.js index 58afffec4a..c35faf7c8d 100644 --- a/api/server/services/PermissionService.js +++ b/api/server/services/PermissionService.js @@ -12,6 +12,7 @@ const { const { findAccessibleResources: findAccessibleResourcesACL, getEffectivePermissions: getEffectivePermissionsACL, + getEffectivePermissionsForResources: getEffectivePermissionsForResourcesACL, grantPermission: grantPermissionACL, findEntriesByPrincipalsAndResource, findGroupByExternalId, @@ -184,6 +185,49 @@ const getEffectivePermissions = async ({ userId, role, resourceType, resourceId } }; +/** + * Get effective permissions for multiple resources in a batch operation + * Returns map of resourceId → effectivePermissionBits + * + * @param {Object} params - Parameters + * @param {string|mongoose.Types.ObjectId} params.userId - User ID + * @param {string} [params.role] - User role (for group membership) + * @param {string} params.resourceType - Resource type (must be valid ResourceType) + * @param {Array} params.resourceIds - Array of resource IDs + * @returns {Promise>} Map of resourceId string → permission bits + * @throws {Error} If resourceType is invalid + */ +const getResourcePermissionsMap = async ({ userId, role, resourceType, resourceIds }) => { + // Validate resource type - throw on invalid type + validateResourceType(resourceType); + + // Handle empty input + if (!Array.isArray(resourceIds) || resourceIds.length === 0) { + return new Map(); + } + + try { + // Get user principals (user + groups + public) + const principals = await getUserPrincipals({ userId, role }); + + // Use batch method from aclEntry + const permissionsMap = await getEffectivePermissionsForResourcesACL( + principals, + resourceType, + resourceIds, + ); + + logger.debug( + `[PermissionService.getResourcePermissionsMap] Computed permissions for ${resourceIds.length} resources, ${permissionsMap.size} have permissions`, + ); + + return permissionsMap; + } catch (error) { + logger.error(`[PermissionService.getResourcePermissionsMap] Error: ${error.message}`, error); + throw error; + } +}; + /** * Find all resources of a specific type that a user has access to with specific permission bits * @param {Object} params - Parameters for finding accessible resources @@ -788,6 +832,7 @@ module.exports = { grantPermission, checkPermission, getEffectivePermissions, + getResourcePermissionsMap, findAccessibleResources, findPubliclyAccessibleResources, hasPublicPermission, diff --git a/api/server/services/PermissionService.spec.js b/api/server/services/PermissionService.spec.js index 5772f3b909..b41780f345 100644 --- a/api/server/services/PermissionService.spec.js +++ b/api/server/services/PermissionService.spec.js @@ -1604,4 +1604,332 @@ describe('PermissionService', () => { expect(effectivePermissions).toBe(3); // EDITOR includes VIEW }); }); + + describe('getResourcePermissionsMap - Batch Permission Queries', () => { + const { getResourcePermissionsMap } = require('./PermissionService'); + + beforeEach(async () => { + await AclEntry.deleteMany({}); + getUserPrincipals.mockReset(); + }); + + test('should get permissions for multiple resources in single query', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + const resource3 = new mongoose.Types.ObjectId(); + + // Grant different permissions to different resources + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource1, + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + grantedBy: grantedById, + }); + + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource2, + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + grantedBy: grantedById, + }); + + // resource3 has no permissions + + // Mock getUserPrincipals + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.PUBLIC }, + ]); + + const permissionsMap = await getResourcePermissionsMap({ + userId, + resourceType: ResourceType.MCPSERVER, + resourceIds: [resource1, resource2, resource3], + }); + + expect(permissionsMap).toBeInstanceOf(Map); + expect(permissionsMap.size).toBe(2); // Only resource1 and resource2 + expect(permissionsMap.get(resource1.toString())).toBe(1); // VIEW + expect(permissionsMap.get(resource2.toString())).toBe(3); // VIEW | EDIT + expect(permissionsMap.get(resource3.toString())).toBeUndefined(); + }); + + test('should combine permissions from multiple principals', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + // User has VIEW on both resources + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource1, + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + grantedBy: grantedById, + }); + + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource2, + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + grantedBy: grantedById, + }); + + // Group has EDIT on resource1 + await grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource1, + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + grantedBy: grantedById, + }); + + // Mock getUserPrincipals with user + group + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + { principalType: PrincipalType.PUBLIC }, + ]); + + const permissionsMap = await getResourcePermissionsMap({ + userId, + resourceType: ResourceType.MCPSERVER, + resourceIds: [resource1, resource2], + }); + + expect(permissionsMap.size).toBe(2); + // Resource1 should have VIEW (1) | EDIT (3) = 3 + expect(permissionsMap.get(resource1.toString())).toBe(3); + // Resource2 should have only VIEW (1) + expect(permissionsMap.get(resource2.toString())).toBe(1); + }); + + test('should handle empty resource list', async () => { + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const permissionsMap = await getResourcePermissionsMap({ + userId, + resourceType: ResourceType.MCPSERVER, + resourceIds: [], + }); + + expect(permissionsMap).toBeInstanceOf(Map); + expect(permissionsMap.size).toBe(0); + }); + + test('should throw on invalid resource type', async () => { + const resource1 = new mongoose.Types.ObjectId(); + + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + // Validation errors should throw immediately + await expect( + getResourcePermissionsMap({ + userId, + resourceType: 'invalid_type', + resourceIds: [resource1], + }), + ).rejects.toThrow('Invalid resourceType: invalid_type'); + }); + + test('should include public permissions in batch query', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + // User has VIEW | EDIT on resource1 + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource1, + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + grantedBy: grantedById, + }); + + // Public has VIEW on resource2 + await grantPermission({ + principalType: PrincipalType.PUBLIC, + principalId: null, + resourceType: ResourceType.MCPSERVER, + resourceId: resource2, + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + grantedBy: grantedById, + }); + + // Mock getUserPrincipals with user + public + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.PUBLIC }, + ]); + + const permissionsMap = await getResourcePermissionsMap({ + userId, + resourceType: ResourceType.MCPSERVER, + resourceIds: [resource1, resource2], + }); + + expect(permissionsMap.size).toBe(2); + expect(permissionsMap.get(resource1.toString())).toBe(3); // VIEW | EDIT + expect(permissionsMap.get(resource2.toString())).toBe(1); // VIEW (public) + }); + + test('should handle large batch efficiently', async () => { + // Create 50 resources + const resources = Array.from({ length: 50 }, () => new mongoose.Types.ObjectId()); + + // Grant permissions to first 30 resources + for (let i = 0; i < 30; i++) { + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resources[i], + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + grantedBy: grantedById, + }); + } + + // Grant group permissions to resources 20-40 (overlap) + for (let i = 20; i < 40; i++) { + await grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.MCPSERVER, + resourceId: resources[i], + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + grantedBy: grantedById, + }); + } + + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + ]); + + const startTime = Date.now(); + const permissionsMap = await getResourcePermissionsMap({ + userId, + resourceType: ResourceType.MCPSERVER, + resourceIds: resources, + }); + const duration = Date.now() - startTime; + + // Should complete in reasonable time (under 1 second) + expect(duration).toBeLessThan(1000); + + // Verify results + expect(permissionsMap.size).toBe(40); // Resources 0-39 have permissions + + // Resources 0-19: USER VIEW only + for (let i = 0; i < 20; i++) { + expect(permissionsMap.get(resources[i].toString())).toBe(1); // VIEW + } + + // Resources 20-29: USER VIEW | GROUP EDIT = 3 + for (let i = 20; i < 30; i++) { + expect(permissionsMap.get(resources[i].toString())).toBe(3); // VIEW | EDIT + } + + // Resources 30-39: GROUP EDIT = 3 + for (let i = 30; i < 40; i++) { + expect(permissionsMap.get(resources[i].toString())).toBe(3); // EDIT includes VIEW + } + + // Resources 40-49: No permissions + for (let i = 40; i < 50; i++) { + expect(permissionsMap.get(resources[i].toString())).toBeUndefined(); + } + }); + + test('should work with role parameter optimization', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + // Grant permissions to ADMIN role + await grantPermission({ + principalType: PrincipalType.ROLE, + principalId: 'ADMIN', + resourceType: ResourceType.MCPSERVER, + resourceId: resource1, + accessRoleId: AccessRoleIds.MCPSERVER_OWNER, + grantedBy: grantedById, + }); + + await grantPermission({ + principalType: PrincipalType.ROLE, + principalId: 'ADMIN', + resourceType: ResourceType.MCPSERVER, + resourceId: resource2, + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + grantedBy: grantedById, + }); + + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.ROLE, principalId: 'ADMIN' }, + { principalType: PrincipalType.PUBLIC }, + ]); + + const permissionsMap = await getResourcePermissionsMap({ + userId, + role: 'ADMIN', + resourceType: ResourceType.MCPSERVER, + resourceIds: [resource1, resource2], + }); + + expect(permissionsMap.size).toBe(2); + expect(permissionsMap.get(resource1.toString())).toBe(15); // OWNER = all bits + expect(permissionsMap.get(resource2.toString())).toBe(3); // EDIT + expect(getUserPrincipals).toHaveBeenCalledWith({ userId, role: 'ADMIN' }); + }); + + test('should handle mixed ObjectId and string resource IDs', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource1, + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + grantedBy: grantedById, + }); + + await grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: resource2, + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + grantedBy: grantedById, + }); + + getUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + // Pass mix of ObjectId and string + const permissionsMap = await getResourcePermissionsMap({ + userId, + resourceType: ResourceType.MCPSERVER, + resourceIds: [resource1, resource2.toString()], + }); + + expect(permissionsMap.size).toBe(2); + expect(permissionsMap.get(resource1.toString())).toBe(1); + expect(permissionsMap.get(resource2.toString())).toBe(3); + }); + }); }); diff --git a/client/src/Providers/AgentPanelContext.tsx b/client/src/Providers/AgentPanelContext.tsx index cb0fbe9dc9..b0d74374b4 100644 --- a/client/src/Providers/AgentPanelContext.tsx +++ b/client/src/Providers/AgentPanelContext.tsx @@ -66,10 +66,16 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode }) if (mcpData?.servers) { for (const [serverName, serverData] of Object.entries(mcpData.servers)) { + // Get title and description from config with fallbacks + const serverConfig = availableMCPServersMap?.[serverName]; + const displayName = serverConfig?.title || serverName; + const displayDescription = + serverConfig?.description || `${localize('com_ui_tool_collection_prefix')} ${serverName}`; + const metadata = { - name: serverName, + name: displayName, pluginKey: serverName, - description: `${localize('com_ui_tool_collection_prefix')} ${serverName}`, + description: displayDescription, icon: serverData.icon || '', authConfig: serverData.authConfig, authenticated: serverData.authenticated, @@ -91,6 +97,7 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode }) isConfigured: configuredServers.has(serverName), isConnected: connectionStatus?.[serverName]?.connectionState === 'connected', metadata, + consumeOnly: serverConfig?.consumeOnly, }); } } @@ -100,11 +107,18 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode }) if (serversMap.has(mcpServerName)) { continue; } + // Get title and description from config with fallbacks + const serverConfig = availableMCPServersMap?.[mcpServerName]; + const displayName = serverConfig?.title || mcpServerName; + const displayDescription = + serverConfig?.description || + `${localize('com_ui_tool_collection_prefix')} ${mcpServerName}`; + const metadata = { - icon: '', - name: mcpServerName, + icon: serverConfig?.iconPath || '', + name: displayName, pluginKey: mcpServerName, - description: `${localize('com_ui_tool_collection_prefix')} ${mcpServerName}`, + description: displayDescription, } as TPlugin; serversMap.set(mcpServerName, { @@ -113,11 +127,12 @@ export function AgentPanelProvider({ children }: { children: React.ReactNode }) isConfigured: true, serverName: mcpServerName, isConnected: connectionStatus?.[mcpServerName]?.connectionState === 'connected', + consumeOnly: serverConfig?.consumeOnly, }); } return serversMap; - }, [mcpData, localize, mcpServerNames, connectionStatus]); + }, [mcpData, localize, mcpServerNames, connectionStatus, availableMCPServersMap]); const value: AgentPanelContextType = { mcp, diff --git a/client/src/Providers/MCPPanelContext.tsx b/client/src/Providers/MCPPanelContext.tsx deleted file mode 100644 index 948be0ad65..0000000000 --- a/client/src/Providers/MCPPanelContext.tsx +++ /dev/null @@ -1,31 +0,0 @@ -import React, { createContext, useContext, useMemo } from 'react'; -import { Constants } from 'librechat-data-provider'; -import { useChatContext } from './ChatContext'; - -interface MCPPanelContextValue { - conversationId: string; -} - -const MCPPanelContext = createContext(undefined); - -export function MCPPanelProvider({ children }: { children: React.ReactNode }) { - const { conversation } = useChatContext(); - - /** Context value only created when conversationId changes */ - const contextValue = useMemo( - () => ({ - conversationId: conversation?.conversationId ?? Constants.NEW_CONVO, - }), - [conversation?.conversationId], - ); - - return {children}; -} - -export function useMCPPanelContext() { - const context = useContext(MCPPanelContext); - if (!context) { - throw new Error('useMCPPanelContext must be used within MCPPanelProvider'); - } - return context; -} diff --git a/client/src/Providers/index.ts b/client/src/Providers/index.ts index d3607d291d..43a16fa976 100644 --- a/client/src/Providers/index.ts +++ b/client/src/Providers/index.ts @@ -24,7 +24,6 @@ export * from './SearchContext'; export * from './BadgeRowContext'; export * from './SidePanelContext'; export * from './DragDropContext'; -export * from './MCPPanelContext'; export * from './ArtifactsContext'; export * from './PromptGroupsContext'; export * from './MessagesViewContext'; diff --git a/client/src/common/mcp.ts b/client/src/common/mcp.ts deleted file mode 100644 index b4f44a1f94..0000000000 --- a/client/src/common/mcp.ts +++ /dev/null @@ -1,26 +0,0 @@ -import { - AuthorizationTypeEnum, - AuthTypeEnum, - TokenExchangeMethodEnum, -} from 'librechat-data-provider'; -import { MCPForm } from '~/common/types'; - -export const defaultMCPFormValues: MCPForm = { - type: AuthTypeEnum.None, - saved_auth_fields: false, - api_key: '', - authorization_type: AuthorizationTypeEnum.Basic, - custom_auth_header: '', - oauth_client_id: '', - oauth_client_secret: '', - authorization_url: '', - client_url: '', - scope: '', - token_exchange_method: TokenExchangeMethodEnum.DefaultPost, - name: '', - description: '', - url: '', - tools: [], - icon: '', - trust: false, -}; diff --git a/client/src/common/types.ts b/client/src/common/types.ts index 1c2ff06c9e..ba3d4d34a3 100644 --- a/client/src/common/types.ts +++ b/client/src/common/types.ts @@ -153,7 +153,6 @@ export enum Panel { actions = 'actions', model = 'model', version = 'version', - mcp = 'mcp', } export type FileSetter = @@ -177,15 +176,6 @@ export type ActionAuthForm = { token_exchange_method: t.TokenExchangeMethodEnum; }; -export type MCPForm = ActionAuthForm & { - name?: string; - description?: string; - url?: string; - tools?: string[]; - icon?: string; - trust?: boolean; -}; - export type ActionWithNullableMetadata = Omit & { metadata: t.ActionMetadata | null; }; @@ -226,6 +216,7 @@ export interface MCPServerInfo { tools: t.AgentToolType[]; isConfigured: boolean; isConnected: boolean; + consumeOnly?: boolean; metadata: t.TPlugin; } diff --git a/client/src/components/Chat/Input/MCPSelect.tsx b/client/src/components/Chat/Input/MCPSelect.tsx index f634d3b11e..12b6bd627e 100644 --- a/client/src/components/Chat/Input/MCPSelect.tsx +++ b/client/src/components/Chat/Input/MCPSelect.tsx @@ -1,8 +1,10 @@ import React, { memo, useCallback } from 'react'; +import { PermissionTypes, Permissions } from 'librechat-data-provider'; import { MultiSelect, MCPIcon } from '@librechat/client'; import MCPServerStatusIcon from '~/components/MCP/MCPServerStatusIcon'; import MCPConfigDialog from '~/components/MCP/MCPConfigDialog'; import { useBadgeRowContext } from '~/Providers'; +import { useHasAccess } from '~/hooks'; function MCPSelectContent() { const { conversationId, mcpServerManager } = useBadgeRowContext(); @@ -15,16 +17,21 @@ function MCPSelectContent() { batchToggleServers, getConfigDialogProps, getServerStatusIconProps, - availableMCPServers, + selectableServers, } = mcpServerManager; const renderSelectedValues = useCallback( - (values: string[], placeholder?: string) => { + ( + values: string[], + placeholder?: string, + items?: (string | { label: string; value: string })[], + ) => { if (values.length === 0) { return placeholder || localize('com_ui_select_placeholder'); } if (values.length === 1) { - return values[0]; + const selectedItem = items?.find((i) => typeof i !== 'string' && i.value == values[0]); + return selectedItem && typeof selectedItem !== 'string' ? selectedItem.label : values[0]; } return localize('com_ui_x_selected', { 0: values.length }); }, @@ -74,11 +81,13 @@ function MCPSelectContent() { } const configDialogProps = getConfigDialogProps(); - return ( <> s.serverName)} + items={selectableServers.map((s) => ({ + label: s.config.title || s.serverName, + value: s.serverName, + }))} selectedValues={mcpValues ?? []} setSelectedValues={batchToggleServers} renderSelectedValues={renderSelectedValues} @@ -99,9 +108,13 @@ function MCPSelectContent() { function MCPSelect() { const { mcpServerManager } = useBadgeRowContext(); - const { availableMCPServers } = mcpServerManager; + const { selectableServers } = mcpServerManager; + const canUseMcp = useHasAccess({ + permissionType: PermissionTypes.MCP_SERVERS, + permission: Permissions.USE, + }); - if (!availableMCPServers || availableMCPServers.length === 0) { + if (!canUseMcp || !selectableServers || selectableServers.length === 0) { return null; } diff --git a/client/src/components/Chat/Input/MCPSubMenu.tsx b/client/src/components/Chat/Input/MCPSubMenu.tsx index 5c07785c9c..fc4152be5c 100644 --- a/client/src/components/Chat/Input/MCPSubMenu.tsx +++ b/client/src/components/Chat/Input/MCPSubMenu.tsx @@ -112,7 +112,7 @@ const MCPSubMenu = React.forwardRef( >
- {s.serverName} + {s.config.title || s.serverName}
{statusIcon &&
{statusIcon}
} diff --git a/client/src/components/Chat/Input/ToolsDropdown.tsx b/client/src/components/Chat/Input/ToolsDropdown.tsx index 43117c9a03..1acb381b2d 100644 --- a/client/src/components/Chat/Input/ToolsDropdown.tsx +++ b/client/src/components/Chat/Input/ToolsDropdown.tsx @@ -72,6 +72,11 @@ const ToolsDropdown = ({ disabled }: ToolsDropdownProps) => { permission: Permissions.USE, }); + const canUseMcp = useHasAccess({ + permissionType: PermissionTypes.MCP_SERVERS, + permission: Permissions.USE, + }); + const showWebSearchSettings = useMemo(() => { const authTypes = webSearchAuthData?.authTypes ?? []; if (authTypes.length === 0) return true; @@ -286,8 +291,8 @@ const ToolsDropdown = ({ disabled }: ToolsDropdownProps) => { }); } - const { configuredServers } = mcpServerManager; - if (configuredServers && configuredServers.length > 0) { + const { availableMCPServers } = mcpServerManager; + if (canUseMcp && availableMCPServers && availableMCPServers.length > 0) { dropdownItems.push({ hideOnClick: false, render: (props) => , diff --git a/client/src/components/MCP/MCPServerStatusIcon.tsx b/client/src/components/MCP/MCPServerStatusIcon.tsx index cebd15368d..36a876e23e 100644 --- a/client/src/components/MCP/MCPServerStatusIcon.tsx +++ b/client/src/components/MCP/MCPServerStatusIcon.tsx @@ -1,6 +1,6 @@ import React from 'react'; -import { Spinner } from '@librechat/client'; -import { SettingsIcon, AlertTriangle, KeyRound, PlugZap, X } from 'lucide-react'; +import { Spinner, TooltipAnchor } from '@librechat/client'; +import { SettingsIcon, AlertTriangle, KeyRound, PlugZap, X, CircleCheck } from 'lucide-react'; import type { MCPServerStatus, TPlugin } from 'librechat-data-provider'; import { useLocalize } from '~/hooks'; @@ -85,7 +85,13 @@ export default function MCPServerStatusIcon({ /> ); } - return null; // No config button for connected servers without customUserVars + return ( + + ); } return null; @@ -192,3 +198,36 @@ function AuthenticatedStatusIcon({ ); } + +interface ConnectedStatusProps { + serverName: string; + requiresOAuth?: boolean; + onConfigClick: (e: React.MouseEvent) => void; +} + +function ConnectedStatusIcon({ serverName, requiresOAuth, onConfigClick }: ConnectedStatusProps) { + if (requiresOAuth) { + return ( + + + + ); + } + + return ( + + + + ); +} diff --git a/client/src/components/Sharing/PublicSharingToggle.tsx b/client/src/components/Sharing/PublicSharingToggle.tsx index 393c7e6f85..3f68d4fdf6 100644 --- a/client/src/components/Sharing/PublicSharingToggle.tsx +++ b/client/src/components/Sharing/PublicSharingToggle.tsx @@ -16,9 +16,13 @@ interface PublicSharingToggleProps { className?: string; } -const accessDescriptions: Record = { +const accessDescriptions: Record< + ResourceType, + 'com_ui_agent' | 'com_ui_prompt' | 'com_ui_mcp_server' +> = { [ResourceType.AGENT]: 'com_ui_agent', [ResourceType.PROMPTGROUP]: 'com_ui_prompt', + [ResourceType.MCPSERVER]: 'com_ui_mcp_server', }; export default function PublicSharingToggle({ diff --git a/client/src/components/SidePanel/Agents/AgentConfig.tsx b/client/src/components/SidePanel/Agents/AgentConfig.tsx index 940607549c..2e247a00f0 100644 --- a/client/src/components/SidePanel/Agents/AgentConfig.tsx +++ b/client/src/components/SidePanel/Agents/AgentConfig.tsx @@ -312,6 +312,7 @@ export default function AgentConfig() { setShowMCPToolDialog={setShowMCPToolDialog} /> )} + {/* Agent Tools & Actions */}
+ } + selection={{ + selectHandler: handleDelete, + selectClasses: + 'bg-destructive text-white transition-all duration-200 hover:bg-destructive/80', + selectText: isDeleting ? : localize('com_ui_delete'), + }} + /> + + + {/* Post-creation redirect URI dialog */} + { + setShowRedirectUriDialog(open); + if (!open) { + onOpenChange(false); + setCreatedServerId(null); + } + }} + > + + + {localize('com_ui_mcp_server_created')} + +
+

+ {localize('com_ui_redirect_uri_instructions')} +

+
+ +
+ + +
+
+
+ +
+
+ + + + {/* Main MCP Server Dialog */} + + {children} + +
+ {/* Icon Picker */} +
+ +
+ + {/* Title */} +
+ + + {errors.title && ( + + {errors.title.type === 'pattern' + ? errors.title.message + : localize('com_ui_field_required')} + + )} +
+ + {/* Description */} +
+ + +
+ + {/* URL */} +
+ + + {errors.url && ( + + {errors.url.type === 'required' + ? localize('com_ui_field_required') + : errors.url.message} + + )} +
+ + {/* Server Type */} +
+ + ( + +
+ +
+
+ +
+ + )} + /> +
+ + {/* Authentication */} + } + /> + + {/* Trust Checkbox */} +
+ ( + + )} + /> + +
+ {errors.trust && ( + {localize('com_ui_field_required')} + )} +
+ + } + footerClassName="sm:justify-between" + leftButtons={ + server ? ( +
+ + {shouldShowShareButton && ( + + )} +
+ ) : null + } + buttons={ + + } + /> + + + ); +} diff --git a/client/src/components/SidePanel/MCPBuilder/MCPServerList.tsx b/client/src/components/SidePanel/MCPBuilder/MCPServerList.tsx new file mode 100644 index 0000000000..5b36c8e4d2 --- /dev/null +++ b/client/src/components/SidePanel/MCPBuilder/MCPServerList.tsx @@ -0,0 +1,91 @@ +import { useState, useRef } from 'react'; +import { GearIcon, MCPIcon, OGDialogTrigger } from '@librechat/client'; +import { + PermissionBits, + PermissionTypes, + Permissions, + hasPermissions, +} from 'librechat-data-provider'; +import { useLocalize, useHasAccess, MCPServerDefinition } from '~/hooks'; +import MCPServerStatusIcon from '~/components/MCP/MCPServerStatusIcon'; +import MCPServerDialog from './MCPServerDialog'; + +interface MCPServerListProps { + servers: MCPServerDefinition[]; + getServerStatusIconProps: ( + serverName: string, + ) => React.ComponentProps; +} + +// Self-contained edit button component (follows MemoryViewer pattern) +const EditMCPServerButton = ({ server }: { server: MCPServerDefinition }) => { + const localize = useLocalize(); + const [open, setOpen] = useState(false); + const triggerRef = useRef(null); + + return ( + + + + + + ); +}; + +export default function MCPServerList({ servers, getServerStatusIconProps }: MCPServerListProps) { + const canCreateEditMCPs = useHasAccess({ + permissionType: PermissionTypes.MCP_SERVERS, + permission: Permissions.CREATE, + }); + const localize = useLocalize(); + + if (servers.length === 0) { + return ( +
+

{localize('com_ui_no_mcp_servers')}

+

{localize('com_ui_add_first_mcp_server')}

+
+ ); + } + + return ( +
+ {servers.map((server) => { + const canEditThisServer = hasPermissions(server.effectivePermissions, PermissionBits.EDIT); + const displayName = server.config?.title || server.serverName; + const serverKey = `key_${server.serverName}`; + + return ( +
+
+ {/* Server Icon */} + {server.config?.iconPath ? ( + {displayName} + ) : ( + + )} + + {/* Server Info */} +
+

{displayName}

+
+ + {/* Edit Button - Only for DB servers and when user has CREATE access */} + {canCreateEditMCPs && canEditThisServer && } + + {/* Connection Status Icon */} + +
+
+ ); + })} +
