mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-31 15:48:51 +01:00
95a69df70e
* 🔒 feat: Add MCP server domain restrictions for remote transports * 🔒 feat: Implement comprehensive MCP error handling and domain validation - Added `handleMCPError` function to centralize error responses for domain restrictions and inspection failures. - Introduced custom error classes: `MCPDomainNotAllowedError` and `MCPInspectionFailedError` for better error management. - Updated MCP server controllers to utilize the new error handling mechanism. - Enhanced domain validation logic in `createMCPTools` and `createMCPTool` functions to prevent operations on disallowed domains. - Added tests for runtime domain validation scenarios to ensure correct behavior. * chore: import order * 🔒 feat: Enhance domain validation in MCP tools with user role-based restrictions - Integrated `getAppConfig` to fetch allowed domains based on user roles in `createMCPTools` and `createMCPTool` functions. - Removed the deprecated `getAllowedDomains` method from `MCPServersRegistry`. - Updated tests to verify domain restrictions are applied correctly based on user roles. - Ensured that domain validation logic is consistent and efficient across tool creation processes. * 🔒 test: Refactor MCP tests to utilize configurable app settings - Introduced a mock for `getAppConfig` to enhance test flexibility. - Removed redundant mock definition to streamline test setup. - Ensured tests are aligned with the latest domain validation logic. --------- Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com> Co-authored-by: Danny Avila <danny@librechat.ai>
61 lines
1.9 KiB
TypeScript
61 lines
1.9 KiB
TypeScript
/**
|
|
* MCP-specific error classes
|
|
*/
|
|
|
|
export const MCPErrorCodes = {
|
|
DOMAIN_NOT_ALLOWED: 'MCP_DOMAIN_NOT_ALLOWED',
|
|
INSPECTION_FAILED: 'MCP_INSPECTION_FAILED',
|
|
} as const;
|
|
|
|
export type MCPErrorCode = (typeof MCPErrorCodes)[keyof typeof MCPErrorCodes];
|
|
|
|
/**
|
|
* Custom error for MCP domain restriction violations.
|
|
* Thrown when a user attempts to connect to an MCP server whose domain is not in the allowlist.
|
|
*/
|
|
export class MCPDomainNotAllowedError extends Error {
|
|
public readonly code = MCPErrorCodes.DOMAIN_NOT_ALLOWED;
|
|
public readonly statusCode = 403;
|
|
public readonly domain: string;
|
|
|
|
constructor(domain: string) {
|
|
super(`Domain "${domain}" is not allowed`);
|
|
this.name = 'MCPDomainNotAllowedError';
|
|
this.domain = domain;
|
|
Object.setPrototypeOf(this, MCPDomainNotAllowedError.prototype);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Custom error for MCP server inspection failures.
|
|
* Thrown when attempting to connect/inspect an MCP server fails.
|
|
*/
|
|
export class MCPInspectionFailedError extends Error {
|
|
public readonly code = MCPErrorCodes.INSPECTION_FAILED;
|
|
public readonly statusCode = 400;
|
|
public readonly serverName: string;
|
|
|
|
constructor(serverName: string, cause?: Error) {
|
|
super(`Failed to connect to MCP server "${serverName}"`);
|
|
this.name = 'MCPInspectionFailedError';
|
|
this.serverName = serverName;
|
|
if (cause) {
|
|
this.cause = cause;
|
|
}
|
|
Object.setPrototypeOf(this, MCPInspectionFailedError.prototype);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Type guard to check if an error is an MCPDomainNotAllowedError
|
|
*/
|
|
export function isMCPDomainNotAllowedError(error: unknown): error is MCPDomainNotAllowedError {
|
|
return error instanceof MCPDomainNotAllowedError;
|
|
}
|
|
|
|
/**
|
|
* Type guard to check if an error is an MCPInspectionFailedError
|
|
*/
|
|
export function isMCPInspectionFailedError(error: unknown): error is MCPInspectionFailedError {
|
|
return error instanceof MCPInspectionFailedError;
|
|
}
|