[FR] Allow MCP client to pass non sb auth token in request. #872
Description
In some cases where sb is run in no-auth mode, auth is implemented by a reverse proxy such as dex or google auth infront of the API.
It would be usefull to provide a mechanism for the MCP client to auth with these other methods, by passing a auth bearer token.
Claude writeup of a potential fix:
Sourcebot MCP Server - Dex/Bearer Token Authentication Support
================================================================
This document describes the changes needed to add Bearer token
authentication support to @sourcebot/mcp for use with Dex or
other OAuth2/OIDC providers.
Overview
Currently the MCP server only supports SOURCEBOT_API_KEY which sets
the X-Sourcebot-Api-Key header. To work with Dex, we need to add
support for Bearer tokens via the Authorization: Bearer <token> header.
Files to Modify/Create
- packages/mcp/src/env.ts - Add new environment variables
- packages/mcp/src/auth.ts - New file for centralized auth logic
- packages/mcp/src/client.ts - Use the new auth module
================================================================================
1. env.ts - Add these environment variables
================================================================================
Add after the existing SOURCEBOT_API_KEY definition:
// Bearer token auth (for Dex, OAuth2, OIDC)
SOURCEBOT_AUTH_TOKEN: z.string().optional(),
// Auth type selector: 'api-key' | 'bearer' | 'auto'
// 'auto' will prefer bearer token if set, then api-key
SOURCEBOT_AUTH_TYPE: z.enum(['api-key', 'bearer', 'auto']).default('auto'),================================================================================
2. auth.ts - Create new file
================================================================================
Create packages/mcp/src/auth.ts:
import { env } from './env.js';
export type AuthHeaders = Record<string, string>;
/**
* Builds authentication headers based on configured auth method.
*
* Priority (when SOURCEBOT_AUTH_TYPE is 'auto'):
* 1. Bearer token (SOURCEBOT_AUTH_TOKEN) - for Dex/OAuth2/OIDC
* 2. API key (SOURCEBOT_API_KEY) - for Sourcebot native auth
* 3. No auth headers
*/
export const getAuthHeaders = (): AuthHeaders => {
const authType = env.SOURCEBOT_AUTH_TYPE;
// Bearer token auth
if (authType === 'bearer') {
if (!env.SOURCEBOT_AUTH_TOKEN) {
throw new Error(
'SOURCEBOT_AUTH_TOKEN required when SOURCEBOT_AUTH_TYPE is "bearer"'
);
}
return { 'Authorization': `Bearer ${env.SOURCEBOT_AUTH_TOKEN}` };
}
// API key auth
if (authType === 'api-key') {
if (!env.SOURCEBOT_API_KEY) {
throw new Error(
'SOURCEBOT_API_KEY required when SOURCEBOT_AUTH_TYPE is "api-key"'
);
}
return { 'X-Sourcebot-Api-Key': env.SOURCEBOT_API_KEY };
}
// Auto-detect: prefer bearer, then api-key
if (env.SOURCEBOT_AUTH_TOKEN) {
return { 'Authorization': `Bearer ${env.SOURCEBOT_AUTH_TOKEN}` };
}
if (env.SOURCEBOT_API_KEY) {
return { 'X-Sourcebot-Api-Key': env.SOURCEBOT_API_KEY };
}
return {};
};================================================================================
3. client.ts - Update to use auth module
================================================================================
Add import at top:
import { getAuthHeaders } from './auth.js';Replace all instances of:
... (186 lines left)