+ ); +} diff --git a/client/src/components/SidePanel/MCPBuilder/index.ts b/client/src/components/SidePanel/MCPBuilder/index.ts new file mode 100644 index 0000000000..33cdbd03ec --- /dev/null +++ b/client/src/components/SidePanel/MCPBuilder/index.ts @@ -0,0 +1,5 @@ +export { default } from './MCPBuilderPanel'; +export { default as MCPBuilderPanel } from './MCPBuilderPanel'; +export { default as MCPServerList } from './MCPServerList'; +export { default as MCPServerDialog } from './MCPServerDialog'; +export { default as MCPAuth } from './MCPAuth'; diff --git a/client/src/components/Tools/MCPToolSelectDialog.tsx b/client/src/components/Tools/MCPToolSelectDialog.tsx index 1b6936a959..487f767250 100644 --- a/client/src/components/Tools/MCPToolSelectDialog.tsx +++ b/client/src/components/Tools/MCPToolSelectDialog.tsx @@ -207,7 +207,7 @@ function MCPToolSelectDialog({ }, [mcpServerNames]); const mcpServers = useMemo(() => { - const servers = Array.from(mcpServersMap.values()); + const servers = Array.from(mcpServersMap.values()).filter((s) => !s.consumeOnly); return servers.sort((a, b) => a.serverName.localeCompare(b.serverName)); }, [mcpServersMap]); @@ -340,7 +340,6 @@ function MCPToolSelectDialog({ tool_id: serverInfo.serverName, metadata: { ...serverInfo.metadata, - description: `${localize('com_ui_tool_collection_prefix')} ${serverInfo.serverName}`, }, }; diff --git a/client/src/data-provider/MCP/index.ts b/client/src/data-provider/MCP/index.ts index 3cf1ef310b..d0720956a0 100644 --- a/client/src/data-provider/MCP/index.ts +++ b/client/src/data-provider/MCP/index.ts @@ -1 +1,2 @@ export * from './queries'; +export * from './mutations'; diff --git a/client/src/data-provider/MCP/mutations.ts b/client/src/data-provider/MCP/mutations.ts new file mode 100644 index 0000000000..19fa2c3653 --- /dev/null +++ b/client/src/data-provider/MCP/mutations.ts @@ -0,0 +1,141 @@ +import { useMutation, useQueryClient, UseMutationResult } from '@tanstack/react-query'; +import { dataService, QueryKeys, ResourceType } from 'librechat-data-provider'; +import type * as t from 'librechat-data-provider'; + +/** + * Hook for creating a new MCP server + */ +export const useCreateMCPServerMutation = (options?: { + onMutate?: (variables: t.MCPServerCreateParams) => void; + onSuccess?: ( + data: t.MCPServerDBObjectResponse, + variables: t.MCPServerCreateParams, + context: unknown, + ) => void; + onError?: (error: Error, variables: t.MCPServerCreateParams, context: unknown) => void; +}): UseMutationResult => { + const queryClient = useQueryClient(); + + return useMutation((data: t.MCPServerCreateParams) => dataService.createMCPServer(data), { + onMutate: (variables) => options?.onMutate?.(variables), + onError: (error, variables, context) => options?.onError?.(error, variables, context), + onSuccess: (newServer, variables, context) => { + const listRes = queryClient.getQueryData([QueryKeys.mcpServers]); + if (listRes) { + queryClient.setQueryData([QueryKeys.mcpServers], { + ...listRes, + [newServer.serverName!]: newServer, + }); + } + + queryClient.invalidateQueries([QueryKeys.mcpServers]); + queryClient.invalidateQueries([QueryKeys.mcpTools]); + queryClient.invalidateQueries([QueryKeys.mcpAuthValues]); + queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]); + queryClient.invalidateQueries([ + QueryKeys.effectivePermissions, + 'all', + ResourceType.MCPSERVER, + ]); + + return options?.onSuccess?.(newServer, variables, context); + }, + }); +}; + +/** + * Hook for updating an existing MCP server + */ +export const useUpdateMCPServerMutation = (options?: { + onMutate?: (variables: { serverName: string; data: t.MCPServerUpdateParams }) => void; + onSuccess?: ( + data: t.MCPServerDBObjectResponse, + variables: { serverName: string; data: t.MCPServerUpdateParams }, + context: unknown, + ) => void; + onError?: ( + error: Error, + variables: { serverName: string; data: t.MCPServerUpdateParams }, + context: unknown, + ) => void; +}): UseMutationResult< + t.MCPServerDBObjectResponse, + Error, + { serverName: string; data: t.MCPServerUpdateParams } +> => { + const queryClient = useQueryClient(); + + return useMutation( + ({ serverName, data }: { serverName: string; data: t.MCPServerUpdateParams }) => + dataService.updateMCPServer(serverName, data), + { + onMutate: (variables: { serverName: string; data: t.MCPServerUpdateParams }) => + options?.onMutate?.(variables), + onError: ( + error: Error, + variables: { serverName: string; data: t.MCPServerUpdateParams }, + context: unknown, + ) => options?.onError?.(error, variables, context), + onSuccess: ( + updatedServer: t.MCPServerDBObjectResponse, + variables: { serverName: string; data: t.MCPServerUpdateParams }, + context: unknown, + ) => { + // Update list cache + const listRes = queryClient.getQueryData([QueryKeys.mcpServers]); + if (listRes) { + // eslint-disable-next-line @typescript-eslint/no-unused-vars + const { type, ...oldServer } = listRes[variables.serverName!]; + listRes[variables.serverName!] = { ...oldServer, ...updatedServer }; + + queryClient.setQueryData([QueryKeys.mcpServers], { + ...listRes, + }); + } + + queryClient.setQueryData([QueryKeys.mcpServer, variables.serverName], updatedServer); + queryClient.invalidateQueries([QueryKeys.mcpServers]); + queryClient.invalidateQueries([QueryKeys.mcpTools]); + queryClient.invalidateQueries([QueryKeys.mcpAuthValues]); + queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]); + + return options?.onSuccess?.(updatedServer, variables, context); + }, + }, + ); +}; + +/** + * Hook for deleting an MCP server + */ +export const useDeleteMCPServerMutation = (options?: { + onMutate?: (variables: string) => void; + onSuccess?: (_data: { success: boolean }, variables: string, context: unknown) => void; + onError?: (error: Error, variables: string, context: unknown) => void; +}): UseMutationResult<{ success: boolean }, Error, string> => { + const queryClient = useQueryClient(); + + return useMutation((serverName: string) => dataService.deleteMCPServer(serverName), { + onMutate: (variables) => options?.onMutate?.(variables), + onError: (error, variables, context) => options?.onError?.(error, variables, context), + onSuccess: (_data, serverName, context) => { + // Update list cache by removing the deleted server (immutable update) + const listRes = queryClient.getQueryData([QueryKeys.mcpServers]); + if (listRes) { + const { [serverName]: _removed, ...remaining } = listRes; + queryClient.setQueryData([QueryKeys.mcpServers], remaining); + } + + // Remove from specific server query cache + queryClient.removeQueries([QueryKeys.mcpServer, serverName]); + + // Invalidate list query to ensure consistency + queryClient.invalidateQueries([QueryKeys.mcpServers]); + queryClient.invalidateQueries([QueryKeys.mcpTools]); + queryClient.invalidateQueries([QueryKeys.mcpAuthValues]); + queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]); + + return options?.onSuccess?.(_data, serverName, context); + }, + }); +}; diff --git a/client/src/data-provider/roles.ts b/client/src/data-provider/roles.ts index a60047cecb..46edcd2dc9 100644 --- a/client/src/data-provider/roles.ts +++ b/client/src/data-provider/roles.ts @@ -6,6 +6,7 @@ import { memoryPermissionsSchema, marketplacePermissionsSchema, peoplePickerPermissionsSchema, + mcpServersPermissionsSchema, } from 'librechat-data-provider'; import type { UseQueryOptions, @@ -171,6 +172,42 @@ export const useUpdatePeoplePickerPermissionsMutation = ( ); }; +export const useUpdateMCPServersPermissionsMutation = ( + options?: t.UpdateMCPServersPermOptions, +): UseMutationResult< + t.UpdatePermResponse, + t.TError | undefined, + t.UpdateMCPServersPermVars, + unknown +> => { + const queryClient = useQueryClient(); + const { onMutate, onSuccess, onError } = options ?? {}; + return useMutation( + (variables) => { + mcpServersPermissionsSchema.partial().parse(variables.updates); + return dataService.updateMCPServersPermissions(variables); + }, + { + onSuccess: (data, variables, context) => { + queryClient.invalidateQueries([QueryKeys.roles, variables.roleName]); + if (onSuccess) { + onSuccess(data, variables, context); + } + }, + onError: (...args) => { + const error = args[0]; + if (error != null) { + console.error('Failed to update MCP servers permissions:', error); + } + if (onError) { + onError(...args); + } + }, + onMutate, + }, + ); +}; + export const useUpdateMarketplacePermissionsMutation = ( options?: t.UpdateMarketplacePermOptions, ): UseMutationResult< diff --git a/client/src/hooks/MCP/index.ts b/client/src/hooks/MCP/index.ts index 0ee7e9494d..705ca58910 100644 --- a/client/src/hooks/MCP/index.ts +++ b/client/src/hooks/MCP/index.ts @@ -1,5 +1,5 @@ export * from './useMCPConnectionStatus'; export * from './useMCPSelect'; export * from './useVisibleTools'; -export { useMCPServerManager } from './useMCPServerManager'; +export * from './useMCPServerManager'; export { useRemoveMCPTool } from './useRemoveMCPTool'; diff --git a/client/src/hooks/MCP/useMCPServerManager.ts b/client/src/hooks/MCP/useMCPServerManager.ts index e3f47502dc..89cc62aed4 100644 --- a/client/src/hooks/MCP/useMCPServerManager.ts +++ b/client/src/hooks/MCP/useMCPServerManager.ts @@ -1,11 +1,12 @@ import { useCallback, useState, useMemo, useRef, useEffect } from 'react'; import { useToastContext } from '@librechat/client'; import { useQueryClient } from '@tanstack/react-query'; -import { Constants, QueryKeys, MCPOptions } from 'librechat-data-provider'; +import { Constants, QueryKeys, MCPOptions, ResourceType } from 'librechat-data-provider'; import { useCancelMCPOAuthMutation, useUpdateUserPluginsMutation, useReinitializeMCPServerMutation, + useGetAllEffectivePermissionsQuery, } from 'librechat-data-provider/react-query'; import type { TUpdateUserPlugins, TPlugin, MCPServersResponse } from 'librechat-data-provider'; import type { ConfigFieldDetail } from '~/common'; @@ -15,9 +16,9 @@ import { useGetStartupConfig, useMCPServersQuery } from '~/data-provider'; export interface MCPServerDefinition { serverName: string; config: MCPOptions; - mcp_id?: string; - _id?: string; // MongoDB ObjectId for database servers (used for permissions) + dbId?: string; // MongoDB ObjectId for database servers (used for permissions) effectivePermissions: number; // Permission bits (VIEW=1, EDIT=2, DELETE=4, SHARE=8) + consumeOnly?: boolean; } interface ServerState { @@ -36,35 +37,44 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin const { data: loadedServers, isLoading } = useMCPServersQuery(); + // Fetch effective permissions for all MCP servers + const { data: permissionsMap } = useGetAllEffectivePermissionsQuery(ResourceType.MCPSERVER); + const [isConfigModalOpen, setIsConfigModalOpen] = useState(false); const [selectedToolForConfig, setSelectedToolForConfig] = useState(null); const previousFocusRef = useRef(null); - const configuredServers = useMemo(() => { - if (!loadedServers) return []; - return Object.keys(loadedServers).filter((name) => loadedServers[name]?.chatMenu !== false); - }, [loadedServers]); const availableMCPServers: MCPServerDefinition[] = useMemo(() => { const definitions: MCPServerDefinition[] = []; if (loadedServers) { for (const [serverName, metadata] of Object.entries(loadedServers)) { - // eslint-disable-next-line @typescript-eslint/no-unused-vars - const { _id, mcp_id, effectivePermissions, author, updatedAt, createdAt, ...config } = - metadata; + const { dbId, consumeOnly, ...config } = metadata; + + // Get effective permissions from the permissions map using _id + // Fall back to 1 (VIEW) for YAML-based servers without _id + const effectivePermissions = dbId && permissionsMap?.[dbId] ? permissionsMap[dbId] : 1; + definitions.push({ serverName, - mcp_id, - effectivePermissions: effectivePermissions || 1, + dbId, + effectivePermissions, + consumeOnly, config, }); } } return definitions; - }, [loadedServers]); + }, [loadedServers, permissionsMap]); + + // Memoize filtered servers for useMCPSelect to prevent infinite loops + const selectableServers = useMemo( + () => availableMCPServers.filter((s) => s.config.chatMenu !== false && !s.consumeOnly), + [availableMCPServers], + ); const { mcpValues, setMCPValues, isPinned, setIsPinned } = useMCPSelect({ conversationId, - servers: availableMCPServers, + servers: selectableServers, }); const mcpValuesRef = useRef(mcpValues); @@ -73,6 +83,14 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin mcpValuesRef.current = mcpValues; }, [mcpValues]); + // Check if specific permission bit is set + const checkEffectivePermission = useCallback( + (effectivePermissions: number, permissionBit: number): boolean => { + return (effectivePermissions & permissionBit) !== 0; + }, + [], + ); + const reinitializeMutation = useReinitializeMCPServerMutation(); const cancelOAuthMutation = useCancelMCPOAuthMutation(); @@ -98,8 +116,8 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin const [serverStates, setServerStates] = useState>(() => { const initialStates: Record = {}; - configuredServers.forEach((serverName) => { - initialStates[serverName] = { + availableMCPServers.forEach((server) => { + initialStates[server.serverName] = { isInitializing: false, oauthUrl: null, oauthStartTime: null, @@ -111,7 +129,7 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin }); const { connectionStatus } = useMCPConnectionStatus({ - enabled: !isLoading && configuredServers.length > 0, + enabled: !isLoading && availableMCPServers.length > 0, }); const updateServerState = useCallback((serverName: string, updates: Partial) => { @@ -366,7 +384,12 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin cancelOAuthMutation.mutate(serverName, { onSuccess: () => { cleanupServerState(serverName); - queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]); + Promise.all([ + queryClient.invalidateQueries([QueryKeys.mcpServers]), + queryClient.invalidateQueries([QueryKeys.mcpTools]), + queryClient.invalidateQueries([QueryKeys.mcpAuthValues]), + queryClient.invalidateQueries([QueryKeys.mcpConnectionStatus]), + ]); showToast({ message: localize('com_ui_mcp_oauth_cancelled', { 0: serverName }), @@ -629,6 +652,8 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin return { availableMCPServers, + /** MCP servers filtered for chat menu selection (chatMenu !== false && !consumeOnly) */ + selectableServers, availableMCPServersMap: loadedServers, isLoading, connectionStatus, @@ -655,5 +680,6 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin handleRevoke, getServerStatusIconProps, getConfigDialogProps, + checkEffectivePermission, }; } diff --git a/client/src/hooks/Nav/useSideNavLinks.ts b/client/src/hooks/Nav/useSideNavLinks.ts index 6ec798eaa6..ab6904247b 100644 --- a/client/src/hooks/Nav/useSideNavLinks.ts +++ b/client/src/hooks/Nav/useSideNavLinks.ts @@ -10,6 +10,7 @@ import { isAssistantsEndpoint, } from 'librechat-data-provider'; import type { TInterfaceConfig, TEndpointsConfig } from 'librechat-data-provider'; +import MCPBuilderPanel from '~/components/SidePanel/MCPBuilder/MCPBuilderPanel'; import type { NavLink } from '~/common'; import AgentPanelSwitch from '~/components/SidePanel/Agents/AgentPanelSwitch'; import BookmarkPanel from '~/components/SidePanel/Bookmarks/BookmarkPanel'; @@ -18,7 +19,6 @@ import PanelSwitch from '~/components/SidePanel/Builder/PanelSwitch'; import PromptsAccordion from '~/components/Prompts/PromptsAccordion'; import Parameters from '~/components/SidePanel/Parameters/Panel'; import FilesPanel from '~/components/SidePanel/Files/Panel'; -import MCPPanel from '~/components/SidePanel/MCP/MCPPanel'; import { useHasAccess, useMCPServerManager } from '~/hooks'; export default function useSideNavLinks({ @@ -60,7 +60,10 @@ export default function useSideNavLinks({ permissionType: PermissionTypes.AGENTS, permission: Permissions.CREATE, }); - + const hasAccessToUseMCPSettings = useHasAccess({ + permissionType: PermissionTypes.MCP_SERVERS, + permission: Permissions.USE, + }); const { availableMCPServers } = useMCPServerManager(); const Links = useMemo(() => { @@ -152,21 +155,13 @@ export default function useSideNavLinks({ }); } - if ( - availableMCPServers && - availableMCPServers.some( - (server: any) => - (server.config.customUserVars && Object.keys(server.config.customUserVars).length > 0) || - server.config.isOAuth || - server.config.startup === false, - ) - ) { + if (hasAccessToUseMCPSettings && availableMCPServers && availableMCPServers.length > 0) { links.push({ title: 'com_nav_setting_mcp', label: '', icon: MCPIcon, - id: 'mcp-settings', - Component: MCPPanel, + id: 'mcp-builder', + Component: MCPBuilderPanel, }); } @@ -180,19 +175,20 @@ export default function useSideNavLinks({ return links; }, [ - endpointsConfig, - interfaceConfig.parameters, - keyProvided, - endpointType, endpoint, + endpointsConfig, + keyProvided, hasAccessToAgents, + hasAccessToCreateAgents, hasAccessToPrompts, hasAccessToMemories, hasAccessToReadMemories, + interfaceConfig.parameters, + endpointType, hasAccessToBookmarks, - hasAccessToCreateAgents, - hidePanel, availableMCPServers, + hasAccessToUseMCPSettings, + hidePanel, ]); return Links; diff --git a/client/src/hooks/Sharing/useResourcePermissionState.ts b/client/src/hooks/Sharing/useResourcePermissionState.ts index da84244f8f..0a9f8ce386 100644 --- a/client/src/hooks/Sharing/useResourcePermissionState.ts +++ b/client/src/hooks/Sharing/useResourcePermissionState.ts @@ -8,7 +8,7 @@ import { getResourceConfig } from '~/utils'; /** * Hook to manage resource permission state including current shares, public access, and mutations - * @param resourceType - Type of resource (e.g., ResourceType.AGENT, ResourceType.PROMPTGROUP) + * @param resourceType - Type of resource (e.g., ResourceType.AGENT, ResourceType.PROMPTGROUP, ResourceType.MCPSERVER) * @param resourceDbId - Database ID of the resource * @param isModalOpen - Whether the modal is open (for effect dependencies) * @returns Object with permission state and update mutation diff --git a/client/src/locales/en/translation.json b/client/src/locales/en/translation.json index 0c420fe2b3..d4e0756608 100644 --- a/client/src/locales/en/translation.json +++ b/client/src/locales/en/translation.json @@ -75,10 +75,8 @@ "com_agents_marketplace_subtitle": "Discover and use powerful AI agents to enhance your workflows and productivity", "com_agents_mcp_description_placeholder": "Explain what it does in a few words", "com_agents_mcp_icon_size": "Minimum size 128 x 128 px", - "com_agents_mcp_info": "Add MCP servers to your agent to enable it to perform tasks and interact with external services", "com_agents_mcp_name_placeholder": "Custom Tool", "com_agents_mcp_trust_subtext": "Custom connectors are not verified by LibreChat", - "com_agents_mcps_disabled": "You need to create an agent before adding MCPs.", "com_agents_missing_name": "Please type in a name before creating an agent.", "com_agents_missing_provider_model": "Please select a provider and model before creating an agent.", "com_agents_name_placeholder": "Optional: The name of the agent", @@ -536,6 +534,7 @@ "com_nav_long_audio_warning": "Longer texts will take longer to process.", "com_nav_maximize_chat_space": "Maximize chat space", "com_nav_mcp_configure_server": "Configure {{0}}", + "com_nav_mcp_status_connected": "Connected", "com_nav_mcp_status_connecting": "{{0}} - Connecting", "com_nav_mcp_vars_update_error": "Error updating MCP custom user variables", "com_nav_mcp_vars_updated": "MCP custom user variables updated successfully.", @@ -593,7 +592,6 @@ "com_sidepanel_conversation_tags": "Bookmarks", "com_sidepanel_hide_panel": "Hide Panel", "com_sidepanel_manage_files": "Manage Files", - "com_sidepanel_mcp_no_servers_with_vars": "No MCP servers with configurable variables.", "com_sidepanel_parameters": "Parameters", "com_sources_agent_file": "Source Document", "com_sources_agent_files": "Agent Files", @@ -631,6 +629,10 @@ "com_ui_add_web_search_api_keys": "Add Web Search API Keys", "com_ui_add_mcp": "Add MCP", "com_ui_add_mcp_server": "Add MCP Server", + "com_ui_no_mcp_servers": "No MCP servers yet", + "com_ui_add_first_mcp_server": "Create your first MCP server to get started", + "com_ui_mcp_server_created": "MCP server created successfully", + "com_ui_mcp_server_updated": "MCP server updated successfully", "com_ui_add_model_preset": "Add a model or preset for an additional response", "com_ui_add_multi_conversation": "Add multi-conversation", "com_ui_add_special_variables": "Add Special Variables", @@ -691,6 +693,9 @@ "com_ui_agents_allow_create": "Allow creating Agents", "com_ui_agents_allow_share": "Allow sharing Agents", "com_ui_agents_allow_use": "Allow using Agents", + "com_ui_mcp_servers_allow_create": "Allow users to create MCP servers", + "com_ui_mcp_servers_allow_share": "Allow users to share MCP servers", + "com_ui_mcp_servers_allow_use": "Allow users to use MCP servers", "com_ui_all": "all", "com_ui_all_proper": "All", "com_ui_analyzing": "Analyzing", @@ -725,7 +730,6 @@ "com_ui_authentication": "Authentication", "com_ui_authentication_type": "Authentication Type", "com_ui_auto": "Auto", - "com_ui_available_tools": "Available Tools", "com_ui_avatar": "Avatar", "com_ui_azure": "Azure", "com_ui_azure_ad": "Entra ID", @@ -864,10 +868,6 @@ "com_ui_delete_confirm_strong": "This will delete {{title}}", "com_ui_delete_confirm_prompt_version_var": "This will delete the selected version for \"{{0}}.\" If no other versions exist, the prompt will be deleted.", "com_ui_delete_conversation": "Delete chat?", - "com_ui_delete_mcp": "Delete MCP", - "com_ui_delete_mcp_confirm": "Are you sure you want to delete this MCP server?", - "com_ui_delete_mcp_error": "Failed to delete MCP server", - "com_ui_delete_mcp_success": "MCP server deleted successfully", "com_ui_delete_memory": "Delete Memory", "com_ui_delete_not_allowed": "Delete operation is not allowed", "com_ui_delete_preset": "Delete Preset?", @@ -887,6 +887,7 @@ "com_ui_deselect_all": "Deselect All", "com_ui_detailed": "Detailed", "com_ui_disabling": "Disabling...", + "com_ui_done": "Done", "com_ui_download": "Download", "com_ui_download_artifact": "Download Artifact", "com_ui_download_backup": "Download Backup Codes", @@ -904,9 +905,9 @@ "com_ui_edit": "Edit", "com_ui_edit_editing_image": "Editing image", "com_ui_edit_mcp_server": "Edit MCP Server", + "com_ui_edit_mcp_server_dialog_description": "Unique Server Identifier: {{serverName}}", "com_ui_edit_memory": "Edit Memory", "com_ui_edit_preset_title": "Edit Preset - {{title}}", - "com_ui_edit_server": "Edit {{serverName}}", "com_ui_edit_prompt_page": "Edit Prompt Page", "com_ui_editable_message": "Editable Message", "com_ui_editor_instructions": "Drag the image to reposition • Use zoom slider or buttons to adjust size", @@ -1047,7 +1048,7 @@ "com_ui_mcp_initialized_success": "MCP server '{{0}}' initialized successfully", "com_ui_mcp_oauth_cancelled": "OAuth login cancelled for {{0}}", "com_ui_mcp_oauth_timeout": "OAuth login timed out for {{0}}", - "com_ui_mcp_server_not_found": "Server not found.", + "com_ui_mcp_server": "MCP Server", "com_ui_mcp_servers": "MCP Servers", "com_ui_mcp_update_var": "Update {{0}}", "com_ui_mcp_url": "MCP Server URL", @@ -1109,7 +1110,6 @@ "com_ui_oauth_error_missing_code": "Authorization code is missing. Please try again.", "com_ui_oauth_error_missing_state": "State parameter is missing. Please try again.", "com_ui_oauth_error_title": "Authentication Failed", - "com_ui_oauth_revoke": "Revoke", "com_ui_oauth_success_description": "Your authentication was successful. This window will close in", "com_ui_oauth_success_title": "Authentication Successful", "com_ui_of": "of", @@ -1154,6 +1154,9 @@ "com_ui_quality": "Quality", "com_ui_read_aloud": "Read aloud", "com_ui_redirecting_to_provider": "Redirecting to {{0}}, please wait...", + "com_ui_redirect_uri": "Redirect URI", + "com_ui_redirect_uri_info": "The redirect URI will be provided after the server is created. Configure it in your OAuth provider settings.", + "com_ui_redirect_uri_instructions": "Copy this redirect URI and configure it in your OAuth provider settings.", "com_ui_reference_saved_memories": "Reference saved memories", "com_ui_reference_saved_memories_description": "Allow the assistant to reference and use your saved memories when responding", "com_ui_refresh": "Refresh", @@ -1199,6 +1202,18 @@ "com_ui_role_select": "Role", "com_ui_role_viewer": "Viewer", "com_ui_role_viewer_desc": "Can view and use the agent but cannot modify it", + "com_ui_mcp_server_role_viewer": "MCP Server Viewer", + "com_ui_mcp_server_role_viewer_desc": "Can view and use MCP servers", + "com_ui_mcp_server_role_editor": "MCP Server Editor", + "com_ui_mcp_server_role_editor_desc": "Can view, use, and edit MCP servers", + "com_ui_mcp_server_role_owner": "MCP Server Owner", + "com_ui_mcp_server_role_owner_desc": "Full control over MCP servers", + "com_ui_mcp_server_delete_confirm": "Are you sure you want to delete this MCP server?", + "com_ui_mcp_server_deleted": "MCP server deleted successfully", + "com_ui_mcp_title_invalid": "Title can only contain letters, numbers, and spaces", + "com_ui_mcp_server_type": "Server Type", + "com_ui_mcp_type_streamable_http": "Streamable HTTPS", + "com_ui_mcp_type_sse": "SSE", "com_ui_roleplay": "Roleplay", "com_ui_rotate": "Rotate", "com_ui_rotate_90": "Rotate 90 degrees", @@ -1312,8 +1327,6 @@ "com_ui_unpin": "Unpin", "com_ui_untitled": "Untitled", "com_ui_update": "Update", - "com_ui_update_mcp_error": "There was an error creating or updating the MCP.", - "com_ui_update_mcp_success": "Successfully created or updated MCP", "com_ui_upload": "Upload", "com_ui_upload_agent_avatar": "Successfully updated agent avatar", "com_ui_upload_agent_avatar_label": "Upload agent avatar image", diff --git a/client/src/utils/resources.ts b/client/src/utils/resources.ts index dc18ea9b8b..f7c3586dfb 100644 --- a/client/src/utils/resources.ts +++ b/client/src/utils/resources.ts @@ -36,6 +36,17 @@ export const RESOURCE_CONFIGS: Record = { `Manage permissions for ${name && name !== '' ? `"${name}"` : 'prompt'}`, getCopyUrlMessage: () => 'Prompt URL copied', }, + [ResourceType.MCPSERVER]: { + resourceType: ResourceType.MCPSERVER, + defaultViewerRoleId: AccessRoleIds.MCPSERVER_VIEWER, + defaultEditorRoleId: AccessRoleIds.MCPSERVER_EDITOR, + defaultOwnerRoleId: AccessRoleIds.MCPSERVER_OWNER, + getResourceName: (name?: string) => (name && name !== '' ? `"${name}"` : 'MCP server'), + getShareMessage: (name?: string) => (name && name !== '' ? `"${name}"` : 'MCP server'), + getManageMessage: (name?: string) => + `Manage permissions for ${name && name !== '' ? `"${name}"` : 'MCP server'}`, + getCopyUrlMessage: () => 'MCP Server URL copied', + }, }; export const getResourceConfig = (resourceType: ResourceType): ResourceConfig | undefined => { diff --git a/client/src/utils/roles.ts b/client/src/utils/roles.ts index 7848e6b340..8bc38b7d52 100644 --- a/client/src/utils/roles.ts +++ b/client/src/utils/roles.ts @@ -35,6 +35,19 @@ export const ROLE_LOCALIZATIONS = { name: 'com_ui_role_owner' as const, description: 'com_ui_role_owner_desc' as const, } as const, + // MCPServer roles + mcpServer_viewer: { + name: 'com_ui_mcp_server_role_viewer' as const, + description: 'com_ui_mcp_server_role_viewer_desc' as const, + } as const, + mcpServer_editor: { + name: 'com_ui_mcp_server_role_editor' as const, + description: 'com_ui_mcp_server_role_editor_desc' as const, + } as const, + mcpServer_owner: { + name: 'com_ui_mcp_server_role_owner' as const, + description: 'com_ui_mcp_server_role_owner_desc' as const, + } as const, }; /** diff --git a/librechat.example.yaml b/librechat.example.yaml index f163f8d4ac..da0b0b7bb1 100644 --- a/librechat.example.yaml +++ b/librechat.example.yaml @@ -94,8 +94,17 @@ interface: groups: true roles: true marketplace: - use: false + use: false fileCitations: true + mcpServers: + # MCP Servers configuration + # Controls user permissions for MCP (Model Context Protocol) server management + # - use: Allow users to use configured MCP servers + # - create: Allow users to create and manage new MCP servers + # - share: Allow users to share MCP servers with other users + use: false + create: false + share: false # Temporary chat retention period in hours (default: 720, min: 1, max: 8760) # temporaryChatRetention: 1 @@ -291,7 +300,7 @@ endpoints: apiKey: '${OPENROUTER_KEY}' baseURL: 'https://openrouter.ai/api/v1' headers: - x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}' + x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}' models: default: ['meta-llama/llama-3-70b-instruct'] fetch: true @@ -308,9 +317,10 @@ endpoints: apiKey: '${HELICONE_KEY}' baseURL: 'https://ai-gateway.helicone.ai' headers: - x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}' + x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}' models: - default: ['gpt-4o-mini', 'claude-4.5-sonnet', 'llama-3.1-8b-instruct', 'gemini-2.5-flash-lite'] + default: + ['gpt-4o-mini', 'claude-4.5-sonnet', 'llama-3.1-8b-instruct', 'gemini-2.5-flash-lite'] fetch: true titleConvo: true titleModel: 'gpt-4o-mini' diff --git a/packages/api/src/acl/accessControlService.spec.ts b/packages/api/src/acl/accessControlService.spec.ts new file mode 100644 index 0000000000..ad1dcf18ac --- /dev/null +++ b/packages/api/src/acl/accessControlService.spec.ts @@ -0,0 +1,1084 @@ +import mongoose, { Types, Model } from 'mongoose'; +import { createModels, createMethods, RoleBits } from '@librechat/data-schemas'; +import { MongoMemoryServer } from 'mongodb-memory-server'; +import { ResourceType, AccessRoleIds, PrincipalType } from 'librechat-data-provider'; +import { AccessControlService } from './accessControlService'; + +// Mock the logger +jest.mock('@librechat/data-schemas', () => ({ + ...jest.requireActual('@librechat/data-schemas'), + logger: { + error: jest.fn(), + warn: jest.fn(), + debug: jest.fn(), + info: jest.fn(), + }, +})); + +let mongoServer: MongoMemoryServer; +let AclEntry: Model; +let service: AccessControlService; +let dbMethods: ReturnType; + +// Mock getUserPrincipals to control test scenarios +const mockGetUserPrincipals = jest.fn(); + +beforeAll(async () => { + mongoServer = await MongoMemoryServer.create(); + const mongoUri = mongoServer.getUri(); + await mongoose.connect(mongoUri); + + // Initialize all models + createModels(mongoose); + + AclEntry = mongoose.models.AclEntry; + + // Create methods and seed default roles + dbMethods = createMethods(mongoose); + await dbMethods.seedDefaultRoles(); + + // Create service instance + service = new AccessControlService(mongoose); + + // Mock getUserPrincipals in the dbMethods + const originalMethods = service['_dbMethods']; + service['_dbMethods'] = { + ...originalMethods, + getUserPrincipals: mockGetUserPrincipals, + }; +}); + +afterAll(async () => { + await mongoose.disconnect(); + await mongoServer.stop(); +}); + +beforeEach(async () => { + // Clear test data but keep seeded roles + await AclEntry.deleteMany({}); + mockGetUserPrincipals.mockReset(); +}); + +describe('AccessControlService', () => { + // Common test data + const userId = new Types.ObjectId(); + const groupId = new Types.ObjectId(); + const resourceId = new Types.ObjectId(); + const grantedById = new Types.ObjectId(); + + describe('grantPermission', () => { + describe('validation', () => { + test('should throw error for invalid principal type', async () => { + await expect( + service.grantPermission({ + principalType: 'invalid' as PrincipalType, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Invalid principal type: invalid'); + }); + + test('should throw error for missing principalId with user type', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Principal ID is required for user, group, and role principals'); + }); + + test('should throw error for missing principalId with group type', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.GROUP, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Principal ID is required for user, group, and role principals'); + }); + + test('should throw error for missing principalId with role type', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.ROLE, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Principal ID is required for user, group, and role principals'); + }); + + test('should throw error for invalid role ID (empty string)', async () => { + // Empty string is falsy, so it triggers the "principalId required" check first + await expect( + service.grantPermission({ + principalType: PrincipalType.ROLE, + principalId: '', + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Principal ID is required for user, group, and role principals'); + }); + + test('should throw error for invalid role ID (whitespace only)', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.ROLE, + principalId: ' ', + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Invalid role ID:'); + }); + + test('should throw error for invalid user principal ID (non-ObjectId)', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: 'invalid-id', + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Invalid principal ID: invalid-id'); + }); + + test('should throw error for invalid resource ID', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: 'invalid-id', + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Invalid resource ID: invalid-id'); + }); + + test('should throw error for invalid resource type', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: 'invalidType' as ResourceType, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Invalid resourceType: invalidType'); + }); + }); + + describe('role lookup', () => { + test('should throw error for non-existent role', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: 'non_existent_role' as AccessRoleIds, + grantedBy: grantedById, + }), + ).rejects.toThrow('Role non_existent_role not found'); + }); + + test('should throw error for role-resource type mismatch', async () => { + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER, // PromptGroup role for agent resource + grantedBy: grantedById, + }), + ).rejects.toThrow('Role promptGroup_viewer is for promptGroup resources, not agent'); + }); + }); + + describe('successful grant', () => { + test('should grant permission to a user with a role', async () => { + const entry = await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + expect(entry).toBeDefined(); + expect(entry!.principalType).toBe(PrincipalType.USER); + expect(entry!.principalId!.toString()).toBe(userId.toString()); + expect(entry!.resourceType).toBe(ResourceType.AGENT); + expect(entry!.resourceId.toString()).toBe(resourceId.toString()); + expect(entry!.permBits).toBe(RoleBits.VIEWER); + }); + + test('should grant permission to a group with a role', async () => { + const entry = await service.grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + expect(entry).toBeDefined(); + expect(entry!.principalType).toBe(PrincipalType.GROUP); + expect(entry!.principalId!.toString()).toBe(groupId.toString()); + expect(entry!.permBits).toBe(RoleBits.EDITOR); + }); + + test('should grant public permission with a role', async () => { + const entry = await service.grantPermission({ + principalType: PrincipalType.PUBLIC, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + expect(entry).toBeDefined(); + expect(entry!.principalType).toBe(PrincipalType.PUBLIC); + expect(entry!.principalId).toBeUndefined(); + expect(entry!.permBits).toBe(RoleBits.VIEWER); + }); + + test('should grant permission to a role principal', async () => { + const entry = await service.grantPermission({ + principalType: PrincipalType.ROLE, + principalId: 'admin', + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + expect(entry).toBeDefined(); + expect(entry!.principalType).toBe(PrincipalType.ROLE); + expect(entry!.principalId).toBe('admin'); + expect(entry!.permBits).toBe(RoleBits.EDITOR); + }); + + test('should update existing permission when granting to same principal and resource', async () => { + // First grant with viewer role + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + // Then update to editor role + const updated = await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + expect(updated!.permBits).toBe(RoleBits.EDITOR); + + // Verify there's only one entry + const entries = await AclEntry.find({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId, + }); + expect(entries).toHaveLength(1); + }); + }); + }); + + describe('findAccessibleResources', () => { + const resource1 = new Types.ObjectId(); + const resource2 = new Types.ObjectId(); + const resource3 = new Types.ObjectId(); + + beforeEach(async () => { + // User can view resource 1 + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: resource1, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + // User can edit resource 2 + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: resource2, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + // Group can view resource 3 + await service.grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.AGENT, + resourceId: resource3, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + }); + + describe('validation errors', () => { + test('should throw error when requiredPermissions is not a positive number', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + await expect( + service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: 0, + }), + ).rejects.toThrow('requiredPermissions must be a positive number'); + }); + + test('should throw error when requiredPermissions is negative', async () => { + await expect( + service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: -1, + }), + ).rejects.toThrow('requiredPermissions must be a positive number'); + }); + + test('should return empty array for invalid resource type (error is caught)', async () => { + // The service catches invalid resourceType errors and returns empty array + const result = await service.findAccessibleResources({ + userId, + resourceType: 'invalid' as ResourceType, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + }); + + describe('empty principals', () => { + test('should return empty array when no principals found', async () => { + mockGetUserPrincipals.mockResolvedValue([]); + + const result = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + }); + + describe('successful queries', () => { + test('should find resources user can view', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const viewableResources = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: 1, // VIEW + }); + + expect(viewableResources).toHaveLength(2); + const resourceIds = viewableResources.map((id) => id.toString()); + expect(resourceIds).toContain(resource1.toString()); + expect(resourceIds).toContain(resource2.toString()); + }); + + test('should find resources user can edit', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const editableResources = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: 3, // EDIT + }); + + expect(editableResources).toHaveLength(1); + expect(editableResources[0].toString()).toBe(resource2.toString()); + }); + + test('should find resources accessible via group membership', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + ]); + + const viewableResources = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: 1, // VIEW + }); + + expect(viewableResources).toHaveLength(3); + }); + + test('should pass role when provided', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.ROLE, principalId: 'admin' }, + ]); + + await service.findAccessibleResources({ + userId, + role: 'admin', + resourceType: ResourceType.AGENT, + requiredPermissions: 1, + }); + + expect(mockGetUserPrincipals).toHaveBeenCalledWith({ + userId, + role: 'admin', + }); + }); + }); + }); + + describe('findPubliclyAccessibleResources', () => { + const publicResource1 = new Types.ObjectId(); + const publicResource2 = new Types.ObjectId(); + const privateResource = new Types.ObjectId(); + + beforeEach(async () => { + // Public can view resource 1 + await service.grantPermission({ + principalType: PrincipalType.PUBLIC, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId: publicResource1, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + // Public can edit resource 2 + await service.grantPermission({ + principalType: PrincipalType.PUBLIC, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId: publicResource2, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + // Private resource - only user access + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: privateResource, + accessRoleId: AccessRoleIds.AGENT_OWNER, + grantedBy: grantedById, + }); + }); + + describe('validation', () => { + test('should throw error when requiredPermissions is not a positive number', async () => { + await expect( + service.findPubliclyAccessibleResources({ + resourceType: ResourceType.AGENT, + requiredPermissions: 0, + }), + ).rejects.toThrow('requiredPermissions must be a positive number'); + }); + + test('should return empty array for invalid resource type (error is caught)', async () => { + // The service catches invalid resourceType errors and returns empty array + const result = await service.findPubliclyAccessibleResources({ + resourceType: 'invalid' as ResourceType, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + }); + + describe('finding public resources', () => { + test('should find publicly viewable resources', async () => { + const publicResources = await service.findPubliclyAccessibleResources({ + resourceType: ResourceType.AGENT, + requiredPermissions: 1, // VIEW + }); + + expect(publicResources).toHaveLength(2); + const resourceIds = publicResources.map((id) => id.toString()); + expect(resourceIds).toContain(publicResource1.toString()); + expect(resourceIds).toContain(publicResource2.toString()); + expect(resourceIds).not.toContain(privateResource.toString()); + }); + + test('should find publicly editable resources', async () => { + const editableResources = await service.findPubliclyAccessibleResources({ + resourceType: ResourceType.AGENT, + requiredPermissions: 3, // EDIT + }); + + expect(editableResources).toHaveLength(1); + expect(editableResources[0].toString()).toBe(publicResource2.toString()); + }); + + test('should return empty array when no public permissions exist', async () => { + const noPublicResources = await service.findPubliclyAccessibleResources({ + resourceType: ResourceType.PROMPTGROUP, + requiredPermissions: 1, + }); + + expect(noPublicResources).toEqual([]); + }); + }); + }); + + describe('getResourcePermissionsMap', () => { + const resource1 = new Types.ObjectId(); + const resource2 = new Types.ObjectId(); + const resource3 = new Types.ObjectId(); + + beforeEach(async () => { + // User has VIEW on resource1 + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: resource1, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + // User has EDIT on resource2 + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: resource2, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + // Group has EDIT on resource1 (higher permission) + await service.grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.AGENT, + resourceId: resource1, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + // resource3 has no permissions + }); + + describe('empty arrays', () => { + test('should return empty map for empty resourceIds array', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const permissionsMap = await service.getResourcePermissionsMap({ + userId, + role: 'user', + resourceType: ResourceType.AGENT, + resourceIds: [], + }); + + expect(permissionsMap).toBeInstanceOf(Map); + expect(permissionsMap.size).toBe(0); + }); + + test('should throw on invalid resource type', async () => { + await expect( + service.getResourcePermissionsMap({ + userId, + role: 'user', + resourceType: 'invalid' as ResourceType, + resourceIds: [resource1], + }), + ).rejects.toThrow('Invalid resourceType: invalid'); + }); + }); + + describe('batch queries', () => { + test('should get permissions for multiple resources in single query', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.PUBLIC }, + ]); + + const permissionsMap = await service.getResourcePermissionsMap({ + userId, + role: 'user', + resourceType: ResourceType.AGENT, + resourceIds: [resource1, resource2, resource3], + }); + + expect(permissionsMap).toBeInstanceOf(Map); + expect(permissionsMap.size).toBe(2); // resource1 and resource2 + expect(permissionsMap.get(resource1.toString())).toBe(RoleBits.VIEWER); + expect(permissionsMap.get(resource2.toString())).toBe(RoleBits.EDITOR); + expect(permissionsMap.get(resource3.toString())).toBeUndefined(); + }); + + test('should combine permissions from multiple principals', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + ]); + + const permissionsMap = await service.getResourcePermissionsMap({ + userId, + role: 'user', + resourceType: ResourceType.AGENT, + resourceIds: [resource1, resource2], + }); + + expect(permissionsMap.size).toBe(2); + // Resource1 should have VIEW (1) | EDIT (3) = 3 from combined user+group + expect(permissionsMap.get(resource1.toString())).toBe(RoleBits.EDITOR); + expect(permissionsMap.get(resource2.toString())).toBe(RoleBits.EDITOR); + }); + + test('should use role optimization when provided', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.ROLE, principalId: 'admin' }, + ]); + + await service.getResourcePermissionsMap({ + userId, + role: 'admin', + resourceType: ResourceType.AGENT, + resourceIds: [resource1], + }); + + expect(mockGetUserPrincipals).toHaveBeenCalledWith({ userId, role: 'admin' }); + }); + }); + }); + + describe('removeAllPermissions', () => { + const resourceToDelete = new Types.ObjectId(); + + beforeEach(async () => { + // Grant multiple permissions to the resource + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + await service.grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + + await service.grantPermission({ + principalType: PrincipalType.PUBLIC, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + }); + + describe('validation', () => { + test('should throw error for invalid resource type', async () => { + await expect( + service.removeAllPermissions({ + resourceType: 'invalid' as ResourceType, + resourceId: resourceToDelete, + }), + ).rejects.toThrow('Invalid resourceType: invalid'); + }); + + test('should throw error for invalid resource ID', async () => { + await expect( + service.removeAllPermissions({ + resourceType: ResourceType.AGENT, + resourceId: 'invalid-id', + }), + ).rejects.toThrow('Invalid resource ID: invalid-id'); + }); + }); + + describe('cleanup', () => { + test('should delete all permissions for a resource', async () => { + // Verify permissions exist + const beforeCount = await AclEntry.countDocuments({ + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + }); + expect(beforeCount).toBe(3); + + const result = await service.removeAllPermissions({ + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + }); + + expect(result.acknowledged).toBe(true); + expect(result.deletedCount).toBe(3); + + // Verify permissions are deleted + const afterCount = await AclEntry.countDocuments({ + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + }); + expect(afterCount).toBe(0); + }); + + test('should return result even when no permissions existed', async () => { + const newResourceId = new Types.ObjectId(); + + const result = await service.removeAllPermissions({ + resourceType: ResourceType.AGENT, + resourceId: newResourceId, + }); + + expect(result.acknowledged).toBe(true); + expect(result.deletedCount).toBe(0); + }); + + test('should not affect other resources permissions', async () => { + const otherResource = new Types.ObjectId(); + + // Grant permission to another resource + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: otherResource, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + await service.removeAllPermissions({ + resourceType: ResourceType.AGENT, + resourceId: resourceToDelete, + }); + + // Verify other resource still has permissions + const otherResourcePerms = await AclEntry.countDocuments({ + resourceType: ResourceType.AGENT, + resourceId: otherResource, + }); + expect(otherResourcePerms).toBe(1); + }); + }); + }); + + describe('checkPermission', () => { + const testResource = new Types.ObjectId(); + const groupResource = new Types.ObjectId(); + + beforeEach(async () => { + // User has VIEW on testResource + await service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.AGENT, + resourceId: testResource, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + // Group has EDIT on groupResource + await service.grantPermission({ + principalType: PrincipalType.GROUP, + principalId: groupId, + resourceType: ResourceType.AGENT, + resourceId: groupResource, + accessRoleId: AccessRoleIds.AGENT_EDITOR, + grantedBy: grantedById, + }); + }); + + describe('validation', () => { + test('should throw error when requiredPermission is not a positive number', async () => { + await expect( + service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: testResource, + requiredPermission: 0, + }), + ).rejects.toThrow('requiredPermission must be a positive number'); + }); + + test('should throw error when requiredPermission is negative', async () => { + await expect( + service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: testResource, + requiredPermission: -1, + }), + ).rejects.toThrow('requiredPermission must be a positive number'); + }); + + test('should return false for invalid resource type (error is caught)', async () => { + // The service catches invalid resourceType errors and returns false + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: 'invalid' as ResourceType, + resourceId: testResource, + requiredPermission: 1, + }); + + expect(hasPermission).toBe(false); + }); + }); + + describe('permission scenarios', () => { + test('should return true when user has required permission', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: testResource, + requiredPermission: 1, // VIEW + }); + + expect(hasPermission).toBe(true); + }); + + test('should return false when user lacks required permission', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: testResource, + requiredPermission: 3, // EDIT + }); + + expect(hasPermission).toBe(false); + }); + + test('should return false when no principals found', async () => { + mockGetUserPrincipals.mockResolvedValue([]); + + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: testResource, + requiredPermission: 1, + }); + + expect(hasPermission).toBe(false); + }); + + test('should check permission via group membership', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + ]); + + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: groupResource, + requiredPermission: 1, // VIEW (editor includes view) + }); + + expect(hasPermission).toBe(true); + }); + + test('should return false for non-existent resource', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + ]); + + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: new Types.ObjectId(), + requiredPermission: 1, + }); + + expect(hasPermission).toBe(false); + }); + + test('should pass role when provided for optimization', async () => { + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.ROLE, principalId: 'admin' }, + ]); + + await service.checkPermission({ + userId: userId.toString(), + role: 'admin', + resourceType: ResourceType.AGENT, + resourceId: testResource, + requiredPermission: 1, + }); + + expect(mockGetUserPrincipals).toHaveBeenCalledWith({ + userId: userId.toString(), + role: 'admin', + }); + }); + }); + + describe('public access', () => { + test('should check permission for public access', async () => { + const publicResource = new Types.ObjectId(); + + await service.grantPermission({ + principalType: PrincipalType.PUBLIC, + principalId: null, + resourceType: ResourceType.AGENT, + resourceId: publicResource, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }); + + mockGetUserPrincipals.mockResolvedValue([ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.PUBLIC }, + ]); + + const hasPermission = await service.checkPermission({ + userId: userId.toString(), + resourceType: ResourceType.AGENT, + resourceId: publicResource, + requiredPermission: 1, + }); + + expect(hasPermission).toBe(true); + }); + }); + }); + + describe('validateResourceType (via public methods)', () => { + test('should accept AGENT resource type', async () => { + mockGetUserPrincipals.mockResolvedValue([]); + + const result = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.AGENT, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + + test('should accept PROMPTGROUP resource type', async () => { + mockGetUserPrincipals.mockResolvedValue([]); + + const result = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.PROMPTGROUP, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + + test('should accept MCPSERVER resource type', async () => { + mockGetUserPrincipals.mockResolvedValue([]); + + const result = await service.findAccessibleResources({ + userId, + resourceType: ResourceType.MCPSERVER, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + + test('should return empty array for unknown resource type (error caught)', async () => { + // findAccessibleResources catches invalid resource type and returns empty array + const result = await service.findAccessibleResources({ + userId, + resourceType: 'unknown_type' as ResourceType, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + + test('should return empty array for empty string resource type (error caught)', async () => { + // findAccessibleResources catches invalid resource type and returns empty array + const result = await service.findAccessibleResources({ + userId, + resourceType: '' as ResourceType, + requiredPermissions: 1, + }); + + expect(result).toEqual([]); + }); + + test('should throw for invalid resource type in grantPermission', async () => { + // grantPermission throws directly for invalid resource type + await expect( + service.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: 'unknown_type' as ResourceType, + resourceId, + accessRoleId: AccessRoleIds.AGENT_VIEWER, + grantedBy: grantedById, + }), + ).rejects.toThrow('Invalid resourceType: unknown_type'); + }); + + test('should throw for empty string resource type in removeAllPermissions', async () => { + // removeAllPermissions throws directly for invalid resource type + await expect( + service.removeAllPermissions({ + resourceType: '' as ResourceType, + resourceId, + }), + ).rejects.toThrow('Invalid resourceType:'); + }); + }); +}); diff --git a/packages/api/src/acl/accessControlService.ts b/packages/api/src/acl/accessControlService.ts new file mode 100644 index 0000000000..98bc939c24 --- /dev/null +++ b/packages/api/src/acl/accessControlService.ts @@ -0,0 +1,360 @@ +import { Types, ClientSession, DeleteResult } from 'mongoose'; +import { AllMethods, IAclEntry, createMethods, logger } from '@librechat/data-schemas'; +import { AccessRoleIds, PrincipalType, ResourceType } from 'librechat-data-provider'; + +export class AccessControlService { + private _dbMethods: AllMethods; + private _aclModel; + constructor(mongoose: typeof import('mongoose')) { + this._dbMethods = createMethods(mongoose); + this._aclModel = mongoose.models.AclEntry; + } + + /** + * Grant a permission to a principal for a resource using a role + * @param {Object} params - Parameters for granting role-based permission + * @param {string} params.principalType - PrincipalType.USER, PrincipalType.GROUP, or PrincipalType.PUBLIC + * @param {string|mongoose.Types.ObjectId|null} params.principalId - The ID of the principal (null for PrincipalType.PUBLIC) + * @param {string} params.resourceType - Type of resource (e.g., 'agent') + * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource + * @param {string} params.accessRoleId - The ID of the role (e.g., AccessRoleIds.AGENT_VIEWER, AccessRoleIds.AGENT_EDITOR) + * @param {Types.ObjectId} params.grantedBy - User ID granting the permission + * @param {ClientSession} [params.session] - Optional MongoDB session for transactions + * @returns {Promise} The created or updated ACL entry + */ + public async grantPermission(args: { + principalType: PrincipalType; + principalId: string | Types.ObjectId | null; + resourceType: string; + resourceId: string | Types.ObjectId; + accessRoleId: AccessRoleIds; + + grantedBy: string | Types.ObjectId; + session?: ClientSession; + roleId?: string | Types.ObjectId; + }): Promise { + const { + principalType, + principalId, + resourceType, + resourceId, + accessRoleId, + grantedBy, + session, + } = args; + try { + if (!Object.values(PrincipalType).includes(principalType)) { + throw new Error(`Invalid principal type: ${principalType}`); + } + + if (principalType !== PrincipalType.PUBLIC && !principalId) { + throw new Error('Principal ID is required for user, group, and role principals'); + } + + // Validate principalId based on type + if (principalId && principalType === PrincipalType.ROLE) { + // Role IDs are strings (role names) + if (typeof principalId !== 'string' || principalId.trim().length === 0) { + throw new Error(`Invalid role ID: ${principalId}`); + } + } else if ( + principalType && + principalType !== PrincipalType.PUBLIC && + (!principalId || !Types.ObjectId.isValid(principalId)) + ) { + // User and Group IDs must be valid ObjectIds + throw new Error(`Invalid principal ID: ${principalId}`); + } + + if (!resourceId || !Types.ObjectId.isValid(resourceId)) { + throw new Error(`Invalid resource ID: ${resourceId}`); + } + + this.validateResourceType(resourceType as ResourceType); + + // Get the role to determine permission bits + const role = await this._dbMethods.findRoleByIdentifier(accessRoleId); + if (!role) { + throw new Error(`Role ${accessRoleId} not found`); + } + + // Ensure the role is for the correct resource type + if (role.resourceType !== resourceType) { + throw new Error( + `Role ${accessRoleId} is for ${role.resourceType} resources, not ${resourceType}`, + ); + } + return await this._dbMethods.grantPermission( + principalType, + principalId, + resourceType, + resourceId, + role.permBits, + grantedBy, + session, + role._id, + ); + } catch (error) { + logger.error( + `[PermissionService.grantPermission] Error: ${error instanceof Error ? error.message : ''}`, + error, + ); + throw error; + } + } + + /** + * Find all resources of a specific type that a user has access to with specific permission bits + * @param {Object} params - Parameters for finding accessible resources + * @param {string | Types.ObjectId} params.userId - The ID of the user + * @param {string} [params.role] - Optional user role (if not provided, will query from DB) + * @param {string} params.resourceType - Type of resource (e.g., 'agent') + * @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT) + * @returns {Promise} Array of resource IDs + */ + public async findAccessibleResources({ + userId, + role, + resourceType, + requiredPermissions, + }: { + userId: string | Types.ObjectId; + role?: string; + resourceType: string; + requiredPermissions: number; + }): Promise { + try { + if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) { + throw new Error('requiredPermissions must be a positive number'); + } + + this.validateResourceType(resourceType as ResourceType); + + // Get all principals for the user (user + groups + public) + const principalsList = await this._dbMethods.getUserPrincipals({ userId, role }); + + if (principalsList.length === 0) { + return []; + } + return await this._dbMethods.findAccessibleResources( + principalsList, + resourceType, + requiredPermissions, + ); + } catch (error) { + if (error instanceof Error) { + logger.error(`[PermissionService.findAccessibleResources] Error: ${error.message}`); + // Re-throw validation errors + if (error.message.includes('requiredPermissions must be')) { + throw error; + } + } + return []; + } + } + + /** + * Find all publicly accessible resources of a specific type + * @param {Object} params - Parameters for finding publicly accessible resources + * @param {ResourceType} params.resourceType - Type of resource (e.g., 'agent') + * @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT) + * @returns {Promise} Array of resource IDs + */ + public async findPubliclyAccessibleResources({ + resourceType, + requiredPermissions, + }: { + resourceType: ResourceType; + requiredPermissions: number; + }): Promise { + try { + if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) { + throw new Error('requiredPermissions must be a positive number'); + } + + this.validateResourceType(resourceType); + + // Find all public ACL entries where the public principal has at least the required permission bits + const entries = await this._aclModel + .find({ + principalType: PrincipalType.PUBLIC, + resourceType, + permBits: { $bitsAllSet: requiredPermissions }, + }) + .distinct('resourceId'); + + return entries; + } catch (error) { + if (error instanceof Error) { + logger.error(`[PermissionService.findPubliclyAccessibleResources] Error: ${error.message}`); + // Re-throw validation errors + if (error.message.includes('requiredPermissions must be')) { + throw error; + } + } + return []; + } + } + + /** + * Get effective permissions for multiple resources in a batch operation + * Returns map of resourceId → effectivePermissionBits + * + * @param {Object} params - Parameters + * @param {string|mongoose.Types.ObjectId} params.userId - User ID + * @param {string} [params.role] - User role (for group membership) + * @param {string} params.resourceType - Resource type (must be valid ResourceType) + * @param {Array} params.resourceIds - Array of resource IDs + * @returns {Promise>} Map of resourceId string → permission bits + * @throws {Error} If resourceType is invalid + */ + public async getResourcePermissionsMap({ + userId, + role, + resourceType, + resourceIds, + }: { + userId: string | Types.ObjectId; + role: string; + resourceType: ResourceType; + resourceIds: (string | Types.ObjectId)[]; + }): Promise> { + // Validate resource type - throw on invalid type + this.validateResourceType(resourceType); + + // Handle empty input + if (!Array.isArray(resourceIds) || resourceIds.length === 0) { + return new Map(); + } + + try { + // Get user principals (user + groups + public) + const principals = await this._dbMethods.getUserPrincipals({ userId, role }); + + // Use batch method from aclEntry + const permissionsMap = await this._dbMethods.getEffectivePermissionsForResources( + principals, + resourceType, + resourceIds, + ); + + logger.debug( + `[PermissionService.getResourcePermissionsMap] Computed permissions for ${resourceIds.length} resources, ${permissionsMap.size} have permissions`, + ); + + return permissionsMap; + } catch (error) { + if (error instanceof Error) { + logger.error( + `[PermissionService.getResourcePermissionsMap] Error: ${error.message}`, + error, + ); + } + throw error; + } + } + + /** + * Remove all permissions for a resource (cleanup when resource is deleted) + * @param {Object} params - Parameters for removing all permissions + * @param {string} params.resourceType - Type of resource (e.g., 'agent', 'prompt') + * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource + * @returns {Promise} Result of the deletion operation + */ + public async removeAllPermissions({ + resourceType, + resourceId, + }: { + resourceType: ResourceType; + resourceId: string | Types.ObjectId; + }): Promise { + try { + this.validateResourceType(resourceType); + + if (!resourceId || !Types.ObjectId.isValid(resourceId)) { + throw new Error(`Invalid resource ID: ${resourceId}`); + } + + const result = await this._aclModel.deleteMany({ + resourceType, + resourceId, + }); + + return result; + } catch (error) { + if (error instanceof Error) { + logger.error(`[PermissionService.removeAllPermissions] Error: ${error.message}`); + } + throw error; + } + } + + /** + * Check if a user has specific permission bits on a resource + * @param {Object} params - Parameters for checking permissions + * @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user + * @param {string} [params.role] - Optional user role (if not provided, will query from DB) + * @param {string} params.resourceType - Type of resource (e.g., 'agent') + * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource + * @param {number} params.requiredPermissions - The permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT) + * @returns {Promise} Whether the user has the required permission bits + */ + public async checkPermission({ + userId, + role, + resourceType, + resourceId, + requiredPermission, + }: { + userId: string; + role?: string; + resourceType: ResourceType; + resourceId: string | Types.ObjectId; + requiredPermission: number; + }): Promise { + try { + if (typeof requiredPermission !== 'number' || requiredPermission < 1) { + throw new Error('requiredPermission must be a positive number'); + } + + this.validateResourceType(resourceType); + + // Get all principals for the user (user + groups + public) + const principals = await this._dbMethods.getUserPrincipals({ userId, role }); + + if (principals.length === 0) { + return false; + } + + return await this._dbMethods.hasPermission( + principals, + resourceType, + resourceId, + requiredPermission, + ); + } catch (error) { + if (error instanceof Error) { + logger.error(`[PermissionService.checkPermission] Error: ${error.message}`); + // Re-throw validation errors + if (error.message.includes('requiredPermission must be')) { + throw error; + } + } + return false; + } + } + + /** + * Validates that the resourceType is one of the supported enum values + * @param {string} resourceType - The resource type to validate + * @throws {Error} If resourceType is not valid + */ + private validateResourceType(resourceType: ResourceType): void { + const validTypes = Object.values(ResourceType); + if (!validTypes.includes(resourceType)) { + throw new Error( + `Invalid resourceType: ${resourceType}. Valid types: ${validTypes.join(', ')}`, + ); + } + } +} diff --git a/packages/api/src/app/permissions.spec.ts b/packages/api/src/app/permissions.spec.ts index 6eeb70d7d7..9890ad5299 100644 --- a/packages/api/src/app/permissions.spec.ts +++ b/packages/api/src/app/permissions.spec.ts @@ -74,6 +74,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -103,6 +108,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); @@ -182,6 +192,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: false }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -211,6 +226,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: false }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); @@ -290,6 +310,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -319,6 +344,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); @@ -411,6 +441,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -440,6 +475,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: false }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); @@ -519,6 +559,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -548,6 +593,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); @@ -630,6 +680,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -653,6 +708,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); @@ -751,6 +811,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: false, + }, }; const expectedPermissionsForAdmin = { @@ -777,6 +842,11 @@ describe('updateInterfacePermissions - permissions', () => { }, [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true }, [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }; expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2); diff --git a/packages/api/src/app/permissions.ts b/packages/api/src/app/permissions.ts index eaaa5c9705..eb93cd4e7d 100644 --- a/packages/api/src/app/permissions.ts +++ b/packages/api/src/app/permissions.ts @@ -41,6 +41,8 @@ function hasExplicitConfig( return interfaceConfig?.fileSearch !== undefined; case PermissionTypes.FILE_CITATIONS: return interfaceConfig?.fileCitations !== undefined; + case PermissionTypes.MCP_SERVERS: + return interfaceConfig?.mcpServers !== undefined; default: return false; } @@ -256,6 +258,23 @@ export async function updateInterfacePermissions({ defaults.fileCitations, ), }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: getPermissionValue( + loadedInterface.mcpServers?.use, + defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.USE], + defaults.mcpServers?.use, + ), + [Permissions.CREATE]: getPermissionValue( + loadedInterface.mcpServers?.create, + defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.CREATE], + defaults.mcpServers?.create, + ), + [Permissions.SHARE]: getPermissionValue( + loadedInterface.mcpServers?.share, + defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.SHARE], + defaults.mcpServers?.share, + ), + }, }; // Check and add each permission type if needed diff --git a/packages/api/src/mcp/ConnectionsRepository.ts b/packages/api/src/mcp/ConnectionsRepository.ts index 4e2ad5bc9d..e2c48c88ab 100644 --- a/packages/api/src/mcp/ConnectionsRepository.ts +++ b/packages/api/src/mcp/ConnectionsRepository.ts @@ -50,12 +50,12 @@ export class ConnectionsRepository { } if (existingConnection) { // Check if config was cached/updated since connection was created - if (serverConfig.lastUpdatedAt && existingConnection.isStale(serverConfig.lastUpdatedAt)) { + if (serverConfig.updatedAt && existingConnection.isStale(serverConfig.updatedAt)) { logger.info( `${this.prefix(serverName)} Existing connection for ${serverName} is outdated. Recreating a new connection.`, { connectionCreated: new Date(existingConnection.createdAt).toISOString(), - configCachedAt: new Date(serverConfig.lastUpdatedAt).toISOString(), + configCachedAt: new Date(serverConfig.updatedAt).toISOString(), }, ); diff --git a/packages/api/src/mcp/UserConnectionManager.ts b/packages/api/src/mcp/UserConnectionManager.ts index a775b4d78d..1b85b69eac 100644 --- a/packages/api/src/mcp/UserConnectionManager.ts +++ b/packages/api/src/mcp/UserConnectionManager.ts @@ -79,7 +79,7 @@ export abstract class UserConnectionManager { } connection = undefined; // Force creation of a new connection } else if (connection) { - if (!config || (config.lastUpdatedAt && connection.isStale(config.lastUpdatedAt))) { + if (!config || (config.updatedAt && connection.isStale(config.updatedAt))) { if (config) { logger.info( `[MCP][User: ${userId}][${serverName}] Config was updated, disconnecting stale connection`, diff --git a/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts b/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts index bc382ebe39..e722b38375 100644 --- a/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts +++ b/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts @@ -145,10 +145,10 @@ describe('ConnectionsRepository', () => { isStale: jest.fn().mockReturnValue(true), } as unknown as jest.Mocked; - // Update server config with lastUpdatedAt timestamp + // Update server config with updatedAt timestamp const configWithCachedAt = { ...mockServerConfigs.server1, - lastUpdatedAt: configCachedAt, + updatedAt: configCachedAt, }; mockRegistry.getServerConfig.mockResolvedValueOnce(configWithCachedAt); @@ -156,7 +156,7 @@ describe('ConnectionsRepository', () => { const result = await repository.get('server1'); - // Verify stale check was called with the config's lastUpdatedAt timestamp + // Verify stale check was called with the config's updatedAt timestamp expect(staleConnection.isStale).toHaveBeenCalledWith(configCachedAt); // Verify old connection was disconnected @@ -190,10 +190,10 @@ describe('ConnectionsRepository', () => { isStale: jest.fn().mockReturnValue(false), } as unknown as jest.Mocked; - // Update server config with lastUpdatedAt timestamp + // Update server config with updatedAt timestamp const configWithCachedAt = { ...mockServerConfigs.server1, - lastUpdatedAt: configCachedAt, + updatedAt: configCachedAt, }; mockRegistry.getServerConfig.mockResolvedValueOnce(configWithCachedAt); diff --git a/packages/api/src/mcp/registry/MCPServersInitializer.ts b/packages/api/src/mcp/registry/MCPServersInitializer.ts index 15f6a42f4e..38ea986e4e 100644 --- a/packages/api/src/mcp/registry/MCPServersInitializer.ts +++ b/packages/api/src/mcp/registry/MCPServersInitializer.ts @@ -59,12 +59,12 @@ export class MCPServersInitializer { /** Initializes a single server with all its metadata and adds it to appropriate collections */ public static async initializeServer(serverName: string, rawConfig: t.MCPOptions): Promise { try { - const config = await MCPServersRegistry.getInstance().addServer( + const result = await MCPServersRegistry.getInstance().addServer( serverName, rawConfig, 'CACHE', ); - MCPServersInitializer.logParsedConfig(serverName, config); + MCPServersInitializer.logParsedConfig(serverName, result.config); } catch (error) { logger.error(`${MCPServersInitializer.prefix(serverName)} Failed to initialize:`, error); } diff --git a/packages/api/src/mcp/registry/MCPServersRegistry.ts b/packages/api/src/mcp/registry/MCPServersRegistry.ts index b12afdeeb5..cf44041f48 100644 --- a/packages/api/src/mcp/registry/MCPServersRegistry.ts +++ b/packages/api/src/mcp/registry/MCPServersRegistry.ts @@ -76,11 +76,10 @@ export class MCPServersRegistry { config: t.MCPOptions, storageLocation: 'CACHE' | 'DB', userId?: string, - ): Promise { + ): Promise { const configRepo = this.getConfigRepository(storageLocation); const parsedConfig = await MCPServerInspector.inspect(serverName, config); - await configRepo.add(serverName, parsedConfig, userId); - return parsedConfig; + return await configRepo.add(serverName, parsedConfig, userId); } public async updateServer( @@ -88,10 +87,11 @@ export class MCPServersRegistry { config: t.MCPOptions, storageLocation: 'CACHE' | 'DB', userId?: string, - ): Promise { + ): Promise { const configRepo = this.getConfigRepository(storageLocation); const parsedConfig = await MCPServerInspector.inspect(serverName, config); await configRepo.update(serverName, parsedConfig, userId); + return parsedConfig; } // TODO: This is currently used to determine if a server requires OAuth. However, this info can diff --git a/packages/api/src/mcp/registry/ServerConfigsRepositoryInterface.ts b/packages/api/src/mcp/registry/ServerConfigsRepositoryInterface.ts index 9f8b2e25fe..1c913dd1a3 100644 --- a/packages/api/src/mcp/registry/ServerConfigsRepositoryInterface.ts +++ b/packages/api/src/mcp/registry/ServerConfigsRepositoryInterface.ts @@ -1,10 +1,10 @@ -import { ParsedServerConfig } from '~/mcp/types'; +import { ParsedServerConfig, AddServerResult } from '~/mcp/types'; /** * Interface for future DB implementation */ export interface IServerConfigsRepositoryInterface { - add(serverName: string, config: ParsedServerConfig, userId?: string): Promise; + add(serverName: string, config: ParsedServerConfig, userId?: string): Promise; //ACL Entry check if update is possible update(serverName: string, config: ParsedServerConfig, userId?: string): Promise; diff --git a/packages/api/src/mcp/registry/__tests__/MCPServersInitializer.cache_integration.spec.ts b/packages/api/src/mcp/registry/__tests__/MCPServersInitializer.cache_integration.spec.ts index 4119b17ea0..908817a84c 100644 --- a/packages/api/src/mcp/registry/__tests__/MCPServersInitializer.cache_integration.spec.ts +++ b/packages/api/src/mcp/registry/__tests__/MCPServersInitializer.cache_integration.spec.ts @@ -8,6 +8,18 @@ jest.mock('~/cluster', () => ({ isLeader: jest.fn().mockResolvedValue(true), })); +// Mock ServerConfigsDB to avoid needing MongoDB for cache integration tests +jest.mock('../db/ServerConfigsDB', () => ({ + ServerConfigsDB: jest.fn().mockImplementation(() => ({ + get: jest.fn().mockResolvedValue(undefined), + getAll: jest.fn().mockResolvedValue({}), + add: jest.fn().mockResolvedValue({ config: {}, isNew: true }), + update: jest.fn().mockResolvedValue(undefined), + remove: jest.fn().mockResolvedValue(undefined), + reset: jest.fn().mockResolvedValue(undefined), + })), +})); + describe('MCPServersInitializer Redis Integration Tests', () => { let MCPServersInitializer: typeof import('../MCPServersInitializer').MCPServersInitializer; let MCPServersRegistry: typeof import('../MCPServersRegistry').MCPServersRegistry; diff --git a/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.cache_integration.spec.ts b/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.cache_integration.spec.ts index 7e0accf687..c2a3a0ae09 100644 --- a/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.cache_integration.spec.ts +++ b/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.cache_integration.spec.ts @@ -1,8 +1,22 @@ import { expect } from '@playwright/test'; -import { MongoMemoryServer } from 'mongodb-memory-server'; import type * as t from '~/mcp/types'; import type { MCPServersRegistry as MCPServersRegistryType } from '../MCPServersRegistry'; +// Mock ServerConfigsDB to avoid needing MongoDB for cache integration tests +jest.mock('../db/ServerConfigsDB', () => ({ + ServerConfigsDB: jest.fn().mockImplementation(() => ({ + get: jest.fn().mockResolvedValue(undefined), + getAll: jest.fn().mockResolvedValue({}), + add: jest.fn().mockResolvedValue({ + serverName: 'mock-server', + config: {} as t.ParsedServerConfig, + }), + update: jest.fn().mockResolvedValue(undefined), + remove: jest.fn().mockResolvedValue(undefined), + reset: jest.fn().mockResolvedValue(undefined), + })), +})); + /** * Integration tests for MCPServersRegistry using Redis-backed cache. * For unit tests using in-memory cache, see MCPServersRegistry.test.ts @@ -18,7 +32,6 @@ describe('MCPServersRegistry Redis Integration Tests', () => { let LeaderElection: typeof import('~/cluster/LeaderElection').LeaderElection; let leaderInstance: InstanceType; let MCPServerInspector: typeof import('../MCPServerInspector').MCPServerInspector; - let mongoServer: MongoMemoryServer; const testParsedConfig: t.ParsedServerConfig = { type: 'stdio', @@ -60,21 +73,12 @@ describe('MCPServersRegistry Redis Integration Tests', () => { const leaderElectionModule = await import('~/cluster/LeaderElection'); const inspectorModule = await import('../MCPServerInspector'); const mongoose = await import('mongoose'); - const { userSchema } = await import('@librechat/data-schemas'); MCPServersRegistry = registryModule.MCPServersRegistry; keyvRedisClient = redisClients.keyvRedisClient; LeaderElection = leaderElectionModule.LeaderElection; MCPServerInspector = inspectorModule.MCPServerInspector; - // Set up MongoDB with MongoMemoryServer for db methods - mongoServer = await MongoMemoryServer.create(); - const mongoUri = mongoServer.getUri(); - if (!mongoose.default.models.User) { - mongoose.default.model('User', userSchema); - } - await mongoose.default.connect(mongoUri); - // Reset singleton and create new instance with mongoose (MCPServersRegistry as unknown as { instance: undefined }).instance = undefined; MCPServersRegistry.createInstance(mongoose.default); @@ -135,11 +139,6 @@ describe('MCPServersRegistry Redis Integration Tests', () => { // Close Redis connection if (keyvRedisClient?.isOpen) await keyvRedisClient.disconnect(); - - // Close MongoDB connection and stop memory server - const mongoose = await import('mongoose'); - await mongoose.default.disconnect(); - if (mongoServer) await mongoServer.stop(); }); // Tests for the old privateServersCache API have been removed diff --git a/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.test.ts b/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.test.ts index 54956ec340..9db43c4f87 100644 --- a/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.test.ts +++ b/packages/api/src/mcp/registry/__tests__/MCPServersRegistry.test.ts @@ -49,7 +49,7 @@ describe('MCPServersRegistry', () => { }, }, }, - lastUpdatedAt: FIXED_TIME, + updatedAt: FIXED_TIME, }; beforeAll(() => { jest.useFakeTimers(); diff --git a/packages/api/src/mcp/registry/__tests__/ServerConfigsDB.test.ts b/packages/api/src/mcp/registry/__tests__/ServerConfigsDB.test.ts new file mode 100644 index 0000000000..ea2dc48285 --- /dev/null +++ b/packages/api/src/mcp/registry/__tests__/ServerConfigsDB.test.ts @@ -0,0 +1,844 @@ +import mongoose from 'mongoose'; +import { MongoMemoryServer } from 'mongodb-memory-server'; +import { + AccessRoleIds, + PermissionBits, + PrincipalType, + PrincipalModel, + ResourceType, +} from 'librechat-data-provider'; +import { createModels, createMethods, RoleBits } from '@librechat/data-schemas'; +import { ServerConfigsDB } from '../db/ServerConfigsDB'; +import type { ParsedServerConfig } from '~/mcp/types'; + +// Mock the logger +jest.mock('@librechat/data-schemas', () => ({ + ...jest.requireActual('@librechat/data-schemas'), + logger: { + error: jest.fn(), + warn: jest.fn(), + debug: jest.fn(), + info: jest.fn(), + }, +})); + +let mongoServer: MongoMemoryServer; +let serverConfigsDB: ServerConfigsDB; + +// Test data helpers +const createSSEConfig = ( + title?: string, + description?: string, + oauth?: { client_secret?: string; client_id?: string }, +): ParsedServerConfig => ({ + type: 'sse', + url: 'https://example.com/mcp', + ...(title && { title }), + ...(description && { description }), + ...(oauth && { oauth }), +}); + +let dbMethods: ReturnType; + +beforeAll(async () => { + mongoServer = await MongoMemoryServer.create(); + const mongoUri = mongoServer.getUri(); + await mongoose.connect(mongoUri); + + // Initialize all models + createModels(mongoose); + + // Create methods and seed default roles + dbMethods = createMethods(mongoose); + await dbMethods.seedDefaultRoles(); + + serverConfigsDB = new ServerConfigsDB(mongoose); +}); + +afterAll(async () => { + await mongoose.disconnect(); + await mongoServer.stop(); +}); + +beforeEach(async () => { + // Clear collections except AccessRole + await mongoose.models.MCPServer.deleteMany({}); + await mongoose.models.Agent.deleteMany({}); + await mongoose.models.AclEntry.deleteMany({}); +}); + +describe('ServerConfigsDB', () => { + const userId = new mongoose.Types.ObjectId().toString(); + const userId2 = new mongoose.Types.ObjectId().toString(); + + describe('constructor', () => { + it('should throw error when mongoose is not provided', () => { + expect(() => new ServerConfigsDB(null as unknown as typeof mongoose)).toThrow( + 'ServerConfigsDB requires mongoose instance', + ); + }); + + it('should create instance when mongoose is provided', () => { + const instance = new ServerConfigsDB(mongoose); + expect(instance).toBeInstanceOf(ServerConfigsDB); + }); + }); + + describe('add()', () => { + it('should throw error when userId is not provided', async () => { + await expect(serverConfigsDB.add('test-server', createSSEConfig('Test'))).rejects.toThrow( + 'User ID is required to create a database-stored MCP server', + ); + }); + + it('should create server and return AddServerResult with generated serverName', async () => { + const config = createSSEConfig('My Test Server', 'A test server'); + const result = await serverConfigsDB.add('temp-name', config, userId); + + expect(result).toBeDefined(); + expect(result.serverName).toBe('my-test-server'); + expect(result.config).toMatchObject({ + type: 'sse', + url: 'https://example.com/mcp', + title: 'My Test Server', + description: 'A test server', + }); + expect(result.config.dbId).toBeDefined(); + }); + + it('should grant owner ACL to the user', async () => { + const config = createSSEConfig('ACL Test Server'); + const result = await serverConfigsDB.add('temp-name', config, userId); + + // Verify ACL entry was created + const aclEntry = await mongoose.models.AclEntry.findOne({ + principalType: PrincipalType.USER, + principalId: new mongoose.Types.ObjectId(userId), + resourceType: ResourceType.MCPSERVER, + }); + + expect(aclEntry).toBeDefined(); + expect(aclEntry!.resourceId.toString()).toBe(result.config.dbId); + // OWNER role has VIEW | EDIT | DELETE | SHARE = 15 + expect(aclEntry!.permBits).toBe(RoleBits.OWNER); + }); + + it('should include dbId and updatedAt in returned config', async () => { + const config = createSSEConfig('Metadata Test'); + const result = await serverConfigsDB.add('temp-name', config, userId); + + expect(result.config.dbId).toBeDefined(); + expect(typeof result.config.dbId).toBe('string'); + expect(result.config.updatedAt).toBeDefined(); + expect(typeof result.config.updatedAt).toBe('number'); + }); + }); + + describe('update()', () => { + it('should throw error when userId is not provided', async () => { + await expect(serverConfigsDB.update('test-server', createSSEConfig('Test'))).rejects.toThrow( + 'User ID is required to update a database-stored MCP server', + ); + }); + + it('should update server config', async () => { + const config = createSSEConfig('Original Title', 'Original description'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + const updatedConfig = createSSEConfig('Original Title', 'Updated description'); + await serverConfigsDB.update(created.serverName, updatedConfig, userId); + + const retrieved = await serverConfigsDB.get(created.serverName, userId); + expect(retrieved?.description).toBe('Updated description'); + }); + + it('should preserve oauth.client_secret when not provided in update', async () => { + const config = createSSEConfig('OAuth Server', 'Test', { + client_id: 'my-client-id', + client_secret: 'super-secret-key', + }); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Update without client_secret + const updatedConfig = createSSEConfig('OAuth Server', 'Updated description', { + client_id: 'my-client-id', + // client_secret not provided + }); + await serverConfigsDB.update(created.serverName, updatedConfig, userId); + + // Verify the secret is preserved + const MCPServer = mongoose.models.MCPServer; + const server = await MCPServer.findOne({ serverName: created.serverName }); + expect(server?.config?.oauth?.client_secret).toBe('super-secret-key'); + }); + + it('should allow updating oauth.client_secret when explicitly provided', async () => { + const config = createSSEConfig('OAuth Server 2', 'Test', { + client_id: 'my-client-id', + client_secret: 'old-secret', + }); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Update with new client_secret + const updatedConfig = createSSEConfig('OAuth Server 2', 'Updated', { + client_id: 'my-client-id', + client_secret: 'new-secret', + }); + await serverConfigsDB.update(created.serverName, updatedConfig, userId); + + // Verify the secret is updated + const MCPServer = mongoose.models.MCPServer; + const server = await MCPServer.findOne({ serverName: created.serverName }); + expect(server?.config?.oauth?.client_secret).toBe('new-secret'); + }); + }); + + describe('remove()', () => { + it('should delete server from database', async () => { + const config = createSSEConfig('Delete Test'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + await serverConfigsDB.remove(created.serverName, userId); + + const MCPServer = mongoose.models.MCPServer; + const server = await MCPServer.findOne({ serverName: created.serverName }); + expect(server).toBeNull(); + }); + + it('should remove all ACL entries for the server', async () => { + const config = createSSEConfig('ACL Delete Test'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Verify ACL exists before deletion + let aclEntries = await mongoose.models.AclEntry.find({ + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created.config.dbId!), + }); + expect(aclEntries.length).toBeGreaterThan(0); + + await serverConfigsDB.remove(created.serverName, userId); + + // Verify ACL entries are removed + aclEntries = await mongoose.models.AclEntry.find({ + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created.config.dbId!), + }); + expect(aclEntries.length).toBe(0); + }); + + it('should handle non-existent server gracefully', async () => { + // Should not throw + await expect(serverConfigsDB.remove('non-existent-server', userId)).resolves.toBeUndefined(); + }); + }); + + describe('get()', () => { + describe('public access (no userId)', () => { + it('should return undefined for non-public server without userId', async () => { + const config = createSSEConfig('Private Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + const result = await serverConfigsDB.get(created.serverName); + expect(result).toBeUndefined(); + }); + + it('should return server when publicly shared', async () => { + const config = createSSEConfig('Public Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Grant public access + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.PUBLIC, + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created.config.dbId!), + permBits: PermissionBits.VIEW, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.get(created.serverName); + expect(result).toBeDefined(); + expect(result?.title).toBe('Public Server'); + }); + + it('should return server with consumeOnly when accessible via public agent', async () => { + const config = createSSEConfig('Agent MCP Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Create an agent that has this MCP server + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'test-agent-id', + name: 'Test Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + // Grant public access to the agent + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.PUBLIC, + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.get(created.serverName); + expect(result).toBeDefined(); + expect(result?.consumeOnly).toBe(true); + }); + }); + + describe('user direct access', () => { + it('should return server when user has direct VIEW permission', async () => { + const config = createSSEConfig('Direct Access Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // The owner should have access + const result = await serverConfigsDB.get(created.serverName, userId); + expect(result).toBeDefined(); + expect(result?.title).toBe('Direct Access Server'); + expect(result?.consumeOnly).toBeUndefined(); + }); + + it('should return undefined when user has no permission', async () => { + const config = createSSEConfig('Restricted Server'); + await serverConfigsDB.add('temp-name', config, userId); + + // Different user without access + const result = await serverConfigsDB.get('restricted-server', userId2); + expect(result).toBeUndefined(); + }); + + it('should return server when user is granted VIEW permission', async () => { + const config = createSSEConfig('Shared Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Grant VIEW permission to userId2 + const role = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created.config.dbId!), + permBits: PermissionBits.VIEW, + roleId: role!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeDefined(); + expect(result?.title).toBe('Shared Server'); + }); + }); + + describe('agent-based access (consumeOnly)', () => { + it('should return server with consumeOnly when user has access via agent', async () => { + const config = createSSEConfig('Agent Accessible Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Create an agent with this MCP server + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'agent-for-user2', + name: 'Agent for User 2', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + // Grant agent access to userId2 + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeDefined(); + expect(result?.consumeOnly).toBe(true); + expect(result?.title).toBe('Agent Accessible Server'); + }); + + it('should prefer direct access over agent access (no consumeOnly)', async () => { + const config = createSSEConfig('Both Access Server'); + const created = await serverConfigsDB.add('temp-name', config, userId); + + // Create an agent with this MCP server + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'agent-both-access', + name: 'Agent Both Access', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + // Grant userId2 both direct MCP access and agent access + const mcpRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created.config.dbId!), + permBits: PermissionBits.VIEW, + roleId: mcpRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + // Direct access should take precedence (no consumeOnly) + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeDefined(); + expect(result?.consumeOnly).toBeUndefined(); + }); + }); + + it('should return undefined for non-existent server', async () => { + const result = await serverConfigsDB.get('non-existent-server', userId); + expect(result).toBeUndefined(); + }); + }); + + describe('getAll()', () => { + describe('public access (no userId)', () => { + it('should return empty object when no public servers exist', async () => { + const config = createSSEConfig('Private Server'); + await serverConfigsDB.add('temp-name', config, userId); + + const result = await serverConfigsDB.getAll(); + expect(Object.keys(result)).toHaveLength(0); + }); + + it('should return only publicly shared servers', async () => { + const config1 = createSSEConfig('Public Server 1'); + const config2 = createSSEConfig('Private Server'); + const created1 = await serverConfigsDB.add('temp1', config1, userId); + await serverConfigsDB.add('temp2', config2, userId); + + // Make first server public + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.PUBLIC, + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created1.config.dbId!), + permBits: PermissionBits.VIEW, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.getAll(); + expect(Object.keys(result)).toHaveLength(1); + expect(result['public-server-1']).toBeDefined(); + }); + }); + + describe('user access', () => { + it('should return servers directly accessible by user', async () => { + const config1 = createSSEConfig('User Server 1'); + const config2 = createSSEConfig('User Server 2'); + await serverConfigsDB.add('temp1', config1, userId); + await serverConfigsDB.add('temp2', config2, userId); + + // Create server by different user (not accessible) + await serverConfigsDB.add('temp3', createSSEConfig('Other User Server'), userId2); + + const result = await serverConfigsDB.getAll(userId); + expect(Object.keys(result)).toHaveLength(2); + expect(result['user-server-1']).toBeDefined(); + expect(result['user-server-2']).toBeDefined(); + expect(result['other-user-server']).toBeUndefined(); + }); + + it('should include agent-accessible servers with consumeOnly flag', async () => { + const config1 = createSSEConfig('Direct Server'); + const config2 = createSSEConfig('Agent Only Server'); + await serverConfigsDB.add('temp1', config1, userId); + const created2 = await serverConfigsDB.add('temp2', config2, userId); + + // Create an agent with second MCP server, accessible by userId2 + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'getall-agent', + name: 'GetAll Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created2.serverName], + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.getAll(userId2); + expect(Object.keys(result)).toHaveLength(1); + expect(result['agent-only-server']).toBeDefined(); + expect(result['agent-only-server'].consumeOnly).toBe(true); + }); + + it('should deduplicate servers with both direct and agent access', async () => { + const config = createSSEConfig('Dedup Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + // Create an agent with this MCP server + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'dedup-agent', + name: 'Dedup Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + // Grant userId2 both direct MCP access and agent access + const mcpRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.MCPSERVER, + resourceId: new mongoose.Types.ObjectId(created.config.dbId!), + permBits: PermissionBits.VIEW, + roleId: mcpRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.getAll(userId2); + // Should only have one entry (deduplicated) + expect(Object.keys(result)).toHaveLength(1); + // Direct access takes precedence - no consumeOnly + expect(result['dedup-server']).toBeDefined(); + expect(result['dedup-server'].consumeOnly).toBeUndefined(); + }); + + it('should merge servers from multiple agents', async () => { + const config1 = createSSEConfig('Agent1 Server'); + const config2 = createSSEConfig('Agent2 Server'); + const created1 = await serverConfigsDB.add('temp1', config1, userId); + const created2 = await serverConfigsDB.add('temp2', config2, userId); + + // Create two agents, each with a different MCP server + const Agent = mongoose.models.Agent; + const agent1 = await Agent.create({ + id: 'multi-agent-1', + name: 'Multi Agent 1', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created1.serverName], + }); + + const agent2 = await Agent.create({ + id: 'multi-agent-2', + name: 'Multi Agent 2', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created2.serverName], + }); + + // Grant userId2 access to both agents + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + + await mongoose.models.AclEntry.create([ + { + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent1._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }, + { + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent2._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }, + ]); + + const result = await serverConfigsDB.getAll(userId2); + expect(Object.keys(result)).toHaveLength(2); + expect(result['agent1-server']?.consumeOnly).toBe(true); + expect(result['agent2-server']?.consumeOnly).toBe(true); + }); + }); + }); + + describe('hasAccessViaAgent() - private method integration', () => { + it('should return false when no agents exist', async () => { + const config = createSSEConfig('No Agent Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + // Access via get() which uses hasAccessViaAgent internally + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeUndefined(); + }); + + it('should return false when agent has MCP but user has no agent access', async () => { + const config = createSSEConfig('Inaccessible Agent Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + // Create an agent with this MCP server but no ACL for userId2 + const Agent = mongoose.models.Agent; + await Agent.create({ + id: 'inaccessible-agent', + name: 'Inaccessible Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeUndefined(); + }); + + it('should return true when user has VIEW access to agent with the MCP server', async () => { + const config = createSSEConfig('Accessible Agent Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'accessible-agent', + name: 'Accessible Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeDefined(); + expect(result?.consumeOnly).toBe(true); + }); + + it('should handle multiple agents - one accessible, one not', async () => { + const config = createSSEConfig('Multi Agent Access Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + const Agent = mongoose.models.Agent; + + // Agent 1: has MCP server but no user access + await Agent.create({ + id: 'no-access-agent', + name: 'No Access Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + // Agent 2: has MCP server AND user has access + const accessibleAgent = await Agent.create({ + id: 'has-access-agent', + name: 'Has Access Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [created.serverName], + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: accessibleAgent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeDefined(); + expect(result?.consumeOnly).toBe(true); + }); + }); + + describe('reset()', () => { + it('should be a no-op and not throw', async () => { + // Create a server first + const config = createSSEConfig('Reset Test'); + await serverConfigsDB.add('temp', config, userId); + + // Reset should complete without error + await expect(serverConfigsDB.reset()).resolves.toBeUndefined(); + + // Server should still exist (reset is no-op for DB storage) + const result = await serverConfigsDB.get('reset-test', userId); + expect(result).toBeDefined(); + }); + }); + + describe('mapDBServerToParsedConfig()', () => { + it('should include dbId from _id', async () => { + const config = createSSEConfig('Map Test'); + const created = await serverConfigsDB.add('temp', config, userId); + + expect(created.config.dbId).toBeDefined(); + expect(typeof created.config.dbId).toBe('string'); + expect(mongoose.Types.ObjectId.isValid(created.config.dbId!)).toBe(true); + }); + + it('should include updatedAt as timestamp', async () => { + const config = createSSEConfig('Timestamp Test'); + const created = await serverConfigsDB.add('temp', config, userId); + + expect(created.config.updatedAt).toBeDefined(); + expect(typeof created.config.updatedAt).toBe('number'); + expect(created.config.updatedAt).toBeLessThanOrEqual(Date.now()); + }); + }); + + describe('edge cases', () => { + it('should handle server with empty mcpServerNames in agent', async () => { + const config = createSSEConfig('Edge Case Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + // Create an agent with empty mcpServerNames + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'empty-mcp-agent', + name: 'Empty MCP Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + mcpServerNames: [], // Empty array + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + // Should not find the server via agent (empty mcpServerNames) + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeUndefined(); + }); + + it('should handle agent without mcpServerNames field', async () => { + const config = createSSEConfig('No Field Server'); + const created = await serverConfigsDB.add('temp', config, userId); + + // Create an agent without mcpServerNames field (uses default) + const Agent = mongoose.models.Agent; + const agent = await Agent.create({ + id: 'no-field-agent', + name: 'No Field Agent', + provider: 'openai', + model: 'gpt-4', + author: new mongoose.Types.ObjectId(userId), + // mcpServerNames not specified - should default to [] + }); + + const agentRole = await mongoose.models.AccessRole.findOne({ + accessRoleId: AccessRoleIds.AGENT_VIEWER, + }); + await mongoose.models.AclEntry.create({ + principalType: PrincipalType.USER, + principalModel: PrincipalModel.USER, + principalId: new mongoose.Types.ObjectId(userId2), + resourceType: ResourceType.AGENT, + resourceId: agent._id, + permBits: PermissionBits.VIEW, + roleId: agentRole!._id, + grantedBy: new mongoose.Types.ObjectId(userId), + }); + + // Should not find the server via agent + const result = await serverConfigsDB.get(created.serverName, userId2); + expect(result).toBeUndefined(); + }); + }); +}); diff --git a/packages/api/src/mcp/registry/cache/ServerConfigsCacheInMemory.ts b/packages/api/src/mcp/registry/cache/ServerConfigsCacheInMemory.ts index 0e03bf8dff..384c477756 100644 --- a/packages/api/src/mcp/registry/cache/ServerConfigsCacheInMemory.ts +++ b/packages/api/src/mcp/registry/cache/ServerConfigsCacheInMemory.ts @@ -1,4 +1,4 @@ -import { ParsedServerConfig } from '~/mcp/types'; +import { ParsedServerConfig, AddServerResult } from '~/mcp/types'; /** * In-memory implementation of MCP server configurations cache for single-instance deployments. @@ -10,12 +10,14 @@ import { ParsedServerConfig } from '~/mcp/types'; export class ServerConfigsCacheInMemory { private readonly cache: Map = new Map(); - public async add(serverName: string, config: ParsedServerConfig): Promise { + public async add(serverName: string, config: ParsedServerConfig): Promise { if (this.cache.has(serverName)) throw new Error( `Server "${serverName}" already exists in cache. Use update() to modify existing configs.`, ); - this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() }); + const storedConfig = { ...config, updatedAt: Date.now() }; + this.cache.set(serverName, storedConfig); + return { serverName, config: storedConfig }; } public async update(serverName: string, config: ParsedServerConfig): Promise { @@ -23,7 +25,7 @@ export class ServerConfigsCacheInMemory { throw new Error( `Server "${serverName}" does not exist in cache. Use add() to create new configs.`, ); - this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() }); + this.cache.set(serverName, { ...config, updatedAt: Date.now() }); } public async remove(serverName: string): Promise { diff --git a/packages/api/src/mcp/registry/cache/ServerConfigsCacheRedis.ts b/packages/api/src/mcp/registry/cache/ServerConfigsCacheRedis.ts index f5126a640f..4532afa251 100644 --- a/packages/api/src/mcp/registry/cache/ServerConfigsCacheRedis.ts +++ b/packages/api/src/mcp/registry/cache/ServerConfigsCacheRedis.ts @@ -1,7 +1,7 @@ import type Keyv from 'keyv'; import { fromPairs } from 'lodash'; import { standardCache, keyvRedisClient } from '~/cache'; -import { ParsedServerConfig } from '~/mcp/types'; +import { ParsedServerConfig, AddServerResult } from '~/mcp/types'; import { BaseRegistryCache } from './BaseRegistryCache'; import { IServerConfigsRepositoryInterface } from '../ServerConfigsRepositoryInterface'; @@ -25,15 +25,17 @@ export class ServerConfigsCacheRedis this.cache = standardCache(`${this.PREFIX}::Servers::${namespace}`); } - public async add(serverName: string, config: ParsedServerConfig): Promise { + public async add(serverName: string, config: ParsedServerConfig): Promise { if (this.leaderOnly) await this.leaderCheck(`add ${this.namespace} MCP servers`); const exists = await this.cache.has(serverName); if (exists) throw new Error( `Server "${serverName}" already exists in cache. Use update() to modify existing configs.`, ); - const success = await this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() }); + const storedConfig = { ...config, updatedAt: Date.now() }; + const success = await this.cache.set(serverName, storedConfig); this.successCheck(`add ${this.namespace} server "${serverName}"`, success); + return { serverName, config: storedConfig }; } public async update(serverName: string, config: ParsedServerConfig): Promise { @@ -43,7 +45,7 @@ export class ServerConfigsCacheRedis throw new Error( `Server "${serverName}" does not exist in cache. Use add() to create new configs.`, ); - const success = await this.cache.set(serverName, { ...config, lastUpdatedAt: Date.now() }); + const success = await this.cache.set(serverName, { ...config, updatedAt: Date.now() }); this.successCheck(`update ${this.namespace} server "${serverName}"`, success); } diff --git a/packages/api/src/mcp/registry/cache/__tests__/ServerConfigsCacheInMemory.test.ts b/packages/api/src/mcp/registry/cache/__tests__/ServerConfigsCacheInMemory.test.ts index 96536d9615..97d30caca0 100644 --- a/packages/api/src/mcp/registry/cache/__tests__/ServerConfigsCacheInMemory.test.ts +++ b/packages/api/src/mcp/registry/cache/__tests__/ServerConfigsCacheInMemory.test.ts @@ -15,14 +15,14 @@ describe('ServerConfigsCacheInMemory Integration Tests', () => { command: 'node', args: ['server1.js'], env: { TEST: 'value1' }, - lastUpdatedAt: FIXED_TIME, + updatedAt: FIXED_TIME, }; const mockConfig2: ParsedServerConfig = { command: 'python', args: ['server2.py'], env: { TEST: 'value2' }, - lastUpdatedAt: FIXED_TIME, + updatedAt: FIXED_TIME, }; const mockConfig3: ParsedServerConfig = { @@ -30,7 +30,7 @@ describe('ServerConfigsCacheInMemory Integration Tests', () => { args: ['server3.js'], url: 'http://localhost:3000', requiresOAuth: true, - lastUpdatedAt: FIXED_TIME, + updatedAt: FIXED_TIME, }; beforeAll(async () => { diff --git a/packages/api/src/mcp/registry/db/ServerConfigsDB.ts b/packages/api/src/mcp/registry/db/ServerConfigsDB.ts index 81540e6e87..e6ef642d16 100644 --- a/packages/api/src/mcp/registry/db/ServerConfigsDB.ts +++ b/packages/api/src/mcp/registry/db/ServerConfigsDB.ts @@ -1,7 +1,14 @@ -/* eslint-disable @typescript-eslint/no-unused-vars */ -import { AllMethods, createMethods, logger } from '@librechat/data-schemas'; +import { Types } from 'mongoose'; +import { + AccessRoleIds, + PermissionBits, + PrincipalType, + ResourceType, +} from 'librechat-data-provider'; +import { AllMethods, MCPServerDocument, createMethods, logger } from '@librechat/data-schemas'; import type { IServerConfigsRepositoryInterface } from '~/mcp/registry/ServerConfigsRepositoryInterface'; -import type { ParsedServerConfig } from '~/mcp/types'; +import { AccessControlService } from '~/acl/accessControlService'; +import type { ParsedServerConfig, AddServerResult } from '~/mcp/types'; /** * DB backed config storage @@ -10,35 +17,211 @@ import type { ParsedServerConfig } from '~/mcp/types'; */ export class ServerConfigsDB implements IServerConfigsRepositoryInterface { private _dbMethods: AllMethods; + private _aclService: AccessControlService; + private _mongoose: typeof import('mongoose'); + constructor(mongoose: typeof import('mongoose')) { if (!mongoose) { throw new Error('ServerConfigsDB requires mongoose instance'); } + this._mongoose = mongoose; this._dbMethods = createMethods(mongoose); + this._aclService = new AccessControlService(mongoose); } - public async add(serverName: string, config: ParsedServerConfig, userId?: string): Promise { - logger.debug('ServerConfigsDB add not yet implemented'); - return; + /** + * Checks if user has access to an MCP server via an agent they can VIEW. + * @param serverName - The MCP server name to check + * @param userId - The user ID (optional - if not provided, checks publicly accessible agents) + * @returns true if user has VIEW access to at least one agent that has this MCP server + */ + private async hasAccessViaAgent(serverName: string, userId?: string): Promise { + let accessibleAgentIds: Types.ObjectId[]; + + if (!userId) { + // Get publicly accessible agents + accessibleAgentIds = await this._aclService.findPubliclyAccessibleResources({ + resourceType: ResourceType.AGENT, + requiredPermissions: PermissionBits.VIEW, + }); + } else { + // Get user-accessible agents + accessibleAgentIds = await this._aclService.findAccessibleResources({ + userId, + requiredPermissions: PermissionBits.VIEW, + resourceType: ResourceType.AGENT, + }); + } + + if (accessibleAgentIds.length === 0) { + return false; + } + + // Check if any accessible agent has this MCP server + const Agent = this._mongoose.model('Agent'); + const exists = await Agent.exists({ + _id: { $in: accessibleAgentIds }, + mcpServerNames: serverName, + }); + + return exists !== null; } + /** + * Creates a new MCP server and grants owner permissions to the user. + * @param serverName - Temporary server name (not persisted) will be replaced by the nano id generated by the db method + * @param config - Server configuration to store + * @param userId - ID of the user creating the server (required) + * @returns The created server result with serverName and config (including dbId) + * @throws Error if userId is not provided + */ + public async add( + serverName: string, + config: ParsedServerConfig, + userId?: string, + ): Promise { + logger.debug( + `[ServerConfigsDB.add] Starting Creating server with temp servername: ${serverName} for the user with the ID ${userId}`, + ); + if (!userId) { + throw new Error( + '[ServerConfigsDB.add] User ID is required to create a database-stored MCP server.', + ); + } + const createdServer = await this._dbMethods.createMCPServer({ config: config, author: userId }); + await this._aclService.grantPermission({ + principalType: PrincipalType.USER, + principalId: userId, + resourceType: ResourceType.MCPSERVER, + resourceId: createdServer._id, + accessRoleId: AccessRoleIds.MCPSERVER_OWNER, + grantedBy: userId, + }); + return { + serverName: createdServer.serverName, + config: this.mapDBServerToParsedConfig(createdServer), + }; + } + + /** + * + * @param serverName mcp server unique identifier "serverName" + * @param config new Configuration to update + * @param userId user id required to update DB server config + */ public async update( serverName: string, config: ParsedServerConfig, userId?: string, ): Promise { - logger.debug('ServerConfigsDB update not yet implemented'); - return; + if (!userId) { + throw new Error( + '[ServerConfigsDB.update] User ID is required to update a database-stored MCP server.', + ); + } + + // Preserve sensitive fields (like oauth.client_secret) that may not be sent from the client + // Create a copy to avoid mutating the input parameter + let mergedConfig = config; + const existingServer = await this._dbMethods.findMCPServerById(serverName); + if (existingServer?.config?.oauth?.client_secret && !config.oauth?.client_secret) { + mergedConfig = { + ...config, + oauth: { + ...config.oauth, + client_secret: existingServer.config.oauth.client_secret, + }, + }; + } + + // specific user permissions for action permission will be handled in the controller calling the update method of the registry + await this._dbMethods.updateMCPServer(serverName, { config: mergedConfig }); } + /** + * Deletes an MCP server and removes all associated ACL entries. + * @param serverName - The serverName of the server to remove + * @param userId - User performing the deletion (for logging) + */ public async remove(serverName: string, userId?: string): Promise { - logger.debug('ServerConfigsDB remove not yet implemented'); - return; + logger.debug(`[ServerConfigsDB.remove] removing ${serverName}. UserId: ${userId}`); + const deletedServer = await this._dbMethods.deleteMCPServer(serverName); + if (deletedServer && deletedServer._id) { + logger.debug(`[ServerConfigsDB.remove] removing all permissions entries of ${serverName}.`); + await this._aclService.removeAllPermissions({ + resourceType: ResourceType.MCPSERVER, + resourceId: deletedServer._id!, + }); + return; + } + logger.warn(`[ServerConfigsDB.remove] server with serverName ${serverName} does not exist`); } + /** + * Retrieves a single MCP server configuration by its serverName. + * @param serverName - The serverName of the server to retrieve + * @param userId - the user id provide the scope of the request. If the user Id is not provided, only publicly visible servers are returned. + * @returns The parsed server config or undefined if not found. If accessed via agent, consumeOnly will be true. + */ public async get(serverName: string, userId?: string): Promise { - logger.debug('ServerConfigsDB get not yet implemented'); - return; + const server = await this._dbMethods.findMCPServerById(serverName); + if (!server) return undefined; + + // Check public access if no userId + if (!userId) { + const directlyAccessibleMCPIds = ( + await this._aclService.findPubliclyAccessibleResources({ + resourceType: ResourceType.MCPSERVER, + requiredPermissions: PermissionBits.VIEW, + }) + ).map((id) => id.toString()); + if (directlyAccessibleMCPIds.indexOf(server._id.toString()) > -1) { + return this.mapDBServerToParsedConfig(server); + } + + // Check access via publicly accessible agents + const hasAgentAccess = await this.hasAccessViaAgent(serverName); + if (hasAgentAccess) { + logger.debug( + `[ServerConfigsDB.get] accessing ${serverName} via public agent (consumeOnly)`, + ); + return { + ...this.mapDBServerToParsedConfig(server), + consumeOnly: true, + }; + } + + return undefined; + } + + // Check direct user access + const userHasDirectAccess = await this._aclService.checkPermission({ + userId, + resourceType: ResourceType.MCPSERVER, + requiredPermission: PermissionBits.VIEW, + resourceId: server._id, + }); + + if (userHasDirectAccess) { + logger.debug( + `[ServerConfigsDB.get] getting ${serverName} for user with the UserId: ${userId}`, + ); + return this.mapDBServerToParsedConfig(server); + } + + // Check agent access (user can VIEW an agent that has this MCP server) + const hasAgentAccess = await this.hasAccessViaAgent(serverName, userId); + if (hasAgentAccess) { + logger.debug( + `[ServerConfigsDB.get] user ${userId} accessing ${serverName} via agent (consumeOnly)`, + ); + return { + ...this.mapDBServerToParsedConfig(server), + consumeOnly: true, + }; + } + + return undefined; } /** @@ -47,13 +230,109 @@ export class ServerConfigsDB implements IServerConfigsRepositoryInterface { * @returns record of parsed configs */ public async getAll(userId?: string): Promise> { - // TODO: Implement DB-backed config retrieval - logger.debug('[ServerConfigsDB] getAll not yet implemented', { userId }); - return {}; + // 1. Get directly accessible MCP IDs + let directlyAccessibleMCPIds: Types.ObjectId[] = []; + if (!userId) { + logger.debug(`[ServerConfigsDB.getAll] fetching all publicly shared mcp servers`); + directlyAccessibleMCPIds = await this._aclService.findPubliclyAccessibleResources({ + resourceType: ResourceType.MCPSERVER, + requiredPermissions: PermissionBits.VIEW, + }); + } else { + logger.debug( + `[ServerConfigsDB.getAll] fetching mcp servers directly shared with the user with ID: ${userId}`, + ); + directlyAccessibleMCPIds = await this._aclService.findAccessibleResources({ + userId, + requiredPermissions: PermissionBits.VIEW, + resourceType: ResourceType.MCPSERVER, + }); + } + + // 2. Get agent-accessible MCP server names + let agentMCPServerNames: string[] = []; + let accessibleAgentIds: Types.ObjectId[] = []; + + if (!userId) { + // Get publicly accessible agents + accessibleAgentIds = await this._aclService.findPubliclyAccessibleResources({ + resourceType: ResourceType.AGENT, + requiredPermissions: PermissionBits.VIEW, + }); + } else { + // Get user-accessible agents + accessibleAgentIds = await this._aclService.findAccessibleResources({ + userId, + requiredPermissions: PermissionBits.VIEW, + resourceType: ResourceType.AGENT, + }); + } + + if (accessibleAgentIds.length > 0) { + // Efficient query: get agents with non-empty mcpServerNames + const Agent = this._mongoose.model('Agent'); + const agentsWithMCP = await Agent.find( + { + _id: { $in: accessibleAgentIds }, + mcpServerNames: { $exists: true, $not: { $size: 0 } }, + }, + { mcpServerNames: 1 }, + ).lean(); + + // Flatten and dedupe server names + agentMCPServerNames = [ + ...new Set( + // eslint-disable-next-line @typescript-eslint/no-explicit-any + agentsWithMCP.flatMap((a: any) => a.mcpServerNames || []), + ), + ]; + } + + // 3. Fetch directly accessible MCP servers + const directResults = await this._dbMethods.getListMCPServersByIds({ + ids: directlyAccessibleMCPIds, + }); + + // 4. Build result with direct access servers + const parsedConfigs: Record = {}; + const directServerNames = new Set(); + + for (const s of directResults.data || []) { + parsedConfigs[s.serverName] = this.mapDBServerToParsedConfig(s); + directServerNames.add(s.serverName); + } + + // 5. Fetch agent-accessible servers (excluding already direct) + const agentOnlyServerNames = agentMCPServerNames.filter((name) => !directServerNames.has(name)); + + if (agentOnlyServerNames.length > 0) { + const agentServers = await this._dbMethods.getListMCPServersByNames({ + names: agentOnlyServerNames, + }); + + for (const s of agentServers.data || []) { + parsedConfigs[s.serverName] = { + ...this.mapDBServerToParsedConfig(s), + consumeOnly: true, + }; + } + } + + return parsedConfigs; } + /** No-op for DB storage; logs a warning if called. */ public async reset(): Promise { logger.warn('Attempt to reset the DB config storage'); return; } + + /** Maps a MongoDB server document to the ParsedServerConfig format. */ + private mapDBServerToParsedConfig(serverDBDoc: MCPServerDocument): ParsedServerConfig { + return { + ...serverDBDoc.config, + dbId: (serverDBDoc._id as Types.ObjectId).toString(), + updatedAt: serverDBDoc.updatedAt?.getTime(), + }; + } } diff --git a/packages/api/src/mcp/types/index.ts b/packages/api/src/mcp/types/index.ts index 0b6b2dbec7..346d6338e5 100644 --- a/packages/api/src/mcp/types/index.ts +++ b/packages/api/src/mcp/types/index.ts @@ -153,8 +153,15 @@ export type ParsedServerConfig = MCPOptions & { tools?: string; toolFunctions?: LCAvailableTools; initDuration?: number; - lastUpdatedAt?: number; + updatedAt?: number; dbId?: string; + /** True if access is only via agent (not directly shared with user) */ + consumeOnly?: boolean; +}; + +export type AddServerResult = { + serverName: string; + config: ParsedServerConfig; }; export interface BasicConnectionOptions { diff --git a/packages/api/src/mcp/utils.ts b/packages/api/src/mcp/utils.ts index 447754031e..fbd8ed7c95 100644 --- a/packages/api/src/mcp/utils.ts +++ b/packages/api/src/mcp/utils.ts @@ -45,3 +45,30 @@ export function sanitizeUrlForLogging(url: string | URL): string { return '[invalid URL]'; } } + +/** + * Escapes special regex characters in a string so they are treated literally. + * @param str - The string to escape + * @returns The escaped string safe for use in a regex pattern + */ +export function escapeRegex(str: string): string { + return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); +} + +/** + * Generates a URL-friendly server name from a title. + * Converts to lowercase, replaces spaces with hyphens, removes special characters. + * @param title - The display title to convert + * @returns A slug suitable for use as serverName (e.g., "GitHub MCP Tool" → "github-mcp-tool") + */ +export function generateServerNameFromTitle(title: string): string { + const slug = title + .toLowerCase() + .trim() + .replace(/[^a-z0-9\s-]/g, '') // Remove special chars except spaces and hyphens + .replace(/\s+/g, '-') // Replace spaces with hyphens + .replace(/-+/g, '-') // Remove consecutive hyphens + .replace(/^-|-$/g, ''); // Trim leading/trailing hyphens + + return slug || 'mcp-server'; // Fallback if empty +} diff --git a/packages/client/src/components/MultiSelect.tsx b/packages/client/src/components/MultiSelect.tsx index 8fa60137ea..66efe92b1a 100644 --- a/packages/client/src/components/MultiSelect.tsx +++ b/packages/client/src/components/MultiSelect.tsx @@ -11,12 +11,26 @@ import { import './AnimatePopover.css'; import { cn } from '~/utils'; +type MultiSelectItem = T | { label: string; value: T }; + +function getItemValue(item: MultiSelectItem): T { + return typeof item === 'string' ? item : item.value; +} + +function getItemLabel(item: MultiSelectItem): string { + return typeof item === 'string' ? item : item.label; +} + interface MultiSelectProps { - items: T[]; + items: MultiSelectItem[]; label?: string; placeholder?: string; onSelectedValuesChange?: (values: T[]) => void; - renderSelectedValues?: (values: T[], placeholder?: string) => React.ReactNode; + renderSelectedValues?: ( + values: T[], + placeholder?: string, + items?: MultiSelectItem[], + ) => React.ReactNode; className?: string; itemClassName?: string; labelClassName?: string; @@ -33,11 +47,22 @@ interface MultiSelectProps { ) => React.ReactNode; } -function defaultRender(values: T[], placeholder?: string) { +function defaultRender( + values: T[], + placeholder?: string, + items?: MultiSelectItem[], +) { if (values.length === 0) { return placeholder || 'Select...'; } if (values.length === 1) { + // Find the item to get its label + if (items) { + const item = items.find((item) => getItemValue(item) === values[0]); + if (item) { + return getItemLabel(item); + } + } return values[0]; } return `${values.length} items selected`; @@ -90,7 +115,7 @@ export default function MultiSelect({ > {selectIcon && {selectIcon as React.JSX.Element}} - {renderSelectedValues(selectedValues, placeholder)} + {renderSelectedValues(selectedValues, placeholder, items)} @@ -109,11 +134,13 @@ export default function MultiSelect({ popoverClassName, )} > - {items.map((value) => { + {items.map((item) => { + const value = getItemValue(item); + const label = getItemLabel(item); const defaultContent = ( <> - {value} + {label} ); const isCurrentItemSelected = selectedValues.includes(value); diff --git a/packages/client/tsconfig.json b/packages/client/tsconfig.json index 447cb1e66a..c487529285 100644 --- a/packages/client/tsconfig.json +++ b/packages/client/tsconfig.json @@ -8,6 +8,7 @@ "declaration": true, "declarationMap": true, "declarationDir": "./dist/types", + "sourceMap": true, "esModuleInterop": true, "allowSyntheticDefaultImports": true, "strict": true, diff --git a/packages/data-provider/src/accessPermissions.ts b/packages/data-provider/src/accessPermissions.ts index 3c5a232c65..5fa288e4b3 100644 --- a/packages/data-provider/src/accessPermissions.ts +++ b/packages/data-provider/src/accessPermissions.ts @@ -45,6 +45,7 @@ export type TAccessLevel = 'none' | 'viewer' | 'editor' | 'owner'; export enum ResourceType { AGENT = 'agent', PROMPTGROUP = 'promptGroup', + MCPSERVER = 'mcpServer', } /** @@ -71,6 +72,9 @@ export enum AccessRoleIds { PROMPTGROUP_VIEWER = 'promptGroup_viewer', PROMPTGROUP_EDITOR = 'promptGroup_editor', PROMPTGROUP_OWNER = 'promptGroup_owner', + MCPSERVER_VIEWER = 'mcpServer_viewer', + MCPSERVER_EDITOR = 'mcpServer_editor', + MCPSERVER_OWNER = 'mcpServer_owner', } // ===== ZOD SCHEMAS ===== @@ -269,6 +273,12 @@ export const effectivePermissionsResponseSchema = z.object({ */ export type TEffectivePermissionsResponse = z.infer; +/** + * All effective permissions response type + * Map of resourceId to permissionBits for all accessible resources + */ +export type TAllEffectivePermissionsResponse = Record; + // ===== UTILITY TYPES ===== /** diff --git a/packages/data-provider/src/api-endpoints.ts b/packages/data-provider/src/api-endpoints.ts index 417375386d..aa97a75303 100644 --- a/packages/data-provider/src/api-endpoints.ts +++ b/packages/data-provider/src/api-endpoints.ts @@ -231,6 +231,8 @@ export const mcp = { servers: `${BASE_URL}/api/mcp/servers`, }; +export const mcpServer = (serverName: string) => `${BASE_URL}/api/mcp/servers/${serverName}`; + export const revertAgentVersion = (agent_id: string) => `${agents({ path: `${agent_id}/revert` })}`; export const files = () => `${BASE_URL}/api/files`; @@ -319,6 +321,7 @@ export const updateMemoryPermissions = (roleName: string) => `${getRole(roleName export const updateAgentPermissions = (roleName: string) => `${getRole(roleName)}/agents`; export const updatePeoplePickerPermissions = (roleName: string) => `${getRole(roleName)}/people-picker`; +export const updateMCPServersPermissions = (roleName: string) => `${getRole(roleName)}/mcp-servers`; export const updateMarketplacePermissions = (roleName: string) => `${getRole(roleName)}/marketplace`; @@ -383,6 +386,9 @@ export const updateResourcePermissions = (resourceType: ResourceType, resourceId export const getEffectivePermissions = (resourceType: ResourceType, resourceId: string) => `${BASE_URL}/api/permissions/${resourceType}/${resourceId}/effective`; +export const getAllEffectivePermissions = (resourceType: ResourceType) => + `${BASE_URL}/api/permissions/${resourceType}/effective/all`; + // SharePoint Graph API Token export const graphToken = (scopes: string) => `${BASE_URL}/api/auth/graph-token?scopes=${encodeURIComponent(scopes)}`; diff --git a/packages/data-provider/src/config.ts b/packages/data-provider/src/config.ts index 1604e8588b..580aa1ac66 100644 --- a/packages/data-provider/src/config.ts +++ b/packages/data-provider/src/config.ts @@ -515,9 +515,14 @@ const termsOfServiceSchema = z.object({ export type TTermsOfService = z.infer; -const mcpServersSchema = z.object({ - placeholder: z.string().optional(), -}); +const mcpServersSchema = z + .object({ + placeholder: z.string().optional(), + use: z.boolean().optional(), + create: z.boolean().optional(), + share: z.boolean().optional(), + }) + .optional(); export type TMcpServersConfig = z.infer; @@ -583,6 +588,11 @@ export const interfaceSchema = z marketplace: { use: false, }, + mcpServers: { + use: true, + create: true, + share: false, + }, fileSearch: true, fileCitations: true, }); @@ -675,6 +685,7 @@ export type TStartupConfig = { chatMenu?: boolean; isOAuth?: boolean; startup?: boolean; + iconPath?: string; } >; mcpPlaceholder?: string; diff --git a/packages/data-provider/src/data-service.ts b/packages/data-provider/src/data-service.ts index 88ad31db0c..21d5251388 100644 --- a/packages/data-provider/src/data-service.ts +++ b/packages/data-provider/src/data-service.ts @@ -565,6 +565,39 @@ export const getMCPServers = async (): Promise => { return request.get(endpoints.mcp.servers); }; +/** + * Get a single MCP server by ID + */ +export const getMCPServer = async (serverName: string): Promise => { + return request.get(endpoints.mcpServer(serverName)); +}; + +/** + * Create a new MCP server + */ +export const createMCPServer = async ( + data: mcp.MCPServerCreateParams, +): Promise => { + return request.post(endpoints.mcp.servers, data); +}; + +/** + * Update an existing MCP server + */ +export const updateMCPServer = async ( + serverName: string, + data: mcp.MCPServerUpdateParams, +): Promise => { + return request.patch(endpoints.mcpServer(serverName), data); +}; + +/** + * Delete an MCP server + */ +export const deleteMCPServer = async (serverName: string): Promise<{ success: boolean }> => { + return request.delete(endpoints.mcpServer(serverName)); +}; + /** * Imports a conversations file. * @@ -832,6 +865,12 @@ export function updatePeoplePickerPermissions( ); } +export function updateMCPServersPermissions( + variables: m.UpdateMCPServersPermVars, +): Promise { + return request.put(endpoints.updateMCPServersPermissions(variables.roleName), variables.updates); +} + export function updateMarketplacePermissions( variables: m.UpdateMarketplacePermVars, ): Promise { @@ -984,6 +1023,12 @@ export function getEffectivePermissions( return request.get(endpoints.getEffectivePermissions(resourceType, resourceId)); } +export function getAllEffectivePermissions( + resourceType: permissions.ResourceType, +): Promise { + return request.get(endpoints.getAllEffectivePermissions(resourceType)); +} + // SharePoint Graph API Token export function getGraphApiToken(params: q.GraphTokenParams): Promise { return request.get(endpoints.graphToken(params.scopes)); diff --git a/packages/data-provider/src/keys.ts b/packages/data-provider/src/keys.ts index fa4656722d..879435d411 100644 --- a/packages/data-provider/src/keys.ts +++ b/packages/data-provider/src/keys.ts @@ -59,6 +59,7 @@ export enum QueryKeys { graphToken = 'graphToken', /* MCP Servers */ mcpServers = 'mcpServers', + mcpServer = 'mcpServer', } // Dynamic query keys that require parameters diff --git a/packages/data-provider/src/mcp.ts b/packages/data-provider/src/mcp.ts index dd359d750a..66d3abd3df 100644 --- a/packages/data-provider/src/mcp.ts +++ b/packages/data-provider/src/mcp.ts @@ -3,6 +3,13 @@ import { TokenExchangeMethodEnum } from './types/agents'; import { extractEnvVariable } from './utils'; const BaseOptionsSchema = z.object({ + /** Display name for the MCP server - only letters, numbers, and spaces allowed */ + title: z + .string() + .regex(/^[a-zA-Z0-9 ]+$/, 'Title can only contain letters, numbers, and spaces') + .optional(), + /** Description of the MCP server */ + description: z.string().optional(), /** * Controls whether the MCP server is initialized during application startup. * - true (default): Server is initialized during app startup and included in app-level connections diff --git a/packages/data-provider/src/permissions.ts b/packages/data-provider/src/permissions.ts index 1621ea73e0..b5c90aadeb 100644 --- a/packages/data-provider/src/permissions.ts +++ b/packages/data-provider/src/permissions.ts @@ -52,6 +52,10 @@ export enum PermissionTypes { * Type for using the "File Citations" feature in agents */ FILE_CITATIONS = 'FILE_CITATIONS', + /** + * Type for MCP Server Permissions + */ + MCP_SERVERS = 'MCP_SERVERS', } /** @@ -144,6 +148,13 @@ export const fileCitationsPermissionsSchema = z.object({ }); export type TFileCitationsPermissions = z.infer; +export const mcpServersPermissionsSchema = z.object({ + [Permissions.USE]: z.boolean().default(true), + [Permissions.CREATE]: z.boolean().default(true), + [Permissions.SHARE]: z.boolean().default(false), +}); +export type TMcpServersPermissions = z.infer; + // Define a single permissions schema that holds all permission types. export const permissionsSchema = z.object({ [PermissionTypes.PROMPTS]: promptPermissionsSchema, @@ -158,4 +169,5 @@ export const permissionsSchema = z.object({ [PermissionTypes.MARKETPLACE]: marketplacePermissionsSchema, [PermissionTypes.FILE_SEARCH]: fileSearchPermissionsSchema, [PermissionTypes.FILE_CITATIONS]: fileCitationsPermissionsSchema, + [PermissionTypes.MCP_SERVERS]: mcpServersPermissionsSchema, }); diff --git a/packages/data-provider/src/react-query/react-query-service.ts b/packages/data-provider/src/react-query/react-query-service.ts index c4b55e2039..cd259fb50c 100644 --- a/packages/data-provider/src/react-query/react-query-service.ts +++ b/packages/data-provider/src/react-query/react-query-service.ts @@ -493,6 +493,20 @@ export const useGetEffectivePermissionsQuery = ( }); }; +export const useGetAllEffectivePermissionsQuery = ( + resourceType: ResourceType, + config?: UseQueryOptions, +): QueryObserverResult => { + return useQuery({ + queryKey: [QueryKeys.effectivePermissions, 'all', resourceType], + queryFn: () => dataService.getAllEffectivePermissions(resourceType), + enabled: !!resourceType, + refetchOnWindowFocus: false, + staleTime: 30000, + ...config, + }); +}; + export const useMCPServerConnectionStatusQuery = ( serverName: string, config?: UseQueryOptions, diff --git a/packages/data-provider/src/roles.ts b/packages/data-provider/src/roles.ts index 22d20ebd5a..02fbeaf6db 100644 --- a/packages/data-provider/src/roles.ts +++ b/packages/data-provider/src/roles.ts @@ -14,6 +14,7 @@ import { temporaryChatPermissionsSchema, peoplePickerPermissionsSchema, fileCitationsPermissionsSchema, + mcpServersPermissionsSchema, } from './permissions'; /** @@ -89,6 +90,11 @@ const defaultRolesSchema = z.object({ [PermissionTypes.FILE_CITATIONS]: fileCitationsPermissionsSchema.extend({ [Permissions.USE]: z.boolean().default(true), }), + [PermissionTypes.MCP_SERVERS]: mcpServersPermissionsSchema.extend({ + [Permissions.USE]: z.boolean().default(true), + [Permissions.CREATE]: z.boolean().default(true), + [Permissions.SHARE]: z.boolean().default(true), + }), }), }), [SystemRoles.USER]: roleSchema.extend({ @@ -147,6 +153,11 @@ export const roleDefaults = defaultRolesSchema.parse({ [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: true, }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: true, + [Permissions.CREATE]: true, + [Permissions.SHARE]: true, + }, }, }, [SystemRoles.USER]: { @@ -170,6 +181,7 @@ export const roleDefaults = defaultRolesSchema.parse({ }, [PermissionTypes.FILE_SEARCH]: {}, [PermissionTypes.FILE_CITATIONS]: {}, + [PermissionTypes.MCP_SERVERS]: {}, }, }, }); diff --git a/packages/data-provider/src/types/agents.ts b/packages/data-provider/src/types/agents.ts index 756ae51e7f..f9101e782e 100644 --- a/packages/data-provider/src/types/agents.ts +++ b/packages/data-provider/src/types/agents.ts @@ -333,7 +333,7 @@ export type ActionMetadataRuntime = ActionMetadata & { }; export type MCP = { - mcp_id: string; + serverName: string; metadata: MCPMetadata; } & ({ assistant_id: string; agent_id?: never } | { assistant_id?: never; agent_id?: string }); diff --git a/packages/data-provider/src/types/index.ts b/packages/data-provider/src/types/index.ts index 3cf1ef310b..bd6e3ad79b 100644 --- a/packages/data-provider/src/types/index.ts +++ b/packages/data-provider/src/types/index.ts @@ -1 +1,2 @@ export * from './queries'; +export * from './mcpServers'; diff --git a/packages/data-provider/src/types/mcpServers.ts b/packages/data-provider/src/types/mcpServers.ts index ad27445b75..27520a11d5 100644 --- a/packages/data-provider/src/types/mcpServers.ts +++ b/packages/data-provider/src/types/mcpServers.ts @@ -1,4 +1,3 @@ -import { PermissionBits } from '../accessPermissions'; import type { MCPOptions, MCPServerUserInput } from '../mcp'; /** @@ -7,7 +6,7 @@ import type { MCPOptions, MCPServerUserInput } from '../mcp'; */ export interface IMCPServerDB { _id?: string; // MongoDB ObjectId (used for ACL/permissions) - mcp_id: string; + serverName: string; config: MCPOptions; author?: string | null; createdAt?: Date; @@ -41,12 +40,10 @@ export type MCPServerUpdateParams = { * Response for MCP server list endpoint */ export type MCPServerDBObjectResponse = { - _id?: string; - mcp_id?: string; - author?: string | null; - createdAt?: Date; - updatedAt?: Date; - effectivePermissions?: PermissionBits; + dbId?: string; + serverName: string; + /** True if access is only via agent (not directly shared with user) */ + consumeOnly?: boolean; } & MCPOptions; export type MCPServersListResponse = Record; diff --git a/packages/data-provider/src/types/mutations.ts b/packages/data-provider/src/types/mutations.ts index 810fa15e49..4f8c1857b1 100644 --- a/packages/data-provider/src/types/mutations.ts +++ b/packages/data-provider/src/types/mutations.ts @@ -274,6 +274,7 @@ export type UpdatePromptPermVars = UpdatePermVars; export type UpdateMemoryPermVars = UpdatePermVars; export type UpdateAgentPermVars = UpdatePermVars; export type UpdatePeoplePickerPermVars = UpdatePermVars; +export type UpdateMCPServersPermVars = UpdatePermVars; export type UpdatePermResponse = r.TRole; @@ -305,6 +306,13 @@ export type UpdatePeoplePickerPermOptions = MutationOptions< types.TError | null | undefined >; +export type UpdateMCPServersPermOptions = MutationOptions< + UpdatePermResponse, + UpdateMCPServersPermVars, + unknown, + types.TError | null | undefined +>; + export type UpdateMarketplacePermVars = UpdatePermVars; export type UpdateMarketplacePermOptions = MutationOptions< diff --git a/packages/data-schemas/src/methods/accessRole.spec.ts b/packages/data-schemas/src/methods/accessRole.spec.ts index 15a22b1eb1..b0f7ba70ef 100644 --- a/packages/data-schemas/src/methods/accessRole.spec.ts +++ b/packages/data-schemas/src/methods/accessRole.spec.ts @@ -200,6 +200,9 @@ describe('AccessRole Model Tests', () => { AccessRoleIds.PROMPTGROUP_EDITOR, AccessRoleIds.PROMPTGROUP_OWNER, AccessRoleIds.PROMPTGROUP_VIEWER, + AccessRoleIds.MCPSERVER_EDITOR, + AccessRoleIds.MCPSERVER_OWNER, + AccessRoleIds.MCPSERVER_VIEWER, ].sort(), ); diff --git a/packages/data-schemas/src/methods/accessRole.ts b/packages/data-schemas/src/methods/accessRole.ts index d15583e38c..0971c0f9e8 100644 --- a/packages/data-schemas/src/methods/accessRole.ts +++ b/packages/data-schemas/src/methods/accessRole.ts @@ -146,6 +146,27 @@ export function createAccessRoleMethods(mongoose: typeof import('mongoose')) { resourceType: ResourceType.PROMPTGROUP, permBits: RoleBits.OWNER, }, + { + accessRoleId: AccessRoleIds.MCPSERVER_VIEWER, + name: 'com_ui_mcp_server_role_viewer', + description: 'com_ui_mcp_server_role_viewer_desc', + resourceType: ResourceType.MCPSERVER, + permBits: RoleBits.VIEWER, + }, + { + accessRoleId: AccessRoleIds.MCPSERVER_EDITOR, + name: 'com_ui_mcp_server_role_editor', + description: 'com_ui_mcp_server_role_editor_desc', + resourceType: ResourceType.MCPSERVER, + permBits: RoleBits.EDITOR, + }, + { + accessRoleId: AccessRoleIds.MCPSERVER_OWNER, + name: 'com_ui_mcp_server_role_owner', + description: 'com_ui_mcp_server_role_owner_desc', + resourceType: ResourceType.MCPSERVER, + permBits: RoleBits.OWNER, + }, ]; const result: Record = {}; diff --git a/packages/data-schemas/src/methods/aclEntry.spec.ts b/packages/data-schemas/src/methods/aclEntry.spec.ts index be18a81c1b..804b51870a 100644 --- a/packages/data-schemas/src/methods/aclEntry.spec.ts +++ b/packages/data-schemas/src/methods/aclEntry.spec.ts @@ -679,4 +679,276 @@ describe('AclEntry Model Tests', () => { expect(effective).toBe(PermissionBits.VIEW); }); }); + + describe('Batch Permission Queries', () => { + test('should get effective permissions for multiple resources in single query', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + const resource3 = new mongoose.Types.ObjectId(); + + /** Grant different permissions to different resources */ + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource1, + PermissionBits.VIEW, + grantedById, + ); + + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource2, + PermissionBits.VIEW | PermissionBits.EDIT, + grantedById, + ); + + await methods.grantPermission( + PrincipalType.GROUP, + groupId, + ResourceType.MCPSERVER, + resource3, + PermissionBits.DELETE, + grantedById, + ); + + /** Get permissions for all resources */ + const permissionsMap = await methods.getEffectivePermissionsForResources( + [{ principalType: PrincipalType.USER, principalId: userId }], + ResourceType.MCPSERVER, + [resource1, resource2, resource3], + ); + + expect(permissionsMap.size).toBe(2); // Only resource1 and resource2 for user + expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW); + expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT); + expect(permissionsMap.get(resource3.toString())).toBeUndefined(); // User has no access + }); + + test('should combine permissions from multiple principals in batch query', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + /** User has VIEW on both resources */ + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource1, + PermissionBits.VIEW, + grantedById, + ); + + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource2, + PermissionBits.VIEW, + grantedById, + ); + + /** Group has EDIT on resource1 */ + await methods.grantPermission( + PrincipalType.GROUP, + groupId, + ResourceType.MCPSERVER, + resource1, + PermissionBits.EDIT, + grantedById, + ); + + /** Get combined permissions for user + group */ + const permissionsMap = await methods.getEffectivePermissionsForResources( + [ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + ], + ResourceType.MCPSERVER, + [resource1, resource2], + ); + + expect(permissionsMap.size).toBe(2); + /** Resource1 should have VIEW | EDIT (from user + group) */ + expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT); + /** Resource2 should have only VIEW (from user) */ + expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.VIEW); + }); + + test('should handle empty resource list', async () => { + const permissionsMap = await methods.getEffectivePermissionsForResources( + [{ principalType: PrincipalType.USER, principalId: userId }], + ResourceType.MCPSERVER, + [], + ); + + expect(permissionsMap.size).toBe(0); + }); + + test('should handle resources with no permissions', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + /** Only grant permission to resource1 */ + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource1, + PermissionBits.VIEW, + grantedById, + ); + + const permissionsMap = await methods.getEffectivePermissionsForResources( + [{ principalType: PrincipalType.USER, principalId: userId }], + ResourceType.MCPSERVER, + [resource1, resource2], // resource2 has no permissions + ); + + expect(permissionsMap.size).toBe(1); + expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW); + expect(permissionsMap.get(resource2.toString())).toBeUndefined(); + }); + + test('should include public permissions in batch query', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + /** User has VIEW on resource1 */ + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource1, + PermissionBits.VIEW | PermissionBits.EDIT, + grantedById, + ); + + /** Public has VIEW on resource2 */ + await methods.grantPermission( + PrincipalType.PUBLIC, + null, + ResourceType.MCPSERVER, + resource2, + PermissionBits.VIEW, + grantedById, + ); + + /** Query with user + public principals */ + const permissionsMap = await methods.getEffectivePermissionsForResources( + [ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.PUBLIC }, + ], + ResourceType.MCPSERVER, + [resource1, resource2], + ); + + expect(permissionsMap.size).toBe(2); + expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT); + expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.VIEW); + }); + + test('should handle large batch efficiently', async () => { + /** Create 50 resources with various permissions */ + const resources = Array.from({ length: 50 }, () => new mongoose.Types.ObjectId()); + + /** Grant permissions to first 30 resources */ + for (let i = 0; i < 30; i++) { + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resources[i], + PermissionBits.VIEW, + grantedById, + ); + } + + /** Grant group permissions to resources 20-40 (overlap with user) */ + for (let i = 20; i < 40; i++) { + await methods.grantPermission( + PrincipalType.GROUP, + groupId, + ResourceType.MCPSERVER, + resources[i], + PermissionBits.EDIT, + grantedById, + ); + } + + const startTime = Date.now(); + const permissionsMap = await methods.getEffectivePermissionsForResources( + [ + { principalType: PrincipalType.USER, principalId: userId }, + { principalType: PrincipalType.GROUP, principalId: groupId }, + ], + ResourceType.MCPSERVER, + resources, + ); + const duration = Date.now() - startTime; + + /** Should be reasonably fast (under 1 second for 50 resources) */ + expect(duration).toBeLessThan(1000); + + /** Verify results */ + expect(permissionsMap.size).toBe(40); // Resources 0-39 have permissions + + /** Resources 0-19: USER VIEW only */ + for (let i = 0; i < 20; i++) { + expect(permissionsMap.get(resources[i].toString())).toBe(PermissionBits.VIEW); + } + + /** Resources 20-29: USER VIEW | GROUP EDIT */ + for (let i = 20; i < 30; i++) { + expect(permissionsMap.get(resources[i].toString())).toBe(PermissionBits.VIEW | PermissionBits.EDIT); + } + + /** Resources 30-39: GROUP EDIT only */ + for (let i = 30; i < 40; i++) { + expect(permissionsMap.get(resources[i].toString())).toBe(PermissionBits.EDIT); + } + + /** Resources 40-49: No permissions */ + for (let i = 40; i < 50; i++) { + expect(permissionsMap.get(resources[i].toString())).toBeUndefined(); + } + }); + + test('should handle mixed ObjectId and string resource IDs', async () => { + const resource1 = new mongoose.Types.ObjectId(); + const resource2 = new mongoose.Types.ObjectId(); + + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource1, + PermissionBits.VIEW, + grantedById, + ); + + await methods.grantPermission( + PrincipalType.USER, + userId, + ResourceType.MCPSERVER, + resource2, + PermissionBits.EDIT, + grantedById, + ); + + /** Pass mix of ObjectId and string */ + const permissionsMap = await methods.getEffectivePermissionsForResources( + [{ principalType: PrincipalType.USER, principalId: userId }], + ResourceType.MCPSERVER, + [resource1, resource2.toString()], // Mix of ObjectId and string + ); + + expect(permissionsMap.size).toBe(2); + expect(permissionsMap.get(resource1.toString())).toBe(PermissionBits.VIEW); + expect(permissionsMap.get(resource2.toString())).toBe(PermissionBits.EDIT); + }); + }); }); diff --git a/packages/data-schemas/src/methods/aclEntry.ts b/packages/data-schemas/src/methods/aclEntry.ts index 67e91ad018..c1848960cc 100644 --- a/packages/data-schemas/src/methods/aclEntry.ts +++ b/packages/data-schemas/src/methods/aclEntry.ts @@ -118,6 +118,58 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) { return effectiveBits; } + /** + * Get effective permissions for multiple resources in a single query (BATCH) + * Returns a map of resourceId → effectivePermissionBits + * + * @param principalsList - List of principals (user + groups + public) + * @param resourceType - The type of resource ('MCPSERVER', 'AGENT', etc.) + * @param resourceIds - Array of resource IDs to check + * @returns {Promise>} Map of resourceId → permission bits + * + * @example + * const principals = await getUserPrincipals({ userId, role }); + * const serverIds = [id1, id2, id3]; + * const permMap = await getEffectivePermissionsForResources( + * principals, + * ResourceType.MCPSERVER, + * serverIds + * ); + * // permMap.get(id1.toString()) → 7 (VIEW|EDIT|DELETE) + */ + async function getEffectivePermissionsForResources( + principalsList: Array<{ principalType: string; principalId?: string | Types.ObjectId }>, + resourceType: string, + resourceIds: Array, + ): Promise> { + if (!Array.isArray(resourceIds) || resourceIds.length === 0) { + return new Map(); + } + + const AclEntry = mongoose.models.AclEntry as Model; + const principalsQuery = principalsList.map((p) => ({ + principalType: p.principalType, + ...(p.principalType !== PrincipalType.PUBLIC && { principalId: p.principalId }), + })); + + // Batch query for all resources at once + const aclEntries = await AclEntry.find({ + $or: principalsQuery, + resourceType, + resourceId: { $in: resourceIds }, + }).lean(); + + // Compute effective permissions per resource + const permissionsMap = new Map(); + for (const entry of aclEntries) { + const rid = entry.resourceId.toString(); + const currentBits = permissionsMap.get(rid) || 0; + permissionsMap.set(rid, currentBits | entry.permBits); + } + + return permissionsMap; + } + /** * Grant permission to a principal for a resource * @param principalType - The type of principal ('user', 'group', 'public') @@ -301,6 +353,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) { findEntriesByPrincipalsAndResource, hasPermission, getEffectivePermissions, + getEffectivePermissionsForResources, grantPermission, revokePermission, modifyPermissionBits, diff --git a/packages/data-schemas/src/methods/index.ts b/packages/data-schemas/src/methods/index.ts index cb93f8d95a..122e48419c 100644 --- a/packages/data-schemas/src/methods/index.ts +++ b/packages/data-schemas/src/methods/index.ts @@ -8,6 +8,8 @@ import { createFileMethods, type FileMethods } from './file'; import { createMemoryMethods, type MemoryMethods } from './memory'; /* Agent Categories */ import { createAgentCategoryMethods, type AgentCategoryMethods } from './agentCategory'; +/* MCP Servers */ +import { createMCPServerMethods, type MCPServerMethods } from './mcpServer'; /* Plugin Auth */ import { createPluginAuthMethods, type PluginAuthMethods } from './pluginAuth'; /* Permissions */ @@ -24,6 +26,7 @@ export type AllMethods = UserMethods & FileMethods & MemoryMethods & AgentCategoryMethods & + MCPServerMethods & UserGroupMethods & AclEntryMethods & ShareMethods & @@ -44,6 +47,7 @@ export function createMethods(mongoose: typeof import('mongoose')): AllMethods { ...createFileMethods(mongoose), ...createMemoryMethods(mongoose), ...createAgentCategoryMethods(mongoose), + ...createMCPServerMethods(mongoose), ...createAccessRoleMethods(mongoose), ...createUserGroupMethods(mongoose), ...createAclEntryMethods(mongoose), @@ -61,6 +65,7 @@ export type { FileMethods, MemoryMethods, AgentCategoryMethods, + MCPServerMethods, UserGroupMethods, AclEntryMethods, ShareMethods, diff --git a/packages/data-schemas/src/methods/mcpServer.spec.ts b/packages/data-schemas/src/methods/mcpServer.spec.ts new file mode 100644 index 0000000000..387a697ffc --- /dev/null +++ b/packages/data-schemas/src/methods/mcpServer.spec.ts @@ -0,0 +1,827 @@ +import mongoose from 'mongoose'; +import { MongoMemoryServer } from 'mongodb-memory-server'; +import type { MCPOptions } from 'librechat-data-provider'; +import type * as t from '~/types'; +import { createMCPServerMethods } from './mcpServer'; +import mcpServerSchema from '~/schema/mcpServer'; + +let mongoServer: MongoMemoryServer; +let MCPServer: mongoose.Model; +let methods: ReturnType; + +beforeAll(async () => { + mongoServer = await MongoMemoryServer.create(); + const mongoUri = mongoServer.getUri(); + MCPServer = mongoose.models.MCPServer || mongoose.model('MCPServer', mcpServerSchema); + methods = createMCPServerMethods(mongoose); + await mongoose.connect(mongoUri); +}); + +afterAll(async () => { + await mongoose.disconnect(); + await mongoServer.stop(); +}); + +beforeEach(async () => { + await mongoose.connection.dropDatabase(); +}); + +describe('MCPServer Model Tests', () => { + const authorId = new mongoose.Types.ObjectId(); + const authorId2 = new mongoose.Types.ObjectId(); + + const createSSEConfig = (title?: string, description?: string): MCPOptions => ({ + type: 'sse', + url: 'https://example.com/mcp', + ...(title && { title }), + ...(description && { description }), + }); + + describe('createMCPServer', () => { + test('should create server with title and generate slug from title', async () => { + const config = createSSEConfig('My Test Server', 'A test server'); + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server).toBeDefined(); + expect(server.serverName).toBe('my-test-server'); + expect(server.config.title).toBe('My Test Server'); + expect(server.config.description).toBe('A test server'); + expect(server.author.toString()).toBe(authorId.toString()); + expect(server.createdAt).toBeInstanceOf(Date); + expect(server.updatedAt).toBeInstanceOf(Date); + }); + + test('should create server without title and use nanoid', async () => { + const config: MCPOptions = { + type: 'sse', + url: 'https://example.com/mcp', + }; + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server).toBeDefined(); + expect(server.serverName).toMatch(/^mcp-[a-zA-Z0-9_-]{16}$/); + expect(server.config.title).toBeUndefined(); + }); + + test('should handle title with special characters', async () => { + const config = createSSEConfig('My @#$% Server!!! 123'); + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server.serverName).toBe('my-server-123'); + }); + + test('should handle title with only spaces and special chars', async () => { + const config = createSSEConfig(' @#$% '); + const server = await methods.createMCPServer({ config, author: authorId }); + + // Should fallback to 'mcp-server' + expect(server.serverName).toBe('mcp-server'); + }); + + test('should handle title with multiple spaces', async () => { + const config = createSSEConfig('My Multiple Spaces Server'); + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server.serverName).toBe('my-multiple-spaces-server'); + }); + + test('should handle string author ID', async () => { + const config = createSSEConfig('String Author Test'); + const server = await methods.createMCPServer({ + config, + author: authorId.toString(), + }); + + expect(server).toBeDefined(); + expect(server.author.toString()).toBe(authorId.toString()); + }); + + test('should create server with stdio config', async () => { + const config: MCPOptions = { + type: 'stdio', + command: 'node', + args: ['server.js'], + title: 'Stdio Server', + }; + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server.serverName).toBe('stdio-server'); + expect(server.config.type).toBe('stdio'); + }); + }); + + describe('findNextAvailableServerName', () => { + test('should return base name when no duplicates exist', async () => { + // Create server directly via model to set up initial state + await MCPServer.create({ + serverName: 'other-server', + config: createSSEConfig('Other Server'), + author: authorId, + }); + + const config = createSSEConfig('Test Server'); + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server.serverName).toBe('test-server'); + }); + + test('should append -2 when base name exists', async () => { + // Create first server + await methods.createMCPServer({ + config: createSSEConfig('Test Server'), + author: authorId, + }); + + // Create second server with same title + const server = await methods.createMCPServer({ + config: createSSEConfig('Test Server'), + author: authorId, + }); + + expect(server.serverName).toBe('test-server-2'); + }); + + test('should find next available number in sequence', async () => { + // Create servers with sequential names + await MCPServer.create({ + serverName: 'test-server', + config: createSSEConfig('Test Server'), + author: authorId, + }); + await MCPServer.create({ + serverName: 'test-server-2', + config: createSSEConfig('Test Server'), + author: authorId, + }); + await MCPServer.create({ + serverName: 'test-server-3', + config: createSSEConfig('Test Server'), + author: authorId, + }); + + const server = await methods.createMCPServer({ + config: createSSEConfig('Test Server'), + author: authorId, + }); + + expect(server.serverName).toBe('test-server-4'); + }); + + test('should handle gaps in sequence', async () => { + // Create servers with gaps: test, test-2, test-5 + await MCPServer.create({ + serverName: 'test-server', + config: createSSEConfig('Test Server'), + author: authorId, + }); + await MCPServer.create({ + serverName: 'test-server-2', + config: createSSEConfig('Test Server'), + author: authorId, + }); + await MCPServer.create({ + serverName: 'test-server-5', + config: createSSEConfig('Test Server'), + author: authorId, + }); + + const server = await methods.createMCPServer({ + config: createSSEConfig('Test Server'), + author: authorId, + }); + + // Should append -6 (max + 1) + expect(server.serverName).toBe('test-server-6'); + }); + + test('should not match partial names', async () => { + // Create 'test-server-extra' which shouldn't affect 'test-server' sequence + await MCPServer.create({ + serverName: 'test-server-extra', + config: createSSEConfig('Test Server Extra'), + author: authorId, + }); + + const server = await methods.createMCPServer({ + config: createSSEConfig('Test Server'), + author: authorId, + }); + + // 'test-server' is available, so should use it + expect(server.serverName).toBe('test-server'); + }); + + test('should handle special regex characters in base name', async () => { + // The slug generation removes special characters, but test the regex escaping + await MCPServer.create({ + serverName: 'test-server', + config: createSSEConfig('Test Server'), + author: authorId, + }); + + const server = await methods.createMCPServer({ + config: createSSEConfig('Test Server'), + author: authorId2, + }); + + expect(server.serverName).toBe('test-server-2'); + }); + }); + + describe('findMCPServerById', () => { + test('should find server by serverName', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Find By Id Test'), + author: authorId, + }); + + const found = await methods.findMCPServerById(created.serverName); + + expect(found).toBeDefined(); + expect(found?.serverName).toBe('find-by-id-test'); + expect(found?.config.title).toBe('Find By Id Test'); + }); + + test('should return null when server not found', async () => { + const found = await methods.findMCPServerById('non-existent-server'); + + expect(found).toBeNull(); + }); + + test('should return lean document', async () => { + await methods.createMCPServer({ + config: createSSEConfig('Lean Test'), + author: authorId, + }); + + const found = await methods.findMCPServerById('lean-test'); + + // Lean documents don't have mongoose methods + expect(found).toBeDefined(); + // eslint-disable-next-line @typescript-eslint/no-explicit-any + expect(typeof (found as any).save).toBe('undefined'); + }); + }); + + describe('findMCPServerByObjectId', () => { + test('should find server by MongoDB ObjectId', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Object Id Test'), + author: authorId, + }); + + const found = await methods.findMCPServerByObjectId(created._id); + + expect(found).toBeDefined(); + expect(found?.serverName).toBe('object-id-test'); + expect(found?._id.toString()).toBe(created._id.toString()); + }); + + test('should find server by string ObjectId', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('String Object Id Test'), + author: authorId, + }); + + const found = await methods.findMCPServerByObjectId(created._id.toString()); + + expect(found).toBeDefined(); + expect(found?.serverName).toBe('string-object-id-test'); + }); + + test('should return null when ObjectId not found', async () => { + const randomId = new mongoose.Types.ObjectId(); + const found = await methods.findMCPServerByObjectId(randomId); + + expect(found).toBeNull(); + }); + + test('should return null for invalid ObjectId string', async () => { + await expect(methods.findMCPServerByObjectId('invalid-id')).rejects.toThrow(); + }); + }); + + describe('findMCPServersByAuthor', () => { + test('should find all servers by author', async () => { + await methods.createMCPServer({ + config: createSSEConfig('Author Server 1'), + author: authorId, + }); + await methods.createMCPServer({ + config: createSSEConfig('Author Server 2'), + author: authorId, + }); + await methods.createMCPServer({ + config: createSSEConfig('Other Author Server'), + author: authorId2, + }); + + const servers = await methods.findMCPServersByAuthor(authorId); + + expect(servers).toHaveLength(2); + expect(servers.every((s) => s.author.toString() === authorId.toString())).toBe(true); + }); + + test('should return empty array when author has no servers', async () => { + const servers = await methods.findMCPServersByAuthor(new mongoose.Types.ObjectId()); + + expect(servers).toEqual([]); + }); + + test('should sort by updatedAt descending', async () => { + // Create servers with slight delay to ensure different timestamps + const server1 = await methods.createMCPServer({ + config: createSSEConfig('First Created'), + author: authorId, + }); + + // Update first server to make it most recently updated + await MCPServer.findByIdAndUpdate(server1._id, { + $set: { 'config.description': 'Updated' }, + }); + + await methods.createMCPServer({ + config: createSSEConfig('Second Created'), + author: authorId, + }); + + const servers = await methods.findMCPServersByAuthor(authorId); + + expect(servers).toHaveLength(2); + // Most recently updated should come first + expect(servers[0].serverName).toBe('second-created'); + }); + + test('should handle string author ID', async () => { + await methods.createMCPServer({ + config: createSSEConfig('String Author Server'), + author: authorId, + }); + + const servers = await methods.findMCPServersByAuthor(authorId.toString()); + + expect(servers).toHaveLength(1); + }); + }); + + describe('getListMCPServersByIds', () => { + let server1: t.MCPServerDocument; + let server2: t.MCPServerDocument; + let server3: t.MCPServerDocument; + + beforeEach(async () => { + server1 = await methods.createMCPServer({ + config: createSSEConfig('Server One'), + author: authorId, + }); + server2 = await methods.createMCPServer({ + config: createSSEConfig('Server Two'), + author: authorId, + }); + server3 = await methods.createMCPServer({ + config: createSSEConfig('Server Three'), + author: authorId, + }); + }); + + test('should return servers matching provided IDs', async () => { + const result = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id], + }); + + expect(result.data).toHaveLength(2); + expect(result.has_more).toBe(false); + expect(result.after).toBeNull(); + }); + + test('should return empty data for empty IDs array', async () => { + const result = await methods.getListMCPServersByIds({ ids: [] }); + + expect(result.data).toEqual([]); + expect(result.has_more).toBe(false); + expect(result.after).toBeNull(); + }); + + test('should handle pagination with limit', async () => { + const result = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + limit: 2, + }); + + expect(result.data).toHaveLength(2); + expect(result.has_more).toBe(true); + expect(result.after).not.toBeNull(); + }); + + test('should paginate using cursor', async () => { + // Get first page + const firstPage = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + limit: 2, + }); + + expect(firstPage.has_more).toBe(true); + expect(firstPage.after).not.toBeNull(); + + // Get second page using cursor + const secondPage = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + limit: 2, + after: firstPage.after, + }); + + expect(secondPage.data).toHaveLength(1); + expect(secondPage.has_more).toBe(false); + expect(secondPage.after).toBeNull(); + + // Ensure no duplicates between pages + const firstPageIds = firstPage.data.map((s) => s._id.toString()); + const secondPageIds = secondPage.data.map((s) => s._id.toString()); + const intersection = firstPageIds.filter((id) => secondPageIds.includes(id)); + expect(intersection).toHaveLength(0); + }); + + test('should handle invalid cursor gracefully', async () => { + const result = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id], + after: 'invalid-cursor', + }); + + // Should still return results, ignoring invalid cursor + expect(result.data).toHaveLength(2); + }); + + test('should return all when limit is null', async () => { + const result = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + limit: null, + }); + + expect(result.data).toHaveLength(3); + expect(result.has_more).toBe(false); + expect(result.after).toBeNull(); + }); + + test('should apply additional filters via otherParams', async () => { + // Create a server with different config + const serverWithDesc = await methods.createMCPServer({ + config: createSSEConfig('Filtered Server', 'Has description'), + author: authorId, + }); + + const result = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, serverWithDesc._id], + otherParams: { 'config.description': 'Has description' }, + }); + + expect(result.data).toHaveLength(1); + expect(result.data[0].serverName).toBe('filtered-server'); + }); + + test('should normalize limit to valid range', async () => { + // Limit should be clamped to 1-100 + const resultLow = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + limit: 0, + }); + + expect(resultLow.data.length).toBeGreaterThanOrEqual(1); + + const resultHigh = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + limit: 200, + }); + + expect(resultHigh.data).toHaveLength(3); // All 3 servers (less than 100) + }); + + test('should sort by updatedAt descending, _id ascending', async () => { + const result = await methods.getListMCPServersByIds({ + ids: [server1._id, server2._id, server3._id], + }); + + expect(result.data).toHaveLength(3); + // Most recently created/updated should come first + for (let i = 0; i < result.data.length - 1; i++) { + const current = new Date(result.data[i].updatedAt!).getTime(); + const next = new Date(result.data[i + 1].updatedAt!).getTime(); + expect(current).toBeGreaterThanOrEqual(next); + } + }); + }); + + describe('updateMCPServer', () => { + test('should update server config', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Update Test', 'Original description'), + author: authorId, + }); + + const updated = await methods.updateMCPServer(created.serverName, { + config: createSSEConfig('Update Test', 'Updated description'), + }); + + expect(updated).toBeDefined(); + expect(updated?.config.description).toBe('Updated description'); + expect(updated?.serverName).toBe('update-test'); // serverName shouldn't change + }); + + test('should return null when server not found', async () => { + const updated = await methods.updateMCPServer('non-existent', { + config: createSSEConfig('Test'), + }); + + expect(updated).toBeNull(); + }); + + test('should return updated document (new: true)', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Return Test'), + author: authorId, + }); + + const updated = await methods.updateMCPServer(created.serverName, { + config: createSSEConfig('Return Test', 'New description'), + }); + + expect(updated?.config.description).toBe('New description'); + }); + + test('should run validators on update', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Validation Test'), + author: authorId, + }); + + // The update should succeed with valid config + const updated = await methods.updateMCPServer(created.serverName, { + config: createSSEConfig('Validation Test', 'Valid config'), + }); + + expect(updated).toBeDefined(); + }); + + test('should update timestamps', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Timestamp Test'), + author: authorId, + }); + + const originalUpdatedAt = created.updatedAt; + + // Wait a bit to ensure timestamp difference + await new Promise((resolve) => setTimeout(resolve, 10)); + + const updated = await methods.updateMCPServer(created.serverName, { + config: createSSEConfig('Timestamp Test', 'Updated'), + }); + + expect(updated?.updatedAt).toBeDefined(); + expect(new Date(updated!.updatedAt!).getTime()).toBeGreaterThan( + new Date(originalUpdatedAt!).getTime(), + ); + }); + + test('should handle partial config updates', async () => { + const created = await methods.createMCPServer({ + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Partial Update Test', + description: 'Original', + }, + author: authorId, + }); + + const updated = await methods.updateMCPServer(created.serverName, { + config: { + type: 'sse', + url: 'https://example.com/mcp', + title: 'Partial Update Test', + description: 'New description', + iconPath: '/icons/new-icon.png', + }, + }); + + expect(updated?.config.description).toBe('New description'); + expect(updated?.config.iconPath).toBe('/icons/new-icon.png'); + }); + }); + + describe('deleteMCPServer', () => { + test('should delete existing server', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Delete Test'), + author: authorId, + }); + + const deleted = await methods.deleteMCPServer(created.serverName); + + expect(deleted).toBeDefined(); + expect(deleted?.serverName).toBe('delete-test'); + + // Verify it's actually deleted + const found = await methods.findMCPServerById('delete-test'); + expect(found).toBeNull(); + }); + + test('should return null when server does not exist', async () => { + const deleted = await methods.deleteMCPServer('non-existent-server'); + + expect(deleted).toBeNull(); + }); + + test('should return the deleted document', async () => { + const created = await methods.createMCPServer({ + config: createSSEConfig('Delete Return Test', 'Will be deleted'), + author: authorId, + }); + + const deleted = await methods.deleteMCPServer(created.serverName); + + expect(deleted?.config.description).toBe('Will be deleted'); + }); + }); + + describe('getListMCPServersByNames', () => { + test('should return empty data for empty names array', async () => { + const result = await methods.getListMCPServersByNames({ names: [] }); + + expect(result.data).toEqual([]); + }); + + test('should find servers by serverName strings', async () => { + await methods.createMCPServer({ + config: createSSEConfig('Name Query One'), + author: authorId, + }); + await methods.createMCPServer({ + config: createSSEConfig('Name Query Two'), + author: authorId, + }); + await methods.createMCPServer({ + config: createSSEConfig('Name Query Three'), + author: authorId, + }); + + const result = await methods.getListMCPServersByNames({ + names: ['name-query-one', 'name-query-two'], + }); + + expect(result.data).toHaveLength(2); + const serverNames = result.data.map((s) => s.serverName); + expect(serverNames).toContain('name-query-one'); + expect(serverNames).toContain('name-query-two'); + expect(serverNames).not.toContain('name-query-three'); + }); + + test('should handle non-existent names gracefully', async () => { + await methods.createMCPServer({ + config: createSSEConfig('Existing Server'), + author: authorId, + }); + + const result = await methods.getListMCPServersByNames({ + names: ['existing-server', 'non-existent-1', 'non-existent-2'], + }); + + expect(result.data).toHaveLength(1); + expect(result.data[0].serverName).toBe('existing-server'); + }); + + test('should return all matching servers for multiple names', async () => { + const server1 = await methods.createMCPServer({ + config: createSSEConfig('Multi Name 1'), + author: authorId, + }); + const server2 = await methods.createMCPServer({ + config: createSSEConfig('Multi Name 2'), + author: authorId, + }); + const server3 = await methods.createMCPServer({ + config: createSSEConfig('Multi Name 3'), + author: authorId, + }); + + const result = await methods.getListMCPServersByNames({ + names: [server1.serverName, server2.serverName, server3.serverName], + }); + + expect(result.data).toHaveLength(3); + }); + + test('should handle duplicate names in input', async () => { + await methods.createMCPServer({ + config: createSSEConfig('Duplicate Test'), + author: authorId, + }); + + const result = await methods.getListMCPServersByNames({ + names: ['duplicate-test', 'duplicate-test', 'duplicate-test'], + }); + + // Should only return one server (unique by serverName) + expect(result.data).toHaveLength(1); + }); + }); + + describe('Edge Cases', () => { + test('should handle concurrent creation with retry logic for race conditions', async () => { + // Ensure indexes are created before concurrent test + await MCPServer.ensureIndexes(); + + // Create multiple servers with same title concurrently + // The retry logic handles TOCTOU race conditions by retrying with + // exponential backoff when duplicate key errors occur + const promises = Array.from({ length: 5 }, () => + methods.createMCPServer({ + config: createSSEConfig('Concurrent Test'), + author: authorId, + }), + ); + + const results = await Promise.allSettled(promises); + + const successes = results.filter( + (r): r is PromiseFulfilledResult => r.status === 'fulfilled', + ); + const failures = results.filter((r): r is PromiseRejectedResult => r.status === 'rejected'); + + // With retry logic, all concurrent requests should succeed + // Each will get a unique serverName (concurrent-test, concurrent-test-2, etc.) + expect(successes.length).toBe(5); + expect(failures.length).toBe(0); + + // Verify all servers have unique names + const serverNames = successes.map((s) => s.value.serverName); + const uniqueNames = new Set(serverNames); + expect(uniqueNames.size).toBe(5); + + // Verify all servers exist in the database + const dbServers = await MCPServer.find({ + serverName: { $regex: /^concurrent-test/ }, + }).lean(); + expect(dbServers.length).toBe(5); + }); + + test('should handle sequential creation with same title - no race condition', async () => { + // Create multiple servers with same title sequentially + // Each creation completes before the next one starts, so no race condition + const results: t.MCPServerDocument[] = []; + for (let i = 0; i < 5; i++) { + const server = await methods.createMCPServer({ + config: createSSEConfig('Sequential Test'), + author: authorId, + }); + results.push(server); + } + + // All should succeed with unique serverNames + const serverNames = results.map((r) => r.serverName); + const uniqueNames = new Set(serverNames); + expect(uniqueNames.size).toBe(5); + expect(serverNames).toContain('sequential-test'); + expect(serverNames).toContain('sequential-test-2'); + expect(serverNames).toContain('sequential-test-3'); + expect(serverNames).toContain('sequential-test-4'); + expect(serverNames).toContain('sequential-test-5'); + }); + + test('should handle very long titles', async () => { + const longTitle = 'A'.repeat(200) + ' Server'; + const config = createSSEConfig(longTitle); + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server).toBeDefined(); + expect(server.serverName).toBe('a'.repeat(200) + '-server'); + }); + + test('should handle unicode in title', async () => { + // Unicode characters should be stripped, leaving only alphanumeric + const config = createSSEConfig('Serveur Français 日本語'); + const server = await methods.createMCPServer({ config, author: authorId }); + + expect(server.serverName).toBe('serveur-franais'); + }); + + test('should handle empty string title', async () => { + const config: MCPOptions = { + type: 'sse', + url: 'https://example.com/mcp', + title: '', + }; + const server = await methods.createMCPServer({ config, author: authorId }); + + // Empty title should fallback to nanoid + expect(server.serverName).toMatch(/^mcp-[a-zA-Z0-9_-]{16}$/); + }); + + test('should handle whitespace-only title', async () => { + const config = createSSEConfig(' '); + const server = await methods.createMCPServer({ config, author: authorId }); + + // Whitespace-only title after trimming results in fallback + expect(server.serverName).toBe('mcp-server'); + }); + }); +}); diff --git a/packages/data-schemas/src/methods/mcpServer.ts b/packages/data-schemas/src/methods/mcpServer.ts new file mode 100644 index 0000000000..4250e1db24 --- /dev/null +++ b/packages/data-schemas/src/methods/mcpServer.ts @@ -0,0 +1,324 @@ +import type { Model, RootFilterQuery, Types } from 'mongoose'; +import type { MCPServerDocument } from '../types'; +import type { MCPOptions } from 'librechat-data-provider'; +import logger from '~/config/winston'; +import { nanoid } from 'nanoid'; + +const NORMALIZED_LIMIT_DEFAULT = 20; +const MAX_CREATE_RETRIES = 3; +const RETRY_BASE_DELAY_MS = 10; + +/** + * Helper to check if an error is a MongoDB duplicate key error. + * Since serverName is the only unique index on MCPServer, any E11000 error + * during creation is necessarily a serverName collision. + */ +function isDuplicateKeyError(error: unknown): boolean { + if (error && typeof error === 'object' && 'code' in error) { + const mongoError = error as { code: number }; + return mongoError.code === 11000; + } + return false; +} + +/** + * Escapes special regex characters in a string so they are treated literally. + */ +function escapeRegex(str: string): string { + return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); +} + +/** + * Generates a URL-friendly server name from a title. + * Converts to lowercase, replaces spaces with hyphens, removes special characters. + */ +function generateServerNameFromTitle(title: string): string { + const slug = title + .toLowerCase() + .trim() + .replace(/[^a-z0-9\s-]/g, '') // Remove special chars except spaces and hyphens + .replace(/\s+/g, '-') // Replace spaces with hyphens + .replace(/-+/g, '-') // Remove consecutive hyphens + .replace(/^-|-$/g, ''); // Trim leading/trailing hyphens + + return slug || 'mcp-server'; // Fallback if empty +} + +export function createMCPServerMethods(mongoose: typeof import('mongoose')) { + /** + * Finds the next available server name by checking for duplicates. + * If baseName exists, returns baseName-2, baseName-3, etc. + */ + async function findNextAvailableServerName(baseName: string): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + + // Find all servers with matching base name pattern (baseName or baseName-N) + const escapedBaseName = escapeRegex(baseName); + const existing = await MCPServer.find({ + serverName: { $regex: `^${escapedBaseName}(-\\d+)?$` }, + }) + .select('serverName') + .lean(); + + if (existing.length === 0) { + return baseName; + } + + // Extract numbers from existing names + const numbers = existing.map((s) => { + const match = s.serverName.match(/-(\d+)$/); + return match ? parseInt(match[1], 10) : 1; + }); + + const maxNumber = Math.max(...numbers); + return `${baseName}-${maxNumber + 1}`; + } + + /** + * Create a new MCP server with retry logic for handling race conditions. + * When multiple requests try to create servers with the same title simultaneously, + * they may get the same serverName from findNextAvailableServerName() before any + * creates the record (TOCTOU race condition). This is handled by retrying with + * exponential backoff when a duplicate key error occurs. + * @param data - Object containing config (with title, description, url, etc.) and author + * @returns The created MCP server document + */ + async function createMCPServer(data: { + config: MCPOptions; + author: string | Types.ObjectId; + }): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + let lastError: unknown; + + for (let attempt = 0; attempt < MAX_CREATE_RETRIES; attempt++) { + try { + // Generate serverName from title, with fallback to nanoid if no title + // Important: regenerate on each attempt to get fresh available name + let serverName: string; + if (data.config.title) { + const baseSlug = generateServerNameFromTitle(data.config.title); + serverName = await findNextAvailableServerName(baseSlug); + } else { + serverName = `mcp-${nanoid(16)}`; + } + + const newServer = await MCPServer.create({ + serverName, + config: data.config, + author: data.author, + }); + + return newServer.toObject() as MCPServerDocument; + } catch (error) { + lastError = error; + + // Only retry on duplicate key errors (serverName collision) + if (isDuplicateKeyError(error) && attempt < MAX_CREATE_RETRIES - 1) { + // Exponential backoff: 10ms, 20ms, 40ms + const delay = RETRY_BASE_DELAY_MS * Math.pow(2, attempt); + logger.debug( + `[createMCPServer] Duplicate serverName detected, retrying (attempt ${attempt + 2}/${MAX_CREATE_RETRIES}) after ${delay}ms`, + ); + await new Promise((resolve) => setTimeout(resolve, delay)); + continue; + } + + // Not a duplicate key error or out of retries - throw immediately + throw error; + } + } + + // Should not reach here, but TypeScript requires a return + throw lastError; + } + + /** + * Find an MCP server by serverName + * @param serverName - The MCP server ID + * @returns The MCP server document or null + */ + async function findMCPServerById(serverName: string): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + return await MCPServer.findOne({ serverName }).lean(); + } + + /** + * Find an MCP server by MongoDB ObjectId + * @param _id - The MongoDB ObjectId + * @returns The MCP server document or null + */ + async function findMCPServerByObjectId( + _id: string | Types.ObjectId, + ): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + return await MCPServer.findById(_id).lean(); + } + + /** + * Find MCP servers by author + * @param authorId - The author's ObjectId or string + * @returns Array of MCP server documents + */ + async function findMCPServersByAuthor( + authorId: string | Types.ObjectId, + ): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + return await MCPServer.find({ author: authorId }).sort({ updatedAt: -1 }).lean(); + } + + /** + * Get a paginated list of MCP servers by IDs with filtering and search + * @param ids - Array of ObjectIds to include + * @param otherParams - Additional filter parameters (e.g., search) + * @param limit - Page size limit (null for no pagination) + * @param after - Cursor for pagination + * @returns Paginated list of MCP servers + */ + async function getListMCPServersByIds({ + ids = [], + otherParams = {}, + limit = null, + after = null, + }: { + ids?: Types.ObjectId[]; + otherParams?: RootFilterQuery; + limit?: number | null; + after?: string | null; + }): Promise<{ + data: MCPServerDocument[]; + has_more: boolean; + after: string | null; + }> { + const MCPServer = mongoose.models.MCPServer as Model; + const isPaginated = limit !== null && limit !== undefined; + const normalizedLimit = isPaginated + ? Math.min(Math.max(1, parseInt(String(limit)) || NORMALIZED_LIMIT_DEFAULT), 100) + : null; + + // Build base query combining accessible servers with other filters + const baseQuery: RootFilterQuery = { ...otherParams, _id: { $in: ids } }; + + // Add cursor condition + if (after) { + try { + const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8')); + const { updatedAt, _id } = cursor; + + const cursorCondition = { + $or: [ + { updatedAt: { $lt: new Date(updatedAt) } }, + { updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } }, + ], + }; + + // Merge cursor condition with base query + if (Object.keys(baseQuery).length > 0) { + baseQuery.$and = [{ ...baseQuery }, cursorCondition]; + // Remove the original conditions from baseQuery to avoid duplication + Object.keys(baseQuery).forEach((key) => { + if (key !== '$and') { + delete baseQuery[key]; + } + }); + } + } catch (error) { + // Invalid cursor, ignore + logger.warn('[getListMCPServersByIds] Invalid cursor provided', error); + } + } + + if (normalizedLimit === null) { + // No pagination - return all matching servers + const servers = await MCPServer.find(baseQuery).sort({ updatedAt: -1, _id: 1 }).lean(); + + return { + data: servers, + has_more: false, + after: null, + }; + } + + // Paginated query - assign to const to help TypeScript + const servers = await MCPServer.find(baseQuery) + .sort({ updatedAt: -1, _id: 1 }) + .limit(normalizedLimit + 1) + .lean(); + + const hasMore = servers.length > normalizedLimit; + const data = hasMore ? servers.slice(0, normalizedLimit) : servers; + + let nextCursor = null; + if (hasMore && data.length > 0) { + const lastItem = data[data.length - 1]; + nextCursor = Buffer.from( + JSON.stringify({ + updatedAt: lastItem.updatedAt, + _id: lastItem._id, + }), + ).toString('base64'); + } + + return { + data, + has_more: hasMore, + after: nextCursor, + }; + } + + /** + * Update an MCP server + * @param serverName - The MCP server ID + * @param updateData - Object containing config to update + * @returns The updated MCP server document or null + */ + async function updateMCPServer( + serverName: string, + updateData: { config?: MCPOptions }, + ): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + return await MCPServer.findOneAndUpdate( + { serverName }, + { $set: updateData }, + { new: true, runValidators: true }, + ).lean(); + } + + /** + * Delete an MCP server + * @param serverName - The MCP server ID + * @returns The deleted MCP server document or null + */ + async function deleteMCPServer(serverName: string): Promise { + const MCPServer = mongoose.models.MCPServer as Model; + return await MCPServer.findOneAndDelete({ serverName }).lean(); + } + + /** + * Get MCP servers by their serverName strings + * @param names - Array of serverName strings to fetch + * @returns Object containing array of MCP server documents + */ + async function getListMCPServersByNames({ names = [] }: { names: string[] }): Promise<{ + data: MCPServerDocument[]; + }> { + if (names.length === 0) { + return { data: [] }; + } + const MCPServer = mongoose.models.MCPServer as Model; + const servers = await MCPServer.find({ serverName: { $in: names } }).lean(); + return { data: servers }; + } + + return { + createMCPServer, + findMCPServerById, + findMCPServerByObjectId, + findMCPServersByAuthor, + getListMCPServersByIds, + getListMCPServersByNames, + updateMCPServer, + deleteMCPServer, + }; +} + +export type MCPServerMethods = ReturnType; diff --git a/packages/data-schemas/src/models/index.ts b/packages/data-schemas/src/models/index.ts index dd1d8ee23c..45516d5a7c 100644 --- a/packages/data-schemas/src/models/index.ts +++ b/packages/data-schemas/src/models/index.ts @@ -6,6 +6,7 @@ import { createConversationModel } from './convo'; import { createMessageModel } from './message'; import { createAgentModel } from './agent'; import { createAgentCategoryModel } from './agentCategory'; +import { createMCPServerModel } from './mcpServer'; import { createRoleModel } from './role'; import { createActionModel } from './action'; import { createAssistantModel } from './assistant'; @@ -39,6 +40,7 @@ export function createModels(mongoose: typeof import('mongoose')) { Message: createMessageModel(mongoose), Agent: createAgentModel(mongoose), AgentCategory: createAgentCategoryModel(mongoose), + MCPServer: createMCPServerModel(mongoose), Role: createRoleModel(mongoose), Action: createActionModel(mongoose), Assistant: createAssistantModel(mongoose), diff --git a/packages/data-schemas/src/models/mcpServer.ts b/packages/data-schemas/src/models/mcpServer.ts new file mode 100644 index 0000000000..e2ad054068 --- /dev/null +++ b/packages/data-schemas/src/models/mcpServer.ts @@ -0,0 +1,11 @@ +import mcpServerSchema from '~/schema/mcpServer'; +import type { MCPServerDocument } from '~/types'; + +/** + * Creates or returns the MCPServer model using the provided mongoose instance and schema + */ +export function createMCPServerModel(mongoose: typeof import('mongoose')) { + return ( + mongoose.models.MCPServer || mongoose.model('MCPServer', mcpServerSchema) + ); +} diff --git a/packages/data-schemas/src/schema/accessRole.ts b/packages/data-schemas/src/schema/accessRole.ts index 210a2b0694..082c28a5f0 100644 --- a/packages/data-schemas/src/schema/accessRole.ts +++ b/packages/data-schemas/src/schema/accessRole.ts @@ -16,7 +16,7 @@ const accessRoleSchema = new Schema( description: String, resourceType: { type: String, - enum: ['agent', 'project', 'file', 'promptGroup'], + enum: ['agent', 'project', 'file', 'promptGroup', 'mcpServer'], required: true, default: 'agent', }, diff --git a/packages/data-schemas/src/schema/agent.ts b/packages/data-schemas/src/schema/agent.ts index 716c105000..4b10572afe 100644 --- a/packages/data-schemas/src/schema/agent.ts +++ b/packages/data-schemas/src/schema/agent.ts @@ -112,6 +112,12 @@ const agentSchema = new Schema( default: false, index: true, }, + /** MCP server names extracted from tools for efficient querying */ + mcpServerNames: { + type: [String], + default: [], + index: true, + }, }, { timestamps: true, diff --git a/packages/data-schemas/src/schema/mcpServer.ts b/packages/data-schemas/src/schema/mcpServer.ts new file mode 100644 index 0000000000..8210c258d6 --- /dev/null +++ b/packages/data-schemas/src/schema/mcpServer.ts @@ -0,0 +1,31 @@ +import { Schema } from 'mongoose'; +import type { MCPServerDocument } from '~/types'; + +const mcpServerSchema = new Schema( + { + serverName: { + type: String, + index: true, + unique: true, + required: true, + }, + config: { + type: Schema.Types.Mixed, + required: true, + // Config contains: title, description, url, oauth, etc. + }, + author: { + type: Schema.Types.ObjectId, + ref: 'User', + required: true, + index: true, + }, + }, + { + timestamps: true, + }, +); + +mcpServerSchema.index({ updatedAt: -1, _id: 1 }); + +export default mcpServerSchema; diff --git a/packages/data-schemas/src/schema/role.ts b/packages/data-schemas/src/schema/role.ts index eb16ddd284..e8da248c8d 100644 --- a/packages/data-schemas/src/schema/role.ts +++ b/packages/data-schemas/src/schema/role.ts @@ -53,6 +53,11 @@ const rolePermissionsSchema = new Schema( [PermissionTypes.FILE_CITATIONS]: { [Permissions.USE]: { type: Boolean }, }, + [PermissionTypes.MCP_SERVERS]: { + [Permissions.USE]: { type: Boolean }, + [Permissions.CREATE]: { type: Boolean }, + [Permissions.SHARE]: { type: Boolean }, + }, }, { _id: false }, ); diff --git a/packages/data-schemas/src/types/agent.ts b/packages/data-schemas/src/types/agent.ts index 2a60635751..b150b2ec3f 100644 --- a/packages/data-schemas/src/types/agent.ts +++ b/packages/data-schemas/src/types/agent.ts @@ -40,4 +40,6 @@ export interface IAgent extends Omit { category: string; support_contact?: ISupportContact; is_promoted?: boolean; + /** MCP server names extracted from tools for efficient querying */ + mcpServerNames?: string[]; } diff --git a/packages/data-schemas/src/types/index.ts b/packages/data-schemas/src/types/index.ts index 58122cbc55..828cdf9c8f 100644 --- a/packages/data-schemas/src/types/index.ts +++ b/packages/data-schemas/src/types/index.ts @@ -27,3 +27,5 @@ export * from './aclEntry'; export * from './group'; /* Web */ export * from './web'; +/* MCP Servers */ +export * from './mcp'; diff --git a/packages/data-schemas/src/types/mcp.ts b/packages/data-schemas/src/types/mcp.ts new file mode 100644 index 0000000000..9b1c622293 --- /dev/null +++ b/packages/data-schemas/src/types/mcp.ts @@ -0,0 +1,12 @@ +import { Document, Types } from 'mongoose'; +import type { MCPServerDB } from 'librechat-data-provider'; + +/** + * Mongoose document interface for MCP Server + * Extends API interface with Mongoose-specific database fields + */ +export interface MCPServerDocument + extends Omit, + Document { + author: Types.ObjectId; // ObjectId reference in DB (vs string in API) +} diff --git a/packages/data-schemas/src/types/role.ts b/packages/data-schemas/src/types/role.ts index a672e3fae2..679e80010f 100644 --- a/packages/data-schemas/src/types/role.ts +++ b/packages/data-schemas/src/types/role.ts @@ -51,6 +51,11 @@ export interface IRole extends Document { [PermissionTypes.FILE_CITATIONS]?: { [Permissions.USE]?: boolean; }; + [PermissionTypes.MCP_SERVERS]?: { + [Permissions.USE]?: boolean; + [Permissions.CREATE]?: boolean; + [Permissions.SHARE]?: boolean; + }; }; }